diff --git a/docs/D1_Verification_Report.md b/docs/D1_Verification_Report.md
new file mode 100644
index 0000000..ef30d31
--- /dev/null
+++ b/docs/D1_Verification_Report.md
@@ -0,0 +1,131 @@
+# D-1 Verification Report
+
+**Date:** 2026-03-29
+**Branch:** culurien
+
+---
+
+## PART 1: BUILD & TEST
+
+### Builds
+- **Linux AMD64 agent**: PASS
+- **Linux AMD64 server**: PASS
+
+### Test Counts
+- Agent: system(7) + client(2) + logging(2) + scanner(19) + internal(4) + circuitbreaker(3) + crypto(14) = **51 tests**
+- Server: middleware(12) + handlers(17) + database(9) + migrations(10) + queries(3) + services(4) = **55 tests**
+- **Total: 106 tests, all PASS, 0 FAIL, 0 SKIP**
+
+### D-1 State-Change Confirmation
+All 6 FAIL-NOW tests flipped to PASS. All 9 PASS-NOW tests updated correctly.
+
+---
+
+## PART 2: REGISTRATION FALLBACK (F-D1-1) — PASS
+
+- NO `"unknown-"` string in registration path (grep: zero matches in main.go)
+- Only machine ID source: `system.GetMachineID()`
+- Failure: `log.Fatalf("[ERROR] [agent] [registration] machine_id_unavailable...")` — clean abort
+- Format consistency: both registration and runtime call `system.GetMachineID()` → both get SHA256 hex
+- No divergence possible in fixed code
+
+---
+
+## PART 3: REBIND ENDPOINT (F-D1-2) — PASS
+
+- Route: `POST /api/v1/admin/agents/:id/rebind-machine-id` (main.go:604)
+- Auth: admin group (WebAuthMiddleware + RequireAdmin)
+- Input validation: exactly 64 chars, lowercase hex [0-9a-f] only
+- Uppercase hex → 400 rejected (not normalized — consistent with GetMachineID output)
+- Audit: `[INFO] [server] [admin] agent_machine_id_updated agent_id=%s old_id=%s new_id=%s admin_user=%s`
+- UpdateMachineID uses parameterized query (`$1`, `$2`)
+
+---
+
+## PART 4: DEAD CODE DELETION (F-D1-3) — PASS
+
+- `example_integration.go`: file not found (deleted)
+- Zero references remain in codebase
+- Logging package compiles cleanly
+
+---
+
+## PART 5: WINDOWS REDUNDANT RETRY (F-D1-4) — PASS
+
+- `getWindowsMachineID()` no longer calls `machineid.ID()` (grep: zero in function body)
+- Falls through directly to `generateGenericMachineID()` which produces SHA256 hash
+- Windows reinstall comment present with rebind endpoint reference
+
+---
+
+## PART 6: LOGGING FORMAT (F-D1-5) — PASS
+
+- `fmt.Printf` in client.go: only at line 94 (event buffer, NOT machine ID)
+- Machine ID error uses `log.Printf("[WARNING] [agent] [client] machine_id_error...")`
+- `log` import present, `fmt` retained for other uses
+
+---
+
+## PART 7: EDGE CASES
+
+- **Existing "unknown-" agents**: Will be locked out on upgrade. Migration guide in D1_Fix_Implementation.md covers this with SQL query and rebind instructions.
+- **Runtime GetMachineID failure**: client.go sets `machineID = ""` → server rejects with 403 "missing machine ID header" → agent can't check in but doesn't crash. Operator must fix underlying machine ID issue.
+- **Rebind uppercase hex**: Rejected with 400 (lowercase only). Consistent with `hashMachineID()` output which is lowercase.
+
+---
+
+## PART 8: ETHOS COMPLIANCE
+
+- [x] Registration abort: `[ERROR] [agent] [registration]`
+- [x] Client error: `[WARNING] [agent] [client]`
+- [x] Rebind audit: `[INFO] [server] [admin]`
+- [x] No emojis in modified files
+- [x] Rebind behind WebAuthMiddleware + RequireAdmin
+- [x] Input validation prevents malformed IDs
+- [x] Registration fails cleanly
+- [x] GetMachineID() is idempotent
+- [x] No banned words
+
+---
+
+## PART 9: PRE-INTEGRATION CHECKLIST
+
+- [x] Linux AMD64 builds pass
+- [x] All 106 tests pass, zero regressions
+- [x] All 6 D-1 FAIL-NOW tests now PASS
+- [x] "unknown-" fallback removed
+- [x] Registration aborts on failure
+- [x] client.go logs warning (not empty string crash)
+- [x] Rebind endpoint with admin auth and validation
+- [x] Audit logging with old + new IDs
+- [x] example_integration.go deleted
+- [x] Windows retry removed
+- [x] Windows reinstall documented
+- [x] fmt.Printf replaced in client.go
+- [x] Operator migration guide complete
+- [x] ETHOS compliant
+
+---
+
+## ISSUES FOUND
+
+None. All 5 D-1 fixes verified correct.
+
+---
+
+## GIT LOG
+
+```
+db67049 fix(identity): D-1 machine ID deduplication fixes
+2c98973 test(machineid): D-1 pre-fix tests for machine ID duplication bugs
+8530e6c docs: D-1 machine ID duplication audit
+a1df7d7 refactor: C-series cleanup and TODO documentation
+1b2aa1b verify: C-1 Windows bug fixes verified
+8901f22 fix(windows): C-1 Windows-specific bug fixes
+38184a9 test(windows): C-1 pre-fix tests for Windows-specific bugs
+799c155 docs: C-1 Windows-specific bugs audit
+```
+
+---
+
+## FINAL STATUS: VERIFIED