@openpalm/lib 0.11.0-beta.14 → 0.11.0-beta.16

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openpalm/lib",
-  "version": "0.11.0-beta.14",
+  "version": "0.11.0-beta.16",
   "license": "MPL-2.0",
   "type": "module",
   "description": "Shared control-plane library for OpenPalm — lifecycle, staging, secrets, channels, connections, scheduler",

package/src/control-plane/akm-user-env.ts

@@ -56,7 +56,7 @@ const ENV_FILE_MODE = 0o600;
 
 /**
  * Build the env that points akm at the shared OpenPalm stash. We mirror the
- * layout that the assistant/admin containers use (see
+ * layout that the assistant container uses (see
  * `.openpalm/config/stack/core.compose.yml`) so host-side and container-side
  * runs resolve to the same files.
  *

package/src/control-plane/config-persistence.ts

@@ -14,6 +14,7 @@ import { ensureSecret } from './secrets-files.js';
 import type { ControlPlaneState, ArtifactMeta } from "./types.js";
 import { listEnabledAddonIds } from "./registry.js";
 import { resolveOperatorIds, hasUsableOperatorId } from "./operator-ids.js";
+import { SPEC_DEFAULTS } from "./stack-spec.js";
 
 import {
   readCoreCompose,
@@ -130,9 +131,8 @@ function generateFallbackSystemEnv(state: ControlPlaneState): string {
     "# ── Ports (38XX range) ──────────────────────────────────────────────",
     "# Guardian is network-only (no host port) — channels reach it via",
     "# http://guardian:8080 over the channel_lan Docker network.",
-    `OP_ASSISTANT_PORT=3800`,
-    `OP_ADMIN_PORT=3880`,
-    `OP_ADMIN_OPENCODE_PORT=3881`,
+    `OP_ASSISTANT_PORT=${SPEC_DEFAULTS.ports.assistant}`,
+    `OP_HOST_UI_PORT=${SPEC_DEFAULTS.ports.hostUi}`,
     ""
   ].join("\n");
 }

package/src/control-plane/home.ts

@@ -5,7 +5,7 @@
  *   config/    — user-editable config + system config files (akm/)
  *   config/stack/ — compose runtime + stack config (stack.env, stack.yml, auth.json, fixed compose files)
  *   data/      — persistent service data, logs, backups, rollback
- *   knowledge/ — akm knowledge (skills, vaults, agents)
+ *   knowledge/ — akm knowledge (env, secrets, tasks)
  *   workspace/ — shared assistant work area
  *   config/stack/ — compose runtime assets + stack config (stack.env, stack.yml)
  */
@@ -94,7 +94,6 @@ export function ensureHomeDirs(): void {
     `${home}/data/assistant/.local/bin`,
     `${home}/data/assistant/.local/share/opencode`,
     `${home}/data/assistant/.local/state/opencode`,
-    `${home}/data/admin`,          // admin home bind mount
     `${home}/data/guardian`,       // guardian runtime data
     `${home}/data/akm/cache`,      // akm cache
     `${home}/data/akm/data`,       // akm durable data

package/src/control-plane/install-edge-cases.test.ts

@@ -23,7 +23,6 @@ import {
   performSetup,
   buildSecretsFromSetup,
   buildAuthJsonFromSetup,
-  buildSystemSecretsFromSetup,
 } from "./setup.js";
 import type { SetupSpec, SetupConnection } from "./setup.js";
 import type { ControlPlaneState } from "./types.js";
@@ -113,7 +112,6 @@ function createFullDirTree(): void {
     stackDir,
     dataDir,
     join(dataDir, "assistant"),
-    join(dataDir, "admin"),
     join(dataDir, "guardian"),
     join(dataDir, "akm", "cache"),
     join(dataDir, "akm", "data"),

package/src/control-plane/lifecycle.ts

@@ -184,10 +184,14 @@ export async function updateStackEnvToLatestImageTag(state: ControlPlaneState):
     throw new Error(`Invalid image namespace in system.env: ${namespace}`);
   }
 
+  // `assistant` is the version-of-record image: all platform images
+  // (assistant, guardian, channel, voice) are published in lockstep under the
+  // same OP_IMAGE_TAG, so its newest tag is the canonical platform version.
+
   let response: Response;
   try {
     response = await fetch(
-      `https://registry.hub.docker.com/v2/repositories/${namespace}/admin/tags?page_size=25&ordering=last_updated`,
+      `https://registry.hub.docker.com/v2/repositories/${namespace}/assistant/tags?page_size=25&ordering=last_updated`,
       { headers: { Accept: "application/json" } }
     );
   } catch (e) {

package/src/control-plane/opencode-client.ts

@@ -2,7 +2,7 @@
  * Shared OpenCode REST API client.
  *
  * Factory function that returns typed accessors for an OpenCode server
- * at a configurable base URL. Used by both the admin (container) and
+ * at a configurable base URL. Used by both the admin UI (host process) and
  * CLI (host subprocess) to talk to OpenCode.
  */
 

package/src/control-plane/paths.ts

@@ -24,7 +24,7 @@ import type { ControlPlaneState } from "./types.js";
 export const authJsonPath          = (s: ControlPlaneState): string => `${s.stashDir}/secrets/auth.json`;
 /** akm config directory mounted at /etc/akm */
 export const akmConfigDir          = (s: ControlPlaneState): string => `${s.configDir}/akm`;
-/** akm setup config file (written by admin on capability save) */
+/** akm setup config file (written by the admin UI AKM action and CLI install) */
 export const akmConfigPath         = (s: ControlPlaneState): string => `${s.configDir}/akm/config.json`;
 export const tasksDir              = (s: ControlPlaneState): string => `${s.stashDir}/tasks`;
 export const assistantConfigDir    = (s: ControlPlaneState): string => `${s.configDir}/assistant`;
@@ -67,14 +67,11 @@ export const logsDir               = (s: ControlPlaneState): string => `${s.data
  * chat + tool activity.
  */
 export const guardianAuditPath     = (s: ControlPlaneState): string => `${s.dataDir}/logs/guardian-audit.log`;
-/** One-shot 0.11.0 migration log (OP_UI_TOKEN → OPENCODE_SERVER_PASSWORD, endpoints.json move) */
-export const migration0110LogPath  = (s: ControlPlaneState): string => `${s.dataDir}/logs/migration-0.11.0.log`;
 export const backupsDir            = (s: ControlPlaneState): string => `${s.dataDir}/backups`;
 
 // ── State directory — persistent service data ───────────────────────────────
 
 export const assistantServiceDir   = (s: ControlPlaneState): string => `${s.dataDir}/assistant`;
-export const adminServiceDir       = (s: ControlPlaneState): string => `${s.dataDir}/admin`;
 export const guardianServiceDir    = (s: ControlPlaneState): string => `${s.dataDir}/guardian`;
 export const guardianAkmDir        = (s: ControlPlaneState): string => `${s.dataDir}/guardian/akm`;
 /** akm durable data — NOT config, which lives in config/akm/ */

package/src/control-plane/setup.ts

@@ -19,7 +19,6 @@ import {
   updateSecretsEnv,
   patchSecretsEnvFile,
   ensureOpenCodeConfig,
-  readStackEnv,
   writeAuthJsonProviderKeys,
 } from "./secrets.js";
 import { createState } from "./lifecycle.js";
@@ -132,13 +131,9 @@ export function buildAuthJsonFromSetup(
  *
   * `OP_OPENCODE_PASSWORD` may be supplied explicitly as a file-based secret in
   * `knowledge/secrets/op_opencode_password` when OpenCode auth is enabled.
- *
- * `existingSystemEnv` is unused now but the parameter is kept so callers
- * compile unchanged. It can be removed in a follow-up cleanup.
  */
 export function buildSystemSecretsFromSetup(
   uiLoginPassword: string,
-  _existingSystemEnv: Record<string, string> = {}
 ): Record<string, string> {
   return {
     OP_UI_LOGIN_PASSWORD: uiLoginPassword,
@@ -215,7 +210,6 @@ export async function performSetup(
     try {
       ensureHomeDirs();
       ensureSecrets(state);
-      const existingSystemEnv = readStackEnv(state.stackDir);
       const channelSecretUpdates = channelCredentials ? buildChannelCredentialEnvVars(channelCredentials) : {};
       // Pick up channel credential env vars not already provided in the spec
       for (const mapping of Object.values(CHANNEL_CREDENTIAL_ENV_MAP)) {
@@ -225,7 +219,7 @@ export async function performSetup(
       }
       updateSecretsEnv(state, updates);
       updateSecretsEnv(state, channelSecretUpdates);
-      patchSecretsEnvFile(state.stackDir, buildSystemSecretsFromSetup(security.uiLoginPassword, existingSystemEnv));
+      patchSecretsEnvFile(state.stackDir, buildSystemSecretsFromSetup(security.uiLoginPassword));
       // Provider API keys land in OpenCode's auth.json (bind-mounted into
       // the assistant container) — never in stack.env.
       writeAuthJsonProviderKeys(state, providerKeys);

package/src/control-plane/skeleton-guardrail.test.ts

@@ -117,7 +117,7 @@ describe("skeleton: .openpalm/knowledge/ structure", () => {
 // ── data/ service dirs ────────────────────────────────────────────────
 
 describe("skeleton: .openpalm/data/ service directories", () => {
-  const serviceDirs = ["assistant", "admin", "guardian"];
+  const serviceDirs = ["assistant", "guardian"];
 
   for (const dir of serviceDirs) {
     test(`data/${dir}/ exists`, () => {

package/src/control-plane/spec-to-env.test.ts

@@ -23,6 +23,13 @@ describe("deriveSystemEnvFromSpec", () => {
   test("produces default port values", () => {
     const result = deriveSystemEnvFromSpec("/home/op");
     expect(result.OP_ASSISTANT_PORT).toBe("3800");
+    expect(result.OP_HOST_UI_PORT).toBe("3880");
+  });
+
+  test("does not emit the retired OP_ADMIN_PORT/OP_ADMIN_OPENCODE_PORT vars", () => {
+    const result = deriveSystemEnvFromSpec("/home/op");
+    expect(result.OP_ADMIN_PORT).toBeUndefined();
+    expect(result.OP_ADMIN_OPENCODE_PORT).toBeUndefined();
   });
 
   test("does not emit OP_GUARDIAN_PORT (guardian is network-only, no host mapping)", () => {

package/src/control-plane/spec-to-env.ts

@@ -42,8 +42,7 @@ export function deriveSystemEnvFromSpec(homeDir: string): Record<string, string>
   // network-only (no host port mapping) so OP_GUARDIAN_PORT is no longer
   // emitted; channels reach it via Docker DNS at http://guardian:8080.
   result["OP_ASSISTANT_PORT"] = String(ports.assistant);
-  result["OP_ADMIN_PORT"] = String(ports.admin);
-  result["OP_ADMIN_OPENCODE_PORT"] = String(ports.adminOpencode);
+  result["OP_HOST_UI_PORT"] = String(ports.hostUi);
   result["OP_ASSISTANT_SSH_PORT"] = String(ports.assistantSsh);
 
   return result;

package/src/control-plane/stack-spec.ts

@@ -26,9 +26,7 @@ export const STACK_SPEC_FILENAME = "stack.yml";
 export const SPEC_DEFAULTS = {
   ports: {
     assistant: 3800,
-    admin: 3880,
-    adminOpencode: 3881,
-    guardian: 3899,
+    hostUi: 3880,
     assistantSsh: 2222,
   },
   image: {