fix(auth): harden public infra routes

Sprint 58 Cx-12. Rebased over OIDC GitOps main; YAML parse and focused bluejay-infra lint tests passed.

apps/andrew/andrew.yaml

@@ -201,6 +201,8 @@ spec:
     metadata:
       labels:
         app: andrew-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -225,12 +227,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
@@ -265,7 +273,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`bluejay.dev`) || Host(`www.bluejay.dev`)
+    - match: (Host(`bluejay.dev`) || Host(`www.bluejay.dev`)) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: andrew-web

apps/dustin/dustin.yaml

@@ -201,6 +201,8 @@ spec:
     metadata:
       labels:
         app: dustin-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -225,12 +227,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
@@ -265,7 +273,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`timeforta.co`) || Host(`www.timeforta.co`)
+    - match: (Host(`timeforta.co`) || Host(`www.timeforta.co`)) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: dustin-web

apps/erik/erik.yaml

@@ -201,6 +201,8 @@ spec:
     metadata:
       labels:
         app: erik-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -225,12 +227,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
@@ -265,7 +273,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`erckak.dev`) || Host(`www.erckak.dev`)
+    - match: (Host(`erckak.dev`) || Host(`www.erckak.dev`)) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: erik-web

apps/fc-distribution/fc-distribution.yaml

@@ -109,6 +109,7 @@ spec:
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       # Synology NFS export `/volume1/kubernetes` ACL only allows rke2-server
       # (10.0.56.11) right now. Until the ACL is widened in DSM (admin only),

apps/fc-dns/fc-dns.yaml

@@ -101,6 +101,7 @@ spec:
         prometheus.io/scrape: "true"
         prometheus.io/port: "5320"
         prometheus.io/path: "/metrics/prometheus"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       serviceAccountName: dns-web
       securityContext:

apps/fc-landing/fc-landing.yaml

@@ -203,6 +203,8 @@ spec:
     metadata:
       labels:
         app: fc-landing
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -227,12 +229,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
@@ -298,7 +306,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+    - match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: fc-landing
@@ -316,7 +324,7 @@ spec:
   entryPoints:
     - web
   routes:
-    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+    - match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: fc-landing

apps/fc-media/fc-media.yaml

@@ -131,6 +131,7 @@ spec:
         prometheus.io/scrape: "true"
         prometheus.io/port: "5200"
         prometheus.io/path: "/metrics"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       nodeSelector:
         kubernetes.io/hostname: rke2-server

apps/fit/fit.yaml

@@ -201,6 +201,8 @@ spec:
     metadata:
       labels:
         app: fit-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -225,12 +227,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
@@ -265,7 +273,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)
+    - match: (Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: fit-web

apps/flowercore/flowercore.yaml

@@ -257,6 +257,8 @@ spec:
     metadata:
       labels:
         app: flowercore-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -281,12 +283,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:

apps/gitea-public/gitea-public.yaml

@@ -11,7 +11,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`gitea.flowercore.io`)
+    - match: Host(`gitea.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
       kind: Rule
       services:
         - name: gitea-http

apps/knowledge/knowledge.yaml

@@ -93,6 +93,7 @@ spec:
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       securityContext:
         runAsNonRoot: true
@@ -123,9 +124,9 @@ spec:
               value: "Production"
             - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
               value: "false"
-            # AuthentiK/OIDC is wired but not enforced until the
-            # knowledge-oidc-client Secret is provisioned and
-            # FlowerCore__Auth__Enabled is flipped to true.
+            # AuthentiK/OIDC is enforced. /healthz stays anonymous by contract;
+            # see flowercore.io/healthz-auth-policy above and the Sprint 58
+            # OIDC readiness probe audit.
             - name: FlowerCore__Auth__Enabled
               value: "true"
             - name: FlowerCore__Auth__Oidc__Enabled

apps/mail/mail.yaml

@@ -243,7 +243,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`webmail.flowercore.io`)
+    - match: Host(`webmail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
       kind: Rule
       services:
         - name: mail-webmail

apps/matrix/matrix.yaml

@@ -479,7 +479,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`element.flowercore.io`)
+    - match: Host(`element.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: element-web
@@ -497,7 +497,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`matrix.flowercore.io`)
+    - match: Host(`matrix.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
       kind: Rule
       services:
         - name: synapse

apps/monitoring/noc-monitoring.yaml

@@ -481,22 +481,25 @@ data:
               - "https://intranet.iamworkin.lan/"
               - "https://signage.iamworkin.lan/healthz"   # root 401 auth-gated 2026-06-01; /healthz anon 200
               - "https://kiosk.iamworkin.lan/"
-              - "https://media.iamworkin.lan/healthz"   # root auth-gated by OIDC; /healthz anon 200
+              - "https://media.iamworkin.lan/healthz"    # root auth-gated by OIDC; /healthz anonymous 200
               - "https://mysql.iamworkin.lan/healthz"   # root 401 auth-gated 2026-06-01; /healthz anon 200
               - "https://php.iamworkin.lan/healthz"     # root 401 auth-gated 2026-06-01; /healthz anon 200
               - "https://zabbix.iamworkin.lan/"
               - "https://desktop.iamworkin.lan/"
-              - "https://print.iamworkin.lan/"
-              - "https://dns.iamworkin.lan/healthz"     # root auth-gated by OIDC; /healthz anon 200
-              - "https://chat.iamworkin.lan/"
-              - "https://dist.iamworkin.lan/healthz"    # root/admin auth-gated by OIDC; /healthz anon 200
-              - "https://dms.iamworkin.lan/"
+              - "https://print.iamworkin.lan/healthz"    # root 401 behind API key auth; /healthz anonymous 200
+              - "https://dns.iamworkin.lan/healthz"      # root auth-gated by OIDC; /healthz anonymous 200
+              - "https://chat.iamworkin.lan/healthz"     # OIDC staged; keep blackbox off root before enforcement flips
+              - "https://dist.iamworkin.lan/healthz"     # root/admin auth-gated by OIDC; /healthz anonymous 200
+              - "https://dms.iamworkin.lan/healthz"      # future OIDC posture; health route is already anonymous/live
               - "https://menuboard.iamworkin.lan/"
               - "https://messageboard.iamworkin.lan/"
               - "https://presentations.iamworkin.lan/"
               - "https://retail.iamworkin.lan/"
               - "https://ttsreader.iamworkin.lan/"
               # Explicit healthcheck paths
+              - "https://library.iamworkin.lan/health"
+              - "https://aistation.iamworkin.lan/healthz"
+              - "https://knowledge.iamworkin.lan/healthz"
               - "https://fc-llm-bridge.iamworkin.lan/healthz"
               - "https://acme.iamworkin.lan/health"
               # NOTE: services intentionally NOT in this probe surface
@@ -1020,7 +1023,12 @@ data:
       - name: kubernetes-state
         rules:
           - alert: KubeContainerRestartingFrequently
-            expr: increase(kube_pod_container_status_restarts_total[1h]) > 5
+            # Exclude github-runner: ephemeral runners register, run one job,
+            # exit cleanly, and restart by design. Also require kube_pod_info so
+            # deleted rollout pods do not keep firing from retained restart series.
+            expr: |
+              increase(kube_pod_container_status_restarts_total{namespace!="github-runner"}[1h]) > 5
+              and on(namespace, pod) kube_pod_info
             for: 15m
             labels:
               severity: warning
@@ -1029,7 +1037,12 @@ data:
               description: "Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has restarted {{ $value | printf \"%.0f\" }} times in the last hour. Check 'kubectl describe pod' + last-state termination reason."
 
           - alert: KubeContainerCrashLooping
-            expr: increase(kube_pod_container_status_restarts_total[15m]) > 3
+            # Same github-runner/delete-retention exclusions as the hourly
+            # restart rule above; real runner failures are covered by the
+            # dedicated LinuxRunnerOffline/MacMiniRunnerOffline alerts.
+            expr: |
+              increase(kube_pod_container_status_restarts_total{namespace!="github-runner"}[15m]) > 3
+              and on(namespace, pod) kube_pod_info
             for: 5m
             labels:
               severity: critical
@@ -1057,7 +1070,10 @@ data:
               description: "Pod can't pull image. Check the image ref (often a stale tag or unreachable registry) and clean up if it's an orphan."
 
           - alert: KubeDeploymentReplicasMismatch
-            expr: kube_deployment_spec_replicas != kube_deployment_status_replicas_available
+            # github-runner has explicit runner-offline alerts; the generic
+            # replica-mismatch rule should not page on intentionally ephemeral
+            # 0/1 runner churn between CI jobs.
+            expr: kube_deployment_spec_replicas{namespace!="github-runner"} != kube_deployment_status_replicas_available{namespace!="github-runner"}
             for: 15m
             labels:
               severity: warning

apps/pki-web/pki-web.yaml

@@ -134,6 +134,8 @@ spec:
     metadata:
       labels:
         app: pki-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -158,12 +160,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
@@ -201,6 +209,7 @@ spec:
   dnsNames:
     - pki.iamworkin.lan
 ---
+# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Traefik IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute

apps/telephony/telephony.yaml

@@ -207,12 +207,18 @@ spec:
             httpGet:
               path: /health
               port: 5100
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 30
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /health
               port: 5100
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 10
             periodSeconds: 5
       volumes:
@@ -256,12 +262,12 @@ spec:
     - websecure
   routes:
     - kind: Rule
-      match: Host(`telephony.flowercore.io`)
+      match: Host(`telephony.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
       services:
         - name: telephony-web
           port: 5100
     - kind: Rule
-      match: Host(`telephony.iamwork.in`)
+      match: Host(`telephony.iamwork.in`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
       services:
         - name: telephony-web
           port: 5100

apps/traefik-dashboard/traefik-dashboard.yaml

@@ -20,10 +20,11 @@ metadata:
 spec:
   basicAuth:
     secret: traefik-dashboard-auth
----
-# Dashboard IngressRoute
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+---
+# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
+# Dashboard IngressRoute
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
 metadata:
   name: traefik-dashboard
   namespace: traefik-system

apps/voice/voice.yaml

@@ -66,7 +66,7 @@ spec:
     - websecure
   routes:
     - kind: Rule
-      match: Host(`voice.bluejay.dev`)
+      match: Host(`voice.bluejay.dev`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
       services:
         - name: voice-bridge
           port: 8766
@@ -84,7 +84,7 @@ spec:
     - websecure
   routes:
     - kind: Rule
-      match: Host(`voice-ws.bluejay.dev`)
+      match: Host(`voice-ws.bluejay.dev`) && (Method(`GET`) || Method(`HEAD`))
       services:
         - name: voice-bridge
           port: 8765

apps/zabbix/zabbix.yaml

@@ -344,6 +344,7 @@ spec:
   dnsNames:
     - zabbix.iamworkin.lan
 ---
+# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Traefik IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute

tests/bluejay-infra-lint/FleetManifestLintTests.cs

@@ -13,8 +13,20 @@ public sealed class FleetManifestLintTests
 
     private static readonly HashSet<string> PublicReadOnlyHosts = new(StringComparer.Ordinal)
     {
+        "bluejay.dev",
         "brochure.flowercore.io",
         "dist.flowercore.io",
+        "element.flowercore.io",
+        "erckak.dev",
+        "flowercore.io",
+        "flowerinsider.xyz",
+        "timeforta.co",
+        "voice-ws.bluejay.dev",
+        "www.bluejay.dev",
+        "www.erckak.dev",
+        "www.flowercore.io",
+        "www.flowerinsider.xyz",
+        "www.timeforta.co",
     };
 
     // Public hosts that allow a tightly bounded write surface in addition to
@@ -28,10 +40,40 @@ public sealed class FleetManifestLintTests
     // same bounded read-write allowlist as the LAN pair.
     private static readonly HashSet<string> PublicReadWriteAllowlistHosts = new(StringComparer.Ordinal)
     {
+        "chat.flowercore.io",
+        "gitea.flowercore.io",
+        "matrix.flowercore.io",
+        "telephony.flowercore.io",
+        "telephony.iamwork.in",
         "updatecenter.iamworkin.lan",
         "updates.iamworkin.lan",
         "update.flowercore.io",
         "updates.flowercore.io",
+        "voice.bluejay.dev",
+        "webmail.flowercore.io",
+    };
+
+    private static readonly IReadOnlyDictionary<string, string> InfraHealthzProbeDeployments = new Dictionary<string, string>(StringComparer.Ordinal)
+    {
+        ["andrew"] = "andrew-web",
+        ["dustin"] = "dustin-web",
+        ["erik"] = "erik-web",
+        ["fc-landing"] = "fc-landing",
+        ["fit"] = "fit-web",
+        ["flowercore"] = "flowercore-web",
+        ["pki-web"] = "pki-web",
+    };
+
+    private static readonly IReadOnlyDictionary<string, string> InfraForwardedProtoProbeDeployments = new Dictionary<string, string>(StringComparer.Ordinal)
+    {
+        ["andrew"] = "andrew-web",
+        ["dustin"] = "dustin-web",
+        ["erik"] = "erik-web",
+        ["fc-landing"] = "fc-landing",
+        ["fit"] = "fit-web",
+        ["flowercore"] = "flowercore-web",
+        ["pki-web"] = "pki-web",
+        ["telephony"] = "telephony-web",
     };
 
     private static readonly HashSet<string> ApiKeyProtectedDeployments = new(StringComparer.Ordinal)
@@ -131,8 +173,13 @@ public sealed class FleetManifestLintTests
                     }))
             .Where(entry => PublicReadOnlyHosts.Any(host => entry.Match.Contains($"Host(`{host}`)", StringComparison.Ordinal)))
             .Where(entry => !entry.Match.Contains("Method(`GET`)", StringComparison.Ordinal)
-                || !entry.Match.Contains("Method(`HEAD`)", StringComparison.Ordinal))
-            .Select(entry => $"{entry.Document.Descriptor} is missing an explicit GET/HEAD method allowlist.")
+                || !entry.Match.Contains("Method(`HEAD`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`POST`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`PUT`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`PATCH`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`DELETE`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`OPTIONS`)", StringComparison.Ordinal))
+            .Select(entry => $"{entry.Document.Descriptor} must explicitly allow GET/HEAD only on a public read-only host.")
             .ToList();
 
         violations.Should().BeEmpty();
@@ -423,6 +470,125 @@ public sealed class FleetManifestLintTests
         monitoring.Should().Contain("alert_channel: irc");
     }
 
+    [Fact]
+    public void Monitoring_GenericKubernetesAlerts_MustExcludeEphemeralGithubRunnerNamespace()
+    {
+        var monitoring = File.ReadAllText(Path.Combine(Inventory.BluejayRoot, "apps", "monitoring", "noc-monitoring.yaml"));
+
+        monitoring.Should().Contain("kube_pod_container_status_restarts_total{namespace!=\"github-runner\"}");
+        monitoring.Should().Contain("and on(namespace, pod) kube_pod_info");
+        monitoring.Should().Contain("kube_deployment_spec_replicas{namespace!=\"github-runner\"} != kube_deployment_status_replicas_available{namespace!=\"github-runner\"}");
+        monitoring.Should().Contain("dedicated LinuxRunnerOffline/MacMiniRunnerOffline alerts");
+    }
+
+    [Fact]
+    public void Monitoring_BlackboxTargetsForOidcSensitiveServices_MustUseAnonymousHealthRoutesWhenAvailable()
+    {
+        var monitoring = File.ReadAllText(Path.Combine(Inventory.BluejayRoot, "apps", "monitoring", "noc-monitoring.yaml"));
+
+        monitoring.Should().Contain("https://chat.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://dist.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://dms.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://print.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://knowledge.iamworkin.lan/healthz");
+        monitoring.Should().Contain("https://library.iamworkin.lan/health");
+        monitoring.Should().Contain("https://aistation.iamworkin.lan/healthz");
+        monitoring.Should().NotContain("https://print.iamworkin.lan/\"");
+    }
+
+    [Fact]
+    public void OidcEnforcedDeployments_WithHttpHealthzProbes_MustDeclareAnonymousHealthzContract()
+    {
+        var violations = Inventory.Documents
+            .Where(document => document.Kind == "Deployment")
+            .SelectMany(document => document.MainContainerMappings()
+                .Where(container => string.Equals(EnvValue(container, "FlowerCore__Auth__Enabled"), "true", StringComparison.OrdinalIgnoreCase))
+                .Where(container => string.Equals(EnvValue(container, "FlowerCore__Auth__Oidc__Enabled"), "true", StringComparison.OrdinalIgnoreCase))
+                .Where(container => ProbeHttpGetPath(container, "readinessProbe") == "/healthz"
+                    || ProbeHttpGetPath(container, "startupProbe") == "/healthz")
+                .Where(_ => !string.Equals(
+                    PodAnnotation(document, "flowercore.io/healthz-auth-policy"),
+                    "allow-anonymous",
+                    StringComparison.Ordinal))
+                .Select(container =>
+                {
+                    var containerName = ManifestNodeExtensions.Scalar(container, "name") ?? "<unnamed>";
+                    return $"{document.Descriptor} container '{containerName}' enforces OIDC while probing /healthz but lacks flowercore.io/healthz-auth-policy: allow-anonymous.";
+                }))
+            .ToList();
+
+        violations.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void AuthSafeInfraHealthzProbes_MustDeclareAnonymousHealthzContract()
+    {
+        var violations = InfraHealthzProbeDeployments.SelectMany(expected =>
+        {
+            var deployment = AppDocuments(expected.Key)
+                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value);
+            var hasHealthzProbe = deployment.MainContainerMappings()
+                .Any(container => ProbeHttpGetPath(container, "readinessProbe") == "/healthz"
+                    || ProbeHttpGetPath(container, "startupProbe") == "/healthz"
+                    || ProbeHttpGetPath(container, "livenessProbe") == "/healthz");
+
+            return hasHealthzProbe
+                && !string.Equals(PodAnnotation(deployment, "flowercore.io/healthz-auth-policy"), "allow-anonymous", StringComparison.Ordinal)
+                    ? new[] { $"{deployment.Descriptor} probes /healthz but lacks flowercore.io/healthz-auth-policy: allow-anonymous." }
+                    : Array.Empty<string>();
+        }).ToList();
+
+        violations.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void AuthSafeInfraHttpProbes_MustSendForwardedProtoHttpsHeader()
+    {
+        var violations = InfraForwardedProtoProbeDeployments.SelectMany(expected =>
+        {
+            var deployment = AppDocuments(expected.Key)
+                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value);
+
+            return deployment.MainContainerMappings()
+                .SelectMany(container => new[] { "startupProbe", "readinessProbe", "livenessProbe" }
+                    .Where(probeKey => ProbeHttpGetPath(container, probeKey) is "/healthz" or "/health")
+                    .Where(probeKey => !string.Equals(ProbeHttpGetHeaderValue(container, probeKey, "X-Forwarded-Proto"), "https", StringComparison.Ordinal))
+                    .Select(probeKey =>
+                    {
+                        var containerName = ManifestNodeExtensions.Scalar(container, "name") ?? "<unnamed>";
+                        return $"{deployment.Descriptor} container '{containerName}' {probeKey} is missing X-Forwarded-Proto=https.";
+                    }));
+        }).ToList();
+
+        violations.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void Knowledge_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
+    {
+        var knowledge = Inventory.Documents
+            .Single(document => document.Kind == "Deployment" && document.Namespace == "knowledge" && document.Name == "knowledge-web");
+        var container = knowledge.MainContainerMappings().Should().ContainSingle().Subject;
+
+        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
+        EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
+        ProbeHttpGetPath(container, "readinessProbe").Should().Be("/healthz");
+        PodAnnotation(knowledge, "flowercore.io/healthz-auth-policy").Should().Be("allow-anonymous");
+    }
+
+    [Fact]
+    public void Distribution_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
+    {
+        var distribution = Inventory.Documents
+            .Single(document => document.Kind == "Deployment" && document.Namespace == "fc-distribution" && document.Name == "fc-distribution");
+        var container = distribution.MainContainerMappings().Should().ContainSingle().Subject;
+
+        EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
+        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
+        ProbeHttpGetPath(container, "readinessProbe").Should().Be("/healthz");
+        PodAnnotation(distribution, "flowercore.io/healthz-auth-policy").Should().Be("allow-anonymous");
+    }
+
     [Fact]
     public void StatefulSets_WithVolumeClaimTemplates_MustDeclareFilesystemDefaults()
     {
@@ -926,6 +1092,33 @@ public sealed class FleetManifestLintTests
             .SingleOrDefault(env => string.Equals(ManifestNodeExtensions.Scalar(env, "name"), name, StringComparison.Ordinal));
     }
 
+    private static string? PodAnnotation(ManifestDocument document, string name)
+    {
+        return document.Scalar("spec", "template", "metadata", "annotations", name);
+    }
+
+    private static string? ProbeHttpGetPath(YamlMappingNode container, string probeKey)
+    {
+        return ManifestNodeExtensions.TryGetMapping(container, probeKey, out var probe)
+            && ManifestNodeExtensions.TryGetMapping(probe, "httpGet", out var httpGet)
+            ? ManifestNodeExtensions.Scalar(httpGet, "path")
+            : null;
+    }
+
+    private static string? ProbeHttpGetHeaderValue(YamlMappingNode container, string probeKey, string name)
+    {
+        if (!ManifestNodeExtensions.TryGetMapping(container, probeKey, out var probe)
+            || !ManifestNodeExtensions.TryGetMapping(probe, "httpGet", out var httpGet))
+        {
+            return null;
+        }
+
+        return ManifestNodeExtensions.MappingSequence(httpGet, "httpHeaders")
+            .Where(header => string.Equals(ManifestNodeExtensions.Scalar(header, "name"), name, StringComparison.Ordinal))
+            .Select(header => ManifestNodeExtensions.Scalar(header, "value"))
+            .SingleOrDefault();
+    }
+
     private static IReadOnlyList<ManifestDocument> FcDeviceManagementDocuments()
     {
         return Inventory.Documents