Harden WORKS image deploy startup path

test/production_image_workflows_policy_test.sh

@@ -104,6 +104,8 @@ grep -Fq "scripts/deploy/upload_and_run_image_deploy.sh" "$staging_deploy_workfl
   || fail "staging deploy workflow must use the shared remote deploy script."
 grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$staging_deploy_workflow" \
   || fail "staging deploy workflow must pass the Docker-image-specific WORKS Drive ID variable."
+grep -Fq "WORKS_ADMIN_OAUTH_TOKEN_URL: \${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }}" "$staging_deploy_workflow" \
+  || fail "staging deploy workflow must pass the WORKS OAuth token URL into the remote image deploy step."
 
 grep -Fq "name: Deploy Baron SSO Production Images" "$deploy_workflow" \
   || fail "deploy workflow must have the expected name."
@@ -125,20 +127,32 @@ grep -Fq "scripts/deploy/upload_and_run_image_deploy.sh" "$deploy_workflow" \
   || fail "production deploy workflow must use the shared remote deploy script."
 grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$deploy_workflow" \
   || fail "production deploy workflow must pass the Docker-image-specific WORKS Drive ID variable."
+grep -Fq "WORKS_ADMIN_OAUTH_TOKEN_URL: \${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }}" "$deploy_workflow" \
+  || fail "production deploy workflow must pass the WORKS OAuth token URL into the remote image deploy step."
 grep -Fq "Same image tag contract as staging" "$deploy_workflow" \
   || fail "production deploy workflow must document that it uses the same image tag as staging."
 grep -Fq "TRAEFIK_PUBLIC_NETWORK=traefik-public" "$bundle_script" \
   || fail "shared bundle script must write Traefik public network env."
 grep -Fq "scripts/docker-image/download_works_drive.sh" "$remote_deploy_script" \
   || fail "shared remote deploy script must load requested image archives from WORKS Drive before running."
+grep -Fq "refresh_works_drive_access_token" "$remote_deploy_script" \
+  || fail "shared remote deploy script must refresh WORKS Drive access tokens when a refresh token is available."
+grep -Fq 'WORKS_ADMIN_OAUTH_TOKEN_URL:-${WORKS_DRIVE_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}' "$remote_deploy_script" \
+  || fail "shared remote deploy script must honor WORKS_ADMIN_OAUTH_TOKEN_URL for refresh-token grants."
+grep -Fq "docker compose --env-file .env -f docker-compose.yml config" "$remote_deploy_script" \
+  || fail "shared remote deploy script must validate the remote compose config before running."
+grep -Fq "docker compose --env-file .env -f docker-compose.yml pull --ignore-pull-failures" "$remote_deploy_script" \
+  || fail "shared remote deploy script must prefetch runtime images before compose up."
+grep -Fq 'docker image inspect \"\${image_ref}\"' "$remote_deploy_script" \
+  || fail "shared remote deploy script must inspect loaded application images before compose up."
 grep -Fq "docker load" "$works_image_download_script" \
   || fail "WORKS Drive image download script must load downloaded archives into Docker."
 grep -Fq 'baron-sso/${IMAGE_TAG}/${image}.${IMAGE_TAG}.tar.zst' "$works_image_download_script" \
   || fail "WORKS Drive image download script must document the normalized archive path."
 grep -Fq "docker compose --env-file .env -f docker-compose.yml up -d" "$remote_deploy_script" \
   || fail "shared remote deploy script must start the stack after pulling images."
-if grep -Eiq 'harbor|docker login|docker compose --env-file .env -f docker-compose.yml pull|HARBOR_' "$staging_deploy_workflow" "$deploy_workflow" "$remote_deploy_script"; then
-  fail "image deploy workflows/scripts must not depend on Harbor registry login or compose pull."
+if grep -Eiq 'harbor|docker login|HARBOR_' "$staging_deploy_workflow" "$deploy_workflow" "$remote_deploy_script"; then
+  fail "image deploy workflows/scripts must not depend on Harbor registry login."
 fi
 
 if grep -Eq 'docker (build|commit)' "$staging_deploy_workflow" "$deploy_workflow"; then