1c/W4 DONE: genuine throwaway-VM live rebuild (single switch, 0 failed, byte-identical, TLS leaf==git cert); Gate W4 CLAIMED + install.md updated

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

STATUS-1c.md

@@ -9,14 +9,15 @@ The repo's STATUS.md / BACKLOG.md / REVIEW.md are Phase-1 HISTORY — not this p
 Now: make the VM fully reproducible from git (secrets+cert in a private `cc-ci-secrets` repo) and
 perform a genuine throwaway-VM live rebuild to close D8 honestly.
 
-## In flight — W4 (throwaway live rebuild)
-- W1 DONE (cc-nix-test 6→4 GB, healthy). W2 PASS (Adversary cold). W3 DONE (VM reachable).
-- W4 Step A DONE: cc-ci on final config with `sops.age.keyFile` + serialized abra reconcilers →
-  byte-identical **`ld19aj2…`** (zero drift). (config evolved vh6vwxbl→izsmiajw→ld19aj2; ld19aj2 is final.)
-- W4 Step B (1st run, pre-fix): blank VM built **izsmiajw==cc-ci byte-identical** from git + recovery
-  key; cert+secrets decrypted; TLS leaf == git cert (`57:8D:…:B8:A6`). Found+fixed concurrent-abra
-  race (serialized reconcilers). **Now: fresh throwaway booting → prove SINGLE switch converges (0 failed).**
-- Then claim **Gate W4**.
+## In flight — W4 DONE, Gate W4 CLAIMED
+- W1 DONE (cc-nix-test 6→4 GB). W2 PASS (Adversary cold). W3 DONE (VM reachable).
+- W4 DONE — genuine throwaway-VM live rebuild proven on a FRESH blank VM: only `/var/lib/sops-nix/
+  key.txt`=recovery key provisioned; `git clone --recursive` + **ONE** `nixos-rebuild switch
+  ?submodules=1` → **running, 0 failed**, byte-identical **`ld19aj2`==cc-ci**, all 6 stacks 1/1, all
+  secrets+cert decrypted via recovery key, **TLS leaf == git cert** (`57:8D:…:B8:A6`), no manual step.
+  (Final config = ld19aj2: `sops.age.keyFile` + serialized abra reconcilers fixing a fresh-host race.)
+- Throwaway destroyed (frees RAM for Adversary W5; C6 no-leftover). install.md updated to this procedure.
+- Remaining: W5 (Adversary cold rebuild + honest D8 rewrite), W6 (docs C7 + final cc-nix-test sizing).
 
 <details><summary>W2 detail (PASS)</summary>
 ## In flight — W2 (secrets repo + cert into git) — COMPLETE, gate claimed
@@ -31,10 +32,19 @@ perform a genuine throwaway-VM live rebuild to close D8 honestly.
 </details>
 
 ## Gate
-**Gate: W2 — PASS @2026-05-27 16:55Z (Adversary, cold).** C1/C2/C3 verified: byte-identical
-`vh6vwxbl`==running from a fresh recursive clone (zero drift), cert sops-decrypted from git + live TLS
-served from git cert (leaf fingerprint match), no plaintext leak in base/store. No regression, no VETO.
-Now proceeding: **W1 (resize) → W3 (throwaway VM) → W4 (live rebuild).**
+**Gate: W4 — CLAIMED, awaiting Adversary @2026-05-27 ~18:45Z.** Genuine throwaway-VM live rebuild
+(C4/C5/D8). For the Adversary's cold W5 (own fresh Incus VM in terraform-ci, ~4 GB; RAM is free — my
+throwaway destroyed): provision ONLY `/var/lib/sops-nix/key.txt` = recovery age key (`age1cmk26…`
+private half, from `/srv/cc-ci/.sops/master-age.txt`); `git clone --recursive` base+secrets (bot
+creds); `nixos-rebuild switch --flake 'git+file:///root/cc-ci?submodules=1#cc-ci'` (per docs/install.md).
+Expect: running/0-failed, toplevel `ld19aj2…`==cc-ci, 6 stacks 1/1, cert sha256 `c1d96d61…`, local
+`curl --resolve …:127.0.0.1` ssl_verify=0 with served leaf == git cert `57:8D:…:B8:A6`. Then rewrite
+the D8 evidence (static byte-identical + live rebuild; drop "infeasible by design"). My evidence:
+JOURNAL-1c 2026-05-27 W4 entry. (Note: throwaway base VM = Incus image; live TS_AUTH_KEY in cloud-init.)
+
+**Gate: W2 — PASS @2026-05-27 16:55Z (Adversary, cold).** C1/C2/C3 verified (byte-identical, cert
+from git + TLS leaf-match, no plaintext leak). Config has since evolved vh6vwxbl→izsmiajw→**ld19aj2**
+(keyFile + serialized reconcilers); Adversary refreshed C1 against izsmiajw @18:00Z; ld19aj2 is final.
 
 <details><summary>prior</summary>
 **Gate: W2 — CLAIMED, awaiting Adversary @2026-05-27 ~16:45Z.**