feat(github-runner): harden Linux runner fleet

Tighten Pi signage HDMI settle coverage (#3 )
feat(github-runner): pod-env DOTNET_INSTALL_DIR + initContainer for non-root runner (#7 )
2026-05-17 21:50:29 -05:00 · 2026-05-18 02:35:17 +00:00 · 2026-05-18 02:25:18 +00:00 · 2026-05-18 02:20:00 +00:00 · 2026-05-17 21:54:16 +00:00 · 2026-05-17 21:50:35 +00:00
65 changed files with 2771 additions and 1128 deletions
--- a/apps/authentik/README.md
+++ b/apps/authentik/README.md
@@ -1,18 +0,0 @@
 # Authentik OIDC client registration sweep
 This directory holds the FlowerCore per-service OIDC client secret references
 for the ADR-093 / ADR-124 Phase 1 step 8 sweep.
 The `clients/*-oidc-client.yaml` manifests are intentionally only
 `OnePasswordItem` CRDs. The actual 1Password items are created by an operator in
 the `IAmWorkin` vault with these fields:
 | Field | Purpose |
 | --- | --- |
 | `client_id` | Authentik provider client id, default `<slug>` |
 | `client_secret` | Authentik provider client secret |
 | `issuer_url` | `https://id.iamworkin.lan/application/o/<slug>/` |
 Run `scripts/authentik-bulk-client-create.py` in dry-run mode first. Live REST
 mutation requires `--apply`, `AUTHENTIK_TOKEN`, and an operator-provided
 client-secret JSON file. The script redacts secrets in all normal output.
--- a/apps/authentik/clients/aistation-oidc-client.yaml
+++ b/apps/authentik/clients/aistation-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: aistation-oidc-client
  namespace: fc-aistation
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: aistation
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/aistation-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/aistation-oidc-client"
--- a/apps/authentik/clients/audit-oidc-client.yaml
+++ b/apps/authentik/clients/audit-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: audit-oidc-client
  namespace: fc-audit
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: audit
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/audit-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/audit-oidc-client"
--- a/apps/authentik/clients/chat-oidc-client.yaml
+++ b/apps/authentik/clients/chat-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: chat-oidc-client
  namespace: fc-chat
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: chat
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/chat-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/chat-oidc-client"
--- a/apps/authentik/clients/distribution-oidc-client.yaml
+++ b/apps/authentik/clients/distribution-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: distribution-oidc-client
  namespace: fc-distribution
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: distribution
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/distribution-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/distribution-oidc-client"
--- a/apps/authentik/clients/dms-oidc-client.yaml
+++ b/apps/authentik/clients/dms-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: dms-oidc-client
  namespace: fc-dms
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: dms
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/dms-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/dms-oidc-client"
--- a/apps/authentik/clients/dns-oidc-client.yaml
+++ b/apps/authentik/clients/dns-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: dns-oidc-client
  namespace: fc-dns
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: dns
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/dns-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/dns-oidc-client"
--- a/apps/authentik/clients/intranet-oidc-client.yaml
+++ b/apps/authentik/clients/intranet-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: intranet-oidc-client
  namespace: intranet
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: intranet
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/intranet-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/intranet-oidc-client"
--- a/apps/authentik/clients/irc-oidc-client.yaml
+++ b/apps/authentik/clients/irc-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: irc-oidc-client
  namespace: irc
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: irc
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/irc-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/irc-oidc-client"
--- a/apps/authentik/clients/kiosk-oidc-client.yaml
+++ b/apps/authentik/clients/kiosk-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: kiosk-oidc-client
  namespace: fc-system
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: kiosk
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/kiosk-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/kiosk-oidc-client"
--- a/apps/authentik/clients/knowledge-oidc-client.yaml
+++ b/apps/authentik/clients/knowledge-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: knowledge-oidc-client
  namespace: knowledge
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: knowledge
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/knowledge-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/knowledge-oidc-client"
--- a/apps/authentik/clients/library-oidc-client.yaml
+++ b/apps/authentik/clients/library-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: library-oidc-client
  namespace: fc-library
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: library
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/library-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/library-oidc-client"
--- a/apps/authentik/clients/licensing-oidc-client.yaml
+++ b/apps/authentik/clients/licensing-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: licensing-oidc-client
  namespace: fc-licensing
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: licensing
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/licensing-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/licensing-oidc-client"
--- a/apps/authentik/clients/llmbridge-oidc-client.yaml
+++ b/apps/authentik/clients/llmbridge-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: llmbridge-oidc-client
  namespace: fc-llm-bridge
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: llmbridge
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/llmbridge-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/llmbridge-oidc-client"
--- a/apps/authentik/clients/media-oidc-client.yaml
+++ b/apps/authentik/clients/media-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: media-oidc-client
  namespace: fc-media
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: media
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/media-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/media-oidc-client"
--- a/apps/authentik/clients/menuboard-oidc-client.yaml
+++ b/apps/authentik/clients/menuboard-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: menuboard-oidc-client
  namespace: fc-menuboard
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: menuboard
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/menuboard-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/menuboard-oidc-client"
--- a/apps/authentik/clients/messageboard-oidc-client.yaml
+++ b/apps/authentik/clients/messageboard-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: messageboard-oidc-client
  namespace: fc-messageboard
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: messageboard
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/messageboard-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/messageboard-oidc-client"
--- a/apps/authentik/clients/mike-bundle-oidc-client.yaml
+++ b/apps/authentik/clients/mike-bundle-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: mike-bundle-oidc-client
  namespace: fc-mike-bundle
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: mike-bundle
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/mike-bundle-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/mike-bundle-oidc-client"
--- a/apps/authentik/clients/mndot-oidc-client.yaml
+++ b/apps/authentik/clients/mndot-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: mndot-oidc-client
  namespace: fc-mndot
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: mndot
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/mndot-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/mndot-oidc-client"
--- a/apps/authentik/clients/mysql-oidc-client.yaml
+++ b/apps/authentik/clients/mysql-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: mysql-oidc-client
  namespace: fc-mysql
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: mysql
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/mysql-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/mysql-oidc-client"
--- a/apps/authentik/clients/php-oidc-client.yaml
+++ b/apps/authentik/clients/php-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: php-oidc-client
  namespace: fc-php
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: php
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/php-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/php-oidc-client"
--- a/apps/authentik/clients/pimanager-oidc-client.yaml
+++ b/apps/authentik/clients/pimanager-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: pimanager-oidc-client
  namespace: fc-pimanager
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: pimanager
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/pimanager-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/pimanager-oidc-client"
--- a/apps/authentik/clients/presentations-oidc-client.yaml
+++ b/apps/authentik/clients/presentations-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: presentations-oidc-client
  namespace: fc-presentations
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: presentations
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/presentations-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/presentations-oidc-client"
--- a/apps/authentik/clients/print-oidc-client.yaml
+++ b/apps/authentik/clients/print-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: print-oidc-client
  namespace: fc-print
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: print
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/print-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/print-oidc-client"
--- a/apps/authentik/clients/provisioning-oidc-client.yaml
+++ b/apps/authentik/clients/provisioning-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: provisioning-oidc-client
  namespace: fc-provisioning
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: provisioning
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/provisioning-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/provisioning-oidc-client"
--- a/apps/authentik/clients/remotedesktop-oidc-client.yaml
+++ b/apps/authentik/clients/remotedesktop-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: remotedesktop-oidc-client
  namespace: fc-desktop
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: remotedesktop
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/remotedesktop-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/remotedesktop-oidc-client"
--- a/apps/authentik/clients/retail-oidc-client.yaml
+++ b/apps/authentik/clients/retail-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: retail-oidc-client
  namespace: fc-retail
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: retail
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/retail-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/retail-oidc-client"
--- a/apps/authentik/clients/scoreboards-oidc-client.yaml
+++ b/apps/authentik/clients/scoreboards-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: scoreboards-oidc-client
  namespace: fc-scoreboard
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: scoreboards
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/scoreboards-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/scoreboards-oidc-client"
--- a/apps/authentik/clients/segmentdisplay-oidc-client.yaml
+++ b/apps/authentik/clients/segmentdisplay-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: segmentdisplay-oidc-client
  namespace: fc-segmentdisplay
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: segmentdisplay
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/segmentdisplay-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/segmentdisplay-oidc-client"
--- a/apps/authentik/clients/signage-oidc-client.yaml
+++ b/apps/authentik/clients/signage-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: signage-oidc-client
  namespace: fc-signage
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: signage
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/signage-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/signage-oidc-client"
--- a/apps/authentik/clients/signalcontrol-oidc-client.yaml
+++ b/apps/authentik/clients/signalcontrol-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: signalcontrol-oidc-client
  namespace: fc-signalcontrol
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: signalcontrol
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/signalcontrol-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/signalcontrol-oidc-client"
--- a/apps/authentik/clients/telephony-oidc-client.yaml
+++ b/apps/authentik/clients/telephony-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: telephony-oidc-client
  namespace: telephony
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: telephony
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/telephony-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/telephony-oidc-client"
--- a/apps/authentik/clients/ttsreader-oidc-client.yaml
+++ b/apps/authentik/clients/ttsreader-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: ttsreader-oidc-client
  namespace: fc-ttsreader
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: ttsreader
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/ttsreader-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/ttsreader-oidc-client"
--- a/apps/authentik/clients/worldbuilder-oidc-client.yaml
+++ b/apps/authentik/clients/worldbuilder-oidc-client.yaml
@@ -1,14 +0,0 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: worldbuilder-oidc-client
  namespace: fc-worldbuilder
  labels:
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/component: authentik-oidc-client
    flowercore.io/authentik-client-slug: worldbuilder
  annotations:
    flowercore.io/onepassword-item: "IAmWorkin/items/worldbuilder-oidc-client"
    flowercore.io/expected-fields: "client_id,client_secret,issuer_url"
 spec:
  itemPath: "vaults/IAmWorkin/items/worldbuilder-oidc-client"
--- a/apps/authentik/kustomization.yaml
+++ b/apps/authentik/kustomization.yaml
@@ -1,38 +0,0 @@
 # ArgoCD's bluejay-infra ApplicationSet sees apps/authentik as one app. Keep
 # an explicit resource list so the client manifests can live under clients/.
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - clients/library-oidc-client.yaml
  - clients/retail-oidc-client.yaml
  - clients/telephony-oidc-client.yaml
  - clients/knowledge-oidc-client.yaml
  - clients/llmbridge-oidc-client.yaml
  - clients/mysql-oidc-client.yaml
  - clients/php-oidc-client.yaml
  - clients/signage-oidc-client.yaml
  - clients/media-oidc-client.yaml
  - clients/dms-oidc-client.yaml
  - clients/pimanager-oidc-client.yaml
  - clients/distribution-oidc-client.yaml
  - clients/dns-oidc-client.yaml
  - clients/print-oidc-client.yaml
  - clients/aistation-oidc-client.yaml
  - clients/irc-oidc-client.yaml
  - clients/ttsreader-oidc-client.yaml
  - clients/chat-oidc-client.yaml
  - clients/intranet-oidc-client.yaml
  - clients/remotedesktop-oidc-client.yaml
  - clients/provisioning-oidc-client.yaml
  - clients/scoreboards-oidc-client.yaml
  - clients/mndot-oidc-client.yaml
  - clients/kiosk-oidc-client.yaml
  - clients/mike-bundle-oidc-client.yaml
  - clients/messageboard-oidc-client.yaml
  - clients/menuboard-oidc-client.yaml
  - clients/presentations-oidc-client.yaml
  - clients/segmentdisplay-oidc-client.yaml
  - clients/signalcontrol-oidc-client.yaml
  - clients/worldbuilder-oidc-client.yaml
  - clients/audit-oidc-client.yaml
  - clients/licensing-oidc-client.yaml
--- a/apps/fc-signage-appletv/README.md
+++ b/apps/fc-signage-appletv/README.md
@@ -0,0 +1,14 @@
 # fc-signage-appletv
 Apple TV signage is a sealed appliance running the `FlowerCore.Signage.Agent.AppleTv` tvOS app per ADR-134.
 This ApplicationSet entry is documentation and inventory metadata only. It intentionally creates no `Deployment`, `Service`, or `Pod`.
 The Apple TV app connects outbound to existing FC.Signage.Web surfaces:
 - `https://signage.iamworkin.lan/hub/signage` for SignalR live status.
 - `GET /api/v1/nodes/{nodeId}/state` for the 30 second polling fallback.
 - `POST /api/v1/nodes/register` and `POST /api/v1/nodes/{nodeId}/enroll` for pairing and mTLS enrollment.
 - `POST /api/v1/nodes/{nodeId}/heartbeat` for metrics, current content identity, and local audit excerpts.
 Distribution is via Apple Developer Enterprise Program or TestFlight plus FC.Distribution / UpdateCenter publishing once Apple credentials are available.
--- a/apps/fc-signage-appletv/kustomization.yaml
+++ b/apps/fc-signage-appletv/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - manifest.yaml
--- a/apps/fc-signage-appletv/manifest.yaml
+++ b/apps/fc-signage-appletv/manifest.yaml
@@ -0,0 +1,26 @@
 # Apple TV signage is a sealed tvOS appliance. This ArgoCD app intentionally
 # carries documentation metadata only; no Deployment, Service, or Pod resources
 # are created for the player.
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: fc-signage-appletv-docs
  namespace: fc-signage
  labels:
    app.kubernetes.io/name: fc-signage-appletv
    app.kubernetes.io/part-of: flowercore-signage
    flowercore.io/manifest-kind: docs-only
 data:
  README: |
    FlowerCore.Signage.Agent.AppleTv is distributed through Apple Developer
    Enterprise Program or TestFlight, not Kubernetes.
    The app connects outbound to FC.Signage.Web:
    - SignalR: https://signage.iamworkin.lan/hub/signage
    - Polling fallback: GET /api/v1/nodes/{nodeId}/state
    - Enrollment: POST /api/v1/nodes/{nodeId}/enroll
    - Heartbeat: POST /api/v1/nodes/{nodeId}/heartbeat
    This placeholder gives ArgoCD and inventory dashboards a first-class
    Apple TV signage app entry without creating runtime pods.
--- a/apps/fc-signage-pi-player/README.md
+++ b/apps/fc-signage-pi-player/README.md
@@ -0,0 +1,17 @@
 # FlowerCore Signage Pi Player
 Phase 1 Raspberry Pi signage player packaging for Chromium kiosk deployments.
 This bundle is intentionally air-gap friendly: systemd units, shell scripts,
 udev rules, and Chromium managed policy are all checked into the repo and are
 installed by `FlowerCore.Puppet`.
 ## Scope
 - Bootstrap a stable node identity and mTLS client certificate.
 - Launch Chromium in kiosk mode against `FC.Signage.Web` player routes.
 - Restart the kiosk on HDMI hotplug.
 - Renew mTLS certificates daily when fewer than 30 days remain.
 - Detect display capabilities at boot, daily, and on HDMI hotplug.
 Phase 2 native Avalonia rendering is documented separately in Notes and remains
 deferred.
--- a/apps/fc-signage-pi-player/chromium-policies/flowercore-signage.json
+++ b/apps/fc-signage-pi-player/chromium-policies/flowercore-signage.json
@@ -0,0 +1,15 @@
 {
  "AutofillAddressEnabled": false,
  "AutofillCreditCardEnabled": false,
  "PasswordManagerEnabled": false,
  "BrowserSignin": 0,
  "MetricsReportingEnabled": false,
  "SafeBrowsingProtectionLevel": 0,
  "DefaultNotificationsSetting": 2,
  "DefaultPopupsSetting": 2,
  "BackgroundModeEnabled": false,
  "DefaultBrowserSettingEnabled": false,
  "PromotionalTabsEnabled": false,
  "CommandLineFlagSecurityWarningsEnabled": false,
  "ExtensionInstallBlocklist": ["*"]
 }
--- a/apps/fc-signage-pi-player/scripts/fc-signage-detect-display
+++ b/apps/fc-signage-pi-player/scripts/fc-signage-detect-display
@@ -0,0 +1,132 @@
 #!/usr/bin/env bash
 set -euo pipefail
 NODE_JSON="/etc/flowercore/signage-node.json"
 CERT_DIR="/etc/fc-signage-player"
 SIGNAGE_URL="${FC_SIGNAGE_URL:-https://signage.iamworkin.lan}"
 NODE_ID=$(jq -r '.nodeId' "$NODE_JSON")
 CONNECTORS=()
 for dir in /sys/class/drm/card*-HDMI-A-*; do
  [[ -e "$dir/status" ]] || continue
  if [[ "$(cat "$dir/status")" == "connected" ]]; then
    CONNECTORS+=("$(basename "$dir")")
  fi
 done
 if [[ ${#CONNECTORS[@]} -eq 0 ]]; then
  CAPABILITIES_JSON=$(jq -n --arg id "$NODE_ID" '{
    nodeId: $id,
    platform: "linux-arm64-pi",
    displayConnected: false,
    detectedAt: (now | todate),
    note: "No HDMI display detected"
  }')
 else
  PRIMARY="${CONNECTORS[0]}"
  EDID_PATH="/sys/class/drm/${PRIMARY}/edid"
  WIDTH=0
  HEIGHT=0
  REFRESH=60
  HDR=false
  AUDIO_HDMI=false
  MFG=""
  MODEL=""
  PHYSICAL_SIZE=null
  if [[ -s "$EDID_PATH" ]] && command -v edid-decode >/dev/null 2>&1; then
    EDID_INFO=$(edid-decode < "$EDID_PATH" 2>/dev/null || true)
    MFG=$(echo "$EDID_INFO" | grep -m1 -oP 'Manufacturer:\s*\K\S+' || true)
    MODEL=$(echo "$EDID_INFO" | grep -m1 -oP 'Model:\s*\K\S+' || true)
    PREF=$(echo "$EDID_INFO" | grep -m1 -oP '\d+x\d+\s*@\s*\d+(?:\.\d+)?\s*Hz' || true)
    if [[ -n "$PREF" ]]; then
      WIDTH=$(echo "$PREF" | grep -oP '^\d+')
      HEIGHT=$(echo "$PREF" | grep -oP 'x\K\d+')
      REFRESH=$(echo "$PREF" | grep -oP '@\s*\K[\d.]+' | cut -d. -f1)
    fi
    if echo "$EDID_INFO" | grep -qiE 'HDR (Static|Dynamic) Metadata Block'; then HDR=true; fi
    if echo "$EDID_INFO" | grep -qiE 'CEA Audio Block|Audio Format Descriptor'; then AUDIO_HDMI=true; fi
    PH_W=$(echo "$EDID_INFO" | grep -m1 -oP 'Maximum image size:\s*\K\d+\s*cm\s*x\s*\d+' || true)
    if [[ -n "$PH_W" ]]; then
      PH_CM_W=$(echo "$PH_W" | grep -oP '^\d+')
      PH_CM_H=$(echo "$PH_W" | grep -oP 'x\s*\K\d+')
      if (( PH_CM_W > 0 && PH_CM_H > 0 )); then
        PHYSICAL_SIZE=$(awk -v w="$PH_CM_W" -v h="$PH_CM_H" 'BEGIN { printf "%.1f", sqrt(w*w + h*h)/2.54 }')
      fi
    fi
  fi
  if [[ "$WIDTH" == "0" ]] && command -v kmsprint >/dev/null 2>&1; then
    KMS=$(kmsprint 2>/dev/null | grep -A2 "$PRIMARY" | grep -oP '\d+x\d+' | head -1 || true)
    if [[ -n "$KMS" ]]; then
      WIDTH=$(echo "$KMS" | grep -oP '^\d+')
      HEIGHT=$(echo "$KMS" | grep -oP 'x\K\d+')
    fi
  fi
  AUDIO_ALSA=false
  if aplay -l 2>/dev/null | grep -qi 'card.*HDMI'; then AUDIO_ALSA=true; fi
  HAS_AUDIO=false
  if [[ "$AUDIO_HDMI" == "true" && "$AUDIO_ALSA" == "true" ]]; then HAS_AUDIO=true; fi
  CAPABILITIES_JSON=$(jq -n \
    --arg id "$NODE_ID" \
    --argjson w "$WIDTH" \
    --argjson h "$HEIGHT" \
    --argjson r "$REFRESH" \
    --argjson hdr "$HDR" \
    --argjson audio "$HAS_AUDIO" \
    --arg connector "$PRIMARY" \
    --arg mfg "$MFG" \
    --arg model "$MODEL" \
    --argjson size "$PHYSICAL_SIZE" \
    '{
      nodeId: $id,
      platform: "linux-arm64-pi",
      displayConnected: true,
      detectedAt: (now | todate),
      hardware: {
        maxResolution: { width: $w, height: $h },
        nativeResolution: { width: $w, height: $h },
        refreshRateHz: $r,
        colorDepth: ($hdr | if . then "Color30Hdr" else "Color24" end),
        hasAudioOutput: $audio,
        audioChannelCount: ($audio | if . then 2 else 0 end),
        physicalSizeInches: $size,
        connector: $connector,
        manufacturer: $mfg,
        modelName: $model
      },
      render: { codecs: ["h264", "vp9", "mp4"] }
    }')
 fi
 ENDPOINT_CANDIDATES=(
  "${SIGNAGE_URL}/api/v1/nodes/${NODE_ID}/capabilities"
  "${SIGNAGE_URL}/api/v1/displays/${NODE_ID}/capability-profile"
 )
 SUCCESS=false
 for url in "${ENDPOINT_CANDIDATES[@]}"; do
  HTTP_STATUS=$(curl -sk -o /tmp/cap-response.json -w "%{http_code}" \
    --max-time 10 \
    --cert "$CERT_DIR/client.crt" --key "$CERT_DIR/client.key" \
    -X POST "$url" \
    -H "Content-Type: application/json" \
    -d "$CAPABILITIES_JSON" || echo "000")
  if [[ "$HTTP_STATUS" == "200" || "$HTTP_STATUS" == "201" || "$HTTP_STATUS" == "204" ]]; then
    SUCCESS=true
    break
  fi
 done
 mkdir -p /var/log/fc-signage-player
 if [[ "$SUCCESS" != "true" ]]; then
  echo "[$(date -Is)] capability declare: no endpoint accepted the profile; logging locally" \
    | tee -a /var/log/fc-signage-player/capabilities.log
  echo "$CAPABILITIES_JSON" | tee -a /var/log/fc-signage-player/capabilities.log
 else
  echo "[$(date -Is)] capability declare: ok ($url)" | tee -a /var/log/fc-signage-player/capabilities.log
 fi
 echo "$CAPABILITIES_JSON"
--- a/apps/fc-signage-pi-player/scripts/flowercore-signage-bootstrap.sh
+++ b/apps/fc-signage-pi-player/scripts/flowercore-signage-bootstrap.sh
@@ -0,0 +1,144 @@
 #!/usr/bin/env bash
 set -euo pipefail
 NODE_JSON="/etc/flowercore/signage-node.json"
 CERT_DIR="/etc/fc-signage-player"
 SIGNAGE_URL="${FC_SIGNAGE_URL:-https://signage.iamworkin.lan}"
 SETUP_CODE_FILE="/etc/flowercore/signage-setup-code"
 mkdir -p /etc/flowercore "$CERT_DIR" /var/log/fc-signage-player
 chown fc-signage:fc-signage /etc/flowercore "$CERT_DIR" /var/log/fc-signage-player
 chmod 0750 "$CERT_DIR"
 if [[ -s "$NODE_JSON" && -s "$CERT_DIR/client.p12" ]]; then
  ENROLLED=$(jq -r '.enrolledAt // empty' "$NODE_JSON")
  if [[ -n "$ENROLLED" ]]; then
    echo "[$(date -Is)] bootstrap: already enrolled at $ENROLLED; skipping"
    exit 0
  fi
 fi
 if [[ -s "$NODE_JSON" ]]; then
  NODE_UUID=$(jq -r '.nodeUuid // empty' "$NODE_JSON")
  MACHINE_ID=$(jq -r '.machineId // empty' "$NODE_JSON")
 else
  NODE_UUID=$(uuidgen)
  MACHINE_ID=$(echo "$NODE_UUID" | tr -d '-' | cut -c1-16)
  jq -n --arg uuid "$NODE_UUID" --arg machine "$MACHINE_ID" --arg host "$(hostname -f)" --arg ts "$(date -Is)" \
    '{nodeUuid: $uuid, machineId: $machine, hostname: $host, platform: "linux-arm64-pi", createdAt: $ts}' \
    > "$NODE_JSON"
  chmod 0640 "$NODE_JSON"
  chown fc-signage:fc-signage "$NODE_JSON"
 fi
 SETUP_CODE=""
 if [[ -s "$SETUP_CODE_FILE" ]]; then
  SETUP_CODE=$(tr -d '\r\n\t ' < "$SETUP_CODE_FILE")
 fi
 MODEL=$(tr -d '\0' < /sys/firmware/devicetree/base/model 2>/dev/null || echo Unknown)
 REG_PAYLOAD=$(jq -n \
  --arg machine "$MACHINE_ID" \
  --arg name "$(hostname -f)" \
  --arg setup "$SETUP_CODE" \
  --arg resolution "1920x1080" \
  --arg model "$MODEL" \
  '{
    machineId: $machine,
    name: $name,
    setupCode: ($setup | if . == "" then null else . end),
    resolution: $resolution,
    hardwareModel: $model,
    platform: "linux-arm64-pi"
  }')
 for attempt in 1 2; do
  HTTP_STATUS=$(curl -sk -o /tmp/register-response.json -w "%{http_code}" \
    --max-time 15 \
    -X POST "${SIGNAGE_URL}/api/v1/nodes/register" \
    -H "Content-Type: application/json" \
    -d "$REG_PAYLOAD" || echo "000")
  if [[ "$HTTP_STATUS" == "200" || "$HTTP_STATUS" == "201" ]]; then
    break
  fi
  echo "[$(date -Is)] bootstrap: register attempt $attempt returned $HTTP_STATUS" >&2
  sleep 5
 done
 if [[ "$HTTP_STATUS" != "200" && "$HTTP_STATUS" != "201" ]]; then
  echo "[$(date -Is)] bootstrap: register failed after 2 attempts" >&2
  exit 2
 fi
 NODE_ID=$(jq -r '.nodeId // empty' /tmp/register-response.json)
 if [[ -z "$NODE_ID" ]]; then
  echo "[$(date -Is)] bootstrap: register response did not include nodeId" >&2
  exit 2
 fi
 jq --arg id "$NODE_ID" '.nodeId = $id' "$NODE_JSON" > "${NODE_JSON}.tmp" && mv "${NODE_JSON}.tmp" "$NODE_JSON"
 if [[ -s "$SETUP_CODE_FILE" ]]; then
  curl -sk -X POST "${SIGNAGE_URL}/api/v1/nodes/${NODE_ID}/approve-via-setup-code" \
    -H "Content-Type: application/json" \
    -d "{\"setupCode\":\"${SETUP_CODE}\"}" \
    -o /dev/null || true
 fi
 STATUS=""
 DEADLINE=$(( $(date +%s) + 1800 ))
 while (( $(date +%s) < DEADLINE )); do
  STATUS=$(curl -sk --max-time 5 "${SIGNAGE_URL}/api/v1/nodes/${NODE_ID}/status" | jq -r '.status // empty')
  if [[ "$STATUS" == "Approved" || "$STATUS" == "Enrolled" || "$STATUS" == "Online" ]]; then
    break
  fi
  sleep 15
 done
 if [[ "$STATUS" != "Approved" && "$STATUS" != "Enrolled" && "$STATUS" != "Online" ]]; then
  echo "[$(date -Is)] bootstrap: approval not granted within 30min budget" >&2
  exit 3
 fi
 KEY_PATH="${CERT_DIR}/client.key"
 CSR_PATH="${CERT_DIR}/client.csr"
 openssl ecparam -genkey -name prime256v1 -out "$KEY_PATH"
 openssl req -new -key "$KEY_PATH" -out "$CSR_PATH" \
  -subj "/CN=${NODE_ID}/O=FlowerCore/OU=SignagePlayer-Pi"
 ENROLL_PAYLOAD=$(jq -n --arg csr "$(cat "$CSR_PATH")" '{certificateSigningRequest: $csr}')
 HTTP_STATUS=$(curl -sk -o /tmp/enroll-response.json -w "%{http_code}" \
  --max-time 15 \
  -X POST "${SIGNAGE_URL}/api/v1/nodes/${NODE_ID}/enroll" \
  -H "Content-Type: application/json" \
  -d "$ENROLL_PAYLOAD")
 if [[ "$HTTP_STATUS" != "200" && "$HTTP_STATUS" != "201" ]]; then
  echo "[$(date -Is)] bootstrap: enroll failed with HTTP $HTTP_STATUS" >&2
  exit 4
 fi
 jq -r '.clientCertificatePem // .signedCertificatePem' /tmp/enroll-response.json > "${CERT_DIR}/client.crt"
 jq -r '.caCertificatePem' /tmp/enroll-response.json > "${CERT_DIR}/ca-chain.pem"
 P12_PASS=$(openssl rand -hex 24)
 echo -n "$P12_PASS" > "${CERT_DIR}/client.p12.pass"
 chmod 0600 "${CERT_DIR}/client.p12.pass"
 openssl pkcs12 -export \
  -inkey "$KEY_PATH" \
  -in "${CERT_DIR}/client.crt" \
  -certfile "${CERT_DIR}/ca-chain.pem" \
  -out "${CERT_DIR}/client.p12" \
  -password "pass:${P12_PASS}"
 chown fc-signage:fc-signage "${CERT_DIR}"/* "$NODE_JSON"
 chmod 0640 "${CERT_DIR}/client.p12" "${CERT_DIR}/client.crt" "${CERT_DIR}/ca-chain.pem" "$KEY_PATH"
 chmod 0600 "${CERT_DIR}/client.p12.pass"
 EXPIRY=$(openssl x509 -in "${CERT_DIR}/client.crt" -enddate -noout | sed 's/notAfter=//')
 jq --arg ts "$(date -Is)" --arg exp "$EXPIRY" \
  '.enrolledAt = $ts | .certExpiry = $exp' "$NODE_JSON" > "${NODE_JSON}.tmp" \
  && mv "${NODE_JSON}.tmp" "$NODE_JSON"
 systemctl start flowercore-signage-detect-display.service || true
 systemctl start flowercore-signage-player-pi.service || true
 echo "[$(date -Is)] bootstrap: enrolled and kiosk started (NodeId=${NODE_ID})"
--- a/apps/fc-signage-pi-player/scripts/flowercore-signage-hdmi-respond.sh
+++ b/apps/fc-signage-pi-player/scripts/flowercore-signage-hdmi-respond.sh
@@ -0,0 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 sleep 2
 systemctl start flowercore-signage-detect-display.service || true
 systemctl restart flowercore-signage-player-pi.service
--- a/apps/fc-signage-pi-player/scripts/flowercore-signage-launch.sh
+++ b/apps/fc-signage-pi-player/scripts/flowercore-signage-launch.sh
@@ -0,0 +1,44 @@
 #!/usr/bin/env bash
 set -euo pipefail
 NODE_JSON="/etc/flowercore/signage-node.json"
 NODE_ID=$(jq -r '.nodeId' "$NODE_JSON")
 SIGNAGE_URL="${FC_SIGNAGE_URL:-https://signage.iamworkin.lan}"
 CERT_DIR="/etc/fc-signage-player"
 CERT_THUMB=$(openssl pkcs12 -in "$CERT_DIR/client.p12" -passin file:"$CERT_DIR/client.p12.pass" -nodes -nokeys 2>/dev/null \
  | openssl x509 -fingerprint -sha256 -noout \
  | sed 's/.*=//' \
  | tr -d ':')
 PLAYER_URL="${SIGNAGE_URL}/player/${NODE_ID}/embed?token=${CERT_THUMB}"
 HTTP_STATUS=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 5 \
  --cert-type P12 --cert "$CERT_DIR/client.p12:$(cat "$CERT_DIR/client.p12.pass")" \
  "$PLAYER_URL" || echo "000")
 mkdir -p /var/log/fc-signage-player
 if [[ "$HTTP_STATUS" != "200" && "$HTTP_STATUS" != "301" && "$HTTP_STATUS" != "302" ]]; then
  echo "[$(date -Is)] /embed returned $HTTP_STATUS; falling back to /player/${NODE_ID}" \
    >> /var/log/fc-signage-player/url-divergence.log
  PLAYER_URL="${SIGNAGE_URL}/player/${NODE_ID}?token=${CERT_THUMB}"
 fi
 exec chromium-browser \
  --kiosk \
  --noerrdialogs \
  --disable-infobars \
  --disable-translate \
  --disable-features=TranslateUI,InfiniteSessionRestore \
  --autoplay-policy=no-user-gesture-required \
  --password-store=basic \
  --user-data-dir=/var/lib/fc-signage-player/profile \
  --disk-cache-dir=/var/lib/fc-signage-player/cache \
  --disk-cache-size=104857600 \
  --no-first-run \
  --no-default-browser-check \
  --check-for-update-interval=2592000 \
  --enable-features=OverlayScrollbar \
  --start-fullscreen \
  --window-position=0,0 \
  --window-size=1920,1080 \
  "$PLAYER_URL"
--- a/apps/fc-signage-pi-player/scripts/flowercore-signage-prelaunch.sh
+++ b/apps/fc-signage-pi-player/scripts/flowercore-signage-prelaunch.sh
@@ -0,0 +1,20 @@
 #!/usr/bin/env bash
 set -euo pipefail
 mkdir -p /var/log/fc-signage-player
 for f in /etc/flowercore/signage-node.json /etc/fc-signage-player/client.p12 /etc/fc-signage-player/client.p12.pass; do
  if [[ ! -r "$f" ]]; then
    echo "[$(date -Is)] prelaunch: missing or unreadable $f" >&2
    exit 1
  fi
 done
 if openssl pkcs12 -in /etc/fc-signage-player/client.p12 -passin file:/etc/fc-signage-player/client.p12.pass -nokeys -clcerts 2>/dev/null \
   | openssl x509 -checkend $((7*24*3600)) -noout; then
  :
 else
  echo "[$(date -Is)] prelaunch: client cert expires within 7 days" >&2
 fi
 echo "[$(date -Is)] prelaunch: ok" | tee -a /var/log/fc-signage-player/prelaunch.log
--- a/apps/fc-signage-pi-player/scripts/flowercore-signage-renew-cert.sh
+++ b/apps/fc-signage-pi-player/scripts/flowercore-signage-renew-cert.sh
@@ -0,0 +1,46 @@
 #!/usr/bin/env bash
 set -euo pipefail
 CERT_DIR="/etc/fc-signage-player"
 NODE_JSON="/etc/flowercore/signage-node.json"
 SIGNAGE_URL="${FC_SIGNAGE_URL:-https://signage.iamworkin.lan}"
 [[ -s "$CERT_DIR/client.crt" ]] || { echo "no cert to renew"; exit 0; }
 if openssl x509 -in "$CERT_DIR/client.crt" -checkend $((30*24*3600)) -noout; then
  exit 0
 fi
 NODE_ID=$(jq -r '.nodeId' "$NODE_JSON")
 NEW_KEY="$CERT_DIR/client.key.new"
 NEW_CSR="$CERT_DIR/client.csr.new"
 openssl ecparam -genkey -name prime256v1 -out "$NEW_KEY"
 openssl req -new -key "$NEW_KEY" -out "$NEW_CSR" \
  -subj "/CN=${NODE_ID}/O=FlowerCore/OU=SignagePlayer-Pi"
 HTTP_STATUS=$(curl -sk -o /tmp/renew-response.json -w "%{http_code}" \
  --cert "$CERT_DIR/client.crt" --key "$CERT_DIR/client.key" \
  -X POST "${SIGNAGE_URL}/api/v1/nodes/${NODE_ID}/renew" \
  -H "Content-Type: application/json" \
  -d "$(jq -n --arg csr "$(cat "$NEW_CSR")" '{certificateSigningRequest: $csr}')")
 if [[ "$HTTP_STATUS" != "200" && "$HTTP_STATUS" != "201" ]]; then
  echo "[$(date -Is)] renew: failed HTTP $HTTP_STATUS; leaving old cert in place" >&2
  exit 5
 fi
 jq -r '.clientCertificatePem // .signedCertificatePem' /tmp/renew-response.json > "$CERT_DIR/client.crt.new"
 jq -r '.caCertificatePem' /tmp/renew-response.json > "$CERT_DIR/ca-chain.pem.new"
 P12_PASS=$(cat "$CERT_DIR/client.p12.pass")
 openssl pkcs12 -export -inkey "$NEW_KEY" -in "$CERT_DIR/client.crt.new" \
  -certfile "$CERT_DIR/ca-chain.pem.new" \
  -out "$CERT_DIR/client.p12.new" -password "pass:${P12_PASS}"
 mv "$CERT_DIR/client.key.new" "$CERT_DIR/client.key"
 mv "$CERT_DIR/client.crt.new" "$CERT_DIR/client.crt"
 mv "$CERT_DIR/ca-chain.pem.new" "$CERT_DIR/ca-chain.pem"
 mv "$CERT_DIR/client.p12.new" "$CERT_DIR/client.p12"
 chown fc-signage:fc-signage "$CERT_DIR"/client.*
 systemctl restart flowercore-signage-player-pi.service
--- a/apps/fc-signage-pi-player/systemd/99-flowercore-signage-hdmi.rules
+++ b/apps/fc-signage-pi-player/systemd/99-flowercore-signage-hdmi.rules
@@ -0,0 +1,2 @@
 # Settle DRM for 2s before restarting Chromium, then redeclare capabilities.
 SUBSYSTEM=="drm", KERNEL=="card?-HDMI-A-?", ACTION=="change", RUN+="/usr/bin/systemctl start flowercore-signage-player-pi-hdmi.service"
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-bootstrap.service
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-bootstrap.service
@@ -0,0 +1,16 @@
 [Unit]
 Description=FlowerCore Signage Pi: first-boot identity + mTLS enrollment
 Wants=network-online.target
 After=network-online.target
 Before=flowercore-signage-player-pi.service
 [Service]
 Type=oneshot
 ExecStart=/usr/local/bin/flowercore-signage-bootstrap.sh
 RemainAfterExit=yes
 StandardOutput=journal
 StandardError=journal
 TimeoutStartSec=2100
 [Install]
 WantedBy=multi-user.target
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-detect-display.service
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-detect-display.service
@@ -0,0 +1,8 @@
 [Unit]
 Description=FlowerCore Signage Pi: detect connected display + declare capabilities
 After=flowercore-signage-bootstrap.service
 [Service]
 Type=oneshot
 User=fc-signage
 ExecStart=/usr/local/bin/fc-signage-detect-display
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-detect-display.timer
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-detect-display.timer
@@ -0,0 +1,11 @@
 [Unit]
 Description=Daily FlowerCore Signage Pi display capability redeclaration
 [Timer]
 OnCalendar=daily
 RandomizedDelaySec=1h
 Persistent=true
 OnBootSec=30s
 [Install]
 WantedBy=timers.target
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-player-pi-hdmi.service
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-player-pi-hdmi.service
@@ -0,0 +1,7 @@
 [Unit]
 Description=FlowerCore Signage Pi Player HDMI hotplug responder
 DefaultDependencies=no
 [Service]
 Type=oneshot
 ExecStart=/usr/local/bin/flowercore-signage-hdmi-respond.sh
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-player-pi.service
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-player-pi.service
@@ -0,0 +1,30 @@
 [Unit]
 Description=FlowerCore Digital Signage Pi Player (Chromium kiosk)
 Documentation=https://github.com/astoltz/FlowerCore.Notes/blob/master/docs/standards/appletv-pi-signage-agents-design.md
 Wants=network-online.target
 After=network-online.target graphical.target
 ConditionPathExists=/etc/flowercore/signage-node.json
 ConditionPathExists=/etc/fc-signage-player/client.p12
 [Service]
 Type=simple
 User=fc-signage
 Group=fc-signage
 WorkingDirectory=/var/lib/fc-signage-player
 EnvironmentFile=-/etc/flowercore/signage-player.env
 ExecStartPre=/usr/local/bin/flowercore-signage-prelaunch.sh
 ExecStart=/usr/local/bin/flowercore-signage-launch.sh
 Restart=always
 RestartSec=10s
 StartLimitBurst=5
 StartLimitIntervalSec=300s
 MemoryMax=2G
 MemoryHigh=1500M
 ProtectSystem=strict
 ProtectHome=true
 ReadWritePaths=/var/lib/fc-signage-player /var/log/fc-signage-player
 PrivateTmp=true
 NoNewPrivileges=true
 [Install]
 WantedBy=graphical.target
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-renew.service
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-renew.service
@@ -0,0 +1,6 @@
 [Unit]
 Description=FlowerCore Signage Pi: cert renewal worker
 [Service]
 Type=oneshot
 ExecStart=/usr/local/bin/flowercore-signage-renew-cert.sh
--- a/apps/fc-signage-pi-player/systemd/flowercore-signage-renew.timer
+++ b/apps/fc-signage-pi-player/systemd/flowercore-signage-renew.timer
@@ -0,0 +1,10 @@
 [Unit]
 Description=Daily check for FlowerCore Signage Pi cert renewal
 [Timer]
 OnCalendar=daily
 RandomizedDelaySec=2h
 Persistent=true
 [Install]
 WantedBy=timers.target
--- a/apps/fc-signage-pi-player/tests/display_capability.bats
+++ b/apps/fc-signage-pi-player/tests/display_capability.bats
@@ -0,0 +1,22 @@
 #!/usr/bin/env bats
 setup() {
  APP_ROOT="$(cd "$BATS_TEST_DIRNAME/.." && pwd)"
  DETECT="$APP_ROOT/scripts/fc-signage-detect-display"
 }
@test "display detection emits graceful disconnected profile when no hdmi connector is present" {
  script="$(cat "$DETECT")"
  [[ "$script" == *"displayConnected: false"* ]]
  [[ "$script" == *"No HDMI display detected"* ]]
 }
@test "display detection parses edid, falls back to kmsprint, and logs endpoint failures locally" {
  script="$(cat "$DETECT")"
  [[ "$script" == *"edid-decode"* ]]
  [[ "$script" == *"HDR (Static|Dynamic) Metadata Block"* ]]
  [[ "$script" == *"kmsprint"* ]]
  [[ "$script" == *"/api/v1/nodes/\${NODE_ID}/capabilities"* ]]
  [[ "$script" == *"/api/v1/displays/\${NODE_ID}/capability-profile"* ]]
  [[ "$script" == *"capabilities.log"* ]]
 }
--- a/apps/fc-signage-pi-player/tests/identity_bootstrap.bats
+++ b/apps/fc-signage-pi-player/tests/identity_bootstrap.bats
@@ -0,0 +1,64 @@
 #!/usr/bin/env bats
 setup() {
  APP_ROOT="$(cd "$BATS_TEST_DIRNAME/.." && pwd)"
  BOOTSTRAP="$APP_ROOT/scripts/flowercore-signage-bootstrap.sh"
  RENEW="$APP_ROOT/scripts/flowercore-signage-renew-cert.sh"
 }
@test "bootstrap is idempotent when node is already enrolled" {
  script="$(cat "$BOOTSTRAP")"
  [[ "$script" == *'[[ -s "$NODE_JSON" && -s "$CERT_DIR/client.p12" ]]'* ]]
  [[ "$script" == *"already enrolled"* ]]
  [[ "$script" == *"exit 0"* ]]
 }
@test "bootstrap generates a stable node uuid and machine id" {
  script="$(cat "$BOOTSTRAP")"
  [[ "$script" == *"uuidgen"* ]]
  [[ "$script" == *"nodeUuid"* ]]
  [[ "$script" == *"machineId"* ]]
  [[ "$script" == *"cut -c1-16"* ]]
 }
@test "bootstrap posts to the canonical register endpoint" {
  grep -q '/api/v1/nodes/register' "$BOOTSTRAP"
  grep -q '"linux-arm64-pi"' "$BOOTSTRAP"
 }
@test "bootstrap retries registration once for first-call races" {
  script="$(cat "$BOOTSTRAP")"
  [[ "$script" == *"for attempt in 1 2"* ]]
  [[ "$script" == *"register attempt \$attempt returned"* ]]
  [[ "$script" == *"sleep 5"* ]]
 }
@test "bootstrap supports setup-code approval with manual polling fallback" {
  script="$(cat "$BOOTSTRAP")"
  [[ "$script" == *"signage-setup-code"* ]]
  [[ "$script" == *"approve-via-setup-code"* ]]
  [[ "$script" == *"+ 1800"* ]]
  [[ "$script" == *"sleep 15"* ]]
 }
@test "bootstrap generates an ecdsa p256 csr for the signage pi subject" {
  script="$(cat "$BOOTSTRAP")"
  [[ "$script" == *"ecparam -genkey -name prime256v1"* ]]
  [[ "$script" == *'/CN=${NODE_ID}/O=FlowerCore/OU=SignagePlayer-Pi'* ]]
 }
@test "bootstrap writes pkcs12 bundle with restrictive permissions" {
  script="$(cat "$BOOTSTRAP")"
  [[ "$script" == *"openssl pkcs12 -export"* ]]
  [[ "$script" == *"client.p12.pass"* ]]
  [[ "$script" == *"chmod 0640"* ]]
  [[ "$script" == *"chmod 0600"* ]]
 }
@test "renewal only calls renew endpoint inside the thirty-day window and swaps atomically" {
  script="$(cat "$RENEW")"
  [[ "$script" == *'-checkend $((30*24*3600))'* ]]
  [[ "$script" == *"/api/v1/nodes/\${NODE_ID}/renew"* ]]
  [[ "$script" == *"client.key.new"* ]]
  [[ "$script" == *'mv "$CERT_DIR/client.p12.new"   "$CERT_DIR/client.p12"'* ]]
 }
--- a/apps/fc-signage-pi-player/tests/systemd_kiosk_wrapper.bats
+++ b/apps/fc-signage-pi-player/tests/systemd_kiosk_wrapper.bats
@@ -0,0 +1,68 @@
 #!/usr/bin/env bats
 setup() {
  APP_ROOT="$(cd "$BATS_TEST_DIRNAME/.." && pwd)"
 }
@test "player unit exists" {
  [ -f "$APP_ROOT/systemd/flowercore-signage-player-pi.service" ]
 }
@test "player unit uses simple chromium service with restart backoff" {
  unit="$(cat "$APP_ROOT/systemd/flowercore-signage-player-pi.service")"
  [[ "$unit" == *"Type=simple"* ]]
  [[ "$unit" == *"Restart=always"* ]]
  [[ "$unit" == *"RestartSec=10s"* ]]
  [[ "$unit" == *"StartLimitBurst=5"* ]]
  [[ "$unit" == *"StartLimitIntervalSec=300s"* ]]
 }
@test "player unit caps chromium memory at two gigabytes" {
  grep -q '^MemoryMax=2G$' "$APP_ROOT/systemd/flowercore-signage-player-pi.service"
  grep -q '^MemoryHigh=1500M$' "$APP_ROOT/systemd/flowercore-signage-player-pi.service"
 }
@test "player unit condition-gates startup on identity and p12 certificate" {
  grep -q '^ConditionPathExists=/etc/flowercore/signage-node.json$' "$APP_ROOT/systemd/flowercore-signage-player-pi.service"
  grep -q '^ConditionPathExists=/etc/fc-signage-player/client.p12$' "$APP_ROOT/systemd/flowercore-signage-player-pi.service"
 }
@test "player unit runs prelaunch checks before chromium" {
  grep -q '^ExecStartPre=/usr/local/bin/flowercore-signage-prelaunch.sh$' "$APP_ROOT/systemd/flowercore-signage-player-pi.service"
  grep -q '^ExecStart=/usr/local/bin/flowercore-signage-launch.sh$' "$APP_ROOT/systemd/flowercore-signage-player-pi.service"
 }
@test "hdmi udev rule routes through the two-second settle service" {
  rule="$(cat "$APP_ROOT/systemd/99-flowercore-signage-hdmi.rules")"
  [[ "$rule" == *'KERNEL=="card?-HDMI-A-?"'* ]]
  [[ "$rule" == *"systemctl start flowercore-signage-player-pi-hdmi.service"* ]]
  [[ "$rule" != *"systemctl restart flowercore-signage-player-pi.service"* ]]
 }
@test "hdmi responder settles, declares display, then restarts chromium" {
  responder="$(cat "$APP_ROOT/scripts/flowercore-signage-hdmi-respond.sh")"
  [[ "$responder" == *"sleep 2"* ]]
  [[ "$responder" == *"systemctl start flowercore-signage-detect-display.service"* ]]
  [[ "$responder" == *"systemctl restart flowercore-signage-player-pi.service"* ]]
 }
@test "chromium policy json is valid and disables credential prompts" {
  command -v jq >/dev/null || skip "jq not installed"
  jq -e '.AutofillAddressEnabled == false and .AutofillCreditCardEnabled == false and .PasswordManagerEnabled == false' \
    "$APP_ROOT/chromium-policies/flowercore-signage.json" >/dev/null
 }
@test "launch script tries embed URL and logs bare-player fallback" {
  launch="$(cat "$APP_ROOT/scripts/flowercore-signage-launch.sh")"
  [[ "$launch" == *'/player/${NODE_ID}/embed?token=${CERT_THUMB}'* ]]
  [[ "$launch" == *"url-divergence.log"* ]]
  [[ "$launch" == *'/player/${NODE_ID}?token=${CERT_THUMB}'* ]]
 }
@test "prelaunch script validates required node and cert files" {
  prelaunch="$(cat "$APP_ROOT/scripts/flowercore-signage-prelaunch.sh")"
  [[ "$prelaunch" == *"/etc/flowercore/signage-node.json"* ]]
  [[ "$prelaunch" == *"/etc/fc-signage-player/client.p12"* ]]
  [[ "$prelaunch" == *"/etc/fc-signage-player/client.p12.pass"* ]]
  [[ "$prelaunch" == *"exit 1"* ]]
 }
--- a/apps/github-runner/README.md
+++ b/apps/github-runner/README.md
@@ -0,0 +1,61 @@
 # GitHub Runner Fleet
 ArgoCD owns `apps/github-runner/github-runner.yaml`. Do not patch live runner
 Deployments with `kubectl`; update this manifest and let ArgoCD reconcile.
 ## Runner Shape
 All repo-scoped Linux runners use:
 - `ACCESS_TOKEN` from the `github-runner-token` Secret
 - `RUN_AS_ROOT=false`
 - `EPHEMERAL=true`
 - `LABELS=self-hosted,linux,fc-build-linux`
 - writable non-root paths under `/home/runner` for .NET, NuGet, XDG cache, and
  Actions tool cache
 `github-runner` for `FlowerCore.Common` is single-replica because it retains the
 original Longhorn ReadWriteOnce NuGet PVC. `github-runner-sharedpos` and the top
 Linux-cost repo runners use two replicas with per-pod `emptyDir` caches. That is
 the safe backlog-drain strategy: no two pods share one RWO PVC.
 ## Post-Merge Proof
 After the PR is merged and ArgoCD syncs, verify the runner fleet:
 ```bash
 kubectl -n github-runner get deploy,pods,pvc
 ```
 Verify GitHub registration for the repo-scoped runners:
 ```bash
 for repo in FlowerCore.Common FlowerCore.Shared.Pos FlowerCore.Puppet FlowerCore.Signage \
            FlowerCore.DMS FlowerCore.Telephony FlowerCore.Print.Web FlowerCore.Chat \
            FlowerCore.MySQL FlowerCore.Kiosk.Linux; do
  echo "=== $repo ==="
  gh api "/repos/astoltz/$repo/actions/runners" \
    --jq '.runners[] | select(.labels[].name == "fc-build-linux") | {name,status,busy,labels:[.labels[].name]}'
 done
 ```
 Shared.Pos publish proof after the runner pod is online:
 ```bash
 gh run list --repo astoltz/FlowerCore.Shared.Pos \
  --workflow "Build, Test & Publish" --branch main --limit 5
 ```
 If the latest run is still queued after runner registration, rerun the workflow
 from GitHub Actions and verify it lands on an `rke2-linux-*` runner.
 ## Failure Notes
 - `actions/setup-dotnet` permission error at `/usr/share/dotnet`: check that
  `DOTNET_INSTALL_DIR=/home/runner/.dotnet` and related cache env vars are
  present on the runner pod.
 - `404` during runner registration: the fine-grained PAT is valid but missing
  repository access for that repo. Add the repo to the PAT access list; the PAT
  value does not change.
 - `Multi-Attach` volume error: only the Common runner uses a RWO PVC and it must
  stay single-replica. New multi-replica runners use `emptyDir`.
--- a/apps/github-runner/github-runner.yaml
+++ b/apps/github-runner/github-runner.yaml
--- a/apps/monitoring/noc-monitoring.yaml
+++ b/apps/monitoring/noc-monitoring.yaml
@@ -75,6 +75,20 @@ data:
              cluster: "rke2"
              role: "agent"
      # Mac mini macOS runner node (INFRA VLAN)
      - job_name: "macmini-node"
        scrape_timeout: 15s
        static_configs:
          - targets: ["10.0.56.115:9100"]
            labels:
              instance: "macmini"
              host: "macmini.iamworkin.lan"
              vlan: "infra"
              arch: "arm64"
              role: "macos-runner"
              puppet_managed: "true"
              puppet_server: "puppet.iamworkin.lan"
      # In-cluster node-exporter DaemonSet
      - job_name: "k8s-node-exporter"
        kubernetes_sd_configs:
@@ -697,6 +711,36 @@ data:
              summary: "Print.Web Ollama runner held for >10m ({{ $labels.model }})"
              description: "Print.Web reports model {{ $labels.model }} with {{ $value | printf \"%.0f\" }}s of keep-alive remaining. Check concurrent requests before the Pi 5 Ollama lane thrashes."
      - name: macmini-runners
        rules:
          - alert: MacMiniRunnerOffline
            expr: (flowercore_github_runner_online{runner=~"macmini-.*"} == 0) or absent(flowercore_github_runner_online{runner=~"macmini-.*"})
            for: 10m
            labels:
              severity: warning
              service: github-runner
            annotations:
              summary: "Mac mini GitHub runner offline ({{ $labels.runner }})"
              description: "A macmini-* GitHub Actions runner has not reported online for more than 10 minutes. Puppet manages its LaunchDaemon under /Library/LaunchDaemons/io.flowercore.github-runner-<slug>.plist; runners survive reboot and do not require a GUI session."
      - name: linux-runners
        rules:
          - alert: LinuxRunnerOffline
            expr: |
              kube_deployment_status_replicas_ready{
                namespace="github-runner",
                deployment=~"github-runner(|-(sharedpos|puppet|signage|dms|telephony|print-web|chat|mysql|kiosk-linux))"
              } == 0
            for: 5m
            labels:
              severity: warning
              alert_channel: irc
              service: github-runner
              team: ci
            annotations:
              summary: "Linux CI runner offline: {{ $labels.deployment }}"
              description: "Deployment {{ $labels.deployment }} in namespace github-runner has 0 ready replicas for more than 5 minutes. CI jobs targeting this repo will queue until the runner pod restarts and re-registers with GitHub. Check pods with: kubectl -n github-runner get pods -l app.kubernetes.io/name={{ $labels.deployment }}. Check logs with: kubectl -n github-runner logs -l app.kubernetes.io/name={{ $labels.deployment }} --tail=50. Common causes: PAT missing repo access, runner CrashLoopBackOff, or node/resource pressure."
      - name: remote-desktop
        rules:
          - alert: RemoteDesktopWebDown
@@ -3395,6 +3439,39 @@ data:
                relativeTimeRange: {from: 120, to: 0}
                datasourceUid: __expr__
                model: {type: threshold, expression: B, conditions: [{evaluator: {params: [600], type: gt}}], refId: C}
      - orgId: 1
        name: CI Runners
        folder: CI Alerts
        interval: 1m
        rules:
          - uid: linux-runner-offline
            title: LinuxRunnerOffline
            condition: C
            for: 5m
            noDataState: OK
            execErrState: Error
            annotations:
              summary: "Linux CI runner offline: {{ $labels.deployment }}"
              description: "A github-runner namespace Deployment has 0 ready replicas for more than 5 minutes. CI jobs targeting that repo will queue until the runner pod restarts and re-registers."
              runbook: "1. kubectl -n github-runner get pods -l app.kubernetes.io/name={{ $labels.deployment }} 2. kubectl -n github-runner logs -l app.kubernetes.io/name={{ $labels.deployment }} --tail=50 3. Verify PAT repo access if registration returns 404 4. Verify no RWO PVC is shared by scaled runners"
            labels:
              severity: warning
              service: github-runner
              alert_channel: irc
              team: ci
            data:
              - refId: A
                relativeTimeRange: {from: 300, to: 0}
                datasourceUid: prometheus
                model: {expr: 'kube_deployment_status_replicas_ready{namespace="github-runner",deployment=~"github-runner(|-(sharedpos|puppet|signage|dms|telephony|print-web|chat|mysql|kiosk-linux))"} == 0', instant: true, refId: A}
              - refId: B
                relativeTimeRange: {from: 300, to: 0}
                datasourceUid: __expr__
                model: {type: reduce, expression: A, reducer: last, refId: B}
              - refId: C
                relativeTimeRange: {from: 300, to: 0}
                datasourceUid: __expr__
                model: {type: threshold, expression: B, conditions: [{evaluator: {params: [0], type: gt}}], refId: C}
      - orgId: 1
        name: Infrastructure
        folder: AI Stack Alerts
@@ -3427,6 +3504,32 @@ data:
                relativeTimeRange: {from: 120, to: 0}
                datasourceUid: __expr__
                model: {type: threshold, expression: B, conditions: [{evaluator: {params: [1], type: lt}}], refId: C}
          - uid: macmini-runner-offline
            title: MacMiniRunnerOffline
            condition: C
            for: 10m
            noDataState: Alerting
            execErrState: OK
            annotations:
              summary: Mac mini GitHub runner offline
              description: "One or more macmini-* GitHub Actions runners have not reported online for more than 10 minutes. LaunchDaemons survive reboot and do not require the bluejay GUI session."
              runbook: "1. ssh fcadmin@macmini.iamworkin.lan 2. launchctl print system/io.flowercore.github-runner-<slug> 3. Check /Users/fcadmin/Library/Logs/github-runners/<slug>/stderr.log 4. Re-register the repo runner if .runner is missing"
            labels:
              severity: warning
              service: github-runner
            data:
              - refId: A
                relativeTimeRange: {from: 600, to: 0}
                datasourceUid: prometheus
                model: {expr: 'min(flowercore_github_runner_online{runner=~"macmini-.*"} or vector(0))', instant: true, refId: A}
              - refId: B
                relativeTimeRange: {from: 600, to: 0}
                datasourceUid: __expr__
                model: {type: reduce, expression: A, reducer: last, refId: B}
              - refId: C
                relativeTimeRange: {from: 600, to: 0}
                datasourceUid: __expr__
                model: {type: threshold, expression: B, conditions: [{evaluator: {params: [1], type: lt}}], refId: C}
          - uid: high-cpu
            title: High CPU (>85%)
            condition: C
--- a/apps/zabbix/zabbix.yaml
+++ b/apps/zabbix/zabbix.yaml
@@ -305,15 +305,17 @@ spec:
              path: /
              port: 8080
            initialDelaySeconds: 60
-            timeoutSeconds: 5
+            timeoutSeconds: 15
            periodSeconds: 10
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 5
-            timeoutSeconds: 5
+            timeoutSeconds: 15
            failureThreshold: 3
 ---
 apiVersion: v1
 kind: Service
--- a/scripts/authentik-bulk-client-create.py
+++ b/scripts/authentik-bulk-client-create.py
@@ -1,416 +0,0 @@
 #!/usr/bin/env python3
 """Generate and optionally apply FlowerCore Authentik OIDC client assets.
 Dry-run is the default. Live Authentik mutations require --apply plus an
 AUTHENTIK_TOKEN bearer token and an operator-provided client secret JSON file.
 The script never prints client_secret values.
 """
 from __future__ import annotations
 import argparse
 import json
 import os
 import sys
 import urllib.error
 import urllib.parse
 import urllib.request
 from dataclasses import dataclass
 from typing import Any
 CLAIMS = (
    "fc:roles",
    "fc:tenant",
    "fc:svc",
    "fc:scope",
    "fc:mfa",
    "flowercore_actor_id",
 )
 BUILTIN_SCOPE_MAPPINGS = (
    "goauthentik.io/providers/oauth2/scope-openid",
    "goauthentik.io/providers/oauth2/scope-profile",
    "goauthentik.io/providers/oauth2/scope-email",
    "goauthentik.io/providers/oauth2/scope-offline_access",
 )
 FLOW_CONTRACT = {
    "response_type": "code",
    "grant_types": ["authorization_code", "refresh_token"],
    "offline_access_required": True,
 }
@dataclass(frozen=True)
 class ServiceSpec:
    slug: str
    namespace: str
    display_name: str
    host: str
    @property
    def client_id(self) -> str:
        return self.slug
    @property
    def provider_name(self) -> str:
        return f"FlowerCore {self.display_name} OIDC"
    @property
    def application_name(self) -> str:
        return f"FlowerCore {self.display_name}"
    @property
    def issuer_url(self) -> str:
        return f"https://id.iamworkin.lan/application/o/{self.slug}/"
    @property
    def onepassword_item_path(self) -> str:
        return f"IAmWorkin/items/{self.slug}-oidc-client"
 SERVICE_SPECS = (
    ServiceSpec("library", "fc-library", "Library", "library.iamworkin.lan"),
    ServiceSpec("retail", "fc-retail", "Retail", "retail.iamworkin.lan"),
    ServiceSpec("telephony", "telephony", "Telephony", "telephony.iamworkin.lan"),
    ServiceSpec("knowledge", "knowledge", "Knowledge", "knowledge.iamworkin.lan"),
    ServiceSpec("llmbridge", "fc-llm-bridge", "LlmBridge", "fc-llm-bridge.iamworkin.lan"),
    ServiceSpec("mysql", "fc-mysql", "MySQL", "mysql.iamworkin.lan"),
    ServiceSpec("php", "fc-php", "PHP", "php.iamworkin.lan"),
    ServiceSpec("signage", "fc-signage", "Signage", "signage.iamworkin.lan"),
    ServiceSpec("media", "fc-media", "Media", "media.iamworkin.lan"),
    ServiceSpec("dms", "fc-dms", "DMS", "dms.iamworkin.lan"),
    ServiceSpec("pimanager", "fc-pimanager", "PiManager", "pimanager.iamworkin.lan"),
    ServiceSpec("distribution", "fc-distribution", "Distribution", "distribution.iamworkin.lan"),
    ServiceSpec("dns", "fc-dns", "DNS", "dns.iamworkin.lan"),
    ServiceSpec("print", "fc-print", "Print", "print.iamworkin.lan"),
    ServiceSpec("aistation", "fc-aistation", "AiStation", "aistation.iamworkin.lan"),
    ServiceSpec("irc", "irc", "IRC", "irc.iamworkin.lan"),
    ServiceSpec("ttsreader", "fc-ttsreader", "TtsReader", "ttsreader.iamworkin.lan"),
    ServiceSpec("chat", "fc-chat", "Chat", "chat.iamworkin.lan"),
    ServiceSpec("intranet", "intranet", "Intranet", "intranet.iamworkin.lan"),
    ServiceSpec("remotedesktop", "fc-desktop", "RemoteDesktop", "remotedesktop.iamworkin.lan"),
    ServiceSpec("provisioning", "fc-provisioning", "Provisioning", "provisioning.iamworkin.lan"),
    ServiceSpec("scoreboards", "fc-scoreboard", "Scoreboards", "scoreboards.iamworkin.lan"),
    ServiceSpec("mndot", "fc-mndot", "MnDOT", "mndot.iamworkin.lan"),
    ServiceSpec("kiosk", "fc-system", "Kiosk", "kiosk.iamworkin.lan"),
    ServiceSpec("mike-bundle", "fc-mike-bundle", "Mike Bundle", "mike-bundle.iamworkin.lan"),
    ServiceSpec("messageboard", "fc-messageboard", "MessageBoard", "messageboard.iamworkin.lan"),
    ServiceSpec("menuboard", "fc-menuboard", "MenuBoard", "menuboard.iamworkin.lan"),
    ServiceSpec("presentations", "fc-presentations", "Presentations", "presentations.iamworkin.lan"),
    ServiceSpec("segmentdisplay", "fc-segmentdisplay", "SegmentDisplay", "segmentdisplay.iamworkin.lan"),
    ServiceSpec("signalcontrol", "fc-signalcontrol", "SignalControl", "signalcontrol.iamworkin.lan"),
    ServiceSpec("worldbuilder", "fc-worldbuilder", "WorldBuilder", "worldbuilder.iamworkin.lan"),
    ServiceSpec("audit", "fc-audit", "Audit", "audit.iamworkin.lan"),
    ServiceSpec("licensing", "fc-licensing", "Licensing", "licensing.iamworkin.lan"),
 )
 def scope_mapping_payloads(service: ServiceSpec) -> list[dict[str, str]]:
    managed_prefix = f"flowercore.io/authentik/oidc/{service.slug}"
    return [
        {
            "managed": f"{managed_prefix}/fc-roles",
            "name": f"FlowerCore {service.slug} fc:roles",
            "scope_name": "flowercore",
            "description": "FlowerCore role claim from Authentik group memberships.",
            "expression": (
                "groups = [group.name for group in request.user.ak_groups.all()]\n"
                "return {'fc:roles': ','.join(groups)}"
            ),
        },
        {
            "managed": f"{managed_prefix}/fc-tenant",
            "name": f"FlowerCore {service.slug} fc:tenant",
            "scope_name": "flowercore",
            "description": "FlowerCore tenant claim from group attribute fc_tenant_id.",
            "expression": (
                "for group in request.user.ak_groups.all():\n"
                "    tenant_id = group.attributes.get('fc_tenant_id')\n"
                "    if tenant_id:\n"
                "        return {'fc:tenant': tenant_id}\n"
                "return {'fc:tenant': 'default'}"
            ),
        },
        {
            "managed": f"{managed_prefix}/fc-svc",
            "name": f"FlowerCore {service.slug} fc:svc",
            "scope_name": "flowercore",
            "description": "FlowerCore service slug claim.",
            "expression": f"return {{'fc:svc': '{service.slug}'}}",
        },
        {
            "managed": f"{managed_prefix}/fc-scope",
            "name": f"FlowerCore {service.slug} fc:scope",
            "scope_name": "flowercore",
            "description": "FlowerCore service permission scope claim.",
            "expression": f"return {{'fc:scope': 'flowercore:{service.slug}'}}",
        },
        {
            "managed": f"{managed_prefix}/fc-mfa",
            "name": f"FlowerCore {service.slug} fc:mfa",
            "scope_name": "flowercore",
            "description": "FlowerCore MFA satisfied session claim.",
            "expression": (
                "mfa_stage = request.session.get('authentik/stages/authenticator_validate')\n"
                "return {'fc:mfa': bool(mfa_stage)}"
            ),
        },
        {
            "managed": f"{managed_prefix}/flowercore-actor-id",
            "name": f"FlowerCore {service.slug} flowercore_actor_id",
            "scope_name": "flowercore",
            "description": "FlowerCore audit actor alias for the Authentik user id.",
            "expression": "return {'flowercore_actor_id': str(request.user.uid)}",
        },
    ]
 def provider_payload(
    service: ServiceSpec,
    args: argparse.Namespace,
    mapping_ids: list[str],
    client_secret: str,
 ) -> dict[str, Any]:
    payload: dict[str, Any] = {
        "name": service.provider_name,
        "authorization_flow": args.authorization_flow,
        "invalidation_flow": args.invalidation_flow,
        "property_mappings": mapping_ids,
        "client_type": "confidential",
        "client_id": service.client_id,
        "client_secret": client_secret,
        "access_code_validity": "minutes=1",
        "access_token_validity": "hours=1",
        "refresh_token_validity": "days=30",
        "include_claims_in_id_token": True,
        "redirect_uris": [
            {"matching_mode": "strict", "url": f"https://{service.host}/signin-oidc"},
            {"matching_mode": "strict", "url": f"https://{service.host}/signout-callback-oidc"},
        ],
        "sub_mode": "hashed_user_id",
        "issuer_mode": "per_provider",
    }
    if args.authentication_flow:
        payload["authentication_flow"] = args.authentication_flow
    if args.signing_key:
        payload["signing_key"] = args.signing_key
    return payload
 def application_payload(service: ServiceSpec, provider_pk: int | str | None) -> dict[str, Any]:
    return {
        "name": service.application_name,
        "slug": service.slug,
        "provider": provider_pk,
        "open_in_new_tab": True,
        "meta_launch_url": f"https://{service.host}/",
        "meta_description": f"FlowerCore {service.display_name} OIDC client",
        "meta_publisher": "FlowerCore",
        "policy_engine_mode": "all",
        "group": "FlowerCore",
    }
 def load_client_secrets(path: str | None) -> dict[str, str]:
    if not path:
        return {}
    with open(path, "r", encoding="utf-8") as handle:
        data = json.load(handle)
    if not isinstance(data, dict):
        raise ValueError("client secret file must be a JSON object keyed by service slug")
    return {str(key): str(value) for key, value in data.items()}
 def redact(value: Any) -> Any:
    if isinstance(value, dict):
        return {
            key: "<redacted>" if key == "client_secret" else redact(child)
            for key, child in value.items()
        }
    if isinstance(value, list):
        return [redact(child) for child in value]
    return value
 class AuthentikClient:
    def __init__(self, base_url: str, token: str) -> None:
        self.base_url = base_url.rstrip("/")
        self.token = token
    def request(self, method: str, path: str, payload: dict[str, Any] | None = None) -> Any:
        url = f"{self.base_url}/api/v3/{path.lstrip('/')}"
        body = None
        headers = {
            "Accept": "application/json",
            "Authorization": f"Bearer {self.token}",
        }
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode("utf-8")
        request = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(request, timeout=30) as response:
                text = response.read().decode("utf-8")
        except urllib.error.HTTPError as error:
            error_text = error.read().decode("utf-8", errors="replace")
            raise RuntimeError(f"{method} {path} failed with HTTP {error.code}: {error_text}") from error
        if not text:
            return None
        return json.loads(text)
    def first_result(self, path: str, **query: str) -> dict[str, Any] | None:
        query_string = urllib.parse.urlencode(query)
        response = self.request("GET", f"{path}?{query_string}")
        results = response.get("results", []) if isinstance(response, dict) else []
        return results[0] if results else None
 def select_services(slugs: list[str]) -> list[ServiceSpec]:
    if not slugs:
        return list(SERVICE_SPECS)
    by_slug = {service.slug: service for service in SERVICE_SPECS}
    unknown = sorted(set(slugs) - set(by_slug))
    if unknown:
        raise ValueError(f"unknown service slug(s): {', '.join(unknown)}")
    return [by_slug[slug] for slug in slugs]
 def validate_specs(services: list[ServiceSpec]) -> None:
    slugs = [service.slug for service in services]
    if len(slugs) != len(set(slugs)):
        raise ValueError("duplicate service slug in OIDC roster")
    for service in services:
        if not service.namespace:
            raise ValueError(f"{service.slug} is missing a target namespace")
        expressions = "\n".join(mapping["expression"] for mapping in scope_mapping_payloads(service))
        missing_claims = [claim for claim in CLAIMS if claim not in expressions]
        if missing_claims:
            raise ValueError(f"{service.slug} mapping payloads miss claims: {', '.join(missing_claims)}")
 def dry_run(services: list[ServiceSpec], args: argparse.Namespace) -> int:
    placeholder_ids = [
        *[f"<builtin-{managed.rsplit('/', 1)[-1]}-pk>" for managed in BUILTIN_SCOPE_MAPPINGS],
        *[f"<{claim}-mapping-pk>" for claim in CLAIMS],
    ]
    documents = []
    for service in services:
        provider = provider_payload(service, args, placeholder_ids, "<from-1password-client_secret>")
        documents.append(
            {
                "service": service.slug,
                "namespace": service.namespace,
                "onepassword_item": service.onepassword_item_path,
                "issuer_url": service.issuer_url,
                "flow_contract": FLOW_CONTRACT,
                "builtin_scope_mappings": list(BUILTIN_SCOPE_MAPPINGS),
                "scope_mappings": scope_mapping_payloads(service),
                "provider": redact(provider),
                "application": application_payload(service, "<provider-pk>"),
            }
        )
    if args.print_json:
        print(json.dumps(documents, indent=2, sort_keys=True))
    else:
        print(
            "Dry-run only: generated "
            f"{len(services)} providers, {len(services)} applications, "
            f"and {len(services) * len(CLAIMS)} scope mappings."
        )
        print("Use --print-json to inspect redacted payloads; use --apply for live Authentik mutation.")
    return 0
 def apply(services: list[ServiceSpec], args: argparse.Namespace) -> int:
    token = os.environ.get("AUTHENTIK_TOKEN")
    if not token:
        raise ValueError("AUTHENTIK_TOKEN is required with --apply")
    if not args.client_secrets_json:
        raise ValueError("--client-secrets-json is required with --apply")
    secrets = load_client_secrets(args.client_secrets_json)
    missing = [service.slug for service in services if not secrets.get(service.slug)]
    if missing:
        raise ValueError(f"client secret JSON is missing slug(s): {', '.join(missing)}")
    client = AuthentikClient(args.base_url, token)
    for service in services:
        mapping_ids: list[str] = []
        for managed in BUILTIN_SCOPE_MAPPINGS:
            existing = client.first_result("/propertymappings/provider/scope/", managed=managed)
            if not existing:
                raise ValueError(f"built-in Authentik scope mapping not found: {managed}")
            mapping_ids.append(existing["pk"])
        for mapping in scope_mapping_payloads(service):
            existing = client.first_result("/propertymappings/provider/scope/", name=mapping["name"])
            if existing and not args.update_existing:
                mapping_ids.append(existing["pk"])
                continue
            if existing and args.update_existing:
                updated = client.request("PATCH", f"/propertymappings/provider/scope/{existing['pk']}/", mapping)
                mapping_ids.append(updated["pk"])
                continue
            created = client.request("POST", "/propertymappings/provider/scope/", mapping)
            mapping_ids.append(created["pk"])
        existing_provider = client.first_result("/providers/oauth2/", client_id=service.client_id)
        provider_body = provider_payload(service, args, mapping_ids, secrets[service.slug])
        if existing_provider and not args.update_existing:
            provider_pk = existing_provider["pk"]
        elif existing_provider:
            updated_provider = client.request("PATCH", f"/providers/oauth2/{existing_provider['pk']}/", provider_body)
            provider_pk = updated_provider["pk"]
        else:
            provider_pk = client.request("POST", "/providers/oauth2/", provider_body)["pk"]
        app_body = application_payload(service, provider_pk)
        existing_app = client.first_result("/core/applications/", slug=service.slug)
        if existing_app and args.update_existing:
            client.request("PATCH", f"/core/applications/{existing_app['slug']}/", app_body)
        elif not existing_app:
            client.request("POST", "/core/applications/", app_body)
        print(f"applied {service.slug}: provider/app present, secret redacted")
    return 0
 def parse_args() -> argparse.Namespace:
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--apply", action="store_true", help="perform live Authentik REST mutations")
    parser.add_argument("--update-existing", action="store_true", help="patch existing mappings/providers/applications")
    parser.add_argument("--print-json", action="store_true", help="print redacted dry-run payloads")
    parser.add_argument("--service", action="append", default=[], help="limit to one service slug; repeatable")
    parser.add_argument("--base-url", default="http://localhost:9000", help="Authentik base URL")
    parser.add_argument("--client-secrets-json", help="operator-provided JSON object of slug to client_secret")
    parser.add_argument("--authorization-flow", default="<authorization-flow-uuid>")
    parser.add_argument("--invalidation-flow", default="<invalidation-flow-uuid>")
    parser.add_argument("--authentication-flow")
    parser.add_argument("--signing-key", help="shared Authentik signing key UUID")
    return parser.parse_args()
 def main() -> int:
    args = parse_args()
    try:
        services = select_services(args.service)
        validate_specs(services)
        if args.apply:
            return apply(services, args)
        return dry_run(services, args)
    except Exception as error:
        print(f"error: {error}", file=sys.stderr)
        return 2
 if __name__ == "__main__":
    raise SystemExit(main())
--- a/tests/bluejay-infra-lint/AuthentikOidcClientRegistrationTests.cs
+++ b/tests/bluejay-infra-lint/AuthentikOidcClientRegistrationTests.cs
@@ -1,192 +0,0 @@
 using FluentAssertions;
 using System.Diagnostics;
 using System.Text.RegularExpressions;
 using Xunit;
 using YamlDotNet.RepresentationModel;
 namespace BluejayInfraLint.Tests;
 [Trait("Category", "AuthentikOidc")]
 public sealed class AuthentikOidcClientRegistrationTests
 {
    private static readonly IReadOnlyList<ServiceClientExpectation> ExpectedClients =
    [
        new("library", "fc-library"),
        new("retail", "fc-retail"),
        new("telephony", "telephony"),
        new("knowledge", "knowledge"),
        new("llmbridge", "fc-llm-bridge"),
        new("mysql", "fc-mysql"),
        new("php", "fc-php"),
        new("signage", "fc-signage"),
        new("media", "fc-media"),
        new("dms", "fc-dms"),
        new("pimanager", "fc-pimanager"),
        new("distribution", "fc-distribution"),
        new("dns", "fc-dns"),
        new("print", "fc-print"),
        new("aistation", "fc-aistation"),
        new("irc", "irc"),
        new("ttsreader", "fc-ttsreader"),
        new("chat", "fc-chat"),
        new("intranet", "intranet"),
        new("remotedesktop", "fc-desktop"),
        new("provisioning", "fc-provisioning"),
        new("scoreboards", "fc-scoreboard"),
        new("mndot", "fc-mndot"),
        new("kiosk", "fc-system"),
        new("mike-bundle", "fc-mike-bundle"),
        new("messageboard", "fc-messageboard"),
        new("menuboard", "fc-menuboard"),
        new("presentations", "fc-presentations"),
        new("segmentdisplay", "fc-segmentdisplay"),
        new("signalcontrol", "fc-signalcontrol"),
        new("worldbuilder", "fc-worldbuilder"),
        new("audit", "fc-audit"),
        new("licensing", "fc-licensing"),
    ];
    public static TheoryData<string, string> ExpectedClientRows()
    {
        var data = new TheoryData<string, string>();
        foreach (var client in ExpectedClients)
        {
            data.Add(client.Slug, client.Namespace);
        }
        return data;
    }
    [Theory]
    [MemberData(nameof(ExpectedClientRows))]
    public void OidcClientManifest_MatchesOnePasswordOperatorContract(string slug, string targetNamespace)
    {
        var manifest = LoadClientManifest(slug);
        manifest.Scalar("apiVersion").Should().Be("onepassword.com/v1");
        manifest.Scalar("kind").Should().Be("OnePasswordItem");
        manifest.Scalar("metadata", "name").Should().Be($"{slug}-oidc-client");
        manifest.Scalar("metadata", "namespace").Should().Be(targetNamespace);
        manifest.Scalar("metadata", "labels", "app.kubernetes.io/component")
            .Should().Be("authentik-oidc-client");
        manifest.Scalar("metadata", "labels", "flowercore.io/authentik-client-slug")
            .Should().Be(slug);
        manifest.Scalar("metadata", "annotations", "flowercore.io/expected-fields")
            .Should().Be("client_id,client_secret,issuer_url");
        manifest.Scalar("spec", "itemPath")
            .Should().Be($"vaults/IAmWorkin/items/{slug}-oidc-client");
    }
    [Fact]
    public void AuthentikKustomization_ReferencesEveryClientManifest()
    {
        var kustomizationPath = Path.Combine(BluejayRoot(), "apps", "authentik", "kustomization.yaml");
        var text = File.ReadAllText(kustomizationPath);
        foreach (var client in ExpectedClients)
        {
            text.Should().Contain($"clients/{client.Slug}-oidc-client.yaml");
        }
        Regex.Matches(text, @"clients/[-a-z0-9]+-oidc-client\.yaml")
            .Select(match => match.Value)
            .Distinct(StringComparer.Ordinal)
            .Should()
            .HaveCount(ExpectedClients.Count);
    }
    [Fact]
    public void BulkClientScript_HasDryRunDefaultAndRequiredClaimPayloads()
    {
        var scriptPath = Path.Combine(BluejayRoot(), "scripts", "authentik-bulk-client-create.py");
        var script = File.ReadAllText(scriptPath);
        script.Should().Contain("--apply");
        script.Should().Contain("Dry-run only");
        script.Should().Contain("AUTHENTIK_TOKEN");
        script.Should().Contain("client_secrets_json");
        script.Should().Contain("scope-offline_access");
        script.Should().Contain("authorization_code");
        script.Should().Contain("refresh_token");
        foreach (var claim in new[] { "fc:roles", "fc:tenant", "fc:svc", "fc:scope", "fc:mfa", "flowercore_actor_id" })
        {
            script.Should().Contain(claim);
        }
    }
    [Fact]
    public void BulkClientScript_DryRunGeneratesAllServicesWithoutSecrets()
    {
        var scriptPath = Path.Combine(BluejayRoot(), "scripts", "authentik-bulk-client-create.py");
        var startInfo = new ProcessStartInfo
        {
            FileName = "python",
            WorkingDirectory = BluejayRoot(),
            RedirectStandardOutput = true,
            RedirectStandardError = true,
        };
        startInfo.ArgumentList.Add(scriptPath);
        startInfo.ArgumentList.Add("--print-json");
        using var process = Process.Start(startInfo)
            ?? throw new InvalidOperationException("Could not start python dry-run.");
        var stdout = process.StandardOutput.ReadToEnd();
        var stderr = process.StandardError.ReadToEnd();
        process.WaitForExit(15000).Should().BeTrue(stderr);
        process.ExitCode.Should().Be(0, stderr);
        foreach (var client in ExpectedClients)
        {
            stdout.Should().Contain($"\"service\": \"{client.Slug}\"");
            stdout.Should().Contain($"\"namespace\": \"{client.Namespace}\"");
        }
        stdout.Should().Contain("\"client_secret\": \"<redacted>\"");
        stdout.Should().NotMatchRegex("\"client_secret\"\\s*:\\s*\"(?!<redacted>)[^\"]+\"");
    }
    [Fact]
    public void ClientManifests_DoNotContainInlineSecretMaterial()
    {
        foreach (var client in ExpectedClients)
        {
            var path = ClientManifestPath(client.Slug);
            var text = File.ReadAllText(path);
            text.Should().NotContain("client_secret:");
            text.Should().NotContain("password:");
            text.Should().NotContain("secret:");
            text.Should().Contain($"IAmWorkin/items/{client.Slug}-oidc-client");
        }
    }
    private static YamlMappingNode LoadClientManifest(string slug)
    {
        using var reader = File.OpenText(ClientManifestPath(slug));
        var stream = new YamlStream();
        stream.Load(reader);
        return stream.Documents[0].RootNode.Should().BeOfType<YamlMappingNode>().Subject;
    }
    private static string ClientManifestPath(string slug) =>
        Path.Combine(BluejayRoot(), "apps", "authentik", "clients", $"{slug}-oidc-client.yaml");
    private static string BluejayRoot()
    {
        var current = new DirectoryInfo(AppContext.BaseDirectory);
        while (current is not null)
        {
            if (Directory.Exists(Path.Combine(current.FullName, "apps"))
                && File.Exists(Path.Combine(current.FullName, "README.md")))
            {
                return current.FullName;
            }
            current = current.Parent;
        }
        throw new DirectoryNotFoundException("Could not find bluejay-infra root.");
    }
    private sealed record ServiceClientExpectation(string Slug, string Namespace);
 }
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -54,6 +54,43 @@ public sealed class FleetManifestLintTests
        "ttsreader-piper",
    };
    private static readonly IReadOnlyDictionary<string, string> LinuxRunnerRepos = new Dictionary<string, string>(StringComparer.Ordinal)
    {
        ["github-runner"] = "https://github.com/astoltz/FlowerCore.Common",
        ["github-runner-sharedpos"] = "https://github.com/astoltz/FlowerCore.Shared.Pos",
        ["github-runner-puppet"] = "https://github.com/astoltz/FlowerCore.Puppet",
        ["github-runner-signage"] = "https://github.com/astoltz/FlowerCore.Signage",
        ["github-runner-dms"] = "https://github.com/astoltz/FlowerCore.DMS",
        ["github-runner-telephony"] = "https://github.com/astoltz/FlowerCore.Telephony",
        ["github-runner-print-web"] = "https://github.com/astoltz/FlowerCore.Print.Web",
        ["github-runner-chat"] = "https://github.com/astoltz/FlowerCore.Chat",
        ["github-runner-mysql"] = "https://github.com/astoltz/FlowerCore.MySQL",
        ["github-runner-kiosk-linux"] = "https://github.com/astoltz/FlowerCore.Kiosk.Linux",
    };
    private static readonly HashSet<string> ScaledLinuxRunnerDeployments = new(StringComparer.Ordinal)
    {
        "github-runner-sharedpos",
        "github-runner-puppet",
        "github-runner-signage",
        "github-runner-dms",
        "github-runner-telephony",
        "github-runner-print-web",
        "github-runner-chat",
        "github-runner-mysql",
        "github-runner-kiosk-linux",
    };
    private static readonly IReadOnlyDictionary<string, string> WritableRunnerEnv = new Dictionary<string, string>(StringComparer.Ordinal)
    {
        ["HOME"] = "/home/runner",
        ["DOTNET_INSTALL_DIR"] = "/home/runner/.dotnet",
        ["DOTNET_CLI_HOME"] = "/home/runner",
        ["NUGET_PACKAGES"] = "/home/runner/.nuget/packages",
        ["XDG_CACHE_HOME"] = "/home/runner/.cache",
        ["RUNNER_TOOL_CACHE"] = "/home/runner/_tool",
    };
    [Fact]
    public void IngressRoutes_MustKeepServiceReferencesInTheSameNamespace()
    {
@@ -187,6 +224,98 @@ public sealed class FleetManifestLintTests
        violations.Should().BeEmpty();
    }
    [Fact]
    public void GitHubRunnerFleet_MustRegisterRequiredReposAsRepoScopedDeployments()
    {
        var deployments = GitHubRunnerDeployments();
        foreach (var expectedRunner in LinuxRunnerRepos)
        {
            deployments.Should().ContainKey(expectedRunner.Key);
            var container = deployments[expectedRunner.Key].ContainerMappings().Should().ContainSingle().Subject;
            EnvValue(container, "REPO_URL").Should().Be(expectedRunner.Value);
            EnvValue(container, "EPHEMERAL").Should().Be("true");
            EnvValue(container, "LABELS").Should().Be("self-hosted,linux,fc-build-linux");
            EnvValue(container, "RUN_AS_ROOT").Should().Be("false");
            EnvValue(container, "ACCESS_TOKEN").Should().BeNull("ACCESS_TOKEN must come from github-runner-token Secret, not a literal");
            EnvSecretName(container, "ACCESS_TOKEN").Should().Be("github-runner-token");
            EnvSecretKey(container, "ACCESS_TOKEN").Should().Be("credential");
        }
    }
    [Fact]
    public void GitHubRunnerFleet_MustSetWritableNonRootDotnetAndCachePaths()
    {
        foreach (var deployment in GitHubRunnerDeployments().Values)
        {
            var container = deployment.ContainerMappings().Should().ContainSingle().Subject;
            foreach (var expectedEnv in WritableRunnerEnv)
            {
                EnvValue(container, expectedEnv.Key).Should().Be(expectedEnv.Value, $"{deployment.Name} must keep .NET paths writable for uid 1001");
            }
            var mounts = ManifestNodeExtensions.MappingSequence(container, "volumeMounts")
                .ToDictionary(
                    mount => ManifestNodeExtensions.Scalar(mount, "name") ?? string.Empty,
                    mount => ManifestNodeExtensions.Scalar(mount, "mountPath") ?? string.Empty,
                    StringComparer.Ordinal);
            mounts.Should().Contain("runner-home", "/home/runner");
            mounts.Should().Contain("nuget-cache", "/home/runner/.nuget/packages");
            mounts.Should().Contain("tmp", "/tmp");
        }
    }
    [Fact]
    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForScaledDeployments()
    {
        var deployments = GitHubRunnerDeployments();
        foreach (var deploymentName in ScaledLinuxRunnerDeployments)
        {
            var deployment = deployments[deploymentName];
            ReplicaCount(deployment).Should().Be(2);
            var volumes = deployment.MappingSequence("spec", "template", "spec", "volumes");
            var claimNames = volumes
                .Select(volume => ManifestNodeExtensions.Scalar(volume, "persistentVolumeClaim", "claimName"))
                .Where(value => !string.IsNullOrWhiteSpace(value))
                .ToList();
            claimNames.Should().BeEmpty($"{deploymentName} is scaled and must not share a RWO PVC");
            volumes.Should().Contain(volume =>
                string.Equals(ManifestNodeExtensions.Scalar(volume, "name"), "nuget-cache", StringComparison.Ordinal)
                && ManifestNodeExtensions.Mapping(volume, "emptyDir") != null);
        }
        var common = deployments["github-runner"];
        ReplicaCount(common).Should().Be(1);
        common.MappingSequence("spec", "template", "spec", "volumes")
            .Select(volume => ManifestNodeExtensions.Scalar(volume, "persistentVolumeClaim", "claimName"))
            .Where(value => !string.IsNullOrWhiteSpace(value))
            .Should()
            .ContainSingle()
            .Which
            .Should()
            .Be("github-runner-nuget-cache");
    }
    [Fact]
    public void Monitoring_MustAlertWhenLinuxRunnerDeploymentIsUnavailable()
    {
        var monitoring = File.ReadAllText(Path.Combine(Inventory.BluejayRoot, "apps", "monitoring", "noc-monitoring.yaml"));
        monitoring.Should().Contain("MacMiniRunnerOffline");
        monitoring.Should().Contain("LinuxRunnerOffline");
        monitoring.Should().Contain("kube_deployment_status_replicas_ready");
        monitoring.Should().Contain("github-runner(|-(sharedpos|puppet|signage|dms|telephony|print-web|chat|mysql|kiosk-linux))");
        monitoring.Should().Contain("folder: CI Alerts");
        monitoring.Should().Contain("uid: linux-runner-offline");
        monitoring.Should().Contain("alert_channel: irc");
    }
    [Fact]
    public void StatefulSets_WithVolumeClaimTemplates_MustDeclareFilesystemDefaults()
    {
@@ -314,6 +443,44 @@ public sealed class FleetManifestLintTests
            $"{document.Descriptor} container '{containerName}' still uses {probeKey}.httpGet on /health.",
        };
    }
    private static IReadOnlyDictionary<string, ManifestDocument> GitHubRunnerDeployments()
    {
        return Inventory.Documents
            .Where(document => document.Kind == "Deployment")
            .Where(document => document.Namespace == "github-runner")
            .ToDictionary(document => document.Name, StringComparer.Ordinal);
    }
    private static int ReplicaCount(ManifestDocument document)
    {
        return int.TryParse(document.Scalar("spec", "replicas"), out var replicas) ? replicas : 1;
    }
    private static string? EnvValue(YamlMappingNode container, string name)
    {
        return EnvMapping(container, name) is { } env ? ManifestNodeExtensions.Scalar(env, "value") : null;
    }
    private static string? EnvSecretName(YamlMappingNode container, string name)
    {
        return EnvMapping(container, name) is { } env
            ? ManifestNodeExtensions.Scalar(env, "valueFrom", "secretKeyRef", "name")
            : null;
    }
    private static string? EnvSecretKey(YamlMappingNode container, string name)
    {
        return EnvMapping(container, name) is { } env
            ? ManifestNodeExtensions.Scalar(env, "valueFrom", "secretKeyRef", "key")
            : null;
    }
    private static YamlMappingNode? EnvMapping(YamlMappingNode container, string name)
    {
        return ManifestNodeExtensions.MappingSequence(container, "env")
            .SingleOrDefault(env => string.Equals(ManifestNodeExtensions.Scalar(env, "name"), name, StringComparison.Ordinal));
    }
 }
 internal sealed class ManifestInventory
--- a/tests/bluejay-infra-lint/PiSignagePlayerArtifactTests.cs
+++ b/tests/bluejay-infra-lint/PiSignagePlayerArtifactTests.cs
@@ -0,0 +1,269 @@
 using System.Text.Json;
 using FluentAssertions;
 using Xunit;
 namespace BluejayInfraLint.Tests;
 [Trait("Category", "Unit")]
 public sealed class PiSignagePlayerArtifactTests
 {
    private static readonly string Root = FindRepoRoot();
    private static readonly string AppRoot = Path.Combine(Root, "apps", "fc-signage-pi-player");
    public static TheoryData<string> RequiredArtifacts => new()
    {
        "README.md",
        "systemd/flowercore-signage-player-pi.service",
        "systemd/flowercore-signage-player-pi-hdmi.service",
        "systemd/flowercore-signage-bootstrap.service",
        "systemd/flowercore-signage-renew.service",
        "systemd/flowercore-signage-renew.timer",
        "systemd/flowercore-signage-detect-display.service",
        "systemd/flowercore-signage-detect-display.timer",
        "systemd/99-flowercore-signage-hdmi.rules",
        "chromium-policies/flowercore-signage.json",
        "scripts/flowercore-signage-launch.sh",
        "scripts/flowercore-signage-prelaunch.sh",
        "scripts/flowercore-signage-bootstrap.sh",
        "scripts/flowercore-signage-renew-cert.sh",
        "scripts/flowercore-signage-hdmi-respond.sh",
        "scripts/fc-signage-detect-display",
    };
    [Theory]
    [MemberData(nameof(RequiredArtifacts))]
    public void RequiredArtifacts_ArePresent(string relativePath)
    {
        File.Exists(Path.Combine(AppRoot, relativePath)).Should().BeTrue(relativePath);
    }
    [Fact]
    public void PlayerService_UsesExpectedRestartAndMemoryGuards()
    {
        var unit = Read("systemd/flowercore-signage-player-pi.service");
        unit.Should().Contain("Restart=always");
        unit.Should().Contain("RestartSec=10s");
        unit.Should().Contain("StartLimitBurst=5");
        unit.Should().Contain("StartLimitIntervalSec=300s");
        unit.Should().Contain("MemoryMax=2G");
    }
    [Fact]
    public void PlayerService_IsGatedByNodeIdentityAndMtlsCertificate()
    {
        var unit = Read("systemd/flowercore-signage-player-pi.service");
        unit.Should().Contain("ConditionPathExists=/etc/flowercore/signage-node.json");
        unit.Should().Contain("ConditionPathExists=/etc/fc-signage-player/client.p12");
        unit.Should().Contain("ExecStartPre=/usr/local/bin/flowercore-signage-prelaunch.sh");
    }
    [Fact]
    public void LaunchScript_TriesEmbedThenFallsBackToBarePlayerRoute()
    {
        var script = Read("scripts/flowercore-signage-launch.sh");
        script.Should().Contain("/player/${NODE_ID}/embed?token=${CERT_THUMB}");
        script.Should().Contain("url-divergence.log");
        script.Should().Contain("/player/${NODE_ID}?token=${CERT_THUMB}");
    }
    [Fact]
    public void LaunchScript_DisablesChromiumPromptsAndRuntimeUpdates()
    {
        var script = Read("scripts/flowercore-signage-launch.sh");
        script.Should().Contain("--noerrdialogs");
        script.Should().Contain("--disable-infobars");
        script.Should().Contain("--password-store=basic");
        script.Should().Contain("--check-for-update-interval=2592000");
    }
    [Fact]
    public void PrelaunchScript_AbortsWhenRequiredFilesAreMissing()
    {
        var script = Read("scripts/flowercore-signage-prelaunch.sh");
        script.Should().Contain("for f in /etc/flowercore/signage-node.json /etc/fc-signage-player/client.p12 /etc/fc-signage-player/client.p12.pass");
        script.Should().Contain("exit 1");
        script.Should().Contain("-checkend $((7*24*3600))");
    }
    [Fact]
    public void BootstrapScript_IsIdempotentWhenAlreadyEnrolled()
    {
        var script = Read("scripts/flowercore-signage-bootstrap.sh");
        script.Should().Contain("already enrolled");
        script.Should().Contain("exit 0");
        script.Should().Contain(".enrolledAt");
    }
    [Fact]
    public void BootstrapScript_GeneratesStableMachineIdFromUuid()
    {
        var script = Read("scripts/flowercore-signage-bootstrap.sh");
        script.Should().Contain("uuidgen");
        script.Should().Contain("cut -c1-16");
        script.Should().Contain("machineId");
    }
    [Fact]
    public void BootstrapScript_RetriesRegisterOnceForFirstCallRace()
    {
        var script = Read("scripts/flowercore-signage-bootstrap.sh");
        script.Should().Contain("for attempt in 1 2");
        script.Should().Contain("register attempt $attempt returned");
        script.Should().Contain("sleep 5");
    }
    [Fact]
    public void BootstrapScript_SupportsSetupCodeAndApprovalPollingBudget()
    {
        var script = Read("scripts/flowercore-signage-bootstrap.sh");
        script.Should().Contain("signage-setup-code");
        script.Should().Contain("approve-via-setup-code");
        script.Should().Contain("+ 1800");
        script.Should().Contain("sleep 15");
    }
    [Fact]
    public void BootstrapScript_CsrSubjectIdentifiesPiPlayer()
    {
        var script = Read("scripts/flowercore-signage-bootstrap.sh");
        script.Should().Contain("/CN=${NODE_ID}/O=FlowerCore/OU=SignagePlayer-Pi");
    }
    [Fact]
    public void BootstrapScript_PersistsCertificateAsP12WithRestrictivePermissions()
    {
        var script = Read("scripts/flowercore-signage-bootstrap.sh");
        script.Should().Contain("openssl pkcs12 -export");
        script.Should().Contain("client.p12.pass");
        script.Should().Contain("chmod 0600");
        script.Should().Contain("chmod 0640");
    }
    [Fact]
    public void RenewScript_OnlyRunsWhenCertHasLessThanThirtyDays()
    {
        var script = Read("scripts/flowercore-signage-renew-cert.sh");
        script.Should().Contain("-checkend $((30*24*3600))");
        script.Should().Contain("exit 0");
        script.Should().Contain("/renew");
    }
    [Fact]
    public void RenewScript_AtomicallySwapsNewCertificateFiles()
    {
        var script = Read("scripts/flowercore-signage-renew-cert.sh");
        script.Should().Contain("client.key.new");
        script.Should().Contain("mv \"$CERT_DIR/client.key.new\" \"$CERT_DIR/client.key\"");
        script.Should().Contain("mv \"$CERT_DIR/client.p12.new\" \"$CERT_DIR/client.p12\"");
    }
    [Fact]
    public void HdmiRule_RestartsPlayerAndRunsCapabilityDetection()
    {
        var rule = Read("systemd/99-flowercore-signage-hdmi.rules");
        var responder = Read("scripts/flowercore-signage-hdmi-respond.sh");
        rule.Should().Contain("KERNEL==\"card?-HDMI-A-?\"");
        rule.Should().Contain("start flowercore-signage-player-pi-hdmi.service");
        responder.Should().Contain("sleep 2");
        responder.Should().Contain("start flowercore-signage-detect-display.service");
        responder.Should().Contain("restart flowercore-signage-player-pi.service");
    }
    [Fact]
    public void DetectDisplayServiceAndTimer_RunAtBootAndDaily()
    {
        var service = Read("systemd/flowercore-signage-detect-display.service");
        var timer = Read("systemd/flowercore-signage-detect-display.timer");
        service.Should().Contain("ExecStart=/usr/local/bin/fc-signage-detect-display");
        timer.Should().Contain("OnBootSec=30s");
        timer.Should().Contain("OnCalendar=daily");
        timer.Should().Contain("RandomizedDelaySec=1h");
    }
    [Fact]
    public void DetectDisplayScript_EmitsDisconnectedProfileWhenNoHdmiIsPresent()
    {
        var script = Read("scripts/fc-signage-detect-display");
        script.Should().Contain("displayConnected: false");
        script.Should().Contain("No HDMI display detected");
    }
    [Fact]
    public void DetectDisplayScript_ParsesEdidForHdrResolutionAndAudio()
    {
        var script = Read("scripts/fc-signage-detect-display");
        script.Should().Contain("edid-decode");
        script.Should().Contain("HDR (Static|Dynamic) Metadata Block");
        script.Should().Contain("maxResolution");
        script.Should().Contain("hasAudioOutput");
    }
    [Fact]
    public void DetectDisplayScript_TriesBothForwardCompatibleCapabilityEndpoints()
    {
        var script = Read("scripts/fc-signage-detect-display");
        script.Should().Contain("/api/v1/nodes/${NODE_ID}/capabilities");
        script.Should().Contain("/api/v1/displays/${NODE_ID}/capability-profile");
        script.Should().Contain("no endpoint accepted the profile");
    }
    [Fact]
    public void ChromiumPolicy_IsValidJsonAndDisablesCredentialPrompts()
    {
        using var doc = JsonDocument.Parse(Read("chromium-policies/flowercore-signage.json"));
        var root = doc.RootElement;
        root.GetProperty("AutofillAddressEnabled").GetBoolean().Should().BeFalse();
        root.GetProperty("AutofillCreditCardEnabled").GetBoolean().Should().BeFalse();
        root.GetProperty("PasswordManagerEnabled").GetBoolean().Should().BeFalse();
        root.GetProperty("ExtensionInstallBlocklist")[0].GetString().Should().Be("*");
    }
    [Fact]
    public void RenewalTimer_UsesDailyCadenceWithTwoHourJitter()
    {
        var timer = Read("systemd/flowercore-signage-renew.timer");
        timer.Should().Contain("OnCalendar=daily");
        timer.Should().Contain("RandomizedDelaySec=2h");
        timer.Should().Contain("Persistent=true");
    }
    private static string Read(string relativePath)
        => File.ReadAllText(Path.Combine(AppRoot, relativePath.Replace('/', Path.DirectorySeparatorChar)));
    private static string FindRepoRoot()
    {
        var current = new DirectoryInfo(AppContext.BaseDirectory);
        while (current is not null)
        {
            if (Directory.Exists(Path.Combine(current.FullName, "apps"))
                && File.Exists(Path.Combine(current.FullName, "README.md")))
            {
                return current.FullName;
            }
            current = current.Parent;
        }
        throw new DirectoryNotFoundException("Could not find bluejay-infra root.");
    }
 }
Author	SHA1	Message	Date
Andrew Stoltz	67064c4129	feat(github-runner): harden Linux runner fleet	2026-05-17 21:50:29 -05:00
bluejay	b8c7e59005	Tighten Pi signage HDMI settle coverage (#3 )	2026-05-18 02:35:17 +00:00
bluejay	65ac8d6f01	feat(github-runner): pod-env DOTNET_INSTALL_DIR + initContainer for non-root runner (#7 )	2026-05-18 02:25:18 +00:00
bluejay	35844e0dbd	chore(github-runner): un-park github-runner-sharedpos (Shared.Pos non-root build fixed) (#6 )	2026-05-18 02:20:00 +00:00
bluejay	b1e307151e	chore(github-runner): un-park github-runner-sharedpos (replicas 1) after Shared.Pos CI fix merged	2026-05-17 21:54:16 +00:00
bluejay	12b07219c7	chore(github-runner): park github-runner-sharedpos (replicas 0) until Cx-1 non-root fix Shared.Pos build fails on non-root runner (setup-dotnet /usr/share/dotnet denied); churning runner drove HighCPU on rke2-agent2. Re-enable in the Sprint 30+ Cx-1 Linux-runner-fleet lane (DOTNET_INSTALL_DIR on pod env).	2026-05-17 21:50:35 +00:00
bluejay	9fd32c4415	feat(monitoring): MacMiniRunnerOffline alert (Sprint 28 reconcile)	2026-05-17 19:50:29 +00:00
bluejay	ad670fb344	feat(github-runner): add Shared.Pos repo-scoped Linux runner (unstick stuck publish)	2026-05-17 19:50:23 +00:00
Codex	6f6ca50987	fix(github-runner): switch RUNNER_TOKEN -> ACCESS_TOKEN; set RUN_AS_ROOT=false Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-16 22:08:56 +00:00
Codex	c7be58c1f7	chore(github-runner): bump replicas 0 -> 1 (PAT provisioned) Operator provisioned GitHub PAT (Runner Registration) 1P item. OnePasswordItem CRD already materialized the secret. Unblocks CI fleet-wide. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-16 22:04:03 +00:00
Codex	a1f5a393cd	chore(github-runner): rename 1P item to GitHub PAT (Runner Registration) Renames the OnePasswordItem.itemPath from "GitHub Runner Registration Token" to "GitHub PAT (Runner Registration)" so the runner 1P entry sits next to its siblings — GitHub PAT (Gitea Mirrors) and GitHub PAT (NuGet Packages) — under a consistent "GitHub PAT (...)" naming pattern and API_CREDENTIAL category. Existing field "credential" remains the consumer (RUNNER_TOKEN env). Comment block clarified to require Administration:read/write fine-grained PAT scope on target repos. Old 1P item renamed to "[DEPRECATED 2026-05-16] GitHub Runner Registration" — kept as recovery backup; can be hard-deleted after the first successful runner pod start against the new item path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-16 22:01:41 +00:00
Codex	710340d8be	chore(github-runner): rename 1P item to GitHub PAT (Runner Registration) Renames the OnePasswordItem.itemPath from "GitHub Runner Registration Token" to "GitHub PAT (Runner Registration)" so the runner 1P entry sits next to its siblings — GitHub PAT (Gitea Mirrors) and GitHub PAT (NuGet Packages) — under a consistent "GitHub PAT (...)" naming pattern and API_CREDENTIAL category. Existing field "credential" remains the consumer (RUNNER_TOKEN env). Comment block clarified to require Administration:read/write fine-grained PAT scope on target repos. Old 1P item renamed to "[DEPRECATED 2026-05-16] GitHub Runner Registration" — kept as recovery backup; can be hard-deleted after the first successful runner pod start against the new item path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-16 10:27:58 -05:00
Andrew Stoltz	7d2daaa4f8	chore(github-runner): replicas 1 → 0 until 1Password token provisioned github-runner-token OnePasswordItem exists but the underlying 1Password vault item hasn't been created yet, so the operator can't mint the K8s Secret. Pod stuck in CreateContainerConfigError → DeploymentReplicasMismatch alert fires. Scaling to 0 keeps the manifest infrastructure intact but stops trying to schedule until operator: 1. Creates "GitHub Runner Registration Token" item in IAmWorkin vault 2. Generates a token at github.com/astoltz/<repo>/settings/actions/runners/new 3. Updates the OnePasswordItem itemPath to point at it 4. Bumps replicas back to 1 via PR	2026-05-15 16:18:19 -05:00
Andrew Stoltz	e50e103ba0	fix(zabbix): bump web probe timeouts 5s→15s + add failureThreshold zabbix-web nginx+PHP-FPM container serves / at ~3-5s baseline with occasional 6-7s spikes (probe path renders full dashboard via PHP). kube-probe was killing the container after 3 consecutive 5s-timeout 499s, producing CrashLoopBackOff alert noise even though the app was serving real traffic fine. 15s timeout absorbs the natural variance; explicit failureThreshold=3 documents the policy (was implicit default). Closes the firing PodCrashLoopBackOff (zabbix-web) + pending HTTPServiceSlow/HTTPServiceDegraded alerts. zabbix.iamworkin.lan remains slow at the application layer (separate work — PHP-FPM warm-up + Zabbix server "host not found" agent lookup spam need their own fixes) but the pod restart loop stops.	2026-05-15 15:59:04 -05:00
Codex	e8094eb0bd	ci(github-runner): add Phase 2 ephemeral Linux runner K8s manifest Namespace github-runner with myoung34/github-runner:latest Deployment, 5Gi Longhorn RWO NuGet cache PVC, zero-privilege ServiceAccount, and OnePasswordItem CRD for the registration token. EPHEMERAL=true mode re-registers after each job; Recreate strategy avoids RWO multi-attach. Targets fc-build-linux label; single replica pinned to rke2-server node. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-14 12:46:25 -05:00
bluejay	8d87d9172c	Add Pi signage Phase 1 player artifacts Squash merge Sprint 14 Pi signage player artifacts.	2026-05-14 01:46:09 +00:00
Codex	cfd9743afa	Add Apple TV signage docs manifest	2026-05-13 20:32:48 -05:00
		`@@ -0,0 +1,2 @@`
							`# Settle DRM for 2s before restarting Chromium, then redeclare capabilities.`
							`SUBSYSTEM=="drm", KERNEL=="card?-HDMI-A-?", ACTION=="change", RUN+="/usr/bin/systemctl start flowercore-signage-player-pi-hdmi.service"`