npm - @openpalm/lib - Versions diffs - 0.10.1 → 0.11.0-beta.1 - Mend

@openpalm/lib 0.10.1 → 0.11.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

package/README.md +2 -2
package/package.json +7 -3
package/src/control-plane/admin-token.ts +73 -0
package/src/control-plane/akm-vault.test.ts +108 -0
package/src/control-plane/akm-vault.ts +307 -0
package/src/control-plane/audit.ts +3 -2
package/src/control-plane/channels.ts +3 -3
package/src/control-plane/cleanup-guardrails.test.ts +8 -9
package/src/control-plane/compose-args.test.ts +25 -21
package/src/control-plane/config-persistence.ts +103 -64
package/src/control-plane/core-assets.test.ts +104 -0
package/src/control-plane/core-assets.ts +54 -57
package/src/control-plane/docker.ts +55 -21
package/src/control-plane/env.test.ts +25 -1
package/src/control-plane/env.ts +80 -0
package/src/control-plane/home.ts +66 -69
package/src/control-plane/host-opencode.test.ts +263 -0
package/src/control-plane/host-opencode.ts +229 -0
package/src/control-plane/install-edge-cases.test.ts +182 -244
package/src/control-plane/install-lock.ts +157 -0
package/src/control-plane/lifecycle.ts +57 -56
package/src/control-plane/markdown-task.ts +200 -0
package/src/control-plane/paths.ts +75 -0
package/src/control-plane/provider-config.ts +2 -2
package/src/control-plane/provider-models.ts +154 -0
package/src/control-plane/registry-components.test.ts +102 -25
package/src/control-plane/registry.test.ts +49 -47
package/src/control-plane/registry.ts +71 -50
package/src/control-plane/rollback.ts +17 -16
package/src/control-plane/scheduler.ts +75 -262
package/src/control-plane/secret-backend.test.ts +98 -108
package/src/control-plane/secret-backend.ts +221 -181
package/src/control-plane/secret-mappings.ts +3 -6
package/src/control-plane/secrets.ts +83 -47
package/src/control-plane/setup-config.schema.json +2 -14
package/src/control-plane/setup-status.ts +4 -29
package/src/control-plane/setup-validation.ts +21 -21
package/src/control-plane/setup.test.ts +122 -227
package/src/control-plane/setup.ts +224 -125
package/src/control-plane/skeleton-guardrail.test.ts +151 -0
package/src/control-plane/spec-to-env.test.ts +59 -58
package/src/control-plane/spec-to-env.ts +39 -140
package/src/control-plane/spec-validator.ts +2 -99
package/src/control-plane/stack-spec.test.ts +21 -77
package/src/control-plane/stack-spec.ts +7 -83
package/src/control-plane/types.ts +17 -15
package/src/control-plane/ui-assets.ts +349 -0
package/src/control-plane/validate.ts +44 -79
package/src/index.ts +77 -44
package/src/logger.test.ts +228 -0
package/src/logger.ts +71 -1
package/src/provider-constants.ts +22 -1
package/src/control-plane/env-schema-validation.test.ts +0 -118
package/src/control-plane/memory-config.ts +0 -298
package/src/control-plane/redact-schema.ts +0 -50

package/src/control-plane/install-edge-cases.test.ts CHANGED Viewed

@@ -22,6 +22,7 @@ import { isSetupComplete } from "./setup-status.js";
 import {
   performSetup,
   buildSecretsFromSetup,
+  buildAuthJsonFromSetup,
   buildSystemSecretsFromSetup,
 } from "./setup.js";
 import type { SetupSpec, SetupConnection } from "./setup.js";
@@ -33,18 +34,8 @@ import { STACK_SPEC_FILENAME, readStackSpec } from "./stack-spec.js";
 function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
   return {
     version: 2,
-    capabilities: {
-      llm: "openai/gpt-4o",
-      embeddings: {
-        provider: "openai",
-        model: "text-embedding-3-small",
-        dims: 1536,
-      },
-      memory: {
-        userId: "test_user",
-        customInstructions: "",
-      },
-    },
+    llm: { provider: "openai", model: "gpt-4o", baseUrl: "https://api.openai.com/v1" },
+    embedding: { provider: "openai", model: "text-embedding-3-small", dims: 1536, baseUrl: "https://api.openai.com/v1" },
     security: { adminToken: "test-admin-token-12345" },
     owner: { name: "Test User", email: "test@example.com" },
     connections: [
@@ -62,28 +53,26 @@ function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
 /** Seed the minimal asset files that ensure* functions expect to find at OP_HOME. */
 function seedRequiredAssets(homeDir: string): void {
-  mkdirSync(join(homeDir, "stack"), { recursive: true });
-  writeFileSync(join(homeDir, "stack", "core.compose.yml"), "services:\n  assistant:\n    image: assistant:latest\n");
-  mkdirSync(join(homeDir, "data", "assistant"), { recursive: true });
-  writeFileSync(join(homeDir, "data", "assistant", "opencode.jsonc"), '{"$schema":"https://opencode.ai/config.json"}\n');
-  writeFileSync(join(homeDir, "data", "assistant", "AGENTS.md"), "# Agents\n");
-  mkdirSync(join(homeDir, "vault", "user"), { recursive: true });
-  writeFileSync(join(homeDir, "vault", "user", "user.env.schema"), "ADMIN_TOKEN=string\n");
-  mkdirSync(join(homeDir, "vault", "stack"), { recursive: true });
-  writeFileSync(join(homeDir, "vault", "stack", "stack.env.schema"), "OP_IMAGE_TAG=string\n");
-  mkdirSync(join(homeDir, "config", "automations"), { recursive: true });
-  writeFileSync(join(homeDir, "config", "automations", "cleanup-logs.yml"), "name: cleanup-logs\nschedule: daily\n");
-  writeFileSync(join(homeDir, "config", "automations", "cleanup-data.yml"), "name: cleanup-data\nschedule: weekly\n");
-  writeFileSync(join(homeDir, "config", "automations", "validate-config.yml"), "name: validate-config\nschedule: hourly\n");
+  mkdirSync(join(homeDir, "config", "stack"), { recursive: true });
+  writeFileSync(join(homeDir, "config", "stack", "core.compose.yml"), "services:\n  assistant:\n    image: assistant:latest\n");
+  mkdirSync(join(homeDir, "state", "assistant"), { recursive: true });
+  writeFileSync(join(homeDir, "state", "assistant", "opencode.jsonc"), '{"$schema":"https://opencode.ai/config.json"}\n');
+  writeFileSync(join(homeDir, "state", "assistant", "AGENTS.md"), "# Agents\n");
+  mkdirSync(join(homeDir, "state"), { recursive: true });
+  // Automations live in state/registry/automations (shipped catalog) and stash/tasks (user tasks)
+  mkdirSync(join(homeDir, "state", "registry", "automations"), { recursive: true });
+  writeFileSync(join(homeDir, "state", "registry", "automations", "cleanup-logs.md"), "---\nschedule: \"0 4 * * 0\"\ndescription: cleanup logs\n---\n");
+  writeFileSync(join(homeDir, "state", "registry", "automations", "cleanup-data.md"), "---\nschedule: \"0 5 * * 0\"\ndescription: cleanup data\n---\n");
+  writeFileSync(join(homeDir, "state", "registry", "automations", "validate-config.md"), "---\nschedule: \"0 3 * * *\"\ndescription: validate config\n---\n");
 }
 // ── Shared test fixture ──────────────────────────────────────────────────
 let homeDir: string;
 let configDir: string;
-let vaultDir: string;
-let dataDir: string;
-let logsDir: string;
+let stateDir: string;
+let stackDir: string;
+let cacheDir: string;
 const savedEnv: Record<string, string | undefined> = {};
@@ -100,31 +89,36 @@ function restoreEnv(): void {
 function createFullDirTree(): void {
   homeDir = mkdtempSync(join(tmpdir(), "openpalm-edge-"));
   configDir = join(homeDir, "config");
-  vaultDir = join(homeDir, "vault");
-  dataDir = join(homeDir, "data");
-  logsDir = join(homeDir, "logs");
+  stateDir = join(homeDir, "state");
+  stackDir = join(configDir, "stack");
+  cacheDir = join(homeDir, "cache");
   for (const dir of [
     homeDir,
     configDir,
-    join(configDir, "automations"),
-    join(configDir, "channels"),
+    join(homeDir, "state", "registry", "automations"),
     join(configDir, "assistant"),
-    join(configDir, "stash"),
-    join(homeDir, "stack"),
-    join(homeDir, "stack", "addons"),
-    vaultDir,
-    dataDir,
-    join(dataDir, "admin"),
-    join(dataDir, "memory"),
-    join(dataDir, "assistant"),
-    join(dataDir, "guardian"),
-    join(dataDir, "automations"),
-    join(dataDir, "opencode"),
-    join(dataDir, "stash"),
-    join(dataDir, "workspace"),
-    logsDir,
-    join(logsDir, "opencode"),
+    join(configDir, "akm"),
+    join(homeDir, "stash"),
+    join(homeDir, "workspace"),
+    stackDir,
+    join(stackDir, "addons"),
+    stateDir,
+    join(stateDir, "assistant"),
+    join(stateDir, "admin"),
+    join(stateDir, "guardian"),
+    join(stateDir, "logs"),
+    join(stateDir, "logs", "opencode"),
+    join(stateDir, "registry"),
+    join(stateDir, "registry", "addons"),
+    join(stateDir, "backups"),
+    join(stateDir, "akm"),
+    join(stateDir, "akm", "data"),
+    join(stateDir, "akm", "state"),
+    cacheDir,
+    join(cacheDir, "akm"),
+    join(cacheDir, "guardian"),
+    join(cacheDir, "rollback"),
   ]) {
     mkdirSync(dir, { recursive: true });
   }
@@ -133,27 +127,16 @@ function createFullDirTree(): void {
   seedRequiredAssets(homeDir);
 }
-/** Seed the minimal user.env and stack.env needed for most tests. */
+/** Seed the minimal stack.env needed for most tests. */
 function seedMinimalEnvFiles(): void {
-  mkdirSync(join(vaultDir, "user"), { recursive: true });
-  mkdirSync(join(vaultDir, "stack"), { recursive: true });
-  writeFileSync(
-    join(vaultDir, "user", "user.env"),
-    [
-      "# OpenPalm — User Extensions",
-      "# Add any custom environment variables here.",
-      "# These are loaded by compose alongside stack.env.",
-      "",
-    ].join("\n")
-  );
+  mkdirSync(stackDir, { recursive: true });
   writeFileSync(
-    join(vaultDir, "stack", "stack.env"),
+    join(stackDir, "stack.env"),
     [
       "# OpenPalm — Stack Configuration",
-      "OP_ADMIN_TOKEN=",
+      "OP_UI_TOKEN=",
       "OP_ASSISTANT_TOKEN=",
-      "OP_MEMORY_TOKEN=",
       "OPENAI_API_KEY=",
       "OPENAI_BASE_URL=",
       "ANTHROPIC_API_KEY=",
@@ -184,51 +167,42 @@ describe("Fresh Install", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
-  // Scenario 1: ensureSecrets creates user.env as placeholder and stack.env with required keys
-  it("ensureSecrets creates user.env as placeholder and stack.env with required keys when files do not exist", () => {
+  // Scenario 1: ensureSecrets does NOT seed user.env (see akm-vault) but
+  // does create stack.env with required keys when files do not exist.
+  it("ensureSecrets creates state/stack.env with required keys on fresh install", () => {
     const state: ControlPlaneState = {
       adminToken: "",
       assistantToken: "",
-      setupToken: "",
       homeDir,
       configDir,
-      vaultDir,
-      dataDir,
-      logsDir,
-      cacheDir: join(homeDir, "cache"),
+      stashDir: join(homeDir, "stash"),
+      workspaceDir: join(homeDir, "workspace"),
+      cacheDir,
+      stateDir,
+      stackDir,
       services: {},
       artifacts: { compose: "" },
       artifactMeta: [],
       audit: [],
     };
-    // No user.env exists yet
-    expect(existsSync(join(vaultDir, "user", "user.env"))).toBe(false);
     ensureSecrets(state);
-    // user.env is now a minimal placeholder
-    const userContent = readFileSync(join(vaultDir, "user", "user.env"), "utf-8");
-    expect(userContent).toContain("User Extensions");
-    // API keys and owner info are seeded in stack.env
-    const stackContent = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
+    // API keys and owner info are seeded in state/stack.env.
+    const stackContent = readFileSync(join(stackDir, "stack.env"), "utf-8");
     expect(stackContent).toContain("OPENAI_API_KEY=");
     expect(stackContent).toContain("OWNER_NAME=");
   });
   // Scenario 2: isSetupComplete returns false before setup
   it("isSetupComplete returns false when stack.env has OP_SETUP_COMPLETE=false", () => {
-    mkdirSync(join(vaultDir, "stack"), { recursive: true });
-    mkdirSync(join(vaultDir, "user"), { recursive: true });
+    mkdirSync(stateDir, { recursive: true });
     writeFileSync(
-      join(vaultDir, "stack", "stack.env"),
+      join(stackDir, "stack.env"),
       "OP_SETUP_COMPLETE=false\n"
     );
-    // Empty user.env so fallback check doesn't trigger
-    writeFileSync(join(vaultDir, "user", "user.env"), "");
-    expect(isSetupComplete(vaultDir)).toBe(false);
+    expect(isSetupComplete(stackDir)).toBe(false);
   });
   // Scenario 3: performSetup succeeds from completely empty state
@@ -242,15 +216,21 @@ describe("Fresh Install", () => {
     expect(result.ok).toBe(true);
   });
-  // Scenario 4: performSetup marks setup complete in vault/stack/stack.env
-  it("performSetup marks OP_SETUP_COMPLETE=true in vault stack.env", async () => {
+  // Scenario 4: performSetup must NOT mark OP_SETUP_COMPLETE.
+  //
+  // The flag is set by setup-deploy.ts:startDeploy AFTER the Docker stack is
+  // confirmed healthy. If performSetup wrote it eagerly, a deploy failure
+  // would leave the wizard convinced setup was complete and bounce the user
+  // into a broken admin UI.
+  it("performSetup does NOT mark OP_SETUP_COMPLETE (deploy owns that flag)", async () => {
     seedMinimalEnvFiles();
     await performSetup(makeValidSpec());
-    const stackEnv = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
+    const stackEnv = readFileSync(join(stackDir, "stack.env"), "utf-8");
     const parsed = parseEnvContent(stackEnv);
-    expect(parsed.OP_SETUP_COMPLETE).toBe("true");
+    // Either entirely absent, or still the seeded "false" — never "true".
+    expect(parsed.OP_SETUP_COMPLETE === undefined || parsed.OP_SETUP_COMPLETE === "false").toBe(true);
   });
 });
@@ -270,23 +250,21 @@ describe("Existing Install", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
-  // Scenario 5: ensureSecrets does NOT overwrite existing user.env
-  it("ensureSecrets does not overwrite existing user.env", () => {
-    const customContent =
-      "export OP_ADMIN_TOKEN=my-custom-token\nexport OP_MEMORY_TOKEN=custom-auth-token\n";
-    mkdirSync(join(vaultDir, "user"), { recursive: true });
-    writeFileSync(join(vaultDir, "user", "user.env"), customContent);
+  // Scenario 5: ensureSecrets does NOT overwrite existing stack.env
+  it("ensureSecrets does not overwrite existing stack.env tokens", () => {
+    mkdirSync(stateDir, { recursive: true });
+    writeFileSync(join(stackDir, "stack.env"), "OP_UI_TOKEN=my-custom-token\nOP_ASSISTANT_TOKEN=existing-token\n");
     const state: ControlPlaneState = {
       adminToken: "",
       assistantToken: "",
-      setupToken: "",
       homeDir,
       configDir,
-      vaultDir,
-      dataDir,
-      logsDir,
-      cacheDir: join(homeDir, "cache"),
+      stashDir: join(homeDir, "stash"),
+      workspaceDir: join(homeDir, "workspace"),
+      cacheDir,
+      stateDir,
+      stackDir,
       services: {},
       artifacts: { compose: "" },
       artifactMeta: [],
@@ -295,21 +273,23 @@ describe("Existing Install", () => {
     ensureSecrets(state);
-    const afterContent = readFileSync(join(vaultDir, "user", "user.env"), "utf-8");
-    expect(afterContent).toBe(customContent);
+    // Existing tokens must be preserved
+    const afterContent = readFileSync(join(stackDir, "stack.env"), "utf-8");
+    expect(afterContent).toContain("OP_UI_TOKEN=my-custom-token");
+    expect(afterContent).toContain("OP_ASSISTANT_TOKEN=existing-token");
   });
-  // Scenario 6: performSetup re-run preserves OP_MEMORY_TOKEN
-  it("performSetup re-run preserves OP_MEMORY_TOKEN from first run", async () => {
+  // Scenario 6: performSetup re-run preserves OP_ASSISTANT_TOKEN
+  it("performSetup re-run preserves OP_ASSISTANT_TOKEN from first run", async () => {
     // First setup
     await performSetup(makeValidSpec());
     const secretsAfterFirst = readFileSync(
-      join(vaultDir, "stack", "stack.env"),
+      join(stackDir, "stack.env"),
       "utf-8"
     );
     const firstMatch = secretsAfterFirst.match(
-      /OP_MEMORY_TOKEN=([a-f0-9]+)/
+      /OP_ASSISTANT_TOKEN=([a-f0-9]+)/
     );
     expect(firstMatch).not.toBeNull();
     const firstToken = firstMatch![1];
@@ -330,53 +310,41 @@ describe("Existing Install", () => {
     );
     const secretsAfterSecond = readFileSync(
-      join(vaultDir, "stack", "stack.env"),
+      join(stackDir, "stack.env"),
       "utf-8"
     );
     const secondMatch = secretsAfterSecond.match(
-      /OP_MEMORY_TOKEN=([a-f0-9]+)/
+      /OP_ASSISTANT_TOKEN=([a-f0-9]+)/
     );
     expect(secondMatch).not.toBeNull();
-    // OP_MEMORY_TOKEN should be preserved (buildSystemSecretsFromSetup does not overwrite it)
+    // OP_ASSISTANT_TOKEN should be preserved across setups
     expect(secondMatch![1]).toBe(firstToken);
   });
-  // Scenario 7: performSetup marks OP_SETUP_COMPLETE=true in vault/stack/stack.env
-  it("performSetup marks OP_SETUP_COMPLETE=true in vault stack.env", async () => {
+  // Scenario 7: performSetup must NOT mark OP_SETUP_COMPLETE — see scenario
+  // 4 in the Fresh Install block for the rationale. The deploy phase owns
+  // this flag and only writes it after the container stack is healthy.
+  it("performSetup does NOT mark OP_SETUP_COMPLETE (deploy owns that flag)", async () => {
     await performSetup(makeValidSpec());
     const stackEnv = readFileSync(
-      join(vaultDir, "stack", "stack.env"),
+      join(stackDir, "stack.env"),
       "utf-8"
     );
     const parsed = parseEnvContent(stackEnv);
-    expect(parsed.OP_SETUP_COMPLETE).toBe("true");
+    expect(parsed.OP_SETUP_COMPLETE === undefined || parsed.OP_SETUP_COMPLETE === "false").toBe(true);
   });
-  // Scenario 8: Re-setup with different provider updates stack.yml capabilities
-  it("re-setup with different provider updates capabilities in stack.yml", async () => {
+  // Scenario 8: Re-setup with different provider updates akm config
+  it("re-setup with different provider updates akm config", async () => {
     // First setup with OpenAI
     await performSetup(makeValidSpec());
-    const specAfterFirst = readStackSpec(configDir);
-    expect(specAfterFirst).not.toBeNull();
-    expect(specAfterFirst!.capabilities.llm).toContain("openai/");
     // Second setup with Groq
     await performSetup(
       makeValidSpec({
-        capabilities: {
-          llm: "groq/llama3-70b-8192",
-          embeddings: {
-            provider: "groq",
-            model: "text-embedding-3-small",
-            dims: 1536,
-          },
-          memory: {
-            userId: "test_user",
-            customInstructions: "",
-          },
-        },
+        llm: { provider: "groq", model: "llama3-70b-8192", baseUrl: "https://api.groq.com/openai/v1" },
+        embedding: { provider: "groq", model: "text-embedding-3-small", dims: 1536, baseUrl: "https://api.groq.com/openai/v1" },
         connections: [
           {
             id: "groq-main",
@@ -389,12 +357,13 @@ describe("Existing Install", () => {
       })
     );
-    const specAfterSecond = readStackSpec(configDir);
+    // stack.yml is just a version marker now
+    const specAfterSecond = readStackSpec(stackDir);
     expect(specAfterSecond).not.toBeNull();
-    expect(specAfterSecond!.capabilities.llm).toBe("groq/llama3-70b-8192");
+    expect(specAfterSecond!.version).toBe(2);
     // stack.env should retain both keys
-    const secrets = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
+    const secrets = readFileSync(join(stackDir, "stack.env"), "utf-8");
     expect(secrets).toContain("GROQ_API_KEY");
   });
 });
@@ -414,21 +383,21 @@ describe("Broken/Corrupt State", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
-  // Scenario 9: user.env exists but is empty
-  it("ensureSecrets returns early for an empty but existing user.env", () => {
-    mkdirSync(join(vaultDir, "user"), { recursive: true });
-    writeFileSync(join(vaultDir, "user", "user.env"), "");
+  // Scenario 9: ensureSecrets is idempotent on repeated calls
+  it("ensureSecrets is idempotent — second call does not overwrite existing stack.env", () => {
+    mkdirSync(stateDir, { recursive: true });
+    writeFileSync(join(stackDir, "stack.env"), "OP_UI_TOKEN=existing-token\nOP_ASSISTANT_TOKEN=existing-assistant\n");
     const state: ControlPlaneState = {
       adminToken: "",
       assistantToken: "",
-      setupToken: "",
       homeDir,
       configDir,
-      vaultDir,
-      dataDir,
-      logsDir,
-      cacheDir: join(homeDir, "cache"),
+      stashDir: join(homeDir, "stash"),
+      workspaceDir: join(homeDir, "workspace"),
+      cacheDir,
+      stateDir,
+      stackDir,
       services: {},
       artifacts: { compose: "" },
       artifactMeta: [],
@@ -437,12 +406,13 @@ describe("Broken/Corrupt State", () => {
     ensureSecrets(state);
-    // File should still exist and still be empty (ensureSecrets only checks existence)
-    const content = readFileSync(join(vaultDir, "user", "user.env"), "utf-8");
-    expect(content).toBe("");
+    // Existing tokens must be preserved
+    const content = readFileSync(join(stackDir, "stack.env"), "utf-8");
+    expect(content).toContain("OP_UI_TOKEN=existing-token");
+    expect(content).toContain("OP_ASSISTANT_TOKEN=existing-assistant");
   });
-  // Scenario 10: user.env with malformed lines
+  // Scenario 10: env file with malformed lines
   it("parseEnvFile handles malformed env lines gracefully", () => {
     const malformedContent = [
       "# Comment line",
@@ -456,10 +426,10 @@ describe("Broken/Corrupt State", () => {
       "  # indented comment",
     ].join("\n");
-    mkdirSync(join(vaultDir, "user"), { recursive: true });
-    writeFileSync(join(vaultDir, "user", "user.env"), malformedContent);
+    mkdirSync(stateDir, { recursive: true });
+    writeFileSync(join(stateDir, "test.env"), malformedContent);
-    const parsed = parseEnvFile(join(vaultDir, "user", "user.env"));
+    const parsed = parseEnvFile(join(stateDir, "test.env"));
     expect(parsed.VALID_KEY).toBe("valid_value");
     expect(parsed.EXPORTED_KEY).toBe("exported_value");
     expect(parsed.ANOTHER_VALID).toBe("value");
@@ -468,30 +438,23 @@ describe("Broken/Corrupt State", () => {
   // Scenario 11: stack.env missing OP_SETUP_COMPLETE
   it("isSetupComplete falls back to token check when OP_SETUP_COMPLETE missing", () => {
     // stack.env without OP_SETUP_COMPLETE
-    mkdirSync(join(vaultDir, "stack"), { recursive: true });
-    mkdirSync(join(vaultDir, "user"), { recursive: true });
+    mkdirSync(stateDir, { recursive: true });
     writeFileSync(
-      join(vaultDir, "stack", "stack.env"),
+      join(stackDir, "stack.env"),
       "OP_IMAGE_TAG=latest\n"
     );
-    // user.env without any token
-    writeFileSync(
-      join(vaultDir, "user", "user.env"),
-      "export OP_ADMIN_TOKEN=\nexport ADMIN_TOKEN=\n"
-    );
-    expect(isSetupComplete(vaultDir)).toBe(false);
+    expect(isSetupComplete(stackDir)).toBe(false);
   });
   it("isSetupComplete falls back to true when admin token is set but OP_SETUP_COMPLETE missing", () => {
-    mkdirSync(join(vaultDir, "stack"), { recursive: true });
+    mkdirSync(stateDir, { recursive: true });
     writeFileSync(
-      join(vaultDir, "stack", "stack.env"),
-      "OP_IMAGE_TAG=latest\nexport OP_ADMIN_TOKEN=my-real-token\n"
+      join(stackDir, "stack.env"),
+      "OP_IMAGE_TAG=latest\nexport OP_UI_TOKEN=my-real-token\n"
     );
-    expect(isSetupComplete(vaultDir)).toBe(true);
+    expect(isSetupComplete(stackDir)).toBe(true);
   });
   // Scenario 12: API key with special characters round-trips
@@ -512,39 +475,39 @@ describe("Broken/Corrupt State", () => {
   // Scenario 13: Missing stack.yml returns null
   it("readStackSpec returns null when stack.yml missing", () => {
-    const spec = readStackSpec(configDir);
+    const spec = readStackSpec(stackDir);
     expect(spec).toBeNull();
   });
-  // Scenario 14: config dir exists but automations dir doesn't
+  // Scenario 14: stash/tasks dir missing (performSetup should recreate it via ensureHomeDirs)
   it("performSetup creates missing subdirectories", async () => {
     // Seed the minimal env files first
     seedMinimalEnvFiles();
-    // Remove automations dir (performSetup should recreate it)
-    rmSync(join(configDir, "automations"), { recursive: true, force: true });
+    // Remove stash/tasks dir (performSetup should recreate it via ensureHomeDirs)
+    rmSync(join(homeDir, "stash", "tasks"), { recursive: true, force: true });
     const result = await performSetup(
       makeValidSpec()
     );
     expect(result.ok).toBe(true);
-    // Artifacts should exist in stack/ (not config/components/)
-    expect(existsSync(join(homeDir, "stack", "core.compose.yml"))).toBe(
+    // Artifacts should exist in config/stack/
+    expect(existsSync(join(homeDir, "config", "stack", "core.compose.yml"))).toBe(
       true
     );
-    // Automations dir should be recreated
-    expect(existsSync(join(configDir, "automations"))).toBe(true);
+    // stash/tasks dir should be recreated by ensureHomeDirs
+    expect(existsSync(join(homeDir, "stash", "tasks"))).toBe(true);
   });
   // Scenario 15: openpalm.yaml with old version
   it("readStackSpec returns null for version 1 spec", () => {
     writeFileSync(
-      join(configDir, STACK_SPEC_FILENAME),
+      join(stackDir, STACK_SPEC_FILENAME),
       "version: 1\nconnections: []\n"
     );
-    const spec = readStackSpec(configDir);
+    const spec = readStackSpec(stackDir);
     expect(spec).toBeNull();
   });
 });
@@ -564,15 +527,15 @@ describe("Environment Edge Cases", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
-  // Scenario 16: Commented-out ADMIN_TOKEN but OP_ADMIN_TOKEN set
-  it("isSetupComplete detects OP_ADMIN_TOKEN when ADMIN_TOKEN is commented out", () => {
-    mkdirSync(join(vaultDir, "stack"), { recursive: true });
+  // Scenario 16: Commented-out ADMIN_TOKEN but OP_UI_TOKEN set
+  it("isSetupComplete detects OP_UI_TOKEN when ADMIN_TOKEN is commented out", () => {
+    mkdirSync(stateDir, { recursive: true });
     writeFileSync(
-      join(vaultDir, "stack", "stack.env"),
-      "SOME_OTHER_KEY=value\nexport OP_ADMIN_TOKEN=real-token-here\n"
+      join(stackDir, "stack.env"),
+      "SOME_OTHER_KEY=value\nexport OP_UI_TOKEN=real-token-here\n"
     );
-    expect(isSetupComplete(vaultDir)).toBe(true);
+    expect(isSetupComplete(stackDir)).toBe(true);
   });
   // Scenario 17: export prefix on env vars
@@ -628,21 +591,11 @@ describe("Setup Input Variations", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
-  // Scenario 20: Ollama in-stack setup
-  it("Ollama in-stack setup overrides localhost URL to docker-internal", async () => {
+  // Scenario 20: Ollama setup
+  it("Ollama setup writes akm config with ollama provider", async () => {
     const input = makeValidSpec({
-      capabilities: {
-        llm: "ollama/llama3.2",
-        embeddings: {
-          provider: "ollama",
-          model: "nomic-embed-text",
-          dims: 768,
-        },
-        memory: {
-          userId: "test_user",
-          customInstructions: "",
-        },
-      },
+      llm: { provider: "ollama", model: "llama3.2", baseUrl: "http://localhost:11434/v1" },
+      embedding: { provider: "ollama", model: "nomic-embed-text", dims: 768, baseUrl: "http://localhost:11434/v1" },
       connections: [
         {
           id: "ollama-local",
@@ -657,23 +610,22 @@ describe("Setup Input Variations", () => {
     const result = await performSetup(input);
     expect(result.ok).toBe(true);
-    // stack.yml should have ollama capabilities
-    const spec = readStackSpec(configDir);
+    const spec = readStackSpec(stackDir);
     expect(spec).not.toBeNull();
-    expect(spec!.capabilities.llm).toBe("ollama/llama3.2");
+    expect(spec!.version).toBe(2);
   });
   // Scenario 21: Multiple providers map to correct env vars
-  it("multiple providers each write their API key to the correct env var", () => {
+  it("multiple providers each write their API key into auth.json keyed by providerId", () => {
     const conns: SetupConnection[] = [
       { id: "openai-1", name: "OpenAI", provider: "openai", baseUrl: "", apiKey: "sk-openai" },
       { id: "groq-1", name: "Groq", provider: "groq", baseUrl: "", apiKey: "gsk-groq" },
       { id: "anthropic-1", name: "Anthropic", provider: "anthropic", baseUrl: "", apiKey: "sk-ant-api03" },
     ];
-    const secrets = buildSecretsFromSetup(conns);
-    expect(secrets.OPENAI_API_KEY).toBe("sk-openai");
-    expect(secrets.GROQ_API_KEY).toBe("gsk-groq");
-    expect(secrets.ANTHROPIC_API_KEY).toBe("sk-ant-api03");
+    const keys = buildAuthJsonFromSetup(conns);
+    expect(keys.openai).toBe("sk-openai");
+    expect(keys.groq).toBe("gsk-groq");
+    expect(keys.anthropic).toBe("sk-ant-api03");
   });
   // Scenario 21b: OAuth providers (no API key) are silently skipped
@@ -682,19 +634,22 @@ describe("Setup Input Variations", () => {
       { id: "github-copilot", name: "GitHub Copilot", provider: "github-copilot", baseUrl: "", apiKey: "" },
       { id: "openai-1", name: "OpenAI", provider: "openai", baseUrl: "", apiKey: "sk-test" },
     ];
-    const secrets = buildSecretsFromSetup(conns);
-    expect(secrets.OPENAI_API_KEY).toBe("sk-test");
-    expect(Object.keys(secrets)).not.toContain("GITHUB_COPILOT_API_KEY");
+    const keys = buildAuthJsonFromSetup(conns);
+    expect(keys.openai).toBe("sk-test");
+    expect(keys["github-copilot"]).toBeUndefined();
   });
-  // Scenario 22: buildSecretsFromSetup only writes API keys and owner info
-  it("buildSecretsFromSetup writes API keys but not config vars", () => {
+  // Scenario 22: buildSecretsFromSetup writes non-credential vars only;
+  // API keys flow into auth.json via buildAuthJsonFromSetup.
+  it("buildSecretsFromSetup does not write API keys; buildAuthJsonFromSetup does", () => {
     const spec = makeValidSpec();
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
+    const keys = buildAuthJsonFromSetup(spec.connections);
-    // API key should be written
-    expect(secrets.OPENAI_API_KEY).toBe("sk-test-key-123");
-    // Config vars should NOT be in user.env anymore
+    // API keys go to auth.json, not stack.env
+    expect(secrets.OPENAI_API_KEY).toBeUndefined();
+    expect(keys.openai).toBe("sk-test-key-123");
+    // Config vars (capability resolution) are not in stack.env user-secrets either
     expect(secrets.SYSTEM_LLM_PROVIDER).toBeUndefined();
     expect(secrets.SYSTEM_LLM_MODEL).toBeUndefined();
     expect(secrets.EMBEDDING_MODEL).toBeUndefined();
@@ -721,69 +676,52 @@ describe("performSetup end-to-end artifacts", () => {
   it("writes stack.yml and readStackSpec returns v2", async () => {
     await performSetup(makeValidSpec());
-    const spec = readStackSpec(configDir);
+    const spec = readStackSpec(stackDir);
     expect(spec).not.toBeNull();
     expect(spec!.version).toBe(2);
-    expect(spec!.capabilities.llm).toBe("openai/gpt-4o");
-    expect(spec!.capabilities.embeddings.model).toBe("text-embedding-3-small");
   });
-  it("writes OP_CAP_EMBEDDINGS_DIMS with correct embedding dims from lookup", async () => {
+  it("writes akm config with embedding dims from setup spec", async () => {
     const input = makeValidSpec({
-      capabilities: {
-        llm: "ollama/llama3.2",
-        embeddings: {
-          provider: "ollama",
-          model: "nomic-embed-text",
-          dims: 0, // Resolved from lookup
-        },
-        memory: {
-          userId: "test_user",
-          customInstructions: "",
-        },
-      },
+      llm: { provider: "ollama", model: "llama3.2", baseUrl: "http://localhost:11434/v1" },
+      embedding: { provider: "ollama", model: "nomic-embed-text", dims: 768, baseUrl: "http://localhost:11434/v1" },
       connections: [
-        {
-          id: "ollama-1",
-          name: "Ollama",
-          provider: "ollama",
-          baseUrl: "http://localhost:11434",
-          apiKey: "",
-        },
+        { id: "ollama-1", name: "Ollama", provider: "ollama", baseUrl: "http://localhost:11434", apiKey: "" },
       ],
     });
     await performSetup(input);
-    // nomic-embed-text is 768 dims per EMBEDDING_DIMS constant — verify via stack.env
-    const stackEnvContent = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
-    expect(stackEnvContent).toContain("OP_CAP_EMBEDDINGS_DIMS=768");
+    const akmConfigPath = join(homeDir, "config", "akm", "config.json");
+    const config = JSON.parse(readFileSync(akmConfigPath, "utf-8"));
+    expect(config.embedding.dimension).toBe(768);
   });
   it("writes core.compose.yml to stack/", async () => {
     await performSetup(makeValidSpec());
     expect(
-      existsSync(join(homeDir, "stack", "core.compose.yml"))
+      existsSync(join(homeDir, "config", "stack", "core.compose.yml"))
     ).toBe(true);
   });
   it("writes admin and assistant tokens to stack.env", async () => {
     await performSetup(makeValidSpec());
-    const secrets = parseEnvFile(join(vaultDir, "stack", "stack.env"));
-    expect(secrets.OP_ADMIN_TOKEN).toBe("test-admin-token-12345");
+    const secrets = parseEnvFile(join(stackDir, "stack.env"));
+    expect(secrets.OP_UI_TOKEN).toBe("test-admin-token-12345");
     expect(typeof secrets.OP_ASSISTANT_TOKEN).toBe("string");
     expect(secrets.OP_ASSISTANT_TOKEN).not.toBe("test-admin-token-12345");
   });
-  it("writes OP_CAP_* vars from capabilities to stack.env", async () => {
+  it("writes akm config with llm provider and model", async () => {
     await performSetup(makeValidSpec());
-    const stackEnv = parseEnvFile(join(vaultDir, "stack", "stack.env"));
-    expect(stackEnv.OP_CAP_LLM_PROVIDER).toBe("openai");
-    expect(stackEnv.OP_CAP_LLM_MODEL).toBe("gpt-4o");
-    expect(stackEnv.OP_CAP_EMBEDDINGS_MODEL).toBe("text-embedding-3-small");
+    const akmConfigPath = join(homeDir, "config", "akm", "config.json");
+    const config = JSON.parse(readFileSync(akmConfigPath, "utf-8"));
+    expect(config.llm.provider).toBe("openai");
+    expect(config.llm.model).toBe("gpt-4o");
+    expect(config.embedding.model).toBe("text-embedding-3-small");
   });
 });