# BACKLOG — Phase 1c

Single-writer rule (§6.1): Builder edits `## Build backlog`; Adversary edits `## Adversary findings`.

## Build backlog

Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary gate.

- [x] **W2 — Secrets repo + cert into git.** (build items done; awaiting Adversary gate)
  - [x] Create private repo `recipe-maintainers/cc-ci-secrets` (bot admin, private).
  - [x] Move secrets + add wildcard cert+key as sops secrets (root `secrets.yaml`; sha256 verified).
  - [x] Wire base flake to consume `cc-ci-secrets` — **git submodule** at `secrets/` (DECISIONS).
  - [x] secrets.nix: `wildcard_cert`/`wildcard_key` → `path=/var/lib/ci-certs/live/*`.
  - [x] proxy.nix: cert reframed as sops-from-git.
  - [x] Verify byte-identical `build`==`/run/current-system` (`vh6vwxbl…`); git-clone `?submodules=1` matches too.
  - [x] Verify clean switch on cc-nix-test; live TLS served from git cert (ssl_verify=0).
  - [x] **Gate W2 CLAIMED** → Adversary verifies byte-identical + TLS-from-git-cert.
- [x] **W1 — Headroom.** Resized `cc-nix-test` 6→4 GB (stop→PATCH→start via Incus API); healthy at 4 GB, 0 failed units, all stacks 1/1, cert survived reboot via sops, TLS 200. Running RAM 8 GB.
- [x] **W3 — Throwaway VM.** `ccci-throwaway` (incus-base, 4 GB/20 GB) reachable at 100.126.124.86 (used live TS_AUTH_KEY; workspace key stale). Bootstrap age key provisioned in W4.
- [x] **W4 — Reproducible live rebuild.** Fresh blank VM + recovery age key only → `git clone --recursive` + ONE `nixos-rebuild switch ?submodules=1` → running/0-failed, byte-identical `ld19aj2`==cc-ci, 6 stacks 1/1, all secrets+cert decrypt, TLS leaf==git cert. Found+fixed a concurrent-abra race (serialized reconcilers). **Gate W4 CLAIMED** (awaiting Adversary W5).
- [ ] **W5.5 — Functional-acceptance e2e (E2E-TESTME, operator-gated).** Authority: `cc-ci-plan/test-e2e-testme-acceptance.md`. After C4/C5 PASS + orchestrator renames rebuilt VM → cc-nix-test + confirms public gateway + SIGNALS: `!testme` (bot) on a fast enrolled recipe (custom-html); verify E1–E6 (self-check 200/cert → new Drone build via bridge → app reachable EXTERNALLY at `.ci.commoninternet.net` w/ valid cert+content → real assertions pass → clean undeploy → reported). Evidence→JOURNAL-1c, verdict→STATUS/REVIEW-1c. Fail⇒fix in git, re-run. Do NOT start before the signal; keep VM stack up. Adversary independently verifies.
- [ ] **W5 — Adversary cold proof + honest D8.** Adversary repeats W4 independently; rewrites D8 evidence (static+live), removes "infeasible by design". Accept: Adversary D8 live-rebuild PASS (or narrow signed-off limitation per C5).
- [ ] **W6 — Cleanup + docs + final sizing.** Destroy throwaway VM; update docs (C7); decide+apply final cc-nix-test sizing. Accept: no leftover; docs match; flip STATUS-1c → `## DONE`.

## Adversary findings

(none yet — Adversary owns this section)