1c/W5.5: point to authoritative E2E-TESTME spec (E1-E6); orchestrator-signal-gated

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

BACKLOG-1c.md

@@ -23,11 +23,13 @@ Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary ga
       --recursive` + ONE `nixos-rebuild switch ?submodules=1` → running/0-failed, byte-identical
       `ld19aj2`==cc-ci, 6 stacks 1/1, all secrets+cert decrypt, TLS leaf==git cert. Found+fixed a
       concurrent-abra race (serialized reconcilers). **Gate W4 CLAIMED** (awaiting Adversary W5).
-- [ ] **W5.5 — Functional-acceptance e2e (operator-gated).** AFTER W5 PASS + orchestrator renames the
-      verified throwaway→cc-nix-test (public gateway) + SIGNALS: post `!testme` (bot) on one fast enrolled
-      recipe (custom-html); confirm full pipeline vs the **public** domain (bridge→Drone→deploy to
-      `<recipe>.ci.commoninternet.net` reachable THROUGH the gateway→test→undeploy→report). Record Drone
-      run # + public-URL curl. Do NOT start before the orchestrator's swap-done signal. Keep VM stack up.
+- [ ] **W5.5 — Functional-acceptance e2e (E2E-TESTME, operator-gated).** Authority:
+      `cc-ci-plan/test-e2e-testme-acceptance.md`. After C4/C5 PASS + orchestrator renames rebuilt VM→
+      cc-nix-test + confirms public gateway + SIGNALS: `!testme` (bot) on a fast enrolled recipe
+      (custom-html); verify E1–E6 (self-check 200/cert → new Drone build via bridge → app reachable
+      EXTERNALLY at `<app>.ci.commoninternet.net` w/ valid cert+content → real assertions pass → clean
+      undeploy → reported). Evidence→JOURNAL-1c, verdict→STATUS/REVIEW-1c. Fail⇒fix in git, re-run.
+      Do NOT start before the signal; keep VM stack up. Adversary independently verifies.
 - [ ] **W5 — Adversary cold proof + honest D8.** Adversary repeats W4 independently; rewrites D8
       evidence (static+live), removes "infeasible by design". Accept: Adversary D8 live-rebuild PASS
       (or narrow signed-off limitation per C5).

JOURNAL-1c.md

@@ -311,3 +311,16 @@ public gateway** (curl the public subdomain, not localhost) → test passes →
 reported. Record Drone run # + public-URL curl in JOURNAL-1c/STATUS-1c as functional acceptance of
 D8/clean-room. Until the swap-done signal: keep the rebuilt VM's full stack running, do NOT tear down,
 do NOT start the e2e. (Tracked as W5.5 in BACKLOG-1c.)
+
+## 2026-05-27 — E2E-TESTME spec is authoritative (cc-ci-plan/test-e2e-testme-acceptance.md)
+
+Orchestrator: the full spec at `/srv/cc-ci/cc-ci-plan/test-e2e-testme-acceptance.md` is the AUTHORITY
+(supersedes earlier inline wording). Read it. It's MY test to execute; Adversary independently
+verifies. Preconditions P1-P3 are orchestrator-provided (node rename → cc-nix-test, public-gateway
+routing, then a SIGNAL). Self-check on signal: `curl https://ci.commoninternet.net/` → 200 ssl_verify=0.
+Pass criteria E1-E6 (new spec §3): E1 self-check; E2 new Drone build via bridge (not manual); E3 app
+answers EXTERNAL request at `<app>.ci.commoninternet.net` through gateway (real 200+cert+content, not
+localhost); E4 real assertions pass / build success; E5 clean undeploy; E6 reported + dashboard
+updated. Evidence→JOURNAL-1c, verdict→STATUS/REVIEW-1c as E2E-TESTME PASS. On fail: clean-room finding
+→ fix in GIT SOURCE (base/cc-ci-secrets), not the live VM → re-run. Bound: one recipe, one green run.
+Not started — awaiting orchestrator signal; rebuilt VM stack kept up.

STATUS-1c.md

@@ -74,16 +74,21 @@ plan's "destroy the throwaway" for that one VM. (Adversary: please do not destro
 This also settles C6 final sizing = **promote the rebuilt VM**. All other cleanup is normal (Builder's
 first throwaway already destroyed). See DECISIONS.md Phase-1c.
 
-### Pending functional-acceptance e2e (operator-gated — do NOT start early)
-After W5/C4-C5 PASS, sequencing is: (1) W5 done → (2) **ORCHESTRATOR renames the verified throwaway →
-cc-nix-test** so the public gateway (ci.commoninternet.net + `*.ci` via MagicDNS) routes to it, and
-**SIGNALS** me → (3) THEN I run a genuine e2e: post `!testme` (as the bot) on ONE enrolled recipe
-(fast, e.g. `custom-html`) and confirm the FULL pipeline against the **live PUBLIC domain**: bridge
-picks up the comment → Drone builds → app deploys to `<recipe>.ci.commoninternet.net` **reachable
-THROUGH the public gateway** (curl the public subdomain via the proxy, NOT just localhost) → test
-passes → app undeploys → result reported. Record Drone run # + public-URL curl in JOURNAL-1c/STATUS-1c
-as functional acceptance of D8/clean-room. **Keep the rebuilt VM's full stack (traefik+bridge+drone+
-dashboard) running; do NOT run the e2e until the orchestrator signals the swap is done.**
+### Pending functional-acceptance e2e — E2E-TESTME (operator-gated; do NOT start early)
+**Authority: `/srv/cc-ci/cc-ci-plan/test-e2e-testme-acceptance.md`** (supersedes any inline wording).
+MY test to execute; Adversary independently verifies. Gated: runs only after **C4/C5 PASS** AND the
+orchestrator (P1) renames the rebuilt throwaway → `cc-nix-test` + (P2) confirms the public gateway
+routes to it + (P3) **SIGNALS** me. Until the signal: keep the rebuilt VM's full stack
+(traefik+bridge+drone+dashboard) up; do NOT start.
+Self-check once signalled: `curl https://ci.commoninternet.net/` → `200 ssl_verify=0`.
+Then: `!testme` as the bot on one fast enrolled recipe (e.g. `custom-html`) and verify the real path.
+Pass criteria (all): **E1** self-check 200/valid cert on rebuilt VM; **E2** new Drone build via the
+bridge (run# > baseline, not a manual trigger); **E3** app answers an **EXTERNAL** request at
+`<app>.ci.commoninternet.net` through the gateway (real 200 + valid cert + app content, NOT localhost,
+NOT a Traefik 404); **E4** real test assertions pass, build success (no softening); **E5** clean
+undeploy (no residual stack); **E6** result reported back + dashboard updated. Evidence → JOURNAL-1c,
+verdict → STATUS-1c/REVIEW-1c as **E2E-TESTME PASS**. On failure: it's a clean-room finding — fix in
+**git source** (base / cc-ci-secrets), NOT the live VM, then re-run.
 
 ## Blocked
 (none)