@pleri/olam-cli 0.1.152 → 0.1.157

package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml

@@ -43,6 +43,10 @@ spec:
       # B9 (round 2 recovery): disable k8s automatic Service env injection.
       # See packages/host-cp/k8s/manifests/50-deployment.yaml for rationale.
       enableServiceLinks: false
+      # R3-C (Decision R3-#3): imagePullSecrets references the ghcr-pull Secret
+      # created by `olam upgrade` step 0.4 when GH_TOKEN is available.
+      imagePullSecrets:
+        - name: ghcr-pull
       serviceAccountName: olam-mcp-auth-service
       securityContext:
         runAsNonRoot: true
@@ -64,7 +68,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-mcp-auth-service
-          image: ghcr.io/pleri/olam-mcp-auth@sha256:e4f5276fd8cce0e95d978e58b692244f8393396a01d971e962f3d0ef8f7d3ebd
+          image: ghcr.io/pleri/olam-mcp-auth@sha256:500901539eca6de84cf873929b4fcabbef1e40d725d456f744679ae8c6c843f5
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/memory-service/30-configmap.yaml

@@ -18,3 +18,7 @@ data:
   OLAM_AUTH_SERVICE_URL: "http://olam-auth-service.olam.svc.cluster.local:9999"
   # Health path exposed at /agentmemory/livez (D15 — do not change).
   OLAM_MEMORY_HEALTH_PATH: "/agentmemory/livez"
+  # R3-B defensive (Decision R3-#2): memory-service Dockerfile already sets
+  # AGENTMEMORY_HOST=0.0.0.0 but ConfigMap override is explicit defense against
+  # a future image regression reverting to 127.0.0.1.
+  AGENTMEMORY_HOST: "0.0.0.0"

package/host-cp/k8s/manifests/memory-service/50-deployment.yaml

@@ -40,6 +40,10 @@ spec:
       # B9 (round 2 recovery): disable k8s automatic Service env injection.
       # See packages/host-cp/k8s/manifests/50-deployment.yaml for rationale.
       enableServiceLinks: false
+      # R3-C (Decision R3-#3): imagePullSecrets references the ghcr-pull Secret
+      # created by `olam upgrade` step 0.4 when GH_TOKEN is available.
+      imagePullSecrets:
+        - name: ghcr-pull
       serviceAccountName: olam-memory-service
       securityContext:
         runAsNonRoot: true
@@ -66,7 +70,7 @@ spec:
           # bootstrap-placeholder comment + run `npm run refresh:manifest-digests`
           # once ghcr.io/pleri/olam-memory-service has a real published digest.
           # bootstrap-placeholder: pre-publish; refresh after first release
-          image: ghcr.io/pleri/olam-memory-service@sha256:cc60aee650f6194795a64e469572a1270308a9852690f5b902c6412d7ae0f58c
+          image: ghcr.io/pleri/olam-memory-service@sha256:a77779a50d904e78627fb5b09a685220ea995cc8f0df058efcd85caf5c548d94
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pleri/olam-cli",
-  "version": "0.1.152",
+  "version": "0.1.157",
   "type": "module",
   "bin": {
     "olam": "./bin/olam.cjs"
@@ -8,8 +8,8 @@
   "files": [
     "bin",
     "dist",
+    "hermes-bundle",
     "host-cp",
-    "memory-service-bundle",
     "plugin",
     "README.md"
   ],
@@ -47,7 +47,6 @@
     "@inquirer/prompts": "^7.0.0",
     "zod-to-json-schema": "^3.24.0",
     "playwright-core": "~1.59.0",
-    "@napi-rs/keyring": "^1.1.6",
-    "@agentmemory/agentmemory": "0.9.6"
+    "@napi-rs/keyring": "^1.1.6"
   }
 }

package/memory-service-bundle/scripts/ensure-iii-engine.mjs

@@ -1,179 +0,0 @@
-#!/usr/bin/env node
-/**
- * ensure-iii-engine.mjs — install (or verify) the iii-engine v0.11.2
- * binary that the agentmemory CLI depends on.
- *
- * Why this exists:
- *   `agentmemory` (npm-installed) launches the iii-engine as a subprocess
- *   but does NOT bundle the engine binary — it expects a system-installed
- *   `iii` on PATH. Upstream's documented install path A is a `curl`
- *   recipe that drops the binary into `~/.local/bin`. We do the
- *   equivalent into `~/.olam/bin/iii` so the engine lives under olam's
- *   namespace + never collides with an operator's own iii install
- *   (OQ9 resolved pass 3).
- *
- * Pinned to iii v0.11.2 exactly. Upstream agentmemory's
- * `docker-compose.yml` documents that v0.11.6+ breaks with
- * "EPIPE reconnect loops and empty search after save" — bumping is
- * not safe until agentmemory is refactored for the new sandbox-worker
- * model.
- *
- * SHA256 integrity: each tarball is verified against a hash pinned
- * in this file before extract. Mismatch → exit 1 (defends against
- * github.com/iii-hq/iii release tampering — T9).
- *
- * Hashes captured 2026-05-12 from `.sha256` sidecars at
- * https://github.com/iii-hq/iii/releases/tag/iii%2Fv0.11.2
- *
- * Plan reference: docs/plans/olam-agent-memory-distributed/phase-a-tasks.md A1
- * Research:       docs/research/agent-memory-distributed/REPORT.md Q1
- */
-
-import { existsSync, mkdirSync, writeFileSync, unlinkSync, chmodSync, statSync } from 'node:fs';
-import { homedir, platform, arch } from 'node:os';
-import { join } from 'node:path';
-import { createHash } from 'node:crypto';
-import { execSync } from 'node:child_process';
-
-export const III_VERSION = '0.11.2';
-
-/**
- * Map of {process.platform-process.arch} → upstream Rust target triple.
- * Only host platforms olam supports for local mode. Cloud-mode containers
- * (Phase C Dockerfile) handle linux-only via TARGETARCH ARG separately.
- */
-export const PLATFORM_ARCH_TO_TRIPLE = Object.freeze({
-  'darwin-arm64': 'aarch64-apple-darwin',
-  'darwin-x64': 'x86_64-apple-darwin',
-  'linux-arm64': 'aarch64-unknown-linux-gnu',
-  'linux-x64': 'x86_64-unknown-linux-gnu',
-});
-
-/**
- * SHA256 hashes of the upstream iii v0.11.2 release tarballs.
- * Captured from `.sha256` sidecars on the iii-hq/iii GitHub release.
- * If these ever fail to match after `iii v0.11.2` is published, upstream
- * has tampered with the release — refuse to install + open an issue.
- */
-export const SHA256 = Object.freeze({
-  'aarch64-apple-darwin':       'e7834c44fefb2b5343d327102a941419245f7fff447f95373857a04b033fb1bd',
-  'x86_64-apple-darwin':        '2b67e5f18833c415f4cb16a9e13b0e953555e0ca138682bf24894abe8b80b836',
-  'aarch64-unknown-linux-gnu':  'e0d35ee54a6b6c8a46576ab661e1711d11eb4dafeb1be8e1dbd1cc0ccb48b615',
-  'x86_64-unknown-linux-gnu':   '9c83c47788b4ef4beeb65dd9bf37e94f993770cd3db874464c3ce1cdc92352cd',
-});
-
-export function detectTriple(plat = platform(), cpuArch = arch()) {
-  const key = `${plat}-${cpuArch}`;
-  const triple = PLATFORM_ARCH_TO_TRIPLE[key];
-  if (!triple) {
-    const supported = Object.keys(PLATFORM_ARCH_TO_TRIPLE).join(', ');
-    throw new Error(
-      `Unsupported host platform/arch combo: ${key}. ` +
-      `iii v${III_VERSION} ships for: ${supported}. ` +
-      `Run agentmemory directly via 'npx @agentmemory/agentmemory' if your platform is missing.`,
-    );
-  }
-  return triple;
-}
-
-export function urlForTriple(triple) {
-  return `https://github.com/iii-hq/iii/releases/download/iii/v${III_VERSION}/iii-${triple}.tar.gz`;
-}
-
-/**
- * Idempotent install + verify. Returns { ok: true, path, cached } on
- * success; throws on failure (caller decides exit code).
- *
- * deps is for testability:
- *   - fetch    — substitutable in tests (default: global fetch)
- *   - logStream — process.stderr in prod; a fake in tests
- */
-export async function ensureIiiEngine({
-  olamHome = join(homedir(), '.olam'),
-  triple = detectTriple(),
-  fetchImpl = globalThis.fetch,
-  logStream = process.stderr,
-} = {}) {
-  const binDir = join(olamHome, 'bin');
-  const binPath = join(binDir, 'iii');
-
-  // Cached?
-  if (existsSync(binPath)) {
-    try {
-      const out = execSync(`${binPath} --version`, { encoding: 'utf8', timeout: 5_000 });
-      if (out.includes(III_VERSION)) {
-        return { ok: true, path: binPath, cached: true };
-      }
-      logStream.write(`iii at ${binPath} reports unexpected version: ${out.trim()}; re-installing\n`);
-    } catch (err) {
-      logStream.write(`iii at ${binPath} not executable (${err.message}); re-installing\n`);
-    }
-  }
-
-  const expectedSha = SHA256[triple];
-  if (!expectedSha) {
-    throw new Error(`No SHA256 pinned for triple ${triple} — update ensure-iii-engine.mjs.`);
-  }
-
-  const url = urlForTriple(triple);
-  logStream.write(`Downloading iii v${III_VERSION} (${triple}) from ${url}\n`);
-
-  const response = await fetchImpl(url);
-  if (!response.ok) {
-    throw new Error(`Failed to download iii v${III_VERSION} (${triple}): HTTP ${response.status}`);
-  }
-
-  const buf = Buffer.from(await response.arrayBuffer());
-  const actualSha = createHash('sha256').update(buf).digest('hex');
-
-  if (actualSha !== expectedSha) {
-    throw new Error(
-      `iii v${III_VERSION} tarball SHA256 mismatch for ${triple}:\n` +
-      `  expected: ${expectedSha}\n` +
-      `  got:      ${actualSha}\n` +
-      `If this is a legitimate upstream change, update SHA256 in ${import.meta.url} ` +
-      `and rotate the pin (see plan T9).`,
-    );
-  }
-
-  mkdirSync(binDir, { recursive: true });
-
-  // Extract via system tar — saves bundling node-tar
-  const tarPath = join(binDir, '.iii.tar.gz');
-  writeFileSync(tarPath, buf);
-  try {
-    execSync(`tar -xzf '${tarPath}' -C '${binDir}'`, { stdio: 'pipe' });
-  } finally {
-    if (existsSync(tarPath)) unlinkSync(tarPath);
-  }
-
-  if (!existsSync(binPath)) {
-    throw new Error(`tar extract succeeded but iii binary not found at ${binPath}`);
-  }
-  chmodSync(binPath, 0o755);
-
-  // Smoke
-  const ver = execSync(`${binPath} --version`, { encoding: 'utf8', timeout: 5_000 });
-  if (!ver.includes(III_VERSION)) {
-    throw new Error(`iii binary installed but reports unexpected version: ${ver.trim()}`);
-  }
-
-  return { ok: true, path: binPath, cached: false };
-}
-
-// CLI entry — `node ensure-iii-engine.mjs`
-const isDirect = import.meta.url === `file://${process.argv[1]}` ||
-                 process.argv[1]?.endsWith('/ensure-iii-engine.mjs');
-if (isDirect) {
-  ensureIiiEngine()
-    .then((r) => {
-      process.stderr.write(
-        `iii v${III_VERSION} ready at ${r.path}${r.cached ? ' (cached)' : ''}\n`,
-      );
-      process.exit(0);
-    })
-    .catch((err) => {
-      process.stderr.write(`ensure-iii-engine failed: ${err.message}\n`);
-      process.exit(1);
-    });
-}