openpalm 0.9.8 → 0.9.9

package/src/commands/service.ts

@@ -1,5 +1,4 @@
 import { defineCommand } from 'citty';
-import { tryAdminRequest } from '../lib/admin.ts';
 import { runDockerCompose } from '../lib/docker.ts';
 import { ensureStagedState, fullComposeArgs, buildManagedServiceNames } from '../lib/staging.ts';
 import { runLogsAction } from './logs.ts';
@@ -42,14 +41,6 @@ const logsCmd = defineCommand({
 const updateCmd = defineCommand({
   meta: { name: 'update', description: 'Pull latest images' },
   async run() {
-    // Try admin delegation first
-    const adminResult = await tryAdminRequest('/admin/containers/pull', { method: 'POST' });
-    if (adminResult !== null) {
-      console.log(JSON.stringify(adminResult, null, 2));
-      return;
-    }
-
-    // Direct compose pull + recreate (scoped to managed services)
     const state = await ensureStagedState();
     const composeArgs = fullComposeArgs(state);
     const managedServices = buildManagedServiceNames(state);
@@ -64,14 +55,6 @@ const updateCmd = defineCommand({
 const statusCmd = defineCommand({
   meta: { name: 'status', description: 'Show container status' },
   async run() {
-    // Try admin delegation first
-    const adminResult = await tryAdminRequest('/admin/containers/list');
-    if (adminResult !== null) {
-      console.log(JSON.stringify(adminResult, null, 2));
-      return;
-    }
-
-    // Direct compose ps
     const state = await ensureStagedState();
     await runDockerCompose([...fullComposeArgs(state), 'ps', '--format', 'table']);
   },

package/src/commands/start.ts

@@ -1,5 +1,4 @@
 import { defineCommand } from 'citty';
-import { tryAdminRequest } from '../lib/admin.ts';
 import { runDockerCompose } from '../lib/docker.ts';
 import { ensureStagedState, fullComposeArgs, buildManagedServiceNames } from '../lib/staging.ts';
 
@@ -14,66 +13,29 @@ export default defineCommand({
       description: 'Service names to start (omit for all)',
       required: false,
     },
-    'with-admin': {
-      type: 'boolean',
-      description: 'Include admin UI and docker-socket-proxy (use --no-with-admin to skip)',
-      default: true,
-    },
   },
   async run({ args }) {
     const services = args._ ?? [];
-    const withAdmin = args['with-admin'] ?? false;
-    await runStartAction(services, { withAdmin });
+    await runStartAction(services);
   },
 });
 
 export async function runStartAction(
   services: string[],
-  opts?: { withAdmin?: boolean },
 ): Promise<void> {
-  const withAdmin = opts?.withAdmin ?? false;
-
   if (services.length === 0) {
-    // Try admin delegation first (gives admin's scheduler/audit a chance to observe)
-    const adminResult = await tryAdminRequest('/admin/install', { method: 'POST' });
-    if (adminResult !== null) {
-      console.log(JSON.stringify(adminResult, null, 2));
-      return;
-    }
-
-    // Direct compose — stage artifacts and start managed services
+    // Stage artifacts and start all managed services (admin included if enabled)
     const state = await ensureStagedState();
     const composeArgs = fullComposeArgs(state);
     const managedServices = buildManagedServiceNames(state);
-
-    if (withAdmin) {
-      // Include the admin profile — starts admin + docker-socket-proxy
-      await runDockerCompose([...composeArgs, '--profile', 'admin', 'up', '-d', ...managedServices, 'admin', 'docker-socket-proxy']);
-    } else {
-      await runDockerCompose([...composeArgs, 'up', '-d', ...managedServices]);
-    }
+    await runDockerCompose([...composeArgs, 'up', '-d', ...managedServices]);
     return;
   }
 
-  // Start specific services — try admin first, fall back to direct compose
+  // Start specific services
   for (const service of services) {
-    const adminResult = await tryAdminRequest('/admin/containers/up', {
-      method: 'POST',
-      body: JSON.stringify({ service }),
-    });
-    if (adminResult !== null) {
-      console.log(JSON.stringify(adminResult, null, 2));
-      continue;
-    }
-
-    // Direct compose for specific service
     const state = await ensureStagedState();
     const composeArgs = fullComposeArgs(state);
-    // If starting admin explicitly, include the admin profile
-    if (service === 'admin' || service === 'docker-socket-proxy') {
-      await runDockerCompose([...composeArgs, '--profile', 'admin', 'up', '-d', service]);
-    } else {
-      await runDockerCompose([...composeArgs, 'up', '-d', service]);
-    }
+    await runDockerCompose([...composeArgs, 'up', '-d', service]);
   }
 }

package/src/commands/status.ts

@@ -1,5 +1,4 @@
 import { defineCommand } from 'citty';
-import { tryAdminRequest } from '../lib/admin.ts';
 import { runDockerCompose } from '../lib/docker.ts';
 import { ensureStagedState, fullComposeArgs } from '../lib/staging.ts';
 
@@ -9,14 +8,6 @@ export default defineCommand({
     description: 'Show container status',
   },
   async run() {
-    // Try admin delegation first for richer output
-    const adminResult = await tryAdminRequest('/admin/containers/list');
-    if (adminResult !== null) {
-      console.log(JSON.stringify(adminResult, null, 2));
-      return;
-    }
-
-    // Direct compose ps
     const state = await ensureStagedState();
     await runDockerCompose([...fullComposeArgs(state), 'ps', '--format', 'table']);
   },

package/src/commands/stop.ts

@@ -1,5 +1,4 @@
 import { defineCommand } from 'citty';
-import { tryAdminRequest, getServiceNames } from '../lib/admin.ts';
 import { runDockerCompose } from '../lib/docker.ts';
 import { ensureStagedState, fullComposeArgs } from '../lib/staging.ts';
 
@@ -23,48 +22,17 @@ export default defineCommand({
 
 export async function runStopAction(services: string[]): Promise<void> {
   if (services.length === 0) {
-    // Try admin delegation — stop each managed container
-    const adminResult = await tryAdminRequest('/admin/containers/list');
-    if (adminResult !== null) {
-      const serviceNames = getServiceNames(adminResult);
-      for (const service of serviceNames) {
-        const result = await tryAdminRequest('/admin/containers/down', {
-          method: 'POST',
-          body: JSON.stringify({ service }),
-        });
-        if (result !== null) {
-          console.log(JSON.stringify(result, null, 2));
-        } else {
-          console.warn(`Warning: failed to stop ${service} via admin API`);
-        }
-      }
-      return;
-    }
-
-    // Direct compose down — include admin profile to tear down all services
+    // Compose file list includes admin.yml when admin is enabled,
+    // so `down` tears down all services including admin/caddy/socket-proxy.
     const state = await ensureStagedState();
-    await runDockerCompose([...fullComposeArgs(state), '--profile', 'admin', 'down']);
+    await runDockerCompose([...fullComposeArgs(state), 'down']);
     return;
   }
 
   // Stop specific services
   for (const service of services) {
-    const adminResult = await tryAdminRequest('/admin/containers/down', {
-      method: 'POST',
-      body: JSON.stringify({ service }),
-    });
-    if (adminResult !== null) {
-      console.log(JSON.stringify(adminResult, null, 2));
-      continue;
-    }
-
-    // Direct compose stop for specific service
     const state = await ensureStagedState();
     const composeArgs = fullComposeArgs(state);
-    if (service === 'admin' || service === 'docker-socket-proxy') {
-      await runDockerCompose([...composeArgs, '--profile', 'admin', 'stop', service]);
-    } else {
-      await runDockerCompose([...composeArgs, 'stop', service]);
-    }
+    await runDockerCompose([...composeArgs, 'stop', service]);
   }
 }

package/src/commands/uninstall.ts

@@ -1,7 +1,8 @@
 import { defineCommand } from 'citty';
-import { tryAdminRequest } from '../lib/admin.ts';
+import { rmSync } from 'node:fs';
 import { runDockerCompose } from '../lib/docker.ts';
 import { ensureStagedState, fullComposeArgs } from '../lib/staging.ts';
+import { resolveConfigHome, resolveDataHome, resolveStateHome } from '@openpalm/lib';
 
 export default defineCommand({
   meta: {
@@ -14,24 +15,32 @@ export default defineCommand({
       description: 'Also remove Docker volumes',
       default: false,
     },
+    purge: {
+      type: 'boolean',
+      description: 'Remove all OpenPalm XDG directories (config, data, state)',
+      default: false,
+    },
   },
   async run({ args }) {
-    // Try admin delegation first
-    const adminResult = await tryAdminRequest('/admin/uninstall', { method: 'POST' });
-    if (adminResult !== null) {
-      console.log(JSON.stringify(adminResult, null, 2));
-      return;
-    }
-
-    // Direct compose down — include admin profile to tear down all services
+    // Compose file list includes admin.yml when admin is enabled,
+    // so `down` tears down all services including admin/caddy/socket-proxy.
     const state = await ensureStagedState();
     const composeArgs = fullComposeArgs(state);
-    const downArgs = args.volumes ? ['down', '-v'] : ['down'];
-    await runDockerCompose([...composeArgs, '--profile', 'admin', ...downArgs]);
+    const downArgs = args.volumes || args.purge ? ['down', '-v'] : ['down'];
+    await runDockerCompose([...composeArgs, ...downArgs]);
 
-    console.log('OpenPalm stack stopped and removed.');
-    if (!args.volumes) {
-      console.log('Config and data directories are preserved. Use --volumes to also remove Docker volumes.');
+    if (args.purge) {
+      const dirs = [resolveConfigHome(), resolveDataHome(), resolveStateHome()];
+      for (const dir of dirs) {
+        console.log(`Removing ${dir}`);
+        rmSync(dir, { recursive: true, force: true });
+      }
+      console.log('OpenPalm stack and all data removed.');
+    } else {
+      console.log('OpenPalm stack stopped and removed.');
+      if (!args.volumes) {
+        console.log('Config and data directories are preserved. Use --purge to remove everything.');
+      }
     }
   },
 });

package/src/commands/update.ts

@@ -1,5 +1,4 @@
 import { defineCommand } from 'citty';
-import { tryAdminRequest } from '../lib/admin.ts';
 import { runDockerCompose } from '../lib/docker.ts';
 import { ensureStagedState, fullComposeArgs, buildManagedServiceNames } from '../lib/staging.ts';
 
@@ -9,14 +8,6 @@ export default defineCommand({
     description: 'Pull latest images and recreate containers',
   },
   async run() {
-    // Try admin delegation first
-    const adminResult = await tryAdminRequest('/admin/containers/pull', { method: 'POST' });
-    if (adminResult !== null) {
-      console.log(JSON.stringify(adminResult, null, 2));
-      return;
-    }
-
-    // Direct compose: pull + recreate
     const state = await ensureStagedState();
     const composeArgs = fullComposeArgs(state);
     const managedServices = buildManagedServiceNames(state);

package/src/lib/docker.ts

@@ -27,6 +27,23 @@ export async function ensureDirectoryTree(
   }
 }
 
+/**
+ * Fetches a URL with retries and exponential backoff. Only retries on 5xx or network errors.
+ */
+async function fetchWithRetry(url: string, retries = 3): Promise<Response> {
+  for (let i = 0; i < retries; i++) {
+    try {
+      const res = await fetch(url, { signal: AbortSignal.timeout(30000) });
+      if (res.ok || res.status < 500) return res;
+      if (i < retries - 1) await Bun.sleep(200 * 2 ** i);
+    } catch (err) {
+      if (i === retries - 1) throw err;
+      await Bun.sleep(200 * 2 ** i);
+    }
+  }
+  throw new Error(`Failed to fetch ${url} after ${retries} attempts`);
+}
+
 /**
  * Downloads an asset from a GitHub release, falling back to raw.githubusercontent.com.
  */
@@ -34,15 +51,15 @@ export async function fetchAsset(repoRef: string, filename: string): Promise<str
   const releaseUrl = `https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/download/${repoRef}/${filename}`;
   const rawUrl = `https://raw.githubusercontent.com/${REPO_OWNER}/${REPO_NAME}/${repoRef}/assets/${filename}`;
 
-  const releaseResponse = await fetch(releaseUrl, { signal: AbortSignal.timeout(30000) });
-  if (releaseResponse.ok) {
-    return await releaseResponse.text();
+  try {
+    const releaseResponse = await fetchWithRetry(releaseUrl);
+    if (releaseResponse.ok) return await releaseResponse.text();
+  } catch {
+    // Fall through to raw URL
   }
 
-  const rawResponse = await fetch(rawUrl, { signal: AbortSignal.timeout(30000) });
-  if (rawResponse.ok) {
-    return await rawResponse.text();
-  }
+  const rawResponse = await fetchWithRetry(rawUrl);
+  if (rawResponse.ok) return await rawResponse.text();
 
   throw new Error(`Failed to download ${filename} from ${repoRef}`);
 }
@@ -90,6 +107,7 @@ export async function runDockerComposeCapture(args: string[]): Promise<string> {
  * Opens a URL in the user's default browser. Best-effort, never throws.
  */
 export async function openBrowser(url: string): Promise<void> {
+  console.log(`Opening ${url} in your browser...`);
   const platform = process.platform;
   try {
     if (platform === 'darwin') {

package/src/lib/env.ts

@@ -1,62 +1,7 @@
-import { basename, dirname, join } from 'node:path';
-import { defaultConfigHome, defaultDockerSock } from './paths.ts';
-
-const EXPORT_ENV_PREFIX = 'export ';
-
-/**
- * Loads the admin token from environment variables or secrets.env file.
- * Checks OPENPALM_ADMIN_TOKEN first, then ADMIN_TOKEN (legacy), then reads from
- * CONFIG_HOME/secrets.env. Returns empty string if no token is found.
- */
-export async function loadAdminToken(): Promise<string> {
-  if (process.env.OPENPALM_ADMIN_TOKEN) {
-    return process.env.OPENPALM_ADMIN_TOKEN;
-  }
-
-  if (process.env.ADMIN_TOKEN) {
-    return process.env.ADMIN_TOKEN;
-  }
-
-  const configHome = defaultConfigHome();
-  const secretsPaths = [join(configHome, 'secrets.env')];
-  if (basename(configHome) === 'openpalm') {
-    secretsPaths.push(join(dirname(configHome), 'secrets.env'));
-  }
-
-  for (const secretsPath of secretsPaths) {
-    const token = await readTokenFromFile(secretsPath, 'OPENPALM_ADMIN_TOKEN');
-    if (token) return token;
-    const legacyToken = await readTokenFromFile(secretsPath, 'ADMIN_TOKEN');
-    if (legacyToken) return legacyToken;
-  }
-
-  return '';
-}
-
-/**
- * Reads a specific key from an env file. Handles `export` prefix and quoted values.
- */
-async function readTokenFromFile(secretsPath: string, key: string): Promise<string | null> {
-  try {
-    const text = await Bun.file(secretsPath).text();
-    for (const rawLine of text.split('\n')) {
-      const line = rawLine.trim();
-      if (!line || line.startsWith('#')) continue;
-      const lineWithoutExportPrefix = line.startsWith(EXPORT_ENV_PREFIX)
-        ? line.slice(EXPORT_ENV_PREFIX.length).trimStart()
-        : line;
-      const [lineKey, ...rest] = lineWithoutExportPrefix.split('=');
-      if (lineKey !== key) continue;
-      const value = unwrapQuotedEnvValue(rest.join('=').trim());
-      if (!value) return null;
-      return value;
-    }
-  } catch {
-    // Best effort only.
-  }
-
-  return null;
-}
+import { join, dirname } from 'node:path';
+import { randomBytes } from 'node:crypto';
+import { mkdirSync } from 'node:fs';
+import { defaultDockerSock } from './paths.ts';
 
 export function unwrapQuotedEnvValue(value: string): string {
   const isDoubleQuoted = value.startsWith('"') && value.endsWith('"');
@@ -143,6 +88,7 @@ export OPENAI_BASE_URL=
 
 # Memory
 export MEMORY_USER_ID=${userId}
+export MEMORY_AUTH_TOKEN=${randomBytes(32).toString('hex')}
 `;
 
   await Bun.write(secretsPath, content);
@@ -189,6 +135,7 @@ OPENPALM_IMAGE_TAG=${defaultImageTag}
       await Bun.write(dataStackEnv, reconciled);
     }
   }
+  mkdirSync(dirname(stagedStackEnv), { recursive: true });
   await Bun.write(stagedStackEnv, Bun.file(dataStackEnv));
 
   const stateSecrets = join(stateHome, 'artifacts', 'secrets.env');

package/src/lib/paths.ts

@@ -1,6 +1,7 @@
 /**
  * Path resolution — re-exports from @openpalm/lib with CLI-specific additions.
  */
+import { existsSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 import {
@@ -19,7 +20,16 @@ export { resolveStateHome as defaultStateHome };
 // CLI-specific paths (not in lib)
 export function defaultDockerSock(): string {
   if (process.env.OPENPALM_DOCKER_SOCK) return process.env.OPENPALM_DOCKER_SOCK;
-  return IS_WINDOWS ? '//./pipe/docker_engine' : '/var/run/docker.sock';
+  if (IS_WINDOWS) return '//./pipe/docker_engine';
+
+  const home = homedir();
+  const candidates = [
+    '/var/run/docker.sock',
+    join(home, '.orbstack/run/docker.sock'),
+    join(home, '.colima/default/docker.sock'),
+    join(home, '.rd/docker.sock'),
+  ];
+  return candidates.find((p) => existsSync(p)) ?? candidates[0];
 }
 
 export function defaultWorkDir(): string {

package/src/lib/staging.ts

@@ -22,9 +22,9 @@ import { defaultDataHome } from './paths.ts';
 /**
  * Ensure all artifacts are staged from CONFIG_HOME/DATA_HOME to STATE_HOME.
  *
- * This is the CLI-side equivalent of the admin's staging pipeline.
- * It uses FilesystemAssetProvider (reads core assets from DATA_HOME,
- * persisted by the install command) rather than Vite bundle imports.
+ * Uses FilesystemAssetProvider (reads core assets from DATA_HOME,
+ * persisted by the install command) to assemble compose files, env
+ * files, and Caddyfile into STATE_HOME/artifacts for Docker Compose.
  *
  * Returns a ControlPlaneState usable with fullComposeArgs().
  */

package/src/main.test.ts

@@ -57,92 +57,57 @@ describe('cli main', () => {
     process.env.OPENPALM_ADMIN_TOKEN = originalOpenPalmAdminToken;
   });
 
-  it('calls containers pull for update (via admin when reachable)', async () => {
-    const calls: string[] = [];
-    process.env.OPENPALM_ADMIN_TOKEN = 'test-token';
-    globalThis.fetch = mock(async (input: string | URL) => {
-      calls.push(String(input));
-      return new Response('{"ok":true}', { status: 200 });
-    }) as typeof fetch;
-    console.log = mock(() => {}) as typeof console.log;
-
-    await main(['update']);
-
-    // tryAdminRequest attempts directly — no separate health check
-    expect(calls).toEqual([
-      'http://localhost:8100/admin/containers/pull',
-    ]);
-  });
-
-  it('uses ADMIN_TOKEN from the environment for admin requests', async () => {
-    const adminTokens: string[] = [];
-    process.env.ADMIN_TOKEN = 'env-admin-token';
-    delete process.env.OPENPALM_ADMIN_TOKEN;
-
-    globalThis.fetch = mock(async (_input: string | URL, init?: RequestInit) => {
-      const headers = new Headers(init?.headers);
-      adminTokens.push(headers.get('X-Admin-Token') ?? '');
-      return new Response('{"ok":true}', { status: 200 });
-    }) as typeof fetch;
-    console.log = mock(() => {}) as typeof console.log;
-
-    await main(['update']);
-
-    // Direct request — single call with token header
-    expect(adminTokens).toEqual(['env-admin-token']);
-  });
-
-  it('falls back to the legacy parent secrets.env for admin requests', async () => {
-    const base = mkdtempSync(join(tmpdir(), 'openpalm-config-'));
-    const configHome = join(base, 'openpalm');
-    const adminTokens: string[] = [];
+  it('runs bootstrap install directly without admin delegation', async () => {
+    const base = mkdtempSync(join(tmpdir(), 'openpalm-install-'));
+    const configHome = join(base, 'config');
+    const dataHome = join(base, 'data');
+    const stateHome = join(base, 'state');
+    const workDir = join(base, 'work');
+    const binDir = join(stateHome, 'bin');
 
-    mkdirSync(configHome, { recursive: true });
-    writeFileSync(join(configHome, 'secrets.env'), 'OPENPALM_ADMIN_TOKEN=\nADMIN_TOKEN=\n');
-    writeFileSync(join(base, 'secrets.env'), 'export ADMIN_TOKEN="legacy-admin-token"\n');
+    mkdirSync(binDir, { recursive: true });
+    writeFileSync(join(binDir, 'varlock'), '#!/bin/sh\nexit 0\n');
+    chmodSync(join(binDir, 'varlock'), 0o755);
 
     process.env.OPENPALM_CONFIG_HOME = configHome;
+    process.env.OPENPALM_DATA_HOME = dataHome;
+    process.env.OPENPALM_STATE_HOME = stateHome;
+    process.env.OPENPALM_WORK_DIR = workDir;
     delete process.env.ADMIN_TOKEN;
     delete process.env.OPENPALM_ADMIN_TOKEN;
 
-    globalThis.fetch = mock(async (_input: string | URL, init?: RequestInit) => {
-      const headers = new Headers(init?.headers);
-      adminTokens.push(headers.get('X-Admin-Token') ?? '');
-      return new Response('{"ok":true}', { status: 200 });
-    }) as typeof fetch;
-    console.log = mock(() => {}) as typeof console.log;
-
-    try {
-      await main(['update']);
-      // Direct request — single call with legacy token
-      expect(adminTokens).toEqual(['legacy-admin-token']);
-    } finally {
-      rmSync(base, { recursive: true, force: true });
-    }
-  });
-
-  it('calls admin install when stack is already running and token exists', async () => {
-    const calls: string[] = [];
-    process.env.OPENPALM_ADMIN_TOKEN = 'test-token';
+    mockDockerCli();
+    const fetchedUrls: string[] = [];
     globalThis.fetch = mock(async (input: string | URL) => {
       const url = String(input);
-      calls.push(url);
+      fetchedUrls.push(url);
       if (url.endsWith('/health')) {
         return new Response('ok', { status: 200 });
       }
-      return new Response('{\"ok\":true}', { status: 200 });
+      if (url.includes('/docker-compose.yml')) {
+        return new Response('services: {}\n', { status: 200 });
+      }
+      if (url.includes('/Caddyfile')) {
+        return new Response(':80 {\n}\n', { status: 200 });
+      }
+      if (url.includes('/secrets.env.schema') || url.includes('/stack.env.schema')) {
+        return new Response('KEY=string\n', { status: 200 });
+      }
+      return new Response('', { status: 503 });
     }) as typeof fetch;
     console.log = mock(() => {}) as typeof console.log;
+    console.warn = mock(() => {}) as typeof console.warn;
 
-    await main(['install']);
-
-    expect(calls).toEqual([
-      'http://localhost:8100/health',
-      'http://localhost:8100/admin/install',
-    ]);
+    try {
+      await main(['install', '--no-start', '--force', '--no-open']);
+      // Bootstrap runs directly, creating directories
+      expect(existsSync(join(dataHome, 'admin'))).toBe(true);
+    } finally {
+      rmSync(base, { recursive: true, force: true });
+    }
   });
 
-  it('falls back to bootstrap when stack is running but no token exists', async () => {
+  it('creates the admin data directory during bootstrap install', async () => {
     const base = mkdtempSync(join(tmpdir(), 'openpalm-install-'));
     const configHome = join(base, 'config');
     const dataHome = join(base, 'data');
@@ -158,16 +123,12 @@ describe('cli main', () => {
     process.env.OPENPALM_DATA_HOME = dataHome;
     process.env.OPENPALM_STATE_HOME = stateHome;
     process.env.OPENPALM_WORK_DIR = workDir;
-    delete process.env.ADMIN_TOKEN;
-    delete process.env.OPENPALM_ADMIN_TOKEN;
 
     mockDockerCli();
-    const fetchedUrls: string[] = [];
     globalThis.fetch = mock(async (input: string | URL) => {
       const url = String(input);
-      fetchedUrls.push(url);
       if (url.endsWith('/health')) {
-        return new Response('ok', { status: 200 });
+        throw new TypeError('fetch failed');
       }
       if (url.includes('/docker-compose.yml')) {
         return new Response('services: {}\n', { status: 200 });
@@ -181,24 +142,23 @@ describe('cli main', () => {
       return new Response('', { status: 503 });
     }) as typeof fetch;
     console.log = mock(() => {}) as typeof console.log;
-    console.warn = mock(() => {}) as typeof console.warn;
 
     try {
       await main(['install', '--no-start', '--force', '--no-open']);
-      // Should have fallen through to bootstrap, creating directories
       expect(existsSync(join(dataHome, 'admin'))).toBe(true);
     } finally {
       rmSync(base, { recursive: true, force: true });
     }
   });
 
-  it('creates the admin data directory during bootstrap install', async () => {
+  it('uses main as the default install ref for bootstrap asset downloads', async () => {
     const base = mkdtempSync(join(tmpdir(), 'openpalm-install-'));
     const configHome = join(base, 'config');
     const dataHome = join(base, 'data');
     const stateHome = join(base, 'state');
     const workDir = join(base, 'work');
     const binDir = join(stateHome, 'bin');
+    const fetchedUrls: string[] = [];
 
     mkdirSync(binDir, { recursive: true });
     writeFileSync(join(binDir, 'varlock'), '#!/bin/sh\nexit 0\n');
@@ -212,25 +172,33 @@ describe('cli main', () => {
     mockDockerCli();
     globalThis.fetch = mock(async (input: string | URL) => {
       const url = String(input);
+      fetchedUrls.push(url);
       if (url.endsWith('/health')) {
         throw new TypeError('fetch failed');
       }
-      if (url.includes('/docker-compose.yml')) {
+      if (url.includes('/main/assets/docker-compose.yml')) {
         return new Response('services: {}\n', { status: 200 });
       }
-      if (url.includes('/Caddyfile')) {
+      if (url.includes('/main/assets/Caddyfile')) {
         return new Response(':80 {\n}\n', { status: 200 });
       }
-      if (url.includes('/secrets.env.schema') || url.includes('/stack.env.schema')) {
+      if (url.includes('/main/assets/secrets.env.schema') || url.includes('/main/assets/stack.env.schema')) {
         return new Response('KEY=string\n', { status: 200 });
       }
       return new Response('', { status: 503 });
     }) as typeof fetch;
     console.log = mock(() => {}) as typeof console.log;
+    console.warn = mock(() => {}) as typeof console.warn;
 
     try {
       await main(['install', '--no-start', '--force', '--no-open']);
-      expect(existsSync(join(dataHome, 'admin'))).toBe(true);
+
+      expect(fetchedUrls).toContain(
+        'https://raw.githubusercontent.com/itlackey/openpalm/main/assets/docker-compose.yml',
+      );
+      expect(fetchedUrls).toContain(
+        'https://raw.githubusercontent.com/itlackey/openpalm/main/assets/Caddyfile',
+      );
     } finally {
       rmSync(base, { recursive: true, force: true });
     }