From 82cf190650a651d656ddcd591a4304a2080fdecf Mon Sep 17 00:00:00 2001
From: Till JS <tills95@gmail.com>
Date: Wed, 15 Apr 2026 15:51:59 +0200
Subject: [PATCH] =?UTF-8?q?feat(tunnel):=20route=20mana-ai.mana.how=20?=
 =?UTF-8?q?=E2=86=92=20mana-ai:3067?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Public ingress for the Mission Key-Grant audit endpoint
(/api/v1/me/ai-audit) so the Workbench "Datenzugriff" tab can reach
mana-ai from the browser. Background tick + /metrics stay internal;
only the JWT-gated user endpoint is exposed.

Requires a Cloudflare DNS record pointing mana-ai.mana.how at the
tunnel CNAME (one-off: \`cloudflared tunnel route dns
1435166a-0e3f-4222-8de6-744f32cea5c9 mana-ai.mana.how\`), then sync
via scripts/mac-mini/sync-tunnel-config.sh.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 cloudflared-config.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/cloudflared-config.yml b/cloudflared-config.yml
index a304ad8b9..159d7c05e 100644
--- a/cloudflared-config.yml
+++ b/cloudflared-config.yml
@@ -104,6 +104,16 @@ ingress:
   - hostname: mana-api.mana.how
     service: http://localhost:3060
 
+  # ============================================
+  # mana-ai — background AI Mission Runner
+  # ============================================
+  # Serves the user-facing decrypt-audit endpoint
+  # /api/v1/me/ai-audit that powers the Workbench "Datenzugriff" tab.
+  # The background tick loop + /metrics stay internal; only the
+  # JWT-gated user endpoint is public.
+  - hostname: mana-ai.mana.how
+    service: http://localhost:3067
+
   # ============================================
   # API Gateway (Go)
   # ============================================