Guard public channel readiness in systemd tooling

docs/healthchecks.md

@@ -132,12 +132,15 @@ Useful direct flags:
 Operational CLI:
 
 ```bash
+metinctl public-ready
 metinctl healthcheck --mode full
 metinctl healthcheck --mode ready
 metinctl wait-ready
 ```
 
-`metinctl wait-ready` now uses the lighter `ready` mode on purpose. The deeper `full` mode remains available as an explicit admin healthcheck.
+`metinctl public-ready` verifies that every enabled client-visible public channel unit is active and that its declared listener port is actually up.
+
+`metinctl wait-ready` now first waits for the public runtime to be up and only then runs the lighter `ready` login probe. The deeper `full` mode remains available as an explicit admin healthcheck.
 
 Example negative auth test:
 

docs/server-management.md

@@ -41,6 +41,7 @@ The Debian deployment installs:
 - listing managed units
 - checking service status
 - listing declared ports
+- verifying that enabled public client-facing channels are actually up
 - listing recent auth failures
 - listing recent login sessions
 - listing stale open sessions without logout
@@ -78,6 +79,12 @@ Show declared ports and whether they are currently listening:
 metinctl ports --live
 ```
 
+Verify that enabled client-visible public channels are active and listening:
+
+```bash
+metinctl public-ready
+```
+
 Show recent real auth failures and skip smoke-test logins:
 
 ```bash
@@ -219,6 +226,7 @@ It also reconciles enabled game instance units against the selected channels:
 - selected game units are enabled
 - stale game units are disabled
 - if `--restart` is passed, stale game units are disabled with `--now`
+- installs now refuse an auth/internal-only channel selection unless you pass `--allow-internal-only`
 
 This makes channel enablement declarative instead of depending on whatever happened to be enabled previously.