feat: update OpenSSL verification to check Node.js runtime crypto in production image (#49)

Author: rajashish147

.github/workflows/deploy.yml

@@ -251,19 +251,20 @@ jobs:
           cache-from: type=gha,scope=production
           cache-to: type=gha,mode=max,scope=production
 
-      # Verify OpenSSL version in PRODUCTION stage (not builder or runtime-deps).
-      # Confirms dependencies were rebuilt AND are present in final distroless image.
-      - name: Verify OpenSSL in production image
+      # Verify Node.js runtime crypto via OpenSSL binding in PRODUCTION stage.
+      # Confirms the Node runtime has OpenSSL linked (critical for TLS/HTTPS).
+      # Uses Node's built-in binding instead of CLI tool (distroless has no CLI tools).
+      - name: Verify Node.js runtime crypto
         run: |
           IMAGE_NAME="fieldtrack-backend:${{ steps.meta.outputs.sha_short }}"
-          # Run against production image (distroless) — would fail if deps layer missed rebuild
-          OPENSSL_VERSION=$(docker run --rm "$IMAGE_NAME" openssl version 2>&1)
-          if [ $? -ne 0 ] || [ -z "$OPENSSL_VERSION" ]; then
-            echo "::error::OpenSSL check failed — dependencies were not rebuilt or not copied to production stage"
+          OPENSSL_VERSION=$(docker run --rm "$IMAGE_NAME" node -p "process.versions.openssl" 2>&1)
+          EXIT_CODE=$?
+          if [ $EXIT_CODE -ne 0 ] || [ -z "$OPENSSL_VERSION" ]; then
+            echo "::error::Node.js OpenSSL binding check failed"
             echo "Output: $OPENSSL_VERSION"
             exit 1
           fi
-          echo "✓ Production image verified: $OPENSSL_VERSION"
+          echo "✓ Runtime crypto verified: OpenSSL $OPENSSL_VERSION"
 
       # Capture the content-addressable image digest.
       # With cache scoping and cache busting, digest should always reproduce correctly.