fix: tighten production config validation with token length and db path checks

crates/quicproquo-server/src/config.rs

@@ -270,9 +270,26 @@ pub fn validate_production_config(effective: &EffectiveConfig) -> anyhow::Result
             "production forbids auth_token 'devtoken'; set a strong QPQ_AUTH_TOKEN"
         );
     }
+    if token.len() < 16 {
+        anyhow::bail!(
+            "production requires QPQ_AUTH_TOKEN of at least 16 characters (got {})",
+            token.len()
+        );
+    }
     if effective.store_backend == "sql" && effective.db_key.is_empty() {
         anyhow::bail!("production with store_backend=sql requires non-empty QPQ_DB_KEY");
     }
+    if effective.store_backend == "sql" {
+        let db_dir = effective
+            .db_path
+            .parent()
+            .unwrap_or_else(|| Path::new("."));
+        // Verify the directory exists and is writable by creating+removing a probe file.
+        let probe = db_dir.join(".qpq-write-probe");
+        std::fs::write(&probe, b"probe")
+            .with_context(|| format!("DB path parent {:?} is not writable", db_dir))?;
+        let _ = std::fs::remove_file(&probe);
+    }
     if effective.store_backend != "sql" {
         tracing::warn!(
             "production is using file-backed storage; \