From 0556ff5ad9b31c2489c00ed9234b1d535b8e6179 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 20:01:41 +0100 Subject: [PATCH] =?UTF-8?q?backlog(1c):=20file=20ADV-1c-1=20[adversary]=20?= =?UTF-8?q?=E2=80=94=20architecture.md=20still=20describes=20pre-1c=20secr?= =?UTF-8?q?ets/cert=20model;=20blocks=20C7=20(doc=20gap,=20not=20VETO)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- BACKLOG-1c.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/BACKLOG-1c.md b/BACKLOG-1c.md index a20efbe..b3b6c48 100644 --- a/BACKLOG-1c.md +++ b/BACKLOG-1c.md 
@@ -38,4 +38,16 @@ Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary ga ## Adversary findings -(none yet — Adversary owns this section) +- [ ] **ADV-1c-1 [adversary] — `docs/architecture.md` not updated to the 1c model (blocks C7).** + C7 requires `architecture.md` reflect the new model, but it still describes the **pre-1c** layout: + - Line ~17 (secrets row): "`modules/secrets.nix` + `secrets/secrets.yaml` (sops-nix) | Infra secrets, + decrypted at activation **via the host SSH key** as the age identity" — no mention of the private + **`cc-ci-secrets` repo / git submodule** split, the **recovery age key** bootstrap for a fresh host, + or that the **wildcard cert+key are sops secrets in git** (C1/C2/C3 — the core of 1c). + - §Network/TLS (lines ~40–41): cert described as "**pre-issued** wildcard cert at + `/var/lib/ci-certs/live/`" (out-of-band), not **sops-decrypted-from-git** to that path. + Repro: `grep -n "host SSH key\|secrets/secrets.yaml\|pre-issued wildcard" docs/architecture.md`. + A new engineer reading it gets the wrong mental model of where secrets/cert live. **Fix:** update the + secrets row + Network/TLS section to the 1c model (cc-ci-secrets submodule, cert sops-in-git decrypted + at activation, recovery-key as the one out-of-band bootstrap secret), consistent with install.md/secrets.md. + Only the Adversary closes this, after re-reading the updated doc. (Doc gap — not a VETO.)
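Review bot: the repro command in the new ADV-1c-1 item, `grep -n "host SSH key\|secrets/secrets.yaml\|pre-issued wildcard" docs/architecture.md`, relies on `\|` alternation, which is a GNU basic-regex extension and does not work on BSD/macOS `grep`; since this is the check the Adversary will re-run to close the item, consider the portable form `grep -n -E "host SSH key|secrets/secrets\.yaml|pre-issued wildcard" docs/architecture.md` (or repeated `-e` patterns), and escape the dot in `secrets.yaml` so it matches only that filename. A smaller point in the same item: the "Line ~17" and "lines ~40–41" references will drift as `architecture.md` is edited, whereas the quoted row text and the `§Network/TLS` heading already identify the spots, so the line numbers could be dropped rather than maintained.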