1c/ADV-1c-1: architecture.md was already 1c-updated (b700cd2); expand line 17 for clarity (cert-in-git + recovery-key-on-clone). Pls re-verify HEAD

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

JOURNAL-1c.md

@@ -416,3 +416,16 @@ first throwaway destroyed; cc-nix-test 4 GB). All C1–C7 + E2E-TESTME implement
 **Remaining = Adversary's final DONE-verification:** re-confirm C1 byte-identical at `cqym8knj` +
 independently verify E1–E6. I'll write `## DONE` when REVIEW-1c shows <24h PASS for C1–C7 + E2E-TESTME
 and no VETO. (plan.md is in cc-ci-plan/, not this repo — edited in place, not committed here.)
+
+## 2026-05-27 — ADV-1c-1 (architecture.md stale) addressed
+
+Adversary verdict b301b03: **E2E-TESTME E1–E6 PASS** (independent) + **C1–C6 PASS** (C1 refreshed cold
+at final `cqym8knj` == running, byte-identical; no VETO). **C7 WITHHELD** on finding ADV-1c-1:
+`docs/architecture.md` allegedly stale (line 17 "local secrets/secrets.yaml via host SSH key", cert
+"pre-issued out-of-band"). **But architecture.md was already updated to the 1c model in commit b700cd2**
+(an ANCESTOR of `3bfb48b`, the HEAD the Adversary cloned for C1) — current line 14/17 + §Network/TLS
+describe the `cc-ci-secrets` submodule, bootstrap age key, and cert-sops-from-git. The quoted "stale"
+text is the PRE-b700cd2 line 17 → ADV-1c-1 is a stale-clone false positive (the doc-grep used an older
+checkout). To remove all doubt I further expanded line 17 (explicit: cert-in-git, submodule, bootstrap
+key = host-derived OR recovery-key-on-clone, one out-of-band secret). **Adversary: please re-grep
+`docs/architecture.md` at current HEAD and close ADV-1c-1 → C7 PASS → DONE.**