feat(auth): adopt oidc apps in gitops

apps/fc-distribution/fc-distribution.yaml

@@ -74,6 +74,14 @@ metadata:
 spec:
   itemPath: "vaults/IAmWorkin/items/FlowerCore Edition Signing Key - edition:aistation-field"
 ---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: distribution-oidc-client
+  namespace: fc-distribution
+spec:
+  itemPath: "vaults/IAmWorkin/items/distribution-oidc-client"
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -130,13 +138,11 @@ spec:
               value: "Production"
             - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
               value: "false"
-            # Authentik/OIDC enforcement (flipped ON 2026-06-04, no-live-proof per operator;
-            # public read/entitlement + Method() allowlist stay open — OIDC gates admin only).
-            # Auth__Enabled reverted to false 2026-06-04: enabling it gated the
-            # /healthz readiness probe (probe->302->NotReady->endpoints drop->down).
-            # Re-enable once /healthz is AllowAnonymous (falcon OIDC lane).
+            # Authentik/OIDC enforcement. Public read/entitlement + the
+            # dist.flowercore.io Method() allowlist stay open; OIDC gates the
+            # operator/admin surface while /healthz remains anonymous.
             - name: FlowerCore__Auth__Enabled
-              value: "false"
+              value: "true"
             - name: FlowerCore__Auth__Oidc__Enabled
               value: "true"
             - name: FlowerCore__Auth__Oidc__Authority