WIP: Sprint 59: Auth safe-to-expose probe hardening #39

Draft

bluejay wants to merge 0 commits from codex/s59-auth-safe-to-expose-bluejay-infra into main

pull from: codex/s59-auth-safe-to-expose-bluejay-infra

merge into: bluejay:main

bluejay:main

bluejay:codex/s63-cx10

bluejay:codex/s62-cx10

bluejay:codex/s61-cx10

bluejay:codex/s60-cx3

bluejay:codex/s60-cx4

bluejay:codex/s58-distribution-root-anon-gitops

bluejay:codex/s58-oidc-proper

bluejay:codex/s57-monitoring-coverage

bluejay:codex/s57-oidc-flip

bluejay:codex/s56-monitoring-coverage

bluejay:codex/s54-cx14-ttsreader-pr29-live

bluejay:codex/s50-cx12-signalcontrol-platform

bluejay:codex/s49-cx11-signalcontrol-platform

bluejay:runners/add-dm-ailinux-worldbuilder-2026-05-26

bluejay:runners/bluejay-ws-exclusion-lint-2026-05-26

bluejay:runners/add-updater-deployment-2026-05-26

bluejay:runners/add-pimanager-deployment-2026-05-25

bluejay:ops/selenium-right-size-memory-2026-05-25

bluejay:ops/runners-bake-step-ca-root-2026-05-25

bluejay:ops/selenium-allow-github-runner-2026-05-25

bluejay:authentik/initial-deploy

bluejay:sprint44/cx-9-fc-desktop-cpu-phase-1

bluejay:sprint42/cx-4-linux-runner-ruby-bake

bluejay:sprint42/cx-5-fc-build-windows-runner

bluejay:sprint42/cx-2-fc-devicemgmt-self-ref-cleanup

bluejay:sprint41/cx-2-step-ca-agent-provisioner

bluejay:sprint41/cx-5-pirelay-scrape-investigation

bluejay:sprint40/cx-7-fc-desktop-prewarm-rq-codify

bluejay:sprint40/cx-5-alert-classification-offline-vs-depleted

bluejay:sprint39/cx-12-longhorn-pvc-growth-alarm

bluejay:sprint39/cx-8-qt-sdk-image

bluejay:sprint39/cx-3-claim-init-hooks-xfce

bluejay:sprint39/cx-5-netpol-isolation

bluejay:sprint37/cx-2-linux-runner-expansion

bluejay:codex/sprint29-linux-runner-fleet

bluejay:claude/github-runner-token-provisioning

bluejay:claude/fix-guacamole-yaml-doc-separator

bluejay:feat/authentik-oidc-client-registration

bluejay:feat/redis-bluejay-infra-cleanup-phase-1

bluejay:claude/ci1-revert-virtio-disk-2026-05-08

bluejay:claude/ci1-iso-as-virtio-disk-2026-05-08

bluejay:claude/ci1-disable-secureboot-2026-05-08

bluejay:claude/ci1-containerdisk-2026-05-08

bluejay:codex/signage-observability-tail-20260508

bluejay:claude/ci1-longhorn-scsi-2026-05-08

bluejay:claude/ci1-vm-phase1-2026-05-08

bluejay:codex/ttsreader-deploy-20260506

bluejay:claude/bluejay-infra-worldbuilder

bluejay:claude/bluejay-infra-ttsreader-4delta

bluejay:claude/marquee-monitoring-mirror-2026-05-06

bluejay:claude/bluejay-infra-update-center-monitoring-2026-05-05

bluejay:claude/k8s-manifest-hardening

bluejay:claude/fc-vision-deploy

bluejay:codex/agent-zero-bridge-phase3-20260429

Conversation 0 Commits - Files Changed -

bluejay commented 2026-06-04 16:04:20 +00:00

Owner

Copy Link

Summary

• mark DNS, Distribution, and Media OIDC /healthz probes with the explicit anonymous-healthz contract annotation
• reconcile Distribution lint expectations with Sprint 58 OIDC already enabled/live
• no public routes added; no Auth:Enabled flips

Tests

• dotnet.exe test tests\bluejay-infra-lint\BluejayInfraLint.Tests.csproj --filter "FullyQualifiedName~OidcEnforcedDeployments_WithHttpHealthzProbes|FullyQualifiedName~Distribution_OidcEnforcement" --logger "console;verbosity=minimal" -m:1

## Summary - mark DNS, Distribution, and Media OIDC /healthz probes with the explicit anonymous-healthz contract annotation - reconcile Distribution lint expectations with Sprint 58 OIDC already enabled/live - no public routes added; no Auth:Enabled flips ## Tests - `dotnet.exe test tests\bluejay-infra-lint\BluejayInfraLint.Tests.csproj --filter "FullyQualifiedName~OidcEnforcedDeployments_WithHttpHealthzProbes|FullyQualifiedName~Distribution_OidcEnforcement" --logger "console;verbosity=minimal" -m:1`

bluejay added 1 commit 2026-06-04 16:04:21 +00:00

fix(auth): mark OIDC healthz probes anonymous 81a3ddac4c

This pull request is marked as a work in progress.

This branch is out-of-date with the base branch

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin codex/s59-auth-safe-to-expose-bluejay-infra:codex/s59-auth-safe-to-expose-bluejay-infra

git checkout codex/s59-auth-safe-to-expose-bluejay-infra

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

bluejay

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: bluejay/bluejay-infra#39