@openpalm/lib 0.11.0-beta.11 → 0.11.0-beta.14

package/src/control-plane/secrets.ts

@@ -1,11 +1,12 @@
 /** Secrets and capability key management. */
 import { mkdirSync, writeFileSync, readFileSync, existsSync, chmodSync, lstatSync, rmSync, renameSync } from "node:fs";
-import { randomBytes } from "node:crypto";
 import { createLogger } from "../logger.js";
 import { parseEnvFile, mergeEnvContent } from './env.js';
-import { migrateAuth0110 } from './migrate-0110.js';
 import type { ControlPlaneState } from "./types.js";
 import { resolveConfigDir } from "./home.js";
+import { authJsonPath as resolveAuthJsonPath, stackEnvPathFromStackDir } from "./paths.js";
+import { dirname } from "node:path";
+import { listSecretNames, readSecret, resolveSecretsDir, writeSecret } from './secrets-files.js';
 
 const OPENCODE_STARTER_CONFIG = JSON.stringify({ $schema: "https://opencode.ai/config.json" }, null, 2) + "\n";
 const logger = createLogger("secrets");
@@ -22,6 +23,22 @@ export const PLAIN_CONFIG_KEYS = new Set([
 const VAULT_DIR_MODE = 0o700;
 const VAULT_FILE_MODE = 0o600;
 
+export const SECRET_ENV_KEY_RE = /(?:^OP_UI_LOGIN_PASSWORD$|^OP_OPENCODE_PASSWORD$|_API_KEY$|_TOKEN$|_SECRET$|_PASSWORD$)/;
+const SECRET_LIKE_STACK_ENV_KEY_RE = /(SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE_KEY|CLIENT_SECRET|AUTH_JSON|CREDENTIALS)/;
+const NON_SECRET_STACK_ENV_KEY_ALLOWLIST = new Set<string>();
+
+export function isSecretLikeStackEnvKey(key: string): boolean {
+  return SECRET_LIKE_STACK_ENV_KEY_RE.test(key) && !NON_SECRET_STACK_ENV_KEY_ALLOWLIST.has(key);
+}
+
+export function assertNoSecretLikeStackEnvKeys(updates: Record<string, string>): void {
+  for (const key of Object.keys(updates)) {
+    if (isSecretLikeStackEnvKey(key)) {
+      throw new Error(`Refusing to write secret-like key to stack.env: ${key}`);
+    }
+  }
+}
+
 function enforceVaultDirMode(vaultDir: string): void {
   mkdirSync(vaultDir, { recursive: true, mode: VAULT_DIR_MODE });
   try {
@@ -46,8 +63,39 @@ function writeVaultFile(path: string, content: string): void {
   }
 }
 
+export function stackSecretsDir(stackDir: string): string {
+  return resolveSecretsDir(stackDir);
+}
+
+export function stackSecretPath(stackDir: string, envKey: string): string {
+  return `${stackSecretsDir(stackDir)}/${envKey.toLowerCase()}`;
+}
+
+export function readStackSecretEnv(stackDir: string): Record<string, string> {
+  const out: Record<string, string> = {};
+  for (const name of listSecretNames(stackDir)) {
+    const envKey = name.toUpperCase();
+    try {
+      out[envKey] = (readSecret(stackDir, name) ?? '').replace(/[\r\n]+$/, '');
+    } catch {
+      // ignore unreadable secret files; callers treat missing values as absent
+    }
+  }
+  return out;
+}
+
+export function writeStackSecretEnv(state: ControlPlaneState, updates: Record<string, string>): void {
+  if (Object.keys(updates).length === 0) return;
+  resolveSecretsDir(state.stackDir);
+  for (const [envKey, value] of Object.entries(updates)) {
+    if (!/^[A-Z0-9_]+$/.test(envKey)) throw new Error(`Invalid secret env key: ${envKey}`);
+    writeSecret(state.stackDir, envKey.toLowerCase(), value.endsWith('\n') ? value : `${value}\n`);
+  }
+}
+
 function mergeVaultEnvFile(path: string, updates: Record<string, string>, uncomment = false): void {
   if (Object.keys(updates).length === 0) return;
+  assertNoSecretLikeStackEnvKeys(updates);
   const raw = existsSync(path) ? readFileSync(path, "utf-8") : "";
   let merged = mergeEnvContent(raw, updates, { uncomment });
   if (!merged.endsWith("\n")) merged += "\n";
@@ -55,88 +103,45 @@ function mergeVaultEnvFile(path: string, updates: Record<string, string>, uncomm
 }
 
 function ensureSystemSecrets(state: ControlPlaneState): void {
-  const systemEnvPath = `${state.stackDir}/stack.env`;
-  const existing = existsSync(systemEnvPath) ? parseEnvFile(systemEnvPath) : {};
+  const systemEnvPath = `${state.stashDir}/env/stack.env`;
+  enforceVaultDirMode(dirname(systemEnvPath));
   const updates: Record<string, string> = {};
 
-  // OP_UI_LOGIN_PASSWORD seeds the operator login secret. ensureSecrets
-  // generates a random fallback the first time so the stack is never
-  // installed with an empty password slot; the wizard / CLI install path
-  // overwrites it with the operator's chosen value via
-  // buildSystemSecretsFromSetup().
-  if (!existing.OP_UI_LOGIN_PASSWORD) {
-    updates.OP_UI_LOGIN_PASSWORD = randomBytes(32).toString("hex");
+  // Bootstrap only explicit host-provided overrides. Setup is allowed to be
+  // genuinely unconfigured until the wizard/CLI writes the chosen password.
+  if (process.env.OP_UI_LOGIN_PASSWORD) {
+    updates.OP_UI_LOGIN_PASSWORD = process.env.OP_UI_LOGIN_PASSWORD;
+  }
+  if (process.env.OP_OPENCODE_PASSWORD) {
+    updates.OP_OPENCODE_PASSWORD = process.env.OP_OPENCODE_PASSWORD;
   }
 
+  writeStackSecretEnv(state, updates);
+
   if (!existsSync(systemEnvPath)) {
-    const header = [
-      "# OpenPalm — Stack Configuration",
-      "# All secrets and configuration live here. Advanced users may edit directly.",
-      "",
-      "# ── Authentication ──────────────────────────────────────────────────",
-      "OP_UI_LOGIN_PASSWORD=",
-      "",
-      "# ── Service Auth ─────────────────────────────────────────────────────",
-      "OP_OPENCODE_PASSWORD=",
-      "",
-      "# ── Provider API Keys ────────────────────────────────────────────────",
-      "OPENAI_API_KEY=",
-      "OPENAI_BASE_URL=",
-      "ANTHROPIC_API_KEY=",
-      "GROQ_API_KEY=",
-      "MISTRAL_API_KEY=",
-      "GOOGLE_API_KEY=",
-      "MCP_API_KEY=",
-      "EMBEDDING_API_KEY=",
-      "LMSTUDIO_API_KEY=",
-      "",
-      "# ── Owner ────────────────────────────────────────────────────────────",
-      `OP_OWNER_NAME=${process.env.OP_OWNER_NAME ?? ""}`,
-      `OP_OWNER_EMAIL=${process.env.OP_OWNER_EMAIL ?? ""}`,
+      const header = [
+        "# OpenPalm — Stack Configuration",
+        "# Non-secret stack configuration only. File-based secrets live in knowledge/secrets/.",
+        "",
+        "# ── Authentication ──────────────────────────────────────────────────",
+        "OP_SETUP_COMPLETE=false",
       "",
     ].join("\n");
-    const content = mergeEnvContent(header, updates);
-    writeVaultFile(systemEnvPath, content.endsWith("\n") ? content : content + "\n");
+    writeVaultFile(systemEnvPath, header.endsWith("\n") ? header : header + "\n");
     return;
   }
-
-  mergeVaultEnvFile(systemEnvPath, updates, true);
 }
 
 export function ensureSecrets(state: ControlPlaneState): void {
   enforceVaultDirMode(state.stackDir);
 
-  // Migrate pre-0.11.0 installs (OP_UI_TOKEN/OP_ASSISTANT_TOKEN → OP_UI_LOGIN_PASSWORD)
-  // before any code path that reads OP_UI_LOGIN_PASSWORD sees an empty value.
-  migrateAuth0110(state);
-
   ensureSystemSecrets(state);
-  ensureGuardianEnv(state.stackDir);
-  ensureAuthJson(state.configDir);
+  ensureAuthJson(state);
 }
 
-/**
- * Ensure config/stack/guardian.env exists.
- * Channel HMAC secrets (CHANNEL_<NAME>_SECRET) live here exclusively.
- * This file is loaded by the guardian as an env_file and via GUARDIAN_SECRETS_PATH.
- */
-function ensureGuardianEnv(stackDir: string): void {
-  const guardianEnvPath = `${stackDir}/guardian.env`;
-  mkdirSync(stackDir, { recursive: true, mode: VAULT_DIR_MODE });
-  if (!existsSync(guardianEnvPath)) {
-    writeVaultFile(guardianEnvPath, [
-      "# Guardian channel HMAC secrets — managed by openpalm",
-      "# Each enabled channel gets a CHANNEL_<NAME>_SECRET entry.",
-      "",
-    ].join("\n"));
-  } else {
-    try { chmodSync(guardianEnvPath, VAULT_FILE_MODE); } catch { /* best-effort */ }
-  }
-}
-
-function ensureAuthJson(configDir: string): void {
-  const authJsonPath = `${configDir}/auth.json`;
-  mkdirSync(configDir, { recursive: true, mode: VAULT_DIR_MODE });
+function ensureAuthJson(state: ControlPlaneState): void {
+  const authJsonPath = resolveAuthJsonPath(state);
+  mkdirSync(dirname(authJsonPath), { recursive: true, mode: VAULT_DIR_MODE });
 
   if (existsSync(authJsonPath)) {
     try {
@@ -162,22 +167,24 @@ export function updateSecretsEnv(
   state: ControlPlaneState,
   updates: Record<string, string>
 ): void {
-  const stackEnvPath = `${state.stackDir}/stack.env`;
-  if (!existsSync(stackEnvPath)) {
-    throw new Error("config/stack/stack.env does not exist — run setup first");
+  const secretUpdates: Record<string, string> = {};
+  const stackUpdates: Record<string, string> = {};
+  for (const [key, value] of Object.entries(updates)) {
+    if (SECRET_ENV_KEY_RE.test(key)) secretUpdates[key] = value;
+    else stackUpdates[key] = value;
   }
-
-  mergeVaultEnvFile(stackEnvPath, updates, true);
+  writeStackSecretEnv(state, secretUpdates);
+  if (Object.keys(stackUpdates).length > 0) patchSecretsEnvFile(state.stackDir, stackUpdates);
 }
 
 /**
  * Merge-write provider API keys into OpenCode's auth.json at
- * `${configDir}/auth.json`. Each entry uses OpenCode's schema for
- * api-key auth: `{ <providerId>: { type: "api", key: "..." } }`.
+ * `${stackDir}/auth.json` (knowledge/secrets/auth.json). Each entry uses
+ * OpenCode's schema for api-key auth: `{ <providerId>: { type: "api", key } }`.
  *
- * This file is bind-mounted into the assistant container so the chat
- * assistant picks up new credentials on its next OpenCode restart —
- * see core.compose.yml.
+ * This file is bind-mounted into both the assistant and guardian containers
+ * so every OpenCode instance picks up new credentials on its next restart —
+ * see core.compose.yml (assistant) and channels.compose.yml (guardian).
  *
  * Existing entries (OAuth tokens, other providers) are preserved.
  * Empty values DELETE the corresponding entry.
@@ -188,8 +195,8 @@ export function writeAuthJsonProviderKeys(
 ): void {
   if (Object.keys(providerKeys).length === 0) return;
 
-  const authJsonPath = `${state.configDir}/auth.json`;
-  mkdirSync(state.configDir, { recursive: true, mode: VAULT_DIR_MODE });
+  const authJsonPath = resolveAuthJsonPath(state);
+  mkdirSync(dirname(authJsonPath), { recursive: true, mode: VAULT_DIR_MODE });
 
   let current: Record<string, unknown> = {};
   if (existsSync(authJsonPath)) {
@@ -227,16 +234,25 @@ export function writeAuthJsonProviderKeys(
   writeVaultFile(authJsonPath, JSON.stringify(current, null, 2) + "\n");
 }
 
-/** Read and parse config/stack/stack.env. Returns {} if the file does not exist. */
+/** Read and parse knowledge/env/stack.env. Returns {} if the file does not exist. */
 export function readStackEnv(stackDir: string): Record<string, string> {
-  return parseEnvFile(`${stackDir}/stack.env`);
+  const parsed = parseEnvFile(stackEnvPathFromStackDir(stackDir));
+  const nonSecret: Record<string, string> = {};
+  for (const [key, value] of Object.entries(parsed)) {
+    if (!isSecretLikeStackEnvKey(key)) nonSecret[key] = value;
+  }
+  return nonSecret;
+}
+
+export function readStackRuntimeEnv(stackDir: string): Record<string, string> {
+  return { ...readStackEnv(stackDir), ...readStackSecretEnv(stackDir) };
 }
 
 export function updateSystemSecretsEnv(
   state: ControlPlaneState,
   updates: Record<string, string>
 ): void {
-  const systemEnvPath = `${state.stackDir}/stack.env`;
+  const systemEnvPath = `${state.stashDir}/env/stack.env`;
   enforceVaultDirMode(state.stackDir);
   if (!existsSync(systemEnvPath)) {
     ensureSystemSecrets(state);
@@ -250,9 +266,20 @@ export function patchSecretsEnvFile(
 ): void {
   if (Object.keys(patches).length === 0) return;
 
-  const stackEnvPath = `${stackDir}/stack.env`;
-  enforceVaultDirMode(stackDir);
-  mkdirSync(stackDir, { recursive: true, mode: VAULT_DIR_MODE });
+  const stackPatches: Record<string, string> = {};
+  const secretPatches: Record<string, string> = {};
+  for (const [key, value] of Object.entries(patches)) {
+    if (SECRET_ENV_KEY_RE.test(key)) secretPatches[key] = value;
+    else stackPatches[key] = value;
+  }
+  if (Object.keys(secretPatches).length > 0) {
+    writeStackSecretEnv({ stackDir, homeDir: '', configDir: '', stashDir: '', workspaceDir: '', dataDir: '', services: {}, artifacts: { compose: '' }, artifactMeta: [] }, secretPatches);
+  }
+  if (Object.keys(stackPatches).length === 0) return;
+  assertNoSecretLikeStackEnvKeys(stackPatches);
+
+  const stackEnvPath = stackEnvPathFromStackDir(stackDir);
+  enforceVaultDirMode(dirname(stackEnvPath));
 
   let existingContent = "";
   try {
@@ -263,7 +290,7 @@ export function patchSecretsEnvFile(
     // start fresh
   }
 
-  let result = mergeEnvContent(existingContent, patches);
+  let result = mergeEnvContent(existingContent, stackPatches);
   if (!result.endsWith("\n")) result += "\n";
   writeVaultFile(stackEnvPath, result);
 }

package/src/control-plane/setup-config.schema.json

@@ -35,7 +35,7 @@
       "properties": {
         "uiLoginPassword": {
           "type": "string",
-          "description": "Operator login password for the OpenPalm UI. Persisted to stack.env as OP_UI_LOGIN_PASSWORD; the UI's op_session cookie value is compared against it on every authenticated request.",
+          "description": "Operator login password for the OpenPalm UI. Persisted as knowledge/secrets/op_ui_login_password; the UI's op_session cookie value is compared against it on every authenticated request.",
           "minLength": 8
         }
       }

package/src/control-plane/setup-status.ts

@@ -1,18 +1,13 @@
 import { parseEnvFile } from './env.js';
+import { stackEnvPathFromStackDir } from './paths.js';
 
 /**
- * Check if setup is complete by reading config/stack/stack.env.
+ * Check if setup is complete by reading knowledge/env/stack.env.
  *
- * Phase 4 of the auth/proxy refactor replaced the legacy `OP_UI_TOKEN`
- * sentinel with `OP_UI_LOGIN_PASSWORD`. The presence of a non-empty value
- * implies the operator (or the install wizard) has seeded the login
- * secret; `OP_SETUP_COMPLETE=true` is still authoritative when present.
+ * Only OP_SETUP_COMPLETE=true is authoritative. Secrets live in
+ * knowledge/secrets and are not completion sentinels.
  */
 export function isSetupComplete(stackDir: string): boolean {
-  const parsed = parseEnvFile(`${stackDir}/stack.env`);
-  if ("OP_SETUP_COMPLETE" in parsed) {
-    return parsed.OP_SETUP_COMPLETE.toLowerCase() === "true";
-  }
-
-  return (parsed.OP_UI_LOGIN_PASSWORD ?? "").length > 0;
+  const parsed = parseEnvFile(stackEnvPathFromStackDir(stackDir));
+  return parsed.OP_SETUP_COMPLETE === "true";
 }

package/src/control-plane/setup.test.ts

@@ -11,6 +11,7 @@ import {
 } from "./setup.js";
 import type { SetupSpec, SetupConnection } from "./setup.js";
 import { STACK_SPEC_FILENAME, readStackSpec } from "./stack-spec.js";
+import { readSecret } from './secrets-files.js';
 
 // ── Helpers ──────────────────────────────────────────────────────────────
 
@@ -38,15 +39,15 @@ function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
 function seedRequiredAssets(homeDir: string): void {
   mkdirSync(join(homeDir, "config", "stack"), { recursive: true });
   writeFileSync(join(homeDir, "config", "stack", "core.compose.yml"), "services:\n  assistant:\n    image: assistant:latest\n");
-  mkdirSync(join(homeDir, "state", "assistant"), { recursive: true });
-  writeFileSync(join(homeDir, "state", "assistant", "opencode.jsonc"), '{"$schema":"https://opencode.ai/config.json"}\n');
-  writeFileSync(join(homeDir, "state", "assistant", "AGENTS.md"), "# Agents\n");
-  mkdirSync(join(homeDir, "state"), { recursive: true });
-  // Automations live in state/registry/automations (shipped catalog) and stash/tasks (user tasks)
-  mkdirSync(join(homeDir, "state", "registry", "automations"), { recursive: true });
-  writeFileSync(join(homeDir, "state", "registry", "automations", "cleanup-logs.md"), "---\nschedule: \"0 4 * * 0\"\ndescription: cleanup logs\n---\n");
-  writeFileSync(join(homeDir, "state", "registry", "automations", "cleanup-data.md"), "---\nschedule: \"0 5 * * 0\"\ndescription: cleanup data\n---\n");
-  writeFileSync(join(homeDir, "state", "registry", "automations", "validate-config.md"), "---\nschedule: \"0 3 * * *\"\ndescription: validate config\n---\n");
+  mkdirSync(join(homeDir, "data", "assistant"), { recursive: true });
+  writeFileSync(join(homeDir, "data", "assistant", "opencode.jsonc"), '{"$schema":"https://opencode.ai/config.json"}\n');
+  writeFileSync(join(homeDir, "data", "assistant", "AGENTS.md"), "# Agents\n");
+  mkdirSync(join(homeDir, "data"), { recursive: true });
+  // Automations live in knowledge/tasks as AKM-owned task files.
+  mkdirSync(join(homeDir, "data", "registry", "automations"), { recursive: true });
+  writeFileSync(join(homeDir, "data", "registry", "automations", "cleanup-logs.yml"), "schedule: \"0 4 * * 0\"\ndescription: cleanup logs\ncommand: [\"echo\",\"clean\"]\n");
+  writeFileSync(join(homeDir, "data", "registry", "automations", "cleanup-data.yml"), "schedule: \"0 5 * * 0\"\ndescription: cleanup data\ncommand: [\"echo\",\"clean\"]\n");
+  writeFileSync(join(homeDir, "data", "registry", "automations", "validate-config.yml"), "schedule: \"0 3 * * *\"\ndescription: validate config\ncommand: [\"echo\",\"clean\"]\n");
 }
 
 // ── Tests: validateSetupSpec ────────────────────────────────────────────
@@ -204,7 +205,6 @@ describe("buildSecretsFromSetup", () => {
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
     expect(secrets.OP_UI_LOGIN_PASSWORD).toBeUndefined();
     expect(secrets.OP_UI_TOKEN).toBeUndefined();
-    expect(secrets.ADMIN_TOKEN).toBeUndefined();
   });
 
   it("does not include SYSTEM_LLM_* in user secrets", () => {
@@ -305,10 +305,7 @@ describe("buildAuthJsonFromSetup", () => {
 });
 
 describe("buildSystemSecretsFromSetup", () => {
-  // Phase 4: assistant token was removed; the only stack.env secret this
-  // helper writes now is OP_UI_LOGIN_PASSWORD. OP_OPENCODE_PASSWORD is
-  // generated by ensureSystemSecrets() and persists across reruns.
-  it("returns OP_UI_LOGIN_PASSWORD equal to the supplied operator password", () => {
+  it("returns the file-based UI login password update", () => {
     const secrets = buildSystemSecretsFromSetup("test-admin-token-12345");
     expect(secrets.OP_UI_LOGIN_PASSWORD).toBe("test-admin-token-12345");
     expect(secrets.OP_UI_TOKEN).toBeUndefined();
@@ -321,7 +318,7 @@ describe("buildSystemSecretsFromSetup", () => {
 describe("performSetup", () => {
   let homeDir: string;
   let configDir: string;
-  let stateDir: string;
+  let dataDir: string;
   let stackDir: string;
 
   const savedEnv: Record<string, string | undefined> = {};
@@ -329,44 +326,41 @@ describe("performSetup", () => {
   beforeEach(() => {
     homeDir = mkdtempSync(join(tmpdir(), "openpalm-setup-"));
     configDir = join(homeDir, "config");
-    stateDir = join(homeDir, "state");
+    dataDir = join(homeDir, "data");
     stackDir = join(configDir, "stack");
 
     // Create required directory structure
     for (const dir of [
       homeDir,
       configDir,
-      join(homeDir, "state", "registry", "automations"),
+      join(homeDir, "data", "registry", "automations"),
       join(configDir, "assistant"),
       join(configDir, "akm"),
       stackDir,
       join(stackDir, "addons"),
-      join(homeDir, "stash"),
+      join(homeDir, "knowledge"),
+      join(homeDir, "knowledge", "env"),
+      join(homeDir, "knowledge", "secrets"),
       join(homeDir, "workspace"),
-      join(homeDir, "cache"),
-      join(homeDir, "cache", "akm"),
-      stateDir,
-      join(stateDir, "assistant"),
-      join(stateDir, "admin"),
-      join(stateDir, "guardian"),
-      join(stateDir, "logs"),
-      join(stateDir, "logs", "opencode"),
+      dataDir,
+      join(dataDir, "assistant"),
+      join(dataDir, "admin"),
+      join(dataDir, "guardian"),
+      join(dataDir, "akm", "cache"),
+      join(dataDir, "akm", "data"),
+      join(dataDir, "logs"),
+      join(dataDir, "backups"),
+      join(dataDir, "rollback"),
     ]) {
       mkdirSync(dir, { recursive: true });
     }
 
     // Create stub stack.env so isSetupComplete doesn't crash
     writeFileSync(
-      join(stackDir, "stack.env"),
+      join(homeDir, "knowledge", "env", "stack.env"),
       [
         "OP_SETUP_COMPLETE=false",
-        "OP_UI_LOGIN_PASSWORD=",
-        "OPENAI_API_KEY=",
         "OPENAI_BASE_URL=",
-        "ANTHROPIC_API_KEY=",
-        "GROQ_API_KEY=",
-        "MISTRAL_API_KEY=",
-        "GOOGLE_API_KEY=",
         "OP_OWNER_NAME=",
         "OP_OWNER_EMAIL=",
         "",
@@ -394,12 +388,11 @@ describe("performSetup", () => {
     expect(result.error).toBeDefined();
   });
 
-  it("writes stack.env with the UI login password", async () => {
+  it("writes the UI login password to knowledge/secrets", async () => {
     const result = await performSetup(makeValidSpec());
     expect(result.ok).toBe(true);
 
-    const secretsContent = readFileSync(join(stackDir, "stack.env"), "utf-8");
-    expect(secretsContent).toContain("test-admin-token-12345");
+    expect(readSecret(stackDir, 'op_ui_login_password')).toBe("test-admin-token-12345\n");
   });
 
   it("writes akm config.json with llm and embedding", async () => {
@@ -479,9 +472,16 @@ describe("performSetup", () => {
     const spec = readStackSpec(stackDir);
     expect(spec).not.toBeNull();
     expect(spec!.version).toBe(2);
+
+    const stackEnv = readFileSync(join(homeDir, "knowledge", "env", "stack.env"), 'utf-8');
+    expect(stackEnv).not.toContain('OPENAI_API_KEY=');
+    expect(readSecret(stackDir, 'openai_api_key')).toBeNull();
+
+    const authJson = JSON.parse(readFileSync(join(homeDir, "knowledge", "secrets", "auth.json"), 'utf-8')) as Record<string, { key: string }>;
+    expect(authJson.openai.key).toBe('sk-secondary');
   });
 
-  it("writes channel credentials to stack.env when channelCredentials provided", async () => {
+  it("splits channel credentials between secret files and stack.env", async () => {
     const input = makeValidSpec({
       channelCredentials: {
         discord: {
@@ -494,9 +494,11 @@ describe("performSetup", () => {
     const result = await performSetup(input);
     expect(result.ok).toBe(true);
 
-    const stackEnvContent = readFileSync(join(stackDir, "stack.env"), "utf-8");
-    expect(stackEnvContent).toContain("discord-bot-token-xyz");
-    expect(stackEnvContent).toContain("discord-app-id-123");
+    expect(readSecret(stackDir, 'discord_bot_token')).toBe("discord-bot-token-xyz\n");
+    expect(readSecret(stackDir, 'discord_application_id')).toBeNull();
+    const stackEnv = readFileSync(join(homeDir, "knowledge", "env", "stack.env"), 'utf-8');
+    expect(stackEnv).toContain('DISCORD_APPLICATION_ID=discord-app-id-123');
+    expect(stackEnv).not.toContain('DISCORD_BOT_TOKEN=');
   });
 
   it("ensureOpenCodeConfig never writes forbidden keys (providers, smallModel, model) to the user config", async () => {