@openpalm/lib 0.11.0-beta.1 → 0.11.0-beta.11

package/src/control-plane/registry.ts

@@ -5,13 +5,14 @@
  * Install seeds it once; refresh replaces it explicitly.
  */
 import { cpSync, existsSync, mkdtempSync, mkdirSync, readdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
-import { execFileSync } from 'node:child_process';
+import { execFile, execFileSync } from 'node:child_process';
 import { join } from 'node:path';
 import { tmpdir } from 'node:os';
 import { parse as parseYaml } from 'yaml';
 import { createLogger } from '../logger.js';
 import { isChannelAddon } from './channels.js';
 import { randomHex, writeChannelSecrets } from './config-persistence.js';
+import { patchSecretsEnvFile, readStackEnv } from './secrets.js';
 import {
   resolveRegistryAddonsDir,
   resolveRegistryAutomationsDir,
@@ -83,7 +84,7 @@ export type RegistryCatalogVerification = {
   automationCount: number;
 };
 
-export type MutationResult = { ok: true } | { ok: false; error: string };
+type MutationResult = { ok: true } | { ok: false; error: string };
 export type AddonMutationResult = (
   | { ok: true; enabled: boolean; changed: boolean; services: string[] }
   | { ok: false; error: string }
@@ -339,7 +340,335 @@ export function getAddonServiceNames(homeDir: string, name: string): string[] {
   return [];
 }
 
-export function enableAddon(homeDir: string, name: string): MutationResult {
+export type AddonProfile = {
+  id: string;
+  services: string[];
+  label?: string;
+  requires?: string;
+  default?: boolean;
+  /**
+   * Whether the host can run this profile.
+   *
+   * Populated by `getAddonProfileAvailability()`. When the value is missing
+   * (e.g. older catalogs), callers should treat the profile as available.
+   */
+  available?: boolean;
+  /** Human-readable reason when `available === false`. */
+  reason?: string;
+};
+
+// ── Host capability probes ─────────────────────────────────────────────
+
+export type AddonProfileAvailability = { available: boolean; reason?: string };
+
+const HOST_PROBE_TIMEOUT_MS = 2_000;
+
+// Process-lifetime cache. Hardware presence does not change while the UI
+// server is running, so probing once is enough.
+const availabilityCache = new Map<string, AddonProfileAvailability>();
+
+/**
+ * Reset the host-capability cache. Test-only — not exported.
+ */
+function _resetAvailabilityCacheForTests(): void {
+  availabilityCache.clear();
+}
+
+// Exported under a deliberately ugly name so test files can reach it.
+export const __addonAvailabilityTestHooks = {
+  reset: _resetAvailabilityCacheForTests,
+  /**
+   * Test-only: exposes the internal exec wrapper so tests can verify
+   * ENOENT (missing binary) is surfaced as actionable stderr that the
+   * docker-error translator can recognise.
+   */
+  execFileNoThrow: (cmd: string, args: string[], timeoutMs: number) =>
+    execFileNoThrow(cmd, args, timeoutMs),
+};
+
+function execFileNoThrow(
+  cmd: string,
+  args: string[],
+  timeoutMs: number,
+): Promise<{ ok: boolean; stdout: string; stderr: string }> {
+  return new Promise((resolve) => {
+    execFile(cmd, args, { timeout: timeoutMs }, (error, stdout, stderr) => {
+      // ENOENT (binary missing) surfaces here with no stderr — child_process
+      // never gets to exec the program. Inject a synthetic stderr that
+      // matches the translateDockerError ENOENT regex so callers get
+      // actionable copy instead of "unknown error (no stderr)".
+      let mergedStderr = stderr?.toString() ?? '';
+      const code = (error as NodeJS.ErrnoException | null)?.code;
+      if (code && !mergedStderr) {
+        if (code === 'ENOENT') {
+          mergedStderr = `spawn ${cmd} ENOENT: command not found`;
+        } else {
+          mergedStderr = `spawn ${cmd} ${code}`;
+        }
+      }
+      resolve({
+        ok: !error,
+        stdout: stdout?.toString() ?? '',
+        stderr: mergedStderr,
+      });
+    });
+  });
+}
+
+/**
+ * Compute the openpalm/voice image ref for a given GPU variant, matching
+ * the substitution chain in the addon compose file:
+ *   ${OP_IMAGE_NAMESPACE:-openpalm}/voice:${OP_VOICE_IMAGE_TAG:-${OP_IMAGE_TAG:-v0.11.0}-<variant>}
+ */
+function voiceImageRef(variant: 'cpu' | 'cu121' | 'rocm6'): string {
+  const namespace = process.env.OP_IMAGE_NAMESPACE?.trim() || 'openpalm';
+  const explicit = process.env.OP_VOICE_IMAGE_TAG?.trim();
+  if (explicit) return `${namespace}/voice:${explicit}`;
+  const baseTag = process.env.OP_IMAGE_TAG?.trim() || 'v0.11.0';
+  return `${namespace}/voice:${baseTag}-${variant}`;
+}
+
+/**
+ * `docker manifest inspect <ref>` returns 0 only when the registry can
+ * resolve a manifest for that ref. We use it as the cheap "is this image
+ * actually published?" check — no pull required. The retry handles
+ * transient registry hiccups. Timeout is short because the manifest blob
+ * is a few KB.
+ */
+async function dockerManifestExists(imageRef: string): Promise<boolean> {
+  for (let attempt = 0; attempt < 2; attempt++) {
+    const res = await execFileNoThrow(
+      'docker',
+      ['manifest', 'inspect', imageRef],
+      5_000,
+    );
+    if (res.ok) return true;
+    // If docker itself is missing (ENOENT), retrying won't help.
+    if (/ENOENT/.test(res.stderr)) return false;
+  }
+  return false;
+}
+
+async function probeCuda(): Promise<AddonProfileAvailability> {
+  // Two acceptance signals:
+  //   1. `docker info` reports an `nvidia` runtime (toolkit installed +
+  //      `nvidia-ctk runtime configure --runtime=docker` was run).
+  //   2. `/etc/cdi/nvidia.yaml` exists (CDI-mode daemon with a generated
+  //      spec). We don't require the runtime in this case — the route's
+  //      CDI fallback can switch the compose to driver:cdi.
+  try {
+    if (existsSync('/etc/cdi/nvidia.yaml')) return { available: true };
+  } catch {
+    // existsSync only throws on path-syntax issues; ignore and probe docker.
+  }
+
+  const result = await execFileNoThrow(
+    'docker',
+    ['info', '--format', '{{json .Runtimes}}'],
+    HOST_PROBE_TIMEOUT_MS,
+  );
+  if (result.ok && result.stdout.includes('"nvidia"')) {
+    return { available: true };
+  }
+  return {
+    available: false,
+    reason: 'NVIDIA runtime not registered. Install nvidia-container-toolkit or enable CDI.',
+  };
+}
+
+async function probeRocm(): Promise<AddonProfileAvailability> {
+  // Hardware gate: ROCm needs both the KFD char device and the GPU DRI nodes.
+  let devicesPresent = false;
+  try {
+    devicesPresent = existsSync('/dev/kfd') && existsSync('/dev/dri');
+  } catch {
+    devicesPresent = false;
+  }
+  if (!devicesPresent) {
+    return {
+      available: false,
+      reason: 'AMD ROCm devices not present on this host.',
+    };
+  }
+
+  // Image gate: the openpalm/voice:*-rocm6 image isn't published yet, so
+  // even on a fully-functional ROCm host the compose-up would fail with a
+  // manifest-unknown pull error. Refuse the profile until the image lands.
+  const imageRef = voiceImageRef('rocm6');
+  const published = await dockerManifestExists(imageRef);
+  if (!published) {
+    return {
+      available: false,
+      reason: 'AMD ROCm image not published yet. Check back in a future release or use the CPU profile.',
+    };
+  }
+  return { available: true };
+}
+
+/**
+ * Probe the host for the capabilities required by an addon profile.
+ *
+ * Results are cached for the lifetime of the process — hardware doesn't
+ * change while the UI server runs. All probes use execFile (no shell)
+ * and never throw: errors collapse to `{ available: false, reason }`.
+ *
+ * Unknown profile ids default to `available: true` so unrelated addons
+ * (e.g. a future "high-mem" profile that doesn't probe hardware) keep
+ * working without code changes here.
+ */
+export async function getAddonProfileAvailability(
+  profile: Pick<AddonProfile, 'id'>,
+): Promise<AddonProfileAvailability> {
+  const cacheKey = profile.id;
+  const cached = availabilityCache.get(cacheKey);
+  if (cached) return cached;
+
+  let result: AddonProfileAvailability;
+  try {
+    if (profile.id === 'cpu') {
+      result = { available: true };
+    } else if (profile.id === 'cuda') {
+      result = await probeCuda();
+    } else if (profile.id === 'rocm') {
+      result = await probeRocm();
+    } else {
+      // Unknown profile id — assume available; caller is responsible for
+      // labelling profiles that need host capability gating.
+      result = { available: true };
+    }
+  } catch (err) {
+    // Belt-and-braces: any unexpected throw collapses to unavailable.
+    const reason = err instanceof Error ? err.message : String(err);
+    result = { available: false, reason: `probe failed: ${reason}` };
+  }
+
+  availabilityCache.set(cacheKey, result);
+  return result;
+}
+
+/**
+ * Decorate a list of profiles with `available`/`reason` based on the host
+ * capability probes. Returns a fresh array; does not mutate inputs.
+ */
+export async function annotateAddonProfileAvailability(
+  profiles: AddonProfile[],
+): Promise<AddonProfile[]> {
+  const results = await Promise.all(
+    profiles.map(async (p) => {
+      const a = await getAddonProfileAvailability(p);
+      const annotated: AddonProfile = { ...p, available: a.available };
+      if (a.reason) annotated.reason = a.reason;
+      return annotated;
+    }),
+  );
+  return results;
+}
+
+function readAddonProfiles(composePath: string): AddonProfile[] {
+  if (!existsSync(composePath)) return [];
+
+  let parsed: unknown;
+  try {
+    parsed = parseYaml(readFileSync(composePath, "utf-8"));
+  } catch (error) {
+    logger.warn("failed to parse addon compose profiles", {
+      composePath,
+      error: error instanceof Error ? error.message : String(error),
+    });
+    return [];
+  }
+
+  const services = parsed && typeof parsed === "object"
+    ? (parsed as { services?: unknown }).services
+    : undefined;
+  if (!services || typeof services !== "object" || Array.isArray(services)) return [];
+
+  const byProfile = new Map<string, AddonProfile>();
+  for (const [svcName, svcRaw] of Object.entries(services as Record<string, unknown>)) {
+    if (!svcRaw || typeof svcRaw !== "object") continue;
+    const svc = svcRaw as { profiles?: unknown; labels?: unknown };
+    if (!Array.isArray(svc.profiles)) continue;
+    const profileIds = svc.profiles.filter((p): p is string => typeof p === "string");
+    if (profileIds.length === 0) continue;
+
+    const labels = readServiceLabels(svc.labels);
+    const label = labels["openpalm.profile.label"];
+    const requires = labels["openpalm.profile.requires"];
+    const isDefault = labels["openpalm.profile.default"] === "true";
+
+    for (const id of profileIds) {
+      const existing = byProfile.get(id);
+      if (existing) {
+        existing.services.push(svcName);
+        if (!existing.label && label) existing.label = label;
+        if (!existing.requires && requires) existing.requires = requires;
+        if (!existing.default && isDefault) existing.default = true;
+      } else {
+        const profile: AddonProfile = { id, services: [svcName] };
+        if (label) profile.label = label;
+        if (requires) profile.requires = requires;
+        if (isDefault) profile.default = true;
+        byProfile.set(id, profile);
+      }
+    }
+  }
+
+  return [...byProfile.values()];
+}
+
+function readServiceLabels(raw: unknown): Record<string, string> {
+  if (!raw) return {};
+  const out: Record<string, string> = {};
+  if (Array.isArray(raw)) {
+    for (const entry of raw) {
+      if (typeof entry !== "string") continue;
+      const eq = entry.indexOf("=");
+      if (eq < 0) continue;
+      out[entry.slice(0, eq)] = entry.slice(eq + 1);
+    }
+  } else if (typeof raw === "object") {
+    for (const [k, v] of Object.entries(raw as Record<string, unknown>)) {
+      if (v == null) continue;
+      out[k] = String(v);
+    }
+  }
+  return out;
+}
+
+export function getAddonProfiles(homeDir: string, name: string): AddonProfile[] {
+  if (!VALID_NAME_RE.test(name)) throw new Error(`Invalid addon name: ${name}`);
+
+  const composeCandidates = [
+    join(homeDir, "config", "stack", "addons", name, "compose.yml"),
+    join(homeDir, "state", "registry", "addons", name, "compose.yml"),
+  ];
+
+  for (const composePath of composeCandidates) {
+    const profiles = readAddonProfiles(composePath);
+    if (profiles.length > 0) return profiles;
+  }
+
+  return [];
+}
+
+function profileEnvKey(name: string): string {
+  if (!VALID_NAME_RE.test(name)) throw new Error(`Invalid addon name: ${name}`);
+  return `OP_${name.replace(/-/g, '_').toUpperCase()}_PROFILE`;
+}
+
+export function getAddonProfileSelection(stackDir: string, name: string): string | null {
+  const env = readStackEnv(stackDir);
+  const value = env[profileEnvKey(name)];
+  return value && value.trim() ? value.trim() : null;
+}
+
+export function setAddonProfileSelection(stackDir: string, name: string, profile: string): void {
+  const trimmed = profile.trim();
+  if (!trimmed) throw new Error('Profile id cannot be empty');
+  patchSecretsEnvFile(stackDir, { [profileEnvKey(name)]: trimmed });
+}
+
+function enableAddon(homeDir: string, name: string): MutationResult {
   try {
     copyAddonFromRegistry(homeDir, name);
     // Pre-create the addon services directory so Docker doesn't create it as root
@@ -350,7 +679,7 @@ export function enableAddon(homeDir: string, name: string): MutationResult {
   }
 }
 
-export function disableAddonByName(homeDir: string, name: string): MutationResult {
+function disableAddonByName(homeDir: string, name: string): MutationResult {
   try {
     removeEnabledAddon(homeDir, name);
     return { ok: true };

package/src/control-plane/secret-mappings.ts

@@ -29,9 +29,8 @@ type CoreSecretMapping = {
 };
 
 const STATIC_CORE_MAPPINGS: CoreSecretMapping[] = [
-  // Core authentication tokens
-  { secretKey: 'openpalm/admin-token', envKey: 'OP_UI_TOKEN', scope: 'system' },
-  { secretKey: 'openpalm/assistant-token', envKey: 'OP_ASSISTANT_TOKEN', scope: 'system' },
+  // Core authentication
+  { secretKey: 'openpalm/ui-login-password', envKey: 'OP_UI_LOGIN_PASSWORD', scope: 'system' },
   { secretKey: 'openpalm/opencode/server-password', envKey: 'OP_OPENCODE_PASSWORD', scope: 'system' },
   // LLM provider API keys
   { secretKey: 'openpalm/openai/api-key', envKey: 'OPENAI_API_KEY', scope: 'user' },

package/src/control-plane/secrets.ts

@@ -3,6 +3,7 @@ import { mkdirSync, writeFileSync, readFileSync, existsSync, chmodSync, lstatSyn
 import { randomBytes } from "node:crypto";
 import { createLogger } from "../logger.js";
 import { parseEnvFile, mergeEnvContent } from './env.js';
+import { migrateAuth0110 } from './migrate-0110.js';
 import type { ControlPlaneState } from "./types.js";
 import { resolveConfigDir } from "./home.js";
 
@@ -13,8 +14,8 @@ const logger = createLogger("secrets");
 /** Keys whose values are shown unmasked in the UI (not secrets). */
 export const PLAIN_CONFIG_KEYS = new Set([
   "OPENAI_BASE_URL",
-  "OWNER_NAME",
-  "OWNER_EMAIL",
+  "OP_OWNER_NAME",
+  "OP_OWNER_EMAIL",
 ]);
 
 
@@ -58,11 +59,13 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
   const existing = existsSync(systemEnvPath) ? parseEnvFile(systemEnvPath) : {};
   const updates: Record<string, string> = {};
 
-  if (!existing.OP_UI_TOKEN && state.adminToken) {
-    updates.OP_UI_TOKEN = state.adminToken;
-  }
-  if (!existing.OP_ASSISTANT_TOKEN) {
-    updates.OP_ASSISTANT_TOKEN = randomBytes(32).toString("hex");
+  // OP_UI_LOGIN_PASSWORD seeds the operator login secret. ensureSecrets
+  // generates a random fallback the first time so the stack is never
+  // installed with an empty password slot; the wizard / CLI install path
+  // overwrites it with the operator's chosen value via
+  // buildSystemSecretsFromSetup().
+  if (!existing.OP_UI_LOGIN_PASSWORD) {
+    updates.OP_UI_LOGIN_PASSWORD = randomBytes(32).toString("hex");
   }
 
   if (!existsSync(systemEnvPath)) {
@@ -71,8 +74,7 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
       "# All secrets and configuration live here. Advanced users may edit directly.",
       "",
       "# ── Authentication ──────────────────────────────────────────────────",
-      "OP_UI_TOKEN=",
-      "OP_ASSISTANT_TOKEN=",
+      "OP_UI_LOGIN_PASSWORD=",
       "",
       "# ── Service Auth ─────────────────────────────────────────────────────",
       "OP_OPENCODE_PASSWORD=",
@@ -89,8 +91,8 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
       "LMSTUDIO_API_KEY=",
       "",
       "# ── Owner ────────────────────────────────────────────────────────────",
-      `OWNER_NAME=${process.env.OWNER_NAME ?? ""}`,
-      `OWNER_EMAIL=${process.env.OWNER_EMAIL ?? ""}`,
+      `OP_OWNER_NAME=${process.env.OP_OWNER_NAME ?? ""}`,
+      `OP_OWNER_EMAIL=${process.env.OP_OWNER_EMAIL ?? ""}`,
       "",
     ].join("\n");
     const content = mergeEnvContent(header, updates);
@@ -104,6 +106,10 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
 export function ensureSecrets(state: ControlPlaneState): void {
   enforceVaultDirMode(state.stackDir);
 
+  // Migrate pre-0.11.0 installs (OP_UI_TOKEN/OP_ASSISTANT_TOKEN → OP_UI_LOGIN_PASSWORD)
+  // before any code path that reads OP_UI_LOGIN_PASSWORD sees an empty value.
+  migrateAuth0110(state);
+
   ensureSystemSecrets(state);
   ensureGuardianEnv(state.stackDir);
   ensureAuthJson(state.configDir);

package/src/control-plane/setup-config.schema.json

@@ -30,12 +30,12 @@
     "security": {
       "type": "object",
       "description": "Security settings for the instance.",
-      "required": ["adminToken"],
+      "required": ["uiLoginPassword"],
       "additionalProperties": false,
       "properties": {
-        "adminToken": {
+        "uiLoginPassword": {
           "type": "string",
-          "description": "Admin API authentication token. Used to authenticate CLI and admin UI requests.",
+          "description": "Operator login password for the OpenPalm UI. Persisted to stack.env as OP_UI_LOGIN_PASSWORD; the UI's op_session cookie value is compared against it on every authenticated request.",
           "minLength": 8
         }
       }

package/src/control-plane/setup-status.ts

@@ -2,6 +2,11 @@ import { parseEnvFile } from './env.js';
 
 /**
  * Check if setup is complete by reading config/stack/stack.env.
+ *
+ * Phase 4 of the auth/proxy refactor replaced the legacy `OP_UI_TOKEN`
+ * sentinel with `OP_UI_LOGIN_PASSWORD`. The presence of a non-empty value
+ * implies the operator (or the install wizard) has seeded the login
+ * secret; `OP_SETUP_COMPLETE=true` is still authoritative when present.
  */
 export function isSetupComplete(stackDir: string): boolean {
   const parsed = parseEnvFile(`${stackDir}/stack.env`);
@@ -9,5 +14,5 @@ export function isSetupComplete(stackDir: string): boolean {
     return parsed.OP_SETUP_COMPLETE.toLowerCase() === "true";
   }
 
-  return (parsed.OP_UI_TOKEN ?? "").length > 0;
+  return (parsed.OP_UI_LOGIN_PASSWORD ?? "").length > 0;
 }

package/src/control-plane/setup-validation.ts

@@ -34,8 +34,8 @@ export function validateSetupSpec(input: unknown): { valid: boolean; errors: str
 function validateSecurity(body: Record<string, unknown>, errors: string[]): void {
   const security = requireObj(body.security, "security object is required", errors);
   if (!security) return;
-  if (!requireStr(security, "adminToken", "security.adminToken is required and must be a non-empty string", errors)) return;
-  if ((security.adminToken as string).length < 8) errors.push("security.adminToken must be at least 8 characters");
+  if (!requireStr(security, "uiLoginPassword", "security.uiLoginPassword is required and must be a non-empty string", errors)) return;
+  if ((security.uiLoginPassword as string).length < 8) errors.push("security.uiLoginPassword must be at least 8 characters");
 }
 
 function validateOwner(body: Record<string, unknown>, errors: string[]): void {

package/src/control-plane/setup.test.ts

@@ -19,7 +19,7 @@ function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
     version: 2,
     llm: { provider: "openai", model: "gpt-4o", baseUrl: "https://api.openai.com/v1" },
     embedding: { provider: "openai", model: "text-embedding-3-small", dims: 1536, baseUrl: "https://api.openai.com/v1" },
-    security: { adminToken: "test-admin-token-12345" },
+    security: { uiLoginPassword: "test-admin-token-12345" },
     owner: { name: "Test User", email: "test@example.com" },
     connections: [
       {
@@ -72,17 +72,17 @@ describe("validateSetupSpec", () => {
     expect(result.errors.some((e) => e.includes("security object is required"))).toBe(true);
   });
 
-  it("rejects missing security.adminToken", () => {
+  it("rejects missing security.uiLoginPassword", () => {
     const spec = makeValidSpec();
-    spec.security.adminToken = "";
+    spec.security.uiLoginPassword = "";
     const result = validateSetupSpec(spec);
     expect(result.valid).toBe(false);
-    expect(result.errors.some((e) => e.includes("security.adminToken"))).toBe(true);
+    expect(result.errors.some((e) => e.includes("security.uiLoginPassword"))).toBe(true);
   });
 
-  it("rejects short security.adminToken", () => {
+  it("rejects short security.uiLoginPassword", () => {
     const spec = makeValidSpec();
-    spec.security.adminToken = "short";
+    spec.security.uiLoginPassword = "short";
     const result = validateSetupSpec(spec);
     expect(result.valid).toBe(false);
     expect(result.errors.some((e) => e.includes("at least 8"))).toBe(true);
@@ -199,9 +199,10 @@ describe("validateSetupSpec", () => {
 // ── Tests: buildSecretsFromSetup ─────────────────────────────────────────
 
 describe("buildSecretsFromSetup", () => {
-  it("does not include admin token in user secrets", () => {
+  it("does not include UI login password in user secrets", () => {
     const spec = makeValidSpec();
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
+    expect(secrets.OP_UI_LOGIN_PASSWORD).toBeUndefined();
     expect(secrets.OP_UI_TOKEN).toBeUndefined();
     expect(secrets.ADMIN_TOKEN).toBeUndefined();
   });
@@ -217,15 +218,15 @@ describe("buildSecretsFromSetup", () => {
   it("sets owner info when provided", () => {
     const spec = makeValidSpec();
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
-    expect(secrets.OWNER_NAME).toBe("Test User");
-    expect(secrets.OWNER_EMAIL).toBe("test@example.com");
+    expect(secrets.OP_OWNER_NAME).toBe("Test User");
+    expect(secrets.OP_OWNER_EMAIL).toBe("test@example.com");
   });
 
   it("omits owner info when empty", () => {
     const spec = makeValidSpec({ owner: { name: "", email: "" } });
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
-    expect(secrets.OWNER_NAME).toBeUndefined();
-    expect(secrets.OWNER_EMAIL).toBeUndefined();
+    expect(secrets.OP_OWNER_NAME).toBeUndefined();
+    expect(secrets.OP_OWNER_EMAIL).toBeUndefined();
   });
 
   it("does NOT include provider API keys in stack.env updates", () => {
@@ -304,11 +305,14 @@ describe("buildAuthJsonFromSetup", () => {
 });
 
 describe("buildSystemSecretsFromSetup", () => {
-  it("includes distinct admin and assistant credentials", () => {
+  // Phase 4: assistant token was removed; the only stack.env secret this
+  // helper writes now is OP_UI_LOGIN_PASSWORD. OP_OPENCODE_PASSWORD is
+  // generated by ensureSystemSecrets() and persists across reruns.
+  it("returns OP_UI_LOGIN_PASSWORD equal to the supplied operator password", () => {
     const secrets = buildSystemSecretsFromSetup("test-admin-token-12345");
-    expect(secrets.OP_UI_TOKEN).toBe("test-admin-token-12345");
-    expect(typeof secrets.OP_ASSISTANT_TOKEN).toBe("string");
-    expect(secrets.OP_ASSISTANT_TOKEN).not.toBe("test-admin-token-12345");
+    expect(secrets.OP_UI_LOGIN_PASSWORD).toBe("test-admin-token-12345");
+    expect(secrets.OP_UI_TOKEN).toBeUndefined();
+    expect(secrets.OP_ASSISTANT_TOKEN).toBeUndefined();
   });
 });
 
@@ -356,15 +360,15 @@ describe("performSetup", () => {
       join(stackDir, "stack.env"),
       [
         "OP_SETUP_COMPLETE=false",
-        "OP_UI_TOKEN=",
+        "OP_UI_LOGIN_PASSWORD=",
         "OPENAI_API_KEY=",
         "OPENAI_BASE_URL=",
         "ANTHROPIC_API_KEY=",
         "GROQ_API_KEY=",
         "MISTRAL_API_KEY=",
         "GOOGLE_API_KEY=",
-        "OWNER_NAME=",
-        "OWNER_EMAIL=",
+        "OP_OWNER_NAME=",
+        "OP_OWNER_EMAIL=",
         "",
       ].join("\n")
     );
@@ -384,13 +388,13 @@ describe("performSetup", () => {
 
   it("returns an error for invalid input", async () => {
     const result = await performSetup(
-      { security: { adminToken: "short" } } as SetupSpec
+      { security: { uiLoginPassword: "short" } } as SetupSpec
     );
     expect(result.ok).toBe(false);
     expect(result.error).toBeDefined();
   });
 
-  it("writes stack.env with the admin token", async () => {
+  it("writes stack.env with the UI login password", async () => {
     const result = await performSetup(makeValidSpec());
     expect(result.ok).toBe(true);
 
@@ -494,4 +498,22 @@ describe("performSetup", () => {
     expect(stackEnvContent).toContain("discord-bot-token-xyz");
     expect(stackEnvContent).toContain("discord-app-id-123");
   });
+
+  it("ensureOpenCodeConfig never writes forbidden keys (providers, smallModel, model) to the user config", async () => {
+    // OpenCode v1.2.24+ rejects these keys with ConfigInvalidError at startup.
+    // This test locks the starter config shape so future changes can't
+    // accidentally introduce keys that would crash the assistant on boot.
+    const { ensureOpenCodeConfig } = await import("./secrets.js");
+    ensureOpenCodeConfig();
+
+    const configPath = join(homeDir, "config", "assistant", "opencode.json");
+    expect(existsSync(configPath)).toBe(true);
+
+    const config = JSON.parse(readFileSync(configPath, "utf-8"));
+    expect(config).not.toHaveProperty("providers");
+    expect(config).not.toHaveProperty("smallModel");
+    expect(config).not.toHaveProperty("model");
+    // $schema is the only required key
+    expect(config.$schema).toBeTruthy();
+  });
 });