status(1b): RL2 clean + RL5 done + canonical switched to cleaned closure (build==running 8i3jcad9); claim RL3 gate

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

BACKLOG-1b.md

@@ -20,10 +20,28 @@ Phase-namespaced backlog. Builder owns `## Build backlog`; Adversary owns `## Ad
       to file. Recorded in JOURNAL-1b. Awaiting Adversary's own §3 pass #2 to confirm RL2.
 
 ### W2 — Re-verify + document (RL3/RL4)
-- [ ] After W0+W1 land, request Adversary cold re-verification of all D1–D10 (RL3).
-- [ ] docs/: how to run lint/format locally + that CI enforces it (RL4); record deviations in
-      DECISIONS.md.
+- [x] RL4 docs: README "Linting & formatting" (local + CI-enforced); architecture.md `nix/` layout;
+      decisions in DECISIONS.md (lint tooling, RL5/RL6).
+- [x] Rebuild canonical cc-ci to the cleaned+RL5 closure (`8i3jcad9`) so `build == running`; healthy
+      (0 failed, stacks up, public dashboard 200).
+- [ ] **RL3**: Adversary cold re-verification of all D1–D10 (now also covers the RL5 byte-identical
+      rebuild). Gate claimed in STATUS-1b.
 - [ ] On full PASS handshake, write `## DONE` to STATUS-1b.md.
 
+### RL5 — Nix-folder consolidation (operator §7) — DONE
+- [x] `modules/`→`nix/modules/`, `hosts/`→`nix/hosts/`; flake at root (#cc-ci unchanged); paths fixed;
+      docs updated; builds byte-identical `8i3jcad9`; lint PASS; canonical switched + healthy.
+
+### RL6 — protocol files → machine-docs/ (operator §7) — DEFERRED (coordinated, LAST)
+- [ ] `git mv STATUS*/REVIEW*/JOURNAL*/BACKLOG*/DECISIONS.md machine-docs/` (README stays root);
+      update refs. MUST be lockstep with orchestrator (launch.sh + watchdog restart). Do as the final
+      1b step; flag the orchestrator first. Not while a phase transition is pending.
+
+### Advisories triaged (from Adversary §3 pass #2)
+- [idea] Share the `old_app` upgrade fixture across recipe suites instead of per-recipe copy-paste —
+  advisory only (per-recipe upgrade tests are by design; not a harness-DRY blocker). Defer to Phase 2.
+- App-secret redaction (`cc-ci-run` Drone step not wrapped by `run_stage_redacted`) — Adversary RL3/D6
+  behavioral leak test re-checks published logs + dashboard. Adversary-owned watch-item.
+
 ## Adversary findings
 (empty — Adversary owns this section)

JOURNAL-1b.md

@@ -96,3 +96,40 @@ Adversary's RL2 confirmation. Findings over the post-W0 (cleaned) codebase:
 **No blocking finding; nothing to fix; no advisory item to file.** The Adversary owns the RL2
 confirmation and is running its own §3 pass #2 (harness-DRY / redaction / architecture). Awaiting that;
 W2 (rebuild cc-ci to the formatted closure + request cold RL3 D1–D10) follows once RL2 is confirmed.
+
+## 2026-05-27 — RL2 clean + RL5 (nix/ consolidation) + W2 switch to cleaned closure
+
+**RL2 (Adversary §3 pass #2):** no blocking findings; 2 advisories — (a) `old_app` upgrade-fixture
+copy-paste across recipes → triaged to IDEAS (per-recipe upgrade tests are by design; sharing is a
+nicety, not a DRY-blocker); (b) app-secret redaction: the `cc-ci-run` Drone step path isn't wrapped by
+`run_stage_redacted`, so the Adversary will re-run the behavioral D6 leak test at RL3 (grep published
+Drone logs + dashboard for a known generated app password). My Builder §3 self-review agreed (no
+blockers). W1 is light/clean.
+
+**RL5 — consolidate Nix code under `nix/`** (operator item, plan §7). `git mv modules nix/modules`,
+`git mv hosts nix/hosts`; flake.nix/flake.lock stay at root (`#cc-ci` unchanged); only flake's
+internal configuration.nix path + the moved modules' root-relative refs changed (`../X`→`../../X`).
+Built on cc-ci → toplevel `8i3jcad9…` **byte-identical to the pre-move build** (content-addressed;
+module .nix not in the runtime closure). Living docs + `.drone.yml` comment updated to `nix/…`.
+
+**W2 — switched canonical cc-ci to the cleaned+RL5 closure** so `build == running` (required before
+RL3: a fresh clone builds `8i3jcad9`; running had to match or the byte-identical-to-running check
+would fail). Re-synced `/root/cc-ci` to HEAD, `nixos-rebuild switch --flake 'path:/root/cc-ci#cc-ci'`:
+```
+stopping units: deploy-bridge.service, deploy-dashboard.service
+sops-install-secrets: Imported …ssh_host_ed25519_key as age key (age1h90utdz…)
+starting units: deploy-bridge.service, deploy-dashboard.service
+```
+Post-switch health (all green):
+- `readlink /run/current-system` → `8i3jcad9mrr01558lqckpi26nxn2ra3m-…` (== fresh-clone build; was
+  `cqym8knjg7…` pre-format).
+- `systemctl is-system-running` → `running`, **0 failed**. deploy-bridge/deploy-dashboard `active`.
+- 5 stacks up (backups, ccci-bridge, ccci-dashboard, drone, traefik); `ccci-bridge_app` + 
+  `ccci-dashboard_app` 1/1 with NEW content-hash image tags (reformatted source redeployed).
+- Public via SOCKS proxy → gateway → cc-ci: `https://ci.commoninternet.net/` → **200**
+  (`<title>cc-ci — Co-op Cloud recipe CI</title>`); `/badge/custom-html.svg` → **200**.
+
+Net: RL1 PASS, RL2 clean, RL4 docs landed (README lint section + architecture.md `nix/` layout),
+RL5 done + healthy, running==build==`8i3jcad9`. Remaining for DONE: **RL3** (Adversary cold D1–D10
+re-verify, now also covering the RL5 byte-identical rebuild) and **RL6** (coordinated machine-docs/
+move — LAST, with orchestrator lockstep). Claiming the RL3 gate.

STATUS-1b.md

@@ -10,15 +10,18 @@ Phase 1b runs **after** Phase 1 + Phase 1c (both DONE) and **before** Phase 2. I
 review + lint pass over the final post-1c codebase. Exit = RL1–RL4 all Adversary-confirmed in
 REVIEW-1b, then `## DONE`.
 
-## Definition of Done (Phase 1b)
-- [ ] **RL1** — Lint/format tooling added (`lint` entrypoint + Nix devshell) + wired as a `.drone.yml`
-      stage; whole Phase-1 codebase passes.
-- [ ] **RL2** — White-box review checklist (§3) run; blocking findings fixed; advisory triaged to
-      BACKLOG/IDEAS. Findings + resolutions in REVIEW-1b.
-- [ ] **RL3** — Full Phase-1 D1–D10 re-verification from cold start (the final gate), nothing
-      weakened. Adversary logs fresh PASS + evidence in REVIEW-1b within 24h.
-- [ ] **RL4** — Documented: docs/ note how to run lint/format locally + that CI enforces it; accepted
+## Definition of Done (Phase 1b) — now RL1–RL6 (operator added RL5/RL6, plan §7)
+- [x] **RL1** — Lint/format tooling + `.drone.yml` stage; codebase passes. **Adversary cold PASS.**
+- [x] **RL2** — §3 white-box checklist run (both loops); no blocking findings; 2 advisories triaged
+      (old_app→IDEAS; app-secret-redaction→RL3/D6 watch-item). Recorded REVIEW-1b + JOURNAL-1b.
+- [ ] **RL3** — Full D1–D10 cold re-verification (final gate), nothing weakened; now also covers the
+      RL5 byte-identical rebuild. **CLAIMED — awaiting Adversary.**
+- [x] **RL4** — Documented: README lint section (local + CI-enforced) + architecture.md `nix/` layout;
       deviations in DECISIONS.md.
+- [x] **RL5** — Nix code consolidated under `nix/`; flake at root (#cc-ci unchanged); builds
+      byte-identical `8i3jcad9`; canonical switched + healthy.
+- [ ] **RL6** — protocol files → `machine-docs/`: DEFERRED to the coordinated end (orchestrator
+      lockstep on launch.sh + watchdog). README stays at root.
 
 ## In flight
 **W0 (RL1) — DONE, Adversary cold PASS @2026-05-27** (REVIEW-1b: clean checkout → `lint: PASS` +
@@ -34,7 +37,16 @@ fix needed, no advisory filed. **Awaiting the Adversary's own §3 pass #2 to con
 cc-ci to the formatted closure (running == cleaned source) and request the cold D1–D10 re-verify.
 
 ## Gate
-**W1/RL2 — Builder review done; awaiting Adversary §3 pass #2** (no blocking findings open).
+**RL3 CLAIMED, awaiting Adversary.** Canonical cc-ci is switched to the cleaned+RL5 closure:
+`readlink /run/current-system` == `8i3jcad9mrr01558lqckpi26nxn2ra3m-…` == a fresh recursive clone's
+build (`build == running`, byte-identical), `running`/0-failed, 5 stacks up, public
+`https://ci.commoninternet.net/` → 200. Request: cold re-verify **all D1–D10** to the same bar as
+Phase-1 DONE (fresh PASS + evidence + timestamps in REVIEW-1b within 24h), confirming the
+lint/format + RL5 cleanup softened/skipped/regressed nothing, and the byte-identical rebuild.
+After RL3 PASS: do RL6 (coordinated with orchestrator), then `## DONE`.
+
+RL6 reminder: I will flag the orchestrator to update `launch.sh` + restart the watchdog in lockstep
+with the `git mv` to `machine-docs/` — done as the final step, not while RL3 is pending.
 
 ## Blocked
 (none)