From 92a271ede9eb19349ba82acce2c7171df6bcb4e8 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Mon, 1 Dec 2025 08:35:06 -0600
Subject: [PATCH] Add MAS keys directory
---
 mas/mas-config.template.yaml | 2 ++
 start.sh | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/mas/mas-config.template.yaml b/mas/mas-config.template.yaml
index b6321d3..e0fdd5d 100644
--- a/mas/mas-config.template.yaml
+++ b/mas/mas-config.template.yaml
@@ -49,3 +49,5 @@ assets:
 manifest: "/app/pkg/mas/share/manifest.json"
 policy: "/app/pkg/mas/share/policy.wasm"
 translations: "/app/pkg/mas/share/translations"
+secrets:
+ keys_dir: "/app/data/configs/mas-keys"
diff --git a/start.sh b/start.sh
index d71709a..a51a55c 100755
--- a/start.sh
+++ b/start.sh
@@ -3,6 +3,7 @@ set -eu
 mkdir -p /app/data/data /app/data/configs /run/synapse
+mkdir -p "${MAS_KEYS_DIR}"
 source /app/code/env/bin/activate
@@ -12,6 +13,7 @@ MAS_SECRET_FILE=/app/data/configs/mas-client-secret
 MAS_CONFIG_TEMPLATE=/app/pkg/mas/mas-config.template.yaml
 MAS_CONFIG_OUTPUT=/app/data/configs/mas.yaml
 MAS_CLI_BIN=/app/pkg/mas/mas-cli
+MAS_KEYS_DIR=/app/data/configs/mas-keys
 MAS_OIDC_CLIENT_ID=${MAS_OIDC_CLIENT_ID:-synapse}
 MAS_OIDC_ISSUER=${MAS_OIDC_ISSUER:-https://${MAS_DOMAIN}}
 MAS_OIDC_AUTH_ENDPOINT=${MAS_OIDC_AUTH_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/authorize}
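Review bot: In mas/mas-config.template.yaml (hunk `@@ -49,3 +49,5 @@`) `keys_dir` is a literal path, while start.sh assigns and exports `MAS_KEYS_DIR` with the same value in its `@@ -12,6 +13,7 @@` and `@@ -19,7 +21,7 @@` hunks, so the directory the script creates and the one MAS reads can drift apart when either is edited. How the template is rendered into `MAS_CONFIG_OUTPUT` is not visible here; if the renderer substitutes environment variables, reference the variable instead of the literal, otherwise add a comment above the key such as `# must match MAS_KEYS_DIR in start.sh`. The top of the template lies outside this hunk, so it is also worth confirming that no `secrets:` mapping exists earlier in the file, since a second top-level `secrets:` key would be a duplicate.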
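Review bot: In start.sh the added `mkdir -p "${MAS_KEYS_DIR}"` (hunk `@@ -3,6 +3,7 @@`) runs before `MAS_KEYS_DIR=/app/data/configs/mas-keys` is assigned in the later `@@ -12,6 +13,7 @@` hunk, so with the `set -eu` visible in this hunk the script stops on an unbound variable at startup unless the container environment happens to define it. If the environment does define it, the mkdir uses that value and the unconditional assignment then replaces it, so the directory created and the directory configured can differ. Move the assignment above the first mkdir, or move the mkdir below the assignment. Because the directory is configured as the MAS `keys_dir` and presumably holds signing keys, create it owner-only instead of with the umask default, e.g. `install -d -m 0700 "${MAS_KEYS_DIR}"`. Which account runs MAS is not visible in these hunks, so ownership needs confirming.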
@@ -19,7 +21,7 @@ MAS_OIDC_TOKEN_ENDPOINT=${MAS_OIDC_TOKEN_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/tok
 MAS_OIDC_USERINFO_ENDPOINT=${MAS_OIDC_USERINFO_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/userinfo}
 MAS_OIDC_SCOPES=${MAS_OIDC_SCOPES:-"openid profile email"}
 export MAS_PORT MAS_DOMAIN MAS_CONFIG_TEMPLATE MAS_CONFIG_OUTPUT MAS_CLI_BIN
-export MAS_OIDC_CLIENT_ID MAS_OIDC_CLIENT_SECRET MAS_OIDC_ISSUER MAS_OIDC_AUTH_ENDPOINT MAS_OIDC_TOKEN_ENDPOINT MAS_OIDC_USERINFO_ENDPOINT MAS_OIDC_SCOPES
+export MAS_OIDC_CLIENT_ID MAS_OIDC_CLIENT_SECRET MAS_OIDC_ISSUER MAS_OIDC_AUTH_ENDPOINT MAS_OIDC_TOKEN_ENDPOINT MAS_OIDC_USERINFO_ENDPOINT MAS_OIDC_SCOPES MAS_KEYS_DIR
 # ensure we have a persistent MAS client secret for the Synapse OIDC client
 if [[ -f "${MAS_SECRET_FILE}" ]]; then