fix(auth): harden public infra routes

2026-06-04 13:20:16 -05:00
44 changed files with 766 additions and 1499 deletions
--- a/apps/andrew/andrew.yaml
+++ b/apps/andrew/andrew.yaml
@@ -201,6 +201,8 @@ spec:
    metadata:
      labels:
        app: andrew-web
      annotations:
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -225,12 +227,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -265,7 +273,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`bluejay.dev`) || Host(`www.bluejay.dev`)
+    - match: (Host(`bluejay.dev`) || Host(`www.bluejay.dev`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: andrew-web
--- a/apps/authentik/authentik.yaml
+++ b/apps/authentik/authentik.yaml
@@ -113,12 +113,7 @@ spec:
            - name: pgdata
              mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:
-    # apiVersion/kind included deliberately: this STS was created via ArgoCD ServerSideApply,
+    - metadata:
    # so the live object carries PVC TypeMeta inside volumeClaimTemplates; omitting it here
    # leaves the app eternally OutOfSync even though kubectl SSA dry-run shows no change.
    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: pgdata
      spec:
        storageClassName: longhorn
--- a/apps/dustin/dustin.yaml
+++ b/apps/dustin/dustin.yaml
@@ -201,6 +201,8 @@ spec:
    metadata:
      labels:
        app: dustin-web
      annotations:
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -225,12 +227,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -265,7 +273,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`timeforta.co`) || Host(`www.timeforta.co`)
+    - match: (Host(`timeforta.co`) || Host(`www.timeforta.co`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: dustin-web
--- a/apps/erik/erik.yaml
+++ b/apps/erik/erik.yaml
@@ -201,6 +201,8 @@ spec:
    metadata:
      labels:
        app: erik-web
      annotations:
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -225,12 +227,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -265,7 +273,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`erckak.dev`) || Host(`www.erckak.dev`)
+    - match: (Host(`erckak.dev`) || Host(`www.erckak.dev`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: erik-web
--- a/apps/fc-aistation/fc-aistation.yaml
+++ b/apps/fc-aistation/fc-aistation.yaml
@@ -46,8 +46,6 @@ spec:
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
        prometheus.io/scrape: "true"
@@ -56,7 +54,6 @@ spec:
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: aistation-web-config
@@ -170,26 +167,3 @@ spec:
          port: 80
  tls:
    secretName: aistation-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose aistation-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: aistation-web-public
 #   namespace: fc-aistation
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`aistation.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: aistation-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: aistation-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-chat/fc-chat.yaml
+++ b/apps/fc-chat/fc-chat.yaml
@@ -112,8 +112,6 @@ spec:
        app.kubernetes.io/name: chat-web
        app.kubernetes.io/part-of: flowercore
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
@@ -130,7 +128,6 @@ spec:
          ports:
            - name: http
              containerPort: 8080
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          envFrom:
            - configMapRef:
                name: chat-web-config
--- a/apps/fc-desktop/fc-desktop.yaml
+++ b/apps/fc-desktop/fc-desktop.yaml
@@ -14,20 +14,6 @@
 # cluster-rebuild repeatability. See
 # feedback_networkpolicies_belong_in_bluejay_infra.md.
 ---
 # OIDC client secret for the RemoteDesktop end-user sign-in (fleet regroup L9,
 # 2026-06-12). The Authentik provider `remotedesktop` already exists; the 1P item
 # `remotedesktop-oidc-client` (vault IAmWorkin) carries issuer_url / client_id /
 # client_secret, and the 1Password operator mints the same-named K8s Secret that
 # k8s/web-deployment.yaml (FlowerCore.RemoteDesktop repo) consumes with
 # optional:true. Gate stays OFF (Q-RD-16) — this is flip-READINESS only.
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: remotedesktop-oidc-client
  namespace: fc-desktop
 spec:
  itemPath: "vaults/IAmWorkin/items/remotedesktop-oidc-client"
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -65,26 +51,3 @@ spec:
          port: 8080
  tls:
    secretName: remotedesktop-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose remotedesktop-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: remotedesktop-web-public
 #   namespace: fc-desktop
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`desktop.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: remotedesktop-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: remotedesktop-web
 #           port: 8080
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-devicemgmt/clusterrole-operator.yaml
+++ b/apps/fc-devicemgmt/clusterrole-operator.yaml
@@ -11,7 +11,7 @@ metadata:
    flowercore.io/created-by: bluejay-infra
 rules:
  - apiGroups:
-      - flowercore.io
+      - devices.flowercore.io
    resources:
      - '*'
    verbs:
@@ -23,7 +23,7 @@ rules:
      - patch
      - delete
  - apiGroups:
-      - flowercore.io
+      - devices.flowercore.io
    resources:
      - devices/status
      - devices/finalizers
@@ -33,8 +33,6 @@ rules:
      - devicepolicies/finalizers
      - remotecommands/status
      - remotecommands/finalizers
      - desiredstatedocuments/status
      - desiredstatedocuments/finalizers
    verbs:
      - get
      - update
--- a/apps/fc-devicemgmt/crds.yaml
+++ b/apps/fc-devicemgmt/crds.yaml
@@ -1,186 +0,0 @@
 # FlowerCore.DeviceManagement CRDs.
 #
 # These CRDs match the current operator annotations:
 #   [KubernetesEntity(Group = "flowercore.io", ApiVersion = "v1alpha1", ...)]
 # Keep the schemas intentionally permissive until the DeviceManagement operator
 # grows enforced CRD validation.
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: devices.flowercore.io
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  group: flowercore.io
  scope: Namespaced
  names:
    plural: devices
    singular: device
    kind: Device
    listKind: DeviceList
  versions:
    - name: v1alpha1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: devicegroups.flowercore.io
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  group: flowercore.io
  scope: Namespaced
  names:
    plural: devicegroups
    singular: devicegroup
    kind: DeviceGroup
    listKind: DeviceGroupList
  versions:
    - name: v1alpha1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: devicepolicies.flowercore.io
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  group: flowercore.io
  scope: Namespaced
  names:
    plural: devicepolicies
    singular: devicepolicy
    kind: DevicePolicy
    listKind: DevicePolicyList
  versions:
    - name: v1alpha1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: remotecommands.flowercore.io
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  group: flowercore.io
  scope: Namespaced
  names:
    plural: remotecommands
    singular: remotecommand
    kind: RemoteCommand
    listKind: RemoteCommandList
  versions:
    - name: v1alpha1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: desiredstatedocuments.flowercore.io
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  group: flowercore.io
  scope: Namespaced
  names:
    plural: desiredstatedocuments
    singular: desiredstatedocument
    kind: DesiredStateDocument
    listKind: DesiredStateDocumentList
  versions:
    - name: v1alpha1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
--- a/apps/fc-devicemgmt/deployment-web.yaml
+++ b/apps/fc-devicemgmt/deployment-web.yaml
@@ -5,35 +5,21 @@
 # exist yet; import localhost/fc-devicemgmt-web:<tag> to all schedulable RKE2
 # nodes before letting ArgoCD sync a live rollout.
 #
-# LIVE — 2026-06-11 DeviceManagement product-host enablement.
+# SCALED TO 0 — 2026-05-19 morning-routine cleanup.
-# The current DeviceManagement Web source is SQLite-backed in Program.cs, so
+# The Web pod cannot start until TWO upstream gaps close:
-# Phase 1 production uses a Longhorn RWO PVC at /data/devicemgmt.db. The
+#   1. MySQL DB instance `flowercore_devicemgmt` (user `fc_devicemgmt`) is
-# 1Password runtime item stays mounted through env for future MySQL/API-key
+#      provisioned via fc-mysql Manager. The cluster currently has ZERO
-# cutover, but MySQL is not required for this first product-host rollout.
+#      MySqlInstanceCrds and no `mysql.fc-mysql.svc:3306` Service, so the
-# Image v20260611-healthz is built from FlowerCore.DeviceManagement master
+#      deployment-web container env `FlowerCore__Database__Host=mysql.fc-mysql.svc`
-# 3c15f3b, which adds the /healthz alias required by fleet monitoring.
+#      points at nothing. Provision via the fc-mysql Manager UI/REST/MCP.
---
+#   2. 1Password vault item `IAmWorkin/FlowerCore DeviceManagement Runtime`
-apiVersion: v1
+#      with 5 fields (DB-Password, mtls-ca.pem, mtls-client.crt, mtls-client.key,
-kind: PersistentVolumeClaim
+#      mtls-chain.pem) — see apps/fc-devicemgmt/1password-item.yaml. Mint mTLS
-metadata:
+#      from step-ca-agent ClusterIssuer per ADR-126; DB-Password must match the
-  name: fc-devicemgmt-web-data
+#      password configured for the MySQL user.
-  namespace: fc-devicemgmt
+# Re-enable: change replicas back to 2 after both gaps close. The image tag
-  labels:
+# in this file (v20260512-cx5) MAY also need a refresh — it predates the
-    app: fc-devicemgmt-web
+# Sprint 34 Cl-3 operator fix; Web may have an analogous bug.
    app.kubernetes.io/name: fc-devicemgmt-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -50,7 +36,7 @@ metadata:
  annotations:
    flowercore.io/traceability-standard: k8s-pod-ownership-and-traceability-standard
 spec:
-  replicas: 1
+  replicas: 0
  revisionHistoryLimit: 3
  selector:
    matchLabels:
@@ -66,8 +52,6 @@ spec:
        flowercore.io/tenant-id: system
        flowercore.io/created-by: bluejay-infra
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
@@ -78,12 +62,11 @@ spec:
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: web
-          image: localhost/fc-devicemgmt-web:v20260611-healthz
+          image: localhost/fc-devicemgmt-web:v20260512-cx5
          imagePullPolicy: Never
          ports:
            - name: http
              containerPort: 8080
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
@@ -91,21 +74,29 @@ spec:
              value: "Production"
            - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
              value: "false"
            - name: HOME
              value: "/data"
            - name: FlowerCore__Service__Name
              value: "FlowerCore.DeviceManagement.Web"
            - name: FlowerCore__DeviceManagement__DefaultTenantId
              value: "system"
            - name: FlowerCore__Database__Provider
-              value: "Sqlite"
+              value: "MySql"
-            - name: FlowerCore__Database__ConnectionStrings__Sqlite
+            - name: FlowerCore__Database__Host
-              value: "Data Source=/data/devicemgmt.db"
+              value: "mysql.fc-mysql.svc"
            - name: FlowerCore__Database__Database
              value: "flowercore_devicemgmt"
            - name: FlowerCore__Database__User
              value: "fc_devicemgmt"
            - name: FlowerCore__Database__Password
              valueFrom:
                secretKeyRef:
                  name: fc-devicemgmt-runtime
                  key: DB-Password
            - name: FlowerCore__DeviceManagement__AgentMtls__CaPath
              value: "/secrets/devicemgmt-mtls/mtls-ca.pem"
            - name: FlowerCore__DeviceManagement__AgentMtls__ClientCertificatePath
              value: "/secrets/devicemgmt-mtls/mtls-client.crt"
            - name: FlowerCore__DeviceManagement__AgentMtls__ClientKeyPath
              value: "/secrets/devicemgmt-mtls/mtls-client.key"
            - name: FlowerCore__EventBus__Redis__Configuration
              value: "redis.fc-redis.svc:6379"
          resources:
@@ -142,17 +133,19 @@ spec:
              drop:
                - ALL
          volumeMounts:
            - name: data
              mountPath: /data
            - name: tmp
              mountPath: /tmp
            - name: logs
              mountPath: /app/logs
            - name: devicemgmt-mtls
              mountPath: /secrets/devicemgmt-mtls
              readOnly: true
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: fc-devicemgmt-web-data
        - name: tmp
          emptyDir: {}
        - name: logs
          emptyDir: {}
        - name: devicemgmt-mtls
          secret:
            secretName: fc-devicemgmt-runtime
            defaultMode: 0400
--- a/apps/fc-dms/fc-dms.yaml
+++ b/apps/fc-dms/fc-dms.yaml
@@ -30,26 +30,3 @@ spec:
          port: 80
  tls:
    secretName: dms-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose dms-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: dms-web-public
 #   namespace: fc-dms
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`dms.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: dms-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: dms-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-dns/fc-dns.yaml
+++ b/apps/fc-dns/fc-dns.yaml
@@ -48,7 +48,7 @@ data:
    {
        "FlowerCore": {
        "Auth": {
-          "Enabled": false,
+          "Enabled": true,
          "Oidc": {
            "Enabled": true,
            "Audience": "dns",
@@ -111,7 +111,7 @@ spec:
        fsGroup: 1654
      containers:
        - name: dns-web
-          image: localhost/fc-dns-web:v20260612-l4dns-a5d2849
+          image: localhost/fc-dns-web:v20260604-oidc-proper
          imagePullPolicy: Never
          securityContext:
            readOnlyRootFilesystem: true
@@ -149,7 +149,7 @@ spec:
                  key: client_secret
                  optional: true
            - name: FlowerCore__Auth__Enabled
-              value: "false"
+              value: "true"
            - name: FlowerCore__Auth__Oidc__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Audience
@@ -303,7 +303,7 @@ spec:
        fsGroup: 1654
      containers:
        - name: dns-acme-webhook
-          image: localhost/fc-dns-acme-webhook:v20260612-l4dns-a5d2849
+          image: localhost/fc-dns-acme-webhook:v202604290845
          imagePullPolicy: Never
          securityContext:
            readOnlyRootFilesystem: true
--- a/apps/fc-landing/fc-landing.yaml
+++ b/apps/fc-landing/fc-landing.yaml
@@ -203,6 +203,8 @@ spec:
    metadata:
      labels:
        app: fc-landing
      annotations:
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -227,12 +229,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -298,7 +306,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+    - match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: fc-landing
@@ -316,7 +324,7 @@ spec:
  entryPoints:
    - web
  routes:
-    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+    - match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: fc-landing
--- a/apps/fc-library/fc-library.yaml
+++ b/apps/fc-library/fc-library.yaml
@@ -46,8 +46,6 @@ spec:
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/health"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
        prometheus.io/scrape: "true"
@@ -56,7 +54,6 @@ spec:
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: library-web-config
@@ -170,26 +167,3 @@ spec:
          port: 80
  tls:
    secretName: library-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose library-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: library-web-public
 #   namespace: fc-library
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`library.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: library-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: library-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-llm-bridge/fc-llm-bridge.yaml
+++ b/apps/fc-llm-bridge/fc-llm-bridge.yaml
@@ -83,8 +83,6 @@ spec:
        app.kubernetes.io/name: fc-llm-bridge
        app.kubernetes.io/part-of: flowercore
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
@@ -118,7 +116,6 @@ spec:
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
@@ -284,26 +281,3 @@ spec:
          port: 8080
  tls:
    secretName: fc-llm-bridge-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose fc-llm-bridge publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: fc-llm-bridge-public
 #   namespace: fc-llm-bridge
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`llm-bridge.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: fc-llm-bridge-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: fc-llm-bridge
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-menuboard/fc-menuboard.yaml
+++ b/apps/fc-menuboard/fc-menuboard.yaml
@@ -30,26 +30,3 @@ spec:
          port: 80
  tls:
    secretName: menuboard-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose menuboard-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: menuboard-web-public
 #   namespace: fc-menuboard
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`menuboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: menuboard-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: menuboard-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-messageboard/fc-messageboard.yaml
+++ b/apps/fc-messageboard/fc-messageboard.yaml
@@ -41,8 +41,6 @@ spec:
      labels:
        app: messageboard-web
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/health"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
@@ -54,7 +52,6 @@ spec:
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          envFrom:
            - configMapRef:
                name: messageboard-web-config
@@ -144,26 +141,3 @@ spec:
          port: 80
  tls:
    secretName: messageboard-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose messageboard-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: messageboard-web-public
 #   namespace: fc-messageboard
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`messageboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: messageboard-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: messageboard-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-mysql/fc-mysql.yaml
+++ b/apps/fc-mysql/fc-mysql.yaml
@@ -30,26 +30,3 @@ spec:
          port: 5300
  tls:
    secretName: mysql-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose mysql-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: mysql-web-public
 #   namespace: fc-mysql
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`mysql.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: mysql-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: mysql-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-php/fc-php.yaml
+++ b/apps/fc-php/fc-php.yaml
@@ -30,26 +30,3 @@ spec:
          port: 5400
  tls:
    secretName: php-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose php-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: php-web-public
 #   namespace: fc-php
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`php.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: php-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: php-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-presentations/fc-presentations.yaml
+++ b/apps/fc-presentations/fc-presentations.yaml
@@ -30,26 +30,3 @@ spec:
          port: 80
  tls:
    secretName: presentations-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose presentations-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: presentations-web-public
 #   namespace: fc-presentations
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`presentations.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: presentations-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: presentations-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-retail/fc-retail.yaml
+++ b/apps/fc-retail/fc-retail.yaml
@@ -46,8 +46,6 @@ spec:
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        kubectl.kubernetes.io/restartedAt: "2026-06-02T01:34:08-05:00"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
@@ -57,7 +55,6 @@ spec:
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: retail-web-config
@@ -171,26 +168,3 @@ spec:
          port: 80
  tls:
    secretName: retail-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose retail-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: retail-web-public
 #   namespace: fc-retail
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`retail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: retail-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: retail-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-scoreboard/fc-scoreboard.yaml
+++ b/apps/fc-scoreboard/fc-scoreboard.yaml
@@ -30,26 +30,3 @@ spec:
          port: 80
  tls:
    secretName: scoreboard-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose scoreboard-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: scoreboard-web-public
 #   namespace: fc-scoreboard
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`scoreboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: scoreboard-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: scoreboard-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-segmentdisplay/fc-segmentdisplay.yaml
+++ b/apps/fc-segmentdisplay/fc-segmentdisplay.yaml
@@ -37,26 +37,3 @@ spec:
          port: 80
  tls:
    secretName: segmentdisplay-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose segmentdisplay-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: segmentdisplay-web-public
 #   namespace: fc-segmentdisplay
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`segmentdisplay.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: segmentdisplay-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: segmentdisplay-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-signage/fc-signage.yaml
+++ b/apps/fc-signage/fc-signage.yaml
@@ -46,26 +46,3 @@ spec:
      services:
        - name: signage-web
          port: 5190
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose signage-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: signage-web-public
 #   namespace: fc-signage
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`signage.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: signage-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: signage-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-ttsreader/fc-ttsreader.yaml
+++ b/apps/fc-ttsreader/fc-ttsreader.yaml
@@ -97,7 +97,6 @@ spec:
      containers:
        - name: piper
          image: rhasspy/wyoming-piper:latest
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: PYTHONHTTPSVERIFY
              value: "0"
@@ -524,8 +523,6 @@ spec:
        app.kubernetes.io/name: ttsreader-web
        app.kubernetes.io/part-of: flowercore
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/health"
        prometheus.io/scrape: "true"
        prometheus.io/port: "5217"
        prometheus.io/path: "/metrics"
@@ -535,7 +532,7 @@ spec:
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: web
-          image: localhost/fc-ttsreader-web:v20260612-readalong-corrections
+          image: localhost/fc-ttsreader-web:v20260603-s54cx14-pr29-schema
          imagePullPolicy: Never
          ports:
            - containerPort: 5217
@@ -765,26 +762,3 @@ spec:
          port: 5217
  tls:
    secretName: ttsreader-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose ttsreader-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: ttsreader-web-public
 #   namespace: fc-ttsreader
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`ttsreader.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: ttsreader-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: ttsreader-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-updater/fc-updater.yaml
+++ b/apps/fc-updater/fc-updater.yaml
@@ -52,9 +52,6 @@ spec:
      app: updatecenter-web
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/"
      labels:
        app: updatecenter-web
    spec:
@@ -66,7 +63,6 @@ spec:
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: http://+:8080
--- a/apps/fit/fit.yaml
+++ b/apps/fit/fit.yaml
@@ -201,6 +201,8 @@ spec:
    metadata:
      labels:
        app: fit-web
      annotations:
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -225,12 +227,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -265,7 +273,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)
+    - match: (Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: fit-web
--- a/apps/flowercore/flowercore.yaml
+++ b/apps/flowercore/flowercore.yaml
@@ -257,6 +257,8 @@ spec:
    metadata:
      labels:
        app: flowercore-web
      annotations:
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -281,12 +283,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
--- a/apps/gitea-public/gitea-public.yaml
+++ b/apps/gitea-public/gitea-public.yaml
@@ -11,7 +11,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`gitea.flowercore.io`)
+    - match: Host(`gitea.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      kind: Rule
      services:
        - name: gitea-http
--- a/apps/github-runner/README.md
+++ b/apps/github-runner/README.md
@@ -12,8 +12,6 @@ All repo-scoped Linux runners use:
 - `ACCESS_TOKEN` from the `github-runner-token` Secret
 - `RUN_AS_ROOT=false`
 - `EPHEMERAL=true`
 - `DISABLE_AUTO_UPDATE=true` so the runner does not self-update and exit inside
  the immutable Kubernetes pod
 - `LABELS=self-hosted,linux,fc-build-linux`
 - writable non-root paths under `/home/runner` for .NET, NuGet, XDG cache, and
  Actions tool cache
@@ -133,7 +131,3 @@ from GitHub Actions and verify it lands on an `rke2-linux-*` runner.
  value does not change.
 - `Multi-Attach` volume error: only the Common runner uses a RWO PVC and it must
  stay single-replica. New multi-replica runners use `emptyDir`.
 - Runner pods repeatedly registering, downloading a newer Actions runner, then
  exiting with code 4: verify `DISABLE_AUTO_UPDATE=true` is present. The image
  translates that into `config.sh --disableupdate`; without it, the Deployment
  controller sees the expected self-update exit as CrashLoopBackOff.
--- a/apps/github-runner/github-runner.yaml
+++ b/apps/github-runner/github-runner.yaml
@@ -195,11 +195,6 @@ spec:
            # fresh registration occurs. Prevents stale runner accumulation.
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            # Labels used by workflow files: runs-on: [self-hosted, linux, fc-build-linux]
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
@@ -371,11 +366,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -514,11 +504,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -651,11 +636,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -788,11 +768,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -925,11 +900,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -1065,11 +1035,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -1202,11 +1167,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -1339,11 +1299,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -1476,11 +1431,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -1615,11 +1565,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -1754,11 +1699,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -1898,11 +1838,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -2037,11 +1972,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -2176,11 +2106,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -2315,11 +2240,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -2453,11 +2373,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -2592,11 +2507,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -2730,11 +2640,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -2868,11 +2773,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -3006,11 +2906,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -3144,11 +3039,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -3282,11 +3172,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -3421,11 +3306,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -3560,11 +3440,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -3699,11 +3574,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -3838,11 +3708,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -3977,11 +3842,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -4115,11 +3975,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -4254,11 +4109,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -4397,11 +4247,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -4541,11 +4386,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
@@ -4681,11 +4521,6 @@ spec:
              value: "/tmp/runner/work"
            - name: EPHEMERAL
              value: "true"
            # The runner image must not self-update inside an immutable
            # Kubernetes pod. Without this, GitHub runner auto-update exits
            # with code 4 and the Deployment falls into CrashLoopBackOff.
            - name: DISABLE_AUTO_UPDATE
              value: "true"
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
            - name: HOME
--- a/apps/intranet/intranet.yaml
+++ b/apps/intranet/intranet.yaml
@@ -46,7 +46,7 @@ spec:
    spec:
      containers:
        - name: intranet-web
-          image: localhost/fc-intranet-web:v20260612-screenshot-metadata
+          image: localhost/fc-intranet-web:v20260531-ttsreader-bridge
          imagePullPolicy: Never
          ports:
            - containerPort: 5300
@@ -60,17 +60,14 @@ spec:
            # ≈ 9 hours. BLUEJAY-WS GPU (R9700, 32GB VRAM) does the same work
            # in minutes. Memory: feedback_pi5_nomic_embed_slow.
            - name: IntranetSearch__OllamaBaseUrl
-              value: "http://edge1.iamworkin.lan:11434"
+              value: "http://10.0.56.20:11434"
-            # External Notes corpus roots are not mounted in the live pod today.
+            # Sprint E Phase 2α — JSON-file-backed PageReadingOverride persistence
-            # Keep the curated/workflow docs directory active without logging
+            # on the writable PVC at /data. Without this env var the
-            # repeated /srv/flowercore-notes missing-root warnings.
+            # intranet falls back to the in-memory store (loses state on
-            - name: IntranetSearch__Enabled
+            # pod restart). Master's PageReadingOverrideOptions binds
-              value: "false"
+            # PageReadingOverrides:FilePath.
-            # Page-reading override SQLite persistence on the writable PVC at
+            - name: PageReadingOverrides__FilePath
-            # /data. This backs pronunciation, notes, corrections, and
+              value: "/data/page-reading-overrides.json"
            # page-profile metadata across pod restarts.
            - name: PageReadingOverrides__DatabasePath
              value: "/data/page-reading-overrides.db"
            - name: KnowledgeFleetSearch__BaseUrl
              value: "https://knowledge.iamworkin.lan"
            - name: KnowledgeFleetSearch__ApiKey
--- a/apps/knowledge/knowledge.yaml
+++ b/apps/knowledge/knowledge.yaml
@@ -90,8 +90,6 @@ spec:
        app.kubernetes.io/name: knowledge-web
        app.kubernetes.io/part-of: bluejay-infra
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
@@ -119,7 +117,6 @@ spec:
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
@@ -289,26 +286,3 @@ spec:
          port: 80
  tls:
    secretName: knowledge-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose knowledge-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: knowledge-web-public
 #   namespace: knowledge
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`knowledge.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: knowledge-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: knowledge-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/mail/mail.yaml
+++ b/apps/mail/mail.yaml
@@ -243,7 +243,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`webmail.flowercore.io`)
+    - match: Host(`webmail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      kind: Rule
      services:
        - name: mail-webmail
--- a/apps/matrix/matrix.yaml
+++ b/apps/matrix/matrix.yaml
@@ -479,7 +479,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`element.flowercore.io`)
+    - match: Host(`element.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: element-web
@@ -497,7 +497,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`matrix.flowercore.io`)
+    - match: Host(`matrix.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      kind: Rule
      services:
        - name: synapse
--- a/apps/monitoring/noc-monitoring.yaml
+++ b/apps/monitoring/noc-monitoring.yaml
@@ -216,24 +216,19 @@ data:
      - job_name: "pimanager-app"
        scrape_interval: 15s
        metrics_path: /metrics
        scheme: https
        tls_config:
          insecure_skip_verify: true
        static_configs:
-          - targets: ["piez.iamworkin.lan"]
+          - targets: ["10.0.58.25:5000"]
            labels:
              instance: "piez"
-              service: "signalcontrol"
+              service: "pimanager"
              vlan: "home"
              device: "pi4-ezconnect"
-              rig: "signal-b"
+          - targets: ["10.0.58.113:5200"]
          - targets: ["pirelay.iamworkin.lan"]
            labels:
              instance: "pirelay"
-              service: "signalcontrol"
+              service: "pimanager"
              vlan: "home"
              device: "pi3-ks0212"
              rig: "signal-a"
      # Epson ET-3750 EcoTank Printer SNMP
      - job_name: "snmp-printer"
@@ -493,12 +488,6 @@ data:
              - "https://desktop.iamworkin.lan/"
              - "https://print.iamworkin.lan/healthz"    # root 401 behind API key auth; /healthz anonymous 200
              - "https://dns.iamworkin.lan/healthz"      # root auth-gated by OIDC; /healthz anonymous 200
              - "https://signalcontrol.iamworkin.lan/health" # FlowerCore.SignalControl Pi control plane
              - "https://flowercore.iamworkin.lan/healthz"    # FlowerCore landing
              - "https://replay.iamworkin.lan/healthz"        # FlowerCore.Signage replay surface
              - "https://worldbuilder.iamworkin.lan/healthz"  # FlowerCore.WorldBuilder
              - "https://updates.iamworkin.lan/api/v1/manifests/_schema" # UpdateCenter plural LAN alias
              - "https://updatecenter-internal.iamworkin.lan/api/v1/manifests/_schema" # internal UC schema route
              - "https://chat.iamworkin.lan/healthz"     # OIDC staged; keep blackbox off root before enforcement flips
              - "https://dist.iamworkin.lan/healthz"     # root/admin auth-gated by OIDC; /healthz anonymous 200
              - "https://dms.iamworkin.lan/healthz"      # future OIDC posture; health route is already anonymous/live
@@ -922,13 +911,12 @@ data:
          # of idle and SNMP times out, so 5m for: would page nightly. A
          # genuine printer outage (jam, disconnected) lasts well over 30m.
          - alert: EpsonPrinterDown
-            expr: (max_over_time(up{job="snmp-printer"}[35m]) == bool 0) == 1 and (hour() >= 13 or hour() < 1)
+            expr: up{job="snmp-printer"} == 0
            for: 30m
            labels:
-              severity: info
+              severity: warning
              alert_channel: irc
            annotations:
-              summary: "Epson ET-3750 SNMP unreachable during waking hours (30m)"
+              summary: "Epson ET-3750 SNMP unreachable for >30m (likely actual fault, not sleep)"
          - alert: SynologyDiskLow
            expr: hrStorageUsed{job="snmp-nas"} / hrStorageSize{job="snmp-nas"} * 100 > 85
--- a/apps/pki-web/pki-web.yaml
+++ b/apps/pki-web/pki-web.yaml
@@ -134,6 +134,8 @@ spec:
    metadata:
      labels:
        app: pki-web
      annotations:
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -158,12 +160,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -201,6 +209,7 @@ spec:
  dnsNames:
    - pki.iamworkin.lan
 ---
 # Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Traefik IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
--- a/apps/telephony/telephony.yaml
+++ b/apps/telephony/telephony.yaml
@@ -114,9 +114,6 @@ spec:
      app: telephony-web
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/health"
      labels:
        app: telephony-web
    spec:
@@ -164,7 +161,6 @@ spec:
          ports:
            - containerPort: 5100
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: Telephony__Twilio__AccountSid
              valueFrom:
@@ -211,12 +207,18 @@ spec:
            httpGet:
              path: /health
              port: 5100
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: 5100
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 10
            periodSeconds: 5
      volumes:
@@ -260,12 +262,12 @@ spec:
    - websecure
  routes:
    - kind: Rule
-      match: Host(`telephony.flowercore.io`)
+      match: Host(`telephony.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      services:
        - name: telephony-web
          port: 5100
    - kind: Rule
-      match: Host(`telephony.iamwork.in`)
+      match: Host(`telephony.iamwork.in`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      services:
        - name: telephony-web
          port: 5100
@@ -391,3 +393,4 @@ spec:
--- a/apps/traefik-dashboard/traefik-dashboard.yaml
+++ b/apps/traefik-dashboard/traefik-dashboard.yaml
@@ -21,6 +21,7 @@ spec:
  basicAuth:
    secret: traefik-dashboard-auth
 ---
 # Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Dashboard IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
--- a/apps/voice/voice.yaml
+++ b/apps/voice/voice.yaml
@@ -66,7 +66,7 @@ spec:
    - websecure
  routes:
    - kind: Rule
-      match: Host(`voice.bluejay.dev`)
+      match: Host(`voice.bluejay.dev`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      services:
        - name: voice-bridge
          port: 8766
@@ -84,7 +84,7 @@ spec:
    - websecure
  routes:
    - kind: Rule
-      match: Host(`voice-ws.bluejay.dev`)
+      match: Host(`voice-ws.bluejay.dev`) && (Method(`GET`) || Method(`HEAD`))
      services:
        - name: voice-bridge
          port: 8765
--- a/apps/worldbuilder/README.md
+++ b/apps/worldbuilder/README.md
@@ -12,27 +12,28 @@ Source: `D:\git\FlowerCore\FlowerCore.WorldBuilder` (master)
   in pfSense Unbound before this manifest is applied, or cert-manager
   HTTP-01 silently exponential-backs-off ~2h.
   Memory: `feedback_pfsense_dns_required_for_acme`.
-2. **Image import to ALL Ready RKE2 nodes** — pod can currently schedule to
+2. **Image import to ALL RKE2 nodes** — pod can schedule to any of
-   `rke2-server` (10.0.56.11) and `rke2-agent1` (10.0.56.12). Build with:
+   `rke2-server` (10.0.56.11), `rke2-agent1` (10.0.56.12),
   `rke2-agent2` (10.0.56.13). Build with:
   ```bash
   bash deploy/build.sh   # in FlowerCore.WorldBuilder repo
-   mkdir -p artifacts/deploy
+   podman save localhost/fc-worldbuilder:v<TAG> -o /tmp/fc-worldbuilder-v<TAG>.tar
-   podman save localhost/fc-worldbuilder:v<TAG> -o artifacts/deploy/fc-worldbuilder-v<TAG>.tar
+   for h in 10.0.56.11 10.0.56.12 10.0.56.13; do
-   for h in 10.0.56.11 10.0.56.12; do
+     scp /tmp/fc-worldbuilder-v<TAG>.tar fcadmin@$h:/tmp/
     ssh fcadmin@$h "mkdir -p /home/fcadmin/.fcv"
     scp artifacts/deploy/fc-worldbuilder-v<TAG>.tar fcadmin@$h:/home/fcadmin/.fcv/
     ssh fcadmin@$h \
       "sudo /var/lib/rancher/rke2/bin/ctr -a /run/k3s/containerd/containerd.sock \
-         -n k8s.io images import /home/fcadmin/.fcv/fc-worldbuilder-v<TAG>.tar"
+         -n k8s.io images import /tmp/fc-worldbuilder-v<TAG>.tar"
   done
   ```
   Memory: `feedback_rke2_image_import_per_node_scp`.
 3. **Bump image tag** in `worldbuilder.yaml` and git push.
   ArgoCD ApplicationSet picks up within ~3 minutes.
-4. **First production render** — verify
+4. **First production render** — open
-   `https://worldbuilder.iamworkin.lan/healthz`, open
+   `https://worldbuilder.iamworkin.lan/studio/c32e0000-0000-4000-8000-000000000004`
-   `https://worldbuilder.iamworkin.lan/settings`, and confirm the image backend
+   and confirm the Cyberpunk Blue Jay demo prompt loads with five seeded fake
-   reports ComfyUI before running an operator-owned render lane.
+   generated images. This Sprint 32 visitor-safe profile uses
   `ClientMode=fake`; switch the image-generation env vars back to ComfyUI only
   for an operator-owned GPU render lane.
 ## Health probes
@@ -55,8 +56,13 @@ Source: `D:\git\FlowerCore\FlowerCore.WorldBuilder` (master)
 ## Image generation backend
-The live internal profile now uses
+Sprint 32 pins the Kubernetes profile to
-`FlowerCore:WorldBuilder:ImageGeneration:ClientMode=comfyui` with
+`FlowerCore:WorldBuilder:ImageGeneration:ClientMode=fake` with
-`BaseUrl=http://10.0.56.20:8188` on BLUEJAY-WS (R9700 / gfx1201 / ROCm 7.2).
+`BaseUrl=http://127.0.0.1:1`. That keeps the public/internal visitor demo
-Keep the public host pre-staging disabled unless the five safe-to-expose gates
+deterministic, avoids GPU exposure, and still exercises the studio/gallery
-are rechecked; the live GPU lane is operator-owned and internal-only.
+surface with persisted generated-image metadata.
 The previous ComfyUI backend target was `http://10.0.56.20:8188` on
 BLUEJAY-WS (R9700 / gfx1201 / ROCm 7.2.1). Re-enable it only in an
 operator-owned follow-up that also verifies workstation reachability and image
 import freshness.
--- a/apps/worldbuilder/worldbuilder.yaml
+++ b/apps/worldbuilder/worldbuilder.yaml
@@ -5,10 +5,10 @@
 #
 # Image build (BLUEJAY-WS):
 #   bash deploy/build.sh                 # in FlowerCore.WorldBuilder repo
-#   podman save localhost/fc-worldbuilder:v<TAG> -o artifacts/deploy/fc-worldbuilder-v<TAG>.tar
+#   podman save localhost/fc-worldbuilder:v<TAG> -o /tmp/fc-worldbuilder-v<TAG>.tar
-#   for h in 10.0.56.11 10.0.56.12; do
+#   for h in 10.0.56.11 10.0.56.12 10.0.56.13; do
-#     scp artifacts/deploy/fc-worldbuilder-v<TAG>.tar fcadmin@$h:/home/fcadmin/.fcv/
+#     scp /tmp/fc-worldbuilder-v<TAG>.tar fcadmin@$h:/tmp/
-#     ssh fcadmin@$h "sudo /var/lib/rancher/rke2/bin/ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /home/fcadmin/.fcv/fc-worldbuilder-v<TAG>.tar"
+#     ssh fcadmin@$h "sudo /var/lib/rancher/rke2/bin/ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/fc-worldbuilder-v<TAG>.tar"
 #   done
 ---
 apiVersion: v1
@@ -77,8 +77,6 @@ spec:
        flowercore.io/tenant-id: system
        flowercore.io/created-by: bluejay-infra
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
@@ -90,12 +88,11 @@ spec:
      containers:
        - name: web
          # Bump tag for each rebuild. Initial deploy: v202605062048
-          image: localhost/fc-worldbuilder:v202606121657-35aaa2c-gpu
+          image: localhost/fc-worldbuilder:v202605062048
          imagePullPolicy: Never
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
@@ -117,16 +114,14 @@ spec:
              value: "/data/gallery"
            - name: FlowerCore__WorldBuilder__Export__RootPath
              value: "/data/exports"
-            # Operator-approved live GPU lane. Internal-only host targets
+            # Visitor-safe Sprint 32 profile: fake backend keeps public demo
-            # BLUEJAY-WS ComfyUI; keep public host pre-staging disabled below.
+            # rendering deterministic and avoids exposing BLUEJAY-WS GPU.
            - name: FlowerCore__WorldBuilder__ImageGeneration__BaseUrl
-              value: "http://10.0.56.20:8188"
+              value: "http://127.0.0.1:1"
            - name: FlowerCore__WorldBuilder__ImageGeneration__ClientMode
-              value: "comfyui"
+              value: "fake"
            - name: FlowerCore__WorldBuilder__ImageGeneration__BackendId
-              value: "comfyui"
+              value: "fake"
            - name: FlowerCore__WorldBuilder__ImageGeneration__VisitorSafe
              value: "false"
          resources:
            # Cluster CPU-request budget runs hot (99% on all 3 nodes at deploy
            # time) while actual CPU usage is well below capacity. Idle Blazor
@@ -259,26 +254,3 @@ spec:
          port: 80
  tls:
    secretName: worldbuilder-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose worldbuilder-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: worldbuilder-web-public
 #   namespace: worldbuilder
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`worldbuilder.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: worldbuilder-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: worldbuilder-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/zabbix/zabbix.yaml
+++ b/apps/zabbix/zabbix.yaml
@@ -344,6 +344,7 @@ spec:
  dnsNames:
    - zabbix.iamworkin.lan
 ---
 # Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Traefik IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -13,21 +13,67 @@ public sealed class FleetManifestLintTests
    private static readonly HashSet<string> PublicReadOnlyHosts = new(StringComparer.Ordinal)
    {
        "bluejay.dev",
        "brochure.flowercore.io",
        "dist.flowercore.io",
        "element.flowercore.io",
        "erckak.dev",
        "flowercore.io",
        "flowerinsider.xyz",
        "timeforta.co",
        "voice-ws.bluejay.dev",
        "www.bluejay.dev",
        "www.erckak.dev",
        "www.flowercore.io",
        "www.flowerinsider.xyz",
        "www.timeforta.co",
    };
-    // Hosts that allow a tightly bounded write surface in addition to GET/HEAD.
+    // Public hosts that allow a tightly bounded write surface in addition to
-    // updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
+    // GET/HEAD. updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
    // (bootstrap-JWT) so its allowlist is GET||HEAD||POST||OPTIONS — but
-    // PUT/PATCH/DELETE must still 404 at the route. Public
+    // PUT/PATCH/DELETE must still 404 at the route. Anything wider than this
-    // update.flowercore.io remains a GET/HEAD download surface in the
+    // set should fail this lint.
-    // FlowerCore.Updater sibling manifest and is covered by the general
+    //
-    // public-method allowlist lint instead of this write-surface rule.
+    // PUB-1 (2026-05-06): update.flowercore.io / updates.flowercore.io were
    // added for the Cloudflare-proxied public Update Center edge. They use the
    // same bounded read-write allowlist as the LAN pair.
    private static readonly HashSet<string> PublicReadWriteAllowlistHosts = new(StringComparer.Ordinal)
    {
        "chat.flowercore.io",
        "gitea.flowercore.io",
        "matrix.flowercore.io",
        "telephony.flowercore.io",
        "telephony.iamwork.in",
        "updatecenter.iamworkin.lan",
        "updates.iamworkin.lan",
        "update.flowercore.io",
        "updates.flowercore.io",
        "voice.bluejay.dev",
        "webmail.flowercore.io",
    };
    private static readonly IReadOnlyDictionary<string, string> InfraHealthzProbeDeployments = new Dictionary<string, string>(StringComparer.Ordinal)
    {
        ["andrew"] = "andrew-web",
        ["dustin"] = "dustin-web",
        ["erik"] = "erik-web",
        ["fc-landing"] = "fc-landing",
        ["fit"] = "fit-web",
        ["flowercore"] = "flowercore-web",
        ["pki-web"] = "pki-web",
    };
    private static readonly IReadOnlyDictionary<string, string> InfraForwardedProtoProbeDeployments = new Dictionary<string, string>(StringComparer.Ordinal)
    {
        ["andrew"] = "andrew-web",
        ["dustin"] = "dustin-web",
        ["erik"] = "erik-web",
        ["fc-landing"] = "fc-landing",
        ["fit"] = "fit-web",
        ["flowercore"] = "flowercore-web",
        ["pki-web"] = "pki-web",
        ["telephony"] = "telephony-web",
    };
    private static readonly HashSet<string> ApiKeyProtectedDeployments = new(StringComparer.Ordinal)
@@ -65,7 +111,7 @@ public sealed class FleetManifestLintTests
        ["github-runner-updater"] = "https://github.com/astoltz/FlowerCore.Updater",
    };
-    private static readonly HashSet<string> RepoScopedLinuxRunnerDeployments = new(StringComparer.Ordinal)
+    private static readonly HashSet<string> ScaledLinuxRunnerDeployments = new(StringComparer.Ordinal)
    {
        "github-runner-sharedpos",
        "github-runner-puppet",
@@ -79,44 +125,6 @@ public sealed class FleetManifestLintTests
        "github-runner-updater",
    };
    private static readonly IReadOnlyDictionary<string, (string Deployment, string ProbePath)> BroaderHardeningDeployments =
        new Dictionary<string, (string Deployment, string ProbePath)>(StringComparer.Ordinal)
        {
            ["fc-aistation"] = ("aistation-web", "/healthz"),
            ["fc-chat"] = ("chat-web", "/healthz"),
            ["fc-devicemgmt"] = ("fc-devicemgmt-web", "/healthz"),
            ["fc-library"] = ("library-web", "/health"),
            ["fc-llm-bridge"] = ("fc-llm-bridge", "/healthz"),
            ["fc-messageboard"] = ("messageboard-web", "/health"),
            ["fc-retail"] = ("retail-web", "/healthz"),
            ["fc-ttsreader"] = ("ttsreader-web", "/health"),
            ["fc-updater"] = ("updatecenter-web", "/"),
            ["knowledge"] = ("knowledge-web", "/healthz"),
            ["telephony"] = ("telephony-web", "/health"),
            ["worldbuilder"] = ("worldbuilder-web", "/healthz"),
        };
    private static readonly HashSet<string> BroaderHardeningInternalPrestageApps = new(StringComparer.Ordinal)
    {
        "fc-aistation",
        "fc-desktop",
        "fc-dms",
        "fc-library",
        "fc-llm-bridge",
        "fc-menuboard",
        "fc-messageboard",
        "fc-mysql",
        "fc-php",
        "fc-presentations",
        "fc-retail",
        "fc-scoreboard",
        "fc-segmentdisplay",
        "fc-signage",
        "fc-ttsreader",
        "knowledge",
        "worldbuilder",
    };
    private static readonly IReadOnlyDictionary<string, string> WritableRunnerEnv = new Dictionary<string, string>(StringComparer.Ordinal)
    {
        ["HOME"] = "/home/runner",
@@ -165,8 +173,13 @@ public sealed class FleetManifestLintTests
                    }))
            .Where(entry => PublicReadOnlyHosts.Any(host => entry.Match.Contains($"Host(`{host}`)", StringComparison.Ordinal)))
            .Where(entry => !entry.Match.Contains("Method(`GET`)", StringComparison.Ordinal)
-                || !entry.Match.Contains("Method(`HEAD`)", StringComparison.Ordinal))
+                || !entry.Match.Contains("Method(`HEAD`)", StringComparison.Ordinal)
-            .Select(entry => $"{entry.Document.Descriptor} is missing an explicit GET/HEAD method allowlist.")
+                || entry.Match.Contains("Method(`POST`)", StringComparison.Ordinal)
                || entry.Match.Contains("Method(`PUT`)", StringComparison.Ordinal)
                || entry.Match.Contains("Method(`PATCH`)", StringComparison.Ordinal)
                || entry.Match.Contains("Method(`DELETE`)", StringComparison.Ordinal)
                || entry.Match.Contains("Method(`OPTIONS`)", StringComparison.Ordinal))
            .Select(entry => $"{entry.Document.Descriptor} must explicitly allow GET/HEAD only on a public read-only host.")
            .ToList();
        violations.Should().BeEmpty();
@@ -272,7 +285,6 @@ public sealed class FleetManifestLintTests
            var container = deployments[expectedRunner.Key].MainContainerMappings().Should().ContainSingle().Subject;
            EnvValue(container, "REPO_URL").Should().Be(expectedRunner.Value);
            EnvValue(container, "EPHEMERAL").Should().Be("true");
            EnvValue(container, "DISABLE_AUTO_UPDATE").Should().Be("true", $"{expectedRunner.Key} must not self-update inside immutable Kubernetes runner pods");
            EnvValue(container, "LABELS").Should().Be("self-hosted,linux,fc-build-linux");
            EnvValue(container, "RUN_AS_ROOT").Should().Be("false");
            EnvValue(container, "ACCESS_TOKEN").Should().BeNull("ACCESS_TOKEN must come from github-runner-token Secret, not a literal");
@@ -306,17 +318,17 @@ public sealed class FleetManifestLintTests
    }
    [Fact]
-    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForRepoScopedDeployments()
+    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForScaledDeployments()
    {
        var deployments = GitHubRunnerDeployments();
-        foreach (var deploymentName in RepoScopedLinuxRunnerDeployments)
+        foreach (var deploymentName in ScaledLinuxRunnerDeployments)
        {
            var deployment = deployments[deploymentName];
-            // Sprint 34 ops trimmed runner load while the cluster was degraded
+            // Scaled runners must have >= 2 replicas (avoid single-pod bottleneck).
-            // to two healthy nodes. Repo-scoped runners can be tuned back above
+            // Individual deployments may be tuned upward per CI activity — see
-            // one replica, but they must stay RWO-safe before that happens.
+            // "runners: right-size replica counts per 14d CI activity (#24)".
-            ReplicaCount(deployment).Should().BeGreaterOrEqualTo(1, $"{deploymentName} must keep at least one repo-scoped runner online");
+            ReplicaCount(deployment).Should().BeGreaterOrEqualTo(2, $"{deploymentName} is in the scaled set and must run with at least 2 replicas");
            var volumes = deployment.MappingSequence("spec", "template", "spec", "volumes");
            var claimNames = volumes
@@ -324,7 +336,7 @@ public sealed class FleetManifestLintTests
                .Where(value => !string.IsNullOrWhiteSpace(value))
                .ToList();
-            claimNames.Should().BeEmpty($"{deploymentName} must remain ready for safe multi-replica scaling without sharing a RWO PVC");
+            claimNames.Should().BeEmpty($"{deploymentName} is scaled and must not share a RWO PVC");
            volumes.Should().Contain(volume =>
                string.Equals(ManifestNodeExtensions.Scalar(volume, "name"), "nuget-cache", StringComparison.Ordinal)
                && ManifestNodeExtensions.Mapping(volume, "emptyDir") != null);
@@ -508,6 +520,49 @@ public sealed class FleetManifestLintTests
        violations.Should().BeEmpty();
    }
    [Fact]
    public void AuthSafeInfraHealthzProbes_MustDeclareAnonymousHealthzContract()
    {
        var violations = InfraHealthzProbeDeployments.SelectMany(expected =>
        {
            var deployment = AppDocuments(expected.Key)
                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value);
            var hasHealthzProbe = deployment.MainContainerMappings()
                .Any(container => ProbeHttpGetPath(container, "readinessProbe") == "/healthz"
                    || ProbeHttpGetPath(container, "startupProbe") == "/healthz"
                    || ProbeHttpGetPath(container, "livenessProbe") == "/healthz");
            return hasHealthzProbe
                && !string.Equals(PodAnnotation(deployment, "flowercore.io/healthz-auth-policy"), "allow-anonymous", StringComparison.Ordinal)
                    ? new[] { $"{deployment.Descriptor} probes /healthz but lacks flowercore.io/healthz-auth-policy: allow-anonymous." }
                    : Array.Empty<string>();
        }).ToList();
        violations.Should().BeEmpty();
    }
    [Fact]
    public void AuthSafeInfraHttpProbes_MustSendForwardedProtoHttpsHeader()
    {
        var violations = InfraForwardedProtoProbeDeployments.SelectMany(expected =>
        {
            var deployment = AppDocuments(expected.Key)
                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value);
            return deployment.MainContainerMappings()
                .SelectMany(container => new[] { "startupProbe", "readinessProbe", "livenessProbe" }
                    .Where(probeKey => ProbeHttpGetPath(container, probeKey) is "/healthz" or "/health")
                    .Where(probeKey => !string.Equals(ProbeHttpGetHeaderValue(container, probeKey, "X-Forwarded-Proto"), "https", StringComparison.Ordinal))
                    .Select(probeKey =>
                    {
                        var containerName = ManifestNodeExtensions.Scalar(container, "name") ?? "<unnamed>";
                        return $"{deployment.Descriptor} container '{containerName}' {probeKey} is missing X-Forwarded-Proto=https.";
                    }));
        }).ToList();
        violations.Should().BeEmpty();
    }
    [Fact]
    public void Knowledge_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
    {
@@ -647,10 +702,10 @@ public sealed class FleetManifestLintTests
        var expectedFiles = new[]
        {
            "1password-item.yaml",
            "argocd-application.yaml",
            "certificate-web.yaml",
            "clusterrole-operator.yaml",
            "clusterrolebinding-operator.yaml",
            "crds.yaml",
            "deployment-operator.yaml",
            "deployment-web.yaml",
            "ingressroute-web.yaml",
@@ -740,8 +795,7 @@ public sealed class FleetManifestLintTests
            .Single(document => document.Kind == "ClusterRole" && document.Name == "fc-devicemgmt-operator");
        var allScalars = clusterRole.AllScalars().ToList();
-        allScalars.Should().Contain("flowercore.io");
+        allScalars.Should().Contain("devices.flowercore.io");
        allScalars.Should().NotContain("devices.flowercore.io");
        allScalars.Should().Contain("*");
        allScalars.Should().Contain("deployments");
        allScalars.Should().Contain("get");
@@ -770,7 +824,7 @@ public sealed class FleetManifestLintTests
        FcDeviceManagementDocuments().Should().NotContain(document => document.Kind == "Secret");
        appText.Should().Contain("secretKeyRef:");
-        appText.Should().Contain("name: fc-devicemgmt-runtime");
+        appText.Should().Contain("secretName: fc-devicemgmt-runtime");
        appText.Should().NotContain("stringData:");
        appText.Should().NotContain("from-literal");
        appText.Should().NotContain("tls.key:");
@@ -804,62 +858,17 @@ public sealed class FleetManifestLintTests
    }
    [Fact]
-    public void FcDeviceManagement_MustRelyOnApplicationSetDiscovery()
+    public void FcDeviceManagement_ArgocdApplicationMustMatchApplicationSetDiscoveryConventions()
    {
-        var documents = FcDeviceManagementDocuments();
+        var application = FcDeviceManagementDocuments()
            .Single(document => document.Kind == "Application" && document.Name == "infra-fc-devicemgmt");
-        documents.Should().NotContain(document => document.Kind == "Application");
+        application.Namespace.Should().Be("argocd");
-
+        application.Scalar("spec", "source", "repoURL")
-        var ns = documents.Single(document => document.Kind == "Namespace" && document.Name == "fc-devicemgmt");
+            .Should()
-        ns.FileText.Should().Contain("ArgoCD discovers this directory as Application `infra-fc-devicemgmt`.");
+            .Be("http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git");
-    }
+        application.Scalar("spec", "source", "path").Should().Be("apps/fc-devicemgmt");
-
+        application.Scalar("spec", "destination", "namespace").Should().Be("fc-devicemgmt");
    [Fact]
    public void BroaderHardeningDeployments_MustAnnotateAnonymousHealthProbeIntent()
    {
        foreach (var expected in BroaderHardeningDeployments)
        {
            var deployment = AppDocuments(expected.Key)
                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value.Deployment);
            PodAnnotation(deployment, "fc.flowercore.io/healthz-anon").Should().Be("true");
            PodAnnotation(deployment, "fc.flowercore.io/probe-path").Should().Be(expected.Value.ProbePath);
        }
    }
    [Fact]
    public void BroaderHardeningDeployments_MustDocumentForwardedProtoAuthPosture()
    {
        foreach (var expected in BroaderHardeningDeployments)
        {
            var deployment = AppDocuments(expected.Key)
                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value.Deployment);
            deployment.FileText.Should().Contain(
                "fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178)");
        }
    }
    [Fact]
    public void BroaderHardeningInternalApps_MustOnlyPrestageCommentedPublicMethodAllowlist()
    {
        foreach (var app in BroaderHardeningInternalPrestageApps)
        {
            var documents = AppDocuments(app);
            var text = string.Join(Environment.NewLine, documents.Select(document => document.FileText));
            text.Should().Contain("PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only)");
            text.Should().Contain("#     - match: Host(`");
            text.Should().Contain("Method(`GET`) || Method(`HEAD`)");
            documents
                .Where(document => document.Kind == "IngressRoute")
                .SelectMany(document => document.MappingSequence("spec", "routes"))
                .Select(route => ManifestNodeExtensions.Scalar(route, "match") ?? string.Empty)
                .Should()
                .NotContain(match => match.Contains(".flowercore.io", StringComparison.Ordinal),
                    "Sprint 61 broader hardening only pre-stages commented public hosts for internal-only apps");
        }
    }
    [Fact]
@@ -867,9 +876,9 @@ public sealed class FleetManifestLintTests
    {
        var deployments = new[]
        {
-            (App: "fc-dns", Name: "dns-web", Slug: "dns", Secret: "dns-oidc-client", AuthEnabled: "false"),
+            (App: "fc-dns", Name: "dns-web", Slug: "dns", Secret: "dns-oidc-client"),
-            (App: "fc-media", Name: "fc-media-web", Slug: "media", Secret: "media-oidc-client", AuthEnabled: "true"),
+            (App: "fc-media", Name: "fc-media-web", Slug: "media", Secret: "media-oidc-client"),
-            (App: "fc-distribution", Name: "fc-distribution", Slug: "distribution", Secret: "distribution-oidc-client", AuthEnabled: "true"),
+            (App: "fc-distribution", Name: "fc-distribution", Slug: "distribution", Secret: "distribution-oidc-client"),
        };
        foreach (var expected in deployments)
@@ -878,7 +887,7 @@ public sealed class FleetManifestLintTests
                .Single(document => document.Kind == "Deployment" && document.Name == expected.Name);
            var container = deployment.MainContainerMappings().Should().ContainSingle().Subject;
-            EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be(expected.AuthEnabled);
+            EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
            EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
            (EnvValue(container, "FlowerCore__Auth__Oidc__Audience") ?? EnvValue(container, "FlowerCore__Auth__Oidc__ClientId"))
                .Should()
@@ -927,7 +936,7 @@ public sealed class FleetManifestLintTests
        var dnsPvc = AppDocuments("fc-dns")
            .Single(document => document.Kind == "PersistentVolumeClaim" && document.Name == "dns-web-data");
-        ManifestNodeExtensions.Scalar(dnsContainer, "image").Should().Be("localhost/fc-dns-web:v20260612-l4dns-a5d2849");
+        ManifestNodeExtensions.Scalar(dnsContainer, "image").Should().Be("localhost/fc-dns-web:v20260604-oidc-proper");
        dnsPvc.Scalar("spec", "storageClassName").Should().Be("longhorn");
        dnsPvc.Scalar("spec", "resources", "requests", "storage").Should().Be("1Gi");
@@ -1096,6 +1105,20 @@ public sealed class FleetManifestLintTests
            : null;
    }
    private static string? ProbeHttpGetHeaderValue(YamlMappingNode container, string probeKey, string name)
    {
        if (!ManifestNodeExtensions.TryGetMapping(container, probeKey, out var probe)
            || !ManifestNodeExtensions.TryGetMapping(probe, "httpGet", out var httpGet))
        {
            return null;
        }
        return ManifestNodeExtensions.MappingSequence(httpGet, "httpHeaders")
            .Where(header => string.Equals(ManifestNodeExtensions.Scalar(header, "name"), name, StringComparison.Ordinal))
            .Select(header => ManifestNodeExtensions.Scalar(header, "value"))
            .SingleOrDefault();
    }
    private static IReadOnlyList<ManifestDocument> FcDeviceManagementDocuments()
    {
        return Inventory.Documents