@openpalm/lib 0.11.0-beta.9 → 0.11.0-rc.18

package/src/control-plane/registry.ts

@@ -1,8 +1,9 @@
 /**
- * Registry catalog discovery and refresh.
+ * Built-in addon/profile discovery and legacy registry helpers.
  *
- * `OP_HOME/state/registry` is the only persistent catalog location.
- * Install seeds it once; refresh replaces it explicitly.
+ * Runtime addon enablement is recorded as OP_ENABLED_ADDONS in stack.env and
+ * resolved to Compose profiles. The fixed compose files under config/stack are
+ * the runtime source of truth.
  */
 import { cpSync, existsSync, mkdtempSync, mkdirSync, readdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
 import { execFile, execFileSync } from 'node:child_process';
@@ -10,19 +11,164 @@ import { join } from 'node:path';
 import { tmpdir } from 'node:os';
 import { parse as parseYaml } from 'yaml';
 import { createLogger } from '../logger.js';
-import { isChannelAddon } from './channels.js';
-import { randomHex, writeChannelSecrets } from './config-persistence.js';
+import { resolveLocalOpenpalmDir } from './ui-assets.js';
+import { ensureChannelSecret } from './config-persistence.js';
 import { patchSecretsEnvFile, readStackEnv } from './secrets.js';
+import { readBundledStackAsset } from './core-assets.js';
+import { canonicalAddonProfileSelection, resolveHardwareProfileVariant } from './profile-ids.js';
+import { parseEnabledAddons } from './env.js';
+import type { ControlPlaneState } from './types.js';
 import {
   resolveRegistryAddonsDir,
   resolveRegistryAutomationsDir,
   resolveRegistryDir,
+  resolveStashDir,
 } from './home.js';
 
 const BRANCH_RE = /^[a-zA-Z0-9._\/-]+$/;
 const URL_RE = /^(https:\/\/|git@)/;
 const VALID_NAME_RE = /^[a-z0-9][a-z0-9-]{0,62}$/;
 const logger = createLogger('registry');
+const BUILTIN_ADDONS = ['api', 'chat', 'discord', 'ollama', 'slack', 'ssh', 'voice'] as const;
+
+// Credential/config field definitions for the first-party addons, parsed by the
+// admin Secrets/Addons UI (`# @sensitive` → password+masked, `KEY=DEFAULT`).
+// The file-based registry was removed from the skeleton, so these live in-code.
+// `ssh` is compose/profile-only (no configurable env) and is intentionally absent.
+const BUILTIN_ADDON_ENV_SCHEMAS: Record<string, string> = {
+  api: `# API Gateway channel configuration
+# ---
+
+# HMAC secret for the API channel. Auto-generated during setup if left blank;
+# stored as knowledge/secrets/channel_api_secret.
+# @required @sensitive
+CHANNEL_API_SECRET=
+`,
+  chat: `# Web Chat channel configuration
+# ---
+
+# HMAC secret for the chat channel. Auto-generated during setup if left blank;
+# stored as knowledge/secrets/channel_chat_secret.
+# @required @sensitive
+CHANNEL_CHAT_SECRET=
+`,
+  discord: `# Discord bot configuration
+# ---
+
+# HMAC secret for the Discord channel. Auto-generated during setup if left blank.
+# @required @sensitive
+CHANNEL_DISCORD_SECRET=
+
+# ---
+# Discord credentials
+# ---
+
+# Application ID from the Discord Developer Portal.
+# https://discord.com/developers/applications
+# @required
+DISCORD_APPLICATION_ID=
+
+# Bot token from the Discord Developer Portal (Bot → Token).
+# @required @sensitive
+DISCORD_BOT_TOKEN=
+
+# ---
+# Access control
+# ---
+
+# Comma-separated allowed guild (server) IDs. Empty = all joined guilds.
+DISCORD_ALLOWED_GUILDS=
+
+# Comma-separated allowed role IDs.
+DISCORD_ALLOWED_ROLES=
+
+# Comma-separated allowed user IDs.
+DISCORD_ALLOWED_USERS=
+
+# Comma-separated blocked user IDs (denied even if otherwise allowed).
+DISCORD_BLOCKED_USERS=
+
+# ---
+# Behavior
+# ---
+
+# Register slash commands on startup.
+DISCORD_REGISTER_COMMANDS=true
+
+# JSON array of custom slash command definitions.
+DISCORD_CUSTOM_COMMANDS=
+
+# Hours before a conversation thread expires.
+DISCORD_THREAD_TTL_HOURS=24
+
+# Milliseconds to wait before forwarding a message (0 = immediate).
+DISCORD_FORWARD_TIMEOUT_MS=0
+`,
+  slack: `# Slack bot configuration
+# ---
+
+# HMAC secret for the Slack channel. Auto-generated during setup if left blank.
+# @required @sensitive
+CHANNEL_SLACK_SECRET=
+
+# ---
+# Slack credentials
+# ---
+
+# Bot User OAuth Token (OAuth & Permissions → Bot User OAuth Token).
+# @required @sensitive
+SLACK_BOT_TOKEN=
+
+# App-Level Token with connections:write (Basic Information → App-Level Tokens).
+# @required @sensitive
+SLACK_APP_TOKEN=
+
+# ---
+# Access control
+# ---
+
+# Comma-separated allowed channel IDs. Empty = all channels the bot is in.
+SLACK_ALLOWED_CHANNELS=
+
+# Comma-separated allowed user IDs.
+SLACK_ALLOWED_USERS=
+
+# Comma-separated blocked user IDs.
+SLACK_BLOCKED_USERS=
+
+# ---
+# Behavior
+# ---
+
+# Hours before a conversation thread expires.
+SLACK_THREAD_TTL_HOURS=24
+
+# Milliseconds to allow for guardian forwarding before timing out (default 30m).
+SLACK_FORWARD_TIMEOUT_MS=1800000
+`,
+  ollama: `# Ollama component configuration
+# ---
+
+# Bind address for the Ollama HTTP API (default: localhost only).
+# @required
+OP_OLLAMA_BIND_ADDRESS=127.0.0.1
+`,
+  voice: `# OpenPalm Voice (Kokoro TTS + Whisper STT) configuration
+# ---
+# Local inference server — no upstream API or key. Values are optional; the
+# compose overlay supplies safe defaults.
+
+# faster-whisper model id. Default base.en is baked into the image.
+# @required
+OP_VOICE_WHISPER_MODEL=base.en
+
+# Default Kokoro voice id (54 bundled voices, e.g. af_heart, am_michael).
+OP_VOICE_KOKORO_VOICE=bf_isabella
+
+# Python logging level: debug, info, warning, error.
+OP_VOICE_LOG_LEVEL=info
+`,
+};
 
 let warnedMissingRegistryAddonsDir = false;
 
@@ -107,8 +253,8 @@ function countValidAutomations(rootDir: string): number {
   const automationsDir = join(rootDir, 'automations');
   if (!existsSync(automationsDir)) return 0;
   return readdirSync(automationsDir).filter((file) => {
-    if (!file.endsWith('.md')) return false;
-    return isValidComponentName(file.replace(/\.md$/, ''));
+    if (!file.endsWith('.yml')) return false;
+    return isValidComponentName(file.replace(/\.yml$/, ''));
   }).length;
 }
 
@@ -127,8 +273,8 @@ export function verifyRegistryCatalog(rootDir = resolveRegistryDir()): RegistryC
 }
 
 export function materializeRegistryCatalog(sourceRoot: string): string {
-  const sourceAddonsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'addons');
-  const sourceAutomationsDir = join(sourceRoot, '.openpalm', 'state', 'registry', 'automations');
+  const sourceAddonsDir = join(sourceRoot, '.openpalm', 'data', 'registry', 'addons');
+  const sourceAutomationsDir = join(sourceRoot, '.openpalm', 'data', 'registry', 'automations');
   const tempRoot = mkdtempSync(join(tmpdir(), 'openpalm-registry-materialize-'));
 
   try {
@@ -205,29 +351,28 @@ export function discoverRegistryComponents(): Record<string, RegistryComponentEn
 }
 
 export function discoverRegistryAutomations(stashDir: string): RegistryAutomationEntry[] {
-  const automationsDir = resolveRegistryAutomationsDir();
+  const localOpenpalmDir = resolveLocalOpenpalmDir();
+  const automationsDir = localOpenpalmDir
+    ? join(localOpenpalmDir, 'knowledge', 'tasks')
+    : join(stashDir, 'tasks');
   if (!existsSync(automationsDir)) return [];
 
   return readdirSync(automationsDir)
-    .filter((file) => file.endsWith('.md'))
+    .filter((file) => file.endsWith('.yml'))
     .map((file) => {
-      const name = file.replace(/\.md$/, '');
+      const name = file.replace(/\.yml$/, '');
       if (!VALID_NAME_RE.test(name)) return null;
 
       const content = readFileSync(join(automationsDir, file), 'utf-8');
       let description = '';
       let schedule = '';
 
-      // Extract frontmatter metadata (between --- delimiters)
+      // Extract YAML metadata.
       try {
-        const after = content.startsWith('---') ? content.slice(3) : '';
-        const end = after.indexOf('\n---');
-        if (end !== -1) {
-          const parsed = parseYaml(after.slice(0, end));
-          if (parsed && typeof parsed === 'object') {
-            description = (parsed as Record<string, unknown>).description as string ?? '';
-            schedule = (parsed as Record<string, unknown>).schedule as string ?? '';
-          }
+        const parsed = parseYaml(content);
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+          description = (parsed as Record<string, unknown>).description as string ?? '';
+          schedule = (parsed as Record<string, unknown>).schedule as string ?? '';
         }
       } catch {
         // best-effort metadata extraction
@@ -246,75 +391,75 @@ export function discoverRegistryAutomations(stashDir: string): RegistryAutomatio
 
 export function getRegistryAutomation(name: string): string | null {
   if (!VALID_NAME_RE.test(name)) return null;
-  const mdPath = join(resolveRegistryAutomationsDir(), `${name}.md`);
-  if (!existsSync(mdPath)) return null;
-  return readFileSync(mdPath, 'utf-8');
+  const localOpenpalmDir = resolveLocalOpenpalmDir();
+  const candidates = [
+    localOpenpalmDir ? join(localOpenpalmDir, 'knowledge', 'tasks', `${name}.yml`) : '',
+    join(resolveStashDir(), 'tasks', `${name}.yml`),
+    join(resolveRegistryAutomationsDir(), `${name}.yml`),
+  ].filter(Boolean);
+  for (const ymlPath of candidates) {
+    if (existsSync(ymlPath)) return readFileSync(ymlPath, 'utf-8');
+  }
+  return null;
 }
 
-export function getRegistryAddonConfig(homeDir: string, name: string): RegistryAddonConfig {
+export function getRegistryAddonConfig(_homeDir: string, name: string): RegistryAddonConfig {
   if (!VALID_NAME_RE.test(name)) {
     throw new Error(`Invalid addon name: ${name}`);
   }
 
-  // Overlay-only addons (compose.yml only, no .env.schema) have no env vars
-  // to render, so the schema reads as an empty string.
-  const schemaPath = `state/registry/addons/${name}/.env.schema`;
-  const schemaFile = join(homeDir, schemaPath);
+  // Resolve the addon's `.env.schema` (credential/config field definitions):
+  //   1. A materialized registry copy at OP_HOME/data/registry/addons (custom
+  //      addons installed from a registry win).
+  //   2. The built-in schema embedded below (the first-party addons). The
+  //      file-based registry was removed from the skeleton, so the built-in
+  //      addon credential schemas live in-code rather than as bundled files.
+  const materialized = join(resolveRegistryAddonsDir(), name, '.env.schema');
+  if (existsSync(materialized)) {
+    return { schemaPath: materialized, userEnvPath: 'knowledge/env/stack.env', envSchema: readFileSync(materialized, 'utf-8') };
+  }
   return {
-    schemaPath,
-    userEnvPath: 'config/stack/stack.env',
-    envSchema: existsSync(schemaFile) ? readFileSync(schemaFile, 'utf-8') : '',
+    schemaPath: '',
+    userEnvPath: 'knowledge/env/stack.env',
+    envSchema: BUILTIN_ADDON_ENV_SCHEMAS[name] ?? '',
   };
 }
 
 export function listAvailableAddonIds(): string[] {
-  const addonsDir = resolveRegistryAddonsDir();
-  if (!existsSync(addonsDir) && !warnedMissingRegistryAddonsDir) {
-    warnedMissingRegistryAddonsDir = true;
-    logger.warn('registry addons directory is missing', { addonsDir });
-  }
-  return Object.keys(discoverRegistryComponents()).sort();
+  return [...BUILTIN_ADDONS].sort();
 }
 
 export function listEnabledAddonIds(homeDir: string): string[] {
-  const addonsDir = join(homeDir, 'config', 'stack', 'addons');
-  if (!existsSync(addonsDir)) return [];
-
-  return readdirSync(addonsDir, { withFileTypes: true })
-    .filter((entry) => entry.isDirectory() && existsSync(join(addonsDir, entry.name, 'compose.yml')))
-    .map((entry) => entry.name)
-    .sort();
-}
-
-function copyAddonFromRegistry(homeDir: string, name: string): void {
-  if (!VALID_NAME_RE.test(name)) throw new Error(`Invalid addon name: ${name}`);
-
-  const sourceDir = join(resolveRegistryAddonsDir(), name);
-  // compose.yml is the only required file. Overlay-only addons may omit
-  // .env.schema entirely.
-  if (!existsSync(join(sourceDir, 'compose.yml'))) {
-    throw new Error(`Addon "${name}" not found in registry`);
+  const env = readStackEnv(join(homeDir, 'config', 'stack'));
+  const enabled = new Set(parseEnabledAddons(env.OP_ENABLED_ADDONS));
+  const profiles = new Set((env.COMPOSE_PROFILES ?? '').split(',').map((p) => p.trim()).filter(Boolean));
+  for (const key of ['OP_VOICE_PROFILE', 'OP_OLLAMA_PROFILE']) {
+    const profile = env[key]?.trim();
+    if (profile) profiles.add(profile);
   }
-
-  const targetDir = join(homeDir, 'config', 'stack', 'addons', name);
-  rmSync(targetDir, { recursive: true, force: true });
-  mkdirSync(join(homeDir, 'config', 'stack', 'addons'), { recursive: true });
-  cpSync(sourceDir, targetDir, { recursive: true });
-}
-
-function removeEnabledAddon(homeDir: string, name: string): void {
-  if (!VALID_NAME_RE.test(name)) throw new Error(`Invalid addon name: ${name}`);
-  rmSync(join(homeDir, 'config', 'stack', 'addons', name), { recursive: true, force: true });
+  for (const profile of profiles) {
+    const match = profile.match(/^addon\.([a-z0-9-]+)(?:\.|$)/);
+    if (match?.[1]) enabled.add(match[1]);
+  }
+  return [...enabled].sort();
 }
 
-function readAddonServiceNames(composePath: string): string[] {
-  if (!existsSync(composePath)) return [];
-
+function readAddonServiceNamesFromContent(composeContent: string, composePath: string, addonName?: string): string[] {
   try {
-    const parsed = parseYaml(readFileSync(composePath, "utf-8"));
+    const parsed = parseYaml(composeContent);
     const services = parsed && typeof parsed === "object" ? (parsed as { services?: unknown }).services : undefined;
     if (!services || typeof services !== "object" || Array.isArray(services)) return [];
-    return Object.keys(services as Record<string, unknown>);
+    const entries = Object.entries(services as Record<string, unknown>);
+    if (!addonName) return entries.map(([name]) => name);
+    return entries
+      .filter(([serviceName, raw]) => {
+        if (serviceName === 'guardian') return false;
+        if (serviceName === addonName || serviceName.startsWith(`${addonName}-`)) return true;
+        if (!raw || typeof raw !== 'object') return false;
+        const profiles = (raw as { profiles?: unknown }).profiles;
+        return Array.isArray(profiles) && profiles.some((p) => typeof p === 'string' && p.startsWith(`addon.${addonName}`));
+      })
+      .map(([serviceName]) => serviceName);
   } catch (error) {
     logger.warn("failed to parse addon compose services", {
       composePath,
@@ -324,16 +469,27 @@ function readAddonServiceNames(composePath: string): string[] {
   }
 }
 
+function readAddonServiceNames(composePath: string, addonName?: string): string[] {
+  if (!existsSync(composePath)) return [];
+  return readAddonServiceNamesFromContent(readFileSync(composePath, "utf-8"), composePath, addonName);
+}
+
 export function getAddonServiceNames(homeDir: string, name: string): string[] {
   if (!VALID_NAME_RE.test(name)) throw new Error(`Invalid addon name: ${name}`);
 
   const composeCandidates = [
-    join(homeDir, "config", "stack", "addons", name, "compose.yml"),
-    join(homeDir, "state", "registry", "addons", name, "compose.yml"),
+    join(homeDir, "config", "stack", "channels.compose.yml"),
+    join(homeDir, "config", "stack", "services.compose.yml"),
+    join(homeDir, "config", "stack", "custom.compose.yml"),
   ];
 
   for (const composePath of composeCandidates) {
-    const services = readAddonServiceNames(composePath);
+    const services = readAddonServiceNames(composePath, name);
+    if (services.length > 0) return services;
+  }
+
+  for (const assetName of ["channels.compose.yml", "services.compose.yml", "custom.compose.yml"]) {
+    const services = readAddonServiceNamesFromContent(readBundledStackAsset(assetName), `bundled:${assetName}`, name);
     if (services.length > 0) return services;
   }
 
@@ -418,14 +574,18 @@ function execFileNoThrow(
 /**
  * Compute the openpalm/voice image ref for a given GPU variant, matching
  * the substitution chain in the addon compose file:
- *   ${OP_IMAGE_NAMESPACE:-openpalm}/voice:${OP_VOICE_IMAGE_TAG:-${OP_IMAGE_TAG:-v0.11.0}-<variant>}
+ *   ${OP_IMAGE_NAMESPACE:-openpalm}/voice:${OP_VOICE_IMAGE_TAG:-latest-<variant>}
+ *
+ * Voice images are published OUT OF BAND (publish-voice.yml), decoupled from the
+ * platform OP_IMAGE_TAG — they are heavy and rarely change. So the default is
+ * the moving `latest-<variant>` voice tag; operators pin a specific build by
+ * setting OP_VOICE_IMAGE_TAG (e.g. `v1.0.0-cpu`).
  */
 function voiceImageRef(variant: 'cpu' | 'cu121' | 'rocm6'): string {
   const namespace = process.env.OP_IMAGE_NAMESPACE?.trim() || 'openpalm';
   const explicit = process.env.OP_VOICE_IMAGE_TAG?.trim();
   if (explicit) return `${namespace}/voice:${explicit}`;
-  const baseTag = process.env.OP_IMAGE_TAG?.trim() || 'v0.11.0';
-  return `${namespace}/voice:${baseTag}-${variant}`;
+  return `${namespace}/voice:latest-${variant}`;
 }
 
 /**
@@ -525,11 +685,12 @@ export async function getAddonProfileAvailability(
 
   let result: AddonProfileAvailability;
   try {
-    if (profile.id === 'cpu') {
+    const variant = resolveHardwareProfileVariant(profile.id);
+    if (variant === 'cpu') {
       result = { available: true };
-    } else if (profile.id === 'cuda') {
+    } else if (variant === 'cuda') {
       result = await probeCuda();
-    } else if (profile.id === 'rocm') {
+    } else if (variant === 'rocm') {
       result = await probeRocm();
     } else {
       // Unknown profile id — assume available; caller is responsible for
@@ -564,12 +725,10 @@ export async function annotateAddonProfileAvailability(
   return results;
 }
 
-function readAddonProfiles(composePath: string): AddonProfile[] {
-  if (!existsSync(composePath)) return [];
-
+function readAddonProfilesFromContent(composeContent: string, composePath: string): AddonProfile[] {
   let parsed: unknown;
   try {
-    parsed = parseYaml(readFileSync(composePath, "utf-8"));
+    parsed = parseYaml(composeContent);
   } catch (error) {
     logger.warn("failed to parse addon compose profiles", {
       composePath,
@@ -616,6 +775,11 @@ function readAddonProfiles(composePath: string): AddonProfile[] {
   return [...byProfile.values()];
 }
 
+function readAddonProfiles(composePath: string): AddonProfile[] {
+  if (!existsSync(composePath)) return [];
+  return readAddonProfilesFromContent(readFileSync(composePath, "utf-8"), composePath);
+}
+
 function readServiceLabels(raw: unknown): Record<string, string> {
   if (!raw) return {};
   const out: Record<string, string> = {};
@@ -639,12 +803,26 @@ export function getAddonProfiles(homeDir: string, name: string): AddonProfile[]
   if (!VALID_NAME_RE.test(name)) throw new Error(`Invalid addon name: ${name}`);
 
   const composeCandidates = [
-    join(homeDir, "config", "stack", "addons", name, "compose.yml"),
-    join(homeDir, "state", "registry", "addons", name, "compose.yml"),
+    join(homeDir, "config", "stack", "channels.compose.yml"),
+    join(homeDir, "config", "stack", "services.compose.yml"),
+    join(homeDir, "config", "stack", "custom.compose.yml"),
   ];
 
+	const localOpenpalmDir = resolveLocalOpenpalmDir();
+	if (localOpenpalmDir) {
+		composeCandidates.push(join(localOpenpalmDir, 'config', 'stack', 'channels.compose.yml'));
+		composeCandidates.push(join(localOpenpalmDir, 'config', 'stack', 'services.compose.yml'));
+		composeCandidates.push(join(localOpenpalmDir, 'config', 'stack', 'custom.compose.yml'));
+	}
+
   for (const composePath of composeCandidates) {
-    const profiles = readAddonProfiles(composePath);
+    const profiles = readAddonProfiles(composePath).filter((profile) => profile.id.startsWith(`addon.${name}`));
+    if (profiles.length > 0) return profiles;
+  }
+
+  for (const assetName of ["channels.compose.yml", "services.compose.yml", "custom.compose.yml"]) {
+    const profiles = readAddonProfilesFromContent(readBundledStackAsset(assetName), `bundled:${assetName}`)
+      .filter((profile) => profile.id.startsWith(`addon.${name}`));
     if (profiles.length > 0) return profiles;
   }
 
@@ -659,42 +837,53 @@ function profileEnvKey(name: string): string {
 export function getAddonProfileSelection(stackDir: string, name: string): string | null {
   const env = readStackEnv(stackDir);
   const value = env[profileEnvKey(name)];
-  return value && value.trim() ? value.trim() : null;
+  const normalized = value ? canonicalAddonProfileSelection(name, value) : '';
+  return normalized ? normalized : null;
 }
 
-export function setAddonProfileSelection(stackDir: string, name: string, profile: string): void {
-  const trimmed = profile.trim();
-  if (!trimmed) throw new Error('Profile id cannot be empty');
+export function setAddonProfileSelection(stackDir: string, name: string, profile: string, state?: ControlPlaneState): void {
+  const trimmed = canonicalAddonProfileSelection(name, profile);
+  if (!trimmed) throw new Error(`Invalid canonical profile id for addon ${name}: ${profile}`);
   patchSecretsEnvFile(stackDir, { [profileEnvKey(name)]: trimmed });
 }
 
-function enableAddon(homeDir: string, name: string): MutationResult {
+/** Add/remove an addon id in the OP_ENABLED_ADDONS list in stack.env. */
+function setEnabledAddonState(stackDir: string, name: string, enabled: boolean): void {
+  const current = new Set(parseEnabledAddons(readStackEnv(stackDir).OP_ENABLED_ADDONS));
+  if (enabled) current.add(name);
+  else current.delete(name);
+  patchSecretsEnvFile(stackDir, { OP_ENABLED_ADDONS: [...current].sort().join(',') });
+}
+
+function enableAddon(homeDir: string, stackDir: string, name: string): MutationResult {
   try {
-    copyAddonFromRegistry(homeDir, name);
-    // Pre-create the addon services directory so Docker doesn't create it as root
-    mkdirSync(join(homeDir, 'services', name), { recursive: true });
+    if (!VALID_NAME_RE.test(name)) throw new Error(`Invalid addon name: ${name}`);
+    setEnabledAddonState(stackDir, name, true);
+    if (name === 'ssh') patchSecretsEnvFile(stackDir, { OPENCODE_ENABLE_SSH: '1' });
     return { ok: true };
   } catch (error) {
     return { ok: false, error: error instanceof Error ? error.message : String(error) };
   }
 }
 
-function disableAddonByName(homeDir: string, name: string): MutationResult {
+function disableAddonByName(homeDir: string, stackDir: string, name: string): MutationResult {
   try {
-    removeEnabledAddon(homeDir, name);
+    if (!VALID_NAME_RE.test(name)) throw new Error(`Invalid addon name: ${name}`);
+    setEnabledAddonState(stackDir, name, false);
+    if (name === 'ssh') patchSecretsEnvFile(stackDir, { OPENCODE_ENABLE_SSH: '0' });
     return { ok: true };
   } catch (error) {
     return { ok: false, error: error instanceof Error ? error.message : String(error) };
   }
 }
 
-export function setAddonEnabled(homeDir: string, stackDir: string, name: string, enabled: boolean): AddonMutationResult {
+export function setAddonEnabled(homeDir: string, stackDir: string, name: string, enabled: boolean, state?: ControlPlaneState): AddonMutationResult {
   if (!VALID_NAME_RE.test(name)) {
     return { ok: false, error: `Invalid addon name: ${name}` };
   }
 
   if (!listAvailableAddonIds().includes(name)) {
-    return { ok: false, error: `Addon "${name}" not found in registry` };
+    return { ok: false, error: `Addon "${name}" is not built in` };
   }
 
   const wasEnabled = listEnabledAddonIds(homeDir).includes(name);
@@ -709,16 +898,18 @@ export function setAddonEnabled(homeDir: string, stackDir: string, name: string,
     };
   }
 
-  const mutation = enabled ? enableAddon(homeDir, name) : disableAddonByName(homeDir, name);
+  const mutation = enabled ? enableAddon(homeDir, stackDir, name) : disableAddonByName(homeDir, stackDir, name);
   if (!mutation.ok) return mutation;
 
   if (enabled) {
-    const composePath = join(homeDir, "config", "stack", "addons", name, "compose.yml");
-    if (isChannelAddon(composePath)) {
-      writeChannelSecrets(stackDir, { [name]: randomHex(16) });
+    if (['api', 'chat', 'discord', 'slack'].includes(name)) {
+      for (const channel of ['api', 'chat', 'discord', 'slack']) {
+        ensureChannelSecret(stackDir, channel);
+      }
     }
   }
 
+
   return {
     ok: true,
     enabled,
@@ -732,20 +923,20 @@ export function installAutomationFromRegistry(name: string, stashDir: string): M
     return { ok: false, error: `Invalid automation name: ${name}` };
   }
 
-  const markdownContent = getRegistryAutomation(name);
-  if (!markdownContent) {
+  const taskContent = getRegistryAutomation(name);
+  if (!taskContent) {
     return { ok: false, error: `Automation "${name}" not found in registry` };
   }
 
   const tasksDir = join(stashDir, 'tasks');
   mkdirSync(tasksDir, { recursive: true });
 
-  const mdPath = join(tasksDir, `${name}.md`);
-  if (existsSync(mdPath)) {
+  const ymlPath = join(tasksDir, `${name}.yml`);
+  if (existsSync(ymlPath)) {
     return { ok: false, error: `Automation "${name}" is already installed` };
   }
 
-  writeFileSync(mdPath, markdownContent);
+  writeFileSync(ymlPath, taskContent);
   // The assistant container's 60-second akm tasks sync loop picks up the new
   // file from the shared stash mount and registers it with OS cron.
   return { ok: true };
@@ -756,12 +947,12 @@ export function uninstallAutomation(name: string, stashDir: string): MutationRes
     return { ok: false, error: `Invalid automation name: ${name}` };
   }
 
-  const mdPath = join(stashDir, 'tasks', `${name}.md`);
-  if (!existsSync(mdPath)) {
+  const ymlPath = join(stashDir, 'tasks', `${name}.yml`);
+  if (!existsSync(ymlPath)) {
     return { ok: false, error: `Automation "${name}" is not installed` };
   }
 
-  rmSync(mdPath, { force: true });
+  rmSync(ymlPath, { force: true });
   // The assistant container's 60-second akm tasks sync will notice the file
   // is gone and deregister it from OS cron on next sync.
   return { ok: true };