feat(phase-4): WS1 — Production Hardening (Redis rate limiting, DB pool, health endpoint, k6)

Rate limiting:
- Replace in-memory express-rate-limit with ioredis + rate-limiter-flexible (sliding window)
- Graceful fallback to RateLimiterMemory when Redis unreachable
- RATE_LIMIT_WINDOW_MS / RATE_LIMIT_MAX_REQUESTS env var config
- Retry-After header on 429 responses
- agentidp_rate_limit_hits_total Prometheus counter

Database pool:
- Explicit pg.Pool config via DB_POOL_MAX/MIN/IDLE_TIMEOUT_MS/CONNECTION_TIMEOUT_MS
- Defaults: max=20, min=2, idle=30s, conn timeout=5s
- agentidp_db_pool_active_connections + agentidp_db_pool_waiting_requests gauges

Health endpoint:
- GET /health/detailed — per-service status (database, Redis, Vault, OPA)
- healthy / degraded (>1000ms) / unreachable classification
- HTTP 200 (all healthy) / 207 (any degraded) / 503 (any unreachable)

Load tests:
- tests/load/ with k6 scenarios for agent registration (100 VUs), token issuance (1000 VUs), credential rotation (50 VUs)
- npm run load-test script

Tests: 586 passing, zero TypeScript errors

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/unit/metrics/registry.test.ts

@@ -16,6 +16,9 @@ import {
   redisCommandDurationSeconds,
   credentialsExpiringSoonTotal,
   auditChainIntegrity,
+  rateLimitHitsTotal,
+  dbPoolActiveConnections,
+  dbPoolWaitingRequests,
 } from '../../../src/metrics/registry';
 
 describe('metricsRegistry', () => {
@@ -30,9 +33,9 @@ describe('metricsRegistry', () => {
     expect(metricsRegistry).not.toBe(register);
   });
 
-  it('contains exactly 9 metric entries', async () => {
+  it('contains exactly 12 metric entries', async () => {
     const entries = await metricsRegistry.getMetricsAsJSON();
-    expect(entries).toHaveLength(9);
+    expect(entries).toHaveLength(12);
   });
 
   // ──────────────────────────────────────────────────────────────────
@@ -48,6 +51,9 @@ describe('metricsRegistry', () => {
     'agentidp_webhook_dead_letters_total',
     'agentidp_credentials_expiring_soon_total',
     'agentidp_audit_chain_integrity',
+    'agentidp_rate_limit_hits_total',
+    'agentidp_db_pool_active_connections',
+    'agentidp_db_pool_waiting_requests',
   ])('registers metric "%s"', async (metricName) => {
     const entries = await metricsRegistry.getMetricsAsJSON();
     const names = entries.map((e) => e.name);
@@ -159,4 +165,39 @@ describe('metricsRegistry', () => {
       expect(() => auditChainIntegrity.set(0)).not.toThrow();
     });
   });
+
+  describe('rateLimitHitsTotal', () => {
+    it('has name agentidp_rate_limit_hits_total', () => {
+      const metric = rateLimitHitsTotal as unknown as { name: string };
+      expect(metric.name).toBe('agentidp_rate_limit_hits_total');
+    });
+
+    it('increments with endpoint label without throwing', () => {
+      expect(() =>
+        rateLimitHitsTotal.inc({ endpoint: '/api/v1/agents' }),
+      ).not.toThrow();
+    });
+  });
+
+  describe('dbPoolActiveConnections', () => {
+    it('has name agentidp_db_pool_active_connections', () => {
+      const metric = dbPoolActiveConnections as unknown as { name: string };
+      expect(metric.name).toBe('agentidp_db_pool_active_connections');
+    });
+
+    it('can be set without throwing', () => {
+      expect(() => dbPoolActiveConnections.set(5)).not.toThrow();
+    });
+  });
+
+  describe('dbPoolWaitingRequests', () => {
+    it('has name agentidp_db_pool_waiting_requests', () => {
+      const metric = dbPoolWaitingRequests as unknown as { name: string };
+      expect(metric.name).toBe('agentidp_db_pool_waiting_requests');
+    });
+
+    it('can be set without throwing', () => {
+      expect(() => dbPoolWaitingRequests.set(2)).not.toThrow();
+    });
+  });
 });