diff --git a/apps/fc-desktop/fc-desktop.yaml b/apps/fc-desktop/fc-desktop.yaml
index 9773152..773469e 100644
--- a/apps/fc-desktop/fc-desktop.yaml
+++ b/apps/fc-desktop/fc-desktop.yaml
@@ -14,6 +14,20 @@
 # cluster-rebuild repeatability. See
 # feedback_networkpolicies_belong_in_bluejay_infra.md.
 ---
+# OIDC client secret for the RemoteDesktop end-user sign-in (fleet regroup L9,
+# 2026-06-12). The Authentik provider `remotedesktop` already exists; the 1P item
+# `remotedesktop-oidc-client` (vault IAmWorkin) carries issuer_url / client_id /
+# client_secret, and the 1Password operator mints the same-named K8s Secret that
+# k8s/web-deployment.yaml (FlowerCore.RemoteDesktop repo) consumes with
+# optional:true. Gate stays OFF (Q-RD-16) — this is flip-READINESS only.
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: remotedesktop-oidc-client
+  namespace: fc-desktop
+spec:
+  itemPath: "vaults/IAmWorkin/items/remotedesktop-oidc-client"
+---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata: