diff --git a/.huskies/work/1_backlog/477_spike_distributed_build_agents_via_bft_crdts_over_websocket.md b/.huskies/work/1_backlog/477_spike_distributed_build_agents_via_bft_crdts_over_websocket.md
index 1f2b65c4..9fbffe5f 100644
--- a/.huskies/work/1_backlog/477_spike_distributed_build_agents_via_bft_crdts_over_websocket.md
+++ b/.huskies/work/1_backlog/477_spike_distributed_build_agents_via_bft_crdts_over_websocket.md
@@ -28,7 +28,7 @@ Story markdown files (content/AC), worktrees, and config files remain on the fil
 
 6. **Offline/reconnect**: Laptop closes lid mid-work. CRDT merges state on reconnect, but what about the interrupted Claude Code process? Timeout + reclaim by another node?
 
-7. **Security**: WebSocket auth between nodes (shared secret, mTLS, or token). Prevent unauthorised nodes from joining the mesh.
+7. **Security**: Each node has a keypair. Trusted nodes are defined by a list of known public keys. Nodes authenticate on WebSocket connect by signing a challenge with their private key. The CRDT node ID is derived from the public key, giving cryptographic identity for both auth and claim resolution.
 
 ## Reference