@openpalm/lib 0.11.0-beta.1 → 0.11.0-beta.2

package/src/control-plane/migrate-0110.test.ts

@@ -0,0 +1,177 @@
+/**
+ * Tests for the 0.11.0 auth-migration shim.
+ */
+import { describe, expect, it, beforeEach, afterEach } from "bun:test";
+import {
+  existsSync,
+  mkdirSync,
+  mkdtempSync,
+  readFileSync,
+  rmSync,
+  statSync,
+  writeFileSync,
+  chmodSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { migrateAuth0110 } from "./migrate-0110.js";
+import type { ControlPlaneState } from "./types.js";
+
+function makeState(homeDir: string): ControlPlaneState {
+  return {
+    homeDir,
+    configDir: join(homeDir, "config"),
+    stashDir: join(homeDir, "stash"),
+    workspaceDir: join(homeDir, "workspace"),
+    cacheDir: join(homeDir, "cache"),
+    stateDir: join(homeDir, "state"),
+    stackDir: join(homeDir, "config", "stack"),
+    services: {},
+    artifacts: { compose: "" },
+    artifactMeta: [],
+  };
+}
+
+function seedStackEnv(stackDir: string, content: string): string {
+  mkdirSync(stackDir, { recursive: true });
+  const path = join(stackDir, "stack.env");
+  writeFileSync(path, content, { encoding: "utf-8", mode: 0o600 });
+  chmodSync(path, 0o600);
+  return path;
+}
+
+describe("migrateAuth0110", () => {
+  let homeDir: string;
+
+  beforeEach(() => {
+    homeDir = mkdtempSync(join(tmpdir(), "openpalm-migrate-0110-"));
+  });
+
+  afterEach(() => {
+    rmSync(homeDir, { recursive: true, force: true });
+  });
+
+  it("no-ops on a fresh install (no stack.env)", () => {
+    const state = makeState(homeDir);
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(false);
+    expect(result.reason).toContain("fresh install");
+  });
+
+  it("promotes OP_UI_TOKEN → OP_UI_LOGIN_PASSWORD and removes legacy keys", () => {
+    const state = makeState(homeDir);
+    const stackEnvPath = seedStackEnv(
+      state.stackDir,
+      [
+        "# header",
+        "OP_UI_TOKEN=legacy-token-value",
+        "OP_ASSISTANT_TOKEN=some-assistant-token",
+        "OP_OPENCODE_PASSWORD=opencode-secret",
+        "",
+      ].join("\n"),
+    );
+
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(true);
+    expect(result.reason).toContain("promoted OP_UI_TOKEN");
+    expect(result.reason).toContain("removed OP_UI_TOKEN");
+    expect(result.reason).toContain("removed OP_ASSISTANT_TOKEN");
+
+    const after = readFileSync(stackEnvPath, "utf-8");
+    expect(after).toContain("OP_UI_LOGIN_PASSWORD=legacy-token-value");
+    expect(after).not.toMatch(/^OP_UI_TOKEN=/m);
+    expect(after).not.toMatch(/^OP_ASSISTANT_TOKEN=/m);
+    // Unrelated keys preserved
+    expect(after).toContain("OP_OPENCODE_PASSWORD=opencode-secret");
+
+    // Perms preserved
+    expect(statSync(stackEnvPath).mode & 0o777).toBe(0o600);
+
+    // Migration log appended
+    const logPath = join(state.stateDir, "logs", "migration-0.11.0.log");
+    expect(existsSync(logPath)).toBe(true);
+    const log = readFileSync(logPath, "utf-8");
+    expect(log).toContain("migrate-auth-0110");
+    expect(log).toContain("promoted OP_UI_TOKEN");
+  });
+
+  it("does not overwrite an existing OP_UI_LOGIN_PASSWORD", () => {
+    const state = makeState(homeDir);
+    const stackEnvPath = seedStackEnv(
+      state.stackDir,
+      [
+        "OP_UI_LOGIN_PASSWORD=new-password",
+        "OP_UI_TOKEN=legacy-value",
+        "",
+      ].join("\n"),
+    );
+
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(true);
+    expect(result.reason).not.toContain("promoted");
+    expect(result.reason).toContain("removed OP_UI_TOKEN");
+
+    const after = readFileSync(stackEnvPath, "utf-8");
+    expect(after).toContain("OP_UI_LOGIN_PASSWORD=new-password");
+    expect(after).not.toMatch(/^OP_UI_TOKEN=/m);
+  });
+
+  it("removes OP_ASSISTANT_TOKEN even when only it is present", () => {
+    const state = makeState(homeDir);
+    const stackEnvPath = seedStackEnv(
+      state.stackDir,
+      [
+        "OP_UI_LOGIN_PASSWORD=pw",
+        "OP_ASSISTANT_TOKEN=stale",
+        "",
+      ].join("\n"),
+    );
+
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(true);
+    expect(result.reason).toContain("removed OP_ASSISTANT_TOKEN");
+    expect(readFileSync(stackEnvPath, "utf-8")).not.toMatch(/^OP_ASSISTANT_TOKEN=/m);
+  });
+
+  it("is idempotent: second run reports already-migrated", () => {
+    const state = makeState(homeDir);
+    seedStackEnv(
+      state.stackDir,
+      [
+        "OP_UI_TOKEN=t",
+        "OP_ASSISTANT_TOKEN=t2",
+        "",
+      ].join("\n"),
+    );
+
+    const first = migrateAuth0110(state);
+    expect(first.migrated).toBe(true);
+
+    const second = migrateAuth0110(state);
+    expect(second.migrated).toBe(false);
+    expect(second.reason).toContain("already migrated");
+  });
+
+  it("treats an empty OP_UI_TOKEN value as not-set (no promotion)", () => {
+    const state = makeState(homeDir);
+    const stackEnvPath = seedStackEnv(
+      state.stackDir,
+      [
+        "OP_UI_TOKEN=",
+        "OP_ASSISTANT_TOKEN=foo",
+        "",
+      ].join("\n"),
+    );
+
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(true);
+    // Empty-string OP_UI_TOKEN should NOT be promoted as a password.
+    expect(result.reason).not.toContain("promoted");
+
+    const after = readFileSync(stackEnvPath, "utf-8");
+    // The empty OP_UI_TOKEN line is still removed.
+    expect(after).not.toMatch(/^OP_UI_TOKEN=/m);
+    // No OP_UI_LOGIN_PASSWORD added (would be an empty value).
+    expect(after).not.toMatch(/^OP_UI_LOGIN_PASSWORD=/m);
+  });
+});

package/src/control-plane/migrate-0110.ts

@@ -0,0 +1,99 @@
+/**
+ * One-shot migration for the 0.11.0 auth refactor.
+ *
+ * Existing installs have OP_UI_TOKEN and OP_ASSISTANT_TOKEN in
+ * config/stack/stack.env. The 0.11.0 refactor (auth-and-proxy-refactor-plan.md)
+ * replaces them with a single OP_UI_LOGIN_PASSWORD. If we don't migrate,
+ * operators get locked out the moment they run the new UI build because the
+ * login route compares the cookie against process.env.OP_UI_LOGIN_PASSWORD,
+ * which is empty on existing installs.
+ *
+ * Migration logic (idempotent):
+ *   - If OP_UI_LOGIN_PASSWORD is unset AND OP_UI_TOKEN is set, copy
+ *     OP_UI_TOKEN's value into OP_UI_LOGIN_PASSWORD.
+ *   - Remove OP_UI_TOKEN and OP_ASSISTANT_TOKEN from stack.env (they're
+ *     no longer used).
+ *   - Append a one-line summary to state/logs/migration-0.11.0.log.
+ *   - If OP_UI_LOGIN_PASSWORD is already set, leave it alone — the operator
+ *     already migrated or set up fresh.
+ *
+ * Called from ensureSecrets so it runs before any auth-required code path
+ * gets a chance to see the half-migrated state.
+ */
+import {
+  existsSync,
+  readFileSync,
+  writeFileSync,
+  chmodSync,
+  appendFileSync,
+  mkdirSync,
+} from "node:fs";
+import { dirname } from "node:path";
+import { parseEnvContent, removeEnvKey, upsertEnvValue } from "./env.js";
+import { migration0110LogPath } from "./paths.js";
+import type { ControlPlaneState } from "./types.js";
+
+export type MigrateAuth0110Result = {
+  /** True if any change was written to stack.env. */
+  migrated: boolean;
+  /** Human-readable description of what changed (or why nothing did). */
+  reason: string;
+};
+
+export function migrateAuth0110(state: ControlPlaneState): MigrateAuth0110Result {
+  const stackEnvPath = `${state.stackDir}/stack.env`;
+  if (!existsSync(stackEnvPath)) {
+    return { migrated: false, reason: "no stack.env yet (fresh install)" };
+  }
+
+  const before = readFileSync(stackEnvPath, "utf-8");
+  const parsed = parseEnvContent(before);
+  const hasLoginPw = typeof parsed.OP_UI_LOGIN_PASSWORD === "string" && parsed.OP_UI_LOGIN_PASSWORD.length > 0;
+  const hasUiToken = typeof parsed.OP_UI_TOKEN === "string" && parsed.OP_UI_TOKEN.length > 0;
+  const hasAssistantToken = "OP_ASSISTANT_TOKEN" in parsed;
+  const hasUiTokenLine = "OP_UI_TOKEN" in parsed;
+
+  if (hasLoginPw && !hasUiTokenLine && !hasAssistantToken) {
+    return { migrated: false, reason: "already migrated" };
+  }
+
+  let content = before;
+  const changes: string[] = [];
+
+  if (!hasLoginPw && hasUiToken) {
+    content = upsertEnvValue(content, "OP_UI_LOGIN_PASSWORD", parsed.OP_UI_TOKEN);
+    changes.push("promoted OP_UI_TOKEN → OP_UI_LOGIN_PASSWORD");
+  }
+  if (hasUiTokenLine) {
+    content = removeEnvKey(content, "OP_UI_TOKEN");
+    changes.push("removed OP_UI_TOKEN");
+  }
+  if (hasAssistantToken) {
+    content = removeEnvKey(content, "OP_ASSISTANT_TOKEN");
+    changes.push("removed OP_ASSISTANT_TOKEN");
+  }
+
+  if (changes.length === 0) {
+    return { migrated: false, reason: "no changes needed" };
+  }
+
+  // Preserve the 0600 mode the existing file should already have.
+  writeFileSync(stackEnvPath, content, { encoding: "utf-8", mode: 0o600 });
+  try { chmodSync(stackEnvPath, 0o600); } catch { /* best-effort */ }
+
+  // Best-effort audit line. The migration log is small and append-only;
+  // if it fails (perm error, fs full), we don't roll back the migration.
+  try {
+    const logPath = migration0110LogPath(state);
+    mkdirSync(dirname(logPath), { recursive: true });
+    appendFileSync(
+      logPath,
+      `${new Date().toISOString()} migrate-auth-0110 ${changes.join("; ")}\n`,
+      "utf-8",
+    );
+  } catch {
+    /* best-effort */
+  }
+
+  return { migrated: true, reason: changes.join("; ") };
+}

package/src/control-plane/paths.ts

@@ -52,8 +52,15 @@ export const akmStateDir           = (s: ControlPlaneState): string => `${s.stat
 export const taskLogDir            = (s: ControlPlaneState, id: string): string => `${s.cacheDir}/akm/tasks/logs/${id}`;
 export const taskLogsRootDir       = (s: ControlPlaneState): string => `${s.cacheDir}/akm/tasks/logs`;
 export const logsDir               = (s: ControlPlaneState): string => `${s.stateDir}/logs`;
-export const adminAuditPath        = (s: ControlPlaneState): string => `${s.stateDir}/logs/admin-audit.jsonl`;
+/**
+ * Guardian's own audit log of channel ingress (HMAC verify, replay, rate
+ * limit). Phase 6 of the auth/proxy refactor removed the OpenPalm-side
+ * `admin-audit.jsonl` — OpenCode session logs are the audit trail for
+ * chat + tool activity.
+ */
 export const guardianAuditPath     = (s: ControlPlaneState): string => `${s.stateDir}/logs/guardian-audit.log`;
+/** One-shot 0.11.0 migration log (OP_UI_TOKEN → OPENCODE_SERVER_PASSWORD, endpoints.json move) */
+export const migration0110LogPath  = (s: ControlPlaneState): string => `${s.stateDir}/logs/migration-0.11.0.log`;
 export const backupsDir            = (s: ControlPlaneState): string => `${s.stateDir}/backups`;
 export const registryDir           = (s: ControlPlaneState): string => `${s.stateDir}/registry`;
 export const registryAddonsDir     = (s: ControlPlaneState): string => `${s.stateDir}/registry/addons`;

package/src/control-plane/registry-components.test.ts

@@ -343,8 +343,9 @@ describe("registry component sensitive fields", () => {
 
   for (const id of fullAddonIds) {
     it(`${id}: has at least one @sensitive field (channel secret)`, () => {
-      // ollama is a local inference server — no channel secret or API key needed
-      if (id === "ollama") return;
+      // ollama and voice are local inference servers — no channel secret
+      // or upstream API key needed (LAN-only, no auth by design).
+      if (id === "ollama" || id === "voice") return;
       const schema = readComponentFile(id, ".env.schema");
       const entries = parseEnvSchema(schema);
       const sensitiveEntries = entries.filter((e) =>

package/src/control-plane/secret-backend.test.ts

@@ -27,8 +27,6 @@ function createState(): ControlPlaneState {
   mkdirSync(cacheDir, { recursive: true });
 
   return {
-    adminToken: 'admin-token',
-    assistantToken: '',
     homeDir: rootDir,
     configDir,
     stashDir: join(rootDir, 'stash'),
@@ -39,7 +37,6 @@ function createState(): ControlPlaneState {
     services: {},
     artifacts: { compose: '' },
     artifactMeta: [],
-    audit: [],
   };
 }
 
@@ -188,16 +185,16 @@ describe('plaintext backend (via detectSecretBackend)', () => {
     mkdirSync(dirname(akmPath), { recursive: true });
     writeFileSync(akmPath, 'OPENAI_API_KEY=akm-vault-openai\n');
 
-    // Stack.env already exists from ensureSecrets — seed a system token.
+    // Stack.env already exists from ensureSecrets — seed the system password.
     const stackEnvPath = join(state.stackDir, "stack.env");
     const stackContent = readFileSync(stackEnvPath, 'utf-8')
-      .replace(/^OP_UI_TOKEN=.*$/m, 'OP_UI_TOKEN=stack-admin-token');
+      .replace(/^OP_UI_LOGIN_PASSWORD=.*$/m, 'OP_UI_LOGIN_PASSWORD=stack-login-password');
     writeFileSync(stackEnvPath, stackContent);
 
     // System scope reads stack.env exclusively.
-    expect(await backend.exists('openpalm/admin-token')).toBe(true);
-    const systemEntries = await backend.list('openpalm/admin-token');
-    expect(systemEntries.find((e) => e.key === 'openpalm/admin-token')?.present).toBe(true);
+    expect(await backend.exists('openpalm/ui-login-password')).toBe(true);
+    const systemEntries = await backend.list('openpalm/ui-login-password');
+    expect(systemEntries.find((e) => e.key === 'openpalm/ui-login-password')?.present).toBe(true);
 
     // User scope reads akm vault file.
     const userEntries = await backend.list('openpalm/openai/');

package/src/control-plane/secret-mappings.ts

@@ -29,9 +29,8 @@ type CoreSecretMapping = {
 };
 
 const STATIC_CORE_MAPPINGS: CoreSecretMapping[] = [
-  // Core authentication tokens
-  { secretKey: 'openpalm/admin-token', envKey: 'OP_UI_TOKEN', scope: 'system' },
-  { secretKey: 'openpalm/assistant-token', envKey: 'OP_ASSISTANT_TOKEN', scope: 'system' },
+  // Core authentication
+  { secretKey: 'openpalm/ui-login-password', envKey: 'OP_UI_LOGIN_PASSWORD', scope: 'system' },
   { secretKey: 'openpalm/opencode/server-password', envKey: 'OP_OPENCODE_PASSWORD', scope: 'system' },
   // LLM provider API keys
   { secretKey: 'openpalm/openai/api-key', envKey: 'OPENAI_API_KEY', scope: 'user' },

package/src/control-plane/secrets.ts

@@ -3,6 +3,7 @@ import { mkdirSync, writeFileSync, readFileSync, existsSync, chmodSync, lstatSyn
 import { randomBytes } from "node:crypto";
 import { createLogger } from "../logger.js";
 import { parseEnvFile, mergeEnvContent } from './env.js';
+import { migrateAuth0110 } from './migrate-0110.js';
 import type { ControlPlaneState } from "./types.js";
 import { resolveConfigDir } from "./home.js";
 
@@ -58,11 +59,13 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
   const existing = existsSync(systemEnvPath) ? parseEnvFile(systemEnvPath) : {};
   const updates: Record<string, string> = {};
 
-  if (!existing.OP_UI_TOKEN && state.adminToken) {
-    updates.OP_UI_TOKEN = state.adminToken;
-  }
-  if (!existing.OP_ASSISTANT_TOKEN) {
-    updates.OP_ASSISTANT_TOKEN = randomBytes(32).toString("hex");
+  // OP_UI_LOGIN_PASSWORD seeds the operator login secret. ensureSecrets
+  // generates a random fallback the first time so the stack is never
+  // installed with an empty password slot; the wizard / CLI install path
+  // overwrites it with the operator's chosen value via
+  // buildSystemSecretsFromSetup().
+  if (!existing.OP_UI_LOGIN_PASSWORD) {
+    updates.OP_UI_LOGIN_PASSWORD = randomBytes(32).toString("hex");
   }
 
   if (!existsSync(systemEnvPath)) {
@@ -71,8 +74,7 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
       "# All secrets and configuration live here. Advanced users may edit directly.",
       "",
       "# ── Authentication ──────────────────────────────────────────────────",
-      "OP_UI_TOKEN=",
-      "OP_ASSISTANT_TOKEN=",
+      "OP_UI_LOGIN_PASSWORD=",
       "",
       "# ── Service Auth ─────────────────────────────────────────────────────",
       "OP_OPENCODE_PASSWORD=",
@@ -104,6 +106,10 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
 export function ensureSecrets(state: ControlPlaneState): void {
   enforceVaultDirMode(state.stackDir);
 
+  // Migrate pre-0.11.0 installs (OP_UI_TOKEN/OP_ASSISTANT_TOKEN → OP_UI_LOGIN_PASSWORD)
+  // before any code path that reads OP_UI_LOGIN_PASSWORD sees an empty value.
+  migrateAuth0110(state);
+
   ensureSystemSecrets(state);
   ensureGuardianEnv(state.stackDir);
   ensureAuthJson(state.configDir);

package/src/control-plane/setup-config.schema.json

@@ -30,12 +30,12 @@
     "security": {
       "type": "object",
       "description": "Security settings for the instance.",
-      "required": ["adminToken"],
+      "required": ["uiLoginPassword"],
       "additionalProperties": false,
       "properties": {
-        "adminToken": {
+        "uiLoginPassword": {
           "type": "string",
-          "description": "Admin API authentication token. Used to authenticate CLI and admin UI requests.",
+          "description": "Operator login password for the OpenPalm UI. Persisted to stack.env as OP_UI_LOGIN_PASSWORD; the UI's op_session cookie value is compared against it on every authenticated request.",
           "minLength": 8
         }
       }

package/src/control-plane/setup-status.ts

@@ -2,6 +2,11 @@ import { parseEnvFile } from './env.js';
 
 /**
  * Check if setup is complete by reading config/stack/stack.env.
+ *
+ * Phase 4 of the auth/proxy refactor replaced the legacy `OP_UI_TOKEN`
+ * sentinel with `OP_UI_LOGIN_PASSWORD`. The presence of a non-empty value
+ * implies the operator (or the install wizard) has seeded the login
+ * secret; `OP_SETUP_COMPLETE=true` is still authoritative when present.
  */
 export function isSetupComplete(stackDir: string): boolean {
   const parsed = parseEnvFile(`${stackDir}/stack.env`);
@@ -9,5 +14,5 @@ export function isSetupComplete(stackDir: string): boolean {
     return parsed.OP_SETUP_COMPLETE.toLowerCase() === "true";
   }
 
-  return (parsed.OP_UI_TOKEN ?? "").length > 0;
+  return (parsed.OP_UI_LOGIN_PASSWORD ?? "").length > 0;
 }

package/src/control-plane/setup-validation.ts

@@ -34,8 +34,8 @@ export function validateSetupSpec(input: unknown): { valid: boolean; errors: str
 function validateSecurity(body: Record<string, unknown>, errors: string[]): void {
   const security = requireObj(body.security, "security object is required", errors);
   if (!security) return;
-  if (!requireStr(security, "adminToken", "security.adminToken is required and must be a non-empty string", errors)) return;
-  if ((security.adminToken as string).length < 8) errors.push("security.adminToken must be at least 8 characters");
+  if (!requireStr(security, "uiLoginPassword", "security.uiLoginPassword is required and must be a non-empty string", errors)) return;
+  if ((security.uiLoginPassword as string).length < 8) errors.push("security.uiLoginPassword must be at least 8 characters");
 }
 
 function validateOwner(body: Record<string, unknown>, errors: string[]): void {

package/src/control-plane/setup.test.ts

@@ -19,7 +19,7 @@ function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
     version: 2,
     llm: { provider: "openai", model: "gpt-4o", baseUrl: "https://api.openai.com/v1" },
     embedding: { provider: "openai", model: "text-embedding-3-small", dims: 1536, baseUrl: "https://api.openai.com/v1" },
-    security: { adminToken: "test-admin-token-12345" },
+    security: { uiLoginPassword: "test-admin-token-12345" },
     owner: { name: "Test User", email: "test@example.com" },
     connections: [
       {
@@ -72,17 +72,17 @@ describe("validateSetupSpec", () => {
     expect(result.errors.some((e) => e.includes("security object is required"))).toBe(true);
   });
 
-  it("rejects missing security.adminToken", () => {
+  it("rejects missing security.uiLoginPassword", () => {
     const spec = makeValidSpec();
-    spec.security.adminToken = "";
+    spec.security.uiLoginPassword = "";
     const result = validateSetupSpec(spec);
     expect(result.valid).toBe(false);
-    expect(result.errors.some((e) => e.includes("security.adminToken"))).toBe(true);
+    expect(result.errors.some((e) => e.includes("security.uiLoginPassword"))).toBe(true);
   });
 
-  it("rejects short security.adminToken", () => {
+  it("rejects short security.uiLoginPassword", () => {
     const spec = makeValidSpec();
-    spec.security.adminToken = "short";
+    spec.security.uiLoginPassword = "short";
     const result = validateSetupSpec(spec);
     expect(result.valid).toBe(false);
     expect(result.errors.some((e) => e.includes("at least 8"))).toBe(true);
@@ -199,9 +199,10 @@ describe("validateSetupSpec", () => {
 // ── Tests: buildSecretsFromSetup ─────────────────────────────────────────
 
 describe("buildSecretsFromSetup", () => {
-  it("does not include admin token in user secrets", () => {
+  it("does not include UI login password in user secrets", () => {
     const spec = makeValidSpec();
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
+    expect(secrets.OP_UI_LOGIN_PASSWORD).toBeUndefined();
     expect(secrets.OP_UI_TOKEN).toBeUndefined();
     expect(secrets.ADMIN_TOKEN).toBeUndefined();
   });
@@ -304,11 +305,14 @@ describe("buildAuthJsonFromSetup", () => {
 });
 
 describe("buildSystemSecretsFromSetup", () => {
-  it("includes distinct admin and assistant credentials", () => {
+  // Phase 4: assistant token was removed; the only stack.env secret this
+  // helper writes now is OP_UI_LOGIN_PASSWORD. OP_OPENCODE_PASSWORD is
+  // generated by ensureSystemSecrets() and persists across reruns.
+  it("returns OP_UI_LOGIN_PASSWORD equal to the supplied operator password", () => {
     const secrets = buildSystemSecretsFromSetup("test-admin-token-12345");
-    expect(secrets.OP_UI_TOKEN).toBe("test-admin-token-12345");
-    expect(typeof secrets.OP_ASSISTANT_TOKEN).toBe("string");
-    expect(secrets.OP_ASSISTANT_TOKEN).not.toBe("test-admin-token-12345");
+    expect(secrets.OP_UI_LOGIN_PASSWORD).toBe("test-admin-token-12345");
+    expect(secrets.OP_UI_TOKEN).toBeUndefined();
+    expect(secrets.OP_ASSISTANT_TOKEN).toBeUndefined();
   });
 });
 
@@ -356,7 +360,7 @@ describe("performSetup", () => {
       join(stackDir, "stack.env"),
       [
         "OP_SETUP_COMPLETE=false",
-        "OP_UI_TOKEN=",
+        "OP_UI_LOGIN_PASSWORD=",
         "OPENAI_API_KEY=",
         "OPENAI_BASE_URL=",
         "ANTHROPIC_API_KEY=",
@@ -384,13 +388,13 @@ describe("performSetup", () => {
 
   it("returns an error for invalid input", async () => {
     const result = await performSetup(
-      { security: { adminToken: "short" } } as SetupSpec
+      { security: { uiLoginPassword: "short" } } as SetupSpec
     );
     expect(result.ok).toBe(false);
     expect(result.error).toBeDefined();
   });
 
-  it("writes stack.env with the admin token", async () => {
+  it("writes stack.env with the UI login password", async () => {
     const result = await performSetup(makeValidSpec());
     expect(result.ok).toBe(true);
 

package/src/control-plane/setup.ts

@@ -7,7 +7,6 @@
  */
 import { readFileSync, writeFileSync, existsSync, mkdirSync, renameSync } from "node:fs";
 import { join } from "node:path";
-import { randomBytes } from "node:crypto";
 import { createLogger } from "../logger.js";
 import {
   PROVIDER_KEY_MAP,
@@ -70,7 +69,12 @@ export type SetupSpec = {
   embedding?: { provider: string; model: string; dims: number; baseUrl?: string };
   tts?: { enabled?: boolean; engine?: string; provider?: string; baseURL?: string; model?: string; voice?: string };
   stt?: { enabled?: boolean; engine?: string; provider?: string; baseURL?: string; model?: string; language?: string };
-  security: { adminToken: string };
+  /**
+   * Operator-supplied UI login password. Persisted to stack.env as
+   * `OP_UI_LOGIN_PASSWORD`. Replaces the legacy `adminToken` field
+   * (Phase 4 of docs/technical/auth-and-proxy-refactor-plan.md).
+   */
+  security: { uiLoginPassword: string };
   owner?: { name?: string; email?: string };
   connections: SetupConnection[];
   channelCredentials?: Record<string, Record<string, string>>;
@@ -121,41 +125,26 @@ export function buildAuthJsonFromSetup(
 }
 
 /**
- * Build the system-secret env update.
+ * Build the system-secret env update for the wizard / CLI install path.
  *
- * `OP_ASSISTANT_TOKEN` is critical: rotating it on a running stack would
- * invalidate every container's auth. We therefore distinguish three cases:
- *  - existing system env has a non-empty token → reuse it (idempotent rerun).
- *  - existing system env explicitly contains `OP_ASSISTANT_TOKEN=` (blank)  →
- *    throw rather than silently rotate. This means a user edited stack.env
- *    or a previous run wrote it blank; either way silent rotation breaks the
- *    running stack.
- *  - the key is absent entirely → generate a fresh token (first install).
+ * Phase 4 of the auth/proxy refactor collapsed the legacy
+ * `OP_UI_TOKEN` / `OP_ASSISTANT_TOKEN` pair into a single operator login
+ * secret (`OP_UI_LOGIN_PASSWORD`). The browser stores the cookie value =
+ * password; `requireAdmin()` compares the cookie against
+ * `process.env.OP_UI_LOGIN_PASSWORD` via the existing `safeTokenCompare`.
  *
- * If you legitimately need to rotate the token, delete the OP_ASSISTANT_TOKEN
- * line from stack.env (rather than blanking it) before re-running setup.
+ * `OP_OPENCODE_PASSWORD` is generated by `ensureSystemSecrets()` on first
+ * run and persists across reruns — it is not regenerated here.
+ *
+ * `existingSystemEnv` is unused now but the parameter is kept so callers
+ * compile unchanged. It can be removed in a follow-up cleanup.
  */
 export function buildSystemSecretsFromSetup(
-  adminToken: string,
-  existingSystemEnv: Record<string, string> = {}
+  uiLoginPassword: string,
+  _existingSystemEnv: Record<string, string> = {}
 ): Record<string, string> {
-  const hasKey = Object.prototype.hasOwnProperty.call(existingSystemEnv, "OP_ASSISTANT_TOKEN");
-  const existing = existingSystemEnv.OP_ASSISTANT_TOKEN;
-  let token: string;
-  if (existing) {
-    token = existing;
-  } else if (hasKey) {
-    throw new Error(
-      "OP_ASSISTANT_TOKEN is present but blank in config/stack/stack.env. " +
-      "Refusing to silently rotate the token (it would break the running stack). " +
-      "Restore the previous value or remove the line entirely to generate a fresh one.",
-    );
-  } else {
-    token = randomBytes(32).toString("hex");
-  }
   return {
-    OP_UI_TOKEN: adminToken,
-    OP_ASSISTANT_TOKEN: token,
+    OP_UI_LOGIN_PASSWORD: uiLoginPassword,
   };
 }
 
@@ -205,7 +194,7 @@ export async function performSetup(
   if (!validation.valid) return { ok: false, error: validation.errors.join("; ") };
 
   const { llm, embedding, tts, stt, security, owner, connections, channelCredentials, addons, imageTag, hostAkm } = input;
-  const state = opts?.state ?? createState(security.adminToken);
+  const state = opts?.state ?? createState();
 
   // Acquire install lock to prevent two concurrent setup runs from racing on
   // the same config directory. The lock lives in stateDir so it is co-located
@@ -238,7 +227,7 @@ export async function performSetup(
         }
       }
       updateSecretsEnv(state, updates);
-      updateSystemSecretsEnv(state, buildSystemSecretsFromSetup(security.adminToken, existingSystemEnv));
+      updateSystemSecretsEnv(state, buildSystemSecretsFromSetup(security.uiLoginPassword, existingSystemEnv));
       // Provider API keys land in OpenCode's auth.json (bind-mounted into
       // the assistant container) — never in stack.env.
       writeAuthJsonProviderKeys(state, providerKeys);
@@ -248,9 +237,6 @@ export async function performSetup(
       return { ok: false, error: `Failed to persist setup outputs: ${message}` };
     }
 
-    state.adminToken = security.adminToken;
-    state.assistantToken = readStackEnv(state.stackDir).OP_ASSISTANT_TOKEN ?? state.assistantToken;
-
     // Everything from here through the OP_SETUP_COMPLETE write is wrapped in a
     // single try/catch so that a disk-full or permission-denied mid-way returns a
     // clean error rather than leaving a broken half-installed ~/.openpalm/.