@openpalm/lib 0.10.2 → 0.11.0-beta.2

package/src/control-plane/registry-components.test.ts

@@ -1,10 +1,23 @@
 /**
  * Tests for the registry component directory format.
  *
- * Validates that all components in .openpalm/registry/addons/ follow the
+ * Validates that all components in .openpalm/state/registry/addons/ follow the
  * component conventions: compose.yml with required labels, .env.schema
  * with documented variables, proper service naming, and no security
  * violations.
+ *
+ * Two component shapes are accepted:
+ *
+ *   1. Full addons — compose.yml + .env.schema. They introduce a new
+ *      service, declare env vars, and must satisfy the full structural
+ *      checklist (labels, network, healthcheck, restart policy, sensitive
+ *      fields).
+ *   2. Overlay-only addons — compose.yml only. They patch existing
+ *      services (ports, env, volumes) instead of introducing new ones,
+ *      so they have no env vars to document and no service-shaped
+ *      requirements. They still must satisfy the security invariants:
+ *      no INSTANCE_ID, no container_name, no INSTANCE_DIR, no vault
+ *      directory mounts, no docker socket.
  */
 import { describe, expect, it } from "bun:test";
 import {
@@ -18,7 +31,7 @@ import { join, resolve } from "node:path";
 
 /** Resolve path from repo root */
 const REPO_ROOT = resolve(import.meta.dir, "../../../..");
-const REGISTRY_DIR = join(REPO_ROOT, ".openpalm/registry/addons");
+const REGISTRY_DIR = join(REPO_ROOT, ".openpalm/state/registry/addons");
 
 /** List all component directories in the registry */
 function listComponentDirs(): string[] {
@@ -28,6 +41,19 @@ function listComponentDirs(): string[] {
     .map((d) => d.name);
 }
 
+/** Overlay-only addons ship compose.yml only — no .env.schema. */
+function isOverlayOnly(componentId: string): boolean {
+  return !existsSync(join(REGISTRY_DIR, componentId, ".env.schema"));
+}
+
+function listFullAddonIds(componentIds: string[]): string[] {
+  return componentIds.filter((id) => !isOverlayOnly(id));
+}
+
+function listOverlayOnlyAddonIds(componentIds: string[]): string[] {
+  return componentIds.filter(isOverlayOnly);
+}
+
 /** Read a file from a component directory */
 function readComponentFile(componentId: string, filename: string): string {
   return readFileSync(join(REGISTRY_DIR, componentId, filename), "utf-8");
@@ -118,24 +144,67 @@ describe("registry component discovery", () => {
 
 describe("registry component required files", () => {
   const componentIds = listComponentDirs();
+  const fullAddonIds = listFullAddonIds(componentIds);
 
   for (const id of componentIds) {
     it(`${id}: has compose.yml`, () => {
       expect(existsSync(join(REGISTRY_DIR, id, "compose.yml"))).toBe(true);
     });
+  }
 
-    it(`${id}: has .env.schema`, () => {
+  for (const id of fullAddonIds) {
+    it(`${id}: has .env.schema (full addon)`, () => {
       expect(existsSync(join(REGISTRY_DIR, id, ".env.schema"))).toBe(true);
     });
   }
 });
 
+// ── Overlay-only Addon Tests ─────────────────────────────────────────────
+
+describe("registry overlay-only addons", () => {
+  const componentIds = listComponentDirs();
+  const overlayIds = listOverlayOnlyAddonIds(componentIds);
+
+  it("at least one overlay-only addon (ssh) is recognized as valid", () => {
+    expect(overlayIds).toContain("ssh");
+  });
+
+  for (const id of overlayIds) {
+    describe(id, () => {
+      it("ships only compose.yml (no .env.schema, no entrypoint, no Dockerfile)", () => {
+        const dirEntries = readdirSync(join(REGISTRY_DIR, id));
+        // compose.yml is required; an optional README.md is allowed; nothing
+        // else (no .env.schema, no entrypoint*, no Dockerfile, no scripts).
+        const allowed = new Set(["compose.yml", "README.md"]);
+        for (const file of dirEntries) {
+          expect(allowed.has(file)).toBe(true);
+        }
+      });
+
+      it("compose.yml does not introduce a new service (no image: or build:)", () => {
+        // Overlay-only addons may patch existing services with new ports/env,
+        // but they MUST NOT introduce a new service that needs its own
+        // network/healthcheck/restart contract — those would belong in a
+        // full addon. Reject service definition keys that imply a new
+        // service body. A pure overlay only sets `ports:`, `environment:`,
+        // `volumes:`, etc. on already-defined services.
+        const compose = readComponentFile(id, "compose.yml");
+        expect(compose).not.toMatch(/^\s+image:\s/m);
+        expect(compose).not.toMatch(/^\s+build:\s/m);
+      });
+    });
+  }
+});
+
 // ── Compose Overlay Validation Tests ─────────────────────────────────────
 
 describe("registry compose.yml validation", () => {
   const componentIds = listComponentDirs();
+  const fullAddonIds = listFullAddonIds(componentIds);
 
-  for (const id of componentIds) {
+  // Full-addon-only assertions: anything that requires a service body
+  // (labels, network, healthcheck, restart policy) is checked here.
+  for (const id of fullAddonIds) {
     describe(id, () => {
       const compose = readComponentFile(id, "compose.yml");
 
@@ -147,18 +216,6 @@ describe("registry compose.yml validation", () => {
         expect(compose).toMatch(/openpalm\.description:/);
       });
 
-      it("uses static service name (no INSTANCE_ID)", () => {
-        expect(compose).not.toContain("${INSTANCE_ID}");
-      });
-
-      it("does not use container_name", () => {
-        expect(compose).not.toMatch(/container_name:/);
-      });
-
-      it("does not reference INSTANCE_DIR", () => {
-        expect(compose).not.toContain("${INSTANCE_DIR}");
-      });
-
       it("joins a valid stack network", () => {
         const hasValidNetwork = compose.includes("channel_lan") || compose.includes("channel_public") || compose.includes("assistant_net");
         expect(hasValidNetwork).toBe(true);
@@ -171,9 +228,28 @@ describe("registry compose.yml validation", () => {
       it("has healthcheck", () => {
         expect(compose).toMatch(/healthcheck:/);
       });
+    });
+  }
+
+  // Security/hygiene assertions apply to ALL addons (full and overlay-only).
+  for (const id of componentIds) {
+    describe(`${id} (security)`, () => {
+      const compose = readComponentFile(id, "compose.yml");
+
+      it("uses static service name (no INSTANCE_ID)", () => {
+        expect(compose).not.toContain("${INSTANCE_ID}");
+      });
+
+      it("does not use container_name", () => {
+        expect(compose).not.toMatch(/container_name:/);
+      });
+
+      it("does not reference INSTANCE_DIR", () => {
+        expect(compose).not.toContain("${INSTANCE_DIR}");
+      });
 
       it("does not mount vault directory (single-file mounts allowed)", () => {
-        // Directory-level vault mounts are a security violation — only admin gets full vault access.
+        // Directory-level vault mounts are a security violation — no container may mount the full vault.
         // Single-file mounts like vault/user/ov.conf are allowed (the source must end with a filename).
         const lines = compose.split("\n");
         for (const line of lines) {
@@ -193,8 +269,6 @@ describe("registry compose.yml validation", () => {
       });
 
       it("does not mount docker socket", () => {
-        // admin component is exempt — docker-socket-proxy IS the docker socket accessor by design
-        if (id === "admin") return;
         expect(compose).not.toContain("/var/run/docker.sock");
       });
 
@@ -209,8 +283,9 @@ describe("registry compose.yml validation", () => {
 
 describe("registry .env.schema validation", () => {
   const componentIds = listComponentDirs();
+  const fullAddonIds = listFullAddonIds(componentIds);
 
-  for (const id of componentIds) {
+  for (const id of fullAddonIds) {
     describe(id, () => {
       const schema = readComponentFile(id, ".env.schema");
       const entries = parseEnvSchema(schema);
@@ -264,11 +339,13 @@ describe("registry .env.schema validation", () => {
 
 describe("registry component sensitive fields", () => {
   const componentIds = listComponentDirs();
+  const fullAddonIds = listFullAddonIds(componentIds);
 
-  for (const id of componentIds) {
+  for (const id of fullAddonIds) {
     it(`${id}: has at least one @sensitive field (channel secret)`, () => {
-      // ollama is a local inference server — no channel secret or API key needed
-      if (id === "ollama") return;
+      // ollama and voice are local inference servers — no channel secret
+      // or upstream API key needed (LAN-only, no auth by design).
+      if (id === "ollama" || id === "voice") return;
       const schema = readComponentFile(id, ".env.schema");
       const entries = parseEnvSchema(schema);
       const sensitiveEntries = entries.filter((e) =>
@@ -283,10 +360,11 @@ describe("registry component sensitive fields", () => {
 
 describe("cross-component consistency", () => {
   const componentIds = listComponentDirs();
+  const fullAddonIds = listFullAddonIds(componentIds);
 
-  it("no duplicate openpalm.name labels across components", () => {
+  it("no duplicate openpalm.name labels across full addons", () => {
     const names = new Set<string>();
-    for (const id of componentIds) {
+    for (const id of fullAddonIds) {
       const compose = readComponentFile(id, "compose.yml");
       const nameMatch = compose.match(/openpalm\.name:\s*(.+)/);
       expect(nameMatch).not.toBeNull();
@@ -296,8 +374,8 @@ describe("cross-component consistency", () => {
     }
   });
 
-  it("all components join a valid stack network", () => {
-    for (const id of componentIds) {
+  it("all full addons join a valid stack network", () => {
+    for (const id of fullAddonIds) {
       const compose = readComponentFile(id, "compose.yml");
       const hasValidNetwork = compose.includes("channel_lan") || compose.includes("channel_public") || compose.includes("assistant_net");
       expect(hasValidNetwork).toBe(true);

package/src/control-plane/registry.test.ts

@@ -201,75 +201,76 @@ describe("materialized registry catalog", () => {
 
   it("materializes addons and automations into OP_HOME/registry", () => {
     const sourceRoot = join(tmpDir, 'repo');
-    const addonDir = join(sourceRoot, '.openpalm', 'registry', 'addons', 'chat');
-    const automationsDir = join(sourceRoot, '.openpalm', 'registry', 'automations');
+    const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'chat');
+    const automationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
 
     mkdirSync(addonDir, { recursive: true });
     mkdirSync(automationsDir, { recursive: true });
     writeFileSync(join(addonDir, 'compose.yml'), 'services: {}\n');
     writeFileSync(join(addonDir, '.env.schema'), 'CHANNEL_CHAT_SECRET=\n');
-    writeFileSync(join(automationsDir, 'cleanup.yml'), 'description: Cleanup\nschedule: daily\n');
+    writeFileSync(join(automationsDir, 'cleanup.md'), '---\ndescription: Cleanup\nschedule: "0 3 * * *"\ncommand: ["echo","clean"]\n---\n');
 
     const root = materializeRegistryCatalog(sourceRoot);
 
-    expect(root).toBe(join(process.env.OP_HOME!, 'registry'));
+    expect(root).toBe(join(process.env.OP_HOME!, 'state', 'registry'));
     expect(existsSync(join(root, 'addons', 'chat', 'compose.yml'))).toBe(true);
     expect(existsSync(join(root, 'addons', 'chat', '.env.schema'))).toBe(true);
-    expect(readFileSync(join(root, 'automations', 'cleanup.yml'), 'utf-8')).toContain('Cleanup');
+    expect(readFileSync(join(root, 'automations', 'cleanup.md'), 'utf-8')).toContain('Cleanup');
   });
 
   it("discovers materialized registry entries", () => {
     const sourceRoot = join(tmpDir, 'repo');
-    const addonDir = join(sourceRoot, '.openpalm', 'registry', 'addons', 'chat');
-    const automationsDir = join(sourceRoot, '.openpalm', 'registry', 'automations');
+    const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'chat');
+    const automationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
 
     mkdirSync(addonDir, { recursive: true });
     mkdirSync(automationsDir, { recursive: true });
     writeFileSync(join(addonDir, 'compose.yml'), 'services: {}\n');
     writeFileSync(join(addonDir, '.env.schema'), 'CHANNEL_CHAT_SECRET=\n');
-    writeFileSync(join(automationsDir, 'cleanup.yml'), 'description: Cleanup\nschedule: daily\n');
+    writeFileSync(join(automationsDir, 'cleanup.md'), '---\ndescription: Cleanup\nschedule: "0 3 * * *"\ncommand: ["echo","clean"]\n---\n');
 
     materializeRegistryCatalog(sourceRoot);
 
     const components = discoverRegistryComponents();
-    const automations = discoverRegistryAutomations();
+    const stashDir = join(process.env.OP_HOME!, 'stash');
+    const automations = discoverRegistryAutomations(stashDir);
 
     expect(Object.keys(components)).toEqual(['chat']);
     expect(components.chat?.schema).toContain('CHANNEL_CHAT_SECRET');
     expect(automations.map((entry) => entry.name)).toEqual(['cleanup']);
-    expect(getRegistryAutomation('cleanup')).toContain('schedule: daily');
+    expect(getRegistryAutomation('cleanup')).toContain('schedule: "0 3 * * *"');
   });
 
   it("returns addon config metadata from the materialized registry", () => {
     const sourceRoot = join(tmpDir, 'repo');
-    const addonDir = join(sourceRoot, '.openpalm', 'registry', 'addons', 'chat');
-    const automationsDir = join(sourceRoot, '.openpalm', 'registry', 'automations');
+    const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'chat');
+    const automationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
 
     mkdirSync(addonDir, { recursive: true });
     mkdirSync(automationsDir, { recursive: true });
     writeFileSync(join(addonDir, 'compose.yml'), 'services: {}\n');
     writeFileSync(join(addonDir, '.env.schema'), 'CHANNEL_CHAT_SECRET=\n');
-    writeFileSync(join(automationsDir, 'cleanup.yml'), 'description: Cleanup\nschedule: daily\n');
+    writeFileSync(join(automationsDir, 'cleanup.md'), '---\ndescription: Cleanup\nschedule: "0 3 * * *"\ncommand: ["echo","clean"]\n---\n');
 
     materializeRegistryCatalog(sourceRoot);
 
     expect(getRegistryAddonConfig(process.env.OP_HOME!, 'chat')).toEqual({
-      schemaPath: 'registry/addons/chat/.env.schema',
-      userEnvPath: 'vault/user/user.env',
+      schemaPath: 'state/registry/addons/chat/.env.schema',
+      userEnvPath: 'config/stack/stack.env',
       envSchema: 'CHANNEL_CHAT_SECRET=\n',
     });
   });
 
   it("verifies the materialized registry and returns counts", () => {
     const sourceRoot = join(tmpDir, 'repo');
-    const addonDir = join(sourceRoot, '.openpalm', 'registry', 'addons', 'chat');
-    const automationsDir = join(sourceRoot, '.openpalm', 'registry', 'automations');
+    const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'chat');
+    const automationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
 
     mkdirSync(addonDir, { recursive: true });
     mkdirSync(automationsDir, { recursive: true });
     writeFileSync(join(addonDir, 'compose.yml'), 'services: {}\n');
     writeFileSync(join(addonDir, '.env.schema'), 'CHANNEL_CHAT_SECRET=\n');
-    writeFileSync(join(automationsDir, 'cleanup.yml'), 'description: Cleanup\nschedule: daily\n');
+    writeFileSync(join(automationsDir, 'cleanup.md'), '---\ndescription: Cleanup\nschedule: "0 3 * * *"\ncommand: ["echo","clean"]\n---\n');
 
     const root = materializeRegistryCatalog(sourceRoot);
 
@@ -286,77 +287,77 @@ describe("materialized registry catalog", () => {
 
   it("fails when source catalog is incomplete", () => {
     const sourceRoot = join(tmpDir, 'repo');
-    mkdirSync(join(sourceRoot, '.openpalm', 'registry', 'addons'), { recursive: true });
-    mkdirSync(join(sourceRoot, '.openpalm', 'registry', 'automations'), { recursive: true });
+    mkdirSync(join(sourceRoot, '.openpalm', 'state', 'registry', 'addons'), { recursive: true });
+    mkdirSync(join(sourceRoot, '.openpalm', 'state', 'registry', 'automations'), { recursive: true });
 
     expect(() => materializeRegistryCatalog(sourceRoot)).toThrow('Registry catalog is incomplete');
   });
 
   it("enables and disables addons through the runtime stack directory", () => {
     const sourceRoot = join(tmpDir, 'repo');
-    const addonDir = join(sourceRoot, '.openpalm', 'registry', 'addons', 'chat');
-    const automationsDir = join(sourceRoot, '.openpalm', 'registry', 'automations');
+    const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'chat');
+    const automationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
 
     mkdirSync(addonDir, { recursive: true });
     mkdirSync(automationsDir, { recursive: true });
     writeFileSync(join(addonDir, 'compose.yml'), 'services: {}\n');
     writeFileSync(join(addonDir, '.env.schema'), 'CHANNEL_CHAT_SECRET=\n');
-    writeFileSync(join(automationsDir, 'cleanup.yml'), 'description: Cleanup\nschedule: daily\n');
+    writeFileSync(join(automationsDir, 'cleanup.md'), '---\ndescription: Cleanup\nschedule: "0 3 * * *"\ncommand: ["echo","clean"]\n---\n');
 
     materializeRegistryCatalog(sourceRoot);
 
     expect(enableAddon(process.env.OP_HOME!, 'chat')).toEqual({ ok: true });
-    expect(existsSync(join(process.env.OP_HOME!, 'stack', 'addons', 'chat', 'compose.yml'))).toBe(true);
+    expect(existsSync(join(process.env.OP_HOME!, 'config', 'stack', 'addons', 'chat', 'compose.yml'))).toBe(true);
 
     expect(disableAddonByName(process.env.OP_HOME!, 'chat')).toEqual({ ok: true });
-    expect(existsSync(join(process.env.OP_HOME!, 'stack', 'addons', 'chat'))).toBe(false);
+    expect(existsSync(join(process.env.OP_HOME!, 'config', 'stack', 'addons', 'chat'))).toBe(false);
   });
 
   it("returns addon service names from stack or registry compose files", () => {
     const sourceRoot = join(tmpDir, 'repo');
-    const addonDir = join(sourceRoot, '.openpalm', 'registry', 'addons', 'admin');
-    const automationsDir = join(sourceRoot, '.openpalm', 'registry', 'automations');
+    const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'proxy-test');
+    const automationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
 
     mkdirSync(addonDir, { recursive: true });
     mkdirSync(automationsDir, { recursive: true });
-    writeFileSync(join(addonDir, 'compose.yml'), 'services:\n  docker-socket-proxy:\n    image: proxy\n  admin:\n    image: admin\n');
-    writeFileSync(join(addonDir, '.env.schema'), 'OP_ADMIN_TOKEN=\n');
-    writeFileSync(join(automationsDir, 'cleanup.yml'), 'description: Cleanup\nschedule: daily\n');
+    writeFileSync(join(addonDir, 'compose.yml'), 'services:\n  svc-a:\n    image: image-a\n  svc-b:\n    image: image-b\n');
+    writeFileSync(join(addonDir, '.env.schema'), 'PROXY_TOKEN=\n');
+    writeFileSync(join(automationsDir, 'cleanup.md'), '---\ndescription: Cleanup\nschedule: "0 3 * * *"\ncommand: ["echo","clean"]\n---\n');
 
     materializeRegistryCatalog(sourceRoot);
 
-    expect(getAddonServiceNames(process.env.OP_HOME!, 'admin')).toEqual(['docker-socket-proxy', 'admin']);
+    expect(getAddonServiceNames(process.env.OP_HOME!, 'proxy-test')).toEqual(['svc-a', 'svc-b']);
   });
 
   it("toggles addons and generates channel secrets when enabling channel addons", () => {
     const sourceRoot = join(tmpDir, 'repo');
-    const addonDir = join(sourceRoot, '.openpalm', 'registry', 'addons', 'chat');
-    const automationsDir = join(sourceRoot, '.openpalm', 'registry', 'automations');
+    const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'chat');
+    const automationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
 
     mkdirSync(addonDir, { recursive: true });
     mkdirSync(automationsDir, { recursive: true });
     writeFileSync(join(addonDir, 'compose.yml'), 'services:\n  chat:\n    image: test\n    environment:\n      CHANNEL_NAME: "Chat"\n      CHANNEL_ID: "chat"\n');
     writeFileSync(join(addonDir, '.env.schema'), 'CHANNEL_CHAT_SECRET=\n');
-    writeFileSync(join(automationsDir, 'cleanup.yml'), 'description: Cleanup\nschedule: daily\n');
+    writeFileSync(join(automationsDir, 'cleanup.md'), '---\ndescription: Cleanup\nschedule: "0 3 * * *"\ncommand: ["echo","clean"]\n---\n');
 
     materializeRegistryCatalog(sourceRoot);
 
-    expect(setAddonEnabled(process.env.OP_HOME!, join(process.env.OP_HOME!, 'vault'), 'chat', true)).toEqual({
+    expect(setAddonEnabled(process.env.OP_HOME!, join(process.env.OP_HOME!, 'config', 'stack'), 'chat', true)).toEqual({
       ok: true,
       enabled: true,
       changed: true,
       services: ['chat'],
     });
-    expect(existsSync(join(process.env.OP_HOME!, 'stack', 'addons', 'chat', 'compose.yml'))).toBe(true);
-    expect(readFileSync(join(process.env.OP_HOME!, 'vault', 'stack', 'guardian.env'), 'utf-8')).toMatch(/CHANNEL_CHAT_SECRET=/);
+    expect(existsSync(join(process.env.OP_HOME!, 'config', 'stack', 'addons', 'chat', 'compose.yml'))).toBe(true);
+    expect(readFileSync(join(process.env.OP_HOME!, 'config', 'stack', 'guardian.env'), 'utf-8')).toMatch(/CHANNEL_CHAT_SECRET=/);
 
-    expect(setAddonEnabled(process.env.OP_HOME!, join(process.env.OP_HOME!, 'vault'), 'chat', false)).toEqual({
+    expect(setAddonEnabled(process.env.OP_HOME!, join(process.env.OP_HOME!, 'config', 'stack'), 'chat', false)).toEqual({
       ok: true,
       enabled: false,
       changed: true,
       services: ['chat'],
     });
-    expect(existsSync(join(process.env.OP_HOME!, 'stack', 'addons', 'chat'))).toBe(false);
+    expect(existsSync(join(process.env.OP_HOME!, 'config', 'stack', 'addons', 'chat'))).toBe(false);
   });
 
   it("backs up OP_HOME without recursively copying backups", () => {
@@ -390,10 +391,10 @@ describe("materialized registry catalog", () => {
     expect(existsSync(join(otherHome, 'backups', 'config', 'stack.yml'))).toBe(false);
   });
 
-  it("installs and uninstalls automations through config/automations", () => {
+  it("installs and uninstalls automations through stash/tasks", () => {
     const sourceRoot = join(tmpDir, 'repo');
-    const addonDir = join(sourceRoot, '.openpalm', 'registry', 'addons', 'chat');
-    const automationsDir = join(sourceRoot, '.openpalm', 'registry', 'automations');
+    const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'chat');
+    const automationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
     const configDir = join(process.env.OP_HOME!, 'config');
 
     mkdirSync(addonDir, { recursive: true });
@@ -401,14 +402,15 @@ describe("materialized registry catalog", () => {
     mkdirSync(configDir, { recursive: true });
     writeFileSync(join(addonDir, 'compose.yml'), 'services: {}\n');
     writeFileSync(join(addonDir, '.env.schema'), 'CHANNEL_CHAT_SECRET=\n');
-    writeFileSync(join(automationsDir, 'cleanup.yml'), 'description: Cleanup\nschedule: daily\n');
+    writeFileSync(join(automationsDir, 'cleanup.md'), '---\ndescription: Cleanup\nschedule: "0 3 * * *"\ncommand: ["echo","clean"]\n---\n');
 
     materializeRegistryCatalog(sourceRoot);
 
-    expect(installAutomationFromRegistry('cleanup', configDir)).toEqual({ ok: true });
-    expect(readFileSync(join(configDir, 'automations', 'cleanup.yml'), 'utf-8')).toContain('Cleanup');
+    const stashDir = join(process.env.OP_HOME!, 'stash');
+    expect(installAutomationFromRegistry('cleanup', stashDir)).toEqual({ ok: true });
+    expect(readFileSync(join(stashDir, 'tasks', 'cleanup.md'), 'utf-8')).toContain('Cleanup');
 
-    expect(uninstallAutomation('cleanup', configDir)).toEqual({ ok: true });
-    expect(existsSync(join(configDir, 'automations', 'cleanup.yml'))).toBe(false);
+    expect(uninstallAutomation('cleanup', stashDir)).toEqual({ ok: true });
+    expect(existsSync(join(stashDir, 'tasks', 'cleanup.md'))).toBe(false);
   });
 });