Commit graph

470 commits

Author SHA1 Message Date
Till-JS
4a26926fae 🩹 fix(bot-services): export LOGIN_MESSAGES and auth error helpers
Export the following from @manacore/bot-services:
- LOGIN_MESSAGES: Pre-defined auth error messages for all bot types
- AUTH_ERROR_MESSAGES: Same as LOGIN_MESSAGES (preferred name)
- formatAuthErrorMessage(): Helper to create custom auth error messages

These are used by bots to show consistent error messages when token
refresh fails and the user needs to re-authenticate.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-14 11:19:55 +01:00
Till-JS
ff1affb268 🩹 fix(nutriphi-bot): add automatic token refresh on JWT expiration
When the JWT token expires (15 min), the bot now automatically:
1. Detects the 401 "exp claim" error
2. Clears the expired session
3. Attempts to fetch a new token via Matrix-SSO-Link
4. Retries the failed operation with the new token

This prevents users from getting authentication errors after 15 minutes
of inactivity.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-14 11:18:19 +01:00
Till-JS
0f234a0ce6 fix(matrix-tts-bot): use WAV format for better Matrix compatibility
MP3 format was causing "no supported sources" error in Element.
Switch to WAV which has broader browser/client support.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-14 11:09:56 +01:00
Till-JS
fa7fb3c294 🩹 fix(matrix-bots): use authenticated media download for all bots
The Matrix Media API now requires authentication (spec v1.11+). Updated
all 5 affected bots to use downloadMedia() from BaseMatrixService which
handles authenticated downloads via /_matrix/client/v1/media/download/.

Affected bots:
- matrix-nutriphi-bot (images + audio)
- matrix-zitare-bot (audio)
- matrix-todo-bot (audio)
- matrix-ollama-bot (images)
- matrix-project-doc-bot (images + audio)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-14 11:04:13 +01:00
Till-JS
70e45ed82e fix(matrix-stats-bot): adapt to Umami v2 API response format
The Umami API returns stats in a different format than expected:
- Before: { pageviews: { value, change } }
- After: { pageviews: number, comparison: { pageviews: number } }

Transform the raw API response to the expected format and calculate
percentage change from comparison values.

Also update URL_SCHEMA.md with complete list of all mana.how services.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-14 11:03:03 +01:00
Till-JS
1c9c2301a5 fix(matrix-tts-bot): add API key authentication for mana-tts service
- Add TTS_API_KEY config option to configuration.ts
- Send X-API-Key header in TtsService requests
- Update docker-compose.macmini.yml with TTS_INTERNAL_API_KEY env var
- Update .env.example and CLAUDE.md documentation

The mana-tts service requires authentication, but the TTS bot was not
sending the required X-API-Key header, causing 401 errors.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-14 10:59:08 +01:00
Till-JS
284cd004aa 🩹 fix(auth): fix gift code route prefix and JWT issuer validation
- Remove duplicate route prefix in GiftsController (was /api/v1/api/v1/gifts)
- Fix JwtAuthGuard to use JWT_ISSUER as fallback when BASE_URL is not set
- Add comprehensive GIFT_CODES.md documentation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-13 23:54:36 +01:00
Till-JS
0485ce4b07 🩹 fix(auth): correct healthcheck endpoint path
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-13 23:48:45 +01:00
Till-JS
9d7768495d 🔧 fix(auth): add build tools for bcrypt native module
2026-02-13 23:41:35 +01:00
Till-JS
0701635edb 🔧 fix(auth): update Dockerfile for workspace dependencies
Add shared-storage package to Docker build context to resolve
workspace dependency.
2026-02-13 23:36:56 +01:00
Till-JS
087d34c552 feat(matrix-bots): enhance stats and todo bots
- Add credit commands to todo-bot
- Enhance stats-bot with improved metrics
- Add Umami analytics improvements
2026-02-13 23:29:36 +01:00
Till-JS
e8c3b97f8f feat(auth): add gift codes and enhanced credit system
- Add gift code creation, redemption, and refund endpoints
- Add Stripe payment link generation for credits
- Add gifts database schema
- Enhance credits controller with new operations
2026-02-13 23:29:30 +01:00
Till-JS
92c6dc83ee fix(nutriphi-bot): remove missing media-client dependency
2026-02-13 23:22:29 +01:00
Till-JS
c2842e2546 feat(auth): add avatar upload with S3/MinIO and subscription plans seed
- Add StorageModule for avatar uploads via S3/MinIO
- Create presigned URL endpoint for direct browser uploads
- Create direct upload endpoint (multipart/form-data)
- Add manacore-storage bucket to shared-storage package
- Add manacore-storage bucket to docker-compose.dev.yml
- Create subscription plans seed script (pnpm db:seed:plans)
- Plans: Free (150 credits), Pro (2000/€9.99/mo), Enterprise (10000/€49/mo)
- Update TODO list with completed tasks
2026-02-13 23:06:24 +01:00
Till-JS
ce4e982651 feat(auth): add profile management endpoints
Add backend endpoints for user profile management:
- GET /auth/profile - retrieve user profile data
- POST /auth/profile - update name and profile image
- POST /auth/change-password - change password (requires current)
- DELETE /auth/account - soft-delete account (requires password)

Security features:
- Password verification before sensitive actions
- Soft-delete preserves data for retention
- Security events logged for audit trail
- Rate limiting on sensitive endpoints

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-13 22:29:32 +01:00
Till-JS
ae30ce3323 feat(auth): add Stripe credit purchases and subscription management
- Add StripeService for PaymentIntent creation and webhook verification
- Add credit purchase flow (POST /credits/purchase)
- Add stripe_customers table for Stripe customer mapping
- Add subscriptions schema (plans, subscriptions, invoices)
- Add SubscriptionsService with Checkout, Portal, Cancel, Reactivate
- Add subscription plans (Free: 150 Mana, Pro: €9.99, Enterprise: €49.99)
- Handle subscription and invoice webhooks
- Update roadmap with completed tasks

Credit pricing: 1 Mana = 1 Cent (no volume discounts)
2026-02-13 22:21:23 +01:00
Till-JS
c8b1e92655 💄 style(matrix-todo-bot): clean up task response messages
- Remove credit display from responses (credits still charged)
- Remove "Synchronisiert" text (sync still works)
- Use sendMessage instead of sendReply to avoid quoting user ID
- Simplify status output
- Use cleaner formatting with dots instead of pipes
2026-02-13 22:09:31 +01:00
Till-JS
ab15c2367b feat(gdpr): add DSGVO improvements for self-service data page
- Add account deletion confirmation email
- Extend data export with sessions, security events, transactions
- Add DSGVO info banner with privacy policy link
- Add data retention periods section
- Add cookie info (no tracking cookies)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-13 13:43:23 +01:00
Till-JS
742aa0e046 feat(zitare): add multilingual support and expanded quote metadata
- Add 6-language support: original, de, en, it, fr, es
- Add quote metadata: source, year, tags, imageUrl, authorBio, verified
- Add originalLanguage field to preserve original quote language (la, el, zh, sa, etc.)
- Update all 50 quotes with full translations and metadata
- Add new utility functions: getQuoteText, getQuotesByTag, getAllTags,
  getQuotesByAuthor, getVerifiedQuotes, getQuotesByYearRange,
  getQuotesByOriginalLanguage
- Update matrix-zitare-bot to use new multilingual schema
2026-02-13 12:42:50 +01:00
Till-JS
74c1cfed4f feat(zitare): add @zitare/content package for shared quotes
- Create new @zitare/content package with 50 German quotes
- Include 10 categories: motivation, weisheit, liebe, leben, erfolg,
  glueck, freundschaft, mut, hoffnung, natur
- Add utility functions: getRandomQuote, getDailyQuote, searchQuotes,
  getQuotesByCategory, formatQuote, etc.
- Migrate matrix-zitare-bot to use the shared package
- Remove hardcoded quotes from bot configuration
2026-02-13 12:30:41 +01:00
Till-JS
b9f0d841df ♻️ refactor(matrix-bots): remove offline mode, require login for all operations
- Remove local JSON storage from matrix-todo-bot and matrix-calendar-bot
- Delete TodoService, CalendarService and their modules
- Add requireLogin() helper that prompts users to authenticate
- All bot commands now require login before any operation
- Data is always synced with respective backends (todo-backend, calendar-backend)
- Update CLAUDE.md documentation for both bots

BREAKING CHANGE: Bots no longer work without authentication

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-13 12:18:11 +01:00
Till-JS
02a5172c7c feat(admin): add GDPR user-data endpoints to photos, clock, storage backends
- Add admin modules with GET/DELETE /api/v1/admin/user-data/:userId
- Photos: albums, favorites, tags counting and deletion
- Clock: alarms, timers, world clocks, presets counting and deletion
- Storage: files, folders, shares, tags counting and deletion
- Update UserDataService to include photos, clock, storage backends
- Add ADMIN_SERVICE_KEY env var to all backends in docker-compose
- Build storage-backend locally instead of using GHCR image

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-12 13:43:16 +01:00
Till-JS
d5e18c9c27 🔧 fix(mac-mini): update health checks and disable missing services
- Disable api-gateway and skilltree-web (no working images/Dockerfiles)
- Fix mana-search Dockerfile healthcheck port and endpoint
- Update health-check.sh to skip disabled services
- Fix search service health endpoint (/api/v1/health)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-12 13:28:55 +01:00
Till-JS
6548d83e18 🐛 fix(mana-search): use pnpm deploy to fix symlink issue in Docker
pnpm creates symlinks in node_modules that point to ../../node_modules/.pnpm/.
These symlinks break when only the service node_modules are copied.

Using pnpm deploy creates a standalone version with all dependencies
copied (no symlinks), which works correctly in Docker.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-12 13:24:55 +01:00
Till-JS
bc8cd98a27 fix(auth): correct MeController route prefix
Remove duplicate api/v1 prefix - NestJS already adds it globally.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-12 13:22:58 +01:00
Till-JS
9881e84ee3 feat(auth): add GDPR self-service endpoints for user data
Add /api/v1/me/data endpoints for users to view, export, and delete
their own data without admin privileges (GDPR compliance).

Backend:
- New MeModule with MeController and MeService
- GET /api/v1/me/data - view own data summary
- GET /api/v1/me/data/export - download as JSON
- DELETE /api/v1/me/data - delete all own data

Frontend:
- New /settings/my-data page with full data overview
- Export button for JSON download
- DeleteConfirmationModal with email verification
- Link from settings page to my-data

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-12 13:20:08 +01:00
Till-JS
22a6a6496c fix(mana-media): fix Dockerfile pnpm symlinks for production
Keep same directory structure in production stage so pnpm symlinks
resolve correctly. Copy the .pnpm store and app's node_modules
separately.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-12 02:19:19 +01:00
Till-JS
8b6ff0c679 feat(auth): add API key management for STT/TTS services
- Add api_keys schema in mana-core-auth with SHA-256 hashing
- Create NestJS module with CRUD endpoints and validation
- Add external auth module to STT/TTS for sk_live_ key validation
- Create web UI page at /api-keys for key management
- Support rate limiting per key with configurable limits
- Cache validation results for 5 minutes to reduce auth service load

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-12 02:12:05 +01:00
Till-JS
4452d371fa 🐛 fix(mana-media): correct path to main.js in Dockerfile
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-12 01:55:48 +01:00
Till-JS
898f5d2112 🔧 chore(stt,tts): update launchd plists to load .env files
Source .env file before starting uvicorn to enable API key auth
and other environment-based configuration.

Removes hardcoded PORT values in favor of .env configuration.
2026-02-12 01:44:46 +01:00
Till-JS
aab304fc95 🔒️ feat(stt,tts): add API key authentication with rate limiting
Add auth.py module to both STT and TTS services with:
- API key validation via X-API-Key header
- Rate limiting with sliding window (requests per minute)
- Internal API key option for unlimited access
- Environment variable configuration

All protected endpoints now require authentication.
Public endpoints (/health, /docs) remain accessible.
2026-02-11 18:04:22 +01:00
Till-JS
90c2f8573e feat(photos): add Photos app with mana-media EXIF integration
- Add Photos NestJS backend (port 3019) with albums, favorites, tags
- Add Photos SvelteKit web app (port 5189) with gallery, upload, filters
- Extend mana-media with EXIF extraction service using exifr
- Add cross-app photo listing endpoint to mana-media
- Add photo stats endpoint to mana-media
- Add photos to setup-databases.sh

Backend features:
- Albums CRUD with cover image and items management
- Favorites toggle with status check
- Tags CRUD with photo-tag associations
- Photo proxy to mana-media with local data enrichment

Web features:
- Photo grid with infinite scroll
- Photo detail modal with EXIF display
- Album grid and detail views
- Upload dropzone with progress tracking
- Filter bar (app, date range, location, sort)
- i18n support (de/en)
- Svelte 5 runes mode

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-11 17:58:44 +01:00
Till-JS
21d50d1e0b 📝 docs(mana-stt): document Whisper + Mistral API architecture
- Disable vLLM by default (has issues on macOS CPU)
- Use Mistral API for Voxtral transcription (cloud-based)
- Keep Whisper-MLX for local transcription
- Update README with architecture diagram

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-11 16:34:03 +01:00
Till-JS
7c9c2645e3 🐛 fix(mana-stt): adjust vLLM config for CPU mode
- Reduce max-model-len to 4096 for CPU compatibility
- Add max-num-batched-tokens matching the context size
- Add enforce-eager for stable CPU inference

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-11 16:14:14 +01:00
Till-JS
60394076e5 feat(mana-stt): add vLLM integration for Voxtral transcription
- Add vllm_service.py as proxy to vLLM server for Voxtral 3B/4B
- Add voxtral_api_service.py for Mistral API fallback
- Update main.py with /transcribe/voxtral endpoint using vLLM
- Add /transcribe/auto endpoint with automatic fallback chain
- Create setup-vllm.sh and start-vllm-voxtral.sh scripts
- Add launchd plist files for Mac Mini deployment
- Add install-services.sh for automated service installation

Architecture:
- vLLM server runs Voxtral models on port 8100
- mana-stt proxies to vLLM with Mistral API fallback
- Fallback chain: vLLM -> Mistral API

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-11 16:10:00 +01:00
Till-JS
a2e2a5b73c feat(admin): add user data dashboard for cross-project data visualization
Add comprehensive admin dashboard to view and manage user data across all projects:

Backend:
- Add admin endpoints to Chat, Todo, Contacts, Calendar, Picture, Zitare, Presi
- Each backend exposes GET/DELETE /api/v1/admin/user-data/:userId
- Service-to-service auth via X-Service-Key header

Aggregation (mana-core-auth):
- GET /api/v1/admin/users - Paginated user list with search
- GET /api/v1/admin/users/:userId/data - Aggregated data from all backends
- DELETE /api/v1/admin/users/:userId/data - GDPR deletion across all projects

Frontend (ManaCore web):
- New User Data tab in admin navigation
- User search page at /admin/user-data
- User detail page with ProjectDataCard components
- GDPR deletion dialog with email confirmation

Presi:
- Migrate user_id from UUID to TEXT for Better Auth compatibility
- Add SQL migration script
2026-02-11 14:59:18 +01:00
Till-JS
c475923864 fix(mana-media): simplify Dockerfile to single build stage
Use simpler approach that handles pnpm install failures gracefully.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 19:03:05 +01:00
Till-JS
b3dd3c51d3 fix(mana-media): fix Dockerfile build and health check paths
- Use --ignore-scripts to skip postinstall builds during install
- Remove unnecessary shared-builder stage
- Fix health check URL to /api/v1/health

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 18:57:50 +01:00
Till-JS
c965f7e440 fix(mana-media): simplify Dockerfile for pnpm hoisted dependencies
pnpm hoists dependencies to root node_modules, so we don't need to copy
service-level node_modules that don't exist.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 18:55:49 +01:00
Till-JS
5c19500748 fix(mana-media): change userId from UUID to TEXT for Matrix user IDs
Matrix user IDs like @user:matrix.org are not UUIDs, so the schema
needs to accept text strings for the userId field in media_references.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 18:45:40 +01:00
Till-JS
cee30ff7ed feat(matrix-todo-bot): improve UX with German commands without ! prefix
- heute command now shows both today's tasks AND inbox tasks
- All commands work without ! prefix (e.g., 'heute' instead of '!heute')
- Updated all help text and messages to show German commands
- Added direct command recognition for: neu, heute, erledigt, löschen, etc.
- Commands still work with ! prefix for backwards compatibility

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 18:32:00 +01:00
Till-JS
d4663b5643 feat(mana-media): add centralized media storage with NutriPhi integration
- Implement mana-media service with PostgreSQL/Drizzle ORM persistence
- Add content-addressable storage (SHA-256) for automatic deduplication
- Add Matrix MXC URL import endpoint to copy images from Matrix
- Create @manacore/media-client package for service consumption
- Integrate mana-media into NutriPhi bot for persistent image storage
- Update pnpm-workspace.yaml to include nested service packages
- Add mana-media to docker-compose with port 3015

Images sent to NutriPhi bot are now stored in mana-media after analysis,
providing persistent storage with deduplication across all apps.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 17:30:14 +01:00
Till-JS
85df234ff2 feat(mana-core-auth): auto-link Matrix users on OIDC login
When users log into Matrix via OIDC (Sign in with Mana Core), their
Matrix user ID is now automatically linked to their Mana account.
This enables automatic bot authentication without requiring a
separate !login command.

- Add autoLinkOnOidcLogin() method to MatrixSessionService
- Hook into OIDC userinfo endpoint to create links automatically
- Calculate Matrix user ID from email using Synapse's template

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 16:50:28 +01:00
Till-JS
75937d6ce9 fix(mana-core-auth): align JWT issuer validation with Better Auth signing config
Better Auth signs JWTs with issuer=BASE_URL (https://auth.mana.how) for OIDC
compatibility, but validation was using jwt.issuer config which defaults to
'manacore'. This caused "unexpected iss claim value" errors.

Fixed in:
- better-auth.service.ts validateToken()
- jwt-auth.guard.ts
- optional-auth.guard.ts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 16:50:04 +01:00
Till-JS
0538a6ca10 fix(mana-core-auth): use Better Auth signJWT in refresh endpoint
The refresh endpoint was using manual jwt.sign with RSA keys, but the
server doesn't have JWT_PRIVATE_KEY configured. Changed to use Better
Auth's signJWT method which uses the JWKS/EdDSA keys from the database.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 16:40:37 +01:00
Till-JS
c196144d1c fix(mana-core-auth): return real refreshToken from signIn endpoint
Same issue as sessionToToken - the signIn method was returning the
session cookie token as refreshToken, but the /api/v1/auth/refresh
endpoint expects the actual refreshToken field from the sessions table.

Now signIn:
- Fetches the session from database after Better Auth creates it
- Uses existing refreshToken if available
- Generates and stores a new refreshToken if missing
- Returns the actual refreshToken that works with token refresh

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 16:37:54 +01:00
Till-JS
d64016d1e5 fix(mana-core-auth): exclude /api/auth/get-session from global prefix
The get-session endpoint needs to be accessible at /api/auth/get-session
(without the /api/v1 prefix) for SSO to work.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 16:29:17 +01:00
Till-JS
95e9b3764d feat(mana-core-auth): add /api/auth/get-session endpoint for SSO
The SSO flow in client apps calls /api/auth/get-session with cookies
to check if the user has a valid session. This endpoint was missing
from the NestJS passthrough controller.

Now the endpoint forwards the request with cookies to Better Auth's
native handler and returns the session data.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 16:27:39 +01:00
Till-JS
9c45879363 feat(nutriphi-bot): auto-analyze images when received
Images are now automatically analyzed when sent to the bot, removing
the need for the !analyze command after sending a photo.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 16:27:03 +01:00
Till-JS
b6925e0b63 feat(matrix-bots): enable cross-bot SSO via Redis sessions
All 19 Matrix bots now use SessionModule.forRoot({ storageMode: 'redis' })
to share user sessions across all bots via Redis. Users only need to
login once with any bot to be authenticated with all bots.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 16:16:22 +01:00