diff --git a/CVES.md b/CVES.md
index 560227b..7318e1c 100644
--- a/CVES.md
+++ b/CVES.md
@@ -18,11 +18,11 @@ Status legend:
 
 | CVE | Name | Class | First patched | IAMROOT module | Status | Notes |
 |---|---|---|---|---|---|---|
-| CVE-2026-31431 | Copy Fail (algif_aead `authencesn` page-cache write) | LPE (page-cache write → /etc/passwd) | mainline 2026-04-22 | `copy_fail_family/copy_fail` | 🟢 | Verified on Ubuntu 26.04, Alma 9, Debian 13. Full AppArmor bypass. |
-| CVE-2026-43284 (v4) | Dirty Frag — IPv4 xfrm-ESP page-cache write | LPE (same primitive shape as Copy Fail, different trigger) | mainline 2026-05-XX | `copy_fail_family/dirty_frag_esp` | 🟢 | Full PoC + active-probe scan |
-| CVE-2026-43284 (v6) | Dirty Frag — IPv6 xfrm-ESP (`esp6`) | LPE | mainline 2026-05-XX | `copy_fail_family/dirty_frag_esp6` | 🟢 | V6 STORE shift auto-calibrated per kernel build |
-| CVE-2026-43500 | Dirty Frag — RxRPC page-cache write | LPE | mainline 2026-05-XX | `copy_fail_family/dirty_frag_rxrpc` | 🟢 | |
-| (variant, no CVE) | Copy Fail GCM variant — xfrm-ESP `rfc4106(gcm(aes))` page-cache write | LPE | n/a | `copy_fail_family/copy_fail_gcm` | 🟢 | Sibling primitive, same fix |
+| CVE-2026-31431 | Copy Fail (algif_aead `authencesn` page-cache write) | LPE (page-cache write → /etc/passwd) | mainline 2026-04-22 | `copy_fail` | 🟢 | Verified on Ubuntu 26.04, Alma 9, Debian 13. Full AppArmor bypass. |
+| CVE-2026-43284 (v4) | Dirty Frag — IPv4 xfrm-ESP page-cache write | LPE (same primitive shape as Copy Fail, different trigger) | mainline 2026-05-XX | `dirty_frag_esp` | 🟢 | Full PoC + active-probe scan |
+| CVE-2026-43284 (v6) | Dirty Frag — IPv6 xfrm-ESP (`esp6`) | LPE | mainline 2026-05-XX | `dirty_frag_esp6` | 🟢 | V6 STORE shift auto-calibrated per kernel build |
+| CVE-2026-43500 | Dirty Frag — RxRPC page-cache write | LPE | mainline 2026-05-XX | `dirty_frag_rxrpc` | 🟢 | |
+| (variant, no CVE) | Copy Fail GCM variant — xfrm-ESP `rfc4106(gcm(aes))` page-cache write | LPE | n/a | `copy_fail_gcm` | 🟢 | Sibling primitive, same fix |
 | CVE-2022-0847 | Dirty Pipe — pipe `PIPE_BUF_FLAG_CAN_MERGE` write | LPE (arbitrary file write into page cache) | mainline 2022-02-23 | `_stubs/dirty_pipe_cve_2022_0847` | ⚪ | Stub. Public PoCs exist; bundling for completeness. Affects ≤5.16.11, ≤5.15.25, ≤5.10.102 |
 | CVE-2023-0458 | EntryBleed — KPTI prefetchnta KASLR bypass | INFO-LEAK (kbase) | mainline (partial mitigations only) | `_stubs/entrybleed_cve_2023_0458` | ⚪ | Stub. Used as STAGE-1 leak brick, not a standalone LPE. Works on lts-6.12.88 (empirical 5/5). |
 | CVE-2026-31402 | NFS replay-cache heap overflow | LPE (NFS server) | mainline 2026-04-03 | — | ⚪ | Candidate. Different audience (NFS servers) — TBD whether in-scope. |
diff --git a/ROADMAP.md b/ROADMAP.md
index 9c884b0..3759125 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -13,20 +13,25 @@ commitments.
 - [x] LICENSE (MIT)
 - [x] Private GitHub repo
 
-## Phase 1 — Make the bundling real (next session)
+## Phase 1 — Make the bundling real (DONE 2026-05-16)
 
-- [ ] Top-level `iamroot` dispatcher CLI (`iamroot.c`) — module
-      registry, fingerprint, route to module's detect/exploit
-- [ ] Module interface header (`core/module.h`) — standard
-      `iamroot_module` struct each module exports
-- [ ] Refactor `modules/copy_fail_family/` internals to expose the
-      standard module interface
-- [ ] Extract shared code into `core/`: `apparmor_bypass.c`,
-      `exploit_su.c`, `common.c`, `fcrypt.c` (currently duplicated
-      under the absorbed DIRTYFAIL tree)
-- [ ] Top-level `Makefile` that builds all modules into one binary
-- [ ] Smoke test: `iamroot --scan --json` on Ubuntu 26.04
-      produces sensible output
+- [x] Top-level `iamroot` dispatcher CLI (`iamroot.c`) — module
+      registry, route to module's detect/exploit
+- [x] Module interface header (`core/module.h`) — standard
+      `iamroot_module` struct + `iamroot_result_t` (numerically
+      aligned with copy_fail_family's `df_result_t` for zero-cost
+      bridging)
+- [x] `core/registry.{c,h}` — flat-array registry with `find_by_name`
+- [x] `modules/copy_fail_family/iamroot_modules.{c,h}` — bridge layer
+      exposing 5 modules
+- [x] Top-level `Makefile` that builds all modules into one binary
+- [x] Smoke test: `iamroot --scan --json` produces ingest-ready JSON;
+      `iamroot --list` prints the module inventory
+- [ ] **Deferred to Phase 1.5**: extract `apparmor_bypass.c`,
+      `exploit_su.c`, `common.c`, `fcrypt.c` into `core/` (shared
+      across families). Phase 1 keeps them inside copy_fail_family/src/
+      because there's only one family today; the extraction is
+      mechanical and lands when a second family arrives.
 
 ## Phase 2 — Add Dirty Pipe (CVE-2022-0847)