npm - @openpalm/lib - Versions diffs - 0.11.0-beta.11 → 0.11.0-beta.13 - Mend

@openpalm/lib 0.11.0-beta.11 → 0.11.0-beta.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/README.md +1 -1
package/package.json +1 -1
package/src/control-plane/akm-user-env.test.ts +113 -0
package/src/control-plane/akm-user-env.ts +144 -0
package/src/control-plane/backup.ts +14 -5
package/src/control-plane/channels.ts +48 -29
package/src/control-plane/cleanup-guardrails.test.ts +1 -1
package/src/control-plane/compose-args.test.ts +90 -31
package/src/control-plane/compose-args.ts +119 -9
package/src/control-plane/config-persistence.ts +87 -133
package/src/control-plane/core-assets.test.ts +9 -9
package/src/control-plane/core-assets.ts +24 -8
package/src/control-plane/docker.ts +15 -14
package/src/control-plane/env.test.ts +10 -10
package/src/control-plane/env.ts +1 -1
package/src/control-plane/extends-support.test.ts +8 -8
package/src/control-plane/home.ts +34 -46
package/src/control-plane/host-opencode.test.ts +82 -10
package/src/control-plane/host-opencode.ts +42 -13
package/src/control-plane/install-edge-cases.test.ts +94 -102
package/src/control-plane/install-lock.ts +7 -7
package/src/control-plane/lifecycle.ts +36 -34
package/src/control-plane/markdown-task.ts +30 -50
package/src/control-plane/paths.ts +62 -42
package/src/control-plane/profile-ids.ts +21 -0
package/src/control-plane/provider-models.ts +3 -3
package/src/control-plane/registry.test.ts +97 -88
package/src/control-plane/registry.ts +142 -110
package/src/control-plane/rollback.ts +8 -38
package/src/control-plane/scheduler.ts +7 -7
package/src/control-plane/secret-audit.test.ts +159 -0
package/src/control-plane/secret-audit.ts +255 -0
package/src/control-plane/secret-mappings.ts +2 -2
package/src/control-plane/secrets-files.test.ts +60 -0
package/src/control-plane/secrets-files.ts +66 -0
package/src/control-plane/secrets.ts +113 -86
package/src/control-plane/setup-config.schema.json +1 -1
package/src/control-plane/setup-status.ts +6 -11
package/src/control-plane/setup.test.ts +42 -40
package/src/control-plane/setup.ts +36 -31
package/src/control-plane/skeleton-guardrail.test.ts +64 -55
package/src/control-plane/spec-to-env.test.ts +22 -17
package/src/control-plane/spec-to-env.ts +7 -2
package/src/control-plane/stack-spec.test.ts +10 -0
package/src/control-plane/stack-spec.ts +28 -1
package/src/control-plane/types.ts +2 -4
package/src/control-plane/ui-assets.ts +60 -58
package/src/control-plane/validate.ts +13 -15
package/src/index.ts +47 -15
package/src/control-plane/akm-vault.test.ts +0 -105
package/src/control-plane/akm-vault.ts +0 -311
package/src/control-plane/migrate-0110.test.ts +0 -177
package/src/control-plane/migrate-0110.ts +0 -99
package/src/control-plane/registry-components.test.ts +0 -391

package/src/control-plane/host-opencode.ts CHANGED Viewed

@@ -11,12 +11,14 @@
  *   - auth.json is copied byte-for-byte and chmodded 0o600. Its contents
  *     are never parsed, logged, or returned to callers.
  *   - opencode.json is parsed to strip plugin/mcp/permission keys before
- *     writing; only provider/model/small_model/disabled_providers are kept.
+ *     writing; provider definitions are always kept, and top-level model
+ *     defaults are imported only when OP_HOME does not already define them.
  *   - Conflict detection compares provider IDs; existing credentials are
  *     preserved unless overwriteConflicts=true.
  */
 import { existsSync, mkdirSync, readFileSync, writeFileSync, chmodSync, copyFileSync } from "node:fs";
 import { homedir } from "node:os";
+import { dirname } from "node:path";
 import type { ControlPlaneState } from "./types.js";
 import { authJsonPath, assistantConfigDir } from "./paths.js";
@@ -31,6 +33,8 @@ export type HostOpenCodeStatus = {
   providerCount: number;
   /** Number of credential entries in auth.json (0 when not found) */
   credentialCount: number;
+  /** Model preferences from the host's opencode.json, if present */
+  modelPreferences?: { model?: string; small_model?: string };
 };
 export type HostImportResult = {
@@ -64,7 +68,7 @@ function hostAuthJsonPath(): string {
 // ── opencode.json parsing ────────────────────────────────────────────────────
-/** Keys that are safe to import from host opencode.json into OP_HOME config */
+/** Keys that are safe to import from host opencode.json into OP_HOME config. */
 const ALLOWED_CONFIG_KEYS = new Set(["$schema", "provider", "model", "small_model", "disabled_providers"]);
 type OpenCodeJson = Record<string, unknown>;
@@ -78,8 +82,18 @@ function readJsonFileSafe(path: string): OpenCodeJson | null {
 }
 function stripDisallowedKeys(obj: OpenCodeJson): OpenCodeJson {
+  const next: OpenCodeJson = {};
+  if (typeof obj.$schema === 'string') next.$schema = obj.$schema;
+  if (obj.provider && typeof obj.provider === 'object' && !Array.isArray(obj.provider)) {
+    next.provider = obj.provider;
+  }
+  if (typeof obj.model === 'string') next.model = obj.model;
+  if (typeof obj.small_model === 'string') next.small_model = obj.small_model;
+  if (Array.isArray(obj.disabled_providers) && obj.disabled_providers.every((entry) => typeof entry === 'string')) {
+    next.disabled_providers = obj.disabled_providers;
+  }
   return Object.fromEntries(
-    Object.entries(obj).filter(([k]) => ALLOWED_CONFIG_KEYS.has(k))
+    Object.entries(next).filter(([k]) => ALLOWED_CONFIG_KEYS.has(k))
   );
 }
@@ -116,9 +130,16 @@ export function detectHostOpenCode(): HostOpenCodeStatus {
   }
   let providerCount = 0;
+  let modelPreferences: { model?: string; small_model?: string } | undefined;
   if (configExists) {
     const parsed = readJsonFileSafe(configPath);
     providerCount = parsed ? countProviders(parsed) : 0;
+    if (parsed) {
+      const prefs: { model?: string; small_model?: string } = {};
+      if (typeof parsed.model === 'string' && parsed.model) prefs.model = parsed.model;
+      if (typeof parsed.small_model === 'string' && parsed.small_model) prefs.small_model = parsed.small_model;
+      if (prefs.model || prefs.small_model) modelPreferences = prefs;
+    }
   }
   let credentialCount = 0;
@@ -131,6 +152,7 @@ export function detectHostOpenCode(): HostOpenCodeStatus {
     authPath: authExists ? authPath : undefined,
     providerCount,
     credentialCount,
+    ...(modelPreferences ? { modelPreferences } : {}),
   };
 }
@@ -181,21 +203,28 @@ export function importHostOpenCode(
         }
       }
-      const merged: OpenCodeJson = {
-        ...existing,
-        ...sanitized,
-        ...(Object.keys(mergedProviders).length > 0 ? { provider: mergedProviders } : {}),
-      };
-      writeFileSync(destPath, JSON.stringify(merged, null, 2) + "\n");
-    }
+       const merged: OpenCodeJson = {
+         ...existing,
+         ...(typeof existing.$schema === 'undefined' && typeof sanitized.$schema !== 'undefined'
+           ? { $schema: sanitized.$schema }
+           : {}),
+         ...(Object.keys(mergedProviders).length > 0 ? { provider: mergedProviders } : {}),
+       };
+       for (const key of ["model", "small_model", "disabled_providers"] as const) {
+         if (typeof merged[key] === 'undefined' && typeof sanitized[key] !== 'undefined') {
+           merged[key] = sanitized[key];
+         }
+       }
+       writeFileSync(destPath, JSON.stringify(merged, null, 2) + "\n");
+     }
   }
   // ── auth.json ──────────────────────────────────────────────────────────
   if (status.authPath) {
     const destPath = authJsonPath(state);
-    const destDir = state.configDir;
-    mkdirSync(destDir, { recursive: true });
+    mkdirSync(dirname(destPath), { recursive: true, mode: 0o700 });
     if (existsSync(destPath) && !overwriteConflicts) {
       // Merge: copy only keys that do not already exist in OP_HOME auth.json

package/src/control-plane/install-edge-cases.test.ts CHANGED Viewed

@@ -2,7 +2,7 @@
  * Edge-case tests for the OpenPalm install and setup flow.
  *
  * Each test creates its own temp directory tree mimicking the single
- * ~/.openpalm/ root layout (config, vault, data, logs), then runs the
+ * ~/.openpalm/ root layout (config, knowledge, data, logs), then runs the
  * actual library functions against it. No mocks of code under test.
  */
 import { describe, expect, it, beforeEach, afterEach } from "bun:test";
@@ -28,6 +28,7 @@ import {
 import type { SetupSpec, SetupConnection } from "./setup.js";
 import type { ControlPlaneState } from "./types.js";
 import { STACK_SPEC_FILENAME, readStackSpec } from "./stack-spec.js";
+import { readSecret } from './secrets-files.js';
 // ── Helpers ──────────────────────────────────────────────────────────────
@@ -55,70 +56,70 @@ function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
 function seedRequiredAssets(homeDir: string): void {
   mkdirSync(join(homeDir, "config", "stack"), { recursive: true });
   writeFileSync(join(homeDir, "config", "stack", "core.compose.yml"), "services:\n  assistant:\n    image: assistant:latest\n");
-  mkdirSync(join(homeDir, "state", "assistant"), { recursive: true });
-  writeFileSync(join(homeDir, "state", "assistant", "opencode.jsonc"), '{"$schema":"https://opencode.ai/config.json"}\n');
-  writeFileSync(join(homeDir, "state", "assistant", "AGENTS.md"), "# Agents\n");
-  mkdirSync(join(homeDir, "state"), { recursive: true });
-  // Automations live in state/registry/automations (shipped catalog) and stash/tasks (user tasks)
-  mkdirSync(join(homeDir, "state", "registry", "automations"), { recursive: true });
-  writeFileSync(join(homeDir, "state", "registry", "automations", "cleanup-logs.md"), "---\nschedule: \"0 4 * * 0\"\ndescription: cleanup logs\n---\n");
-  writeFileSync(join(homeDir, "state", "registry", "automations", "cleanup-data.md"), "---\nschedule: \"0 5 * * 0\"\ndescription: cleanup data\n---\n");
-  writeFileSync(join(homeDir, "state", "registry", "automations", "validate-config.md"), "---\nschedule: \"0 3 * * *\"\ndescription: validate config\n---\n");
+  mkdirSync(join(homeDir, "data", "assistant"), { recursive: true });
+  writeFileSync(join(homeDir, "data", "assistant", "opencode.jsonc"), '{"$schema":"https://opencode.ai/config.json"}\n');
+  writeFileSync(join(homeDir, "data", "assistant", "AGENTS.md"), "# Agents\n");
+  mkdirSync(join(homeDir, "data"), { recursive: true });
+  // Automations live in knowledge/tasks as AKM-owned task files.
+  mkdirSync(join(homeDir, "knowledge", "tasks"), { recursive: true });
+  writeFileSync(join(homeDir, "knowledge", "tasks", "cleanup-logs.yml"), "schedule: \"0 4 * * 0\"\ndescription: cleanup logs\ncommand: [\"echo\",\"clean\"]\n");
+  writeFileSync(join(homeDir, "knowledge", "tasks", "cleanup-data.yml"), "schedule: \"0 5 * * 0\"\ndescription: cleanup data\ncommand: [\"echo\",\"clean\"]\n");
+  writeFileSync(join(homeDir, "knowledge", "tasks", "validate-config.yml"), "schedule: \"0 3 * * *\"\ndescription: validate config\ncommand: [\"echo\",\"clean\"]\n");
 }
 // ── Shared test fixture ──────────────────────────────────────────────────
 let homeDir: string;
 let configDir: string;
-let stateDir: string;
+let dataDir: string;
 let stackDir: string;
-let cacheDir: string;
 const savedEnv: Record<string, string | undefined> = {};
 function saveAndSetEnv(): void {
   savedEnv.OP_HOME = process.env.OP_HOME;
+  savedEnv.OP_UI_LOGIN_PASSWORD = process.env.OP_UI_LOGIN_PASSWORD;
+  savedEnv.OP_OPENCODE_PASSWORD = process.env.OP_OPENCODE_PASSWORD;
   process.env.OP_HOME = homeDir;
+  delete process.env.OP_UI_LOGIN_PASSWORD;
+  delete process.env.OP_OPENCODE_PASSWORD;
 }
 function restoreEnv(): void {
-  process.env.OP_HOME = savedEnv.OP_HOME;
+  if (savedEnv.OP_HOME === undefined) delete process.env.OP_HOME;
+  else process.env.OP_HOME = savedEnv.OP_HOME;
+  if (savedEnv.OP_UI_LOGIN_PASSWORD === undefined) delete process.env.OP_UI_LOGIN_PASSWORD;
+  else process.env.OP_UI_LOGIN_PASSWORD = savedEnv.OP_UI_LOGIN_PASSWORD;
+  if (savedEnv.OP_OPENCODE_PASSWORD === undefined) delete process.env.OP_OPENCODE_PASSWORD;
+  else process.env.OP_OPENCODE_PASSWORD = savedEnv.OP_OPENCODE_PASSWORD;
 }
 /** Create a full directory tree matching ensureHomeDirs() output. */
 function createFullDirTree(): void {
   homeDir = mkdtempSync(join(tmpdir(), "openpalm-edge-"));
   configDir = join(homeDir, "config");
-  stateDir = join(homeDir, "state");
+  dataDir = join(homeDir, "data");
   stackDir = join(configDir, "stack");
-  cacheDir = join(homeDir, "cache");
   for (const dir of [
     homeDir,
     configDir,
-    join(homeDir, "state", "registry", "automations"),
     join(configDir, "assistant"),
     join(configDir, "akm"),
-    join(homeDir, "stash"),
+    join(homeDir, "knowledge"),
+    join(homeDir, "knowledge", "env"),
+    join(homeDir, "knowledge", "secrets"),
     join(homeDir, "workspace"),
     stackDir,
-    join(stackDir, "addons"),
-    stateDir,
-    join(stateDir, "assistant"),
-    join(stateDir, "admin"),
-    join(stateDir, "guardian"),
-    join(stateDir, "logs"),
-    join(stateDir, "logs", "opencode"),
-    join(stateDir, "registry"),
-    join(stateDir, "registry", "addons"),
-    join(stateDir, "backups"),
-    join(stateDir, "akm"),
-    join(stateDir, "akm", "data"),
-    join(stateDir, "akm", "state"),
-    cacheDir,
-    join(cacheDir, "akm"),
-    join(cacheDir, "guardian"),
-    join(cacheDir, "rollback"),
+    dataDir,
+    join(dataDir, "assistant"),
+    join(dataDir, "admin"),
+    join(dataDir, "guardian"),
+    join(dataDir, "akm", "cache"),
+    join(dataDir, "akm", "data"),
+    join(dataDir, "logs"),
+    join(dataDir, "backups"),
+    join(dataDir, "rollback"),
   ]) {
     mkdirSync(dir, { recursive: true });
   }
@@ -132,16 +133,10 @@ function seedMinimalEnvFiles(): void {
   mkdirSync(stackDir, { recursive: true });
   writeFileSync(
-    join(stackDir, "stack.env"),
+    join(homeDir, "knowledge", "env", "stack.env"),
     [
       "# OpenPalm — Stack Configuration",
-      "OP_UI_LOGIN_PASSWORD=",
-      "OPENAI_API_KEY=",
       "OPENAI_BASE_URL=",
-      "ANTHROPIC_API_KEY=",
-      "GROQ_API_KEY=",
-      "MISTRAL_API_KEY=",
-      "GOOGLE_API_KEY=",
       "OP_OWNER_NAME=",
       "OP_OWNER_EMAIL=",
       "",
@@ -166,16 +161,15 @@ describe("Fresh Install", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
-  // Scenario 1: ensureSecrets does NOT seed user.env (see akm-vault) but
+  // Scenario 1: ensureSecrets does NOT seed user.env (see akm-user-env) but
   // does create stack.env with required keys when files do not exist.
-  it("ensureSecrets creates state/stack.env with required keys on fresh install", () => {
+  it("ensureSecrets creates stack.env with required keys on fresh install", () => {
     const state: ControlPlaneState = {
       homeDir,
       configDir,
-      stashDir: join(homeDir, "stash"),
+      stashDir: join(homeDir, "knowledge"),
       workspaceDir: join(homeDir, "workspace"),
-      cacheDir,
-      stateDir,
+      dataDir,
       stackDir,
       services: {},
       artifacts: { compose: "" },
@@ -184,17 +178,18 @@ describe("Fresh Install", () => {
     ensureSecrets(state);
-    // API keys and owner info are seeded in state/stack.env.
-    const stackContent = readFileSync(join(stackDir, "stack.env"), "utf-8");
-    expect(stackContent).toContain("OPENAI_API_KEY=");
-    expect(stackContent).toContain("OP_OWNER_NAME=");
+    // stack.env only carries non-secret setup/config keys.
+    const stackContent = readFileSync(join(homeDir, "knowledge", "env", "stack.env"), "utf-8");
+    expect(stackContent).not.toContain("OPENAI_API_KEY=");
+    expect(stackContent).toContain("OP_SETUP_COMPLETE=false");
+    expect(readSecret(stackDir, 'op_ui_login_password')).toBeNull();
   });
   // Scenario 2: isSetupComplete returns false before setup
   it("isSetupComplete returns false when stack.env has OP_SETUP_COMPLETE=false", () => {
-    mkdirSync(stateDir, { recursive: true });
+    mkdirSync(dataDir, { recursive: true });
     writeFileSync(
-      join(stackDir, "stack.env"),
+      join(homeDir, "knowledge", "env", "stack.env"),
       "OP_SETUP_COMPLETE=false\n"
     );
@@ -223,7 +218,7 @@ describe("Fresh Install", () => {
     await performSetup(makeValidSpec());
-    const stackEnv = readFileSync(join(stackDir, "stack.env"), "utf-8");
+    const stackEnv = readFileSync(join(homeDir, "knowledge", "env", "stack.env"), "utf-8");
     const parsed = parseEnvContent(stackEnv);
     // Either entirely absent, or still the seeded "false" — never "true".
     expect(parsed.OP_SETUP_COMPLETE === undefined || parsed.OP_SETUP_COMPLETE === "false").toBe(true);
@@ -246,18 +241,17 @@ describe("Existing Install", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
-  // Scenario 5: ensureSecrets does NOT overwrite existing stack.env
-  it("ensureSecrets does not overwrite existing stack.env tokens", () => {
-    mkdirSync(stateDir, { recursive: true });
-    writeFileSync(join(stackDir, "stack.env"), "OP_UI_LOGIN_PASSWORD=my-custom-password\n");
+  // Scenario 5: ensureSecrets creates file-based secrets without stack.env tokens
+  it("ensureSecrets creates file-based system secrets", () => {
+    mkdirSync(dataDir, { recursive: true });
+    writeFileSync(join(homeDir, "knowledge", "env", "stack.env"), "OP_SETUP_COMPLETE=false\n");
     const state: ControlPlaneState = {
       homeDir,
       configDir,
-      stashDir: join(homeDir, "stash"),
+      stashDir: join(homeDir, "knowledge"),
       workspaceDir: join(homeDir, "workspace"),
-      cacheDir,
-      stateDir,
+      dataDir,
       stackDir,
       services: {},
       artifacts: { compose: "" },
@@ -266,25 +260,23 @@ describe("Existing Install", () => {
     ensureSecrets(state);
-    // Existing password must be preserved
-    const afterContent = readFileSync(join(stackDir, "stack.env"), "utf-8");
-    expect(afterContent).toContain("OP_UI_LOGIN_PASSWORD=my-custom-password");
+    const afterContent = readFileSync(join(homeDir, "knowledge", "env", "stack.env"), "utf-8");
+    expect(afterContent).not.toContain("OP_UI_LOGIN_PASSWORD=");
+    expect(readSecret(stackDir, 'op_ui_login_password')).toBeNull();
   });
   // Scenario 6: performSetup re-run rewrites OP_UI_LOGIN_PASSWORD when the
   // operator supplies a new one in the spec. This is intentional — the
   // wizard "rerun" path is how an operator rotates the password. The
   // legacy OP_ASSISTANT_TOKEN preservation test was removed with the token.
-  it("performSetup re-run rewrites OP_UI_LOGIN_PASSWORD when spec changes", async () => {
+  it("performSetup re-run rewrites OP_UI_LOGIN_PASSWORD secret file when spec changes", async () => {
     await performSetup(makeValidSpec({ security: { uiLoginPassword: "first-password-12345" } }));
-    const afterFirst = readFileSync(join(stackDir, "stack.env"), "utf-8");
-    expect(afterFirst).toContain("OP_UI_LOGIN_PASSWORD=first-password-12345");
+    expect(readSecret(stackDir, 'op_ui_login_password')).toBe("first-password-12345\n");
     await performSetup(makeValidSpec({ security: { uiLoginPassword: "second-password-12345" } }));
-    const afterSecond = readFileSync(join(stackDir, "stack.env"), "utf-8");
-    expect(afterSecond).toContain("OP_UI_LOGIN_PASSWORD=second-password-12345");
+    expect(readSecret(stackDir, 'op_ui_login_password')).toBe("second-password-12345\n");
   });
   // Scenario 7: performSetup must NOT mark OP_SETUP_COMPLETE — see scenario
@@ -294,7 +286,7 @@ describe("Existing Install", () => {
     await performSetup(makeValidSpec());
     const stackEnv = readFileSync(
-      join(stackDir, "stack.env"),
+      join(homeDir, "knowledge", "env", "stack.env"),
       "utf-8"
     );
     const parsed = parseEnvContent(stackEnv);
@@ -328,9 +320,8 @@ describe("Existing Install", () => {
     expect(specAfterSecond).not.toBeNull();
     expect(specAfterSecond!.version).toBe(2);
-    // stack.env should retain both keys
-    const secrets = readFileSync(join(stackDir, "stack.env"), "utf-8");
-    expect(secrets).toContain("GROQ_API_KEY");
+    const auth = JSON.parse(readFileSync(join(homeDir, "knowledge", "secrets", "auth.json"), "utf-8"));
+    expect(auth.groq.key).toBe("gsk-test-key-456");
   });
 });
@@ -351,16 +342,15 @@ describe("Broken/Corrupt State", () => {
   // Scenario 9: ensureSecrets is idempotent on repeated calls
   it("ensureSecrets is idempotent — second call does not overwrite existing stack.env", () => {
-    mkdirSync(stateDir, { recursive: true });
-    writeFileSync(join(stackDir, "stack.env"), "OP_UI_LOGIN_PASSWORD=existing-password\n");
+    mkdirSync(dataDir, { recursive: true });
+    writeFileSync(join(homeDir, "knowledge", "env", "stack.env"), "OP_SETUP_COMPLETE=false\n");
     const state: ControlPlaneState = {
       homeDir,
       configDir,
-      stashDir: join(homeDir, "stash"),
+      stashDir: join(homeDir, "knowledge"),
       workspaceDir: join(homeDir, "workspace"),
-      cacheDir,
-      stateDir,
+      dataDir,
       stackDir,
       services: {},
       artifacts: { compose: "" },
@@ -369,9 +359,10 @@ describe("Broken/Corrupt State", () => {
     ensureSecrets(state);
-    // Existing password must be preserved
-    const content = readFileSync(join(stackDir, "stack.env"), "utf-8");
-    expect(content).toContain("OP_UI_LOGIN_PASSWORD=existing-password");
+    // Existing non-secret stack config must be preserved.
+    const content = readFileSync(join(homeDir, "knowledge", "env", "stack.env"), "utf-8");
+    expect(content).toContain("OP_SETUP_COMPLETE=false");
+    expect(content).not.toContain("OP_UI_LOGIN_PASSWORD=");
   });
   // Scenario 10: env file with malformed lines
@@ -388,10 +379,10 @@ describe("Broken/Corrupt State", () => {
       "  # indented comment",
     ].join("\n");
-    mkdirSync(stateDir, { recursive: true });
-    writeFileSync(join(stateDir, "test.env"), malformedContent);
+    mkdirSync(dataDir, { recursive: true });
+    writeFileSync(join(dataDir, "test.env"), malformedContent);
-    const parsed = parseEnvFile(join(stateDir, "test.env"));
+    const parsed = parseEnvFile(join(dataDir, "test.env"));
     expect(parsed.VALID_KEY).toBe("valid_value");
     expect(parsed.EXPORTED_KEY).toBe("exported_value");
     expect(parsed.ANOTHER_VALID).toBe("value");
@@ -400,23 +391,25 @@ describe("Broken/Corrupt State", () => {
   // Scenario 11: stack.env missing OP_SETUP_COMPLETE
   it("isSetupComplete falls back to token check when OP_SETUP_COMPLETE missing", () => {
     // stack.env without OP_SETUP_COMPLETE
-    mkdirSync(stateDir, { recursive: true });
+    mkdirSync(dataDir, { recursive: true });
     writeFileSync(
-      join(stackDir, "stack.env"),
+      join(homeDir, "knowledge", "env", "stack.env"),
       "OP_IMAGE_TAG=latest\n"
     );
     expect(isSetupComplete(stackDir)).toBe(false);
   });
-  it("isSetupComplete falls back to true when UI login password is set but OP_SETUP_COMPLETE missing", () => {
-    mkdirSync(stateDir, { recursive: true });
+  it("isSetupComplete returns false when OP_UI_LOGIN_PASSWORD is set but OP_SETUP_COMPLETE is missing", () => {
+    mkdirSync(dataDir, { recursive: true });
     writeFileSync(
-      join(stackDir, "stack.env"),
+      join(homeDir, "knowledge", "env", "stack.env"),
       "OP_IMAGE_TAG=latest\nexport OP_UI_LOGIN_PASSWORD=my-real-password\n"
     );
-    expect(isSetupComplete(stackDir)).toBe(true);
+    // Password alone is no longer a proxy for setup completion.
+    // Only OP_SETUP_COMPLETE=true counts.
+    expect(isSetupComplete(stackDir)).toBe(false);
   });
   // Scenario 12: API key with special characters round-trips
@@ -441,13 +434,13 @@ describe("Broken/Corrupt State", () => {
     expect(spec).toBeNull();
   });
-  // Scenario 14: stash/tasks dir missing (performSetup should recreate it via ensureHomeDirs)
+  // Scenario 14: knowledge/tasks dir missing (performSetup should recreate it via ensureHomeDirs)
   it("performSetup creates missing subdirectories", async () => {
     // Seed the minimal env files first
     seedMinimalEnvFiles();
-    // Remove stash/tasks dir (performSetup should recreate it via ensureHomeDirs)
-    rmSync(join(homeDir, "stash", "tasks"), { recursive: true, force: true });
+    // Remove knowledge/tasks dir (performSetup should recreate it via ensureHomeDirs)
+    rmSync(join(homeDir, "knowledge", "tasks"), { recursive: true, force: true });
     const result = await performSetup(
       makeValidSpec()
@@ -458,8 +451,8 @@ describe("Broken/Corrupt State", () => {
     expect(existsSync(join(homeDir, "config", "stack", "core.compose.yml"))).toBe(
       true
     );
-    // stash/tasks dir should be recreated by ensureHomeDirs
-    expect(existsSync(join(homeDir, "stash", "tasks"))).toBe(true);
+    // knowledge/tasks dir should be recreated by ensureHomeDirs
+    expect(existsSync(join(homeDir, "knowledge", "tasks"))).toBe(true);
   });
   // Scenario 15: openpalm.yaml with old version
@@ -489,15 +482,15 @@ describe("Environment Edge Cases", () => {
     rmSync(homeDir, { recursive: true, force: true });
   });
-  // Scenario 16: isSetupComplete picks up OP_UI_LOGIN_PASSWORD when set
-  it("isSetupComplete detects OP_UI_LOGIN_PASSWORD", () => {
-    mkdirSync(stateDir, { recursive: true });
+  // Scenario 16: isSetupComplete requires explicit OP_SETUP_COMPLETE=true
+  it("isSetupComplete returns false when only OP_UI_LOGIN_PASSWORD is set", () => {
+    mkdirSync(dataDir, { recursive: true });
     writeFileSync(
-      join(stackDir, "stack.env"),
+      join(homeDir, "knowledge", "env", "stack.env"),
       "SOME_OTHER_KEY=value\nexport OP_UI_LOGIN_PASSWORD=real-password-here\n"
     );
-    expect(isSetupComplete(stackDir)).toBe(true);
+    expect(isSetupComplete(stackDir)).toBe(false);
   });
   // Scenario 17: export prefix on env vars
@@ -667,11 +660,10 @@ describe("performSetup end-to-end artifacts", () => {
     ).toBe(true);
   });
-  it("writes the UI login password to stack.env", async () => {
+  it("writes the UI login password to a secret file", async () => {
     await performSetup(makeValidSpec());
-    const secrets = parseEnvFile(join(stackDir, "stack.env"));
-    expect(secrets.OP_UI_LOGIN_PASSWORD).toBe("test-admin-token-12345");
+    expect(readSecret(stackDir, 'op_ui_login_password')).toBe("test-admin-token-12345\n");
   });
   it("writes akm config with llm provider and model", async () => {

package/src/control-plane/install-lock.ts CHANGED Viewed

@@ -3,7 +3,7 @@
  *
  * Both `performSetup` (config writes) and `startDeploy` (Docker work) need an
  * exclusive lock against concurrent installs. The lock file lives at
- * `<stateDir>/.install.lock` and contains `<pid>\n<timestamp>\n`.
+ * `<dataDir>/.install.lock` and contains `<pid>\n<timestamp>\n`.
  *
  * Self-healing rules:
  *  - On EEXIST, parse the holder PID. If the process is gone (`process.kill(pid, 0)`
@@ -89,23 +89,23 @@ function tryCreate(path: string): boolean {
 }
 /**
- * Try to acquire the install lock under `stateDir`. Returns a handle on
+ * Try to acquire the install lock under `dataDir`. Returns a handle on
  * success or null if the lock is held by a live, recent install (or on any
  * unexpected filesystem error — caller should surface "install_in_progress").
  *
  * Callers MUST call `releaseInstallLock()` in a finally block when done.
  */
-export function acquireInstallLock(stateDir: string): InstallLockHandle | null {
+export function acquireInstallLock(dataDir: string): InstallLockHandle | null {
   try {
-    mkdirSync(stateDir, { recursive: true });
+    mkdirSync(dataDir, { recursive: true });
   } catch (err) {
-    logger.warn("failed to ensure state dir for install lock", {
-      stateDir,
+    logger.warn("failed to ensure data dir for install lock", {
+      dataDir,
       error: err instanceof Error ? err.message : String(err),
     });
     return null;
   }
-  const path = join(stateDir, ".install.lock");
+  const path = join(dataDir, ".install.lock");
   try {
     if (tryCreate(path)) return { path };