diff --git a/infrastructure/production/fleet/apps/mail-autodiscovery.yaml b/infrastructure/production/fleet/apps/mail-autodiscovery.yaml
index 86fcc7e..acc5177 100644
--- a/infrastructure/production/fleet/apps/mail-autodiscovery.yaml
+++ b/infrastructure/production/fleet/apps/mail-autodiscovery.yaml
@@ -15,6 +15,9 @@
 #
 # Customer domains (autodiscover..tld) need per-domain certs and an
 # automated Ingress/Certificate per verified domain — follow-up feature.
+#
+# NB: the ci-deployer Role carries explicit Endpoints write — the namespaced
+# 'admin' role stopped granting it (CVE-2021-25740 hardening).
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/infrastructure/production/fleet/ci/ci-deployer.yaml b/infrastructure/production/fleet/ci/ci-deployer.yaml
index fc8b420..9e4fe9e 100644
--- a/infrastructure/production/fleet/ci/ci-deployer.yaml
+++ b/infrastructure/production/fleet/ci/ci-deployer.yaml
@@ -48,6 +48,15 @@ rules:
   - apiGroups: ["traefik.io"]
     resources: ["middlewares"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  # 'admin' stopped granting WRITE on legacy Endpoints (CVE-2021-25740
+  # hardening), but the selectorless stalwart-http Service needs its
+  # Endpoints applied by the pipeline. EndpointSlice included for parity.
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
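Review bot: The added NB says the ci-deployer Role carries Endpoints write but does not say which object in this file needs it, while the matching comment in ci-deployer.yaml attributes the need to the selectorless `stalwart-http` Service, not to anything named here. A reader of this Service header cannot tell whether it is itself selectorless (its body is outside the hunk) or merely routes to stalwart-http, so the cross-reference points at the wrong place either way. I'd make the comment name the object concretely, e.g. `# NB: ci-deployer has a scoped Endpoints write grant for the selectorless stalwart-http Service (admin lost Endpoints write in the CVE-2021-25740 hardening); the Endpoints object must carry the Service's name.` if that is the dependency, or drop the NB here if this Service has a selector and the grant does not concern it.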
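Review bot: The two new rules grant unrestricted `create/update/patch/delete` on every `endpoints` and `endpointslices` object in the namespace, which is precisely the capability the CVE-2021-25740 hardening removed from `admin`: a compromised pipeline token could repoint any Service in this namespace at arbitrary addresses (pods in other namespaces, the API server) and expose them through the existing Ingress, and the `delete` verb lets it blackhole every other Service too. The comment says only the selectorless `stalwart-http` Service's Endpoints are pipeline-managed, and an Endpoints object must carry its Service's name, so the mutating verbs can be pinned with `resourceNames: ["stalwart-http"]`; only `create` cannot be name-restricted by RBAC and needs its own open rule, while `list`/`watch`/`delete` do not look necessary for an apply-style pipeline. The "parity" grant on `discovery.k8s.io/endpointslices` doubles the exposure for no stated use: when the pipeline writes the legacy Endpoints object the endpointslice-mirroring controller produces the slice itself, so I would drop that rule unless the pipeline actually applies EndpointSlice manifests (in which case grant only the slice, name-scoped the same way, and drop the Endpoints rule instead). The enclosing `rules:` list starts before this hunk.

```yaml
  # … unchanged: traefik.io middlewares rule …
  # Re-grant of what the CVE-2021-25740 hardening removed from 'admin', scoped to
  # the one selectorless Service the pipeline manages (Endpoints name == Service
  # name). 'create' is the only verb RBAC cannot limit by resourceNames.
  - apiGroups: [""]
    resources: ["endpoints"]
    resourceNames: ["stalwart-http"]
    verbs: ["get", "update", "patch"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["create"]
  # No endpointslices grant: the mirroring controller derives the slice from the
  # Endpoints object. Add a name-scoped slice rule instead if the pipeline applies
  # EndpointSlice manifests directly.
```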