@pleri/olam-cli 0.1.147 → 0.1.150

package/dist/lib/upgrade-kubernetes.d.ts

@@ -4,43 +4,61 @@
  * Phase 1b C2 of olam-host-suite-phase-1b-k3s-beta-flavour (plan
  * ~/.claude/plans/olam-host-suite-phase-1b-k3s-beta-flavour.md).
  *
+ * Phase 2 Phase C extensions:
+ *   C1  — step 2.5: in-memory ConfigMap substitution for inter-peripheral K8s DNS URLs (D4)
+ *   C2  — step 2.6: per-peripheral Secret pre-check (iterates PERIPHERALS; D12 pattern)
+ *   C3  — step 2.7: CoreDNS warm-up wait + extend steps 3/4/5 to iterate peripherals
+ *
+ * Phase 2 Phase D extensions:
+ *   D5  — OLAM_PHASE_2_BETA guard removed; all peripherals deploy unconditionally (Phase 2 GA)
+ *
  * Decisions consumed:
+ *   D4  — K8s DNS URL form for inter-peripheral service URLs
  *   D10 — context-allowlist + OLAM_K8S_CONTEXT_ACK strict-equality check
  *   D12 — Secret pre-check (base64-decode + key-name + placeholder exact match)
  *   D14 — --force-refresh-manifests flag + --accept-security-regression guard
  *   D15 — kubectl rollout status --timeout=90s; state snapshot on failure
  *   D17 — port-forward spawn via flock (spawnPortForward from port-forward.ts)
  *   D22 — probeKubernetesApiReachable pre-flight via kubectl-wrap (5s timeout)
+ *   D27 — audit log entry (phase2.flag_removed) emitted per upgrade run
  *
- * Step order:
- *   0  probeKubernetesApiReachable — 5s timeout kubectl cluster-info
- *   1  D10 context-allowlist + OLAM_K8S_CONTEXT_ACK strict-equality byte-for-byte
- *   2  D12 Secret pre-check (olam-host-cp-secret; base64-decode; key-name check)
- *   3  kubectl apply --context <pinned> -f ~/.olam/k8s/manifests/
- *   4  D15 kubectl rollout status --context <pinned> --timeout=90s (95s wrap)
- *   5  D17 port-forward spawn via flock
- *   6  verify /health returns X-Olam-Engine: kubernetes
- *   7  emit upgrade.complete instrumentation event
- *   8  success message
+ * Step order (Phase D — kubernetes substrate, Phase 2 GA):
+ *   0    probeKubernetesApiReachable — 5s timeout kubectl cluster-info
+ *   1    D10 context-allowlist + OLAM_K8S_CONTEXT_ACK strict-equality byte-for-byte
+ *   2    D12 Secret pre-check (olam-host-cp-secret; base64-decode; key-name check)
+ *   2.5  C1 in-memory ConfigMap substitution — K8s DNS URLs for inter-peripheral URLs
+ *   2.6  C2 per-peripheral Secret pre-check (iterates PERIPHERALS; unconditional — D5)
+ *   2.7  C3 CoreDNS warm-up wait (kubectl wait --for=condition=Available deployment/coredns -n kube-system)
+ *   3    kubectl apply host-cp manifests + all 4 peripheral manifest dirs (alphabetical)
+ *   4    D15 kubectl rollout status (all 5 deployments in parallel)
+ *   5    D17 port-forward spawn for host-cp + spawnAllPeripheralPortForwards in parallel
+ *   6    verify /health returns X-Olam-Engine: kubernetes
+ *   7    emit upgrade.complete instrumentation event
+ *   8    success message
  *
  * Manifests NOT auto-rolled-back on failure (D15 spec). Operator must
  * manually intervene; state snapshot is printed on failure.
  */
+import * as fs from 'node:fs';
 import { kubectlWrap } from './kubectl-wrap.js';
-import { spawnPortForward, probePortForwardLiveness, type PortForwardDeps } from './port-forward.js';
+import { spawnPortForward, spawnAllPeripheralPortForwards, probePortForwardLiveness, type PortForwardDeps, type PeripheralPortForwardDeps } from './port-forward.js';
 import { emitUpgradeComplete, type EmitOpts } from './instrumentation.js';
-import { runManifestRefresh } from './manifest-refresh.js';
+import { runManifestRefresh, seedManifestsFromBundle, type SeedManifestsDeps } from './manifest-refresh.js';
 export declare const OLAM_K8S_MANIFESTS_DIR: string;
 export declare const K8S_NAMESPACE = "olam";
 export declare const HOST_CP_SECRET_NAME = "olam-host-cp-secret";
 export declare const HOST_CP_DEPLOYMENT_NAME = "olam-host-cp";
 export declare const PORT_FORWARD_TARGET = "service/olam-host-cp";
 export declare const HOST_CP_HEALTH_URL = "http://127.0.0.1:19000/health";
+/** Audit log for substrate upgrade events (D18). */
+export declare const SUBSTRATE_AUDIT_LOG: string;
 export interface UpgradeKubernetesDeps {
     /** Override kubectl-wrap for tests. */
     readonly kubectlWrapImpl?: typeof kubectlWrap;
     /** Override spawnPortForward for tests. */
     readonly spawnPortForwardImpl?: typeof spawnPortForward;
+    /** Override spawnAllPeripheralPortForwards for tests. */
+    readonly spawnAllPeripheralPortForwardsImpl?: typeof spawnAllPeripheralPortForwards;
     /** Override probePortForwardLiveness for tests. */
     readonly probePortForwardLivenessImpl?: typeof probePortForwardLiveness;
     /** Override fetch for /health verification in tests. */
@@ -49,16 +67,38 @@ export interface UpgradeKubernetesDeps {
     readonly emitImpl?: typeof emitUpgradeComplete;
     /** Override manifest refresh for tests. */
     readonly manifestRefreshImpl?: typeof runManifestRefresh;
+    /** Override manifests seeder for tests. */
+    readonly seedManifestsImpl?: typeof seedManifestsFromBundle;
+    /** Override seed manifests deps for tests (injectable to seedManifestsFromBundle). */
+    readonly seedManifestsDeps?: SeedManifestsDeps;
     /** Override manifests dir path for tests. */
     readonly manifestsDir?: string;
     /** Override PortForwardDeps for tests (passed into spawnPortForward). */
     readonly portForwardDeps?: PortForwardDeps;
+    /** Override PeripheralPortForwardDeps for tests (passed into spawnAllPeripheralPortForwards). */
+    readonly peripheralPortForwardDeps?: PeripheralPortForwardDeps;
     /** Override emit opts for tests. */
     readonly emitOpts?: EmitOpts;
     /** Override stdout for tests. */
     readonly stdout?: NodeJS.WritableStream;
     /** Override stderr for tests. */
     readonly stderr?: NodeJS.WritableStream;
+    /** Override fs.readFileSync for tests (step 2.5 ConfigMap read). */
+    readonly readFileSyncImpl?: typeof fs.readFileSync;
+    /** Override Date.now for tests (audit log timestamp). */
+    readonly nowImpl?: () => number;
+    /**
+     * D6: override kubectl config view call for managed-k8s detection.
+     * Returns the cluster server URL string, or null when unavailable.
+     * Tests inject a mock to avoid real kubectl invocations.
+     */
+    readonly getClusterServerUrlImpl?: () => Promise<string | null>;
+    /**
+     * D7: override docker socket accessibility check for inline preflight.
+     * Returns true when /var/run/docker.sock is accessible inside the host-cp pod.
+     * Tests inject a mock to avoid real kubectl invocations.
+     */
+    readonly checkDockerSocketImpl?: (context: string) => Promise<boolean>;
 }
 export interface UpgradeKubernetesOpts {
     readonly forceRefreshManifests?: boolean;

package/dist/lib/upgrade-kubernetes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"upgrade-kubernetes.d.ts","sourceRoot":"","sources":["../../src/lib/upgrade-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAOH,OAAO,EAAE,WAAW,EAAwB,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,KAAK,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACrG,OAAO,EAAE,mBAAmB,EAAE,KAAK,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAA4B,MAAM,uBAAuB,CAAC;AAGrF,eAAO,MAAM,sBAAsB,QAA2C,CAAC;AAC/E,eAAO,MAAM,aAAa,SAAS,CAAC;AACpC,eAAO,MAAM,mBAAmB,wBAAwB,CAAC;AACzD,eAAO,MAAM,uBAAuB,iBAAiB,CAAC;AACtD,eAAO,MAAM,mBAAmB,yBAAyB,CAAC;AAC1D,eAAO,MAAM,kBAAkB,kCAAkC,CAAC;AAclE,MAAM,WAAW,qBAAqB;IACpC,uCAAuC;IACvC,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IAC9C,2CAA2C;IAC3C,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,gBAAgB,CAAC;IACxD,mDAAmD;IACnD,QAAQ,CAAC,4BAA4B,CAAC,EAAE,OAAO,wBAAwB,CAAC;IACxE,wDAAwD;IACxD,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5E,8CAA8C;IAC9C,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,mBAAmB,CAAC;IAC/C,2CAA2C;IAC3C,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,kBAAkB,CAAC;IACzD,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,yEAAyE;IACzE,QAAQ,CAAC,eAAe,CAAC,EAAE,eAAe,CAAC;IAC3C,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC;IAC7B,iCAAiC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,iCAAiC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;CACzC;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,OAAO,CAAC;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAqJD;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,GAAE,qBAA0B,EAChC,IAAI,GAAE,qBAA0B,GAC/B,OAAO,CAAC,uBAAuB,CAAC,CAgKlC"}
+{"version":3,"file":"upgrade-kubernetes.d.ts","sourceRoot":"","sources":["../../src/lib/upgrade-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAO9B,OAAO,EAAE,WAAW,EAAwB,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,wBAAwB,EAAE,KAAK,eAAe,EAAE,KAAK,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AACrK,OAAO,EAAE,mBAAmB,EAAE,KAAK,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAA4B,KAAK,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAItI,eAAO,MAAM,sBAAsB,QAA2C,CAAC;AAC/E,eAAO,MAAM,aAAa,SAAS,CAAC;AACpC,eAAO,MAAM,mBAAmB,wBAAwB,CAAC;AACzD,eAAO,MAAM,uBAAuB,iBAAiB,CAAC;AACtD,eAAO,MAAM,mBAAmB,yBAAyB,CAAC;AAC1D,eAAO,MAAM,kBAAkB,kCAAkC,CAAC;AAElE,oDAAoD;AACpD,eAAO,MAAM,mBAAmB,QAAqD,CAAC;AAwItF,MAAM,WAAW,qBAAqB;IACpC,uCAAuC;IACvC,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IAC9C,2CAA2C;IAC3C,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,gBAAgB,CAAC;IACxD,yDAAyD;IACzD,QAAQ,CAAC,kCAAkC,CAAC,EAAE,OAAO,8BAA8B,CAAC;IACpF,mDAAmD;IACnD,QAAQ,CAAC,4BAA4B,CAAC,EAAE,OAAO,wBAAwB,CAAC;IACxE,wDAAwD;IACxD,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5E,8CAA8C;IAC9C,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,mBAAmB,CAAC;IAC/C,2CAA2C;IAC3C,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,kBAAkB,CAAC;IACzD,2CAA2C;IAC3C,QAAQ,CAAC,iBAAiB,CAAC,EAAE,OAAO,uBAAuB,CAAC;IAC5D,sFAAsF;IACtF,QAAQ,CAAC,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IAC/C,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,yEAAyE;IACzE,QAAQ,CAAC,eAAe,CAAC,EAAE,eAAe,CAAC;IAC3C,iGAAiG;IACjG,QAAQ,CAAC,yBAAyB,CAAC,EAAE,yBAAyB,CAAC;IAC/D,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC;IAC7B,iCAAiC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,iCAAiC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,oEAAoE;IACpE,QAAQ,CAAC,gBAAgB,CAAC,EAAE,OAAO,EAAE,CAAC,YAAY,CAAC;IACnD,yDAAyD;IACzD,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,MAAM,CAAC;IAChC;;;;OAIG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAChE;;;;OAIG;IACH,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CACxE;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,OAAO,CAAC;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAgTD;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,GAAE,qBAA0B,EAChC,IAAI,GAAE,qBAA0B,GAC/B,OAAO,CAAC,uBAAuB,CAAC,CAqUlC"}

package/dist/lib/upgrade-kubernetes.js

@@ -4,53 +4,177 @@
  * Phase 1b C2 of olam-host-suite-phase-1b-k3s-beta-flavour (plan
  * ~/.claude/plans/olam-host-suite-phase-1b-k3s-beta-flavour.md).
  *
+ * Phase 2 Phase C extensions:
+ *   C1  — step 2.5: in-memory ConfigMap substitution for inter-peripheral K8s DNS URLs (D4)
+ *   C2  — step 2.6: per-peripheral Secret pre-check (iterates PERIPHERALS; D12 pattern)
+ *   C3  — step 2.7: CoreDNS warm-up wait + extend steps 3/4/5 to iterate peripherals
+ *
+ * Phase 2 Phase D extensions:
+ *   D5  — OLAM_PHASE_2_BETA guard removed; all peripherals deploy unconditionally (Phase 2 GA)
+ *
  * Decisions consumed:
+ *   D4  — K8s DNS URL form for inter-peripheral service URLs
  *   D10 — context-allowlist + OLAM_K8S_CONTEXT_ACK strict-equality check
  *   D12 — Secret pre-check (base64-decode + key-name + placeholder exact match)
  *   D14 — --force-refresh-manifests flag + --accept-security-regression guard
  *   D15 — kubectl rollout status --timeout=90s; state snapshot on failure
  *   D17 — port-forward spawn via flock (spawnPortForward from port-forward.ts)
  *   D22 — probeKubernetesApiReachable pre-flight via kubectl-wrap (5s timeout)
+ *   D27 — audit log entry (phase2.flag_removed) emitted per upgrade run
  *
- * Step order:
- *   0  probeKubernetesApiReachable — 5s timeout kubectl cluster-info
- *   1  D10 context-allowlist + OLAM_K8S_CONTEXT_ACK strict-equality byte-for-byte
- *   2  D12 Secret pre-check (olam-host-cp-secret; base64-decode; key-name check)
- *   3  kubectl apply --context <pinned> -f ~/.olam/k8s/manifests/
- *   4  D15 kubectl rollout status --context <pinned> --timeout=90s (95s wrap)
- *   5  D17 port-forward spawn via flock
- *   6  verify /health returns X-Olam-Engine: kubernetes
- *   7  emit upgrade.complete instrumentation event
- *   8  success message
+ * Step order (Phase D — kubernetes substrate, Phase 2 GA):
+ *   0    probeKubernetesApiReachable — 5s timeout kubectl cluster-info
+ *   1    D10 context-allowlist + OLAM_K8S_CONTEXT_ACK strict-equality byte-for-byte
+ *   2    D12 Secret pre-check (olam-host-cp-secret; base64-decode; key-name check)
+ *   2.5  C1 in-memory ConfigMap substitution — K8s DNS URLs for inter-peripheral URLs
+ *   2.6  C2 per-peripheral Secret pre-check (iterates PERIPHERALS; unconditional — D5)
+ *   2.7  C3 CoreDNS warm-up wait (kubectl wait --for=condition=Available deployment/coredns -n kube-system)
+ *   3    kubectl apply host-cp manifests + all 4 peripheral manifest dirs (alphabetical)
+ *   4    D15 kubectl rollout status (all 5 deployments in parallel)
+ *   5    D17 port-forward spawn for host-cp + spawnAllPeripheralPortForwards in parallel
+ *   6    verify /health returns X-Olam-Engine: kubernetes
+ *   7    emit upgrade.complete instrumentation event
+ *   8    success message
  *
  * Manifests NOT auto-rolled-back on failure (D15 spec). Operator must
  * manually intervene; state snapshot is printed on failure.
  */
+import * as fs from 'node:fs';
 import * as os from 'node:os';
 import * as path from 'node:path';
+import { parse as yamlParse, stringify as yamlStringify } from 'yaml';
 import ora from 'ora';
 import pc from 'picocolors';
 import { printError, printSuccess, printInfo, printWarning } from '../output.js';
 import { kubectlWrap } from './kubectl-wrap.js';
-import { spawnPortForward, probePortForwardLiveness } from './port-forward.js';
+import { spawnPortForward, spawnAllPeripheralPortForwards, probePortForwardLiveness } from './port-forward.js';
 import { emitUpgradeComplete } from './instrumentation.js';
-import { runManifestRefresh } from './manifest-refresh.js';
-import { OLAM_HOME } from './config.js';
+import { runManifestRefresh, seedManifestsFromBundle } from './manifest-refresh.js';
+import { OLAM_HOME, OLAM_STATE_DIR } from './config.js';
+import { PERIPHERALS } from './peripheral-registry.js';
 export const OLAM_K8S_MANIFESTS_DIR = path.join(OLAM_HOME, 'k8s', 'manifests');
 export const K8S_NAMESPACE = 'olam';
 export const HOST_CP_SECRET_NAME = 'olam-host-cp-secret';
 export const HOST_CP_DEPLOYMENT_NAME = 'olam-host-cp';
 export const PORT_FORWARD_TARGET = 'service/olam-host-cp';
 export const HOST_CP_HEALTH_URL = 'http://127.0.0.1:19000/health';
+/** Audit log for substrate upgrade events (D18). */
+export const SUBSTRATE_AUDIT_LOG = path.join(OLAM_STATE_DIR, 'substrate-audit.jsonl');
 /** Placeholder values that indicate the Secret has not been configured (D12). */
 const PLACEHOLDER_VALUES = new Set(['OLAM_AUTH_SECRET', 'GH_TOKEN']);
 /** Required keys in the olam-host-cp-secret (D12). */
 const REQUIRED_SECRET_KEYS = ['OLAM_AUTH_SECRET', 'GH_TOKEN'];
+/**
+ * Peripheral secret metadata: name and required keys with their placeholder patterns.
+ * Placeholder pattern: starts with REPLACE_ME_ (as per the template files in
+ * packages/host-cp/k8s/templates/).
+ */
+const PERIPHERAL_SECRETS = [
+    { name: 'auth-service', secretName: 'olam-auth-service-secret', keys: ['OLAM_AUTH_DB_SECRET'] },
+    { name: 'mcp-auth-service', secretName: 'olam-mcp-auth-service-secret', keys: ['OLAM_MCP_AUTH_JWT_SECRET'] },
+    { name: 'kg-service', secretName: 'olam-kg-service-secret', keys: ['OLAM_KG_BEARER_TOKEN'] },
+    { name: 'memory-service', secretName: 'olam-memory-service-secret', keys: ['OLAM_MEMORY_BEARER_SECRET'] },
+];
+/** K8s cluster DNS base domain for the olam namespace. */
+const K8S_DNS_SUFFIX = 'olam.svc.cluster.local';
+/**
+ * Build the K8s in-cluster DNS URL for a peripheral service.
+ * Form: http://<k8sServiceName>.olam.svc.cluster.local:<port>
+ */
+function buildK8sDnsUrl(k8sServiceName, port) {
+    return `http://${k8sServiceName}.${K8S_DNS_SUFFIX}:${port}`;
+}
+/**
+ * Append a JSONL audit entry to the substrate audit log (D18).
+ * Best-effort: errors are logged to stderr but do not abort the upgrade.
+ */
+function appendSubstrateAuditEntry(entry, stderr) {
+    try {
+        const line = JSON.stringify(entry) + '\n';
+        const dir = path.dirname(SUBSTRATE_AUDIT_LOG);
+        if (!fs.existsSync(dir))
+            fs.mkdirSync(dir, { recursive: true });
+        fs.writeFileSync(SUBSTRATE_AUDIT_LOG, line, { encoding: 'utf8', flag: 'a', mode: 0o600 });
+    }
+    catch (err) {
+        stderr.write(`${pc.yellow('[warn]')} could not write substrate audit log: ${err instanceof Error ? err.message : String(err)}\n`);
+    }
+}
 /** D10 — allowed kubectl context patterns. Currently: anything non-empty.
  * The allowlist is enforced by OLAM_K8S_CONTEXT_ACK strict-equality. */
 function isContextAllowed(context) {
     return typeof context === 'string' && context.length > 0;
 }
+/**
+ * D6 — Managed-k8s cluster server URL patterns (Decision #18 active retraction).
+ *
+ * Matches the cluster server URL (from `kubectl config view --minify`).
+ * These patterns indicate managed Kubernetes providers where hostPath
+ * /var/run/docker.sock does not reach the operator's docker daemon.
+ * Operators on managed k8s must use a local k3d/k3s cluster instead.
+ *
+ * Pattern sources:
+ *   - EKS: *.amazonaws.com — AWS API server endpoint
+ *   - GKE: *.googleapis.com — Google API server; also *.gke.io
+ *   - AKS: *.azmk8s.io — Azure managed k8s endpoint
+ *   - DO:  *.do-user-*.k8s.ondigitalocean.com — DigitalOcean
+ *   - Civo: *.civo.com — Civo cloud
+ */
+const MANAGED_K8S_URL_PATTERNS = [
+    { pattern: /\.amazonaws\.com(:\d+)?$/, provider: 'EKS (Amazon)' },
+    { pattern: /\.googleapis\.com(:\d+)?$/, provider: 'GKE (Google)' },
+    { pattern: /\.gke\.io(:\d+)?$/, provider: 'GKE (Google)' },
+    { pattern: /\.azmk8s\.io(:\d+)?$/, provider: 'AKS (Azure)' },
+    { pattern: /\.k8s\.ondigitalocean\.com(:\d+)?$/, provider: 'DOKS (DigitalOcean)' },
+    { pattern: /\.civo\.com(:\d+)?$/, provider: 'Civo' },
+];
+/**
+ * Detect whether the active kubectl context is a managed-k8s provider.
+ * Returns the detected provider name if managed, null if local/unknown.
+ * Fail-open: unrecognized cluster URLs return null (no false positives).
+ */
+async function detectManagedK8sProvider(deps) {
+    if (deps.getClusterServerUrlImpl) {
+        const url = await deps.getClusterServerUrlImpl();
+        if (!url)
+            return null;
+        for (const { pattern, provider } of MANAGED_K8S_URL_PATTERNS) {
+            if (pattern.test(url))
+                return provider;
+        }
+        return null;
+    }
+    // Default: run kubectl config view --minify to get the server URL.
+    const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    const result = await wrap(['config', 'view', '--minify', '-o', 'jsonpath={.clusters[0].cluster.server}'], { timeout: 5_000 });
+    if (!result.ok || !result.stdout.trim())
+        return null;
+    const url = result.stdout.trim();
+    for (const { pattern, provider } of MANAGED_K8S_URL_PATTERNS) {
+        if (pattern.test(url))
+            return provider;
+    }
+    return null;
+}
+/**
+ * D7 — Check docker socket accessibility inside the host-cp pod.
+ * Uses `kubectl exec deploy/olam-host-cp -n olam -- test -S /var/run/docker.sock`.
+ * Returns true when socket is accessible; false when absent or unreachable.
+ */
+async function checkDockerSocketAccessible(context, deps) {
+    if (deps.checkDockerSocketImpl) {
+        return deps.checkDockerSocketImpl(context);
+    }
+    const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    const result = await wrap([
+        '--context', context,
+        'exec', 'deploy/olam-host-cp',
+        '-n', 'olam',
+        '--',
+        'test', '-S', '/var/run/docker.sock',
+    ], { timeout: 10_000 });
+    return result.ok;
+}
 /**
  * Step 0 — D22: probe Kubernetes API reachability (5s timeout).
  * Uses kubectl cluster-info with a tight timeout to detect unreachable API server.
@@ -135,6 +259,122 @@ async function waitForRollout(context, deps, stderr) {
     stderr.write(`\n${pc.yellow('note:')} Manifests are NOT auto-rolled-back. Inspect the state above and remediate manually.\n`);
     return false;
 }
+/**
+ * Step 2.5 — C1: in-memory ConfigMap substitution for inter-peripheral K8s DNS URLs (D4).
+ *
+ * Reads the bundled host-cp ConfigMap YAML from manifestsDir/30-configmap.yaml,
+ * patches the inter-peripheral URL values to K8s cluster-DNS form, then applies
+ * the patched manifest via `kubectl apply -f -` on stdin.
+ *
+ * Does NOT rewrite any file on disk.
+ * Only runs on kubernetes substrate (called after substrate check).
+ *
+ * Returns null on success; error message string on failure.
+ */
+async function applyConfigMapSubstitution(context, manifestsDir, deps) {
+    const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    const readFileSync = deps.readFileSyncImpl ?? fs.readFileSync;
+    const configMapPath = path.join(manifestsDir, '30-configmap.yaml');
+    let rawYaml;
+    try {
+        rawYaml = readFileSync(configMapPath, 'utf8');
+    }
+    catch (err) {
+        return `Failed to read ConfigMap at ${configMapPath}: ${err instanceof Error ? err.message : String(err)}`;
+    }
+    // Parse → patch data values → re-serialize.
+    let parsed;
+    try {
+        parsed = yamlParse(rawYaml);
+    }
+    catch (err) {
+        return `Failed to parse ConfigMap YAML at ${configMapPath}: ${err instanceof Error ? err.message : String(err)}`;
+    }
+    const data = (parsed['data'] ?? {});
+    // Substitute each peripheral's ConfigMap key to K8s DNS form.
+    for (const peripheral of PERIPHERALS) {
+        data[peripheral.configMapKeyInHostCp] = buildK8sDnsUrl(peripheral.k8sServiceName, peripheral.port);
+    }
+    parsed['data'] = data;
+    const patchedYaml = yamlStringify(parsed);
+    // Apply via stdin pipe (D20 compliance: no value in argv).
+    const result = await wrap(['--context', context, 'apply', '-f', '-'], { timeout: 30_000, stdin: patchedYaml });
+    if (!result.ok) {
+        return `kubectl apply (ConfigMap substitution) failed: ${result.stderr.split('\n')[0] ?? ''}`;
+    }
+    return null;
+}
+/**
+ * Step 2.6 — C2: per-peripheral Secret pre-check.
+ *
+ * Iterates PERIPHERAL_SECRETS; for each, fetches the Secret via kubectl,
+ * base64-decodes each value, and refuses if:
+ *   (a) Secret does not exist → names the peripheral + Secret resource.
+ *   (b) Any key is missing → names the peripheral + key.
+ *   (c) Any value starts with REPLACE_ME_ (placeholder not configured) → names key.
+ *
+ * Mirrors Phase 1b's D12 host-cp Secret pre-check pattern, generalised to N peripherals.
+ *
+ * Returns null on success; error message string on first failure.
+ */
+async function checkPeripheralSecrets(context, deps) {
+    const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    for (const { name, secretName, keys } of PERIPHERAL_SECRETS) {
+        const result = await wrap([
+            '--context', context,
+            'get', 'secret', secretName,
+            '-n', K8S_NAMESPACE,
+            '-o', 'json',
+        ], { timeout: 15_000 });
+        if (!result.ok) {
+            return (`Peripheral Secret "${secretName}" (${name}) not found in namespace "${K8S_NAMESPACE}".\n` +
+                `  Create it first: kubectl --context ${context} apply -f <your-${name}-secret.yaml>\n` +
+                `  ${result.stderr.split('\n')[0] ?? ''}`);
+        }
+        let secretJson;
+        try {
+            secretJson = JSON.parse(result.stdout);
+        }
+        catch {
+            return `Failed to parse Secret JSON for "${secretName}" (${name}): ${result.stdout.slice(0, 200)}`;
+        }
+        const data = secretJson.data ?? {};
+        for (const key of keys) {
+            if (!(key in data)) {
+                return (`Peripheral Secret "${secretName}" (${name}) is missing required key "${key}".\n` +
+                    `  Keys found: ${Object.keys(data).join(', ') || '(none)'}\n` +
+                    `  Add the key and re-run.`);
+            }
+            const b64 = data[key] ?? '';
+            const decoded = Buffer.from(b64, 'base64').toString('utf8');
+            if (decoded.startsWith('REPLACE_ME_')) {
+                return (`Peripheral Secret "${secretName}" (${name}) key "${key}" still holds its placeholder value.\n` +
+                    `  Replace the placeholder with a real value, then re-run.`);
+            }
+        }
+    }
+    return null; // all peripheral secrets verified
+}
+/**
+ * Step 2.7 — C3: CoreDNS warm-up wait.
+ *
+ * Runs `kubectl wait --for=condition=Available deployment/coredns -n kube-system --timeout=30s`
+ * before step 3 to ensure DNS resolution is available for peripheral service discovery.
+ *
+ * Returns true on success; false on timeout or failure.
+ */
+async function waitForCoreDns(context, deps) {
+    const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    const result = await wrap([
+        '--context', context,
+        'wait',
+        '--for=condition=Available',
+        'deployment/coredns',
+        '-n', 'kube-system',
+        '--timeout=30s',
+    ], { timeout: 35_000 });
+    return result.ok;
+}
 /**
  * Step 6 — verify /health returns X-Olam-Engine: kubernetes.
  */
@@ -161,6 +401,60 @@ export async function runUpgradeKubernetes(opts = {}, deps = {}) {
     const stderr = deps.stderr ?? process.stderr;
     const manifestsDir = deps.manifestsDir ?? OLAM_K8S_MANIFESTS_DIR;
     const startMs = Date.now();
+    // ── Pre-step 0: B5 — seed manifests from bundle if dir absent ────
+    // Closes T2/B2: ENOENT at step 2.5 (30-configmap.yaml) on fresh installs.
+    // Runs FIRST so manifests are available for all subsequent steps.
+    {
+        const seedImpl = deps.seedManifestsImpl ?? seedManifestsFromBundle;
+        const seedResult = seedImpl(opts.forceRefreshManifests === true, deps.seedManifestsDeps ?? {});
+        if (seedResult.seeded) {
+            stdout.write(`${pc.dim('[seed]')} ${seedResult.message}\n`);
+        }
+        else if (!seedResult.skipped) {
+            // Hard error: copy failed (permission denied, ENOSPC, etc.).
+            stderr.write(`${pc.red('error:')} Manifest seed failed: ${seedResult.error}\n`);
+            return { exitCode: 1, summary: 'manifest seed failed' };
+        }
+        // skipped: dir exists or bundle absent (dev context) — no output, continue.
+    }
+    // ── Pre-step 0a: D6 — managed-k8s context refusal (Decision #18) ──────
+    // Detects managed-k8s cluster server URL patterns and refuses BEFORE any
+    // kubectl apply. Fail-open: unrecognized cluster URLs proceed normally.
+    {
+        const managedProvider = await detectManagedK8sProvider(deps);
+        if (managedProvider !== null) {
+            stderr.write(`${pc.red('error:')} olam upgrade supports local k3d/k3s clusters only.\n` +
+                `  Detected managed-k8s context: ${managedProvider}\n` +
+                `  hostPath /var/run/docker.sock is not accessible on managed clusters — the docker\n` +
+                `  socket does not reach the operator's host daemon on cloud-managed nodes.\n` +
+                `  See Decision #18 and docs/operator/kubernetes-substrate-beta.md\n` +
+                `  for supported cluster types and the active retraction of managed-k8s support.\n`);
+            return { exitCode: 1, summary: 'managed-k8s context detected (Decision #18 retraction)' };
+        }
+    }
+    // ── Pre-step 0b: D7 — docker socket bind-mount preflight ──────────────
+    // Checks that /var/run/docker.sock is accessible inside the host-cp pod
+    // BEFORE step 0. Prevents crash-loop UX when the operator forgot the
+    // --volume socket bind on k3d cluster create (OQ13 resolution).
+    // Note: only meaningful when host-cp is already deployed. On a fresh install
+    // the pod doesn't exist yet — kubectl exec will fail gracefully (WARN only).
+    {
+        const preflightContext = process.env.OLAM_K8S_CONTEXT_ACK ?? 'default';
+        const socketAccessible = await checkDockerSocketAccessible(preflightContext, deps);
+        if (!socketAccessible) {
+            stderr.write(`${pc.yellow('[WARN]')} docker socket not accessible at /var/run/docker.sock inside the host-cp pod.\n` +
+                `  This means the k3d cluster was not created with the docker socket bind-mount,\n` +
+                `  or host-cp is not yet deployed (first install — this warning is expected).\n` +
+                `  For subsequent upgrades, recreate the cluster with:\n` +
+                `    k3d cluster create olam-host \\\n` +
+                `      --volume /var/run/docker.sock:/var/run/docker.sock@server:* \\\n` +
+                `      --volume ~/.config/gh:/host/.config/gh \\\n` +
+                `      --volume <olam-repo>:/host/olam \\\n` +
+                `      --wait --timeout 90s\n` +
+                `  Run olam doctor to check probe 28 (probeDockerSocketBindMount).\n`);
+            // WARN only — do not abort. Fresh installs have no pod yet.
+        }
+    }
     // ── Step 0: D22 — probe Kubernetes API reachability (5s) ─────────
     const step0Spinner = ora('Probing Kubernetes API reachability').start();
     const context = process.env.OLAM_K8S_CONTEXT_ACK ?? '';
@@ -214,9 +508,46 @@ export async function runUpgradeKubernetes(opts = {}, deps = {}) {
         return { exitCode: 1, summary: 'secret pre-check failed' };
     }
     step2Spinner.succeed(`Secret ${HOST_CP_SECRET_NAME} verified`);
+    // ── D5: Phase 2 GA — OLAM_PHASE_2_BETA guard removed (D27) ──────
+    // Emit phase2.flag_removed audit log entry per upgrade run (D27).
+    appendSubstrateAuditEntry({
+        ts: new Date(deps.nowImpl ? deps.nowImpl() : Date.now()).toISOString(),
+        op: 'upgrade',
+        substrate: 'kubernetes',
+        phase2: { flag_removed: true },
+    }, stderr);
+    // ── Step 2.5: C1 — in-memory ConfigMap substitution (K8s DNS URLs) ──
+    const step25Spinner = ora('Patching ConfigMap with K8s DNS URLs (C1/D4)').start();
+    const configMapError = await applyConfigMapSubstitution(pinnedContext, manifestsDir, deps);
+    if (configMapError !== null) {
+        step25Spinner.fail('ConfigMap substitution failed');
+        stderr.write(`${pc.red('error:')} ${configMapError}\n`);
+        return { exitCode: 1, summary: 'configmap substitution failed' };
+    }
+    step25Spinner.succeed('ConfigMap patched with K8s DNS URLs');
+    // ── Step 2.6: C2 — per-peripheral Secret pre-check ──────────────
+    const step26Spinner = ora('Checking peripheral Secrets (C2)').start();
+    const peripheralSecretError = await checkPeripheralSecrets(pinnedContext, deps);
+    if (peripheralSecretError !== null) {
+        step26Spinner.fail('Peripheral Secret pre-check failed');
+        stderr.write(`${pc.red('error:')} ${peripheralSecretError}\n`);
+        return { exitCode: 1, summary: 'peripheral secret pre-check failed' };
+    }
+    step26Spinner.succeed('All peripheral Secrets verified');
+    // ── Step 2.7: C3 — CoreDNS warm-up wait ────────────────────────
+    const step27Spinner = ora('Waiting for CoreDNS (C3, 30s timeout)').start();
+    const coreDnsOk = await waitForCoreDns(pinnedContext, deps);
+    if (!coreDnsOk) {
+        step27Spinner.warn('CoreDNS not Available within 30s — continuing (DNS may be degraded)');
+    }
+    else {
+        step27Spinner.succeed('CoreDNS Available');
+    }
     // ── Step 3: kubectl apply ─────────────────────────────────────────
     const step3Spinner = ora('Applying manifests').start();
     const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    // Always apply host-cp manifests (top-level manifests dir).
+    // kubectl -f <dir> does NOT recurse by default — peripheral subdirs are ignored here.
     const applyResult = await wrap(['--context', pinnedContext, 'apply', '-f', manifestsDir], { timeout: 120_000 });
     if (!applyResult.ok) {
         step3Spinner.fail('kubectl apply failed');
@@ -224,24 +555,61 @@ export async function runUpgradeKubernetes(opts = {}, deps = {}) {
             `  ${applyResult.stderr.split('\n').slice(0, 5).join('\n  ')}\n`);
         return { exitCode: 1, summary: 'kubectl apply failed' };
     }
-    step3Spinner.succeed('Manifests applied');
+    // Apply each peripheral's manifest directory (alphabetical order).
+    const peripheralNames = [...PERIPHERALS.map((p) => p.name)].sort();
+    for (const name of peripheralNames) {
+        const peripheralManifestsDir = path.join(manifestsDir, name);
+        const peripheralApplyResult = await wrap(['--context', pinnedContext, 'apply', '-f', peripheralManifestsDir], { timeout: 120_000 });
+        if (!peripheralApplyResult.ok) {
+            step3Spinner.fail(`kubectl apply failed for peripheral "${name}"`);
+            stderr.write(`${pc.red('error:')} kubectl apply failed for peripheral "${name}" (exit ${peripheralApplyResult.exitCode}):\n` +
+                `  ${peripheralApplyResult.stderr.split('\n').slice(0, 5).join('\n  ')}\n`);
+            return { exitCode: 1, summary: `kubectl apply failed for peripheral ${name}` };
+        }
+    }
+    step3Spinner.succeed('All manifests applied (host-cp + 4 peripherals)');
     // ── Step 4: D15 — kubectl rollout status (90s timeout, 95s wrap) ──
-    const step4Spinner = ora('Waiting for rollout (90s)').start();
-    const rolloutOk = await waitForRollout(pinnedContext, deps, stderr);
-    if (!rolloutOk) {
-        step4Spinner.fail('Rollout status failed or timed out');
+    // Wait for all 5 deployments in parallel (host-cp + 4 peripherals).
+    const step4Spinner = ora('Waiting for rollout (all 5 deployments, 90s each)').start();
+    const deploymentNames = [
+        HOST_CP_DEPLOYMENT_NAME,
+        ...PERIPHERALS.map((p) => p.name),
+    ];
+    const rolloutResults = await Promise.all(deploymentNames.map((deploymentName) => (deps.kubectlWrapImpl ?? kubectlWrap)([
+        '--context', pinnedContext,
+        'rollout', 'status',
+        `deployment/${deploymentName}`,
+        '-n', K8S_NAMESPACE,
+        '--timeout=90s',
+    ], { timeout: 95_000 })));
+    const failedDeployments = deploymentNames.filter((_, i) => !rolloutResults[i]?.ok);
+    if (failedDeployments.length > 0) {
+        step4Spinner.fail(`Rollout failed for: ${failedDeployments.join(', ')}`);
+        // Emit state snapshot for failed deployments (mirrors D15 pattern).
+        for (const name of failedDeployments) {
+            stderr.write(`${pc.red('error:')} rollout status failed for deployment/${name}.\n`);
+            stderr.write(`${pc.dim(`--- kubectl get pods -n ${K8S_NAMESPACE} -o wide ---`)}\n`);
+            const podsResult = await wrap(['--context', pinnedContext, 'get', 'pods', '-n', K8S_NAMESPACE, '-o', 'wide'], { timeout: 10_000 });
+            stderr.write((podsResult.stdout || podsResult.stderr || '(no output)') + '\n');
+        }
+        stderr.write(`\n${pc.yellow('note:')} Manifests are NOT auto-rolled-back. Inspect the state above and remediate manually.\n`);
         return { exitCode: 1, summary: 'rollout status timed out' };
     }
-    step4Spinner.succeed('Rollout complete');
+    step4Spinner.succeed('All 5 deployments rolled out');
     // ── Step 5: D17 — port-forward spawn via flock ───────────────────
+    // Spawn host-cp and all peripheral port-forwards in parallel.
     const step5Spinner = ora('Establishing port-forward').start();
     const pfSpawn = deps.spawnPortForwardImpl ?? spawnPortForward;
-    const pfResult = await pfSpawn(pinnedContext, K8S_NAMESPACE, PORT_FORWARD_TARGET, 19000, 19000, deps.portForwardDeps ?? {});
+    const spawnAllPeripheral = deps.spawnAllPeripheralPortForwardsImpl ?? spawnAllPeripheralPortForwards;
+    const [pfResult] = await Promise.all([
+        pfSpawn(pinnedContext, K8S_NAMESPACE, PORT_FORWARD_TARGET, 19000, 19000, deps.portForwardDeps ?? {}),
+        spawnAllPeripheral(pinnedContext, K8S_NAMESPACE, deps.peripheralPortForwardDeps ?? {}),
+    ]);
     if (pfResult.spawned) {
-        step5Spinner.succeed(`Port-forward spawned (pid ${pfResult.pid})`);
+        step5Spinner.succeed(`Port-forward spawned (pid ${pfResult.pid}) + all peripheral port-forwards`);
     }
     else if (pfResult.reason === 'live') {
-        step5Spinner.succeed('Port-forward already live');
+        step5Spinner.succeed('Port-forward already live + peripheral port-forwards spawned');
     }
     else {
         step5Spinner.warn('Port-forward lock held by concurrent caller; skipping spawn');