diff --git a/package.nix b/package.nix
index 5c49bf7..adeb62b 100644
--- a/package.nix
+++ b/package.nix
@@ -13,12 +13,17 @@
 }:
 
 let
-  # package.json pins `@nostr-dev-kit/ndk: "workspace:*"` but the lockfile
-  # resolves `^2.8.1`. With --frozen-lockfile pnpm refuses the mismatch,
-  # so rewrite the spec to match the lockfile.
+  # Fork commit `06272c8` ("pin @nostr-dev-kit/ndk to 2.8.1 instead of
+  # workspace:*") changed package.json to a pinned `"2.8.1"`, but the
+  # pnpm-lock.yaml still expresses the spec as `"^2.8.1"` (the way
+  # `pnpm add` originally generated it). pnpm with --frozen-lockfile
+  # rejects that mismatch. Patching package.json to use the caret form
+  # is non-semantic (2.8.1 is still the resolved version) and aligns
+  # both files. Same fix the Dockerfile-side already handles via
+  # `--no-frozen-lockfile`; in nix we prefer frozen + a targeted patch.
   patchNdk = ''
     substituteInPlace package.json \
-      --replace-fail '"@nostr-dev-kit/ndk": "workspace:*"' \
+      --replace-fail '"@nostr-dev-kit/ndk": "2.8.1"' \
                      '"@nostr-dev-kit/ndk": "^2.8.1"'
   '';
 
@@ -77,7 +82,12 @@ stdenv.mkDerivation (finalAttrs: {
     pnpm prisma generate
     pnpm build
 
-    pnpm prune --prod --ignore-scripts
+    # Do NOT `pnpm prune --prod` here — the prisma CLI lives in
+    # devDependencies and `scripts/start.js` invokes it at boot via
+    # `npx prisma migrate deploy`. Without the CLI, the migration step
+    # silently fails (npx falls back to downloading prisma fresh, which
+    # OOMs on most containers) and the SQLite db stays empty. See
+    # `aiolabs/nsecbunkerd#7` diagnosis 2026-05-27.
     find node_modules -xtype l -delete
 
     runHook postBuild
@@ -87,14 +97,24 @@ stdenv.mkDerivation (finalAttrs: {
     runHook preInstall
 
     mkdir -p $out/{bin,share/nsecbunkerd}
-    cp -r dist node_modules prisma templates package.json \
+    # scripts/ MUST be copied — it contains the start.js launcher that
+    # runs `prisma migrate deploy` before spawning the daemon. The
+    # upstream packaging (and the upstream Dockerfile) bypassed this by
+    # invoking dist/index.js directly, leaving migrations unapplied.
+    cp -r dist node_modules prisma scripts templates package.json \
       $out/share/nsecbunkerd/
 
+    # Wrapper invokes scripts/start.js, which runs `prisma migrate deploy`
+    # then spawns dist/index.js. start.js resolves sibling paths from
+    # __dirname, so the caller (systemd unit, docker compose, etc.) can
+    # set its own WorkingDirectory for the writable state dir without
+    # interfering with how the launcher finds its own package files.
+    # NSEC_BUNKER_CONFIG_DIR can override the config directory location;
+    # by default it's `./config` relative to cwd.
     makeWrapper ${lib.getExe nodejs_20} $out/bin/nsecbunkerd \
-      --chdir $out/share/nsecbunkerd \
-      --add-flags $out/share/nsecbunkerd/dist/index.js \
+      --add-flags $out/share/nsecbunkerd/scripts/start.js \
       --set NODE_ENV production \
-      --prefix PATH : ${lib.makeBinPath [ openssl ]} \
+      --prefix PATH : ${lib.makeBinPath [ openssl nodejs_20 ]} \
       ${
         lib.concatStringsSep " \\\n      " (
           lib.mapAttrsToList (n: v: "--set ${n} ${lib.escapeShellArg v}") prismaEnv