feat(infra): prestage broader app exposure hardening

apps/fc-ttsreader/fc-ttsreader.yaml

@@ -97,6 +97,7 @@ spec:
       containers:
         - name: piper
           image: rhasspy/wyoming-piper:latest
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: PYTHONHTTPSVERIFY
               value: "0"
@@ -523,6 +524,8 @@ spec:
         app.kubernetes.io/name: ttsreader-web
         app.kubernetes.io/part-of: flowercore
       annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/scrape: "true"
         prometheus.io/port: "5217"
         prometheus.io/path: "/metrics"
@@ -762,3 +765,26 @@ spec:
           port: 5217
   tls:
     secretName: ttsreader-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose ttsreader-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: ttsreader-web-public
+#   namespace: fc-ttsreader
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`ttsreader.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: ttsreader-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: ttsreader-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).