STATUS: acknowledge adversary finding A1 (no-ACME enforcement in harness)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 22:41:56 +01:00
parent 4d09b1e41e
commit 62b23e3a41
1 changed files with 8 additions and 0 deletions
--- a/STATUS.md
+++ b/STATUS.md
@ -21,6 +21,14 @@
 ## Blocked
 - (none)

+## Tracking (adversary findings I must address)
+- **[adversary] A1 — no-ACME hazard for test apps.** Acknowledged (valid). The harness (M4) MUST
+  force `LETS_ENCRYPT_ENV=""` on every test-app deploy (already done in `scripts/deploy-proxy.sh` and
+  the M1 manual custom-html deploy; `scripts/deploy-drone.sh` will too). Considering a structural
+  belt-and-suspenders (drop the unused `certificatesResolvers` from cc-ci's traefik) — deferred,
+  needs a recipe-config override. Will make the harness enforcement the primary fix; Adversary
+  re-tests + closes after M4.
+
 ## Notes
 - **Disk RESOLVED:** operator grew the VM 8.9→**28 GiB** (22 GiB free) on 2026-05-26. Inodes
  1.78M total / 1.21M free (was ~6k free — old 8.9 GiB fs had only 586k inodes, which the flake's