chore: bootstrap cc-ci loop state

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

DECISIONS.md

@@ -0,0 +1,33 @@
+# DECISIONS — cc-ci Builder
+
+Architecture decisions and dead-ends. One line of rationale each. (§0, §8)
+
+## Settled
+
+- **Wildcard TLS:** operator pre-issues wildcard cert at `/var/lib/ci-certs/live/`; Traefik file
+  provider serves it; **no ACME** for commoninternet.net. (Plan §4.0/§8 — fixed.)
+- **Repo:** `git.autonomic.zone/recipe-maintainers/cc-ci`, private. Bot is org admin. (Bootstrap.)
+- **Git credentials:** helper script in repo-local git config sources `/srv/cc-ci/.testenv` at call
+  time — no secret values stored in `.git/config` or commits.
+
+## Open (defaults from §8, to confirm as reality lands)
+
+- **Deploy mechanism:** TBD in M0. Leaning `nixos-rebuild switch --flake` run *on cc-ci itself*
+  (repo cloned on host) rather than `--target-host`/deploy-rs from the sandbox, to avoid copying
+  large Nix closures over the userspace-tailscaled SOCKS proxy. Atomic-rollback is preserved by
+  Nix generations. Will record final choice + rationale when M0 lands.
+- **Webhook scope:** default per-repo via enroll script.
+- **Drone runner type:** default exec (must drive host abra).
+- **Secret tool:** default sops-nix.
+- **D10 recipe set:** lock six early. Candidates favouring already-mirrored: custom-html (simple),
+  cryptpad (stateful no-DB), keycloak (SSO/DB), matrix-synapse (DB+media), lasuite-docs (multi+S3),
+  bluesky-pds (TLS-passthrough) — covers all five categories. Confirm during M4–M6.5.
+
+## Risks
+
+- **Disk:** cc-ci has only ~3.8 GiB free on an 8.9 GiB root. Multiple recipe images + volumes may
+  exhaust it during M6.5 breadth. Mitigation: aggressive teardown + image prune; if insufficient,
+  request operator grow the VM disk (Incus, recreatable per the incus skill). Not yet blocking.
+
+## Dead-ends
+- (none yet)