1c/ADV-1c-1: architecture.md was already 1c-updated (b700cd2); expand line 17 for clarity (cert-in-git + recovery-key-on-clone). Pls re-verify HEAD
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ -416,3 +416,16 @@ first throwaway destroyed; cc-nix-test 4 GB). All C1–C7 + E2E-TESTME implement
**Remaining = Adversary's final DONE-verification:** re-confirm C1 byte-identical at `cqym8knj` +
independently verify E1–E6. I'll write `## DONE` when REVIEW-1c shows <24h PASS for C1–C7 + E2E-TESTME
and no VETO. (plan.md is in cc-ci-plan/, not this repo — edited in place, not committed here.)
## 2026-05-27 — ADV-1c-1 (architecture.md stale) addressed
Adversary verdict b301b03: **E2E-TESTME E1–E6 PASS** (independent) + **C1–C6 PASS** (C1 refreshed cold
at final `cqym8knj` == running, byte-identical; no VETO). **C7 WITHHELD** on finding ADV-1c-1:
`docs/architecture.md` allegedly stale (line 17 "local secrets/secrets.yaml via host SSH key", cert
"pre-issued out-of-band"). **But architecture.md was already updated to the 1c model in commit b700cd2**
(an ANCESTOR of `3bfb48b`, the HEAD the Adversary cloned for C1) — current line 14/17 + §Network/TLS
describe the `cc-ci-secrets` submodule, bootstrap age key, and cert-sops-from-git. The quoted "stale"
text is the PRE-b700cd2 line 17 → ADV-1c-1 is a stale-clone false positive (the doc-grep used an older
checkout). To remove all doubt I further expanded line 17 (explicit: cert-in-git, submodule, bootstrap
key = host-derived OR recovery-key-on-clone, one out-of-band secret). **Adversary: please re-grep
`docs/architecture.md` at current HEAD and close ADV-1c-1 → C7 PASS → DONE.**
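Review bot: the ancestry claim that carries the whole argument in this entry (b700cd2 is an ancestor of `3bfb48b`, the HEAD the Adversary cloned for C1) is asserted but not evidenced; paste the check that was run (for example the output of `git merge-base --is-ancestor b700cd2 3bfb48b` plus the `git log --oneline -- docs/architecture.md` line for b700cd2) so the Adversary can confirm the stale-clone diagnosis without re-deriving it. Related: "the doc-grep used an older checkout" is a guess about the Adversary's process that nothing in this entry shows; phrase it as the suspected cause, and have the close-out record the commit hash at which the re-grep of `docs/architecture.md` was performed. Lastly, "plan.md is in cc-ci-plan/, not this repo — edited in place, not committed here" means that plan change has no recorded hash; say where that edit is tracked, or the DONE audit trail has a gap.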
@ -14,7 +14,7 @@ reports the result back. Everything on the `cc-ci` host is declared in this repo
| **swarm + traefik** | `modules/swarm.nix`, `modules/proxy.nix` — coop-cloud `traefik` recipe via abra | Single-node Docker Swarm + `proxy` overlay; traefik terminates TLS with the wildcard cert (**sops-decrypted from git** to `/var/lib/ci-certs/live`, file provider, **no ACME**). The real deploy target for recipes-under-test. |
| **backup-bot-two** | `modules/backupbot.nix` | restic-based volume/DB backups; `abra app backup/restore` drive it. |
| **dashboard** | `dashboard/dashboard.py`, `modules/dashboard.nix` (`ci.commoninternet.net`) | YunoHost-CI-like overview: latest run per recipe + status badges + run links; `/badge/<recipe>.svg`. |
| **secrets** | `modules/secrets.nix` + `secrets/` = **`cc-ci-secrets` submodule** (sops-nix) | ALL secrets incl. the **wildcard cert** are sops-encrypted in the private `cc-ci-secrets` repo (a submodule); decrypted at activation via the bootstrap age key (`sops.age.keyFile` + host SSH key). The base repo holds no secrets. See `secrets.md`. |
| **secrets** | `modules/secrets.nix` + `secrets/` = **`cc-ci-secrets` submodule** (sops-nix) | **Phase-1c secrets model:** ALL secrets incl. the **wildcard TLS cert+key are sops-encrypted in git** in the private `cc-ci-secrets` repo, mounted as a **git submodule** at `secrets/` (the base `cc-ci` repo holds **no** secret material). Decrypted at activation by the **bootstrap age key** at `/var/lib/sops-nix/key.txt` (`sops.age.keyFile`) — cc-ci's host-derived age identity, or the **off-box recovery key on a fresh/cloned host** whose SSH key isn't a recipient; the host SSH key is also offered (`sops.age.sshKeyPaths`). The cert is decrypted to `/var/lib/ci-certs/live/` (no out-of-band file drop). This **one** age key is the only secret not in git. See `secrets.md`. |
All swarm infra (traefik, drone, bridge, dashboard, backupbot) is brought up by **idempotent-reconcile
systemd oneshots** that converge on every activation/boot (no run-once sentinels), **serialized**
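Review bot: the rewritten `secrets` row contradicts itself on what the key at `/var/lib/sops-nix/key.txt` is and on how many out-of-band secrets exist. It calls that file "cc-ci's host-derived age identity" yet in the same sentence says the host SSH key "is also offered" via `sops.age.sshKeyPaths`; if key.txt were derived from the host SSH key, offering the SSH key separately would be redundant, and if key.txt is a separately generated key it is not host-derived. State concretely how key.txt comes to exist on a fresh install (generated at activation, converted from the SSH key, or written by the operator) and who writes the recovery key there on a cloned host. Then "This **one** age key is the only secret not in git" does not hold once the "off-box recovery key" is introduced in the same row: that key also lives outside git and decrypts everything in `cc-ci-secrets`, so name where it is held and who can reach it, or the reader is left with two unmanaged secrets instead of one. Finally, the cell has grown very long, and the TLS material (cert decrypted to `/var/lib/ci-certs/live/`, "no out-of-band file drop") repeats what the `swarm + traefik` row above already states; drop it here and keep the row to the key model.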