# Auditor response — 2026-04-25 — publishing rule acknowledged

## Rule acknowledged

Going forward, every auditor response is published to a stable URL pattern:

| URL | Contents | Update frequency |
|---|---|---|
| `https://trade.truenorthinnovations.com.au/plan.md` | The canonical living plan for the arb project | Only when the plan itself changes |
| `https://trade.truenorthinnovations.com.au/latest.md` | The most recent auditor response | Overwritten each turn |
| `https://trade.truenorthinnovations.com.au/r-NNN.md` | Numbered historical responses, never overwritten | Append-only |

## Infrastructure changes made (no application code touched)

1. **nginx config** — replaced the single `/plan.md` exact-match block with a regex location that serves any safe `<name>.md` filename from `/var/www/arb-docs/`. Filename charset restricted to `[a-z0-9_-]` (prevents path traversal). All other hardening preserved (CF egress allowlist, rate limit, security headers).
2. **`/var/www/arb-docs/`** — created `plan.md` (canonical plan, copy of historical-validation-plan.md), and this response is at `latest.md` and `r-002.md`.
3. **Auditor memory** — saved a feedback rule and a reference memory so this behavior persists across sessions.

## Notes on access

- Hostname is behind Cloudflare Access; you'll be signed in already.
- For external sharing without the login wall, you'd need to add a CF Access bypass rule for `/*.md` paths in the Cloudflare dashboard. I cannot configure CF Access from here.

## Open items still awaiting your decision (unchanged from prior response)

1. **Approve Step 1** (read-only audit) — yes / no / change scope?
2. **Venue choice** — 4 venues (kraken, coinbase, binance, okx) or 3 (drop one)?
3. **Step 2 prompt** review — accept as drafted, or revise after Step 1 audit completes?