@openpalm/lib 0.10.2 → 0.11.0-beta.2

package/src/control-plane/setup.test.ts

@@ -5,31 +5,21 @@ import { join } from "node:path";
 import {
   validateSetupSpec,
   buildSecretsFromSetup,
+  buildAuthJsonFromSetup,
   buildSystemSecretsFromSetup,
   performSetup,
 } from "./setup.js";
 import type { SetupSpec, SetupConnection } from "./setup.js";
 import { STACK_SPEC_FILENAME, readStackSpec } from "./stack-spec.js";
-import type { StackSpec } from "./stack-spec.js";
 
 // ── Helpers ──────────────────────────────────────────────────────────────
 
 function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
   return {
     version: 2,
-    capabilities: {
-      llm: "openai/gpt-4o",
-      embeddings: {
-        provider: "openai",
-        model: "text-embedding-3-small",
-        dims: 1536,
-      },
-      memory: {
-        userId: "test_user",
-        customInstructions: "",
-      },
-    },
-    security: { adminToken: "test-admin-token-12345" },
+    llm: { provider: "openai", model: "gpt-4o", baseUrl: "https://api.openai.com/v1" },
+    embedding: { provider: "openai", model: "text-embedding-3-small", dims: 1536, baseUrl: "https://api.openai.com/v1" },
+    security: { uiLoginPassword: "test-admin-token-12345" },
     owner: { name: "Test User", email: "test@example.com" },
     connections: [
       {
@@ -46,19 +36,17 @@ function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
 
 /** Seed the minimal asset files that ensure* functions expect to find at OP_HOME. */
 function seedRequiredAssets(homeDir: string): void {
-  mkdirSync(join(homeDir, "stack"), { recursive: true });
-  writeFileSync(join(homeDir, "stack", "core.compose.yml"), "services:\n  assistant:\n    image: assistant:latest\n");
-  mkdirSync(join(homeDir, "data", "assistant"), { recursive: true });
-  writeFileSync(join(homeDir, "data", "assistant", "opencode.jsonc"), '{"$schema":"https://opencode.ai/config.json"}\n');
-  writeFileSync(join(homeDir, "data", "assistant", "AGENTS.md"), "# Agents\n");
-  mkdirSync(join(homeDir, "vault", "user"), { recursive: true });
-  writeFileSync(join(homeDir, "vault", "user", "user.env.schema"), "ADMIN_TOKEN=string\n");
-  mkdirSync(join(homeDir, "vault", "stack"), { recursive: true });
-  writeFileSync(join(homeDir, "vault", "stack", "stack.env.schema"), "OP_IMAGE_TAG=string\n");
-  mkdirSync(join(homeDir, "config", "automations"), { recursive: true });
-  writeFileSync(join(homeDir, "config", "automations", "cleanup-logs.yml"), "name: cleanup-logs\nschedule: daily\n");
-  writeFileSync(join(homeDir, "config", "automations", "cleanup-data.yml"), "name: cleanup-data\nschedule: weekly\n");
-  writeFileSync(join(homeDir, "config", "automations", "validate-config.yml"), "name: validate-config\nschedule: hourly\n");
+  mkdirSync(join(homeDir, "config", "stack"), { recursive: true });
+  writeFileSync(join(homeDir, "config", "stack", "core.compose.yml"), "services:\n  assistant:\n    image: assistant:latest\n");
+  mkdirSync(join(homeDir, "state", "assistant"), { recursive: true });
+  writeFileSync(join(homeDir, "state", "assistant", "opencode.jsonc"), '{"$schema":"https://opencode.ai/config.json"}\n');
+  writeFileSync(join(homeDir, "state", "assistant", "AGENTS.md"), "# Agents\n");
+  mkdirSync(join(homeDir, "state"), { recursive: true });
+  // Automations live in state/registry/automations (shipped catalog) and stash/tasks (user tasks)
+  mkdirSync(join(homeDir, "state", "registry", "automations"), { recursive: true });
+  writeFileSync(join(homeDir, "state", "registry", "automations", "cleanup-logs.md"), "---\nschedule: \"0 4 * * 0\"\ndescription: cleanup logs\n---\n");
+  writeFileSync(join(homeDir, "state", "registry", "automations", "cleanup-data.md"), "---\nschedule: \"0 5 * * 0\"\ndescription: cleanup data\n---\n");
+  writeFileSync(join(homeDir, "state", "registry", "automations", "validate-config.md"), "---\nschedule: \"0 3 * * *\"\ndescription: validate config\n---\n");
 }
 
 // ── Tests: validateSetupSpec ────────────────────────────────────────────
@@ -84,17 +72,17 @@ describe("validateSetupSpec", () => {
     expect(result.errors.some((e) => e.includes("security object is required"))).toBe(true);
   });
 
-  it("rejects missing security.adminToken", () => {
+  it("rejects missing security.uiLoginPassword", () => {
     const spec = makeValidSpec();
-    spec.security.adminToken = "";
+    spec.security.uiLoginPassword = "";
     const result = validateSetupSpec(spec);
     expect(result.valid).toBe(false);
-    expect(result.errors.some((e) => e.includes("security.adminToken"))).toBe(true);
+    expect(result.errors.some((e) => e.includes("security.uiLoginPassword"))).toBe(true);
   });
 
-  it("rejects short security.adminToken", () => {
+  it("rejects short security.uiLoginPassword", () => {
     const spec = makeValidSpec();
-    spec.security.adminToken = "short";
+    spec.security.uiLoginPassword = "short";
     const result = validateSetupSpec(spec);
     expect(result.valid).toBe(false);
     expect(result.errors.some((e) => e.includes("at least 8"))).toBe(true);
@@ -149,36 +137,36 @@ describe("validateSetupSpec", () => {
     expect(result.errors.some((e) => e.includes("version must be 2"))).toBe(true);
   });
 
-  it("rejects missing capabilities.llm", () => {
+  it("rejects missing llm.model", () => {
     const input = makeValidSpec();
-    (input.capabilities as Record<string, unknown>).llm = "";
+    (input.llm as Record<string, unknown>).model = "";
     const result = validateSetupSpec(input);
     expect(result.valid).toBe(false);
-    expect(result.errors.some((e) => e.includes("capabilities.llm"))).toBe(true);
+    expect(result.errors.some((e) => e.includes("llm.model"))).toBe(true);
   });
 
-  it("rejects missing capabilities.embeddings", () => {
+  it("rejects missing llm.provider", () => {
     const input = makeValidSpec();
-    (input.capabilities as Record<string, unknown>).embeddings = null;
+    (input.llm as Record<string, unknown>).provider = "";
     const result = validateSetupSpec(input);
     expect(result.valid).toBe(false);
-    expect(result.errors.some((e) => e.includes("capabilities.embeddings"))).toBe(true);
+    expect(result.errors.some((e) => e.includes("llm.provider"))).toBe(true);
   });
 
-  it("rejects missing capabilities.memory", () => {
+  it("rejects non-integer embedding.dims", () => {
     const input = makeValidSpec();
-    (input.capabilities as Record<string, unknown>).memory = null;
+    (input.embedding as Record<string, unknown>).dims = 1.5;
     const result = validateSetupSpec(input);
     expect(result.valid).toBe(false);
-    expect(result.errors.some((e) => e.includes("capabilities.memory"))).toBe(true);
+    expect(result.errors.some((e) => e.includes("dims must be a positive integer"))).toBe(true);
   });
 
-  it("rejects non-integer embeddings.dims", () => {
+  it("accepts spec without llm or embedding (minimal)", () => {
     const input = makeValidSpec();
-    input.capabilities.embeddings.dims = 1.5;
+    delete (input as Record<string, unknown>).llm;
+    delete (input as Record<string, unknown>).embedding;
     const result = validateSetupSpec(input);
-    expect(result.valid).toBe(false);
-    expect(result.errors.some((e) => e.includes("dims must be a positive integer"))).toBe(true);  // or 0 (auto-resolve)
+    expect(result.valid).toBe(true);
   });
 
   it("accepts multiple connections with different IDs", () => {
@@ -192,29 +180,6 @@ describe("validateSetupSpec", () => {
     expect(result.valid).toBe(true);
   });
 
-  it("rejects memory.userId with dots", () => {
-    const input = makeValidSpec();
-    input.capabilities.memory.userId = "user.name";
-    const result = validateSetupSpec(input);
-    expect(result.valid).toBe(false);
-    expect(result.errors.some((e) => e.includes("alphanumeric and underscores only"))).toBe(true);
-  });
-
-  it("rejects memory.userId with hyphens", () => {
-    const input = makeValidSpec();
-    input.capabilities.memory.userId = "user-name";
-    const result = validateSetupSpec(input);
-    expect(result.valid).toBe(false);
-    expect(result.errors.some((e) => e.includes("alphanumeric and underscores only"))).toBe(true);
-  });
-
-  it("accepts memory.userId with underscores", () => {
-    const input = makeValidSpec();
-    input.capabilities.memory.userId = "user_name_123";
-    const result = validateSetupSpec(input);
-    expect(result.valid).toBe(true);
-  });
-
   it("accepts valid owner fields", () => {
     const spec = makeValidSpec({ owner: { name: "Alice", email: "alice@test.com" } });
     const result = validateSetupSpec(spec);
@@ -229,25 +194,20 @@ describe("validateSetupSpec", () => {
     expect(result.errors.some((e) => e.includes("owner.name"))).toBe(true);
   });
 
-  it("accepts valid memory section", () => {
-    const spec = makeValidSpec();
-    spec.capabilities.memory.userId = "my_user";
-    const result = validateSetupSpec(spec);
-    expect(result.valid).toBe(true);
-  });
 });
 
 // ── Tests: buildSecretsFromSetup ─────────────────────────────────────────
 
 describe("buildSecretsFromSetup", () => {
-  it("does not include admin token in user secrets", () => {
+  it("does not include UI login password in user secrets", () => {
     const spec = makeValidSpec();
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
-    expect(secrets.OP_ADMIN_TOKEN).toBeUndefined();
+    expect(secrets.OP_UI_LOGIN_PASSWORD).toBeUndefined();
+    expect(secrets.OP_UI_TOKEN).toBeUndefined();
     expect(secrets.ADMIN_TOKEN).toBeUndefined();
   });
 
-  it("does not include SYSTEM_LLM_* in user secrets (lives in stack.env via OP_CAP_*)", () => {
+  it("does not include SYSTEM_LLM_* in user secrets", () => {
     const spec = makeValidSpec();
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
     expect(secrets.SYSTEM_LLM_PROVIDER).toBeUndefined();
@@ -255,18 +215,6 @@ describe("buildSecretsFromSetup", () => {
     expect(secrets.SYSTEM_LLM_BASE_URL).toBeUndefined();
   });
 
-  it("persists OPENAI_BASE_URL from openai connection", () => {
-    const spec = makeValidSpec();
-    const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
-    expect(secrets.OPENAI_BASE_URL).toBe("https://api.openai.com");
-  });
-
-  it("does not include MEMORY_USER_ID in user secrets (lives in stack.env via OP_CAP_*)", () => {
-    const spec = makeValidSpec();
-    const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
-    expect(secrets.MEMORY_USER_ID).toBeUndefined();
-  });
-
   it("sets owner info when provided", () => {
     const spec = makeValidSpec();
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
@@ -281,21 +229,45 @@ describe("buildSecretsFromSetup", () => {
     expect(secrets.OWNER_EMAIL).toBeUndefined();
   });
 
-  it("maps API key to correct env var", () => {
+  it("does NOT include provider API keys in stack.env updates", () => {
+    // Provider API keys now live in OpenCode's auth.json — buildSecretsFromSetup
+    // returns only non-credential vars. See buildAuthJsonFromSetup for the key flow.
     const spec = makeValidSpec();
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
-    expect(secrets.OPENAI_API_KEY).toBe("sk-test-key-123");
+    expect(secrets.OPENAI_API_KEY).toBeUndefined();
+    expect(secrets.ANTHROPIC_API_KEY).toBeUndefined();
+  });
+
+  it("does not include Ollama base URL in stack.env secrets", () => {
+    const caps: SetupConnection[] = [
+      { id: "ollama-1", name: "Ollama", provider: "ollama", baseUrl: "http://localhost:11434", apiKey: "" },
+    ];
+    const secrets = buildSecretsFromSetup(caps);
+    expect(secrets.SYSTEM_LLM_BASE_URL).toBeUndefined();
+    expect(secrets.OLLAMA_BASE_URL).toBeUndefined();
+  });
+});
+
+describe("buildAuthJsonFromSetup", () => {
+  it("maps provider id → apiKey from the spec", () => {
+    const conns: SetupConnection[] = [
+      { id: "openai-1", name: "OpenAI", provider: "openai", baseUrl: "", apiKey: "sk-from-spec" },
+      { id: "anthropic-1", name: "Anthropic", provider: "anthropic", baseUrl: "", apiKey: "sk-ant" },
+    ];
+    const keys = buildAuthJsonFromSetup(conns);
+    expect(keys.openai).toBe("sk-from-spec");
+    expect(keys.anthropic).toBe("sk-ant");
   });
 
-  it("falls back to process.env when apiKey is empty", () => {
+  it("falls back to process.env when spec apiKey is empty", () => {
     const saved = process.env.OPENAI_API_KEY;
     process.env.OPENAI_API_KEY = "sk-from-env";
     try {
-      const caps: SetupConnection[] = [
+      const conns: SetupConnection[] = [
         { id: "openai-1", name: "OpenAI", provider: "openai", baseUrl: "", apiKey: "" },
       ];
-      const secrets = buildSecretsFromSetup(caps);
-      expect(secrets.OPENAI_API_KEY).toBe("sk-from-env");
+      const keys = buildAuthJsonFromSetup(conns);
+      expect(keys.openai).toBe("sk-from-env");
     } finally {
       if (saved !== undefined) process.env.OPENAI_API_KEY = saved;
       else delete process.env.OPENAI_API_KEY;
@@ -306,35 +278,41 @@ describe("buildSecretsFromSetup", () => {
     const saved = process.env.OPENAI_API_KEY;
     process.env.OPENAI_API_KEY = "sk-from-env";
     try {
-      const caps: SetupConnection[] = [
+      const conns: SetupConnection[] = [
         { id: "openai-1", name: "OpenAI", provider: "openai", baseUrl: "", apiKey: "sk-from-spec" },
       ];
-      const secrets = buildSecretsFromSetup(caps);
-      expect(secrets.OPENAI_API_KEY).toBe("sk-from-spec");
+      const keys = buildAuthJsonFromSetup(conns);
+      expect(keys.openai).toBe("sk-from-spec");
     } finally {
       if (saved !== undefined) process.env.OPENAI_API_KEY = saved;
       else delete process.env.OPENAI_API_KEY;
     }
   });
 
-  it("does not include Ollama base URL in user secrets when ollamaEnabled (lives in stack.env via OP_CAP_*)", () => {
-    const caps: SetupConnection[] = [
-      { id: "ollama-1", name: "Ollama", provider: "ollama", baseUrl: "http://localhost:11434", apiKey: "" },
+  it("skips connections without a key in either spec or env", () => {
+    const conns: SetupConnection[] = [
+      { id: "openai-1", name: "OpenAI", provider: "openai", baseUrl: "", apiKey: "" },
     ];
-    const secrets = buildSecretsFromSetup(caps);
-    // These are no longer written to user.env — they live in stack.env via OP_CAP_* vars
-    expect(secrets.SYSTEM_LLM_BASE_URL).toBeUndefined();
-    expect(secrets.OPENAI_BASE_URL).toBeUndefined();
+    const saved = process.env.OPENAI_API_KEY;
+    delete process.env.OPENAI_API_KEY;
+    try {
+      const keys = buildAuthJsonFromSetup(conns);
+      expect(keys.openai).toBeUndefined();
+    } finally {
+      if (saved !== undefined) process.env.OPENAI_API_KEY = saved;
+    }
   });
 });
 
 describe("buildSystemSecretsFromSetup", () => {
-  it("includes distinct admin and assistant credentials", () => {
+  // Phase 4: assistant token was removed; the only stack.env secret this
+  // helper writes now is OP_UI_LOGIN_PASSWORD. OP_OPENCODE_PASSWORD is
+  // generated by ensureSystemSecrets() and persists across reruns.
+  it("returns OP_UI_LOGIN_PASSWORD equal to the supplied operator password", () => {
     const secrets = buildSystemSecretsFromSetup("test-admin-token-12345");
-    expect(secrets.OP_ADMIN_TOKEN).toBe("test-admin-token-12345");
-    expect(typeof secrets.OP_ASSISTANT_TOKEN).toBe("string");
-    expect(secrets.OP_ASSISTANT_TOKEN).not.toBe("test-admin-token-12345");
-    expect(typeof secrets.OP_MEMORY_TOKEN).toBe("string");
+    expect(secrets.OP_UI_LOGIN_PASSWORD).toBe("test-admin-token-12345");
+    expect(secrets.OP_UI_TOKEN).toBeUndefined();
+    expect(secrets.OP_ASSISTANT_TOKEN).toBeUndefined();
   });
 });
 
@@ -343,49 +321,46 @@ describe("buildSystemSecretsFromSetup", () => {
 describe("performSetup", () => {
   let homeDir: string;
   let configDir: string;
-  let vaultDir: string;
-  let dataDir: string;
-  let logsDir: string;
+  let stateDir: string;
+  let stackDir: string;
 
   const savedEnv: Record<string, string | undefined> = {};
 
   beforeEach(() => {
     homeDir = mkdtempSync(join(tmpdir(), "openpalm-setup-"));
     configDir = join(homeDir, "config");
-    vaultDir = join(homeDir, "vault");
-    dataDir = join(homeDir, "data");
-    logsDir = join(homeDir, "logs");
+    stateDir = join(homeDir, "state");
+    stackDir = join(configDir, "stack");
 
     // Create required directory structure
     for (const dir of [
       homeDir,
       configDir,
-      join(configDir, "automations"),
-      join(configDir, "channels"),
+      join(homeDir, "state", "registry", "automations"),
       join(configDir, "assistant"),
-      join(configDir, "stash"),
-      vaultDir,
-      dataDir,
-      join(dataDir, "admin"),
-      join(dataDir, "memory"),
-      join(dataDir, "assistant"),
-      join(dataDir, "guardian"),
-      join(dataDir, "automations"),
-      join(dataDir, "opencode"),
-      logsDir,
-      join(logsDir, "opencode"),
+      join(configDir, "akm"),
+      stackDir,
+      join(stackDir, "addons"),
+      join(homeDir, "stash"),
+      join(homeDir, "workspace"),
+      join(homeDir, "cache"),
+      join(homeDir, "cache", "akm"),
+      stateDir,
+      join(stateDir, "assistant"),
+      join(stateDir, "admin"),
+      join(stateDir, "guardian"),
+      join(stateDir, "logs"),
+      join(stateDir, "logs", "opencode"),
     ]) {
       mkdirSync(dir, { recursive: true });
     }
 
     // Create stub stack.env so isSetupComplete doesn't crash
-    mkdirSync(join(vaultDir, "stack"), { recursive: true });
-    mkdirSync(join(vaultDir, "user"), { recursive: true });
     writeFileSync(
-      join(vaultDir, "stack", "stack.env"),
+      join(stackDir, "stack.env"),
       [
         "OP_SETUP_COMPLETE=false",
-        "OP_ADMIN_TOKEN=",
+        "OP_UI_LOGIN_PASSWORD=",
         "OPENAI_API_KEY=",
         "OPENAI_BASE_URL=",
         "ANTHROPIC_API_KEY=",
@@ -398,17 +373,6 @@ describe("performSetup", () => {
       ].join("\n")
     );
 
-    // Seed a user.env placeholder
-    writeFileSync(
-      join(vaultDir, "user", "user.env"),
-      [
-        "# OpenPalm — User Extensions",
-        "# Add any custom environment variables here.",
-        "# These are loaded by compose alongside stack.env.",
-        "",
-      ].join("\n")
-    );
-
     // Seed required asset files at OP_HOME
     seedRequiredAssets(homeDir);
 
@@ -424,39 +388,41 @@ describe("performSetup", () => {
 
   it("returns an error for invalid input", async () => {
     const result = await performSetup(
-      { security: { adminToken: "short" } } as SetupSpec
+      { security: { uiLoginPassword: "short" } } as SetupSpec
     );
     expect(result.ok).toBe(false);
     expect(result.error).toBeDefined();
   });
 
-  it("writes stack.env with the admin token", async () => {
+  it("writes stack.env with the UI login password", async () => {
     const result = await performSetup(makeValidSpec());
     expect(result.ok).toBe(true);
 
-    const secretsContent = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
+    const secretsContent = readFileSync(join(stackDir, "stack.env"), "utf-8");
     expect(secretsContent).toContain("test-admin-token-12345");
   });
 
-  it("writes OP_CAP_* vars to stack.env for capabilities", async () => {
+  it("writes akm config.json with llm and embedding", async () => {
     const result = await performSetup(makeValidSpec());
     expect(result.ok).toBe(true);
 
-    const stackEnvContent = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
-    expect(stackEnvContent).toContain("OP_CAP_LLM_MODEL=gpt-4o");
-    expect(stackEnvContent).toContain("OP_CAP_EMBEDDINGS_MODEL=text-embedding-3-small");
+    const akmConfigPath = join(homeDir, "config", "akm", "config.json");
+    expect(existsSync(akmConfigPath)).toBe(true);
+    const config = JSON.parse(readFileSync(akmConfigPath, "utf-8"));
+    expect(config.llm.model).toBe("gpt-4o");
+    expect(config.llm.provider).toBe("openai");
+    expect(config.embedding.model).toBe("text-embedding-3-small");
+    expect(config.embedding.provider).toBe("openai");
+    expect(config.embedding.dimension).toBe(1536);
   });
 
-  it("writes capabilities to stack.yml v2", async () => {
+  it("writes stack.yml v2 version marker", async () => {
     const result = await performSetup(makeValidSpec());
     expect(result.ok).toBe(true);
 
-    const spec = readStackSpec(configDir);
+    const spec = readStackSpec(stackDir);
     expect(spec).not.toBeNull();
     expect(spec!.version).toBe(2);
-    expect(spec!.capabilities.llm).toBe("openai/gpt-4o");
-    expect(spec!.capabilities.embeddings.model).toBe("text-embedding-3-small");
-    expect(spec!.capabilities.embeddings.provider).toBe("openai");
   });
 
   it("writes core compose file to stack/", async () => {
@@ -464,95 +430,42 @@ describe("performSetup", () => {
     expect(result.ok).toBe(true);
 
     // applyInstall should have written the compose file to stack/ (not config/components/)
-    const stagedCompose = join(homeDir, "stack", "core.compose.yml");
+    const stagedCompose = join(homeDir, "config", "stack", "core.compose.yml");
     expect(existsSync(stagedCompose)).toBe(true);
   });
 
-  it("writes ollama capabilities without addon metadata in stack.yml", async () => {
+  it("writes akm config.json with ollama llm settings", async () => {
     const input = makeValidSpec({
-      capabilities: {
-        llm: "ollama/llama3.2",
-        embeddings: {
-          provider: "ollama",
-          model: "nomic-embed-text",
-          dims: 768,
-        },
-        memory: {
-          userId: "test_user",
-          customInstructions: "",
-        },
-      },
+      llm: { provider: "ollama", model: "llama3.2", baseUrl: "http://localhost:11434/v1" },
+      embedding: { provider: "ollama", model: "nomic-embed-text", dims: 768, baseUrl: "http://localhost:11434/v1" },
       connections: [
-        {
-          id: "ollama-local",
-          name: "Ollama",
-          provider: "ollama",
-          baseUrl: "http://localhost:11434",
-          apiKey: "",
-        },
-      ],
-    });
-
-    const result = await performSetup(input);
-    expect(result.ok).toBe(true);
-
-    // v2 spec should have correct capabilities without addon metadata
-    const spec = readStackSpec(configDir);
-    expect(spec).not.toBeNull();
-    expect(spec!.version).toBe(2);
-    expect(spec!.capabilities.llm).toBe("ollama/llama3.2");
-  });
-
-  it("resolves embedding dims from EMBEDDING_DIMS lookup", async () => {
-    const input = makeValidSpec({
-      capabilities: {
-        llm: "ollama/llama3.2",
-        embeddings: {
-          provider: "ollama",
-          model: "nomic-embed-text",
-          dims: 0, // Should be resolved from lookup
-        },
-        memory: {
-          userId: "test_user",
-          customInstructions: "",
-        },
-      },
-      connections: [
-        {
-          id: "ollama-local",
-          name: "Ollama",
-          provider: "ollama",
-          baseUrl: "http://localhost:11434",
-          apiKey: "",
-        },
+        { id: "ollama-local", name: "Ollama", provider: "ollama", baseUrl: "http://localhost:11434", apiKey: "" },
       ],
     });
 
     const result = await performSetup(input);
     expect(result.ok).toBe(true);
 
-    // nomic-embed-text is 768 dims per EMBEDDING_DIMS — verify via stack.env OP_CAP_EMBEDDINGS_DIMS
-    const stackEnvContent = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
-    expect(stackEnvContent).toContain("OP_CAP_EMBEDDINGS_DIMS=768");
+    const akmConfigPath = join(homeDir, "config", "akm", "config.json");
+    const config = JSON.parse(readFileSync(akmConfigPath, "utf-8"));
+    expect(config.llm.provider).toBe("ollama");
+    expect(config.llm.model).toBe("llama3.2");
+    expect(config.embedding.dimension).toBe(768);
   });
 
-  it("writes stack.yml with correct v2 structure", async () => {
+  it("writes stack.yml as version marker only", async () => {
     const result = await performSetup(makeValidSpec());
     expect(result.ok).toBe(true);
 
-    const specPath = join(configDir, STACK_SPEC_FILENAME);
+    const specPath = join(stackDir, STACK_SPEC_FILENAME);
     expect(existsSync(specPath)).toBe(true);
 
-    const spec = readStackSpec(configDir);
+    const spec = readStackSpec(stackDir);
     expect(spec).not.toBeNull();
     expect(spec!.version).toBe(2);
-    expect(spec!.capabilities.llm).toBe("openai/gpt-4o");
-    expect(spec!.capabilities.embeddings.provider).toBe("openai");
-    expect(spec!.capabilities.embeddings.model).toBe("text-embedding-3-small");
-    expect(spec!.capabilities.memory.userId).toBe("test_user");
   });
 
-  it("completes setup even when duplicate connection ID with hyphen is skipped by env var map", async () => {
+  it("completes setup with multiple connections", async () => {
     const input = makeValidSpec({
       connections: [
         { id: "openai_primary", name: "OpenAI Primary", provider: "openai", baseUrl: "https://api.openai.com", apiKey: "sk-primary" },
@@ -563,11 +476,9 @@ describe("performSetup", () => {
     const result = await performSetup(input);
     expect(result.ok).toBe(true);
 
-    // v2 spec should still have correct capabilities
-    const spec = readStackSpec(configDir);
+    const spec = readStackSpec(stackDir);
     expect(spec).not.toBeNull();
     expect(spec!.version).toBe(2);
-    expect(spec!.capabilities.llm).toBe("openai/gpt-4o");
   });
 
   it("writes channel credentials to stack.env when channelCredentials provided", async () => {
@@ -578,24 +489,12 @@ describe("performSetup", () => {
           applicationId: "discord-app-id-123",
         },
       },
-      capabilities: {
-        llm: "openai/gpt-4o",
-        embeddings: {
-          provider: "openai",
-          model: "text-embedding-3-small",
-          dims: 1536,
-        },
-        memory: {
-          userId: "test_user",
-          customInstructions: "",
-        },
-      },
     });
 
     const result = await performSetup(input);
     expect(result.ok).toBe(true);
 
-    const stackEnvContent = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
+    const stackEnvContent = readFileSync(join(stackDir, "stack.env"), "utf-8");
     expect(stackEnvContent).toContain("discord-bot-token-xyz");
     expect(stackEnvContent).toContain("discord-app-id-123");
   });