diff --git a/lib/workspaces.ts b/lib/workspaces.ts
index 159ab42..e5daa49 100644
--- a/lib/workspaces.ts
+++ b/lib/workspaces.ts
@@ -174,7 +174,17 @@ export async function ensureWorkspaceForUser(opts: {
  * can retry by calling again. Returns the up-to-date workspace row.
  */
 export async function ensureWorkspaceProvisioned(workspace: VibnWorkspace): Promise<VibnWorkspace> {
-  if (workspace.provision_status === 'ready') return workspace;
+  // Only short-circuit when every sub-resource is actually present.
+  // We've seen "ready but missing bot token" cases (e.g. after an
+  // operational rotation that nulled the encrypted token) and the
+  // status check alone would silently skip re-minting.
+  const fullyProvisioned =
+    workspace.provision_status === 'ready' &&
+    workspace.coolify_project_uuid &&
+    workspace.gitea_org &&
+    workspace.gitea_bot_username &&
+    workspace.gitea_bot_token_encrypted;
+  if (fullyProvisioned) return workspace;
 
   let coolifyUuid = workspace.coolify_project_uuid;
   let giteaOrg = workspace.gitea_org;