mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-26 23:17:42 +02:00
9a3025fed8
Phase 1 of the Mission Key-Grant rollout. Webapp can now request a
wrapped per-mission data key; mana-ai can unwrap and (Phase 2) use it.
mana-auth:
- POST /api/v1/me/ai-mission-grant — HKDF-derives MDK from the user
master key, RSA-OAEP-2048-wraps with the mana-ai public key, returns
{ wrappedKey, derivation, issuedAt, expiresAt }
- MissionGrantService refuses zero-knowledge users (409 ZK_ACTIVE) and
returns 503 GRANT_NOT_CONFIGURED when MANA_AI_PUBLIC_KEY_PEM is unset
- TTL clamped to [1h, 30d]
mana-ai:
- configureMissionGrantKey + unwrapMissionGrant with structured failure
reasons (not-configured / expired / malformed / wrap-rejected)
- mana_ai.decrypt_audit table + RLS policy scoped to
app.current_user_id — append-only row per server-side decrypt attempt
- MANA_AI_PRIVATE_KEY_PEM env slot; absent = grants silently disabled
No existing behaviour changes: missions without a grant run exactly as
before. Grant flow is wired end-to-end but unused until Phase 2 lands
the encrypted resolver.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
57 lines
2.1 KiB
TypeScript
57 lines
2.1 KiB
TypeScript
/**
|
|
* Env-driven config for the mana-ai service.
|
|
*
|
|
* Only references the secrets/URLs the tick loop needs. Auth is
|
|
* service-to-service via MANA_SERVICE_KEY (same pattern as mana-credits,
|
|
* mana-user); no end-user JWTs reach this service.
|
|
*/
|
|
|
|
export interface Config {
|
|
port: number;
|
|
/** mana_sync DB — source of Mission rows (via sync_changes replay). */
|
|
syncDatabaseUrl: string;
|
|
/** mana-llm HTTP endpoint (OpenAI-compatible). */
|
|
manaLlmUrl: string;
|
|
/** Shared key for service-to-service calls. */
|
|
serviceKey: string;
|
|
/** How often the background tick scans for due Missions, in ms. */
|
|
tickIntervalMs: number;
|
|
/** Flip to false to boot the HTTP surface without the background tick
|
|
* — useful for local smoke-tests + Docker image build verification. */
|
|
tickEnabled: boolean;
|
|
/**
|
|
* PEM-encoded RSA-OAEP-2048 private key for unwrapping Mission Grants.
|
|
* Paired with the public key pinned in mana-auth's config. Provision
|
|
* via Docker secret / out-of-band env; never commit.
|
|
*
|
|
* Optional at boot so the service can start without grant support
|
|
* (development, legacy deployments). When absent, Missions that
|
|
* carry a Grant are skipped with state='grant-missing'.
|
|
*
|
|
* Generate with:
|
|
* openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out priv.pem
|
|
* openssl pkey -in priv.pem -pubout -out pub.pem
|
|
*/
|
|
missionGrantPrivateKeyPem?: string;
|
|
}
|
|
|
|
function requireEnv(key: string, fallback?: string): string {
|
|
const value = process.env[key] ?? fallback;
|
|
if (!value) throw new Error(`Missing required env var: ${key}`);
|
|
return value;
|
|
}
|
|
|
|
export function loadConfig(): Config {
|
|
return {
|
|
port: parseInt(process.env.PORT ?? '3066', 10),
|
|
syncDatabaseUrl: requireEnv(
|
|
'SYNC_DATABASE_URL',
|
|
'postgresql://mana:devpassword@localhost:5432/mana_sync'
|
|
),
|
|
manaLlmUrl: requireEnv('MANA_LLM_URL', 'http://localhost:3020'),
|
|
serviceKey: requireEnv('MANA_SERVICE_KEY', 'dev-service-key'),
|
|
tickIntervalMs: parseInt(process.env.TICK_INTERVAL_MS ?? '60000', 10),
|
|
tickEnabled: process.env.TICK_ENABLED !== 'false',
|
|
missionGrantPrivateKeyPem: process.env.MANA_AI_PRIVATE_KEY_PEM || undefined,
|
|
};
|
|
}
|