diff --git a/crates/picloud/tests/authz.rs b/crates/picloud/tests/authz.rs
index ecb4040..a82b6c7 100644
--- a/crates/picloud/tests/authz.rs
+++ b/crates/picloud/tests/authz.rs
@@ -325,9 +325,11 @@ async fn admin_is_implicit_app_admin_on_every_app(pool: PgPool) {
         .await
         .assert_status_ok();
 
-    // Allowed: delete the default app (AppAdmin).
+    // Allowed: delete the default app (AppAdmin). ?force=true because
+    // the script we created above pushes us past the soft no-cascade
+    // guard — this test is about the capability, not the cascade.
     s.server
-        .delete("/api/v1/admin/apps/default")
+        .delete("/api/v1/admin/apps/default?force=true")
         .add_header("authorization", format!("Bearer {token}"))
         .await
         .assert_status(axum::http::StatusCode::NO_CONTENT);