fix(modules): align F2 health probes with runtime #268

Merged

pdurlej merged 1 commit from codex/cutover/f2-health-probe-fix into main

2026-05-13 20:26:49 +02:00

codex commented

2026-05-13 20:23:34 +02:00

Collaborator

Canary status: missing — operator merge only after spot-check; F2 smoke gate remains sequential

Canary Context Pack

Product story

F2 no-op smoke should validate real runtime health instead of failing on invented /health endpoints. This keeps the auto-apply cutover honest: a green smoke means the service contract matches production behavior.

What changed

excalidraw-room: changed HTTP health probe and acceptance text from /health to /.
excalidraw-app: changed HTTP health probe and acceptance text from /health to /.
np-meerkat-frontend: filled strict-v2 user outcome, acceptance criteria, image evidence, digest pin status, audit timestamp, image build, and domain. It remains container-only for F2 because the public route returns 403 and the canonical compose service is still missing from repo compose.
safe-session-web: verified and intentionally left unchanged; it is private/internal and uses container health only.

Why it changed

Run #822 for excalidraw-room failed after strict-v2 was fixed because https://room.excalidraw.pdurlej.com/health returns 404 while the actual root endpoint returns 200. Pan Herbatka asked to audit the full F2 set and fix the affected health-probe acceptance in one batch.

Files touched

modules/excalidraw-room/module.yaml
modules/excalidraw-app/module.yaml
modules/np-meerkat-frontend/module.yaml

Runtime evidence

Captured from RS2000 on 2026-05-13:

https://room.excalidraw.pdurlej.com/health -> HTTP/2 404
https://room.excalidraw.pdurlej.com/       -> HTTP/2 200
https://excalidraw.pdurlej.com/health      -> HTTP/2 404
https://excalidraw.pdurlej.com/            -> HTTP/2 200
https://meerkat.pdurlej.com/health         -> HTTP/2 403
https://meerkat.pdurlej.com/               -> HTTP/2 403
https://meerkat.pdurlej.com/login          -> HTTP/2 403

home-platform-excalidraw-room-1        -> status=running health=healthy image=home-platform-excalidraw-room:2026.02.24-03ff435
home-platform-excalidraw-app-1         -> status=running health=healthy image=home-platform-excalidraw-app:2026.02.24-2874f9e
home-platform-np-meerkat-frontend-1    -> status=running health=none image=ghcr.io/fbuchner/meerkat-crm-frontend:latest
home-platform-safe-session-web-1       -> status=running health=healthy image=home-platform-safe-session-web:1.0.0

np-meerkat-frontend image evidence:
ghcr.io/fbuchner/meerkat-crm-frontend@sha256:32f73297bd4b09b1ad6ba8679b1abbc6dc1b20f4afe1ae7b05c6f784ba2d2373

Known constraints

np-meerkat-frontend still lacks a canonical service in current repo compose. This PR makes its manifest strict-v2 and container-only for health, but does not resolve the canonical compose gap.
No runtime mutation was performed while preparing this PR.
F2 retry must remain one service at a time after merge.

Explicit out-of-scope

Adding or restoring canonical compose for np-meerkat-frontend.
F3/stateful smoke.
Real-change apply.
Production restart.

Requested decision

Approve merge if the health-probe contracts match the runtime evidence.

Merge blockers

Any evidence that Excalidraw has a better stable health endpoint than /.
Any decision that np-meerkat-frontend should be excluded from F2 until canonical compose is fixed.

Spec sources read

modules/excalidraw-room/module.yaml — failing F2 health probe contract.
modules/excalidraw-app/module.yaml — likely same Excalidraw health probe pattern.
modules/np-meerkat-frontend/module.yaml — missing strict-v2 acceptance/runtime evidence.
modules/safe-session-web/module.yaml — verified skip, private/container-health pattern already present.
compose/apps/compose.yaml and compose/core/compose.yaml — checked canonical service presence.
RS2000 live curl and docker inspect outputs — runtime evidence.

Validation

platformctl validate --strict-v2:
- excalidraw-room: OK
- excalidraw-app: OK
- np-meerkat-frontend: OK
- safe-session-web: OK

Tests

PYTHONPATH=control-plane /tmp/platformctl-test-venv/bin/python -m pytest \
  control-plane/platformctl/tests/test_validate.py \
  control-plane/platformctl/tests/test_health_phase3.py -q
# 25 passed

PYTHONPATH=control-plane /tmp/platformctl-test-venv/bin/python -m pytest \
  control-plane/platformctl/tests/test_forgejo_ci_scripts_contract.py -q
# 25 passed

git diff --check
# passed

Canary status: missing — operator merge only after spot-check; F2 smoke gate remains sequential ## Canary Context Pack ### Product story F2 no-op smoke should validate real runtime health instead of failing on invented `/health` endpoints. This keeps the auto-apply cutover honest: a green smoke means the service contract matches production behavior. ### What changed - `excalidraw-room`: changed HTTP health probe and acceptance text from `/health` to `/`. - `excalidraw-app`: changed HTTP health probe and acceptance text from `/health` to `/`. - `np-meerkat-frontend`: filled strict-v2 user outcome, acceptance criteria, image evidence, digest pin status, audit timestamp, image build, and domain. It remains container-only for F2 because the public route returns 403 and the canonical compose service is still missing from repo compose. - `safe-session-web`: verified and intentionally left unchanged; it is private/internal and uses container health only. ### Why it changed Run #822 for `excalidraw-room` failed after strict-v2 was fixed because `https://room.excalidraw.pdurlej.com/health` returns 404 while the actual root endpoint returns 200. Pan Herbatka asked to audit the full F2 set and fix the affected health-probe acceptance in one batch. ### Files touched - `modules/excalidraw-room/module.yaml` - `modules/excalidraw-app/module.yaml` - `modules/np-meerkat-frontend/module.yaml` ### Runtime evidence Captured from RS2000 on 2026-05-13: ```text https://room.excalidraw.pdurlej.com/health -> HTTP/2 404 https://room.excalidraw.pdurlej.com/ -> HTTP/2 200 https://excalidraw.pdurlej.com/health -> HTTP/2 404 https://excalidraw.pdurlej.com/ -> HTTP/2 200 https://meerkat.pdurlej.com/health -> HTTP/2 403 https://meerkat.pdurlej.com/ -> HTTP/2 403 https://meerkat.pdurlej.com/login -> HTTP/2 403 ``` ```text home-platform-excalidraw-room-1 -> status=running health=healthy image=home-platform-excalidraw-room:2026.02.24-03ff435 home-platform-excalidraw-app-1 -> status=running health=healthy image=home-platform-excalidraw-app:2026.02.24-2874f9e home-platform-np-meerkat-frontend-1 -> status=running health=none image=ghcr.io/fbuchner/meerkat-crm-frontend:latest home-platform-safe-session-web-1 -> status=running health=healthy image=home-platform-safe-session-web:1.0.0 ``` ```text np-meerkat-frontend image evidence: ghcr.io/fbuchner/meerkat-crm-frontend@sha256:32f73297bd4b09b1ad6ba8679b1abbc6dc1b20f4afe1ae7b05c6f784ba2d2373 ``` ### Known constraints - `np-meerkat-frontend` still lacks a canonical service in current repo compose. This PR makes its manifest strict-v2 and container-only for health, but does not resolve the canonical compose gap. - No runtime mutation was performed while preparing this PR. - F2 retry must remain one service at a time after merge. ### Explicit out-of-scope - Adding or restoring canonical compose for `np-meerkat-frontend`. - F3/stateful smoke. - Real-change apply. - Production restart. ### Requested decision Approve merge if the health-probe contracts match the runtime evidence. ### Merge blockers - Any evidence that Excalidraw has a better stable health endpoint than `/`. - Any decision that `np-meerkat-frontend` should be excluded from F2 until canonical compose is fixed. ## Spec sources read - `modules/excalidraw-room/module.yaml` — failing F2 health probe contract. - `modules/excalidraw-app/module.yaml` — likely same Excalidraw health probe pattern. - `modules/np-meerkat-frontend/module.yaml` — missing strict-v2 acceptance/runtime evidence. - `modules/safe-session-web/module.yaml` — verified skip, private/container-health pattern already present. - `compose/apps/compose.yaml` and `compose/core/compose.yaml` — checked canonical service presence. - RS2000 live `curl` and `docker inspect` outputs — runtime evidence. ## Validation ```text platformctl validate --strict-v2: - excalidraw-room: OK - excalidraw-app: OK - np-meerkat-frontend: OK - safe-session-web: OK ``` ## Tests ```text PYTHONPATH=control-plane /tmp/platformctl-test-venv/bin/python -m pytest \ control-plane/platformctl/tests/test_validate.py \ control-plane/platformctl/tests/test_health_phase3.py -q # 25 passed PYTHONPATH=control-plane /tmp/platformctl-test-venv/bin/python -m pytest \ control-plane/platformctl/tests/test_forgejo_ci_scripts_contract.py -q # 25 passed git diff --check # passed ```

codex added 1 commit

2026-05-13 20:23:34 +02:00

fix(modules): align F2 health probes with runtime

canary-required / collect-diff (pull_request) Successful in 3s

Details

platformctl plan / auto-apply scope (pull_request) Successful in 21s

Details

canary-required / canary (pull_request) Successful in 13s

Details

base-is-main / guard (pull_request) Successful in 1s

Details

7f75189608