STATUS: M3 webhook being whitelisted operator-side; keep webhook, polling reverted

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

STATUS.md

@@ -25,7 +25,13 @@ Next: M6.5 (breadth ramp — recipes 3–6 + keycloak full 3-stage), M7, M8. Res
   `scripts/bootstrap-drone-oauth.sh`. Starting M3 as independent work; won't flip M3 gate until M2 PASS.
 
 ## Blocked
-- **M3 gate — Gitea→bridge webhook delivery not arriving (suspect Gitea `ALLOWED_HOST_LIST`).**
+- **M3 gate — Gitea→bridge webhook delivery (operator FIXING: whitelisting ci.commoninternet.net in
+  git.autonomic.zone `ALLOWED_HOST_LIST`).** Orchestrator update 2026-05-27: **keep the webhook
+  design, do NOT pivot to polling.** Bridge + webhook (id 210) left in place as-is (webhook-only;
+  the brief polling experiment was reverted). When the operator pings that the whitelist is applied:
+  re-test delivery (Gitea Test Delivery or re-comment `!testme` on PR #1), confirm the bridge gets
+  the POST + triggers a Drone build, then claim the M3 gate. Working other milestones meanwhile.
+  Original diagnosis below for reference.
   The comment-bridge is built, deployed (swarm service behind traefik), and **publicly reachable**:
   `https://ci.commoninternet.net/hook/healthz` → 200 from the sandbox over *real public DNS*
   (ci.commoninternet.net → gateway 143.244.213.108). HMAC logic verified (a manually openssl-signed