chore(ci): post-deploy smoke + prod env build + extended route coverage

[MP2EZ]

Summary

Closes three deployment-confidence gaps that the recent prod cutover (PR #37) made visible. Code-correctness CI was already strong (74 unit tests + lint + typecheck + wrangler-smoke on `/api/waitlist` + `/crisis`); this PR adds the deployment-correctness layer.

Three coordinated changes

1. `ci.yml` wrangler-smoke builds with `NEXT_PUBLIC_SHOW_FULL_SITE='true'`

CI previously built without the env var, so the `/` → `/home` redirect codepath (production behavior) was never exercised. Now matches the `deploy.yml` build mode. Readiness probe switched from `/` (now returns 307) to `/home` (always 200) so wrangler-dev startup detection still works.

2. `ci.yml` wrangler-smoke extended from 2 routes → 6 routes

Old coverage	+ New coverage
`POST /api/waitlist` (400 + body marker)	`GET /` → 307 with `location: /home`
`GET /crisis` (200 + 988 + security headers)	`GET /home` → 200 + "Mindfulness with meaning"
	`GET /download` → 200 + "Coming soon" + NOT "graphic needed"
	`GET /privacy/multi-state` → 200 + "Multi-State"

The `/download` assertion has a defensive NOT check for "graphic needed" — that string was in the old placeholder-badge page (pre-PR #36). If anyone regresses `/download` to the old badge content, CI catches it.

3. `deploy.yml` post-deploy smoke against live URL

Catches the failure mode CI cannot reach: DNS misconfig, custom-domain unbound, SSL broken, deploy succeeded-but-routed-wrong, deploy succeeded-but-stale.

After `wrangler-action` deploy succeeds:

• Branch-aware URL (`main` → `https://being.fyi\`, `preview` → `https://being-website-preview.palouselabs.workers.dev\`)
• 15s sleep for Cloudflare edge propagation
• Cache-busted curl on `/home` (status 200), `/download` (Coming soon marker), `/privacy` (Strict-Transport-Security header)
• Any FAIL exits the workflow loudly

Verification

CI on this PR will run the expanded wrangler-smoke job (assertions 1+2 above). After merge to preview, the deploy.yml smoke runs against `being-website-preview.palouselabs.workers.dev` (assertion 3 above). Next preview→main cutover gets the same smoke against `being.fyi` automatically.

If the smoke ever fails:

• Pre-merge (CI): review the assertion that failed; either fix the code or update the assertion if the change was intentional
• Post-deploy (deploy.yml): deploy has already happened; manual rollback via `git revert` + redeploy. Smoke just fails loudly to alert.

Note on durability of the "Coming soon" assertion

Temporary marker tied to pre-launch state. When the app actually launches and `/download` swaps to real app-store badges, this assertion becomes a deliberate tripwire — update or replace with a more durable marker (e.g., the H1 text) at launch time.

Out of scope (deferred from the original CI hardening proposal)

• Item test(ab): cover variant assignment, cookie lookup, and conversion logic #4 (Playwright visual regression) — bigger infra investment, separate decision
• Item test(ab): cover variant assignment, cookie lookup, and conversion logic #5 (Cloudflare custom-domain assertion) — low-frequency failure mode, not worth standalone job

🤖 Generated with Claude Code