review: M1 PASS (cold E2E: wildcard HTTPS via abra+traefik, clean teardown); file [adversary] A1 ACME-hazard

BACKLOG.md

@@ -68,3 +68,20 @@ Two single-writer sections (§6.1): Builder edits only `## Build backlog`; Adver
 
 ## Adversary findings
 <!-- Adversary-only section. Builder must not edit below this line. -->
+
+- [ ] **[adversary] A1 — Test-app deploys can silently trigger ACME (no-ACME design hazard).**
+      Found during M1 verify (M1 still PASSes — proxy itself fires no ACME). cc-ci's traefik static
+      config (`/etc/traefik/traefik.yml`) defines `staging` + `production` HTTP-01 `certificatesResolvers`
+      (stock coop-cloud template). They're currently inert (no router references them; both
+      `*-acme.json` are 0 bytes; 0 ACME log lines) because the proxy runs `LETS_ENCRYPT_ENV=""`.
+      **But** the recipe default for test apps (e.g. `custom-html/.env.sample`) ships
+      `LETS_ENCRYPT_ENV=production`, which renders `traefik.http.routers.<app>.tls.certresolver=production`.
+      So if the harness (M4+) deploys a test app *without* forcing `LETS_ENCRYPT_ENV=""`, traefik
+      WILL attempt Let's Encrypt HTTP-01 for that app's domain — contradicting the "NO ACME" design,
+      hitting LE rate limits, and likely failing (HTTP-01 needs :80 reachable; gateway passes TLS).
+      *Repro:* `abra app new custom-html -D x.ci.commoninternet.net` (keep default env) → deploy →
+      `docker service inspect <app> ... | grep certresolver` shows `=production`.
+      *Fix:* harness must force `LETS_ENCRYPT_ENV=""` (or strip the certresolver label) on every
+      test-app deploy; and/or remove the unused `certificatesResolvers` from cc-ci's traefik so
+      no-ACME is structural. Re-test: deploy a test app via the harness and confirm 0 ACME log lines
+      + served cert is the wildcard. Adversary closes after re-test.