chore(infra): unify prod deploy on .env.macmini + document missing keys

Two pieces of the same cleanup:

1. build-app.sh now passes `--env-file .env.macmini` explicitly via a
   shared COMPOSE_ARGS array. Without it, docker compose silently fell
   back to `.env` in the project root — a separate file that happened
   to hold MANA_AUTH_KEK and other secrets that `.env.macmini` lacked.
   deploy.sh, restart.sh, and the CD workflow already used the flag;
   this aligns build-app.sh with the rest. Server-side .env.macmini
   was reconciled 2026-04-23 with the union of both files, so the
   duplicate `.env` is no longer needed.

2. .env.macmini.example now documents 7 keys the prod stack actually
   depends on but that had never been listed: GOOGLE_GEMINI_API_KEY /
   GOOGLE_GENAI_API_KEY (SDK aliases for Deep-Research + mana-ai),
   MANA_AI_PRIVATE_KEY_PEM / MANA_AI_PUBLIC_KEY_PEM (Mission-Grant
   keypair), MANA_AI_DEEP_RESEARCH_ENABLED + PUBLIC_AI_MISSION_GRANTS
   (feature flags), MANA_CORE_SERVICE_KEY (legacy alias), and the STT/
   TTS internal shared secrets.

Matrix-bot tokens deliberately left undocumented — no Matrix homeserver
in the current running stack.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Till JS 2026-04-23 13:01:29 +02:00
parent 5c08653b19
commit f719d1768f
2 changed files with 50 additions and 6 deletions


@ -118,17 +118,52 @@ AZURE_STORAGE_ACCOUNT_KEY=
# ─── Google Gemini ──────────────────────────────────────────
# Used by mana-llm + several Gemini-Vision modules (planta, food).
# GOOGLE_GEMINI_API_KEY and GOOGLE_GENAI_API_KEY are SDK-specific aliases
# consumed by mana-research's Deep-Research provider (@google/genai) and
# mana-ai's planner. In practice all three hold the same value.
GEMINI_API_KEY=
GOOGLE_GEMINI_API_KEY=
GOOGLE_GENAI_API_KEY=
# ─── Mission Grants (AI Workbench) ──────────────────────────
# EdDSA keypair used by mana-ai to unwrap server-side decryption grants.
# Must be Ed25519 in PEM form, base64-encoded. Generate with:
# openssl genpkey -algorithm Ed25519 -out key.pem
# openssl pkey -in key.pem -pubout -out pub.pem
# base64 -w0 key.pem # → MANA_AI_PRIVATE_KEY_PEM
# base64 -w0 pub.pem # → MANA_AI_PUBLIC_KEY_PEM
# Keep the private half server-only; the public half goes into the
# browser so users can wrap grants for specific missions.
MANA_AI_PRIVATE_KEY_PEM=
MANA_AI_PUBLIC_KEY_PEM=
# ─── AI feature flags ───────────────────────────────────────
# MANA_AI_DEEP_RESEARCH_ENABLED gates the async deep-research provider
# in mana-research. PUBLIC_AI_MISSION_GRANTS surfaces the Mission-Grant
# UI in the webapp. Both default off; set to "true" in production.
MANA_AI_DEEP_RESEARCH_ENABLED=false
PUBLIC_AI_MISSION_GRANTS=false
# ─── Service-to-service auth keys ───────────────────────────
# Shared secrets backends use to call each other without going through
# user JWTs. Generate with: openssl rand -base64 32
# MANA_SERVICE_KEY appears in compose with BOTH a default and a no-default
# reference, so it MUST be set to a real value in production.
# MANA_CORE_SERVICE_KEY is a legacy alias consumed by games/arcade +
# mana-ai's internal client; keep it in sync with MANA_SERVICE_KEY until
# the rename is finished.
MANA_SERVICE_KEY=
MANA_CORE_SERVICE_KEY=
MANA_CREDITS_SERVICE_KEY=
MEMORO_SERVICE_KEY=
# ─── STT / TTS internal keys ────────────────────────────────
# Shared secrets between mana-api and the GPU-hosted STT/TTS services
# (see docs/WINDOWS_GPU_SERVER_SETUP.md). Required only if voice
# features are enabled.
STT_INTERNAL_API_KEY=
TTS_INTERNAL_API_KEY=
# ─── Memoro Supabase (legacy) ───────────────────────────────
# Memoro still keeps recording metadata in Supabase. Move to mana_platform
# is tracked in the Memoro CLAUDE.md.
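Review bot: the key-generation recipe in the Mission Grants block (`base64 -w0 key.pem` / `base64 -w0 pub.pem`) uses the GNU coreutils `-w` option, which the BSD `base64` shipped on macOS does not accept; since this file is `.env.macmini.example`, an operator following the comment on the target host is likely to hit "invalid option" and then paste a line-wrapped PEM that mana-ai cannot decode. Suggest a portable form that works with both OpenSSL and coreutils, e.g. `openssl base64 -A -in key.pem`, or at least a note that the value must be a single line with no embedded newlines. Two smaller points in the same hunk: the comment says the public half "goes into the browser", so it would help to name the env var or build step that exposes it (the `PUBLIC_` prefix convention used for `PUBLIC_AI_MISSION_GRANTS` is not applied to `MANA_AI_PUBLIC_KEY_PEM`, which makes it look server-only); and the Service-to-service block explains that `MANA_SERVICE_KEY` has both a defaulted and a non-defaulted reference in compose, which is the kind of drift that leaves one service accepting the placeholder default while another rejects it, so a short `make`/deploy-time check that the value is non-empty (and identical to `MANA_CORE_SERVICE_KEY` until the rename lands) would turn the "MUST be set" comment into something enforced.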