Mim per-program health, env injection, and eval

  - Fix doctor falsely reporting podman as unreachable (use {{.Version.Version}} for podman)
  - Add GET /health/<program> endpoint with per-program daemon status
  - Enhance GET /health to return aggregated per-program breakdown
  - Add --env/--env-file flags to start for secret/config injection into containers
  - Add --env to freeze for recording expected env var names in manifest
  - Add eval CLI command that POSTs to a running serve container's /eval endpoint
  - Add engine fallback warning on unfreeze when defaulting to global config

Author: arendsee

data/rust/morloc-manager/src/doctor.rs

@@ -105,8 +105,12 @@ pub fn doctor(
 
 fn check_engine(c: &mut Counts, engine: ContainerEngine) {
     let exe = engine_executable(engine);
+    let fmt = match engine {
+        ContainerEngine::Podman => "{{.Version.Version}}",
+        ContainerEngine::Docker => "{{.ServerVersion}}",
+    };
     let output = Command::new(exe)
-        .args(["info", "--format", "{{.ServerVersion}}"])
+        .args(["info", "--format", fmt])
         .output();
     match output {
         Ok(o) if o.status.success() => {

data/rust/morloc-manager/src/freeze.rs

@@ -16,6 +16,7 @@ pub fn freeze_from_dir(
     v_data_dir: &str,
     output_dir: &str,
     verbose: bool,
+    env_vars: &[String],
 ) -> Result<()> {
     fs::create_dir_all(output_dir)
         .map_err(|e| ManagerError::FreezeError(format!("Failed to create output dir: {e}")))?;
@@ -112,11 +113,16 @@ pub fn freeze_from_dir(
         programs,
         base_image: base_img,
         env_layer,
+        env_vars: env_vars.to_vec(),
     };
     let manifest_path = Path::new(output_dir).join("freeze-manifest.json");
     let manifest_path = manifest_path.to_string_lossy();
     write_freeze_manifest(&manifest_path, &manifest)?;
     eprintln!("Wrote {manifest_path}");
+    if !env_vars.is_empty() {
+        eprintln!("Expected env vars: {}", env_vars.join(", "));
+        eprintln!("  Pass at start time with: morloc-manager start --env KEY=VALUE");
+    }
     eprintln!("Frozen state written to {output_dir}");
     Ok(())
 }

data/rust/morloc-manager/src/main.rs

@@ -260,6 +260,12 @@ Without --, flags like --version are interpreted by morloc-manager itself.")]
         /// Port mapping HOST:CONTAINER (default: 8080:8080)
         #[arg(short, long, value_parser = parse_port)]
         port: Vec<(u16, u16)>,
+        /// Pass environment variable to the container (KEY=VALUE)
+        #[arg(short, long = "env")]
+        env_vars: Vec<String>,
+        /// Read environment variables from a file (one KEY=VALUE per line)
+        #[arg(long)]
+        env_file: Option<String>,
     },
     /// Stop a running serve container
     #[command(display_order = 21)]
@@ -288,6 +294,9 @@ Without --, flags like --version are interpreted by morloc-manager itself.")]
         /// Overwrite existing output directory
         #[arg(long)]
         force: bool,
+        /// Declare an expected environment variable name (recorded in manifest, no value stored)
+        #[arg(short, long = "env")]
+        env_vars: Vec<String>,
     },
     /// Build a serve image from frozen state
     #[command(display_order = 24)]
@@ -310,8 +319,20 @@ Without --, flags like --version are interpreted by morloc-manager itself.")]
         #[arg(long)]
         rebuild: bool,
     },
-    /// List running serve containers
+    /// Evaluate a morloc expression against a running serve container
     #[command(display_order = 25)]
+    #[command(after_help = "Examples:\n  morloc-manager eval 'add 1 2'\n  morloc-manager eval myenv 'map (add 1) [1,2,3]'\n  morloc-manager eval -p 9090 'greet \"world\"'")]
+    Eval {
+        /// Expression to evaluate (or environment name if two positional args)
+        first: String,
+        /// Expression to evaluate (when first arg is environment name)
+        second: Option<String>,
+        /// Port of the serve container (default: 8080)
+        #[arg(short, long, default_value = "8080")]
+        port: u16,
+    },
+    /// List running serve containers
+    #[command(display_order = 26)]
     #[command(after_help = "Examples:\n  morloc-manager status")]
     Status,
     /// Check environment health and diagnose issues
@@ -358,6 +379,44 @@ fn parse_port(s: &str) -> std::result::Result<(u16, u16), String> {
     Ok((host, container))
 }
 
+/// Parse env vars from --env flags and --env-file, returning (key, value) pairs.
+fn collect_env_vars(
+    env_flags: &[String],
+    env_file: Option<&str>,
+) -> Result<Vec<(String, String)>> {
+    let mut result = Vec::new();
+
+    if let Some(path) = env_file {
+        let contents = std::fs::read_to_string(path).map_err(|e| {
+            ManagerError::EnvError(format!("Cannot read env file {path}: {e}"))
+        })?;
+        for line in contents.lines() {
+            let trimmed = line.trim();
+            if trimmed.is_empty() || trimmed.starts_with('#') {
+                continue;
+            }
+            if let Some((k, v)) = trimmed.split_once('=') {
+                result.push((k.to_string(), v.to_string()));
+            }
+        }
+    }
+
+    for entry in env_flags {
+        if let Some((k, v)) = entry.split_once('=') {
+            result.push((k.to_string(), v.to_string()));
+        } else {
+            // Bare key — pass through from host environment
+            if let Ok(v) = std::env::var(entry) {
+                result.push((entry.clone(), v));
+            } else {
+                eprintln!("Warning: env var '{entry}' not set in host environment, skipping");
+            }
+        }
+    }
+
+    Ok(result)
+}
+
 // ======================================================================
 // Main
 // ======================================================================
@@ -1293,7 +1352,7 @@ fn dispatch(verbose: bool, cmd: Cmd) -> Result<()> {
         }
 
         // ---- freeze ----
-        Cmd::Freeze { output, force } => {
+        Cmd::Freeze { output, force, env_vars } => {
             let output_dir = output.as_deref().unwrap_or("./morloc-freeze");
             // Protect against silently overwriting a previous freeze
             let existing_tar = std::path::Path::new(output_dir).join("state.tar.gz");
@@ -1330,7 +1389,7 @@ fn dispatch(verbose: bool, cmd: Cmd) -> Result<()> {
             };
             let data_dir = cfg::env_data_dir(env_scope, &env_name);
             let image = ec.active_image().to_string();
-            let result = freeze::freeze_from_dir(env_scope, ver.clone(), engine, &image, &data_dir.to_string_lossy(), output_dir, verbose);
+            let result = freeze::freeze_from_dir(env_scope, ver.clone(), engine, &image, &data_dir.to_string_lossy(), output_dir, verbose, &env_vars);
             if result.is_ok() && ec.morloc_version.as_ref() != Some(&ver) {
                 let mut updated = ec.clone();
                 updated.morloc_version = Some(ver);
@@ -1360,13 +1419,27 @@ fn dispatch(verbose: bool, cmd: Cmd) -> Result<()> {
             let engine = match engine_override {
                 Some(EngineArg::Docker) => ContainerEngine::Docker,
                 Some(EngineArg::Podman) => ContainerEngine::Podman,
-                None => ensure_engine()?,
+                None => {
+                    let e = ensure_engine()?;
+                    eprintln!(
+                        "Note: using {} engine from global config. Override with --engine if needed.",
+                        display_engine(e)
+                    );
+                    e
+                }
             };
+            if !manifest.env_vars.is_empty() {
+                eprintln!(
+                    "Note: frozen state expects env vars: {}",
+                    manifest.env_vars.join(", ")
+                );
+                eprintln!("  Pass at runtime with: -e KEY=VALUE when running the image");
+            }
             serve::build_serve_image(engine, verbose, &from, &tag, manifest.morloc_version, base.as_deref(), rebuild, &manifest.programs)
         }
 
         // ---- start ----
-        Cmd::Start { name, port } => {
+        Cmd::Start { name, port, env_vars, env_file } => {
             let (env_name, env_scope, ec) = resolve_env_or_active(name)?;
             let image = ec.active_image().to_string();
             let data_dir = cfg::env_data_dir(env_scope, &env_name);
@@ -1382,10 +1455,12 @@ fn dispatch(verbose: bool, cmd: Cmd) -> Result<()> {
             };
             let flags_path = cfg::env_flags_path(env_scope, &env_name);
             let extra_flags = cfg::read_flags_file(&flags_path);
+            let user_env = collect_env_vars(&env_vars, env_file.as_deref())?;
             serve::serve_environment(
                 ec.engine, verbose, &image,
                 &data_dir.to_string_lossy(), &container_name,
                 &port_mappings, &extra_flags, &Some(ec.shm_size.clone()),
+                &user_env,
             )
         }
 
@@ -1439,6 +1514,50 @@ fn dispatch(verbose: bool, cmd: Cmd) -> Result<()> {
             Ok(())
         }
 
+        // ---- eval ----
+        Cmd::Eval { first, second, port } => {
+            let expr = if let Some(ref expr_arg) = second {
+                // first is env name — validate it exists and its serve container is running
+                let (env_name, _, ec) = resolve_env_or_active(Some(first))?;
+                let container_name = format!("morloc-serve-{env_name}");
+                if !container::container_exists(ec.engine, &container_name) {
+                    return Err(ManagerError::EnvError(format!(
+                        "No serve container running for '{env_name}'. Start with: morloc-manager start {env_name}"
+                    )));
+                }
+                expr_arg.clone()
+            } else {
+                first
+            };
+            use std::io::{Read as IoRead, Write as IoWrite};
+            let body = format!("{{\"expr\":{}}}", serde_json::to_string(&expr).unwrap_or_default());
+            let request = format!(
+                "POST /eval HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/json\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
+                body.len(), body
+            );
+            let addr = format!("127.0.0.1:{port}");
+            let mut stream = std::net::TcpStream::connect(&addr).map_err(|e| {
+                ManagerError::EnvError(format!(
+                    "Cannot connect to serve container on {addr}: {e}\n  Is a serve container running? Start with: morloc-manager start"
+                ))
+            })?;
+            stream.write_all(request.as_bytes()).map_err(|e| {
+                ManagerError::EnvError(format!("Failed to send request: {e}"))
+            })?;
+            let mut response = String::new();
+            stream.read_to_string(&mut response).map_err(|e| {
+                ManagerError::EnvError(format!("Failed to read response: {e}"))
+            })?;
+            // Extract body from HTTP response (after \r\n\r\n)
+            if let Some(pos) = response.find("\r\n\r\n") {
+                let body = &response[pos + 4..];
+                println!("{body}");
+            } else {
+                println!("{response}");
+            }
+            Ok(())
+        }
+
         // ---- status ----
         Cmd::Status => {
             // Only show engines that have running/stopped serve containers.
@@ -1907,6 +2026,7 @@ mod tests {
                 content_hash: "abc".to_string(),
                 image_digest: None,
             }),
+            env_vars: vec!["API_KEY".to_string(), "DB_URL".to_string()],
         };
         cfg::write_config(&path, &fm).unwrap();
         let fm2: FreezeManifest = cfg::read_config(&path).unwrap();

data/rust/morloc-manager/src/serve.rs

@@ -286,6 +286,7 @@ pub fn serve_environment(
     ports: &[(u16, u16)],
     extra_flags: &[String],
     shm_size: &Option<String>,
+    user_env: &[(String, String)],
 ) -> Result<()> {
     // Clean up any existing dead container with this name (silently)
     let _ = crate::container::container_remove_quiet(engine, container_name);
@@ -310,6 +311,7 @@ pub fn serve_environment(
         ("PATH".to_string(), format!("{mh}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin")),
         ("MORLOC_HOME".to_string(), mh.to_string()),
     ];
+    cfg.env.extend(user_env.iter().cloned());
     cfg.command = Some(vec![
         "morloc-nexus".to_string(),
         "--router".to_string(),

data/rust/morloc-manager/src/types.rs

@@ -239,6 +239,9 @@ pub struct FreezeManifest {
     pub programs: Vec<ProgramEntry>,
     pub base_image: String,
     pub env_layer: Option<FrozenEnvLayer>,
+    /// Expected environment variable names (no values — injected at start/run time).
+    #[serde(default)]
+    pub env_vars: Vec<String>,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]

data/rust/morloc-runtime/src/router_ffi.rs

@@ -833,9 +833,16 @@ unsafe fn router_http_to_request(
         ""
     };
 
-    // GET /health
-    if method == HttpMethod::Get && path == "/health" {
+    // GET /health or GET /health/<program>
+    if method == HttpMethod::Get && (path == "/health" || path.starts_with("/health/")) {
         (*dreq).method = DaemonMethod::Health;
+        if path.starts_with("/health/") {
+            let prog_name = &path[8..];
+            if !prog_name.is_empty() {
+                let c = CString::new(prog_name).unwrap_or_default();
+                *out_program = libc::strdup(c.as_ptr());
+            }
+        }
         return dreq;
     }
 
@@ -1170,13 +1177,37 @@ pub unsafe extern "C" fn router_run(config: *mut DaemonConfig, router: *mut Rout
             // Router-level requests
             if target_program.is_null() {
                 if (*dreq).method == DaemonMethod::Health {
-                    let body = b"{\"status\":\"ok\"}\0";
+                    // Aggregate per-program health
+                    let mut all_ok = true;
+                    let mut prog_entries = Vec::new();
+                    for i in 0..(*router).n_programs {
+                        let prog = &*(*router).programs.add(i);
+                        let name = CStr::from_ptr(prog.name).to_string_lossy();
+                        let alive =
+                            prog.daemon_pid > 0 && libc::kill(prog.daemon_pid, 0) == 0;
+                        if !alive {
+                            all_ok = false;
+                        }
+                        let status_str = if alive { "ok" } else { "error" };
+                        prog_entries.push(serde_json::json!({
+                            "program": name.as_ref(),
+                            "status": status_str,
+                        }));
+                    }
+                    let overall = if all_ok { "ok" } else { "degraded" };
+                    let body = serde_json::json!({
+                        "status": overall,
+                        "programs": prog_entries,
+                    }).to_string();
+                    let status_code = if all_ok { 200 } else { 503 };
+                    resp_status = status_code;
+                    let c = CString::new(body.as_str()).unwrap_or_default();
                     http_write_response(
                         client_fd,
-                        200,
+                        status_code,
                         ct.as_ptr() as *const c_char,
-                        body.as_ptr() as *const c_char,
-                        body.len() - 1,
+                        c.as_ptr(),
+                        body.len(),
                     );
                 } else if (*dreq).method == DaemonMethod::Discover {
                     let disco = router_build_discovery(router);
@@ -1214,7 +1245,51 @@ pub unsafe extern "C" fn router_run(config: *mut DaemonConfig, router: *mut Rout
             }
 
             // Per-program request
-            if (*dreq).method == DaemonMethod::Discover {
+            if (*dreq).method == DaemonMethod::Health {
+                let mut found = false;
+                for p in 0..(*router).n_programs {
+                    let rprog = &*(*router).programs.add(p);
+                    if CStr::from_ptr(rprog.name) == CStr::from_ptr(target_program) {
+                        found = true;
+                        let alive =
+                            rprog.daemon_pid > 0 && libc::kill(rprog.daemon_pid, 0) == 0;
+                        let prog_str = CStr::from_ptr(rprog.name).to_string_lossy();
+                        let body = if alive {
+                            serde_json::json!({
+                                "status": "ok",
+                                "program": prog_str.as_ref(),
+                            }).to_string()
+                        } else {
+                            resp_status = 503;
+                            serde_json::json!({
+                                "status": "error",
+                                "program": prog_str.as_ref(),
+                                "error": "daemon not running",
+                            }).to_string()
+                        };
+                        let c = CString::new(body.as_str()).unwrap_or_default();
+                        http_write_response(
+                            client_fd,
+                            resp_status,
+                            ct.as_ptr() as *const c_char,
+                            c.as_ptr(),
+                            body.len(),
+                        );
+                        break;
+                    }
+                }
+                if !found {
+                    resp_status = 404;
+                    let body = b"{\"status\":\"error\",\"error\":\"Unknown program\"}\0";
+                    http_write_response(
+                        client_fd,
+                        404,
+                        ct.as_ptr() as *const c_char,
+                        body.as_ptr() as *const c_char,
+                        body.len() - 1,
+                    );
+                }
+            } else if (*dreq).method == DaemonMethod::Discover {
                 let mut found = false;
                 for p in 0..(*router).n_programs {
                     let rprog = &*(*router).programs.add(p);