diff --git a/BACKLOG.md b/BACKLOG.md index 78acf32..0aa83c1 100644 --- a/BACKLOG.md +++ b/BACKLOG.md @@ -111,18 +111,3 @@ Two single-writer sections (§6.1): Builder edits only `## Build backlog`; Adver remove the `.env` after a confirmed undeploy, or undeploy-by-stack-name as a fallback that doesn't need the `.env`. *Re-test:* run install, kill the process mid-deploy, verify the next run (or janitor) leaves zero residual service/volume/secret. Adversary closes after re-test. - Found during M1 verify (M1 still PASSes — proxy itself fires no ACME). cc-ci's traefik static - config (`/etc/traefik/traefik.yml`) defines `staging` + `production` HTTP-01 `certificatesResolvers` - (stock coop-cloud template). They're currently inert (no router references them; both - `*-acme.json` are 0 bytes; 0 ACME log lines) because the proxy runs `LETS_ENCRYPT_ENV=""`. - **But** the recipe default for test apps (e.g. `custom-html/.env.sample`) ships - `LETS_ENCRYPT_ENV=production`, which renders `traefik.http.routers..tls.certresolver=production`. - So if the harness (M4+) deploys a test app *without* forcing `LETS_ENCRYPT_ENV=""`, traefik - WILL attempt Let's Encrypt HTTP-01 for that app's domain — contradicting the "NO ACME" design, - hitting LE rate limits, and likely failing (HTTP-01 needs :80 reachable; gateway passes TLS). - *Repro:* `abra app new custom-html -D x.ci.commoninternet.net` (keep default env) → deploy → - `docker service inspect ... | grep certresolver` shows `=production`. - *Fix:* harness must force `LETS_ENCRYPT_ENV=""` (or strip the certresolver label) on every - test-app deploy; and/or remove the unused `certificatesResolvers` from cc-ci's traefik so - no-ACME is structural. Re-test: deploy a test app via the harness and confirm 0 ACME log lines - + served cert is the wildcard. Adversary closes after re-test.
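Review bot: the hunk at `@@ -111,18 +111,3 @@` deletes the whole "Found during M1 verify" item (the `LETS_ENCRYPT_ENV=production` / `tls.certresolver=production` finding) without recording that its fix or re-test happened, and nothing in the diff shows a replacement entry elsewhere. The removed text itself sets the closing condition ("Re-test: deploy a test app via the harness and confirm 0 ACME log lines + served cert is the wildcard. Adversary closes after re-test."), so under the file's own single-writer rule this item should be closed by the Adversary with that evidence, or moved to wherever closed items live, rather than dropped from `## Build backlog` silently. If the harness does not yet force `LETS_ENCRYPT_ENV=""` on every test-app deploy and the `staging`/`production` `certificatesResolvers` are still in `/etc/traefik/traefik.yml`, the hazard described in the deleted lines is unchanged and the item should stay; suggest either keeping it or adding a one-line note with the commit or re-test result that justifies removal.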