fix(auth): harden public infra routes

fix(auth): mark OIDC healthz probes anonymous
fix(monitoring): probe OIDC-safe health routes
2026-06-04 13:20:16 -05:00 · 2026-06-04 11:03:20 -05:00 · 2026-06-04 06:45:34 +00:00 · 2026-06-04 06:20:09 +00:00 · 2026-06-04 01:19:16 -05:00 · 2026-06-04 06:05:15 +00:00
20 changed files with 317 additions and 33 deletions
--- a/apps/andrew/andrew.yaml
+++ b/apps/andrew/andrew.yaml
@@ -201,6 +201,8 @@ spec:
    metadata:
      labels:
        app: andrew-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -225,12 +227,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -265,7 +273,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`bluejay.dev`) || Host(`www.bluejay.dev`)
+    - match: (Host(`bluejay.dev`) || Host(`www.bluejay.dev`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: andrew-web
--- a/apps/dustin/dustin.yaml
+++ b/apps/dustin/dustin.yaml
@@ -201,6 +201,8 @@ spec:
    metadata:
      labels:
        app: dustin-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -225,12 +227,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -265,7 +273,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`timeforta.co`) || Host(`www.timeforta.co`)
+    - match: (Host(`timeforta.co`) || Host(`www.timeforta.co`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: dustin-web
--- a/apps/erik/erik.yaml
+++ b/apps/erik/erik.yaml
@@ -201,6 +201,8 @@ spec:
    metadata:
      labels:
        app: erik-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -225,12 +227,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -265,7 +273,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`erckak.dev`) || Host(`www.erckak.dev`)
+    - match: (Host(`erckak.dev`) || Host(`www.erckak.dev`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: erik-web
--- a/apps/fc-distribution/fc-distribution.yaml
+++ b/apps/fc-distribution/fc-distribution.yaml
@@ -109,6 +109,7 @@ spec:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      # Synology NFS export `/volume1/kubernetes` ACL only allows rke2-server
      # (10.0.56.11) right now. Until the ACL is widened in DSM (admin only),
@@ -126,7 +127,7 @@ spec:
          #   dotnet.exe publish -c Release -o deploy/app \
          #     src/FlowerCore.Distribution.Web/FlowerCore.Distribution.Web.csproj
          #   podman build -t localhost/fc-distribution:v<tag> -f deploy/Dockerfile.deploy deploy
-          image: localhost/fc-distribution:v202605061948
+          image: localhost/fc-distribution:v20260604-oidc-root-anon
          imagePullPolicy: Never
          ports:
            - containerPort: 8080
--- a/apps/fc-dns/fc-dns.yaml
+++ b/apps/fc-dns/fc-dns.yaml
@@ -101,6 +101,7 @@ spec:
        prometheus.io/scrape: "true"
        prometheus.io/port: "5320"
        prometheus.io/path: "/metrics/prometheus"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      serviceAccountName: dns-web
      securityContext:
--- a/apps/fc-landing/fc-landing.yaml
+++ b/apps/fc-landing/fc-landing.yaml
@@ -203,6 +203,8 @@ spec:
    metadata:
      labels:
        app: fc-landing
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -227,12 +229,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -298,7 +306,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+    - match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: fc-landing
@@ -316,7 +324,7 @@ spec:
  entryPoints:
    - web
  routes:
-    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+    - match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: fc-landing
--- a/apps/fc-media/fc-media.yaml
+++ b/apps/fc-media/fc-media.yaml
@@ -131,6 +131,7 @@ spec:
        prometheus.io/scrape: "true"
        prometheus.io/port: "5200"
        prometheus.io/path: "/metrics"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      nodeSelector:
        kubernetes.io/hostname: rke2-server
--- a/apps/fit/fit.yaml
+++ b/apps/fit/fit.yaml
@@ -201,6 +201,8 @@ spec:
    metadata:
      labels:
        app: fit-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -225,12 +227,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -265,7 +273,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)
+    - match: (Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: fit-web
--- a/apps/flowercore/flowercore.yaml
+++ b/apps/flowercore/flowercore.yaml
@@ -257,6 +257,8 @@ spec:
    metadata:
      labels:
        app: flowercore-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -281,12 +283,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
--- a/apps/gitea-public/gitea-public.yaml
+++ b/apps/gitea-public/gitea-public.yaml
@@ -11,7 +11,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`gitea.flowercore.io`)
+    - match: Host(`gitea.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      kind: Rule
      services:
        - name: gitea-http
--- a/apps/knowledge/knowledge.yaml
+++ b/apps/knowledge/knowledge.yaml
@@ -93,6 +93,7 @@ spec:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      securityContext:
        runAsNonRoot: true
@@ -123,9 +124,9 @@ spec:
              value: "Production"
            - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
              value: "false"
-            # AuthentiK/OIDC is wired but not enforced until the
-            # knowledge-oidc-client Secret is provisioned and
-            # FlowerCore__Auth__Enabled is flipped to true.
+            # AuthentiK/OIDC is enforced. /healthz stays anonymous by contract;
+            # see flowercore.io/healthz-auth-policy above and the Sprint 58
+            # OIDC readiness probe audit.
            - name: FlowerCore__Auth__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Enabled
--- a/apps/mail/mail.yaml
+++ b/apps/mail/mail.yaml
@@ -243,7 +243,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`webmail.flowercore.io`)
+    - match: Host(`webmail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      kind: Rule
      services:
        - name: mail-webmail
--- a/apps/matrix/matrix.yaml
+++ b/apps/matrix/matrix.yaml
@@ -479,7 +479,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`element.flowercore.io`)
+    - match: Host(`element.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: element-web
@@ -497,7 +497,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`matrix.flowercore.io`)
+    - match: Host(`matrix.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      kind: Rule
      services:
        - name: synapse
--- a/apps/monitoring/noc-monitoring.yaml
+++ b/apps/monitoring/noc-monitoring.yaml
@@ -481,22 +481,25 @@ data:
              - "https://intranet.iamworkin.lan/"
              - "https://signage.iamworkin.lan/healthz"   # root 401 auth-gated 2026-06-01; /healthz anon 200
              - "https://kiosk.iamworkin.lan/"
-              - "https://media.iamworkin.lan/healthz"   # root auth-gated by OIDC; /healthz anon 200
+              - "https://media.iamworkin.lan/healthz"    # root auth-gated by OIDC; /healthz anonymous 200
              - "https://mysql.iamworkin.lan/healthz"   # root 401 auth-gated 2026-06-01; /healthz anon 200
              - "https://php.iamworkin.lan/healthz"     # root 401 auth-gated 2026-06-01; /healthz anon 200
              - "https://zabbix.iamworkin.lan/"
              - "https://desktop.iamworkin.lan/"
-              - "https://print.iamworkin.lan/"
-              - "https://dns.iamworkin.lan/healthz"     # root auth-gated by OIDC; /healthz anon 200
-              - "https://chat.iamworkin.lan/"
-              - "https://dist.iamworkin.lan/healthz"    # root/admin auth-gated by OIDC; /healthz anon 200
-              - "https://dms.iamworkin.lan/"
+              - "https://print.iamworkin.lan/healthz"    # root 401 behind API key auth; /healthz anonymous 200
+              - "https://dns.iamworkin.lan/healthz"      # root auth-gated by OIDC; /healthz anonymous 200
+              - "https://chat.iamworkin.lan/healthz"     # OIDC staged; keep blackbox off root before enforcement flips
+              - "https://dist.iamworkin.lan/healthz"     # root/admin auth-gated by OIDC; /healthz anonymous 200
+              - "https://dms.iamworkin.lan/healthz"      # future OIDC posture; health route is already anonymous/live
              - "https://menuboard.iamworkin.lan/"
              - "https://messageboard.iamworkin.lan/"
              - "https://presentations.iamworkin.lan/"
              - "https://retail.iamworkin.lan/"
              - "https://ttsreader.iamworkin.lan/"
              # Explicit healthcheck paths
+              - "https://library.iamworkin.lan/health"
+              - "https://aistation.iamworkin.lan/healthz"
+              - "https://knowledge.iamworkin.lan/healthz"
              - "https://fc-llm-bridge.iamworkin.lan/healthz"
              - "https://acme.iamworkin.lan/health"
              # NOTE: services intentionally NOT in this probe surface
@@ -1020,7 +1023,12 @@ data:
      - name: kubernetes-state
        rules:
          - alert: KubeContainerRestartingFrequently
-            expr: increase(kube_pod_container_status_restarts_total[1h]) > 5
+            # Exclude github-runner: ephemeral runners register, run one job,
+            # exit cleanly, and restart by design. Also require kube_pod_info so
+            # deleted rollout pods do not keep firing from retained restart series.
+            expr: |
+              increase(kube_pod_container_status_restarts_total{namespace!="github-runner"}[1h]) > 5
+              and on(namespace, pod) kube_pod_info
            for: 15m
            labels:
              severity: warning
@@ -1029,7 +1037,12 @@ data:
              description: "Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has restarted {{ $value | printf \"%.0f\" }} times in the last hour. Check 'kubectl describe pod' + last-state termination reason."

          - alert: KubeContainerCrashLooping
-            expr: increase(kube_pod_container_status_restarts_total[15m]) > 3
+            # Same github-runner/delete-retention exclusions as the hourly
+            # restart rule above; real runner failures are covered by the
+            # dedicated LinuxRunnerOffline/MacMiniRunnerOffline alerts.
+            expr: |
+              increase(kube_pod_container_status_restarts_total{namespace!="github-runner"}[15m]) > 3
+              and on(namespace, pod) kube_pod_info
            for: 5m
            labels:
              severity: critical
@@ -1057,7 +1070,10 @@ data:
              description: "Pod can't pull image. Check the image ref (often a stale tag or unreachable registry) and clean up if it's an orphan."

          - alert: KubeDeploymentReplicasMismatch
-            expr: kube_deployment_spec_replicas != kube_deployment_status_replicas_available
+            # github-runner has explicit runner-offline alerts; the generic
+            # replica-mismatch rule should not page on intentionally ephemeral
+            # 0/1 runner churn between CI jobs.
+            expr: kube_deployment_spec_replicas{namespace!="github-runner"} != kube_deployment_status_replicas_available{namespace!="github-runner"}
            for: 15m
            labels:
              severity: warning
--- a/apps/pki-web/pki-web.yaml
+++ b/apps/pki-web/pki-web.yaml
@@ -134,6 +134,8 @@ spec:
    metadata:
      labels:
        app: pki-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -158,12 +160,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -201,6 +209,7 @@ spec:
  dnsNames:
    - pki.iamworkin.lan
 ---
+# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Traefik IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
--- a/apps/telephony/telephony.yaml
+++ b/apps/telephony/telephony.yaml
@@ -207,12 +207,18 @@ spec:
            httpGet:
              path: /health
              port: 5100
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: 5100
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 10
            periodSeconds: 5
      volumes:
@@ -256,12 +262,12 @@ spec:
    - websecure
  routes:
    - kind: Rule
-      match: Host(`telephony.flowercore.io`)
+      match: Host(`telephony.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      services:
        - name: telephony-web
          port: 5100
    - kind: Rule
-      match: Host(`telephony.iamwork.in`)
+      match: Host(`telephony.iamwork.in`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      services:
        - name: telephony-web
          port: 5100
--- a/apps/traefik-dashboard/traefik-dashboard.yaml
+++ b/apps/traefik-dashboard/traefik-dashboard.yaml
@@ -20,10 +20,11 @@ metadata:
 spec:
  basicAuth:
    secret: traefik-dashboard-auth
---
-# Dashboard IngressRoute
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+---
+# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
+# Dashboard IngressRoute
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
 metadata:
  name: traefik-dashboard
  namespace: traefik-system
--- a/apps/voice/voice.yaml
+++ b/apps/voice/voice.yaml
@@ -66,7 +66,7 @@ spec:
    - websecure
  routes:
    - kind: Rule
-      match: Host(`voice.bluejay.dev`)
+      match: Host(`voice.bluejay.dev`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      services:
        - name: voice-bridge
          port: 8766
@@ -84,7 +84,7 @@ spec:
    - websecure
  routes:
    - kind: Rule
-      match: Host(`voice-ws.bluejay.dev`)
+      match: Host(`voice-ws.bluejay.dev`) && (Method(`GET`) || Method(`HEAD`))
      services:
        - name: voice-bridge
          port: 8765
--- a/apps/zabbix/zabbix.yaml
+++ b/apps/zabbix/zabbix.yaml
@@ -344,6 +344,7 @@ spec:
  dnsNames:
    - zabbix.iamworkin.lan
 ---
+# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Traefik IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -13,8 +13,20 @@ public sealed class FleetManifestLintTests

    private static readonly HashSet<string> PublicReadOnlyHosts = new(StringComparer.Ordinal)
    {
+        "bluejay.dev",
        "brochure.flowercore.io",
        "dist.flowercore.io",
+        "element.flowercore.io",
+        "erckak.dev",
+        "flowercore.io",
+        "flowerinsider.xyz",
+        "timeforta.co",
+        "voice-ws.bluejay.dev",
+        "www.bluejay.dev",
+        "www.erckak.dev",
+        "www.flowercore.io",
+        "www.flowerinsider.xyz",
+        "www.timeforta.co",
    };

    // Public hosts that allow a tightly bounded write surface in addition to
@@ -28,10 +40,40 @@ public sealed class FleetManifestLintTests
    // same bounded read-write allowlist as the LAN pair.
    private static readonly HashSet<string> PublicReadWriteAllowlistHosts = new(StringComparer.Ordinal)
    {
+        "chat.flowercore.io",
+        "gitea.flowercore.io",
+        "matrix.flowercore.io",
+        "telephony.flowercore.io",
+        "telephony.iamwork.in",
        "updatecenter.iamworkin.lan",
        "updates.iamworkin.lan",
        "update.flowercore.io",
        "updates.flowercore.io",
+        "voice.bluejay.dev",
+        "webmail.flowercore.io",
+    };
+
+    private static readonly IReadOnlyDictionary<string, string> InfraHealthzProbeDeployments = new Dictionary<string, string>(StringComparer.Ordinal)
+    {
+        ["andrew"] = "andrew-web",
+        ["dustin"] = "dustin-web",
+        ["erik"] = "erik-web",
+        ["fc-landing"] = "fc-landing",
+        ["fit"] = "fit-web",
+        ["flowercore"] = "flowercore-web",
+        ["pki-web"] = "pki-web",
+    };
+
+    private static readonly IReadOnlyDictionary<string, string> InfraForwardedProtoProbeDeployments = new Dictionary<string, string>(StringComparer.Ordinal)
+    {
+        ["andrew"] = "andrew-web",
+        ["dustin"] = "dustin-web",
+        ["erik"] = "erik-web",
+        ["fc-landing"] = "fc-landing",
+        ["fit"] = "fit-web",
+        ["flowercore"] = "flowercore-web",
+        ["pki-web"] = "pki-web",
+        ["telephony"] = "telephony-web",
    };

    private static readonly HashSet<string> ApiKeyProtectedDeployments = new(StringComparer.Ordinal)
@@ -131,8 +173,13 @@ public sealed class FleetManifestLintTests
                    }))
            .Where(entry => PublicReadOnlyHosts.Any(host => entry.Match.Contains($"Host(`{host}`)", StringComparison.Ordinal)))
            .Where(entry => !entry.Match.Contains("Method(`GET`)", StringComparison.Ordinal)
-                || !entry.Match.Contains("Method(`HEAD`)", StringComparison.Ordinal))
-            .Select(entry => $"{entry.Document.Descriptor} is missing an explicit GET/HEAD method allowlist.")
+                || !entry.Match.Contains("Method(`HEAD`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`POST`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`PUT`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`PATCH`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`DELETE`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`OPTIONS`)", StringComparison.Ordinal))
+            .Select(entry => $"{entry.Document.Descriptor} must explicitly allow GET/HEAD only on a public read-only host.")
            .ToList();

        violations.Should().BeEmpty();
@@ -423,6 +470,125 @@ public sealed class FleetManifestLintTests
        monitoring.Should().Contain("alert_channel: irc");
    }

+    [Fact]
+    public void Monitoring_GenericKubernetesAlerts_MustExcludeEphemeralGithubRunnerNamespace()
+    {
+        var monitoring = File.ReadAllText(Path.Combine(Inventory.BluejayRoot, "apps", "monitoring", "noc-monitoring.yaml"));
+
+        monitoring.Should().Contain("kube_pod_container_status_restarts_total{namespace!=\"github-runner\"}");
+        monitoring.Should().Contain("and on(namespace, pod) kube_pod_info");
+        monitoring.Should().Contain("kube_deployment_spec_replicas{namespace!=\"github-runner\"} != kube_deployment_status_replicas_available{namespace!=\"github-runner\"}");
+        monitoring.Should().Contain("dedicated LinuxRunnerOffline/MacMiniRunnerOffline alerts");
+    }
+
+    [Fact]
+    public void Monitoring_BlackboxTargetsForOidcSensitiveServices_MustUseAnonymousHealthRoutesWhenAvailable()
+    {
+        var monitoring = File.ReadAllText(Path.Combine(Inventory.BluejayRoot, "apps", "monitoring", "noc-monitoring.yaml"));
+
+        monitoring.Should().Contain("https://chat.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://dist.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://dms.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://print.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://knowledge.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://library.iamworkin.lan/health");
+        monitoring.Should().Contain("https://aistation.iamworkin.lan/healthz");
+        monitoring.Should().NotContain("https://print.iamworkin.lan/\"");
+    }
+
+    [Fact]
+    public void OidcEnforcedDeployments_WithHttpHealthzProbes_MustDeclareAnonymousHealthzContract()
+    {
+        var violations = Inventory.Documents
+            .Where(document => document.Kind == "Deployment")
+            .SelectMany(document => document.MainContainerMappings()
+                .Where(container => string.Equals(EnvValue(container, "FlowerCore__Auth__Enabled"), "true", StringComparison.OrdinalIgnoreCase))
+                .Where(container => string.Equals(EnvValue(container, "FlowerCore__Auth__Oidc__Enabled"), "true", StringComparison.OrdinalIgnoreCase))
+                .Where(container => ProbeHttpGetPath(container, "readinessProbe") == "/healthz"
+                    || ProbeHttpGetPath(container, "startupProbe") == "/healthz")
+                .Where(_ => !string.Equals(
+                    PodAnnotation(document, "flowercore.io/healthz-auth-policy"),
+                    "allow-anonymous",
+                    StringComparison.Ordinal))
+                .Select(container =>
+                {
+                    var containerName = ManifestNodeExtensions.Scalar(container, "name") ?? "<unnamed>";
+                    return $"{document.Descriptor} container '{containerName}' enforces OIDC while probing /healthz but lacks flowercore.io/healthz-auth-policy: allow-anonymous.";
+                }))
+            .ToList();
+
+        violations.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void AuthSafeInfraHealthzProbes_MustDeclareAnonymousHealthzContract()
+    {
+        var violations = InfraHealthzProbeDeployments.SelectMany(expected =>
+        {
+            var deployment = AppDocuments(expected.Key)
+                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value);
+            var hasHealthzProbe = deployment.MainContainerMappings()
+                .Any(container => ProbeHttpGetPath(container, "readinessProbe") == "/healthz"
+                    || ProbeHttpGetPath(container, "startupProbe") == "/healthz"
+                    || ProbeHttpGetPath(container, "livenessProbe") == "/healthz");
+
+            return hasHealthzProbe
+                && !string.Equals(PodAnnotation(deployment, "flowercore.io/healthz-auth-policy"), "allow-anonymous", StringComparison.Ordinal)
+                    ? new[] { $"{deployment.Descriptor} probes /healthz but lacks flowercore.io/healthz-auth-policy: allow-anonymous." }
+                    : Array.Empty<string>();
+        }).ToList();
+
+        violations.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void AuthSafeInfraHttpProbes_MustSendForwardedProtoHttpsHeader()
+    {
+        var violations = InfraForwardedProtoProbeDeployments.SelectMany(expected =>
+        {
+            var deployment = AppDocuments(expected.Key)
+                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value);
+
+            return deployment.MainContainerMappings()
+                .SelectMany(container => new[] { "startupProbe", "readinessProbe", "livenessProbe" }
+                    .Where(probeKey => ProbeHttpGetPath(container, probeKey) is "/healthz" or "/health")
+                    .Where(probeKey => !string.Equals(ProbeHttpGetHeaderValue(container, probeKey, "X-Forwarded-Proto"), "https", StringComparison.Ordinal))
+                    .Select(probeKey =>
+                    {
+                        var containerName = ManifestNodeExtensions.Scalar(container, "name") ?? "<unnamed>";
+                        return $"{deployment.Descriptor} container '{containerName}' {probeKey} is missing X-Forwarded-Proto=https.";
+                    }));
+        }).ToList();
+
+        violations.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void Knowledge_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
+    {
+        var knowledge = Inventory.Documents
+            .Single(document => document.Kind == "Deployment" && document.Namespace == "knowledge" && document.Name == "knowledge-web");
+        var container = knowledge.MainContainerMappings().Should().ContainSingle().Subject;
+
+        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
+        EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
+        ProbeHttpGetPath(container, "readinessProbe").Should().Be("/healthz");
+        PodAnnotation(knowledge, "flowercore.io/healthz-auth-policy").Should().Be("allow-anonymous");
+    }
+
+    [Fact]
+    public void Distribution_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
+    {
+        var distribution = Inventory.Documents
+            .Single(document => document.Kind == "Deployment" && document.Namespace == "fc-distribution" && document.Name == "fc-distribution");
+        var container = distribution.MainContainerMappings().Should().ContainSingle().Subject;
+
+        EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
+        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
+        ProbeHttpGetPath(container, "readinessProbe").Should().Be("/healthz");
+        PodAnnotation(distribution, "flowercore.io/healthz-auth-policy").Should().Be("allow-anonymous");
+    }
+
    [Fact]
    public void StatefulSets_WithVolumeClaimTemplates_MustDeclareFilesystemDefaults()
    {
@@ -790,6 +956,12 @@ public sealed class FleetManifestLintTests
            "/volume1/kubernetes/fc-media-inbox",
            "/volume1/video",
        });
+
+        var distributionDeployment = AppDocuments("fc-distribution")
+            .Single(document => document.Kind == "Deployment" && document.Name == "fc-distribution");
+        var distributionContainer = distributionDeployment.MainContainerMappings().Should().ContainSingle().Subject;
+
+        ManifestNodeExtensions.Scalar(distributionContainer, "image").Should().Be("localhost/fc-distribution:v20260604-oidc-root-anon");
    }

    [Fact]
@@ -920,6 +1092,33 @@ public sealed class FleetManifestLintTests
            .SingleOrDefault(env => string.Equals(ManifestNodeExtensions.Scalar(env, "name"), name, StringComparison.Ordinal));
    }

+    private static string? PodAnnotation(ManifestDocument document, string name)
+    {
+        return document.Scalar("spec", "template", "metadata", "annotations", name);
+    }
+
+    private static string? ProbeHttpGetPath(YamlMappingNode container, string probeKey)
+    {
+        return ManifestNodeExtensions.TryGetMapping(container, probeKey, out var probe)
+            && ManifestNodeExtensions.TryGetMapping(probe, "httpGet", out var httpGet)
+            ? ManifestNodeExtensions.Scalar(httpGet, "path")
+            : null;
+    }
+
+    private static string? ProbeHttpGetHeaderValue(YamlMappingNode container, string probeKey, string name)
+    {
+        if (!ManifestNodeExtensions.TryGetMapping(container, probeKey, out var probe)
+            || !ManifestNodeExtensions.TryGetMapping(probe, "httpGet", out var httpGet))
+        {
+            return null;
+        }
+
+        return ManifestNodeExtensions.MappingSequence(httpGet, "httpHeaders")
+            .Where(header => string.Equals(ManifestNodeExtensions.Scalar(header, "name"), name, StringComparison.Ordinal))
+            .Select(header => ManifestNodeExtensions.Scalar(header, "value"))
+            .SingleOrDefault();
+    }
+
    private static IReadOnlyList<ManifestDocument> FcDeviceManagementDocuments()
    {
        return Inventory.Documents
Author	SHA1	Message	Date
Andrew Stoltz	90599b0413	fix(auth): harden public infra routes	2026-06-04 13:20:16 -05:00
Andrew Stoltz	81a3ddac4c	fix(auth): mark OIDC healthz probes anonymous	2026-06-04 11:03:20 -05:00
bluejay	300f8ad546	fix(monitoring): probe OIDC-safe health routes Sprint 58 Cx-12. Rebased over OIDC GitOps main; YAML parse and focused bluejay-infra lint tests passed.	2026-06-04 06:45:34 +00:00
bluejay	fe38c2641f	Merge pull request 'fix(auth): deploy distribution root anonymous image' (#38 ) from codex/s58-distribution-root-anon-gitops into main	2026-06-04 06:20:09 +00:00
Andrew Stoltz	3b40dfb185	fix(auth): deploy distribution root anonymous image	2026-06-04 01:19:16 -05:00
bluejay	103878671c	Merge pull request 'fix(auth): deploy Distribution OIDC image tag' (#37 ) from codex/s58-oidc-proper into main	2026-06-04 06:05:15 +00:00
Andrew Stoltz	36039c1335	fix(auth): deploy distribution oidc image tag	2026-06-04 01:04:44 -05:00
bluejay	2a66109f13	Merge pull request 'feat(auth): adopt OIDC GitOps for DNS Distribution Media' (#36 ) from codex/s58-oidc-proper into main	2026-06-04 05:52:56 +00:00