diff --git a/JOURNAL-1b.md b/JOURNAL-1b.md
index e6b24b7..3f4f9c2 100644
--- a/JOURNAL-1b.md
+++ b/JOURNAL-1b.md
@@ -149,3 +149,22 @@ self-test/lint pipeline auto-firing; **recipe-CI triggering is unaffected** —
 polls Gitea *outbound* (cc-ci → git.autonomic.zone, the reliable direction), which is the plan's
 primary trigger (§4.1). The lint stage is wired + proven green via its exact command; manual/API
 Drone builds work. Not expanding scope to re-engineer the inbound path (bounded pass).
+
+## 2026-05-27 — RL3 FULL D1–D10 PASS (Adversary cold). Only RL6 (coordinated) left.
+
+Adversary logged **RL3 PASS** (REVIEW-1b): all D1–D10 re-verified cold on the cleaned+RL5
+byte-identical closure (`8i3jcad9`==running==fresh-clone build), fresh <24h evidence, nothing
+weakened. Highlights: D1 trigger 20s/8s; D2 install/upgrade/backup green (upgrade actually ran, not
+skipped) on custom-html + keycloak; D6 leak test 0 hits (8/8 infra + cert/key + generated keycloak
+admin pw absent from logs/dashboard); D8 fresh-recursive-clone rebuild == running; D10 = 2 fresh
+category runs (#151 custom-html, #152 keycloak) + carry-forward of the Phase-1 Adversary-verified
+6/6 set (byte-identical harness/test/closure). Cardinal-rule PASS. **RL1–RL5 Adversary-PASS, no open
+findings, NO VETO.**
+
+→ Flagged the orchestrator (STATUS-1b) that I'm **ready for the RL6 coordinated cutover**: it updates
+`launch.sh` to `machine-docs/` paths + restarts the watchdog; on its signal I `git mv`
+STATUS*/BACKLOG*/JOURNAL*/DECISIONS.md into `machine-docs/` (README stays root), the Adversary moves
+REVIEW*, I fix the only in-repo refs (README Loop-state + docs/install.md:15), Adversary re-verifies,
+then I write `## DONE`. Holding all root protocol files in place until that signal (moving them early
+breaks the live watchdog). Loop continues; not idling on a long sleep — short fallback while awaiting
+the orchestrator go-ahead.
diff --git a/STATUS-1b.md b/STATUS-1b.md
index 1de5cce..e231715 100644
--- a/STATUS-1b.md
+++ b/STATUS-1b.md
@@ -36,17 +36,29 @@ fix needed, no advisory filed. **Awaiting the Adversary's own §3 pass #2 to con
 **W2 (RL3/RL4) — next.** RL4 docs already landed (README lint section). After RL2 confirms: rebuild
 cc-ci to the formatted closure (running == cleaned source) and request the cold D1–D10 re-verify.
 
-## Gate
-**RL3 CLAIMED, awaiting Adversary.** Canonical cc-ci is switched to the cleaned+RL5 closure:
-`readlink /run/current-system` == `8i3jcad9mrr01558lqckpi26nxn2ra3m-…` == a fresh recursive clone's
-build (`build == running`, byte-identical), `running`/0-failed, 5 stacks up, public
-`https://ci.commoninternet.net/` → 200. Request: cold re-verify **all D1–D10** to the same bar as
-Phase-1 DONE (fresh PASS + evidence + timestamps in REVIEW-1b within 24h), confirming the
-lint/format + RL5 cleanup softened/skipped/regressed nothing, and the byte-identical rebuild.
-After RL3 PASS: do RL6 (coordinated with orchestrator), then `## DONE`.
+## Gate — RL3 PASS; ONLY RL6 (coordinated) remains before DONE
+**RL3 ✅ PASS @2026-05-27** (Adversary cold, REVIEW-1b): full D1–D10 re-verified on the cleaned+RL5
+byte-identical closure (`8i3jcad9`==running==fresh-clone build), fresh evidence <24h, **nothing
+weakened**; cardinal-rule PASS; 2 fresh category-spanning green runs (custom-html #151, keycloak #152)
++ carry-forward of the Phase-1 Adversary-verified 6/6 set. **RL1–RL5 all Adversary-PASS, no open
+`[adversary]` findings, NO VETO.**
 
-RL6 reminder: I will flag the orchestrator to update `launch.sh` + restart the watchdog in lockstep
-with the `git mv` to `machine-docs/` — done as the final step, not while RL3 is pending.
+### ⚑ READY FOR THE RL6 COORDINATED CUTOVER — orchestrator action requested
+RL6 is the **only** thing left before `## DONE`. It cannot be done unilaterally: the watchdog
+(`launch.sh`) reads `STATUS-1b.md` / `REVIEW-1b.md` at the **repo root**, so moving them stalls the
+loops until `launch.sh` is updated + the watchdog restarted.
+
+**Orchestrator: please update `launch.sh` to the `machine-docs/` paths and restart the watchdog, then
+signal me.** No phase transition is pending; this is the final 1b step. On your signal, IN LOCKSTEP:
+- **Builder `git mv` → `machine-docs/`:** `STATUS*.md` (3), `BACKLOG*.md` (3), `JOURNAL*.md` (3),
+  `DECISIONS.md`. **README.md STAYS at root** (operator decision).
+- **Adversary `git mv` → `machine-docs/`:** `REVIEW*.md` (3) (single-writer rule).
+- **In-repo ref updates (Builder):** `README.md` (Loop-state section + DECISIONS refs) and
+  `docs/install.md:15`. (No `AGENTS.md`/`.drone.yml`/`scripts` refs exist in-repo; the `cc-ci-plan/`
+  plans are outside this repo.)
+Then Adversary re-verifies refs + watchdog handoff; then Builder writes `## DONE`.
+
+Until that signal I keep STATUS-1b.md / JOURNAL-1b.md / etc. at the repo root.
 
 ## Blocked
 (none)