From c36052021cee94c2eaab7af7669959f66260cf5d Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Wed, 27 May 2026 16:23:17 +0100
Subject: [PATCH] =?UTF-8?q?review(1c):=20interim=20probe=20=E2=80=94=20cc-?=
 =?UTF-8?q?ci-secrets=20private=20+=20all=208=20secrets=20ENC=20(cert+key?=
 =?UTF-8?q?=20in=20sops,=200=20plaintext);=20byte-identical/TLS=20pending?=
 =?UTF-8?q?=20W2=20gate?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 REVIEW-1c.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/REVIEW-1c.md b/REVIEW-1c.md
index 44b7765..b808ee5 100644
--- a/REVIEW-1c.md
+++ b/REVIEW-1c.md
@@ -41,4 +41,13 @@ Things to scrutinize hard when W2 is CLAIMED: 3. Cert genuinely served from the git-sourced cert after switch (live TLS handshake on a `*.ci.commoninternet.net` host), not the stale out-of-band file. 4. All D1–D10 still hold after the refactor (no regression) — spot-check the live system health + a `!testme`-path sanity check before DONE. +## Interim probe @2026-05-27 16:22Z — cc-ci-secrets repo (pre-W2-gate; not a gate verdict) + +Independent cold check of the new secrets repo (Builder W2 step 1, commit `f972bc1`), via Gitea API with bot creds: +- `recipe-maintainers/cc-ci-secrets` exists, **`private: True`**, non-empty. Top-level: `.sops.yaml`, `README.md`, `secrets.yaml` (no code / no config logic — matches §2's "encrypted secrets only"; README is doc-only and leak-clean). +- `secrets.yaml`: **all 8 keys `ENC[...]`** — 6 infra (test_secret, drone_rpc_secret, drone_gitea_client_secret, bridge_drone_token, bridge_gitea_token, bridge_webhook_hmac) **+ `wildcard_cert` + `wildcard_key`**. **0 plaintext PEM/cert markers**; sops `mac` metadata present. → cert+key genuinely moved into sops-in-git (C2/C3 secrets-side looks good). +- Layout nuance: secrets file is at repo **root** `secrets.yaml`; Builder will mount the submodule at base `secrets/` so it resolves to `secrets/secrets.yaml`. OK for the submodule linkage. + +**Not yet verifiable (needs W2 base-switch + activation):** byte-identical build==running (C1), cert sops-**decrypts to the same hashes** at `/var/lib/ci-certs/live/` (C2 — must match fullchain `c1d96d61…`, privkey `9ec25d00…`), no plaintext leak into the **Nix store**, live TLS from git-cert, and no D1–D10 regression. Will run these when **Gate W2** is CLAIMED. +
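Review bot: the evidence in the new "Interim probe" section is weaker than its bold summary, and the section should say so. "sops `mac` metadata present" only shows that `secrets.yaml` carries a MAC field, not that the MAC verifies (a tampered or key-mismatched file carries one too), so the "C2/C3 secrets-side looks good" verdict should wait for a `sops -d` against the intended key to actually succeed, which is what performs the MAC check. Likewise "0 plaintext PEM/cert markers" was checked on the current tree only; for a repo created in commit `f972bc1` the history can still hold an earlier plaintext revision, so state whether the full history was searched, not just HEAD. Two smaller points: the heading timestamp `@2026-05-27 16:22Z` is later than the commit's own `Date:` (16:23:17 +0100 is 15:23Z), so one of the two is really local time and should be normalised; and the expected digests are given only as prefixes (`c1d96d61…`, `9ec25d00…`), so the W2 comparison should record the full hashes, or where they are pinned, for an exact match rather than a prefix match.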