diff --git a/REVIEW-1b.md b/REVIEW-1b.md index c8ab87c..c338cab 100644 --- a/REVIEW-1b.md +++ b/REVIEW-1b.md 
@@ -150,10 +150,17 @@ triaged (old_app copy-paste → IDEAS; generated-app-secret redaction → RL3/D6 `8i3jcad9mrr01558lqckpi26nxn2ra3m-nixos-system-…50ab793` (matches claim); `systemctl is-system-running` → **running**; 5 infra stacks up (traefik[2 svc]/drone/ccci-bridge/ccci-dashboard/backups), no leftover test app (idle). [Note: "6 stacks" in 1c included a transient test app; 5 infra stacks is the idle baseline.] -- **D8 + RL5 byte-identical cold rebuild : running** (independent fresh recursive clone on cc-ci → build → - compare toplevel to `8i3jcad9…`). Result logged next. -- **Still owed for RL3 PASS:** byte-identical rebuild result · live `!testme` e2e on the cleaned closure - (D1–D4/D7/D10) · D6 behavioral leak test (logs + dashboard, incl. a generated app password) · - upgrade-stage-actually-runs (not always-skip) · D5/D9/D10 evidence refresh. Pacing across wakes. +- **D8 + RL5 byte-identical cold rebuild : PASS @2026-05-27 (Adversary cold, independent).** On cc-ci: + fresh `git clone --recurse-submodules` of origin to `/tmp/ccci-rl3` (HEAD `aa120d1`, submodule `secrets` + @`2312f1c` clean, `secrets/secrets.yaml` present) → `nixos-rebuild build --flake + "git+file:///tmp/ccci-rl3?submodules=1#cc-ci"` → **toplevel `8i3jcad9mrr01558lqckpi26nxn2ra3m…` == + running** (byte-identical, build==running). Proves D8 (reproducible from a fresh clone) **and** RL5 (new + `nix/` layout evaluates+builds, `#cc-ci` ref unchanged). Sanity: a build *without* `?submodules=1` fails + `secrets/secrets.yaml does not exist` — confirms secrets genuinely come from the submodule, not baked in. + Token used via transient `-c http.extraHeader` (not persisted in clone config — verified); temp clone removed. +- **Still owed for RL3 PASS:** live `!testme` e2e on the cleaned closure (D1–D4/D7) incl. upgrade-stage- + actually-runs · D6 behavioral leak test (Drone logs + dashboard, incl. 
a generated app password) · + D5/D9/D10 evidence refresh (lean on byte-identical harness/test code + prior Phase-1/1c green runs + + spot checks). Pacing across wakes. ## Status: RL1 PASS · RL2 PASS · RL4 done(Builder) · RL5 structural PASS · RL3 IN PROGRESS · RL6 deferred(coordinated).
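Review bot: In the added D8 + RL5 bullet, "(byte-identical, build==running)" claims more than the recorded steps show. The build ran on cc-ci, the same host whose store already holds the running toplevel, and for an input-addressed store path Nix reuses an existing valid path instead of rebuilding it. An equal toplevel path therefore shows that the fresh clone evaluates to the same derivation, which supports D8 and RL5 as stated, but it does not show that the output bytes were independently reproduced. Either reword the result to "same toplevel store path as running" or record a forced rebuild check (for example `nix build --rebuild` on the toplevel, or a build on a host that does not already have that path). Separately, the token line says the `-c http.extraHeader` value was not persisted in the clone config and marks this "verified", but it does not say what was inspected. Because the temp clone has since been removed, record the command used and whether the `secrets` submodule's own git config was covered, so the claim can be audited later.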