diff --git a/.env.macmini.example b/.env.macmini.example
index c35c8c9cc..960fdc0cb 100644
--- a/.env.macmini.example
+++ b/.env.macmini.example
@@ -118,17 +118,52 @@ AZURE_STORAGE_ACCOUNT_KEY=
 
 # ─── Google Gemini ──────────────────────────────────────────
 # Used by mana-llm + several Gemini-Vision modules (planta, food).
+# GOOGLE_GEMINI_API_KEY and GOOGLE_GENAI_API_KEY are SDK-specific aliases
+# consumed by mana-research's Deep-Research provider (@google/genai) and
+# mana-ai's planner. In practice all three hold the same value.
 GEMINI_API_KEY=
+GOOGLE_GEMINI_API_KEY=
+GOOGLE_GENAI_API_KEY=
+
+# ─── Mission Grants (AI Workbench) ──────────────────────────
+# EdDSA keypair used by mana-ai to unwrap server-side decryption grants.
+# Must be Ed25519 in PEM form, base64-encoded. Generate with:
+# openssl genpkey -algorithm Ed25519 -out key.pem
+# openssl pkey -in key.pem -pubout -out pub.pem
+# base64 -w0 key.pem # → MANA_AI_PRIVATE_KEY_PEM
+# base64 -w0 pub.pem # → MANA_AI_PUBLIC_KEY_PEM
+# Keep the private half server-only; the public half goes into the
+# browser so users can wrap grants for specific missions.
+MANA_AI_PRIVATE_KEY_PEM=
+MANA_AI_PUBLIC_KEY_PEM=
+
+# ─── AI feature flags ───────────────────────────────────────
+# MANA_AI_DEEP_RESEARCH_ENABLED gates the async deep-research provider
+# in mana-research. PUBLIC_AI_MISSION_GRANTS surfaces the Mission-Grant
+# UI in the webapp. Both default off; set to "true" in production.
+MANA_AI_DEEP_RESEARCH_ENABLED=false
+PUBLIC_AI_MISSION_GRANTS=false
 
 # ─── Service-to-service auth keys ───────────────────────────
 # Shared secrets backends use to call each other without going through
 # user JWTs. Generate with: openssl rand -base64 32
 # MANA_SERVICE_KEY appears in compose with BOTH a default and a no-default
 # reference, so it MUST be set to a real value in production.
+# MANA_CORE_SERVICE_KEY is a legacy alias consumed by games/arcade +
+ mana-ai's internal client; keep it in sync with MANA_SERVICE_KEY until
+ the rename is finished.
 MANA_SERVICE_KEY=
+MANA_CORE_SERVICE_KEY=
 MANA_CREDITS_SERVICE_KEY=
 MEMORO_SERVICE_KEY=
 
+# ─── STT / TTS internal keys ────────────────────────────────
+# Shared secrets between mana-api and the GPU-hosted STT/TTS services
+# (see docs/WINDOWS_GPU_SERVER_SETUP.md). Required only if voice
+# features are enabled.
+STT_INTERNAL_API_KEY=
+TTS_INTERNAL_API_KEY=
+
 # ─── Memoro Supabase (legacy) ───────────────────────────────
 # Memoro still keeps recording metadata in Supabase. Move to mana_platform
 # is tracked in the Memoro CLAUDE.md.
diff --git a/scripts/mac-mini/build-app.sh b/scripts/mac-mini/build-app.sh
index 1f6a02719..8809b3e1c 100755
--- a/scripts/mac-mini/build-app.sh
+++ b/scripts/mac-mini/build-app.sh
@@ -14,8 +14,17 @@ set -e
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
 COMPOSE_FILE="$PROJECT_ROOT/docker-compose.macmini.yml"
+ENV_FILE="$PROJECT_ROOT/.env.macmini"
 DOCKER="${DOCKER_CMD:-/usr/local/bin/docker}"
 
+# Explicit --env-file flag keeps this script aligned with deploy.sh /
+# restart.sh / the CD workflow (all use .env.macmini). Without it compose
+# falls back to .env in the project root — which used to be a separate
+# file holding a superset of secrets, and missing that file meant mana-
+# auth started with an empty MANA_AUTH_KEK. Server was reconciled
+# 2026-04-23; this flag keeps it that way.
+COMPOSE_ARGS=(-f "$COMPOSE_FILE" --env-file "$ENV_FILE")
+
 # Minimum free memory (in MB) needed for a Docker build
 BUILD_MEM_THRESHOLD_MB=3000
 
@@ -188,7 +197,7 @@ build_services() {
 done
 
 echo "=== Building: ${services[*]} ==="
-$DOCKER compose -f "$COMPOSE_FILE" build --no-cache "${services[@]}" 2>&1
+$DOCKER compose "${COMPOSE_ARGS[@]}" build --no-cache "${services[@]}" 2>&1
 echo ""
 echo "=== Restarting: ${services[*]} ==="
 # Tear down existing containers BEFORE the up cycle. We hit "container
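Review bot: The Mission Grants recipe documents `base64 -w0`, a GNU coreutils option that the BSD base64 shipped on macOS does not accept, so the steps as written fail on the Mac mini this example file targets. Since the recipe already invokes openssl, the portable form is `openssl base64 -A -in key.pem # → MANA_AI_PRIVATE_KEY_PEM` and `openssl base64 -A -in pub.pem # → MANA_AI_PUBLIC_KEY_PEM`. Separately, as the diff renders, the two continuation lines after `# MANA_CORE_SERVICE_KEY is a legacy alias consumed by games/arcade +` begin with a space rather than `#`; if the file really contains them that way they are neither comments nor assignments, and an env-file parser may reject the file once the example is copied to .env.macmini, so both should be prefixed with `# `.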
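Review bot: `COMPOSE_ARGS` passes `--env-file "$ENV_FILE"` unconditionally, but nothing verifies that .env.macmini exists, and several call sites in the later hunks discard compose's stderr (`config 2>/dev/null` in the rm/config hunk, `config --services 2>/dev/null ... || true` in the --all-web hunk, `ps ... 2>/dev/null || echo` in the status hunk), so a missing or malformed env file would surface as an empty container-name list or "no web services" instead of the loud failure the new comment is trying to guarantee. A guard right after the array, `[ -f "$ENV_FILE" ] || { echo "ERROR: $ENV_FILE not found (copy .env.macmini.example)" >&2; exit 1; }`, fails early with an actionable message. The `set -e` visible in the hunk header does not help here, because those sites are `$(...)` assignments whose status is masked by a pipe or `||`.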
@@ -206,13 +215,13 @@ build_services() {
 # 3. `up -d --remove-orphans` then creates a clean new container
 # and silences the "Found orphan containers" warning we kept
 # seeing for the unrelated mana-game-whopixels leftover.
-$DOCKER compose -f "$COMPOSE_FILE" rm -fs "${services[@]}" 2>&1 \
+$DOCKER compose "${COMPOSE_ARGS[@]}" rm -fs "${services[@]}" 2>&1 \
 | grep -v 'No stopped containers' || true
 for svc in "${services[@]}"; do
 # Map compose service name → container_name from the compose config.
 # Falls back to the service name itself if container_name isn't set.
 local cname
-cname=$($DOCKER compose -f "$COMPOSE_FILE" config 2>/dev/null \
+cname=$($DOCKER compose "${COMPOSE_ARGS[@]}" config 2>/dev/null \
 | awk -v s="$svc:" '
 $0 ~ "^ "s {found=1; next}
 found && /^ [a-z]/ {found=0}
@@ -228,7 +237,7 @@ build_services() {
 echo "$orphans" | xargs -r $DOCKER rm -f 2>/dev/null || true
 fi
 done
-$DOCKER compose -f "$COMPOSE_FILE" up -d --no-deps --remove-orphans "${services[@]}" 2>&1
+$DOCKER compose "${COMPOSE_ARGS[@]}" up -d --no-deps --remove-orphans "${services[@]}" 2>&1
 }
 
 # --- Main ---
@@ -273,7 +282,7 @@ case "$1" in
 --all-web)
 build_base_images
 # Find all web services in compose
-WEB_SERVICES=$($DOCKER compose -f "$COMPOSE_FILE" config --services 2>/dev/null | grep '\-web$' || true)
+WEB_SERVICES=$($DOCKER compose "${COMPOSE_ARGS[@]}" config --services 2>/dev/null | grep '\-web$' || true)
 if [ -n "$WEB_SERVICES" ]; then
 build_services $WEB_SERVICES
 else
@@ -291,7 +300,7 @@ echo "=== Build complete ==="
 # Show status of built services
 for svc in "$@"; do
 if [ "$svc" != "--base" ] && [ "$svc" != "--all-web" ]; then
-STATUS=$($DOCKER compose -f "$COMPOSE_FILE" ps --format '{{.Name}}\t{{.Status}}' "$svc" 2>/dev/null || echo "$svc: unknown")
+STATUS=$($DOCKER compose "${COMPOSE_ARGS[@]}" ps --format '{{.Name}}\t{{.Status}}' "$svc" 2>/dev/null || echo "$svc: unknown")
 echo " $STATUS"
 fi
 done