feat(infra): prestage broader app exposure hardening

Merged on local lint plus live noc1 Prometheus /api/v1/rules proof.

.gitattributes

@@ -0,0 +1,4 @@
+/.gitattributes text eol=lf
+*.yaml text eol=lf
+*.yml text eol=lf
+*.sh text eol=lf

README.md

@@ -116,6 +116,16 @@ dotnet test tests/bluejay-infra-lint/BluejayInfraLint.Tests.csproj -c Release
 
 That test project sweeps `bluejay-infra/apps/**` plus the canonical sibling `FlowerCore.*\\k8s` manifests that share the same workspace. Matching `conftest.dev` policy files live under `tests/bluejay-infra-lint/conftest.dev/` for environments that also have `conftest` or `opa`.
 
+## Non-K8s Pi Artifacts
+
+Some `apps/*` directories are deployment artifact bundles consumed by Puppet
+instead of Kubernetes workloads. `apps/fc-signage-pi-player/` carries the
+Chromium signage Pi player, `apps/fc-divoom-dm-pi-device/` carries the additive
+edge2 Divoom-as-DeviceManagement-device profile/Hiera contract, and
+`apps/fc-divoom-tv-pi/` carries the Divoom TV Pi HDMI systemd/Puppet shape.
+These bundles intentionally avoid Deployment, IngressRoute, Certificate, and
+OnePasswordItem resources.
+
 ## References
 
 - OpenVox noc1 durability runbook: `docs/runbooks/openvoxserver-quadlet-durability.md`

apps/fc-aistation/fc-aistation.yaml

@@ -0,0 +1,195 @@
+# FlowerCore.AiStation.Web GitOps adoption manifest.
+#
+# Authored from the already-live fc-aistation resources on 2026-06-04.
+# Keep the live image tag, Service ClusterIP, and PVC volumeName unchanged so
+# ArgoCD adopts in place instead of replacing the workload or data volume.
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: aistation-web-data
+  namespace: fc-aistation
+  labels:
+    app.kubernetes.io/name: aistation-web
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-aistation
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+  volumeMode: Filesystem
+  volumeName: pvc-27448d6f-6e66-42a7-a293-73dd8bbd6b3e
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: aistation-web
+  namespace: fc-aistation
+  labels:
+    app.kubernetes.io/name: aistation-web
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-aistation
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: aistation-web
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
+        prometheus.io/path: /metrics/prometheus
+        prometheus.io/port: "5000"
+        prometheus.io/scrape: "true"
+      labels:
+        app.kubernetes.io/name: aistation-web
+        app.kubernetes.io/part-of: flowercore
+    spec:
+      containers:
+        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
+        - envFrom:
+            - configMapRef:
+                name: aistation-web-config
+          image: localhost/fc-aistation-web:v20260602-aistation-owned-deploy-fix2
+          imagePullPolicy: Never
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: 5000
+              scheme: HTTP
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            successThreshold: 1
+            timeoutSeconds: 5
+          name: aistation-web
+          ports:
+            - containerPort: 5000
+              name: http
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 6
+            httpGet:
+              path: /healthz
+              port: 5000
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /data
+              name: data
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: aistation-web-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: aistation-web
+  namespace: fc-aistation
+  labels:
+    app.kubernetes.io/name: aistation-web
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-aistation
+spec:
+  clusterIP: 10.43.211.127
+  clusterIPs:
+    - 10.43.211.127
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+    - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 5000
+  selector:
+    app.kubernetes.io/name: aistation-web
+  sessionAffinity: None
+  type: ClusterIP
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: aistation-web-tls
+  namespace: fc-aistation
+  labels:
+    app.kubernetes.io/name: aistation-web-tls
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-aistation
+spec:
+  dnsNames:
+    - aistation.iamworkin.lan
+  issuerRef:
+    kind: ClusterIssuer
+    name: step-ca-acme
+  secretName: aistation-web-tls
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: aistation-web
+  namespace: fc-aistation
+  labels:
+    app.kubernetes.io/name: aistation-web
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-aistation
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`aistation.iamworkin.lan`)
+      services:
+        - name: aistation-web
+          port: 80
+  tls:
+    secretName: aistation-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose aistation-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: aistation-web-public
+#   namespace: fc-aistation
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`aistation.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: aistation-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: aistation-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-chat/fc-chat.yaml

@@ -1,5 +1,209 @@
-# FlowerCore Chat — TLS + Ingress
-# Deployment and Service managed by deploy script (not ArgoCD)
+# FlowerCore Chat
+#
+# ArgoCD-managed workload plus TLS/Ingress. The chat-web-secret remains an
+# out-of-band Secret until the values are moved into a 1Password-backed item;
+# the Deployment references it as optional so GitOps can own the workload
+# without storing secret material in this repo.
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: fc-chat
+  labels:
+    app.kubernetes.io/part-of: flowercore
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: chat-web-config
+  namespace: fc-chat
+  labels:
+    app.kubernetes.io/name: chat-web
+    app.kubernetes.io/part-of: flowercore
+data:
+  ASPNETCORE_ENVIRONMENT: Production
+  ASPNETCORE_URLS: "http://+:8080"
+  ASPNETCORE_FORWARDEDHEADERS_ENABLED: "true"
+  FlowerCore__Auth__Enabled: "false"
+  FlowerCore__Auth__Oidc__Enabled: "true"
+  FlowerCore__Auth__Oidc__Authority: "https://id.iamworkin.lan/application/o/chat/"
+  FlowerCore__Auth__Oidc__Audience: "chat"
+  FlowerCore__Auth__Oidc__ClientId: "chat"
+  FlowerCore__Database__ConnectionStrings__Sqlite: "Data Source=/data/chat.db"
+  # Ollama target. Switched 2026-04-25 from edge1 Pi5 (10.0.57.17) to BLUEJAY-WS
+  # workstation (10.0.56.20, RX 9070 XT 16GB, OLLAMA_HOST=0.0.0.0:11434, Vulkan
+  # backend per feedback_rdna4_vulkan_broken). The Pi5 was timing out every team-
+  # round speaker at the 300s per-turn cap (live-proven 2026-04-25 03:53 UTC,
+  # see feedback_chat_team_round_edge1_too_slow). Workstation has gemma3:4b for
+  # the Cheap tier, plus gemma3:27b/phi4:14b/qwen3:14b for Default/Balanced/Deep.
+  # Piper TTS stays on edge1 below (different service, Pi handles TTS fine).
+  FlowerCore__AI__OllamaBaseUrl: "http://10.0.56.20:11434"
+  FlowerCore__AI__DefaultModelName: "phi4:14b"
+  ChatOptions__BehaviorRuleEngine__OllamaBaseUrl: "http://10.0.56.20:11434"
+  ChatOptions__BehaviorRuleEngine__FallbackOllamaBaseUrl: "http://10.0.57.17:11434"
+  ChatOptions__BehaviorRuleEngine__ModelName: "gemma3:12b"
+  FlowerCore__AI__Memory__UseSharedIndexingAdapter: "true"
+  FlowerCore__AI__Memory__UseOllamaEmbeddings: "true"
+  FlowerCore__AI__Memory__EmbeddingModel: "nomic-embed-text"
+  FlowerCore__AI__Memory__EnableSharedIndexingBackfill: "true"
+  FlowerCore__AI__Memory__SharedIndexingDatabasePath: "/data/chat-memory-index.db"
+  FlowerCore__AI__Skills__Library__LibraryApiUrl: "http://library-web.fc-library.svc.cluster.local"
+  FlowerCore__AI__Skills__Retail__RetailApiUrl: "http://retail-web.fc-retail.svc.cluster.local"
+  FlowerCore__AI__Skills__Intranet__IntranetBaseUrl: "http://intranet-web.intranet.svc.cluster.local"
+  FlowerCore__AI__Skills__Print__PrintMcpBaseUrl: "http://10.0.57.16:5200"
+  FlowerCore__AI__IrcBridge__Enabled: "true"
+  FlowerCore__AI__IrcBridge__DefaultProfileSlug: "it-helpdesk"
+  FlowerCore__AI__IrcBridge__MentionProfileSlug: "it-helpdesk"
+  FlowerCore__AI__IrcBridge__MentionReactiveMode: "mentions-only"
+  FlowerCore__AI__IrcBridge__AllowActionExecution: "false"
+  FlowerCore__AI__Voice__Piper__Host: "10.0.57.17"
+  FlowerCore__AI__Voice__Piper__Port: "10400"
+  FlowerCore__AI__Voice__OutputRoot: "/data/audio"
+  FlowerCore__AI__Voice__RetentionDays: "30"
+  # LLM provider abstraction (ADR-088). Anthropic stays disabled here -- when
+  # an operator wants to enable Claude, they flip Enabled=true and mount
+  # FlowerCore__Anthropic__ApiKey from the onepassword-synced Secret (see
+  # docs/ai-agents/anthropic-integration.md).
+  FlowerCore__Anthropic__Enabled: "false"
+  FlowerCore__Anthropic__BaseUrl: "https://api.anthropic.com"
+  FlowerCore__Anthropic__DefaultModel: "claude-sonnet-4-6"
+  FlowerCore__Anthropic__CheapModel: "claude-haiku-4-5-20251001"
+  FlowerCore__Anthropic__DeepModel: "claude-opus-4-7"
+  FlowerCore__Budget__ResponseCacheEnabled: "true"
+  OTEL_SERVICE_NAME: FlowerCore.Chat
+  OTEL_EXPORTER_OTLP_ENDPOINT: "http://otel-collector.monitoring.svc.cluster.local:4317"
+  OTEL_EXPORTER_OTLP_PROTOCOL: grpc
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: chat-web-data
+  namespace: fc-chat
+  labels:
+    app.kubernetes.io/name: chat-web
+    app.kubernetes.io/part-of: flowercore
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: chat-web
+  namespace: fc-chat
+  labels:
+    app.kubernetes.io/name: chat-web
+    app.kubernetes.io/part-of: flowercore
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: chat-web
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: chat-web
+        app.kubernetes.io/part-of: flowercore
+      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "8080"
+        prometheus.io/path: "/metrics/prometheus"
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: rke2-server
+      securityContext:
+        fsGroup: 1654
+        fsGroupChangePolicy: OnRootMismatch
+      containers:
+        - name: chat-web
+          image: localhost/fc-chat-web:v20260603-oidc-authentik
+          imagePullPolicy: Never
+          ports:
+            - name: http
+              containerPort: 8080
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
+          envFrom:
+            - configMapRef:
+                name: chat-web-config
+            - secretRef:
+                name: chat-web-secret
+                optional: true
+          env:
+            - name: FlowerCore__Auth__Oidc__Authority
+              valueFrom:
+                secretKeyRef:
+                  name: chat-oidc-client
+                  key: issuer_url
+                  optional: true
+            - name: FlowerCore__Auth__Oidc__ClientId
+              valueFrom:
+                secretKeyRef:
+                  name: chat-oidc-client
+                  key: client_id
+                  optional: true
+            - name: FlowerCore__Auth__Oidc__ClientSecret
+              valueFrom:
+                secretKeyRef:
+                  name: chat-oidc-client
+                  key: client_secret
+                  optional: true
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 3
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: chat-web-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: chat-web
+  namespace: fc-chat
+  labels:
+    app.kubernetes.io/name: chat-web
+    app.kubernetes.io/part-of: flowercore
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: chat-web
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+      protocol: TCP
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate

apps/fc-desktop/fc-desktop.yaml

@@ -51,3 +51,26 @@ spec:
           port: 8080
   tls:
     secretName: remotedesktop-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose remotedesktop-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: remotedesktop-web-public
+#   namespace: fc-desktop
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`desktop.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: remotedesktop-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: remotedesktop-web
+#           port: 8080
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-devicemgmt/deployment-web.yaml

@@ -52,6 +52,8 @@ spec:
         flowercore.io/tenant-id: system
         flowercore.io/created-by: bluejay-infra
       annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics"
@@ -67,6 +69,7 @@ spec:
           ports:
             - name: http
               containerPort: 8080
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: ASPNETCORE_URLS
               value: "http://+:8080"

apps/fc-distribution/fc-distribution.yaml

@@ -74,6 +74,14 @@ metadata:
 spec:
   itemPath: "vaults/IAmWorkin/items/FlowerCore Edition Signing Key - edition:aistation-field"
 ---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: distribution-oidc-client
+  namespace: fc-distribution
+spec:
+  itemPath: "vaults/IAmWorkin/items/distribution-oidc-client"
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -101,6 +109,7 @@ spec:
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       # Synology NFS export `/volume1/kubernetes` ACL only allows rke2-server
       # (10.0.56.11) right now. Until the ACL is widened in DSM (admin only),
@@ -118,7 +127,7 @@ spec:
           #   dotnet.exe publish -c Release -o deploy/app \
           #     src/FlowerCore.Distribution.Web/FlowerCore.Distribution.Web.csproj
           #   podman build -t localhost/fc-distribution:v<tag> -f deploy/Dockerfile.deploy deploy
-          image: localhost/fc-distribution:v202605061948
+          image: localhost/fc-distribution:v20260604-oidc-root-anon
           imagePullPolicy: Never
           ports:
             - containerPort: 8080
@@ -130,6 +139,25 @@ spec:
               value: "Production"
             - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
               value: "false"
+            # Authentik/OIDC enforcement. Public read/entitlement + the
+            # dist.flowercore.io Method() allowlist stay open; OIDC gates the
+            # operator/admin surface while /healthz remains anonymous.
+            - name: FlowerCore__Auth__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Authority
+              value: "https://id.iamworkin.lan/application/o/distribution/"
+            - name: FlowerCore__Auth__Oidc__Audience
+              value: "distribution"
+            - name: FlowerCore__Auth__Oidc__ClientId
+              value: "distribution"
+            - name: FlowerCore__Auth__Oidc__ClientSecret
+              valueFrom:
+                secretKeyRef:
+                  name: distribution-oidc-client
+                  key: client_secret
+                  optional: true
             # SQLite connection (catalog + data-protection keys via FlowerCoreDbContext).
             # Read by Data/DatabaseProviderExtensions.cs in precedence order; Sqlite key wins.
             - name: FlowerCore__Database__Provider

apps/fc-divoom-dm-pi-device/README.md

@@ -0,0 +1,45 @@
+# FlowerCore Divoom DM Pi Device
+
+Source-controlled Puppet/Hiera deployment contract for registering the edge2
+Divoom MiniToo panel as a FlowerCore DeviceManagement-managed Pi device.
+
+This is not a Kubernetes application. The live panel remains the existing
+edge2 `flowercore-divoom.service` managed by `FlowerCore.Puppet`
+`profile::pi::service::divoom`, with the .NET payload deployed out of band
+and `/opt/flowercore/divoom/data` plus the Bluetooth shell wrappers preserved.
+Because edge2 is already Hiera-driven through `profile::pi::service::apps`,
+the deploy home is additive `profile::pi::service` data/profile source, not
+`profile::edge::service::apps` and not an ArgoCD/K8s app.
+
+## Scope
+
+- Stage DeviceManagement registration metadata for the edge2 Divoom MiniToo.
+- Stage a separate, disabled-by-default DM Agent executor unit for privileged
+  Bluetooth operations once the DM-RPC lane lands.
+- Keep `flowercore-divoom.service` and `flowercore-divoom-bt.service`
+  untouched: no service replacement, no restart subscription, no K8s surface.
+- Preserve the current wrapper contract:
+  `/opt/flowercore/divoom/bt-link.sh`,
+  `/opt/flowercore/divoom/bt-reset.sh`, and
+  `/opt/flowercore/divoom/audio-link.sh`.
+- Keep FM radio disabled and require visible render proof; device-info echo is
+  not render proof.
+
+## Artifact Map
+
+| Path | Use |
+| --- | --- |
+| `hiera/edge2-divoom-dm-device.overlay.yaml` | Additive Hiera overlay for edge2. Merge into the existing node YAML without removing `fc-pimanager` or `fc-divoom`. |
+| `puppet/profile/pi/service/divoom_dm_device.pp` | Puppet profile shape to vendor into `FlowerCore.Puppet` after the DM-RPC executor binary exists. |
+| `puppet/templates/divoom-device-registration.json.epp` | DM device registration metadata rendered on edge2. |
+| `puppet/templates/flowercore-divoom-dm-agent.service.epp` | Separate DM Agent systemd unit. Defaults are stopped and disabled until a later cutover. |
+
+## Rollout Notes
+
+1. Land these artifacts in bluejay-infra as the deploy contract.
+2. Vendor the Puppet profile and EPP templates into `FlowerCore.Puppet`.
+3. Merge the Hiera overlay into `data/nodes/edge2.iamworkin.lan.yaml`.
+4. Run Puppet in noop first, preferably with a node-local validation directory
+   under `~/.fcv` rather than `/tmp`.
+5. Only enable the DM Agent service after the DeviceManagement BT executor has
+   landed and passed operator-eyeball render proof.

apps/fc-divoom-dm-pi-device/hiera/edge2-divoom-dm-device.overlay.yaml

@@ -0,0 +1,32 @@
+---
+# Merge into FlowerCore.Puppet data/nodes/edge2.iamworkin.lan.yaml.
+# Additive overlay only: keep the existing fc-pimanager version/tarball entry,
+# keep fc-divoom enabled, and do not move Divoom into Kubernetes.
+
+profile::pi::service::apps:
+  fc-pimanager:
+    binary: 'FlowerCore.PiManager.Web'
+    install_dir: '/opt/fc-pimanager'
+    port: 5000
+    environment: 'edge2'
+    version: '2026.05.28.1646'
+    tarball_source: 'puppet:///modules/profile/pi/builds/fc-pimanager.tar.gz'
+  fc-divoom:
+    enabled: true
+
+profile::pi::service::divoom_dm_device::ensure: 'present'
+profile::pi::service::divoom_dm_device::service_enabled: false
+profile::pi::service::divoom_dm_device::service_ensure: 'stopped'
+profile::pi::service::divoom_dm_device::device_id: 'edge2-divoom-minitoo'
+profile::pi::service::divoom_dm_device::display_name: 'edge2 Divoom MiniToo'
+profile::pi::service::divoom_dm_device::host_fqdn: 'edge2.iamworkin.lan'
+profile::pi::service::divoom_dm_device::dm_web_url: 'https://devicemgmt.iamworkin.lan'
+profile::pi::service::divoom_dm_device::divoom_install_dir: '/opt/flowercore/divoom'
+profile::pi::service::divoom_dm_device::agent_install_dir: '/opt/flowercore/devicemanagement-agent'
+profile::pi::service::divoom_dm_device::bt_candidate_channels:
+  - '1'
+  - '10'
+profile::pi::service::divoom_dm_device::default_bt_channel: '1'
+profile::pi::service::divoom_dm_device::a2dp_default_state: 'off'
+profile::pi::service::divoom_dm_device::fm_radio_enabled: false
+profile::pi::service::divoom_dm_device::visible_render_proof_required: true

apps/fc-divoom-dm-pi-device/puppet/profile/pi/service/divoom_dm_device.pp

@@ -0,0 +1,140 @@
+# Drop into FlowerCore.Puppet site-modules/profile/manifests/pi/service/divoom_dm_device.pp.
+# This profile is additive to profile::pi::service::divoom. It must not manage,
+# restart, replace, or subscribe the existing flowercore-divoom.service.
+class profile::pi::service::divoom_dm_device (
+  Enum['present', 'absent'] $ensure = 'present',
+  Boolean $service_enabled = false,
+  Enum['running', 'stopped'] $service_ensure = 'stopped',
+  String $service_name = 'flowercore-divoom-dm-agent',
+  String $device_id = 'edge2-divoom-minitoo',
+  String $display_name = 'edge2 Divoom MiniToo',
+  String $host_fqdn = 'edge2.iamworkin.lan',
+  String $dm_web_url = 'https://devicemgmt.iamworkin.lan',
+  String $divoom_install_dir = '/opt/flowercore/divoom',
+  String $agent_install_dir = '/opt/flowercore/devicemanagement-agent',
+  String $agent_binary = 'FlowerCore.DeviceManagement.Agent',
+  Array[String] $bt_candidate_channels = ['1', '10'],
+  String $default_bt_channel = '1',
+  Enum['on', 'off'] $a2dp_default_state = 'off',
+  Boolean $fm_radio_enabled = false,
+  Boolean $visible_render_proof_required = true,
+) {
+  include profile::workstation::safe_account_exclusion
+
+  $safe_account = $profile::workstation::safe_account_exclusion::safe_account
+  $config_dir = '/etc/flowercore/device-management/devices'
+  $state_dir = '/var/lib/flowercore/divoom-dm-agent'
+  $log_dir = '/var/log/flowercore/divoom-dm-agent'
+  $registration_path = "${config_dir}/${device_id}.json"
+  $agent_binary_path = "${agent_install_dir}/${agent_binary}"
+  $bt_channels_json = inline_template('[<%= @bt_candidate_channels.map { |c| "\"#{c}\"" }.join(", ") %>]')
+
+  if $safe_account {
+    notify { 'fc-divoom-dm-device safe-account exclusion':
+      message => 'SAFE-ACCOUNT-EXCLUSION: Divoom DM Pi device profile refused to apply on operator workstation',
+    }
+
+    if $facts['os']['family'] != 'windows' {
+      ensure_resource('file', '/var/log/flowercore-audit', {
+          'ensure' => 'directory',
+          'owner'  => 'root',
+          'group'  => 'root',
+          'mode'   => '0755',
+      })
+
+      file { '/var/log/flowercore-audit/safe-account-noop-fc-divoom-dm-device.log':
+        ensure  => file,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0644',
+        content => "noop: divoom dm pi device profile refused to apply on safe-account host\n",
+        require => File['/var/log/flowercore-audit'],
+      }
+    }
+  } elsif $ensure == 'absent' {
+    service { $service_name:
+      ensure => stopped,
+      enable => false,
+    }
+
+    file { [
+        "/etc/systemd/system/${service_name}.service",
+        $registration_path,
+      ]:
+      ensure => absent,
+    }
+
+    exec { 'fc-divoom-dm-agent-systemd-reload':
+      command     => '/usr/bin/systemctl daemon-reload',
+      refreshonly => true,
+      path        => ['/usr/bin', '/bin'],
+    }
+  } else {
+    case $facts['os']['family'] {
+      'Debian': {}
+      default: { fail("profile::pi::service::divoom_dm_device only supports Debian-family OS, got ${facts['os']['family']}") }
+    }
+
+    file { [$config_dir, $state_dir, $log_dir]:
+      ensure => directory,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0755',
+    }
+
+    file { $registration_path:
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => epp('profile/pi/fc_divoom_dm/divoom-device-registration.json.epp', {
+        'device_id'                     => $device_id,
+        'display_name'                  => $display_name,
+        'host_fqdn'                     => $host_fqdn,
+        'divoom_install_dir'            => $divoom_install_dir,
+        'bt_channels_json'              => $bt_channels_json,
+        'default_bt_channel'            => $default_bt_channel,
+        'a2dp_default_state'            => $a2dp_default_state,
+        'fm_radio_enabled'              => $fm_radio_enabled,
+        'visible_render_proof_required' => $visible_render_proof_required,
+      }),
+      require => File[$config_dir],
+    }
+
+    file { "/etc/systemd/system/${service_name}.service":
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => epp('profile/pi/fc_divoom_dm/flowercore-divoom-dm-agent.service.epp', {
+        'service_name'       => $service_name,
+        'device_id'          => $device_id,
+        'dm_web_url'         => $dm_web_url,
+        'registration_path'  => $registration_path,
+        'divoom_install_dir' => $divoom_install_dir,
+        'agent_install_dir'  => $agent_install_dir,
+        'agent_binary_path'  => $agent_binary_path,
+        'state_dir'          => $state_dir,
+        'log_dir'            => $log_dir,
+      }),
+      notify  => Exec['fc-divoom-dm-agent-systemd-reload'],
+      require => File[$registration_path],
+    }
+
+    exec { 'fc-divoom-dm-agent-systemd-reload':
+      command     => '/usr/bin/systemctl daemon-reload',
+      refreshonly => true,
+      path        => ['/usr/bin', '/bin'],
+    }
+
+    service { $service_name:
+      ensure  => $service_ensure,
+      enable  => $service_enabled,
+      require => [
+        File["/etc/systemd/system/${service_name}.service"],
+        File[$registration_path],
+        Exec['fc-divoom-dm-agent-systemd-reload'],
+      ],
+    }
+  }
+}

apps/fc-divoom-dm-pi-device/puppet/templates/divoom-device-registration.json.epp

@@ -0,0 +1,34 @@
+{
+  "deviceId": "<%= $device_id %>",
+  "displayName": "<%= $display_name %>",
+  "hostFqdn": "<%= $host_fqdn %>",
+  "kind": "DivoomMiniToo",
+  "managedBy": "FlowerCore.DeviceManagement",
+  "executionMode": "Pi",
+  "transport": {
+    "kind": "BluetoothSerial",
+    "candidateChannels": <%= $bt_channels_json %>,
+    "defaultChannel": "<%= $default_bt_channel %>",
+    "deviceInfoIsRenderProof": false,
+    "visibleRenderProofRequired": <%= $visible_render_proof_required %>
+  },
+  "paths": {
+    "divoomInstallDir": "<%= $divoom_install_dir %>",
+    "btLink": "<%= $divoom_install_dir %>/bt-link.sh",
+    "btReset": "<%= $divoom_install_dir %>/bt-reset.sh",
+    "audioLink": "<%= $divoom_install_dir %>/audio-link.sh"
+  },
+  "capabilities": {
+    "supportsBluetoothSerial": true,
+    "supportsBtChannelRedetect": true,
+    "supportsBtHardReset": true,
+    "supportsBtAudioProfileSwitch": true,
+    "a2dpDefaultState": "<%= $a2dp_default_state %>",
+    "fmRadioEnabled": <%= $fm_radio_enabled %>
+  },
+  "safety": {
+    "preserveExistingService": "flowercore-divoom.service",
+    "preserveDataDirectory": "<%= $divoom_install_dir %>/data",
+    "doNotEnableFmRadio": true
+  }
+}

apps/fc-divoom-dm-pi-device/puppet/templates/flowercore-divoom-dm-agent.service.epp

@@ -0,0 +1,36 @@
+[Unit]
+Description=FlowerCore Divoom DM Agent Bluetooth executor
+Documentation=https://github.com/astoltz/FlowerCore.Notes/blob/master/docs/standards/divoom-tv-hdmi-multitarget-render-substrate.md
+Wants=network-online.target
+After=network-online.target bluetooth.service
+Requires=bluetooth.service
+ConditionPathExists=<%= $agent_binary_path %>
+ConditionPathExists=<%= $registration_path %>
+ConditionPathExists=<%= $divoom_install_dir %>/bt-link.sh
+ConditionPathExists=<%= $divoom_install_dir %>/bt-reset.sh
+ConditionPathExists=<%= $divoom_install_dir %>/audio-link.sh
+
+[Service]
+Type=simple
+User=stoltz
+Group=stoltz
+WorkingDirectory=<%= $agent_install_dir %>
+Environment=DOTNET_CLI_TELEMETRY_OPTOUT=1
+Environment=FLOWERCORE_DM_DEVICE_REGISTRATION=<%= $registration_path %>
+Environment=Divoom__Bluetooth__DeviceInfoIsRenderProof=false
+Environment=Divoom__Bluetooth__VisibleRenderProofRequired=true
+Environment=Divoom__Bluetooth__A2dpDefaultState=off
+ExecStart=<%= $agent_binary_path %> --mode=Pi --device-id=<%= $device_id %> --dm-web-url=<%= $dm_web_url %> --registration=<%= $registration_path %>
+Restart=on-failure
+RestartSec=10s
+StartLimitBurst=3
+StartLimitIntervalSec=300s
+SupplementaryGroups=bluetooth audio dialout
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=<%= $state_dir %> <%= $log_dir %>
+
+[Install]
+WantedBy=multi-user.target

apps/fc-divoom-tv-pi/README.md

@@ -0,0 +1,44 @@
+# FlowerCore Divoom TV Pi HDMI
+
+Source-controlled deploy shape for the native `FlowerCore.Divoom.Tv`
+Avalonia HDMI renderer on a Raspberry Pi connected to a TV.
+
+This is a Puppet/systemd appliance bundle, not a Kubernetes application. It
+mirrors the existing `fc-signage-pi-player` pattern: bluejay-infra carries the
+systemd units, scripts, Hiera shape, and Puppet profile source that
+`FlowerCore.Puppet` vendors and installs.
+
+## Scope
+
+- Launch the future `FlowerCore.Divoom.Tv` linux-arm64 self-contained payload
+  from `/opt/flowercore/divoom-tv/FlowerCore.Divoom.Tv`.
+- Prefer `cage` as the Wayland fullscreen compositor, with direct app launch as
+  a fallback for development images.
+- Restart the app after HDMI hotplug with a 2 second DRM settle delay.
+- Keep all runtime state local: `/var/lib/fc-divoom-tv` and
+  `/var/log/fc-divoom-tv`.
+- Avoid CDN/runtime fetches; the app renders the in-house Divoom scene catalog
+  locally.
+
+## Artifact Map
+
+| Path | Use |
+| --- | --- |
+| `systemd/flowercore-divoom-tv.service` | Fullscreen Avalonia HDMI app service. |
+| `systemd/flowercore-divoom-tv-hdmi.service` | HDMI hotplug responder service. |
+| `systemd/99-flowercore-divoom-tv-hdmi.rules` | DRM udev hotplug rule. |
+| `scripts/flowercore-divoom-tv-prelaunch.sh` | Preflight checks and local directory creation. |
+| `scripts/flowercore-divoom-tv-launch.sh` | Cage-first fullscreen launcher. |
+| `scripts/flowercore-divoom-tv-hdmi-respond.sh` | Hotplug settle and restart script. |
+| `puppet/profile/pi/service/divoom_tv.pp` | Puppet profile shape to vendor into `FlowerCore.Puppet`. |
+| `hiera/example-divoom-tv-pi.iamworkin.lan.yaml` | Example node Hiera for a Divoom TV Pi. |
+
+## Rollout Notes
+
+1. Build `FlowerCore.Divoom.Tv` with `dotnet.exe publish -c Release -r linux-arm64 --self-contained`.
+2. Stage the payload to `/opt/flowercore/divoom-tv/` through the standard noc1
+   jump path and avoid `/tmp` for unprivileged Pi scratch.
+3. Vendor the profile and static files into `FlowerCore.Puppet`.
+4. Run Puppet noop, then apply on the target Pi.
+5. Prove deployment with `systemctl is-active flowercore-divoom-tv.service`,
+   journal lines showing frames presented, and a visible HDMI display check.

apps/fc-divoom-tv-pi/hiera/example-divoom-tv-pi.iamworkin.lan.yaml

@@ -0,0 +1,19 @@
+---
+# Example node data for a dedicated Pi -> HDMI -> TV Divoom renderer.
+# Copy into FlowerCore.Puppet data/nodes/<hostname>.iamworkin.lan.yaml only
+# after the Pi has a static DHCP/DNS entry and the linux-arm64 payload exists.
+
+facts:
+  role: pi_prototype
+
+profile::motd::role: 'Divoom TV HDMI Renderer'
+
+profile::pi::service::divoom_tv::ensure: 'present'
+profile::pi::service::divoom_tv::service_enabled: true
+profile::pi::service::divoom_tv::service_ensure: 'running'
+profile::pi::service::divoom_tv::install_dir: '/opt/flowercore/divoom-tv'
+profile::pi::service::divoom_tv::state_dir: '/var/lib/fc-divoom-tv'
+profile::pi::service::divoom_tv::log_dir: '/var/log/fc-divoom-tv'
+profile::pi::service::divoom_tv::presentation_mode: 'PillarboxSquare'
+profile::pi::service::divoom_tv::startup_scene: 'bluejay-clock'
+profile::pi::service::divoom_tv::reduced_motion: false

apps/fc-divoom-tv-pi/puppet/profile/pi/service/divoom_tv.pp

@@ -0,0 +1,149 @@
+# Drop into FlowerCore.Puppet site-modules/profile/manifests/pi/service/divoom_tv.pp.
+# Static files come from profile/pi/fc_divoom_tv/ after this bluejay-infra
+# bundle is vendored into the Puppet control repo.
+class profile::pi::service::divoom_tv (
+  Enum['present', 'absent'] $ensure = 'present',
+  Boolean $service_enabled = false,
+  Enum['running', 'stopped'] $service_ensure = 'stopped',
+  String $service_name = 'flowercore-divoom-tv',
+  String $user = 'fc-divoom-tv',
+  String $group = 'fc-divoom-tv',
+  String $install_dir = '/opt/flowercore/divoom-tv',
+  String $state_dir = '/var/lib/fc-divoom-tv',
+  String $log_dir = '/var/log/fc-divoom-tv',
+  String $presentation_mode = 'PillarboxSquare',
+  String $startup_scene = 'bluejay-clock',
+  Boolean $reduced_motion = false,
+) {
+  include profile::workstation::safe_account_exclusion
+
+  $safe_account = $profile::workstation::safe_account_exclusion::safe_account
+
+  if $safe_account {
+    notify { 'fc-divoom-tv safe-account exclusion':
+      message => 'SAFE-ACCOUNT-EXCLUSION: Divoom TV Pi profile refused to apply on operator workstation',
+    }
+  } elsif $ensure == 'absent' {
+    service { $service_name:
+      ensure => stopped,
+      enable => false,
+    }
+
+    file { [
+        "/etc/systemd/system/${service_name}.service",
+        "/etc/systemd/system/${service_name}-hdmi.service",
+        '/etc/udev/rules.d/99-flowercore-divoom-tv-hdmi.rules',
+        '/usr/local/bin/flowercore-divoom-tv-prelaunch.sh',
+        '/usr/local/bin/flowercore-divoom-tv-launch.sh',
+        '/usr/local/bin/flowercore-divoom-tv-hdmi-respond.sh',
+        '/etc/flowercore/divoom-tv.env',
+      ]:
+      ensure => absent,
+    }
+  } else {
+    case $facts['os']['family'] {
+      'Debian': {}
+      default: { fail("profile::pi::service::divoom_tv only supports Debian-family OS, got ${facts['os']['family']}") }
+    }
+
+    package { ['cage', 'libgbm1', 'libdrm2', 'libxkbcommon0', 'fonts-dejavu-core']:
+      ensure => installed,
+    }
+
+    group { $group:
+      ensure => present,
+      system => true,
+    }
+
+    user { $user:
+      ensure     => present,
+      system     => true,
+      gid        => $group,
+      home       => $state_dir,
+      managehome => false,
+      shell      => '/usr/sbin/nologin',
+      require    => Group[$group],
+    }
+
+    file { [$install_dir, $state_dir, $log_dir, '/etc/flowercore']:
+      ensure => directory,
+      owner  => $user,
+      group  => $group,
+      mode   => '0755',
+    }
+
+    file { '/etc/flowercore/divoom-tv.env':
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => "FC_DIVOOM_TV_PRESENTATION_MODE=${presentation_mode}\nFC_DIVOOM_TV_START_SCENE=${startup_scene}\nFC_DIVOOM_TV_REDUCED_MOTION=${reduced_motion}\n",
+      require => File['/etc/flowercore'],
+    }
+
+    $script_map = {
+      '/usr/local/bin/flowercore-divoom-tv-prelaunch.sh'    => 'profile/pi/fc_divoom_tv/flowercore-divoom-tv-prelaunch.sh',
+      '/usr/local/bin/flowercore-divoom-tv-launch.sh'       => 'profile/pi/fc_divoom_tv/flowercore-divoom-tv-launch.sh',
+      '/usr/local/bin/flowercore-divoom-tv-hdmi-respond.sh' => 'profile/pi/fc_divoom_tv/flowercore-divoom-tv-hdmi-respond.sh',
+    }
+
+    $script_map.each |$dest, $src| {
+      file { $dest:
+        ensure => file,
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0755',
+        source => "puppet:///modules/${src}",
+      }
+    }
+
+    $unit_map = {
+      "/etc/systemd/system/${service_name}.service"      => 'profile/pi/fc_divoom_tv/flowercore-divoom-tv.service',
+      "/etc/systemd/system/${service_name}-hdmi.service" => 'profile/pi/fc_divoom_tv/flowercore-divoom-tv-hdmi.service',
+    }
+
+    $unit_map.each |$dest, $src| {
+      file { $dest:
+        ensure => file,
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0644',
+        source => "puppet:///modules/${src}",
+        notify => Exec['fc-divoom-tv-systemd-reload'],
+      }
+    }
+
+    file { '/etc/udev/rules.d/99-flowercore-divoom-tv-hdmi.rules':
+      ensure => file,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0644',
+      source => 'puppet:///modules/profile/pi/fc_divoom_tv/99-flowercore-divoom-tv-hdmi.rules',
+      notify => Exec['fc-divoom-tv-udev-reload'],
+    }
+
+    exec { 'fc-divoom-tv-systemd-reload':
+      command     => '/usr/bin/systemctl daemon-reload',
+      refreshonly => true,
+      path        => ['/usr/bin', '/bin'],
+    }
+
+    exec { 'fc-divoom-tv-udev-reload':
+      command     => '/usr/bin/udevadm control --reload-rules',
+      refreshonly => true,
+      path        => ['/usr/bin', '/bin'],
+    }
+
+    service { $service_name:
+      ensure  => $service_ensure,
+      enable  => $service_enabled,
+      require => [
+        File["/etc/systemd/system/${service_name}.service"],
+        File['/etc/flowercore/divoom-tv.env'],
+        File['/usr/local/bin/flowercore-divoom-tv-prelaunch.sh'],
+        File['/usr/local/bin/flowercore-divoom-tv-launch.sh'],
+        Exec['fc-divoom-tv-systemd-reload'],
+      ],
+    }
+  }
+}

apps/fc-divoom-tv-pi/scripts/flowercore-divoom-tv-hdmi-respond.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+sleep 2
+systemctl restart flowercore-divoom-tv.service

apps/fc-divoom-tv-pi/scripts/flowercore-divoom-tv-launch.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+APP_BIN="${FC_DIVOOM_TV_BIN:-/opt/flowercore/divoom-tv/FlowerCore.Divoom.Tv}"
+STATE_DIR="${FC_DIVOOM_TV_STATE_DIR:-/var/lib/fc-divoom-tv}"
+LOG_DIR="${FC_DIVOOM_TV_LOG_DIR:-/var/log/fc-divoom-tv}"
+PRESENTATION_MODE="${FC_DIVOOM_TV_PRESENTATION_MODE:-PillarboxSquare}"
+START_SCENE="${FC_DIVOOM_TV_START_SCENE:-bluejay-clock}"
+REDUCED_MOTION="${FC_DIVOOM_TV_REDUCED_MOTION:-false}"
+
+COMMON_ARGS=(
+  "--target=hdmi"
+  "--presentation-mode=${PRESENTATION_MODE}"
+  "--startup-scene=${START_SCENE}"
+  "--reduced-motion=${REDUCED_MOTION}"
+  "--state-dir=${STATE_DIR}"
+  "--log-dir=${LOG_DIR}"
+)
+
+if command -v cage >/dev/null 2>&1; then
+  exec cage -- "${APP_BIN}" "${COMMON_ARGS[@]}" "$@"
+fi
+
+echo "[$(date -Is)] cage not found; launching FlowerCore.Divoom.Tv directly" >&2
+exec "${APP_BIN}" "${COMMON_ARGS[@]}" "$@"

apps/fc-divoom-tv-pi/scripts/flowercore-divoom-tv-prelaunch.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+APP_BIN="${FC_DIVOOM_TV_BIN:-/opt/flowercore/divoom-tv/FlowerCore.Divoom.Tv}"
+STATE_DIR="${FC_DIVOOM_TV_STATE_DIR:-/var/lib/fc-divoom-tv}"
+LOG_DIR="${FC_DIVOOM_TV_LOG_DIR:-/var/log/fc-divoom-tv}"
+
+mkdir -p "${STATE_DIR}" "${LOG_DIR}"
+
+if [[ ! -x "${APP_BIN}" ]]; then
+  echo "[$(date -Is)] missing executable ${APP_BIN}" >&2
+  exit 1
+fi
+
+if [[ -d /sys/class/drm ]] && ! find /sys/class/drm -maxdepth 1 -name 'card*-HDMI-A-*' -print -quit | grep -q .; then
+  echo "[$(date -Is)] no HDMI connector visible yet; continuing so the app can wait for display" >&2
+fi
+
+if command -v cage >/dev/null 2>&1; then
+  echo "[$(date -Is)] cage available for fullscreen Wayland launch"
+else
+  echo "[$(date -Is)] cage not installed; direct launch fallback will be used" >&2
+fi

apps/fc-divoom-tv-pi/systemd/99-flowercore-divoom-tv-hdmi.rules

@@ -0,0 +1,2 @@
+# Settle DRM for 2s before restarting the fullscreen Avalonia renderer.
+SUBSYSTEM=="drm", KERNEL=="card?-HDMI-A-?", ACTION=="change", RUN+="/usr/bin/systemctl start flowercore-divoom-tv-hdmi.service"

apps/fc-divoom-tv-pi/systemd/flowercore-divoom-tv-hdmi.service

@@ -0,0 +1,7 @@
+[Unit]
+Description=FlowerCore Divoom TV HDMI hotplug responder
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/flowercore-divoom-tv-hdmi-respond.sh

apps/fc-divoom-tv-pi/systemd/flowercore-divoom-tv.service

@@ -0,0 +1,40 @@
+[Unit]
+Description=FlowerCore Divoom TV HDMI Renderer (Avalonia fullscreen)
+Documentation=https://github.com/astoltz/FlowerCore.Notes/blob/master/docs/standards/divoom-tv-hdmi-multitarget-render-substrate.md
+Wants=network-online.target
+After=network-online.target systemd-user-sessions.service
+ConditionPathExists=/opt/flowercore/divoom-tv/FlowerCore.Divoom.Tv
+
+[Service]
+Type=simple
+User=fc-divoom-tv
+Group=fc-divoom-tv
+WorkingDirectory=/opt/flowercore/divoom-tv
+EnvironmentFile=-/etc/flowercore/divoom-tv.env
+Environment=DOTNET_CLI_TELEMETRY_OPTOUT=1
+Environment=XDG_RUNTIME_DIR=/run/fc-divoom-tv
+RuntimeDirectory=fc-divoom-tv
+RuntimeDirectoryMode=0700
+ExecStartPre=/usr/local/bin/flowercore-divoom-tv-prelaunch.sh
+ExecStart=/usr/local/bin/flowercore-divoom-tv-launch.sh
+Restart=always
+RestartSec=10s
+StartLimitBurst=5
+StartLimitIntervalSec=300s
+MemoryMax=2G
+MemoryHigh=1500M
+PrivateTmp=true
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/fc-divoom-tv /var/log/fc-divoom-tv /run/fc-divoom-tv
+TTYPath=/dev/tty1
+StandardInput=tty
+StandardOutput=journal
+StandardError=journal
+TTYReset=yes
+TTYVHangup=yes
+TTYVTDisallocate=yes
+
+[Install]
+WantedBy=graphical.target

apps/fc-dms/fc-dms.yaml

@@ -30,3 +30,26 @@ spec:
           port: 80
   tls:
     secretName: dms-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose dms-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: dms-web-public
+#   namespace: fc-dms
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`dms.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: dms-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: dms-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-dns/fc-dns.yaml

@@ -0,0 +1,481 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: fc-dns
+  labels:
+    app.kubernetes.io/part-of: flowercore
+---
+# 1Password-backed Secret for the pfSense admin password.
+# The operator watches this CRD, resolves the vault item, and produces a
+# K8s Secret of the same name with each 1P field as a key. The `password`
+# field of the "pfSense Admin" item becomes Secret key `password`.
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: pfsense-admin
+  namespace: fc-dns
+spec:
+  itemPath: "vaults/IAmWorkin/items/pfSense Admin"
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: dns-oidc-client
+  namespace: fc-dns
+spec:
+  itemPath: "vaults/IAmWorkin/items/dns-oidc-client"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: dns-web-data
+  namespace: fc-dns
+spec:
+  accessModes: [ReadWriteOnce]
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dns-web-config
+  namespace: fc-dns
+data:
+  appsettings.Production.json: |
+    {
+        "FlowerCore": {
+        "Auth": {
+          "Enabled": true,
+          "Oidc": {
+            "Enabled": true,
+            "Audience": "dns",
+            "RequireHttpsMetadata": true
+          }
+        },
+        "Database": {
+          "Provider": "Sqlite",
+          "ConnectionStrings": {
+            "Sqlite": "Data Source=/data/dns.db"
+          }
+        },
+        "Tenant": {
+          "DefaultTenantId": "default",
+          "JwtClaimsEnabled": false,
+          "DefaultTenantHosts": [
+            "dns.iamworkin.lan"
+          ]
+        },
+        "Audit": {
+          "HashChain": {
+            "BridgeSensitivity": {
+              "Distribution": "Warn"
+            }
+          }
+        }
+      }
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dns-web
+  namespace: fc-dns
+  labels:
+    app.kubernetes.io/name: dns-web
+    app.kubernetes.io/managed-by: flowercore
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: dns-web
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: dns-web
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "5320"
+        prometheus.io/path: "/metrics/prometheus"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
+    spec:
+      serviceAccountName: dns-web
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1654
+        runAsGroup: 1654
+        fsGroup: 1654
+      containers:
+        - name: dns-web
+          image: localhost/fc-dns-web:v20260604-oidc-proper
+          imagePullPolicy: Never
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ALL]
+          ports:
+            - containerPort: 5320
+          env:
+            # pfSense admin password resolved by the 1Password operator.
+            # `FallbackPassword` is the Slice A seam exposed by
+            # OptionsFallbackPasswordResolver; Slice B will replace it with
+            # a pull-at-runtime 1P Connect resolver once Shared.Vault ships.
+            - name: FlowerCore__Dns__Providers__PfSenseUnbound__FallbackPassword
+              valueFrom:
+                secretKeyRef:
+                  name: pfsense-admin
+                  key: password
+            - name: FlowerCore__Auth__Oidc__Authority
+              valueFrom:
+                secretKeyRef:
+                  name: dns-oidc-client
+                  key: issuer_url
+                  optional: true
+            - name: FlowerCore__Auth__Oidc__ClientId
+              valueFrom:
+                secretKeyRef:
+                  name: dns-oidc-client
+                  key: client_id
+                  optional: true
+            - name: FlowerCore__Auth__Oidc__ClientSecret
+              valueFrom:
+                secretKeyRef:
+                  name: dns-oidc-client
+                  key: client_secret
+                  optional: true
+            - name: FlowerCore__Auth__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Audience
+              value: "dns"
+          volumeMounts:
+            - name: data
+              mountPath: /data
+            - name: tmp
+              mountPath: /tmp
+            - name: logs
+              mountPath: /app/logs
+            - name: config
+              mountPath: /app/appsettings.Production.json
+              subPath: appsettings.Production.json
+              readOnly: true
+          resources:
+            requests:
+              cpu: 50m
+              memory: 96Mi
+            limits:
+              cpu: 300m
+              memory: 384Mi
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 5320
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 5320
+            initialDelaySeconds: 20
+            periodSeconds: 30
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: dns-web-data
+        - name: tmp
+          emptyDir: {}
+        - name: logs
+          emptyDir: {}
+        - name: config
+          configMap:
+            name: dns-web-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dns-web
+  namespace: fc-dns
+spec:
+  selector:
+    app.kubernetes.io/name: dns-web
+  ports:
+    - port: 5320
+      targetPort: 5320
+  type: ClusterIP
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dns-web
+  namespace: fc-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dns-web
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces", "pods", "services", "secrets", "configmaps"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dns-web
+subjects:
+  - kind: ServiceAccount
+    name: dns-web
+    namespace: fc-dns
+roleRef:
+  kind: ClusterRole
+  name: dns-web
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dns-web-cert
+  namespace: fc-dns
+spec:
+  secretName: dns-web-tls
+  issuerRef:
+    name: step-ca-dns01
+    kind: ClusterIssuer
+  dnsNames:
+    - dns.iamworkin.lan
+  duration: 720h
+  renewBefore: 240h
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: dns-web
+  namespace: fc-dns
+spec:
+  entryPoints: [websecure]
+  routes:
+    - match: Host(`dns.iamworkin.lan`)
+      kind: Rule
+      services:
+        - name: dns-web
+          port: 5320
+  tls:
+    secretName: dns-web-tls
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dns-acme-webhook
+  namespace: fc-dns
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dns-acme-webhook
+  namespace: fc-dns
+  labels:
+    app.kubernetes.io/name: dns-acme-webhook
+    app.kubernetes.io/managed-by: flowercore
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: dns-acme-webhook
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: dns-acme-webhook
+    spec:
+      serviceAccountName: dns-acme-webhook
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1654
+        runAsGroup: 1654
+        fsGroup: 1654
+      containers:
+        - name: dns-acme-webhook
+          image: localhost/fc-dns-acme-webhook:v202604290845
+          imagePullPolicy: Never
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ALL]
+          ports:
+            - containerPort: 9443
+              name: https
+          env:
+            - name: ASPNETCORE_URLS
+              value: https://+:9443
+            - name: Kestrel__Certificates__Default__Path
+              value: /tls/tls.crt
+            - name: Kestrel__Certificates__Default__KeyPath
+              value: /tls/tls.key
+            - name: FlowerCore__Dns__AcmeWebhook__ServiceBaseUrl
+              value: http://dns-web:5320
+            - name: FlowerCore__Dns__AcmeWebhook__GroupName
+              value: acme.flowercore.io
+            - name: FlowerCore__Dns__AcmeWebhook__SolverName
+              value: flowercore-dns
+            - name: FlowerCore__Dns__AcmeWebhook__Version
+              value: v1alpha1
+          volumeMounts:
+            - name: tls
+              mountPath: /tls
+              readOnly: true
+            - name: tmp
+              mountPath: /tmp
+            - name: logs
+              mountPath: /app/logs
+          resources:
+            requests:
+              cpu: 25m
+              memory: 64Mi
+            limits:
+              cpu: 200m
+              memory: 256Mi
+          readinessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /readyz
+              port: https
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+          livenessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+            initialDelaySeconds: 10
+            periodSeconds: 20
+            timeoutSeconds: 5
+      volumes:
+        - name: tls
+          secret:
+            secretName: dns-acme-webhook-tls
+        - name: tmp
+          emptyDir: {}
+        - name: logs
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dns-acme-webhook
+  namespace: fc-dns
+spec:
+  selector:
+    app.kubernetes.io/name: dns-acme-webhook
+  ports:
+    - port: 443
+      targetPort: https
+      name: https
+  type: ClusterIP
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: dns-acme-webhook-selfsigned
+  namespace: fc-dns
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dns-acme-webhook-ca
+  namespace: fc-dns
+spec:
+  secretName: dns-acme-webhook-ca
+  duration: 43800h
+  issuerRef:
+    name: dns-acme-webhook-selfsigned
+  commonName: ca.dns-acme-webhook.fc-dns
+  isCA: true
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: dns-acme-webhook-ca-issuer
+  namespace: fc-dns
+spec:
+  ca:
+    secretName: dns-acme-webhook-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dns-acme-webhook-serving-cert
+  namespace: fc-dns
+spec:
+  secretName: dns-acme-webhook-tls
+  duration: 8760h
+  issuerRef:
+    name: dns-acme-webhook-ca-issuer
+  dnsNames:
+    - dns-acme-webhook
+    - dns-acme-webhook.fc-dns
+    - dns-acme-webhook.fc-dns.svc
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.acme.flowercore.io
+  annotations:
+    cert-manager.io/inject-ca-from: fc-dns/dns-acme-webhook-serving-cert
+spec:
+  group: acme.flowercore.io
+  groupPriorityMinimum: 1000
+  service:
+    name: dns-acme-webhook
+    namespace: fc-dns
+  version: v1alpha1
+  versionPriority: 15
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dns-acme-webhook-solver
+rules:
+  - apiGroups: ["acme.flowercore.io"]
+    resources: ["flowercore-dns"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dns-acme-webhook-solver
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager
+    namespace: cert-manager
+roleRef:
+  kind: ClusterRole
+  name: dns-acme-webhook-solver
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: step-ca-dns01
+spec:
+  acme:
+    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lSQVBZMzU3RzZvdzZ6TUFMNSs0YlMya2t3Q2dZSUtvWkl6ajBFQXdJd1FERWEKTUJnR0ExVUVDaE1SU1VGdFYyOXlhMmx1SUVGRFRVVWdRMEV4SWpBZ0JnTlZCQU1UR1VsQmJWZHZjbXRwYmlCQgpRMDFGSUVOQklGSnZiM1FnUTBFd0hoY05Nall3TXpBNE1UZ3dOekV4V2hjTk16WXdNekExTVRnd056RXhXakJBCk1Sb3dHQVlEVlFRS0V4RkpRVzFYYjNKcmFXNGdRVU5OUlNCRFFURWlNQ0FHQTFVRUF4TVpTVUZ0VjI5eWEybHUKSUVGRFRVVWdRMEVnVW05dmRDQkRRVEJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCSjJuMDRYMQpKWm81WmRxL2kxSWR2OCtmcXdaeUF6Qmg3d2hicWowU1dzSkw4VVdSYWJDTXFZQ3M3K2RYTzB4UlN6cWt3RkRMCngrdm9vT2FpOFJnUk5oYWpSVEJETUE0R0ExVWREd0VCL3dRRUF3SUJCakFTQmdOVkhSTUJBZjhFQ0RBR0FRSC8KQWdFQk1CMEdBMVVkRGdRV0JCUm51UFBRUjZpTS9INnZPbHVpVTNTeWdheXo4akFLQmdncWhrak9QUVFEQWdOSQpBREJGQWlFQXJRSzlkWVBHbUFac2RZbmp6aXVGVlZFNU5LWlVjY2VZdkdmR0MrdExYVXNDSUF1ZEYyekpyQ1JxCjNtSzUwWlpFVC9md1RrSndpRUY0ODI0bWpQOHAxQ0tNCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+    privateKeySecretRef:
+      name: step-ca-dns01-account-key
+    server: https://10.0.56.10:9443/acme/acme/directory
+    solvers:
+      - dns01:
+          webhook:
+            groupName: acme.flowercore.io
+            solverName: flowercore-dns

apps/fc-dns/kustomization.yaml

@@ -0,0 +1,6 @@
+# ArgoCD's bluejay-infra ApplicationSet discovers apps/* directories on main.
+# The kustomization is included for local previews and single-app validation.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - fc-dns.yaml

apps/fc-library/fc-library.yaml

@@ -0,0 +1,195 @@
+# FlowerCore.Library.Web GitOps adoption manifest.
+#
+# Authored from the already-live fc-library resources on 2026-06-04.
+# Keep the live image tag, Service ClusterIP, and PVC volumeName unchanged so
+# ArgoCD adopts in place instead of replacing the workload or data volume.
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: library-web-data
+  namespace: fc-library
+  labels:
+    app.kubernetes.io/name: library-web
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-library
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+  volumeMode: Filesystem
+  volumeName: pvc-2690bae2-4ee0-417a-b95f-50ec5c632b63
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: library-web
+  namespace: fc-library
+  labels:
+    app.kubernetes.io/name: library-web
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-library
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: library-web
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/health"
+        prometheus.io/path: /metrics/prometheus
+        prometheus.io/port: "5000"
+        prometheus.io/scrape: "true"
+      labels:
+        app.kubernetes.io/name: library-web
+        app.kubernetes.io/part-of: flowercore
+    spec:
+      containers:
+        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
+        - envFrom:
+            - configMapRef:
+                name: library-web-config
+          image: localhost/fc-library-web:v20260602-library-owned-deploy-fix1
+          imagePullPolicy: Never
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /health
+              port: 5000
+              scheme: HTTP
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            successThreshold: 1
+            timeoutSeconds: 5
+          name: library-web
+          ports:
+            - containerPort: 5000
+              name: http
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 6
+            httpGet:
+              path: /health
+              port: 5000
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /data
+              name: data
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: library-web-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: library-web
+  namespace: fc-library
+  labels:
+    app.kubernetes.io/name: library-web
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-library
+spec:
+  clusterIP: 10.43.179.63
+  clusterIPs:
+    - 10.43.179.63
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+    - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 5000
+  selector:
+    app.kubernetes.io/name: library-web
+  sessionAffinity: None
+  type: ClusterIP
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: library-web-tls
+  namespace: fc-library
+  labels:
+    app.kubernetes.io/name: library-web-tls
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-library
+spec:
+  dnsNames:
+    - library.iamworkin.lan
+  issuerRef:
+    kind: ClusterIssuer
+    name: step-ca-acme
+  secretName: library-web-tls
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: library-web
+  namespace: fc-library
+  labels:
+    app.kubernetes.io/name: library-web
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-library
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`library.iamworkin.lan`)
+      services:
+        - name: library-web
+          port: 80
+  tls:
+    secretName: library-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose library-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: library-web-public
+#   namespace: fc-library
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`library.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: library-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: library-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-llm-bridge/fc-llm-bridge.yaml

@@ -83,6 +83,8 @@ spec:
         app.kubernetes.io/name: fc-llm-bridge
         app.kubernetes.io/part-of: flowercore
       annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics"
@@ -116,6 +118,7 @@ spec:
           ports:
             - containerPort: 8080
               name: http
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: ASPNETCORE_URLS
               value: "http://+:8080"
@@ -281,3 +284,26 @@ spec:
           port: 8080
   tls:
     secretName: fc-llm-bridge-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose fc-llm-bridge publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: fc-llm-bridge-public
+#   namespace: fc-llm-bridge
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`llm-bridge.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: fc-llm-bridge-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: fc-llm-bridge
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-media/fc-media.yaml

@@ -0,0 +1,296 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: fc-media
+  labels:
+    app.kubernetes.io/name: fc-media
+    app.kubernetes.io/part-of: flowercore
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: media-oidc-client
+  namespace: fc-media
+  labels:
+    app.kubernetes.io/name: fc-media-web
+    app.kubernetes.io/part-of: flowercore
+spec:
+  itemPath: "vaults/IAmWorkin/items/media-oidc-client"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fc-media-config
+  namespace: fc-media
+  labels:
+    app.kubernetes.io/name: fc-media-web
+    app.kubernetes.io/part-of: flowercore
+data:
+  appsettings.Production.json: |
+    {
+      "DatabaseProvider": "Sqlite",
+      "ConnectionStrings": {
+        "Sqlite": "Data Source=/data/media.db"
+      },
+      "FlowerCore": {
+        "Auth": {
+          "Enabled": true,
+          "Oidc": {
+            "Authority": "https://id.iamworkin.lan/application/o/media/",
+            "ClientId": "media",
+            "ClientSecret": "",
+            "Audience": "media",
+            "RequireHttpsMetadata": true
+          }
+        },
+        "Tenant": {
+          "JwtClaimsEnabled": false,
+          "DefaultTenantHosts": [ "media.iamworkin.lan" ]
+        }
+      },
+      "Media": {
+        "LibraryRoot": "/media/library",
+        "Sources": [
+          {
+            "Name": "BlueJayNAS Video",
+            "Driver": "Nfs",
+            "MountedPath": "/media/library",
+            "RemotePath": "nfs://10.0.58.3/volume1/video",
+            "IsEnabled": true,
+            "IsDefault": true,
+            "Notes": "Synology NFS media share mounted read-only inside the cluster."
+          }
+        ],
+        "GeneratedRoot": "/data/generated",
+        "TranscodeRoot": "/data/transcodes",
+        "InboxPath": "/media/inbox",
+        "InboxScanIntervalMinutes": 5,
+        "ScanOnStartup": false,
+        "ComputeChecksums": false,
+        "FfmpegCommand": "ffmpeg",
+        "FfprobeCommand": "ffprobe",
+        "Hls": {
+          "MaxConcurrentJobs": 1
+        },
+        "DefaultViewerName": "BlueJay",
+        "Dlna": {
+          "IsEnabled": true,
+          "MulticastAddress": "239.255.255.250",
+          "Port": 1900,
+          "DiscoveryTimeoutSeconds": 2,
+          "DescriptionFetchTimeoutSeconds": 2,
+          "MaxResponsesPerSearchTarget": 32,
+          "SearchTargets": [
+            "urn:schemas-upnp-org:device:MediaRenderer:1",
+            "urn:schemas-upnp-org:device:MediaServer:1"
+          ]
+        }
+      }
+    }
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: fc-media-data
+  namespace: fc-media
+  labels:
+    app.kubernetes.io/name: fc-media-web
+    app.kubernetes.io/part-of: flowercore
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi
+  storageClassName: longhorn
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fc-media-web
+  namespace: fc-media
+  labels:
+    app: fc-media-web
+    app.kubernetes.io/name: fc-media-web
+    app.kubernetes.io/part-of: flowercore
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: fc-media-web
+  template:
+    metadata:
+      labels:
+        app: fc-media-web
+        app.kubernetes.io/name: fc-media-web
+        app.kubernetes.io/part-of: flowercore
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "5200"
+        prometheus.io/path: "/metrics"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: rke2-server
+      containers:
+        - name: fc-media-web
+          image: localhost/fc-media-web:v20260604-oidc-proper
+          imagePullPolicy: Never
+          ports:
+            - containerPort: 5200
+              name: http
+          env:
+            - name: ASPNETCORE_ENVIRONMENT
+              value: Production
+            - name: ASPNETCORE_URLS
+              value: http://+:5200
+            - name: FlowerCore__Auth__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Audience
+              value: "media"
+            - name: FlowerCore__Auth__Oidc__ClientId
+              valueFrom:
+                secretKeyRef:
+                  name: media-oidc-client
+                  key: client_id
+                  optional: true
+            - name: FlowerCore__Auth__Oidc__ClientSecret
+              valueFrom:
+                secretKeyRef:
+                  name: media-oidc-client
+                  key: client_secret
+                  optional: true
+            - name: FlowerCore__Auth__Oidc__Authority
+              valueFrom:
+                secretKeyRef:
+                  name: media-oidc-client
+                  key: issuer_url
+                  optional: true
+          resources:
+            requests:
+              cpu: 500m
+              memory: 1Gi
+            limits:
+              cpu: "4"
+              memory: 4Gi
+          volumeMounts:
+            - name: config
+              mountPath: /app/appsettings.Production.json
+              subPath: appsettings.Production.json
+              readOnly: true
+            - name: data
+              mountPath: /data
+            - name: transcodes
+              mountPath: /data/transcodes
+            - name: media-library
+              mountPath: /media/library
+              readOnly: true
+            - name: media-inbox
+              mountPath: /media/inbox
+          startupProbe:
+            httpGet:
+              path: /healthz
+              port: 5200
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
+            failureThreshold: 18
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 5200
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 5200
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
+            initialDelaySeconds: 30
+            periodSeconds: 30
+      volumes:
+        - name: config
+          configMap:
+            name: fc-media-config
+        - name: data
+          persistentVolumeClaim:
+            claimName: fc-media-data
+        - name: transcodes
+          nfs:
+            server: 10.0.58.3
+            path: /volume1/kubernetes/fc-media-transcodes
+        - name: media-inbox
+          nfs:
+            server: 10.0.58.3
+            path: /volume1/kubernetes/fc-media-inbox
+        - name: media-library
+          nfs:
+            server: 10.0.58.3
+            path: /volume1/video
+            readOnly: true
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: fc-media-web
+  namespace: fc-media
+  labels:
+    app: fc-media-web
+    app.kubernetes.io/name: fc-media-web
+    app.kubernetes.io/part-of: flowercore
+spec:
+  type: ClusterIP
+  selector:
+    app: fc-media-web
+  ports:
+    - port: 5200
+      targetPort: 5200
+      protocol: TCP
+      name: http
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: fc-media-tls
+  namespace: fc-media
+  labels:
+    app.kubernetes.io/name: fc-media-web
+    app.kubernetes.io/part-of: flowercore
+spec:
+  secretName: fc-media-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - media.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: fc-media-web
+  namespace: fc-media
+  labels:
+    app.kubernetes.io/name: fc-media-web
+    app.kubernetes.io/part-of: flowercore
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`media.iamworkin.lan`)
+      kind: Rule
+      services:
+        - name: fc-media-web
+          port: 5200
+  tls:
+    secretName: fc-media-tls

apps/fc-media/kustomization.yaml

@@ -0,0 +1,6 @@
+# ArgoCD's bluejay-infra ApplicationSet discovers apps/* directories on main.
+# The kustomization is included for local previews and single-app validation.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - fc-media.yaml

apps/fc-menuboard/fc-menuboard.yaml

@@ -30,3 +30,26 @@ spec:
           port: 80
   tls:
     secretName: menuboard-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose menuboard-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: menuboard-web-public
+#   namespace: fc-menuboard
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`menuboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: menuboard-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: menuboard-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-messageboard/fc-messageboard.yaml

@@ -41,6 +41,8 @@ spec:
       labels:
         app: messageboard-web
       annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics/prometheus"
@@ -52,6 +54,7 @@ spec:
           ports:
             - containerPort: 8080
               name: http
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           envFrom:
             - configMapRef:
                 name: messageboard-web-config
@@ -141,3 +144,26 @@ spec:
           port: 80
   tls:
     secretName: messageboard-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose messageboard-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: messageboard-web-public
+#   namespace: fc-messageboard
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`messageboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: messageboard-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: messageboard-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-mysql/fc-mysql.yaml

@@ -30,3 +30,26 @@ spec:
           port: 5300
   tls:
     secretName: mysql-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose mysql-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: mysql-web-public
+#   namespace: fc-mysql
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`mysql.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: mysql-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: mysql-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-php/fc-php.yaml

@@ -30,3 +30,26 @@ spec:
           port: 5400
   tls:
     secretName: php-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose php-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: php-web-public
+#   namespace: fc-php
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`php.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: php-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: php-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-presentations/fc-presentations.yaml

@@ -30,3 +30,26 @@ spec:
           port: 80
   tls:
     secretName: presentations-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose presentations-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: presentations-web-public
+#   namespace: fc-presentations
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`presentations.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: presentations-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: presentations-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-retail/fc-retail.yaml

@@ -0,0 +1,196 @@
+# FlowerCore.Retail.Web GitOps adoption manifest.
+#
+# Authored from the already-live fc-retail resources on 2026-06-04.
+# Keep the live image tag, Service ClusterIP, and PVC volumeName unchanged so
+# ArgoCD adopts in place instead of replacing the workload or data volume.
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: retail-web-data
+  namespace: fc-retail
+  labels:
+    app.kubernetes.io/name: retail-web
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-retail
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+  volumeMode: Filesystem
+  volumeName: pvc-3d40b336-eab4-41b3-812c-d5e9413ce0ab
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: retail-web
+  namespace: fc-retail
+  labels:
+    app.kubernetes.io/name: retail-web
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-retail
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: retail-web
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
+        kubectl.kubernetes.io/restartedAt: "2026-06-02T01:34:08-05:00"
+        prometheus.io/path: /metrics/prometheus
+        prometheus.io/port: "5000"
+        prometheus.io/scrape: "true"
+      labels:
+        app.kubernetes.io/name: retail-web
+        app.kubernetes.io/part-of: flowercore
+    spec:
+      containers:
+        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
+        - envFrom:
+            - configMapRef:
+                name: retail-web-config
+          image: localhost/fc-retail-web:v20260602-retail-owned-deploy-fix5
+          imagePullPolicy: Never
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /health
+              port: 5000
+              scheme: HTTP
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            successThreshold: 1
+            timeoutSeconds: 5
+          name: retail-web
+          ports:
+            - containerPort: 5000
+              name: http
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 6
+            httpGet:
+              path: /health
+              port: 5000
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /data
+              name: data
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: retail-web-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: retail-web
+  namespace: fc-retail
+  labels:
+    app.kubernetes.io/name: retail-web
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-retail
+spec:
+  clusterIP: 10.43.239.8
+  clusterIPs:
+    - 10.43.239.8
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+    - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 5000
+  selector:
+    app.kubernetes.io/name: retail-web
+  sessionAffinity: None
+  type: ClusterIP
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: retail-web-tls
+  namespace: fc-retail
+  labels:
+    app.kubernetes.io/name: retail-web-tls
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-retail
+spec:
+  dnsNames:
+    - retail.iamworkin.lan
+  issuerRef:
+    kind: ClusterIssuer
+    name: step-ca-acme
+  secretName: retail-web-tls
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: retail-web
+  namespace: fc-retail
+  labels:
+    app.kubernetes.io/name: retail-web
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    argocd.argoproj.io/instance: infra-fc-retail
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`retail.iamworkin.lan`)
+      services:
+        - name: retail-web
+          port: 80
+  tls:
+    secretName: retail-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose retail-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: retail-web-public
+#   namespace: fc-retail
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`retail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: retail-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: retail-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-scoreboard/fc-scoreboard.yaml

@@ -30,3 +30,26 @@ spec:
           port: 80
   tls:
     secretName: scoreboard-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose scoreboard-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: scoreboard-web-public
+#   namespace: fc-scoreboard
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`scoreboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: scoreboard-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: scoreboard-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-segmentdisplay/fc-segmentdisplay.yaml

@@ -37,3 +37,26 @@ spec:
           port: 80
   tls:
     secretName: segmentdisplay-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose segmentdisplay-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: segmentdisplay-web-public
+#   namespace: fc-segmentdisplay
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`segmentdisplay.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: segmentdisplay-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: segmentdisplay-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-signage/fc-signage.yaml

@@ -46,3 +46,26 @@ spec:
       services:
         - name: signage-web
           port: 5190
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose signage-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: signage-web-public
+#   namespace: fc-signage
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`signage.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: signage-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: signage-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-ttsreader/fc-ttsreader.yaml

@@ -97,6 +97,7 @@ spec:
       containers:
         - name: piper
           image: rhasspy/wyoming-piper:latest
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: PYTHONHTTPSVERIFY
               value: "0"
@@ -523,6 +524,8 @@ spec:
         app.kubernetes.io/name: ttsreader-web
         app.kubernetes.io/part-of: flowercore
       annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/scrape: "true"
         prometheus.io/port: "5217"
         prometheus.io/path: "/metrics"
@@ -532,7 +535,7 @@ spec:
         fsGroupChangePolicy: OnRootMismatch
       containers:
         - name: web
-          image: localhost/fc-ttsreader-web:v20260518-sprint36-demo-finish-b132cbf
+          image: localhost/fc-ttsreader-web:v20260603-s54cx14-pr29-schema
           imagePullPolicy: Never
           ports:
             - containerPort: 5217
@@ -554,6 +557,8 @@ spec:
               value: "/data/chapter-context.db"
             - name: TtsReader__Jobs__Root
               value: "/data/jobs"
+            - name: TtsReader__Export__LocalCasRoot
+              value: "/data/bundles/cas"
             - name: TtsReader__Piper__Host
               value: "10.0.57.17"
             - name: TtsReader__Piper__Port
@@ -760,3 +765,26 @@ spec:
           port: 5217
   tls:
     secretName: ttsreader-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose ttsreader-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: ttsreader-web-public
+#   namespace: fc-ttsreader
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`ttsreader.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: ttsreader-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: ttsreader-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-updater/fc-updater.yaml

@@ -52,17 +52,21 @@ spec:
       app: updatecenter-web
   template:
     metadata:
+      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
       labels:
         app: updatecenter-web
     spec:
       nodeName: rke2-server
       containers:
         - name: web
-          image: localhost/fc-updater-web:v20260509-4162dca-authgate
+          image: localhost/fc-updater-web:v202605310029-7974fc4
           imagePullPolicy: Never
           ports:
             - containerPort: 8080
               name: http
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: ASPNETCORE_URLS
               value: http://+:8080
@@ -88,6 +92,8 @@ spec:
               value: Faith AI Mike Edition
             - name: FlowerCore__Updater__PublicShares__Links__0__Description
               value: Private release link for Mike's Faith AI bundle.
+            - name: FlowerCore__Audit__Sinks__Loki__Enabled
+              value: "false"
             - name: FlowerCore__Updater__Auth__Bootstrap__Enabled
               value: "true"
             - name: FlowerCore__Updater__Auth__Bootstrap__Username

apps/intranet/intranet.yaml

@@ -46,7 +46,7 @@ spec:
     spec:
       containers:
         - name: intranet-web
-          image: localhost/fc-intranet-web:v20260508-brochure-w1
+          image: localhost/fc-intranet-web:v20260531-ttsreader-bridge
           imagePullPolicy: Never
           ports:
             - containerPort: 5300

apps/knowledge/knowledge.yaml

@@ -90,9 +90,12 @@ spec:
         app.kubernetes.io/name: knowledge-web
         app.kubernetes.io/part-of: bluejay-infra
       annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       securityContext:
         runAsNonRoot: true
@@ -102,7 +105,7 @@ spec:
         - name: web
           # Placeholder tag — bump to the image you built + imported to ALL
           # RKE2 nodes via scripts/deploy-knowledge.sh before applying.
-          image: localhost/fc-knowledge-web:v20260429232635
+          image: localhost/fc-knowledge-web:v20260603-oidc-authentik-auditfix
           imagePullPolicy: Never
           command:
             - /bin/sh
@@ -116,6 +119,7 @@ spec:
           ports:
             - containerPort: 8080
               name: http
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: ASPNETCORE_URLS
               value: "http://+:8080"
@@ -123,6 +127,25 @@ spec:
               value: "Production"
             - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
               value: "false"
+            # AuthentiK/OIDC is enforced. /healthz stays anonymous by contract;
+            # see flowercore.io/healthz-auth-policy above and the Sprint 58
+            # OIDC readiness probe audit.
+            - name: FlowerCore__Auth__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Authority
+              value: "https://id.iamworkin.lan/application/o/knowledge/"
+            - name: FlowerCore__Auth__Oidc__Audience
+              value: "knowledge"
+            - name: FlowerCore__Auth__Oidc__ClientId
+              value: "knowledge"
+            - name: FlowerCore__Auth__Oidc__ClientSecret
+              valueFrom:
+                secretKeyRef:
+                  name: knowledge-oidc-client
+                  key: client_secret
+                  optional: true
             # Vector-store directory + embedding model + edition profile dir.
             # Profile JSON is baked into the image at /home/app/editions via the
             # csproj Content-link from FlowerCore.Common/editions/.
@@ -134,6 +157,8 @@ spec:
               value: "5"
             - name: Knowledge__MaxLimit
               value: "50"
+            - name: Knowledge__Federation__DatabasePath
+              value: "/data/vector-stores/knowledge-federation.db"
             - name: FlowerCore__Editions__ProfileDirectory
               value: "/home/app/editions"
             # Embed via edge1 Pi 5 + AI HAT+ (10.0.57.17:11434). Cluster
@@ -264,3 +289,26 @@ spec:
           port: 80
   tls:
     secretName: knowledge-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose knowledge-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: knowledge-web-public
+#   namespace: knowledge
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`knowledge.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: knowledge-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: knowledge-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/kubevirt-vms/ci1.yaml

@@ -25,7 +25,7 @@ metadata:
     role: github-actions-runner
     flowercore.io/managed-by: bluejay-infra
 spec:
-  runStrategy: Always
+  runStrategy: Halted
   template:
     metadata:
       labels:

apps/mail/mail.yaml

@@ -207,20 +207,13 @@ spec:
     - port: 993
       targetPort: 993
       name: imaps
----
-# TLS Certificate via cert-manager
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: mail-tls
-  namespace: mail
-spec:
-  secretName: mail-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - mail.iamworkin.lan
+# --- mail-tls Certificate REMOVED 2026-06-01 ---
+# mail-tls is now managed OUTSIDE cert-manager: issued from step-ca's JWK 'admin'
+# provisioner and auto-renewed by a systemd timer on noc1 (step ca renew), which
+# writes the mail-tls secret directly. step-ca-acme only has an HTTP-01 (Traefik)
+# solver, but mail.iamworkin.lan must resolve to the dedicated MetalLB IP 10.0.56.202
+# (SMTP/IMAP), so HTTP-01 cannot validate. Do NOT re-add a cert-manager Certificate
+# here unless a DNS-01 solver is deployed for step-ca-acme.
 ---
 # Traefik IngressRoute - Webmail placeholder
 apiVersion: traefik.io/v1alpha1

apps/monitoring/noc-monitoring.yaml

@@ -216,19 +216,24 @@ data:
       - job_name: "pimanager-app"
         scrape_interval: 15s
         metrics_path: /metrics
+        scheme: https
+        tls_config:
+          insecure_skip_verify: true
         static_configs:
-          - targets: ["10.0.58.25:5000"]
+          - targets: ["piez.iamworkin.lan"]
             labels:
               instance: "piez"
-              service: "pimanager"
+              service: "signalcontrol"
               vlan: "home"
               device: "pi4-ezconnect"
-          - targets: ["10.0.58.113:5100"]
+              rig: "signal-b"
+          - targets: ["pirelay.iamworkin.lan"]
             labels:
               instance: "pirelay"
-              service: "pimanager"
+              service: "signalcontrol"
               vlan: "home"
               device: "pi3-ks0212"
+              rig: "signal-a"
 
       # Epson ET-3750 EcoTank Printer SNMP
       - job_name: "snmp-printer"
@@ -479,24 +484,33 @@ data:
               - "https://gitea.iamworkin.lan/"
               - "https://argocd.iamworkin.lan/"
               - "https://intranet.iamworkin.lan/"
-              - "https://signage.iamworkin.lan/"
+              - "https://signage.iamworkin.lan/healthz"   # root 401 auth-gated 2026-06-01; /healthz anon 200
               - "https://kiosk.iamworkin.lan/"
-              - "https://media.iamworkin.lan/"
-              - "https://mysql.iamworkin.lan/"
-              - "https://php.iamworkin.lan/"
+              - "https://media.iamworkin.lan/healthz"    # root auth-gated by OIDC; /healthz anonymous 200
+              - "https://mysql.iamworkin.lan/healthz"   # root 401 auth-gated 2026-06-01; /healthz anon 200
+              - "https://php.iamworkin.lan/healthz"     # root 401 auth-gated 2026-06-01; /healthz anon 200
               - "https://zabbix.iamworkin.lan/"
               - "https://desktop.iamworkin.lan/"
-              - "https://print.iamworkin.lan/"
-              - "https://dns.iamworkin.lan/"
-              - "https://chat.iamworkin.lan/"
-              - "https://dist.iamworkin.lan/"
-              - "https://dms.iamworkin.lan/"
+              - "https://print.iamworkin.lan/healthz"    # root 401 behind API key auth; /healthz anonymous 200
+              - "https://dns.iamworkin.lan/healthz"      # root auth-gated by OIDC; /healthz anonymous 200
+              - "https://signalcontrol.iamworkin.lan/health" # FlowerCore.SignalControl Pi control plane
+              - "https://flowercore.iamworkin.lan/healthz"    # FlowerCore landing
+              - "https://replay.iamworkin.lan/healthz"        # FlowerCore.Signage replay surface
+              - "https://worldbuilder.iamworkin.lan/healthz"  # FlowerCore.WorldBuilder
+              - "https://updates.iamworkin.lan/api/v1/manifests/_schema" # UpdateCenter plural LAN alias
+              - "https://updatecenter-internal.iamworkin.lan/api/v1/manifests/_schema" # internal UC schema route
+              - "https://chat.iamworkin.lan/healthz"     # OIDC staged; keep blackbox off root before enforcement flips
+              - "https://dist.iamworkin.lan/healthz"     # root/admin auth-gated by OIDC; /healthz anonymous 200
+              - "https://dms.iamworkin.lan/healthz"      # future OIDC posture; health route is already anonymous/live
               - "https://menuboard.iamworkin.lan/"
               - "https://messageboard.iamworkin.lan/"
               - "https://presentations.iamworkin.lan/"
               - "https://retail.iamworkin.lan/"
               - "https://ttsreader.iamworkin.lan/"
               # Explicit healthcheck paths
+              - "https://library.iamworkin.lan/health"
+              - "https://aistation.iamworkin.lan/healthz"
+              - "https://knowledge.iamworkin.lan/healthz"
               - "https://fc-llm-bridge.iamworkin.lan/healthz"
               - "https://acme.iamworkin.lan/health"
               # NOTE: services intentionally NOT in this probe surface
@@ -908,12 +922,13 @@ data:
           # of idle and SNMP times out, so 5m for: would page nightly. A
           # genuine printer outage (jam, disconnected) lasts well over 30m.
           - alert: EpsonPrinterDown
-            expr: up{job="snmp-printer"} == 0
+            expr: (max_over_time(up{job="snmp-printer"}[35m]) == bool 0) == 1 and (hour() >= 13 or hour() < 1)
             for: 30m
             labels:
-              severity: warning
+              severity: info
+              alert_channel: irc
             annotations:
-              summary: "Epson ET-3750 SNMP unreachable for >30m (likely actual fault, not sleep)"
+              summary: "Epson ET-3750 SNMP unreachable during waking hours (30m)"
 
           - alert: SynologyDiskLow
             expr: hrStorageUsed{job="snmp-nas"} / hrStorageSize{job="snmp-nas"} * 100 > 85
@@ -1020,7 +1035,12 @@ data:
       - name: kubernetes-state
         rules:
           - alert: KubeContainerRestartingFrequently
-            expr: increase(kube_pod_container_status_restarts_total[1h]) > 5
+            # Exclude github-runner: ephemeral runners register, run one job,
+            # exit cleanly, and restart by design. Also require kube_pod_info so
+            # deleted rollout pods do not keep firing from retained restart series.
+            expr: |
+              increase(kube_pod_container_status_restarts_total{namespace!="github-runner"}[1h]) > 5
+              and on(namespace, pod) kube_pod_info
             for: 15m
             labels:
               severity: warning
@@ -1029,7 +1049,12 @@ data:
               description: "Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has restarted {{ $value | printf \"%.0f\" }} times in the last hour. Check 'kubectl describe pod' + last-state termination reason."
 
           - alert: KubeContainerCrashLooping
-            expr: increase(kube_pod_container_status_restarts_total[15m]) > 3
+            # Same github-runner/delete-retention exclusions as the hourly
+            # restart rule above; real runner failures are covered by the
+            # dedicated LinuxRunnerOffline/MacMiniRunnerOffline alerts.
+            expr: |
+              increase(kube_pod_container_status_restarts_total{namespace!="github-runner"}[15m]) > 3
+              and on(namespace, pod) kube_pod_info
             for: 5m
             labels:
               severity: critical
@@ -1057,7 +1082,10 @@ data:
               description: "Pod can't pull image. Check the image ref (often a stale tag or unreachable registry) and clean up if it's an orphan."
 
           - alert: KubeDeploymentReplicasMismatch
-            expr: kube_deployment_spec_replicas != kube_deployment_status_replicas_available
+            # github-runner has explicit runner-offline alerts; the generic
+            # replica-mismatch rule should not page on intentionally ephemeral
+            # 0/1 runner churn between CI jobs.
+            expr: kube_deployment_spec_replicas{namespace!="github-runner"} != kube_deployment_status_replicas_available{namespace!="github-runner"}
             for: 15m
             labels:
               severity: warning

apps/telephony/telephony.yaml

@@ -114,6 +114,9 @@ spec:
       app: telephony-web
   template:
     metadata:
+      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/health"
       labels:
         app: telephony-web
     spec:
@@ -161,6 +164,7 @@ spec:
           ports:
             - containerPort: 5100
               name: http
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: Telephony__Twilio__AccountSid
               valueFrom:
@@ -387,4 +391,3 @@ spec:
 
 
 
-

apps/worldbuilder/worldbuilder.yaml

@@ -77,6 +77,8 @@ spec:
         flowercore.io/tenant-id: system
         flowercore.io/created-by: bluejay-infra
       annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics/prometheus"
@@ -93,6 +95,7 @@ spec:
           ports:
             - containerPort: 8080
               name: http
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: ASPNETCORE_URLS
               value: "http://+:8080"
@@ -254,3 +257,26 @@ spec:
           port: 80
   tls:
     secretName: worldbuilder-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose worldbuilder-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: worldbuilder-web-public
+#   namespace: worldbuilder
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`worldbuilder.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: worldbuilder-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: worldbuilder-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

tests/bluejay-infra-lint/DivoomPiDeployArtifactTests.cs

@@ -0,0 +1,206 @@
+using FluentAssertions;
+using Xunit;
+
+namespace BluejayInfraLint.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class DivoomPiDeployArtifactTests
+{
+    private static readonly string Root = FindRepoRoot();
+    private static readonly string DmRoot = Path.Combine(Root, "apps", "fc-divoom-dm-pi-device");
+    private static readonly string TvRoot = Path.Combine(Root, "apps", "fc-divoom-tv-pi");
+
+    public static TheoryData<string> DmRequiredArtifacts => new()
+    {
+        "README.md",
+        "hiera/edge2-divoom-dm-device.overlay.yaml",
+        "puppet/profile/pi/service/divoom_dm_device.pp",
+        "puppet/templates/divoom-device-registration.json.epp",
+        "puppet/templates/flowercore-divoom-dm-agent.service.epp",
+    };
+
+    public static TheoryData<string> TvRequiredArtifacts => new()
+    {
+        "README.md",
+        "hiera/example-divoom-tv-pi.iamworkin.lan.yaml",
+        "puppet/profile/pi/service/divoom_tv.pp",
+        "systemd/flowercore-divoom-tv.service",
+        "systemd/flowercore-divoom-tv-hdmi.service",
+        "systemd/99-flowercore-divoom-tv-hdmi.rules",
+        "scripts/flowercore-divoom-tv-prelaunch.sh",
+        "scripts/flowercore-divoom-tv-launch.sh",
+        "scripts/flowercore-divoom-tv-hdmi-respond.sh",
+    };
+
+    [Theory]
+    [MemberData(nameof(DmRequiredArtifacts))]
+    public void DmDeviceArtifacts_ArePresent(string relativePath)
+    {
+        File.Exists(Path.Combine(DmRoot, relativePath.Replace('/', Path.DirectorySeparatorChar))).Should().BeTrue(relativePath);
+    }
+
+    [Theory]
+    [MemberData(nameof(TvRequiredArtifacts))]
+    public void TvPiArtifacts_ArePresent(string relativePath)
+    {
+        File.Exists(Path.Combine(TvRoot, relativePath.Replace('/', Path.DirectorySeparatorChar))).Should().BeTrue(relativePath);
+    }
+
+    [Fact]
+    public void DmDeviceReadme_DeclaresPuppetSystemdNotKubernetes()
+    {
+        var readme = ReadDm("README.md");
+
+        readme.Should().Contain("not a Kubernetes application");
+        readme.Should().Contain("profile::pi::service::divoom");
+        readme.Should().Contain("no K8s surface");
+    }
+
+    [Fact]
+    public void DmHieraOverlay_PreservesExistingEdge2DivoomService()
+    {
+        var hiera = ReadDm("hiera/edge2-divoom-dm-device.overlay.yaml");
+
+        hiera.Should().Contain("fc-pimanager:");
+        hiera.Should().Contain("fc-divoom:");
+        hiera.Should().Contain("enabled: true");
+        hiera.Should().Contain("profile::pi::service::divoom_dm_device::service_enabled: false");
+        hiera.Should().Contain("profile::pi::service::divoom_dm_device::service_ensure: 'stopped'");
+    }
+
+    [Fact]
+    public void DmPuppetProfile_DefaultsToStoppedDisabledService()
+    {
+        var profile = ReadDm("puppet/profile/pi/service/divoom_dm_device.pp");
+
+        profile.Should().Contain("Boolean $service_enabled = false");
+        profile.Should().Contain("Enum['running', 'stopped'] $service_ensure = 'stopped'");
+        profile.Should().Contain("service { $service_name:");
+        profile.Should().Contain("ensure  => $service_ensure");
+        profile.Should().Contain("enable  => $service_enabled");
+    }
+
+    [Fact]
+    public void DmPuppetProfile_DoesNotManageLiveDivoomWebUnit()
+    {
+        var profile = ReadDm("puppet/profile/pi/service/divoom_dm_device.pp");
+
+        profile.Should().NotContain("Service['flowercore-divoom.service']");
+        profile.Should().NotContain("service { 'flowercore-divoom.service'");
+        profile.Should().NotContain("notify  => Service");
+    }
+
+    [Fact]
+    public void DmAgentUnit_IsSeparateAndGatedByExistingWrappers()
+    {
+        var unit = ReadDm("puppet/templates/flowercore-divoom-dm-agent.service.epp");
+
+        unit.Should().Contain("ConditionPathExists=<%= $divoom_install_dir %>/bt-link.sh");
+        unit.Should().Contain("ConditionPathExists=<%= $divoom_install_dir %>/bt-reset.sh");
+        unit.Should().Contain("ConditionPathExists=<%= $divoom_install_dir %>/audio-link.sh");
+        unit.Should().Contain("ExecStart=<%= $agent_binary_path %> --mode=Pi");
+        unit.Should().NotContain("flowercore-divoom.service");
+    }
+
+    [Fact]
+    public void DmRegistration_CarriesRenderProofAndSafetyPolicy()
+    {
+        var registration = ReadDm("puppet/templates/divoom-device-registration.json.epp");
+
+        registration.Should().Contain("\"candidateChannels\": <%= $bt_channels_json %>");
+        registration.Should().Contain("\"deviceInfoIsRenderProof\": false");
+        registration.Should().Contain("\"visibleRenderProofRequired\": <%= $visible_render_proof_required %>");
+        registration.Should().Contain("\"preserveExistingService\": \"flowercore-divoom.service\"");
+        registration.Should().Contain("\"doNotEnableFmRadio\": true");
+    }
+
+    [Fact]
+    public void TvService_UsesAvaloniaHdmiSafetyGates()
+    {
+        var unit = ReadTv("systemd/flowercore-divoom-tv.service");
+
+        unit.Should().Contain("ConditionPathExists=/opt/flowercore/divoom-tv/FlowerCore.Divoom.Tv");
+        unit.Should().Contain("Environment=XDG_RUNTIME_DIR=/run/fc-divoom-tv");
+        unit.Should().Contain("RuntimeDirectoryMode=0700");
+        unit.Should().Contain("ExecStartPre=/usr/local/bin/flowercore-divoom-tv-prelaunch.sh");
+        unit.Should().Contain("ExecStart=/usr/local/bin/flowercore-divoom-tv-launch.sh");
+        unit.Should().Contain("MemoryMax=2G");
+        unit.Should().Contain("PrivateTmp=true");
+        unit.Should().NotContain("/tmp");
+    }
+
+    [Fact]
+    public void TvLauncher_PrefersCageAndFallsBackToDirectLaunch()
+    {
+        var script = ReadTv("scripts/flowercore-divoom-tv-launch.sh");
+
+        script.Should().Contain("command -v cage");
+        script.Should().Contain("exec cage --");
+        script.Should().Contain("launching FlowerCore.Divoom.Tv directly");
+        script.Should().Contain("--target=hdmi");
+        script.Should().Contain("--presentation-mode=${PRESENTATION_MODE}");
+    }
+
+    [Fact]
+    public void TvHotplugRule_SettlesAndRestartsRenderer()
+    {
+        var rule = ReadTv("systemd/99-flowercore-divoom-tv-hdmi.rules");
+        var responder = ReadTv("scripts/flowercore-divoom-tv-hdmi-respond.sh");
+
+        rule.Should().Contain("KERNEL==\"card?-HDMI-A-?\"");
+        rule.Should().Contain("start flowercore-divoom-tv-hdmi.service");
+        responder.Should().Contain("sleep 2");
+        responder.Should().Contain("systemctl restart flowercore-divoom-tv.service");
+    }
+
+    [Fact]
+    public void TvPuppetProfile_InstallsCageAndStaticArtifacts()
+    {
+        var profile = ReadTv("puppet/profile/pi/service/divoom_tv.pp");
+
+        profile.Should().Contain("package { ['cage', 'libgbm1', 'libdrm2', 'libxkbcommon0', 'fonts-dejavu-core']");
+        profile.Should().Contain("'profile/pi/fc_divoom_tv/flowercore-divoom-tv.service'");
+        profile.Should().Contain("'profile/pi/fc_divoom_tv/flowercore-divoom-tv-launch.sh'");
+        profile.Should().Contain("profile/pi/fc_divoom_tv/99-flowercore-divoom-tv-hdmi.rules");
+        profile.Should().Contain("Boolean $service_enabled = false");
+    }
+
+    [Fact]
+    public void DivoomArtifacts_DoNotAddKubernetesWorkloads()
+    {
+        var allText = Directory.GetFiles(DmRoot, "*", SearchOption.AllDirectories)
+            .Concat(Directory.GetFiles(TvRoot, "*", SearchOption.AllDirectories))
+            .Select(File.ReadAllText);
+
+        foreach (var text in allText)
+        {
+            text.Should().NotContain("kind: Deployment");
+            text.Should().NotContain("kind: IngressRoute");
+            text.Should().NotContain("kind: Certificate");
+            text.Should().NotContain("kind: OnePasswordItem");
+        }
+    }
+
+    private static string ReadDm(string relativePath)
+        => File.ReadAllText(Path.Combine(DmRoot, relativePath.Replace('/', Path.DirectorySeparatorChar)));
+
+    private static string ReadTv(string relativePath)
+        => File.ReadAllText(Path.Combine(TvRoot, relativePath.Replace('/', Path.DirectorySeparatorChar)));
+
+    private static string FindRepoRoot()
+    {
+        var current = new DirectoryInfo(AppContext.BaseDirectory);
+        while (current is not null)
+        {
+            if (Directory.Exists(Path.Combine(current.FullName, "apps"))
+                && File.Exists(Path.Combine(current.FullName, "README.md")))
+            {
+                return current.FullName;
+            }
+
+            current = current.Parent;
+        }
+
+        throw new DirectoryNotFoundException("Could not find bluejay-infra root.");
+    }
+}

tests/bluejay-infra-lint/FleetManifestLintTests.cs

@@ -15,24 +15,19 @@ public sealed class FleetManifestLintTests
     {
         "brochure.flowercore.io",
         "dist.flowercore.io",
-        "dns.iamworkin.lan",
     };
 
-    // Public hosts that allow a tightly bounded write surface in addition to
-    // GET/HEAD. updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
+    // Hosts that allow a tightly bounded write surface in addition to GET/HEAD.
+    // updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
     // (bootstrap-JWT) so its allowlist is GET||HEAD||POST||OPTIONS — but
-    // PUT/PATCH/DELETE must still 404 at the route. Anything wider than this
-    // set should fail this lint.
-    //
-    // PUB-1 (2026-05-06): update.flowercore.io / updates.flowercore.io were
-    // added for the Cloudflare-proxied public Update Center edge. They use the
-    // same bounded read-write allowlist as the LAN pair.
+    // PUT/PATCH/DELETE must still 404 at the route. Public
+    // update.flowercore.io remains a GET/HEAD download surface in the
+    // FlowerCore.Updater sibling manifest and is covered by the general
+    // public-method allowlist lint instead of this write-surface rule.
     private static readonly HashSet<string> PublicReadWriteAllowlistHosts = new(StringComparer.Ordinal)
     {
         "updatecenter.iamworkin.lan",
         "updates.iamworkin.lan",
-        "update.flowercore.io",
-        "updates.flowercore.io",
     };
 
     private static readonly HashSet<string> ApiKeyProtectedDeployments = new(StringComparer.Ordinal)
@@ -67,9 +62,10 @@ public sealed class FleetManifestLintTests
         ["github-runner-chat"] = "https://github.com/astoltz/FlowerCore.Chat",
         ["github-runner-mysql"] = "https://github.com/astoltz/FlowerCore.MySQL",
         ["github-runner-kiosk-linux"] = "https://github.com/astoltz/FlowerCore.Kiosk.Linux",
+        ["github-runner-updater"] = "https://github.com/astoltz/FlowerCore.Updater",
     };
 
-    private static readonly HashSet<string> ScaledLinuxRunnerDeployments = new(StringComparer.Ordinal)
+    private static readonly HashSet<string> RepoScopedLinuxRunnerDeployments = new(StringComparer.Ordinal)
     {
         "github-runner-sharedpos",
         "github-runner-puppet",
@@ -80,6 +76,45 @@ public sealed class FleetManifestLintTests
         "github-runner-chat",
         "github-runner-mysql",
         "github-runner-kiosk-linux",
+        "github-runner-updater",
+    };
+
+    private static readonly IReadOnlyDictionary<string, (string Deployment, string ProbePath)> BroaderHardeningDeployments =
+        new Dictionary<string, (string Deployment, string ProbePath)>(StringComparer.Ordinal)
+        {
+            ["fc-aistation"] = ("aistation-web", "/healthz"),
+            ["fc-chat"] = ("chat-web", "/healthz"),
+            ["fc-devicemgmt"] = ("fc-devicemgmt-web", "/healthz"),
+            ["fc-library"] = ("library-web", "/health"),
+            ["fc-llm-bridge"] = ("fc-llm-bridge", "/healthz"),
+            ["fc-messageboard"] = ("messageboard-web", "/healthz"),
+            ["fc-retail"] = ("retail-web", "/healthz"),
+            ["fc-ttsreader"] = ("ttsreader-web", "/healthz"),
+            ["fc-updater"] = ("updatecenter-web", "/healthz"),
+            ["knowledge"] = ("knowledge-web", "/healthz"),
+            ["telephony"] = ("telephony-web", "/health"),
+            ["worldbuilder"] = ("worldbuilder-web", "/healthz"),
+        };
+
+    private static readonly HashSet<string> BroaderHardeningInternalPrestageApps = new(StringComparer.Ordinal)
+    {
+        "fc-aistation",
+        "fc-desktop",
+        "fc-dms",
+        "fc-library",
+        "fc-llm-bridge",
+        "fc-menuboard",
+        "fc-messageboard",
+        "fc-mysql",
+        "fc-php",
+        "fc-presentations",
+        "fc-retail",
+        "fc-scoreboard",
+        "fc-segmentdisplay",
+        "fc-signage",
+        "fc-ttsreader",
+        "knowledge",
+        "worldbuilder",
     };
 
     private static readonly IReadOnlyDictionary<string, string> WritableRunnerEnv = new Dictionary<string, string>(StringComparer.Ordinal)
@@ -234,7 +269,7 @@ public sealed class FleetManifestLintTests
         {
             deployments.Should().ContainKey(expectedRunner.Key);
 
-            var container = deployments[expectedRunner.Key].ContainerMappings().Should().ContainSingle().Subject;
+            var container = deployments[expectedRunner.Key].MainContainerMappings().Should().ContainSingle().Subject;
             EnvValue(container, "REPO_URL").Should().Be(expectedRunner.Value);
             EnvValue(container, "EPHEMERAL").Should().Be("true");
             EnvValue(container, "LABELS").Should().Be("self-hosted,linux,fc-build-linux");
@@ -250,7 +285,7 @@ public sealed class FleetManifestLintTests
     {
         foreach (var deployment in GitHubRunnerDeployments().Values)
         {
-            var container = deployment.ContainerMappings().Should().ContainSingle().Subject;
+            var container = deployment.MainContainerMappings().Should().ContainSingle().Subject;
 
             foreach (var expectedEnv in WritableRunnerEnv)
             {
@@ -270,14 +305,17 @@ public sealed class FleetManifestLintTests
     }
 
     [Fact]
-    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForScaledDeployments()
+    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForRepoScopedDeployments()
     {
         var deployments = GitHubRunnerDeployments();
 
-        foreach (var deploymentName in ScaledLinuxRunnerDeployments)
+        foreach (var deploymentName in RepoScopedLinuxRunnerDeployments)
         {
             var deployment = deployments[deploymentName];
-            ReplicaCount(deployment).Should().Be(2);
+            // Sprint 34 ops trimmed runner load while the cluster was degraded
+            // to two healthy nodes. Repo-scoped runners can be tuned back above
+            // one replica, but they must stay RWO-safe before that happens.
+            ReplicaCount(deployment).Should().BeGreaterOrEqualTo(1, $"{deploymentName} must keep at least one repo-scoped runner online");
 
             var volumes = deployment.MappingSequence("spec", "template", "spec", "volumes");
             var claimNames = volumes
@@ -285,7 +323,7 @@ public sealed class FleetManifestLintTests
                 .Where(value => !string.IsNullOrWhiteSpace(value))
                 .ToList();
 
-            claimNames.Should().BeEmpty($"{deploymentName} is scaled and must not share a RWO PVC");
+            claimNames.Should().BeEmpty($"{deploymentName} must remain ready for safe multi-replica scaling without sharing a RWO PVC");
             volumes.Should().Contain(volume =>
                 string.Equals(ManifestNodeExtensions.Scalar(volume, "name"), "nuget-cache", StringComparison.Ordinal)
                 && ManifestNodeExtensions.Mapping(volume, "emptyDir") != null);
@@ -303,6 +341,108 @@ public sealed class FleetManifestLintTests
             .Be("github-runner-nuget-cache");
     }
 
+    [Fact]
+    public void Runners_MustNotPinToOperatorWorkstationHosts()
+    {
+        // CRITICAL SAFETY (operator directive 2026-05-26): BLUEJAY-WS is the
+        // operator's primary workstation — host of the 1Password Connect
+        // bearer token, fcadmin SSH keys to noc1, signing CA private keys,
+        // and source for every FC repo. A self-hosted GitHub Actions runner
+        // there would execute arbitrary PR code with that local access.
+        // Build-side analog of the Sprint 9 NEW safe-account exclusion gate
+        // (Puppet GPO/AppLocker/WDAC/audit-forwarder modules refuse to apply
+        // on BLUEJAY-WS). This lint asserts no GitHub-runner Deployment in
+        // apps/github-runner/ pins to a forbidden operator-workstation host
+        // via nodeName, nodeSelector, nodeAffinity, or tolerations.
+        // Existing legacy `bluejay-ws-sandbox-1` GitHub-registered runner is
+        // out of scope here (it's a runtime registration, not a K8s
+        // Deployment) — see CLAUDE.md "Common Mistakes" entry and
+        // feedback_bluejay_ws_never_public_runner.md.
+        var forbiddenHostPatterns = new[]
+        {
+            "bluejay-ws",
+            "BLUEJAY-WS",
+            "bluejay-ws.iamworkin.lan",
+            "iamworkin-ws",
+        };
+
+        bool ContainsForbidden(string? value) =>
+            !string.IsNullOrWhiteSpace(value)
+            && forbiddenHostPatterns.Any(pattern => value!.Contains(pattern, StringComparison.OrdinalIgnoreCase));
+
+        var violations = GitHubRunnerDeployments().Values.SelectMany(deployment =>
+        {
+            var local = new List<string>();
+            var podSpec = ManifestNodeExtensions.Mapping(deployment.Root, "spec", "template", "spec");
+            if (podSpec is null)
+            {
+                return local;
+            }
+
+            // nodeName: pins the pod to a specific node by name.
+            var nodeName = ManifestNodeExtensions.Scalar(podSpec, "nodeName");
+            if (ContainsForbidden(nodeName))
+            {
+                local.Add($"{deployment.Name} sets nodeName='{nodeName}' which targets a forbidden operator-workstation host.");
+            }
+
+            // nodeSelector: dict of label → value pinning the pod to nodes
+            // carrying matching labels. Examples that would trip this:
+            //   kubernetes.io/hostname: bluejay-ws
+            //   flowercore.io/host: bluejay-ws.iamworkin.lan
+            var nodeSelector = ManifestNodeExtensions.Mapping(podSpec, "nodeSelector");
+            if (nodeSelector is not null)
+            {
+                foreach (var entry in nodeSelector.Children)
+                {
+                    var key = entry.Key is YamlScalarNode keyScalar ? keyScalar.Value : null;
+                    var value = entry.Value is YamlScalarNode valueScalar ? valueScalar.Value : null;
+                    if (ContainsForbidden(value))
+                    {
+                        local.Add($"{deployment.Name} has nodeSelector entry '{key}: {value}' which targets a forbidden operator-workstation host.");
+                    }
+                }
+            }
+
+            // nodeAffinity: matchExpressions over node labels.
+            foreach (var term in ManifestNodeExtensions.MappingSequence(podSpec, "affinity", "nodeAffinity", "requiredDuringSchedulingIgnoredDuringExecution", "nodeSelectorTerms"))
+            {
+                foreach (var expr in ManifestNodeExtensions.MappingSequence(term, "matchExpressions"))
+                {
+                    var key = ManifestNodeExtensions.Scalar(expr, "key");
+                    foreach (var valueNode in ManifestNodeExtensions.ScalarSequence(expr, "values"))
+                    {
+                        if (ContainsForbidden(valueNode))
+                        {
+                            local.Add($"{deployment.Name} has nodeAffinity matchExpression '{key}' value '{valueNode}' which targets a forbidden operator-workstation host.");
+                        }
+                    }
+                }
+            }
+
+            // tolerations: scheduling onto a tainted operator-workstation
+            // node would let the runner run there. Forbid any toleration
+            // value that names the workstation.
+            foreach (var toleration in ManifestNodeExtensions.MappingSequence(podSpec, "tolerations"))
+            {
+                var key = ManifestNodeExtensions.Scalar(toleration, "key");
+                var value = ManifestNodeExtensions.Scalar(toleration, "value");
+                if (ContainsForbidden(key))
+                {
+                    local.Add($"{deployment.Name} has toleration key '{key}' which targets a forbidden operator-workstation host.");
+                }
+                if (ContainsForbidden(value))
+                {
+                    local.Add($"{deployment.Name} has toleration value '{value}' which targets a forbidden operator-workstation host.");
+                }
+            }
+
+            return local;
+        }).ToList();
+
+        violations.Should().BeEmpty("BLUEJAY-WS / iamworkin-ws must never host a fleet GitHub Actions runner; see CLAUDE.md 'Registering BLUEJAY-WS as a fleet GitHub Actions runner' and feedback_bluejay_ws_never_public_runner.md");
+    }
+
     [Fact]
     public void Monitoring_MustAlertWhenLinuxRunnerDeploymentIsUnavailable()
     {
@@ -317,6 +457,82 @@ public sealed class FleetManifestLintTests
         monitoring.Should().Contain("alert_channel: irc");
     }
 
+    [Fact]
+    public void Monitoring_GenericKubernetesAlerts_MustExcludeEphemeralGithubRunnerNamespace()
+    {
+        var monitoring = File.ReadAllText(Path.Combine(Inventory.BluejayRoot, "apps", "monitoring", "noc-monitoring.yaml"));
+
+        monitoring.Should().Contain("kube_pod_container_status_restarts_total{namespace!=\"github-runner\"}");
+        monitoring.Should().Contain("and on(namespace, pod) kube_pod_info");
+        monitoring.Should().Contain("kube_deployment_spec_replicas{namespace!=\"github-runner\"} != kube_deployment_status_replicas_available{namespace!=\"github-runner\"}");
+        monitoring.Should().Contain("dedicated LinuxRunnerOffline/MacMiniRunnerOffline alerts");
+    }
+
+    [Fact]
+    public void Monitoring_BlackboxTargetsForOidcSensitiveServices_MustUseAnonymousHealthRoutesWhenAvailable()
+    {
+        var monitoring = File.ReadAllText(Path.Combine(Inventory.BluejayRoot, "apps", "monitoring", "noc-monitoring.yaml"));
+
+        monitoring.Should().Contain("https://chat.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://dist.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://dms.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://print.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://knowledge.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://library.iamworkin.lan/health");
+        monitoring.Should().Contain("https://aistation.iamworkin.lan/healthz");
+        monitoring.Should().NotContain("https://print.iamworkin.lan/\"");
+    }
+
+    [Fact]
+    public void OidcEnforcedDeployments_WithHttpHealthzProbes_MustDeclareAnonymousHealthzContract()
+    {
+        var violations = Inventory.Documents
+            .Where(document => document.Kind == "Deployment")
+            .SelectMany(document => document.MainContainerMappings()
+                .Where(container => string.Equals(EnvValue(container, "FlowerCore__Auth__Enabled"), "true", StringComparison.OrdinalIgnoreCase))
+                .Where(container => string.Equals(EnvValue(container, "FlowerCore__Auth__Oidc__Enabled"), "true", StringComparison.OrdinalIgnoreCase))
+                .Where(container => ProbeHttpGetPath(container, "readinessProbe") == "/healthz"
+                    || ProbeHttpGetPath(container, "startupProbe") == "/healthz")
+                .Where(_ => !string.Equals(
+                    PodAnnotation(document, "flowercore.io/healthz-auth-policy"),
+                    "allow-anonymous",
+                    StringComparison.Ordinal))
+                .Select(container =>
+                {
+                    var containerName = ManifestNodeExtensions.Scalar(container, "name") ?? "<unnamed>";
+                    return $"{document.Descriptor} container '{containerName}' enforces OIDC while probing /healthz but lacks flowercore.io/healthz-auth-policy: allow-anonymous.";
+                }))
+            .ToList();
+
+        violations.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void Knowledge_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
+    {
+        var knowledge = Inventory.Documents
+            .Single(document => document.Kind == "Deployment" && document.Namespace == "knowledge" && document.Name == "knowledge-web");
+        var container = knowledge.MainContainerMappings().Should().ContainSingle().Subject;
+
+        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
+        EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
+        ProbeHttpGetPath(container, "readinessProbe").Should().Be("/healthz");
+        PodAnnotation(knowledge, "flowercore.io/healthz-auth-policy").Should().Be("allow-anonymous");
+    }
+
+    [Fact]
+    public void Distribution_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
+    {
+        var distribution = Inventory.Documents
+            .Single(document => document.Kind == "Deployment" && document.Namespace == "fc-distribution" && document.Name == "fc-distribution");
+        var container = distribution.MainContainerMappings().Should().ContainSingle().Subject;
+
+        EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
+        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
+        ProbeHttpGetPath(container, "readinessProbe").Should().Be("/healthz");
+        PodAnnotation(distribution, "flowercore.io/healthz-auth-policy").Should().Be("allow-anonymous");
+    }
+
     [Fact]
     public void StatefulSets_WithVolumeClaimTemplates_MustDeclareFilesystemDefaults()
     {
@@ -430,7 +646,6 @@ public sealed class FleetManifestLintTests
         var expectedFiles = new[]
         {
             "1password-item.yaml",
-            "argocd-application.yaml",
             "certificate-web.yaml",
             "clusterrole-operator.yaml",
             "clusterrolebinding-operator.yaml",
@@ -586,17 +801,202 @@ public sealed class FleetManifestLintTests
     }
 
     [Fact]
-    public void FcDeviceManagement_ArgocdApplicationMustMatchApplicationSetDiscoveryConventions()
+    public void FcDeviceManagement_MustRelyOnApplicationSetDiscovery()
     {
-        var application = FcDeviceManagementDocuments()
-            .Single(document => document.Kind == "Application" && document.Name == "infra-fc-devicemgmt");
+        var documents = FcDeviceManagementDocuments();
 
-        application.Namespace.Should().Be("argocd");
-        application.Scalar("spec", "source", "repoURL")
+        documents.Should().NotContain(document => document.Kind == "Application");
+
+        var ns = documents.Single(document => document.Kind == "Namespace" && document.Name == "fc-devicemgmt");
+        ns.FileText.Should().Contain("ArgoCD discovers this directory as Application `infra-fc-devicemgmt`.");
+    }
+
+    [Fact]
+    public void BroaderHardeningDeployments_MustAnnotateAnonymousHealthProbeIntent()
+    {
+        foreach (var expected in BroaderHardeningDeployments)
+        {
+            var deployment = AppDocuments(expected.Key)
+                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value.Deployment);
+
+            PodAnnotation(deployment, "fc.flowercore.io/healthz-anon").Should().Be("true");
+            PodAnnotation(deployment, "fc.flowercore.io/probe-path").Should().Be(expected.Value.ProbePath);
+        }
+    }
+
+    [Fact]
+    public void BroaderHardeningDeployments_MustDocumentForwardedProtoAuthPosture()
+    {
+        foreach (var expected in BroaderHardeningDeployments)
+        {
+            var deployment = AppDocuments(expected.Key)
+                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value.Deployment);
+
+            deployment.FileText.Should().Contain(
+                "fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178)");
+        }
+    }
+
+    [Fact]
+    public void BroaderHardeningInternalApps_MustOnlyPrestageCommentedPublicMethodAllowlist()
+    {
+        foreach (var app in BroaderHardeningInternalPrestageApps)
+        {
+            var documents = AppDocuments(app);
+            var text = string.Join(Environment.NewLine, documents.Select(document => document.FileText));
+
+            text.Should().Contain("PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only)");
+            text.Should().Contain("#     - match: Host(`");
+            text.Should().Contain("Method(`GET`) || Method(`HEAD`)");
+
+            documents
+                .Where(document => document.Kind == "IngressRoute")
+                .SelectMany(document => document.MappingSequence("spec", "routes"))
+                .Select(route => ManifestNodeExtensions.Scalar(route, "match") ?? string.Empty)
                 .Should()
-            .Be("http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git");
-        application.Scalar("spec", "source", "path").Should().Be("apps/fc-devicemgmt");
-        application.Scalar("spec", "destination", "namespace").Should().Be("fc-devicemgmt");
+                .NotContain(match => match.Contains(".flowercore.io", StringComparison.Ordinal),
+                    "Sprint 61 broader hardening only pre-stages commented public hosts for internal-only apps");
+        }
+    }
+
+    [Fact]
+    public void OidcFlipServices_AreGitOpsManagedWithHealthzProbes()
+    {
+        var deployments = new[]
+        {
+            (App: "fc-dns", Name: "dns-web", Slug: "dns", Secret: "dns-oidc-client"),
+            (App: "fc-media", Name: "fc-media-web", Slug: "media", Secret: "media-oidc-client"),
+            (App: "fc-distribution", Name: "fc-distribution", Slug: "distribution", Secret: "distribution-oidc-client"),
+        };
+
+        foreach (var expected in deployments)
+        {
+            var deployment = AppDocuments(expected.App)
+                .Single(document => document.Kind == "Deployment" && document.Name == expected.Name);
+            var container = deployment.MainContainerMappings().Should().ContainSingle().Subject;
+
+            EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
+            EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
+            (EnvValue(container, "FlowerCore__Auth__Oidc__Audience") ?? EnvValue(container, "FlowerCore__Auth__Oidc__ClientId"))
+                .Should()
+                .Be(expected.Slug);
+            EnvSecretName(container, "FlowerCore__Auth__Oidc__ClientSecret").Should().Be(expected.Secret);
+            EnvSecretOptional(container, "FlowerCore__Auth__Oidc__ClientSecret").Should().Be("true");
+
+            ProbePath(container, "readinessProbe").Should().Be("/healthz");
+            if (ProbePath(container, "startupProbe") is { } startupProbePath)
+            {
+                startupProbePath.Should().Be("/healthz");
+            }
+
+            if (ProbePath(container, "livenessProbe") is { } livenessProbePath)
+            {
+                livenessProbePath.Should().Be("/healthz");
+            }
+        }
+    }
+
+    [Fact]
+    public void OidcFlipServices_UseOnePasswordItemClientSecrets()
+    {
+        var expectedItems = new Dictionary<string, (string Name, string ItemPath)>(StringComparer.Ordinal)
+        {
+            ["fc-dns"] = ("dns-oidc-client", "vaults/IAmWorkin/items/dns-oidc-client"),
+            ["fc-media"] = ("media-oidc-client", "vaults/IAmWorkin/items/media-oidc-client"),
+            ["fc-distribution"] = ("distribution-oidc-client", "vaults/IAmWorkin/items/distribution-oidc-client"),
+        };
+
+        foreach (var expected in expectedItems)
+        {
+            var item = AppDocuments(expected.Key)
+                .Single(document => document.Kind == "OnePasswordItem" && document.Name == expected.Value.Name);
+
+            item.Scalar("spec", "itemPath").Should().Be(expected.Value.ItemPath);
+        }
+    }
+
+    [Fact]
+    public void DnsAndMediaGitOpsAdoption_PreservesLiveStorageAndImageShape()
+    {
+        var dnsDeployment = AppDocuments("fc-dns")
+            .Single(document => document.Kind == "Deployment" && document.Name == "dns-web");
+        var dnsContainer = dnsDeployment.MainContainerMappings().Should().ContainSingle().Subject;
+        var dnsPvc = AppDocuments("fc-dns")
+            .Single(document => document.Kind == "PersistentVolumeClaim" && document.Name == "dns-web-data");
+
+        ManifestNodeExtensions.Scalar(dnsContainer, "image").Should().Be("localhost/fc-dns-web:v20260604-oidc-proper");
+        dnsPvc.Scalar("spec", "storageClassName").Should().Be("longhorn");
+        dnsPvc.Scalar("spec", "resources", "requests", "storage").Should().Be("1Gi");
+
+        var mediaDeployment = AppDocuments("fc-media")
+            .Single(document => document.Kind == "Deployment" && document.Name == "fc-media-web");
+        var mediaContainer = mediaDeployment.MainContainerMappings().Should().ContainSingle().Subject;
+        var mediaPvc = AppDocuments("fc-media")
+            .Single(document => document.Kind == "PersistentVolumeClaim" && document.Name == "fc-media-data");
+
+        ManifestNodeExtensions.Scalar(mediaContainer, "image").Should().Be("localhost/fc-media-web:v20260604-oidc-proper");
+        mediaPvc.Scalar("spec", "storageClassName").Should().Be("longhorn");
+        mediaPvc.Scalar("spec", "resources", "requests", "storage").Should().Be("20Gi");
+
+        mediaDeployment.AllScalars().Should().Contain(new[]
+        {
+            "/volume1/kubernetes/fc-media-transcodes",
+            "/volume1/kubernetes/fc-media-inbox",
+            "/volume1/video",
+        });
+
+        var distributionDeployment = AppDocuments("fc-distribution")
+            .Single(document => document.Kind == "Deployment" && document.Name == "fc-distribution");
+        var distributionContainer = distributionDeployment.MainContainerMappings().Should().ContainSingle().Subject;
+
+        ManifestNodeExtensions.Scalar(distributionContainer, "image").Should().Be("localhost/fc-distribution:v20260604-oidc-root-anon");
+    }
+
+    [Fact]
+    public void MonitoringProbes_UseHealthzForOidcGatedHosts()
+    {
+        var monitoring = File.ReadAllText(Path.Combine(Inventory.BluejayRoot, "apps", "monitoring", "noc-monitoring.yaml"));
+
+        monitoring.Should().Contain("\"https://dns.iamworkin.lan/healthz\"");
+        monitoring.Should().Contain("\"https://dist.iamworkin.lan/healthz\"");
+        monitoring.Should().Contain("\"https://media.iamworkin.lan/healthz\"");
+        monitoring.Should().NotContain("\"https://dns.iamworkin.lan/\"");
+        monitoring.Should().NotContain("\"https://dist.iamworkin.lan/\"");
+        monitoring.Should().NotContain("\"https://media.iamworkin.lan/\"");
+    }
+
+    [Fact]
+    public void DistributionPublicIngress_KeepsGetHeadMethodAllowlist()
+    {
+        var publicIngress = AppDocuments("fc-distribution")
+            .Single(document => document.Kind == "IngressRoute" && document.Name == "fc-distribution-public");
+        var route = publicIngress.MappingSequence("spec", "routes").Should().ContainSingle().Subject;
+        var match = ManifestNodeExtensions.Scalar(route, "match");
+
+        match.Should().Contain("Host(`dist.flowercore.io`)");
+        match.Should().Contain("Method(`GET`)");
+        match.Should().Contain("Method(`HEAD`)");
+        match.Should().NotContain("Method(`POST`)");
+    }
+
+    [Fact]
+    public void DnsAndMediaIngressRoutes_MatchLiveInternalHosts()
+    {
+        var dnsRoute = AppDocuments("fc-dns")
+            .Single(document => document.Kind == "IngressRoute" && document.Name == "dns-web")
+            .MappingSequence("spec", "routes")
+            .Should()
+            .ContainSingle()
+            .Subject;
+        var mediaRoute = AppDocuments("fc-media")
+            .Single(document => document.Kind == "IngressRoute" && document.Name == "fc-media-web")
+            .MappingSequence("spec", "routes")
+            .Should()
+            .ContainSingle()
+            .Subject;
+
+        ManifestNodeExtensions.Scalar(dnsRoute, "match").Should().Be("Host(`dns.iamworkin.lan`)");
+        ManifestNodeExtensions.Scalar(mediaRoute, "match").Should().Be("Host(`media.iamworkin.lan`)");
     }
 
     private static IEnumerable<string> ProbeViolations(
@@ -655,12 +1055,44 @@ public sealed class FleetManifestLintTests
             : null;
     }
 
+    private static string? EnvSecretOptional(YamlMappingNode container, string name)
+    {
+        return EnvMapping(container, name) is { } env
+            ? ManifestNodeExtensions.Scalar(env, "valueFrom", "secretKeyRef", "optional")
+            : null;
+    }
+
+    private static string? ProbePath(YamlMappingNode container, string probeKey)
+    {
+        return ManifestNodeExtensions.Scalar(container, probeKey, "httpGet", "path");
+    }
+
+    private static IReadOnlyList<ManifestDocument> AppDocuments(string app)
+    {
+        return Inventory.Documents
+            .Where(document => document.RelativePath.StartsWith($"{app}/", StringComparison.Ordinal))
+            .ToList();
+    }
+
     private static YamlMappingNode? EnvMapping(YamlMappingNode container, string name)
     {
         return ManifestNodeExtensions.MappingSequence(container, "env")
             .SingleOrDefault(env => string.Equals(ManifestNodeExtensions.Scalar(env, "name"), name, StringComparison.Ordinal));
     }
 
+    private static string? PodAnnotation(ManifestDocument document, string name)
+    {
+        return document.Scalar("spec", "template", "metadata", "annotations", name);
+    }
+
+    private static string? ProbeHttpGetPath(YamlMappingNode container, string probeKey)
+    {
+        return ManifestNodeExtensions.TryGetMapping(container, probeKey, out var probe)
+            && ManifestNodeExtensions.TryGetMapping(probe, "httpGet", out var httpGet)
+            ? ManifestNodeExtensions.Scalar(httpGet, "path")
+            : null;
+    }
+
     private static IReadOnlyList<ManifestDocument> FcDeviceManagementDocuments()
     {
         return Inventory.Documents
@@ -890,6 +1322,22 @@ internal sealed record ManifestDocument(
             .ToList();
     }
 
+    // MainContainerMappings excludes initContainers. Use this when asserting
+    // properties of the primary container (env, image, volumeMounts) where an
+    // initContainer would be a false-positive match — e.g. the GitHub runner
+    // image's `setup-runner-home` initContainer should not count toward the
+    // single-container assertions on the runner deployments.
+    public IReadOnlyList<YamlMappingNode> MainContainerMappings()
+    {
+        var podSpec = PodSpec();
+        if (podSpec is null)
+        {
+            return Array.Empty<YamlMappingNode>();
+        }
+
+        return ManifestNodeExtensions.MappingSequence(podSpec, "containers").ToList();
+    }
+
     public IReadOnlyList<ContainerSpec> ContainerSpecs()
     {
         return ContainerMappings()