mcp-coordinator 0.3.0 → 0.4.0

package/dist/cli/server/backup.d.ts

@@ -0,0 +1,7 @@
+import { Command } from "commander";
+/**
+ * Check whether the coordinator daemon appears to be running.
+ * Returns the pid if alive, or null otherwise.
+ */
+export declare function getRunningCoordinatorPid(configDir: string): number | null;
+export declare function createServerBackupCommand(): Command;

package/dist/cli/server/backup.js

@@ -0,0 +1,162 @@
+import { Command } from "commander";
+import { existsSync, readFileSync, statSync } from "fs";
+import { join, resolve, basename } from "path";
+import { create as tarCreate } from "tar";
+import { getConfigDir, loadConfig } from "../config.js";
+/**
+ * Format a timestamp suitable for filenames: YYYY-MM-DD-HHMMSS (UTC).
+ */
+function timestampSlug(date = new Date()) {
+    const pad = (n) => String(n).padStart(2, "0");
+    return (`${date.getUTCFullYear()}-${pad(date.getUTCMonth() + 1)}-${pad(date.getUTCDate())}` +
+        `-${pad(date.getUTCHours())}${pad(date.getUTCMinutes())}${pad(date.getUTCSeconds())}`);
+}
+/**
+ * Returns true if a process with the given pid is currently alive.
+ * On both POSIX and Windows, sending signal 0 acts as a liveness probe
+ * (it raises ESRCH if the process is dead, EPERM if alive but not ours).
+ */
+function isProcessAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch (err) {
+        // EPERM means the process exists but we lack permission — still "alive".
+        if (err.code === "EPERM")
+            return true;
+        return false;
+    }
+}
+/**
+ * Check whether the coordinator daemon appears to be running.
+ * Returns the pid if alive, or null otherwise.
+ */
+export function getRunningCoordinatorPid(configDir) {
+    const pidPath = join(configDir, "server.pid");
+    if (!existsSync(pidPath))
+        return null;
+    const raw = readFileSync(pidPath, "utf-8").trim();
+    const pid = parseInt(raw, 10);
+    if (Number.isNaN(pid))
+        return null;
+    return isProcessAlive(pid) ? pid : null;
+}
+/**
+ * Recursively walk a directory and yield relative file paths.
+ * Used purely for reporting (file count) — tar handles the actual packing.
+ */
+async function countFiles(root) {
+    const { readdir, stat } = await import("fs/promises");
+    let count = 0;
+    const walk = async (dir) => {
+        const entries = await readdir(dir, { withFileTypes: true });
+        for (const entry of entries) {
+            const full = join(dir, entry.name);
+            if (entry.isDirectory()) {
+                await walk(full);
+            }
+            else if (entry.isFile()) {
+                count += 1;
+            }
+        }
+    };
+    if (existsSync(root))
+        await walk(root);
+    return count;
+}
+/**
+ * Build the list of entries (relative to configDir) we want to include in the
+ * tarball. We deliberately keep the layout flat — the same paths used at
+ * runtime — so a `tar -xzf` into `~/.mcp-coordinator/` is a valid restore.
+ *
+ * NOTE on live backups: this command refuses to run while the coordinator is
+ * up because better-sqlite3's WAL journal may have uncommitted writes that
+ * file-copy will miss. For online backups, switch to SQLite's Online Backup
+ * API (`db.backup(path)` from better-sqlite3) and snapshot config.json
+ * separately — see docs/superpowers/working/v04/backup-integration.md.
+ */
+function buildEntries(configDir, dataDirAbsolute) {
+    const entries = [];
+    if (existsSync(join(configDir, "config.json")))
+        entries.push("config.json");
+    // The data dir might live outside ~/.mcp-coordinator (custom --data-dir).
+    // tar's `cwd` option can only point at one directory, so when the data dir
+    // is non-default we pack it under its absolute path inside the archive
+    // (preserving structure for round-trip restore via --data-dir).
+    const defaultDataDir = join(configDir, "data");
+    if (resolve(dataDirAbsolute) === resolve(defaultDataDir) && existsSync(defaultDataDir)) {
+        entries.push("data");
+    }
+    return entries;
+}
+export function createServerBackupCommand() {
+    return new Command("backup")
+        .description("Snapshot the coordinator config + SQLite database to a tar.gz archive")
+        .option("--output <path>", "Output tarball path (default ./mcp-coordinator-backup-<ts>.tar.gz)")
+        .option("--data-dir <path>", "Data directory to back up (overrides config.server.data_dir)")
+        .option("--force", "Skip the running-coordinator safety check")
+        .action(async (opts) => {
+        const configDir = getConfigDir();
+        const config = loadConfig(configDir);
+        const dataDir = resolve(opts.dataDir ?? process.env.COORDINATOR_DATA_DIR ?? config.server.data_dir);
+        // Safety: refuse when the daemon is up. WAL writes might be in flight.
+        const runningPid = getRunningCoordinatorPid(configDir);
+        if (runningPid !== null && !opts.force) {
+            console.error(`Coordinator is running (PID ${runningPid}).`);
+            console.error("Refusing to back up: live SQLite WAL writes may be in flight.");
+            console.error("Either stop it first ('mcp-coordinator server stop') or pass --force.");
+            process.exit(1);
+        }
+        if (!existsSync(configDir)) {
+            console.error(`No coordinator config directory at ${configDir} — nothing to back up.`);
+            process.exit(1);
+        }
+        const ts = timestampSlug();
+        const outputPath = resolve(opts.output ?? join(process.cwd(), `mcp-coordinator-backup-${ts}.tar.gz`));
+        const defaultDataDir = join(configDir, "data");
+        const dataIsCustom = resolve(dataDir) !== resolve(defaultDataDir);
+        // Pack ~/.mcp-coordinator entries from configDir as cwd.
+        const entries = buildEntries(configDir, dataDir);
+        // For custom data dirs, pack them under their absolute path so restore
+        // can reproduce the original location (or be redirected with --data-dir).
+        const customDataEntries = [];
+        if (dataIsCustom && existsSync(dataDir)) {
+            customDataEntries.push({ cwd: resolve(dataDir, ".."), entry: basename(dataDir) });
+        }
+        if (entries.length === 0 && customDataEntries.length === 0) {
+            console.error("Nothing to back up: no config.json and no data directory found.");
+            process.exit(1);
+        }
+        // First archive pass: config + default data (if any).
+        if (entries.length > 0) {
+            await tarCreate({ gzip: true, file: outputPath, cwd: configDir, portable: true }, entries);
+        }
+        // Second pass for a custom data dir — append into the same archive.
+        // tar's gzip mode doesn't support append, so we re-create instead by
+        // extracting the previous entries and re-packing. Simpler path: emit
+        // a sibling .data.tar.gz when custom dir is in use, and document it.
+        if (customDataEntries.length > 0) {
+            const dataArchive = outputPath.replace(/\.tar\.gz$/, ".data.tar.gz");
+            for (const { cwd, entry } of customDataEntries) {
+                await tarCreate({ gzip: true, file: dataArchive, cwd, portable: true }, [entry]);
+            }
+            console.log(`Custom data dir packed separately: ${dataArchive}`);
+        }
+        // outputPath only exists if entries.length > 0; report on whichever
+        // archive(s) we actually produced.
+        const reportPath = entries.length > 0
+            ? outputPath
+            : outputPath.replace(/\.tar\.gz$/, ".data.tar.gz");
+        const sizeBytes = existsSync(reportPath) ? statSync(reportPath).size : 0;
+        const sizeMB = (sizeBytes / (1024 * 1024)).toFixed(2);
+        const fileCount = (existsSync(join(configDir, "config.json")) ? 1 : 0) +
+            (await countFiles(dataIsCustom ? dataDir : defaultDataDir));
+        console.log("Backup complete.");
+        console.log(`  Archive:   ${reportPath}`);
+        console.log(`  Size:      ${sizeMB} MB (${sizeBytes} bytes)`);
+        console.log(`  Files:     ${fileCount}`);
+        console.log(`  ConfigDir: ${configDir}`);
+        console.log(`  DataDir:   ${dataDir}${dataIsCustom ? " (custom)" : ""}`);
+    });
+}

package/dist/cli/server/index.js

@@ -3,11 +3,16 @@ import { createServerStartCommand } from "./start.js";
 import { createServerStopCommand } from "./stop.js";
 import { createServerStatusCommand } from "./status.js";
 import { createServerLogsCommand } from "./logs.js";
+import { createServerBackupCommand } from "./backup.js";
+import { createServerRestoreCommand } from "./restore.js";
 export function createServerProgram() {
     const server = new Command("server").description("Manage the coordination server");
     server.addCommand(createServerStartCommand());
     server.addCommand(createServerStopCommand());
     server.addCommand(createServerStatusCommand());
     server.addCommand(createServerLogsCommand());
+    // v0.4 Operability
+    server.addCommand(createServerBackupCommand());
+    server.addCommand(createServerRestoreCommand());
     return server;
 }

package/dist/cli/server/restore.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function createServerRestoreCommand(): Command;

package/dist/cli/server/restore.js

@@ -0,0 +1,117 @@
+import { Command } from "commander";
+import { existsSync, mkdirSync, renameSync, statSync } from "fs";
+import { resolve } from "path";
+import { extract as tarExtract, list as tarList } from "tar";
+import { getConfigDir } from "../config.js";
+import { getRunningCoordinatorPid } from "./backup.js";
+function timestampSlug(date = new Date()) {
+    const pad = (n) => String(n).padStart(2, "0");
+    return (`${date.getUTCFullYear()}-${pad(date.getUTCMonth() + 1)}-${pad(date.getUTCDate())}` +
+        `-${pad(date.getUTCHours())}${pad(date.getUTCMinutes())}${pad(date.getUTCSeconds())}`);
+}
+/**
+ * Inspect the tarball without extracting and return the list of top-level
+ * entries (file or dir names). Used to validate structure before touching
+ * the user's existing config dir.
+ */
+async function listTarballEntries(tarPath) {
+    const entries = [];
+    await tarList({
+        file: tarPath,
+        onReadEntry: (entry) => {
+            // Trailing slash on dirs — strip it, take the first path segment only.
+            const head = entry.path.replace(/\\/g, "/").split("/")[0];
+            if (head && !entries.includes(head))
+                entries.push(head);
+        },
+    });
+    return entries;
+}
+export function createServerRestoreCommand() {
+    return new Command("restore")
+        .description("Restore a coordinator config + database snapshot from a tar.gz archive")
+        .argument("<tarball>", "Path to the backup .tar.gz produced by 'mcp-coordinator server backup'")
+        .option("--force", "Skip the running-coordinator safety check")
+        .option("--no-backup", "Do not snapshot the existing config dir before overwriting")
+        .option("--data-dir <path>", "Override data directory (rarely needed)")
+        .action(async (tarballArg, opts) => {
+        const tarPath = resolve(tarballArg);
+        if (!existsSync(tarPath)) {
+            console.error(`Tarball not found: ${tarPath}`);
+            process.exit(1);
+        }
+        const tarStat = statSync(tarPath);
+        if (!tarStat.isFile()) {
+            console.error(`Not a regular file: ${tarPath}`);
+            process.exit(1);
+        }
+        const configDir = getConfigDir();
+        // Safety: refuse when the daemon is running so we don't clobber an
+        // open SQLite handle (would corrupt the WAL on the daemon side).
+        const runningPid = getRunningCoordinatorPid(configDir);
+        if (runningPid !== null && !opts.force) {
+            console.error(`Coordinator is running (PID ${runningPid}).`);
+            console.error("Refusing to restore: stop the coordinator first or pass --force.");
+            process.exit(1);
+        }
+        // Validate tarball contents BEFORE moving anything aside.
+        let entries;
+        try {
+            entries = await listTarballEntries(tarPath);
+        }
+        catch (err) {
+            console.error(`Failed to read tarball: ${err.message}`);
+            process.exit(1);
+        }
+        const hasConfig = entries.includes("config.json");
+        const hasData = entries.includes("data");
+        if (!hasConfig && !hasData) {
+            console.error("Tarball does not contain expected entries (config.json or data/).");
+            console.error(`Top-level entries found: ${entries.join(", ") || "(none)"}`);
+            process.exit(1);
+        }
+        // Snapshot the existing config dir before overwriting.
+        // commander auto-flips `--no-backup` -> opts.backup = false. The default
+        // value is `true` (the option is registered with .option("--no-backup")
+        // below, which makes commander seed `opts.backup = true`).
+        const shouldSnapshot = opts.backup !== false;
+        let snapshotPath = null;
+        if (shouldSnapshot && existsSync(configDir)) {
+            snapshotPath = `${configDir}.bak-${timestampSlug()}`;
+            renameSync(configDir, snapshotPath);
+            console.log(`Existing config moved aside: ${snapshotPath}`);
+        }
+        // Recreate the target dir and extract.
+        mkdirSync(configDir, { recursive: true });
+        try {
+            await tarExtract({ file: tarPath, cwd: configDir });
+        }
+        catch (err) {
+            console.error(`Extraction failed: ${err.message}`);
+            // Try to roll back the snapshot if we made one.
+            if (snapshotPath !== null && existsSync(snapshotPath)) {
+                // Best-effort: only roll back if extraction created an empty dir.
+                try {
+                    renameSync(configDir, `${configDir}.failed-${timestampSlug()}`);
+                    renameSync(snapshotPath, configDir);
+                    console.error("Rolled back to previous config dir.");
+                }
+                catch {
+                    console.error(`Manual recovery required — snapshot at: ${snapshotPath}`);
+                }
+            }
+            process.exit(1);
+        }
+        console.log("Restore complete.");
+        console.log(`  Source:    ${tarPath}`);
+        console.log(`  ConfigDir: ${configDir}`);
+        console.log(`  Restored:  ${entries.filter((e) => e === "config.json" || e === "data").join(", ")}`);
+        if (snapshotPath !== null) {
+            console.log(`  Previous:  ${snapshotPath}  (delete once verified)`);
+        }
+        if (opts.dataDir !== undefined) {
+            console.log(`  Note:      --data-dir was provided but restore extracts to default location.\n` +
+                `             Update config.json or COORDINATOR_DATA_DIR if you need a non-default path.`);
+        }
+    });
+}

package/dist/src/consultation.d.ts

@@ -74,6 +74,14 @@ export declare class Consultation {
          * parsing the thread list themselves.
          */
         assigned_to_me?: string;
+        /**
+         * P2 perf: bound resolved-thread queries to a recency window. Without
+         * this, the impact scorer would scan all-time resolved threads on every
+         * announce_work call (O(historical-threads) per scoring pass). The window
+         * applies to resolved_at when status='resolved', otherwise to created_at,
+         * so the filter is meaningful for both states.
+         */
+        since_minutes?: number;
     }): Thread[];
     getThreadUpdates(agentId: string, since?: string): ThreadMessage[];
     logActionSummary(params: {

package/dist/src/consultation.js

@@ -320,6 +320,14 @@ export class Consultation {
             sql += " AND (assigned_to IS NULL OR assigned_to = ?)";
             params.push(filters.assigned_to_me);
         }
+        if (typeof filters.since_minutes === "number") {
+            // For resolved threads, gate on resolved_at (the moment that matters
+            // for "recent enough to still influence scoring"). For open/resolving
+            // threads, gate on created_at since they have no resolved_at yet.
+            // COALESCE picks the right column per row.
+            sql += " AND COALESCE(resolved_at, created_at) > datetime('now', '-' || ? || ' minutes')";
+            params.push(filters.since_minutes);
+        }
         sql += " ORDER BY created_at DESC";
         return db.prepare(sql).all(...params);
     }

package/dist/src/db-adapter.d.ts

@@ -1,3 +1,15 @@
+/**
+ * Database adapter surface.
+ *
+ * Design intent: this file is the *contract* both `createBetterSqlite3` and
+ * `createBunSqlite` (in `database.ts`) implement. The interfaces are a strict
+ * subset of better-sqlite3's API that Bun:sqlite also satisfies, so callers
+ * stay portable across both runtimes.
+ *
+ * Helpers (e.g. `withTransaction`) live here so portable code paths can use
+ * one canonical entry point without each call site re-deriving the
+ * `db.transaction(fn)()` two-step pattern.
+ */
 export interface RunResult {
     changes: number;
     lastInsertRowid: number;
@@ -13,3 +25,21 @@ export interface DatabaseAdapter {
     close(): void;
     transaction<T>(fn: () => T): () => T;
 }
+/**
+ * Run `fn` inside a single SQLite transaction and return its result.
+ *
+ * Replaces the verbose two-step pattern:
+ *
+ *     const tx = db.transaction(() => { ...; return value; });
+ *     const value = tx();
+ *
+ * with:
+ *
+ *     const value = withTransaction(db, () => { ...; return value; });
+ *
+ * Errors thrown inside `fn` propagate to the caller and the transaction is
+ * rolled back by the underlying driver (better-sqlite3 / bun:sqlite both do
+ * this). Use this for any read-modify-write block where multiple statements
+ * must be atomic.
+ */
+export declare function withTransaction<T>(db: DatabaseAdapter, fn: () => T): T;

package/dist/src/db-adapter.js

@@ -1 +1,32 @@
-export {};
+/**
+ * Database adapter surface.
+ *
+ * Design intent: this file is the *contract* both `createBetterSqlite3` and
+ * `createBunSqlite` (in `database.ts`) implement. The interfaces are a strict
+ * subset of better-sqlite3's API that Bun:sqlite also satisfies, so callers
+ * stay portable across both runtimes.
+ *
+ * Helpers (e.g. `withTransaction`) live here so portable code paths can use
+ * one canonical entry point without each call site re-deriving the
+ * `db.transaction(fn)()` two-step pattern.
+ */
+/**
+ * Run `fn` inside a single SQLite transaction and return its result.
+ *
+ * Replaces the verbose two-step pattern:
+ *
+ *     const tx = db.transaction(() => { ...; return value; });
+ *     const value = tx();
+ *
+ * with:
+ *
+ *     const value = withTransaction(db, () => { ...; return value; });
+ *
+ * Errors thrown inside `fn` propagate to the caller and the transaction is
+ * rolled back by the underlying driver (better-sqlite3 / bun:sqlite both do
+ * this). Use this for any read-modify-write block where multiple statements
+ * must be atomic.
+ */
+export function withTransaction(db, fn) {
+    return db.transaction(fn)();
+}

package/dist/src/dependency-map.js

@@ -1,4 +1,5 @@
 import { getDb } from "./database.js";
+import { withTransaction } from "./db-adapter.js";
 export class DependencyMapper {
     getMap() {
         const db = getDb();
@@ -20,12 +21,11 @@ export class DependencyMapper {
        VALUES (?, ?, ?, ?)
        ON CONFLICT(module_id) DO UPDATE SET
          depends_on = excluded.depends_on, exports = excluded.exports, owners = excluded.owners`);
-        const tx = db.transaction(() => {
+        withTransaction(db, () => {
             for (const [id, info] of Object.entries(map)) {
                 stmt.run(id, JSON.stringify(info.depends_on), JSON.stringify(info.exports), JSON.stringify(info.owners));
             }
         });
-        tx();
     }
     getModuleInfo(moduleId) {
         const db = getDb();

package/dist/src/file-tracker.d.ts

@@ -17,5 +17,15 @@ export declare class FileTracker {
         conflict: boolean;
         agents: string[];
     };
+    /**
+     * P2 perf: batch lookup of recent file→agents activity. Replaces N
+     * `checkFileConflict` calls (one per file) with a single SQL query, then
+     * builds an in-memory reverse index. The impact scorer uses this so its
+     * per-file inner loop is O(1) Map.get() rather than O(F) SQL round-trips.
+     *
+     * Excludes the calling agent (so the scorer doesn't flag the announcer
+     * against themselves). Returns Map<file_path, Set<agent_id>>.
+     */
+    getFileToAgentsIndex(filePaths: string[], excludeAgentId: string, withinMinutes?: number): Map<string, Set<string>>;
     fileToModule(filePath: string): string;
 }

package/dist/src/file-tracker.js

@@ -31,6 +31,38 @@ export class FileTracker {
        AND created_at > datetime('now', '-' || ? || ' minutes')`).all(filePath, agentId, withinMinutes);
         return { conflict: rows.length > 0, agents: rows.map((r) => r.agent_id) };
     }
+    /**
+     * P2 perf: batch lookup of recent file→agents activity. Replaces N
+     * `checkFileConflict` calls (one per file) with a single SQL query, then
+     * builds an in-memory reverse index. The impact scorer uses this so its
+     * per-file inner loop is O(1) Map.get() rather than O(F) SQL round-trips.
+     *
+     * Excludes the calling agent (so the scorer doesn't flag the announcer
+     * against themselves). Returns Map<file_path, Set<agent_id>>.
+     */
+    getFileToAgentsIndex(filePaths, excludeAgentId, withinMinutes = 30) {
+        const index = new Map();
+        if (filePaths.length === 0)
+            return index;
+        const db = getDb();
+        // Dynamic IN-list — better-sqlite3 binds each ? positionally. Cheap because
+        // the impact scorer only passes target_files + depends_on_files (typically
+        // a handful of files per announce_work call).
+        const placeholders = filePaths.map(() => "?").join(",");
+        const rows = db.prepare(`SELECT DISTINCT file_path, agent_id FROM file_activity
+       WHERE file_path IN (${placeholders})
+       AND agent_id != ?
+       AND created_at > datetime('now', '-' || ? || ' minutes')`).all(...filePaths, excludeAgentId, withinMinutes);
+        for (const r of rows) {
+            let set = index.get(r.file_path);
+            if (!set) {
+                set = new Set();
+                index.set(r.file_path, set);
+            }
+            set.add(r.agent_id);
+        }
+        return index;
+    }
     fileToModule(filePath) {
         // Strip leading / so "/server/src/x.ts" and "server/src/x.ts" produce the
         // same module name. Without this, split("/") on an absolute path yields

package/dist/src/http/handle-health.d.ts

@@ -0,0 +1,23 @@
+import type { IncomingMessage, ServerResponse } from "http";
+import type { CoordinatorServices } from "../server-setup.js";
+/**
+ * Liveness probe — process is alive. Always returns 200 with no dep checks
+ * so orchestrators don't restart the pod over transient downstream failures.
+ */
+export declare function handleLivez(_req: IncomingMessage, res: ServerResponse): void;
+/**
+ * Readiness probe — downstream deps must all be green for the LB to route
+ * traffic here. 503 when any check fails so the pod is drained until ready.
+ *
+ * Each check is wrapped in try/catch so a thrown DB/MQTT error becomes a
+ * structured `{ok:false,error:"…"}` instead of a 500. The response shape is
+ * identical between 200 and 503 so consumers can parse uniformly.
+ */
+export declare function handleReadyz(_req: IncomingMessage, res: ServerResponse, services: Pick<CoordinatorServices, "mqttBridge">): void;
+/**
+ * Backwards-compatible alias. The original /health route returned a fixed
+ * {status:"ok",version} payload with no dep checks; semantically that is a
+ * liveness probe, so we delegate. Anything that polled /health for "is the
+ * process up" continues to work without changes.
+ */
+export declare function handleHealth(req: IncomingMessage, res: ServerResponse): void;

package/dist/src/http/handle-health.js

@@ -0,0 +1,86 @@
+import { getDb } from "../database.js";
+import { json } from "./utils.js";
+import { getVersion } from "../../cli/version.js";
+/**
+ * v0.4 Operability: Kubernetes-style health probes.
+ *
+ * - /livez   → is the process alive? Used by an orchestrator (k8s, systemd,
+ *             docker swarm) to decide whether to restart the pod. MUST NOT
+ *             check downstream deps; an unreachable DB does not mean the
+ *             coordinator process should be killed and restarted.
+ *
+ * - /readyz  → are downstream deps ready? Used by a load balancer / service
+ *             mesh to decide whether to add this pod to rotation. Returns 503
+ *             when the DB or MQTT broker is not reachable so the LB drains
+ *             traffic until the coordinator can actually serve it.
+ *
+ * - /health  → backwards-compat alias for /livez. The original stub returned
+ *             {status:"ok",version} unconditionally; preserving alive-only
+ *             semantics keeps existing dashboards and uptime probes green
+ *             without forcing them to migrate.
+ */
+const STARTED_AT_MS = Date.now();
+const VERSION = getVersion();
+function uptimeSeconds() {
+    return Math.floor((Date.now() - STARTED_AT_MS) / 1000);
+}
+/**
+ * Liveness probe — process is alive. Always returns 200 with no dep checks
+ * so orchestrators don't restart the pod over transient downstream failures.
+ */
+export function handleLivez(_req, res) {
+    json(res, {
+        status: "alive",
+        uptime_seconds: uptimeSeconds(),
+        version: VERSION,
+    });
+}
+/**
+ * Readiness probe — downstream deps must all be green for the LB to route
+ * traffic here. 503 when any check fails so the pod is drained until ready.
+ *
+ * Each check is wrapped in try/catch so a thrown DB/MQTT error becomes a
+ * structured `{ok:false,error:"…"}` instead of a 500. The response shape is
+ * identical between 200 and 503 so consumers can parse uniformly.
+ */
+export function handleReadyz(_req, res, services) {
+    const checks = {
+        db: { ok: false },
+        mqtt: { ok: false },
+    };
+    try {
+        // Cheapest possible round-trip that exercises the connection without
+        // touching application tables. Throws if the handle is closed or the
+        // file is locked beyond busy_timeout.
+        getDb().prepare("SELECT 1").get();
+        checks.db.ok = true;
+    }
+    catch (err) {
+        checks.db.error = err.message;
+    }
+    try {
+        if (services.mqttBridge.isConnected()) {
+            checks.mqtt.ok = true;
+        }
+        else {
+            checks.mqtt.error = "not connected";
+        }
+    }
+    catch (err) {
+        checks.mqtt.error = err.message;
+    }
+    const allOk = checks.db.ok && checks.mqtt.ok;
+    json(res, {
+        status: allOk ? "ready" : "not_ready",
+        checks,
+    }, allOk ? 200 : 503);
+}
+/**
+ * Backwards-compatible alias. The original /health route returned a fixed
+ * {status:"ok",version} payload with no dep checks; semantically that is a
+ * liveness probe, so we delegate. Anything that polled /health for "is the
+ * process up" continues to work without changes.
+ */
+export function handleHealth(req, res) {
+    return handleLivez(req, res);
+}