@openpalm/lib 0.11.0-beta.10 → 0.11.0-beta.13

package/src/control-plane/ui-assets.ts

@@ -12,13 +12,13 @@
  */
 import {
   existsSync, mkdirSync, readdirSync, copyFileSync,
-  readFileSync, writeFileSync, rmSync, realpathSync, renameSync,
+  writeFileSync, rmSync, realpathSync, renameSync,
 } from 'node:fs';
 import { join, dirname, relative } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { createHash } from 'node:crypto';
 import { x as tarExtract } from 'tar';
-import { resolveStateDir } from './home.js';
+import { resolveBackupsDir, resolveDataDir } from './home.js';
 import { createLogger } from '../logger.js';
 
 const logger = createLogger('lib:ui-assets');
@@ -87,13 +87,15 @@ export function resolveLocalOpenpalmDir(): string | null {
     () => process.env.OPENPALM_REPO_ROOT
       ? join(process.env.OPENPALM_REPO_ROOT, '.openpalm')
       : null,
-    // 2. Relative to this source file (dev / bun run)
+    // 2. Electron extraResources — openpalm-skeleton/ placed alongside the asar
+    () => process.env.OPENPALM_SKELETON_DIR ?? null,
+    // 3. Relative to this source file (dev / bun run)
     () => {
       const meta = fileURLToPath(import.meta.url);
       if (meta.startsWith('/$bunfs/')) return null;
       return join(dirname(meta), '..', '..', '..', '..', '.openpalm');
     },
-    // 3. Relative to the compiled binary on disk
+    // 4. Relative to the compiled binary on disk
     () => join(dirname(realpathSync(process.execPath)), '..', '..', '..', '.openpalm'),
   );
 }
@@ -109,14 +111,12 @@ export async function seedOpenPalmDir(
   repoRef: string,
   homeDir: string,
   _configDir: string,
-  _stateDir: string,
+  _dataDir: string,
 ): Promise<void> {
   const local = resolveLocalOpenpalmDir();
   if (local) {
     logger.debug('seeding .openpalm from local source', { src: local });
     copyTree(local, homeDir, { skipExisting: true });
-    // Registry is system-managed — always refresh so addon overlays stay current.
-    copyTree(join(local, 'state', 'registry'), join(homeDir, 'state', 'registry'));
     return;
   }
 
@@ -137,8 +137,6 @@ export async function seedOpenPalmDir(
     const srcOpenpalm = join(tmpDir, '.openpalm');
     if (!existsSync(srcOpenpalm)) throw new Error('.openpalm/ not found in tarball');
     copyTree(srcOpenpalm, homeDir, { skipExisting: true });
-    // Registry is system-managed — always refresh so addon overlays stay current.
-    copyTree(join(srcOpenpalm, 'state', 'registry'), join(homeDir, 'state', 'registry'));
   } finally {
     rmSync(tmpDir, { recursive: true, force: true });
   }
@@ -179,47 +177,28 @@ export function resolveLocalUiBuild(): string | null {
   );
 }
 
-function readUiVersionFile(dir: string): string | null {
-  try { return readFileSync(join(dir, 'version.txt'), 'utf-8').trim(); } catch { return null; }
-}
-
 /**
  * Resolve the best available UI build directory at runtime.
  *
  * Priority:
- *   1. OP_HOME/state/ui/ — if its version.txt is NEWER than the bundled build
- *   2. Bundled / local build (Electron extraResources, source checkout)
- *   3. OP_HOME/state/ui/ — fallback when no bundled build exists
- *
- * This means GitHub-downloaded updates are applied automatically (disk wins
- * when newer), but a fresh AppImage install always works without a download.
+ *   1. OP_HOME/data/ui/ — user-installed or auto-updated build
+ *   2. Bundled / local build (Electron extraResources, OPENPALM_REPO_ROOT, source checkout)
  */
 export function resolveUiBuildDir(): string {
-  const stateBuild = join(resolveStateDir(), 'ui');
-  const localBuild = resolveLocalUiBuild();
-
-  if (existsSync(join(stateBuild, 'index.js')) && localBuild) {
-    const diskVer    = readUiVersionFile(stateBuild);
-    const bundledVer = readUiVersionFile(localBuild);
-    if (diskVer && bundledVer && compareVersionTags(diskVer, bundledVer) > 0) {
-      return stateBuild;
-    }
-    return localBuild;
-  }
-
-  if (localBuild) return localBuild;
-  return stateBuild;
+  const dataBuild = join(resolveDataDir(), 'ui');
+  if (existsSync(join(dataBuild, 'index.js'))) return dataBuild;
+  return resolveLocalUiBuild() ?? dataBuild;
 }
 
 /**
- * Install the UI build to OP_HOME/state/ui/.
+ * Install the UI build to OP_HOME/data/ui/.
  *
  * Copies from local packages/ui/build/ when running from source,
  * otherwise downloads ui-build.tar.gz from the GitHub release.
  * Called during install and update; always replaces existing content.
  *
- * state/ui/ is automatically included in backups because
- * backupOpenPalmHome() copies all of OP_HOME/state/.
+ * data/ui/ is automatically included in backups because
+ * backupOpenPalmHome() copies all of OP_HOME/data/.
  */
 /** SHA-256 hex digest of arbitrary bytes. */
 function sha256Hex(data: Uint8Array): string {
@@ -241,21 +220,14 @@ function parseChecksumsFile(content: string): Map<string, string> {
   return map;
 }
 
-export function readCurrentUiBuildVersion(stateDir: string): string | null {
-  const versionFile = join(stateDir, 'ui', 'version.txt');
-  if (!existsSync(versionFile)) return null;
-  return readFileSync(versionFile, 'utf-8').trim() || null;
-}
-
-export async function seedUiBuild(repoRef: string, stateDir: string, options?: { forceRemote?: boolean }): Promise<void> {
-  const uiDir = join(stateDir, 'ui');
+export async function seedUiBuild(repoRef: string, dataDir: string, options?: { forceRemote?: boolean }): Promise<void> {
+  const uiDir = join(dataDir, 'ui');
   mkdirSync(uiDir, { recursive: true });
 
   const local = options?.forceRemote ? null : resolveLocalUiBuild();
   if (local) {
     logger.debug('seeding UI build from local source', { src: local });
     copyTree(local, uiDir);
-    writeFileSync(join(uiDir, 'version.txt'), repoRef.replace(/^v/, ''));
     return;
   }
 
@@ -264,7 +236,7 @@ export async function seedUiBuild(repoRef: string, stateDir: string, options?: {
   const checksumUrl  = `${base}/checksums-sha256.txt`;
   logger.debug('downloading UI build', { url: tarballUrl });
 
-  const tmpTar = join(stateDir, '.ui-build.tar.gz.tmp');
+  const tmpTar = join(dataDir, '.ui-build.tar.gz.tmp');
   try {
     // Download tarball and checksums file in parallel (checksums best-effort)
     const [tarRes, csRes] = await Promise.all([
@@ -295,7 +267,6 @@ export async function seedUiBuild(repoRef: string, stateDir: string, options?: {
     mkdirSync(uiDir, { recursive: true });
     // Cross-platform extraction via the `tar` npm package — no shell dependency
     await tarExtract({ file: tmpTar, cwd: uiDir, strip: 1 });
-    writeFileSync(join(uiDir, 'version.txt'), repoRef.replace(/^v/, ''));
   } finally {
     rmSync(tmpTar, { force: true });
   }
@@ -305,14 +276,45 @@ export async function seedUiBuild(repoRef: string, stateDir: string, options?: {
 
 const GITHUB_API = 'https://api.github.com';
 
-/** Returns 1 if a > b, -1 if a < b, 0 if equal. Strips leading 'v'. */
+/** Returns 1 if a > b, -1 if a < b, 0 if equal. Strips leading 'v'. Handles pre-release tags. */
 function compareVersionTags(a: string, b: string): number {
-  const parse = (v: string) => v.replace(/^v/, '').split('.').map(Number);
-  const [aM, am, ap] = parse(a);
-  const [bM, bm, bp] = parse(b);
+  const parse = (v: string): [number, number, number, string | null] => {
+    const clean = v.replace(/^v/, '');
+    const dashIdx = clean.indexOf('-');
+    const main = dashIdx === -1 ? clean : clean.slice(0, dashIdx);
+    const pre = dashIdx === -1 ? null : clean.slice(dashIdx + 1);
+    const parts = main.split('.').map(Number);
+    return [parts[0] ?? 0, parts[1] ?? 0, parts[2] ?? 0, pre];
+  };
+  const comparePre = (x: string, y: string): number => {
+    const xp = x.split('.');
+    const yp = y.split('.');
+    for (let i = 0; i < Math.max(xp.length, yp.length); i++) {
+      if (i >= xp.length) return -1;
+      if (i >= yp.length) return 1;
+      const xn = Number(xp[i]);
+      const yn = Number(yp[i]);
+      const xIsNum = !isNaN(xn);
+      const yIsNum = !isNaN(yn);
+      if (xIsNum && yIsNum) {
+        if (xn !== yn) return xn > yn ? 1 : -1;
+      } else if (xIsNum !== yIsNum) {
+        return xIsNum ? -1 : 1; // numeric < alphanumeric per semver
+      } else {
+        if (xp[i] !== yp[i]) return xp[i]! > yp[i]! ? 1 : -1;
+      }
+    }
+    return 0;
+  };
+  const [aM, am, ap, aPre] = parse(a);
+  const [bM, bm, bp, bPre] = parse(b);
   if (aM !== bM) return aM > bM ? 1 : -1;
   if (am !== bm) return am > bm ? 1 : -1;
   if (ap !== bp) return ap > bp ? 1 : -1;
+  // Same numeric version: stable > pre-release (semver spec)
+  if (aPre === null && bPre !== null) return 1;
+  if (aPre !== null && bPre === null) return -1;
+  if (aPre !== null && bPre !== null) return comparePre(aPre, bPre);
   return 0;
 }
 
@@ -326,15 +328,15 @@ export interface UiBuildUpdateResult {
  * Check GitHub for a newer UI build and apply it if one exists.
  *
  * When an update is available:
- *   1. Move state/ui/ → state/backups/ui-{timestamp}/ (preserves the old build)
- *   2. Download ui-build.tar.gz from the latest release and extract to state/ui/
+ *   1. Move data/ui/ → data/backups/ui-{timestamp}/ (preserves the old build)
+ *   2. Download ui-build.tar.gz from the latest release and extract to data/ui/
  *
  * Non-fatal: any network or extraction error returns { updated: false, error }.
  * The caller should proceed with the existing build on failure.
  */
 export async function checkAndUpdateUiBuild(
   currentVersion: string,
-  stateDir: string,
+  dataDir: string,
 ): Promise<UiBuildUpdateResult> {
   try {
     const res = await fetch(
@@ -365,15 +367,15 @@ export async function checkAndUpdateUiBuild(
     }
 
     // Back up the existing UI build before replacing it
-    const uiDir = join(stateDir, 'ui');
+    const uiDir = join(dataDir, 'ui');
     if (existsSync(join(uiDir, 'index.js'))) {
-      const backupDir = join(stateDir, 'backups', `ui-${Date.now()}`);
-      mkdirSync(join(stateDir, 'backups'), { recursive: true });
+      const backupDir = join(resolveBackupsDir(), `ui-${Date.now()}`);
+      mkdirSync(resolveBackupsDir(), { recursive: true });
       renameSync(uiDir, backupDir);
       logger.debug('backed up UI build before update', { backup: backupDir });
     }
 
-    await seedUiBuild(latestTag, stateDir);
+    await seedUiBuild(latestTag, dataDir);
     logger.debug('UI build updated', { from: currentVersion, to: latestVersion });
 
     return { updated: true, latestVersion };

package/src/control-plane/validate.ts

@@ -2,26 +2,26 @@
  * Runtime configuration validation for the OpenPalm control plane.
  *
  * Validation is a presence check on the canonical env keys we expect in
- * the live config/stack/stack.env file. The
+ * the live config/stack files. The
  * historical schema files and external validation binary were retired in
  * #391; everything advisory is surfaced as a non-blocking warning. The
  * function never shells out and never reads schemas.
  */
 import { existsSync } from "node:fs";
-import { readStackEnv } from "./secrets.js";
+import { readStackRuntimeEnv } from "./secrets.js";
 import { getCoreSecretMappings } from "./secret-mappings.js";
 import type { ControlPlaneState } from "./types.js";
 
 // Stack-scoped env keys that must always exist and carry a non-empty value
 // for the platform to boot. Keep this list small — anything optional
 // belongs in the warning bucket instead.
-const REQUIRED_STACK_KEYS = ["OP_UI_LOGIN_PASSWORD"] as const;
+const REQUIRED_SECRET_KEYS = ["OP_UI_LOGIN_PASSWORD"] as const;
 
 /**
  * Validate the live configuration files.
  *
  * Checks:
- * 1. config/stack/stack.env exists and carries every required key with a
+ * 1. knowledge/env/stack.env exists and carries every required key with a
  *    non-empty value.
  * 2. Every secret env key in getCoreSecretMappings() is present (key only
  *    — blank values are warned about, never erred on, because operators
@@ -38,32 +38,30 @@ export async function validateProposedState(state: ControlPlaneState): Promise<{
   const errors: string[] = [];
   const warnings: string[] = [];
 
-  const stackEnvPath = `${state.stackDir}/stack.env`;
+  const stackEnvPath = `${state.stashDir}/env/stack.env`;
 
   if (!existsSync(stackEnvPath)) {
     errors.push(`ERROR: stack env file missing at ${stackEnvPath}`);
     return { ok: false, errors, warnings };
   }
 
-  const stackEnv = readStackEnv(state.stackDir);
-  const userEnv: Record<string, string> = {};
+  const runtimeEnv = readStackRuntimeEnv(state.stackDir);
 
-  for (const key of REQUIRED_STACK_KEYS) {
-    const value = stackEnv[key];
+  for (const key of REQUIRED_SECRET_KEYS) {
+    const value = runtimeEnv[key];
     if (!value || value.trim().length === 0) {
-      errors.push(`ERROR: required key ${key} is missing or empty in config/stack/stack.env`);
+      errors.push(`ERROR: required secret ${key} is missing or empty in knowledge/secrets/${key.toLowerCase()}`);
     }
   }
 
   // Every canonical secret should at least appear as a key somewhere in
   // the env files so the operator sees the slot. Missing slots warn (not
   // error) since not every provider is in use on every install.
-  for (const mapping of getCoreSecretMappings(stackEnv)) {
-    const inStack = Object.prototype.hasOwnProperty.call(stackEnv, mapping.envKey);
-    const inUser = Object.prototype.hasOwnProperty.call(userEnv, mapping.envKey);
-    if (!inStack && !inUser) {
+  for (const mapping of getCoreSecretMappings(runtimeEnv)) {
+    const inRuntime = Object.prototype.hasOwnProperty.call(runtimeEnv, mapping.envKey);
+    if (!inRuntime) {
       warnings.push(
-        `WARN: ${mapping.envKey} (akm ${mapping.secretKey}) is not declared in config/stack/stack.env`,
+        `WARN: ${mapping.envKey} (akm ${mapping.secretKey}) is not declared in knowledge/secrets/${mapping.envKey.toLowerCase()}`,
       );
     }
   }

package/src/index.ts

@@ -10,6 +10,7 @@
 export {
   LLM_PROVIDERS,
   EMBEDDING_DIMS,
+  PROVIDER_KEY_MAP,
   lookupEmbeddingDims,
 } from "./provider-constants.js";
 
@@ -75,8 +76,7 @@ export {
   resolveConfigDir,
   resolveStashDir,
   resolveWorkspaceDir,
-  resolveCacheDir,
-  resolveStateDir,
+  resolveDataDir,
   resolveStackDir,
   resolveLogsDir,
   ensureHomeDirs,
@@ -109,12 +109,36 @@ export {
   updateSecretsEnv,
   writeAuthJsonProviderKeys,
   readStackEnv,
+  readStackSecretEnv,
+  readStackRuntimeEnv,
+  writeStackSecretEnv,
   patchSecretsEnvFile,
   maskSecretValue,
   ensureOpenCodeConfig,
+  assertNoSecretLikeStackEnvKeys,
 } from "./control-plane/secrets.js";
-export { migrateAuth0110 } from "./control-plane/migrate-0110.js";
-export type { MigrateAuth0110Result } from "./control-plane/migrate-0110.js";
+export {
+  resolveSecretsDir,
+  secretPath,
+  readSecret,
+  writeSecret,
+  ensureSecret,
+  removeSecret,
+  listSecretNames,
+} from './control-plane/secrets-files.js';
+export type {
+  SecretAuditIssue,
+  SecretAuditOptions,
+  SecretAuditResult,
+  SecretAuditSeverity,
+} from "./control-plane/secret-audit.js";
+export {
+  auditComposeSecrets,
+  auditFileBasedSecrets,
+  auditSecretFilesystem,
+  auditStackEnv,
+  isSecretLikeKey,
+} from "./control-plane/secret-audit.js";
 // ── Setup Status ────────────────────────────────────────────────────────
 export {
   isSetupComplete,
@@ -156,8 +180,8 @@ export {
   buildRuntimeFileMeta,
   writeRuntimeFiles,
   writeSystemEnv,
-  readChannelSecrets,
-  writeChannelSecrets,
+  channelSecretName,
+  ensureChannelSecret,
   ensureComposeVolumeTargets,
 } from "./control-plane/config-persistence.js";
 
@@ -230,8 +254,16 @@ export { detectLocalProviders } from "./control-plane/model-runner.js";
 export {
   buildComposeOptions,
   buildComposeCliArgs,
+  resolveActiveProfiles,
+  writeRunScript,
 } from "./control-plane/compose-args.js";
 
+export {
+  addonProfileId,
+  canonicalAddonProfileSelection,
+  resolveHardwareProfileVariant,
+} from "./control-plane/profile-ids.js";
+
 // ── Compose Error Parsing ────────────────────────────────────────────────
 export type { ComposeServiceFailure } from "./control-plane/compose-errors.js";
 export {
@@ -289,16 +321,17 @@ export {
   importHostOpenCode,
 } from "./control-plane/host-opencode.js";
 
-// ── AKM Vault ────────────────────────────────────────────────────────────
+// ── AKM user env (env:user) ──────────────────────────────────────────────
 export {
-  AKM_USER_VAULT_REF,
+  AKM_USER_ENV_REF,
   buildAkmEnv,
-  ensureAkmUserVault,
-  writeAkmVaultKey,
-  deleteAkmVaultKey,
-  readAkmUserVaultFile,
-  readUserVaultSync,
-} from "./control-plane/akm-vault.js";
+  ensureAkmUserEnv,
+  writeUserEnvKey,
+  deleteUserEnvKey,
+  readUserEnvFile,
+  readUserEnvSync,
+  userEnvPathSync,
+} from "./control-plane/akm-user-env.js";
 
 // ── UI asset seeding and resolution ─────────────────────────────────────────
 export type { UiBuildUpdateResult } from "./control-plane/ui-assets.js";
@@ -309,5 +342,4 @@ export {
   resolveUiBuildDir,
   seedUiBuild,
   checkAndUpdateUiBuild,
-  readCurrentUiBuildVersion,
 } from "./control-plane/ui-assets.js";

package/src/control-plane/akm-vault.test.ts

@@ -1,105 +0,0 @@
-/**
- * Tests for the akm vault helpers. The vault helpers spawn `akm vault set
- * <ref> <key>` and feed the secret VALUE on stdin (akm-cli >= 0.8.0).
- *
- * Tests gate on the akm CLI being on PATH so the suite stays green in
- * environments without akm installed.
- */
-import { describe, expect, it, beforeEach, afterEach, mock } from "bun:test";
-import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import { execFileSync } from "node:child_process";
-import {
-  ensureAkmUserVault,
-  readAkmUserVaultFile,
-  writeAkmVaultKey,
-  deleteAkmVaultKey,
-  AKM_USER_VAULT_REF,
-} from "./akm-vault.js";
-import type { ControlPlaneState } from "./types.js";
-
-function makeState(homeDir: string): ControlPlaneState {
-  return {
-    homeDir,
-    configDir: join(homeDir, "config"),
-    stashDir: join(homeDir, "stash"),
-    workspaceDir: join(homeDir, "workspace"),
-    cacheDir: join(homeDir, "cache"),
-    stateDir: join(homeDir, "state"),
-    stackDir: join(homeDir, "stack"),
-    services: {},
-    artifacts: { compose: "" },
-    artifactMeta: [],
-  };
-}
-
-function hasAkmCli(): boolean {
-  try {
-    execFileSync("akm", ["--version"], { stdio: "ignore" });
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-const AKM_AVAILABLE = hasAkmCli();
-
-
-describe("writeAkmVaultKey", () => {
-  let homeDir: string;
-  let state: ControlPlaneState;
-
-  beforeEach(() => {
-    homeDir = mkdtempSync(join(tmpdir(), "openpalm-akm-write-"));
-    state = makeState(homeDir);
-    mkdirSync(state.stashDir, { recursive: true });
-    mkdirSync(`${state.stateDir}/cache/akm`, { recursive: true });
-  });
-
-  afterEach(() => {
-    rmSync(homeDir, { recursive: true, force: true });
-  });
-
-  it.skipIf(!AKM_AVAILABLE)("writes a key via `akm vault set` (stdin mode, no argv leak)", async () => {
-    const value = "argv-free-secret-9988";
-    const ok = await writeAkmVaultKey(state, "TOKEN", value);
-    expect(ok).toBe(true);
-
-    const vaultPath = await ensureAkmUserVault(state);
-    expect(vaultPath).not.toBeNull();
-    if (vaultPath) {
-      const stored = readAkmUserVaultFile(vaultPath);
-      expect(stored.TOKEN).toBe(value);
-    }
-  });
-
-  it.skipIf(!AKM_AVAILABLE)("deleteAkmVaultKey removes a key via `akm vault unset`", async () => {
-    await writeAkmVaultKey(state, "TOKEN_A", "value-a");
-    await writeAkmVaultKey(state, "TOKEN_B", "value-b");
-
-    const ok = await deleteAkmVaultKey(state, "TOKEN_A");
-    expect(ok).toBe(true);
-
-    const vaultPath = await ensureAkmUserVault(state);
-    if (vaultPath) {
-      const stored = readAkmUserVaultFile(vaultPath);
-      expect(stored.TOKEN_A).toBeUndefined();
-      expect(stored.TOKEN_B).toBe("value-b");
-    }
-  });
-
-  it.skipIf(!AKM_AVAILABLE)("deleteAkmVaultKey is idempotent on a missing key", async () => {
-    // Deleting a key that was never set should not throw — `akm vault unset`
-    // either exits 0 or emits a "not found" message we tolerate.
-    const ok = await deleteAkmVaultKey(state, "NEVER_SET_KEY");
-    expect(ok).toBe(true);
-  });
-});
-
-
-describe("AKM_USER_VAULT_REF", () => {
-  it("exports the canonical akm ref string", () => {
-    expect(AKM_USER_VAULT_REF).toBe("vault:user");
-  });
-});