@pleri/olam-cli 0.1.147 → 0.1.150

package/host-cp/k8s/manifests/50-deployment.yaml

@@ -18,20 +18,30 @@
 #     before the main container starts, granting UID-1000 write access on the
 #     freshly-provisioned PV. fsGroup alone is insufficient for hostPath volumes.
 #
-#   gh-config (/gh-config) and operator-repo (/operator-repo) remain hostPath
-#   volumes that resolve to paths inside the k3d node container.
-#   OPERATORS MUST pass these volume mounts when creating the k3d cluster:
+#   docker-sock (/var/run/docker.sock): hostPath volume — the operator must
+#     bind the host docker socket into the k3d node container when creating
+#     the cluster (Decision #3 — direct hostPath mount, not docker-socket-proxy):
 #
 #     k3d cluster create olam-host \
+#       --volume /var/run/docker.sock:/var/run/docker.sock@server:* \
 #       --volume ~/.config/gh:/host/.config/gh \
 #       --volume <olam-repo-root>:/host/olam \
 #       --wait --timeout 90s
 #
-#   Without these flags the gh-config and operator-repo mounts will be empty
-#   (the paths exist inside the node container but contain no data from the
-#   operator's host). The pod will still start — features that depend on GitHub
-#   auth or the operator repo will fail gracefully. The Phase D install guide
-#   surfaces this requirement prominently.
+#     An init container (socket-perm) runs `chmod 666 /var/run/docker.sock` as
+#     root BEFORE the main container starts. This grants the non-root main
+#     container (UID 1000) read+write access to the daemon socket.
+#     Deliberate platform-permission concession — see Decision #15:
+#     init container as root is the only way to grant non-root main container
+#     socket access without bake-time UID alignment on a single-tenant machine.
+#
+#   gh-config (/gh-config) and operator-repo (/operator-repo) remain hostPath
+#   volumes that resolve to paths inside the k3d node container.
+#   OPERATORS MUST pass these volume mounts when creating the k3d cluster (see
+#   the k3d command above). Without these flags the gh-config and operator-repo
+#   mounts will be empty. The pod will still start — features that depend on
+#   GitHub auth or the operator repo will fail gracefully. The Phase D install
+#   guide surfaces this requirement prominently.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -78,9 +88,26 @@ spec:
           volumeMounts:
             - name: olam-home
               mountPath: /data
+        - name: socket-perm
+          # busybox:1.36 — same sha256-pinned image as chown-data above.
+          # Deliberate platform-permission concession — see Decision #15.
+          # Runs as root to chmod the docker socket before the non-root main
+          # container starts. 666 (world-rw) is intentional on a single-tenant
+          # operator machine: UID 1000 must write to a root-owned socket without
+          # UID alignment at image build time.
+          image: busybox@sha256:73aaf090f3d85aa34ee199857f03fa3a95c8ede2ffd4cc2cdb5b94e566b11662
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 0
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+          command: ["sh", "-c", "chmod 666 /var/run/docker.sock"]
+          volumeMounts:
+            - name: docker-sock
+              mountPath: /var/run/docker.sock
       containers:
         - name: olam-host-cp
-          image: ghcr.io/pleri/olam-host-cp@sha256:513b16e1c36c96f4a03b431445da45cabf83c85b5761d1c93fab684a13c7354b
+          image: ghcr.io/pleri/olam-host-cp@sha256:3256501cfcd2efecd73083d74fa4f12ffe54d4a1842c95f7441d9079102e8bbb
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true
@@ -109,6 +136,8 @@ spec:
               readOnly: true
             - name: tmp
               mountPath: /tmp
+            - name: docker-sock
+              mountPath: /var/run/docker.sock
           readinessProbe:
             httpGet:
               path: /api/version/status
@@ -146,3 +175,11 @@ spec:
             type: DirectoryOrCreate
         - name: tmp
           emptyDir: {}
+        - name: docker-sock
+          # D4 — Direct hostPath docker socket mount (Decision #3, architecture a2).
+          # The operator must bind the host docker socket into the k3d node when
+          # creating the cluster: --volume /var/run/docker.sock:/var/run/docker.sock@server:*
+          # Without this bind-mount the socket path exists inside the node but is empty.
+          hostPath:
+            path: /var/run/docker.sock
+            type: Socket

package/host-cp/k8s/manifests/auth-service/10-serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: olam-auth-service
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral

package/host-cp/k8s/manifests/auth-service/20-rbac.yaml

@@ -0,0 +1,34 @@
+# Phase 1a Decision 19: Role scoped to resourceNames: ["olam-auth-service"] on
+# apps/v1 deployments. Without this scope, the in-cluster ServiceAccount
+# could patch ANY Deployment in the namespace. This is the load-bearing
+# security guardrail — preserve verbatim.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: olam-auth-service
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    resourceNames: ["olam-auth-service"]
+    verbs: ["get", "patch", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: olam-auth-service
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+subjects:
+  - kind: ServiceAccount
+    name: olam-auth-service
+    namespace: olam
+roleRef:
+  kind: Role
+  name: olam-auth-service
+  apiGroup: rbac.authorization.k8s.io

package/host-cp/k8s/manifests/auth-service/30-configmap.yaml

@@ -0,0 +1,24 @@
+# ConfigMap for olam-auth-service environment. Sensitive values (AUTH_DB_SECRET,
+# API keys) are NOT here — they live in the Secret (see templates/auth-service-secret-template.yaml).
+# Operators apply the Secret separately before applying the manifests.
+#
+# Inter-peripheral URL placeholders (e.g. OLAM_MCP_AUTH_URL) are set to
+# cluster-internal DNS names. These are resolved by Phase C substitution;
+# operators running Phase 2 Beta may override them directly.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-auth-service-env
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+data:
+  # Port auth-service listens on. Must match 60-service.yaml targetPort.
+  OLAM_AUTH_PORT: "9999"
+  # Data directory — backed by the PVC mounted at /data.
+  OLAM_AUTH_DATA_PATH: "/data/auth"
+  # URL of mcp-auth-service (cluster-internal DNS). Override in non-k3d environments.
+  OLAM_MCP_AUTH_SERVICE_URL: "http://olam-mcp-auth-service.olam.svc.cluster.local:9998"
+  # Credential vault poll interval.
+  OLAM_CREDENTIAL_POLL_MS: "60000"

package/host-cp/k8s/manifests/auth-service/45-pvc.yaml

@@ -0,0 +1,25 @@
+# PersistentVolumeClaim for olam-auth-service /data volume.
+#
+# Why PVC instead of hostPath: see packages/host-cp/k8s/manifests/host-cp/45-pvc.yaml
+# for the full rationale (fsGroup, k3d node filesystem, etc.).
+#
+# local-path StorageClass ships with k3d by default (rancher/local-path-provisioner).
+# On non-k3d clusters, substitute storageClassName with your cluster's provisioner.
+# D24: storageClassName operator-editable — edit the field below for non-k3d substrates.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: olam-auth-data
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+spec:
+  accessModes:
+    - ReadWriteOnce
+  # D24: operator-editable. k3d default is local-path. Change for non-k3d substrates.
+  storageClassName: local-path
+  resources:
+    requests:
+      # D25: auth-service PVC size 5Gi.
+      storage: 5Gi

package/host-cp/k8s/manifests/auth-service/50-deployment.yaml

@@ -0,0 +1,117 @@
+# Deployment for olam-auth-service.
+#
+# Image: pinned to sha256 digest (not :latest or named tag) per T4 threat model.
+# Digest resolves to ghcr.io/pleri/olam-auth:latest (multi-arch index).
+# NOTE (B1): image name is olam-auth (NOT olam-auth-service) — matches the
+# actual GHCR package name published by release.yml publish-auth job.
+# To update: resolve the new tag's digest via:
+#   TOKEN=$(curl -s "https://ghcr.io/token?scope=repository:pleri/olam-auth:pull&service=ghcr.io" | jq -r .token)
+#   curl -sI -H "Authorization: Bearer $TOKEN" \
+#     -H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.list.v2+json" \
+#     https://ghcr.io/v2/pleri/olam-auth/manifests/<tag> | grep docker-content-digest
+# Or use: node scripts/refresh-manifest-digests.mjs
+#
+# securityContext: conservative defaults per T6/T7 threat model (runAsNonRoot,
+# readOnlyRootFilesystem). /tmp backed by emptyDir for transient write needs.
+#
+# D17: auth-service does NOT mount /var/run/docker.sock (Phase 2 k8s pods
+# cannot reach docker.sock — no hostPath socket mount).
+#
+# chown-data init container: grants UID-1000 write access on the freshly-
+# provisioned PV (fsGroup alone is insufficient for local-path PVs).
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: olam-auth-service
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: olam-auth-service
+  template:
+    metadata:
+      labels:
+        app: olam-auth-service
+    spec:
+      serviceAccountName: olam-auth-service
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+        - name: chown-data
+          # busybox:1.36 — sha256-pinned per T4 threat model.
+          image: busybox@sha256:73aaf090f3d85aa34ee199857f03fa3a95c8ede2ffd4cc2cdb5b94e566b11662
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 0
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+          command: ["chown", "-R", "1000:1000", "/data"]
+          volumeMounts:
+            - name: auth-data
+              mountPath: /data
+      containers:
+        - name: olam-auth-service
+          image: ghcr.io/pleri/olam-auth@sha256:8530c3ad6719eeadcd141ff04f6d209f57cdc9aff3636afd43e774d7445df8ee
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - name: http
+              containerPort: 9999
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: olam-auth-service-env
+            - secretRef:
+                name: olam-auth-service-secret
+          volumeMounts:
+            - name: auth-data
+              mountPath: /data
+            - name: tmp
+              mountPath: /tmp
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 9999
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 9999
+            initialDelaySeconds: 30
+            periodSeconds: 20
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "128Mi"
+            limits:
+              cpu: "500m"
+              memory: "512Mi"
+      volumes:
+        - name: auth-data
+          persistentVolumeClaim:
+            claimName: olam-auth-data
+        - name: tmp
+          emptyDir: {}

package/host-cp/k8s/manifests/auth-service/60-service.yaml

@@ -0,0 +1,21 @@
+# ClusterIP Service for olam-auth-service.
+# Port 9999 — consumed by host-cp and other peripherals via cluster-internal DNS.
+# Operator surfaces externally via:
+#   kubectl port-forward -n olam svc/olam-auth-service 9999:9999
+apiVersion: v1
+kind: Service
+metadata:
+  name: olam-auth-service
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+spec:
+  type: ClusterIP
+  selector:
+    app: olam-auth-service
+  ports:
+    - name: http
+      port: 9999
+      targetPort: 9999
+      protocol: TCP

package/host-cp/k8s/manifests/kg-service/10-serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: olam-kg-service
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    olam.io/component: peripheral

package/host-cp/k8s/manifests/kg-service/20-rbac.yaml

@@ -0,0 +1,34 @@
+# Phase 1a Decision 19: Role scoped to resourceNames: ["olam-kg-service"] on
+# apps/v1 deployments. Without this scope, the in-cluster ServiceAccount
+# could patch ANY Deployment in the namespace. This is the load-bearing
+# security guardrail — preserve verbatim.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: olam-kg-service
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    olam.io/component: peripheral
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    resourceNames: ["olam-kg-service"]
+    verbs: ["get", "patch", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: olam-kg-service
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    olam.io/component: peripheral
+subjects:
+  - kind: ServiceAccount
+    name: olam-kg-service
+    namespace: olam
+roleRef:
+  kind: Role
+  name: olam-kg-service
+  apiGroup: rbac.authorization.k8s.io

package/host-cp/k8s/manifests/kg-service/30-configmap.yaml

@@ -0,0 +1,18 @@
+# ConfigMap for olam-kg-service environment. Sensitive values live in
+# the Secret (see templates/kg-service-secret-template.yaml).
+# Operators apply the Secret separately before applying the manifests.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-kg-service-env
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    olam.io/component: peripheral
+data:
+  # Port kg-service listens on. Must match 60-service.yaml targetPort.
+  OLAM_KG_PORT: "9997"
+  # Data directory — backed by the PVC mounted at /data.
+  OLAM_KG_DATA_PATH: "/data/kg"
+  # URL of auth-service (cluster-internal DNS). Override in non-k3d environments.
+  OLAM_AUTH_SERVICE_URL: "http://olam-auth-service.olam.svc.cluster.local:9999"

package/host-cp/k8s/manifests/kg-service/45-pvc.yaml

@@ -0,0 +1,25 @@
+# PersistentVolumeClaim for olam-kg-service /data volume.
+#
+# Why PVC instead of hostPath: see packages/host-cp/k8s/manifests/host-cp/45-pvc.yaml
+# for the full rationale (fsGroup, k3d node filesystem, etc.).
+#
+# local-path StorageClass ships with k3d by default (rancher/local-path-provisioner).
+# On non-k3d clusters, substitute storageClassName with your cluster's provisioner.
+# D24: storageClassName operator-editable — edit the field below for non-k3d substrates.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: olam-kg-data
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    olam.io/component: peripheral
+spec:
+  accessModes:
+    - ReadWriteOnce
+  # D24: operator-editable. k3d default is local-path. Change for non-k3d substrates.
+  storageClassName: local-path
+  resources:
+    requests:
+      # D25: kg-service PVC size 10Gi (larger: graph index grows with codebase).
+      storage: 10Gi

package/host-cp/k8s/manifests/kg-service/50-deployment.yaml

@@ -0,0 +1,108 @@
+# Deployment for olam-kg-service.
+#
+# Image: pinned to sha256 digest (not :latest or named tag) per T4 threat model.
+# Digest resolves to ghcr.io/pleri/olam-kg-service:0.1.0 (multi-arch index).
+# To update: resolve the new tag's digest via:
+#   TOKEN=$(curl -s "https://ghcr.io/token?scope=repository:pleri/olam-kg-service:pull&service=ghcr.io" | jq -r .token)
+#   curl -sI -H "Authorization: Bearer $TOKEN" \
+#     -H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.list.v2+json" \
+#     https://ghcr.io/v2/pleri/olam-kg-service/manifests/<tag> | grep docker-content-digest
+#
+# securityContext: conservative defaults per T6/T7 threat model (runAsNonRoot,
+# readOnlyRootFilesystem). /tmp backed by emptyDir for transient write needs.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: olam-kg-service
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    olam.io/component: peripheral
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: olam-kg-service
+  template:
+    metadata:
+      labels:
+        app: olam-kg-service
+    spec:
+      serviceAccountName: olam-kg-service
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+        - name: chown-data
+          # busybox:1.36 — sha256-pinned per T4 threat model.
+          image: busybox@sha256:73aaf090f3d85aa34ee199857f03fa3a95c8ede2ffd4cc2cdb5b94e566b11662
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 0
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+          command: ["chown", "-R", "1000:1000", "/data"]
+          volumeMounts:
+            - name: kg-data
+              mountPath: /data
+      containers:
+        - name: olam-kg-service
+          image: ghcr.io/pleri/olam-kg-service@sha256:7e213dcc29d865e1d99b4c92d381fa05dfd66677dce72590c23455a49e1afa4a
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - name: http
+              containerPort: 9997
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: olam-kg-service-env
+            - secretRef:
+                name: olam-kg-service-secret
+          volumeMounts:
+            - name: kg-data
+              mountPath: /data
+            - name: tmp
+              mountPath: /tmp
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 9997
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 9997
+            initialDelaySeconds: 30
+            periodSeconds: 20
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+            limits:
+              cpu: "1000m"
+              memory: "1Gi"
+      volumes:
+        - name: kg-data
+          persistentVolumeClaim:
+            claimName: olam-kg-data
+        - name: tmp
+          emptyDir: {}

package/host-cp/k8s/manifests/kg-service/60-service.yaml

@@ -0,0 +1,21 @@
+# ClusterIP Service for olam-kg-service.
+# Port 9997 — consumed by agents and host-cp via cluster-internal DNS.
+# Operator surfaces externally via:
+#   kubectl port-forward -n olam svc/olam-kg-service 9997:9997
+apiVersion: v1
+kind: Service
+metadata:
+  name: olam-kg-service
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    olam.io/component: peripheral
+spec:
+  type: ClusterIP
+  selector:
+    app: olam-kg-service
+  ports:
+    - name: http
+      port: 9997
+      targetPort: 9997
+      protocol: TCP

package/host-cp/k8s/manifests/mcp-auth-service/10-serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: olam-mcp-auth-service
+  namespace: olam
+  labels:
+    app: olam-mcp-auth-service
+    olam.io/component: peripheral

package/host-cp/k8s/manifests/mcp-auth-service/20-rbac.yaml

@@ -0,0 +1,34 @@
+# Phase 1a Decision 19: Role scoped to resourceNames: ["olam-mcp-auth-service"] on
+# apps/v1 deployments. Without this scope, the in-cluster ServiceAccount
+# could patch ANY Deployment in the namespace. This is the load-bearing
+# security guardrail — preserve verbatim.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: olam-mcp-auth-service
+  namespace: olam
+  labels:
+    app: olam-mcp-auth-service
+    olam.io/component: peripheral
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    resourceNames: ["olam-mcp-auth-service"]
+    verbs: ["get", "patch", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: olam-mcp-auth-service
+  namespace: olam
+  labels:
+    app: olam-mcp-auth-service
+    olam.io/component: peripheral
+subjects:
+  - kind: ServiceAccount
+    name: olam-mcp-auth-service
+    namespace: olam
+roleRef:
+  kind: Role
+  name: olam-mcp-auth-service
+  apiGroup: rbac.authorization.k8s.io

package/host-cp/k8s/manifests/mcp-auth-service/30-configmap.yaml

@@ -0,0 +1,18 @@
+# ConfigMap for olam-mcp-auth-service environment. Sensitive values live in
+# the Secret (see templates/mcp-auth-service-secret-template.yaml).
+# Operators apply the Secret separately before applying the manifests.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-mcp-auth-service-env
+  namespace: olam
+  labels:
+    app: olam-mcp-auth-service
+    olam.io/component: peripheral
+data:
+  # Port mcp-auth-service listens on. Must match 60-service.yaml targetPort.
+  OLAM_MCP_AUTH_PORT: "9998"
+  # Data directory — backed by the PVC mounted at /data.
+  OLAM_MCP_AUTH_DATA_PATH: "/data/mcp-auth"
+  # URL of auth-service (cluster-internal DNS). Override in non-k3d environments.
+  OLAM_AUTH_SERVICE_URL: "http://olam-auth-service.olam.svc.cluster.local:9999"

package/host-cp/k8s/manifests/mcp-auth-service/45-pvc.yaml

@@ -0,0 +1,25 @@
+# PersistentVolumeClaim for olam-mcp-auth-service /data volume.
+#
+# Why PVC instead of hostPath: see packages/host-cp/k8s/manifests/host-cp/45-pvc.yaml
+# for the full rationale (fsGroup, k3d node filesystem, etc.).
+#
+# local-path StorageClass ships with k3d by default (rancher/local-path-provisioner).
+# On non-k3d clusters, substitute storageClassName with your cluster's provisioner.
+# D24: storageClassName operator-editable — edit the field below for non-k3d substrates.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: olam-mcp-auth-data
+  namespace: olam
+  labels:
+    app: olam-mcp-auth-service
+    olam.io/component: peripheral
+spec:
+  accessModes:
+    - ReadWriteOnce
+  # D24: operator-editable. k3d default is local-path. Change for non-k3d substrates.
+  storageClassName: local-path
+  resources:
+    requests:
+      # D25: mcp-auth-service PVC size 5Gi.
+      storage: 5Gi