Release/0.11.0

.dockerignore

@@ -5,9 +5,6 @@ node_modules
 .opencode
 .state
 # core/ layout (post-refactor)
-core/admin/node_modules
-core/admin/.svelte-kit
-core/admin/build
 core/guardian/node_modules
 # channels
 channels/chat/node_modules
@@ -23,12 +20,15 @@ admin/.svelte-kit
 admin/build
 docs/
 *.md
+!AGENTS.md
 !core/**/*.md
 !packages/**/*.md
 !.openpalm/**/*.md
-# Vault secrets — never send to Docker build context
-.openpalm/vault/**/stack.env
-.openpalm/vault/**/guardian.env
-.openpalm/vault/**/user.env
+# Secrets — never send to Docker build context
+# Stack/channel secrets (OP_HOME/config/stack/)
+.openpalm/config/stack/*.env
+# User secrets (OP_HOME/knowledge/vaults/)
+.openpalm/knowledge/vaults/user.env
+# Auth tokens
 .openpalm/vault/**/auth.json
 .openpalm/vault/**/managed.env

.github/CONTRIBUTING.md

@@ -19,35 +19,34 @@ Repo layout convention:
 ```bash
 ./scripts/dev-setup.sh --seed-env
 
-cd packages/admin
-bun install
-bun run dev
+cd packages/ui
+npm install
+npm run dev
 ```
 
 Admin UI + API runs on `http://localhost:8100`.
 
 From the repo root, convenience scripts are available:
 
 ```bash
-bun run admin:dev        # packages/admin dev server
-bun run admin:check      # svelte-check + TypeScript
+bun run ui:dev     # packages/ui dev server
+bun run ui:check   # svelte-check + TypeScript
 bun run guardian:dev     # core/guardian server
 bun run guardian:test    # guardian tests
 bun run sdk:test         # packages/channels-sdk tests
 bun run cli:test         # packages/cli tests
-bun run channel:chat:dev    # chat channel dev server
-bun run channel:api:dev     # api channel dev server
+bun run channel:api:dev     # api channel dev server (also serves the chat addon when CHANNEL_ID=chat)
 bun run channel:discord:dev # discord channel dev server
 bun run dev:setup        # seed .dev/ dirs and configs
 bun run dev:stack        # start dev stack (pull images)
 bun run dev:build        # start dev stack (build from source)
-bun run test             # all non-admin tests (sdk, guardian, channels, cli)
-bun run check            # admin:check + sdk:test
+bun run test             # all non-UI tests (sdk, guardian, channels, cli)
+bun run check            # ui:check + sdk:test
 ```
 
 `dev:stack` pulls pre-built images from the configured container registries — use it for quick starts and testing admin apply flows. `dev:build` compiles all images from local source using `compose.dev.yml` — use it when developing services or testing Dockerfile changes.
 
-`dev-setup.sh --seed-env` seeds `.dev/vault/user/user.env` and `.dev/vault/stack/stack.env` and sets the `OP_*_HOME` variables to absolute `.dev/` paths. The UI dev server picks these up automatically — no additional environment setup needed.
+`dev-setup.sh --seed-env` seeds `.dev/knowledge/vaults/user.env` and `.dev/config/stack/stack.env` and sets the `OP_*_HOME` variables to absolute `.dev/` paths. The UI dev server picks these up automatically — no additional environment setup needed.
 
 ## 1. Clone and bootstrap
 
@@ -60,18 +59,18 @@ bun run dev:setup      # Creates .dev/ dirs, seeds vault env files
 
 `dev:setup` runs [`scripts/dev-setup.sh --seed-env`](../scripts/dev-setup.sh), which:
 
-- Creates the `.dev/config`, `.dev/vault`, `.dev/data`, and `.dev/logs` directories
-- Seeds `.dev/vault/user/user.env` and `.dev/vault/stack/stack.env` with dev-safe defaults
+- Creates the `.dev/config`, `.dev/knowledge`, `.dev/state`, and `.dev/logs` directories
+- Seeds `.dev/knowledge/vaults/user.env` and `.dev/config/stack/stack.env` with dev-safe defaults
 
-After setup, edit `.dev/vault/user/user.env` to add your LLM provider keys.
+After setup, edit `.dev/knowledge/vaults/user.env` to add your LLM provider keys.
 
-## 2. Run the admin UI (no Docker needed)
+## 2. Run the UI (no Docker needed)
 
 ```bash
-cd packages/admin && npm install && npm run dev
+cd packages/ui && npm install && npm run dev
 ```
 
-Admin UI + API starts on `http://localhost:8100`. The dev server reads `.env` (copy from [`.env.example`](../packages/admin/.env.example)) and the seeded `.dev/` paths automatically.
+UI + API starts on `http://localhost:8100`. The dev server reads `.env` and the seeded `.dev/` paths automatically.
 
 ## 3. Start the full stack
 
@@ -82,15 +81,15 @@ Two options depending on what you're working on:
 | `bun run dev:stack` | Pulls pre-built images from the configured container registries. Fast start for testing admin workflows. |
 | `bun run dev:build` | Builds all images from local source via [`compose.dev.yml`](../compose.dev.yml). Use when developing services or testing Dockerfile changes. |
 
-Both scripts read env files from `.dev/vault/`.
+Both scripts read env files from `.dev/config/stack/` and `.dev/knowledge/vaults/`.
 
 ## 4. Run tests and checks
 
 ```bash
-# Type check the admin UI
-bun run admin:check
+# Type check the UI
+bun run ui:check
 
-# Non-admin tests (sdk, guardian, channels, cli)
+# Non-UI tests (sdk, guardian, channels, cli)
 bun run test
 
 # Both of the above
@@ -100,20 +99,19 @@ bun run check
 bun run guardian:test        # Guardian security tests
 bun run sdk:test             # Channels SDK unit tests
 bun run cli:test             # CLI tests
-bun run admin:test:unit      # Admin Vitest (unit + browser components)
-bun run admin:test:e2e       # Admin Playwright integration tests (no-skip enforced locally)
-bun run admin:test:e2e:mocked # Admin Playwright mocked browser contract tests
+bun run ui:test:unit      # UI Vitest (unit + browser components)
+bun run ui:test:e2e       # UI Playwright integration tests (no-skip enforced locally)
+bun run ui:test:e2e:mocked # UI Playwright mocked browser contract tests
 ```
 
-> Admin uses Vitest and Playwright, not Bun's test runner. Use `bun run test` (not bare `bun test`) from the repo root — the script filters to non-admin directories.
+> UI uses Vitest and Playwright, not Bun's test runner. Use `bun run test` (not bare `bun test`) from the repo root — the script filters to non-UI directories.
 
 ## 5. Run individual services
 
 ```bash
-bun run admin:dev            # Admin SvelteKit dev server (:8100)
+bun run ui:dev         # UI SvelteKit dev server (:8100)
 bun run guardian:dev         # Guardian Bun server
-bun run channel:chat:dev     # Chat channel
-bun run channel:api:dev      # API channel
+bun run channel:api:dev      # API channel (CHANNEL_ID=chat reuses this image to serve the chat addon)
 bun run channel:discord:dev  # Discord channel
 ```
 
@@ -123,25 +121,24 @@ All scripts are defined in the root [`package.json`](../package.json):
 
 | Script | Description |
 |--------|-------------|
-| `bun run admin:dev` | Admin dev server (packages/admin) |
-| `bun run admin:build` | Admin production build |
-| `bun run admin:check` | svelte-check + TypeScript |
-| `bun run admin:test` | Vitest + Playwright (requires build) |
-| `bun run admin:test:unit` | Vitest only (CI-friendly) |
-| `bun run admin:test:e2e` | Playwright integration only (no browser route mocks) |
-| `bun run admin:test:e2e:mocked` | Playwright mocked browser contracts |
+| `bun run ui:dev` | UI dev server (packages/ui) |
+| `bun run ui:build` | UI production build |
+| `bun run ui:check` | svelte-check + TypeScript |
+| `bun run ui:test` | Vitest + Playwright (requires build) |
+| `bun run ui:test:unit` | Vitest only (CI-friendly) |
+| `bun run ui:test:e2e` | Playwright integration only (no browser route mocks) |
+| `bun run ui:test:e2e:mocked` | Playwright mocked browser contracts |
 | `bun run guardian:dev` | Guardian server |
 | `bun run guardian:test` | Guardian tests |
 | `bun run sdk:test` | Channels SDK tests |
-| `bun run channel:chat:dev` | Chat channel dev server |
-| `bun run channel:api:dev` | API channel dev server |
+| `bun run channel:api:dev` | API channel dev server (also serves chat addon via `CHANNEL_ID=chat`) |
 | `bun run channel:discord:dev` | Discord channel dev server |
 | `bun run cli:test` | CLI tests |
 | `bun run dev:setup` | Seed `.dev/` dirs and configs |
 | `bun run dev:stack` | Start dev stack (pull images) |
 | `bun run dev:build` | Start dev stack (build from source) |
-| `bun run test` | All non-admin tests |
-| `bun run check` | admin:check + sdk:test |
+| `bun run test` | All non-UI tests |
+| `bun run check` | ui:check + sdk:test |
 
 ## Dev directory layout
 
@@ -150,8 +147,8 @@ Dev mode mirrors the production [filesystem contract](../docs/technical/foundati
 ```
 .dev/
 ├── config/          # User-editable, non-secret configuration
-├── vault/           # Secrets: vault/user/user.env, vault/stack/stack.env
-├── data/            # Service-managed persistent data
+├── knowledge/           # AKM knowledge (skills, vaults, agents)
+├── state/           # Service-managed persistent data
 └── logs/            # Consolidated audit/debug output
 ```
 
@@ -167,23 +164,22 @@ See [docs/technical/foundations.md](../docs/technical/foundations.md) for the fu
    bun run guardian:test            # Guardian security tests
    ```
 
-3. **Docker builds** must follow the patterns in [docs/technical/docker-dependency-resolution.md](../docs/technical/docker-dependency-resolution.md) (no Bun in admin Docker, no symlink-based node_modules).
+3. **Docker builds** — Guardian and channel Dockerfiles must install `packages/channels-sdk` deps with `bun install --production` after copying sdk source (no symlink-based node_modules). UI is a host binary — no Docker build. The assistant **and guardian** images ship the OpenCode binary; keep `OPENCODE_VERSION` in lockstep between `core/assistant/Dockerfile` and `core/guardian/Dockerfile`.
 4. **No secrets** in client bundles or logs.
 5. **No new dependencies** that duplicate a built-in Bun or platform capability.
 
 ## npm Package Releases
 
-OpenPalm publishes npm packages on an independent release cycle from Docker images and the platform. Each publishable package (`packages/channels-sdk`, `packages/assistant-tools`, `packages/channel-*`) has its own GitHub Actions workflow that publishes to npm when its version field changes on `main`. Platform packages (`packages/admin`, `core/guardian`, `packages/cli`) share a coordinated version managed by `scripts/release.sh`.
+OpenPalm publishes npm packages on an independent release cycle from Docker images and the platform. Each publishable package (`packages/channels-sdk`, `packages/assistant-tools`, `packages/channel-*`) has its own GitHub Actions workflow that publishes to npm when its version field changes on `main`. Platform packages (`packages/ui`, `core/guardian`, `packages/cli`) share a coordinated version managed by `scripts/release.sh`.
 
 ## Key docs for contributors
 
 | Document | What you'll find |
 |----------|-----------------|
 | [docs/technical/core-principles.md](../docs/technical/core-principles.md) | **Must-read.** Security invariants, filesystem contract, architectural rules |
 | [docs/technical/code-quality-principles.md](../docs/technical/code-quality-principles.md) | TypeScript strictness, module design, error handling |
-| [docs/technical/docker-dependency-resolution.md](../docs/technical/docker-dependency-resolution.md) | **Mandatory.** How Docker builds resolve deps across the monorepo |
-| [docs/technical/api-spec.md](../docs/technical/api-spec.md) | Admin API endpoint contract |
+| [docs/technical/api-spec.md](../docs/technical/api-spec.md) | API endpoint contract |
 | [docs/technical/bunjs-rules.md](../docs/technical/bunjs-rules.md) | Bun-specific patterns (guardian, channels, SDK) |
-| [docs/technical/sveltekit-rules.md](../docs/technical/sveltekit-rules.md) | SvelteKit patterns (admin UI) |
+| [docs/technical/sveltekit-rules.md](../docs/technical/sveltekit-rules.md) | SvelteKit patterns (UI) |
 | [docs/community-channels.md](../docs/community-channels.md) | BaseChannel SDK for building custom channel adapters |
 | [docs/technical/environment-and-mounts.md](../docs/technical/environment-and-mounts.md) | All environment variables and volume mounts |

.github/SECURITY.md

@@ -26,8 +26,8 @@ We follow coordinated disclosure — we'll work with you on timing before any de
 
 | Version | Supported |
 |---------|-----------|
-| 0.9.x (current RC) | ✅ Active development |
-| < 0.9.0 | ❌ No backports |
+| 0.11.x (current) | ✅ Active development |
+| < 0.11.0 | ❌ No backports |
 
 Once v1.0.0 ships, this table will be updated with a formal support window.
 
@@ -37,11 +37,11 @@ OpenPalm uses defense-in-depth with multiple independent layers. For the full br
 
 Key boundaries:
 
-- **Network isolation** — Caddy reverse proxy restricts admin access to LAN by default; all inter-service traffic stays on private Docker networks.
+- **Network isolation** — Admin and assistant services bind to localhost by default; all inter-service traffic stays on private Docker networks.
 - **Signed messages** — Every channel message is HMAC-SHA256 signed and verified by the guardian before reaching the assistant.
 - **Rate limiting** — Per-user (120 req/min) and per-channel (200 req/min) throttling with replay detection.
 - **Assistant isolation** — The assistant container has no Docker socket access. All stack operations go through the authenticated admin API.
-- **Docker socket proxy** — Only the admin container communicates with Docker, and only through a filtered socket proxy (Tecnativa) — never a direct socket mount.
+- **Host-only admin** — The admin process runs on the host and accesses Docker directly; containers cannot reach it via the network.
 - **Secret protection** — Secrets are never stored in memory. The admin token is required for all non-health API endpoints after setup completes.
 
 ## Scope

.github/release-package-groups.json

@@ -2,17 +2,16 @@
   "platformManifests": [
     "package.json",
     "packages/lib/package.json",
-    "packages/admin/package.json",
+    "packages/ui/package.json",
     "core/guardian/package.json",
     "packages/cli/package.json",
-    "packages/channels-sdk/package.json"
+    "packages/channels-sdk/package.json",
+    "packages/electron/package.json",
+    "packages/electron/admin-tools/package.json"
   ],
   "independentNpmPackages": [
     "packages/channel-api",
     "packages/channel-discord",
-    "packages/channel-slack",
-    "packages/channel-voice",
-    "packages/assistant-tools",
-    "packages/admin-tools"
+    "packages/channel-slack"
   ]
 }

.github/roadmap/0.10.0/fs-layout.md

@@ -19,11 +19,11 @@
         - memory - mounts to memory container data directory
         - ... - each container can have its own subdirectory(ies) for specific data storage needs
         - stash - mounts to assistant ~/.akm
-        - workspace - mounts to assistant,admin /work directory
+        - workspace - mounts to assistant/admin workspace directory
     - logs
         - various log files for assistant, admin, scheduler and memory containers
     - backups - used for the rollback and long term backups
 
 $HOME/.cache/openpalm
     - assets - core assets from report
-    - registry - mounts to assistant,admin /cache/registry
+    - registry - mounts to assistant,admin /cache/registry

.github/roadmap/0.10.0/fs-mounts-refactor.md

@@ -131,10 +131,10 @@ $HOME/.openpalm/                             Root of all OpenPalm state
 │   ├── assistant/                           Mounts to assistant at $HOME/.opencode
 │   ├── admin/                               Mounts to admin at $HOME/.node (or similar)
 │   ├── memory/                              Mounts to memory at /data
-│   ├── guardian/                            Mounts to guardian at /app/data
+│   ├── guardian/                            Mounts to guardian at /opt/openpalm/guardian
 │   ├── caddy/                               Caddy TLS certs, runtime config, Caddyfile
 │   ├── stash/                               Mounts to assistant at ~/.akm
-│   └── workspace/                           Mounts to assistant, admin at /work
+│   └── workspace/                           Mounts to assistant at /work
 │
 └── logs/                                    Audit and debug logs
     ├── guardian-audit.log
@@ -419,12 +419,12 @@ All host paths are relative to `~/.openpalm/` unless noted.
 | Host Path | Container Path | Mode | Purpose |
 |-----------|---------------|------|---------|
 | `config/` | `/etc/openpalm` | ro | Non-secret stack config, extensions |
-| `config/assistant/` | `/home/opencode/.config/opencode` | rw | User OpenCode extensions |
+| `config/assistant/` | `/etc/opencode` | rw | User OpenCode extensions |
 | `vault/user.env` | `/etc/openpalm/user.env` | ro | Hot-reload LLM keys and provider config |
 | `data/assistant/` | `/home/opencode/.opencode` | rw | OpenCode data + system config |
 | `data/stash/` | `/home/opencode/.akm` | rw | AKM shared stash |
 | `data/workspace/` | `/work` | rw | Working directory |
-| `logs/opencode/` | `/home/opencode/.local/state/opencode` | rw | OpenCode state/logs |
+| `state/assistant/` | `/home/opencode` | rw | OpenCode home/state/logs |
 | `~/.cache/openpalm/registry/` | `/cache/registry` | rw | Cached registry index |
 
 **Admin:**
@@ -441,8 +441,8 @@ All host paths are relative to `~/.openpalm/` unless noted.
 
 | Host Path | Container Path | Mode | Purpose |
 |-----------|---------------|------|---------|
-| `data/guardian/` | `/app/data` | rw | Guardian runtime data |
-| `logs/` | `/app/audit` | rw | Audit log output |
+| `data/guardian/` | `/opt/openpalm/guardian` | rw | Guardian runtime data |
+| `state/logs/` | `/opt/openpalm/logs` | rw | Audit log output |
 
 **Memory:**
 

.github/roadmap/0.10.0/knowledge-system-roadmap.md

@@ -1,5 +1,7 @@
 # OpenPalm 0.10.0 — Knowledge System Roadmap (Revised)
 
+> **Superseded by [#382](https://github.com/itlackey/openpalm/issues/382):** The OpenViking-based knowledge system has been cancelled. Knowledge browsing is now covered by `akm wiki` + `akm search --type knowledge` once the AKM migration lands. This document is preserved for historical context only; do not implement anything described here.
+
 > **Scope Update (2026-03-18):** Agent review consensus (3/5 agents) narrowed the 0.10.0 scope to **Priority 1 only** (Phases 1A-1D: OpenViking as addon + assistant tools). Priorities 2-4 (MCP server, eval framework, MemRL feedback loop) are deferred to 0.11.0 and are included below only as "deferred" context. See `../0.11.0/knowledge-system.md` for the deferred work.
 >
 > **Filesystem context:** This plan uses the `~/.openpalm/` single-root layout defined in [fs-mounts-refactor.md](fs-mounts-refactor.md). The old three-tier XDG references (`DATA_HOME`, `CONFIG_HOME`, `STATE_HOME`) are replaced by subdirectories under `~/.openpalm/`.

.github/roadmap/0.10.0/plans/issue-298-openviking-integration.md

@@ -1,5 +1,7 @@
 # Issue #298 - Add OpenViking integration
 
+> **Superseded by [#382](https://github.com/itlackey/openpalm/issues/382):** The OpenViking integration has been cancelled. Knowledge browsing is now covered by `akm wiki` + `akm search --type knowledge` once the AKM migration lands. This plan is preserved for historical context only; do not implement anything described here.
+
 ## Scope
 
 - Deliver only roadmap Phases 1A-1D for 0.10.0: OpenViking as an optional component, assistant-side Viking tools, session-memory hooks, and token-budget utilities.

.github/roadmap/0.10.0/plans/issue-315-azure-container-apps.md

@@ -51,7 +51,7 @@ The following are intentionally out of scope for #315 and should not be smuggled
   - resource group;
   - ACA environment;
   - storage account;
-  - Azure Files shares for config/data/work;
+  - Azure Files shares for config/data/workspace;
   - Azure Container Registry dependency inputs or documented assumption that images are public/pre-pushed;
   - Key Vault;
   - user-assigned managed identity.