docs(api): add health endpoints documentation and update test registry [skip ci] (#5)

- Create docs/api/endpoints/health.md with full schema docs for /healthz,
  /readyz, and /version including Kubernetes probe YAML examples
- Update docs/api/overview.md to add "Operational Endpoints" section at
  root level and mark legacy /utils/health-check/ as superseded
- Update docs/testing/test-registry.md: add 17 health integration tests,
  coverage 188 → 205 total

Related to AYG-68

🤖 Generated by Aygentic

Co-authored-by: Aygentic <noreply@aygentic.com>

Author: amostt

docs/api/endpoints/health.md

@@ -0,0 +1,247 @@
+---
+title: "Operational Endpoints API"
+doc-type: reference
+status: current
+version: "1.0.0"
+base-url: "/"
+last-updated: 2026-02-28
+updated-by: "api-docs-writer (AYG-68)"
+related-code:
+  - backend/app/api/routes/health.py
+  - backend/app/main.py
+  - backend/app/core/config.py
+related-docs:
+  - docs/api/overview.md
+  - docs/architecture/overview.md
+tags: [api, rest, health, operations, liveness, readiness, version]
+---
+
+# Operational Endpoints API
+
+## Overview
+
+The operational endpoints provide container-orchestrator-compatible probes and
+build metadata for this service. They are mounted at the **application root**
+(not under `/api/v1`) so that Kubernetes, AWS ECS, and similar platforms can
+reach them without API-version routing logic.
+
+**Base URL:** `/` (root — no `/api/v1` prefix)
+**Authentication:** None — all three endpoints are fully public
+
+> These endpoints do **not** appear in the `/api/v1/openapi.json` spec and are
+> not shown in the Swagger UI at `/docs`. They are intentionally excluded to
+> keep the versioned API spec clean.
+
+## Quick Start
+
+```bash
+# Liveness probe
+curl http://localhost:8000/healthz
+
+# Readiness probe
+curl http://localhost:8000/readyz
+
+# Build metadata
+curl http://localhost:8000/version
+```
+
+---
+
+## Endpoints
+
+### GET /healthz
+
+Liveness probe. Returns `200 OK` immediately with no dependency checks. Use
+this endpoint to tell the orchestrator that the process is alive and the event
+loop is running. It never contacts Supabase or any other external service.
+
+**Authentication:** None
+**Authorization:** Public
+
+**Parameters:** None
+
+**Response (200):**
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `status` | string | Always `"ok"` |
+
+**Example Request:**
+
+```bash
+curl -X GET "http://localhost:8000/healthz"
+```
+
+**Example Response:**
+
+```json
+{"status": "ok"}
+```
+
+**Error Responses:**
+
+This endpoint has no application-level error responses. A non-`200` reply
+indicates a process crash or network-level failure, not an API error.
+
+---
+
+### GET /readyz
+
+Readiness probe. Verifies that the service can accept traffic by checking
+connectivity to Supabase. Returns `200` when all checks pass; returns `503`
+when any dependency is unreachable.
+
+Container orchestrators use the `200`/`503` distinction to gate traffic:
+a pod that is alive (`/healthz` = 200) but not ready (`/readyz` = 503) is
+kept out of the load-balancer rotation until dependencies recover.
+
+**Authentication:** None
+**Authorization:** Public
+
+**Parameters:** None
+
+**Supabase check logic:**
+
+The check issues a lightweight `HEAD` request against a probe table via the
+Supabase PostgREST client. It considers the server **reachable** even if the
+table does not exist (PostgREST returns an HTTP-level `APIError` in that case,
+which still proves connectivity). Only a connection-level failure — or a
+missing Supabase client on `app.state` — is treated as `"error"`.
+
+**Response (200 — ready):**
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `status` | string | `"ready"` |
+| `checks` | object | Per-dependency check results |
+| `checks.supabase` | string | `"ok"` when Supabase is reachable |
+
+**Example Request:**
+
+```bash
+curl -X GET "http://localhost:8000/readyz"
+```
+
+**Example Response (200 — ready):**
+
+```json
+{
+  "status": "ready",
+  "checks": {
+    "supabase": "ok"
+  }
+}
+```
+
+**Example Response (503 — not ready):**
+
+```json
+{
+  "status": "not_ready",
+  "checks": {
+    "supabase": "error"
+  }
+}
+```
+
+**Error Responses:**
+
+| Status | When |
+|--------|------|
+| `200 OK` | Supabase is reachable (or PostgREST returned a table-level error, which still proves connectivity) |
+| `503 Service Unavailable` | Supabase connection failed, timed out, or `app.state.supabase` is not initialised |
+
+> **Note:** Unlike most API errors, the `503` response from `/readyz` does NOT
+> use the [standard error shape](../overview.md#standard-error-responses). It
+> returns the plain `{"status": "not_ready", "checks": {...}}` body shown above,
+> because this endpoint is designed for machine consumption by orchestrators, not
+> API clients.
+
+---
+
+### GET /version
+
+Returns build metadata injected at container image build time via environment
+variables. API gateways use this endpoint for service registration and
+canary-deployment tracking.
+
+**Authentication:** None
+**Authorization:** Public
+
+**Parameters:** None
+
+**Response (200):**
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `service_name` | string | Service identifier (from `SERVICE_NAME` env var; default `"my-service"`) |
+| `version` | string | Semantic version string (from `SERVICE_VERSION` env var; default `"0.1.0"`) |
+| `commit` | string | Git commit SHA of the deployed image (from `GIT_COMMIT` env var; default `"unknown"`) |
+| `build_time` | string | ISO 8601 timestamp of the image build (from `BUILD_TIME` env var; default `"unknown"`) |
+| `environment` | string | Active deployment environment (from `ENVIRONMENT` env var; e.g. `"local"`, `"staging"`, `"production"`) |
+
+**Example Request:**
+
+```bash
+curl -X GET "http://localhost:8000/version"
+```
+
+**Example Response:**
+
+```json
+{
+  "service_name": "my-service",
+  "version": "1.2.0",
+  "commit": "a3f1c2d",
+  "build_time": "2026-02-28T08:00:00Z",
+  "environment": "production"
+}
+```
+
+**Example Response (unset build vars — local development):**
+
+```json
+{
+  "service_name": "my-service",
+  "version": "0.1.0",
+  "commit": "unknown",
+  "build_time": "unknown",
+  "environment": "local"
+}
+```
+
+**Error Responses:**
+
+This endpoint has no application-level error responses. It reads from
+in-process settings and cannot fail at the application layer.
+
+---
+
+## Kubernetes Probe Configuration
+
+Typical Kubernetes deployment snippet using these endpoints:
+
+```yaml
+livenessProbe:
+  httpGet:
+    path: /healthz
+    port: 8000
+  initialDelaySeconds: 5
+  periodSeconds: 10
+
+readinessProbe:
+  httpGet:
+    path: /readyz
+    port: 8000
+  initialDelaySeconds: 10
+  periodSeconds: 15
+  failureThreshold: 3
+```
+
+---
+
+## Changelog
+
+| Version | Date | Change |
+|---------|------|--------|
+| 1.0.0 | 2026-02-28 | AYG-68: Initial release — `/healthz`, `/readyz`, `/version` |

docs/api/overview.md

@@ -2,10 +2,10 @@
 title: "API Overview"
 doc-type: reference
 status: draft
-version: "1.1.0"
+version: "1.2.0"
 base-url: "/api/v1"
-last-updated: 2026-02-27
-updated-by: "api-docs-writer (AYG-65)"
+last-updated: 2026-02-28
+updated-by: "api-docs-writer (AYG-68)"
 related-code:
   - backend/app/main.py
   - backend/app/api/main.py
@@ -14,6 +14,7 @@ related-code:
   - backend/app/api/routes/users.py
   - backend/app/api/routes/items.py
   - backend/app/api/routes/utils.py
+  - backend/app/api/routes/health.py
   - backend/app/api/routes/private.py
   - backend/app/models.py
   - backend/app/core/config.py
@@ -77,7 +78,19 @@ Token expiry is controlled by Clerk session settings. Clients should treat token
 
 ## Endpoint Summary
 
-Endpoints are grouped by resource. All paths are relative to the base URL `/api/v1`.
+Endpoints are grouped by resource. **Operational endpoints** (`/healthz`, `/readyz`, `/version`) are mounted at the **root level** — they are not under `/api/v1`. All other paths are relative to the base URL `/api/v1`.
+
+### Operational Endpoints (Root Level)
+
+These endpoints are public (no authentication required) and mounted directly on the application root for compatibility with container orchestrators and API gateways. They do not appear in the `/api/v1/openapi.json` spec.
+
+| Method | Path | Description | Auth Required |
+|--------|------|-------------|:-------------:|
+| `GET` | `/healthz` | Liveness probe — returns `{"status": "ok"}` immediately | No |
+| `GET` | `/readyz` | Readiness probe — checks Supabase connectivity | No |
+| `GET` | `/version` | Build metadata for API gateway service discovery | No |
+
+> **Note:** `/readyz` returns `200` when all checks pass and `503` when any dependency is unreachable. Container orchestrators (Kubernetes, ECS) use these distinct status codes to gate traffic routing. `/healthz` always returns `200` regardless of dependency state.
 
 ### Auth / Login
 
@@ -124,7 +137,7 @@ Non-superusers can only access items they own. Accessing another user's item ret
 
 | Method | Path | Description | Auth Required | Superuser |
 |--------|------|-------------|:-------------:|:---------:|
-| `GET` | `/utils/health-check/` | Liveness probe — returns `true` | No | No |
+| `GET` | `/utils/health-check/` | Legacy liveness probe — returns `true` (superseded by `/healthz`) | No | No |
 | `POST` | `/utils/test-email/` | Send a test email to a given address | Yes | Yes |
 
 ### Private (local environment only)
@@ -371,6 +384,7 @@ CORS allowed origins are controlled by two configuration values:
 
 ## Endpoint Reference
 
+- [Operational Endpoints — Health, Readiness, Version](endpoints/health.md)
 - [Login & Authentication](endpoints/login.md)
 - [Users](endpoints/users.md)
 - [Items](endpoints/items.md)
@@ -380,5 +394,6 @@ CORS allowed origins are controlled by two configuration values:
 
 | Version | Date | Change |
 |---------|------|--------|
+| 1.2.0 | 2026-02-28 | AYG-68: Operational endpoints (`/healthz`, `/readyz`, `/version`) added at root level; Utils `/health-check/` marked as legacy |
 | 1.1.0 | 2026-02-27 | AYG-65: Auth updated to Clerk JWT; unified error response shape documented; `PaginatedResponse[T]` and `offset`/`limit` pagination params documented |
 | 1.0.0 | 2026-02-26 | Initial release |

docs/testing/test-registry.md

@@ -2,8 +2,8 @@
 title: "Test Registry"
 doc-type: reference
 status: draft
-last-updated: 2026-02-27
-updated-by: "data-model-docs-writer"
+last-updated: 2026-02-28
+updated-by: "api-docs-writer"
 related-code:
   - "backend/tests/**/*.py"
   - "frontend/tests/**/*.spec.ts"
@@ -18,7 +18,7 @@ tags: [testing, quality, registry]
 
 | Module | Unit | Integration | E2E | Total |
 |--------|------|-------------|-----|-------|
-| backend/api/routes | 0 | 47 | 0 | 47 |
+| backend/api/routes | 0 | 64 | 0 | 64 |
 | backend/core/config | 13 | 0 | 0 | 13 |
 | backend/core/errors | 20 | 0 | 0 | 20 |
 | backend/core/logging | 6 | 0 | 0 | 6 |
@@ -33,7 +33,7 @@ tags: [testing, quality, registry]
 | frontend/user-settings | 0 | 0 | 14 | 14 |
 | frontend/sign-up | 0 | 0 | 11 | 11 |
 | frontend/reset-password | 0 | 0 | 6 | 6 |
-| **Total** | **80** | **47** | **61** | **188** |
+| **Total** | **80** | **64** | **61** | **205** |
 
 > Unit tests in `backend/tests/unit/` can run without database env vars. The conftest guard pattern in that directory skips DB-dependent fixtures automatically.
 
@@ -107,6 +107,28 @@ tags: [testing, quality, registry]
 |-----------|-------------|------|--------|
 | test_create_user | Creates user via private API without auth | integration | passing |
 
+### Backend — Integration: Health (`backend/tests/integration/test_health.py`)
+
+| Test Name | Description | Type | Status |
+|-----------|-------------|------|--------|
+| test_returns_200_ok | Returns 200 with {"status": "ok"} for liveness check | integration | passing |
+| test_no_auth_required (healthz) | Succeeds without Authorization header | integration | passing |
+| test_response_schema_exact (healthz) | Response contains only the status field | integration | passing |
+| test_never_checks_dependencies | Does not access Supabase client in liveness probe | integration | passing |
+| test_healthy_supabase_returns_200 | Returns 200 when Supabase is reachable | integration | passing |
+| test_unreachable_supabase_returns_503 | Returns 503 when Supabase connection fails | integration | passing |
+| test_api_error_still_reports_ok | Treats PostgREST APIError as server reachable | integration | passing |
+| test_missing_supabase_client_returns_503 | Returns 503 when app.state.supabase unset | integration | passing |
+| test_exception_does_not_crash | Returns valid JSON 503, not a 500 crash | integration | passing |
+| test_no_auth_required (readyz) | Succeeds without Authorization header | integration | passing |
+| test_response_schema_exact (readyz) | Response has only status and checks fields | integration | passing |
+| test_returns_200_with_metadata | Returns 200 with all five metadata fields | integration | passing |
+| test_includes_service_name | Includes service_name for gateway discoverability | integration | passing |
+| test_default_values_for_unset_env_vars | GIT_COMMIT and BUILD_TIME default to unknown | integration | passing |
+| test_custom_settings_values | Reflects custom settings in response body | integration | passing |
+| test_response_schema_exact (version) | Response has exactly five expected fields | integration | passing |
+| test_no_auth_required (version) | Succeeds without Authorization header | integration | passing |
+
 ### Backend — Unit: Config (`backend/tests/unit/test_config.py`)
 
 | Test Name | Description | Type | Status |