@pleri/olam-cli 0.1.147 → 0.1.148

package/host-cp/k8s/templates/auth-service-secret-template.yaml

@@ -0,0 +1,28 @@
+# Secret TEMPLATE for olam-auth-service.
+#
+# This file is a TEMPLATE — it MUST NOT be applied directly without substituting
+# the placeholder values. The placeholders are intentionally invalid; a raw
+# `kubectl apply` will result in auth failures rather than silently shipping
+# fake credentials.
+#
+# Preferred substitution (keeps secrets out of git):
+#   kubectl create secret generic olam-auth-service-secret -n olam \
+#     --from-literal=OLAM_AUTH_DB_SECRET=$(cat ~/.olam/auth-db-secret) \
+#     --dry-run=client -o yaml | kubectl apply -f -
+#
+# This template lives in packages/host-cp/k8s/templates/ (NOT manifests/)
+# so that `kubectl apply -f manifests/auth-service/` does NOT apply it —
+# operators must explicitly handle Secret provisioning before applying manifests.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: olam-auth-service-secret
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+type: Opaque
+stringData:
+  # Shared database encryption secret for the credential vault.
+  # Source: cat ~/.olam/auth-db-secret
+  OLAM_AUTH_DB_SECRET: "REPLACE_ME_FROM_HOME_DOTOLAM_AUTH_DB_SECRET"

package/host-cp/k8s/templates/kg-service-secret-template.yaml

@@ -0,0 +1,28 @@
+# Secret TEMPLATE for olam-kg-service.
+#
+# This file is a TEMPLATE — it MUST NOT be applied directly without substituting
+# the placeholder values. The placeholders are intentionally invalid; a raw
+# `kubectl apply` will result in auth failures rather than silently shipping
+# fake credentials.
+#
+# Preferred substitution (keeps secrets out of git):
+#   kubectl create secret generic olam-kg-service-secret -n olam \
+#     --from-literal=OLAM_KG_BEARER_TOKEN=$(cat ~/.olam/kg-bearer-token) \
+#     --dry-run=client -o yaml | kubectl apply -f -
+#
+# This template lives in packages/host-cp/k8s/templates/ (NOT manifests/)
+# so that `kubectl apply -f manifests/kg-service/` does NOT apply it —
+# operators must explicitly handle Secret provisioning before applying manifests.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: olam-kg-service-secret
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    olam.io/component: peripheral
+type: Opaque
+stringData:
+  # Bearer token for in-cluster KG query authentication.
+  # Source: cat ~/.olam/kg-bearer-token
+  OLAM_KG_BEARER_TOKEN: "REPLACE_ME_FROM_HOME_DOTOLAM_KG_BEARER_TOKEN"

package/host-cp/k8s/templates/mcp-auth-service-secret-template.yaml

@@ -0,0 +1,28 @@
+# Secret TEMPLATE for olam-mcp-auth-service.
+#
+# This file is a TEMPLATE — it MUST NOT be applied directly without substituting
+# the placeholder values. The placeholders are intentionally invalid; a raw
+# `kubectl apply` will result in auth failures rather than silently shipping
+# fake credentials.
+#
+# Preferred substitution (keeps secrets out of git):
+#   kubectl create secret generic olam-mcp-auth-service-secret -n olam \
+#     --from-literal=OLAM_MCP_AUTH_JWT_SECRET=$(cat ~/.olam/mcp-auth-jwt-secret) \
+#     --dry-run=client -o yaml | kubectl apply -f -
+#
+# This template lives in packages/host-cp/k8s/templates/ (NOT manifests/)
+# so that `kubectl apply -f manifests/mcp-auth-service/` does NOT apply it —
+# operators must explicitly handle Secret provisioning before applying manifests.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: olam-mcp-auth-service-secret
+  namespace: olam
+  labels:
+    app: olam-mcp-auth-service
+    olam.io/component: peripheral
+type: Opaque
+stringData:
+  # JWT signing secret for MCP client authentication.
+  # Source: cat ~/.olam/mcp-auth-jwt-secret
+  OLAM_MCP_AUTH_JWT_SECRET: "REPLACE_ME_FROM_HOME_DOTOLAM_MCP_AUTH_JWT_SECRET"

package/host-cp/k8s/templates/memory-service-secret-template.yaml

@@ -0,0 +1,29 @@
+# Secret TEMPLATE for olam-memory-service.
+#
+# This file is a TEMPLATE — it MUST NOT be applied directly without substituting
+# the placeholder values. The placeholders are intentionally invalid; a raw
+# `kubectl apply` will result in auth failures rather than silently shipping
+# fake credentials.
+#
+# Preferred substitution (keeps secrets out of git):
+#   kubectl create secret generic olam-memory-service-secret -n olam \
+#     --from-literal=OLAM_MEMORY_BEARER_SECRET=$(cat ~/.olam/memory-bearer-secret) \
+#     --dry-run=client -o yaml | kubectl apply -f -
+#
+# This template lives in packages/host-cp/k8s/templates/ (NOT manifests/)
+# so that `kubectl apply -f manifests/memory-service/` does NOT apply it —
+# operators must explicitly handle Secret provisioning before applying manifests.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: olam-memory-service-secret
+  namespace: olam
+  labels:
+    app: olam-memory-service
+    olam.io/component: peripheral
+type: Opaque
+stringData:
+  # Bearer secret for the memory-service HTTP API (matches OLAM_MEMORY_BEARER_SECRET
+  # used by host-cp and agents that call the memory endpoints).
+  # Source: cat ~/.olam/memory-bearer-secret
+  OLAM_MEMORY_BEARER_SECRET: "REPLACE_ME_FROM_HOME_DOTOLAM_MEMORY_BEARER_SECRET"

package/host-cp/src/plan-chat-service.mjs

@@ -22,7 +22,9 @@
 // Configuration is environment-driven so a single binary works in laptop
 // (the K3 container-spike), in a devbox container, and on a host-cp Mac:
 //
-//   OLAM_PLAN_CHAT_PORT          (default 3112)
+//   OLAM_PLAN_CHAT_PORT          (default 3200; moved off 3112 — see
+//                                 olam-chunks-subscriber-long-poll Phase A.
+//                                 agentmemory iii/node claim 3111-3113.)
 //   OLAM_PLAN_CHAT_DATABASE_URL  (default postgres://postgres:spike@localhost:54321/chunks)
 //   OLAM_PLAN_CHAT_ELECTRIC_URL  (default http://localhost:30001)
 //   OLAM_PLAN_CHAT_SECRET_PATH   (default ~/.olam/plan-chat-secret)
@@ -33,7 +35,7 @@ import { URL } from 'node:url';
 import pg from 'pg';
 import { ensureSecret, timingSafeEqual, SECRET_PATH } from './plan-chat-secret.mjs';
 
-const DEFAULT_PORT = 3112;
+const DEFAULT_PORT = 3200;
 const DEFAULT_DB_URL = 'postgres://postgres:spike@localhost:54321/chunks';
 const DEFAULT_ELECTRIC_URL = 'http://localhost:30001';
 
@@ -374,7 +376,24 @@ export async function startService(opts = {}) {
   });
 
   await new Promise((resolve, reject) => {
-    server.once('error', reject);
+    server.once('error', (err) => {
+      if (err && err.code === 'EADDRINUSE') {
+        // A3 — port-collision diagnostic. Prevents silent half-start when the
+        // target port is held by another process. agentmemory's `iii` has
+        // historically claimed 3111-3113 (motivated the 3112 → 3200 move in
+        // olam-chunks-subscriber-long-poll Phase A); flag it so the next
+        // collision is debuggable in one log line, not three rounds of grep.
+        // eslint-disable-next-line no-console
+        console.error(`[plan-chat-service] EADDRINUSE on :${port} — port already in use.`);
+        // eslint-disable-next-line no-console
+        console.error(`[plan-chat-service]   Check:  lsof -i:${port}`);
+        // eslint-disable-next-line no-console
+        console.error(`[plan-chat-service]   Note:   agentmemory's iii claims 3111-3113 (motivated 3112 → 3200 move).`);
+        // eslint-disable-next-line no-console
+        console.error(`[plan-chat-service]   Override: OLAM_PLAN_CHAT_PORT=<free-port>`);
+      }
+      reject(err);
+    });
     server.listen(port, () => resolve(undefined));
   });
 

package/host-cp/src/server.mjs

@@ -1921,7 +1921,7 @@ const server = http.createServer(async (req, res) => {
     // the host-cp service name. Default: host.docker.internal for the
     // operator-local demo flow.
     const hostCpUrlForContainer =
-      process.env.OLAM_AGENT_RUNTIME_HOST_CP_URL ?? 'http://host.docker.internal:3112';
+      process.env.OLAM_AGENT_RUNTIME_HOST_CP_URL ?? 'http://host.docker.internal:3200';
     try {
       const result = await triggerAgentRuntime({
         worldId: body.worldId,
@@ -1940,7 +1940,7 @@ const server = http.createServer(async (req, res) => {
   }
 
   // /api/plan-chat/* — passthrough proxy to plan-chat-service.
-  // The sidecar runs on PLAN_CHAT_SERVICE_URL (default http://127.0.0.1:3112).
+  // The sidecar runs on PLAN_CHAT_SERVICE_URL (default http://127.0.0.1:3200).
   // Strips the /api/plan-chat prefix; forwards method, headers, body, and
   // query verbatim. Streams the response (Electric SQL long-poll friendly).
   // Auth: client supplies Bearer; we don't add or strip it.
@@ -1950,8 +1950,8 @@ const server = http.createServer(async (req, res) => {
       // Default depends on where host-cp runs. In-container = host.docker.internal;
       // bare-node = 127.0.0.1. DOCKER_HOST=tcp://* implies container mode.
       ((process.env.DOCKER_HOST ?? '').startsWith('tcp://')
-        ? 'http://host.docker.internal:3112'
-        : 'http://127.0.0.1:3112');
+        ? 'http://host.docker.internal:3200'
+        : 'http://127.0.0.1:3200');
     const subPath = url.pathname === '/api/plan-chat'
       ? '/'
       : url.pathname.slice('/api/plan-chat'.length);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pleri/olam-cli",
-  "version": "0.1.147",
+  "version": "0.1.148",
   "type": "module",
   "bin": {
     "olam": "./bin/olam.cjs"