@openpalm/lib 0.11.0-beta.1 → 0.11.0-beta.3

package/src/control-plane/setup.test.ts

@@ -19,7 +19,7 @@ function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
     version: 2,
     llm: { provider: "openai", model: "gpt-4o", baseUrl: "https://api.openai.com/v1" },
     embedding: { provider: "openai", model: "text-embedding-3-small", dims: 1536, baseUrl: "https://api.openai.com/v1" },
-    security: { adminToken: "test-admin-token-12345" },
+    security: { uiLoginPassword: "test-admin-token-12345" },
     owner: { name: "Test User", email: "test@example.com" },
     connections: [
       {
@@ -72,17 +72,17 @@ describe("validateSetupSpec", () => {
     expect(result.errors.some((e) => e.includes("security object is required"))).toBe(true);
   });
 
-  it("rejects missing security.adminToken", () => {
+  it("rejects missing security.uiLoginPassword", () => {
     const spec = makeValidSpec();
-    spec.security.adminToken = "";
+    spec.security.uiLoginPassword = "";
     const result = validateSetupSpec(spec);
     expect(result.valid).toBe(false);
-    expect(result.errors.some((e) => e.includes("security.adminToken"))).toBe(true);
+    expect(result.errors.some((e) => e.includes("security.uiLoginPassword"))).toBe(true);
   });
 
-  it("rejects short security.adminToken", () => {
+  it("rejects short security.uiLoginPassword", () => {
     const spec = makeValidSpec();
-    spec.security.adminToken = "short";
+    spec.security.uiLoginPassword = "short";
     const result = validateSetupSpec(spec);
     expect(result.valid).toBe(false);
     expect(result.errors.some((e) => e.includes("at least 8"))).toBe(true);
@@ -199,9 +199,10 @@ describe("validateSetupSpec", () => {
 // ── Tests: buildSecretsFromSetup ─────────────────────────────────────────
 
 describe("buildSecretsFromSetup", () => {
-  it("does not include admin token in user secrets", () => {
+  it("does not include UI login password in user secrets", () => {
     const spec = makeValidSpec();
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
+    expect(secrets.OP_UI_LOGIN_PASSWORD).toBeUndefined();
     expect(secrets.OP_UI_TOKEN).toBeUndefined();
     expect(secrets.ADMIN_TOKEN).toBeUndefined();
   });
@@ -304,11 +305,14 @@ describe("buildAuthJsonFromSetup", () => {
 });
 
 describe("buildSystemSecretsFromSetup", () => {
-  it("includes distinct admin and assistant credentials", () => {
+  // Phase 4: assistant token was removed; the only stack.env secret this
+  // helper writes now is OP_UI_LOGIN_PASSWORD. OP_OPENCODE_PASSWORD is
+  // generated by ensureSystemSecrets() and persists across reruns.
+  it("returns OP_UI_LOGIN_PASSWORD equal to the supplied operator password", () => {
     const secrets = buildSystemSecretsFromSetup("test-admin-token-12345");
-    expect(secrets.OP_UI_TOKEN).toBe("test-admin-token-12345");
-    expect(typeof secrets.OP_ASSISTANT_TOKEN).toBe("string");
-    expect(secrets.OP_ASSISTANT_TOKEN).not.toBe("test-admin-token-12345");
+    expect(secrets.OP_UI_LOGIN_PASSWORD).toBe("test-admin-token-12345");
+    expect(secrets.OP_UI_TOKEN).toBeUndefined();
+    expect(secrets.OP_ASSISTANT_TOKEN).toBeUndefined();
   });
 });
 
@@ -356,7 +360,7 @@ describe("performSetup", () => {
       join(stackDir, "stack.env"),
       [
         "OP_SETUP_COMPLETE=false",
-        "OP_UI_TOKEN=",
+        "OP_UI_LOGIN_PASSWORD=",
         "OPENAI_API_KEY=",
         "OPENAI_BASE_URL=",
         "ANTHROPIC_API_KEY=",
@@ -384,13 +388,13 @@ describe("performSetup", () => {
 
   it("returns an error for invalid input", async () => {
     const result = await performSetup(
-      { security: { adminToken: "short" } } as SetupSpec
+      { security: { uiLoginPassword: "short" } } as SetupSpec
     );
     expect(result.ok).toBe(false);
     expect(result.error).toBeDefined();
   });
 
-  it("writes stack.env with the admin token", async () => {
+  it("writes stack.env with the UI login password", async () => {
     const result = await performSetup(makeValidSpec());
     expect(result.ok).toBe(true);
 

package/src/control-plane/setup.ts

@@ -7,7 +7,6 @@
  */
 import { readFileSync, writeFileSync, existsSync, mkdirSync, renameSync } from "node:fs";
 import { join } from "node:path";
-import { randomBytes } from "node:crypto";
 import { createLogger } from "../logger.js";
 import {
   PROVIDER_KEY_MAP,
@@ -70,7 +69,12 @@ export type SetupSpec = {
   embedding?: { provider: string; model: string; dims: number; baseUrl?: string };
   tts?: { enabled?: boolean; engine?: string; provider?: string; baseURL?: string; model?: string; voice?: string };
   stt?: { enabled?: boolean; engine?: string; provider?: string; baseURL?: string; model?: string; language?: string };
-  security: { adminToken: string };
+  /**
+   * Operator-supplied UI login password. Persisted to stack.env as
+   * `OP_UI_LOGIN_PASSWORD`. Replaces the legacy `adminToken` field
+   * (Phase 4 of docs/technical/auth-and-proxy-refactor-plan.md).
+   */
+  security: { uiLoginPassword: string };
   owner?: { name?: string; email?: string };
   connections: SetupConnection[];
   channelCredentials?: Record<string, Record<string, string>>;
@@ -121,41 +125,26 @@ export function buildAuthJsonFromSetup(
 }
 
 /**
- * Build the system-secret env update.
+ * Build the system-secret env update for the wizard / CLI install path.
  *
- * `OP_ASSISTANT_TOKEN` is critical: rotating it on a running stack would
- * invalidate every container's auth. We therefore distinguish three cases:
- *  - existing system env has a non-empty token → reuse it (idempotent rerun).
- *  - existing system env explicitly contains `OP_ASSISTANT_TOKEN=` (blank)  →
- *    throw rather than silently rotate. This means a user edited stack.env
- *    or a previous run wrote it blank; either way silent rotation breaks the
- *    running stack.
- *  - the key is absent entirely → generate a fresh token (first install).
+ * Phase 4 of the auth/proxy refactor collapsed the legacy
+ * `OP_UI_TOKEN` / `OP_ASSISTANT_TOKEN` pair into a single operator login
+ * secret (`OP_UI_LOGIN_PASSWORD`). The browser stores the cookie value =
+ * password; `requireAdmin()` compares the cookie against
+ * `process.env.OP_UI_LOGIN_PASSWORD` via the existing `safeTokenCompare`.
  *
- * If you legitimately need to rotate the token, delete the OP_ASSISTANT_TOKEN
- * line from stack.env (rather than blanking it) before re-running setup.
+ * `OP_OPENCODE_PASSWORD` is generated by `ensureSystemSecrets()` on first
+ * run and persists across reruns — it is not regenerated here.
+ *
+ * `existingSystemEnv` is unused now but the parameter is kept so callers
+ * compile unchanged. It can be removed in a follow-up cleanup.
  */
 export function buildSystemSecretsFromSetup(
-  adminToken: string,
-  existingSystemEnv: Record<string, string> = {}
+  uiLoginPassword: string,
+  _existingSystemEnv: Record<string, string> = {}
 ): Record<string, string> {
-  const hasKey = Object.prototype.hasOwnProperty.call(existingSystemEnv, "OP_ASSISTANT_TOKEN");
-  const existing = existingSystemEnv.OP_ASSISTANT_TOKEN;
-  let token: string;
-  if (existing) {
-    token = existing;
-  } else if (hasKey) {
-    throw new Error(
-      "OP_ASSISTANT_TOKEN is present but blank in config/stack/stack.env. " +
-      "Refusing to silently rotate the token (it would break the running stack). " +
-      "Restore the previous value or remove the line entirely to generate a fresh one.",
-    );
-  } else {
-    token = randomBytes(32).toString("hex");
-  }
   return {
-    OP_UI_TOKEN: adminToken,
-    OP_ASSISTANT_TOKEN: token,
+    OP_UI_LOGIN_PASSWORD: uiLoginPassword,
   };
 }
 
@@ -205,7 +194,7 @@ export async function performSetup(
   if (!validation.valid) return { ok: false, error: validation.errors.join("; ") };
 
   const { llm, embedding, tts, stt, security, owner, connections, channelCredentials, addons, imageTag, hostAkm } = input;
-  const state = opts?.state ?? createState(security.adminToken);
+  const state = opts?.state ?? createState();
 
   // Acquire install lock to prevent two concurrent setup runs from racing on
   // the same config directory. The lock lives in stateDir so it is co-located
@@ -238,7 +227,7 @@ export async function performSetup(
         }
       }
       updateSecretsEnv(state, updates);
-      updateSystemSecretsEnv(state, buildSystemSecretsFromSetup(security.adminToken, existingSystemEnv));
+      updateSystemSecretsEnv(state, buildSystemSecretsFromSetup(security.uiLoginPassword, existingSystemEnv));
       // Provider API keys land in OpenCode's auth.json (bind-mounted into
       // the assistant container) — never in stack.env.
       writeAuthJsonProviderKeys(state, providerKeys);
@@ -248,9 +237,6 @@ export async function performSetup(
       return { ok: false, error: `Failed to persist setup outputs: ${message}` };
     }
 
-    state.adminToken = security.adminToken;
-    state.assistantToken = readStackEnv(state.stackDir).OP_ASSISTANT_TOKEN ?? state.assistantToken;
-
     // Everything from here through the OP_SETUP_COMPLETE write is wrapped in a
     // single try/catch so that a disk-full or permission-denied mid-way returns a
     // clean error rather than leaving a broken half-installed ~/.openpalm/.

package/src/control-plane/spec-to-env.ts

@@ -51,12 +51,18 @@ export function deriveSystemEnvFromSpec(
 export type VoiceVarsConfig = {
   tts?: {
     enabled?: boolean;
+    /** Engine name (e.g. "kokoro", "elevenlabs", "browser"). */
+    engine?: string;
+    /** Optional sub-provider qualifier when an engine fronts multiple providers. */
+    provider?: string;
     baseURL?: string;
     model?: string;
     voice?: string;
   };
   stt?: {
     enabled?: boolean;
+    engine?: string;
+    provider?: string;
     baseURL?: string;
     model?: string;
     language?: string;
@@ -65,7 +71,8 @@ export type VoiceVarsConfig = {
 
 /**
  * Write TTS/STT env vars to stack.env for the voice channel container.
- * Only vars with non-empty values are written; missing values are left unchanged.
+ * `engine` always writes (even if it's the only field) so picking an
+ * engine without filling in URL/model still persists.
  */
 export function writeVoiceVars(config: VoiceVarsConfig, stackDir: string): void {
   const stackEnvPath = `${stackDir}/stack.env`;
@@ -74,11 +81,15 @@ export function writeVoiceVars(config: VoiceVarsConfig, stackDir: string): void
 
   const { tts, stt } = config;
   if (tts?.enabled !== false) {
+    if (tts?.engine) vars["TTS_ENGINE"] = tts.engine;
+    if (tts?.provider) vars["TTS_PROVIDER"] = tts.provider;
     if (tts?.baseURL) vars["TTS_BASE_URL"] = tts.baseURL;
     if (tts?.model) vars["TTS_MODEL"] = tts.model;
     if (tts?.voice) vars["TTS_VOICE"] = tts.voice;
   }
   if (stt?.enabled !== false) {
+    if (stt?.engine) vars["STT_ENGINE"] = stt.engine;
+    if (stt?.provider) vars["STT_PROVIDER"] = stt.provider;
     if (stt?.baseURL) vars["STT_BASE_URL"] = stt.baseURL;
     if (stt?.model) vars["STT_MODEL"] = stt.model;
     if (stt?.language) vars["STT_LANGUAGE"] = stt.language;

package/src/control-plane/types.ts

@@ -12,11 +12,6 @@ export type OptionalServiceName = never;
 
 export type AccessScope = "host" | "lan";
 export type CallerType = "assistant" | "cli" | "ui" | "system" | "test" | "unknown";
-export type AuditContext = {
-  actor: string;
-  requestId?: string;
-  callerType?: CallerType;
-};
 
 /** Info about a discovered channel */
 export type ChannelInfo = {
@@ -24,16 +19,6 @@ export type ChannelInfo = {
   ymlPath: string;
 };
 
-export type AuditEntry = {
-  at: string;
-  requestId: string;
-  actor: string;
-  callerType: CallerType;
-  action: string;
-  args: Record<string, unknown>;
-  ok: boolean;
-};
-
 export type ArtifactMeta = {
   name: string;
   sha256: string;
@@ -42,8 +27,6 @@ export type ArtifactMeta = {
 };
 
 export type ControlPlaneState = {
-  adminToken: string;
-  assistantToken: string;
   homeDir: string;
   configDir: string;
   stashDir: string;      // homeDir/stash
@@ -56,7 +39,6 @@ export type ControlPlaneState = {
     compose: string;
   };
   artifactMeta: ArtifactMeta[];
-  audit: AuditEntry[];
 };
 
 // ── Constants ──────────────────────────────────────────────────────────

package/src/control-plane/validate.ts

@@ -15,7 +15,7 @@ import type { ControlPlaneState } from "./types.js";
 // Stack-scoped env keys that must always exist and carry a non-empty value
 // for the platform to boot. Keep this list small — anything optional
 // belongs in the warning bucket instead.
-const REQUIRED_STACK_KEYS = ["OP_UI_TOKEN", "OP_ASSISTANT_TOKEN"] as const;
+const REQUIRED_STACK_KEYS = ["OP_UI_LOGIN_PASSWORD"] as const;
 
 /**
  * Validate the live configuration files.

package/src/index.ts

@@ -29,7 +29,6 @@ export type {
   ChannelInfo,
   CallerType,
   ArtifactMeta,
-  AuditEntry,
 } from "./control-plane/types.js";
 export {
   CORE_SERVICES,
@@ -44,6 +43,7 @@ export {
 // ── Registry Catalog ─────────────────────────────────────────────────────
 export type {
   AddonMutationResult,
+  AddonProfile,
   RegistryAutomationEntry,
   RegistryComponentEntry,
   RegistryAddonConfig,
@@ -58,6 +58,9 @@ export {
   getRegistryAutomation,
   getRegistryAddonConfig,
   getAddonServiceNames,
+  getAddonProfiles,
+  getAddonProfileSelection,
+  setAddonProfileSelection,
   listAvailableAddonIds,
   listEnabledAddonIds,
   enableAddon,
@@ -96,9 +99,6 @@ export {
   RELEASE_TAG_REGEX,
 } from "./control-plane/env.js";
 
-// ── Audit ───────────────────────────────────────────────────────────────
-export { appendAudit } from "./control-plane/audit.js";
-
 // ── OpenCode Client ─────────────────────────────────────────────────────
 export { createOpenCodeClient } from "./control-plane/opencode-client.js";
 export type { ProxyResult, OpenCodeProvider } from "./control-plane/opencode-client.js";
@@ -114,6 +114,8 @@ export {
   maskSecretValue,
   ensureOpenCodeConfig,
 } from "./control-plane/secrets.js";
+export { migrateAuth0110 } from "./control-plane/migrate-0110.js";
+export type { MigrateAuth0110Result } from "./control-plane/migrate-0110.js";
 export {
   detectSecretBackend,
   validatePassEntryName,
@@ -234,6 +236,13 @@ export {
   buildComposeCliArgs,
 } from "./control-plane/compose-args.js";
 
+// ── Compose Error Parsing ────────────────────────────────────────────────
+export type { ComposeServiceFailure } from "./control-plane/compose-errors.js";
+export {
+  parseComposeStderr,
+  summarizeComposeStderr,
+} from "./control-plane/compose-errors.js";
+
 // ── Stack Spec (v2) ──────────────────────────────────────────────────────
 export type {
   StackSpec,

package/src/logger.ts

@@ -13,7 +13,7 @@ export type LogLevel = 'debug' | 'info' | 'warn' | 'error';
  * with un-anchored alternations was sloppy enough to invite future bugs).
  *
  * Examples:
- *   OP_UI_TOKEN     → sensitive (suffix _TOKEN)
+ *   OP_UI_LOGIN_PASSWORD → sensitive (suffix _PASSWORD)
  *   CHANNEL_API_KEY    → sensitive (suffix _KEY)
  *   CHANNEL_FOO_HMAC   → sensitive (suffix _HMAC)
  *   HMAC_KEY           → sensitive (prefix HMAC_, suffix _KEY)

package/src/control-plane/audit.ts

@@ -1,41 +0,0 @@
-/**
- * Audit logging for the OpenPalm control plane.
- */
-import { mkdirSync, appendFileSync } from "node:fs";
-import type { ControlPlaneState, AuditEntry, CallerType } from "./types.js";
-
-const MAX_AUDIT_MEMORY = 1000;
-
-export function appendAudit(
-  state: ControlPlaneState,
-  actor: string,
-  action: string,
-  args: Record<string, unknown>,
-  ok: boolean,
-  requestId = "",
-  callerType: CallerType = "unknown"
-): void {
-  const entry: AuditEntry = {
-    at: new Date().toISOString(),
-    requestId,
-    actor,
-    callerType,
-    action,
-    args,
-    ok
-  };
-  state.audit.push(entry);
-  if (state.audit.length > MAX_AUDIT_MEMORY) {
-    state.audit = state.audit.slice(-MAX_AUDIT_MEMORY);
-  }
-  try {
-    const logsDir = `${state.stateDir}/logs`;
-    mkdirSync(logsDir, { recursive: true });
-    appendFileSync(
-      `${logsDir}/admin-audit.jsonl`,
-      JSON.stringify(entry) + "\n"
-    );
-  } catch {
-    // best-effort persistence
-  }
-}