@pleri/olam-cli 0.1.144 → 0.1.146

package/host-cp/k8s/manifests/00-namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: olam
+  labels:
+    name: olam
+    olam.io/component: host-stack

package/host-cp/k8s/manifests/10-serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: olam-host-cp
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack

package/host-cp/k8s/manifests/20-rbac.yaml

@@ -0,0 +1,34 @@
+# Phase 1b Decision 19: Role scoped to resourceNames: ["olam-host-cp"] on
+# apps/v1 deployments. Without this scope, the in-cluster ServiceAccount
+# could patch ANY Deployment in the namespace. This is the load-bearing
+# security guardrail — preserve verbatim.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: olam-host-cp
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    resourceNames: ["olam-host-cp"]
+    verbs: ["get", "patch", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: olam-host-cp
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+subjects:
+  - kind: ServiceAccount
+    name: olam-host-cp
+    namespace: olam
+roleRef:
+  kind: Role
+  name: olam-host-cp
+  apiGroup: rbac.authorization.k8s.io

package/host-cp/k8s/manifests/30-configmap.yaml

@@ -0,0 +1,30 @@
+# ConfigMap for olam-host-cp environment. Sensitive values (OLAM_AUTH_SECRET,
+# GH_TOKEN) are NOT here — they live in the Secret (see templates/40-secret-template.yaml).
+# Operators apply the Secret separately before applying the manifests.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-host-cp-env
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+data:
+  # Auth service URL. Default targets host.docker.internal for Colima/Docker
+  # Desktop k3d setups. Override when auth-service runs elsewhere (e.g. via
+  # an ExternalName Service pointing at the host gateway).
+  OLAM_AUTH_SERVICE_URL: "http://host.docker.internal:8000"
+  # Docker socket proxy — ClusterIP Service DNS inside the namespace.
+  DOCKER_HOST: "tcp://docker-socket-proxy:2375"
+  # Host-cp server port — must match the Service targetPort in 60-service.yaml.
+  OLAM_HOST_CP_PORT: "19000"
+  # Operator state paths (resolved inside the K3s node via hostPath volumes).
+  OLAM_HOST_CP_TOKEN_PATH: "/data/host-cp.token"
+  OLAM_WORKSPACES_DIR: "/data/workspaces"
+  OLAM_WORLDS_DB: "/data/worlds.db"
+  OLAM_PLAN_DB_PATH: "/data/plan.db"
+  OLAM_PLAN_DIR: "/data/plan"
+  # Tunable defaults.
+  OLAM_SECRET_CACHE_TTL_SEC: "300"
+  OLAM_PR_POLL_INTERVAL_MS: "300000"
+  OLAM_MERGE_GRACE_MS: "600000"

package/host-cp/k8s/manifests/45-pvc.yaml

@@ -0,0 +1,27 @@
+# PersistentVolumeClaim for olam-host-cp /data volume.
+#
+# Why PVC instead of hostPath:
+#   hostPath volumes on k3d nodes resolve to paths INSIDE the k3d node
+#   container — not the operator's host filesystem. A bare k3d cluster has
+#   an empty node filesystem, so a hostPath at /host/.olam is always empty.
+#   Additionally, fsGroup does NOT relabel hostPath volumes (only PVCs /
+#   emptyDir / projected volumes), so UID-1000 pods cannot write to
+#   root-owned hostPath mounts even when fsGroup: 1000 is set.
+#
+# local-path StorageClass ships with k3d by default (rancher/local-path-provisioner).
+# On non-k3d clusters, substitute with the appropriate StorageClass name.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: olam-host-cp-data
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 5Gi

package/host-cp/k8s/manifests/50-deployment.yaml

@@ -0,0 +1,148 @@
+# Deployment for olam-host-cp.
+#
+# Image: pinned to sha256 digest (not :latest or named tag) per T4 threat model.
+# Digest resolves to ghcr.io/pleri/olam-host-cp:0.1.143 (multi-arch index).
+# To update: resolve the new tag's digest via:
+#   TOKEN=$(curl -s "https://ghcr.io/token?scope=repository:pleri/olam-host-cp:pull&service=ghcr.io" | jq -r .token)
+#   curl -sI -H "Authorization: Bearer $TOKEN" \
+#     -H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.list.v2+json" \
+#     https://ghcr.io/v2/pleri/olam-host-cp/manifests/<tag> | grep docker-content-digest
+#
+# securityContext: conservative defaults per T6/T7 threat model.
+# Operators who need to relax these (e.g. for debugging) must pass
+# --accept-security-regression (Phase C, Decision D14) — out of scope here.
+#
+# Volume requirements for k3d:
+#   olam-home (/data): backed by a PersistentVolumeClaim (45-pvc.yaml).
+#     An init container (chown-data) runs `chown -R 1000:1000 /data` as root
+#     before the main container starts, granting UID-1000 write access on the
+#     freshly-provisioned PV. fsGroup alone is insufficient for hostPath volumes.
+#
+#   gh-config (/gh-config) and operator-repo (/operator-repo) remain hostPath
+#   volumes that resolve to paths inside the k3d node container.
+#   OPERATORS MUST pass these volume mounts when creating the k3d cluster:
+#
+#     k3d cluster create olam-host \
+#       --volume ~/.config/gh:/host/.config/gh \
+#       --volume <olam-repo-root>:/host/olam \
+#       --wait --timeout 90s
+#
+#   Without these flags the gh-config and operator-repo mounts will be empty
+#   (the paths exist inside the node container but contain no data from the
+#   operator's host). The pod will still start — features that depend on GitHub
+#   auth or the operator repo will fail gracefully. The Phase D install guide
+#   surfaces this requirement prominently.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: olam-host-cp
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: olam-host-cp
+  template:
+    metadata:
+      labels:
+        app: olam-host-cp
+    spec:
+      serviceAccountName: olam-host-cp
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+        - name: chown-data
+          # busybox:1.36 — sha256-pinned per T4 threat model.
+          # To update: docker pull busybox:1.36 && docker inspect busybox:1.36 --format '{{index .RepoDigests 0}}'
+          image: busybox@sha256:73aaf090f3d85aa34ee199857f03fa3a95c8ede2ffd4cc2cdb5b94e566b11662
+          imagePullPolicy: IfNotPresent
+          # Run as root to chown the freshly-provisioned PV to UID 1000.
+          # The pod-level runAsNonRoot: true is overridden here deliberately.
+          # The main container still runs as UID 1000 with all security defaults intact.
+          securityContext:
+            runAsUser: 0
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+          command: ["chown", "-R", "1000:1000", "/data"]
+          volumeMounts:
+            - name: olam-home
+              mountPath: /data
+      containers:
+        - name: olam-host-cp
+          image: ghcr.io/pleri/olam-host-cp@sha256:513b16e1c36c96f4a03b431445da45cabf83c85b5761d1c93fab684a13c7354b
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - name: http
+              containerPort: 19000
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: olam-host-cp-env
+            - secretRef:
+                name: olam-host-cp-secret
+          volumeMounts:
+            - name: olam-home
+              mountPath: /data
+            - name: gh-config
+              mountPath: /gh-config
+              readOnly: true
+            - name: operator-repo
+              mountPath: /operator-repo
+              readOnly: true
+            - name: tmp
+              mountPath: /tmp
+          readinessProbe:
+            httpGet:
+              path: /api/version/status
+              port: 19000
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /api/version/status
+              port: 19000
+            initialDelaySeconds: 30
+            periodSeconds: 20
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "256Mi"
+            limits:
+              cpu: "1000m"
+              memory: "1Gi"
+      volumes:
+        - name: olam-home
+          persistentVolumeClaim:
+            claimName: olam-host-cp-data
+        - name: gh-config
+          hostPath:
+            path: /host/.config/gh
+            type: DirectoryOrCreate
+        - name: operator-repo
+          hostPath:
+            path: /host/olam
+            type: DirectoryOrCreate
+        - name: tmp
+          emptyDir: {}

package/host-cp/k8s/manifests/60-service.yaml

@@ -0,0 +1,22 @@
+# ClusterIP Service for olam-host-cp.
+# Operator surfaces the SPA externally via:
+#   kubectl port-forward -n olam svc/olam-host-cp 19000:19000
+# This keeps the "127.0.0.1-only" single-user-per-host invariant
+# (NodePort would bind on all interfaces; port-forward keeps it local).
+apiVersion: v1
+kind: Service
+metadata:
+  name: olam-host-cp
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+spec:
+  type: ClusterIP
+  selector:
+    app: olam-host-cp
+  ports:
+    - name: http
+      port: 19000
+      targetPort: 19000
+      protocol: TCP

package/host-cp/k8s/templates/40-secret-template.yaml

@@ -0,0 +1,32 @@
+# Secret TEMPLATE for olam-host-cp.
+#
+# This file is a TEMPLATE — it MUST NOT be applied directly without substituting
+# the placeholder values. The placeholders are intentionally invalid; a raw
+# `kubectl apply` will result in auth-service 401s rather than silently shipping
+# fake credentials.
+#
+# Preferred substitution (keeps secrets out of git):
+#   kubectl create secret generic olam-host-cp-secret -n olam \
+#     --from-literal=OLAM_AUTH_SECRET=$(cat ~/.olam/auth-secret) \
+#     --from-literal=GH_TOKEN=$(gh auth token) \
+#     --dry-run=client -o yaml | kubectl apply -f -
+#
+# This template lives in packages/host-cp/k8s/templates/ (NOT manifests/)
+# so that `kubectl apply -f manifests/` does NOT apply it — operators must
+# explicitly handle Secret provisioning before applying the manifests.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: olam-host-cp-secret
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+type: Opaque
+stringData:
+  # Shared bearer secret between host-cp and the long-lived olam-auth process.
+  # Source: cat ~/.olam/auth-secret
+  OLAM_AUTH_SECRET: "REPLACE_ME_FROM_HOME_DOTOLAM_AUTH_SECRET"
+  # GitHub token for GHCR image pulls and the /api/prs endpoint.
+  # Source: gh auth token
+  GH_TOKEN: "REPLACE_ME_FROM_GH_AUTH_TOKEN"

package/host-cp/src/agent-runtime-trigger.mjs

@@ -165,11 +165,81 @@ export async function triggerAgentRuntime(args) {
     };
   }
 
-  // Container mode (docker-socket-proxy): POST /containers/<name>/exec then
-  // /exec/<id>/start with Detach:true. Deferred to B7-full — the bare-node
-  // mode covers the local-demo flow.
+  // Container mode (docker-socket-proxy on tcp://<host>:<port>).
+  // Two-step Docker API exec: POST /containers/<name>/exec creates an
+  // exec instance, then POST /exec/<id>/start with Detach=true runs it
+  // in the background. Matches the pattern in container-secret-fetcher.mjs.
+  if (dockerHost.startsWith('tcp://')) {
+    const apiBase = dockerHost.replace(/^tcp:\/\//, 'http://');
+
+    // Step 0: verify the container is running.
+    const inspectRes = await fetch(
+      `${apiBase}/containers/${encodeURIComponent(containerName)}/json`,
+    );
+    if (!inspectRes.ok) {
+      throw new Error(
+        `socket-proxy GET /containers/${containerName}/json: ${inspectRes.status} ${inspectRes.statusText}`,
+      );
+    }
+    const inspect = await inspectRes.json();
+    if (!inspect?.State?.Running) {
+      throw new Error(
+        `container ${containerName} is not running (state: ${JSON.stringify(inspect?.State)})`,
+      );
+    }
+
+    // Step 1: create exec instance with env injection.
+    const createRes = await fetch(
+      `${apiBase}/containers/${encodeURIComponent(containerName)}/exec`,
+      {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          Cmd: ['node', supervisorPath],
+          Env: [
+            `HOST_CP_URL=${hostCpUrl}`,
+            `HOST_CP_BEARER=${bearer}`,
+            `WORLD_ID=${worldId}`,
+            `SESSION_ID=${sessionId}`,
+          ],
+          AttachStdout: false,
+          AttachStderr: false,
+          Tty: false,
+        }),
+      },
+    );
+    if (!createRes.ok) {
+      const errBody = await createRes.text().catch(() => '<no body>');
+      throw new Error(
+        `socket-proxy POST /containers/${containerName}/exec: ${createRes.status} — ${errBody}`,
+      );
+    }
+    const { Id: execId } = await createRes.json();
+
+    // Step 2: start exec in detached mode.
+    const startRes = await fetch(`${apiBase}/exec/${execId}/start`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ Detach: true, Tty: false }),
+    });
+    if (!startRes.ok && startRes.status !== 200) {
+      const errBody = await startRes.text().catch(() => '<no body>');
+      throw new Error(
+        `socket-proxy POST /exec/${execId}/start: ${startRes.status} — ${errBody}`,
+      );
+    }
+
+    liveSpawns.set(k, { spawnedAt: Date.now(), execId });
+
+    return {
+      status: 'spawned',
+      container: containerName,
+      execId,
+    };
+  }
+
   throw new Error(
-    `triggerAgentRuntime: dockerHost mode '${dockerHost}' not supported in minimum-demo cut; use 'docker-cli'`,
+    `triggerAgentRuntime: unsupported dockerHost mode '${dockerHost}'`,
   );
 }
 

package/host-cp/src/engine-identity.mjs

@@ -0,0 +1,32 @@
+// Container-engine identity for host-cp.
+//
+// Phase 1a / A1: defaults to "docker"; switches to "kubernetes" when running
+// inside a K8s pod (autodetected via KUBERNETES_SERVICE_HOST). Operators can
+// override either way via OLAM_HOST_CP_ENGINE.
+//
+// This module exists separately from server.mjs to keep the engine-resolution
+// logic pure (no I/O, no mkdir, no global side-effects) so unit tests can
+// import it without triggering server startup. server.mjs imports
+// resolveHostCpEngine from here and computes its module-level HOST_CP_ENGINE
+// constant.
+//
+// KubernetesEngine adapter (Phase B / PR3) consumes the same env variables
+// when constructing the engine; the context-allowlist guard (T6 / Decision 10)
+// lives inside that adapter, not here. This module is "what name to surface
+// in the X-Olam-Engine response header" — nothing more.
+
+/**
+ * Resolve the active container-engine identity for host-cp.
+ *
+ * Precedence (matches HOST_CP_MODE convention at server.mjs:85-87):
+ *   1. Explicit env override: OLAM_HOST_CP_ENGINE=docker|kubernetes
+ *   2. Autodetect: KUBERNETES_SERVICE_HOST set → "kubernetes"
+ *   3. Default: "docker"
+ *
+ * @param {NodeJS.ProcessEnv} [env=process.env] - environment to inspect.
+ * @returns {string} - engine identity surfaced via X-Olam-Engine header.
+ */
+export function resolveHostCpEngine(env = process.env) {
+  return env.OLAM_HOST_CP_ENGINE
+    ?? (env.KUBERNETES_SERVICE_HOST ? 'kubernetes' : 'docker');
+}

package/host-cp/src/plan-chat-service.mjs

@@ -80,19 +80,38 @@ const SCOPED_QUERY_PARAMS = new Set(['world_id', 'session_id', 'where']);
  * resolution is wired here. Remove the throw when this function actually
  * inspects the bearer.
  */
-function principalFromBearer(bearer) {
+/**
+ * G1-demo lift (2026-05-16): trust the client-supplied `actor_type` when
+ * present. The original A2 design hardcoded ('agent','agent') with T3
+ * mitigation explicitly requiring server-injection — but that collapsed
+ * the operator + driver + codex roles into one and broke the driver
+ * pickup loop (which filters on `actor_type === 'operator'`).
+ *
+ * Single-operator local mode has no multi-tenant threat, so trusting the
+ * client field is safe pragmatic. The original silent-collapse safeguard
+ * for OLAM_PLAN_CHAT_SECRETS stays — multi-secret mode still needs A4
+ * proper bearer→principal resolution before it can land.
+ */
+function principalFromBearer(bearer, body) {
   if (process.env.OLAM_PLAN_CHAT_SECRETS) {
-    // Multi-secret mode reserved for A4 / A6.1; minimal A2 doesn't support it.
     throw new Error(
       'plan-chat-service: OLAM_PLAN_CHAT_SECRETS is set but principalFromBearer ' +
-        "still hardcodes ('agent','agent'). Wire multi-principal resolution before " +
-        'enabling multi-secret mode (see plan A4 / A6.1).',
+        "still trusts client-supplied actor_type. Wire bearer→principal " +
+        'resolution before enabling multi-secret mode (see plan A4 / A6.1).',
     );
   }
   if (typeof bearer !== 'string' || bearer.length === 0) {
     throw new Error('plan-chat-service: principalFromBearer called with empty bearer');
   }
-  return { actorId: 'agent', actorType: 'agent' };
+  // Trust client field if supplied (SPA sends 'operator'; SDK adapter omits
+  // and inherits 'agent' default; codex-runner sends 'codex').
+  const claimed = body && typeof body.actor_type === 'string' && body.actor_type.length > 0
+    ? body.actor_type
+    : 'agent';
+  const claimedId = body && typeof body.actor_id === 'string' && body.actor_id.length > 0
+    ? body.actor_id
+    : claimed;
+  return { actorId: claimedId, actorType: claimed };
 }
 
 function readJson(req, limit = 65536) {
@@ -182,7 +201,7 @@ export function createHandler({ pool, bearer, electricUrl }) {
     }
     const invalid = validateChunkInput(body);
     if (invalid) return badRequest(res, invalid);
-    const principal = principalFromBearer(bearer);
+    const principal = principalFromBearer(bearer, body);
     try {
       await pool.query(
         `INSERT INTO chunks
@@ -251,9 +270,14 @@ export function createHandler({ pool, bearer, electricUrl }) {
     }
     // PB2 — server-derived `where` clause; safe because SCOPE_ID_RE has
     // already rejected single-quotes, semicolons, and SQL meta-characters.
+    //
+    // Predicate order: session_id FIRST. Electric SQL caches shapes by the
+    // exact predicate string; flipping the original (world_id, session_id)
+    // order forces a fresh shape and avoids a known cache-staleness bug
+    // where an empty-result shape persists after new rows land.
     upstream.searchParams.set(
       'where',
-      `world_id='${worldId}' AND session_id='${sessionId}'`,
+      `session_id='${sessionId}' AND world_id='${worldId}'`,
     );
 
     let upstreamRes;