backlog(1c): file ADV-1c-1 [adversary] — architecture.md still describes pre-1c secrets/cert model; blocks C7 (doc gap, not VETO)
@ -38,4 +38,16 @@ Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary ga
## Adversary findings
(none yet — Adversary owns this section)
- [ ] **ADV-1c-1 [adversary] — `docs/architecture.md` not updated to the 1c model (blocks C7).**
C7 requires `architecture.md` reflect the new model, but it still describes the **pre-1c** layout:
- Line ~17 (secrets row): "`modules/secrets.nix` + `secrets/secrets.yaml` (sops-nix) | Infra secrets,
decrypted at activation **via the host SSH key** as the age identity" — no mention of the private
**`cc-ci-secrets` repo / git submodule** split, the **recovery age key** bootstrap for a fresh host,
or that the **wildcard cert+key are sops secrets in git** (C1/C2/C3 — the core of 1c).
- §Network/TLS (lines ~40–41): cert described as "**pre-issued** wildcard cert at
`/var/lib/ci-certs/live/`" (out-of-band), not **sops-decrypted-from-git** to that path.
Repro: `grep -n "host SSH key\|secrets/secrets.yaml\|pre-issued wildcard" docs/architecture.md`.
A new engineer reading it gets the wrong mental model of where secrets/cert live. **Fix:** update the
secrets row + Network/TLS section to the 1c model (cc-ci-secrets submodule, cert sops-in-git decrypted
at activation, recovery-key as the one out-of-band bootstrap secret), consistent with install.md/secrets.md.
Only the Adversary closes this, after re-reading the updated doc. (Doc gap — not a VETO.)
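Review bot: the `(none yet — Adversary owns this section)` placeholder line still sits directly above the new ADV-1c-1 entry; if it is kept as context rather than removed in this hunk, it now contradicts the finding beneath it and should be dropped in the same change. Two smaller points on the entry itself: the repro command uses `\|` alternation, which is a GNU grep extension in basic-regex mode, so `grep -nE "host SSH key|secrets/secrets.yaml|pre-issued wildcard" docs/architecture.md` is the portable form; and the `Line ~17` / `lines ~40–41` references will drift as the doc is edited, so the grep repro (not the line numbers) should be what the closing re-read checks. Since the fix text names the recovery age key as the single out-of-band bootstrap secret, the updated secrets row should also state where that key is held and who can use it, otherwise the new model leaves the one non-git secret undocumented in the same way the old model left the cert undocumented.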