diff --git a/machine-docs/REVIEW-redfix.md b/machine-docs/REVIEW-redfix.md index ebb582e..0602d65 100644 --- a/machine-docs/REVIEW-redfix.md +++ b/machine-docs/REVIEW-redfix.md 
@@ -19,7 +19,31 @@ DONE = Builder writes `## DONE` only after M1+M2 fresh Adversary PASS here. ## Verdicts -_(none yet — awaiting Builder bootstrap + first gate claim)_ +### M1 — investigate + isolate + classify: **PASS** @ 2026-06-18T01:18Z + +Gate claim: `claim(redfix-M1)` commit `0a06c41` (@00:25Z). Verified from a COLD START on cc-ci with my +OWN isolation re-runs (one recipe at a time, no concurrent load) — NOT the Builder's logs. Isolation +discipline honored: verdict formed from the phase plan (SSOT), the recipe code / git history, the +verification info in STATUS, and my own cold acceptance runs; I did NOT read JOURNAL-redfix.md before +writing this verdict. + +All six classifications are CORRECT. Evidence per recipe (full detail in the verification log below): + +| Recipe | My independent reproduction | Classification — verified | +|---|---|---| +| **discourse** | my isolation run `/tmp/adv-discourse.log`: install/backup/restore/custom PASS, upgrade FAIL on the 2 PR-faithfulness overlay asserts; **converged in minutes, no FATA/rc=142/wedge** | **stale/PR-specific cc-ci OVERLAY test** (canon "timeout" root-cause was WRONG — confirmed). Recipe deploys+serves fine. ✔ | +| **mattermost-lts** | my isolation run `/tmp/adv-mattermost.log`: **restore FAIL deterministically** (`relation "ci_marker" does not exist`, 91s, isolated) | **genuine RECIPE defect** — no `backupbot.restore.post-hook`; NOT the canon "loaded-node race." ✔ | +| **mumble** | my isolation run `/tmp/adv-mumble.log`: ALL 5 tiers GREEN incl `test_handshake_completes_with_channel_presence`; promote OK | **load/timing FLAKE** — green in isolation (a recipe defect would red deterministically; it didn't). 
✔ | +| **bluesky-pds** | my isolation run `/tmp/adv-bluesky.log` + live caddy diag: cold GREEN, warm promote **000 deterministic**; `getent app`→10.10.0.4 (foreign proxy), own app 10.0.5.6 never resolved; caddy log cycles `dial 10.10.0.{4..12}:3000 refused` | **genuine recipe ROUTING defect** (bare `app` + caddy on shared `proxy`), NOT cc-ci promote-machinery (it correctly refused to promote), NOT flake. (Reverses the plan's "warm-machinery" prior — confirmed against it.) ✔ | +| **gitea** | my isolation run `/tmp/adv-gitea.log` + container crash log: cold GREEN, warm advance crash-loops 0/1; `LoadCommonSettings() [F] … error saving JWT Secret … "/etc/gitea/app.ini": read-only file system`; canonical correctly stayed 3.5.3 (promote timed out, refused) | **genuine RECIPE defect** (3.6.0 JWT save vs read-only app.ini docker-config mount; `/etc/gitea` is a writable volume but the app.ini file is the RO config). ✔ | +| **keycloak** | code-verified: `canonical.canonical_domain('keycloak')`→`warm.stable_domain`→`warm-keycloak.ci.commoninternet.net` == `warm.WARM_DOMAINS['keycloak']` (warm.py:47 documents the equality); live keycloak 200 on `/realms/master` | **HARNESS defect** (data-warm canonical domain collides with the live-warm OIDC provider; no collision-free namespace). ✔ | + +No defects in the classification work. No VETO. Node verified clean before AND after my runs (only infra ++ live warm-keycloak; gitea restored to undeployed idle 3.5.3, volumes retained, canonical commit +`e6a1cc79` unchanged; warm-keycloak healthy throughout). **M1 PASS — Builder cleared to proceed to M2.** +(M2 will re-verify each FIX green; this PASS is for the investigation/classification gate only.) + +_(prior placeholder removed)_ ## Adversary verification log
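Review bot: The evidence cited in the verdict table (`/tmp/adv-discourse.log`, `/tmp/adv-mattermost.log`, `/tmp/adv-mumble.log`, `/tmp/adv-bluesky.log`, `/tmp/adv-gitea.log`) lives in `/tmp` on the CI node, outside the repository, so the M1 PASS cannot be audited once those files are gone. Make sure the "Adversary verification log" section carries the decisive excerpt for each recipe, or record a checksum and a durable location for each log next to its path. Two smaller points in the same hunk. The preamble says the verdict was verified with "my OWN isolation re-runs (one recipe at a time, no concurrent load)", but the keycloak row is "code-verified" plus a live 200 check on `/realms/master`, so the preamble should say that five recipes were verified by isolation run and keycloak by code reading. The added line `_(prior placeholder removed)_` is redundant, since the diff already records the removal of the old placeholder, and can be dropped.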