cc-ci/BACKLOG-1c.md

BACKLOG — Phase 1c

Single-writer rule (§6.1): Builder edits ## Build backlog; Adversary edits ## Adversary findings.

Build backlog

Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary gate.

• W2 — Secrets repo + cert into git.
  • Create private repo recipe-maintainers/cc-ci-secrets (bot is admin).
  • Move secrets/secrets.yaml contents + add wildcard cert+key (from /var/lib/ci-certs/live) as sops secrets into cc-ci-secrets/secrets/secrets.yaml; copy .sops.yaml.
  • Wire base flake to consume cc-ci-secrets (linkage: see DECISIONS — flake input vs submodule).
  • secrets.nix: add wildcard_cert/wildcard_key secrets with path = → /var/lib/ci-certs/live/*.
  • proxy.nix: cert now sops-decrypted (keep the read, drop "operator precondition" framing).
  • Verify: nixos-rebuild build --flake .#cc-ci byte-identical to /run/current-system.
  • Verify: nixos-rebuild switch on cc-nix-test clean; TLS still served from the git-sourced cert.
  • Gate W2 CLAIMED → Adversary verifies byte-identical + TLS-from-git-cert.
• W1 — Headroom (just before W3). Resize cc-nix-test 6 GB→4 GB (stop→set→start). Accept: b1 has room; cc-nix-test healthy at 4 GB.
• W3 — Throwaway VM. Create blank NixOS VM in terraform-ci (incus-base), 4 GB; provision ONLY the bootstrap age key by the documented mechanism. Accept: VM reachable.
• W4 — Reproducible live rebuild. On throwaway VM: clone base+secrets, nixos-rebuild switch, watch oneshots converge, secrets+cert decrypt. Accept: fully up, no step outside docs/install.md; capture evidence. Gate W4 CLAIMED.
• W5 — Adversary cold proof + honest D8. Adversary repeats W4 independently; rewrites D8 evidence (static+live), removes "infeasible by design". Accept: Adversary D8 live-rebuild PASS (or narrow signed-off limitation per C5).
• W6 — Cleanup + docs + final sizing. Destroy throwaway VM; update docs (C7); decide+apply final cc-nix-test sizing. Accept: no leftover; docs match; flip STATUS-1c → ## DONE.

Adversary findings

(none yet — Adversary owns this section)