fix(mukke): add media-src to CSP for audio playback from MinIO

Add mediaSrc option to shared security headers and configure mukke
to allow audio loading from minio.mana.how (S3 presigned URLs).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/mukke/apps/web/src/hooks.server.ts

@@ -14,6 +14,7 @@ const PUBLIC_MANA_CORE_AUTH_URL_CLIENT =
 const PUBLIC_BACKEND_URL_CLIENT =
 	process.env.PUBLIC_BACKEND_URL_CLIENT || process.env.PUBLIC_BACKEND_URL || '';
 const PUBLIC_GLITCHTIP_DSN = process.env.PUBLIC_GLITCHTIP_DSN || '';
+const S3_PUBLIC_ENDPOINT = process.env.S3_PUBLIC_ENDPOINT || 'https://minio.mana.how';
 
 export const handle: Handle = async ({ event, resolve }) => {
 	const response = await resolve(event, {
@@ -30,7 +31,9 @@ window.__PUBLIC_GLITCHTIP_DSN__ = "${PUBLIC_GLITCHTIP_DSN}";
 	});
 
 	setSecurityHeaders(response, {
-		connectSrc: [PUBLIC_MANA_CORE_AUTH_URL_CLIENT, PUBLIC_BACKEND_URL_CLIENT],
+		connectSrc: [PUBLIC_MANA_CORE_AUTH_URL_CLIENT, PUBLIC_BACKEND_URL_CLIENT, S3_PUBLIC_ENDPOINT],
+		mediaSrc: [S3_PUBLIC_ENDPOINT, 'blob:'],
+		imgSrc: [S3_PUBLIC_ENDPOINT],
 	});
 
 	return response;

docs/MAC_MINI_SERVER.md

@@ -389,6 +389,39 @@ curl -s http://localhost:3002/api/v1/health
 curl -s http://localhost:3000/
 ```
 
+The health check monitors:
+- All backend APIs and web frontends
+- Infrastructure (PostgreSQL, Redis)
+- Matrix services (Synapse, Element, all bots)
+- Monitoring stack (Grafana, Umami, GlitchTip, VictoriaMetrics)
+- Alerting stack (vmalert, Alertmanager, Alert Notifier)
+- Disk space for `/` and `/Volumes/ManaData` (warning at 80%, critical at 90%)
+- Cloudflare Tunnel (cloudflared process)
+
+### Docker PATH auf dem Server
+
+Bei SSH-Zugriff ist Docker nicht im Standard-PATH. Für Remote-Befehle:
+
+```bash
+# Docker liegt unter Docker Desktop
+PATH=/Applications/Docker.app/Contents/Resources/bin:$PATH
+
+# Beispiel: Remote docker compose
+ssh mana-server "PATH=/Applications/Docker.app/Contents/Resources/bin:\$PATH && docker compose -f ~/projects/manacore-monorepo/docker-compose.macmini.yml restart grafana"
+```
+
+### Container existiert nicht (wurde nie erstellt)
+
+Wenn ein Service im Health-Check als `HTTP 000` erscheint und `docker ps -a` den Container nicht zeigt, wurde er vermutlich beim letzten Deploy übersprungen:
+
+```bash
+# Container erstellen und starten (Beispiel: Project Doc Bot)
+docker compose -f docker-compose.macmini.yml up -d matrix-project-doc-bot
+
+# Nach Restart prüfen
+docker ps --filter name=mana-matrix-bot-projectdoc --format '{{.Names}} {{.Status}}'
+```
+
 ## Wartung
 
 ### Updates einspielen

packages/shared-utils/src/security-headers.ts

@@ -25,6 +25,8 @@ interface SecurityHeadersOptions {
 	imgSrc?: string[];
 	/** Additional font-src origins */
 	fontSrc?: string[];
+	/** Additional media-src origins (audio/video sources) */
+	mediaSrc?: string[];
 	/** Override frame-ancestors (default: 'none') */
 	frameAncestors?: string;
 }
@@ -39,6 +41,7 @@ export function setSecurityHeaders(response: Response, options: SecurityHeadersO
 		scriptSrc = [],
 		imgSrc = [],
 		fontSrc = [],
+		mediaSrc = [],
 		frameAncestors = "'none'",
 	} = options;
 
@@ -56,11 +59,12 @@ export function setSecurityHeaders(response: Response, options: SecurityHeadersO
 		`img-src 'self' data: https: ${imgSrc.join(' ')}`.trim(),
 		`connect-src 'self' https://stats.mana.how https://glitchtip.mana.how ${connectSrc.join(' ')}`.trim(),
 		`font-src 'self' ${fontSrc.join(' ')}`.trim(),
+		mediaSrc.length > 0 ? `media-src 'self' ${mediaSrc.join(' ')}`.trim() : '',
 		"object-src 'none'",
 		"base-uri 'self'",
 		"form-action 'self'",
 		`frame-ancestors ${frameAncestors}`,
 	];
 
-	response.headers.set('Content-Security-Policy', cspDirectives.join('; '));
+	response.headers.set('Content-Security-Policy', cspDirectives.filter(Boolean).join('; '));
 }