feat(http): unauthenticated /api/health and /api/metrics on http service

[devin-ai-integration]

Summary

Adds two unauthenticated HTTP endpoints served directly by HttpService so they are always available when http is enabled, regardless of which other services are registered. Tightens the Docker healthcheck to actually fail on non-2xx responses.

Why: the previous /api/parser-health is served by api and requires an API key. As Devin Review pointed out on #16, the Docker healthcheck using that endpoint was effectively just a liveness probe — 401/404 both matched ^[234], so healthcheck passed even when the API wasn't routed at all. This PR fixes it.

What's new:

• src/http.ts:
  • HttpService constructor now accepts app: App (already passed by registerService, previously ignored).
  • Registers two routes before body parsing / auth / error handler:
    • GET /api/health → JSON { ok, uptime, services, parserOk }. Always 200 while the process is alive. services reports the enabled list; parserOk is raspCache.successUpdate.
    • GET /api/metrics → Prometheus text/plain; version=0.0.4 with:
      • bot_up / bot_uptime_seconds
      • bot_services_enabled / bot_service_enabled{service="..."} (per-service gauge)
      • bot_parser_ok / bot_parser_last_update_timestamp_seconds / bot_parser_staleness_seconds
      • bot_process_memory_bytes{area="rss|heap_total|heap_used|external"}
• Dockerfile + docker-compose.yml: healthcheck now hits /api/health with strict grep -qE '^2' — any non-2xx fails the check.
• AGENTS.md: documents both endpoints and the Prometheus metric names.

Verification:

• pnpm run test:all — 30 files / 204 tests passed (unchanged surface area, http endpoint is covered by live Docker smoke).
• pnpm run ts-check / pnpm run lint / pnpm run format:check — clean.
• pnpm audit --audit-level=low — no known vulnerabilities.
• docker compose build && docker compose up -d with the default config.example.ts (services = ['http', 'parser', 'timetable']):
  • Container transitions to healthy (~45s).
  • curl http://127.0.0.1:8081/api/health → {"ok":true,"uptime":54,"services":["http","parser","timetable"],"parserOk":true}.
  • curl http://127.0.0.1:8081/api/metrics → full Prometheus text with bot_parser_ok 1, bot_parser_staleness_seconds 13, etc.

Stacked on PR #17 (service dependency graph).

Review & Testing Checklist for Human

• docker compose up -d from a clean checkout — container should transition to healthy within ~60s and curl /api/health should return JSON with "parserOk":true once the first parser run completes.
• Confirm /api/health works even if the api service is NOT in config.services — it's registered on http, not via the API method loader.
• Point a Prometheus scraper at /api/metrics and verify the gauges appear with expected labels (service, area).
• Verify the new healthcheck fails when the process is crashed/killed (docker stop mgke-timetable-bot should flip unhealthy on the next poll).

Notes

• Follow-up PR K (rate limiting) will cover express-rate-limit on api routes. /api/health stays unthrottled on purpose — it's meant for container orchestrators.
• Follow-up PR L (graceful shutdown) will extend HttpService with a stop() method so SIGTERM drains connections cleanly.

Link to Devin session: https://app.devin.ai/sessions/7732f5fd16e9448295cbabeb8b5f471a
Requested by: @BlindMaster24

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.