docs(deploy): clarify MCP signing key is Mnemosyne-only
All checks were successful
CVE Scan & Docker Build / security-scan (push) Successful in 51s
CVE Scan & Docker Build / build-and-push (push) Successful in 2m32s

Update deployment documentation to reflect that the MCPSigningKey is
persisted in Mnemosyne's database and used directly for minting team
JWTs, rather than being shared with Daedalus via vault. Remove the
obsolete vault variable reference and document the key rotation
procedure.
2026-05-11 06:50:21 -04:00
parent 38274825d9
commit 8ddbcf4612


@@ -100,17 +100,22 @@ docker compose -f /srv/mnemosyne/docker-compose.yaml \
--username daedalus-service \ --username daedalus-service \
--password "{{ vault_mnemosyne_daedalus_service_password }}" --password "{{ vault_mnemosyne_daedalus_service_password }}"
# Seed the MCP signing key (for Phase 2 per-turn JWT auth) # Seed the MCPSigningKey used to sign long-lived Pallas team JWTs.
# --retire-other deactivates any previously-active key. # --retire-other deactivates any previously-active key. The hex
# Print the secret_hex and store in vault as vault_mnemosyne_signing_secret. # emitted to stdout is persisted in Mnemosyne's database and is
# not re-injected from the vault — no operator action required
# beyond running this command once per fresh deployment.
docker compose -f /srv/mnemosyne/docker-compose.yaml \ docker compose -f /srv/mnemosyne/docker-compose.yaml \
run --rm app \ run --rm app \
python manage.py seed_signing_key --kid daedalus-1 --retire-other python manage.py seed_signing_key --kid daedalus-1 --retire-other
``` ```
The `seed_signing_key` command prints the generated secret once to stdout — The `seed_signing_key` command prints the generated secret once to stdout — it
capture it and store in the vault. The Daedalus role reads this secret from the is safe to discard that output after the command succeeds. Mnemosyne persists
same vault variable to mint per-turn tokens (Phase 2). the active key inside ``MCPSigningKey`` and reads it directly when minting each
team JWT; Daedalus never sees this value. To rotate, re-run the command with
``--retire-other`` and then rotate every Pallas team JWT via the Daedalus admin
UI so consumers pick up bearers signed with the new key.
--- ---
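Review bot: The rotation procedure in the new prose ("re-run the command with --retire-other") is incomplete, because the only invocation shown in this hunk hard-codes `--kid daedalus-1`; an operator following the text verbatim would re-seed under the same key id, which either collides with the retired row or makes the old and new keys indistinguishable to anything that selects by kid. State explicitly that each rotation must use a fresh `--kid` (e.g. `--kid daedalus-2`) and that the kid is what consumers and the admin UI will see. Two further points in the same block: `--retire-other` deactivates the previous key at the moment the command runs, so every existing Pallas team JWT stops verifying until the "rotate every Pallas team JWT via the Daedalus admin UI" step completes; the doc should say this is a planned outage window rather than a zero-downtime rotation, or reorder the steps so the old key stays active until new bearers are issued. And since the hex is now "persisted in Mnemosyne's database and is not re-injected from the vault", the signing key's only copy lives in that database; add a sentence to the backup/restore section noting that losing the database (or restoring an older snapshot) silently invalidates all issued team JWTs and requires a reseed plus reissue, because the earlier text's "store in vault" instruction was the implicit backup and this hunk removes it without a replacement.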
@@ -372,4 +377,3 @@ will report as a failure.
| `vault_rabbitmq_password` | embedded in `CELERY_BROKER_URL` | | `vault_rabbitmq_password` | embedded in `CELERY_BROKER_URL` |
| `vault_mnemosyne_llm_encryption_key` | `LLM_API_SECRETS_ENCRYPTION_KEY` | | `vault_mnemosyne_llm_encryption_key` | `LLM_API_SECRETS_ENCRYPTION_KEY` |
| `vault_mnemosyne_daedalus_service_password` | passed to `ensure_service_user --password` | | `vault_mnemosyne_daedalus_service_password` | passed to `ensure_service_user --password` |
| `vault_mnemosyne_signing_secret` | (Phase 2) printed by `seed_signing_key`, stored here, consumed by Daedalus role |
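Review bot: Deleting the `vault_mnemosyne_signing_secret` row documents the variable as gone, but nothing in this change shows the corresponding removal from the vault file, the Mnemosyne role defaults, or the Daedalus role that the old row says consumed it; if any of those still reference the variable, a playbook run will fail on an undefined variable (or, worse, keep injecting a stale secret into Daedalus that no longer matches what Mnemosyne signs with). Either include those removals in this commit or add a note in the rotation/rollout text that the variable must be purged from existing vault files on upgrade. Minor: the remaining three rows still read as a complete inventory of vault-sourced settings, so consider a one-line remark below the table that the MCP signing key is intentionally absent because it is database-resident, so the next reader does not "fix" the omission by re-adding it.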