hotfix: close frontend 500 incident with runtime and APIM safeguards (#198)

* hotfix: close frontend 500 incident with runtime and APIM safeguards

* hardening: prevent frontend 500 recurrence across infra and deploy

- add deploy guardrails (ACR preflight, CRUD /ready gate, deterministic SWA selection)

- align Helm render hooks and chart availability controls (strategy, spread, PDB)

- stabilize CRUD Postgres auth env generation and defaults with explicit mode handling

- harden UI API base-url fallback resolution and proxy error coverage

- document incident hardening plan and runtime resilience updates

* fix: address PR review findings on readiness and proxy leakage

- allow /ready postgres check to recover from stale startup init errors

- add readiness recovery unit coverage for stale init-error path

- sanitize proxy 502 payloads by removing raw upstream error detail

- keep diagnostics server-side via structured error logging

* docs: finalize incident #198 architecture and guardrail documentation

- add implementation-closure and operational guardrails summary

- document readiness recovery follow-up and auth-mode contract

- align UI proxy docs with sanitized error payload behavior

- record roadmap closure status and residual hardening items

* hotfix: finalize truth-export compatibility and executive notebook updates

Author: Cataldir

.github/workflows/deploy-azd.yml

@@ -7,26 +7,114 @@ on:
         description: Target GitHub environment
         required: true
         default: dev
-      apiUrl:
-        description: Public API base URL used by the UI build
+      projectName:
+        description: Project prefix used by naming convention
         required: true
-        default: https://apim-holidaypeakhub405-dev.azure-api.net
+        default: holidaypeakhub
+      apiUrl:
+        description: Optional API base URL override (must match APIM gateway URL for drift safety)
+        required: false
+        default: ''
 
 permissions:
+  id-token: write
   contents: read
 
+concurrency:
+  group: deploy-ui-swa-${{ inputs.environment }}
+  cancel-in-progress: false
+
 jobs:
   deploy-ui:
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment }}
+    env:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
     steps:
       - uses: actions/checkout@v4
 
+      - name: Azure login (OIDC)
+        uses: azure/login@v2
+        with:
+          client-id: ${{ env.AZURE_CLIENT_ID }}
+          tenant-id: ${{ env.AZURE_TENANT_ID }}
+          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
 
+      - name: Resolve and validate API URL
+        id: api
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          RESOURCE_GROUP="${{ inputs.projectName }}-${{ inputs.environment }}-rg"
+
+          APIM_URL=$(az apim show \
+            --name "${{ inputs.projectName }}-${{ inputs.environment }}-apim" \
+            --resource-group "$RESOURCE_GROUP" \
+            --query "gatewayUrl" -o tsv)
+
+          APIM_URL="$(echo "$APIM_URL" | xargs)"
+          APIM_URL="${APIM_URL%/}"
+
+          if [ -z "$APIM_URL" ]; then
+            echo "Failed to resolve APIM gateway URL for environment '${{ inputs.environment }}'." >&2
+            exit 1
+          fi
+
+          RESOLVED_API_URL="$APIM_URL"
+
+          if [ -n "${{ inputs.apiUrl }}" ]; then
+            OVERRIDE_API_URL="$(echo "${{ inputs.apiUrl }}" | xargs)"
+            OVERRIDE_API_URL="${OVERRIDE_API_URL%/}"
+
+            if [ "$OVERRIDE_API_URL" != "$APIM_URL" ]; then
+              echo "apiUrl override drift detected. Provided URL does not match live APIM gateway URL." >&2
+              echo "Provided: $OVERRIDE_API_URL" >&2
+              echo "Expected: $APIM_URL" >&2
+              exit 1
+            fi
+
+            RESOLVED_API_URL="$OVERRIDE_API_URL"
+          fi
+
+          if [ -z "$RESOLVED_API_URL" ]; then
+            echo "Could not resolve API URL from APIM." >&2
+            exit 1
+          fi
+
+          echo "api_url=$RESOLVED_API_URL" >> "$GITHUB_OUTPUT"
+          echo "crud_api_url=$RESOLVED_API_URL" >> "$GITHUB_OUTPUT"
+
+      - name: Smoke test APIM health before UI deploy
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          API_BASE_URL="${{ steps.api.outputs.api_url }}"
+          API_BASE_URL="${API_BASE_URL%/}"
+
+          smoke_endpoint() {
+            local url="$1"
+            local label="$2"
+            STATUS_CODE=$(curl -sS -o /tmp/ui-only-api-health.json -w "%{http_code}" "$url" || true)
+            if [ "$STATUS_CODE" != "200" ]; then
+              echo "$label check failed before UI deployment with HTTP $STATUS_CODE at $url" >&2
+              cat /tmp/ui-only-api-health.json 2>/dev/null || true
+              exit 1
+            fi
+          }
+
+          smoke_endpoint "${API_BASE_URL}/api/health" "APIM health"
+          smoke_endpoint "${API_BASE_URL}/api/products?limit=1" "Products"
+          smoke_endpoint "${API_BASE_URL}/api/categories" "Categories"
+
       - name: Deploy UI to Azure Static Web Apps
         uses: Azure/static-web-apps-deploy@v1
         with:
@@ -37,5 +125,78 @@ jobs:
           skip_api_build: true
           app_build_command: yarn install --frozen-lockfile && yarn build
         env:
-          NEXT_PUBLIC_API_URL: ${{ inputs.apiUrl }}
-          NEXT_PUBLIC_CRUD_API_URL: ${{ inputs.apiUrl }}
+          NEXT_PUBLIC_API_URL: ${{ steps.api.outputs.api_url }}
+          NEXT_PUBLIC_CRUD_API_URL: ${{ steps.api.outputs.crud_api_url }}
+
+      - name: Smoke test UI host and API health after deploy
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          RESOURCE_GROUP="${{ inputs.projectName }}-${{ inputs.environment }}-rg"
+          EXPECTED_SWA_NAME="${{ inputs.projectName }}-ui-${{ inputs.environment }}"
+          SWA_NAME=""
+
+          if az staticwebapp show --name "$EXPECTED_SWA_NAME" --resource-group "$RESOURCE_GROUP" >/dev/null 2>&1; then
+            SWA_NAME="$EXPECTED_SWA_NAME"
+          else
+            SWA_NAME=$(az staticwebapp list \
+              --resource-group "$RESOURCE_GROUP" \
+              --query "[?starts_with(defaultHostname, '${EXPECTED_SWA_NAME}.')].name | [0]" -o tsv)
+
+            if [ -z "$SWA_NAME" ]; then
+              COUNT=$(az staticwebapp list --resource-group "$RESOURCE_GROUP" --query "length(@)" -o tsv)
+              if [ "$COUNT" = "1" ]; then
+                SWA_NAME=$(az staticwebapp list --resource-group "$RESOURCE_GROUP" --query "[0].name" -o tsv)
+              fi
+            fi
+          fi
+
+          SWA_NAME="$(echo "$SWA_NAME" | xargs)"
+          if [ -z "$SWA_NAME" ]; then
+            echo "Could not deterministically resolve Static Web App in resource group $RESOURCE_GROUP." >&2
+            echo "Expected name: $EXPECTED_SWA_NAME" >&2
+            exit 1
+          fi
+
+          SWA_HOSTNAME=$(az staticwebapp show \
+            --name "$SWA_NAME" \
+            --resource-group "$RESOURCE_GROUP" \
+            --query "defaultHostname" -o tsv)
+
+          SWA_HOSTNAME="$(echo "$SWA_HOSTNAME" | xargs)"
+          if [ -z "$SWA_HOSTNAME" ]; then
+            echo "Could not resolve Static Web App hostname for $SWA_NAME." >&2
+            exit 1
+          fi
+
+          UI_URL="https://$SWA_HOSTNAME"
+          STATUS_CODE=$(curl -sS -o /tmp/ui-only-homepage.html -w "%{http_code}" "$UI_URL" || true)
+          if [ "$STATUS_CODE" != "200" ]; then
+            echo "UI smoke test failed with HTTP $STATUS_CODE at $UI_URL" >&2
+            exit 1
+          fi
+
+          HEALTH_URL="${{ steps.api.outputs.api_url }}/api/health"
+          STATUS_CODE=$(curl -sS -o /tmp/ui-only-api-health-post.json -w "%{http_code}" "$HEALTH_URL" || true)
+          if [ "$STATUS_CODE" != "200" ]; then
+            echo "API health check failed after UI deployment with HTTP $STATUS_CODE at $HEALTH_URL" >&2
+            cat /tmp/ui-only-api-health-post.json 2>/dev/null || true
+            exit 1
+          fi
+
+          PRODUCTS_URL="${{ steps.api.outputs.api_url }}/api/products?limit=1"
+          STATUS_CODE=$(curl -sS -o /tmp/ui-only-api-products-post.json -w "%{http_code}" "$PRODUCTS_URL" || true)
+          if [ "$STATUS_CODE" != "200" ]; then
+            echo "Products smoke check failed after UI deployment with HTTP $STATUS_CODE at $PRODUCTS_URL" >&2
+            cat /tmp/ui-only-api-products-post.json 2>/dev/null || true
+            exit 1
+          fi
+
+          CATEGORIES_URL="${{ steps.api.outputs.api_url }}/api/categories"
+          STATUS_CODE=$(curl -sS -o /tmp/ui-only-api-categories-post.json -w "%{http_code}" "$CATEGORIES_URL" || true)
+          if [ "$STATUS_CODE" != "200" ]; then
+            echo "Categories smoke check failed after UI deployment with HTTP $STATUS_CODE at $CATEGORIES_URL" >&2
+            cat /tmp/ui-only-api-categories-post.json 2>/dev/null || true
+            exit 1
+          fi

.github/workflows/deploy-ui-swa.yml

@@ -72,7 +72,14 @@ az account set --subscription <SUBSCRIPTION_ID>
 
 Deploy a single shared resource stack, then deploy all services as AKS workloads.
 
-**Deployment order**: Shared Infrastructure → Static Web App → CRUD Service → Agent Services
+**Deployment order**: Shared Infrastructure → CRUD Service + Agent Services → APIM Sync + APIM Smoke Gate → Static Web App
+
+Release gate notes:
+
+- UI deployment is blocked unless backend deployment jobs are `success` or `skipped`.
+- APIM gateway URL is propagated from `azd` outputs and checked against live APIM to catch config drift.
+- APIM smoke checks validate `GET /api/health`, `GET /api/products?limit=1`, and `GET /api/categories` plus changed agent `GET /agents/<service>/health` before UI publish.
+- UI deployment runs pre/post smoke checks to ensure API health and SWA hostname reachability.
 
 ### Step 1: Deploy Shared Infrastructure
 
@@ -379,6 +386,13 @@ az deployment sub delete --name shared-infra-dev
 
 ## CI/CD Integration
 
+Current workflow gate behavior:
+
+- `.github/workflows/deploy-azd.yml` enforces backend and APIM readiness before `deploy-ui`.
+- `.github/workflows/deploy-azd.yml` fails on Foundry readiness check failures instead of warning-only.
+- `.github/workflows/deploy-ui-swa.yml` resolves APIM gateway URL from Azure and rejects mismatched manual `apiUrl` overrides.
+- `.github/workflows/deploy-ui-swa.yml` includes pre/post deployment smoke checks (`/api/health`, `/api/products?limit=1`, `/api/categories`, and SWA home page).
+
 ### GitHub Actions Workflow (recommended)
 
 ```yaml

.infra/DEPLOYMENT.md

@@ -90,7 +90,32 @@ $environment = First-Value -Map $values -Keys @('ENVIRONMENT', 'environment') -D
 
 $postgresHost = First-Value -Map $values -Keys @('POSTGRES_HOST', 'postgresFqdn', 'POSTGRES_FQDN')
 $postgresDatabase = First-Value -Map $values -Keys @('POSTGRES_DATABASE', 'postgresDatabaseName') -DefaultValue 'holiday_peak_crud'
-$postgresUser = First-Value -Map $values -Keys @('POSTGRES_USER', 'postgresAdminUser') -DefaultValue 'crud_admin'
+$postgresAuthMode = First-Value -Map $values -Keys @('POSTGRES_AUTH_MODE', 'postgresAuthMode') -DefaultValue 'password'
+$postgresAdminUser = First-Value -Map $values -Keys @('POSTGRES_ADMIN_USER', 'postgresAdminUser') -DefaultValue 'crud_admin'
+$postgresUser = First-Value -Map $values -Keys @('POSTGRES_USER')
+if ($postgresAuthMode -eq 'password') {
+    $postgresUser = $postgresAdminUser
+}
+elseif (-not $postgresUser) {
+    $aksClusterName = First-Value -Map $values -Keys @('AZURE_AKS_CLUSTER_NAME', 'AKS_CLUSTER_NAME', 'aksClusterName')
+    if ($aksClusterName) {
+        $postgresUser = "$aksClusterName-agentpool"
+    }
+    else {
+        $projectName = First-Value -Map $values -Keys @('projectName', 'PROJECT_NAME')
+        if ($projectName) {
+            if ($environment -eq 'prod') {
+                $postgresUser = "$projectName-aks-agentpool"
+            }
+            else {
+                $postgresUser = "$projectName-$environment-aks-agentpool"
+            }
+        }
+        else {
+            $postgresUser = "crud-$environment-aks-agentpool"
+        }
+    }
+}
 
 $eventHubNamespace = Ensure-Suffix -Value (First-Value -Map $values -Keys @('EVENT_HUB_NAMESPACE', 'eventHubsNamespaceName')) -Suffix '.servicebus.windows.net'
 $keyVaultUri = First-Value -Map $values -Keys @('KEY_VAULT_URI', 'keyVaultUri')
@@ -119,9 +144,11 @@ LOG_LEVEL=INFO
 POSTGRES_HOST=$postgresHost
 POSTGRES_PORT=5432
 POSTGRES_DATABASE=$postgresDatabase
+POSTGRES_AUTH_MODE=$postgresAuthMode
 POSTGRES_USER=$postgresUser
 POSTGRES_PASSWORD=
 POSTGRES_PASSWORD_SECRET_NAME=postgres-admin-password
+POSTGRES_ENTRA_SCOPE=https://ossrdbms-aad.database.windows.net/.default
 POSTGRES_SSL=true
 
 EVENT_HUB_NAMESPACE=$eventHubNamespace

.infra/azd/hooks/generate-crud-env.ps1

@@ -54,9 +54,39 @@ POSTGRES_DATABASE="$(get_val POSTGRES_DATABASE)"
 [ -z "$POSTGRES_DATABASE" ] && POSTGRES_DATABASE="$(get_val postgresDatabaseName)"
 [ -z "$POSTGRES_DATABASE" ] && POSTGRES_DATABASE="holiday_peak_crud"
 
+POSTGRES_AUTH_MODE="$(get_val POSTGRES_AUTH_MODE)"
+[ -z "$POSTGRES_AUTH_MODE" ] && POSTGRES_AUTH_MODE="$(get_val postgresAuthMode)"
+[ -z "$POSTGRES_AUTH_MODE" ] && POSTGRES_AUTH_MODE="password"
+
+POSTGRES_ADMIN_USER="$(get_val POSTGRES_ADMIN_USER)"
+[ -z "$POSTGRES_ADMIN_USER" ] && POSTGRES_ADMIN_USER="$(get_val postgresAdminUser)"
+[ -z "$POSTGRES_ADMIN_USER" ] && POSTGRES_ADMIN_USER="crud_admin"
+
 POSTGRES_USER="$(get_val POSTGRES_USER)"
-[ -z "$POSTGRES_USER" ] && POSTGRES_USER="$(get_val postgresAdminUser)"
-[ -z "$POSTGRES_USER" ] && POSTGRES_USER="crud_admin"
+if [ "$POSTGRES_AUTH_MODE" = "password" ]; then
+  POSTGRES_USER="$POSTGRES_ADMIN_USER"
+elif [ -z "$POSTGRES_USER" ]; then
+  AKS_CLUSTER_NAME="$(get_val AZURE_AKS_CLUSTER_NAME)"
+  [ -z "$AKS_CLUSTER_NAME" ] && AKS_CLUSTER_NAME="$(get_val AKS_CLUSTER_NAME)"
+  [ -z "$AKS_CLUSTER_NAME" ] && AKS_CLUSTER_NAME="$(get_val aksClusterName)"
+
+  if [ -n "$AKS_CLUSTER_NAME" ]; then
+    POSTGRES_USER="${AKS_CLUSTER_NAME}-agentpool"
+  else
+    PROJECT_NAME="$(get_val projectName)"
+    [ -z "$PROJECT_NAME" ] && PROJECT_NAME="$(get_val PROJECT_NAME)"
+
+    if [ -n "$PROJECT_NAME" ]; then
+      if [ "$ENVIRONMENT_VALUE" = "prod" ]; then
+        POSTGRES_USER="${PROJECT_NAME}-aks-agentpool"
+      else
+        POSTGRES_USER="${PROJECT_NAME}-${ENVIRONMENT_VALUE}-aks-agentpool"
+      fi
+    else
+      POSTGRES_USER="crud-${ENVIRONMENT_VALUE}-aks-agentpool"
+    fi
+  fi
+fi
 
 EVENT_HUB_NAMESPACE="$(get_val EVENT_HUB_NAMESPACE)"
 [ -z "$EVENT_HUB_NAMESPACE" ] && EVENT_HUB_NAMESPACE="$(get_val eventHubsNamespaceName)"
@@ -103,9 +133,11 @@ LOG_LEVEL=INFO
 POSTGRES_HOST=$POSTGRES_HOST
 POSTGRES_PORT=5432
 POSTGRES_DATABASE=$POSTGRES_DATABASE
+POSTGRES_AUTH_MODE=$POSTGRES_AUTH_MODE
 POSTGRES_USER=$POSTGRES_USER
 POSTGRES_PASSWORD=
 POSTGRES_PASSWORD_SECRET_NAME=postgres-admin-password
+POSTGRES_ENTRA_SCOPE=https://ossrdbms-aad.database.windows.net/.default
 POSTGRES_SSL=true
 
 EVENT_HUB_NAMESPACE=$EVENT_HUB_NAMESPACE

.infra/azd/hooks/generate-crud-env.sh

@@ -12,8 +12,21 @@ $ingressClassName = if ($env:INGRESS_CLASS_NAME) { $env:INGRESS_CLASS_NAME } els
 $canaryEnabled = if ($env:CANARY_ENABLED) { $env:CANARY_ENABLED } else { "false" }
 $readinessPath = "/ready"
 
+$nodePool = "agents"
+$workloadType = "agents"
+$pdbEnabled = "false"
+$pdbMinAvailable = ""
+$maxUnavailable = ""
+$maxSurge = ""
+
 if ($ServiceName -eq "crud-service") {
-  $readinessPath = "/health"
+  $nodePool = "crud"
+  $workloadType = "crud"
+  # Safer defaults for CRUD without changing global chart defaults.
+  $pdbEnabled = "true"
+  $pdbMinAvailable = "1"
+  $maxUnavailable = "0"
+  $maxSurge = "1"
 }
 
 $serviceImageVarName = "SERVICE_$($ServiceName.ToUpper().Replace('-', '_'))_IMAGE_NAME"
@@ -59,9 +72,34 @@ $helmArgs = @(
   '--set',
   "canary.enabled=$canaryEnabled",
   '--set',
-  "probes.readiness.path=$readinessPath"
+  "probes.readiness.path=$readinessPath",
+  '--set',
+  "nodeSelector.agentpool=$nodePool",
+  '--set',
+  "tolerations[0].key=workload",
+  '--set',
+  "tolerations[0].operator=Equal",
+  '--set',
+  "tolerations[0].value=$workloadType",
+  '--set',
+  "tolerations[0].effect=NoSchedule"
 )
 
+if ($maxUnavailable) {
+  $helmArgs += @('--set-string', "availability.rollingUpdate.maxUnavailable=$maxUnavailable")
+}
+
+if ($maxSurge) {
+  $helmArgs += @('--set-string', "availability.rollingUpdate.maxSurge=$maxSurge")
+}
+
+if ($pdbEnabled -eq "true") {
+  $helmArgs += @('--set', "pdb.enabled=true")
+  if ($pdbMinAvailable) {
+    $helmArgs += @('--set-string', "pdb.minAvailable=$pdbMinAvailable")
+  }
+}
+
 $envMappings = @{
   # Database
   POSTGRES_HOST = $env:POSTGRES_HOST