fix(deploy): add mongodb runtime dep and harden env checks

.github/workflows/deploy.yml

@@ -37,10 +37,14 @@ jobs:
             restart_log=/tmp/indiekit-restart.log
 
             # Update code and dependencies as indiekit user inside the jail.
-            sudo bastille cmd node sh -lc 'cd /usr/local/indiekit && su -l indiekit -c "git pull origin main && npm ci"'
+            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && git pull origin main && npm ci && install -m 755 start.example.sh start.sh"'
+
+            # Ensure env file exists and contains auth secrets required by start.sh.
+            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && test -f .env"'
+            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && if ! (grep -Eq \"^SECRET=.*\" .env && grep -Eq \"^PASSWORD_SECRET=.*\" .env); then echo \"Missing SECRET or PASSWORD_SECRET in /usr/local/indiekit/.env\"; exit 1; fi"'
 
             # Validate startup prerequisites before touching the running service.
-            sudo bastille cmd node sh -lc 'cd /usr/local/indiekit && su -l indiekit -c "NODE_ENV=production node scripts/preflight-mongo-connection.mjs"'
+            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-mongo-connection.mjs"'
 
             # Restart asynchronously to avoid hanging SSH sessions when rc scripts keep stdout open.
             sudo bastille cmd node sh -lc "nohup service indiekit restart >${restart_log} 2>&1 </dev/null &"
@@ -61,7 +65,7 @@ jobs:
             echo "Indiekit process not found after restart."
             sudo bastille cmd node sh -lc "tail -n 120 ${restart_log} || true"
             sudo bastille cmd node sh -lc 'service indiekit onestatus || true'
-            sudo bastille cmd node sh -lc 'cd /usr/local/indiekit && su -l indiekit -c "NODE_ENV=production node scripts/preflight-mongo-connection.mjs" || true'
+            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-mongo-connection.mjs" || true'
             exit 1
       # Optionally reload nginx on web jail
       # - name: Reload nginx

package-lock.json

@@ -19,6 +19,7 @@
         "@rmdes/indiekit-post-type-page": "^1.0.4",
         "@rmdes/indiekit-preset-eleventy": "^1.0.0-beta.33",
         "dotenv": "^17.3.1",
+        "mongodb": "^7.1.0",
         "node-gyp": "^12.2.0"
       }
     },
@@ -5555,7 +5556,6 @@
       "resolved": "https://registry.npmjs.org/socks/-/socks-2.8.7.tgz",
       "integrity": "sha512-HLpt+uLy/pxB+bum/9DzAgiKS8CX1EvbWxI4zlmgGCExImLdiad2iCwXT5Z4c9c3Eq8rP2318mPW2c+QbtjK8A==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "ip-address": "^10.0.1",
         "smart-buffer": "^4.2.0"

package.json

@@ -27,10 +27,11 @@
     "@rmdes/indiekit-endpoint-conversations": "^2.1.6",
     "@rmdes/indiekit-endpoint-github": "^1.2.3",
     "@rmdes/indiekit-endpoint-posts": "^1.0.0-beta.25",
+    "@rmdes/indiekit-endpoint-webmention-io": "^1.0.7",
     "@rmdes/indiekit-post-type-page": "^1.0.4",
     "@rmdes/indiekit-preset-eleventy": "^1.0.0-beta.33",
-    "@rmdes/indiekit-endpoint-webmention-io": "^1.0.7",
     "dotenv": "^17.3.1",
+    "mongodb": "^7.1.0",
     "node-gyp": "^12.2.0"
   }
 }