@pleri/olam-cli 0.1.120 → 0.1.126

package/dist/mcp-server.js

@@ -2986,7 +2986,7 @@ var require_compile = __commonJS({
       const schOrFunc = root.refs[ref];
       if (schOrFunc)
         return schOrFunc;
-      let _sch = resolve9.call(this, root, ref);
+      let _sch = resolve10.call(this, root, ref);
       if (_sch === void 0) {
         const schema = (_a = root.localRefs) === null || _a === void 0 ? void 0 : _a[ref];
         const { schemaId } = this.opts;
@@ -3013,7 +3013,7 @@ var require_compile = __commonJS({
     function sameSchemaEnv(s1, s2) {
       return s1.schema === s2.schema && s1.root === s2.root && s1.baseId === s2.baseId;
     }
-    function resolve9(root, ref) {
+    function resolve10(root, ref) {
       let sch;
       while (typeof (sch = this.refs[ref]) == "string")
         ref = sch;
@@ -3588,7 +3588,7 @@ var require_fast_uri = __commonJS({
       }
       return uri;
     }
-    function resolve9(baseURI, relativeURI, options) {
+    function resolve10(baseURI, relativeURI, options) {
       const schemelessOptions = options ? Object.assign({ scheme: "null" }, options) : { scheme: "null" };
       const resolved = resolveComponent(parse3(baseURI, schemelessOptions), parse3(relativeURI, schemelessOptions), schemelessOptions, true);
       schemelessOptions.skipEscape = true;
@@ -3815,7 +3815,7 @@ var require_fast_uri = __commonJS({
     var fastUri = {
       SCHEMES,
       normalize,
-      resolve: resolve9,
+      resolve: resolve10,
       resolveComponent,
       equal,
       serialize,
@@ -12914,12 +12914,12 @@ var StdioServerTransport = class {
     this.onclose?.();
   }
   send(message) {
-    return new Promise((resolve9) => {
+    return new Promise((resolve10) => {
       const json = serializeMessage(message);
       if (this._stdout.write(json)) {
-        resolve9();
+        resolve10();
       } else {
-        this._stdout.once("drain", resolve9);
+        this._stdout.once("drain", resolve10);
       }
     });
   }
@@ -18987,7 +18987,7 @@ var Protocol = class {
           return;
         }
         const pollInterval = task2.pollInterval ?? this._options?.defaultTaskPollInterval ?? 1e3;
-        await new Promise((resolve9) => setTimeout(resolve9, pollInterval));
+        await new Promise((resolve10) => setTimeout(resolve10, pollInterval));
         options?.signal?.throwIfAborted();
       }
     } catch (error2) {
@@ -19004,7 +19004,7 @@ var Protocol = class {
    */
   request(request2, resultSchema, options) {
     const { relatedRequestId, resumptionToken, onresumptiontoken, task, relatedTask } = options ?? {};
-    return new Promise((resolve9, reject2) => {
+    return new Promise((resolve10, reject2) => {
       const earlyReject = (error2) => {
         reject2(error2);
       };
@@ -19082,7 +19082,7 @@ var Protocol = class {
           if (!parseResult.success) {
             reject2(parseResult.error);
           } else {
-            resolve9(parseResult.data);
+            resolve10(parseResult.data);
           }
         } catch (error2) {
           reject2(error2);
@@ -19343,12 +19343,12 @@ var Protocol = class {
       }
     } catch {
     }
-    return new Promise((resolve9, reject2) => {
+    return new Promise((resolve10, reject2) => {
       if (signal.aborted) {
         reject2(new McpError(ErrorCode.InvalidRequest, "Request cancelled"));
         return;
       }
-      const timeoutId = setTimeout(resolve9, interval);
+      const timeoutId = setTimeout(resolve10, interval);
       signal.addEventListener("abort", () => {
         clearTimeout(timeoutId);
         reject2(new McpError(ErrorCode.InvalidRequest, "Request cancelled"));
@@ -20448,7 +20448,7 @@ var McpServer = class {
     let task = createTaskResult.task;
     const pollInterval = task.pollInterval ?? 5e3;
     while (task.status !== "completed" && task.status !== "failed" && task.status !== "cancelled") {
-      await new Promise((resolve9) => setTimeout(resolve9, pollInterval));
+      await new Promise((resolve10) => setTimeout(resolve10, pollInterval));
       const updatedTask = await extra.taskStore.getTask(taskId);
       if (!updatedTask) {
         throw new McpError(ErrorCode.InternalError, `Task ${taskId} not found during polling`);
@@ -21411,7 +21411,7 @@ async function safeText(res) {
   }
 }
 function sleep(ms) {
-  return new Promise((resolve9) => setTimeout(resolve9, ms));
+  return new Promise((resolve10) => setTimeout(resolve10, ms));
 }
 
 // ../core/dist/auth/container.js
@@ -21543,7 +21543,7 @@ function resolveAuthServicePath() {
   return path3.join(pkgsDir, "auth-service");
 }
 function sleep2(ms) {
-  return new Promise((resolve9) => setTimeout(resolve9, ms));
+  return new Promise((resolve10) => setTimeout(resolve10, ms));
 }
 
 // ../core/dist/auth/preflight.js
@@ -21788,6 +21788,7 @@ function rowToMetadata(row) {
   let readinessChain;
   let expectedServices;
   let appPortUrls;
+  let worldDbNames;
   try {
     if (row.readiness_chain)
       readinessChain = JSON.parse(row.readiness_chain);
@@ -21803,6 +21804,11 @@ function rowToMetadata(row) {
       appPortUrls = JSON.parse(row.app_port_urls);
   } catch {
   }
+  try {
+    if (row.world_db_names)
+      worldDbNames = JSON.parse(row.world_db_names);
+  } catch {
+  }
   return {
     id: row.id,
     name: row.name,
@@ -21825,7 +21831,9 @@ function rowToMetadata(row) {
     autoDestroyOnMerge: (row.auto_destroy_on_merge ?? 1) !== 0,
     ...readinessChain !== void 0 ? { readinessChain } : {},
     ...expectedServices !== void 0 ? { expectedServices } : {},
-    ...appPortUrls !== void 0 ? { appPortUrls } : {}
+    ...appPortUrls !== void 0 ? { appPortUrls } : {},
+    ...worldDbNames !== void 0 ? { worldDbNames } : {},
+    ...row.world_role_name ? { worldRoleName: row.world_role_name } : {}
   };
 }
 var SCHEMA_VERSION = "1";
@@ -21871,7 +21879,17 @@ var WorldRegistry = class {
     this.db.pragma("foreign_keys = ON");
     this.db.exec(CREATE_TABLE);
     this.db.exec(CREATE_META);
-    for (const col of ["readiness_chain TEXT", "expected_services TEXT", "app_port_urls TEXT", "tailscale_paths TEXT"]) {
+    for (const col of [
+      "readiness_chain TEXT",
+      "expected_services TEXT",
+      "app_port_urls TEXT",
+      "tailscale_paths TEXT",
+      // olam-hybrid-shared-postgres Phase A task A7. JSON-serialised string for
+      // world_db_names (SQLite has no native array; matches repos column shape).
+      // TEXT[] would fail at DDL time (closes OQ13/OQ22 / FS-03).
+      "world_db_names TEXT",
+      "world_role_name TEXT"
+    ]) {
       try {
         this.db.exec(`ALTER TABLE worlds ADD COLUMN ${col}`);
       } catch {
@@ -21897,8 +21915,9 @@ var WorldRegistry = class {
          (id, name, status, repos, branch, port_offset, workspace_path,
           compute_provider, total_cost_usd, thought_count, created_at, updated_at,
           pr_url, pr_number, pr_repo, pr_created_at, pr_state, pr_merged_at, auto_destroy_on_merge,
-          readiness_chain, expected_services, app_port_urls)
-         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(world.id, world.name, world.status, JSON.stringify(world.repos), world.branch, world.portOffset, world.workspacePath, world.computeProvider, world.totalCostUsd, world.thoughtCount, world.createdAt, world.updatedAt, world.prUrl ?? null, world.prNumber ?? null, world.prRepo ?? null, world.prCreatedAt ?? null, world.prState ?? "none", world.prMergedAt ?? null, world.autoDestroyOnMerge === false ? 0 : 1, world.readinessChain !== void 0 ? JSON.stringify(world.readinessChain) : null, world.expectedServices !== void 0 ? JSON.stringify(world.expectedServices) : null, world.appPortUrls !== void 0 ? JSON.stringify(world.appPortUrls) : null);
+          readiness_chain, expected_services, app_port_urls,
+          world_db_names, world_role_name)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(world.id, world.name, world.status, JSON.stringify(world.repos), world.branch, world.portOffset, world.workspacePath, world.computeProvider, world.totalCostUsd, world.thoughtCount, world.createdAt, world.updatedAt, world.prUrl ?? null, world.prNumber ?? null, world.prRepo ?? null, world.prCreatedAt ?? null, world.prState ?? "none", world.prMergedAt ?? null, world.autoDestroyOnMerge === false ? 0 : 1, world.readinessChain !== void 0 ? JSON.stringify(world.readinessChain) : null, world.expectedServices !== void 0 ? JSON.stringify(world.expectedServices) : null, world.appPortUrls !== void 0 ? JSON.stringify(world.appPortUrls) : null, world.worldDbNames !== void 0 ? JSON.stringify(world.worldDbNames) : null, world.worldRoleName ?? null);
   }
   update(worldId, updates) {
     const setClauses = [];
@@ -21923,9 +21942,12 @@ var WorldRegistry = class {
       autoDestroyOnMerge: "auto_destroy_on_merge",
       readinessChain: "readiness_chain",
       expectedServices: "expected_services",
-      appPortUrls: "app_port_urls"
+      appPortUrls: "app_port_urls",
+      // olam-hybrid-shared-postgres Phase A task A7.
+      worldDbNames: "world_db_names",
+      worldRoleName: "world_role_name"
     };
-    const jsonColumns = /* @__PURE__ */ new Set(["repos", "readinessChain", "expectedServices", "appPortUrls"]);
+    const jsonColumns = /* @__PURE__ */ new Set(["repos", "readinessChain", "expectedServices", "appPortUrls", "worldDbNames"]);
     for (const [key, col] of Object.entries(columnMap)) {
       const val = updates[key];
       if (val !== void 0) {
@@ -22326,7 +22348,7 @@ var runtimeVersionSchema = external_exports.object({
 
 // ../core/dist/world/repo-manifest.js
 import { existsSync as existsSync4, lstatSync, readFileSync as readFileSync3 } from "node:fs";
-import { join as join5 } from "node:path";
+import { join as join5, resolve as resolve3, sep } from "node:path";
 import YAML from "yaml";
 
 // ../core/dist/manifest/version.js
@@ -22354,7 +22376,44 @@ var serviceSchema = external_exports.object({
   // - 'world'  (default): container is per-world (today's behaviour).
   // - 'shared': container is shared across worlds (consumed by later phases).
   // TODO(phase-D): enforce shared-service deduplication in planManifestPipeline.
-  scope: external_exports.enum(["world", "shared"]).optional()
+  scope: external_exports.enum(["world", "shared"]).optional(),
+  // olam-hybrid-shared-postgres Phase A task A8.
+  // Declares which postgres template DB(s) Olam should clone at world
+  // create time. Consumed by `applyPostgresTemplateClone` (task A3 in
+  // manager.ts) which runs `CREATE DATABASE <world-db> TEMPLATE <name>`
+  // per entry. Accepts either a single string (single-DB repo) or an
+  // array (atlas-core → ['atlas_common_seed', 'atlas_merchant_seed'];
+  // atlas-pay → adds 'atlas_pay_seed' per Phase B Decision 17).
+  seed_template: external_exports.union([external_exports.string().min(1), external_exports.array(external_exports.string().min(1)).nonempty()]).optional(),
+  // Optional hash bound to the seed_template content for cross-machine
+  // drift detection. The A1 bake script writes this value via .adb.yaml
+  // post-bake (operator pastes from seed/seed-hash.txt; auto-write CI
+  // tool is a Phase D follow-up per the plan's Out of scope).
+  seed_template_hash: external_exports.string().optional(),
+  // olam-hybrid-shared-postgres Phase A task A5 (closes OQ15 plan-killer).
+  // Per-clone SQL hook: after `CREATE DATABASE <world-db> TEMPLATE <seed>`,
+  // run these statements against the cloned world-DB. Atlas-core uses this
+  // to UPDATE `merchants.identifier` so `Current.merchant` (which resolves
+  // via `Merchant.find_by(identifier: ENV['POSTGRESQL_MERCHANT_DATABASE'])`)
+  // matches the per-world merchant DB name.
+  //
+  // Shape: { <seed_template_name>: [<sql statement>, ...] }
+  // The seed_template_name key selects which cloned DB the statements run
+  // in. Order is preserved within each seed's list.
+  //
+  // Interpolation in statements:
+  //   ${WORLD_ID}                  → world id (e.g. frost-oak-5916)
+  //   ${WORLD_DB:<seed>}           → corresponding world-DB name for that seed
+  //                                  (e.g. ${WORLD_DB:atlas_merchant_seed} →
+  //                                  atlas_merchant_world_frost-oak-5916)
+  //
+  // SECURITY INVARIANT: statements come from the operator's own checked-out
+  // `.olam.yaml` (same trust class as `BootstrapStep.cmd`). They run as the
+  // singleton's `development` superuser today; A4's per-world role lands
+  // later in the seam. Statements are NOT exposed to operator-controlled
+  // env variables — only the two whitelisted placeholders above. No shell
+  // expansion, no DOLLAR-name expansion.
+  post_clone_sql: external_exports.record(external_exports.string().min(1), external_exports.array(external_exports.string().min(1))).optional()
 }).passthrough();
 var deploySchema = external_exports.object({
   tags: external_exports.array(external_exports.string()).optional()
@@ -22409,7 +22468,12 @@ var KNOWN_TOP_LEVEL_KEYS = /* @__PURE__ */ new Set([
   "secrets",
   "bootstrap",
   "start",
-  "deploy"
+  "deploy",
+  // F-7 (olam-hybrid-shared-postgres dogfood finding): native inheritance —
+  // `.olam.yaml` may declare `inherits: .adb.yaml` to deep-merge an adb-shaped
+  // base manifest into itself. Retires the atlas-one `bin/olam-create-wrap.sh`
+  // stopgap. See the inheritance resolver in `loadRepoManifest`.
+  "inherits"
 ]);
 var FORBIDDEN_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
 function refineForbiddenKeys(value, path28, ctx, rejectSource) {
@@ -22453,6 +22517,23 @@ function rejectForbiddenKeys(value, path28, rejectSource) {
 function unknownTopLevelKeys(parsed) {
   return Object.keys(parsed).filter((k) => !KNOWN_TOP_LEVEL_KEYS.has(k));
 }
+function deepMergeManifest(base, overlay) {
+  const out = { ...base };
+  for (const key of Object.keys(overlay)) {
+    if (FORBIDDEN_KEYS.has(key))
+      continue;
+    const overlayValue = overlay[key];
+    if (overlayValue === void 0)
+      continue;
+    const baseValue = base[key];
+    const bothObjects = isPlainObject3(baseValue) && isPlainObject3(overlayValue);
+    out[key] = bothObjects ? deepMergeManifest(baseValue, overlayValue) : overlayValue;
+  }
+  return out;
+}
+function isPlainObject3(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value) && Object.getPrototypeOf(value) === Object.prototype;
+}
 function loadRepoManifest(repoDir) {
   const olamPath = join5(repoDir, ".olam.yaml");
   const adbPath = join5(repoDir, ".adb.yaml");
@@ -22483,7 +22564,37 @@ function loadRepoManifest(repoDir) {
     throw new Error(`[manifest] ${manifestPath2}: expected a YAML mapping at the top level`);
   }
   rejectForbiddenKeys(parsed, manifestPath2, true);
-  const body = RepoManifestSchema.parse(parsed);
+  let mergedParsed = parsed;
+  const inheritsRaw = parsed["inherits"];
+  if (typeof inheritsRaw === "string" && inheritsRaw.length > 0) {
+    if (source !== "olam") {
+      throw new Error(`[manifest] ${manifestPath2}: \`inherits\` only valid in .olam.yaml (found in .adb.yaml \u2014 drop the field)`);
+    }
+    const inheritedAbs = resolve3(repoDir, inheritsRaw);
+    const repoDirAbs = resolve3(repoDir);
+    if (!inheritedAbs.startsWith(repoDirAbs + sep) && inheritedAbs !== repoDirAbs) {
+      throw new Error(`[manifest] ${manifestPath2}: inherits target "${inheritsRaw}" escapes repo dir`);
+    }
+    if (!existsSync4(inheritedAbs)) {
+      throw new Error(`[manifest] ${manifestPath2}: inherits target "${inheritsRaw}" not found`);
+    }
+    const inheritedStat = lstatSync(inheritedAbs);
+    if (inheritedStat.isSymbolicLink()) {
+      throw new Error(`[manifest] ${manifestPath2}: inherits target "${inheritsRaw}" is a symlink (not permitted)`);
+    }
+    const inheritedRaw = readFileSync3(inheritedAbs, "utf-8");
+    const inheritedParsed = YAML.parse(inheritedRaw, { maxAliasCount: 100 });
+    if (inheritedParsed !== null && inheritedParsed !== void 0) {
+      if (typeof inheritedParsed !== "object" || Array.isArray(inheritedParsed)) {
+        throw new Error(`[manifest] ${inheritedAbs}: expected a YAML mapping at the top level`);
+      }
+      rejectForbiddenKeys(inheritedParsed, inheritedAbs, true);
+      const overlay = { ...parsed };
+      delete overlay["inherits"];
+      mergedParsed = deepMergeManifest(inheritedParsed, overlay);
+    }
+  }
+  const body = RepoManifestSchema.parse(mergedParsed);
   if (parsed["version"] === void 0) {
     console.warn(`[manifest] ${manifestPath2}: missing "version: ${MANIFEST_VERSION}" field \u2014 add it to suppress this warning (backward-compat: file still parses)`);
   }
@@ -23012,7 +23123,7 @@ var realDocker = {
   }
 };
 function spawnAsync(cmd, args, opts = {}) {
-  return new Promise((resolve9) => {
+  return new Promise((resolve10) => {
     const child = spawn(cmd, [...args], {
       stdio: ["ignore", "pipe", "pipe"],
       signal: opts.signal
@@ -23026,10 +23137,10 @@ function spawnAsync(cmd, args, opts = {}) {
       stderr += chunk.toString();
     });
     child.on("error", (err) => {
-      resolve9({ exitCode: -1, stdout, stderr: stderr + err.message });
+      resolve10({ exitCode: -1, stdout, stderr: stderr + err.message });
     });
     child.on("close", (code) => {
-      resolve9({ exitCode: code ?? -1, stdout, stderr });
+      resolve10({ exitCode: code ?? -1, stdout, stderr });
     });
   });
 }
@@ -23107,6 +23218,18 @@ function readHostCpToken() {
     return "";
   }
 }
+function readMemorySecret() {
+  const fromEnv = process.env["OLAM_MEMORY_SECRET"];
+  if (fromEnv && fromEnv.length > 0)
+    return fromEnv;
+  const file = path7.join(os5.homedir(), ".olam", "memory-secret");
+  try {
+    return fs5.readFileSync(file, "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+var AGENTMEMORY_HOST_INTERNAL_URL = "http://host.docker.internal:3111";
 function sanitizeContainerName(name) {
   return name.replace(/[^a-zA-Z0-9_.-]/g, "-");
 }
@@ -23236,6 +23359,7 @@ var createWorldContainer = async (docker, worldId, worldName, image, env, resour
   const labels = olamLabels(worldId, worldName);
   const authSecret = readAuthSecret();
   const hostCpToken = readHostCpToken();
+  const memorySecret = readMemorySecret();
   const worldEnv = {
     OLAM_WORLD_ID: worldId,
     OLAM_WORLD_NAME: worldName,
@@ -23252,6 +23376,14 @@ var createWorldContainer = async (docker, worldId, worldName, image, env, resour
     OLAM_HOST_CP_URL: "http://host.docker.internal:19000",
     ...authSecret ? { OLAM_AUTH_SECRET: authSecret } : {},
     ...hostCpToken ? { OLAM_HOST_CP_TOKEN: hostCpToken } : {},
+    // Phase B1 — agent-memory wiring. Both vars are injected together
+    // (or neither): without a secret the URL is useless. The in-world
+    // @agentmemory/mcp shim (Phase B2/B3) reads these env vars to find
+    // the host's REST endpoint.
+    ...memorySecret ? {
+      AGENTMEMORY_URL: AGENTMEMORY_HOST_INTERNAL_URL,
+      AGENTMEMORY_SECRET: memorySecret
+    } : {},
     ...env
   };
   const envList = Object.entries(worldEnv).map(([k, v]) => `${k}=${v}`);
@@ -23362,7 +23494,7 @@ var stopAndRemove = async (container) => {
 
 // ../adapters/dist/docker/exec.js
 import { PassThrough } from "node:stream";
-var demuxStream = (stream) => new Promise((resolve9, reject2) => {
+var demuxStream = (stream) => new Promise((resolve10, reject2) => {
   const stdoutChunks = [];
   const stderrChunks = [];
   const stdout = new PassThrough();
@@ -23376,7 +23508,7 @@ var demuxStream = (stream) => new Promise((resolve9, reject2) => {
     stream.pipe(stdout);
   }
   stream.on("end", () => {
-    resolve9({
+    resolve10({
       stdout: Buffer.concat(stdoutChunks).toString("utf-8"),
       stderr: Buffer.concat(stderrChunks).toString("utf-8")
     });
@@ -23554,6 +23686,19 @@ var DockerProvider = class extends ComputeProvider {
     }
     const mergedEnv = { ...serviceEnv, ...config2.env };
     const container = await createWorldContainer(this.docker, id, name, config2.image, mergedEnv, config2.resources, config2.workspacePath, config2.portOffset, config2.appPorts, config2.cacheArch);
+    for (const networkName3 of config2.extraNetworks ?? []) {
+      try {
+        const network = this.docker.getNetwork(networkName3);
+        await network.connect({ Container: container.id });
+      } catch (err) {
+        const statusCode = err.statusCode;
+        if (statusCode === 404) {
+          throw new Error(`extra network "${networkName3}" not found \u2014 run \`olam bootstrap\` to recreate it`);
+        }
+        if (statusCode !== 403)
+          throw err;
+      }
+    }
     return new DockerWorld(id, name, container, "running");
   }
   // -----------------------------------------------------------------------
@@ -23721,7 +23866,7 @@ var SSHConnectionPool = class {
   // -----------------------------------------------------------------------
   async exec(host, command) {
     const client = await this.getConnection(host);
-    return new Promise((resolve9, reject2) => {
+    return new Promise((resolve10, reject2) => {
       client.exec(command, (err, stream) => {
         if (err) {
           reject2(new Error(`SSH exec failed on ${host}: ${err.message}`));
@@ -23736,7 +23881,7 @@ var SSHConnectionPool = class {
           stderr += data.toString();
         });
         stream.on("close", (code) => {
-          resolve9({
+          resolve10({
             exitCode: code ?? 0,
             stdout: stdout.trimEnd(),
             stderr: stderr.trimEnd()
@@ -23767,10 +23912,10 @@ var SSHConnectionPool = class {
       throw new Error(`No SSH configuration found for host: ${host}`);
     }
     const client = new SSHClient();
-    return new Promise((resolve9, reject2) => {
+    return new Promise((resolve10, reject2) => {
       client.on("ready", () => {
         this.connections.set(host, client);
-        resolve9(client);
+        resolve10(client);
       }).on("error", (err) => {
         this.connections.delete(host);
         reject2(new Error(`SSH connection to ${host} failed: ${err.message}`));
@@ -24750,7 +24895,7 @@ function register6(server, ctx, initError) {
                 }
               } catch {
               }
-              await new Promise((resolve9) => setTimeout(resolve9, POLL_INTERVAL_MS));
+              await new Promise((resolve10) => setTimeout(resolve10, POLL_INTERVAL_MS));
             }
           }
           if (authenticated) {
@@ -26990,15 +27135,15 @@ ${JSON.stringify({ error: reason })}`
       unlinkSync2(udsPath);
     } catch {
     }
-    await new Promise((resolve9, reject2) => {
-      server.listen(udsPath, () => resolve9());
+    await new Promise((resolve10, reject2) => {
+      server.listen(udsPath, () => resolve10());
       server.once("error", reject2);
     });
     chmodSync3(udsPath, 384);
     port = 0;
   } else {
-    await new Promise((resolve9, reject2) => {
-      server.listen(opts.port ?? 0, "127.0.0.1", () => resolve9());
+    await new Promise((resolve10, reject2) => {
+      server.listen(opts.port ?? 0, "127.0.0.1", () => resolve10());
       server.once("error", reject2);
     });
     const addr = server.address();
@@ -27014,10 +27159,10 @@ ${JSON.stringify({ error: reason })}`
     } catch {
     }
     await Promise.race([
-      new Promise((resolve9, reject2) => {
-        server.close((err) => err ? reject2(err) : resolve9());
+      new Promise((resolve10, reject2) => {
+        server.close((err) => err ? reject2(err) : resolve10());
       }),
-      new Promise((resolve9) => setTimeout(resolve9, 5e3))
+      new Promise((resolve10) => setTimeout(resolve10, 5e3))
     ]);
     if (udsPath) {
       try {
@@ -27349,10 +27494,10 @@ async function acquireLaunchSlot() {
     _inFlightLaunches++;
     return releaseLaunchSlot;
   }
-  return new Promise((resolve9) => {
+  return new Promise((resolve10) => {
     _launchQueue.push(() => {
       _inFlightLaunches++;
-      resolve9(releaseLaunchSlot);
+      resolve10(releaseLaunchSlot);
     });
   });
 }
@@ -27368,8 +27513,8 @@ function resolveShootsRoot() {
 }
 function isUnderRoot(absPath, root) {
   if (absPath === root) return true;
-  const sep = root.endsWith("/") ? "" : "/";
-  return absPath.startsWith(root + sep);
+  const sep2 = root.endsWith("/") ? "" : "/";
+  return absPath.startsWith(root + sep2);
 }
 function deriveAllowedPaths(shots) {
   const paths = /* @__PURE__ */ new Set();
@@ -29637,7 +29782,7 @@ function loadConfig(startDir) {
 
 // ../core/dist/world/manager.js
 import * as crypto5 from "node:crypto";
-import { execSync as execSync5 } from "node:child_process";
+import { execSync as execSync5, spawnSync as spawnSync4 } from "node:child_process";
 import * as fs22 from "node:fs";
 import * as os13 from "node:os";
 import * as path25 from "node:path";
@@ -29864,7 +30009,7 @@ import * as path17 from "node:path";
 
 // ../core/dist/kg/storage-paths.js
 import { homedir as homedir10 } from "node:os";
-import { join as join18, resolve as resolve4 } from "node:path";
+import { join as join18, resolve as resolve5 } from "node:path";
 
 // ../core/dist/world/workspace-name.js
 var InvalidWorkspaceNameError = class extends Error {
@@ -29901,7 +30046,7 @@ function assertWithinPrefix(path28, prefix, label) {
 function kgPristinePath(workspace) {
   validateWorkspaceName(workspace);
   const root = kgRoot();
-  const path28 = resolve4(join18(root, workspace));
+  const path28 = resolve5(join18(root, workspace));
   assertWithinPrefix(path28, root, "kgPristinePath");
   return path28;
 }
@@ -32470,6 +32615,8 @@ ${detail}`);
       const hostPort = override !== void 0 ? override : ap.port + 1e4 + portOffset;
       return { repoName: ap.name, internalPort: ap.port, hostPort, url: `http://localhost:${hostPort}` };
     });
+    let worldDbNames = void 0;
+    let worldRoleName = void 0;
     try {
       const worldEnv = {};
       if (opts.task)
@@ -32570,7 +32717,27 @@ ${detail}`);
           }
         }
       }
-      applyPostgresNetworkOverrides(worldEnv, enrichedRepos);
+      applyPostgresNetworkOverrides(worldEnv, enrichedRepos, worldId);
+      const cloneResult = applyPostgresTemplateClone(worldId, enrichedRepos);
+      worldDbNames = cloneResult.worldDbNames.length > 0 ? cloneResult.worldDbNames : void 0;
+      if (worldDbNames !== void 0) {
+        const roleResult = applyPostgresWorldRole(worldId, worldDbNames);
+        worldRoleName = roleResult.worldRoleName;
+        worldEnv["POSTGRESQL_USERNAME"] = roleResult.worldRoleName;
+        worldEnv["POSTGRESQL_PASSWORD"] = roleResult.password;
+        worldEnv["POSTGRESQL_COMMON_USERNAME"] = roleResult.worldRoleName;
+        worldEnv["POSTGRESQL_COMMON_PASSWORD"] = roleResult.password;
+        worldEnv["POSTGRESQL_MERCHANT_USERNAME"] = roleResult.worldRoleName;
+        worldEnv["POSTGRESQL_MERCHANT_PASSWORD"] = roleResult.password;
+      }
+      if (worldDbNames !== void 0 || worldRoleName !== void 0) {
+        this.registry.update(worldId, {
+          ...worldDbNames !== void 0 ? { worldDbNames: [...worldDbNames] } : {},
+          ...worldRoleName !== void 0 ? { worldRoleName } : {}
+        });
+      }
+      const hybridActive = worldDbNames !== void 0;
+      const extraNetworks = hybridActive ? ["olam-shared"] : void 0;
       await this.provider.createWorld({
         id: worldId,
         name: opts.name,
@@ -32580,6 +32747,7 @@ ${detail}`);
         portOffset,
         workspacePath,
         appPorts: appPorts.length > 0 ? appPorts : void 0,
+        ...extraNetworks ? { extraNetworks } : {},
         // Phase 7 A1: per-world cost ceiling sourced from config.cost.
         // Cloudflare provider forwards this to /session/start so the DO
         // can enforce kill-switch on `cost_update` events. Other providers
@@ -32603,7 +32771,16 @@ ${detail}`);
     sm.transition("running");
     this.registry.update(worldId, {
       status: "running",
-      ...appPortUrls.length > 0 ? { appPortUrls } : {}
+      ...appPortUrls.length > 0 ? { appPortUrls } : {},
+      // olam-hybrid-shared-postgres A3: persist the cloned per-world DB
+      // names so olam destroy + olam gc can find them later (A7's
+      // world_db_names TEXT JSON column).
+      ...worldDbNames !== void 0 ? { worldDbNames: [...worldDbNames] } : {},
+      // olam-hybrid-shared-postgres A4: persist the role name so olam destroy
+      // can DROP it after the world's DBs are gone (A7's world_role_name
+      // column). Password is NOT persisted — it lives only in the world
+      // container's env and the in-memory return value.
+      ...worldRoleName !== void 0 ? { worldRoleName } : {}
     });
     const containerName = `olam-${worldId}-devbox`;
     try {
@@ -32903,6 +33080,14 @@ ${opts.task}`;
       cleanupWorldTailscale(worldId, this.registry);
     } catch {
     }
+    const worldDbNames = world.worldDbNames;
+    if (worldDbNames !== void 0 && worldDbNames.length > 0) {
+      dropPostgresWorldDbs(worldId, worldDbNames);
+    }
+    const worldRoleName = world.worldRoleName;
+    if (typeof worldRoleName === "string" && worldRoleName.length > 0) {
+      dropPostgresWorldRole(worldId, worldRoleName);
+    }
     try {
       await this.provider.destroyWorld(worldId);
     } catch {
@@ -33050,16 +33235,268 @@ ${opts.task}`;
     return services;
   }
 };
-function applyPostgresNetworkOverrides(worldEnv, enrichedRepos) {
+function applyPostgresNetworkOverrides(worldEnv, enrichedRepos, worldId) {
   const hasPostgres = enrichedRepos.some((r) => r.manifest?.services?.["postgres"] !== void 0);
   if (!hasPostgres)
     return;
-  worldEnv["POSTGRESQL_HOST"] = "postgres";
+  const hasSeedTemplate = enrichedRepos.some((r) => {
+    const pg = r.manifest?.services?.["postgres"];
+    return pg?.seed_template !== void 0;
+  });
+  const host = hasSeedTemplate ? "olam-postgres" : "postgres";
+  worldEnv["POSTGRESQL_HOST"] = host;
   worldEnv["POSTGRESQL_PORT"] = "5432";
-  if ("POSTGRESQL_COMMON_HOST" in worldEnv)
-    worldEnv["POSTGRESQL_COMMON_HOST"] = "postgres";
-  if ("POSTGRESQL_COMMON_PORT" in worldEnv)
+  if (hasSeedTemplate) {
+    worldEnv["POSTGRESQL_COMMON_HOST"] = host;
     worldEnv["POSTGRESQL_COMMON_PORT"] = "5432";
+    if (worldId !== void 0) {
+      assertSafeWorldId(worldId);
+      const seedTemplates = /* @__PURE__ */ new Set();
+      for (const repo of enrichedRepos) {
+        const pg = repo.manifest?.services?.["postgres"];
+        const raw = pg?.seed_template;
+        if (typeof raw === "string")
+          seedTemplates.add(raw);
+        else if (Array.isArray(raw)) {
+          for (const s of raw)
+            if (typeof s === "string")
+              seedTemplates.add(s);
+        }
+      }
+      for (const seed of seedTemplates) {
+        const match = seed.match(/^atlas_([a-z][a-z0-9_]*?)_seed$/i);
+        if (match && match[1] !== void 0) {
+          const purpose = match[1].toUpperCase();
+          const envKey = `POSTGRESQL_${purpose}_DATABASE`;
+          worldEnv[envKey] = deriveWorldDbName(seed, worldId);
+        }
+      }
+    }
+  } else {
+    if ("POSTGRESQL_COMMON_HOST" in worldEnv)
+      worldEnv["POSTGRESQL_COMMON_HOST"] = "postgres";
+    if ("POSTGRESQL_COMMON_PORT" in worldEnv)
+      worldEnv["POSTGRESQL_COMMON_PORT"] = "5432";
+  }
+}
+function applyPostgresTemplateClone(worldId, enrichedRepos, options = {}) {
+  assertSafeWorldId(worldId);
+  const container = options.singletonContainer ?? "olam-postgres";
+  const user = options.postgresUser ?? "development";
+  const seedTemplates = [];
+  const postCloneSqlBySeed = /* @__PURE__ */ new Map();
+  for (const repo of enrichedRepos) {
+    const pg = repo.manifest?.services?.["postgres"];
+    if (!pg?.seed_template)
+      continue;
+    const list = Array.isArray(pg.seed_template) ? pg.seed_template : [pg.seed_template];
+    for (const t of list) {
+      if (typeof t === "string" && t.length > 0 && !seedTemplates.includes(t)) {
+        seedTemplates.push(t);
+      }
+    }
+    if (pg.post_clone_sql && typeof pg.post_clone_sql === "object") {
+      for (const [seedKey, sqlList] of Object.entries(pg.post_clone_sql)) {
+        if (!Array.isArray(sqlList))
+          continue;
+        const existing = postCloneSqlBySeed.get(seedKey) ?? [];
+        for (const stmt of sqlList) {
+          if (typeof stmt === "string" && stmt.length > 0)
+            existing.push(stmt);
+        }
+        postCloneSqlBySeed.set(seedKey, existing);
+      }
+    }
+  }
+  if (seedTemplates.length === 0) {
+    return { worldDbNames: [] };
+  }
+  const spawn4 = options.spawn ?? spawnSync4;
+  const seedToWorldDb = /* @__PURE__ */ new Map();
+  for (const seed of seedTemplates) {
+    seedToWorldDb.set(seed, deriveWorldDbName(seed, worldId));
+  }
+  const created = [];
+  for (const seed of seedTemplates) {
+    const worldDb = seedToWorldDb.get(seed);
+    const exists = spawn4("docker", [
+      "exec",
+      container,
+      "psql",
+      "-U",
+      user,
+      "-tAc",
+      `SELECT 1 FROM pg_database WHERE datname='${worldDb}'`
+    ], { encoding: "utf-8" });
+    const dbAlreadyExists = exists.status === 0 && (exists.stdout || "").trim() === "1";
+    if (!dbAlreadyExists) {
+      const sql = `CREATE DATABASE "${worldDb}" TEMPLATE "${seed}"`;
+      const create = spawn4("docker", ["exec", container, "psql", "-U", user, "-d", "postgres", "-v", "ON_ERROR_STOP=1", "-c", sql], { encoding: "utf-8" });
+      if (create.status !== 0) {
+        throw new Error(`failed to CREATE DATABASE "${worldDb}" TEMPLATE "${seed}": ${(create.stderr || "").trim()}`);
+      }
+    }
+    created.push(worldDb);
+    const stmts = postCloneSqlBySeed.get(seed);
+    if (stmts !== void 0 && stmts.length > 0) {
+      for (const rawStmt of stmts) {
+        const stmt = interpolatePostCloneSql(rawStmt, worldId, seedToWorldDb);
+        const fixup = spawn4("docker", ["exec", container, "psql", "-U", user, "-d", worldDb, "-v", "ON_ERROR_STOP=1", "-c", stmt], { encoding: "utf-8" });
+        if (fixup.status !== 0) {
+          throw new Error(`post_clone_sql against "${worldDb}" failed (statement: ${truncate(stmt, 120)}): ${(fixup.stderr || "").trim()}`);
+        }
+      }
+    }
+  }
+  return { worldDbNames: created };
+}
+function interpolatePostCloneSql(stmt, worldId, seedToWorldDb) {
+  return stmt.replace(/\$\{([^}]+)\}/g, (_, expr) => {
+    if (expr === "WORLD_ID")
+      return worldId;
+    const dbMatch = expr.match(/^WORLD_DB:(.+)$/);
+    if (dbMatch && dbMatch[1] !== void 0) {
+      const target = seedToWorldDb.get(dbMatch[1]);
+      if (target === void 0) {
+        throw new Error(`post_clone_sql references seed "${dbMatch[1]}" not declared in seed_template`);
+      }
+      return target;
+    }
+    throw new Error(`post_clone_sql contains unknown placeholder "\${${expr}}" \u2014 only \${WORLD_ID} and \${WORLD_DB:<seed>} are supported`);
+  });
+}
+function truncate(s, max) {
+  return s.length <= max ? s : s.slice(0, max - 1) + "\u2026";
+}
+function deriveWorldRoleName(worldId) {
+  return `olam_world_${worldId}`;
+}
+function applyPostgresWorldRole(worldId, worldDbNames, options = {}) {
+  assertSafeWorldId(worldId);
+  if (worldDbNames.length === 0) {
+    throw new Error(`applyPostgresWorldRole called with empty worldDbNames for "${worldId}" \u2014 should only run when applyPostgresTemplateClone produced clones`);
+  }
+  const spawn4 = options.spawn ?? spawnSync4;
+  const container = options.singletonContainer ?? "olam-postgres";
+  const user = options.postgresUser ?? "development";
+  const genPassword = options.generatePassword ?? defaultPasswordGenerator;
+  const worldRoleName = deriveWorldRoleName(worldId);
+  const password = genPassword();
+  const exists = spawn4("docker", [
+    "exec",
+    container,
+    "psql",
+    "-U",
+    user,
+    "-tAc",
+    `SELECT 1 FROM pg_roles WHERE rolname='${escapeSqlLiteral(worldRoleName)}'`
+  ], { encoding: "utf-8" });
+  const roleExists = exists.status === 0 && (exists.stdout || "").trim() === "1";
+  const escapedPassword = escapeSqlLiteral(password);
+  const roleDdl = roleExists ? `ALTER ROLE "${worldRoleName}" WITH LOGIN PASSWORD '${escapedPassword}' NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION` : `CREATE ROLE "${worldRoleName}" WITH LOGIN PASSWORD '${escapedPassword}' NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION`;
+  const dml = spawn4("docker", ["exec", container, "psql", "-U", user, "-d", "postgres", "-v", "ON_ERROR_STOP=1", "-c", roleDdl], { encoding: "utf-8" });
+  if (dml.status !== 0) {
+    throw new Error(`failed to ${roleExists ? "ALTER" : "CREATE"} ROLE "${worldRoleName}": ` + redactCreateRolePassword((dml.stderr || "").trim()));
+  }
+  for (const worldDb of worldDbNames) {
+    const grantConnect = spawn4("docker", [
+      "exec",
+      container,
+      "psql",
+      "-U",
+      user,
+      "-d",
+      "postgres",
+      "-v",
+      "ON_ERROR_STOP=1",
+      "-c",
+      `GRANT CONNECT ON DATABASE "${worldDb}" TO "${worldRoleName}"`
+    ], { encoding: "utf-8" });
+    if (grantConnect.status !== 0) {
+      throw new Error(`failed to GRANT CONNECT on "${worldDb}" to "${worldRoleName}": ${(grantConnect.stderr || "").trim()}`);
+    }
+    const perDbGrants = [
+      `GRANT USAGE ON SCHEMA public TO "${worldRoleName}"`,
+      `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "${worldRoleName}"`,
+      `GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO "${worldRoleName}"`,
+      // DEFAULT PRIVILEGES for future objects — Rails migrations create new
+      // tables/sequences post-spawn and they need to be grantable.
+      `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO "${worldRoleName}"`,
+      `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO "${worldRoleName}"`
+    ].join("; ");
+    const grantResult = spawn4("docker", ["exec", container, "psql", "-U", user, "-d", worldDb, "-v", "ON_ERROR_STOP=1", "-c", perDbGrants], { encoding: "utf-8" });
+    if (grantResult.status !== 0) {
+      throw new Error(`failed to GRANT privileges on "${worldDb}" to "${worldRoleName}": ${(grantResult.stderr || "").trim()}`);
+    }
+  }
+  return { worldRoleName, password };
+}
+function defaultPasswordGenerator() {
+  return crypto5.randomBytes(24).toString("base64url");
+}
+function escapeSqlLiteral(s) {
+  return s.replace(/'/g, "''");
+}
+function redactCreateRolePassword(s) {
+  return s.replace(/PASSWORD\s+'[^']*'/g, "PASSWORD '<scrubbed>'");
+}
+function dropPostgresWorldDbs(worldId, worldDbNames, options = {}) {
+  if (worldDbNames.length === 0)
+    return;
+  assertSafeWorldId(worldId);
+  const spawn4 = options.spawn ?? spawnSync4;
+  const container = options.container ?? "olam-postgres";
+  const user = options.user ?? "development";
+  for (const db of worldDbNames) {
+    const drop = spawn4("docker", [
+      "exec",
+      container,
+      "psql",
+      "-U",
+      user,
+      "-d",
+      "postgres",
+      "-c",
+      `DROP DATABASE IF EXISTS "${db}" WITH (FORCE)`
+    ], { encoding: "utf-8" });
+    if (drop.status !== 0) {
+      console.warn(`[manager] destroyWorld(${worldId}): failed to DROP "${db}" from singleton: ${(drop.stderr || "").trim()}`);
+    }
+  }
+}
+function dropPostgresWorldRole(worldId, worldRoleName, options = {}) {
+  if (!worldRoleName)
+    return;
+  assertSafeWorldId(worldId);
+  const spawn4 = options.spawn ?? spawnSync4;
+  const container = options.container ?? "olam-postgres";
+  const user = options.user ?? "development";
+  const cleanup = spawn4("docker", [
+    "exec",
+    container,
+    "psql",
+    "-U",
+    user,
+    "-d",
+    "postgres",
+    "-c",
+    `DROP OWNED BY "${worldRoleName}" CASCADE; DROP ROLE IF EXISTS "${worldRoleName}"`
+  ], { encoding: "utf-8" });
+  if (cleanup.status !== 0) {
+    console.warn(`[manager] destroyWorld(${worldId}): failed to DROP role "${worldRoleName}" from singleton: ${(cleanup.stderr || "").trim()}`);
+  }
+}
+function assertSafeWorldId(worldId) {
+  if (!/^[a-z0-9]+(-[a-z0-9]+)*$/.test(worldId)) {
+    throw new Error(`world id "${worldId}" contains characters outside [a-z0-9-] \u2014 hybrid-postgres + post_clone_sql interpolation require the name-generator's [a-z0-9-]+ alphabet`);
+  }
+}
+function deriveWorldDbName(seed, worldId) {
+  if (seed.endsWith("_seed")) {
+    const prefix = seed.slice(0, -"_seed".length);
+    return `${prefix}_world_${worldId}`;
+  }
+  return `${seed}_world_${worldId}`;
 }
 
 // ../core/dist/cost/tracker.js
@@ -33985,7 +34422,7 @@ function isCloudflaredAvailable() {
   }
 }
 function startTunnel(port) {
-  return new Promise((resolve9, reject2) => {
+  return new Promise((resolve10, reject2) => {
     const child = spawn3("cloudflared", ["tunnel", "--url", `http://localhost:${port}`], {
       stdio: ["ignore", "pipe", "pipe"],
       detached: false
@@ -34007,7 +34444,7 @@ function startTunnel(port) {
       if (match) {
         resolved = true;
         clearTimeout(timeout);
-        resolve9(match[0]);
+        resolve10(match[0]);
       }
     }
     child.stdout?.on("data", scan);
@@ -34075,8 +34512,8 @@ var DashboardManager = class {
       }
       throw err;
     }
-    await new Promise((resolve9, reject2) => {
-      this.server.on("listening", resolve9);
+    await new Promise((resolve10, reject2) => {
+      this.server.on("listening", resolve10);
       this.server.on("error", reject2);
     });
     this.info = { localUrl: `http://localhost:${port}` };
@@ -34122,8 +34559,8 @@ var DashboardManager = class {
   async stop() {
     stopTunnel();
     if (this.server) {
-      await new Promise((resolve9) => {
-        this.server.close(() => resolve9());
+      await new Promise((resolve10) => {
+        this.server.close(() => resolve10());
       });
       this.server = null;
     }
@@ -34237,7 +34674,7 @@ var PleriClient = class {
 
 // ../mcp-server/src/env-loader.ts
 import { readFileSync as readFileSync17, existsSync as existsSync23, statSync as statSync7 } from "node:fs";
-import { join as join29, dirname as dirname15, resolve as resolve8 } from "node:path";
+import { join as join29, dirname as dirname15, resolve as resolve9 } from "node:path";
 var PROJECT_MARKERS = [
   ".olam/config.yaml",
   ".olam/config.yml",
@@ -34245,8 +34682,8 @@ var PROJECT_MARKERS = [
   "olam.yml"
 ];
 function findProjectRoot2(startDir) {
-  let dir = resolve8(startDir);
-  const root = resolve8("/");
+  let dir = resolve9(startDir);
+  const root = resolve9("/");
   while (true) {
     for (const marker of PROJECT_MARKERS) {
       if (existsSync23(join29(dir, marker))) return dir;