fix(health): canonicalize on /api/health + /api/v1/health alias + drift guard

[sudoshi]

Root cause

routes/api.php is mounted under the /api prefix (not /api/v1), so the health route is /api/health. Consumers that assumed the v1 prefix hit /api/v1/health → 404. Most damaging: the installer readiness probe (installer/health.py) checks for HTTP 200, so first-run "waiting for Parthenon to come online" could never reach ready and the Done-page "Open" button never enabled. LegacyAtlasRedirectController also 301-redirected WebAPI fallbacks to the 404.

Fixes (the comprehensive sweep)

• Backend: add a backward-compatible /api/v1/health alias (direct route, not a redirect — probes need a real 200) so already-shipped installer binaries + external monitors work; HealthCheckTest now locks both paths to 200.
• Installer: probe + tests + GUI label → /api/health.
• LegacyAtlasRedirectController: redirect fallbacks → /api/health.
• Runbooks: compliance (DR/IR/remediation) + FinnGen runbook → /api/health; FinnGen jq corrected to .services.darkstar (the .finngen field was specced but never built).
• Historical/archived design specs left as-is (they record past state).

Permanent + evolving prevention (so it can't recur)

• scripts/checks/check_health_urls.py — derives the real health routes from api.php and fails if any live consumer (installer/deploy/infra/SPA) references a health path the backend doesn't serve. Self-maintaining: add/rename a route and the allowed set updates; remove the alias and every straggler is flagged; a new typo is caught. Verified it flags a planted /api/v2/health.
• Wired into CI (license-guard.yml) and the pre-commit hook.
• deploy.sh smoke checks now probe both /api/health and /api/v1/health.

Verified

Guard pass + self-test, installer pytest (5), HealthCheckTest both paths 200 (24 assertions), Pint, PHPStan.

🤖 Generated with claude-flow