v1.0.0 — basef: a signed, earned, FROM-scratch Fedora bootc base

basef composes Fedora bootc base images FROM-scratch via rpm-ostree
compose rootfs — no inherited bootc parent — with source-built OpenZFS
and NVIDIA kernel modules. This is the first release: the foundation is
hardened, every operation is annotated against its upstream reason, and
two properties that were aspirational at the start are now real.

:stable is earned, not labelled. Every candidate image boots in a
nested-KVM smoke gate — bootc status, initramfs integrity, a clean
journal, ZFS + NVIDIA module load, and the module signer — before the
tag moves. A failed boot freezes :stable and the instance cascade never
fires. The gate has already frozen a real regression before it reached
a host.

The kernel modules are signed. Every zfs/spl/nvidia module is MOK-signed
at build under CN=immutable.dunn.dev; the certificate is baked into the
image and published at https://immutable.dunn.dev/keys, so a host can run
the source-built stack under Secure Boot after a one-time enrolment.

Built FROM-scratch on Fedora 44, no kernel pin, no DKMS, composefs
immutable root. Built for one homelab; published openly as reference.
The build path is forkable; the host deployments are not.

Validated on the carmine nested-KVM fast-loop and the crucible CI smoke
gate — including a full anaconda/kickstart/LUKS install rehearsal — never
assumed. See CHANGELOG.md for the detailed record.
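
The "module signer" check named in the gate, sketched as an added example; this is not basef's own gate code. It assumes `modinfo -F signer` reports the signing certificate's CN (immutable.dunn.dev), and the function and stub names are hypothetical.

```shell
#!/bin/sh
# Added example, not basef's gate. Assumption: `modinfo -F signer` prints the
# signing certificate's CN, so a good module reports "immutable.dunn.dev".
EXPECTED_SIGNER="immutable.dunn.dev"
MODULES="zfs spl nvidia"

# check_module_signers [modinfo-command]
# Prints "<module> <status> <signer>" per module; returns 1 unless every
# module is present and signed by EXPECTED_SIGNER.
check_module_signers() {
    cmd="${1:-modinfo}"
    rc=0
    for m in $MODULES; do
        if ! signer=$($cmd -F signer "$m" 2>/dev/null); then
            echo "$m MISSING -"; rc=1; continue
        fi
        case "$signer" in
            "") echo "$m UNSIGNED -"; rc=1 ;;
            "$EXPECTED_SIGNER") echo "$m OK $signer" ;;
            *) echo "$m WRONG_SIGNER $signer"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed stand-ins for modinfo (called as: stub -F signer <module>).
stub_signed() { echo "immutable.dunn.dev"; }
stub_mixed() {
    case "$3" in
        zfs) echo "immutable.dunn.dev" ;;
        spl) echo "" ;;                  # unsigned: empty signer field
        nvidia) echo "Some Other Key" ;; # signed, but not by the expected key
        *) return 1 ;;
    esac
}

# Demo on constructed input; on a real host call check_module_signers alone.
check_module_signers stub_signed && echo "gate: PASS"
check_module_signers stub_mixed || echo "gate: FAIL"
```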