diff --git a/BACKLOG-1c.md b/BACKLOG-1c.md index c6ed72d..0edecb8 100644 --- a/BACKLOG-1c.md +++ b/BACKLOG-1c.md @@ -17,8 +17,8 @@ Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary ga - [x] **Gate W2 CLAIMED** → Adversary verifies byte-identical + TLS-from-git-cert. - [x] **W1 — Headroom.** Resized `cc-nix-test` 6→4 GB (stop→PATCH→start via Incus API); healthy at 4 GB, 0 failed units, all stacks 1/1, cert survived reboot via sops, TLS 200. Running RAM 8 GB. -- [ ] **W3 — Throwaway VM.** Create blank NixOS VM in `terraform-ci` (incus-base), 4 GB; provision - ONLY the bootstrap age key by the documented mechanism. Accept: VM reachable. +- [x] **W3 — Throwaway VM.** `ccci-throwaway` (incus-base, 4 GB/20 GB) reachable at 100.126.124.86 + (used live TS_AUTH_KEY; workspace key stale). Bootstrap age key provisioned in W4. - [ ] **W4 — Reproducible live rebuild.** On throwaway VM: clone base+secrets, `nixos-rebuild switch`, watch oneshots converge, secrets+cert decrypt. Accept: fully up, no step outside docs/install.md; capture evidence. **Gate W4 CLAIMED.** diff --git a/JOURNAL-1c.md b/JOURNAL-1c.md index aef41fa..d0d06b9 100644 --- a/JOURNAL-1c.md +++ b/JOURNAL-1c.md 
@@ -167,3 +167,25 @@ NOTE: cc-nix-test was terraform-created (`projects/cc-nix-test`); my W1 API resi 3. **Bridge side effect:** throwaway's bridge would poll Gitea with the real token (fresh state ⇒ could re-trigger already-`!testme`'d PRs). Mitigate: run W4 when no `!testme` is pending; destroy promptly. - Adding keyFile changes the closure again (W2 byte-identical was at `vh6vwxbl`); re-verify after. + +## 2026-05-27 — W3 DONE (VM reachable) + keyFile finding + +**W3 reachable:** throwaway base boot initially failed tailscale auth — the incus-workspace +`.test.env` key is **stale** ("invalid key: API key does not exist"). Fixed by writing the **current +`TS_AUTH_KEY` from /srv/cc-ci/.testenv** (same tailnet `taila4a0bf.ts.net`) to /etc/ts-auth-key and +`tailscale up`. VM now at **100.126.124.86**; `ssh -i vm_ssh_key` via the 1055 proxy works → NixOS +24.11 (rev 50ab793, == cc-ci), nix 2.24 flakes, 4 GB / 20 GB (13 G free). *(install.md/Adversary note: +provision the live TS key, not the stale workspace one.)* + +**keyFile finding (decisive):** read sops-install-secrets main.go (sops-nix 77c423a, store +`hm2xjph…-source/pkgs/sops-install-secrets/main.go`): when `age.keyFile` is set, line ~1349 +`os.ReadFile(AgeKeyFile)` and **returns a fatal error if the file is missing** → activation fails. +⇒ Adding `keyFile` to cc-ci's config FORCES the file to exist on cc-ci. Also: `sshKeyPaths` reads +`/etc/ssh/ssh_host_ed25519_key` (exists on any host; non-recipient keys are simply unused), so keeping +both is safe on both hosts. + +**W4 design (locked):** secrets.nix gets `sops.age.keyFile = "/var/lib/sops-nix/key.txt"` (keep +sshKeyPaths). Provision that file = the host's bootstrap age key: on **cc-ci** = its host-derived age +key (ssh-to-age of the host SSH key — no new secret exposure); on the **throwaway** = the **recovery +key** (/srv/cc-ci/.sops/master-age.txt). cc-ci must get the file BEFORE the keyFile config deploys. 
+Adding keyFile changes the closure (supersedes W2 `vh6vwxbl`) → re-verify byte-identical after.
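Review bot: in the BACKLOG-1c.md hunk, the rewritten W3 line quietly drops the acceptance criterion of the line it replaces ("provision ONLY the bootstrap age key by the documented mechanism") and instead records an undocumented manual step (writing the live `TS_AUTH_KEY` from /srv/cc-ci/.testenv because the workspace key was stale) while deferring the age key to W4, whose own acceptance still reads "no step outside docs/install.md". Either carry the TS-key provisioning into docs/install.md before W4 is claimed, or add a follow-up item so the deviation is tracked rather than lost in a checked-off line; the stale `.test.env` key should also get its own item (remove or replace it) so it is not reused on the next VM.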
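Review bot: in the JOURNAL-1c.md hunk, the locked W4 design places the recovery key (/srv/cc-ci/.sops/master-age.txt) on the throwaway VM, the same VM the preceding entry notes will poll Gitea with the real token; the entry should state how that copy is retired (destroy the VM and its disk, not just stop it, and when) and why a purpose-made throwaway age key added as a recipient was not preferred, since the recovery key's exposure now extends beyond cc-ci. Two smaller points: the ordering constraint "cc-ci must get the file BEFORE the keyFile config deploys" follows directly from the main.go finding that a missing `age.keyFile` is fatal at activation, so the W4 procedure should include an explicit pre-check that /var/lib/sops-nix/key.txt exists on cc-ci before `nixos-rebuild switch`; and "line ~1349" should be pinned to the exact line at sops-nix 77c423a so the finding is reproducible when re-verifying the `vh6vwxbl` closure change.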