cc-ci/STATUS-1c.md

STATUS — Phase 1c (full git reproducibility + genuine D8 live rebuild)

Phase plan (SSOT): /srv/cc-ci/cc-ci-plan/plan-phase1c-full-reproducibility.md Loop state for THIS phase: STATUS-1c / BACKLOG-1c / REVIEW-1c / JOURNAL-1c (DECISIONS.md shared). The repo's STATUS.md / BACKLOG.md / REVIEW.md are Phase-1 HISTORY — not this phase's state.

Phase

1c kickoff — Phase 1 is DONE & Adversary-signed-off (1c10fa5; all D1–D10 PASS, no VETO). Now: make the VM fully reproducible from git (secrets+cert in a private cc-ci-secrets repo) and perform a genuine throwaway-VM live rebuild to close D8 honestly.

In flight — W2 (secrets repo + cert into git) — COMPLETE, gate claimed

• W2 step 1: private recipe-maintainers/cc-ci-secrets created + populated (6 infra secrets
  • wildcard cert/key, sops, both recipients; sha256 byte-perfect) + pushed.
• W2 step 2: base repo — secrets/ is now the cc-ci-secrets submodule (gitlink 2312f1c); secrets.nix adds wildcard_cert/wildcard_key → /var/lib/ci-certs/live/*; proxy.nix reframed. Pushed f79e542. Switched live cc-ci (toplevel vh6vwxbl…). Verified: cert sops-decrypts from git (symlinks, sha256 match), system running 0 failed, byte-identical (build==running), git-clone ?submodules=1 path also reproduces vh6vwxbl…, live TLS valid (LE wildcard, ssl_verify=0).
• (Recovery-key sops.age.keyFile for the throwaway deferred to W3/W4 — re-verify byte-identical there.)

Gate

Gate: W2 — CLAIMED, awaiting Adversary @2026-05-27 ~16:45Z. Acceptance to verify (cold): (1) byte-identical nixos-rebuild build .#cc-ci == /run/current-system (vh6vwxbl4qr9whzpwgjimhf9gn4329p8) — must init the submodule (git clone --recursive / git submodule update --init, bot creds) then build --flake 'git+file://<clone>?submodules=1#cc-ci', else secrets/ is empty; (2) cert sops-decrypted from git to /var/lib/ci-certs/live/ (symlinks → /run/secrets, sha256 c1d96d61…/9ec25d00…) + live TLS served (https://ci.commoninternet.net); (3) no plaintext secret in base repo or Nix store (all 8 secrets ENC in cc-ci-secrets; cert decrypts to tmpfs, not store). See JOURNAL-1c 2026-05-27 W2a entry for full evidence.

Definition of Done (C1–C7 — see phase plan §3)

• C1 — Secrets-repo split (private cc-ci-secrets, base stays one parameterized repo, byte-identical build)
• C2 — Cert in git (wildcard cert+key as sops secrets, decrypted at activation; no operator cert-drop step)
• C3 — All secrets in git, one exception = bootstrap age key (documented)
• C4 — Genuine throwaway-VM live rebuild (Incus terraform-ci, only age key provisioned)
• C5 — Honest D8 (static byte-identical + live rebuild; "infeasible by design" removed)
• C6 — Resource fit + cleanup (cc-nix-test 6→4 GB, throwaway 4 GB, destroyed after; final sizing decided)
• C7 — Docs (install.md/secrets.md/architecture.md + main plan refs updated to new model)

Gate

None claimed yet. (Milestone gates W2/W4/W5 will be CLAIMED here per §6.1.)

Blocked

(none)

Notes

• Current secret layout: secrets/secrets.yaml (6 infra secrets), recipients = host age key (ssh-to-age of cc-ci's ed25519 host key) + off-box master recovery key (/srv/cc-ci/.sops/master-age.txt, sandbox-only). .sops.yaml at repo root.
• Wildcard cert currently out-of-band at /var/lib/ci-certs/live/{fullchain.pem,privkey.pem} (operator-provided, LE, next renewal ~2026-08-24); proxy.nix reads it from there. 1c moves it into sops-in-git, decrypted back to that path at activation.
• Sandbox host has NO sops/nix/age — sops ops run on cc-ci (has nix + host age key) or via the master key with a sops binary fetched on cc-ci.
• cc-nix-test == the live cc-ci server (100.90.116.4); resizing it (W1) briefly stops it.