@pleri/olam-cli 0.1.150 → 0.1.152

package/dist/index.js

@@ -15629,15 +15629,15 @@ var init_registry_allowlist = __esm({
 
 // ../core/dist/world/world-yaml.js
 import * as fs34 from "node:fs";
-import * as path35 from "node:path";
+import * as path36 from "node:path";
 import { parse as parseYaml4, stringify as stringifyYaml4 } from "yaml";
 function writeWorldYaml(worldPath, data) {
-  const olamDir = path35.join(worldPath, ".olam");
+  const olamDir = path36.join(worldPath, ".olam");
   fs34.mkdirSync(olamDir, { recursive: true });
-  fs34.writeFileSync(path35.join(olamDir, "world.yaml"), stringifyYaml4(data), "utf-8");
+  fs34.writeFileSync(path36.join(olamDir, "world.yaml"), stringifyYaml4(data), "utf-8");
 }
 function readWorldYaml(worldPath) {
-  const yamlPath = path35.join(worldPath, ".olam", "world.yaml");
+  const yamlPath = path36.join(worldPath, ".olam", "world.yaml");
   if (!fs34.existsSync(yamlPath))
     return null;
   try {
@@ -21011,7 +21011,7 @@ function registerServices(program2) {
 
 // src/lib/auth-refresh-kubernetes.ts
 import * as fs32 from "node:fs";
-import * as path33 from "node:path";
+import * as path34 from "node:path";
 import pc10 from "picocolors";
 import { stringify as yamlStringify2 } from "yaml";
 
@@ -21019,842 +21019,1233 @@ import { stringify as yamlStringify2 } from "yaml";
 init_output();
 import * as fs31 from "node:fs";
 import "node:os";
-import * as path32 from "node:path";
+import * as path33 from "node:path";
 import { parse as yamlParse, stringify as yamlStringify } from "yaml";
 import ora3 from "ora";
 import pc9 from "picocolors";
 
-// src/lib/port-forward.ts
-import { spawn as spawn5 } from "node:child_process";
-import * as fs29 from "node:fs";
-import * as net3 from "node:net";
-import * as path30 from "node:path";
-import * as os16 from "node:os";
-var PORT_FORWARD_PORT = 19e3;
-var PORT_FORWARD_LOCK_PATH = path30.join(OLAM_STATE_DIR, "port-forward.lock");
-var PORT_FORWARD_PID_PATH = path30.join(OLAM_STATE_DIR, "port-forward.pid");
-var TCP_PROBE_TIMEOUT_MS = 2e3;
-async function probePortForwardLiveness(deps = {}) {
-  const probe2 = deps.tcpProbeImpl ?? realTcpProbe;
-  return probe2("127.0.0.1", PORT_FORWARD_PORT, TCP_PROBE_TIMEOUT_MS);
-}
-function realTcpProbe(host, port2, timeoutMs) {
-  return new Promise((resolve23) => {
-    const socket = new net3.Socket();
-    let done = false;
-    function finish(result) {
-      if (done) return;
-      done = true;
-      socket.destroy();
-      resolve23(result);
-    }
-    const timer = setTimeout(() => finish(false), timeoutMs);
-    socket.once("connect", () => {
-      clearTimeout(timer);
-      finish(true);
-    });
-    socket.once("error", () => {
-      clearTimeout(timer);
-      finish(false);
-    });
-    socket.once("timeout", () => {
-      clearTimeout(timer);
-      finish(false);
-    });
-    socket.connect(port2, host);
+// src/lib/health-probes.ts
+import { spawnSync as spawnSync12 } from "node:child_process";
+import { existsSync as existsSync28, readdirSync as readdirSync7, readFileSync as readFileSync22, statSync as statSync6 } from "node:fs";
+import { homedir as homedir18 } from "node:os";
+import path30 from "node:path";
+
+// src/lib/kg-caps.ts
+var SOFT_CAP_BYTES = 15e8;
+var HARD_CAP_BYTES = 5e9;
+
+// src/lib/health-probes.ts
+var HEALTH_TIMEOUT_MS = 5e3;
+var COLIMA_010_WARN_TEXT = (
+  // eslint-disable-next-line @typescript-eslint/quotes
+  "Colima 0.10.1's --kubernetes mode is broken upstream. Either switch to OLAM_HOST_CP_ENGINE=docker (recommended) or downgrade Colima to 0.9.x. Track abiosoft/colima issues for fix."
+);
+var COLIMA_010_RANGE = /^v?0\.10\.\d+$/;
+var defaultDockerExec2 = (cmd, args) => {
+  const r = spawnSync12(cmd, [...args], {
+    encoding: "utf-8",
+    stdio: ["ignore", "pipe", "pipe"]
   });
-}
-function acquireAdvisoryLock(lockPath) {
-  const fd = fs29.openSync(lockPath, fs29.constants.O_CREAT | fs29.constants.O_EXCL | fs29.constants.O_WRONLY);
-  fs29.closeSync(fd);
-  return () => {
-    try {
-      fs29.unlinkSync(lockPath);
-    } catch {
-    }
+  return {
+    status: r.status,
+    stdout: r.stdout ?? "",
+    stderr: r.stderr ?? ""
   };
-}
-function pidFilePath(deps) {
-  const stateDir = deps.stateDir ?? OLAM_STATE_DIR;
-  return path30.join(stateDir, "port-forward.pid");
-}
-function lockFilePath(deps) {
-  const stateDir = deps.stateDir ?? OLAM_STATE_DIR;
-  return path30.join(stateDir, "port-forward.lock");
-}
-function writePidFile(pidPath2, pid) {
-  const dir = path30.dirname(pidPath2);
-  if (!fs29.existsSync(dir)) {
-    fs29.mkdirSync(dir, { recursive: true });
+};
+var defaultFetch = (input2, init) => fetch(input2, init);
+async function probeDockerDaemon(dockerExec = defaultDockerExec2) {
+  const r = dockerExec("docker", ["info", "--format", "{{.ServerVersion}}"]);
+  if (r.status === 0 && r.stdout.trim().length > 0) {
+    return { ok: true, message: `docker ${r.stdout.trim()} reachable` };
   }
-  const tmp = `${pidPath2}.tmp.${process.pid}`;
-  fs29.writeFileSync(tmp, String(pid) + "\n", { encoding: "utf8", mode: 384 });
-  fs29.renameSync(tmp, pidPath2);
+  return {
+    ok: false,
+    message: "docker daemon not reachable",
+    remedy: "Start Docker Desktop (or your docker daemon) and re-run."
+  };
 }
-async function spawnPortForward(context, namespace, target, localPort = PORT_FORWARD_PORT, remotePort = PORT_FORWARD_PORT, deps = {}) {
-  const lockPath = lockFilePath(deps);
-  const pidPath2 = pidFilePath(deps);
-  const spawnImpl = deps.spawnImpl ?? spawn5;
-  const stateDir = deps.stateDir ?? OLAM_STATE_DIR;
-  if (!fs29.existsSync(stateDir)) {
-    fs29.mkdirSync(stateDir, { recursive: true });
-  }
-  let releaseLock2 = null;
-  try {
-    releaseLock2 = acquireAdvisoryLock(lockPath);
-  } catch (err) {
-    const code = err.code;
-    if (code === "EEXIST") {
-      return { spawned: false, reason: "lock-held" };
+async function probeImagePresence(refs, dockerExec = defaultDockerExec2) {
+  for (const ref of refs) {
+    const r = dockerExec("docker", ["image", "inspect", "--format", "{{.Id}}", ref]);
+    if (r.status !== 0) {
+      return {
+        ok: false,
+        message: `image ${ref} not present locally`,
+        remedy: "Run `olam bootstrap` to pull the published image, or build locally."
+      };
     }
-    throw err;
   }
+  return { ok: true, message: `${refs.length} image(s) present` };
+}
+async function probeHostCpHealth(fetchImpl = defaultFetch) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), HEALTH_TIMEOUT_MS);
   try {
-    const live = await probePortForwardLiveness(deps);
-    if (live) {
-      return { spawned: false, reason: "live" };
+    const res = await fetchImpl("http://127.0.0.1:19000/health", { signal: controller.signal });
+    const body = await res.text().catch(() => "");
+    if (res.status !== 200) {
+      return {
+        ok: false,
+        message: `host-cp /health returned ${res.status}`,
+        remedy: "Restart host-cp via `olam host-cp start`; verify port 19000 is bound to 127.0.0.1."
+      };
     }
-    const child = spawnImpl(
-      "kubectl",
-      [
-        "--context",
-        context,
-        "port-forward",
-        "-n",
-        namespace,
-        target,
-        `${localPort}:${remotePort}`
-      ],
-      {
-        stdio: ["ignore", "ignore", "ignore"],
-        detached: true
-      }
-    );
-    if (typeof child.pid !== "number" || child.pid <= 0) {
-      return { spawned: false, reason: "lock-held" };
+    if (isHostCpHealthEnvelope(body)) {
+      return { ok: true, message: "host-cp /health returned 200" };
     }
-    writePidFile(pidPath2, child.pid);
-    child.unref();
-    child.once("exit", () => {
-      try {
-        fs29.unlinkSync(pidPath2);
-      } catch {
-      }
-    });
-    return { spawned: true, pid: child.pid };
+    return {
+      ok: false,
+      message: "host-cp /health returned 200 but body did not match the host-cp envelope (possible port collision on :19000)",
+      remedy: "Check `lsof -iTCP:19000`; another process may have bound the port. Restart host-cp via `olam host-cp start`."
+    };
+  } catch (err) {
+    const e = err;
+    const reason = e.name === "AbortError" ? `timeout (${HEALTH_TIMEOUT_MS}ms)` : e.message;
+    return {
+      ok: false,
+      message: `host-cp /health unreachable: ${reason}`,
+      remedy: "Restart host-cp via `olam host-cp start`; verify port 19000 is bound to 127.0.0.1."
+    };
   } finally {
-    releaseLock2();
+    clearTimeout(timeout);
   }
 }
-function peripheralPidPath(name, stateDir) {
-  return path30.join(stateDir, `port-forward-${name}.pid`);
-}
-function peripheralLockPath(name, stateDir) {
-  return path30.join(stateDir, `port-forward-${name}.lock`);
+function isHostCpHealthEnvelope(body) {
+  let parsed;
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    return false;
+  }
+  if (!parsed || typeof parsed !== "object") return false;
+  const obj = parsed;
+  if (typeof obj.phase !== "string") return false;
+  if (!obj.cache || typeof obj.cache !== "object") return false;
+  const mode = obj.mode;
+  if (!mode || typeof mode !== "object") return false;
+  if (typeof mode.deployment !== "string") return false;
+  return true;
 }
-async function spawnPeripheralPortForward(peripheral, context, namespace, deps = {}) {
-  const stateDir = deps.stateDir ?? OLAM_STATE_DIR;
-  const spawnImpl = deps.spawnImpl ?? spawn5;
-  const tcpProbeImpl = deps.tcpProbeImpl ?? realTcpProbe;
-  if (!fs29.existsSync(stateDir)) {
-    fs29.mkdirSync(stateDir, { recursive: true });
+async function probeAuthVault(olamHomeOverride) {
+  const vaultPath = resolveAccountsPath(olamHomeOverride);
+  if (!existsSync28(vaultPath)) {
+    return {
+      ok: false,
+      message: `auth vault missing at ${vaultPath}`,
+      remedy: "Run `olam auth up && olam auth login` to provision the vault."
+    };
   }
-  const lockPath = peripheralLockPath(peripheral.name, stateDir);
-  const pidPath2 = peripheralPidPath(peripheral.name, stateDir);
-  let releaseLock2 = null;
+  let parsed;
   try {
-    releaseLock2 = acquireAdvisoryLock(lockPath);
+    parsed = JSON.parse(readFileSync22(vaultPath, "utf-8"));
   } catch (err) {
-    const code = err.code;
-    if (code === "EEXIST") {
-      return false;
-    }
-    throw err;
+    return {
+      ok: false,
+      message: `auth vault malformed: ${err.message}`,
+      remedy: "Inspect the accounts.json file; restore from backup or re-run `olam auth up`."
+    };
   }
-  try {
-    const alive = await tcpProbeImpl("127.0.0.1", peripheral.port, TCP_PROBE_TIMEOUT_MS);
-    if (alive) {
-      return false;
-    }
-    const child = spawnImpl(
-      "kubectl",
-      [
-        "--context",
-        context,
-        "port-forward",
-        "-n",
-        namespace,
-        `service/${peripheral.k8sServiceName}`,
-        `${peripheral.port}:${peripheral.port}`
-      ],
-      {
-        stdio: ["ignore", "ignore", "ignore"],
-        detached: true
-      }
-    );
-    if (typeof child.pid !== "number" || child.pid <= 0) {
-      return false;
-    }
-    writePidFile(pidPath2, child.pid);
-    child.unref();
-    child.once("exit", () => {
-      try {
-        fs29.unlinkSync(pidPath2);
-      } catch {
-      }
-    });
-    return true;
-  } finally {
-    releaseLock2();
+  if (!Array.isArray(parsed)) {
+    return {
+      ok: false,
+      message: "auth vault malformed: expected JSON array at top level",
+      remedy: "Restore the vault from backup or re-run `olam auth up && olam auth login`."
+    };
+  }
+  const accounts = parsed.filter((a) => a !== null && typeof a === "object");
+  const now = Date.now();
+  const activeClaude = accounts.filter((a) => a.provider === "claude" && effectiveState2(a, now) === "active");
+  if (activeClaude.length === 0) {
+    return {
+      ok: false,
+      message: `no active claude credentials (vault has ${accounts.length} account(s))`,
+      remedy: "Run `olam auth login` to add a credential, or wait for the next reset."
+    };
   }
+  return { ok: true, message: `${activeClaude.length} active claude credential(s)` };
 }
-async function spawnAllPeripheralPortForwards(context = "olam", namespace = "olam", deps = {}) {
-  await Promise.all(
-    PERIPHERALS.map((p) => spawnPeripheralPortForward(p, context, namespace, deps))
-  );
+function resolveAccountsPath(olamHomeOverride) {
+  const explicit = process.env.OLAM_AUTH_DATA_PATH;
+  if (explicit) return explicit;
+  const olamHome5 = olamHomeOverride ?? process.env.OLAM_HOME ?? path30.join(homedir18(), ".olam");
+  return path30.join(olamHome5, "auth-data", "accounts.json");
 }
-
-// src/lib/instrumentation.ts
-var INSTRUMENTATION_SCHEMA = "olam.instr.v1";
-var INSTRUMENTATION_PREFIX = "OLAM_INSTR ";
-function nowIso(now) {
-  const d = now ? now() : /* @__PURE__ */ new Date();
-  return d.toISOString();
+function effectiveState2(account, now) {
+  const persisted = account.state ?? (account.rateLimited ? "cooldown" : "active");
+  if (persisted === "disabled") return "disabled";
+  if (typeof account.expiresAt === "number" && account.expiresAt <= now) return "expired";
+  if (persisted === "cooldown") {
+    const reset = account.rateLimitResetsAt ? new Date(account.rateLimitResetsAt).getTime() : 0;
+    if (reset > 0 && reset <= now) return "active";
+  }
+  return persisted;
 }
-function resolveInstallId(opts) {
+async function probeKgStorage(olamHomeOverride) {
+  const olamHome5 = olamHomeOverride ?? process.env.OLAM_HOME ?? path30.join(homedir18(), ".olam");
+  const kgRoot3 = path30.join(olamHome5, "kg");
+  const worldsRoot3 = path30.join(olamHome5, "worlds");
+  const kgBytes = enumerateGraphifyOut(kgRoot3, "pristine");
+  const overlayBytes = enumerateGraphifyOut(worldsRoot3, "overlay");
+  const totalBytes = kgBytes + overlayBytes;
+  if (totalBytes >= HARD_CAP_BYTES) {
+    return {
+      ok: false,
+      message: `KG storage ${formatBytes(totalBytes)} exceeds 5 GB hard cap`,
+      remedy: "Prune stale pristines: `rm -rf ~/.olam/kg/<workspace>` after operator review."
+    };
+  }
+  if (totalBytes >= SOFT_CAP_BYTES) {
+    return {
+      ok: true,
+      message: `KG storage ${formatBytes(totalBytes)} (soft-warn \u2014 exceeds 1.5 GB; consider pruning)`
+    };
+  }
+  return { ok: true, message: `KG storage ${formatBytes(totalBytes)} (under cap)` };
+}
+function enumerateGraphifyOut(root, layout) {
+  if (!existsSync28(root)) return 0;
+  let total = 0;
+  let entries;
   try {
-    if (opts.installIdProvider) return opts.installIdProvider();
-    const cfg = readConfig();
-    return cfg.install_id;
+    entries = readdirSync7(root, { withFileTypes: true });
   } catch {
-    return "unknown";
+    return 0;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    if (layout === "pristine") {
+      total += dirSizeBytes(path30.join(root, entry.name, "graphify-out"));
+    } else {
+      const worldDir = path30.join(root, entry.name);
+      let clones;
+      try {
+        clones = readdirSync7(worldDir, { withFileTypes: true });
+      } catch {
+        continue;
+      }
+      for (const clone of clones) {
+        if (!clone.isDirectory()) continue;
+        total += dirSizeBytes(path30.join(worldDir, clone.name, "graphify-out"));
+      }
+    }
   }
+  return total;
 }
-function writeLine(stderr, payload) {
-  try {
-    const line = `${INSTRUMENTATION_PREFIX}${JSON.stringify(payload)}
-`;
-    stderr.write(line);
-  } catch (err) {
+function dirSizeBytes(dir) {
+  if (!existsSync28(dir)) return 0;
+  let total = 0;
+  const stack = [dir];
+  while (stack.length > 0) {
+    const cur = stack.pop();
+    let entries;
     try {
-      stderr.write(
-        `[WARN] olam instrumentation emit failed: ${err instanceof Error ? err.message : String(err)}
-`
-      );
+      entries = readdirSync7(cur, { withFileTypes: true });
     } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      const full = path30.join(cur, entry.name);
+      if (entry.isSymbolicLink()) continue;
+      if (entry.isDirectory()) {
+        stack.push(full);
+        continue;
+      }
+      try {
+        total += statSync6(full).size;
+      } catch {
+      }
     }
   }
+  return total;
 }
-function emitSubstrateSet(payload, opts = {}) {
-  const event = {
-    schema: INSTRUMENTATION_SCHEMA,
-    event: "substrate.set",
-    install_id: resolveInstallId(opts),
-    ts: nowIso(opts.now),
-    substrate: payload.substrate,
-    ...payload.flavor !== void 0 ? { flavor: payload.flavor } : {}
-  };
-  writeLine(opts.stderr ?? process.stderr, event);
+function formatBytes(n) {
+  if (n < 1024) return `${n} B`;
+  if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)} KB`;
+  if (n < 1024 * 1024 * 1024) return `${(n / 1024 / 1024).toFixed(1)} MB`;
+  return `${(n / 1024 / 1024 / 1024).toFixed(2)} GB`;
 }
-function emitUpgradeComplete(payload, opts = {}) {
-  const event = {
-    schema: INSTRUMENTATION_SCHEMA,
-    event: "upgrade.complete",
-    install_id: resolveInstallId(opts),
-    ts: nowIso(opts.now),
-    substrate: payload.substrate,
-    duration_ms: payload.duration_ms,
-    ...payload.flavor !== void 0 ? { flavor: payload.flavor } : {}
-  };
-  writeLine(opts.stderr ?? process.stderr, event);
+async function probeEngine(fetchImpl = defaultFetch) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), HEALTH_TIMEOUT_MS);
+  try {
+    const res = await fetchImpl("http://127.0.0.1:19000/health", { signal: controller.signal });
+    await res.text().catch(() => "");
+    if (res.status !== 200) {
+      return {
+        ok: false,
+        message: `host-cp /health returned ${res.status}; engine unknown`,
+        remedy: "Restart host-cp via `olam host-cp start`; verify port 19000 is bound to 127.0.0.1."
+      };
+    }
+    const engineHeader = res.headers.get("x-olam-engine") ?? res.headers.get("X-Olam-Engine");
+    if (!engineHeader) {
+      return {
+        ok: true,
+        message: "engine unknown (X-Olam-Engine header absent \u2014 older host-cp?)"
+      };
+    }
+    return {
+      ok: true,
+      message: `engine ${engineHeader}`,
+      engineName: engineHeader
+    };
+  } catch (err) {
+    const e = err;
+    const reason = e.name === "AbortError" ? `timeout (${HEALTH_TIMEOUT_MS}ms)` : e.message;
+    return {
+      ok: false,
+      message: `engine probe unreachable: ${reason}`,
+      remedy: "Restart host-cp via `olam host-cp start`; verify port 19000 is bound to 127.0.0.1."
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
 }
-
-// src/lib/manifest-refresh.ts
-import * as fs30 from "node:fs";
-import * as path31 from "node:path";
-init_install_root();
-var MANIFEST_REFRESH_AUDIT_LOG = path31.join(OLAM_STATE_DIR, "manifest-refresh-audit.jsonl");
-var SECURITY_SENSITIVE_FIELDS = [
-  "securityContext",
-  "resources.limits",
-  "capabilities",
-  "readOnlyRootFilesystem",
-  "rules"
-  // RBAC Role rules
-];
-function seedManifestsFromBundle(forceRefresh, deps = {}) {
-  const existsSyncImpl = deps.existsSync ?? fs30.existsSync;
-  const cpSyncImpl = deps.cpSync ?? fs30.cpSync;
-  const mkdirSyncImpl = deps.mkdirSync ?? fs30.mkdirSync;
-  const rootDir = deps.installRootDir ?? installRoot();
-  const sourcePath = path31.join(rootDir, "host-cp", "k8s", "manifests");
-  const OLAM_HOME3 = path31.join(
-    process.env.HOME ?? process.env.USERPROFILE ?? "/tmp",
-    ".olam"
-  );
-  const targetPath = deps.targetManifestsDir ?? path31.join(OLAM_HOME3, "k8s", "manifests");
-  if (!forceRefresh && existsSyncImpl(targetPath)) {
+async function probeColimaVersion(dockerExec = defaultDockerExec2) {
+  const r = dockerExec("colima", ["version"]);
+  if (r.status === null || r.status !== 0 && /not found|ENOENT|not.found/i.test(r.stderr)) {
+    return { ok: true, message: "colima not installed (not in use)" };
+  }
+  if (r.status !== 0) {
     return {
-      seeded: false,
-      skipped: true,
-      reason: `~/.olam/k8s/manifests/ already exists \u2014 skipping seed (use --force-refresh-manifests to overwrite)`
+      ok: true,
+      message: `colima present but version probe failed: ${(r.stderr || "").trim()}`
     };
   }
-  if (!existsSyncImpl(sourcePath)) {
+  const tokens = r.stdout.split(/\s+/);
+  const version = tokens.find((t) => /^v?\d+\.\d+\.\d+/.test(t)) ?? "";
+  if (!version) {
     return {
-      seeded: false,
-      skipped: true,
-      reason: `Bundled manifests not found at ${sourcePath} \u2014 skipping seed (dev/monorepo context).
-If running from a published install, re-run npm install to restore the bundle.`
+      ok: true,
+      message: `colima present but version unrecognised: ${r.stdout.trim().slice(0, 80)}`
     };
   }
-  try {
-    mkdirSyncImpl(path31.dirname(targetPath), { recursive: true });
-    cpSyncImpl(sourcePath, targetPath, { recursive: true });
-  } catch (err) {
+  if (COLIMA_010_RANGE.test(version)) {
     return {
-      seeded: false,
-      skipped: false,
-      error: `Failed to seed manifests from ${sourcePath} to ${targetPath}: ${err instanceof Error ? err.message : String(err)}`
+      ok: true,
+      warn: true,
+      message: `colima ${version} detected \u2014 known kubernetes-mode regression`,
+      remedy: COLIMA_010_WARN_TEXT
     };
   }
+  return { ok: true, message: `colima ${version} (clear)` };
+}
+async function probeK8sApiReachable(exec = defaultDockerExec2) {
+  const r = exec("kubectl", ["version", "--output=json", "--request-timeout=2s"]);
+  if (r.status === 0 && r.stdout.length > 0) {
+    let parsed;
+    try {
+      parsed = JSON.parse(r.stdout);
+    } catch {
+      parsed = null;
+    }
+    const obj = parsed && typeof parsed === "object" ? parsed : {};
+    const serverInfo = obj.serverVersion;
+    const gitVersion = typeof serverInfo?.gitVersion === "string" ? serverInfo.gitVersion : "unknown";
+    return { ok: true, message: `api server ${gitVersion} reachable` };
+  }
   return {
-    seeded: true,
-    source: sourcePath,
-    target: targetPath,
-    message: forceRefresh ? `Manifests force-refreshed from ${sourcePath} \u2192 ${targetPath}` : `Manifests seeded from ${sourcePath} \u2192 ${targetPath}`
+    ok: false,
+    message: "api server not reachable",
+    remedy: "Confirm the cluster is up (e.g. `k3d cluster list`) and your context points at it."
   };
 }
-function extractField(obj, fieldKey) {
-  if (typeof obj !== "object" || obj === null) return "";
-  const keys = fieldKey.split(".");
-  let current = obj;
-  for (const k of keys) {
-    if (typeof current !== "object" || current === null) return "";
-    current = current[k];
-  }
-  if (current === void 0) return "";
-  return JSON.stringify(current);
-}
-function extractSecurityFieldsFromParsed(parsed) {
-  const result = {};
-  for (const field of SECURITY_SENSITIVE_FIELDS) {
-    result[field] = extractField(parsed, field);
-  }
-  return result;
-}
-function diffManifestSecurityFields(oldContent, newContent) {
-  let oldParsed;
-  let newParsed;
-  try {
-    oldParsed = JSON.parse(oldContent);
-  } catch {
-    oldParsed = { _raw: oldContent };
-  }
-  try {
-    newParsed = JSON.parse(newContent);
-  } catch {
-    newParsed = { _raw: newContent };
-  }
-  const oldFields = extractSecurityFieldsFromParsed(oldParsed);
-  const newFields = extractSecurityFieldsFromParsed(newParsed);
-  const changedFields = [];
-  for (const field of SECURITY_SENSITIVE_FIELDS) {
-    if (oldFields[field] !== newFields[field]) {
-      changedFields.push(field);
-    }
-  }
-  return {
-    hasSecurityRegression: changedFields.length > 0,
-    changedFields
-  };
-}
-function appendAuditEntry(entry, auditLogPath, writeFileSyncImpl) {
-  const line = JSON.stringify(entry) + "\n";
-  try {
-    writeFileSyncImpl(auditLogPath, line, {
-      encoding: "utf8",
-      flag: "a",
-      mode: 384
-    });
-  } catch (err) {
-    throw new Error(`audit log unavailable: ${err instanceof Error ? err.message : String(err)}`);
-  }
-}
-async function runManifestRefresh(manifestsDir, acceptRegression, deps = {}, peripheral) {
-  const auditLogPath = deps.auditLogPath ?? MANIFEST_REFRESH_AUDIT_LOG;
-  const readdirSync25 = deps.readdirSync ?? fs30.readdirSync;
-  const readFileSync74 = deps.readFileSync ?? fs30.readFileSync;
-  const writeFileSyncImpl = deps.writeFileSync ?? fs30.writeFileSync;
-  const existsSync99 = deps.existsSync ?? fs30.existsSync;
-  const now = deps.now ? deps.now() : /* @__PURE__ */ new Date();
-  const targetDir = peripheral ? path31.join(manifestsDir, peripheral) : manifestsDir;
-  if (!existsSync99(targetDir)) {
+async function probeK8sImagePresence(refs, exec = defaultDockerExec2) {
+  const r = exec("kubectl", ["get", "nodes", "-o", "json", "--request-timeout=2s"]);
+  if (r.status !== 0) {
     return {
       ok: false,
-      message: peripheral ? `peripheral manifests directory not found: ${targetDir}` : `manifests directory not found: ${targetDir}`
+      message: "unable to list cluster nodes for image presence check",
+      remedy: "Confirm the cluster is up and your context points at it; re-run `olam doctor`."
     };
   }
-  let files;
+  let parsed;
   try {
-    const entries = readdirSync25(targetDir, { withFileTypes: true });
-    files = entries.filter((e) => e.isFile() && (e.name.endsWith(".yaml") || e.name.endsWith(".json"))).map((e) => e.name);
-  } catch (err) {
+    parsed = JSON.parse(r.stdout);
+  } catch {
     return {
       ok: false,
-      message: `failed to read manifests dir: ${err instanceof Error ? err.message : String(err)}`
+      message: "cluster node list returned malformed output",
+      remedy: "Restart your cluster; if persistent, re-create it."
     };
   }
-  const allChangedFields = [];
-  for (const file of files) {
-    const filePath = path31.join(targetDir, file);
-    let content;
-    try {
-      content = readFileSync74(filePath, "utf8");
-    } catch {
-      continue;
-    }
-    const diff = diffManifestSecurityFields("{}", content);
-    for (const f of diff.changedFields) {
-      if (!allChangedFields.includes(f)) allChangedFields.push(f);
-    }
-  }
-  const hasSecurityRegression = allChangedFields.length > 0;
-  if (hasSecurityRegression && !acceptRegression) {
+  const nodes = parsed && typeof parsed === "object" ? parsed.items : void 0;
+  if (!Array.isArray(nodes) || nodes.length === 0) {
     return {
       ok: false,
-      message: `manifest refresh refused: security-sensitive fields changed (${allChangedFields.join(", ")}).
-Re-run with --accept-security-regression to acknowledge and proceed.`
+      message: "cluster has no nodes",
+      remedy: "Start the cluster and try again."
     };
   }
-  const entry = {
-    ts: now.toISOString(),
-    manifests_path: targetDir,
-    security_regression: hasSecurityRegression,
-    changed_fields: allChangedFields,
-    accepted: acceptRegression,
-    operator_pid: process.pid,
-    ...peripheral !== void 0 ? { peripheral } : {}
-  };
-  try {
-    appendAuditEntry(entry, auditLogPath, writeFileSyncImpl);
-  } catch (err) {
-    return {
-      ok: false,
-      message: err instanceof Error ? err.message : String(err)
-    };
+  const presentImages = /* @__PURE__ */ new Set();
+  for (const node of nodes) {
+    const status2 = node.status;
+    const images = status2?.images;
+    if (!Array.isArray(images)) continue;
+    for (const img of images) {
+      const names = img.names;
+      if (!Array.isArray(names)) continue;
+      for (const n of names) presentImages.add(n);
+    }
   }
-  return {
-    ok: true,
-    message: hasSecurityRegression ? `Security-sensitive fields changed (${allChangedFields.join(", ")}); accepted via --accept-security-regression. Audit entry written.` : "Manifest refresh completed (no security-sensitive field changes). Audit entry written."
-  };
-}
-
-// src/lib/upgrade-kubernetes.ts
-var OLAM_K8S_MANIFESTS_DIR = path32.join(OLAM_HOME, "k8s", "manifests");
-var K8S_NAMESPACE2 = "olam";
-var HOST_CP_SECRET_NAME = "olam-host-cp-secret";
-var HOST_CP_DEPLOYMENT_NAME = "olam-host-cp";
-var PORT_FORWARD_TARGET = "service/olam-host-cp";
-var HOST_CP_HEALTH_URL = "http://127.0.0.1:19000/health";
-var SUBSTRATE_AUDIT_LOG = path32.join(OLAM_STATE_DIR, "substrate-audit.jsonl");
-var PLACEHOLDER_VALUES = /* @__PURE__ */ new Set(["OLAM_AUTH_SECRET", "GH_TOKEN"]);
-var REQUIRED_SECRET_KEYS = ["OLAM_AUTH_SECRET", "GH_TOKEN"];
-var PERIPHERAL_SECRETS = [
-  { name: "auth-service", secretName: "olam-auth-service-secret", keys: ["OLAM_AUTH_DB_SECRET"] },
-  { name: "mcp-auth-service", secretName: "olam-mcp-auth-service-secret", keys: ["OLAM_MCP_AUTH_JWT_SECRET"] },
-  { name: "kg-service", secretName: "olam-kg-service-secret", keys: ["OLAM_KG_BEARER_TOKEN"] },
-  { name: "memory-service", secretName: "olam-memory-service-secret", keys: ["OLAM_MEMORY_BEARER_SECRET"] }
-];
-var K8S_DNS_SUFFIX = "olam.svc.cluster.local";
-function buildK8sDnsUrl(k8sServiceName, port2) {
-  return `http://${k8sServiceName}.${K8S_DNS_SUFFIX}:${port2}`;
-}
-function appendSubstrateAuditEntry(entry, stderr) {
-  try {
-    const line = JSON.stringify(entry) + "\n";
-    const dir = path32.dirname(SUBSTRATE_AUDIT_LOG);
-    if (!fs31.existsSync(dir)) fs31.mkdirSync(dir, { recursive: true });
-    fs31.writeFileSync(SUBSTRATE_AUDIT_LOG, line, { encoding: "utf8", flag: "a", mode: 384 });
-  } catch (err) {
-    stderr.write(
-      `${pc9.yellow("[warn]")} could not write substrate audit log: ${err instanceof Error ? err.message : String(err)}
-`
-    );
+  for (const ref of refs) {
+    if (!hasImageRef(presentImages, ref)) {
+      return {
+        ok: false,
+        message: `image ${ref} not present on any cluster node`,
+        remedy: "Run `olam bootstrap` to import the published image into the cluster."
+      };
+    }
   }
+  return { ok: true, message: `${refs.length} image(s) present on cluster` };
 }
-function isContextAllowed(context) {
-  return typeof context === "string" && context.length > 0;
+function hasImageRef(present, ref) {
+  if (present.has(ref)) return true;
+  const variants = [`docker.io/library/${ref}`, `docker.io/${ref}`];
+  return variants.some((v) => present.has(v));
 }
-var MANAGED_K8S_URL_PATTERNS = [
-  { pattern: /\.amazonaws\.com(:\d+)?$/, provider: "EKS (Amazon)" },
-  { pattern: /\.googleapis\.com(:\d+)?$/, provider: "GKE (Google)" },
-  { pattern: /\.gke\.io(:\d+)?$/, provider: "GKE (Google)" },
-  { pattern: /\.azmk8s\.io(:\d+)?$/, provider: "AKS (Azure)" },
-  { pattern: /\.k8s\.ondigitalocean\.com(:\d+)?$/, provider: "DOKS (DigitalOcean)" },
-  { pattern: /\.civo\.com(:\d+)?$/, provider: "Civo" }
-];
-async function detectManagedK8sProvider(deps) {
-  if (deps.getClusterServerUrlImpl) {
-    const url3 = await deps.getClusterServerUrlImpl();
-    if (!url3) return null;
-    for (const { pattern, provider } of MANAGED_K8S_URL_PATTERNS) {
-      if (pattern.test(url3)) return provider;
-    }
-    return null;
-  }
-  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
-  const result = await wrap(
-    ["config", "view", "--minify", "-o", "jsonpath={.clusters[0].cluster.server}"],
-    { timeout: 5e3 }
-  );
-  if (!result.ok || !result.stdout.trim()) return null;
-  const url2 = result.stdout.trim();
-  for (const { pattern, provider } of MANAGED_K8S_URL_PATTERNS) {
-    if (pattern.test(url2)) return provider;
-  }
-  return null;
+function defaultDetectK8sClusterType(kubectlContext) {
+  const ctx = kubectlContext ?? readCurrentKubectlContext();
+  if (!ctx) return "unknown";
+  if (ctx.startsWith("colima")) return "colima";
+  if (ctx.startsWith("k3d-")) return "k3d";
+  return "unknown";
 }
-async function checkDockerSocketAccessible(context, deps) {
-  if (deps.checkDockerSocketImpl) {
-    return deps.checkDockerSocketImpl(context);
+function readCurrentKubectlContext() {
+  const r = spawnSync12("kubectl", ["config", "current-context"], {
+    encoding: "utf-8",
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+  if (r.status !== 0) return void 0;
+  return r.stdout?.trim() || void 0;
+}
+function buildDockerSocketRemedy(clusterType) {
+  if (clusterType === "colima") {
+    return "Recreate the Colima k3s cluster with the docker socket bind-mount:\n  colima stop\n  colima start --kubernetes \\\n    --mount /var/run/docker.sock:/var/run/docker.sock:w \\\n    --mount ~/.config/gh:/host/.config/gh:r\nThen run: olam upgrade";
   }
-  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
-  const result = await wrap(
-    [
-      "--context",
-      context,
-      "exec",
-      "deploy/olam-host-cp",
-      "-n",
-      "olam",
-      "--",
-      "test",
-      "-S",
-      "/var/run/docker.sock"
-    ],
-    { timeout: 1e4 }
-  );
-  return result.ok;
+  return "Recreate the k3d cluster with the docker socket bind-mount:\n  k3d cluster create olam-host \\\n    --volume /var/run/docker.sock:/var/run/docker.sock@server:* \\\n    --volume ~/.config/gh:/host/.config/gh \\\n    --wait --timeout 90s\nThen run: olam upgrade";
 }
-async function probeKubernetesApiReachable(context, deps) {
-  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
-  const result = await wrap(
-    ["--context", context, "cluster-info"],
-    { timeout: 5e3 }
-  );
-  return result.ok;
+
+// src/lib/port-forward.ts
+import { spawn as spawn5 } from "node:child_process";
+import * as fs29 from "node:fs";
+import * as net3 from "node:net";
+import * as path31 from "node:path";
+import * as os16 from "node:os";
+var PORT_FORWARD_PORT = 19e3;
+var PORT_FORWARD_LOCK_PATH = path31.join(OLAM_STATE_DIR, "port-forward.lock");
+var PORT_FORWARD_PID_PATH = path31.join(OLAM_STATE_DIR, "port-forward.pid");
+var TCP_PROBE_TIMEOUT_MS = 2e3;
+async function probePortForwardLiveness(deps = {}) {
+  const probe2 = deps.tcpProbeImpl ?? realTcpProbe;
+  return probe2("127.0.0.1", PORT_FORWARD_PORT, TCP_PROBE_TIMEOUT_MS);
 }
-async function checkSecretPreCondition(context, deps) {
-  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
-  const result = await wrap(
-    [
-      "--context",
-      context,
-      "get",
-      "secret",
-      HOST_CP_SECRET_NAME,
-      "-n",
-      K8S_NAMESPACE2,
-      "-o",
-      "json"
-    ],
-    { timeout: 15e3 }
-  );
-  if (!result.ok) {
-    return `Secret "${HOST_CP_SECRET_NAME}" not found in namespace "${K8S_NAMESPACE2}".
-  Create it first: kubectl --context ${context} apply -f <your-secret.yaml>
-  ${result.stderr.split("\n")[0] ?? ""}`;
-  }
-  let secretJson;
-  try {
-    secretJson = JSON.parse(result.stdout);
-  } catch {
-    return `Failed to parse Secret JSON: ${result.stdout.slice(0, 200)}`;
-  }
-  const data = secretJson.data ?? {};
-  for (const key of REQUIRED_SECRET_KEYS) {
-    if (!(key in data)) {
-      return `Secret "${HOST_CP_SECRET_NAME}" is missing required key "${key}".
-  Keys found: ${Object.keys(data).join(", ") || "(none)"}
-  Add the key and re-run.`;
+function realTcpProbe(host, port2, timeoutMs) {
+  return new Promise((resolve23) => {
+    const socket = new net3.Socket();
+    let done = false;
+    function finish(result) {
+      if (done) return;
+      done = true;
+      socket.destroy();
+      resolve23(result);
     }
-    const b64 = data[key] ?? "";
-    const decoded = Buffer.from(b64, "base64").toString("utf8");
-    if (PLACEHOLDER_VALUES.has(decoded)) {
-      return `Secret "${HOST_CP_SECRET_NAME}" key "${key}" still holds its placeholder value.
-  Replace the placeholder with a real value, then re-run.`;
+    const timer = setTimeout(() => finish(false), timeoutMs);
+    socket.once("connect", () => {
+      clearTimeout(timer);
+      finish(true);
+    });
+    socket.once("error", () => {
+      clearTimeout(timer);
+      finish(false);
+    });
+    socket.once("timeout", () => {
+      clearTimeout(timer);
+      finish(false);
+    });
+    socket.connect(port2, host);
+  });
+}
+function acquireAdvisoryLock(lockPath) {
+  const fd = fs29.openSync(lockPath, fs29.constants.O_CREAT | fs29.constants.O_EXCL | fs29.constants.O_WRONLY);
+  fs29.closeSync(fd);
+  return () => {
+    try {
+      fs29.unlinkSync(lockPath);
+    } catch {
     }
+  };
+}
+function pidFilePath(deps) {
+  const stateDir = deps.stateDir ?? OLAM_STATE_DIR;
+  return path31.join(stateDir, "port-forward.pid");
+}
+function lockFilePath(deps) {
+  const stateDir = deps.stateDir ?? OLAM_STATE_DIR;
+  return path31.join(stateDir, "port-forward.lock");
+}
+function writePidFile(pidPath2, pid) {
+  const dir = path31.dirname(pidPath2);
+  if (!fs29.existsSync(dir)) {
+    fs29.mkdirSync(dir, { recursive: true });
   }
-  return null;
+  const tmp = `${pidPath2}.tmp.${process.pid}`;
+  fs29.writeFileSync(tmp, String(pid) + "\n", { encoding: "utf8", mode: 384 });
+  fs29.renameSync(tmp, pidPath2);
 }
-async function applyConfigMapSubstitution(context, manifestsDir, deps) {
-  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
-  const readFileSync74 = deps.readFileSyncImpl ?? fs31.readFileSync;
-  const configMapPath = path32.join(manifestsDir, "30-configmap.yaml");
-  let rawYaml;
+async function spawnPortForward(context, namespace, target, localPort = PORT_FORWARD_PORT, remotePort = PORT_FORWARD_PORT, deps = {}) {
+  const lockPath = lockFilePath(deps);
+  const pidPath2 = pidFilePath(deps);
+  const spawnImpl = deps.spawnImpl ?? spawn5;
+  const stateDir = deps.stateDir ?? OLAM_STATE_DIR;
+  if (!fs29.existsSync(stateDir)) {
+    fs29.mkdirSync(stateDir, { recursive: true });
+  }
+  let releaseLock2 = null;
   try {
-    rawYaml = readFileSync74(configMapPath, "utf8");
+    releaseLock2 = acquireAdvisoryLock(lockPath);
   } catch (err) {
-    return `Failed to read ConfigMap at ${configMapPath}: ${err instanceof Error ? err.message : String(err)}`;
+    const code = err.code;
+    if (code === "EEXIST") {
+      return { spawned: false, reason: "lock-held" };
+    }
+    throw err;
   }
-  let parsed;
   try {
-    parsed = yamlParse(rawYaml);
-  } catch (err) {
-    return `Failed to parse ConfigMap YAML at ${configMapPath}: ${err instanceof Error ? err.message : String(err)}`;
+    const live = await probePortForwardLiveness(deps);
+    if (live) {
+      return { spawned: false, reason: "live" };
+    }
+    const child = spawnImpl(
+      "kubectl",
+      [
+        "--context",
+        context,
+        "port-forward",
+        "-n",
+        namespace,
+        target,
+        `${localPort}:${remotePort}`
+      ],
+      {
+        stdio: ["ignore", "ignore", "ignore"],
+        detached: true
+      }
+    );
+    if (typeof child.pid !== "number" || child.pid <= 0) {
+      return { spawned: false, reason: "lock-held" };
+    }
+    writePidFile(pidPath2, child.pid);
+    child.unref();
+    child.once("exit", () => {
+      try {
+        fs29.unlinkSync(pidPath2);
+      } catch {
+      }
+    });
+    return { spawned: true, pid: child.pid };
+  } finally {
+    releaseLock2();
   }
-  const data = parsed["data"] ?? {};
-  for (const peripheral of PERIPHERALS) {
-    data[peripheral.configMapKeyInHostCp] = buildK8sDnsUrl(peripheral.k8sServiceName, peripheral.port);
+}
+function peripheralPidPath(name, stateDir) {
+  return path31.join(stateDir, `port-forward-${name}.pid`);
+}
+function peripheralLockPath(name, stateDir) {
+  return path31.join(stateDir, `port-forward-${name}.lock`);
+}
+async function spawnPeripheralPortForward(peripheral, context, namespace, deps = {}) {
+  const stateDir = deps.stateDir ?? OLAM_STATE_DIR;
+  const spawnImpl = deps.spawnImpl ?? spawn5;
+  const tcpProbeImpl = deps.tcpProbeImpl ?? realTcpProbe;
+  if (!fs29.existsSync(stateDir)) {
+    fs29.mkdirSync(stateDir, { recursive: true });
   }
-  parsed["data"] = data;
-  const patchedYaml = yamlStringify(parsed);
-  const result = await wrap(
-    ["--context", context, "apply", "-f", "-"],
-    { timeout: 3e4, stdin: patchedYaml }
-  );
-  if (!result.ok) {
-    return `kubectl apply (ConfigMap substitution) failed: ${result.stderr.split("\n")[0] ?? ""}`;
+  const lockPath = peripheralLockPath(peripheral.name, stateDir);
+  const pidPath2 = peripheralPidPath(peripheral.name, stateDir);
+  let releaseLock2 = null;
+  try {
+    releaseLock2 = acquireAdvisoryLock(lockPath);
+  } catch (err) {
+    const code = err.code;
+    if (code === "EEXIST") {
+      return false;
+    }
+    throw err;
   }
-  return null;
-}
-async function checkPeripheralSecrets(context, deps) {
-  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
-  for (const { name, secretName, keys } of PERIPHERAL_SECRETS) {
-    const result = await wrap(
+  try {
+    const alive = await tcpProbeImpl("127.0.0.1", peripheral.port, TCP_PROBE_TIMEOUT_MS);
+    if (alive) {
+      return false;
+    }
+    const child = spawnImpl(
+      "kubectl",
       [
         "--context",
         context,
-        "get",
-        "secret",
-        secretName,
+        "port-forward",
         "-n",
-        K8S_NAMESPACE2,
-        "-o",
-        "json"
+        namespace,
+        `service/${peripheral.k8sServiceName}`,
+        `${peripheral.port}:${peripheral.port}`
       ],
-      { timeout: 15e3 }
+      {
+        stdio: ["ignore", "ignore", "ignore"],
+        detached: true
+      }
     );
-    if (!result.ok) {
-      return `Peripheral Secret "${secretName}" (${name}) not found in namespace "${K8S_NAMESPACE2}".
-  Create it first: kubectl --context ${context} apply -f <your-${name}-secret.yaml>
-  ${result.stderr.split("\n")[0] ?? ""}`;
-    }
-    let secretJson;
-    try {
-      secretJson = JSON.parse(result.stdout);
-    } catch {
-      return `Failed to parse Secret JSON for "${secretName}" (${name}): ${result.stdout.slice(0, 200)}`;
+    if (typeof child.pid !== "number" || child.pid <= 0) {
+      return false;
     }
-    const data = secretJson.data ?? {};
-    for (const key of keys) {
-      if (!(key in data)) {
-        return `Peripheral Secret "${secretName}" (${name}) is missing required key "${key}".
-  Keys found: ${Object.keys(data).join(", ") || "(none)"}
-  Add the key and re-run.`;
-      }
-      const b64 = data[key] ?? "";
-      const decoded = Buffer.from(b64, "base64").toString("utf8");
-      if (decoded.startsWith("REPLACE_ME_")) {
-        return `Peripheral Secret "${secretName}" (${name}) key "${key}" still holds its placeholder value.
-  Replace the placeholder with a real value, then re-run.`;
+    writePidFile(pidPath2, child.pid);
+    child.unref();
+    child.once("exit", () => {
+      try {
+        fs29.unlinkSync(pidPath2);
+      } catch {
       }
-    }
+    });
+    return true;
+  } finally {
+    releaseLock2();
   }
-  return null;
 }
-async function waitForCoreDns(context, deps) {
-  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
-  const result = await wrap(
-    [
-      "--context",
-      context,
-      "wait",
-      "--for=condition=Available",
-      "deployment/coredns",
-      "-n",
-      "kube-system",
-      "--timeout=30s"
-    ],
-    { timeout: 35e3 }
+async function spawnAllPeripheralPortForwards(context = "olam", namespace = "olam", deps = {}) {
+  await Promise.all(
+    PERIPHERALS.map((p) => spawnPeripheralPortForward(p, context, namespace, deps))
   );
-  return result.ok;
 }
-async function verifyHealthHeader(deps) {
-  const fetchImpl = deps.fetchImpl ?? fetch;
+
+// src/lib/instrumentation.ts
+var INSTRUMENTATION_SCHEMA = "olam.instr.v1";
+var INSTRUMENTATION_PREFIX = "OLAM_INSTR ";
+function nowIso(now) {
+  const d = now ? now() : /* @__PURE__ */ new Date();
+  return d.toISOString();
+}
+function resolveInstallId(opts) {
   try {
-    const res = await fetchImpl(HOST_CP_HEALTH_URL, {
-      signal: AbortSignal.timeout(5e3)
-    });
-    const engine = res.headers.get("x-olam-engine") ?? res.headers.get("X-Olam-Engine");
-    return { ok: engine === "kubernetes", engineHeader: engine };
+    if (opts.installIdProvider) return opts.installIdProvider();
+    const cfg = readConfig();
+    return cfg.install_id;
   } catch {
-    return { ok: false, engineHeader: null };
+    return "unknown";
   }
 }
-async function runUpgradeKubernetes(opts = {}, deps = {}) {
-  const stdout = deps.stdout ?? process.stdout;
-  const stderr = deps.stderr ?? process.stderr;
-  const manifestsDir = deps.manifestsDir ?? OLAM_K8S_MANIFESTS_DIR;
-  const startMs = Date.now();
-  {
-    const seedImpl = deps.seedManifestsImpl ?? seedManifestsFromBundle;
-    const seedResult = seedImpl(opts.forceRefreshManifests === true, deps.seedManifestsDeps ?? {});
-    if (seedResult.seeded) {
-      stdout.write(`${pc9.dim("[seed]")} ${seedResult.message}
-`);
-    } else if (!seedResult.skipped) {
-      stderr.write(`${pc9.red("error:")} Manifest seed failed: ${seedResult.error}
-`);
-      return { exitCode: 1, summary: "manifest seed failed" };
-    }
-  }
-  {
-    const managedProvider = await detectManagedK8sProvider(deps);
-    if (managedProvider !== null) {
+function writeLine(stderr, payload) {
+  try {
+    const line = `${INSTRUMENTATION_PREFIX}${JSON.stringify(payload)}
+`;
+    stderr.write(line);
+  } catch (err) {
+    try {
       stderr.write(
-        `${pc9.red("error:")} olam upgrade supports local k3d/k3s clusters only.
-  Detected managed-k8s context: ${managedProvider}
-  hostPath /var/run/docker.sock is not accessible on managed clusters \u2014 the docker
-  socket does not reach the operator's host daemon on cloud-managed nodes.
-  See Decision #18 and docs/operator/kubernetes-substrate-beta.md
-  for supported cluster types and the active retraction of managed-k8s support.
+        `[WARN] olam instrumentation emit failed: ${err instanceof Error ? err.message : String(err)}
 `
       );
-      return { exitCode: 1, summary: "managed-k8s context detected (Decision #18 retraction)" };
+    } catch {
     }
   }
-  {
-    const preflightContext = process.env.OLAM_K8S_CONTEXT_ACK ?? "default";
-    const socketAccessible = await checkDockerSocketAccessible(preflightContext, deps);
-    if (!socketAccessible) {
-      stderr.write(
-        `${pc9.yellow("[WARN]")} docker socket not accessible at /var/run/docker.sock inside the host-cp pod.
-  This means the k3d cluster was not created with the docker socket bind-mount,
-  or host-cp is not yet deployed (first install \u2014 this warning is expected).
-  For subsequent upgrades, recreate the cluster with:
-    k3d cluster create olam-host \\
-      --volume /var/run/docker.sock:/var/run/docker.sock@server:* \\
-      --volume ~/.config/gh:/host/.config/gh \\
-      --volume <olam-repo>:/host/olam \\
-      --wait --timeout 90s
-  Run olam doctor to check probe 28 (probeDockerSocketBindMount).
-`
-      );
-    }
+}
+function emitSubstrateSet(payload, opts = {}) {
+  const event = {
+    schema: INSTRUMENTATION_SCHEMA,
+    event: "substrate.set",
+    install_id: resolveInstallId(opts),
+    ts: nowIso(opts.now),
+    substrate: payload.substrate,
+    ...payload.flavor !== void 0 ? { flavor: payload.flavor } : {}
+  };
+  writeLine(opts.stderr ?? process.stderr, event);
+}
+function emitUpgradeComplete(payload, opts = {}) {
+  const event = {
+    schema: INSTRUMENTATION_SCHEMA,
+    event: "upgrade.complete",
+    install_id: resolveInstallId(opts),
+    ts: nowIso(opts.now),
+    substrate: payload.substrate,
+    duration_ms: payload.duration_ms,
+    ...payload.flavor !== void 0 ? { flavor: payload.flavor } : {}
+  };
+  writeLine(opts.stderr ?? process.stderr, event);
+}
+
+// src/lib/manifest-refresh.ts
+import * as fs30 from "node:fs";
+import * as path32 from "node:path";
+init_install_root();
+var MANIFEST_REFRESH_AUDIT_LOG = path32.join(OLAM_STATE_DIR, "manifest-refresh-audit.jsonl");
+var SECURITY_SENSITIVE_FIELDS = [
+  "securityContext",
+  "resources.limits",
+  "capabilities",
+  "readOnlyRootFilesystem",
+  "rules"
+  // RBAC Role rules
+];
+function seedManifestsFromBundle(forceRefresh, deps = {}) {
+  const existsSyncImpl = deps.existsSync ?? fs30.existsSync;
+  const cpSyncImpl = deps.cpSync ?? fs30.cpSync;
+  const mkdirSyncImpl = deps.mkdirSync ?? fs30.mkdirSync;
+  const rootDir = deps.installRootDir ?? installRoot();
+  const sourcePath = path32.join(rootDir, "host-cp", "k8s", "manifests");
+  const OLAM_HOME3 = path32.join(
+    process.env.HOME ?? process.env.USERPROFILE ?? "/tmp",
+    ".olam"
+  );
+  const targetPath = deps.targetManifestsDir ?? path32.join(OLAM_HOME3, "k8s", "manifests");
+  if (!forceRefresh && existsSyncImpl(targetPath)) {
+    return {
+      seeded: false,
+      skipped: true,
+      reason: `~/.olam/k8s/manifests/ already exists \u2014 skipping seed (use --force-refresh-manifests to overwrite)`
+    };
   }
-  const step0Spinner = ora3("Probing Kubernetes API reachability").start();
-  const context = process.env.OLAM_K8S_CONTEXT_ACK ?? "";
-  const probeContext = context.length > 0 ? context : "default";
-  const reachable = await probeKubernetesApiReachable(probeContext, deps);
-  if (!reachable) {
-    step0Spinner.fail("Kubernetes API not reachable");
-    stderr.write(
-      `${pc9.red("error:")} kubectl cluster-info failed (5s timeout).
-  Ensure your kubectl context is correct and the cluster is reachable.
-  Set OLAM_K8S_CONTEXT_ACK=<context-name> to your active kubectl context.
-`
-    );
-    return { exitCode: 1, summary: "kubernetes api not reachable" };
+  if (!existsSyncImpl(sourcePath)) {
+    return {
+      seeded: false,
+      skipped: true,
+      reason: `Bundled manifests not found at ${sourcePath} \u2014 skipping seed (dev/monorepo context).
+If running from a published install, re-run npm install to restore the bundle.`
+    };
   }
-  step0Spinner.succeed("Kubernetes API reachable");
-  const step1Spinner = ora3("Verifying kubectl context (D10)").start();
-  const ackValue = process.env.OLAM_K8S_CONTEXT_ACK ?? "";
-  if (ackValue.length === 0 || !isContextAllowed(ackValue)) {
-    step1Spinner.fail("Context ACK missing or disallowed");
-    stderr.write(
-      `${pc9.red("error:")} OLAM_K8S_CONTEXT_ACK is not set or empty.
-  Set it to your kubectl context name (byte-for-byte match):
-    export OLAM_K8S_CONTEXT_ACK=<your-context-name>
-  See GATES.md G-001 for the context-allowlist requirement.
-`
-    );
-    return { exitCode: 1, summary: "context ack not set" };
+  try {
+    mkdirSyncImpl(path32.dirname(targetPath), { recursive: true });
+    cpSyncImpl(sourcePath, targetPath, { recursive: true });
+  } catch (err) {
+    return {
+      seeded: false,
+      skipped: false,
+      error: `Failed to seed manifests from ${sourcePath} to ${targetPath}: ${err instanceof Error ? err.message : String(err)}`
+    };
   }
-  const pinnedContext = ackValue;
-  process.stderr.write(
-    `${pc9.yellow("[WARN]")} OLAM_K8S_UNSAFE_CONTEXT_ACK ctx=${pinnedContext}
-`
-  );
-  step1Spinner.succeed(`Context pinned: ${pc9.bold(pinnedContext)}`);
-  if (opts.forceRefreshManifests) {
-    const step14Spinner = ora3("Refreshing manifests (D14)").start();
-    const refreshImpl = deps.manifestRefreshImpl ?? runManifestRefresh;
-    const refreshResult = await refreshImpl(
-      manifestsDir,
-      opts.acceptSecurityRegression === true,
-      {}
-    );
-    if (!refreshResult.ok) {
-      step14Spinner.fail("Manifest refresh refused");
-      stderr.write(`${pc9.red("error:")} ${refreshResult.message}
-`);
-      return { exitCode: 1, summary: "manifest refresh refused" };
-    }
-    step14Spinner.succeed(refreshResult.message);
+  return {
+    seeded: true,
+    source: sourcePath,
+    target: targetPath,
+    message: forceRefresh ? `Manifests force-refreshed from ${sourcePath} \u2192 ${targetPath}` : `Manifests seeded from ${sourcePath} \u2192 ${targetPath}`
+  };
+}
+function extractField(obj, fieldKey) {
+  if (typeof obj !== "object" || obj === null) return "";
+  const keys = fieldKey.split(".");
+  let current = obj;
+  for (const k of keys) {
+    if (typeof current !== "object" || current === null) return "";
+    current = current[k];
   }
-  const step2Spinner = ora3(`Checking Secret ${HOST_CP_SECRET_NAME} (D12)`).start();
-  const secretError = await checkSecretPreCondition(pinnedContext, deps);
-  if (secretError !== null) {
-    step2Spinner.fail("Secret pre-check failed");
-    stderr.write(`${pc9.red("error:")} ${secretError}
-`);
-    return { exitCode: 1, summary: "secret pre-check failed" };
+  if (current === void 0) return "";
+  return JSON.stringify(current);
+}
+function extractSecurityFieldsFromParsed(parsed) {
+  const result = {};
+  for (const field of SECURITY_SENSITIVE_FIELDS) {
+    result[field] = extractField(parsed, field);
   }
-  step2Spinner.succeed(`Secret ${HOST_CP_SECRET_NAME} verified`);
-  appendSubstrateAuditEntry(
-    {
-      ts: new Date(deps.nowImpl ? deps.nowImpl() : Date.now()).toISOString(),
-      op: "upgrade",
-      substrate: "kubernetes",
-      phase2: { flag_removed: true }
-    },
-    stderr
-  );
-  const step25Spinner = ora3("Patching ConfigMap with K8s DNS URLs (C1/D4)").start();
-  const configMapError = await applyConfigMapSubstitution(pinnedContext, manifestsDir, deps);
-  if (configMapError !== null) {
-    step25Spinner.fail("ConfigMap substitution failed");
-    stderr.write(`${pc9.red("error:")} ${configMapError}
-`);
-    return { exitCode: 1, summary: "configmap substitution failed" };
+  return result;
+}
+function diffManifestSecurityFields(oldContent, newContent) {
+  let oldParsed;
+  let newParsed;
+  try {
+    oldParsed = JSON.parse(oldContent);
+  } catch {
+    oldParsed = { _raw: oldContent };
   }
-  step25Spinner.succeed("ConfigMap patched with K8s DNS URLs");
-  const step26Spinner = ora3("Checking peripheral Secrets (C2)").start();
-  const peripheralSecretError = await checkPeripheralSecrets(pinnedContext, deps);
-  if (peripheralSecretError !== null) {
-    step26Spinner.fail("Peripheral Secret pre-check failed");
-    stderr.write(`${pc9.red("error:")} ${peripheralSecretError}
-`);
-    return { exitCode: 1, summary: "peripheral secret pre-check failed" };
+  try {
+    newParsed = JSON.parse(newContent);
+  } catch {
+    newParsed = { _raw: newContent };
   }
-  step26Spinner.succeed("All peripheral Secrets verified");
-  const step27Spinner = ora3("Waiting for CoreDNS (C3, 30s timeout)").start();
-  const coreDnsOk = await waitForCoreDns(pinnedContext, deps);
-  if (!coreDnsOk) {
-    step27Spinner.warn("CoreDNS not Available within 30s \u2014 continuing (DNS may be degraded)");
-  } else {
-    step27Spinner.succeed("CoreDNS Available");
+  const oldFields = extractSecurityFieldsFromParsed(oldParsed);
+  const newFields = extractSecurityFieldsFromParsed(newParsed);
+  const changedFields = [];
+  for (const field of SECURITY_SENSITIVE_FIELDS) {
+    if (oldFields[field] !== newFields[field]) {
+      changedFields.push(field);
+    }
   }
-  const step3Spinner = ora3("Applying manifests").start();
-  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
-  const applyResult = await wrap(
-    ["--context", pinnedContext, "apply", "-f", manifestsDir],
-    { timeout: 12e4 }
-  );
-  if (!applyResult.ok) {
-    step3Spinner.fail("kubectl apply failed");
-    stderr.write(
-      `${pc9.red("error:")} kubectl apply failed (exit ${applyResult.exitCode}):
-  ${applyResult.stderr.split("\n").slice(0, 5).join("\n  ")}
-`
+  return {
+    hasSecurityRegression: changedFields.length > 0,
+    changedFields
+  };
+}
+function appendAuditEntry(entry, auditLogPath, writeFileSyncImpl) {
+  const line = JSON.stringify(entry) + "\n";
+  try {
+    writeFileSyncImpl(auditLogPath, line, {
+      encoding: "utf8",
+      flag: "a",
+      mode: 384
+    });
+  } catch (err) {
+    throw new Error(`audit log unavailable: ${err instanceof Error ? err.message : String(err)}`);
+  }
+}
+async function runManifestRefresh(manifestsDir, acceptRegression, deps = {}, peripheral) {
+  const auditLogPath = deps.auditLogPath ?? MANIFEST_REFRESH_AUDIT_LOG;
+  const readdirSync25 = deps.readdirSync ?? fs30.readdirSync;
+  const readFileSync74 = deps.readFileSync ?? fs30.readFileSync;
+  const writeFileSyncImpl = deps.writeFileSync ?? fs30.writeFileSync;
+  const existsSync99 = deps.existsSync ?? fs30.existsSync;
+  const now = deps.now ? deps.now() : /* @__PURE__ */ new Date();
+  const targetDir = peripheral ? path32.join(manifestsDir, peripheral) : manifestsDir;
+  if (!existsSync99(targetDir)) {
+    return {
+      ok: false,
+      message: peripheral ? `peripheral manifests directory not found: ${targetDir}` : `manifests directory not found: ${targetDir}`
+    };
+  }
+  let files;
+  try {
+    const entries = readdirSync25(targetDir, { withFileTypes: true });
+    files = entries.filter((e) => e.isFile() && (e.name.endsWith(".yaml") || e.name.endsWith(".json"))).map((e) => e.name);
+  } catch (err) {
+    return {
+      ok: false,
+      message: `failed to read manifests dir: ${err instanceof Error ? err.message : String(err)}`
+    };
+  }
+  const allChangedFields = [];
+  for (const file of files) {
+    const filePath = path32.join(targetDir, file);
+    let content;
+    try {
+      content = readFileSync74(filePath, "utf8");
+    } catch {
+      continue;
+    }
+    const diff = diffManifestSecurityFields("{}", content);
+    for (const f of diff.changedFields) {
+      if (!allChangedFields.includes(f)) allChangedFields.push(f);
+    }
+  }
+  const hasSecurityRegression = allChangedFields.length > 0;
+  if (hasSecurityRegression && !acceptRegression) {
+    return {
+      ok: false,
+      message: `manifest refresh refused: security-sensitive fields changed (${allChangedFields.join(", ")}).
+Re-run with --accept-security-regression to acknowledge and proceed.`
+    };
+  }
+  const entry = {
+    ts: now.toISOString(),
+    manifests_path: targetDir,
+    security_regression: hasSecurityRegression,
+    changed_fields: allChangedFields,
+    accepted: acceptRegression,
+    operator_pid: process.pid,
+    ...peripheral !== void 0 ? { peripheral } : {}
+  };
+  try {
+    appendAuditEntry(entry, auditLogPath, writeFileSyncImpl);
+  } catch (err) {
+    return {
+      ok: false,
+      message: err instanceof Error ? err.message : String(err)
+    };
+  }
+  return {
+    ok: true,
+    message: hasSecurityRegression ? `Security-sensitive fields changed (${allChangedFields.join(", ")}); accepted via --accept-security-regression. Audit entry written.` : "Manifest refresh completed (no security-sensitive field changes). Audit entry written."
+  };
+}
+
+// src/lib/upgrade-kubernetes.ts
+var OLAM_K8S_MANIFESTS_DIR = path33.join(OLAM_HOME, "k8s", "manifests");
+var K8S_NAMESPACE2 = "olam";
+var HOST_CP_SECRET_NAME = "olam-host-cp-secret";
+var HOST_CP_DEPLOYMENT_NAME = "olam-host-cp";
+var PORT_FORWARD_TARGET = "service/olam-host-cp";
+var HOST_CP_HEALTH_URL = "http://127.0.0.1:19000/health";
+var SUBSTRATE_AUDIT_LOG = path33.join(OLAM_STATE_DIR, "substrate-audit.jsonl");
+var PLACEHOLDER_VALUES = /* @__PURE__ */ new Set(["OLAM_AUTH_SECRET", "GH_TOKEN"]);
+var REQUIRED_SECRET_KEYS = ["OLAM_AUTH_SECRET", "GH_TOKEN"];
+var PERIPHERAL_SECRETS = [
+  { name: "auth-service", secretName: "olam-auth-service-secret", keys: ["OLAM_AUTH_DB_SECRET"] },
+  { name: "mcp-auth-service", secretName: "olam-mcp-auth-service-secret", keys: ["OLAM_MCP_AUTH_JWT_SECRET"] },
+  { name: "kg-service", secretName: "olam-kg-service-secret", keys: ["OLAM_KG_BEARER_TOKEN"] },
+  { name: "memory-service", secretName: "olam-memory-service-secret", keys: ["OLAM_MEMORY_BEARER_SECRET"] }
+];
+var K8S_DNS_SUFFIX = "olam.svc.cluster.local";
+function buildK8sDnsUrl(k8sServiceName, port2) {
+  return `http://${k8sServiceName}.${K8S_DNS_SUFFIX}:${port2}`;
+}
+function appendSubstrateAuditEntry(entry, stderr) {
+  try {
+    const line = JSON.stringify(entry) + "\n";
+    const dir = path33.dirname(SUBSTRATE_AUDIT_LOG);
+    if (!fs31.existsSync(dir)) fs31.mkdirSync(dir, { recursive: true });
+    fs31.writeFileSync(SUBSTRATE_AUDIT_LOG, line, { encoding: "utf8", flag: "a", mode: 384 });
+  } catch (err) {
+    stderr.write(
+      `${pc9.yellow("[warn]")} could not write substrate audit log: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+  }
+}
+function isContextAllowed(context) {
+  return typeof context === "string" && context.length > 0;
+}
+var MANAGED_K8S_URL_PATTERNS = [
+  { pattern: /\.amazonaws\.com(:\d+)?$/, provider: "EKS (Amazon)" },
+  { pattern: /\.googleapis\.com(:\d+)?$/, provider: "GKE (Google)" },
+  { pattern: /\.gke\.io(:\d+)?$/, provider: "GKE (Google)" },
+  { pattern: /\.azmk8s\.io(:\d+)?$/, provider: "AKS (Azure)" },
+  { pattern: /\.k8s\.ondigitalocean\.com(:\d+)?$/, provider: "DOKS (DigitalOcean)" },
+  { pattern: /\.civo\.com(:\d+)?$/, provider: "Civo" }
+];
+async function detectManagedK8sProvider(deps) {
+  if (deps.getClusterServerUrlImpl) {
+    const url3 = await deps.getClusterServerUrlImpl();
+    if (!url3) return null;
+    for (const { pattern, provider } of MANAGED_K8S_URL_PATTERNS) {
+      if (pattern.test(url3)) return provider;
+    }
+    return null;
+  }
+  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+  const result = await wrap(
+    ["config", "view", "--minify", "-o", "jsonpath={.clusters[0].cluster.server}"],
+    { timeout: 5e3 }
+  );
+  if (!result.ok || !result.stdout.trim()) return null;
+  const url2 = result.stdout.trim();
+  for (const { pattern, provider } of MANAGED_K8S_URL_PATTERNS) {
+    if (pattern.test(url2)) return provider;
+  }
+  return null;
+}
+async function checkDockerSocketAccessible(context, deps) {
+  if (deps.checkDockerSocketImpl) {
+    return deps.checkDockerSocketImpl(context);
+  }
+  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+  const result = await wrap(
+    [
+      "--context",
+      context,
+      "exec",
+      "deploy/olam-host-cp",
+      "-n",
+      "olam",
+      "--",
+      "test",
+      "-S",
+      "/var/run/docker.sock"
+    ],
+    { timeout: 1e4 }
+  );
+  return result.ok;
+}
+async function probeKubernetesApiReachable(context, deps) {
+  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+  const result = await wrap(
+    ["--context", context, "cluster-info"],
+    { timeout: 5e3 }
+  );
+  return result.ok;
+}
+async function checkSecretPreCondition(context, deps) {
+  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+  const result = await wrap(
+    [
+      "--context",
+      context,
+      "get",
+      "secret",
+      HOST_CP_SECRET_NAME,
+      "-n",
+      K8S_NAMESPACE2,
+      "-o",
+      "json"
+    ],
+    { timeout: 15e3 }
+  );
+  if (!result.ok) {
+    return `Secret "${HOST_CP_SECRET_NAME}" not found in namespace "${K8S_NAMESPACE2}".
+  Create it first: kubectl --context ${context} apply -f <your-secret.yaml>
+  ${result.stderr.split("\n")[0] ?? ""}`;
+  }
+  let secretJson;
+  try {
+    secretJson = JSON.parse(result.stdout);
+  } catch {
+    return `Failed to parse Secret JSON: ${result.stdout.slice(0, 200)}`;
+  }
+  const data = secretJson.data ?? {};
+  for (const key of REQUIRED_SECRET_KEYS) {
+    if (!(key in data)) {
+      return `Secret "${HOST_CP_SECRET_NAME}" is missing required key "${key}".
+  Keys found: ${Object.keys(data).join(", ") || "(none)"}
+  Add the key and re-run.`;
+    }
+    const b64 = data[key] ?? "";
+    const decoded = Buffer.from(b64, "base64").toString("utf8");
+    if (PLACEHOLDER_VALUES.has(decoded)) {
+      return `Secret "${HOST_CP_SECRET_NAME}" key "${key}" still holds its placeholder value.
+  Replace the placeholder with a real value, then re-run.`;
+    }
+  }
+  return null;
+}
+async function applyConfigMapSubstitution(context, manifestsDir, deps) {
+  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+  const readFileSync74 = deps.readFileSyncImpl ?? fs31.readFileSync;
+  const configMapPath = path33.join(manifestsDir, "30-configmap.yaml");
+  let rawYaml;
+  try {
+    rawYaml = readFileSync74(configMapPath, "utf8");
+  } catch (err) {
+    return `Failed to read ConfigMap at ${configMapPath}: ${err instanceof Error ? err.message : String(err)}`;
+  }
+  let parsed;
+  try {
+    parsed = yamlParse(rawYaml);
+  } catch (err) {
+    return `Failed to parse ConfigMap YAML at ${configMapPath}: ${err instanceof Error ? err.message : String(err)}`;
+  }
+  const data = parsed["data"] ?? {};
+  for (const peripheral of PERIPHERALS) {
+    data[peripheral.configMapKeyInHostCp] = buildK8sDnsUrl(peripheral.k8sServiceName, peripheral.port);
+  }
+  parsed["data"] = data;
+  const patchedYaml = yamlStringify(parsed);
+  const result = await wrap(
+    ["--context", context, "apply", "-f", "-"],
+    { timeout: 3e4, stdin: patchedYaml }
+  );
+  if (!result.ok) {
+    return `kubectl apply (ConfigMap substitution) failed: ${result.stderr.split("\n")[0] ?? ""}`;
+  }
+  return null;
+}
+async function checkPeripheralSecrets(context, deps) {
+  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+  for (const { name, secretName, keys } of PERIPHERAL_SECRETS) {
+    const result = await wrap(
+      [
+        "--context",
+        context,
+        "get",
+        "secret",
+        secretName,
+        "-n",
+        K8S_NAMESPACE2,
+        "-o",
+        "json"
+      ],
+      { timeout: 15e3 }
+    );
+    if (!result.ok) {
+      return `Peripheral Secret "${secretName}" (${name}) not found in namespace "${K8S_NAMESPACE2}".
+  Create it first: kubectl --context ${context} apply -f <your-${name}-secret.yaml>
+  ${result.stderr.split("\n")[0] ?? ""}`;
+    }
+    let secretJson;
+    try {
+      secretJson = JSON.parse(result.stdout);
+    } catch {
+      return `Failed to parse Secret JSON for "${secretName}" (${name}): ${result.stdout.slice(0, 200)}`;
+    }
+    const data = secretJson.data ?? {};
+    for (const key of keys) {
+      if (!(key in data)) {
+        return `Peripheral Secret "${secretName}" (${name}) is missing required key "${key}".
+  Keys found: ${Object.keys(data).join(", ") || "(none)"}
+  Add the key and re-run.`;
+      }
+      const b64 = data[key] ?? "";
+      const decoded = Buffer.from(b64, "base64").toString("utf8");
+      if (decoded.startsWith("REPLACE_ME_")) {
+        return `Peripheral Secret "${secretName}" (${name}) key "${key}" still holds its placeholder value.
+  Replace the placeholder with a real value, then re-run.`;
+      }
+    }
+  }
+  return null;
+}
+async function waitForCoreDns(context, deps) {
+  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+  const result = await wrap(
+    [
+      "--context",
+      context,
+      "wait",
+      "--for=condition=Available",
+      "deployment/coredns",
+      "-n",
+      "kube-system",
+      "--timeout=30s"
+    ],
+    { timeout: 35e3 }
+  );
+  return result.ok;
+}
+async function verifyHealthHeader(deps) {
+  const fetchImpl = deps.fetchImpl ?? fetch;
+  try {
+    const res = await fetchImpl(HOST_CP_HEALTH_URL, {
+      signal: AbortSignal.timeout(5e3)
+    });
+    const engine = res.headers.get("x-olam-engine") ?? res.headers.get("X-Olam-Engine");
+    return { ok: engine === "kubernetes", engineHeader: engine };
+  } catch {
+    return { ok: false, engineHeader: null };
+  }
+}
+async function runUpgradeKubernetes(opts = {}, deps = {}) {
+  const stdout = deps.stdout ?? process.stdout;
+  const stderr = deps.stderr ?? process.stderr;
+  const manifestsDir = deps.manifestsDir ?? OLAM_K8S_MANIFESTS_DIR;
+  const startMs = Date.now();
+  {
+    const seedImpl = deps.seedManifestsImpl ?? seedManifestsFromBundle;
+    const seedResult = seedImpl(opts.forceRefreshManifests === true, deps.seedManifestsDeps ?? {});
+    if (seedResult.seeded) {
+      stdout.write(`${pc9.dim("[seed]")} ${seedResult.message}
+`);
+    } else if (!seedResult.skipped) {
+      stderr.write(`${pc9.red("error:")} Manifest seed failed: ${seedResult.error}
+`);
+      return { exitCode: 1, summary: "manifest seed failed" };
+    }
+  }
+  {
+    const managedProvider = await detectManagedK8sProvider(deps);
+    if (managedProvider !== null) {
+      stderr.write(
+        `${pc9.red("error:")} olam upgrade supports local k3d/k3s clusters only.
+  Detected managed-k8s context: ${managedProvider}
+  hostPath /var/run/docker.sock is not accessible on managed clusters \u2014 the docker
+  socket does not reach the operator's host daemon on cloud-managed nodes.
+  See Decision #18 and docs/operator/kubernetes-substrate-beta.md
+  for supported cluster types and the active retraction of managed-k8s support.
+`
+      );
+      return { exitCode: 1, summary: "managed-k8s context detected (Decision #18 retraction)" };
+    }
+  }
+  {
+    const preflightContext = process.env.OLAM_K8S_CONTEXT_ACK ?? "default";
+    const socketAccessible = await checkDockerSocketAccessible(preflightContext, deps);
+    if (!socketAccessible) {
+      const clusterType = defaultDetectK8sClusterType(preflightContext);
+      const remedyText = buildDockerSocketRemedy(clusterType).split("\n").map((line) => `  ${line}`).join("\n");
+      stderr.write(
+        `${pc9.yellow("[WARN]")} docker socket not accessible at /var/run/docker.sock inside the host-cp pod.
+  This means the cluster was not created with the docker socket bind-mount,
+  or host-cp is not yet deployed (first install \u2014 this warning is expected).
+  For subsequent upgrades:
+${remedyText}
+  Run olam doctor to check probe 28 (probeDockerSocketBindMount).
+`
+      );
+    }
+  }
+  const step0Spinner = ora3("Probing Kubernetes API reachability").start();
+  const context = process.env.OLAM_K8S_CONTEXT_ACK ?? "";
+  const probeContext = context.length > 0 ? context : "default";
+  const reachable = await probeKubernetesApiReachable(probeContext, deps);
+  if (!reachable) {
+    step0Spinner.fail("Kubernetes API not reachable");
+    stderr.write(
+      `${pc9.red("error:")} kubectl cluster-info failed (5s timeout).
+  Ensure your kubectl context is correct and the cluster is reachable.
+  Set OLAM_K8S_CONTEXT_ACK=<context-name> to your active kubectl context.
+`
+    );
+    return { exitCode: 1, summary: "kubernetes api not reachable" };
+  }
+  step0Spinner.succeed("Kubernetes API reachable");
+  const step1Spinner = ora3("Verifying kubectl context (D10)").start();
+  const ackValue = process.env.OLAM_K8S_CONTEXT_ACK ?? "";
+  if (ackValue.length === 0 || !isContextAllowed(ackValue)) {
+    step1Spinner.fail("Context ACK missing or disallowed");
+    stderr.write(
+      `${pc9.red("error:")} OLAM_K8S_CONTEXT_ACK is not set or empty.
+  Set it to your kubectl context name (byte-for-byte match):
+    export OLAM_K8S_CONTEXT_ACK=<your-context-name>
+  See GATES.md G-001 for the context-allowlist requirement.
+`
+    );
+    return { exitCode: 1, summary: "context ack not set" };
+  }
+  const pinnedContext = ackValue;
+  process.stderr.write(
+    `${pc9.yellow("[WARN]")} OLAM_K8S_UNSAFE_CONTEXT_ACK ctx=${pinnedContext}
+`
+  );
+  step1Spinner.succeed(`Context pinned: ${pc9.bold(pinnedContext)}`);
+  if (opts.forceRefreshManifests) {
+    const step14Spinner = ora3("Refreshing manifests (D14)").start();
+    const refreshImpl = deps.manifestRefreshImpl ?? runManifestRefresh;
+    const refreshResult = await refreshImpl(
+      manifestsDir,
+      opts.acceptSecurityRegression === true,
+      {}
+    );
+    if (!refreshResult.ok) {
+      step14Spinner.fail("Manifest refresh refused");
+      stderr.write(`${pc9.red("error:")} ${refreshResult.message}
+`);
+      return { exitCode: 1, summary: "manifest refresh refused" };
+    }
+    step14Spinner.succeed(refreshResult.message);
+  }
+  const step2Spinner = ora3(`Checking Secret ${HOST_CP_SECRET_NAME} (D12)`).start();
+  const secretError = await checkSecretPreCondition(pinnedContext, deps);
+  if (secretError !== null) {
+    step2Spinner.fail("Secret pre-check failed");
+    stderr.write(`${pc9.red("error:")} ${secretError}
+`);
+    return { exitCode: 1, summary: "secret pre-check failed" };
+  }
+  step2Spinner.succeed(`Secret ${HOST_CP_SECRET_NAME} verified`);
+  appendSubstrateAuditEntry(
+    {
+      ts: new Date(deps.nowImpl ? deps.nowImpl() : Date.now()).toISOString(),
+      op: "upgrade",
+      substrate: "kubernetes",
+      phase2: { flag_removed: true }
+    },
+    stderr
+  );
+  const step26Spinner = ora3("Checking peripheral Secrets (C2)").start();
+  const peripheralSecretError = await checkPeripheralSecrets(pinnedContext, deps);
+  if (peripheralSecretError !== null) {
+    step26Spinner.fail("Peripheral Secret pre-check failed");
+    stderr.write(`${pc9.red("error:")} ${peripheralSecretError}
+`);
+    return { exitCode: 1, summary: "peripheral secret pre-check failed" };
+  }
+  step26Spinner.succeed("All peripheral Secrets verified");
+  const step27Spinner = ora3("Waiting for CoreDNS (C3, 30s timeout)").start();
+  const coreDnsOk = await waitForCoreDns(pinnedContext, deps);
+  if (!coreDnsOk) {
+    step27Spinner.warn("CoreDNS not Available within 30s \u2014 continuing (DNS may be degraded)");
+  } else {
+    step27Spinner.succeed("CoreDNS Available");
+  }
+  const step3Spinner = ora3("Applying manifests").start();
+  const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+  const applyResult = await wrap(
+    ["--context", pinnedContext, "apply", "-f", manifestsDir],
+    { timeout: 12e4 }
+  );
+  if (!applyResult.ok) {
+    step3Spinner.fail("kubectl apply failed");
+    stderr.write(
+      `${pc9.red("error:")} kubectl apply failed (exit ${applyResult.exitCode}):
+  ${applyResult.stderr.split("\n").slice(0, 5).join("\n  ")}
+`
     );
     return { exitCode: 1, summary: "kubectl apply failed" };
   }
   const peripheralNames = [...PERIPHERALS.map((p) => p.name)].sort();
   for (const name of peripheralNames) {
-    const peripheralManifestsDir = path32.join(manifestsDir, name);
+    const peripheralManifestsDir = path33.join(manifestsDir, name);
     const peripheralApplyResult = await wrap(
       ["--context", pinnedContext, "apply", "-f", peripheralManifestsDir],
       { timeout: 12e4 }
@@ -21870,6 +22261,15 @@ async function runUpgradeKubernetes(opts = {}, deps = {}) {
     }
   }
   step3Spinner.succeed("All manifests applied (host-cp + 4 peripherals)");
+  const step35Spinner = ora3("Re-applying patched ConfigMap with K8s DNS URLs (C1/D4 \u2014 B7 fix)").start();
+  const configMapError = await applyConfigMapSubstitution(pinnedContext, manifestsDir, deps);
+  if (configMapError !== null) {
+    step35Spinner.fail("ConfigMap substitution failed");
+    stderr.write(`${pc9.red("error:")} ${configMapError}
+`);
+    return { exitCode: 1, summary: "configmap substitution failed" };
+  }
+  step35Spinner.succeed("ConfigMap patched with K8s DNS URLs (survives bulk apply)");
   const step4Spinner = ora3("Waiting for rollout (all 5 deployments, 90s each)").start();
   const deploymentNames = [
     HOST_CP_DEPLOYMENT_NAME,
@@ -22009,10 +22409,10 @@ async function applyK8sAuthRefresh(pinnedContext, deps = {}) {
   const stdout = deps.stdout ?? process.stdout;
   const stderr = deps.stderr ?? process.stderr;
   const olamHome5 = deps.olamHomeOverride ?? OLAM_HOME;
-  const authSecretFile = path33.join(olamHome5, "auth-secret");
+  const authSecretFile = path34.join(olamHome5, "auth-secret");
   const readFn = deps.readFileSyncImpl ?? ((p, enc) => fs32.readFileSync(p, enc));
   const writeFn = deps.writeFileSyncImpl ?? ((p, data, opts) => {
-    fs32.mkdirSync(path33.dirname(p), { recursive: true });
+    fs32.mkdirSync(path34.dirname(p), { recursive: true });
     fs32.writeFileSync(p, data, { encoding: "utf8", mode: opts.mode });
   });
   const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
@@ -22262,15 +22662,15 @@ ${pc11.dim("Next: olam create --name my-world")}`);
 
 // src/commands/create.ts
 init_manager();
-import { spawnSync as spawnSync14 } from "node:child_process";
-import { existsSync as existsSync35 } from "node:fs";
+import { spawnSync as spawnSync15 } from "node:child_process";
+import { existsSync as existsSync36 } from "node:fs";
 import { dirname as dirname26, resolve as resolve14 } from "node:path";
 import ora5 from "ora";
 import pc12 from "picocolors";
 
 // ../core/dist/world/devbox-freshness.js
 import { execSync as execSync7 } from "node:child_process";
-import { existsSync as existsSync31, statSync as statSync6 } from "node:fs";
+import { existsSync as existsSync32, statSync as statSync7 } from "node:fs";
 import { join as join38 } from "node:path";
 var DEFAULT_DEVBOX_IMAGE = "olam-devbox:base";
 var DEVBOX_BAKED_SOURCES = [
@@ -22361,9 +22761,9 @@ function defaultDockerInspect(image) {
 }
 function defaultStatMtime(absPath) {
   try {
-    if (!existsSync31(absPath))
+    if (!existsSync32(absPath))
       return null;
-    return statSync6(absPath).mtimeMs;
+    return statSync7(absPath).mtimeMs;
   } catch {
     return null;
   }
@@ -22500,12 +22900,12 @@ init_output();
 init_host_cp();
 
 // src/lib/memory-secret.ts
-import { existsSync as existsSync32, mkdirSync as mkdirSync23, readFileSync as readFileSync26, statSync as statSync7, writeFileSync as writeFileSync18, renameSync as renameSync6, chmodSync as chmodSync3 } from "node:fs";
-import { homedir as homedir18 } from "node:os";
+import { existsSync as existsSync33, mkdirSync as mkdirSync23, readFileSync as readFileSync27, statSync as statSync8, writeFileSync as writeFileSync18, renameSync as renameSync6, chmodSync as chmodSync3 } from "node:fs";
+import { homedir as homedir19 } from "node:os";
 import { join as join39, dirname as dirname25 } from "node:path";
 import { randomBytes as randomBytes6 } from "node:crypto";
-var MEMORY_SECRET_PATH = join39(homedir18(), ".olam", "memory-secret");
-var CLOUD_MEMORY_SECRET_PATH = join39(homedir18(), ".olam", "cloud-memory-secret");
+var MEMORY_SECRET_PATH = join39(homedir19(), ".olam", "memory-secret");
+var CLOUD_MEMORY_SECRET_PATH = join39(homedir19(), ".olam", "cloud-memory-secret");
 var SECRET_LEN_BYTES = 32;
 function generateSecret() {
   return randomBytes6(SECRET_LEN_BYTES).toString("hex");
@@ -22518,15 +22918,15 @@ function writeSecretAtPath(path89, value) {
   renameSync6(tmp, path89);
 }
 function readSecretAtPathOrNull(path89) {
-  if (!existsSync32(path89)) return null;
-  const mode = statSync7(path89).mode & 511;
+  if (!existsSync33(path89)) return null;
+  const mode = statSync8(path89).mode & 511;
   if (mode !== 384) {
     process.stderr.write(
       `warn: ${path89} has mode 0${mode.toString(8)}; expected 0600. Run 'olam memory secret rotate' to regenerate.
 `
     );
   }
-  return readFileSync26(path89, "utf8").trim();
+  return readFileSync27(path89, "utf8").trim();
 }
 function readSecretAtPath(path89) {
   const v = readSecretAtPathOrNull(path89);
@@ -22556,16 +22956,16 @@ function rotateMemorySecret(path89 = MEMORY_SECRET_PATH) {
   return fresh;
 }
 function hasMemorySecret(path89 = MEMORY_SECRET_PATH) {
-  return existsSync32(path89);
+  return existsSync33(path89);
 }
 function writeCloudMemorySecret(value, path89 = CLOUD_MEMORY_SECRET_PATH) {
   writeSecretAtPath(path89, value);
 }
 
 // src/lib/world-mcp-register.ts
-import { spawnSync as spawnSync12 } from "node:child_process";
+import { spawnSync as spawnSync13 } from "node:child_process";
 var DEFAULT_DOCKER_EXEC_DEPS = {
-  spawn: spawnSync12,
+  spawn: spawnSync13,
   log: (msg) => console.log(msg)
 };
 var MCP_NAME = "agentmemory";
@@ -22629,13 +23029,13 @@ function registerAgentMemoryMcp(opts, deps = DEFAULT_DOCKER_EXEC_DEPS) {
 // src/lib/build-if-stale.ts
 init_install_root();
 import * as fs33 from "node:fs";
-import * as path34 from "node:path";
-import { spawnSync as spawnSync13 } from "node:child_process";
+import * as path35 from "node:path";
+import { spawnSync as spawnSync14 } from "node:child_process";
 import ora4 from "ora";
 
 // src/lib/bundle-source.ts
 init_install_root();
-import { existsSync as existsSync33 } from "node:fs";
+import { existsSync as existsSync34 } from "node:fs";
 import { join as join40, resolve as resolve13 } from "node:path";
 var BundleSourceNotFoundError = class extends Error {
   constructor(sourceModePath, installModePath) {
@@ -22659,7 +23059,7 @@ function resolveBundleSource(env = process.env, installRootDir = installRoot())
     const repoRoot2 = resolve13(installRootDir, "..", "..");
     const sourcePath2 = join40(repoRoot2, "packages", "intelligence", "dist", "agent-stream");
     const installPath2 = join40(installRootDir, "dist", "agent-stream");
-    if (!existsSync33(sourcePath2)) {
+    if (!existsSync34(sourcePath2)) {
       throw new BundleSourceNotFoundError(sourcePath2, installPath2);
     }
     return { mode: "source", path: sourcePath2 };
@@ -22667,7 +23067,7 @@ function resolveBundleSource(env = process.env, installRootDir = installRoot())
   const installPath = join40(installRootDir, "dist", "agent-stream");
   const repoRoot = resolve13(installRootDir, "..", "..");
   const sourcePath = join40(repoRoot, "packages", "intelligence", "dist", "agent-stream");
-  if (!existsSync33(installPath)) {
+  if (!existsSync34(installPath)) {
     throw new BundleSourceNotFoundError(sourcePath, installPath);
   }
   return { mode: "install", path: installPath };
@@ -22686,11 +23086,11 @@ function maxMtimeMs(dir) {
       return;
     }
     for (const entry of entries) {
-      const full = path34.join(d, entry.name);
+      const full = path35.join(d, entry.name);
       if (entry.isDirectory()) {
         if (entry.name === "__tests__" || entry.name === "node_modules") continue;
         scan(full);
-      } else if (entry.isFile() && TS_EXTS.has(path34.extname(entry.name))) {
+      } else if (entry.isFile() && TS_EXTS.has(path35.extname(entry.name))) {
         try {
           const mt = fs33.statSync(full).mtimeMs;
           if (mt > max) max = mt;
@@ -22715,7 +23115,7 @@ function minDistMtimeMs(dir) {
   for (const entry of entries) {
     if (entry.isFile() && entry.name.endsWith(".js")) {
       try {
-        const mt = fs33.statSync(path34.join(dir, entry.name)).mtimeMs;
+        const mt = fs33.statSync(path35.join(dir, entry.name)).mtimeMs;
         if (mt < min) min = mt;
         found = true;
       } catch {
@@ -22740,8 +23140,8 @@ function buildIfStale(repoRoot, env = process.env) {
   if (!isDevMode(env)) {
     return { ok: true, built: false, message: "install-mode: skipping build check" };
   }
-  const srcDir = path34.join(repoRoot, "packages", "intelligence", "src", "agent-stream");
-  const distDir = path34.join(repoRoot, "packages", "intelligence", "dist", "agent-stream");
+  const srcDir = path35.join(repoRoot, "packages", "intelligence", "src", "agent-stream");
+  const distDir = path35.join(repoRoot, "packages", "intelligence", "dist", "agent-stream");
   const srcMtime = maxMtimeMs(srcDir);
   const distMtime = minDistMtimeMs(distDir);
   if (distMtime > 0 && srcMtime <= distMtime) {
@@ -22753,7 +23153,7 @@ function buildIfStale(repoRoot, env = process.env) {
   }
   const reason = distMtime === 0 ? "dist is absent" : `source newer by ${Math.round((srcMtime - distMtime) / 1e3)}s`;
   const spinner = ora4(`Rebuilding agent-stream bundle\u2026 (${reason})`).start();
-  const result = spawnSync13(
+  const result = spawnSync14(
     "npm",
     ["run", "build", "--workspace=@olam/intelligence"],
     {
@@ -22817,7 +23217,7 @@ function registerCreate(program2) {
       if (decision.stderrLine) {
         process.stderr.write(decision.stderrLine + "\n");
       }
-      spawnSync14("docker", ["pull", overrideRef], { stdio: "pipe" });
+      spawnSync15("docker", ["pull", overrideRef], { stdio: "pipe" });
       const { inspectImageProtocolVersions: inspectImageProtocolVersions2, checkProtocolOverlap: checkProtocolOverlap2 } = await Promise.resolve().then(() => (init_protocol_version(), protocol_version_exports));
       const inspect = inspectImageProtocolVersions2(overrideRef);
       if (inspect.inspectFailed) {
@@ -22934,7 +23334,7 @@ function registerCreate(program2) {
             throw err;
           }
           const spinner2 = ora5("Rebuilding olam-devbox:latest\u2026").start();
-          const rebuild = spawnSync14(
+          const rebuild = spawnSync15(
             "bash",
             [buildScript],
             { cwd: repoRoot, stdio: "inherit" }
@@ -23215,7 +23615,7 @@ ${pc12.cyan("Host CP UI:")} ${worldUrl}`);
 function resolveRepoRoot(start) {
   let cur = start;
   while (true) {
-    if (existsSync35(resolve14(cur, "packages")) && existsSync35(resolve14(cur, "package.json"))) {
+    if (existsSync36(resolve14(cur, "packages")) && existsSync36(resolve14(cur, "package.json"))) {
       return cur;
     }
     const parent = dirname26(cur);
@@ -23449,7 +23849,7 @@ init_output();
 import * as fs35 from "node:fs";
 import * as http3 from "node:http";
 import * as os18 from "node:os";
-import * as path36 from "node:path";
+import * as path37 from "node:path";
 var CLI_VERSION2 = process.env["OLAM_CLI_VERSION"] ?? "0.0.0";
 var HOST_CP_PORT2 = 19e3;
 var STATE_ENUM = [
@@ -23540,7 +23940,7 @@ async function getMachineStatus(_probe, _loadCtx, _readToken) {
     }
   } catch {
   }
-  const manifestPath2 = path36.join(os18.homedir(), ".olam", "cache", "manifest.json");
+  const manifestPath2 = path37.join(os18.homedir(), ".olam", "cache", "manifest.json");
   let updateAvailable = null;
   let lastUpdateCheck = null;
   if (fs35.existsSync(manifestPath2)) {
@@ -23686,7 +24086,7 @@ init_context();
 init_output();
 import fs36 from "node:fs";
 import os19 from "node:os";
-import path37 from "node:path";
+import path38 from "node:path";
 import { execFileSync as execFileSync8 } from "node:child_process";
 function registerClean(program2) {
   program2.command("clean").description("Reap orphan world filesystem state under ~/.olam/worlds/").option("--apply", "Actually delete the orphans (default is dry-run)", false).option(
@@ -23710,7 +24110,7 @@ async function runClean(opts) {
     printError(error?.message ?? "Olam is not configured. Run `olam init` first.");
     return 1;
   }
-  const worldsDir = path37.join(os19.homedir(), ".olam", "worlds");
+  const worldsDir = path38.join(os19.homedir(), ".olam", "worlds");
   if (!fs36.existsSync(worldsDir)) {
     if (opts.json) {
       process.stdout.write(`${JSON.stringify({ worldsDir, entries: [] })}
@@ -23727,7 +24127,7 @@ async function runClean(opts) {
   const worktreeMap = collectWorktrees(worldsDir);
   const entries = [];
   for (const id of fs36.readdirSync(worldsDir).sort()) {
-    const fullPath = path37.join(worldsDir, id);
+    const fullPath = path38.join(worldsDir, id);
     const stat = safeStat(fullPath);
     if (!stat || !stat.isDirectory()) continue;
     entries.push(classifyWorld({ id, fullPath, liveIds, worktreeMap }));
@@ -23741,7 +24141,7 @@ async function runClean(opts) {
   const deletable = entries.filter((e) => isDeletable(e, opts));
   const reclaimable = deletable.reduce((acc, e) => acc + e.bytes, 0);
   process.stdout.write(`
-  Reclaimable: ${formatBytes(reclaimable)} across ${deletable.length} entries`);
+  Reclaimable: ${formatBytes2(reclaimable)} across ${deletable.length} entries`);
   if (entries.length > deletable.length) {
     process.stdout.write(
       ` (preserved ${entries.length - deletable.length}: live registry + ${opts.includeDirty ? "none" : "dirty worktrees"})`
@@ -23759,7 +24159,7 @@ async function runClean(opts) {
   if (!opts.yes) {
     process.stdout.write(
       `
-  About to delete ${deletable.length} entries (${formatBytes(reclaimable)}). Pass --yes to skip this prompt.
+  About to delete ${deletable.length} entries (${formatBytes2(reclaimable)}). Pass --yes to skip this prompt.
 `
     );
     const confirmed = await confirmInteractive();
@@ -23782,7 +24182,7 @@ async function runClean(opts) {
   }
   process.stdout.write(
     `
-  Reaped ${removedCount}/${deletable.length} entries \xB7 ${formatBytes(removedBytes)} reclaimed.
+  Reaped ${removedCount}/${deletable.length} entries \xB7 ${formatBytes2(removedBytes)} reclaimed.
 `
   );
   return removedCount === deletable.length ? 0 : 1;
@@ -23793,7 +24193,7 @@ function classifyWorld(args) {
   if (liveIds.has(id)) {
     return { id, path: fullPath, bytes, category: "active", note: "in registry" };
   }
-  const worktreeChild = path37.join(fullPath, "olam");
+  const worktreeChild = path38.join(fullPath, "olam");
   const worktreeInfo = worktreeMap.get(worktreeChild);
   if (worktreeInfo) {
     if (worktreeInfo.dirty > 0 || worktreeInfo.unpushed > 0) {
@@ -23850,8 +24250,8 @@ function reapEntry(entry) {
 function collectWorktrees(worldsDir) {
   const out = /* @__PURE__ */ new Map();
   for (const id of fs36.readdirSync(worldsDir)) {
-    const child = path37.join(worldsDir, id, "olam");
-    const gitMarker = path37.join(child, ".git");
+    const child = path38.join(worldsDir, id, "olam");
+    const gitMarker = path38.join(child, ".git");
     if (!fs36.existsSync(gitMarker)) continue;
     const gitDir = resolveGitDirForWorktree(child);
     if (!gitDir) continue;
@@ -23863,7 +24263,7 @@ function collectWorktrees(worldsDir) {
   return out;
 }
 function resolveGitDirForWorktree(worktreePath) {
-  const gitMarker = path37.join(worktreePath, ".git");
+  const gitMarker = path38.join(worktreePath, ".git");
   try {
     const top = execFileSync8("git", ["rev-parse", "--show-toplevel"], {
       cwd: worktreePath,
@@ -23877,7 +24277,7 @@ function resolveGitDirForWorktree(worktreePath) {
       stdio: "pipe"
     }).trim();
     if (!common) return top;
-    return path37.dirname(path37.resolve(worktreePath, common));
+    return path38.dirname(path38.resolve(worktreePath, common));
   } catch {
     return null;
   }
@@ -23944,14 +24344,14 @@ function computeBytes(p) {
       } catch {
         continue;
       }
-      for (const name of entries) stack.push(path37.join(cur, name));
+      for (const name of entries) stack.push(path38.join(cur, name));
     } else {
       total += st.size;
     }
   }
   return total;
 }
-function formatBytes(n) {
+function formatBytes2(n) {
   if (n < 1024) return `${n}B`;
   if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)}KB`;
   if (n < 1024 * 1024 * 1024) return `${(n / 1024 / 1024).toFixed(1)}MB`;
@@ -23970,7 +24370,7 @@ function printTable(entries) {
 `);
   for (const e of entries) {
     process.stdout.write(
-      `  ${e.category.padEnd(10)}  ${formatBytes(e.bytes).padStart(10)}  ${e.id.padEnd(28)}  ${e.note ?? ""}
+      `  ${e.category.padEnd(10)}  ${formatBytes2(e.bytes).padStart(10)}  ${e.id.padEnd(28)}  ${e.note ?? ""}
 `
     );
   }
@@ -23998,7 +24398,7 @@ init_output();
 import { execFileSync as execFileSync9 } from "node:child_process";
 import * as fs37 from "node:fs";
 import * as os20 from "node:os";
-import * as path38 from "node:path";
+import * as path39 from "node:path";
 import { createInterface as createInterface2 } from "node:readline/promises";
 import pc16 from "picocolors";
 var NPM_PACKAGE = "@pleri/olam-cli";
@@ -24020,7 +24420,7 @@ var realExec = (cmd, args) => {
 };
 function surveyOlam(opts = {}) {
   const exec = opts.exec ?? realExec;
-  const home = opts.olamHome ?? path38.join(os20.homedir(), ".olam");
+  const home = opts.olamHome ?? path39.join(os20.homedir(), ".olam");
   const containers = listDocker(exec, ["ps", "-a", "--format", "{{.Names}}"]).filter(
     (n) => n.startsWith("olam-")
   );
@@ -24034,11 +24434,11 @@ function surveyOlam(opts = {}) {
     (n) => n.startsWith("olam-") && n !== "olam-host-cp-internal-default"
   );
   const worlds = [];
-  const worldsDir = path38.join(home, "worlds");
+  const worldsDir = path39.join(home, "worlds");
   if (fs37.existsSync(worldsDir)) {
     for (const entry of fs37.readdirSync(worldsDir, { withFileTypes: true })) {
       if (!entry.isDirectory()) continue;
-      const wPath = path38.join(worldsDir, entry.name);
+      const wPath = path39.join(worldsDir, entry.name);
       const bytes = dirSize(wPath);
       const { dirty, note } = inspectWorldGitState(wPath);
       worlds.push({ id: entry.name, bytes, dirty, note, path: wPath });
@@ -24047,7 +24447,7 @@ function surveyOlam(opts = {}) {
   const homeBytesNonWorld = fs37.existsSync(home) ? Math.max(0, dirSize(home) - worlds.reduce((acc, w) => acc + w.bytes, 0)) : 0;
   const npmRoot = exec("npm", ["root", "-g"]);
   const npmGlobalRoot = npmRoot.exitCode === 0 ? npmRoot.stdout.trim() : null;
-  const npmInstalled = npmGlobalRoot !== null && fs37.existsSync(path38.join(npmGlobalRoot, NPM_PACKAGE));
+  const npmInstalled = npmGlobalRoot !== null && fs37.existsSync(path39.join(npmGlobalRoot, NPM_PACKAGE));
   return {
     containers,
     images,
@@ -24077,7 +24477,7 @@ function dirSize(p) {
         continue;
       }
       for (const e of entries) {
-        const full = path38.join(cur, e.name);
+        const full = path39.join(cur, e.name);
         try {
           if (e.isDirectory()) stack.push(full);
           else if (e.isFile()) total += fs37.statSync(full).size;
@@ -24095,8 +24495,8 @@ function inspectWorldGitState(worldPath) {
   try {
     for (const entry of fs37.readdirSync(worldPath, { withFileTypes: true })) {
       if (!entry.isDirectory()) continue;
-      const repo = path38.join(worldPath, entry.name);
-      const gitDir = path38.join(repo, ".git");
+      const repo = path39.join(worldPath, entry.name);
+      const gitDir = path39.join(repo, ".git");
       if (!fs37.existsSync(gitDir)) continue;
       try {
         const status2 = execFileSync9("git", ["status", "--porcelain"], {
@@ -24166,8 +24566,8 @@ function renderSurvey(survey, opts) {
   lines.push(
     `  worlds:                ${survey.worlds.length}  (${dirtyWorlds.length} dirty, ${cleanWorlds.length} clean)`
   );
-  lines.push(`  ~/.olam/* (non-world): ${formatBytes2(survey.homeBytesNonWorld)}`);
-  lines.push(`  worlds total:          ${formatBytes2(worldBytes)}`);
+  lines.push(`  ~/.olam/* (non-world): ${formatBytes3(survey.homeBytesNonWorld)}`);
+  lines.push(`  worlds total:          ${formatBytes3(worldBytes)}`);
   lines.push(
     `  npm package installed: ${survey.npmInstalled ? `yes (at ${survey.npmGlobalRoot}/${NPM_PACKAGE})` : "no"}`
   );
@@ -24175,14 +24575,14 @@ function renderSurvey(survey, opts) {
     lines.push("");
     lines.push(pc16.yellow(`  \u26A0 dirty worlds (${dirtyWorlds.length}) \u2014 pass --include-dirty to destroy:`));
     for (const w of dirtyWorlds) {
-      lines.push(`    - ${w.id}  ${formatBytes2(w.bytes)}  (${w.note})`);
+      lines.push(`    - ${w.id}  ${formatBytes3(w.bytes)}  (${w.note})`);
     }
   }
   lines.push("");
   lines.push(pc16.dim("  Run with --yes to actually destroy. Default is dry-run."));
   return lines.join("\n");
 }
-function formatBytes2(n) {
+function formatBytes3(n) {
   if (n < 1024) return `${n} B`;
   if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)} KB`;
   if (n < 1024 * 1024 * 1024) return `${(n / 1024 / 1024).toFixed(1)} MB`;
@@ -24190,7 +24590,7 @@ function formatBytes2(n) {
 }
 async function executeImplode(survey, opts) {
   const exec = opts.exec ?? realExec;
-  const home = opts.olamHome ?? path38.join(os20.homedir(), ".olam");
+  const home = opts.olamHome ?? path39.join(os20.homedir(), ".olam");
   const removed = [];
   const skipped = [];
   const errors = [];
@@ -24254,7 +24654,7 @@ async function executeImplode(survey, opts) {
           skipped.push(`fs:~/.olam/auth-data (--keep-vault)`);
           continue;
         }
-        const target = path38.join(home, entry.name);
+        const target = path39.join(home, entry.name);
         try {
           fs37.rmSync(target, { recursive: true, force: true });
           removed.push(`fs:${target}`);
@@ -25928,11 +26328,11 @@ var qmarksTestNoExtDot = ([$0]) => {
   return (f) => f.length === len && f !== "." && f !== "..";
 };
 var defaultPlatform = typeof process === "object" && process ? typeof process.env === "object" && process.env && process.env.__MINIMATCH_TESTING_PLATFORM__ || process.platform : "posix";
-var path40 = {
+var path41 = {
   win32: { sep: "\\" },
   posix: { sep: "/" }
 };
-var sep2 = defaultPlatform === "win32" ? path40.win32.sep : path40.posix.sep;
+var sep2 = defaultPlatform === "win32" ? path41.win32.sep : path41.posix.sep;
 minimatch.sep = sep2;
 var GLOBSTAR = /* @__PURE__ */ Symbol("globstar **");
 minimatch.GLOBSTAR = GLOBSTAR;
@@ -26758,7 +27158,7 @@ function registerPolicyCheck(program2) {
 }
 
 // src/commands/worldspec/compile.ts
-import { existsSync as existsSync40, mkdirSync as mkdirSync25, readFileSync as readFileSync29, writeFileSync as writeFileSync20 } from "node:fs";
+import { existsSync as existsSync41, mkdirSync as mkdirSync25, readFileSync as readFileSync30, writeFileSync as writeFileSync20 } from "node:fs";
 import { resolve as resolvePath } from "node:path";
 import YAML5 from "yaml";
 
@@ -27561,13 +27961,13 @@ function registerWorldspecCompile(parent) {
     const sourcePolicies = [];
     for (const p of paths) {
       const abs = resolvePath(process.cwd(), p);
-      if (!existsSync40(abs)) {
+      if (!existsSync41(abs)) {
         printError(`worldspec not found at ${abs}`);
         process.exit(EXIT_WORLDSPEC_FILE_NOT_FOUND);
       }
       let yaml;
       try {
-        yaml = YAML5.parse(readFileSync29(abs, "utf8"));
+        yaml = YAML5.parse(readFileSync30(abs, "utf8"));
       } catch (err) {
         printError(
           `${p}: YAML parse error: ${err.message}`
@@ -27652,7 +28052,7 @@ function getPkgVersion() {
 // src/commands/worldspec/init.ts
 init_exit_codes();
 init_output();
-import { existsSync as existsSync41, mkdirSync as mkdirSync26, readFileSync as readFileSync30, writeFileSync as writeFileSync21 } from "node:fs";
+import { existsSync as existsSync42, mkdirSync as mkdirSync26, readFileSync as readFileSync31, writeFileSync as writeFileSync21 } from "node:fs";
 import { execSync as execSync10 } from "node:child_process";
 import { basename as basename3, resolve as resolvePath2 } from "node:path";
 function registerWorldspecInit(parent) {
@@ -27670,7 +28070,7 @@ function registerWorldspecInit(parent) {
     const cwd = process.cwd();
     const targetDir = resolvePath2(cwd, ".olam/worldspecs");
     const targetFile = resolvePath2(targetDir, "default.yaml");
-    if (existsSync41(targetFile) && !opts.force) {
+    if (existsSync42(targetFile) && !opts.force) {
       printError(
         `${targetFile} already exists; pass --force to overwrite`
       );
@@ -27704,14 +28104,14 @@ function registerWorldspecInit(parent) {
   });
 }
 function detectProjectShape(root, useAdbYaml) {
-  const hasGemfile = existsSync41(resolvePath2(root, "Gemfile"));
-  const hasNodePackageJson = existsSync41(resolvePath2(root, "package.json"));
-  const hasAdbYaml = existsSync41(resolvePath2(root, ".adb.yaml"));
+  const hasGemfile = existsSync42(resolvePath2(root, "Gemfile"));
+  const hasNodePackageJson = existsSync42(resolvePath2(root, "package.json"));
+  const hasAdbYaml = existsSync42(resolvePath2(root, ".adb.yaml"));
   let rubyVersion = null;
   const rubyVersionPath = resolvePath2(root, ".ruby-version");
-  if (existsSync41(rubyVersionPath)) {
+  if (existsSync42(rubyVersionPath)) {
     try {
-      const raw = readFileSync30(rubyVersionPath, "utf8").trim();
+      const raw = readFileSync31(rubyVersionPath, "utf8").trim();
       const match2 = raw.match(/(\d+\.\d+\.\d+)/);
       if (match2) rubyVersion = match2[1] ?? null;
     } catch {
@@ -29121,7 +29521,7 @@ function registerWorldspecSchema(parent) {
 }
 
 // src/commands/worldspec/validate.ts
-import { existsSync as existsSync42, readFileSync as readFileSync31 } from "node:fs";
+import { existsSync as existsSync43, readFileSync as readFileSync32 } from "node:fs";
 import { resolve as resolvePath4 } from "node:path";
 init_exit_codes();
 init_output();
@@ -29138,13 +29538,13 @@ function registerWorldspecValidate(parent) {
     "human"
   ).action(async (pathArg, opts) => {
     const absPath = resolvePath4(process.cwd(), pathArg);
-    if (!existsSync42(absPath)) {
+    if (!existsSync43(absPath)) {
       printError(`worldspec not found at ${absPath}`);
       process.exit(EXIT_WORLDSPEC_FILE_NOT_FOUND);
     }
     let yamlSource;
     try {
-      yamlSource = readFileSync31(absPath, "utf8");
+      yamlSource = readFileSync32(absPath, "utf8");
     } catch (err) {
       printError(
         `failed to read ${absPath}: ${err.message}`
@@ -29191,17 +29591,17 @@ function registerWorldspec(program2) {
 init_output();
 init_host_cp();
 import * as fs41 from "node:fs";
-import * as path43 from "node:path";
-import { spawnSync as spawnSync16 } from "node:child_process";
+import * as path44 from "node:path";
+import { spawnSync as spawnSync17 } from "node:child_process";
 import ora9 from "ora";
 import pc20 from "picocolors";
 
 // src/commands/upgrade-lock.ts
 import * as fs39 from "node:fs";
 import * as os21 from "node:os";
-import * as path41 from "node:path";
-import { spawnSync as spawnSync15 } from "node:child_process";
-var LOCK_FILE_PATH = path41.join(os21.homedir(), ".olam", ".upgrade.lock");
+import * as path42 from "node:path";
+import { spawnSync as spawnSync16 } from "node:child_process";
+var LOCK_FILE_PATH = path42.join(os21.homedir(), ".olam", ".upgrade.lock");
 var STALE_LOCK_TIMEOUT_MS = 5 * 60 * 1e3;
 function readLockFile(lockPath) {
   try {
@@ -29225,7 +29625,7 @@ function isPidAlive2(pid) {
 }
 var PS_UNAVAILABLE = "__ps_unavailable__";
 function getPidCommand(pid) {
-  const result = spawnSync15("ps", ["-p", String(pid), "-o", "comm="], {
+  const result = spawnSync16("ps", ["-p", String(pid), "-o", "comm="], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "ignore"]
   });
@@ -29251,7 +29651,7 @@ function isStaleLock(content, nowMs = Date.now()) {
   return false;
 }
 function acquireLock(lockPath = LOCK_FILE_PATH, nowMs = Date.now()) {
-  const dir = path41.dirname(lockPath);
+  const dir = path42.dirname(lockPath);
   fs39.mkdirSync(dir, { recursive: true });
   for (let attempt = 0; attempt < 2; attempt++) {
     try {
@@ -29314,15 +29714,15 @@ function formatRefusalMessage(result, lockPath = LOCK_FILE_PATH) {
 // src/commands/upgrade-log.ts
 import * as fs40 from "node:fs";
 import * as os22 from "node:os";
-import * as path42 from "node:path";
+import * as path43 from "node:path";
 function getUpgradeLogPath() {
   const home = process.env["HOME"] ?? os22.homedir();
-  return path42.join(home, ".olam", "upgrade.log");
+  return path43.join(home, ".olam", "upgrade.log");
 }
 var UPGRADE_LOG_PATH = getUpgradeLogPath();
 function appendUpgradeLog(row, logPath = getUpgradeLogPath()) {
   try {
-    fs40.mkdirSync(path42.dirname(logPath), { recursive: true });
+    fs40.mkdirSync(path43.dirname(logPath), { recursive: true });
     const line = JSON.stringify(row) + "\n";
     fs40.appendFileSync(logPath, line, { mode: 420 });
   } catch (err) {
@@ -29429,8 +29829,8 @@ init_protocol_version();
 init_install_root();
 var AUTH_HEALTH_URL2 = "http://127.0.0.1:9999/health";
 function isNodeModulesInSync(cwd) {
-  const lockPath = path43.join(cwd, "package-lock.json");
-  const markerPath = path43.join(cwd, "node_modules", ".package-lock.json");
+  const lockPath = path44.join(cwd, "package-lock.json");
+  const markerPath = path44.join(cwd, "node_modules", ".package-lock.json");
   if (!fs41.existsSync(lockPath) || !fs41.existsSync(markerPath)) return false;
   try {
     const lockStat = fs41.statSync(lockPath);
@@ -29450,7 +29850,7 @@ function shouldSkipInstall(opts, cwd) {
   return { skip: false };
 }
 function validateRepoRoot(cwd) {
-  const marker = path43.join(cwd, "packages/host-cp/compose.yaml");
+  const marker = path44.join(cwd, "packages/host-cp/compose.yaml");
   if (!fs41.existsSync(marker)) {
     return {
       ok: false,
@@ -29486,7 +29886,7 @@ function extractBundleHash(indexHtml) {
 function runStep2(label, cmd, args, opts = {}) {
   const start = Date.now();
   process.stdout.write(`  ${pc20.dim(label.padEnd(34))}`);
-  const result = spawnSync16(cmd, [...args], {
+  const result = spawnSync17(cmd, [...args], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"],
     cwd: opts.cwd ?? process.cwd(),
@@ -29505,7 +29905,7 @@ function runStep2(label, cmd, args, opts = {}) {
   };
 }
 function isGitDirty(cwd) {
-  const result = spawnSync16("git", ["status", "--porcelain"], {
+  const result = spawnSync17("git", ["status", "--porcelain"], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"],
     cwd
@@ -29513,7 +29913,7 @@ function isGitDirty(cwd) {
   return (result.stdout ?? "").trim().length > 0;
 }
 function hasGitUpstream(cwd) {
-  const result = spawnSync16("git", ["rev-parse", "--abbrev-ref", "@{u}"], {
+  const result = spawnSync17("git", ["rev-parse", "--abbrev-ref", "@{u}"], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"],
     cwd
@@ -29521,7 +29921,7 @@ function hasGitUpstream(cwd) {
   return result.status === 0;
 }
 function captureHeadSha(cwd) {
-  const result = spawnSync16("git", ["rev-parse", "HEAD"], {
+  const result = spawnSync17("git", ["rev-parse", "HEAD"], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"],
     cwd
@@ -29536,7 +29936,7 @@ function abbreviateSha(sha) {
 }
 function imageExists(tag) {
   try {
-    const result = spawnSync16("docker", ["image", "inspect", "--format", "{{.Id}}", tag], {
+    const result = spawnSync17("docker", ["image", "inspect", "--format", "{{.Id}}", tag], {
       encoding: "utf-8",
       stdio: ["ignore", "pipe", "ignore"]
     });
@@ -29552,7 +29952,7 @@ function checkRollbackSetExists(plan) {
 }
 var SMOKE_DOCKER_TIMEOUT_MS = 3e4;
 function smokeImage(image, targetSha) {
-  const createResult = spawnSync16("docker", ["create", "--name", `olam-smoke-${Date.now()}`, image], {
+  const createResult = spawnSync17("docker", ["create", "--name", `olam-smoke-${Date.now()}`, image], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"],
     timeout: SMOKE_DOCKER_TIMEOUT_MS
@@ -29566,7 +29966,7 @@ function smokeImage(image, targetSha) {
     };
   }
   const containerId = (createResult.stdout ?? "").trim();
-  const inspectResult = spawnSync16(
+  const inspectResult = spawnSync17(
     "docker",
     ["inspect", "--format", '{{index .Config.Labels "olam.build.sha"}}', image],
     {
@@ -29576,7 +29976,7 @@ function smokeImage(image, targetSha) {
     }
   );
   if (containerId.length > 0) {
-    spawnSync16("docker", ["rm", "-f", containerId], {
+    spawnSync17("docker", ["rm", "-f", containerId], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "ignore"],
       timeout: SMOKE_DOCKER_TIMEOUT_MS
@@ -29618,7 +30018,7 @@ var PRODUCTION_SWAP_PLAN = [
 ];
 function dockerTag(source, dest) {
   try {
-    const result = spawnSync16("docker", ["tag", source, dest], {
+    const result = spawnSync17("docker", ["tag", source, dest], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "pipe"]
     });
@@ -29782,11 +30182,11 @@ async function waitForAuthHealthLocal(timeoutMs = AUTH_HEALTH_TIMEOUT_MS) {
 async function recreateAuthService() {
   const start = Date.now();
   try {
-    spawnSync16("docker", ["stop", "olam-auth"], {
+    spawnSync17("docker", ["stop", "olam-auth"], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "ignore"]
     });
-    spawnSync16("docker", ["rm", "olam-auth"], {
+    spawnSync17("docker", ["rm", "olam-auth"], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "ignore"]
     });
@@ -29811,7 +30211,7 @@ async function recreateAuthService() {
   }
 }
 function readBundleHash(cwd) {
-  const indexPath = path43.join(cwd, "packages/control-plane/public/index.html");
+  const indexPath = path44.join(cwd, "packages/control-plane/public/index.html");
   if (!fs41.existsSync(indexPath)) return null;
   return extractBundleHash(fs41.readFileSync(indexPath, "utf-8"));
 }
@@ -30084,11 +30484,11 @@ async function defaultRecreateMcpAuthForUpgrade() {
 }
 async function defaultRecreateAuthForUpgrade() {
   try {
-    spawnSync16("docker", ["stop", "olam-auth"], {
+    spawnSync17("docker", ["stop", "olam-auth"], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "ignore"]
     });
-    spawnSync16("docker", ["rm", "olam-auth"], {
+    spawnSync17("docker", ["rm", "olam-auth"], {
       encoding: "utf-8",
       stdio: ["ignore", "ignore", "ignore"]
     });
@@ -30110,7 +30510,7 @@ async function defaultRecreateAuthForUpgrade() {
   }
 }
 function defaultInspectContainerLabels(containerName) {
-  const result = spawnSync16(
+  const result = spawnSync17(
     "docker",
     [
       "inspect",
@@ -30134,7 +30534,7 @@ function defaultInspectContainerLabels(containerName) {
   return { ok: false, exists: false, project: "", service: "", stderr };
 }
 function defaultRemoveContainer(containerName) {
-  const result = spawnSync16("docker", ["rm", "-f", containerName], {
+  const result = spawnSync17("docker", ["rm", "-f", containerName], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"]
   });
@@ -30417,7 +30817,7 @@ ${buildResult.stderr}`);
     return;
   }
   const authSecret = readAuthSecret2();
-  const spaDir = path43.join(cwd, "packages/control-plane/app");
+  const spaDir = path44.join(cwd, "packages/control-plane/app");
   const spaResult = runStep2(
     "vite build (SPA)",
     "npx",
@@ -30465,7 +30865,7 @@ ${spaResult.stderr}`);
       process.stdout.write(`  ${pc20.dim(step.label.padEnd(34))}
 `);
       const start = Date.now();
-      const result = spawnSync16("bash", [scriptPath], {
+      const result = spawnSync17("bash", [scriptPath], {
         stdio: "inherit",
         cwd,
         env: { ...process.env, ...olamTagEnv }
@@ -30810,7 +31210,7 @@ function registerLogs(program2) {
 init_context();
 init_output();
 import pc22 from "picocolors";
-import { spawnSync as spawnSync17 } from "node:child_process";
+import { spawnSync as spawnSync18 } from "node:child_process";
 var SAFE_IDENT4 = /^[a-z0-9][a-z0-9-]{0,63}$/;
 function parseDockerTop(stdout) {
   const trimmed = stdout.trim();
@@ -30910,7 +31310,7 @@ function registerPs(program2) {
     const containerName = `olam-${worldId}-devbox`;
     let watchInterval;
     function fetchAndPrint() {
-      const result = spawnSync17(
+      const result = spawnSync18(
         "docker",
         ["top", containerName, "pid", "user", "pcpu", "pmem", "stime", "stat", "cmd"],
         { encoding: "utf-8", timeout: 3e3 }
@@ -30949,13 +31349,13 @@ ${pc22.dim(`world: ${worldId}  sort: ${sortKey}  refresh: 5s  Ctrl-C to exit`)}
 init_output();
 import * as fs42 from "node:fs";
 import * as os23 from "node:os";
-import * as path44 from "node:path";
+import * as path45 from "node:path";
 import YAML6 from "yaml";
 function olamHome3() {
-  return process.env.OLAM_HOME ?? path44.join(os23.homedir(), ".olam");
+  return process.env.OLAM_HOME ?? path45.join(os23.homedir(), ".olam");
 }
 function keysFilePath() {
-  return path44.join(olamHome3(), "keys.yaml");
+  return path45.join(olamHome3(), "keys.yaml");
 }
 function readKeysFile() {
   const filePath = keysFilePath();
@@ -31051,7 +31451,7 @@ function registerKeys(program2) {
 init_snapshot();
 init_output();
 import * as fs43 from "node:fs";
-import * as path45 from "node:path";
+import * as path46 from "node:path";
 import { execSync as execSync11 } from "node:child_process";
 import pc23 from "picocolors";
 
@@ -31074,9 +31474,9 @@ function emitDeprecationWarning(subcommand) {
 }
 function bumpDeprecationCounter() {
   if (process.env[INTERNAL_SENTINEL_ENV] === "1") return;
-  const counterPath = path45.join(snapshotsDir(), ".deprecation-counter");
+  const counterPath = path46.join(snapshotsDir(), ".deprecation-counter");
   try {
-    fs43.mkdirSync(path45.dirname(counterPath), { recursive: true });
+    fs43.mkdirSync(path46.dirname(counterPath), { recursive: true });
     let current = 0;
     if (fs43.existsSync(counterPath)) {
       const raw = fs43.readFileSync(counterPath, "utf-8").trim();
@@ -31159,13 +31559,13 @@ function resolveKinds(arg) {
   return [];
 }
 async function captureGems(worldId, workspacePath, repo) {
-  const repoDir = path45.join(workspacePath, repo);
+  const repoDir = path46.join(workspacePath, repo);
   const fingerprint = computeGemsFingerprint(repoDir);
   if (!fingerprint) {
     return { ok: false, tarPath: "", msg: "no Gemfile.lock \u2014 layer does not apply" };
   }
   const tarPath = snapshotTarPath(worldId, "gems", repo, fingerprint);
-  const vendorBundle = path45.join(repoDir, "vendor", "bundle");
+  const vendorBundle = path46.join(repoDir, "vendor", "bundle");
   if (fs43.existsSync(vendorBundle)) {
     try {
       packTarball(vendorBundle, tarPath);
@@ -31202,7 +31602,7 @@ async function captureGems(worldId, workspacePath, repo) {
       `docker exec ${containerName} sh -c 'mkdir -p "$(dirname ${tmpTar})" && tar -czf ${tmpTar}.tmp -C ${bundlePath} . && mv ${tmpTar}.tmp ${tmpTar}'`,
       { stdio: "pipe", timeout: 12e4 }
     );
-    fs43.mkdirSync(path45.dirname(tarPath), { recursive: true });
+    fs43.mkdirSync(path46.dirname(tarPath), { recursive: true });
     execSync11(`docker cp ${containerName}:${tmpTar} "${tarPath}"`, { stdio: "pipe", timeout: 12e4 });
     execSync11(`docker exec ${containerName} rm -f ${tmpTar}`, { stdio: "pipe" });
     const stat = fs43.statSync(tarPath);
@@ -31222,12 +31622,12 @@ async function captureGems(worldId, workspacePath, repo) {
   }
 }
 async function captureNode(worldId, workspacePath, repo) {
-  const repoDir = path45.join(workspacePath, repo);
+  const repoDir = path46.join(workspacePath, repo);
   const fingerprint = computeNodeFingerprint(repoDir);
   if (!fingerprint) {
     return { ok: false, tarPath: "", msg: "no lockfile \u2014 layer does not apply" };
   }
-  const nodeModules = path45.join(repoDir, "node_modules");
+  const nodeModules = path46.join(repoDir, "node_modules");
   if (!fs43.existsSync(nodeModules)) {
     return { ok: false, tarPath: "", msg: "node_modules not installed yet" };
   }
@@ -31251,7 +31651,7 @@ async function captureNode(worldId, workspacePath, repo) {
   }
 }
 async function capturePg(worldId, workspacePath, repoNames) {
-  const repoDirs = repoNames.map((r) => path45.join(workspacePath, r));
+  const repoDirs = repoNames.map((r) => path46.join(workspacePath, r));
   const fingerprint = computePgFingerprint(repoDirs);
   if (!fingerprint) {
     return { ok: false, tarPath: "", msg: "no Gemfile.lock / schema.rb \u2014 layer does not apply" };
@@ -31266,9 +31666,9 @@ async function capturePg(worldId, workspacePath, repoNames) {
   }
   try {
     execSync11(`docker stop ${containerName}`, { stdio: "pipe", timeout: 3e4 });
-    fs43.mkdirSync(path45.dirname(tarPath), { recursive: true });
+    fs43.mkdirSync(path46.dirname(tarPath), { recursive: true });
     execSync11(
-      `docker run --rm         -v "${volumeName2}:/pgdata:ro"         -v "${path45.dirname(tarPath)}:/dest"         alpine         sh -c 'tar -czf /dest/${path45.basename(tarPath)}.tmp -C /pgdata . && mv /dest/${path45.basename(tarPath)}.tmp /dest/${path45.basename(tarPath)}'`,
+      `docker run --rm         -v "${volumeName2}:/pgdata:ro"         -v "${path46.dirname(tarPath)}:/dest"         alpine         sh -c 'tar -czf /dest/${path46.basename(tarPath)}.tmp -C /pgdata . && mv /dest/${path46.basename(tarPath)}.tmp /dest/${path46.basename(tarPath)}'`,
       { stdio: "pipe", timeout: 18e4 }
     );
     execSync11(`docker start ${containerName}`, { stdio: "pipe", timeout: 3e4 });
@@ -31303,7 +31703,7 @@ async function handleEvict(opts) {
     const allTars = [];
     const walk3 = (d) => {
       for (const entry of fs43.readdirSync(d, { withFileTypes: true })) {
-        const full = path45.join(d, entry.name);
+        const full = path46.join(d, entry.name);
         if (entry.isDirectory()) {
           walk3(full);
         } else if (entry.name.endsWith(".tar.gz")) {
@@ -31315,7 +31715,7 @@ async function handleEvict(opts) {
     walk3(root);
     const total = allTars.reduce((a, t) => a + t.size, 0);
     if (total <= maxBytes) {
-      console.log(`${formatBytes3(total)} total \u2264 ${formatBytes3(maxBytes)} cap; nothing to evict.`);
+      console.log(`${formatBytes4(total)} total \u2264 ${formatBytes4(maxBytes)} cap; nothing to evict.`);
       return;
     }
     allTars.sort((a, b) => a.mtime - b.mtime);
@@ -31326,19 +31726,19 @@ async function handleEvict(opts) {
       toEvict.push(t);
       remaining -= t.size;
     }
-    printHeader(`Would evict ${toEvict.length} snapshot(s) (${formatBytes3(total - remaining)})`);
+    printHeader(`Would evict ${toEvict.length} snapshot(s) (${formatBytes4(total - remaining)})`);
     console.log();
     for (const t of toEvict) {
       const age = formatAge2(Date.now() - t.mtime);
-      console.log(`  ${pc23.dim(formatBytes3(t.size).padStart(8))}  ${age.padStart(10)}  ${t.path}`);
+      console.log(`  ${pc23.dim(formatBytes4(t.size).padStart(8))}  ${age.padStart(10)}  ${t.path}`);
     }
     console.log();
-    console.log(pc23.dim(`Total after eviction: ${formatBytes3(remaining)} (cap: ${formatBytes3(maxBytes)})`));
+    console.log(pc23.dim(`Total after eviction: ${formatBytes4(remaining)} (cap: ${formatBytes4(maxBytes)})`));
     return;
   }
   const freed = evictOldSnapshotsWithFlock(maxBytes);
   if (freed > 0) {
-    printSuccess(`Evicted ${formatBytes3(freed)} (cap: ${formatBytes3(maxBytes)})`);
+    printSuccess(`Evicted ${formatBytes4(freed)} (cap: ${formatBytes4(maxBytes)})`);
   } else {
     console.log(pc23.dim("No eviction needed (or another process held the lock)."));
   }
@@ -31361,7 +31761,7 @@ function handleList2(worldIdFilter) {
       lastWorldId = manifest.worldId;
     }
     const repo = manifest.repo ?? "(all repos)";
-    const size = formatBytes3(manifest.sizeBytes);
+    const size = formatBytes4(manifest.sizeBytes);
     const age = formatAge2(entry.ageMs);
     const kindColor = manifest.kind === "gems" ? pc23.magenta(manifest.kind) : manifest.kind === "node" ? pc23.cyan(manifest.kind) : pc23.yellow(manifest.kind);
     console.log(
@@ -31382,7 +31782,7 @@ async function loadWorldMeta(worldId) {
   }
   return { workspacePath: world.workspacePath, repoNames: [...world.repos] };
 }
-function formatBytes3(bytes) {
+function formatBytes4(bytes) {
   if (bytes < 1024) return `${bytes}B`;
   if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)}KB`;
   if (bytes < 1024 * 1024 * 1024) return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
@@ -31402,33 +31802,33 @@ init_context();
 init_output();
 import * as fs45 from "node:fs";
 import * as os24 from "node:os";
-import * as path47 from "node:path";
-import { spawnSync as spawnSync18 } from "node:child_process";
+import * as path48 from "node:path";
+import { spawnSync as spawnSync19 } from "node:child_process";
 import ora10 from "ora";
 
 // src/commands/refresh-helpers.ts
 import * as fs44 from "node:fs";
-import * as path46 from "node:path";
+import * as path47 from "node:path";
 function collectCpSourceFiles(standaloneDir) {
   if (!fs44.existsSync(standaloneDir)) {
     throw new Error(`CP standalone dir not found: ${standaloneDir}`);
   }
   const entries = [];
   const topLevel = fs44.readdirSync(standaloneDir).filter((f) => {
-    const stat = fs44.statSync(path46.join(standaloneDir, f));
+    const stat = fs44.statSync(path47.join(standaloneDir, f));
     return stat.isFile() && f.endsWith(".mjs") && !f.endsWith(".test.mjs");
   }).sort();
   for (const f of topLevel) {
-    entries.push({ srcPath: path46.join(standaloneDir, f), destRelPath: f });
+    entries.push({ srcPath: path47.join(standaloneDir, f), destRelPath: f });
   }
-  const libDir = path46.join(standaloneDir, "lib");
+  const libDir = path47.join(standaloneDir, "lib");
   if (fs44.existsSync(libDir) && fs44.statSync(libDir).isDirectory()) {
     const libFiles = fs44.readdirSync(libDir).filter((f) => {
-      const stat = fs44.statSync(path46.join(libDir, f));
+      const stat = fs44.statSync(path47.join(libDir, f));
       return stat.isFile() && f.endsWith(".mjs") && !f.endsWith(".test.mjs");
     }).sort();
     for (const f of libFiles) {
-      entries.push({ srcPath: path46.join(libDir, f), destRelPath: `lib/${f}` });
+      entries.push({ srcPath: path47.join(libDir, f), destRelPath: `lib/${f}` });
     }
   }
   return entries;
@@ -31445,9 +31845,9 @@ function validateServerMjsPresent(entries) {
 var HOST_CP_BASE_PORT = 19080;
 var RESTART_TIMEOUT_S = 30;
 var HEALTH_POLL_MS = 500;
-var HEALTH_TIMEOUT_MS = 3e4;
+var HEALTH_TIMEOUT_MS2 = 3e4;
 function docker(args) {
-  const result = spawnSync18("docker", args, {
+  const result = spawnSync19("docker", args, {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"]
   });
@@ -31457,7 +31857,7 @@ function docker(args) {
     stderr: result.stderr ?? ""
   };
 }
-async function waitForCpHealth(port2, timeoutMs = HEALTH_TIMEOUT_MS) {
+async function waitForCpHealth(port2, timeoutMs = HEALTH_TIMEOUT_MS2) {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     try {
@@ -31487,15 +31887,15 @@ async function refreshWorld(worldId, portOffset, standaloneDir, opts) {
     };
   }
   const stagingDir = fs45.mkdtempSync(
-    path47.join(os24.tmpdir(), `olam-refresh-${worldId}-`)
+    path48.join(os24.tmpdir(), `olam-refresh-${worldId}-`)
   );
   try {
     const hasLib = entries.some((e) => e.destRelPath.startsWith("lib/"));
     if (hasLib) {
-      fs45.mkdirSync(path47.join(stagingDir, "lib"), { recursive: true });
+      fs45.mkdirSync(path48.join(stagingDir, "lib"), { recursive: true });
     }
     for (const { srcPath, destRelPath } of entries) {
-      fs45.copyFileSync(srcPath, path47.join(stagingDir, destRelPath));
+      fs45.copyFileSync(srcPath, path48.join(stagingDir, destRelPath));
     }
     const cpResult = docker([
       "cp",
@@ -31529,7 +31929,7 @@ async function refreshWorld(worldId, portOffset, standaloneDir, opts) {
     const cpPort = HOST_CP_BASE_PORT + portOffset;
     const healthy = await waitForCpHealth(cpPort);
     if (!healthy) {
-      return { worldId, ok: true, error: `healthy but /health at :${cpPort} didn't respond within ${HEALTH_TIMEOUT_MS / 1e3}s` };
+      return { worldId, ok: true, error: `healthy but /health at :${cpPort} didn't respond within ${HEALTH_TIMEOUT_MS2 / 1e3}s` };
     }
   }
   return { worldId, ok: true };
@@ -31547,7 +31947,7 @@ function registerRefresh(program2) {
       process.exitCode = 1;
       return;
     }
-    const standaloneDir = path47.join(
+    const standaloneDir = path48.join(
       process.cwd(),
       "packages/control-plane/standalone"
     );
@@ -31625,637 +32025,256 @@ Run \`olam refresh\` from the olam repo root.`
     }
     if (results.some((r) => !r.ok)) {
       process.exitCode = 1;
-    }
-  });
-}
-
-// src/commands/restart.ts
-init_context();
-init_output();
-import { existsSync as existsSync50 } from "node:fs";
-import { dirname as dirname31, resolve as resolve15 } from "node:path";
-import { spawnSync as spawnSync19 } from "node:child_process";
-var RESTART_TIMEOUT_S2 = 30;
-function docker2(args) {
-  const result = spawnSync19("docker", args, {
-    encoding: "utf-8",
-    stdio: ["ignore", "pipe", "pipe"]
-  });
-  return {
-    ok: result.status === 0 && result.error === void 0,
-    stderr: result.stderr ?? ""
-  };
-}
-function resolveRepoRoot2(start) {
-  let cur = start;
-  while (true) {
-    if (existsSync50(resolve15(cur, "packages")) && existsSync50(resolve15(cur, "package.json"))) {
-      return cur;
-    }
-    const parent = dirname31(cur);
-    if (parent === cur) return start;
-    cur = parent;
-  }
-}
-function registerRestart(program2) {
-  program2.command("restart").description("Restart a world container (auto-builds agent-stream bundle when stale)").argument("<world>", "World ID or name").action(async (worldIdOrName) => {
-    const { ctx, error } = await loadContext();
-    if (!ctx) {
-      printError(error?.message ?? "Olam is not configured. Run `olam init` first.");
-      process.exitCode = 1;
-      return;
-    }
-    const world = ctx.worldManager.getWorld(worldIdOrName);
-    if (!world) {
-      printError(`World "${worldIdOrName}" not found. Run \`olam list\` to see worlds.`);
-      process.exitCode = 1;
-      return;
-    }
-    printHeader(`olam restart: ${world.name}`);
-    try {
-      const bundleSource = resolveBundleSource();
-      if (bundleSource.mode === "install") {
-        process.stderr.write("bundle source: install-mode; skipping rebuild\n");
-      } else {
-        const repoRoot = resolveRepoRoot2(process.cwd());
-        const buildResult = buildIfStale(repoRoot);
-        if (!buildResult.ok) {
-          printError(
-            "Agent-stream bundle build failed. Not restarting with a stale bundle.\nFix the build error and re-run `olam restart`."
-          );
-          process.exitCode = 1;
-          return;
-        }
-        printInfo("Bundle", buildResult.message);
-      }
-    } catch (err) {
-      if (err instanceof BundleSourceNotFoundError) {
-        process.stderr.write(
-          `Warning: agent-stream bundle path unresolved; container uses image-baked dist.
-`
-        );
-      } else {
-        throw err;
-      }
-    }
-    const containerName = `olam-${world.id}-devbox`;
-    printInfo("Container", containerName);
-    const result = docker2(["restart", "--time", String(RESTART_TIMEOUT_S2), containerName]);
-    if (!result.ok) {
-      printError(
-        `docker restart failed: ${result.stderr.trim() || "(no stderr)"}`
-      );
-      process.exitCode = 1;
-      return;
-    }
-    printInfo("Status", "restarted");
-  });
-}
-
-// src/commands/diagnose.ts
-import * as fs46 from "node:fs";
-import * as os25 from "node:os";
-import * as path48 from "node:path";
-import { execFileSync as execFileSync11, execSync as execSync12 } from "node:child_process";
-import pc24 from "picocolors";
-
-// ../core/dist/diagnose/secret-stripper.js
-var SECRET_PATTERNS = [
-  { name: "anthropic-key", re: /sk-ant-[A-Za-z0-9\-_]{8,}/g },
-  { name: "github-pat", re: /gh[pourstu]_[A-Za-z0-9]{20,}/g },
-  { name: "github-pat-fgp", re: /github_pat_[A-Za-z0-9_]{22,}/g },
-  { name: "aws-access-key", re: /AKIA[A-Z0-9]{16}/g },
-  { name: "bearer-header", re: /Bearer\s+[A-Za-z0-9._\-+/=]{16,}/g },
-  { name: "slack-token", re: /xox[bpsa]-[A-Za-z0-9-]{10,}/g },
-  { name: "host-cp-token", re: /(?:host[-_.]?cp[-_.]?token|"token")\s*[:=]\s*"?([A-Za-z0-9._\-]{16,})"?/gi },
-  { name: "generic-hex-key", re: /\bkey\s*[:=]\s*[0-9a-f]{32,}/gi },
-  { name: "db-url", re: /(?:postgres|mysql|redis|mongodb):\/\/[^:]+:[^@]+@[^\s'"]+/gi },
-  { name: "env-secret", re: /(?:API_KEY|SECRET_KEY|AUTH_TOKEN|ACCESS_TOKEN|PRIVATE_KEY|DATABASE_URL|REDIS_URL)\s*[=:]\s*\S+/gi },
-  { name: "pem-key", re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC )?PRIVATE KEY-----/g }
-];
-var REDACTED = "[REDACTED]";
-function stripSecrets(input2) {
-  let out = input2;
-  for (const { re } of SECRET_PATTERNS) {
-    re.lastIndex = 0;
-    out = out.replace(re, (match2) => {
-      const colonOrEq = match2.indexOf(":") !== -1 ? match2.indexOf(":") : match2.indexOf("=");
-      if (colonOrEq !== -1 && (match2.includes("token") || match2.includes("key") || match2.includes("KEY"))) {
-        return match2.slice(0, colonOrEq + 1) + " " + REDACTED;
-      }
-      return REDACTED;
-    });
-  }
-  return out;
-}
-
-// src/commands/diagnose.ts
-var DIAGNOSTICS_DIR = path48.join(os25.homedir(), ".olam", "diagnostics");
-var LOG_DIR = path48.join(os25.homedir(), ".olam", "log");
-var CACHE_DIR = path48.join(os25.homedir(), ".olam", "cache");
-var LOG_TAIL_LINES = 200;
-function safeExec(cmd) {
-  try {
-    return execSync12(cmd, { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] });
-  } catch {
-    return "";
-  }
-}
-function defaultZip(zipPath, files) {
-  execFileSync11("zip", ["-j", zipPath, ...files]);
-}
-async function buildDiagnosticsZip(_exec = (cmd) => safeExec(cmd), _outDir = DIAGNOSTICS_DIR, _logDir = LOG_DIR, _zip = defaultZip) {
-  const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 23);
-  const zipPath = path48.join(_outDir, `olam-diag-${ts}.zip`);
-  const tmpDir = fs46.mkdtempSync(path48.join(os25.tmpdir(), "olam-diag-"));
-  try {
-    fs46.mkdirSync(_outDir, { recursive: true });
-    const entries = [];
-    const version = process.env["OLAM_CLI_VERSION"] ?? "unknown";
-    const nodeVersion = process.version;
-    const platform = `${process.platform}/${process.arch}`;
-    const versionContent = `olam: ${version}
-node: ${nodeVersion}
-platform: ${platform}
-`;
-    _writeEntry(tmpDir, "version.txt", stripSecrets(versionContent), entries);
-    const osContent = [
-      `os: ${os25.type()} ${os25.release()}`,
-      `arch: ${os25.arch()}`,
-      `uptime: ${os25.uptime()}s`
-    ].join("\n") + "\n";
-    _writeEntry(tmpDir, "os-info.txt", stripSecrets(osContent), entries);
-    const depsFile = path48.join(CACHE_DIR, "deps.json");
-    if (fs46.existsSync(depsFile)) {
-      const deps = fs46.readFileSync(depsFile, "utf-8");
-      _writeEntry(tmpDir, "deps.json", stripSecrets(deps), entries);
-    }
-    const latestLog = _latestLog(_logDir);
-    if (latestLog) {
-      const lines = fs46.readFileSync(latestLog, "utf-8").split("\n");
-      const tail = lines.slice(-LOG_TAIL_LINES).join("\n");
-      _writeEntry(tmpDir, "log-tail.txt", stripSecrets(tail), entries);
-    }
-    const statusOut = _exec("olam status --json");
-    if (statusOut) {
-      _writeEntry(tmpDir, "status.json", stripSecrets(statusOut), entries);
-    }
-    const authAudit = _exec("npm run audit:auth-callers --if-present 2>&1");
-    if (authAudit) {
-      _writeEntry(tmpDir, "audit-auth-callers.txt", stripSecrets(authAudit), entries);
-    }
-    const fileArgs = entries.map((e) => path48.join(tmpDir, e));
-    try {
-      _zip(zipPath, fileArgs);
-    } catch (err) {
-      throw new Error(`zip command produced no output file. zip stderr: ${err.message}`);
-    }
-    if (!fs46.existsSync(zipPath)) {
-      throw new Error("zip command produced no output file.");
-    }
-    return { zipPath, entries };
-  } finally {
-    try {
-      fs46.rmSync(tmpDir, { recursive: true, force: true });
-    } catch {
-    }
-  }
-}
-function _writeEntry(dir, name, content, entries) {
-  fs46.writeFileSync(path48.join(dir, name), content, { mode: 420 });
-  entries.push(name);
-}
-function _latestLog(logDir) {
-  if (!fs46.existsSync(logDir)) return null;
-  const files = fs46.readdirSync(logDir).filter((f) => f.startsWith("host-")).sort().reverse();
-  return files.length > 0 ? path48.join(logDir, files[0]) : null;
-}
-async function buildTelemetryPayload() {
-  const channel = "stable";
-  const manifestFile = path48.join(CACHE_DIR, "manifest.json");
-  let manifestAgeHours = null;
-  if (fs46.existsSync(manifestFile)) {
-    const mtime = fs46.statSync(manifestFile).mtime.getTime();
-    manifestAgeHours = Math.round((Date.now() - mtime) / 36e5);
-  }
-  return {
-    version: process.env["OLAM_CLI_VERSION"] ?? "unknown",
-    os: process.platform,
-    arch: process.arch,
-    channel,
-    manifest_age_hours: manifestAgeHours
-    // No userid, no project, no path — privacy per design doc
-  };
-}
-function registerDiagnose(program2) {
-  program2.command("diagnose").description("Bundle diagnostics into a zip file for sharing with maintainers").option("--show-telemetry", "Print the telemetry payload that would be sent (no endpoint yet)").option("--no-telemetry", "Suppress telemetry payload (future opt-out)").option("--upload", "Share zip with maintainers (endpoint not yet provisioned)").option("--quiet", "Suppress progress output").action(async (opts) => {
-    if (opts.showTelemetry) {
-      const payload = await buildTelemetryPayload();
-      console.log(JSON.stringify(payload, null, 2));
-      return;
-    }
-    if (!opts.quiet) {
-      console.log(pc24.cyan("Building diagnostics zip\u2026"));
-    }
-    try {
-      const { zipPath, entries } = await buildDiagnosticsZip();
-      if (!opts.quiet) {
-        console.log(pc24.green(`Done: ${zipPath}`));
-        console.log(pc24.dim(`Contents: ${entries.join(", ")}`));
-      }
-      if (opts.upload) {
-        console.log(pc24.yellow(
-          `Telemetry endpoint not yet provisioned. Share the zip manually:
-  File: ${zipPath}
-  See docs/runbooks/share-diagnostics.md for instructions.`
-        ));
-      }
-    } catch (err) {
-      console.error(pc24.red(`Diagnose failed: ${err.message}`));
-      process.exitCode = 1;
-    }
-  });
-}
-
-// src/lib/health-probes.ts
-import { spawnSync as spawnSync20 } from "node:child_process";
-import { existsSync as existsSync52, readdirSync as readdirSync13, readFileSync as readFileSync38, statSync as statSync15 } from "node:fs";
-import { homedir as homedir25 } from "node:os";
-import path49 from "node:path";
-
-// src/lib/kg-caps.ts
-var SOFT_CAP_BYTES = 15e8;
-var HARD_CAP_BYTES = 5e9;
-
-// src/lib/health-probes.ts
-var HEALTH_TIMEOUT_MS2 = 5e3;
-var COLIMA_010_WARN_TEXT = (
-  // eslint-disable-next-line @typescript-eslint/quotes
-  "Colima 0.10.1's --kubernetes mode is broken upstream. Either switch to OLAM_HOST_CP_ENGINE=docker (recommended) or downgrade Colima to 0.9.x. Track abiosoft/colima issues for fix."
-);
-var COLIMA_010_RANGE = /^v?0\.10\.\d+$/;
-var defaultDockerExec2 = (cmd, args) => {
-  const r = spawnSync20(cmd, [...args], {
+    }
+  });
+}
+
+// src/commands/restart.ts
+init_context();
+init_output();
+import { existsSync as existsSync51 } from "node:fs";
+import { dirname as dirname31, resolve as resolve15 } from "node:path";
+import { spawnSync as spawnSync20 } from "node:child_process";
+var RESTART_TIMEOUT_S2 = 30;
+function docker2(args) {
+  const result = spawnSync20("docker", args, {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"]
   });
   return {
-    status: r.status,
-    stdout: r.stdout ?? "",
-    stderr: r.stderr ?? ""
-  };
-};
-var defaultFetch = (input2, init) => fetch(input2, init);
-async function probeDockerDaemon(dockerExec = defaultDockerExec2) {
-  const r = dockerExec("docker", ["info", "--format", "{{.ServerVersion}}"]);
-  if (r.status === 0 && r.stdout.trim().length > 0) {
-    return { ok: true, message: `docker ${r.stdout.trim()} reachable` };
-  }
-  return {
-    ok: false,
-    message: "docker daemon not reachable",
-    remedy: "Start Docker Desktop (or your docker daemon) and re-run."
+    ok: result.status === 0 && result.error === void 0,
+    stderr: result.stderr ?? ""
   };
 }
-async function probeImagePresence(refs, dockerExec = defaultDockerExec2) {
-  for (const ref of refs) {
-    const r = dockerExec("docker", ["image", "inspect", "--format", "{{.Id}}", ref]);
-    if (r.status !== 0) {
-      return {
-        ok: false,
-        message: `image ${ref} not present locally`,
-        remedy: "Run `olam bootstrap` to pull the published image, or build locally."
-      };
+function resolveRepoRoot2(start) {
+  let cur = start;
+  while (true) {
+    if (existsSync51(resolve15(cur, "packages")) && existsSync51(resolve15(cur, "package.json"))) {
+      return cur;
     }
+    const parent = dirname31(cur);
+    if (parent === cur) return start;
+    cur = parent;
   }
-  return { ok: true, message: `${refs.length} image(s) present` };
 }
-async function probeHostCpHealth(fetchImpl = defaultFetch) {
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), HEALTH_TIMEOUT_MS2);
-  try {
-    const res = await fetchImpl("http://127.0.0.1:19000/health", { signal: controller.signal });
-    const body = await res.text().catch(() => "");
-    if (res.status !== 200) {
-      return {
-        ok: false,
-        message: `host-cp /health returned ${res.status}`,
-        remedy: "Restart host-cp via `olam host-cp start`; verify port 19000 is bound to 127.0.0.1."
-      };
+function registerRestart(program2) {
+  program2.command("restart").description("Restart a world container (auto-builds agent-stream bundle when stale)").argument("<world>", "World ID or name").action(async (worldIdOrName) => {
+    const { ctx, error } = await loadContext();
+    if (!ctx) {
+      printError(error?.message ?? "Olam is not configured. Run `olam init` first.");
+      process.exitCode = 1;
+      return;
     }
-    if (isHostCpHealthEnvelope(body)) {
-      return { ok: true, message: "host-cp /health returned 200" };
+    const world = ctx.worldManager.getWorld(worldIdOrName);
+    if (!world) {
+      printError(`World "${worldIdOrName}" not found. Run \`olam list\` to see worlds.`);
+      process.exitCode = 1;
+      return;
     }
-    return {
-      ok: false,
-      message: "host-cp /health returned 200 but body did not match the host-cp envelope (possible port collision on :19000)",
-      remedy: "Check `lsof -iTCP:19000`; another process may have bound the port. Restart host-cp via `olam host-cp start`."
-    };
-  } catch (err) {
-    const e = err;
-    const reason = e.name === "AbortError" ? `timeout (${HEALTH_TIMEOUT_MS2}ms)` : e.message;
-    return {
-      ok: false,
-      message: `host-cp /health unreachable: ${reason}`,
-      remedy: "Restart host-cp via `olam host-cp start`; verify port 19000 is bound to 127.0.0.1."
-    };
-  } finally {
-    clearTimeout(timeout);
-  }
-}
-function isHostCpHealthEnvelope(body) {
-  let parsed;
-  try {
-    parsed = JSON.parse(body);
-  } catch {
-    return false;
-  }
-  if (!parsed || typeof parsed !== "object") return false;
-  const obj = parsed;
-  if (typeof obj.phase !== "string") return false;
-  if (!obj.cache || typeof obj.cache !== "object") return false;
-  const mode = obj.mode;
-  if (!mode || typeof mode !== "object") return false;
-  if (typeof mode.deployment !== "string") return false;
-  return true;
-}
-async function probeAuthVault(olamHomeOverride) {
-  const vaultPath = resolveAccountsPath(olamHomeOverride);
-  if (!existsSync52(vaultPath)) {
-    return {
-      ok: false,
-      message: `auth vault missing at ${vaultPath}`,
-      remedy: "Run `olam auth up && olam auth login` to provision the vault."
-    };
-  }
-  let parsed;
-  try {
-    parsed = JSON.parse(readFileSync38(vaultPath, "utf-8"));
-  } catch (err) {
-    return {
-      ok: false,
-      message: `auth vault malformed: ${err.message}`,
-      remedy: "Inspect the accounts.json file; restore from backup or re-run `olam auth up`."
-    };
-  }
-  if (!Array.isArray(parsed)) {
-    return {
-      ok: false,
-      message: "auth vault malformed: expected JSON array at top level",
-      remedy: "Restore the vault from backup or re-run `olam auth up && olam auth login`."
-    };
-  }
-  const accounts = parsed.filter((a) => a !== null && typeof a === "object");
-  const now = Date.now();
-  const activeClaude = accounts.filter((a) => a.provider === "claude" && effectiveState2(a, now) === "active");
-  if (activeClaude.length === 0) {
-    return {
-      ok: false,
-      message: `no active claude credentials (vault has ${accounts.length} account(s))`,
-      remedy: "Run `olam auth login` to add a credential, or wait for the next reset."
-    };
-  }
-  return { ok: true, message: `${activeClaude.length} active claude credential(s)` };
-}
-function resolveAccountsPath(olamHomeOverride) {
-  const explicit = process.env.OLAM_AUTH_DATA_PATH;
-  if (explicit) return explicit;
-  const olamHome5 = olamHomeOverride ?? process.env.OLAM_HOME ?? path49.join(homedir25(), ".olam");
-  return path49.join(olamHome5, "auth-data", "accounts.json");
-}
-function effectiveState2(account, now) {
-  const persisted = account.state ?? (account.rateLimited ? "cooldown" : "active");
-  if (persisted === "disabled") return "disabled";
-  if (typeof account.expiresAt === "number" && account.expiresAt <= now) return "expired";
-  if (persisted === "cooldown") {
-    const reset = account.rateLimitResetsAt ? new Date(account.rateLimitResetsAt).getTime() : 0;
-    if (reset > 0 && reset <= now) return "active";
-  }
-  return persisted;
-}
-async function probeKgStorage(olamHomeOverride) {
-  const olamHome5 = olamHomeOverride ?? process.env.OLAM_HOME ?? path49.join(homedir25(), ".olam");
-  const kgRoot3 = path49.join(olamHome5, "kg");
-  const worldsRoot3 = path49.join(olamHome5, "worlds");
-  const kgBytes = enumerateGraphifyOut(kgRoot3, "pristine");
-  const overlayBytes = enumerateGraphifyOut(worldsRoot3, "overlay");
-  const totalBytes = kgBytes + overlayBytes;
-  if (totalBytes >= HARD_CAP_BYTES) {
-    return {
-      ok: false,
-      message: `KG storage ${formatBytes4(totalBytes)} exceeds 5 GB hard cap`,
-      remedy: "Prune stale pristines: `rm -rf ~/.olam/kg/<workspace>` after operator review."
-    };
-  }
-  if (totalBytes >= SOFT_CAP_BYTES) {
-    return {
-      ok: true,
-      message: `KG storage ${formatBytes4(totalBytes)} (soft-warn \u2014 exceeds 1.5 GB; consider pruning)`
-    };
-  }
-  return { ok: true, message: `KG storage ${formatBytes4(totalBytes)} (under cap)` };
-}
-function enumerateGraphifyOut(root, layout) {
-  if (!existsSync52(root)) return 0;
-  let total = 0;
-  let entries;
-  try {
-    entries = readdirSync13(root, { withFileTypes: true });
-  } catch {
-    return 0;
-  }
-  for (const entry of entries) {
-    if (!entry.isDirectory()) continue;
-    if (layout === "pristine") {
-      total += dirSizeBytes(path49.join(root, entry.name, "graphify-out"));
-    } else {
-      const worldDir = path49.join(root, entry.name);
-      let clones;
-      try {
-        clones = readdirSync13(worldDir, { withFileTypes: true });
-      } catch {
-        continue;
+    printHeader(`olam restart: ${world.name}`);
+    try {
+      const bundleSource = resolveBundleSource();
+      if (bundleSource.mode === "install") {
+        process.stderr.write("bundle source: install-mode; skipping rebuild\n");
+      } else {
+        const repoRoot = resolveRepoRoot2(process.cwd());
+        const buildResult = buildIfStale(repoRoot);
+        if (!buildResult.ok) {
+          printError(
+            "Agent-stream bundle build failed. Not restarting with a stale bundle.\nFix the build error and re-run `olam restart`."
+          );
+          process.exitCode = 1;
+          return;
+        }
+        printInfo("Bundle", buildResult.message);
       }
-      for (const clone of clones) {
-        if (!clone.isDirectory()) continue;
-        total += dirSizeBytes(path49.join(worldDir, clone.name, "graphify-out"));
+    } catch (err) {
+      if (err instanceof BundleSourceNotFoundError) {
+        process.stderr.write(
+          `Warning: agent-stream bundle path unresolved; container uses image-baked dist.
+`
+        );
+      } else {
+        throw err;
       }
     }
-  }
-  return total;
-}
-function dirSizeBytes(dir) {
-  if (!existsSync52(dir)) return 0;
-  let total = 0;
-  const stack = [dir];
-  while (stack.length > 0) {
-    const cur = stack.pop();
-    let entries;
-    try {
-      entries = readdirSync13(cur, { withFileTypes: true });
-    } catch {
-      continue;
+    const containerName = `olam-${world.id}-devbox`;
+    printInfo("Container", containerName);
+    const result = docker2(["restart", "--time", String(RESTART_TIMEOUT_S2), containerName]);
+    if (!result.ok) {
+      printError(
+        `docker restart failed: ${result.stderr.trim() || "(no stderr)"}`
+      );
+      process.exitCode = 1;
+      return;
     }
-    for (const entry of entries) {
-      const full = path49.join(cur, entry.name);
-      if (entry.isSymbolicLink()) continue;
-      if (entry.isDirectory()) {
-        stack.push(full);
-        continue;
-      }
-      try {
-        total += statSync15(full).size;
-      } catch {
+    printInfo("Status", "restarted");
+  });
+}
+
+// src/commands/diagnose.ts
+import * as fs46 from "node:fs";
+import * as os25 from "node:os";
+import * as path49 from "node:path";
+import { execFileSync as execFileSync11, execSync as execSync12 } from "node:child_process";
+import pc24 from "picocolors";
+
+// ../core/dist/diagnose/secret-stripper.js
+var SECRET_PATTERNS = [
+  { name: "anthropic-key", re: /sk-ant-[A-Za-z0-9\-_]{8,}/g },
+  { name: "github-pat", re: /gh[pourstu]_[A-Za-z0-9]{20,}/g },
+  { name: "github-pat-fgp", re: /github_pat_[A-Za-z0-9_]{22,}/g },
+  { name: "aws-access-key", re: /AKIA[A-Z0-9]{16}/g },
+  { name: "bearer-header", re: /Bearer\s+[A-Za-z0-9._\-+/=]{16,}/g },
+  { name: "slack-token", re: /xox[bpsa]-[A-Za-z0-9-]{10,}/g },
+  { name: "host-cp-token", re: /(?:host[-_.]?cp[-_.]?token|"token")\s*[:=]\s*"?([A-Za-z0-9._\-]{16,})"?/gi },
+  { name: "generic-hex-key", re: /\bkey\s*[:=]\s*[0-9a-f]{32,}/gi },
+  { name: "db-url", re: /(?:postgres|mysql|redis|mongodb):\/\/[^:]+:[^@]+@[^\s'"]+/gi },
+  { name: "env-secret", re: /(?:API_KEY|SECRET_KEY|AUTH_TOKEN|ACCESS_TOKEN|PRIVATE_KEY|DATABASE_URL|REDIS_URL)\s*[=:]\s*\S+/gi },
+  { name: "pem-key", re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC )?PRIVATE KEY-----/g }
+];
+var REDACTED = "[REDACTED]";
+function stripSecrets(input2) {
+  let out = input2;
+  for (const { re } of SECRET_PATTERNS) {
+    re.lastIndex = 0;
+    out = out.replace(re, (match2) => {
+      const colonOrEq = match2.indexOf(":") !== -1 ? match2.indexOf(":") : match2.indexOf("=");
+      if (colonOrEq !== -1 && (match2.includes("token") || match2.includes("key") || match2.includes("KEY"))) {
+        return match2.slice(0, colonOrEq + 1) + " " + REDACTED;
       }
-    }
+      return REDACTED;
+    });
   }
-  return total;
+  return out;
 }
-function formatBytes4(n) {
-  if (n < 1024) return `${n} B`;
-  if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)} KB`;
-  if (n < 1024 * 1024 * 1024) return `${(n / 1024 / 1024).toFixed(1)} MB`;
-  return `${(n / 1024 / 1024 / 1024).toFixed(2)} GB`;
+
+// src/commands/diagnose.ts
+var DIAGNOSTICS_DIR = path49.join(os25.homedir(), ".olam", "diagnostics");
+var LOG_DIR = path49.join(os25.homedir(), ".olam", "log");
+var CACHE_DIR = path49.join(os25.homedir(), ".olam", "cache");
+var LOG_TAIL_LINES = 200;
+function safeExec(cmd) {
+  try {
+    return execSync12(cmd, { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] });
+  } catch {
+    return "";
+  }
 }
-async function probeEngine(fetchImpl = defaultFetch) {
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), HEALTH_TIMEOUT_MS2);
+function defaultZip(zipPath, files) {
+  execFileSync11("zip", ["-j", zipPath, ...files]);
+}
+async function buildDiagnosticsZip(_exec = (cmd) => safeExec(cmd), _outDir = DIAGNOSTICS_DIR, _logDir = LOG_DIR, _zip = defaultZip) {
+  const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 23);
+  const zipPath = path49.join(_outDir, `olam-diag-${ts}.zip`);
+  const tmpDir = fs46.mkdtempSync(path49.join(os25.tmpdir(), "olam-diag-"));
   try {
-    const res = await fetchImpl("http://127.0.0.1:19000/health", { signal: controller.signal });
-    await res.text().catch(() => "");
-    if (res.status !== 200) {
-      return {
-        ok: false,
-        message: `host-cp /health returned ${res.status}; engine unknown`,
-        remedy: "Restart host-cp via `olam host-cp start`; verify port 19000 is bound to 127.0.0.1."
-      };
+    fs46.mkdirSync(_outDir, { recursive: true });
+    const entries = [];
+    const version = process.env["OLAM_CLI_VERSION"] ?? "unknown";
+    const nodeVersion = process.version;
+    const platform = `${process.platform}/${process.arch}`;
+    const versionContent = `olam: ${version}
+node: ${nodeVersion}
+platform: ${platform}
+`;
+    _writeEntry(tmpDir, "version.txt", stripSecrets(versionContent), entries);
+    const osContent = [
+      `os: ${os25.type()} ${os25.release()}`,
+      `arch: ${os25.arch()}`,
+      `uptime: ${os25.uptime()}s`
+    ].join("\n") + "\n";
+    _writeEntry(tmpDir, "os-info.txt", stripSecrets(osContent), entries);
+    const depsFile = path49.join(CACHE_DIR, "deps.json");
+    if (fs46.existsSync(depsFile)) {
+      const deps = fs46.readFileSync(depsFile, "utf-8");
+      _writeEntry(tmpDir, "deps.json", stripSecrets(deps), entries);
     }
-    const engineHeader = res.headers.get("x-olam-engine") ?? res.headers.get("X-Olam-Engine");
-    if (!engineHeader) {
-      return {
-        ok: true,
-        message: "engine unknown (X-Olam-Engine header absent \u2014 older host-cp?)"
-      };
+    const latestLog = _latestLog(_logDir);
+    if (latestLog) {
+      const lines = fs46.readFileSync(latestLog, "utf-8").split("\n");
+      const tail = lines.slice(-LOG_TAIL_LINES).join("\n");
+      _writeEntry(tmpDir, "log-tail.txt", stripSecrets(tail), entries);
     }
-    return {
-      ok: true,
-      message: `engine ${engineHeader}`,
-      engineName: engineHeader
-    };
-  } catch (err) {
-    const e = err;
-    const reason = e.name === "AbortError" ? `timeout (${HEALTH_TIMEOUT_MS2}ms)` : e.message;
-    return {
-      ok: false,
-      message: `engine probe unreachable: ${reason}`,
-      remedy: "Restart host-cp via `olam host-cp start`; verify port 19000 is bound to 127.0.0.1."
-    };
+    const statusOut = _exec("olam status --json");
+    if (statusOut) {
+      _writeEntry(tmpDir, "status.json", stripSecrets(statusOut), entries);
+    }
+    const authAudit = _exec("npm run audit:auth-callers --if-present 2>&1");
+    if (authAudit) {
+      _writeEntry(tmpDir, "audit-auth-callers.txt", stripSecrets(authAudit), entries);
+    }
+    const fileArgs = entries.map((e) => path49.join(tmpDir, e));
+    try {
+      _zip(zipPath, fileArgs);
+    } catch (err) {
+      throw new Error(`zip command produced no output file. zip stderr: ${err.message}`);
+    }
+    if (!fs46.existsSync(zipPath)) {
+      throw new Error("zip command produced no output file.");
+    }
+    return { zipPath, entries };
   } finally {
-    clearTimeout(timeout);
-  }
-}
-async function probeColimaVersion(dockerExec = defaultDockerExec2) {
-  const r = dockerExec("colima", ["version"]);
-  if (r.status === null || r.status !== 0 && /not found|ENOENT|not.found/i.test(r.stderr)) {
-    return { ok: true, message: "colima not installed (not in use)" };
-  }
-  if (r.status !== 0) {
-    return {
-      ok: true,
-      message: `colima present but version probe failed: ${(r.stderr || "").trim()}`
-    };
-  }
-  const tokens = r.stdout.split(/\s+/);
-  const version = tokens.find((t) => /^v?\d+\.\d+\.\d+/.test(t)) ?? "";
-  if (!version) {
-    return {
-      ok: true,
-      message: `colima present but version unrecognised: ${r.stdout.trim().slice(0, 80)}`
-    };
-  }
-  if (COLIMA_010_RANGE.test(version)) {
-    return {
-      ok: true,
-      warn: true,
-      message: `colima ${version} detected \u2014 known kubernetes-mode regression`,
-      remedy: COLIMA_010_WARN_TEXT
-    };
-  }
-  return { ok: true, message: `colima ${version} (clear)` };
-}
-async function probeK8sApiReachable(exec = defaultDockerExec2) {
-  const r = exec("kubectl", ["version", "--output=json", "--request-timeout=2s"]);
-  if (r.status === 0 && r.stdout.length > 0) {
-    let parsed;
     try {
-      parsed = JSON.parse(r.stdout);
+      fs46.rmSync(tmpDir, { recursive: true, force: true });
     } catch {
-      parsed = null;
     }
-    const obj = parsed && typeof parsed === "object" ? parsed : {};
-    const serverInfo = obj.serverVersion;
-    const gitVersion = typeof serverInfo?.gitVersion === "string" ? serverInfo.gitVersion : "unknown";
-    return { ok: true, message: `api server ${gitVersion} reachable` };
+  }
+}
+function _writeEntry(dir, name, content, entries) {
+  fs46.writeFileSync(path49.join(dir, name), content, { mode: 420 });
+  entries.push(name);
+}
+function _latestLog(logDir) {
+  if (!fs46.existsSync(logDir)) return null;
+  const files = fs46.readdirSync(logDir).filter((f) => f.startsWith("host-")).sort().reverse();
+  return files.length > 0 ? path49.join(logDir, files[0]) : null;
+}
+async function buildTelemetryPayload() {
+  const channel = "stable";
+  const manifestFile = path49.join(CACHE_DIR, "manifest.json");
+  let manifestAgeHours = null;
+  if (fs46.existsSync(manifestFile)) {
+    const mtime = fs46.statSync(manifestFile).mtime.getTime();
+    manifestAgeHours = Math.round((Date.now() - mtime) / 36e5);
   }
   return {
-    ok: false,
-    message: "api server not reachable",
-    remedy: "Confirm the cluster is up (e.g. `k3d cluster list`) and your context points at it."
+    version: process.env["OLAM_CLI_VERSION"] ?? "unknown",
+    os: process.platform,
+    arch: process.arch,
+    channel,
+    manifest_age_hours: manifestAgeHours
+    // No userid, no project, no path — privacy per design doc
   };
 }
-async function probeK8sImagePresence(refs, exec = defaultDockerExec2) {
-  const r = exec("kubectl", ["get", "nodes", "-o", "json", "--request-timeout=2s"]);
-  if (r.status !== 0) {
-    return {
-      ok: false,
-      message: "unable to list cluster nodes for image presence check",
-      remedy: "Confirm the cluster is up and your context points at it; re-run `olam doctor`."
-    };
-  }
-  let parsed;
-  try {
-    parsed = JSON.parse(r.stdout);
-  } catch {
-    return {
-      ok: false,
-      message: "cluster node list returned malformed output",
-      remedy: "Restart your cluster; if persistent, re-create it."
-    };
-  }
-  const nodes = parsed && typeof parsed === "object" ? parsed.items : void 0;
-  if (!Array.isArray(nodes) || nodes.length === 0) {
-    return {
-      ok: false,
-      message: "cluster has no nodes",
-      remedy: "Start the cluster and try again."
-    };
-  }
-  const presentImages = /* @__PURE__ */ new Set();
-  for (const node of nodes) {
-    const status2 = node.status;
-    const images = status2?.images;
-    if (!Array.isArray(images)) continue;
-    for (const img of images) {
-      const names = img.names;
-      if (!Array.isArray(names)) continue;
-      for (const n of names) presentImages.add(n);
+function registerDiagnose(program2) {
+  program2.command("diagnose").description("Bundle diagnostics into a zip file for sharing with maintainers").option("--show-telemetry", "Print the telemetry payload that would be sent (no endpoint yet)").option("--no-telemetry", "Suppress telemetry payload (future opt-out)").option("--upload", "Share zip with maintainers (endpoint not yet provisioned)").option("--quiet", "Suppress progress output").action(async (opts) => {
+    if (opts.showTelemetry) {
+      const payload = await buildTelemetryPayload();
+      console.log(JSON.stringify(payload, null, 2));
+      return;
     }
-  }
-  for (const ref of refs) {
-    if (!hasImageRef(presentImages, ref)) {
-      return {
-        ok: false,
-        message: `image ${ref} not present on any cluster node`,
-        remedy: "Run `olam bootstrap` to import the published image into the cluster."
-      };
+    if (!opts.quiet) {
+      console.log(pc24.cyan("Building diagnostics zip\u2026"));
     }
-  }
-  return { ok: true, message: `${refs.length} image(s) present on cluster` };
-}
-function hasImageRef(present, ref) {
-  if (present.has(ref)) return true;
-  const variants = [`docker.io/library/${ref}`, `docker.io/${ref}`];
-  return variants.some((v) => present.has(v));
+    try {
+      const { zipPath, entries } = await buildDiagnosticsZip();
+      if (!opts.quiet) {
+        console.log(pc24.green(`Done: ${zipPath}`));
+        console.log(pc24.dim(`Contents: ${entries.join(", ")}`));
+      }
+      if (opts.upload) {
+        console.log(pc24.yellow(
+          `Telemetry endpoint not yet provisioned. Share the zip manually:
+  File: ${zipPath}
+  See docs/runbooks/share-diagnostics.md for instructions.`
+        ));
+      }
+    } catch (err) {
+      console.error(pc24.red(`Diagnose failed: ${err.message}`));
+      process.exitCode = 1;
+    }
+  });
 }
 
 // src/lib/bundle-freshness.ts
@@ -32497,7 +32516,8 @@ async function runDoctor(opts, deps = {}) {
     const nodeMemResult = probeNodeMemory(dockerExec, k8sCtx);
     rows.push({ name: "node memory", result: nodeMemResult, position: 27 });
     const socketCheckImpl = deps.dockerSocketCheckImpl;
-    const socketResult = await probeDockerSocketBindMount(k8sCtx, wrapImpl, socketCheckImpl);
+    const detectClusterTypeImpl = deps.detectK8sClusterTypeImpl;
+    const socketResult = await probeDockerSocketBindMount(k8sCtx, wrapImpl, socketCheckImpl, detectClusterTypeImpl);
     rows.push({ name: "docker socket bind-mount", result: socketResult, position: 28 });
   } else {
     const bundleResult = await probeBundleFreshness({
@@ -32731,19 +32751,26 @@ async function defaultDockerSocketCheck(kubectlContext, wrapImpl) {
   );
   return result.ok;
 }
-async function probeDockerSocketBindMount(kubectlContext, wrapImpl, checkImpl) {
+async function probeDockerSocketBindMount(kubectlContext, wrapImpl, checkImpl, detectClusterTypeImpl) {
   const check = checkImpl ?? defaultDockerSocketCheck;
   const accessible = await check(kubectlContext, wrapImpl);
   if (accessible) {
     return { ok: true, message: "docker socket accessible at /var/run/docker.sock" };
   }
+  const clusterType = (detectClusterTypeImpl ?? defaultDetectK8sClusterType)(kubectlContext);
   return {
     ok: true,
     warn: true,
     message: "docker socket not accessible at /var/run/docker.sock",
-    remedy: "Recreate the k3d cluster with the docker socket bind-mount:\n  k3d cluster create olam-host \\\n    --volume /var/run/docker.sock:/var/run/docker.sock@server:* \\\n    --volume ~/.config/gh:/host/.config/gh \\\n    --volume <olam-repo>:/host/olam \\\n    --wait --timeout 90s\nThen run: olam upgrade"
+    remedy: buildDockerSocketRemedy(clusterType)
   };
 }
+async function runK8sPreflight(opts, deps = {}) {
+  const dockerExec = deps.dockerExec;
+  const result = await probeK8sApiReachable(dockerExec);
+  const rows = [{ name: "api server", result, position: 1 }];
+  return emit(makeReport(rows), opts);
+}
 function makeReport(rows) {
   const failureCount = rows.filter((r) => !r.result.ok).length;
   const warnCount = rows.filter((r) => isWarn(r.result)).length;
@@ -32968,6 +32995,7 @@ async function handleSet(target, deps = {}) {
   const write = deps.writeConfig ?? writeConfig;
   const emit2 = deps.emit ?? emitSubstrateSet;
   const runDoctorFn = deps.runDoctor ?? runDoctor;
+  const k8sPreflightFn = deps.runK8sPreflightFn ?? runK8sPreflight;
   const countWorlds = deps.countWorlds ?? defaultCountWorlds;
   if (target !== "compose" && target !== "kubernetes") {
     stderr.write(
@@ -33011,7 +33039,11 @@ async function handleSet(target, deps = {}) {
 `);
   let doctorResult;
   try {
-    doctorResult = await runDoctorFn({ json: true }, { engine });
+    if (engine === "kubernetes") {
+      doctorResult = await k8sPreflightFn({ json: true });
+    } else {
+      doctorResult = await runDoctorFn({ json: true }, { engine });
+    }
   } catch (err) {
     stderr.write(
       `${pc26.red("error:")} pre-flight crashed: ${err instanceof Error ? err.message : String(err)}
@@ -33507,6 +33539,11 @@ async function runProjectSweepPhase(opts, deps, sweepDeps = {}) {
       // gitUrl is required by schema; file:// is in the URL_PATTERN allow-list.
       gitUrl: `file://${projectsRoot}`,
       trustMethod: "none",
+      // Extra passthrough fields (rootPath, matchedCount, etc.) are
+      // accepted via TrustAuditEntrySchema's `.passthrough()` — the
+      // inferred type carries an index signature for unknown keys, so
+      // TS accepts these without a cast. Schema discriminated-union to
+      // land in follow-up plan-hard pass; see Phase D CP3 finding ADV-D-03.
       rootPath: projectsRoot,
       matchedCount: matches2.length,
       builtCount,