@pleri/olam-cli 0.1.135 → 0.1.137

package/dist/index.js

@@ -4420,7 +4420,7 @@ function loadRepoManifest(repoDir) {
   }
   return { ...body, source };
 }
-var runtimeSchema, appSchema, serviceSchema, deploySchema, BootstrapKindSchema, BootstrapStepSchema, RepoManifestSchema, KNOWN_TOP_LEVEL_KEYS, FORBIDDEN_KEYS;
+var runtimeSchema, appSchema, serviceSchema, deploySchema, planChatSchema, BootstrapKindSchema, BootstrapStepSchema, RepoManifestSchema, KNOWN_TOP_LEVEL_KEYS, FORBIDDEN_KEYS;
 var init_repo_manifest = __esm({
   "../core/dist/world/repo-manifest.js"() {
     "use strict";
@@ -4526,6 +4526,9 @@ var init_repo_manifest = __esm({
     deploySchema = external_exports.object({
       tags: external_exports.array(external_exports.string()).optional()
     }).passthrough();
+    planChatSchema = external_exports.object({
+      enabled: external_exports.boolean()
+    }).strict();
     BootstrapKindSchema = external_exports.enum(["gems", "node", "pg"]);
     BootstrapStepSchema = external_exports.union([
       external_exports.string(),
@@ -4548,7 +4551,8 @@ var init_repo_manifest = __esm({
       secrets: external_exports.string().optional(),
       bootstrap: external_exports.array(BootstrapStepSchema).optional(),
       start: external_exports.string().optional(),
-      deploy: deploySchema.optional()
+      deploy: deploySchema.optional(),
+      plan_chat: planChatSchema.optional()
       // TODO(phase-C): runtime field consumed by stack-install.ts (T16).
       // TODO(phase-D): app.fixed (sticky port) consumed by port-allocation.
       // TODO(phase-D): idempotent_check on bootstrap steps in bootstrap-runner.
@@ -4556,11 +4560,11 @@ var init_repo_manifest = __esm({
     }).passthrough().superRefine((val, ctx) => {
       refineForbiddenKeys(val, [], ctx, true);
     }).superRefine((val, ctx) => {
-      const hasContent = val.version !== void 0 || val.runtime !== void 0 || val.app !== void 0 || val.services !== void 0 || val.env !== void 0 || val.secrets !== void 0 || val.bootstrap !== void 0 || val.start !== void 0 || val.deploy !== void 0;
+      const hasContent = val.version !== void 0 || val.runtime !== void 0 || val.app !== void 0 || val.services !== void 0 || val.env !== void 0 || val.secrets !== void 0 || val.bootstrap !== void 0 || val.start !== void 0 || val.deploy !== void 0 || val.plan_chat !== void 0;
       if (!hasContent) {
         ctx.addIssue({
           code: external_exports.ZodIssueCode.custom,
-          message: "Manifest must declare at least one of: version, runtime, app, services, env, secrets, bootstrap, start, deploy"
+          message: "Manifest must declare at least one of: version, runtime, app, services, env, secrets, bootstrap, start, deploy, plan_chat"
         });
       }
     });
@@ -4574,6 +4578,10 @@ var init_repo_manifest = __esm({
       "bootstrap",
       "start",
       "deploy",
+      // olam-plan-chat-chunks-substrate Phase A task A4: opt-in for the chunks
+      // thought substrate. Read by `resolveThoughtSubstrate` in
+      // `packages/core/src/thought/substrate-router.ts`.
+      "plan_chat",
       // F-7 (olam-hybrid-shared-postgres dogfood finding): native inheritance —
       // `.olam.yaml` may declare `inherits: .adb.yaml` to deep-merge an adb-shaped
       // base manifest into itself. Retires the atlas-one `bin/olam-create-wrap.sh`
@@ -5025,7 +5033,24 @@ var init_schema2 = __esm({
        * (B1/C4) reads this file and forwards the value as
        * `AGENTMEMORY_SECRET` into worlds.
        */
-      secret_ref: external_exports.string().min(1).optional().default("~/.olam/cloud-memory-secret")
+      secret_ref: external_exports.string().min(1).optional().default("~/.olam/cloud-memory-secret"),
+      /**
+       * DO SQLite write-through bridge toggle. Defaults to `true` (bridge
+       * active — every state-mutating call captures the engine's export to
+       * a DO snapshot, restored on cold-start).
+       *
+       * Operators set `bridge: false` to bisect bridge vs engine bugs:
+       * the CLI threads this into the Worker as `OLAM_BRIDGE_DISABLED=1`,
+       * which makes `AgentMemoryContainer.fetch` a plain pass-through
+       * (no capture, no restore). The next deploy with `bridge: true`
+       * resumes captures automatically.
+       *
+       * See `docs/design/olam-agent-memory-do-bridge-schema.md` for the
+       * full storage contract; the bridge is OFF only as a diagnosis aid.
+       *
+       * Plan reference: docs/plans/olam-agent-memory-do-sqlite-bridge/phase-c-tasks.md C3
+       */
+      bridge: external_exports.boolean().optional().default(true)
     });
     MemorySchema = external_exports.object({
       mode: external_exports.enum(["local", "cloud"]).optional().default("local"),
@@ -5370,7 +5395,7 @@ async function safeText(res) {
   }
 }
 function sleep(ms) {
-  return new Promise((resolve14) => setTimeout(resolve14, ms));
+  return new Promise((resolve15) => setTimeout(resolve15, ms));
 }
 var DEFAULT_BASE_URL, DEFAULT_TIMEOUT_MS, RETRY_COUNT, RETRY_BACKOFF_MS, AuthClient;
 var init_client = __esm({
@@ -5522,7 +5547,7 @@ function resolveAuthServicePath() {
   return path9.join(pkgsDir, "auth-service");
 }
 function sleep2(ms) {
-  return new Promise((resolve14) => setTimeout(resolve14, ms));
+  return new Promise((resolve15) => setTimeout(resolve15, ms));
 }
 var DEFAULT_PORT, DEFAULT_VOLUME, DEFAULT_CONTAINER, DEFAULT_IMAGE, AuthContainerController;
 var init_container = __esm({
@@ -5820,7 +5845,7 @@ var init_network = __esm({
 // ../adapters/dist/docker/pull.js
 import { spawn } from "node:child_process";
 function spawnAsync(cmd, args, opts = {}) {
-  return new Promise((resolve14) => {
+  return new Promise((resolve15) => {
     const child = spawn(cmd, [...args], {
       stdio: ["ignore", "pipe", "pipe"],
       signal: opts.signal
@@ -5834,10 +5859,10 @@ function spawnAsync(cmd, args, opts = {}) {
       stderr += chunk.toString();
     });
     child.on("error", (err) => {
-      resolve14({ exitCode: -1, stdout, stderr: stderr + err.message });
+      resolve15({ exitCode: -1, stdout, stderr: stderr + err.message });
     });
     child.on("close", (code) => {
-      resolve14({ exitCode: code ?? -1, stdout, stderr });
+      resolve15({ exitCode: code ?? -1, stdout, stderr });
     });
   });
 }
@@ -6272,6 +6297,10 @@ var init_container2 = __esm({
                 opts.push(`size=${m.size}`);
               if (m.mode !== void 0)
                 opts.push(`mode=${m.mode.toString(8).padStart(4, "0")}`);
+              if (m.uid !== void 0)
+                opts.push(`uid=${m.uid}`);
+              if (m.gid !== void 0)
+                opts.push(`gid=${m.gid}`);
               acc[m.target] = opts.join(",");
               return acc;
             }, {})
@@ -6307,7 +6336,7 @@ var demuxStream, execInContainer;
 var init_exec = __esm({
   "../adapters/dist/docker/exec.js"() {
     "use strict";
-    demuxStream = (stream) => new Promise((resolve14, reject) => {
+    demuxStream = (stream) => new Promise((resolve15, reject) => {
       const stdoutChunks = [];
       const stderrChunks = [];
       const stdout = new PassThrough();
@@ -6321,7 +6350,7 @@ var init_exec = __esm({
         stream.pipe(stdout);
       }
       stream.on("end", () => {
-        resolve14({
+        resolve15({
           stdout: Buffer.concat(stdoutChunks).toString("utf-8"),
           stderr: Buffer.concat(stderrChunks).toString("utf-8")
         });
@@ -6781,7 +6810,7 @@ var init_connection = __esm({
       // -----------------------------------------------------------------------
       async exec(host, command) {
         const client = await this.getConnection(host);
-        return new Promise((resolve14, reject) => {
+        return new Promise((resolve15, reject) => {
           client.exec(command, (err, stream) => {
             if (err) {
               reject(new Error(`SSH exec failed on ${host}: ${err.message}`));
@@ -6796,7 +6825,7 @@ var init_connection = __esm({
               stderr += data.toString();
             });
             stream.on("close", (code) => {
-              resolve14({
+              resolve15({
                 exitCode: code ?? 0,
                 stdout: stdout.trimEnd(),
                 stderr: stderr.trimEnd()
@@ -6827,10 +6856,10 @@ var init_connection = __esm({
           throw new Error(`No SSH configuration found for host: ${host}`);
         }
         const client = new SSHClient();
-        return new Promise((resolve14, reject) => {
+        return new Promise((resolve15, reject) => {
           client.on("ready", () => {
             this.connections.set(host, client);
-            resolve14(client);
+            resolve15(client);
           }).on("error", (err) => {
             this.connections.delete(host);
             reject(new Error(`SSH connection to ${host} failed: ${err.message}`));
@@ -8461,8 +8490,8 @@ function copyMatchingFiles(sourcePath, destPath, pattern) {
   try {
     const matches2 = globSync(fullPattern);
     for (const match2 of matches2) {
-      const relative3 = path14.relative(sourcePath, match2);
-      const dest = path14.join(destPath, relative3);
+      const relative4 = path14.relative(sourcePath, match2);
+      const dest = path14.join(destPath, relative4);
       fs13.mkdirSync(path14.dirname(dest), { recursive: true });
       fs13.copyFileSync(match2, dest);
     }
@@ -8742,8 +8771,8 @@ import { execFileSync as execFileSync4 } from "node:child_process";
 import * as fs15 from "node:fs";
 import * as os9 from "node:os";
 import * as path16 from "node:path";
-function expandHome2(p, homedir35) {
-  return p.replace(/^~(?=$|\/|\\)/, homedir35());
+function expandHome2(p, homedir36) {
+  return p.replace(/^~(?=$|\/|\\)/, homedir36());
 }
 function sanitizeRepoFilename(name) {
   const sanitized = name.replace(/[^A-Za-z0-9._-]/g, "_");
@@ -8766,7 +8795,7 @@ ${stderr}`;
 }
 function snapshotBaselineDiff(repos, workspacePath, deps = {}) {
   const exec = deps.exec ?? ((cmd, args, opts) => execFileSync4(cmd, args, opts));
-  const homedir35 = deps.homedir ?? (() => os9.homedir());
+  const homedir36 = deps.homedir ?? (() => os9.homedir());
   const baselineDir = path16.join(workspacePath, ".olam", "baseline");
   try {
     fs15.mkdirSync(baselineDir, { recursive: true });
@@ -8782,7 +8811,7 @@ function snapshotBaselineDiff(repos, workspacePath, deps = {}) {
       continue;
     const filename = `${sanitizeRepoFilename(repo.name)}.diff`;
     const outPath = path16.join(baselineDir, filename);
-    const repoPath = expandHome2(repo.path, homedir35);
+    const repoPath = expandHome2(repo.path, homedir36);
     if (!fs15.existsSync(repoPath)) {
       writeBaselineFile(outPath, `# repo: ${repo.name}
 # (skipped: path ${repoPath} does not exist)
@@ -8902,17 +8931,17 @@ function extractStderr(err) {
 }
 function carryUncommittedEdits(repos, workspacePath, deps = {}) {
   const exec = deps.exec ?? ((cmd, args, opts) => execFileSync4(cmd, args, opts));
-  const homedir35 = deps.homedir ?? (() => os9.homedir());
+  const homedir36 = deps.homedir ?? (() => os9.homedir());
   const existsSync64 = deps.existsSync ?? ((p) => fs15.existsSync(p));
   const copyFileSync9 = deps.copyFileSync ?? ((src, dest) => fs15.copyFileSync(src, dest));
-  const mkdirSync35 = deps.mkdirSync ?? ((dirPath, opts) => {
+  const mkdirSync36 = deps.mkdirSync ?? ((dirPath, opts) => {
     fs15.mkdirSync(dirPath, opts);
   });
   const plans = [];
   for (const repo of repos) {
     if (!repo.path)
       continue;
-    const repoPath = expandHome2(repo.path, homedir35);
+    const repoPath = expandHome2(repo.path, homedir36);
     const worktreePath = path16.join(workspacePath, repo.name);
     if (!existsSync64(repoPath))
       continue;
@@ -8979,7 +9008,7 @@ function carryUncommittedEdits(repos, workspacePath, deps = {}) {
       if (!existsSync64(src))
         continue;
       try {
-        mkdirSync35(path16.dirname(dest), { recursive: true });
+        mkdirSync36(path16.dirname(dest), { recursive: true });
         copyFileSync9(src, dest);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
@@ -9422,18 +9451,18 @@ function computeFingerprint(runtimes) {
   const joined = parts.join("_");
   return sanitizeTag(joined);
 }
-function computeImageTag(runtimes) {
-  const baseDigest = getBaseImageDigest();
+function computeImageTag(runtimes, baseImageRef = `${BASE_IMAGE}:latest`) {
+  const baseDigest = getImageDigest(baseImageRef);
   const prefix = baseDigest.slice(0, 8);
   const fingerprint = computeFingerprint(runtimes);
   const tag = `${prefix}_${fingerprint}`;
   return sanitizeTag(tag);
 }
-function computeImageName(runtimes) {
-  return `${BASE_IMAGE}:${computeImageTag(runtimes)}`;
+function computeImageName(runtimes, baseImageRef = `${BASE_IMAGE}:latest`) {
+  return `${BASE_IMAGE}:${computeImageTag(runtimes, baseImageRef)}`;
 }
-function lookupCachedImage(runtimes) {
-  const tag = computeImageTag(runtimes);
+function lookupCachedImage(runtimes, baseImageRef = `${BASE_IMAGE}:latest`) {
+  const tag = computeImageTag(runtimes, baseImageRef);
   const imageName = `${BASE_IMAGE}:${tag}`;
   try {
     execSync2(`docker image inspect ${imageName} > /dev/null 2>&1`, {
@@ -9450,18 +9479,24 @@ function commitAsImage(containerName, imageName) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
   execSync2(`docker commit --change 'LABEL ${LABEL_PREFIX}=true' --change 'LABEL ${LABEL_PREFIX}.created-at=${now}' --change 'LABEL ${LABEL_PREFIX}.base-digest=${baseDigest}' ${containerName} ${imageName}`, { stdio: "pipe", timeout: 12e4 });
 }
-function getBaseImageDigest() {
-  if (cachedBaseDigest)
-    return cachedBaseDigest;
+function getImageDigest(imageRef) {
+  const memo = cachedImageDigests.get(imageRef);
+  if (memo)
+    return memo;
   try {
-    const digest = execSync2(`docker inspect ${BASE_IMAGE}:latest --format '{{.Id}}'`, { encoding: "utf-8", timeout: 5e3 }).trim();
-    cachedBaseDigest = digest.replace("sha256:", "").slice(0, 16);
-    return cachedBaseDigest;
+    const digest = execSync2(`docker inspect ${imageRef} --format '{{.Id}}'`, { encoding: "utf-8", timeout: 5e3 }).trim();
+    const short = digest.replace("sha256:", "").slice(0, 16);
+    cachedImageDigests.set(imageRef, short);
+    return short;
   } catch {
-    cachedBaseDigest = crypto3.createHash("sha256").update("unknown").digest("hex").slice(0, 16);
-    return cachedBaseDigest;
+    const fallback = crypto3.createHash("sha256").update(imageRef).digest("hex").slice(0, 16);
+    cachedImageDigests.set(imageRef, fallback);
+    return fallback;
   }
 }
+function getBaseImageDigest() {
+  return getImageDigest(`${BASE_IMAGE}:latest`);
+}
 function sanitizeTag(raw) {
   let tag = raw.toLowerCase().replace(/[^a-z0-9._-]/g, "-");
   if (tag.length > MAX_TAG_LENGTH) {
@@ -9470,13 +9505,14 @@ function sanitizeTag(raw) {
   }
   return tag;
 }
-var BASE_IMAGE, LABEL_PREFIX, MAX_TAG_LENGTH, cachedBaseDigest;
+var BASE_IMAGE, LABEL_PREFIX, MAX_TAG_LENGTH, cachedImageDigests;
 var init_stack_image = __esm({
   "../core/dist/world/stack-image.js"() {
     "use strict";
     BASE_IMAGE = "olam-devbox";
     LABEL_PREFIX = "olam.stack-image";
     MAX_TAG_LENGTH = 128;
+    cachedImageDigests = /* @__PURE__ */ new Map();
   }
 });
 
@@ -10556,7 +10592,7 @@ var init_auto_dispatch_task = __esm({
         this.name = "TaskDispatchError";
       }
     };
-    DEFAULT_SLEEP = (ms) => new Promise((resolve14) => setTimeout(resolve14, ms));
+    DEFAULT_SLEEP = (ms) => new Promise((resolve15) => setTimeout(resolve15, ms));
   }
 });
 
@@ -12239,9 +12275,32 @@ ${detail}`);
           }
         }
         const repoSecretUrls = enrichedRepos.filter((r) => typeof r.manifest?.secrets === "string" && r.manifest.secrets.length > 0).map((r) => ({ repoName: r.name, secretsUrl: r.manifest.secrets }));
-        let stackCacheHit = false;
         let selectedImage;
+        let cacheArchOverride;
+        const selected = selectDevboxImageForWorld({
+          config: this.config,
+          repos,
+          worldspec: opts.worldspec
+        });
+        if (selected) {
+          selectedImage = selected.image;
+          cacheArchOverride = selected.cacheArch;
+          if (selected.source === "worldspec") {
+            console.log(`[WorldManager] worldspec override \u2014 using ${selected.image} (tag=${selected.tag})`);
+          } else {
+            console.log(`[WorldManager] image_selector matched \u2014 using ${selected.image} (tag=${selected.tag}${selected.cacheArch ? `, cache_arch=${selected.cacheArch}` : ""})`);
+          }
+        } else {
+          const hasRailsRepo = repos.some((r) => r.type === "rails");
+          if (hasRailsRepo) {
+            selectedImage = resolveDevboxImage(this.config, "amd64");
+            cacheArchOverride = "x64";
+            console.log(`[WorldManager] Rails repo detected \u2014 using ${selectedImage} + x64 mise-cache (Rosetta path)`);
+          }
+        }
+        let stackCacheHit = false;
         const preDetectedStacks = /* @__PURE__ */ new Map();
+        const cacheBaseRef = selectedImage ?? "olam-devbox:latest";
         if (this.provider.capabilities.supportsCustomImages) {
           try {
             const hostExec = makeHostExecFn();
@@ -12256,7 +12315,7 @@ ${detail}`);
             }
             const runtimes = collectUniqueRuntimes(Array.from(preDetectedStacks.values()));
             if (runtimes.size > 0) {
-              const cacheResult = lookupCachedImage(runtimes);
+              const cacheResult = lookupCachedImage(runtimes, cacheBaseRef);
               if (cacheResult.hit) {
                 selectedImage = cacheResult.imageName;
                 stackCacheHit = true;
@@ -12270,30 +12329,6 @@ ${detail}`);
             console.warn(`[WorldManager] host-side stack detection failed: ${msg}`);
           }
         }
-        let cacheArchOverride;
-        if (!stackCacheHit) {
-          const selected = selectDevboxImageForWorld({
-            config: this.config,
-            repos,
-            worldspec: opts.worldspec
-          });
-          if (selected) {
-            selectedImage = selected.image;
-            cacheArchOverride = selected.cacheArch;
-            if (selected.source === "worldspec") {
-              console.log(`[WorldManager] worldspec override \u2014 using ${selected.image} (tag=${selected.tag})`);
-            } else {
-              console.log(`[WorldManager] image_selector matched \u2014 using ${selected.image} (tag=${selected.tag}${selected.cacheArch ? `, cache_arch=${selected.cacheArch}` : ""})`);
-            }
-          } else {
-            const hasRailsRepo = repos.some((r) => r.type === "rails");
-            if (hasRailsRepo) {
-              selectedImage = resolveDevboxImage(this.config, "amd64");
-              cacheArchOverride = "x64";
-              console.log(`[WorldManager] Rails repo detected \u2014 using ${selectedImage} + x64 mise-cache (Rosetta path)`);
-            }
-          }
-        }
         const appPorts = [];
         for (const repo of enrichedRepos) {
           const manifestPort = repo.manifest?.app?.port;
@@ -12447,12 +12482,22 @@ ${detail}`);
             ...extraNetworks ? { extraNetworks } : {},
             // Closes SEC-002 residual: hybrid worlds get a tmpfs mount at
             // /run/olam to receive the per-world postgres credentials. Size
-            // 256K is generous for a few env files; mode 0700 means only
-            // root (the container's PID 1, which then drops to the app user
-            // via the entrypoint) can list the directory. Non-hybrid worlds
-            // skip this entirely — no behavior change.
+            // 256K is generous for a few env files; mode 0700 keeps the dir
+            // owner-only. uid/gid 999 matches the `olam` user from the Phase
+            // E E4 base image contract — without setting these, the tmpfs is
+            // root-owned and `docker exec` (which runs as the image's USER,
+            // i.e. olam) hits EACCES on credential writes. Non-hybrid worlds
+            // skip the mount entirely — no behavior change.
             ...tmpfsPostgresCredContent ? {
-              tmpfsMounts: [{ target: "/run/olam", size: 256 * 1024, mode: 448 }],
+              tmpfsMounts: [
+                {
+                  target: "/run/olam",
+                  size: 256 * 1024,
+                  mode: 448,
+                  uid: 999,
+                  gid: 999
+                }
+              ],
               tmpfsCredentialWrites: [
                 { path: "/run/olam/postgres.env", content: tmpfsPostgresCredContent }
               ]
@@ -14179,7 +14224,7 @@ function isCloudflaredAvailable() {
   }
 }
 function startTunnel(port2) {
-  return new Promise((resolve14, reject) => {
+  return new Promise((resolve15, reject) => {
     const child = spawn3("cloudflared", ["tunnel", "--url", `http://localhost:${port2}`], {
       stdio: ["ignore", "pipe", "pipe"],
       detached: false
@@ -14201,7 +14246,7 @@ function startTunnel(port2) {
       if (match2) {
         resolved = true;
         clearTimeout(timeout);
-        resolve14(match2[0]);
+        resolve15(match2[0]);
       }
     }
     child.stdout?.on("data", scan);
@@ -14288,8 +14333,8 @@ var init_dashboard = __esm({
           }
           throw err;
         }
-        await new Promise((resolve14, reject) => {
-          this.server.on("listening", resolve14);
+        await new Promise((resolve15, reject) => {
+          this.server.on("listening", resolve15);
           this.server.on("error", reject);
         });
         this.info = { localUrl: `http://localhost:${port2}` };
@@ -14335,8 +14380,8 @@ var init_dashboard = __esm({
       async stop() {
         stopTunnel();
         if (this.server) {
-          await new Promise((resolve14) => {
-            this.server.close(() => resolve14());
+          await new Promise((resolve15) => {
+            this.server.close(() => resolve15());
           });
           this.server = null;
         }
@@ -15422,7 +15467,7 @@ async function ensureOlamPostgresSingleton(options = {}) {
   };
 }
 function sleep3(ms) {
-  return new Promise((resolve14) => setTimeout(resolve14, ms));
+  return new Promise((resolve15) => setTimeout(resolve15, ms));
 }
 var DEFAULT_POSTGRES_NETWORK, DEFAULT_POSTGRES_CONTAINER, DEFAULT_POSTGRES_HOST_PORT, DEFAULT_POSTGRES_IMAGE, DEFAULT_POSTGRES_USER, DEFAULT_POSTGRES_PASSWORD, DEFAULT_POSTGRES_DB, DEFAULT_POSTGRES_READY_TIMEOUT_MS;
 var init_postgres_init_helpers = __esm({
@@ -16695,10 +16740,10 @@ async function confirm(message) {
   if (!process.stdin.isTTY) return true;
   const { createInterface: createInterface7 } = await import("node:readline");
   const rl = createInterface7({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve14) => {
+  return new Promise((resolve15) => {
     rl.question(`${message} [y/N] `, (answer) => {
       rl.close();
-      resolve14(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+      resolve15(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
     });
   });
 }
@@ -17076,6 +17121,17 @@ var KgServiceContainerController = class {
         // Mount the operator's KG root (OLAM_HOME-aware) so /build can persist graphs.
         "--volume",
         `${kgData}:${KG_SERVICE_VOLUME_TARGET}`,
+        // kg-service-container-v2 Phase F: read-only mount of $HOME so /build
+        // can ingest any project under the operator's home as the source repo.
+        // Read-only is sufficient: server-side scratch in /tmp/ holds the
+        // working copy + receives graphify's output before persisting to
+        // /kg-data. Operator's source tree is never written. Mount path
+        // `/host-home` is referenced by kg-build.ts when translating cwd
+        // → container-side path. Closes Samuel's multi-submodule cp-r bug
+        // by construction: copy runs INSIDE the container as root, not on
+        // the host with the operator's UID hitting locked .git/objects/pack/*.
+        "--volume",
+        `${process.env.HOME ?? "/root"}:/host-home:ro`,
         this.imageTag
       ],
       { stdio: "pipe" }
@@ -17138,7 +17194,7 @@ var KgServiceContainerController = class {
   }
 };
 function sleep4(ms) {
-  return new Promise((resolve14) => setTimeout(resolve14, ms));
+  return new Promise((resolve15) => setTimeout(resolve15, ms));
 }
 
 // src/commands/services.ts
@@ -17226,7 +17282,7 @@ var McpAuthContainerController = class {
   }
 };
 function sleep5(ms) {
-  return new Promise((resolve14) => setTimeout(resolve14, ms));
+  return new Promise((resolve15) => setTimeout(resolve15, ms));
 }
 function dumpContainerLogs(container, tail = 40) {
   try {
@@ -17922,10 +17978,10 @@ var HOST_CP_URL = "http://127.0.0.1:19000";
 async function readHostCpTokenForCreate() {
   try {
     const { default: fs56 } = await import("node:fs");
-    const { default: os31 } = await import("node:os");
+    const { default: os32 } = await import("node:os");
     const { default: path60 } = await import("node:path");
     const tp = path60.join(
-      process.env.OLAM_HOME ?? path60.join(os31.homedir(), ".olam"),
+      process.env.OLAM_HOME ?? path60.join(os32.homedir(), ".olam"),
       "host-cp.token"
     );
     if (!fs56.existsSync(tp)) return null;
@@ -18338,9 +18394,9 @@ function defaultNameFromPrompt(prompt) {
 async function readHostCpToken3() {
   try {
     const { default: fs56 } = await import("node:fs");
-    const { default: os31 } = await import("node:os");
+    const { default: os32 } = await import("node:os");
     const { default: path60 } = await import("node:path");
-    const tp = path60.join(os31.homedir(), ".olam", "host-cp.token");
+    const tp = path60.join(os32.homedir(), ".olam", "host-cp.token");
     if (!fs56.existsSync(tp)) return null;
     const raw = fs56.readFileSync(tp, "utf-8").trim();
     return raw.length > 0 ? raw : null;
@@ -19010,14 +19066,14 @@ function printTable(entries) {
 async function confirmInteractive() {
   process.stdout.write("  Type `yes` to proceed: ");
   const buf = [];
-  return new Promise((resolve14) => {
+  return new Promise((resolve15) => {
     const onData = (chunk) => {
       buf.push(chunk);
       if (Buffer.concat(buf).toString("utf-8").includes("\n")) {
         process.stdin.removeListener("data", onData);
         process.stdin.pause();
         const answer = Buffer.concat(buf).toString("utf-8").trim();
-        resolve14(answer.toLowerCase() === "yes");
+        resolve15(answer.toLowerCase() === "yes");
       }
     };
     process.stdin.resume();
@@ -24732,10 +24788,10 @@ async function confirm2(message) {
   if (!process.stdin.isTTY) return true;
   const { createInterface: createInterface7 } = await import("node:readline");
   const rl = createInterface7({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve14) => {
+  return new Promise((resolve15) => {
     rl.question(`${message} [y/N] `, (answer) => {
       rl.close();
-      resolve14(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+      resolve15(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
     });
   });
 }
@@ -27238,9 +27294,9 @@ function appendIdempotent(opts) {
 }
 function resolveShellRc(home, shellEnv) {
   if (!shellEnv) return null;
-  const basename6 = path45.basename(shellEnv);
-  if (basename6 === "zsh") return path45.join(home, ".zshrc");
-  if (basename6 === "bash") return path45.join(home, ".bashrc");
+  const basename7 = path45.basename(shellEnv);
+  if (basename7 === "zsh") return path45.join(home, ".zshrc");
+  if (basename7 === "bash") return path45.join(home, ".bashrc");
   return null;
 }
 
@@ -27252,10 +27308,10 @@ var NEXT_STEPS_DOCS = [
   "docs/architecture/manifest-spec.md    \u2014 per-repo .adb.yaml schema",
   "docs/architecture/config-spec.md      \u2014 workspace .olam/config.yaml schema"
 ];
-var defaultSpawn = (cmd, args) => new Promise((resolve14) => {
+var defaultSpawn = (cmd, args) => new Promise((resolve15) => {
   const child = spawn5(cmd, [...args], { stdio: "inherit" });
-  child.on("exit", (code) => resolve14({ status: code }));
-  child.on("error", () => resolve14({ status: 1 }));
+  child.on("exit", (code) => resolve15({ status: code }));
+  child.on("error", () => resolve15({ status: 1 }));
 });
 var defaultPrompt = (question, defaultYes) => {
   if (!process.stdin.isTTY) {
@@ -27265,18 +27321,18 @@ var defaultPrompt = (question, defaultYes) => {
     );
     return Promise.resolve(defaultYes);
   }
-  return new Promise((resolve14) => {
+  return new Promise((resolve15) => {
     const rl = createInterface3({ input: process.stdin, output: process.stdout });
     const suffix = defaultYes ? " [Y/n]: " : " [y/N]: ";
     rl.question(`${question}${suffix}`, (answer) => {
       rl.close();
       const t = answer.trim().toLowerCase();
-      if (t === "") resolve14(defaultYes);
-      else if (t === "y" || t === "yes") resolve14(true);
-      else if (t === "n" || t === "no") resolve14(false);
-      else resolve14(defaultYes);
+      if (t === "") resolve15(defaultYes);
+      else if (t === "y" || t === "yes") resolve15(true);
+      else if (t === "n" || t === "no") resolve15(false);
+      else resolve15(defaultYes);
     });
-    rl.on("close", () => resolve14(defaultYes));
+    rl.on("close", () => resolve15(defaultYes));
   });
 };
 async function phase1SystemCheck(deps) {
@@ -28500,7 +28556,7 @@ function registerMcpLogin(cmd) {
 init_output();
 import * as readline2 from "node:readline";
 async function readTokenSilent(prompt) {
-  return new Promise((resolve14, reject) => {
+  return new Promise((resolve15, reject) => {
     const rl = readline2.createInterface({
       input: process.stdin,
       output: process.stdout,
@@ -28518,7 +28574,7 @@ async function readTokenSilent(prompt) {
         process.stdin.removeListener("data", onData);
         process.stdout.write("\n");
         rl.close();
-        resolve14(token);
+        resolve15(token);
       } else if (char === "") {
         if (process.stdin.isTTY) process.stdin.setRawMode(false);
         process.stdin.removeListener("data", onData);
@@ -28793,7 +28849,7 @@ async function discoverMcpSources(repoPaths) {
 import { spawn as spawn7 } from "node:child_process";
 var VALIDATION_TIMEOUT_MS = 5e3;
 async function validateMcpEntry(entry) {
-  return new Promise((resolve14) => {
+  return new Promise((resolve15) => {
     let stdout = "";
     let timedOut = false;
     let child;
@@ -28803,7 +28859,7 @@ async function validateMcpEntry(entry) {
         env: { ...process.env, ...entry.env ?? {} }
       });
     } catch (err) {
-      resolve14({
+      resolve15({
         name: entry.name,
         validated: false,
         reason: err instanceof Error ? err.message : "spawn failed"
@@ -28820,11 +28876,11 @@ async function validateMcpEntry(entry) {
     child.on("close", (code) => {
       clearTimeout(timer);
       if (timedOut) {
-        resolve14({ name: entry.name, validated: false, reason: "timeout (5s)" });
+        resolve15({ name: entry.name, validated: false, reason: "timeout (5s)" });
         return;
       }
       const validated = code === 0 && stdout.trim().length > 0;
-      resolve14({
+      resolve15({
         name: entry.name,
         validated,
         reason: validated ? "ok" : `exit code ${code ?? "null"}`
@@ -28832,7 +28888,7 @@ async function validateMcpEntry(entry) {
     });
     child.on("error", (err) => {
       clearTimeout(timer);
-      resolve14({ name: entry.name, validated: false, reason: err.message });
+      resolve15({ name: entry.name, validated: false, reason: err.message });
     });
   });
 }
@@ -28847,11 +28903,11 @@ async function multiSelectPicker(entries) {
     );
   });
   console.log("\n" + pc29.dim('Enter numbers to import (e.g. 1,2,3 or "all" or Enter to skip):'));
-  const answer = await new Promise((resolve14) => {
+  const answer = await new Promise((resolve15) => {
     const rl = readline3.createInterface({ input: process.stdin, output: process.stdout });
     rl.question("> ", (ans) => {
       rl.close();
-      resolve14(ans.trim());
+      resolve15(ans.trim());
     });
   });
   if (!answer || answer === "") return [];
@@ -29136,6 +29192,12 @@ async function runMemoryStart() {
     env: {
       ...process.env,
       AGENTMEMORY_SECRET: secret,
+      // Bind 0.0.0.0 so worlds inside Docker can reach the host service
+      // via `host.docker.internal:3111`. Defaults to 127.0.0.1 in the
+      // upstream iii-config, which would make the service host-only.
+      // The bearer-secret gate above prevents non-authed access from
+      // any other LAN host that can route to this machine.
+      AGENTMEMORY_HOST: "0.0.0.0",
       PATH: `${OLAM_BIN_DIR}:${process.env.PATH ?? ""}`
     },
     stdio: ["ignore", logFd, logFd],
@@ -29329,8 +29391,8 @@ async function runMemoryLogs(opts) {
   args.push(MEMORY_LOG_PATH);
   printHeader(`olam memory logs (${opts.follow ? "follow" : `tail -n ${tailN}`})`);
   const child = spawn9("tail", args, { stdio: "inherit" });
-  return new Promise((resolve14) => {
-    child.on("exit", (code) => resolve14(code ?? 0));
+  return new Promise((resolve15) => {
+    child.on("exit", (code) => resolve15(code ?? 0));
   });
 }
 function registerMemoryLogs(cmd) {
@@ -29696,10 +29758,88 @@ function registerMemory(program2) {
 // src/commands/kg-build.ts
 init_storage_paths();
 init_workspace_name();
+import * as fs53 from "node:fs";
+import * as os30 from "node:os";
+import * as path57 from "node:path";
+
+// ../core/dist/kg/kg-service-client.js
+var KG_SERVICE_PORT_DEFAULT = 9997;
+function port() {
+  const env = process.env.OLAM_KG_SERVICE_PORT;
+  if (!env)
+    return KG_SERVICE_PORT_DEFAULT;
+  const n = Number.parseInt(env, 10);
+  return Number.isFinite(n) && n > 0 ? n : KG_SERVICE_PORT_DEFAULT;
+}
+function url(path60) {
+  return `http://127.0.0.1:${port()}${path60}`;
+}
+function kgServiceHealthUrl() {
+  return url("/health");
+}
+function kgServiceClassifyUrl() {
+  return url("/classify");
+}
+function kgServiceStatusUrl() {
+  return url("/status");
+}
+function kgServiceBuildUrl() {
+  return url("/build");
+}
+var KgServiceUnreachableError = class extends Error {
+  cause;
+  constructor(message, cause) {
+    super(message);
+    this.cause = cause;
+    this.name = "KgServiceUnreachableError";
+  }
+};
+var DEFAULT_TIMEOUT_MS3 = 5e3;
+async function postJson(endpointUrl, body, timeoutMs = DEFAULT_TIMEOUT_MS3) {
+  let res;
+  try {
+    res = await fetch(endpointUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+  } catch (err) {
+    throw new KgServiceUnreachableError(`kg-service not reachable at ${endpointUrl} \u2014 run \`olam services up\` to start it.`, err);
+  }
+  if (!res.ok) {
+    const errBody = await res.text().catch(() => "");
+    throw new Error(`${endpointUrl} returned ${res.status}: ${errBody.slice(0, 500)}`);
+  }
+  return await res.json();
+}
+async function getJson(endpointUrl, timeoutMs = DEFAULT_TIMEOUT_MS3) {
+  let res;
+  try {
+    res = await fetch(endpointUrl, { signal: AbortSignal.timeout(timeoutMs) });
+  } catch (err) {
+    throw new KgServiceUnreachableError(`kg-service not reachable at ${endpointUrl} \u2014 run \`olam services up\` to start it.`, err);
+  }
+  if (!res.ok) {
+    throw new Error(`${endpointUrl} returned ${res.status}`);
+  }
+  return await res.json();
+}
+async function classify(req, opts = {}) {
+  return postJson(kgServiceClassifyUrl(), req, opts.timeoutMs);
+}
+async function health(opts = {}) {
+  return getJson(kgServiceHealthUrl(), opts.timeoutMs ?? 2e3);
+}
+async function status(opts = {}) {
+  return getJson(kgServiceStatusUrl(), opts.timeoutMs);
+}
+async function build(req, opts = {}) {
+  return postJson(kgServiceBuildUrl(), req, opts.timeoutMs ?? 9e5);
+}
+
+// src/commands/kg-build.ts
 init_output();
-import { spawnSync as spawnSync20 } from "node:child_process";
-import fs53 from "node:fs";
-import path57 from "node:path";
 
 // src/commands/kg-status.ts
 init_storage_paths();
@@ -30063,16 +30203,16 @@ async function runKgWatch(workspaceArg, opts, deps = {}) {
     process.on("SIGINT", () => forward("SIGINT"));
     process.on("SIGTERM", () => forward("SIGTERM"));
   }
-  return new Promise((resolve14) => {
+  return new Promise((resolve15) => {
     child.on("exit", (code, signal) => {
       removePidFile(name);
       const exitCode = typeof code === "number" ? code : signal === "SIGINT" || signal === "SIGTERM" ? 0 : 1;
-      resolve14({ exitCode, pidWritten: true });
+      resolve15({ exitCode, pidWritten: true });
     });
     child.on("error", (err) => {
       removePidFile(name);
       printError(`graphify subprocess error: ${err.message}`);
-      resolve14({ exitCode: 1, pidWritten: true });
+      resolve15({ exitCode: 1, pidWritten: true });
     });
   });
 }
@@ -30087,78 +30227,6 @@ function registerKgWatchCommand(kg) {
 
 // src/commands/kg-classify.ts
 import pc31 from "picocolors";
-
-// ../core/dist/kg/kg-service-client.js
-var KG_SERVICE_PORT_DEFAULT = 9997;
-function port() {
-  const env = process.env.OLAM_KG_SERVICE_PORT;
-  if (!env)
-    return KG_SERVICE_PORT_DEFAULT;
-  const n = Number.parseInt(env, 10);
-  return Number.isFinite(n) && n > 0 ? n : KG_SERVICE_PORT_DEFAULT;
-}
-function url(path60) {
-  return `http://127.0.0.1:${port()}${path60}`;
-}
-function kgServiceHealthUrl() {
-  return url("/health");
-}
-function kgServiceClassifyUrl() {
-  return url("/classify");
-}
-function kgServiceStatusUrl() {
-  return url("/status");
-}
-var KgServiceUnreachableError = class extends Error {
-  cause;
-  constructor(message, cause) {
-    super(message);
-    this.cause = cause;
-    this.name = "KgServiceUnreachableError";
-  }
-};
-var DEFAULT_TIMEOUT_MS3 = 5e3;
-async function postJson(endpointUrl, body, timeoutMs = DEFAULT_TIMEOUT_MS3) {
-  let res;
-  try {
-    res = await fetch(endpointUrl, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify(body),
-      signal: AbortSignal.timeout(timeoutMs)
-    });
-  } catch (err) {
-    throw new KgServiceUnreachableError(`kg-service not reachable at ${endpointUrl} \u2014 run \`olam services up\` to start it.`, err);
-  }
-  if (!res.ok) {
-    const errBody = await res.text().catch(() => "");
-    throw new Error(`${endpointUrl} returned ${res.status}: ${errBody.slice(0, 500)}`);
-  }
-  return await res.json();
-}
-async function getJson(endpointUrl, timeoutMs = DEFAULT_TIMEOUT_MS3) {
-  let res;
-  try {
-    res = await fetch(endpointUrl, { signal: AbortSignal.timeout(timeoutMs) });
-  } catch (err) {
-    throw new KgServiceUnreachableError(`kg-service not reachable at ${endpointUrl} \u2014 run \`olam services up\` to start it.`, err);
-  }
-  if (!res.ok) {
-    throw new Error(`${endpointUrl} returned ${res.status}`);
-  }
-  return await res.json();
-}
-async function classify(req, opts = {}) {
-  return postJson(kgServiceClassifyUrl(), req, opts.timeoutMs);
-}
-async function health(opts = {}) {
-  return getJson(kgServiceHealthUrl(), opts.timeoutMs ?? 2e3);
-}
-async function status(opts = {}) {
-  return getJson(kgServiceStatusUrl(), opts.timeoutMs);
-}
-
-// src/commands/kg-classify.ts
 init_output();
 function registerKgClassifyCommand(kg) {
   kg.command("classify <question>").description("Route a question to kg | grep | both via the 4-layer classifier (kg-service required)").option("--workspace <name>", "Scope the L2 probe gate to a specific workspace graph").option("--json", "Emit raw JSON instead of the formatted summary").action(async (question, opts) => {
@@ -30627,60 +30695,24 @@ function registerKgUninstallHookCommand(kg) {
 }
 
 // src/commands/kg-build.ts
-var DEFAULT_DEVBOX_IMAGE2 = "olam-devbox:latest";
 function resolveWorkspace(arg) {
   const cwd = process.cwd();
   const name = arg ?? path57.basename(cwd).toLowerCase();
   validateWorkspaceName(name);
   return { name, sourcePath: cwd };
 }
-function copyWorkspaceToScratch(source, scratch) {
-  if (process.platform === "darwin") {
-    const r2 = spawnSync20("cp", ["-c", "-r", source + "/.", scratch], {
-      stdio: ["ignore", "ignore", "pipe"],
-      encoding: "utf-8"
-    });
-    if (r2.status === 0) return "cp-c-r-reflink";
-  }
-  const r = spawnSync20("cp", ["-r", source + "/.", scratch], {
-    stdio: ["ignore", "ignore", "pipe"],
-    encoding: "utf-8"
-  });
-  if (r.status !== 0) {
-    throw new Error(`cp -r failed: ${(r.stderr ?? "").trim() || r.error?.message}`);
-  }
-  return "cp-r";
-}
-function parseNodeCount(graphifyOutDir) {
-  const graphPath = path57.join(graphifyOutDir, "graph.json");
-  if (!fs53.existsSync(graphPath)) return null;
-  try {
-    const content = fs53.readFileSync(graphPath, "utf-8");
-    const data = JSON.parse(content);
-    return Array.isArray(data.nodes) ? data.nodes.length : null;
-  } catch {
-    return null;
+function toContainerPath(hostPath) {
+  const home = os30.homedir();
+  const resolved = path57.resolve(hostPath);
+  if (!resolved.startsWith(home + path57.sep) && resolved !== home) {
+    throw new Error(
+      `source path "${resolved}" is not under $HOME (${home}). kg-service can only build repos that live under your home dir (it bind-mounts $HOME:/host-home:ro at start). Move the repo or set OLAM_HOME if you need a different root.`
+    );
   }
-}
-function readGraphifyVersion(image) {
-  const r = spawnSync20(
-    "docker",
-    [
-      "run",
-      "--rm",
-      "--entrypoint=/opt/graphify-venv/bin/pip",
-      image,
-      "show",
-      "graphifyy"
-    ],
-    { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] }
-  );
-  if (r.status !== 0) return "unknown";
-  const m = (r.stdout ?? "").match(/^Version:\s*(\S+)/m);
-  return m?.[1] ?? "unknown";
+  const rel = path57.relative(home, resolved);
+  return rel === "" ? "/host-home" : path57.posix.join("/host-home", rel.split(path57.sep).join("/"));
 }
 async function runKgBuild(workspaceArg, options = {}) {
-  const image = options.image ?? DEFAULT_DEVBOX_IMAGE2;
   let workspace;
   try {
     workspace = resolveWorkspace(workspaceArg);
@@ -30688,82 +30720,68 @@ async function runKgBuild(workspaceArg, options = {}) {
     printError(err instanceof Error ? err.message : String(err));
     return { exitCode: 2 };
   }
+  let containerRepoPath;
+  try {
+    containerRepoPath = toContainerPath(workspace.sourcePath);
+  } catch (err) {
+    printError(err instanceof Error ? err.message : String(err));
+    return { exitCode: 2 };
+  }
   const outDir = kgPristinePath(workspace.name);
-  const scratchDir = path57.join(outDir, "scratch");
   fs53.mkdirSync(outDir, { recursive: true });
-  if (fs53.existsSync(scratchDir)) fs53.rmSync(scratchDir, { recursive: true, force: true });
-  fs53.mkdirSync(scratchDir);
   const human = !options.json;
   if (human) {
     printInfo("kg build", `workspace=${workspace.name} source=${workspace.sourcePath}`);
-    printInfo("kg build", `scratch=${scratchDir} \u2192 out=${outDir}/graphify-out/`);
+    printInfo("kg build", `\u2192 kg-service /build (container path ${containerRepoPath}) \u2192 ${outDir}/graphify-out/`);
   }
-  const started = Date.now();
-  let scratchStrategy;
+  let resp;
   try {
-    scratchStrategy = copyWorkspaceToScratch(workspace.sourcePath, scratchDir);
-    if (human) printInfo("kg build", `copied via ${scratchStrategy}`);
-    const dockerArgs = [
-      "run",
-      "--rm",
-      "-v",
-      `${scratchDir}:/work`,
-      "-w",
-      "/work",
-      "--entrypoint=graphify",
-      image,
-      "update",
-      "."
-    ];
-    const r = human ? spawnSync20("docker", dockerArgs, { stdio: "inherit" }) : spawnSync20("docker", dockerArgs, { stdio: ["ignore", "ignore", "pipe"] });
-    if (r.status !== 0) {
-      printError(`graphify update failed (exit ${r.status})`);
-      return { exitCode: r.status ?? 1 };
-    }
-    const scratchOut = path57.join(scratchDir, "graphify-out");
-    const finalOut = path57.join(outDir, "graphify-out");
-    if (!fs53.existsSync(scratchOut)) {
-      printError(`graphify produced no graphify-out/ in scratch (${scratchOut})`);
-      return { exitCode: 1 };
-    }
-    if (fs53.existsSync(finalOut)) fs53.rmSync(finalOut, { recursive: true, force: true });
-    fs53.renameSync(scratchOut, finalOut);
-    const durationMs = Date.now() - started;
-    const nodeCount = parseNodeCount(finalOut);
-    const version = readGraphifyVersion(image);
-    const freshness = {
-      built_at: (/* @__PURE__ */ new Date()).toISOString(),
-      duration_ms: durationMs,
-      node_count: nodeCount,
-      graphify_version: version,
+    resp = await build({
       workspace: workspace.name,
-      scratch_strategy: scratchStrategy
-    };
-    fs53.writeFileSync(
-      path57.join(outDir, "freshness.json"),
-      JSON.stringify(freshness, null, 2) + "\n",
-      "utf-8"
+      repo_path: containerRepoPath
+    });
+  } catch (err) {
+    if (err instanceof KgServiceUnreachableError) {
+      printError(err.message);
+      printInfo("remedy", "run `olam services up` to start kg-service, then re-run `olam kg build`.");
+      return { exitCode: 3 };
+    }
+    printError(`kg-service /build failed: ${err instanceof Error ? err.message : String(err)}`);
+    return { exitCode: 1 };
+  }
+  if (!resp.ok) {
+    printError(`kg-service /build returned error: ${resp.error ?? "unknown"}`);
+    return { exitCode: 1 };
+  }
+  const freshness = {
+    built_at: resp.built_at ?? (/* @__PURE__ */ new Date()).toISOString(),
+    duration_ms: resp.duration_ms ?? 0,
+    node_count: resp.nodes ?? null,
+    edge_count: resp.edges ?? null,
+    workspace: workspace.name,
+    graphify_path: "container"
+  };
+  fs53.writeFileSync(
+    path57.join(outDir, "freshness.json"),
+    JSON.stringify(freshness, null, 2) + "\n",
+    "utf-8"
+  );
+  const finalOut = path57.join(outDir, "graphify-out");
+  if (options.json) {
+    process.stdout.write(JSON.stringify(freshness) + "\n");
+  } else {
+    printSuccess(
+      `kg build ${workspace.name} \u2014 ${resp.nodes ?? "?"} nodes / ${resp.edges ?? "?"} edges in ${((resp.duration_ms ?? 0) / 1e3).toFixed(1)}s (via kg-service container)`
     );
-    if (options.json) {
-      process.stdout.write(JSON.stringify(freshness) + "\n");
-    } else {
-      printSuccess(
-        `kg build ${workspace.name} \u2014 ${nodeCount ?? "?"} nodes in ${(durationMs / 1e3).toFixed(1)}s (graphify ${version})`
-      );
-      printInfo("output", `${finalOut}/graph.json`);
-    }
-    return { exitCode: 0, freshness, outputDir: finalOut };
-  } finally {
-    if (fs53.existsSync(scratchDir)) {
-      fs53.rmSync(scratchDir, { recursive: true, force: true });
-    }
+    printInfo("output", `${finalOut}/graph.json`);
   }
+  return { exitCode: 0, freshness, outputDir: finalOut };
 }
 function registerKg(program2) {
-  const kg = program2.command("kg").description("Knowledge-graph operations (graphify-backed)");
+  const kg = program2.command("kg").description("Knowledge-graph operations (kg-service container)");
   kg.command("build").description(
-    "Build pristine KG for a workspace (default: current dir). Scratch-dir pattern; ~/.olam/kg/<ws>/graphify-out/"
-  ).argument("[workspace]", "workspace name (lowercase alphanumeric + hyphens/underscores)").option("--image <ref>", `devbox image to invoke (default: ${DEFAULT_DEVBOX_IMAGE2})`).option("--json", "emit freshness record as JSON instead of human-readable status").action(async (workspaceArg, opts) => {
+    "Build pristine KG for a workspace (default: current dir). Routes through olam-kg-service /build endpoint."
+  ).argument("[workspace]", "workspace name (lowercase alphanumeric + hyphens/underscores)").option("--json", "emit freshness record as JSON instead of human-readable status").action(async (workspaceArg, opts) => {
     const r = await runKgBuild(workspaceArg, opts);
     if (r.exitCode !== 0) process.exitCode = r.exitCode;
   });
@@ -30777,7 +30795,7 @@ function registerKg(program2) {
 
 // src/commands/seed.ts
 init_output();
-import { spawnSync as spawnSync21, spawn as spawnAsync2 } from "node:child_process";
+import { spawnSync as spawnSync20, spawn as spawnAsync2 } from "node:child_process";
 var DEFAULT_SINGLETON_CONTAINER = "olam-postgres";
 var DEFAULT_SINGLETON_USER = "development";
 function assertValidSeedName(name) {
@@ -30788,7 +30806,7 @@ function assertValidSeedName(name) {
   }
 }
 function singletonDocker(container, user, args, stdin) {
-  return spawnSync21(
+  return spawnSync20(
     "docker",
     ["exec", "-i", container, "psql", "-U", user, ...args],
     { encoding: "utf-8", input: stdin }
@@ -30843,7 +30861,7 @@ async function handleBake(opts) {
   if (sources.length > 1) {
     throw new Error("multiple sources specified \u2014 pass exactly one of --source-container, --source-url, --source-local");
   }
-  const ping = spawnSync21("docker", ["inspect", "--format", "{{.State.Status}}", singleton], { encoding: "utf-8" });
+  const ping = spawnSync20("docker", ["inspect", "--format", "{{.State.Status}}", singleton], { encoding: "utf-8" });
   if (ping.status !== 0 || (ping.stdout || "").trim() !== "running") {
     throw new Error(`singleton container "${singleton}" not running \u2014 run \`olam bootstrap\` first`);
   }
@@ -31025,13 +31043,13 @@ init_context();
 init_output();
 import { spawnSync as defaultSpawnSync } from "node:child_process";
 import * as fs54 from "node:fs";
-import * as os30 from "node:os";
+import * as os31 from "node:os";
 import * as path58 from "node:path";
 function devboxContainerName(worldId) {
   return `olam-${worldId}-devbox`;
 }
 function olamHomeDir() {
-  return process.env["OLAM_HOME"] ?? path58.join(os30.homedir(), ".olam");
+  return process.env["OLAM_HOME"] ?? path58.join(os31.homedir(), ".olam");
 }
 function defaultRestartContainer(name, spawn11 = defaultSpawnSync) {
   const r = spawn11("docker", ["restart", "--time", "30", name], {