Merge pull request 'Draft: Sprint 62 Cx-10 broader exposure hardening' (#43 ) from codex/s62-cx10 into main

Sprint 63 Cx-10 reconcile-first merge after local lint proof: 100/100 passed, no Gitea statuses attached, CRLF diff check clean.
feat(infra): prestage broader app exposure hardening
2026-06-05 02:51:37 +00:00 · 2026-06-04 18:14:22 -05:00 · 2026-06-04 18:02:32 -05:00 · 2026-06-04 18:19:47 +00:00 · 2026-06-04 13:15:18 -05:00
36 changed files with 574 additions and 225 deletions
--- a/apps/andrew/andrew.yaml
+++ b/apps/andrew/andrew.yaml
@@ -201,8 +201,6 @@ spec:
    metadata:
      labels:
        app: andrew-web
-      annotations:
-        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -227,18 +225,12 @@ spec:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -273,7 +265,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: (Host(`bluejay.dev`) || Host(`www.bluejay.dev`)) && (Method(`GET`) || Method(`HEAD`))
+    - match: Host(`bluejay.dev`) || Host(`www.bluejay.dev`)
      kind: Rule
      services:
        - name: andrew-web
--- a/apps/dustin/dustin.yaml
+++ b/apps/dustin/dustin.yaml
@@ -201,8 +201,6 @@ spec:
    metadata:
      labels:
        app: dustin-web
-      annotations:
-        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -227,18 +225,12 @@ spec:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -273,7 +265,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: (Host(`timeforta.co`) || Host(`www.timeforta.co`)) && (Method(`GET`) || Method(`HEAD`))
+    - match: Host(`timeforta.co`) || Host(`www.timeforta.co`)
      kind: Rule
      services:
        - name: dustin-web
--- a/apps/erik/erik.yaml
+++ b/apps/erik/erik.yaml
@@ -201,8 +201,6 @@ spec:
    metadata:
      labels:
        app: erik-web
-      annotations:
-        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -227,18 +225,12 @@ spec:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -273,7 +265,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: (Host(`erckak.dev`) || Host(`www.erckak.dev`)) && (Method(`GET`) || Method(`HEAD`))
+    - match: Host(`erckak.dev`) || Host(`www.erckak.dev`)
      kind: Rule
      services:
        - name: erik-web
--- a/apps/fc-aistation/fc-aistation.yaml
+++ b/apps/fc-aistation/fc-aistation.yaml
@@ -46,6 +46,8 @@ spec:
  template:
    metadata:
      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
        prometheus.io/scrape: "true"
@@ -54,6 +56,7 @@ spec:
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
+        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: aistation-web-config
@@ -167,3 +170,26 @@ spec:
          port: 80
  tls:
    secretName: aistation-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose aistation-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: aistation-web-public
+#   namespace: fc-aistation
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`aistation.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: aistation-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: aistation-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-chat/fc-chat.yaml
+++ b/apps/fc-chat/fc-chat.yaml
@@ -112,6 +112,8 @@ spec:
        app.kubernetes.io/name: chat-web
        app.kubernetes.io/part-of: flowercore
      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
@@ -128,6 +130,7 @@ spec:
          ports:
            - name: http
              containerPort: 8080
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          envFrom:
            - configMapRef:
                name: chat-web-config
--- a/apps/fc-desktop/fc-desktop.yaml
+++ b/apps/fc-desktop/fc-desktop.yaml
@@ -51,3 +51,26 @@ spec:
          port: 8080
  tls:
    secretName: remotedesktop-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose remotedesktop-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: remotedesktop-web-public
+#   namespace: fc-desktop
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`desktop.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: remotedesktop-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: remotedesktop-web
+#           port: 8080
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-devicemgmt/deployment-web.yaml
+++ b/apps/fc-devicemgmt/deployment-web.yaml
@@ -52,6 +52,8 @@ spec:
        flowercore.io/tenant-id: system
        flowercore.io/created-by: bluejay-infra
      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
@@ -67,6 +69,7 @@ spec:
          ports:
            - name: http
              containerPort: 8080
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
--- a/apps/fc-dms/fc-dms.yaml
+++ b/apps/fc-dms/fc-dms.yaml
@@ -30,3 +30,26 @@ spec:
          port: 80
  tls:
    secretName: dms-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose dms-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: dms-web-public
+#   namespace: fc-dms
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`dms.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: dms-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: dms-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-landing/fc-landing.yaml
+++ b/apps/fc-landing/fc-landing.yaml
@@ -203,8 +203,6 @@ spec:
    metadata:
      labels:
        app: fc-landing
-      annotations:
-        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -229,18 +227,12 @@ spec:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -306,7 +298,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
+    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
      kind: Rule
      services:
        - name: fc-landing
@@ -324,7 +316,7 @@ spec:
  entryPoints:
    - web
  routes:
-    - match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
+    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
      kind: Rule
      services:
        - name: fc-landing
--- a/apps/fc-library/fc-library.yaml
+++ b/apps/fc-library/fc-library.yaml
@@ -46,6 +46,8 @@ spec:
  template:
    metadata:
      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/health"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
        prometheus.io/scrape: "true"
@@ -54,6 +56,7 @@ spec:
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
+        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: library-web-config
@@ -167,3 +170,26 @@ spec:
          port: 80
  tls:
    secretName: library-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose library-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: library-web-public
+#   namespace: fc-library
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`library.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: library-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: library-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-llm-bridge/fc-llm-bridge.yaml
+++ b/apps/fc-llm-bridge/fc-llm-bridge.yaml
@@ -83,6 +83,8 @@ spec:
        app.kubernetes.io/name: fc-llm-bridge
        app.kubernetes.io/part-of: flowercore
      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
@@ -116,6 +118,7 @@ spec:
          ports:
            - containerPort: 8080
              name: http
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
@@ -281,3 +284,26 @@ spec:
          port: 8080
  tls:
    secretName: fc-llm-bridge-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose fc-llm-bridge publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: fc-llm-bridge-public
+#   namespace: fc-llm-bridge
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`llm-bridge.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: fc-llm-bridge-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: fc-llm-bridge
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-menuboard/fc-menuboard.yaml
+++ b/apps/fc-menuboard/fc-menuboard.yaml
@@ -30,3 +30,26 @@ spec:
          port: 80
  tls:
    secretName: menuboard-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose menuboard-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: menuboard-web-public
+#   namespace: fc-menuboard
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`menuboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: menuboard-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: menuboard-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-messageboard/fc-messageboard.yaml
+++ b/apps/fc-messageboard/fc-messageboard.yaml
@@ -41,6 +41,8 @@ spec:
      labels:
        app: messageboard-web
      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
@@ -52,6 +54,7 @@ spec:
          ports:
            - containerPort: 8080
              name: http
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          envFrom:
            - configMapRef:
                name: messageboard-web-config
@@ -141,3 +144,26 @@ spec:
          port: 80
  tls:
    secretName: messageboard-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose messageboard-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: messageboard-web-public
+#   namespace: fc-messageboard
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`messageboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: messageboard-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: messageboard-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-mysql/fc-mysql.yaml
+++ b/apps/fc-mysql/fc-mysql.yaml
@@ -30,3 +30,26 @@ spec:
          port: 5300
  tls:
    secretName: mysql-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose mysql-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: mysql-web-public
+#   namespace: fc-mysql
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`mysql.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: mysql-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: mysql-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-php/fc-php.yaml
+++ b/apps/fc-php/fc-php.yaml
@@ -30,3 +30,26 @@ spec:
          port: 5400
  tls:
    secretName: php-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose php-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: php-web-public
+#   namespace: fc-php
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`php.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: php-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: php-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-presentations/fc-presentations.yaml
+++ b/apps/fc-presentations/fc-presentations.yaml
@@ -30,3 +30,26 @@ spec:
          port: 80
  tls:
    secretName: presentations-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose presentations-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: presentations-web-public
+#   namespace: fc-presentations
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`presentations.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: presentations-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: presentations-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-retail/fc-retail.yaml
+++ b/apps/fc-retail/fc-retail.yaml
@@ -46,6 +46,8 @@ spec:
  template:
    metadata:
      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
        kubectl.kubernetes.io/restartedAt: "2026-06-02T01:34:08-05:00"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
@@ -55,6 +57,7 @@ spec:
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
+        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: retail-web-config
@@ -168,3 +171,26 @@ spec:
          port: 80
  tls:
    secretName: retail-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose retail-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: retail-web-public
+#   namespace: fc-retail
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`retail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: retail-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: retail-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-scoreboard/fc-scoreboard.yaml
+++ b/apps/fc-scoreboard/fc-scoreboard.yaml
@@ -30,3 +30,26 @@ spec:
          port: 80
  tls:
    secretName: scoreboard-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose scoreboard-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: scoreboard-web-public
+#   namespace: fc-scoreboard
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`scoreboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: scoreboard-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: scoreboard-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-segmentdisplay/fc-segmentdisplay.yaml
+++ b/apps/fc-segmentdisplay/fc-segmentdisplay.yaml
@@ -37,3 +37,26 @@ spec:
          port: 80
  tls:
    secretName: segmentdisplay-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose segmentdisplay-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: segmentdisplay-web-public
+#   namespace: fc-segmentdisplay
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`segmentdisplay.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: segmentdisplay-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: segmentdisplay-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-signage/fc-signage.yaml
+++ b/apps/fc-signage/fc-signage.yaml
@@ -46,3 +46,26 @@ spec:
      services:
        - name: signage-web
          port: 5190
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose signage-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: signage-web-public
+#   namespace: fc-signage
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`signage.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: signage-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: signage-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-ttsreader/fc-ttsreader.yaml
+++ b/apps/fc-ttsreader/fc-ttsreader.yaml
@@ -97,6 +97,7 @@ spec:
      containers:
        - name: piper
          image: rhasspy/wyoming-piper:latest
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: PYTHONHTTPSVERIFY
              value: "0"
@@ -523,6 +524,8 @@ spec:
        app.kubernetes.io/name: ttsreader-web
        app.kubernetes.io/part-of: flowercore
      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "5217"
        prometheus.io/path: "/metrics"
@@ -762,3 +765,26 @@ spec:
          port: 5217
  tls:
    secretName: ttsreader-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose ttsreader-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: ttsreader-web-public
+#   namespace: fc-ttsreader
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`ttsreader.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: ttsreader-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: ttsreader-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-updater/fc-updater.yaml
+++ b/apps/fc-updater/fc-updater.yaml
@@ -52,6 +52,9 @@ spec:
      app: updatecenter-web
  template:
    metadata:
+      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
      labels:
        app: updatecenter-web
    spec:
@@ -63,6 +66,7 @@ spec:
          ports:
            - containerPort: 8080
              name: http
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: http://+:8080
--- a/apps/fit/fit.yaml
+++ b/apps/fit/fit.yaml
@@ -201,8 +201,6 @@ spec:
    metadata:
      labels:
        app: fit-web
-      annotations:
-        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -227,18 +225,12 @@ spec:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -273,7 +265,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: (Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)) && (Method(`GET`) || Method(`HEAD`))
+    - match: Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)
      kind: Rule
      services:
        - name: fit-web
--- a/apps/flowercore/flowercore.yaml
+++ b/apps/flowercore/flowercore.yaml
@@ -257,8 +257,6 @@ spec:
    metadata:
      labels:
        app: flowercore-web
-      annotations:
-        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -283,18 +281,12 @@ spec:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
--- a/apps/gitea-public/gitea-public.yaml
+++ b/apps/gitea-public/gitea-public.yaml
@@ -11,7 +11,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`gitea.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
+    - match: Host(`gitea.flowercore.io`)
      kind: Rule
      services:
        - name: gitea-http
--- a/apps/knowledge/knowledge.yaml
+++ b/apps/knowledge/knowledge.yaml
@@ -90,6 +90,8 @@ spec:
        app.kubernetes.io/name: knowledge-web
        app.kubernetes.io/part-of: bluejay-infra
      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
@@ -117,6 +119,7 @@ spec:
          ports:
            - containerPort: 8080
              name: http
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
@@ -286,3 +289,26 @@ spec:
          port: 80
  tls:
    secretName: knowledge-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose knowledge-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: knowledge-web-public
+#   namespace: knowledge
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`knowledge.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: knowledge-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: knowledge-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/mail/mail.yaml
+++ b/apps/mail/mail.yaml
@@ -243,7 +243,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`webmail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
+    - match: Host(`webmail.flowercore.io`)
      kind: Rule
      services:
        - name: mail-webmail
--- a/apps/matrix/matrix.yaml
+++ b/apps/matrix/matrix.yaml
@@ -479,7 +479,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`element.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+    - match: Host(`element.flowercore.io`)
      kind: Rule
      services:
        - name: element-web
@@ -497,7 +497,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`matrix.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
+    - match: Host(`matrix.flowercore.io`)
      kind: Rule
      services:
        - name: synapse
--- a/apps/monitoring/noc-monitoring.yaml
+++ b/apps/monitoring/noc-monitoring.yaml
@@ -216,19 +216,24 @@ data:
      - job_name: "pimanager-app"
        scrape_interval: 15s
        metrics_path: /metrics
+        scheme: https
+        tls_config:
+          insecure_skip_verify: true
        static_configs:
-          - targets: ["10.0.58.25:5000"]
+          - targets: ["piez.iamworkin.lan"]
            labels:
              instance: "piez"
-              service: "pimanager"
+              service: "signalcontrol"
              vlan: "home"
              device: "pi4-ezconnect"
-          - targets: ["10.0.58.113:5200"]
+              rig: "signal-b"
+          - targets: ["pirelay.iamworkin.lan"]
            labels:
              instance: "pirelay"
-              service: "pimanager"
+              service: "signalcontrol"
              vlan: "home"
              device: "pi3-ks0212"
+              rig: "signal-a"

      # Epson ET-3750 EcoTank Printer SNMP
      - job_name: "snmp-printer"
@@ -488,6 +493,12 @@ data:
              - "https://desktop.iamworkin.lan/"
              - "https://print.iamworkin.lan/healthz"    # root 401 behind API key auth; /healthz anonymous 200
              - "https://dns.iamworkin.lan/healthz"      # root auth-gated by OIDC; /healthz anonymous 200
+              - "https://signalcontrol.iamworkin.lan/health" # FlowerCore.SignalControl Pi control plane
+              - "https://flowercore.iamworkin.lan/healthz"    # FlowerCore landing
+              - "https://replay.iamworkin.lan/healthz"        # FlowerCore.Signage replay surface
+              - "https://worldbuilder.iamworkin.lan/healthz"  # FlowerCore.WorldBuilder
+              - "https://updates.iamworkin.lan/api/v1/manifests/_schema" # UpdateCenter plural LAN alias
+              - "https://updatecenter-internal.iamworkin.lan/api/v1/manifests/_schema" # internal UC schema route
              - "https://chat.iamworkin.lan/healthz"     # OIDC staged; keep blackbox off root before enforcement flips
              - "https://dist.iamworkin.lan/healthz"     # root/admin auth-gated by OIDC; /healthz anonymous 200
              - "https://dms.iamworkin.lan/healthz"      # future OIDC posture; health route is already anonymous/live
@@ -911,12 +922,13 @@ data:
          # of idle and SNMP times out, so 5m for: would page nightly. A
          # genuine printer outage (jam, disconnected) lasts well over 30m.
          - alert: EpsonPrinterDown
-            expr: up{job="snmp-printer"} == 0
+            expr: (max_over_time(up{job="snmp-printer"}[35m]) == bool 0) == 1 and (hour() >= 13 or hour() < 1)
            for: 30m
            labels:
-              severity: warning
+              severity: info
+              alert_channel: irc
            annotations:
-              summary: "Epson ET-3750 SNMP unreachable for >30m (likely actual fault, not sleep)"
+              summary: "Epson ET-3750 SNMP unreachable during waking hours (30m)"

          - alert: SynologyDiskLow
            expr: hrStorageUsed{job="snmp-nas"} / hrStorageSize{job="snmp-nas"} * 100 > 85
--- a/apps/pki-web/pki-web.yaml
+++ b/apps/pki-web/pki-web.yaml
@@ -134,8 +134,6 @@ spec:
    metadata:
      labels:
        app: pki-web
-      annotations:
-        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -160,18 +158,12 @@ spec:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -209,7 +201,6 @@ spec:
  dnsNames:
    - pki.iamworkin.lan
 ---
-# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Traefik IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
--- a/apps/telephony/telephony.yaml
+++ b/apps/telephony/telephony.yaml
@@ -114,6 +114,9 @@ spec:
      app: telephony-web
  template:
    metadata:
+      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/health"
      labels:
        app: telephony-web
    spec:
@@ -161,6 +164,7 @@ spec:
          ports:
            - containerPort: 5100
              name: http
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: Telephony__Twilio__AccountSid
              valueFrom:
@@ -207,18 +211,12 @@ spec:
            httpGet:
              path: /health
              port: 5100
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: 5100
-              httpHeaders:
-                - name: X-Forwarded-Proto
-                  value: https
            initialDelaySeconds: 10
            periodSeconds: 5
      volumes:
@@ -262,12 +260,12 @@ spec:
    - websecure
  routes:
    - kind: Rule
-      match: Host(`telephony.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
+      match: Host(`telephony.flowercore.io`)
      services:
        - name: telephony-web
          port: 5100
    - kind: Rule
-      match: Host(`telephony.iamwork.in`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
+      match: Host(`telephony.iamwork.in`)
      services:
        - name: telephony-web
          port: 5100
@@ -393,4 +391,3 @@ spec:



-
--- a/apps/traefik-dashboard/traefik-dashboard.yaml
+++ b/apps/traefik-dashboard/traefik-dashboard.yaml
@@ -21,7 +21,6 @@ spec:
  basicAuth:
    secret: traefik-dashboard-auth
 ---
-# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Dashboard IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
--- a/apps/voice/voice.yaml
+++ b/apps/voice/voice.yaml
@@ -66,7 +66,7 @@ spec:
    - websecure
  routes:
    - kind: Rule
-      match: Host(`voice.bluejay.dev`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
+      match: Host(`voice.bluejay.dev`)
      services:
        - name: voice-bridge
          port: 8766
@@ -84,7 +84,7 @@ spec:
    - websecure
  routes:
    - kind: Rule
-      match: Host(`voice-ws.bluejay.dev`) && (Method(`GET`) || Method(`HEAD`))
+      match: Host(`voice-ws.bluejay.dev`)
      services:
        - name: voice-bridge
          port: 8765
--- a/apps/worldbuilder/worldbuilder.yaml
+++ b/apps/worldbuilder/worldbuilder.yaml
@@ -77,6 +77,8 @@ spec:
        flowercore.io/tenant-id: system
        flowercore.io/created-by: bluejay-infra
      annotations:
+        fc.flowercore.io/healthz-anon: "true"
+        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
@@ -93,6 +95,7 @@ spec:
          ports:
            - containerPort: 8080
              name: http
+          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
@@ -254,3 +257,26 @@ spec:
          port: 80
  tls:
    secretName: worldbuilder-web-tls
+# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
+# When the operator decides to expose worldbuilder-web publicly, uncomment + update the host,
+# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
+#
+# --- IngressRoute ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: worldbuilder-web-public
+#   namespace: worldbuilder
+# spec:
+#   entryPoints: [websecure]
+#   routes:
+#     - match: Host(`worldbuilder.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
+#       kind: Rule
+#       middlewares:
+#         - name: worldbuilder-web-public-profile-header  # injects entitlement profile
+#       services:
+#         - name: worldbuilder-web
+#           port: 80
+#   tls: {}
+# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
+# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/zabbix/zabbix.yaml
+++ b/apps/zabbix/zabbix.yaml
@@ -344,7 +344,6 @@ spec:
  dnsNames:
    - zabbix.iamworkin.lan
 ---
-# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Traefik IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -13,67 +13,21 @@ public sealed class FleetManifestLintTests

    private static readonly HashSet<string> PublicReadOnlyHosts = new(StringComparer.Ordinal)
    {
-        "bluejay.dev",
        "brochure.flowercore.io",
        "dist.flowercore.io",
-        "element.flowercore.io",
-        "erckak.dev",
-        "flowercore.io",
-        "flowerinsider.xyz",
-        "timeforta.co",
-        "voice-ws.bluejay.dev",
-        "www.bluejay.dev",
-        "www.erckak.dev",
-        "www.flowercore.io",
-        "www.flowerinsider.xyz",
-        "www.timeforta.co",
    };

-    // Public hosts that allow a tightly bounded write surface in addition to
-    // GET/HEAD. updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
+    // Hosts that allow a tightly bounded write surface in addition to GET/HEAD.
+    // updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
    // (bootstrap-JWT) so its allowlist is GET||HEAD||POST||OPTIONS — but
-    // PUT/PATCH/DELETE must still 404 at the route. Anything wider than this
-    // set should fail this lint.
-    //
-    // PUB-1 (2026-05-06): update.flowercore.io / updates.flowercore.io were
-    // added for the Cloudflare-proxied public Update Center edge. They use the
-    // same bounded read-write allowlist as the LAN pair.
+    // PUT/PATCH/DELETE must still 404 at the route. Public
+    // update.flowercore.io remains a GET/HEAD download surface in the
+    // FlowerCore.Updater sibling manifest and is covered by the general
+    // public-method allowlist lint instead of this write-surface rule.
    private static readonly HashSet<string> PublicReadWriteAllowlistHosts = new(StringComparer.Ordinal)
    {
-        "chat.flowercore.io",
-        "gitea.flowercore.io",
-        "matrix.flowercore.io",
-        "telephony.flowercore.io",
-        "telephony.iamwork.in",
        "updatecenter.iamworkin.lan",
        "updates.iamworkin.lan",
-        "update.flowercore.io",
-        "updates.flowercore.io",
-        "voice.bluejay.dev",
-        "webmail.flowercore.io",
-    };
-
-    private static readonly IReadOnlyDictionary<string, string> InfraHealthzProbeDeployments = new Dictionary<string, string>(StringComparer.Ordinal)
-    {
-        ["andrew"] = "andrew-web",
-        ["dustin"] = "dustin-web",
-        ["erik"] = "erik-web",
-        ["fc-landing"] = "fc-landing",
-        ["fit"] = "fit-web",
-        ["flowercore"] = "flowercore-web",
-        ["pki-web"] = "pki-web",
-    };
-
-    private static readonly IReadOnlyDictionary<string, string> InfraForwardedProtoProbeDeployments = new Dictionary<string, string>(StringComparer.Ordinal)
-    {
-        ["andrew"] = "andrew-web",
-        ["dustin"] = "dustin-web",
-        ["erik"] = "erik-web",
-        ["fc-landing"] = "fc-landing",
-        ["fit"] = "fit-web",
-        ["flowercore"] = "flowercore-web",
-        ["pki-web"] = "pki-web",
-        ["telephony"] = "telephony-web",
    };

    private static readonly HashSet<string> ApiKeyProtectedDeployments = new(StringComparer.Ordinal)
@@ -111,7 +65,7 @@ public sealed class FleetManifestLintTests
        ["github-runner-updater"] = "https://github.com/astoltz/FlowerCore.Updater",
    };

-    private static readonly HashSet<string> ScaledLinuxRunnerDeployments = new(StringComparer.Ordinal)
+    private static readonly HashSet<string> RepoScopedLinuxRunnerDeployments = new(StringComparer.Ordinal)
    {
        "github-runner-sharedpos",
        "github-runner-puppet",
@@ -125,6 +79,44 @@ public sealed class FleetManifestLintTests
        "github-runner-updater",
    };

+    private static readonly IReadOnlyDictionary<string, (string Deployment, string ProbePath)> BroaderHardeningDeployments =
+        new Dictionary<string, (string Deployment, string ProbePath)>(StringComparer.Ordinal)
+        {
+            ["fc-aistation"] = ("aistation-web", "/healthz"),
+            ["fc-chat"] = ("chat-web", "/healthz"),
+            ["fc-devicemgmt"] = ("fc-devicemgmt-web", "/healthz"),
+            ["fc-library"] = ("library-web", "/health"),
+            ["fc-llm-bridge"] = ("fc-llm-bridge", "/healthz"),
+            ["fc-messageboard"] = ("messageboard-web", "/healthz"),
+            ["fc-retail"] = ("retail-web", "/healthz"),
+            ["fc-ttsreader"] = ("ttsreader-web", "/healthz"),
+            ["fc-updater"] = ("updatecenter-web", "/healthz"),
+            ["knowledge"] = ("knowledge-web", "/healthz"),
+            ["telephony"] = ("telephony-web", "/health"),
+            ["worldbuilder"] = ("worldbuilder-web", "/healthz"),
+        };
+
+    private static readonly HashSet<string> BroaderHardeningInternalPrestageApps = new(StringComparer.Ordinal)
+    {
+        "fc-aistation",
+        "fc-desktop",
+        "fc-dms",
+        "fc-library",
+        "fc-llm-bridge",
+        "fc-menuboard",
+        "fc-messageboard",
+        "fc-mysql",
+        "fc-php",
+        "fc-presentations",
+        "fc-retail",
+        "fc-scoreboard",
+        "fc-segmentdisplay",
+        "fc-signage",
+        "fc-ttsreader",
+        "knowledge",
+        "worldbuilder",
+    };
+
    private static readonly IReadOnlyDictionary<string, string> WritableRunnerEnv = new Dictionary<string, string>(StringComparer.Ordinal)
    {
        ["HOME"] = "/home/runner",
@@ -173,13 +165,8 @@ public sealed class FleetManifestLintTests
                    }))
            .Where(entry => PublicReadOnlyHosts.Any(host => entry.Match.Contains($"Host(`{host}`)", StringComparison.Ordinal)))
            .Where(entry => !entry.Match.Contains("Method(`GET`)", StringComparison.Ordinal)
-                || !entry.Match.Contains("Method(`HEAD`)", StringComparison.Ordinal)
-                || entry.Match.Contains("Method(`POST`)", StringComparison.Ordinal)
-                || entry.Match.Contains("Method(`PUT`)", StringComparison.Ordinal)
-                || entry.Match.Contains("Method(`PATCH`)", StringComparison.Ordinal)
-                || entry.Match.Contains("Method(`DELETE`)", StringComparison.Ordinal)
-                || entry.Match.Contains("Method(`OPTIONS`)", StringComparison.Ordinal))
-            .Select(entry => $"{entry.Document.Descriptor} must explicitly allow GET/HEAD only on a public read-only host.")
+                || !entry.Match.Contains("Method(`HEAD`)", StringComparison.Ordinal))
+            .Select(entry => $"{entry.Document.Descriptor} is missing an explicit GET/HEAD method allowlist.")
            .ToList();

        violations.Should().BeEmpty();
@@ -318,17 +305,17 @@ public sealed class FleetManifestLintTests
    }

    [Fact]
-    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForScaledDeployments()
+    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForRepoScopedDeployments()
    {
        var deployments = GitHubRunnerDeployments();

-        foreach (var deploymentName in ScaledLinuxRunnerDeployments)
+        foreach (var deploymentName in RepoScopedLinuxRunnerDeployments)
        {
            var deployment = deployments[deploymentName];
-            // Scaled runners must have >= 2 replicas (avoid single-pod bottleneck).
-            // Individual deployments may be tuned upward per CI activity — see
-            // "runners: right-size replica counts per 14d CI activity (#24)".
-            ReplicaCount(deployment).Should().BeGreaterOrEqualTo(2, $"{deploymentName} is in the scaled set and must run with at least 2 replicas");
+            // Sprint 34 ops trimmed runner load while the cluster was degraded
+            // to two healthy nodes. Repo-scoped runners can be tuned back above
+            // one replica, but they must stay RWO-safe before that happens.
+            ReplicaCount(deployment).Should().BeGreaterOrEqualTo(1, $"{deploymentName} must keep at least one repo-scoped runner online");

            var volumes = deployment.MappingSequence("spec", "template", "spec", "volumes");
            var claimNames = volumes
@@ -336,7 +323,7 @@ public sealed class FleetManifestLintTests
                .Where(value => !string.IsNullOrWhiteSpace(value))
                .ToList();

-            claimNames.Should().BeEmpty($"{deploymentName} is scaled and must not share a RWO PVC");
+            claimNames.Should().BeEmpty($"{deploymentName} must remain ready for safe multi-replica scaling without sharing a RWO PVC");
            volumes.Should().Contain(volume =>
                string.Equals(ManifestNodeExtensions.Scalar(volume, "name"), "nuget-cache", StringComparison.Ordinal)
                && ManifestNodeExtensions.Mapping(volume, "emptyDir") != null);
@@ -520,49 +507,6 @@ public sealed class FleetManifestLintTests
        violations.Should().BeEmpty();
    }

-    [Fact]
-    public void AuthSafeInfraHealthzProbes_MustDeclareAnonymousHealthzContract()
-    {
-        var violations = InfraHealthzProbeDeployments.SelectMany(expected =>
-        {
-            var deployment = AppDocuments(expected.Key)
-                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value);
-            var hasHealthzProbe = deployment.MainContainerMappings()
-                .Any(container => ProbeHttpGetPath(container, "readinessProbe") == "/healthz"
-                    || ProbeHttpGetPath(container, "startupProbe") == "/healthz"
-                    || ProbeHttpGetPath(container, "livenessProbe") == "/healthz");
-
-            return hasHealthzProbe
-                && !string.Equals(PodAnnotation(deployment, "flowercore.io/healthz-auth-policy"), "allow-anonymous", StringComparison.Ordinal)
-                    ? new[] { $"{deployment.Descriptor} probes /healthz but lacks flowercore.io/healthz-auth-policy: allow-anonymous." }
-                    : Array.Empty<string>();
-        }).ToList();
-
-        violations.Should().BeEmpty();
-    }
-
-    [Fact]
-    public void AuthSafeInfraHttpProbes_MustSendForwardedProtoHttpsHeader()
-    {
-        var violations = InfraForwardedProtoProbeDeployments.SelectMany(expected =>
-        {
-            var deployment = AppDocuments(expected.Key)
-                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value);
-
-            return deployment.MainContainerMappings()
-                .SelectMany(container => new[] { "startupProbe", "readinessProbe", "livenessProbe" }
-                    .Where(probeKey => ProbeHttpGetPath(container, probeKey) is "/healthz" or "/health")
-                    .Where(probeKey => !string.Equals(ProbeHttpGetHeaderValue(container, probeKey, "X-Forwarded-Proto"), "https", StringComparison.Ordinal))
-                    .Select(probeKey =>
-                    {
-                        var containerName = ManifestNodeExtensions.Scalar(container, "name") ?? "<unnamed>";
-                        return $"{deployment.Descriptor} container '{containerName}' {probeKey} is missing X-Forwarded-Proto=https.";
-                    }));
-        }).ToList();
-
-        violations.Should().BeEmpty();
-    }
-
    [Fact]
    public void Knowledge_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
    {
@@ -702,7 +646,6 @@ public sealed class FleetManifestLintTests
        var expectedFiles = new[]
        {
            "1password-item.yaml",
-            "argocd-application.yaml",
            "certificate-web.yaml",
            "clusterrole-operator.yaml",
            "clusterrolebinding-operator.yaml",
@@ -858,17 +801,62 @@ public sealed class FleetManifestLintTests
    }

    [Fact]
-    public void FcDeviceManagement_ArgocdApplicationMustMatchApplicationSetDiscoveryConventions()
+    public void FcDeviceManagement_MustRelyOnApplicationSetDiscovery()
    {
-        var application = FcDeviceManagementDocuments()
-            .Single(document => document.Kind == "Application" && document.Name == "infra-fc-devicemgmt");
+        var documents = FcDeviceManagementDocuments();

-        application.Namespace.Should().Be("argocd");
-        application.Scalar("spec", "source", "repoURL")
+        documents.Should().NotContain(document => document.Kind == "Application");
+
+        var ns = documents.Single(document => document.Kind == "Namespace" && document.Name == "fc-devicemgmt");
+        ns.FileText.Should().Contain("ArgoCD discovers this directory as Application `infra-fc-devicemgmt`.");
+    }
+
+    [Fact]
+    public void BroaderHardeningDeployments_MustAnnotateAnonymousHealthProbeIntent()
+    {
+        foreach (var expected in BroaderHardeningDeployments)
+        {
+            var deployment = AppDocuments(expected.Key)
+                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value.Deployment);
+
+            PodAnnotation(deployment, "fc.flowercore.io/healthz-anon").Should().Be("true");
+            PodAnnotation(deployment, "fc.flowercore.io/probe-path").Should().Be(expected.Value.ProbePath);
+        }
+    }
+
+    [Fact]
+    public void BroaderHardeningDeployments_MustDocumentForwardedProtoAuthPosture()
+    {
+        foreach (var expected in BroaderHardeningDeployments)
+        {
+            var deployment = AppDocuments(expected.Key)
+                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value.Deployment);
+
+            deployment.FileText.Should().Contain(
+                "fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178)");
+        }
+    }
+
+    [Fact]
+    public void BroaderHardeningInternalApps_MustOnlyPrestageCommentedPublicMethodAllowlist()
+    {
+        foreach (var app in BroaderHardeningInternalPrestageApps)
+        {
+            var documents = AppDocuments(app);
+            var text = string.Join(Environment.NewLine, documents.Select(document => document.FileText));
+
+            text.Should().Contain("PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only)");
+            text.Should().Contain("#     - match: Host(`");
+            text.Should().Contain("Method(`GET`) || Method(`HEAD`)");
+
+            documents
+                .Where(document => document.Kind == "IngressRoute")
+                .SelectMany(document => document.MappingSequence("spec", "routes"))
+                .Select(route => ManifestNodeExtensions.Scalar(route, "match") ?? string.Empty)
                .Should()
-            .Be("http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git");
-        application.Scalar("spec", "source", "path").Should().Be("apps/fc-devicemgmt");
-        application.Scalar("spec", "destination", "namespace").Should().Be("fc-devicemgmt");
+                .NotContain(match => match.Contains(".flowercore.io", StringComparison.Ordinal),
+                    "Sprint 61 broader hardening only pre-stages commented public hosts for internal-only apps");
+        }
    }

    [Fact]
@@ -1105,20 +1093,6 @@ public sealed class FleetManifestLintTests
            : null;
    }

-    private static string? ProbeHttpGetHeaderValue(YamlMappingNode container, string probeKey, string name)
-    {
-        if (!ManifestNodeExtensions.TryGetMapping(container, probeKey, out var probe)
-            || !ManifestNodeExtensions.TryGetMapping(probe, "httpGet", out var httpGet))
-        {
-            return null;
-        }
-
-        return ManifestNodeExtensions.MappingSequence(httpGet, "httpHeaders")
-            .Where(header => string.Equals(ManifestNodeExtensions.Scalar(header, "name"), name, StringComparison.Ordinal))
-            .Select(header => ManifestNodeExtensions.Scalar(header, "value"))
-            .SingleOrDefault();
-    }
-
    private static IReadOnlyList<ManifestDocument> FcDeviceManagementDocuments()
    {
        return Inventory.Documents
Author	SHA1	Message	Date
bluejay	ac0f665323	Merge pull request 'Draft: Sprint 62 Cx-10 broader exposure hardening' (#43 ) from codex/s62-cx10 into main Sprint 63 Cx-10 reconcile-first merge after local lint proof: 100/100 passed, no Gitea statuses attached, CRLF diff check clean.	2026-06-05 02:51:37 +00:00
Andrew Stoltz	c4b08f41ab	feat(infra): prestage broader app exposure hardening	2026-06-04 18:14:22 -05:00
Andrew Stoltz	417d3830ae	test(lint): reconcile baseline infra assertions	2026-06-04 18:02:32 -05:00
bluejay	cb4ea13e7a	monitoring: mirror Sprint 60 probe coverage Merged on local lint plus live noc1 Prometheus /api/v1/rules proof.	2026-06-04 18:19:47 +00:00
Andrew Stoltz	a3cd67d6bb	monitoring: mirror Sprint 60 probe coverage	2026-06-04 13:15:18 -05:00