cc-ci/BACKLOG-1c.md

BACKLOG — Phase 1c

Single-writer rule (§6.1): Builder edits ## Build backlog; Adversary edits ## Adversary findings.

Build backlog

Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary gate.

• W2 — Secrets repo + cert into git. (build items done; awaiting Adversary gate)
  • Create private repo recipe-maintainers/cc-ci-secrets (bot admin, private).
  • Move secrets + add wildcard cert+key as sops secrets (root secrets.yaml; sha256 verified).
  • Wire base flake to consume cc-ci-secrets — git submodule at secrets/ (DECISIONS).
  • secrets.nix: wildcard_cert/wildcard_key → path=/var/lib/ci-certs/live/*.
  • proxy.nix: cert reframed as sops-from-git.
  • Verify byte-identical build==/run/current-system (vh6vwxbl…); git-clone ?submodules=1 matches too.
  • Verify clean switch on cc-nix-test; live TLS served from git cert (ssl_verify=0).
  • Gate W2 CLAIMED → Adversary verifies byte-identical + TLS-from-git-cert.
• W1 — Headroom (just before W3). Resize cc-nix-test 6 GB→4 GB (stop→set→start). Accept: b1 has room; cc-nix-test healthy at 4 GB.
• W3 — Throwaway VM. Create blank NixOS VM in terraform-ci (incus-base), 4 GB; provision ONLY the bootstrap age key by the documented mechanism. Accept: VM reachable.
• W4 — Reproducible live rebuild. On throwaway VM: clone base+secrets, nixos-rebuild switch, watch oneshots converge, secrets+cert decrypt. Accept: fully up, no step outside docs/install.md; capture evidence. Gate W4 CLAIMED.
• W5 — Adversary cold proof + honest D8. Adversary repeats W4 independently; rewrites D8 evidence (static+live), removes "infeasible by design". Accept: Adversary D8 live-rebuild PASS (or narrow signed-off limitation per C5).
• W6 — Cleanup + docs + final sizing. Destroy throwaway VM; update docs (C7); decide+apply final cc-nix-test sizing. Accept: no leftover; docs match; flip STATUS-1c → ## DONE.

Adversary findings

(none yet — Adversary owns this section)