feat(infra): deploy mana-ai + wire Mission Grant keys via docker-compose

Wire the Mission Key-Grant feature into the production Mac Mini
compose stack so mana-ai can boot and mana-auth can mint grants.

- New mana-ai service block (port 3066) — 256m mem limit, depends on
  postgres + mana-llm, tick interval configurable via
  MANA_AI_TICK_INTERVAL_MS / MANA_AI_TICK_ENABLED. Pulls
  MANA_AI_PRIVATE_KEY_PEM from env; absent = grants silently disabled.
- mana-auth environment gains MANA_AI_PUBLIC_KEY_PEM (default empty
  so existing deployments without the keypair degrade to 503
  GRANT_NOT_CONFIGURED rather than failing to boot).
- mana-auth Dockerfile rewritten to the two-stage pnpm+bun pattern
  used by mana-credits/mana-events — required now that mana-auth has
  a @mana/shared-ai workspace dep. The previous single-stage
  Dockerfile with service-scoped build context couldn't resolve any
  @mana/* imports; that only worked historically because it fell
  through at runtime via a pre-built layer.
- mana-ai Dockerfile copies packages/shared-ai into the installer
  stage alongside shared-hono.

The build contexts for mana-auth flip from services/mana-auth to the
repo root. Existing CI/CD paths (scripts/mac-mini/build-app.sh) pass
through to docker compose build and pick up the new context
automatically — no script edits needed.

Flip-on procedure: on the Mac Mini, set MANA_AI_PUBLIC_KEY_PEM +
MANA_AI_PRIVATE_KEY_PEM in .env (already done, see
secrets/mana-ai/README.md on the host), then rebuild mana-auth +
build mana-ai.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

services/mana-ai/Dockerfile

@@ -9,6 +9,7 @@ WORKDIR /app
 COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
 COPY services/mana-ai/package.json ./services/mana-ai/
 COPY packages/shared-hono ./packages/shared-hono
+COPY packages/shared-ai ./packages/shared-ai
 
 # Install only mana-ai and its workspace deps
 RUN pnpm install --filter @mana/ai-service... --no-frozen-lockfile --ignore-scripts

services/mana-auth/Dockerfile

@@ -1,12 +1,36 @@
+# Install stage: use node + pnpm to resolve workspace dependencies.
+# Build context must be the monorepo root (see docker-compose.macmini.yml).
+FROM node:22-alpine AS installer
+
+RUN corepack enable && corepack prepare pnpm@9.15.0 --activate
+
+WORKDIR /app
+
+# Copy workspace structure
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY services/mana-auth/package.json ./services/mana-auth/
+COPY packages/shared-hono ./packages/shared-hono
+COPY packages/shared-ai ./packages/shared-ai
+
+# Install only mana-auth and its workspace deps
+RUN pnpm install --filter @mana/auth... --no-frozen-lockfile --ignore-scripts
+
+# Runtime stage: bun
 FROM oven/bun:1 AS production
 
 WORKDIR /app
 
-COPY package.json bun.lock* ./
-RUN bun install --frozen-lockfile 2>/dev/null || bun install
+# Copy installed deps from installer stage
+COPY --from=installer /app/node_modules ./node_modules
+COPY --from=installer /app/services/mana-auth/node_modules ./services/mana-auth/node_modules
+COPY --from=installer /app/packages ./packages
 
-COPY src ./src
-COPY tsconfig.json drizzle.config.ts ./
+# Copy source
+COPY services/mana-auth/package.json ./services/mana-auth/
+COPY services/mana-auth/src ./services/mana-auth/src
+COPY services/mana-auth/tsconfig.json services/mana-auth/drizzle.config.ts ./services/mana-auth/
+
+WORKDIR /app/services/mana-auth
 
 EXPOSE 3001