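# =============================================================================
# .env.secrets — Local secret overrides for development
# =============================================================================
#
# Copy this file to `.env.secrets` (gitignored) and fill in real values.
# Anything you set here overrides the matching key in `.env.development`
# during `pnpm setup:env` and gets propagated into every per-app .env that
# the generator writes. This is the persistent place to put dev secrets —
# unlike per-app `.env` files, which are wiped and regenerated on every
# `pnpm setup:env`.
#
# How to populate (one-shot from the prod machine):
#
#   pnpm setup:secrets
#
# That command SSHes to mana-server, greps the prod `.env` for the keys
# below, and writes them here. You can also paste values manually if you
# don't have SSH access — anything in this file overrides the defaults.
#
# IMPORTANT:
#   - This file is gitignored. Never commit real values.
#   - Only put SECRETS here. Non-secret config (URLs, ports, feature flags)
#     belongs in `.env.development` so the whole team shares the same setup.
#   - Empty values fall through to whatever `.env.development` defines.
#   - After `pnpm setup:secrets` this file holds PRODUCTION credentials on a
#     developer machine. Keep it readable by your user only
#     (`chmod 600 .env.secrets`) and keep it out of backups, screen shares
#     and pasted logs.
#   - The values are copied into every generated per-app `.env`, so those
#     files carry the same secrets: check that they are gitignored and not
#     baked into container images or build artifacts.
#   - Prefer a dev-scoped or separately issued key wherever the service can
#     issue one; pull the prod value only when a task needs it, and blank it
#     again afterwards.
#
# Format: one KEY=value per line, no spaces around `=`. Put comments on their
# own line — some dotenv parsers treat a trailing `# ...` as part of the value.
#
# -----------------------------------------------------------------------------
# mana-stt — Speech-to-Text proxy on the Windows GPU box
# Used by /api/v1/voice/transcribe in the mana-web app.
# Source of truth: services/mana-stt/.env on the GPU box (API_KEYS=…)
# -----------------------------------------------------------------------------
MANA_STT_API_KEY=

# -----------------------------------------------------------------------------
# mana-llm — LLM gateway. Only required when pointing at gpu-llm.mana.how
# (which enforces X-API-Key). The public llm.mana.how is open and needs
# no key — leave empty unless you've explicitly switched MANA_LLM_URL.
# -----------------------------------------------------------------------------
MANA_LLM_API_KEY=

# -----------------------------------------------------------------------------
# mana-auth — Master encryption key used to wrap user vault keys.
# Production: rotated via the mana-auth deploy. Local dev can leave empty
# (the auth service falls back to a fixed dev KEK in NODE_ENV=development).
#
# NOTE: this is the highest-impact value in the file. Whoever holds the prod
# KEK together with the wrapped vault keys can unwrap them, so leave this
# empty locally unless a task strictly requires the prod value.
# NOTE(review): the dev fallback KEK is a fixed value and protects nothing —
# confirm mana-auth refuses to start with an empty KEK when NODE_ENV is not
# `development`.
# -----------------------------------------------------------------------------
MANA_AUTH_KEK=

# -----------------------------------------------------------------------------
# Better Auth — session signing secret. Local dev defaults to "dev-secret-
# change-me" so the auth service starts cleanly; only override if you need
# tokens to verify against the prod issuer.
#
# NOTE: the dev default is a published string, so sessions signed with it are
# only trustworthy on a loopback-only dev instance. With the prod secret set
# here, sessions signed on this machine are presumably accepted by prod too —
# treat the machine as in scope for prod access while it is set.
# -----------------------------------------------------------------------------
BETTER_AUTH_SECRET=

# -----------------------------------------------------------------------------
# Sync engine — JWT signing key shared between mana-auth and mana-sync.
# Local dev defaults to a fixed dev key in .env.development.
#
# NOTE: same caveat as BETTER_AUTH_SECRET — the fixed dev key is for local
# use only, and a prod value here lets this machine sign JWTs mana-sync trusts.
# -----------------------------------------------------------------------------
MANA_SYNC_JWT_SECRET=

# -----------------------------------------------------------------------------
# Service-to-service auth — used by backends to call other Mana services
# without going through user JWTs. Required for some prod paths only.
#
# NOTE: this key bypasses per-user authorization by design; leave it empty
# unless you are working on one of those prod paths.
# -----------------------------------------------------------------------------
MANA_SERVICE_KEY=

# -----------------------------------------------------------------------------
# Object storage — MinIO credentials. Local dev uses minioadmin/minioadmin
# from `.env.development`; production uses real keys from this file.
#
# NOTE: minioadmin/minioadmin are MinIO's well-known defaults — keep the local
# MinIO instance bound to localhost / the dev network only.
# -----------------------------------------------------------------------------
MINIO_ACCESS_KEY=
MINIO_SECRET_KEY=

# -----------------------------------------------------------------------------
# Third-party APIs — only set when you actually need them locally
#
# NOTE: these keys are billed to the shared account; where the provider
# supports it, use a personal or dev-scoped key with a spend limit instead of
# the prod key.
# -----------------------------------------------------------------------------
OPENROUTER_API_KEY=
GOOGLE_GENAI_API_KEY=
GOOGLE_API_KEY=
GROQ_API_KEY=
TOGETHER_API_KEY=

# -----------------------------------------------------------------------------
# Sentry / GlitchTip DSNs — leave empty in dev unless you actively want
# local errors to land in the shared error tracker
# -----------------------------------------------------------------------------
GLITCHTIP_DSN_MANA_WEB=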