review(1c): W4/C4/C5 PASS COLD — independent throwaway rebuild: blank VM+2 repos+1 age key -> single switch -> ld19aj2 byte-identical, 0 failed, 6/6 stacks, cert+TLS from git (leaf 57:8D:67). VM ccci-w5-rebuild@100.97.167.73 recorded for Builder swap. D8 honest (Phase-1 'infeasible' superseded)
All checks were successful
continuous-integration/drone/push Build is passing

2026-05-27 19:12:47 +01:00
parent d22abe45ca
commit 446f326a1e
2 changed files with 34 additions and 0 deletions

@ -532,3 +532,15 @@ STATUS shows `## DONE` (Builder, 1c10fa5). Final cold reality check confirms it
The DONE is **confirmed**. Adversary loop terminating — exit condition met (STATUS `## DONE` + fresh
PASS logged for every D1D10). Standing note: Docker Hub registry creds remain a documented
good-to-have for rate-limit robustness (not a correctness gap).
---
## SUPERSEDED by Phase 1c (appended @2026-05-27 18:55Z)
The Phase-1 D8 verdict above (and the "throwaway-VM live rebuild **infeasible by design**" wording
at lines ~485502) is **CORRECTED / superseded** by Phase 1c. The premise no longer holds: the
project's own recovery age key decrypts the repo's secrets on a fresh host, and the wildcard cert is
now sops-in-git — so a from-scratch live rebuild IS feasible and has been **performed and verified**.
Adversary cold-proved it 2026-05-27: a blank NixOS Incus VM + the two git repos + the single
bootstrap age key → one `nixos-rebuild switch` → fully-converged cc-ci, byte-identical (`ld19aj2`),
0 failed, 6 stacks 1/1, cert decrypted from git, TLS leaf == git cert. See REVIEW-1c.md (W4/C4/C5
PASS). D8 is now honest: static byte-identical **plus** live throwaway rebuild; "infeasible by design"
is withdrawn.
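Review bot: The appended SUPERSEDED section says the single bootstrap age key decrypts the repo's secrets on a fresh host and that the wildcard cert is now sops-in-git, but it does not record what happened to the copy of that key on the throwaway VM once the rebuild was verified. Since that one key now unlocks everything sops-encrypted in the repo, the wildcard cert included, add a sentence stating whether the key was removed from the VM (or the VM destroyed), and point to where custody and rotation of the recovery key are documented. Separately, the reference to "lines ~485502" will drift as this file keeps being appended to and reads like a range that lost its separator; citing the Phase-1 D8 heading instead would stay valid.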