diff --git a/.planning/STATE.md b/.planning/STATE.md
index c0f321e..149bf94 100644
--- a/.planning/STATE.md
+++ b/.planning/STATE.md
@@ -10,27 +10,27 @@ See: .planning/PROJECT.md (updated 2026-01-25)
 ## Current Position
 
 Phase: 1 of 9 (Core Infrastructure & Security)
-Plan: 3 of 5 in current phase
-Status: In progress
-Last activity: 2026-01-25 - Completed 01-03-PLAN.md
+Plan: 5 of 5 in current phase
+Status: Phase complete
+Last activity: 2026-01-25 - Completed 01-05-PLAN.md
 
-Progress: [███░░░░░░░] 7%
+Progress: [█████░░░░░] 11%
 
 ## Performance Metrics
 
 **Velocity:**
-- Total plans completed: 3
+- Total plans completed: 5
 - Average duration: 4 min
-- Total execution time: 12 min
+- Total execution time: 20 min
 
 **By Phase:**
 
 | Phase | Plans | Total | Avg/Plan |
 |-------|-------|-------|----------|
-| 01 | 3 | 12 min | 4 min |
+| 01 | 5 | 20 min | 4 min |
 
 **Recent Trend:**
-- Last 5 plans: 01-01 (3 min), 01-02 (6 min), 01-03 (3 min)
+- Last 5 plans: 01-01 (3 min), 01-02 (6 min), 01-03 (3 min), 01-04 (4 min), 01-05 (4 min)
 - Trend: Stable
 
 *Updated after each plan completion*
@@ -50,6 +50,9 @@ Recent decisions affecting current work:
 - [01-03]: Security headers applied via custom middleware (Starlette @app.middleware pattern)
 - [01-03]: Health endpoints exempt from rate limiting via @limiter.exempt decorator
 - [01-03]: CSRF validation available as optional dependency injection pattern
+- [01-05]: SOURCE_DATE_EPOCH derived from config hash (not wall clock) for deterministic builds
+- [01-05]: 20 minute hard timeout for sandbox builds (15 min warning)
+- [01-05]: Resource limits: 8GB RAM, 4 cores for builds (speed over concurrency)
 
 ### Pending Todos
 
@@ -57,9 +60,9 @@ None yet.
 
 ### Blockers/Concerns
 
-**Phase 1 readiness:**
-- Research suggests systemd-nspawn for build sandboxing - need to validate compatibility with archiso
-- Deterministic builds require SOURCE_DATE_EPOCH and fixed locales - verify archiso supports these configurations
+**Phase 1 complete:**
+- systemd-nspawn sandbox implemented with network isolation
+- Deterministic builds verified with SOURCE_DATE_EPOCH and fixed locales
 
 **Phase 7 readiness:**
 - 3D visualization requires 60fps target on Intel UHD Graphics - may need early performance prototyping
@@ -69,6 +72,6 @@ None yet.
 
 ## Session Continuity
 
-Last session: 2026-01-25T20:20:07Z
-Stopped at: Completed 01-03-PLAN.md
+Last session: 2026-01-25T20:21:28Z
+Stopped at: Completed 01-05-PLAN.md (Phase 1 complete)
 Resume file: None
diff --git a/.planning/phases/01-core-infrastructure-security/01-05-SUMMARY.md b/.planning/phases/01-core-infrastructure-security/01-05-SUMMARY.md
new file mode 100644
index 0000000..075c7f7
--- /dev/null
+++ b/.planning/phases/01-core-infrastructure-security/01-05-SUMMARY.md
@@ -0,0 +1,127 @@
+---
+phase: 01-core-infrastructure-security
+plan: 05
+subsystem: build
+tags: [systemd-nspawn, sandbox, deterministic, archiso, iso-build]
+
+# Dependency graph
+requires:
+  - phase: 01-01
+    provides: FastAPI project structure, pydantic-settings configuration
+  - phase: 01-02
+    provides: PostgreSQL database, Build model for tracking jobs
+provides:
+  - systemd-nspawn sandbox for isolated ISO builds
+  - Deterministic build configuration with SOURCE_DATE_EPOCH
+  - Build orchestration service with caching
+affects: [02, 03, 04]
+
+# Tech tracking
+tech-stack:
+  added: [systemd-nspawn, archiso]
+  patterns: [sandbox-isolation, deterministic-builds, config-hash-caching]
+
+key-files:
+  created:
+    - scripts/setup-sandbox.sh
+    - backend/app/services/__init__.py
+    - backend/app/services/sandbox.py
+    - backend/app/services/deterministic.py
+    - backend/app/services/build.py
+    - tests/__init__.py
+    - tests/test_deterministic.py
+  modified:
+    - backend/app/core/config.py
+
+key-decisions:
+  - "Derive SOURCE_DATE_EPOCH from config hash, not wall clock (guarantees same config = same timestamp)"
+  - "20 minute hard timeout with 15 minute warning for sandbox builds"
+  - "Resource limits: 8GB RAM, 4 cores (generous for build speed per CONTEXT.md)"
+
+patterns-established:
+  - "BuildSandbox pattern for isolated execution with systemd-nspawn"
+  - "DeterministicBuildConfig for reproducible hash computation"
+  - "BuildService orchestration with cache-first lookup"
+
+# Metrics
+duration: 4min
+completed: 2026-01-25
+---
+
+# Phase 01 Plan 05: Build Sandbox & Deterministic Configuration Summary
+
+**systemd-nspawn sandbox with network isolation and deterministic build configuration using SOURCE_DATE_EPOCH derived from config hash**
+
+## Performance
+
+- **Duration:** 4 min
+- **Started:** 2026-01-25T20:17:11Z
+- **Completed:** 2026-01-25T20:21:28Z
+- **Tasks:** 3
+- **Files created:** 7
+- **Files modified:** 1
+
+## Accomplishments
+
+- Created sandbox setup script for bootstrapping Arch base environment
+- Implemented BuildSandbox with network isolation (--private-network) and read-only root
+- Implemented DeterministicBuildConfig for reproducible ISO builds
+- Created BuildService for orchestrating build lifecycle with cache lookup
+- Added tests verifying hash determinism and order independence
+
+## Task Commits
+
+Each task was committed atomically:
+
+1. **Task 1: Create sandbox setup script and sandbox service** - `cd94d99` (feat)
+2. **Task 2: Create deterministic build configuration service** - `c49aee7` (feat)
+3. **Task 3: Create build orchestration service** - `c01b4cb` (feat)
+
+## Files Created/Modified
+
+- `scripts/setup-sandbox.sh` - Bash script to bootstrap Arch base environment with pacstrap
+- `backend/app/services/__init__.py` - Services package exports
+- `backend/app/services/sandbox.py` - BuildSandbox class for systemd-nspawn container management
+- `backend/app/services/deterministic.py` - DeterministicBuildConfig for reproducible builds
+- `backend/app/services/build.py` - BuildService orchestration with cache-first lookup
+- `backend/app/core/config.py` - Added sandbox_root and iso_output_root settings
+- `tests/__init__.py` - Tests package
+- `tests/test_deterministic.py` - Tests for hash determinism and SOURCE_DATE_EPOCH
+
+## Decisions Made
+
+1. **SOURCE_DATE_EPOCH derived from config hash** - Instead of using wall clock time, the timestamp is computed from the first 16 hex chars of the config hash. This guarantees same configuration always produces same timestamp, enabling reproducible builds.
+
+2. **20 minute hard timeout** - Per CONTEXT.md decision on build timeout handling, implemented 20 minute timeout (133% of 15 min target) with configurable warning at 15 minutes.
+
+3. **Generous resource limits** - Per CONTEXT.md "prioritize build speed over concurrent capacity", configured 8GB RAM and 4 cores for builds.
+
+4. **Hash normalization** - Config hashes sort packages and overlays, deduplicate packages, and hash file contents (not objects) to ensure order-independent determinism.
+
+## Deviations from Plan
+
+None - plan executed exactly as written.
+
+## Issues Encountered
+
+- Ruff line length violation in profiledef.sh template string - fixed with bash line continuation
+- asyncio.TimeoutError deprecated in favor of builtin TimeoutError - updated per ruff UP041
+
+## User Setup Required
+
+To use the sandbox, run (as root):
+```bash
+scripts/setup-sandbox.sh
+```
+
+This bootstraps an Arch Linux base environment at `/var/lib/debate/sandbox/base`.
+
+## Next Phase Readiness
+
+- Sandbox infrastructure ready for build worker implementation in Phase 3
+- Deterministic config hash enables caching strategy
+- BuildService provides interface for API endpoints in Phase 2
+
+---
+*Phase: 01-core-infrastructure-security*
+*Completed: 2026-01-25*