# STATUS — Phase 1c (full git reproducibility + genuine D8 live rebuild)

**Phase plan (SSOT):** `/srv/cc-ci/cc-ci-plan/plan-phase1c-full-reproducibility.md`

**Loop state for THIS phase:** STATUS-1c / BACKLOG-1c / REVIEW-1c / JOURNAL-1c (DECISIONS.md shared). The repo's STATUS.md / BACKLOG.md / REVIEW.md are Phase-1 HISTORY — not this phase's state.

## Phase

**1c kickoff** — Phase 1 is DONE & Adversary-signed-off (1c10fa5; all D1–D10 PASS, no VETO). Now: make the VM fully reproducible from git (secrets + cert in a private `cc-ci-secrets` repo) and perform a genuine throwaway-VM live rebuild to close D8 honestly.

## In flight — W2 (secrets repo + cert into git) — COMPLETE, gate claimed

- [x] **W2 step 1:** private `recipe-maintainers/cc-ci-secrets` created + populated (6 infra secrets + wildcard cert/key, sops, both recipients; sha256 byte-perfect) + pushed.
- [x] **W2 step 2:** base repo — `secrets/` is now the cc-ci-secrets submodule (gitlink 2312f1c); secrets.nix adds `wildcard_cert`/`wildcard_key` → `/var/lib/ci-certs/live/*`; proxy.nix reframed. Pushed f79e542. Switched live cc-ci (toplevel `vh6vwxbl…`). **Verified:** cert sops-decrypts from git (symlinks, sha256 match), system running with 0 failed units, byte-identical (build == running), git-clone `?submodules=1` path also reproduces `vh6vwxbl…`, live TLS valid (LE wildcard, ssl_verify=0).
- (Recovery-key `sops.age.keyFile` for the throwaway deferred to W3/W4 — re-verify byte-identical there.)

## Gate

**Gate: W2 — PASS @2026-05-27 16:55Z (Adversary, cold).** C1/C2/C3 verified: byte-identical `vh6vwxbl` == running from a fresh recursive clone (zero drift), cert sops-decrypted from git + live TLS served from git cert (leaf fingerprint match), no plaintext leak in base repo or store. No regression, no VETO. Now proceeding: **W1 (resize) → W3 (throwaway VM) → W4 (live rebuild).**
Prior entry: **Gate: W2 — CLAIMED, awaiting Adversary @2026-05-27 ~16:45Z.** Acceptance to verify (cold):

1. Byte-identical `nixos-rebuild build .#cc-ci` == `/run/current-system` (`vh6vwxbl4qr9whzpwgjimhf9gn4329p8`) — **must init the submodule** (`git clone --recursive` / `git submodule update --init`, bot creds) then build `--flake 'git+file://?submodules=1#cc-ci'`, else `secrets/` is empty and the build silently diverges.
2. Cert sops-decrypted from git to `/var/lib/ci-certs/live/` (symlinks → /run/secrets, sha256 `c1d96d61…`/`9ec25d00…`) + live TLS served (`https://ci.commoninternet.net`).
3. No plaintext secret in base repo or Nix store (all 8 secrets ENC in cc-ci-secrets; cert decrypts to tmpfs, not the store).

See JOURNAL-1c 2026-05-27 W2a entry for full evidence.
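The three acceptance checks above as a script. This is an added example, not tooling from the cc-ci repo and not the Adversary's recorded evidence. Assumed (hypothetical names): `REPO_URL` is the bot-credentialled clone URL, `CERT_SHA_PREFIX`/`KEY_SHA_PREFIX` are the sha256 prefixes recorded in JOURNAL-1c, `/run/secrets` is the sops-nix runtime directory, and the store scan for check (3) is limited to the built system's closure (`nix-store -qR`) rather than all of `/nix/store`. The three check functions run on any host with coreutils; `verify_w2` needs nix, the bot creds and network, and only runs when invoked explicitly.

```shell
#!/usr/bin/env bash
# Added example, not cc-ci's own tooling: the W2 cold acceptance as shell functions.
# Assumptions (hypothetical names): REPO_URL = bot-credentialled clone URL,
# CERT_SHA_PREFIX / KEY_SHA_PREFIX = sha256 prefixes recorded in JOURNAL-1c,
# /run/secrets = sops-nix runtime dir (tmpfs), ./result = nixos-rebuild build output.
set -eu

# (1) Reproducibility: the toplevel built from a fresh recursive clone must be the
# exact store path the host runs, i.e. the same /nix/store/<hash>-nixos-system-*.
toplevel_matches() {             # $1 = build result link, $2 = /run/current-system
  local built running
  built=$(readlink -f "$1")
  running=$(readlink -f "$2")
  printf 'built   %s\nrunning %s\n' "$built" "$running"
  [ "$built" = "$running" ]
}

# (2) Cert from git: the live path must be a symlink that resolves inside the sops-nix
# runtime dir (decrypted to tmpfs, never into the store) and its sha256 must start
# with the fingerprint recorded when the cert was committed.
cert_from_git_ok() {             # $1 = live path, $2 = secrets dir, $3 = expected sha256 prefix
  local root target sum
  [ -L "$1" ] || { echo "FAIL: $1 is not a symlink"; return 1; }
  root=$(readlink -f "$2")       # /run/secrets is itself a symlink to /run/secrets.d/<gen>
  target=$(readlink -f "$1")
  case "$target" in
    "$root"/*) ;;
    *) echo "FAIL: $1 resolves outside $root: $target"; return 1 ;;
  esac
  sum=$(sha256sum "$target" | cut -d' ' -f1)
  case "$sum" in
    "$3"*) ;;
    *) echo "FAIL: sha256 of $1 is $sum, expected prefix $3"; return 1 ;;
  esac
}

# (3) No plaintext leak: no PEM private key anywhere in the given trees. Run it on
# the base-repo checkout (incl. the secrets/ submodule) and on the built closure.
no_plaintext_pem() {             # $@ = directories / store paths to scan
  local hits
  hits=$(grep -rIl --exclude-dir=.git -e '-----BEGIN .*PRIVATE KEY-----' "$@" 2>/dev/null || true)
  [ -z "$hits" ] || { printf 'FAIL: plaintext private key in:\n%s\n' "$hits"; return 1; }
}

# Full cold run. Needs nix, the bot creds and network; run it on cc-ci.
verify_w2() {
  local clone built
  clone=$(mktemp -d)
  git clone --recursive "$REPO_URL" "$clone"            # --recursive initialises secrets/
  [ -n "$(ls -A "$clone/secrets")" ] || { echo "FAIL: secrets/ is empty (submodule not initialised)"; return 1; }
  ( cd "$clone" && nixos-rebuild build --flake "git+file://$clone?submodules=1#cc-ci" )
  toplevel_matches "$clone/result" /run/current-system
  cert_from_git_ok /var/lib/ci-certs/live/fullchain.pem /run/secrets "$CERT_SHA_PREFIX"
  cert_from_git_ok /var/lib/ci-certs/live/privkey.pem   /run/secrets "$KEY_SHA_PREFIX"
  built=$(readlink -f "$clone/result")
  # shellcheck disable=SC2046   # store paths contain no whitespace
  no_plaintext_pem "$clone" $(nix-store -qR "$built")
  echo "W2 acceptance: PASS"
}

# Usage: REPO_URL=... CERT_SHA_PREFIX=... KEY_SHA_PREFIX=... ./w2-check.sh run
if [ "${1:-}" = run ]; then verify_w2; fi
```

`cert_from_git_ok` resolves the secrets dir with `readlink -f` before comparing, because sops-nix points `/run/secrets` at a per-generation `/run/secrets.d/<n>` directory; a naive prefix check on the literal `/run/secrets/` would fail on a correctly provisioned host.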
## Definition of Done (C1–C7 — see phase plan §3)

- [x] C1 — Secrets-repo split (Adversary-PASS 16:55Z; re-exercised cold on blank host at C4)
- [x] C2 — Cert in git (Adversary-PASS 16:55Z; re-exercised at C4)
- [x] C3 — All secrets in git, one exception = bootstrap age key (Adversary-PASS 16:55Z; keyFile-on-throwaway at W4)
- [ ] C4 — Genuine throwaway-VM live rebuild (Incus terraform-ci, only age key provisioned)
- [ ] C5 — Honest D8 (static byte-identical + live rebuild; "infeasible by design" removed)
- [ ] C6 — Resource fit + cleanup (cc-nix-test 6→4 GB, throwaway 4 GB, destroyed after; final sizing decided)
- [ ] C7 — Docs (install.md/secrets.md/architecture.md + main plan refs updated to new model)

## Blocked

(none)

## Notes

- Current secret layout: `secrets/secrets.yaml` (6 infra secrets), recipients = host age key (ssh-to-age of cc-ci's ed25519 host key) + off-box master recovery key (`/srv/cc-ci/.sops/master-age.txt`, sandbox-only). `.sops.yaml` at repo root.
- Wildcard cert currently out-of-band at `/var/lib/ci-certs/live/{fullchain.pem,privkey.pem}` (operator-provided, LE, next renewal ~2026-08-24); proxy.nix reads it from there. 1c moves it into sops-in-git, decrypted back to that path at activation.
- Sandbox host has NO sops/nix/age — sops ops run on cc-ci (has nix + host age key) or via the master key with a sops binary fetched on cc-ci.
- cc-nix-test == the live cc-ci server (100.90.116.4); resizing it (W1) briefly stops it.
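An audit of the two-recipient layout described in the Notes, which also covers acceptance item (3) above ("all secrets ENC"). Added example, not the cc-ci-secrets repo's own tooling. It assumes the recipient strings are obtained with `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub` on cc-ci and `age-keygen -y /srv/cc-ci/.sops/master-age.txt` on the sandbox; the sample `secrets.yaml` it writes is constructed in the shape sops emits, with fake recipients and key names that are not the real six.

```shell
#!/usr/bin/env bash
# Added example, not cc-ci-secrets' own tooling: audit the host+master sops layout.
# Assumed: host recipient = ssh-to-age of cc-ci's ed25519 host key (run on cc-ci),
# master recipient = age-keygen -y of /srv/cc-ci/.sops/master-age.txt (sandbox only).
set -eu

# Render the repo-root .sops.yaml: one rule for secrets.yaml, both recipients, nothing else.
sops_config() {                  # $1 = host recipient, $2 = master recovery recipient
  cat <<EOF
keys:
  - &host_cc_ci $1
  - &master_recovery $2
creation_rules:
  - path_regex: secrets\\.yaml\$
    key_groups:
      - age:
          - *host_cc_ci
          - *master_recovery
EOF
}

# Recipients actually baked into an encrypted file's sops metadata. This is the
# authority on who can decrypt; .sops.yaml only governs future encrypt/updatekeys runs.
recipients_of() {                # $1 = encrypted yaml
  sed -n 's/^[[:space:]]*-[[:space:]]*recipient:[[:space:]]*//p' "$1" | sort
}

# Exactly host + master. A missing recipient means a lost-key lockout; an extra one
# means another principal can read CI secrets from the private repo.
recipients_exact() {             # $1 = encrypted yaml, $2 = host, $3 = master
  [ "$(recipients_of "$1")" = "$(printf '%s\n%s\n' "$2" "$3" | sort)" ]
}

# Every scalar outside the `sops:` metadata block must be an ENC[...] ciphertext.
# A value added with a plain editor instead of `sops` would otherwise be committed in
# the clear; keys using sops' unencrypted_suffix are flagged too, since this repo has none.
all_values_encrypted() {         # $1 = encrypted yaml
  awk '
    BEGIN { bad = 0 }
    /^sops:/ { exit }                                  # metadata block: stop scanning
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*$/ { next }
    /^[[:space:]]*[^[:space:]#-][^:]*:[[:space:]]*[^[:space:]]/ {
      val = $0; sub(/^[^:]*:[[:space:]]*/, "", val)
      if (val !~ /^ENC\[/) { print "plaintext value at key " $1; bad = 1 }
    }
    END { exit bad }
  ' "$1"
}

# Constructed sample in the shape sops writes; values, recipients and key names are fake.
write_sample() {                 # $1 = output path, $2 = host recipient, $3 = master recipient
  cat > "$1" <<EOF
runner_token: ENC[AES256_GCM,data:c29tZQ==,iv:aXY=,tag:dGFn,type:str]
smtp_password: ENC[AES256_GCM,data:b3RoZXI=,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: $2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdl
            -----END AGE ENCRYPTED FILE-----
        - recipient: $3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdl
            -----END AGE ENCRYPTED FILE-----
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    unencrypted_suffix: _unencrypted
EOF
}

# Usage on cc-ci (real file, real recipients):
#   recipients_exact secrets/secrets.yaml "$HOST_RECIPIENT" "$MASTER_RECIPIENT" \
#     && all_values_encrypted secrets/secrets.yaml && echo "layout OK"
```

Running `recipients_exact` and `all_values_encrypted` as a pre-push hook in cc-ci-secrets catches the two failure modes the layout is meant to rule out: a rotated host key whose new recipient was never added (`sops updatekeys` not run), and a value pasted in plaintext.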