mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-14 21:41:09 +02:00
4fce6a3ede
Local dev secrets like MANA_STT_API_KEY had no persistent home — they lived only in the gitignored, generator-overwritten per-app .env files. Every `pnpm setup:env` wiped them, so devs had to re-paste keys after any env regeneration. Same recurring friction for MANA_LLM_API_KEY, MANA_AUTH_KEK, OAuth keys, etc. New layer: `.env.secrets` at the repo root. - Gitignored, optional, never required for the build to pass - Read by generate-env.mjs AFTER .env.development; non-empty values override the matching key, so the merged result drives every per-app .env the generator writes - Empty values fall through to the .env.development defaults — a freshly-copied .env.secrets.example is a no-op - One source of truth for all dev secrets, propagated to every app with one `pnpm setup:env` Files: - `.env.secrets.example` — committed template documenting all known secret keys (mana-stt, mana-llm, auth KEK, sync JWT, MinIO, third- party APIs). Devs `cp .env.secrets.example .env.secrets` and fill in. - `.gitignore` — ignores .env.secrets, allows .env.secrets.example - `scripts/generate-env.mjs` — loads .env.secrets if present, prints "Loaded N secrets from .env.secrets" so devs see the override taking effect - `scripts/setup-secrets.mjs` + `pnpm setup:secrets` — convenience script that SSHes to mana-server, greps the prod .env for the keys defined in .env.secrets.example, and writes them locally. Confirms before overwriting an existing .env.secrets unless --force is set; reports which keys couldn't be found on the remote so devs know what's left to fill manually - `docs/LOCAL_DEVELOPMENT.md` + `docs/ENVIRONMENT_VARIABLES.md` — walk-through and architecture diagram update Verified end-to-end: - `rm .env.secrets apps/mana/apps/web/.env && pnpm setup:env` → STT key empty (no regression for devs who haven't opted in) - `pnpm setup:secrets --force && pnpm setup:env` → STT key propagated, "Loaded 3 secrets from .env.secrets" in output - POST /api/v1/voice/transcribe with a real audio file → full transcript back via gpu-stt.mana.how, end-to-end working Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
87 lines
4.3 KiB
Text
87 lines
4.3 KiB
Text
# =============================================================================
|
|
# .env.secrets — Local secret overrides for development
|
|
# =============================================================================
|
|
#
|
|
# Copy this file to `.env.secrets` (gitignored) and fill in real values.
|
|
# Anything you set here overrides the matching key in `.env.development`
|
|
# during `pnpm setup:env` and gets propagated into every per-app .env that
|
|
# the generator writes. This is the persistent place to put dev secrets —
|
|
# unlike per-app `.env` files, which are wiped and regenerated on every
|
|
# `pnpm setup:env`.
|
|
#
|
|
# How to populate (one-shot from the prod machine):
|
|
#
|
|
# pnpm setup:secrets
|
|
#
|
|
# That command SSHes to mana-server, greps the prod `.env` for the keys
|
|
# below, and writes them here. You can also paste values manually if you
|
|
# don't have SSH access — anything in this file overrides the defaults.
|
|
#
|
|
# IMPORTANT:
|
|
# - This file is gitignored. Never commit real values.
|
|
# - Only put SECRETS here. Non-secret config (URLs, ports, feature flags)
|
|
# belongs in `.env.development` so the whole team shares the same setup.
|
|
# - Empty values fall through to whatever `.env.development` defines.
|
|
#
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# mana-stt — Speech-to-Text proxy on the Windows GPU box
|
|
# Used by /api/v1/voice/transcribe in the mana-web app.
|
|
# Source of truth: services/mana-stt/.env on the GPU box (API_KEYS=…)
|
|
# -----------------------------------------------------------------------------
|
|
MANA_STT_API_KEY=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# mana-llm — LLM gateway. Only required when pointing at gpu-llm.mana.how
|
|
# (which enforces X-API-Key). The public llm.mana.how is open and needs
|
|
# no key — leave empty unless you've explicitly switched MANA_LLM_URL.
|
|
# -----------------------------------------------------------------------------
|
|
MANA_LLM_API_KEY=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# mana-auth — Master encryption key used to wrap user vault keys.
|
|
# Production: rotated via the mana-auth deploy. Local dev can leave empty
|
|
# (the auth service falls back to a fixed dev KEK in NODE_ENV=development).
|
|
# -----------------------------------------------------------------------------
|
|
MANA_AUTH_KEK=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Better Auth — session signing secret. Local dev defaults to "dev-secret-
|
|
# change-me" so the auth service starts cleanly; only override if you need
|
|
# tokens to verify against the prod issuer.
|
|
# -----------------------------------------------------------------------------
|
|
BETTER_AUTH_SECRET=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Sync engine — JWT signing key shared between mana-auth and mana-sync.
|
|
# Local dev defaults to a fixed dev key in .env.development.
|
|
# -----------------------------------------------------------------------------
|
|
MANA_SYNC_JWT_SECRET=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Service-to-service auth — used by backends to call other Mana services
|
|
# without going through user JWTs. Required for some prod paths only.
|
|
# -----------------------------------------------------------------------------
|
|
MANA_SERVICE_KEY=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Object storage — MinIO credentials. Local dev uses minioadmin/minioadmin
|
|
# from `.env.development`; production uses real keys from this file.
|
|
# -----------------------------------------------------------------------------
|
|
MINIO_ACCESS_KEY=
|
|
MINIO_SECRET_KEY=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Third-party APIs — only set when you actually need them locally
|
|
# -----------------------------------------------------------------------------
|
|
OPENROUTER_API_KEY=
|
|
GOOGLE_GENAI_API_KEY=
|
|
GOOGLE_API_KEY=
|
|
GROQ_API_KEY=
|
|
TOGETHER_API_KEY=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Sentry / GlitchTip DSNs — leave empty in dev unless you actively want
|
|
# local errors to land in the shared error tracker
|
|
# -----------------------------------------------------------------------------
|
|
GLITCHTIP_DSN_MANA_WEB=
|