Deploy Chat regroup CH-3 image

NetworkPolicy matches the destination POD port. dms-web svc:80 -> containerPort
8080, so the egress must allow 8080 (the fc-chat rule already allows 80+8080,
which is why chat worked and dms timed out). Add 8080 to the fc-dms egress.

apps/agent-zero/agent-zero.yaml

@@ -139,6 +139,20 @@ metadata:
 spec:
   itemPath: "vaults/IAmWorkin/items/FlowerCore Knowledge MCP Tokens"
 
+---
+# FlowerCore DMS Manager MCP key (product-manager fan-out). Synced from the
+# 1Password "FlowerCore DMS MCP Keys" item (field `credential`) into Secret
+# `dms-mcp-keys`; the deployment reads it as DMS_MCP_API_KEY for the fc_dms
+# MCP server. presentations/messageboard/segmentdisplay/telephony 1P MCP-key
+# items also exist and follow this same pattern when added.
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: dms-mcp-keys
+  namespace: agent-zero
+spec:
+  itemPath: "vaults/IAmWorkin/items/FlowerCore DMS MCP Keys"
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -248,7 +262,7 @@ spec:
               # use the bridge's Ollama-compatible root via OLLAMA_HOST.
               mkdir -p /a0/usr/plugins/_model_config
               cat > /a0/usr/plugins/_model_config/config.json << 'MODELCFG'
-              {"allow_chat_override":true,"chat_model":{"provider":"openai","name":"fc:balanced","api_base":"http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1","ctx_length":8192,"ctx_history":0.7,"vision":false,"kwargs":{"temperature":0,"num_ctx":8192}},"utility_model":{"provider":"openai","name":"fc:cheap","api_base":"http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1","ctx_length":8192,"ctx_input":0.7,"kwargs":{"num_ctx":8192}},"embedding_model":{"provider":"openai","name":"openai/fc:embedding","api_base":"http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1","kwargs":{}}}
+              {"allow_chat_override":true,"chat_model":{"provider":"openai","name":"fc:balanced","api_base":"http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1","ctx_length":32768,"ctx_history":0.7,"vision":false,"kwargs":{"temperature":0,"num_ctx":32768}},"utility_model":{"provider":"openai","name":"fc:cheap","api_base":"http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1","ctx_length":8192,"ctx_input":0.7,"kwargs":{"num_ctx":8192}},"embedding_model":{"provider":"openai","name":"openai/fc:embedding","api_base":"http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1","kwargs":{}}}
               MODELCFG
               # Strip heredoc indentation
               sed -i 's/^              //' /a0/usr/plugins/_model_config/config.json
@@ -276,7 +290,7 @@ spec:
               fi
 
               export A0_SET_mcp_servers="$(
-                python3 -c 'import json, os; servers = {}; chat_key = os.getenv("CHAT_MCP_API_KEY"); knowledge_enabled = os.getenv("KNOWLEDGE_MCP_ENABLED", "false").lower() == "true"; token = os.getenv("KNOWLEDGE_MCP_BEARER_TOKEN", "") if knowledge_enabled else ""; chat_key and servers.setdefault("fc_chat", {"type": "streamable-http", "url": "http://chat-web.fc-chat.svc/mcp", "headers": {"X-Api-Key": chat_key}}); token and servers.setdefault("fc_knowledge", {"type": "streamable-http", "url": os.getenv("KNOWLEDGE_MCP_URL", "http://knowledge-web.knowledge.svc/mcp"), "headers": {"Authorization": f"Bearer {token}"}}); print(json.dumps({"mcpServers": servers}, separators=(",", ":")))'
+                python3 -c 'import json, os; servers = {}; chat_key = os.getenv("CHAT_MCP_API_KEY"); knowledge_enabled = os.getenv("KNOWLEDGE_MCP_ENABLED", "false").lower() == "true"; token = os.getenv("KNOWLEDGE_MCP_BEARER_TOKEN", "") if knowledge_enabled else ""; chat_key and servers.setdefault("fc_chat", {"type": "streamable-http", "url": "http://chat-web.fc-chat.svc/mcp", "headers": {"X-Api-Key": chat_key}}); token and servers.setdefault("fc_knowledge", {"type": "streamable-http", "url": os.getenv("KNOWLEDGE_MCP_URL", "http://knowledge-web.knowledge.svc/mcp"), "headers": {"Authorization": f"Bearer {token}"}}); dms_key = os.getenv("DMS_MCP_API_KEY"); dms_key and servers.setdefault("fc_dms", {"type": "streamable-http", "url": os.getenv("DMS_MCP_URL", "http://dms-web.fc-dms.svc/mcp"), "headers": {"X-Api-Key": dms_key}}); print(json.dumps({"mcpServers": servers}, separators=(",", ":")))'
               )"
               # Run the original entrypoint
               exec /exe/initialize.sh $BRANCH
@@ -285,7 +299,7 @@ spec:
           env:
             # Agent identity
             - name: AGENT_NAME
-              value: "Blue Jay (NUC)"
+              value: "Blue Jay"
             # Chat model — routed through FlowerCore LLM Bridge (ADR-088)
             # so spend is tracked and tier aliases (fc:cheap/fc:balanced/fc:deep)
             # dispatch to Ollama or Anthropic via a single OpenAI-compat endpoint.
@@ -344,7 +358,7 @@ spec:
             - name: A0_SET_browser_model_provider
               value: "ollama"
             - name: A0_SET_browser_model_name
-              value: "gemma3:4b"
+              value: "qwen2.5:7b"
             - name: A0_SET_browser_model_api_base
               value: "http://fc-llm-bridge.fc-llm-bridge.svc:8080"
             - name: A0_SET_browser_model_api_key
@@ -353,7 +367,7 @@ spec:
                   name: fc-llm-bridge-api-keys
                   key: agent-zero-k8s
             - name: A0_SET_browser_model_vision
-              value: "true"
+              value: "false"
             - name: OLLAMA_HOST
               value: "http://fc-llm-bridge.fc-llm-bridge.svc:8080"
             - name: FLOWERCORE_AGENTZERO_OLLAMA_URL
@@ -393,6 +407,20 @@ spec:
                 secretKeyRef:
                   name: knowledge-mcp-tokens
                   key: password
+            # FlowerCore DMS Manager MCP (dynamic message signs) — first of the
+            # product-manager MCP fan-out. dms-web /mcp requires X-Api-Key; the key
+            # is synced from 1Password "FlowerCore DMS MCP Keys" (field credential)
+            # by the dms-mcp-keys OnePasswordItem CRD above. Same builder+env+netpol
+            # pattern extends to presentations/messageboard/segmentdisplay/telephony
+            # (all have 1P MCP-key items). MySQL + Signage still need 1P MCP items
+            # provisioned before they can join (mysql-web /mcp 401s with no key today).
+            - name: DMS_MCP_URL
+              value: "http://dms-web.fc-dms.svc/mcp"
+            - name: DMS_MCP_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: dms-mcp-keys
+                  key: credential
             # Print.Web — Thermal printer service on edge2.
             # PRINT_WEB_URL: internal HTTP (bypasses Traefik TLS — print_web.py
             # runs in-cluster and can reach edge2 directly on the PROD VLAN).
@@ -637,6 +665,19 @@ spec:
       ports:
         - port: 5300
           protocol: TCP
+    # FlowerCore DMS Manager MCP (product-manager fan-out) — in-cluster
+    # dms-web. NetworkPolicy matches the destination POD port: dms-web svc:80
+    # targets containerPort 8080, so the egress MUST allow 8080 (not the svc
+    # port 80) — same as the fc-chat rule. Allow both for parity.
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: fc-dms
+      ports:
+        - port: 80
+          protocol: TCP
+        - port: 8080
+          protocol: TCP
     # Allow internet (for kubectl image pull, etc)
     - to:
         - ipBlock:

apps/fc-chat/fc-chat.yaml

@@ -34,10 +34,10 @@ data:
   # proved Chat pods time out reaching 10.0.56.20:11434. Keep generation and
   # behavior-rule checks on the cluster-routable edge1 endpoint until that route
   # is fixed; choose models that edge1 actually hosts.
-  FlowerCore__AI__OllamaBaseUrl: "http://10.0.57.17:11434"
-  FlowerCore__AI__DefaultModelName: "qwen2.5-coder:7b"
-  ChatOptions__BehaviorRuleEngine__OllamaBaseUrl: "http://10.0.57.17:11434"
-  ChatOptions__BehaviorRuleEngine__FallbackOllamaBaseUrl: "http://10.0.57.17:11434"
+  FlowerCore__AI__OllamaBaseUrl: "http://10.0.57.201:11434"
+  FlowerCore__AI__DefaultModelName: "gemma3:12b"
+  ChatOptions__BehaviorRuleEngine__OllamaBaseUrl: "http://10.0.57.201:11434"
+  ChatOptions__BehaviorRuleEngine__FallbackOllamaBaseUrl: "http://10.0.57.201:11434"
   ChatOptions__BehaviorRuleEngine__ModelName: "gemma3:4b"
   FlowerCore__AI__Memory__UseSharedIndexingAdapter: "true"
   FlowerCore__AI__Memory__UseOllamaEmbeddings: "true"
@@ -123,7 +123,7 @@ spec:
         fsGroupChangePolicy: OnRootMismatch
       containers:
         - name: chat-web
-          image: localhost/fc-chat-web:v20260614-wave5-sentiment-685f62c
+          image: localhost/fc-chat-web:v20260614-regroup-ch3-0479a31
           imagePullPolicy: Never
           ports:
             - name: http

apps/fc-devicemgmt/ADMIN-CONSOLE-INFRA.md

@@ -0,0 +1,70 @@
+# Admin / Helpdesk Console — Infra Finding (Cl-5, ADR-204)
+
+**Outcome: ZERO new cluster infra required.** The Admin/helpdesk console rides the
+existing `FlowerCore.DeviceManagement.Web` deploy as routes inside DM.Web (ADR-204).
+The ingress already in this directory covers every path the admin console serves.
+
+## What already exists for DM.Web (this directory)
+
+| Manifest | Resource | Notes |
+|----------|----------|-------|
+| `certificate-web.yaml` | cert-manager `Certificate` `fc-devicemgmt-web-tls` | `issuerRef` → `step-ca-acme` `ClusterIssuer`; `dnsNames: [devices.iamworkin.lan]`; `secretName: fc-devicemgmt-web-tls`. DNS preflight gate documented (pfSense A record `devices.iamworkin.lan → 10.0.56.200` required before ACME sync). |
+| `ingressroute-web.yaml` | Traefik `IngressRoute` `fc-devicemgmt-web` | `entryPoints: [websecure]`, `match: Host(\`devices.iamworkin.lan\`)`, service `fc-devicemgmt-web:80`, `tls.secretName: fc-devicemgmt-web-tls`. |
+| `service-web.yaml` | `Service` `fc-devicemgmt-web` (ClusterIP, 80→8080) | Owned by the DM.Web deploy. |
+| `deployment-web.yaml` | `Deployment` `fc-devicemgmt-web` | Currently `replicas: 0` (gated on fc-mysql operator + `flowercore_devicemgmt` DB + 1Password runtime item — see header comment). Not a Cl-5 concern. |
+| also present | operator RBAC, namespace, network-policy, 1password-item | Full app dir, ArgoCD-managed. |
+
+## Why the admin console needs nothing new
+
+The existing IngressRoute matches **`Host(\`devices.iamworkin.lan\`)` with no `PathPrefix`
+constraint**. Traefik therefore forwards *all* paths on that host to the
+`fc-devicemgmt-web` service — including any admin/helpdesk routes the DM.Web app exposes
+under its `FlowerCore:PathBase` (e.g. `/admin`, `/helpdesk`). The same TLS secret
+(`fc-devicemgmt-web-tls`) and the same step-ca ACME `Certificate` already protect them.
+
+This matches the established TLS-only-app pattern (e.g. `apps/fc-library/fc-library.yaml`,
+`apps/fc-retail/fc-retail.yaml`): `Certificate` (issuerRef `step-ca-acme` ClusterIssuer) +
+host-matched `IngressRoute` sharing the `secretName`. Per ADR-204 the admin console's
+Deployment/Service stay with the DM.Web deploy — no separate workload is created.
+
+ArgoCD repo URL convention (for reference, not changed here):
+`http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git`
+(internal HTTP — step-ca cert isn't trusted by ArgoCD). Apps in `apps/*` are picked up by
+the `bluejay-infra` ApplicationSet directory generator; this dir has no `kustomization.yaml`,
+consistent with that pattern.
+
+## Recommendation
+
+**Ride DM.Web at a PathBase path → no new Certificate, no new IngressRoute, no new
+Deployment/Service.** Close the lane. The admin console reaches users at
+`https://devices.iamworkin.lan/<PathBase>` through the manifests already in this directory.
+
+## Open question (operator decision — NOT actioned)
+
+**Q-MP-ADMIN-HOST — Distinct admin hostname vs PathBase path under DM.Web?**
+If the operator ever wants the admin/helpdesk console on its *own* hostname
+(e.g. `admin.iamworkin.lan`) rather than a path under `devices.iamworkin.lan`, that is a
+deliberate routing/auth-surface choice, not a mechanical infra add. It would require:
+
+1. a pfSense / FlowerCore.DNS A record `admin.iamworkin.lan → 10.0.56.200` (ACME preflight
+   gate — step-ca HTTP-01 can't see the CoreDNS wildcard);
+2. a second cert-manager `Certificate` (`step-ca-acme` ClusterIssuer, `dnsNames:
+   [admin.iamworkin.lan]`, own `secretName`);
+3. a second host-matched `IngressRoute` → the same `fc-devicemgmt-web:80` service
+   (still no new Deployment/Service — same app behind a second host).
+
+**Default taken (do not block): PathBase path under DM.Web = zero new infra.** A separate
+admin hostname is left UNBUILT pending an explicit operator answer to Q-MP-ADMIN-HOST,
+because it changes the public/auth surface and conflicts with the ADR-204 "routes inside
+DM.Web" intent. If the answer is "separate host," author only the `Certificate` +
+`IngressRoute` above (no Deployment/Service), mirroring `apps/fc-library/fc-library.yaml`.
+
+## Verification
+
+- `kubectl apply --dry-run=client` (kubectl v1.34.2, no live cluster): `ingressroute-web.yaml`,
+  `service-web.yaml`, `deployment-web.yaml` validated clean. `certificate-web.yaml` returned
+  "no matches for kind Certificate in cert-manager.io/v1" — expected with no cluster
+  connection (CRD discovery unavailable client-side); the YAML shape is identical to the
+  proven `fc-library` Certificate. Server-side dry-run + live host resolution =
+  **fix-forward** (cluster may be unreachable from this lane).
+- No manifest authored or changed by this lane — finding note only.

apps/fc-devicemgmt/deployment-web.yaml

@@ -83,7 +83,7 @@ spec:
         fsGroupChangePolicy: OnRootMismatch
       containers:
         - name: web
-          image: localhost/fc-devicemgmt-web:v20260613-g3-6555c0d
+          image: localhost/fc-devicemgmt-web:v20260614-regroup-c5b8f82
           imagePullPolicy: Never
           ports:
             - name: http

apps/fc-library/fc-library.yaml

@@ -60,7 +60,7 @@ spec:
         - envFrom:
             - configMapRef:
                 name: library-web-config
-          image: localhost/fc-library-web:v20260602-library-owned-deploy-fix1
+          image: localhost/fc-library-web:v20260614-regroup-f20adc1
           imagePullPolicy: Never
           livenessProbe:
             failureThreshold: 3

apps/fc-llm-bridge/fc-llm-bridge.yaml

@@ -164,11 +164,33 @@ spec:
                   name: fc-llm-bridge-api-keys
                   key: spare-2
                   optional: true
-            # Shared.Chat — Ollama (edge1 Pi 5 + AI HAT+, matches bridge default)
+            # Shared.Chat — GX10 Ollama via the INFRA-VLAN NodePort (10.0.56.14:30976),
+            # NOT the PROD-VLAN MetalLB VIP (10.0.57.201:11434). The cross-VLAN path to
+            # the VIP MTU-black-holes LARGE requests: Agent Zero's full prompt (458-line
+            # system prompt + 108 MCP tool descriptions ~150KB) times out / resets mid-
+            # stream there ("Connection reset by peer" in OllamaClient.ChatStreamAsync),
+            # which made AZ loop on "you have sent the same message again". The NodePort is
+            # same-VLAN as the old cluster (no inter-VLAN hop) and carries 150KB fine.
+            # (Small chat/embed requests still work on the VIP; only big agentic prompts broke.)
             - name: FlowerCore__Chat__OllamaBaseUrl
-              value: "http://10.0.57.17:11434"
+              value: "http://10.0.56.14:30976"
             - name: FlowerCore__Chat__HttpTimeout
               value: "00:05:00"
+            # Tier routing override (Wiring A, 2026-06-14): repoint Agent Zero's
+            # chat (Balanced) + util (Cheap) tiers to the GX10's tool-capable
+            # local qwen2.5. Balanced was Anthropic Sonnet (cloud/cost, and the
+            # Anthropic key is currently 401); Cheap was gemma3:4b which CANNOT
+            # call tools (400 does not support tools) — fatal for an agentic loop.
+            # qwen2.5 instruct supports the tool-calling loop; GX10 has the memory.
+            # OllamaBaseUrl above points at the GX10 NodePort (10.0.56.14:30976).
+            - name: FlowerCore__Chat__ModelRouter__DefaultRoutes__Balanced__Provider
+              value: "Ollama"
+            - name: FlowerCore__Chat__ModelRouter__DefaultRoutes__Balanced__Model
+              value: "qwen2.5:14b"
+            - name: FlowerCore__Chat__ModelRouter__DefaultRoutes__Cheap__Provider
+              value: "Ollama"
+            - name: FlowerCore__Chat__ModelRouter__DefaultRoutes__Cheap__Model
+              value: "qwen2.5:7b"
             # Shared.Chat — Anthropic
             - name: FlowerCore__Chat__Anthropic__Enabled
               value: "true"

apps/fc-retail/fc-retail.yaml

@@ -61,7 +61,7 @@ spec:
         - envFrom:
             - configMapRef:
                 name: retail-web-config
-          image: localhost/fc-retail-web:v20260602-retail-owned-deploy-fix5
+          image: localhost/fc-retail-web:v20260614-regroup-6d81424
           imagePullPolicy: Never
           livenessProbe:
             failureThreshold: 3

apps/fc-ttsreader/fc-ttsreader.yaml

@@ -605,7 +605,7 @@ spec:
             - name: TtsReader__Transcription__TimeoutSeconds
               value: "300"
             - name: TtsReader__Ollama__BaseUrl
-              value: "http://10.0.57.17:11434"
+              value: "http://10.0.57.201:11434"
             - name: TtsReader__Ollama__DefaultModel
               value: "gemma3:4b"
             - name: TtsReader__Ollama__TimeoutSeconds

apps/fc-updater/fc-updater.yaml

@@ -61,7 +61,7 @@ spec:
       nodeName: rke2-server
       containers:
         - name: web
-          image: localhost/fc-updater-web:v202605310029-7974fc4
+          image: localhost/fc-updater-web:v20260614-regroup-bdf4a4a
           imagePullPolicy: Never
           ports:
             - containerPort: 8080

apps/intranet/intranet.yaml

@@ -92,7 +92,7 @@ spec:
             # down. Bulk embed runs in the background; /health does not depend on it.
             # Memory: feedback_pi5_nomic_embed_slow.
             - name: IntranetSearch__OllamaBaseUrl
-              value: "http://10.0.56.132:11434"
+              value: "http://10.0.57.201:11434"
             # Notes docs corpus IS now mounted at /srv/flowercore-notes (see the
             # notes-corpus-clone initContainer + notes-corpus-sync sidecar), so the
             # IntranetSearch indexer is ENABLED. First-boot bulk embed of the corpus

apps/knowledge/knowledge.yaml

@@ -168,7 +168,7 @@ spec:
             # need a separate ingestion lane that can opt into the
             # workstation GPU when present.
             - name: FlowerCore__Ollama__BaseUrl
-              value: "http://10.0.57.17:11434"
+              value: "http://10.0.57.201:11434"
             - name: FlowerCore__Mcp__ApiKey__Key
               valueFrom:
                 secretKeyRef:

apps/telephony/telephony.yaml

@@ -1,7 +1,8 @@
 # FlowerCore.Telephony - Blazor Server + REST API + Twilio IVR
 # ArgoCD managed - BlueJay Lab
 # Credentials: 1Password → OnePasswordItem CRD → K8s Secret (twilio-credentials)
-# TTS: Piper on edge1 (10.0.57.17:8500) — endpoint /tts with {"text":"..."}
+# TTS: Piper on GX10 (10.0.56.14:30850, en_US-amy-medium) — endpoint /tts with {"text":"..."}
+#      edge1 (10.0.57.17:8500, amy-low) kept as warm fallback (revert PiperUrl to roll back)
 # Public: telephony.flowercore.io via Cloudflare origin cert
 ---
 apiVersion: v1
@@ -62,7 +63,8 @@ data:
         "Password": "bluejay-asterisk-ari",
         "Application": "flowercore-pbx",
         "ReconnectDelaySeconds": 5,
-        "MaxReconnectDelaySeconds": 60
+        "MaxReconnectDelaySeconds": 60,
+        "WebSocketKeepAliveIntervalSeconds": 30
       },
       "Sip": {
         "Domain": "10.0.56.207",
@@ -70,7 +72,7 @@ data:
         "Transport": "udp"
       },
       "Tts": {
-        "PiperUrl": "http://10.0.57.17:8500",
+        "PiperUrl": "http://10.0.56.14:30850",
         "DefaultEngine": "piper",
         "SampleRate": 8000
       },
@@ -114,9 +116,9 @@ spec:
       app: telephony-web
   template:
     metadata:
-      annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/health"
+      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/health"
       labels:
         app: telephony-web
     spec:
@@ -154,7 +156,7 @@ spec:
               topologyKey: kubernetes.io/hostname
       containers:
         - name: telephony-web
-          image: localhost/fc-telephony-web:v202604252156
+          image: localhost/fc-telephony-web:v20260614-arifix
           imagePullPolicy: Never
           securityContext:
             readOnlyRootFilesystem: true
@@ -164,7 +166,7 @@ spec:
           ports:
             - containerPort: 5100
               name: http
-          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: Telephony__Twilio__AccountSid
               valueFrom:
@@ -184,6 +186,16 @@ spec:
                   name: twilio-credentials
                   key: DefaultFromNumber
                   optional: true
+            # Env vars OVERRIDE appsettings.Production.json in ASP.NET Core config.
+            # These were previously applied live-only (kubectl) and drifted from git;
+            # codified here so git is the source of truth. Tts__PiperUrl is the real
+            # TTS cutover lever (the configmap "Tts" block is shadowed by this env).
+            - name: Tts__PiperUrl
+              value: "http://10.0.56.14:30850"   # GX10 amy-medium; edge1 10.0.57.17:8500 = rollback
+            - name: Ari__Username
+              value: "flowercore"
+            - name: Ari__Password
+              value: "bluejay-asterisk-ari"
           volumeMounts:
             - name: telephony-config
               mountPath: /app/appsettings.Production.json
@@ -320,7 +332,14 @@ spec:
           protocol: UDP
         - port: 53
           protocol: TCP
-    # Allow Piper TTS on edge1 (10.0.57.17:8500)
+    # Allow Piper TTS on GX10 (10.0.56.14:30850) — primary
+    - to:
+        - ipBlock:
+            cidr: 10.0.56.14/32
+      ports:
+        - port: 30850
+          protocol: TCP
+    # Allow Piper TTS on edge1 (10.0.57.17:8500) — warm fallback / rollback target
     - to:
         - ipBlock:
             cidr: 10.0.57.17/32

gx10/tts/Dockerfile

@@ -0,0 +1,31 @@
+# GX10 Piper TTS — linux/arm64 (built natively on the GX10 / DGX Spark, aarch64).
+# Serves the telephony /tts contract: POST {"text"} -> 16 kHz/16-bit/mono WAV.
+# Voice baked into the image so there is no runtime HuggingFace dependency.
+FROM python:3.12-slim
+
+# espeak-ng is the phonemizer backend piper-tts uses at synthesis time.
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends espeak-ng ca-certificates curl \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN pip install --no-cache-dir piper-tts flask numpy
+
+# Bake the voice model (en_US-amy-medium, 22.05 kHz native) into the image.
+ARG PIPER_VOICE=en_US-amy-medium
+ARG VOICE_BASE=https://huggingface.co/rhasspy/piper-voices/resolve/v1.0.0/en/en_US/amy/medium
+RUN mkdir -p /voices \
+    && curl -sSL -o "/voices/${PIPER_VOICE}.onnx" "${VOICE_BASE}/${PIPER_VOICE}.onnx" \
+    && curl -sSL -o "/voices/${PIPER_VOICE}.onnx.json" "${VOICE_BASE}/${PIPER_VOICE}.onnx.json" \
+    && test -s "/voices/${PIPER_VOICE}.onnx" \
+    && test -s "/voices/${PIPER_VOICE}.onnx.json"
+
+COPY tts_service.py /app/tts_service.py
+WORKDIR /app
+
+ENV TTS_PORT=8500 \
+    PIPER_VOICE=en_US-amy-medium \
+    VOICES_DIR=/voices \
+    TARGET_RATE=16000
+
+EXPOSE 8500
+CMD ["python", "tts_service.py"]

gx10/tts/README.md

@@ -0,0 +1,59 @@
+# GX10 Piper TTS — telephony `/tts` endpoint
+
+CPU Piper TTS serving the telephony `/tts` contract on the **GX10 RKE2 cluster**
+(ASUS Ascent GX10 / NVIDIA DGX Spark, ARM64, `10.0.56.14`). This is the
+telephony-TTS-port-to-GX10 (P1) baseline: edge1 parity at higher quality, zero
+GPU/aarch64 risk, frees telephony off the slow edge1 Pi 5.
+
+## What it is
+- `tts_service.py` — Flask app: `POST /tts {"text"}` → **16 kHz / 16-bit / mono WAV**
+  (canonical 44-byte header) + `GET /health`. Voice `en_US-amy-medium` (22.05 kHz
+  native) is numpy-resampled to 16 kHz so it drops straight onto Asterisk's
+  `.sln16` path (telephony strips the 44-byte header). Same wire contract as the
+  edge1 `speech-pipeline` `/tts`, just the TTS half (no STT/Wyoming).
+- `Dockerfile` — `linux/arm64`, voice baked in (no runtime HuggingFace dep).
+- `gx10-tts.yaml` — Namespace `tts` + Deployment (CPU-only, **no GPU request** so it
+  co-resides with the GPU-holding Ollama pod) + NodePort Service.
+
+## This cluster is NOT under the old-cluster ArgoCD (yet)
+Apply manually with the GX10's own kubectl:
+```bash
+ssh -J noc1 -i ~/.ssh/fcadmin_ed25519 bluejay@10.0.56.14
+export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
+K=/var/lib/rancher/rke2/bin/kubectl
+$K apply -f gx10-tts.yaml
+```
+
+## Build + import (native arm64 on the GX10)
+```bash
+docker build -t localhost/fc-gx10-tts:v20260614 .
+docker save localhost/fc-gx10-tts:v20260614 -o /tmp/t.tar
+sudo /var/lib/rancher/rke2/bin/ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/t.tar
+# manifest uses imagePullPolicy: Never (image lives in containerd, no registry)
+```
+
+## Telephony cutover (reversible)
+Endpoint telephony hits: **`http://10.0.56.14:30850`** (NodePort, MGMT VLAN 56).
+In `apps/telephony/telephony.yaml`:
+1. Deployment env `Tts__PiperUrl=http://10.0.56.14:30850` — **this is the real lever**;
+   env vars override `appsettings.Production.json`, so the configmap `Tts` block alone
+   is inert (it was shadowed by a drifted live env `Tts__PiperUrl=edge1`).
+2. NetworkPolicy egress to `10.0.56.14/32:30850` (telephony-web is `hostNetwork`, so this
+   only matters for non-hostNetwork pods; harmless either way).
+3. edge1 (`10.0.57.17:8500`) stays warm — **rollback = set `Tts__PiperUrl` back to it**.
+   The TTS circuit breaker + `MapTextToSound` canned-prompt fallback mean a bad endpoint
+   degrades gracefully, never to silence.
+
+## Verify (not a manual call)
+```bash
+FLOWERCORE_SIP_TEST_MODE=required dotnet.exe test \
+  FlowerCore.Telephony/tests/FlowerCore.Telephony.SipTests/FlowerCore.Telephony.SipTests.csproj \
+  --filter FullyQualifiedName~Call_Star100_ReceivesAudibleAudioStream
+```
+A passing audible test alone is NOT sufficient (edge1 also produces audible audio) —
+confirm the **GX10 TTS pod's own access log** (`kubectl -n tts logs deploy/gx10-tts`)
+shows `POST /tts 200` during the call, and telephony-web logs target `10.0.56.14:30850`.
+
+## Voice upgrade (follow-on)
+Operator's pick is **Kokoro**; needs GPU time-slicing (Ollama holds the GB10 GPU; MPS is
+refuted on GB10) OR Kokoro-CPU behind a `/tts` shim. This Piper baseline stays as the floor.

gx10/tts/gx10-tts.yaml

@@ -0,0 +1,81 @@
+# GX10 Piper TTS — telephony /tts endpoint on the GX10 RKE2 cluster.
+# Applied DIRECTLY via the GX10's own kubectl (KUBECONFIG=/etc/rancher/rke2/rke2.yaml);
+# the GX10 cluster is NOT yet under the old-cluster ArgoCD. CPU-only (no GPU request)
+# so it co-resides with the GPU-holding Ollama pod without contending for the GB10.
+# Image is imported into RKE2 containerd (imagePullPolicy: Never).
+# Telephony reaches it at http://10.0.56.14:30850 (NodePort, MGMT VLAN 56).
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tts
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gx10-tts
+  namespace: tts
+  labels:
+    app: gx10-tts
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gx10-tts
+  template:
+    metadata:
+      labels:
+        app: gx10-tts
+    spec:
+      containers:
+        - name: tts
+          image: localhost/fc-gx10-tts:v20260614
+          imagePullPolicy: Never
+          ports:
+            - containerPort: 8500
+              name: http
+          env:
+            - name: TTS_PORT
+              value: "8500"
+            - name: PIPER_VOICE
+              value: "en_US-amy-medium"
+            - name: TARGET_RATE
+              value: "16000"
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8500
+            initialDelaySeconds: 3
+            periodSeconds: 5
+            timeoutSeconds: 3
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8500
+            initialDelaySeconds: 10
+            periodSeconds: 20
+            timeoutSeconds: 5
+          resources:
+            requests:
+              cpu: "500m"
+              memory: "512Mi"
+            limits:
+              cpu: "4"
+              memory: "2Gi"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gx10-tts
+  namespace: tts
+  labels:
+    app: gx10-tts
+spec:
+  type: NodePort
+  selector:
+    app: gx10-tts
+  ports:
+    - name: http
+      port: 8500
+      targetPort: 8500
+      nodePort: 30850
+      protocol: TCP

gx10/tts/tts_service.py

@@ -0,0 +1,153 @@
+#!/usr/bin/env python3
+"""GX10 Piper TTS microservice — telephony /tts contract.
+
+POST /tts  {"text": "..."}  -> 16 kHz / 16-bit / mono WAV (canonical 44-byte header)
+GET  /health                -> JSON status
+
+The telephony AsteriskProvider strips the 44-byte WAV header and writes the
+remainder as a `.sln16` (signed-linear 16 kHz) file that Asterisk transcodes to
+any codec. So the response MUST be 16 kHz / 16-bit / mono. The en_US-amy-medium
+voice is 22.05 kHz native, so we resample to 16 kHz (a 22.05 kHz stream treated
+as 16 kHz plays ~1.38x too fast). This is a drop-in upgrade over edge1's
+en_US-amy-low (16 kHz native, lower quality), keeping the exact wire contract.
+"""
+import io
+import logging
+import os
+import sys
+import threading
+import wave
+
+import numpy as np
+from flask import Flask, Response, jsonify, request
+
+API_PORT = int(os.environ.get("TTS_PORT", "8500"))
+PIPER_VOICE = os.environ.get("PIPER_VOICE", "en_US-amy-medium")
+VOICES_DIR = os.environ.get("VOICES_DIR", "/voices")
+TARGET_RATE = int(os.environ.get("TARGET_RATE", "16000"))
+
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s [%(levelname)s] %(name)s: %(message)s",
+    stream=sys.stdout,
+)
+log = logging.getLogger("gx10-tts")
+
+piper_voice_obj = None
+piper_loaded = False
+piper_lock = threading.Lock()
+native_rate = None
+
+app = Flask(__name__)
+
+
+def load_piper():
+    """Load the Piper voice model once at startup (shared, lock-guarded)."""
+    global piper_voice_obj, piper_loaded
+    try:
+        from piper import PiperVoice
+        model_path = os.path.join(VOICES_DIR, f"{PIPER_VOICE}.onnx")
+        if not os.path.isfile(model_path):
+            log.error("Piper voice model not found at %s — TTS disabled", model_path)
+            piper_loaded = False
+            return
+        log.info("Loading Piper voice %s from %s", PIPER_VOICE, model_path)
+        piper_voice_obj = PiperVoice.load(model_path)
+        piper_loaded = True
+        log.info("Piper voice loaded")
+    except Exception as exc:  # noqa: BLE001 — fail-soft, /health reports it
+        log.error("Failed to load Piper: %s", exc)
+        piper_loaded = False
+
+
+def synthesize_chunks(text):
+    """Run Piper synthesis under a lock because the loaded voice is shared."""
+    with piper_lock:
+        return list(piper_voice_obj.synthesize(text))
+
+
+def resample_i16(pcm_i16, src_rate, dst_rate):
+    """Linear-interpolation resample of int16 PCM (matches edge1's STT resample)."""
+    if src_rate == dst_rate or len(pcm_i16) == 0:
+        return pcm_i16
+    audio = pcm_i16.astype(np.float32)
+    target_len = int(round(len(audio) * dst_rate / src_rate))
+    if target_len <= 0:
+        return np.zeros(0, dtype=np.int16)
+    idx = np.linspace(0, len(audio) - 1, target_len)
+    res = np.interp(idx, np.arange(len(audio)), audio)
+    return np.clip(np.round(res), -32768, 32767).astype(np.int16)
+
+
+@app.route("/health", methods=["GET"])
+def health():
+    return jsonify({
+        "status": "ok",
+        "voice": PIPER_VOICE,
+        "loaded": piper_loaded,
+        "target_rate": TARGET_RATE,
+        "native_rate": native_rate,
+    })
+
+
+@app.route("/tts", methods=["POST"])
+def tts():
+    """Text -> 16 kHz/16-bit/mono WAV. Mirrors the edge1 speech-pipeline contract."""
+    if not piper_loaded:
+        return jsonify({"error": "Piper TTS model not loaded"}), 503
+
+    data = request.get_json(silent=True)
+    if not data or "text" not in data:
+        return jsonify({"error": "Missing required field: text"}), 400
+
+    text = data["text"].strip()
+    if not text:
+        return jsonify({"error": "Text field is empty"}), 400
+    if len(text) > 10000:
+        return jsonify({"error": "Text too long (max 10000 characters)"}), 400
+
+    try:
+        chunks = synthesize_chunks(text)
+        if not chunks:
+            return jsonify({"error": "No audio produced"}), 500
+
+        global native_rate
+        first = chunks[0]
+        native_rate = first.sample_rate
+
+        if first.sample_width != 2 or first.sample_channels != 1:
+            return jsonify({
+                "error": f"Unexpected PCM format: width={first.sample_width} "
+                         f"channels={first.sample_channels} (need 16-bit mono)"
+            }), 500
+
+        pcm = np.frombuffer(
+            b"".join(c.audio_int16_bytes for c in chunks), dtype=np.int16
+        )
+        out = resample_i16(pcm, native_rate, TARGET_RATE)
+
+        wav_buffer = io.BytesIO()
+        with wave.open(wav_buffer, "wb") as wav_file:
+            wav_file.setnchannels(1)
+            wav_file.setsampwidth(2)
+            wav_file.setframerate(TARGET_RATE)
+            wav_file.writeframes(out.tobytes())
+        wav_buffer.seek(0)
+
+        return Response(
+            wav_buffer.read(),
+            mimetype="audio/wav",
+            headers={"Content-Disposition": 'inline; filename="speech.wav"'},
+        )
+    except Exception as exc:  # noqa: BLE001
+        log.error("TTS synthesis failed: %s", exc)
+        return jsonify({"error": f"Synthesis failed: {exc}"}), 500
+
+
+if __name__ == "__main__":
+    log.info(
+        "GX10 TTS starting on port %d (voice=%s -> %d Hz)",
+        API_PORT, PIPER_VOICE, TARGET_RATE,
+    )
+    load_piper()
+    app.run(host="0.0.0.0", port=API_PORT, threaded=True)