@pleri/olam-cli 0.1.153 → 0.1.158

package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml

@@ -43,6 +43,10 @@ spec:
       # B9 (round 2 recovery): disable k8s automatic Service env injection.
       # See packages/host-cp/k8s/manifests/50-deployment.yaml for rationale.
       enableServiceLinks: false
+      # R3-C (Decision R3-#3): imagePullSecrets references the ghcr-pull Secret
+      # created by `olam upgrade` step 0.4 when GH_TOKEN is available.
+      imagePullSecrets:
+        - name: ghcr-pull
       serviceAccountName: olam-mcp-auth-service
       securityContext:
         runAsNonRoot: true
@@ -64,7 +68,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-mcp-auth-service
-          image: ghcr.io/pleri/olam-mcp-auth@sha256:2d1b17fe2d53361a24ba9f137eaabc63df8c79f08d4eee93db42e5b909b41b14
+          image: ghcr.io/pleri/olam-mcp-auth@sha256:4d4806e2aa7c782de60471a9742d9e85dcf9f5ba0af3c496c26ff7aab9847a43
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/memory-service/30-configmap.yaml

@@ -18,3 +18,7 @@ data:
   OLAM_AUTH_SERVICE_URL: "http://olam-auth-service.olam.svc.cluster.local:9999"
   # Health path exposed at /agentmemory/livez (D15 — do not change).
   OLAM_MEMORY_HEALTH_PATH: "/agentmemory/livez"
+  # R3-B defensive (Decision R3-#2): memory-service Dockerfile already sets
+  # AGENTMEMORY_HOST=0.0.0.0 but ConfigMap override is explicit defense against
+  # a future image regression reverting to 127.0.0.1.
+  AGENTMEMORY_HOST: "0.0.0.0"

package/host-cp/k8s/manifests/memory-service/50-deployment.yaml

@@ -40,6 +40,10 @@ spec:
       # B9 (round 2 recovery): disable k8s automatic Service env injection.
       # See packages/host-cp/k8s/manifests/50-deployment.yaml for rationale.
       enableServiceLinks: false
+      # R3-C (Decision R3-#3): imagePullSecrets references the ghcr-pull Secret
+      # created by `olam upgrade` step 0.4 when GH_TOKEN is available.
+      imagePullSecrets:
+        - name: ghcr-pull
       serviceAccountName: olam-memory-service
       securityContext:
         runAsNonRoot: true
@@ -66,7 +70,7 @@ spec:
           # bootstrap-placeholder comment + run `npm run refresh:manifest-digests`
           # once ghcr.io/pleri/olam-memory-service has a real published digest.
           # bootstrap-placeholder: pre-publish; refresh after first release
-          image: ghcr.io/pleri/olam-memory-service@sha256:36ee04cf04b62e1ac84473885abcbd8aabb0bbbd2ab0d4d15a5cfe9d0a3469fd
+          image: ghcr.io/pleri/olam-memory-service@sha256:2c31c0f1f93c6b9a3a6d7e94db91dbc9f99cfe17aa8088e594ef4b484b039066
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/src/metrics.mjs

@@ -0,0 +1,281 @@
+// Phase C Task C3 — hand-rolled Prometheus metrics registry for host-cp.
+//
+// Emits exactly two metric families:
+//   http_requests_total{service,route,method,status_code}  counter
+//   http_request_duration_seconds{service,route,method}    histogram
+//
+// TAXONOMY COMPLIANCE (NON-NEGOTIABLE):
+//   ONLY {service, route, method, status_code} labels allowed.
+//   BANNED: world_id, trace_id, user_id, request_id, operator_id.
+//   world_id surfaces via Prometheus exemplars in Phase D — NOT labels.
+//
+// No external npm deps — Prometheus text exposition is simple enough to
+// produce with template literals. Avoids the prom-client footprint on a
+// host-side service that has no other dependency on metrics tooling.
+
+// ─── Route mapping ────────────────────────────────────────────────────────
+//
+// Raw req.url is a cardinality bomb: every unique URL is a new time series.
+// We normalize dynamic path segments to stable patterns before labelling.
+//
+// RULES (first match wins):
+//   /health                          → /health
+//   /api/bootstrap                   → /api/bootstrap
+//   /metrics                         → /metrics
+//   /api/host-stream                 → /api/host-stream
+//   /api/worlds/{id}/credentials/... → /api/worlds/:id/credentials/:action
+//   /api/worlds/{id}/tunnels/...     → /api/worlds/:id/tunnels
+//   /api/worlds/{id}/pr              → /api/worlds/:id/pr
+//   /api/worlds/{id}/progress        → /api/worlds/:id/progress
+//   /api/worlds (no id)              → /api/worlds
+//   /api/world/{id}/**               → /api/world/:id/*  (proxy routes)
+//   /api/admin/registry/...          → /api/admin/registry
+//   /api/admin/upgrade               → /api/admin/upgrade
+//   /api/admin/world-pr              → /api/admin/world-pr
+//   /api/admin/world-pr/{id}         → /api/admin/world-pr/:id
+//   /api/auth/credentials/...        → /api/auth/credentials
+//   /api/auth/...                    → /api/auth
+//   /api/plan/conversations/{id}/... → /api/plan/conversations/:id
+//   /api/plan/conversations          → /api/plan/conversations
+//   /api/plan/**                     → /api/plan
+//   /api/auth/events                 → /api/auth/events
+//   /api/version/status              → /api/version/status
+//   /api/repos                       → /api/repos
+//   /api/runbooks                    → /api/runbooks
+//   /api/workspaces/match            → /api/workspaces/match
+//   /api/workspaces                  → /api/workspaces
+//   /api/projects                    → /api/projects
+//   /api/processes/**                → /api/processes
+//   /v1/chunks/**                    → /v1/chunks
+//   /v1/worlds/**                    → /v1/worlds
+//   /assets/**                       → /assets (SPA static assets)
+//   (other GET to static paths)      → /static
+//   (unknown)                        → /unknown
+
+/** @param {string} pathname */
+export function pathToRoute(pathname) {
+  // Normalize trailing slash for matching (keep bare / as /)
+  const p = pathname.length > 1 ? pathname.replace(/\/$/, '') : pathname;
+
+  if (p === '/health') return '/health';
+  if (p === '/api/bootstrap') return '/api/bootstrap';
+  if (p === '/metrics') return '/metrics';
+  if (p === '/api/host-stream') return '/api/host-stream';
+  if (p === '/api/auth/events') return '/api/auth/events';
+  if (p === '/api/version/status') return '/api/version/status';
+  if (p === '/api/repos') return '/api/repos';
+  if (p === '/api/runbooks') return '/api/runbooks';
+  if (p === '/api/workspaces/match') return '/api/workspaces/match';
+  if (p === '/api/workspaces') return '/api/workspaces';
+  if (p === '/api/projects') return '/api/projects';
+  if (p === '/api/worlds') return '/api/worlds';
+  if (p === '/api/plan/conversations' || p === '/api/plan/personas') return p;
+  if (p === '/api/admin/upgrade') return '/api/admin/upgrade';
+  if (p === '/api/admin/world-pr') return '/api/admin/world-pr';
+  if (p === '/api/admin/registry') return '/api/admin/registry';
+  if (p.startsWith('/api/worlds/')) {
+    if (p.includes('/credentials/')) return '/api/worlds/:id/credentials/:action';
+    if (p.includes('/tunnels')) return '/api/worlds/:id/tunnels';
+    if (p.endsWith('/pr')) return '/api/worlds/:id/pr';
+    if (p.endsWith('/progress')) return '/api/worlds/:id/progress';
+    return '/api/worlds/:id';
+  }
+  if (p.startsWith('/api/world/')) return '/api/world/:id/*';
+  if (p.startsWith('/api/admin/registry/')) return '/api/admin/registry';
+  if (p.startsWith('/api/admin/world-pr/')) return '/api/admin/world-pr/:id';
+  if (p.startsWith('/api/auth/credentials')) return '/api/auth/credentials';
+  if (p.startsWith('/api/auth/')) return '/api/auth';
+  if (p.startsWith('/api/plan/conversations/')) return '/api/plan/conversations/:id';
+  if (p.startsWith('/api/plan/')) return '/api/plan';
+  if (p.startsWith('/api/processes') || p.startsWith('/api/servers')) return '/api/processes';
+  if (p.startsWith('/v1/chunks')) return '/v1/chunks';
+  if (p.startsWith('/v1/worlds')) return '/v1/worlds';
+  if (p.startsWith('/assets/')) return '/assets';
+  // SPA HTML fallback routes (GET / and SPA sub-routes like /worlds, /plan/...)
+  if (p === '/' || p.startsWith('/worlds') || p.startsWith('/plan') || p.startsWith('/workspaces')) return '/static';
+  return '/unknown';
+}
+
+// ─── In-memory registry ───────────────────────────────────────────────────
+
+const HISTOGRAM_BUCKETS = [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5];
+
+/** @type {Map<string, number>} labelSet → count */
+const _counters = new Map();
+
+/**
+ * Per label-set histogram state.
+ * @type {Map<string, {buckets: number[], sum: number, count: number}>}
+ */
+const _histograms = new Map();
+
+/** @param {string[]} parts label values in canonical order */
+function _labelKey(parts) {
+  return parts.join('\x00');
+}
+
+/**
+ * Reset all metrics. FOR TESTS ONLY — never call in production code.
+ * Exported as a separate name so it's invisible to consumers that only
+ * import the named exports they need.
+ */
+export function _resetForTest() {
+  _counters.clear();
+  _histograms.clear();
+}
+
+/**
+ * Increment http_requests_total counter.
+ *
+ * @param {string} service
+ * @param {string} route    — MUST be a normalized route pattern
+ * @param {string} method
+ * @param {string} statusCode
+ */
+export function incRequest(service, route, method, statusCode) {
+  const key = _labelKey([service, route, method, statusCode]);
+  _counters.set(key, (_counters.get(key) ?? 0) + 1);
+}
+
+/**
+ * Observe http_request_duration_seconds.
+ *
+ * @param {string} service
+ * @param {string} route
+ * @param {string} method
+ * @param {number} seconds
+ */
+export function observeDuration(service, route, method, seconds) {
+  const key = _labelKey([service, route, method]);
+  let h = _histograms.get(key);
+  if (!h) {
+    // buckets[i] = count of observations where seconds <= HISTOGRAM_BUCKETS[i]
+    // but stored as INCREMENTAL per-range so cumulation happens on render.
+    // Each bucket[i] = count that fell in range (HISTOGRAM_BUCKETS[i-1], HISTOGRAM_BUCKETS[i]].
+    h = { buckets: new Array(HISTOGRAM_BUCKETS.length).fill(0), sum: 0, count: 0 };
+    _histograms.set(key, h);
+  }
+  // Find the first bucket boundary that accommodates this observation.
+  // Increment only that bucket; render accumulates for the exposition.
+  let placed = false;
+  for (let i = 0; i < HISTOGRAM_BUCKETS.length; i++) {
+    if (seconds <= HISTOGRAM_BUCKETS[i]) {
+      h.buckets[i]++;
+      placed = true;
+      break;
+    }
+  }
+  // Observations beyond the last bucket are counted in h.count only;
+  // the +Inf bucket in the exposition equals h.count.
+  if (!placed) {
+    // No bucket captured it — it lands in +Inf only.
+  }
+  h.sum += seconds;
+  h.count++;
+}
+
+// ─── Prometheus text exposition ───────────────────────────────────────────
+
+/** Escape label value per Prometheus text format (backslash, newline, quote). */
+function escapeLabelValue(v) {
+  return String(v).replace(/\\/g, '\\\\').replace(/\n/g, '\\n').replace(/"/g, '\\"');
+}
+
+/**
+ * Build the `{k1="v1",k2="v2",...}` label-set string.
+ * @param {Record<string, string>} labels
+ */
+function labelSet(labels) {
+  const parts = Object.entries(labels).map(
+    ([k, v]) => `${k}="${escapeLabelValue(v)}"`,
+  );
+  return `{${parts.join(',')}}`;
+}
+
+/**
+ * Render the complete Prometheus text exposition.
+ * @returns {string}
+ */
+export function renderMetrics() {
+  const lines = [];
+
+  // ── http_requests_total ─────────────────────────────────────────────
+  lines.push('# HELP http_requests_total Total number of HTTP requests handled.');
+  lines.push('# TYPE http_requests_total counter');
+  for (const [key, count] of _counters) {
+    const [service, route, method, status_code] = key.split('\x00');
+    lines.push(
+      `http_requests_total${labelSet({ service, route, method, status_code })} ${count}`,
+    );
+  }
+
+  // ── http_request_duration_seconds ───────────────────────────────────
+  lines.push('# HELP http_request_duration_seconds HTTP request duration in seconds (histogram).');
+  lines.push('# TYPE http_request_duration_seconds histogram');
+  for (const [key, h] of _histograms) {
+    const [service, route, method] = key.split('\x00');
+    const base = { service, route, method };
+    // Cumulative buckets: le=X must be ≥ sum of all observations ≤ X.
+    let cumulative = 0;
+    for (let i = 0; i < HISTOGRAM_BUCKETS.length; i++) {
+      cumulative += h.buckets[i];
+      lines.push(
+        `http_request_duration_seconds_bucket${labelSet({ ...base, le: String(HISTOGRAM_BUCKETS[i]) })} ${cumulative}`,
+      );
+    }
+    lines.push(
+      `http_request_duration_seconds_bucket${labelSet({ ...base, le: '+Inf' })} ${h.count}`,
+    );
+    lines.push(`http_request_duration_seconds_sum${labelSet(base)} ${h.sum}`);
+    lines.push(`http_request_duration_seconds_count${labelSet(base)} ${h.count}`);
+  }
+
+  lines.push(''); // trailing newline
+  return lines.join('\n');
+}
+
+// ─── Request instrumentation wrapper ─────────────────────────────────────
+
+/**
+ * Wrap an async request handler so every request is instrumented.
+ *
+ * The wrapper:
+ *   1. Derives a stable route pattern from req.url.
+ *   2. Starts a high-resolution timer.
+ *   3. Calls the original handler.
+ *   4. Records counter + histogram using the response's status code.
+ *
+ * Status code capture: we monkey-patch res.writeHead and res.end to intercept
+ * the status before it's sent. Falls back to res.statusCode (which Node sets
+ * implicitly on .end() when no explicit writeHead call was made).
+ *
+ * @param {string} serviceName  — emitted as the `service` label
+ * @param {(req: import('node:http').IncomingMessage, res: import('node:http').ServerResponse) => Promise<void>} handler
+ * @returns {(req: import('node:http').IncomingMessage, res: import('node:http').ServerResponse) => Promise<void>}
+ */
+export function instrumentHandler(serviceName, handler) {
+  return async (req, res) => {
+    const start = performance.now();
+
+    // Intercept status code by wrapping writeHead.
+    let capturedStatus = null;
+    const origWriteHead = res.writeHead.bind(res);
+    res.writeHead = (status, ...rest) => {
+      capturedStatus = status;
+      return origWriteHead(status, ...rest);
+    };
+
+    try {
+      await handler(req, res);
+    } finally {
+      const durationSec = (performance.now() - start) / 1000;
+      const urlObj = new URL(req.url ?? '/', `http://localhost`);
+      const route = pathToRoute(urlObj.pathname);
+      const method = (req.method ?? 'GET').toUpperCase();
+      const statusCode = String(capturedStatus ?? res.statusCode ?? 200);
+
+      incRequest(serviceName, route, method, statusCode);
+      observeDuration(serviceName, route, method, durationSec);
+    }
+  };
+}

package/host-cp/src/server.mjs

@@ -71,6 +71,7 @@ import {
   handleListServers,
   handleServerBridges,
 } from './routes/process-port.mjs';
+import { instrumentHandler, renderMetrics } from './metrics.mjs';
 
 // ── Deployment-mode detection ─────────────────────────────────────
 //
@@ -680,7 +681,10 @@ async function getSecret(worldId) {
 
 // ── HTTP server ──────────────────────────────────────────────────────
 
-const server = http.createServer(async (req, res) => {
+// Phase C Task C3: wrap the raw handler with the Prometheus instrumentation
+// wrapper. Every request increments http_requests_total and observes
+// http_request_duration_seconds before the response is sent.
+const server = http.createServer(instrumentHandler('host-cp', async (req, res) => {
   const url = new URL(req.url ?? '/', `http://${req.headers.host}`);
 
   // /health: fast diagnostics, no auth, no proxying. Docker healthcheck
@@ -717,6 +721,22 @@ const server = http.createServer(async (req, res) => {
     });
   }
 
+  // /metrics: Prometheus text exposition (Phase C Task C3).
+  // Unauthenticated — same rationale as /health: the Prometheus scraper
+  // in-cluster cannot carry the operator's session token.
+  // Returns only the 4 taxonomy-compliant labels {service,route,method,status_code}.
+  // BANNED labels (world_id, trace_id, user_id, request_id, operator_id)
+  // are never emitted here; layer-2 enforcement is the ServiceMonitor labeldrop.
+  if (url.pathname === '/metrics') {
+    const body = renderMetrics();
+    res.writeHead(200, {
+      'Content-Type': 'text/plain; version=0.0.4; charset=utf-8',
+      'Cache-Control': 'no-cache, no-store',
+    });
+    res.end(body);
+    return;
+  }
+
   // /api/bootstrap: SPA reads the token at load time. Unauthed because
   // anything local that can hit 127.0.0.1:19000 can also read the token
   // file directly (same OS-level privilege boundary). Single-user-only;
@@ -2178,7 +2198,7 @@ const server = http.createServer(async (req, res) => {
     pathname: url.pathname,
     message: 'B3 ships /health + /api/world/<id>/*. B4-B9 ship the rest.',
   });
-});
+}));
 
 /**
  * @param {import('node:http').ServerResponse} res

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pleri/olam-cli",
-  "version": "0.1.153",
+  "version": "0.1.158",
   "type": "module",
   "bin": {
     "olam": "./bin/olam.cjs"
@@ -8,8 +8,8 @@
   "files": [
     "bin",
     "dist",
+    "hermes-bundle",
     "host-cp",
-    "memory-service-bundle",
     "plugin",
     "README.md"
   ],
@@ -47,7 +47,6 @@
     "@inquirer/prompts": "^7.0.0",
     "zod-to-json-schema": "^3.24.0",
     "playwright-core": "~1.59.0",
-    "@napi-rs/keyring": "^1.1.6",
-    "@agentmemory/agentmemory": "0.9.6"
+    "@napi-rs/keyring": "^1.1.6"
   }
 }

package/memory-service-bundle/scripts/ensure-iii-engine.mjs

@@ -1,179 +0,0 @@
-#!/usr/bin/env node
-/**
- * ensure-iii-engine.mjs — install (or verify) the iii-engine v0.11.2
- * binary that the agentmemory CLI depends on.
- *
- * Why this exists:
- *   `agentmemory` (npm-installed) launches the iii-engine as a subprocess
- *   but does NOT bundle the engine binary — it expects a system-installed
- *   `iii` on PATH. Upstream's documented install path A is a `curl`
- *   recipe that drops the binary into `~/.local/bin`. We do the
- *   equivalent into `~/.olam/bin/iii` so the engine lives under olam's
- *   namespace + never collides with an operator's own iii install
- *   (OQ9 resolved pass 3).
- *
- * Pinned to iii v0.11.2 exactly. Upstream agentmemory's
- * `docker-compose.yml` documents that v0.11.6+ breaks with
- * "EPIPE reconnect loops and empty search after save" — bumping is
- * not safe until agentmemory is refactored for the new sandbox-worker
- * model.
- *
- * SHA256 integrity: each tarball is verified against a hash pinned
- * in this file before extract. Mismatch → exit 1 (defends against
- * github.com/iii-hq/iii release tampering — T9).
- *
- * Hashes captured 2026-05-12 from `.sha256` sidecars at
- * https://github.com/iii-hq/iii/releases/tag/iii%2Fv0.11.2
- *
- * Plan reference: docs/plans/olam-agent-memory-distributed/phase-a-tasks.md A1
- * Research:       docs/research/agent-memory-distributed/REPORT.md Q1
- */
-
-import { existsSync, mkdirSync, writeFileSync, unlinkSync, chmodSync, statSync } from 'node:fs';
-import { homedir, platform, arch } from 'node:os';
-import { join } from 'node:path';
-import { createHash } from 'node:crypto';
-import { execSync } from 'node:child_process';
-
-export const III_VERSION = '0.11.2';
-
-/**
- * Map of {process.platform-process.arch} → upstream Rust target triple.
- * Only host platforms olam supports for local mode. Cloud-mode containers
- * (Phase C Dockerfile) handle linux-only via TARGETARCH ARG separately.
- */
-export const PLATFORM_ARCH_TO_TRIPLE = Object.freeze({
-  'darwin-arm64': 'aarch64-apple-darwin',
-  'darwin-x64': 'x86_64-apple-darwin',
-  'linux-arm64': 'aarch64-unknown-linux-gnu',
-  'linux-x64': 'x86_64-unknown-linux-gnu',
-});
-
-/**
- * SHA256 hashes of the upstream iii v0.11.2 release tarballs.
- * Captured from `.sha256` sidecars on the iii-hq/iii GitHub release.
- * If these ever fail to match after `iii v0.11.2` is published, upstream
- * has tampered with the release — refuse to install + open an issue.
- */
-export const SHA256 = Object.freeze({
-  'aarch64-apple-darwin':       'e7834c44fefb2b5343d327102a941419245f7fff447f95373857a04b033fb1bd',
-  'x86_64-apple-darwin':        '2b67e5f18833c415f4cb16a9e13b0e953555e0ca138682bf24894abe8b80b836',
-  'aarch64-unknown-linux-gnu':  'e0d35ee54a6b6c8a46576ab661e1711d11eb4dafeb1be8e1dbd1cc0ccb48b615',
-  'x86_64-unknown-linux-gnu':   '9c83c47788b4ef4beeb65dd9bf37e94f993770cd3db874464c3ce1cdc92352cd',
-});
-
-export function detectTriple(plat = platform(), cpuArch = arch()) {
-  const key = `${plat}-${cpuArch}`;
-  const triple = PLATFORM_ARCH_TO_TRIPLE[key];
-  if (!triple) {
-    const supported = Object.keys(PLATFORM_ARCH_TO_TRIPLE).join(', ');
-    throw new Error(
-      `Unsupported host platform/arch combo: ${key}. ` +
-      `iii v${III_VERSION} ships for: ${supported}. ` +
-      `Run agentmemory directly via 'npx @agentmemory/agentmemory' if your platform is missing.`,
-    );
-  }
-  return triple;
-}
-
-export function urlForTriple(triple) {
-  return `https://github.com/iii-hq/iii/releases/download/iii/v${III_VERSION}/iii-${triple}.tar.gz`;
-}
-
-/**
- * Idempotent install + verify. Returns { ok: true, path, cached } on
- * success; throws on failure (caller decides exit code).
- *
- * deps is for testability:
- *   - fetch    — substitutable in tests (default: global fetch)
- *   - logStream — process.stderr in prod; a fake in tests
- */
-export async function ensureIiiEngine({
-  olamHome = join(homedir(), '.olam'),
-  triple = detectTriple(),
-  fetchImpl = globalThis.fetch,
-  logStream = process.stderr,
-} = {}) {
-  const binDir = join(olamHome, 'bin');
-  const binPath = join(binDir, 'iii');
-
-  // Cached?
-  if (existsSync(binPath)) {
-    try {
-      const out = execSync(`${binPath} --version`, { encoding: 'utf8', timeout: 5_000 });
-      if (out.includes(III_VERSION)) {
-        return { ok: true, path: binPath, cached: true };
-      }
-      logStream.write(`iii at ${binPath} reports unexpected version: ${out.trim()}; re-installing\n`);
-    } catch (err) {
-      logStream.write(`iii at ${binPath} not executable (${err.message}); re-installing\n`);
-    }
-  }
-
-  const expectedSha = SHA256[triple];
-  if (!expectedSha) {
-    throw new Error(`No SHA256 pinned for triple ${triple} — update ensure-iii-engine.mjs.`);
-  }
-
-  const url = urlForTriple(triple);
-  logStream.write(`Downloading iii v${III_VERSION} (${triple}) from ${url}\n`);
-
-  const response = await fetchImpl(url);
-  if (!response.ok) {
-    throw new Error(`Failed to download iii v${III_VERSION} (${triple}): HTTP ${response.status}`);
-  }
-
-  const buf = Buffer.from(await response.arrayBuffer());
-  const actualSha = createHash('sha256').update(buf).digest('hex');
-
-  if (actualSha !== expectedSha) {
-    throw new Error(
-      `iii v${III_VERSION} tarball SHA256 mismatch for ${triple}:\n` +
-      `  expected: ${expectedSha}\n` +
-      `  got:      ${actualSha}\n` +
-      `If this is a legitimate upstream change, update SHA256 in ${import.meta.url} ` +
-      `and rotate the pin (see plan T9).`,
-    );
-  }
-
-  mkdirSync(binDir, { recursive: true });
-
-  // Extract via system tar — saves bundling node-tar
-  const tarPath = join(binDir, '.iii.tar.gz');
-  writeFileSync(tarPath, buf);
-  try {
-    execSync(`tar -xzf '${tarPath}' -C '${binDir}'`, { stdio: 'pipe' });
-  } finally {
-    if (existsSync(tarPath)) unlinkSync(tarPath);
-  }
-
-  if (!existsSync(binPath)) {
-    throw new Error(`tar extract succeeded but iii binary not found at ${binPath}`);
-  }
-  chmodSync(binPath, 0o755);
-
-  // Smoke
-  const ver = execSync(`${binPath} --version`, { encoding: 'utf8', timeout: 5_000 });
-  if (!ver.includes(III_VERSION)) {
-    throw new Error(`iii binary installed but reports unexpected version: ${ver.trim()}`);
-  }
-
-  return { ok: true, path: binPath, cached: false };
-}
-
-// CLI entry — `node ensure-iii-engine.mjs`
-const isDirect = import.meta.url === `file://${process.argv[1]}` ||
-                 process.argv[1]?.endsWith('/ensure-iii-engine.mjs');
-if (isDirect) {
-  ensureIiiEngine()
-    .then((r) => {
-      process.stderr.write(
-        `iii v${III_VERSION} ready at ${r.path}${r.cached ? ' (cached)' : ''}\n`,
-      );
-      process.exit(0);
-    })
-    .catch((err) => {
-      process.stderr.write(`ensure-iii-engine failed: ${err.message}\n`);
-      process.exit(1);
-    });
-}