# Post-Deploy Smoketest Script

## Context

After deploying security hardening changes (Redis auth, NetworkPolicies, CORS restrictions, security headers, ownership validation, SSRF protection, credential fallback removal), we need a smoketest to verify that the deployed services still function correctly and that the security controls are active.

The existing `test_raw_dose_live.sh` provides the pattern: curl + jq, colored output, exit 1 on failure.

## Approach

Create a shell script `health/services/smoketest.sh` that tests the live deployed services. It follows the `test_raw_dose_live.sh` pattern. Not a K8s Job -- a script you run locally after deploying.

## File

- `health/services/smoketest.sh` (new)

## Test Sections

**1. Service availability (5 tests):**

- API health endpoint returns `status: ok` with `redis_connection: connected`
- Web frontend returns HTTP 302
- Heartbeat returns HTTP 200
- Public `/v1/substances` returns 200 without auth
- API docs at `/v1/` return 200 without auth

**2. Authentication enforcement (3 tests):**

- Protected endpoint `/v1/metrics/substances` returns 401 without credentials
- Returns 200 with valid Basic Auth
- Returns 401 with wrong password

**3. Security headers (4 tests):**

- `X-Frame-Options: DENY` present on API response
- `X-Content-Type-Options: nosniff` present
- `Strict-Transport-Security` present
- `Content-Security-Policy` present

**4. CORS restrictions (2 tests):**

- Request with `Origin: https://josie.health` returns matching ACAO header
- Request with `Origin: https://evil.com` does NOT return ACAO header

**5. Data flow (2 tests):**

- `GET /v1/metrics/substances` returns JSON with `data` array
- `GET /v1/substances/caffeine/info` returns substance info

## Design Details

- Reads `API_URL`, `WEB_URL`, `HEARTBEAT_URL`, `API_AUTH` from env with sensible defaults
- Groups tests with section headers
- `check_status` helper: curl URL, assert HTTP status code
- `check_header` helper: curl URL, assert response header present/value
- `check_json` helper: curl URL, assert jq expression is truthy
- All curl calls use `--connect-timeout 5 -s`
- Summary at end with pass/fail counts
- Exits 1 if any test failed

## Verification

```bash
cd health/services
chmod +x smoketest.sh
API_AUTH="admin:" ./smoketest.sh
```
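The following is an added example of the script the plan describes; it is not the project's own `smoketest.sh` or `test_raw_dose_live.sh`. It assumes a health endpoint at `/health`, placeholder default URLs (the real defaults are not given above), and that `API_AUTH` has the form `user:password` so the wrong-password test can reuse the user part. The assertion logic (`header_value`, `expect_status`, `expect_header`, `expect_no_header`) is separated from the curl calls so it can be exercised without a network; the suite itself runs only when the file is executed as `smoketest.sh`.

```shell
#!/bin/sh
# Added example implementing the plan above; not the project's own script.
# Assumed: health endpoint path /health, placeholder default URLs, and that
# API_AUTH is "user:password" (the wrong-password test reuses its user part).
set -u

API_URL="${API_URL:-https://api.example.invalid}"            # placeholder default
WEB_URL="${WEB_URL:-https://app.example.invalid}"            # placeholder default
HEARTBEAT_URL="${HEARTBEAT_URL:-https://hb.example.invalid}" # placeholder default
API_AUTH="${API_AUTH:-admin:}"
CURL="curl -s --connect-timeout 5 --max-time 15"
PASS=0; FAIL=0

pass() { PASS=$((PASS + 1)); printf '  \033[32mPASS\033[0m %s\n' "$1"; }
fail() { FAIL=$((FAIL + 1)); printf '  \033[31mFAIL\033[0m %s (%s)\n' "$1" "$2"; }
section() { printf '\n== %s ==\n' "$1"; }

# --- pure assertion helpers (no network), so the logic can be unit-tested ---

# header_value HEADERS NAME: print NAME's value (case-insensitive), empty if absent
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v n="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    BEGIN { FS = ": *" }
    tolower($1) == n { sub(/^[^:]*: */, ""); print; exit }'
}
# expect_status LABEL EXPECTED ACTUAL
expect_status() {
  [ "$3" = "$2" ] && { pass "$1"; return 0; }
  fail "$1" "expected HTTP $2, got ${3:-none}"; return 1
}
# expect_header LABEL HEADERS NAME [VALUE]: header present, and equal to VALUE if given
expect_header() {
  v=$(header_value "$2" "$3")
  [ -n "$v" ] || { fail "$1" "$3 missing"; return 1; }
  if [ $# -ge 4 ] && [ "$v" != "$4" ]; then fail "$1" "$3 is '$v', want '$4'"; return 1; fi
  pass "$1"
}
# expect_no_header LABEL HEADERS NAME
expect_no_header() {
  [ -z "$(header_value "$2" "$3")" ] || { fail "$1" "$3 unexpectedly present"; return 1; }
  pass "$1"
}

# --- network checks built on the helpers above ---

# check_status LABEL EXPECTED URL [extra curl args]
check_status() {
  label=$1; want=$2; url=$3; shift 3
  expect_status "$label" "$want" "$($CURL -o /dev/null -w '%{http_code}' "$@" "$url")"
}
# check_header LABEL URL NAME [VALUE]
check_header() {
  label=$1; url=$2; name=$3; shift 3
  expect_header "$label" "$($CURL -D - -o /dev/null "$url")" "$name" "$@"
}
# check_json LABEL URL JQ_EXPR [extra curl args]: jq expression must be truthy
check_json() {
  label=$1; url=$2; expr=$3; shift 3
  if $CURL "$@" "$url" | jq -e "$expr" >/dev/null 2>&1; then pass "$label"
  else fail "$label" "jq '$expr' not truthy"; fi
}

main() {
  section "Service availability"
  check_json "API health" "$API_URL/health" '.status == "ok" and .redis_connection == "connected"'
  check_status "Web frontend" 302 "$WEB_URL"
  check_status "Heartbeat" 200 "$HEARTBEAT_URL"
  check_status "Public substances without auth" 200 "$API_URL/v1/substances"
  check_status "API docs without auth" 200 "$API_URL/v1/"
  section "Authentication enforcement"
  check_status "Protected endpoint, no credentials" 401 "$API_URL/v1/metrics/substances"
  check_status "Protected endpoint, valid Basic Auth" 200 "$API_URL/v1/metrics/substances" -u "$API_AUTH"
  check_status "Protected endpoint, wrong password" 401 "$API_URL/v1/metrics/substances" -u "${API_AUTH%%:*}:wrong-password"
  section "Security headers"
  check_header "X-Frame-Options" "$API_URL/v1/substances" X-Frame-Options DENY
  check_header "X-Content-Type-Options" "$API_URL/v1/substances" X-Content-Type-Options nosniff
  check_header "Strict-Transport-Security" "$API_URL/v1/substances" Strict-Transport-Security
  check_header "Content-Security-Policy" "$API_URL/v1/substances" Content-Security-Policy
  section "CORS restrictions"
  h=$($CURL -D - -o /dev/null -H 'Origin: https://josie.health' "$API_URL/v1/substances")
  expect_header "Allowed origin gets ACAO" "$h" Access-Control-Allow-Origin https://josie.health
  h=$($CURL -D - -o /dev/null -H 'Origin: https://evil.com' "$API_URL/v1/substances")
  expect_no_header "Unknown origin gets no ACAO" "$h" Access-Control-Allow-Origin
  section "Data flow"
  check_json "Metrics returns data array" "$API_URL/v1/metrics/substances" '.data | type == "array"' -u "$API_AUTH"
  check_json "Caffeine info" "$API_URL/v1/substances/caffeine/info" 'type == "object" and length > 0'
  printf '\n%d passed, %d failed\n' "$PASS" "$FAIL"
  [ "$FAIL" -eq 0 ]
}

# Run the suite only when executed as smoketest.sh; sourcing just loads the helpers.
case "${0##*/}" in smoketest.sh) main "$@" ;; esac
```

The CORS checks deliberately bypass `check_header` because they need an extra `-H 'Origin: ...'` on the request; the negative case asserts the header is absent rather than merely different, since an `Access-Control-Allow-Origin` echoing an unknown origin is exactly the regression the hardening is meant to prevent. The final `[ "$FAIL" -eq 0 ]` is `main`'s return value, so the script's exit status is 1 whenever any test failed.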