diff --git a/gx10/platform/README.md b/gx10/platform/README.md
index 23503d4..13f6615 100644
--- a/gx10/platform/README.md
+++ b/gx10/platform/README.md
@@ -8,7 +8,7 @@ auto-deploy them there. Once ArgoCD is stood up on the GX10, a GX10-only ApplicationSet (`apps-gx10/*`) will own these. - `step-ca-acme.yaml` — cert-manager ClusterIssuer (ACME → noc1 step-ca, in-spec caBundle). APPLIED + Ready.
-- `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5) via the RKE2 HelmChart CRD, LoadBalancer VIP 10.0.57.202 (prod-pool; temp parallel-run VIP — canonical .200 reclaimed at cutover). APPLIED.
+- `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5) via the RKE2 HelmChart CRD, LoadBalancer VIP 10.0.57.202 (prod-pool; temp parallel-run VIP — canonical .200 reclaimed at cutover), with `externalTrafficPolicy: Local` so tenant IP allowlists see client source IP instead of the GX10 node hop. APPLIED.
 cert-manager v1.17.2 was installed separately (upstream static manifest). See `docs/ai-agents/gx10-migration-continuation-2026-06-14.md` + memory
diff --git a/gx10/platform/traefik-helmchart.yaml b/gx10/platform/traefik-helmchart.yaml
index ff36c1a..8b28b30 100644
--- a/gx10/platform/traefik-helmchart.yaml
+++ b/gx10/platform/traefik-helmchart.yaml
@@ -27,6 +27,8 @@ spec:
 enabled: true
 service:
 type: LoadBalancer
+ spec:
+ externalTrafficPolicy: Local
 annotations:
 metallb.io/loadBalancerIPs: "10.0.57.202"
 metallb.io/address-pool: "prod-pool"
diff --git a/tests/bluejay-infra-lint/FleetManifestLintTests.cs b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
index e2c83ff..264a5f6 100644
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
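Review bot: In `gx10/platform/traefik-helmchart.yaml`, the added `externalTrafficPolicy: Local` under `service.spec` carries a security dependency that the manifest itself does not record. The README in this commit says tenant IP allowlists rely on it, so a later change back to `Cluster` would make requests appear to come from a node address without any error. I would add a comment beside the line, for example `# Local preserves the client source IP that tenant IP allowlists match on; do not switch to Cluster without reworking them`. With `Local`, a node that has no ready Traefik pod drops traffic for the VIP, and the replica count and scheduling are not visible in this hunk, so confirm that the node announcing 10.0.57.202 always runs one. The values block starts and ends outside the hunk.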
@@ -249,6 +249,16 @@ public sealed class FleetManifestLintTests
 violations.Should().BeEmpty();
 }

+ [Fact]
+ public void Gx10TraefikLoadBalancer_MustPreserveClientSourceIp()
+ {
+ var path = Path.Combine(Inventory.BluejayRoot, "gx10", "platform", "traefik-helmchart.yaml");
+ var manifest = File.ReadAllText(path);
+
+ manifest.Should().Contain("metallb.io/loadBalancerIPs: \"10.0.57.202\"");
+ manifest.Should().Contain("spec:\n externalTrafficPolicy: Local");
+ }
+
 [Fact]
 public void ApiKeyProtectedDeployments_MustUseTcpSocketHealthProbes()
 {
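Review bot: The second assertion in `Gx10TraefikLoadBalancer_MustPreserveClientSourceIp` matches a literal `\n` followed by exact indentation, so it fails on a checkout with CRLF line endings even when the manifest is correct. Normalising first removes that: `var manifest = File.ReadAllText(path).Replace("\r\n", "\n");`. The first assertion pins 10.0.57.202, which the README in this commit describes as a temporary parallel-run VIP, so the test will also break at cutover for a reason unrelated to source-IP preservation; the VIP check would sit better in its own test. A substring match also cannot confirm that the `spec:` it finds is the one nested under `service`, so this guard for the allowlist behaviour is weaker than its name suggests. Parsing the YAML would close that gap, if the test project already has a parser (not visible here).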