fix(linux/build): make builder image actually build (M1.1)

- Pin debian:bookworm-slim by real digest (resolved 2026-04-26).
- Two-phase install: seed ca-certificates from the default mirror first
  so HTTPS to snapshot.debian.org works, then swap to the pinned snapshot
  for the toolchain itself. Slim images don't ship the CA bundle, so the
  one-shot pinned-source-only install would deadlock on cert verification.

Validated locally: image builds clean, 302MB, all live-build / debootstrap /
mksquashfs / xorriso / diffoscope-minimal present.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

linux/build/docker/Dockerfile.builder

@@ -17,10 +17,10 @@
 # check, commit all four changes together.
 
 # debian:bookworm-slim — pinned by digest.
-# TODO(M1.1): replace placeholder digest with the actual one resolved at
-# image-build time. The placeholder is intentionally invalid so a build that
-# forgets to update it fails fast rather than silently using "latest".
-FROM debian:bookworm-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
+# Resolved 2026-04-26 via `docker pull debian:bookworm-slim`.
+# Bumping this requires rebuilding + pushing the silvermetal-builder image
+# AND updating BUILDER_IMAGE in linux/build/scripts/build.sh in the same commit.
+FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
 
 # Reproducibility-friendly apt configuration.
 ENV DEBIAN_FRONTEND=noninteractive \
@@ -35,13 +35,21 @@ ENV DEBIAN_FRONTEND=noninteractive \
 ARG APT_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian/20260415T000000Z"
 ARG APT_SECURITY_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian-security/20260415T000000Z"
 
+# Two-phase install:
+#   1. Use the base image's default mirror to seed ca-certificates so HTTPS
+#      to snapshot.debian.org works. (slim images don't ship CA bundles.)
+#   2. Pin sources.list to the snapshot and install the actual toolchain.
+# The first phase touches deb.debian.org without a pin; that's fine because
+# nothing it installs ends up in the final ISO — only the toolchain installed
+# in phase 2 does, and that is fully snapshot-pinned.
 RUN set -eux; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends ca-certificates; \
     rm -f /etc/apt/sources.list.d/*; \
     printf 'deb [check-valid-until=no] %s bookworm main\n' "$APT_SNAPSHOT_URL" >  /etc/apt/sources.list; \
     printf 'deb [check-valid-until=no] %s bookworm-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
     apt-get -o Acquire::Check-Valid-Until=false update; \
     apt-get install -y --no-install-recommends \
-        ca-certificates \
         debootstrap \
         diffoscope-minimal \
         dosfstools \