Fix CO deployment crash caused by Socure startup validation (#101)

* Add Socure Enabled flag, validator short circuit, and DisabledSocureClient

* Wire DisabledSocureClient into DI and move Socure config to state-specific templates

---------

Co-authored-by: Nick Campanini <ncampanini@codeforamerica.org>

Author: necampanini

.gitignore

@@ -25,8 +25,10 @@ scripts/scratch/
 *.sln.docstates
 *.env
 
-# Local development config (use appsettings.Development.example.json as template)
+# Local/deployed config (use matching .example.json as template)
 src/SEBT.Portal.Api/appsettings.Development.json
+src/SEBT.Portal.Api/appsettings.dc.json
+src/SEBT.Portal.Api/appsettings.co.json
 
 # User-specific files (MonoDevelop/Xamarin Studio)
 *.userprefs

src/SEBT.Portal.Api/Program.cs

@@ -114,7 +114,7 @@
 
 // Adds use cases (i.e., query and command handlers) for portal business logic
 builder.Services.AddUseCases();
-builder.Services.AddPortalInfrastructureServices();
+builder.Services.AddPortalInfrastructureServices(builder.Configuration);
 builder.Services.AddPortalDbContext(builder.Configuration, options => options.ConfigureDevelopmentSeeding());
 builder.Services.AddPortalInfrastructureRepositories(builder.Configuration);
 builder.Services.AddPortalInfrastructureAppSettings(builder.Configuration);

src/SEBT.Portal.Api/appsettings.co.example.json

@@ -1,4 +1,7 @@
 {
+  "Socure": {
+    "Enabled": false
+  },
   "IdProofingRequirements": {
     "address+view": "IAL1plus",
     "email+view": "IAL1plus",

src/SEBT.Portal.Api/appsettings.dc.example.json

@@ -0,0 +1,16 @@
+{
+  "Socure": {
+    "Enabled": true,
+    "UseStub": true,
+    "BaseUrl": "https://riskos.sandbox.socure.com",
+    "ChallengeExpirationMinutes": 30,
+    "ApiVersion": "2025-01-01.orion",
+    "Workflow": "consumer_onboarding",
+    "DocvEnrichmentName": "SocureDocRequest"
+  },
+  "FeatureManagement": {
+    "show_application_number": false,
+    "show_case_number": false,
+    "show_card_last4": false
+  }
+}

src/SEBT.Portal.Api/appsettings.dc.json

@@ -87,14 +87,6 @@
       "ProfileId": ""
     }
   },
-  "Socure": {
-    "UseStub": true,
-    "BaseUrl": "https://riskos.sandbox.socure.com",
-    "ChallengeExpirationMinutes": 30,
-    "ApiVersion": "2025-01-01.orion",
-    "Workflow": "consumer_onboarding",
-    "DocvEnrichmentName": "SocureDocRequest"
-  },
   "FeatureManagement": {
     "email_dob_opt_in": false,
     "show_application_number": true,

src/SEBT.Portal.Api/appsettings.json

@@ -11,6 +11,12 @@ public class SocureSettings
 {
     public static readonly string SectionName = "Socure";
 
+    /// <summary>
+    /// When false, Socure integration is disabled entirely — validation is skipped
+    /// and a no-op client is registered. States that don't use Socure leave this false.
+    /// </summary>
+    public bool Enabled { get; set; }
+
     /// <summary>
     /// When true, uses the StubSocureClient instead of the real HTTP client.
     /// Automatically true in Development when no API key is configured.

src/SEBT.Portal.Core/AppSettings/SocureSettings.cs

@@ -19,6 +19,11 @@ public ValidateOptionsResult Validate(string? name, SocureSettings options)
             return ValidateOptionsResult.Fail("Socure configuration section is not present.");
         }
 
+        if (!options.Enabled)
+        {
+            return ValidateOptionsResult.Success;
+        }
+
         if (options.ChallengeExpirationMinutes < 1 || options.ChallengeExpirationMinutes > 1440)
         {
             return ValidateOptionsResult.Fail(

src/SEBT.Portal.Infrastructure/Configuration/SocureSettingsValidator.cs

@@ -16,7 +16,7 @@ namespace SEBT.Portal.Infrastructure;
 
 public static class Dependencies
 {
-    public static IServiceCollection AddPortalInfrastructureServices(this IServiceCollection services)
+    public static IServiceCollection AddPortalInfrastructureServices(this IServiceCollection services, IConfiguration configuration)
     {
         // Otp Services
         services.AddTransient<IOtpSenderService, EmailOtpSenderService>();
@@ -39,17 +39,25 @@ public static IServiceCollection AddPortalInfrastructureServices(this IServiceCo
         // Expose SocureSettings directly for use case injection (avoids IOptions dependency in UseCases layer)
         services.AddSingleton(sp => sp.GetRequiredService<IOptions<SocureSettings>>().Value);
 
-        // Socure client — stub or real based on SocureSettings.UseStub
-        services.AddTransient<StubSocureClient>();
-        services.AddTransient<HttpSocureClient>();
-        services.AddTransient<ISocureClient>(sp =>
+        // Socure client — disabled, stub, or real based on configuration
+        var socureEnabled = configuration.GetValue<bool>("Socure:Enabled");
+        if (socureEnabled)
         {
-            var settings = sp.GetRequiredService<IOptions<SocureSettings>>().Value;
-            if (settings.UseStub)
-                return sp.GetRequiredService<StubSocureClient>();
+            services.AddTransient<StubSocureClient>();
+            services.AddTransient<HttpSocureClient>();
+            services.AddTransient<ISocureClient>(sp =>
+            {
+                var settings = sp.GetRequiredService<IOptions<SocureSettings>>().Value;
+                if (settings.UseStub)
+                    return sp.GetRequiredService<StubSocureClient>();
 
-            return sp.GetRequiredService<HttpSocureClient>();
-        });
+                return sp.GetRequiredService<HttpSocureClient>();
+            });
+        }
+        else
+        {
+            services.AddTransient<ISocureClient, DisabledSocureClient>();
+        }
 
         return services;
     }

src/SEBT.Portal.Infrastructure/Dependencies.cs

@@ -0,0 +1,38 @@
+using SEBT.Portal.Core.Models.DocVerification;
+using SEBT.Portal.Core.Services;
+using SEBT.Portal.Kernel;
+using SEBT.Portal.Kernel.Results;
+
+namespace SEBT.Portal.Infrastructure.Services;
+
+/// <summary>
+/// No-op implementation of <see cref="ISocureClient"/> used when Socure integration is disabled.
+/// Returns a <see cref="DependencyFailedReason.NotConfigured"/> result for all operations.
+/// </summary>
+public class DisabledSocureClient : ISocureClient
+{
+    private const string DisabledMessage = "Socure integration is not enabled for this deployment.";
+
+    public Task<Result<IdProofingAssessmentResult>> RunIdProofingAssessmentAsync(
+        int userId,
+        string email,
+        string dateOfBirth,
+        string? idType,
+        string? idValue,
+        CancellationToken cancellationToken = default)
+    {
+        return Task.FromResult(
+            Result<IdProofingAssessmentResult>.DependencyFailed(
+                DependencyFailedReason.NotConfigured, DisabledMessage));
+    }
+
+    public Task<Result<SocureDocvSession>> StartDocvSessionAsync(
+        int userId,
+        string email,
+        CancellationToken cancellationToken = default)
+    {
+        return Task.FromResult(
+            Result<SocureDocvSession>.DependencyFailed(
+                DependencyFailedReason.NotConfigured, DisabledMessage));
+    }
+}