1c: add operator-gated functional-acceptance e2e (W5.5) — real !testme via public gateway after VM promotion

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

BACKLOG-1c.md

@@ -23,6 +23,11 @@ Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary ga
       --recursive` + ONE `nixos-rebuild switch ?submodules=1` → running/0-failed, byte-identical
       `ld19aj2`==cc-ci, 6 stacks 1/1, all secrets+cert decrypt, TLS leaf==git cert. Found+fixed a
       concurrent-abra race (serialized reconcilers). **Gate W4 CLAIMED** (awaiting Adversary W5).
+- [ ] **W5.5 — Functional-acceptance e2e (operator-gated).** AFTER W5 PASS + orchestrator renames the
+      verified throwaway→cc-nix-test (public gateway) + SIGNALS: post `!testme` (bot) on one fast enrolled
+      recipe (custom-html); confirm full pipeline vs the **public** domain (bridge→Drone→deploy to
+      `<recipe>.ci.commoninternet.net` reachable THROUGH the gateway→test→undeploy→report). Record Drone
+      run # + public-URL curl. Do NOT start before the orchestrator's swap-done signal. Keep VM stack up.
 - [ ] **W5 — Adversary cold proof + honest D8.** Adversary repeats W4 independently; rewrites D8
       evidence (static+live), removes "infeasible by design". Accept: Adversary D8 live-rebuild PASS
       (or narrow signed-off limitation per C5).

JOURNAL-1c.md

@@ -299,3 +299,15 @@ public gateway. Keep it running; defer its C6 teardown until the operator explic
 Overrides plan §5/§6 "destroy the throwaway" for that one VM. Settles **C6 final sizing = promote the
 rebuilt VM**. Recorded in DECISIONS.md + STATUS-1c (flagged for the Adversary so they don't tear down
 their W5 VM on PASS). My already-destroyed first throwaway + RAM accounting unaffected.
+
+## 2026-05-27 — Added acceptance step: real e2e !testme on the promoted VM (operator-gated)
+
+Orchestrator added a functional-acceptance step for the clean-room rebuild. SEQUENCING (strict):
+(1) finish W5/C4-C5; (2) ORCHESTRATOR renames the verified throwaway → cc-nix-test so the public
+gateway (ci.commoninternet.net + `*.ci` via MagicDNS) routes to it, and SIGNALS me; (3) THEN I run a
+genuine e2e: `!testme` (as bot) on ONE enrolled recipe (fast, e.g. custom-html) → confirm bridge
+picks up → Drone builds → app deploys to `<recipe>.ci.commoninternet.net` reachable **through the
+public gateway** (curl the public subdomain, not localhost) → test passes → undeploy → result
+reported. Record Drone run # + public-URL curl in JOURNAL-1c/STATUS-1c as functional acceptance of
+D8/clean-room. Until the swap-done signal: keep the rebuilt VM's full stack running, do NOT tear down,
+do NOT start the e2e. (Tracked as W5.5 in BACKLOG-1c.)

STATUS-1c.md

@@ -74,6 +74,17 @@ plan's "destroy the throwaway" for that one VM. (Adversary: please do not destro
 This also settles C6 final sizing = **promote the rebuilt VM**. All other cleanup is normal (Builder's
 first throwaway already destroyed). See DECISIONS.md Phase-1c.
 
+### Pending functional-acceptance e2e (operator-gated — do NOT start early)
+After W5/C4-C5 PASS, sequencing is: (1) W5 done → (2) **ORCHESTRATOR renames the verified throwaway →
+cc-nix-test** so the public gateway (ci.commoninternet.net + `*.ci` via MagicDNS) routes to it, and
+**SIGNALS** me → (3) THEN I run a genuine e2e: post `!testme` (as the bot) on ONE enrolled recipe
+(fast, e.g. `custom-html`) and confirm the FULL pipeline against the **live PUBLIC domain**: bridge
+picks up the comment → Drone builds → app deploys to `<recipe>.ci.commoninternet.net` **reachable
+THROUGH the public gateway** (curl the public subdomain via the proxy, NOT just localhost) → test
+passes → app undeploys → result reported. Record Drone run # + public-URL curl in JOURNAL-1c/STATUS-1c
+as functional acceptance of D8/clean-room. **Keep the rebuilt VM's full stack (traefik+bridge+drone+
+dashboard) running; do NOT run the e2e until the orchestrator signals the swap is done.**
+
 ## Blocked
 (none)