feat(health-monitor): host-side silent-fail detection and operator alerting

[alexli-77]

Summary

• Adds src/modules/health-monitor/ module: 5-min timer that detects silent task failures and posts direct Discord alerts
• Adds pre-spawn OAuth token refresh from macOS Keychain in buildMounts()

Problem

Stuck-container detection catches hung containers but misses containers that complete with zero output — the silent 401 auth failure pattern:

1. Token expires → container spawns → Claude binary 401
2. Agent-runner writes processing_ack = completed (processed the message, result was empty)
3. Container idles → 30 min later absolute-ceiling kills it
4. Operator has no idea. Scheduled task looks like it ran.

Changes

src/modules/health-monitor/ (new module):

• setup.ts — idempotent DB bootstrap (agent group + messaging group + wiring + named destination)
• checks.ts — checkSilentFail() (ack with no output in 2h window, container stopped) + checkTokenExpiry()
• alert.ts — direct Discord REST to configurable keepalive channel (bypasses routing — works even if routing is broken) + task injection into health-monitor session
• index.ts — 5-min timer, 1h dedup per issue key, startHealthMonitor() called after initDb() via MODULE-HOOK

src/container-runner.ts: pre-spawn Keychain token refresh in buildMounts(). try/catch, no-op on non-macOS.

src/index.ts + src/modules/index.ts: MODULE-HOOK wiring.

Test plan

• Service starts cleanly, [health-monitor] Started in logs
• DB rows created on startup (idempotent)
• Health-monitor container spawns and delivers <message to="keepalive"> to Discord
• pnpm run build passes

Related upstream issues

• Bug: CLAUDE_CODE_OAUTH_TOKEN in .env expires overnight — containers fail with 401 each morning #730 — OAuth token expiry (macOS Keychain details added to comment)
• Feature: operator alerting + health-monitor agent for silent task failures #2492 — health-monitor feature proposal to upstream

🤖 Generated with Claude Code