The refresh endpoint was using manual jwt.sign with RSA keys, but the
server doesn't have JWT_PRIVATE_KEY configured. Changed to use Better
Auth's signJWT method which uses the JWKS/EdDSA keys from the database.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Same issue as sessionToToken - the signIn method was returning the
session cookie token as refreshToken, but the /api/v1/auth/refresh
endpoint expects the actual refreshToken field from the sessions table.
Now signIn:
- Fetches the session from database after Better Auth creates it
- Uses existing refreshToken if available
- Generates and stores a new refreshToken if missing
- Returns the actual refreshToken that works with token refresh
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The get-session endpoint needs to be accessible at /api/auth/get-session
(without the /api/v1 prefix) for SSO to work.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The SSO flow in client apps calls /api/auth/get-session with cookies
to check if the user has a valid session. This endpoint was missing
from the NestJS passthrough controller.
Now the endpoint forwards the request with cookies to Better Auth's
native handler and returns the session data.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Images are now automatically analyzed when sent to the bot, removing
the need for the !analyze command after sending a photo.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The package was incorrectly exporting src/index.ts which causes runtime
errors when used with plain Node.js. Changed to export from dist/.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
All 19 Matrix bots now use SessionModule.forRoot({ storageMode: 'redis' })
to share user sessions across all bots via Redis. Users only need to
login once with any bot to be authenticated with all bots.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Added shared-tsconfig, shared-nestjs-setup, and shared-nestjs-health
packages required for the backend build.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The NutriPhi bot was failing with 413 "request entity too large" when
analyzing images via Base64. Added configurable bodyLimit option to
shared-nestjs-setup and set NutriPhi backend to 50mb.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add I18nService with per-user language preferences (de/en)
- Add !language/!sprache command to all 4 bots (todo, calendar, contacts, clock)
- Add fallback behavior: messages without commands create tasks/events/contacts/timers
- Improve clock bot duration parsing to accept bare numbers as minutes (e.g. "25" = 25min)
- Add support for more duration formats: "25 minuten", "1 stunde", etc.
Language preferences stored in SessionService, default configurable via BOT_DEFAULT_LANGUAGE env var.
The sessionToToken method was incorrectly returning the session cookie
token instead of the actual refreshToken from the database. This caused
"No refresh token available" errors when users logged in via SSO
(cross-domain cookie) because the /api/v1/auth/refresh endpoint expects
the refreshToken field from the sessions table, not the cookie token.
Now the method:
- Fetches the session from database by cookie token
- Uses existing refreshToken if available
- Generates and stores a new refreshToken if missing
- Returns the actual refreshToken that works with token refresh
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add /bots route with bot overview grid
- Create BotCard component with expandable details
- Implement search and category filtering (AI, Productivity, Media, Lifestyle, Tools)
- Add bot data structure with commands, descriptions, and metadata
- Support starting chat with bots (creates DM or navigates to existing room)
- Add German and English translations
- Add robot icon to PillNavigation component
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
EventSourceResponse from sse-starlette adds its own 'data:' prefix,
so we should yield dicts with a 'data' key instead of pre-formatted
SSE strings. This was causing 'data: data:' double prefixes and
backticks appearing in chat messages.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add mana-llm FastAPI service for LLM API gateway
- Configure CORS for playground.mana.how
- Use shared Redis from existing infra
- Connect playground to mana-llm container
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add PlaygroundLogo to shared-branding package
- Add playground to APP_BRANDING, APP_ICONS, and APP_URLS
- Replace custom login/register pages with shared-auth-ui components
- Update authStore with resendVerificationEmail and improved signUp
- Add Caddy reverse proxy entry for playground.mana.how
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Activate Redis session storage in both bots for cross-bot SSO
- Update SessionHelper to async methods for Redis-backed SessionService
- Fix async/await issues in todo-bot and calendar-bot matrix.service.ts
- Remove unused imports from calendar-api and todo-api services
- Add CALENDAR_BACKEND_URL and MANA_CORE_SERVICE_KEY to .env.development
Note: SessionService methods are now async (Redis-backed). Other bots
need their matrix.service.ts updated to await these async calls.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Docker Desktop relocation to external SSD via symlink
- Document ~80GB freed on internal SSD
- Add Matrix Bots section with all 10 bots and ports
- Include health check, logs, and management commands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add Single Sign-On (SSO) support across all mana.how subdomains:
- Add trySSO() method to @manacore/shared-auth that exchanges session
cookies for JWT tokens
- Add /api/v1/auth/session-to-token endpoint to mana-core-auth service
- Update all 15 web apps to try SSO during auth initialization
SSO Flow:
1. User logs in on any app (e.g., calendar.mana.how)
2. Session cookie is set with Domain=.mana.how
3. When visiting another app (e.g., todo.mana.how), it checks for
local tokens first
4. If no local tokens, tries SSO via session cookie
5. Session cookie is exchanged for JWT tokens via new endpoint
6. User is automatically authenticated
Apps updated: calendar, chat, clock, contacts, manacore, manadeck,
nutriphi, picture, planta, presi, questions, skilltree, storage,
todo, zitare
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Document cross-domain SSO with COOKIE_DOMAIN configuration
- Add production test credentials for automated testing
- Explain cookie-based SSO flow across *.mana.how subdomains
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Configure Better Auth with crossSubDomainCookies for .mana.how domain
- Add COOKIE_DOMAIN environment variable (production: .mana.how)
- Sync trustedOrigins with all production subdomains
- Users now login once and are authenticated across all apps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The calendar frontend integrates with todo and contacts backends
for tasks and birthdays. The env vars were only available during
SSR, not in client-side JavaScript.
- Add PUBLIC_TODO_BACKEND_URL and PUBLIC_CONTACTS_API_URL injection
in hooks.server.ts
- Update todos.ts to use injected window variable
- Update birthdays.ts to use injected window variable
Fixes 404 errors on calendar.mana.how for /tasks/* and /contacts/birthdays
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The tsconfig was missing include/exclude which caused the build to
output to dist/src/main.js instead of dist/main.js.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
node:20-slim doesn't include wget or curl, which is required
for the HEALTHCHECK commands in the Dockerfiles.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add root-level pnpm override to replace @matrix-org/matrix-sdk-crypto-nodejs
with empty-npm-package. This disables E2EE support but allows matrix bots
to run without native module compilation issues.
The bots don't need E2EE since Matrix Synapse handles encryption at
the server level for our use case.
Also removes the explicit pnpm add commands from Dockerfiles since the
override handles the module replacement.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The pnpm lockfile doesn't contain the linux-x64-gnu variant of
@matrix-org/matrix-sdk-crypto-nodejs since it was created on macOS.
Explicitly adding this package during Docker build ensures the
correct native binary is available at runtime.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add loginWithLoginToken function to exchange Matrix SSO loginToken for credentials.
The app layout now detects the loginToken URL parameter and completes the SSO flow.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The @matrix-org/matrix-sdk-crypto-nodejs package needs a rebuild step
after install to properly select the platform-specific prebuilt binary.
Without this, the module fails to find the correct binding at runtime.
Adds `pnpm rebuild @matrix-org/matrix-sdk-crypto-nodejs || true` after
both the dev and prod install steps in all matrix bot Dockerfiles.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move PostgreSQL data from Docker volume to /Volumes/ManaData/postgres
for better data safety and performance.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The root package.json has postinstall hooks (generate-env, build:packages,
husky) that fail in Docker context. --ignore-scripts prevents these from
running while still allowing the build to complete.
Using node:20-slim (glibc) should handle matrix-sdk crypto modules via
prebuilt binaries without needing install scripts.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed base images from Alpine to Debian slim (glibc vs musl)
- Removed --ignore-scripts to allow native module builds
- Fixed user creation commands for Debian-based images
The matrix-bot-sdk requires @matrix-org/matrix-sdk-crypto-nodejs which
needs platform-specific native binaries. Alpine's musl libc causes
compatibility issues with these modules.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Mac Mini with Apple Silicon needs explicit platform specification
to pull amd64 images since matrix bots only have amd64 builds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
All matrix bots use matrix-bot-sdk which has native dependencies
(cpu-features, ssh2) that cause QEMU emulation failures during CI
arm64 builds. Build amd64 only - can run on arm64 via Rosetta.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Mount MinIO data directly to /Volumes/ManaData/minio for better
performance and persistence on external SSD.
Requires Docker Desktop "Full Disk Access" permission on Mac Mini.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix LoggerService mock in better-auth.service.spec.ts
- Fix name assertion in auth.controller.spec.ts (empty string fallback)
- Fix createRemoteJWKSet mock in jwt-auth.guard.spec.ts
- Add Grafana dashboard for Auth Service monitoring
- Add 10 auth-specific Prometheus alert rules
- Update production readiness plan to 100% complete
All 199 unit tests passing.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Build matrix-mana-bot only for linux/amd64 (arm64 fails due to QEMU)
- Move pnpm overrides for cpu-features and ssh2 to root package.json
- These native deps cause illegal instruction errors under QEMU emulation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OIDC providers like Synapse expect the JWT issuer claim to match the
discovery document's issuer URL. Changed JWT plugin config from
JWT_ISSUER to BASE_URL to ensure consistency.
Also adds:
- @manacore/credit-operations package with operation definitions
- @manacore/shared-credit-ui package with React Native and Svelte components
- CreditInterceptor and @UseCredits decorator in nestjs-integration
- Credit system integration in chat backend
Set useJWTPlugin: true so id_tokens are signed with EdDSA keys
from JWKS instead of HS256. This fixes Synapse OIDC integration
which verifies tokens via JWKS endpoint.
SSD bind mount requires Docker Desktop GUI configuration for
/Volumes access. Reverting to standard volume until manually configured.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
