@pleri/olam-cli 0.1.152 → 0.1.157

package/dist/lib/memory-host-process-migration.js

@@ -0,0 +1,156 @@
+/**
+ * memory-host-process-migration.ts — idempotent cleanup of the Phase A
+ * host-process model's residual state on disk.
+ *
+ * Phase A spawned `agentmemory` as a host child process and recorded its PID
+ * at `~/.olam/memory.pid` + stdout/stderr at `~/.olam/memory-service.log`.
+ * Phase B repoints `olam memory start` at the Docker substrate (this skill's
+ * `MemoryServiceContainerController`); the legacy pidfile + log become orphan
+ * artefacts the moment the new substrate runs.
+ *
+ * This helper is called from `runMemoryStart` / `runMemoryStop` (B1 / B2) BEFORE
+ * the substrate handoff so operators upgrading from the host-process model
+ * never have to manually clean up.
+ *
+ * PID-reuse defence (T2 mitigation). A stale pidfile can record a PID that
+ * the OS has since recycled to an unrelated process. SIGTERMing the wrong PID
+ * is a foot-gun. Defence:
+ *   1. If pidfile is absent → no-op.
+ *   2. If recorded PID is dead (kill(0) throws ESRCH) → unlink pidfile only.
+ *   3. If recorded PID is alive BUT `ps -p <pid> -o comm=` doesn't return
+ *      `node` (the legacy host-process was always a node child) → unlink
+ *      pidfile WITHOUT signalling. Logs a warning so support can diagnose.
+ *   4. Only when PID is alive AND comm=node → SIGTERM, wait up to 5s,
+ *      SIGKILL on timeout, then unlink.
+ *
+ * Plan reference: docs/plans/memory-service-as-docker-peripheral/phase-b-tasks.md B5
+ */
+import { existsSync, readFileSync, unlinkSync } from 'node:fs';
+import { spawnSync } from 'node:child_process';
+import { MEMORY_PID_PATH, MEMORY_LOG_PATH } from '../commands/memory/_paths.js';
+const KILL_TIMEOUT_MS = 5_000;
+/**
+ * Detect + clean up legacy host-process state. Idempotent — safe to call on
+ * every `olam memory start` / `olam memory stop` invocation; no-op when no
+ * legacy artefacts present.
+ *
+ * Side effects (only when artefacts present):
+ *   - Unlink `~/.olam/memory.pid` if it exists.
+ *   - Send SIGTERM (then SIGKILL on timeout) to the recorded PID iff it's
+ *     alive AND its comm name is `node` (the legacy spawn shape).
+ *   - Leave `~/.olam/memory-service.log` in place by default — operators
+ *     may want to inspect it post-migration. Pass `{ removeLog: true }` to
+ *     remove it explicitly (B2's stop path uses this).
+ */
+export function migrateFromHostProcess(opts = {}) {
+    const pidPath = opts.pidPath ?? MEMORY_PID_PATH;
+    const logPath = opts.logPath ?? MEMORY_LOG_PATH;
+    const pidfileExists = existsSync(pidPath);
+    const logExists = existsSync(logPath);
+    if (!pidfileExists && !logExists) {
+        return { cleaned: false, summary: 'no legacy host-process state to clean' };
+    }
+    const events = [];
+    if (pidfileExists) {
+        const pid = readPidFromFile(pidPath);
+        if (pid === null) {
+            // Pidfile exists but is unparseable — just unlink.
+            unlinkSync(pidPath);
+            events.push('unlinked unparseable ~/.olam/memory.pid');
+        }
+        else if (!isProcessAlive(pid)) {
+            // Recorded PID is dead — clean unlink with no signalling.
+            unlinkSync(pidPath);
+            events.push(`unlinked stale ~/.olam/memory.pid (pid ${pid} not alive)`);
+        }
+        else {
+            // PID is alive — check comm name before signalling.
+            const comm = processCommName(pid);
+            if (comm !== 'node') {
+                // PID-reuse case: alive but not our process. Unlink WITHOUT signalling.
+                unlinkSync(pidPath);
+                events.push(`unlinked ~/.olam/memory.pid without signal (pid ${pid} comm=${comm ?? 'unknown'}, not node — assumed PID-reuse, defensive skip)`);
+            }
+            else {
+                // Our process — terminate gracefully.
+                const terminated = terminateProcess(pid);
+                unlinkSync(pidPath);
+                events.push(terminated
+                    ? `terminated legacy host-process pid ${pid} (SIGTERM) + unlinked pidfile`
+                    : `terminated legacy host-process pid ${pid} (SIGKILL after timeout) + unlinked pidfile`);
+            }
+        }
+    }
+    if (logExists && opts.removeLog) {
+        unlinkSync(logPath);
+        events.push('removed legacy ~/.olam/memory-service.log');
+    }
+    else if (logExists) {
+        events.push('left ~/.olam/memory-service.log in place (inspectable; pass {removeLog:true} to remove)');
+    }
+    return { cleaned: true, summary: events.join('; ') };
+}
+function readPidFromFile(pidPath) {
+    try {
+        const raw = readFileSync(pidPath, 'utf8').trim();
+        const pid = parseInt(raw, 10);
+        if (!Number.isFinite(pid) || pid <= 0)
+            return null;
+        return pid;
+    }
+    catch {
+        return null;
+    }
+}
+function isProcessAlive(pid) {
+    try {
+        // signal 0 doesn't deliver; just tests existence + permission
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Read the comm name of a process via `ps -p <pid> -o comm=`. Returns null
+ * on any error (process gone, ps not available, etc.) — the caller treats
+ * null as "don't signal," which is the safe default.
+ */
+function processCommName(pid) {
+    const r = spawnSync('ps', ['-p', String(pid), '-o', 'comm='], { encoding: 'utf-8' });
+    if (r.status !== 0)
+        return null;
+    const comm = r.stdout.trim();
+    // `ps` may return a full path (e.g. `/usr/local/bin/node`); take basename.
+    return comm.split('/').pop() ?? null;
+}
+/**
+ * SIGTERM the PID; wait up to 5s for it to exit; SIGKILL on timeout.
+ * Returns true if SIGTERM was sufficient, false if SIGKILL was needed.
+ */
+function terminateProcess(pid) {
+    try {
+        process.kill(pid, 'SIGTERM');
+    }
+    catch {
+        // Already dead between the comm-check and now; nothing to do.
+        return true;
+    }
+    const deadline = Date.now() + KILL_TIMEOUT_MS;
+    while (Date.now() < deadline) {
+        if (!isProcessAlive(pid))
+            return true;
+        // Busy-spin sleep — node:fs is synchronous; no async helper here.
+        spawnSync('sleep', ['0.1']);
+    }
+    // Still alive after timeout — escalate.
+    try {
+        process.kill(pid, 'SIGKILL');
+    }
+    catch {
+        // race: died between probe and SIGKILL
+    }
+    return false;
+}
+//# sourceMappingURL=memory-host-process-migration.js.map

package/dist/lib/memory-host-process-migration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"memory-host-process-migration.js","sourceRoot":"","sources":["../../src/lib/memory-host-process-migration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAkBhF,MAAM,eAAe,GAAG,KAAK,CAAC;AAE9B;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAyB,EAAE;IAChE,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,eAAe,CAAC;IAChD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,eAAe,CAAC;IAChD,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAEtC,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS,EAAE,CAAC;QACjC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC;IAC9E,CAAC;IAED,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,GAAG,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACjB,mDAAmD;YACnD,UAAU,CAAC,OAAO,CAAC,CAAC;YACpB,MAAM,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;QACzD,CAAC;aAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,0DAA0D;YAC1D,UAAU,CAAC,OAAO,CAAC,CAAC;YACpB,MAAM,CAAC,IAAI,CAAC,0CAA0C,GAAG,aAAa,CAAC,CAAC;QAC1E,CAAC;aAAM,CAAC;YACN,oDAAoD;YACpD,MAAM,IAAI,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACpB,wEAAwE;gBACxE,UAAU,CAAC,OAAO,CAAC,CAAC;gBACpB,MAAM,CAAC,IAAI,CACT,mDAAmD,GAAG,SAAS,IAAI,IAAI,SAAS,iDAAiD,CAClI,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,sCAAsC;gBACtC,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;gBACzC,UAAU,CAAC,OAAO,CAAC,CAAC;gBACpB,MAAM,CAAC,IAAI,CACT,UAAU;oBACR,CAAC,CAAC,sCAAsC,GAAG,+BAA+B;oBAC1E,CAAC,CAAC,sCAAsC,GAAG,6CAA6C,CAC3F,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,SAAS,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QAChC,UAAU,CAAC,OAAO,CAAC,CAAC;QACpB,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;IAC3D,CAAC;SAAM,IAAI,SAAS,EAAE,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,yFAAyF,CAAC,CAAC;IACzG,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;AACvD,CAAC;AAED,SAAS,eAAe,CAAC,OAAe;IACtC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACnD,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,IAAI,CAAC;QACH,8DAA8D;QAC9D,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;IACrF,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAChC,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC7B,2EAA2E;IAC3E,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,IAAI,CAAC;QACH,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,8DAA8D;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC;IAC9C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACtC,kEAAkE;QAClE,SAAS,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,wCAAwC;IACxC,IAAI,CAAC;QACH,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,uCAAuC;IACzC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/lib/upgrade-kubernetes.d.ts

@@ -23,6 +23,8 @@
  *   D27 — audit log entry (phase2.flag_removed) emitted per upgrade run
  *
  * Step order (Phase D — kubernetes substrate, Phase 2 GA):
+ *   0.4  R3-C create/update ghcr-pull imagePullSecret in olam namespace (when GH_TOKEN available)
+ *   0.5  D4 k3d node docker socket bind-mount preflight (Decision #11 backward-compat surface)
  *   0    probeKubernetesApiReachable — 5s timeout kubectl cluster-info
  *   1    D10 context-allowlist + OLAM_K8S_CONTEXT_ACK strict-equality byte-for-byte
  *   2    D12 Secret pre-check (olam-host-cp-secret; base64-decode; key-name check)
@@ -44,6 +46,7 @@ import { kubectlWrap } from './kubectl-wrap.js';
 import { spawnPortForward, spawnAllPeripheralPortForwards, probePortForwardLiveness, type PortForwardDeps, type PeripheralPortForwardDeps } from './port-forward.js';
 import { emitUpgradeComplete, type EmitOpts } from './instrumentation.js';
 import { runManifestRefresh, seedManifestsFromBundle, type SeedManifestsDeps } from './manifest-refresh.js';
+import { ensureK8sBootstrap, type BootstrapDeps as K8sBootstrapDeps } from './k8s-bootstrap.js';
 export declare const OLAM_K8S_MANIFESTS_DIR: string;
 export declare const K8S_NAMESPACE = "olam";
 export declare const HOST_CP_SECRET_NAME = "olam-host-cp-secret";
@@ -99,10 +102,49 @@ export interface UpgradeKubernetesDeps {
      * Tests inject a mock to avoid real kubectl invocations.
      */
     readonly checkDockerSocketImpl?: (context: string) => Promise<boolean>;
+    /**
+     * B3: override config path passed to resolveKubectlContext (tests use a
+     * tmpdir fixture). Defaults to the real ~/.olam/config.json.
+     */
+    readonly configPath?: string;
+    /**
+     * B4: override the k8s-bootstrap step (tests inject a mock so kubectl
+     * isn't called). When omitted defaults to the real `ensureK8sBootstrap`.
+     */
+    readonly k8sBootstrapImpl?: typeof ensureK8sBootstrap;
+    /** B4: pass-through deps for `ensureK8sBootstrap`. */
+    readonly k8sBootstrapDeps?: K8sBootstrapDeps;
+    /**
+     * B3/step 0.4: override the GH token value for tests.
+     * When `ghTokenOverrideActive` is true AND `ghTokenOverride` is undefined,
+     * the step treats GH_TOKEN as absent (skipped path). When `ghTokenOverride`
+     * is a string, that string is used as the token regardless of env/config.
+     * When `ghTokenOverrideActive` is falsy (default), real env/config is used.
+     */
+    readonly ghTokenOverride?: string;
+    readonly ghTokenOverrideActive?: boolean;
+    /**
+     * Phase D D4: override for k3d node mount detection (step 0.5 preflight).
+     * Returns 'new-form' when /host-colima/ bind is present (correct),
+     * 'old-form' when /var/run/docker.sock direct file-bind is present (broken on colima),
+     * or 'none' when neither is detectable (non-k3d or bare k3s cluster — warn only).
+     * Tests inject a mock to avoid real `docker inspect` invocations.
+     */
+    readonly checkK3dNodeMountsImpl?: () => Promise<'new-form' | 'old-form' | 'none'>;
 }
 export interface UpgradeKubernetesOpts {
     readonly forceRefreshManifests?: boolean;
     readonly acceptSecurityRegression?: boolean;
+    /** B4/B5: regenerate all rendered Secret values (overwrites k8s-secrets-state.json). */
+    readonly rotateSecrets?: boolean;
+    /**
+     * B4: run the namespace + RBAC + secret bootstrap step BEFORE step 1.
+     * Default is `false` for direct lib callers (preserves existing test
+     * ordering invariants); the CLI command in `upgrade.ts` passes `true` so
+     * npm-only operators get the bootstrap automatically. Operators who
+     * manage secrets out-of-band (GitOps) can disable via `--skip-k8s-bootstrap`.
+     */
+    readonly runK8sBootstrap?: boolean;
 }
 export interface UpgradeKubernetesResult {
     readonly exitCode: number;

package/dist/lib/upgrade-kubernetes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"upgrade-kubernetes.d.ts","sourceRoot":"","sources":["../../src/lib/upgrade-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAQ9B,OAAO,EAAE,WAAW,EAAwB,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,wBAAwB,EAAE,KAAK,eAAe,EAAE,KAAK,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AACrK,OAAO,EAAE,mBAAmB,EAAE,KAAK,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAA4B,KAAK,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAItI,eAAO,MAAM,sBAAsB,QAA2C,CAAC;AAC/E,eAAO,MAAM,aAAa,SAAS,CAAC;AACpC,eAAO,MAAM,mBAAmB,wBAAwB,CAAC;AACzD,eAAO,MAAM,uBAAuB,iBAAiB,CAAC;AACtD,eAAO,MAAM,mBAAmB,yBAAyB,CAAC;AAC1D,eAAO,MAAM,kBAAkB,kCAAkC,CAAC;AAElE,oDAAoD;AACpD,eAAO,MAAM,mBAAmB,QAAqD,CAAC;AAwItF,MAAM,WAAW,qBAAqB;IACpC,uCAAuC;IACvC,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IAC9C,2CAA2C;IAC3C,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,gBAAgB,CAAC;IACxD,yDAAyD;IACzD,QAAQ,CAAC,kCAAkC,CAAC,EAAE,OAAO,8BAA8B,CAAC;IACpF,mDAAmD;IACnD,QAAQ,CAAC,4BAA4B,CAAC,EAAE,OAAO,wBAAwB,CAAC;IACxE,wDAAwD;IACxD,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5E,8CAA8C;IAC9C,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,mBAAmB,CAAC;IAC/C,2CAA2C;IAC3C,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,kBAAkB,CAAC;IACzD,2CAA2C;IAC3C,QAAQ,CAAC,iBAAiB,CAAC,EAAE,OAAO,uBAAuB,CAAC;IAC5D,sFAAsF;IACtF,QAAQ,CAAC,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IAC/C,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,yEAAyE;IACzE,QAAQ,CAAC,eAAe,CAAC,EAAE,eAAe,CAAC;IAC3C,iGAAiG;IACjG,QAAQ,CAAC,yBAAyB,CAAC,EAAE,yBAAyB,CAAC;IAC/D,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC;IAC7B,iCAAiC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,iCAAiC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,oEAAoE;IACpE,QAAQ,CAAC,gBAAgB,CAAC,EAAE,OAAO,EAAE,CAAC,YAAY,CAAC;IACnD,yDAAyD;IACzD,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,MAAM,CAAC;IAChC;;;;OAIG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAChE;;;;OAIG;IACH,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CACxE;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,OAAO,CAAC;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAgTD;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,GAAE,qBAA0B,EAChC,IAAI,GAAE,qBAA0B,GAC/B,OAAO,CAAC,uBAAuB,CAAC,CA2UlC"}
+{"version":3,"file":"upgrade-kubernetes.d.ts","sourceRoot":"","sources":["../../src/lib/upgrade-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAQ9B,OAAO,EAAE,WAAW,EAAwB,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,wBAAwB,EAAE,KAAK,eAAe,EAAE,KAAK,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AACrK,OAAO,EAAE,mBAAmB,EAAE,KAAK,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAA4B,KAAK,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAItI,OAAO,EAAE,kBAAkB,EAAE,KAAK,aAAa,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEhG,eAAO,MAAM,sBAAsB,QAA2C,CAAC;AAC/E,eAAO,MAAM,aAAa,SAAS,CAAC;AACpC,eAAO,MAAM,mBAAmB,wBAAwB,CAAC;AACzD,eAAO,MAAM,uBAAuB,iBAAiB,CAAC;AACtD,eAAO,MAAM,mBAAmB,yBAAyB,CAAC;AAC1D,eAAO,MAAM,kBAAkB,kCAAkC,CAAC;AAElE,oDAAoD;AACpD,eAAO,MAAM,mBAAmB,QAAqD,CAAC;AAkJtF,MAAM,WAAW,qBAAqB;IACpC,uCAAuC;IACvC,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IAC9C,2CAA2C;IAC3C,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,gBAAgB,CAAC;IACxD,yDAAyD;IACzD,QAAQ,CAAC,kCAAkC,CAAC,EAAE,OAAO,8BAA8B,CAAC;IACpF,mDAAmD;IACnD,QAAQ,CAAC,4BAA4B,CAAC,EAAE,OAAO,wBAAwB,CAAC;IACxE,wDAAwD;IACxD,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5E,8CAA8C;IAC9C,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,mBAAmB,CAAC;IAC/C,2CAA2C;IAC3C,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,kBAAkB,CAAC;IACzD,2CAA2C;IAC3C,QAAQ,CAAC,iBAAiB,CAAC,EAAE,OAAO,uBAAuB,CAAC;IAC5D,sFAAsF;IACtF,QAAQ,CAAC,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IAC/C,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,yEAAyE;IACzE,QAAQ,CAAC,eAAe,CAAC,EAAE,eAAe,CAAC;IAC3C,iGAAiG;IACjG,QAAQ,CAAC,yBAAyB,CAAC,EAAE,yBAAyB,CAAC;IAC/D,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC;IAC7B,iCAAiC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,iCAAiC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,oEAAoE;IACpE,QAAQ,CAAC,gBAAgB,CAAC,EAAE,OAAO,EAAE,CAAC,YAAY,CAAC;IACnD,yDAAyD;IACzD,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,MAAM,CAAC;IAChC;;;;OAIG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAChE;;;;OAIG;IACH,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IACvE;;;OAGG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,OAAO,kBAAkB,CAAC;IACtD,sDAAsD;IACtD,QAAQ,CAAC,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAC7C;;;;;;OAMG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC;;;;;;OAMG;IACH,QAAQ,CAAC,sBAAsB,CAAC,EAAE,MAAM,OAAO,CAAC,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC,CAAC;CACnF;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAC5C,wFAAwF;IACxF,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;OAMG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;CACpC;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAkdD;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,GAAE,qBAA0B,EAChC,IAAI,GAAE,qBAA0B,GAC/B,OAAO,CAAC,uBAAuB,CAAC,CAmalC"}

package/dist/lib/upgrade-kubernetes.js

@@ -23,6 +23,8 @@
  *   D27 — audit log entry (phase2.flag_removed) emitted per upgrade run
  *
  * Step order (Phase D — kubernetes substrate, Phase 2 GA):
+ *   0.4  R3-C create/update ghcr-pull imagePullSecret in olam namespace (when GH_TOKEN available)
+ *   0.5  D4 k3d node docker socket bind-mount preflight (Decision #11 backward-compat surface)
  *   0    probeKubernetesApiReachable — 5s timeout kubectl cluster-info
  *   1    D10 context-allowlist + OLAM_K8S_CONTEXT_ACK strict-equality byte-for-byte
  *   2    D12 Secret pre-check (olam-host-cp-secret; base64-decode; key-name check)
@@ -53,6 +55,8 @@ import { emitUpgradeComplete } from './instrumentation.js';
 import { runManifestRefresh, seedManifestsFromBundle } from './manifest-refresh.js';
 import { OLAM_HOME, OLAM_STATE_DIR } from './config.js';
 import { PERIPHERALS } from './peripheral-registry.js';
+import { resolveKubectlContext } from './kubectl-context.js';
+import { ensureK8sBootstrap } from './k8s-bootstrap.js';
 export const OLAM_K8S_MANIFESTS_DIR = path.join(OLAM_HOME, 'k8s', 'manifests');
 export const K8S_NAMESPACE = 'olam';
 export const HOST_CP_SECRET_NAME = 'olam-host-cp-secret';
@@ -80,10 +84,20 @@ const PERIPHERAL_SECRETS = [
 const K8S_DNS_SUFFIX = 'olam.svc.cluster.local';
 /**
  * Build the K8s in-cluster DNS URL for a peripheral service.
- * Form: http://<k8sServiceName>.olam.svc.cluster.local:<port>
+ * Form: http://olam-<k8sServiceName>.olam.svc.cluster.local:<port>
+ *
+ * All olam peripheral k8s Services are named `olam-<short-name>` in the
+ * manifests (e.g. `olam-auth-service` not `auth-service`). The PERIPHERALS
+ * registry stores the short name in `k8sServiceName` for use by port-forward
+ * (which already works). Here we always prepend `olam-` because the DNS
+ * hostname MUST match the Service metadata.name in 60-service.yaml.
+ *
+ * C3 (R3-F): fix — previous form `http://auth-service.olam.svc.cluster.local`
+ * resolved to nothing; correct form is `http://olam-auth-service.olam.svc.cluster.local`.
  */
 function buildK8sDnsUrl(k8sServiceName, port) {
-    return `http://${k8sServiceName}.${K8S_DNS_SUFFIX}:${port}`;
+    const prefixed = k8sServiceName.startsWith('olam-') ? k8sServiceName : `olam-${k8sServiceName}`;
+    return `http://${prefixed}.${K8S_DNS_SUFFIX}:${port}`;
 }
 /**
  * Append a JSONL audit entry to the substrate audit log (D18).
@@ -392,6 +406,140 @@ async function verifyHealthHeader(deps) {
         return { ok: false, engineHeader: null };
     }
 }
+/**
+ * Step 0.4 — R3-C: create/update ghcr-pull imagePullSecret (Decision R3-#3).
+ *
+ * Creates a kubernetes.io/dockerconfigjson Secret named `ghcr-pull` in the
+ * `olam` namespace so all 5 Deployment specs (host-cp + 4 peripherals) can
+ * pull private images from ghcr.io/pleri/* without anonymous rate limits.
+ *
+ * Token resolution order:
+ *   1. deps.ghTokenOverride (test injection — ghTokenOverrideActive must be true)
+ *   2. host.gh_token in ~/.olam/config.json (operator config, not yet wired here —
+ *      future: read via resolveKubectlContext deps; skipped for Phase B scope)
+ *   3. GH_TOKEN environment variable
+ *
+ * Returns { skipped: true } when no token is available (not a hard failure —
+ * operators without a GH token fall back to anonymous pulls which may rate-limit).
+ *
+ * Idempotent: `kubectl apply -f -` (stdin) is a no-op when the Secret already
+ * exists with the same content (kubectl reports "configured" or "unchanged").
+ */
+async function createGhcrPullSecret(context, deps, stderr) {
+    // Resolve GH token from override (test injection) or environment.
+    let ghToken;
+    if (deps.ghTokenOverrideActive === true) {
+        ghToken = deps.ghTokenOverride;
+    }
+    else {
+        ghToken = process.env['GH_TOKEN'];
+    }
+    if (!ghToken) {
+        stderr.write(`${pc.yellow('[warn]')} GH_TOKEN not found — skipping ghcr-pull Secret creation.\n` +
+            `  Image pulls from ghcr.io/pleri/* will use anonymous access (may rate-limit).\n` +
+            `  Set GH_TOKEN env var or add host.gh_token to ~/.olam/config.json to enable.\n`);
+        return { skipped: true, reason: 'no GH_TOKEN in env or config' };
+    }
+    const dockerConfigJson = JSON.stringify({
+        auths: {
+            'ghcr.io': {
+                auth: Buffer.from(`pleri:${ghToken}`).toString('base64'),
+            },
+        },
+    });
+    const secretManifest = {
+        apiVersion: 'v1',
+        kind: 'Secret',
+        type: 'kubernetes.io/dockerconfigjson',
+        metadata: { name: 'ghcr-pull', namespace: K8S_NAMESPACE },
+        data: {
+            '.dockerconfigjson': Buffer.from(dockerConfigJson).toString('base64'),
+        },
+    };
+    const secretYaml = JSON.stringify(secretManifest); // kubectl apply accepts JSON as YAML
+    const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    const result = await wrap(['--context', context, 'apply', '-f', '-'], { timeout: 30_000, stdin: secretYaml });
+    if (!result.ok) {
+        return { skipped: false, reason: `kubectl apply ghcr-pull failed: ${result.stderr.split('\n')[0] ?? ''}` };
+    }
+    return { skipped: false };
+}
+/** k3d node container name olam uses by convention. */
+const K3D_NODE_CONTAINER = 'k3d-olam-host-server-0';
+/**
+ * Default implementation: run `docker inspect k3d-olam-host-server-0` and
+ * scan the Mounts array to determine which bind form is in use.
+ *
+ * Returns:
+ *   'new-form' — /host-colima/ bind present (correct form per Phase B B1)
+ *   'old-form' — /var/run/docker.sock direct file-bind present (broken on colima, R3-A)
+ *   'none'     — container not found or neither bind detectable (non-k3d / bare k3s)
+ */
+async function defaultCheckK3dNodeMounts() {
+    const { execFile } = await import('node:child_process');
+    const { promisify } = await import('node:util');
+    const execFileAsync = promisify(execFile);
+    try {
+        const { stdout } = await execFileAsync('docker', ['inspect', K3D_NODE_CONTAINER, '--format', '{{json .HostConfig.Binds}}'], { timeout: 8_000 });
+        const binds = JSON.parse(stdout.trim());
+        if (!Array.isArray(binds))
+            return 'none';
+        // New form: bind contains /host-colima/ (directory bind from Phase B B1).
+        if (binds.some((b) => b.includes('/host-colima/')))
+            return 'new-form';
+        // Old form: bind contains /var/run/docker.sock as a file source (R3-A broken form).
+        if (binds.some((b) => b.startsWith('/var/run/docker.sock:')))
+            return 'old-form';
+        return 'none';
+    }
+    catch {
+        // Container not found, docker unavailable, or JSON parse error — treat as non-k3d.
+        return 'none';
+    }
+}
+/**
+ * Step 0.5 — Phase D D4: k3d node docker socket bind-mount preflight (Decision #11).
+ *
+ * Detects whether the k3d-olam-host cluster was created with the correct
+ * `--volume "$HOME/.colima/default/:/host-colima/@server:*"` bind (new form,
+ * Phase B B1) or the old `--volume /var/run/docker.sock:/var/run/docker.sock`
+ * direct file-bind (broken on colima, R3-A).
+ *
+ * - 'new-form' → proceed (correct)
+ * - 'old-form' → hard error with actionable Decision #11 recreate command
+ * - 'none'     → WARN only (non-k3d or bare k3s without socket bind; may work)
+ *
+ * Runs ONLY on kubernetes substrate. The check is host-side (`docker inspect`)
+ * so it can fire BEFORE any kubectl apply (pre-step 0b runs AFTER cluster is
+ * deployed; this runs BEFORE step 0 so fresh-install operators catch the
+ * broken bind before wasting a full upgrade attempt).
+ *
+ * Returns null on pass/warn (upgrade should continue);
+ * returns error message string on hard failure (upgrade should abort).
+ */
+async function preflightK3dNodeMounts(deps, stderr) {
+    const check = deps.checkK3dNodeMountsImpl ?? defaultCheckK3dNodeMounts;
+    const form = await check();
+    if (form === 'new-form') {
+        // Correct bind — proceed silently.
+        return null;
+    }
+    if (form === 'old-form') {
+        // Decision #11 backward-compat error: operator must recreate the cluster.
+        return (`Your k3d cluster was created with the old --volume form which fails on colima.\n` +
+            `  Recreate the cluster with:\n` +
+            `    k3d cluster delete olam-host\n` +
+            `    k3d cluster create olam-host --volume "$HOME/.colima/default/:/host-colima/@server:*"\n` +
+            `  Then re-run olam upgrade.`);
+    }
+    // 'none': k3d node container not found or non-k3d cluster (bare k3s, minikube, etc.).
+    // Emit WARN only — we cannot detect the bind on non-k3d setups, so do not block.
+    stderr.write(`${pc.yellow('[warn]')} step 0.5: k3d node container "${K3D_NODE_CONTAINER}" not found or bind form undetectable.\n` +
+        `  This is expected on non-k3d clusters (bare k3s, minikube). Continuing.\n` +
+        `  On colima+k3d: ensure the cluster was created with:\n` +
+        `    k3d cluster create olam-host --volume "$HOME/.colima/default/:/host-colima/@server:*"\n`);
+    return null;
+}
 /**
  * Main entrypoint for the kubernetes upgrade path.
  *
@@ -418,6 +566,68 @@ export async function runUpgradeKubernetes(opts = {}, deps = {}) {
         }
         // skipped: dir exists or bundle absent (dev context) — no output, continue.
     }
+    // ── Step 0.4: R3-C — create/update ghcr-pull imagePullSecret ────────
+    // Runs BEFORE probeKubernetesApiReachable because the Secret creation itself
+    // requires API access. Placed after manifest seed so manifests (which include
+    // imagePullSecrets: [{name: ghcr-pull}]) are on disk before step 3 applies them.
+    //
+    // Context resolution: step 0.4 runs before the B3 context-resolution block, so
+    // we resolve a preliminary context here. The canonical resolution happens at
+    // pre-step 0a-prelude and is used for all subsequent steps. This duplicate
+    // resolution is acceptable — step 0.4 is additive and does not replace B3.
+    {
+        const preliminaryResolved = resolveKubectlContext(deps.configPath);
+        if (preliminaryResolved.error === undefined) {
+            const preliminaryContext = preliminaryResolved.context;
+            const step04Spinner = ora('Creating ghcr-pull imagePullSecret (R3-C)').start();
+            const pullSecretResult = await createGhcrPullSecret(preliminaryContext, deps, stderr);
+            if (pullSecretResult.skipped) {
+                step04Spinner.warn(`ghcr-pull Secret skipped: ${pullSecretResult.reason ?? 'no token'}`);
+            }
+            else if (pullSecretResult.reason) {
+                // kubectl apply failed — warn but do not abort. Rollout will fail on 401
+                // image pull if the secret is needed, which surfaces a clear error.
+                const warnMsg = `ghcr-pull Secret apply failed (continuing): ${pullSecretResult.reason}`;
+                step04Spinner.warn(warnMsg);
+                stderr.write(`${pc.yellow('[warn]')} ${warnMsg}\n`);
+            }
+            else {
+                step04Spinner.succeed('ghcr-pull imagePullSecret created/updated');
+            }
+        }
+        // If context resolution fails here, step 0a-prelude will catch and abort below.
+    }
+    // ── Step 0.5: D4 — k3d node docker socket bind-mount preflight (Decision #11) ──
+    // Runs BEFORE API reachability (step 0) so operators on a mis-configured k3d
+    // cluster get an actionable error before wasting a full upgrade attempt.
+    // Only meaningful on k3d clusters where the node container is named
+    // k3d-olam-host-server-0. Non-k3d clusters emit WARN and proceed.
+    {
+        const step05Error = await preflightK3dNodeMounts(deps, stderr);
+        if (step05Error !== null) {
+            stderr.write(`${pc.red('error:')} ${step05Error}\n`);
+            return { exitCode: 1, summary: 'k3d node bind-mount preflight failed (Decision #11)' };
+        }
+    }
+    // ── Pre-step 0a-prelude: B3 — resolve kubectl context ONCE (config + env) ──
+    // The context is needed by ALL kubectl-invoking pre-steps and steps below.
+    // Resolution policy lives in `kubectl-context.ts` (single source of truth):
+    //   1. host.kubectl_context_pinned from ~/.olam/config.json (preferred)
+    //   2. OLAM_K8S_CONTEXT_ACK env var (deprecated, emits warning)
+    //   3. neither → error with actionable remediation
+    //
+    // Pre-B3 bug: step 0 read OLAM_K8S_CONTEXT_ACK directly and fell back to
+    // 'default' when unset, so operators who had only pinned the config got
+    // cryptic `cluster-info failed` failures pointing at the wrong remediation.
+    const resolved = resolveKubectlContext(deps.configPath);
+    if (resolved.error !== undefined) {
+        stderr.write(`${pc.red('error:')} ${resolved.error}\n`);
+        return { exitCode: 1, summary: 'kubectl context not configured' };
+    }
+    const pinnedContext = resolved.context;
+    if (resolved.deprecationWarning !== undefined) {
+        stderr.write(`${pc.yellow('[warn]')} ${resolved.deprecationWarning}\n`);
+    }
     // ── Pre-step 0a: D6 — managed-k8s context refusal (Decision #18) ──────
     // Detects managed-k8s cluster server URL patterns and refuses BEFORE any
     // kubectl apply. Fail-open: unrecognized cluster URLs proceed normally.
@@ -440,11 +650,10 @@ export async function runUpgradeKubernetes(opts = {}, deps = {}) {
     // Note: only meaningful when host-cp is already deployed. On a fresh install
     // the pod doesn't exist yet — kubectl exec will fail gracefully (WARN only).
     {
-        const preflightContext = process.env.OLAM_K8S_CONTEXT_ACK ?? 'default';
-        const socketAccessible = await checkDockerSocketAccessible(preflightContext, deps);
+        const socketAccessible = await checkDockerSocketAccessible(pinnedContext, deps);
         if (!socketAccessible) {
             // Issue #713: emit a cluster-type-aware remedy (colima vs k3d).
-            const clusterType = defaultDetectK8sClusterType(preflightContext);
+            const clusterType = defaultDetectK8sClusterType(pinnedContext);
             const remedyText = buildDockerSocketRemedy(clusterType)
                 .split('\n')
                 .map((line) => `  ${line}`)
@@ -460,33 +669,58 @@ export async function runUpgradeKubernetes(opts = {}, deps = {}) {
     }
     // ── Step 0: D22 — probe Kubernetes API reachability (5s) ─────────
     const step0Spinner = ora('Probing Kubernetes API reachability').start();
-    const context = process.env.OLAM_K8S_CONTEXT_ACK ?? '';
-    // We need a context for the probe — use the env var if set, else try default.
-    // The full context validation happens at step 1.
-    const probeContext = context.length > 0 ? context : 'default';
-    const reachable = await probeKubernetesApiReachable(probeContext, deps);
+    const reachable = await probeKubernetesApiReachable(pinnedContext, deps);
     if (!reachable) {
         step0Spinner.fail('Kubernetes API not reachable');
-        stderr.write(`${pc.red('error:')} kubectl cluster-info failed (5s timeout).\n` +
-            `  Ensure your kubectl context is correct and the cluster is reachable.\n` +
-            `  Set OLAM_K8S_CONTEXT_ACK=<context-name> to your active kubectl context.\n`);
+        stderr.write(`${pc.red('error:')} kubectl cluster-info failed (5s timeout) for context ${pc.bold(pinnedContext)}.\n` +
+            `  Ensure the cluster is reachable for this context, or update host.kubectl_context_pinned\n` +
+            `  in ~/.olam/config.json to a working context.\n`);
         return { exitCode: 1, summary: 'kubernetes api not reachable' };
     }
     step0Spinner.succeed('Kubernetes API reachable');
-    // ── Step 1: D10 — context-allowlist + OLAM_K8S_CONTEXT_ACK ───────
+    // ── Step 0.5: B4 — ensureK8sBootstrap ────────────────────────────
+    // Apply namespace + RBAC + ConfigMap + PVC + Secret set BEFORE the
+    // existing 8-step flow's step 2 Secret pre-check. Without this an npm-only
+    // operator running `olam upgrade --substrate=kubernetes` against a fresh
+    // cluster hit "namespaces \"olam\" not found" / "Secret olam-host-cp-secret
+    // not found". Idempotent: reapply on subsequent runs reuses tokens from
+    // ~/.olam/k8s-secrets-state.json so worlds with cached values don't break.
+    // --rotate-secrets opts in to fresh value generation.
+    if (opts.runK8sBootstrap === true) {
+        const step05Spinner = ora('Bootstrapping olam namespace + RBAC + secrets (B4)').start();
+        const bootstrapImpl = deps.k8sBootstrapImpl ?? ensureK8sBootstrap;
+        // Thread the same kubectlWrap that the rest of upgrade-kubernetes uses so
+        // existing tests that inject `kubectlWrapImpl` don't reach the real kubectl
+        // binary via the bootstrap module's default.
+        const bootstrap = await bootstrapImpl({
+            context: pinnedContext,
+            namespace: K8S_NAMESPACE,
+            rotateSecrets: opts.rotateSecrets === true,
+        }, {
+            kubectlWrapImpl: deps.kubectlWrapImpl,
+            ...(deps.k8sBootstrapDeps ?? {}),
+        });
+        if (bootstrap.exitCode !== 0) {
+            step05Spinner.fail('k8s bootstrap failed');
+            stderr.write(`${pc.red('error:')} ${bootstrap.error ?? 'unknown bootstrap error'}\n`);
+            return { exitCode: 1, summary: 'k8s bootstrap failed' };
+        }
+        const appliedCount = bootstrap.result.applied.length;
+        const skippedCount = bootstrap.result.skipped.length;
+        const note = skippedCount > 0 ? ` (${skippedCount} skipped — see warnings above)` : '';
+        step05Spinner.succeed(`k8s bootstrap: ${appliedCount} applied${note}`);
+    }
+    // ── Step 1: D10 — context-allowlist validation ───────────────────
+    // The context was already resolved (config-first, env-fallback) before
+    // pre-step 0a. Step 1 keeps the D10 allowlist gate + the audit WARN so
+    // observability of which context is being used is preserved.
     const step1Spinner = ora('Verifying kubectl context (D10)').start();
-    // OLAM_K8S_CONTEXT_ACK is byte-for-byte, no trim, no case-fold (D10).
-    const ackValue = process.env.OLAM_K8S_CONTEXT_ACK ?? '';
-    if (ackValue.length === 0 || !isContextAllowed(ackValue)) {
-        step1Spinner.fail('Context ACK missing or disallowed');
-        stderr.write(`${pc.red('error:')} OLAM_K8S_CONTEXT_ACK is not set or empty.\n` +
-            `  Set it to your kubectl context name (byte-for-byte match):\n` +
-            `    export OLAM_K8S_CONTEXT_ACK=<your-context-name>\n` +
+    if (!isContextAllowed(pinnedContext)) {
+        step1Spinner.fail('Context disallowed');
+        stderr.write(`${pc.red('error:')} kubectl context ${pc.bold(pinnedContext)} is not allowed by the D10 allowlist.\n` +
             `  See GATES.md G-001 for the context-allowlist requirement.\n`);
-        return { exitCode: 1, summary: 'context ack not set' };
+        return { exitCode: 1, summary: 'context disallowed' };
     }
-    // Capture the pinned context name (byte-for-byte, as provided).
-    const pinnedContext = ackValue;
     // Audit WARN on bypass (D10: operator explicitly acknowledged a potentially unsafe context).
     process.stderr.write(`${pc.yellow('[WARN]')} OLAM_K8S_UNSAFE_CONTEXT_ACK ctx=${pinnedContext}\n`);
     step1Spinner.succeed(`Context pinned: ${pc.bold(pinnedContext)}`);