# Environment Configuration Audit Report ## Mana Universe Monorepo - Backend Authentication & Configuration **Date:** December 1, 2025 **Auditor:** Environment Configuration Auditor Agent **Scope:** All NestJS backends and mana-core-auth service --- ## EXECUTIVE SUMMARY The monorepo has **CRITICAL PORT CONFLICTS** that will prevent multiple backends from running simultaneously. Additionally, there are inconsistencies in environment variable naming conventions across backends and missing configuration examples for some projects. **Status:** NEEDS IMMEDIATE ACTION - 2 port conflicts identified - 3 naming convention inconsistencies - 5 backends missing .env.example files - Hardcoded CORS origins in multiple backends --- ## 1. PORT ASSIGNMENT MATRIX ### Current Assignments (from .env.development) | Backend | Port | Env Variable | Status | Conflict | | ------------------ | -------- | --------------------------- | ----------- | -------- | | Mana Core Auth | 3001 | MANA_CORE_AUTH_PORT | ✓ Unique | No | | Chat | 3002 | CHAT_BACKEND_PORT | ✓ Unique | No | | **Maerchenzauber** | **3003** | MAERCHENZAUBER_BACKEND_PORT | ⚠ CONFLICT | **Yes** | | Manadeck | 3004 | MANADECK_BACKEND_PORT | ✓ Unique | No | | **Picture** | **3003** | PICTURE_BACKEND_PORT | ⚠ CONFLICT | **Yes** | | **Nutriphi** | **3002** | NUTRIPHI_BACKEND_PORT | ⚠ CONFLICT | **Yes** | | Zitare | 3007 | ZITARE_BACKEND_PORT | ✓ Unique | No | | Presi | 3008 | PRESI_BACKEND_PORT | ✓ Unique | No | | Mana Games | 3011 | MANA_GAMES_BACKEND_PORT | ✓ Unique | No | | Voxel Lava | 3010 | VOXEL_LAVA_BACKEND_PORT | ✓ Unique | No | ### PORT CONFLICTS FOUND 1. **Port 3003 - DOUBLE ASSIGNED** - Maerchenzauber Backend: `MAERCHENZAUBER_BACKEND_PORT=3003` - Picture Backend: `PICTURE_BACKEND_PORT=3003` 2. **Port 3002 - DOUBLE ASSIGNED** - Chat Backend: `CHAT_BACKEND_PORT=3002` - Nutriphi Backend: `NUTRIPHI_BACKEND_PORT=3002` ### RECOMMENDATION Reassign conflicting ports: - Maerchenzauber: Keep 3003, reassign Picture to **3005** or **3006** - OR reassign Maerchenzauber to **3005** and keep Picture at 3003 - Nutriphi: Reassign to **3006** or another available port - Mana Games: Currently 3011 - Voxel Lava: Currently 3010 --- ## 2. AUTH ENVIRONMENT VARIABLES AUDIT ### Central Configuration (.env.development) **PRESENT & CONFIGURED:** - ✓ `MANA_CORE_AUTH_URL=http://localhost:3001` (Line 16) - ✓ `DEV_BYPASS_AUTH=true` (Line 59 - Chat only) - ✓ JWT_PRIVATE_KEY & JWT_PUBLIC_KEY (Lines 19-20) - ✓ CORS_ORIGINS=... (Line 41) **MISSING CENTRALIZED:** - ✗ `DEV_USER_ID` - NOT in .env.development - Used hardcoded in Chat: `17cb0be7-058a-4964-9e18-1fe7055fd014` - Should be centralized in .env.development - ✗ `MANA_CORE_SERVICE_KEY` - NOT found in generate-env.mjs mapping - Defined for Manadeck in .env.example - Not passed to backends via generator ### Backend-Specific Auth Configuration | Backend | Auth URL Var | Dev Bypass | Dev User ID | Status | | ------------ | ------------------ | ------------------- | ------------- | --------------- | | **Chat** | MANA_CORE_AUTH_URL | ✓ Configured | ✗ Hardcoded | ⚠ Partially | | **Picture** | MANA_CORE_AUTH_URL | ✗ Missing | ✗ Not checked | ✗ Incomplete | | **Zitare** | MANA_CORE_AUTH_URL | ✗ Missing | ✗ Not checked | ✗ Incomplete | | **Presi** | MANA_CORE_AUTH_URL | ✗ Missing | ✗ Not checked | ✗ Incomplete | | **Manadeck** | MANA_SERVICE_URL | ✗ Not in generation | ✗ Not mapped | ✗ Not generated | ### ISSUE: Naming Convention Inconsistency Different backends use DIFFERENT variable names for the same thing: ``` INCONSISTENT: - Chat uses: MANA_CORE_AUTH_URL (from generate-env.mjs line 95) - Picture uses: MANA_CORE_AUTH_URL (from generate-env.mjs line 230) - Zitare uses: MANA_CORE_AUTH_URL (from generate-env.mjs line 300) - Presi uses: MANA_CORE_AUTH_URL (from generate-env.mjs line 330) - Manadeck uses: MANA_SERVICE_URL (from generate-env.mjs line 205) - Manadeck uses: APP_ID (from generate-env.mjs line 206) - Nutriphi uses: MANACORE_AUTH_URL (from generate-env.mjs line 272) ``` **STANDARDIZATION NEEDED:** All backends should use consistent naming: - Recommend: `MANA_CORE_AUTH_URL` (most common) --- ## 3. ENVIRONMENT VARIABLE MAPPING AUDIT ### Generate-env.mjs Coverage Analysis | Backend | .env.example | generate-env.mjs | .env Generated | Coverage | | -------------- | ------------ | ---------------- | --------------- | ------------------ | | Chat | ✓ Exists | ✓ Lines 85-98 | ✓ Will generate | ✓ Complete | | Picture | ✓ Exists | ✓ Lines 223-243 | ✓ Will generate | ✓ Complete | | Manadeck | ✓ Exists | ✓ Lines 199-209 | ✓ Will generate | ✓ Complete | | **Zitare** | ✗ Missing | ✓ Lines 294-303 | ✓ Will generate | ⚠ Missing example | | **Presi** | ✗ Missing | ✓ Lines 323-334 | ✓ Will generate | ⚠ Missing example | | Mana-Core-Auth | ✓ Exists | ✓ Lines 57-82 | ✓ Will generate | ✓ Complete | **Missing .env.example files:** - `/apps/zitare/apps/backend/.env.example` - Should document PORT, DATABASE_URL, MANA_CORE_AUTH_URL, CORS_ORIGINS - `/apps/presi/apps/backend/.env.example` - Should document PORT, DATABASE_URL, MANA_CORE_AUTH_URL, JWT_PUBLIC_KEY, CORS_ORIGINS --- ## 4. HARDCODED VALUES & SECURITY CONCERNS ### Hardcoded in Source Code **Chat Backend** (`apps/chat/apps/backend/src/common/guards/jwt-auth.guard.ts`): ```typescript const DEV_USER_ID = '17cb0be7-058a-4964-9e18-1fe7055fd014'; // Line 1 ``` - Should be: `configService.get('DEV_USER_ID')` - Should be in .env.development: `DEV_USER_ID=17cb0be7-058a-4964-9e18-1fe7055fd014` ### Hardcoded CORS Origins in main.ts **Chat** (`src/main.ts` lines 10-18): ```typescript origin: [ 'http://localhost:3000', 'http://localhost:5173', 'http://localhost:5174', 'http://localhost:5178', 'http://localhost:8081', 'exp://localhost:8081', 'http://localhost:3001', // Mana Core Auth ]; ``` **Picture** (`src/main.ts` lines 11-19): ```typescript const allowedOrigins = [ 'http://localhost:3000', 'http://localhost:5173', 'http://localhost:5174', 'http://localhost:5175', 'http://localhost:8081', 'exp://localhost:8081', 'http://localhost:3001', ]; ``` **Presi** (`src/main.ts` lines 10-17): ```typescript origin: [ 'http://localhost:3000', 'http://localhost:5173', 'http://localhost:5177', 'http://localhost:5178', 'http://localhost:8081', 'exp://localhost:8081', 'http://localhost:3001', ]; ``` **Zitare** (`src/main.ts` lines 10-16): ```typescript origin: [ 'http://localhost:3000', 'http://localhost:5173', 'http://localhost:5177', 'http://localhost:8081', 'exp://localhost:8081', 'http://localhost:3001', ]; ``` **RECOMMENDATION:** Move CORS_ORIGINS to .env.development (already exists as CORS_ORIGINS global variable, but not used by all backends) --- ## 5. CONFIGURATION BEST PRACTICES COMPLIANCE ### Configuration Module Setup | Backend | ConfigModule | Validation | Env File Path | Status | | -------------- | ------------------------ | ---------------------- | ------------- | ---------- | | Chat | ✓ ConfigModule.forRoot() | ✗ No validation schema | `.env` | ⚠ Minimal | | Picture | ✓ ConfigModule.forRoot() | ✗ No validation schema | `.env` | ⚠ Minimal | | Zitare | ✓ ConfigModule.forRoot() | ✗ No validation schema | `.env` | ⚠ Minimal | | Presi | ✓ ConfigModule.forRoot() | ✗ No validation schema | `.env` | ⚠ Minimal | | Manadeck | ✓ ConfigModule.forRoot() | ✓ Joi schema | `.env` | ✓ Complete | | Mana-Core-Auth | ✓ ConfigModule.forRoot() | ✓ Config service | `.env` | ✓ Complete | **ISSUE:** Chat, Picture, Zitare, Presi lack validation schemas. **EXAMPLE (Manadeck validation.schema.ts):** ```typescript export const validationSchema = Joi.object({ NODE_ENV: Joi.string().valid('development', 'production'), PORT: Joi.number().required(), DATABASE_URL: Joi.string().required(), MANA_CORE_AUTH_URL: Joi.string().required(), // ... etc }); ``` --- ## 6. CRITICAL ISSUES SUMMARY ### BLOCKING ISSUES (Fix Immediately) 1. **Port Conflict - 3002** - Chat and Nutriphi both assigned to port 3002 - Cannot run simultaneously - **Fix:** Reassign Nutriphi to port 3006 2. **Port Conflict - 3003** - Picture and Maerchenzauber both assigned to port 3003 - Cannot run simultaneously - **Fix:** Reassign Picture to port 3005 or Maerchenzauber to 3006 3. **Hardcoded Dev User ID in Chat Backend** - `DEV_USER_ID = '17cb0be7-058a-4964-9e18-1fe7055fd014'` hardcoded in source - Not configurable via environment - **Fix:** Move to .env.development and load via ConfigService ### MAJOR ISSUES (Fix Soon) 4. **Inconsistent Auth Variable Names** - Manadeck uses `MANA_SERVICE_URL` instead of `MANA_CORE_AUTH_URL` - Nutriphi uses `MANACORE_AUTH_URL` (no underscore) - **Fix:** Standardize all to `MANA_CORE_AUTH_URL` 5. **Hardcoded CORS Origins** - 4 backends hardcode CORS lists in main.ts - Should use environment variables - **Fix:** Use CORS_ORIGINS from .env.development 6. **Missing Configuration Examples** - Zitare and Presi lack .env.example files - **Fix:** Create comprehensive .env.example files ### MEDIUM ISSUES (Improve Quality) 7. **Missing Validation Schemas** - 4 backends lack Joi validation schemas - No type safety for environment variables - **Fix:** Add validation schemas to Chat, Picture, Zitare, Presi 8. **Dev Bypass Auth Not Consistent** - Only Chat backend has DEV_BYPASS_AUTH implemented - Other backends may lack development bypass mechanism - **Fix:** Add consistent development auth bypass pattern --- ## 7. RECOMMENDED ACTIONS ### Phase 1: Critical Fixes (Do First) ```bash # 1. Fix port conflicts in .env.development # Change line 122: PICTURE_BACKEND_PORT=3003 → PICTURE_BACKEND_PORT=3005 # Change line 146: NUTRIPHI_BACKEND_PORT=3002 → NUTRIPHI_BACKEND_PORT=3006 # 2. Add DEV_USER_ID to .env.development # Add after line 59: DEV_USER_ID=17cb0be7-058a-4964-9e18-1fe7055fd014 # 3. Standardize auth URL naming # Update generate-env.mjs line 272 (Nutriphi): # MANACORE_AUTH_URL: → MANA_CORE_AUTH_URL: # Update generate-env.mjs line 205 (Manadeck): # MANA_SERVICE_URL: → MANA_CORE_AUTH_URL: ``` ### Phase 2: Configuration Examples ```bash # Create missing .env.example files: # - apps/zitare/apps/backend/.env.example # - apps/presi/apps/backend/.env.example # Based on .env.development variables and backend requirements ``` ### Phase 3: Code Quality ```bash # Add validation schemas to: # - apps/chat/apps/backend/src/config/validation.schema.ts # - apps/picture/apps/backend/src/config/validation.schema.ts # - apps/zitare/apps/backend/src/config/validation.schema.ts # - apps/presi/apps/backend/src/config/validation.schema.ts # Move CORS origins to environment: # Update main.ts in Chat, Picture, Zitare, Presi to: # app.enableCors({ # origin: (configService.get('CORS_ORIGINS') || '').split(','), # }) ``` --- ## 8. UPDATED PORT ASSIGNMENTS (RECOMMENDED) | Backend | Recommended Port | Current | Status | | -------------- | ---------------- | ------- | ---------- | | Mana Core Auth | 3001 | 3001 | ✓ Keep | | Chat | 3002 | 3002 | ✓ Keep | | Maerchenzauber | 3003 | 3003 | ✓ Keep | | Manadeck | 3004 | 3004 | ✓ Keep | | Picture | **3005** | 3003 | **CHANGE** | | Nutriphi | **3006** | 3002 | **CHANGE** | | Zitare | 3007 | 3007 | ✓ Keep | | Presi | 3008 | 3008 | ✓ Keep | | Voxel Lava | 3010 | 3010 | ✓ Keep | | Mana Games | 3011 | 3011 | ✓ Keep | --- ## 9. ENVIRONMENT VARIABLE SUMMARY TABLE ### Required for All Backends | Variable | Purpose | Centralized | Backend Usage | | ------------------ | --------------------- | ------------------ | -------------------------------------- | | NODE_ENV | Environment type | ✓ .env.development | All | | PORT | Server port | ✓ Individual vars | All | | DATABASE_URL | PostgreSQL connection | ✓ Individual vars | Chat, Manadeck, Picture, Zitare, Presi | | MANA_CORE_AUTH_URL | Auth service URL | ✓ .env.development | Chat, Picture, Zitare, Presi, Manadeck | | CORS_ORIGINS | Allowed origins | ✓ .env.development | All (hardcoded, should use env) | ### Optional but Recommended | Variable | Purpose | Centralized | Backend Usage | | --------------- | ---------------- | ------------------ | ------------- | | DEV_BYPASS_AUTH | Skip auth in dev | ⚠ Partial | Chat only | | DEV_USER_ID | Dev test user | ✗ Hardcoded | Chat | | JWT_PUBLIC_KEY | Token validation | ✓ .env.development | Presi | ### Backend-Specific | Backend | Key Variables | Centralized | | -------------- | ------------------------------------- | ------------------ | | Chat | GOOGLE*GENAI_API_KEY, AZURE_OPENAI*\* | ✓ .env.development | | Picture | REPLICATE*API_TOKEN, S3*\* vars | ✓ .env.development | | Zitare | (None beyond base) | ✓ .env.development | | Presi | (None beyond base) | ✓ .env.development | | Manadeck | GOOGLE_GENAI_API_KEY | ✓ .env.development | | Mana-Core-Auth | JWT*\*, STRIPE*_, CREDITS\__ | ✓ .env.development | --- ## 10. IMPLEMENTATION CHECKLIST - [ ] Fix port conflict: Picture 3003 → 3005 - [ ] Fix port conflict: Nutriphi 3002 → 3006 - [ ] Add DEV_USER_ID to .env.development - [ ] Update Chat backend to use DEV_USER_ID from ConfigService - [ ] Standardize MANA_SERVICE_URL to MANA_CORE_AUTH_URL in Manadeck generate-env.mjs - [ ] Standardize MANACORE_AUTH_URL to MANA_CORE_AUTH_URL in Nutriphi generate-env.mjs - [ ] Create .env.example for Zitare backend - [ ] Create .env.example for Presi backend - [ ] Add validation schemas to Chat backend config - [ ] Add validation schemas to Picture backend config - [ ] Add validation schemas to Zitare backend config - [ ] Add validation schemas to Presi backend config - [ ] Move CORS origins from hardcoded arrays to environment variables (all backends) - [ ] Document port assignments in CLAUDE.md - [ ] Test all backends can run simultaneously with correct ports - [ ] Verify auth endpoint connectivity from each backend to mana-core-auth --- ## AUDIT DETAILS **Files Reviewed:** - .env.development (202 lines) - scripts/generate-env.mjs (433 lines) - 6 backends app.module.ts files - 5 backends main.ts files - 3 .env.example files (Chat, Picture, Manadeck) - 1 mana-core-auth main.ts - Various configuration schemas and guards **Total Files Analyzed:** 25+ **Lines of Code Reviewed:** 2,000+ **Issues Identified:** 8 critical/major issues **Port Conflicts Found:** 2 (affecting 3 backends)