01 updated

docs/architecture/01-topology-and-trust.md

@@ -111,9 +111,10 @@ credentials.
   deploys the controller into it — injecting the controller's hub API key and its local-API
   token. The controller is the agent's product, never the other way around.
 - The **hub customer record is the durable source of truth**, and it survives box loss:
-  identity, domain, **Cloudflare tunnel token**, **PBS namespace**, **storage manifest**,
+  identity, domain, **Cloudflare tunnel token**, **PBS namespace**, **storage manifest**, a
-  **declarative app inventory**, and the **escrowed (zero-knowledge) backup key**. This is
+  **mirrored app inventory** (bottom-up reality, not operator-declared intent — apps themselves
-  what makes hardware replacement possible.
+  restore from the PBS guest snapshot, never re-deployed from this record; see `05` §1/§9), and the
+  **escrowed (zero-knowledge) backup key**. This is what makes hardware replacement possible.
 
 ---
 
@@ -218,3 +219,6 @@ credentials.
   hub-enforced (S4/S5).
 - §11 open items: removed the now-resolved **tunnel placement** and **self-update flow** entries
   (S5; self-update designed in 03 §11).
+- §6 durable record: **"declarative app inventory" → "mirrored app inventory"** — aligns the wording
+  with the locked two-driver model (`05` §1: apps are bottom-up mirror, never operator-declared;
+  `05` §9: apps restore from the PBS guest snapshot, not re-deployed from this record).