fix: fail-fast config validation and post-deploy smoke test

.github/workflows/deploy.yml

@@ -80,6 +80,22 @@ jobs:
           app-name: ${{ secrets.AZURE_WEBAPP_NAME }}
           package: dist
 
+      - name: Smoke test
+        run: |
+          url="https://${{ secrets.AZURE_WEBAPP_NAME }}.azurewebsites.net/health/live"
+          echo "Smoke testing $url"
+          for i in 1 2 3 4 5; do
+            status=$(curl -s -o /dev/null -w "%{http_code}" "$url")
+            echo "Attempt $i: HTTP $status"
+            if [ "$status" = "200" ]; then
+              echo "Smoke test passed"
+              exit 0
+            fi
+            sleep 15
+          done
+          echo "Smoke test failed — last status was $status"
+          exit 1
+
       # NOTE: Database migrations are not run automatically here.
       # If you use EF Core migrations, consider adding a step like:
       #   dotnet ef database update --project apps/api/Api

apps/api/Api/Api.csproj

@@ -5,6 +5,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="AspNetCore.HealthChecks.SqlServer" Version="9.0.0" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.5" />
     <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="10.0.2" />
     <PackageReference Include="Microsoft.AspNetCore.SpaServices.Extensions" Version="10.0.2" />

apps/api/Api/Program.cs

@@ -1,5 +1,7 @@
 using System;
+using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Text;
 using System.Threading.RateLimiting;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
@@ -29,6 +31,19 @@
     builder.Configuration["Jwt:Key"] = envJwtKey;
 }
 
+// Fail fast: refuse to start if any required config is absent.
+// This surfaces missing env vars immediately in logs rather than as
+// cryptic 500s at runtime.
+var requiredConfig = new[] { "Jwt:Key", "Jwt:Issuer", "Jwt:Audience" };
+var missingConfig = requiredConfig
+  .Where(key => string.IsNullOrEmpty(builder.Configuration[key]))
+  .ToList();
+if (missingConfig.Count > 0)
+  throw new InvalidOperationException(
+    $"Required configuration values are missing: {string.Join(", ", missingConfig)}. " +
+    "Set them as environment variables (e.g. JWT_KEY, Jwt__Issuer, Jwt__Audience) before starting the application."
+  );
+
 builder.Services
   .AddAuthentication(options =>
   {
@@ -69,6 +84,13 @@
 
 builder.Services.AddScoped<TokenService>();
 
+var connectionString = builder.Environment.IsDevelopment()
+  ? builder.Configuration.GetConnectionString("AZURE_SQL_CONNECTIONSTRING")
+  : Environment.GetEnvironmentVariable("AZURE_SQL_CONNECTIONSTRING");
+
+builder.Services.AddHealthChecks()
+  .AddSqlServer(connectionString!, name: "sql", tags: ["ready"]);
+
 builder.Services.AddEndpointsApiExplorer();
 
 builder.Services.AddSwaggerGen(c =>
@@ -163,6 +185,15 @@
 
 app.MapControllers();
 
+// Liveness: app process is up — used by deploy smoke test.
+app.MapHealthChecks("/health/live", new Microsoft.AspNetCore.Diagnostics.HealthChecks.HealthCheckOptions
+{
+  Predicate = _ => false, // exclude all tagged checks (e.g. SQL)
+});
+
+// Readiness: app + dependencies (DB) — used for monitoring.
+app.MapHealthChecks("/health/ready");
+
 // Custom JWT auth endpoints: login / refresh / logout
 app.MapAuthEndpoints(app.Environment.IsDevelopment());