@pleri/olam-cli 0.1.128 → 0.1.131

package/dist/commands/memory/mode.js

@@ -0,0 +1,181 @@
+/**
+ * olam memory mode <local|cloud> — flip the workspace's agent-memory
+ * source between the host-process (Phase A) and a remote agentmemory
+ * deployment (Phase C).
+ *
+ * Reads + rewrites `.olam/config.yaml`'s `memory:` block via the schema
+ * defined in C1. Idempotent: re-running the same mode is a noop.
+ *
+ *   mode local              → memory.mode = "local"; ensures host-process running
+ *   mode cloud [--url ...]  → prompts for URL + bearer secret, writes both to
+ *                              config + ~/.olam/cloud-memory-secret, stops the
+ *                              local host-process. Operator must re-create
+ *                              active worlds for the new env to take effect.
+ *
+ * Plan reference: docs/plans/olam-agent-memory-distributed/phase-c-tasks.md C3
+ */
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import * as readline from 'node:readline/promises';
+import { parse as parseYaml, stringify as stringifyYaml } from 'yaml';
+import { MemorySchema } from '@olam/core/src/config/schema.js';
+import { printError, printSuccess, printInfo, printHeader, printWarning } from '../../output.js';
+import { writeCloudMemorySecret, CLOUD_MEMORY_SECRET_PATH } from '../../lib/memory-secret.js';
+import { runMemoryStart } from './start.js';
+import { runMemoryStop } from './stop.js';
+const CONFIG_REL = '.olam/config.yaml';
+function locateConfig(cwd) {
+    const absPath = join(cwd, CONFIG_REL);
+    if (!existsSync(absPath)) {
+        throw new Error(`No ${CONFIG_REL} at ${cwd}. Run \`olam init\` in your workspace root first.`);
+    }
+    return { absPath };
+}
+function readConfigYaml(absPath) {
+    const raw = readFileSync(absPath, 'utf-8');
+    const parsed = (parseYaml(raw) ?? {});
+    if (typeof parsed !== 'object' || parsed === null) {
+        throw new Error(`${absPath} is not a YAML object`);
+    }
+    return { raw, parsed };
+}
+function writeConfigYaml(absPath, parsed) {
+    // `yaml`'s default stringify is reasonable for round-trip; we don't
+    // preserve every comment edge case but the major shape + keys survive.
+    const out = stringifyYaml(parsed, { aliasDuplicateObjects: false });
+    writeFileSync(absPath, out, 'utf-8');
+}
+async function defaultPromptText(question) {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    try {
+        return (await rl.question(question)).trim();
+    }
+    finally {
+        rl.close();
+    }
+}
+/**
+ * Same shape as defaultPromptText for now — terminals don't natively mask
+ * input via readline. Operators wanting a masked prompt can pipe via stdin
+ * or pass `--secret` (NOT recommended; argv leaks via ps). The choice is
+ * deferred to OQ4: "no Keychain integration in v1; document the limitation"
+ * (design rubric S5).
+ */
+async function defaultPromptSecret(question) {
+    return defaultPromptText(`${question} (will appear on-screen; use stdin to pipe) `);
+}
+export async function runMemoryModeLocal(deps = {}) {
+    const cwd = deps.cwd ?? process.cwd();
+    const cfg = locateConfig(cwd);
+    const { parsed } = readConfigYaml(cfg.absPath);
+    const currentMode = parsed.memory?.mode ?? 'local';
+    if (currentMode === 'local') {
+        printInfo('memory.mode', 'already local — ensuring host-process is up');
+        const rc = (deps.runStart ?? runMemoryStart)();
+        await rc;
+        return { outcome: 'noop', mode: 'local' };
+    }
+    // Flip: drop the cloud block (operator can re-cloud later via mode cloud)
+    parsed.memory = { mode: 'local' };
+    writeConfigYaml(cfg.absPath, parsed);
+    printSuccess(`flipped .olam/config.yaml memory.mode → local`);
+    printInfo('host-process', 'starting');
+    const rc = await (deps.runStart ?? runMemoryStart)();
+    if (rc !== 0) {
+        printWarning('local host-process failed to start. Config flipped but service is down — fix the underlying issue and run `olam memory start`.');
+    }
+    return { outcome: 'flipped-to-local' };
+}
+export async function runMemoryModeCloud(deps = {}) {
+    const cwd = deps.cwd ?? process.cwd();
+    const cfg = locateConfig(cwd);
+    const { parsed } = readConfigYaml(cfg.absPath);
+    const currentMem = (parsed.memory ?? {});
+    const currentMode = currentMem.mode ?? 'local';
+    // Resolve URL: --url flag wins, else interactive prompt.
+    let url = deps.url;
+    if (!url) {
+        const askText = deps.promptText ?? defaultPromptText;
+        url = (await askText('Cloud agentmemory URL (e.g. https://agentmemory.<you>.workers.dev): ')).trim();
+    }
+    if (!url) {
+        throw new Error('cloud URL is required');
+    }
+    // Validate via the C1 schema before writing.
+    const candidate = { mode: 'cloud', cloud: { url } };
+    const parsedMem = MemorySchema.safeParse(candidate);
+    if (!parsedMem.success) {
+        const msg = parsedMem.error.issues.map((i) => i.message).join('; ');
+        throw new Error(`invalid memory.cloud config: ${msg}`);
+    }
+    // Resolve secret: --secret flag wins, else interactive prompt. The
+    // secret is the bearer the operator already configured on the remote
+    // service (Cloudflare wrangler secret or equivalent). We persist it to
+    // ~/.olam/cloud-memory-secret 0600 so B1's env-resolver can inject it
+    // into worlds at spawn (C4 wires the read path).
+    let secret = deps.secret;
+    if (!secret) {
+        const askSecret = deps.promptSecret ?? defaultPromptSecret;
+        secret = await askSecret('Cloud agentmemory bearer secret (64-hex):');
+    }
+    if (!secret) {
+        throw new Error('cloud secret is required');
+    }
+    // Idempotency check: if already cloud-mode with the same URL, just refresh secret.
+    const sameUrl = currentMode === 'cloud' && currentMem.cloud?.url === url;
+    if (sameUrl) {
+        printInfo('memory.mode', `already cloud (url=${url}) — refreshing secret only`);
+        (deps.writeSecret ?? ((v) => writeCloudMemorySecret(v)))(secret);
+        return { outcome: 'noop', mode: 'cloud' };
+    }
+    // Stop local host-process first — fail-soft if it wasn't running.
+    printInfo('host-process', 'stopping (was running for local mode)');
+    await (deps.runStop ?? runMemoryStop)();
+    // Persist the secret BEFORE updating the config so worlds spawned
+    // between the writes see at most a transient "cloud but no secret"
+    // state rather than the inverse (config flipped, secret missing).
+    (deps.writeSecret ?? ((v) => writeCloudMemorySecret(v)))(secret);
+    printSuccess(`wrote cloud bearer secret to ${CLOUD_MEMORY_SECRET_PATH} (0600)`);
+    parsed.memory = {
+        mode: 'cloud',
+        cloud: {
+            url,
+            secret_ref: '~/.olam/cloud-memory-secret',
+        },
+    };
+    writeConfigYaml(cfg.absPath, parsed);
+    printSuccess(`flipped .olam/config.yaml memory.mode → cloud (${url})`);
+    printWarning('Worlds spawned BEFORE this flip still have the old env. Re-create them ' +
+        '(olam destroy + olam create) to pick up the new AGENTMEMORY_URL + secret.');
+    return { outcome: 'flipped-to-cloud', url };
+}
+export function registerMemoryMode(cmd) {
+    const mode = cmd
+        .command('mode <target>')
+        .description('Flip agent-memory source between local (host-process) and cloud (remote agentmemory deployment)')
+        .option('--url <url>', 'Cloud URL (skips the interactive prompt; mode cloud only)')
+        .option('--secret <value>', 'Cloud bearer secret (skips interactive prompt; argv-visible — prefer stdin)');
+    mode.action(async (target, opts) => {
+        printHeader(`olam memory mode ${target}`);
+        try {
+            if (target === 'local') {
+                await runMemoryModeLocal();
+            }
+            else if (target === 'cloud') {
+                await runMemoryModeCloud({
+                    ...(opts.url !== undefined ? { url: opts.url } : {}),
+                    ...(opts.secret !== undefined ? { secret: opts.secret } : {}),
+                });
+            }
+            else {
+                printError(`mode must be 'local' or 'cloud' (got: ${target})`);
+                process.exitCode = 1;
+            }
+        }
+        catch (err) {
+            printError(err instanceof Error ? err.message : String(err));
+            process.exitCode = 1;
+        }
+    });
+}
+//# sourceMappingURL=mode.js.map

package/dist/commands/memory/mode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mode.js","sourceRoot":"","sources":["../../../src/commands/memory/mode.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,KAAK,QAAQ,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAC/D,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AACjG,OAAO,EAAE,sBAAsB,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAC9F,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAE1C,MAAM,UAAU,GAAG,mBAAmB,CAAC;AAwBvC,SAAS,YAAY,CAAC,GAAW;IAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACtC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,MAAM,UAAU,OAAO,GAAG,mDAAmD,CAC9E,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC;AAED,SAAS,cAAc,CAAC,OAAe;IACrC,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,CAA4B,CAAC;IACjE,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,uBAAuB,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AACzB,CAAC;AAED,SAAS,eAAe,CAAC,OAAe,EAAE,MAAe;IACvD,oEAAoE;IACpE,uEAAuE;IACvE,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,EAAE,EAAE,qBAAqB,EAAE,KAAK,EAAE,CAAC,CAAC;IACpE,aAAa,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,QAAgB;IAC/C,MAAM,EAAE,GAAG,QAAQ,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACtF,IAAI,CAAC;QACH,OAAO,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9C,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,mBAAmB,CAAC,QAAgB;IACjD,OAAO,iBAAiB,CAAC,GAAG,QAAQ,8CAA8C,CAAC,CAAC;AACtF,CAAC;AAOD,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,OAAiB,EAAE;IAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAC9B,MAAM,EAAE,MAAM,EAAE,GAAG,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAE/C,MAAM,WAAW,GAAI,MAAM,CAAC,MAAwC,EAAE,IAAI,IAAI,OAAO,CAAC;IACtF,IAAI,WAAW,KAAK,OAAO,EAAE,CAAC;QAC5B,SAAS,CAAC,aAAa,EAAE,6CAA6C,CAAC,CAAC;QACxE,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,cAAc,CAAC,EAAE,CAAC;QAC/C,MAAM,EAAE,CAAC;QACT,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC5C,CAAC;IAED,0EAA0E;IAC1E,MAAM,CAAC,MAAM,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAClC,eAAe,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACrC,YAAY,CAAC,+CAA+C,CAAC,CAAC;IAE9D,SAAS,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,IAAI,cAAc,CAAC,EAAE,CAAC;IACrD,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;QACb,YAAY,CACV,gIAAgI,CACjI,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAAC;AACzC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,OAAiB,EAAE;IAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAC9B,MAAM,EAAE,MAAM,EAAE,GAAG,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAE/C,MAAM,UAAU,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAgD,CAAC;IACxF,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,IAAI,OAAO,CAAC;IAE/C,yDAAyD;IACzD,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IACnB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,IAAI,iBAAiB,CAAC;QACrD,GAAG,GAAG,CACJ,MAAM,OAAO,CAAC,sEAAsE,CAAC,CACtF,CAAC,IAAI,EAAE,CAAC;IACX,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,6CAA6C;IAC7C,MAAM,SAAS,GAAG,EAAE,IAAI,EAAE,OAAgB,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC;IAC7D,MAAM,SAAS,GAAG,YAAY,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACpD,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,mEAAmE;IACnE,qEAAqE;IACrE,uEAAuE;IACvE,sEAAsE;IACtE,iDAAiD;IACjD,IAAI,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IACzB,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,IAAI,mBAAmB,CAAC;QAC3D,MAAM,GAAG,MAAM,SAAS,CAAC,2CAA2C,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,mFAAmF;IACnF,MAAM,OAAO,GAAG,WAAW,KAAK,OAAO,IAAI,UAAU,CAAC,KAAK,EAAE,GAAG,KAAK,GAAG,CAAC;IACzE,IAAI,OAAO,EAAE,CAAC;QACZ,SAAS,CAAC,aAAa,EAAE,sBAAsB,GAAG,4BAA4B,CAAC,CAAC;QAChF,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QACzE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC5C,CAAC;IAED,kEAAkE;IAClE,SAAS,CAAC,cAAc,EAAE,uCAAuC,CAAC,CAAC;IACnE,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,aAAa,CAAC,EAAE,CAAC;IAExC,kEAAkE;IAClE,mEAAmE;IACnE,kEAAkE;IAClE,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACzE,YAAY,CAAC,gCAAgC,wBAAwB,SAAS,CAAC,CAAC;IAEhF,MAAM,CAAC,MAAM,GAAG;QACd,IAAI,EAAE,OAAO;QACb,KAAK,EAAE;YACL,GAAG;YACH,UAAU,EAAE,6BAA6B;SAC1C;KACF,CAAC;IACF,eAAe,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACrC,YAAY,CAAC,kDAAkD,GAAG,GAAG,CAAC,CAAC;IAEvE,YAAY,CACV,yEAAyE;QACvE,2EAA2E,CAC9E,CAAC;IACF,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,GAAY;IAC7C,MAAM,IAAI,GAAG,GAAG;SACb,OAAO,CAAC,eAAe,CAAC;SACxB,WAAW,CACV,iGAAiG,CAClG;SACA,MAAM,CAAC,aAAa,EAAE,2DAA2D,CAAC;SAClF,MAAM,CACL,kBAAkB,EAClB,6EAA6E,CAC9E,CAAC;IAEJ,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,MAAc,EAAE,IAAuC,EAAE,EAAE;QAC5E,WAAW,CAAC,oBAAoB,MAAM,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC;YACH,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,MAAM,kBAAkB,EAAE,CAAC;YAC7B,CAAC;iBAAM,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBAC9B,MAAM,kBAAkB,CAAC;oBACvB,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACpD,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC9D,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,yCAAyC,MAAM,GAAG,CAAC,CAAC;gBAC/D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,UAAU,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC7D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/commands/rekey.d.ts

@@ -0,0 +1,84 @@
+/**
+ * `olam rekey <world-id>` — rotate the per-world postgres password.
+ *
+ * Phase A9 of `olam-hybrid-shared-postgres`. Phase A4 (commit 7b4334ff)
+ * landed `applyPostgresWorldRole` which already supports rotation via
+ * `ALTER ROLE` when the role exists. A9 exposes that rotation as a
+ * standalone operator-facing command, useful when:
+ *
+ *   - The operator wants to force-rotate credentials (suspected leak).
+ *   - A world container lost its env-injected password (e.g. crashed
+ *     before the app read it).
+ *   - A future tmpfs cred-mount flow needs a re-inject path.
+ *
+ * Flow:
+ *   1. Load context + WorldManager.getWorld(worldId).
+ *   2. Hybrid + DB gates (exit 3 if non-hybrid or no per-world DBs).
+ *   3. `applyPostgresWorldRole(id, worldDbNames)` → ALTER ROLE rotates
+ *      the password atomically. The old password is gone.
+ *   4. Write new password to `~/.olam/worlds/<id>/credentials.json`
+ *      (chmod 600).
+ *   5. `docker restart olam-<id>-devbox` so the container picks up the
+ *      new password from env on next process start.
+ *   6. Audit-log line to `~/.olam/usage.log` (SEC-002): timestamp +
+ *      world-id + "rekey" — NEVER the password.
+ *
+ * Exit codes:
+ *   0  success
+ *   1  unexpected error
+ *   2  world not found
+ *   3  precondition failed (non-hybrid, no DBs, etc.)
+ */
+import type { Command } from 'commander';
+import { type PostgresWorldRoleResult } from '@olam/core/src/world/manager.js';
+import type { WorldMetadata } from '@olam/core/src/world/types.js';
+export interface RekeyOptions {
+    readonly print?: boolean;
+    readonly json?: boolean;
+}
+export interface RekeyResult {
+    readonly worldId: string;
+    readonly worldRoleName: string;
+    readonly password: string;
+    readonly credentialsPath: string;
+    readonly rotatedAt: string;
+    readonly containerRestarted: boolean;
+}
+/**
+ * Minimal dependency surface used by {@link doRekey}. Pure-function
+ * injection lets tests run without docker, without disk writes outside
+ * the test's tmp dir, and without mocking modules.
+ */
+export interface RekeyDeps {
+    readonly getWorld: (id: string) => WorldMetadata | undefined;
+    readonly applyPostgresWorldRole: (worldId: string, worldDbNames: ReadonlyArray<string>) => PostgresWorldRoleResult;
+    readonly restartContainer: (containerName: string) => {
+        ok: boolean;
+        stderr: string;
+    };
+    /** Override for tests. Default: real fs + ~/.olam. */
+    readonly olamHomeDir: () => string;
+    readonly now: () => Date;
+    /** Stream for human-readable lines (overridable for tests). */
+    readonly stdout: {
+        write(s: string): void;
+    };
+    /** Audit-log appender; default writes to `${olamHomeDir()}/usage.log`. */
+    readonly appendAuditLog: (line: string) => void;
+}
+/** Domain-specific error carrying the documented exit code. */
+export declare class RekeyError extends Error {
+    readonly exitCode: number;
+    constructor(message: string, exitCode: number);
+}
+/**
+ * Core rekey logic. Returns the rotation result on success, throws
+ * {@link RekeyError} with the documented exit code on failure.
+ *
+ * The password is held in this function's local binding and the
+ * returned object only; it is written to disk with mode 0o600 and
+ * NEVER logged or written to the audit trail (SEC-002).
+ */
+export declare function doRekey(worldId: string, deps: RekeyDeps): Promise<RekeyResult>;
+export declare function registerRekey(program: Command): void;
+//# sourceMappingURL=rekey.d.ts.map

package/dist/commands/rekey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rekey.d.ts","sourceRoot":"","sources":["../../src/commands/rekey.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAEL,KAAK,uBAAuB,EAC7B,MAAM,iCAAiC,CAAC;AACzC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AAcnE,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;IACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAC;CACtC;AAED;;;;GAIG;AACH,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,QAAQ,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,aAAa,GAAG,SAAS,CAAC;IAC7D,QAAQ,CAAC,sBAAsB,EAAE,CAC/B,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,aAAa,CAAC,MAAM,CAAC,KAChC,uBAAuB,CAAC;IAC7B,QAAQ,CAAC,gBAAgB,EAAE,CAAC,aAAa,EAAE,MAAM,KAAK;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACtF,sDAAsD;IACtD,QAAQ,CAAC,WAAW,EAAE,MAAM,MAAM,CAAC;IACnC,QAAQ,CAAC,GAAG,EAAE,MAAM,IAAI,CAAC;IACzB,+DAA+D;IAC/D,QAAQ,CAAC,MAAM,EAAE;QAAE,KAAK,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IAC5C,0EAA0E;IAC1E,QAAQ,CAAC,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;CACjD;AAsCD,+DAA+D;AAC/D,qBAAa,UAAW,SAAQ,KAAK;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;gBACd,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM;CAK9C;AAED;;;;;;;GAOG;AACH,wBAAsB,OAAO,CAC3B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,SAAS,GACd,OAAO,CAAC,WAAW,CAAC,CA0EtB;AAuBD,wBAAgB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAqCpD"}

package/dist/commands/rekey.js

@@ -0,0 +1,209 @@
+/**
+ * `olam rekey <world-id>` — rotate the per-world postgres password.
+ *
+ * Phase A9 of `olam-hybrid-shared-postgres`. Phase A4 (commit 7b4334ff)
+ * landed `applyPostgresWorldRole` which already supports rotation via
+ * `ALTER ROLE` when the role exists. A9 exposes that rotation as a
+ * standalone operator-facing command, useful when:
+ *
+ *   - The operator wants to force-rotate credentials (suspected leak).
+ *   - A world container lost its env-injected password (e.g. crashed
+ *     before the app read it).
+ *   - A future tmpfs cred-mount flow needs a re-inject path.
+ *
+ * Flow:
+ *   1. Load context + WorldManager.getWorld(worldId).
+ *   2. Hybrid + DB gates (exit 3 if non-hybrid or no per-world DBs).
+ *   3. `applyPostgresWorldRole(id, worldDbNames)` → ALTER ROLE rotates
+ *      the password atomically. The old password is gone.
+ *   4. Write new password to `~/.olam/worlds/<id>/credentials.json`
+ *      (chmod 600).
+ *   5. `docker restart olam-<id>-devbox` so the container picks up the
+ *      new password from env on next process start.
+ *   6. Audit-log line to `~/.olam/usage.log` (SEC-002): timestamp +
+ *      world-id + "rekey" — NEVER the password.
+ *
+ * Exit codes:
+ *   0  success
+ *   1  unexpected error
+ *   2  world not found
+ *   3  precondition failed (non-hybrid, no DBs, etc.)
+ */
+import { spawnSync as defaultSpawnSync } from 'node:child_process';
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { applyPostgresWorldRole as defaultApplyPostgresWorldRole, } from '@olam/core/src/world/manager.js';
+import { loadContext } from '../context.js';
+import { printError, printSuccess, printInfo, printHeader } from '../output.js';
+/** Container name convention — mirrors enter.ts:286, refresh.ts:90, ps.ts:157. */
+function devboxContainerName(worldId) {
+    return `olam-${worldId}-devbox`;
+}
+/** Resolve `~/.olam` honoring OLAM_HOME (mirrors host-cp.ts:55). */
+function olamHomeDir() {
+    return process.env['OLAM_HOME'] ?? path.join(os.homedir(), '.olam');
+}
+function defaultRestartContainer(name, spawn = defaultSpawnSync) {
+    // 30s graceful-stop window matches refresh.ts:41 (RESTART_TIMEOUT_S).
+    const r = spawn('docker', ['restart', '--time', '30', name], {
+        encoding: 'utf-8',
+        stdio: ['ignore', 'pipe', 'pipe'],
+    });
+    return {
+        ok: r.status === 0 && r.error === undefined,
+        stderr: (r.stderr || '').trim() || (r.stdout || '').trim(),
+    };
+}
+function defaultAppendAuditLog(homeDir, line) {
+    fs.mkdirSync(homeDir, { recursive: true });
+    fs.appendFileSync(path.join(homeDir, 'usage.log'), line.endsWith('\n') ? line : line + '\n', {
+        encoding: 'utf-8',
+    });
+}
+function buildDefaultDeps() {
+    return {
+        // Replaced inside `registerRekey` once the context is loaded; the
+        // default here keeps the type contract self-consistent.
+        getWorld: () => undefined,
+        applyPostgresWorldRole: (id, dbs) => defaultApplyPostgresWorldRole(id, dbs),
+        restartContainer: (name) => defaultRestartContainer(name),
+        olamHomeDir,
+        now: () => new Date(),
+        stdout: { write: (s) => process.stdout.write(s) },
+        appendAuditLog: (line) => defaultAppendAuditLog(olamHomeDir(), line),
+    };
+}
+/** Domain-specific error carrying the documented exit code. */
+export class RekeyError extends Error {
+    exitCode;
+    constructor(message, exitCode) {
+        super(message);
+        this.name = 'RekeyError';
+        this.exitCode = exitCode;
+    }
+}
+/**
+ * Core rekey logic. Returns the rotation result on success, throws
+ * {@link RekeyError} with the documented exit code on failure.
+ *
+ * The password is held in this function's local binding and the
+ * returned object only; it is written to disk with mode 0o600 and
+ * NEVER logged or written to the audit trail (SEC-002).
+ */
+export async function doRekey(worldId, deps) {
+    const world = deps.getWorld(worldId);
+    if (!world) {
+        throw new RekeyError(`world not found: ${worldId}`, 2);
+    }
+    if (world.worldRoleName === undefined) {
+        throw new RekeyError(`world ${worldId} is not hybrid-mode (no per-world role). ` +
+            '`olam rekey` only applies to hybrid-mode worlds; use the bridge ' +
+            "postgres's `development` user.", 3);
+    }
+    if (world.worldDbNames === undefined || world.worldDbNames.length === 0) {
+        throw new RekeyError('world has no per-world DBs to rotate role on', 3);
+    }
+    // 1. Rotate. ALTER ROLE inside applyPostgresWorldRole is idempotent —
+    //    the same function handles both initial create and rotation.
+    const { worldRoleName, password } = deps.applyPostgresWorldRole(worldId, world.worldDbNames);
+    // 2. Persist credentials BEFORE restart so the container always has a
+    //    valid file to consult if env-injection ever moves to file-mount.
+    const rotatedAt = deps.now().toISOString();
+    const homeDir = deps.olamHomeDir();
+    const worldDir = path.join(homeDir, 'worlds', worldId);
+    fs.mkdirSync(worldDir, { recursive: true });
+    const credentialsPath = path.join(worldDir, 'credentials.json');
+    const payload = {
+        worldRoleName,
+        password,
+        rotatedAt,
+    };
+    // chmod 600 — owner read/write only. Order matters: create empty file
+    // first, fchmod, THEN write. `writeFileSync({ mode })` only applies on
+    // initial create, so re-rotations on an existing file keep the old
+    // mode if we skip the explicit chmod.
+    fs.writeFileSync(credentialsPath, JSON.stringify(payload, null, 2) + '\n', {
+        encoding: 'utf-8',
+        mode: 0o600,
+    });
+    fs.chmodSync(credentialsPath, 0o600);
+    // 3. Restart the world devbox container so the (env-injected)
+    //    password reload happens. Failure here is reported but the
+    //    rotation itself is already durable in postgres.
+    const restart = deps.restartContainer(devboxContainerName(worldId));
+    // Container restart is best-effort; rotation already landed in pg.
+    // 4. Audit-log line — NO password. SEC-002 closure.
+    deps.appendAuditLog(`${rotatedAt} ${worldId} rekey`);
+    if (!restart.ok) {
+        // Surface the restart failure in stderr; caller can re-run
+        // `docker restart olam-<id>-devbox` manually. Exit code stays 0
+        // because the credential rotation succeeded.
+        process.stderr.write(`warn: docker restart ${devboxContainerName(worldId)} failed (` +
+            `${restart.stderr || 'unknown'}). Run it manually to pick up the new ` +
+            'password.\n');
+    }
+    return {
+        worldId,
+        worldRoleName,
+        password,
+        credentialsPath,
+        rotatedAt,
+        containerRestarted: restart.ok,
+    };
+}
+function emitJson(stdout, result) {
+    stdout.write(JSON.stringify(result, null, 2) + '\n');
+}
+function emitHuman(result, opts) {
+    printHeader(`Rotated credentials for ${result.worldId}`);
+    printInfo('role', result.worldRoleName);
+    printInfo('credentials', result.credentialsPath);
+    printInfo('rotated', result.rotatedAt);
+    printInfo('container', result.containerRestarted ? 'restarted' : 'restart failed (see stderr)');
+    if (opts.print) {
+        // Plain stdout (no `printInfo` decorator) so the password can be
+        // piped: `olam rekey <id> --print | tail -n1`.
+        process.stdout.write(result.password + '\n');
+    }
+    printSuccess(`Run \`olam enter ${result.worldId}\` to verify the new password works`);
+}
+export function registerRekey(program) {
+    program
+        .command('rekey')
+        .description('Rotate the per-world postgres password for a hybrid-mode world')
+        .argument('<world-id>', 'World ID (e.g. iron-bay-3122)')
+        .option('--print', 'Also print the new password to stdout (default: write to file only)')
+        .option('--json', 'Emit the rotation result as JSON')
+        .action(async (worldId, opts) => {
+        const { ctx, error } = await loadContext();
+        if (!ctx) {
+            printError(error?.message ?? 'Olam is not configured. Run `olam init` first.');
+            process.exitCode = 1;
+            return;
+        }
+        const deps = {
+            ...buildDefaultDeps(),
+            getWorld: (id) => ctx.worldManager.getWorld(id),
+        };
+        try {
+            const result = await doRekey(worldId, deps);
+            if (opts.json) {
+                emitJson(deps.stdout, result);
+            }
+            else {
+                emitHuman(result, opts);
+            }
+        }
+        catch (err) {
+            if (err instanceof RekeyError) {
+                printError(err.message);
+                process.exitCode = err.exitCode;
+                return;
+            }
+            printError(err instanceof Error ? err.message : String(err));
+            process.exitCode = 1;
+        }
+    });
+}
+//# sourceMappingURL=rekey.js.map

package/dist/commands/rekey.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rekey.js","sourceRoot":"","sources":["../../src/commands/rekey.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,EAAE,SAAS,IAAI,gBAAgB,EAAyB,MAAM,oBAAoB,CAAC;AAC1F,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EACL,sBAAsB,IAAI,6BAA6B,GAExD,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAEhF,kFAAkF;AAClF,SAAS,mBAAmB,CAAC,OAAe;IAC1C,OAAO,QAAQ,OAAO,SAAS,CAAC;AAClC,CAAC;AAED,oEAAoE;AACpE,SAAS,WAAW;IAClB,OAAO,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;AACtE,CAAC;AAqCD,SAAS,uBAAuB,CAC9B,IAAY,EACZ,QAAiC,gBAAgB;IAEjD,sEAAsE;IACtE,MAAM,CAAC,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;QAC3D,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;KAClC,CAA6B,CAAC;IAC/B,OAAO;QACL,EAAE,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,KAAK,SAAS;QAC3C,MAAM,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE;KAC3D,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,OAAe,EAAE,IAAY;IAC1D,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3C,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG,IAAI,EAAE;QAC3F,QAAQ,EAAE,OAAO;KAClB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,gBAAgB;IACvB,OAAO;QACL,kEAAkE;QAClE,wDAAwD;QACxD,QAAQ,EAAE,GAAG,EAAE,CAAC,SAAS;QACzB,sBAAsB,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,6BAA6B,CAAC,EAAE,EAAE,GAAG,CAAC;QAC3E,gBAAgB,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,uBAAuB,CAAC,IAAI,CAAC;QACzD,WAAW;QACX,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE;QACrB,MAAM,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;QACjD,cAAc,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,qBAAqB,CAAC,WAAW,EAAE,EAAE,IAAI,CAAC;KACrE,CAAC;AACJ,CAAC;AAED,+DAA+D;AAC/D,MAAM,OAAO,UAAW,SAAQ,KAAK;IAC1B,QAAQ,CAAS;IAC1B,YAAY,OAAe,EAAE,QAAgB;QAC3C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,YAAY,CAAC;QACzB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;CACF;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,OAAe,EACf,IAAe;IAEf,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACrC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,UAAU,CAAC,oBAAoB,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,KAAK,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QACtC,MAAM,IAAI,UAAU,CAClB,SAAS,OAAO,2CAA2C;YACzD,kEAAkE;YAClE,gCAAgC,EAClC,CAAC,CACF,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS,IAAI,KAAK,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxE,MAAM,IAAI,UAAU,CAAC,8CAA8C,EAAE,CAAC,CAAC,CAAC;IAC1E,CAAC;IAED,sEAAsE;IACtE,iEAAiE;IACjE,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,sBAAsB,CAC7D,OAAO,EACP,KAAK,CAAC,YAAY,CACnB,CAAC;IAEF,sEAAsE;IACtE,sEAAsE;IACtE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IACvD,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5C,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG;QACd,aAAa;QACb,QAAQ;QACR,SAAS;KACV,CAAC;IACF,sEAAsE;IACtE,uEAAuE;IACvE,mEAAmE;IACnE,sCAAsC;IACtC,EAAE,CAAC,aAAa,CAAC,eAAe,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE;QACzE,QAAQ,EAAE,OAAO;QACjB,IAAI,EAAE,KAAK;KACZ,CAAC,CAAC;IACH,EAAE,CAAC,SAAS,CAAC,eAAe,EAAE,KAAK,CAAC,CAAC;IAErC,8DAA8D;IAC9D,+DAA+D;IAC/D,qDAAqD;IACrD,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC,CAAC;IACpE,mEAAmE;IAEnE,oDAAoD;IACpD,IAAI,CAAC,cAAc,CAAC,GAAG,SAAS,IAAI,OAAO,QAAQ,CAAC,CAAC;IAErD,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QAChB,2DAA2D;QAC3D,gEAAgE;QAChE,6CAA6C;QAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,wBAAwB,mBAAmB,CAAC,OAAO,CAAC,WAAW;YAC7D,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,wCAAwC;YACtE,aAAa,CAChB,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO;QACP,aAAa;QACb,QAAQ;QACR,eAAe;QACf,SAAS;QACT,kBAAkB,EAAE,OAAO,CAAC,EAAE;KAC/B,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,MAAkC,EAAE,MAAmB;IACvE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,SAAS,CAChB,MAAmB,EACnB,IAAkB;IAElB,WAAW,CAAC,2BAA2B,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IACzD,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IACxC,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC;IACjD,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IACvC,SAAS,CAAC,WAAW,EAAE,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC;IAChG,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,iEAAiE;QACjE,+CAA+C;QAC/C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAC/C,CAAC;IACD,YAAY,CAAC,oBAAoB,MAAM,CAAC,OAAO,qCAAqC,CAAC,CAAC;AACxF,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,OAAgB;IAC5C,OAAO;SACJ,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,gEAAgE,CAAC;SAC7E,QAAQ,CAAC,YAAY,EAAE,+BAA+B,CAAC;SACvD,MAAM,CAAC,SAAS,EAAE,qEAAqE,CAAC;SACxF,MAAM,CAAC,QAAQ,EAAE,kCAAkC,CAAC;SACpD,MAAM,CAAC,KAAK,EAAE,OAAe,EAAE,IAAkB,EAAE,EAAE;QACpD,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC;QAC3C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,UAAU,CAAC,KAAK,EAAE,OAAO,IAAI,gDAAgD,CAAC,CAAC;YAC/E,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAc;YACtB,GAAG,gBAAgB,EAAE;YACrB,QAAQ,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;SAChD,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;YAC5C,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBACd,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAChC,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,UAAU,EAAE,CAAC;gBAC9B,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACxB,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;gBAChC,OAAO;YACT,CAAC;YACD,UAAU,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC7D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/services.d.ts

@@ -2,9 +2,9 @@
  * `olam services` — umbrella verb for managing Olam service containers.
  *
  * Subcommands:
- *   olam services up     — start olam-auth + olam-mcp-auth (idempotent)
- *   olam services down   — stop both containers
- *   olam services status — show state of both containers
+ *   olam services up     — start olam-auth + olam-mcp-auth + olam-kg-service (idempotent)
+ *   olam services down   — stop all service containers
+ *   olam services status — show state of all service containers
  *
  * `olam auth up/down/status` delegates here with a deprecation warning.
  */
@@ -27,11 +27,11 @@ export declare class McpAuthContainerController {
 export declare function servicesUp(): Promise<{
     exitCode: number;
 }>;
-/** Stop both auth containers. */
+/** Stop all service containers. */
 export declare function servicesDown(): {
     exitCode: number;
 };
-/** Show container state for both services. */
+/** Show container state for all services. */
 export declare function servicesStatus(): void;
 export declare function registerServices(program: Command): void;
 export {};

package/dist/commands/services.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"services.d.ts","sourceRoot":"","sources":["../../src/commands/services.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA2BzC,KAAK,cAAc,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;AAExD,UAAU,eAAe;IACvB,QAAQ,CAAC,KAAK,EAAE,cAAc,CAAC;IAC/B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,qBAAa,0BAA0B;IACrC,OAAO,CAAC,QAAQ,CAA8B;IAE9C,MAAM,IAAI,eAAe;IAiBzB,OAAO,CAAC,WAAW;IAInB,KAAK,IAAI,IAAI;IAgCb,IAAI,IAAI,IAAI;IAMZ,MAAM,IAAI,IAAI;IAIR,YAAY,CAAC,SAAS,SAA6B,GAAG,OAAO,CAAC,OAAO,CAAC;CAa7E;AAgCD,wBAAsB,UAAU,IAAI,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAgDhE;AAED,iCAAiC;AACjC,wBAAgB,YAAY,IAAI;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAsBnD;AAED,8CAA8C;AAC9C,wBAAgB,cAAc,IAAI,IAAI,CAuBrC;AAID,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA2BvD"}
+{"version":3,"file":"services.d.ts","sourceRoot":"","sources":["../../src/commands/services.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAgCzC,KAAK,cAAc,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;AAExD,UAAU,eAAe;IACvB,QAAQ,CAAC,KAAK,EAAE,cAAc,CAAC;IAC/B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,qBAAa,0BAA0B;IACrC,OAAO,CAAC,QAAQ,CAA8B;IAE9C,MAAM,IAAI,eAAe;IAiBzB,OAAO,CAAC,WAAW;IAInB,KAAK,IAAI,IAAI;IAgCb,IAAI,IAAI,IAAI;IAMZ,MAAM,IAAI,IAAI;IAIR,YAAY,CAAC,SAAS,SAA6B,GAAG,OAAO,CAAC,OAAO,CAAC;CAa7E;AAgCD,wBAAsB,UAAU,IAAI,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAgGhE;AAED,mCAAmC;AACnC,wBAAgB,YAAY,IAAI;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CA+BnD;AAED,6CAA6C;AAC7C,wBAAgB,cAAc,IAAI,IAAI,CAiCrC;AAID,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA2BvD"}