openpalm 0.9.10 → 0.10.0-rc9

package/README.md

@@ -6,17 +6,17 @@ Bun CLI for bootstrapping and managing an OpenPalm installation. The CLI is the
 
 The CLI operates directly against Docker Compose without requiring an admin container:
 
-- **Install** -- creates XDG dirs, downloads assets, serves the setup wizard locally via `Bun.serve()`, stages artifacts, starts core services
-- **All lifecycle commands** -- stage artifacts from `@openpalm/lib` using `FilesystemAssetProvider`, then run Docker Compose directly
+- **Install** -- creates the `~/.openpalm/` home layout, downloads assets, serves the setup wizard locally via `Bun.serve()`, writes files to their final locations, and starts core services
+- **All lifecycle commands** -- refresh files in `~/.openpalm/` when needed, then run Docker Compose directly
 - **Admin delegation** -- the `install` command checks for a running admin and delegates if reachable. Other commands operate directly via Docker Compose.
 
-The admin container is optional. Use `--with-admin` to include the admin UI profile.
+The admin container is optional. Use `--with-admin` to enable the admin addon overlay in the compose file set.
 
 ## Commands
 
 | Command | Description |
 |---|---|
-| `openpalm install` | Bootstrap XDG dirs, download assets, run setup wizard, start core services |
+| `openpalm install` | Bootstrap `~/.openpalm/`, download assets, run setup wizard, start core services |
 | `openpalm uninstall` | Stop and remove the stack (preserves config and data) |
 | `openpalm update` | Pull latest images and recreate containers |
 | `openpalm start [svc...]` | Start all or named services |
@@ -26,16 +26,16 @@ The admin container is optional. Use `--with-admin` to include the admin UI prof
 | `openpalm logs [svc...]` | Tail last 100 log lines |
 | `openpalm status` | Show container status |
 | `openpalm service <sub> [svc...]` | Alias -- subcommands: `start`, `stop`, `restart`, `logs`, `status`, `update` |
-| `openpalm validate` | Validate `secrets.env` against the schema (requires prior install) |
+| `openpalm validate` | Validate vault env files against their schemas (requires prior install) |
 | `openpalm scan` | Scan for leaked secrets in config files |
 
 ### Install options
 
 `--force` skip "already installed" check, `--version TAG` install a specific ref (default: current CLI version), `--no-start` prepare files only, `--no-open` skip browser launch.
 
-### Admin profile
+### Admin addon
 
-Admin and docker-socket-proxy use Docker Compose profiles. They start only when explicitly requested:
+Admin and docker-socket-proxy start only when explicitly requested:
 
 ```bash
 openpalm start --with-admin     # Start core + admin profile
@@ -45,23 +45,21 @@ openpalm stop admin             # Stop admin service specifically
 
 ## Setup Wizard
 
-On first install, the CLI serves a setup wizard on port 8100 via `Bun.serve()`. The wizard runs entirely in the browser (vanilla HTML/JS) and calls `performSetup()` from `@openpalm/lib` to write secrets, connection profiles, memory config, and stage artifacts. No admin container is involved.
+On first install, the CLI serves a setup wizard on port `8100` via `Bun.serve()`. That temporary setup port is separate from the admin container, which defaults to `http://localhost:3880` once installed. The wizard runs entirely in the browser (vanilla HTML/JS) and calls `performSetup()` from `@openpalm/lib` to write secrets, connection profiles, memory config, and other files to their final locations. No admin container is involved.
 
 ## Environment Variables
 
 | Variable | Default | Purpose |
 |---|---|---|
-| `OPENPALM_CONFIG_HOME` | `~/.config/openpalm` | User config + secrets |
-| `OPENPALM_DATA_HOME` | `~/.local/share/openpalm` | Persistent service data |
-| `OPENPALM_STATE_HOME` | `~/.local/state/openpalm` | Assembled runtime |
-| `OPENPALM_WORK_DIR` | `~/openpalm` | Assistant working directory |
-| `OPENPALM_ADMIN_API_URL` | `http://localhost:8100` | Admin API endpoint (for optional delegation) |
-| `OPENPALM_ADMIN_TOKEN` | (from `secrets.env`) | Admin API auth token |
+| `OP_HOME` | `~/.openpalm` | Root of all OpenPalm state |
+| `OP_WORK_DIR` | `~/openpalm` | Assistant working directory |
+| `OP_ADMIN_API_URL` | `http://localhost:3880` | Admin API endpoint (for optional delegation) |
+| `OP_ADMIN_TOKEN` | (from `vault/stack/stack.env`) | Admin API auth token |
 
 ## How It Works
 
-1. **Bootstrap** (first install) -- creates XDG directory tree, downloads core assets from GitHub, seeds `secrets.env` and `stack.env`, serves setup wizard, stages artifacts via `@openpalm/lib`, starts core services via `docker compose up`
-2. **Running stack** -- commands stage artifacts locally using `FilesystemAssetProvider`, then execute Docker Compose directly.
+1. **Bootstrap** (first install) -- creates the `~/.openpalm/` tree, downloads core assets from GitHub, seeds `vault/user/user.env` and `vault/stack/stack.env`, materializes the runtime registry catalog under `registry/`, serves the setup wizard, writes `stack/core.compose.yml`, enables requested addons under `stack/addons/`, and starts core services via `docker compose up`
+2. **Running stack** -- commands refresh files in `~/.openpalm/` when needed, then execute Docker Compose directly.
 3. **Admin absent** -- all commands work identically. Admin is never required for any operation.
 
 Follows the file-assembly principle: copies whole files, never renders templates. See [`core-principles.md`](../../docs/technical/core-principles.md).

package/e2e/start-wizard-server.ts

@@ -10,7 +10,6 @@
  */
 import { createSetupServer } from "../src/setup-wizard/server.ts";
 import { mkdirSync, writeFileSync } from "node:fs";
-import type { CoreAssetProvider } from "@openpalm/lib";
 
 const port = parseInt(Bun.argv[2] || "18100", 10);
 const tmpBase = `/tmp/openpalm-wizard-test-${port}`;
@@ -19,36 +18,32 @@ const tmpBase = `/tmp/openpalm-wizard-test-${port}`;
 // API endpoints that need real files are mocked at the browser level
 // by Playwright's page.route(), so these dirs just prevent crashes.
 mkdirSync(`${tmpBase}/config`, { recursive: true });
+mkdirSync(`${tmpBase}/config/automations`, { recursive: true });
 mkdirSync(`${tmpBase}/data`, { recursive: true });
-mkdirSync(`${tmpBase}/state/artifacts`, { recursive: true });
-
-writeFileSync(`${tmpBase}/config/secrets.env`, "# test\n");
-writeFileSync(`${tmpBase}/state/artifacts/stack.env`, "OPENPALM_SETUP_COMPLETE=false\n");
-
-// No-op asset provider — mocked tests intercept API calls before they
-// reach performSetup(), so these methods are never invoked.
-const noopAssetProvider: CoreAssetProvider = {
-	coreCompose: () => "",
-	caddyfile: () => "",
-	ollamaCompose: () => "",
-	agentsMd: () => "",
-	opencodeConfig: () => "",
-	adminOpencodeConfig: () => "",
-	secretsSchema: () => "",
-	stackSchema: () => "",
-	cleanupLogs: () => "",
-	cleanupData: () => "",
-	validateConfig: () => "",
-};
+mkdirSync(`${tmpBase}/data/assistant`, { recursive: true });
+mkdirSync(`${tmpBase}/registry/automations`, { recursive: true });
+mkdirSync(`${tmpBase}/stack`, { recursive: true });
+mkdirSync(`${tmpBase}/vault/stack`, { recursive: true });
+mkdirSync(`${tmpBase}/vault/user`, { recursive: true });
+
+writeFileSync(`${tmpBase}/vault/stack/stack.env`, "OP_SETUP_COMPLETE=false\n");
+writeFileSync(`${tmpBase}/vault/user/user.env`, "# test\n");
+
+// Seed minimal asset files so performSetup() can read them if invoked
+writeFileSync(`${tmpBase}/stack/core.compose.yml`, "services:\n  admin:\n    image: admin:latest\n");
+writeFileSync(`${tmpBase}/data/assistant/opencode.jsonc`, '{"$schema":"https://opencode.ai/config.json"}\n');
+writeFileSync(`${tmpBase}/data/assistant/AGENTS.md`, "# Agents\n");
+writeFileSync(`${tmpBase}/vault/user/user.env.schema`, "OP_ADMIN_TOKEN=string\n");
+writeFileSync(`${tmpBase}/vault/stack/stack.env.schema`, "OP_IMAGE_TAG=string\n");
+writeFileSync(`${tmpBase}/registry/automations/cleanup-logs.yml`, "name: cleanup-logs\nschedule: daily\n");
+writeFileSync(`${tmpBase}/registry/automations/cleanup-data.yml`, "name: cleanup-data\nschedule: weekly\n");
+writeFileSync(`${tmpBase}/registry/automations/validate-config.yml`, "name: validate-config\nschedule: hourly\n");
 
 // Override state/config home so the server doesn't touch real dirs.
-process.env.OPENPALM_CONFIG_HOME = `${tmpBase}/config`;
-process.env.OPENPALM_STATE_HOME = `${tmpBase}/state`;
-process.env.OPENPALM_DATA_HOME = `${tmpBase}/data`;
+process.env.OP_HOME = tmpBase;
 
 const { server } = createSetupServer(port, {
 	configDir: `${tmpBase}/config`,
-	assetProvider: noopAssetProvider,
 });
 
 console.log(`WIZARD_READY:${port}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openpalm",
-  "version": "0.9.10",
+  "version": "0.10.0-rc9",
   "type": "module",
   "license": "MPL-2.0",
   "description": "OpenPalm CLI — install and manage a self-hosted OpenPalm stack",
@@ -16,7 +16,7 @@
     "start": "bun run src/main.ts",
     "test": "bun test",
     "test:e2e": "npx playwright test",
-    "wizard:dev": "bun run src/setup-wizard/standalone.ts",
+    "wizard:dev": "bun run src/main.ts install --no-start --force",
     "build": "bun build src/main.ts --compile --outfile dist/openpalm-cli",
     "build:linux-x64": "bun build src/main.ts --compile --target=bun-linux-x64 --outfile dist/openpalm-cli-linux-x64",
     "build:linux-arm64": "bun build src/main.ts --compile --target=bun-linux-arm64 --outfile dist/openpalm-cli-linux-arm64",
@@ -27,6 +27,7 @@
   },
   "dependencies": {
     "@openpalm/lib": ">=0.9.8 <1.0.0",
-    "citty": "^0.2.1"
+    "citty": "^0.2.1",
+    "yaml": "^2.8.0"
   }
 }

package/src/commands/install-services.test.ts

@@ -1,25 +1,9 @@
 import { describe, expect, it } from 'bun:test';
-import { buildDeployStatusEntries, buildInstallServiceNames } from './install-services.ts';
+import { buildDeployStatusEntries } from './install-services.ts';
 
 describe('install service helpers', () => {
-  it('passes managed services through unchanged', () => {
-    expect(buildInstallServiceNames(['memory', 'assistant'])).toEqual([
-      'memory',
-      'assistant',
-    ]);
-  });
-
-  it('includes admin services when they are in managed list', () => {
-    expect(buildInstallServiceNames(['memory', 'caddy', 'admin', 'docker-socket-proxy'])).toEqual([
-      'memory',
-      'caddy',
-      'admin',
-      'docker-socket-proxy',
-    ]);
-  });
-
-  it('builds deploy status entries for the full install service list', () => {
-    const services = buildInstallServiceNames(['memory', 'assistant']);
+  it('builds deploy status entries for the install service list', () => {
+    const services = ['memory', 'assistant'];
 
     expect(buildDeployStatusEntries(services, 'pending', 'Waiting...')).toEqual([
       { service: 'memory', status: 'pending', label: 'Waiting...' },

package/src/commands/install-services.ts

@@ -1,8 +1,4 @@
-export type DeployStatusState = 'pending' | 'pulling';
-
-export function buildInstallServiceNames(managedServices: string[]): string[] {
-  return [...managedServices];
-}
+export type DeployStatusState = 'pending' | 'pulling' | 'error';
 
 export function buildDeployStatusEntries(
   services: string[],