1c/W4: cc-ci on ld19aj2 (byte-identical); throwaway TLS leaf-match == git cert (C4 cert proof)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

JOURNAL-1c.md

@@ -253,3 +253,16 @@ re-runs) + re-verify byte-identical, then **recreate the throwaway FRESH** to pr
 convergence (authoritative C4; mirrors the Adversary's W5 cold test).
 
 This is the LAST planned config change before W4 completes (config stable ld19aj2 thereafter).
+
+## 2026-05-27 — W4: cc-ci on serialized config (ld19aj2) + throwaway TLS leaf-match PASS
+
+- cc-ci switched to serialized config: `systemctl is-system-running`=running, **byte-identical
+  build==running==`ld19aj2dcrjm6jarq1k6rvhc0zww34qq` (ZERO DRIFT)**, 6 stacks.
+- **Throwaway local TLS (C4 cert proof):** on the rebuilt throwaway (IP 100.126.124.86),
+  `curl --resolve probe.ci.commoninternet.net:443:127.0.0.1` → http=404 (no route, expected)
+  **ssl_verify=0**. Served leaf sha256 fingerprint == git-cert leaf:
+  `57:8D:67:9E:FE:89:D5:FB:43:2E:2A:02:D6:A6:BA:F4:9B:98:1A:78:4A:6C:6A:85:DB:F6:A2:81:61:A6:B8:A6`
+  (== Adversary reference). Full chain of custody: git sops → recovery-key decrypt → /var/lib/ci-certs/
+  live → traefik swarm secret → served leaf. The rebuilt host serves the git-sourced cert.
+
+Next: recreate throwaway FRESH with fixed config to prove SINGLE nixos-rebuild switch converges (0 failed).