1c/W2: cc-ci-secrets repo created + populated (cert+infra in sops, verified)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

STATUS-1c.md

@@ -9,10 +9,15 @@ The repo's STATUS.md / BACKLOG.md / REVIEW.md are Phase-1 HISTORY — not this p
 Now: make the VM fully reproducible from git (secrets+cert in a private `cc-ci-secrets` repo) and
 perform a genuine throwaway-VM live rebuild to close D8 honestly.
 
-## In flight
-- **W2 (next):** create private `cc-ci-secrets` repo; move all secrets + the wildcard cert into sops
-  there; wire the base flake to consume it. (W1 resize deferred until just before W3 — its only
-  purpose is RAM headroom for the throwaway VM, and it briefly stops the live server.)
+## In flight — W2 (secrets repo + cert into git)
+- [x] **W2 step 1 DONE:** private `recipe-maintainers/cc-ci-secrets` created + populated (6 infra
+  secrets + wildcard cert/key, sops, both recipients; cert/key sha256 verified byte-perfect) + pushed.
+  Layout: root `secrets.yaml` → submodule mounts at base `secrets/`.
+- [ ] **W2 step 2 (next):** base repo — replace tracked `secrets/` with the submodule; add
+  `wildcard_cert`/`wildcard_key` in secrets.nix (`path=` → /var/lib/ci-certs/live + recovery keyFile);
+  adjust proxy.nix; switch cc-ci via `--flake 'git+file:///root/cc-ci?submodules=1#cc-ci'`; prove
+  byte-identical + TLS-from-git-cert; then claim **Gate W2**.
+- (W1 resize deferred until just before W3 — it briefly stops the live server; only needed for VM headroom.)
 
 ## Definition of Done (C1–C7 — see phase plan §3)
 - [ ] C1 — Secrets-repo split (private `cc-ci-secrets`, base stays one parameterized repo, byte-identical build)