diff --git a/docs/PRIORITY-HANDOFF-ISO-SPAWN-COST.md b/docs/PRIORITY-HANDOFF-ISO-SPAWN-COST.md
index d516480..75abe93 100644
--- a/docs/PRIORITY-HANDOFF-ISO-SPAWN-COST.md
+++ b/docs/PRIORITY-HANDOFF-ISO-SPAWN-COST.md
@@ -62,6 +62,23 @@ Gate 1 (passive service) is unproven.
    config is in place, and `service colibri_daemon stop` cleanly stops the
    daemon and removes the pidfile.
 
+4. **Validate the Hermes rc.d service** (`hermes-bsd`, merged 2026-06-14 as
+   `fc4b57ade`). The `hermes_daemon` rc.d script runs `hermes gateway run`
+   under `daemon(8)` with a dedicated user, persistent `HERMES_HOME`, and
+   supervisor/child pidfile separation — but it has not been booted on real
+   FreeBSD yet. On the same image run:
+
+   ```sh
+   # one-time: create user + install the rc.d script per README-FreeBSD.md
+   service hermes_daemon start    # must abort cleanly if config.yaml is missing
+   service hermes_daemon health
+   service hermes_daemon stop     # supervisor exits, child does not respawn
+   ```
+
+   Confirm: prestart aborts (exit 1, no crash loop) when
+   `/var/db/hermes/config.yaml` is absent; once configured, start/health/stop
+   work and both the supervisor and child pidfiles are cleaned up on stop.
+
 ### Key files
 
 - `scripts/stage-colibri-iso.sh` — the staging script (dir creation, bin copy, rc.d install, rc.conf.sample generation)
@@ -69,12 +86,13 @@ Gate 1 (passive service) is unproven.
 - `docs/ISO-ACCEPTANCE-RUNBOOK.md` — acceptance commands to run on the booted image
 - `docs/ISO-INTEGRATION-PLAN.md` §Lane A — full plan with gap audit
 - clawdie-iso `build.sh` — `install_colibri_service()` already wires staging, user creation, and service enable
+- `hermes-bsd` `packaging/freebsd/hermes_daemon.in` + `README-FreeBSD.md` — Hermes rc.d service and setup steps
 
 ### Suggested owner
 
 ISO/build lane — FreeBSD agent (Codex) or Sam boots a built image and runs the
-acceptance runbook. No Linux-side code change is required; this is a
-runtime-proof step.
+acceptance runbook plus the Hermes rc.d checks. No Linux-side code change is
+required; this is a runtime-proof step.
 
 ---