@openpalm/lib 0.9.9 → 0.10.1

package/src/control-plane/install-edge-cases.test.ts

@@ -1,9 +1,9 @@
 /**
  * Edge-case tests for the OpenPalm install and setup flow.
  *
- * Each test creates its own temp directory tree mimicking the XDG layout
- * (CONFIG_HOME, DATA_HOME, STATE_HOME), then runs the actual library
- * functions against it. No mocks of code under test.
+ * Each test creates its own temp directory tree mimicking the single
+ * ~/.openpalm/ root layout (config, vault, data, logs), then runs the
+ * actual library functions against it. No mocks of code under test.
  */
 import { describe, expect, it, beforeEach, afterEach } from "bun:test";
 import {
@@ -16,31 +16,37 @@ import {
 } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { parse as yamlParse } from "yaml";
-
 import { parseEnvContent, parseEnvFile, mergeEnvContent } from "./env.js";
-import { ensureSecrets, loadSecretsEnvFile } from "./secrets.js";
+import { ensureSecrets, readStackEnv } from "./secrets.js";
 import { isSetupComplete } from "./setup-status.js";
 import {
   performSetup,
   buildSecretsFromSetup,
-  buildConnectionEnvVarMap,
+  buildSystemSecretsFromSetup,
 } from "./setup.js";
-import type { SetupInput, SetupConnection } from "./setup.js";
-import type { CoreAssetProvider } from "./core-asset-provider.js";
+import type { SetupSpec, SetupConnection } from "./setup.js";
 import type { ControlPlaneState } from "./types.js";
 import { STACK_SPEC_FILENAME, readStackSpec } from "./stack-spec.js";
-import { readConnectionProfilesDocument } from "./connection-profiles.js";
 
 // ── Helpers ──────────────────────────────────────────────────────────────
 
-function makeValidInput(overrides?: Partial<SetupInput>): SetupInput {
+function makeValidSpec(overrides?: Partial<SetupSpec>): SetupSpec {
   return {
-    adminToken: "test-admin-token-12345",
-    ownerName: "Test User",
-    ownerEmail: "test@example.com",
-    memoryUserId: "test_user",
-    ollamaEnabled: false,
+    version: 2,
+    capabilities: {
+      llm: "openai/gpt-4o",
+      embeddings: {
+        provider: "openai",
+        model: "text-embedding-3-small",
+        dims: 1536,
+      },
+      memory: {
+        userId: "test_user",
+        customInstructions: "",
+      },
+    },
+    security: { adminToken: "test-admin-token-12345" },
+    owner: { name: "Test User", email: "test@example.com" },
     connections: [
       {
         id: "openai-main",
@@ -50,121 +56,114 @@ function makeValidInput(overrides?: Partial<SetupInput>): SetupInput {
         apiKey: "sk-test-key-123",
       },
     ],
-    assignments: {
-      llm: { connectionId: "openai-main", model: "gpt-4o" },
-      embeddings: {
-        connectionId: "openai-main",
-        model: "text-embedding-3-small",
-      },
-    },
     ...overrides,
   };
 }
 
-function createStubAssetProvider(): CoreAssetProvider {
-  return {
-    coreCompose: () => "services:\n  caddy:\n    image: caddy:latest\n",
-    caddyfile: () =>
-      ":80 {\n  @denied not remote_ip 127.0.0.0/8 ::1\n  respond @denied 403\n}\n",
-    ollamaCompose: () => "services:\n  ollama:\n    image: ollama/ollama\n",
-    adminCompose: () => "services:\n  admin:\n    image: openpalm/admin\n",
-    agentsMd: () => "# Agents\n",
-    opencodeConfig: () =>
-      '{"$schema":"https://opencode.ai/config.json"}\n',
-    adminOpencodeConfig: () =>
-      '{"$schema":"https://opencode.ai/config.json","plugin":["@openpalm/admin-tools"]}\n',
-    secretsSchema: () => "ADMIN_TOKEN=string\n",
-    stackSchema: () => "OPENPALM_IMAGE_TAG=string\n",
-    cleanupLogs: () => "name: cleanup-logs\nschedule: daily\n",
-    cleanupData: () => "name: cleanup-data\nschedule: weekly\n",
-    validateConfig: () => "name: validate-config\nschedule: hourly\n",
-  };
+/** Seed the minimal asset files that ensure* functions expect to find at OP_HOME. */
+function seedRequiredAssets(homeDir: string): void {
+  mkdirSync(join(homeDir, "stack"), { recursive: true });
+  writeFileSync(join(homeDir, "stack", "core.compose.yml"), "services:\n  assistant:\n    image: assistant:latest\n");
+  mkdirSync(join(homeDir, "data", "assistant"), { recursive: true });
+  writeFileSync(join(homeDir, "data", "assistant", "opencode.jsonc"), '{"$schema":"https://opencode.ai/config.json"}\n');
+  writeFileSync(join(homeDir, "data", "assistant", "AGENTS.md"), "# Agents\n");
+  mkdirSync(join(homeDir, "vault", "user"), { recursive: true });
+  writeFileSync(join(homeDir, "vault", "user", "user.env.schema"), "ADMIN_TOKEN=string\n");
+  mkdirSync(join(homeDir, "vault", "stack"), { recursive: true });
+  writeFileSync(join(homeDir, "vault", "stack", "stack.env.schema"), "OP_IMAGE_TAG=string\n");
+  mkdirSync(join(homeDir, "config", "automations"), { recursive: true });
+  writeFileSync(join(homeDir, "config", "automations", "cleanup-logs.yml"), "name: cleanup-logs\nschedule: daily\n");
+  writeFileSync(join(homeDir, "config", "automations", "cleanup-data.yml"), "name: cleanup-data\nschedule: weekly\n");
+  writeFileSync(join(homeDir, "config", "automations", "validate-config.yml"), "name: validate-config\nschedule: hourly\n");
 }
 
 // ── Shared test fixture ──────────────────────────────────────────────────
 
-let tempBase: string;
+let homeDir: string;
 let configDir: string;
+let vaultDir: string;
 let dataDir: string;
-let stateDir: string;
+let logsDir: string;
 
 const savedEnv: Record<string, string | undefined> = {};
 
 function saveAndSetEnv(): void {
-  savedEnv.OPENPALM_CONFIG_HOME = process.env.OPENPALM_CONFIG_HOME;
-  savedEnv.OPENPALM_DATA_HOME = process.env.OPENPALM_DATA_HOME;
-  savedEnv.OPENPALM_STATE_HOME = process.env.OPENPALM_STATE_HOME;
-  process.env.OPENPALM_CONFIG_HOME = configDir;
-  process.env.OPENPALM_DATA_HOME = dataDir;
-  process.env.OPENPALM_STATE_HOME = stateDir;
+  savedEnv.OP_HOME = process.env.OP_HOME;
+  process.env.OP_HOME = homeDir;
 }
 
 function restoreEnv(): void {
-  process.env.OPENPALM_CONFIG_HOME = savedEnv.OPENPALM_CONFIG_HOME;
-  process.env.OPENPALM_DATA_HOME = savedEnv.OPENPALM_DATA_HOME;
-  process.env.OPENPALM_STATE_HOME = savedEnv.OPENPALM_STATE_HOME;
+  process.env.OP_HOME = savedEnv.OP_HOME;
 }
 
-/** Create a full directory tree matching ensureXdgDirs() output. */
+/** Create a full directory tree matching ensureHomeDirs() output. */
 function createFullDirTree(): void {
-  tempBase = mkdtempSync(join(tmpdir(), "openpalm-edge-"));
-  configDir = join(tempBase, "config");
-  dataDir = join(tempBase, "data");
-  stateDir = join(tempBase, "state");
+  homeDir = mkdtempSync(join(tmpdir(), "openpalm-edge-"));
+  configDir = join(homeDir, "config");
+  vaultDir = join(homeDir, "vault");
+  dataDir = join(homeDir, "data");
+  logsDir = join(homeDir, "logs");
 
   for (const dir of [
+    homeDir,
     configDir,
+    join(configDir, "automations"),
     join(configDir, "channels"),
-    join(configDir, "connections"),
     join(configDir, "assistant"),
-    join(configDir, "automations"),
     join(configDir, "stash"),
+    join(homeDir, "stack"),
+    join(homeDir, "stack", "addons"),
+    vaultDir,
     dataDir,
     join(dataDir, "admin"),
     join(dataDir, "memory"),
     join(dataDir, "assistant"),
     join(dataDir, "guardian"),
-    join(dataDir, "caddy"),
-    join(dataDir, "caddy", "data"),
-    join(dataDir, "caddy", "config"),
     join(dataDir, "automations"),
     join(dataDir, "opencode"),
-    stateDir,
-    join(stateDir, "artifacts"),
-    join(stateDir, "audit"),
-    join(stateDir, "artifacts", "channels"),
-    join(stateDir, "automations"),
-    join(stateDir, "opencode"),
+    join(dataDir, "stash"),
+    join(dataDir, "workspace"),
+    logsDir,
+    join(logsDir, "opencode"),
   ]) {
     mkdirSync(dir, { recursive: true });
   }
+
+  // Seed asset files that ensure* functions expect to find at OP_HOME
+  seedRequiredAssets(homeDir);
 }
 
-/** Seed the minimal secrets.env and stack.env needed for most tests. */
+/** Seed the minimal user.env and stack.env needed for most tests. */
 function seedMinimalEnvFiles(): void {
+  mkdirSync(join(vaultDir, "user"), { recursive: true });
+  mkdirSync(join(vaultDir, "stack"), { recursive: true });
   writeFileSync(
-    join(configDir, "secrets.env"),
+    join(vaultDir, "user", "user.env"),
     [
-      "# OpenPalm Secrets",
-      "export OPENPALM_ADMIN_TOKEN=",
-      "export ADMIN_TOKEN=",
-      "export OPENAI_API_KEY=",
-      "export OPENAI_BASE_URL=",
-      "export ANTHROPIC_API_KEY=",
-      "export GROQ_API_KEY=",
-      "export MISTRAL_API_KEY=",
-      "export GOOGLE_API_KEY=",
-      "export MEMORY_USER_ID=default_user",
-      "export MEMORY_AUTH_TOKEN=abc123",
-      "export OWNER_NAME=",
-      "export OWNER_EMAIL=",
+      "# OpenPalm — User Extensions",
+      "# Add any custom environment variables here.",
+      "# These are loaded by compose alongside stack.env.",
       "",
     ].join("\n")
   );
 
   writeFileSync(
-    join(stateDir, "artifacts", "stack.env"),
-    "OPENPALM_SETUP_COMPLETE=false\n"
+    join(vaultDir, "stack", "stack.env"),
+    [
+      "# OpenPalm — Stack Configuration",
+      "OP_ADMIN_TOKEN=",
+      "OP_ASSISTANT_TOKEN=",
+      "OP_MEMORY_TOKEN=",
+      "OPENAI_API_KEY=",
+      "OPENAI_BASE_URL=",
+      "ANTHROPIC_API_KEY=",
+      "GROQ_API_KEY=",
+      "MISTRAL_API_KEY=",
+      "GOOGLE_API_KEY=",
+      "OWNER_NAME=",
+      "OWNER_EMAIL=",
+      "",
+    ].join("\n")
   );
 }
 
@@ -182,47 +181,54 @@ describe("Fresh Install", () => {
 
   afterEach(() => {
     restoreEnv();
-    rmSync(tempBase, { recursive: true, force: true });
+    rmSync(homeDir, { recursive: true, force: true });
   });
 
-  // Scenario 1: ensureSecrets creates secrets.env with all required keys
-  it("ensureSecrets creates secrets.env with MEMORY_AUTH_TOKEN when file does not exist", () => {
+  // Scenario 1: ensureSecrets creates user.env as placeholder and stack.env with required keys
+  it("ensureSecrets creates user.env as placeholder and stack.env with required keys when files do not exist", () => {
     const state: ControlPlaneState = {
       adminToken: "",
+      assistantToken: "",
       setupToken: "",
-      stateDir,
+      homeDir,
       configDir,
+      vaultDir,
       dataDir,
+      logsDir,
+      cacheDir: join(homeDir, "cache"),
       services: {},
-      artifacts: { compose: "", caddyfile: "" },
+      artifacts: { compose: "" },
       artifactMeta: [],
       audit: [],
-      channelSecrets: {},
     };
 
-    // No secrets.env exists yet
-    expect(existsSync(join(configDir, "secrets.env"))).toBe(false);
+    // No user.env exists yet
+    expect(existsSync(join(vaultDir, "user", "user.env"))).toBe(false);
 
     ensureSecrets(state);
 
-    const content = readFileSync(join(configDir, "secrets.env"), "utf-8");
-    expect(content).toContain("MEMORY_AUTH_TOKEN=");
-    // Token should be a non-empty hex string (64 chars for 32 bytes)
-    const match = content.match(/MEMORY_AUTH_TOKEN=([a-f0-9]+)/);
-    expect(match).not.toBeNull();
-    expect(match![1].length).toBe(64);
+    // user.env is now a minimal placeholder
+    const userContent = readFileSync(join(vaultDir, "user", "user.env"), "utf-8");
+    expect(userContent).toContain("User Extensions");
+
+    // API keys and owner info are seeded in stack.env
+    const stackContent = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
+    expect(stackContent).toContain("OPENAI_API_KEY=");
+    expect(stackContent).toContain("OWNER_NAME=");
   });
 
   // Scenario 2: isSetupComplete returns false before setup
-  it("isSetupComplete returns false when stack.env has OPENPALM_SETUP_COMPLETE=false", () => {
+  it("isSetupComplete returns false when stack.env has OP_SETUP_COMPLETE=false", () => {
+    mkdirSync(join(vaultDir, "stack"), { recursive: true });
+    mkdirSync(join(vaultDir, "user"), { recursive: true });
     writeFileSync(
-      join(stateDir, "artifacts", "stack.env"),
-      "OPENPALM_SETUP_COMPLETE=false\n"
+      join(vaultDir, "stack", "stack.env"),
+      "OP_SETUP_COMPLETE=false\n"
     );
-    // Empty secrets.env so fallback check doesn't trigger
-    writeFileSync(join(configDir, "secrets.env"), "");
+    // Empty user.env so fallback check doesn't trigger
+    writeFileSync(join(vaultDir, "user", "user.env"), "");
 
-    expect(isSetupComplete(stateDir, configDir)).toBe(false);
+    expect(isSetupComplete(vaultDir)).toBe(false);
   });
 
   // Scenario 3: performSetup succeeds from completely empty state
@@ -230,20 +236,21 @@ describe("Fresh Install", () => {
     seedMinimalEnvFiles();
 
     const result = await performSetup(
-      makeValidInput(),
-      createStubAssetProvider()
+      makeValidSpec()
     );
 
     expect(result.ok).toBe(true);
   });
 
-  // Scenario 4: isSetupComplete returns true after performSetup
-  it("isSetupComplete returns true after performSetup", async () => {
+  // Scenario 4: performSetup marks setup complete in vault/stack/stack.env
+  it("performSetup marks OP_SETUP_COMPLETE=true in vault stack.env", async () => {
     seedMinimalEnvFiles();
 
-    await performSetup(makeValidInput(), createStubAssetProvider());
+    await performSetup(makeValidSpec());
 
-    expect(isSetupComplete(stateDir, configDir)).toBe(true);
+    const stackEnv = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
+    const parsed = parseEnvContent(stackEnv);
+    expect(parsed.OP_SETUP_COMPLETE).toBe("true");
   });
 });
 
@@ -260,52 +267,56 @@ describe("Existing Install", () => {
 
   afterEach(() => {
     restoreEnv();
-    rmSync(tempBase, { recursive: true, force: true });
+    rmSync(homeDir, { recursive: true, force: true });
   });
 
-  // Scenario 5: ensureSecrets does NOT overwrite existing secrets.env
-  it("ensureSecrets does not overwrite existing secrets.env", () => {
+  // Scenario 5: ensureSecrets does NOT overwrite existing user.env
+  it("ensureSecrets does not overwrite existing user.env", () => {
     const customContent =
-      "export OPENPALM_ADMIN_TOKEN=my-custom-token\nexport MEMORY_AUTH_TOKEN=custom-auth-token\n";
-    writeFileSync(join(configDir, "secrets.env"), customContent);
+      "export OP_ADMIN_TOKEN=my-custom-token\nexport OP_MEMORY_TOKEN=custom-auth-token\n";
+    mkdirSync(join(vaultDir, "user"), { recursive: true });
+    writeFileSync(join(vaultDir, "user", "user.env"), customContent);
 
     const state: ControlPlaneState = {
       adminToken: "",
+      assistantToken: "",
       setupToken: "",
-      stateDir,
+      homeDir,
       configDir,
+      vaultDir,
       dataDir,
+      logsDir,
+      cacheDir: join(homeDir, "cache"),
       services: {},
-      artifacts: { compose: "", caddyfile: "" },
+      artifacts: { compose: "" },
       artifactMeta: [],
       audit: [],
-      channelSecrets: {},
     };
 
     ensureSecrets(state);
 
-    const afterContent = readFileSync(join(configDir, "secrets.env"), "utf-8");
+    const afterContent = readFileSync(join(vaultDir, "user", "user.env"), "utf-8");
     expect(afterContent).toBe(customContent);
   });
 
-  // Scenario 6: performSetup re-run preserves MEMORY_AUTH_TOKEN
-  it("performSetup re-run preserves MEMORY_AUTH_TOKEN from first run", async () => {
+  // Scenario 6: performSetup re-run preserves OP_MEMORY_TOKEN
+  it("performSetup re-run preserves OP_MEMORY_TOKEN from first run", async () => {
     // First setup
-    await performSetup(makeValidInput(), createStubAssetProvider());
+    await performSetup(makeValidSpec());
 
     const secretsAfterFirst = readFileSync(
-      join(configDir, "secrets.env"),
+      join(vaultDir, "stack", "stack.env"),
       "utf-8"
     );
     const firstMatch = secretsAfterFirst.match(
-      /MEMORY_AUTH_TOKEN=([a-f0-9]+)/
+      /OP_MEMORY_TOKEN=([a-f0-9]+)/
     );
     expect(firstMatch).not.toBeNull();
     const firstToken = firstMatch![1];
 
     // Second setup (re-run with different API key)
     await performSetup(
-      makeValidInput({
+      makeValidSpec({
         connections: [
           {
             id: "openai-main",
@@ -315,46 +326,57 @@ describe("Existing Install", () => {
             apiKey: "sk-different-key-999",
           },
         ],
-      }),
-      createStubAssetProvider()
+      })
     );
 
     const secretsAfterSecond = readFileSync(
-      join(configDir, "secrets.env"),
+      join(vaultDir, "stack", "stack.env"),
       "utf-8"
     );
     const secondMatch = secretsAfterSecond.match(
-      /MEMORY_AUTH_TOKEN=([a-f0-9]+)/
+      /OP_MEMORY_TOKEN=([a-f0-9]+)/
     );
     expect(secondMatch).not.toBeNull();
-    // MEMORY_AUTH_TOKEN should be preserved (buildSecretsFromSetup does not overwrite it)
+    // OP_MEMORY_TOKEN should be preserved (buildSystemSecretsFromSetup does not overwrite it)
     expect(secondMatch![1]).toBe(firstToken);
   });
 
-  // Scenario 7: stageStackEnv preserves OPENPALM_SETUP_COMPLETE=true from existing stack.env
-  it("performSetup marks OPENPALM_SETUP_COMPLETE=true in staged stack.env", async () => {
-    await performSetup(makeValidInput(), createStubAssetProvider());
+  // Scenario 7: performSetup marks OP_SETUP_COMPLETE=true in vault/stack/stack.env
+  it("performSetup marks OP_SETUP_COMPLETE=true in vault stack.env", async () => {
+    await performSetup(makeValidSpec());
 
-    const stagedStack = readFileSync(
-      join(stateDir, "artifacts", "stack.env"),
+    const stackEnv = readFileSync(
+      join(vaultDir, "stack", "stack.env"),
       "utf-8"
     );
-    const parsed = parseEnvContent(stagedStack);
-    expect(parsed.OPENPALM_SETUP_COMPLETE).toBe("true");
+    const parsed = parseEnvContent(stackEnv);
+    expect(parsed.OP_SETUP_COMPLETE).toBe("true");
   });
 
-  // Scenario 8: Re-setup with different provider preserves existing connections
-  it("re-setup with different provider writes new connection profiles", async () => {
+  // Scenario 8: Re-setup with different provider updates stack.yml capabilities
+  it("re-setup with different provider updates capabilities in stack.yml", async () => {
     // First setup with OpenAI
-    await performSetup(makeValidInput(), createStubAssetProvider());
+    await performSetup(makeValidSpec());
 
-    const profilesAfterFirst = readConnectionProfilesDocument(configDir);
-    expect(profilesAfterFirst.profiles).toHaveLength(1);
-    expect(profilesAfterFirst.profiles[0].provider).toBe("openai");
+    const specAfterFirst = readStackSpec(configDir);
+    expect(specAfterFirst).not.toBeNull();
+    expect(specAfterFirst!.capabilities.llm).toContain("openai/");
 
     // Second setup with Groq
     await performSetup(
-      makeValidInput({
+      makeValidSpec({
+        capabilities: {
+          llm: "groq/llama3-70b-8192",
+          embeddings: {
+            provider: "groq",
+            model: "text-embedding-3-small",
+            dims: 1536,
+          },
+          memory: {
+            userId: "test_user",
+            customInstructions: "",
+          },
+        },
         connections: [
           {
             id: "groq-main",
@@ -364,24 +386,15 @@ describe("Existing Install", () => {
             apiKey: "gsk-test-key-456",
           },
         ],
-        assignments: {
-          llm: { connectionId: "groq-main", model: "llama3-70b-8192" },
-          embeddings: {
-            connectionId: "groq-main",
-            model: "text-embedding-3-small",
-          },
-        },
-      }),
-      createStubAssetProvider()
+      })
     );
 
-    const profilesAfterSecond = readConnectionProfilesDocument(configDir);
-    // performSetup writes the full document, so second setup replaces profiles
-    expect(profilesAfterSecond.profiles).toHaveLength(1);
-    expect(profilesAfterSecond.profiles[0].provider).toBe("groq");
+    const specAfterSecond = readStackSpec(configDir);
+    expect(specAfterSecond).not.toBeNull();
+    expect(specAfterSecond!.capabilities.llm).toBe("groq/llama3-70b-8192");
 
-    // But secrets.env should retain both keys
-    const secrets = readFileSync(join(configDir, "secrets.env"), "utf-8");
+    // stack.env should retain both keys
+    const secrets = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
     expect(secrets).toContain("GROQ_API_KEY");
   });
 });
@@ -398,34 +411,38 @@ describe("Broken/Corrupt State", () => {
 
   afterEach(() => {
     restoreEnv();
-    rmSync(tempBase, { recursive: true, force: true });
+    rmSync(homeDir, { recursive: true, force: true });
   });
 
-  // Scenario 9: secrets.env exists but is empty
-  it("ensureSecrets returns early for an empty but existing secrets.env", () => {
-    writeFileSync(join(configDir, "secrets.env"), "");
+  // Scenario 9: user.env exists but is empty
+  it("ensureSecrets returns early for an empty but existing user.env", () => {
+    mkdirSync(join(vaultDir, "user"), { recursive: true });
+    writeFileSync(join(vaultDir, "user", "user.env"), "");
 
     const state: ControlPlaneState = {
       adminToken: "",
+      assistantToken: "",
       setupToken: "",
-      stateDir,
+      homeDir,
       configDir,
+      vaultDir,
       dataDir,
+      logsDir,
+      cacheDir: join(homeDir, "cache"),
       services: {},
-      artifacts: { compose: "", caddyfile: "" },
+      artifacts: { compose: "" },
       artifactMeta: [],
       audit: [],
-      channelSecrets: {},
     };
 
     ensureSecrets(state);
 
     // File should still exist and still be empty (ensureSecrets only checks existence)
-    const content = readFileSync(join(configDir, "secrets.env"), "utf-8");
+    const content = readFileSync(join(vaultDir, "user", "user.env"), "utf-8");
     expect(content).toBe("");
   });
 
-  // Scenario 10: secrets.env with malformed lines
+  // Scenario 10: user.env with malformed lines
   it("parseEnvFile handles malformed env lines gracefully", () => {
     const malformedContent = [
       "# Comment line",
@@ -439,43 +456,42 @@ describe("Broken/Corrupt State", () => {
       "  # indented comment",
     ].join("\n");
 
-    writeFileSync(join(configDir, "secrets.env"), malformedContent);
+    mkdirSync(join(vaultDir, "user"), { recursive: true });
+    writeFileSync(join(vaultDir, "user", "user.env"), malformedContent);
 
-    const parsed = parseEnvFile(join(configDir, "secrets.env"));
+    const parsed = parseEnvFile(join(vaultDir, "user", "user.env"));
     expect(parsed.VALID_KEY).toBe("valid_value");
     expect(parsed.EXPORTED_KEY).toBe("exported_value");
     expect(parsed.ANOTHER_VALID).toBe("value");
   });
 
-  // Scenario 11: stack.env missing OPENPALM_SETUP_COMPLETE
-  it("isSetupComplete falls back to token check when OPENPALM_SETUP_COMPLETE missing", () => {
-    // stack.env without OPENPALM_SETUP_COMPLETE
+  // Scenario 11: stack.env missing OP_SETUP_COMPLETE
+  it("isSetupComplete falls back to token check when OP_SETUP_COMPLETE missing", () => {
+    // stack.env without OP_SETUP_COMPLETE
+    mkdirSync(join(vaultDir, "stack"), { recursive: true });
+    mkdirSync(join(vaultDir, "user"), { recursive: true });
     writeFileSync(
-      join(stateDir, "artifacts", "stack.env"),
-      "OPENPALM_IMAGE_TAG=latest\n"
+      join(vaultDir, "stack", "stack.env"),
+      "OP_IMAGE_TAG=latest\n"
     );
 
-    // secrets.env without any token
+    // user.env without any token
     writeFileSync(
-      join(configDir, "secrets.env"),
-      "export OPENPALM_ADMIN_TOKEN=\nexport ADMIN_TOKEN=\n"
+      join(vaultDir, "user", "user.env"),
+      "export OP_ADMIN_TOKEN=\nexport ADMIN_TOKEN=\n"
     );
 
-    expect(isSetupComplete(stateDir, configDir)).toBe(false);
+    expect(isSetupComplete(vaultDir)).toBe(false);
   });
 
-  it("isSetupComplete falls back to true when admin token is set but OPENPALM_SETUP_COMPLETE missing", () => {
-    writeFileSync(
-      join(stateDir, "artifacts", "stack.env"),
-      "OPENPALM_IMAGE_TAG=latest\n"
-    );
-
+  it("isSetupComplete falls back to true when admin token is set but OP_SETUP_COMPLETE missing", () => {
+    mkdirSync(join(vaultDir, "stack"), { recursive: true });
     writeFileSync(
-      join(configDir, "secrets.env"),
-      "export OPENPALM_ADMIN_TOKEN=my-real-token\n"
+      join(vaultDir, "stack", "stack.env"),
+      "OP_IMAGE_TAG=latest\nexport OP_ADMIN_TOKEN=my-real-token\n"
     );
 
-    expect(isSetupComplete(stateDir, configDir)).toBe(true);
+    expect(isSetupComplete(vaultDir)).toBe(true);
   });
 
   // Scenario 12: API key with special characters round-trips
@@ -494,57 +510,38 @@ describe("Broken/Corrupt State", () => {
     }
   });
 
-  // Scenario 13: Corrupt profiles.json
-  it("readConnectionProfilesDocument throws on corrupt JSON", () => {
-    writeFileSync(
-      join(configDir, "connections", "profiles.json"),
-      "NOT VALID JSON {{{{"
-    );
-
-    expect(() => readConnectionProfilesDocument(configDir)).toThrow(
-      "invalid JSON"
-    );
-  });
-
-  it("readConnectionProfilesDocument throws on valid JSON but wrong structure", () => {
-    writeFileSync(
-      join(configDir, "connections", "profiles.json"),
-      JSON.stringify({ version: 1, profiles: [], assignments: {} })
-    );
-
-    expect(() => readConnectionProfilesDocument(configDir)).toThrow(
-      "invalid"
-    );
+  // Scenario 13: Missing stack.yml returns null
+  it("readStackSpec returns null when stack.yml missing", () => {
+    const spec = readStackSpec(configDir);
+    expect(spec).toBeNull();
   });
 
-  // Scenario 14: CONFIG_HOME exists but STATE_HOME/automations doesn't
-  it("performSetup creates missing STATE_HOME subdirectories", async () => {
-    // Seed the minimal env files first (needs artifacts dir to exist)
+  // Scenario 14: config dir exists but automations dir doesn't
+  it("performSetup creates missing subdirectories", async () => {
+    // Seed the minimal env files first
     seedMinimalEnvFiles();
 
     // Remove automations dir (performSetup should recreate it)
-    rmSync(join(stateDir, "automations"), { recursive: true, force: true });
+    rmSync(join(configDir, "automations"), { recursive: true, force: true });
 
     const result = await performSetup(
-      makeValidInput(),
-      createStubAssetProvider()
+      makeValidSpec()
     );
     expect(result.ok).toBe(true);
 
-    // Artifacts should exist
-    expect(existsSync(join(stateDir, "artifacts", "docker-compose.yml"))).toBe(
+    // Artifacts should exist in stack/ (not config/components/)
+    expect(existsSync(join(homeDir, "stack", "core.compose.yml"))).toBe(
       true
     );
-    expect(existsSync(join(stateDir, "artifacts", "Caddyfile"))).toBe(true);
     // Automations dir should be recreated
-    expect(existsSync(join(stateDir, "automations"))).toBe(true);
+    expect(existsSync(join(configDir, "automations"))).toBe(true);
   });
 
   // Scenario 15: openpalm.yaml with old version
-  it("readStackSpec returns null for version 2 spec", () => {
+  it("readStackSpec returns null for version 1 spec", () => {
     writeFileSync(
       join(configDir, STACK_SPEC_FILENAME),
-      "version: 2\nservices: []\n"
+      "version: 1\nconnections: []\n"
     );
 
     const spec = readStackSpec(configDir);
@@ -564,26 +561,18 @@ describe("Environment Edge Cases", () => {
 
   afterEach(() => {
     restoreEnv();
-    rmSync(tempBase, { recursive: true, force: true });
+    rmSync(homeDir, { recursive: true, force: true });
   });
 
-  // Scenario 16: Commented-out ADMIN_TOKEN but OPENPALM_ADMIN_TOKEN set
-  it("isSetupComplete detects OPENPALM_ADMIN_TOKEN when ADMIN_TOKEN is commented out", () => {
-    writeFileSync(
-      join(stateDir, "artifacts", "stack.env"),
-      "SOME_OTHER_KEY=value\n"
-    );
-
+  // Scenario 16: Commented-out ADMIN_TOKEN but OP_ADMIN_TOKEN set
+  it("isSetupComplete detects OP_ADMIN_TOKEN when ADMIN_TOKEN is commented out", () => {
+    mkdirSync(join(vaultDir, "stack"), { recursive: true });
     writeFileSync(
-      join(configDir, "secrets.env"),
-      [
-        "export OPENPALM_ADMIN_TOKEN=real-token-here",
-        "# export ADMIN_TOKEN=",
-        "",
-      ].join("\n")
+      join(vaultDir, "stack", "stack.env"),
+      "SOME_OTHER_KEY=value\nexport OP_ADMIN_TOKEN=real-token-here\n"
     );
 
-    expect(isSetupComplete(stateDir, configDir)).toBe(true);
+    expect(isSetupComplete(vaultDir)).toBe(true);
   });
 
   // Scenario 17: export prefix on env vars
@@ -636,13 +625,24 @@ describe("Setup Input Variations", () => {
 
   afterEach(() => {
     restoreEnv();
-    rmSync(tempBase, { recursive: true, force: true });
+    rmSync(homeDir, { recursive: true, force: true });
   });
 
   // Scenario 20: Ollama in-stack setup
   it("Ollama in-stack setup overrides localhost URL to docker-internal", async () => {
-    const input = makeValidInput({
-      ollamaEnabled: true,
+    const input = makeValidSpec({
+      capabilities: {
+        llm: "ollama/llama3.2",
+        embeddings: {
+          provider: "ollama",
+          model: "nomic-embed-text",
+          dims: 768,
+        },
+        memory: {
+          userId: "test_user",
+          customInstructions: "",
+        },
+      },
       connections: [
         {
           id: "ollama-local",
@@ -652,135 +652,53 @@ describe("Setup Input Variations", () => {
           apiKey: "",
         },
       ],
-      assignments: {
-        llm: { connectionId: "ollama-local", model: "llama3.2" },
-        embeddings: {
-          connectionId: "ollama-local",
-          model: "nomic-embed-text",
-        },
-      },
     });
 
-    const result = await performSetup(input, createStubAssetProvider());
+    const result = await performSetup(input);
     expect(result.ok).toBe(true);
 
-    // Connection profiles should use the in-stack URL
-    const doc = readConnectionProfilesDocument(configDir);
-    expect(doc.profiles[0].baseUrl).toBe("http://ollama:11434");
-
-    // secrets.env should have in-stack URL
-    const secrets = parseEnvFile(join(configDir, "secrets.env"));
-    expect(secrets.SYSTEM_LLM_BASE_URL).toBe("http://ollama:11434");
-    expect(secrets.OPENAI_BASE_URL).toBe("http://ollama:11434/v1");
+    // stack.yml should have ollama capabilities
+    const spec = readStackSpec(configDir);
+    expect(spec).not.toBeNull();
+    expect(spec!.capabilities.llm).toBe("ollama/llama3.2");
   });
 
-  // Scenario 21: Multiple providers each get own env var key
-  it("multiple providers each get their own env var key (no collision)", () => {
-    const connections: SetupConnection[] = [
-      {
-        id: "openai-1",
-        name: "OpenAI",
-        provider: "openai",
-        baseUrl: "",
-        apiKey: "sk-openai",
-      },
-      {
-        id: "groq-1",
-        name: "Groq",
-        provider: "groq",
-        baseUrl: "",
-        apiKey: "gsk-groq",
-      },
-      {
-        id: "anthropic-1",
-        name: "Anthropic",
-        provider: "anthropic",
-        baseUrl: "",
-        apiKey: "sk-ant-api03",
-      },
+  // Scenario 21: Multiple providers map to correct env vars
+  it("multiple providers each write their API key to the correct env var", () => {
+    const conns: SetupConnection[] = [
+      { id: "openai-1", name: "OpenAI", provider: "openai", baseUrl: "", apiKey: "sk-openai" },
+      { id: "groq-1", name: "Groq", provider: "groq", baseUrl: "", apiKey: "gsk-groq" },
+      { id: "anthropic-1", name: "Anthropic", provider: "anthropic", baseUrl: "", apiKey: "sk-ant-api03" },
     ];
-
-    const map = buildConnectionEnvVarMap(connections);
-    expect(map.get("openai-1")).toBe("OPENAI_API_KEY");
-    expect(map.get("groq-1")).toBe("GROQ_API_KEY");
-    expect(map.get("anthropic-1")).toBe("ANTHROPIC_API_KEY");
+    const secrets = buildSecretsFromSetup(conns);
+    expect(secrets.OPENAI_API_KEY).toBe("sk-openai");
+    expect(secrets.GROQ_API_KEY).toBe("gsk-groq");
+    expect(secrets.ANTHROPIC_API_KEY).toBe("sk-ant-api03");
   });
 
-  // Scenario 22: Provider URL already ending in /v1
-  it("provider URL already ending in /v1 does not get double /v1/v1", () => {
-    const secrets = buildSecretsFromSetup(
-      makeValidInput({
-        connections: [
-          {
-            id: "openai-compat",
-            name: "OpenAI Compatible",
-            provider: "openai",
-            baseUrl: "https://example.com/v1",
-            apiKey: "sk-test",
-          },
-        ],
-        assignments: {
-          llm: { connectionId: "openai-compat", model: "gpt-4o" },
-          embeddings: {
-            connectionId: "openai-compat",
-            model: "text-embedding-3-small",
-          },
-        },
-      })
-    );
-
-    expect(secrets.OPENAI_BASE_URL).toBe("https://example.com/v1");
-    expect(secrets.OPENAI_BASE_URL).not.toContain("/v1/v1");
+  // Scenario 21b: OAuth providers (no API key) are silently skipped
+  it("skips connections without API keys (OAuth providers)", () => {
+    const conns: SetupConnection[] = [
+      { id: "github-copilot", name: "GitHub Copilot", provider: "github-copilot", baseUrl: "", apiKey: "" },
+      { id: "openai-1", name: "OpenAI", provider: "openai", baseUrl: "", apiKey: "sk-test" },
+    ];
+    const secrets = buildSecretsFromSetup(conns);
+    expect(secrets.OPENAI_API_KEY).toBe("sk-test");
+    expect(Object.keys(secrets)).not.toContain("GITHUB_COPILOT_API_KEY");
   });
 
-  it("provider URL without /v1 gets /v1 appended to OPENAI_BASE_URL", () => {
-    const secrets = buildSecretsFromSetup(
-      makeValidInput({
-        connections: [
-          {
-            id: "openai-main",
-            name: "OpenAI",
-            provider: "openai",
-            baseUrl: "https://api.openai.com",
-            apiKey: "sk-test",
-          },
-        ],
-        assignments: {
-          llm: { connectionId: "openai-main", model: "gpt-4o" },
-          embeddings: {
-            connectionId: "openai-main",
-            model: "text-embedding-3-small",
-          },
-        },
-      })
-    );
+  // Scenario 22: buildSecretsFromSetup only writes API keys and owner info
+  it("buildSecretsFromSetup writes API keys but not config vars", () => {
+    const spec = makeValidSpec();
+    const secrets = buildSecretsFromSetup(spec.connections, spec.owner);
 
-    expect(secrets.OPENAI_BASE_URL).toBe("https://api.openai.com/v1");
-  });
-
-  it("provider URL with trailing slash normalizes correctly", () => {
-    const secrets = buildSecretsFromSetup(
-      makeValidInput({
-        connections: [
-          {
-            id: "openai-main",
-            name: "OpenAI",
-            provider: "openai",
-            baseUrl: "https://api.openai.com/",
-            apiKey: "sk-test",
-          },
-        ],
-        assignments: {
-          llm: { connectionId: "openai-main", model: "gpt-4o" },
-          embeddings: {
-            connectionId: "openai-main",
-            model: "text-embedding-3-small",
-          },
-        },
-      })
-    );
-
-    expect(secrets.OPENAI_BASE_URL).toBe("https://api.openai.com/v1");
+    // API key should be written
+    expect(secrets.OPENAI_API_KEY).toBe("sk-test-key-123");
+    // Config vars should NOT be in user.env anymore
+    expect(secrets.SYSTEM_LLM_PROVIDER).toBeUndefined();
+    expect(secrets.SYSTEM_LLM_MODEL).toBeUndefined();
+    expect(secrets.EMBEDDING_MODEL).toBeUndefined();
+    expect(secrets.EMBEDDING_DIMS).toBeUndefined();
   });
 });
 
@@ -797,22 +715,33 @@ describe("performSetup end-to-end artifacts", () => {
 
   afterEach(() => {
     restoreEnv();
-    rmSync(tempBase, { recursive: true, force: true });
+    rmSync(homeDir, { recursive: true, force: true });
   });
 
-  it("writes openpalm.yaml with version 3", async () => {
-    await performSetup(makeValidInput(), createStubAssetProvider());
+  it("writes stack.yml and readStackSpec returns v2", async () => {
+    await performSetup(makeValidSpec());
 
     const spec = readStackSpec(configDir);
     expect(spec).not.toBeNull();
-    expect(spec!.version).toBe(3);
-    expect(spec!.connections).toHaveLength(1);
-    expect(spec!.assignments.llm.model).toBe("gpt-4o");
-    expect(spec!.ollamaEnabled).toBe(false);
+    expect(spec!.version).toBe(2);
+    expect(spec!.capabilities.llm).toBe("openai/gpt-4o");
+    expect(spec!.capabilities.embeddings.model).toBe("text-embedding-3-small");
   });
 
-  it("writes memory config with correct embedding dims from lookup", async () => {
-    const input = makeValidInput({
+  it("writes OP_CAP_EMBEDDINGS_DIMS with correct embedding dims from lookup", async () => {
+    const input = makeValidSpec({
+      capabilities: {
+        llm: "ollama/llama3.2",
+        embeddings: {
+          provider: "ollama",
+          model: "nomic-embed-text",
+          dims: 0, // Resolved from lookup
+        },
+        memory: {
+          userId: "test_user",
+          customInstructions: "",
+        },
+      },
       connections: [
         {
           id: "ollama-1",
@@ -822,54 +751,39 @@ describe("performSetup end-to-end artifacts", () => {
           apiKey: "",
         },
       ],
-      assignments: {
-        llm: { connectionId: "ollama-1", model: "llama3.2" },
-        embeddings: {
-          connectionId: "ollama-1",
-          model: "nomic-embed-text",
-        },
-      },
     });
 
-    await performSetup(input, createStubAssetProvider());
+    await performSetup(input);
 
-    const memConfig = JSON.parse(
-      readFileSync(join(dataDir, "memory", "default_config.json"), "utf-8")
-    );
-    // nomic-embed-text is 768 dims per EMBEDDING_DIMS constant
-    expect(memConfig.mem0.vector_store.config.embedding_model_dims).toBe(768);
+    // nomic-embed-text is 768 dims per EMBEDDING_DIMS constant — verify via stack.env
+    const stackEnvContent = readFileSync(join(vaultDir, "stack", "stack.env"), "utf-8");
+    expect(stackEnvContent).toContain("OP_CAP_EMBEDDINGS_DIMS=768");
   });
 
-  it("writes docker-compose.yml and Caddyfile to STATE_HOME/artifacts", async () => {
-    await performSetup(makeValidInput(), createStubAssetProvider());
+  it("writes core.compose.yml to stack/", async () => {
+    await performSetup(makeValidSpec());
 
     expect(
-      existsSync(join(stateDir, "artifacts", "docker-compose.yml"))
+      existsSync(join(homeDir, "stack", "core.compose.yml"))
     ).toBe(true);
-    expect(existsSync(join(stateDir, "artifacts", "Caddyfile"))).toBe(true);
-    expect(existsSync(join(stateDir, "artifacts", "manifest.json"))).toBe(
-      true
-    );
   });
 
-  it("writes secrets.env with correct admin token to both OPENPALM_ADMIN_TOKEN and ADMIN_TOKEN", async () => {
-    await performSetup(makeValidInput(), createStubAssetProvider());
+  it("writes admin and assistant tokens to stack.env", async () => {
+    await performSetup(makeValidSpec());
 
-    const secrets = parseEnvFile(join(configDir, "secrets.env"));
-    expect(secrets.OPENPALM_ADMIN_TOKEN).toBe("test-admin-token-12345");
-    expect(secrets.ADMIN_TOKEN).toBe("test-admin-token-12345");
+    const secrets = parseEnvFile(join(vaultDir, "stack", "stack.env"));
+    expect(secrets.OP_ADMIN_TOKEN).toBe("test-admin-token-12345");
+    expect(typeof secrets.OP_ASSISTANT_TOKEN).toBe("string");
+    expect(secrets.OP_ASSISTANT_TOKEN).not.toBe("test-admin-token-12345");
   });
 
-  it("creates connection profiles document with correct assignments", async () => {
-    await performSetup(makeValidInput(), createStubAssetProvider());
+  it("writes OP_CAP_* vars from capabilities to stack.env", async () => {
+    await performSetup(makeValidSpec());
 
-    const doc = readConnectionProfilesDocument(configDir);
-    expect(doc.version).toBe(1);
-    expect(doc.profiles).toHaveLength(1);
-    expect(doc.profiles[0].id).toBe("openai-main");
-    expect(doc.profiles[0].provider).toBe("openai");
-    expect(doc.assignments.llm.model).toBe("gpt-4o");
-    expect(doc.assignments.embeddings.model).toBe("text-embedding-3-small");
+    const stackEnv = parseEnvFile(join(vaultDir, "stack", "stack.env"));
+    expect(stackEnv.OP_CAP_LLM_PROVIDER).toBe("openai");
+    expect(stackEnv.OP_CAP_LLM_MODEL).toBe("gpt-4o");
+    expect(stackEnv.OP_CAP_EMBEDDINGS_MODEL).toBe("text-embedding-3-small");
   });
 });
 
@@ -894,321 +808,4 @@ describe("mergeEnvContent edge cases", () => {
     const parsed = parseEnvContent(result);
     expect(parsed.FOO).toBe("new");
   });
-
-  it("appends new keys to the end when they do not exist", () => {
-    const original = "EXISTING=value\n";
-    const result = mergeEnvContent(original, { NEW_KEY: "new_value" });
-    const parsed = parseEnvContent(result);
-    expect(parsed.EXISTING).toBe("value");
-    expect(parsed.NEW_KEY).toBe("new_value");
-  });
-
-  it("uncomment option replaces commented-out keys", () => {
-    const original = "# export ADMIN_TOKEN=old_value\n";
-    const result = mergeEnvContent(
-      original,
-      { ADMIN_TOKEN: "new_value" },
-      { uncomment: true }
-    );
-    const parsed = parseEnvContent(result);
-    expect(parsed.ADMIN_TOKEN).toBe("new_value");
-  });
-
-  it("handles empty content gracefully", () => {
-    const result = mergeEnvContent("", { KEY: "value" });
-    const parsed = parseEnvContent(result);
-    expect(parsed.KEY).toBe("value");
-  });
-
-  it("handles content with only comments", () => {
-    const original = "# comment\n# another comment\n";
-    const result = mergeEnvContent(original, { KEY: "value" });
-    const parsed = parseEnvContent(result);
-    expect(parsed.KEY).toBe("value");
-  });
-});
-
-// =====================================================================
-// parseEnvFile / parseEnvContent EDGE CASES
-// =====================================================================
-
-describe("parseEnvFile edge cases", () => {
-  beforeEach(() => {
-    createFullDirTree();
-  });
-
-  afterEach(() => {
-    rmSync(tempBase, { recursive: true, force: true });
-  });
-
-  it("returns empty object for nonexistent file", () => {
-    const result = parseEnvFile(join(configDir, "nonexistent.env"));
-    expect(result).toEqual({});
-  });
-
-  it("returns empty object for empty file", () => {
-    writeFileSync(join(configDir, "empty.env"), "");
-    const result = parseEnvFile(join(configDir, "empty.env"));
-    expect(result).toEqual({});
-  });
-
-  it("handles single-quoted values", () => {
-    writeFileSync(
-      join(configDir, "quoted.env"),
-      "KEY='value with spaces'\n"
-    );
-    const result = parseEnvFile(join(configDir, "quoted.env"));
-    expect(result.KEY).toBe("value with spaces");
-  });
-
-  it("handles double-quoted values", () => {
-    writeFileSync(
-      join(configDir, "quoted.env"),
-      'KEY="value with spaces"\n'
-    );
-    const result = parseEnvFile(join(configDir, "quoted.env"));
-    expect(result.KEY).toBe("value with spaces");
-  });
-
-  it("handles values with inline comments when unquoted", () => {
-    // dotenv spec: unquoted values with # are treated as comments
-    writeFileSync(
-      join(configDir, "comment.env"),
-      "KEY=value # this is a comment\n"
-    );
-    const result = parseEnvFile(join(configDir, "comment.env"));
-    // dotenv library trims at the # for unquoted values
-    expect(result.KEY).toBe("value");
-  });
-});
-
-// =====================================================================
-// loadSecretsEnvFile EDGE CASES
-// =====================================================================
-
-describe("loadSecretsEnvFile edge cases", () => {
-  beforeEach(() => {
-    createFullDirTree();
-    saveAndSetEnv();
-  });
-
-  afterEach(() => {
-    restoreEnv();
-    rmSync(tempBase, { recursive: true, force: true });
-  });
-
-  it("returns empty object when secrets.env does not exist", () => {
-    const result = loadSecretsEnvFile(configDir);
-    expect(result).toEqual({});
-  });
-
-  it("filters out keys not matching uppercase alphanumeric pattern", () => {
-    writeFileSync(
-      join(configDir, "secrets.env"),
-      [
-        "VALID_KEY=valid",
-        "another_key=lowercase", // lowercase keys are filtered out
-        "ALSO_VALID=yes",
-        "123_STARTS_NUM=num", // starts with number but matches pattern
-        "",
-      ].join("\n")
-    );
-
-    const result = loadSecretsEnvFile(configDir);
-    expect(result.VALID_KEY).toBe("valid");
-    expect(result.ALSO_VALID).toBe("yes");
-    // The regex /^[A-Z0-9_]+$/ does match 123_STARTS_NUM
-    expect(result["123_STARTS_NUM"]).toBe("num");
-    // Lowercase key does not match the filter
-    expect(result.another_key).toBeUndefined();
-  });
-});
-
-// =====================================================================
-// isSetupComplete EDGE CASES
-// =====================================================================
-
-describe("isSetupComplete edge cases", () => {
-  beforeEach(() => {
-    createFullDirTree();
-    saveAndSetEnv();
-  });
-
-  afterEach(() => {
-    restoreEnv();
-    rmSync(tempBase, { recursive: true, force: true });
-  });
-
-  it("returns false when stack.env does not exist and no admin token", () => {
-    // No stack.env and no secrets.env
-    rmSync(join(stateDir, "artifacts", "stack.env"), { force: true });
-
-    expect(isSetupComplete(stateDir, configDir)).toBe(false);
-  });
-
-  it("returns true for OPENPALM_SETUP_COMPLETE=TRUE (case insensitive)", () => {
-    writeFileSync(
-      join(stateDir, "artifacts", "stack.env"),
-      "OPENPALM_SETUP_COMPLETE=TRUE\n"
-    );
-
-    expect(isSetupComplete(stateDir, configDir)).toBe(true);
-  });
-
-  it("returns true for OPENPALM_SETUP_COMPLETE=True (mixed case)", () => {
-    writeFileSync(
-      join(stateDir, "artifacts", "stack.env"),
-      "OPENPALM_SETUP_COMPLETE=True\n"
-    );
-
-    expect(isSetupComplete(stateDir, configDir)).toBe(true);
-  });
-
-  it("returns false for OPENPALM_SETUP_COMPLETE=false", () => {
-    writeFileSync(
-      join(stateDir, "artifacts", "stack.env"),
-      "OPENPALM_SETUP_COMPLETE=false\n"
-    );
-    writeFileSync(join(configDir, "secrets.env"), "");
-
-    expect(isSetupComplete(stateDir, configDir)).toBe(false);
-  });
-
-  it("falls back to ADMIN_TOKEN presence when OPENPALM_SETUP_COMPLETE not in stack.env", () => {
-    writeFileSync(
-      join(stateDir, "artifacts", "stack.env"),
-      "OPENPALM_IMAGE_TAG=latest\n"
-    );
-    writeFileSync(
-      join(configDir, "secrets.env"),
-      "export ADMIN_TOKEN=my-admin-token\n"
-    );
-
-    expect(isSetupComplete(stateDir, configDir)).toBe(true);
-  });
-});
-
-// =====================================================================
-// buildSecretsFromSetup EDGE CASES
-// =====================================================================
-
-describe("buildSecretsFromSetup edge cases", () => {
-  it("sanitizes owner name with control characters", () => {
-    const input = makeValidInput({ ownerName: "Test\nUser\r\0" });
-    const secrets = buildSecretsFromSetup(input);
-    expect(secrets.OWNER_NAME).toBe("TestUser");
-  });
-
-  it("omits empty owner name and email", () => {
-    const input = makeValidInput({ ownerName: "", ownerEmail: "" });
-    const secrets = buildSecretsFromSetup(input);
-    expect(secrets.OWNER_NAME).toBeUndefined();
-    expect(secrets.OWNER_EMAIL).toBeUndefined();
-  });
-
-  it("defaults memoryUserId to default_user when empty", () => {
-    const input = makeValidInput({ memoryUserId: "" });
-    const secrets = buildSecretsFromSetup(input);
-    expect(secrets.MEMORY_USER_ID).toBe("default_user");
-  });
-
-  it("sets SYSTEM_LLM_PROVIDER correctly for each provider", () => {
-    for (const provider of ["openai", "groq", "anthropic"] as const) {
-      const envKey =
-        provider === "openai"
-          ? "OPENAI_API_KEY"
-          : provider === "groq"
-            ? "GROQ_API_KEY"
-            : "ANTHROPIC_API_KEY";
-
-      const input = makeValidInput({
-        connections: [
-          {
-            id: `${provider}-1`,
-            name: provider,
-            provider,
-            baseUrl: "https://api.example.com",
-            apiKey: "sk-test",
-          },
-        ],
-        assignments: {
-          llm: { connectionId: `${provider}-1`, model: "test-model" },
-          embeddings: {
-            connectionId: `${provider}-1`,
-            model: "embed-model",
-          },
-        },
-      });
-      const secrets = buildSecretsFromSetup(input);
-      expect(secrets.SYSTEM_LLM_PROVIDER).toBe(provider);
-      expect(secrets[envKey]).toBe("sk-test");
-    }
-  });
-});
-
-// =====================================================================
-// buildConnectionEnvVarMap EDGE CASES
-// =====================================================================
-
-describe("buildConnectionEnvVarMap edge cases", () => {
-  it("handles a single Ollama connection (fallback to OPENAI_API_KEY)", () => {
-    const connections: SetupConnection[] = [
-      {
-        id: "ollama-1",
-        name: "Ollama",
-        provider: "ollama",
-        baseUrl: "http://localhost:11434",
-        apiKey: "",
-      },
-    ];
-    const map = buildConnectionEnvVarMap(connections);
-    expect(map.get("ollama-1")).toBe("OPENAI_API_KEY");
-  });
-
-  it("skips connections with unsafe env var keys (hyphen creates invalid key)", () => {
-    const connections: SetupConnection[] = [
-      {
-        id: "openai-1",
-        name: "OpenAI",
-        provider: "openai",
-        baseUrl: "",
-        apiKey: "sk-a",
-      },
-      {
-        id: "openai-2",
-        name: "OpenAI 2",
-        provider: "openai",
-        baseUrl: "",
-        apiKey: "sk-b",
-      },
-    ];
-    const map = buildConnectionEnvVarMap(connections);
-    // First gets canonical key
-    expect(map.get("openai-1")).toBe("OPENAI_API_KEY");
-    // Second would be OPENAI_API_KEY_OPENAI-2, which has a hyphen -> skipped
-    expect(map.has("openai-2")).toBe(false);
-  });
-
-  it("namespaces duplicate provider env vars with underscore IDs", () => {
-    const connections: SetupConnection[] = [
-      {
-        id: "openai_1",
-        name: "OpenAI 1",
-        provider: "openai",
-        baseUrl: "",
-        apiKey: "sk-a",
-      },
-      {
-        id: "openai_2",
-        name: "OpenAI 2",
-        provider: "openai",
-        baseUrl: "",
-        apiKey: "sk-b",
-      },
-    ];
-    const map = buildConnectionEnvVarMap(connections);
-    expect(map.get("openai_1")).toBe("OPENAI_API_KEY");
-    // openai_2 -> OPENAI_API_KEY_OPENAI_2 which is a safe key
-    expect(map.get("openai_2")).toBe("OPENAI_API_KEY_OPENAI_2");
-  });
 });