fix(auth): harden public infra routes

apps/andrew/andrew.yaml

@@ -201,6 +201,8 @@ spec:
     metadata:
       labels:
         app: andrew-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -225,12 +227,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
@@ -265,7 +273,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`bluejay.dev`) || Host(`www.bluejay.dev`)
+    - match: (Host(`bluejay.dev`) || Host(`www.bluejay.dev`)) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: andrew-web

apps/dustin/dustin.yaml

@@ -201,6 +201,8 @@ spec:
     metadata:
       labels:
         app: dustin-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -225,12 +227,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
@@ -265,7 +273,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`timeforta.co`) || Host(`www.timeforta.co`)
+    - match: (Host(`timeforta.co`) || Host(`www.timeforta.co`)) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: dustin-web

apps/erik/erik.yaml

@@ -201,6 +201,8 @@ spec:
     metadata:
       labels:
         app: erik-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -225,12 +227,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
@@ -265,7 +273,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`erckak.dev`) || Host(`www.erckak.dev`)
+    - match: (Host(`erckak.dev`) || Host(`www.erckak.dev`)) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: erik-web

apps/fc-aistation/fc-aistation.yaml

@@ -46,8 +46,6 @@ spec:
   template:
     metadata:
       annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/path: /metrics/prometheus
         prometheus.io/port: "5000"
         prometheus.io/scrape: "true"
@@ -56,7 +54,6 @@ spec:
         app.kubernetes.io/part-of: flowercore
     spec:
       containers:
-        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
         - envFrom:
             - configMapRef:
                 name: aistation-web-config
@@ -170,26 +167,3 @@ spec:
           port: 80
   tls:
     secretName: aistation-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose aistation-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: aistation-web-public
-#   namespace: fc-aistation
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`aistation.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: aistation-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: aistation-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-chat/fc-chat.yaml

@@ -112,8 +112,6 @@ spec:
         app.kubernetes.io/name: chat-web
         app.kubernetes.io/part-of: flowercore
       annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics/prometheus"
@@ -130,7 +128,6 @@ spec:
           ports:
             - name: http
               containerPort: 8080
-          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           envFrom:
             - configMapRef:
                 name: chat-web-config

apps/fc-desktop/fc-desktop.yaml

@@ -51,26 +51,3 @@ spec:
           port: 8080
   tls:
     secretName: remotedesktop-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose remotedesktop-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: remotedesktop-web-public
-#   namespace: fc-desktop
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`desktop.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: remotedesktop-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: remotedesktop-web
-#           port: 8080
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-devicemgmt/deployment-web.yaml

@@ -52,8 +52,6 @@ spec:
         flowercore.io/tenant-id: system
         flowercore.io/created-by: bluejay-infra
       annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics"
@@ -69,7 +67,6 @@ spec:
           ports:
             - name: http
               containerPort: 8080
-          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: ASPNETCORE_URLS
               value: "http://+:8080"

apps/fc-dms/fc-dms.yaml

@@ -30,26 +30,3 @@ spec:
           port: 80
   tls:
     secretName: dms-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose dms-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: dms-web-public
-#   namespace: fc-dms
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`dms.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: dms-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: dms-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-landing/fc-landing.yaml

@@ -203,6 +203,8 @@ spec:
     metadata:
       labels:
         app: fc-landing
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -227,12 +229,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
@@ -298,7 +306,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+    - match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: fc-landing
@@ -316,7 +324,7 @@ spec:
   entryPoints:
     - web
   routes:
-    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+    - match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: fc-landing

apps/fc-library/fc-library.yaml

@@ -46,8 +46,6 @@ spec:
   template:
     metadata:
       annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/health"
         prometheus.io/path: /metrics/prometheus
         prometheus.io/port: "5000"
         prometheus.io/scrape: "true"
@@ -56,7 +54,6 @@ spec:
         app.kubernetes.io/part-of: flowercore
     spec:
       containers:
-        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
         - envFrom:
             - configMapRef:
                 name: library-web-config
@@ -170,26 +167,3 @@ spec:
           port: 80
   tls:
     secretName: library-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose library-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: library-web-public
-#   namespace: fc-library
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`library.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: library-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: library-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-llm-bridge/fc-llm-bridge.yaml

@@ -83,8 +83,6 @@ spec:
         app.kubernetes.io/name: fc-llm-bridge
         app.kubernetes.io/part-of: flowercore
       annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics"
@@ -118,7 +116,6 @@ spec:
           ports:
             - containerPort: 8080
               name: http
-          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: ASPNETCORE_URLS
               value: "http://+:8080"
@@ -284,26 +281,3 @@ spec:
           port: 8080
   tls:
     secretName: fc-llm-bridge-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose fc-llm-bridge publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: fc-llm-bridge-public
-#   namespace: fc-llm-bridge
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`llm-bridge.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: fc-llm-bridge-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: fc-llm-bridge
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-menuboard/fc-menuboard.yaml

@@ -30,26 +30,3 @@ spec:
           port: 80
   tls:
     secretName: menuboard-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose menuboard-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: menuboard-web-public
-#   namespace: fc-menuboard
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`menuboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: menuboard-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: menuboard-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-messageboard/fc-messageboard.yaml

@@ -41,8 +41,6 @@ spec:
       labels:
         app: messageboard-web
       annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/health"
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics/prometheus"
@@ -54,7 +52,6 @@ spec:
           ports:
             - containerPort: 8080
               name: http
-          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           envFrom:
             - configMapRef:
                 name: messageboard-web-config
@@ -144,26 +141,3 @@ spec:
           port: 80
   tls:
     secretName: messageboard-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose messageboard-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: messageboard-web-public
-#   namespace: fc-messageboard
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`messageboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: messageboard-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: messageboard-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-mysql/fc-mysql.yaml

@@ -30,26 +30,3 @@ spec:
           port: 5300
   tls:
     secretName: mysql-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose mysql-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: mysql-web-public
-#   namespace: fc-mysql
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`mysql.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: mysql-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: mysql-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-php/fc-php.yaml

@@ -30,26 +30,3 @@ spec:
           port: 5400
   tls:
     secretName: php-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose php-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: php-web-public
-#   namespace: fc-php
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`php.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: php-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: php-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-presentations/fc-presentations.yaml

@@ -30,26 +30,3 @@ spec:
           port: 80
   tls:
     secretName: presentations-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose presentations-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: presentations-web-public
-#   namespace: fc-presentations
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`presentations.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: presentations-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: presentations-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-retail/fc-retail.yaml

@@ -46,8 +46,6 @@ spec:
   template:
     metadata:
       annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/healthz"
         kubectl.kubernetes.io/restartedAt: "2026-06-02T01:34:08-05:00"
         prometheus.io/path: /metrics/prometheus
         prometheus.io/port: "5000"
@@ -57,7 +55,6 @@ spec:
         app.kubernetes.io/part-of: flowercore
     spec:
       containers:
-        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
         - envFrom:
             - configMapRef:
                 name: retail-web-config
@@ -171,26 +168,3 @@ spec:
           port: 80
   tls:
     secretName: retail-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose retail-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: retail-web-public
-#   namespace: fc-retail
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`retail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: retail-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: retail-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-scoreboard/fc-scoreboard.yaml

@@ -30,26 +30,3 @@ spec:
           port: 80
   tls:
     secretName: scoreboard-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose scoreboard-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: scoreboard-web-public
-#   namespace: fc-scoreboard
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`scoreboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: scoreboard-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: scoreboard-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-segmentdisplay/fc-segmentdisplay.yaml

@@ -37,26 +37,3 @@ spec:
           port: 80
   tls:
     secretName: segmentdisplay-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose segmentdisplay-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: segmentdisplay-web-public
-#   namespace: fc-segmentdisplay
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`segmentdisplay.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: segmentdisplay-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: segmentdisplay-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-signage/fc-signage.yaml

@@ -46,26 +46,3 @@ spec:
       services:
         - name: signage-web
           port: 5190
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose signage-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: signage-web-public
-#   namespace: fc-signage
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`signage.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: signage-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: signage-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-ttsreader/fc-ttsreader.yaml

@@ -97,7 +97,6 @@ spec:
       containers:
         - name: piper
           image: rhasspy/wyoming-piper:latest
-          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: PYTHONHTTPSVERIFY
               value: "0"
@@ -524,8 +523,6 @@ spec:
         app.kubernetes.io/name: ttsreader-web
         app.kubernetes.io/part-of: flowercore
       annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/health"
         prometheus.io/scrape: "true"
         prometheus.io/port: "5217"
         prometheus.io/path: "/metrics"
@@ -765,26 +762,3 @@ spec:
           port: 5217
   tls:
     secretName: ttsreader-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose ttsreader-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: ttsreader-web-public
-#   namespace: fc-ttsreader
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`ttsreader.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: ttsreader-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: ttsreader-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/fc-updater/fc-updater.yaml

@@ -52,9 +52,6 @@ spec:
       app: updatecenter-web
   template:
     metadata:
-      annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/"
       labels:
         app: updatecenter-web
     spec:
@@ -66,7 +63,6 @@ spec:
           ports:
             - containerPort: 8080
               name: http
-          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: ASPNETCORE_URLS
               value: http://+:8080

apps/fit/fit.yaml

@@ -201,6 +201,8 @@ spec:
     metadata:
       labels:
         app: fit-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -225,12 +227,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
@@ -265,7 +273,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)
+    - match: (Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: fit-web

apps/flowercore/flowercore.yaml

@@ -257,6 +257,8 @@ spec:
     metadata:
       labels:
         app: flowercore-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -281,12 +283,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:

apps/gitea-public/gitea-public.yaml

@@ -11,7 +11,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`gitea.flowercore.io`)
+    - match: Host(`gitea.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
       kind: Rule
       services:
         - name: gitea-http

apps/knowledge/knowledge.yaml

@@ -90,8 +90,6 @@ spec:
         app.kubernetes.io/name: knowledge-web
         app.kubernetes.io/part-of: bluejay-infra
       annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics"
@@ -119,7 +117,6 @@ spec:
           ports:
             - containerPort: 8080
               name: http
-          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: ASPNETCORE_URLS
               value: "http://+:8080"
@@ -289,26 +286,3 @@ spec:
           port: 80
   tls:
     secretName: knowledge-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose knowledge-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: knowledge-web-public
-#   namespace: knowledge
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`knowledge.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: knowledge-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: knowledge-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/mail/mail.yaml

@@ -243,7 +243,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`webmail.flowercore.io`)
+    - match: Host(`webmail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
       kind: Rule
       services:
         - name: mail-webmail

apps/matrix/matrix.yaml

@@ -479,7 +479,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`element.flowercore.io`)
+    - match: Host(`element.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
       kind: Rule
       services:
         - name: element-web
@@ -497,7 +497,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`matrix.flowercore.io`)
+    - match: Host(`matrix.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
       kind: Rule
       services:
         - name: synapse

apps/monitoring/noc-monitoring.yaml

@@ -216,24 +216,19 @@ data:
       - job_name: "pimanager-app"
         scrape_interval: 15s
         metrics_path: /metrics
-        scheme: https
-        tls_config:
-          insecure_skip_verify: true
         static_configs:
-          - targets: ["piez.iamworkin.lan"]
+          - targets: ["10.0.58.25:5000"]
             labels:
               instance: "piez"
-              service: "signalcontrol"
+              service: "pimanager"
               vlan: "home"
               device: "pi4-ezconnect"
-              rig: "signal-b"
+          - targets: ["10.0.58.113:5200"]
-          - targets: ["pirelay.iamworkin.lan"]
             labels:
               instance: "pirelay"
-              service: "signalcontrol"
+              service: "pimanager"
               vlan: "home"
               device: "pi3-ks0212"
-              rig: "signal-a"
 
       # Epson ET-3750 EcoTank Printer SNMP
       - job_name: "snmp-printer"
@@ -493,12 +488,6 @@ data:
               - "https://desktop.iamworkin.lan/"
               - "https://print.iamworkin.lan/healthz"    # root 401 behind API key auth; /healthz anonymous 200
               - "https://dns.iamworkin.lan/healthz"      # root auth-gated by OIDC; /healthz anonymous 200
-              - "https://signalcontrol.iamworkin.lan/health" # FlowerCore.SignalControl Pi control plane
-              - "https://flowercore.iamworkin.lan/healthz"    # FlowerCore landing
-              - "https://replay.iamworkin.lan/healthz"        # FlowerCore.Signage replay surface
-              - "https://worldbuilder.iamworkin.lan/healthz"  # FlowerCore.WorldBuilder
-              - "https://updates.iamworkin.lan/api/v1/manifests/_schema" # UpdateCenter plural LAN alias
-              - "https://updatecenter-internal.iamworkin.lan/api/v1/manifests/_schema" # internal UC schema route
               - "https://chat.iamworkin.lan/healthz"     # OIDC staged; keep blackbox off root before enforcement flips
               - "https://dist.iamworkin.lan/healthz"     # root/admin auth-gated by OIDC; /healthz anonymous 200
               - "https://dms.iamworkin.lan/healthz"      # future OIDC posture; health route is already anonymous/live
@@ -922,13 +911,12 @@ data:
           # of idle and SNMP times out, so 5m for: would page nightly. A
           # genuine printer outage (jam, disconnected) lasts well over 30m.
           - alert: EpsonPrinterDown
-            expr: (max_over_time(up{job="snmp-printer"}[35m]) == bool 0) == 1 and (hour() >= 13 or hour() < 1)
+            expr: up{job="snmp-printer"} == 0
             for: 30m
             labels:
-              severity: info
+              severity: warning
-              alert_channel: irc
             annotations:
-              summary: "Epson ET-3750 SNMP unreachable during waking hours (30m)"
+              summary: "Epson ET-3750 SNMP unreachable for >30m (likely actual fault, not sleep)"
 
           - alert: SynologyDiskLow
             expr: hrStorageUsed{job="snmp-nas"} / hrStorageSize{job="snmp-nas"} * 100 > 85

apps/pki-web/pki-web.yaml

@@ -134,6 +134,8 @@ spec:
     metadata:
       labels:
         app: pki-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
     spec:
       containers:
         - name: nginx
@@ -158,12 +160,18 @@ spec:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /healthz
               port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
@@ -201,6 +209,7 @@ spec:
   dnsNames:
     - pki.iamworkin.lan
 ---
+# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Traefik IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute

apps/telephony/telephony.yaml

@@ -114,9 +114,6 @@ spec:
       app: telephony-web
   template:
     metadata:
-      annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/health"
       labels:
         app: telephony-web
     spec:
@@ -164,7 +161,6 @@ spec:
           ports:
             - containerPort: 5100
               name: http
-          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: Telephony__Twilio__AccountSid
               valueFrom:
@@ -211,12 +207,18 @@ spec:
             httpGet:
               path: /health
               port: 5100
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 30
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /health
               port: 5100
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
             initialDelaySeconds: 10
             periodSeconds: 5
       volumes:
@@ -260,12 +262,12 @@ spec:
     - websecure
   routes:
     - kind: Rule
-      match: Host(`telephony.flowercore.io`)
+      match: Host(`telephony.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
       services:
         - name: telephony-web
           port: 5100
     - kind: Rule
-      match: Host(`telephony.iamwork.in`)
+      match: Host(`telephony.iamwork.in`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
       services:
         - name: telephony-web
           port: 5100
@@ -391,3 +393,4 @@ spec:
 
 
 
+

apps/traefik-dashboard/traefik-dashboard.yaml

@@ -20,10 +20,11 @@ metadata:
 spec:
   basicAuth:
     secret: traefik-dashboard-auth
----
+---
-# Dashboard IngressRoute
+# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
-apiVersion: traefik.io/v1alpha1
+# Dashboard IngressRoute
-kind: IngressRoute
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
 metadata:
   name: traefik-dashboard
   namespace: traefik-system

apps/voice/voice.yaml

@@ -66,7 +66,7 @@ spec:
     - websecure
   routes:
     - kind: Rule
-      match: Host(`voice.bluejay.dev`)
+      match: Host(`voice.bluejay.dev`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
       services:
         - name: voice-bridge
           port: 8766
@@ -84,7 +84,7 @@ spec:
     - websecure
   routes:
     - kind: Rule
-      match: Host(`voice-ws.bluejay.dev`)
+      match: Host(`voice-ws.bluejay.dev`) && (Method(`GET`) || Method(`HEAD`))
       services:
         - name: voice-bridge
           port: 8765

apps/worldbuilder/worldbuilder.yaml

@@ -77,8 +77,6 @@ spec:
         flowercore.io/tenant-id: system
         flowercore.io/created-by: bluejay-infra
       annotations:
-        fc.flowercore.io/healthz-anon: "true"
-        fc.flowercore.io/probe-path: "/healthz"
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics/prometheus"
@@ -95,7 +93,6 @@ spec:
           ports:
             - containerPort: 8080
               name: http
-          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
           env:
             - name: ASPNETCORE_URLS
               value: "http://+:8080"
@@ -257,26 +254,3 @@ spec:
           port: 80
   tls:
     secretName: worldbuilder-web-tls
-# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
-# When the operator decides to expose worldbuilder-web publicly, uncomment + update the host,
-# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
-#
-# --- IngressRoute ---
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: worldbuilder-web-public
-#   namespace: worldbuilder
-# spec:
-#   entryPoints: [websecure]
-#   routes:
-#     - match: Host(`worldbuilder.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
-#       kind: Rule
-#       middlewares:
-#         - name: worldbuilder-web-public-profile-header  # injects entitlement profile
-#       services:
-#         - name: worldbuilder-web
-#           port: 80
-#   tls: {}
-# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
-# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).

apps/zabbix/zabbix.yaml

@@ -344,6 +344,7 @@ spec:
   dnsNames:
     - zabbix.iamworkin.lan
 ---
+# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Traefik IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute

tests/bluejay-infra-lint/FleetManifestLintTests.cs

@@ -13,21 +13,67 @@ public sealed class FleetManifestLintTests
 
     private static readonly HashSet<string> PublicReadOnlyHosts = new(StringComparer.Ordinal)
     {
+        "bluejay.dev",
         "brochure.flowercore.io",
         "dist.flowercore.io",
+        "element.flowercore.io",
+        "erckak.dev",
+        "flowercore.io",
+        "flowerinsider.xyz",
+        "timeforta.co",
+        "voice-ws.bluejay.dev",
+        "www.bluejay.dev",
+        "www.erckak.dev",
+        "www.flowercore.io",
+        "www.flowerinsider.xyz",
+        "www.timeforta.co",
     };
 
-    // Hosts that allow a tightly bounded write surface in addition to GET/HEAD.
+    // Public hosts that allow a tightly bounded write surface in addition to
-    // updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
+    // GET/HEAD. updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
     // (bootstrap-JWT) so its allowlist is GET||HEAD||POST||OPTIONS — but
-    // PUT/PATCH/DELETE must still 404 at the route. Public
+    // PUT/PATCH/DELETE must still 404 at the route. Anything wider than this
-    // update.flowercore.io remains a GET/HEAD download surface in the
+    // set should fail this lint.
-    // FlowerCore.Updater sibling manifest and is covered by the general
+    //
-    // public-method allowlist lint instead of this write-surface rule.
+    // PUB-1 (2026-05-06): update.flowercore.io / updates.flowercore.io were
+    // added for the Cloudflare-proxied public Update Center edge. They use the
+    // same bounded read-write allowlist as the LAN pair.
     private static readonly HashSet<string> PublicReadWriteAllowlistHosts = new(StringComparer.Ordinal)
     {
+        "chat.flowercore.io",
+        "gitea.flowercore.io",
+        "matrix.flowercore.io",
+        "telephony.flowercore.io",
+        "telephony.iamwork.in",
         "updatecenter.iamworkin.lan",
         "updates.iamworkin.lan",
+        "update.flowercore.io",
+        "updates.flowercore.io",
+        "voice.bluejay.dev",
+        "webmail.flowercore.io",
+    };
+
+    private static readonly IReadOnlyDictionary<string, string> InfraHealthzProbeDeployments = new Dictionary<string, string>(StringComparer.Ordinal)
+    {
+        ["andrew"] = "andrew-web",
+        ["dustin"] = "dustin-web",
+        ["erik"] = "erik-web",
+        ["fc-landing"] = "fc-landing",
+        ["fit"] = "fit-web",
+        ["flowercore"] = "flowercore-web",
+        ["pki-web"] = "pki-web",
+    };
+
+    private static readonly IReadOnlyDictionary<string, string> InfraForwardedProtoProbeDeployments = new Dictionary<string, string>(StringComparer.Ordinal)
+    {
+        ["andrew"] = "andrew-web",
+        ["dustin"] = "dustin-web",
+        ["erik"] = "erik-web",
+        ["fc-landing"] = "fc-landing",
+        ["fit"] = "fit-web",
+        ["flowercore"] = "flowercore-web",
+        ["pki-web"] = "pki-web",
+        ["telephony"] = "telephony-web",
     };
 
     private static readonly HashSet<string> ApiKeyProtectedDeployments = new(StringComparer.Ordinal)
@@ -65,7 +111,7 @@ public sealed class FleetManifestLintTests
         ["github-runner-updater"] = "https://github.com/astoltz/FlowerCore.Updater",
     };
 
-    private static readonly HashSet<string> RepoScopedLinuxRunnerDeployments = new(StringComparer.Ordinal)
+    private static readonly HashSet<string> ScaledLinuxRunnerDeployments = new(StringComparer.Ordinal)
     {
         "github-runner-sharedpos",
         "github-runner-puppet",
@@ -79,44 +125,6 @@ public sealed class FleetManifestLintTests
         "github-runner-updater",
     };
 
-    private static readonly IReadOnlyDictionary<string, (string Deployment, string ProbePath)> BroaderHardeningDeployments =
-        new Dictionary<string, (string Deployment, string ProbePath)>(StringComparer.Ordinal)
-        {
-            ["fc-aistation"] = ("aistation-web", "/healthz"),
-            ["fc-chat"] = ("chat-web", "/healthz"),
-            ["fc-devicemgmt"] = ("fc-devicemgmt-web", "/healthz"),
-            ["fc-library"] = ("library-web", "/health"),
-            ["fc-llm-bridge"] = ("fc-llm-bridge", "/healthz"),
-            ["fc-messageboard"] = ("messageboard-web", "/health"),
-            ["fc-retail"] = ("retail-web", "/healthz"),
-            ["fc-ttsreader"] = ("ttsreader-web", "/health"),
-            ["fc-updater"] = ("updatecenter-web", "/"),
-            ["knowledge"] = ("knowledge-web", "/healthz"),
-            ["telephony"] = ("telephony-web", "/health"),
-            ["worldbuilder"] = ("worldbuilder-web", "/healthz"),
-        };
-
-    private static readonly HashSet<string> BroaderHardeningInternalPrestageApps = new(StringComparer.Ordinal)
-    {
-        "fc-aistation",
-        "fc-desktop",
-        "fc-dms",
-        "fc-library",
-        "fc-llm-bridge",
-        "fc-menuboard",
-        "fc-messageboard",
-        "fc-mysql",
-        "fc-php",
-        "fc-presentations",
-        "fc-retail",
-        "fc-scoreboard",
-        "fc-segmentdisplay",
-        "fc-signage",
-        "fc-ttsreader",
-        "knowledge",
-        "worldbuilder",
-    };
-
     private static readonly IReadOnlyDictionary<string, string> WritableRunnerEnv = new Dictionary<string, string>(StringComparer.Ordinal)
     {
         ["HOME"] = "/home/runner",
@@ -165,8 +173,13 @@ public sealed class FleetManifestLintTests
                     }))
             .Where(entry => PublicReadOnlyHosts.Any(host => entry.Match.Contains($"Host(`{host}`)", StringComparison.Ordinal)))
             .Where(entry => !entry.Match.Contains("Method(`GET`)", StringComparison.Ordinal)
-                || !entry.Match.Contains("Method(`HEAD`)", StringComparison.Ordinal))
+                || !entry.Match.Contains("Method(`HEAD`)", StringComparison.Ordinal)
-            .Select(entry => $"{entry.Document.Descriptor} is missing an explicit GET/HEAD method allowlist.")
+                || entry.Match.Contains("Method(`POST`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`PUT`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`PATCH`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`DELETE`)", StringComparison.Ordinal)
+                || entry.Match.Contains("Method(`OPTIONS`)", StringComparison.Ordinal))
+            .Select(entry => $"{entry.Document.Descriptor} must explicitly allow GET/HEAD only on a public read-only host.")
             .ToList();
 
         violations.Should().BeEmpty();
@@ -305,17 +318,17 @@ public sealed class FleetManifestLintTests
     }
 
     [Fact]
-    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForRepoScopedDeployments()
+    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForScaledDeployments()
     {
         var deployments = GitHubRunnerDeployments();
 
-        foreach (var deploymentName in RepoScopedLinuxRunnerDeployments)
+        foreach (var deploymentName in ScaledLinuxRunnerDeployments)
         {
             var deployment = deployments[deploymentName];
-            // Sprint 34 ops trimmed runner load while the cluster was degraded
+            // Scaled runners must have >= 2 replicas (avoid single-pod bottleneck).
-            // to two healthy nodes. Repo-scoped runners can be tuned back above
+            // Individual deployments may be tuned upward per CI activity — see
-            // one replica, but they must stay RWO-safe before that happens.
+            // "runners: right-size replica counts per 14d CI activity (#24)".
-            ReplicaCount(deployment).Should().BeGreaterOrEqualTo(1, $"{deploymentName} must keep at least one repo-scoped runner online");
+            ReplicaCount(deployment).Should().BeGreaterOrEqualTo(2, $"{deploymentName} is in the scaled set and must run with at least 2 replicas");
 
             var volumes = deployment.MappingSequence("spec", "template", "spec", "volumes");
             var claimNames = volumes
@@ -323,7 +336,7 @@ public sealed class FleetManifestLintTests
                 .Where(value => !string.IsNullOrWhiteSpace(value))
                 .ToList();
 
-            claimNames.Should().BeEmpty($"{deploymentName} must remain ready for safe multi-replica scaling without sharing a RWO PVC");
+            claimNames.Should().BeEmpty($"{deploymentName} is scaled and must not share a RWO PVC");
             volumes.Should().Contain(volume =>
                 string.Equals(ManifestNodeExtensions.Scalar(volume, "name"), "nuget-cache", StringComparison.Ordinal)
                 && ManifestNodeExtensions.Mapping(volume, "emptyDir") != null);
@@ -507,6 +520,49 @@ public sealed class FleetManifestLintTests
         violations.Should().BeEmpty();
     }
 
+    [Fact]
+    public void AuthSafeInfraHealthzProbes_MustDeclareAnonymousHealthzContract()
+    {
+        var violations = InfraHealthzProbeDeployments.SelectMany(expected =>
+        {
+            var deployment = AppDocuments(expected.Key)
+                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value);
+            var hasHealthzProbe = deployment.MainContainerMappings()
+                .Any(container => ProbeHttpGetPath(container, "readinessProbe") == "/healthz"
+                    || ProbeHttpGetPath(container, "startupProbe") == "/healthz"
+                    || ProbeHttpGetPath(container, "livenessProbe") == "/healthz");
+
+            return hasHealthzProbe
+                && !string.Equals(PodAnnotation(deployment, "flowercore.io/healthz-auth-policy"), "allow-anonymous", StringComparison.Ordinal)
+                    ? new[] { $"{deployment.Descriptor} probes /healthz but lacks flowercore.io/healthz-auth-policy: allow-anonymous." }
+                    : Array.Empty<string>();
+        }).ToList();
+
+        violations.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void AuthSafeInfraHttpProbes_MustSendForwardedProtoHttpsHeader()
+    {
+        var violations = InfraForwardedProtoProbeDeployments.SelectMany(expected =>
+        {
+            var deployment = AppDocuments(expected.Key)
+                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value);
+
+            return deployment.MainContainerMappings()
+                .SelectMany(container => new[] { "startupProbe", "readinessProbe", "livenessProbe" }
+                    .Where(probeKey => ProbeHttpGetPath(container, probeKey) is "/healthz" or "/health")
+                    .Where(probeKey => !string.Equals(ProbeHttpGetHeaderValue(container, probeKey, "X-Forwarded-Proto"), "https", StringComparison.Ordinal))
+                    .Select(probeKey =>
+                    {
+                        var containerName = ManifestNodeExtensions.Scalar(container, "name") ?? "<unnamed>";
+                        return $"{deployment.Descriptor} container '{containerName}' {probeKey} is missing X-Forwarded-Proto=https.";
+                    }));
+        }).ToList();
+
+        violations.Should().BeEmpty();
+    }
+
     [Fact]
     public void Knowledge_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
     {
@@ -646,6 +702,7 @@ public sealed class FleetManifestLintTests
         var expectedFiles = new[]
         {
             "1password-item.yaml",
+            "argocd-application.yaml",
             "certificate-web.yaml",
             "clusterrole-operator.yaml",
             "clusterrolebinding-operator.yaml",
@@ -801,62 +858,17 @@ public sealed class FleetManifestLintTests
     }
 
     [Fact]
-    public void FcDeviceManagement_MustRelyOnApplicationSetDiscovery()
+    public void FcDeviceManagement_ArgocdApplicationMustMatchApplicationSetDiscoveryConventions()
     {
-        var documents = FcDeviceManagementDocuments();
+        var application = FcDeviceManagementDocuments()
+            .Single(document => document.Kind == "Application" && document.Name == "infra-fc-devicemgmt");
 
-        documents.Should().NotContain(document => document.Kind == "Application");
+        application.Namespace.Should().Be("argocd");
-
+        application.Scalar("spec", "source", "repoURL")
-        var ns = documents.Single(document => document.Kind == "Namespace" && document.Name == "fc-devicemgmt");
+            .Should()
-        ns.FileText.Should().Contain("ArgoCD discovers this directory as Application `infra-fc-devicemgmt`.");
+            .Be("http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git");
-    }
+        application.Scalar("spec", "source", "path").Should().Be("apps/fc-devicemgmt");
-
+        application.Scalar("spec", "destination", "namespace").Should().Be("fc-devicemgmt");
-    [Fact]
-    public void BroaderHardeningDeployments_MustAnnotateAnonymousHealthProbeIntent()
-    {
-        foreach (var expected in BroaderHardeningDeployments)
-        {
-            var deployment = AppDocuments(expected.Key)
-                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value.Deployment);
-
-            PodAnnotation(deployment, "fc.flowercore.io/healthz-anon").Should().Be("true");
-            PodAnnotation(deployment, "fc.flowercore.io/probe-path").Should().Be(expected.Value.ProbePath);
-        }
-    }
-
-    [Fact]
-    public void BroaderHardeningDeployments_MustDocumentForwardedProtoAuthPosture()
-    {
-        foreach (var expected in BroaderHardeningDeployments)
-        {
-            var deployment = AppDocuments(expected.Key)
-                .Single(document => document.Kind == "Deployment" && document.Name == expected.Value.Deployment);
-
-            deployment.FileText.Should().Contain(
-                "fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178)");
-        }
-    }
-
-    [Fact]
-    public void BroaderHardeningInternalApps_MustOnlyPrestageCommentedPublicMethodAllowlist()
-    {
-        foreach (var app in BroaderHardeningInternalPrestageApps)
-        {
-            var documents = AppDocuments(app);
-            var text = string.Join(Environment.NewLine, documents.Select(document => document.FileText));
-
-            text.Should().Contain("PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only)");
-            text.Should().Contain("#     - match: Host(`");
-            text.Should().Contain("Method(`GET`) || Method(`HEAD`)");
-
-            documents
-                .Where(document => document.Kind == "IngressRoute")
-                .SelectMany(document => document.MappingSequence("spec", "routes"))
-                .Select(route => ManifestNodeExtensions.Scalar(route, "match") ?? string.Empty)
-                .Should()
-                .NotContain(match => match.Contains(".flowercore.io", StringComparison.Ordinal),
-                    "Sprint 61 broader hardening only pre-stages commented public hosts for internal-only apps");
-        }
     }
 
     [Fact]
@@ -1093,6 +1105,20 @@ public sealed class FleetManifestLintTests
             : null;
     }
 
+    private static string? ProbeHttpGetHeaderValue(YamlMappingNode container, string probeKey, string name)
+    {
+        if (!ManifestNodeExtensions.TryGetMapping(container, probeKey, out var probe)
+            || !ManifestNodeExtensions.TryGetMapping(probe, "httpGet", out var httpGet))
+        {
+            return null;
+        }
+
+        return ManifestNodeExtensions.MappingSequence(httpGet, "httpHeaders")
+            .Where(header => string.Equals(ManifestNodeExtensions.Scalar(header, "name"), name, StringComparison.Ordinal))
+            .Select(header => ManifestNodeExtensions.Scalar(header, "value"))
+            .SingleOrDefault();
+    }
+
     private static IReadOnlyList<ManifestDocument> FcDeviceManagementDocuments()
     {
         return Inventory.Documents