feat(infra): route dns preflight through flowercore dns

apps/fc-llm-bridge/README.md

@@ -8,10 +8,10 @@ ADR: ADR-088 in [`../../../FlowerCore.Notes/ARCHITECTURE.md`](../../../FlowerCor
 
 ## Deployment order (do NOT skip / reorder)
 
-### 1. pfSense Unbound DNS override — REQUIRED FIRST
+### 1. FlowerCore.DNS preflight — REQUIRED FIRST
 
-`fc-llm-bridge.iamworkin.lan` is not currently in pfSense Unbound. Verified
-with `python bluejay-infra/scripts/check-pfsense-dns.py` at staging time.
+`fc-llm-bridge.iamworkin.lan` must keep resolving to `10.0.56.200` through
+FlowerCore.DNS before this manifest is applied.
 
 step-ca (the ACME CA on noc1) uses pfSense Unbound (10.0.56.1), **not**
 cluster CoreDNS. If you apply this manifest before adding the DNS override,
@@ -19,29 +19,28 @@ cert-manager's HTTP-01 challenge silently fails for ~2h (exponential backoff)
 until someone manually runs `kubectl -n fc-llm-bridge delete order <order>`
 to bust the cache. See memory `feedback_pfsense_dns_required_for_acme.md`.
 
-From `FlowerCore.Notes`:
+Verify the record through the public preflight API:
 
 ```bash
-# 1. Edit HOSTS list in scripts/pfsense-add-dns-overrides.py, append:
-#    ("fc-llm-bridge", "10.0.56.200", "cert-manager HTTP-01 target (Traefik VIP)"),
-# 2. Source creds + run:
-source scripts/credential-helper.sh
-export PFSENSE_PASS=$(get_cred "pfSense Admin")
-python scripts/pfsense-add-dns-overrides.py
+curl -sk "https://dns.iamworkin.lan/api/v1/zones/iamworkin.lan/resolve-preflight?hostname=fc-llm-bridge.iamworkin.lan"
+# Expect: "resolvable": true
 ```
 
 Verify:
 
 ```bash
-nslookup fc-llm-bridge.iamworkin.lan 10.0.56.1
-# Expect: Address: 10.0.56.200
+python scripts/check-pfsense-dns.py
+# Historical filename retained; implementation now calls FlowerCore.DNS
+# resolve-preflight instead of raw resolver lookups.
 ```
 
-Or run the full pre-merge gate from `bluejay-infra`:
+If the record is missing, recreate it through FlowerCore.DNS before pushing:
 
 ```bash
-python scripts/check-pfsense-dns.py
-# Expect: OK   fc-llm-bridge.iamworkin.lan                   -> 10.0.56.200
+curl -sk https://dns.iamworkin.lan/api/v1/servers
+curl -sk -X POST https://dns.iamworkin.lan/api/v1/servers/<serverId>/zones/iamworkin.lan/records \
+  -H "Content-Type: application/json" \
+  -d '{"name":"fc-llm-bridge","type":"A","data":"10.0.56.200","ttl":300}'
 ```
 
 ### 2. Create the `FC LLM Bridge API Keys` 1Password item
@@ -154,8 +153,9 @@ bridge (the design doc describes this split as the preferred approach).
 
 ## Current state at staging time (2026-04-23)
 
-- `fc-llm-bridge.iamworkin.lan` — NOT in pfSense Unbound (verified via
-  `nslookup fc-llm-bridge.iamworkin.lan 10.0.56.1`: NXDOMAIN).
+- `fc-llm-bridge.iamworkin.lan` — public FlowerCore.DNS preflight is now
+  green and resolves to `10.0.56.200`; keep `python scripts/check-pfsense-dns.py`
+  green before push.
 - `FC LLM Bridge API Keys` — NOT created in 1Password (user action).
 - `Claude API Key` — already exists in `IAmWorkin` vault
   (`e5tth3y5mp3lhdavg35pxadzca`), also consumed by AiStation and Chat.Web.