diff --git a/TODO.md b/TODO.md
index f327347..7f6d259 100644
--- a/TODO.md
+++ b/TODO.md
@@ -2,6 +2,8 @@
 
 ## Completed
 
+- [x] Fix `just serve` — justfile shebang recipes (`deploy-env`, `reencrypt-password`) used space indentation instead of tabs, causing "extra leading whitespace" parse error
+
 - [x] PDF 100 MB limit + bentopdf mention
   - [x] `ThesisCreateController`: `MAX_PDF_SIZE = 100 MB`; PDFs checked against it, other files still 500 MB
   - [x] `ThesisEditController`: same per-PDF limit applied
diff --git a/justfile b/justfile
index 2822109..3cfed30 100644
--- a/justfile
+++ b/justfile
@@ -68,39 +68,39 @@ deploy:
 
 [group('deploy')]
 deploy-env:
-    # Upload app/.env only if it exists locally; never overwrites a remote .env that already has APP_KEY.
-    #!/usr/bin/env bash
-    set -euo pipefail
-    if [ ! -f app/.env ]; then
-        echo "WARNING: app/.env not found locally — skipping."
-        exit 0
-    fi
-    if ssh xamxam '[ -f /var/www/xamxam/.env ]'; then
-        echo "Remote .env already exists — skipping to avoid overwriting key."
-        echo "Run 'just reencrypt-password' if you rotated APP_KEY."
-    else
-        rsync -v --progress app/.env xamxam:/var/www/xamxam/.env
-        ssh xamxam "chmod 640 /var/www/xamxam/.env && chown www-data:xamxam /var/www/xamxam/.env"
-        echo ".env uploaded."
-    fi
+	#!/usr/bin/env bash
+	set -euo pipefail
+	# Upload app/.env only if it exists locally; never overwrites a remote .env that already has APP_KEY.
+	if [ ! -f app/.env ]; then
+		echo "WARNING: app/.env not found locally — skipping."
+		exit 0
+	fi
+	if ssh xamxam '[ -f /var/www/xamxam/.env ]'; then
+		echo "Remote .env already exists — skipping to avoid overwriting key."
+		echo "Run 'just reencrypt-password' if you rotated APP_KEY."
+	else
+		rsync -v --progress app/.env xamxam:/var/www/xamxam/.env
+		ssh xamxam "chmod 640 /var/www/xamxam/.env && chown www-data:xamxam /var/www/xamxam/.env"
+		echo ".env uploaded."
+	fi
 
 [group('deploy')]
 reencrypt-password new_key_b64="":
-    # Re-encrypt the SMTP password in the remote DB after rotating APP_KEY.
-    # Usage:
-    #   1. Generate a new key:  php -r "echo base64_encode(random_bytes(32));"
-    #   2. Run:                 just reencrypt-password <new_base64_key>
-    #   3. Update app/.env locally with the new key, then run: just deploy-env
-    #!/usr/bin/env bash
-    set -euo pipefail
-    if [ -z "{{new_key_b64}}" ]; then
-        echo "Usage: just reencrypt-password <new_base64_key>"
-        echo "Generate a key: php -r \"echo base64_encode(random_bytes(32));\""
-        exit 1
-    fi
-    # Run the re-encryption script on the server using the current key (from remote .env)
-    # and the supplied new key.
-    ssh xamxam "php /var/www/xamxam/scripts/reencrypt-smtp-password.php '{{new_key_b64}}' /var/www/xamxam/storage/xamxam.db"
+	#!/usr/bin/env bash
+	set -euo pipefail
+	# Re-encrypt the SMTP password in the remote DB after rotating APP_KEY.
+	# Usage:
+	#   1. Generate a new key:  php -r "echo base64_encode(random_bytes(32));"
+	#   2. Run:                 just reencrypt-password <new_base64_key>
+	#   3. Update app/.env locally with the new key, then run: just deploy-env
+	if [ -z "{{new_key_b64}}" ]; then
+		echo "Usage: just reencrypt-password <new_base64_key>"
+		echo "Generate a key: php -r \"echo base64_encode(random_bytes(32));\""
+		exit 1
+	fi
+	# Run the re-encryption script on the server using the current key (from remote .env)
+	# and the supplied new key.
+	ssh xamxam "php /var/www/xamxam/scripts/reencrypt-smtp-password.php '{{new_key_b64}}' /var/www/xamxam/storage/xamxam.db"
 
 [group('deploy')]
 deploy-db: