fix(webapp): close two bypass paths around the REQUIRE_PLUGINS healthcheck

Two paths could silently skip the new plugin-load gate, found in review:

- server.ts: when DASHBOARD_AND_API_DISABLED=true, /healthcheck was
  served by a static Express handler (200 OK) that bypassed the Remix
  loader entirely. Forward to createRequestHandler in that branch too
  so the loader's readiness checks (DB ping + rbac.isUsingPlugin())
  run in every deployment mode.
- healthcheck.tsx: rbac.isUsingPlugin() sat after the
  HEALTHCHECK_DATABASE_DISABLED early return, so it never ran when
  that flag was set. The rbac fallback doesn't touch the DB
  (fallback.ts isUsingPlugin returns false unconditionally), so move
  the rbac check above the DB-disabled guard — REQUIRE_PLUGINS
  protection now applies regardless of the DB-healthcheck setting.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: matt-aitken

apps/webapp/app/routes/healthcheck.tsx

@@ -5,18 +5,20 @@ import { rbac } from "~/services/rbac.server";
 
 export const loader: LoaderFunction = async ({ request }) => {
   try {
+    // Resolve the lazy plugin controller so plugin-load failures surface
+    // during readiness probes. With REQUIRE_PLUGINS=1, a failed plugin
+    // load throws here and the rollout's readiness probe fails. The
+    // fallback path doesn't touch the DB, so this runs even when
+    // HEALTHCHECK_DATABASE_DISABLED=1 — REQUIRE_PLUGINS protection must
+    // not be silently bypassed by the DB-disabled flag.
+    await rbac.isUsingPlugin();
+
     if (env.HEALTHCHECK_DATABASE_DISABLED === "1") {
       return new Response("OK");
     }
 
     await prisma.$queryRaw`SELECT 1`;
 
-    // Resolve the lazy plugin controller so plugin-load failures surface
-    // during readiness probes. With REQUIRE_PLUGINS=1, a failed plugin
-    // load throws here and the rollout's readiness probe fails. Without
-    // REQUIRE_PLUGINS, the fallback resolves cleanly and this is a noop.
-    await rbac.isUsingPlugin();
-
     return new Response("OK");
   } catch (error: unknown) {
     console.log("healthcheck ❌", { error });

apps/webapp/server.ts

@@ -188,10 +188,18 @@ if (ENABLE_CLUSTER && cluster.isPrimary) {
         })
       );
     } else {
-      // we need to do the health check here at /healthcheck
-      app.get("/healthcheck", (req, res) => {
-        res.status(200).send("OK");
-      });
+      // we need to do the health check here at /healthcheck — forward
+      // to the Remix handler so the loader's readiness checks (DB ping,
+      // REQUIRE_PLUGINS-gated plugin load) run in this mode too. A
+      // static 200 here would silently mask a failed plugin load.
+      app.get(
+        "/healthcheck",
+        // @ts-ignore
+        createRequestHandler({
+          build,
+          mode: MODE,
+        })
+      );
     }
 
     const server = app.listen(port, () => {