#!/usr/bin/env bash set -euo pipefail ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)" ENV_FILE="${1:-$ROOT_DIR/.env.production}" TIMEOUT_SECONDS="${OPS_SMOKE_TIMEOUT_SECONDS:-15}" INSECURE_TLS="${OPS_SMOKE_INSECURE_TLS:-0}" VERIFY_HTTP_REDIRECT="${VERIFY_HTTP_REDIRECT:-1}" if [[ "${1:-}" == "--help" || "${1:-}" == "-h" ]]; then cat <<'USAGE' Usage: scripts/ops/smoke-prod.sh [env-file] Examples: scripts/ops/smoke-prod.sh OPS_SMOKE_INSECURE_TLS=1 scripts/ops/smoke-prod.sh .env.production Checks: - Public homepage responds with 2xx/3xx - /v1/health returns {"ok":true} - Security headers exist on public response - Optional HTTP->HTTPS redirect validation for PUBLIC_DOMAIN USAGE exit 0 fi if [[ ! -f "$ENV_FILE" ]]; then echo "[error] env file not found: $ENV_FILE" >&2 exit 1 fi node "$ROOT_DIR/scripts/check-production-env.mjs" "$ENV_FILE" read_env_value() { local key="$1" local file="$2" local value value="$( awk -F '=' -v k="$key" ' /^[[:space:]]*#/ { next } /^[[:space:]]*$/ { next } { line=$0 gsub(/^[[:space:]]+|[[:space:]]+$/, "", line) if (index(line, "export ") == 1) { sub(/^export[[:space:]]+/, "", line) } split(line, parts, "=") if (parts[1] == k) { val=substr(line, index(line, "=") + 1) gsub(/^[[:space:]]+|[[:space:]]+$/, "", val) if ((substr(val,1,1) == "\"" && substr(val,length(val),1) == "\"") || (substr(val,1,1) == "'"'"'" && substr(val,length(val),1) == "'"'"'")) { val=substr(val, 2, length(val)-2) } print val exit } } ' "$file" )" printf '%s' "$value" } PUBLIC_URL="$(read_env_value PUBLIC_URL "$ENV_FILE")" PUBLIC_DOMAIN="$(read_env_value PUBLIC_DOMAIN "$ENV_FILE")" if [[ -z "$PUBLIC_URL" || -z "$PUBLIC_DOMAIN" ]]; then echo "[error] missing PUBLIC_URL or PUBLIC_DOMAIN in $ENV_FILE" >&2 exit 1 fi curl_args=(-fsS --max-time "$TIMEOUT_SECONDS") if [[ "$INSECURE_TLS" == "1" || "$INSECURE_TLS" == "true" ]]; then curl_args+=(-k) fi echo "[step] checking homepage status..." home_status="$(curl "${curl_args[@]}" -o /dev/null -w '%{http_code}' "$PUBLIC_URL/")" if [[ ! "$home_status" =~ ^(2|3)[0-9]{2}$ ]]; then echo "[error] homepage status is $home_status (expected 2xx/3xx)" >&2 exit 1 fi echo "[step] checking API health payload..." health_payload="$(curl "${curl_args[@]}" "$PUBLIC_URL/v1/health")" node -e ' const payload = JSON.parse(process.argv[1]); if (!payload || payload.ok !== true) { console.error("[error] /v1/health did not return ok=true"); process.exit(1); } ' "$health_payload" echo "[step] checking security headers..." headers="$(curl "${curl_args[@]}" -D - -o /dev/null "$PUBLIC_URL/")" for expected_header in "strict-transport-security" "x-content-type-options" "x-frame-options" "referrer-policy"; do if ! printf '%s\n' "$headers" | tr '[:upper:]' '[:lower:]' | grep -q "^${expected_header}:"; then echo "[error] missing security header: $expected_header" >&2 exit 1 fi done if [[ "$VERIFY_HTTP_REDIRECT" == "1" || "$VERIFY_HTTP_REDIRECT" == "true" ]]; then echo "[step] checking HTTP->HTTPS redirect..." redirect_headers="$(curl -sS --max-time "$TIMEOUT_SECONDS" -D - -o /dev/null "http://$PUBLIC_DOMAIN/" || true)" redirect_status="$(printf '%s\n' "$redirect_headers" | awk 'NR==1 {print $2}')" redirect_location="$(printf '%s\n' "$redirect_headers" | awk 'BEGIN{IGNORECASE=1} /^Location:/ {sub(/\r$/, "", $2); print $2; exit}')" if [[ "$redirect_status" != "301" && "$redirect_status" != "302" && "$redirect_status" != "307" && "$redirect_status" != "308" ]]; then echo "[error] expected redirect status from http://$PUBLIC_DOMAIN but got '$redirect_status'" >&2 exit 1 fi if [[ "$redirect_location" != https://"$PUBLIC_DOMAIN"* ]]; then echo "[error] expected redirect location to https://$PUBLIC_DOMAIN but got '$redirect_location'" >&2 exit 1 fi fi echo "[ok] production smoke checks passed for $PUBLIC_URL"