ci: harden inter-hub production smoke gate

.gitea/workflows/deploy.yaml

@@ -79,3 +79,14 @@ jobs:
             | grep -q "inter-hub" && echo "Landing page OK"
           curl -s https://hub.coulomb.social/api/v2/widgets \
             -o /dev/null -w "%{http_code}" | grep -q "401" && echo "API auth gate OK"
+          HUBS_STATUS=$(curl -s https://hub.coulomb.social/api/v2/hubs \
+            -o /dev/null -w "%{http_code}")
+          test "${HUBS_STATUS}" = "401" \
+            && echo "Hub bootstrap auth gate OK" \
+            || { echo "Expected /api/v2/hubs to return 401, got ${HUBS_STATUS}" >&2; exit 1; }
+          OPENAPI=$(curl -fsS https://hub.coulomb.social/api/v2/openapi.json)
+          for path in /hubs /hub-capability-manifests /api-consumers /policy-scopes; do
+            grep -q "\"${path}\"" <<< "${OPENAPI}" \
+              && echo "OpenAPI path present: ${path}" \
+              || { echo "OpenAPI path missing: ${path}" >&2; exit 1; }
+          done

workplans/IHUB-WP-0018-railiance01-deployment.md

@@ -392,6 +392,13 @@ workplans, `.custodian-brief.md`, `app.toml`, `.sops.yaml`, and
 `deploy/railiance/**` so State Hub consistency/doc-only commits do not consume a
 haskelseed build/deploy cycle.
 
+**Bootstrap-gate deploy note (2026-06-14):** Hardened the deployment workflow
+smoke test so a production rollout only passes when `/api/v2/hubs` returns the
+expected unauthenticated `401` and OpenAPI exposes `/hubs`,
+`/hub-capability-manifests`, `/api-consumers`, and `/policy-scopes`. This
+directly protects the ops-hub bootstrap gate instead of only checking the
+landing page and generic widget auth gate.
+
 ### R8 — Staged deployment and smoke test
 
 ```task