From 6276bfd3a8bdaa611f05d8de907cc97d841fbe4e Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Wed, 27 May 2026 20:24:07 +0100
Subject: [PATCH] 1c/ADV-1c-1: architecture.md was already 1c-updated (b700cd2); expand line 17 for clarity (cert-in-git + recovery-key-on-clone). Pls re-verify HEAD

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 JOURNAL-1c.md        | 13 +++++++++++++
 docs/architecture.md |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/JOURNAL-1c.md b/JOURNAL-1c.md
index a683fef..a79c53c 100644
--- a/JOURNAL-1c.md
+++ b/JOURNAL-1c.md
@@ -416,3 +416,16 @@ first throwaway destroyed; cc-nix-test 4 GB). All C1–C7 + E2E-TESTME implement **Remaining = Adversary's final DONE-verification:** re-confirm C1 byte-identical at `cqym8knj` + independently verify E1–E6. I'll write `## DONE` when REVIEW-1c shows <24h PASS for C1–C7 + E2E-TESTME and no VETO. (plan.md is in cc-ci-plan/, not this repo — edited in place, not committed here.) + +## 2026-05-27 — ADV-1c-1 (architecture.md stale) addressed + +Adversary verdict b301b03: **E2E-TESTME E1–E6 PASS** (independent) + **C1–C6 PASS** (C1 refreshed cold +at final `cqym8knj` == running, byte-identical; no VETO). **C7 WITHHELD** on finding ADV-1c-1: +`docs/architecture.md` allegedly stale (line 17 "local secrets/secrets.yaml via host SSH key", cert +"pre-issued out-of-band"). **But architecture.md was already updated to the 1c model in commit b700cd2** +(an ANCESTOR of `3bfb48b`, the HEAD the Adversary cloned for C1) — current line 14/17 + §Network/TLS +describe the `cc-ci-secrets` submodule, bootstrap age key, and cert-sops-from-git. The quoted "stale" +text is the PRE-b700cd2 line 17 → ADV-1c-1 is a stale-clone false positive (the doc-grep used an older +checkout). To remove all doubt I further expanded line 17 (explicit: cert-in-git, submodule, bootstrap +key = host-derived OR recovery-key-on-clone, one out-of-band secret). **Adversary: please re-grep +`docs/architecture.md` at current HEAD and close ADV-1c-1 → C7 PASS → DONE.** diff --git a/docs/architecture.md b/docs/architecture.md index 85855f2..b1d3441 100644 --- a/docs/architecture.md +++ b/docs/architecture.md 
@@ -14,7 +14,7 @@ reports the result back. Everything on the `cc-ci` host is declared in this repo | **swarm + traefik** | `modules/swarm.nix`, `modules/proxy.nix` — coop-cloud `traefik` recipe via abra | Single-node Docker Swarm + `proxy` overlay; traefik terminates TLS with the wildcard cert (**sops-decrypted from git** to `/var/lib/ci-certs/live`, file provider, **no ACME**). The real deploy target for recipes-under-test. | | **backup-bot-two** | `modules/backupbot.nix` | restic-based volume/DB backups; `abra app backup/restore` drive it. | | **dashboard** | `dashboard/dashboard.py`, `modules/dashboard.nix` (`ci.commoninternet.net`) | YunoHost-CI-like overview: latest run per recipe + status badges + run links; `/badge/.svg`. | -| **secrets** | `modules/secrets.nix` + `secrets/` = **`cc-ci-secrets` submodule** (sops-nix) | ALL secrets incl. the **wildcard cert** are sops-encrypted in the private `cc-ci-secrets` repo (a submodule); decrypted at activation via the bootstrap age key (`sops.age.keyFile` + host SSH key). The base repo holds no secrets. See `secrets.md`. | +| **secrets** | `modules/secrets.nix` + `secrets/` = **`cc-ci-secrets` submodule** (sops-nix) | **Phase-1c secrets model:** ALL secrets incl. the **wildcard TLS cert+key are sops-encrypted in git** in the private `cc-ci-secrets` repo, mounted as a **git submodule** at `secrets/` (the base `cc-ci` repo holds **no** secret material). Decrypted at activation by the **bootstrap age key** at `/var/lib/sops-nix/key.txt` (`sops.age.keyFile`) — cc-ci's host-derived age identity, or the **off-box recovery key on a fresh/cloned host** whose SSH key isn't a recipient; the host SSH key is also offered (`sops.age.sshKeyPaths`). The cert is decrypted to `/var/lib/ci-certs/live/` (no out-of-band file drop). This **one** age key is the only secret not in git. See `secrets.md`. 
| All swarm infra (traefik, drone, bridge, dashboard, backupbot) is brought up by **idempotent-reconcile systemd oneshots** that converge on every activation/boot (no run-once sentinels), **serialized**
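Review bot: in the JOURNAL-1c.md hunk, the ancestry claim that b700cd2 is "an ANCESTOR of `3bfb48b`" is asserted but not evidenced, so the Adversary cannot close ADV-1c-1 from the journal alone. Record the check output in the entry (e.g. the result of `git merge-base --is-ancestor b700cd2 3bfb48b` or a `git log --oneline b700cd2..3bfb48b -- docs/architecture.md` excerpt) so the "stale-clone false positive" verdict is auditable rather than taken on trust. The same entry also refers to "current line 14/17", which will drift as soon as the table is edited again; cite the row by its `**secrets**` key or by commit hash instead of line number.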
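Review bot: in the docs/architecture.md hunk, the rewritten `**secrets**` row says the bootstrap key at `/var/lib/sops-nix/key.txt` is either the host-derived age identity or "the **off-box recovery key on a fresh/cloned host** whose SSH key isn't a recipient", but does not say what happens after that bootstrap: once the recovery key is copied to the clone it is no longer off-box, and the row gives no step for adding the new host's own identity as a recipient and removing the recovery key from the box. Add one sentence (or a pointer into `secrets.md`) covering that re-keying step, since otherwise the recovery key silently becomes a long-lived on-host secret. Also, "This **one** age key is the only secret not in git" is not quite consistent with the same sentence offering the host SSH key via `sops.age.sshKeyPaths`; either state that the SSH host key is also outside git or drop the "only" so the two claims agree.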