build-stream was failing on openssl-sys because the runner has glibc
libssl-dev but cargo cross-compiles to x86_64-unknown-linux-musl.
Adding \`openssl = { features = ["vendored"] }\` as a direct dep forces
openssl-src to build OpenSSL from source against musl, which feature-
unifies through reqwest's native-tls and any other openssl-sys consumer.
The vendored build needs perl + make at compile time — added them to
runner-bake-deps.sh. The runner already has build-essential for the C
compiler.
Note: the build-web "husky: not found" error in the same run looks
like a re-run of an old SHA, since main has \`npm ci --ignore-scripts\`
since d243c2e2. A fresh workflow_dispatch should clear it.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three more deploy.yml fixes shaken out by the first non-broken run:
1. backend Push step: \`curl --fail-with-body\` is curl 7.76+; the
runner's curl is older. Plain \`-f\` already fails on non-2xx, the
extra flag was redundant.
2. stream Build: \`cargo build --locked\` requires Cargo.lock, but
veza-stream-server/.gitignore was hiding it. Tracked it now (binary
crate — lock file belongs in version control for reproducibility).
3. web Install: NODE_ENV=production skips devDeps, including husky,
but the root \`prepare\` script invokes husky and exits 127.
--ignore-scripts skips the install hook entirely; the explicit
\`npm run build:tokens\` step still runs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
