feat(personas): move admin + internal endpoints from mana-auth to apps/api

Schließt die platform/product-split-Lücke: HEAD's apps/api/src/index.ts
referenziert seit dem Forms-M10d-Commit personasInternalRoutes /
personasAdminRoutes — die Implementierung lag aber noch nicht im Repo.
Build war strukturell broken bis hierhin.

Was wandert von mana-auth nach apps/api:

  apps/api/src/modules/personas/
    ├── schema.ts          — pgSchema('personas') mit personas /
    │                        persona_actions / persona_feedback;
    │                        userId ist plain text (Cross-DB-FK auf
    │                        mana-auth's auth.users geht nach Split nicht).
    ├── internal-routes.ts — service-key gated GET /due, POST /:id/actions
    │                        und POST /:id/feedback. Append-only +
    │                        idempotent über deterministische row-ids
    │                        (tickId-i-tool / tickId-module).
    └── admin-routes.ts    — admin-JWT gated CRUD; ruft mana-auth via
                             /api/v1/admin/users + /api/v1/auth/register
                             + /api/v1/internal/users/:id/persona-stamp
                             für den User-Lifecycle.

Persona-runner-Client zeigt jetzt auf apps/api:

  - config.ts: neues apiUrl-Feld (default http://localhost:3060,
    Env MANA_API_URL); authUrl bleibt für /api/v1/auth/login + spaces.
  - clients/mana-auth-internal.ts: drei Calls treffen jetzt
    /api/v1/personas/internal/* statt mana-auth's
    /api/v1/internal/personas/* — Datei-Name bleibt um Call-Site-Diff
    klein zu halten.
  - index.ts: ManaAuthInternalClient bekommt config.apiUrl statt authUrl.

Seed/Cleanup-Skripte:

  - --api= als bevorzugter Flag, --auth= als Legacy-Alias (cached
    Shell-History würde sonst hart brechen).
  - default http://localhost:3060, Env MANA_API_URL.
  - Endpoint-Pfade umgeschrieben:
      POST   /api/v1/admin/personas        → /api/v1/personas/admin
      DELETE /api/v1/admin/personas/:id    → /api/v1/personas/admin/:id

drizzle.config.ts: schema-Array + schemaFilter um 'personas' erweitert.
DB-push ist Pflicht-Schritt vor erstem Boot, sonst 42P01 auf /due.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

services/mana-persona-runner/src/clients/mana-auth-internal.ts

@@ -1,8 +1,13 @@
 /**
- * Service-to-service client for mana-auth's internal persona endpoints.
+ * Service-to-service client for the personas internal endpoints.
  *
  * Three calls: list due personas, post actions batch, post feedback
  * batch. All gated by `X-Service-Key` (not a user JWT).
+ *
+ * After the platform/product split, personas live in apps/api
+ * (`mana-monorepo/apps/api`), not in mana-auth. The constructor takes
+ * the apps/api URL — the file name stays the same to keep the
+ * callsite diff small (one import path), but the destination changed.
  */
 
 import type { ActionRow, FeedbackRow } from '../runner/types.ts';
@@ -19,7 +24,7 @@ export interface DuePersona {
 
 export class ManaAuthInternalClient {
 	constructor(
-		private readonly authUrl: string,
+		private readonly apiUrl: string,
 		private readonly serviceKey: string
 	) {
 		if (!serviceKey) {
@@ -35,7 +40,7 @@ export class ManaAuthInternalClient {
 	}
 
 	async listDuePersonas(): Promise<DuePersona[]> {
-		const res = await fetch(`${this.authUrl}/api/v1/internal/personas/due`, {
+		const res = await fetch(`${this.apiUrl}/api/v1/personas/internal/due`, {
 			headers: this.headers(),
 		});
 		if (!res.ok) {
@@ -47,7 +52,7 @@ export class ManaAuthInternalClient {
 
 	async postActions(personaId: string, actions: ActionRow[]): Promise<void> {
 		if (actions.length === 0) return;
-		const res = await fetch(`${this.authUrl}/api/v1/internal/personas/${personaId}/actions`, {
+		const res = await fetch(`${this.apiUrl}/api/v1/personas/internal/${personaId}/actions`, {
 			method: 'POST',
 			headers: this.headers(),
 			body: JSON.stringify({ actions }),
@@ -59,7 +64,7 @@ export class ManaAuthInternalClient {
 
 	async postFeedback(personaId: string, feedback: FeedbackRow[]): Promise<void> {
 		if (feedback.length === 0) return;
-		const res = await fetch(`${this.authUrl}/api/v1/internal/personas/${personaId}/feedback`, {
+		const res = await fetch(`${this.apiUrl}/api/v1/personas/internal/${personaId}/feedback`, {
 			method: 'POST',
 			headers: this.headers(),
 			body: JSON.stringify({ feedback }),

services/mana-persona-runner/src/config.ts

@@ -6,12 +6,16 @@
 export interface Config {
 	port: number;
 
-	/** mana-auth base URL — for login, spaces list, persistence callbacks. */
+	/** mana-auth base URL — for login + spaces list. */
 	authUrl: string;
+	/** apps/api base URL — for /api/v1/personas/internal/* callbacks
+	 *  (due, actions, feedback). Personas live in mana_platform now,
+	 *  not in mana-auth. */
+	apiUrl: string;
 	/** mana-mcp base URL — where Claude talks to the tool registry. */
 	mcpUrl: string;
 
-	/** Service key for /api/v1/internal/* callbacks into mana-auth. */
+	/** Service key for /api/v1/personas/internal/* callbacks into apps/api. */
 	serviceKey: string;
 
 	/** Anthropic API key that drives each persona's Claude call. */
@@ -60,6 +64,7 @@ export function loadConfig(): Config {
 	return {
 		port: intEnv('PORT', 3070),
 		authUrl: process.env.MANA_AUTH_URL ?? 'http://localhost:3001',
+		apiUrl: process.env.MANA_API_URL ?? 'http://localhost:3060',
 		mcpUrl: process.env.MANA_MCP_URL ?? 'http://localhost:3069',
 		serviceKey: process.env.MANA_SERVICE_KEY ?? '',
 		anthropicApiKey: process.env.ANTHROPIC_API_KEY ?? '',

services/mana-persona-runner/src/index.ts

@@ -23,7 +23,7 @@ assertProductionSecrets(config);
 
 const authClient = new AuthClient(config.authUrl);
 const internalClient = config.serviceKey
-	? new ManaAuthInternalClient(config.authUrl, config.serviceKey)
+	? new ManaAuthInternalClient(config.apiUrl, config.serviceKey)
 	: null;
 
 const app = new Hono();