chore(deploy): wire OIDC runtime configuration

scripts/healthcheck.sh

@@ -25,13 +25,27 @@ log() {
 check_service() {
     local service_name=$1
     local url=$2
+    local allow_redirect=${3:-false}
     
     if systemctl is-active --quiet "$service_name"; then
-        if curl -sf --max-time "$TIMEOUT" "$url" > /dev/null 2>&1; then
+        local curl_opts="-s --max-time $TIMEOUT"
+        if [ "$allow_redirect" = false ]; then
+            curl_opts="$curl_opts -f"
+        fi
+
+        if curl $curl_opts "$url" > /dev/null 2>&1; then
             log "${GREEN}✓${NC} $service_name is healthy"
             return 0
         else
-            log "${YELLOW}⚠${NC} $service_name is running but not responding at $url"
+            # If allow_redirect is true, we check if it's a 302
+            if [ "$allow_redirect" = true ]; then
+                local status=$(curl -s -o /dev/null -w "%{http_code}" --max-time "$TIMEOUT" "$url")
+                if [ "$status" = "302" ] || [ "$status" = "303" ] || [ "$status" = "307" ] || [ "$status" = "200" ]; then
+                    log "${GREEN}✓${NC} $service_name is healthy (status $status)"
+                    return 0
+                fi
+            fi
+            log "${YELLOW}⚠${NC} $service_name is running but not responding correctly at $url"
             return 1
         fi
     else
@@ -45,8 +59,10 @@ backend_ok=0
 frontend_ok=0
 worker_ok=0
 
+# Backend health-check is public and should return 200
 check_service "innercontext" "$BACKEND_URL" || backend_ok=1
-check_service "innercontext-node" "$FRONTEND_URL" || frontend_ok=1
+# Frontend root may redirect to login (302)
+check_service "innercontext-node" "$FRONTEND_URL" true || frontend_ok=1
 
 # Worker doesn't have HTTP endpoint, just check if it's running
 if systemctl is-active --quiet "innercontext-pricing-worker"; then

scripts/validate-env.sh

@@ -25,7 +25,7 @@ warnings=0
 
 log_error() {
     echo -e "${RED}✗${NC} $1"
-    ((errors++))
+    errors=$((errors + 1))
 }
 
 log_success() {
@@ -34,7 +34,7 @@ log_success() {
 
 log_warning() {
     echo -e "${YELLOW}⚠${NC} $1"
-    ((warnings++))
+    warnings=$((warnings + 1))
 }
 
 check_symlink() {
@@ -131,6 +131,21 @@ if [ -f "$SHARED_BACKEND_ENV" ]; then
     check_var "$SHARED_BACKEND_ENV" "GEMINI_API_KEY"
     check_var "$SHARED_BACKEND_ENV" "LOG_LEVEL" true
     check_var "$SHARED_BACKEND_ENV" "CORS_ORIGINS" true
+
+    # OIDC Configuration
+    check_var "$SHARED_BACKEND_ENV" "OIDC_ISSUER"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_CLIENT_ID"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_DISCOVERY_URL"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_ADMIN_GROUPS"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_MEMBER_GROUPS"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_JWKS_CACHE_TTL_SECONDS" true
+
+    # Bootstrap Admin (Optional, used for initial setup)
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_ADMIN_OIDC_ISSUER" true
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_ADMIN_OIDC_SUB" true
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_ADMIN_EMAIL" true
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_ADMIN_NAME" true
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_HOUSEHOLD_NAME" true
 fi
 
 echo ""
@@ -138,6 +153,12 @@ echo "=== Validating Frontend Environment Variables ==="
 if [ -f "$SHARED_FRONTEND_ENV" ]; then
     check_var "$SHARED_FRONTEND_ENV" "PUBLIC_API_BASE"
     check_var "$SHARED_FRONTEND_ENV" "ORIGIN"
+
+    # Session and OIDC
+    check_var "$SHARED_FRONTEND_ENV" "SESSION_SECRET"
+    check_var "$SHARED_FRONTEND_ENV" "OIDC_ISSUER"
+    check_var "$SHARED_FRONTEND_ENV" "OIDC_CLIENT_ID"
+    check_var "$SHARED_FRONTEND_ENV" "OIDC_DISCOVERY_URL"
 fi
 
 echo ""