@simbimbo/brainstem 0.0.3 → 0.0.5

package/brainstem/api.py

@@ -1,36 +1,106 @@
 from __future__ import annotations
 
 from datetime import datetime
+import os
+import secrets
+import sys
+from dataclasses import asdict
 from typing import Any, Dict, List, Optional
 
 import json
-from fastapi import FastAPI, HTTPException, Query
-from fastapi.responses import JSONResponse
+from fastapi import Depends, FastAPI, Header, HTTPException, Query
 from pydantic import BaseModel, Field
 
-from .ingest import canonicalize_raw_input_envelope
+from .ingest import ReplayAttempt, run_ingest_logicmonitor_events, replay_raw_envelopes_by_ids, run_ingest_pipeline
 from .interesting import interesting_items
+from .config import get_runtime_config
+from .fingerprint import normalize_message
+from . import __version__
 from .models import Candidate, RawInputEnvelope
-from .recurrence import build_recurrence_candidates
+from .source_drivers import list_source_driver_types
 from .storage import (
     RAW_ENVELOPE_STATUSES,
+    extract_source_raw_envelope_ids,
     get_ingest_stats,
-    init_db,
     list_candidates,
+    list_signatures,
     get_raw_envelope_by_id,
+    get_raw_envelopes_by_ids,
     get_source_dimension_summaries,
+    get_source_status_summaries,
+    list_canonical_events,
     list_recent_failed_raw_envelopes,
     list_recent_raw_envelopes,
-    set_raw_envelope_status,
-    store_candidates,
-    store_events,
-    store_raw_envelopes,
-    store_signatures,
 )
-from .ingest import signatures_for_events
 
 
 app = FastAPI(title="brAInstem Runtime")
+RUNTIME_CONFIG = get_runtime_config()
+API_TOKEN_ENV_VAR = RUNTIME_CONFIG.api_token_env_var
+API_TOKEN_HEADER = "X-API-Token"
+RUNTIME_DEFAULTS = asdict(RUNTIME_CONFIG.defaults)
+RUNTIME_LIMITS = {k: v for k, v in asdict(RUNTIME_CONFIG.limits).items() if k != "replay_allowed_statuses"}
+MAX_REPLAY_IDS = RUNTIME_LIMITS["replay_raw_max_ids"]
+DEFAULT_INGEST_THRESHOLD = RUNTIME_DEFAULTS["ingest_threshold"]
+DEFAULT_BATCH_THRESHOLD = RUNTIME_DEFAULTS["batch_threshold"]
+DEFAULT_INTERESTING_LIMIT = RUNTIME_DEFAULTS["interesting_limit"]
+DEFAULT_FAILURE_LIMIT = RUNTIME_DEFAULTS["failure_limit"]
+DEFAULT_INGEST_RECENT_LIMIT = RUNTIME_DEFAULTS["ingest_recent_limit"]
+DEFAULT_SOURCES_LIMIT = RUNTIME_DEFAULTS["sources_limit"]
+DEFAULT_SOURCES_STATUS_LIMIT = RUNTIME_DEFAULTS["sources_status_limit"]
+DEFAULT_REPLAY_THRESHOLD = RUNTIME_DEFAULTS["replay_threshold"]
+DEFAULT_REPLAY_ALLOWED_STATUSES = tuple(RUNTIME_CONFIG.limits.replay_allowed_statuses)
+CAPABILITIES = {
+    "ingest_endpoints": {
+        "single_event": True,
+        "batch_events": True,
+        "logicmonitor_events": True,
+        "replay_raw": True,
+    },
+    "inspection_endpoints": {
+        "interesting": True,
+        "candidates": True,
+        "signatures": True,
+        "canonical_events": True,
+        "stats": True,
+        "raw_envelopes": True,
+        "failures": True,
+        "ingest_recent": True,
+        "sources": True,
+    },
+}
+
+
+def _configured_api_token() -> str:
+    return os.getenv(API_TOKEN_ENV_VAR, "").strip()
+
+
+def is_api_token_auth_enabled() -> bool:
+    return bool(_configured_api_token())
+
+
+def _extract_bearer_token(authorization: Optional[str]) -> Optional[str]:
+    if not authorization:
+        return None
+    scheme, separator, token = authorization.partition(" ")
+    if separator != " ":
+        return None
+    if scheme.lower() != "bearer":
+        return None
+    return token.strip() or None
+
+
+def _require_api_token(
+    x_api_token: Optional[str] = Header(default=None, alias=API_TOKEN_HEADER),
+    authorization: Optional[str] = Header(default=None),
+) -> None:
+    configured_token = _configured_api_token()
+    if not configured_token:
+        return
+
+    provided_token = x_api_token or _extract_bearer_token(authorization)
+    if not provided_token or not secrets.compare_digest(provided_token, configured_token):
+        raise HTTPException(status_code=401, detail="missing or invalid API token")
 
 
 class RawEnvelopeRequest(BaseModel):
@@ -57,7 +127,23 @@ class IngestEventRequest(RawEnvelopeRequest):
 
 class IngestBatchRequest(BaseModel):
     events: List[RawEnvelopeRequest]
-    threshold: int = Field(default=2, ge=1)
+    threshold: int = Field(default=DEFAULT_BATCH_THRESHOLD, ge=1)
+    db_path: Optional[str] = None
+
+
+class ReplayRawRequest(BaseModel):
+    db_path: str
+    raw_envelope_ids: List[int] = Field(default_factory=list, min_length=1, max_length=MAX_REPLAY_IDS)
+    threshold: int = Field(default=DEFAULT_REPLAY_THRESHOLD, ge=1)
+    force: bool = False
+    allowed_statuses: List[str] = Field(default_factory=lambda: list(DEFAULT_REPLAY_ALLOWED_STATUSES))
+
+
+class IngestLogicMonitorRequest(BaseModel):
+    tenant_id: str
+    events: List[Dict[str, Any]] = Field(default_factory=list, min_length=1)
+    source_path: str = "/logicmonitor/ingest"
+    threshold: int = Field(default=DEFAULT_BATCH_THRESHOLD, ge=1)
     db_path: Optional[str] = None
 
 
@@ -96,6 +182,85 @@ def _candidate_from_row(row) -> Candidate:
     )
 
 
+def _candidate_inspection_from_row(row, db_path: str | None) -> Dict[str, Any]:
+    candidate = _candidate_from_row(row)
+    inspected = interesting_items([candidate], limit=1)
+    summary = inspected[0] if inspected else {
+        "title": candidate.title,
+        "summary": candidate.summary,
+        "decision_band": candidate.decision_band,
+        "attention_band": None,
+        "attention_score": candidate.score_total,
+        "score_total": candidate.score_total,
+        "attention_explanation": [],
+        "score_breakdown": candidate.score_breakdown,
+    }
+
+    raw_envelope_ids = extract_source_raw_envelope_ids(row["metadata_json"])
+    raw_envelopes = []
+    if raw_envelope_ids:
+        raw_envelope_rows = get_raw_envelopes_by_ids(raw_envelope_ids, db_path=db_path)
+        raw_envelope_index = {raw_row["id"]: raw_row for raw_row in raw_envelope_rows}
+        raw_envelopes = [
+            _raw_envelope_from_row(raw_envelope_index[row_id])
+            for row_id in raw_envelope_ids
+            if row_id in raw_envelope_index
+        ]
+
+    return {
+        **summary,
+        "id": row["id"],
+        "candidate_type": candidate.candidate_type,
+        "confidence": candidate.confidence,
+        "source_signature_ids": candidate.source_signature_ids,
+        "source_event_ids": candidate.source_event_ids,
+        "score_breakdown": candidate.score_breakdown,
+        "raw_envelope_ids": raw_envelope_ids,
+        "raw_envelopes": raw_envelopes,
+    }
+
+
+def _signature_inspection_from_row(row, db_path: str | None) -> Dict[str, Any]:
+    metadata = json.loads(row["metadata_json"] or "{}")
+    if not isinstance(metadata, dict):
+        metadata = {}
+    raw_envelope_ids = extract_source_raw_envelope_ids(row["metadata_json"])
+    occurrence_count = int(row["occurrence_count"]) if row["occurrence_count"] is not None else 0
+    raw_envelope_count = len(raw_envelope_ids)
+
+    return {
+        "signature_key": row["signature_key"],
+        "event_family": row["event_family"],
+        "normalized_pattern": row["normalized_pattern"],
+        "service": row["service"],
+        "occurrence_count": occurrence_count,
+        "raw_envelope_ids": raw_envelope_ids,
+        "raw_envelope_count": raw_envelope_count,
+        "recurrence": {
+            "occurrence_count": occurrence_count,
+            "raw_envelope_count": raw_envelope_count,
+            "signature_id": row["id"],
+        },
+        "metadata": metadata,
+    }
+
+
+def _canonical_event_from_row(row) -> Dict[str, Any]:
+    message_raw = row["message_raw"] or ""
+    return {
+        "raw_envelope_id": row["id"],
+        "tenant_id": row["tenant_id"],
+        "source": row["source_type"],
+        "source_type": row["source_type"],
+        "message_raw": message_raw,
+        "timestamp": row["timestamp"],
+        "host": row["host"] or "",
+        "service": row["service"] or "",
+        "severity": row["severity"] or "info",
+        "message_normalized": normalize_message(message_raw),
+    }
+
+
 def _raw_envelope_from_row(row) -> Dict[str, Any]:
     return {
         "id": row["id"],
@@ -119,31 +284,76 @@ def _raw_envelope_from_row(row) -> Dict[str, Any]:
     }
 
 
+def _replay_attempt_from_item(item: ReplayAttempt) -> Dict[str, Any]:
+    return {
+        "raw_envelope_id": item.raw_envelope_id,
+        "reason": item.reason,
+        "status": item.status,
+    }
+
+
+def _source_capability_matrix() -> Dict[str, Any]:
+    source_types = list_source_driver_types()
+    modes_by_source_type: List[Dict[str, Any]] = []
+    for source_type in source_types:
+        if source_type == "logicmonitor":
+            modes = [
+                {"mode": "logicmonitor_webhook", "endpoint": "/ingest/logicmonitor"},
+            ]
+        else:
+            modes = [
+                {"mode": "single_event_api", "endpoint": "/ingest/event"},
+                {"mode": "batch_api", "endpoint": "/ingest/batch"},
+            ]
+            if source_type == "syslog":
+                modes.append({"mode": "udp_listener", "endpoint": "brainstem.listener"})
+
+        modes_by_source_type.append({"source_type": source_type, "modes": modes})
+
+    return {
+        "source_types": source_types,
+        "ingest_modes_by_source_type": modes_by_source_type,
+    }
+
+
+def _runtime_summary() -> Dict[str, Any]:
+    runtime_config = get_runtime_config()
+    return {
+        "version": __version__,
+        "runtime": {
+            "python_version": ".".join(str(item) for item in sys.version_info[:3]),
+            "api_token_env": runtime_config.api_token_env_var,
+            "config": runtime_config.as_dict(),
+        },
+        "capability_flags": {
+            **CAPABILITIES,
+            "source_capabilities": _source_capability_matrix(),
+        },
+        "auth_state": {
+            "api_token_configured": is_api_token_auth_enabled(),
+            "supports_x_api_token_header": True,
+            "supports_bearer_header": True,
+        },
+        "defaults": dict(RUNTIME_DEFAULTS),
+        "limits": dict(RUNTIME_LIMITS),
+    }
+
+
+def _status_payload() -> Dict[str, Any]:
+    runtime_summary = _runtime_summary()
+    return {
+        "ok": True,
+        "status": "ok",
+        "runtime": runtime_summary,
+        "api_token_enabled": runtime_summary["auth_state"]["api_token_configured"],
+    }
+
+
 def _run_ingest_batch(raw_events: List[RawInputEnvelope], *, threshold: int, db_path: Optional[str]) -> Dict[str, Any]:
-    raw_envelope_ids: List[int] = []
-    if db_path:
-        init_db(db_path)
-        raw_envelope_ids = store_raw_envelopes(raw_events, db_path)
-
-    events = []
-    parse_failed = 0
-    for idx, raw_event in enumerate(raw_events):
-        raw_envelope_id = raw_envelope_ids[idx] if idx < len(raw_envelope_ids) else None
-        try:
-            canonical_event = canonicalize_raw_input_envelope(raw_event)
-        except Exception as exc:
-            parse_failed += 1
-            if raw_envelope_id is not None:
-                set_raw_envelope_status(
-                    raw_envelope_id,
-                    "parse_failed",
-                    db_path=db_path,
-                    failure_reason=str(exc),
-                )
-            continue
-        events.append(canonical_event)
-        if raw_envelope_id is not None:
-            set_raw_envelope_status(raw_envelope_id, "canonicalized", db_path=db_path)
+    result = run_ingest_pipeline(raw_events, threshold=threshold, db_path=db_path)
+    events = result.events
+    parse_failed = result.parse_failed
+    item_results = [asdict(item) for item in result.item_results]
 
     if not events:
         return {
@@ -151,16 +361,14 @@ def _run_ingest_batch(raw_events: List[RawInputEnvelope], *, threshold: int, db_
             "event_count": 0,
             "signature_count": 0,
             "candidate_count": 0,
+            "item_count": len(raw_events),
+            "item_results": item_results,
             "parse_failed": parse_failed,
             "interesting_items": [],
         }
 
-    signatures = signatures_for_events(events)
-    candidates = build_recurrence_candidates(events, signatures, threshold=threshold)
-    if db_path:
-        store_events(events, db_path)
-        store_signatures(signatures, db_path)
-        store_candidates(candidates, db_path)
+    signatures = result.signatures
+    candidates = result.candidates
 
     return {
         "ok": True,
@@ -168,27 +376,101 @@ def _run_ingest_batch(raw_events: List[RawInputEnvelope], *, threshold: int, db_
         "event_count": len(events),
         "signature_count": len({sig.signature_key for sig in signatures}),
         "candidate_count": len(candidates),
+        "item_count": len(raw_events),
+        "item_results": item_results,
+        "parse_failed": parse_failed,
+        "interesting_items": interesting_items(candidates, limit=max(1, 5)),
+    }
+
+
+@app.post("/ingest/logicmonitor", dependencies=[Depends(_require_api_token)])
+def ingest_logicmonitor(payload: IngestLogicMonitorRequest) -> Dict[str, Any]:
+    result = run_ingest_logicmonitor_events(
+        payload.events,
+        tenant_id=payload.tenant_id,
+        source_path=payload.source_path,
+        threshold=payload.threshold,
+        db_path=payload.db_path,
+    )
+    events = result.events
+    parse_failed = result.parse_failed
+    item_results = [asdict(item) for item in result.item_results]
+
+    if not events:
+        return {
+            "ok": True,
+            "event_count": 0,
+            "signature_count": 0,
+            "candidate_count": 0,
+            "item_count": len(result.raw_envelopes),
+            "item_results": item_results,
+            "parse_failed": parse_failed,
+            "interesting_items": [],
+        }
+
+    signatures = result.signatures
+    candidates = result.candidates
+    return {
+        "ok": True,
+        "tenant_id": events[0].tenant_id if events else payload.tenant_id,
+        "event_count": len(events),
+        "signature_count": len({sig.signature_key for sig in signatures}),
+        "candidate_count": len(candidates),
+        "item_count": len(result.raw_envelopes),
+        "item_results": item_results,
         "parse_failed": parse_failed,
         "interesting_items": interesting_items(candidates, limit=max(1, 5)),
     }
 
 
-@app.post("/ingest/event")
-def ingest_event(payload: IngestEventRequest, threshold: int = 2, db_path: Optional[str] = None) -> Dict[str, Any]:
+@app.post("/replay/raw", dependencies=[Depends(_require_api_token)])
+def replay_raw(payload: ReplayRawRequest) -> Dict[str, Any]:
+    if not payload.raw_envelope_ids:
+        raise HTTPException(status_code=422, detail="raw_envelope_ids is required")
+    if payload.allowed_statuses:
+        invalid = [status for status in payload.allowed_statuses if status not in RAW_ENVELOPE_STATUSES]
+        if invalid:
+            raise HTTPException(
+                status_code=422,
+                detail=f"invalid status in allowed_statuses: {invalid}; expected one of: {', '.join(RAW_ENVELOPE_STATUSES)}",
+            )
+
+    result = replay_raw_envelopes_by_ids(
+        payload.raw_envelope_ids,
+        db_path=payload.db_path,
+        threshold=payload.threshold,
+        force=payload.force,
+        allowed_statuses=payload.allowed_statuses,
+    )
+    return {
+        "ok": True,
+        "db_path": payload.db_path,
+        "requested_raw_envelope_ids": result.requested_raw_envelope_ids,
+        "attempted_raw_envelope_ids": result.attempted_raw_envelope_ids,
+        "skipped": [_replay_attempt_from_item(item) for item in result.skipped],
+        "event_count": len(result.events),
+        "signature_count": len(result.signatures),
+        "candidate_count": len(result.candidates),
+        "parse_failed": result.parse_failed,
+    }
+
+
+@app.post("/ingest/event", dependencies=[Depends(_require_api_token)])
+def ingest_event(payload: IngestEventRequest, threshold: int = DEFAULT_INGEST_THRESHOLD, db_path: Optional[str] = None) -> Dict[str, Any]:
     if threshold < 1:
         raise HTTPException(status_code=422, detail="threshold must be >= 1")
     return _run_ingest_batch([_raw_envelope_from_request(payload)], threshold=threshold, db_path=db_path)
 
 
-@app.post("/ingest/batch")
+@app.post("/ingest/batch", dependencies=[Depends(_require_api_token)])
 def ingest_batch(payload: IngestBatchRequest) -> Dict[str, Any]:
     raw_events = [_raw_envelope_from_request(event) for event in payload.events]
     return _run_ingest_batch(raw_events, threshold=payload.threshold, db_path=payload.db_path)
 
 
-@app.get("/interesting")
+@app.get("/interesting", dependencies=[Depends(_require_api_token)])
 def get_interesting(
-    limit: int = Query(default=5, ge=1),
+    limit: int = Query(default=DEFAULT_INTERESTING_LIMIT, ge=1),
     db_path: Optional[str] = None,
 ) -> Dict[str, Any]:
     if not db_path:
@@ -198,14 +480,58 @@ def get_interesting(
     return {"ok": True, "items": interesting_items(candidates, limit=limit)}
 
 
-@app.get("/stats")
+@app.get("/candidates", dependencies=[Depends(_require_api_token)])
+def get_candidates(
+    limit: int = Query(default=DEFAULT_INTERESTING_LIMIT, ge=1),
+    db_path: Optional[str] = None,
+    candidate_type: Optional[str] = None,
+    decision_band: Optional[str] = None,
+    min_score_total: Optional[float] = Query(default=None, ge=0),
+) -> Dict[str, Any]:
+    if not db_path:
+        return {"ok": True, "count": 0, "items": []}
+
+    rows = list_candidates(
+        db_path=db_path,
+        limit=limit,
+        candidate_type=candidate_type,
+        decision_band=decision_band,
+        min_score_total=min_score_total,
+    )
+    items = [_candidate_inspection_from_row(row, db_path=db_path) for row in rows]
+    return {"ok": True, "count": len(items), "items": items}
+
+
+@app.get("/signatures", dependencies=[Depends(_require_api_token)])
+def get_signatures(
+    limit: int = Query(default=DEFAULT_INTERESTING_LIMIT, ge=1),
+    db_path: Optional[str] = None,
+    event_family: Optional[str] = None,
+    service: Optional[str] = None,
+    min_occurrence_count: Optional[int] = Query(default=None, ge=1),
+) -> Dict[str, Any]:
+    if not db_path:
+        return {"ok": True, "count": 0, "items": []}
+
+    rows = list_signatures(
+        db_path=db_path,
+        limit=limit,
+        event_family=event_family,
+        service=service,
+        min_occurrence_count=min_occurrence_count,
+    )
+    items = [_signature_inspection_from_row(row, db_path=db_path) for row in rows]
+    return {"ok": True, "count": len(items), "items": items}
+
+
+@app.get("/stats", dependencies=[Depends(_require_api_token)])
 def get_stats(db_path: Optional[str] = None) -> Dict[str, Any]:
     return {"ok": True, **get_ingest_stats(db_path)}
 
 
-@app.get("/failures")
+@app.get("/failures", dependencies=[Depends(_require_api_token)])
 def get_failures(
-    limit: int = Query(default=20, ge=1),
+    limit: int = Query(default=DEFAULT_FAILURE_LIMIT, ge=1),
     status: Optional[str] = None,
     db_path: Optional[str] = None,
 ) -> Dict[str, Any]:
@@ -220,9 +546,38 @@ def get_failures(
     return {"ok": True, "items": items, "count": len(items), "status": status}
 
 
-@app.get("/ingest/recent")
+@app.get("/raw_envelopes", dependencies=[Depends(_require_api_token)])
+def get_raw_envelopes(
+    limit: int = Query(default=DEFAULT_INGEST_RECENT_LIMIT, ge=1),
+    status: Optional[str] = None,
+    tenant_id: Optional[str] = None,
+    source_type: Optional[str] = None,
+    source_id: Optional[str] = None,
+    source_path: Optional[str] = None,
+    db_path: Optional[str] = None,
+) -> Dict[str, Any]:
+    if status is not None and status not in RAW_ENVELOPE_STATUSES:
+        raise HTTPException(
+            status_code=422,
+            detail=f"invalid status '{status}'; expected one of: {', '.join(RAW_ENVELOPE_STATUSES)}",
+        )
+    rows = list_recent_raw_envelopes(
+        db_path=db_path,
+        status=status,
+        limit=limit,
+        tenant_id=tenant_id,
+        source_type=source_type,
+        source_id=source_id,
+        source_path=source_path,
+        failures_only=False,
+    )
+    items = [_raw_envelope_from_row(row) for row in rows]
+    return {"ok": True, "items": items, "count": len(items)}
+
+
+@app.get("/ingest/recent", dependencies=[Depends(_require_api_token)])
 def get_ingest_recent(
-    limit: int = Query(default=20, ge=1),
+    limit: int = Query(default=DEFAULT_INGEST_RECENT_LIMIT, ge=1),
     status: Optional[str] = None,
     db_path: Optional[str] = None,
 ) -> Dict[str, Any]:
@@ -236,15 +591,61 @@ def get_ingest_recent(
     return {"ok": True, "items": items, "count": len(items), "status": status}
 
 
-@app.get("/sources")
+@app.get("/canonical_events", dependencies=[Depends(_require_api_token)])
+def get_canonical_events(
+    limit: int = Query(default=DEFAULT_INGEST_RECENT_LIMIT, ge=1),
+    tenant_id: Optional[str] = None,
+    source: Optional[str] = None,
+    host: Optional[str] = None,
+    service: Optional[str] = None,
+    severity: Optional[str] = None,
+    db_path: Optional[str] = None,
+) -> Dict[str, Any]:
+    if not db_path:
+        return {"ok": True, "items": [], "count": 0}
+
+    rows = list_canonical_events(
+        db_path=db_path,
+        limit=limit,
+        tenant_id=tenant_id,
+        source_type=source,
+        host=host,
+        service=service,
+        severity=severity,
+    )
+    items = [_canonical_event_from_row(row) for row in rows]
+    return {"ok": True, "items": items, "count": len(items)}
+
+
+@app.get("/sources", dependencies=[Depends(_require_api_token)])
 def get_sources(
-    limit: int = Query(default=10, ge=1),
+    limit: int = Query(default=DEFAULT_SOURCES_LIMIT, ge=1),
     db_path: Optional[str] = None,
 ) -> Dict[str, Any]:
     return {"ok": True, "items": get_source_dimension_summaries(db_path=db_path, limit=limit)}
 
 
-@app.get("/failures/{raw_envelope_id}")
+@app.get("/sources/status", dependencies=[Depends(_require_api_token)])
+def get_sources_status(
+    limit: int = Query(default=DEFAULT_SOURCES_STATUS_LIMIT, ge=1),
+    tenant_id: Optional[str] = None,
+    source_type: Optional[str] = None,
+    source_id: Optional[str] = None,
+    source_path: Optional[str] = None,
+    db_path: Optional[str] = None,
+) -> Dict[str, Any]:
+    items = get_source_status_summaries(
+        db_path=db_path,
+        limit=limit,
+        tenant_id=tenant_id,
+        source_type=source_type,
+        source_id=source_id,
+        source_path=source_path,
+    )
+    return {"ok": True, "items": items, "count": len(items)}
+
+
+@app.get("/failures/{raw_envelope_id}", dependencies=[Depends(_require_api_token)])
 def get_failure(raw_envelope_id: int, db_path: Optional[str] = None) -> Dict[str, Any]:
     row = get_raw_envelope_by_id(raw_envelope_id, db_path=db_path)
     if row is None:
@@ -253,5 +654,15 @@ def get_failure(raw_envelope_id: int, db_path: Optional[str] = None) -> Dict[str
 
 
 @app.get("/healthz")
-def healthz() -> Dict[str, str]:
-    return JSONResponse(content={"ok": True, "status": "ok"})
+def healthz() -> Dict[str, Any]:
+    return _status_payload()
+
+
+@app.get("/runtime")
+def runtime() -> Dict[str, Any]:
+    return {"ok": True, "runtime": _runtime_summary()}
+
+
+@app.get("/status")
+def status() -> Dict[str, Any]:
+    return _status_payload()