diff --git a/STATUS.md b/STATUS.md
index b0a0034..d638ef4 100644
--- a/STATUS.md
+++ b/STATUS.md
@@ -25,7 +25,13 @@ Next: M6.5 (breadth ramp — recipes 3–6 + keycloak full 3-stage), M7, M8. Res
   `scripts/bootstrap-drone-oauth.sh`. Starting M3 as independent work; won't flip M3 gate until M2 PASS.
 
 ## Blocked
-- **M3 gate — Gitea→bridge webhook delivery not arriving (suspect Gitea `ALLOWED_HOST_LIST`).**
+- **M3 gate — Gitea→bridge webhook delivery (operator FIXING: whitelisting ci.commoninternet.net in
+  git.autonomic.zone `ALLOWED_HOST_LIST`).** Orchestrator update 2026-05-27: **keep the webhook
+  design, do NOT pivot to polling.** Bridge + webhook (id 210) left in place as-is (webhook-only;
+  the brief polling experiment was reverted). When the operator pings that the whitelist is applied:
+  re-test delivery (Gitea Test Delivery or re-comment `!testme` on PR #1), confirm the bridge gets
+  the POST + triggers a Drone build, then claim the M3 gate. Working other milestones meanwhile.
+  Original diagnosis below for reference.
   The comment-bridge is built, deployed (swarm service behind traefik), and **publicly reachable**:
   `https://ci.commoninternet.net/hook/healthz` → 200 from the sandbox over *real public DNS*
   (ci.commoninternet.net → gateway 143.244.213.108). HMAC logic verified (a manually openssl-signed