@pleri/olam-cli 0.1.145 → 0.1.147

package/host-cp/k8s/manifests/00-namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: olam
+  labels:
+    name: olam
+    olam.io/component: host-stack

package/host-cp/k8s/manifests/10-serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: olam-host-cp
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack

package/host-cp/k8s/manifests/20-rbac.yaml

@@ -0,0 +1,34 @@
+# Phase 1b Decision 19: Role scoped to resourceNames: ["olam-host-cp"] on
+# apps/v1 deployments. Without this scope, the in-cluster ServiceAccount
+# could patch ANY Deployment in the namespace. This is the load-bearing
+# security guardrail — preserve verbatim.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: olam-host-cp
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    resourceNames: ["olam-host-cp"]
+    verbs: ["get", "patch", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: olam-host-cp
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+subjects:
+  - kind: ServiceAccount
+    name: olam-host-cp
+    namespace: olam
+roleRef:
+  kind: Role
+  name: olam-host-cp
+  apiGroup: rbac.authorization.k8s.io

package/host-cp/k8s/manifests/30-configmap.yaml

@@ -0,0 +1,30 @@
+# ConfigMap for olam-host-cp environment. Sensitive values (OLAM_AUTH_SECRET,
+# GH_TOKEN) are NOT here — they live in the Secret (see templates/40-secret-template.yaml).
+# Operators apply the Secret separately before applying the manifests.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-host-cp-env
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+data:
+  # Auth service URL. Default targets host.docker.internal for Colima/Docker
+  # Desktop k3d setups. Override when auth-service runs elsewhere (e.g. via
+  # an ExternalName Service pointing at the host gateway).
+  OLAM_AUTH_SERVICE_URL: "http://host.docker.internal:8000"
+  # Docker socket proxy — ClusterIP Service DNS inside the namespace.
+  DOCKER_HOST: "tcp://docker-socket-proxy:2375"
+  # Host-cp server port — must match the Service targetPort in 60-service.yaml.
+  OLAM_HOST_CP_PORT: "19000"
+  # Operator state paths (resolved inside the K3s node via hostPath volumes).
+  OLAM_HOST_CP_TOKEN_PATH: "/data/host-cp.token"
+  OLAM_WORKSPACES_DIR: "/data/workspaces"
+  OLAM_WORLDS_DB: "/data/worlds.db"
+  OLAM_PLAN_DB_PATH: "/data/plan.db"
+  OLAM_PLAN_DIR: "/data/plan"
+  # Tunable defaults.
+  OLAM_SECRET_CACHE_TTL_SEC: "300"
+  OLAM_PR_POLL_INTERVAL_MS: "300000"
+  OLAM_MERGE_GRACE_MS: "600000"

package/host-cp/k8s/manifests/45-pvc.yaml

@@ -0,0 +1,27 @@
+# PersistentVolumeClaim for olam-host-cp /data volume.
+#
+# Why PVC instead of hostPath:
+#   hostPath volumes on k3d nodes resolve to paths INSIDE the k3d node
+#   container — not the operator's host filesystem. A bare k3d cluster has
+#   an empty node filesystem, so a hostPath at /host/.olam is always empty.
+#   Additionally, fsGroup does NOT relabel hostPath volumes (only PVCs /
+#   emptyDir / projected volumes), so UID-1000 pods cannot write to
+#   root-owned hostPath mounts even when fsGroup: 1000 is set.
+#
+# local-path StorageClass ships with k3d by default (rancher/local-path-provisioner).
+# On non-k3d clusters, substitute with the appropriate StorageClass name.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: olam-host-cp-data
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 5Gi

package/host-cp/k8s/manifests/50-deployment.yaml

@@ -0,0 +1,148 @@
+# Deployment for olam-host-cp.
+#
+# Image: pinned to sha256 digest (not :latest or named tag) per T4 threat model.
+# Digest resolves to ghcr.io/pleri/olam-host-cp:0.1.143 (multi-arch index).
+# To update: resolve the new tag's digest via:
+#   TOKEN=$(curl -s "https://ghcr.io/token?scope=repository:pleri/olam-host-cp:pull&service=ghcr.io" | jq -r .token)
+#   curl -sI -H "Authorization: Bearer $TOKEN" \
+#     -H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.list.v2+json" \
+#     https://ghcr.io/v2/pleri/olam-host-cp/manifests/<tag> | grep docker-content-digest
+#
+# securityContext: conservative defaults per T6/T7 threat model.
+# Operators who need to relax these (e.g. for debugging) must pass
+# --accept-security-regression (Phase C, Decision D14) — out of scope here.
+#
+# Volume requirements for k3d:
+#   olam-home (/data): backed by a PersistentVolumeClaim (45-pvc.yaml).
+#     An init container (chown-data) runs `chown -R 1000:1000 /data` as root
+#     before the main container starts, granting UID-1000 write access on the
+#     freshly-provisioned PV. fsGroup alone is insufficient for hostPath volumes.
+#
+#   gh-config (/gh-config) and operator-repo (/operator-repo) remain hostPath
+#   volumes that resolve to paths inside the k3d node container.
+#   OPERATORS MUST pass these volume mounts when creating the k3d cluster:
+#
+#     k3d cluster create olam-host \
+#       --volume ~/.config/gh:/host/.config/gh \
+#       --volume <olam-repo-root>:/host/olam \
+#       --wait --timeout 90s
+#
+#   Without these flags the gh-config and operator-repo mounts will be empty
+#   (the paths exist inside the node container but contain no data from the
+#   operator's host). The pod will still start — features that depend on GitHub
+#   auth or the operator repo will fail gracefully. The Phase D install guide
+#   surfaces this requirement prominently.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: olam-host-cp
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: olam-host-cp
+  template:
+    metadata:
+      labels:
+        app: olam-host-cp
+    spec:
+      serviceAccountName: olam-host-cp
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+        - name: chown-data
+          # busybox:1.36 — sha256-pinned per T4 threat model.
+          # To update: docker pull busybox:1.36 && docker inspect busybox:1.36 --format '{{index .RepoDigests 0}}'
+          image: busybox@sha256:73aaf090f3d85aa34ee199857f03fa3a95c8ede2ffd4cc2cdb5b94e566b11662
+          imagePullPolicy: IfNotPresent
+          # Run as root to chown the freshly-provisioned PV to UID 1000.
+          # The pod-level runAsNonRoot: true is overridden here deliberately.
+          # The main container still runs as UID 1000 with all security defaults intact.
+          securityContext:
+            runAsUser: 0
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+          command: ["chown", "-R", "1000:1000", "/data"]
+          volumeMounts:
+            - name: olam-home
+              mountPath: /data
+      containers:
+        - name: olam-host-cp
+          image: ghcr.io/pleri/olam-host-cp@sha256:513b16e1c36c96f4a03b431445da45cabf83c85b5761d1c93fab684a13c7354b
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - name: http
+              containerPort: 19000
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: olam-host-cp-env
+            - secretRef:
+                name: olam-host-cp-secret
+          volumeMounts:
+            - name: olam-home
+              mountPath: /data
+            - name: gh-config
+              mountPath: /gh-config
+              readOnly: true
+            - name: operator-repo
+              mountPath: /operator-repo
+              readOnly: true
+            - name: tmp
+              mountPath: /tmp
+          readinessProbe:
+            httpGet:
+              path: /api/version/status
+              port: 19000
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /api/version/status
+              port: 19000
+            initialDelaySeconds: 30
+            periodSeconds: 20
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "256Mi"
+            limits:
+              cpu: "1000m"
+              memory: "1Gi"
+      volumes:
+        - name: olam-home
+          persistentVolumeClaim:
+            claimName: olam-host-cp-data
+        - name: gh-config
+          hostPath:
+            path: /host/.config/gh
+            type: DirectoryOrCreate
+        - name: operator-repo
+          hostPath:
+            path: /host/olam
+            type: DirectoryOrCreate
+        - name: tmp
+          emptyDir: {}

package/host-cp/k8s/manifests/60-service.yaml

@@ -0,0 +1,22 @@
+# ClusterIP Service for olam-host-cp.
+# Operator surfaces the SPA externally via:
+#   kubectl port-forward -n olam svc/olam-host-cp 19000:19000
+# This keeps the "127.0.0.1-only" single-user-per-host invariant
+# (NodePort would bind on all interfaces; port-forward keeps it local).
+apiVersion: v1
+kind: Service
+metadata:
+  name: olam-host-cp
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+spec:
+  type: ClusterIP
+  selector:
+    app: olam-host-cp
+  ports:
+    - name: http
+      port: 19000
+      targetPort: 19000
+      protocol: TCP

package/host-cp/k8s/templates/40-secret-template.yaml

@@ -0,0 +1,32 @@
+# Secret TEMPLATE for olam-host-cp.
+#
+# This file is a TEMPLATE — it MUST NOT be applied directly without substituting
+# the placeholder values. The placeholders are intentionally invalid; a raw
+# `kubectl apply` will result in auth-service 401s rather than silently shipping
+# fake credentials.
+#
+# Preferred substitution (keeps secrets out of git):
+#   kubectl create secret generic olam-host-cp-secret -n olam \
+#     --from-literal=OLAM_AUTH_SECRET=$(cat ~/.olam/auth-secret) \
+#     --from-literal=GH_TOKEN=$(gh auth token) \
+#     --dry-run=client -o yaml | kubectl apply -f -
+#
+# This template lives in packages/host-cp/k8s/templates/ (NOT manifests/)
+# so that `kubectl apply -f manifests/` does NOT apply it — operators must
+# explicitly handle Secret provisioning before applying the manifests.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: olam-host-cp-secret
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+type: Opaque
+stringData:
+  # Shared bearer secret between host-cp and the long-lived olam-auth process.
+  # Source: cat ~/.olam/auth-secret
+  OLAM_AUTH_SECRET: "REPLACE_ME_FROM_HOME_DOTOLAM_AUTH_SECRET"
+  # GitHub token for GHCR image pulls and the /api/prs endpoint.
+  # Source: gh auth token
+  GH_TOKEN: "REPLACE_ME_FROM_GH_AUTH_TOKEN"

package/host-cp/src/plan-chat-service.mjs

@@ -80,19 +80,38 @@ const SCOPED_QUERY_PARAMS = new Set(['world_id', 'session_id', 'where']);
  * resolution is wired here. Remove the throw when this function actually
  * inspects the bearer.
  */
-function principalFromBearer(bearer) {
+/**
+ * G1-demo lift (2026-05-16): trust the client-supplied `actor_type` when
+ * present. The original A2 design hardcoded ('agent','agent') with T3
+ * mitigation explicitly requiring server-injection — but that collapsed
+ * the operator + driver + codex roles into one and broke the driver
+ * pickup loop (which filters on `actor_type === 'operator'`).
+ *
+ * Single-operator local mode has no multi-tenant threat, so trusting the
+ * client field is safe pragmatic. The original silent-collapse safeguard
+ * for OLAM_PLAN_CHAT_SECRETS stays — multi-secret mode still needs A4
+ * proper bearer→principal resolution before it can land.
+ */
+function principalFromBearer(bearer, body) {
   if (process.env.OLAM_PLAN_CHAT_SECRETS) {
-    // Multi-secret mode reserved for A4 / A6.1; minimal A2 doesn't support it.
     throw new Error(
       'plan-chat-service: OLAM_PLAN_CHAT_SECRETS is set but principalFromBearer ' +
-        "still hardcodes ('agent','agent'). Wire multi-principal resolution before " +
-        'enabling multi-secret mode (see plan A4 / A6.1).',
+        "still trusts client-supplied actor_type. Wire bearer→principal " +
+        'resolution before enabling multi-secret mode (see plan A4 / A6.1).',
     );
   }
   if (typeof bearer !== 'string' || bearer.length === 0) {
     throw new Error('plan-chat-service: principalFromBearer called with empty bearer');
   }
-  return { actorId: 'agent', actorType: 'agent' };
+  // Trust client field if supplied (SPA sends 'operator'; SDK adapter omits
+  // and inherits 'agent' default; codex-runner sends 'codex').
+  const claimed = body && typeof body.actor_type === 'string' && body.actor_type.length > 0
+    ? body.actor_type
+    : 'agent';
+  const claimedId = body && typeof body.actor_id === 'string' && body.actor_id.length > 0
+    ? body.actor_id
+    : claimed;
+  return { actorId: claimedId, actorType: claimed };
 }
 
 function readJson(req, limit = 65536) {
@@ -182,7 +201,7 @@ export function createHandler({ pool, bearer, electricUrl }) {
     }
     const invalid = validateChunkInput(body);
     if (invalid) return badRequest(res, invalid);
-    const principal = principalFromBearer(bearer);
+    const principal = principalFromBearer(bearer, body);
     try {
       await pool.query(
         `INSERT INTO chunks
@@ -251,9 +270,14 @@ export function createHandler({ pool, bearer, electricUrl }) {
     }
     // PB2 — server-derived `where` clause; safe because SCOPE_ID_RE has
     // already rejected single-quotes, semicolons, and SQL meta-characters.
+    //
+    // Predicate order: session_id FIRST. Electric SQL caches shapes by the
+    // exact predicate string; flipping the original (world_id, session_id)
+    // order forces a fresh shape and avoids a known cache-staleness bug
+    // where an empty-result shape persists after new rows land.
     upstream.searchParams.set(
       'where',
-      `world_id='${worldId}' AND session_id='${sessionId}'`,
+      `session_id='${sessionId}' AND world_id='${worldId}'`,
     );
 
     let upstreamRes;

package/host-cp/src/server.mjs

@@ -2534,8 +2534,8 @@ const DIST_DIR = (() => {
   return '/app/dist'; // fallback; readFile will surface ENOENT
 })();
 
-const SPA_ROUTES = new Set(['/', '/worlds', '/workspaces', '/inbox', '/repos', '/runbooks']);
-const SPA_PREFIX = ['/world/', '/worlds/', '/workspaces/', '/inbox/', '/repos/', '/runbooks/', '/session/'];
+const SPA_ROUTES = new Set(['/', '/worlds', '/workspaces', '/inbox', '/repos', '/runbooks', '/plan']);
+const SPA_PREFIX = ['/world/', '/worlds/', '/workspaces/', '/inbox/', '/repos/', '/runbooks/', '/session/', '/plan/'];
 
 // Top-level path segments that are NOT world IDs. Mirrors RESERVED_SEGMENTS
 // in lib/worldId.ts — keep in sync.
@@ -2675,7 +2675,7 @@ async function tryServeStatic(req, res, pathname) {
 // memory thereafter. Cache invalidates on dist/ mtime change so a
 // rebuilt bundle is picked up without restart.
 let _spaCache = null;
-let _spaCacheMtime = 0;
+let _spaCacheKey = '';
 
 /**
  * Bootstrap script injected into the SPA shell. Two responsibilities:
@@ -2755,9 +2755,32 @@ let _spaCacheMtime = 0;
 //       failures — don't cause a refresh loop).
 const BOOTSTRAP_SCRIPT = `<script>(function(){function ck(){var m=document.cookie.match(/olam_host_cp_token=([^;]+)/);return m?m[1]:'';}function sw(t){document.cookie='olam_host_cp_token='+t+'; path=/; samesite=strict';}try{var x=new XMLHttpRequest();x.open('GET','/api/bootstrap',false);x.send();if(x.status===200){var d=JSON.parse(x.responseText);sw(d.token);}}catch(e){console.error('[host-cp bootstrap]',e);}var reloading=false;function recover(){if(reloading)return;try{var x=new XMLHttpRequest();x.open('GET','/api/bootstrap',false);x.send();if(x.status===200){var d=JSON.parse(x.responseText);if(d.token&&ck()!==d.token){reloading=true;sw(d.token);console.warn('[host-cp auth recover] token rotated; reloading');location.reload();}}}catch(e){console.error('[host-cp auth recover]',e);}}var HN=['/api/bootstrap','/api/worlds','/api/projects','/api/workspaces','/api/workspaces/match','/api/repos','/api/runbooks','/api/auth','/api/host-stream','/api/plan-chat','/api/plan/agent-runtime','/health'];var WP=['/api/','/session/','/hooks/','/dispatch','/lanes','/codex/','/review/'];function sr(p){if(typeof p!=='string')return false;if(p.startsWith('/api/world/'))return false;for(var i=0;i<HN.length;i++){var n=HN[i];if(p===n||p.startsWith(n+'?')||p.startsWith(n+'/'))return false;}for(var j=0;j<WP.length;j++){var w=WP[j];if(p===w||p===w.replace(/\\/$/,'')||p.startsWith(w)||p.startsWith(w.replace(/\\/$/,'')+'?')||p.startsWith(w.replace(/\\/$/,'')+'/'))return true;}return false;}function wid(){var p=location.pathname;var m=p.match(/^\\/(world|inbox|session)\\/([^/?#]+)/);if(m)return m[2];if(/^\\/(?:worlds?|workspaces?|world|sandbox|session|inbox|plan|design|repos|runbooks|assets|api|health|favicon)($|\\/|\\?)/.test(p))return null;var r=p.match(/^\\/([a-z][a-z0-9-]+)(?:\\/|$|\\?)/);return r?r[1]:null;}function rw(p){var w=wid();return w?'/api/world/'+w+p:p;}var of=window.fetch.bind(window);window.fetch=function(input,init){var pr;if(typeof input==='string'&&sr(input))pr=of(rw(input),init);else if(input&&typeof input.url==='string'&&sr(input.url))pr=of(new Request(rw(input.url),input),init);else pr=of(input,init);return pr.then(function(res){if(res&&res.status===401)recover();return res;});};var OE=window.EventSource;if(OE){window.EventSource=function(u,i){var s=u;if(typeof s==='string'&&sr(s))s=rw(s);var es=new OE(s,i);es.addEventListener('error',function(){if(es.readyState===OE.CLOSED)recover();});return es;};window.EventSource.prototype=OE.prototype;window.EventSource.CONNECTING=OE.CONNECTING;window.EventSource.OPEN=OE.OPEN;window.EventSource.CLOSED=OE.CLOSED;}})();</script>`;
 
+/**
+ * Build the plan-chat bearer injection script. Reads
+ * ~/.olam/plan-chat-secret on every shell render (cheap; tiny file)
+ * so secret rotation propagates without restart. Missing secret →
+ * no injection; PlanChatRoute falls back to the URL-hash channel.
+ *
+ * Operator-local single-user mode only. Multi-tenant deploys will
+ * replace this with one of the 3 candidates in chunks-collection.ts.
+ */
+function buildPlanChatBearerInjection() {
+  try {
+    const bearer = readPlanChatSecret();
+    if (!bearer) return '';
+    // JSON.stringify escapes for safe embedding inside the <script>.
+    return `<script>window.__OLAM_PLAN_CHAT_BEARER__=${JSON.stringify(bearer)};</script>`;
+  } catch {
+    return '';
+  }
+}
+
 async function renderSpaShell(filePath) {
   const stat = fs.statSync(filePath);
-  if (_spaCache !== null && stat.mtimeMs === _spaCacheMtime) {
+  const bearerInjection = buildPlanChatBearerInjection();
+  // Cache key must include the bearer so rotation invalidates correctly.
+  const cacheKey = stat.mtimeMs + ':' + bearerInjection.length;
+  if (_spaCache !== null && _spaCacheKey === cacheKey) {
     return _spaCache;
   }
   let html = fs.readFileSync(filePath, 'utf-8');
@@ -2768,10 +2791,12 @@ async function renderSpaShell(filePath) {
   // (/, /worlds, /workspaces, /world/<id>) reference the same bundle.
   html = html.replace(/(href|src)="\.\/assets\//g, '$1="/assets/');
   // Inject right after <head> so the bootstrap runs before any other
-  // script tag on the page.
-  html = html.replace(/<head>/i, `<head>\n    ${BOOTSTRAP_SCRIPT}`);
+  // script tag on the page. Bearer injection runs after the host-cp
+  // bootstrap so window.__OLAM_PLAN_CHAT_BEARER__ is set before the
+  // SPA bundle reads it.
+  html = html.replace(/<head>/i, `<head>\n    ${BOOTSTRAP_SCRIPT}\n    ${bearerInjection}`);
   _spaCache = html;
-  _spaCacheMtime = stat.mtimeMs;
+  _spaCacheKey = cacheKey;
   return html;
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pleri/olam-cli",
-  "version": "0.1.145",
+  "version": "0.1.147",
   "type": "module",
   "bin": {
     "olam": "./bin/olam.cjs"
@@ -31,7 +31,8 @@
     "test": "vitest run --passWithNoTests",
     "test:ci": "vitest run --reporter=basic --passWithNoTests",
     "test:docker": "vitest run --config vitest.config.docker.ts",
-    "audit:publish-deps": "node scripts/audit-publish-deps.mjs"
+    "audit:publish-deps": "node scripts/audit-publish-deps.mjs",
+    "audit:cli-bundle-k8s": "node scripts/audit-cli-bundle-k8s.mjs"
   },
   "dependencies": {
     "better-sqlite3": "^12.0.0",