@openpalm/lib 0.11.0-beta.2 → 0.11.0-beta.6

package/src/control-plane/registry.test.ts

@@ -21,11 +21,15 @@ import {
   getRegistryAddonConfig,
   listAvailableAddonIds,
   getAddonServiceNames,
-  enableAddon,
-  disableAddonByName,
+  getAddonProfiles,
+  getAddonProfileSelection,
+  setAddonProfileSelection,
   setAddonEnabled,
   installAutomationFromRegistry,
   uninstallAutomation,
+  getAddonProfileAvailability,
+  annotateAddonProfileAvailability,
+  __addonAvailabilityTestHooks,
 } from "./registry.js";
 
 // ── Validation Tests ─────────────────────────────────────────────────
@@ -306,10 +310,11 @@ describe("materialized registry catalog", () => {
 
     materializeRegistryCatalog(sourceRoot);
 
-    expect(enableAddon(process.env.OP_HOME!, 'chat')).toEqual({ ok: true });
+    const stackDir = join(process.env.OP_HOME!, 'config', 'stack');
+    expect(setAddonEnabled(process.env.OP_HOME!, stackDir, 'chat', true)).toMatchObject({ ok: true });
     expect(existsSync(join(process.env.OP_HOME!, 'config', 'stack', 'addons', 'chat', 'compose.yml'))).toBe(true);
 
-    expect(disableAddonByName(process.env.OP_HOME!, 'chat')).toEqual({ ok: true });
+    expect(setAddonEnabled(process.env.OP_HOME!, stackDir, 'chat', false)).toMatchObject({ ok: true });
     expect(existsSync(join(process.env.OP_HOME!, 'config', 'stack', 'addons', 'chat'))).toBe(false);
   });
 
@@ -391,6 +396,67 @@ describe("materialized registry catalog", () => {
     expect(existsSync(join(otherHome, 'backups', 'config', 'stack.yml'))).toBe(false);
   });
 
+  it("parses compose profiles + openpalm.profile.* labels per addon", () => {
+    const sourceRoot = join(tmpDir, 'repo');
+    const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'voice');
+    const automationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
+
+    mkdirSync(addonDir, { recursive: true });
+    mkdirSync(automationsDir, { recursive: true });
+    writeFileSync(
+      join(addonDir, 'compose.yml'),
+      [
+        'services:',
+        '  voice:',
+        '    profiles: [cpu]',
+        '    image: openpalm/voice:cpu',
+        '    labels:',
+        '      openpalm.profile.label: CPU',
+        '      openpalm.profile.default: "true"',
+        '  voice-cuda:',
+        '    profiles: [cuda]',
+        '    image: openpalm/voice:cuda',
+        '    labels:',
+        '      openpalm.profile.label: NVIDIA',
+        '      openpalm.profile.requires: nvidia-container-toolkit',
+        '',
+      ].join('\n'),
+    );
+    writeFileSync(join(addonDir, '.env.schema'), 'VOICE=\n');
+    writeFileSync(join(automationsDir, 'cleanup.md'), '---\ndescription: Cleanup\nschedule: "0 3 * * *"\ncommand: ["echo","clean"]\n---\n');
+
+    materializeRegistryCatalog(sourceRoot);
+
+    const profiles = getAddonProfiles(process.env.OP_HOME!, 'voice');
+    expect(profiles).toEqual([
+      { id: 'cpu', services: ['voice'], label: 'CPU', default: true },
+      { id: 'cuda', services: ['voice-cuda'], label: 'NVIDIA', requires: 'nvidia-container-toolkit' },
+    ]);
+  });
+
+  it("round-trips addon profile selection through stack.env", () => {
+    const sourceRoot = join(tmpDir, 'repo');
+    const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'voice');
+    const automationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
+
+    mkdirSync(addonDir, { recursive: true });
+    mkdirSync(automationsDir, { recursive: true });
+    writeFileSync(join(addonDir, 'compose.yml'), 'services:\n  voice:\n    profiles: [cpu]\n    image: x\n');
+    writeFileSync(join(addonDir, '.env.schema'), 'VOICE=\n');
+    writeFileSync(join(automationsDir, 'cleanup.md'), '---\ndescription: Cleanup\nschedule: "0 3 * * *"\ncommand: ["echo","clean"]\n---\n');
+
+    materializeRegistryCatalog(sourceRoot);
+
+    const stackDir = join(process.env.OP_HOME!, 'config', 'stack');
+    mkdirSync(stackDir, { recursive: true });
+    writeFileSync(join(stackDir, 'stack.env'), '');
+
+    expect(getAddonProfileSelection(stackDir, 'voice')).toBeNull();
+    setAddonProfileSelection(stackDir, 'voice', 'cuda');
+    expect(getAddonProfileSelection(stackDir, 'voice')).toBe('cuda');
+    expect(readFileSync(join(stackDir, 'stack.env'), 'utf-8')).toContain('OP_VOICE_PROFILE=cuda');
+  });
+
   it("installs and uninstalls automations through stash/tasks", () => {
     const sourceRoot = join(tmpDir, 'repo');
     const addonDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons', 'chat');
@@ -414,3 +480,131 @@ describe("materialized registry catalog", () => {
     expect(existsSync(join(stashDir, 'tasks', 'cleanup.md'))).toBe(false);
   });
 });
+
+// ── Host capability probes ───────────────────────────────────────────
+
+describe("getAddonProfileAvailability", () => {
+  beforeEach(() => {
+    __addonAvailabilityTestHooks.reset();
+  });
+
+  afterEach(() => {
+    __addonAvailabilityTestHooks.reset();
+  });
+
+  it("returns available:true for the cpu profile (no host requirements)", async () => {
+    const result = await getAddonProfileAvailability({ id: 'cpu' });
+    expect(result.available).toBe(true);
+    expect(result.reason).toBeUndefined();
+  });
+
+  it("returns available:true for unknown profile ids (no host-side gating)", async () => {
+    const result = await getAddonProfileAvailability({ id: 'something-else' });
+    expect(result.available).toBe(true);
+  });
+
+  it("caches the result across calls (probe runs only once)", async () => {
+    const a = await getAddonProfileAvailability({ id: 'cpu' });
+    const b = await getAddonProfileAvailability({ id: 'cpu' });
+    expect(a).toBe(b); // same reference — cached
+  });
+
+  it("probes cuda: returns available:false on a host with no NVIDIA runtime / CDI", async () => {
+    // This test runs on CI/dev machines without GPUs. We don't mock execFile;
+    // we just assert the contract: when neither signal is present, the
+    // reason mentions nvidia-container-toolkit. If a future GPU host runs
+    // this test, the assertion still tolerates the success case.
+    const result = await getAddonProfileAvailability({ id: 'cuda' });
+    if (!result.available) {
+      expect(result.reason).toContain('NVIDIA');
+    } else {
+      // Host genuinely has the runtime registered — accept it.
+      expect(result.reason).toBeUndefined();
+    }
+  });
+
+  it("probes rocm: returns available:false when /dev/kfd is missing", async () => {
+    const result = await getAddonProfileAvailability({ id: 'rocm' });
+    if (!result.available) {
+      expect(result.reason).toContain('ROCm');
+    } else {
+      expect(result.reason).toBeUndefined();
+    }
+  });
+
+  it("probes rocm: when devices exist, reports unpublished image distinctly from missing-device case", async () => {
+    // On a host without /dev/kfd, we hit the device-missing branch and
+    // get the "devices not present" copy. On a ROCm host, we'd fall
+    // through to the manifest-inspect probe and (until 0.11.0-rocm6
+    // ships) get the "image not published yet" copy. Both must mention
+    // ROCm so operator-facing copy stays consistent.
+    const result = await getAddonProfileAvailability({ id: 'rocm' });
+    if (!result.available && existsSync('/dev/kfd') && existsSync('/dev/dri')) {
+      expect(result.reason).toMatch(/image not published|CPU profile/i);
+    }
+    if (!result.available && !(existsSync('/dev/kfd') && existsSync('/dev/dri'))) {
+      expect(result.reason).toMatch(/devices not present/i);
+    }
+  });
+});
+
+describe("execFileNoThrow (ENOENT capture)", () => {
+  it("captures ENOENT for a missing binary as 'spawn <cmd> ENOENT' stderr", async () => {
+    const result = await __addonAvailabilityTestHooks.execFileNoThrow(
+      '/nonexistent/path/to/openpalm-test-no-such-binary-zzz',
+      ['--help'],
+      2_000,
+    );
+    expect(result.ok).toBe(false);
+    expect(result.stderr).toMatch(/ENOENT/);
+    // When the binary is "docker", the synthetic stderr becomes
+    // `spawn docker ENOENT: command not found` — that string matches the
+    // translateDockerError regex `/spawn .*docker.*ENOENT/i` so the
+    // operator gets actionable copy instead of "unknown error (no stderr)".
+    expect(result.stderr).toMatch(/spawn\s+\S*\s*ENOENT/);
+  });
+
+  it("formats ENOENT for `docker` so translateDockerError can match it", async () => {
+    // Use an absolute path that we know doesn't exist so the test is
+    // deterministic regardless of whether docker is installed on the host.
+    const result = await __addonAvailabilityTestHooks.execFileNoThrow(
+      'docker-not-installed-zzz',
+      ['info'],
+      2_000,
+    );
+    expect(result.ok).toBe(false);
+    expect(result.stderr).toBe('spawn docker-not-installed-zzz ENOENT: command not found');
+  });
+});
+
+describe("annotateAddonProfileAvailability", () => {
+  beforeEach(() => {
+    __addonAvailabilityTestHooks.reset();
+  });
+
+  afterEach(() => {
+    __addonAvailabilityTestHooks.reset();
+  });
+
+  it("decorates each profile with available + optional reason", async () => {
+    const out = await annotateAddonProfileAvailability([
+      { id: 'cpu', services: ['voice'], label: 'CPU', default: true },
+      { id: 'rocm', services: ['voice-rocm'], label: 'AMD' },
+    ]);
+    expect(out).toHaveLength(2);
+    expect(out[0]?.id).toBe('cpu');
+    expect(out[0]?.available).toBe(true);
+    // Preserves original fields.
+    expect(out[0]?.label).toBe('CPU');
+    expect(out[0]?.default).toBe(true);
+    expect(out[1]?.id).toBe('rocm');
+    expect(typeof out[1]?.available).toBe('boolean');
+  });
+
+  it("does not mutate the input array", async () => {
+    const input = [{ id: 'cpu', services: ['voice'] }];
+    const before = JSON.parse(JSON.stringify(input));
+    await annotateAddonProfileAvailability(input);
+    expect(input).toEqual(before);
+  });
+});

package/src/control-plane/registry.ts

@@ -5,13 +5,14 @@
  * Install seeds it once; refresh replaces it explicitly.
  */
 import { cpSync, existsSync, mkdtempSync, mkdirSync, readdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
-import { execFileSync } from 'node:child_process';
+import { execFile, execFileSync } from 'node:child_process';
 import { join } from 'node:path';
 import { tmpdir } from 'node:os';
 import { parse as parseYaml } from 'yaml';
 import { createLogger } from '../logger.js';
 import { isChannelAddon } from './channels.js';
 import { randomHex, writeChannelSecrets } from './config-persistence.js';
+import { patchSecretsEnvFile, readStackEnv } from './secrets.js';
 import {
   resolveRegistryAddonsDir,
   resolveRegistryAutomationsDir,
@@ -83,7 +84,7 @@ export type RegistryCatalogVerification = {
   automationCount: number;
 };
 
-export type MutationResult = { ok: true } | { ok: false; error: string };
+type MutationResult = { ok: true } | { ok: false; error: string };
 export type AddonMutationResult = (
   | { ok: true; enabled: boolean; changed: boolean; services: string[] }
   | { ok: false; error: string }
@@ -339,7 +340,335 @@ export function getAddonServiceNames(homeDir: string, name: string): string[] {
   return [];
 }
 
-export function enableAddon(homeDir: string, name: string): MutationResult {
+export type AddonProfile = {
+  id: string;
+  services: string[];
+  label?: string;
+  requires?: string;
+  default?: boolean;
+  /**
+   * Whether the host can run this profile.
+   *
+   * Populated by `getAddonProfileAvailability()`. When the value is missing
+   * (e.g. older catalogs), callers should treat the profile as available.
+   */
+  available?: boolean;
+  /** Human-readable reason when `available === false`. */
+  reason?: string;
+};
+
+// ── Host capability probes ─────────────────────────────────────────────
+
+export type AddonProfileAvailability = { available: boolean; reason?: string };
+
+const HOST_PROBE_TIMEOUT_MS = 2_000;
+
+// Process-lifetime cache. Hardware presence does not change while the UI
+// server is running, so probing once is enough.
+const availabilityCache = new Map<string, AddonProfileAvailability>();
+
+/**
+ * Reset the host-capability cache. Test-only — not exported.
+ */
+function _resetAvailabilityCacheForTests(): void {
+  availabilityCache.clear();
+}
+
+// Exported under a deliberately ugly name so test files can reach it.
+export const __addonAvailabilityTestHooks = {
+  reset: _resetAvailabilityCacheForTests,
+  /**
+   * Test-only: exposes the internal exec wrapper so tests can verify
+   * ENOENT (missing binary) is surfaced as actionable stderr that the
+   * docker-error translator can recognise.
+   */
+  execFileNoThrow: (cmd: string, args: string[], timeoutMs: number) =>
+    execFileNoThrow(cmd, args, timeoutMs),
+};
+
+function execFileNoThrow(
+  cmd: string,
+  args: string[],
+  timeoutMs: number,
+): Promise<{ ok: boolean; stdout: string; stderr: string }> {
+  return new Promise((resolve) => {
+    execFile(cmd, args, { timeout: timeoutMs }, (error, stdout, stderr) => {
+      // ENOENT (binary missing) surfaces here with no stderr — child_process
+      // never gets to exec the program. Inject a synthetic stderr that
+      // matches the translateDockerError ENOENT regex so callers get
+      // actionable copy instead of "unknown error (no stderr)".
+      let mergedStderr = stderr?.toString() ?? '';
+      const code = (error as NodeJS.ErrnoException | null)?.code;
+      if (code && !mergedStderr) {
+        if (code === 'ENOENT') {
+          mergedStderr = `spawn ${cmd} ENOENT: command not found`;
+        } else {
+          mergedStderr = `spawn ${cmd} ${code}`;
+        }
+      }
+      resolve({
+        ok: !error,
+        stdout: stdout?.toString() ?? '',
+        stderr: mergedStderr,
+      });
+    });
+  });
+}
+
+/**
+ * Compute the openpalm/voice image ref for a given GPU variant, matching
+ * the substitution chain in the addon compose file:
+ *   ${OP_IMAGE_NAMESPACE:-openpalm}/voice:${OP_VOICE_IMAGE_TAG:-${OP_IMAGE_TAG:-v0.11.0}-<variant>}
+ */
+function voiceImageRef(variant: 'cpu' | 'cu121' | 'rocm6'): string {
+  const namespace = process.env.OP_IMAGE_NAMESPACE?.trim() || 'openpalm';
+  const explicit = process.env.OP_VOICE_IMAGE_TAG?.trim();
+  if (explicit) return `${namespace}/voice:${explicit}`;
+  const baseTag = process.env.OP_IMAGE_TAG?.trim() || 'v0.11.0';
+  return `${namespace}/voice:${baseTag}-${variant}`;
+}
+
+/**
+ * `docker manifest inspect <ref>` returns 0 only when the registry can
+ * resolve a manifest for that ref. We use it as the cheap "is this image
+ * actually published?" check — no pull required. The retry handles
+ * transient registry hiccups. Timeout is short because the manifest blob
+ * is a few KB.
+ */
+async function dockerManifestExists(imageRef: string): Promise<boolean> {
+  for (let attempt = 0; attempt < 2; attempt++) {
+    const res = await execFileNoThrow(
+      'docker',
+      ['manifest', 'inspect', imageRef],
+      5_000,
+    );
+    if (res.ok) return true;
+    // If docker itself is missing (ENOENT), retrying won't help.
+    if (/ENOENT/.test(res.stderr)) return false;
+  }
+  return false;
+}
+
+async function probeCuda(): Promise<AddonProfileAvailability> {
+  // Two acceptance signals:
+  //   1. `docker info` reports an `nvidia` runtime (toolkit installed +
+  //      `nvidia-ctk runtime configure --runtime=docker` was run).
+  //   2. `/etc/cdi/nvidia.yaml` exists (CDI-mode daemon with a generated
+  //      spec). We don't require the runtime in this case — the route's
+  //      CDI fallback can switch the compose to driver:cdi.
+  try {
+    if (existsSync('/etc/cdi/nvidia.yaml')) return { available: true };
+  } catch {
+    // existsSync only throws on path-syntax issues; ignore and probe docker.
+  }
+
+  const result = await execFileNoThrow(
+    'docker',
+    ['info', '--format', '{{json .Runtimes}}'],
+    HOST_PROBE_TIMEOUT_MS,
+  );
+  if (result.ok && result.stdout.includes('"nvidia"')) {
+    return { available: true };
+  }
+  return {
+    available: false,
+    reason: 'NVIDIA runtime not registered. Install nvidia-container-toolkit or enable CDI.',
+  };
+}
+
+async function probeRocm(): Promise<AddonProfileAvailability> {
+  // Hardware gate: ROCm needs both the KFD char device and the GPU DRI nodes.
+  let devicesPresent = false;
+  try {
+    devicesPresent = existsSync('/dev/kfd') && existsSync('/dev/dri');
+  } catch {
+    devicesPresent = false;
+  }
+  if (!devicesPresent) {
+    return {
+      available: false,
+      reason: 'AMD ROCm devices not present on this host.',
+    };
+  }
+
+  // Image gate: the openpalm/voice:*-rocm6 image isn't published yet, so
+  // even on a fully-functional ROCm host the compose-up would fail with a
+  // manifest-unknown pull error. Refuse the profile until the image lands.
+  const imageRef = voiceImageRef('rocm6');
+  const published = await dockerManifestExists(imageRef);
+  if (!published) {
+    return {
+      available: false,
+      reason: 'AMD ROCm image not published yet. Check back in a future release or use the CPU profile.',
+    };
+  }
+  return { available: true };
+}
+
+/**
+ * Probe the host for the capabilities required by an addon profile.
+ *
+ * Results are cached for the lifetime of the process — hardware doesn't
+ * change while the UI server runs. All probes use execFile (no shell)
+ * and never throw: errors collapse to `{ available: false, reason }`.
+ *
+ * Unknown profile ids default to `available: true` so unrelated addons
+ * (e.g. a future "high-mem" profile that doesn't probe hardware) keep
+ * working without code changes here.
+ */
+export async function getAddonProfileAvailability(
+  profile: Pick<AddonProfile, 'id'>,
+): Promise<AddonProfileAvailability> {
+  const cacheKey = profile.id;
+  const cached = availabilityCache.get(cacheKey);
+  if (cached) return cached;
+
+  let result: AddonProfileAvailability;
+  try {
+    if (profile.id === 'cpu') {
+      result = { available: true };
+    } else if (profile.id === 'cuda') {
+      result = await probeCuda();
+    } else if (profile.id === 'rocm') {
+      result = await probeRocm();
+    } else {
+      // Unknown profile id — assume available; caller is responsible for
+      // labelling profiles that need host capability gating.
+      result = { available: true };
+    }
+  } catch (err) {
+    // Belt-and-braces: any unexpected throw collapses to unavailable.
+    const reason = err instanceof Error ? err.message : String(err);
+    result = { available: false, reason: `probe failed: ${reason}` };
+  }
+
+  availabilityCache.set(cacheKey, result);
+  return result;
+}
+
+/**
+ * Decorate a list of profiles with `available`/`reason` based on the host
+ * capability probes. Returns a fresh array; does not mutate inputs.
+ */
+export async function annotateAddonProfileAvailability(
+  profiles: AddonProfile[],
+): Promise<AddonProfile[]> {
+  const results = await Promise.all(
+    profiles.map(async (p) => {
+      const a = await getAddonProfileAvailability(p);
+      const annotated: AddonProfile = { ...p, available: a.available };
+      if (a.reason) annotated.reason = a.reason;
+      return annotated;
+    }),
+  );
+  return results;
+}
+
+function readAddonProfiles(composePath: string): AddonProfile[] {
+  if (!existsSync(composePath)) return [];
+
+  let parsed: unknown;
+  try {
+    parsed = parseYaml(readFileSync(composePath, "utf-8"));
+  } catch (error) {
+    logger.warn("failed to parse addon compose profiles", {
+      composePath,
+      error: error instanceof Error ? error.message : String(error),
+    });
+    return [];
+  }
+
+  const services = parsed && typeof parsed === "object"
+    ? (parsed as { services?: unknown }).services
+    : undefined;
+  if (!services || typeof services !== "object" || Array.isArray(services)) return [];
+
+  const byProfile = new Map<string, AddonProfile>();
+  for (const [svcName, svcRaw] of Object.entries(services as Record<string, unknown>)) {
+    if (!svcRaw || typeof svcRaw !== "object") continue;
+    const svc = svcRaw as { profiles?: unknown; labels?: unknown };
+    if (!Array.isArray(svc.profiles)) continue;
+    const profileIds = svc.profiles.filter((p): p is string => typeof p === "string");
+    if (profileIds.length === 0) continue;
+
+    const labels = readServiceLabels(svc.labels);
+    const label = labels["openpalm.profile.label"];
+    const requires = labels["openpalm.profile.requires"];
+    const isDefault = labels["openpalm.profile.default"] === "true";
+
+    for (const id of profileIds) {
+      const existing = byProfile.get(id);
+      if (existing) {
+        existing.services.push(svcName);
+        if (!existing.label && label) existing.label = label;
+        if (!existing.requires && requires) existing.requires = requires;
+        if (!existing.default && isDefault) existing.default = true;
+      } else {
+        const profile: AddonProfile = { id, services: [svcName] };
+        if (label) profile.label = label;
+        if (requires) profile.requires = requires;
+        if (isDefault) profile.default = true;
+        byProfile.set(id, profile);
+      }
+    }
+  }
+
+  return [...byProfile.values()];
+}
+
+function readServiceLabels(raw: unknown): Record<string, string> {
+  if (!raw) return {};
+  const out: Record<string, string> = {};
+  if (Array.isArray(raw)) {
+    for (const entry of raw) {
+      if (typeof entry !== "string") continue;
+      const eq = entry.indexOf("=");
+      if (eq < 0) continue;
+      out[entry.slice(0, eq)] = entry.slice(eq + 1);
+    }
+  } else if (typeof raw === "object") {
+    for (const [k, v] of Object.entries(raw as Record<string, unknown>)) {
+      if (v == null) continue;
+      out[k] = String(v);
+    }
+  }
+  return out;
+}
+
+export function getAddonProfiles(homeDir: string, name: string): AddonProfile[] {
+  if (!VALID_NAME_RE.test(name)) throw new Error(`Invalid addon name: ${name}`);
+
+  const composeCandidates = [
+    join(homeDir, "config", "stack", "addons", name, "compose.yml"),
+    join(homeDir, "state", "registry", "addons", name, "compose.yml"),
+  ];
+
+  for (const composePath of composeCandidates) {
+    const profiles = readAddonProfiles(composePath);
+    if (profiles.length > 0) return profiles;
+  }
+
+  return [];
+}
+
+function profileEnvKey(name: string): string {
+  if (!VALID_NAME_RE.test(name)) throw new Error(`Invalid addon name: ${name}`);
+  return `OP_${name.replace(/-/g, '_').toUpperCase()}_PROFILE`;
+}
+
+export function getAddonProfileSelection(stackDir: string, name: string): string | null {
+  const env = readStackEnv(stackDir);
+  const value = env[profileEnvKey(name)];
+  return value && value.trim() ? value.trim() : null;
+}
+
+export function setAddonProfileSelection(stackDir: string, name: string, profile: string): void {
+  const trimmed = profile.trim();
+  if (!trimmed) throw new Error('Profile id cannot be empty');
+  patchSecretsEnvFile(stackDir, { [profileEnvKey(name)]: trimmed });
+}
+
+function enableAddon(homeDir: string, name: string): MutationResult {
   try {
     copyAddonFromRegistry(homeDir, name);
     // Pre-create the addon services directory so Docker doesn't create it as root
@@ -350,7 +679,7 @@ export function enableAddon(homeDir: string, name: string): MutationResult {
   }
 }
 
-export function disableAddonByName(homeDir: string, name: string): MutationResult {
+function disableAddonByName(homeDir: string, name: string): MutationResult {
   try {
     removeEnabledAddon(homeDir, name);
     return { ok: true };

package/src/control-plane/secrets.ts

@@ -14,8 +14,8 @@ const logger = createLogger("secrets");
 /** Keys whose values are shown unmasked in the UI (not secrets). */
 export const PLAIN_CONFIG_KEYS = new Set([
   "OPENAI_BASE_URL",
-  "OWNER_NAME",
-  "OWNER_EMAIL",
+  "OP_OWNER_NAME",
+  "OP_OWNER_EMAIL",
 ]);
 
 
@@ -91,8 +91,8 @@ function ensureSystemSecrets(state: ControlPlaneState): void {
       "LMSTUDIO_API_KEY=",
       "",
       "# ── Owner ────────────────────────────────────────────────────────────",
-      `OWNER_NAME=${process.env.OWNER_NAME ?? ""}`,
-      `OWNER_EMAIL=${process.env.OWNER_EMAIL ?? ""}`,
+      `OP_OWNER_NAME=${process.env.OP_OWNER_NAME ?? ""}`,
+      `OP_OWNER_EMAIL=${process.env.OP_OWNER_EMAIL ?? ""}`,
       "",
     ].join("\n");
     const content = mergeEnvContent(header, updates);

package/src/control-plane/setup.test.ts

@@ -218,15 +218,15 @@ describe("buildSecretsFromSetup", () => {
   it("sets owner info when provided", () => {
     const spec = makeValidSpec();
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
-    expect(secrets.OWNER_NAME).toBe("Test User");
-    expect(secrets.OWNER_EMAIL).toBe("test@example.com");
+    expect(secrets.OP_OWNER_NAME).toBe("Test User");
+    expect(secrets.OP_OWNER_EMAIL).toBe("test@example.com");
   });
 
   it("omits owner info when empty", () => {
     const spec = makeValidSpec({ owner: { name: "", email: "" } });
     const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
-    expect(secrets.OWNER_NAME).toBeUndefined();
-    expect(secrets.OWNER_EMAIL).toBeUndefined();
+    expect(secrets.OP_OWNER_NAME).toBeUndefined();
+    expect(secrets.OP_OWNER_EMAIL).toBeUndefined();
   });
 
   it("does NOT include provider API keys in stack.env updates", () => {
@@ -367,8 +367,8 @@ describe("performSetup", () => {
         "GROQ_API_KEY=",
         "MISTRAL_API_KEY=",
         "GOOGLE_API_KEY=",
-        "OWNER_NAME=",
-        "OWNER_EMAIL=",
+        "OP_OWNER_NAME=",
+        "OP_OWNER_EMAIL=",
         "",
       ].join("\n")
     );