@openpalm/lib 0.11.0-beta.1 → 0.11.0-beta.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openpalm/lib",
-  "version": "0.11.0-beta.1",
+  "version": "0.11.0-beta.3",
   "license": "MPL-2.0",
   "type": "module",
   "description": "Shared control-plane library for OpenPalm — lifecycle, staging, secrets, channels, connections, scheduler",

package/src/control-plane/akm-vault.test.ts

@@ -21,19 +21,16 @@ import type { ControlPlaneState } from "./types.js";
 
 function makeState(homeDir: string): ControlPlaneState {
   return {
-    adminToken: "test-admin",
-    assistantToken: "test-assistant",
     homeDir,
     configDir: join(homeDir, "config"),
     stashDir: join(homeDir, "stash"),
     workspaceDir: join(homeDir, "workspace"),
-    servicesDir: join(homeDir, "services"),
+    cacheDir: join(homeDir, "cache"),
     stateDir: join(homeDir, "state"),
     stackDir: join(homeDir, "stack"),
     services: {},
     artifacts: { compose: "" },
     artifactMeta: [],
-    audit: [],
   };
 }
 

package/src/control-plane/compose-args.test.ts

@@ -17,8 +17,6 @@ let tempDir: string;
 function makeState(overrides: Partial<ControlPlaneState> = {}): ControlPlaneState {
   const configDir = join(tempDir, "config");
   return {
-    adminToken: "test",
-    assistantToken: "test",
     homeDir: tempDir,
     configDir,
     stashDir: join(tempDir, "stash"),
@@ -29,7 +27,6 @@ function makeState(overrides: Partial<ControlPlaneState> = {}): ControlPlaneStat
     services: {},
     artifacts: { compose: "" },
     artifactMeta: [],
-    audit: [],
     ...overrides,
   };
 }

package/src/control-plane/compose-errors.test.ts

@@ -0,0 +1,106 @@
+import { describe, expect, it } from "bun:test";
+import {
+  parseComposeStderr,
+  summarizeComposeStderr,
+} from "./compose-errors.js";
+
+describe("parseComposeStderr", () => {
+  it("returns empty for empty input", () => {
+    expect(parseComposeStderr("")).toEqual([]);
+    expect(parseComposeStderr("\n\n")).toEqual([]);
+  });
+
+  it("extracts pull access denied for a single service", () => {
+    const stderr = [
+      " Network openpalm_default  Created",
+      " voice Pulling",
+      " voice Error pull access denied for openpalm/voice, repository does not exist or may require 'docker login'",
+      "Error response from daemon: pull access denied for openpalm/voice, repository does not exist or may require 'docker login': denied: requested access to the resource is denied",
+    ].join("\n");
+
+    const failures = parseComposeStderr(stderr);
+    expect(failures.length).toBeGreaterThanOrEqual(1);
+    expect(failures[0].service).toBe("voice");
+    expect(failures[0].reason).toMatch(/pull access denied/);
+  });
+
+  it("handles spinner / status prefix glyphs", () => {
+    const stderr = " ⠿ voice Error    pull access denied for openpalm/voice";
+    const failures = parseComposeStderr(stderr);
+    expect(failures).toHaveLength(1);
+    expect(failures[0].service).toBe("voice");
+    expect(failures[0].reason).toMatch(/pull access denied/);
+  });
+
+  it("captures quoted Service failed lines", () => {
+    const stderr =
+      'Service "discord" failed to build: failed to solve: process did not complete';
+    const failures = parseComposeStderr(stderr);
+    expect(failures).toHaveLength(1);
+    expect(failures[0].service).toBe("discord");
+    expect(failures[0].reason).toMatch(/failed to solve/);
+  });
+
+  it("deduplicates identical (service, reason) pairs", () => {
+    const stderr = [
+      "voice Error pull access denied for openpalm/voice",
+      "voice Error pull access denied for openpalm/voice",
+    ].join("\n");
+    const failures = parseComposeStderr(stderr);
+    expect(failures).toHaveLength(1);
+  });
+
+  it("returns multiple distinct failures", () => {
+    const stderr = [
+      "voice Error pull access denied for openpalm/voice",
+      "discord Error no such image: openpalm/discord:latest",
+    ].join("\n");
+    const failures = parseComposeStderr(stderr);
+    expect(failures).toHaveLength(2);
+    expect(failures.map((f) => f.service).sort()).toEqual(["discord", "voice"]);
+  });
+
+  it("falls back to image name when only daemon error is present", () => {
+    const stderr =
+      "Error response from daemon: pull access denied for openpalm/voice, repository does not exist";
+    const failures = parseComposeStderr(stderr);
+    expect(failures).toHaveLength(1);
+    expect(failures[0].service).toBe("openpalm/voice");
+    expect(failures[0].reason).toMatch(/pull access denied/);
+  });
+
+  it("ignores non-error noise (Pulling/Created/Started)", () => {
+    const stderr = [
+      " Network openpalm_default  Created",
+      " Container openpalm-guardian-1  Started",
+      " assistant Pulling",
+    ].join("\n");
+    expect(parseComposeStderr(stderr)).toEqual([]);
+  });
+
+  it("does not treat 'Error response from daemon' as a service name", () => {
+    const stderr = "Error response from daemon: something bad happened";
+    // No service-prefixed line, no pull access denied, no quoted service —
+    // parser should NOT invent a service called "Error".
+    expect(parseComposeStderr(stderr)).toEqual([]);
+  });
+});
+
+describe("summarizeComposeStderr", () => {
+  it("returns first non-empty line", () => {
+    expect(summarizeComposeStderr("\n\n  hello world  \nnext line")).toBe(
+      "hello world"
+    );
+  });
+
+  it("truncates long lines", () => {
+    const long = "x".repeat(800);
+    const out = summarizeComposeStderr(long, 100);
+    expect(out.length).toBe(100);
+    expect(out.endsWith("…")).toBe(true);
+  });
+
+  it("returns empty string for empty input", () => {
+    expect(summarizeComposeStderr("")).toBe("");
+  });
+});

package/src/control-plane/compose-errors.ts

@@ -0,0 +1,117 @@
+/**
+ * Parse `docker compose` stderr for per-service failures.
+ *
+ * `docker compose up -d` reports its progress on stderr — one or more
+ * status lines per service, plus a daemon-level "Error response from daemon"
+ * summary. When a single addon service fails to pull or start, the rest of
+ * the stack often comes up fine, so the only signal that anything is wrong
+ * is whatever appears on stderr. This helper extracts the per-service
+ * failure messages so callers can surface them to operators.
+ */
+export type ComposeServiceFailure = {
+  service: string;
+  reason: string;
+};
+
+/**
+ * Lines we recognise as per-service failure indicators. The compose CLI
+ * has rendered these in a few different shapes across versions:
+ *
+ *   "voice Error pull access denied for openpalm/voice ..."
+ *   " ⠿ voice Error    pull access denied for openpalm/voice ..."
+ *   "Service \"voice\" failed to build: ..."
+ *
+ * We also pick up the bare daemon error and attribute it to the service
+ * named in nearby lines when no service-prefixed line is present.
+ */
+const SERVICE_ERROR_RE = /^[\s⠦⠧⠇⠏⠋⠙⠹⠸⠼⠴⠿✔✘×]*\s*([A-Za-z0-9._-]+)\s+(Error|Failed|failed)\s+(.+)$/;
+const SERVICE_FAILED_QUOTED_RE = /Service\s+["']([A-Za-z0-9._-]+)["']\s+failed[^:]*:\s*(.+)$/i;
+const SERVICE_NOT_FOUND_RE = /no such service:\s*([A-Za-z0-9._-]+)/i;
+const PULL_ACCESS_DENIED_RE = /pull access denied for\s+([^\s,]+)/i;
+
+function pushUnique(
+  failures: ComposeServiceFailure[],
+  entry: ComposeServiceFailure
+): void {
+  const trimmed = { service: entry.service.trim(), reason: entry.reason.trim() };
+  if (!trimmed.service || !trimmed.reason) return;
+  const dup = failures.find(
+    (f) => f.service === trimmed.service && f.reason === trimmed.reason
+  );
+  if (!dup) failures.push(trimmed);
+}
+
+/**
+ * Best-effort extraction of failures from compose stderr.
+ *
+ * - Returns one entry per (service, reason) pair, in stderr order.
+ * - Does NOT fabricate service names: if a daemon error appears without
+ *   any nearby service-prefixed line, the caller's intended-services list
+ *   is used by the route, not this parser.
+ */
+export function parseComposeStderr(stderr: string): ComposeServiceFailure[] {
+  const failures: ComposeServiceFailure[] = [];
+  if (!stderr) return failures;
+
+  const lines = stderr.split(/\r?\n/);
+
+  for (const raw of lines) {
+    const line = raw.replace(/\s+$/, "");
+    if (!line.trim()) continue;
+
+    const quoted = SERVICE_FAILED_QUOTED_RE.exec(line);
+    if (quoted) {
+      pushUnique(failures, { service: quoted[1], reason: quoted[2] });
+      continue;
+    }
+
+    const m = SERVICE_ERROR_RE.exec(line);
+    if (m) {
+      // Skip generic prefixes that look like services but aren't
+      // (e.g. "Error response from daemon ..." would match if the parser
+      // is too lenient — the verb word would be the second token).
+      const candidate = m[1];
+      if (candidate.toLowerCase() === "error") continue;
+      pushUnique(failures, { service: candidate, reason: m[3] });
+      continue;
+    }
+
+    const notFound = SERVICE_NOT_FOUND_RE.exec(line);
+    if (notFound) {
+      pushUnique(failures, {
+        service: notFound[1],
+        reason: `no such service: ${notFound[1]}`,
+      });
+      continue;
+    }
+  }
+
+  // If we still found nothing but the stderr clearly mentions a pull
+  // access denied, surface the offending image as the "service" identifier
+  // — better than swallowing the failure entirely.
+  if (failures.length === 0) {
+    const denied = PULL_ACCESS_DENIED_RE.exec(stderr);
+    if (denied) {
+      pushUnique(failures, {
+        service: denied[1],
+        reason: `pull access denied for ${denied[1]}`,
+      });
+    }
+  }
+
+  return failures;
+}
+
+/**
+ * Summarise compose stderr in a single short line, suitable for log
+ * envelopes / API error messages when no per-service parse succeeded.
+ * Returns the first non-empty stderr line, capped.
+ */
+export function summarizeComposeStderr(stderr: string, maxLen = 500): string {
+  if (!stderr) return "";
+  const first = stderr
+    .split(/\r?\n/)
+    .map((l) => l.trim())
+    .find((l) => l.length > 0) ?? "";
+  return first.length > maxLen ? first.slice(0, maxLen - 1) + "…" : first;
+}

package/src/control-plane/config-persistence.ts

@@ -85,8 +85,7 @@ function generateFallbackSystemEnv(state: ControlPlaneState): string {
     "# Auto-generated fallback.",
     "",
     "# ── Authentication ──────────────────────────────────────────────────",
-    `OP_UI_TOKEN=\${OP_UI_TOKEN}`,
-    `OP_ASSISTANT_TOKEN=\${OP_ASSISTANT_TOKEN}`,
+    `OP_UI_LOGIN_PASSWORD=\${OP_UI_LOGIN_PASSWORD}`,
     "",
     "# ── Service Auth ─────────────────────────────────────────────────────",
     "OP_OPENCODE_PASSWORD=",

package/src/control-plane/host-opencode.test.ts

@@ -14,8 +14,6 @@ import type { ControlPlaneState } from "./types.js";
 
 function makeState(homeDir: string): ControlPlaneState {
   return {
-    adminToken: "test-admin",
-    assistantToken: "test-assistant",
     homeDir,
     configDir: join(homeDir, "config"),
     stashDir: join(homeDir, "stash"),
@@ -26,7 +24,6 @@ function makeState(homeDir: string): ControlPlaneState {
     services: {},
     artifacts: { compose: "" },
     artifactMeta: [],
-    audit: [],
   };
 }
 

package/src/control-plane/install-edge-cases.test.ts

@@ -36,7 +36,7 @@ function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
     version: 2,
     llm: { provider: "openai", model: "gpt-4o", baseUrl: "https://api.openai.com/v1" },
     embedding: { provider: "openai", model: "text-embedding-3-small", dims: 1536, baseUrl: "https://api.openai.com/v1" },
-    security: { adminToken: "test-admin-token-12345" },
+    security: { uiLoginPassword: "test-admin-token-12345" },
     owner: { name: "Test User", email: "test@example.com" },
     connections: [
       {
@@ -135,8 +135,7 @@ function seedMinimalEnvFiles(): void {
     join(stackDir, "stack.env"),
     [
       "# OpenPalm — Stack Configuration",
-      "OP_UI_TOKEN=",
-      "OP_ASSISTANT_TOKEN=",
+      "OP_UI_LOGIN_PASSWORD=",
       "OPENAI_API_KEY=",
       "OPENAI_BASE_URL=",
       "ANTHROPIC_API_KEY=",
@@ -171,8 +170,6 @@ describe("Fresh Install", () => {
   // does create stack.env with required keys when files do not exist.
   it("ensureSecrets creates state/stack.env with required keys on fresh install", () => {
     const state: ControlPlaneState = {
-      adminToken: "",
-      assistantToken: "",
       homeDir,
       configDir,
       stashDir: join(homeDir, "stash"),
@@ -183,7 +180,6 @@ describe("Fresh Install", () => {
       services: {},
       artifacts: { compose: "" },
       artifactMeta: [],
-      audit: [],
     };
 
     ensureSecrets(state);
@@ -253,11 +249,9 @@ describe("Existing Install", () => {
   // Scenario 5: ensureSecrets does NOT overwrite existing stack.env
   it("ensureSecrets does not overwrite existing stack.env tokens", () => {
     mkdirSync(stateDir, { recursive: true });
-    writeFileSync(join(stackDir, "stack.env"), "OP_UI_TOKEN=my-custom-token\nOP_ASSISTANT_TOKEN=existing-token\n");
+    writeFileSync(join(stackDir, "stack.env"), "OP_UI_LOGIN_PASSWORD=my-custom-password\n");
 
     const state: ControlPlaneState = {
-      adminToken: "",
-      assistantToken: "",
       homeDir,
       configDir,
       stashDir: join(homeDir, "stash"),
@@ -268,57 +262,29 @@ describe("Existing Install", () => {
       services: {},
       artifacts: { compose: "" },
       artifactMeta: [],
-      audit: [],
     };
 
     ensureSecrets(state);
 
-    // Existing tokens must be preserved
+    // Existing password must be preserved
     const afterContent = readFileSync(join(stackDir, "stack.env"), "utf-8");
-    expect(afterContent).toContain("OP_UI_TOKEN=my-custom-token");
-    expect(afterContent).toContain("OP_ASSISTANT_TOKEN=existing-token");
+    expect(afterContent).toContain("OP_UI_LOGIN_PASSWORD=my-custom-password");
   });
 
-  // Scenario 6: performSetup re-run preserves OP_ASSISTANT_TOKEN
-  it("performSetup re-run preserves OP_ASSISTANT_TOKEN from first run", async () => {
-    // First setup
-    await performSetup(makeValidSpec());
+  // Scenario 6: performSetup re-run rewrites OP_UI_LOGIN_PASSWORD when the
+  // operator supplies a new one in the spec. This is intentional — the
+  // wizard "rerun" path is how an operator rotates the password. The
+  // legacy OP_ASSISTANT_TOKEN preservation test was removed with the token.
+  it("performSetup re-run rewrites OP_UI_LOGIN_PASSWORD when spec changes", async () => {
+    await performSetup(makeValidSpec({ security: { uiLoginPassword: "first-password-12345" } }));
 
-    const secretsAfterFirst = readFileSync(
-      join(stackDir, "stack.env"),
-      "utf-8"
-    );
-    const firstMatch = secretsAfterFirst.match(
-      /OP_ASSISTANT_TOKEN=([a-f0-9]+)/
-    );
-    expect(firstMatch).not.toBeNull();
-    const firstToken = firstMatch![1];
+    const afterFirst = readFileSync(join(stackDir, "stack.env"), "utf-8");
+    expect(afterFirst).toContain("OP_UI_LOGIN_PASSWORD=first-password-12345");
 
-    // Second setup (re-run with different API key)
-    await performSetup(
-      makeValidSpec({
-        connections: [
-          {
-            id: "openai-main",
-            name: "OpenAI",
-            provider: "openai",
-            baseUrl: "https://api.openai.com",
-            apiKey: "sk-different-key-999",
-          },
-        ],
-      })
-    );
+    await performSetup(makeValidSpec({ security: { uiLoginPassword: "second-password-12345" } }));
 
-    const secretsAfterSecond = readFileSync(
-      join(stackDir, "stack.env"),
-      "utf-8"
-    );
-    const secondMatch = secretsAfterSecond.match(
-      /OP_ASSISTANT_TOKEN=([a-f0-9]+)/
-    );
-    expect(secondMatch).not.toBeNull();
-    // OP_ASSISTANT_TOKEN should be preserved across setups
-    expect(secondMatch![1]).toBe(firstToken);
+    const afterSecond = readFileSync(join(stackDir, "stack.env"), "utf-8");
+    expect(afterSecond).toContain("OP_UI_LOGIN_PASSWORD=second-password-12345");
   });
 
   // Scenario 7: performSetup must NOT mark OP_SETUP_COMPLETE — see scenario
@@ -386,11 +352,9 @@ describe("Broken/Corrupt State", () => {
   // Scenario 9: ensureSecrets is idempotent on repeated calls
   it("ensureSecrets is idempotent — second call does not overwrite existing stack.env", () => {
     mkdirSync(stateDir, { recursive: true });
-    writeFileSync(join(stackDir, "stack.env"), "OP_UI_TOKEN=existing-token\nOP_ASSISTANT_TOKEN=existing-assistant\n");
+    writeFileSync(join(stackDir, "stack.env"), "OP_UI_LOGIN_PASSWORD=existing-password\n");
 
     const state: ControlPlaneState = {
-      adminToken: "",
-      assistantToken: "",
       homeDir,
       configDir,
       stashDir: join(homeDir, "stash"),
@@ -401,15 +365,13 @@ describe("Broken/Corrupt State", () => {
       services: {},
       artifacts: { compose: "" },
       artifactMeta: [],
-      audit: [],
     };
 
     ensureSecrets(state);
 
-    // Existing tokens must be preserved
+    // Existing password must be preserved
     const content = readFileSync(join(stackDir, "stack.env"), "utf-8");
-    expect(content).toContain("OP_UI_TOKEN=existing-token");
-    expect(content).toContain("OP_ASSISTANT_TOKEN=existing-assistant");
+    expect(content).toContain("OP_UI_LOGIN_PASSWORD=existing-password");
   });
 
   // Scenario 10: env file with malformed lines
@@ -447,11 +409,11 @@ describe("Broken/Corrupt State", () => {
     expect(isSetupComplete(stackDir)).toBe(false);
   });
 
-  it("isSetupComplete falls back to true when admin token is set but OP_SETUP_COMPLETE missing", () => {
+  it("isSetupComplete falls back to true when UI login password is set but OP_SETUP_COMPLETE missing", () => {
     mkdirSync(stateDir, { recursive: true });
     writeFileSync(
       join(stackDir, "stack.env"),
-      "OP_IMAGE_TAG=latest\nexport OP_UI_TOKEN=my-real-token\n"
+      "OP_IMAGE_TAG=latest\nexport OP_UI_LOGIN_PASSWORD=my-real-password\n"
     );
 
     expect(isSetupComplete(stackDir)).toBe(true);
@@ -527,12 +489,12 @@ describe("Environment Edge Cases", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
 
-  // Scenario 16: Commented-out ADMIN_TOKEN but OP_UI_TOKEN set
-  it("isSetupComplete detects OP_UI_TOKEN when ADMIN_TOKEN is commented out", () => {
+  // Scenario 16: isSetupComplete picks up OP_UI_LOGIN_PASSWORD when set
+  it("isSetupComplete detects OP_UI_LOGIN_PASSWORD", () => {
     mkdirSync(stateDir, { recursive: true });
     writeFileSync(
       join(stackDir, "stack.env"),
-      "SOME_OTHER_KEY=value\nexport OP_UI_TOKEN=real-token-here\n"
+      "SOME_OTHER_KEY=value\nexport OP_UI_LOGIN_PASSWORD=real-password-here\n"
     );
 
     expect(isSetupComplete(stackDir)).toBe(true);
@@ -705,13 +667,11 @@ describe("performSetup end-to-end artifacts", () => {
     ).toBe(true);
   });
 
-  it("writes admin and assistant tokens to stack.env", async () => {
+  it("writes the UI login password to stack.env", async () => {
     await performSetup(makeValidSpec());
 
     const secrets = parseEnvFile(join(stackDir, "stack.env"));
-    expect(secrets.OP_UI_TOKEN).toBe("test-admin-token-12345");
-    expect(typeof secrets.OP_ASSISTANT_TOKEN).toBe("string");
-    expect(secrets.OP_ASSISTANT_TOKEN).not.toBe("test-admin-token-12345");
+    expect(secrets.OP_UI_LOGIN_PASSWORD).toBe("test-admin-token-12345");
   });
 
   it("writes akm config with llm provider and model", async () => {

package/src/control-plane/lifecycle.ts

@@ -1,7 +1,7 @@
 /** Lifecycle helpers — state factory, apply transitions, compose file list. */
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
 import { parseEnvFile, mergeEnvContent } from "./env.js";
-import type { ControlPlaneState, CallerType, AuditContext } from "./types.js";
+import type { ControlPlaneState, CallerType } from "./types.js";
 import { CORE_SERVICES } from "./types.js";
 import {
   resolveOpenPalmHome,
@@ -12,7 +12,7 @@ import {
   resolveStateDir,
   resolveStackDir,
 } from "./home.js";
-import { ensureSecrets, readStackEnv, updateSystemSecretsEnv } from "./secrets.js";
+import { ensureSecrets } from "./secrets.js";
 import {
   resolveRuntimeFiles,
   writeRuntimeFiles,
@@ -26,16 +26,13 @@ import { isSetupComplete } from "./setup-status.js";
 import { snapshotCurrentState } from "./rollback.js";
 import { checkDocker, composePreflight, composePull, composeUp, composeConfigServices, resolveComposeProjectName } from "./docker.js";
 import { acquireLock, releaseLock } from "./lock.js";
-import { appendAudit } from "./audit.js";
 import { listEnabledAddonIds } from "./registry.js";
 
 const IMAGE_NAMESPACE_RE = /^[a-z0-9]+(?:[._-][a-z0-9]+)*$/;
 const SEMVER_TAG_RE = /^v\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;
 
 
-export function createState(
-  adminToken?: string
-): ControlPlaneState {
+export function createState(): ControlPlaneState {
   const homeDir = resolveOpenPalmHome();
   const configDir = resolveConfigDir();
   const stashDir = resolveStashDir();
@@ -50,8 +47,6 @@ export function createState(
   }
 
   const bootstrapState: ControlPlaneState = {
-    adminToken: adminToken ?? process.env.OP_UI_TOKEN ?? "",
-    assistantToken: "",
     homeDir,
     configDir,
     stashDir,
@@ -62,23 +57,10 @@ export function createState(
     services,
     artifacts: { compose: "" },
     artifactMeta: [],
-    audit: [],
   };
 
   ensureSecrets(bootstrapState);
 
-  const stackEnv = readStackEnv(stackDir);
-  // Precedence: explicit parameter > stack.env > process.env.
-  bootstrapState.adminToken =
-    adminToken
-      ?? stackEnv.OP_UI_TOKEN
-      ?? process.env.OP_UI_TOKEN
-      ?? "";
-  bootstrapState.assistantToken =
-    stackEnv.OP_ASSISTANT_TOKEN
-      ?? process.env.OP_ASSISTANT_TOKEN
-      ?? "";
-
   return bootstrapState;
 }
 
@@ -142,7 +124,7 @@ async function reconcileCore(
   return active;
 }
 
-export async function applyInstall(state: ControlPlaneState, ctx?: AuditContext): Promise<void> {
+export async function applyInstall(state: ControlPlaneState): Promise<void> {
   const lock = acquireLock(state.homeDir, "install");
   try {
     await reconcileCore(state, { activateServices: true });
@@ -150,38 +132,24 @@ export async function applyInstall(state: ControlPlaneState, ctx?: AuditContext)
     // Docker doesn't create them root-owned (which causes EACCES inside
     // non-root containers).
     ensureComposeVolumeTargets(state);
-    if (ctx) appendAudit(state, ctx.actor, "install", {}, true, ctx.requestId ?? "", ctx.callerType ?? "unknown");
-  } catch (err) {
-    if (ctx) appendAudit(state, ctx.actor, "install", { error: String(err) }, false, ctx.requestId ?? "", ctx.callerType ?? "unknown");
-    throw err;
   } finally {
     releaseLock(lock);
   }
 }
 
-export async function applyUpdate(state: ControlPlaneState, ctx?: AuditContext): Promise<{ restarted: string[] }> {
+export async function applyUpdate(state: ControlPlaneState): Promise<{ restarted: string[] }> {
   const lock = acquireLock(state.homeDir, "update");
   try {
-    const result = { restarted: await reconcileCore(state, {}) };
-    if (ctx) appendAudit(state, ctx.actor, "update", { restarted: result.restarted }, true, ctx.requestId ?? "", ctx.callerType ?? "unknown");
-    return result;
-  } catch (err) {
-    if (ctx) appendAudit(state, ctx.actor, "update", { error: String(err) }, false, ctx.requestId ?? "", ctx.callerType ?? "unknown");
-    throw err;
+    return { restarted: await reconcileCore(state, {}) };
   } finally {
     releaseLock(lock);
   }
 }
 
-export async function applyUninstall(state: ControlPlaneState, ctx?: AuditContext): Promise<{ stopped: string[] }> {
+export async function applyUninstall(state: ControlPlaneState): Promise<{ stopped: string[] }> {
   const lock = acquireLock(state.homeDir, "uninstall");
   try {
-    const result = { stopped: await reconcileCore(state, { deactivateServices: true }) };
-    if (ctx) appendAudit(state, ctx.actor, "uninstall", { stopped: result.stopped }, true, ctx.requestId ?? "", ctx.callerType ?? "unknown");
-    return result;
-  } catch (err) {
-    if (ctx) appendAudit(state, ctx.actor, "uninstall", { error: String(err) }, false, ctx.requestId ?? "", ctx.callerType ?? "unknown");
-    throw err;
+    return { stopped: await reconcileCore(state, { deactivateServices: true }) };
   } finally {
     releaseLock(lock);
   }