@openpalm/lib 0.10.2 → 0.11.0-beta.2

package/src/control-plane/install-edge-cases.test.ts

@@ -22,6 +22,7 @@ import { isSetupComplete } from "./setup-status.js";
 import {
   performSetup,
   buildSecretsFromSetup,
+  buildAuthJsonFromSetup,
   buildSystemSecretsFromSetup,
 } from "./setup.js";
 import type { SetupSpec, SetupConnection } from "./setup.js";
@@ -33,19 +34,9 @@ import { STACK_SPEC_FILENAME, readStackSpec } from "./stack-spec.js";
 function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
   return {
     version: 2,
-    capabilities: {
-      llm: "openai/gpt-4o",
-      embeddings: {
-        provider: "openai",
-        model: "text-embedding-3-small",
-        dims: 1536,
-      },
-      memory: {
-        userId: "test_user",
-        customInstructions: "",
-      },
-    },
-    security: { adminToken: "test-admin-token-12345" },
+    llm: { provider: "openai", model: "gpt-4o", baseUrl: "https://api.openai.com/v1" },
+    embedding: { provider: "openai", model: "text-embedding-3-small", dims: 1536, baseUrl: "https://api.openai.com/v1" },
+    security: { uiLoginPassword: "test-admin-token-12345" },
     owner: { name: "Test User", email: "test@example.com" },
     connections: [
       {
@@ -62,28 +53,26 @@ function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
 
 /** Seed the minimal asset files that ensure* functions expect to find at OP_HOME. */
 function seedRequiredAssets(homeDir: string): void {
-  mkdirSync(join(homeDir, "stack"), { recursive: true });
-  writeFileSync(join(homeDir, "stack", "core.compose.yml"), "services:\n  assistant:\n    image: assistant:latest\n");
-  mkdirSync(join(homeDir, "data", "assistant"), { recursive: true });
-  writeFileSync(join(homeDir, "data", "assistant", "opencode.jsonc"), '{"$schema":"https://opencode.ai/config.json"}\n');
-  writeFileSync(join(homeDir, "data", "assistant", "AGENTS.md"), "# Agents\n");
-  mkdirSync(join(homeDir, "vault", "user"), { recursive: true });
-  writeFileSync(join(homeDir, "vault", "user", "user.env.schema"), "ADMIN_TOKEN=string\n");
-  mkdirSync(join(homeDir, "vault", "stack"), { recursive: true });
-  writeFileSync(join(homeDir, "vault", "stack", "stack.env.schema"), "OP_IMAGE_TAG=string\n");
-  mkdirSync(join(homeDir, "config", "automations"), { recursive: true });
-  writeFileSync(join(homeDir, "config", "automations", "cleanup-logs.yml"), "name: cleanup-logs\nschedule: daily\n");
-  writeFileSync(join(homeDir, "config", "automations", "cleanup-data.yml"), "name: cleanup-data\nschedule: weekly\n");
-  writeFileSync(join(homeDir, "config", "automations", "validate-config.yml"), "name: validate-config\nschedule: hourly\n");
+  mkdirSync(join(homeDir, "config", "stack"), { recursive: true });
+  writeFileSync(join(homeDir, "config", "stack", "core.compose.yml"), "services:\n  assistant:\n    image: assistant:latest\n");
+  mkdirSync(join(homeDir, "state", "assistant"), { recursive: true });
+  writeFileSync(join(homeDir, "state", "assistant", "opencode.jsonc"), '{"$schema":"https://opencode.ai/config.json"}\n');
+  writeFileSync(join(homeDir, "state", "assistant", "AGENTS.md"), "# Agents\n");
+  mkdirSync(join(homeDir, "state"), { recursive: true });
+  // Automations live in state/registry/automations (shipped catalog) and stash/tasks (user tasks)
+  mkdirSync(join(homeDir, "state", "registry", "automations"), { recursive: true });
+  writeFileSync(join(homeDir, "state", "registry", "automations", "cleanup-logs.md"), "---\nschedule: \"0 4 * * 0\"\ndescription: cleanup logs\n---\n");
+  writeFileSync(join(homeDir, "state", "registry", "automations", "cleanup-data.md"), "---\nschedule: \"0 5 * * 0\"\ndescription: cleanup data\n---\n");
+  writeFileSync(join(homeDir, "state", "registry", "automations", "validate-config.md"), "---\nschedule: \"0 3 * * *\"\ndescription: validate config\n---\n");
 }
 
 // ── Shared test fixture ──────────────────────────────────────────────────
 
 let homeDir: string;
 let configDir: string;
-let vaultDir: string;
-let dataDir: string;
-let logsDir: string;
+let stateDir: string;
+let stackDir: string;
+let cacheDir: string;
 
 const savedEnv: Record<string, string | undefined> = {};
 
@@ -100,31 +89,36 @@ function restoreEnv(): void {
 function createFullDirTree(): void {
   homeDir = mkdtempSync(join(tmpdir(), "openpalm-edge-"));
   configDir = join(homeDir, "config");
-  vaultDir = join(homeDir, "vault");
-  dataDir = join(homeDir, "data");
-  logsDir = join(homeDir, "logs");
+  stateDir = join(homeDir, "state");
+  stackDir = join(configDir, "stack");
+  cacheDir = join(homeDir, "cache");
 
   for (const dir of [
     homeDir,
     configDir,
-    join(configDir, "automations"),
-    join(configDir, "channels"),
+    join(homeDir, "state", "registry", "automations"),
     join(configDir, "assistant"),
-    join(configDir, "stash"),
-    join(homeDir, "stack"),
-    join(homeDir, "stack", "addons"),
-    vaultDir,
-    dataDir,
-    join(dataDir, "admin"),
-    join(dataDir, "memory"),
-    join(dataDir, "assistant"),
-    join(dataDir, "guardian"),
-    join(dataDir, "automations"),
-    join(dataDir, "opencode"),
-    join(dataDir, "stash"),
-    join(dataDir, "workspace"),
-    logsDir,
-    join(logsDir, "opencode"),
+    join(configDir, "akm"),
+    join(homeDir, "stash"),
+    join(homeDir, "workspace"),
+    stackDir,
+    join(stackDir, "addons"),
+    stateDir,
+    join(stateDir, "assistant"),
+    join(stateDir, "admin"),
+    join(stateDir, "guardian"),
+    join(stateDir, "logs"),
+    join(stateDir, "logs", "opencode"),
+    join(stateDir, "registry"),
+    join(stateDir, "registry", "addons"),
+    join(stateDir, "backups"),
+    join(stateDir, "akm"),
+    join(stateDir, "akm", "data"),
+    join(stateDir, "akm", "state"),
+    cacheDir,
+    join(cacheDir, "akm"),
+    join(cacheDir, "guardian"),
+    join(cacheDir, "rollback"),
   ]) {
     mkdirSync(dir, { recursive: true });
   }
@@ -133,27 +127,15 @@ function createFullDirTree(): void {
   seedRequiredAssets(homeDir);
 }
 
-/** Seed the minimal user.env and stack.env needed for most tests. */
+/** Seed the minimal stack.env needed for most tests. */
 function seedMinimalEnvFiles(): void {
-  mkdirSync(join(vaultDir, "user"), { recursive: true });
-  mkdirSync(join(vaultDir, "stack"), { recursive: true });
-  writeFileSync(
-    join(vaultDir, "user", "user.env"),
-    [
-      "# OpenPalm — User Extensions",
-      "# Add any custom environment variables here.",
-      "# These are loaded by compose alongside stack.env.",
-      "",
-    ].join("\n")
-  );
+  mkdirSync(stackDir, { recursive: true });
 
   writeFileSync(
-    join(vaultDir, "stack", "stack.env"),
+    join(stackDir, "stack.env"),
     [
       "# OpenPalm — Stack Configuration",
-      "OP_ADMIN_TOKEN=",
-      "OP_ASSISTANT_TOKEN=",
-      "OP_MEMORY_TOKEN=",
+      "OP_UI_LOGIN_PASSWORD=",
       "OPENAI_API_KEY=",
       "OPENAI_BASE_URL=",
       "ANTHROPIC_API_KEY=",
@@ -184,51 +166,39 @@ describe("Fresh Install", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
 
-  // Scenario 1: ensureSecrets creates user.env as placeholder and stack.env with required keys
-  it("ensureSecrets creates user.env as placeholder and stack.env with required keys when files do not exist", () => {
+  // Scenario 1: ensureSecrets does NOT seed user.env (see akm-vault) but
+  // does create stack.env with required keys when files do not exist.
+  it("ensureSecrets creates state/stack.env with required keys on fresh install", () => {
     const state: ControlPlaneState = {
-      adminToken: "",
-      assistantToken: "",
-      setupToken: "",
       homeDir,
       configDir,
-      vaultDir,
-      dataDir,
-      logsDir,
-      cacheDir: join(homeDir, "cache"),
+      stashDir: join(homeDir, "stash"),
+      workspaceDir: join(homeDir, "workspace"),
+      cacheDir,
+      stateDir,
+      stackDir,
       services: {},
       artifacts: { compose: "" },
       artifactMeta: [],
-      audit: [],
     };
 
-    // No user.env exists yet
-    expect(existsSync(join(vaultDir, "user", "user.env"))).toBe(false);
-
     ensureSecrets(state);
 
-    // user.env is now a minimal placeholder
-    const userContent = readFileSync(join(vaultDir, "user", "user.env"), "utf-8");
-    expect(userContent).toContain("User Extensions");
-
-    // API keys and owner info are seeded in stack.env
-    const stackContent = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
+    // API keys and owner info are seeded in state/stack.env.
+    const stackContent = readFileSync(join(stackDir, "stack.env"), "utf-8");
     expect(stackContent).toContain("OPENAI_API_KEY=");
     expect(stackContent).toContain("OWNER_NAME=");
   });
 
   // Scenario 2: isSetupComplete returns false before setup
   it("isSetupComplete returns false when stack.env has OP_SETUP_COMPLETE=false", () => {
-    mkdirSync(join(vaultDir, "stack"), { recursive: true });
-    mkdirSync(join(vaultDir, "user"), { recursive: true });
+    mkdirSync(stateDir, { recursive: true });
     writeFileSync(
-      join(vaultDir, "stack", "stack.env"),
+      join(stackDir, "stack.env"),
       "OP_SETUP_COMPLETE=false\n"
     );
-    // Empty user.env so fallback check doesn't trigger
-    writeFileSync(join(vaultDir, "user", "user.env"), "");
 
-    expect(isSetupComplete(vaultDir)).toBe(false);
+    expect(isSetupComplete(stackDir)).toBe(false);
   });
 
   // Scenario 3: performSetup succeeds from completely empty state
@@ -242,15 +212,21 @@ describe("Fresh Install", () => {
     expect(result.ok).toBe(true);
   });
 
-  // Scenario 4: performSetup marks setup complete in vault/stack/stack.env
-  it("performSetup marks OP_SETUP_COMPLETE=true in vault stack.env", async () => {
+  // Scenario 4: performSetup must NOT mark OP_SETUP_COMPLETE.
+  //
+  // The flag is set by setup-deploy.ts:startDeploy AFTER the Docker stack is
+  // confirmed healthy. If performSetup wrote it eagerly, a deploy failure
+  // would leave the wizard convinced setup was complete and bounce the user
+  // into a broken admin UI.
+  it("performSetup does NOT mark OP_SETUP_COMPLETE (deploy owns that flag)", async () => {
     seedMinimalEnvFiles();
 
     await performSetup(makeValidSpec());
 
-    const stackEnv = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
+    const stackEnv = readFileSync(join(stackDir, "stack.env"), "utf-8");
     const parsed = parseEnvContent(stackEnv);
-    expect(parsed.OP_SETUP_COMPLETE).toBe("true");
+    // Either entirely absent, or still the seeded "false" — never "true".
+    expect(parsed.OP_SETUP_COMPLETE === undefined || parsed.OP_SETUP_COMPLETE === "false").toBe(true);
   });
 });
 
@@ -270,113 +246,71 @@ describe("Existing Install", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
 
-  // Scenario 5: ensureSecrets does NOT overwrite existing user.env
-  it("ensureSecrets does not overwrite existing user.env", () => {
-    const customContent =
-      "export OP_ADMIN_TOKEN=my-custom-token\nexport OP_MEMORY_TOKEN=custom-auth-token\n";
-    mkdirSync(join(vaultDir, "user"), { recursive: true });
-    writeFileSync(join(vaultDir, "user", "user.env"), customContent);
+  // Scenario 5: ensureSecrets does NOT overwrite existing stack.env
+  it("ensureSecrets does not overwrite existing stack.env tokens", () => {
+    mkdirSync(stateDir, { recursive: true });
+    writeFileSync(join(stackDir, "stack.env"), "OP_UI_LOGIN_PASSWORD=my-custom-password\n");
 
     const state: ControlPlaneState = {
-      adminToken: "",
-      assistantToken: "",
-      setupToken: "",
       homeDir,
       configDir,
-      vaultDir,
-      dataDir,
-      logsDir,
-      cacheDir: join(homeDir, "cache"),
+      stashDir: join(homeDir, "stash"),
+      workspaceDir: join(homeDir, "workspace"),
+      cacheDir,
+      stateDir,
+      stackDir,
       services: {},
       artifacts: { compose: "" },
       artifactMeta: [],
-      audit: [],
     };
 
     ensureSecrets(state);
 
-    const afterContent = readFileSync(join(vaultDir, "user", "user.env"), "utf-8");
-    expect(afterContent).toBe(customContent);
+    // Existing password must be preserved
+    const afterContent = readFileSync(join(stackDir, "stack.env"), "utf-8");
+    expect(afterContent).toContain("OP_UI_LOGIN_PASSWORD=my-custom-password");
   });
 
-  // Scenario 6: performSetup re-run preserves OP_MEMORY_TOKEN
-  it("performSetup re-run preserves OP_MEMORY_TOKEN from first run", async () => {
-    // First setup
-    await performSetup(makeValidSpec());
+  // Scenario 6: performSetup re-run rewrites OP_UI_LOGIN_PASSWORD when the
+  // operator supplies a new one in the spec. This is intentional — the
+  // wizard "rerun" path is how an operator rotates the password. The
+  // legacy OP_ASSISTANT_TOKEN preservation test was removed with the token.
+  it("performSetup re-run rewrites OP_UI_LOGIN_PASSWORD when spec changes", async () => {
+    await performSetup(makeValidSpec({ security: { uiLoginPassword: "first-password-12345" } }));
 
-    const secretsAfterFirst = readFileSync(
-      join(vaultDir, "stack", "stack.env"),
-      "utf-8"
-    );
-    const firstMatch = secretsAfterFirst.match(
-      /OP_MEMORY_TOKEN=([a-f0-9]+)/
-    );
-    expect(firstMatch).not.toBeNull();
-    const firstToken = firstMatch![1];
+    const afterFirst = readFileSync(join(stackDir, "stack.env"), "utf-8");
+    expect(afterFirst).toContain("OP_UI_LOGIN_PASSWORD=first-password-12345");
 
-    // Second setup (re-run with different API key)
-    await performSetup(
-      makeValidSpec({
-        connections: [
-          {
-            id: "openai-main",
-            name: "OpenAI",
-            provider: "openai",
-            baseUrl: "https://api.openai.com",
-            apiKey: "sk-different-key-999",
-          },
-        ],
-      })
-    );
+    await performSetup(makeValidSpec({ security: { uiLoginPassword: "second-password-12345" } }));
 
-    const secretsAfterSecond = readFileSync(
-      join(vaultDir, "stack", "stack.env"),
-      "utf-8"
-    );
-    const secondMatch = secretsAfterSecond.match(
-      /OP_MEMORY_TOKEN=([a-f0-9]+)/
-    );
-    expect(secondMatch).not.toBeNull();
-    // OP_MEMORY_TOKEN should be preserved (buildSystemSecretsFromSetup does not overwrite it)
-    expect(secondMatch![1]).toBe(firstToken);
+    const afterSecond = readFileSync(join(stackDir, "stack.env"), "utf-8");
+    expect(afterSecond).toContain("OP_UI_LOGIN_PASSWORD=second-password-12345");
   });
 
-  // Scenario 7: performSetup marks OP_SETUP_COMPLETE=true in vault/stack/stack.env
-  it("performSetup marks OP_SETUP_COMPLETE=true in vault stack.env", async () => {
+  // Scenario 7: performSetup must NOT mark OP_SETUP_COMPLETE — see scenario
+  // 4 in the Fresh Install block for the rationale. The deploy phase owns
+  // this flag and only writes it after the container stack is healthy.
+  it("performSetup does NOT mark OP_SETUP_COMPLETE (deploy owns that flag)", async () => {
     await performSetup(makeValidSpec());
 
     const stackEnv = readFileSync(
-      join(vaultDir, "stack", "stack.env"),
+      join(stackDir, "stack.env"),
       "utf-8"
     );
     const parsed = parseEnvContent(stackEnv);
-    expect(parsed.OP_SETUP_COMPLETE).toBe("true");
+    expect(parsed.OP_SETUP_COMPLETE === undefined || parsed.OP_SETUP_COMPLETE === "false").toBe(true);
   });
 
-  // Scenario 8: Re-setup with different provider updates stack.yml capabilities
-  it("re-setup with different provider updates capabilities in stack.yml", async () => {
+  // Scenario 8: Re-setup with different provider updates akm config
+  it("re-setup with different provider updates akm config", async () => {
     // First setup with OpenAI
     await performSetup(makeValidSpec());
 
-    const specAfterFirst = readStackSpec(configDir);
-    expect(specAfterFirst).not.toBeNull();
-    expect(specAfterFirst!.capabilities.llm).toContain("openai/");
-
     // Second setup with Groq
     await performSetup(
       makeValidSpec({
-        capabilities: {
-          llm: "groq/llama3-70b-8192",
-          embeddings: {
-            provider: "groq",
-            model: "text-embedding-3-small",
-            dims: 1536,
-          },
-          memory: {
-            userId: "test_user",
-            customInstructions: "",
-          },
-        },
+        llm: { provider: "groq", model: "llama3-70b-8192", baseUrl: "https://api.groq.com/openai/v1" },
+        embedding: { provider: "groq", model: "text-embedding-3-small", dims: 1536, baseUrl: "https://api.groq.com/openai/v1" },
         connections: [
           {
             id: "groq-main",
@@ -389,12 +323,13 @@ describe("Existing Install", () => {
       })
     );
 
-    const specAfterSecond = readStackSpec(configDir);
+    // stack.yml is just a version marker now
+    const specAfterSecond = readStackSpec(stackDir);
     expect(specAfterSecond).not.toBeNull();
-    expect(specAfterSecond!.capabilities.llm).toBe("groq/llama3-70b-8192");
+    expect(specAfterSecond!.version).toBe(2);
 
     // stack.env should retain both keys
-    const secrets = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
+    const secrets = readFileSync(join(stackDir, "stack.env"), "utf-8");
     expect(secrets).toContain("GROQ_API_KEY");
   });
 });
@@ -414,35 +349,32 @@ describe("Broken/Corrupt State", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
 
-  // Scenario 9: user.env exists but is empty
-  it("ensureSecrets returns early for an empty but existing user.env", () => {
-    mkdirSync(join(vaultDir, "user"), { recursive: true });
-    writeFileSync(join(vaultDir, "user", "user.env"), "");
+  // Scenario 9: ensureSecrets is idempotent on repeated calls
+  it("ensureSecrets is idempotent — second call does not overwrite existing stack.env", () => {
+    mkdirSync(stateDir, { recursive: true });
+    writeFileSync(join(stackDir, "stack.env"), "OP_UI_LOGIN_PASSWORD=existing-password\n");
 
     const state: ControlPlaneState = {
-      adminToken: "",
-      assistantToken: "",
-      setupToken: "",
       homeDir,
       configDir,
-      vaultDir,
-      dataDir,
-      logsDir,
-      cacheDir: join(homeDir, "cache"),
+      stashDir: join(homeDir, "stash"),
+      workspaceDir: join(homeDir, "workspace"),
+      cacheDir,
+      stateDir,
+      stackDir,
       services: {},
       artifacts: { compose: "" },
       artifactMeta: [],
-      audit: [],
     };
 
     ensureSecrets(state);
 
-    // File should still exist and still be empty (ensureSecrets only checks existence)
-    const content = readFileSync(join(vaultDir, "user", "user.env"), "utf-8");
-    expect(content).toBe("");
+    // Existing password must be preserved
+    const content = readFileSync(join(stackDir, "stack.env"), "utf-8");
+    expect(content).toContain("OP_UI_LOGIN_PASSWORD=existing-password");
   });
 
-  // Scenario 10: user.env with malformed lines
+  // Scenario 10: env file with malformed lines
   it("parseEnvFile handles malformed env lines gracefully", () => {
     const malformedContent = [
       "# Comment line",
@@ -456,10 +388,10 @@ describe("Broken/Corrupt State", () => {
       "  # indented comment",
     ].join("\n");
 
-    mkdirSync(join(vaultDir, "user"), { recursive: true });
-    writeFileSync(join(vaultDir, "user", "user.env"), malformedContent);
+    mkdirSync(stateDir, { recursive: true });
+    writeFileSync(join(stateDir, "test.env"), malformedContent);
 
-    const parsed = parseEnvFile(join(vaultDir, "user", "user.env"));
+    const parsed = parseEnvFile(join(stateDir, "test.env"));
     expect(parsed.VALID_KEY).toBe("valid_value");
     expect(parsed.EXPORTED_KEY).toBe("exported_value");
     expect(parsed.ANOTHER_VALID).toBe("value");
@@ -468,30 +400,23 @@ describe("Broken/Corrupt State", () => {
   // Scenario 11: stack.env missing OP_SETUP_COMPLETE
   it("isSetupComplete falls back to token check when OP_SETUP_COMPLETE missing", () => {
     // stack.env without OP_SETUP_COMPLETE
-    mkdirSync(join(vaultDir, "stack"), { recursive: true });
-    mkdirSync(join(vaultDir, "user"), { recursive: true });
+    mkdirSync(stateDir, { recursive: true });
     writeFileSync(
-      join(vaultDir, "stack", "stack.env"),
+      join(stackDir, "stack.env"),
       "OP_IMAGE_TAG=latest\n"
     );
 
-    // user.env without any token
-    writeFileSync(
-      join(vaultDir, "user", "user.env"),
-      "export OP_ADMIN_TOKEN=\nexport ADMIN_TOKEN=\n"
-    );
-
-    expect(isSetupComplete(vaultDir)).toBe(false);
+    expect(isSetupComplete(stackDir)).toBe(false);
   });
 
-  it("isSetupComplete falls back to true when admin token is set but OP_SETUP_COMPLETE missing", () => {
-    mkdirSync(join(vaultDir, "stack"), { recursive: true });
+  it("isSetupComplete falls back to true when UI login password is set but OP_SETUP_COMPLETE missing", () => {
+    mkdirSync(stateDir, { recursive: true });
     writeFileSync(
-      join(vaultDir, "stack", "stack.env"),
-      "OP_IMAGE_TAG=latest\nexport OP_ADMIN_TOKEN=my-real-token\n"
+      join(stackDir, "stack.env"),
+      "OP_IMAGE_TAG=latest\nexport OP_UI_LOGIN_PASSWORD=my-real-password\n"
     );
 
-    expect(isSetupComplete(vaultDir)).toBe(true);
+    expect(isSetupComplete(stackDir)).toBe(true);
   });
 
   // Scenario 12: API key with special characters round-trips
@@ -512,39 +437,39 @@ describe("Broken/Corrupt State", () => {
 
   // Scenario 13: Missing stack.yml returns null
   it("readStackSpec returns null when stack.yml missing", () => {
-    const spec = readStackSpec(configDir);
+    const spec = readStackSpec(stackDir);
     expect(spec).toBeNull();
   });
 
-  // Scenario 14: config dir exists but automations dir doesn't
+  // Scenario 14: stash/tasks dir missing (performSetup should recreate it via ensureHomeDirs)
   it("performSetup creates missing subdirectories", async () => {
     // Seed the minimal env files first
     seedMinimalEnvFiles();
 
-    // Remove automations dir (performSetup should recreate it)
-    rmSync(join(configDir, "automations"), { recursive: true, force: true });
+    // Remove stash/tasks dir (performSetup should recreate it via ensureHomeDirs)
+    rmSync(join(homeDir, "stash", "tasks"), { recursive: true, force: true });
 
     const result = await performSetup(
       makeValidSpec()
     );
     expect(result.ok).toBe(true);
 
-    // Artifacts should exist in stack/ (not config/components/)
-    expect(existsSync(join(homeDir, "stack", "core.compose.yml"))).toBe(
+    // Artifacts should exist in config/stack/
+    expect(existsSync(join(homeDir, "config", "stack", "core.compose.yml"))).toBe(
       true
     );
-    // Automations dir should be recreated
-    expect(existsSync(join(configDir, "automations"))).toBe(true);
+    // stash/tasks dir should be recreated by ensureHomeDirs
+    expect(existsSync(join(homeDir, "stash", "tasks"))).toBe(true);
   });
 
   // Scenario 15: openpalm.yaml with old version
   it("readStackSpec returns null for version 1 spec", () => {
     writeFileSync(
-      join(configDir, STACK_SPEC_FILENAME),
+      join(stackDir, STACK_SPEC_FILENAME),
       "version: 1\nconnections: []\n"
     );
 
-    const spec = readStackSpec(configDir);
+    const spec = readStackSpec(stackDir);
     expect(spec).toBeNull();
   });
 });
@@ -564,15 +489,15 @@ describe("Environment Edge Cases", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
 
-  // Scenario 16: Commented-out ADMIN_TOKEN but OP_ADMIN_TOKEN set
-  it("isSetupComplete detects OP_ADMIN_TOKEN when ADMIN_TOKEN is commented out", () => {
-    mkdirSync(join(vaultDir, "stack"), { recursive: true });
+  // Scenario 16: isSetupComplete picks up OP_UI_LOGIN_PASSWORD when set
+  it("isSetupComplete detects OP_UI_LOGIN_PASSWORD", () => {
+    mkdirSync(stateDir, { recursive: true });
     writeFileSync(
-      join(vaultDir, "stack", "stack.env"),
-      "SOME_OTHER_KEY=value\nexport OP_ADMIN_TOKEN=real-token-here\n"
+      join(stackDir, "stack.env"),
+      "SOME_OTHER_KEY=value\nexport OP_UI_LOGIN_PASSWORD=real-password-here\n"
     );
 
-    expect(isSetupComplete(vaultDir)).toBe(true);
+    expect(isSetupComplete(stackDir)).toBe(true);
   });
 
   // Scenario 17: export prefix on env vars
@@ -628,21 +553,11 @@ describe("Setup Input Variations", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
 
-  // Scenario 20: Ollama in-stack setup
-  it("Ollama in-stack setup overrides localhost URL to docker-internal", async () => {
+  // Scenario 20: Ollama setup
+  it("Ollama setup writes akm config with ollama provider", async () => {
     const input = makeValidSpec({
-      capabilities: {
-        llm: "ollama/llama3.2",
-        embeddings: {
-          provider: "ollama",
-          model: "nomic-embed-text",
-          dims: 768,
-        },
-        memory: {
-          userId: "test_user",
-          customInstructions: "",
-        },
-      },
+      llm: { provider: "ollama", model: "llama3.2", baseUrl: "http://localhost:11434/v1" },
+      embedding: { provider: "ollama", model: "nomic-embed-text", dims: 768, baseUrl: "http://localhost:11434/v1" },
       connections: [
         {
           id: "ollama-local",
@@ -657,23 +572,22 @@ describe("Setup Input Variations", () => {
     const result = await performSetup(input);
     expect(result.ok).toBe(true);
 
-    // stack.yml should have ollama capabilities
-    const spec = readStackSpec(configDir);
+    const spec = readStackSpec(stackDir);
     expect(spec).not.toBeNull();
-    expect(spec!.capabilities.llm).toBe("ollama/llama3.2");
+    expect(spec!.version).toBe(2);
   });
 
   // Scenario 21: Multiple providers map to correct env vars
-  it("multiple providers each write their API key to the correct env var", () => {
+  it("multiple providers each write their API key into auth.json keyed by providerId", () => {
     const conns: SetupConnection[] = [
       { id: "openai-1", name: "OpenAI", provider: "openai", baseUrl: "", apiKey: "sk-openai" },
       { id: "groq-1", name: "Groq", provider: "groq", baseUrl: "", apiKey: "gsk-groq" },
       { id: "anthropic-1", name: "Anthropic", provider: "anthropic", baseUrl: "", apiKey: "sk-ant-api03" },
     ];
-    const secrets = buildSecretsFromSetup(conns);
-    expect(secrets.OPENAI_API_KEY).toBe("sk-openai");
-    expect(secrets.GROQ_API_KEY).toBe("gsk-groq");
-    expect(secrets.ANTHROPIC_API_KEY).toBe("sk-ant-api03");
+    const keys = buildAuthJsonFromSetup(conns);
+    expect(keys.openai).toBe("sk-openai");
+    expect(keys.groq).toBe("gsk-groq");
+    expect(keys.anthropic).toBe("sk-ant-api03");
   });
 
   // Scenario 21b: OAuth providers (no API key) are silently skipped
@@ -682,19 +596,22 @@ describe("Setup Input Variations", () => {
       { id: "github-copilot", name: "GitHub Copilot", provider: "github-copilot", baseUrl: "", apiKey: "" },
       { id: "openai-1", name: "OpenAI", provider: "openai", baseUrl: "", apiKey: "sk-test" },
     ];
-    const secrets = buildSecretsFromSetup(conns);
-    expect(secrets.OPENAI_API_KEY).toBe("sk-test");
-    expect(Object.keys(secrets)).not.toContain("GITHUB_COPILOT_API_KEY");
+    const keys = buildAuthJsonFromSetup(conns);
+    expect(keys.openai).toBe("sk-test");
+    expect(keys["github-copilot"]).toBeUndefined();
   });
 
-  // Scenario 22: buildSecretsFromSetup only writes API keys and owner info
-  it("buildSecretsFromSetup writes API keys but not config vars", () => {
+  // Scenario 22: buildSecretsFromSetup writes non-credential vars only;
+  // API keys flow into auth.json via buildAuthJsonFromSetup.
+  it("buildSecretsFromSetup does not write API keys; buildAuthJsonFromSetup does", () => {
     const spec = makeValidSpec();
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
+    const keys = buildAuthJsonFromSetup(spec.connections);
 
-    // API key should be written
-    expect(secrets.OPENAI_API_KEY).toBe("sk-test-key-123");
-    // Config vars should NOT be in user.env anymore
+    // API keys go to auth.json, not stack.env
+    expect(secrets.OPENAI_API_KEY).toBeUndefined();
+    expect(keys.openai).toBe("sk-test-key-123");
+    // Config vars (capability resolution) are not in stack.env user-secrets either
     expect(secrets.SYSTEM_LLM_PROVIDER).toBeUndefined();
     expect(secrets.SYSTEM_LLM_MODEL).toBeUndefined();
     expect(secrets.EMBEDDING_MODEL).toBeUndefined();
@@ -721,69 +638,50 @@ describe("performSetup end-to-end artifacts", () => {
   it("writes stack.yml and readStackSpec returns v2", async () => {
     await performSetup(makeValidSpec());
 
-    const spec = readStackSpec(configDir);
+    const spec = readStackSpec(stackDir);
     expect(spec).not.toBeNull();
     expect(spec!.version).toBe(2);
-    expect(spec!.capabilities.llm).toBe("openai/gpt-4o");
-    expect(spec!.capabilities.embeddings.model).toBe("text-embedding-3-small");
   });
 
-  it("writes OP_CAP_EMBEDDINGS_DIMS with correct embedding dims from lookup", async () => {
+  it("writes akm config with embedding dims from setup spec", async () => {
     const input = makeValidSpec({
-      capabilities: {
-        llm: "ollama/llama3.2",
-        embeddings: {
-          provider: "ollama",
-          model: "nomic-embed-text",
-          dims: 0, // Resolved from lookup
-        },
-        memory: {
-          userId: "test_user",
-          customInstructions: "",
-        },
-      },
+      llm: { provider: "ollama", model: "llama3.2", baseUrl: "http://localhost:11434/v1" },
+      embedding: { provider: "ollama", model: "nomic-embed-text", dims: 768, baseUrl: "http://localhost:11434/v1" },
       connections: [
-        {
-          id: "ollama-1",
-          name: "Ollama",
-          provider: "ollama",
-          baseUrl: "http://localhost:11434",
-          apiKey: "",
-        },
+        { id: "ollama-1", name: "Ollama", provider: "ollama", baseUrl: "http://localhost:11434", apiKey: "" },
       ],
     });
 
     await performSetup(input);
 
-    // nomic-embed-text is 768 dims per EMBEDDING_DIMS constant — verify via stack.env
-    const stackEnvContent = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
-    expect(stackEnvContent).toContain("OP_CAP_EMBEDDINGS_DIMS=768");
+    const akmConfigPath = join(homeDir, "config", "akm", "config.json");
+    const config = JSON.parse(readFileSync(akmConfigPath, "utf-8"));
+    expect(config.embedding.dimension).toBe(768);
   });
 
   it("writes core.compose.yml to stack/", async () => {
     await performSetup(makeValidSpec());
 
     expect(
-      existsSync(join(homeDir, "stack", "core.compose.yml"))
+      existsSync(join(homeDir, "config", "stack", "core.compose.yml"))
     ).toBe(true);
   });
 
-  it("writes admin and assistant tokens to stack.env", async () => {
+  it("writes the UI login password to stack.env", async () => {
     await performSetup(makeValidSpec());
 
-    const secrets = parseEnvFile(join(vaultDir, "stack", "stack.env"));
-    expect(secrets.OP_ADMIN_TOKEN).toBe("test-admin-token-12345");
-    expect(typeof secrets.OP_ASSISTANT_TOKEN).toBe("string");
-    expect(secrets.OP_ASSISTANT_TOKEN).not.toBe("test-admin-token-12345");
+    const secrets = parseEnvFile(join(stackDir, "stack.env"));
+    expect(secrets.OP_UI_LOGIN_PASSWORD).toBe("test-admin-token-12345");
   });
 
-  it("writes OP_CAP_* vars from capabilities to stack.env", async () => {
+  it("writes akm config with llm provider and model", async () => {
     await performSetup(makeValidSpec());
 
-    const stackEnv = parseEnvFile(join(vaultDir, "stack", "stack.env"));
-    expect(stackEnv.OP_CAP_LLM_PROVIDER).toBe("openai");
-    expect(stackEnv.OP_CAP_LLM_MODEL).toBe("gpt-4o");
-    expect(stackEnv.OP_CAP_EMBEDDINGS_MODEL).toBe("text-embedding-3-small");
+    const akmConfigPath = join(homeDir, "config", "akm", "config.json");
+    const config = JSON.parse(readFileSync(akmConfigPath, "utf-8"));
+    expect(config.llm.provider).toBe("openai");
+    expect(config.llm.model).toBe("gpt-4o");
+    expect(config.embedding.model).toBe("text-embedding-3-small");
   });
 });