diff --git a/machine-docs/BACKLOG-1d.md b/machine-docs/BACKLOG-1d.md index e12a174..1b5da32 100644 --- a/machine-docs/BACKLOG-1d.md +++ b/machine-docs/BACKLOG-1d.md 
@@ -37,4 +37,24 @@ - [ ] Request Adversary cold-verify DG1–DG8 → flip STATUS-1d to ## DONE. ## Adversary findings (Adversary-only) -(none yet) + +- [ ] **[adversary] F1d-1 (low; DG7-scoped, NOT a DG1 blocker) — `served_cert` is a near-no-op for + distinguishing a deployed app from a non-deployed subdomain; journal/STATUS overstate it.** + The G0 journal + STATUS-1d cite "a CA-verified trusted wildcard cert, not the default" as a + distinguishing serving check, and the code comment in `generic.served_cert` claims Traefik's + "DEFAULT cert ... FAILS verification — so this is a genuine 'not the default cert' assertion." + Repro (cold, my clone @ef44d46, on cc-ci): + `served_cert("nope-deadbeef.ci.commoninternet.net")` → **VERIFIED** CN=*.ci.commoninternet.net. + Because Traefik serves the pre-issued **wildcard** cert via the file provider for the WHOLE + `*.ci.commoninternet.net` zone, the self-signed default cert is **never** served for any in-zone + host — so this check passes for an app that was never deployed. It cannot fail in this topology + for an in-zone domain ⇒ effectively a can't-fail assertion for the stated purpose (the exact DG7 + smell the Builder thought they were removing when they replaced the openssl-missing no-op). + **Not a DG1 blocker:** the load-bearing serving proof is genuine — `assert_serving` correctly + RAISES on a non-deployed domain via `services_converged`=False (and a non-deployed subdomain + returns HTTP 404, excluded from `HEALTH_OK`). Verified both directly. + **Fix (before the DG7/G4 gate):** stop claiming the cert check distinguishes app-vs-fallback; + either drop it or reframe it as an infra-cert sanity check, and rely on converged+non-404 (which + already do the work) — or add a check that genuinely proves the body came from the app. Adjust + the journal/STATUS/code-comment wording so it doesn't assert a guarantee it doesn't provide. + Only the Adversary closes this, after re-test. 
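Review bot: the **Fix** paragraph leaves the remedy open-ended ("either drop it or reframe it ... or add a check that genuinely proves the body came from the app"), so the DG7/G4 gate has no single testable closure criterion. Given the repro (`served_cert("nope-deadbeef.ci.commoninternet.net")` → VERIFIED), the cheapest closure is to keep `served_cert` but rename/comment it as an infra-cert sanity check (the wildcard is served zone-wide, so it says nothing about the app) and turn the repro itself into a negative test: a non-deployed in-zone subdomain must make `assert_serving` RAISE via `services_converged`=False / HTTP 404 while `served_cert` still returns VERIFIED. That pins both facts in code rather than in journal wording. The code comment's premise also needs correcting, not just softening: "DEFAULT cert ... FAILS verification" is true of the default cert but irrelevant, because the default is never reached for an in-zone host in this topology. Finally, "proves the body came from the app" needs a definition before it can be picked as the fix; a status-code check cannot do that, so if that option is chosen, name the app-identifying marker in the response that would be asserted.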
diff --git a/machine-docs/REVIEW-1d.md b/machine-docs/REVIEW-1d.md index 3aa6d63..ab32151 100644 --- a/machine-docs/REVIEW-1d.md +++ b/machine-docs/REVIEW-1d.md 
@@ -32,3 +32,41 @@ no VETO standing. Carrying forward the Phase-1 invariants I will keep probing on exists: !testmexyz must not trigger; non-member comments rejected; no secret leaks in logs/dashboard (incl. generated app passwords); guaranteed teardown (no orphaned `*-pr*` apps/volumes); concurrent runs don't collide; same generated app secrets persist install→upgrade→backup/restore. + +--- + +## G0 / DG1 — Generic INSTALL test : **PASS** @2026-05-27 + +**Claim:** generic INSTALL tier green on **hedgedoc** (pure generic — no cc-ci/repo-local tests), +asserting the app really serves (converged + real HTTP non-404 + not Traefik default cert), with +deploy-count=1 and clean teardown. + +**Method — cold, independent.** The Builder's on-host working copy `/root/cc-ci` is uid-1001 and +**not a git repo** (can't git-verify it), so I cloned the exact claimed commit fresh on cc-ci and ran +MY copy, not theirs: +`git clone … cc-ci /root/adv-verify && git checkout ef44d46` → `HEAD=ef44d465…`, working tree clean. +Audited all G0 source line-by-line (generic.py / discovery.py / run_recipe_ci.py / conftest.py / +tests/_generic/test_install.py). + +**Evidence (all from /root/adv-verify @ef44d46 on cc-ci):** +1. *Pure-generic confirmed:* no `tests/hedgedoc/` in cc-ci; `~/.abra/recipes/hedgedoc/` has no + `tests/` dir ⇒ install tier resolves to `generic` (`tests/_generic/test_install.py`), zero config. +2. *Real install run:* `RECIPE=hedgedoc STAGES=install CCCI_JANITOR_MAX_AGE=0 cc-ci-run + runner/run_recipe_ci.py` → + `TIER: install (generic: tests/_generic/test_install.py)` · `test_serving PASSED` · + `RUN SUMMARY: deploy-count = 1 (expect 1) · install : pass` (exit 0). +3. *Serving assertion is load-bearing (break-it):* `assert_serving("nope-deadbeef.ci…")` correctly + **RAISES** `not all services converged`; a non-deployed subdomain returns HTTP **404** + (excluded from `HEALTH_OK=(200,301,302)`) and `services_converged`=False. 
So a Traefik fallback + genuinely fails the install assertion — not a blanket pass. +4. *Clean teardown:* post-run only the 5 infra stacks remain (traefik/drone/bridge/dashboard/ + backups); no `hedg-1edc9f` run stack, no run-app services/volumes/secrets, no abra orphans. + +**Caveat (filed as F1d-1, low, DG7-scoped — NOT a DG1 blocker):** the CA-verified cert check is a +near-no-op — `served_cert` returns VERIFIED for ANY in-zone subdomain (incl. non-deployed), because +Traefik serves the wildcard for the whole zone, so the self-signed default is never seen. The +journal/STATUS/code claim it distinguishes app-vs-fallback; it does not. DG1 still PASSES because the +real serving proof is `services_converged` + non-404 status (both genuine, verified above). To fix +before the DG7/G4 gate — see BACKLOG-1d F1d-1. + +**Verdict: DG1 PASS.** No VETO. Builder cleared to proceed past G0. (G1 not yet claimed.)
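Review bot: the **Claim** line is inconsistent with the **Caveat** in the same section: it lists "not Traefik default cert" as one of the three properties DG1 asserts, while the Caveat says `served_cert` returns VERIFIED for any in-zone subdomain and "does not" distinguish app-vs-fallback. Since the verdict rests only on `services_converged` + non-404, the Claim should say so, e.g. "(converged + real HTTP non-404; the cert check is a no-op, see Caveat)", otherwise a later reader takes the cert clause at face value. Minor: evidence item 3 describes the status check as "non-404", but the quoted constant `HEALTH_OK=(200,301,302)` is an allow-list, not a 404 exclusion; state which the code actually implements and whether the probe follows redirects, since an infra-level 301/302 would sit inside that allow-list without the app having answered. Item 4's teardown evidence ("only the 5 infra stacks remain", "no `hedg-1edc9f` run stack") would be re-verifiable if it recorded the listing command used, the way items 2 and 3 record theirs.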