# BACKLOG — Phase 1c

Single-writer rule (§6.1): Builder edits `## Build backlog`; Adversary edits `## Adversary findings`.

## Build backlog

Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary gate.

- [ ] **W2 — Secrets repo + cert into git.**
  - [ ] Create private repo `recipe-maintainers/cc-ci-secrets` (bot is admin).
  - [ ] Move `secrets/secrets.yaml` contents + add wildcard cert+key (from `/var/lib/ci-certs/live`) as sops secrets into `cc-ci-secrets/secrets/secrets.yaml`; copy `.sops.yaml`.
  - [ ] Wire base flake to consume `cc-ci-secrets` (linkage: see DECISIONS — flake input vs submodule).
  - [ ] secrets.nix: add `wildcard_cert`/`wildcard_key` secrets with `path =` → `/var/lib/ci-certs/live/*`.
  - [ ] proxy.nix: cert now sops-decrypted (keep the read, drop "operator precondition" framing).
  - [ ] Verify: `nixos-rebuild build --flake .#cc-ci` byte-identical to `/run/current-system`.
  - [ ] Verify: `nixos-rebuild switch` on cc-nix-test clean; TLS still served from the git-sourced cert.
  - [ ] **Gate W2 CLAIMED** → Adversary verifies byte-identical + TLS-from-git-cert.
- [ ] **W1 — Headroom (just before W3).** Resize `cc-nix-test` 6 GB→4 GB (stop→set→start). Accept: b1 has room; cc-nix-test healthy at 4 GB.
- [ ] **W3 — Throwaway VM.** Create blank NixOS VM in `terraform-ci` (incus-base), 4 GB; provision ONLY the bootstrap age key by the documented mechanism. Accept: VM reachable.
- [ ] **W4 — Reproducible live rebuild.** On throwaway VM: clone base+secrets, `nixos-rebuild switch`, watch oneshots converge, secrets+cert decrypt. Accept: fully up, no step outside docs/install.md; capture evidence. **Gate W4 CLAIMED.**
- [ ] **W5 — Adversary cold proof + honest D8.** Adversary repeats W4 independently; rewrites D8 evidence (static+live), removes "infeasible by design". Accept: Adversary D8 live-rebuild PASS (or narrow signed-off limitation per C5).
- [ ] **W6 — Cleanup + docs + final sizing.** Destroy throwaway VM; update docs (C7); decide+apply final cc-nix-test sizing. Accept: no leftover; docs match; flip STATUS-1c → `## DONE`.

## Adversary findings

(none yet — Adversary owns this section)
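Added example, not part of this backlog, the cc-ci repos, or an Adversary finding: a gate-check script that verifies the two Gate W2 claims (the rebuilt system is byte-identical to `/run/current-system`, and TLS is served from the git-sourced cert) and can be rerun on the throwaway VM for the W4/W5 live-rebuild acceptance. The byte-identical check compares the store paths that `./result` and `/run/current-system` resolve to; equal store paths imply identical contents because the path hash covers every input of the build, and `nix store diff-closures` is used only to explain a mismatch. Assumptions not stated in the backlog: the decrypted wildcard cert lands at the hypothetical path `/var/lib/ci-certs/live/fullchain.pem`, the proxy serves TLS on port 443 of the host passed in, `nixos-rebuild build` leaves its `./result` symlink in the current directory, and the `nix-command` experimental feature is enabled for `diff-closures`.

```sh
#!/bin/sh
# Gate W2 / W4 check (added example; not from the cc-ci repos).
# Usage: sh gate-check.sh <flake-attr> <host> <decrypted-cert-path>
#   e.g. sh gate-check.sh .#cc-ci cc-ci /var/lib/ci-certs/live/fullchain.pem
# The cert filename above is an assumption; the backlog only gives the directory.
set -eu

# Two NixOS closures are the same system iff they resolve to the same store path.
# The store path hash covers every input, so equal paths mean identical contents.
same_store_path() {
    a=$(readlink -f "$1") && b=$(readlink -f "$2") && [ "$a" = "$b" ]
}

# SHA-256 fingerprint of a PEM certificate on disk (the sops-decrypted file).
cert_fingerprint_file() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/.*=//'
}

# SHA-256 fingerprint of the leaf certificate the proxy actually serves on :443.
# `openssl x509` reads the first PEM block from s_client's output, i.e. the leaf.
cert_fingerprint_served() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/.*=//'
}

# Normalize a fingerprint (drop colons, upper-case hex) so that pasting an
# expected value from another tool or openssl version cannot cause a false FAIL.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

same_fingerprint() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

main() {
    flake_attr=$1
    host=$2
    cert=$3

    # W2 verify #1: a clean build of the flake must be the running system.
    nixos-rebuild build --flake "$flake_attr"
    if same_store_path ./result /run/current-system; then
        echo "PASS: ./result == /run/current-system ($(readlink -f ./result))"
    else
        echo "FAIL: store paths differ; closure diff follows" >&2
        nix store diff-closures /run/current-system ./result >&2
        return 1
    fi

    # W2 verify #2: the cert on the wire must be the cert sops decrypted from git.
    want=$(cert_fingerprint_file "$cert")
    got=$(cert_fingerprint_served "$host")
    if same_fingerprint "$want" "$got"; then
        echo "PASS: $host serves the git-sourced cert ($want)"
    else
        echo "FAIL: $host serves $got, expected $want" >&2
        return 1
    fi
}

# Run the gate only when fully parameterized; with no args the file can be
# sourced so the helpers are available for ad-hoc checks.
case $# in
    0) ;;
    3) main "$@" ;;
    *) echo "usage: $0 <flake-attr> <host> <decrypted-cert-path>" >&2; exit 2 ;;
esac
```

Run it on cc-nix-test after the W2 `switch`, and again on the throwaway VM after the W4 `switch`; a PASS on both lines is the evidence the gate asks for, and a FAIL on the first line prints exactly which closure members changed.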