fix: improve error handling and provider registry consistency

- Add include depth limit to config includes
- Improve error handling for flag parsing and TLS/HTTP providers
- Make provider registry internal and update references
- Update Vault provider docs for lowercase health fields
- Return error when all container components fail to resolve
- Add default HTTP status check if no CEL checks configured
- Fix time CEL function panics on wrong type
- Update example config for Kubernetes kind field
- Miscellaneous doc and comment improvements

Author: isometry

pkg/checks/README.md

@@ -19,7 +19,7 @@ ph context my-app -o yaml
 
 ## CEL Expression Syntax
 
-CEL expressions must evaluate to a boolean (`true` for healthy, `false` for unhealthy). Expressions have access to provider-specific context variables (e.g., `response` for REST, `resource` for Kubernetes).
+CEL expressions must evaluate to a boolean (`true` for healthy, `false` for unhealthy). Expressions have access to provider-specific context variables (e.g., `response` for HTTP, `resource` for Kubernetes).
 
 ## Common CEL Patterns
 

pkg/checks/cel.go

@@ -249,7 +249,11 @@ func ParseConfig(raw any) ([]Expression, error) {
 // ValidateExpression validates CEL expression syntax at configuration time.
 // Variables should be declared using cel.Variable() options.
 func ValidateExpression(expression string, variables ...cel.EnvOption) error {
-	env, err := cel.NewEnv(append(variables, standardExtensions...)...)
+	allOpts := make([]cel.EnvOption, 0, len(standardFunctions)+len(variables)+len(standardExtensions))
+	allOpts = append(allOpts, standardFunctions...)
+	allOpts = append(allOpts, variables...)
+	allOpts = append(allOpts, standardExtensions...)
+	env, err := cel.NewEnv(allOpts...)
 	if err != nil {
 		return fmt.Errorf("failed to create CEL environment: %w", err)
 	}
@@ -262,7 +266,7 @@ func ValidateExpression(expression string, variables ...cel.EnvOption) error {
 }
 
 // EvaluateAny compiles and evaluates a CEL expression returning its result.
-// Unlike Evaluate(), this does not require boolean output - any type is allowed.
+// Unlike Check.Evaluate(), this does not require boolean output - any type is allowed.
 // The result is converted to native Go types for serialization.
 // Note: Uses the cached environment but compiles the AST directly (no caching)
 // since the boolean output validation in getOrCompileAST() doesn't apply here.

pkg/checks/functions/time.go

@@ -27,7 +27,10 @@ func Time() []cel.EnvOption {
 				[]*cel.Type{cel.TimestampType},
 				cel.DurationType,
 				cel.UnaryBinding(func(arg ref.Val) ref.Val {
-					ts := arg.(types.Timestamp)
+					ts, ok := arg.(types.Timestamp)
+					if !ok {
+						return types.NewErr("time.Since: expected timestamp, got %T", arg)
+					}
 					return types.Duration{Duration: time.Since(ts.Time)}
 				}),
 			),
@@ -38,7 +41,10 @@ func Time() []cel.EnvOption {
 				[]*cel.Type{cel.TimestampType},
 				cel.DurationType,
 				cel.UnaryBinding(func(arg ref.Val) ref.Val {
-					ts := arg.(types.Timestamp)
+					ts, ok := arg.(types.Timestamp)
+					if !ok {
+						return types.NewErr("time.Until: expected timestamp, got %T", arg)
+					}
 					return types.Duration{Duration: time.Until(ts.Time)}
 				}),
 			),

pkg/commands/check/check.go

@@ -115,11 +115,8 @@ func setup(cmd *cobra.Command, _ []string) (err error) {
 		return err
 	}
 
-	// In strict mode, fail if any configuration errors were found
-	if strict {
-		if err := result.EnforceStrict(log); err != nil {
-			return err
-		}
+	if err := result.EnforceStrict(log); err != nil {
+		return err
 	}
 
 	conf = result

pkg/commands/context/context.go

@@ -138,8 +138,14 @@ func displayContext(cmd *cobra.Command, checkProvider provider.InstanceWithCheck
 	v := phctx.Viper(cmd.Context())
 	output := v.GetString("output-format")
 
-	defaultExprs, _ := cmd.Flags().GetStringArray("expr")
-	eachExprs, _ := cmd.Flags().GetStringArray("expr-each")
+	defaultExprs, err := cmd.Flags().GetStringArray("expr")
+	if err != nil {
+		return fmt.Errorf("failed to get expr flag: %w", err)
+	}
+	eachExprs, err := cmd.Flags().GetStringArray("expr-each")
+	if err != nil {
+		return fmt.Errorf("failed to get expr-each flag: %w", err)
+	}
 
 	if len(defaultExprs) > 0 || len(eachExprs) > 0 {
 		celConfig := checkProvider.GetCheckConfig()

pkg/commands/server/server.go

@@ -59,11 +59,8 @@ func setup(cmd *cobra.Command, args []string) (err error) {
 		return err
 	}
 
-	// In strict mode, fail if any configuration errors were found
-	if strict {
-		if err := result.EnforceStrict(log); err != nil {
-			return err
-		}
+	if err := result.EnforceStrict(log); err != nil {
+		return err
 	}
 
 	conf = result

pkg/config/includes.go

@@ -50,6 +50,8 @@ func (s IncludeStack) CycleString(cyclePath string) string {
 	return strings.Join(parts, " -> ")
 }
 
+const maxIncludeDepth = 10
+
 // ProcessIncludes recursively processes includes in a config map.
 // basePath is the directory containing the current config file.
 // stack is used for loop detection via content hashing.
@@ -58,6 +60,10 @@ func (s IncludeStack) CycleString(cyclePath string) string {
 // (not replaced), and scalar values are overridden by later includes.
 // The local config (non-included content) takes highest priority.
 func ProcessIncludes(configMap map[string]any, basePath string, stack IncludeStack) (map[string]any, error) {
+	if len(stack) > maxIncludeDepth {
+		return nil, fmt.Errorf("include depth exceeds maximum of %d", maxIncludeDepth)
+	}
+
 	// Extract includes list
 	includesRaw, hasIncludes := configMap["includes"]
 	if !hasIncludes {

pkg/provider/README.md

@@ -75,4 +75,24 @@ type BaseWithChecks struct {
 }
 ```
 
-Embed this in your provider to get default implementations of `GetChecks()` and `SetChecks()`. In your provider's `SetChecks()` method, call `SetChecksAndCompile(exprs, celConfig)` to compile the CEL expressions against your provider's CEL configuration.
+Embed this in your provider to get default implementations of `GetChecks()`, `HasChecks()`, `EvaluateChecks()`, and `EvaluateChecksByMode()`. In your provider's `SetChecks()` method, call `SetChecksAndCompile(exprs, celConfig)` to compile the CEL expressions against your provider's CEL configuration.
+
+### Container
+
+Providers that group related child health checks implement the `Container` interface:
+
+```go
+type Container interface {
+    SetComponents(config map[string]any)
+    GetComponents() []Instance
+    ComponentErrors() []error
+}
+```
+
+Methods:
+
+- `SetComponents()`: Stores raw component configuration (called by factory before Setup)
+- `GetComponents()`: Returns resolved child instances (available after Setup)
+- `ComponentErrors()`: Returns validation errors from component resolution
+
+The `BaseContainer` struct provides a default implementation. Call `ResolveComponents()` from your provider's `Setup()` method to resolve child instances from stored config.

pkg/provider/container.go

@@ -61,5 +61,9 @@ func (b *BaseContainer) ResolveComponents() error {
 		b.resolved = append(b.resolved, instance)
 	}
 
-	return nil // errors collected in resolutionErrors, not returned
+	if len(b.resolved) == 0 && len(b.resolutionErrors) > 0 {
+		return errors.Join(b.resolutionErrors...)
+	}
+
+	return nil
 }

pkg/provider/factory.go

@@ -95,7 +95,7 @@ func WithTimeout(timeout time.Duration) Option {
 // For configured instances, use NewInstance instead.
 func New(providerType string) (Instance, error) {
 	mu.RLock()
-	registeredType, ok := Providers[providerType]
+	registeredType, ok := providers[providerType]
 	mu.RUnlock()
 	if !ok {
 		return nil, fmt.Errorf("unknown provider type: %q", providerType)
@@ -110,7 +110,7 @@ func New(providerType string) (Instance, error) {
 // If no name is provided via WithName, defaults to the provider type.
 func NewInstance(providerType string, opts ...Option) (Instance, error) {
 	mu.RLock()
-	registeredType, ok := Providers[providerType]
+	registeredType, ok := providers[providerType]
 	mu.RUnlock()
 	if !ok {
 		return nil, fmt.Errorf("unknown provider type: %q", providerType)