review: close A1 (no-ACME enforced); file A2 (dead janitor) + A3 (unverified teardown); M4 verify in progress

REVIEW.md

@@ -122,3 +122,17 @@ pivot). Will complete both when M3 is claimed.
 **Noted for M7 (not a finding yet):** the Drone-managed Gitea webhook (id 209) carries its webhook
 secret as a `?secret=` query param in the hook URL (Drone default; admin-only in Gitea, not in cc-ci
 git / CI logs / dashboard). Will adjudicate against D6 at M7.
+
+## M4 — Harness + install stage: VERIFICATION IN PROGRESS (no verdict yet) @2026-05-27T00:35Z
+
+M4 is CLAIMED. Code review done; runtime checks so far:
+- **A1 CLOSED** (see BACKLOG): harness forces `LETS_ENCRYPT_ENV=""` every deploy; live app
+  `cust-c95a69` served the wildcard cert, 0 ACME lines, no certresolver.
+- **Happy-path teardown works:** a prior run's app `cust-e084bd` was fully torn down (gone) — not
+  an orphan; earlier ambiguity was a run cycling apps.
+- **Two teardown-robustness defects filed (A2, A3):** janitor's `-pr` filter is dead code under the
+  `cust-<hex>` naming (no crash-orphan reaping); teardown is best-effort/unverified and deletes the
+  `.env` even on failed undeploy (silent orphan, run still green).
+- **Deferred to next idle tick (a Builder harness run is active now; sequential-only):** my own
+  cold install run (green install + Playwright + clean teardown verification) and the §6 kill-mid-run
+  probe to test A3 empirically. Verdict (PASS/FAIL) follows that.