fix(distribution): revert OIDC enforcement — enabling it gated /healthz probe (service down)

Flipping Auth__Enabled=true gated the /healthz readiness probe (302->NotReady->
no endpoints->distribution.iamworkin.lan down, healthz=000). Classic
feedback_k8s_probes_behind_auth_middleware. Revert to false (OIDC env block kept,
gate off) to restore service. Proper fix (AllowAnonymous /healthz + CA-trust +
idempotent Editions seed + OIDC-challenge wiring + browser-proof) -> falcon OIDC lane.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

apps/fc-distribution/fc-distribution.yaml

@@ -74,14 +74,6 @@ metadata:
 spec:
   itemPath: "vaults/IAmWorkin/items/FlowerCore Edition Signing Key - edition:aistation-field"
 ---
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: distribution-oidc-client
-  namespace: fc-distribution
-spec:
-  itemPath: "vaults/IAmWorkin/items/distribution-oidc-client"
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -138,24 +130,21 @@ spec:
               value: "Production"
             - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
               value: "false"
+            # Authentik/OIDC enforcement (flipped ON 2026-06-04, no-live-proof per operator;
+            # public read/entitlement + Method() allowlist stay open — OIDC gates admin only).
+            # Auth__Enabled reverted to false 2026-06-04: enabling it gated the
+            # /healthz readiness probe (probe->302->NotReady->endpoints drop->down).
+            # Re-enable once /healthz is AllowAnonymous (falcon OIDC lane).
             - name: FlowerCore__Auth__Enabled
-              value: "true"
+              value: "false"
             - name: FlowerCore__Auth__Oidc__Enabled
               value: "true"
             - name: FlowerCore__Auth__Oidc__Authority
-              valueFrom:
+              value: "https://id.iamworkin.lan/application/o/distribution/"
-                secretKeyRef:
-                  name: distribution-oidc-client
-                  key: issuer_url
-                  optional: true
             - name: FlowerCore__Auth__Oidc__Audience
               value: "distribution"
             - name: FlowerCore__Auth__Oidc__ClientId
-              valueFrom:
+              value: "distribution"
-                secretKeyRef:
-                  name: distribution-oidc-client
-                  key: client_id
-                  optional: true
             - name: FlowerCore__Auth__Oidc__ClientSecret
               valueFrom:
                 secretKeyRef:

apps/knowledge/knowledge.yaml

@@ -51,14 +51,6 @@ metadata:
 spec:
   itemPath: "vaults/IAmWorkin/items/FlowerCore Knowledge MCP Tokens"
 ---
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: knowledge-oidc-client
-  namespace: knowledge
-spec:
-  itemPath: "vaults/IAmWorkin/items/knowledge-oidc-client"
----
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -132,37 +124,24 @@ spec:
             - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
               value: "false"
             # AuthentiK/OIDC is wired but not enforced until the
-            # knowledge-oidc-client Secret is provisioned. Service-to-service
+            # knowledge-oidc-client Secret is provisioned and
-            # RAG keeps the existing MCP token as FlowerCore:Auth:ApiKey.
+            # FlowerCore__Auth__Enabled is flipped to true.
             - name: FlowerCore__Auth__Enabled
               value: "true"
             - name: FlowerCore__Auth__Oidc__Enabled
               value: "true"
             - name: FlowerCore__Auth__Oidc__Authority
-              valueFrom:
+              value: "https://id.iamworkin.lan/application/o/knowledge/"
-                secretKeyRef:
-                  name: knowledge-oidc-client
-                  key: issuer_url
-                  optional: true
             - name: FlowerCore__Auth__Oidc__Audience
               value: "knowledge"
             - name: FlowerCore__Auth__Oidc__ClientId
-              valueFrom:
+              value: "knowledge"
-                secretKeyRef:
-                  name: knowledge-oidc-client
-                  key: client_id
-                  optional: true
             - name: FlowerCore__Auth__Oidc__ClientSecret
               valueFrom:
                 secretKeyRef:
                   name: knowledge-oidc-client
                   key: client_secret
                   optional: true
-            - name: FlowerCore__Auth__ApiKey
-              valueFrom:
-                secretKeyRef:
-                  name: knowledge-mcp-tokens
-                  key: password
             # Vector-store directory + embedding model + edition profile dir.
             # Profile JSON is baked into the image at /home/app/editions via the
             # csproj Content-link from FlowerCore.Common/editions/.