K8s gotcha sweep C7 — extend lint + cover Track A allowlist + scope Notes/k8s
Follow-up to 0b52093 (K8s manifest hardening) closing two real gaps the
prior sweep didn't catch:
1. Public read-write allowlist regression guard (Track A)
- New PublicReadWriteAllowlistHosts set tracks updatecenter.iamworkin.lan
+ updates.iamworkin.lan. The allowlist on those hosts is
GET||HEAD||POST||OPTIONS — POST is required for the bootstrap-JWT
check-in endpoint. PUT/PATCH/DELETE must still 404 at the route.
- New PublicReadWriteIngressRoutes_MustPinGetHeadPostOptionsAllowlist
test enforces the allowlist invariant (3 required methods present,
3 forbidden methods absent).
- Companion conftest.dev policy 08_public_readwrite_allowlist.rego.
2. Selenium NetworkPolicy DNAT backend port audit
- FlowerCore.Notes/k8s/selenium/06-networkpolicy.yaml allowed Traefik
VIP 10.0.56.200:443 + :80 but its 10.42.0.0/16 + 10.43.0.0/16 egress
rules didn't include the post-DNAT backend ports (8443 for Traefik
TLS, 8080 for HTTP). Per feedback_netpol_dnat_backend_port: kube-proxy
DNATs the destination to a backend pod IP+port BEFORE Calico
evaluates the FORWARD chain, so without those backend ports in the
pod CIDR rule, Selenium-driven browser AAT calls to
https://*.iamworkin.lan time out at connect.
- Lint inventory now includes FlowerCore.Notes/k8s/selenium/ so
regressions in this manifest fail fast.
Lint scope notes:
- FlowerCore.Notes/k8s/guacamole/ + monitoring/ are historical
scaffolds that have diverged from the live state (bluejay-infra/apps/
is canonical). Operator review is required before bringing them in
line OR decommissioning them — kept out of lint scope until that
decision lands (see xxl-regroup-2026-05-03-followup.md "Codex 7 §0").
README hardening:
- New "Public read-write allowlist hosts" entry under "Known gotchas"
documenting the GET||HEAD||POST||OPTIONS pattern + linking the lint.
Tests: 8/8 lint tests pass.
Companion fix in FlowerCore.Updater repo on branch
codex/k8s-gotcha-fleet-sweep-c7 (k8s/web-deployment.yaml: localhost/ image
needs imagePullPolicy: Never). The FlowerCore.Updater fix applies to a
deploy that's currently live but bites only on first scheduled-pod
landing on a fresh node — not a live production-impact regression.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
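The DNAT backend-port audit described under point 2, as an added Python example (not the bluejay-infra or FlowerCore lint itself): the Traefik VIP, pod CIDRs and VIP-to-backend port map are taken from the commit text, and `selenium_policy` is a constructed stand-in for `06-networkpolicy.yaml` with only the egress rules relevant here.

```python
import ipaddress

# Browser-visible Traefik VIP ports -> post-DNAT backend pod ports. kube-proxy
# rewrites the destination before Calico evaluates FORWARD, so the pod-CIDR
# egress rule must admit the backend port, not only the VIP port.
DNAT_BACKEND_PORTS = {443: 8443, 80: 8080}
TRAEFIK_VIP = ipaddress.ip_address("10.0.56.200")
POD_CIDRS = ("10.42.0.0/16", "10.43.0.0/16")


def _tcp_ports(rule):
    """TCP ports an egress rule admits; None means every port, which is the
    Kubernetes semantics when `ports` is omitted from the rule."""
    if "ports" not in rule:
        return None
    return {p["port"] for p in rule["ports"] if p.get("protocol", "TCP") == "TCP"}


def missing_backend_ports(policy):
    """Return sorted (pod_cidr, backend_port) pairs that the policy fails to
    allow for every VIP port it does allow. ipBlock.except is not evaluated."""
    vip_ports, cidr_rules = set(), {c: [] for c in POD_CIDRS}
    for rule in policy["spec"].get("egress", []):
        ports = _tcp_ports(rule)
        for peer in rule.get("to", []):
            cidr = peer.get("ipBlock", {}).get("cidr")
            if cidr is None:
                continue
            net = ipaddress.ip_network(cidr)
            if TRAEFIK_VIP in net:
                vip_ports |= set(DNAT_BACKEND_PORTS) if ports is None else ports
            for c in POD_CIDRS:  # a supernet such as 0.0.0.0/0 also covers a CIDR
                if ipaddress.ip_network(c).subnet_of(net):
                    cidr_rules[c].append(ports)
    missing = []
    for vip_port in vip_ports & set(DNAT_BACKEND_PORTS):
        backend = DNAT_BACKEND_PORTS[vip_port]
        for c, rules in cidr_rules.items():
            if not any(r is None or backend in r for r in rules):
                missing.append((c, backend))
    return sorted(missing)


def selenium_policy(pod_cidr_ports):
    """Constructed stand-in for 06-networkpolicy.yaml: VIP :443 and :80 egress
    plus one pod-CIDR egress rule admitting only `pod_cidr_ports`."""
    return {"kind": "NetworkPolicy", "spec": {"egress": [
        {"to": [{"ipBlock": {"cidr": "10.0.56.200/32"}}],
         "ports": [{"port": 443}, {"port": 80}]},
        {"to": [{"ipBlock": {"cidr": c}} for c in POD_CIDRS],
         "ports": [{"port": p} for p in pod_cidr_ports]},
    ]}}
```

`missing_backend_ports(selenium_policy([53]))` reports all four CIDR/port gaps the sweep found; adding 8443 and 8080 to the pod-CIDR rule makes it return an empty list.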
@@ -0,0 +1,35 @@
package bluejayinfra.public_readwrite_allowlist

# Public hosts that allow a tightly bounded write surface in addition to
# GET/HEAD. updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
# (bootstrap-JWT) so its allowlist is GET||HEAD||POST||OPTIONS — but
# PUT/PATCH/DELETE must still 404 at the route. Any host in this set MUST
# include all four required methods AND MUST NOT include any forbidden
# method.
public_readwrite_hosts := {"updatecenter.iamworkin.lan", "updates.iamworkin.lan"}

required_methods := {"GET", "HEAD", "POST", "OPTIONS"}

forbidden_methods := {"PUT", "PATCH", "DELETE"}

deny[msg] {
input.kind == "IngressRoute"
route := input.spec.routes[_]
match := object.get(route, "match", "")
host := public_readwrite_hosts[_]
contains(match, sprintf("Host(`%s`)", [host]))
required := required_methods[_]
not contains(match, sprintf("Method(`%s`)", [required]))
msg := sprintf("IngressRoute %s/%s is missing required Method(%s) for public read-write host %s", [input.metadata.namespace, input.metadata.name, required, host])
}

deny[msg] {
input.kind == "IngressRoute"
route := input.spec.routes[_]
match := object.get(route, "match", "")
host := public_readwrite_hosts[_]
contains(match, sprintf("Host(`%s`)", [host]))
forbidden := forbidden_methods[_]
contains(match, sprintf("Method(`%s`)", [forbidden]))
msg := sprintf("IngressRoute %s/%s must not include Method(%s) on public read-write host %s", [input.metadata.namespace, input.metadata.name, forbidden, host])
}
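Review bot: both `deny` rules reference `input.metadata.namespace` directly inside `sprintf`, so an IngressRoute manifest with no `metadata.namespace` (namespace supplied at apply time) makes `msg` undefined and the rule silently produces no denial, which defeats the regression guard exactly where it matters; `match` already goes through `object.get`, so do the same here, e.g. `object.get(input.metadata, "namespace", "<no-namespace>")`. Secondary: the host and method checks are plain substring tests on the match string, so `!Method(`DELETE`)` is reported as a forbidden method and any spelling other than one literal `Method(`X`)` per method counts as missing; if the intent is to pin the exact `GET||HEAD||POST||OPTIONS` text, say so in the file comment so a future refactor of the route string does not read the denial as a false positive. Also, the file comment says "all four required methods" while the commit message describes the companion test as checking "3 required methods present"; reconcile one of the two.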