nao1215
diff --git a/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 2 additions & 1 deletion b/‎Cargo.toml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 10 additions & 0 deletions b/‎README.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎ROADMAP.md‎
Lines changed: 9 additions & 0 deletions b/‎ROADMAP.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎doc/openapi.yaml‎
Lines changed: 48 additions & 2 deletions b/‎doc/openapi.yaml‎
Lines changed: 48 additions & 2 deletions
diff --git a/‎src/adapters/cli.rs‎
Lines changed: 117 additions & 1 deletion b/‎src/adapters/cli.rs‎
Lines changed: 117 additions & 1 deletion
@@ -13,7 +13,7 @@ categories = ["command-line-utilities", "multimedia::images", "web-programming::
 [features]
 default = ["cli", "server", "svg", "webp-lossy"]
 cli = ["dep:clap", "dep:clap_complete", "dep:ureq", "server"]
-server = ["dep:hmac", "dep:hex", "dep:serde_json", "dep:sha2", "dep:subtle", "dep:ureq", "dep:url", "dep:uuid", "svg"]
+server = ["dep:hmac", "dep:hex", "dep:serde_json", "dep:sha2", "dep:subtle", "dep:ureq", "dep:url", "dep:uuid", "dep:libc", "svg"]
 s3 = ["server", "dep:aws-sdk-s3", "dep:aws-config", "dep:tokio"]
 gcs = ["server", "dep:google-cloud-storage", "dep:google-cloud-auth", "dep:tokio"]
 azure = ["server", "dep:azure_storage_blob", "dep:azure_core", "dep:futures", "dep:tokio"]
@@ -60,6 +60,7 @@ google-cloud-auth = { version = "1", optional = true }
 azure_storage_blob = { version = "0.9", optional = true }
 azure_core = { version = "0.32", optional = true }
 futures = { version = "0.3", optional = true }
+libc = { version = "0.2", optional = true }
 
 [profile.release]
 lto = "thin"
 
@@ -203,6 +203,7 @@ See the [Docker](#docker) section for running with Docker instead.
 | `convert` | Convert and transform an image file (can be omitted; see above) |
 | `inspect` | Show metadata (format, dimensions, alpha) of an image |
 | `serve` | Start the HTTP image-transform server (implied when server flags are used at the top level) |
+| `validate` | Validate server configuration without starting the server (useful in CI/CD) |
 | `sign` | Generate a signed public URL for the server |
 | `completions` | Generate shell completion scripts |
 | `version` | Print version information |
@@ -246,6 +247,12 @@ By default, the server listens on `127.0.0.1:8080`. Configuration can be supplie
 truss serve --bind 0.0.0.0:8080 --storage-root /var/images
 ```
 
+To validate the server configuration without starting the server (useful in CI/CD pipelines):
+
+```sh
+truss validate
+```
+
 ### Core settings
 
 | Variable | Description |
@@ -259,6 +266,9 @@ truss serve --bind 0.0.0.0:8080 --storage-root /var/images
 | `TRUSS_MAX_INPUT_PIXELS` | Max input image pixels before decode; excess images receive 422 (default: `40000000`, range: 1-100000000) |
 | `TRUSS_MAX_UPLOAD_BYTES` | Max upload body size in bytes; excess requests receive 413 (default: `104857600` = 100 MB, range: 1-10737418240) |
 | `TRUSS_STORAGE_TIMEOUT_SECS` | Download timeout for object storage backends in seconds (default: `30`, range: 1-300) |
+| `TRUSS_KEEP_ALIVE_MAX_REQUESTS` | Max requests per keep-alive connection before the server closes it (default: `100`, range: 1-100000) |
+| `TRUSS_HEALTH_CACHE_MIN_FREE_BYTES` | Minimum free bytes on cache disk; `/health/ready` returns 503 when breached (disabled by default) |
+| `TRUSS_HEALTH_MAX_MEMORY_BYTES` | Maximum process RSS in bytes; `/health/ready` returns 503 when breached (disabled by default, Linux only) |
 
 `TRUSS_STORAGE_BACKEND` selects the source for public `GET /images/by-path`. When set to `s3`, `gcs`, or `azure`, the `path` query parameter is used as the object key. Only one backend can be active at a time. Private endpoints can still use `kind: storage` regardless of this setting.
 
 
@@ -0,0 +1,9 @@
+# Roadmap
+
+Items planned for future releases, roughly in priority order.
+
+## Health Check Hardening
+
+- [#72 — Add hysteresis to readiness probe resource checks to prevent flapping](https://github.com/nao1215/truss/issues/72)
+- [#73 — Consider authentication for /health diagnostic endpoint](https://github.com/nao1215/truss/issues/73)
+- [#74 — Cache syscall results in health check endpoints](https://github.com/nao1215/truss/issues/74)
@@ -348,8 +348,18 @@ paths:
                 checks:
                   - name: storageRoot
                     status: ok
+                  - name: cacheDiskFree
+                    status: ok
+                    freeBytes: 53687091200
+                    thresholdBytes: 1073741824
                   - name: transformCapacity
                     status: ok
+                    current: 2
+                    max: 64
+                  - name: memoryUsage
+                    status: ok
+                    rssBytes: 134217728
+                    thresholdBytes: 536870912
                 maxInputPixels: 40000000
 
   /health/live:
@@ -382,8 +392,17 @@ paths:
         Readiness probe for container orchestrators (e.g. Kubernetes
         `readinessProbe`). Checks that the server is able to accept traffic by
         verifying the storage root is accessible, the cache root (if configured)
-        is accessible, and the object-storage backend (if configured) is
-        network-reachable.
+        is accessible, the object-storage backend (if configured) is
+        network-reachable, cache disk free space is above the configured
+        threshold (`TRUSS_HEALTH_CACHE_MIN_FREE_BYTES`), process memory
+        usage is below the configured limit (`TRUSS_HEALTH_MAX_MEMORY_BYTES`),
+        and transform capacity is not exhausted.
+
+        **Platform note:** RSS memory and cache disk free space are read on
+        Linux only. On other platforms `TRUSS_HEALTH_MAX_MEMORY_BYTES` and
+        `TRUSS_HEALTH_CACHE_MIN_FREE_BYTES` are effectively no-ops — those
+        checks are omitted from the response and the remaining checks
+        (object-storage reachability, transform capacity, etc.) still apply.
 
         The object-storage reachability check (S3, GCS, or Azure) confirms
         that the configured bucket/container exists and the service responds to
@@ -1150,6 +1169,33 @@ components:
         status:
           type: string
           enum: [ok, fail]
+        freeBytes:
+          type: integer
+          format: int64
+          minimum: 0
+          description: Free bytes on the cache disk (cacheDiskFree check only).
+        thresholdBytes:
+          type: integer
+          format: int64
+          minimum: 1
+          description: >-
+            Configured threshold in bytes. Present on cacheDiskFree and
+            memoryUsage checks when a threshold is configured.
+        rssBytes:
+          type: integer
+          format: int64
+          minimum: 0
+          description: Process resident set size in bytes (memoryUsage check only, Linux).
+        current:
+          type: integer
+          format: int64
+          minimum: 0
+          description: Current number of in-flight transforms (transformCapacity check only).
+        max:
+          type: integer
+          format: int64
+          minimum: 1
+          description: Maximum concurrent transforms allowed (transformCapacity check only).
     ProblemDetail:
       type: object
       description: RFC 7807 Problem Details
 
@@ -51,6 +51,7 @@ COMMANDS:
   convert       Convert and transform an image file
   inspect       Show metadata (format, dimensions, alpha) of an image
   serve         Start the HTTP image-transform server
+  validate      Check server configuration without starting the server
   sign          Generate a signed public URL for the server
   completions   Generate shell completion scripts
   help          Show help for a command (e.g. truss help convert)
@@ -299,6 +300,19 @@ EXAMPLES:
     --expires 1700000000 --width 640 --format webp
 ";
 
+const HELP_VALIDATE: &str = "\
+truss validate - check server configuration without starting the server
+
+USAGE:
+  truss validate
+
+Parses and validates all environment variables used by `truss serve`.
+Exits 0 when the configuration is valid, or exits 1 with a description
+of each error found.
+
+Useful in CI/CD pipelines to catch configuration mistakes early.
+";
+
 const HELP_COMPLETIONS: &str = "\
 truss completions - generate shell completion scripts
 
@@ -358,6 +372,9 @@ enum CliSubcommand {
     Help { topic: Option<String> },
     /// Print version information
     Version,
+    /// Validate server configuration without starting the server
+    #[command(disable_help_flag = true)]
+    Validate(ClapValidateArgs),
     /// Generate shell completion scripts
     #[command(disable_help_flag = true)]
     Completions {
@@ -483,6 +500,13 @@ struct ClapServeArgs {
     help: bool,
 }
 
+#[derive(clap::Args)]
+struct ClapValidateArgs {
+    /// Show help for validate
+    #[arg(short = 'h', long = "help")]
+    help: bool,
+}
+
 #[derive(clap::Args)]
 struct ClapSignArgs {
     /// CDN base URL for the signed request
@@ -716,6 +740,7 @@ enum HelpTopic {
     Convert,
     Inspect,
     Serve,
+    Validate,
     Sign,
     Completions,
     Version,
@@ -726,6 +751,7 @@ enum Command {
     Help(HelpTopic),
     Version,
     Serve(ServeCommand),
+    Validate,
     Inspect(InspectCommand),
     Convert(ConvertCommand),
     Sign(SignCommand),
@@ -816,6 +842,7 @@ where
                 HelpTopic::Convert => HELP_CONVERT.to_string(),
                 HelpTopic::Inspect => HELP_INSPECT.to_string(),
                 HelpTopic::Serve => help_serve(),
+                HelpTopic::Validate => HELP_VALIDATE.to_string(),
                 HelpTopic::Sign => HELP_SIGN.to_string(),
                 HelpTopic::Completions => HELP_COMPLETIONS.to_string(),
                 HelpTopic::Version => HELP_VERSION.to_string(),
@@ -833,6 +860,10 @@ where
             Ok(()) => EXIT_SUCCESS,
             Err(error) => write_error(stderr, error),
         },
+        Ok(Command::Validate) => match execute_validate(stdout) {
+            Ok(()) => EXIT_SUCCESS,
+            Err(error) => write_error(stderr, error),
+        },
         Ok(Command::Inspect(command)) => match execute_inspect(command, stdin, stdout) {
             Ok(()) => EXIT_SUCCESS,
             Err(error) => write_error(stderr, error),
@@ -861,6 +892,7 @@ const KNOWN_SUBCOMMANDS: &[&str] = &[
     "convert",
     "inspect",
     "serve",
+    "validate",
     "sign",
     "help",
     "completions",
@@ -989,6 +1021,7 @@ where
         Some(CliSubcommand::Convert(args)) => convert_from_clap(args),
         Some(CliSubcommand::Inspect(args)) => inspect_from_clap(args),
         Some(CliSubcommand::Serve(args)) => serve_from_clap(args),
+        Some(CliSubcommand::Validate(args)) => validate_from_clap(args),
         Some(CliSubcommand::Sign(args)) => sign_from_clap(args),
     }
 }
@@ -1017,6 +1050,7 @@ fn parse_help_topic(topic: Option<String>) -> Result<Command, CliError> {
         Some("convert") => Ok(Command::Help(HelpTopic::Convert)),
         Some("inspect") => Ok(Command::Help(HelpTopic::Inspect)),
         Some("serve") => Ok(Command::Help(HelpTopic::Serve)),
+        Some("validate") => Ok(Command::Help(HelpTopic::Validate)),
         Some("sign") => Ok(Command::Help(HelpTopic::Sign)),
         Some("completions") => Ok(Command::Help(HelpTopic::Completions)),
         Some("version") => Ok(Command::Help(HelpTopic::Version)),
@@ -1025,7 +1059,8 @@ fn parse_help_topic(topic: Option<String>) -> Result<Command, CliError> {
             message: format!("unknown help topic '{other}'"),
             usage: None,
             hint: Some(
-                "available topics: convert, inspect, serve, sign, completions, version".to_string(),
+                "available topics: convert, inspect, serve, validate, sign, completions, version"
+                    .to_string(),
             ),
         }),
     }
@@ -1173,6 +1208,13 @@ fn serve_from_clap(args: ClapServeArgs) -> Result<Command, CliError> {
     }))
 }
 
+fn validate_from_clap(args: ClapValidateArgs) -> Result<Command, CliError> {
+    if args.help {
+        return Ok(Command::Help(HelpTopic::Validate));
+    }
+    Ok(Command::Validate)
+}
+
 fn sign_from_clap(args: ClapSignArgs) -> Result<Command, CliError> {
     if args.help {
         return Ok(Command::Help(HelpTopic::Sign));
@@ -1446,6 +1488,24 @@ fn execute_serve(command: ServeCommand) -> Result<(), CliError> {
         .map_err(|error| runtime_error(EXIT_RUNTIME, &format!("server runtime failed: {error}")))
 }
 
+fn execute_validate<W: Write>(stdout: &mut W) -> Result<(), CliError> {
+    match ServerConfig::from_env() {
+        Ok(config) => {
+            writeln!(stdout, "configuration is valid").map_err(|error| {
+                runtime_error(EXIT_RUNTIME, &format!("failed to write stdout: {error}"))
+            })?;
+            writeln!(stdout, "  storage root: {}", config.storage_root.display()).map_err(
+                |error| runtime_error(EXIT_RUNTIME, &format!("failed to write stdout: {error}")),
+            )?;
+            Ok(())
+        }
+        Err(error) => Err(runtime_error(
+            EXIT_USAGE,
+            &format!("invalid configuration: {error}"),
+        )),
+    }
+}
+
 fn resolve_server_config(command: ServeCommand) -> Result<ServerConfig, CliError> {
     let mut config = ServerConfig::from_env().map_err(|error| {
         runtime_error(
@@ -1843,6 +1903,7 @@ mod tests {
     use crate::{Fit, MediaType, RawArtifact, SignedUrlSource, TransformOptions, sniff_artifact};
     use image::codecs::png::PngEncoder;
     use image::{ColorType, ImageEncoder, Rgba, RgbaImage};
+    use serial_test::serial;
     use std::env;
     use std::fs;
     use std::io::{Cursor, Read, Write};
@@ -2382,6 +2443,61 @@ mod tests {
         assert_eq!(result.unwrap(), Command::Help(HelpTopic::Serve));
     }
 
+    // ===== Additional test: help validate =====
+
+    #[test]
+    fn help_validate_shows_validate_help() {
+        let result = parse_args(vec![
+            "truss".to_string(),
+            "help".to_string(),
+            "validate".to_string(),
+        ]);
+        assert_eq!(result.unwrap(), Command::Help(HelpTopic::Validate));
+    }
+
+    #[test]
+    fn parse_args_validate() {
+        let result =
+            parse_args(vec!["truss".to_string(), "validate".to_string()]).expect("parse validate");
+        assert_eq!(result, Command::Validate);
+    }
+
+    #[test]
+    fn validate_help_flag() {
+        let result = parse_args(vec![
+            "truss".to_string(),
+            "validate".to_string(),
+            "--help".to_string(),
+        ]);
+        assert_eq!(result.unwrap(), Command::Help(HelpTopic::Validate));
+    }
+
+    #[test]
+    #[serial]
+    fn validate_invalid_config() {
+        // SAFETY: test-only, single-threaded access to this env var.
+        unsafe { env::set_var("TRUSS_MAX_CONCURRENT_TRANSFORMS", "invalid") };
+        let mut stdout = Vec::new();
+        let result = super::execute_validate(&mut stdout);
+        unsafe { env::remove_var("TRUSS_MAX_CONCURRENT_TRANSFORMS") };
+        assert!(result.is_err());
+    }
+
+    #[test]
+    #[serial]
+    fn validate_valid_config() {
+        let dir = tempfile::tempdir().expect("create temp dir");
+        let mut stdout = Vec::new();
+        // SAFETY: test-only, single-threaded access to this env var.
+        unsafe { env::set_var("TRUSS_STORAGE_ROOT", dir.path().to_str().unwrap()) };
+        let result = super::execute_validate(&mut stdout);
+        unsafe { env::remove_var("TRUSS_STORAGE_ROOT") };
+        assert!(result.is_ok());
+        let output = String::from_utf8(stdout).expect("valid utf-8");
+        assert!(output.contains("configuration is valid"));
+        assert!(output.contains("storage root:"));
+    }
+
     // ===== Additional test: help sign =====
 
     #[test]