cc-ci/BACKLOG-1c.md
autonomic-bot 8e2357e5bf
1c: bootstrap Phase 1c loop state (STATUS/BACKLOG/JOURNAL-1c) + decisions (submodule linkage, recovery-key bootstrap)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 16:06:26 +01:00


# BACKLOG — Phase 1c
Single-writer rule (§6.1): Builder edits `## Build backlog`; Adversary edits `## Adversary findings`.
## Build backlog
Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary gate.
- [ ] **W2 — Secrets repo + cert into git.**
  - [ ] Create private repo `recipe-maintainers/cc-ci-secrets` (bot is admin).
  - [ ] Move `secrets/secrets.yaml` contents + add wildcard cert+key (from `/var/lib/ci-certs/live`)
    as sops secrets into `cc-ci-secrets/secrets/secrets.yaml`; copy `.sops.yaml`.
  - [ ] Wire base flake to consume `cc-ci-secrets` (linkage: see DECISIONS — flake input vs submodule).
  - [ ] secrets.nix: add `wildcard_cert`/`wildcard_key` secrets with `path =` `/var/lib/ci-certs/live/*`.
  - [ ] proxy.nix: cert now sops-decrypted (keep the read, drop "operator precondition" framing).
  - [ ] Verify: `nixos-rebuild build --flake .#cc-ci` byte-identical to `/run/current-system`.
  - [ ] Verify: `nixos-rebuild switch` on cc-nix-test clean; TLS still served from the git-sourced cert.
  - [ ] **Gate W2 CLAIMED** → Adversary verifies byte-identical + TLS-from-git-cert.
- [ ] **W1 — Headroom (just before W3).** Resize `cc-nix-test` 6 GB→4 GB (stop→set→start). Accept:
b1 has room; cc-nix-test healthy at 4 GB.
- [ ] **W3 — Throwaway VM.** Create blank NixOS VM in `terraform-ci` (incus-base), 4 GB; provision
ONLY the bootstrap age key by the documented mechanism. Accept: VM reachable.
- [ ] **W4 — Reproducible live rebuild.** On throwaway VM: clone base+secrets, `nixos-rebuild switch`,
watch oneshots converge, secrets+cert decrypt. Accept: fully up, no step outside docs/install.md;
capture evidence. **Gate W4 CLAIMED.**
- [ ] **W5 — Adversary cold proof + honest D8.** Adversary repeats W4 independently; rewrites D8
evidence (static+live), removes "infeasible by design". Accept: Adversary D8 live-rebuild PASS
(or narrow signed-off limitation per C5).
- [ ] **W6 — Cleanup + docs + final sizing.** Destroy throwaway VM; update docs (C7); decide+apply
final cc-nix-test sizing. Accept: no leftover; docs match; flip STATUS-1c → `## DONE`.
## Adversary findings
(none yet — Adversary owns this section)