fix(health): shallow unauthenticated /health liveness probe

.eslintrc.json

@@ -0,0 +1,32 @@
+{
+  "env": {
+    "node": true,
+    "es2021": true
+  },
+  "extends": [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/recommended"
+  ],
+  "parser": "@typescript-eslint/parser",
+  "parserOptions": {
+    "ecmaVersion": "latest",
+    "sourceType": "module"
+  },
+  "plugins": [
+    "@typescript-eslint"
+  ],
+  "rules": {
+    "@typescript-eslint/no-explicit-any": "warn",
+    "@typescript-eslint/no-unused-vars": ["warn", {
+      "argsIgnorePattern": "^_",
+      "varsIgnorePattern": "^_"
+    }],
+    "no-console": "off"
+  },
+  "ignorePatterns": [
+    "dist",
+    "node_modules",
+    "coverage",
+    "*.js"
+  ]
+}

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- `/health` no longer calls `getCredentials()` — it is now a shallow, unauthenticated liveness probe returning `200 {"status":"ok"}`. In gateway mode credentials only arrive per-request via headers, so the previous credential check always returned `503`, failing the Azure liveness probe and crash-looping the container. Also added `/healthz` as an alias.
+
 ### Added
 
 - Lazy-loading meta-tools mode (`LAZY_LOADING=true` env var) as alternative to decision-tree navigation

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wyre-technology/proofpoint-mcp",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "MCP server for Proofpoint Email Protection - email security, threat intelligence, TAP (Targeted Attack Protection), and email filtering API integration",
   "type": "module",
   "main": "dist/index.js",
@@ -60,4 +60,4 @@
   "engines": {
     "node": ">=20.0.0"
   }
-}
+}

src/index.ts

@@ -527,25 +527,14 @@ async function startHttpTransport(): Promise<void> {
   const httpServer = createHttpServer((req: IncomingMessage, res: ServerResponse) => {
     const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
 
-    // Health check - no auth required
-    if (url.pathname === "/health") {
-      const creds = getCredentials();
-      const statusCode = creds ? 200 : 503;
-
-      res.writeHead(statusCode, { "Content-Type": "application/json" });
-      res.end(
-        JSON.stringify({
-          status: creds ? "ok" : "degraded",
-          transport: "http",
-          authMode: isGatewayMode ? "gateway" : "env",
-          timestamp: new Date().toISOString(),
-          credentials: {
-            configured: !!creds,
-          },
-          logLevel: process.env.LOG_LEVEL || "info",
-          version: "1.0.0",
-        })
-      );
+    // Health check - shallow, unauthenticated liveness probe.
+    // Must NOT call getCredentials() or any upstream: in gateway mode
+    // credentials only arrive per-request via headers, so a credential
+    // check here would always fail the Azure liveness probe and the
+    // container would be SIGTERM-killed in a crash loop.
+    if (url.pathname === "/health" || url.pathname === "/healthz") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ status: "ok" }));
       return;
     }