openpalm 0.10.2 → 0.11.0-beta.2

package/src/lib/browser.ts

@@ -0,0 +1,20 @@
+/**
+ * Opens a URL in the user's default browser. Best-effort, never throws.
+ */
+export async function openBrowser(url: string): Promise<void> {
+  console.log(`Opening ${url} in your browser...`);
+  const platform = process.platform;
+  try {
+    if (platform === 'darwin') {
+      Bun.spawn(['open', url], { stdout: 'ignore', stderr: 'ignore' });
+      return;
+    }
+    if (platform === 'win32') {
+      Bun.spawn(['cmd', '/c', 'start', url], { stdout: 'ignore', stderr: 'ignore' });
+      return;
+    }
+    Bun.spawn(['xdg-open', url], { stdout: 'ignore', stderr: 'ignore' });
+  } catch {
+    // Best effort
+  }
+}

package/src/lib/cli-compose.ts

@@ -5,7 +5,6 @@
  * CLI argument construction, and preflight checks.
  */
 import {
-  buildManagedServices,
   buildComposeCliArgs,
   buildComposeOptions,
   composePreflight,
@@ -14,23 +13,6 @@ import {
 import type { ControlPlaneState } from '@openpalm/lib';
 import { runDockerCompose } from './docker.ts';
 
-/**
- * Build the full list of docker compose CLI arguments for a given state.
- *
- * Returns: ['--project-name', 'openpalm', '-f', '...', '--env-file', '...']
- */
-export function fullComposeArgs(state: ControlPlaneState): string[] {
-  return buildComposeCliArgs(state);
-}
-
-/**
- * Build the list of managed service names (used for targeted `up` commands).
- * Uses compose-derived discovery when Docker is available.
- */
-export async function buildManagedServiceNames(state: ControlPlaneState): Promise<string[]> {
-  return buildManagedServices(state);
-}
-
 /**
  * Run a compose command that does NOT mutate state (e.g. logs, ps, status).
  * Skips preflight validation since these commands are read-only.
@@ -39,7 +21,7 @@ export async function runComposeReadOnly(
   state: ControlPlaneState,
   composeSubArgs: string[],
 ): Promise<void> {
-  const composeArgs = fullComposeArgs(state);
+  const composeArgs = buildComposeCliArgs(state);
   await runDockerCompose([...composeArgs, ...composeSubArgs]);
 }
 
@@ -73,6 +55,6 @@ export async function runComposeWithPreflight(
     }
   }
 
-  const composeArgs = fullComposeArgs(state);
+  const composeArgs = buildComposeCliArgs(state);
   await runDockerCompose([...composeArgs, ...composeSubArgs]);
 }

package/src/lib/cli-state.ts

@@ -17,7 +17,7 @@ import type { ControlPlaneState } from '@openpalm/lib';
  * Does NOT persist to disk — persistence happens inside runComposeWithPreflight()
  * after compose preflight validation, ensuring no mutation before validation.
  *
- * Returns a ControlPlaneState usable with fullComposeArgs().
+ * Returns a ControlPlaneState usable with buildComposeCliArgs().
  */
 export function ensureValidState(): ControlPlaneState {
   const state = createState();

package/src/lib/docker.ts

@@ -1,94 +1,13 @@
-import { mkdir, rm, writeFile } from 'node:fs/promises';
-import { join, dirname, relative } from 'node:path';
-import { resolveCacheHome } from '@openpalm/lib';
-
-const REPO_OWNER = 'itlackey';
-const REPO_NAME = 'openpalm';
-
-/**
- * Creates the full directory tree required by the stack.
- * Uses the caller-provided directory roots, then adds CLI-specific extras.
- */
-export async function ensureDirectoryTree(
-  homeDir: string,
-  configDir: string,
-  vaultDir: string,
-  dataDir: string,
-  workDir: string,
-): Promise<void> {
-  const cacheDir = resolveCacheHome();
-
-  for (const dir of [
-    homeDir,
-    configDir,
-    join(configDir, 'automations'),
-    join(configDir, 'assistant'),
-    join(configDir, 'assistant', 'tools'),
-    join(configDir, 'assistant', 'plugins'),
-    join(configDir, 'assistant', 'skills'),
-    join(configDir, 'guardian'),
-    vaultDir,
-    join(vaultDir, 'user'),
-    join(vaultDir, 'stack'),
-    join(vaultDir, 'stack', 'addons'),
-    dataDir,
-    join(dataDir, 'assistant'),
-    join(dataDir, 'admin'),
-    join(dataDir, 'memory'),
-    join(dataDir, 'guardian'),
-    join(dataDir, 'stash'),
-    join(homeDir, 'stack'),
-    join(homeDir, 'stack', 'addons'),
-    join(homeDir, 'registry'),
-    join(homeDir, 'registry', 'addons'),
-    join(homeDir, 'registry', 'automations'),
-    join(homeDir, 'backups'),
-    join(homeDir, 'logs'),
-    join(homeDir, 'logs', 'opencode'),
-    cacheDir,
-    join(cacheDir, 'rollback'),
-    workDir,
-  ]) {
-    await mkdir(dir, { recursive: true });
-  }
-}
-
-/**
- * Fetches a URL with retries and exponential backoff. Only retries on 5xx or network errors.
- */
-async function fetchWithRetry(url: string, retries = 3): Promise<Response> {
-  for (let i = 0; i < retries; i++) {
-    try {
-      const res = await fetch(url, { signal: AbortSignal.timeout(30000) });
-      if (res.ok || res.status < 500) return res;
-      if (i < retries - 1) await Bun.sleep(200 * 2 ** i);
-    } catch (err) {
-      if (i === retries - 1) throw err;
-      await Bun.sleep(200 * 2 ** i);
-    }
-  }
-  throw new Error(`Failed to fetch ${url} after ${retries} attempts`);
-}
-
 /**
- * Downloads an asset from a GitHub release, falling back to raw.githubusercontent.com.
+ * Thin wrappers around `docker compose` invocations used by the CLI.
+ *
+ * Both spawn `docker compose` directly via `Bun.spawn` (no shell). The
+ * inherit-stdio variant is used for interactive operations (logs, ps);
+ * the capture variant returns stdout for parsing (e.g. `ps --format json`).
+ *
+ * Compose file/env-file resolution lives in `@openpalm/lib`'s
+ * `buildComposeCliArgs` — callers prepend that result before sub-args.
  */
-export async function fetchAsset(repoRef: string, filename: string): Promise<string> {
-  const releaseUrl = `https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/download/${repoRef}/${filename}`;
-  const rawUrl = `https://raw.githubusercontent.com/${REPO_OWNER}/${REPO_NAME}/${repoRef}/${filename}`;
-
-  try {
-    const releaseResponse = await fetchWithRetry(releaseUrl);
-    if (releaseResponse.ok) return await releaseResponse.text();
-  } catch {
-    // Fall through to raw URL
-  }
-
-  const rawResponse = await fetchWithRetry(rawUrl);
-  if (rawResponse.ok) return await rawResponse.text();
-
-  throw new Error(`Failed to download ${filename} from ${repoRef}`);
-}
 
 /**
  * Runs a `docker compose` command with inherited stdio. Throws on non-zero exit.
@@ -122,128 +41,3 @@ export async function runDockerComposeCapture(args: string[]): Promise<string> {
   }
   return output;
 }
-
-// composeProjectArgs() removed — use fullComposeArgs(state) from cli-compose.ts instead.
-// That function builds the correct file list including channel overlays and env files.
-
-// ensureOpenCodeConfig and ensureOpenCodeSystemConfig are imported from @openpalm/lib.
-// See packages/lib/src/control-plane/secrets.ts and core-assets.ts.
-
-/**
- * Downloads the .openpalm/ directory from GitHub and seeds it into homeDir.
- *
- * Mapping:
- *   .openpalm/stack/core.compose.yml → homeDir/stack/core.compose.yml
- *   .openpalm/registry/              → homeDir/registry/
- *   .openpalm/vault/   → homeDir/vault/   (schemas only)
- *
- * Also seeds assistant config files from core/assistant/opencode/.
- */
-/**
- * Download latest assets from GitHub. Optional — embedded assets in lib
- * provide the baseline. This upgrades to the latest release versions.
- */
-export async function seedOpenPalmDir(
-  repoRef: string,
-  homeDir: string,
-  configDir: string,
-  vaultDir: string,
-  dataDir: string,
-): Promise<void> {
-  const tarballUrl = `https://github.com/${REPO_OWNER}/${REPO_NAME}/archive/${repoRef}.tar.gz`;
-  const tmpDir = join(homeDir, '.seed-tmp');
-  const tmpTar = join(tmpDir, 'repo.tar.gz');
-
-  try {
-    await mkdir(tmpDir, { recursive: true });
-
-    const res = await fetch(tarballUrl, { signal: AbortSignal.timeout(60_000) });
-    if (!res.ok) throw new Error(`Failed to download tarball (HTTP ${res.status})`);
-    await Bun.write(tmpTar, res);
-
-    // Extract full tarball — avoid --wildcards which is GNU tar-only and
-    // breaks on macOS (BSD tar), causing silent extraction failure.
-    const extractProc = Bun.spawn(
-      ['tar', 'xzf', tmpTar, '--strip-components=1'],
-      { cwd: tmpDir, stdout: 'ignore', stderr: 'pipe' },
-    );
-    const extractCode = await extractProc.exited;
-    if (extractCode !== 0) {
-      throw new Error(`tar extraction failed (exit code ${extractCode})`);
-    }
-
-    const srcCoreCompose = join(tmpDir, '.openpalm', 'stack', 'core.compose.yml');
-    if (!await Bun.file(srcCoreCompose).exists()) {
-      throw new Error('core.compose.yml not found in downloaded assets');
-    }
-    await mkdir(join(homeDir, 'stack'), { recursive: true });
-    await writeFile(join(homeDir, 'stack', 'core.compose.yml'), new Uint8Array(await Bun.file(srcCoreCompose).arrayBuffer()));
-
-    const srcRegistry = join(tmpDir, '.openpalm', 'registry');
-    if (await dirExists(srcRegistry)) {
-      await copyTree(srcRegistry, join(homeDir, 'registry'));
-    }
-
-    const srcVault = join(tmpDir, '.openpalm', 'vault');
-    if (await dirExists(srcVault)) {
-      await copyTree(srcVault, vaultDir, { onlyPattern: /\.schema$/ });
-    }
-
-    const srcAssistant = join(tmpDir, 'core', 'assistant', 'opencode');
-    if (await dirExists(srcAssistant)) {
-      await copyTree(srcAssistant, join(dataDir, 'assistant'));
-    }
-  } finally {
-    await rm(tmpDir, { recursive: true, force: true }).catch(() => {});
-  }
-}
-
-async function dirExists(path: string): Promise<boolean> {
-  try {
-    const stat = await Bun.file(join(path, '.')).exists();
-    // Bun.file().exists() doesn't work for dirs, use a different check
-    const proc = Bun.spawn(['test', '-d', path], { stdout: 'ignore', stderr: 'ignore' });
-    return (await proc.exited) === 0;
-  } catch { return false; }
-}
-
-async function copyTree(
-  src: string,
-  dest: string,
-  opts?: { skipExisting?: boolean; onlyPattern?: RegExp },
-): Promise<void> {
-  const proc = Bun.spawn(['find', src, '-type', 'f'], { stdout: 'pipe' });
-  const output = await new Response(proc.stdout).text();
-  await proc.exited;
-
-  for (const srcFile of output.trim().split('\n').filter(Boolean)) {
-    const rel = relative(src, srcFile);
-    if (opts?.onlyPattern && !opts.onlyPattern.test(rel)) continue;
-    const destFile = join(dest, rel);
-    if (opts?.skipExisting && await Bun.file(destFile).exists()) continue;
-    await mkdir(dirname(destFile), { recursive: true });
-    const content = await Bun.file(srcFile).arrayBuffer();
-    await writeFile(destFile, new Uint8Array(content));
-  }
-}
-
-/**
- * Opens a URL in the user's default browser. Best-effort, never throws.
- */
-export async function openBrowser(url: string): Promise<void> {
-  console.log(`Opening ${url} in your browser...`);
-  const platform = process.platform;
-  try {
-    if (platform === 'darwin') {
-      Bun.spawn(['open', url], { stdout: 'ignore', stderr: 'ignore' });
-      return;
-    }
-    if (platform === 'win32') {
-      Bun.spawn(['cmd', '/c', 'start', url], { stdout: 'ignore', stderr: 'ignore' });
-      return;
-    }
-    Bun.spawn(['xdg-open', url], { stdout: 'ignore', stderr: 'ignore' });
-  } catch {
-    // Best effort
-  }
-}

package/src/lib/env.ts

@@ -1,90 +1,19 @@
-import { join, dirname } from 'node:path';
-import { randomBytes } from 'node:crypto';
+import { join } from 'node:path';
 import { mkdirSync } from 'node:fs';
+import { reconcileStackEnvImageTag, resolveRequestedImageTag } from '@openpalm/lib';
 import { defaultDockerSock } from './paths.ts';
 
-export function unwrapQuotedEnvValue(value: string): string {
-  const isDoubleQuoted = value.startsWith('"') && value.endsWith('"');
-  const isSingleQuoted = value.startsWith('\'') && value.endsWith('\'');
-  if ((isDoubleQuoted || isSingleQuoted) && value.length >= 2) {
-    return value.slice(1, -1);
-  }
-
-  return value;
-}
-
-/**
- * Upserts a key=value pair in env file content. If the key exists, replaces the line;
- * otherwise appends a new line.
- */
-export function upsertEnvValue(content: string, key: string, value: string): string {
-  const escapedKey = key.replace(/[|\\{}()[\]^$+*?.-]/g, '\\$&');
-  const pattern = new RegExp(`^((?:export\\s+)?)${escapedKey}=.*$`, 'm');
-  if (pattern.test(content)) {
-    // Preserve the `export ` prefix if the original line had one
-    return content.replace(pattern, `$1${key}=${value}`);
-  }
-
-  const line = `${key}=${value}`;
-  const suffix = content.endsWith('\n') || content.length === 0 ? '' : '\n';
-  return `${content}${suffix}${line}\n`;
-}
-
-export const RELEASE_TAG_REGEX = /^v?\d+\.\d+\.\d+(?:[-+](?:[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?$/;
-
-/**
- * Normalizes a repository ref to an image tag. Returns null for non-release refs.
- * E.g. "0.9.0" → "v0.9.0", "v0.9.0" → "v0.9.0", "main" → null.
- */
-export function resolveRequestedImageTag(repoRef: string): string | null {
-  const trimmed = repoRef.trim();
-  if (!trimmed || trimmed === 'main') return null;
-  if (!RELEASE_TAG_REGEX.test(trimmed)) return null;
-  return trimmed.startsWith('v') ? trimmed : `v${trimmed}`;
-}
-
-/**
- * Reconciles the OP_IMAGE_TAG value in stack.env content.
- */
-export function reconcileStackEnvImageTag(
-  content: string,
-  repoRef: string,
-  explicitImageTag?: string,
-): string {
-  const desiredImageTag = explicitImageTag || resolveRequestedImageTag(repoRef);
-  if (!desiredImageTag) return content;
-  return upsertEnvValue(content, 'OP_IMAGE_TAG', desiredImageTag);
-}
-
 /**
- * Seeds vault/user/user.env with initial template.
- * Uses `export` prefix so the file can be sourced in a shell and is still
- * compatible with Docker Compose v2 `env_file`.
- * Contains user-managed secrets only (API keys, memory user ID).
- * System secrets (OP_ADMIN_TOKEN, OP_ASSISTANT_TOKEN, OP_MEMORY_TOKEN)
- * live in vault/stack/stack.env and are managed by the control plane.
+ * Ensures the state/ directory exists.
+ * User-managed env secrets live in the akm `vault:user` store and are sourced
+ * by the assistant entrypoint directly.
  */
-export async function ensureSecrets(vaultDir: string): Promise<void> {
-  const secretsPath = join(vaultDir, 'user', 'user.env');
-  if (await Bun.file(secretsPath).exists()) {
-    return;
-  }
-
-  mkdirSync(join(vaultDir, 'user'), { recursive: true });
-  // user.env is for user-added custom env vars only.
-  // All standard secrets (API keys, tokens) live in stack.env.
-  // Do NOT put API key placeholders here — user.env is loaded after
-  // stack.env by Docker Compose, so empty values would override real keys.
-  const content = `# OpenPalm — User Extensions
-# Add any custom environment variables here.
-# These are loaded by compose alongside stack.env.
-`;
-
-  await Bun.write(secretsPath, content);
+export async function ensureSecrets(stateDir: string): Promise<void> {
+  mkdirSync(stateDir, { recursive: true });
 }
 
 /**
- * Creates or updates the vault/stack/stack.env bootstrap file.
+ * Creates or updates the config/stack/stack.env bootstrap file.
  *
  * When `imageTagOverride` is provided (e.g. derived from --version during
  * install), it takes precedence over both the OP_IMAGE_TAG env var
@@ -93,15 +22,16 @@ export async function ensureSecrets(vaultDir: string): Promise<void> {
  */
 export async function ensureStackEnv(
   homeDir: string,
-  vaultDir: string,
+  configDir: string,
   workDir: string,
   repoRef: string,
   imageTagOverride?: string,
 ): Promise<void> {
-  const systemEnvPath = join(vaultDir, 'stack', 'stack.env');
+  const stackDir = join(configDir, 'stack');
+  const systemEnvPath = join(stackDir, 'stack.env');
   const explicitImageTag = imageTagOverride ?? process.env.OP_IMAGE_TAG;
   const hasExplicitImageTag = explicitImageTag !== undefined && explicitImageTag !== '';
-  mkdirSync(join(vaultDir, 'stack'), { recursive: true });
+  mkdirSync(stackDir, { recursive: true });
   if (!(await Bun.file(systemEnvPath).exists())) {
     const defaultImageTag = hasExplicitImageTag
       ? explicitImageTag
@@ -111,7 +41,6 @@ OP_HOME=${homeDir}
 OP_WORK_DIR=${workDir}
 OP_UID=${process.getuid?.() ?? 1000}
 OP_GID=${process.getgid?.() ?? 1000}
-OP_DOCKER_SOCK=${defaultDockerSock()}
 OP_IMAGE_NAMESPACE=${process.env.OP_IMAGE_NAMESPACE || 'openpalm'}
 OP_IMAGE_TAG=${defaultImageTag}
 `;

package/src/lib/io.ts

@@ -0,0 +1,130 @@
+/**
+ * Filesystem and HTTP helpers used by the CLI install/upgrade flows.
+ *
+ * Asset seeding (seedOpenPalmDir, seedUiBuild) and path resolution
+ * (resolveLocalUiBuild, resolveUiBuildDir) now live in @openpalm/lib
+ * so both the CLI and any future Electron shell can import them directly.
+ */
+import { mkdir, writeFile } from 'node:fs/promises';
+import { existsSync, readdirSync, statSync } from 'node:fs';
+import { join, dirname, relative } from 'node:path';
+
+const REPO_OWNER = 'itlackey';
+const REPO_NAME = 'openpalm';
+
+/**
+ * Creates the full directory tree required by the stack.
+ */
+export async function ensureDirectoryTree(
+  homeDir: string,
+  _configDir: string,
+  _vaultDir: string,
+  _dataDir: string,
+  workDir: string,
+): Promise<void> {
+  const configDir = `${homeDir}/config`;
+  const stateDir = `${homeDir}/state`;
+  const cacheDir = `${homeDir}/cache`;
+
+  for (const dir of [
+    homeDir,
+    configDir,
+    join(configDir, 'assistant'),
+    join(configDir, 'assistant', 'tools'),
+    join(configDir, 'assistant', 'plugins'),
+    join(configDir, 'assistant', 'skills'),
+    join(configDir, 'akm'),
+    join(configDir, 'stack'),
+    join(configDir, 'stack', 'addons'),
+    join(homeDir, 'stash'),
+    join(homeDir, 'stash', 'vaults'),
+    join(homeDir, 'stash', 'tasks'),
+    join(homeDir, 'workspace'),
+    cacheDir,
+    join(cacheDir, 'akm'),
+    join(cacheDir, 'guardian'),
+    join(cacheDir, 'rollback'),
+    stateDir,
+    join(stateDir, 'assistant'),
+    join(stateDir, 'admin'),
+    join(stateDir, 'guardian'),
+    join(stateDir, 'guardian', 'stash'),
+    join(stateDir, 'guardian', 'akm'),
+    join(stateDir, 'guardian', 'akm', 'data'),
+    join(stateDir, 'guardian', 'akm', 'state'),
+    join(stateDir, 'akm'),
+    join(stateDir, 'akm', 'data'),
+    join(stateDir, 'akm', 'state'),
+    join(stateDir, 'scheduler'),
+    join(stateDir, 'scheduler', 'triggers'),
+    join(stateDir, 'logs'),
+    join(stateDir, 'logs', 'opencode'),
+    join(stateDir, 'backups'),
+    join(stateDir, 'registry'),
+    join(stateDir, 'registry', 'addons'),
+    join(stateDir, 'registry', 'automations'),
+    join(stateDir, 'ui'),
+    workDir,
+  ]) {
+    await mkdir(dir, { recursive: true });
+  }
+}
+
+async function fetchWithRetry(url: string, retries = 3): Promise<Response> {
+  for (let i = 0; i < retries; i++) {
+    try {
+      const res = await fetch(url, { signal: AbortSignal.timeout(30000) });
+      if (res.ok || res.status < 500) return res;
+      if (i < retries - 1) await new Promise(r => setTimeout(r, 200 * 2 ** i));
+    } catch (err) {
+      if (i === retries - 1) throw err;
+      await new Promise(r => setTimeout(r, 200 * 2 ** i));
+    }
+  }
+  throw new Error(`Failed to fetch ${url} after ${retries} attempts`);
+}
+
+/** Downloads a text asset from a GitHub release, falling back to raw URL. */
+export async function fetchAsset(repoRef: string, filename: string): Promise<string> {
+  const releaseUrl = `https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/download/${repoRef}/${filename}`;
+  const rawUrl = `https://raw.githubusercontent.com/${REPO_OWNER}/${REPO_NAME}/${repoRef}/${filename}`;
+
+  try {
+    const r = await fetchWithRetry(releaseUrl);
+    if (r.ok) return await r.text();
+  } catch { /* fall through */ }
+
+  const r = await fetchWithRetry(rawUrl);
+  if (r.ok) return await r.text();
+  throw new Error(`Failed to download ${filename} from ${repoRef}`);
+}
+
+/** Returns true if `path` is an existing directory. */
+export function dirExists(path: string): boolean {
+  try { return statSync(path).isDirectory(); } catch { return false; }
+}
+
+/** Recursively copy files from src to dest. */
+export async function copyTree(
+  src: string,
+  dest: string,
+  opts?: { skipExisting?: boolean; onlyPattern?: RegExp },
+): Promise<void> {
+  if (!dirExists(src)) return;
+  const entries = readdirSync(src, { recursive: true, withFileTypes: true });
+  for (const entry of entries) {
+    if (!entry.isFile()) continue;
+    const parentDir = (entry as unknown as { parentPath?: string; path?: string }).parentPath
+      ?? (entry as unknown as { path: string }).path;
+    const srcFile = join(parentDir, entry.name);
+    const rel = relative(src, srcFile);
+    if (opts?.onlyPattern && !opts.onlyPattern.test(rel)) continue;
+    const destFile = join(dest, rel);
+    if (opts?.skipExisting && existsSync(destFile)) continue;
+    await mkdir(dirname(destFile), { recursive: true });
+    await writeFile(destFile, new Uint8Array(await Bun.file(srcFile).arrayBuffer()));
+  }
+}
+
+// Re-export from lib so existing imports in CLI commands keep working.
+export { seedOpenPalmDir, seedUiBuild } from '@openpalm/lib';

package/src/lib/opencode-subprocess.ts

@@ -28,13 +28,12 @@ const STOP_TIMEOUT_MS = 5_000;
  * Start an OpenCode subprocess for the wizard to talk to.
  *
  * Creates a temporary HOME directory structure with symlinks to the real
- * vault/config paths so OpenCode reads/writes auth.json at the right location.
+ * state/config paths so OpenCode reads/writes auth.json at the right location.
  */
 export async function startOpenCodeSubprocess(opts: {
   homeDir: string;
   configDir: string;
-  vaultDir: string;
-  dataDir: string;
+  stateDir: string;
   port?: number;
 }): Promise<OpenCodeSubprocess> {
   const opencodeBin = Bun.which("opencode");
@@ -54,11 +53,20 @@ export async function startOpenCodeSubprocess(opts: {
   mkdirSync(ocConfigDir, { recursive: true });
   mkdirSync(ocStateDir, { recursive: true });
 
-  // Symlink auth.json → real vault location
-  const authJsonSrc = join(opts.vaultDir, "stack", "auth.json");
+  // Symlink auth.json → the canonical OpenCode credential file at
+  // ${OP_HOME}/config/auth.json. This is the same file the assistant
+  // container bind-mounts (see .openpalm/config/stack/core.compose.yml),
+  // so credentials written by this wizard subprocess are immediately
+  // visible to the chat assistant on next start.
+  // SEC-5: Windows does not support unprivileged symlinks; use copyFileSync instead.
+  const authJsonSrc = join(opts.configDir, "auth.json");
   const authJsonDst = join(ocShareDir, "auth.json");
   if (!existsSync(authJsonDst)) {
-    symlinkSync(authJsonSrc, authJsonDst);
+    if (process.platform === "win32") {
+      if (existsSync(authJsonSrc)) copyFileSync(authJsonSrc, authJsonDst);
+    } else {
+      symlinkSync(authJsonSrc, authJsonDst);
+    }
   }
 
   // Copy opencode.json config (not symlink — OpenCode may modify it)

package/src/lib/paths.ts

@@ -5,7 +5,7 @@ import { existsSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 import {
-  resolveDataDir,
+  resolveWorkspaceDir,
 } from '@openpalm/lib';
 
 export const IS_WINDOWS = process.platform === 'win32';
@@ -27,5 +27,5 @@ export function defaultDockerSock(): string {
 }
 
 export function defaultWorkDir(): string {
-  return process.env.OP_WORK_DIR || `${resolveDataDir()}/workspace`;
+  return process.env.OP_WORK_DIR || resolveWorkspaceDir();
 }