feat(mvp): phase 4 - app registry & healthcheck

Add app CRUD API endpoints, healthcheck service with node-cron scheduler,
icon resolver (Lucide, Simple Icons, CDN, uploads), app management UI
with Superforms, health badge component, and Docker health endpoint.

src/routes/api/apps/+server.ts

@@ -0,0 +1,55 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { requireAuth } from '$lib/server/middleware/authenticate.js';
+import * as appService from '$lib/server/services/appService.js';
+import { createAppSchema } from '$lib/utils/validators.js';
+import { success, error } from '$lib/server/utils/response.js';
+
+/**
+ * GET /api/apps — List all apps, optionally filtered by category or search.
+ */
+export const GET: RequestHandler = async (event) => {
+	requireAuth(event);
+
+	const category = event.url.searchParams.get('category') ?? undefined;
+	const search = event.url.searchParams.get('search') ?? undefined;
+
+	try {
+		const apps = await appService.findAll({ category, search });
+		return json(success(apps));
+	} catch (err) {
+		const message = err instanceof Error ? err.message : 'Failed to fetch apps';
+		return json(error(message), { status: 500 });
+	}
+};
+
+/**
+ * POST /api/apps — Create a new app.
+ */
+export const POST: RequestHandler = async (event) => {
+	const user = requireAuth(event);
+
+	let body: unknown;
+	try {
+		body = await event.request.json();
+	} catch {
+		return json(error('Invalid JSON body'), { status: 400 });
+	}
+
+	const parsed = createAppSchema.safeParse(body);
+	if (!parsed.success) {
+		const messages = parsed.error.errors.map((e) => e.message).join(', ');
+		return json(error(messages), { status: 400 });
+	}
+
+	try {
+		const app = await appService.create({
+			...parsed.data,
+			createdById: user.id
+		});
+		return json(success(app), { status: 201 });
+	} catch (err) {
+		const message = err instanceof Error ? err.message : 'Failed to create app';
+		return json(error(message), { status: 500 });
+	}
+};

src/routes/api/apps/[id]/+server.ts

@@ -0,0 +1,72 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { requireAuth } from '$lib/server/middleware/authenticate.js';
+import * as appService from '$lib/server/services/appService.js';
+import { updateAppSchema } from '$lib/utils/validators.js';
+import { success, error } from '$lib/server/utils/response.js';
+
+/**
+ * GET /api/apps/:id — Get a single app by ID.
+ */
+export const GET: RequestHandler = async (event) => {
+	requireAuth(event);
+
+	const { id } = event.params;
+
+	try {
+		const app = await appService.findById(id);
+		return json(success(app));
+	} catch (err) {
+		const message = err instanceof Error ? err.message : 'App not found';
+		return json(error(message), { status: 404 });
+	}
+};
+
+/**
+ * PATCH /api/apps/:id — Update an existing app.
+ */
+export const PATCH: RequestHandler = async (event) => {
+	requireAuth(event);
+
+	const { id } = event.params;
+
+	let body: unknown;
+	try {
+		body = await event.request.json();
+	} catch {
+		return json(error('Invalid JSON body'), { status: 400 });
+	}
+
+	const parsed = updateAppSchema.safeParse(body);
+	if (!parsed.success) {
+		const messages = parsed.error.errors.map((e) => e.message).join(', ');
+		return json(error(messages), { status: 400 });
+	}
+
+	try {
+		const app = await appService.update(id, parsed.data);
+		return json(success(app));
+	} catch (err) {
+		const message = err instanceof Error ? err.message : 'Failed to update app';
+		const status = message.includes('not found') ? 404 : 500;
+		return json(error(message), { status });
+	}
+};
+
+/**
+ * DELETE /api/apps/:id — Delete an app.
+ */
+export const DELETE: RequestHandler = async (event) => {
+	requireAuth(event);
+
+	const { id } = event.params;
+
+	try {
+		await appService.remove(id);
+		return json(success(null));
+	} catch (err) {
+		const message = err instanceof Error ? err.message : 'Failed to delete app';
+		const status = message.includes('not found') ? 404 : 500;
+		return json(error(message), { status });
+	}
+};

src/routes/api/apps/[id]/status/+server.ts

@@ -0,0 +1,35 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { requireAuth } from '$lib/server/middleware/authenticate.js';
+import * as appService from '$lib/server/services/appService.js';
+import { success, error } from '$lib/server/utils/response.js';
+
+/**
+ * GET /api/apps/:id/status — Get healthcheck status history for an app.
+ */
+export const GET: RequestHandler = async (event) => {
+	requireAuth(event);
+
+	const { id } = event.params;
+	const limitParam = event.url.searchParams.get('limit');
+	const limit = limitParam ? Math.min(Math.max(parseInt(limitParam, 10) || 50, 1), 200) : 50;
+
+	try {
+		// Verify app exists
+		await appService.findById(id);
+
+		const latest = await appService.getLatestStatus(id);
+		const history = await appService.getStatusHistory(id, limit);
+
+		return json(
+			success({
+				current: latest,
+				history
+			})
+		);
+	} catch (err) {
+		const message = err instanceof Error ? err.message : 'Failed to fetch status';
+		const status = message.includes('not found') ? 404 : 500;
+		return json(error(message), { status });
+	}
+};

src/routes/api/health/+server.ts

@@ -0,0 +1,10 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+
+/**
+ * GET /api/health — Docker healthcheck endpoint.
+ * Returns 200 when the server is running. No auth required.
+ */
+export const GET: RequestHandler = async () => {
+	return json({ status: 'ok' });
+};

src/routes/api/uploads/+server.ts

@@ -0,0 +1,67 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { requireAuth } from '$lib/server/middleware/authenticate.js';
+import { error, success } from '$lib/server/utils/response.js';
+import { writeFile, mkdir } from 'node:fs/promises';
+import { join } from 'node:path';
+import { randomUUID } from 'node:crypto';
+
+const ALLOWED_TYPES = new Set([
+	'image/svg+xml',
+	'image/png',
+	'image/jpeg',
+	'image/webp'
+]);
+
+const EXTENSION_MAP: Record<string, string> = {
+	'image/svg+xml': '.svg',
+	'image/png': '.png',
+	'image/jpeg': '.jpg',
+	'image/webp': '.webp'
+};
+
+const MAX_FILE_SIZE = 1024 * 1024; // 1MB
+
+/**
+ * POST /api/uploads — Upload a custom icon file.
+ * Accepts multipart form data with a single 'file' field.
+ * Validates type (SVG, PNG, JPG, WebP) and size (<1MB).
+ * Saves to static/uploads/ and returns the public path.
+ */
+export const POST: RequestHandler = async (event) => {
+	requireAuth(event);
+
+	let formData: FormData;
+	try {
+		formData = await event.request.formData();
+	} catch {
+		return json(error('Invalid form data'), { status: 400 });
+	}
+
+	const file = formData.get('file');
+	if (!file || !(file instanceof File)) {
+		return json(error('No file provided'), { status: 400 });
+	}
+
+	if (!ALLOWED_TYPES.has(file.type)) {
+		return json(error('Invalid file type. Allowed: SVG, PNG, JPG, WebP'), { status: 400 });
+	}
+
+	if (file.size > MAX_FILE_SIZE) {
+		return json(error('File too large. Maximum size: 1MB'), { status: 400 });
+	}
+
+	const extension = EXTENSION_MAP[file.type] ?? '.bin';
+	const filename = `${randomUUID()}${extension}`;
+
+	const uploadsDir = join(process.cwd(), 'static', 'uploads');
+	await mkdir(uploadsDir, { recursive: true });
+
+	const filePath = join(uploadsDir, filename);
+	const buffer = Buffer.from(await file.arrayBuffer());
+	await writeFile(filePath, buffer);
+
+	const publicPath = `/uploads/${filename}`;
+
+	return json(success({ path: publicPath, filename }), { status: 201 });
+};

src/routes/apps/+page.server.ts

@@ -0,0 +1,46 @@
+import type { Actions, PageServerLoad } from './$types.js';
+import { superValidate, setError } from 'sveltekit-superforms';
+import { zod } from 'sveltekit-superforms/adapters';
+import { fail } from '@sveltejs/kit';
+import { requireAuth } from '$lib/server/middleware/authenticate.js';
+import * as appService from '$lib/server/services/appService.js';
+import { createAppSchema } from '$lib/utils/validators.js';
+
+export const load: PageServerLoad = async (event) => {
+	requireAuth(event);
+
+	const category = event.url.searchParams.get('category') ?? undefined;
+	const search = event.url.searchParams.get('search') ?? undefined;
+
+	const [apps, categories, form] = await Promise.all([
+		appService.findAll({ category, search }),
+		appService.getCategories(),
+		superValidate(zod(createAppSchema))
+	]);
+
+	return { apps, categories, form };
+};
+
+export const actions: Actions = {
+	create: async (event) => {
+		const user = requireAuth(event);
+
+		const form = await superValidate(event.request, zod(createAppSchema));
+
+		if (!form.valid) {
+			return fail(400, { form });
+		}
+
+		try {
+			await appService.create({
+				...form.data,
+				createdById: user.id
+			});
+		} catch (err) {
+			const message = err instanceof Error ? err.message : 'Failed to create app';
+			return setError(form, '', message);
+		}
+
+		return { form };
+	}
+};

src/routes/apps/+page.svelte

@@ -0,0 +1,67 @@
+<script lang="ts">
+	import type { PageData } from './$types.js';
+	import AppCard from '$lib/components/app/AppCard.svelte';
+	import AppForm from '$lib/components/app/AppForm.svelte';
+
+	let { data }: { data: PageData } = $props();
+
+	let showForm = $state(false);
+</script>
+
+<svelte:head>
+	<title>Apps — Web App Launcher</title>
+</svelte:head>
+
+<main class="min-h-screen bg-background p-6 text-foreground">
+	<div class="mx-auto max-w-6xl">
+		<div class="mb-6 flex items-center justify-between">
+			<h1 class="text-2xl font-bold text-card-foreground">App Registry</h1>
+			<button
+				type="button"
+				onclick={() => (showForm = !showForm)}
+				class="rounded-md bg-primary px-4 py-2 text-sm font-medium text-primary-foreground hover:bg-primary/90 focus:outline-none focus:ring-2 focus:ring-ring"
+			>
+				{showForm ? 'Cancel' : 'Add App'}
+			</button>
+		</div>
+
+		{#if showForm}
+			<div class="mb-6 rounded-lg border border-border bg-card p-6">
+				<h2 class="mb-4 text-lg font-semibold text-card-foreground">New App</h2>
+				<AppForm form={data.form} action="?/create" />
+			</div>
+		{/if}
+
+		{#if data.categories.length > 0}
+			<div class="mb-4 flex flex-wrap gap-2">
+				<a
+					href="/apps"
+					class="rounded-full border border-border px-3 py-1 text-sm text-muted-foreground hover:bg-accent"
+				>
+					All
+				</a>
+				{#each data.categories as category}
+					<a
+						href="/apps?category={encodeURIComponent(category)}"
+						class="rounded-full border border-border px-3 py-1 text-sm text-muted-foreground hover:bg-accent"
+					>
+						{category}
+					</a>
+				{/each}
+			</div>
+		{/if}
+
+		{#if data.apps.length === 0}
+			<div class="flex flex-col items-center justify-center py-16 text-muted-foreground">
+				<p class="text-lg">No apps registered yet.</p>
+				<p class="mt-1 text-sm">Click "Add App" to register your first application.</p>
+			</div>
+		{:else}
+			<div class="grid grid-cols-1 gap-4 sm:grid-cols-2 md:grid-cols-3 lg:grid-cols-4">
+				{#each data.apps as app (app.id)}
+					<AppCard {app} />
+				{/each}
+			</div>
+		{/if}
+	</div>
+</main>