From 9e0f72ac4b524da9d0647289c5f8cebe6160fae2 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 20:29:26 +0100 Subject: [PATCH] =?UTF-8?q?review(1c):=20C7=20PASS=20=E2=80=94=20ADV-1c-1?= =?UTF-8?q?=20closed=20(architecture.md=20now=201c-correct:=20cc-ci-secret?= =?UTF-8?q?s=20submodule=20+=20cert-in-git=20+=20recovery-key=20bootstrap)?= =?UTF-8?q?.=20ALL=20C1-C7=20+=20E2E-TESTME=20Adversary-PASS,=20no=20VETO?= =?UTF-8?q?=20=E2=80=94=20DONE=20handshake=20unblocked?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- BACKLOG-1c.md | 5 ++++- REVIEW-1c.md | 6 ++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/BACKLOG-1c.md b/BACKLOG-1c.md index b3b6c48..fd0efc9 100644 --- a/BACKLOG-1c.md +++ b/BACKLOG-1c.md 
@@ -38,7 +38,10 @@ Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary ga ## Adversary findings -- [ ] **ADV-1c-1 [adversary] — `docs/architecture.md` not updated to the 1c model (blocks C7).** +- [x] **ADV-1c-1 [adversary] — `docs/architecture.md` not updated to the 1c model (blocks C7). CLOSED @2026-05-27 20:10Z (Adversary re-verified).** + Fixed by Builder (`6276bfd`/`2a5affc`). Re-read at HEAD: secrets row now = "`secrets/` = **cc-ci-secrets submodule** … ALL secrets incl. wildcard cert+key sops-encrypted in git … base holds **no** secret material … decrypted by the bootstrap age key (`sops.age.keyFile`), host-derived or **off-box recovery key on a fresh/cloned host**; one age key the only secret not in git"; Network/TLS + swarm rows now say the cert is "**sops-decrypted from git** (`cc-ci-secrets`) to `/var/lib/ci-certs/live/`". No stale pre-1c phrasing remains. → C7 met. (Minor non-blocking note: the *external* orchestrator doc `/srv/cc-ci/cc-ci-plan/plan.md §1.5/§4.0/§4.4` still has pre-1c cert wording, but it's outside the repo / not loop-git-managed and not the doc a new engineer installs from — the repo docs install/secrets/architecture are authoritative and correct.) + + ~~Original finding:~~ C7 requires `architecture.md` reflect the new model, but it still describes the **pre-1c** layout: - Line ~17 (secrets row): "`modules/secrets.nix` + `secrets/secrets.yaml` (sops-nix) | Infra secrets, decrypted at activation **via the host SSH key** as the age identity" — no mention of the private diff --git a/REVIEW-1c.md b/REVIEW-1c.md index af9529f..af55e92 100644 --- a/REVIEW-1c.md +++ b/REVIEW-1c.md 
@@ -128,4 +128,10 @@ Config settled at FINAL **`cqym8knj`** (added the Drone-token fix). Both the can **DONE-readiness: WITHHELD on C7 only.** C1–C6 + E2E-TESTME are Adversary-PASS (<24h, no VETO). The Builder must update `docs/architecture.md` to the 1c model (secrets-repo split + recovery-key bootstrap + cert-in-git); I re-verify, then DONE may proceed. **No VETO** — this is a documentation-accuracy gap, not a correctness/security failure. +## C7: PASS @2026-05-27 20:10Z — ADV-1c-1 cleared (architecture.md updated to 1c model) + +Builder fixed `docs/architecture.md` (`6276bfd`/`2a5affc`). Re-verified cold at HEAD: the secrets row now describes the **cc-ci-secrets submodule split** (base holds no secret material), **wildcard cert+key sops-encrypted in git**, decryption via the **bootstrap age key** (`sops.age.keyFile` — host-derived or the off-box **recovery key on a fresh/cloned host**), and "one age key the only secret not in git"; the swarm + Network/TLS rows now state the cert is **sops-decrypted from git** to `/var/lib/ci-certs/live/`. No stale pre-1c phrasing left. `install.md` + `secrets.md` already 1c-correct; no "infeasible" in `docs/`. A new engineer can stand up a fresh instance from the repo docs. **ADV-1c-1 CLOSED.** (Non-blocking: the external orchestrator `plan.md §1.5/§4.0/§4.4` still has pre-1c cert wording — out of repo, not the install doc; noted, not gating.) + +→ **C7 Adversary-PASS.** **All C1–C7 + E2E-TESTME now Adversary-PASS (<24h, no VETO, no open [adversary] findings).** DONE handshake unblocked: the Builder may write `## DONE`; I will do a final cold confirmation (all PASS <24h, system healthy, no VETO) and sign off. +
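Review bot: In the BACKLOG-1c.md hunk, the closing entry strikes only the label `~~Original finding:~~` while the original finding text that follows it ("C7 requires `architecture.md` reflect the new model, but it still describes the **pre-1c** layout: - Line ~17 ...") is left unstruck, so a reader scanning the backlog still sees an apparently live description of stale secrets handling; either strike or indent the whole original block consistently under the `[x]` item. The "Minor non-blocking note" about `/srv/cc-ci/cc-ci-plan/plan.md §1.5/§4.0/§4.4` still carrying pre-1c cert wording is recorded only as a parenthetical inside a closed item, which means nobody owns it; add a separate low-priority backlog line for it so the stale description of where the cert and key live does not persist unnoticed in the orchestrator doc.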
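Review bot: In the REVIEW-1c.md hunk, the "Re-verified cold at HEAD" claim for C7 names the fix commits (`6276bfd`/`2a5affc`) but not the HEAD SHA that was actually reviewed, so the PASS is not pinned to a specific tree; record the HEAD commit next to the `@2026-05-27 20:10Z` timestamp. The closing line asserts "All C1–C7 + E2E-TESTME now Adversary-PASS (<24h, no VETO ...)", but only C7 carries a timestamp in this hunk; since the final cold confirmation also requires "all PASS <24h", listing each check's verification time (or a single table of them) would make that window auditable rather than relying on the reviewer's memory. Minor style: the final `+` line adds a trailing blank line at end of file.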