diff --git a/apps-gx10/fc-devicemgmt/README.md b/apps-gx10/fc-devicemgmt/README.md
index 24aeb59..f6e0236 100644
--- a/apps-gx10/fc-devicemgmt/README.md
+++ b/apps-gx10/fc-devicemgmt/README.md
@@ -21,7 +21,7 @@ values to clear readiness checks.
 | `DEVICE_MANAGEMENT_OPERATOR_API_KEY` | Required operator API key for authenticated REST/MCP write operations, including Android command queueing. |
 | `DEVICE_MANAGEMENT_ADMIN_API_KEY` | Required admin API key for privileged DeviceManagement operations. |
 | `DEVICE_MANAGEMENT_AGENT_API_KEY` | Required scoped agent credential for REST agent callbacks when TLS terminates before Kestrel; maps to `Auth:AgentApiKey` and `FlowerCore:Auth:AgentApiKey`. |
-| `DEVICE_MANAGEMENT_ENROLLMENT_CA_CERTIFICATE_PEM` | Optional persistent enrollment CA certificate PEM; maps to `FlowerCore:DeviceManagement:EnrollmentCertificateAuthorityCertificatePem`. Required before ingress can verify agent client-cert chains. |
+| `DEVICE_MANAGEMENT_ENROLLMENT_CA_CERTIFICATE_PEM` | Optional persistent enrollment CA certificate PEM; maps to `FlowerCore:DeviceManagement:EnrollmentCertificateAuthorityCertificatePem`. Live on GX10 for the agent client-cert chain currently trusted by Traefik. |
 | `DEVICE_MANAGEMENT_ENROLLMENT_CA_PRIVATE_KEY_PEM` | Optional private key PEM matching the persistent enrollment CA certificate; maps to `FlowerCore:DeviceManagement:EnrollmentCertificateAuthorityPrivateKeyPem`. |
 | `NANOHUB_API_KEY` | NanoHUB API password for HTTP Basic user `nanohub`. |
 | `APPLE_MDM_APNS_TOPIC` | MDM APNs topic returned after uploading the Apple MDM push certificate to NanoHUB/NanoMDM. |
@@ -49,13 +49,11 @@ validates Traefik-forwarded client certificates only on
 `X-Agent-Api-Key` as the fallback path. Operator write endpoints must use
 `X-Api-Key`.
 
-The agent-only Traefik route currently uses `RequireAnyClientCert`; the
-application remains the authorization boundary by matching the forwarded client
-certificate thumbprint to the enrolled device record. Once
-`DEVICE_MANAGEMENT_ENROLLMENT_CA_CERTIFICATE_PEM` and
-`DEVICE_MANAGEMENT_ENROLLMENT_CA_PRIVATE_KEY_PEM` are present and newly enrolled
-agents prove they chain to that CA, create the matching Traefik CA secret and
-switch this TLSOption to `RequireAndVerifyClientCert`.
+The agent-only Traefik route uses `RequireAndVerifyClientCert` with
+`Secret/devicemgmt-agent-client-ca`, derived from the persistent
+DeviceManagement enrollment CA. The application still matches the forwarded
+client certificate thumbprint to the enrolled device record, but unauthenticated
+clients are now rejected during TLS before reaching the agent REST route.
 
 ## Readiness Check