@arkhera30/cli 0.6.1 → 0.7.0

package/dist/index.js

@@ -596,7 +596,7 @@ Run '${runtime.name} compose logs <service>' from ~/Horus/ to investigate.`
 Run '${runtime.name} compose logs' from ~/Horus/ to investigate.`
       );
     }
-    await new Promise((resolve3) => setTimeout(resolve3, intervalMs));
+    await new Promise((resolve2) => setTimeout(resolve2, intervalMs));
   }
 }
 
@@ -934,11 +934,11 @@ function generateComposeFile(config, runtime) {
     ports:
       - "\${VAULT_ROUTER_PORT:-8050}:8400"
     environment:
-      - VAULT_ENDPOINTS=${vaultEndpoints}
-      - VAULT_DEFAULT=${defaultVaultName}
-    depends_on:
+${vaultEndpoints ? `      - VAULT_ENDPOINTS=${vaultEndpoints}
+` : ""}      - VAULT_DEFAULT=${defaultVaultName}
+${vaultRouterDependsOn ? `    depends_on:
 ${vaultRouterDependsOn}
-    networks:
+` : ""}    networks:
       - horus-net
     restart: unless-stopped
     deploy:
@@ -1026,6 +1026,335 @@ ${vaultRouterDependsOn}
   }
   return content;
 }
+function generateStandaloneComposeFile(options) {
+  const { config, ports, slotDataPath, slot, runtime, imageOverrides } = options;
+  const project = `horus-test-${slot}`;
+  const network = `${project}-net`;
+  const vaultEntries = Object.entries(config.vaults).sort(([a], [b]) => a.localeCompare(b));
+  const defaultVaultEntry = vaultEntries.find(([, v]) => v.default);
+  const defaultVaultName = defaultVaultEntry ? defaultVaultEntry[0] : vaultEntries[0]?.[0] ?? "default";
+  function img(service, fallback) {
+    return imageOverrides?.[service] ?? fallback;
+  }
+  const vaultServices = vaultEntries.map(([name], index) => {
+    const vault = config.vaults[name];
+    const githubHost = resolveGitHubHost(vault?.repo ?? "", config.github_hosts);
+    const token = githubHost?.token ?? "";
+    const apiHost = githubHost?.host ?? "github.com";
+    const vaultHostPort = index === 0 ? ports.vault_svc : ports.vault_svc + index;
+    const serviceImage = img(`vault-${name}`, "ghcr.io/arjunkhera/horus/vault:latest");
+    let block = `  vault-${name}:
+    image: ${serviceImage}
+    ports:
+      - "${vaultHostPort}:8000"
+    volumes:
+      - ${slotDataPath}/vaults/${name}:/data/knowledge-repo:rw
+      - ${project}-vault-${name}-workspace:/data/workspace
+    environment:
+      - HORUS_RUNTIME=${runtime ?? "docker"}
+      - KNOWLEDGE_REPO_PATH=/data/knowledge-repo
+      - WORKSPACE_PATH=/data/workspace
+      - VAULT_KNOWLEDGE_REPO_URL=${vault?.repo ?? ""}
+      - SYNC_INTERVAL=300
+      - VAULT_SYNC_INTERVAL=300
+      - LOG_LEVEL=info
+      - HOST=0.0.0.0
+      - PORT=8000
+      - GITHUB_TOKEN=${token}
+      - GITHUB_API_HOST=${apiHost}
+      - TYPESENSE_HOST=typesense
+      - TYPESENSE_PORT=8108
+      - TYPESENSE_API_KEY=horus-local-key
+      - NEO4J_URI=bolt://neo4j:7687
+      - NEO4J_USER=neo4j
+      - NEO4J_PASSWORD=horus-neo4j
+    depends_on:
+      typesense:
+        condition: service_healthy
+      neo4j:
+        condition: service_healthy
+    networks:
+      - ${network}
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+        reservations:
+          memory: 256m
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
+      interval: 30s
+      timeout: 10s
+      start_period: 60s
+      retries: 3`;
+    if (runtime === "podman") {
+      block = block.replace(/^(    image: .+)$/m, '$1\n    user: "0:0"');
+    }
+    return block;
+  });
+  const vaultRouterDependsOn = vaultEntries.map(([name]) => `      vault-${name}:
+        condition: service_healthy`).join("\n");
+  const vaultEndpoints = vaultEntries.map(([name]) => `${name}=http://vault-${name}:8000`).join(",");
+  const vaultRouterImage = img("vault-router", "ghcr.io/arjunkhera/horus/vault-router:latest");
+  let vaultRouterBlock = `  vault-router:
+    image: ${vaultRouterImage}
+    ports:
+      - "${ports.vault_router}:8400"
+    environment:
+${vaultEndpoints ? `      - VAULT_ENDPOINTS=${vaultEndpoints}
+` : ""}      - VAULT_DEFAULT=${defaultVaultName}
+      - LOG_LEVEL=info
+${vaultRouterDependsOn ? `    depends_on:
+${vaultRouterDependsOn}
+` : ""}    networks:
+      - ${network}
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 256m
+        reservations:
+          memory: 64m
+    healthcheck:
+      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8400/health')"]
+      interval: 30s
+      timeout: 10s
+      start_period: 30s
+      retries: 3`;
+  if (runtime === "podman") {
+    vaultRouterBlock = vaultRouterBlock.replace(/^(    image: .+)$/m, '$1\n    user: "0:0"');
+  }
+  const vaultMcpImage = img("vault-mcp", "ghcr.io/arjunkhera/horus/vault-mcp:latest");
+  let vaultMcpBlock = `  vault-mcp:
+    image: ${vaultMcpImage}
+    ports:
+      - "${ports.vault_mcp}:8300"
+    environment:
+      - VAULT_MCP_HTTP=true
+      - VAULT_MCP_PORT=8300
+      - VAULT_MCP_HOST=0.0.0.0
+      - KNOWLEDGE_SERVICE_URL=http://vault-router:8400
+    depends_on:
+      vault-router:
+        condition: service_healthy
+    networks:
+      - ${network}
+    restart: unless-stopped
+    stop_grace_period: 15s
+    deploy:
+      resources:
+        limits:
+          memory: 256m
+        reservations:
+          memory: 64m
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8300/health"]
+      interval: 30s
+      timeout: 5s
+      start_period: 30s
+      retries: 3`;
+  if (runtime === "podman") {
+    vaultMcpBlock = vaultMcpBlock.replace(/^(    image: .+)$/m, '$1\n    user: "0:0"');
+  }
+  const anvilImage = img("anvil", "ghcr.io/arjunkhera/horus/anvil:latest");
+  let anvilBlock = `  anvil:
+    image: ${anvilImage}
+    ports:
+      - "${ports.anvil}:8100"
+    volumes:
+      - ${slotDataPath}/notes:/data/notes:rw
+    environment:
+      - HORUS_RUNTIME=${runtime ?? "docker"}
+      - ANVIL_TRANSPORT=http
+      - ANVIL_PORT=8100
+      - ANVIL_HOST=0.0.0.0
+      - ANVIL_NOTES_PATH=/data/notes
+      - ANVIL_REPO_URL=
+      - ANVIL_SYNC_INTERVAL=300
+      - ANVIL_DEBOUNCE_SECONDS=5
+      - GITHUB_TOKEN=
+      - TYPESENSE_HOST=typesense
+      - TYPESENSE_PORT=8108
+      - TYPESENSE_API_KEY=horus-local-key
+      - NEO4J_URI=bolt://neo4j:7687
+      - NEO4J_USER=neo4j
+      - NEO4J_PASSWORD=horus-neo4j
+    depends_on:
+      typesense:
+        condition: service_healthy
+      neo4j:
+        condition: service_healthy
+    networks:
+      - ${network}
+    restart: unless-stopped
+    stop_grace_period: 15s
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+        reservations:
+          memory: 256m
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8100/health"]
+      interval: 30s
+      timeout: 5s
+      start_period: 60s
+      retries: 3`;
+  if (runtime === "podman") {
+    anvilBlock = anvilBlock.replace(/^(    image: .+)$/m, '$1\n    user: "0:0"');
+  }
+  const forgeImage = img("forge", "ghcr.io/arjunkhera/horus/forge:latest");
+  let forgeBlock = `  forge:
+    image: ${forgeImage}
+    ports:
+      - "${ports.forge}:8200"
+    volumes:
+      - ${slotDataPath}/config:/data/config:rw
+      - ${slotDataPath}/registry:/data/registry:rw
+      - ${slotDataPath}/workspaces:/data/workspaces:rw
+      - ${slotDataPath}/repos:/data/horus-repos:rw
+      - ${slotDataPath}/sessions:/data/sessions:rw
+    environment:
+      - HORUS_RUNTIME=${runtime ?? "docker"}
+      - FORGE_PORT=8200
+      - FORGE_HOST=0.0.0.0
+      - FORGE_REGISTRY_PATH=/data/registry
+      - FORGE_WORKSPACES_PATH=/data/workspaces
+      - FORGE_CONFIG_PATH=/data/config
+      - FORGE_MANAGED_REPOS_PATH=/data/horus-repos
+      - FORGE_REGISTRY_REPO_URL=
+      - FORGE_SYNC_INTERVAL=300
+      - FORGE_ANVIL_URL=http://anvil:8100
+      - FORGE_VAULT_URL=http://vault-mcp:8300
+      - FORGE_HOST_WORKSPACES_PATH=${slotDataPath}/workspaces
+      - FORGE_HOST_MANAGED_REPOS_PATH=${slotDataPath}/repos
+      - FORGE_HOST_REPOS_PATH=${slotDataPath}/repos
+      - FORGE_HOST_ANVIL_URL=http://localhost:${ports.anvil}
+      - FORGE_HOST_VAULT_URL=http://localhost:${ports.vault_mcp}
+      - FORGE_HOST_FORGE_URL=http://localhost:${ports.forge}
+      - FORGE_SCAN_PATHS=/data/horus-repos
+      - FORGE_SESSION_TTL_MS=1800000
+      - GITHUB_TOKEN=
+      - TYPESENSE_HOST=typesense
+      - TYPESENSE_PORT=8108
+      - TYPESENSE_API_KEY=horus-local-key
+    depends_on:
+      anvil:
+        condition: service_healthy
+      typesense:
+        condition: service_healthy
+      vault-router:
+        condition: service_healthy
+    networks:
+      - ${network}
+    restart: unless-stopped
+    stop_grace_period: 15s
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+        reservations:
+          memory: 128m
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8200/health"]
+      interval: 30s
+      timeout: 5s
+      start_period: 60s
+      retries: 3`;
+  if (runtime === "podman") {
+    forgeBlock = forgeBlock.replace(/^(    image: .+)$/m, '$1\n    user: "0:0"');
+  }
+  const typesenseBlock = `  typesense:
+    image: typesense/typesense:27.1
+    ports:
+      - "${ports.typesense}:8108"
+    volumes:
+      - ${slotDataPath}/typesense-data:/data
+    command: >
+      --data-dir=/data
+      --api-key=horus-local-key
+      --enable-cors
+    networks:
+      - ${network}
+    healthcheck:
+      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/localhost/8108'"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 5s
+    restart: unless-stopped`;
+  const neo4jBlock = `  neo4j:
+    image: neo4j:5-community
+    ports:
+      - "${ports.neo4j_http}:7474"
+      - "${ports.neo4j_bolt}:7687"
+    volumes:
+      - ${slotDataPath}/neo4j-data:/data
+      - ${slotDataPath}/neo4j-logs:/logs
+    environment:
+      - NEO4J_AUTH=neo4j/horus-neo4j
+      - NEO4J_server_memory_heap_initial__size=256m
+      - NEO4J_server_memory_heap_max__size=512m
+      - NEO4J_server_memory_pagecache_size=256m
+      - NEO4J_PLUGINS=[]
+    networks:
+      - ${network}
+    restart: unless-stopped
+    stop_grace_period: 30s
+    deploy:
+      resources:
+        limits:
+          memory: 1g
+        reservations:
+          memory: 512m
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://localhost:7474"]
+      interval: 30s
+      timeout: 10s
+      start_period: 60s
+      retries: 3`;
+  const vaultVolumeNames = vaultEntries.map(([name]) => `  ${project}-vault-${name}-workspace:`).join("\n");
+  const volumesSection = vaultVolumeNames ? [
+    `# \u2500\u2500 Volumes \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+    `volumes:`,
+    vaultVolumeNames
+  ] : [];
+  const sections = [
+    `# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+    `# Horus \u2014 Standalone Shadow Stack (slot ${slot})`,
+    `# Generated by \`horus test-env acquire --standalone\`. Do not edit manually.`,
+    `# Fully-projected: no overlay merge; all ports/volumes are explicit.`,
+    `# Isolation: project=${project}  network=${network}`,
+    `# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+    ``,
+    `services:`,
+    ``,
+    anvilBlock,
+    ``,
+    ...vaultServices.map((s) => s + "\n"),
+    vaultRouterBlock,
+    ``,
+    vaultMcpBlock,
+    ``,
+    forgeBlock,
+    ``,
+    typesenseBlock,
+    ``,
+    neo4jBlock,
+    ``,
+    `# \u2500\u2500 Networks \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+    `networks:`,
+    `  ${network}:`,
+    `    driver: bridge`,
+    ``,
+    ...volumesSection
+  ];
+  return sections.join("\n");
+}
+function standaloneComposePath(slotDataPath) {
+  return `${slotDataPath}/docker-compose.standalone.yml`;
+}
 function composeFileExists() {
   return existsSync3(COMPOSE_PATH);
 }
@@ -1371,7 +1700,7 @@ var setupCommand = new Command2("setup").description("Interactive first-run setu
   console.log("");
   if (configExists()) {
     if (opts.yes) {
-      console.log(chalk2.yellow("Existing configuration found. Overwriting in non-interactive mode."));
+      console.log(chalk2.yellow("Existing configuration found. Merging with existing values in non-interactive mode."));
     } else {
       const proceed = await confirm({
         message: "Horus is already configured. Reconfigure?",
@@ -1425,50 +1754,65 @@ var setupCommand = new Command2("setup").description("Interactive first-run setu
   const runtime = await detectRuntime(selectedRuntime);
   let config;
   if (opts.yes) {
+    const existing = configExists() ? loadConfig() : null;
     const defaults = defaultConfig();
-    const vaultNames = opts.vaultName ? Array.isArray(opts.vaultName) ? opts.vaultName : [opts.vaultName] : ["default"];
-    const vaultRepos = opts.vaultRepo ? Array.isArray(opts.vaultRepo) ? opts.vaultRepo : [opts.vaultRepo] : [process.env.VAULT_KNOWLEDGE_REPO_URL ?? ""];
-    const vaults = {};
-    vaultNames.forEach((name, i) => {
-      vaults[name] = {
-        repo: vaultRepos[i] ?? vaultRepos[0] ?? "",
-        default: i === 0
-      };
-    });
-    const primaryToken = opts.githubToken || process.env.GITHUB_TOKEN || "";
-    const anvilRepo = opts.anvilRepo || process.env.ANVIL_REPO_URL || defaults.repos.anvil_notes;
-    const allRepoUrls = [anvilRepo, ...Object.values(vaults).map((v) => v.repo)].filter(Boolean);
-    const seenHosts = /* @__PURE__ */ new Set();
-    const github_hosts = {};
-    let hostIndex = 0;
-    for (const url of allRepoUrls) {
-      const hostname = extractHostname(url);
-      if (!seenHosts.has(hostname)) {
-        seenHosts.add(hostname);
-        const hostKey = hostIndex === 0 ? "default" : hostname;
-        github_hosts[hostKey] = {
-          host: hostname,
-          token: primaryToken
+    let vaults;
+    if (opts.vaultName || opts.vaultRepo) {
+      const vaultNames = opts.vaultName ? Array.isArray(opts.vaultName) ? opts.vaultName : [opts.vaultName] : ["default"];
+      const vaultRepos = opts.vaultRepo ? Array.isArray(opts.vaultRepo) ? opts.vaultRepo : [opts.vaultRepo] : [process.env.VAULT_KNOWLEDGE_REPO_URL ?? ""];
+      vaults = {};
+      vaultNames.forEach((name, i) => {
+        vaults[name] = {
+          repo: vaultRepos[i] ?? vaultRepos[0] ?? "",
+          default: i === 0
         };
-        hostIndex++;
-      }
+      });
+    } else {
+      vaults = existing?.vaults ?? (process.env.VAULT_KNOWLEDGE_REPO_URL ? { default: { repo: process.env.VAULT_KNOWLEDGE_REPO_URL, default: true } } : defaults.vaults);
     }
-    if (Object.keys(github_hosts).length === 0) {
-      github_hosts["default"] = { host: "github.com", token: primaryToken };
+    const primaryToken = opts.githubToken || process.env.GITHUB_TOKEN || "";
+    const anvilRepo = opts.anvilRepo || process.env.ANVIL_REPO_URL || existing?.repos.anvil_notes || defaults.repos.anvil_notes;
+    let github_hosts;
+    if (opts.githubToken || !existing || Object.keys(existing.github_hosts).length === 0) {
+      const allRepoUrls = [anvilRepo, ...Object.values(vaults).map((v) => v.repo)].filter(Boolean);
+      const seenHosts = /* @__PURE__ */ new Set();
+      github_hosts = {};
+      let hostIndex = 0;
+      for (const url of allRepoUrls) {
+        const hostname = extractHostname(url);
+        if (!seenHosts.has(hostname)) {
+          seenHosts.add(hostname);
+          const hostKey = hostIndex === 0 ? "default" : hostname;
+          github_hosts[hostKey] = {
+            host: hostname,
+            token: primaryToken
+          };
+          hostIndex++;
+        }
+      }
+      if (Object.keys(github_hosts).length === 0) {
+        github_hosts["default"] = { host: "github.com", token: primaryToken };
+      }
+    } else {
+      github_hosts = existing.github_hosts;
     }
     config = {
       ...defaults,
+      // Preserve all existing top-level fields first
+      ...existing ?? {},
+      // Then apply runtime (always re-detected)
       runtime: runtime.name,
-      data_dir: opts.dataDir || DEFAULT_DATA_DIR,
-      host_repos_path: opts.reposPath || "",
+      // Apply field-level overrides: explicit flag > existing value > default
+      data_dir: opts.dataDir || existing?.data_dir || DEFAULT_DATA_DIR,
+      host_repos_path: opts.reposPath || existing?.host_repos_path || "",
       repos: {
         anvil_notes: anvilRepo,
-        forge_registry: opts.forgeRepo || process.env.FORGE_REGISTRY_REPO_URL || defaults.repos.forge_registry
+        forge_registry: opts.forgeRepo || process.env.FORGE_REGISTRY_REPO_URL || existing?.repos.forge_registry || defaults.repos.forge_registry
       },
       vaults,
       github_hosts,
       ai: {
-        key: process.env.HORUS_AI_KEY || ""
+        key: process.env.HORUS_AI_KEY || existing?.ai.key || ""
       }
     };
   } else {
@@ -1730,6 +2074,20 @@ ${example(`${vaultName.trim()}-knowledge`)}
       }
     }
   }
+  if (process.platform === "linux") {
+    const forgeDirs = ["config", "registry", "workspaces", "sessions"].map((d) => join3(dataDir, d));
+    for (const dir of forgeDirs) {
+      mkdirSync3(dir, { recursive: true });
+    }
+    const dirList = forgeDirs.map((d) => `"${d}"`).join(" ");
+    try {
+      execSync(`chown -R 1001:1001 ${dirList}`, { stdio: "pipe" });
+    } catch (error) {
+      console.log(chalk2.yellow("Warning: could not chown Forge data dirs to UID 1001."));
+      console.log(chalk2.dim("  Forge may fail to start if directory ownership is incorrect."));
+      console.log(chalk2.dim(`  Run manually: sudo chown -R 1001:1001 ${forgeDirs.join(" ")}`));
+    }
+  }
   console.log("");
   console.log(chalk2.bold("Pulling container images..."));
   try {
@@ -2918,17 +3276,20 @@ import ora8 from "ora";
 import { join as join8 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import { dirname as dirname2 } from "path";
+import { writeFileSync as writeFileSync7 } from "fs";
 
 // src/lib/test-env.ts
 import {
   existsSync as existsSync9,
   mkdirSync as mkdirSync6,
+  chmodSync,
   readFileSync as readFileSync6,
   writeFileSync as writeFileSync6,
   rmSync,
   readdirSync as readdirSync3,
   cpSync
 } from "fs";
+import { execFileSync, execSync as execSync4 } from "child_process";
 import { join as join7 } from "path";
 import { parse as parseYaml3 } from "yaml";
 import { execa as execa3 } from "execa";
@@ -2956,7 +3317,9 @@ var PORT_OFFSETS = {
   vault_router: 50,
   vault_mcp: 100,
   forge: 150,
-  ui: 160
+  ui: 160,
+  neo4j_http: 174,
+  neo4j_bolt: 187
 };
 function loadTestEnvConfig(dataDir) {
   const configPath = getTestEnvConfigPath(dataDir);
@@ -2985,7 +3348,9 @@ function calcPorts(slot, basePort) {
     vault_router: base + PORT_OFFSETS.vault_router,
     vault_mcp: base + PORT_OFFSETS.vault_mcp,
     forge: base + PORT_OFFSETS.forge,
-    ui: base + PORT_OFFSETS.ui
+    ui: base + PORT_OFFSETS.ui,
+    neo4j_http: base + PORT_OFFSETS.neo4j_http,
+    neo4j_bolt: base + PORT_OFFSETS.neo4j_bolt
   };
 }
 function readLock(dataDir, slot) {
@@ -3045,18 +3410,43 @@ function createSlotDirs(slotDataPath, vaultNames = ["default"]) {
   const dirs = [
     "notes",
     ...vaultNames.map((name) => join7("vaults", name)),
+    "config",
     "registry",
     "workspaces",
     "sessions",
-    "typesense-data"
+    "repos",
+    "typesense-data",
+    "neo4j-data",
+    "neo4j-logs"
   ];
   for (const dir of dirs) {
-    mkdirSync6(join7(slotDataPath, dir), { recursive: true });
+    const fullPath = join7(slotDataPath, dir);
+    mkdirSync6(fullPath, { recursive: true });
+    try {
+      chmodSync(fullPath, 511);
+    } catch (err) {
+      const code = err.code;
+      if (code === "EPERM" || code === "EACCES") {
+        try {
+          execSync4("sudo chmod 777 " + fullPath, { stdio: "pipe" });
+        } catch {
+          console.warn(`[test-env] Warning: could not chmod ${fullPath} (permission denied, sudo also failed)`);
+        }
+      } else {
+        throw err;
+      }
+    }
   }
 }
 function removeSlotDirs(slotDataPath) {
-  if (existsSync9(slotDataPath)) {
+  if (!existsSync9(slotDataPath)) return;
+  try {
     rmSync(slotDataPath, { recursive: true, force: true });
+  } catch {
+    try {
+      execFileSync("sudo", ["rm", "-rf", slotDataPath]);
+    } catch {
+    }
   }
 }
 async function preSeedNotesDir(dataDir, slotDataPath) {
@@ -3066,7 +3456,11 @@ async function preSeedNotesDir(dataDir, slotDataPath) {
     if (existsSync9(destNotesPath)) {
       rmSync(destNotesPath, { recursive: true });
     }
-    await execa3("git", ["clone", "--local", srcNotesPath, destNotesPath]);
+    try {
+      execSync4(`git config --global --add safe.directory ${srcNotesPath}`, { stdio: "pipe" });
+    } catch {
+    }
+    await execa3("git", ["clone", "--no-hardlinks", srcNotesPath, destNotesPath]);
   } else {
     await execa3("git", ["-C", destNotesPath, "init"]);
     await execa3("git", [
@@ -3083,6 +3477,65 @@ async function preSeedNotesDir(dataDir, slotDataPath) {
     ]);
   }
 }
+async function preSeedVaultDirs(dataDir, slotDataPath, vaultNames) {
+  for (const name of vaultNames) {
+    const srcVaultPath = join7(dataDir, "vaults", name);
+    const destVaultPath = join7(slotDataPath, "vaults", name);
+    if (existsSync9(join7(srcVaultPath, ".git"))) {
+      if (existsSync9(destVaultPath)) {
+        rmSync(destVaultPath, { recursive: true });
+      }
+      try {
+        execSync4(`git config --global --add safe.directory ${srcVaultPath}`, { stdio: "pipe" });
+      } catch {
+      }
+      await execa3("git", ["clone", "--no-hardlinks", srcVaultPath, destVaultPath]);
+    } else {
+      await execa3("git", ["-C", destVaultPath, "init"]);
+      await execa3("git", [
+        "-C",
+        destVaultPath,
+        "-c",
+        "user.email=horus@local",
+        "-c",
+        "user.name=Horus",
+        "commit",
+        "--allow-empty",
+        "-m",
+        "init"
+      ]);
+    }
+  }
+}
+async function preSeedRegistryDir(dataDir, slotDataPath) {
+  const srcRegistryPath = join7(dataDir, "registry");
+  const destRegistryPath = join7(slotDataPath, "registry");
+  if (existsSync9(join7(srcRegistryPath, ".git"))) {
+    if (existsSync9(destRegistryPath)) {
+      rmSync(destRegistryPath, { recursive: true });
+    }
+    try {
+      execSync4(`git config --global --add safe.directory ${srcRegistryPath}`, { stdio: "pipe" });
+    } catch {
+    }
+    await execa3("git", ["clone", "--no-hardlinks", srcRegistryPath, destRegistryPath]);
+    chmodSync(destRegistryPath, 511);
+  } else {
+    await execa3("git", ["-C", destRegistryPath, "init"]);
+    await execa3("git", [
+      "-C",
+      destRegistryPath,
+      "-c",
+      "user.email=horus@local",
+      "-c",
+      "user.name=Horus",
+      "commit",
+      "--allow-empty",
+      "-m",
+      "init"
+    ]);
+  }
+}
 function buildComposeEnv(runtime, ports, slotDataPath, defaultVaultName = "default") {
   const vaultPortEnvVar = `VAULT_REST_PORT_${defaultVaultName.toUpperCase().replace(/-/g, "_")}`;
   return {
@@ -3107,26 +3560,36 @@ function buildComposeEnv(runtime, ports, slotDataPath, defaultVaultName = "defau
     TEST_PORT_VAULT_ROUTER: String(ports.vault_router),
     TEST_PORT_VAULT_MCP: String(ports.vault_mcp),
     TEST_PORT_FORGE: String(ports.forge),
-    TEST_PORT_UI: String(ports.ui)
+    TEST_PORT_UI: String(ports.ui),
+    NEO4J_HTTP_PORT: String(ports.neo4j_http),
+    NEO4J_BOLT_PORT: String(ports.neo4j_bolt),
+    TEST_PORT_NEO4J_HTTP: String(ports.neo4j_http),
+    TEST_PORT_NEO4J_BOLT: String(ports.neo4j_bolt)
   };
 }
-async function composeUp(runtime, projectName2, ports, slotDataPath, defaultVaultName = "default") {
+async function composeUp(runtime, projectName2, ports, slotDataPath, defaultVaultName = "default", imageOverrides) {
   const env = buildComposeEnv(runtime, ports, slotDataPath, defaultVaultName);
-  const result = await execa3(
-    runtime.name,
-    [
-      "compose",
-      "-p",
-      projectName2,
-      "-f",
-      join7(HORUS_DIR, "docker-compose.yml"),
-      "-f",
-      join7(HORUS_DIR, "docker-compose.test.yml"),
-      "up",
-      "-d"
-    ],
-    { cwd: HORUS_DIR, env, reject: false }
-  );
+  const composeArgs = [
+    "compose",
+    "-p",
+    projectName2,
+    "-f",
+    join7(HORUS_DIR, "docker-compose.yml"),
+    "-f",
+    join7(HORUS_DIR, "docker-compose.test.yml")
+  ];
+  if (imageOverrides && Object.keys(imageOverrides).length > 0) {
+    const overrideYaml = {
+      services: Object.fromEntries(
+        Object.entries(imageOverrides).map(([svc, img]) => [svc, { image: img }])
+      )
+    };
+    const overridePath = join7(slotDataPath, "docker-compose.image-overrides.json");
+    writeFileSync6(overridePath, JSON.stringify(overrideYaml, null, 2));
+    composeArgs.push("-f", overridePath);
+  }
+  composeArgs.push("up", "-d", "--force-recreate");
+  const result = await execa3(runtime.name, composeArgs, { cwd: HORUS_DIR, env, reject: false });
   if (result.exitCode !== 0) {
     throw new Error(
       `Failed to start shadow stack (project ${projectName2}):
@@ -3142,7 +3605,51 @@ async function composeDown(runtime, projectName2, ports, slotDataPath, defaultVa
     { cwd: HORUS_DIR, env, reject: false }
   );
 }
-var HEALTH_SERVICES = ["anvil", "forge", "vault-mcp", "typesense"];
+async function composeUpStandalone(runtime, projectName2, ports, slotDataPath, config, imageOverrides) {
+  const forgeDirs = ["config", "registry", "workspaces", "sessions"];
+  for (const dir of forgeDirs) {
+    const fullPath = join7(slotDataPath, dir);
+    try {
+      execSync4(`chown -R 1001:1001 ${fullPath}`, { stdio: "pipe" });
+    } catch {
+      try {
+        execSync4(`sudo chown -R 1001:1001 ${fullPath}`, { stdio: "pipe" });
+      } catch {
+      }
+    }
+  }
+  const content = generateStandaloneComposeFile({
+    config,
+    ports,
+    slotDataPath,
+    slot: parseInt(projectName2.replace("horus-test-", ""), 10),
+    runtime: runtime.name,
+    imageOverrides
+  });
+  const composePath = standaloneComposePath(slotDataPath);
+  writeFileSync6(composePath, content, "utf-8");
+  const result = await execa3(
+    runtime.name,
+    ["compose", "-p", projectName2, "-f", composePath, "up", "-d", "--force-recreate"],
+    { cwd: slotDataPath, env: { ...process.env, HORUS_RUNTIME: runtime.name }, reject: false }
+  );
+  if (result.exitCode !== 0) {
+    throw new Error(
+      `Failed to start standalone shadow stack (project ${projectName2}):
+${result.stderr}`
+    );
+  }
+}
+async function composeDownStandalone(runtime, projectName2, slotDataPath) {
+  const composePath = standaloneComposePath(slotDataPath);
+  const args = existsSync9(composePath) ? ["compose", "-p", projectName2, "-f", composePath, "down", "--volumes", "--remove-orphans"] : ["compose", "-p", projectName2, "down", "--volumes", "--remove-orphans"];
+  await execa3(
+    runtime.name,
+    args,
+    { cwd: slotDataPath, env: { ...process.env, HORUS_RUNTIME: runtime.name }, reject: false }
+  );
+}
+var HEALTH_SERVICES = ["anvil", "forge", "vault-mcp", "typesense", "neo4j"];
 async function checkContainerHealthByProject(runtime, projectName2, service) {
   const candidates = [
     `${projectName2}-${service}-1`,
@@ -3218,7 +3725,10 @@ function projectName(slot) {
 
 // src/commands/test-env.ts
 var testEnvCommand = new Command10("test-env").description("Manage isolated shadow stacks for integration testing");
-testEnvCommand.command("acquire").description("Start a shadow stack on alternate ports with isolated data").option("--timeout <seconds>", "Max wait for health checks (default: 120)", "120").action(async (opts) => {
+testEnvCommand.command("acquire").description("Start a shadow stack on alternate ports with isolated data").option("--timeout <seconds>", "Max wait for health checks (default: 120)", "120").option("--image <overrides...>", "Override service images (format: service=image:tag)").option(
+  "--standalone",
+  "Generate a fully-projected compose file (no overlay-merge). Eliminates port-collision with a live stack. Required on fresh VMs."
+).action(async (opts) => {
   const config = loadConfig();
   const dataDir = config.data_dir;
   const testCfg = loadTestEnvConfig(dataDir);
@@ -3248,12 +3758,14 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
   const dirSpinner = ora8(`Creating slot-${slot} data directories...`).start();
   createSlotDirs(slotDataPath, vaultNames);
   dirSpinner.succeed(`Data directory: ${chalk10.dim(slotDataPath)}`);
-  const seedSpinner = ora8("Pre-seeding notes directory...").start();
+  const seedSpinner = ora8("Pre-seeding git repos...").start();
   try {
     await preSeedNotesDir(dataDir, slotDataPath);
-    seedSpinner.succeed("Notes directory ready");
+    await preSeedVaultDirs(dataDir, slotDataPath, vaultNames);
+    await preSeedRegistryDir(dataDir, slotDataPath);
+    seedSpinner.succeed("Git repos ready");
   } catch (error) {
-    seedSpinner.fail(`Notes pre-seed failed: ${error.message}`);
+    seedSpinner.fail(`Pre-seed failed: ${error.message}`);
     removeLock(dataDir, slot);
     removeSlotDirs(slotDataPath);
     process.exit(1);
@@ -3265,10 +3777,29 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
     ports,
     dataPath: slotDataPath
   });
-  const upSpinner = ora8(`Starting shadow stack (project ${chalk10.cyan(project)})...`).start();
+  const imageOverrides = {};
+  if (opts.image) {
+    for (const entry of opts.image) {
+      const eqIdx = entry.indexOf("=");
+      if (eqIdx < 1) {
+        console.error(chalk10.red(`Invalid --image format: "${entry}". Expected: service=image:tag`));
+        process.exit(1);
+      }
+      imageOverrides[entry.slice(0, eqIdx)] = entry.slice(eqIdx + 1);
+    }
+  }
+  const standaloneMode = Boolean(opts.standalone);
+  const modeLabel = standaloneMode ? "standalone" : "overlay";
+  const upSpinner = ora8(
+    `Starting shadow stack (project ${chalk10.cyan(project)}, mode: ${chalk10.dim(modeLabel)})...`
+  ).start();
   try {
-    await composeUp(runtime, project, ports, slotDataPath, defaultVaultName);
-    upSpinner.succeed(`Shadow stack started`);
+    if (standaloneMode) {
+      await composeUpStandalone(runtime, project, ports, slotDataPath, config, imageOverrides);
+    } else {
+      await composeUp(runtime, project, ports, slotDataPath, defaultVaultName, imageOverrides);
+    }
+    upSpinner.succeed(`Shadow stack started (${modeLabel})`);
   } catch (error) {
     upSpinner.fail("Failed to start shadow stack");
     removeLock(dataDir, slot);
@@ -3284,6 +3815,15 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
       healthSpinner.text = `Waiting for services... ${parts}`;
     });
     healthSpinner.succeed("All services healthy");
+    const mcpSettings = {
+      mcpServers: {
+        "anvil-dev": { type: "http", url: `http://localhost:${ports.anvil}` },
+        "vault-dev": { type: "http", url: `http://localhost:${ports.vault_mcp}` },
+        "forge-dev": { type: "http", url: `http://localhost:${ports.forge}` }
+      }
+    };
+    const settingsPath2 = join8(slotDataPath, "claude-settings.json");
+    writeFileSync7(settingsPath2, JSON.stringify(mcpSettings, null, 2));
   } catch (error) {
     healthSpinner.fail("Health check failed");
     await composeDown(runtime, project, ports, slotDataPath, defaultVaultName);
@@ -3315,6 +3855,11 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
   console.log(`  export TEST_VAULT_MCP_URL=http://localhost:${ports.vault_mcp}`);
   console.log(`  export TEST_DATA_PATH=${slotDataPath}`);
   console.log("");
+  const settingsPath = join8(slotDataPath, "claude-settings.json");
+  console.log(chalk10.bold("Agent dev mode:"));
+  console.log(`  MCP config: ${chalk10.dim(settingsPath)}`);
+  console.log(`  Launch:     ${chalk10.cyan(`claude --mcp-config ${settingsPath}`)}`);
+  console.log("");
   console.log(chalk10.dim(`Run ${chalk10.bold(`horus test-env seed --slot ${slot}`)} to populate with fixtures.`));
   console.log(chalk10.dim(`Run ${chalk10.bold(`horus test-env release --slot ${slot}`)} when done.`));
 });
@@ -3353,7 +3898,14 @@ testEnvCommand.command("release").description("Tear down a shadow stack and remo
   }
   const downSpinner = ora8(`Stopping ${chalk10.cyan(project)}...`).start();
   try {
-    await composeDown(runtime, project, ports, slotDataPath, defaultVaultName);
+    const { existsSync: existsSync12 } = await import("fs");
+    const { join: join11 } = await import("path");
+    const standaloneFile = join11(slotDataPath, "docker-compose.standalone.yml");
+    if (existsSync12(standaloneFile)) {
+      await composeDownStandalone(runtime, project, slotDataPath);
+    } else {
+      await composeDown(runtime, project, ports, slotDataPath, defaultVaultName);
+    }
     downSpinner.succeed("Shadow stack stopped");
   } catch {
     downSpinner.warn("Failed to stop cleanly (continuing cleanup)");

package/guides/index.json

@@ -1,6 +1,6 @@
 {
   "schema_version": 1,
-  "built_at": "2026-05-07T09:00:33.452Z",
+  "built_at": "2026-05-17T08:16:12.633Z",
   "guide_count": 5,
   "guides": [
     {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arkhera30/cli",
-  "version": "0.6.1",
+  "version": "0.7.0",
   "description": "CLI for managing the Horus AI development stack",
   "type": "module",
   "bin": {