@openpalm/lib 0.10.2 → 0.11.0-beta.2

package/src/control-plane/secrets.ts

@@ -1,8 +1,9 @@
 /** Secrets and capability key management. */
-import { mkdirSync, writeFileSync, readFileSync, existsSync, chmodSync, lstatSync, rmSync } from "node:fs";
+import { mkdirSync, writeFileSync, readFileSync, existsSync, chmodSync, lstatSync, rmSync, renameSync } from "node:fs";
 import { randomBytes } from "node:crypto";
 import { createLogger } from "../logger.js";
 import { parseEnvFile, mergeEnvContent } from './env.js';
+import { migrateAuth0110 } from './migrate-0110.js';
 import type { ControlPlaneState } from "./types.js";
 import { resolveConfigDir } from "./home.js";
 
@@ -54,18 +55,17 @@ function mergeVaultEnvFile(path: string, updates: Record<string, string>, uncomm
 }
 
 function ensureSystemSecrets(state: ControlPlaneState): void {
-  const systemEnvPath = `${state.vaultDir}/stack/stack.env`;
+  const systemEnvPath = `${state.stackDir}/stack.env`;
   const existing = existsSync(systemEnvPath) ? parseEnvFile(systemEnvPath) : {};
   const updates: Record<string, string> = {};
 
-  if (!existing.OP_ADMIN_TOKEN && state.adminToken) {
-    updates.OP_ADMIN_TOKEN = state.adminToken;
-  }
-  if (!existing.OP_ASSISTANT_TOKEN) {
-    updates.OP_ASSISTANT_TOKEN = randomBytes(32).toString("hex");
-  }
-  if (!existing.OP_MEMORY_TOKEN) {
-    updates.OP_MEMORY_TOKEN = randomBytes(32).toString("hex");
+  // OP_UI_LOGIN_PASSWORD seeds the operator login secret. ensureSecrets
+  // generates a random fallback the first time so the stack is never
+  // installed with an empty password slot; the wizard / CLI install path
+  // overwrites it with the operator's chosen value via
+  // buildSystemSecretsFromSetup().
+  if (!existing.OP_UI_LOGIN_PASSWORD) {
+    updates.OP_UI_LOGIN_PASSWORD = randomBytes(32).toString("hex");
   }
 
   if (!existsSync(systemEnvPath)) {
@@ -74,11 +74,9 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
       "# All secrets and configuration live here. Advanced users may edit directly.",
       "",
       "# ── Authentication ──────────────────────────────────────────────────",
-      "OP_ADMIN_TOKEN=",
-      "OP_ASSISTANT_TOKEN=",
+      "OP_UI_LOGIN_PASSWORD=",
       "",
       "# ── Service Auth ─────────────────────────────────────────────────────",
-      "OP_MEMORY_TOKEN=",
       "OP_OPENCODE_PASSWORD=",
       "",
       "# ── Provider API Keys ────────────────────────────────────────────────",
@@ -88,7 +86,6 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
       "GROQ_API_KEY=",
       "MISTRAL_API_KEY=",
       "GOOGLE_API_KEY=",
-      "OPENVIKING_API_KEY=",
       "MCP_API_KEY=",
       "EMBEDDING_API_KEY=",
       "LMSTUDIO_API_KEY=",
@@ -107,37 +104,25 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
 }
 
 export function ensureSecrets(state: ControlPlaneState): void {
-  enforceVaultDirMode(state.vaultDir);
-  mkdirSync(`${state.vaultDir}/stack`, { recursive: true, mode: VAULT_DIR_MODE });
-  mkdirSync(`${state.vaultDir}/user`, { recursive: true, mode: VAULT_DIR_MODE });
-
-  // user.env is an empty placeholder — users can add custom vars here.
-  // All standard config lives in stack.env.
-  const userEnvPath = `${state.vaultDir}/user/user.env`;
-  if (!existsSync(userEnvPath)) {
-    writeVaultFile(userEnvPath, [
-      "# OpenPalm — User Extensions",
-      "# Add any custom environment variables here.",
-      "# These are loaded by compose alongside stack.env.",
-      "",
-    ].join("\n"));
-  } else {
-    try { chmodSync(userEnvPath, VAULT_FILE_MODE); } catch { /* best-effort */ }
-  }
+  enforceVaultDirMode(state.stackDir);
+
+  // Migrate pre-0.11.0 installs (OP_UI_TOKEN/OP_ASSISTANT_TOKEN → OP_UI_LOGIN_PASSWORD)
+  // before any code path that reads OP_UI_LOGIN_PASSWORD sees an empty value.
+  migrateAuth0110(state);
 
   ensureSystemSecrets(state);
-  ensureGuardianEnv(state.vaultDir);
-  ensureAuthJson(state.vaultDir);
+  ensureGuardianEnv(state.stackDir);
+  ensureAuthJson(state.configDir);
 }
 
 /**
- * Ensure vault/stack/guardian.env exists.
+ * Ensure config/stack/guardian.env exists.
  * Channel HMAC secrets (CHANNEL_<NAME>_SECRET) live here exclusively.
  * This file is loaded by the guardian as an env_file and via GUARDIAN_SECRETS_PATH.
  */
-function ensureGuardianEnv(vaultDir: string): void {
-  const guardianEnvPath = `${vaultDir}/stack/guardian.env`;
-  mkdirSync(`${vaultDir}/stack`, { recursive: true, mode: VAULT_DIR_MODE });
+function ensureGuardianEnv(stackDir: string): void {
+  const guardianEnvPath = `${stackDir}/guardian.env`;
+  mkdirSync(stackDir, { recursive: true, mode: VAULT_DIR_MODE });
   if (!existsSync(guardianEnvPath)) {
     writeVaultFile(guardianEnvPath, [
       "# Guardian channel HMAC secrets — managed by openpalm",
@@ -149,9 +134,9 @@ function ensureGuardianEnv(vaultDir: string): void {
   }
 }
 
-function ensureAuthJson(vaultDir: string): void {
-  const authJsonPath = `${vaultDir}/stack/auth.json`;
-  mkdirSync(`${vaultDir}/stack`, { recursive: true, mode: VAULT_DIR_MODE });
+function ensureAuthJson(configDir: string): void {
+  const authJsonPath = `${configDir}/auth.json`;
+  mkdirSync(configDir, { recursive: true, mode: VAULT_DIR_MODE });
 
   if (existsSync(authJsonPath)) {
     try {
@@ -177,25 +162,82 @@ export function updateSecretsEnv(
   state: ControlPlaneState,
   updates: Record<string, string>
 ): void {
-  const stackEnvPath = `${state.vaultDir}/stack/stack.env`;
+  const stackEnvPath = `${state.stackDir}/stack.env`;
   if (!existsSync(stackEnvPath)) {
-    throw new Error("vault/stack/stack.env does not exist — run setup first");
+    throw new Error("config/stack/stack.env does not exist — run setup first");
   }
 
   mergeVaultEnvFile(stackEnvPath, updates, true);
 }
 
-/** Read and parse vault/stack/stack.env. Returns {} if the file does not exist. */
-export function readStackEnv(vaultDir: string): Record<string, string> {
-  return parseEnvFile(`${vaultDir}/stack/stack.env`);
+/**
+ * Merge-write provider API keys into OpenCode's auth.json at
+ * `${configDir}/auth.json`. Each entry uses OpenCode's schema for
+ * api-key auth: `{ <providerId>: { type: "api", key: "..." } }`.
+ *
+ * This file is bind-mounted into the assistant container so the chat
+ * assistant picks up new credentials on its next OpenCode restart —
+ * see core.compose.yml.
+ *
+ * Existing entries (OAuth tokens, other providers) are preserved.
+ * Empty values DELETE the corresponding entry.
+ */
+export function writeAuthJsonProviderKeys(
+  state: ControlPlaneState,
+  providerKeys: Record<string, string>
+): void {
+  if (Object.keys(providerKeys).length === 0) return;
+
+  const authJsonPath = `${state.configDir}/auth.json`;
+  mkdirSync(state.configDir, { recursive: true, mode: VAULT_DIR_MODE });
+
+  let current: Record<string, unknown> = {};
+  if (existsSync(authJsonPath)) {
+    try {
+      const raw = readFileSync(authJsonPath, "utf-8").trim();
+      if (raw && raw !== "{}") current = JSON.parse(raw) as Record<string, unknown>;
+    } catch {
+      // Corrupt auth.json — rename it so the operator can recover, then start fresh.
+      const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
+      const corruptPath = `${authJsonPath}.corrupt-${timestamp}`;
+      try {
+        renameSync(authJsonPath, corruptPath);
+        logger.warn("corrupt auth.json renamed for recovery", {
+          original: authJsonPath,
+          renamed: corruptPath,
+        });
+      } catch (renameErr) {
+        logger.warn("could not rename corrupt auth.json; starting fresh", {
+          path: authJsonPath,
+          error: renameErr instanceof Error ? renameErr.message : String(renameErr),
+        });
+      }
+      current = {};
+    }
+  }
+
+  for (const [providerId, key] of Object.entries(providerKeys)) {
+    if (key) {
+      current[providerId] = { type: "api", key };
+    } else {
+      delete current[providerId];
+    }
+  }
+
+  writeVaultFile(authJsonPath, JSON.stringify(current, null, 2) + "\n");
+}
+
+/** Read and parse config/stack/stack.env. Returns {} if the file does not exist. */
+export function readStackEnv(stackDir: string): Record<string, string> {
+  return parseEnvFile(`${stackDir}/stack.env`);
 }
 
 export function updateSystemSecretsEnv(
   state: ControlPlaneState,
   updates: Record<string, string>
 ): void {
-  const systemEnvPath = `${state.vaultDir}/stack/stack.env`;
-  enforceVaultDirMode(state.vaultDir);
+  const systemEnvPath = `${state.stackDir}/stack.env`;
+  enforceVaultDirMode(state.stackDir);
   if (!existsSync(systemEnvPath)) {
     ensureSystemSecrets(state);
   }
@@ -203,14 +245,14 @@ export function updateSystemSecretsEnv(
 }
 
 export function patchSecretsEnvFile(
-  vaultDir: string,
+  stackDir: string,
   patches: Record<string, string>
 ): void {
   if (Object.keys(patches).length === 0) return;
 
-  const stackEnvPath = `${vaultDir}/stack/stack.env`;
-  enforceVaultDirMode(vaultDir);
-  mkdirSync(`${vaultDir}/stack`, { recursive: true, mode: VAULT_DIR_MODE });
+  const stackEnvPath = `${stackDir}/stack.env`;
+  enforceVaultDirMode(stackDir);
+  mkdirSync(stackDir, { recursive: true, mode: VAULT_DIR_MODE });
 
   let existingContent = "";
   try {

package/src/control-plane/setup-config.schema.json

@@ -30,12 +30,12 @@
     "security": {
       "type": "object",
       "description": "Security settings for the instance.",
-      "required": ["adminToken"],
+      "required": ["uiLoginPassword"],
       "additionalProperties": false,
       "properties": {
-        "adminToken": {
+        "uiLoginPassword": {
           "type": "string",
-          "description": "Admin API authentication token. Used to authenticate CLI and admin UI requests.",
+          "description": "Operator login password for the OpenPalm UI. Persisted to stack.env as OP_UI_LOGIN_PASSWORD; the UI's op_session cookie value is compared against it on every authenticated request.",
           "minLength": 8
         }
       }
@@ -51,18 +51,6 @@
     "assignments": {
       "$ref": "#/$defs/SetupConfigAssignments"
     },
-    "memory": {
-      "type": "object",
-      "description": "Optional memory subsystem configuration.",
-      "additionalProperties": false,
-      "properties": {
-        "userId": {
-          "type": "string",
-          "pattern": "^[A-Za-z0-9_]+$",
-          "description": "User ID for the memory service. Alphanumeric and underscores only. Defaults to 'default_user' if omitted."
-        }
-      }
-    },
     "channels": {
       "type": "object",
       "description": "Optional channel configurations. Keys are channel identifiers (e.g. 'chat', 'discord', 'api'). Values can be a boolean to enable (true) or skip (false) installation, or a credential object.",
@@ -162,13 +150,13 @@
             },
             "smallModel": {
               "type": "string",
-              "description": "Optional smaller/faster model for lightweight tasks (e.g. memory extraction)."
+              "description": "Optional smaller/faster model for lightweight akm operations."
             }
           }
         },
         "embeddings": {
           "type": "object",
-          "description": "Embedding model assignment for the memory subsystem.",
+          "description": "Embedding model assignment for akm and semantic operations.",
           "required": ["capabilityId", "model"],
           "additionalProperties": false,
           "properties": {

package/src/control-plane/setup-status.ts

@@ -1,38 +1,18 @@
-import { userInfo } from "node:os";
 import { parseEnvFile } from './env.js';
 
-export function readSecretsKeys(vaultDir: string): Record<string, boolean> {
-  // System scope wins on overlap because vault/stack/stack.env is the
-  // authoritative source for system-managed credentials and flags.
-  const parsed = {
-    ...parseEnvFile(`${vaultDir}/user/user.env`),
-    ...parseEnvFile(`${vaultDir}/stack/stack.env`),
-  };
-  const result: Record<string, boolean> = {};
-  for (const [key, value] of Object.entries(parsed)) {
-    result[key] = value.length > 0;
-  }
-  return result;
-}
-
-export function detectUserId(): string {
-  const envUser = process.env.USER ?? process.env.LOGNAME ?? "";
-  if (envUser) return envUser;
-  try {
-    return userInfo().username || "default_user";
-  } catch {
-    return "default_user";
-  }
-}
-
 /**
- * Check if setup is complete by reading vault/stack/stack.env.
+ * Check if setup is complete by reading config/stack/stack.env.
+ *
+ * Phase 4 of the auth/proxy refactor replaced the legacy `OP_UI_TOKEN`
+ * sentinel with `OP_UI_LOGIN_PASSWORD`. The presence of a non-empty value
+ * implies the operator (or the install wizard) has seeded the login
+ * secret; `OP_SETUP_COMPLETE=true` is still authoritative when present.
  */
-export function isSetupComplete(vaultDir: string): boolean {
-  const parsed = parseEnvFile(`${vaultDir}/stack/stack.env`);
+export function isSetupComplete(stackDir: string): boolean {
+  const parsed = parseEnvFile(`${stackDir}/stack.env`);
   if ("OP_SETUP_COMPLETE" in parsed) {
     return parsed.OP_SETUP_COMPLETE.toLowerCase() === "true";
   }
 
-  return (parsed.OP_ADMIN_TOKEN ?? "").length > 0;
+  return (parsed.OP_UI_LOGIN_PASSWORD ?? "").length > 0;
 }

package/src/control-plane/setup-validation.ts

@@ -1,6 +1,5 @@
 /**
  * Validation logic for SetupSpec inputs.
- * Extracted from setup.ts to reduce per-file complexity.
  */
 
 const CAPABILITY_ID_RE = /^[A-Za-z0-9][A-Za-z0-9_-]*$/;
@@ -20,10 +19,12 @@ export function validateSetupSpec(input: unknown): { valid: boolean; errors: str
   const body = requireObj(input, "Input must be a non-null object", errors);
   if (!body) return { valid: false, errors };
 
+  if (body.version !== 2) errors.push("version must be 2");
   validateSecurity(body, errors);
   validateOwner(body, errors);
   validateConnectionsArray(body.connections, errors);
-  validateSpecCapabilities(body, errors);
+  validateLlm(body, errors);
+  validateEmbedding(body, errors);
   if (body.channelCredentials !== undefined && (typeof body.channelCredentials !== "object" || body.channelCredentials === null)) {
     errors.push("channelCredentials must be an object if provided");
   }
@@ -33,35 +34,34 @@ export function validateSetupSpec(input: unknown): { valid: boolean; errors: str
 function validateSecurity(body: Record<string, unknown>, errors: string[]): void {
   const security = requireObj(body.security, "security object is required", errors);
   if (!security) return;
-  if (!requireStr(security, "adminToken", "security.adminToken is required and must be a non-empty string", errors)) return;
-  if ((security.adminToken as string).length < 8) errors.push("security.adminToken must be at least 8 characters");
+  if (!requireStr(security, "uiLoginPassword", "security.uiLoginPassword is required and must be a non-empty string", errors)) return;
+  if ((security.uiLoginPassword as string).length < 8) errors.push("security.uiLoginPassword must be at least 8 characters");
 }
 
 function validateOwner(body: Record<string, unknown>, errors: string[]): void {
   const owner = body.owner as Record<string, unknown> | undefined;
-  if (!owner) return; // owner is optional
+  if (!owner) return;
   if (owner.name !== undefined && typeof owner.name !== "string") errors.push("owner.name must be a string");
   if (owner.email !== undefined && typeof owner.email !== "string") errors.push("owner.email must be a string");
 }
 
-function validateSpecCapabilities(body: Record<string, unknown>, errors: string[]): void {
-  if (body.version !== 2) errors.push("version must be 2");
-  const caps = requireObj(body.capabilities, "capabilities is required", errors);
-  if (!caps) return;
-  requireStr(caps, "llm", "capabilities.llm is required (format: 'provider/model')", errors);
-  const emb = requireObj(caps.embeddings, "capabilities.embeddings is required", errors);
-  if (emb) {
-    requireStr(emb, "provider", "capabilities.embeddings.provider is required", errors);
-    requireStr(emb, "model", "capabilities.embeddings.model is required", errors);
-    if (emb.dims !== undefined && emb.dims !== 0 && (typeof emb.dims !== "number" || !Number.isInteger(emb.dims) || emb.dims < 1)) {
-      errors.push("capabilities.embeddings.dims must be a positive integer or 0 (auto-resolve)");
-    }
-  }
-  const mem = requireObj(caps.memory, "capabilities.memory is required", errors);
-  if (!mem) return;
-  if (mem.userId !== undefined && typeof mem.userId !== "string") errors.push("capabilities.memory.userId must be a string if provided");
-  if (typeof mem.userId === "string" && mem.userId && !/^[A-Za-z0-9_]+$/.test(mem.userId)) {
-    errors.push("capabilities.memory.userId contains invalid characters (alphanumeric and underscores only)");
+function validateLlm(body: Record<string, unknown>, errors: string[]): void {
+  if (body.llm === undefined) return;
+  const llm = requireObj(body.llm, "llm must be an object if provided", errors);
+  if (!llm) return;
+  requireStr(llm, "provider", "llm.provider is required", errors);
+  requireStr(llm, "model", "llm.model is required", errors);
+  if (llm.baseUrl !== undefined && typeof llm.baseUrl !== "string") errors.push("llm.baseUrl must be a string");
+}
+
+function validateEmbedding(body: Record<string, unknown>, errors: string[]): void {
+  if (body.embedding === undefined) return;
+  const emb = requireObj(body.embedding, "embedding must be an object if provided", errors);
+  if (!emb) return;
+  requireStr(emb, "provider", "embedding.provider is required", errors);
+  requireStr(emb, "model", "embedding.model is required", errors);
+  if (emb.dims !== undefined && (typeof emb.dims !== "number" || !Number.isInteger(emb.dims) || emb.dims < 1)) {
+    errors.push("embedding.dims must be a positive integer");
   }
 }