mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-14 20:01:09 +02:00
142a65a22f
Five documentation surfaces gained encryption awareness in this
sweep. Before this commit, the only place anyone could learn about
the at-rest encryption layer or the zero-knowledge opt-in was the
internal DATA_LAYER_AUDIT.md. New contributors and self-hosters
would never discover one of the most important features of the
product just by reading the standard onboarding docs.
apps/docs/src/content/docs/architecture/security.mdx (NEW)
----------------------------------------------------------
First-class user-facing security page in the Starlight site,
slotted into the Architecture sidebar between Authentication and
Backend.
Sections:
- What's encrypted (overview table of 27 modules + the
intentional plaintext carve-outs)
- Standard mode flow with ASCII diagram
- "What Mana CAN see" trust statements per mode
- Zero-knowledge mode setup walkthrough (Steps component)
- Unlock flow on a new device
- Recovery code rotation
- Deployment requirements (the loud MANA_AUTH_KEK warning)
- Audit trail action vocabulary
- Threat model summary table
- Implementation file references with paths
services/mana-auth/CLAUDE.md
----------------------------
New "Encryption Vault" section under Key Endpoints, listing all 7
routes (status, init, key, rotate, recovery-wrap GET+DELETE,
zero-knowledge) with their HTTP method, path, error codes, and a
description. Mentions the three CHECK constraints + RLS + audit
table. Points readers at DATA_LAYER_AUDIT.md and the new
security.mdx for the deep dive.
Environment Variables block gains MANA_AUTH_KEK with a multi-line
comment explaining the openssl rand command + dev fallback warning.
apps/mana/CLAUDE.md
-------------------
Full rewrite. The existing file was from the Supabase era and
described things like @supabase/ssr, safeGetSession(), and a
five-table schema with users + organizations + teams that doesn't
exist any more. Replaced with the unified-app architecture:
- Module system layout (collections.ts / queries.ts / stores/)
- Mana Auth (Better Auth + EdDSA JWT) instead of Supabase
- Local-first data layer with the full pipeline diagram
- At-rest encryption section with the "when writing module code
that touches sensitive fields" 4-step guide
- Updated routing structure (no more separate /organizations,
/teams routes)
- Module store pattern code example
- Reference document table at the bottom pointing at the audit,
the new security.mdx, and the auth doc
Root CLAUDE.md
--------------
New "At-Rest Encryption (Phase 1–9)" subsection under the
Local-First Architecture section. Two-mode trust summary table,
production requirement for MANA_AUTH_KEK with the openssl command,
the "when writing module code" 4-step guide, and a reference
table. New contributors reading the root CLAUDE.md from top to
bottom now hit encryption naturally as part of the data layer
discussion.
.env.macmini.example
--------------------
MANA_AUTH_KEK was missing from the production env example
entirely — the macmini deployment would silently boot on the
32-zero-byte dev fallback if you copied this file. Added with a
multi-paragraph comment covering: how to generate, why it's
required, how to store securely (Docker secrets / KMS / Vault),
and the rotation caveat.
apps/docs/src/content/docs/deployment/self-hosting.mdx
------------------------------------------------------
Two changes:
1. Added MANA_AUTH_KEK to the mana-auth service block in the
Compose example with an inline comment pointing at the new
section below.
2. New "Encryption Vault Setup" H2 section with subsections:
- Generating a KEK (with a fake example value labelled DO NOT
USE — generate your own)
- Securing the KEK (Docker secrets, KMS, systemd
LoadCredential, anti-patterns)
- "What if I lose the KEK?" — explains the data is
unrecoverable by design and mitigation via zero-knowledge
mode opt-in
- KEK rotation — calls out the missing background re-wrap
job as a known limitation
apps/docs/astro.config.mjs
--------------------------
Added "Security & Encryption" entry to the Architecture sidebar
between Authentication and Backend so the new page is reachable
from the docs nav.
Astro check: 0 errors, 0 warnings, 0 hints across 4 .astro files.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
71 lines
2.7 KiB
Text
71 lines
2.7 KiB
Text
# Mac Mini Production Environment
|
|
# Copy to .env.macmini and fill in the values
|
|
|
|
# ============================================
|
|
# Compose project name (pinned, do not change)
|
|
# ============================================
|
|
# All Mac Mini containers were originally created under this project
|
|
# name, which mismatches the current directory name (mana-monorepo).
|
|
# Pinning the project name here means anyone running 'docker compose ...'
|
|
# from the repo root automatically lands in the same project as the
|
|
# already-running containers, instead of silently spawning a duplicate
|
|
# project with the same compose file. Removing this line WILL break
|
|
# the next deployment.
|
|
COMPOSE_PROJECT_NAME=manacore-monorepo
|
|
|
|
# ============================================
|
|
# Database (PostgreSQL)
|
|
# ============================================
|
|
POSTGRES_PASSWORD=your-secure-password-here
|
|
|
|
# ============================================
|
|
# Redis
|
|
# ============================================
|
|
REDIS_PASSWORD=your-redis-password-here
|
|
|
|
# ============================================
|
|
# JWT Keys (generate with: openssl rand -base64 32)
|
|
# For EdDSA keys, use mana-auth key generation
|
|
# ============================================
|
|
JWT_SECRET=your-jwt-secret-here
|
|
# Leave empty to use auto-generated keys
|
|
JWT_PUBLIC_KEY=
|
|
JWT_PRIVATE_KEY=
|
|
|
|
# ============================================
|
|
# Encryption Vault Key Encryption Key (KEK) — REQUIRED
|
|
# ============================================
|
|
# Wraps every user's master key in auth.encryption_vaults.
|
|
# Generate with: openssl rand -base64 32
|
|
#
|
|
# Without a real value, mana-auth boots with a 32-zero-byte fallback
|
|
# and prints a loud warning every startup. Production must set this.
|
|
# Treat it like a database root password — store as a Docker secret,
|
|
# KMS-injected env var, or Vault-served value.
|
|
#
|
|
# Rotation requires planned downtime today (no background re-wrap job
|
|
# yet). The kek_id column on encryption_vaults is reserved for the
|
|
# future migration path.
|
|
MANA_AUTH_KEK=
|
|
|
|
# ============================================
|
|
# Supabase (optional, for legacy features)
|
|
# ============================================
|
|
SUPABASE_URL=
|
|
SUPABASE_SERVICE_ROLE_KEY=
|
|
|
|
# ============================================
|
|
# Azure OpenAI (for Chat AI features)
|
|
# ============================================
|
|
AZURE_OPENAI_ENDPOINT=https://your-resource.openai.azure.com/
|
|
AZURE_OPENAI_API_KEY=your-api-key-here
|
|
|
|
# ============================================
|
|
# Monitoring (Grafana)
|
|
# ============================================
|
|
GRAFANA_PASSWORD=your-grafana-admin-password
|
|
|
|
# ============================================
|
|
# Web Analytics (Umami)
|
|
# ============================================
|
|
UMAMI_APP_SECRET=your-umami-secret-here
|