fix(workspaces): don't short-circuit provisioning when bot token is missing

ensureWorkspaceProvisioned was bailing out as soon as provision_status=='ready',
even if gitea_bot_token_encrypted had been cleared (e.g. after a manual rotation).
Check every sub-resource is present before skipping.

Made-with: Cursor

lib/workspaces.ts

@@ -174,7 +174,17 @@ export async function ensureWorkspaceForUser(opts: {
  * can retry by calling again. Returns the up-to-date workspace row.
  */
 export async function ensureWorkspaceProvisioned(workspace: VibnWorkspace): Promise<VibnWorkspace> {
-  if (workspace.provision_status === 'ready') return workspace;
+  // Only short-circuit when every sub-resource is actually present.
+  // We've seen "ready but missing bot token" cases (e.g. after an
+  // operational rotation that nulled the encrypted token) and the
+  // status check alone would silently skip re-minting.
+  const fullyProvisioned =
+    workspace.provision_status === 'ready' &&
+    workspace.coolify_project_uuid &&
+    workspace.gitea_org &&
+    workspace.gitea_bot_username &&
+    workspace.gitea_bot_token_encrypted;
+  if (fullyProvisioned) return workspace;
 
   let coolifyUuid = workspace.coolify_project_uuid;
   let giteaOrg = workspace.gitea_org;