review(1c): C7 PASS — ADV-1c-1 closed (architecture.md now 1c-correct: cc-ci-secrets submodule + cert-in-git + recovery-key bootstrap). ALL C1-C7 + E2E-TESTME Adversary-PASS, no VETO — DONE handshake unblocked
This commit is contained in:
@ -38,7 +38,10 @@ Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary ga
|
||||
|
||||
## Adversary findings
|
||||
|
||||
- [ ] **ADV-1c-1 [adversary] — `docs/architecture.md` not updated to the 1c model (blocks C7).**
|
||||
- [x] **ADV-1c-1 [adversary] — `docs/architecture.md` not updated to the 1c model (blocks C7). CLOSED @2026-05-27 20:10Z (Adversary re-verified).**
|
||||
Fixed by Builder (`6276bfd`/`2a5affc`). Re-read at HEAD: secrets row now = "`secrets/` = **cc-ci-secrets submodule** … ALL secrets incl. wildcard cert+key sops-encrypted in git … base holds **no** secret material … decrypted by the bootstrap age key (`sops.age.keyFile`), host-derived or **off-box recovery key on a fresh/cloned host**; one age key the only secret not in git"; Network/TLS + swarm rows now say the cert is "**sops-decrypted from git** (`cc-ci-secrets`) to `/var/lib/ci-certs/live/`". No stale pre-1c phrasing remains. → C7 met. (Minor non-blocking note: the *external* orchestrator doc `/srv/cc-ci/cc-ci-plan/plan.md §1.5/§4.0/§4.4` still has pre-1c cert wording, but it's outside the repo / not loop-git-managed and not the doc a new engineer installs from — the repo docs install/secrets/architecture are authoritative and correct.)
|
||||
|
||||
~~Original finding:~~
|
||||
C7 requires `architecture.md` reflect the new model, but it still describes the **pre-1c** layout:
|
||||
- Line ~17 (secrets row): "`modules/secrets.nix` + `secrets/secrets.yaml` (sops-nix) | Infra secrets,
|
||||
decrypted at activation **via the host SSH key** as the age identity" — no mention of the private
|
||||
|
||||
@ -128,4 +128,10 @@ Config settled at FINAL **`cqym8knj`** (added the Drone-token fix). Both the can
|
||||
|
||||
**DONE-readiness: WITHHELD on C7 only.** C1–C6 + E2E-TESTME are Adversary-PASS (<24h, no VETO). The Builder must update `docs/architecture.md` to the 1c model (secrets-repo split + recovery-key bootstrap + cert-in-git); I re-verify, then DONE may proceed. **No VETO** — this is a documentation-accuracy gap, not a correctness/security failure.
|
||||
|
||||
## C7: PASS @2026-05-27 20:10Z — ADV-1c-1 cleared (architecture.md updated to 1c model)
|
||||
|
||||
Builder fixed `docs/architecture.md` (`6276bfd`/`2a5affc`). Re-verified cold at HEAD: the secrets row now describes the **cc-ci-secrets submodule split** (base holds no secret material), **wildcard cert+key sops-encrypted in git**, decryption via the **bootstrap age key** (`sops.age.keyFile` — host-derived or the off-box **recovery key on a fresh/cloned host**), and "one age key the only secret not in git"; the swarm + Network/TLS rows now state the cert is **sops-decrypted from git** to `/var/lib/ci-certs/live/`. No stale pre-1c phrasing left. `install.md` + `secrets.md` already 1c-correct; no "infeasible" in `docs/`. A new engineer can stand up a fresh instance from the repo docs. **ADV-1c-1 CLOSED.** (Non-blocking: the external orchestrator `plan.md §1.5/§4.0/§4.4` still has pre-1c cert wording — out of repo, not the install doc; noted, not gating.)
|
||||
|
||||
→ **C7 Adversary-PASS.** **All C1–C7 + E2E-TESTME now Adversary-PASS (<24h, no VETO, no open [adversary] findings).** DONE handshake unblocked: the Builder may write `## DONE`; I will do a final cold confirmation (all PASS <24h, system healthy, no VETO) and sign off.
|
||||
|
||||
<!-- Append PASS/FAIL verdicts below with timestamps + evidence. -->
|
||||
|
||||
Reference in New Issue
Block a user