@openpalm/lib 0.10.2 → 0.11.0-beta.2

package/src/logger.ts

@@ -1,8 +1,78 @@
 export type LogLevel = 'debug' | 'info' | 'warn' | 'error';
 
+/**
+ * In-house redactor. Returns `'***REDACTED***'` when `key` names something
+ * that looks like a secret (token, key, secret, password, hmac). Replaces
+ * the value-masking that varlock used to do for log output.
+ *
+ * The pattern matches the bare word at the start or end of the key, using
+ * underscore as a word boundary. This avoids substring false positives
+ * like `MONKEY` (contains `_KEY`? no, but the un-anchored pattern used
+ * to match the substring `KEY` even without an underscore) and
+ * `PACKET_SIZE` (does not actually contain `_KEY`, but the regex engine
+ * with un-anchored alternations was sloppy enough to invite future bugs).
+ *
+ * Examples:
+ *   OP_UI_LOGIN_PASSWORD → sensitive (suffix _PASSWORD)
+ *   CHANNEL_API_KEY    → sensitive (suffix _KEY)
+ *   CHANNEL_FOO_HMAC   → sensitive (suffix _HMAC)
+ *   HMAC_KEY           → sensitive (prefix HMAC_, suffix _KEY)
+ *   TOKEN              → sensitive (bare word)
+ *   MONKEY             → NOT sensitive
+ *   PACKET_SIZE        → NOT sensitive
+ *
+ * The same predicate is exported as {@link isSensitiveEnvKey} so callers
+ * that need to mask only part of a larger payload can short-circuit.
+ */
+const REDACT_PATTERN = /(?:^|_)(?:TOKEN|SECRET|KEY|PASSWORD|HMAC)(?:_|$)/i;
+
+export function isSensitiveEnvKey(key: string): boolean {
+  return REDACT_PATTERN.test(key);
+}
+
+export function redactValue(key: string, value: string): string {
+  return isSensitiveEnvKey(key) ? '***REDACTED***' : value;
+}
+
+/**
+ * Recursively walk a structured `extra` payload and mask every value whose
+ * own key (or the nearest enclosing object key) matches the sensitivity
+ * pattern. The original object is not mutated. Sensitive values of any
+ * primitive type (string, number, boolean) are replaced wholesale; nested
+ * objects under a sensitive key are still walked so that callers can mix
+ * structured payloads with redacted leaves.
+ */
+export function redactExtra<T>(extra: T): T {
+  if (extra == null || typeof extra !== 'object') return extra;
+  if (Array.isArray(extra)) {
+    return extra.map((v) => (v && typeof v === 'object' ? redactExtra(v) : v)) as unknown as T;
+  }
+  const out: Record<string, unknown> = {};
+  for (const [k, v] of Object.entries(extra as Record<string, unknown>)) {
+    if (isSensitiveEnvKey(k)) {
+      // Redact any non-null primitive (string/number/boolean) under a
+      // sensitive key. Nested objects keep being walked so a structured
+      // payload like { credentials: { ... } } still gets per-field masking.
+      if (v && typeof v === 'object') {
+        out[k] = redactExtra(v);
+      } else if (v == null) {
+        out[k] = v;
+      } else {
+        out[k] = '***REDACTED***';
+      }
+    } else if (v && typeof v === 'object') {
+      out[k] = redactExtra(v);
+    } else {
+      out[k] = v;
+    }
+  }
+  return out as T;
+}
+
 export function createLogger(service: string) {
   function log(level: LogLevel, msg: string, extra?: Record<string, unknown>): void {
-    const entry = { ts: new Date().toISOString(), level, service, msg, ...(extra ? { extra } : {}) };
+    const safeExtra = extra ? redactExtra(extra) : undefined;
+    const entry = { ts: new Date().toISOString(), level, service, msg, ...(safeExtra ? { extra: safeExtra } : {}) };
     (level === 'error' || level === 'warn' ? console.error : console.log)(JSON.stringify(entry));
   }
   return {

package/src/provider-constants.ts

@@ -40,19 +40,40 @@ export const PROVIDER_KEY_MAP: Record<string, string> = {
   huggingface: "HF_TOKEN",
 };
 
-/** Known embedding model dimensions (cloud providers). */
+/** Known embedding model dimensions. Keyed by `provider/model`. */
 export const EMBEDDING_DIMS: Record<string, number> = {
   "openai/text-embedding-3-small": 1536,
   "openai/text-embedding-3-large": 3072,
   "openai/text-embedding-ada-002": 1536,
   "ollama/nomic-embed-text": 768,
   "ollama/mxbai-embed-large": 1024,
+  "ollama/mxbai-embed-large-v1": 1024,
   "ollama/all-minilm": 384,
   "ollama/snowflake-arctic-embed": 1024,
+  "model-runner/ai/mxbai-embed-large-v1": 1024,
+  "mistral/mistral-embed": 1024,
   "google/text-embedding-004": 768,
   "huggingface/sentence-transformers/all-MiniLM-L6-v2": 384,
+  "huggingface/intfloat/multilingual-e5-large": 1024,
 };
 
+/**
+ * Look up embedding model dimensions. Tries the full key first, then strips
+ * any trailing `:tag` from the model name (Ollama-style versions).
+ * Returns 0 when no match is found.
+ */
+export function lookupEmbeddingDims(provider: string, model: string): number {
+  if (!provider || !model) return 0;
+  const key = `${provider}/${model}`;
+  if (EMBEDDING_DIMS[key]) return EMBEDDING_DIMS[key];
+  const colon = model.lastIndexOf(":");
+  if (colon > 0) {
+    const bare = `${provider}/${model.slice(0, colon)}`;
+    if (EMBEDDING_DIMS[bare]) return EMBEDDING_DIMS[bare];
+  }
+  return 0;
+}
+
 /** Provider display labels for UI. */
 export const PROVIDER_LABELS: Record<string, string> = {
   openai: "OpenAI",

package/src/control-plane/audit.ts

@@ -1,40 +0,0 @@
-/**
- * Audit logging for the OpenPalm control plane.
- */
-import { mkdirSync, appendFileSync } from "node:fs";
-import type { ControlPlaneState, AuditEntry, CallerType } from "./types.js";
-
-const MAX_AUDIT_MEMORY = 1000;
-
-export function appendAudit(
-  state: ControlPlaneState,
-  actor: string,
-  action: string,
-  args: Record<string, unknown>,
-  ok: boolean,
-  requestId = "",
-  callerType: CallerType = "unknown"
-): void {
-  const entry: AuditEntry = {
-    at: new Date().toISOString(),
-    requestId,
-    actor,
-    callerType,
-    action,
-    args,
-    ok
-  };
-  state.audit.push(entry);
-  if (state.audit.length > MAX_AUDIT_MEMORY) {
-    state.audit = state.audit.slice(-MAX_AUDIT_MEMORY);
-  }
-  try {
-    mkdirSync(state.logsDir, { recursive: true });
-    appendFileSync(
-      `${state.logsDir}/admin-audit.jsonl`,
-      JSON.stringify(entry) + "\n"
-    );
-  } catch {
-    // best-effort persistence
-  }
-}

package/src/control-plane/env-schema-validation.test.ts

@@ -1,118 +0,0 @@
-/**
- * Test that env schema validation uses the correct nested vault paths.
- */
-import { describe, test, expect, beforeAll, afterAll } from "bun:test";
-import { mkdirSync, writeFileSync, rmSync, existsSync } from "node:fs";
-import { join } from "node:path";
-import { tmpdir } from "node:os";
-import type { ControlPlaneState } from "./types.js";
-
-describe("env schema validation paths", () => {
-  let tmpDir: string;
-  let state: ControlPlaneState;
-
-  beforeAll(() => {
-    tmpDir = join(tmpdir(), `openpalm-schema-test-${Date.now()}`);
-    mkdirSync(join(tmpDir, "vault/user"), { recursive: true });
-    mkdirSync(join(tmpDir, "vault/stack"), { recursive: true });
-    mkdirSync(join(tmpDir, "data"), { recursive: true });
-    mkdirSync(join(tmpDir, "logs"), { recursive: true });
-    mkdirSync(join(tmpDir, "config"), { recursive: true });
-
-    state = {
-      adminToken: "test-token",
-      assistantToken: "test-assistant",
-      setupToken: "test-setup",
-      homeDir: tmpDir,
-      configDir: join(tmpDir, "config"),
-      vaultDir: join(tmpDir, "vault"),
-      dataDir: join(tmpDir, "data"),
-      logsDir: join(tmpDir, "logs"),
-      cacheDir: join(tmpDir, "cache"),
-      services: {},
-      artifacts: { compose: "" },
-      artifactMeta: [],
-      audit: [],
-    };
-  });
-
-  afterAll(() => {
-    if (tmpDir && existsSync(tmpDir)) {
-      rmSync(tmpDir, { recursive: true, force: true });
-    }
-  });
-
-  test("validation succeeds when no schema files exist (skip mode)", async () => {
-    const { validateProposedState } = await import("./validate.js");
-    const result = await validateProposedState(state);
-    // When schema files don't exist, validation is skipped (no errors)
-    expect(result.ok).toBe(true);
-    expect(result.errors).toEqual([]);
-  });
-
-  test("schema paths match canonical vault layout", () => {
-    const expectedUserSchema = join(tmpDir, "vault/user/user.env.schema");
-    const expectedStackSchema = join(tmpDir, "vault/stack/stack.env.schema");
-
-    writeFileSync(expectedUserSchema, "# test schema\n");
-    writeFileSync(expectedStackSchema, "# test schema\n");
-
-    expect(existsSync(expectedUserSchema)).toBe(true);
-    expect(existsSync(expectedStackSchema)).toBe(true);
-
-    // Old flat paths must NOT exist
-    expect(existsSync(join(tmpDir, "vault/user.env.schema"))).toBe(false);
-    expect(existsSync(join(tmpDir, "vault/system.env.schema"))).toBe(false);
-  });
-
-  test("validate.ts reads from nested paths, not flat paths", async () => {
-    // Write schemas at OLD flat paths — should be ignored
-    writeFileSync(join(tmpDir, "vault/user.env.schema"), "OPENAI_API_KEY\n");
-    writeFileSync(join(tmpDir, "vault/system.env.schema"), "OP_ADMIN_TOKEN\n");
-    // Write env files
-    writeFileSync(join(tmpDir, "vault/user/user.env"), "# empty\n");
-    writeFileSync(join(tmpDir, "vault/stack/stack.env"), "# empty\n");
-    // Delete nested schemas to prove flat paths are ignored
-    try { rmSync(join(tmpDir, "vault/user/user.env.schema")); } catch { /* may not exist */ }
-    try { rmSync(join(tmpDir, "vault/stack/stack.env.schema")); } catch { /* may not exist */ }
-
-    const { validateProposedState } = await import("./validate.js");
-    const result = await validateProposedState(state);
-    // Should pass because nested schemas don't exist (skipped), not because flat schemas were read
-    expect(result.ok).toBe(true);
-  });
-
-  test("validation reports warnings for missing required schema keys", async () => {
-    // Seed a schema that requires OPENAI_API_KEY
-    writeFileSync(join(tmpDir, "vault/user/user.env.schema"), "OPENAI_API_KEY=string\nOWNER_NAME=string\n");
-    // Seed an env file that is missing those keys
-    writeFileSync(join(tmpDir, "vault/user/user.env"), "# empty env\nSOME_OTHER_KEY=value\n");
-
-    const { validateProposedState } = await import("./validate.js");
-    const result = await validateProposedState(state);
-    // The validator should report warnings for missing keys (not errors — env validation is advisory)
-    expect(result.warnings.length).toBeGreaterThanOrEqual(0);
-  });
-
-  test("validation handles malformed env file gracefully", async () => {
-    writeFileSync(join(tmpDir, "vault/user/user.env.schema"), "OPENAI_API_KEY=string\n");
-    // Malformed: no = sign, just random text
-    writeFileSync(join(tmpDir, "vault/user/user.env"), "this is not a valid env file\n===\n");
-
-    const { validateProposedState } = await import("./validate.js");
-    const result = await validateProposedState(state);
-    // Should not throw — graceful handling
-    expect(typeof result.ok).toBe("boolean");
-  });
-
-  test("validation handles empty schema file gracefully", async () => {
-    writeFileSync(join(tmpDir, "vault/user/user.env.schema"), "");
-    writeFileSync(join(tmpDir, "vault/user/user.env"), "OPENAI_API_KEY=sk-test\n");
-
-    const { validateProposedState } = await import("./validate.js");
-    const result = await validateProposedState(state);
-    // Empty schema may cause varlock to report an error — that's fine,
-    // the important thing is it doesn't throw/crash
-    expect(typeof result.ok).toBe("boolean");
-  });
-});

package/src/control-plane/memory-config.ts

@@ -1,298 +0,0 @@
-/** Memory LLM & Embedding configuration management. */
-import { mkdirSync, writeFileSync, readFileSync, existsSync, rmSync } from "node:fs";
-import { readStackEnv } from "./secrets.js";
-import { EMBEDDING_DIMS, PROVIDER_DEFAULT_URLS } from "../provider-constants.js";
-
-
-export type MemoryConfig = {
-  mem0: {
-    llm: { provider: string; config: Record<string, unknown> };
-    embedder: { provider: string; config: Record<string, unknown> };
-    vector_store: {
-      provider: "sqlite-vec" | "qdrant";
-      config: {
-        collection_name: string;
-        db_path?: string;
-        path?: string;
-        embedding_model_dims: number;
-      };
-    };
-  };
-  memory: { custom_instructions: string };
-};
-
-
-export const EMBED_PROVIDERS = [
-  "openai", "ollama", "huggingface", "lmstudio"
-] as const;
-
-/** Static model list for Anthropic (no listing API available). */
-const ANTHROPIC_MODELS = [
-  "claude-opus-4-6",
-  "claude-sonnet-4-6",
-  "claude-opus-4-20250514",
-  "claude-sonnet-4-20250514",
-  "claude-haiku-4-5-20251001",
-  "claude-3-5-sonnet-20241022",
-  "claude-3-5-haiku-20241022",
-];
-
-
-export function resolveApiKey(apiKeyRef: string, configDir: string): string {
-  if (!apiKeyRef) return "";
-  if (!apiKeyRef.startsWith("env:")) return apiKeyRef;
-
-  const varName = apiKeyRef.slice(4);
-  if (process.env[varName]) return process.env[varName]!;
-
-  const secrets = readStackEnv(configDir);
-  return secrets[varName] ?? "";
-}
-
-
-export type ModelDiscoveryReason =
-  | 'none'
-  | 'provider_static'
-  | 'provider_http'
-  | 'missing_base_url'
-  | 'timeout'
-  | 'network';
-
-export type ProviderModelsResult = {
-  models: string[];
-  status: 'ok' | 'recoverable_error';
-  reason: ModelDiscoveryReason;
-  error?: string;
-};
-
-const HTTP_STATUS_LABELS: Record<number, string> = {
-  401: 'Invalid or missing API key',
-  403: 'Access denied — check API key permissions',
-  404: 'Endpoint not found — verify the base URL',
-  429: 'Rate limited — try again shortly',
-  500: 'Provider internal error',
-  502: 'Provider returned a bad gateway error',
-  503: 'Provider is temporarily unavailable',
-};
-
-export async function fetchProviderModels(
-  provider: string,
-  apiKeyRef: string,
-  baseUrl: string,
-  configDir: string
-): Promise<ProviderModelsResult> {
-  try {
-    if (provider === "anthropic") {
-      return { models: [...ANTHROPIC_MODELS], status: 'ok', reason: 'provider_static' };
-    }
-
-    const resolvedKey = resolveApiKey(apiKeyRef, configDir);
-
-    if (provider === "ollama") {
-      const base = baseUrl?.trim() || PROVIDER_DEFAULT_URLS.ollama;
-      const url = `${base.replace(/\/+$/, "")}/api/tags`;
-      const res = await fetch(url, { signal: AbortSignal.timeout(5000) });
-      if (!res.ok) {
-        return {
-          models: [],
-          status: 'recoverable_error',
-          reason: 'provider_http',
-          error: `Ollama API returned ${res.status}: ${(HTTP_STATUS_LABELS[res.status] ?? `HTTP ${res.status}`)}`,
-        };
-      }
-      const data = (await res.json()) as { models?: { name: string }[] };
-      const models = (data.models ?? []).map((m) => m.name).sort();
-      return { models, status: 'ok', reason: 'none' };
-    }
-
-    const base = baseUrl?.trim() || PROVIDER_DEFAULT_URLS[provider] || "";
-    if (!base) {
-      return {
-        models: [],
-        status: 'recoverable_error',
-        reason: 'missing_base_url',
-        error: `No base URL configured for provider "${provider}"`,
-      };
-    }
-    const url = `${base.replace(/\/+$/, "")}/v1/models`;
-
-    const headers: Record<string, string> = {};
-    if (resolvedKey) {
-      headers["Authorization"] = `Bearer ${resolvedKey}`;
-    }
-
-    const res = await fetch(url, { headers, signal: AbortSignal.timeout(5000) });
-    if (!res.ok) {
-      let detail = '';
-      try {
-        const json = JSON.parse(await res.text()) as Record<string, unknown>;
-        const errObj = json.error as Record<string, unknown> | string | undefined;
-        detail = (typeof errObj === 'object' && errObj !== null && typeof errObj.message === 'string') ? errObj.message
-          : typeof errObj === 'string' ? errObj
-          : typeof json.message === 'string' ? json.message
-          : typeof json.detail === 'string' ? json.detail : '';
-      } catch { /* ignore parse errors */ }
-      return {
-        models: [],
-        status: 'recoverable_error',
-        reason: 'provider_http',
-        error: detail
-          ? `Provider API returned ${res.status}: ${detail}`
-          : `Provider API returned ${res.status}: ${(HTTP_STATUS_LABELS[res.status] ?? `HTTP ${res.status}`)}`,
-      };
-    }
-    const data = (await res.json()) as { data?: { id: string }[] };
-    const models = (data.data ?? []).map((m) => m.id).sort();
-    return { models, status: 'ok', reason: 'none' };
-  } catch (err) {
-    const message =
-      err instanceof Error && err.name === "TimeoutError"
-        ? "Request timed out after 5s"
-        : String(err);
-    return {
-      models: [],
-      status: 'recoverable_error',
-      reason: err instanceof Error && err.name === 'TimeoutError' ? 'timeout' : 'network',
-      error: message,
-    };
-  }
-}
-
-
-export function getDefaultConfig(): MemoryConfig {
-  return {
-    mem0: {
-      llm: {
-        provider: "openai",
-        config: {
-          model: "gpt-4o-mini",
-          temperature: 0.1,
-          max_tokens: 2000,
-          api_key: "env:OPENAI_API_KEY",
-        },
-      },
-      embedder: {
-        provider: "openai",
-        config: {
-          model: "text-embedding-3-small",
-          api_key: "env:OPENAI_API_KEY",
-        },
-      },
-      vector_store: {
-        provider: "sqlite-vec",
-        config: {
-          collection_name: "memory",
-          db_path: "/data/memory.db",
-          embedding_model_dims: 1536,
-        },
-      },
-    },
-    memory: { custom_instructions: "" },
-  };
-}
-
-
-export function readMemoryConfig(dataDir: string): MemoryConfig {
-  const path = `${dataDir}/memory/default_config.json`;
-  if (!existsSync(path)) return getDefaultConfig();
-  try {
-    return JSON.parse(readFileSync(path, "utf-8")) as MemoryConfig;
-  } catch {
-    return getDefaultConfig();
-  }
-}
-
-export function writeMemoryConfig(dataDir: string, config: MemoryConfig): void {
-  mkdirSync(`${dataDir}/memory`, { recursive: true });
-  writeFileSync(`${dataDir}/memory/default_config.json`, JSON.stringify(config, null, 2) + "\n");
-}
-
-export function ensureMemoryConfig(dataDir: string): void {
-  if (existsSync(`${dataDir}/memory/default_config.json`)) return;
-  writeMemoryConfig(dataDir, getDefaultConfig());
-}
-
-
-export type VectorDimensionResult = {
-  match: boolean;
-  currentDims?: number;
-  expectedDims: number;
-};
-
-export function checkVectorDimensions(
-  dataDir: string,
-  newConfig: MemoryConfig
-): VectorDimensionResult {
-  const expectedDims = newConfig.mem0.vector_store.config.embedding_model_dims;
-  const persisted = readMemoryConfig(dataDir);
-  const currentDims = persisted.mem0.vector_store.config.embedding_model_dims;
-  return { match: currentDims === expectedDims, currentDims, expectedDims };
-}
-
-export function resetVectorStore(
-  dataDir: string
-): { ok: boolean; error?: string } {
-  const persisted = readMemoryConfig(dataDir);
-  const configuredPath = persisted.mem0.vector_store.config.db_path;
-
-  let dbPath: string;
-  if (configuredPath && configuredPath.startsWith('/data/')) {
-    dbPath = `${dataDir}/memory/${configuredPath.slice('/data/'.length)}`;
-  } else if (configuredPath && !configuredPath.startsWith('/')) {
-    dbPath = `${dataDir}/memory/${configuredPath}`;
-  } else {
-    dbPath = `${dataDir}/memory/memory.db`;
-  }
-  const qdrantPath = `${dataDir}/memory/qdrant`;
-  try {
-    if (existsSync(dbPath)) {
-      rmSync(dbPath, { force: true });
-    }
-    for (const suffix of ['-wal', '-shm']) {
-      const walPath = `${dbPath}${suffix}`;
-      if (existsSync(walPath)) rmSync(walPath, { force: true });
-    }
-    if (existsSync(qdrantPath)) {
-      rmSync(qdrantPath, { recursive: true, force: true });
-    }
-    return { ok: true };
-  } catch (err) {
-    return { ok: false, error: String(err) };
-  }
-}
-
-
-async function callMemoryApi(path: string, init?: RequestInit): Promise<Response> {
-  const configured = process.env.MEMORY_API_URL?.trim() || process.env.OP_MEMORY_API_URL?.trim();
-  const bases = configured ? [configured.replace(/\/+$/, "")] : ["http://memory:8765", "http://127.0.0.1:8765"];
-  const token = process.env.MEMORY_AUTH_TOKEN?.trim();
-  const authHeaders: Record<string, string> = token ? { authorization: `Bearer ${token}` } : {};
-  let lastError: unknown;
-
-  for (let i = 0; i < bases.length; i++) {
-    try {
-      const headers = { ...authHeaders, ...(init?.headers as Record<string, string>) };
-      return await fetch(`${bases[i]}${path}`, { ...init, headers });
-    } catch (err) {
-      lastError = err;
-      if (i === bases.length - 1) throw err;
-    }
-  }
-  throw lastError ?? new Error("Memory API request failed");
-}
-
-export async function provisionMemoryUser(
-  userId: string,
-): Promise<{ ok: boolean; error?: string }> {
-  try {
-    const res = await callMemoryApi("/api/v1/users", {
-      method: "POST",
-      headers: { "content-type": "application/json" },
-      body: JSON.stringify({ user_id: userId }),
-      signal: AbortSignal.timeout(5_000),
-    });
-    return { ok: res.ok };
-  } catch (err) {
-    return { ok: false, error: String(err) };
-  }
-}

package/src/control-plane/redact-schema.ts

@@ -1,50 +0,0 @@
-/**
- * Auto-generates a `redact.env.schema` from the canonical secret mappings.
- *
- * This ensures that every env var carrying a secret is marked for redaction
- * by varlock, without requiring manual maintenance of the schema file.
- */
-import { getCoreSecretMappings } from './secret-mappings.js';
-
-/**
- * Generate a redact.env.schema string from the canonical secret mappings.
- *
- * @param systemEnv - The current system env (used to discover dynamic channel secrets)
- * @returns A complete `@env-spec` schema suitable for varlock redaction
- */
-export function generateRedactSchema(systemEnv: Record<string, string>): string {
-  const lines: string[] = [
-    '# OpenPalm — Runtime Redaction Schema (auto-generated)',
-    '# Marks env vars as @sensitive so varlock redacts their values from',
-    '# stdout/stderr before they reach docker compose logs.',
-    '#',
-    '# @defaultSensitive=true',
-    '# @defaultRequired=false',
-    '# ---',
-    '',
-  ];
-
-  const envKeys = new Set<string>();
-  for (const mapping of getCoreSecretMappings(systemEnv)) {
-    envKeys.add(mapping.envKey);
-  }
-
-  // Include container-runtime env names that differ from env-file keys
-  // (compose maps OP_MEMORY_TOKEN -> MEMORY_AUTH_TOKEN, etc.)
-  envKeys.add('ADMIN_TOKEN');
-  envKeys.add('MEMORY_AUTH_TOKEN');
-  envKeys.add('OPENCODE_SERVER_PASSWORD');
-
-  // Resolved capability API keys (written to stack.env by spec-to-env)
-  envKeys.add('OP_CAP_LLM_API_KEY');
-  envKeys.add('OP_CAP_EMBEDDINGS_API_KEY');
-  envKeys.add('OP_CAP_TTS_API_KEY');
-  envKeys.add('OP_CAP_STT_API_KEY');
-  envKeys.add('OP_CAP_SLM_API_KEY');
-
-  for (const key of [...envKeys].sort()) {
-    lines.push(`${key}=`);
-  }
-
-  return lines.join('\n') + '\n';
-}