@pleri/olam-cli 0.1.101 → 0.1.103

package/dist/index.js

@@ -487,8 +487,8 @@ var init_parseUtil = __esm({
     init_errors();
     init_en();
     makeIssue = (params) => {
-      const { data, path: path49, errorMaps, issueData } = params;
-      const fullPath = [...path49, ...issueData.path || []];
+      const { data, path: path50, errorMaps, issueData } = params;
+      const fullPath = [...path50, ...issueData.path || []];
       const fullIssue = {
         ...issueData,
         path: fullPath
@@ -796,11 +796,11 @@ var init_types = __esm({
     init_parseUtil();
     init_util();
     ParseInputLazyPath = class {
-      constructor(parent, value, path49, key) {
+      constructor(parent, value, path50, key) {
         this._cachedPath = [];
         this.parent = parent;
         this.data = value;
-        this._path = path49;
+        this._path = path50;
         this._key = key;
       }
       get path() {
@@ -4281,7 +4281,7 @@ import YAML from "yaml";
 function bootstrapStepCmd(entry) {
   return typeof entry === "string" ? entry : entry.cmd;
 }
-function refineForbiddenKeys(value, path49, ctx, rejectSource) {
+function refineForbiddenKeys(value, path50, ctx, rejectSource) {
   if (value === null || typeof value !== "object" || Array.isArray(value)) {
     return;
   }
@@ -4289,12 +4289,12 @@ function refineForbiddenKeys(value, path49, ctx, rejectSource) {
     if (FORBIDDEN_KEYS.has(key)) {
       ctx.addIssue({
         code: external_exports.ZodIssueCode.custom,
-        path: [...path49, key],
+        path: [...path50, key],
         message: `forbidden key "${key}" (prototype-pollution surface)`
       });
       continue;
     }
-    if (rejectSource && path49.length === 0 && key === "source") {
+    if (rejectSource && path50.length === 0 && key === "source") {
       ctx.addIssue({
         code: external_exports.ZodIssueCode.custom,
         path: ["source"],
@@ -4302,21 +4302,21 @@ function refineForbiddenKeys(value, path49, ctx, rejectSource) {
       });
       continue;
     }
-    refineForbiddenKeys(value[key], [...path49, key], ctx, false);
+    refineForbiddenKeys(value[key], [...path50, key], ctx, false);
   }
 }
-function rejectForbiddenKeys(value, path49, rejectSource) {
+function rejectForbiddenKeys(value, path50, rejectSource) {
   if (value === null || typeof value !== "object" || Array.isArray(value)) {
     return;
   }
   for (const key of Object.keys(value)) {
     if (FORBIDDEN_KEYS.has(key)) {
-      throw new Error(`[manifest] ${path49}: forbidden key "${key}" (prototype-pollution surface)`);
+      throw new Error(`[manifest] ${path50}: forbidden key "${key}" (prototype-pollution surface)`);
     }
     if (rejectSource && key === "source") {
-      throw new Error(`[manifest] ${path49}: top-level "source" is loader-stamped \u2014 manifests must not author it`);
+      throw new Error(`[manifest] ${path50}: top-level "source" is loader-stamped \u2014 manifests must not author it`);
     }
-    rejectForbiddenKeys(value[key], `${path49}.${key}`, false);
+    rejectForbiddenKeys(value[key], `${path50}.${key}`, false);
   }
 }
 function unknownTopLevelKeys(parsed) {
@@ -5198,7 +5198,7 @@ async function safeText(res) {
   }
 }
 function sleep(ms) {
-  return new Promise((resolve10) => setTimeout(resolve10, ms));
+  return new Promise((resolve11) => setTimeout(resolve11, ms));
 }
 var DEFAULT_BASE_URL, DEFAULT_TIMEOUT_MS, RETRY_COUNT, RETRY_BACKOFF_MS, AuthClient;
 var init_client = __esm({
@@ -5309,8 +5309,8 @@ var init_client = __esm({
           throw new Error(`failed to report rate-limit for ${accountId} (HTTP ${res.status})`);
         }
       }
-      async request(method, path49, body, attempt = 0) {
-        const url = `${this.baseUrl}${path49}`;
+      async request(method, path50, body, attempt = 0) {
+        const url = `${this.baseUrl}${path50}`;
         const controller = new AbortController();
         const timer = setTimeout(() => controller.abort(), this.timeoutMs);
         const headers = {};
@@ -5328,7 +5328,7 @@ var init_client = __esm({
         } catch (err) {
           if (attempt < RETRY_COUNT && isTransient(err)) {
             await sleep(RETRY_BACKOFF_MS * (attempt + 1));
-            return this.request(method, path49, body, attempt + 1);
+            return this.request(method, path50, body, attempt + 1);
           }
           throw err;
         } finally {
@@ -5350,7 +5350,7 @@ function resolveAuthServicePath() {
   return path9.join(pkgsDir, "auth-service");
 }
 function sleep2(ms) {
-  return new Promise((resolve10) => setTimeout(resolve10, ms));
+  return new Promise((resolve11) => setTimeout(resolve11, ms));
 }
 var DEFAULT_PORT, DEFAULT_VOLUME, DEFAULT_CONTAINER, DEFAULT_IMAGE, AuthContainerController;
 var init_container = __esm({
@@ -5798,7 +5798,7 @@ var init_container2 = __esm({
       await container.start();
       return container;
     };
-    DEFAULT_IMAGE2 = "olam-devbox:latest";
+    DEFAULT_IMAGE2 = "olam-devbox:base";
     CONTROL_PLANE_PORT = 8080;
     HOST_CONTROL_PLANE_BASE = 19080;
     HOST_APP_PORT_BASE_DELTA = 1e4;
@@ -5951,7 +5951,7 @@ var demuxStream, execInContainer;
 var init_exec = __esm({
   "../adapters/dist/docker/exec.js"() {
     "use strict";
-    demuxStream = (stream) => new Promise((resolve10, reject) => {
+    demuxStream = (stream) => new Promise((resolve11, reject) => {
       const stdoutChunks = [];
       const stderrChunks = [];
       const stdout = new PassThrough();
@@ -5965,7 +5965,7 @@ var init_exec = __esm({
         stream.pipe(stdout);
       }
       stream.on("end", () => {
-        resolve10({
+        resolve11({
           stdout: Buffer.concat(stdoutChunks).toString("utf-8"),
           stderr: Buffer.concat(stderrChunks).toString("utf-8")
         });
@@ -6003,6 +6003,51 @@ var init_exec = __esm({
   }
 });
 
+// ../adapters/dist/docker/host.js
+import { spawnSync as spawnSync2 } from "node:child_process";
+function resolveDockerHostOptions(spawnImpl = spawnSync2) {
+  if (process.env.DOCKER_HOST && process.env.DOCKER_HOST.length > 0) {
+    return {};
+  }
+  try {
+    const result = spawnImpl("docker", ["context", "inspect", "--format", "{{.Endpoints.docker.Host}}"], { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] });
+    if (result.status === 0) {
+      const host = (result.stdout ?? "").trim();
+      if (host.startsWith("unix://")) {
+        return { socketPath: host.slice("unix://".length) };
+      }
+      if (host.startsWith("npipe://")) {
+        return { socketPath: host.slice("npipe://".length) };
+      }
+      if (host.startsWith("tcp://") || host.startsWith("http://") || host.startsWith("https://")) {
+        const url = new URL(host.startsWith("tcp://") ? host.replace("tcp://", "http://") : host);
+        const protocol = host.startsWith("https://") ? "https" : "http";
+        const port = url.port ? parseInt(url.port, 10) : protocol === "https" ? 2376 : 2375;
+        return { host: url.hostname, port, protocol };
+      }
+    }
+  } catch {
+  }
+  return { socketPath: "/var/run/docker.sock" };
+}
+function describeDockerEndpoint(opts) {
+  if (!opts || Object.keys(opts).length === 0) {
+    return process.env.DOCKER_HOST ? `DOCKER_HOST=${process.env.DOCKER_HOST}` : "/var/run/docker.sock (default)";
+  }
+  if (opts.socketPath) {
+    return `socketPath=${opts.socketPath}`;
+  }
+  if (opts.host) {
+    return `${opts.protocol ?? "http"}://${opts.host}:${opts.port ?? "?"}`;
+  }
+  return JSON.stringify(opts);
+}
+var init_host = __esm({
+  "../adapters/dist/docker/host.js"() {
+    "use strict";
+  }
+});
+
 // ../adapters/dist/docker/provider.js
 import Dockerode from "dockerode";
 var DockerWorld, DockerProvider, dockerStateToWorldStatus;
@@ -6012,6 +6057,7 @@ var init_provider = __esm({
     init_types2();
     init_container2();
     init_exec();
+    init_host();
     init_network();
     init_volume();
     DockerWorld = class {
@@ -6065,9 +6111,11 @@ var init_provider = __esm({
         maxLifetimeMinutes: null
       };
       docker;
+      dockerOptions;
       constructor(dockerOptions) {
         super();
         this.docker = new Dockerode(dockerOptions);
+        this.dockerOptions = dockerOptions;
       }
       // -----------------------------------------------------------------------
       // createWorld
@@ -6076,8 +6124,10 @@ var init_provider = __esm({
         const { id, name, services = [], portOffset = 0 } = config;
         try {
           await this.docker.ping();
-        } catch {
-          throw new Error("Docker daemon is not available. Ensure Docker is running and accessible.");
+        } catch (err) {
+          const where = describeDockerEndpoint(this.dockerOptions);
+          const cause = err instanceof Error ? err.message : String(err);
+          throw new Error(`Docker daemon is not available at ${where}. Ensure Docker is running and the resolved endpoint is correct. (underlying: ${cause})`);
         }
         await createNetwork(this.docker, id, name);
         for (const svc of services) {
@@ -6339,7 +6389,7 @@ var init_connection = __esm({
       // -----------------------------------------------------------------------
       async exec(host, command) {
         const client = await this.getConnection(host);
-        return new Promise((resolve10, reject) => {
+        return new Promise((resolve11, reject) => {
           client.exec(command, (err, stream) => {
             if (err) {
               reject(new Error(`SSH exec failed on ${host}: ${err.message}`));
@@ -6354,7 +6404,7 @@ var init_connection = __esm({
               stderr += data.toString();
             });
             stream.on("close", (code) => {
-              resolve10({
+              resolve11({
                 exitCode: code ?? 0,
                 stdout: stdout.trimEnd(),
                 stderr: stderr.trimEnd()
@@ -6385,10 +6435,10 @@ var init_connection = __esm({
           throw new Error(`No SSH configuration found for host: ${host}`);
         }
         const client = new SSHClient();
-        return new Promise((resolve10, reject) => {
+        return new Promise((resolve11, reject) => {
           client.on("ready", () => {
             this.connections.set(host, client);
-            resolve10(client);
+            resolve11(client);
           }).on("error", (err) => {
             this.connections.delete(host);
             reject(new Error(`SSH connection to ${host} failed: ${err.message}`));
@@ -6827,8 +6877,8 @@ var init_provider3 = __esm({
       // -----------------------------------------------------------------------
       // Internal fetch helper
       // -----------------------------------------------------------------------
-      async request(path49, method, body) {
-        const url = `${this.config.workerUrl}${path49}`;
+      async request(path50, method, body) {
+        const url = `${this.config.workerUrl}${path50}`;
         const bearer = await this.config.mintToken();
         const headers = {
           Authorization: `Bearer ${bearer}`
@@ -6960,7 +7010,9 @@ __export(dist_exports, {
   SSHProvider: () => SSHProvider,
   auditPortsForZombies: () => auditPortsForZombies,
   buildPackageManagerCacheBinds: () => buildPackageManagerCacheBinds,
-  cleanupOrphanedResources: () => cleanupOrphanedResources
+  cleanupOrphanedResources: () => cleanupOrphanedResources,
+  describeDockerEndpoint: () => describeDockerEndpoint,
+  resolveDockerHostOptions: () => resolveDockerHostOptions
 });
 var init_dist = __esm({
   "../adapters/dist/index.js"() {
@@ -6968,6 +7020,7 @@ var init_dist = __esm({
     init_types2();
     init_provider();
     init_cleanup();
+    init_host();
     init_container2();
     init_container2();
     init_provider2();
@@ -6978,41 +7031,13 @@ var init_dist = __esm({
 // src/docker-host.ts
 var docker_host_exports = {};
 __export(docker_host_exports, {
+  describeDockerEndpoint: () => describeDockerEndpoint,
   resolveDockerHostOptions: () => resolveDockerHostOptions
 });
-import { spawnSync as spawnSync2 } from "node:child_process";
-function resolveDockerHostOptions(spawnImpl = spawnSync2) {
-  if (process.env.DOCKER_HOST && process.env.DOCKER_HOST.length > 0) {
-    return {};
-  }
-  try {
-    const result = spawnImpl(
-      "docker",
-      ["context", "inspect", "--format", "{{.Endpoints.docker.Host}}"],
-      { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] }
-    );
-    if (result.status === 0) {
-      const host = (result.stdout ?? "").trim();
-      if (host.startsWith("unix://")) {
-        return { socketPath: host.slice("unix://".length) };
-      }
-      if (host.startsWith("npipe://")) {
-        return { socketPath: host.slice("npipe://".length) };
-      }
-      if (host.startsWith("tcp://") || host.startsWith("http://") || host.startsWith("https://")) {
-        const url = new URL(host.startsWith("tcp://") ? host.replace("tcp://", "http://") : host);
-        const protocol = host.startsWith("https://") ? "https" : "http";
-        const port = url.port ? parseInt(url.port, 10) : protocol === "https" ? 2376 : 2375;
-        return { host: url.hostname, port, protocol };
-      }
-    }
-  } catch {
-  }
-  return { socketPath: "/var/run/docker.sock" };
-}
 var init_docker_host = __esm({
   "src/docker-host.ts"() {
     "use strict";
+    init_dist();
   }
 });
 
@@ -7224,7 +7249,7 @@ CREATE TABLE IF NOT EXISTS meta (
         this.db.pragma("foreign_keys = ON");
         this.db.exec(CREATE_TABLE);
         this.db.exec(CREATE_META);
-        for (const col of ["readiness_chain TEXT", "expected_services TEXT", "app_port_urls TEXT"]) {
+        for (const col of ["readiness_chain TEXT", "expected_services TEXT", "app_port_urls TEXT", "tailscale_paths TEXT"]) {
           try {
             this.db.exec(`ALTER TABLE worlds ADD COLUMN ${col}`);
           } catch {
@@ -7342,6 +7367,27 @@ CREATE TABLE IF NOT EXISTS meta (
         const max = rows.length > 0 ? rows[rows.length - 1].port_offset : -100;
         return max + 100;
       }
+      /**
+       * Persist tailscale serve paths registered for a world.
+       * Paths are stored as a JSON array in the tailscale_paths column.
+       */
+      storeTailscalePaths(worldId, paths) {
+        this.db.prepare("UPDATE worlds SET tailscale_paths = ?, updated_at = ? WHERE id = ?").run(JSON.stringify(paths), (/* @__PURE__ */ new Date()).toISOString(), worldId);
+      }
+      /**
+       * Load tailscale serve paths for a world. Returns [] when none stored or
+       * column absent (pre-migration rows).
+       */
+      loadTailscalePaths(worldId) {
+        const row = this.db.prepare("SELECT tailscale_paths FROM worlds WHERE id = ?").get(worldId);
+        if (!row?.tailscale_paths)
+          return [];
+        try {
+          return JSON.parse(row.tailscale_paths);
+        } catch {
+          return [];
+        }
+      }
       close() {
         this.db.close();
       }
@@ -8124,8 +8170,8 @@ import { execFileSync as execFileSync3 } from "node:child_process";
 import * as fs14 from "node:fs";
 import * as os9 from "node:os";
 import * as path15 from "node:path";
-function expandHome(p, homedir26) {
-  return p.replace(/^~(?=$|\/|\\)/, homedir26());
+function expandHome(p, homedir27) {
+  return p.replace(/^~(?=$|\/|\\)/, homedir27());
 }
 function sanitizeRepoFilename(name) {
   const sanitized = name.replace(/[^A-Za-z0-9._-]/g, "_");
@@ -8148,7 +8194,7 @@ ${stderr}`;
 }
 function snapshotBaselineDiff(repos, workspacePath, deps = {}) {
   const exec = deps.exec ?? ((cmd, args, opts) => execFileSync3(cmd, args, opts));
-  const homedir26 = deps.homedir ?? (() => os9.homedir());
+  const homedir27 = deps.homedir ?? (() => os9.homedir());
   const baselineDir = path15.join(workspacePath, ".olam", "baseline");
   try {
     fs14.mkdirSync(baselineDir, { recursive: true });
@@ -8164,7 +8210,7 @@ function snapshotBaselineDiff(repos, workspacePath, deps = {}) {
       continue;
     const filename = `${sanitizeRepoFilename(repo.name)}.diff`;
     const outPath = path15.join(baselineDir, filename);
-    const repoPath = expandHome(repo.path, homedir26);
+    const repoPath = expandHome(repo.path, homedir27);
     if (!fs14.existsSync(repoPath)) {
       writeBaselineFile(outPath, `# repo: ${repo.name}
 # (skipped: path ${repoPath} does not exist)
@@ -10172,6 +10218,34 @@ var init_bootstrap_hooks = __esm({
 });
 
 // ../core/dist/world/tmux-supervisor.js
+function injectBindAll(start) {
+  let result = start;
+  const userBoundRails = /(^|\s)(-b|--binding)(\s+|=)\S+/.test(start);
+  const userBoundNext = /(^|\s)(-H|--hostname)(\s+|=)\S+/.test(start);
+  const userBoundVite = /(^|\s)--host(\s+\S+|=\S+)/.test(start);
+  const userBoundGunicorn = /(^|\s)(-h|--bind)(\s+|=)\S+/.test(start);
+  const userHostEnv = /(^|\s)HOST=\S+/.test(start);
+  const anyUserBound = userBoundRails || userBoundNext || userBoundVite || userBoundGunicorn;
+  if (!userHostEnv && !anyUserBound) {
+    result = `HOST=0.0.0.0 ${result}`;
+  }
+  if (!userBoundRails && /\brails\s+s(?:erver)?\b/.test(start)) {
+    result = `${result} -b 0.0.0.0`;
+  }
+  if (!userBoundNext && /\bnext\s+dev\b/.test(start)) {
+    result = `${result} -H 0.0.0.0`;
+  }
+  if (!userBoundVite && /\b(?:^|\s|=)vite\b/.test(start)) {
+    result = `${result} --host 0.0.0.0`;
+  }
+  if (!userBoundVite && /\b(?:flask\s+run|uvicorn|hypercorn)\b/.test(start)) {
+    result = `${result} --host 0.0.0.0`;
+  }
+  if (!userBoundGunicorn && /\bgunicorn\b/.test(start)) {
+    result = `${result} --bind 0.0.0.0`;
+  }
+  return result;
+}
 async function startSupervisedApps(containerName, worldId, repos, exec, options = {}) {
   if (!SAFE_IDENT2.test(containerName)) {
     throw new Error(`containerName "${containerName}" must match ${SAFE_IDENT2} (defensive guard)`);
@@ -10207,7 +10281,7 @@ async function startSupervisedApps(containerName, worldId, repos, exec, options
       windowsExisting.push(repo.name);
       continue;
     }
-    const expandedStart = repo.start.replace(/\$\{?PORT\}?/g, String(repo.hostPort));
+    const expandedStart = injectBindAll(repo.start).replace(/\$\{?PORT\}?/g, String(repo.hostPort));
     const startCmd = `cd ${shellQuote2(repo.dir)} && exec ${expandedStart}`;
     exec(containerName, `tmux new-window -t ${sessionName} -n ${repo.name} -d ${shellQuote2(startCmd)}`);
     windowsCreated.push(repo.name);
@@ -10284,7 +10358,9 @@ __export(manager_exports, {
   WorldManager: () => WorldManager,
   applyPostgresNetworkOverrides: () => applyPostgresNetworkOverrides,
   buildManifestRuntimeForTest: () => buildManifestRuntime,
+  cleanupWorldTailscale: () => cleanupWorldTailscale,
   deriveReadinessChain: () => deriveReadinessChain,
+  exposeWorldOverTailscale: () => exposeWorldOverTailscale,
   getTokenScopes: () => getTokenScopes,
   planManifestPipeline: () => planManifestPipeline,
   runManifestRuntime: () => runManifestRuntime
@@ -10400,7 +10476,7 @@ ${stderr.split("\n").slice(0, 3).join(" ")}`);
          Likely cause: corrupt local image, a custom devbox image without
          the olam user (line 10 of devbox.Dockerfile), or NSS resolver
          failure under cross-arch QEMU emulation.
-         Remedy:   docker rmi olam-devbox:latest && olam upgrade -y
+         Remedy:   docker rmi olam-devbox:base && olam upgrade -y
          (or set OLAM_DEVBOX_IMAGE to a known-good ref before \`olam create\`).
          PR push from inside the world will not work until this is resolved.`);
       return;
@@ -10634,6 +10710,71 @@ function buildManifestRuntime(worldId, repos) {
   }
   return { worldId, repos: runtimeRepos };
 }
+function exposeWorldOverTailscale(appPortUrls, worldId, registry, _exec = execSync5) {
+  if (process.env["OLAM_TAILSCALE_SERVE"] !== "true")
+    return;
+  if (appPortUrls.length === 0)
+    return;
+  const bin = resolveTailscaleBin(_exec);
+  if (!bin) {
+    console.warn("[tailscale] WARN: OLAM_TAILSCALE_SERVE=true but no tailscale binary found. Set TAILSCALE_BIN or install tailscale. Skipping serve mapping.");
+    return;
+  }
+  const registeredPaths = [];
+  for (const { repoName, hostPort } of appPortUrls) {
+    const servePath = `/world/${worldId}/${repoName}`;
+    try {
+      _exec(`"${bin}" serve --bg --set-path=${servePath} http://localhost:${hostPort}`, {
+        timeout: 1e4
+      });
+      console.log(`[tailscale] exposed ${worldId}/${repoName} at https://<machine>.<tailnet>/world/${worldId}/${repoName}`);
+      registeredPaths.push(servePath);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.warn(`[tailscale] WARN: serve failed for ${repoName} (port ${hostPort}): ${msg}`);
+    }
+  }
+  if (registeredPaths.length > 0) {
+    registry.storeTailscalePaths(worldId, registeredPaths);
+  }
+}
+function cleanupWorldTailscale(worldId, registry, _exec = execSync5) {
+  const paths = registry.loadTailscalePaths(worldId);
+  if (paths.length === 0)
+    return;
+  const bin = resolveTailscaleBin(_exec);
+  if (!bin) {
+    console.warn("[tailscale] WARN: Cannot cleanup tailscale serve paths \u2014 binary not found.");
+    return;
+  }
+  for (const servePath of paths) {
+    try {
+      _exec(`"${bin}" serve --bg --set-path=${servePath} off`, { timeout: 1e4 });
+      console.log(`[tailscale] cleaned up serve path ${servePath}`);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.warn(`[tailscale] WARN: cleanup failed for ${servePath}: ${msg}`);
+    }
+  }
+}
+function resolveTailscaleBin(_exec = execSync5) {
+  const candidates = [
+    process.env["TAILSCALE_BIN"],
+    "/Applications/Tailscale.app/Contents/MacOS/Tailscale",
+    "/usr/local/bin/tailscale",
+    "/opt/homebrew/bin/tailscale"
+  ];
+  for (const c of candidates) {
+    if (!c)
+      continue;
+    try {
+      _exec(`test -x "${c}"`, { timeout: 2e3 });
+      return c;
+    } catch {
+    }
+  }
+  return void 0;
+}
 function applyPostgresNetworkOverrides(worldEnv, enrichedRepos) {
   const hasPostgres = enrichedRepos.some((r) => r.manifest?.services?.["postgres"] !== void 0);
   if (!hasPostgres)
@@ -11379,6 +11520,10 @@ ${opts.task}`;
           }
         } catch {
         }
+        try {
+          exposeWorldOverTailscale(appPortUrls, worldId, this.registry);
+        } catch {
+        }
         return {
           ...metadata,
           status: "running",
@@ -11426,6 +11571,10 @@ ${opts.task}`;
           } catch {
           }
         }
+        try {
+          cleanupWorldTailscale(worldId, this.registry);
+        } catch {
+        }
         try {
           await this.provider.destroyWorld(worldId);
         } catch {
@@ -12827,7 +12976,7 @@ function isCloudflaredAvailable() {
   }
 }
 function startTunnel(port) {
-  return new Promise((resolve10, reject) => {
+  return new Promise((resolve11, reject) => {
     const child = spawn2("cloudflared", ["tunnel", "--url", `http://localhost:${port}`], {
       stdio: ["ignore", "pipe", "pipe"],
       detached: false
@@ -12849,7 +12998,7 @@ function startTunnel(port) {
       if (match2) {
         resolved = true;
         clearTimeout(timeout);
-        resolve10(match2[0]);
+        resolve11(match2[0]);
       }
     }
     child.stdout?.on("data", scan);
@@ -12936,8 +13085,8 @@ var init_dashboard = __esm({
           }
           throw err;
         }
-        await new Promise((resolve10, reject) => {
-          this.server.on("listening", resolve10);
+        await new Promise((resolve11, reject) => {
+          this.server.on("listening", resolve11);
           this.server.on("error", reject);
         });
         this.info = { localUrl: `http://localhost:${port}` };
@@ -12983,8 +13132,8 @@ var init_dashboard = __esm({
       async stop() {
         stopTunnel();
         if (this.server) {
-          await new Promise((resolve10) => {
-            this.server.close(() => resolve10());
+          await new Promise((resolve11) => {
+            this.server.close(() => resolve11());
           });
           this.server = null;
         }
@@ -13673,10 +13822,10 @@ async function readHostCpToken2() {
   if (!fs25.existsSync(tp)) return null;
   return fs25.readFileSync(tp, "utf-8").trim();
 }
-async function callHostCpProxy(method, worldId, path49, body) {
+async function callHostCpProxy(method, worldId, path50, body) {
   const token = await readHostCpToken2();
   if (!token) return { ok: false, status: 0, error: "no token (host CP not started)" };
-  const url = `http://127.0.0.1:${HOST_CP_PORT}/api/world/${encodeURIComponent(worldId)}${path49}`;
+  const url = `http://127.0.0.1:${HOST_CP_PORT}/api/world/${encodeURIComponent(worldId)}${path50}`;
   try {
     const headers = {
       Authorization: `Bearer ${token}`
@@ -14561,9 +14710,9 @@ var UnknownArchetypeError = class extends Error {
 };
 var ArchetypeCycleError = class extends Error {
   path;
-  constructor(path49) {
-    super(`Archetype inheritance cycle detected: ${path49.join(" \u2192 ")} \u2192 ${path49[0] ?? "?"}`);
-    this.path = path49;
+  constructor(path50) {
+    super(`Archetype inheritance cycle detected: ${path50.join(" \u2192 ")} \u2192 ${path50[0] ?? "?"}`);
+    this.path = path50;
     this.name = "ArchetypeCycleError";
   }
 };
@@ -14837,7 +14986,7 @@ var realDocker = {
   }
 };
 function spawnAsync(cmd, args, opts = {}) {
-  return new Promise((resolve10) => {
+  return new Promise((resolve11) => {
     const child = spawn3(cmd, [...args], {
       stdio: ["ignore", "pipe", "pipe"],
       signal: opts.signal
@@ -14851,10 +15000,10 @@ function spawnAsync(cmd, args, opts = {}) {
       stderr += chunk.toString();
     });
     child.on("error", (err) => {
-      resolve10({ exitCode: -1, stdout, stderr: stderr + err.message });
+      resolve11({ exitCode: -1, stdout, stderr: stderr + err.message });
     });
     child.on("close", (code) => {
-      resolve10({ exitCode: code ?? -1, stdout, stderr });
+      resolve11({ exitCode: code ?? -1, stdout, stderr });
     });
   });
 }
@@ -15197,10 +15346,10 @@ async function confirm(message) {
   if (!process.stdin.isTTY) return true;
   const { createInterface: createInterface5 } = await import("node:readline");
   const rl = createInterface5({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve10) => {
+  return new Promise((resolve11) => {
     rl.question(`${message} [y/N] `, (answer) => {
       rl.close();
-      resolve10(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+      resolve11(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
     });
   });
 }
@@ -15574,7 +15723,7 @@ var McpAuthContainerController = class {
   }
 };
 function sleep3(ms) {
-  return new Promise((resolve10) => setTimeout(resolve10, ms));
+  return new Promise((resolve11) => setTimeout(resolve11, ms));
 }
 function dumpContainerLogs(container, tail = 40) {
   try {
@@ -15861,9 +16010,10 @@ import pc10 from "picocolors";
 import { execSync as execSync7 } from "node:child_process";
 import { existsSync as existsSync26, statSync as statSync6 } from "node:fs";
 import { join as join31 } from "node:path";
-var DEFAULT_DEVBOX_IMAGE = "olam-devbox:latest";
+var DEFAULT_DEVBOX_IMAGE = "olam-devbox:base";
 var DEVBOX_BAKED_SOURCES = [
-  "packages/adapters/src/docker/devbox.Dockerfile",
+  "packages/adapters/src/docker/devbox.base.Dockerfile",
+  "packages/adapters/src/docker/devbox.browser.Dockerfile",
   "packages/control-plane/standalone/server.mjs",
   "packages/control-plane/standalone/intelligence-bridge.mjs",
   "packages/control-plane/standalone/d1-sqlite-adapter.mjs",
@@ -15928,9 +16078,9 @@ function formatFreshnessWarning(result, image = DEFAULT_DEVBOX_IMAGE) {
     "These source files have changed since the image was built; the",
     "changes will NOT take effect in fresh worlds until you rebuild:"
   ];
-  for (const { path: path49, mtimeMs } of result.newerSources) {
+  for (const { path: path50, mtimeMs } of result.newerSources) {
     const when = new Date(mtimeMs).toISOString();
-    lines.push(`  \u2022 ${path49}  (modified ${when})`);
+    lines.push(`  \u2022 ${path50}  (modified ${when})`);
   }
   lines.push("");
   lines.push("Rebuild with:");
@@ -16089,15 +16239,15 @@ init_host_cp();
 var HOST_CP_URL = "http://127.0.0.1:19000";
 async function readHostCpTokenForCreate() {
   try {
-    const { default: fs47 } = await import("node:fs");
+    const { default: fs48 } = await import("node:fs");
     const { default: os28 } = await import("node:os");
-    const { default: path49 } = await import("node:path");
-    const tp = path49.join(
-      process.env.OLAM_HOME ?? path49.join(os28.homedir(), ".olam"),
+    const { default: path50 } = await import("node:path");
+    const tp = path50.join(
+      process.env.OLAM_HOME ?? path50.join(os28.homedir(), ".olam"),
       "host-cp.token"
     );
-    if (!fs47.existsSync(tp)) return null;
-    return fs47.readFileSync(tp, "utf-8").trim();
+    if (!fs48.existsSync(tp)) return null;
+    return fs48.readFileSync(tp, "utf-8").trim();
   } catch {
     return null;
   }
@@ -16460,12 +16610,12 @@ function defaultNameFromPrompt(prompt) {
 }
 async function readHostCpToken3() {
   try {
-    const { default: fs47 } = await import("node:fs");
+    const { default: fs48 } = await import("node:fs");
     const { default: os28 } = await import("node:os");
-    const { default: path49 } = await import("node:path");
-    const tp = path49.join(os28.homedir(), ".olam", "host-cp.token");
-    if (!fs47.existsSync(tp)) return null;
-    const raw = fs47.readFileSync(tp, "utf-8").trim();
+    const { default: path50 } = await import("node:path");
+    const tp = path50.join(os28.homedir(), ".olam", "host-cp.token");
+    if (!fs48.existsSync(tp)) return null;
+    const raw = fs48.readFileSync(tp, "utf-8").trim();
     return raw.length > 0 ? raw : null;
   } catch {
     return null;
@@ -17133,14 +17283,14 @@ function printTable(entries) {
 async function confirmInteractive() {
   process.stdout.write("  Type `yes` to proceed: ");
   const buf = [];
-  return new Promise((resolve10) => {
+  return new Promise((resolve11) => {
     const onData = (chunk) => {
       buf.push(chunk);
       if (Buffer.concat(buf).toString("utf-8").includes("\n")) {
         process.stdin.removeListener("data", onData);
         process.stdin.pause();
         const answer = Buffer.concat(buf).toString("utf-8").trim();
-        resolve10(answer.toLowerCase() === "yes");
+        resolve11(answer.toLowerCase() === "yes");
       }
     };
     process.stdin.resume();
@@ -20196,11 +20346,11 @@ function zodIssueToError(issue, doc, lineCounter) {
     suggestion: deriveSuggestion(issue)
   };
 }
-function formatJsonPath(path49) {
-  if (path49.length === 0)
+function formatJsonPath(path50) {
+  if (path50.length === 0)
     return "<root>";
   let out = "";
-  for (const seg of path49) {
+  for (const seg of path50) {
     if (typeof seg === "number") {
       out += `[${seg}]`;
     } else {
@@ -20209,11 +20359,11 @@ function formatJsonPath(path49) {
   }
   return out;
 }
-function resolveYamlLocation(path49, doc, lineCounter) {
+function resolveYamlLocation(path50, doc, lineCounter) {
   let bestLine = 0;
   let bestColumn = 0;
-  for (let depth = path49.length; depth >= 0; depth -= 1) {
-    const segment = path49.slice(0, depth);
+  for (let depth = path50.length; depth >= 0; depth -= 1) {
+    const segment = path50.slice(0, depth);
     try {
       const node = doc.getIn(segment, true);
       if (node && typeof node === "object" && "range" in node) {
@@ -20431,11 +20581,11 @@ function topoSort(nodes) {
 }
 function traceCycle(start, byId) {
   const seen = /* @__PURE__ */ new Set();
-  const path49 = [];
+  const path50 = [];
   let current = start;
   while (current && !seen.has(current)) {
     seen.add(current);
-    path49.push(current);
+    path50.push(current);
     const node = byId.get(current);
     const next = node?.dependsOn[0];
     if (next === void 0)
@@ -20443,10 +20593,10 @@ function traceCycle(start, byId) {
     current = next;
   }
   if (current && seen.has(current)) {
-    const idx = path49.indexOf(current);
-    return [...path49.slice(idx), current];
+    const idx = path50.indexOf(current);
+    return [...path50.slice(idx), current];
   }
-  return path49;
+  return path50;
 }
 
 // ../core/dist/executor/types.js
@@ -22855,10 +23005,10 @@ async function confirm2(message) {
   if (!process.stdin.isTTY) return true;
   const { createInterface: createInterface5 } = await import("node:readline");
   const rl = createInterface5({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve10) => {
+  return new Promise((resolve11) => {
     rl.question(`${message} [y/N] `, (answer) => {
       rl.close();
-      resolve10(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+      resolve11(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
     });
   });
 }
@@ -22977,11 +23127,18 @@ async function runUpgradePullByDigest(deps = {}) {
   }
   infoSpinner.succeed("docker daemon reachable");
   const hasMcpAuthDigest = typeof digests["mcp-auth"] === "string" && digests["mcp-auth"].length > 0;
+  const hasDevboxBaseDigest = typeof digests["devbox-base"] === "string" && digests["devbox-base"].length > 0;
   const baseRefs = [
     { name: "host-cp", ref: `${registry}/olam-host-cp@${digests["host-cp"]}` },
     { name: "auth", ref: `${registry}/olam-auth@${digests.auth}` },
     { name: "devbox", ref: `${registry}/olam-devbox@${digests.devbox}` }
   ];
+  if (hasDevboxBaseDigest) {
+    baseRefs.push({
+      name: "devbox-base",
+      ref: `${registry}/olam-devbox@${digests["devbox-base"]}`
+    });
+  }
   if (hasMcpAuthDigest) {
     baseRefs.push({
       name: "mcp-auth",
@@ -23046,18 +23203,29 @@ async function runUpgradePullByDigest(deps = {}) {
     }
   }
   handshakeSpinner.succeed(`Protocol handshake passed (all ${imageRefs.length} images)`);
+  const refByName = (n) => {
+    const found = imageRefs.find((r) => r.name === n);
+    if (!found) throw new Error(`upgrade: missing imageRefs entry for "${n}"`);
+    return found.ref;
+  };
   const tagPlanBase = [
-    { from: imageRefs[0].ref, to: "olam-host-cp:latest", name: "host-cp (bare)" },
-    { from: imageRefs[0].ref, to: `${registry}/olam-host-cp:latest`, name: "host-cp (registry)" },
-    { from: imageRefs[1].ref, to: "olam-auth:local", name: "auth (bare)" },
-    { from: imageRefs[1].ref, to: `${registry}/olam-auth:latest`, name: "auth (registry)" },
-    { from: imageRefs[2].ref, to: "olam-devbox:latest", name: "devbox (bare)" },
-    { from: imageRefs[2].ref, to: `${registry}/olam-devbox:latest`, name: "devbox (registry)" }
+    { from: refByName("host-cp"), to: "olam-host-cp:latest", name: "host-cp (bare)" },
+    { from: refByName("host-cp"), to: `${registry}/olam-host-cp:latest`, name: "host-cp (registry)" },
+    { from: refByName("auth"), to: "olam-auth:local", name: "auth (bare)" },
+    { from: refByName("auth"), to: `${registry}/olam-auth:latest`, name: "auth (registry)" },
+    { from: refByName("devbox"), to: "olam-devbox:latest", name: "devbox (bare)" },
+    { from: refByName("devbox"), to: `${registry}/olam-devbox:latest`, name: "devbox (registry)" }
   ];
-  if (hasMcpAuthDigest && imageRefs[3]) {
+  if (hasDevboxBaseDigest) {
     tagPlanBase.push(
-      { from: imageRefs[3].ref, to: "olam-mcp-auth:local", name: "mcp-auth (bare)" },
-      { from: imageRefs[3].ref, to: `${registry}/olam-mcp-auth:latest`, name: "mcp-auth (registry)" }
+      { from: refByName("devbox-base"), to: "olam-devbox:base", name: "devbox-base (bare)" },
+      { from: refByName("devbox-base"), to: `${registry}/olam-devbox:base`, name: "devbox-base (registry)" }
+    );
+  }
+  if (hasMcpAuthDigest) {
+    tagPlanBase.push(
+      { from: refByName("mcp-auth"), to: "olam-mcp-auth:local", name: "mcp-auth (bare)" },
+      { from: refByName("mcp-auth"), to: `${registry}/olam-mcp-auth:latest`, name: "mcp-auth (registry)" }
     );
   }
   const tagPlan = tagPlanBase;
@@ -25599,8 +25767,8 @@ var SECRET = process.env["OLAM_MCP_AUTH_SECRET"] ?? "";
 function authHeaders() {
   return SECRET ? { "X-Olam-Mcp-Secret": SECRET } : {};
 }
-async function apiFetch(path49, init = {}) {
-  const res = await fetch(`${BASE_URL}${path49}`, {
+async function apiFetch(path50, init = {}) {
+  const res = await fetch(`${BASE_URL}${path50}`, {
     ...init,
     headers: {
       "Content-Type": "application/json",
@@ -25687,7 +25855,7 @@ function registerMcpLogin(cmd) {
 init_output();
 import * as readline2 from "node:readline";
 async function readTokenSilent(prompt) {
-  return new Promise((resolve10, reject) => {
+  return new Promise((resolve11, reject) => {
     const rl = readline2.createInterface({
       input: process.stdin,
       output: process.stdout,
@@ -25705,7 +25873,7 @@ async function readTokenSilent(prompt) {
         process.stdin.removeListener("data", onData);
         process.stdout.write("\n");
         rl.close();
-        resolve10(token);
+        resolve11(token);
       } else if (char === "") {
         if (process.stdin.isTTY) process.stdin.setRawMode(false);
         process.stdin.removeListener("data", onData);
@@ -25980,7 +26148,7 @@ async function discoverMcpSources(repoPaths) {
 import { spawn as spawn6 } from "node:child_process";
 var VALIDATION_TIMEOUT_MS = 5e3;
 async function validateMcpEntry(entry) {
-  return new Promise((resolve10) => {
+  return new Promise((resolve11) => {
     let stdout = "";
     let timedOut = false;
     let child;
@@ -25990,7 +26158,7 @@ async function validateMcpEntry(entry) {
         env: { ...process.env, ...entry.env ?? {} }
       });
     } catch (err) {
-      resolve10({
+      resolve11({
         name: entry.name,
         validated: false,
         reason: err instanceof Error ? err.message : "spawn failed"
@@ -26007,11 +26175,11 @@ async function validateMcpEntry(entry) {
     child.on("close", (code) => {
       clearTimeout(timer);
       if (timedOut) {
-        resolve10({ name: entry.name, validated: false, reason: "timeout (5s)" });
+        resolve11({ name: entry.name, validated: false, reason: "timeout (5s)" });
         return;
       }
       const validated = code === 0 && stdout.trim().length > 0;
-      resolve10({
+      resolve11({
         name: entry.name,
         validated,
         reason: validated ? "ok" : `exit code ${code ?? "null"}`
@@ -26019,7 +26187,7 @@ async function validateMcpEntry(entry) {
     });
     child.on("error", (err) => {
       clearTimeout(timer);
-      resolve10({ name: entry.name, validated: false, reason: err.message });
+      resolve11({ name: entry.name, validated: false, reason: err.message });
     });
   });
 }
@@ -26034,11 +26202,11 @@ async function multiSelectPicker(entries) {
     );
   });
   console.log("\n" + pc29.dim('Enter numbers to import (e.g. 1,2,3 or "all" or Enter to skip):'));
-  const answer = await new Promise((resolve10) => {
+  const answer = await new Promise((resolve11) => {
     const rl = readline3.createInterface({ input: process.stdin, output: process.stdout });
     rl.question("> ", (ans) => {
       rl.close();
-      resolve10(ans.trim());
+      resolve11(ans.trim());
     });
   });
   if (!answer || answer === "") return [];
@@ -26176,19 +26344,217 @@ function registerMcp(program2) {
   registerMcpRevoke(mcp);
 }
 
+// src/commands/kg-build.ts
+import { spawnSync as spawnSync14 } from "node:child_process";
+import fs46 from "node:fs";
+import path48 from "node:path";
+
+// ../core/dist/kg/storage-paths.js
+import { homedir as homedir26 } from "node:os";
+import { join as join48, resolve as resolve10 } from "node:path";
+
+// ../core/dist/world/workspace-name.js
+var InvalidWorkspaceNameError = class extends Error {
+  constructor(name, reason) {
+    super(`invalid workspace name ${JSON.stringify(name)}: ${reason}`);
+    this.name = "InvalidWorkspaceNameError";
+  }
+};
+var WORKSPACE_NAME_RE = /^[a-z0-9][a-z0-9_-]*$/;
+function validateWorkspaceName(name) {
+  if (typeof name !== "string" || name.length === 0) {
+    throw new InvalidWorkspaceNameError(String(name), "must be a non-empty string");
+  }
+  if (!WORKSPACE_NAME_RE.test(name)) {
+    throw new InvalidWorkspaceNameError(name, "must match ^[a-z0-9][a-z0-9_-]*$ (lowercase letters, digits, hyphens, underscores; must start with letter or digit)");
+  }
+}
+
+// ../core/dist/kg/storage-paths.js
+function olamHome3() {
+  return process.env.OLAM_HOME ?? join48(homedir26(), ".olam");
+}
+function kgRoot() {
+  return join48(olamHome3(), "kg");
+}
+function worldsRoot() {
+  return join48(olamHome3(), "worlds");
+}
+function assertWithinPrefix(path50, prefix, label) {
+  if (!path50.startsWith(prefix + "/")) {
+    throw new Error(`${label} escape: ${path50} not under ${prefix}/`);
+  }
+}
+function kgPristinePath(workspace) {
+  validateWorkspaceName(workspace);
+  const root = kgRoot();
+  const path50 = resolve10(join48(root, workspace));
+  assertWithinPrefix(path50, root, "kgPristinePath");
+  return path50;
+}
+var KG_PATHS_INTERNALS = Object.freeze({
+  olamHome: olamHome3,
+  kgRoot,
+  worldsRoot
+});
+
+// src/commands/kg-build.ts
+init_output();
+var DEFAULT_DEVBOX_IMAGE2 = "olam-devbox:latest";
+function resolveWorkspace(arg) {
+  const cwd = process.cwd();
+  const name = arg ?? path48.basename(cwd).toLowerCase();
+  validateWorkspaceName(name);
+  return { name, sourcePath: cwd };
+}
+function copyWorkspaceToScratch(source, scratch) {
+  if (process.platform === "darwin") {
+    const r2 = spawnSync14("cp", ["-c", "-r", source + "/.", scratch], {
+      stdio: ["ignore", "ignore", "pipe"],
+      encoding: "utf-8"
+    });
+    if (r2.status === 0) return "cp-c-r-reflink";
+  }
+  const r = spawnSync14("cp", ["-r", source + "/.", scratch], {
+    stdio: ["ignore", "ignore", "pipe"],
+    encoding: "utf-8"
+  });
+  if (r.status !== 0) {
+    throw new Error(`cp -r failed: ${(r.stderr ?? "").trim() || r.error?.message}`);
+  }
+  return "cp-r";
+}
+function parseNodeCount(graphifyOutDir) {
+  const graphPath = path48.join(graphifyOutDir, "graph.json");
+  if (!fs46.existsSync(graphPath)) return null;
+  try {
+    const content = fs46.readFileSync(graphPath, "utf-8");
+    const data = JSON.parse(content);
+    return Array.isArray(data.nodes) ? data.nodes.length : null;
+  } catch {
+    return null;
+  }
+}
+function readGraphifyVersion(image) {
+  const r = spawnSync14(
+    "docker",
+    [
+      "run",
+      "--rm",
+      "--entrypoint=/opt/graphify-venv/bin/pip",
+      image,
+      "show",
+      "graphifyy"
+    ],
+    { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] }
+  );
+  if (r.status !== 0) return "unknown";
+  const m = (r.stdout ?? "").match(/^Version:\s*(\S+)/m);
+  return m?.[1] ?? "unknown";
+}
+async function runKgBuild(workspaceArg, options = {}) {
+  const image = options.image ?? DEFAULT_DEVBOX_IMAGE2;
+  let workspace;
+  try {
+    workspace = resolveWorkspace(workspaceArg);
+  } catch (err) {
+    printError(err instanceof Error ? err.message : String(err));
+    return { exitCode: 2 };
+  }
+  const outDir = kgPristinePath(workspace.name);
+  const scratchDir = path48.join(outDir, "scratch");
+  fs46.mkdirSync(outDir, { recursive: true });
+  if (fs46.existsSync(scratchDir)) fs46.rmSync(scratchDir, { recursive: true, force: true });
+  fs46.mkdirSync(scratchDir);
+  const human = !options.json;
+  if (human) {
+    printInfo("kg build", `workspace=${workspace.name} source=${workspace.sourcePath}`);
+    printInfo("kg build", `scratch=${scratchDir} \u2192 out=${outDir}/graphify-out/`);
+  }
+  const started = Date.now();
+  let scratchStrategy;
+  try {
+    scratchStrategy = copyWorkspaceToScratch(workspace.sourcePath, scratchDir);
+    if (human) printInfo("kg build", `copied via ${scratchStrategy}`);
+    const dockerArgs = [
+      "run",
+      "--rm",
+      "-v",
+      `${scratchDir}:/work`,
+      "-w",
+      "/work",
+      "--entrypoint=graphify",
+      image,
+      "update",
+      "."
+    ];
+    const r = human ? spawnSync14("docker", dockerArgs, { stdio: "inherit" }) : spawnSync14("docker", dockerArgs, { stdio: ["ignore", "ignore", "pipe"] });
+    if (r.status !== 0) {
+      printError(`graphify update failed (exit ${r.status})`);
+      return { exitCode: r.status ?? 1 };
+    }
+    const scratchOut = path48.join(scratchDir, "graphify-out");
+    const finalOut = path48.join(outDir, "graphify-out");
+    if (!fs46.existsSync(scratchOut)) {
+      printError(`graphify produced no graphify-out/ in scratch (${scratchOut})`);
+      return { exitCode: 1 };
+    }
+    if (fs46.existsSync(finalOut)) fs46.rmSync(finalOut, { recursive: true, force: true });
+    fs46.renameSync(scratchOut, finalOut);
+    const durationMs = Date.now() - started;
+    const nodeCount = parseNodeCount(finalOut);
+    const version = readGraphifyVersion(image);
+    const freshness = {
+      built_at: (/* @__PURE__ */ new Date()).toISOString(),
+      duration_ms: durationMs,
+      node_count: nodeCount,
+      graphify_version: version,
+      workspace: workspace.name,
+      scratch_strategy: scratchStrategy
+    };
+    fs46.writeFileSync(
+      path48.join(outDir, "freshness.json"),
+      JSON.stringify(freshness, null, 2) + "\n",
+      "utf-8"
+    );
+    if (options.json) {
+      process.stdout.write(JSON.stringify(freshness) + "\n");
+    } else {
+      printSuccess(
+        `kg build ${workspace.name} \u2014 ${nodeCount ?? "?"} nodes in ${(durationMs / 1e3).toFixed(1)}s (graphify ${version})`
+      );
+      printInfo("output", `${finalOut}/graph.json`);
+    }
+    return { exitCode: 0, freshness, outputDir: finalOut };
+  } finally {
+    if (fs46.existsSync(scratchDir)) {
+      fs46.rmSync(scratchDir, { recursive: true, force: true });
+    }
+  }
+}
+function registerKg(program2) {
+  const kg = program2.command("kg").description("Knowledge-graph operations (graphify-backed)");
+  kg.command("build").description(
+    "Build pristine KG for a workspace (default: current dir). Scratch-dir pattern; ~/.olam/kg/<ws>/graphify-out/"
+  ).argument("[workspace]", "workspace name (lowercase alphanumeric + hyphens/underscores)").option("--image <ref>", `devbox image to invoke (default: ${DEFAULT_DEVBOX_IMAGE2})`).option("--json", "emit freshness record as JSON instead of human-readable status").action(async (workspaceArg, opts) => {
+    const r = await runKgBuild(workspaceArg, opts);
+    if (r.exitCode !== 0) process.exitCode = r.exitCode;
+  });
+}
+
 // src/pleri-config.ts
-import * as fs46 from "node:fs";
-import * as path48 from "node:path";
+import * as fs47 from "node:fs";
+import * as path49 from "node:path";
 function isPleriConfigured(configDir = process.env.OLAM_CONFIG_DIR ?? ".olam") {
   if (process.env.PLERI_BASE_URL) {
     return true;
   }
-  const configPath = path48.join(configDir, "config.yaml");
-  if (!fs46.existsSync(configPath)) {
+  const configPath = path49.join(configDir, "config.yaml");
+  if (!fs47.existsSync(configPath)) {
     return false;
   }
   try {
-    const contents = fs46.readFileSync(configPath, "utf8");
+    const contents = fs47.readFileSync(configPath, "utf8");
     return /^[^#\n]*\bpleri:/m.test(contents);
   } catch {
     return false;
@@ -26230,6 +26596,7 @@ registerBegin(program);
 registerStop(program);
 registerWorldUpgrade(program);
 registerMcp(program);
+registerKg(program);
 registerConfig(program);
 registerRepos(program);
 registerRunbooks(program);