From b51fb6da21aa91dc1b175d068e9d925c8969dee8 Mon Sep 17 00:00:00 2001
From: Mark Henderson <mark@getacquired.com>
Date: Tue, 21 Apr 2026 11:20:58 -0700
Subject: [PATCH] fix(workspaces): don't short-circuit provisioning when bot
 token is missing

ensureWorkspaceProvisioned was bailing out as soon as provision_status=='ready',
even if gitea_bot_token_encrypted had been cleared (e.g. after a manual rotation).
Check every sub-resource is present before skipping.

Made-with: Cursor
---
 lib/workspaces.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/workspaces.ts b/lib/workspaces.ts
index 159ab42..e5daa49 100644
--- a/lib/workspaces.ts
+++ b/lib/workspaces.ts
@@ -174,7 +174,17 @@ export async function ensureWorkspaceForUser(opts: {
  * can retry by calling again. Returns the up-to-date workspace row.
  */
 export async function ensureWorkspaceProvisioned(workspace: VibnWorkspace): Promise<VibnWorkspace> {
-  if (workspace.provision_status === 'ready') return workspace;
+  // Only short-circuit when every sub-resource is actually present.
+  // We've seen "ready but missing bot token" cases (e.g. after an
+  // operational rotation that nulled the encrypted token) and the
+  // status check alone would silently skip re-minting.
+  const fullyProvisioned =
+    workspace.provision_status === 'ready' &&
+    workspace.coolify_project_uuid &&
+    workspace.gitea_org &&
+    workspace.gitea_bot_username &&
+    workspace.gitea_bot_token_encrypted;
+  if (fullyProvisioned) return workspace;
 
   let coolifyUuid = workspace.coolify_project_uuid;
   let giteaOrg = workspace.gitea_org;