@pleri/olam-cli 0.1.160 → 0.1.162

package/hermes-bundle/version.json

@@ -1,4 +1,4 @@
 {
-  "bundledAt": "2026-05-22T05:49:33.599Z",
+  "bundledAt": "2026-05-22T10:22:35.652Z",
   "kgFirstSha": "29a9ccce1b115d049e375c4a90eb5cf7c123e610e2d0590270a4db2cdbc64a28"
 }

package/host-cp/k8s/manifests/50-deployment.yaml

@@ -111,7 +111,7 @@ spec:
         # k3d), started by `olam upgrade` Step 0.7 — not inside this Pod.
       containers:
         - name: olam-host-cp
-          image: ghcr.io/pleri/olam-host-cp@sha256:3bf4a89af3544e382bf2d708ff73baa6704cf91a0b509f8b1a153fbe603a4223
+          image: ghcr.io/pleri/olam-host-cp@sha256:dbb84fdfd63e7a928f166f4b65ae681cef7c6eb79cedf70cdba865b3151dfb71
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/auth-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-auth-service
-          image: ghcr.io/pleri/olam-auth@sha256:a7b1e4c0ddee4fc6bfb2689c4d23d8bc0fcc95bc7b42a28d977b990f1408505b
+          image: ghcr.io/pleri/olam-auth@sha256:13a4a2dd2993fa597fd29a739a87771502f687cf9729aaaf52c85d9ff3b4b0ae
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/kg-service/50-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-kg-service
-          image: ghcr.io/pleri/olam-kg-service@sha256:72fdfb96981903cd83d0b6ad997985bad86a7892c0d1ec7c5dcc9b4d9f8f44db
+          image: ghcr.io/pleri/olam-kg-service@sha256:66cde72b67bb2bcfffb1a344d7d57769e5ec292bad1493596c166b053b4c7b0e
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml

@@ -68,7 +68,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-mcp-auth-service
-          image: ghcr.io/pleri/olam-mcp-auth@sha256:d8fb62e437142bf352e0d6f637c2b912baa592f25f4abbac1acc2c8cced976c2
+          image: ghcr.io/pleri/olam-mcp-auth@sha256:8304039ed42843fb9da63690e603a03b7ab16592d73761fb8eb15cc6196543ce
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/memory-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
           # bootstrap-placeholder comment + run `npm run refresh:manifest-digests`
           # once ghcr.io/pleri/olam-memory-service has a real published digest.
           # bootstrap-placeholder: pre-publish; refresh after first release
-          image: ghcr.io/pleri/olam-memory-service@sha256:bc377f94911baff74f7b91c44ea471580fdfdc1947e757dd6f550675084312d6
+          image: ghcr.io/pleri/olam-memory-service@sha256:f0f7d975d23895e136327e7b593bb16acda5e24183d4455b15c6404de7caab42
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/observability/grafana-port-forward.sh

@@ -0,0 +1,283 @@
+#!/usr/bin/env bash
+# grafana-port-forward.sh — e2e smoke test: Grafana installs via Helm,
+#                           port-forward is accessible, Loki datasource
+#                           is pre-wired and reachable.
+#
+# Usage: scripts/e2e/grafana-port-forward.sh
+#
+# Pre-conditions:
+#   - kubectl context is set to a live k8s cluster (does NOT spin up k3d)
+#   - helm binary available
+#   - jq binary available
+#   - grafana Helm repo added (helm repo add grafana https://grafana.github.io/helm-charts)
+#   - Loki is already installed (scripts/e2e/loki-ingest.sh ran successfully
+#     OR `helm status olam-loki -n monitoring` is healthy)
+#
+# Idempotency: `helm upgrade --install` is idempotent; re-runs succeed on an
+#              existing cluster. The Secret is applied via --dry-run | kubectl apply
+#              so re-runs update the password (useful for rotation testing).
+#              The olam-dashboards ConfigMap is applied before helm install so
+#              Grafana's volume mount finds the ConfigMap on first boot.
+#
+# Cleanup: port-forward is killed on exit; Helm release is left in place so
+#          downstream tasks can reuse the same cluster.
+#
+# Refs: docs/plans/k3s-ingress-observability/phase-b-tasks.md — Task B2, B3
+#       Chart: grafana/grafana 8.5.2 (pinned; latest stable 2026-05-20)
+
+set -euo pipefail
+
+NAMESPACE="monitoring"
+GRAFANA_RELEASE="olam-grafana"
+GRAFANA_CHART_VERSION="8.5.2"
+LOCAL_PORT="3000"
+GRAFANA_SVC_PORT="80"
+PF_BIND_SECONDS=5
+
+log()  { printf '[grafana-port-forward] %s\n' "$*" >&2; }
+fail() { printf '[grafana-port-forward] FAIL: %s\n' "$*" >&2; exit 1; }
+
+# -------------------------------------------------------------------------
+# Cleanup trap — kill port-forward on exit; leave Helm release in place
+# -------------------------------------------------------------------------
+PF_PID=""
+cleanup() {
+  if [[ -n "$PF_PID" ]] && kill -0 "$PF_PID" 2>/dev/null; then
+    kill "$PF_PID" 2>/dev/null || true
+  fi
+}
+trap cleanup EXIT
+
+# -------------------------------------------------------------------------
+# Pre-flight
+# -------------------------------------------------------------------------
+command -v helm    >/dev/null 2>&1 || fail "helm not installed"
+command -v kubectl >/dev/null 2>&1 || fail "kubectl not installed"
+command -v curl    >/dev/null 2>&1 || fail "curl not installed"
+command -v openssl >/dev/null 2>&1 || fail "openssl not installed"
+command -v jq      >/dev/null 2>&1 || fail "jq not installed (required for B3 dashboard assertion)"
+kubectl cluster-info >/dev/null 2>&1 || fail "kubectl: no reachable cluster; set KUBECONFIG"
+
+log "pre-flight checks passed"
+
+# -------------------------------------------------------------------------
+# Ensure grafana Helm repo is present (idempotent — safe to re-run)
+# -------------------------------------------------------------------------
+helm repo add grafana https://grafana.github.io/helm-charts 2>/dev/null || true
+helm repo update grafana
+
+# Verify Loki is already installed (B2 depends on B1)
+if ! helm status "olam-loki" -n "$NAMESPACE" >/dev/null 2>&1; then
+  fail "olam-loki Helm release not found in namespace $NAMESPACE — run scripts/e2e/loki-ingest.sh first"
+fi
+log "Loki pre-condition satisfied (olam-loki release found)"
+
+# -------------------------------------------------------------------------
+# Step 1: Resolve admin password (preserve existing on idempotent re-run)
+# -------------------------------------------------------------------------
+# Grafana persists the admin password in its internal SQLite on first
+# deploy. Subsequent helm upgrades do NOT re-read GF_SECURITY_ADMIN_PASSWORD
+# from the env (env value is set once at pod-start and not refreshed). So
+# on a re-run, rotating the Secret leaves the in-Grafana password stale
+# and breaks API auth.
+#
+# Idempotency contract: if the Secret already exists, reuse its current
+# password. The Secret's value matches Grafana's stored value (set in
+# concert on first install). Only generate a new password when the
+# Secret doesn't exist yet — i.e. true first deploy.
+if kubectl get secret olam-grafana-admin -n "$NAMESPACE" >/dev/null 2>&1; then
+  log "reusing existing admin password from Secret olam-grafana-admin"
+  GRAFANA_ADMIN_PW=$(kubectl get secret olam-grafana-admin -n "$NAMESPACE" \
+    -o jsonpath='{.data.admin-password}' | base64 -d)
+else
+  log "generating fresh admin password (first deploy)"
+  GRAFANA_ADMIN_PW=$(openssl rand -base64 24)
+fi
+export GRAFANA_ADMIN_PW
+
+# -------------------------------------------------------------------------
+# Step 2: Create / update the admin Secret idempotently
+# -------------------------------------------------------------------------
+log "applying Secret olam-grafana-admin in namespace $NAMESPACE"
+kubectl create secret generic olam-grafana-admin \
+  --from-literal=admin-user=admin \
+  --from-literal=admin-password="$GRAFANA_ADMIN_PW" \
+  -n "$NAMESPACE" \
+  --dry-run=client -o yaml \
+  | kubectl apply -f -
+
+log "Secret applied"
+
+# -------------------------------------------------------------------------
+# Step 3a: Apply olam-dashboards ConfigMap BEFORE helm install
+#          so Grafana's volume mount finds it on first boot (B3).
+#          The ConfigMap is generated from grafana-dashboards/*.json by
+#          packages/peripheral-services/scripts/sync-grafana-dashboards.sh.
+# -------------------------------------------------------------------------
+REPO_ROOT="$(git -C "$(dirname "$0")" rev-parse --show-toplevel 2>/dev/null || pwd)"
+# When invoked from a published @pleri/olam-cli install (no monorepo), `olam
+# setup` exports OLAM_BUNDLE_ROOT=<install>/host-cp so the bundled
+# peripheral-services/{helm-values,manifests} directory is reachable.
+# Monorepo callers leave it unset; the script falls back to the source dir
+# under packages/peripheral-services/.
+if [[ -n "${OLAM_BUNDLE_ROOT:-}" ]]; then
+  PERIPHERAL_SERVICES_DIR="$OLAM_BUNDLE_ROOT/peripheral-services"
+else
+  PERIPHERAL_SERVICES_DIR="$REPO_ROOT/packages/peripheral-services"
+fi
+CONFIGMAP_MANIFEST="$PERIPHERAL_SERVICES_DIR/manifests/80-grafana-dashboard-configmap.yaml"
+
+if [[ -f "$CONFIGMAP_MANIFEST" ]]; then
+  log "applying olam-dashboards ConfigMap from $CONFIGMAP_MANIFEST"
+  kubectl apply -f "$CONFIGMAP_MANIFEST"
+  log "ConfigMap applied"
+else
+  log "WARN: $CONFIGMAP_MANIFEST not found — Grafana will warn 'ConfigMap not found' until B3 is deployed"
+fi
+
+# -------------------------------------------------------------------------
+# Step 3: Helm upgrade --install
+# -------------------------------------------------------------------------
+log "installing grafana/grafana ($GRAFANA_RELEASE) in namespace $NAMESPACE"
+helm upgrade --install "$GRAFANA_RELEASE" grafana/grafana \
+  --version "$GRAFANA_CHART_VERSION" \
+  --namespace "$NAMESPACE" \
+  --create-namespace \
+  -f "$PERIPHERAL_SERVICES_DIR/helm-values/grafana-values.yaml" \
+  --wait \
+  --timeout 300s
+
+log "Grafana Helm install complete"
+
+# -------------------------------------------------------------------------
+# Step 4: Wait for Grafana pod Ready
+# -------------------------------------------------------------------------
+log "waiting for Grafana pod Ready (120s)"
+kubectl wait \
+  --for=condition=ready pod \
+  -l "app.kubernetes.io/name=grafana" \
+  -n "$NAMESPACE" \
+  --timeout=120s
+
+log "Grafana pod Ready"
+
+# -------------------------------------------------------------------------
+# Step 5: Start port-forward in background
+# -------------------------------------------------------------------------
+log "port-forwarding svc/$GRAFANA_RELEASE $LOCAL_PORT:$GRAFANA_SVC_PORT in namespace $NAMESPACE"
+kubectl port-forward \
+  -n "$NAMESPACE" \
+  "svc/$GRAFANA_RELEASE" \
+  "${LOCAL_PORT}:${GRAFANA_SVC_PORT}" &
+PF_PID=$!
+
+log "port-forward PID $PF_PID; waiting ${PF_BIND_SECONDS}s for bind"
+sleep "$PF_BIND_SECONDS"
+
+# Verify the port-forward process is still alive after sleep
+kill -0 "$PF_PID" 2>/dev/null || fail "port-forward process exited prematurely"
+
+# -------------------------------------------------------------------------
+# Diagnostic helper — called on assertion failure
+# -------------------------------------------------------------------------
+dump_diagnostics() {
+  log "DIAGNOSTIC: last 50 lines of Grafana pod logs:"
+  kubectl logs -n "$NAMESPACE" \
+    -l "app.kubernetes.io/name=grafana" \
+    --tail=50 2>&1 >&2 || true
+}
+
+# -------------------------------------------------------------------------
+# Step 6: Assertion 1 — /api/health returns 200 with database: ok
+# -------------------------------------------------------------------------
+log "asserting Grafana health (GET /api/health)"
+HEALTH_RESPONSE=$(
+  curl -sf \
+    -u "admin:${GRAFANA_ADMIN_PW}" \
+    "http://localhost:${LOCAL_PORT}/api/health" \
+  || { dump_diagnostics; fail "GET /api/health failed — Grafana not reachable on port $LOCAL_PORT"; }
+)
+
+if ! echo "$HEALTH_RESPONSE" | jq -e '.database == "ok"' >/dev/null 2>&1; then
+  log "DIAGNOSTIC: /api/health response:"
+  echo "$HEALTH_RESPONSE" >&2
+  dump_diagnostics
+  fail '/api/health returned database != "ok" — Grafana DB layer not healthy'
+fi
+
+log "PASS: /api/health → database: ok"
+
+# -------------------------------------------------------------------------
+# Step 7: Assertion 2 — /api/datasources includes Loki entry with cluster URL
+# -------------------------------------------------------------------------
+log "asserting Loki datasource pre-wired (GET /api/datasources)"
+DS_RESPONSE=$(
+  curl -sf \
+    -u "admin:${GRAFANA_ADMIN_PW}" \
+    "http://localhost:${LOCAL_PORT}/api/datasources" \
+  || { dump_diagnostics; fail "GET /api/datasources failed"; }
+)
+
+EXPECTED_URL="olam-loki.monitoring.svc.cluster.local:3100"
+
+if ! echo "$DS_RESPONSE" | jq -e 'map(select(.type == "loki")) | length >= 1' >/dev/null 2>&1; then
+  log "DIAGNOSTIC: /api/datasources response:"
+  echo "$DS_RESPONSE" >&2
+  dump_diagnostics
+  fail "datasources response contains no 'loki' type entry — datasource not provisioned"
+fi
+
+if ! echo "$DS_RESPONSE" | jq -e --arg url "$EXPECTED_URL" 'map(select(.type == "loki" and (.url | contains($url)))) | length >= 1' >/dev/null 2>&1; then
+  log "DIAGNOSTIC: /api/datasources response:"
+  echo "$DS_RESPONSE" >&2
+  dump_diagnostics
+  fail "Loki datasource URL does not contain '$EXPECTED_URL' — check grafana-values.yaml datasources block"
+fi
+
+log "PASS: Loki datasource found with cluster-local URL $EXPECTED_URL"
+
+# -------------------------------------------------------------------------
+# Step 7b: Assertion 2b — dashboard provider loaded olam-home (catches mount-path bugs)
+# -------------------------------------------------------------------------
+log "asserting olam-home dashboard visible in /api/search (catches ConfigMap mount failures)"
+DASHBOARDS=$(
+  curl -sf \
+    -u "admin:${GRAFANA_ADMIN_PW}" \
+    "http://localhost:${LOCAL_PORT}/api/search?type=dash-db&query=olam" \
+  || true
+)
+
+if ! echo "$DASHBOARDS" | jq -e 'map(select(.uid == "olam-home")) | length == 1' >/dev/null 2>&1; then
+  log "DIAGNOSTIC: /api/search response:"
+  echo "$DASHBOARDS" >&2
+  dump_diagnostics
+  fail "olam-home dashboard not found in /api/search — check ConfigMap mount path and dashboard provider config"
+fi
+
+log "PASS: olam-home dashboard found via /api/search"
+
+# -------------------------------------------------------------------------
+# Step 8: Assertion 3 — olam-home dashboard present (B3)
+# -------------------------------------------------------------------------
+log "asserting olam-home dashboard present (GET /api/dashboards/uid/olam-home)"
+DASHBOARD_RESPONSE=$(
+  curl -sf \
+    -u "admin:${GRAFANA_ADMIN_PW}" \
+    "http://localhost:${LOCAL_PORT}/api/dashboards/uid/olam-home" \
+  || { dump_diagnostics; fail "GET /api/dashboards/uid/olam-home failed — dashboard not found or Grafana unreachable"; }
+)
+
+if ! echo "$DASHBOARD_RESPONSE" | jq -e '.dashboard.uid == "olam-home"' >/dev/null 2>&1; then
+  log "DIAGNOSTIC: /api/dashboards/uid/olam-home response:"
+  echo "$DASHBOARD_RESPONSE" >&2
+  dump_diagnostics
+  fail "olam-home dashboard uid mismatch or missing — check ConfigMap provisioning and Grafana provider config"
+fi
+
+log "PASS: olam-home dashboard present with uid=olam-home"
+
+# -------------------------------------------------------------------------
+# Final
+# -------------------------------------------------------------------------
+log "PASS: Grafana port-forward accessible; Loki datasource pre-wired; olam-home dashboard provisioned — Tasks B2+B3 verified"
+exit 0