diff --git a/cc-ci-plan/plan.md b/cc-ci-plan/plan.md index 760e558..1cf2a05 100644 --- a/cc-ci-plan/plan.md +++ b/cc-ci-plan/plan.md @@ -338,10 +338,13 @@ Bridge posts/updates a Gitea PR comment with the run URL and (on completion) pas git.autonomic.zone, outbound — the reliably-working path) at ≤60s to satisfy D1. Because the modes are exclusive, no cross-path dedupe is needed; just don't re-fire already-seen comments when poll mode is switched on. Either mode alone satisfies D1. -- **Collaborator check must count org access.** The commenter-authorization step rejects - non-collaborators (correct, per §6) — but it must treat `recipe-maintainers` **org members/admins** - as authorized (the bot is org admin; a naive repo-collaborator check rejects it). Verify real - maintainers pass; don't gate legitimate `!testme` on a too-narrow collaborator lookup. +- **Commenter auth uses effective permission, not the collaborators list.** The repo's explicit + collaborator list is empty — the bot *and* the real maintainers (`trav`/`notplants`) all reach + `recipe-maintainers/cc-ci` as **org owners**, so `GET /collaborators/{user}` 404s for everyone and + a naive is-collaborator check rejects all legitimate `!testme`. Authorize instead via + `GET /repos/{repo}/collaborators/{user}/permission` and require `owner`/`admin`/`write` (rejects + `read`/`none`/404 → still satisfies §6's non-collaborator-rejection check; fail-closed on any API + error). The bot token needs repo-admin to read another user's permission — fine, it's org owner. - Enrollment = registering the Gitea webhook on a recipe repo (script in `runner/` or documented in `enroll-recipe.md`) + ensuring a `tests//` dir exists. The `autonomic-bot` account is **admin on the `recipe-maintainers` org**, so it can create repos there and add webhooks to any
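Review bot: The replacement bullet hardcodes the accepted permission strings (`owner`/`admin`/`write`) without saying where they were confirmed; because everything else is fail-closed, a mismatch between this list and what the running Gitea instance actually returns from `GET /repos/{repo}/collaborators/{user}/permission` would reject every legitimate `!testme` with no visible difference from the 404 case. Suggest the plan item record the observed response for `trav`/`notplants` and the bot (the same way it records the empty collaborator list and the 404), and require that a rejection log the raw permission value and HTTP status so a silent lockout is diagnosable. Two smaller points: state explicitly that the lookup is performed on the author of the `!testme` comment, not on whoever delivered the event, and that the same check runs on both the webhook path and the poll path described in the surrounding context, since the bullet currently reads as a single-path check. The parenthetical "fail-closed on any API error" is doing real work and would be clearer as its own sentence listing which outcomes count as reject (non-2xx, unparseable body, unknown permission string).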