diff --git a/deploy/build.sh b/deploy/build.sh
index 12a8ba2..5509dbb 100755
--- a/deploy/build.sh
+++ b/deploy/build.sh
@@ -4,6 +4,60 @@ set -euo pipefail cd "$(dirname "$0")/.."
 source deploy/env.sh
+AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$HOME/.config/age/keys.txt}"
+AGE_RECIPIENT="age1hkehkc2rryjl975c2mg5cghmjr54n4wjshncl292h2eg5l394fhs4uydrh"
+
+require_cmd() {
+ local cmd="$1"
+ if ! command -v "$cmd" >/dev/null 2>&1; then
+ echo "Missing required tool: $cmd. Please install it before building." >&2
+ exit 1
+ fi
+}
+
+check_docker() {
+ if [[ -n "${SKIP_DOCKER_CHECK:-}" ]]; then
+ return
+ fi
+ require_cmd docker
+ if ! docker info >/dev/null 2>&1; then
+ echo "Docker is installed but the daemon is not reachable. Start Docker Desktop/Engine and try again." >&2
+ exit 1
+ fi
+}
+
+check_age_setup() {
+ if [[ -n "${SKIP_AGE_CHECK:-}" ]]; then
+ return
+ fi
+ require_cmd sops
+ if [[ ! -f "$AGE_KEY_FILE" ]]; then
+ echo "Age key file not found at $AGE_KEY_FILE. Copy creds/age-key.txt or set SOPS_AGE_KEY_FILE." >&2
+ exit 1
+ fi
+ if command -v age-keygen >/dev/null 2>&1; then
+ if ! age-keygen -y "$AGE_KEY_FILE" 2>/dev/null | grep -q "$AGE_RECIPIENT"; then
+ echo "Age key file at $AGE_KEY_FILE does not contain the expected public key ($AGE_RECIPIENT)." >&2
+ echo "Ensure your ~/.config/age/keys.txt includes the repo key (see creds/age-key.txt)." >&2
+ exit 1
+ fi
+ else
+ # Fallback: best-effort text check for the public key comment
+ if ! grep -q "$AGE_RECIPIENT" "$AGE_KEY_FILE"; then
+ echo "Age key file at $AGE_KEY_FILE is missing the expected public key comment ($AGE_RECIPIENT)." >&2
+ echo "Install age-keygen to verify keys or copy creds/age-key.txt." >&2
+ exit 1
+ fi
+ fi
+}
+
+echo "Running pre-flight checks..."
+for tool in git npm; do
+ require_cmd "$tool"
+done
+check_docker
+check_age_setup
+
 GIT_SHA=$(git rev-parse --short HEAD 2>/dev/null || date +%s)
 BASE_TAG=${BUILD_TAG:-$GIT_SHA}
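Review bot: check_age_setup confirms the expected recipient is present in `$AGE_KEY_FILE` but never looks at the file's permissions, so a private SOPS identity left group- or world-readable after the suggested copy step passes the pre-flight silently. A mode check next to the existence test, before the age-keygen/grep branch, would catch this; it should only warn rather than exit, since CI may inject the key with whatever mode the runner uses. The error text also sends developers to `creds/age-key.txt` — if that path is tracked in the repository rather than gitignored or fetched from a secrets store, the decryption key is effectively shared with anyone who can clone it, which is worth confirming. Minor: under `set -u`, the default in `AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$HOME/.config/age/keys.txt}"` aborts with an unbound-variable error on runners where HOME is unset; `${HOME:-}` avoids that.
```shell
  # … unchanged: SKIP_AGE_CHECK, require_cmd sops, existence check for $AGE_KEY_FILE …
  # Warn (don't fail) if the private key is readable by group/others.
  local key_mode
  key_mode=$(stat -c '%a' "$AGE_KEY_FILE" 2>/dev/null || stat -f '%Lp' "$AGE_KEY_FILE" 2>/dev/null || true)
  if [[ -n "$key_mode" && "${key_mode: -2}" != "00" ]]; then
    echo "Warning: $AGE_KEY_FILE is mode $key_mode; run chmod 600 \"$AGE_KEY_FILE\" so only you can read it." >&2
  fi
  # … unchanged: age-keygen / grep recipient check …
```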