tests/bluejay-infra-lint/FleetManifestLintTests.cs

@@ -17,21 +17,17 @@ public sealed class FleetManifestLintTests
         "dist.flowercore.io",
     };
 
-    // Public hosts that allow a tightly bounded write surface in addition to
-    // GET/HEAD. updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
+    // Hosts that allow a tightly bounded write surface in addition to GET/HEAD.
+    // updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
     // (bootstrap-JWT) so its allowlist is GET||HEAD||POST||OPTIONS — but
-    // PUT/PATCH/DELETE must still 404 at the route. Anything wider than this
-    // set should fail this lint.
-    //
-    // PUB-1 (2026-05-06): update.flowercore.io / updates.flowercore.io were
-    // added for the Cloudflare-proxied public Update Center edge. They use the
-    // same bounded read-write allowlist as the LAN pair.
+    // PUT/PATCH/DELETE must still 404 at the route. Public
+    // update.flowercore.io remains a GET/HEAD download surface in the
+    // FlowerCore.Updater sibling manifest and is covered by the general
+    // public-method allowlist lint instead of this write-surface rule.
     private static readonly HashSet<string> PublicReadWriteAllowlistHosts = new(StringComparer.Ordinal)
     {
         "updatecenter.iamworkin.lan",
         "updates.iamworkin.lan",
-        "update.flowercore.io",
-        "updates.flowercore.io",
     };
 
     private static readonly HashSet<string> ApiKeyProtectedDeployments = new(StringComparer.Ordinal)
@@ -69,7 +65,7 @@ public sealed class FleetManifestLintTests
         ["github-runner-updater"] = "https://github.com/astoltz/FlowerCore.Updater",
     };
 
-    private static readonly HashSet<string> ScaledLinuxRunnerDeployments = new(StringComparer.Ordinal)
+    private static readonly HashSet<string> RepoScopedLinuxRunnerDeployments = new(StringComparer.Ordinal)
     {
         "github-runner-sharedpos",
         "github-runner-puppet",
@@ -271,17 +267,17 @@ public sealed class FleetManifestLintTests
     }
 
     [Fact]
-    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForScaledDeployments()
+    public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForRepoScopedDeployments()
     {
         var deployments = GitHubRunnerDeployments();
 
-        foreach (var deploymentName in ScaledLinuxRunnerDeployments)
+        foreach (var deploymentName in RepoScopedLinuxRunnerDeployments)
         {
             var deployment = deployments[deploymentName];
-            // Scaled runners must have >= 2 replicas (avoid single-pod bottleneck).
-            // Individual deployments may be tuned upward per CI activity — see
-            // "runners: right-size replica counts per 14d CI activity (#24)".
-            ReplicaCount(deployment).Should().BeGreaterOrEqualTo(2, $"{deploymentName} is in the scaled set and must run with at least 2 replicas");
+            // Sprint 34 ops trimmed runner load while the cluster was degraded
+            // to two healthy nodes. Repo-scoped runners can be tuned back above
+            // one replica, but they must stay RWO-safe before that happens.
+            ReplicaCount(deployment).Should().BeGreaterOrEqualTo(1, $"{deploymentName} must keep at least one repo-scoped runner online");
 
             var volumes = deployment.MappingSequence("spec", "template", "spec", "volumes");
             var claimNames = volumes
@@ -289,7 +285,7 @@ public sealed class FleetManifestLintTests
                 .Where(value => !string.IsNullOrWhiteSpace(value))
                 .ToList();
 
-            claimNames.Should().BeEmpty($"{deploymentName} is scaled and must not share a RWO PVC");
+            claimNames.Should().BeEmpty($"{deploymentName} must remain ready for safe multi-replica scaling without sharing a RWO PVC");
             volumes.Should().Contain(volume =>
                 string.Equals(ManifestNodeExtensions.Scalar(volume, "name"), "nuget-cache", StringComparison.Ordinal)
                 && ManifestNodeExtensions.Mapping(volume, "emptyDir") != null);
@@ -612,7 +608,6 @@ public sealed class FleetManifestLintTests
         var expectedFiles = new[]
         {
             "1password-item.yaml",
-            "argocd-application.yaml",
             "certificate-web.yaml",
             "clusterrole-operator.yaml",
             "clusterrolebinding-operator.yaml",
@@ -768,17 +763,14 @@ public sealed class FleetManifestLintTests
     }
 
     [Fact]
-    public void FcDeviceManagement_ArgocdApplicationMustMatchApplicationSetDiscoveryConventions()
+    public void FcDeviceManagement_MustRelyOnApplicationSetDiscovery()
     {
-        var application = FcDeviceManagementDocuments()
-            .Single(document => document.Kind == "Application" && document.Name == "infra-fc-devicemgmt");
+        var documents = FcDeviceManagementDocuments();
 
-        application.Namespace.Should().Be("argocd");
-        application.Scalar("spec", "source", "repoURL")
-            .Should()
-            .Be("http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git");
-        application.Scalar("spec", "source", "path").Should().Be("apps/fc-devicemgmt");
-        application.Scalar("spec", "destination", "namespace").Should().Be("fc-devicemgmt");
+        documents.Should().NotContain(document => document.Kind == "Application");
+
+        var ns = documents.Single(document => document.Kind == "Namespace" && document.Name == "fc-devicemgmt");
+        ns.FileText.Should().Contain("ArgoCD discovers this directory as Application `infra-fc-devicemgmt`.");
     }
 
     [Fact]