Implements passwordless authentication via passkeys using @simplewebauthn:
Backend (mana-core-auth):
- New passkeys table in auth schema (credentialId, publicKey, counter, etc.)
- PasskeyService with registration/authentication flows and challenge storage
- 7 new API endpoints (register, authenticate, list, delete, rename)
- createSessionAndTokens helper for non-password auth flows
- Security event types for passkey operations
Client (shared-auth):
- signInWithPasskey() and registerPasskey() with dynamic @simplewebauthn/browser imports
- isPasskeyAvailable() browser capability check
- Passkey management methods (list, delete, rename)
UI (shared-auth-ui):
- Passkey button on LoginPage with key icon, shown when browser supports WebAuthn
- Divider between passkey and email/password form
App integration:
- All 19 web app auth stores have isPasskeyAvailable() and signInWithPasskey()
- All 19 web app login pages pass passkeyAvailable and onSignInWithPasskey props
- rpID=mana.how in production enables cross-app passkey usage (SSO-compatible)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Switch from bcrypt (native C++ addon) to bcryptjs (pure JavaScript)
- Remove python3/make/g++ build tools from Dockerfile builder stage
- bcryptjs is 100% hash-compatible with bcrypt
- Smaller builder image and faster Docker builds
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Assign version numbers based on app maturity: Calendar/Contacts/Todo (1.0.0),
Chat/Picture (0.3.0), 11 beta apps (0.2.0), Context/Planta/Questions (0.1.0),
Traces (0.0.1). Set up @changesets/cli for future version management.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add comprehensive admin dashboard to view and manage user data across all projects:
Backend:
- Add admin endpoints to Chat, Todo, Contacts, Calendar, Picture, Zitare, Presi
- Each backend exposes GET/DELETE /api/v1/admin/user-data/:userId
- Service-to-service auth via X-Service-Key header
Aggregation (mana-core-auth):
- GET /api/v1/admin/users - Paginated user list with search
- GET /api/v1/admin/users/:userId/data - Aggregated data from all backends
- DELETE /api/v1/admin/users/:userId/data - GDPR deletion across all projects
Frontend (ManaCore web):
- New User Data tab in admin navigation
- User search page at /admin/user-data
- User detail page with ProjectDataCard components
- GDPR deletion dialog with email confirmation
Presi:
- Migrate user_id from UUID to TEXT for Better Auth compatibility
- Add SQL migration script
- Build matrix-mana-bot only for linux/amd64 (arm64 fails due to QEMU)
- Move pnpm overrides for cpu-features and ssh2 to root package.json
- These native deps cause illegal instruction errors under QEMU emulation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OIDC providers like Synapse expect the JWT issuer claim to match the
discovery document's issuer URL. Changed JWT plugin config from
JWT_ISSUER to BASE_URL to ensure consistency.
Also adds:
- @manacore/credit-operations package with operation definitions
- @manacore/shared-credit-ui package with React Native and Svelte components
- CreditInterceptor and @UseCredits decorator in nestjs-integration
- Credit system integration in chat backend
- Add OIDC Provider plugin to Better Auth configuration
- Add OIDC database tables (oauth_applications, oauth_access_tokens,
oauth_authorization_codes, oauth_consents)
- Configure Synapse as OIDC client in homeserver.yaml
- Update Element Web config for SSO support
- Add seed script for OIDC clients (db:seed:oidc)
- Update Cloudflare tunnel config with Matrix URLs
This enables Single Sign-On between Mana Core Auth and Matrix/Synapse,
allowing users to authenticate via their existing Mana account.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace Prometheus with VictoriaMetrics (2-year retention)
- Add DuckDB analytics module for business KPIs (unlimited retention)
- Add master overview dashboard combining all metrics
- Add business metrics dashboard for user growth tracking
- Add backup script for VictoriaMetrics snapshots and DuckDB
- Add ADR documentation for monitoring stack decision
Analytics API endpoints:
- GET /api/v1/analytics/health - Service health
- GET /api/v1/analytics/latest - Latest metrics snapshot
- GET /api/v1/analytics/growth - User growth over time
- GET /api/v1/analytics/monthly - Monthly aggregates
- POST /api/v1/analytics/snapshot - Manual snapshot trigger
- Add dev credentials pre-fill on login page (dev@manacore.local)
- Add initialPassword prop to LoginPage component
- Add seed script for dev user (pnpm db:seed:dev in mana-core-auth)
- Add OLLAMA_URL to .env.development for Mac Mini connection
- Add nodemailer-based email service with Brevo SMTP integration
- Implement password reset, invitation, and welcome email templates
- Update better-auth.config.ts to use email service for sendResetPassword and sendInvitationEmail
- Add SMTP environment variables to docker-compose.macmini.yml
- Change minimum password length from 12 to 8 characters
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add metrics module to calendar, chat, clock, contacts backends
- Add metrics module to mana-core-auth service
- Expose /metrics endpoint for Prometheus scraping
- Track HTTP requests, response times, and custom business metrics
Co-Authored-By: Claude <noreply@anthropic.com>
Merge till-dev branch containing:
- Planta plant care tracking application
- Clock backend with alarms, timers, world clocks
- Zitare backend with favorites and lists
- Various app improvements and fixes
- Auth system updates
- Infrastructure improvements
Note: Some type-check issues may need resolution after merge.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add safe-db-push.mjs script for safer database migrations
- Update docker-entrypoint.sh with db:push fallback when migrations fail
- Add validate-migrations.mjs script for CI migration validation
- Update CI workflow to use migration validation
- Update drizzle.config.ts with improved configuration
Add includeAllManaApps option to enable all ManaCore apps to communicate
with each other without manually listing each app's domains.
**Changes:**
- Added MANACORE_STAGING_ORIGINS, MANACORE_PRODUCTION_ORIGINS, and
MANACORE_ALL_APP_ORIGINS constants
- Added includeAllManaApps flag to CorsConfigOptions interface
- Updated createCorsConfig() and createCorsConfigWithCallback() to support
the new flag
- Updated mana-core-auth to use includeAllManaApps: true (auth needs to be
accessible by all apps)
- Updated documentation with usage examples and decision matrix
**Benefits:**
- One-line configuration enables cross-app communication
- Automatically stays in sync as new apps are added
- No need to manually update CORS_ORIGINS for each app
- Works in both staging and production environments
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
## Runtime Environment Fix
- Updated all web app hooks.server.ts to use $env/dynamic/private
- This allows Docker containers to inject env vars at runtime
- Updated docker-compose.staging.yml with HTTPS staging domains
- Fixes Mixed Content errors when accessing staging via domains
## New Features
- Added email service to mana-core-auth for sending emails
- Added storage module to chat backend
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Merged auth/complete into main with resolved conflicts:
- Kept Better Auth system (EdDSA JWT via JWKS)
- Removed all Coolify references
- Added dev:auth and dev:chat:full scripts for auth development
- Combined zitare scripts from main with auth scripts
- Exported both feedback.schema and organizations.schema
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Replace jsonwebtoken RS256 validation with jose EdDSA
- Add JWKS endpoint to expose Better Auth public keys
- Use createRemoteJWKSet for token validation
- Fix issuer mismatch (use env var consistently)
- Add jwks table to schema for Better Auth JWT plugin
- Install jose library for JWT verification
- Add shared-feedback-types package with TypeScript types
- Add shared-feedback-service package with factory function
- Add shared-feedback-ui package with Svelte 5 components
- Add feedback module to mana-core-auth backend
- Add AI service using Gemini 2.0 Flash for title/category generation
- Add database schema and migration for feedback tables
- Integrate feedback page into Chat web app
- Add CORS support for X-App-Id header
- Add COMMANDS.md documentation for all dev commands
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
