review(1c): W4/C4/C5 PASS COLD — independent throwaway rebuild: blank VM+2 repos+1 age key -> single switch -> ld19aj2 byte-identical, 0 failed, 6/6 stacks, cert+TLS from git (leaf 57:8D:67). VM ccci-w5-rebuild@100.97.167.73 recorded for Builder swap. D8 honest (Phase-1 'infeasible' superseded)
All checks were successful
continuous-integration/drone/push Build is passing
22
REVIEW-1c.md
@ -80,4 +80,26 @@ My cold proof of the throwaway-VM live rebuild (C4) will require, and I will REJ
Builder W4 Step A (`9cc6788`/`24fe11a`) added `sops.age.keyFile` (recovery key on clones, host-derived on cc-ci) and switched cc-ci → new toplevel `izsmiajwjwa12356mm35fw08jdy5f0zs` (supersedes the `vh6vwxbl` from my 16:55 W2 PASS). Re-verified cold: fresh recursive clone (HEAD `24fe11a`, submodule `2312f1c`) → `nixos-rebuild build` = `izsmiajw` == `/run/current-system`. **BYTE-IDENTICAL: YES, zero drift.** Live host healthy (running, 0 failed), cert sha `c1d96d61…`, TLS `200/ssl_verify=0`. → **C1 stays Adversary-PASS** against the current running config; clock refreshed 18:00Z. (W4 Step B throwaway rebuild still in flight — not yet CLAIMED.)
## W4/C4 + C5: PASS @2026-05-27 18:55Z — genuine throwaway-VM live rebuild (COLD, independent)
Gate W4 CLAIMED by Builder. Verified by performing my OWN independent clean-room rebuild on a fresh throwaway VM (not the Builder's — theirs was destroyed). Full cold flow, following `docs/install.md` exactly:
**Setup (mine, cold):** Created `ccci-w5-rebuild` in Incus `terraform-ci` via the REST API (image `incus-base-vm`, 4 GB/2 cpu/20 GB; tailnet via the CURRENT `TS_AUTH_KEY` from `/srv/cc-ci/.testenv`). Confirmed genuinely **blank**: NixOS 24.11 base config, no `/root/cc-ci`, no docker/swarm, **no `/var/lib/sops-nix/key.txt`**. Provisioned the **ONE** out-of-band secret = the recovery age key (`/srv/cc-ci/.sops/master-age.txt`) → `/var/lib/sops-nix/key.txt` (0600). `git clone --recursive` base+secrets (bot creds via per-command header, not persisted) → HEAD `b54ea6d`, submodule `secrets`→`2312f1c` (ENC), `age.keyFile` present. **One** `nixos-rebuild switch --flake 'git+file:///root/cc-ci?submodules=1#cc-ci'` (detached unit). **No step outside docs/install.md.** Switch succeeded in ~14 min.
**C4 convergence — PASS (cold):**
- **Byte-identical:** rebuilt VM `/run/current-system` = `/nix/store/ld19aj2dcrjm6jarq1k6rvhc0zww34qq-nixos-system-…` == cc-ci's running toplevel. A blank host + 2 git repos + 1 age key reproduces cc-ci **bit-for-bit** (re-exercises C1 on a clean host).
- `systemctl is-system-running` = **running, 0 failed units**.
- **All 6 swarm stacks 1/1** (traefik app + socket-proxy, drone, ccci-bridge `cc-ci-bridge:cb0f9d7c6936`, ccci-dashboard `cc-ci-dashboard:daf1afd05cae`, backups) — same images as cc-ci; serialized reconcile oneshots converged on the single switch.
- **All secrets incl. cert decrypt from git** via the recovery key (the VM's SSH host key is NOT a sops recipient — proves the recovery-key model): `/var/lib/ci-certs/live/fullchain.pem` → `/run/secrets.d/1/wildcard_cert` (**ramfs**, not store), sha256 `c1d96d61…` (== operator original). Re-exercises C2/C3 on a clean host.
- **TLS from git cert (off-box):** curl through the proxy to the rebuilt VM's Traefik (SNI `ci.commoninternet.net`, resolved to the VM IP) → `ssl_verify=0`; served leaf fingerprint **`57:8D:67:9E:FE:89:…:B8:A6`** == git cert leaf exactly (CN=`*.ci.commoninternet.net`, LE E8). The rebuilt VM serves the sops-from-git wildcard cert. (404 body is expected — no app deployed behind `probe`.)
**C5 honest D8 — PASS.** D8 now has both halves: static (byte-identical build==running, W2/16:55Z + ld19aj2 18:00Z) **plus** dynamic (this live throwaway rebuild). `docs/install.md` states the rebuild is "verified," not "infeasible by design"; `docs/` and `DECISIONS.md` carry no "infeasible" wording (the only residual hits are in the Phase-1 HISTORY `REVIEW.md`/`JOURNAL.md` — superseding note appended to Phase-1 REVIEW.md). **Narrow documented limitation, Adversary-signed-off:** `docs/install.md §2` keeps the one-time **Drone↔Gitea OAuth grant** as a documented manual post-step (can't be Nix-declared without the bot password on the box). This does NOT block system/swarm convergence (drone server came up 1/1 without it) and its functional effect (Drone cloning/building) is exactly what the upcoming E2E-TESTME (E1-E6) validates. I accept it as a narrow, documented, justified limitation — not a blanket "infeasible."
→ **C1, C2, C3, C4, C5 all Adversary-PASS** (re-exercised cold on a blank host; clocks refreshed 18:55Z). No VETO.
### VM identity for the Builder (target for the E2E-TESTME swap — per orchestrator actor/critic split)
- **Incus instance:** `ccci-w5-rebuild` (project `terraform-ci` on b1), Running, 4 GB.
- **Current tailnet IP:** `100.97.167.73` | tailscale DNSName `ccci-w5-rebuild.taila4a0bf.ts.net` (not yet renamed).
- Stack is UP and converged (ld19aj2, 6/6). **I am keeping it running** (C6 override). The Builder owns the swap (original→`cc-nix-test-orig` first, then `ccci-w5-rebuild`→`cc-nix-test`) + runs `!testme`; **the Adversary will NOT rename nodes** and will independently verify E1-E6 from a cold start afterward.
<!-- Append PASS/FAIL verdicts below with timestamps + evidence. -->
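Review bot: the rebuild installed the project's recovery age key (`/srv/cc-ci/.sops/master-age.txt`) as `/var/lib/sops-nix/key.txt` on `ccci-w5-rebuild`, and the VM-identity section then keeps that VM running and hands it to the Builder for the `cc-nix-test` swap; because the VM's own SSH host key is not a sops recipient, the master recovery key is the only thing keeping its secrets decryptable, so the record should state what happens to that key once the VM becomes a long-lived test node (add the host key as a recipient and remove the master key, or explicitly accept it staying resident). Two smaller points: the cert sha256 (`c1d96d61…`) and the served leaf fingerprint (`57:8D:67:9E:FE:89:…:B8:A6`) are truncated, so the "== operator original" and "== git cert leaf exactly" claims cannot be re-checked from this file alone; record the full values or where they are kept. And `ssl_verify=0` reads either as curl's `%{ssl_verify_result}` being 0 (chain verified) or as verification switched off; spell out which, since the TLS-from-git finding rests on it.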
12
REVIEW.md
@ -532,3 +532,15 @@ STATUS shows `## DONE` (Builder, 1c10fa5). Final cold reality check confirms it
The DONE is **confirmed**. Adversary loop terminating — exit condition met (STATUS `## DONE` + fresh
PASS logged for every D1–D10). Standing note: Docker Hub registry creds remain a documented
good-to-have for rate-limit robustness (not a correctness gap).
---
## SUPERSEDED by Phase 1c (appended @2026-05-27 18:55Z)
The Phase-1 D8 verdict above (and the "throwaway-VM live rebuild **infeasible by design**" wording
at lines ~485–502) is **CORRECTED / superseded** by Phase 1c. The premise no longer holds: the
project's own recovery age key decrypts the repo's secrets on a fresh host, and the wildcard cert is
now sops-in-git — so a from-scratch live rebuild IS feasible and has been **performed and verified**.
Adversary cold-proved it 2026-05-27: a blank NixOS Incus VM + the two git repos + the single
bootstrap age key → one `nixos-rebuild switch` → fully-converged cc-ci, byte-identical (`ld19aj2`),
0 failed, 6 stacks 1/1, cert decrypted from git, TLS leaf == git cert. See REVIEW-1c.md (W4/C4/C5
PASS). D8 is now honest: static byte-identical **plus** live throwaway rebuild; "infeasible by design"
is withdrawn.
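Review bot: the superseding note describes the rebuild as producing a "fully-converged cc-ci" without the carve-out that REVIEW-1c.md records in this same commit, namely that the Drone↔Gitea OAuth grant from `docs/install.md §2` remains a manual post-step; a reader of the Phase-1 log alone will take D8 as fully declarative, so add the one-line qualifier here so the two records agree. Also, "at lines ~485–502" is an approximate line reference into an append-only log and will drift as the file grows; point at the heading or the commit that introduced the "infeasible by design" wording instead.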