@pleri/olam-cli 0.1.159 → 0.1.161

package/hermes-bundle/version.json

@@ -1,4 +1,4 @@
 {
-  "bundledAt": "2026-05-21T16:31:13.129Z",
+  "bundledAt": "2026-05-22T07:50:42.070Z",
   "kgFirstSha": "29a9ccce1b115d049e375c4a90eb5cf7c123e610e2d0590270a4db2cdbc64a28"
 }

package/host-cp/k8s/manifests/50-deployment.yaml

@@ -111,7 +111,7 @@ spec:
         # k3d), started by `olam upgrade` Step 0.7 — not inside this Pod.
       containers:
         - name: olam-host-cp
-          image: ghcr.io/pleri/olam-host-cp@sha256:53c6548f6930231a6f905f4a3ae1f49dbc66e52233b64a09e539b4ffa21180db
+          image: ghcr.io/pleri/olam-host-cp@sha256:a71a02ad25f03c1481d8b5a4f3cf50614eb1f9b02376935e4df5c65b9bd4fa8f
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/auth-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-auth-service
-          image: ghcr.io/pleri/olam-auth@sha256:d1b13f12d87d5b119d6495214c26d8c8255deb996d37193f3b4fa47363ab9367
+          image: ghcr.io/pleri/olam-auth@sha256:7ad7f92e5feafff3921f3219886a2aec312d83e00c66eaa568e53aac03b19b16
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/kg-service/50-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-kg-service
-          image: ghcr.io/pleri/olam-kg-service@sha256:e7276f9ea4d359dcb8a0d623e701e290f51c565fc8b6e3c14bea75b1b780d23d
+          image: ghcr.io/pleri/olam-kg-service@sha256:9c01fd288e136116abfd0e34c7230417a30c5036e411838b88a553c44a802f13
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml

@@ -68,7 +68,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-mcp-auth-service
-          image: ghcr.io/pleri/olam-mcp-auth@sha256:d53a7538ca405f4d8c0c4be67d3961617304f07623839eb0de75f9cd2b47b914
+          image: ghcr.io/pleri/olam-mcp-auth@sha256:ddd15d5ee0b18ed36a8916c4d8d985182f6e32b57fc2625295f5db19a14b37a0
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/memory-service/30-configmap.yaml

@@ -22,3 +22,14 @@ data:
   # AGENTMEMORY_HOST=0.0.0.0 but ConfigMap override is explicit defense against
   # a future image regression reverting to 127.0.0.1.
   AGENTMEMORY_HOST: "0.0.0.0"
+  # III_REST_PORT is the env var the agentmemory CLI wrapper reads when it
+  # polls its iii subprocess for readiness (cli.mjs:155 — `process.env
+  # ["III_REST_PORT"] || "3111"`). The iii engine itself binds the port
+  # declared in iii-config.yaml's iii-http worker (overridden via the
+  # olam-memory-service-iii-config ConfigMap to 3110, so it does not
+  # collide with the metrics-proxy on 3111). Without this env var the
+  # wrapper polls 3111 forever, prints "iii-engine did not become ready",
+  # and exits — entrypoint propagates the exit, container restarts, and
+  # the liveness probe returns 502 from the proxy (its backend was never
+  # up). Must equal the iii-http port in 35-configmap-iii-config.yaml.
+  III_REST_PORT: "3110"

package/host-cp/k8s/manifests/memory-service/35-configmap-iii-config.yaml

@@ -0,0 +1,76 @@
+# Overrides the iii-config.yaml shipped inside the agentmemory image so the
+# iii engine binds the INTERNAL port (3110) instead of the EXTERNAL port
+# (3111). The shipped yaml hardcodes `port: 3111` and the agentmemory CLI
+# reads its bind from yaml (NOT from the AGENTMEMORY_PORT env var), so
+# entrypoint.sh's `AGENTMEMORY_PORT=3110` override has no effect.
+#
+# Without this override, the engine and the metrics-proxy both try to bind
+# 0.0.0.0:3111. The proxy starts first and wins the port; the engine fails
+# silently. Probes to /agentmemory/livez hit the proxy and get forwarded to
+# 127.0.0.1:3110, where nothing is listening — proxy returns 502, readiness
+# fails, container restarts.
+#
+# Mounted at /usr/local/lib/node_modules/@agentmemory/agentmemory/dist/iii-config.yaml
+# via subPath in 50-deployment.yaml.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-memory-service-iii-config
+  namespace: olam
+  labels:
+    app: olam-memory-service
+    olam.io/component: peripheral
+data:
+  iii-config.yaml: |
+    workers:
+      - name: iii-http
+        config:
+          port: 3110
+          host: 0.0.0.0
+          default_timeout: 180000
+          cors:
+            allowed_origins: ["http://localhost:3111", "http://localhost:3113", "http://127.0.0.1:3111", "http://127.0.0.1:3113"]
+            allowed_methods: [GET, POST, PUT, DELETE, OPTIONS]
+      - name: iii-state
+        config:
+          adapter:
+            name: kv
+            config:
+              store_method: file_based
+              file_path: ./data/state_store.db
+      - name: iii-queue
+        config:
+          adapter:
+            name: builtin
+      - name: iii-pubsub
+        config:
+          adapter:
+            name: local
+      - name: iii-cron
+        config:
+          adapter:
+            name: kv
+      - name: iii-stream
+        config:
+          port: 3112
+          host: 0.0.0.0
+          adapter:
+            name: kv
+            config:
+              store_method: file_based
+              file_path: ./data/stream_store
+      - name: iii-observability
+        config:
+          enabled: true
+          service_name: agentmemory
+          exporter: memory
+          sampling_ratio: 1.0
+          metrics_enabled: true
+          logs_enabled: true
+          logs_console_output: true
+      - name: iii-exec
+        config:
+          watch:
+            - src/**/*.ts
+          exec:
+            - node dist/index.mjs

package/host-cp/k8s/manifests/memory-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
           # bootstrap-placeholder comment + run `npm run refresh:manifest-digests`
           # once ghcr.io/pleri/olam-memory-service has a real published digest.
           # bootstrap-placeholder: pre-publish; refresh after first release
-          image: ghcr.io/pleri/olam-memory-service@sha256:023bde810b0594829c8aa553b88a64cf53b81b6374085c7a92fb6102450fa3ff
+          image: ghcr.io/pleri/olam-memory-service@sha256:8dd1593af37b345a9b9b741803355254f1f719d9bf23e56339d9baed8dea9ac1
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true
@@ -93,6 +93,13 @@ spec:
               mountPath: /data
             - name: tmp
               mountPath: /tmp
+            # Overrides the shipped iii-config.yaml so the engine binds the
+            # internal port (3110) instead of colliding with the metrics-proxy
+            # on 3111. See 35-configmap-iii-config.yaml for full rationale.
+            - name: iii-config-override
+              mountPath: /usr/local/lib/node_modules/@agentmemory/agentmemory/dist/iii-config.yaml
+              subPath: iii-config.yaml
+              readOnly: true
           readinessProbe:
             httpGet:
               # D15 (LOAD-BEARING): memory-service health path is /agentmemory/livez.
@@ -126,3 +133,6 @@ spec:
             claimName: olam-memory-data
         - name: tmp
           emptyDir: {}
+        - name: iii-config-override
+          configMap:
+            name: olam-memory-service-iii-config

package/host-cp/observability/grafana-port-forward.sh

@@ -0,0 +1,273 @@
+#!/usr/bin/env bash
+# grafana-port-forward.sh — e2e smoke test: Grafana installs via Helm,
+#                           port-forward is accessible, Loki datasource
+#                           is pre-wired and reachable.
+#
+# Usage: scripts/e2e/grafana-port-forward.sh
+#
+# Pre-conditions:
+#   - kubectl context is set to a live k8s cluster (does NOT spin up k3d)
+#   - helm binary available
+#   - jq binary available
+#   - grafana Helm repo added (helm repo add grafana https://grafana.github.io/helm-charts)
+#   - Loki is already installed (scripts/e2e/loki-ingest.sh ran successfully
+#     OR `helm status olam-loki -n monitoring` is healthy)
+#
+# Idempotency: `helm upgrade --install` is idempotent; re-runs succeed on an
+#              existing cluster. The Secret is applied via --dry-run | kubectl apply
+#              so re-runs update the password (useful for rotation testing).
+#              The olam-dashboards ConfigMap is applied before helm install so
+#              Grafana's volume mount finds the ConfigMap on first boot.
+#
+# Cleanup: port-forward is killed on exit; Helm release is left in place so
+#          downstream tasks can reuse the same cluster.
+#
+# Refs: docs/plans/k3s-ingress-observability/phase-b-tasks.md — Task B2, B3
+#       Chart: grafana/grafana 8.5.2 (pinned; latest stable 2026-05-20)
+
+set -euo pipefail
+
+NAMESPACE="monitoring"
+GRAFANA_RELEASE="olam-grafana"
+GRAFANA_CHART_VERSION="8.5.2"
+LOCAL_PORT="3000"
+GRAFANA_SVC_PORT="80"
+PF_BIND_SECONDS=5
+
+log()  { printf '[grafana-port-forward] %s\n' "$*" >&2; }
+fail() { printf '[grafana-port-forward] FAIL: %s\n' "$*" >&2; exit 1; }
+
+# -------------------------------------------------------------------------
+# Cleanup trap — kill port-forward on exit; leave Helm release in place
+# -------------------------------------------------------------------------
+PF_PID=""
+cleanup() {
+  if [[ -n "$PF_PID" ]] && kill -0 "$PF_PID" 2>/dev/null; then
+    kill "$PF_PID" 2>/dev/null || true
+  fi
+}
+trap cleanup EXIT
+
+# -------------------------------------------------------------------------
+# Pre-flight
+# -------------------------------------------------------------------------
+command -v helm    >/dev/null 2>&1 || fail "helm not installed"
+command -v kubectl >/dev/null 2>&1 || fail "kubectl not installed"
+command -v curl    >/dev/null 2>&1 || fail "curl not installed"
+command -v openssl >/dev/null 2>&1 || fail "openssl not installed"
+command -v jq      >/dev/null 2>&1 || fail "jq not installed (required for B3 dashboard assertion)"
+kubectl cluster-info >/dev/null 2>&1 || fail "kubectl: no reachable cluster; set KUBECONFIG"
+
+log "pre-flight checks passed"
+
+# -------------------------------------------------------------------------
+# Ensure grafana Helm repo is present (idempotent — safe to re-run)
+# -------------------------------------------------------------------------
+helm repo add grafana https://grafana.github.io/helm-charts 2>/dev/null || true
+helm repo update grafana
+
+# Verify Loki is already installed (B2 depends on B1)
+if ! helm status "olam-loki" -n "$NAMESPACE" >/dev/null 2>&1; then
+  fail "olam-loki Helm release not found in namespace $NAMESPACE — run scripts/e2e/loki-ingest.sh first"
+fi
+log "Loki pre-condition satisfied (olam-loki release found)"
+
+# -------------------------------------------------------------------------
+# Step 1: Resolve admin password (preserve existing on idempotent re-run)
+# -------------------------------------------------------------------------
+# Grafana persists the admin password in its internal SQLite on first
+# deploy. Subsequent helm upgrades do NOT re-read GF_SECURITY_ADMIN_PASSWORD
+# from the env (env value is set once at pod-start and not refreshed). So
+# on a re-run, rotating the Secret leaves the in-Grafana password stale
+# and breaks API auth.
+#
+# Idempotency contract: if the Secret already exists, reuse its current
+# password. The Secret's value matches Grafana's stored value (set in
+# concert on first install). Only generate a new password when the
+# Secret doesn't exist yet — i.e. true first deploy.
+if kubectl get secret olam-grafana-admin -n "$NAMESPACE" >/dev/null 2>&1; then
+  log "reusing existing admin password from Secret olam-grafana-admin"
+  GRAFANA_ADMIN_PW=$(kubectl get secret olam-grafana-admin -n "$NAMESPACE" \
+    -o jsonpath='{.data.admin-password}' | base64 -d)
+else
+  log "generating fresh admin password (first deploy)"
+  GRAFANA_ADMIN_PW=$(openssl rand -base64 24)
+fi
+export GRAFANA_ADMIN_PW
+
+# -------------------------------------------------------------------------
+# Step 2: Create / update the admin Secret idempotently
+# -------------------------------------------------------------------------
+log "applying Secret olam-grafana-admin in namespace $NAMESPACE"
+kubectl create secret generic olam-grafana-admin \
+  --from-literal=admin-user=admin \
+  --from-literal=admin-password="$GRAFANA_ADMIN_PW" \
+  -n "$NAMESPACE" \
+  --dry-run=client -o yaml \
+  | kubectl apply -f -
+
+log "Secret applied"
+
+# -------------------------------------------------------------------------
+# Step 3a: Apply olam-dashboards ConfigMap BEFORE helm install
+#          so Grafana's volume mount finds it on first boot (B3).
+#          The ConfigMap is generated from grafana-dashboards/*.json by
+#          packages/peripheral-services/scripts/sync-grafana-dashboards.sh.
+# -------------------------------------------------------------------------
+REPO_ROOT="$(git -C "$(dirname "$0")" rev-parse --show-toplevel 2>/dev/null || pwd)"
+CONFIGMAP_MANIFEST="$REPO_ROOT/packages/peripheral-services/manifests/80-grafana-dashboard-configmap.yaml"
+
+if [[ -f "$CONFIGMAP_MANIFEST" ]]; then
+  log "applying olam-dashboards ConfigMap from $CONFIGMAP_MANIFEST"
+  kubectl apply -f "$CONFIGMAP_MANIFEST"
+  log "ConfigMap applied"
+else
+  log "WARN: $CONFIGMAP_MANIFEST not found — Grafana will warn 'ConfigMap not found' until B3 is deployed"
+fi
+
+# -------------------------------------------------------------------------
+# Step 3: Helm upgrade --install
+# -------------------------------------------------------------------------
+log "installing grafana/grafana ($GRAFANA_RELEASE) in namespace $NAMESPACE"
+helm upgrade --install "$GRAFANA_RELEASE" grafana/grafana \
+  --version "$GRAFANA_CHART_VERSION" \
+  --namespace "$NAMESPACE" \
+  --create-namespace \
+  -f "$REPO_ROOT/packages/peripheral-services/helm-values/grafana-values.yaml" \
+  --wait \
+  --timeout 300s
+
+log "Grafana Helm install complete"
+
+# -------------------------------------------------------------------------
+# Step 4: Wait for Grafana pod Ready
+# -------------------------------------------------------------------------
+log "waiting for Grafana pod Ready (120s)"
+kubectl wait \
+  --for=condition=ready pod \
+  -l "app.kubernetes.io/name=grafana" \
+  -n "$NAMESPACE" \
+  --timeout=120s
+
+log "Grafana pod Ready"
+
+# -------------------------------------------------------------------------
+# Step 5: Start port-forward in background
+# -------------------------------------------------------------------------
+log "port-forwarding svc/$GRAFANA_RELEASE $LOCAL_PORT:$GRAFANA_SVC_PORT in namespace $NAMESPACE"
+kubectl port-forward \
+  -n "$NAMESPACE" \
+  "svc/$GRAFANA_RELEASE" \
+  "${LOCAL_PORT}:${GRAFANA_SVC_PORT}" &
+PF_PID=$!
+
+log "port-forward PID $PF_PID; waiting ${PF_BIND_SECONDS}s for bind"
+sleep "$PF_BIND_SECONDS"
+
+# Verify the port-forward process is still alive after sleep
+kill -0 "$PF_PID" 2>/dev/null || fail "port-forward process exited prematurely"
+
+# -------------------------------------------------------------------------
+# Diagnostic helper — called on assertion failure
+# -------------------------------------------------------------------------
+dump_diagnostics() {
+  log "DIAGNOSTIC: last 50 lines of Grafana pod logs:"
+  kubectl logs -n "$NAMESPACE" \
+    -l "app.kubernetes.io/name=grafana" \
+    --tail=50 2>&1 >&2 || true
+}
+
+# -------------------------------------------------------------------------
+# Step 6: Assertion 1 — /api/health returns 200 with database: ok
+# -------------------------------------------------------------------------
+log "asserting Grafana health (GET /api/health)"
+HEALTH_RESPONSE=$(
+  curl -sf \
+    -u "admin:${GRAFANA_ADMIN_PW}" \
+    "http://localhost:${LOCAL_PORT}/api/health" \
+  || { dump_diagnostics; fail "GET /api/health failed — Grafana not reachable on port $LOCAL_PORT"; }
+)
+
+if ! echo "$HEALTH_RESPONSE" | jq -e '.database == "ok"' >/dev/null 2>&1; then
+  log "DIAGNOSTIC: /api/health response:"
+  echo "$HEALTH_RESPONSE" >&2
+  dump_diagnostics
+  fail '/api/health returned database != "ok" — Grafana DB layer not healthy'
+fi
+
+log "PASS: /api/health → database: ok"
+
+# -------------------------------------------------------------------------
+# Step 7: Assertion 2 — /api/datasources includes Loki entry with cluster URL
+# -------------------------------------------------------------------------
+log "asserting Loki datasource pre-wired (GET /api/datasources)"
+DS_RESPONSE=$(
+  curl -sf \
+    -u "admin:${GRAFANA_ADMIN_PW}" \
+    "http://localhost:${LOCAL_PORT}/api/datasources" \
+  || { dump_diagnostics; fail "GET /api/datasources failed"; }
+)
+
+EXPECTED_URL="olam-loki.monitoring.svc.cluster.local:3100"
+
+if ! echo "$DS_RESPONSE" | jq -e 'map(select(.type == "loki")) | length >= 1' >/dev/null 2>&1; then
+  log "DIAGNOSTIC: /api/datasources response:"
+  echo "$DS_RESPONSE" >&2
+  dump_diagnostics
+  fail "datasources response contains no 'loki' type entry — datasource not provisioned"
+fi
+
+if ! echo "$DS_RESPONSE" | jq -e --arg url "$EXPECTED_URL" 'map(select(.type == "loki" and (.url | contains($url)))) | length >= 1' >/dev/null 2>&1; then
+  log "DIAGNOSTIC: /api/datasources response:"
+  echo "$DS_RESPONSE" >&2
+  dump_diagnostics
+  fail "Loki datasource URL does not contain '$EXPECTED_URL' — check grafana-values.yaml datasources block"
+fi
+
+log "PASS: Loki datasource found with cluster-local URL $EXPECTED_URL"
+
+# -------------------------------------------------------------------------
+# Step 7b: Assertion 2b — dashboard provider loaded olam-home (catches mount-path bugs)
+# -------------------------------------------------------------------------
+log "asserting olam-home dashboard visible in /api/search (catches ConfigMap mount failures)"
+DASHBOARDS=$(
+  curl -sf \
+    -u "admin:${GRAFANA_ADMIN_PW}" \
+    "http://localhost:${LOCAL_PORT}/api/search?type=dash-db&query=olam" \
+  || true
+)
+
+if ! echo "$DASHBOARDS" | jq -e 'map(select(.uid == "olam-home")) | length == 1' >/dev/null 2>&1; then
+  log "DIAGNOSTIC: /api/search response:"
+  echo "$DASHBOARDS" >&2
+  dump_diagnostics
+  fail "olam-home dashboard not found in /api/search — check ConfigMap mount path and dashboard provider config"
+fi
+
+log "PASS: olam-home dashboard found via /api/search"
+
+# -------------------------------------------------------------------------
+# Step 8: Assertion 3 — olam-home dashboard present (B3)
+# -------------------------------------------------------------------------
+log "asserting olam-home dashboard present (GET /api/dashboards/uid/olam-home)"
+DASHBOARD_RESPONSE=$(
+  curl -sf \
+    -u "admin:${GRAFANA_ADMIN_PW}" \
+    "http://localhost:${LOCAL_PORT}/api/dashboards/uid/olam-home" \
+  || { dump_diagnostics; fail "GET /api/dashboards/uid/olam-home failed — dashboard not found or Grafana unreachable"; }
+)
+
+if ! echo "$DASHBOARD_RESPONSE" | jq -e '.dashboard.uid == "olam-home"' >/dev/null 2>&1; then
+  log "DIAGNOSTIC: /api/dashboards/uid/olam-home response:"
+  echo "$DASHBOARD_RESPONSE" >&2
+  dump_diagnostics
+  fail "olam-home dashboard uid mismatch or missing — check ConfigMap provisioning and Grafana provider config"
+fi
+
+log "PASS: olam-home dashboard present with uid=olam-home"
+
+# -------------------------------------------------------------------------
+# Final
+# -------------------------------------------------------------------------
+log "PASS: Grafana port-forward accessible; Loki datasource pre-wired; olam-home dashboard provisioned — Tasks B2+B3 verified"
+exit 0