From a7600346b13e1137c0b9365d8e2afc12a01d489f Mon Sep 17 00:00:00 2001
From: autonomic-bot <maxf.account@proton.me>
Date: Wed, 27 May 2026 18:09:38 +0100
Subject: [PATCH] =?UTF-8?q?1c/W4:=20status=20=E2=80=94=20cc-ci=20on=20ld19?=
 =?UTF-8?q?aj2=20(final);=20fresh=20throwaway=20booting=20for=20single-swi?=
 =?UTF-8?q?tch=20C4=20proof?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 STATUS-1c.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/STATUS-1c.md b/STATUS-1c.md
index 92e67fb..4e8a289 100644
--- a/STATUS-1c.md
+++ b/STATUS-1c.md
@@ -9,6 +9,16 @@ The repo's STATUS.md / BACKLOG.md / REVIEW.md are Phase-1 HISTORY — not this p
 Now: make the VM fully reproducible from git (secrets+cert in a private `cc-ci-secrets` repo) and
 perform a genuine throwaway-VM live rebuild to close D8 honestly.
 
+## In flight — W4 (throwaway live rebuild)
+- W1 DONE (cc-nix-test 6→4 GB, healthy). W2 PASS (Adversary cold). W3 DONE (VM reachable).
+- W4 Step A DONE: cc-ci on final config with `sops.age.keyFile` + serialized abra reconcilers →
+  byte-identical **`ld19aj2…`** (zero drift). (config evolved vh6vwxbl→izsmiajw→ld19aj2; ld19aj2 is final.)
+- W4 Step B (1st run, pre-fix): blank VM built **izsmiajw==cc-ci byte-identical** from git + recovery
+  key; cert+secrets decrypted; TLS leaf == git cert (`57:8D:…:B8:A6`). Found+fixed concurrent-abra
+  race (serialized reconcilers). **Now: fresh throwaway booting → prove SINGLE switch converges (0 failed).**
+- Then claim **Gate W4**.
+
+<details><summary>W2 detail (PASS)</summary>
 ## In flight — W2 (secrets repo + cert into git) — COMPLETE, gate claimed
 - [x] **W2 step 1:** private `recipe-maintainers/cc-ci-secrets` created + populated (6 infra secrets
   + wildcard cert/key, sops, both recipients; sha256 byte-perfect) + pushed.
@@ -18,6 +28,7 @@ perform a genuine throwaway-VM live rebuild to close D8 honestly.
   git (symlinks, sha256 match), system running 0 failed, byte-identical (build==running), git-clone
   `?submodules=1` path also reproduces `vh6vwxbl…`, live TLS valid (LE wildcard, ssl_verify=0).
 - (Recovery-key `sops.age.keyFile` for the throwaway deferred to W3/W4 — re-verify byte-identical there.)
+</details>
 
 ## Gate
 **Gate: W2 — PASS @2026-05-27 16:55Z (Adversary, cold).** C1/C2/C3 verified: byte-identical