🔒 security(auth): migrate to EdDSA JWT and add automated monitoring

BREAKING: JWT keys are now auto-managed by Better Auth (EdDSA/Ed25519)
- Remove all JWT_PRIVATE_KEY, JWT_PUBLIC_KEY, JWT_SECRET references
- Keys stored in auth.jwks database table (auto-generated on first run)
- Delete obsolete generate-keys.sh and generate-staging-secrets.sh scripts
- Clean up legacy AUTH_*.md analysis files from root

Security Improvements:
- Add security_events table for audit logging
- Add SecurityEventsService for tracking auth events
- Enhanced security headers (HSTS, CSP, X-Frame-Options)
- Rate limiting configuration

Monitoring Setup:
- Add auth-health-check.sh for automated testing
- Add generate-dashboard.sh for HTML status dashboard
- Tests: health endpoint, JWKS (EdDSA), security headers, response time
- Ready for Hetzner cron deployment

Documentation:
- Update deployment docs with Better Auth notes
- Update environment variable references
- Add security improvements documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.github/workflows/cd-production.yml

@@ -180,9 +180,7 @@ jobs:
 
           # Mana Core Auth
           MANA_SERVICE_URL=${{ secrets.PRODUCTION_MANA_SERVICE_URL }}
-          JWT_SECRET=${{ secrets.PRODUCTION_JWT_SECRET }}
-          JWT_PUBLIC_KEY=${{ secrets.PRODUCTION_JWT_PUBLIC_KEY }}
-          JWT_PRIVATE_KEY=${{ secrets.PRODUCTION_JWT_PRIVATE_KEY }}
+          # JWT keys managed automatically by Better Auth (EdDSA) - stored in auth.jwks table
 
           # Supabase
           SUPABASE_URL=${{ secrets.PRODUCTION_SUPABASE_URL }}

.github/workflows/cd-staging.yml

@@ -109,9 +109,7 @@ jobs:
 
           # Mana Core Auth - Configuration
           MANA_SERVICE_URL=http://mana-core-auth:3001
-          JWT_SECRET=${{ secrets.JWT_SECRET }}
-          JWT_PUBLIC_KEY=${{ secrets.JWT_PUBLIC_KEY }}
-          JWT_PRIVATE_KEY=${{ secrets.JWT_PRIVATE_KEY }}
+          # JWT keys managed automatically by Better Auth (EdDSA) - stored in auth.jwks table
 
           # Brevo Email Service
           BREVO_API_KEY=${{ secrets.BREVO_API_KEY }}

.github/workflows/cd-staging.yml.bak

@@ -1,264 +0,0 @@
-# ARCHIVED: Full staging workflow with all services
-# Active simplified workflow: .github/workflows/cd-staging.yml
-#
-# Services included: mana-core-auth, chat-backend, manadeck-backend
-#
-# To restore: cp .github/workflows/cd-staging.full.yml .github/workflows/cd-staging.yml
-
-name: CD - Staging Deployment
-
-on:
-  workflow_dispatch:
-    inputs:
-      service:
-        description: 'Service to deploy (leave empty for all)'
-        required: false
-        type: choice
-        options:
-          - all
-          - mana-core-auth
-          - chat-backend
-          - manadeck-backend
-  workflow_call:
-
-permissions:
-  contents: read
-  packages: read
-
-env:
-  NODE_VERSION: '20'
-  PNPM_VERSION: '9.15.0'
-
-jobs:
-  deploy-staging:
-    name: Deploy to Staging
-    runs-on: ubuntu-latest
-    environment:
-      name: staging
-      url: https://staging.manacore.app
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Setup SSH for deployment
-        uses: webfactory/ssh-agent@v0.9.0
-        with:
-          ssh-private-key: ${{ secrets.STAGING_SSH_KEY }}
-
-      - name: Add staging server to known hosts
-        env:
-          STAGING_HOST: 46.224.108.214
-        run: |
-          mkdir -p ~/.ssh
-          ssh-keyscan -H $STAGING_HOST >> ~/.ssh/known_hosts
-
-      - name: Prepare deployment directory
-        env:
-          STAGING_USER: deploy
-          STAGING_HOST: 46.224.108.214
-        run: |
-          ssh $STAGING_USER@$STAGING_HOST << 'EOF'
-            mkdir -p ~/manacore-staging
-            cd ~/manacore-staging
-
-            # Create required directories
-            mkdir -p logs
-            mkdir -p data/postgres
-            mkdir -p data/redis
-          EOF
-
-      - name: Copy docker-compose file
-        env:
-          STAGING_USER: deploy
-          STAGING_HOST: 46.224.108.214
-        run: |
-          scp docker-compose.staging.yml $STAGING_USER@$STAGING_HOST:~/manacore-staging/docker-compose.yml
-
-      - name: Copy environment file
-        env:
-          STAGING_USER: deploy
-          STAGING_HOST: 46.224.108.214
-        run: |
-          # Create staging env file (mix of hardcoded config and secrets)
-          cat > .env.staging << EOF
-          # Database - Configuration
-          POSTGRES_HOST=postgres
-          POSTGRES_PORT=5432
-          POSTGRES_DB=manacore
-          POSTGRES_USER=postgres
-          POSTGRES_PASSWORD=${{ secrets.STAGING_POSTGRES_PASSWORD }}
-
-          # Redis - Configuration
-          REDIS_HOST=redis
-          REDIS_PORT=6379
-          REDIS_PASSWORD=${{ secrets.STAGING_REDIS_PASSWORD }}
-
-          # Mana Core Auth - Configuration
-          MANA_SERVICE_URL=http://mana-core-auth:3001
-          JWT_SECRET=${{ secrets.STAGING_JWT_SECRET }}
-          JWT_PUBLIC_KEY=${{ secrets.STAGING_JWT_PUBLIC_KEY }}
-          JWT_PRIVATE_KEY=${{ secrets.STAGING_JWT_PRIVATE_KEY }}
-
-          # Supabase
-          SUPABASE_URL=${{ secrets.STAGING_SUPABASE_URL }}
-          SUPABASE_ANON_KEY=${{ secrets.STAGING_SUPABASE_ANON_KEY }}
-          SUPABASE_SERVICE_ROLE_KEY=${{ secrets.STAGING_SUPABASE_SERVICE_ROLE_KEY }}
-
-          # Azure OpenAI
-          AZURE_OPENAI_ENDPOINT=${{ secrets.STAGING_AZURE_OPENAI_ENDPOINT }}
-          AZURE_OPENAI_API_KEY=${{ secrets.STAGING_AZURE_OPENAI_API_KEY }}
-          AZURE_OPENAI_API_VERSION=2024-12-01-preview
-
-          # Environment
-          NODE_ENV=staging
-          EOF
-
-          scp .env.staging $STAGING_USER@$STAGING_HOST:~/manacore-staging/.env
-          rm .env.staging
-
-      - name: Login to GitHub Container Registry on staging server
-        env:
-          STAGING_USER: deploy
-          STAGING_HOST: 46.224.108.214
-        run: |
-          ssh $STAGING_USER@$STAGING_HOST << EOF
-            # Login to ghcr.io with GitHub token
-            echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-          EOF
-
-      - name: Pull latest Docker images
-        env:
-          STAGING_USER: deploy
-          STAGING_HOST: 46.224.108.214
-        run: |
-          ssh $STAGING_USER@$STAGING_HOST << 'EOF'
-            cd ~/manacore-staging
-            docker compose pull
-          EOF
-
-      - name: Deploy services
-        env:
-          STAGING_USER: deploy
-          STAGING_HOST: 46.224.108.214
-        run: |
-          SERVICE="${{ github.event.inputs.service || 'all' }}"
-
-          ssh $STAGING_USER@$STAGING_HOST << EOF
-            cd ~/manacore-staging
-
-            # Determine which services to deploy
-            if [ "$SERVICE" == "all" ]; then
-              echo "Deploying all services..."
-              docker compose up -d
-            else
-              echo "Deploying service: $SERVICE"
-              docker compose up -d $SERVICE
-            fi
-
-            # Wait for initial startup
-            echo "Waiting for services to start..."
-            sleep 15
-
-            echo "=== Container Status ==="
-            docker compose ps
-          EOF
-
-      - name: Run health checks
-        env:
-          STAGING_USER: deploy
-          STAGING_HOST: 46.224.108.214
-        run: |
-          ssh $STAGING_USER@$STAGING_HOST << 'EOF'
-            cd ~/manacore-staging
-
-            # Wait for services to fully start
-            echo "Waiting 60s for services to fully initialize..."
-            sleep 60
-
-            echo "=== Container Status ==="
-            docker compose ps
-
-            echo ""
-            echo "=== Health Checks ==="
-
-            # Check mana-core-auth
-            echo "Checking mana-core-auth..."
-            if docker compose exec -T mana-core-auth wget -q -O - http://localhost:3001/api/v1/health > /dev/null 2>&1; then
-              echo "✅ mana-core-auth is healthy"
-            else
-              echo "❌ mana-core-auth health check failed"
-              echo "=== Logs ==="
-              docker compose logs --tail=50 mana-core-auth
-              exit 1
-            fi
-
-            # Check chat-backend
-            echo "Checking chat-backend..."
-            if docker compose exec -T chat-backend wget -q -O - http://localhost:3002/api/health > /dev/null 2>&1; then
-              echo "✅ chat-backend is healthy"
-            else
-              echo "❌ chat-backend health check failed"
-              echo "=== Logs ==="
-              docker compose logs --tail=50 chat-backend
-              exit 1
-            fi
-
-            # Check manadeck-backend
-            echo "Checking manadeck-backend..."
-            if docker compose exec -T manadeck-backend wget -q -O - http://localhost:3003/api/health > /dev/null 2>&1; then
-              echo "✅ manadeck-backend is healthy"
-            else
-              echo "❌ manadeck-backend health check failed"
-              echo "=== Logs ==="
-              docker compose logs --tail=50 manadeck-backend
-              exit 1
-            fi
-
-            echo ""
-            echo "✅ All health checks passed!"
-          EOF
-
-      - name: Run database migrations
-        env:
-          STAGING_USER: deploy
-          STAGING_HOST: 46.224.108.214
-        run: |
-          # Run migrations for services that need them
-          ssh $STAGING_USER@$STAGING_HOST << 'EOF'
-            cd ~/manacore-staging
-
-            # Mana Core Auth migrations
-            docker compose exec -T mana-core-auth pnpm run db:migrate || echo "Auth migrations skipped"
-          EOF
-
-      - name: Deployment summary
-        run: |
-          echo "## Staging Deployment Summary" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "- **Environment**: Staging" >> $GITHUB_STEP_SUMMARY
-          echo "- **Deployed by**: ${{ github.actor }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Commit**: ${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Timestamp**: $(date -u +'%Y-%m-%d %H:%M:%S UTC')" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "### Services Deployed" >> $GITHUB_STEP_SUMMARY
-          echo "Service: ${{ github.event.inputs.service || 'all' }}" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "### Health Checks" >> $GITHUB_STEP_SUMMARY
-          echo "All health checks passed ✅" >> $GITHUB_STEP_SUMMARY
-
-  notify-deployment:
-    name: Notify Deployment
-    runs-on: ubuntu-latest
-    needs: deploy-staging
-    if: always()
-    steps:
-      - name: Deployment notification
-        run: |
-          STATUS="${{ needs.deploy-staging.result }}"
-
-          if [ "$STATUS" == "success" ]; then
-            echo "✅ Staging deployment completed successfully"
-          else
-            echo "❌ Staging deployment failed"
-            exit 1
-          fi