fix(monitoring): probe OIDC-safe health routes

2026-06-04 00:23:48 -05:00
28 changed files with 52 additions and 1524 deletions
--- a/apps/fc-aistation/fc-aistation.yaml
+++ b/apps/fc-aistation/fc-aistation.yaml
@@ -46,8 +46,6 @@ spec:
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
        prometheus.io/scrape: "true"
@@ -56,7 +54,6 @@ spec:
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: aistation-web-config
@@ -170,26 +167,3 @@ spec:
          port: 80
  tls:
    secretName: aistation-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose aistation-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: aistation-web-public
 #   namespace: fc-aistation
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`aistation.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: aistation-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: aistation-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-chat/fc-chat.yaml
+++ b/apps/fc-chat/fc-chat.yaml
@@ -112,8 +112,6 @@ spec:
        app.kubernetes.io/name: chat-web
        app.kubernetes.io/part-of: flowercore
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
@@ -130,7 +128,6 @@ spec:
          ports:
            - name: http
              containerPort: 8080
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          envFrom:
            - configMapRef:
                name: chat-web-config
--- a/apps/fc-desktop/fc-desktop.yaml
+++ b/apps/fc-desktop/fc-desktop.yaml
@@ -51,26 +51,3 @@ spec:
          port: 8080
  tls:
    secretName: remotedesktop-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose remotedesktop-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: remotedesktop-web-public
 #   namespace: fc-desktop
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`desktop.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: remotedesktop-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: remotedesktop-web
 #           port: 8080
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-devicemgmt/deployment-web.yaml
+++ b/apps/fc-devicemgmt/deployment-web.yaml
@@ -52,8 +52,6 @@ spec:
        flowercore.io/tenant-id: system
        flowercore.io/created-by: bluejay-infra
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
@@ -69,7 +67,6 @@ spec:
          ports:
            - name: http
              containerPort: 8080
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
--- a/apps/fc-distribution/fc-distribution.yaml
+++ b/apps/fc-distribution/fc-distribution.yaml
@@ -74,14 +74,6 @@ metadata:
 spec:
  itemPath: "vaults/IAmWorkin/items/FlowerCore Edition Signing Key - edition:aistation-field"
 ---
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: distribution-oidc-client
  namespace: fc-distribution
 spec:
  itemPath: "vaults/IAmWorkin/items/distribution-oidc-client"
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -109,7 +101,6 @@ spec:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      # Synology NFS export `/volume1/kubernetes` ACL only allows rke2-server
      # (10.0.56.11) right now. Until the ACL is widened in DSM (admin only),
@@ -127,7 +118,7 @@ spec:
          #   dotnet.exe publish -c Release -o deploy/app \
          #     src/FlowerCore.Distribution.Web/FlowerCore.Distribution.Web.csproj
          #   podman build -t localhost/fc-distribution:v<tag> -f deploy/Dockerfile.deploy deploy
-          image: localhost/fc-distribution:v20260604-oidc-root-anon
+          image: localhost/fc-distribution:v202605061948
          imagePullPolicy: Never
          ports:
            - containerPort: 8080
@@ -139,11 +130,13 @@ spec:
              value: "Production"
            - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
              value: "false"
-            # Authentik/OIDC enforcement. Public read/entitlement + the
+            # Authentik/OIDC enforcement (flipped ON 2026-06-04, no-live-proof per operator;
-            # dist.flowercore.io Method() allowlist stay open; OIDC gates the
+            # public read/entitlement + Method() allowlist stay open — OIDC gates admin only).
-            # operator/admin surface while /healthz remains anonymous.
+            # Auth__Enabled reverted to false 2026-06-04: enabling it gated the
            # /healthz readiness probe (probe->302->NotReady->endpoints drop->down).
            # Re-enable once /healthz is AllowAnonymous (falcon OIDC lane).
            - name: FlowerCore__Auth__Enabled
-              value: "true"
+              value: "false"
            - name: FlowerCore__Auth__Oidc__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Authority
--- a/apps/fc-dms/fc-dms.yaml
+++ b/apps/fc-dms/fc-dms.yaml
@@ -30,26 +30,3 @@ spec:
          port: 80
  tls:
    secretName: dms-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose dms-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: dms-web-public
 #   namespace: fc-dms
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`dms.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: dms-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: dms-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-dns/fc-dns.yaml
+++ b/apps/fc-dns/fc-dns.yaml
@@ -1,481 +0,0 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: fc-dns
  labels:
    app.kubernetes.io/part-of: flowercore
 ---
 # 1Password-backed Secret for the pfSense admin password.
 # The operator watches this CRD, resolves the vault item, and produces a
 # K8s Secret of the same name with each 1P field as a key. The `password`
 # field of the "pfSense Admin" item becomes Secret key `password`.
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: pfsense-admin
  namespace: fc-dns
 spec:
  itemPath: "vaults/IAmWorkin/items/pfSense Admin"
 ---
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: dns-oidc-client
  namespace: fc-dns
 spec:
  itemPath: "vaults/IAmWorkin/items/dns-oidc-client"
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: dns-web-data
  namespace: fc-dns
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: longhorn
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: dns-web-config
  namespace: fc-dns
 data:
  appsettings.Production.json: |
    {
        "FlowerCore": {
        "Auth": {
          "Enabled": true,
          "Oidc": {
            "Enabled": true,
            "Audience": "dns",
            "RequireHttpsMetadata": true
          }
        },
        "Database": {
          "Provider": "Sqlite",
          "ConnectionStrings": {
            "Sqlite": "Data Source=/data/dns.db"
          }
        },
        "Tenant": {
          "DefaultTenantId": "default",
          "JwtClaimsEnabled": false,
          "DefaultTenantHosts": [
            "dns.iamworkin.lan"
          ]
        },
        "Audit": {
          "HashChain": {
            "BridgeSensitivity": {
              "Distribution": "Warn"
            }
          }
        }
      }
    }
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: dns-web
  namespace: fc-dns
  labels:
    app.kubernetes.io/name: dns-web
    app.kubernetes.io/managed-by: flowercore
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: dns-web
  template:
    metadata:
      labels:
        app.kubernetes.io/name: dns-web
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "5320"
        prometheus.io/path: "/metrics/prometheus"
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      serviceAccountName: dns-web
      securityContext:
        runAsNonRoot: true
        runAsUser: 1654
        runAsGroup: 1654
        fsGroup: 1654
      containers:
        - name: dns-web
          image: localhost/fc-dns-web:v20260604-oidc-proper
          imagePullPolicy: Never
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
          ports:
            - containerPort: 5320
          env:
            # pfSense admin password resolved by the 1Password operator.
            # `FallbackPassword` is the Slice A seam exposed by
            # OptionsFallbackPasswordResolver; Slice B will replace it with
            # a pull-at-runtime 1P Connect resolver once Shared.Vault ships.
            - name: FlowerCore__Dns__Providers__PfSenseUnbound__FallbackPassword
              valueFrom:
                secretKeyRef:
                  name: pfsense-admin
                  key: password
            - name: FlowerCore__Auth__Oidc__Authority
              valueFrom:
                secretKeyRef:
                  name: dns-oidc-client
                  key: issuer_url
                  optional: true
            - name: FlowerCore__Auth__Oidc__ClientId
              valueFrom:
                secretKeyRef:
                  name: dns-oidc-client
                  key: client_id
                  optional: true
            - name: FlowerCore__Auth__Oidc__ClientSecret
              valueFrom:
                secretKeyRef:
                  name: dns-oidc-client
                  key: client_secret
                  optional: true
            - name: FlowerCore__Auth__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Audience
              value: "dns"
          volumeMounts:
            - name: data
              mountPath: /data
            - name: tmp
              mountPath: /tmp
            - name: logs
              mountPath: /app/logs
            - name: config
              mountPath: /app/appsettings.Production.json
              subPath: appsettings.Production.json
              readOnly: true
          resources:
            requests:
              cpu: 50m
              memory: 96Mi
            limits:
              cpu: 300m
              memory: 384Mi
          readinessProbe:
            httpGet:
              path: /healthz
              port: 5320
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /healthz
              port: 5320
            initialDelaySeconds: 20
            periodSeconds: 30
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: dns-web-data
        - name: tmp
          emptyDir: {}
        - name: logs
          emptyDir: {}
        - name: config
          configMap:
            name: dns-web-config
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: dns-web
  namespace: fc-dns
 spec:
  selector:
    app.kubernetes.io/name: dns-web
  ports:
    - port: 5320
      targetPort: 5320
  type: ClusterIP
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: dns-web
  namespace: fc-dns
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: dns-web
 rules:
  - apiGroups: [""]
    resources: ["namespaces", "pods", "services", "secrets", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: dns-web
 subjects:
  - kind: ServiceAccount
    name: dns-web
    namespace: fc-dns
 roleRef:
  kind: ClusterRole
  name: dns-web
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: dns-web-cert
  namespace: fc-dns
 spec:
  secretName: dns-web-tls
  issuerRef:
    name: step-ca-dns01
    kind: ClusterIssuer
  dnsNames:
    - dns.iamworkin.lan
  duration: 720h
  renewBefore: 240h
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: dns-web
  namespace: fc-dns
 spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`dns.iamworkin.lan`)
      kind: Rule
      services:
        - name: dns-web
          port: 5320
  tls:
    secretName: dns-web-tls
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: dns-acme-webhook
  namespace: fc-dns
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: dns-acme-webhook
  namespace: fc-dns
  labels:
    app.kubernetes.io/name: dns-acme-webhook
    app.kubernetes.io/managed-by: flowercore
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: dns-acme-webhook
  template:
    metadata:
      labels:
        app.kubernetes.io/name: dns-acme-webhook
    spec:
      serviceAccountName: dns-acme-webhook
      securityContext:
        runAsNonRoot: true
        runAsUser: 1654
        runAsGroup: 1654
        fsGroup: 1654
      containers:
        - name: dns-acme-webhook
          image: localhost/fc-dns-acme-webhook:v202604290845
          imagePullPolicy: Never
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
          ports:
            - containerPort: 9443
              name: https
          env:
            - name: ASPNETCORE_URLS
              value: https://+:9443
            - name: Kestrel__Certificates__Default__Path
              value: /tls/tls.crt
            - name: Kestrel__Certificates__Default__KeyPath
              value: /tls/tls.key
            - name: FlowerCore__Dns__AcmeWebhook__ServiceBaseUrl
              value: http://dns-web:5320
            - name: FlowerCore__Dns__AcmeWebhook__GroupName
              value: acme.flowercore.io
            - name: FlowerCore__Dns__AcmeWebhook__SolverName
              value: flowercore-dns
            - name: FlowerCore__Dns__AcmeWebhook__Version
              value: v1alpha1
          volumeMounts:
            - name: tls
              mountPath: /tls
              readOnly: true
            - name: tmp
              mountPath: /tmp
            - name: logs
              mountPath: /app/logs
          resources:
            requests:
              cpu: 25m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 256Mi
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /readyz
              port: https
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
            initialDelaySeconds: 10
            periodSeconds: 20
            timeoutSeconds: 5
      volumes:
        - name: tls
          secret:
            secretName: dns-acme-webhook-tls
        - name: tmp
          emptyDir: {}
        - name: logs
          emptyDir: {}
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: dns-acme-webhook
  namespace: fc-dns
 spec:
  selector:
    app.kubernetes.io/name: dns-acme-webhook
  ports:
    - port: 443
      targetPort: https
      name: https
  type: ClusterIP
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: dns-acme-webhook-selfsigned
  namespace: fc-dns
 spec:
  selfSigned: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: dns-acme-webhook-ca
  namespace: fc-dns
 spec:
  secretName: dns-acme-webhook-ca
  duration: 43800h
  issuerRef:
    name: dns-acme-webhook-selfsigned
  commonName: ca.dns-acme-webhook.fc-dns
  isCA: true
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: dns-acme-webhook-ca-issuer
  namespace: fc-dns
 spec:
  ca:
    secretName: dns-acme-webhook-ca
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: dns-acme-webhook-serving-cert
  namespace: fc-dns
 spec:
  secretName: dns-acme-webhook-tls
  duration: 8760h
  issuerRef:
    name: dns-acme-webhook-ca-issuer
  dnsNames:
    - dns-acme-webhook
    - dns-acme-webhook.fc-dns
    - dns-acme-webhook.fc-dns.svc
 ---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
  name: v1alpha1.acme.flowercore.io
  annotations:
    cert-manager.io/inject-ca-from: fc-dns/dns-acme-webhook-serving-cert
 spec:
  group: acme.flowercore.io
  groupPriorityMinimum: 1000
  service:
    name: dns-acme-webhook
    namespace: fc-dns
  version: v1alpha1
  versionPriority: 15
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: dns-acme-webhook-solver
 rules:
  - apiGroups: ["acme.flowercore.io"]
    resources: ["flowercore-dns"]
    verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: dns-acme-webhook-solver
 subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
 roleRef:
  kind: ClusterRole
  name: dns-acme-webhook-solver
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: step-ca-dns01
 spec:
  acme:
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lSQVBZMzU3RzZvdzZ6TUFMNSs0YlMya2t3Q2dZSUtvWkl6ajBFQXdJd1FERWEKTUJnR0ExVUVDaE1SU1VGdFYyOXlhMmx1SUVGRFRVVWdRMEV4SWpBZ0JnTlZCQU1UR1VsQmJWZHZjbXRwYmlCQgpRMDFGSUVOQklGSnZiM1FnUTBFd0hoY05Nall3TXpBNE1UZ3dOekV4V2hjTk16WXdNekExTVRnd056RXhXakJBCk1Sb3dHQVlEVlFRS0V4RkpRVzFYYjNKcmFXNGdRVU5OUlNCRFFURWlNQ0FHQTFVRUF4TVpTVUZ0VjI5eWEybHUKSUVGRFRVVWdRMEVnVW05dmRDQkRRVEJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCSjJuMDRYMQpKWm81WmRxL2kxSWR2OCtmcXdaeUF6Qmg3d2hicWowU1dzSkw4VVdSYWJDTXFZQ3M3K2RYTzB4UlN6cWt3RkRMCngrdm9vT2FpOFJnUk5oYWpSVEJETUE0R0ExVWREd0VCL3dRRUF3SUJCakFTQmdOVkhSTUJBZjhFQ0RBR0FRSC8KQWdFQk1CMEdBMVVkRGdRV0JCUm51UFBRUjZpTS9INnZPbHVpVTNTeWdheXo4akFLQmdncWhrak9QUVFEQWdOSQpBREJGQWlFQXJRSzlkWVBHbUFac2RZbmp6aXVGVlZFNU5LWlVjY2VZdkdmR0MrdExYVXNDSUF1ZEYyekpyQ1JxCjNtSzUwWlpFVC9md1RrSndpRUY0ODI0bWpQOHAxQ0tNCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    privateKeySecretRef:
      name: step-ca-dns01-account-key
    server: https://10.0.56.10:9443/acme/acme/directory
    solvers:
      - dns01:
          webhook:
            groupName: acme.flowercore.io
            solverName: flowercore-dns
--- a/apps/fc-dns/kustomization.yaml
+++ b/apps/fc-dns/kustomization.yaml
@@ -1,6 +0,0 @@
 # ArgoCD's bluejay-infra ApplicationSet discovers apps/* directories on main.
 # The kustomization is included for local previews and single-app validation.
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - fc-dns.yaml
--- a/apps/fc-library/fc-library.yaml
+++ b/apps/fc-library/fc-library.yaml
@@ -46,8 +46,6 @@ spec:
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/health"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
        prometheus.io/scrape: "true"
@@ -56,7 +54,6 @@ spec:
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: library-web-config
@@ -170,26 +167,3 @@ spec:
          port: 80
  tls:
    secretName: library-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose library-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: library-web-public
 #   namespace: fc-library
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`library.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: library-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: library-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-llm-bridge/fc-llm-bridge.yaml
+++ b/apps/fc-llm-bridge/fc-llm-bridge.yaml
@@ -83,8 +83,6 @@ spec:
        app.kubernetes.io/name: fc-llm-bridge
        app.kubernetes.io/part-of: flowercore
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
@@ -118,7 +116,6 @@ spec:
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
@@ -284,26 +281,3 @@ spec:
          port: 8080
  tls:
    secretName: fc-llm-bridge-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose fc-llm-bridge publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: fc-llm-bridge-public
 #   namespace: fc-llm-bridge
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`llm-bridge.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: fc-llm-bridge-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: fc-llm-bridge
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-media/fc-media.yaml
+++ b/apps/fc-media/fc-media.yaml
@@ -1,296 +0,0 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: fc-media
  labels:
    app.kubernetes.io/name: fc-media
    app.kubernetes.io/part-of: flowercore
 ---
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: media-oidc-client
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 spec:
  itemPath: "vaults/IAmWorkin/items/media-oidc-client"
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: fc-media-config
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 data:
  appsettings.Production.json: |
    {
      "DatabaseProvider": "Sqlite",
      "ConnectionStrings": {
        "Sqlite": "Data Source=/data/media.db"
      },
      "FlowerCore": {
        "Auth": {
          "Enabled": true,
          "Oidc": {
            "Authority": "https://id.iamworkin.lan/application/o/media/",
            "ClientId": "media",
            "ClientSecret": "",
            "Audience": "media",
            "RequireHttpsMetadata": true
          }
        },
        "Tenant": {
          "JwtClaimsEnabled": false,
          "DefaultTenantHosts": [ "media.iamworkin.lan" ]
        }
      },
      "Media": {
        "LibraryRoot": "/media/library",
        "Sources": [
          {
            "Name": "BlueJayNAS Video",
            "Driver": "Nfs",
            "MountedPath": "/media/library",
            "RemotePath": "nfs://10.0.58.3/volume1/video",
            "IsEnabled": true,
            "IsDefault": true,
            "Notes": "Synology NFS media share mounted read-only inside the cluster."
          }
        ],
        "GeneratedRoot": "/data/generated",
        "TranscodeRoot": "/data/transcodes",
        "InboxPath": "/media/inbox",
        "InboxScanIntervalMinutes": 5,
        "ScanOnStartup": false,
        "ComputeChecksums": false,
        "FfmpegCommand": "ffmpeg",
        "FfprobeCommand": "ffprobe",
        "Hls": {
          "MaxConcurrentJobs": 1
        },
        "DefaultViewerName": "BlueJay",
        "Dlna": {
          "IsEnabled": true,
          "MulticastAddress": "239.255.255.250",
          "Port": 1900,
          "DiscoveryTimeoutSeconds": 2,
          "DescriptionFetchTimeoutSeconds": 2,
          "MaxResponsesPerSearchTarget": 32,
          "SearchTargets": [
            "urn:schemas-upnp-org:device:MediaRenderer:1",
            "urn:schemas-upnp-org:device:MediaServer:1"
          ]
        }
      }
    }
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: fc-media-data
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: longhorn
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: fc-media-web
  namespace: fc-media
  labels:
    app: fc-media-web
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: fc-media-web
  template:
    metadata:
      labels:
        app: fc-media-web
        app.kubernetes.io/name: fc-media-web
        app.kubernetes.io/part-of: flowercore
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "5200"
        prometheus.io/path: "/metrics"
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      nodeSelector:
        kubernetes.io/hostname: rke2-server
      containers:
        - name: fc-media-web
          image: localhost/fc-media-web:v20260604-oidc-proper
          imagePullPolicy: Never
          ports:
            - containerPort: 5200
              name: http
          env:
            - name: ASPNETCORE_ENVIRONMENT
              value: Production
            - name: ASPNETCORE_URLS
              value: http://+:5200
            - name: FlowerCore__Auth__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Audience
              value: "media"
            - name: FlowerCore__Auth__Oidc__ClientId
              valueFrom:
                secretKeyRef:
                  name: media-oidc-client
                  key: client_id
                  optional: true
            - name: FlowerCore__Auth__Oidc__ClientSecret
              valueFrom:
                secretKeyRef:
                  name: media-oidc-client
                  key: client_secret
                  optional: true
            - name: FlowerCore__Auth__Oidc__Authority
              valueFrom:
                secretKeyRef:
                  name: media-oidc-client
                  key: issuer_url
                  optional: true
          resources:
            requests:
              cpu: 500m
              memory: 1Gi
            limits:
              cpu: "4"
              memory: 4Gi
          volumeMounts:
            - name: config
              mountPath: /app/appsettings.Production.json
              subPath: appsettings.Production.json
              readOnly: true
            - name: data
              mountPath: /data
            - name: transcodes
              mountPath: /data/transcodes
            - name: media-library
              mountPath: /media/library
              readOnly: true
            - name: media-inbox
              mountPath: /media/inbox
          startupProbe:
            httpGet:
              path: /healthz
              port: 5200
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            failureThreshold: 18
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 5200
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /healthz
              port: 5200
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 30
            periodSeconds: 30
      volumes:
        - name: config
          configMap:
            name: fc-media-config
        - name: data
          persistentVolumeClaim:
            claimName: fc-media-data
        - name: transcodes
          nfs:
            server: 10.0.58.3
            path: /volume1/kubernetes/fc-media-transcodes
        - name: media-inbox
          nfs:
            server: 10.0.58.3
            path: /volume1/kubernetes/fc-media-inbox
        - name: media-library
          nfs:
            server: 10.0.58.3
            path: /volume1/video
            readOnly: true
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: fc-media-web
  namespace: fc-media
  labels:
    app: fc-media-web
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 spec:
  type: ClusterIP
  selector:
    app: fc-media-web
  ports:
    - port: 5200
      targetPort: 5200
      protocol: TCP
      name: http
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: fc-media-tls
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 spec:
  secretName: fc-media-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - media.iamworkin.lan
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: fc-media-web
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`media.iamworkin.lan`)
      kind: Rule
      services:
        - name: fc-media-web
          port: 5200
  tls:
    secretName: fc-media-tls
--- a/apps/fc-media/kustomization.yaml
+++ b/apps/fc-media/kustomization.yaml
@@ -1,6 +0,0 @@
 # ArgoCD's bluejay-infra ApplicationSet discovers apps/* directories on main.
 # The kustomization is included for local previews and single-app validation.
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - fc-media.yaml
--- a/apps/fc-menuboard/fc-menuboard.yaml
+++ b/apps/fc-menuboard/fc-menuboard.yaml
@@ -30,26 +30,3 @@ spec:
          port: 80
  tls:
    secretName: menuboard-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose menuboard-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: menuboard-web-public
 #   namespace: fc-menuboard
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`menuboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: menuboard-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: menuboard-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-messageboard/fc-messageboard.yaml
+++ b/apps/fc-messageboard/fc-messageboard.yaml
@@ -41,8 +41,6 @@ spec:
      labels:
        app: messageboard-web
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
@@ -54,7 +52,6 @@ spec:
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          envFrom:
            - configMapRef:
                name: messageboard-web-config
@@ -144,26 +141,3 @@ spec:
          port: 80
  tls:
    secretName: messageboard-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose messageboard-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: messageboard-web-public
 #   namespace: fc-messageboard
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`messageboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: messageboard-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: messageboard-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-mysql/fc-mysql.yaml
+++ b/apps/fc-mysql/fc-mysql.yaml
@@ -30,26 +30,3 @@ spec:
          port: 5300
  tls:
    secretName: mysql-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose mysql-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: mysql-web-public
 #   namespace: fc-mysql
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`mysql.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: mysql-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: mysql-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-php/fc-php.yaml
+++ b/apps/fc-php/fc-php.yaml
@@ -30,26 +30,3 @@ spec:
          port: 5400
  tls:
    secretName: php-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose php-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: php-web-public
 #   namespace: fc-php
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`php.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: php-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: php-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-presentations/fc-presentations.yaml
+++ b/apps/fc-presentations/fc-presentations.yaml
@@ -30,26 +30,3 @@ spec:
          port: 80
  tls:
    secretName: presentations-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose presentations-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: presentations-web-public
 #   namespace: fc-presentations
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`presentations.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: presentations-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: presentations-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-retail/fc-retail.yaml
+++ b/apps/fc-retail/fc-retail.yaml
@@ -46,8 +46,6 @@ spec:
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        kubectl.kubernetes.io/restartedAt: "2026-06-02T01:34:08-05:00"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
@@ -57,7 +55,6 @@ spec:
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: retail-web-config
@@ -171,26 +168,3 @@ spec:
          port: 80
  tls:
    secretName: retail-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose retail-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: retail-web-public
 #   namespace: fc-retail
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`retail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: retail-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: retail-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-scoreboard/fc-scoreboard.yaml
+++ b/apps/fc-scoreboard/fc-scoreboard.yaml
@@ -30,26 +30,3 @@ spec:
          port: 80
  tls:
    secretName: scoreboard-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose scoreboard-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: scoreboard-web-public
 #   namespace: fc-scoreboard
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`scoreboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: scoreboard-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: scoreboard-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-segmentdisplay/fc-segmentdisplay.yaml
+++ b/apps/fc-segmentdisplay/fc-segmentdisplay.yaml
@@ -37,26 +37,3 @@ spec:
          port: 80
  tls:
    secretName: segmentdisplay-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose segmentdisplay-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: segmentdisplay-web-public
 #   namespace: fc-segmentdisplay
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`segmentdisplay.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: segmentdisplay-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: segmentdisplay-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-signage/fc-signage.yaml
+++ b/apps/fc-signage/fc-signage.yaml
@@ -46,26 +46,3 @@ spec:
      services:
        - name: signage-web
          port: 5190
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose signage-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: signage-web-public
 #   namespace: fc-signage
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`signage.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: signage-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: signage-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-ttsreader/fc-ttsreader.yaml
+++ b/apps/fc-ttsreader/fc-ttsreader.yaml
@@ -97,7 +97,6 @@ spec:
      containers:
        - name: piper
          image: rhasspy/wyoming-piper:latest
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: PYTHONHTTPSVERIFY
              value: "0"
@@ -524,8 +523,6 @@ spec:
        app.kubernetes.io/name: ttsreader-web
        app.kubernetes.io/part-of: flowercore
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "5217"
        prometheus.io/path: "/metrics"
@@ -765,26 +762,3 @@ spec:
          port: 5217
  tls:
    secretName: ttsreader-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose ttsreader-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: ttsreader-web-public
 #   namespace: fc-ttsreader
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`ttsreader.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: ttsreader-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: ttsreader-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-updater/fc-updater.yaml
+++ b/apps/fc-updater/fc-updater.yaml
@@ -52,9 +52,6 @@ spec:
      app: updatecenter-web
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
      labels:
        app: updatecenter-web
    spec:
@@ -66,7 +63,6 @@ spec:
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: http://+:8080
--- a/apps/knowledge/knowledge.yaml
+++ b/apps/knowledge/knowledge.yaml
@@ -90,8 +90,6 @@ spec:
        app.kubernetes.io/name: knowledge-web
        app.kubernetes.io/part-of: bluejay-infra
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
@@ -119,7 +117,6 @@ spec:
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
@@ -289,26 +286,3 @@ spec:
          port: 80
  tls:
    secretName: knowledge-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose knowledge-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: knowledge-web-public
 #   namespace: knowledge
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`knowledge.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: knowledge-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: knowledge-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/monitoring/noc-monitoring.yaml
+++ b/apps/monitoring/noc-monitoring.yaml
@@ -216,24 +216,19 @@ data:
      - job_name: "pimanager-app"
        scrape_interval: 15s
        metrics_path: /metrics
        scheme: https
        tls_config:
          insecure_skip_verify: true
        static_configs:
-          - targets: ["piez.iamworkin.lan"]
+          - targets: ["10.0.58.25:5000"]
            labels:
              instance: "piez"
-              service: "signalcontrol"
+              service: "pimanager"
              vlan: "home"
              device: "pi4-ezconnect"
-              rig: "signal-b"
+          - targets: ["10.0.58.113:5200"]
          - targets: ["pirelay.iamworkin.lan"]
            labels:
              instance: "pirelay"
-              service: "signalcontrol"
+              service: "pimanager"
              vlan: "home"
              device: "pi3-ks0212"
              rig: "signal-a"
      # Epson ET-3750 EcoTank Printer SNMP
      - job_name: "snmp-printer"
@@ -486,22 +481,16 @@ data:
              - "https://intranet.iamworkin.lan/"
              - "https://signage.iamworkin.lan/healthz"   # root 401 auth-gated 2026-06-01; /healthz anon 200
              - "https://kiosk.iamworkin.lan/"
-              - "https://media.iamworkin.lan/healthz"    # root auth-gated by OIDC; /healthz anonymous 200
+              - "https://media.iamworkin.lan/"        # OIDC lane must add /healthz before flipping auth; live /healthz 404 on 2026-06-04
              - "https://mysql.iamworkin.lan/healthz"   # root 401 auth-gated 2026-06-01; /healthz anon 200
              - "https://php.iamworkin.lan/healthz"     # root 401 auth-gated 2026-06-01; /healthz anon 200
              - "https://zabbix.iamworkin.lan/"
              - "https://desktop.iamworkin.lan/"
-              - "https://print.iamworkin.lan/healthz"    # root 401 behind API key auth; /healthz anonymous 200
+              - "https://print.iamworkin.lan/healthz" # root 401 behind API key auth; /healthz anonymous 200
-              - "https://dns.iamworkin.lan/healthz"      # root auth-gated by OIDC; /healthz anonymous 200
+              - "https://dns.iamworkin.lan/"          # OIDC lane must add /healthz before flipping auth; live /healthz 404 on 2026-06-04
-              - "https://signalcontrol.iamworkin.lan/health" # FlowerCore.SignalControl Pi control plane
+              - "https://chat.iamworkin.lan/healthz"  # OIDC staged; keep blackbox off root before enforcement flips
-              - "https://flowercore.iamworkin.lan/healthz"    # FlowerCore landing
+              - "https://dist.iamworkin.lan/healthz"  # distribution OIDC flip outage was /healthz gating; probe the anonymous health route
-              - "https://replay.iamworkin.lan/healthz"        # FlowerCore.Signage replay surface
+              - "https://dms.iamworkin.lan/healthz"   # future OIDC posture; health route is already anonymous/live
              - "https://worldbuilder.iamworkin.lan/healthz"  # FlowerCore.WorldBuilder
              - "https://updates.iamworkin.lan/api/v1/manifests/_schema" # UpdateCenter plural LAN alias
              - "https://updatecenter-internal.iamworkin.lan/api/v1/manifests/_schema" # internal UC schema route
              - "https://chat.iamworkin.lan/healthz"     # OIDC staged; keep blackbox off root before enforcement flips
              - "https://dist.iamworkin.lan/healthz"     # root/admin auth-gated by OIDC; /healthz anonymous 200
              - "https://dms.iamworkin.lan/healthz"      # future OIDC posture; health route is already anonymous/live
              - "https://menuboard.iamworkin.lan/"
              - "https://messageboard.iamworkin.lan/"
              - "https://presentations.iamworkin.lan/"
@@ -922,13 +911,12 @@ data:
          # of idle and SNMP times out, so 5m for: would page nightly. A
          # genuine printer outage (jam, disconnected) lasts well over 30m.
          - alert: EpsonPrinterDown
-            expr: (max_over_time(up{job="snmp-printer"}[35m]) == bool 0) == 1 and (hour() >= 13 or hour() < 1)
+            expr: up{job="snmp-printer"} == 0
            for: 30m
            labels:
-              severity: info
+              severity: warning
              alert_channel: irc
            annotations:
-              summary: "Epson ET-3750 SNMP unreachable during waking hours (30m)"
+              summary: "Epson ET-3750 SNMP unreachable for >30m (likely actual fault, not sleep)"
          - alert: SynologyDiskLow
            expr: hrStorageUsed{job="snmp-nas"} / hrStorageSize{job="snmp-nas"} * 100 > 85
--- a/apps/telephony/telephony.yaml
+++ b/apps/telephony/telephony.yaml
@@ -114,9 +114,6 @@ spec:
      app: telephony-web
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/health"
      labels:
        app: telephony-web
    spec:
@@ -164,7 +161,6 @@ spec:
          ports:
            - containerPort: 5100
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: Telephony__Twilio__AccountSid
              valueFrom:
@@ -391,3 +387,4 @@ spec:
--- a/apps/worldbuilder/worldbuilder.yaml
+++ b/apps/worldbuilder/worldbuilder.yaml
@@ -77,8 +77,6 @@ spec:
        flowercore.io/tenant-id: system
        flowercore.io/created-by: bluejay-infra
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
@@ -95,7 +93,6 @@ spec:
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
@@ -257,26 +254,3 @@ spec:
          port: 80
  tls:
    secretName: worldbuilder-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose worldbuilder-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: worldbuilder-web-public
 #   namespace: worldbuilder
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`worldbuilder.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: worldbuilder-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: worldbuilder-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -15,19 +15,24 @@ public sealed class FleetManifestLintTests
    {
        "brochure.flowercore.io",
        "dist.flowercore.io",
        "dns.iamworkin.lan",
    };
-    // Hosts that allow a tightly bounded write surface in addition to GET/HEAD.
+    // Public hosts that allow a tightly bounded write surface in addition to
-    // updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
+    // GET/HEAD. updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
    // (bootstrap-JWT) so its allowlist is GET||HEAD||POST||OPTIONS — but
-    // PUT/PATCH/DELETE must still 404 at the route. Public
+    // PUT/PATCH/DELETE must still 404 at the route. Anything wider than this
-    // update.flowercore.io remains a GET/HEAD download surface in the
+    // set should fail this lint.
-    // FlowerCore.Updater sibling manifest and is covered by the general
+    //
-    // public-method allowlist lint instead of this write-surface rule.
+    // PUB-1 (2026-05-06): update.flowercore.io / updates.flowercore.io were
    // added for the Cloudflare-proxied public Update Center edge. They use the
    // same bounded read-write allowlist as the LAN pair.
    private static readonly HashSet<string> PublicReadWriteAllowlistHosts = new(StringComparer.Ordinal)
    {
        "updatecenter.iamworkin.lan",
        "updates.iamworkin.lan",
        "update.flowercore.io",
        "updates.flowercore.io",
    };
    private static readonly HashSet<string> ApiKeyProtectedDeployments = new(StringComparer.Ordinal)
@@ -65,7 +70,7 @@ public sealed class FleetManifestLintTests
        ["github-runner-updater"] = "https://github.com/astoltz/FlowerCore.Updater",
    };
-    private static readonly HashSet<string> RepoScopedLinuxRunnerDeployments = new(StringComparer.Ordinal)
+    private static readonly HashSet<string> ScaledLinuxRunnerDeployments = new(StringComparer.Ordinal)
    {
        "github-runner-sharedpos",
        "github-runner-puppet",
@@ -79,44 +84,6 @@ public sealed class FleetManifestLintTests
        "github-runner-updater",
    };
    private static readonly IReadOnlyDictionary<string, (string Deployment, string ProbePath)> BroaderHardeningDeployments =
        new Dictionary<string, (string Deployment, string ProbePath)>(StringComparer.Ordinal)
        {
            ["fc-aistation"] = ("aistation-web", "/healthz"),
            ["fc-chat"] = ("chat-web", "/healthz"),
            ["fc-devicemgmt"] = ("fc-devicemgmt-web", "/healthz"),
            ["fc-library"] = ("library-web", "/health"),
            ["fc-llm-bridge"] = ("fc-llm-bridge", "/healthz"),
            ["fc-messageboard"] = ("messageboard-web", "/healthz"),
            ["fc-retail"] = ("retail-web", "/healthz"),
            ["fc-ttsreader"] = ("ttsreader-web", "/healthz"),
            ["fc-updater"] = ("updatecenter-web", "/healthz"),
            ["knowledge"] = ("knowledge-web", "/healthz"),
            ["telephony"] = ("telephony-web", "/health"),
            ["worldbuilder"] = ("worldbuilder-web", "/healthz"),
        };
    private static readonly HashSet<string> BroaderHardeningInternalPrestageApps = new(StringComparer.Ordinal)
    {
        "fc-aistation",
        "fc-desktop",
        "fc-dms",
        "fc-library",
        "fc-llm-bridge",
        "fc-menuboard",
        "fc-messageboard",
        "fc-mysql",
        "fc-php",
        "fc-presentations",
        "fc-retail",
        "fc-scoreboard",
        "fc-segmentdisplay",
        "fc-signage",
        "fc-ttsreader",
        "knowledge",
        "worldbuilder",
    };
    private static readonly IReadOnlyDictionary<string, string> WritableRunnerEnv = new Dictionary<string, string>(StringComparer.Ordinal)
    {
        ["HOME"] = "/home/runner",
@@ -305,17 +272,17 @@ public sealed class FleetManifestLintTests
    }
    [Fact]
-    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForRepoScopedDeployments()
+    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForScaledDeployments()
    {
        var deployments = GitHubRunnerDeployments();
-        foreach (var deploymentName in RepoScopedLinuxRunnerDeployments)
+        foreach (var deploymentName in ScaledLinuxRunnerDeployments)
        {
            var deployment = deployments[deploymentName];
-            // Sprint 34 ops trimmed runner load while the cluster was degraded
+            // Scaled runners must have >= 2 replicas (avoid single-pod bottleneck).
-            // to two healthy nodes. Repo-scoped runners can be tuned back above
+            // Individual deployments may be tuned upward per CI activity — see
-            // one replica, but they must stay RWO-safe before that happens.
+            // "runners: right-size replica counts per 14d CI activity (#24)".
-            ReplicaCount(deployment).Should().BeGreaterOrEqualTo(1, $"{deploymentName} must keep at least one repo-scoped runner online");
+            ReplicaCount(deployment).Should().BeGreaterOrEqualTo(2, $"{deploymentName} is in the scaled set and must run with at least 2 replicas");
            var volumes = deployment.MappingSequence("spec", "template", "spec", "volumes");
            var claimNames = volumes
@@ -323,7 +290,7 @@ public sealed class FleetManifestLintTests
                .Where(value => !string.IsNullOrWhiteSpace(value))
                .ToList();
-            claimNames.Should().BeEmpty($"{deploymentName} must remain ready for safe multi-replica scaling without sharing a RWO PVC");
+            claimNames.Should().BeEmpty($"{deploymentName} is scaled and must not share a RWO PVC");
            volumes.Should().Contain(volume =>
                string.Equals(ManifestNodeExtensions.Scalar(volume, "name"), "nuget-cache", StringComparison.Ordinal)
                && ManifestNodeExtensions.Mapping(volume, "emptyDir") != null);
@@ -521,16 +488,16 @@ public sealed class FleetManifestLintTests
    }
    [Fact]
-    public void Distribution_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
+    public void Distribution_OidcEnforcement_MustStayOffUntilHealthzAllowAnonymousProofLands()
    {
        var distribution = Inventory.Documents
            .Single(document => document.Kind == "Deployment" && document.Namespace == "fc-distribution" && document.Name == "fc-distribution");
        var container = distribution.MainContainerMappings().Should().ContainSingle().Subject;
        EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
-        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
+        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("false");
        ProbeHttpGetPath(container, "readinessProbe").Should().Be("/healthz");
-        PodAnnotation(distribution, "flowercore.io/healthz-auth-policy").Should().Be("allow-anonymous");
+        PodAnnotation(distribution, "flowercore.io/healthz-auth-policy").Should().NotBe("allow-anonymous");
    }
    [Fact]
@@ -646,6 +613,7 @@ public sealed class FleetManifestLintTests
        var expectedFiles = new[]
        {
            "1password-item.yaml",
            "argocd-application.yaml",
            "certificate-web.yaml",
            "clusterrole-operator.yaml",
            "clusterrolebinding-operator.yaml",
@@ -801,202 +769,17 @@ public sealed class FleetManifestLintTests
    }
    [Fact]
-    public void FcDeviceManagement_MustRelyOnApplicationSetDiscovery()
+    public void FcDeviceManagement_ArgocdApplicationMustMatchApplicationSetDiscoveryConventions()
    {
-        var documents = FcDeviceManagementDocuments();
+        var application = FcDeviceManagementDocuments()
            .Single(document => document.Kind == "Application" && document.Name == "infra-fc-devicemgmt");
-        documents.Should().NotContain(document => document.Kind == "Application");
+        application.Namespace.Should().Be("argocd");
-
+        application.Scalar("spec", "source", "repoURL")
        var ns = documents.Single(document => document.Kind == "Namespace" && document.Name == "fc-devicemgmt");
        ns.FileText.Should().Contain("ArgoCD discovers this directory as Application `infra-fc-devicemgmt`.");
    }
    [Fact]
    public void BroaderHardeningDeployments_MustAnnotateAnonymousHealthProbeIntent()
    {
        foreach (var expected in BroaderHardeningDeployments)
        {
            var deployment = AppDocuments(expected.Key)
                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value.Deployment);
            PodAnnotation(deployment, "fc.flowercore.io/healthz-anon").Should().Be("true");
            PodAnnotation(deployment, "fc.flowercore.io/probe-path").Should().Be(expected.Value.ProbePath);
        }
    }
    [Fact]
    public void BroaderHardeningDeployments_MustDocumentForwardedProtoAuthPosture()
    {
        foreach (var expected in BroaderHardeningDeployments)
        {
            var deployment = AppDocuments(expected.Key)
                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value.Deployment);
            deployment.FileText.Should().Contain(
                "fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178)");
        }
    }
    [Fact]
    public void BroaderHardeningInternalApps_MustOnlyPrestageCommentedPublicMethodAllowlist()
    {
        foreach (var app in BroaderHardeningInternalPrestageApps)
        {
            var documents = AppDocuments(app);
            var text = string.Join(Environment.NewLine, documents.Select(document => document.FileText));
            text.Should().Contain("PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only)");
            text.Should().Contain("#     - match: Host(`");
            text.Should().Contain("Method(`GET`) || Method(`HEAD`)");
            documents
                .Where(document => document.Kind == "IngressRoute")
                .SelectMany(document => document.MappingSequence("spec", "routes"))
                .Select(route => ManifestNodeExtensions.Scalar(route, "match") ?? string.Empty)
                .Should()
                .NotContain(match => match.Contains(".flowercore.io", StringComparison.Ordinal),
                    "Sprint 61 broader hardening only pre-stages commented public hosts for internal-only apps");
        }
    }
    [Fact]
    public void OidcFlipServices_AreGitOpsManagedWithHealthzProbes()
    {
        var deployments = new[]
        {
            (App: "fc-dns", Name: "dns-web", Slug: "dns", Secret: "dns-oidc-client"),
            (App: "fc-media", Name: "fc-media-web", Slug: "media", Secret: "media-oidc-client"),
            (App: "fc-distribution", Name: "fc-distribution", Slug: "distribution", Secret: "distribution-oidc-client"),
        };
        foreach (var expected in deployments)
        {
            var deployment = AppDocuments(expected.App)
                .Single(document => document.Kind == "Deployment" && document.Name == expected.Name);
            var container = deployment.MainContainerMappings().Should().ContainSingle().Subject;
            EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
            EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
            (EnvValue(container, "FlowerCore__Auth__Oidc__Audience") ?? EnvValue(container, "FlowerCore__Auth__Oidc__ClientId"))
                .Should()
                .Be(expected.Slug);
            EnvSecretName(container, "FlowerCore__Auth__Oidc__ClientSecret").Should().Be(expected.Secret);
            EnvSecretOptional(container, "FlowerCore__Auth__Oidc__ClientSecret").Should().Be("true");
            ProbePath(container, "readinessProbe").Should().Be("/healthz");
            if (ProbePath(container, "startupProbe") is { } startupProbePath)
            {
                startupProbePath.Should().Be("/healthz");
            }
            if (ProbePath(container, "livenessProbe") is { } livenessProbePath)
            {
                livenessProbePath.Should().Be("/healthz");
            }
        }
    }
    [Fact]
    public void OidcFlipServices_UseOnePasswordItemClientSecrets()
    {
        var expectedItems = new Dictionary<string, (string Name, string ItemPath)>(StringComparer.Ordinal)
        {
            ["fc-dns"] = ("dns-oidc-client", "vaults/IAmWorkin/items/dns-oidc-client"),
            ["fc-media"] = ("media-oidc-client", "vaults/IAmWorkin/items/media-oidc-client"),
            ["fc-distribution"] = ("distribution-oidc-client", "vaults/IAmWorkin/items/distribution-oidc-client"),
        };
        foreach (var expected in expectedItems)
        {
            var item = AppDocuments(expected.Key)
                .Single(document => document.Kind == "OnePasswordItem" && document.Name == expected.Value.Name);
            item.Scalar("spec", "itemPath").Should().Be(expected.Value.ItemPath);
        }
    }
    [Fact]
    public void DnsAndMediaGitOpsAdoption_PreservesLiveStorageAndImageShape()
    {
        var dnsDeployment = AppDocuments("fc-dns")
            .Single(document => document.Kind == "Deployment" && document.Name == "dns-web");
        var dnsContainer = dnsDeployment.MainContainerMappings().Should().ContainSingle().Subject;
        var dnsPvc = AppDocuments("fc-dns")
            .Single(document => document.Kind == "PersistentVolumeClaim" && document.Name == "dns-web-data");
        ManifestNodeExtensions.Scalar(dnsContainer, "image").Should().Be("localhost/fc-dns-web:v20260604-oidc-proper");
        dnsPvc.Scalar("spec", "storageClassName").Should().Be("longhorn");
        dnsPvc.Scalar("spec", "resources", "requests", "storage").Should().Be("1Gi");
        var mediaDeployment = AppDocuments("fc-media")
            .Single(document => document.Kind == "Deployment" && document.Name == "fc-media-web");
        var mediaContainer = mediaDeployment.MainContainerMappings().Should().ContainSingle().Subject;
        var mediaPvc = AppDocuments("fc-media")
            .Single(document => document.Kind == "PersistentVolumeClaim" && document.Name == "fc-media-data");
        ManifestNodeExtensions.Scalar(mediaContainer, "image").Should().Be("localhost/fc-media-web:v20260604-oidc-proper");
        mediaPvc.Scalar("spec", "storageClassName").Should().Be("longhorn");
        mediaPvc.Scalar("spec", "resources", "requests", "storage").Should().Be("20Gi");
        mediaDeployment.AllScalars().Should().Contain(new[]
        {
            "/volume1/kubernetes/fc-media-transcodes",
            "/volume1/kubernetes/fc-media-inbox",
            "/volume1/video",
        });
        var distributionDeployment = AppDocuments("fc-distribution")
            .Single(document => document.Kind == "Deployment" && document.Name == "fc-distribution");
        var distributionContainer = distributionDeployment.MainContainerMappings().Should().ContainSingle().Subject;
        ManifestNodeExtensions.Scalar(distributionContainer, "image").Should().Be("localhost/fc-distribution:v20260604-oidc-root-anon");
    }
    [Fact]
    public void MonitoringProbes_UseHealthzForOidcGatedHosts()
    {
        var monitoring = File.ReadAllText(Path.Combine(Inventory.BluejayRoot, "apps", "monitoring", "noc-monitoring.yaml"));
        monitoring.Should().Contain("\"https://dns.iamworkin.lan/healthz\"");
        monitoring.Should().Contain("\"https://dist.iamworkin.lan/healthz\"");
        monitoring.Should().Contain("\"https://media.iamworkin.lan/healthz\"");
        monitoring.Should().NotContain("\"https://dns.iamworkin.lan/\"");
        monitoring.Should().NotContain("\"https://dist.iamworkin.lan/\"");
        monitoring.Should().NotContain("\"https://media.iamworkin.lan/\"");
    }
    [Fact]
    public void DistributionPublicIngress_KeepsGetHeadMethodAllowlist()
    {
        var publicIngress = AppDocuments("fc-distribution")
            .Single(document => document.Kind == "IngressRoute" && document.Name == "fc-distribution-public");
        var route = publicIngress.MappingSequence("spec", "routes").Should().ContainSingle().Subject;
        var match = ManifestNodeExtensions.Scalar(route, "match");
        match.Should().Contain("Host(`dist.flowercore.io`)");
        match.Should().Contain("Method(`GET`)");
        match.Should().Contain("Method(`HEAD`)");
        match.Should().NotContain("Method(`POST`)");
    }
    [Fact]
    public void DnsAndMediaIngressRoutes_MatchLiveInternalHosts()
    {
        var dnsRoute = AppDocuments("fc-dns")
            .Single(document => document.Kind == "IngressRoute" && document.Name == "dns-web")
            .MappingSequence("spec", "routes")
            .Should()
-            .ContainSingle()
+            .Be("http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git");
-            .Subject;
+        application.Scalar("spec", "source", "path").Should().Be("apps/fc-devicemgmt");
-        var mediaRoute = AppDocuments("fc-media")
+        application.Scalar("spec", "destination", "namespace").Should().Be("fc-devicemgmt");
            .Single(document => document.Kind == "IngressRoute" && document.Name == "fc-media-web")
            .MappingSequence("spec", "routes")
            .Should()
            .ContainSingle()
            .Subject;
        ManifestNodeExtensions.Scalar(dnsRoute, "match").Should().Be("Host(`dns.iamworkin.lan`)");
        ManifestNodeExtensions.Scalar(mediaRoute, "match").Should().Be("Host(`media.iamworkin.lan`)");
    }
    private static IEnumerable<string> ProbeViolations(
@@ -1055,25 +838,6 @@ public sealed class FleetManifestLintTests
            : null;
    }
    private static string? EnvSecretOptional(YamlMappingNode container, string name)
    {
        return EnvMapping(container, name) is { } env
            ? ManifestNodeExtensions.Scalar(env, "valueFrom", "secretKeyRef", "optional")
            : null;
    }
    private static string? ProbePath(YamlMappingNode container, string probeKey)
    {
        return ManifestNodeExtensions.Scalar(container, probeKey, "httpGet", "path");
    }
    private static IReadOnlyList<ManifestDocument> AppDocuments(string app)
    {
        return Inventory.Documents
            .Where(document => document.RelativePath.StartsWith($"{app}/", StringComparison.Ordinal))
            .ToList();
    }
    private static YamlMappingNode? EnvMapping(YamlMappingNode container, string name)
    {
        return ManifestNodeExtensions.MappingSequence(container, "env")