fix(#4): re-enable connection watchdog with env-flag opt-out

Calls `relayConnectionWatchdog` (introduced in the previous commit) at
the end of admin-interface connect(). Gated by NSEC_BUNKER_DISABLE_WATCHDOG=1
for operators who run external liveness checks (Prometheus probes, k8s
readiness, etc.) and don't want the daemon to self-terminate.

This restores the watchdog behavior that was commented out in commit
42dbbd7 (the emergency stopgap for the old self-echo false positives),
but on top of the now-reliable pool-status mechanism.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/daemon/admin/index.ts

@@ -168,12 +168,17 @@ class AdminInterface {
                 this.handleRequest(req);
             });
 
-            // pingOrDie disabled — NDK 2.8.1 outbox model doesn't echo
-            // self-published events back through subscriptions on
-            // non-public relay channels, so the watchdog fires false
-            // positives and exits the bunker every 50s on private relays.
-            // See aiolabs/nsecbunkerd#4 + #7.
-            // pingOrDie(this.ndk);
+            // Connection watchdog: exit if pool reports no connected relays
+            // for >60s so the process supervisor (systemd / docker restart
+            // policy / k8s) can recover. Replaces the original self-echo
+            // pingOrDie — see relayConnectionWatchdog comment + #4 + #7.
+            // Operators with external liveness checking can disable via
+            // NSEC_BUNKER_DISABLE_WATCHDOG=1.
+            if (process.env.NSEC_BUNKER_DISABLE_WATCHDOG !== '1') {
+                relayConnectionWatchdog(this.ndk);
+            } else {
+                console.log('⏸  watchdog disabled via NSEC_BUNKER_DISABLE_WATCHDOG=1');
+            }
         }).catch((err) => {
             console.log('❌ admin connection failed');
             console.log(err);