1c/W4: record orchestrator C4 TLS-verification approach (local --resolve on throwaway)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

JOURNAL-1c.md

@@ -189,3 +189,18 @@ sshKeyPaths). Provision that file = the host's bootstrap age key: on **cc-ci** =
 key (ssh-to-age of the host SSH key — no new secret exposure); on the **throwaway** = the **recovery
 key** (/srv/cc-ci/.sops/master-age.txt). cc-ci must get the file BEFORE the keyFile config deploys.
 Adding keyFile changes the closure (supersedes W2 `vh6vwxbl`) → re-verify byte-identical after.
+
+## 2026-05-27 — Orchestrator guidance for C4 TLS verification (W4 Step B)
+
+The throwaway has a NEW tailscale IP (100.126.124.86); the canonical `ci.commoninternet.net`
+gateway/DNS still points at the LIVE cc-ci, and the git cert is `*.ci.commoninternet.net`. So verify
+C4 TLS **locally ON the throwaway**, WITHOUT repointing the live gateway and WITHOUT changing the
+throwaway DOMAIN (keep DOMAIN=ci.commoninternet.net so the cert matches):
+- ssh into the throwaway; `curl --resolve probe.ci.commoninternet.net:443:127.0.0.1 \
+  https://probe.ci.commoninternet.net/` → hits the local traefik with SNI ci.commoninternet.net.
+- Confirm the served leaf == the git cert (sha256 fullchain `c1d96d61…`; Adversary's leaf fingerprint
+  `57:8D:67:9E:FE:89:…:B8:A6`). That proves the rebuilt system serves the git-sourced cert reproducibly.
+- Do NOT use ci2 for the TLS test (no `*.ci2` cert → would mismatch). Operator wired
+  `ci2.commoninternet.net` + `*.ci2` → 100.126.124.86 for *plain* reachability only (not needed for TLS).
+- DNS/gateway/cert are documented external INSTANCE preconditions; C4 proves the VM rebuilds from git
+  + the single bootstrap age key. Don't skip/fake the TLS check.