Wire SignalControl platform observability

apps/fc-signalcontrol/README.md

@@ -0,0 +1,33 @@
+# FlowerCore SignalControl platform notes
+
+This app owns the cluster web manager at `signalcontrol.iamworkin.lan` and documents the physical Pi pilot at `signal-a.iamworkin.lan` / `pirelay`.
+
+## mTLS enrollment pattern
+
+Do not install or restart anything from this repo. The intended pirelay pattern is the Pi-signage step-ca-agent shape:
+
+- stable node identity: `pirelay`
+- local private key and CSR generated on the node
+- CSR submitted through the approved DeviceManagement/step-ca enrollment path
+- client certificate and chain stored node-local under `/etc/flowercore/signalcontrol/mtls/`
+- daily renewal timer, renewing only when fewer than 30 days remain
+- certificate used for DM-agent to DM-web traffic and future SignalControl inter-service calls
+
+Secrets, enrollment codes, private keys, p12 passphrases, and OIDC client secrets stay out of Git.
+
+## Telemetry
+
+Monitoring manifests add a dedicated Prometheus job:
+
+- `signalcontrol-pi-app`
+- target `10.0.58.113:5200`
+- path `/metrics/prometheus`
+- labels `instance="pirelay"`, `host="signal-a.iamworkin.lan"`, `service="signalcontrol-pi"`
+
+Host metrics continue through the `edge-nodes` node_exporter target at `10.0.58.113:9100`.
+
+## Physical-control audit
+
+The app ships with `FlowerCore:SignalControl:PhysicalAudit:Enabled=false` and `ForwardingEnabled=false`. Enabling local audit creates a SHA-256 hash chain for physical-control mutations. Forwarding to `https://audit.iamworkin.lan/api/v1/audit/signalcontrol` requires flipping the forwarding gate separately.
+
+Telemetry reads and `/metrics` scrapes are not audited.

apps/fc-signalcontrol/fc-signalcontrol.yaml

@@ -46,7 +46,7 @@ spec:
     spec:
       containers:
         - name: signalcontrol-web
-          image: localhost/fc-signalcontrol-web:latest
+          image: localhost/fc-signalcontrol-web:s50cx12-20260602-1d26c58
           imagePullPolicy: Never
           ports:
             - containerPort: 5000
@@ -65,6 +65,48 @@ spec:
                 secretKeyRef:
                   name: signalcontrol-auth
                   key: Auth__ApiKey
+            - name: Auth__AdminApiKey
+              valueFrom:
+                secretKeyRef:
+                  name: signalcontrol-auth
+                  key: Auth__AdminApiKey
+                  optional: true
+            - name: Auth__Enabled
+              value: "false"
+            - name: FlowerCore__Auth__Enabled
+              value: "false"
+            - name: FlowerCore__Auth__Oidc__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Authority
+              valueFrom:
+                secretKeyRef:
+                  name: signalcontrol-oidc-client
+                  key: issuer_url
+                  optional: true
+            - name: FlowerCore__Auth__Oidc__ClientId
+              valueFrom:
+                secretKeyRef:
+                  name: signalcontrol-oidc-client
+                  key: client_id
+                  optional: true
+            - name: FlowerCore__Auth__Oidc__ClientSecret
+              valueFrom:
+                secretKeyRef:
+                  name: signalcontrol-oidc-client
+                  key: client_secret
+                  optional: true
+            - name: TrafficSignal__RelayBridge__Enabled
+              value: "true"
+            - name: TrafficSignal__RelayBridge__BaseUrl
+              value: https://pirelay.iamworkin.lan
+            - name: TrafficSignal__RelayBridge__ApiKey
+              valueFrom:
+                secretKeyRef:
+                  name: signalcontrol-pirelay
+                  key: ApiKey
+                  optional: true
+            - name: LiveStatus__TrafficSignal__BaseAddress
+              value: https://signalcontrol.iamworkin.lan
           volumeMounts:
             - name: data
               mountPath: /data