chore(deploy): wire OIDC runtime configuration

scripts/validate-env.sh

@@ -25,7 +25,7 @@ warnings=0
 
 log_error() {
     echo -e "${RED}✗${NC} $1"
-    ((errors++))
+    errors=$((errors + 1))
 }
 
 log_success() {
@@ -34,7 +34,7 @@ log_success() {
 
 log_warning() {
     echo -e "${YELLOW}⚠${NC} $1"
-    ((warnings++))
+    warnings=$((warnings + 1))
 }
 
 check_symlink() {
@@ -131,6 +131,21 @@ if [ -f "$SHARED_BACKEND_ENV" ]; then
     check_var "$SHARED_BACKEND_ENV" "GEMINI_API_KEY"
     check_var "$SHARED_BACKEND_ENV" "LOG_LEVEL" true
     check_var "$SHARED_BACKEND_ENV" "CORS_ORIGINS" true
+
+    # OIDC Configuration
+    check_var "$SHARED_BACKEND_ENV" "OIDC_ISSUER"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_CLIENT_ID"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_DISCOVERY_URL"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_ADMIN_GROUPS"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_MEMBER_GROUPS"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_JWKS_CACHE_TTL_SECONDS" true
+
+    # Bootstrap Admin (Optional, used for initial setup)
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_ADMIN_OIDC_ISSUER" true
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_ADMIN_OIDC_SUB" true
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_ADMIN_EMAIL" true
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_ADMIN_NAME" true
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_HOUSEHOLD_NAME" true
 fi
 
 echo ""
@@ -138,6 +153,12 @@ echo "=== Validating Frontend Environment Variables ==="
 if [ -f "$SHARED_FRONTEND_ENV" ]; then
     check_var "$SHARED_FRONTEND_ENV" "PUBLIC_API_BASE"
     check_var "$SHARED_FRONTEND_ENV" "ORIGIN"
+
+    # Session and OIDC
+    check_var "$SHARED_FRONTEND_ENV" "SESSION_SECRET"
+    check_var "$SHARED_FRONTEND_ENV" "OIDC_ISSUER"
+    check_var "$SHARED_FRONTEND_ENV" "OIDC_CLIENT_ID"
+    check_var "$SHARED_FRONTEND_ENV" "OIDC_DISCOVERY_URL"
 fi
 
 echo ""