@openpalm/lib 0.11.0-beta.1 → 0.11.0-beta.3

package/src/control-plane/migrate-0110.test.ts

@@ -0,0 +1,177 @@
+/**
+ * Tests for the 0.11.0 auth-migration shim.
+ */
+import { describe, expect, it, beforeEach, afterEach } from "bun:test";
+import {
+  existsSync,
+  mkdirSync,
+  mkdtempSync,
+  readFileSync,
+  rmSync,
+  statSync,
+  writeFileSync,
+  chmodSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { migrateAuth0110 } from "./migrate-0110.js";
+import type { ControlPlaneState } from "./types.js";
+
+function makeState(homeDir: string): ControlPlaneState {
+  return {
+    homeDir,
+    configDir: join(homeDir, "config"),
+    stashDir: join(homeDir, "stash"),
+    workspaceDir: join(homeDir, "workspace"),
+    cacheDir: join(homeDir, "cache"),
+    stateDir: join(homeDir, "state"),
+    stackDir: join(homeDir, "config", "stack"),
+    services: {},
+    artifacts: { compose: "" },
+    artifactMeta: [],
+  };
+}
+
+function seedStackEnv(stackDir: string, content: string): string {
+  mkdirSync(stackDir, { recursive: true });
+  const path = join(stackDir, "stack.env");
+  writeFileSync(path, content, { encoding: "utf-8", mode: 0o600 });
+  chmodSync(path, 0o600);
+  return path;
+}
+
+describe("migrateAuth0110", () => {
+  let homeDir: string;
+
+  beforeEach(() => {
+    homeDir = mkdtempSync(join(tmpdir(), "openpalm-migrate-0110-"));
+  });
+
+  afterEach(() => {
+    rmSync(homeDir, { recursive: true, force: true });
+  });
+
+  it("no-ops on a fresh install (no stack.env)", () => {
+    const state = makeState(homeDir);
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(false);
+    expect(result.reason).toContain("fresh install");
+  });
+
+  it("promotes OP_UI_TOKEN → OP_UI_LOGIN_PASSWORD and removes legacy keys", () => {
+    const state = makeState(homeDir);
+    const stackEnvPath = seedStackEnv(
+      state.stackDir,
+      [
+        "# header",
+        "OP_UI_TOKEN=legacy-token-value",
+        "OP_ASSISTANT_TOKEN=some-assistant-token",
+        "OP_OPENCODE_PASSWORD=opencode-secret",
+        "",
+      ].join("\n"),
+    );
+
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(true);
+    expect(result.reason).toContain("promoted OP_UI_TOKEN");
+    expect(result.reason).toContain("removed OP_UI_TOKEN");
+    expect(result.reason).toContain("removed OP_ASSISTANT_TOKEN");
+
+    const after = readFileSync(stackEnvPath, "utf-8");
+    expect(after).toContain("OP_UI_LOGIN_PASSWORD=legacy-token-value");
+    expect(after).not.toMatch(/^OP_UI_TOKEN=/m);
+    expect(after).not.toMatch(/^OP_ASSISTANT_TOKEN=/m);
+    // Unrelated keys preserved
+    expect(after).toContain("OP_OPENCODE_PASSWORD=opencode-secret");
+
+    // Perms preserved
+    expect(statSync(stackEnvPath).mode & 0o777).toBe(0o600);
+
+    // Migration log appended
+    const logPath = join(state.stateDir, "logs", "migration-0.11.0.log");
+    expect(existsSync(logPath)).toBe(true);
+    const log = readFileSync(logPath, "utf-8");
+    expect(log).toContain("migrate-auth-0110");
+    expect(log).toContain("promoted OP_UI_TOKEN");
+  });
+
+  it("does not overwrite an existing OP_UI_LOGIN_PASSWORD", () => {
+    const state = makeState(homeDir);
+    const stackEnvPath = seedStackEnv(
+      state.stackDir,
+      [
+        "OP_UI_LOGIN_PASSWORD=new-password",
+        "OP_UI_TOKEN=legacy-value",
+        "",
+      ].join("\n"),
+    );
+
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(true);
+    expect(result.reason).not.toContain("promoted");
+    expect(result.reason).toContain("removed OP_UI_TOKEN");
+
+    const after = readFileSync(stackEnvPath, "utf-8");
+    expect(after).toContain("OP_UI_LOGIN_PASSWORD=new-password");
+    expect(after).not.toMatch(/^OP_UI_TOKEN=/m);
+  });
+
+  it("removes OP_ASSISTANT_TOKEN even when only it is present", () => {
+    const state = makeState(homeDir);
+    const stackEnvPath = seedStackEnv(
+      state.stackDir,
+      [
+        "OP_UI_LOGIN_PASSWORD=pw",
+        "OP_ASSISTANT_TOKEN=stale",
+        "",
+      ].join("\n"),
+    );
+
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(true);
+    expect(result.reason).toContain("removed OP_ASSISTANT_TOKEN");
+    expect(readFileSync(stackEnvPath, "utf-8")).not.toMatch(/^OP_ASSISTANT_TOKEN=/m);
+  });
+
+  it("is idempotent: second run reports already-migrated", () => {
+    const state = makeState(homeDir);
+    seedStackEnv(
+      state.stackDir,
+      [
+        "OP_UI_TOKEN=t",
+        "OP_ASSISTANT_TOKEN=t2",
+        "",
+      ].join("\n"),
+    );
+
+    const first = migrateAuth0110(state);
+    expect(first.migrated).toBe(true);
+
+    const second = migrateAuth0110(state);
+    expect(second.migrated).toBe(false);
+    expect(second.reason).toContain("already migrated");
+  });
+
+  it("treats an empty OP_UI_TOKEN value as not-set (no promotion)", () => {
+    const state = makeState(homeDir);
+    const stackEnvPath = seedStackEnv(
+      state.stackDir,
+      [
+        "OP_UI_TOKEN=",
+        "OP_ASSISTANT_TOKEN=foo",
+        "",
+      ].join("\n"),
+    );
+
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(true);
+    // Empty-string OP_UI_TOKEN should NOT be promoted as a password.
+    expect(result.reason).not.toContain("promoted");
+
+    const after = readFileSync(stackEnvPath, "utf-8");
+    // The empty OP_UI_TOKEN line is still removed.
+    expect(after).not.toMatch(/^OP_UI_TOKEN=/m);
+    // No OP_UI_LOGIN_PASSWORD added (would be an empty value).
+    expect(after).not.toMatch(/^OP_UI_LOGIN_PASSWORD=/m);
+  });
+});

package/src/control-plane/migrate-0110.ts

@@ -0,0 +1,99 @@
+/**
+ * One-shot migration for the 0.11.0 auth refactor.
+ *
+ * Existing installs have OP_UI_TOKEN and OP_ASSISTANT_TOKEN in
+ * config/stack/stack.env. The 0.11.0 refactor (auth-and-proxy-refactor-plan.md)
+ * replaces them with a single OP_UI_LOGIN_PASSWORD. If we don't migrate,
+ * operators get locked out the moment they run the new UI build because the
+ * login route compares the cookie against process.env.OP_UI_LOGIN_PASSWORD,
+ * which is empty on existing installs.
+ *
+ * Migration logic (idempotent):
+ *   - If OP_UI_LOGIN_PASSWORD is unset AND OP_UI_TOKEN is set, copy
+ *     OP_UI_TOKEN's value into OP_UI_LOGIN_PASSWORD.
+ *   - Remove OP_UI_TOKEN and OP_ASSISTANT_TOKEN from stack.env (they're
+ *     no longer used).
+ *   - Append a one-line summary to state/logs/migration-0.11.0.log.
+ *   - If OP_UI_LOGIN_PASSWORD is already set, leave it alone — the operator
+ *     already migrated or set up fresh.
+ *
+ * Called from ensureSecrets so it runs before any auth-required code path
+ * gets a chance to see the half-migrated state.
+ */
+import {
+  existsSync,
+  readFileSync,
+  writeFileSync,
+  chmodSync,
+  appendFileSync,
+  mkdirSync,
+} from "node:fs";
+import { dirname } from "node:path";
+import { parseEnvContent, removeEnvKey, upsertEnvValue } from "./env.js";
+import { migration0110LogPath } from "./paths.js";
+import type { ControlPlaneState } from "./types.js";
+
+export type MigrateAuth0110Result = {
+  /** True if any change was written to stack.env. */
+  migrated: boolean;
+  /** Human-readable description of what changed (or why nothing did). */
+  reason: string;
+};
+
+export function migrateAuth0110(state: ControlPlaneState): MigrateAuth0110Result {
+  const stackEnvPath = `${state.stackDir}/stack.env`;
+  if (!existsSync(stackEnvPath)) {
+    return { migrated: false, reason: "no stack.env yet (fresh install)" };
+  }
+
+  const before = readFileSync(stackEnvPath, "utf-8");
+  const parsed = parseEnvContent(before);
+  const hasLoginPw = typeof parsed.OP_UI_LOGIN_PASSWORD === "string" && parsed.OP_UI_LOGIN_PASSWORD.length > 0;
+  const hasUiToken = typeof parsed.OP_UI_TOKEN === "string" && parsed.OP_UI_TOKEN.length > 0;
+  const hasAssistantToken = "OP_ASSISTANT_TOKEN" in parsed;
+  const hasUiTokenLine = "OP_UI_TOKEN" in parsed;
+
+  if (hasLoginPw && !hasUiTokenLine && !hasAssistantToken) {
+    return { migrated: false, reason: "already migrated" };
+  }
+
+  let content = before;
+  const changes: string[] = [];
+
+  if (!hasLoginPw && hasUiToken) {
+    content = upsertEnvValue(content, "OP_UI_LOGIN_PASSWORD", parsed.OP_UI_TOKEN);
+    changes.push("promoted OP_UI_TOKEN → OP_UI_LOGIN_PASSWORD");
+  }
+  if (hasUiTokenLine) {
+    content = removeEnvKey(content, "OP_UI_TOKEN");
+    changes.push("removed OP_UI_TOKEN");
+  }
+  if (hasAssistantToken) {
+    content = removeEnvKey(content, "OP_ASSISTANT_TOKEN");
+    changes.push("removed OP_ASSISTANT_TOKEN");
+  }
+
+  if (changes.length === 0) {
+    return { migrated: false, reason: "no changes needed" };
+  }
+
+  // Preserve the 0600 mode the existing file should already have.
+  writeFileSync(stackEnvPath, content, { encoding: "utf-8", mode: 0o600 });
+  try { chmodSync(stackEnvPath, 0o600); } catch { /* best-effort */ }
+
+  // Best-effort audit line. The migration log is small and append-only;
+  // if it fails (perm error, fs full), we don't roll back the migration.
+  try {
+    const logPath = migration0110LogPath(state);
+    mkdirSync(dirname(logPath), { recursive: true });
+    appendFileSync(
+      logPath,
+      `${new Date().toISOString()} migrate-auth-0110 ${changes.join("; ")}\n`,
+      "utf-8",
+    );
+  } catch {
+    /* best-effort */
+  }
+
+  return { migrated: true, reason: changes.join("; ") };
+}

package/src/control-plane/paths.ts

@@ -52,8 +52,15 @@ export const akmStateDir           = (s: ControlPlaneState): string => `${s.stat
 export const taskLogDir            = (s: ControlPlaneState, id: string): string => `${s.cacheDir}/akm/tasks/logs/${id}`;
 export const taskLogsRootDir       = (s: ControlPlaneState): string => `${s.cacheDir}/akm/tasks/logs`;
 export const logsDir               = (s: ControlPlaneState): string => `${s.stateDir}/logs`;
-export const adminAuditPath        = (s: ControlPlaneState): string => `${s.stateDir}/logs/admin-audit.jsonl`;
+/**
+ * Guardian's own audit log of channel ingress (HMAC verify, replay, rate
+ * limit). Phase 6 of the auth/proxy refactor removed the OpenPalm-side
+ * `admin-audit.jsonl` — OpenCode session logs are the audit trail for
+ * chat + tool activity.
+ */
 export const guardianAuditPath     = (s: ControlPlaneState): string => `${s.stateDir}/logs/guardian-audit.log`;
+/** One-shot 0.11.0 migration log (OP_UI_TOKEN → OPENCODE_SERVER_PASSWORD, endpoints.json move) */
+export const migration0110LogPath  = (s: ControlPlaneState): string => `${s.stateDir}/logs/migration-0.11.0.log`;
 export const backupsDir            = (s: ControlPlaneState): string => `${s.stateDir}/backups`;
 export const registryDir           = (s: ControlPlaneState): string => `${s.stateDir}/registry`;
 export const registryAddonsDir     = (s: ControlPlaneState): string => `${s.stateDir}/registry/addons`;

package/src/control-plane/registry-components.test.ts

@@ -343,8 +343,9 @@ describe("registry component sensitive fields", () => {
 
   for (const id of fullAddonIds) {
     it(`${id}: has at least one @sensitive field (channel secret)`, () => {
-      // ollama is a local inference server — no channel secret or API key needed
-      if (id === "ollama") return;
+      // ollama and voice are local inference servers — no channel secret
+      // or upstream API key needed (LAN-only, no auth by design).
+      if (id === "ollama" || id === "voice") return;
       const schema = readComponentFile(id, ".env.schema");
       const entries = parseEnvSchema(schema);
       const sensitiveEntries = entries.filter((e) =>

package/src/control-plane/registry.test.ts

@@ -21,6 +21,9 @@ import {
   getRegistryAddonConfig,
   listAvailableAddonIds,
   getAddonServiceNames,
+  getAddonProfiles,
+  getAddonProfileSelection,
+  setAddonProfileSelection,
   enableAddon,
   disableAddonByName,
   setAddonEnabled,
@@ -391,6 +394,67 @@ describe("materialized registry catalog", () => {
     expect(existsSync(join(otherHome, 'backups', 'config', 'stack.yml'))).toBe(false);
   });
 
+  it("parses compose profiles + openpalm.profile.* labels per addon", () => {
+    const sourceRoot = join(tmpDir, 'repo');
+    const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'voice');
+    const automationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
+
+    mkdirSync(addonDir, { recursive: true });
+    mkdirSync(automationsDir, { recursive: true });
+    writeFileSync(
+      join(addonDir, 'compose.yml'),
+      [
+        'services:',
+        '  voice:',
+        '    profiles: [cpu]',
+        '    image: openpalm/voice:cpu',
+        '    labels:',
+        '      openpalm.profile.label: CPU',
+        '      openpalm.profile.default: "true"',
+        '  voice-cuda:',
+        '    profiles: [cuda]',
+        '    image: openpalm/voice:cuda',
+        '    labels:',
+        '      openpalm.profile.label: NVIDIA',
+        '      openpalm.profile.requires: nvidia-container-toolkit',
+        '',
+      ].join('\n'),
+    );
+    writeFileSync(join(addonDir, '.env.schema'), 'VOICE=\n');
+    writeFileSync(join(automationsDir, 'cleanup.md'), '---\ndescription: Cleanup\nschedule: "0 3 * * *"\ncommand: ["echo","clean"]\n---\n');
+
+    materializeRegistryCatalog(sourceRoot);
+
+    const profiles = getAddonProfiles(process.env.OP_HOME!, 'voice');
+    expect(profiles).toEqual([
+      { id: 'cpu', services: ['voice'], label: 'CPU', default: true },
+      { id: 'cuda', services: ['voice-cuda'], label: 'NVIDIA', requires: 'nvidia-container-toolkit' },
+    ]);
+  });
+
+  it("round-trips addon profile selection through stack.env", () => {
+    const sourceRoot = join(tmpDir, 'repo');
+    const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'voice');
+    const automationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
+
+    mkdirSync(addonDir, { recursive: true });
+    mkdirSync(automationsDir, { recursive: true });
+    writeFileSync(join(addonDir, 'compose.yml'), 'services:\n  voice:\n    profiles: [cpu]\n    image: x\n');
+    writeFileSync(join(addonDir, '.env.schema'), 'VOICE=\n');
+    writeFileSync(join(automationsDir, 'cleanup.md'), '---\ndescription: Cleanup\nschedule: "0 3 * * *"\ncommand: ["echo","clean"]\n---\n');
+
+    materializeRegistryCatalog(sourceRoot);
+
+    const stackDir = join(process.env.OP_HOME!, 'config', 'stack');
+    mkdirSync(stackDir, { recursive: true });
+    writeFileSync(join(stackDir, 'stack.env'), '');
+
+    expect(getAddonProfileSelection(stackDir, 'voice')).toBeNull();
+    setAddonProfileSelection(stackDir, 'voice', 'cuda');
+    expect(getAddonProfileSelection(stackDir, 'voice')).toBe('cuda');
+    expect(readFileSync(join(stackDir, 'stack.env'), 'utf-8')).toContain('OP_VOICE_PROFILE=cuda');
+  });
+
   it("installs and uninstalls automations through stash/tasks", () => {
     const sourceRoot = join(tmpDir, 'repo');
     const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'chat');

package/src/control-plane/registry.ts

@@ -12,6 +12,7 @@ import { parse as parseYaml } from 'yaml';
 import { createLogger } from '../logger.js';
 import { isChannelAddon } from './channels.js';
 import { randomHex, writeChannelSecrets } from './config-persistence.js';
+import { patchSecretsEnvFile, readStackEnv } from './secrets.js';
 import {
   resolveRegistryAddonsDir,
   resolveRegistryAutomationsDir,
@@ -339,6 +340,118 @@ export function getAddonServiceNames(homeDir: string, name: string): string[] {
   return [];
 }
 
+export type AddonProfile = {
+  id: string;
+  services: string[];
+  label?: string;
+  requires?: string;
+  default?: boolean;
+};
+
+function readAddonProfiles(composePath: string): AddonProfile[] {
+  if (!existsSync(composePath)) return [];
+
+  let parsed: unknown;
+  try {
+    parsed = parseYaml(readFileSync(composePath, "utf-8"));
+  } catch (error) {
+    logger.warn("failed to parse addon compose profiles", {
+      composePath,
+      error: error instanceof Error ? error.message : String(error),
+    });
+    return [];
+  }
+
+  const services = parsed && typeof parsed === "object"
+    ? (parsed as { services?: unknown }).services
+    : undefined;
+  if (!services || typeof services !== "object" || Array.isArray(services)) return [];
+
+  const byProfile = new Map<string, AddonProfile>();
+  for (const [svcName, svcRaw] of Object.entries(services as Record<string, unknown>)) {
+    if (!svcRaw || typeof svcRaw !== "object") continue;
+    const svc = svcRaw as { profiles?: unknown; labels?: unknown };
+    if (!Array.isArray(svc.profiles)) continue;
+    const profileIds = svc.profiles.filter((p): p is string => typeof p === "string");
+    if (profileIds.length === 0) continue;
+
+    const labels = readServiceLabels(svc.labels);
+    const label = labels["openpalm.profile.label"];
+    const requires = labels["openpalm.profile.requires"];
+    const isDefault = labels["openpalm.profile.default"] === "true";
+
+    for (const id of profileIds) {
+      const existing = byProfile.get(id);
+      if (existing) {
+        existing.services.push(svcName);
+        if (!existing.label && label) existing.label = label;
+        if (!existing.requires && requires) existing.requires = requires;
+        if (!existing.default && isDefault) existing.default = true;
+      } else {
+        const profile: AddonProfile = { id, services: [svcName] };
+        if (label) profile.label = label;
+        if (requires) profile.requires = requires;
+        if (isDefault) profile.default = true;
+        byProfile.set(id, profile);
+      }
+    }
+  }
+
+  return [...byProfile.values()];
+}
+
+function readServiceLabels(raw: unknown): Record<string, string> {
+  if (!raw) return {};
+  const out: Record<string, string> = {};
+  if (Array.isArray(raw)) {
+    for (const entry of raw) {
+      if (typeof entry !== "string") continue;
+      const eq = entry.indexOf("=");
+      if (eq < 0) continue;
+      out[entry.slice(0, eq)] = entry.slice(eq + 1);
+    }
+  } else if (typeof raw === "object") {
+    for (const [k, v] of Object.entries(raw as Record<string, unknown>)) {
+      if (v == null) continue;
+      out[k] = String(v);
+    }
+  }
+  return out;
+}
+
+export function getAddonProfiles(homeDir: string, name: string): AddonProfile[] {
+  if (!VALID_NAME_RE.test(name)) throw new Error(`Invalid addon name: ${name}`);
+
+  const composeCandidates = [
+    join(homeDir, "config", "stack", "addons", name, "compose.yml"),
+    join(homeDir, "state", "registry", "addons", name, "compose.yml"),
+  ];
+
+  for (const composePath of composeCandidates) {
+    const profiles = readAddonProfiles(composePath);
+    if (profiles.length > 0) return profiles;
+  }
+
+  return [];
+}
+
+function profileEnvKey(name: string): string {
+  if (!VALID_NAME_RE.test(name)) throw new Error(`Invalid addon name: ${name}`);
+  return `OP_${name.replace(/-/g, '_').toUpperCase()}_PROFILE`;
+}
+
+export function getAddonProfileSelection(stackDir: string, name: string): string | null {
+  const env = readStackEnv(stackDir);
+  const value = env[profileEnvKey(name)];
+  return value && value.trim() ? value.trim() : null;
+}
+
+export function setAddonProfileSelection(stackDir: string, name: string, profile: string): void {
+  const trimmed = profile.trim();
+  if (!trimmed) throw new Error('Profile id cannot be empty');
+  patchSecretsEnvFile(stackDir, { [profileEnvKey(name)]: trimmed });
+}
+
 export function enableAddon(homeDir: string, name: string): MutationResult {
   try {
     copyAddonFromRegistry(homeDir, name);

package/src/control-plane/secret-backend.test.ts

@@ -27,8 +27,6 @@ function createState(): ControlPlaneState {
   mkdirSync(cacheDir, { recursive: true });
 
   return {
-    adminToken: 'admin-token',
-    assistantToken: '',
     homeDir: rootDir,
     configDir,
     stashDir: join(rootDir, 'stash'),
@@ -39,7 +37,6 @@ function createState(): ControlPlaneState {
     services: {},
     artifacts: { compose: '' },
     artifactMeta: [],
-    audit: [],
   };
 }
 
@@ -188,16 +185,16 @@ describe('plaintext backend (via detectSecretBackend)', () => {
     mkdirSync(dirname(akmPath), { recursive: true });
     writeFileSync(akmPath, 'OPENAI_API_KEY=akm-vault-openai\n');
 
-    // Stack.env already exists from ensureSecrets — seed a system token.
+    // Stack.env already exists from ensureSecrets — seed the system password.
     const stackEnvPath = join(state.stackDir, "stack.env");
     const stackContent = readFileSync(stackEnvPath, 'utf-8')
-      .replace(/^OP_UI_TOKEN=.*$/m, 'OP_UI_TOKEN=stack-admin-token');
+      .replace(/^OP_UI_LOGIN_PASSWORD=.*$/m, 'OP_UI_LOGIN_PASSWORD=stack-login-password');
     writeFileSync(stackEnvPath, stackContent);
 
     // System scope reads stack.env exclusively.
-    expect(await backend.exists('openpalm/admin-token')).toBe(true);
-    const systemEntries = await backend.list('openpalm/admin-token');
-    expect(systemEntries.find((e) => e.key === 'openpalm/admin-token')?.present).toBe(true);
+    expect(await backend.exists('openpalm/ui-login-password')).toBe(true);
+    const systemEntries = await backend.list('openpalm/ui-login-password');
+    expect(systemEntries.find((e) => e.key === 'openpalm/ui-login-password')?.present).toBe(true);
 
     // User scope reads akm vault file.
     const userEntries = await backend.list('openpalm/openai/');

package/src/control-plane/secret-mappings.ts

@@ -29,9 +29,8 @@ type CoreSecretMapping = {
 };
 
 const STATIC_CORE_MAPPINGS: CoreSecretMapping[] = [
-  // Core authentication tokens
-  { secretKey: 'openpalm/admin-token', envKey: 'OP_UI_TOKEN', scope: 'system' },
-  { secretKey: 'openpalm/assistant-token', envKey: 'OP_ASSISTANT_TOKEN', scope: 'system' },
+  // Core authentication
+  { secretKey: 'openpalm/ui-login-password', envKey: 'OP_UI_LOGIN_PASSWORD', scope: 'system' },
   { secretKey: 'openpalm/opencode/server-password', envKey: 'OP_OPENCODE_PASSWORD', scope: 'system' },
   // LLM provider API keys
   { secretKey: 'openpalm/openai/api-key', envKey: 'OPENAI_API_KEY', scope: 'user' },

package/src/control-plane/secrets.ts

@@ -3,6 +3,7 @@ import { mkdirSync, writeFileSync, readFileSync, existsSync, chmodSync, lstatSyn
 import { randomBytes } from "node:crypto";
 import { createLogger } from "../logger.js";
 import { parseEnvFile, mergeEnvContent } from './env.js';
+import { migrateAuth0110 } from './migrate-0110.js';
 import type { ControlPlaneState } from "./types.js";
 import { resolveConfigDir } from "./home.js";
 
@@ -58,11 +59,13 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
   const existing = existsSync(systemEnvPath) ? parseEnvFile(systemEnvPath) : {};
   const updates: Record<string, string> = {};
 
-  if (!existing.OP_UI_TOKEN && state.adminToken) {
-    updates.OP_UI_TOKEN = state.adminToken;
-  }
-  if (!existing.OP_ASSISTANT_TOKEN) {
-    updates.OP_ASSISTANT_TOKEN = randomBytes(32).toString("hex");
+  // OP_UI_LOGIN_PASSWORD seeds the operator login secret. ensureSecrets
+  // generates a random fallback the first time so the stack is never
+  // installed with an empty password slot; the wizard / CLI install path
+  // overwrites it with the operator's chosen value via
+  // buildSystemSecretsFromSetup().
+  if (!existing.OP_UI_LOGIN_PASSWORD) {
+    updates.OP_UI_LOGIN_PASSWORD = randomBytes(32).toString("hex");
   }
 
   if (!existsSync(systemEnvPath)) {
@@ -71,8 +74,7 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
       "# All secrets and configuration live here. Advanced users may edit directly.",
       "",
       "# ── Authentication ──────────────────────────────────────────────────",
-      "OP_UI_TOKEN=",
-      "OP_ASSISTANT_TOKEN=",
+      "OP_UI_LOGIN_PASSWORD=",
       "",
       "# ── Service Auth ─────────────────────────────────────────────────────",
       "OP_OPENCODE_PASSWORD=",
@@ -104,6 +106,10 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
 export function ensureSecrets(state: ControlPlaneState): void {
   enforceVaultDirMode(state.stackDir);
 
+  // Migrate pre-0.11.0 installs (OP_UI_TOKEN/OP_ASSISTANT_TOKEN → OP_UI_LOGIN_PASSWORD)
+  // before any code path that reads OP_UI_LOGIN_PASSWORD sees an empty value.
+  migrateAuth0110(state);
+
   ensureSystemSecrets(state);
   ensureGuardianEnv(state.stackDir);
   ensureAuthJson(state.configDir);

package/src/control-plane/setup-config.schema.json

@@ -30,12 +30,12 @@
     "security": {
       "type": "object",
       "description": "Security settings for the instance.",
-      "required": ["adminToken"],
+      "required": ["uiLoginPassword"],
       "additionalProperties": false,
       "properties": {
-        "adminToken": {
+        "uiLoginPassword": {
           "type": "string",
-          "description": "Admin API authentication token. Used to authenticate CLI and admin UI requests.",
+          "description": "Operator login password for the OpenPalm UI. Persisted to stack.env as OP_UI_LOGIN_PASSWORD; the UI's op_session cookie value is compared against it on every authenticated request.",
           "minLength": 8
         }
       }

package/src/control-plane/setup-status.ts

@@ -2,6 +2,11 @@ import { parseEnvFile } from './env.js';
 
 /**
  * Check if setup is complete by reading config/stack/stack.env.
+ *
+ * Phase 4 of the auth/proxy refactor replaced the legacy `OP_UI_TOKEN`
+ * sentinel with `OP_UI_LOGIN_PASSWORD`. The presence of a non-empty value
+ * implies the operator (or the install wizard) has seeded the login
+ * secret; `OP_SETUP_COMPLETE=true` is still authoritative when present.
  */
 export function isSetupComplete(stackDir: string): boolean {
   const parsed = parseEnvFile(`${stackDir}/stack.env`);
@@ -9,5 +14,5 @@ export function isSetupComplete(stackDir: string): boolean {
     return parsed.OP_SETUP_COMPLETE.toLowerCase() === "true";
   }
 
-  return (parsed.OP_UI_TOKEN ?? "").length > 0;
+  return (parsed.OP_UI_LOGIN_PASSWORD ?? "").length > 0;
 }

package/src/control-plane/setup-validation.ts

@@ -34,8 +34,8 @@ export function validateSetupSpec(input: unknown): { valid: boolean; errors: str
 function validateSecurity(body: Record<string, unknown>, errors: string[]): void {
   const security = requireObj(body.security, "security object is required", errors);
   if (!security) return;
-  if (!requireStr(security, "adminToken", "security.adminToken is required and must be a non-empty string", errors)) return;
-  if ((security.adminToken as string).length < 8) errors.push("security.adminToken must be at least 8 characters");
+  if (!requireStr(security, "uiLoginPassword", "security.uiLoginPassword is required and must be a non-empty string", errors)) return;
+  if ((security.uiLoginPassword as string).length < 8) errors.push("security.uiLoginPassword must be at least 8 characters");
 }
 
 function validateOwner(body: Record<string, unknown>, errors: string[]): void {