@pleri/olam-cli 0.1.119 → 0.1.125

package/dist/index.js

@@ -21,11 +21,11 @@ import * as path from "node:path";
 import { fileURLToPath } from "node:url";
 function readCliVersion() {
   try {
-    const here2 = path.dirname(fileURLToPath(import.meta.url));
+    const here3 = path.dirname(fileURLToPath(import.meta.url));
     for (const candidate of [
-      path.join(here2, "package.json"),
-      path.join(here2, "..", "package.json"),
-      path.join(here2, "..", "..", "package.json")
+      path.join(here3, "package.json"),
+      path.join(here3, "..", "package.json"),
+      path.join(here3, "..", "..", "package.json")
     ]) {
       if (fs.existsSync(candidate)) {
         const pkg = JSON.parse(fs.readFileSync(candidate, "utf-8"));
@@ -4276,7 +4276,7 @@ var init_version2 = __esm({
 
 // ../core/dist/world/repo-manifest.js
 import { existsSync as existsSync2, lstatSync, readFileSync as readFileSync2 } from "node:fs";
-import { join as join2 } from "node:path";
+import { join as join2, resolve, sep } from "node:path";
 import YAML from "yaml";
 function bootstrapStepCmd(entry) {
   return typeof entry === "string" ? entry : entry.cmd;
@@ -4322,6 +4322,23 @@ function rejectForbiddenKeys(value, path56, rejectSource) {
 function unknownTopLevelKeys(parsed) {
   return Object.keys(parsed).filter((k) => !KNOWN_TOP_LEVEL_KEYS.has(k));
 }
+function deepMergeManifest(base, overlay) {
+  const out = { ...base };
+  for (const key of Object.keys(overlay)) {
+    if (FORBIDDEN_KEYS.has(key))
+      continue;
+    const overlayValue = overlay[key];
+    if (overlayValue === void 0)
+      continue;
+    const baseValue = base[key];
+    const bothObjects = isPlainObject(baseValue) && isPlainObject(overlayValue);
+    out[key] = bothObjects ? deepMergeManifest(baseValue, overlayValue) : overlayValue;
+  }
+  return out;
+}
+function isPlainObject(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value) && Object.getPrototypeOf(value) === Object.prototype;
+}
 function loadRepoManifest(repoDir) {
   const olamPath = join2(repoDir, ".olam.yaml");
   const adbPath = join2(repoDir, ".adb.yaml");
@@ -4352,7 +4369,37 @@ function loadRepoManifest(repoDir) {
     throw new Error(`[manifest] ${manifestPath2}: expected a YAML mapping at the top level`);
   }
   rejectForbiddenKeys(parsed, manifestPath2, true);
-  const body = RepoManifestSchema.parse(parsed);
+  let mergedParsed = parsed;
+  const inheritsRaw = parsed["inherits"];
+  if (typeof inheritsRaw === "string" && inheritsRaw.length > 0) {
+    if (source !== "olam") {
+      throw new Error(`[manifest] ${manifestPath2}: \`inherits\` only valid in .olam.yaml (found in .adb.yaml \u2014 drop the field)`);
+    }
+    const inheritedAbs = resolve(repoDir, inheritsRaw);
+    const repoDirAbs = resolve(repoDir);
+    if (!inheritedAbs.startsWith(repoDirAbs + sep) && inheritedAbs !== repoDirAbs) {
+      throw new Error(`[manifest] ${manifestPath2}: inherits target "${inheritsRaw}" escapes repo dir`);
+    }
+    if (!existsSync2(inheritedAbs)) {
+      throw new Error(`[manifest] ${manifestPath2}: inherits target "${inheritsRaw}" not found`);
+    }
+    const inheritedStat = lstatSync(inheritedAbs);
+    if (inheritedStat.isSymbolicLink()) {
+      throw new Error(`[manifest] ${manifestPath2}: inherits target "${inheritsRaw}" is a symlink (not permitted)`);
+    }
+    const inheritedRaw = readFileSync2(inheritedAbs, "utf-8");
+    const inheritedParsed = YAML.parse(inheritedRaw, { maxAliasCount: 100 });
+    if (inheritedParsed !== null && inheritedParsed !== void 0) {
+      if (typeof inheritedParsed !== "object" || Array.isArray(inheritedParsed)) {
+        throw new Error(`[manifest] ${inheritedAbs}: expected a YAML mapping at the top level`);
+      }
+      rejectForbiddenKeys(inheritedParsed, inheritedAbs, true);
+      const overlay = { ...parsed };
+      delete overlay["inherits"];
+      mergedParsed = deepMergeManifest(inheritedParsed, overlay);
+    }
+  }
+  const body = RepoManifestSchema.parse(mergedParsed);
   if (parsed["version"] === void 0) {
     console.warn(`[manifest] ${manifestPath2}: missing "version: ${MANIFEST_VERSION}" field \u2014 add it to suppress this warning (backward-compat: file still parses)`);
   }
@@ -4390,7 +4437,44 @@ var init_repo_manifest = __esm({
       // - 'world'  (default): container is per-world (today's behaviour).
       // - 'shared': container is shared across worlds (consumed by later phases).
       // TODO(phase-D): enforce shared-service deduplication in planManifestPipeline.
-      scope: external_exports.enum(["world", "shared"]).optional()
+      scope: external_exports.enum(["world", "shared"]).optional(),
+      // olam-hybrid-shared-postgres Phase A task A8.
+      // Declares which postgres template DB(s) Olam should clone at world
+      // create time. Consumed by `applyPostgresTemplateClone` (task A3 in
+      // manager.ts) which runs `CREATE DATABASE <world-db> TEMPLATE <name>`
+      // per entry. Accepts either a single string (single-DB repo) or an
+      // array (atlas-core → ['atlas_common_seed', 'atlas_merchant_seed'];
+      // atlas-pay → adds 'atlas_pay_seed' per Phase B Decision 17).
+      seed_template: external_exports.union([external_exports.string().min(1), external_exports.array(external_exports.string().min(1)).nonempty()]).optional(),
+      // Optional hash bound to the seed_template content for cross-machine
+      // drift detection. The A1 bake script writes this value via .adb.yaml
+      // post-bake (operator pastes from seed/seed-hash.txt; auto-write CI
+      // tool is a Phase D follow-up per the plan's Out of scope).
+      seed_template_hash: external_exports.string().optional(),
+      // olam-hybrid-shared-postgres Phase A task A5 (closes OQ15 plan-killer).
+      // Per-clone SQL hook: after `CREATE DATABASE <world-db> TEMPLATE <seed>`,
+      // run these statements against the cloned world-DB. Atlas-core uses this
+      // to UPDATE `merchants.identifier` so `Current.merchant` (which resolves
+      // via `Merchant.find_by(identifier: ENV['POSTGRESQL_MERCHANT_DATABASE'])`)
+      // matches the per-world merchant DB name.
+      //
+      // Shape: { <seed_template_name>: [<sql statement>, ...] }
+      // The seed_template_name key selects which cloned DB the statements run
+      // in. Order is preserved within each seed's list.
+      //
+      // Interpolation in statements:
+      //   ${WORLD_ID}                  → world id (e.g. frost-oak-5916)
+      //   ${WORLD_DB:<seed>}           → corresponding world-DB name for that seed
+      //                                  (e.g. ${WORLD_DB:atlas_merchant_seed} →
+      //                                  atlas_merchant_world_frost-oak-5916)
+      //
+      // SECURITY INVARIANT: statements come from the operator's own checked-out
+      // `.olam.yaml` (same trust class as `BootstrapStep.cmd`). They run as the
+      // singleton's `development` superuser today; A4's per-world role lands
+      // later in the seam. Statements are NOT exposed to operator-controlled
+      // env variables — only the two whitelisted placeholders above. No shell
+      // expansion, no DOLLAR-name expansion.
+      post_clone_sql: external_exports.record(external_exports.string().min(1), external_exports.array(external_exports.string().min(1))).optional()
     }).passthrough();
     deploySchema = external_exports.object({
       tags: external_exports.array(external_exports.string()).optional()
@@ -4442,7 +4526,12 @@ var init_repo_manifest = __esm({
       "secrets",
       "bootstrap",
       "start",
-      "deploy"
+      "deploy",
+      // F-7 (olam-hybrid-shared-postgres dogfood finding): native inheritance —
+      // `.olam.yaml` may declare `inherits: .adb.yaml` to deep-merge an adb-shaped
+      // base manifest into itself. Retires the atlas-one `bin/olam-create-wrap.sh`
+      // stopgap. See the inheritance resolver in `loadRepoManifest`.
+      "inherits"
     ]);
     FORBIDDEN_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
   }
@@ -5198,7 +5287,7 @@ async function safeText(res) {
   }
 }
 function sleep(ms) {
-  return new Promise((resolve12) => setTimeout(resolve12, ms));
+  return new Promise((resolve14) => setTimeout(resolve14, ms));
 }
 var DEFAULT_BASE_URL, DEFAULT_TIMEOUT_MS, RETRY_COUNT, RETRY_BACKOFF_MS, AuthClient;
 var init_client = __esm({
@@ -5345,12 +5434,12 @@ import { existsSync as existsSync9 } from "node:fs";
 import * as path9 from "node:path";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
 function resolveAuthServicePath() {
-  const here2 = fileURLToPath2(import.meta.url);
-  const pkgsDir = path9.resolve(path9.dirname(here2), "..", "..", "..");
+  const here3 = fileURLToPath2(import.meta.url);
+  const pkgsDir = path9.resolve(path9.dirname(here3), "..", "..", "..");
   return path9.join(pkgsDir, "auth-service");
 }
 function sleep2(ms) {
-  return new Promise((resolve12) => setTimeout(resolve12, ms));
+  return new Promise((resolve14) => setTimeout(resolve14, ms));
 }
 var DEFAULT_PORT, DEFAULT_VOLUME, DEFAULT_CONTAINER, DEFAULT_IMAGE, AuthContainerController;
 var init_container = __esm({
@@ -5648,7 +5737,7 @@ var init_network = __esm({
 // ../adapters/dist/docker/pull.js
 import { spawn } from "node:child_process";
 function spawnAsync(cmd, args, opts = {}) {
-  return new Promise((resolve12) => {
+  return new Promise((resolve14) => {
     const child = spawn(cmd, [...args], {
       stdio: ["ignore", "pipe", "pipe"],
       signal: opts.signal
@@ -5662,10 +5751,10 @@ function spawnAsync(cmd, args, opts = {}) {
       stderr += chunk.toString();
     });
     child.on("error", (err) => {
-      resolve12({ exitCode: -1, stdout, stderr: stderr + err.message });
+      resolve14({ exitCode: -1, stdout, stderr: stderr + err.message });
     });
     child.on("close", (code) => {
-      resolve12({ exitCode: code ?? -1, stdout, stderr });
+      resolve14({ exitCode: code ?? -1, stdout, stderr });
     });
   });
 }
@@ -6050,7 +6139,7 @@ var demuxStream, execInContainer;
 var init_exec = __esm({
   "../adapters/dist/docker/exec.js"() {
     "use strict";
-    demuxStream = (stream) => new Promise((resolve12, reject) => {
+    demuxStream = (stream) => new Promise((resolve14, reject) => {
       const stdoutChunks = [];
       const stderrChunks = [];
       const stdout = new PassThrough();
@@ -6064,7 +6153,7 @@ var init_exec = __esm({
         stream.pipe(stdout);
       }
       stream.on("end", () => {
-        resolve12({
+        resolve14({
           stdout: Buffer.concat(stdoutChunks).toString("utf-8"),
           stderr: Buffer.concat(stderrChunks).toString("utf-8")
         });
@@ -6260,6 +6349,19 @@ var init_provider = __esm({
         }
         const mergedEnv = { ...serviceEnv, ...config.env };
         const container = await createWorldContainer(this.docker, id, name, config.image, mergedEnv, config.resources, config.workspacePath, config.portOffset, config.appPorts, config.cacheArch);
+        for (const networkName3 of config.extraNetworks ?? []) {
+          try {
+            const network = this.docker.getNetwork(networkName3);
+            await network.connect({ Container: container.id });
+          } catch (err) {
+            const statusCode = err.statusCode;
+            if (statusCode === 404) {
+              throw new Error(`extra network "${networkName3}" not found \u2014 run \`olam bootstrap\` to recreate it`);
+            }
+            if (statusCode !== 403)
+              throw err;
+          }
+        }
         return new DockerWorld(id, name, container, "running");
       }
       // -----------------------------------------------------------------------
@@ -6496,7 +6598,7 @@ var init_connection = __esm({
       // -----------------------------------------------------------------------
       async exec(host, command) {
         const client = await this.getConnection(host);
-        return new Promise((resolve12, reject) => {
+        return new Promise((resolve14, reject) => {
           client.exec(command, (err, stream) => {
             if (err) {
               reject(new Error(`SSH exec failed on ${host}: ${err.message}`));
@@ -6511,7 +6613,7 @@ var init_connection = __esm({
               stderr += data.toString();
             });
             stream.on("close", (code) => {
-              resolve12({
+              resolve14({
                 exitCode: code ?? 0,
                 stdout: stdout.trimEnd(),
                 stderr: stderr.trimEnd()
@@ -6542,10 +6644,10 @@ var init_connection = __esm({
           throw new Error(`No SSH configuration found for host: ${host}`);
         }
         const client = new SSHClient();
-        return new Promise((resolve12, reject) => {
+        return new Promise((resolve14, reject) => {
           client.on("ready", () => {
             this.connections.set(host, client);
-            resolve12(client);
+            resolve14(client);
           }).on("error", (err) => {
             this.connections.delete(host);
             reject(new Error(`SSH connection to ${host} failed: ${err.message}`));
@@ -7270,6 +7372,7 @@ function rowToMetadata(row) {
   let readinessChain;
   let expectedServices;
   let appPortUrls;
+  let worldDbNames;
   try {
     if (row.readiness_chain)
       readinessChain = JSON.parse(row.readiness_chain);
@@ -7285,6 +7388,11 @@ function rowToMetadata(row) {
       appPortUrls = JSON.parse(row.app_port_urls);
   } catch {
   }
+  try {
+    if (row.world_db_names)
+      worldDbNames = JSON.parse(row.world_db_names);
+  } catch {
+  }
   return {
     id: row.id,
     name: row.name,
@@ -7307,7 +7415,9 @@ function rowToMetadata(row) {
     autoDestroyOnMerge: (row.auto_destroy_on_merge ?? 1) !== 0,
     ...readinessChain !== void 0 ? { readinessChain } : {},
     ...expectedServices !== void 0 ? { expectedServices } : {},
-    ...appPortUrls !== void 0 ? { appPortUrls } : {}
+    ...appPortUrls !== void 0 ? { appPortUrls } : {},
+    ...worldDbNames !== void 0 ? { worldDbNames } : {},
+    ...row.world_role_name ? { worldRoleName: row.world_role_name } : {}
   };
 }
 var _require, _Database, SCHEMA_VERSION, CREATE_TABLE, CREATE_META, WorldRegistry;
@@ -7359,7 +7469,17 @@ CREATE TABLE IF NOT EXISTS meta (
         this.db.pragma("foreign_keys = ON");
         this.db.exec(CREATE_TABLE);
         this.db.exec(CREATE_META);
-        for (const col of ["readiness_chain TEXT", "expected_services TEXT", "app_port_urls TEXT", "tailscale_paths TEXT"]) {
+        for (const col of [
+          "readiness_chain TEXT",
+          "expected_services TEXT",
+          "app_port_urls TEXT",
+          "tailscale_paths TEXT",
+          // olam-hybrid-shared-postgres Phase A task A7. JSON-serialised string for
+          // world_db_names (SQLite has no native array; matches repos column shape).
+          // TEXT[] would fail at DDL time (closes OQ13/OQ22 / FS-03).
+          "world_db_names TEXT",
+          "world_role_name TEXT"
+        ]) {
           try {
             this.db.exec(`ALTER TABLE worlds ADD COLUMN ${col}`);
           } catch {
@@ -7385,8 +7505,9 @@ CREATE TABLE IF NOT EXISTS meta (
          (id, name, status, repos, branch, port_offset, workspace_path,
           compute_provider, total_cost_usd, thought_count, created_at, updated_at,
           pr_url, pr_number, pr_repo, pr_created_at, pr_state, pr_merged_at, auto_destroy_on_merge,
-          readiness_chain, expected_services, app_port_urls)
-         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(world.id, world.name, world.status, JSON.stringify(world.repos), world.branch, world.portOffset, world.workspacePath, world.computeProvider, world.totalCostUsd, world.thoughtCount, world.createdAt, world.updatedAt, world.prUrl ?? null, world.prNumber ?? null, world.prRepo ?? null, world.prCreatedAt ?? null, world.prState ?? "none", world.prMergedAt ?? null, world.autoDestroyOnMerge === false ? 0 : 1, world.readinessChain !== void 0 ? JSON.stringify(world.readinessChain) : null, world.expectedServices !== void 0 ? JSON.stringify(world.expectedServices) : null, world.appPortUrls !== void 0 ? JSON.stringify(world.appPortUrls) : null);
+          readiness_chain, expected_services, app_port_urls,
+          world_db_names, world_role_name)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(world.id, world.name, world.status, JSON.stringify(world.repos), world.branch, world.portOffset, world.workspacePath, world.computeProvider, world.totalCostUsd, world.thoughtCount, world.createdAt, world.updatedAt, world.prUrl ?? null, world.prNumber ?? null, world.prRepo ?? null, world.prCreatedAt ?? null, world.prState ?? "none", world.prMergedAt ?? null, world.autoDestroyOnMerge === false ? 0 : 1, world.readinessChain !== void 0 ? JSON.stringify(world.readinessChain) : null, world.expectedServices !== void 0 ? JSON.stringify(world.expectedServices) : null, world.appPortUrls !== void 0 ? JSON.stringify(world.appPortUrls) : null, world.worldDbNames !== void 0 ? JSON.stringify(world.worldDbNames) : null, world.worldRoleName ?? null);
       }
       update(worldId, updates) {
         const setClauses = [];
@@ -7411,9 +7532,12 @@ CREATE TABLE IF NOT EXISTS meta (
           autoDestroyOnMerge: "auto_destroy_on_merge",
           readinessChain: "readiness_chain",
           expectedServices: "expected_services",
-          appPortUrls: "app_port_urls"
+          appPortUrls: "app_port_urls",
+          // olam-hybrid-shared-postgres Phase A task A7.
+          worldDbNames: "world_db_names",
+          worldRoleName: "world_role_name"
         };
-        const jsonColumns = /* @__PURE__ */ new Set(["repos", "readinessChain", "expectedServices", "appPortUrls"]);
+        const jsonColumns = /* @__PURE__ */ new Set(["repos", "readinessChain", "expectedServices", "appPortUrls", "worldDbNames"]);
         for (const [key, col] of Object.entries(columnMap)) {
           const val = updates[key];
           if (val !== void 0) {
@@ -8300,7 +8424,7 @@ var init_workspace_name = __esm({
 
 // ../core/dist/kg/storage-paths.js
 import { homedir as homedir9 } from "node:os";
-import { join as join16, resolve as resolve4 } from "node:path";
+import { join as join16, resolve as resolve5 } from "node:path";
 function olamHome() {
   return process.env.OLAM_HOME ?? join16(homedir9(), ".olam");
 }
@@ -8318,7 +8442,7 @@ function assertWithinPrefix(path56, prefix, label) {
 function kgPristinePath(workspace) {
   validateWorkspaceName(workspace);
   const root = kgRoot();
-  const path56 = resolve4(join16(root, workspace));
+  const path56 = resolve5(join16(root, workspace));
   assertWithinPrefix(path56, root, "kgPristinePath");
   return path56;
 }
@@ -8471,8 +8595,8 @@ import { execFileSync as execFileSync5 } from "node:child_process";
 import * as fs15 from "node:fs";
 import * as os9 from "node:os";
 import * as path16 from "node:path";
-function expandHome(p, homedir30) {
-  return p.replace(/^~(?=$|\/|\\)/, homedir30());
+function expandHome(p, homedir32) {
+  return p.replace(/^~(?=$|\/|\\)/, homedir32());
 }
 function sanitizeRepoFilename(name) {
   const sanitized = name.replace(/[^A-Za-z0-9._-]/g, "_");
@@ -8495,7 +8619,7 @@ ${stderr}`;
 }
 function snapshotBaselineDiff(repos, workspacePath, deps = {}) {
   const exec = deps.exec ?? ((cmd, args, opts) => execFileSync5(cmd, args, opts));
-  const homedir30 = deps.homedir ?? (() => os9.homedir());
+  const homedir32 = deps.homedir ?? (() => os9.homedir());
   const baselineDir = path16.join(workspacePath, ".olam", "baseline");
   try {
     fs15.mkdirSync(baselineDir, { recursive: true });
@@ -8511,7 +8635,7 @@ function snapshotBaselineDiff(repos, workspacePath, deps = {}) {
       continue;
     const filename = `${sanitizeRepoFilename(repo.name)}.diff`;
     const outPath = path16.join(baselineDir, filename);
-    const repoPath = expandHome(repo.path, homedir30);
+    const repoPath = expandHome(repo.path, homedir32);
     if (!fs15.existsSync(repoPath)) {
       writeBaselineFile(outPath, `# repo: ${repo.name}
 # (skipped: path ${repoPath} does not exist)
@@ -9411,8 +9535,8 @@ function computeGemsFingerprint(repoDir, imageDigest) {
   return hashBuffers(entries);
 }
 function computeNodeFingerprint(repoDir, imageDigest) {
-  const candidates = ["yarn.lock", "pnpm-lock.yaml", "package-lock.json"];
-  for (const name of candidates) {
+  const candidates2 = ["yarn.lock", "pnpm-lock.yaml", "package-lock.json"];
+  for (const name of candidates2) {
     const lockfile = path18.join(repoDir, name);
     if (fs17.existsSync(lockfile)) {
       const entries = [
@@ -10566,7 +10690,7 @@ async function startSupervisedApps(containerName, worldId, repos, exec, options
   const probeTimeoutMs = options.probeTimeoutMs ?? 3e4;
   const probeIntervalMs = options.probeIntervalMs ?? 1e3;
   const clock = options.clock ?? Date.now;
-  const sleep4 = options.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
+  const sleep5 = options.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
   for (const repo of repos) {
     if (isPortBound(exec, containerName, repo.hostPort)) {
       throw new PortInUseError(repo.hostPort, repo.name, repo.manifestPath);
@@ -10591,7 +10715,7 @@ async function startSupervisedApps(containerName, worldId, repos, exec, options
     probeTimeoutMs,
     probeIntervalMs,
     clock,
-    sleep: sleep4
+    sleep: sleep5
   })));
   return {
     sessionName,
@@ -10658,16 +10782,20 @@ __export(manager_exports, {
   WorkspaceNotFoundError: () => WorkspaceNotFoundError,
   WorldManager: () => WorldManager,
   applyPostgresNetworkOverrides: () => applyPostgresNetworkOverrides,
+  applyPostgresTemplateClone: () => applyPostgresTemplateClone,
+  applyPostgresWorldRole: () => applyPostgresWorldRole,
   buildManifestRuntimeForTest: () => buildManifestRuntime,
   cleanupWorldTailscale: () => cleanupWorldTailscale,
   deriveReadinessChain: () => deriveReadinessChain,
+  deriveWorldRoleName: () => deriveWorldRoleName,
   exposeWorldOverTailscale: () => exposeWorldOverTailscale,
   getTokenScopes: () => getTokenScopes,
   planManifestPipeline: () => planManifestPipeline,
+  redactCreateRolePassword: () => redactCreateRolePassword,
   runManifestRuntime: () => runManifestRuntime
 });
 import * as crypto5 from "node:crypto";
-import { execSync as execSync5 } from "node:child_process";
+import { execSync as execSync5, spawnSync as spawnSync4 } from "node:child_process";
 import * as fs23 from "node:fs";
 import * as os13 from "node:os";
 import * as path24 from "node:path";
@@ -11059,13 +11187,13 @@ function cleanupWorldTailscale(worldId, registry, _exec = execSync5) {
   }
 }
 function resolveTailscaleBin(_exec = execSync5) {
-  const candidates = [
+  const candidates2 = [
     process.env["TAILSCALE_BIN"],
     "/Applications/Tailscale.app/Contents/MacOS/Tailscale",
     "/usr/local/bin/tailscale",
     "/opt/homebrew/bin/tailscale"
   ];
-  for (const c of candidates) {
+  for (const c of candidates2) {
     if (!c)
       continue;
     try {
@@ -11076,16 +11204,268 @@ function resolveTailscaleBin(_exec = execSync5) {
   }
   return void 0;
 }
-function applyPostgresNetworkOverrides(worldEnv, enrichedRepos) {
+function applyPostgresNetworkOverrides(worldEnv, enrichedRepos, worldId) {
   const hasPostgres = enrichedRepos.some((r) => r.manifest?.services?.["postgres"] !== void 0);
   if (!hasPostgres)
     return;
-  worldEnv["POSTGRESQL_HOST"] = "postgres";
+  const hasSeedTemplate = enrichedRepos.some((r) => {
+    const pg = r.manifest?.services?.["postgres"];
+    return pg?.seed_template !== void 0;
+  });
+  const host = hasSeedTemplate ? "olam-postgres" : "postgres";
+  worldEnv["POSTGRESQL_HOST"] = host;
   worldEnv["POSTGRESQL_PORT"] = "5432";
-  if ("POSTGRESQL_COMMON_HOST" in worldEnv)
-    worldEnv["POSTGRESQL_COMMON_HOST"] = "postgres";
-  if ("POSTGRESQL_COMMON_PORT" in worldEnv)
+  if (hasSeedTemplate) {
+    worldEnv["POSTGRESQL_COMMON_HOST"] = host;
     worldEnv["POSTGRESQL_COMMON_PORT"] = "5432";
+    if (worldId !== void 0) {
+      assertSafeWorldId(worldId);
+      const seedTemplates = /* @__PURE__ */ new Set();
+      for (const repo of enrichedRepos) {
+        const pg = repo.manifest?.services?.["postgres"];
+        const raw = pg?.seed_template;
+        if (typeof raw === "string")
+          seedTemplates.add(raw);
+        else if (Array.isArray(raw)) {
+          for (const s of raw)
+            if (typeof s === "string")
+              seedTemplates.add(s);
+        }
+      }
+      for (const seed of seedTemplates) {
+        const match2 = seed.match(/^atlas_([a-z][a-z0-9_]*?)_seed$/i);
+        if (match2 && match2[1] !== void 0) {
+          const purpose = match2[1].toUpperCase();
+          const envKey = `POSTGRESQL_${purpose}_DATABASE`;
+          worldEnv[envKey] = deriveWorldDbName(seed, worldId);
+        }
+      }
+    }
+  } else {
+    if ("POSTGRESQL_COMMON_HOST" in worldEnv)
+      worldEnv["POSTGRESQL_COMMON_HOST"] = "postgres";
+    if ("POSTGRESQL_COMMON_PORT" in worldEnv)
+      worldEnv["POSTGRESQL_COMMON_PORT"] = "5432";
+  }
+}
+function applyPostgresTemplateClone(worldId, enrichedRepos, options = {}) {
+  assertSafeWorldId(worldId);
+  const container = options.singletonContainer ?? "olam-postgres";
+  const user = options.postgresUser ?? "development";
+  const seedTemplates = [];
+  const postCloneSqlBySeed = /* @__PURE__ */ new Map();
+  for (const repo of enrichedRepos) {
+    const pg = repo.manifest?.services?.["postgres"];
+    if (!pg?.seed_template)
+      continue;
+    const list = Array.isArray(pg.seed_template) ? pg.seed_template : [pg.seed_template];
+    for (const t of list) {
+      if (typeof t === "string" && t.length > 0 && !seedTemplates.includes(t)) {
+        seedTemplates.push(t);
+      }
+    }
+    if (pg.post_clone_sql && typeof pg.post_clone_sql === "object") {
+      for (const [seedKey, sqlList] of Object.entries(pg.post_clone_sql)) {
+        if (!Array.isArray(sqlList))
+          continue;
+        const existing = postCloneSqlBySeed.get(seedKey) ?? [];
+        for (const stmt of sqlList) {
+          if (typeof stmt === "string" && stmt.length > 0)
+            existing.push(stmt);
+        }
+        postCloneSqlBySeed.set(seedKey, existing);
+      }
+    }
+  }
+  if (seedTemplates.length === 0) {
+    return { worldDbNames: [] };
+  }
+  const spawn11 = options.spawn ?? spawnSync4;
+  const seedToWorldDb = /* @__PURE__ */ new Map();
+  for (const seed of seedTemplates) {
+    seedToWorldDb.set(seed, deriveWorldDbName(seed, worldId));
+  }
+  const created = [];
+  for (const seed of seedTemplates) {
+    const worldDb = seedToWorldDb.get(seed);
+    const exists = spawn11("docker", [
+      "exec",
+      container,
+      "psql",
+      "-U",
+      user,
+      "-tAc",
+      `SELECT 1 FROM pg_database WHERE datname='${worldDb}'`
+    ], { encoding: "utf-8" });
+    const dbAlreadyExists = exists.status === 0 && (exists.stdout || "").trim() === "1";
+    if (!dbAlreadyExists) {
+      const sql = `CREATE DATABASE "${worldDb}" TEMPLATE "${seed}"`;
+      const create = spawn11("docker", ["exec", container, "psql", "-U", user, "-d", "postgres", "-v", "ON_ERROR_STOP=1", "-c", sql], { encoding: "utf-8" });
+      if (create.status !== 0) {
+        throw new Error(`failed to CREATE DATABASE "${worldDb}" TEMPLATE "${seed}": ${(create.stderr || "").trim()}`);
+      }
+    }
+    created.push(worldDb);
+    const stmts = postCloneSqlBySeed.get(seed);
+    if (stmts !== void 0 && stmts.length > 0) {
+      for (const rawStmt of stmts) {
+        const stmt = interpolatePostCloneSql(rawStmt, worldId, seedToWorldDb);
+        const fixup = spawn11("docker", ["exec", container, "psql", "-U", user, "-d", worldDb, "-v", "ON_ERROR_STOP=1", "-c", stmt], { encoding: "utf-8" });
+        if (fixup.status !== 0) {
+          throw new Error(`post_clone_sql against "${worldDb}" failed (statement: ${truncate(stmt, 120)}): ${(fixup.stderr || "").trim()}`);
+        }
+      }
+    }
+  }
+  return { worldDbNames: created };
+}
+function interpolatePostCloneSql(stmt, worldId, seedToWorldDb) {
+  return stmt.replace(/\$\{([^}]+)\}/g, (_, expr) => {
+    if (expr === "WORLD_ID")
+      return worldId;
+    const dbMatch = expr.match(/^WORLD_DB:(.+)$/);
+    if (dbMatch && dbMatch[1] !== void 0) {
+      const target = seedToWorldDb.get(dbMatch[1]);
+      if (target === void 0) {
+        throw new Error(`post_clone_sql references seed "${dbMatch[1]}" not declared in seed_template`);
+      }
+      return target;
+    }
+    throw new Error(`post_clone_sql contains unknown placeholder "\${${expr}}" \u2014 only \${WORLD_ID} and \${WORLD_DB:<seed>} are supported`);
+  });
+}
+function truncate(s, max) {
+  return s.length <= max ? s : s.slice(0, max - 1) + "\u2026";
+}
+function deriveWorldRoleName(worldId) {
+  return `olam_world_${worldId}`;
+}
+function applyPostgresWorldRole(worldId, worldDbNames, options = {}) {
+  assertSafeWorldId(worldId);
+  if (worldDbNames.length === 0) {
+    throw new Error(`applyPostgresWorldRole called with empty worldDbNames for "${worldId}" \u2014 should only run when applyPostgresTemplateClone produced clones`);
+  }
+  const spawn11 = options.spawn ?? spawnSync4;
+  const container = options.singletonContainer ?? "olam-postgres";
+  const user = options.postgresUser ?? "development";
+  const genPassword = options.generatePassword ?? defaultPasswordGenerator;
+  const worldRoleName = deriveWorldRoleName(worldId);
+  const password = genPassword();
+  const exists = spawn11("docker", [
+    "exec",
+    container,
+    "psql",
+    "-U",
+    user,
+    "-tAc",
+    `SELECT 1 FROM pg_roles WHERE rolname='${escapeSqlLiteral(worldRoleName)}'`
+  ], { encoding: "utf-8" });
+  const roleExists = exists.status === 0 && (exists.stdout || "").trim() === "1";
+  const escapedPassword = escapeSqlLiteral(password);
+  const roleDdl = roleExists ? `ALTER ROLE "${worldRoleName}" WITH LOGIN PASSWORD '${escapedPassword}' NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION` : `CREATE ROLE "${worldRoleName}" WITH LOGIN PASSWORD '${escapedPassword}' NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION`;
+  const dml = spawn11("docker", ["exec", container, "psql", "-U", user, "-d", "postgres", "-v", "ON_ERROR_STOP=1", "-c", roleDdl], { encoding: "utf-8" });
+  if (dml.status !== 0) {
+    throw new Error(`failed to ${roleExists ? "ALTER" : "CREATE"} ROLE "${worldRoleName}": ` + redactCreateRolePassword((dml.stderr || "").trim()));
+  }
+  for (const worldDb of worldDbNames) {
+    const grantConnect = spawn11("docker", [
+      "exec",
+      container,
+      "psql",
+      "-U",
+      user,
+      "-d",
+      "postgres",
+      "-v",
+      "ON_ERROR_STOP=1",
+      "-c",
+      `GRANT CONNECT ON DATABASE "${worldDb}" TO "${worldRoleName}"`
+    ], { encoding: "utf-8" });
+    if (grantConnect.status !== 0) {
+      throw new Error(`failed to GRANT CONNECT on "${worldDb}" to "${worldRoleName}": ${(grantConnect.stderr || "").trim()}`);
+    }
+    const perDbGrants = [
+      `GRANT USAGE ON SCHEMA public TO "${worldRoleName}"`,
+      `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "${worldRoleName}"`,
+      `GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO "${worldRoleName}"`,
+      // DEFAULT PRIVILEGES for future objects — Rails migrations create new
+      // tables/sequences post-spawn and they need to be grantable.
+      `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO "${worldRoleName}"`,
+      `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO "${worldRoleName}"`
+    ].join("; ");
+    const grantResult = spawn11("docker", ["exec", container, "psql", "-U", user, "-d", worldDb, "-v", "ON_ERROR_STOP=1", "-c", perDbGrants], { encoding: "utf-8" });
+    if (grantResult.status !== 0) {
+      throw new Error(`failed to GRANT privileges on "${worldDb}" to "${worldRoleName}": ${(grantResult.stderr || "").trim()}`);
+    }
+  }
+  return { worldRoleName, password };
+}
+function defaultPasswordGenerator() {
+  return crypto5.randomBytes(24).toString("base64url");
+}
+function escapeSqlLiteral(s) {
+  return s.replace(/'/g, "''");
+}
+function redactCreateRolePassword(s) {
+  return s.replace(/PASSWORD\s+'[^']*'/g, "PASSWORD '<scrubbed>'");
+}
+function dropPostgresWorldDbs(worldId, worldDbNames, options = {}) {
+  if (worldDbNames.length === 0)
+    return;
+  assertSafeWorldId(worldId);
+  const spawn11 = options.spawn ?? spawnSync4;
+  const container = options.container ?? "olam-postgres";
+  const user = options.user ?? "development";
+  for (const db of worldDbNames) {
+    const drop = spawn11("docker", [
+      "exec",
+      container,
+      "psql",
+      "-U",
+      user,
+      "-d",
+      "postgres",
+      "-c",
+      `DROP DATABASE IF EXISTS "${db}" WITH (FORCE)`
+    ], { encoding: "utf-8" });
+    if (drop.status !== 0) {
+      console.warn(`[manager] destroyWorld(${worldId}): failed to DROP "${db}" from singleton: ${(drop.stderr || "").trim()}`);
+    }
+  }
+}
+function dropPostgresWorldRole(worldId, worldRoleName, options = {}) {
+  if (!worldRoleName)
+    return;
+  assertSafeWorldId(worldId);
+  const spawn11 = options.spawn ?? spawnSync4;
+  const container = options.container ?? "olam-postgres";
+  const user = options.user ?? "development";
+  const cleanup = spawn11("docker", [
+    "exec",
+    container,
+    "psql",
+    "-U",
+    user,
+    "-d",
+    "postgres",
+    "-c",
+    `DROP OWNED BY "${worldRoleName}" CASCADE; DROP ROLE IF EXISTS "${worldRoleName}"`
+  ], { encoding: "utf-8" });
+  if (cleanup.status !== 0) {
+    console.warn(`[manager] destroyWorld(${worldId}): failed to DROP role "${worldRoleName}" from singleton: ${(cleanup.stderr || "").trim()}`);
+  }
+}
+function assertSafeWorldId(worldId) {
+  if (!/^[a-z0-9]+(-[a-z0-9]+)*$/.test(worldId)) {
+    throw new Error(`world id "${worldId}" contains characters outside [a-z0-9-] \u2014 hybrid-postgres + post_clone_sql interpolation require the name-generator's [a-z0-9-]+ alphabet`);
+  }
+}
+function deriveWorldDbName(seed, worldId) {
+  if (seed.endsWith("_seed")) {
+    const prefix = seed.slice(0, -"_seed".length);
+    return `${prefix}_world_${worldId}`;
+  }
+  return `${seed}_world_${worldId}`;
 }
 var BotIdentityError, ADJECTIVES, NOUNS, AuthPreflightError, WorkspaceNotFoundError, WorldManager;
 var init_manager = __esm({
@@ -11472,6 +11852,8 @@ ${detail}`);
           const hostPort = override !== void 0 ? override : ap.port + 1e4 + portOffset;
           return { repoName: ap.name, internalPort: ap.port, hostPort, url: `http://localhost:${hostPort}` };
         });
+        let worldDbNames = void 0;
+        let worldRoleName = void 0;
         try {
           const worldEnv = {};
           if (opts.task)
@@ -11572,7 +11954,27 @@ ${detail}`);
               }
             }
           }
-          applyPostgresNetworkOverrides(worldEnv, enrichedRepos);
+          applyPostgresNetworkOverrides(worldEnv, enrichedRepos, worldId);
+          const cloneResult = applyPostgresTemplateClone(worldId, enrichedRepos);
+          worldDbNames = cloneResult.worldDbNames.length > 0 ? cloneResult.worldDbNames : void 0;
+          if (worldDbNames !== void 0) {
+            const roleResult = applyPostgresWorldRole(worldId, worldDbNames);
+            worldRoleName = roleResult.worldRoleName;
+            worldEnv["POSTGRESQL_USERNAME"] = roleResult.worldRoleName;
+            worldEnv["POSTGRESQL_PASSWORD"] = roleResult.password;
+            worldEnv["POSTGRESQL_COMMON_USERNAME"] = roleResult.worldRoleName;
+            worldEnv["POSTGRESQL_COMMON_PASSWORD"] = roleResult.password;
+            worldEnv["POSTGRESQL_MERCHANT_USERNAME"] = roleResult.worldRoleName;
+            worldEnv["POSTGRESQL_MERCHANT_PASSWORD"] = roleResult.password;
+          }
+          if (worldDbNames !== void 0 || worldRoleName !== void 0) {
+            this.registry.update(worldId, {
+              ...worldDbNames !== void 0 ? { worldDbNames: [...worldDbNames] } : {},
+              ...worldRoleName !== void 0 ? { worldRoleName } : {}
+            });
+          }
+          const hybridActive = worldDbNames !== void 0;
+          const extraNetworks = hybridActive ? ["olam-shared"] : void 0;
           await this.provider.createWorld({
             id: worldId,
             name: opts.name,
@@ -11582,6 +11984,7 @@ ${detail}`);
             portOffset,
             workspacePath,
             appPorts: appPorts.length > 0 ? appPorts : void 0,
+            ...extraNetworks ? { extraNetworks } : {},
             // Phase 7 A1: per-world cost ceiling sourced from config.cost.
             // Cloudflare provider forwards this to /session/start so the DO
             // can enforce kill-switch on `cost_update` events. Other providers
@@ -11605,7 +12008,16 @@ ${detail}`);
         sm.transition("running");
         this.registry.update(worldId, {
           status: "running",
-          ...appPortUrls.length > 0 ? { appPortUrls } : {}
+          ...appPortUrls.length > 0 ? { appPortUrls } : {},
+          // olam-hybrid-shared-postgres A3: persist the cloned per-world DB
+          // names so olam destroy + olam gc can find them later (A7's
+          // world_db_names TEXT JSON column).
+          ...worldDbNames !== void 0 ? { worldDbNames: [...worldDbNames] } : {},
+          // olam-hybrid-shared-postgres A4: persist the role name so olam destroy
+          // can DROP it after the world's DBs are gone (A7's world_role_name
+          // column). Password is NOT persisted — it lives only in the world
+          // container's env and the in-memory return value.
+          ...worldRoleName !== void 0 ? { worldRoleName } : {}
         });
         const containerName = `olam-${worldId}-devbox`;
         try {
@@ -11905,6 +12317,14 @@ ${opts.task}`;
           cleanupWorldTailscale(worldId, this.registry);
         } catch {
         }
+        const worldDbNames = world.worldDbNames;
+        if (worldDbNames !== void 0 && worldDbNames.length > 0) {
+          dropPostgresWorldDbs(worldId, worldDbNames);
+        }
+        const worldRoleName = world.worldRoleName;
+        if (typeof worldRoleName === "string" && worldRoleName.length > 0) {
+          dropPostgresWorldRole(worldId, worldRoleName);
+        }
         try {
           await this.provider.destroyWorld(worldId);
         } catch {
@@ -13306,7 +13726,7 @@ function isCloudflaredAvailable() {
   }
 }
 function startTunnel(port) {
-  return new Promise((resolve12, reject) => {
+  return new Promise((resolve14, reject) => {
     const child = spawn3("cloudflared", ["tunnel", "--url", `http://localhost:${port}`], {
       stdio: ["ignore", "pipe", "pipe"],
       detached: false
@@ -13328,7 +13748,7 @@ function startTunnel(port) {
       if (match2) {
         resolved = true;
         clearTimeout(timeout);
-        resolve12(match2[0]);
+        resolve14(match2[0]);
       }
     }
     child.stdout?.on("data", scan);
@@ -13415,8 +13835,8 @@ var init_dashboard = __esm({
           }
           throw err;
         }
-        await new Promise((resolve12, reject) => {
-          this.server.on("listening", resolve12);
+        await new Promise((resolve14, reject) => {
+          this.server.on("listening", resolve14);
           this.server.on("error", reject);
         });
         this.info = { localUrl: `http://localhost:${port}` };
@@ -13462,8 +13882,8 @@ var init_dashboard = __esm({
       async stop() {
         stopTunnel();
         if (this.server) {
-          await new Promise((resolve12) => {
-            this.server.close(() => resolve12());
+          await new Promise((resolve14) => {
+            this.server.close(() => resolve14());
           });
           this.server = null;
         }
@@ -13689,10 +14109,10 @@ import * as crypto6 from "node:crypto";
 import * as fs26 from "node:fs";
 import * as os15 from "node:os";
 import * as path28 from "node:path";
-import { spawnSync as spawnSync4 } from "node:child_process";
+import { spawnSync as spawnSync5 } from "node:child_process";
 import Dockerode2 from "dockerode";
 function findComposeFile() {
-  const candidates = [
+  const candidates2 = [
     // Bundled path: dist/index.js lives at <pkg>/dist/; host-cp/ is a sibling of dist/
     path28.resolve(path28.dirname(new URL(import.meta.url).pathname), "../host-cp/compose.yaml"),
     // Source-mode: cwd is monorepo root
@@ -13700,7 +14120,7 @@ function findComposeFile() {
     // Source-mode: cwd is one level inside the monorepo
     path28.resolve(process.cwd(), "../packages/host-cp/compose.yaml")
   ];
-  for (const c of candidates) {
+  for (const c of candidates2) {
     if (fs26.existsSync(c)) return c;
   }
   return path28.resolve(process.cwd(), "packages/host-cp/compose.yaml");
@@ -13875,7 +14295,7 @@ async function probeHealth() {
   }
 }
 function runCompose(args, composeFile, extraEnv = {}) {
-  const result = spawnSync4("docker", ["compose", "-f", composeFile, ...args], {
+  const result = spawnSync5("docker", ["compose", "-f", composeFile, ...args], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"],
     env: { ...process.env, ...extraEnv }
@@ -13902,7 +14322,7 @@ function buildComposeEnv(authSecret, ghToken) {
 }
 function captureGhToken() {
   try {
-    const result = spawnSync4("gh", ["auth", "token"], {
+    const result = spawnSync5("gh", ["auth", "token"], {
       encoding: "utf-8",
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -14282,15 +14702,15 @@ __export(install_root_exports, {
   resolveBuildScript: () => resolveBuildScript
 });
 import { existsSync as existsSync24 } from "node:fs";
-import { dirname as dirname17, join as join30, resolve as resolve9 } from "node:path";
+import { dirname as dirname17, join as join30, resolve as resolve10 } from "node:path";
 import { fileURLToPath as fileURLToPath5 } from "node:url";
 function installRoot(metaUrl = import.meta.url) {
-  const here2 = fileURLToPath5(metaUrl);
-  return resolve9(dirname17(here2), "..");
+  const here3 = fileURLToPath5(metaUrl);
+  return resolve10(dirname17(here3), "..");
 }
 function isDevMode(env = process.env, installRootDir = installRoot()) {
   if (env.OLAM_DEV !== "1") return false;
-  const repoRoot = resolve9(installRootDir, "..", "..");
+  const repoRoot = resolve10(installRootDir, "..", "..");
   return existsSync24(join30(repoRoot, "packages")) && existsSync24(join30(repoRoot, "package.json"));
 }
 function resolveBuildScript(input) {
@@ -14298,7 +14718,7 @@ function resolveBuildScript(input) {
   if (!isDevMode(env, installRootDir)) {
     throw new MissingBuildScriptError(scriptRelPath);
   }
-  const repoRoot = resolve9(installRootDir, "..", "..");
+  const repoRoot = resolve10(installRootDir, "..", "..");
   return join30(repoRoot, scriptRelPath);
 }
 var MissingBuildScriptError;
@@ -14329,7 +14749,7 @@ __export(protocol_version_exports, {
   inspectImageProtocolVersions: () => inspectImageProtocolVersions,
   parseProtocolVersionsLabel: () => parseProtocolVersionsLabel
 });
-import { spawnSync as spawnSync5 } from "node:child_process";
+import { spawnSync as spawnSync6 } from "node:child_process";
 function parseProtocolVersionsLabel(labelValue) {
   if (!labelValue) return [];
   const parts = labelValue.split(",").map((s) => s.trim()).filter(Boolean);
@@ -14400,7 +14820,7 @@ var init_protocol_version = __esm({
     "use strict";
     OLAM_PROTOCOL_VERSIONS_SUPPORTED = [1];
     realDockerInspect = (imageRef) => {
-      const result = spawnSync5(
+      const result = spawnSync6(
         "docker",
         ["inspect", imageRef, "--format", '{{ index .Config.Labels "olam.protocol.versions" }}'],
         { encoding: "utf8", timeout: 1e4 }
@@ -14414,6 +14834,158 @@ var init_protocol_version = __esm({
   }
 });
 
+// ../core/dist/auth/postgres-init-helpers.js
+var postgres_init_helpers_exports = {};
+__export(postgres_init_helpers_exports, {
+  DEFAULT_POSTGRES_CONTAINER: () => DEFAULT_POSTGRES_CONTAINER,
+  DEFAULT_POSTGRES_DB: () => DEFAULT_POSTGRES_DB,
+  DEFAULT_POSTGRES_HOST_PORT: () => DEFAULT_POSTGRES_HOST_PORT,
+  DEFAULT_POSTGRES_IMAGE: () => DEFAULT_POSTGRES_IMAGE,
+  DEFAULT_POSTGRES_NETWORK: () => DEFAULT_POSTGRES_NETWORK,
+  DEFAULT_POSTGRES_PASSWORD: () => DEFAULT_POSTGRES_PASSWORD,
+  DEFAULT_POSTGRES_READY_TIMEOUT_MS: () => DEFAULT_POSTGRES_READY_TIMEOUT_MS,
+  DEFAULT_POSTGRES_USER: () => DEFAULT_POSTGRES_USER,
+  ensureOlamPostgresSingleton: () => ensureOlamPostgresSingleton,
+  ensureOlamSharedNetwork: () => ensureOlamSharedNetwork,
+  pullPostgresImage: () => pullPostgresImage,
+  startPostgresSingleton: () => startPostgresSingleton,
+  statusPostgresSingleton: () => statusPostgresSingleton,
+  waitPostgresReady: () => waitPostgresReady
+});
+import { spawnSync as spawnSync7 } from "node:child_process";
+function resolve11(options) {
+  return {
+    network: options.network ?? DEFAULT_POSTGRES_NETWORK,
+    containerName: options.containerName ?? DEFAULT_POSTGRES_CONTAINER,
+    image: options.image ?? DEFAULT_POSTGRES_IMAGE,
+    hostPort: options.hostPort ?? DEFAULT_POSTGRES_HOST_PORT,
+    user: options.user ?? DEFAULT_POSTGRES_USER,
+    password: options.password ?? DEFAULT_POSTGRES_PASSWORD,
+    db: options.db ?? DEFAULT_POSTGRES_DB,
+    readyTimeoutMs: options.readyTimeoutMs ?? DEFAULT_POSTGRES_READY_TIMEOUT_MS,
+    spawn: options.spawn ?? spawnSync7
+  };
+}
+function statusPostgresSingleton(options = {}) {
+  const opts = resolve11(options);
+  const inspect = opts.spawn("docker", ["inspect", "--format", "{{.State.Status}}", opts.containerName], { encoding: "utf-8" });
+  if (inspect.status !== 0)
+    return "missing";
+  const raw = (inspect.stdout || "").trim();
+  return raw === "running" ? "running" : "stopped";
+}
+function ensureOlamSharedNetwork(options = {}) {
+  const opts = resolve11(options);
+  const create = opts.spawn("docker", ["network", "create", opts.network], {
+    encoding: "utf-8"
+  });
+  if (create.status !== 0 && !(create.stderr || "").includes("already exists")) {
+    throw new Error(`failed to create docker network ${opts.network}: ${(create.stderr || "").trim()}`);
+  }
+  const inspect = opts.spawn("docker", ["network", "inspect", opts.network, "--format", "{{.Driver}}"], { encoding: "utf-8" });
+  if (inspect.status !== 0) {
+    throw new Error(`failed to inspect docker network ${opts.network} after create: ${(inspect.stderr || "").trim()}`);
+  }
+  const driver = (inspect.stdout || "").trim();
+  if (driver !== "bridge") {
+    throw new Error(`docker network ${opts.network} exists with driver=${driver}, expected bridge. Run \`docker network rm ${opts.network} && olam init\` to recreate.`);
+  }
+}
+function pullPostgresImage(options = {}) {
+  const opts = resolve11(options);
+  const pull = opts.spawn("docker", ["pull", "--platform", "linux/amd64", opts.image], { encoding: "utf-8" });
+  if (pull.status !== 0) {
+    throw new Error(`failed to pull postgres image ${opts.image}: ${(pull.stderr || "").trim()}`);
+  }
+}
+function startPostgresSingleton(options = {}) {
+  const opts = resolve11(options);
+  const state = statusPostgresSingleton(options);
+  if (state === "running")
+    return;
+  if (state === "stopped") {
+    const start = opts.spawn("docker", ["start", opts.containerName], {
+      encoding: "utf-8"
+    });
+    if (start.status !== 0) {
+      throw new Error(`failed to start existing postgres container ${opts.containerName}: ${(start.stderr || "").trim()}`);
+    }
+    return;
+  }
+  const run = opts.spawn("docker", [
+    "run",
+    "--detach",
+    "--name",
+    opts.containerName,
+    "--network",
+    opts.network,
+    "--network-alias",
+    opts.containerName,
+    "--restart",
+    "unless-stopped",
+    "--publish",
+    `127.0.0.1:${opts.hostPort}:5432`,
+    "--env",
+    `POSTGRES_USER=${opts.user}`,
+    "--env",
+    `POSTGRES_PASSWORD=${opts.password}`,
+    "--env",
+    `POSTGRES_DB=${opts.db}`,
+    "--env",
+    `TZ=Asia/Singapore`,
+    opts.image
+  ], { encoding: "utf-8" });
+  if (run.status !== 0) {
+    throw new Error(`failed to start postgres singleton ${opts.containerName}: ${(run.stderr || "").trim()}`);
+  }
+}
+async function waitPostgresReady(options = {}) {
+  const opts = resolve11(options);
+  const deadline = Date.now() + opts.readyTimeoutMs;
+  while (Date.now() < deadline) {
+    const ready = opts.spawn("docker", ["exec", opts.containerName, "pg_isready", "-U", opts.user], { encoding: "utf-8" });
+    if (ready.status === 0)
+      return true;
+    await sleep3(1e3);
+  }
+  return false;
+}
+async function ensureOlamPostgresSingleton(options = {}) {
+  const opts = resolve11(options);
+  ensureOlamSharedNetwork(options);
+  pullPostgresImage(options);
+  startPostgresSingleton(options);
+  const ready = await waitPostgresReady(options);
+  if (!ready) {
+    throw new Error(`postgres singleton ${opts.containerName} failed pg_isready within ${opts.readyTimeoutMs}ms. Inspect with \`docker logs ${opts.containerName}\`.`);
+  }
+  const finalState = statusPostgresSingleton(options);
+  return {
+    state: finalState,
+    network: opts.network,
+    container: opts.containerName,
+    hostPort: opts.hostPort,
+    ready
+  };
+}
+function sleep3(ms) {
+  return new Promise((resolve14) => setTimeout(resolve14, ms));
+}
+var DEFAULT_POSTGRES_NETWORK, DEFAULT_POSTGRES_CONTAINER, DEFAULT_POSTGRES_HOST_PORT, DEFAULT_POSTGRES_IMAGE, DEFAULT_POSTGRES_USER, DEFAULT_POSTGRES_PASSWORD, DEFAULT_POSTGRES_DB, DEFAULT_POSTGRES_READY_TIMEOUT_MS;
+var init_postgres_init_helpers = __esm({
+  "../core/dist/auth/postgres-init-helpers.js"() {
+    "use strict";
+    DEFAULT_POSTGRES_NETWORK = "olam-shared";
+    DEFAULT_POSTGRES_CONTAINER = "olam-postgres";
+    DEFAULT_POSTGRES_HOST_PORT = 5433;
+    DEFAULT_POSTGRES_IMAGE = "odidev/postgis:13-3.1-alpine";
+    DEFAULT_POSTGRES_USER = "development";
+    DEFAULT_POSTGRES_PASSWORD = "development";
+    DEFAULT_POSTGRES_DB = "postgres";
+    DEFAULT_POSTGRES_READY_TIMEOUT_MS = 6e4;
+  }
+});
+
 // src/registry-allowlist.ts
 var registry_allowlist_exports = {};
 __export(registry_allowlist_exports, {
@@ -15256,7 +15828,7 @@ init_host_cp();
 init_auth();
 import * as fs27 from "node:fs";
 import * as path29 from "node:path";
-import { spawnSync as spawnSync7 } from "node:child_process";
+import { spawnSync as spawnSync9 } from "node:child_process";
 import ora2 from "ora";
 import pc7 from "picocolors";
 
@@ -15266,7 +15838,7 @@ init_install_root();
 init_exit_codes();
 init_protocol_version();
 init_output();
-import { spawnSync as spawnSync6 } from "node:child_process";
+import { spawnSync as spawnSync8 } from "node:child_process";
 import { existsSync as existsSync25, readFileSync as readFileSync19 } from "node:fs";
 import { join as join31 } from "node:path";
 import ora from "ora";
@@ -15298,7 +15870,7 @@ function loadImageDigests(installRootDir = installRoot()) {
   return parsed;
 }
 var REAL_OLAM_SUBCOMMAND = (args) => {
-  const result = spawnSync6(process.execPath, [
+  const result = spawnSync8(process.execPath, [
     process.argv[1] ?? "olam",
     ...args
   ], {
@@ -15460,6 +16032,48 @@ async function runBootstrap2(opts, deps = {}) {
     return { exitCode: EXIT_GENERIC_ERROR, summary: "auth up failed" };
   }
   authUpSpinner.succeed("auth-service running");
+  if (opts.skipPostgresSingleton || process.env.OLAM_BOOTSTRAP_SKIP_POSTGRES === "1") {
+    printInfo("postgres singleton", "skipped");
+  } else {
+    const pgSpinner = ora("Starting olam-postgres singleton").start();
+    try {
+      const { ensureOlamPostgresSingleton: ensureOlamPostgresSingleton2 } = await Promise.resolve().then(() => (init_postgres_init_helpers(), postgres_init_helpers_exports));
+      const result = await ensureOlamPostgresSingleton2();
+      pgSpinner.succeed(
+        `olam-postgres ${result.state} on network ${result.network} \u2192 127.0.0.1:${result.hostPort}`
+      );
+    } catch (err) {
+      pgSpinner.fail("olam-postgres singleton bring-up failed");
+      process.stderr.write(`  ${err instanceof Error ? err.message : String(err)}
+`);
+      process.stderr.write(`  Re-run \`olam bootstrap\` after resolving, or skip via OLAM_BOOTSTRAP_SKIP_POSTGRES=1.
+`);
+      return { exitCode: EXIT_GENERIC_ERROR, summary: "postgres singleton bring-up failed" };
+    }
+  }
+  if (opts.skipMemory || process.env.OLAM_BOOTSTRAP_SKIP_MEMORY === "1") {
+    printInfo("agent-memory", "skipped");
+  } else {
+    const memSpinner = ora("Starting agent-memory host-process").start();
+    const mem = runOlam(["memory", "start"]);
+    if (mem.exitCode !== 0) {
+      memSpinner.fail("agent-memory start failed");
+      if (mem.stdout.trim().length > 0) {
+        process.stderr.write(`  stdout: ${mem.stdout.split("\n").slice(0, 20).join("\n  ")}
+`);
+      }
+      if (mem.stderr.trim().length > 0) {
+        process.stderr.write(`  stderr: ${mem.stderr.split("\n").slice(0, 20).join("\n  ")}
+`);
+      }
+      process.stderr.write(
+        `  Re-run \`olam bootstrap\` after resolving, or skip via OLAM_BOOTSTRAP_SKIP_MEMORY=1.
+`
+      );
+      return { exitCode: EXIT_GENERIC_ERROR, summary: "agent-memory start failed" };
+    }
+    memSpinner.succeed("agent-memory running");
+  }
   if (opts.skipAuthLogin || process.env.OLAM_BOOTSTRAP_SKIP_AUTH_LOGIN === "1") {
     printInfo("auth login", "skipped");
   } else {
@@ -15496,6 +16110,8 @@ async function runBootstrap2(opts, deps = {}) {
   printHeader("Stack ready");
   printInfo("olam-host-cp", `running (${digests["host-cp"].slice(0, 19)}\u2026)`);
   printInfo("olam-auth", `running (${digests.auth.slice(0, 19)}\u2026)`);
+  const memorySkipped = opts.skipMemory || process.env.OLAM_BOOTSTRAP_SKIP_MEMORY === "1";
+  printInfo("agent-memory", memorySkipped ? "skipped" : "running");
   printInfo("olam-devbox", `pulled (${digests.devbox.slice(0, 19)}\u2026)`);
   printInfo("next", '`olam create --task "your task"` to spawn a world');
   return { exitCode: 0, summary: "stack ready" };
@@ -15503,7 +16119,7 @@ async function runBootstrap2(opts, deps = {}) {
 function registerBootstrap(program2) {
   program2.command("bootstrap").description(
     "Bootstrap the olam stack: pull 3 images by digest, verify protocol handshake, start host-cp + auth, run auth login."
-  ).option("--with-smoke", "After bootstrap, create a smoke-test world to verify end-to-end").option("--skip-auth-login", "Skip the interactive PKCE step (CI / scripted use only)").option(
+  ).option("--with-smoke", "After bootstrap, create a smoke-test world to verify end-to-end").option("--skip-auth-login", "Skip the interactive PKCE step (CI / scripted use only)").option("--skip-postgres-singleton", "Skip the olam-postgres singleton bring-up (operators with host postgres opt-out, or CI)").option("--skip-memory", "Skip the agent-memory host-process bring-up (CI / scripted use, or unsupported arch)").option(
     "--registry <ref>",
     "Override the registry prefix (default: read from image-digests.json or fall back to ghcr.io/pleri)"
   ).action(async (opts) => {
@@ -15511,6 +16127,8 @@ function registerBootstrap(program2) {
       const result = await runBootstrap2({
         withSmoke: opts.withSmoke === true,
         skipAuthLogin: opts.skipAuthLogin === true,
+        skipPostgresSingleton: opts.skipPostgresSingleton === true,
+        skipMemory: opts.skipMemory === true,
         registry: opts.registry
       });
       process.exitCode = result.exitCode;
@@ -15594,7 +16212,7 @@ async function smokeTestCodexProvider(authSecret) {
 function runStep(label, cmd, args, opts = {}) {
   const start = Date.now();
   process.stdout.write(`  ${pc7.dim(label.padEnd(34))}`);
-  const result = spawnSync7(cmd, [...args], {
+  const result = spawnSync9(cmd, [...args], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"],
     cwd: opts.cwd ?? process.cwd(),
@@ -15616,10 +16234,10 @@ async function confirm(message) {
   if (!process.stdin.isTTY) return true;
   const { createInterface: createInterface6 } = await import("node:readline");
   const rl = createInterface6({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve12) => {
+  return new Promise((resolve14) => {
     rl.question(`${message} [y/N] `, (answer) => {
       rl.close();
-      resolve12(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+      resolve14(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
     });
   });
 }
@@ -15714,7 +16332,7 @@ async function runAuthUpgradePullByDigest(deps = {}) {
 }
 function defaultTagAuth(from, to) {
   try {
-    const r = spawnSync7("docker", ["tag", from, to], {
+    const r = spawnSync9("docker", ["tag", from, to], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "pipe"]
     });
@@ -15732,11 +16350,11 @@ function defaultTagAuth(from, to) {
 }
 async function defaultRecreateAuth() {
   try {
-    spawnSync7("docker", ["stop", "olam-auth"], {
+    spawnSync9("docker", ["stop", "olam-auth"], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "ignore"]
     });
-    spawnSync7("docker", ["rm", "olam-auth"], {
+    spawnSync9("docker", ["rm", "olam-auth"], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "ignore"]
     });
@@ -15805,7 +16423,7 @@ ${imageResult.stderr}`);
   }
   const stopStart = Date.now();
   process.stdout.write(`  ${pc7.dim("docker stop olam-auth".padEnd(34))}`);
-  spawnSync7("docker", ["stop", "olam-auth"], {
+  spawnSync9("docker", ["stop", "olam-auth"], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"]
   });
@@ -15815,7 +16433,7 @@ ${imageResult.stderr}`);
   timings.push({ label: "container stop", durationMs: stopDurationMs });
   const rmStart = Date.now();
   process.stdout.write(`  ${pc7.dim("docker rm olam-auth".padEnd(34))}`);
-  spawnSync7("docker", ["rm", "olam-auth"], {
+  spawnSync9("docker", ["rm", "olam-auth"], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"]
   });
@@ -15907,7 +16525,7 @@ function registerAuthUpgrade(auth) {
 // src/commands/services.ts
 init_auth();
 init_output();
-import { execFileSync as execFileSync7, spawnSync as spawnSync8 } from "node:child_process";
+import { execFileSync as execFileSync7, spawnSync as spawnSync10 } from "node:child_process";
 import pc8 from "picocolors";
 var MCP_AUTH_PORT = 9998;
 var MCP_AUTH_VOLUME = "olam-mcp-auth-data";
@@ -15919,7 +16537,7 @@ var MCP_AUTH_HEALTH_TIMEOUT_MS = 6e4;
 var McpAuthContainerController = class {
   imageTag = MCP_AUTH_LOCAL_TAG;
   status() {
-    const r = spawnSync8(
+    const r = spawnSync10(
       "docker",
       ["inspect", "--format", "{{.State.Status}}|{{.Id}}", MCP_AUTH_CONTAINER],
       { encoding: "utf-8" }
@@ -15935,7 +16553,7 @@ var McpAuthContainerController = class {
     return { state: "missing", port: MCP_AUTH_PORT };
   }
   imageExists(tag = this.imageTag) {
-    return spawnSync8("docker", ["image", "inspect", tag], { encoding: "utf-8" }).status === 0;
+    return spawnSync10("docker", ["image", "inspect", tag], { encoding: "utf-8" }).status === 0;
   }
   start() {
     const current = this.status();
@@ -15977,7 +16595,7 @@ var McpAuthContainerController = class {
     execFileSync7("docker", ["stop", MCP_AUTH_CONTAINER], { stdio: "pipe" });
   }
   remove() {
-    spawnSync8("docker", ["rm", "-f", MCP_AUTH_CONTAINER], { stdio: "pipe" });
+    spawnSync10("docker", ["rm", "-f", MCP_AUTH_CONTAINER], { stdio: "pipe" });
   }
   async waitForReady(timeoutMs = MCP_AUTH_HEALTH_TIMEOUT_MS) {
     const deadline = Date.now() + timeoutMs;
@@ -15987,17 +16605,17 @@ var McpAuthContainerController = class {
         if (res.ok) return true;
       } catch {
       }
-      await sleep3(500);
+      await sleep4(500);
     }
     return false;
   }
 };
-function sleep3(ms) {
-  return new Promise((resolve12) => setTimeout(resolve12, ms));
+function sleep4(ms) {
+  return new Promise((resolve14) => setTimeout(resolve14, ms));
 }
 function dumpContainerLogs(container, tail = 40) {
   try {
-    const result = spawnSync8("docker", ["logs", "--tail", String(tail), container], {
+    const result = spawnSync10("docker", ["logs", "--tail", String(tail), container], {
       encoding: "utf-8",
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -16270,9 +16888,9 @@ ${pc9.dim("Next: olam create --name my-world")}`);
 
 // src/commands/create.ts
 init_manager();
-import { spawnSync as spawnSync9 } from "node:child_process";
+import { spawnSync as spawnSync11 } from "node:child_process";
 import { existsSync as existsSync28 } from "node:fs";
-import { dirname as dirname18, resolve as resolve10 } from "node:path";
+import { dirname as dirname18, resolve as resolve12 } from "node:path";
 import ora3 from "ora";
 import pc10 from "picocolors";
 
@@ -16401,17 +17019,17 @@ function inferRepos(input) {
       proceed: true
     };
   }
-  const candidates = extractCandidates(input.prompt);
-  if (candidates.length === 0) {
+  const candidates2 = extractCandidates(input.prompt);
+  if (candidates2.length === 0) {
     return { repos: [], confidence: 0, proceed: false };
   }
   if (input.catalog && input.catalog.length > 0) {
     const catalogSet = new Set(input.catalog.map((c) => c.toLowerCase()));
-    const matched = candidates.filter((c) => catalogSet.has(c));
+    const matched = candidates2.filter((c) => catalogSet.has(c));
     if (matched.length === 0) {
       return { repos: [], confidence: 0.2, proceed: false };
     }
-    const ratio = matched.length / candidates.length;
+    const ratio = matched.length / candidates2.length;
     const confidence = Math.min(0.95, 0.5 + 0.5 * ratio);
     return {
       repos: matched,
@@ -16420,7 +17038,7 @@ function inferRepos(input) {
     };
   }
   return {
-    repos: candidates,
+    repos: candidates2,
     confidence: 0.6,
     proceed: false
   };
@@ -16542,7 +17160,7 @@ function registerCreate(program2) {
       if (decision.stderrLine) {
         process.stderr.write(decision.stderrLine + "\n");
       }
-      spawnSync9("docker", ["pull", overrideRef], { stdio: "pipe" });
+      spawnSync11("docker", ["pull", overrideRef], { stdio: "pipe" });
       const { inspectImageProtocolVersions: inspectImageProtocolVersions2, checkProtocolOverlap: checkProtocolOverlap2 } = await Promise.resolve().then(() => (init_protocol_version(), protocol_version_exports));
       const inspect = inspectImageProtocolVersions2(overrideRef);
       if (inspect.inspectFailed) {
@@ -16659,7 +17277,7 @@ function registerCreate(program2) {
             throw err;
           }
           const spinner2 = ora3("Rebuilding olam-devbox:latest\u2026").start();
-          const rebuild = spawnSync9(
+          const rebuild = spawnSync11(
             "bash",
             [buildScript],
             { cwd: repoRoot, stdio: "inherit" }
@@ -16866,7 +17484,7 @@ ${pc10.cyan("Host CP UI:")} ${worldUrl}`);
 function resolveRepoRoot(start) {
   let cur = start;
   while (true) {
-    if (existsSync28(resolve10(cur, "packages")) && existsSync28(resolve10(cur, "package.json"))) {
+    if (existsSync28(resolve12(cur, "packages")) && existsSync28(resolve12(cur, "package.json"))) {
       return cur;
     }
     const parent = dirname18(cur);
@@ -17103,7 +17721,7 @@ import * as path31 from "node:path";
 var CLI_VERSION2 = process.env["OLAM_CLI_VERSION"] ?? "0.0.0";
 var HOST_CP_PORT2 = 19e3;
 async function getMachineStatus(_probe, _loadCtx, _readToken) {
-  const probe = _probe ?? (async () => {
+  const probe2 = _probe ?? (async () => {
     const { probeHostCp: probeHostCp2 } = await Promise.resolve().then(() => (init_host_cp(), host_cp_exports));
     return probeHostCp2();
   });
@@ -17118,7 +17736,7 @@ async function getMachineStatus(_probe, _loadCtx, _readToken) {
     const { loadContext: loadContext2 } = await Promise.resolve().then(() => (init_context(), context_exports));
     return loadContext2();
   });
-  const probeResult = await probe();
+  const probeResult = await probe2();
   const tokenPresent = readToken2() !== null;
   const hostCpRunning = probeResult !== null;
   let worldCount = 0;
@@ -17553,14 +18171,14 @@ function printTable(entries) {
 async function confirmInteractive() {
   process.stdout.write("  Type `yes` to proceed: ");
   const buf = [];
-  return new Promise((resolve12) => {
+  return new Promise((resolve14) => {
     const onData = (chunk) => {
       buf.push(chunk);
       if (Buffer.concat(buf).toString("utf-8").includes("\n")) {
         process.stdin.removeListener("data", onData);
         process.stdin.pause();
         const answer = Buffer.concat(buf).toString("utf-8").trim();
-        resolve12(answer.toLowerCase() === "yes");
+        resolve14(answer.toLowerCase() === "yes");
       }
     };
     process.stdin.resume();
@@ -19507,8 +20125,8 @@ var path35 = {
   win32: { sep: "\\" },
   posix: { sep: "/" }
 };
-var sep = defaultPlatform === "win32" ? path35.win32.sep : path35.posix.sep;
-minimatch.sep = sep;
+var sep2 = defaultPlatform === "win32" ? path35.win32.sep : path35.posix.sep;
+minimatch.sep = sep2;
 var GLOBSTAR = /* @__PURE__ */ Symbol("globstar **");
 minimatch.GLOBSTAR = GLOBSTAR;
 var qmark2 = "[^/]";
@@ -20660,10 +21278,10 @@ function deriveSuggestion(issue) {
     if (firstKey === void 0)
       return void 0;
     const isTopLevel = issue.path.length === 0;
-    const candidates = isTopLevel ? KNOWN_TOP_LEVEL_KEYS2 : [];
-    if (candidates.length === 0)
+    const candidates2 = isTopLevel ? KNOWN_TOP_LEVEL_KEYS2 : [];
+    if (candidates2.length === 0)
       return void 0;
-    const closest = nearestMatch(firstKey, [...candidates]);
+    const closest = nearestMatch(firstKey, [...candidates2]);
     return closest ? `did you mean "${closest}"?` : void 0;
   }
   if (issue.code === "invalid_union_discriminator") {
@@ -20671,10 +21289,10 @@ function deriveSuggestion(issue) {
   }
   return void 0;
 }
-function nearestMatch(input, candidates) {
+function nearestMatch(input, candidates2) {
   let best;
   let bestDistance = 3;
-  for (const c of candidates) {
+  for (const c of candidates2) {
     const d = levenshtein(input.toLowerCase(), c.toLowerCase());
     if (d < bestDistance) {
       bestDistance = d;
@@ -22760,7 +23378,7 @@ init_output();
 init_host_cp();
 import * as fs35 from "node:fs";
 import * as path38 from "node:path";
-import { spawnSync as spawnSync11 } from "node:child_process";
+import { spawnSync as spawnSync13 } from "node:child_process";
 import ora7 from "ora";
 import pc18 from "picocolors";
 
@@ -22768,7 +23386,7 @@ import pc18 from "picocolors";
 import * as fs33 from "node:fs";
 import * as os19 from "node:os";
 import * as path36 from "node:path";
-import { spawnSync as spawnSync10 } from "node:child_process";
+import { spawnSync as spawnSync12 } from "node:child_process";
 var LOCK_FILE_PATH = path36.join(os19.homedir(), ".olam", ".upgrade.lock");
 var STALE_LOCK_TIMEOUT_MS = 5 * 60 * 1e3;
 function readLockFile(lockPath) {
@@ -22793,7 +23411,7 @@ function isPidAlive2(pid) {
 }
 var PS_UNAVAILABLE = "__ps_unavailable__";
 function getPidCommand(pid) {
-  const result = spawnSync10("ps", ["-p", String(pid), "-o", "comm="], {
+  const result = spawnSync12("ps", ["-p", String(pid), "-o", "comm="], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "ignore"]
   });
@@ -23052,7 +23670,7 @@ function extractBundleHash(indexHtml) {
 function runStep2(label, cmd, args, opts = {}) {
   const start = Date.now();
   process.stdout.write(`  ${pc18.dim(label.padEnd(34))}`);
-  const result = spawnSync11(cmd, [...args], {
+  const result = spawnSync13(cmd, [...args], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"],
     cwd: opts.cwd ?? process.cwd(),
@@ -23071,7 +23689,7 @@ function runStep2(label, cmd, args, opts = {}) {
   };
 }
 function isGitDirty(cwd) {
-  const result = spawnSync11("git", ["status", "--porcelain"], {
+  const result = spawnSync13("git", ["status", "--porcelain"], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"],
     cwd
@@ -23079,7 +23697,7 @@ function isGitDirty(cwd) {
   return (result.stdout ?? "").trim().length > 0;
 }
 function hasGitUpstream(cwd) {
-  const result = spawnSync11("git", ["rev-parse", "--abbrev-ref", "@{u}"], {
+  const result = spawnSync13("git", ["rev-parse", "--abbrev-ref", "@{u}"], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"],
     cwd
@@ -23087,7 +23705,7 @@ function hasGitUpstream(cwd) {
   return result.status === 0;
 }
 function captureHeadSha(cwd) {
-  const result = spawnSync11("git", ["rev-parse", "HEAD"], {
+  const result = spawnSync13("git", ["rev-parse", "HEAD"], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"],
     cwd
@@ -23102,7 +23720,7 @@ function abbreviateSha(sha) {
 }
 function imageExists(tag) {
   try {
-    const result = spawnSync11("docker", ["image", "inspect", "--format", "{{.Id}}", tag], {
+    const result = spawnSync13("docker", ["image", "inspect", "--format", "{{.Id}}", tag], {
       encoding: "utf-8",
       stdio: ["ignore", "pipe", "ignore"]
     });
@@ -23118,7 +23736,7 @@ function checkRollbackSetExists(plan) {
 }
 var SMOKE_DOCKER_TIMEOUT_MS = 3e4;
 function smokeImage(image, targetSha) {
-  const createResult = spawnSync11("docker", ["create", "--name", `olam-smoke-${Date.now()}`, image], {
+  const createResult = spawnSync13("docker", ["create", "--name", `olam-smoke-${Date.now()}`, image], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"],
     timeout: SMOKE_DOCKER_TIMEOUT_MS
@@ -23132,7 +23750,7 @@ function smokeImage(image, targetSha) {
     };
   }
   const containerId = (createResult.stdout ?? "").trim();
-  const inspectResult = spawnSync11(
+  const inspectResult = spawnSync13(
     "docker",
     ["inspect", "--format", '{{index .Config.Labels "olam.build.sha"}}', image],
     {
@@ -23142,7 +23760,7 @@ function smokeImage(image, targetSha) {
     }
   );
   if (containerId.length > 0) {
-    spawnSync11("docker", ["rm", "-f", containerId], {
+    spawnSync13("docker", ["rm", "-f", containerId], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "ignore"],
       timeout: SMOKE_DOCKER_TIMEOUT_MS
@@ -23182,7 +23800,7 @@ var PRODUCTION_SWAP_PLAN = [
 ];
 function dockerTag(source, dest) {
   try {
-    const result = spawnSync11("docker", ["tag", source, dest], {
+    const result = spawnSync13("docker", ["tag", source, dest], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "pipe"]
     });
@@ -23275,10 +23893,10 @@ async function confirm2(message) {
   if (!process.stdin.isTTY) return true;
   const { createInterface: createInterface6 } = await import("node:readline");
   const rl = createInterface6({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve12) => {
+  return new Promise((resolve14) => {
     rl.question(`${message} [y/N] `, (answer) => {
       rl.close();
-      resolve12(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+      resolve14(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
     });
   });
 }
@@ -23346,11 +23964,11 @@ async function waitForAuthHealthLocal(timeoutMs = AUTH_HEALTH_TIMEOUT_MS) {
 async function recreateAuthService() {
   const start = Date.now();
   try {
-    spawnSync11("docker", ["stop", "olam-auth"], {
+    spawnSync13("docker", ["stop", "olam-auth"], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "ignore"]
     });
-    spawnSync11("docker", ["rm", "olam-auth"], {
+    spawnSync13("docker", ["rm", "olam-auth"], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "ignore"]
     });
@@ -23609,11 +24227,11 @@ async function defaultRecreateMcpAuthForUpgrade() {
 }
 async function defaultRecreateAuthForUpgrade() {
   try {
-    spawnSync11("docker", ["stop", "olam-auth"], {
+    spawnSync13("docker", ["stop", "olam-auth"], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "ignore"]
     });
-    spawnSync11("docker", ["rm", "olam-auth"], {
+    spawnSync13("docker", ["rm", "olam-auth"], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "ignore"]
     });
@@ -23959,7 +24577,7 @@ ${spaResult.stderr}`);
       process.stdout.write(`  ${pc18.dim(step.label.padEnd(34))}
 `);
       const start = Date.now();
-      const result = spawnSync11("bash", [scriptPath], {
+      const result = spawnSync13("bash", [scriptPath], {
         stdio: "inherit",
         cwd,
         env: { ...process.env, ...olamTagEnv }
@@ -24308,7 +24926,7 @@ function registerLogs(program2) {
 init_context();
 init_output();
 import pc20 from "picocolors";
-import { spawnSync as spawnSync12 } from "node:child_process";
+import { spawnSync as spawnSync14 } from "node:child_process";
 var SAFE_IDENT4 = /^[a-z0-9][a-z0-9-]{0,63}$/;
 function parseDockerTop(stdout) {
   const trimmed = stdout.trim();
@@ -24329,8 +24947,8 @@ function parseDockerTop(stdout) {
     titles = (lines[0] ?? "").trim().toLowerCase().split(/\s+/);
     processes = lines.slice(1).map((l) => l.trim().split(/\s+/));
   }
-  const idx = (candidates) => {
-    for (const c of candidates) {
+  const idx = (candidates2) => {
+    for (const c of candidates2) {
       const i = titles.indexOf(c);
       if (i !== -1) return i;
     }
@@ -24408,7 +25026,7 @@ function registerPs(program2) {
     const containerName = `olam-${worldId}-devbox`;
     let watchInterval;
     function fetchAndPrint() {
-      const result = spawnSync12(
+      const result = spawnSync14(
         "docker",
         ["top", containerName, "pid", "user", "pcpu", "pmem", "stime", "stat", "cmd"],
         { encoding: "utf-8", timeout: 3e3 }
@@ -24901,7 +25519,7 @@ init_output();
 import * as fs39 from "node:fs";
 import * as os22 from "node:os";
 import * as path42 from "node:path";
-import { spawnSync as spawnSync13 } from "node:child_process";
+import { spawnSync as spawnSync15 } from "node:child_process";
 import ora8 from "ora";
 
 // src/commands/refresh-helpers.ts
@@ -24945,7 +25563,7 @@ var RESTART_TIMEOUT_S = 30;
 var HEALTH_POLL_MS = 500;
 var HEALTH_TIMEOUT_MS = 3e4;
 function docker(args) {
-  const result = spawnSync13("docker", args, {
+  const result = spawnSync15("docker", args, {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"]
   });
@@ -25293,7 +25911,7 @@ function registerDiagnose(program2) {
 }
 
 // src/lib/health-probes.ts
-import { spawnSync as spawnSync14 } from "node:child_process";
+import { spawnSync as spawnSync16 } from "node:child_process";
 import { existsSync as existsSync44, readdirSync as readdirSync11, readFileSync as readFileSync31, statSync as statSync13 } from "node:fs";
 import { homedir as homedir23 } from "node:os";
 import path44 from "node:path";
@@ -25305,7 +25923,7 @@ var HARD_CAP_BYTES = 5e9;
 // src/lib/health-probes.ts
 var HEALTH_TIMEOUT_MS2 = 5e3;
 var defaultDockerExec2 = (cmd, args) => {
-  const r = spawnSync14(cmd, [...args], {
+  const r = spawnSync16(cmd, [...args], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"]
   });
@@ -25795,10 +26413,10 @@ var NEXT_STEPS_DOCS = [
   "docs/architecture/manifest-spec.md    \u2014 per-repo .adb.yaml schema",
   "docs/architecture/config-spec.md      \u2014 workspace .olam/config.yaml schema"
 ];
-var defaultSpawn = (cmd, args) => new Promise((resolve12) => {
+var defaultSpawn = (cmd, args) => new Promise((resolve14) => {
   const child = spawn5(cmd, [...args], { stdio: "inherit" });
-  child.on("exit", (code) => resolve12({ status: code }));
-  child.on("error", () => resolve12({ status: 1 }));
+  child.on("exit", (code) => resolve14({ status: code }));
+  child.on("error", () => resolve14({ status: 1 }));
 });
 var defaultPrompt = (question, defaultYes) => {
   if (!process.stdin.isTTY) {
@@ -25808,18 +26426,18 @@ var defaultPrompt = (question, defaultYes) => {
     );
     return Promise.resolve(defaultYes);
   }
-  return new Promise((resolve12) => {
+  return new Promise((resolve14) => {
     const rl = createInterface3({ input: process.stdin, output: process.stdout });
     const suffix = defaultYes ? " [Y/n]: " : " [y/N]: ";
     rl.question(`${question}${suffix}`, (answer) => {
       rl.close();
       const t = answer.trim().toLowerCase();
-      if (t === "") resolve12(defaultYes);
-      else if (t === "y" || t === "yes") resolve12(true);
-      else if (t === "n" || t === "no") resolve12(false);
-      else resolve12(defaultYes);
+      if (t === "") resolve14(defaultYes);
+      else if (t === "y" || t === "yes") resolve14(true);
+      else if (t === "n" || t === "no") resolve14(false);
+      else resolve14(defaultYes);
     });
-    rl.on("close", () => resolve12(defaultYes));
+    rl.on("close", () => resolve14(defaultYes));
   });
 };
 async function phase1SystemCheck(deps) {
@@ -25847,9 +26465,9 @@ function parseNodeMajor(version) {
   const n = Number.parseInt(m[1], 10);
   return Number.isFinite(n) ? n : null;
 }
-function phaseFromProbe(probe) {
-  if (probe.ok) return { ok: true, message: probe.message };
-  return { ok: false, message: probe.message, remedy: probe.remedy };
+function phaseFromProbe(probe2) {
+  if (probe2.ok) return { ok: true, message: probe2.message };
+  return { ok: false, message: probe2.message, remedy: probe2.remedy };
 }
 async function phase2CliSanity(deps) {
   const version = deps.olamCliVersion ?? safeReadCliVersion();
@@ -26789,17 +27407,17 @@ function registerWorldUpgrade(program2) {
 // src/commands/mcp/serve.ts
 init_output();
 import { existsSync as existsSync51 } from "node:fs";
-import { dirname as dirname25, resolve as resolve11 } from "node:path";
+import { dirname as dirname25, resolve as resolve13 } from "node:path";
 import { fileURLToPath as fileURLToPath6 } from "node:url";
 var here = dirname25(fileURLToPath6(import.meta.url));
 var BUNDLE_PATH_CANDIDATES = [
   // bundled (`dist/index.js` after bundle-cli.mjs) — sibling
-  resolve11(here, "mcp-server.js"),
+  resolve13(here, "mcp-server.js"),
   // dev / tsc-only (`dist/commands/mcp/serve.js`) — up two levels
-  resolve11(here, "..", "..", "mcp-server.js")
+  resolve13(here, "..", "..", "mcp-server.js")
 ];
-function resolveBundlePath(candidates = BUNDLE_PATH_CANDIDATES, exists = existsSync51) {
-  return candidates.find(exists) ?? null;
+function resolveBundlePath(candidates2 = BUNDLE_PATH_CANDIDATES, exists = existsSync51) {
+  return candidates2.find(exists) ?? null;
 }
 var MISSING_BUNDLE_REMEDY = "olam mcp server bundle missing. Searched: " + BUNDLE_PATH_CANDIDATES.join(", ") + ". For local dev, run: node packages/cli/scripts/bundle-mcp-server.mjs. A fresh `npm install -g @pleri/olam-cli@latest` should always include the bundle (see prepublishOnly in packages/cli/package.json); file an issue if it does not.";
 function registerMcpServe(cmd) {
@@ -26820,14 +27438,14 @@ function registerMcpServe(cmd) {
 init_output();
 
 // src/commands/mcp/install-shared.ts
-import { spawnSync as spawnSync15 } from "node:child_process";
+import { spawnSync as spawnSync17 } from "node:child_process";
 var DEFAULT_CLAUDE_SHELL_DEPS = {
-  spawn: spawnSync15,
+  spawn: spawnSync17,
   log: (msg) => console.log(msg)
 };
 function isOnPath(deps, bin) {
-  const probe = process.platform === "win32" ? "where" : "which";
-  const result = deps.spawn(probe, [bin], {
+  const probe2 = process.platform === "win32" ? "where" : "which";
+  const result = deps.spawn(probe2, [bin], {
     encoding: "utf8",
     stdio: ["ignore", "pipe", "ignore"]
   });
@@ -26838,6 +27456,10 @@ function normaliseScope(raw) {
   return value === "user" || value === "project" || value === "local" ? value : null;
 }
 var REMEDY_CLAUDE_MISSING = "`claude` not found on PATH. Install Claude Code (https://docs.claude.com/claude-code) or paste the JSON snippet from docs/architecture/mcp-as-npx-served.md.";
+var NOT_INSTALLED_PATTERN = /no\s+(?:\S+\s+)*mcp\s+server\s+found/i;
+function looksLikeNotInstalled(text) {
+  return NOT_INSTALLED_PATTERN.test(text);
+}
 
 // src/commands/mcp/install.ts
 var NPM_PACKAGE_NAME = "@pleri/olam-cli";
@@ -26889,10 +27511,6 @@ function registerMcpInstall(cmd) {
 
 // src/commands/mcp/uninstall.ts
 init_output();
-var NOT_INSTALLED_PATTERN = /no\s+(?:\S+\s+)*mcp\s+server\s+found/i;
-function looksLikeNotInstalled(text) {
-  return NOT_INSTALLED_PATTERN.test(text);
-}
 function buildClaudeMcpRemoveArgs(scope) {
   return {
     command: "claude",
@@ -27043,7 +27661,7 @@ function registerMcpLogin(cmd) {
 init_output();
 import * as readline2 from "node:readline";
 async function readTokenSilent(prompt) {
-  return new Promise((resolve12, reject) => {
+  return new Promise((resolve14, reject) => {
     const rl = readline2.createInterface({
       input: process.stdin,
       output: process.stdout,
@@ -27061,7 +27679,7 @@ async function readTokenSilent(prompt) {
         process.stdin.removeListener("data", onData);
         process.stdout.write("\n");
         rl.close();
-        resolve12(token);
+        resolve14(token);
       } else if (char === "") {
         if (process.stdin.isTTY) process.stdin.setRawMode(false);
         process.stdin.removeListener("data", onData);
@@ -27336,7 +27954,7 @@ async function discoverMcpSources(repoPaths) {
 import { spawn as spawn7 } from "node:child_process";
 var VALIDATION_TIMEOUT_MS = 5e3;
 async function validateMcpEntry(entry) {
-  return new Promise((resolve12) => {
+  return new Promise((resolve14) => {
     let stdout = "";
     let timedOut = false;
     let child;
@@ -27346,7 +27964,7 @@ async function validateMcpEntry(entry) {
         env: { ...process.env, ...entry.env ?? {} }
       });
     } catch (err) {
-      resolve12({
+      resolve14({
         name: entry.name,
         validated: false,
         reason: err instanceof Error ? err.message : "spawn failed"
@@ -27363,11 +27981,11 @@ async function validateMcpEntry(entry) {
     child.on("close", (code) => {
       clearTimeout(timer);
       if (timedOut) {
-        resolve12({ name: entry.name, validated: false, reason: "timeout (5s)" });
+        resolve14({ name: entry.name, validated: false, reason: "timeout (5s)" });
         return;
       }
       const validated = code === 0 && stdout.trim().length > 0;
-      resolve12({
+      resolve14({
         name: entry.name,
         validated,
         reason: validated ? "ok" : `exit code ${code ?? "null"}`
@@ -27375,7 +27993,7 @@ async function validateMcpEntry(entry) {
     });
     child.on("error", (err) => {
       clearTimeout(timer);
-      resolve12({ name: entry.name, validated: false, reason: err.message });
+      resolve14({ name: entry.name, validated: false, reason: err.message });
     });
   });
 }
@@ -27390,11 +28008,11 @@ async function multiSelectPicker(entries) {
     );
   });
   console.log("\n" + pc29.dim('Enter numbers to import (e.g. 1,2,3 or "all" or Enter to skip):'));
-  const answer = await new Promise((resolve12) => {
+  const answer = await new Promise((resolve14) => {
     const rl = readline3.createInterface({ input: process.stdin, output: process.stdout });
     rl.question("> ", (ans) => {
       rl.close();
-      resolve12(ans.trim());
+      resolve14(ans.trim());
     });
   });
   if (!answer || answer === "") return [];
@@ -27421,21 +28039,21 @@ function registerMcpImport(cmd) {
     }
     printInfo("Sources", sources.length > 0 ? sources.join(", ") : "none");
     printInfo("Found", `${entries.length} MCP server(s) in ${Math.round(durationMs)}ms`);
-    let candidates = entries;
+    let candidates2 = entries;
     let skippedCount = 0;
     if (!opts.reimport) {
       const filtered = entries.filter((e) => !existingIds.has(e.name));
       skippedCount = entries.length - filtered.length;
-      candidates = filtered;
+      candidates2 = filtered;
     }
     if (skippedCount > 0) {
       console.log(pc29.dim(`skipped: ${skippedCount} already registered`));
     }
-    if (candidates.length === 0) {
+    if (candidates2.length === 0) {
       console.log(pc29.dim("Nothing new to import. Use --reimport to force."));
       return;
     }
-    const selected = await multiSelectPicker(candidates);
+    const selected = await multiSelectPicker(candidates2);
     if (selected.length === 0) {
       console.log(pc29.dim("No servers selected."));
       return;
@@ -27535,11 +28153,607 @@ function registerMcp(program2) {
   registerMcpRevoke(mcp);
 }
 
+// src/commands/memory/start.ts
+init_output();
+import { spawn as spawn8 } from "node:child_process";
+import { existsSync as existsSync54, mkdirSync as mkdirSync30, openSync as openSync3, readFileSync as readFileSync38, writeFileSync as writeFileSync24 } from "node:fs";
+import { join as join52 } from "node:path";
+
+// src/lib/memory-secret.ts
+import { existsSync as existsSync53, mkdirSync as mkdirSync29, readFileSync as readFileSync37, statSync as statSync14, writeFileSync as writeFileSync23, renameSync as renameSync5, chmodSync as chmodSync4 } from "node:fs";
+import { homedir as homedir29 } from "node:os";
+import { join as join50, dirname as dirname26 } from "node:path";
+import { randomBytes as randomBytes6 } from "node:crypto";
+var MEMORY_SECRET_PATH = join50(homedir29(), ".olam", "memory-secret");
+var SECRET_LEN_BYTES = 32;
+function generateSecret() {
+  return randomBytes6(SECRET_LEN_BYTES).toString("hex");
+}
+function writeSecretAtPath(path56, value) {
+  mkdirSync29(dirname26(path56), { recursive: true });
+  const tmp = `${path56}.tmp.${process.pid}`;
+  writeFileSync23(tmp, value, { mode: 384 });
+  chmodSync4(tmp, 384);
+  renameSync5(tmp, path56);
+}
+function readSecretAtPathOrNull(path56) {
+  if (!existsSync53(path56)) return null;
+  const mode = statSync14(path56).mode & 511;
+  if (mode !== 384) {
+    process.stderr.write(
+      `warn: ${path56} has mode 0${mode.toString(8)}; expected 0600. Run 'olam memory secret rotate' to regenerate.
+`
+    );
+  }
+  return readFileSync37(path56, "utf8").trim();
+}
+function readSecretAtPath(path56) {
+  const v = readSecretAtPathOrNull(path56);
+  if (v === null) {
+    throw new Error(
+      `Secret not found at ${path56}. Run 'olam memory start' to generate it.`
+    );
+  }
+  return v;
+}
+function ensureMemorySecret(path56 = MEMORY_SECRET_PATH) {
+  const existing = readSecretAtPathOrNull(path56);
+  if (existing) return existing;
+  const fresh = generateSecret();
+  writeSecretAtPath(path56, fresh);
+  return fresh;
+}
+function readMemorySecretOrNull(path56 = MEMORY_SECRET_PATH) {
+  return readSecretAtPathOrNull(path56);
+}
+function readMemorySecret(path56 = MEMORY_SECRET_PATH) {
+  return readSecretAtPath(path56);
+}
+function rotateMemorySecret(path56 = MEMORY_SECRET_PATH) {
+  const fresh = generateSecret();
+  writeSecretAtPath(path56, fresh);
+  return fresh;
+}
+function hasMemorySecret(path56 = MEMORY_SECRET_PATH) {
+  return existsSync53(path56);
+}
+
+// src/commands/memory/_paths.ts
+import { homedir as homedir30 } from "node:os";
+import { join as join51, dirname as dirname27 } from "node:path";
+import { fileURLToPath as fileURLToPath7 } from "node:url";
+var OLAM_HOME = join51(homedir30(), ".olam");
+var OLAM_BIN_DIR = join51(OLAM_HOME, "bin");
+var III_BINARY_PATH = join51(OLAM_BIN_DIR, "iii");
+var MEMORY_PID_PATH = join51(OLAM_HOME, "memory.pid");
+var MEMORY_LOG_PATH = join51(OLAM_HOME, "memory-service.log");
+var MEMORY_DATA_DIR = join51(OLAM_HOME, "memory-data");
+var MEMORY_REST_PORT = 3111;
+var MEMORY_LIVEZ_URL = `http://localhost:${MEMORY_REST_PORT}/agentmemory/livez`;
+var here2 = dirname27(fileURLToPath7(import.meta.url));
+var candidates = [
+  // Workspace dev: packages/cli/src/commands/memory/_paths.ts (run via tsx) — unlikely
+  // Workspace built: packages/cli/dist/commands/memory/_paths.js → packages/cli → packages/memory-service
+  join51(here2, "..", "..", "..", "..", "memory-service"),
+  // Bundled: dist/index.js (esbuild) → packages/cli → packages/memory-service
+  join51(here2, "..", "..", "memory-service"),
+  // Fallback: cwd-relative
+  join51(process.cwd(), "packages", "memory-service")
+];
+var MEMORY_SERVICE_CANDIDATES = candidates;
+
+// src/commands/memory/start.ts
+var READINESS_TIMEOUT_MS = 3e4;
+var READINESS_POLL_MS = 500;
+function resolveMemoryServiceDir() {
+  for (const c of MEMORY_SERVICE_CANDIDATES) {
+    if (existsSync54(c)) return c;
+  }
+  throw new Error(
+    `Could not find packages/memory-service/. Searched: ${MEMORY_SERVICE_CANDIDATES.join(", ")}. If running from a published @pleri/olam-cli tarball, this is a packaging bug \u2014 please file an issue.`
+  );
+}
+function resolveAgentMemoryBin(serviceDir) {
+  const candidates2 = [
+    join52(serviceDir, "node_modules", ".bin", "agentmemory"),
+    join52(serviceDir, "..", "..", "node_modules", ".bin", "agentmemory"),
+    join52(serviceDir, "..", "..", "..", "node_modules", ".bin", "agentmemory")
+  ];
+  for (const c of candidates2) {
+    if (existsSync54(c)) return c;
+  }
+  throw new Error(
+    `Could not find agentmemory bin. Searched: ${candidates2.join(", ")}. Run 'npm install' from the repo root.`
+  );
+}
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function readPidFromFile() {
+  if (!existsSync54(MEMORY_PID_PATH)) return null;
+  const raw = readFileSync38(MEMORY_PID_PATH, "utf8").trim();
+  const pid = parseInt(raw, 10);
+  if (!Number.isFinite(pid) || pid <= 0) return null;
+  return pid;
+}
+async function probeLivez(secret, signal) {
+  try {
+    const resp = await fetch(MEMORY_LIVEZ_URL, {
+      headers: { authorization: `Bearer ${secret}` },
+      signal
+    });
+    if (!resp.ok) return false;
+    const body = await resp.json();
+    return body.status === "ok";
+  } catch {
+    return false;
+  }
+}
+async function waitForReady(secret) {
+  const deadline = Date.now() + READINESS_TIMEOUT_MS;
+  while (Date.now() < deadline) {
+    if (await probeLivez(secret)) return true;
+    await new Promise((r) => setTimeout(r, READINESS_POLL_MS));
+  }
+  return false;
+}
+async function runMemoryStart() {
+  printHeader("olam memory start");
+  if (!existsSync54(III_BINARY_PATH)) {
+    printError(
+      `iii binary missing at ${III_BINARY_PATH}. Run: node packages/memory-service/scripts/ensure-iii-engine.mjs`
+    );
+    return 1;
+  }
+  printInfo("iii binary", III_BINARY_PATH);
+  const secret = ensureMemorySecret();
+  printInfo("secret", "~/.olam/memory-secret (0600)");
+  const serviceDir = resolveMemoryServiceDir();
+  const agentmemoryBin = resolveAgentMemoryBin(serviceDir);
+  printInfo("agentmemory", agentmemoryBin);
+  const existingPid = readPidFromFile();
+  if (existingPid !== null && isProcessAlive(existingPid)) {
+    const ready2 = await probeLivez(secret);
+    if (ready2) {
+      printSuccess(`already running (pid ${existingPid}); /agentmemory/livez ok`);
+      return 0;
+    }
+    printError(
+      `pid ${existingPid} is alive but /agentmemory/livez isn't responding. Run 'olam memory stop' to clear, then retry.`
+    );
+    return 1;
+  }
+  mkdirSync30(OLAM_HOME, { recursive: true });
+  mkdirSync30(MEMORY_DATA_DIR, { recursive: true });
+  const logFd = openSync3(MEMORY_LOG_PATH, "a");
+  const child = spawn8(agentmemoryBin, [], {
+    cwd: OLAM_HOME,
+    env: {
+      ...process.env,
+      AGENTMEMORY_SECRET: secret,
+      PATH: `${OLAM_BIN_DIR}:${process.env.PATH ?? ""}`
+    },
+    stdio: ["ignore", logFd, logFd],
+    detached: true
+  });
+  child.unref();
+  if (child.pid === void 0) {
+    printError("spawn returned no pid (process failed to start)");
+    return 1;
+  }
+  writeFileSync24(MEMORY_PID_PATH, `${child.pid}
+`, { mode: 420 });
+  printInfo("pid", `${child.pid}`);
+  printInfo("readiness", `polling ${MEMORY_LIVEZ_URL}`);
+  const ready = await waitForReady(secret);
+  if (!ready) {
+    printError(
+      `agentmemory failed to come up within ${READINESS_TIMEOUT_MS / 1e3}s. Inspect ${MEMORY_LOG_PATH} for engine errors.`
+    );
+    return 1;
+  }
+  printSuccess(`memory service ready (pid ${child.pid}; logs at ${MEMORY_LOG_PATH})`);
+  return 0;
+}
+function registerMemoryStart(cmd) {
+  cmd.command("start").description("Start the host agent-memory process (idempotent; polls livez until ready)").action(async () => {
+    const rc = await runMemoryStart();
+    if (rc !== 0) process.exitCode = rc;
+  });
+}
+
+// src/commands/memory/stop.ts
+init_output();
+import { existsSync as existsSync55, readFileSync as readFileSync39, unlinkSync as unlinkSync9 } from "node:fs";
+var SIGTERM_GRACE_MS = 1e4;
+var POLL_MS = 250;
+function isAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function runMemoryStop() {
+  printHeader("olam memory stop");
+  if (!existsSync55(MEMORY_PID_PATH)) {
+    printSuccess("no pidfile present (nothing to stop)");
+    return 0;
+  }
+  const pid = parseInt(readFileSync39(MEMORY_PID_PATH, "utf8").trim(), 10);
+  if (!Number.isFinite(pid) || pid <= 0) {
+    printWarning(`pidfile contained invalid value; removing`);
+    unlinkSync9(MEMORY_PID_PATH);
+    return 0;
+  }
+  if (!isAlive(pid)) {
+    printSuccess(`pid ${pid} is not running (stale pidfile); cleaned up`);
+    unlinkSync9(MEMORY_PID_PATH);
+    return 0;
+  }
+  printInfo("pid", `${pid}`);
+  try {
+    process.kill(pid, "SIGTERM");
+  } catch (err) {
+    printWarning(`SIGTERM to pid ${pid} failed: ${err.message}`);
+  }
+  const deadline = Date.now() + SIGTERM_GRACE_MS;
+  while (Date.now() < deadline) {
+    if (!isAlive(pid)) break;
+    await new Promise((r) => setTimeout(r, POLL_MS));
+  }
+  if (isAlive(pid)) {
+    printWarning(`pid ${pid} did not exit within ${SIGTERM_GRACE_MS / 1e3}s; sending SIGKILL`);
+    try {
+      process.kill(pid, "SIGKILL");
+    } catch (err) {
+      printWarning(`SIGKILL to pid ${pid} failed: ${err.message}`);
+    }
+    await new Promise((r) => setTimeout(r, 500));
+  }
+  if (existsSync55(MEMORY_PID_PATH)) {
+    unlinkSync9(MEMORY_PID_PATH);
+  }
+  printSuccess(`stopped (pid ${pid})`);
+  return 0;
+}
+function registerMemoryStop(cmd) {
+  cmd.command("stop").description("Stop the host agent-memory process (SIGTERM \u2192 SIGKILL after 10s; idempotent)").action(async () => {
+    const rc = await runMemoryStop();
+    if (rc !== 0) process.exitCode = rc;
+  });
+}
+
+// src/commands/memory/status.ts
+init_output();
+import { existsSync as existsSync56, readFileSync as readFileSync40 } from "node:fs";
+function isAlive2(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function probe(secret) {
+  try {
+    const headers = {};
+    if (secret) headers.authorization = `Bearer ${secret}`;
+    const resp = await fetch(MEMORY_LIVEZ_URL, { headers });
+    if (resp.status === 401) return "unauthorized";
+    if (!resp.ok) return "unknown";
+    const body = await resp.json();
+    return body.status === "ok" ? "ok" : "unknown";
+  } catch {
+    return "unreachable";
+  }
+}
+async function collectMemoryStatus() {
+  let pid = null;
+  if (existsSync56(MEMORY_PID_PATH)) {
+    const raw = readFileSync40(MEMORY_PID_PATH, "utf8").trim();
+    const parsed = parseInt(raw, 10);
+    pid = Number.isFinite(parsed) && parsed > 0 ? parsed : null;
+  }
+  const alive = pid === null ? null : isAlive2(pid);
+  const secret = readMemorySecretOrNull();
+  const livez = await probe(secret);
+  return {
+    pid,
+    alive,
+    livez,
+    secretSet: hasMemorySecret(),
+    iiiBinary: existsSync56(III_BINARY_PATH) ? III_BINARY_PATH : null,
+    port: MEMORY_REST_PORT
+  };
+}
+async function runMemoryStatus(opts = {}) {
+  const s = await collectMemoryStatus();
+  if (opts.json) {
+    process.stdout.write(JSON.stringify(s, null, 2) + "\n");
+    return s.livez === "ok" ? 0 : 1;
+  }
+  printHeader("olam memory status");
+  printInfo("pid", s.pid === null ? "(no pidfile)" : `${s.pid}`);
+  printInfo("alive", s.alive === null ? "n/a" : s.alive ? "yes" : "no (stale pidfile)");
+  printInfo("livez", s.livez);
+  printInfo("secret", s.secretSet ? "~/.olam/memory-secret (set)" : "(missing)");
+  printInfo("iii", s.iiiBinary ?? "(not installed)");
+  printInfo("port", `${s.port}`);
+  if (s.livez === "ok" && s.alive) return 0;
+  if (s.livez === "unauthorized") {
+    printWarning("livez returned 401 \u2014 the memory service is up but the local secret does not match. Try `olam memory secret rotate`.");
+    return 1;
+  }
+  if (s.alive === false && s.pid !== null) {
+    printWarning("pidfile points at a dead process; run `olam memory stop` to clean up");
+    return 1;
+  }
+  if (!s.iiiBinary) {
+    printWarning("iii binary missing; run `node packages/memory-service/scripts/ensure-iii-engine.mjs`");
+  }
+  if (!s.secretSet) {
+    printWarning("secret missing; `olam memory start` will generate it");
+  }
+  return s.livez === "ok" ? 0 : 1;
+}
+function registerMemoryStatus(cmd) {
+  cmd.command("status").description("Diagnostic dump for the host memory service (pid + livez + secret-set check)").option("--json", "Machine-readable JSON output", false).action(async (opts) => {
+    const rc = await runMemoryStatus(opts);
+    if (rc !== 0) process.exitCode = rc;
+  });
+}
+
+// src/commands/memory/logs.ts
+init_output();
+import { existsSync as existsSync57 } from "node:fs";
+import { spawn as spawn9 } from "node:child_process";
+async function runMemoryLogs(opts) {
+  if (!existsSync57(MEMORY_LOG_PATH)) {
+    printWarning(`no log at ${MEMORY_LOG_PATH} (start the service first via 'olam memory start')`);
+    return 1;
+  }
+  const tailN = opts.tail ? parseInt(opts.tail, 10) : 50;
+  if (!Number.isFinite(tailN) || tailN < 0) {
+    printWarning(`invalid --tail value: ${opts.tail}`);
+    return 1;
+  }
+  const args = ["-n", `${tailN}`];
+  if (opts.follow) args.push("-f");
+  args.push(MEMORY_LOG_PATH);
+  printHeader(`olam memory logs (${opts.follow ? "follow" : `tail -n ${tailN}`})`);
+  const child = spawn9("tail", args, { stdio: "inherit" });
+  return new Promise((resolve14) => {
+    child.on("exit", (code) => resolve14(code ?? 0));
+  });
+}
+function registerMemoryLogs(cmd) {
+  cmd.command("logs").description("Tail the memory service log file at ~/.olam/memory-service.log").option("-f, --follow", "Stream new log lines (Ctrl-C to stop)", false).option("--tail <n>", "Number of trailing lines (default 50)", "50").action(async (opts) => {
+    const rc = await runMemoryLogs(opts);
+    if (rc !== 0) process.exitCode = rc;
+  });
+}
+
+// src/commands/memory/secret.ts
+import { existsSync as existsSync58 } from "node:fs";
+init_output();
+async function runMemorySecretShow() {
+  if (!hasMemorySecret()) {
+    printError(
+      `secret missing at ${MEMORY_SECRET_PATH}. Run 'olam memory start' to generate it.`
+    );
+    return 1;
+  }
+  process.stdout.write(`${readMemorySecret()}
+`);
+  return 0;
+}
+async function runMemorySecretRotate() {
+  printHeader("olam memory secret rotate");
+  const wasRunning = existsSync58(MEMORY_PID_PATH);
+  if (wasRunning) {
+    printInfo("current state", "service running; will restart with new secret");
+    const stopRc = await runMemoryStop();
+    if (stopRc !== 0) {
+      printError("failed to stop the running service; rotation aborted to avoid split-brain");
+      return stopRc;
+    }
+  } else {
+    printInfo("current state", "service stopped");
+  }
+  const fresh = rotateMemorySecret();
+  printSuccess(`secret rotated (${fresh.length / 2}-byte hex written to ${MEMORY_SECRET_PATH})`);
+  if (wasRunning) {
+    printInfo("restarting", "memory service with new secret");
+    const startRc = await runMemoryStart();
+    if (startRc !== 0) {
+      printError(
+        "service failed to restart after rotation. The new secret is on disk; run `olam memory start` once you fix the underlying issue."
+      );
+      return startRc;
+    }
+  } else {
+    printWarning("service was not running; new secret will be picked up on next `olam memory start`");
+  }
+  printWarning(
+    "worlds created BEFORE this rotation still have the old secret in their env. Re-create them (olam destroy + olam create) to pick up the new value."
+  );
+  return 0;
+}
+function registerMemorySecret(cmd) {
+  const secret = cmd.command("secret").description("Show or rotate the bearer secret at ~/.olam/memory-secret");
+  secret.command("show").description("Print the current secret value (use with care; do not pipe to logs)").action(async () => {
+    const rc = await runMemorySecretShow();
+    if (rc !== 0) process.exitCode = rc;
+  });
+  secret.command("rotate").description(
+    "Regenerate the secret and restart the running memory service (worlds created before rotation must be re-created)"
+  ).action(async () => {
+    const rc = await runMemorySecretRotate();
+    if (rc !== 0) process.exitCode = rc;
+  });
+}
+
+// src/commands/memory/install.ts
+init_output();
+var MCP_NAME = "agentmemory";
+var NPM_PACKAGE_NAME2 = "@agentmemory/mcp";
+var DEFAULT_SECRET_READER = () => readMemorySecretOrNull();
+function buildClaudeMcpAddArgs2(scope, agentmemoryUrl, secret) {
+  return {
+    command: "claude",
+    args: [
+      "mcp",
+      "add",
+      MCP_NAME,
+      "--scope",
+      scope,
+      "--env",
+      `AGENTMEMORY_URL=${agentmemoryUrl}`,
+      "--env",
+      `AGENTMEMORY_SECRET=${secret}`,
+      "--",
+      "npx",
+      "-y",
+      NPM_PACKAGE_NAME2
+    ]
+  };
+}
+var REMEDY_SECRET_MISSING = `No memory-secret found at ${MEMORY_SECRET_PATH}. Run 'olam memory start' first \u2014 it generates the secret on first launch.`;
+function redactSecretInText(text) {
+  return text.replace(/AGENTMEMORY_SECRET=\S+/g, "AGENTMEMORY_SECRET=<redacted>");
+}
+async function runInstall2(opts, deps = DEFAULT_CLAUDE_SHELL_DEPS) {
+  if (!isOnPath(deps, "claude")) {
+    printError(REMEDY_CLAUDE_MISSING);
+    return 1;
+  }
+  const readSecret = opts.readSecret ?? DEFAULT_SECRET_READER;
+  const secret = opts.secret ?? readSecret();
+  if (!secret) {
+    printError(REMEDY_SECRET_MISSING);
+    return 1;
+  }
+  const agentmemoryUrl = `http://localhost:${MEMORY_REST_PORT}`;
+  const { command, args } = buildClaudeMcpAddArgs2(opts.scope, agentmemoryUrl, secret);
+  const redacted = args.map(
+    (a) => a.startsWith("AGENTMEMORY_SECRET=") ? "AGENTMEMORY_SECRET=<redacted>" : a
+  );
+  deps.log(`Wiring: ${command} ${redacted.join(" ")}`);
+  const result = deps.spawn(command, args, {
+    encoding: "utf8",
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+  if (result.status !== 0) {
+    const detail = redactSecretInText(
+      result.stderr?.trim() || result.stdout?.trim() || "(no output)"
+    );
+    printError(`claude mcp add failed (rc=${result.status ?? "unknown"}): ${detail}`);
+    return result.status ?? 1;
+  }
+  printSuccess(
+    `agentmemory MCP registered with claude (--scope ${opts.scope}; url ${agentmemoryUrl}).`
+  );
+  return 0;
+}
+function registerMemoryInstall(cmd) {
+  cmd.command("install").description(
+    "Register agentmemory as an MCP server with the operator's host claude (shells to `claude mcp add`)"
+  ).option("--scope <scope>", "claude mcp scope: user | project | local", "user").action(async (rawOpts) => {
+    const scope = normaliseScope(rawOpts.scope);
+    if (scope === null) {
+      printError(`--scope must be one of: user, project, local (got: ${rawOpts.scope})`);
+      process.exitCode = 1;
+      return;
+    }
+    const rc = await runInstall2({ scope });
+    if (rc !== 0) {
+      process.exitCode = rc;
+    }
+  });
+}
+
+// src/commands/memory/uninstall.ts
+init_output();
+var MCP_NAME2 = "agentmemory";
+function buildClaudeMcpRemoveArgs2(scope) {
+  return {
+    command: "claude",
+    args: ["mcp", "remove", MCP_NAME2, "--scope", scope]
+  };
+}
+async function runUninstall2(opts, deps = DEFAULT_CLAUDE_SHELL_DEPS) {
+  if (!isOnPath(deps, "claude")) {
+    printError(REMEDY_CLAUDE_MISSING);
+    return 1;
+  }
+  const { command, args } = buildClaudeMcpRemoveArgs2(opts.scope);
+  deps.log(`Unwiring: ${command} ${args.join(" ")}`);
+  const result = deps.spawn(command, args, {
+    encoding: "utf8",
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+  if (result.status === 0) {
+    printSuccess(`agentmemory MCP removed from claude (--scope ${opts.scope}).`);
+    return 0;
+  }
+  const stderr = result.stderr?.trim() ?? "";
+  const stdout = result.stdout?.trim() ?? "";
+  const combined = `${stderr}
+${stdout}`.trim();
+  if (looksLikeNotInstalled(combined)) {
+    printWarning(
+      `agentmemory MCP not registered with claude (--scope ${opts.scope}); nothing to remove.`
+    );
+    return 0;
+  }
+  printError(
+    `claude mcp remove failed (rc=${result.status ?? "unknown"}): ${combined || "(no output)"}`
+  );
+  return result.status ?? 1;
+}
+function registerMemoryUninstall(cmd) {
+  cmd.command("uninstall").description(
+    "Remove agentmemory from the operator's host claude (symmetric with `install`; idempotent)"
+  ).option("--scope <scope>", "claude mcp scope: user | project | local", "user").action(async (rawOpts) => {
+    const scope = normaliseScope(rawOpts.scope);
+    if (scope === null) {
+      printError(`--scope must be one of: user, project, local (got: ${rawOpts.scope})`);
+      process.exitCode = 1;
+      return;
+    }
+    const rc = await runUninstall2({ scope });
+    if (rc !== 0) {
+      process.exitCode = rc;
+    }
+  });
+}
+
+// src/commands/memory/index.ts
+function registerMemory(program2) {
+  const memory = program2.command("memory").description(
+    "Host-process agent-memory service for the olam fleet (start, stop, status, logs, secret, install, uninstall)"
+  );
+  registerMemoryStart(memory);
+  registerMemoryStop(memory);
+  registerMemoryStatus(memory);
+  registerMemoryLogs(memory);
+  registerMemorySecret(memory);
+  registerMemoryInstall(memory);
+  registerMemoryUninstall(memory);
+}
+
 // src/commands/kg-build.ts
 init_storage_paths();
 init_workspace_name();
 init_output();
-import { spawnSync as spawnSync16 } from "node:child_process";
+import { spawnSync as spawnSync18 } from "node:child_process";
 import fs49 from "node:fs";
 import path54 from "node:path";
 
@@ -27547,11 +28761,11 @@ import path54 from "node:path";
 init_storage_paths();
 init_workspace_name();
 import fs47 from "node:fs";
-import { homedir as homedir29 } from "node:os";
+import { homedir as homedir31 } from "node:os";
 import path52 from "node:path";
 init_output();
 function olamHome4() {
-  return process.env.OLAM_HOME ?? path52.join(homedir29(), ".olam");
+  return process.env.OLAM_HOME ?? path52.join(homedir31(), ".olam");
 }
 function kgRoot2() {
   return path52.join(olamHome4(), "kg");
@@ -27806,7 +29020,7 @@ function registerKgStatusCommand(kg) {
 init_storage_paths();
 init_workspace_name();
 init_output();
-import { spawn as spawn8 } from "node:child_process";
+import { spawn as spawn10 } from "node:child_process";
 import fs48 from "node:fs";
 import path53 from "node:path";
 function pidFilePath(workspace) {
@@ -27876,7 +29090,7 @@ async function runKgWatch(workspaceArg, opts, deps = {}) {
   if (pidState.status === "stale-reclaimed") {
     printInfo("stale-pid", `reclaimed dead PID file at ${pidFilePath(name)}`);
   }
-  const spawnFn = deps.spawnImpl ?? spawn8;
+  const spawnFn = deps.spawnImpl ?? spawn10;
   const child = spawnFn(
     "graphify",
     [cwd, "--watch", "--update", "--graph", graphPath],
@@ -27905,16 +29119,16 @@ async function runKgWatch(workspaceArg, opts, deps = {}) {
     process.on("SIGINT", () => forward("SIGINT"));
     process.on("SIGTERM", () => forward("SIGTERM"));
   }
-  return new Promise((resolve12) => {
+  return new Promise((resolve14) => {
     child.on("exit", (code, signal) => {
       removePidFile(name);
       const exitCode = typeof code === "number" ? code : signal === "SIGINT" || signal === "SIGTERM" ? 0 : 1;
-      resolve12({ exitCode, pidWritten: true });
+      resolve14({ exitCode, pidWritten: true });
     });
     child.on("error", (err) => {
       removePidFile(name);
       printError(`graphify subprocess error: ${err.message}`);
-      resolve12({ exitCode: 1, pidWritten: true });
+      resolve14({ exitCode: 1, pidWritten: true });
     });
   });
 }
@@ -27937,13 +29151,13 @@ function resolveWorkspace(arg) {
 }
 function copyWorkspaceToScratch(source, scratch) {
   if (process.platform === "darwin") {
-    const r2 = spawnSync16("cp", ["-c", "-r", source + "/.", scratch], {
+    const r2 = spawnSync18("cp", ["-c", "-r", source + "/.", scratch], {
       stdio: ["ignore", "ignore", "pipe"],
       encoding: "utf-8"
     });
     if (r2.status === 0) return "cp-c-r-reflink";
   }
-  const r = spawnSync16("cp", ["-r", source + "/.", scratch], {
+  const r = spawnSync18("cp", ["-r", source + "/.", scratch], {
     stdio: ["ignore", "ignore", "pipe"],
     encoding: "utf-8"
   });
@@ -27964,7 +29178,7 @@ function parseNodeCount(graphifyOutDir) {
   }
 }
 function readGraphifyVersion(image) {
-  const r = spawnSync16(
+  const r = spawnSync18(
     "docker",
     [
       "run",
@@ -28016,7 +29230,7 @@ async function runKgBuild(workspaceArg, options = {}) {
       "update",
       "."
     ];
-    const r = human ? spawnSync16("docker", dockerArgs, { stdio: "inherit" }) : spawnSync16("docker", dockerArgs, { stdio: ["ignore", "ignore", "pipe"] });
+    const r = human ? spawnSync18("docker", dockerArgs, { stdio: "inherit" }) : spawnSync18("docker", dockerArgs, { stdio: ["ignore", "ignore", "pipe"] });
     if (r.status !== 0) {
       printError(`graphify update failed (exit ${r.status})`);
       return { exitCode: r.status ?? 1 };
@@ -28072,6 +29286,250 @@ function registerKg(program2) {
   registerKgWatchCommand(kg);
 }
 
+// src/commands/seed.ts
+init_output();
+import { spawnSync as spawnSync19, spawn as spawnAsync2 } from "node:child_process";
+var DEFAULT_SINGLETON_CONTAINER = "olam-postgres";
+var DEFAULT_SINGLETON_USER = "development";
+function assertValidSeedName(name) {
+  if (!/^[a-z][a-z0-9_]*$/.test(name)) {
+    throw new Error(
+      `invalid seed name "${name}" \u2014 must match [a-z][a-z0-9_]* (no hyphens, no uppercase)`
+    );
+  }
+}
+function singletonDocker(container, user, args, stdin) {
+  return spawnSync19(
+    "docker",
+    ["exec", "-i", container, "psql", "-U", user, ...args],
+    { encoding: "utf-8", input: stdin }
+  );
+}
+function singletonHasDb(container, user, db) {
+  const r = singletonDocker(container, user, [
+    "-d",
+    "postgres",
+    "-tAc",
+    `SELECT 1 FROM pg_database WHERE datname='${db.replace(/'/g, "''")}'`
+  ]);
+  return r.status === 0 && (r.stdout || "").trim() === "1";
+}
+function singletonListSeeds(container, user) {
+  const r = singletonDocker(container, user, [
+    "-d",
+    "postgres",
+    "-tAc",
+    "SELECT datname || '|' || pg_size_pretty(pg_database_size(datname)) FROM pg_database WHERE datname LIKE '%\\_seed' ORDER BY datname"
+  ]);
+  if (r.status !== 0) {
+    throw new Error(`failed to list seeds: ${(r.stderr || "").trim()}`);
+  }
+  const lines = (r.stdout || "").trim().split("\n").filter((l) => l.length > 0);
+  return lines.map((line) => {
+    const [name = "", size = ""] = line.split("|");
+    return { name, size };
+  });
+}
+function singletonListClonesOf(container, user, seed) {
+  const prefix = seed.endsWith("_seed") ? seed.slice(0, -"_seed".length) : seed;
+  const r = singletonDocker(container, user, [
+    "-d",
+    "postgres",
+    "-tAc",
+    `SELECT datname FROM pg_database WHERE datname LIKE '${prefix.replace(/'/g, "''")}_world_%' ORDER BY datname`
+  ]);
+  if (r.status !== 0) return [];
+  return (r.stdout || "").trim().split("\n").filter((l) => l.length > 0);
+}
+async function handleBake(opts) {
+  assertValidSeedName(opts.as);
+  const singleton = opts.singletonContainer ?? DEFAULT_SINGLETON_CONTAINER;
+  const singletonUser = opts.singletonUser ?? DEFAULT_SINGLETON_USER;
+  const sources = [opts.sourceContainer, opts.sourceUrl, opts.sourceLocal].filter(Boolean);
+  if (sources.length === 0) {
+    throw new Error(
+      "no source specified \u2014 pass exactly one of --source-container, --source-url, --source-local"
+    );
+  }
+  if (sources.length > 1) {
+    throw new Error("multiple sources specified \u2014 pass exactly one of --source-container, --source-url, --source-local");
+  }
+  const ping = spawnSync19("docker", ["inspect", "--format", "{{.State.Status}}", singleton], { encoding: "utf-8" });
+  if (ping.status !== 0 || (ping.stdout || "").trim() !== "running") {
+    throw new Error(`singleton container "${singleton}" not running \u2014 run \`olam bootstrap\` first`);
+  }
+  if (singletonHasDb(singleton, singletonUser, opts.as)) {
+    if (!opts.force) {
+      throw new Error(`seed "${opts.as}" already exists \u2014 pass --force to overwrite (DROP + recreate)`);
+    }
+    const clones = singletonListClonesOf(singleton, singletonUser, opts.as);
+    if (clones.length > 0) {
+      throw new Error(
+        `cannot --force overwrite "${opts.as}" \u2014 ${clones.length} per-world clone(s) still depend on it: ${clones.join(", ")}
+Destroy those worlds first, then re-bake.`
+      );
+    }
+    printWarning(`Dropping existing seed "${opts.as}" (--force)`);
+    const drop = singletonDocker(singleton, singletonUser, ["-d", "postgres", "-c", `DROP DATABASE "${opts.as}"`]);
+    if (drop.status !== 0) {
+      throw new Error(`DROP DATABASE failed: ${(drop.stderr || "").trim()}`);
+    }
+  }
+  process.stdout.write(`  Creating empty target DB "${opts.as}" on singleton
+`);
+  const create = singletonDocker(singleton, singletonUser, ["-d", "postgres", "-c", `CREATE DATABASE "${opts.as}"`]);
+  if (create.status !== 0) {
+    throw new Error(`CREATE DATABASE "${opts.as}" failed: ${(create.stderr || "").trim()}`);
+  }
+  let dumpArgs;
+  let dumpEnv = { PATH: process.env["PATH"] || "" };
+  if (opts.sourceContainer) {
+    const srcDb = opts.sourceDb ?? "postgres";
+    const srcUser = opts.sourceUser ?? DEFAULT_SINGLETON_USER;
+    process.stdout.write(`  Source: container ${opts.sourceContainer} DB=${srcDb} user=${srcUser}
+`);
+    dumpArgs = ["exec", opts.sourceContainer, "pg_dump", "-U", srcUser, "-d", srcDb, "--no-owner", "--no-privileges"];
+    dumpEnv = { PATH: process.env["PATH"] || "" };
+  } else if (opts.sourceLocal) {
+    if (!singletonHasDb(singleton, singletonUser, opts.sourceLocal)) {
+      throw new Error(`--source-local "${opts.sourceLocal}" does not exist on singleton`);
+    }
+    process.stdout.write(`  Source: singleton local DB ${opts.sourceLocal}
+`);
+    dumpArgs = ["exec", singleton, "pg_dump", "-U", singletonUser, "-d", opts.sourceLocal, "--no-owner", "--no-privileges"];
+    dumpEnv = { PATH: process.env["PATH"] || "" };
+  } else {
+    process.stdout.write(`  Source: ${opts.sourceUrl.replace(/\/\/[^:]+:[^@]+@/, "//<creds>@")}
+`);
+    dumpArgs = ["exec", "-e", `PGURL=${opts.sourceUrl}`, singleton, "sh", "-c", 'pg_dump --no-owner --no-privileges "$PGURL"'];
+    dumpEnv = { PATH: process.env["PATH"] || "" };
+  }
+  const dumper = spawnAsync2("docker", dumpArgs, { stdio: ["ignore", "pipe", "inherit"], env: dumpEnv });
+  const loader = spawnAsync2(
+    "docker",
+    ["exec", "-i", singleton, "psql", "-U", singletonUser, "-d", opts.as, "-v", "ON_ERROR_STOP=1", "-q"],
+    { stdio: ["pipe", "inherit", "inherit"], env: { PATH: process.env["PATH"] || "" } }
+  );
+  dumper.stdout.pipe(loader.stdin);
+  const [dumpExit, loadExit] = await Promise.all([
+    new Promise((res) => dumper.on("close", (code) => res(code ?? 1))),
+    new Promise((res) => loader.on("close", (code) => res(code ?? 1)))
+  ]);
+  if (dumpExit !== 0) {
+    throw new Error(`pg_dump exited with code ${dumpExit}`);
+  }
+  if (loadExit !== 0) {
+    throw new Error(`psql load exited with code ${loadExit}`);
+  }
+  const size = singletonDocker(singleton, singletonUser, [
+    "-d",
+    "postgres",
+    "-tAc",
+    `SELECT pg_size_pretty(pg_database_size('${opts.as}'))`
+  ]);
+  const sizeStr = (size.stdout || "").trim() || "unknown";
+  printSuccess(`Seed "${opts.as}" baked (${sizeStr})`);
+}
+function handleList3(opts) {
+  const singleton = opts.singletonContainer ?? DEFAULT_SINGLETON_CONTAINER;
+  const singletonUser = opts.singletonUser ?? DEFAULT_SINGLETON_USER;
+  const seeds = singletonListSeeds(singleton, singletonUser);
+  if (opts.json) {
+    process.stdout.write(JSON.stringify(seeds, null, 2) + "\n");
+    return;
+  }
+  if (seeds.length === 0) {
+    process.stdout.write("No seeds found on singleton.\n");
+    return;
+  }
+  printHeader(`${seeds.length} seed(s) on ${singleton}`);
+  const nameWidth = Math.max(...seeds.map((s) => s.name.length), 4);
+  for (const s of seeds) {
+    process.stdout.write(`  ${s.name.padEnd(nameWidth)}  ${s.size}
+`);
+  }
+}
+function handleRemove(name, opts) {
+  assertValidSeedName(name);
+  const singleton = opts.singletonContainer ?? DEFAULT_SINGLETON_CONTAINER;
+  const singletonUser = opts.singletonUser ?? DEFAULT_SINGLETON_USER;
+  if (!singletonHasDb(singleton, singletonUser, name)) {
+    printWarning(`Seed "${name}" does not exist on singleton \u2014 nothing to do`);
+    return;
+  }
+  const clones = singletonListClonesOf(singleton, singletonUser, name);
+  if (clones.length > 0 && !opts.force) {
+    throw new Error(
+      `seed "${name}" has ${clones.length} active world clone(s): ${clones.join(", ")}
+Destroy those worlds first, or re-run with --force to drop anyway (CAUTION: leaves world DBs orphaned).`
+    );
+  }
+  const drop = singletonDocker(singleton, singletonUser, ["-d", "postgres", "-c", `DROP DATABASE "${name}"`]);
+  if (drop.status !== 0) {
+    throw new Error(`DROP DATABASE "${name}" failed: ${(drop.stderr || "").trim()}`);
+  }
+  printSuccess(`Removed seed "${name}"`);
+}
+function handleVerify(name, opts) {
+  assertValidSeedName(name);
+  const singleton = opts.singletonContainer ?? DEFAULT_SINGLETON_CONTAINER;
+  const singletonUser = opts.singletonUser ?? DEFAULT_SINGLETON_USER;
+  if (!singletonHasDb(singleton, singletonUser, name)) {
+    throw new Error(`seed "${name}" does not exist on singleton`);
+  }
+  const heartbeat = singletonDocker(singleton, singletonUser, ["-d", name, "-tAc", "SELECT 1"]);
+  if (heartbeat.status !== 0 || (heartbeat.stdout || "").trim() !== "1") {
+    throw new Error(`heartbeat failed: ${(heartbeat.stderr || "").trim()}`);
+  }
+  const meta = singletonDocker(singleton, singletonUser, [
+    "-d",
+    name,
+    "-tAc",
+    "SELECT pg_size_pretty(pg_database_size(current_database())) || '|' || (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = 'public')"
+  ]);
+  const [size = "?", tableCount = "?"] = (meta.stdout || "").trim().split("|");
+  const clones = singletonListClonesOf(singleton, singletonUser, name);
+  printSuccess(`Seed "${name}" OK`);
+  printInfo("size", size);
+  printInfo("tables", `${tableCount} (public schema)`);
+  printInfo("clones", `${clones.length}${clones.length > 0 ? " (" + clones.join(", ") + ")" : ""}`);
+}
+function registerSeed(program2) {
+  const seed = program2.command("seed").description("Manage postgres seed templates on the olam-postgres singleton");
+  seed.command("bake").description("Bake a source DB into the singleton as a named seed template").requiredOption("--as <name>", "Target seed name (e.g. atlas_common_seed); [a-z][a-z0-9_]*").option("--source-container <name>", "Source: pg_dump inside this docker container").option("--source-url <url>", "Source: pg_dump via postgres:// URL (libpq)").option("--source-local <db>", "Source: pg_dump a DB already on the singleton").option("--source-db <db>", "DB name to dump (when --source-container; default: postgres)").option("--source-user <user>", "Source-side user (when --source-container; default: development)").option("--singleton-container <name>", "Override singleton container name (default: olam-postgres)").option("--singleton-user <user>", "Override singleton user (default: development)").option("--force", "Drop + recreate if the seed already exists").action(async (opts) => {
+    try {
+      await handleBake(opts);
+    } catch (err) {
+      printError(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+  seed.command("list").description("List seed templates on the singleton").option("--json", "Emit machine-parseable JSON").option("--singleton-container <name>", "Override singleton container name (default: olam-postgres)").option("--singleton-user <user>", "Override singleton user (default: development)").action((opts) => {
+    try {
+      handleList3(opts);
+    } catch (err) {
+      printError(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+  seed.command("remove <name>").description("Remove a seed template (refuses by default if any per-world clones exist)").option("--force", "DROP even if active clones exist (clones will be orphaned)").option("--singleton-container <name>", "Override singleton container name (default: olam-postgres)").option("--singleton-user <user>", "Override singleton user (default: development)").action((name, opts) => {
+    try {
+      handleRemove(name, opts);
+    } catch (err) {
+      printError(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+  seed.command("verify <name>").description("Sanity-check a seed (existence, connectivity, size, clone count)").option("--singleton-container <name>", "Override singleton container name (default: olam-postgres)").option("--singleton-user <user>", "Override singleton user (default: development)").action((name, opts) => {
+    try {
+      handleVerify(name, opts);
+    } catch (err) {
+      printError(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+}
+
 // src/pleri-config.ts
 import * as fs50 from "node:fs";
 import * as path55 from "node:path";
@@ -28122,6 +29580,7 @@ registerCrystallize(program, { hidden: !isPleriConfigured() });
 registerPr(program);
 registerWorkspace(program);
 registerHostCp(program);
+registerSeed(program);
 registerLanes(program);
 registerPolicyCheck(program);
 registerWorldspec(program);
@@ -28141,6 +29600,7 @@ registerBegin(program);
 registerStop(program);
 registerWorldUpgrade(program);
 registerMcp(program);
+registerMemory(program);
 registerKg(program);
 registerConfig(program);
 registerRepos(program);