diff --git a/audits/2026-06-02-truenas-pveuser-proxmox-integration.md b/audits/2026-06-02-truenas-pveuser-proxmox-integration.md index d43483a..c9f9422 100644 --- a/audits/2026-06-02-truenas-pveuser-proxmox-integration.md +++ b/audits/2026-06-02-truenas-pveuser-proxmox-integration.md @@ -24,8 +24,10 @@ |---------|------|---------|-------------|-------------------| | **Backup** | `/mnt/Ice/Backup` | FULL_CONTROL | owner@, group@ | rw | | **ISOs** | `/mnt/Ice/ISOs` | READ | owner@, group@ | r | +| **Repo** | `/mnt/Ice/Repo` | FULL_CONTROL | owner@, group@ | rw | | Archive | `/mnt/Ice/Archive` | — | owner@, group@ | (not mapped) | -| Repo | `/mnt/Ice/Repo` | — | owner@, group@ | (not mapped) | + +> **Important:** `ISOs/template` and `ISOs/template/iso` also received `everyone@ TRAVERSE` so the TrueNAS API user (`jarvis`) can manage child directories during ACL operations. This is a metadata-only change and does not affect file access. ## TrueNAS Changes: NFS Maproot (All Shares) 
@@ -46,8 +48,8 @@ | Storage ID | Type | Server | Export | Content | Options | Status | |------------|------|--------|--------|---------|---------|--------| | `nas-backup` | NFS | 192.168.16.254 | `/mnt/Ice/Backup` | backup, images, rootdir, snippets, vztmpl | vers=4.2,proto=tcp | ✅ active | -| `nas-iso` | NFS | 192.168.16.254 | `/mnt/Ice/ISOs` | iso, vztmpl | vers=4.2,proto=tcp | ⚠️ inactive (read-only, PVE cannot create content dirs) | -| `nas-repo` | NFS | 192.168.16.254 | `/mnt/Ice/Repo` | snippets | vers=4.2,proto=tcp | ⚠️ inactive (permission) | +| `nas-iso` | NFS | 192.168.16.254 | `/mnt/Ice/ISOs` | iso | vers=4.2,proto=tcp | ✅ active (read-only by design, ACL enforced) | +| `nas-repo` | NFS | 192.168.16.254 | `/mnt/Ice/Repo` | snippets | vers=4.2,proto=tcp | ✅ active | | `nas-ds-mp-share` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/ds-mp-share` | images, rootdir | vers=4.2,proto=tcp | ✅ active | | `nas-ct-stor` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/pve-ct-stor` | rootdir | vers=4.2,proto=tcp | ✅ active | | `nas-vm-stor` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/pve-vm-stor` | images | vers=4.2,proto=tcp | ✅ active | 
@@ -57,24 +59,26 @@ | Mount Point | Writable? | Expected? | |-------------|-----------|-----------| | `/mnt/pve/nas-backup` | ✅ Yes | Yes (FULL_CONTROL) | -| `/mnt/pve/nas-iso` | ❌ Read-only | Yes (READ via ACL + NFS mount) | +| `/mnt/pve/nas-iso` | ❌ Read-only | Yes (READ via ACL) | +| `/mnt/pve/nas-repo` | ✅ Yes | Yes (FULL_CONTROL) | | `/mnt/pve/nas-vm-stor` | ✅ Yes | Yes (Proxmox pool) | | `/mnt/pve/nas-ct-stor` | ✅ Yes | Yes (Proxmox pool) | | `/mnt/pve/nas-ds-mp-share` | ✅ Yes | Yes (Proxmox pool) | -## Notes +## Diagnostic Notes -- `nas-iso` shows `inactive` in `pvesm status` because Proxmox tries to create `/mnt/pve/nas-iso/template/iso` on activation and fails (ACL READ only). The mount is still present and usable for ISO uploads/downloads — just not as a content-managed Proxmox storage. -- `nas-repo` shows `inactive` for similar reasons — Repo has no `pveuser` WRITE access in its ACL. Add `pveuser` to Repo ACL if snippets need to be writable from PVE. -- No local `pveuser` account exists on mk33. The user mapping is handled entirely by NFS `maproot_user` on TrueNAS. -- All NFS exports restricted to `192.168.0.0/18` (done in prior hardening). +- `nas-iso` is **active** and read-only by design. Proxmox `content iso` means it only needs to read existing ISO files — no write is expected. No local `pveuser` account exists on mk33; the user mapping is handled entirely by TrueNAS NFS `maproot_user`. +- `nas-repo` is **active** and writable. `pveuser` has `FULL_CONTROL` on `/mnt/Ice/Repo`. +- All NFS exports restricted to `192.168.0.0/18` (enforced during prior hardening). +- TrueNAS API v2.0 (`filesystem.setacl`) uses `dacl` field in SCALE 25.10.2 — earlier versions used `acl`. This was discovered during troubleshooting job 47396. +- `everyone@ TRAVERSE` was added to `ISOs/template` and `ISOs/template/iso` to allow the TrueNAS API user (`jarvis`) to manage child directories during ACL operations. ## Recommendations -1. 
**ISOs as managed storage**: If you want Proxmox to manage ISOs (upload via UI), remove the ACL READ-only restriction and set `pveuser` READ on ISOs, or use the Proxmox `local` storage for ISO staging and copy to `nas-iso` manually. -2. **Repo snippets**: Add `pveuser` FULL_CONTROL to `/mnt/Ice/Repo` if you need to store Proxmox snippets there. -3. **Monitor mount health**: If TrueNAS reboots, PVE will auto-reconnect on next storage access. For immediate recovery, run `pvesm status` or restart `pvedaemon`. +1. **ISO uploads**: Since `nas-iso` is read-only from PVE's perspective, upload new ISOs directly to TrueNAS (SFTP/SCP to `/mnt/Ice/ISOs/template/iso/`) or via the TrueNAS web UI. +2. **Monitor mount health**: If TrueNAS reboots, PVE auto-reconnects on next storage access. For immediate recovery, run `pvesm status` or restart `pvedaemon`. +3. **Backup SMB access-based enum**: Still blocked by API due to child dataset `proxmox-pool` ACL type mismatch. If required, fix manually via TrueNAS UI. --- -*Generated: 2026-06-02* +*Generated: 2026-06-02 | Updated: 2026-06-02*
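Review bot: In the `@@ -24,8 +24,10 @@` hunk, the `everyone@ TRAVERSE` entries added to `ISOs/template` and `ISOs/template/iso` are broader than the stated goal (letting the API user `jarvis` manage child directories), and the sentence "This is a metadata-only change and does not affect file access" is not accurate: TRAVERSE is the directory execute right that lets a principal resolve paths through a directory, so granting it to `everyone@` lets every local user and every NFS client identity reach the files under `ISOs/template/iso`, leaving only the per-file ACLs as the control. Suggest a user-specific ACE for the API user (e.g. `user:jarvis TRAVERSE`) instead of `everyone@`, and since the table is presented as the record of the ACL state, reflect the extra ACE in the ISOs row rather than listing `owner@, group@` only.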
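Review bot: In the `@@ -46,8 +48,8 @@` hunk, the `nas-iso` row carries two undocumented changes: the content list drops `vztmpl` (was `iso, vztmpl`) and the status flips from inactive to active, but nothing in the hunk says what made activation succeed. The removed text said PVE failed because it tried to create `/mnt/pve/nas-iso/template/iso` on activation, so presumably the content directory was pre-created on TrueNAS; state that explicitly, and say that `vztmpl` was dropped because its `template/cache` directory would likewise have to exist or be writable. Otherwise the next reader cannot tell why the previous failure no longer occurs. Also, "read-only by design, ACL enforced" rests solely on `pveuser` holding READ, and the same API user that sets ACLs can change that; consider adding `ro` to the mount options (`vers=4.2,proto=tcp,ro`) or marking the export read-only on TrueNAS so the read-only property has a second, independent control.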
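Review bot: In the `@@ -57,24 +59,26 @@` hunk, new recommendation 3 ("Backup SMB access-based enum ... child dataset `proxmox-pool` ACL type mismatch") refers to an SMB share on `/mnt/Ice/Backup` that appears nowhere else in the document; either add that share to the shares/ACL tables or drop the item, because as written a reader cannot tell which share or setting is blocked or what "fix manually" should change. Two smaller points in the Diagnostic Notes: the last bullet repeats the `everyone@ TRAVERSE` blockquote from the ACL section almost verbatim, so keep it in one place; and the `nas-iso` bullet now bundles an unrelated fact (no local `pveuser` on mk33, mapping done by `maproot_user`) that the old text had as its own item. Split it back out and say what the mapping does (root on the PVE host is squashed to `pveuser`; non-root UIDs pass through unchanged unless `mapall_user` is set), since that is what makes the `pveuser` ACL rows above apply to PVE operations.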