feat(api): Codex: add /health endpoint with podman + systemd checks

SAFE_FILES.md

@@ -0,0 +1,87 @@
+# SAFE FILES — podman-mvp
+
+These files and runtime assumptions are considered infrastructure-critical.
+
+Changes are NOT forbidden, but must ALWAYS be proposed first
+and explicitly approved before implementation.
+
+---
+
+## Runtime architecture (critical)
+
+Do not change without agreement:
+
+- Pod name: mvp-pod
+- Port mappings:
+  - 8080 → backend
+  - 8081 → webui proxy
+- userns=keep-id
+
+Backend runtime assumptions:
+
+- DBUS_SESSION_BUS_ADDRESS usage
+- XDG_RUNTIME_DIR mounts
+- Podman unix socket access
+- /run/user/1000 mounts
+- host PID namespace
+- host IPC namespace
+
+Reason:
+Backend communicates with user-session Podman and systemd.
+
+---
+
+## Infrastructure sensitive files
+
+High risk files:
+
+control/Dockerfile
+webui/conf/httpd.conf
+
+Changes must be proposed first.
+
+---
+
+## Core API stability
+
+Files requiring caution:
+
+control/app.py
+control/app_images.py
+
+Rules:
+- Never rewrite structure without agreement.
+- Extend endpoints instead of replacing logic.
+
+---
+
+## Frontend stability
+
+Files:
+
+webui/html/index.html
+
+Avoid:
+- framework migrations
+- large UI rewrites
+
+Prefer incremental improvements.
+
+---
+
+## Allowed improvements
+
+Safe changes include:
+
+- new API endpoints
+- optional JSON response fields
+- new UI tabs
+- bug fixes
+- performance improvements
+
+---
+
+## Goal
+
+System stability has priority over architectural perfection.
+Prefer minimal and predictable changes.