Deploy Chat regroup CH-3 image

agent-zero: fix fc_dms netpol egress port (8080 = pod targetPort, not svc 80)
NetworkPolicy matches the destination POD port. dms-web svc:80 -> containerPort 8080, so the egress must allow 8080 (the fc-chat rule already allows 80+8080, which is why chat worked and dms timed out). Add 8080 to the fc-dms egress.
2026-06-14 18:01:43 -05:00 · 2026-06-14 16:25:25 -05:00 · 2026-06-14 16:19:34 -05:00 · 2026-06-14 15:12:05 -05:00 · 2026-06-14 14:36:11 -05:00 · 2026-06-14 14:14:59 -05:00
144 changed files with 39931 additions and 16412 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,4 @@
 /.gitattributes text eol=lf
 *.yaml text eol=lf
 *.yml text eol=lf
 *.sh text eol=lf
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,7 @@
 # .NET build outputs (lint test project)
 **/bin/
 **/obj/
 # Editor / temp
 .DS_Store
 *.swp
--- a/README.md
+++ b/README.md
@@ -99,10 +99,36 @@ curl -sk -X DELETE https://dns.iamworkin.lan/api/v1/servers/<serverId>/zones/iam
 - **CoreDNS template + ndots:5 collision**: inside pods, `<svc>.<ns>.svc.cluster.local` with <5 dots gets search-expanded through `iamworkin.lan` FIRST and hits the wildcard template → resolves to Traefik VIP, not the real ClusterIP. Use short service names (`<svc>`) in K8s manifests. See memory `feedback_coredns_ndots_template_collision.md`.
 - **Image not on node**: pods stuck `ErrImageNeverPull` means the image wasn't imported to the node Kubernetes scheduled the pod onto. `ctr images import` on all of rke2-server, rke2-agent1, rke2-agent2.
 - **StatefulSet PVC drift**: `volumeClaimTemplates` needs explicit `volumeMode: Filesystem` or ArgoCD SSA self-heals forever. See memory `feedback_argocd_statefulset_pvc_drift.md`.
 - **IngressRoute namespace split**: this RKE2 Traefik install does not allow cross-namespace service refs. Keep the `IngressRoute`, backend `Service`, and TLS secret in the same namespace; if one host is shared across namespaces, duplicate the `Certificate` and move the route next to the destination service.
 - **Public read-only hosts**: if a public host fronts a service that also exposes admin writes internally, add a Traefik route match like `Host(...) && (Method(GET) || Method(HEAD))` on the public edge instead of trusting the app to reject unsafe methods.
 - **Public read-write allowlist hosts**: if a public host accepts a tightly bounded write surface (e.g. bootstrap-JWT POST), pin the allowlist as `(Method(GET) || Method(HEAD) || Method(POST) || Method(OPTIONS))`. PUT/PATCH/DELETE must still 404 at the route. Track A's `updatecenter.iamworkin.lan` / `updates.iamworkin.lan` are the canonical example. The lint test enforces this invariant.
 - **Traefik VIP netpols**: when a `NetworkPolicy` allows `10.0.56.200`, also allow the post-DNAT backend ports (`8443` for TLS plus `8080` or `8000` for HTTP) or Calico will drop the rewritten flow.
 - **Auth-safe probes**: services behind API-key or global auth middleware should prefer `tcpSocket` probes unless `/health` is explicitly exempted before the middleware runs.
 - **ArgoCD must use internal Gitea URL**: `http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git`, not the external HTTPS URL (step-ca cert isn't trusted by ArgoCD). The `ApplicationSet` and any hand-created `Application` must both use the internal URL.
 ## Local manifest lint
 The repo now carries a local-first lint pass for the recurring K8s gotchas that have burned the fleet:
 ```bash
 dotnet test tests/bluejay-infra-lint/BluejayInfraLint.Tests.csproj -c Release
 ```
 That test project sweeps `bluejay-infra/apps/**` plus the canonical sibling `FlowerCore.*\\k8s` manifests that share the same workspace. Matching `conftest.dev` policy files live under `tests/bluejay-infra-lint/conftest.dev/` for environments that also have `conftest` or `opa`.
 ## Non-K8s Pi Artifacts
 Some `apps/*` directories are deployment artifact bundles consumed by Puppet
 instead of Kubernetes workloads. `apps/fc-signage-pi-player/` carries the
 Chromium signage Pi player, `apps/fc-divoom-dm-pi-device/` carries the additive
 edge2 Divoom-as-DeviceManagement-device profile/Hiera contract, and
 `apps/fc-divoom-tv-pi/` carries the Divoom TV Pi HDMI systemd/Puppet shape.
 These bundles intentionally avoid Deployment, IngressRoute, Certificate, and
 OnePasswordItem resources.
 ## References
 - OpenVox noc1 durability runbook: `docs/runbooks/openvoxserver-quadlet-durability.md`
 - Cert-manager recovery playbook: `FlowerCore.Notes/memory/project_cert_manager_recovery_2026_04_22.md`
 - Why pfSense DNS is required: `FlowerCore.Notes/memory/feedback_pfsense_dns_required_for_acme.md`
 - Public DNS operator host: `https://dns.iamworkin.lan`
--- a/apps/agent-zero/agent-zero.yaml
+++ b/apps/agent-zero/agent-zero.yaml
@@ -92,13 +92,16 @@ subjects:
 # =============================================================================
 # Agent Zero — AI Agent Web UI (NUC Edition, Blue Jay Profile)
 # =============================================================================
-# Connects directly to fc-llm-bridge for chat + util + embeddings + browser.
+# Connects directly to fc-llm-bridge for chat + internal util/embed + browser.
 # Agent Zero's internal util/embed slots stay on the bridge's OpenAI-compatible
 # /v1 surface, while browser + corpus-search use the Ollama-compatible /api/*
 # surface through OLLAMA_HOST.
 # Blue Jay profile with 21 tools, 3 prompts, 4 extensions.
 ---
 # FC LLM Bridge API key for Agent Zero (ADR-088 chat/util/embed/browser routing).
 # Syncs from 1Password item "FC LLM Bridge API Keys" (field: agent-zero-k8s).
-# Consumed by chat, util, embeddings, browser, and corpus-search requests
+# Consumed by chat, internal util/embed, browser, and corpus-search requests
 # that traverse fc-llm-bridge.
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
@@ -124,6 +127,32 @@ metadata:
 spec:
  itemPath: "vaults/IAmWorkin/items/Print.Web API Keys"
 ---
 # Knowledge MCP bearer token for the direct Agent Zero -> Knowledge.Web path.
 # The 1Password item currently stores the raw token in its concealed PASSWORD
 # field, which the operator syncs to Secret key `password`.
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: knowledge-mcp-tokens
  namespace: agent-zero
 spec:
  itemPath: "vaults/IAmWorkin/items/FlowerCore Knowledge MCP Tokens"
 ---
 # FlowerCore DMS Manager MCP key (product-manager fan-out). Synced from the
 # 1Password "FlowerCore DMS MCP Keys" item (field `credential`) into Secret
 # `dms-mcp-keys`; the deployment reads it as DMS_MCP_API_KEY for the fc_dms
 # MCP server. presentations/messageboard/segmentdisplay/telephony 1P MCP-key
 # items also exist and follow this same pattern when added.
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: dms-mcp-keys
  namespace: agent-zero
 spec:
  itemPath: "vaults/IAmWorkin/items/FlowerCore DMS MCP Keys"
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -135,7 +164,7 @@ metadata:
  annotations:
    agent-zero/deployment: "nuc"
    agent-zero/profile: "bluejay"
-    agent-zero/ollama: "edge1 Pi 5 + AI HAT+ only (10.0.57.17:11434) — workstation Ollama is private dev hardware, not a cluster dependency"
+    agent-zero/ollama: "fc-llm-bridge fronts edge1 Pi 5 + AI HAT+ Ollama for cluster browser/corpus-search traffic; internal chat/util/embed route through the bridge's authenticated OpenAI surface"
 spec:
  replicas: 1
  selector:
@@ -228,23 +257,41 @@ spec:
              # chat_model: FlowerCore LLM Bridge (ADR-088) — OpenAI-compat,
              # spend-tracked, tier-aliased (fc:balanced → Claude Sonnet).
              # api_key comes from A0_SET_chat_model_api_key env var (overrides
-              # config.json). Utility / embedding / browser all point at the
+              # config.json). Utility + embedding stay on the authenticated
-              # same bridge root and use Ollama-compatible endpoints there.
+              # OpenAI-compatible /v1 surface; browser and direct tool traffic
              # use the bridge's Ollama-compatible root via OLLAMA_HOST.
              mkdir -p /a0/usr/plugins/_model_config
              cat > /a0/usr/plugins/_model_config/config.json << 'MODELCFG'
-              {"allow_chat_override":true,"chat_model":{"provider":"openai","name":"fc:balanced","api_base":"http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1","ctx_length":8192,"ctx_history":0.7,"vision":false,"kwargs":{"temperature":0,"num_ctx":8192}},"utility_model":{"provider":"ollama","name":"qwen2.5:1.5b","api_base":"http://fc-llm-bridge.fc-llm-bridge.svc:8080","ctx_length":8192,"ctx_input":0.7,"kwargs":{"num_ctx":8192}},"embedding_model":{"provider":"ollama","name":"nomic-embed-text","api_base":"http://fc-llm-bridge.fc-llm-bridge.svc:8080","kwargs":{}}}
+              {"allow_chat_override":true,"chat_model":{"provider":"openai","name":"fc:balanced","api_base":"http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1","ctx_length":32768,"ctx_history":0.7,"vision":false,"kwargs":{"temperature":0,"num_ctx":32768}},"utility_model":{"provider":"openai","name":"fc:cheap","api_base":"http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1","ctx_length":8192,"ctx_input":0.7,"kwargs":{"num_ctx":8192}},"embedding_model":{"provider":"openai","name":"openai/fc:embedding","api_base":"http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1","kwargs":{}}}
              MODELCFG
              # Strip heredoc indentation
              sed -i 's/^              //' /a0/usr/plugins/_model_config/config.json
              # Phase 0 Chat MCP pilot: Agent Zero does not interpolate env vars
              # inside A0_SET_mcp_servers JSON, so build the final JSON here from
-              # the secret-backed CHAT_MCP_API_KEY env var before initialize.sh.
+              # the secret-backed env vars before initialize.sh. Keep the local
-              # Use the in-cluster Chat service URL rather than the public
+              # corpus_search.py tool mounted either way so outage fallback
-              # Traefik hostname so the pod stays off the private VIP lane that
+              # remains available even when fc_knowledge is not advertised.
-              # the default egress rule blocks.
+              export KNOWLEDGE_MCP_ENABLED=false
-              if [ -n "${CHAT_MCP_API_KEY:-}" ]; then
+              if [ -n "${KNOWLEDGE_MCP_BEARER_TOKEN:-}" ]; then
-                export A0_SET_mcp_servers="{\"mcpServers\":{\"fc-chat\":{\"type\":\"streamable-http\",\"url\":\"http://chat-web.fc-chat.svc/mcp\",\"headers\":{\"X-Api-Key\":\"${CHAT_MCP_API_KEY}\"}}}}"
+                if curl -sf --connect-timeout 3 "${KNOWLEDGE_MCP_HEALTH_URL}" > /dev/null && \
                   curl -sf --connect-timeout 5 \
                     -H "Authorization: Bearer ${KNOWLEDGE_MCP_BEARER_TOKEN}" \
                     -H "Accept: application/json, text/event-stream" \
                     -H "Content-Type: application/json" \
                     -d '{"jsonrpc":"2.0","id":"fc-knowledge-bootstrap","method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"agent-zero-bootstrap","version":"1.0"}}}' \
                     "${KNOWLEDGE_MCP_URL}" > /dev/null; then
                  export KNOWLEDGE_MCP_ENABLED=true
                  echo "fc_knowledge enabled from ${KNOWLEDGE_MCP_URL}."
                else
                  echo "fc_knowledge unavailable or unauthorized; keeping local corpus_search.py as the fallback path."
                fi
              else
                echo "fc_knowledge token missing; keeping local corpus_search.py as the fallback path."
              fi
              export A0_SET_mcp_servers="$(
                python3 -c 'import json, os; servers = {}; chat_key = os.getenv("CHAT_MCP_API_KEY"); knowledge_enabled = os.getenv("KNOWLEDGE_MCP_ENABLED", "false").lower() == "true"; token = os.getenv("KNOWLEDGE_MCP_BEARER_TOKEN", "") if knowledge_enabled else ""; chat_key and servers.setdefault("fc_chat", {"type": "streamable-http", "url": "http://chat-web.fc-chat.svc/mcp", "headers": {"X-Api-Key": chat_key}}); token and servers.setdefault("fc_knowledge", {"type": "streamable-http", "url": os.getenv("KNOWLEDGE_MCP_URL", "http://knowledge-web.knowledge.svc/mcp"), "headers": {"Authorization": f"Bearer {token}"}}); dms_key = os.getenv("DMS_MCP_API_KEY"); dms_key and servers.setdefault("fc_dms", {"type": "streamable-http", "url": os.getenv("DMS_MCP_URL", "http://dms-web.fc-dms.svc/mcp"), "headers": {"X-Api-Key": dms_key}}); print(json.dumps({"mcpServers": servers}, separators=(",", ":")))'
              )"
              # Run the original entrypoint
              exec /exe/initialize.sh $BRANCH
          ports:
@@ -252,12 +299,13 @@ spec:
          env:
            # Agent identity
            - name: AGENT_NAME
-              value: "Blue Jay (NUC)"
+              value: "Blue Jay"
            # Chat model — routed through FlowerCore LLM Bridge (ADR-088)
            # so spend is tracked and tier aliases (fc:cheap/fc:balanced/fc:deep)
            # dispatch to Ollama or Anthropic via a single OpenAI-compat endpoint.
-            # Utility / embedding / browser now traverse fc-llm-bridge too so
+            # Internal utility + embedding use the authenticated OpenAI surface,
-            # Agent Zero no longer needs a local Ollama proxy sidecar.
+            # while browser/corpus-search use the bridge's Ollama-compatible
            # endpoints so Agent Zero no longer needs a local proxy sidecar.
            - name: A0_SET_chat_model_provider
              value: "openai"
            - name: A0_SET_chat_model_name
@@ -288,37 +336,29 @@ spec:
              value: "8192"
            - name: A0_SET_chat_model_kwargs
              value: '{"temperature": 0, "num_ctx": 8192}'
-            # Utility model — fast small helper tier through the same proxy
+            # Utility model — fast small helper tier through the OpenAI surface
            - name: A0_SET_util_model_provider
-              value: "ollama"
+              value: "openai"
            - name: A0_SET_util_model_name
-              value: "qwen2.5:1.5b"
+              value: "fc:cheap"
            - name: A0_SET_util_model_api_base
-              value: "http://fc-llm-bridge.fc-llm-bridge.svc:8080"
+              value: "http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1"
            - name: A0_SET_util_model_api_key
              valueFrom:
                secretKeyRef:
                  name: fc-llm-bridge-api-keys
                  key: agent-zero-k8s
            - name: A0_SET_util_model_kwargs
              value: '{"num_ctx": 2048}'
-            # Embedding model — nomic through the same proxy
+            # Embedding model — authenticated bridge alias to nomic-embed-text.
            # LiteLLM's embedding() path needs an explicit provider prefix here
            # even though the chat slot can use bare fc:* aliases.
            - name: A0_SET_embed_model_provider
-              value: "ollama"
+              value: "openai"
            - name: A0_SET_embed_model_name
-              value: "nomic-embed-text"
+              value: "openai/fc:embedding"
            - name: A0_SET_embed_model_api_base
-              value: "http://fc-llm-bridge.fc-llm-bridge.svc:8080"
+              value: "http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1"
            - name: A0_SET_embed_model_api_key
              valueFrom:
                secretKeyRef:
                  name: fc-llm-bridge-api-keys
                  key: agent-zero-k8s
            # Browser model — small Gemma candidate through the same proxy
            - name: A0_SET_browser_model_provider
              value: "ollama"
            - name: A0_SET_browser_model_name
-              value: "gemma3:4b"
+              value: "qwen2.5:7b"
            - name: A0_SET_browser_model_api_base
              value: "http://fc-llm-bridge.fc-llm-bridge.svc:8080"
            - name: A0_SET_browser_model_api_key
@@ -327,7 +367,7 @@ spec:
                  name: fc-llm-bridge-api-keys
                  key: agent-zero-k8s
            - name: A0_SET_browser_model_vision
-              value: "true"
+              value: "false"
            - name: OLLAMA_HOST
              value: "http://fc-llm-bridge.fc-llm-bridge.svc:8080"
            - name: FLOWERCORE_AGENTZERO_OLLAMA_URL
@@ -354,6 +394,33 @@ spec:
                  name: chat-mcp-api-key
                  key: api-key
                  optional: true
            # FlowerCore.Knowledge MCP Phase 1 — direct Agent Zero client path.
            # Probe /healthz first, then try an authenticated initialize call.
            # If either fails, Agent Zero boots without fc_knowledge and keeps
            # the local corpus_search.py tool as the outage-safe path.
            - name: KNOWLEDGE_MCP_URL
              value: "http://knowledge-web.knowledge.svc/mcp"
            - name: KNOWLEDGE_MCP_HEALTH_URL
              value: "http://knowledge-web.knowledge.svc/healthz"
            - name: KNOWLEDGE_MCP_BEARER_TOKEN
              valueFrom:
                secretKeyRef:
                  name: knowledge-mcp-tokens
                  key: password
            # FlowerCore DMS Manager MCP (dynamic message signs) — first of the
            # product-manager MCP fan-out. dms-web /mcp requires X-Api-Key; the key
            # is synced from 1Password "FlowerCore DMS MCP Keys" (field credential)
            # by the dms-mcp-keys OnePasswordItem CRD above. Same builder+env+netpol
            # pattern extends to presentations/messageboard/segmentdisplay/telephony
            # (all have 1P MCP-key items). MySQL + Signage still need 1P MCP items
            # provisioned before they can join (mysql-web /mcp 401s with no key today).
            - name: DMS_MCP_URL
              value: "http://dms-web.fc-dms.svc/mcp"
            - name: DMS_MCP_API_KEY
              valueFrom:
                secretKeyRef:
                  name: dms-mcp-keys
                  key: credential
            # Print.Web — Thermal printer service on edge2.
            # PRINT_WEB_URL: internal HTTP (bypasses Traefik TLS — print_web.py
            # runs in-cluster and can reach edge2 directly on the PROD VLAN).
@@ -578,6 +645,17 @@ spec:
          protocol: TCP
        - port: 8080
          protocol: TCP
    # FlowerCore.Knowledge MCP (Phase 1) — in-cluster direct route with
    # anonymous /healthz probe plus authenticated /mcp initialize/tool calls.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: knowledge
      ports:
        - port: 80
          protocol: TCP
        - port: 8080
          protocol: TCP
    # Intranet search API — use in-cluster svc so traffic stays inside
    # the cluster and is not blocked by the private-range egress denylist.
    - to:
@@ -587,6 +665,19 @@ spec:
      ports:
        - port: 5300
          protocol: TCP
    # FlowerCore DMS Manager MCP (product-manager fan-out) — in-cluster
    # dms-web. NetworkPolicy matches the destination POD port: dms-web svc:80
    # targets containerPort 8080, so the egress MUST allow 8080 (not the svc
    # port 80) — same as the fc-chat rule. Allow both for parity.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-dms
      ports:
        - port: 80
          protocol: TCP
        - port: 8080
          protocol: TCP
    # Allow internet (for kubectl image pull, etc)
    - to:
        - ipBlock:
--- a/apps/agent-zero/configmaps-bluejay.yaml
+++ b/apps/agent-zero/configmaps-bluejay.yaml
@@ -13736,20 +13736,15 @@ data:
    ### Active Services
-    | Service | Tests | Key Facts |
+    The fleet spans dozens of services -- Signage (Web + WPF Player), Common Libraries, MySQL Manager, PHP Manager, Telephony, Chat, AiStation, PiManager, Print.Web, Divoom, TtsReader, WorldBuilder, Library, Retail, and more. Each carries hundreds-to-thousands of xUnit tests; the fleet total runs to many thousands of passing tests.
-    |---------|-------|-----------|
+
-    | Signage Web | 3,127 | 17 controllers, 33 services, 26 entities, 32 pages, 154 MCP tools |
+    **Never quote a hard test count from memory** -- counts drift between sprints and stale numbers look more authoritative than they are. Use range language ("dozens of controllers", "hundreds of tests", "thousands fleet-wide") and, when a number actually matters, run the test command and read the live result. The canonical state of counts lives in `MEMORY.md` and `docs/standards/feature-backlog.md`, not in this prompt.
    | Signage WPF Player | 1,700 | 12 screen types, 12 zone controls, LibVLC video, HtmlBundleRenderer |
    | Common Libraries | 1,189 | UI.Components (427), Operator.Sdk (61), Security (110) |
    | MySQL Manager | 508 | 135 Operator + 373 Web |
    | PHP Manager | 423 | 32 Operator + 391 Web |
    | **Total** | **6,947** | 0 skipped, 0 failures |
    ### Technology Stack
    - **.NET 10 LTS** -- target `net10.0`, SDK 10.0.100
    - **Blazor Server** -- Web UI with Blue Jay theme
-    - **WPF** -- Desktop apps (must build with `dotnet.exe` from WSL)
+    - **WPF** -- Desktop apps (must build with `dotnet.exe` on Windows -- the Linux SDK cannot compile WPF/WinForms)
    - **Entity Framework Core** -- Multi-provider (SQLite, MySQL Pomelo, PostgreSQL, SQL Server)
    - **gRPC** -- HTTP/2 bidirectional streaming (port 5191)
    - **KubeOps 9.x** -- C# Kubernetes operators
@@ -13769,9 +13764,9 @@ data:
    |------|---------|
    | 5190 | HTTP/REST |
    | 5191 | gRPC/HTTP2 |
-    | 30050 | Agent Zero UI |
+    | 11434 | Ollama API (fleet AI hub VIP `10.0.57.201:11434`) |
-    | 11434 | Ollama API |
+
-    | 30052 | Piper TTS |
+    You reach the fleet via Traefik IngressRoutes on `*.iamworkin.lan` (TLS via step-ca). Your own UI is `https://agent-zero.iamworkin.lan`. Don't surface raw NodePort numbers -- they drift.
    ## Technical Standards (Non-Negotiable)
@@ -13803,6 +13798,32 @@ data:
    - **`new X509Certificate2(byte[])` in .NET 10** -- Use `X509CertificateLoader.LoadPkcs12()`
    - **ToString("P0") non-breaking space** -- U+00A0 before percent sign breaks assertions
    ## Session Continuity: HANDOFF.md
    When another agent (Claude Code or Codex) runs out of credits or hands off work mid-task, they write a checkpoint to `HANDOFF.md` in the FlowerCore.Notes repo.
    **Location:** `/a0/work/repos/FlowerCore/FlowerCore.Notes/HANDOFF.md`
    **When to read it:**
    - At the start of any session where you're asked to continue or pick up work
    - When a user says "Claude ran out of credits" or "pick up where we left off"
    - When `HANDOFF.md` status field shows `credits-exhausted` or `handed-off`
    **Key sections to check:**
    - **Reasoning Chain** — what the previous agent figured out (root cause, failed attempts, working hypothesis)
    - **Suggested Next Steps** — ordered list of what to do, prioritized
    - **Uncommitted Changes** — work that may exist on disk but not in git
    - **Blockers** — anything preventing progress
    **What you can do with it:**
    - Handle quick tasks listed in "Suggested Next Steps" (YAML gen, doc formatting, SSH checks)
    - Escalate to Claude Code or Codex if the task requires multi-file code changes (beyond your 32K context)
    - Report findings back by updating the handoff file or telling the user
    **What you should NOT do:**
    - Don't attempt multi-file refactors from a handoff — escalate those
    - Don't ignore the "Failed Attempts" section — repeating them wastes time
    ## Repository Access
    All of Andrew's git repositories are mounted at `/a0/work/repos/` (read-only):
@@ -13827,47 +13848,51 @@ data:
    | PHP Manager | `/a0/work/repos/FlowerCore/FlowerCore.PHP/` |
    | Notes / Docs | `/a0/work/repos/FlowerCore/FlowerCore.Notes/` |
-    ## Available Ollama Models
+    ## The AI Hub -- GX10 (fleet Ollama)
-    Access via `http://host.docker.internal:11434`:
+    The fleet AI runs on the **GX10** -- an ASUS Ascent GX10 = NVIDIA DGX Spark (GB10 Grace-Blackwell, ARM64, CUDA 13, **121 GiB unified memory**) at `10.0.56.14`. Ollama serves on the fleet VIP **`http://10.0.57.201:11434`** with models warm-pinned (`OLLAMA_KEEP_ALIVE=-1`) on local NVMe.
-    | Model | Size | Role | Speed | Status |
+    This GX10 hub **supersedes the retired BLUEJAY-WS R9700 and BLUEJAY-AI (.132) AI roles.** There is no `host.docker.internal`, no port-30050 lane, no edge1-as-Ollama-host story, and no WSL/K3s deployment. The single live deployment is the RKE2 cluster lane (`https://agent-zero.iamworkin.lan`), which reaches Ollama through the FlowerCore LLM Bridge tier router.
    |-------|------|------|-------|--------|
    | qwen2.5:3b | 1.9 GB | Quick utility tasks | ~190 tok/s | 100% GPU |
    | mistral:7b | 4.4 GB | Fast summarization | ~110 tok/s | 100% GPU |
    | granite3.1-dense:8b | 5 GB | Structured JSON/YAML, tool calling | ~92 tok/s | 100% GPU |
    | deepseek-r1:8b | 5.2 GB | Reasoning (compact) | ~73 tok/s | 100% GPU |
    | qwen3-vl:8b | 6.1 GB | Fast lightweight vision | ~76 tok/s | 100% GPU |
    | deepseek-ocr | 6.7 GB | Document OCR | ~167 tok/s | 100% GPU |
    | translategemma:12b | 8.1 GB | Translation (55 languages) | ~54 tok/s | 100% GPU |
    | phi4:14b | 9.1 GB | .NET-focused reasoning, architecture | ~60 tok/s | 100% GPU |
    | devstral:24b | 14 GB | Agentic coding specialist (Mistral) | needs ReBAR | blocked |
    | gemma3:27b | 17 GB | Vision + text, browser model | needs ReBAR | blocked |
    | qwen3-coder:30b | 19 GB | Advanced code generation | needs ReBAR | blocked |
    | deepseek-r1:32b | 20 GB | Deep reasoning (direct API) | needs ReBAR | blocked |
    | qwen3:32b | 20 GB | Chat brain (JSON tool-call mode) | needs ReBAR | blocked |
    | nomic-embed-text | 274 MB | Embeddings (768 dims, RAG/memory) | N/A | 100% GPU |
-    **VRAM budget**: AMD Radeon AI PRO R9700 32GB -- 3-4 models fit simultaneously. Ollama swaps models automatically.
+    | Model | Role | Tool-calling? |
    |-------|------|---------------|
    | `qwen2.5:14b` | **Chat brain** (`fc:balanced`) -- agentic loop, code, architecture | YES (proven live) |
    | `qwen2.5:7b` | **Utility + browser** (`fc:cheap`) -- fast tool-capable tier | YES |
    | `gemma3:12b` | Vision / image description ONLY (non-agentic path) | NO -- 400 on tools |
    | `gemma3:4b` | Lightweight vision fallback | NO -- 400 on tools |
    | `nomic-embed-text` | Embeddings (768 dims) for memory / RAG | N/A (embeddings only) |
    | `llama3.2:1b` | Tiny utility -- garbles tool output, avoid for the loop | NO (too small) |
    With 121 GiB unified memory, VRAM is never the bottleneck -- `nvidia-smi` reports VRAM "Not Supported"; use `free -h`. Multiple models stay resident at once; Ollama does not need to swap.
    ### Model Selection by Task
-    | Task | Primary | Quick Alternative |
+    | Task | Primary | Notes |
-    |------|---------|-------------------|
+    |------|---------|-------|
-    | C#/.NET code gen | qwen3-coder:30b | devstral:24b |
+    | C#/.NET code gen | `qwen2.5:14b` | Tool-capable, free/local |
-    | Agentic coding | devstral:24b | qwen3-coder:30b |
+    | Agentic coding / tool loop | `qwen2.5:14b` | Must be tool-capable -- see rule below |
-    | Code review | phi4:14b | qwen3-coder:30b |
+    | Code review | `qwen2.5:14b` | Falls back to `qwen2.5:7b` for speed |
-    | Architecture decisions | phi4:14b | deepseek-r1:32b |
+    | Architecture decisions | `qwen2.5:14b` | -- |
-    | K8s manifests / YAML | granite3.1-dense:8b | qwen3-coder:30b |
+    | K8s manifests / YAML | `qwen2.5:7b` | Fast structured output |
-    | Screenshot analysis | gemma3:27b | qwen3-vl:8b |
+    | Fast utility | `qwen2.5:7b` | -- |
-    | Translation | translategemma:12b | -- |
+    | Screenshot / image description | `gemma3:12b` | Vision-only, NO tool calls in this path |
-    | Fast summarization | mistral:7b | qwen2.5:3b |
+    | Embeddings | `nomic-embed-text` | -- |
-    | Deep reasoning | deepseek-r1:32b | phi4:14b |
+
-    | Embeddings | nomic-embed-text | -- |
+    ## RULE: Models & Tool-Calling (non-negotiable)
    **The whole point of Agent Zero is the agentic tool-calling loop, and it MUST run on a tool-capable model.** The fleet learned this the hard way:
    - **Use the `qwen2.5` family for any turn that may call a tool** -- chat goes through `fc:balanced` -> `qwen2.5:14b`, utility/browser through `fc:cheap` -> `qwen2.5:7b`. Both return proper `tool_calls`. `qwen2.5:14b` tool-calling is **proven live**.
    - **`gemma3:*` CANNOT call tools.** Ollama returns `400: does not support tools` (even `"tools": null`/`[]`) for the whole gemma3 family. Use it ONLY behind a non-agentic vision/image-description path -- never as the agent brain.
    - **Models <=3B garble tool output.** `llama3.2:1b` and any sub-3B model will mangle JSON tool calls. Don't route the loop through them.
    - **`nomic-embed-text` is embeddings-only.** It powers memory/RAG vectors; it cannot chat or call tools.
    - **qwen2.5 instruct does NOT need `think`.** Do not add a `think` kwarg (that's a qwen3/reasoning gate). Chat kwargs are `{"temperature":0,"num_ctx":32768}`.
    If a turn unexpectedly hits `400: does not support tools` or the model emits literal `<tool_call>` text instead of structured calls, the wiring drifted to a non-tool model -- mob it: report the slot, don't silently degrade.
    ## The Blue Jay Agent Team
-    You work as part of a 14-agent squad. When you are the orchestrator, you spawn focused agents for parallel development:
+    The "Blu" roles below are a **persona vocabulary** for focused sub-agent spawns -- labels for scoped tasks, not a standing fixed-size team. When you are the orchestrator, you spawn focused agents for parallel development using these personas:
    ### Tier 1 -- Core Development
@@ -13949,6 +13974,106 @@ data:
        FlowerCore.{Service}.Operator.Tests/
    ```
    ## Available Tools
    You have custom tools that give you real capabilities. When a user asks you to do something, USE the appropriate tool -- do not say you cannot do it. You are not a generic chatbot; you have hardware access and infrastructure control.
    ### print_web -- Thermal Printer (NuPrint 210, 58mm)
    Connected to a real thermal receipt printer. You CAN print barcodes, QR codes, labels, receipts, images, and more.
    | Action | What It Does | Key Args |
    |--------|-------------|----------|
    | `barcode` | Print a barcode label | `data`, `symbology` (Code128/UpcA/Ean13/Ean8/Code39/Codabar), `title`, `copies` |
    | `qr` | Print a QR code | `data`, `label`, `module_size` |
    | `label` | Print a text label | `title`, `subtitle`, `copies` |
    | `receipt` | Print a formatted receipt | `header`, `lines` [{left, right, bold?, separator?}], `footer` |
    | `image` | Print an image | `image_base64` or `image_path`, `label` |
    | `test` | Print a test page | (no args) |
    | `url` | Print URL as receipt + QR | `url`, `title` |
    | `recipe` | Scrape and print a recipe | `url` |
    | `recipe_print` | Enhanced recipe (Selenium fallback) | `url` |
    | `ai_summary` | AI-summarize text, optionally print | `text`, `url`, `print_result` |
    | `product` | Look up product by barcode | `barcode` |
    | `product_search` | Search product by name | `query` |
    | `status` | Printer connection status | (no args) |
    | `paper` | Paper roll level | (no args) |
    | `queue` | Print queue depth | (no args) |
    | `hardware` | Hardware diagnostics | (no args) |
    | `waste` | Paper waste report | `days` |
    | `drawer` | Open cash drawer | (no args) |
    | `clear_queue` | Clear print queue | `source` |
    **Barcode auto-detection:** 13 digits = EAN-13, 12 digits = UPC-A, starts with 978/979 = ISBN, otherwise Code128.
    **Example:** User says "print a barcode for 20612000248789" → use `print_web` with `action="barcode"`, `data="20612000248789"`, `symbology="Ean13"`.
    ### ssh_remote -- SSH to Infrastructure Nodes
    Execute commands on remote servers via SSH.
    ### kubectl_manager -- Kubernetes Cluster
    Manage RKE2 cluster resources, pods, deployments.
    ### ollama_model_switch -- Ollama Model Management
    Switch models, check loaded models, manage VRAM.
    ### flowercore_build / flowercore_test -- Build and Test
    Build .NET projects and run test suites.
    ### qrcode_generator -- Generate QR Code Images
    Generate QR code image files locally.
    ### kiwix_search -- Offline Knowledge Base
    Search offline Wikipedia, documentation archives.
    ### corpus_search -- Fleet Vector Corpus (Bible / Lexicons / Morphology)
    Semantic search over the fleet knowledge DB at `/a0/usr/vectors/<slug>.db`
    (Strong's, macula-greek/hebrew, aquifer-bible-dictionary/translation-words/acai,
    WEB + Berean Bibles). Uses Ollama `nomic-embed-text` to embed the query,
    computes cosine in Python, returns ranked chunks with source + passage + score.
    Use this for "what does Genesis 1:1 say", "show me every use of agape",
    "find dictionary entries for covenant", etc. Faster and more offline-friendly
    than `intranet_search` for scripture/lexicon queries.
    | Arg | Description |
    |-----|-------------|
    | `query` | Search text. Required. |
    | `limit` | Top-K results (default 8). |
    | `index` | Optional: `bible-texts`, `lexicons`, `dictionaries`, `morphology`. |
    | `repo` | Optional repo substring filter (e.g. `world-english-bible`). |
    | `db` | Optional DB override (absolute path or filename inside `/a0/usr/vectors`). Default picks the largest fleet tier present (workstation-full → pi-edge → bmo-bot). |
    | `action` | Optional. `stats` returns a markdown inventory of every fleet DB (name/size/index/chunk counts/last-built) without doing a query. Useful for "what's in the corpus?" before picking a specific query. |
    ## RULE: Knowledge & RAG (which source to reach for)
    When a question needs grounding in FlowerCore knowledge, reach for sources in this order:
    1. **`fc_knowledge` MCP -- the PRIMARY RAG.** This is the fleet's canonical retrieval layer: vector indexes over the Notes and docs corpora (`notes-md`, `notes-html`, and friends), embedded with `nomic-embed-text` on the GX10 hub. Use it first for "where is X documented", "what does the standard say about Y", ADRs, runbooks, gotchas, and any project/infra knowledge. Embeddings run on the GX10 (`10.0.57.201`) so they are fast now -- no more slow Pi5 embed waits.
    2. **`corpus_search` (fallback / scripture & lexicons).** Offline vector search over the Bible/lexicon/morphology corpus DBs. Prefer this for scripture, Strong's, Greek/Hebrew word studies, and dictionary lookups. Faster and more offline-friendly than the intranet for those queries.
    3. **`intranet_search` (fallback).** HTTP search against the Blue Jay Lab Intranet (`https://intranet.iamworkin.lan/api/v1/search`) when `fc_knowledge` is unavailable or the answer lives in intranet-only content.
    4. **`kiwix_search` (general reference).** Offline Wikipedia/Wiktionary when the question is general-knowledge, not FlowerCore-specific.
    ### Offline datasets in the fleet corpus cache
    The shared cache (`corpus-cache/`, manifest: its own `README.md`; see `docs/standards/shared-datasets.md`) holds open-licensed offline data you can query via `corpus_search` / Knowledge indexes:
    - **Bibles:** Berean Standard Bible, World English Bible (public domain), Reina-Valera (Spanish).
    - **Greek / Hebrew morphology:** MACULA Greek (NT) and MACULA Hebrew (OT) -- morphology + syntax trees, Strong's numbers embedded.
    - **Strong's & lexicons:** Strong's Exhaustive Concordance (Greek + Hebrew), Tyndale Brief lexicon (TBESG), STEPBible tables.
    - **Notes / dictionaries / cross-refs:** unfoldingWord Translation Notes/Words, Aquifer Bible Dictionary, Aquifer Study Notes, ACAI entity graph, OpenBible cross-refs, Treasury of Scripture Knowledge.
    - **General reference:** Wikipedia and Wiktionary ZIMs (via `kiwix_search`).
    The indexing tiers are `bible-texts`, `translation-notes`, `dictionaries`, `morphology`, `strongs`, and `wikipedia`. **Gotcha:** a corpus is queryable only when its on-disk directory name matches the index config exactly -- a mismatch makes the indexer silently skip it.
    **Rule: Never say "I cannot" for something a tool can do.** Check your tools first.
    ## Remember
    You are Blue Jay. You guard the nest. You cache knowledge. You mob bugs fearlessly. You sing when the build is green. And you always, always keep one eye on the squirrels.
--- a/apps/asterisk/deployment.yaml
+++ b/apps/asterisk/deployment.yaml
@@ -20,7 +20,19 @@ spec:
      nodeSelector:
        kubernetes.io/hostname: rke2-agent1
      hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
+      # Keep the search list free of iamworkin.lan so CoreDNS's wildcard
      # template cannot hijack public egress like downloads.asterisk.org.
      dnsPolicy: None
      dnsConfig:
        nameservers:
          - 10.43.0.10
        searches:
          - telephony.svc.cluster.local
          - svc.cluster.local
          - cluster.local
        options:
          - name: ndots
            value: "2"
      securityContext:
        fsGroup: 0
      # CoreDNS in this cluster has an iamworkin.lan wildcard that catches
--- a/apps/authentik/authentik.yaml
+++ b/apps/authentik/authentik.yaml
@@ -0,0 +1,453 @@
 # Authentik OIDC backend
 # ArgoCD-managed. BlueJay Lab.
 #
 # Stack:
 #   - PostgreSQL 16 StatefulSet (single replica, Longhorn RWO 5Gi)
 #   - Redis 7 Deployment (no persistence — session/cache only)
 #   - Authentik server + worker Deployments (image ghcr.io/goauthentik/server:2024.12.3)
 #   - Media PVC shared between server + worker (Longhorn RWO 2Gi)
 #   - Certificate via step-ca-acme ClusterIssuer
 #   - Traefik IngressRoute at id.iamworkin.lan
 #
 # Secrets come from 1Password item "authentik-credentials" (IAmWorkin vault, id y6i74ch22q5wvm7znquq4nhhcu)
 # via the OnePasswordItem CRD, materialized into k8s Secret authentik/authentik-credentials.
 #
 # Why the discovery URL is /application/o/pimanager/ : Authentik issues per-application OIDC providers.
 # The pimanager OIDC application/provider is created after the cluster pods are healthy (manual or
 # via API once the bootstrap token is available — see Notes substrate).
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: authentik
  labels:
    app.kubernetes.io/part-of: bluejay-infra
 ---
 # 1Password operator pulls the authentik-credentials item into a k8s Secret of the same name.
 # Field labels in 1P become Secret keys: AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD, REDIS_PASSWORD,
 # BOOTSTRAP_ADMIN_PASSWORD, BOOTSTRAP_ADMIN_TOKEN, BOOTSTRAP_ADMIN_EMAIL.
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: authentik-credentials
  namespace: authentik
 spec:
  itemPath: "vaults/IAmWorkin/items/authentik-credentials"
 ---
 # Shared media volume for server + worker pods.
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: authentik-media
  namespace: authentik
 spec:
  storageClassName: longhorn
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 2Gi
 ---
 # PostgreSQL 16 StatefulSet — Authentik's primary store.
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: authentik-postgres
  namespace: authentik
  labels:
    app: authentik-postgres
    argocd.argoproj.io/instance: infra-authentik
 spec:
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  podManagementPolicy: OrderedReady
  serviceName: authentik-postgres
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: authentik-postgres
  template:
    metadata:
      labels:
        app: authentik-postgres
    spec:
      containers:
        - name: postgres
          image: postgres:16-alpine
          ports:
            - containerPort: 5432
              name: postgres
          env:
            - name: POSTGRES_USER
              value: authentik
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: POSTGRES_PASSWORD
            - name: POSTGRES_DB
              value: authentik
            - name: POSTGRES_INITDB_ARGS
              value: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
          readinessProbe:
            exec:
              command: ["pg_isready", "-U", "authentik"]
            initialDelaySeconds: 5
            periodSeconds: 5
          livenessProbe:
            exec:
              command: ["pg_isready", "-U", "authentik"]
            initialDelaySeconds: 30
            periodSeconds: 30
          resources:
            requests: { cpu: 100m, memory: 256Mi }
            limits: { cpu: 1000m, memory: 1Gi }
          volumeMounts:
            - name: pgdata
              mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:
    # apiVersion/kind included deliberately: this STS was created via ArgoCD ServerSideApply,
    # so the live object carries PVC TypeMeta inside volumeClaimTemplates; omitting it here
    # leaves the app eternally OutOfSync even though kubectl SSA dry-run shows no change.
    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: pgdata
      spec:
        storageClassName: longhorn
        accessModes: [ReadWriteOnce]
        volumeMode: Filesystem
        resources:
          requests:
            storage: 5Gi
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: authentik-postgres
  namespace: authentik
 spec:
  clusterIP: None
  selector:
    app: authentik-postgres
  ports:
    - name: postgres
      port: 5432
      targetPort: 5432
 ---
 # Redis 7 — session storage + Celery broker. No persistence needed (cache).
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: authentik-redis
  namespace: authentik
  labels:
    app: authentik-redis
    argocd.argoproj.io/instance: infra-authentik
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: authentik-redis
  template:
    metadata:
      labels:
        app: authentik-redis
    spec:
      containers:
        - name: redis
          image: redis:7-alpine
          args:
            - "--save"
            - ""
            - "--appendonly"
            - "no"
            - "--requirepass"
            - "$(REDIS_PASSWORD)"
          env:
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: REDIS_PASSWORD
          ports:
            - containerPort: 6379
              name: redis
          readinessProbe:
            tcpSocket: { port: 6379 }
            initialDelaySeconds: 5
            periodSeconds: 5
          livenessProbe:
            tcpSocket: { port: 6379 }
            initialDelaySeconds: 30
            periodSeconds: 30
          resources:
            requests: { cpu: 50m, memory: 64Mi }
            limits: { cpu: 500m, memory: 256Mi }
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: authentik-redis
  namespace: authentik
 spec:
  selector:
    app: authentik-redis
  ports:
    - name: redis
      port: 6379
      targetPort: 6379
 ---
 # Authentik server Deployment — HTTP frontend on :9000.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: authentik-server
  namespace: authentik
  labels:
    app: authentik-server
    argocd.argoproj.io/instance: infra-authentik
 spec:
  replicas: 1
  strategy:
    type: Recreate  # shares /media RWO PVC with worker
  selector:
    matchLabels:
      app: authentik-server
  template:
    metadata:
      labels:
        app: authentik-server
    spec:
      securityContext:
        # Authentik image runs as uid 1000 "authentik" but the Longhorn PVC mounts
        # root:root by default. fsGroup recursively chgrp + chmod g+rwx so the
        # non-root container can mkdir /media/public during the tenant_files migration.
        fsGroup: 1000
      containers:
        - name: server
          image: ghcr.io/goauthentik/server:2024.12.3
          args: ["server"]
          ports:
            - containerPort: 9000
              name: http
            - containerPort: 9443
              name: https
          env:
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: AUTHENTIK_SECRET_KEY
            - name: AUTHENTIK_REDIS__HOST
              value: authentik-redis
            - name: AUTHENTIK_REDIS__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: REDIS_PASSWORD
            - name: AUTHENTIK_POSTGRESQL__HOST
              value: authentik-postgres
            - name: AUTHENTIK_POSTGRESQL__NAME
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__USER
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: POSTGRES_PASSWORD
            - name: AUTHENTIK_BOOTSTRAP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: BOOTSTRAP_ADMIN_PASSWORD
            - name: AUTHENTIK_BOOTSTRAP_TOKEN
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: BOOTSTRAP_ADMIN_TOKEN
            - name: AUTHENTIK_BOOTSTRAP_EMAIL
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: BOOTSTRAP_ADMIN_EMAIL
            - name: AUTHENTIK_DISABLE_UPDATE_CHECK
              value: "true"
            - name: AUTHENTIK_ERROR_REPORTING__ENABLED
              value: "false"
            - name: AUTHENTIK_LOG_LEVEL
              value: info
          # First-boot Authentik can take 3+ min on the migration phase
          # (waiting on DB lock while worker also runs migrations). Initial
          # delays are generous so kubelet doesn't kill the pod mid-migration;
          # periodSeconds keeps post-startup probing responsive.
          readinessProbe:
            httpGet:
              path: /-/health/ready/
              port: 9000
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 12
          livenessProbe:
            httpGet:
              path: /-/health/live/
              port: 9000
            initialDelaySeconds: 300
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 3
          startupProbe:
            httpGet:
              path: /-/health/live/
              port: 9000
            initialDelaySeconds: 30
            periodSeconds: 15
            timeoutSeconds: 10
            failureThreshold: 40  # 30s + 40*15s = 10.5 min budget
          resources:
            requests: { cpu: 150m, memory: 512Mi }
            limits: { cpu: 1500m, memory: 1Gi }
          volumeMounts:
            - name: media
              mountPath: /media
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: authentik-media
 ---
 # Authentik worker Deployment — runs Celery background tasks.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: authentik-worker
  namespace: authentik
  labels:
    app: authentik-worker
    argocd.argoproj.io/instance: infra-authentik
 spec:
  replicas: 1
  strategy:
    type: Recreate  # shares /media RWO PVC with server
  selector:
    matchLabels:
      app: authentik-worker
  template:
    metadata:
      labels:
        app: authentik-worker
    spec:
      securityContext:
        # Same as server pod — non-root uid 1000 needs PVC group write.
        fsGroup: 1000
      containers:
        - name: worker
          image: ghcr.io/goauthentik/server:2024.12.3
          args: ["worker"]
          env:
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: AUTHENTIK_SECRET_KEY
            - name: AUTHENTIK_REDIS__HOST
              value: authentik-redis
            - name: AUTHENTIK_REDIS__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: REDIS_PASSWORD
            - name: AUTHENTIK_POSTGRESQL__HOST
              value: authentik-postgres
            - name: AUTHENTIK_POSTGRESQL__NAME
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__USER
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: POSTGRES_PASSWORD
            - name: AUTHENTIK_DISABLE_UPDATE_CHECK
              value: "true"
            - name: AUTHENTIK_ERROR_REPORTING__ENABLED
              value: "false"
            - name: AUTHENTIK_LOG_LEVEL
              value: info
          resources:
            requests: { cpu: 100m, memory: 256Mi }
            limits: { cpu: 1000m, memory: 768Mi }
          volumeMounts:
            - name: media
              mountPath: /media
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: authentik-media
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: authentik-server
  namespace: authentik
 spec:
  selector:
    app: authentik-server
  ports:
    - name: http
      port: 9000
      targetPort: 9000
    - name: https
      port: 9443
      targetPort: 9443
 ---
 # step-ca leaf certificate for id.iamworkin.lan.
 # step-ca container resolver uses pfSense Unbound, so the public A record for id.iamworkin.lan
 # MUST exist before this Certificate is applied (cert-manager HTTP-01 will silently 2h-backoff
 # otherwise). Added 2026-05-25 via scripts/pfsense-add-id-host.py.
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: authentik-tls
  namespace: authentik
 spec:
  secretName: authentik-tls
  dnsNames:
    - id.iamworkin.lan
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: authentik
  namespace: authentik
 spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`id.iamworkin.lan`)
      kind: Rule
      services:
        - name: authentik-server
          port: 9000
  tls:
    secretName: authentik-tls
--- a/apps/cdi/README.md
+++ b/apps/cdi/README.md
@@ -0,0 +1,69 @@
 # CDI — Containerized Data Importer
 KubeVirt's `containerized-data-importer` for populating PVCs from external
 sources (HTTP, HTTPS, container registry, S3, virtctl upload). Required to
 import the Windows Server 2025 ISO into the `windows-server-2025-iso` PVC
 that `apps/kubevirt-vms/ci1.yaml` mounts as a CDROM.
 ## Files
 | File              | Source                                                                                                            | Purpose                                            |
 | ----------------- | ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- |
 | `cdi-operator.yaml` | [`v1.65.0`](https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.65.0) — verbatim copy        | Installs operator + CRDs (5779 lines, large)       |
 | `cdi-cr.yaml`     | [`v1.65.0`](https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.65.0) — annotated + commented | Tells operator to deploy CDI components          |
 `cdi-operator.yaml` is **vendored verbatim** from the upstream release for
 air-gap reproducibility (no internet fetch at deploy time, ArgoCD prune
 contracts hold). To bump versions:
 ```bash
 CDI_VER=v1.66.0  # for example
 curl -sL "https://github.com/kubevirt/containerized-data-importer/releases/download/${CDI_VER}/cdi-operator.yaml" \
  -o apps/cdi/cdi-operator.yaml
 curl -sL "https://github.com/kubevirt/containerized-data-importer/releases/download/${CDI_VER}/cdi-cr.yaml" \
  -o /tmp/cdi-cr-new.yaml  # then re-apply project header diff
 git diff apps/cdi/  # review
 git commit + push
 ```
 ## Verify after deploy
 ```bash
 kubectl -n cdi get pods               # operator + apiserver + deployment + uploadproxy
 kubectl get cdis cdi -o jsonpath='{.status.phase}'  # "Deployed"
 kubectl get crd | grep cdi.kubevirt.io
 # Expected CRDs: datavolumes.cdi.kubevirt.io, cdiconfigs.cdi.kubevirt.io,
 # storageprofiles.cdi.kubevirt.io, dataimportcrons.cdi.kubevirt.io,
 # datasources.cdi.kubevirt.io, objecttransfers.cdi.kubevirt.io
 ```
 ## Use after install
 ```yaml
 # Example DataVolume that imports from HTTP
 apiVersion: cdi.kubevirt.io/v1beta1
 kind: DataVolume
 metadata:
  name: my-iso
 spec:
  source:
    http:
      url: "https://server/path/to.iso"
  pvc:
    accessModes: [ReadWriteOnce]
    resources:
      requests:
        storage: 10Gi
    storageClassName: longhorn
 ```
 ```bash
 # Or upload from local disk via virtctl
 virtctl image-upload pvc my-iso \
  --image-path ./my.iso \
  --size 10Gi \
  --storage-class longhorn \
  --access-mode ReadWriteOnce \
  --uploadproxy-url https://cdi-uploadproxy.cdi.svc:443 \
  --insecure
 ```
--- a/apps/cdi/cdi-cr.yaml
+++ b/apps/cdi/cdi-cr.yaml
@@ -0,0 +1,36 @@
 # =============================================================================
 # CDI CR — Tells the CDI operator to install CDI components into the cluster.
 # =============================================================================
 # After cdi-operator.yaml is applied, the operator watches for THIS resource
 # (CDI named "cdi"). When found, it deploys cdi-apiserver, cdi-deployment,
 # cdi-uploadproxy, cdi-cronjob, and the importer/uploadserver/cloner pods.
 #
 # Configuration:
 #   - HonorWaitForFirstConsumer: PVCs created by DataVolumes wait for first
 #     pod to schedule before binding (lets storage class pick best node).
 #   - WebhookPvcRendering: validates PVC creation against CDI policies.
 #   - imagePullPolicy IfNotPresent: re-pull only on tag rotation.
 #   - nodeSelector linux: pin to Linux nodes (no Windows worker support).
 #
 # Andrew may want to add a `uploadProxyURLOverride` later to expose the
 # uploadproxy via Traefik IngressRoute for `virtctl image-upload` from
 # BLUEJAY-WS without `kubectl port-forward`. Phase 2 enhancement.
 # =============================================================================
 apiVersion: cdi.kubevirt.io/v1beta1
 kind: CDI
 metadata:
  name: cdi
  annotations:
    bluejay.iamworkin.lan/source: "kubevirt/containerized-data-importer v1.65.0"
 spec:
  config:
    featureGates:
    - HonorWaitForFirstConsumer
    - WebhookPvcRendering
  imagePullPolicy: IfNotPresent
  infra:
    nodeSelector:
      kubernetes.io/os: linux
  workload:
    nodeSelector:
      kubernetes.io/os: linux
--- a/apps/cdi/cdi-operator.yaml
+++ b/apps/cdi/cdi-operator.yaml
--- a/apps/fc-aistation/fc-aistation.yaml
+++ b/apps/fc-aistation/fc-aistation.yaml
@@ -0,0 +1,195 @@
 # FlowerCore.AiStation.Web GitOps adoption manifest.
 #
 # Authored from the already-live fc-aistation resources on 2026-06-04.
 # Keep the live image tag, Service ClusterIP, and PVC volumeName unchanged so
 # ArgoCD adopts in place instead of replacing the workload or data volume.
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: aistation-web-data
  namespace: fc-aistation
  labels:
    app.kubernetes.io/name: aistation-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-aistation
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: longhorn
  volumeMode: Filesystem
  volumeName: pvc-27448d6f-6e66-42a7-a293-73dd8bbd6b3e
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: aistation-web
  namespace: fc-aistation
  labels:
    app.kubernetes.io/name: aistation-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-aistation
 spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: aistation-web
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/name: aistation-web
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: aistation-web-config
          image: localhost/fc-aistation-web:v20260602-aistation-owned-deploy-fix2
          imagePullPolicy: Never
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 5000
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          name: aistation-web
          ports:
            - containerPort: 5000
              name: http
              protocol: TCP
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /healthz
              port: 5000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /data
              name: data
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: aistation-web-data
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: aistation-web
  namespace: fc-aistation
  labels:
    app.kubernetes.io/name: aistation-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-aistation
 spec:
  clusterIP: 10.43.211.127
  clusterIPs:
    - 10.43.211.127
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 5000
  selector:
    app.kubernetes.io/name: aistation-web
  sessionAffinity: None
  type: ClusterIP
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: aistation-web-tls
  namespace: fc-aistation
  labels:
    app.kubernetes.io/name: aistation-web-tls
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-aistation
 spec:
  dnsNames:
    - aistation.iamworkin.lan
  issuerRef:
    kind: ClusterIssuer
    name: step-ca-acme
  secretName: aistation-web-tls
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: aistation-web
  namespace: fc-aistation
  labels:
    app.kubernetes.io/name: aistation-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-aistation
 spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`aistation.iamworkin.lan`)
      services:
        - name: aistation-web
          port: 80
  tls:
    secretName: aistation-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose aistation-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: aistation-web-public
 #   namespace: fc-aistation
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`aistation.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: aistation-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: aistation-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-chat/fc-chat.yaml
+++ b/apps/fc-chat/fc-chat.yaml
@@ -1,5 +1,207 @@
-# FlowerCore Chat — TLS + Ingress
+# FlowerCore Chat
-# Deployment and Service managed by deploy script (not ArgoCD)
+#
 # ArgoCD-managed workload plus TLS/Ingress. The chat-web-secret remains an
 # out-of-band Secret until the values are moved into a 1Password-backed item;
 # the Deployment references it as optional so GitOps can own the workload
 # without storing secret material in this repo.
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: fc-chat
  labels:
    app.kubernetes.io/part-of: flowercore
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: chat-web-config
  namespace: fc-chat
  labels:
    app.kubernetes.io/name: chat-web
    app.kubernetes.io/part-of: flowercore
 data:
  ASPNETCORE_ENVIRONMENT: Production
  ASPNETCORE_URLS: "http://+:8080"
  ASPNETCORE_FORWARDEDHEADERS_ENABLED: "true"
  FlowerCore__Auth__Enabled: "false"
  FlowerCore__Auth__Oidc__Enabled: "true"
  FlowerCore__Auth__Oidc__Authority: "https://id.iamworkin.lan/application/o/chat/"
  FlowerCore__Auth__Oidc__Audience: "chat"
  FlowerCore__Auth__Oidc__ClientId: "chat"
  FlowerCore__Database__ConnectionStrings__Sqlite: "Data Source=/data/chat.db"
  # Ollama target. BLUEJAY-WS remains faster from the workstation, but this lane
  # proved Chat pods time out reaching 10.0.56.20:11434. Keep generation and
  # behavior-rule checks on the cluster-routable edge1 endpoint until that route
  # is fixed; choose models that edge1 actually hosts.
  FlowerCore__AI__OllamaBaseUrl: "http://10.0.57.201:11434"
  FlowerCore__AI__DefaultModelName: "gemma3:12b"
  ChatOptions__BehaviorRuleEngine__OllamaBaseUrl: "http://10.0.57.201:11434"
  ChatOptions__BehaviorRuleEngine__FallbackOllamaBaseUrl: "http://10.0.57.201:11434"
  ChatOptions__BehaviorRuleEngine__ModelName: "gemma3:4b"
  FlowerCore__AI__Memory__UseSharedIndexingAdapter: "true"
  FlowerCore__AI__Memory__UseOllamaEmbeddings: "true"
  FlowerCore__AI__Memory__EmbeddingModel: "nomic-embed-text"
  FlowerCore__AI__Memory__EnableSharedIndexingBackfill: "true"
  FlowerCore__AI__Memory__SharedIndexingDatabasePath: "/data/chat-memory-index.db"
  FlowerCore__AI__Skills__Library__LibraryApiUrl: "http://library-web.fc-library.svc.cluster.local"
  FlowerCore__AI__Skills__Retail__RetailApiUrl: "http://retail-web.fc-retail.svc.cluster.local"
  FlowerCore__AI__Skills__Intranet__IntranetBaseUrl: "http://intranet-web.intranet.svc.cluster.local"
  FlowerCore__AI__Skills__Print__PrintMcpBaseUrl: "http://10.0.57.16:5200"
  FlowerCore__AI__Helpdesk__SentimentEscalation__Enabled: "true"
  FlowerCore__AI__IrcBridge__Enabled: "true"
  FlowerCore__AI__IrcBridge__DefaultProfileSlug: "it-helpdesk"
  FlowerCore__AI__IrcBridge__MentionProfileSlug: "it-helpdesk"
  FlowerCore__AI__IrcBridge__MentionReactiveMode: "mentions-only"
  FlowerCore__AI__IrcBridge__AllowActionExecution: "false"
  FlowerCore__AI__Voice__Piper__Host: "10.0.57.17"
  FlowerCore__AI__Voice__Piper__Port: "10400"
  FlowerCore__AI__Voice__OutputRoot: "/data/audio"
  FlowerCore__AI__Voice__RetentionDays: "30"
  # LLM provider abstraction (ADR-088). Anthropic stays disabled here -- when
  # an operator wants to enable Claude, they flip Enabled=true and mount
  # FlowerCore__Anthropic__ApiKey from the onepassword-synced Secret (see
  # docs/ai-agents/anthropic-integration.md).
  FlowerCore__Anthropic__Enabled: "false"
  FlowerCore__Anthropic__BaseUrl: "https://api.anthropic.com"
  FlowerCore__Anthropic__DefaultModel: "claude-sonnet-4-6"
  FlowerCore__Anthropic__CheapModel: "claude-haiku-4-5-20251001"
  FlowerCore__Anthropic__DeepModel: "claude-opus-4-7"
  FlowerCore__Budget__ResponseCacheEnabled: "true"
  OTEL_SERVICE_NAME: FlowerCore.Chat
  OTEL_EXPORTER_OTLP_ENDPOINT: "http://otel-collector.monitoring.svc.cluster.local:4317"
  OTEL_EXPORTER_OTLP_PROTOCOL: grpc
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: chat-web-data
  namespace: fc-chat
  labels:
    app.kubernetes.io/name: chat-web
    app.kubernetes.io/part-of: flowercore
 spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  volumeMode: Filesystem
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: chat-web
  namespace: fc-chat
  labels:
    app.kubernetes.io/name: chat-web
    app.kubernetes.io/part-of: flowercore
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: chat-web
  template:
    metadata:
      labels:
        app.kubernetes.io/name: chat-web
        app.kubernetes.io/part-of: flowercore
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
    spec:
      nodeSelector:
        kubernetes.io/hostname: rke2-server
      securityContext:
        fsGroup: 1654
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: chat-web
          image: localhost/fc-chat-web:v20260614-regroup-ch3-0479a31
          imagePullPolicy: Never
          ports:
            - name: http
              containerPort: 8080
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          envFrom:
            - configMapRef:
                name: chat-web-config
            - secretRef:
                name: chat-web-secret
                optional: true
          env:
            - name: FlowerCore__Auth__Oidc__Authority
              valueFrom:
                secretKeyRef:
                  name: chat-oidc-client
                  key: issuer_url
                  optional: true
            - name: FlowerCore__Auth__Oidc__ClientId
              valueFrom:
                secretKeyRef:
                  name: chat-oidc-client
                  key: client_id
                  optional: true
            - name: FlowerCore__Auth__Oidc__ClientSecret
              valueFrom:
                secretKeyRef:
                  name: chat-oidc-client
                  key: client_secret
                  optional: true
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: chat-web-data
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: chat-web
  namespace: fc-chat
  labels:
    app.kubernetes.io/name: chat-web
    app.kubernetes.io/part-of: flowercore
 spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: chat-web
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -30,3 +232,41 @@ spec:
          port: 80
  tls:
    secretName: chat-web-tls
 ---
 # Public host profile marker. The app treats this header as authoritative for
 # the public twin, while the internal chat.iamworkin.lan route does not attach
 # it and keeps the operator-oriented UI.
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: chat-public-profile-header
  namespace: fc-chat
 spec:
  headers:
    customRequestHeaders:
      X-FC-Chat-Host-Profile: "public"
 ---
 # Public Cloudflare-fronted twin for the anonymous chat surface. Operator
 # paths are intentionally absent from the allowlist below, so /admin,
 # /operator, /console, /ops, /api/operator, and /operatorhub miss this route
 # and return Traefik 404 before reaching the pod. Operator action still needed:
 # create/verify Cloudflare DNS chat.flowercore.io -> public Traefik endpoint
 # and mirror the cf-origin-flowercore-io TLS secret into namespace fc-chat.
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: chat-web-public
  namespace: fc-chat
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`chat.flowercore.io`) && (Path(`/`) || Path(`/chat`) || PathPrefix(`/_blazor`) || PathPrefix(`/_framework`) || PathPrefix(`/_content`) || PathPrefix(`/avatars`) || PathPrefix(`/css`) || PathPrefix(`/js`) || PathPrefix(`/favicon`) || PathPrefix(`/chathub`)) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      kind: Rule
      middlewares:
        - name: chat-public-profile-header
      services:
        - name: chat-web
          port: 80
  tls:
    secretName: cf-origin-flowercore-io
--- a/apps/fc-desktop/fc-desktop.yaml
+++ b/apps/fc-desktop/fc-desktop.yaml
@@ -1,5 +1,32 @@
 # FlowerCore Remote Desktop — TLS + Ingress
-# Deployment and Service managed by deploy script (not ArgoCD)
+#
 # Source-of-truth split:
 #   - bluejay-infra OWNS: Certificate, IngressRoute, all NetworkPolicies
 #     (see network-policies.yaml in this directory).
 #   - FlowerCore.RemoteDesktop scripts/deploy-web.sh OWNS: Deployment +
 #     Service. Reason: image refs like `localhost/fc-desktop:linux-xfce`
 #     only exist on each node's containerd after a manual import, so a
 #     Deployment manifest in bluejay-infra would race the image-import
 #     step and crash-loop.
 #
 # NetworkPolicies moved into bluejay-infra 2026-05-07 — previously they
 # were applied via the deploy script's kubectl apply calls, which broke
 # cluster-rebuild repeatability. See
 # feedback_networkpolicies_belong_in_bluejay_infra.md.
 ---
 # OIDC client secret for the RemoteDesktop end-user sign-in (fleet regroup L9,
 # 2026-06-12). The Authentik provider `remotedesktop` already exists; the 1P item
 # `remotedesktop-oidc-client` (vault IAmWorkin) carries issuer_url / client_id /
 # client_secret, and the 1Password operator mints the same-named K8s Secret that
 # k8s/web-deployment.yaml (FlowerCore.RemoteDesktop repo) consumes with
 # optional:true. Gate stays OFF (Q-RD-16) — this is flip-READINESS only.
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: remotedesktop-oidc-client
  namespace: fc-desktop
 spec:
  itemPath: "vaults/IAmWorkin/items/remotedesktop-oidc-client"
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -38,3 +65,26 @@ spec:
          port: 8080
  tls:
    secretName: remotedesktop-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose remotedesktop-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: remotedesktop-web-public
 #   namespace: fc-desktop
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`desktop.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: remotedesktop-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: remotedesktop-web
 #           port: 8080
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-desktop/network-policies.yaml
+++ b/apps/fc-desktop/network-policies.yaml
@@ -0,0 +1,332 @@
 # FlowerCore Remote Desktop — NetworkPolicies (GitOps-managed)
 #
 # Moved into bluejay-infra 2026-05-07 as part of the regroup audit. These
 # four policies were previously applied via FlowerCore.RemoteDesktop's
 # scripts/deploy-web.sh `kubectl apply` calls, which meant a fresh cluster
 # rebuild from bluejay-infra alone would miss them — Browser Lab session
 # isolation, control-plane allow-list, and HTTP-01 cert renewal would all
 # silently fail to come up.
 #
 # Source-of-truth contract:
 #   - bluejay-infra OWNS all NetworkPolicy + Certificate + IngressRoute
 #     resources for fc-desktop.
 #   - FlowerCore.RemoteDesktop's scripts/deploy-web.sh continues to own
 #     the Deployment + Service apply (because the image ref
 #     `localhost/fc-desktop:linux-xfce` only exists on each node's
 #     containerd after a manual import — it can't be pulled from a
 #     registry, so a Deployment manifest in bluejay-infra would race the
 #     image-import step and crash-loop).
 ---
 # 1) desktop-isolation — Browser Lab session pods.
 #
 # Locks down pods labeled `app.kubernetes.io/name=remote-desktop` (every
 # session pod regardless of template). Allows guacd ingress for the VNC/RDP
 # display lane and remotedesktop-web's pre-handoff probing. Egress: NFS to
 # Synology, DNS, Traefik (cluster + LB VIP), Intranet (Browser Lab home).
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: desktop-isolation
  namespace: fc-desktop
  labels:
    app.kubernetes.io/part-of: remotedesktop
    app.kubernetes.io/component: isolation
 spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: remote-desktop
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: guacamole
      ports:
        - port: 3000
          protocol: TCP
        - port: 3001
          protocol: TCP
        - port: 5901
          protocol: TCP
        - port: 3389
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-desktop
          podSelector:
            matchLabels:
              app.kubernetes.io/name: remotedesktop-web
      ports:
        - port: 3000
          protocol: TCP
        - port: 5901
          protocol: TCP
  egress:
    # NFS to Synology
    - to:
        - ipBlock:
            cidr: 10.0.58.3/32
      ports:
        - port: 2049
          protocol: TCP
        - port: 2049
          protocol: UDP
        - port: 111
          protocol: TCP
        - port: 111
          protocol: UDP
    - to:
        - ipBlock:
            cidr: 10.0.58.3/32
      ports:
        - port: 445
          protocol: TCP
    - to: []
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 10.0.56.200/32
        - ipBlock:
            cidr: 10.43.33.87/32
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP
        - port: 8000
          protocol: TCP
        - port: 8443
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: intranet
          podSelector:
            matchLabels:
              app: intranet-web
      ports:
        - port: 5300
          protocol: TCP
 ---
 # 2) fc-desktop-default-deny — namespace-wide catch-all.
 #
 # Selects every pod EXCEPT remotedesktop-web (the public-surface control
 # plane) and applies default-deny semantics for both Ingress and Egress.
 # Closes the gap where session pods land WITHOUT the desktop-isolation
 # policy's `app.kubernetes.io/name=remote-desktop` label, plus prevents
 # arbitrary debug sidecars / kubectl debug images from getting cluster
 # access.
 #
 # CRITICAL: also catches transient cm-acme-http-solver pods (that's the
 # bug this whole regroup chased). The cm-acme-http-solver-allow policy
 # below is the explicit carve-out.
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: fc-desktop-default-deny
  namespace: fc-desktop
  labels:
    app.kubernetes.io/part-of: remotedesktop
    app.kubernetes.io/component: isolation
 spec:
  podSelector:
    matchExpressions:
      - key: app.kubernetes.io/name
        operator: NotIn
        values:
          - remotedesktop-web
  policyTypes:
    - Ingress
    - Egress
 ---
 # 3) remotedesktop-web-isolation — control plane explicit allow-list.
 #
 # remotedesktop-web is the only pod label the default-deny excludes, so
 # without this policy the control plane would have wide-open Ingress AND
 # Egress. This re-introduces a tight allow-list:
 #   - Ingress: Traefik only on TCP/8080
 #   - Egress: CoreDNS, K8s API, Guacamole admin, NFS, Intranet,
 #     Traefik (cluster + LB), and the fc-desktop namespace itself
 #     (for session pod readiness probing).
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: remotedesktop-web-isolation
  namespace: fc-desktop
  labels:
    app.kubernetes.io/part-of: remotedesktop
    app.kubernetes.io/component: isolation
 spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: remotedesktop-web
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 8080
          protocol: TCP
  egress:
    # CoreDNS
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # K8s API server
    - to: []
      ports:
        - port: 443
          protocol: TCP
        - port: 6443
          protocol: TCP
    # Guacamole admin
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: guacamole
      ports:
        - port: 8080
          protocol: TCP
    # NFS to Synology
    - to:
        - ipBlock:
            cidr: 10.0.58.3/32
      ports:
        - port: 2049
          protocol: TCP
        - port: 2049
          protocol: UDP
        - port: 111
          protocol: TCP
        - port: 111
          protocol: UDP
    # Intranet web
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: intranet
          podSelector:
            matchLabels:
              app: intranet-web
      ports:
        - port: 5300
          protocol: TCP
    # Cluster Traefik pods (in-cluster service resolution + Guacamole
    # routing handoff where web app builds URLs against the public host
    # but resolves internally).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP
        - port: 8080
          protocol: TCP
        - port: 8443
          protocol: TCP
    # fc-desktop namespace — session pod probing during browser-access
    # readiness checks.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-desktop
      ports:
        - port: 3000
          protocol: TCP
        - port: 3001
          protocol: TCP
        - port: 5901
          protocol: TCP
        - port: 3389
          protocol: TCP
 ---
 # 4) cm-acme-http-solver-allow — cert-manager HTTP-01 carve-out.
 #
 # Without this, fc-desktop-default-deny catches the transient solver pods
 # cert-manager creates for each renewal (they don't carry the
 # remotedesktop-web label). Caused 8-day silent renewal failure on
 # desktop.iamworkin.lan in 2026-04-28..2026-05-07 (see
 # feedback_certmanager_renewal_stuck_when_solver_blocked_by_namespace_default_deny.md).
 #
 # Authorizes:
 #   - Ingress on TCP/8089 from cluster Traefik (which proxies the external
 #     HTTP-01 GET on port 80 through to the solver).
 #   - Egress for cluster DNS (defensive — newer cert-manager probes from
 #     inside the solver too).
 #
 # The `acme.cert-manager.io/http01-solver=true` label is set by
 # cert-manager itself on every solver pod automatically.
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: cm-acme-http-solver-allow
  namespace: fc-desktop
  labels:
    app.kubernetes.io/part-of: remotedesktop
    app.kubernetes.io/component: cert-renewal
 spec:
  podSelector:
    matchLabels:
      acme.cert-manager.io/http01-solver: "true"
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 8089
          protocol: TCP
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
--- a/apps/fc-devicemgmt/1password-item.yaml
+++ b/apps/fc-devicemgmt/1password-item.yaml
@@ -0,0 +1,26 @@
 # Runtime secrets for FlowerCore.DeviceManagement.
 #
 # OnePasswordItem operator syncs this item into a Kubernetes Secret with the
 # same name. Expected fields:
 #   DB-Password
 #   mtls-ca.pem
 #   mtls-client.crt
 #   mtls-client.key
 #   mtls-chain.pem
 #
 # Do not add literal secret values to this repo. Runtime pods consume the
 # synced Secret through env vars and read-only mounts.
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: fc-devicemgmt-runtime
  namespace: fc-devicemgmt
  labels:
    app.kubernetes.io/name: fc-devicemgmt
    app.kubernetes.io/component: secrets
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  itemPath: "vaults/IAmWorkin/items/FlowerCore DeviceManagement Runtime"
--- a/apps/fc-devicemgmt/ADMIN-CONSOLE-INFRA.md
+++ b/apps/fc-devicemgmt/ADMIN-CONSOLE-INFRA.md
@@ -0,0 +1,70 @@
 # Admin / Helpdesk Console — Infra Finding (Cl-5, ADR-204)
 **Outcome: ZERO new cluster infra required.** The Admin/helpdesk console rides the
 existing `FlowerCore.DeviceManagement.Web` deploy as routes inside DM.Web (ADR-204).
 The ingress already in this directory covers every path the admin console serves.
 ## What already exists for DM.Web (this directory)
 | Manifest | Resource | Notes |
 |----------|----------|-------|
 | `certificate-web.yaml` | cert-manager `Certificate` `fc-devicemgmt-web-tls` | `issuerRef` → `step-ca-acme` `ClusterIssuer`; `dnsNames: [devices.iamworkin.lan]`; `secretName: fc-devicemgmt-web-tls`. DNS preflight gate documented (pfSense A record `devices.iamworkin.lan → 10.0.56.200` required before ACME sync). |
 | `ingressroute-web.yaml` | Traefik `IngressRoute` `fc-devicemgmt-web` | `entryPoints: [websecure]`, `match: Host(\`devices.iamworkin.lan\`)`, service `fc-devicemgmt-web:80`, `tls.secretName: fc-devicemgmt-web-tls`. |
 | `service-web.yaml` | `Service` `fc-devicemgmt-web` (ClusterIP, 80→8080) | Owned by the DM.Web deploy. |
 | `deployment-web.yaml` | `Deployment` `fc-devicemgmt-web` | Currently `replicas: 0` (gated on fc-mysql operator + `flowercore_devicemgmt` DB + 1Password runtime item — see header comment). Not a Cl-5 concern. |
 | also present | operator RBAC, namespace, network-policy, 1password-item | Full app dir, ArgoCD-managed. |
 ## Why the admin console needs nothing new
 The existing IngressRoute matches **`Host(\`devices.iamworkin.lan\`)` with no `PathPrefix`
 constraint**. Traefik therefore forwards *all* paths on that host to the
 `fc-devicemgmt-web` service — including any admin/helpdesk routes the DM.Web app exposes
 under its `FlowerCore:PathBase` (e.g. `/admin`, `/helpdesk`). The same TLS secret
 (`fc-devicemgmt-web-tls`) and the same step-ca ACME `Certificate` already protect them.
 This matches the established TLS-only-app pattern (e.g. `apps/fc-library/fc-library.yaml`,
 `apps/fc-retail/fc-retail.yaml`): `Certificate` (issuerRef `step-ca-acme` ClusterIssuer) +
 host-matched `IngressRoute` sharing the `secretName`. Per ADR-204 the admin console's
 Deployment/Service stay with the DM.Web deploy — no separate workload is created.
 ArgoCD repo URL convention (for reference, not changed here):
 `http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git`
 (internal HTTP — step-ca cert isn't trusted by ArgoCD). Apps in `apps/*` are picked up by
 the `bluejay-infra` ApplicationSet directory generator; this dir has no `kustomization.yaml`,
 consistent with that pattern.
 ## Recommendation
 **Ride DM.Web at a PathBase path → no new Certificate, no new IngressRoute, no new
 Deployment/Service.** Close the lane. The admin console reaches users at
 `https://devices.iamworkin.lan/<PathBase>` through the manifests already in this directory.
 ## Open question (operator decision — NOT actioned)
 **Q-MP-ADMIN-HOST — Distinct admin hostname vs PathBase path under DM.Web?**
 If the operator ever wants the admin/helpdesk console on its *own* hostname
 (e.g. `admin.iamworkin.lan`) rather than a path under `devices.iamworkin.lan`, that is a
 deliberate routing/auth-surface choice, not a mechanical infra add. It would require:
 1. a pfSense / FlowerCore.DNS A record `admin.iamworkin.lan → 10.0.56.200` (ACME preflight
   gate — step-ca HTTP-01 can't see the CoreDNS wildcard);
 2. a second cert-manager `Certificate` (`step-ca-acme` ClusterIssuer, `dnsNames:
   [admin.iamworkin.lan]`, own `secretName`);
 3. a second host-matched `IngressRoute` → the same `fc-devicemgmt-web:80` service
   (still no new Deployment/Service — same app behind a second host).
 **Default taken (do not block): PathBase path under DM.Web = zero new infra.** A separate
 admin hostname is left UNBUILT pending an explicit operator answer to Q-MP-ADMIN-HOST,
 because it changes the public/auth surface and conflicts with the ADR-204 "routes inside
 DM.Web" intent. If the answer is "separate host," author only the `Certificate` +
 `IngressRoute` above (no Deployment/Service), mirroring `apps/fc-library/fc-library.yaml`.
 ## Verification
 - `kubectl apply --dry-run=client` (kubectl v1.34.2, no live cluster): `ingressroute-web.yaml`,
  `service-web.yaml`, `deployment-web.yaml` validated clean. `certificate-web.yaml` returned
  "no matches for kind Certificate in cert-manager.io/v1" — expected with no cluster
  connection (CRD discovery unavailable client-side); the YAML shape is identical to the
  proven `fc-library` Certificate. Server-side dry-run + live host resolution =
  **fix-forward** (cluster may be unreachable from this lane).
 - No manifest authored or changed by this lane — finding note only.
--- a/apps/fc-devicemgmt/certificate-web.yaml
+++ b/apps/fc-devicemgmt/certificate-web.yaml
@@ -0,0 +1,30 @@
 # Certificate for devices.iamworkin.lan.
 #
 # Preflight gate: FlowerCore.DNS / pfSense must contain an explicit A record:
 #   devices.iamworkin.lan -> 10.0.56.200
 # before this Certificate is synced. step-ca ACME cannot see the CoreDNS
 # wildcard, so missing pfSense DNS produces cert-manager HTTP-01 backoff
 # (feedback_pfsense_dns_required_for_acme).
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: fc-devicemgmt-web-tls
  namespace: fc-devicemgmt
  labels:
    app.kubernetes.io/name: fc-devicemgmt-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
  annotations:
    flowercore.io/dns-preflight: "devices.iamworkin.lan must resolve to 10.0.56.200 before ACME sync"
 spec:
  secretName: fc-devicemgmt-web-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - devices.iamworkin.lan
  duration: 720h
  renewBefore: 240h
--- a/apps/fc-devicemgmt/clusterrole-operator.yaml
+++ b/apps/fc-devicemgmt/clusterrole-operator.yaml
@@ -0,0 +1,83 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: fc-devicemgmt-operator
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 rules:
  - apiGroups:
      - flowercore.io
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - flowercore.io
    resources:
      - devices/status
      - devices/finalizers
      - devicegroups/status
      - devicegroups/finalizers
      - devicepolicies/status
      - devicepolicies/finalizers
      - remotecommands/status
      - remotecommands/finalizers
      - desiredstatedocuments/status
      - desiredstatedocuments/finalizers
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - configmaps
      - secrets
      - events
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
--- a/apps/fc-devicemgmt/clusterrolebinding-operator.yaml
+++ b/apps/fc-devicemgmt/clusterrolebinding-operator.yaml
@@ -0,0 +1,19 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: fc-devicemgmt-operator
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fc-devicemgmt-operator
 subjects:
  - kind: ServiceAccount
    name: fc-devicemgmt-operator
    namespace: fc-devicemgmt
--- a/apps/fc-devicemgmt/crds.yaml
+++ b/apps/fc-devicemgmt/crds.yaml
@@ -0,0 +1,186 @@
 # FlowerCore.DeviceManagement CRDs.
 #
 # These CRDs match the current operator annotations:
 #   [KubernetesEntity(Group = "flowercore.io", ApiVersion = "v1alpha1", ...)]
 # Keep the schemas intentionally permissive until the DeviceManagement operator
 # grows enforced CRD validation.
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: devices.flowercore.io
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  group: flowercore.io
  scope: Namespaced
  names:
    plural: devices
    singular: device
    kind: Device
    listKind: DeviceList
  versions:
    - name: v1alpha1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: devicegroups.flowercore.io
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  group: flowercore.io
  scope: Namespaced
  names:
    plural: devicegroups
    singular: devicegroup
    kind: DeviceGroup
    listKind: DeviceGroupList
  versions:
    - name: v1alpha1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: devicepolicies.flowercore.io
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  group: flowercore.io
  scope: Namespaced
  names:
    plural: devicepolicies
    singular: devicepolicy
    kind: DevicePolicy
    listKind: DevicePolicyList
  versions:
    - name: v1alpha1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: remotecommands.flowercore.io
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  group: flowercore.io
  scope: Namespaced
  names:
    plural: remotecommands
    singular: remotecommand
    kind: RemoteCommand
    listKind: RemoteCommandList
  versions:
    - name: v1alpha1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: desiredstatedocuments.flowercore.io
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  group: flowercore.io
  scope: Namespaced
  names:
    plural: desiredstatedocuments
    singular: desiredstatedocument
    kind: DesiredStateDocument
    listKind: DesiredStateDocumentList
  versions:
    - name: v1alpha1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
--- a/apps/fc-devicemgmt/deployment-operator.yaml
+++ b/apps/fc-devicemgmt/deployment-operator.yaml
@@ -0,0 +1,109 @@
 # FlowerCore.DeviceManagement Operator.
 #
 # KubeOps controller for devices.flowercore.io resources. Operator-created
 # children must set OwnerReferences + traceability labels/annotations per
 # k8s-pod-ownership-and-traceability-standard.md. RBAC below grants
 # apps/deployments/get so the process can resolve its own Deployment UID.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: fc-devicemgmt-operator
  namespace: fc-devicemgmt
  labels:
    app: fc-devicemgmt-operator
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
  annotations:
    flowercore.io/traceability-standard: k8s-pod-ownership-and-traceability-standard
 spec:
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: fc-devicemgmt-operator
  template:
    metadata:
      labels:
        app: fc-devicemgmt-operator
        app.kubernetes.io/name: fc-devicemgmt-operator
        app.kubernetes.io/component: operator
        app.kubernetes.io/part-of: flowercore
        app.kubernetes.io/managed-by: argocd
        flowercore.io/tenant-id: system
        flowercore.io/created-by: bluejay-infra
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
        flowercore.io/audit-trace-id: "runtime-activity-trace"
    spec:
      serviceAccountName: fc-devicemgmt-operator
      securityContext:
        fsGroup: 1654
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: operator
          image: localhost/fc-devicemgmt-operator:v20260519-sp34cl3-fix
          imagePullPolicy: Never
          ports:
            - name: metrics
              containerPort: 8080
          env:
            - name: ASPNETCORE_ENVIRONMENT
              value: "Production"
            - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
              value: "false"
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: FLOWERCORE_KUBERNETES_OWNER_DEPLOYMENT
              value: "fc-devicemgmt-operator"
            - name: FlowerCore__Service__Name
              value: "FlowerCore.DeviceManagement.Operator"
            - name: FlowerCore__DeviceManagement__DefaultTenantId
              value: "system"
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 20
            periodSeconds: 30
          securityContext:
            runAsNonRoot: true
            runAsUser: 1654
            runAsGroup: 1654
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: logs
              mountPath: /app/logs
      volumes:
        - name: tmp
          emptyDir: {}
        - name: logs
          emptyDir: {}
--- a/apps/fc-devicemgmt/deployment-web.yaml
+++ b/apps/fc-devicemgmt/deployment-web.yaml
@@ -0,0 +1,163 @@
 # FlowerCore.DeviceManagement Web.
 #
 # Source repo is expected to ship FlowerCore.DeviceManagement.Web in a later
 # Sprint 9+ lane. This manifest is static-valid without requiring the image to
 # exist yet; import localhost/fc-devicemgmt-web:<tag> to all schedulable RKE2
 # nodes before letting ArgoCD sync a live rollout.
 #
 # LIVE — 2026-06-11 DeviceManagement product-host enablement.
 # The current DeviceManagement Web source is SQLite-backed in Program.cs, so
 # Phase 1 production uses a Longhorn RWO PVC at /data/devicemgmt.db. The
 # 1Password runtime item stays mounted through env for future MySQL/API-key
 # cutover, but MySQL is not required for this first product-host rollout.
 # Image v20260613-g2-66a43c1 is built from FlowerCore.DeviceManagement master
 # 66a43c1, carrying edge enrollment network completion and SQLite-safe trust-bundle smoke coverage.
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: fc-devicemgmt-web-data
  namespace: fc-devicemgmt
  labels:
    app: fc-devicemgmt-web
    app.kubernetes.io/name: fc-devicemgmt-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: fc-devicemgmt-web
  namespace: fc-devicemgmt
  labels:
    app: fc-devicemgmt-web
    app.kubernetes.io/name: fc-devicemgmt-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
  annotations:
    flowercore.io/traceability-standard: k8s-pod-ownership-and-traceability-standard
 spec:
  replicas: 1
  revisionHistoryLimit: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
  selector:
    matchLabels:
      app: fc-devicemgmt-web
  template:
    metadata:
      labels:
        app: fc-devicemgmt-web
        app.kubernetes.io/name: fc-devicemgmt-web
        app.kubernetes.io/component: web
        app.kubernetes.io/part-of: flowercore
        app.kubernetes.io/managed-by: argocd
        flowercore.io/tenant-id: system
        flowercore.io/created-by: bluejay-infra
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
        flowercore.io/audit-trace-id: "runtime-activity-trace"
    spec:
      securityContext:
        fsGroup: 1654
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: web
          image: localhost/fc-devicemgmt-web:v20260614-regroup-c5b8f82
          imagePullPolicy: Never
          ports:
            - name: http
              containerPort: 8080
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
            - name: ASPNETCORE_ENVIRONMENT
              value: "Production"
            - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
              value: "false"
            - name: HOME
              value: "/data"
            - name: FlowerCore__Service__Name
              value: "FlowerCore.DeviceManagement.Web"
            - name: FlowerCore__DeviceManagement__DefaultTenantId
              value: "system"
            - name: FlowerCore__Database__Provider
              value: "Sqlite"
            - name: FlowerCore__Database__ConnectionStrings__Sqlite
              value: "Data Source=/data/devicemgmt.db"
            - name: FlowerCore__Database__Password
              valueFrom:
                secretKeyRef:
                  name: fc-devicemgmt-runtime
                  key: DB-Password
            - name: FlowerCore__EventBus__Redis__Configuration
              value: "redis.fc-redis.svc:6379"
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              cpu: 1000m
              memory: 768Mi
          startupProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            failureThreshold: 30
          readinessProbe:
            tcpSocket:
              port: 8080
            periodSeconds: 10
            failureThreshold: 3
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 30
            failureThreshold: 3
          securityContext:
            runAsNonRoot: true
            runAsUser: 1654
            runAsGroup: 1654
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: data
              mountPath: /data
            - name: tmp
              mountPath: /tmp
            - name: logs
              mountPath: /app/logs
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: fc-devicemgmt-web-data
        - name: tmp
          emptyDir: {}
        - name: logs
          emptyDir: {}
--- a/apps/fc-devicemgmt/ingressroute-web.yaml
+++ b/apps/fc-devicemgmt/ingressroute-web.yaml
@@ -0,0 +1,55 @@
 # LAN ingress for FlowerCore.DeviceManagement Web.
 #
 # RKE2 Traefik has no built-in ACME resolver configured. Keep TLS certificate
 # ownership in cert-manager Certificate/fc-devicemgmt-web-tls.
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: fc-devicemgmt-web
  namespace: fc-devicemgmt
  labels:
    app.kubernetes.io/name: fc-devicemgmt-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`devices.iamworkin.lan`)
      kind: Rule
      services:
        - name: fc-devicemgmt-web
          port: 80
  tls:
    secretName: fc-devicemgmt-web-tls
 # Future public agent/update host gate (OFF by default):
 #
 # Do not enable `update.flowercore.io` here until Authentik OIDC Q-OIDC-1
 # resolves the public-device-management auth model and route ownership with
 # UpdateCenter. When enabled, use a separate public IngressRoute with an
 # explicit Method allowlist, public-host auth middleware, and public TLS
 # certificate strategy. Leaving this as comments keeps ArgoCD from stealing
 # live UpdateCenter traffic.
 #
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: fc-devicemgmt-web-public
 #   namespace: fc-devicemgmt
 #   annotations:
 #     flowercore.io/public-host-gate: "disabled-until-Q-OIDC-1"
 # spec:
 #   entryPoints:
 #     - websecure
 #   routes:
 #     - match: Host(`update.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
 #       kind: Rule
 #       services:
 #         - name: fc-devicemgmt-web
 #           port: 80
 #   tls:
 #     secretName: fc-devicemgmt-public-tls
--- a/apps/fc-devicemgmt/namespace.yaml
+++ b/apps/fc-devicemgmt/namespace.yaml
@@ -0,0 +1,13 @@
 # FlowerCore.DeviceManagement namespace.
 #
 # ArgoCD discovers this directory as Application `infra-fc-devicemgmt`.
 apiVersion: v1
 kind: Namespace
 metadata:
  name: fc-devicemgmt
  labels:
    app.kubernetes.io/name: fc-devicemgmt
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
--- a/apps/fc-devicemgmt/network-policy.yaml
+++ b/apps/fc-devicemgmt/network-policy.yaml
@@ -0,0 +1,224 @@
 # FlowerCore.DeviceManagement NetworkPolicies.
 #
 # NetworkPolicies belong in bluejay-infra so ArgoCD owns rebuild state.
 # Rules include Traefik post-DNAT backend ports per
 # feedback_netpol_dnat_backend_port and Synology NFS egress for the requested
 # cold-tier / future artifact path.
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: fc-devicemgmt-web-isolation
  namespace: fc-devicemgmt
  labels:
    app.kubernetes.io/name: fc-devicemgmt-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  podSelector:
    matchLabels:
      app: fc-devicemgmt-web
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # LAN edge: only cluster Traefik should reach the Web pod for
    # devices.iamworkin.lan.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 8080
          protocol: TCP
    # Direct LAN diagnostics are allowed only from FlowerCore LAN/VPN ranges.
    - from:
        - ipBlock:
            cidr: 10.0.56.0/24
        - ipBlock:
            cidr: 10.0.57.0/24
        - ipBlock:
            cidr: 10.0.58.0/24
        - ipBlock:
            cidr: 10.0.68.0/27
      ports:
        - port: 8080
          protocol: TCP
  egress:
    # CoreDNS.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Database namespace.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-mysql
      ports:
        - port: 3306
          protocol: TCP
    # Redis backplane for multi-replica SignalR / live-status fan-out.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-redis
      ports:
        - port: 6379
          protocol: TCP
    # Traefik VIP / in-cluster Traefik for self-callbacks and public URL
    # generation tests. Include post-DNAT backend ports 8443 + 8080.
    - to:
        - ipBlock:
            cidr: 10.0.56.200/32
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP
        - port: 8080
          protocol: TCP
        - port: 8443
          protocol: TCP
    # Agent egress: LAN/VPN devices may run DM Agent in Generic, Kiosk, Pi,
    # ThinClient, or Server mode. Keep this private-range only.
    - to:
        - ipBlock:
            cidr: 10.0.56.0/24
        - ipBlock:
            cidr: 10.0.57.0/24
        - ipBlock:
            cidr: 10.0.58.0/24
        - ipBlock:
            cidr: 10.0.68.0/27
      ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP
        - port: 8080
          protocol: TCP
        - port: 8443
          protocol: TCP
        - port: 5000
          protocol: TCP
        - port: 5001
          protocol: TCP
    # Synology NFS cold-tier / artifact mount allowance.
    - to:
        - ipBlock:
            cidr: 10.0.58.3/32
      ports:
        - port: 2049
          protocol: TCP
        - port: 2049
          protocol: UDP
        - port: 111
          protocol: TCP
        - port: 111
          protocol: UDP
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: fc-devicemgmt-operator-isolation
  namespace: fc-devicemgmt
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  podSelector:
    matchLabels:
      app: fc-devicemgmt-operator
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - port: 8080
          protocol: TCP
  egress:
    # CoreDNS.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Kubernetes API for KubeOps reconciliation and Deployment UID lookup.
    - to: []
      ports:
        - port: 443
          protocol: TCP
        - port: 6443
          protocol: TCP
    # Agent egress for operator-initiated probes / fallback command dispatch.
    - to:
        - ipBlock:
            cidr: 10.0.56.0/24
        - ipBlock:
            cidr: 10.0.57.0/24
        - ipBlock:
            cidr: 10.0.58.0/24
        - ipBlock:
            cidr: 10.0.68.0/27
      ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP
        - port: 8080
          protocol: TCP
        - port: 8443
          protocol: TCP
        - port: 5000
          protocol: TCP
        - port: 5001
          protocol: TCP
    # Synology NFS allowance for future cold-tier/audit archival jobs.
    - to:
        - ipBlock:
            cidr: 10.0.58.3/32
      ports:
        - port: 2049
          protocol: TCP
        - port: 2049
          protocol: UDP
        - port: 111
          protocol: TCP
        - port: 111
          protocol: UDP
--- a/apps/fc-devicemgmt/service-web.yaml
+++ b/apps/fc-devicemgmt/service-web.yaml
@@ -0,0 +1,22 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: fc-devicemgmt-web
  namespace: fc-devicemgmt
  labels:
    app: fc-devicemgmt-web
    app.kubernetes.io/name: fc-devicemgmt-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  type: ClusterIP
  selector:
    app: fc-devicemgmt-web
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
--- a/apps/fc-devicemgmt/serviceaccount-operator.yaml
+++ b/apps/fc-devicemgmt/serviceaccount-operator.yaml
@@ -0,0 +1,12 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: fc-devicemgmt-operator
  namespace: fc-devicemgmt
  labels:
    app.kubernetes.io/name: fc-devicemgmt-operator
    app.kubernetes.io/component: operator
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
--- a/apps/fc-distribution/fc-distribution.yaml
+++ b/apps/fc-distribution/fc-distribution.yaml
@@ -74,6 +74,14 @@ metadata:
 spec:
  itemPath: "vaults/IAmWorkin/items/FlowerCore Edition Signing Key - edition:aistation-field"
 ---
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: distribution-oidc-client
  namespace: fc-distribution
 spec:
  itemPath: "vaults/IAmWorkin/items/distribution-oidc-client"
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -101,6 +109,7 @@ spec:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      # Synology NFS export `/volume1/kubernetes` ACL only allows rke2-server
      # (10.0.56.11) right now. Until the ACL is widened in DSM (admin only),
@@ -118,7 +127,7 @@ spec:
          #   dotnet.exe publish -c Release -o deploy/app \
          #     src/FlowerCore.Distribution.Web/FlowerCore.Distribution.Web.csproj
          #   podman build -t localhost/fc-distribution:v<tag> -f deploy/Dockerfile.deploy deploy
-          image: localhost/fc-distribution:v202604240010
+          image: localhost/fc-distribution:v20260604-oidc-root-anon
          imagePullPolicy: Never
          ports:
            - containerPort: 8080
@@ -130,6 +139,25 @@ spec:
              value: "Production"
            - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
              value: "false"
            # Authentik/OIDC enforcement. Public read/entitlement + the
            # dist.flowercore.io Method() allowlist stay open; OIDC gates the
            # operator/admin surface while /healthz remains anonymous.
            - name: FlowerCore__Auth__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Authority
              value: "https://id.iamworkin.lan/application/o/distribution/"
            - name: FlowerCore__Auth__Oidc__Audience
              value: "distribution"
            - name: FlowerCore__Auth__Oidc__ClientId
              value: "distribution"
            - name: FlowerCore__Auth__Oidc__ClientSecret
              valueFrom:
                secretKeyRef:
                  name: distribution-oidc-client
                  key: client_secret
                  optional: true
            # SQLite connection (catalog + data-protection keys via FlowerCoreDbContext).
            # Read by Data/DatabaseProviderExtensions.cs in precedence order; Sqlite key wins.
            - name: FlowerCore__Database__Provider
@@ -151,6 +179,10 @@ spec:
              value: "/signing/aistation-field/chain.pem"
            - name: FlowerCore__Distribution__Signing__EditionCerts__aistation-field__KeyPath
              value: "/signing/aistation-field/private-key.pem"
            # Public distribution host is GET/HEAD-only at Traefik; this
            # entitlement list controls which editions are readable there.
            - name: FlowerCore__Distribution__EntitlementPublic__PublicEditions__0
              value: "*"
          resources:
            requests:
              cpu: 100m
@@ -262,8 +294,12 @@ spec:
    kind: ClusterIssuer
  dnsNames:
    - dist.iamworkin.lan
-  duration: 2160h    # 90d
+  # step-ca ACME caps lifetime at 30d; requesting 90d silently capped
-  renewBefore: 720h  # 30d
+  # made renewBefore=cert-lifetime → perpetual renewal loop (10880+ CRs
  # in 18h on 2026-05-07). Match working 720h/240h pattern from other
  # FC services.
  duration: 720h     # 30d (step-ca cap)
  renewBefore: 240h  # 10d
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
--- a/apps/fc-divoom-dm-pi-device/README.md
+++ b/apps/fc-divoom-dm-pi-device/README.md
@@ -0,0 +1,45 @@
 # FlowerCore Divoom DM Pi Device
 Source-controlled Puppet/Hiera deployment contract for registering the edge2
 Divoom MiniToo panel as a FlowerCore DeviceManagement-managed Pi device.
 This is not a Kubernetes application. The live panel remains the existing
 edge2 `flowercore-divoom.service` managed by `FlowerCore.Puppet`
 `profile::pi::service::divoom`, with the .NET payload deployed out of band
 and `/opt/flowercore/divoom/data` plus the Bluetooth shell wrappers preserved.
 Because edge2 is already Hiera-driven through `profile::pi::service::apps`,
 the deploy home is additive `profile::pi::service` data/profile source, not
 `profile::edge::service::apps` and not an ArgoCD/K8s app.
 ## Scope
 - Stage DeviceManagement registration metadata for the edge2 Divoom MiniToo.
 - Stage a separate, disabled-by-default DM Agent executor unit for privileged
  Bluetooth operations once the DM-RPC lane lands.
 - Keep `flowercore-divoom.service` and `flowercore-divoom-bt.service`
  untouched: no service replacement, no restart subscription, no K8s surface.
 - Preserve the current wrapper contract:
  `/opt/flowercore/divoom/bt-link.sh`,
  `/opt/flowercore/divoom/bt-reset.sh`, and
  `/opt/flowercore/divoom/audio-link.sh`.
 - Keep FM radio disabled and require visible render proof; device-info echo is
  not render proof.
 ## Artifact Map
 | Path | Use |
 | --- | --- |
 | `hiera/edge2-divoom-dm-device.overlay.yaml` | Additive Hiera overlay for edge2. Merge into the existing node YAML without removing `fc-pimanager` or `fc-divoom`. |
 | `puppet/profile/pi/service/divoom_dm_device.pp` | Puppet profile shape to vendor into `FlowerCore.Puppet` after the DM-RPC executor binary exists. |
 | `puppet/templates/divoom-device-registration.json.epp` | DM device registration metadata rendered on edge2. |
 | `puppet/templates/flowercore-divoom-dm-agent.service.epp` | Separate DM Agent systemd unit. Defaults are stopped and disabled until a later cutover. |
 ## Rollout Notes
 1. Land these artifacts in bluejay-infra as the deploy contract.
 2. Vendor the Puppet profile and EPP templates into `FlowerCore.Puppet`.
 3. Merge the Hiera overlay into `data/nodes/edge2.iamworkin.lan.yaml`.
 4. Run Puppet in noop first, preferably with a node-local validation directory
   under `~/.fcv` rather than `/tmp`.
 5. Only enable the DM Agent service after the DeviceManagement BT executor has
   landed and passed operator-eyeball render proof.
--- a/apps/fc-divoom-dm-pi-device/hiera/edge2-divoom-dm-device.overlay.yaml
+++ b/apps/fc-divoom-dm-pi-device/hiera/edge2-divoom-dm-device.overlay.yaml
@@ -0,0 +1,32 @@
 ---
 # Merge into FlowerCore.Puppet data/nodes/edge2.iamworkin.lan.yaml.
 # Additive overlay only: keep the existing fc-pimanager version/tarball entry,
 # keep fc-divoom enabled, and do not move Divoom into Kubernetes.
 profile::pi::service::apps:
  fc-pimanager:
    binary: 'FlowerCore.PiManager.Web'
    install_dir: '/opt/fc-pimanager'
    port: 5000
    environment: 'edge2'
    version: '2026.05.28.1646'
    tarball_source: 'puppet:///modules/profile/pi/builds/fc-pimanager.tar.gz'
  fc-divoom:
    enabled: true
 profile::pi::service::divoom_dm_device::ensure: 'present'
 profile::pi::service::divoom_dm_device::service_enabled: false
 profile::pi::service::divoom_dm_device::service_ensure: 'stopped'
 profile::pi::service::divoom_dm_device::device_id: 'edge2-divoom-minitoo'
 profile::pi::service::divoom_dm_device::display_name: 'edge2 Divoom MiniToo'
 profile::pi::service::divoom_dm_device::host_fqdn: 'edge2.iamworkin.lan'
 profile::pi::service::divoom_dm_device::dm_web_url: 'https://devicemgmt.iamworkin.lan'
 profile::pi::service::divoom_dm_device::divoom_install_dir: '/opt/flowercore/divoom'
 profile::pi::service::divoom_dm_device::agent_install_dir: '/opt/flowercore/devicemanagement-agent'
 profile::pi::service::divoom_dm_device::bt_candidate_channels:
  - '1'
  - '10'
 profile::pi::service::divoom_dm_device::default_bt_channel: '1'
 profile::pi::service::divoom_dm_device::a2dp_default_state: 'off'
 profile::pi::service::divoom_dm_device::fm_radio_enabled: false
 profile::pi::service::divoom_dm_device::visible_render_proof_required: true
--- a/apps/fc-divoom-dm-pi-device/puppet/profile/pi/service/divoom_dm_device.pp
+++ b/apps/fc-divoom-dm-pi-device/puppet/profile/pi/service/divoom_dm_device.pp
@@ -0,0 +1,140 @@
 # Drop into FlowerCore.Puppet site-modules/profile/manifests/pi/service/divoom_dm_device.pp.
 # This profile is additive to profile::pi::service::divoom. It must not manage,
 # restart, replace, or subscribe the existing flowercore-divoom.service.
 class profile::pi::service::divoom_dm_device (
  Enum['present', 'absent'] $ensure = 'present',
  Boolean $service_enabled = false,
  Enum['running', 'stopped'] $service_ensure = 'stopped',
  String $service_name = 'flowercore-divoom-dm-agent',
  String $device_id = 'edge2-divoom-minitoo',
  String $display_name = 'edge2 Divoom MiniToo',
  String $host_fqdn = 'edge2.iamworkin.lan',
  String $dm_web_url = 'https://devicemgmt.iamworkin.lan',
  String $divoom_install_dir = '/opt/flowercore/divoom',
  String $agent_install_dir = '/opt/flowercore/devicemanagement-agent',
  String $agent_binary = 'FlowerCore.DeviceManagement.Agent',
  Array[String] $bt_candidate_channels = ['1', '10'],
  String $default_bt_channel = '1',
  Enum['on', 'off'] $a2dp_default_state = 'off',
  Boolean $fm_radio_enabled = false,
  Boolean $visible_render_proof_required = true,
 ) {
  include profile::workstation::safe_account_exclusion
  $safe_account = $profile::workstation::safe_account_exclusion::safe_account
  $config_dir = '/etc/flowercore/device-management/devices'
  $state_dir = '/var/lib/flowercore/divoom-dm-agent'
  $log_dir = '/var/log/flowercore/divoom-dm-agent'
  $registration_path = "${config_dir}/${device_id}.json"
  $agent_binary_path = "${agent_install_dir}/${agent_binary}"
  $bt_channels_json = inline_template('[<%= @bt_candidate_channels.map { |c| "\"#{c}\"" }.join(", ") %>]')
  if $safe_account {
    notify { 'fc-divoom-dm-device safe-account exclusion':
      message => 'SAFE-ACCOUNT-EXCLUSION: Divoom DM Pi device profile refused to apply on operator workstation',
    }
    if $facts['os']['family'] != 'windows' {
      ensure_resource('file', '/var/log/flowercore-audit', {
          'ensure' => 'directory',
          'owner'  => 'root',
          'group'  => 'root',
          'mode'   => '0755',
      })
      file { '/var/log/flowercore-audit/safe-account-noop-fc-divoom-dm-device.log':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => "noop: divoom dm pi device profile refused to apply on safe-account host\n",
        require => File['/var/log/flowercore-audit'],
      }
    }
  } elsif $ensure == 'absent' {
    service { $service_name:
      ensure => stopped,
      enable => false,
    }
    file { [
        "/etc/systemd/system/${service_name}.service",
        $registration_path,
      ]:
      ensure => absent,
    }
    exec { 'fc-divoom-dm-agent-systemd-reload':
      command     => '/usr/bin/systemctl daemon-reload',
      refreshonly => true,
      path        => ['/usr/bin', '/bin'],
    }
  } else {
    case $facts['os']['family'] {
      'Debian': {}
      default: { fail("profile::pi::service::divoom_dm_device only supports Debian-family OS, got ${facts['os']['family']}") }
    }
    file { [$config_dir, $state_dir, $log_dir]:
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0755',
    }
    file { $registration_path:
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => epp('profile/pi/fc_divoom_dm/divoom-device-registration.json.epp', {
        'device_id'                     => $device_id,
        'display_name'                  => $display_name,
        'host_fqdn'                     => $host_fqdn,
        'divoom_install_dir'            => $divoom_install_dir,
        'bt_channels_json'              => $bt_channels_json,
        'default_bt_channel'            => $default_bt_channel,
        'a2dp_default_state'            => $a2dp_default_state,
        'fm_radio_enabled'              => $fm_radio_enabled,
        'visible_render_proof_required' => $visible_render_proof_required,
      }),
      require => File[$config_dir],
    }
    file { "/etc/systemd/system/${service_name}.service":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => epp('profile/pi/fc_divoom_dm/flowercore-divoom-dm-agent.service.epp', {
        'service_name'       => $service_name,
        'device_id'          => $device_id,
        'dm_web_url'         => $dm_web_url,
        'registration_path'  => $registration_path,
        'divoom_install_dir' => $divoom_install_dir,
        'agent_install_dir'  => $agent_install_dir,
        'agent_binary_path'  => $agent_binary_path,
        'state_dir'          => $state_dir,
        'log_dir'            => $log_dir,
      }),
      notify  => Exec['fc-divoom-dm-agent-systemd-reload'],
      require => File[$registration_path],
    }
    exec { 'fc-divoom-dm-agent-systemd-reload':
      command     => '/usr/bin/systemctl daemon-reload',
      refreshonly => true,
      path        => ['/usr/bin', '/bin'],
    }
    service { $service_name:
      ensure  => $service_ensure,
      enable  => $service_enabled,
      require => [
        File["/etc/systemd/system/${service_name}.service"],
        File[$registration_path],
        Exec['fc-divoom-dm-agent-systemd-reload'],
      ],
    }
  }
 }
--- a/apps/fc-divoom-dm-pi-device/puppet/templates/divoom-device-registration.json.epp
+++ b/apps/fc-divoom-dm-pi-device/puppet/templates/divoom-device-registration.json.epp
@@ -0,0 +1,34 @@
 {
  "deviceId": "<%= $device_id %>",
  "displayName": "<%= $display_name %>",
  "hostFqdn": "<%= $host_fqdn %>",
  "kind": "DivoomMiniToo",
  "managedBy": "FlowerCore.DeviceManagement",
  "executionMode": "Pi",
  "transport": {
    "kind": "BluetoothSerial",
    "candidateChannels": <%= $bt_channels_json %>,
    "defaultChannel": "<%= $default_bt_channel %>",
    "deviceInfoIsRenderProof": false,
    "visibleRenderProofRequired": <%= $visible_render_proof_required %>
  },
  "paths": {
    "divoomInstallDir": "<%= $divoom_install_dir %>",
    "btLink": "<%= $divoom_install_dir %>/bt-link.sh",
    "btReset": "<%= $divoom_install_dir %>/bt-reset.sh",
    "audioLink": "<%= $divoom_install_dir %>/audio-link.sh"
  },
  "capabilities": {
    "supportsBluetoothSerial": true,
    "supportsBtChannelRedetect": true,
    "supportsBtHardReset": true,
    "supportsBtAudioProfileSwitch": true,
    "a2dpDefaultState": "<%= $a2dp_default_state %>",
    "fmRadioEnabled": <%= $fm_radio_enabled %>
  },
  "safety": {
    "preserveExistingService": "flowercore-divoom.service",
    "preserveDataDirectory": "<%= $divoom_install_dir %>/data",
    "doNotEnableFmRadio": true
  }
 }
--- a/apps/fc-divoom-dm-pi-device/puppet/templates/flowercore-divoom-dm-agent.service.epp
+++ b/apps/fc-divoom-dm-pi-device/puppet/templates/flowercore-divoom-dm-agent.service.epp
@@ -0,0 +1,36 @@
 [Unit]
 Description=FlowerCore Divoom DM Agent Bluetooth executor
 Documentation=https://github.com/astoltz/FlowerCore.Notes/blob/master/docs/standards/divoom-tv-hdmi-multitarget-render-substrate.md
 Wants=network-online.target
 After=network-online.target bluetooth.service
 Requires=bluetooth.service
 ConditionPathExists=<%= $agent_binary_path %>
 ConditionPathExists=<%= $registration_path %>
 ConditionPathExists=<%= $divoom_install_dir %>/bt-link.sh
 ConditionPathExists=<%= $divoom_install_dir %>/bt-reset.sh
 ConditionPathExists=<%= $divoom_install_dir %>/audio-link.sh
 [Service]
 Type=simple
 User=stoltz
 Group=stoltz
 WorkingDirectory=<%= $agent_install_dir %>
 Environment=DOTNET_CLI_TELEMETRY_OPTOUT=1
 Environment=FLOWERCORE_DM_DEVICE_REGISTRATION=<%= $registration_path %>
 Environment=Divoom__Bluetooth__DeviceInfoIsRenderProof=false
 Environment=Divoom__Bluetooth__VisibleRenderProofRequired=true
 Environment=Divoom__Bluetooth__A2dpDefaultState=off
 ExecStart=<%= $agent_binary_path %> --mode=Pi --device-id=<%= $device_id %> --dm-web-url=<%= $dm_web_url %> --registration=<%= $registration_path %>
 Restart=on-failure
 RestartSec=10s
 StartLimitBurst=3
 StartLimitIntervalSec=300s
 SupplementaryGroups=bluetooth audio dialout
 NoNewPrivileges=true
 PrivateTmp=true
 ProtectSystem=strict
 ProtectHome=true
 ReadWritePaths=<%= $state_dir %> <%= $log_dir %>
 [Install]
 WantedBy=multi-user.target
--- a/apps/fc-divoom-tv-pi/README.md
+++ b/apps/fc-divoom-tv-pi/README.md
@@ -0,0 +1,44 @@
 # FlowerCore Divoom TV Pi HDMI
 Source-controlled deploy shape for the native `FlowerCore.Divoom.Tv`
 Avalonia HDMI renderer on a Raspberry Pi connected to a TV.
 This is a Puppet/systemd appliance bundle, not a Kubernetes application. It
 mirrors the existing `fc-signage-pi-player` pattern: bluejay-infra carries the
 systemd units, scripts, Hiera shape, and Puppet profile source that
 `FlowerCore.Puppet` vendors and installs.
 ## Scope
 - Launch the future `FlowerCore.Divoom.Tv` linux-arm64 self-contained payload
  from `/opt/flowercore/divoom-tv/FlowerCore.Divoom.Tv`.
 - Prefer `cage` as the Wayland fullscreen compositor, with direct app launch as
  a fallback for development images.
 - Restart the app after HDMI hotplug with a 2 second DRM settle delay.
 - Keep all runtime state local: `/var/lib/fc-divoom-tv` and
  `/var/log/fc-divoom-tv`.
 - Avoid CDN/runtime fetches; the app renders the in-house Divoom scene catalog
  locally.
 ## Artifact Map
 | Path | Use |
 | --- | --- |
 | `systemd/flowercore-divoom-tv.service` | Fullscreen Avalonia HDMI app service. |
 | `systemd/flowercore-divoom-tv-hdmi.service` | HDMI hotplug responder service. |
 | `systemd/99-flowercore-divoom-tv-hdmi.rules` | DRM udev hotplug rule. |
 | `scripts/flowercore-divoom-tv-prelaunch.sh` | Preflight checks and local directory creation. |
 | `scripts/flowercore-divoom-tv-launch.sh` | Cage-first fullscreen launcher. |
 | `scripts/flowercore-divoom-tv-hdmi-respond.sh` | Hotplug settle and restart script. |
 | `puppet/profile/pi/service/divoom_tv.pp` | Puppet profile shape to vendor into `FlowerCore.Puppet`. |
 | `hiera/example-divoom-tv-pi.iamworkin.lan.yaml` | Example node Hiera for a Divoom TV Pi. |
 ## Rollout Notes
 1. Build `FlowerCore.Divoom.Tv` with `dotnet.exe publish -c Release -r linux-arm64 --self-contained`.
 2. Stage the payload to `/opt/flowercore/divoom-tv/` through the standard noc1
   jump path and avoid `/tmp` for unprivileged Pi scratch.
 3. Vendor the profile and static files into `FlowerCore.Puppet`.
 4. Run Puppet noop, then apply on the target Pi.
 5. Prove deployment with `systemctl is-active flowercore-divoom-tv.service`,
   journal lines showing frames presented, and a visible HDMI display check.
--- a/apps/fc-divoom-tv-pi/hiera/example-divoom-tv-pi.iamworkin.lan.yaml
+++ b/apps/fc-divoom-tv-pi/hiera/example-divoom-tv-pi.iamworkin.lan.yaml
@@ -0,0 +1,19 @@
 ---
 # Example node data for a dedicated Pi -> HDMI -> TV Divoom renderer.
 # Copy into FlowerCore.Puppet data/nodes/<hostname>.iamworkin.lan.yaml only
 # after the Pi has a static DHCP/DNS entry and the linux-arm64 payload exists.
 facts:
  role: pi_prototype
 profile::motd::role: 'Divoom TV HDMI Renderer'
 profile::pi::service::divoom_tv::ensure: 'present'
 profile::pi::service::divoom_tv::service_enabled: true
 profile::pi::service::divoom_tv::service_ensure: 'running'
 profile::pi::service::divoom_tv::install_dir: '/opt/flowercore/divoom-tv'
 profile::pi::service::divoom_tv::state_dir: '/var/lib/fc-divoom-tv'
 profile::pi::service::divoom_tv::log_dir: '/var/log/fc-divoom-tv'
 profile::pi::service::divoom_tv::presentation_mode: 'PillarboxSquare'
 profile::pi::service::divoom_tv::startup_scene: 'bluejay-clock'
 profile::pi::service::divoom_tv::reduced_motion: false
--- a/apps/fc-divoom-tv-pi/puppet/profile/pi/service/divoom_tv.pp
+++ b/apps/fc-divoom-tv-pi/puppet/profile/pi/service/divoom_tv.pp
@@ -0,0 +1,149 @@
 # Drop into FlowerCore.Puppet site-modules/profile/manifests/pi/service/divoom_tv.pp.
 # Static files come from profile/pi/fc_divoom_tv/ after this bluejay-infra
 # bundle is vendored into the Puppet control repo.
 class profile::pi::service::divoom_tv (
  Enum['present', 'absent'] $ensure = 'present',
  Boolean $service_enabled = false,
  Enum['running', 'stopped'] $service_ensure = 'stopped',
  String $service_name = 'flowercore-divoom-tv',
  String $user = 'fc-divoom-tv',
  String $group = 'fc-divoom-tv',
  String $install_dir = '/opt/flowercore/divoom-tv',
  String $state_dir = '/var/lib/fc-divoom-tv',
  String $log_dir = '/var/log/fc-divoom-tv',
  String $presentation_mode = 'PillarboxSquare',
  String $startup_scene = 'bluejay-clock',
  Boolean $reduced_motion = false,
 ) {
  include profile::workstation::safe_account_exclusion
  $safe_account = $profile::workstation::safe_account_exclusion::safe_account
  if $safe_account {
    notify { 'fc-divoom-tv safe-account exclusion':
      message => 'SAFE-ACCOUNT-EXCLUSION: Divoom TV Pi profile refused to apply on operator workstation',
    }
  } elsif $ensure == 'absent' {
    service { $service_name:
      ensure => stopped,
      enable => false,
    }
    file { [
        "/etc/systemd/system/${service_name}.service",
        "/etc/systemd/system/${service_name}-hdmi.service",
        '/etc/udev/rules.d/99-flowercore-divoom-tv-hdmi.rules',
        '/usr/local/bin/flowercore-divoom-tv-prelaunch.sh',
        '/usr/local/bin/flowercore-divoom-tv-launch.sh',
        '/usr/local/bin/flowercore-divoom-tv-hdmi-respond.sh',
        '/etc/flowercore/divoom-tv.env',
      ]:
      ensure => absent,
    }
  } else {
    case $facts['os']['family'] {
      'Debian': {}
      default: { fail("profile::pi::service::divoom_tv only supports Debian-family OS, got ${facts['os']['family']}") }
    }
    package { ['cage', 'libgbm1', 'libdrm2', 'libxkbcommon0', 'fonts-dejavu-core']:
      ensure => installed,
    }
    group { $group:
      ensure => present,
      system => true,
    }
    user { $user:
      ensure     => present,
      system     => true,
      gid        => $group,
      home       => $state_dir,
      managehome => false,
      shell      => '/usr/sbin/nologin',
      require    => Group[$group],
    }
    file { [$install_dir, $state_dir, $log_dir, '/etc/flowercore']:
      ensure => directory,
      owner  => $user,
      group  => $group,
      mode   => '0755',
    }
    file { '/etc/flowercore/divoom-tv.env':
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => "FC_DIVOOM_TV_PRESENTATION_MODE=${presentation_mode}\nFC_DIVOOM_TV_START_SCENE=${startup_scene}\nFC_DIVOOM_TV_REDUCED_MOTION=${reduced_motion}\n",
      require => File['/etc/flowercore'],
    }
    $script_map = {
      '/usr/local/bin/flowercore-divoom-tv-prelaunch.sh'    => 'profile/pi/fc_divoom_tv/flowercore-divoom-tv-prelaunch.sh',
      '/usr/local/bin/flowercore-divoom-tv-launch.sh'       => 'profile/pi/fc_divoom_tv/flowercore-divoom-tv-launch.sh',
      '/usr/local/bin/flowercore-divoom-tv-hdmi-respond.sh' => 'profile/pi/fc_divoom_tv/flowercore-divoom-tv-hdmi-respond.sh',
    }
    $script_map.each |$dest, $src| {
      file { $dest:
        ensure => file,
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
        source => "puppet:///modules/${src}",
      }
    }
    $unit_map = {
      "/etc/systemd/system/${service_name}.service"      => 'profile/pi/fc_divoom_tv/flowercore-divoom-tv.service',
      "/etc/systemd/system/${service_name}-hdmi.service" => 'profile/pi/fc_divoom_tv/flowercore-divoom-tv-hdmi.service',
    }
    $unit_map.each |$dest, $src| {
      file { $dest:
        ensure => file,
        owner  => 'root',
        group  => 'root',
        mode   => '0644',
        source => "puppet:///modules/${src}",
        notify => Exec['fc-divoom-tv-systemd-reload'],
      }
    }
    file { '/etc/udev/rules.d/99-flowercore-divoom-tv-hdmi.rules':
      ensure => file,
      owner  => 'root',
      group  => 'root',
      mode   => '0644',
      source => 'puppet:///modules/profile/pi/fc_divoom_tv/99-flowercore-divoom-tv-hdmi.rules',
      notify => Exec['fc-divoom-tv-udev-reload'],
    }
    exec { 'fc-divoom-tv-systemd-reload':
      command     => '/usr/bin/systemctl daemon-reload',
      refreshonly => true,
      path        => ['/usr/bin', '/bin'],
    }
    exec { 'fc-divoom-tv-udev-reload':
      command     => '/usr/bin/udevadm control --reload-rules',
      refreshonly => true,
      path        => ['/usr/bin', '/bin'],
    }
    service { $service_name:
      ensure  => $service_ensure,
      enable  => $service_enabled,
      require => [
        File["/etc/systemd/system/${service_name}.service"],
        File['/etc/flowercore/divoom-tv.env'],
        File['/usr/local/bin/flowercore-divoom-tv-prelaunch.sh'],
        File['/usr/local/bin/flowercore-divoom-tv-launch.sh'],
        Exec['fc-divoom-tv-systemd-reload'],
      ],
    }
  }
 }
--- a/apps/fc-divoom-tv-pi/scripts/flowercore-divoom-tv-hdmi-respond.sh
+++ b/apps/fc-divoom-tv-pi/scripts/flowercore-divoom-tv-hdmi-respond.sh
@@ -0,0 +1,5 @@
 #!/usr/bin/env bash
 set -euo pipefail
 sleep 2
 systemctl restart flowercore-divoom-tv.service
--- a/apps/fc-divoom-tv-pi/scripts/flowercore-divoom-tv-launch.sh
+++ b/apps/fc-divoom-tv-pi/scripts/flowercore-divoom-tv-launch.sh
@@ -0,0 +1,25 @@
 #!/usr/bin/env bash
 set -euo pipefail
 APP_BIN="${FC_DIVOOM_TV_BIN:-/opt/flowercore/divoom-tv/FlowerCore.Divoom.Tv}"
 STATE_DIR="${FC_DIVOOM_TV_STATE_DIR:-/var/lib/fc-divoom-tv}"
 LOG_DIR="${FC_DIVOOM_TV_LOG_DIR:-/var/log/fc-divoom-tv}"
 PRESENTATION_MODE="${FC_DIVOOM_TV_PRESENTATION_MODE:-PillarboxSquare}"
 START_SCENE="${FC_DIVOOM_TV_START_SCENE:-bluejay-clock}"
 REDUCED_MOTION="${FC_DIVOOM_TV_REDUCED_MOTION:-false}"
 COMMON_ARGS=(
  "--target=hdmi"
  "--presentation-mode=${PRESENTATION_MODE}"
  "--startup-scene=${START_SCENE}"
  "--reduced-motion=${REDUCED_MOTION}"
  "--state-dir=${STATE_DIR}"
  "--log-dir=${LOG_DIR}"
 )
 if command -v cage >/dev/null 2>&1; then
  exec cage -- "${APP_BIN}" "${COMMON_ARGS[@]}" "$@"
 fi
 echo "[$(date -Is)] cage not found; launching FlowerCore.Divoom.Tv directly" >&2
 exec "${APP_BIN}" "${COMMON_ARGS[@]}" "$@"
--- a/apps/fc-divoom-tv-pi/scripts/flowercore-divoom-tv-prelaunch.sh
+++ b/apps/fc-divoom-tv-pi/scripts/flowercore-divoom-tv-prelaunch.sh
@@ -0,0 +1,23 @@
 #!/usr/bin/env bash
 set -euo pipefail
 APP_BIN="${FC_DIVOOM_TV_BIN:-/opt/flowercore/divoom-tv/FlowerCore.Divoom.Tv}"
 STATE_DIR="${FC_DIVOOM_TV_STATE_DIR:-/var/lib/fc-divoom-tv}"
 LOG_DIR="${FC_DIVOOM_TV_LOG_DIR:-/var/log/fc-divoom-tv}"
 mkdir -p "${STATE_DIR}" "${LOG_DIR}"
 if [[ ! -x "${APP_BIN}" ]]; then
  echo "[$(date -Is)] missing executable ${APP_BIN}" >&2
  exit 1
 fi
 if [[ -d /sys/class/drm ]] && ! find /sys/class/drm -maxdepth 1 -name 'card*-HDMI-A-*' -print -quit | grep -q .; then
  echo "[$(date -Is)] no HDMI connector visible yet; continuing so the app can wait for display" >&2
 fi
 if command -v cage >/dev/null 2>&1; then
  echo "[$(date -Is)] cage available for fullscreen Wayland launch"
 else
  echo "[$(date -Is)] cage not installed; direct launch fallback will be used" >&2
 fi
--- a/apps/fc-divoom-tv-pi/systemd/99-flowercore-divoom-tv-hdmi.rules
+++ b/apps/fc-divoom-tv-pi/systemd/99-flowercore-divoom-tv-hdmi.rules
@@ -0,0 +1,2 @@
 # Settle DRM for 2s before restarting the fullscreen Avalonia renderer.
 SUBSYSTEM=="drm", KERNEL=="card?-HDMI-A-?", ACTION=="change", RUN+="/usr/bin/systemctl start flowercore-divoom-tv-hdmi.service"
--- a/apps/fc-divoom-tv-pi/systemd/flowercore-divoom-tv-hdmi.service
+++ b/apps/fc-divoom-tv-pi/systemd/flowercore-divoom-tv-hdmi.service
@@ -0,0 +1,7 @@
 [Unit]
 Description=FlowerCore Divoom TV HDMI hotplug responder
 DefaultDependencies=no
 [Service]
 Type=oneshot
 ExecStart=/usr/local/bin/flowercore-divoom-tv-hdmi-respond.sh
--- a/apps/fc-divoom-tv-pi/systemd/flowercore-divoom-tv.service
+++ b/apps/fc-divoom-tv-pi/systemd/flowercore-divoom-tv.service
@@ -0,0 +1,40 @@
 [Unit]
 Description=FlowerCore Divoom TV HDMI Renderer (Avalonia fullscreen)
 Documentation=https://github.com/astoltz/FlowerCore.Notes/blob/master/docs/standards/divoom-tv-hdmi-multitarget-render-substrate.md
 Wants=network-online.target
 After=network-online.target systemd-user-sessions.service
 ConditionPathExists=/opt/flowercore/divoom-tv/FlowerCore.Divoom.Tv
 [Service]
 Type=simple
 User=fc-divoom-tv
 Group=fc-divoom-tv
 WorkingDirectory=/opt/flowercore/divoom-tv
 EnvironmentFile=-/etc/flowercore/divoom-tv.env
 Environment=DOTNET_CLI_TELEMETRY_OPTOUT=1
 Environment=XDG_RUNTIME_DIR=/run/fc-divoom-tv
 RuntimeDirectory=fc-divoom-tv
 RuntimeDirectoryMode=0700
 ExecStartPre=/usr/local/bin/flowercore-divoom-tv-prelaunch.sh
 ExecStart=/usr/local/bin/flowercore-divoom-tv-launch.sh
 Restart=always
 RestartSec=10s
 StartLimitBurst=5
 StartLimitIntervalSec=300s
 MemoryMax=2G
 MemoryHigh=1500M
 PrivateTmp=true
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true
 ReadWritePaths=/var/lib/fc-divoom-tv /var/log/fc-divoom-tv /run/fc-divoom-tv
 TTYPath=/dev/tty1
 StandardInput=tty
 StandardOutput=journal
 StandardError=journal
 TTYReset=yes
 TTYVHangup=yes
 TTYVTDisallocate=yes
 [Install]
 WantedBy=graphical.target
--- a/apps/fc-dms/fc-dms.yaml
+++ b/apps/fc-dms/fc-dms.yaml
@@ -30,3 +30,26 @@ spec:
          port: 80
  tls:
    secretName: dms-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose dms-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: dms-web-public
 #   namespace: fc-dms
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`dms.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: dms-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: dms-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-dns/fc-dns.yaml
+++ b/apps/fc-dns/fc-dns.yaml
@@ -0,0 +1,481 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: fc-dns
  labels:
    app.kubernetes.io/part-of: flowercore
 ---
 # 1Password-backed Secret for the pfSense admin password.
 # The operator watches this CRD, resolves the vault item, and produces a
 # K8s Secret of the same name with each 1P field as a key. The `password`
 # field of the "pfSense Admin" item becomes Secret key `password`.
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: pfsense-admin
  namespace: fc-dns
 spec:
  itemPath: "vaults/IAmWorkin/items/pfSense Admin"
 ---
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: dns-oidc-client
  namespace: fc-dns
 spec:
  itemPath: "vaults/IAmWorkin/items/dns-oidc-client"
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: dns-web-data
  namespace: fc-dns
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: longhorn
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: dns-web-config
  namespace: fc-dns
 data:
  appsettings.Production.json: |
    {
        "FlowerCore": {
        "Auth": {
          "Enabled": false,
          "Oidc": {
            "Enabled": true,
            "Audience": "dns",
            "RequireHttpsMetadata": true
          }
        },
        "Database": {
          "Provider": "Sqlite",
          "ConnectionStrings": {
            "Sqlite": "Data Source=/data/dns.db"
          }
        },
        "Tenant": {
          "DefaultTenantId": "default",
          "JwtClaimsEnabled": false,
          "DefaultTenantHosts": [
            "dns.iamworkin.lan"
          ]
        },
        "Audit": {
          "HashChain": {
            "BridgeSensitivity": {
              "Distribution": "Warn"
            }
          }
        }
      }
    }
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: dns-web
  namespace: fc-dns
  labels:
    app.kubernetes.io/name: dns-web
    app.kubernetes.io/managed-by: flowercore
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: dns-web
  template:
    metadata:
      labels:
        app.kubernetes.io/name: dns-web
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "5320"
        prometheus.io/path: "/metrics/prometheus"
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      serviceAccountName: dns-web
      securityContext:
        runAsNonRoot: true
        runAsUser: 1654
        runAsGroup: 1654
        fsGroup: 1654
      containers:
        - name: dns-web
          image: localhost/fc-dns-web:v20260614-wave5-isolation-6124856
          imagePullPolicy: Never
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
          ports:
            - containerPort: 5320
          env:
            # pfSense admin password resolved by the 1Password operator.
            # `FallbackPassword` is the Slice A seam exposed by
            # OptionsFallbackPasswordResolver; Slice B will replace it with
            # a pull-at-runtime 1P Connect resolver once Shared.Vault ships.
            - name: FlowerCore__Dns__Providers__PfSenseUnbound__FallbackPassword
              valueFrom:
                secretKeyRef:
                  name: pfsense-admin
                  key: password
            - name: FlowerCore__Auth__Oidc__Authority
              valueFrom:
                secretKeyRef:
                  name: dns-oidc-client
                  key: issuer_url
                  optional: true
            - name: FlowerCore__Auth__Oidc__ClientId
              valueFrom:
                secretKeyRef:
                  name: dns-oidc-client
                  key: client_id
                  optional: true
            - name: FlowerCore__Auth__Oidc__ClientSecret
              valueFrom:
                secretKeyRef:
                  name: dns-oidc-client
                  key: client_secret
                  optional: true
            - name: FlowerCore__Auth__Enabled
              value: "false"
            - name: FlowerCore__Auth__Oidc__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Audience
              value: "dns"
          volumeMounts:
            - name: data
              mountPath: /data
            - name: tmp
              mountPath: /tmp
            - name: logs
              mountPath: /app/logs
            - name: config
              mountPath: /app/appsettings.Production.json
              subPath: appsettings.Production.json
              readOnly: true
          resources:
            requests:
              cpu: 50m
              memory: 96Mi
            limits:
              cpu: 300m
              memory: 384Mi
          readinessProbe:
            httpGet:
              path: /healthz
              port: 5320
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /healthz
              port: 5320
            initialDelaySeconds: 20
            periodSeconds: 30
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: dns-web-data
        - name: tmp
          emptyDir: {}
        - name: logs
          emptyDir: {}
        - name: config
          configMap:
            name: dns-web-config
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: dns-web
  namespace: fc-dns
 spec:
  selector:
    app.kubernetes.io/name: dns-web
  ports:
    - port: 5320
      targetPort: 5320
  type: ClusterIP
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: dns-web
  namespace: fc-dns
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: dns-web
 rules:
  - apiGroups: [""]
    resources: ["namespaces", "pods", "services", "secrets", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: dns-web
 subjects:
  - kind: ServiceAccount
    name: dns-web
    namespace: fc-dns
 roleRef:
  kind: ClusterRole
  name: dns-web
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: dns-web-cert
  namespace: fc-dns
 spec:
  secretName: dns-web-tls
  issuerRef:
    name: step-ca-dns01
    kind: ClusterIssuer
  dnsNames:
    - dns.iamworkin.lan
  duration: 720h
  renewBefore: 240h
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: dns-web
  namespace: fc-dns
 spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`dns.iamworkin.lan`)
      kind: Rule
      services:
        - name: dns-web
          port: 5320
  tls:
    secretName: dns-web-tls
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: dns-acme-webhook
  namespace: fc-dns
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: dns-acme-webhook
  namespace: fc-dns
  labels:
    app.kubernetes.io/name: dns-acme-webhook
    app.kubernetes.io/managed-by: flowercore
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: dns-acme-webhook
  template:
    metadata:
      labels:
        app.kubernetes.io/name: dns-acme-webhook
    spec:
      serviceAccountName: dns-acme-webhook
      securityContext:
        runAsNonRoot: true
        runAsUser: 1654
        runAsGroup: 1654
        fsGroup: 1654
      containers:
        - name: dns-acme-webhook
          image: localhost/fc-dns-acme-webhook:v20260614-wave5-isolation-6124856
          imagePullPolicy: Never
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
          ports:
            - containerPort: 9443
              name: https
          env:
            - name: ASPNETCORE_URLS
              value: https://+:9443
            - name: Kestrel__Certificates__Default__Path
              value: /tls/tls.crt
            - name: Kestrel__Certificates__Default__KeyPath
              value: /tls/tls.key
            - name: FlowerCore__Dns__AcmeWebhook__ServiceBaseUrl
              value: http://dns-web:5320
            - name: FlowerCore__Dns__AcmeWebhook__GroupName
              value: acme.flowercore.io
            - name: FlowerCore__Dns__AcmeWebhook__SolverName
              value: flowercore-dns
            - name: FlowerCore__Dns__AcmeWebhook__Version
              value: v1alpha1
          volumeMounts:
            - name: tls
              mountPath: /tls
              readOnly: true
            - name: tmp
              mountPath: /tmp
            - name: logs
              mountPath: /app/logs
          resources:
            requests:
              cpu: 25m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 256Mi
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /readyz
              port: https
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
            initialDelaySeconds: 10
            periodSeconds: 20
            timeoutSeconds: 5
      volumes:
        - name: tls
          secret:
            secretName: dns-acme-webhook-tls
        - name: tmp
          emptyDir: {}
        - name: logs
          emptyDir: {}
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: dns-acme-webhook
  namespace: fc-dns
 spec:
  selector:
    app.kubernetes.io/name: dns-acme-webhook
  ports:
    - port: 443
      targetPort: https
      name: https
  type: ClusterIP
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: dns-acme-webhook-selfsigned
  namespace: fc-dns
 spec:
  selfSigned: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: dns-acme-webhook-ca
  namespace: fc-dns
 spec:
  secretName: dns-acme-webhook-ca
  duration: 43800h
  issuerRef:
    name: dns-acme-webhook-selfsigned
  commonName: ca.dns-acme-webhook.fc-dns
  isCA: true
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: dns-acme-webhook-ca-issuer
  namespace: fc-dns
 spec:
  ca:
    secretName: dns-acme-webhook-ca
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: dns-acme-webhook-serving-cert
  namespace: fc-dns
 spec:
  secretName: dns-acme-webhook-tls
  duration: 8760h
  issuerRef:
    name: dns-acme-webhook-ca-issuer
  dnsNames:
    - dns-acme-webhook
    - dns-acme-webhook.fc-dns
    - dns-acme-webhook.fc-dns.svc
 ---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
  name: v1alpha1.acme.flowercore.io
  annotations:
    cert-manager.io/inject-ca-from: fc-dns/dns-acme-webhook-serving-cert
 spec:
  group: acme.flowercore.io
  groupPriorityMinimum: 1000
  service:
    name: dns-acme-webhook
    namespace: fc-dns
  version: v1alpha1
  versionPriority: 15
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: dns-acme-webhook-solver
 rules:
  - apiGroups: ["acme.flowercore.io"]
    resources: ["flowercore-dns"]
    verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: dns-acme-webhook-solver
 subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
 roleRef:
  kind: ClusterRole
  name: dns-acme-webhook-solver
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: step-ca-dns01
 spec:
  acme:
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lSQVBZMzU3RzZvdzZ6TUFMNSs0YlMya2t3Q2dZSUtvWkl6ajBFQXdJd1FERWEKTUJnR0ExVUVDaE1SU1VGdFYyOXlhMmx1SUVGRFRVVWdRMEV4SWpBZ0JnTlZCQU1UR1VsQmJWZHZjbXRwYmlCQgpRMDFGSUVOQklGSnZiM1FnUTBFd0hoY05Nall3TXpBNE1UZ3dOekV4V2hjTk16WXdNekExTVRnd056RXhXakJBCk1Sb3dHQVlEVlFRS0V4RkpRVzFYYjNKcmFXNGdRVU5OUlNCRFFURWlNQ0FHQTFVRUF4TVpTVUZ0VjI5eWEybHUKSUVGRFRVVWdRMEVnVW05dmRDQkRRVEJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCSjJuMDRYMQpKWm81WmRxL2kxSWR2OCtmcXdaeUF6Qmg3d2hicWowU1dzSkw4VVdSYWJDTXFZQ3M3K2RYTzB4UlN6cWt3RkRMCngrdm9vT2FpOFJnUk5oYWpSVEJETUE0R0ExVWREd0VCL3dRRUF3SUJCakFTQmdOVkhSTUJBZjhFQ0RBR0FRSC8KQWdFQk1CMEdBMVVkRGdRV0JCUm51UFBRUjZpTS9INnZPbHVpVTNTeWdheXo4akFLQmdncWhrak9QUVFEQWdOSQpBREJGQWlFQXJRSzlkWVBHbUFac2RZbmp6aXVGVlZFNU5LWlVjY2VZdkdmR0MrdExYVXNDSUF1ZEYyekpyQ1JxCjNtSzUwWlpFVC9md1RrSndpRUY0ODI0bWpQOHAxQ0tNCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    privateKeySecretRef:
      name: step-ca-dns01-account-key
    server: https://10.0.56.10:9443/acme/acme/directory
    solvers:
      - dns01:
          webhook:
            groupName: acme.flowercore.io
            solverName: flowercore-dns
--- a/apps/fc-dns/kustomization.yaml
+++ b/apps/fc-dns/kustomization.yaml
@@ -0,0 +1,6 @@
 # ArgoCD's bluejay-infra ApplicationSet discovers apps/* directories on main.
 # The kustomization is included for local previews and single-app validation.
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - fc-dns.yaml
--- a/apps/fc-library/fc-library.yaml
+++ b/apps/fc-library/fc-library.yaml
@@ -0,0 +1,195 @@
 # FlowerCore.Library.Web GitOps adoption manifest.
 #
 # Authored from the already-live fc-library resources on 2026-06-04.
 # Keep the live image tag, Service ClusterIP, and PVC volumeName unchanged so
 # ArgoCD adopts in place instead of replacing the workload or data volume.
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: library-web-data
  namespace: fc-library
  labels:
    app.kubernetes.io/name: library-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-library
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: longhorn
  volumeMode: Filesystem
  volumeName: pvc-2690bae2-4ee0-417a-b95f-50ec5c632b63
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: library-web
  namespace: fc-library
  labels:
    app.kubernetes.io/name: library-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-library
 spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: library-web
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/health"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/name: library-web
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: library-web-config
          image: localhost/fc-library-web:v20260614-regroup-f20adc1
          imagePullPolicy: Never
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /health
              port: 5000
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          name: library-web
          ports:
            - containerPort: 5000
              name: http
              protocol: TCP
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /health
              port: 5000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /data
              name: data
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: library-web-data
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: library-web
  namespace: fc-library
  labels:
    app.kubernetes.io/name: library-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-library
 spec:
  clusterIP: 10.43.179.63
  clusterIPs:
    - 10.43.179.63
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 5000
  selector:
    app.kubernetes.io/name: library-web
  sessionAffinity: None
  type: ClusterIP
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: library-web-tls
  namespace: fc-library
  labels:
    app.kubernetes.io/name: library-web-tls
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-library
 spec:
  dnsNames:
    - library.iamworkin.lan
  issuerRef:
    kind: ClusterIssuer
    name: step-ca-acme
  secretName: library-web-tls
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: library-web
  namespace: fc-library
  labels:
    app.kubernetes.io/name: library-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-library
 spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`library.iamworkin.lan`)
      services:
        - name: library-web
          port: 80
  tls:
    secretName: library-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose library-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: library-web-public
 #   namespace: fc-library
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`library.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: library-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: library-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-llm-bridge/fc-llm-bridge.yaml
+++ b/apps/fc-llm-bridge/fc-llm-bridge.yaml
@@ -83,10 +83,26 @@ spec:
        app.kubernetes.io/name: fc-llm-bridge
        app.kubernetes.io/part-of: flowercore
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
    spec:
      # Use an explicit DNS policy so external FQDNs like api.anthropic.com are
      # resolved directly instead of being expanded through the cluster search
      # path that includes iamworkin.lan.
      dnsPolicy: None
      dnsConfig:
        nameservers:
          - 10.43.0.10
        searches:
          - fc-llm-bridge.svc.cluster.local
          - svc.cluster.local
          - cluster.local
        options:
          - name: ndots
            value: "2"
      securityContext:
        fsGroup: 1654
        fsGroupChangePolicy: OnRootMismatch
@@ -97,11 +113,12 @@ spec:
          #   dotnet.exe publish -c Release -o deploy/app \
          #     src/FlowerCore.LlmBridge.Web/FlowerCore.LlmBridge.Web.csproj
          #   podman build -t localhost/fc-llm-bridge:v<tag> -f deploy/Dockerfile.deploy deploy
-          image: localhost/fc-llm-bridge:v202604292028
+          image: localhost/fc-llm-bridge:v202604300022
          imagePullPolicy: Never
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
@@ -147,11 +164,33 @@ spec:
                  name: fc-llm-bridge-api-keys
                  key: spare-2
                  optional: true
-            # Shared.Chat — Ollama (edge1 Pi 5 + AI HAT+, matches bridge default)
+            # Shared.Chat — GX10 Ollama via the INFRA-VLAN NodePort (10.0.56.14:30976),
            # NOT the PROD-VLAN MetalLB VIP (10.0.57.201:11434). The cross-VLAN path to
            # the VIP MTU-black-holes LARGE requests: Agent Zero's full prompt (458-line
            # system prompt + 108 MCP tool descriptions ~150KB) times out / resets mid-
            # stream there ("Connection reset by peer" in OllamaClient.ChatStreamAsync),
            # which made AZ loop on "you have sent the same message again". The NodePort is
            # same-VLAN as the old cluster (no inter-VLAN hop) and carries 150KB fine.
            # (Small chat/embed requests still work on the VIP; only big agentic prompts broke.)
            - name: FlowerCore__Chat__OllamaBaseUrl
-              value: "http://10.0.57.17:11434"
+              value: "http://10.0.56.14:30976"
            - name: FlowerCore__Chat__HttpTimeout
              value: "00:05:00"
            # Tier routing override (Wiring A, 2026-06-14): repoint Agent Zero's
            # chat (Balanced) + util (Cheap) tiers to the GX10's tool-capable
            # local qwen2.5. Balanced was Anthropic Sonnet (cloud/cost, and the
            # Anthropic key is currently 401); Cheap was gemma3:4b which CANNOT
            # call tools (400 does not support tools) — fatal for an agentic loop.
            # qwen2.5 instruct supports the tool-calling loop; GX10 has the memory.
            # OllamaBaseUrl above points at the GX10 NodePort (10.0.56.14:30976).
            - name: FlowerCore__Chat__ModelRouter__DefaultRoutes__Balanced__Provider
              value: "Ollama"
            - name: FlowerCore__Chat__ModelRouter__DefaultRoutes__Balanced__Model
              value: "qwen2.5:14b"
            - name: FlowerCore__Chat__ModelRouter__DefaultRoutes__Cheap__Provider
              value: "Ollama"
            - name: FlowerCore__Chat__ModelRouter__DefaultRoutes__Cheap__Model
              value: "qwen2.5:7b"
            # Shared.Chat — Anthropic
            - name: FlowerCore__Chat__Anthropic__Enabled
              value: "true"
@@ -211,17 +250,6 @@ spec:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 30
      # Lower ndots so external FQDNs like api.anthropic.com are tried BEFORE
      # the ndots:5 default expands them through the cluster search path, which
      # includes iamworkin.lan. CoreDNS has a `template IN A iamworkin.lan`
      # wildcard that answers `api.anthropic.com.iamworkin.lan` with the
      # Traefik VIP, which then serves a TRAEFIK-DEFAULT-CERT TLS cert and
      # breaks egress to the real Anthropic API (memory:
      # feedback_coredns_ndots_template_collision, generalized to external DNS).
      dnsConfig:
        options:
          - name: ndots
            value: "2"
      volumes:
        - name: data
          persistentVolumeClaim:
@@ -278,3 +306,26 @@ spec:
          port: 8080
  tls:
    secretName: fc-llm-bridge-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose fc-llm-bridge publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: fc-llm-bridge-public
 #   namespace: fc-llm-bridge
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`llm-bridge.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: fc-llm-bridge-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: fc-llm-bridge
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-media/fc-media.yaml
+++ b/apps/fc-media/fc-media.yaml
@@ -0,0 +1,296 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: fc-media
  labels:
    app.kubernetes.io/name: fc-media
    app.kubernetes.io/part-of: flowercore
 ---
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: media-oidc-client
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 spec:
  itemPath: "vaults/IAmWorkin/items/media-oidc-client"
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: fc-media-config
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 data:
  appsettings.Production.json: |
    {
      "DatabaseProvider": "Sqlite",
      "ConnectionStrings": {
        "Sqlite": "Data Source=/data/media.db"
      },
      "FlowerCore": {
        "Auth": {
          "Enabled": true,
          "Oidc": {
            "Authority": "https://id.iamworkin.lan/application/o/media/",
            "ClientId": "media",
            "ClientSecret": "",
            "Audience": "media",
            "RequireHttpsMetadata": true
          }
        },
        "Tenant": {
          "JwtClaimsEnabled": false,
          "DefaultTenantHosts": [ "media.iamworkin.lan" ]
        }
      },
      "Media": {
        "LibraryRoot": "/media/library",
        "Sources": [
          {
            "Name": "BlueJayNAS Video",
            "Driver": "Nfs",
            "MountedPath": "/media/library",
            "RemotePath": "nfs://10.0.58.3/volume1/video",
            "IsEnabled": true,
            "IsDefault": true,
            "Notes": "Synology NFS media share mounted read-only inside the cluster."
          }
        ],
        "GeneratedRoot": "/data/generated",
        "TranscodeRoot": "/data/transcodes",
        "InboxPath": "/media/inbox",
        "InboxScanIntervalMinutes": 5,
        "ScanOnStartup": false,
        "ComputeChecksums": false,
        "FfmpegCommand": "ffmpeg",
        "FfprobeCommand": "ffprobe",
        "Hls": {
          "MaxConcurrentJobs": 1
        },
        "DefaultViewerName": "BlueJay",
        "Dlna": {
          "IsEnabled": true,
          "MulticastAddress": "239.255.255.250",
          "Port": 1900,
          "DiscoveryTimeoutSeconds": 2,
          "DescriptionFetchTimeoutSeconds": 2,
          "MaxResponsesPerSearchTarget": 32,
          "SearchTargets": [
            "urn:schemas-upnp-org:device:MediaRenderer:1",
            "urn:schemas-upnp-org:device:MediaServer:1"
          ]
        }
      }
    }
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: fc-media-data
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: longhorn
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: fc-media-web
  namespace: fc-media
  labels:
    app: fc-media-web
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: fc-media-web
  template:
    metadata:
      labels:
        app: fc-media-web
        app.kubernetes.io/name: fc-media-web
        app.kubernetes.io/part-of: flowercore
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "5200"
        prometheus.io/path: "/metrics"
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      nodeSelector:
        kubernetes.io/hostname: rke2-server
      containers:
        - name: fc-media-web
          image: localhost/fc-media-web:v20260604-oidc-proper
          imagePullPolicy: Never
          ports:
            - containerPort: 5200
              name: http
          env:
            - name: ASPNETCORE_ENVIRONMENT
              value: Production
            - name: ASPNETCORE_URLS
              value: http://+:5200
            - name: FlowerCore__Auth__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Audience
              value: "media"
            - name: FlowerCore__Auth__Oidc__ClientId
              valueFrom:
                secretKeyRef:
                  name: media-oidc-client
                  key: client_id
                  optional: true
            - name: FlowerCore__Auth__Oidc__ClientSecret
              valueFrom:
                secretKeyRef:
                  name: media-oidc-client
                  key: client_secret
                  optional: true
            - name: FlowerCore__Auth__Oidc__Authority
              valueFrom:
                secretKeyRef:
                  name: media-oidc-client
                  key: issuer_url
                  optional: true
          resources:
            requests:
              cpu: 500m
              memory: 1Gi
            limits:
              cpu: "4"
              memory: 4Gi
          volumeMounts:
            - name: config
              mountPath: /app/appsettings.Production.json
              subPath: appsettings.Production.json
              readOnly: true
            - name: data
              mountPath: /data
            - name: transcodes
              mountPath: /data/transcodes
            - name: media-library
              mountPath: /media/library
              readOnly: true
            - name: media-inbox
              mountPath: /media/inbox
          startupProbe:
            httpGet:
              path: /healthz
              port: 5200
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            failureThreshold: 18
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 5200
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /healthz
              port: 5200
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 30
            periodSeconds: 30
      volumes:
        - name: config
          configMap:
            name: fc-media-config
        - name: data
          persistentVolumeClaim:
            claimName: fc-media-data
        - name: transcodes
          nfs:
            server: 10.0.58.3
            path: /volume1/kubernetes/fc-media-transcodes
        - name: media-inbox
          nfs:
            server: 10.0.58.3
            path: /volume1/kubernetes/fc-media-inbox
        - name: media-library
          nfs:
            server: 10.0.58.3
            path: /volume1/video
            readOnly: true
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: fc-media-web
  namespace: fc-media
  labels:
    app: fc-media-web
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 spec:
  type: ClusterIP
  selector:
    app: fc-media-web
  ports:
    - port: 5200
      targetPort: 5200
      protocol: TCP
      name: http
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: fc-media-tls
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 spec:
  secretName: fc-media-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - media.iamworkin.lan
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: fc-media-web
  namespace: fc-media
  labels:
    app.kubernetes.io/name: fc-media-web
    app.kubernetes.io/part-of: flowercore
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`media.iamworkin.lan`)
      kind: Rule
      services:
        - name: fc-media-web
          port: 5200
  tls:
    secretName: fc-media-tls
--- a/apps/fc-media/kustomization.yaml
+++ b/apps/fc-media/kustomization.yaml
@@ -0,0 +1,6 @@
 # ArgoCD's bluejay-infra ApplicationSet discovers apps/* directories on main.
 # The kustomization is included for local previews and single-app validation.
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - fc-media.yaml
--- a/apps/fc-menuboard/fc-menuboard.yaml
+++ b/apps/fc-menuboard/fc-menuboard.yaml
@@ -30,3 +30,26 @@ spec:
          port: 80
  tls:
    secretName: menuboard-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose menuboard-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: menuboard-web-public
 #   namespace: fc-menuboard
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`menuboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: menuboard-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: menuboard-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-messageboard/fc-messageboard.yaml
+++ b/apps/fc-messageboard/fc-messageboard.yaml
@@ -41,6 +41,8 @@ spec:
      labels:
        app: messageboard-web
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/health"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
@@ -52,6 +54,7 @@ spec:
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          envFrom:
            - configMapRef:
                name: messageboard-web-config
@@ -69,16 +72,14 @@ spec:
              memory: "512Mi"
              cpu: "500m"
          livenessProbe:
-            httpGet:
+            tcpSocket:
              path: /health
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
-            httpGet:
+            tcpSocket:
              path: /health
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 10
@@ -143,3 +144,26 @@ spec:
          port: 80
  tls:
    secretName: messageboard-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose messageboard-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: messageboard-web-public
 #   namespace: fc-messageboard
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`messageboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: messageboard-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: messageboard-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-mysql/fc-mysql.yaml
+++ b/apps/fc-mysql/fc-mysql.yaml
@@ -30,3 +30,26 @@ spec:
          port: 5300
  tls:
    secretName: mysql-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose mysql-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: mysql-web-public
 #   namespace: fc-mysql
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`mysql.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: mysql-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: mysql-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-network/certificate-web.yaml
+++ b/apps/fc-network/certificate-web.yaml
@@ -0,0 +1,33 @@
 # Certificate for network.iamworkin.lan.
 #
 # Preflight gate: network.iamworkin.lan must resolve to 10.0.56.200 before this
 # Certificate is synced. step-ca ACME cannot see the CoreDNS wildcard
 # (*.iamworkin.lan -> 10.0.56.200) — it does an HTTP-01 challenge against the
 # resolved host. The CoreDNS wildcard template covers network.iamworkin.lan, so
 # resolution exists fleet-wide; do NOT add a pfSense DNS override (this plane is
 # read-only and holds no pfSense creds). If ACME backs off, confirm the wildcard
 # resolves first (feedback_pfsense_dns_required_for_acme).
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: fc-network-web-tls
  namespace: fc-network
  labels:
    app: fc-network-web
    app.kubernetes.io/name: fc-network-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
  annotations:
    flowercore.io/dns-preflight: "network.iamworkin.lan must resolve to 10.0.56.200 (CoreDNS wildcard) before ACME sync"
 spec:
  secretName: fc-network-web-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - network.iamworkin.lan
  duration: 720h
  renewBefore: 240h
--- a/apps/fc-network/deployment-web.yaml
+++ b/apps/fc-network/deployment-web.yaml
@@ -0,0 +1,145 @@
 # FlowerCore.Network.Web — the pfSense automation plane (read-only Phase 0, ADR-189).
 #
 # Phase 0 is READ-ONLY: the service holds NO pfSense credentials and has no write
 # path to pfSense anywhere. The only mutating endpoint is POST /api/v1/snapshots,
 # which ingests a config.xml the noc1 exporter collected READ-ONLY and stores it
 # (redacted projection) on the PVC. Auth ships gate-OFF.
 #
 # Image localhost/fc-network-web:<tag> is built by FlowerCore.Network
 # scripts/deploy-k8s.sh and imported to all schedulable RKE2 nodes (rke2-server +
 # rke2-agent1; agent2 retired). imagePullPolicy: Never — bump the tag here, sync
 # ArgoCD, then scale 0->1 for the RWO PVC and verify the running pod imageID.
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: fc-network-web
  namespace: fc-network
  labels:
    app: fc-network-web
    app.kubernetes.io/name: fc-network-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
  annotations:
    flowercore.io/traceability-standard: k8s-pod-ownership-and-traceability-standard
 spec:
  replicas: 1
  revisionHistoryLimit: 3
  # RWO PVC: a single replica can't be surged (the new pod can't mount the volume
  # while the old one holds it). maxSurge 0 / maxUnavailable 1 is the rwo-safe shape;
  # for image bumps scale 0->1 rather than rollout restart.
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
  selector:
    matchLabels:
      app: fc-network-web
  template:
    metadata:
      labels:
        app: fc-network-web
        app.kubernetes.io/name: fc-network-web
        app.kubernetes.io/component: web
        app.kubernetes.io/part-of: flowercore
        app.kubernetes.io/managed-by: argocd
        flowercore.io/tenant-id: system
        flowercore.io/created-by: bluejay-infra
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "5340"
        prometheus.io/path: "/metrics/prometheus"
        flowercore.io/audit-trace-id: "runtime-activity-trace"
    spec:
      securityContext:
        fsGroup: 1654
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: web
          image: localhost/fc-network-web:v20260612-0b5b049
          imagePullPolicy: Never
          ports:
            - name: http
              containerPort: 5340
          # fc-safe-to-expose: read-only plane, auth gate-OFF; X-Forwarded-Proto handled
          # by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:5340"
            - name: ASPNETCORE_ENVIRONMENT
              value: "Production"
            - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
              value: "false"
            - name: HOME
              value: "/data"
            - name: FlowerCore__Auth__Enabled
              value: "false"
            - name: FlowerCore__Database__Provider
              value: "Sqlite"
            - name: FlowerCore__Database__ConnectionStrings__Sqlite
              value: "Data Source=/data/network.db"
            # Snapshot store + intended-model paths MUST be absolute on the PVC —
            # the default is relative to the read-only content root.
            - name: FlowerCore__Network__SnapshotStore__RootDirectory
              value: "/data/snapshots"
            - name: FlowerCore__Network__SnapshotStore__UseGitHistory
              value: "true"
            - name: FlowerCore__Network__IntendedModel__FilePath
              value: "/data/intended.json"
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          startupProbe:
            httpGet:
              path: /healthz
              port: 5340
            initialDelaySeconds: 5
            periodSeconds: 5
            failureThreshold: 30
          readinessProbe:
            httpGet:
              path: /healthz
              port: 5340
            periodSeconds: 10
            failureThreshold: 3
          livenessProbe:
            httpGet:
              path: /healthz
              port: 5340
            initialDelaySeconds: 30
            periodSeconds: 30
            failureThreshold: 3
          securityContext:
            runAsNonRoot: true
            runAsUser: 1654
            runAsGroup: 1654
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: data
              mountPath: /data
            - name: tmp
              mountPath: /tmp
            - name: logs
              mountPath: /app/logs
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: fc-network-web-data
        - name: tmp
          emptyDir: {}
        - name: logs
          emptyDir: {}
--- a/apps/fc-network/ingressroute-web.yaml
+++ b/apps/fc-network/ingressroute-web.yaml
@@ -0,0 +1,32 @@
 # LAN ingress for FlowerCore.Network Web (network.iamworkin.lan).
 #
 # RKE2 Traefik has no built-in ACME resolver; TLS certificate ownership stays in
 # cert-manager Certificate/fc-network-web-tls. Phase 0 is read-only but the POST
 # ingest endpoint is genuinely needed by the noc1 exporter, so this route allows
 # all methods (no GET/HEAD-only restriction like fc-dns) — the service itself has
 # NO pfSense write path, so allowing POST here only reaches the local snapshot
 # ingest.
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: fc-network-web
  namespace: fc-network
  labels:
    app: fc-network-web
    app.kubernetes.io/name: fc-network-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`network.iamworkin.lan`)
      kind: Rule
      services:
        - name: fc-network-web
          port: 80
  tls:
    secretName: fc-network-web-tls
--- a/apps/fc-network/kustomization.yaml
+++ b/apps/fc-network/kustomization.yaml
@@ -0,0 +1,11 @@
 # ArgoCD's bluejay-infra ApplicationSet discovers apps/* directories on main.
 # The kustomization is included for local previews and single-app validation.
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - pvc.yaml
  - deployment-web.yaml
  - service-web.yaml
  - certificate-web.yaml
  - ingressroute-web.yaml
--- a/apps/fc-network/namespace.yaml
+++ b/apps/fc-network/namespace.yaml
@@ -0,0 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: fc-network
  labels:
    app.kubernetes.io/part-of: flowercore
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
--- a/apps/fc-network/pvc.yaml
+++ b/apps/fc-network/pvc.yaml
@@ -0,0 +1,27 @@
 # Persistent store for FlowerCore.Network (read-only pfSense automation plane).
 #
 # Holds the SQLite snapshot INDEX db (network.db) AND the on-box snapshot store
 # (data/snapshots): full-fidelity raw config.xml + redacted inventory sidecars +
 # an on-box git history. Full-fidelity config is on-box ONLY (this PVC); the
 # service DB / REST / MCP / UI only ever surface the REDACTED projection.
 # RWO — single replica, scale 0->1 for updates (never rollout restart).
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: fc-network-web-data
  namespace: fc-network
  labels:
    app: fc-network-web
    app.kubernetes.io/name: fc-network-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 2Gi
--- a/apps/fc-network/service-web.yaml
+++ b/apps/fc-network/service-web.yaml
@@ -0,0 +1,21 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: fc-network-web
  namespace: fc-network
  labels:
    app: fc-network-web
    app.kubernetes.io/name: fc-network-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  selector:
    app: fc-network-web
  ports:
    - name: http
      port: 80
      targetPort: 5340
  type: ClusterIP
--- a/apps/fc-php/fc-php.yaml
+++ b/apps/fc-php/fc-php.yaml
@@ -30,3 +30,26 @@ spec:
          port: 5400
  tls:
    secretName: php-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose php-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: php-web-public
 #   namespace: fc-php
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`php.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: php-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: php-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-presentations/fc-presentations.yaml
+++ b/apps/fc-presentations/fc-presentations.yaml
@@ -30,3 +30,26 @@ spec:
          port: 80
  tls:
    secretName: presentations-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose presentations-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: presentations-web-public
 #   namespace: fc-presentations
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`presentations.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: presentations-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: presentations-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-redis/fc-redis.yaml
+++ b/apps/fc-redis/fc-redis.yaml
@@ -0,0 +1,171 @@
 # fc-redis — SignalR backplane for cross-product event bus
 #
 # Lands per Q-SO-1 resolution (2026-05-11 PM): SignalR backplane in Phase A,
 # not Phase C as originally drafted. Operator directive: "Redis can be
 # deployed just fine as it's another FlowerCore technology we'll want to
 # manage."
 #
 # Phase A scope (this file):
 #   - Single Redis 7.x Alpine pod
 #   - 1Gi Longhorn RWO PVC for AOF persistence
 #   - ClusterIP Service at `redis.fc-redis.svc.cluster.local:6379`
 #   - No AUTH (in-cluster only; not exposed externally)
 #   - No IngressRoute (backplane is server-to-server only)
 #
 # Consumers (Phase A IMPL across FC services):
 #   - FlowerCore.Signage.Web (OpsConsoleHub)
 #   - FlowerCore.Scoreboard.Web (ScoreboardHub)
 #   - FlowerCore.SignalControl.Web
 #   - FlowerCore.DMS.Web
 #   - Any other product joining the cross-product event bus
 #
 # Each consumer adds:
 #   services.AddSignalR()
 #           .AddStackExchangeRedis(
 #               "redis.fc-redis.svc.cluster.local:6379",
 #               opts => opts.Configuration.ChannelPrefix =
 #                   StackExchange.Redis.RedisChannel.Literal("fc-opsconsole"));
 #
 # Phase B / C follow-ons (out of scope here):
 #   - Redis Sentinel for HA (3-node)
 #   - AUTH password from 1Password Connect (rotate via /rotate-password)
 #   - redis_exporter sidecar for Prometheus scrape
 #   - Network policies restricting which namespaces can dial 6379
 #
 # Design: docs/signage/operations-console-phase-2-design.md §3.5
 # Decision: Q-SO-1 (RESOLVED 2026-05-11 PM)
 # Memory: feedback_blooming_ui_pattern_no_iframes
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: fc-redis
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: fc-redis-data
  namespace: fc-redis
 spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: fc-redis-config
  namespace: fc-redis
 data:
  redis.conf: |
    # Phase A — minimal config; no AUTH, no replication.
    bind 0.0.0.0
    protected-mode no
    port 6379
    tcp-backlog 511
    timeout 0
    tcp-keepalive 300
    # Persistence: AOF (fsync every second is the standard SignalR-backplane
    # durability sweet spot — the backplane only needs to survive Redis
    # restarts, not absolute zero loss).
    appendonly yes
    appendfsync everysec
    auto-aof-rewrite-percentage 100
    auto-aof-rewrite-min-size 64mb
    # Reasonable defaults — let Redis pick most things.
    maxmemory-policy allkeys-lru
    maxmemory 256mb
    # Logging
    loglevel notice
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: fc-redis
  namespace: fc-redis
  labels:
    app: fc-redis
 spec:
  replicas: 1
  strategy:
    type: Recreate           # RWO PVC; do not do rolling update
  selector:
    matchLabels:
      app: fc-redis
  template:
    metadata:
      labels:
        app: fc-redis
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 999       # redis:7-alpine default uid
        runAsGroup: 999
        fsGroup: 999
      containers:
        - name: redis
          image: redis:7-alpine
          imagePullPolicy: IfNotPresent
          command: ["redis-server", "/etc/redis/redis.conf"]
          ports:
            - name: redis
              containerPort: 6379
          resources:
            requests:
              cpu: "50m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "384Mi"
          volumeMounts:
            - name: data
              mountPath: /data
            - name: config
              mountPath: /etc/redis
              readOnly: true
          livenessProbe:
            tcpSocket:
              port: 6379
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            exec:
              command: ["redis-cli", "ping"]
            initialDelaySeconds: 2
            periodSeconds: 5
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: [ALL]
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: fc-redis-data
        - name: config
          configMap:
            name: fc-redis-config
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: redis
  namespace: fc-redis
 spec:
  type: ClusterIP
  selector:
    app: fc-redis
  ports:
    - name: redis
      port: 6379
      targetPort: 6379
      protocol: TCP
--- a/apps/fc-retail/fc-retail.yaml
+++ b/apps/fc-retail/fc-retail.yaml
@@ -0,0 +1,196 @@
 # FlowerCore.Retail.Web GitOps adoption manifest.
 #
 # Authored from the already-live fc-retail resources on 2026-06-04.
 # Keep the live image tag, Service ClusterIP, and PVC volumeName unchanged so
 # ArgoCD adopts in place instead of replacing the workload or data volume.
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: retail-web-data
  namespace: fc-retail
  labels:
    app.kubernetes.io/name: retail-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-retail
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: longhorn
  volumeMode: Filesystem
  volumeName: pvc-3d40b336-eab4-41b3-812c-d5e9413ce0ab
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: retail-web
  namespace: fc-retail
  labels:
    app.kubernetes.io/name: retail-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-retail
 spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: retail-web
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        kubectl.kubernetes.io/restartedAt: "2026-06-02T01:34:08-05:00"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/name: retail-web
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: retail-web-config
          image: localhost/fc-retail-web:v20260614-regroup-6d81424
          imagePullPolicy: Never
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /health
              port: 5000
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          name: retail-web
          ports:
            - containerPort: 5000
              name: http
              protocol: TCP
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /health
              port: 5000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /data
              name: data
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: retail-web-data
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: retail-web
  namespace: fc-retail
  labels:
    app.kubernetes.io/name: retail-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-retail
 spec:
  clusterIP: 10.43.239.8
  clusterIPs:
    - 10.43.239.8
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 5000
  selector:
    app.kubernetes.io/name: retail-web
  sessionAffinity: None
  type: ClusterIP
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: retail-web-tls
  namespace: fc-retail
  labels:
    app.kubernetes.io/name: retail-web-tls
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-retail
 spec:
  dnsNames:
    - retail.iamworkin.lan
  issuerRef:
    kind: ClusterIssuer
    name: step-ca-acme
  secretName: retail-web-tls
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: retail-web
  namespace: fc-retail
  labels:
    app.kubernetes.io/name: retail-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-retail
 spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`retail.iamworkin.lan`)
      services:
        - name: retail-web
          port: 80
  tls:
    secretName: retail-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose retail-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: retail-web-public
 #   namespace: fc-retail
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`retail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: retail-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: retail-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-scoreboard/fc-scoreboard.yaml
+++ b/apps/fc-scoreboard/fc-scoreboard.yaml
@@ -30,3 +30,26 @@ spec:
          port: 80
  tls:
    secretName: scoreboard-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose scoreboard-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: scoreboard-web-public
 #   namespace: fc-scoreboard
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`scoreboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: scoreboard-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: scoreboard-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-segmentdisplay/fc-segmentdisplay.yaml
+++ b/apps/fc-segmentdisplay/fc-segmentdisplay.yaml
@@ -37,3 +37,26 @@ spec:
          port: 80
  tls:
    secretName: segmentdisplay-web-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose segmentdisplay-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: segmentdisplay-web-public
 #   namespace: fc-segmentdisplay
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`segmentdisplay.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: segmentdisplay-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: segmentdisplay-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-signage-appletv/README.md
+++ b/apps/fc-signage-appletv/README.md
@@ -0,0 +1,14 @@
 # fc-signage-appletv
 Apple TV signage is a sealed appliance running the `FlowerCore.Signage.Agent.AppleTv` tvOS app per ADR-134.
 This ApplicationSet entry is documentation and inventory metadata only. It intentionally creates no `Deployment`, `Service`, or `Pod`.
 The Apple TV app connects outbound to existing FC.Signage.Web surfaces:
 - `https://signage.iamworkin.lan/hub/signage` for SignalR live status.
 - `GET /api/v1/nodes/{nodeId}/state` for the 30 second polling fallback.
 - `POST /api/v1/nodes/register` and `POST /api/v1/nodes/{nodeId}/enroll` for pairing and mTLS enrollment.
 - `POST /api/v1/nodes/{nodeId}/heartbeat` for metrics, current content identity, and local audit excerpts.
 Distribution is via Apple Developer Enterprise Program or TestFlight plus FC.Distribution / UpdateCenter publishing once Apple credentials are available.
--- a/apps/fc-signage-appletv/kustomization.yaml
+++ b/apps/fc-signage-appletv/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - manifest.yaml
--- a/apps/fc-signage-appletv/manifest.yaml
+++ b/apps/fc-signage-appletv/manifest.yaml
@@ -0,0 +1,26 @@
 # Apple TV signage is a sealed tvOS appliance. This ArgoCD app intentionally
 # carries documentation metadata only; no Deployment, Service, or Pod resources
 # are created for the player.
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: fc-signage-appletv-docs
  namespace: fc-signage
  labels:
    app.kubernetes.io/name: fc-signage-appletv
    app.kubernetes.io/part-of: flowercore-signage
    flowercore.io/manifest-kind: docs-only
 data:
  README: |
    FlowerCore.Signage.Agent.AppleTv is distributed through Apple Developer
    Enterprise Program or TestFlight, not Kubernetes.
    The app connects outbound to FC.Signage.Web:
    - SignalR: https://signage.iamworkin.lan/hub/signage
    - Polling fallback: GET /api/v1/nodes/{nodeId}/state
    - Enrollment: POST /api/v1/nodes/{nodeId}/enroll
    - Heartbeat: POST /api/v1/nodes/{nodeId}/heartbeat
    This placeholder gives ArgoCD and inventory dashboards a first-class
    Apple TV signage app entry without creating runtime pods.
--- a/apps/fc-signage-pi-player/README.md
+++ b/apps/fc-signage-pi-player/README.md
@@ -0,0 +1,17 @@
 # FlowerCore Signage Pi Player
 Phase 1 Raspberry Pi signage player packaging for Chromium kiosk deployments.
 This bundle is intentionally air-gap friendly: systemd units, shell scripts,
 udev rules, and Chromium managed policy are all checked into the repo and are
 installed by `FlowerCore.Puppet`.
 ## Scope
 - Bootstrap a stable node identity and mTLS client certificate.
 - Launch Chromium in kiosk mode against `FC.Signage.Web` player routes.
 - Restart the kiosk on HDMI hotplug.
 - Renew mTLS certificates daily when fewer than 30 days remain.
 - Detect display capabilities at boot, daily, and on HDMI hotplug.
 Phase 2 native Avalonia rendering is documented separately in Notes and remains
 deferred.
--- a/apps/fc-signage-pi-player/chromium-policies/flowercore-signage.json
+++ b/apps/fc-signage-pi-player/chromium-policies/flowercore-signage.json
@@ -0,0 +1,15 @@
 {
  "AutofillAddressEnabled": false,
  "AutofillCreditCardEnabled": false,
  "PasswordManagerEnabled": false,
  "BrowserSignin": 0,
  "MetricsReportingEnabled": false,
  "SafeBrowsingProtectionLevel": 0,
  "DefaultNotificationsSetting": 2,
  "DefaultPopupsSetting": 2,
  "BackgroundModeEnabled": false,
  "DefaultBrowserSettingEnabled": false,
  "PromotionalTabsEnabled": false,
  "CommandLineFlagSecurityWarningsEnabled": false,
  "ExtensionInstallBlocklist": ["*"]
 }
--- a/apps/fc-signage-pi-player/scripts/fc-signage-detect-display
+++ b/apps/fc-signage-pi-player/scripts/fc-signage-detect-display
@@ -0,0 +1,132 @@
 #!/usr/bin/env bash
 set -euo pipefail
 NODE_JSON="/etc/flowercore/signage-node.json"
 CERT_DIR="/etc/fc-signage-player"
 SIGNAGE_URL="${FC_SIGNAGE_URL:-https://signage.iamworkin.lan}"
 NODE_ID=$(jq -r '.nodeId' "$NODE_JSON")
 CONNECTORS=()
 for dir in /sys/class/drm/card*-HDMI-A-*; do
  [[ -e "$dir/status" ]] || continue
  if [[ "$(cat "$dir/status")" == "connected" ]]; then
    CONNECTORS+=("$(basename "$dir")")
  fi
 done
 if [[ ${#CONNECTORS[@]} -eq 0 ]]; then
  CAPABILITIES_JSON=$(jq -n --arg id "$NODE_ID" '{
    nodeId: $id,
    platform: "linux-arm64-pi",
    displayConnected: false,
    detectedAt: (now | todate),
    note: "No HDMI display detected"
  }')
 else
  PRIMARY="${CONNECTORS[0]}"
  EDID_PATH="/sys/class/drm/${PRIMARY}/edid"
  WIDTH=0
  HEIGHT=0
  REFRESH=60
  HDR=false
  AUDIO_HDMI=false
  MFG=""
  MODEL=""
  PHYSICAL_SIZE=null
  if [[ -s "$EDID_PATH" ]] && command -v edid-decode >/dev/null 2>&1; then
    EDID_INFO=$(edid-decode < "$EDID_PATH" 2>/dev/null || true)
    MFG=$(echo "$EDID_INFO" | grep -m1 -oP 'Manufacturer:\s*\K\S+' || true)
    MODEL=$(echo "$EDID_INFO" | grep -m1 -oP 'Model:\s*\K\S+' || true)
    PREF=$(echo "$EDID_INFO" | grep -m1 -oP '\d+x\d+\s*@\s*\d+(?:\.\d+)?\s*Hz' || true)
    if [[ -n "$PREF" ]]; then
      WIDTH=$(echo "$PREF" | grep -oP '^\d+')
      HEIGHT=$(echo "$PREF" | grep -oP 'x\K\d+')
      REFRESH=$(echo "$PREF" | grep -oP '@\s*\K[\d.]+' | cut -d. -f1)
    fi
    if echo "$EDID_INFO" | grep -qiE 'HDR (Static|Dynamic) Metadata Block'; then HDR=true; fi
    if echo "$EDID_INFO" | grep -qiE 'CEA Audio Block|Audio Format Descriptor'; then AUDIO_HDMI=true; fi
    PH_W=$(echo "$EDID_INFO" | grep -m1 -oP 'Maximum image size:\s*\K\d+\s*cm\s*x\s*\d+' || true)
    if [[ -n "$PH_W" ]]; then
      PH_CM_W=$(echo "$PH_W" | grep -oP '^\d+')
      PH_CM_H=$(echo "$PH_W" | grep -oP 'x\s*\K\d+')
      if (( PH_CM_W > 0 && PH_CM_H > 0 )); then
        PHYSICAL_SIZE=$(awk -v w="$PH_CM_W" -v h="$PH_CM_H" 'BEGIN { printf "%.1f", sqrt(w*w + h*h)/2.54 }')
      fi
    fi
  fi
  if [[ "$WIDTH" == "0" ]] && command -v kmsprint >/dev/null 2>&1; then
    KMS=$(kmsprint 2>/dev/null | grep -A2 "$PRIMARY" | grep -oP '\d+x\d+' | head -1 || true)
    if [[ -n "$KMS" ]]; then
      WIDTH=$(echo "$KMS" | grep -oP '^\d+')
      HEIGHT=$(echo "$KMS" | grep -oP 'x\K\d+')
    fi
  fi
  AUDIO_ALSA=false
  if aplay -l 2>/dev/null | grep -qi 'card.*HDMI'; then AUDIO_ALSA=true; fi
  HAS_AUDIO=false
  if [[ "$AUDIO_HDMI" == "true" && "$AUDIO_ALSA" == "true" ]]; then HAS_AUDIO=true; fi
  CAPABILITIES_JSON=$(jq -n \
    --arg id "$NODE_ID" \
    --argjson w "$WIDTH" \
    --argjson h "$HEIGHT" \
    --argjson r "$REFRESH" \
    --argjson hdr "$HDR" \
    --argjson audio "$HAS_AUDIO" \
    --arg connector "$PRIMARY" \
    --arg mfg "$MFG" \
    --arg model "$MODEL" \
    --argjson size "$PHYSICAL_SIZE" \
    '{
      nodeId: $id,
      platform: "linux-arm64-pi",
      displayConnected: true,
      detectedAt: (now | todate),
      hardware: {
        maxResolution: { width: $w, height: $h },
        nativeResolution: { width: $w, height: $h },
        refreshRateHz: $r,
        colorDepth: ($hdr | if . then "Color30Hdr" else "Color24" end),
        hasAudioOutput: $audio,
        audioChannelCount: ($audio | if . then 2 else 0 end),
        physicalSizeInches: $size,
        connector: $connector,
        manufacturer: $mfg,
        modelName: $model
      },
      render: { codecs: ["h264", "vp9", "mp4"] }
    }')
 fi
 ENDPOINT_CANDIDATES=(
  "${SIGNAGE_URL}/api/v1/nodes/${NODE_ID}/capabilities"
  "${SIGNAGE_URL}/api/v1/displays/${NODE_ID}/capability-profile"
 )
 SUCCESS=false
 for url in "${ENDPOINT_CANDIDATES[@]}"; do
  HTTP_STATUS=$(curl -sk -o /tmp/cap-response.json -w "%{http_code}" \
    --max-time 10 \
    --cert "$CERT_DIR/client.crt" --key "$CERT_DIR/client.key" \
    -X POST "$url" \
    -H "Content-Type: application/json" \
    -d "$CAPABILITIES_JSON" || echo "000")
  if [[ "$HTTP_STATUS" == "200" || "$HTTP_STATUS" == "201" || "$HTTP_STATUS" == "204" ]]; then
    SUCCESS=true
    break
  fi
 done
 mkdir -p /var/log/fc-signage-player
 if [[ "$SUCCESS" != "true" ]]; then
  echo "[$(date -Is)] capability declare: no endpoint accepted the profile; logging locally" \
    | tee -a /var/log/fc-signage-player/capabilities.log
  echo "$CAPABILITIES_JSON" | tee -a /var/log/fc-signage-player/capabilities.log
 else
  echo "[$(date -Is)] capability declare: ok ($url)" | tee -a /var/log/fc-signage-player/capabilities.log
 fi
 echo "$CAPABILITIES_JSON"
--- a/apps/fc-signage-pi-player/scripts/flowercore-signage-bootstrap.sh
+++ b/apps/fc-signage-pi-player/scripts/flowercore-signage-bootstrap.sh
@@ -0,0 +1,144 @@
 #!/usr/bin/env bash
 set -euo pipefail
 NODE_JSON="/etc/flowercore/signage-node.json"
 CERT_DIR="/etc/fc-signage-player"
 SIGNAGE_URL="${FC_SIGNAGE_URL:-https://signage.iamworkin.lan}"
 SETUP_CODE_FILE="/etc/flowercore/signage-setup-code"
 mkdir -p /etc/flowercore "$CERT_DIR" /var/log/fc-signage-player
 chown fc-signage:fc-signage /etc/flowercore "$CERT_DIR" /var/log/fc-signage-player
 chmod 0750 "$CERT_DIR"
 if [[ -s "$NODE_JSON" && -s "$CERT_DIR/client.p12" ]]; then
  ENROLLED=$(jq -r '.enrolledAt // empty' "$NODE_JSON")
  if [[ -n "$ENROLLED" ]]; then
    echo "[$(date -Is)] bootstrap: already enrolled at $ENROLLED; skipping"
    exit 0
  fi
 fi
 if [[ -s "$NODE_JSON" ]]; then
  NODE_UUID=$(jq -r '.nodeUuid // empty' "$NODE_JSON")
  MACHINE_ID=$(jq -r '.machineId // empty' "$NODE_JSON")
 else
  NODE_UUID=$(uuidgen)
  MACHINE_ID=$(echo "$NODE_UUID" | tr -d '-' | cut -c1-16)
  jq -n --arg uuid "$NODE_UUID" --arg machine "$MACHINE_ID" --arg host "$(hostname -f)" --arg ts "$(date -Is)" \
    '{nodeUuid: $uuid, machineId: $machine, hostname: $host, platform: "linux-arm64-pi", createdAt: $ts}' \
    > "$NODE_JSON"
  chmod 0640 "$NODE_JSON"
  chown fc-signage:fc-signage "$NODE_JSON"
 fi
 SETUP_CODE=""
 if [[ -s "$SETUP_CODE_FILE" ]]; then
  SETUP_CODE=$(tr -d '\r\n\t ' < "$SETUP_CODE_FILE")
 fi
 MODEL=$(tr -d '\0' < /sys/firmware/devicetree/base/model 2>/dev/null || echo Unknown)
 REG_PAYLOAD=$(jq -n \
  --arg machine "$MACHINE_ID" \
  --arg name "$(hostname -f)" \
  --arg setup "$SETUP_CODE" \
  --arg resolution "1920x1080" \
  --arg model "$MODEL" \
  '{
    machineId: $machine,
    name: $name,
    setupCode: ($setup | if . == "" then null else . end),
    resolution: $resolution,
    hardwareModel: $model,
    platform: "linux-arm64-pi"
  }')
 for attempt in 1 2; do
  HTTP_STATUS=$(curl -sk -o /tmp/register-response.json -w "%{http_code}" \
    --max-time 15 \
    -X POST "${SIGNAGE_URL}/api/v1/nodes/register" \
    -H "Content-Type: application/json" \
    -d "$REG_PAYLOAD" || echo "000")
  if [[ "$HTTP_STATUS" == "200" || "$HTTP_STATUS" == "201" ]]; then
    break
  fi
  echo "[$(date -Is)] bootstrap: register attempt $attempt returned $HTTP_STATUS" >&2
  sleep 5
 done
 if [[ "$HTTP_STATUS" != "200" && "$HTTP_STATUS" != "201" ]]; then
  echo "[$(date -Is)] bootstrap: register failed after 2 attempts" >&2
  exit 2
 fi
 NODE_ID=$(jq -r '.nodeId // empty' /tmp/register-response.json)
 if [[ -z "$NODE_ID" ]]; then
  echo "[$(date -Is)] bootstrap: register response did not include nodeId" >&2
  exit 2
 fi
 jq --arg id "$NODE_ID" '.nodeId = $id' "$NODE_JSON" > "${NODE_JSON}.tmp" && mv "${NODE_JSON}.tmp" "$NODE_JSON"
 if [[ -s "$SETUP_CODE_FILE" ]]; then
  curl -sk -X POST "${SIGNAGE_URL}/api/v1/nodes/${NODE_ID}/approve-via-setup-code" \
    -H "Content-Type: application/json" \
    -d "{\"setupCode\":\"${SETUP_CODE}\"}" \
    -o /dev/null || true
 fi
 STATUS=""
 DEADLINE=$(( $(date +%s) + 1800 ))
 while (( $(date +%s) < DEADLINE )); do
  STATUS=$(curl -sk --max-time 5 "${SIGNAGE_URL}/api/v1/nodes/${NODE_ID}/status" | jq -r '.status // empty')
  if [[ "$STATUS" == "Approved" || "$STATUS" == "Enrolled" || "$STATUS" == "Online" ]]; then
    break
  fi
  sleep 15
 done
 if [[ "$STATUS" != "Approved" && "$STATUS" != "Enrolled" && "$STATUS" != "Online" ]]; then
  echo "[$(date -Is)] bootstrap: approval not granted within 30min budget" >&2
  exit 3
 fi
 KEY_PATH="${CERT_DIR}/client.key"
 CSR_PATH="${CERT_DIR}/client.csr"
 openssl ecparam -genkey -name prime256v1 -out "$KEY_PATH"
 openssl req -new -key "$KEY_PATH" -out "$CSR_PATH" \
  -subj "/CN=${NODE_ID}/O=FlowerCore/OU=SignagePlayer-Pi"
 ENROLL_PAYLOAD=$(jq -n --arg csr "$(cat "$CSR_PATH")" '{certificateSigningRequest: $csr}')
 HTTP_STATUS=$(curl -sk -o /tmp/enroll-response.json -w "%{http_code}" \
  --max-time 15 \
  -X POST "${SIGNAGE_URL}/api/v1/nodes/${NODE_ID}/enroll" \
  -H "Content-Type: application/json" \
  -d "$ENROLL_PAYLOAD")
 if [[ "$HTTP_STATUS" != "200" && "$HTTP_STATUS" != "201" ]]; then
  echo "[$(date -Is)] bootstrap: enroll failed with HTTP $HTTP_STATUS" >&2
  exit 4
 fi
 jq -r '.clientCertificatePem // .signedCertificatePem' /tmp/enroll-response.json > "${CERT_DIR}/client.crt"
 jq -r '.caCertificatePem' /tmp/enroll-response.json > "${CERT_DIR}/ca-chain.pem"
 P12_PASS=$(openssl rand -hex 24)
 echo -n "$P12_PASS" > "${CERT_DIR}/client.p12.pass"
 chmod 0600 "${CERT_DIR}/client.p12.pass"
 openssl pkcs12 -export \
  -inkey "$KEY_PATH" \
  -in "${CERT_DIR}/client.crt" \
  -certfile "${CERT_DIR}/ca-chain.pem" \
  -out "${CERT_DIR}/client.p12" \
  -password "pass:${P12_PASS}"
 chown fc-signage:fc-signage "${CERT_DIR}"/* "$NODE_JSON"
 chmod 0640 "${CERT_DIR}/client.p12" "${CERT_DIR}/client.crt" "${CERT_DIR}/ca-chain.pem" "$KEY_PATH"
 chmod 0600 "${CERT_DIR}/client.p12.pass"
 EXPIRY=$(openssl x509 -in "${CERT_DIR}/client.crt" -enddate -noout | sed 's/notAfter=//')
 jq --arg ts "$(date -Is)" --arg exp "$EXPIRY" \
  '.enrolledAt = $ts | .certExpiry = $exp' "$NODE_JSON" > "${NODE_JSON}.tmp" \
  && mv "${NODE_JSON}.tmp" "$NODE_JSON"
 systemctl start flowercore-signage-detect-display.service || true
 systemctl start flowercore-signage-player-pi.service || true
 echo "[$(date -Is)] bootstrap: enrolled and kiosk started (NodeId=${NODE_ID})"
--- a/apps/fc-signage-pi-player/scripts/flowercore-signage-hdmi-respond.sh
+++ b/apps/fc-signage-pi-player/scripts/flowercore-signage-hdmi-respond.sh
@@ -0,0 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 sleep 2
 systemctl start flowercore-signage-detect-display.service || true
 systemctl restart flowercore-signage-player-pi.service
--- a/apps/fc-signage-pi-player/scripts/flowercore-signage-launch.sh
+++ b/apps/fc-signage-pi-player/scripts/flowercore-signage-launch.sh
@@ -0,0 +1,44 @@
 #!/usr/bin/env bash
 set -euo pipefail
 NODE_JSON="/etc/flowercore/signage-node.json"
 NODE_ID=$(jq -r '.nodeId' "$NODE_JSON")
 SIGNAGE_URL="${FC_SIGNAGE_URL:-https://signage.iamworkin.lan}"
 CERT_DIR="/etc/fc-signage-player"
 CERT_THUMB=$(openssl pkcs12 -in "$CERT_DIR/client.p12" -passin file:"$CERT_DIR/client.p12.pass" -nodes -nokeys 2>/dev/null \
  | openssl x509 -fingerprint -sha256 -noout \
  | sed 's/.*=//' \
  | tr -d ':')
 PLAYER_URL="${SIGNAGE_URL}/player/${NODE_ID}/embed?token=${CERT_THUMB}"
 HTTP_STATUS=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 5 \
  --cert-type P12 --cert "$CERT_DIR/client.p12:$(cat "$CERT_DIR/client.p12.pass")" \
  "$PLAYER_URL" || echo "000")
 mkdir -p /var/log/fc-signage-player
 if [[ "$HTTP_STATUS" != "200" && "$HTTP_STATUS" != "301" && "$HTTP_STATUS" != "302" ]]; then
  echo "[$(date -Is)] /embed returned $HTTP_STATUS; falling back to /player/${NODE_ID}" \
    >> /var/log/fc-signage-player/url-divergence.log
  PLAYER_URL="${SIGNAGE_URL}/player/${NODE_ID}?token=${CERT_THUMB}"
 fi
 exec chromium-browser \
  --kiosk \
  --noerrdialogs \
  --disable-infobars \
  --disable-translate \
  --disable-features=TranslateUI,InfiniteSessionRestore \
  --autoplay-policy=no-user-gesture-required \
  --password-store=basic \
  --user-data-dir=/var/lib/fc-signage-player/profile \
  --disk-cache-dir=/var/lib/fc-signage-player/cache \
  --disk-cache-size=104857600 \
  --no-first-run \
  --no-default-browser-check \
  --check-for-update-interval=2592000 \
  --enable-features=OverlayScrollbar \
  --start-fullscreen \
  --window-position=0,0 \
  --window-size=1920,1080 \
  "$PLAYER_URL"
--- a/apps/fc-signage-pi-player/scripts/flowercore-signage-prelaunch.sh
+++ b/apps/fc-signage-pi-player/scripts/flowercore-signage-prelaunch.sh
@@ -0,0 +1,20 @@
 #!/usr/bin/env bash
 set -euo pipefail
 mkdir -p /var/log/fc-signage-player
 for f in /etc/flowercore/signage-node.json /etc/fc-signage-player/client.p12 /etc/fc-signage-player/client.p12.pass; do
  if [[ ! -r "$f" ]]; then
    echo "[$(date -Is)] prelaunch: missing or unreadable $f" >&2
    exit 1
  fi
 done
 if openssl pkcs12 -in /etc/fc-signage-player/client.p12 -passin file:/etc/fc-signage-player/client.p12.pass -nokeys -clcerts 2>/dev/null \
   | openssl x509 -checkend $((7*24*3600)) -noout; then
  :
 else
  echo "[$(date -Is)] prelaunch: client cert expires within 7 days" >&2
 fi
 echo "[$(date -Is)] prelaunch: ok" | tee -a /var/log/fc-signage-player/prelaunch.log
--- a/apps/fc-signage-pi-player/scripts/flowercore-signage-renew-cert.sh
+++ b/apps/fc-signage-pi-player/scripts/flowercore-signage-renew-cert.sh
@@ -0,0 +1,46 @@
 #!/usr/bin/env bash
 set -euo pipefail
 CERT_DIR="/etc/fc-signage-player"
 NODE_JSON="/etc/flowercore/signage-node.json"
 SIGNAGE_URL="${FC_SIGNAGE_URL:-https://signage.iamworkin.lan}"
 [[ -s "$CERT_DIR/client.crt" ]] || { echo "no cert to renew"; exit 0; }
 if openssl x509 -in "$CERT_DIR/client.crt" -checkend $((30*24*3600)) -noout; then
  exit 0
 fi
 NODE_ID=$(jq -r '.nodeId' "$NODE_JSON")
 NEW_KEY="$CERT_DIR/client.key.new"
 NEW_CSR="$CERT_DIR/client.csr.new"
 openssl ecparam -genkey -name prime256v1 -out "$NEW_KEY"
 openssl req -new -key "$NEW_KEY" -out "$NEW_CSR" \
  -subj "/CN=${NODE_ID}/O=FlowerCore/OU=SignagePlayer-Pi"
 HTTP_STATUS=$(curl -sk -o /tmp/renew-response.json -w "%{http_code}" \
  --cert "$CERT_DIR/client.crt" --key "$CERT_DIR/client.key" \
  -X POST "${SIGNAGE_URL}/api/v1/nodes/${NODE_ID}/renew" \
  -H "Content-Type: application/json" \
  -d "$(jq -n --arg csr "$(cat "$NEW_CSR")" '{certificateSigningRequest: $csr}')")
 if [[ "$HTTP_STATUS" != "200" && "$HTTP_STATUS" != "201" ]]; then
  echo "[$(date -Is)] renew: failed HTTP $HTTP_STATUS; leaving old cert in place" >&2
  exit 5
 fi
 jq -r '.clientCertificatePem // .signedCertificatePem' /tmp/renew-response.json > "$CERT_DIR/client.crt.new"
 jq -r '.caCertificatePem' /tmp/renew-response.json > "$CERT_DIR/ca-chain.pem.new"
 P12_PASS=$(cat "$CERT_DIR/client.p12.pass")
 openssl pkcs12 -export -inkey "$NEW_KEY" -in "$CERT_DIR/client.crt.new" \
  -certfile "$CERT_DIR/ca-chain.pem.new" \
  -out "$CERT_DIR/client.p12.new" -password "pass:${P12_PASS}"
 mv "$CERT_DIR/client.key.new" "$CERT_DIR/client.key"
 mv "$CERT_DIR/client.crt.new" "$CERT_DIR/client.crt"
 mv "$CERT_DIR/ca-chain.pem.new" "$CERT_DIR/ca-chain.pem"
 mv "$CERT_DIR/client.p12.new" "$CERT_DIR/client.p12"
 chown fc-signage:fc-signage "$CERT_DIR"/client.*
 systemctl restart flowercore-signage-player-pi.service
--- a/apps/fc-signage-pi-player/systemd/99-flowercore-signage-hdmi.rules
+++ b/apps/fc-signage-pi-player/systemd/99-flowercore-signage-hdmi.rules
@@ -0,0 +1,2 @@
 # Settle DRM for 2s before restarting Chromium, then redeclare capabilities.
 SUBSYSTEM=="drm", KERNEL=="card?-HDMI-A-?", ACTION=="change", RUN+="/usr/bin/systemctl start flowercore-signage-player-pi-hdmi.service"
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-bootstrap.service
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-bootstrap.service
@@ -0,0 +1,16 @@
 [Unit]
 Description=FlowerCore Signage Pi: first-boot identity + mTLS enrollment
 Wants=network-online.target
 After=network-online.target
 Before=flowercore-signage-player-pi.service
 [Service]
 Type=oneshot
 ExecStart=/usr/local/bin/flowercore-signage-bootstrap.sh
 RemainAfterExit=yes
 StandardOutput=journal
 StandardError=journal
 TimeoutStartSec=2100
 [Install]
 WantedBy=multi-user.target
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-detect-display.service
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-detect-display.service
@@ -0,0 +1,8 @@
 [Unit]
 Description=FlowerCore Signage Pi: detect connected display + declare capabilities
 After=flowercore-signage-bootstrap.service
 [Service]
 Type=oneshot
 User=fc-signage
 ExecStart=/usr/local/bin/fc-signage-detect-display
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-detect-display.timer
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-detect-display.timer
@@ -0,0 +1,11 @@
 [Unit]
 Description=Daily FlowerCore Signage Pi display capability redeclaration
 [Timer]
 OnCalendar=daily
 RandomizedDelaySec=1h
 Persistent=true
 OnBootSec=30s
 [Install]
 WantedBy=timers.target
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-player-pi-hdmi.service
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-player-pi-hdmi.service
@@ -0,0 +1,7 @@
 [Unit]
 Description=FlowerCore Signage Pi Player HDMI hotplug responder
 DefaultDependencies=no
 [Service]
 Type=oneshot
 ExecStart=/usr/local/bin/flowercore-signage-hdmi-respond.sh
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-player-pi.service
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-player-pi.service
@@ -0,0 +1,30 @@
 [Unit]
 Description=FlowerCore Digital Signage Pi Player (Chromium kiosk)
 Documentation=https://github.com/astoltz/FlowerCore.Notes/blob/master/docs/standards/appletv-pi-signage-agents-design.md
 Wants=network-online.target
 After=network-online.target graphical.target
 ConditionPathExists=/etc/flowercore/signage-node.json
 ConditionPathExists=/etc/fc-signage-player/client.p12
 [Service]
 Type=simple
 User=fc-signage
 Group=fc-signage
 WorkingDirectory=/var/lib/fc-signage-player
 EnvironmentFile=-/etc/flowercore/signage-player.env
 ExecStartPre=/usr/local/bin/flowercore-signage-prelaunch.sh
 ExecStart=/usr/local/bin/flowercore-signage-launch.sh
 Restart=always
 RestartSec=10s
 StartLimitBurst=5
 StartLimitIntervalSec=300s
 MemoryMax=2G
 MemoryHigh=1500M
 ProtectSystem=strict
 ProtectHome=true
 ReadWritePaths=/var/lib/fc-signage-player /var/log/fc-signage-player
 PrivateTmp=true
 NoNewPrivileges=true
 [Install]
 WantedBy=graphical.target
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-renew.service
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-renew.service
@@ -0,0 +1,6 @@
 [Unit]
 Description=FlowerCore Signage Pi: cert renewal worker
 [Service]
 Type=oneshot
 ExecStart=/usr/local/bin/flowercore-signage-renew-cert.sh
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-renew.timer
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-renew.timer
@@ -0,0 +1,10 @@
 [Unit]
 Description=Daily check for FlowerCore Signage Pi cert renewal
 [Timer]
 OnCalendar=daily
 RandomizedDelaySec=2h
 Persistent=true
 [Install]
 WantedBy=timers.target
--- a/apps/fc-signage-pi-player/tests/display_capability.bats
+++ b/apps/fc-signage-pi-player/tests/display_capability.bats
@@ -0,0 +1,22 @@
 #!/usr/bin/env bats
 setup() {
  APP_ROOT="$(cd "$BATS_TEST_DIRNAME/.." && pwd)"
  DETECT="$APP_ROOT/scripts/fc-signage-detect-display"
 }
@test "display detection emits graceful disconnected profile when no hdmi connector is present" {
  script="$(cat "$DETECT")"
  [[ "$script" == *"displayConnected: false"* ]]
  [[ "$script" == *"No HDMI display detected"* ]]
 }
@test "display detection parses edid, falls back to kmsprint, and logs endpoint failures locally" {
  script="$(cat "$DETECT")"
  [[ "$script" == *"edid-decode"* ]]
  [[ "$script" == *"HDR (Static|Dynamic) Metadata Block"* ]]
  [[ "$script" == *"kmsprint"* ]]
  [[ "$script" == *"/api/v1/nodes/\${NODE_ID}/capabilities"* ]]
  [[ "$script" == *"/api/v1/displays/\${NODE_ID}/capability-profile"* ]]
  [[ "$script" == *"capabilities.log"* ]]
 }
--- a/apps/fc-signage-pi-player/tests/identity_bootstrap.bats
+++ b/apps/fc-signage-pi-player/tests/identity_bootstrap.bats
@@ -0,0 +1,64 @@
 #!/usr/bin/env bats
 setup() {
  APP_ROOT="$(cd "$BATS_TEST_DIRNAME/.." && pwd)"
  BOOTSTRAP="$APP_ROOT/scripts/flowercore-signage-bootstrap.sh"
  RENEW="$APP_ROOT/scripts/flowercore-signage-renew-cert.sh"
 }
@test "bootstrap is idempotent when node is already enrolled" {
  script="$(cat "$BOOTSTRAP")"
  [[ "$script" == *'[[ -s "$NODE_JSON" && -s "$CERT_DIR/client.p12" ]]'* ]]
  [[ "$script" == *"already enrolled"* ]]
  [[ "$script" == *"exit 0"* ]]
 }
@test "bootstrap generates a stable node uuid and machine id" {
  script="$(cat "$BOOTSTRAP")"
  [[ "$script" == *"uuidgen"* ]]
  [[ "$script" == *"nodeUuid"* ]]
  [[ "$script" == *"machineId"* ]]
  [[ "$script" == *"cut -c1-16"* ]]
 }
@test "bootstrap posts to the canonical register endpoint" {
  grep -q '/api/v1/nodes/register' "$BOOTSTRAP"
  grep -q '"linux-arm64-pi"' "$BOOTSTRAP"
 }
@test "bootstrap retries registration once for first-call races" {
  script="$(cat "$BOOTSTRAP")"
  [[ "$script" == *"for attempt in 1 2"* ]]
  [[ "$script" == *"register attempt \$attempt returned"* ]]
  [[ "$script" == *"sleep 5"* ]]
 }
@test "bootstrap supports setup-code approval with manual polling fallback" {
  script="$(cat "$BOOTSTRAP")"
  [[ "$script" == *"signage-setup-code"* ]]
  [[ "$script" == *"approve-via-setup-code"* ]]
  [[ "$script" == *"+ 1800"* ]]
  [[ "$script" == *"sleep 15"* ]]
 }
@test "bootstrap generates an ecdsa p256 csr for the signage pi subject" {
  script="$(cat "$BOOTSTRAP")"
  [[ "$script" == *"ecparam -genkey -name prime256v1"* ]]
  [[ "$script" == *'/CN=${NODE_ID}/O=FlowerCore/OU=SignagePlayer-Pi'* ]]
 }
@test "bootstrap writes pkcs12 bundle with restrictive permissions" {
  script="$(cat "$BOOTSTRAP")"
  [[ "$script" == *"openssl pkcs12 -export"* ]]
  [[ "$script" == *"client.p12.pass"* ]]
  [[ "$script" == *"chmod 0640"* ]]
  [[ "$script" == *"chmod 0600"* ]]
 }
@test "renewal only calls renew endpoint inside the thirty-day window and swaps atomically" {
  script="$(cat "$RENEW")"
  [[ "$script" == *'-checkend $((30*24*3600))'* ]]
  [[ "$script" == *"/api/v1/nodes/\${NODE_ID}/renew"* ]]
  [[ "$script" == *"client.key.new"* ]]
  [[ "$script" == *'mv "$CERT_DIR/client.p12.new"   "$CERT_DIR/client.p12"'* ]]
 }
--- a/apps/fc-signage-pi-player/tests/systemd_kiosk_wrapper.bats
+++ b/apps/fc-signage-pi-player/tests/systemd_kiosk_wrapper.bats
@@ -0,0 +1,68 @@
 #!/usr/bin/env bats
 setup() {
  APP_ROOT="$(cd "$BATS_TEST_DIRNAME/.." && pwd)"
 }
@test "player unit exists" {
  [ -f "$APP_ROOT/systemd/flowercore-signage-player-pi.service" ]
 }
@test "player unit uses simple chromium service with restart backoff" {
  unit="$(cat "$APP_ROOT/systemd/flowercore-signage-player-pi.service")"
  [[ "$unit" == *"Type=simple"* ]]
  [[ "$unit" == *"Restart=always"* ]]
  [[ "$unit" == *"RestartSec=10s"* ]]
  [[ "$unit" == *"StartLimitBurst=5"* ]]
  [[ "$unit" == *"StartLimitIntervalSec=300s"* ]]
 }
@test "player unit caps chromium memory at two gigabytes" {
  grep -q '^MemoryMax=2G$' "$APP_ROOT/systemd/flowercore-signage-player-pi.service"
  grep -q '^MemoryHigh=1500M$' "$APP_ROOT/systemd/flowercore-signage-player-pi.service"
 }
@test "player unit condition-gates startup on identity and p12 certificate" {
  grep -q '^ConditionPathExists=/etc/flowercore/signage-node.json$' "$APP_ROOT/systemd/flowercore-signage-player-pi.service"
  grep -q '^ConditionPathExists=/etc/fc-signage-player/client.p12$' "$APP_ROOT/systemd/flowercore-signage-player-pi.service"
 }
@test "player unit runs prelaunch checks before chromium" {
  grep -q '^ExecStartPre=/usr/local/bin/flowercore-signage-prelaunch.sh$' "$APP_ROOT/systemd/flowercore-signage-player-pi.service"
  grep -q '^ExecStart=/usr/local/bin/flowercore-signage-launch.sh$' "$APP_ROOT/systemd/flowercore-signage-player-pi.service"
 }
@test "hdmi udev rule routes through the two-second settle service" {
  rule="$(cat "$APP_ROOT/systemd/99-flowercore-signage-hdmi.rules")"
  [[ "$rule" == *'KERNEL=="card?-HDMI-A-?"'* ]]
  [[ "$rule" == *"systemctl start flowercore-signage-player-pi-hdmi.service"* ]]
  [[ "$rule" != *"systemctl restart flowercore-signage-player-pi.service"* ]]
 }
@test "hdmi responder settles, declares display, then restarts chromium" {
  responder="$(cat "$APP_ROOT/scripts/flowercore-signage-hdmi-respond.sh")"
  [[ "$responder" == *"sleep 2"* ]]
  [[ "$responder" == *"systemctl start flowercore-signage-detect-display.service"* ]]
  [[ "$responder" == *"systemctl restart flowercore-signage-player-pi.service"* ]]
 }
@test "chromium policy json is valid and disables credential prompts" {
  command -v jq >/dev/null || skip "jq not installed"
  jq -e '.AutofillAddressEnabled == false and .AutofillCreditCardEnabled == false and .PasswordManagerEnabled == false' \
    "$APP_ROOT/chromium-policies/flowercore-signage.json" >/dev/null
 }
@test "launch script tries embed URL and logs bare-player fallback" {
  launch="$(cat "$APP_ROOT/scripts/flowercore-signage-launch.sh")"
  [[ "$launch" == *'/player/${NODE_ID}/embed?token=${CERT_THUMB}'* ]]
  [[ "$launch" == *"url-divergence.log"* ]]
  [[ "$launch" == *'/player/${NODE_ID}?token=${CERT_THUMB}'* ]]
 }
@test "prelaunch script validates required node and cert files" {
  prelaunch="$(cat "$APP_ROOT/scripts/flowercore-signage-prelaunch.sh")"
  [[ "$prelaunch" == *"/etc/flowercore/signage-node.json"* ]]
  [[ "$prelaunch" == *"/etc/fc-signage-player/client.p12"* ]]
  [[ "$prelaunch" == *"/etc/fc-signage-player/client.p12.pass"* ]]
  [[ "$prelaunch" == *"exit 1"* ]]
 }
--- a/apps/fc-signage/fc-signage.yaml
+++ b/apps/fc-signage/fc-signage.yaml
@@ -46,3 +46,26 @@ spec:
      services:
        - name: signage-web
          port: 5190
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose signage-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: signage-web-public
 #   namespace: fc-signage
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`signage.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: signage-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: signage-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-signalcontrol/fc-signalcontrol.yaml
+++ b/apps/fc-signalcontrol/fc-signalcontrol.yaml
@@ -76,15 +76,13 @@ spec:
              memory: "512Mi"
              cpu: "500m"
          livenessProbe:
-            httpGet:
+            tcpSocket:
              path: /health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
            timeoutSeconds: 5
          readinessProbe:
-            httpGet:
+            tcpSocket:
              path: /health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
--- a/apps/fc-ttsreader/biblical-tts/app.py
+++ b/apps/fc-ttsreader/biblical-tts/app.py
@@ -30,6 +30,7 @@ import logging
 import re
 import shlex
 import subprocess
 import unicodedata
 from typing import Optional
 from fastapi import FastAPI, HTTPException
@@ -60,6 +61,189 @@ class TtsRequest(BaseModel):
    volume: int = 100     # 0-200
 HEBREW_CHAR_RE = re.compile(r"[\u0590-\u05FF]")
 HEBREW_WORD_RE = re.compile(r"[\u0590-\u05FF]+")
 # eSpeak-NG's Hebrew voice can spell unpointed Hebrew as Unicode character
 # names on some builds. For source-text study reads, prefer a stable
 # scholarly transliteration so words sound like words even without niqqud.
 HEBREW_WORD_TRANSLITERATIONS = {
    "אב": "av",
    "אבא": "abba",
    "אברהם": "Avraham",
    "אדמה": "adamah",
    "אדני": "Adonai",
    "אדם": "adam",
    "אור": "or",
    "אלהים": "Elohim",
    "אלוהים": "Elohim",
    "אמן": "amen",
    "אם": "em",
    "אמת": "emet",
    "ארץ": "eretz",
    "אש": "esh",
    "את": "et",
    "בית": "beit",
    "בן": "ben",
    "ברא": "bara",
    "בראשית": "bereshit",
    "ברית": "berit",
    "ברוך": "barukh",
    "בת": "bat",
    "גוי": "goy",
    "גוים": "goyim",
    "גויים": "goyim",
    "דבר": "davar",
    "דברים": "devarim",
    "דוד": "David",
    "הלל": "hallel",
    "הארץ": "ha-aretz",
    "הברית": "ha-berit",
    "החדשה": "ha-chadashah",
    "השמים": "ha-shamayim",
    "השמיים": "ha-shamayim",
    "ויאמר": "vayomer",
    "יהוה": "Adonai",
    "יוסף": "Yosef",
    "יוחנן": "Yochanan",
    "ישראל": "Yisrael",
    "ישוע": "Yeshua",
    "יצחק": "Yitzchak",
    "יעקב": "Yaakov",
    "ירושלים": "Yerushalayim",
    "כהן": "kohen",
    "כהנים": "kohanim",
    "מים": "mayim",
    "מות": "mavet",
    "מושיע": "moshia",
    "מלך": "melekh",
    "מלכות": "malkhut",
    "מרים": "Miriam",
    "משה": "Moshe",
    "משיח": "Mashiach",
    "נביא": "navi",
    "נביאים": "neviim",
    "עם": "am",
    "עולם": "olam",
    "צדק": "tzedek",
    "קדוש": "qadosh",
    "קדושים": "qedoshim",
    "קול": "qol",
    "רוח": "ruach",
    "שאול": "Shaul",
    "שמים": "shamayim",
    "שמיים": "shamayim",
    "שמעון": "Shimon",
    "שלום": "Shalom",
    "תורה": "torah",
    "חכמה": "chokhmah",
    "חסד": "chesed",
    "חיים": "chayim",
    "חושך": "choshekh",
 }
 HEBREW_LETTERS = {
    "א": "a",
    "ב": "b",
    "ג": "g",
    "ד": "d",
    "ה": "h",
    "ו": "v",
    "ז": "z",
    "ח": "kh",
    "ט": "t",
    "י": "y",
    "כ": "kh",
    "ך": "kh",
    "ל": "l",
    "מ": "m",
    "ם": "m",
    "נ": "n",
    "ן": "n",
    "ס": "s",
    "ע": "a",
    "פ": "p",
    "ף": "f",
    "צ": "ts",
    "ץ": "ts",
    "ק": "q",
    "ר": "r",
    "ש": "sh",
    "ת": "t",
 }
 HEBREW_VOWELISH = {"a", "e", "i", "o", "u"}
 def _strip_hebrew_marks(value: str) -> str:
    decomposed = unicodedata.normalize("NFD", value)
    return "".join(
        ch for ch in decomposed
        if unicodedata.category(ch) != "Mn" and ch not in {"׳", "״", "־"}
    )
 def _fallback_hebrew_transliteration(word: str) -> str:
    tokens: list[str] = []
    chars = list(word)
    for index, ch in enumerate(chars):
        token = HEBREW_LETTERS.get(ch)
        if token is None:
            continue
        if ch == "ה" and index == len(chars) - 1:
            token = "ah"
        elif ch == "י" and index > 0:
            token = "i"
        elif ch == "ו" and index > 0:
            token = "o"
        tokens.append(token)
    if not tokens:
        return word
    spoken: list[str] = []
    for index, token in enumerate(tokens):
        spoken.append(token)
        next_token = tokens[index + 1] if index + 1 < len(tokens) else ""
        if (
            token[-1:] not in HEBREW_VOWELISH
            and next_token
            and next_token[:1] not in HEBREW_VOWELISH
        ):
            spoken.append("a")
    return "".join(spoken)
 def _transliterate_hebrew_word(match: re.Match[str]) -> str:
    original = match.group(0)
    normalized = _strip_hebrew_marks(original)
    if not normalized:
        return original
    direct = HEBREW_WORD_TRANSLITERATIONS.get(normalized)
    if direct:
        return direct
    if normalized.startswith("ו") and len(normalized) > 1:
        rest = HEBREW_WORD_TRANSLITERATIONS.get(normalized[1:])
        if rest:
            return f"ve-{rest}"
    if normalized.startswith("ה") and len(normalized) > 1:
        rest = HEBREW_WORD_TRANSLITERATIONS.get(normalized[1:])
        if rest:
            return f"ha-{rest}"
    return _fallback_hebrew_transliteration(normalized)
 def _prepare_synthesis_input(text: str, language: str, voice: str) -> tuple[str, str]:
    if language.lower().startswith("he") and HEBREW_CHAR_RE.search(text):
        spoken = HEBREW_WORD_RE.sub(_transliterate_hebrew_word, text)
        return spoken, "en-us"
    return text, voice
 def _resolve_voice(req: TtsRequest) -> str:
    if req.voice:
        return req.voice.strip()
@@ -115,14 +299,15 @@ def tts(req: TtsRequest) -> Response:
        raise HTTPException(status_code=400, detail="text is required")
    voice = _resolve_voice(req)
    spoken_text, synth_voice = _prepare_synthesis_input(req.text, req.language, voice)
    args = [
        "--stdout",
-        "-v", voice,
+        "-v", synth_voice,
        "-s", str(max(80, min(450, req.rate))),
        "-p", str(max(0, min(99, req.pitch))),
        "-a", str(max(0, min(200, req.volume))),
    ]
-    wav = _run_espeak(args, req.text.encode("utf-8"))
+    wav = _run_espeak(args, spoken_text.encode("utf-8"))
    if not wav:
        raise HTTPException(status_code=500, detail="espeak-ng returned empty stdout")
    return Response(content=wav, media_type="audio/wav")
@@ -153,9 +338,9 @@ def tts(req: TtsRequest) -> Response:
 PHONEME_DURATION_RE = re.compile(r"^\s*\S+\s+(\d+)\s+", re.MULTILINE)
-def _estimate_total_ms(req: TtsRequest, voice: str) -> int:
+def _estimate_total_ms(req: TtsRequest, voice: str, spoken_text: str) -> int:
    args = ["--pho", "--quiet", "-v", voice, "-s", str(req.rate)]
-    out = _run_espeak(args, req.text.encode("utf-8"))
+    out = _run_espeak(args, spoken_text.encode("utf-8"))
    text = out.decode("utf-8", errors="replace")
    total = 0
    for match in PHONEME_DURATION_RE.finditer(text):
@@ -175,7 +360,8 @@ def timings(req: TtsRequest):
    if not req.text.strip():
        raise HTTPException(status_code=400, detail="text is required")
    voice = _resolve_voice(req)
-    total_ms = _estimate_total_ms(req, voice)
+    spoken_text, synth_voice = _prepare_synthesis_input(req.text, req.language, voice)
    total_ms = _estimate_total_ms(req, synth_voice, spoken_text)
    # Distribute total_ms across whitespace-split words proportional to
    # character count. Punctuation-only tokens are folded into the previous
@@ -204,7 +390,7 @@ def timings(req: TtsRequest):
        {
            "text": req.text,
            "language": req.language,
-            "voice": voice,
+            "voice": synth_voice,
            "words": out_words,
            "durationMs": total_ms,
        }
--- a/apps/fc-ttsreader/fc-ttsreader.yaml
+++ b/apps/fc-ttsreader/fc-ttsreader.yaml
@@ -37,6 +37,19 @@ spec:
        app.kubernetes.io/name: ttsreader-piper
        app.kubernetes.io/part-of: flowercore
    spec:
      # Bypass CoreDNS's *.iamworkin.lan wildcard so the init container reaches
      # huggingface.co directly when it seeds voice models.
      dnsPolicy: None
      dnsConfig:
        nameservers:
          - 10.43.0.10
        searches:
          - fc-ttsreader.svc.cluster.local
          - svc.cluster.local
          - cluster.local
        options:
          - name: ndots
            value: "2"
      initContainers:
        - name: seed-voices
          image: rhasspy/wyoming-piper:latest
@@ -84,6 +97,7 @@ spec:
      containers:
        - name: piper
          image: rhasspy/wyoming-piper:latest
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: PYTHONHTTPSVERIFY
              value: "0"
@@ -346,7 +360,7 @@ spec:
        runAsUser: 1654
      containers:
        - name: biblical-tts
-          image: localhost/fc-biblical-tts:v1
+          image: localhost/fc-biblical-tts:v20260506-hebrew-translit
          imagePullPolicy: Never
          ports:
            - containerPort: 10402
@@ -510,6 +524,8 @@ spec:
        app.kubernetes.io/name: ttsreader-web
        app.kubernetes.io/part-of: flowercore
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/health"
        prometheus.io/scrape: "true"
        prometheus.io/port: "5217"
        prometheus.io/path: "/metrics"
@@ -519,7 +535,7 @@ spec:
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: web
-          image: localhost/fc-ttsreader-web:v202604291817
+          image: localhost/fc-ttsreader-web:v20260614-wave5-help-2f096e3
          imagePullPolicy: Never
          ports:
            - containerPort: 5217
@@ -537,12 +553,20 @@ spec:
              value: "/usr/bin/ffmpeg"
            - name: TtsReader__Bible__CorpusRoot
              value: "/data/corpus-cache/world-english-bible/eng/usx"
            - name: TtsReader__ChapterContext__DatabasePath
              value: "/data/chapter-context.db"
            - name: TtsReader__Jobs__Root
              value: "/data/jobs"
            - name: TtsReader__Export__LocalCasRoot
              value: "/data/bundles/cas"
            - name: TtsReader__Piper__Host
-              value: "ttsreader-piper.fc-ttsreader.svc.cluster.local."
+              value: "10.0.57.17"
            - name: TtsReader__Piper__Port
-              value: "10200"
+              value: "8500"
            - name: TtsReader__Piper__Transport
              value: "http"
            - name: TtsReader__Piper__HttpPath
              value: "/tts"
            - name: TtsReader__Kokoro__Enabled
              value: "true"
            - name: TtsReader__Kokoro__BaseUrl
@@ -553,6 +577,14 @@ spec:
              value: "http://ttsreader-kokoro.fc-ttsreader.svc.cluster.local.:8880"
            - name: TtsReader__Kokoro__TimeoutSeconds
              value: "120"
            - name: FlowerCore__Tts__BiblicalTts__Enabled
              value: "true"
            - name: FlowerCore__Tts__BiblicalTts__BaseUrl
              value: "http://ttsreader-biblical.fc-ttsreader.svc.cluster.local.:10402"
            - name: FlowerCore__Tts__BiblicalTts__TimeoutSeconds
              value: "60"
            - name: FlowerCore__Tts__BiblicalTts__DefaultLanguage
              value: "grc"
            - name: Speech__Alignment__Enabled
              # Cluster-native faster-whisper (Lane F, 2026-04-25). The
              # ttsreader-align deployment in this manifest wraps
@@ -573,7 +605,7 @@ spec:
            - name: TtsReader__Transcription__TimeoutSeconds
              value: "300"
            - name: TtsReader__Ollama__BaseUrl
-              value: "http://10.0.57.17:11434"
+              value: "http://10.0.57.201:11434"
            - name: TtsReader__Ollama__DefaultModel
              value: "gemma3:4b"
            - name: TtsReader__Ollama__TimeoutSeconds
@@ -588,6 +620,8 @@ spec:
            # the writable PVC mount.
            - name: TtsReader__Preview__CacheDirectory
              value: "/data/voice-previews"
            - name: TtsReader__VoiceLibrary__ReferenceClip__Directory
              value: "/data/voice-reference-clips"
            # Sprint E XXL Phase 4γ — content-addressed CDN bundle dir for
            # POST /api/v1/render. Default "wwwroot/cdn" resolves under the
            # read-only app filesystem, so pin to the writable PVC mount
@@ -609,7 +643,10 @@ spec:
                  optional: true
          resources:
            requests:
-              cpu: 100m
+              # The cluster is currently saturated on requested CPU by
              # remotedesktop workloads even when real usage is low.
              # Keep the web frontend schedulable under that pressure.
              cpu: 10m
              memory: 256Mi
            limits:
              cpu: 500m
@@ -728,3 +765,26 @@ spec:
          port: 5217
  tls:
    secretName: ttsreader-tls
 # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
 # When the operator decides to expose ttsreader-web publicly, uncomment + update the host,
 # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
 #
 # --- IngressRoute ---
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: ttsreader-web-public
 #   namespace: fc-ttsreader
 # spec:
 #   entryPoints: [websecure]
 #   routes:
 #     - match: Host(`ttsreader.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 #       kind: Rule
 #       middlewares:
 #         - name: ttsreader-web-public-profile-header  # injects entitlement profile
 #       services:
 #         - name: ttsreader-web
 #           port: 80
 #   tls: {}
 # # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
 # # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
--- a/apps/fc-updater/README.md
+++ b/apps/fc-updater/README.md
@@ -0,0 +1,47 @@
 # fc-updater — Update Center GitOps adoption
 **Status:** adopted into `bluejay-infra` on 2026-05-06. The live ArgoCD
 Application is `infra-fc-updater`, generated by the `bluejay-infra`
 ApplicationSet with automated sync, `prune: true`, and `selfHeal: true`.
 ## Managed manifest set
 `apps/fc-updater/fc-updater.yaml` manages:
 - `Namespace/fc-updater`
 - `PersistentVolumeClaim/updatecenter-data`
 - `Deployment/updatecenter-web`
 - `Service/updatecenter-web`
 - `Certificate/updatecenter-web-tls`
 - `Certificate/updatecenter-web-internal-tls`
 - `IngressRoute/updatecenter-web`
 - `IngressRoute/updatecenter-web-internal`
 - `IngressRoute/updatecenter-web-public`
 The Deployment intentionally sets `revisionHistoryLimit: 3` and
 `strategy.type: Recreate`. The service is singleton + SQLite/local bundle
 storage on `PersistentVolumeClaim/updatecenter-data`, pinned to
 `rke2-server`.
 ## Runtime dependencies intentionally not stored here
 These live Secrets are pre-existing runtime material and are not committed to
 Git:
 - `updater-bootstrap-auth`
 - `updater-signing`
 - `updater-webhooks`
 - `cf-origin-flowercore-io`
 Rotate the Cloudflare Origin Certificate through
 `FlowerCore.Notes/docs/standards/code-signing-rotation-runbook.md`; the
 shared origin cert must exist in every namespace that serves a
 `*.flowercore.io` public IngressRoute.
 ## Verification
 ```powershell
 kubectl.exe --kubeconfig C:\Users\AndrewStoltz\.kube\rke2.yaml -n argocd get application infra-fc-updater
 kubectl.exe --kubeconfig C:\Users\AndrewStoltz\.kube\rke2.yaml -n fc-updater get deploy,svc,ingressroute,certificate,pvc
 curl.exe -sk https://update.flowercore.io/api/v1/manifests/_schema
 ```
--- a/apps/fc-updater/fc-updater.yaml
+++ b/apps/fc-updater/fc-updater.yaml
@@ -0,0 +1,275 @@
 # FlowerCore Update Center
 # GitOps adoption of the live fc-updater namespace after PUB-1/PUB-3.
 # Runtime credentials remain in existing K8s Secrets; do not store them here.
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: fc-updater
  labels:
    app.kubernetes.io/part-of: flowercore
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: updatecenter-data
  namespace: fc-updater
  labels:
    app.kubernetes.io/name: updatecenter-web
    app.kubernetes.io/part-of: flowercore
 spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  volumeMode: Filesystem
  resources:
    requests:
      # Sized for fleet bundle storage (LocalFsBundleStore.MaxTotalBytes
      # soft cap at 25 GiB per project_uc_remaining_4_apps_signed_2026_05_06).
      # Mike Bundle alone is ~5.1 GiB; cluster live capacity is already
      # 20 GiB after a manual expand. PVCs cannot shrink, so git must track
      # at least the live size to avoid the OutOfSync loop.
      storage: 25Gi
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: updatecenter-web
  namespace: fc-updater
  labels:
    app: updatecenter-web
    app.kubernetes.io/name: updatecenter-web
    app.kubernetes.io/part-of: flowercore
 spec:
  replicas: 1
  revisionHistoryLimit: 3
  strategy:
    # SQLite + local bundle storage live on a single RWO PVC. Recreate avoids
    # two pods overlapping the same write path during future image bumps.
    type: Recreate
  selector:
    matchLabels:
      app: updatecenter-web
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/"
      labels:
        app: updatecenter-web
    spec:
      nodeName: rke2-server
      containers:
        - name: web
          image: localhost/fc-updater-web:v20260614-regroup-bdf4a4a
          imagePullPolicy: Never
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          env:
            - name: ASPNETCORE_URLS
              value: http://+:8080
            - name: FlowerCore__Updater__Database__Provider
              value: sqlite
            - name: FlowerCore__Updater__Database__ConnectionString
              value: Data Source=/data/updatecenter.db
            - name: FlowerCore__Updater__BundleStorage__LocalFs__RootDirectory
              value: /data/bundles
            - name: FlowerCore__Updater__PublicShares__RequirePublicVisibilityOnPublicHosts
              value: "true"
            - name: FlowerCore__Updater__PublicShares__Links__0__Code
              value: 8f3c2a9e7d41
            - name: FlowerCore__Updater__PublicShares__Links__0__AppId
              value: flowercore.faith-ai-mike
            - name: FlowerCore__Updater__PublicShares__Links__0__Channel
              value: stable
            - name: FlowerCore__Updater__PublicShares__Links__0__RuntimeId
              value: win-x64
            - name: FlowerCore__Updater__PublicShares__Links__0__DisplayName
              value: Faith AI Mike Edition
            - name: FlowerCore__Updater__PublicShares__Links__0__Headline
              value: Faith AI Mike Edition
            - name: FlowerCore__Updater__PublicShares__Links__0__Description
              value: Private release link for Mike's Faith AI bundle.
            - name: FlowerCore__Audit__Sinks__Loki__Enabled
              value: "false"
            - name: FlowerCore__Updater__Auth__Bootstrap__Enabled
              value: "true"
            - name: FlowerCore__Updater__Auth__Bootstrap__Username
              valueFrom:
                secretKeyRef:
                  name: updater-bootstrap-auth
                  key: username
            - name: FlowerCore__Updater__Auth__Bootstrap__Password
              valueFrom:
                secretKeyRef:
                  name: updater-bootstrap-auth
                  key: password
            - name: FlowerCore__Updater__Auth__Bootstrap__SigningKey
              valueFrom:
                secretKeyRef:
                  name: updater-bootstrap-auth
                  key: signing-key
            - name: FlowerCore__Updater__Signing__AutoSignOnPublish
              value: "true"
            - name: FlowerCore__Updater__Signing__RequireSignatureOnPublish
              value: "true"
            - name: FlowerCore__Updater__Signing__PfxBase64
              valueFrom:
                secretKeyRef:
                  name: updater-signing
                  key: pfx-base64
            - name: FlowerCore__Updater__Signing__PfxPassword
              valueFrom:
                secretKeyRef:
                  name: updater-signing
                  key: pfx-password
            - name: FlowerCore__Updater__Signing__OpItemReference
              value: op://FlowerCore/step-ca-codesign
            - name: FlowerCore__Updater__Signing__TrustAnchorPath
              value: /etc/flowercore-updater/signing/root-ca.pem
            - name: FlowerCore__Updater__GitHub__Token
              valueFrom:
                secretKeyRef:
                  name: updater-webhooks
                  key: github-token
            - name: FlowerCore__Updater__GitHub__WebhookSecret
              valueFrom:
                secretKeyRef:
                  name: updater-webhooks
                  key: github-webhook-secret
            - name: FlowerCore__Updater__Gitea__Token
              valueFrom:
                secretKeyRef:
                  name: updater-webhooks
                  key: gitea-token
            - name: FlowerCore__Updater__Gitea__WebhookSecret
              valueFrom:
                secretKeyRef:
                  name: updater-webhooks
                  key: gitea-webhook-secret
          readinessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 10
            periodSeconds: 15
          livenessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
          volumeMounts:
            - name: data
              mountPath: /data
            - name: signing
              mountPath: /etc/flowercore-updater/signing
              readOnly: true
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: updatecenter-data
        - name: signing
          secret:
            secretName: updater-signing
            items:
              - key: root-ca.pem
                path: root-ca.pem
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: updatecenter-web
  namespace: fc-updater
  labels:
    app: updatecenter-web
    app.kubernetes.io/name: updatecenter-web
    app.kubernetes.io/part-of: flowercore
 spec:
  type: ClusterIP
  selector:
    app: updatecenter-web
  ports:
    - name: http
      port: 8080
      targetPort: http
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: updatecenter-web-tls
  namespace: fc-updater
 spec:
  secretName: updatecenter-web-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - updatecenter.iamworkin.lan
    - updates.iamworkin.lan
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: updatecenter-web-internal-tls
  namespace: fc-updater
 spec:
  secretName: updatecenter-web-internal-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - updatecenter-internal.iamworkin.lan
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: updatecenter-web
  namespace: fc-updater
 spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: (Host(`updatecenter.iamworkin.lan`) || Host(`updates.iamworkin.lan`)) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      kind: Rule
      services:
        - name: updatecenter-web
          port: 8080
  tls:
    secretName: updatecenter-web-tls
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: updatecenter-web-internal
  namespace: fc-updater
 spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`updatecenter-internal.iamworkin.lan`)
      kind: Rule
      services:
        - name: updatecenter-web
          port: 8080
  tls:
    secretName: updatecenter-web-internal-tls
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: updatecenter-web-public
  namespace: fc-updater
 spec:
  entryPoints:
    - websecure
  routes:
    - match: (Host(`update.flowercore.io`) || Host(`updates.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
      kind: Rule
      services:
        - name: updatecenter-web
          port: 8080
  tls:
    secretName: cf-origin-flowercore-io
--- a/apps/fc-updater/kustomization.yaml
+++ b/apps/fc-updater/kustomization.yaml
@@ -0,0 +1,7 @@
 # ArgoCD's bluejay-infra ApplicationSet uses a directory generator and does
 # not require kustomization.yaml. Keep this anyway as the manifest inventory
 # and for local `kubectl kustomize apps/fc-updater` previews.
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - fc-updater.yaml
--- a/apps/flowercore/flowercore.yaml
+++ b/apps/flowercore/flowercore.yaml
@@ -1,5 +1,10 @@
-# FlowerCore Tenant — flowercore.io (main brand)
+# FlowerCore Tenant — retired flowercore.io placeholder.
-# Public-facing placeholder landing page served by nginx
+#
 # Public flowercore.io/www.flowercore.io routing is now owned by
 # apps/fc-landing/fc-landing.yaml. This tenant placeholder remains available
 # only as an in-cluster service; do not create a duplicate public
 # IngressRoute here because it competes with fc-landing and requires a
 # namespace-local cf-origin-flowercore-io Secret.
 # ArgoCD managed - BlueJay Lab
 ---
 apiVersion: v1
@@ -10,12 +15,6 @@ metadata:
    app.kubernetes.io/part-of: bluejay-infra
    flowercore.io/tenant: flowercore
 ---
 # NOTE: The existing cf-origin-flowercore-io secret (covering *.flowercore.io)
 # must be copied into this namespace. It already exists in other namespaces.
 # Copy with: kubectl get secret cf-origin-flowercore-io -n fc-system -o yaml \
 #   | sed 's/namespace: .*/namespace: tenant-flowercore/' \
 #   | kubectl apply -f -
 ---
 # Landing page HTML
 apiVersion: v1
 kind: ConfigMap
@@ -311,22 +310,3 @@ spec:
    - port: 80
      targetPort: 80
      name: http
 ---
 # Traefik IngressRoute — public via Cloudflare
 # Uses existing cf-origin-flowercore-io cert (must be copied to this namespace)
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: flowercore-web
  namespace: tenant-flowercore
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
      kind: Rule
      services:
        - name: flowercore-web
          port: 80
  tls:
    secretName: cf-origin-flowercore-io
--- a/apps/github-runner/.gitattributes
+++ b/apps/github-runner/.gitattributes
@@ -0,0 +1,2 @@
 *.sh text eol=lf
 Dockerfile text eol=lf
--- a/apps/github-runner/Dockerfile
+++ b/apps/github-runner/Dockerfile
@@ -0,0 +1,54 @@
 FROM myoung34/github-runner:latest
 ARG RUBY_VERSION=3.3.11
 ARG RUBY_MINOR=3.3
 ARG RUBY_BUILD_VERSION=v20260326
 ARG RUNNER_UID=1001
 ARG RUNNER_GID=1001
 ENV RUNNER_TOOL_CACHE=/home/runner/_tool
 ENV RUNNER_RUBY_TOOLCACHE=/opt/runner-toolcache
 ENV PATH="/home/runner/_tool/Ruby/${RUBY_MINOR}/x64/bin:/opt/runner-toolcache/Ruby/${RUBY_MINOR}/x64/bin:${PATH}"
 USER root
 # Bake the IAmWorkin step-ca root CA into the system trust store. Without
 # this, .NET HttpClient calls from CI tests against *.iamworkin.lan
 # (e.g. https://selenium.iamworkin.lan/session) fail with `PartialChain`
 # because the runner image's default Ubuntu trust bundle doesn't include
 # our internal Root CA. update-ca-certificates regenerates
 # /etc/ssl/certs/ca-certificates.crt, which OpenSSL + .NET on Linux read
 # automatically — no SSL_CERT_FILE env var needed.
 COPY step-ca-root.crt /usr/local/share/ca-certificates/iamworkin-step-ca-root.crt
 RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        autoconf \
        bison \
        build-essential \
        ca-certificates \
        curl \
        libdb-dev \
        libffi-dev \
        libgdbm-dev \
        libgmp-dev \
        libncurses-dev \
        libreadline-dev \
        libssl-dev \
        libyaml-dev \
        patch \
        pkg-config \
        uuid-dev \
        zlib1g-dev \
    && update-ca-certificates \
    && curl -fsSL "https://github.com/rbenv/ruby-build/archive/refs/tags/${RUBY_BUILD_VERSION}.tar.gz" -o /tmp/ruby-build.tar.gz \
    && mkdir -p /tmp/ruby-build \
    && tar -xzf /tmp/ruby-build.tar.gz --strip-components=1 -C /tmp/ruby-build \
    && /tmp/ruby-build/install.sh \
    && rm -rf /tmp/ruby-build /tmp/ruby-build.tar.gz /var/lib/apt/lists/*
 COPY install-ruby-toolcache.sh /usr/local/bin/install-ruby-toolcache.sh
 RUN chmod +x /usr/local/bin/install-ruby-toolcache.sh \
    && RUBY_VERSION="${RUBY_VERSION}" RUBY_MINOR="${RUBY_MINOR}" TOOLCACHE_ROOT="${RUNNER_RUBY_TOOLCACHE}" RUNNER_UID="${RUNNER_UID}" RUNNER_GID="${RUNNER_GID}" /usr/local/bin/install-ruby-toolcache.sh \
    && ruby -v
--- a/apps/github-runner/README.md
+++ b/apps/github-runner/README.md
@@ -0,0 +1,139 @@
 # GitHub Runner Fleet
 ArgoCD owns `apps/github-runner/github-runner.yaml`. Do not patch live runner
 Deployments with `kubectl`; update this manifest and let ArgoCD reconcile.
 ## Runner Shape
 All repo-scoped Linux runners use:
 - `localhost/fc-github-runner:v20260525-ruby3.3.11-stepca`, derived from
  `myoung34/github-runner:latest`
 - `ACCESS_TOKEN` from the `github-runner-token` Secret
 - `RUN_AS_ROOT=false`
 - `EPHEMERAL=true`
 - `DISABLE_AUTO_UPDATE=true` so the runner does not self-update and exit inside
  the immutable Kubernetes pod
 - `LABELS=self-hosted,linux,fc-build-linux`
 - writable non-root paths under `/home/runner` for .NET, NuGet, XDG cache, and
  Actions tool cache
 - Ruby 3.3.11 seeded into `/home/runner/_tool/Ruby/3.3/x64` from the baked
  `/opt/runner-toolcache` copy so `ruby/setup-ruby@v1` can discover it on
  self-hosted `ubuntu-20.04-x64` runners
 `github-runner` for `FlowerCore.Common` is single-replica because it retains the
 original Longhorn ReadWriteOnce NuGet PVC. Every other repo-scoped runner uses
 two replicas with per-pod `emptyDir` caches. That is the safe backlog-drain
 strategy: no two pods share one RWO PVC.
 Sprint 32 final long-tail wave adds 16 two-replica Deployments:
 `FlowerCore.Knowledge`, `FlowerCore.LlmBridge`, `FlowerCore.Media`,
 `FlowerCore.Presentations`, `FlowerCore.RemoteDesktop`, `FlowerCore.DNS`,
 `FlowerCore.Distribution`, `FlowerCore.Scoreboard`,
 `FlowerCore.SegmentDisplay`, `FlowerCore.Signage.Contracts`,
 `FlowerCore.SignalControl`, `FlowerCore.Intranet.Web`,
 `FlowerCore.Provisioning`, `FlowerCore.Redis`, `FlowerCore.MessageBoard`, and
 `FlowerCore.MenuBoard`.
 ## Image Build
 Ruby is baked with a pinned `ruby-build` release and Ruby patch version. The pod
 still mounts an `emptyDir` over `/home/runner`, so the `setup-runner-home` init
 container copies the baked toolcache from `/opt/runner-toolcache/Ruby` into
 `/home/runner/_tool/Ruby` before the runner container starts.
 The IAmWorkin step-ca root CA is also baked into the system trust store
 (`/usr/local/share/ca-certificates/iamworkin-step-ca-root.crt`, registered by
 `update-ca-certificates`). Without it, .NET HttpClient calls from CI tests
 against `*.iamworkin.lan` (e.g. `https://selenium.iamworkin.lan/session`)
 fail with `PartialChain`. To refresh the bundled cert when the root rotates,
 re-extract from the cluster and overwrite `step-ca-root.crt`:
 ```bash
 kubectl get secret -n cert-manager step-ca-root \
  -o jsonpath='{.data.ca\.crt}' | base64 -d > step-ca-root.crt
 ```
 ```bash
 cd apps/github-runner
 podman build -t localhost/fc-github-runner:v20260525-ruby3.3.11-stepca .
 podman run --rm localhost/fc-github-runner:v20260525-ruby3.3.11-stepca ruby -v
 podman run --rm localhost/fc-github-runner:v20260525-ruby3.3.11-stepca \
  test -f /opt/runner-toolcache/Ruby/3.3/x64.complete
 podman save localhost/fc-github-runner:v20260525-ruby3.3.11-stepca \
  -o fc-github-runner-v20260525-ruby3.3.11-stepca.tar
 ```
 Import the saved image on every schedulable RKE2 node before ArgoCD rolls the
 Deployments:
 ```bash
 for node in rke2-server rke2-agent1 rke2-agent2; do
  scp fc-github-runner-v20260525-ruby3.3.11-stepca.tar "$node:/tmp/"
  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images rm localhost/fc-github-runner:v20260525-ruby3.3.11-stepca || true'
  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/fc-github-runner-v20260525-ruby3.3.11-stepca.tar'
 done
 ```
 ## Post-Merge Proof
 After the PR is merged and ArgoCD syncs, verify the runner fleet:
 ```bash
 kubectl -n github-runner get deploy,pods,pvc
 ```
 Verify the Ruby toolcache in a fresh pod:
 ```bash
 kubectl -n github-runner exec deploy/github-runner-puppet -c runner -- ruby -v
 kubectl -n github-runner exec deploy/github-runner-puppet -c runner -- sh -c \
  'echo "$RUNNER_TOOL_CACHE" && test -f "$RUNNER_TOOL_CACHE/Ruby/3.3/x64.complete"'
 ```
 Verify GitHub registration for the repo-scoped runners:
 ```bash
 for repo in FlowerCore.Common FlowerCore.Shared.Pos FlowerCore.Puppet FlowerCore.Signage \
            FlowerCore.DMS FlowerCore.Telephony FlowerCore.Print.Web FlowerCore.Chat \
            FlowerCore.MySQL FlowerCore.Kiosk.Linux FlowerCore.Marquee FlowerCore.TtsReader \
            FlowerCore.Knowledge FlowerCore.LlmBridge FlowerCore.Media \
            FlowerCore.Presentations FlowerCore.RemoteDesktop FlowerCore.DNS \
            FlowerCore.Distribution FlowerCore.Scoreboard FlowerCore.SegmentDisplay \
            FlowerCore.Signage.Contracts FlowerCore.SignalControl FlowerCore.Intranet.Web \
            FlowerCore.Provisioning FlowerCore.Redis FlowerCore.MessageBoard \
            FlowerCore.MenuBoard; do
  echo "=== $repo ==="
  gh api "/repos/astoltz/$repo/actions/runners" \
    --jq '.runners[] | select(.labels[].name == "fc-build-linux") | {name,status,busy,labels:[.labels[].name]}'
 done
 ```
 Shared.Pos publish proof after the runner pod is online:
 ```bash
 gh run list --repo astoltz/FlowerCore.Shared.Pos \
  --workflow "Build, Test & Publish" --branch main --limit 5
 ```
 If the latest run is still queued after runner registration, rerun the workflow
 from GitHub Actions and verify it lands on an `rke2-linux-*` runner.
 ## Failure Notes
 - `actions/setup-dotnet` permission error at `/usr/share/dotnet`: check that
  `DOTNET_INSTALL_DIR=/home/runner/.dotnet` and related cache env vars are
  present on the runner pod.
 - `ruby/setup-ruby@v1` says self-hosted runners must install Ruby in
  `$RUNNER_TOOL_CACHE`: check that the init container copied
  `/opt/runner-toolcache/Ruby` into `/home/runner/_tool/Ruby` and that
  `/home/runner/_tool/Ruby/3.3/x64.complete` exists.
 - `404` during runner registration: the fine-grained PAT is valid but missing
  repository access for that repo. Add the repo to the PAT access list; the PAT
  value does not change.
 - `Multi-Attach` volume error: only the Common runner uses a RWO PVC and it must
  stay single-replica. New multi-replica runners use `emptyDir`.
 - Runner pods repeatedly registering, downloading a newer Actions runner, then
  exiting with code 4: verify `DISABLE_AUTO_UPDATE=true` is present. The image
  translates that into `config.sh --disableupdate`; without it, the Deployment
  controller sees the expected self-update exit as CrashLoopBackOff.
--- a/apps/github-runner/github-runner.yaml
+++ b/apps/github-runner/github-runner.yaml
--- a/apps/github-runner/install-ruby-toolcache.sh
+++ b/apps/github-runner/install-ruby-toolcache.sh
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 set -euo pipefail
 RUBY_VERSION="${RUBY_VERSION:-3.3.11}"
 RUBY_MINOR="${RUBY_MINOR:-3.3}"
 TOOLCACHE_ROOT="${TOOLCACHE_ROOT:-/opt/runner-toolcache}"
 RUNNER_UID="${RUNNER_UID:-1001}"
 RUNNER_GID="${RUNNER_GID:-1001}"
 RUBY_PREFIX="${TOOLCACHE_ROOT}/Ruby/${RUBY_VERSION}/x64"
 mkdir -p "${TOOLCACHE_ROOT}/Ruby"
 RUBY_CONFIGURE_OPTS="${RUBY_CONFIGURE_OPTS:---disable-install-doc --disable-yjit}" ruby-build "${RUBY_VERSION}" "${RUBY_PREFIX}"
 touch "${TOOLCACHE_ROOT}/Ruby/${RUBY_VERSION}/x64.complete"
 ln -sfn "${RUBY_VERSION}" "${TOOLCACHE_ROOT}/Ruby/${RUBY_MINOR}"
 "${RUBY_PREFIX}/bin/ruby" -v
 chown -R "${RUNNER_UID}:${RUNNER_GID}" "${TOOLCACHE_ROOT}"
 chmod -R a+rX "${TOOLCACHE_ROOT}"
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`# Settle DRM for 2s before restarting the fullscreen Avalonia renderer.`
							`SUBSYSTEM=="drm", KERNEL=="card?-HDMI-A-?", ACTION=="change", RUN+="/usr/bin/systemctl start flowercore-divoom-tv-hdmi.service"`
		`@@ -0,0 +1,2 @@`
							`# Settle DRM for 2s before restarting Chromium, then redeclare capabilities.`
							`SUBSYSTEM=="drm", KERNEL=="card?-HDMI-A-?", ACTION=="change", RUN+="/usr/bin/systemctl start flowercore-signage-player-pi-hdmi.service"`