From 21d16695c2a2e3b955b5b4c5ce55bc3cac3c7db2 Mon Sep 17 00:00:00 2001
From: svemagie <869694+svemagie@users.noreply.github.com>
Date: Sun, 8 Mar 2026 02:10:17 +0100
Subject: [PATCH] fix(deploy): add mongodb runtime dep and harden env checks
---
 .github/workflows/deploy.yml | 10 +++++++---
 package-lock.json | 2 +-
 package.json | 3 ++-
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 013f9a3e..144d48ad 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -37,10 +37,14 @@ jobs:
 restart_log=/tmp/indiekit-restart.log
 # Update code and dependencies as indiekit user inside the jail.
- sudo bastille cmd node sh -lc 'cd /usr/local/indiekit && su -l indiekit -c "git pull origin main && npm ci"'
+ sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && git pull origin main && npm ci && install -m 755 start.example.sh start.sh"'
+
+ # Ensure env file exists and contains auth secrets required by start.sh.
+ sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && test -f .env"'
+ sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && if ! (grep -Eq \"^SECRET=.*\" .env && grep -Eq \"^PASSWORD_SECRET=.*\" .env); then echo \"Missing SECRET or PASSWORD_SECRET in /usr/local/indiekit/.env\"; exit 1; fi"'
 # Validate startup prerequisites before touching the running service.
- sudo bastille cmd node sh -lc 'cd /usr/local/indiekit && su -l indiekit -c "NODE_ENV=production node scripts/preflight-mongo-connection.mjs"'
+ sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-mongo-connection.mjs"'
 # Restart asynchronously to avoid hanging SSH sessions when rc scripts keep stdout open.
 sudo bastille cmd node sh -lc "nohup service indiekit restart >${restart_log} 2>&1
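Review bot: The added `grep -Eq` guard uses `^SECRET=.*` and `^PASSWORD_SECRET=.*`, which also match a line whose value is empty, so a `.env` containing a bare `SECRET=` passes the check this commit describes as hardening. Requiring at least one character after the `=` closes that gap: `grep -Eq \"^SECRET=.+\" .env && grep -Eq \"^PASSWORD_SECRET=.+\" .env`. Because the file is stated to hold auth secrets, the same step could also fail when `.env` is readable by group or others, and the "Missing SECRET…" message would be easier to find in job logs if it went to stderr with `>&2`. The workflow's run script begins before this hunk and continues after it, so any later handling of these variables is not visible here.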