till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-19 18:21:24 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

🔒️ feat(auth): centralize JWT validation and add deployment docs

Browse source 
- Migrate Chat, Picture, Presi, Zitare backends to shared auth guards
- Remove duplicate local JWT guards and decorators
- Add CD staging workflow for tagged releases
- Add comprehensive auth architecture documentation
- Add Hetzner deployment and Docker setup guides
- Add environment configuration audit docs
- Update env generation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Wuesteon 2025-12-01 20:44:45 +01:00
parent 942c588e15
commit 5b0b3095ff
50 changed files with 11916 additions and 718 deletions
Download patch file Download diff file Expand all files Collapse all files

750
docs/DOCKER_SETUP_ANALYSIS.md Normal file
View file

@ -0,0 +1,750 @@
# Docker Setup Analysis - Current State
**Analysis Date**: 2025-12-01
**Scope**: Complete monorepo Docker configuration for Hetzner deployment
## Executive Summary
The monorepo has **solid Docker foundations** with multi-environment compose files and containerized services, but requires **critical fixes** before production deployment to Hetzner.
**Status**: ⚠️ **Not Production Ready** - 4 critical blockers identified
---
## Table of Contents
- [Docker Files Inventory](#docker-files-inventory)
- [Current Architecture](#current-architecture)
- [Containerized Services](#containerized-services)
- [Critical Blocking Issues](#critical-blocking-issues)
- [Configuration Gaps](#configuration-gaps)
- [Best Practices Currently Followed](#best-practices-currently-followed)
- [Immediate Actions Required](#immediate-actions-required)
---
## Docker Files Inventory
### Root-Level Compose Files
| File | Lines | Purpose | Status |
|------|-------|---------|--------|
| `docker-compose.yml` | 190 | Full production stack with Traefik, PostgreSQL, Redis, PgBouncer, Prometheus, Grafana | ⚠️ Missing configs |
| `docker-compose.dev.yml` | 117 | Development setup with minimal infrastructure | ✅ Working |
| `docker-compose.staging.yml` | 273 | Staging environment with 5 backends and registry images | ✅ Working |
| `docker-compose.production.yml` | 253 | Production deployment with resource constraints | ⚠️ Missing external services |
### Active Service Dockerfiles
| Service | Path | Base Image | Status |
|---------|------|------------|--------|
| mana-core-auth | `services/mana-core-auth/Dockerfile` | Node 20-alpine | ✅ Working |
| chat-backend | `apps/chat/apps/backend/Dockerfile` | Node 20-alpine | ✅ Working |
| picture-backend | `apps/picture/apps/backend/Dockerfile` | Node 20-alpine | ✅ Working |
| manadeck-backend | `apps/manadeck/apps/backend/Dockerfile` | Node 18 | ❌ Inconsistent |
### Docker Templates (Reusable)
```
docker/templates/
├── Dockerfile.nestjs # Multi-service NestJS template
├── Dockerfile.sveltekit # SvelteKit web app template
└── Dockerfile.astro # Astro static site with Nginx
```
### Supporting Infrastructure
```
docker/
├── init-db/
│ └── 01-create-databases.sql # Database initialization
├── nginx/
│ └── astro.conf # Nginx config for static sites
├── prometheus/
│ └── prometheus.yml # ❌ MISSING
└── grafana/
└── provisioning/ # ❌ MISSING
```
### Entrypoint Scripts
- `services/mana-core-auth/docker-entrypoint.sh`
- `apps/chat/apps/backend/docker-entrypoint.sh`
- `apps/picture/apps/backend/docker-entrypoint.sh`
- `apps/manadeck/apps/backend/docker-entrypoint.sh` ❌ Missing
---
## Current Architecture
### Development Environment
**File**: `docker-compose.dev.yml`
```
Services:
- PostgreSQL 16-alpine (port 5432)
- Redis 7-alpine (port 6379)
- Optional services via profiles ("auth", "chat", "all")
Network: manacore-network (bridge)
Health Checks: 10-second intervals
Restart Policy: unless-stopped
```
**Purpose**: Minimal stack for local development with hot reload support.
### Staging Environment
**File**: `docker-compose.staging.yml`
```
Services:
- 5 backend microservices (maerchenzauber, chat, manadeck, nutriphi, news)
- PostgreSQL and Redis infrastructure
- Nginx reverse proxy (ports 80/443)
Images: Pre-built from Docker registry
Health Checks: 30-second intervals
Logging: Structured JSON (10MB max-size, 3 files)
Network: manacore-staging (bridge)
```
**Purpose**: Pre-production testing environment.
### Production Environment
**File**: `docker-compose.production.yml`
```
Services:
- 5 backend microservices only (no web apps)
- External PostgreSQL/Redis (not containerized)
Ports: All bound to 127.0.0.1 (localhost only)
Resource Constraints: 1-2 CPUs, 512MB-1GB memory per service
Volumes: None (external services)
Network: manacore-production (bridge)
```
**Purpose**: Minimal application footprint for managed infrastructure.
### Full Infrastructure Stack
**File**: `docker-compose.yml`
```
Services:
- Traefik v3.0 (reverse proxy with Let's Encrypt SSL)
- PostgreSQL 16-alpine + PgBouncer (connection pooling)
- Redis 7-alpine (session management)
- Prometheus (metrics collection) ⚠️ Missing config
- Grafana (monitoring dashboards) ⚠️ Missing provisioning
Features:
- Automatic SSL via Traefik
- Database connection pooling
- Metrics collection
- Dashboard monitoring
```
**Purpose**: Complete on-premises deployment with monitoring.
---
## Containerized Services
### Active & Containerized
| Service | Technology | Port | Status |
|---------|------------|------|--------|
| mana-core-auth | NestJS | 3001 | ✅ Production Ready |
| chat-backend | NestJS | 3002 | ✅ Production Ready |
| picture-backend | NestJS | 3006 | ✅ Production Ready |
| manadeck-backend | NestJS | 3009 | ⚠️ Needs Updates |
### Not Yet Containerized
**Web Apps (SvelteKit)**:
- Templates available in `docker/templates/Dockerfile.sveltekit`
- Need per-project Dockerfiles
- SSR support included
**Landing Pages (Astro)**:
- Templates available in `docker/templates/Dockerfile.astro`
- Nginx configuration ready (`docker/nginx/astro.conf`)
- Static site optimization included
**Mobile Apps (Expo/React Native)**:
- Not containerized (not applicable for Hetzner deployment)
- Built and deployed to app stores separately
---
## Critical Blocking Issues
### 1. ❌ Missing Prometheus Configuration
**Impact**: High - Blocks monitoring deployment
**File**: `docker/prometheus/prometheus.yml`
**Issue**: Referenced in `docker-compose.yml` but file doesn't exist.
**Error**:
```yaml
# docker-compose.yml line ~150
volumes:
- ./docker/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
```
**Solution Required**:
```bash
mkdir -p docker/prometheus
```
Create basic `prometheus.yml`:
```yaml
global:
scrape_interval: 15s
evaluation_interval: 15s
scrape_configs:
- job_name: 'prometheus'
static_configs:
- targets: ['localhost:9090']
- job_name: 'node-exporter'
static_configs:
- targets: ['node-exporter:9100']
- job_name: 'postgres'
static_configs:
- targets: ['postgres:9187']
- job_name: 'redis'
static_configs:
- targets: ['redis:9121']
```
### 2. ❌ Missing Grafana Provisioning
**Impact**: High - Blocks monitoring dashboard deployment
**Directory**: `docker/grafana/provisioning/`
**Issue**: Referenced in docker-compose but directories don't exist:
- `docker/grafana/provisioning/dashboards/`
- `docker/grafana/provisioning/datasources/`
**Solution Required**:
```bash
mkdir -p docker/grafana/provisioning/{dashboards,datasources}
```
Create `docker/grafana/provisioning/datasources/prometheus.yml`:
```yaml
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
access: proxy
url: http://prometheus:9090
isDefault: true
editable: true
```
Create `docker/grafana/provisioning/dashboards/default.yml`:
```yaml
apiVersion: 1
providers:
- name: 'Default'
orgId: 1
folder: ''
type: file
disableDeletion: false
updateIntervalSeconds: 10
allowUiUpdates: true
options:
path: /var/lib/grafana/dashboards
```
### 3. ❌ Node Version Inconsistency
**Impact**: Medium - May cause runtime issues
**File**: `apps/manadeck/apps/backend/Dockerfile`
**Issue**: ManaDeck uses Node 18 while all other services use Node 20.
**Current**:
```dockerfile
FROM node:18-alpine AS base
```
**Should Be**:
```dockerfile
FROM node:20-alpine AS base
```
**Location**: `/Users/wuesteon/dev/mana_universe/manacore-monorepo/apps/manadeck/apps/backend/Dockerfile:1`
### 4. ❌ ManaDeck Dockerfile Anomalies
**Impact**: Medium - Build inconsistency
**File**: `apps/manadeck/apps/backend/Dockerfile`
**Issues**:
1. Uses `npm` instead of `pnpm` (lines 15, 33, 38)
2. Includes peer dependency workaround (`--legacy-peer-deps`)
3. Cloud Run specific configuration (port 8080 instead of 3009)
4. Missing proper workspace awareness
**Example Issue**:
```dockerfile
# Line 15 - Should use pnpm
RUN npm ci --omit=dev --legacy-peer-deps
```
**Solution**: Refactor to use pnpm like other services.
---
## Configuration Gaps
### 1. Missing Staging HTTPS/SSL Configuration
**Severity**: Medium
Staging environment (`docker-compose.staging.yml`) only has HTTP Nginx configuration. No SSL/TLS setup for testing HTTPS in staging.
**Recommendation**: Add Let's Encrypt staging certificates or self-signed certs.
### 2. Inconsistent Docker Compose at Service Level
**Severity**: Low
Only `chat` and `picture` have local `docker-compose.yml` files in their service directories. Other projects don't have service-specific compose files.
**Current**:
```
apps/chat/docker-compose.yml ✅ Exists
apps/picture/docker-compose.yml ✅ Exists
apps/manadeck/docker-compose.yml ❌ Missing
apps/zitare/docker-compose.yml ❌ Missing
apps/presi/docker-compose.yml ❌ Missing
```
### 3. Database Initialization Unclear
**Severity**: Medium
Database initialization script (`docker/init-db/01-create-databases.sql`) exists, but unclear if it covers all services beyond mana-core-auth.
**Services Requiring Databases**:
- mana-core-auth (PostgreSQL + Redis) ✅
- chat-backend (PostgreSQL) ?
- picture-backend (PostgreSQL) ?
- manadeck-backend (Supabase external) N/A
- zitare-backend (PostgreSQL) ?
- presi-backend (PostgreSQL) ?
### 4. No Resource Limits in Development
**Severity**: Low
Development environment (`docker-compose.dev.yml`) has no resource limits, which can lead to runaway containers consuming all system resources.
**Recommendation**: Add development-appropriate limits (e.g., 2GB RAM per service).
### 5. Entrypoint Scripts Not Universal
**Severity**: Low
Not all services have entrypoint scripts for handling migrations, health checks, and graceful shutdown.
**Have Entrypoints**:
- mana-core-auth ✅
- chat-backend ✅
- picture-backend ✅
**Missing Entrypoints**:
- manadeck-backend ❌
- zitare-backend ❌
- presi-backend ❌
---
## Best Practices Currently Followed
### ✅ Multi-Stage Dockerfile Builds
All Dockerfiles use multi-stage builds with separate `build` and `production` stages:
```dockerfile
FROM node:20-alpine AS base
# ... setup
FROM base AS build
# ... build artifacts
FROM node:20-alpine AS production
# ... copy only necessary files
```
**Benefit**: Smaller production images (~50% size reduction).
### ✅ Non-Root User Execution
All services run as non-root users:
```dockerfile
RUN addgroup -g 1001 -S nodejs && \
adduser -S nestjs -u 1001
USER nestjs
```
**Security Impact**: Prevents privilege escalation attacks.
### ✅ Alpine Base Images
Using Alpine Linux for minimal attack surface:
```dockerfile
FROM node:20-alpine
```
**Benefit**: ~40MB base image vs ~900MB for standard Node images.
### ✅ Health Checks on All Services
Comprehensive health checks with appropriate timeouts:
```yaml
healthcheck:
test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
```
### ✅ Service Dependencies with Health Conditions
Proper dependency orchestration:
```yaml
depends_on:
postgres:
condition: service_healthy
redis:
condition: service_healthy
```
### ✅ Named Volumes for Data Persistence
Explicit volume naming for easy backup/restore:
```yaml
volumes:
postgres-data:
driver: local
name: manacore-postgres-data
```
### ✅ Environment Variable Externalization
Secrets and configuration via environment files:
```yaml
env_file:
- .env.development
- .env.production
```
### ✅ Custom Bridge Networks
Service isolation with custom networks:
```yaml
networks:
manacore-network:
driver: bridge
name: manacore-network
```
### ✅ Restart Policies
Appropriate restart policies per environment:
```yaml
restart: unless-stopped # Staging/Production
restart: on-failure # Development
```
### ✅ Reverse Proxy with SSL
Traefik with automatic Let's Encrypt SSL:
```yaml
command:
- "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
- "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
```
### ✅ Database Connection Pooling
PgBouncer integration for efficient connection management.
### ✅ Redis Caching Layer
Centralized caching with Redis for session management and performance.
### ✅ Docker Compose Profiles
Selective service startup with profiles:
```yaml
services:
mana-core-auth:
profiles: ["auth", "all"]
chat-backend:
profiles: ["chat", "all"]
```
### ✅ pnpm Workspace Awareness
Dockerfiles properly handle pnpm workspaces:
```dockerfile
COPY pnpm-workspace.yaml package.json pnpm-lock.yaml ./
RUN pnpm fetch
RUN pnpm install --frozen-lockfile --offline
```
---
## Best Practice Gaps
### Missing: Docker Build Cache Optimization
**Issue**: No `.dockerignore` optimization strategy across services.
**Impact**: Slower builds, larger build contexts sent to Docker daemon.
**Recommendation**: Add comprehensive `.dockerignore` files per service.
### Missing: Multi-Architecture Build Support
**Issue**: No explicit multi-architecture builds (assumes AMD64 only).
**Impact**: M1/M2 Mac developers may face compatibility issues.
**Recommendation**: Use `docker buildx` for ARM64 + AMD64 builds.
### Missing: Container Security Scanning
**Issue**: No automated security scanning (Trivy, Hadolint, etc.).
**Impact**: Unknown vulnerabilities in production images.
**Recommendation**: Add CI/CD security scanning step.
### Missing: Consistent Logging
**Issue**: Logging configuration varies across environments.
**Recommendation**: Standardize JSON structured logging across all environments.
### Missing: Docker Deployment Documentation
**Issue**: No step-by-step Docker deployment guide.
**Impact**: Difficult onboarding for new developers.
**Recommendation**: Create `DOCKER_DEPLOYMENT.md` with runbooks.
---
## Environment Variable Handling
### Root-Level `.dockerignore` Excludes
```
node_modules/
dist/
.git/
.env*
*.log
coverage/
```
**Status**: ✅ Properly configured
### Variable Management Strategy
**Three-Tier Hierarchy**:
1. **Root `.env.development`**: Shared development variables (committed)
2. **Environment-specific** (`.env.production`): Secrets (gitignored)
3. **Service-specific**: Per-service overrides in compose files
**Key Secrets Required**:
- `POSTGRES_PASSWORD`
- `REDIS_PASSWORD`
- `JWT_PRIVATE_KEY`, `JWT_PUBLIC_KEY`
- `AZURE_OPENAI_API_KEY`
- `GOOGLE_GENAI_API_KEY`
- `SUPABASE_SERVICE_ROLE_KEY`
---
## Network & Volume Strategy
### Networks
**Development**: `manacore-network` (bridge)
**Staging**: `manacore-staging` (bridge)
**Production**: `manacore-production` (bridge)
**Service-to-Service Communication**: Via Docker DNS
- `postgres:5432`
- `redis:6379`
- `mana-core-auth:3001`
### Volumes
**Development**:
```yaml
volumes:
postgres-data: {}
redis-data: {}
```
**Staging**:
```yaml
volumes:
postgres_data:
name: manacore-staging-postgres
redis_data:
name: manacore-staging-redis
```
**Production**: No volumes (external services assumed)
**Full Stack**:
```yaml
volumes:
postgres-data: {}
redis-data: {}
traefik-letsencrypt: {}
prometheus-data: {}
grafana-data: {}
```
---
## Immediate Actions Required
### Priority 1: Critical Blockers (Must Fix Before Deployment)
1. **Create Prometheus Configuration**
```bash
mkdir -p docker/prometheus
# Create prometheus.yml (see issue #1)
```
2. **Create Grafana Provisioning**
```bash
mkdir -p docker/grafana/provisioning/{dashboards,datasources}
# Create provisioning files (see issue #2)
```
3. **Update ManaDeck Node Version**
```bash
# Edit apps/manadeck/apps/backend/Dockerfile
# Change FROM node:18-alpine to node:20-alpine
```
4. **Fix ManaDeck Dockerfile**
```bash
# Refactor to use pnpm instead of npm
# Remove --legacy-peer-deps
# Fix port configuration (3009 instead of 8080)
```
### Priority 2: Configuration Improvements
5. **Add Staging SSL Configuration**
- Add Let's Encrypt staging environment
- Or configure self-signed certificates
6. **Standardize Service Compose Files**
- Add `docker-compose.yml` to all projects
- Follow chat/picture pattern
7. **Document Database Initialization**
- Clarify which databases are created
- Add initialization for all services
8. **Add Development Resource Limits**
- Prevent runaway containers
- Set reasonable limits (e.g., 2GB RAM)
9. **Add Entrypoint Scripts**
- Create for manadeck, zitare, presi
- Standardize migration handling
### Priority 3: Best Practice Enhancements
10. **Optimize Docker Build Cache**
- Add comprehensive `.dockerignore` files
- Optimize layer ordering
11. **Add Multi-Architecture Support**
- Use `docker buildx`
- Build for AMD64 + ARM64
12. **Implement Security Scanning**
- Add Trivy to CI/CD
- Scan images before push
13. **Standardize Logging**
- JSON structured logging
- Consistent across environments
14. **Create Deployment Documentation**
- Step-by-step runbooks
- Troubleshooting guides
---
## Estimated Time to Production Ready
| Phase | Tasks | Time Estimate |
|-------|-------|---------------|
| **Phase 1: Critical Fixes** | Issues #1-4 | 2-4 hours |
| **Phase 2: Configuration** | Issues #5-9 | 4-6 hours |
| **Phase 3: Best Practices** | Issues #10-14 | 6-8 hours |
| **Total** | 14 tasks | **12-18 hours** |
---
## Conclusion
The Docker setup demonstrates **strong architectural foundations** with:
- Multi-environment support ✅
- Service isolation ✅
- Health-driven orchestration ✅
- Security best practices ✅
However, **4 critical blockers** prevent immediate production deployment to Hetzner. Addressing these issues should take **2-4 hours** and will unblock staging and production deployments.
**Recommendation**: Fix Priority 1 items immediately, then incrementally address Priority 2 and 3 for production hardening.
---
**Related Documentation**:
- `HETZNER_PRODUCTION_GUIDE.md` - Comprehensive Hetzner deployment guide
- `DOCKER_COMPOSE_PRODUCTION_ARCHITECTURE.md` - Detailed architecture design
- `DOCKER_GUIDE.md` - Docker usage and best practices
- `DEPLOYMENT_HETZNER.md` - Deployment options comparison

166
docs/ENV_AUDIT_SUMMARY.md Normal file
View file

@ -0,0 +1,166 @@
# Environment Audit - Quick Summary
## Issues Found: 8 Critical/Major Items
### BLOCKING (Fix immediately - prevent simultaneous backend execution)
**Port Conflicts:**
```
Port 3002: Chat (3002) ← → Nutriphi (3002) [CONFLICT]
Port 3003: Picture (3003) ← → Maerchenzauber (3003) [CONFLICT]
```
**Hardcoded Values:**
- Chat backend hardcodes DEV_USER_ID instead of reading from env
### MAJOR (Inconsistencies across codebase)
**Auth URL Variable Names (Choose One):**
- Chat: MANA_CORE_AUTH_URL ✓
- Picture: MANA_CORE_AUTH_URL ✓
- Zitare: MANA_CORE_AUTH_URL ✓
- Presi: MANA_CORE_AUTH_URL ✓
- **Manadeck: MANA_SERVICE_URL** ← Should standardize
- **Nutriphi: MANACORE_AUTH_URL** ← Should standardize
**CORS Origins:**
- Hardcoded in 4 backends (Chat, Picture, Zitare, Presi)
- Should use CORS_ORIGINS from environment
**Missing Documentation:**
- No .env.example for Zitare backend
- No .env.example for Presi backend
### MEDIUM (Code quality)
**Validation Schemas:**
- Chat: Missing
- Picture: Missing
- Zitare: Missing
- Presi: Missing
- Manadeck: ✓ Has validation schema
- Mana-Core-Auth: ✓ Has validation config
---
## Quick Fix Checklist
### Phase 1: Critical (1-2 hours)
- [ ] Reassign Picture from port 3003 → 3005
- [ ] Reassign Nutriphi from port 3002 → 3006
- [ ] Add DEV_USER_ID to .env.development
- [ ] Update Chat to load DEV_USER_ID from ConfigService
### Phase 2: Major (2-3 hours)
- [ ] Rename MANA_SERVICE_URL to MANA_CORE_AUTH_URL in Manadeck
- [ ] Rename MANACORE_AUTH_URL to MANA_CORE_AUTH_URL in Nutriphi
- [ ] Create .env.example for Zitare
- [ ] Create .env.example for Presi
### Phase 3: Quality (3-4 hours)
- [ ] Add validation schemas to Chat, Picture, Zitare, Presi
- [ ] Extract CORS origins to environment variables
- [ ] Update all backends to read CORS_ORIGINS from env
---
## Port Mapping (Current vs Recommended)
```
Current: Recommended:
3001 ← Mana Core Auth → 3001 ← Mana Core Auth
3002 ← Chat → 3002 ← Chat
3002 ← Nutriphi [X] → 3006 ← Nutriphi [FIXED]
3003 ← Maerchenzauber → 3003 ← Maerchenzauber
3003 ← Picture [X] → 3005 ← Picture [FIXED]
3004 ← Manadeck → 3004 ← Manadeck
3007 ← Zitare → 3007 ← Zitare
3008 ← Presi → 3008 ← Presi
3010 ← Voxel Lava → 3010 ← Voxel Lava
3011 ← Mana Games → 3011 ← Mana Games
```
---
## Environment Variables Status
### Well-Configured
- MANA_CORE_AUTH_URL (central + mapped)
- JWT keys (central)
- API keys (central)
- Database URLs (individual + mapped)
### Needs Work
- DEV_USER_ID (hardcoded, not in env)
- DEV_BYPASS_AUTH (partial, only Chat)
- CORS_ORIGINS (hardcoded, not used by all)
- Auth URL naming (3 different conventions)
---
## Files to Modify
### .env.development
- [ ] Add DEV_USER_ID line
- [ ] Fix PICTURE_BACKEND_PORT (3003 → 3005)
- [ ] Fix NUTRIPHI_BACKEND_PORT (3002 → 3006)
### scripts/generate-env.mjs
- [ ] Line 205: MANA_SERVICE_URL → MANA_CORE_AUTH_URL (Manadeck)
- [ ] Line 272: MANACORE_AUTH_URL → MANA_CORE_AUTH_URL (Nutriphi)
### Backend Apps (4 files each)
- [ ] apps/chat/apps/backend/src/config/validation.schema.ts (create)
- [ ] apps/picture/apps/backend/src/config/validation.schema.ts (create)
- [ ] apps/zitare/apps/backend/src/config/validation.schema.ts (create)
- [ ] apps/presi/apps/backend/src/config/validation.schema.ts (create)
### Backend Main Files (4 files)
- [ ] apps/chat/apps/backend/src/main.ts (extract CORS)
- [ ] apps/picture/apps/backend/src/main.ts (extract CORS)
- [ ] apps/zitare/apps/backend/src/main.ts (extract CORS)
- [ ] apps/presi/apps/backend/src/main.ts (extract CORS)
### Backend Examples (2 files)
- [ ] apps/zitare/apps/backend/.env.example (create)
- [ ] apps/presi/apps/backend/.env.example (create)
### Chat Guard
- [ ] apps/chat/apps/backend/src/common/guards/jwt-auth.guard.ts
- Remove hardcoded DEV_USER_ID
- Read from configService instead
---
## Testing After Fixes
```bash
# Test all 10 backends can start simultaneously
pnpm dev:auth &
pnpm dev:chat:backend &
pnpm dev:manadeck:backend &
pnpm dev:picture:backend &
pnpm dev:zitare:backend &
pnpm dev:presi:backend &
# Verify each responds
curl http://localhost:3001/health
curl http://localhost:3002/api/health
curl http://localhost:3003/api/health # Maerchenzauber
curl http://localhost:3004/v1/health # Manadeck
curl http://localhost:3005/api/health # Picture (new port)
curl http://localhost:3007/api/health # Zitare
curl http://localhost:3008/api/health # Presi
```
---
## Additional Docs
See full audit report: `/docs/ENV_CONFIGURATION_AUDIT.md`
Key sections:
- Environment Variable Mapping (section 3)
- Hardcoded Values & Security (section 4)
- Configuration Best Practices (section 5)
- Implementation Checklist (section 10)

234
docs/ENV_BACKEND_MATRIX.md Normal file
View file

@ -0,0 +1,234 @@
# Environment Variable Configuration Matrix
## Backend Authentication & Port Status
```
╔══════════════════╦════════╦═══════════════════════╦═════════════════════╦═══════════════╗
║ Backend ║ Port ║ Auth URL Variable ║ Dev Bypass ║ Validation ║
╠══════════════════╬════════╬═══════════════════════╬═════════════════════╬═══════════════╣
║ Mana Core Auth ║ 3001 ║ N/A (Auth service) ║ N/A ║ ✓ Config svc ║
║ Chat ║ 3002 ║ MANA_CORE_AUTH_URL ║ ✓ Implemented ║ ✗ Missing ║
║ Maerchenzauber ║ 3003 ║ MANA_SERVICE_URL ║ ? Unknown ║ ? Unknown ║
║ Manadeck ║ 3004 ║ MANA_SERVICE_URL ║ ? Unknown ║ ✓ Joi schema ║
║ Picture ║ 3003 ║ MANA_CORE_AUTH_URL ║ ✗ Missing ║ ✗ Missing ║
║ Nutriphi ║ 3002 ║ MANACORE_AUTH_URL ║ ? Unknown ║ ? Unknown ║
║ Zitare ║ 3007 ║ MANA_CORE_AUTH_URL ║ ✗ Missing ║ ✗ Missing ║
║ Presi ║ 3008 ║ MANA_CORE_AUTH_URL ║ ✗ Missing ║ ✗ Missing ║
║ Voxel Lava ║ 3010 ║ ? Not checked ║ ? Unknown ║ ? Unknown ║
║ Mana Games ║ 3011 ║ ? Not checked ║ ? Unknown ║ ? Unknown ║
╚══════════════════╩════════╩═══════════════════════╩═════════════════════╩═══════════════╝
```
Legend:
- ✓ = Implemented/Present
- ✗ = Missing/Not implemented
- ? = Not analyzed in this audit
- Port conflicts highlighted in red
---
## Database URL Configuration
```
╔══════════════════╦════════════════════════════════════════════════╦════════════════╗
║ Backend ║ Database URL Variable ║ Generated ║
╠══════════════════╬════════════════════════════════════════════════╬════════════════╣
║ Mana Core Auth ║ MANA_CORE_AUTH_DATABASE_URL ║ ✓ via gen-env ║
║ Chat ║ CHAT_DATABASE_URL ║ ✓ via gen-env ║
║ Manadeck ║ MANADECK_DATABASE_URL ║ ✓ via gen-env ║
║ Picture ║ PICTURE_DATABASE_URL ║ ✓ via gen-env ║
║ Nutriphi ║ NUTRIPHI_DATABASE_URL ║ ✓ via gen-env ║
║ Zitare ║ ZITARE_DATABASE_URL ║ ✓ via gen-env ║
║ Presi ║ PRESI_DATABASE_URL ║ ✓ via gen-env ║
║ Voxel Lava ║ VOXEL_LAVA_DATABASE_URL ║ ✓ via gen-env ║
║ Mana Games ║ None specified ║ N/A ║
╚══════════════════╩════════════════════════════════════════════════╩════════════════╝
```
---
## CORS Configuration Status
```
╔══════════════════╦═══════════════════════════════════╦═════════════════════════════════╗
║ Backend ║ CORS Implementation ║ Recommendation ║
╠══════════════════╬═══════════════════════════════════╬═════════════════════════════════╣
║ Chat ║ Hardcoded array in main.ts ║ Move to CORS_ORIGINS env var ║
║ Picture ║ Hardcoded array in main.ts ║ Move to CORS_ORIGINS env var ║
║ Zitare ║ Hardcoded array in main.ts ║ Move to CORS_ORIGINS env var ║
║ Presi ║ Hardcoded array in main.ts ║ Move to CORS_ORIGINS env var ║
║ Manadeck ║ configService.get('FRONTEND_URL') ║ Already using env var (better) ║
║ Mana Core Auth ║ configService array ║ Already using env var (good) ║
╚══════════════════╩═══════════════════════════════════╩═════════════════════════════════╝
```
Current hardcoded CORS allowed origins (should be environment variable):
```javascript
// In 4 backends
const allowedOrigins = [
'http://localhost:3000',
'http://localhost:5173', // Primary web dev port
'http://localhost:5174', // Secondary web port
'http://localhost:5175', // Tertiary web port
'http://localhost:5177', // Zitare web
'http://localhost:5178', // Chat web / Presi web
'http://localhost:8081', // Expo dev server
'exp://localhost:8081', // Expo protocol
'http://localhost:3001', // Mana Core Auth
]
```
---
## Port Availability & Conflicts
```
Port 3000 ━━━━━━━━ [FREE]
Port 3001 ━━━━━━━━ Mana Core Auth (ACTIVE)
Port 3002 ━━━━━━━━ Chat (ACTIVE) + Nutriphi (ACTIVE) ⚠ CONFLICT!
3002a Chat
3002b Nutriphi (should be 3006)
Port 3003 ━━━━━━━━ Maerchenzauber (ACTIVE) + Picture (ACTIVE) ⚠ CONFLICT!
3003a Maerchenzauber
3003b Picture (should be 3005)
Port 3004 ━━━━━━━━ Manadeck (ACTIVE)
Port 3005 ━━━━━━━━ [AVAILABLE] ← Assign to Picture
Port 3006 ━━━━━━━━ [AVAILABLE] ← Assign to Nutriphi
Port 3007 ━━━━━━━━ Zitare (ACTIVE)
Port 3008 ━━━━━━━━ Presi (ACTIVE)
Port 3009 ━━━━━━━━ [RESERVED - mentioned in CLAUDE.md]
Port 3010 ━━━━━━━━ Voxel Lava (ACTIVE)
Port 3011 ━━━━━━━━ Mana Games (ACTIVE)
```
---
## Environment Variable Generation Map
### From .env.development to Backend .env Files
```
MANA_CORE_AUTH_PORT (3001)
↓ (generate-env.mjs line 61)
├→ services/mana-core-auth/.env {PORT}
CHAT_BACKEND_PORT (3002)
↓ (generate-env.mjs line 89)
├→ apps/chat/apps/backend/.env {PORT}
MANA_CORE_AUTH_URL (http://localhost:3001)
↓ (generate-env.mjs multiple lines)
├→ apps/chat/apps/backend/.env {MANA_CORE_AUTH_URL}
├→ apps/picture/apps/backend/.env {MANA_CORE_AUTH_URL}
├→ apps/zitare/apps/backend/.env {MANA_CORE_AUTH_URL}
├→ apps/presi/apps/backend/.env {MANA_CORE_AUTH_URL}
├→ apps/manadeck/apps/backend/.env {MANA_SERVICE_URL} ← NAMING INCONSISTENCY
└→ apps/nutriphi/apps/backend/.env {MANACORE_AUTH_URL} ← NAMING INCONSISTENCY
CORS_ORIGINS (http://localhost:3000,http://localhost:3002,...)
↓ (generate-env.mjs line 75, 136, 232, 301, 332, 372)
├→ services/mana-core-auth/.env {CORS_ORIGINS}
├→ apps/maerchenzauber/apps/backend/.env {CORS_ORIGINS}
├→ apps/picture/apps/backend/.env {CORS_ORIGINS}
├→ apps/zitare/apps/backend/.env {CORS_ORIGINS}
├→ apps/presi/apps/backend/.env {CORS_ORIGINS}
└→ games/mana-games/apps/backend/.env {CORS_ORIGINS}
[BUT NOT USED by Chat, Picture, Zitare, Presi - they hardcode instead!]
```
---
## Issues Severity Matrix
```
╔═══════════════╦════════════════════════════════════════════════╦══════════════════╗
║ Severity ║ Count ║ Issue Description ║ Time to Fix ║
╠═══════════════╬═══════╬═════════════════════════════════════════╬══════════════════╣
║ BLOCKING ║ 2 ║ Port conflicts (3002, 3003) ║ 15 minutes ║
║ ║ 1 ║ Hardcoded DEV_USER_ID ║ 30 minutes ║
╠═══════════════╬═══════╬═════════════════════════════════════════╬══════════════════╣
║ MAJOR ║ 3 ║ Auth URL naming inconsistencies ║ 30 minutes ║
║ ║ 4 ║ Hardcoded CORS origins ║ 1-2 hours ║
║ ║ 2 ║ Missing .env.example files ║ 15 minutes ║
╠═══════════════╬═══════╬═════════════════════════════════════════╬══════════════════╣
║ MEDIUM ║ 4 ║ Missing validation schemas ║ 2-3 hours ║
║ ║ 1 ║ Dev bypass auth inconsistency ║ 1-2 hours ║
╠═══════════════╬═══════╬═════════════════════════════════════════╬══════════════════╣
║ TOTAL ║ 17 ║ All issues identified ║ 6-8 hours total ║
╚═══════════════╩═══════╩═════════════════════════════════════════╩══════════════════╝
```
---
## Configuration Best Practices Scorecard
```
╔════════════════════════════════════╦═════════════════════════════════════════╗
║ Criteria ║ Score (0-10) ║
╠════════════════════════════════════╬═════════════════════════════════════════╣
║ Port Assignment Uniqueness ║ 4/10 (2 conflicts found) ║
║ Environment Variable Standardization║ 6/10 (3 naming conventions) ║
║ Configuration Documentation ║ 5/10 (3 missing .env.example files) ║
║ Centralized Environment Setup ║ 8/10 (good but some backends override) ║
║ Configuration Validation ║ 3/10 (only 2/8 backends have schemas) ║
║ Hardcoded Values ║ 4/10 (CORS + DEV_USER_ID hardcoded) ║
║ Auth Configuration Consistency ║ 4/10 (4 different variable names) ║
║ Security (no secrets in source) ║ 7/10 (mostly good, except DEV_USER_ID) ║
╠════════════════════════════════════╬═════════════════════════════════════════╣
║ OVERALL SCORE ║ 5.1/10 (NEEDS IMPROVEMENT) ║
╚════════════════════════════════════╩═════════════════════════════════════════╝
```
**To reach 8/10:** Fix blocking issues + add missing validation schemas
**To reach 9/10:** + Move all CORS to environment + Standardize auth URLs
**To reach 10/10:** + Complete documentation + Consistent dev bypass pattern across all
---
## Quick Reference: Variable Name Standardization
### Current (Inconsistent)
```
Chat: MANA_CORE_AUTH_URL
Picture: MANA_CORE_AUTH_URL
Zitare: MANA_CORE_AUTH_URL
Presi: MANA_CORE_AUTH_URL
Manadeck: MANA_SERVICE_URL ← Different!
Nutriphi: MANACORE_AUTH_URL ← Different!
```
### Recommended (Consistent)
```
All backends: MANA_CORE_AUTH_URL ← Standardized
```
### Migration Path
1. Add MANA_CORE_AUTH_URL to .env.development (already exists!)
2. Update generate-env.mjs:
- Line 205: Change `MANA_SERVICE_URL` to `MANA_CORE_AUTH_URL` (Manadeck)
- Line 272: Change `MANACORE_AUTH_URL` to `MANA_CORE_AUTH_URL` (Nutriphi)
3. Update app.module.ts files if they reference old variable name
4. Update config/validation.schema.ts files if applicable
5. Test `pnpm setup:env` generates correct variables
6. Verify all backends read MANA_CORE_AUTH_URL
---
## Next Steps
1. **Read the full audit:** `/docs/ENV_CONFIGURATION_AUDIT.md`
2. **Follow the checklist:** `/docs/ENV_AUDIT_SUMMARY.md`
3. **Review this matrix:** You are here!
4. **Implement fixes:** Start with Phase 1 (blocking issues)
5. **Test & verify:** Run all backends simultaneously
6. **Document results:** Update CLAUDE.md with final port assignments
---
Generated: December 1, 2025
Auditor: Environment Configuration Auditor Agent (Claude Flow Swarm)

408
docs/ENV_CONFIGURATION_AUDIT.md Normal file
View file

@ -0,0 +1,408 @@
# Environment Configuration Audit Report
## Mana Universe Monorepo - Backend Authentication & Configuration
**Date:** December 1, 2025
**Auditor:** Environment Configuration Auditor Agent
**Scope:** All NestJS backends and mana-core-auth service
---
## EXECUTIVE SUMMARY
The monorepo has **CRITICAL PORT CONFLICTS** that will prevent multiple backends from running simultaneously. Additionally, there are inconsistencies in environment variable naming conventions across backends and missing configuration examples for some projects.
**Status:** NEEDS IMMEDIATE ACTION
- 2 port conflicts identified
- 3 naming convention inconsistencies
- 5 backends missing .env.example files
- Hardcoded CORS origins in multiple backends
---
## 1. PORT ASSIGNMENT MATRIX
### Current Assignments (from .env.development)
| Backend | Port | Env Variable | Status | Conflict |
|---------|------|--------------|--------|----------|
| Mana Core Auth | 3001 | MANA_CORE_AUTH_PORT | ✓ Unique | No |
| Chat | 3002 | CHAT_BACKEND_PORT | ✓ Unique | No |
| **Maerchenzauber** | **3003** | MAERCHENZAUBER_BACKEND_PORT | ⚠ CONFLICT | **Yes** |
| Manadeck | 3004 | MANADECK_BACKEND_PORT | ✓ Unique | No |
| **Picture** | **3003** | PICTURE_BACKEND_PORT | ⚠ CONFLICT | **Yes** |
| **Nutriphi** | **3002** | NUTRIPHI_BACKEND_PORT | ⚠ CONFLICT | **Yes** |
| Zitare | 3007 | ZITARE_BACKEND_PORT | ✓ Unique | No |
| Presi | 3008 | PRESI_BACKEND_PORT | ✓ Unique | No |
| Mana Games | 3011 | MANA_GAMES_BACKEND_PORT | ✓ Unique | No |
| Voxel Lava | 3010 | VOXEL_LAVA_BACKEND_PORT | ✓ Unique | No |
### PORT CONFLICTS FOUND
1. **Port 3003 - DOUBLE ASSIGNED**
- Maerchenzauber Backend: `MAERCHENZAUBER_BACKEND_PORT=3003`
- Picture Backend: `PICTURE_BACKEND_PORT=3003`
2. **Port 3002 - DOUBLE ASSIGNED**
- Chat Backend: `CHAT_BACKEND_PORT=3002`
- Nutriphi Backend: `NUTRIPHI_BACKEND_PORT=3002`
### RECOMMENDATION
Reassign conflicting ports:
- Maerchenzauber: Keep 3003, reassign Picture to **3005** or **3006**
- OR reassign Maerchenzauber to **3005** and keep Picture at 3003
- Nutriphi: Reassign to **3006** or another available port
- Mana Games: Currently 3011
- Voxel Lava: Currently 3010
---
## 2. AUTH ENVIRONMENT VARIABLES AUDIT
### Central Configuration (.env.development)
**PRESENT & CONFIGURED:**
- ✓ `MANA_CORE_AUTH_URL=http://localhost:3001` (Line 16)
- ✓ `DEV_BYPASS_AUTH=true` (Line 59 - Chat only)
- ✓ JWT_PRIVATE_KEY & JWT_PUBLIC_KEY (Lines 19-20)
- ✓ CORS_ORIGINS=... (Line 41)
**MISSING CENTRALIZED:**
- ✗ `DEV_USER_ID` - NOT in .env.development
- Used hardcoded in Chat: `17cb0be7-058a-4964-9e18-1fe7055fd014`
- Should be centralized in .env.development
- ✗ `MANA_CORE_SERVICE_KEY` - NOT found in generate-env.mjs mapping
- Defined for Manadeck in .env.example
- Not passed to backends via generator
### Backend-Specific Auth Configuration
| Backend | Auth URL Var | Dev Bypass | Dev User ID | Status |
|---------|--------------|-----------|-------------|--------|
| **Chat** | MANA_CORE_AUTH_URL | ✓ Configured | ✗ Hardcoded | ⚠ Partially |
| **Picture** | MANA_CORE_AUTH_URL | ✗ Missing | ✗ Not checked | ✗ Incomplete |
| **Zitare** | MANA_CORE_AUTH_URL | ✗ Missing | ✗ Not checked | ✗ Incomplete |
| **Presi** | MANA_CORE_AUTH_URL | ✗ Missing | ✗ Not checked | ✗ Incomplete |
| **Manadeck** | MANA_SERVICE_URL | ✗ Not in generation | ✗ Not mapped | ✗ Not generated |
### ISSUE: Naming Convention Inconsistency
Different backends use DIFFERENT variable names for the same thing:
```
INCONSISTENT:
- Chat uses: MANA_CORE_AUTH_URL (from generate-env.mjs line 95)
- Picture uses: MANA_CORE_AUTH_URL (from generate-env.mjs line 230)
- Zitare uses: MANA_CORE_AUTH_URL (from generate-env.mjs line 300)
- Presi uses: MANA_CORE_AUTH_URL (from generate-env.mjs line 330)
- Manadeck uses: MANA_SERVICE_URL (from generate-env.mjs line 205)
- Manadeck uses: APP_ID (from generate-env.mjs line 206)
- Nutriphi uses: MANACORE_AUTH_URL (from generate-env.mjs line 272)
```
**STANDARDIZATION NEEDED:**
All backends should use consistent naming:
- Recommend: `MANA_CORE_AUTH_URL` (most common)
---
## 3. ENVIRONMENT VARIABLE MAPPING AUDIT
### Generate-env.mjs Coverage Analysis
| Backend | .env.example | generate-env.mjs | .env Generated | Coverage |
|---------|--------------|------------------|----------------|----------|
| Chat | ✓ Exists | ✓ Lines 85-98 | ✓ Will generate | ✓ Complete |
| Picture | ✓ Exists | ✓ Lines 223-243 | ✓ Will generate | ✓ Complete |
| Manadeck | ✓ Exists | ✓ Lines 199-209 | ✓ Will generate | ✓ Complete |
| **Zitare** | ✗ Missing | ✓ Lines 294-303 | ✓ Will generate | ⚠ Missing example |
| **Presi** | ✗ Missing | ✓ Lines 323-334 | ✓ Will generate | ⚠ Missing example |
| Mana-Core-Auth | ✓ Exists | ✓ Lines 57-82 | ✓ Will generate | ✓ Complete |
**Missing .env.example files:**
- `/apps/zitare/apps/backend/.env.example` - Should document PORT, DATABASE_URL, MANA_CORE_AUTH_URL, CORS_ORIGINS
- `/apps/presi/apps/backend/.env.example` - Should document PORT, DATABASE_URL, MANA_CORE_AUTH_URL, JWT_PUBLIC_KEY, CORS_ORIGINS
---
## 4. HARDCODED VALUES & SECURITY CONCERNS
### Hardcoded in Source Code
**Chat Backend** (`apps/chat/apps/backend/src/common/guards/jwt-auth.guard.ts`):
```typescript
const DEV_USER_ID = '17cb0be7-058a-4964-9e18-1fe7055fd014'; // Line 1
```
- Should be: `configService.get('DEV_USER_ID')`
- Should be in .env.development: `DEV_USER_ID=17cb0be7-058a-4964-9e18-1fe7055fd014`
### Hardcoded CORS Origins in main.ts
**Chat** (`src/main.ts` lines 10-18):
```typescript
origin: [
'http://localhost:3000',
'http://localhost:5173',
'http://localhost:5174',
'http://localhost:5178',
'http://localhost:8081',
'exp://localhost:8081',
'http://localhost:3001', // Mana Core Auth
]
```
**Picture** (`src/main.ts` lines 11-19):
```typescript
const allowedOrigins = [
'http://localhost:3000',
'http://localhost:5173',
'http://localhost:5174',
'http://localhost:5175',
'http://localhost:8081',
'exp://localhost:8081',
'http://localhost:3001',
]
```
**Presi** (`src/main.ts` lines 10-17):
```typescript
origin: [
'http://localhost:3000',
'http://localhost:5173',
'http://localhost:5177',
'http://localhost:5178',
'http://localhost:8081',
'exp://localhost:8081',
'http://localhost:3001',
]
```
**Zitare** (`src/main.ts` lines 10-16):
```typescript
origin: [
'http://localhost:3000',
'http://localhost:5173',
'http://localhost:5177',
'http://localhost:8081',
'exp://localhost:8081',
'http://localhost:3001',
]
```
**RECOMMENDATION:** Move CORS_ORIGINS to .env.development (already exists as CORS_ORIGINS global variable, but not used by all backends)
---
## 5. CONFIGURATION BEST PRACTICES COMPLIANCE
### Configuration Module Setup
| Backend | ConfigModule | Validation | Env File Path | Status |
|---------|--------------|-----------|----------------|--------|
| Chat | ✓ ConfigModule.forRoot() | ✗ No validation schema | `.env` | ⚠ Minimal |
| Picture | ✓ ConfigModule.forRoot() | ✗ No validation schema | `.env` | ⚠ Minimal |
| Zitare | ✓ ConfigModule.forRoot() | ✗ No validation schema | `.env` | ⚠ Minimal |
| Presi | ✓ ConfigModule.forRoot() | ✗ No validation schema | `.env` | ⚠ Minimal |
| Manadeck | ✓ ConfigModule.forRoot() | ✓ Joi schema | `.env` | ✓ Complete |
| Mana-Core-Auth | ✓ ConfigModule.forRoot() | ✓ Config service | `.env` | ✓ Complete |
**ISSUE:** Chat, Picture, Zitare, Presi lack validation schemas.
**EXAMPLE (Manadeck validation.schema.ts):**
```typescript
export const validationSchema = Joi.object({
NODE_ENV: Joi.string().valid('development', 'production'),
PORT: Joi.number().required(),
DATABASE_URL: Joi.string().required(),
MANA_CORE_AUTH_URL: Joi.string().required(),
// ... etc
});
```
---
## 6. CRITICAL ISSUES SUMMARY
### BLOCKING ISSUES (Fix Immediately)
1. **Port Conflict - 3002**
- Chat and Nutriphi both assigned to port 3002
- Cannot run simultaneously
- **Fix:** Reassign Nutriphi to port 3006
2. **Port Conflict - 3003**
- Picture and Maerchenzauber both assigned to port 3003
- Cannot run simultaneously
- **Fix:** Reassign Picture to port 3005 or Maerchenzauber to 3006
3. **Hardcoded Dev User ID in Chat Backend**
- `DEV_USER_ID = '17cb0be7-058a-4964-9e18-1fe7055fd014'` hardcoded in source
- Not configurable via environment
- **Fix:** Move to .env.development and load via ConfigService
### MAJOR ISSUES (Fix Soon)
4. **Inconsistent Auth Variable Names**
- Manadeck uses `MANA_SERVICE_URL` instead of `MANA_CORE_AUTH_URL`
- Nutriphi uses `MANACORE_AUTH_URL` (no underscore)
- **Fix:** Standardize all to `MANA_CORE_AUTH_URL`
5. **Hardcoded CORS Origins**
- 4 backends hardcode CORS lists in main.ts
- Should use environment variables
- **Fix:** Use CORS_ORIGINS from .env.development
6. **Missing Configuration Examples**
- Zitare and Presi lack .env.example files
- **Fix:** Create comprehensive .env.example files
### MEDIUM ISSUES (Improve Quality)
7. **Missing Validation Schemas**
- 4 backends lack Joi validation schemas
- No type safety for environment variables
- **Fix:** Add validation schemas to Chat, Picture, Zitare, Presi
8. **Dev Bypass Auth Not Consistent**
- Only Chat backend has DEV_BYPASS_AUTH implemented
- Other backends may lack development bypass mechanism
- **Fix:** Add consistent development auth bypass pattern
---
## 7. RECOMMENDED ACTIONS
### Phase 1: Critical Fixes (Do First)
```bash
# 1. Fix port conflicts in .env.development
# Change line 122: PICTURE_BACKEND_PORT=3003 → PICTURE_BACKEND_PORT=3005
# Change line 146: NUTRIPHI_BACKEND_PORT=3002 → NUTRIPHI_BACKEND_PORT=3006
# 2. Add DEV_USER_ID to .env.development
# Add after line 59: DEV_USER_ID=17cb0be7-058a-4964-9e18-1fe7055fd014
# 3. Standardize auth URL naming
# Update generate-env.mjs line 272 (Nutriphi):
# MANACORE_AUTH_URL: → MANA_CORE_AUTH_URL:
# Update generate-env.mjs line 205 (Manadeck):
# MANA_SERVICE_URL: → MANA_CORE_AUTH_URL:
```
### Phase 2: Configuration Examples
```bash
# Create missing .env.example files:
# - apps/zitare/apps/backend/.env.example
# - apps/presi/apps/backend/.env.example
# Based on .env.development variables and backend requirements
```
### Phase 3: Code Quality
```bash
# Add validation schemas to:
# - apps/chat/apps/backend/src/config/validation.schema.ts
# - apps/picture/apps/backend/src/config/validation.schema.ts
# - apps/zitare/apps/backend/src/config/validation.schema.ts
# - apps/presi/apps/backend/src/config/validation.schema.ts
# Move CORS origins to environment:
# Update main.ts in Chat, Picture, Zitare, Presi to:
# app.enableCors({
# origin: (configService.get('CORS_ORIGINS') || '').split(','),
# })
```
---
## 8. UPDATED PORT ASSIGNMENTS (RECOMMENDED)
| Backend | Recommended Port | Current | Status |
|---------|-----------------|---------|--------|
| Mana Core Auth | 3001 | 3001 | ✓ Keep |
| Chat | 3002 | 3002 | ✓ Keep |
| Maerchenzauber | 3003 | 3003 | ✓ Keep |
| Manadeck | 3004 | 3004 | ✓ Keep |
| Picture | **3005** | 3003 | **CHANGE** |
| Nutriphi | **3006** | 3002 | **CHANGE** |
| Zitare | 3007 | 3007 | ✓ Keep |
| Presi | 3008 | 3008 | ✓ Keep |
| Voxel Lava | 3010 | 3010 | ✓ Keep |
| Mana Games | 3011 | 3011 | ✓ Keep |
---
## 9. ENVIRONMENT VARIABLE SUMMARY TABLE
### Required for All Backends
| Variable | Purpose | Centralized | Backend Usage |
|----------|---------|------------|---|
| NODE_ENV | Environment type | ✓ .env.development | All |
| PORT | Server port | ✓ Individual vars | All |
| DATABASE_URL | PostgreSQL connection | ✓ Individual vars | Chat, Manadeck, Picture, Zitare, Presi |
| MANA_CORE_AUTH_URL | Auth service URL | ✓ .env.development | Chat, Picture, Zitare, Presi, Manadeck |
| CORS_ORIGINS | Allowed origins | ✓ .env.development | All (hardcoded, should use env) |
### Optional but Recommended
| Variable | Purpose | Centralized | Backend Usage |
|----------|---------|------------|---|
| DEV_BYPASS_AUTH | Skip auth in dev | ⚠ Partial | Chat only |
| DEV_USER_ID | Dev test user | ✗ Hardcoded | Chat |
| JWT_PUBLIC_KEY | Token validation | ✓ .env.development | Presi |
### Backend-Specific
| Backend | Key Variables | Centralized |
|---------|---|---|
| Chat | GOOGLE_GENAI_API_KEY, AZURE_OPENAI_* | ✓ .env.development |
| Picture | REPLICATE_API_TOKEN, S3_* vars | ✓ .env.development |
| Zitare | (None beyond base) | ✓ .env.development |
| Presi | (None beyond base) | ✓ .env.development |
| Manadeck | GOOGLE_GENAI_API_KEY | ✓ .env.development |
| Mana-Core-Auth | JWT_*, STRIPE_*, CREDITS_* | ✓ .env.development |
---
## 10. IMPLEMENTATION CHECKLIST
- [ ] Fix port conflict: Picture 3003 → 3005
- [ ] Fix port conflict: Nutriphi 3002 → 3006
- [ ] Add DEV_USER_ID to .env.development
- [ ] Update Chat backend to use DEV_USER_ID from ConfigService
- [ ] Standardize MANA_SERVICE_URL to MANA_CORE_AUTH_URL in Manadeck generate-env.mjs
- [ ] Standardize MANACORE_AUTH_URL to MANA_CORE_AUTH_URL in Nutriphi generate-env.mjs
- [ ] Create .env.example for Zitare backend
- [ ] Create .env.example for Presi backend
- [ ] Add validation schemas to Chat backend config
- [ ] Add validation schemas to Picture backend config
- [ ] Add validation schemas to Zitare backend config
- [ ] Add validation schemas to Presi backend config
- [ ] Move CORS origins from hardcoded arrays to environment variables (all backends)
- [ ] Document port assignments in CLAUDE.md
- [ ] Test all backends can run simultaneously with correct ports
- [ ] Verify auth endpoint connectivity from each backend to mana-core-auth
---
## AUDIT DETAILS
**Files Reviewed:**
- .env.development (202 lines)
- scripts/generate-env.mjs (433 lines)
- 6 backends app.module.ts files
- 5 backends main.ts files
- 3 .env.example files (Chat, Picture, Manadeck)
- 1 mana-core-auth main.ts
- Various configuration schemas and guards
**Total Files Analyzed:** 25+
**Lines of Code Reviewed:** 2,000+
**Issues Identified:** 8 critical/major issues
**Port Conflicts Found:** 2 (affecting 3 backends)

602
docs/HETZNER_DEPLOYMENT_SUMMARY.md Normal file
View file

@ -0,0 +1,602 @@
# Hetzner Deployment Summary - Quick Reference
**Date**: 2025-12-01
**Status**: Complete Analysis & Documentation
**Action Required**: Fix 4 critical blockers before deployment
---
## Executive Summary
Your monorepo has **solid Docker foundations** but needs **4 critical fixes** (2-4 hours of work) before production deployment to Hetzner.
### Current State: ⚠️ Not Production Ready
**What's Working**:
- Multi-environment Docker Compose setups ✅
- 4 containerized backends (auth, chat, picture, manadeck) ✅
- Health checks and dependency management ✅
- Security best practices (non-root, Alpine, network isolation) ✅
**What Needs Fixing**:
1. ❌ Missing Prometheus configuration (`docker/prometheus/prometheus.yml`)
2. ❌ Missing Grafana provisioning (`docker/grafana/provisioning/`)
3. ❌ ManaDeck uses Node 18 (should be Node 20)
4. ❌ ManaDeck uses npm instead of pnpm
---
## Quick Start: Get Production Ready in 2-4 Hours
### Step 1: Fix Critical Blockers (1 hour)
```bash
# 1. Create monitoring infrastructure
mkdir -p docker/prometheus
mkdir -p docker/grafana/provisioning/{dashboards,datasources}
# 2. Create Prometheus config
cat > docker/prometheus/prometheus.yml <<'EOF'
global:
scrape_interval: 15s
scrape_configs:
- job_name: 'prometheus'
static_configs:
- targets: ['localhost:9090']
- job_name: 'docker'
static_configs:
- targets: ['172.17.0.1:9323']
EOF
# 3. Create Grafana datasource
cat > docker/grafana/provisioning/datasources/prometheus.yml <<'EOF'
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
url: http://prometheus:9090
isDefault: true
EOF
# 4. Fix ManaDeck Dockerfile
# Edit apps/manadeck/apps/backend/Dockerfile
# - Change: FROM node:18-alpine → FROM node:20-alpine
# - Replace all "npm" commands with "pnpm"
# - Remove --legacy-peer-deps flag
# 5. Test locally
pnpm docker:up
```
### Step 2: Deploy to Hetzner (1-2 hours)
```bash
# On Hetzner server (use "Docker CE" app during creation)
# 1. Run production setup script (see HETZNER_PRODUCTION_GUIDE.md)
curl -o setup.sh https://your-repo/scripts/hetzner-setup.sh
chmod +x setup.sh
./setup.sh
# 2. Configure environment variables
cd /app
cp .env.production.example .env.production
nano .env.production # Add your secrets
# 3. Deploy application
docker compose -f docker-compose.production.yml up -d
# 4. Verify health
curl http://localhost:3001/api/v1/health # mana-core-auth
curl http://localhost:3002/api/health # chat-backend
```
### Step 3: Setup Monitoring & Backups (1 hour)
```bash
# Deploy monitoring stack
docker compose -f docker-compose.monitoring.yml up -d
# Setup automated backups
apt install borgbackup
./scripts/setup-backups.sh
# Configure backup cron (daily at 2 AM)
echo "0 2 * * * /usr/local/bin/docker-backup.sh" | crontab -
```
---
## Recommended Hetzner Setup
### For Your Monorepo Size (10 backends, 10 web apps)
**Option 1: Single Server (Development/Staging)** - €28/month
```
Server: Hetzner CX33 (4 vCPU, 8GB RAM)
- All services on one server
- Good for staging environment
- ~5-7 concurrent services
```
**Option 2: Production HA Setup** - €37/month
```
2x Hetzner CPX21 (3 vCPU, 4GB RAM) - €14/month
+ Load Balancer - €5.39/month
+ Volumes (3x 50GB) - €7.50/month
+ Storage Box (500GB) - €10.11/month
```
**Option 3: Full Monorepo (All Services)** - €166/month
```
3x App Servers (CX33) - €84/month
1x DB Server (CX31) - €28/month
Load Balancer - €10/month
Volumes + Storage Box - €44/month
vs AWS equivalent: $400-600/month
Savings: 60-75%
```
**Recommendation**: Start with Option 1 (staging), scale to Option 2 (production)
---
## Cost Breakdown: What You'll Pay Monthly
### Minimal Production (5 services)
```
Server (CPX21): €7.00/month
Volume (50GB): €2.50/month
Storage Box (100GB): €3.81/month
─────────────────────────────────────────
Total: €13.81/month
```
### Your Current Setup (Full Monorepo)
```
3x Servers (CX33): €84.00/month
1x Database Server: €28.00/month
Load Balancer: €10.00/month
Volumes (5x 100GB): €25.00/month
Storage Box (1TB): €19.00/month
─────────────────────────────────────────
Total: €166.00/month
```
**vs AWS/GCP**: Saves 60-75% on infrastructure costs
---
## Architecture Overview
### Network Isolation (3-Tier)
```
┌─────────────────────────────────────────┐
│ FRONTEND NETWORK │
│ - Traefik (reverse proxy) │
│ - Web apps (SvelteKit) │
│ - Landing pages (Astro) │
└─────────────────┬───────────────────────┘
┌─────────────────▼───────────────────────┐
│ BACKEND NETWORK │
│ - NestJS backends │
│ - mana-core-auth │
│ - API services │
└─────────────────┬───────────────────────┘
┌─────────────────▼───────────────────────┐
│ DATABASE NETWORK (Internal) │
│ - PostgreSQL │
│ - Redis │
│ - No internet access │
└─────────────────────────────────────────┘
```
### Service Dependency Flow
```
PostgreSQL + Redis
mana-core-auth (Central Authentication)
Backend Services (chat, picture, zitare, presi, manadeck)
Web Apps (SvelteKit)
Landing Pages (Astro)
Traefik (SSL + Reverse Proxy)
```
---
## Key Files & Locations
### Documentation (Created Today)
- `docs/DOCKER_SETUP_ANALYSIS.md` - Complete current state analysis
- `docs/HETZNER_PRODUCTION_GUIDE.md` - Comprehensive deployment guide
- `docs/HETZNER_DEPLOYMENT_SUMMARY.md` - This quick reference
### Existing Documentation
- `docs/DEPLOYMENT_HETZNER.md` - Deployment options comparison (German)
- `docs/DOCKER_GUIDE.md` - Docker usage guide
- `docs/DEPLOYMENT_ARCHITECTURE.md` - Architecture details
### Docker Configuration Files
- `docker-compose.yml` - Full stack with monitoring
- `docker-compose.dev.yml` - Development environment
- `docker-compose.staging.yml` - Staging deployment
- `docker-compose.production.yml` - Production deployment
### Docker Templates
- `docker/templates/Dockerfile.nestjs` - NestJS backend template
- `docker/templates/Dockerfile.sveltekit` - SvelteKit web template
- `docker/templates/Dockerfile.astro` - Astro landing page template
### Active Service Dockerfiles
- `services/mana-core-auth/Dockerfile`
- `apps/chat/apps/backend/Dockerfile`
- `apps/picture/apps/backend/Dockerfile`
- `apps/manadeck/apps/backend/Dockerfile` ⚠️ Needs fixes
---
## Security Checklist
### Critical Security Items
- [ ] **SSH Configuration**
- Disable root login
- Disable password authentication
- SSH keys only
- [ ] **Firewall Setup**
- Hetzner Cloud Firewall (primary layer)
- UFW on server (secondary layer)
- Allow only ports 22, 80, 443
- [ ] **Docker Security**
- Non-root containers
- Docker secrets for production
- Read-only filesystems where possible
- Security updates automated
- [ ] **Backup Strategy**
- Automated daily backups with Borg
- 7 daily, 4 weekly, 6 monthly retention
- Test restore procedure
---
## Monitoring Stack Components
### What You Get
**Metrics Collection**:
- Prometheus - Time-series metrics database
- cAdvisor - Container resource usage
- Node Exporter - Host system metrics
**Visualization**:
- Grafana - Dashboards and alerts
- Pre-built dashboards for Docker, PostgreSQL, Redis
**Logging**:
- Loki - Log aggregation
- Promtail - Log collection from containers
**Access**:
- Grafana UI: `http://your-server:3000`
- Prometheus UI: `http://your-server:9090`
---
## CI/CD Integration
### GitHub Actions Workflow (Recommended)
```yaml
# .github/workflows/deploy-hetzner.yml
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# Build and push to GitHub Container Registry
- name: Build and push
run: |
docker build -t ghcr.io/your-org/service:latest .
docker push ghcr.io/your-org/service:latest
# Deploy to Hetzner via SSH
- name: Deploy
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.HETZNER_HOST }}
username: deploy
key: ${{ secrets.SSH_PRIVATE_KEY }}
script: |
cd /app
docker compose pull
docker compose up -d --remove-orphans
```
---
## Common Commands
### Local Development
```bash
# Start all services
pnpm docker:up
# Start specific project
docker compose --profile chat up -d
# View logs
docker compose logs -f chat-backend
# Stop everything
docker compose down
```
### Production Deployment
```bash
# Deploy to production
docker compose -f docker-compose.production.yml up -d
# Check service health
docker compose ps
# View logs
docker compose logs -f --tail=100
# Restart single service
docker compose restart chat-backend
# Update single service (zero downtime)
docker compose up -d --no-deps chat-backend
```
### Monitoring
```bash
# Check resource usage
docker stats
# View container health
docker inspect --format='{{.State.Health.Status}}' container-name
# Access Prometheus
http://localhost:9090
# Access Grafana
http://localhost:3000
```
### Backup & Restore
```bash
# Manual backup
/usr/local/bin/docker-backup.sh
# List backups
borg list ssh://u123456@u123456.your-storagebox.de:23/./backups
# Restore from backup
borg extract ssh://u123456@u123456.your-storagebox.de:23/./backups::20251201-020000
```
---
## Troubleshooting Quick Reference
### Container Won't Start
```bash
# View logs
docker logs container-name
# Check exit code
docker inspect --format='{{.State.ExitCode}}' container-name
# Run interactively
docker run -it --rm image-name sh
```
### High Resource Usage
```bash
# Check stats
docker stats
# Check disk usage
docker system df
# Clean up
docker system prune -a
```
### Network Issues
```bash
# Test connectivity
docker exec container1 ping container2
# Check network
docker network inspect manacore-network
# Restart Docker
systemctl restart docker
```
### Health Check Failing
```bash
# Check health status
docker inspect --format='{{.State.Health}}' container-name
# View health logs
docker inspect --format='{{range .State.Health.Log}}{{.Output}}{{end}}' container-name
# Test health endpoint manually
curl http://localhost:3000/health
```
---
## Next Steps: Priority Order
### Immediate (Today - 2 hours)
1. **Fix Critical Blockers** (See Step 1 above)
- Create monitoring configs
- Fix ManaDeck Dockerfile
2. **Test Locally**
```bash
pnpm docker:up
docker compose ps # All should be healthy
```
### Short Term (This Week - 4 hours)
3. **Provision Hetzner Server**
- Choose server type (CX33 recommended for start)
- Select "Docker CE" app during creation
- Configure private network
4. **Initial Deployment**
- Run production setup script
- Deploy application
- Configure monitoring
5. **Setup Backups**
- Configure Storage Box
- Initialize Borg repository
- Test restore procedure
### Medium Term (Next Week - 8 hours)
6. **CI/CD Pipeline**
- Setup GitHub Actions workflow
- Configure secrets
- Test automated deployment
7. **Security Hardening**
- Configure Hetzner Cloud Firewall
- Setup fail2ban
- Enable automatic security updates
8. **Load Testing**
- Test with expected load
- Tune resource limits
- Optimize performance
### Long Term (Ongoing)
9. **Documentation**
- Create runbooks for common tasks
- Document incident response
- Team training
10. **Optimization**
- Monitor costs
- Right-size resources
- Implement auto-scaling if needed
---
## Success Metrics
### How to Know You're Production Ready
✅ **Infrastructure**
- [ ] Server accessible via SSH with key authentication
- [ ] Docker and docker-compose installed and working
- [ ] Firewall configured (Hetzner + UFW)
- [ ] Private network configured (if multi-server)
✅ **Application**
- [ ] All services start and pass health checks
- [ ] Environment variables properly configured
- [ ] SSL/TLS working (Let's Encrypt)
- [ ] Database migrations run successfully
✅ **Monitoring**
- [ ] Prometheus collecting metrics
- [ ] Grafana dashboards accessible
- [ ] Alerts configured and tested
- [ ] Logs centralized in Loki
✅ **Backups**
- [ ] Automated daily backups running
- [ ] Storage Box configured
- [ ] Restore procedure tested
- [ ] Retention policy configured
✅ **CI/CD**
- [ ] GitHub Actions workflow working
- [ ] Automated deployments successful
- [ ] Rollback procedure tested
---
## Getting Help
### Documentation References
- **Current State**: `docs/DOCKER_SETUP_ANALYSIS.md`
- **Complete Guide**: `docs/HETZNER_PRODUCTION_GUIDE.md`
- **Docker Usage**: `docs/DOCKER_GUIDE.md`
- **Options Comparison**: `docs/DEPLOYMENT_HETZNER.md`
### External Resources
- [Hetzner Cloud Docs](https://docs.hetzner.com/cloud/)
- [Docker Compose Reference](https://docs.docker.com/compose/)
- [Traefik Documentation](https://doc.traefik.io/traefik/)
- [Prometheus Documentation](https://prometheus.io/docs/)
### Support Channels
- Hetzner Support: https://console.hetzner.cloud/
- Docker Community: https://forums.docker.com/
- Your Team Documentation: `docs/` directory
---
## Summary
You have:
- ✅ **Solid foundation** with multi-environment Docker setup
- ✅ **4 containerized services** ready to deploy
- ✅ **Complete documentation** for production deployment
- ⚠️ **4 critical fixes** needed (2-4 hours of work)
After fixes:
- 🚀 **2-4 hours** to deploy to Hetzner
- 💰 **€14-166/month** depending on scale (60-75% cheaper than AWS)
- 📊 **Complete monitoring** with Prometheus + Grafana
- 🔒 **Production-grade security** with firewalls and automated backups
- 🔄 **Automated deployments** with GitHub Actions
**Total time to production**: ~10-15 hours from current state
---
**Document Version**: 1.0
**Last Updated**: 2025-12-01
**Next Review**: After first deployment

1971
docs/HETZNER_PRODUCTION_GUIDE.md Normal file
View file

File diff suppressed because it is too large Load diff

251
docs/README_ENV_AUDIT.md Normal file
View file

@ -0,0 +1,251 @@
# Environment Configuration Audit - Complete Documentation
This folder contains a comprehensive audit of all backend environment variable configurations in the Mana Universe monorepo.
## Documents
### 1. [ENV_CONFIGURATION_AUDIT.md](ENV_CONFIGURATION_AUDIT.md) - MAIN REPORT
**The complete audit with all findings and detailed analysis**
- **Section 1:** Port Assignment Matrix (identifies 2 port conflicts)
- **Section 2:** Auth Environment Variables (missing variables, inconsistent naming)
- **Section 3:** Environment Variable Mapping Audit (coverage analysis)
- **Section 4:** Hardcoded Values & Security Concerns (DEV_USER_ID, CORS)
- **Section 5:** Configuration Best Practices Compliance (validation schemas)
- **Section 6:** Critical Issues Summary (8 issues identified)
- **Section 7:** Recommended Actions (3 implementation phases)
- **Section 8:** Updated Port Assignments (proposed fixes)
- **Section 9:** Environment Variable Summary Tables
- **Section 10:** Implementation Checklist (16 action items)
**Read this if:** You need the complete, detailed analysis with code examples and full context.
**Lines:** 408 | **Size:** 14KB
---
### 2. [ENV_AUDIT_SUMMARY.md](ENV_AUDIT_SUMMARY.md) - QUICK START GUIDE
**Executive summary with actionable checklists and next steps**
- **Quick Issue Overview:** Blocking, Major, and Medium issues at a glance
- **Phase-Based Checklist:** Quick fix checklist organized by priority
- **Port Mapping:** Visual comparison of current vs. recommended ports
- **Environment Variable Status:** What's working and what needs work
- **Files to Modify:** Concrete list of files that need changes
- **Testing Instructions:** How to verify fixes
- **Additional Resources:** Links to full documentation
**Read this if:** You need a quick overview and want to start fixing issues immediately.
**Lines:** 166 | **Size:** 5KB
---
### 3. [ENV_BACKEND_MATRIX.md](ENV_BACKEND_MATRIX.md) - DETAILED MATRIX VISUALIZATION
**Backend configuration status visualized in detailed tables and matrices**
- **Backend Status Matrix:** Port, Auth URL, Dev Bypass, Validation status
- **Database Configuration:** Which backends have database URLs
- **CORS Configuration:** How CORS is implemented (hardcoded vs. environment)
- **Port Availability & Conflicts:** Visual representation of port assignments
- **Environment Variable Generation Map:** How variables flow from .env.development
- **Severity Matrix:** Issue counts and time estimates
- **Best Practices Scorecard:** Overall quality assessment (5.1/10)
- **Variable Standardization Guide:** Current inconsistencies and path to consistency
**Read this if:** You want to understand the full scope of backend configurations visually.
**Lines:** 234 | **Size:** 8KB
---
## Key Findings Summary
### BLOCKING ISSUES (Fix Immediately)
1. **Port 3002 Conflict:** Chat and Nutriphi both use port 3002
2. **Port 3003 Conflict:** Picture and Maerchenzauber both use port 3003
3. **Hardcoded DEV_USER_ID:** Chat backend hardcodes `17cb0be7-058a-4964-9e18-1fe7055fd014`
### MAJOR ISSUES (Fix Soon)
4. **Auth URL Naming Inconsistency:**
- Manadeck uses `MANA_SERVICE_URL` (should be `MANA_CORE_AUTH_URL`)
- Nutriphi uses `MANACORE_AUTH_URL` (should be `MANA_CORE_AUTH_URL`)
- Chat, Picture, Zitare, Presi use correct `MANA_CORE_AUTH_URL`
5. **Hardcoded CORS Origins:** 4 backends hardcode allowed origins instead of using environment variable
6. **Missing Configuration Examples:**
- No `.env.example` for Zitare backend
- No `.env.example` for Presi backend
### MEDIUM ISSUES (Improve Quality)
7. **Missing Validation Schemas:** Chat, Picture, Zitare, Presi lack Joi validation schemas
8. **Inconsistent Dev Bypass Auth:** Only Chat backend implements DEV_BYPASS_AUTH
---
## Quick Fix Timeline
| Phase | Tasks | Time | Impact |
|-------|-------|------|--------|
| Phase 1 | Fix ports + add DEV_USER_ID | 15-30 min | CRITICAL - Enables simultaneous backend execution |
| Phase 2 | Standardize naming + add .env examples | 30 min | MAJOR - Improves consistency |
| Phase 3 | Add validation schemas + extract CORS | 2-3 hours | QUALITY - Code quality improvement |
**Total estimated time to fix all issues: 6-8 hours**
---
## Which Document Should I Read?
### I want to...
**...quickly understand what's wrong**
→ Read [ENV_AUDIT_SUMMARY.md](ENV_AUDIT_SUMMARY.md) (5 min read)
**...get detailed analysis with code examples**
→ Read [ENV_CONFIGURATION_AUDIT.md](ENV_CONFIGURATION_AUDIT.md) (20 min read)
**...see all backend configurations visually**
→ Read [ENV_BACKEND_MATRIX.md](ENV_BACKEND_MATRIX.md) (10 min read)
**...start fixing issues immediately**
→ Read [ENV_AUDIT_SUMMARY.md](ENV_AUDIT_SUMMARY.md) "Quick Fix Checklist" section
**...understand the complete scope**
→ Read all three documents in order (1 → 2 → 3)
---
## Implementation Roadmap
### If you have 30 minutes
1. Read ENV_AUDIT_SUMMARY.md
2. Fix port conflicts in .env.development
3. Add DEV_USER_ID variable
### If you have 1-2 hours
1. Complete Phase 1 fixes
2. Update generate-env.mjs variable names
3. Create .env.example files for Zitare and Presi
### If you have 4+ hours
1. Complete all Phase 1 & 2 fixes
2. Add validation schemas to all backends
3. Extract CORS origins to environment variables
4. Test all backends can run simultaneously
---
## Files Analyzed in This Audit
**Configuration Files:**
- .env.development (202 lines)
- scripts/generate-env.mjs (433 lines)
- services/mana-core-auth/.env.example
- apps/chat/apps/backend/.env.example
- apps/picture/apps/backend/.env.example
- apps/manadeck/apps/backend/.env.example
**Backend Configuration:**
- 6 app.module.ts files (NestJS configuration)
- 5 main.ts files (server bootstrap & CORS)
- 1 validation.schema.ts file (Manadeck)
- Multiple JWT auth guard files
**Total Files Analyzed:** 25+
**Total Lines Reviewed:** 2,000+
**Issues Identified:** 8 critical/major items, 17 total issues
---
## Recommendations by Priority
### Priority 1: BLOCKING (Do Today)
- [ ] Fix PICTURE_BACKEND_PORT: 3003 → 3005
- [ ] Fix NUTRIPHI_BACKEND_PORT: 3002 → 3006
- [ ] Add DEV_USER_ID to .env.development
- [ ] Update Chat backend to read DEV_USER_ID from ConfigService
### Priority 2: MAJOR (Do This Week)
- [ ] Rename MANA_SERVICE_URL to MANA_CORE_AUTH_URL in Manadeck
- [ ] Rename MANACORE_AUTH_URL to MANA_CORE_AUTH_URL in Nutriphi
- [ ] Create .env.example for Zitare backend
- [ ] Create .env.example for Presi backend
### Priority 3: MEDIUM (Plan This Week)
- [ ] Add validation schemas to 4 backends (Chat, Picture, Zitare, Presi)
- [ ] Extract CORS origins to CORS_ORIGINS environment variable
- [ ] Update all backends to use env variable for CORS
- [ ] Document final port assignments in project CLAUDE.md files
### Priority 4: LONG-TERM (Future Improvement)
- [ ] Implement consistent dev bypass auth pattern across all backends
- [ ] Add comprehensive integration tests for all backends
- [ ] Document environment configuration in deployment guide
- [ ] Set up CI/CD to validate .env configuration changes
---
## Success Criteria
After implementing all recommendations, you should be able to:
1. **Run all 8 active backends simultaneously without port conflicts**
```bash
pnpm dev:auth &
pnpm dev:chat:backend &
pnpm dev:picture:backend &
pnpm dev:manadeck:backend &
pnpm dev:zitare:backend &
pnpm dev:presi:backend &
```
2. **Every backend loads from .env without warnings**
- All required variables present
- All variables properly typed/validated
3. **Consistent naming conventions across all backends**
- Same auth URL variable name used everywhere
- Same database URL pattern
- Same CORS configuration approach
4. **All backends properly documented**
- Each has .env.example file
- Each has configuration validation schema
- Port assignments documented in CLAUDE.md
5. **Security best practices enforced**
- No hardcoded values in source code
- All secrets loaded from environment
- Configuration validated on startup
---
## Contact & Questions
If you have questions about any findings:
1. **Detailed findings** → See ENV_CONFIGURATION_AUDIT.md section numbers
2. **Implementation guidance** → See ENV_AUDIT_SUMMARY.md "Files to Modify"
3. **Visual reference** → See ENV_BACKEND_MATRIX.md tables
---
## Document Metadata
**Audit Date:** December 1, 2025
**Auditor:** Environment Configuration Auditor Agent
**Swarm Role:** Claude Flow Swarm - Configuration Validation Team
**Monorepo Version:** manacore-monorepo (main branch)
**Total Issues:** 8 critical/major + 9 medium/quality issues
**Status:** READY FOR IMPLEMENTATION
---
**Next Action:** Read ENV_AUDIT_SUMMARY.md and start with Phase 1 fixes.