diff --git a/cc-ci-plan/plan-phase1c-full-reproducibility.md b/cc-ci-plan/plan-phase1c-full-reproducibility.md index 635cd9f..305c047 100644 --- a/cc-ci-plan/plan-phase1c-full-reproducibility.md +++ b/cc-ci-plan/plan-phase1c-full-reproducibility.md @@ -90,10 +90,16 @@ Terminates only when every item holds **and the Adversary has independently re-v webhook HMAC, registry creds, host age recipients) is sops-encrypted in git. The **only** out-of-band secret is the bootstrap age key — documented precisely, nothing else. - [ ] **C4 — Genuine throwaway-VM live rebuild.** On a blank NixOS VM (Incus, `terraform-ci`), - provisioned with *only* the bootstrap age key, the loops `git clone` base+instance and run + provisioned with *only* the bootstrap age key, the loops `git clone` base+secrets and run `nixos-rebuild switch`; the system activates and the reconcile oneshots converge (swarm/proxy/drone/bridge/dashboard), all secrets incl. the cert decrypt, with **no manual step - not in `docs/install.md`**. The Adversary performs this **cold** and logs evidence. + not in `docs/install.md`**. + **The true proof is a clean-room repeat (C4 done right):** the Adversary **deletes** any + existing throwaway VM, **creates a brand-new blank VM via Incus**, and runs the *entire* install + from scratch (clone base+secrets → provision age key → `nixos-rebuild switch` → everything comes + up) — proving reproducibility on a genuinely fresh machine, with **no residue** from the + Builder's setup attempt masking a gap. Done **cold** by the Adversary, with logged evidence + (VM id, the exact commands from `docs/install.md`, convergence + TLS-from-git-cert proof). - [ ] **C5 — Honest D8.** The D8 evidence is rewritten: byte-identical closure (static) **plus** the live throwaway-VM rebuild (dynamic). The "infeasible by design" wording is removed. If any single aspect genuinely can't be reproduced, it is a narrowly-scoped, Adversary-signed-off 
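Review bot: The C4 rewrite renames the cloned repos from `base+instance` to `base+secrets`, but the unchanged W4 step later in the same file (visible as context in the next hunk: "clone base+instance") still uses the old name, so the two criteria now describe different inputs; pick one name and apply it everywhere in the plan. On the new evidence list ("VM id, the exact commands from `docs/install.md`, convergence + TLS-from-git-cert proof"), consider also requiring the commit hashes of the cloned base and secrets repos in the log, since the clean-room claim is only verifiable against a pinned revision, and state explicitly that the bootstrap age key on the new VM is provisioned fresh per `docs/install.md` rather than copied from the deleted VM, so the "no residue" claim covers the one out-of-band secret as well.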
@@ -144,9 +150,12 @@ out — see memory). 4. **W4 — Reproducible live rebuild.** On the throwaway VM: clone base+instance, `nixos-rebuild switch`, watch oneshots converge, secrets+cert decrypt. *Accept:* system fully up with **no step outside `docs/install.md`**; capture evidence. -5. **W5 — Adversary cold proof + honest D8.** Adversary repeats W4 from scratch independently and - rewrites the D8 evidence (static + live), removing "infeasible by design." *Accept:* Adversary - logs a real D8 live-rebuild PASS (or a narrow, signed-off limitation per §3 C5). +5. **W5 — Adversary clean-room proof + honest D8.** The Adversary **deletes** the Builder's throwaway + VM, **creates a brand-new blank VM**, and runs the full install from scratch per `docs/install.md` + (clone base+secrets → provision age key → `nixos-rebuild switch` → all up) — a genuinely fresh + machine, no residue. Then rewrites the D8 evidence (static byte-identical + this live clean-room + rebuild), removing "infeasible by design." *Accept:* Adversary logs a real D8 live-rebuild PASS on + a freshly-created VM (or a narrow, signed-off limitation per §3 C5). 6. **W6 — Cleanup + docs + final sizing.** Destroy the throwaway VM; update all docs (C7); decide and apply final `cc-nix-test` sizing. *Accept:* no leftover VM/secret leak; docs match; flip Phase-1c `STATUS.md` to `## DONE`.
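Review bot: W5 now has the Adversary delete the Builder's throwaway VM and create a new one, but W6 still reads "Destroy the throwaway VM" without saying which; reword W6 to name the Adversary's clean-room VM (the only one left after W5) so the cleanup step and its "no leftover VM/secret leak" acceptance can be checked unambiguously. The unchanged W4 context line still says "clone base+instance" while the new W5 text says "clone base+secrets"; the two steps are meant to be the same procedure, so they should use the same repo name.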