- herbatrium.mana.how + herbatrium-api.mana.how removed from cloudflared
and mana-auth CORS_ORIGINS; now only herbatrium.com /
api.herbatrium.com.
- Seepuls switched from the .mana.how setup to the .com setup: cloudflared
now exposes seepuls.com (apex + www) and api.seepuls.com (instead of
seepuls.mana.how + seepuls-api.mana.how).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
During the 2026-05-20 cutover, the step "Ingress in cloudflared-config.yml" was
ticked off in Memory but never actually done; both hosts fell through to the
service: http_status:404 catch-all. App symptom: Native showed "API-Fehler
404:" in the Töpfe/Aufnehmen tabs, while the kreisel-api container itself was healthy.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cloudflared-config: 2 hostnames added (apex → 3104, api → 3103).
docker-compose mana-auth: CORS_ORIGINS extended by the two new
origins. herbatrium.mana.how remains functional (no primary switch).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Primary-domain cutover 2026-05-20: the apex previously pointed to a
Namecheap parking A record, and the tunnel had no routes for the
.com domain. CF DNS repointed to the Verein tunnel, routes added
here. The .mana.how co-domain remains.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Three hostnames were NEVER entered in the active cloudflared-config,
even though the DNS CNAMEs had been created:
- sync2.mana.how → mana-sync-v2 (event-sourcing platform, all 9
Verein apps; without this route browser clients could not emit
events)
- herbatrium.mana.how / -api.mana.how (live status in Memory was
wrong, smokes only green against localhost)
Manual insert via sed on 2026-05-19 was lost on the next managarten
git pull; now persisted cleanly in the repo.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Was only patched live on mana-server during the υ-6 cutover, not
committed; the last git pull overwrote the edits (the live stack
kept running because cloudflared in-memory + mana-auth post-restart state
were still correct, but everything would have been gone on the next restart).
- cloudflared-config.yml: uload.mana.how 5000→3108, uload-api.mana.how
3070→3107, ulo.ad NEW on 3107.
- docker-compose.macmini.yml: 3 uload origins (uload.mana.how,
uload-api.mana.how, ulo.ad) in mana-auth CORS_ORIGINS.
- scripts/mac-mini/backup-databases.sh: uload-postgres → 'uload' +
comicello-postgres → 'comicello' in the db_user_for_container() case.
Memory + playbook track the cutover details (project_uload_live.md).
My previous live edit on 2026-05-18 12:01 inserted the moodlit block
directly on the mana-server but did not commit it to Git.
During the Comicello deploy at 14:14 the server file was then
regenerated from an older Git state → moodlit block gone, old
`moodlit.mana.how → :5000` unified-app stub active again → live
incorrectly showed the unified app.
Now anchored in the repo (after the Comicello block, before the catch-all):
- moodlit.mana.how → :3106 (web)
- moodlit-api.mana.how → :3105 (api)
Plus: old stub `moodlit.mana.how → :5000` removed from the unified block
(was wrongly still at line 129; ingress order matters, it would have
overridden the new block further down).
Verified live: HTML shows `data-theme="twilight"`, the delivered
0.*.css contains @keyframes sunrise / sunset / sparkle (own
brightness animations instead of the gradient-shift fallback) and
requestFullscreen is in the delivered chunk.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
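Two failures recur in this log: a stale `moodlit.mana.how → :5000` rule higher in the file winning over the new block, and hosts falling through to the `http_status:404` catch-all. Both can be caught before a reload by replaying cloudflared's top-down, first-match rule order. The following is an added example, not code from this repository; `auth.example.test`, `missing.example.test`, the `^/api/` path, the `EXPECTED` map and the minimal parser (which assumes `ingress:` is the only list in the file) are assumptions for illustration.

```python
import re
# Constructed sample shaped like a cloudflared ingress section. moodlit hosts and
# ports are from the commit message; the *.example.test entries are hypothetical.
SAMPLE_CONFIG = """\
ingress:
  - hostname: moodlit.mana.how          # stale stub left in the unified block
    service: http://localhost:5000
  - hostname: auth.example.test         # path split: same host, two services
    path: ^/api/
    service: http://localhost:3001
  - hostname: auth.example.test
    service: http://localhost:3042
  - hostname: moodlit.mana.how          # the block that was meant to go live
    service: http://localhost:3106
  - hostname: moodlit-api.mana.how
    service: http://localhost:3105
  - service: http_status:404
"""
# Hostname -> service the operator intends to be live (constructed).
EXPECTED = {
    "moodlit.mana.how": "http://localhost:3106",
    "moodlit-api.mana.how": "http://localhost:3105",
    "missing.example.test": "http://localhost:9999",
}

def parse_ingress(text):
    """Read hostname/path/service keys from the list items of the config."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith((" ", "-")):      # top-level key closes any open rule
            current = None
            continue
        item = line.strip()
        if item.startswith("- "):                # start of the next rule
            current = {}
            rules.append(current)
            item = item[2:].strip()
        if current is not None and ":" in item:
            key, value = item.split(":", 1)
            current[key.strip()] = value.strip().strip("'\"")
    return rules

def host_matches(pattern, host):
    if not pattern:                              # no hostname: matches any host
        return True
    if pattern.startswith("*."):                 # wildcard subdomain rule
        return host.endswith(pattern[1:])
    return pattern == host

def route(rules, host, path="/"):
    """Return (index, service) of the first matching rule, top to bottom."""
    for index, rule in enumerate(rules):
        if not host_matches(rule.get("hostname"), host):
            continue
        if rule.get("path") and not re.search(rule["path"], path):
            continue
        return index, rule.get("service")
    return None

def audit(rules, expected):
    findings = []
    if not rules or rules[-1].get("hostname") or rules[-1].get("path"):
        findings.append(("no-catch-all", None, "last rule must match everything"))
    for index, rule in enumerate(rules):
        host = rule.get("hostname")
        for prev in range(index) if host else ():
            earlier = rules[prev]
            # A path-less earlier rule swallows the host; one with a path is split routing.
            if not earlier.get("path") and host_matches(earlier.get("hostname"), host):
                findings.append(("shadowed", host, f"rule {index} is dead, rule {prev} wins"))
                break
    for host, wanted in expected.items():
        got = (route(rules, host) or (None, None))[1]
        if got != wanted:
            findings.append(("misrouted", host, f"wanted {wanted}, got {got}"))
    return findings

RULES = parse_ingress(SAMPLE_CONFIG)
FINDINGS = audit(RULES, EXPECTED)
for finding in FINDINGS:
    print(*finding, sep=" | ")
```

Running the same audit in CI against the committed file and a list of hostnames that have DNS CNAMEs would flag both the shadowed block and routes that exist only as uncommitted live edits.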
- cloudflared-config: two additional ingress rules pageta.com →
:3100 + api.pageta.com → :3099 (in addition to pageta.mana.how;
no primary switch).
- docker-compose.macmini mana-auth CORS_ORIGINS: lesen.mana.how
leftovers replaced by pageta.mana.how + pageta-api.mana.how + pageta.com +
api.pageta.com. The midday rebrand had missed this env;
Memory project_pageta_live.md explicitly warns about it.
DNS CNAMEs (pageta.com + api.pageta.com) were created via the Cloudflare API
(zone ba85dec9..., proxied=true onto the mana-server tunnel).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Brand rebrand of the reader web app. DNS CNAMEs for pageta.mana.how +
pageta-api.mana.how have been created via the Cloudflare API (CNAME to
1435166a-…cfargotunnel.com, proxied=true), but this reload should
happen ONLY after the container cutover; otherwise the tunnel yields
a 404 window, because the old lesen containers have no pageta hostname
match.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cardecky.mana.how now routes to mana-infra-landings:4400 (nginx
301 redirect) instead of directly to cards-web:5181. That activates the
landings.conf block, which redirects to wordeck.com; old
browser bookmarks and deep links automatically land on the new
domain.
cardecky-api.mana.how still goes directly to cards-api:3191; cards-native
v0.9.4 (TestFlight) uses it as its backend. Universal Links of the old
app (AASA `applinks:cardecky.mana.how`) deliberately break with the
cutover; Wordeck-Native v1 will declare `applinks:wordeck.com`
instead.
Smoke tests green: cardecky.mana.how/d/<slug> → wordeck.com/d/<slug>.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Cards-to-Wordeck rebrand: three new hostnames added, all on the
same cards-web/cards-api backend as cardecky.mana.how.
- wordeck.com → :5181 (cards-web)
- www.wordeck.com → :5181
- api.wordeck.com → :3191 (cards-api)
Cloudflare tunnel CNAMEs have been created via the API. cloudflared
reloaded via launchctl and smoke-tested. wordeck.com responds HTTP 200
with Wordeck branding.
See mana/docs/playbooks/WORDECK_REBRAND.md.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- manameme.mana.how → :3197, manameme-api.mana.how → :3196
(Phase 8 cutover 2026-05-15, DNS routes already live;
config block was still uncommitted, now explicitly documented)
- seepuls.mana.how → :3096, seepuls-api.mana.how → :3095
(Phase β-4 deploy pending; DNS is reserved in advance, tunnel returns
502 until the container is deployed. Aggregator app,
mana/docs/AGGREGATOR_POLICY.md applies)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Manaspur (GPS tracking) Phase 8 cutover 2026-05-13. Ports per
mana/docs/PORTS.md: 3193 api / 5183 web. Web container arrives with
Phase 6; the hostname is reserved DNS-only, 502 until then.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add cloudflared ingress for `manawald.mana.how` (port 3090 locally) + add
the origin to `CORS_ORIGINS` on the mana-auth container so that SSO
cookie auth works.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Auth portal is now live: API calls (Better Auth endpoints) still hit
mana-auth (:3001) directly; all UI routes (login, register, reset,
verify-email) are served by the new mana-auth-web SvelteKit app on
host port 3042.
Also updates the duplicate-hostname validator to allow path-based split
routing rules for the same hostname.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Four Cloudflare zones for mana e.V. (Swiss Verein in formation):
- mana-ev.ch (apex) → Astro landing (mana-landing :3088)
- www.mana-ev.ch → 301 → mana-ev.ch
- mana-ev.{com,de,at} + www for each → 301 → mana-ev.ch
DNS via CF API (32 operations): default A/AAAA records from
domainssaubillig to Hetzner deleted (apex, www, wildcard per zone),
replaced by CNAME → 1435166a-...cfargotunnel.com. Wildcard not
recreated: clean config, only explicit subdomains resolve.
Tunnel config (cloudflared-config.yml): 8 new hostnames with
service rules. Nginx config (docker/nginx/landings.conf): one
server block for 7 redirect hostnames.
Path corruption uncovered: the cloudflared launchd plist and
docker-compose volumes still point to ~/projects/mana-monorepo/
instead of managarten/. Patched provisionally with a symlink (tunnel)
and a file copy (Nginx); see OFFENE_PUNKTE.md for a clean solution.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bring Mac Mini drift into source control; it had been live on the
server since 2026-05-08 but uncommitted (rescued via stash during the
managarten rename).
Cloudflared tunnel:
- verein.mana.how → :3088 (Verein landing, live since 2026-05-09)
- share.mana.how → :3072 (federation share service, Phase F)
- mcp.mana.how → :3069 (MCP gateway, exposing tool-registry)
- cardecky-api.mana.how → :3191 (port correction, was wrongly :3072)
- cardecky.mana.how → :5181 (port correction, was :5180)
- nutriphi.mana.how → :3087, nutriphi-api.mana.how → :3086
docker-compose.macmini.yml:
- mana-auth CORS_ORIGINS: nutriphi.mana.how + nutriphi-api.mana.how
- New service mana-share (build from ../mana/services/mana-share,
federation backbone Phase F, port 3072, own DB tables in
mana_platform)
- New service mana-mcp (build from ../mana/services/mana-mcp,
MCP gateway, port 3069)
Both services build from the mana-platform repo (../mana/services/...),
not from managarten; managarten only orchestrates via Compose.
Two long-uncommitted Mac Mini drifts cleaned up:
1. cloudflared-config.yml — git.mana.how → :3030 (Forgejo). The
route has been live for weeks (HTTP 200), just never committed.
2. .gitignore — exclude secrets/ (private keys: mana-ai mission-grant
RSA keypair lives there; must NEVER be committed) and *.bak-*
files (operator backup workflow on the Mac Mini).
services/mana-auth/drizzle/ on the Mac Mini was Mac-Mini-side
generated state for the (now deleted) mana-monorepo mana-auth
service; cleanup fell out with the Phase 7 deletion.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three new ingress rules for the Zitare repo (Code/zitare/, separate
repo, deployed under ~/projects/zitare-deploy/ on the Mac Mini).
Ports follow mana/docs/PORTS.md: 3083 api / 3084 app / 3085 com.
zitare.com is a separate Cloudflare zone — the tunnel route for
that hostname needs a one-time `cloudflared tunnel route dns
1435166a-0e3f-4222-8de6-744f32cea5c9 zitare.com` to point the CNAME
at this tunnel. Same for the two .mana.how subdomains, which sit on
the existing mana.how zone.
Code-only: no Mac Mini deploy in this commit. The actual reload
needs ./scripts/mac-mini/sync-tunnel-config.sh after the matching
mana-auth/CORS_ORIGINS + sso-origins changes are committed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Phase 2f-1 had moved verdaccio from the Mini to the GPU-Box, but the
storage volume never arrived there. The GPU container was empty (no
htpasswd, no @mana/* packages), and external `npm install @mana/foo` ran
into a 404. Rollback instead of catching up on the storage migration, because:
- The Mini's standalone Verdaccio (~/projects/verdaccio/) has all the data,
including the claudebot service account and 9 published packages
- npm reads are low anyway (CI builds), the Mini disk has space
- Simplifies the user/token path lifecycle (one source, no
sync choreography)
Cleanup:
- DNS npm.mana.how back onto the Mini tunnel via the Cloudflare API
- Mini cloudflared-config.yml: npm.mana.how ingress re-entered
- GPU-Box: verdaccio container + 3 volumes removed (mana_verdaccio-storage,
mana_verdaccio-plugins, verdaccio-storage)
- infrastructure/docker-compose.gpu-box.yml: verdaccio service block removed
- infrastructure/verdaccio/config.yaml: deleted (was a GPU-specific
bundle; Code/mana has the canonical copy for the Mini)
- docs/PLAN_OPTION_C.md: Phase 2f marked as ⚠️ partially rolled back
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Web research orchestrator (16+ search/LLM providers) moved to the
GPU-Box. Cross-LAN for mana-auth/mana-credits/mana-llm/mana-search/
postgres/redis (192.168.178.131). research.mana.how now routes to the
mana-gpu-server tunnel (CF config v29). Mini container count 42 → 41.
PUBLIC_MANA_RESEARCH_URL in mana-app-web switched to the https URL;
Mini containers cannot reach 192.168.178.11 directly (Colima NAT),
hence a cross-LAN bridge via Cloudflare Tunnel as with mana-ai.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Phase 2f-3 (final of the 2f-trio). The background tick-loop runner is
the most coupled of the three: it queries mana-api, mana-llm, and
mana-research, and writes through to the mana_sync DB. Wired up via
cross-LAN host-IPs to those Mini-side services + the existing RSA
key-pair for Mission-Grant decryption (MANA_AI_PRIVATE_KEY_PEM moved
into /srv/mana/.env on the GPU-Box; the matching MANA_AI_PUBLIC_KEY_PEM
stays on mana-auth's env-set as before).
Bonus rationale: AI Mission Runner now sits in the same compose
network as the GPU-Box's gpu-llm/gpu-ollama tasks, so future
"agent talks to local LLM" paths skip the Cloudflare round-trip.
Tunnel: mana-ai.mana.how repointed at the mana-gpu-server tunnel
(config v28). The Mini-side ingress was removed in the same step.
OTEL_EXPORTER_OTLP_ENDPOINT cleared since Tempo was retired in 2c.
Mini-side: container stopped + removed from docker-compose.macmini.yml.
Running count went from 39 → 42 because of unrelated services that
re-appeared on the latest CD pull (cards-server, memoro-web), but the
actual mana-ai service is gone — net move accomplished.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Wires cards-server into the Mac-mini stack so we can deploy alongside
the rest of the Mana services.
- Dockerfile mirrors the mana-credits 2-stage pattern (node+pnpm
installer → bun runtime), exposes :3072, includes a /health
healthcheck.
- docker-compose.macmini.yml: new cards-server block right after
mana-credits — depends on postgres + mana-auth, 128m mem, all the
env knobs from the Phase-α config (author payout BPS, community-
verified thresholds, sibling-service URLs).
- cloudflared-config.yml: cards-api.mana.how → :3072. Distinct from
cards.mana.how (the user-facing PWA) so the API surface is clearly
separated.
- sso-origins.ts: cards-api.mana.how added to PRODUCTION_TRUSTED_ORIGINS.
- mana-auth CORS_ORIGINS in compose: cards-api.mana.how added.
Restored whopxl.mana.how that had drifted out — sso-config.spec.ts
had been flagging it but the missing entry surfaced when I added
cards-api. spec is back to 8/8 green.
Deploy plan (next steps, not in this commit):
1. ./scripts/mac-mini/build-app.sh cards-server
2. docker exec mana-app-cards-server bun run db:push (creates the
`cards` schema + 16 tables in mana_platform)
3. ./scripts/mac-mini/sync-tunnel-config.sh
4. Smoke: curl https://cards-api.mana.how/health → 200
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Phase 2f-1 cutover. npm.mana.how DNS now CNAMEs to mana-gpu-server
tunnel (config v27), Mini-side route entry no longer needed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two cleanups against the status-page DOWN list:
photon-self (photon.mana.how route):
mana-geocoding's /health/photon-self pings the photon backend, which
lives as a Docker container on the GPU-Box (port 2322). PHOTON_SELF_API_URL
was http://192.168.178.11:2322 — Mini-host can hit that fine but
Mini-Docker-containers can't (Colima-NAT-quirk we keep running into).
Routed photon through the mana-gpu-server tunnel (config v26) and
flipped the env var to https://photon.mana.how. Probe goes UP, geocoding
for sensitive queries (privacy:'local' provider tier) actually works
now too — was effectively orphaned before.
whopxl removed everywhere it still lingered:
Container hasn't existed on the Mini in months (no compose service,
no source dir under apps/, no listener on :5100 — only the dead
cloudflared route + a stale CORS_ORIGINS entry on mana-auth). Cleaned
cloudflared-config.yml, prometheus.yml blackbox-web target, and the
mana-auth CORS list. Old DNS CNAME for whopxl.mana.how stays for now;
no harm.
Plus while we were here: who-api.mana.how/api/decks was the right probe
for who-server's deck catalogue (root /api/decks lives on who-api, not
who.mana.how which is the SSR shell).
Live: status.mana.how shows 58/59 UP; the last 'whopxl' entry will
fall off after VM's TSDB rolls past the probe_success staleness window.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Audit revealed status.mana.how was probing only the unified mana-app
path-routes (mana.how/{module}) plus a couple of GPU services. None
of the standalone deployments were monitored, and three probe targets
were stale.
Changes:
- prometheus.yml blackbox-web: drop mana.how/{context,who} (context
module was dropped 2026-04-29; mana.how/who never existed —
/who is a standalone stack on its own subdomain). Add the eight
hosts that DO have separate deployments today: whopxl, manavoxel,
memoro (landing), cards (Phase-1 spinoff), who.mana.how/cantina,
npm (Verdaccio).
- prometheus.yml blackbox-api: add memoro-api/health,
memoro-audio/health, who-api.mana.how/api/decks,
admin.mana.how/health (admin's root is auth-walled, only /health
returns 200).
- prometheus.yml blackbox-gpu: add gpu-llm.mana.how/health (was
missing; gpu-stt/tts/img/video were in, gpu-llm was somehow not).
- cloudflared-config.yml: restore who.mana.how → :5092 +
who-api.mana.how → :3092. The DNS CNAME points at the Mini tunnel
but the route entries had been lost during a previous compose
cleanup, so every who.* request was hitting the catch-all 404 and
the standalone Bun stack was effectively orphaned at the edge
(PM2 + LaunchAgent all healthy on Mini, just no public route).
Live state after rollout: status.mana.how shows 57/59 services UP,
the two remaining DOWN are pre-existing — photon-self (Phase-2c
cross-LAN routing limitation, documented in PLAN_OPTION_C.md) and
whopxl-web (container not running on the Mini, separate issue).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Phase 2e cleanup. status-page-gen + a dedicated nginx now run on the
GPU-Box (sparse repo clone provides the generator script + mana-apps.ts,
hourly git-pull via systemd timer). Container queries VictoriaMetrics
locally over docker-network ('http://victoriametrics:9090'), no public
vm.mana.how endpoint required — that hostname is also gone from the
GPU tunnel config (v25 → v26 effectively, removed in same PUT that
added status.mana.how).
DNS for status.mana.how now points at the mana-gpu-server tunnel.
Mini-tunnel ingress for it is removed; the previous 'mana-status-gen'
container on the Mini was stopped + rm'd.
Side benefit: closes the inode-stale-bind-mount bug that took
status.mana.how down for a few hours — single-file bind mounts on the Mini
break whenever the CD git-checkout rewrites the source file. The
GPU-Box mounts the same files but the systemd timer git-pulls
in-place, preserving the inode.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Phase 2c+2d cleanup. The 14 services that moved to the GPU-Box stack
(grafana, victoriametrics, loki, tempo, promtail, alertmanager,
vmalert, pushgateway, blackbox-exporter, alert-notifier, umami,
glitchtip + worker, forgejo) are now stopped on the Mini and stable
on the GPU box, so the rollback insurance can come out:
- docker-compose.macmini.yml: drop 14 service blocks (-369 lines) +
the now-orphan named volumes (victoriametrics_data, loki_data,
alertmanager_data, grafana_data, tempo_data).
- cloudflared-config.yml: drop the four hostnames whose DNS already
points at the mana-gpu-server tunnel — Mini-tunnel ingress for them
has been dead routing since 2026-05-06, removing the rules just makes
the file match reality. The hostnames now live in the GPU tunnel's
dashboard config (token-managed).
Containers + volumes stay on the Mini for now; running
`docker compose -f docker-compose.macmini.yml --env-file .env.macmini up -d --remove-orphans`
on the box drops them in one go when ready.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Builds out the Cards spinoff end-to-end so the standalone app at
cards.mana.how shares its data layer with the in-mana cards module
through a single pure-utility package.
Why a spinoff and not just a deeper module: per the GUIDELINES, Cards
gets its own brand + URL while reusing mana-auth, mana-sync, and the
mana-credits/billing stack. The in-mana module under mana.how/cards
stays untouched as the integrated experience.
Phase 0 — mana-modul foundation
• New tables cardReviews + cardStudyBlocks (Dexie v61) + plaintext
classification in the crypto registry.
• LocalCard learns a {type, fields} shape; legacy front/back columns
kept as a back-compat mirror so older builds keep rendering.
• FSRS v6 scheduler + Cloze parser + Markdown render pipeline.
• UI in apps/mana/.../routes/(app)/cards/ gets a learn session
(learn/[deckId]), 4-type card editor, due-counter, markdown lists.
Phase 1 — standalone (apps/cards/apps/web)
• SvelteKit 2 + Svelte 5 + Tailwind 4, port 5180.
• Own Dexie 'cards' DB with a slim 5-table schema.
• Own sync engine: pending-changes hooks, 1 s push / 5 s pull against
POST /sync/cards, server-apply with suppression to avoid ping-pong.
• Auth-Gate via @mana/shared-auth-ui (LoginPage / RegisterPage).
• Encryption hooks at every write/read/apply path, currently no-op
stubs — flipping to real vault-backed AES-GCM is a single-file
change in src/lib/data/crypto.ts.
Shared package — @mana/cards-core
• Pulls types, cloze, card-reviews, FSRS wrapper, and Markdown
renderer out of the mana module so both frontends import from one
source. mana-modul keeps thin re-export shims so consumers don't
need to change imports.
• 19 vitest tests carried over from the mana module.
Server-side wiring
• cards.mana.how added to mana-auth PRODUCTION_TRUSTED_ORIGINS and
its CORS_ORIGINS env (sso-config.spec.ts stays green).
• New cards-web container in docker-compose.macmini.yml (mirrors
manavoxel-web pattern, 128m, depends on mana-auth healthy).
• cloudflared-config.yml repoints cards.mana.how from :5000 (the
unified mana-web container) to :5180. mana.how/cards is unchanged.
Cleanup
• Removed an unrelated 2026-03/04 NestJS+Supabase+Expo experiment
that was lingering under apps/cards/ (apps/landing, supabase/,
.github/workflows, MANA_CORE_*.md, etc.). It predated this plan
and would have confused future readers.
Validation
• svelte-check on mana-web: 0 errors over 7697 files
• svelte-check on cards-web: 0 errors over 3481 files
• vitest on cards-core: 19/19 pass
• pnpm check:crypto: 214 tables classified
• bun test sso-config.spec.ts: 8/8 pass
• vite build on cards-web: green
Not done in this commit (deliberate)
• Real encryption (vault roundtrip) — Phase 2.
• WebSocket-driven pull (5 s polling for now).
• Mobile/landing standalone surfaces — Phase 2/3.
• The actual production cutover on the Mac mini (build, deploy,
cloudflared sync) — config is staged, deploy is a user action.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
memoro has for some time been its own repo (Code/memoro/) with its own
Compose stack on the Mini (~/projects/memoro-deploy/). The tunnel
nevertheless still pointed at the unified mana web app (port 5000), i.e.
memoro.mana.how only renders the Mana dashboard, not the real
Memoro marketing landing.
Four hostnames in a dedicated Memoro block:
memoro.mana.how → :3120 (Astro landing, marketing site)
memoro-app.mana.how → :3130 (SvelteKit SPA, web app)
memoro-api.mana.how → :3110 (API)
memoro-audio.mana.how → :3101 (audio service)
memoro-app vs memoro kept at the first subdomain level so that
Cloudflare Universal SSL applies without wildcard config.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two new public hostnames pointing at containers that live in the
separate mana-platform repo (Code/mana, ~/projects/mana-platform on
the Mac Mini):
- admin.mana.how → :3071 (mana-admin, Verein backoffice)
- npm.mana.how → :4873 (Verdaccio, private @mana/* npm registry)
Both deployed alongside the legacy stack via
infrastructure/docker-compose.macmini.yml in the mana-platform repo.
No change to existing routes.
Arcade lives as its own pnpm workspace at ~/Documents/Code/arcade
now, with no @mana/* coupling. This drops every reference and the
games/ directory from the monorepo.
Removes:
- games/ directory (89 files: web + server + 22 HTML games + screenshots)
- @arcade/web, @arcade/server pnpm workspace entries (games/* globs)
- arcade scripts in root package.json (4 scripts)
- arcade.mana.how from mana-auth trusted origins + CORS_ORIGINS
- arcade entries in mana-apps registry, app-icons, URL overrides
- arcade.mana.how from cloudflared tunnel + prometheus blackbox probes
- arcade-web service block in docker-compose.macmini.yml
- generate-env.mjs entries for arcade server + web
- BRANDING_ONLY 'arcade' entry in registry consistency spec
- dead arcade translation keys in GuestWelcomeModal (DE+EN)
- arcade mention in CLAUDE.md, authentication guideline, MODULE_REGISTRY
Verified:
- services/mana-auth/src/auth/sso-config.spec.ts: 8/8 pass
- pnpm install regenerates lockfile cleanly (-536 lines)
- no remaining 'arcade' refs outside historical snapshot docs
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Module, routes and public domain are now uniformly named "feedback":
- App registry: id 'community' → 'feedback', name 'Community' → 'Feedback',
icon Megaphone → HeartHalf (matches the already-global heart-half icon
on the module header and in the PillNav user menu)
- Module config: communityModuleConfig → feedbackModuleConfig
- Route refs: all href/goto calls in module views, MyWishesView,
Onboarding-Wish, Profile-MyWishes switched to /feedback
- /feedback/+layout: brand "Mana Community" → "Mana Feedback", Megaphone
→ HeartHalf, "In Mana öffnen" CTA now points to /?app=feedback
- Public mirror domain: community.mana.how → feedback.mana.how
(cloudflared-config.yml + docker-compose.macmini.yml CORS_ORIGINS +
PUBLIC_MANA_ANALYTICS_URL_CLIENT). DNS must be created separately.
- Settings section: help text now mentions feedback.mana.how
Internal: the community_show_real_name + community_karma DB columns stay
(migration not in scope of this rename). The settings search index category
'community' also stays; it mirrors the DB schema, not the
user-facing term.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
analytics.mana.how DNS already existed as a non-CNAME record — picking
the user-facing 'community.mana.how' subdomain instead. Added the
tunnel ingress + matched the CORS origin + client-side env var.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Phase 2 feedback hub needs a public hostname so the browser-side
FeedbackHook + /community page can talk to mana-analytics. Internal
docker URL stays for SSR.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two subdomains the webapp references in its SSR-injected config but
that had no tunnel entry:
- events.mana.how → mana-events on :3065. The container itself was
also missing (defined in compose but never started); started
today so the route now terminates somewhere real.
- research.mana.how → mana-research on :3068. The webapp was built
with PUBLIC_MANA_RESEARCH_URL empty, which made research fetches
fall back to mana.how and 404. The env-var side is still pending
a rebuild, but the tunnel side is live now.
Cloudflare CNAMEs already created via `tunnel route dns`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Public ingress for the Mission Key-Grant audit endpoint
(/api/v1/me/ai-audit) so the Workbench "Datenzugriff" tab can reach
mana-ai from the browser. Background tick + /metrics stay internal;
only the JWT-gated user endpoint is exposed.
Requires a Cloudflare DNS record pointing mana-ai.mana.how at the
tunnel CNAME (one-off: `cloudflared tunnel route dns
1435166a-0e3f-4222-8de6-744f32cea5c9 mana-ai.mana.how`), then sync
via scripts/mac-mini/sync-tunnel-config.sh.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>