@pleri/olam-cli 0.1.170 → 0.1.174

package/hermes-bundle/version.json

@@ -1,4 +1,4 @@
 {
-  "bundledAt": "2026-05-24T03:12:41.846Z",
+  "bundledAt": "2026-05-24T12:50:15.815Z",
   "kgFirstSha": "29a9ccce1b115d049e375c4a90eb5cf7c123e610e2d0590270a4db2cdbc64a28"
 }

package/host-cp/k8s/manifests/50-deployment.yaml

@@ -118,7 +118,7 @@ spec:
         # k3d), started by `olam upgrade` Step 0.7 — not inside this Pod.
       containers:
         - name: olam-host-cp
-          image: ghcr.io/pleri/olam-host-cp@sha256:1206e857af61f8907d76d9324adbe8d2d5638a94fe2411c6713ffb4f570e8f58
+          image: ghcr.io/pleri/olam-host-cp@sha256:78ab85611487425028f9843dda1cf48fe32cfaac56e0ba180e37f0b7c327d2fd
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/auth-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-auth-service
-          image: ghcr.io/pleri/olam-auth@sha256:2d32d178380641bcdae11f9ad05851238bd4b121adfc9638c8abed3b25467846
+          image: ghcr.io/pleri/olam-auth@sha256:b7f79147b521f8e7fc8f962e623334f6ae4ea98e893a3fa8f6c81f3916d01f11
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/kg-service/50-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-kg-service
-          image: ghcr.io/pleri/olam-kg-service@sha256:ee636804b8cffd40a1fb75ba3f79cc0c30a17e89c9a135864567859ccdf895d7
+          image: ghcr.io/pleri/olam-kg-service@sha256:7ca19574cc018e3ceaef7eb0421d3539aa361e1f1ab95a4df5ad400de45d9c41
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml

@@ -68,7 +68,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-mcp-auth-service
-          image: ghcr.io/pleri/olam-mcp-auth@sha256:07cdd816ac1d991c065f2936b142a5c6909da683d9a6d4efbe7fe66f0c811821
+          image: ghcr.io/pleri/olam-mcp-auth@sha256:223f5aa65736fbf0bc96b86cf01d4acf447856d18e5a5e50467eff714b922ed3
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/memory-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
           # bootstrap-placeholder comment + run `npm run refresh:manifest-digests`
           # once ghcr.io/pleri/olam-memory-service has a real published digest.
           # bootstrap-placeholder: pre-publish; refresh after first release
-          image: ghcr.io/pleri/olam-memory-service@sha256:20443e8e6725151f7523a8a85c73c7449767782de1d03bb172ba395df19a0939
+          image: ghcr.io/pleri/olam-memory-service@sha256:5db73eab55738ac6eb79150363d6d98daf26e5bc43e626231de146e40e908015
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/observability/ndjson-span-sink.mjs

@@ -102,6 +102,58 @@ export async function createNdjsonSpanSink({
   };
 }
 
+/**
+ * Subscribe an NDJSON sink to `@olam/auth-client`'s `betaResponseEmitter`.
+ * Each `beta-response` event becomes a `withCredential.beta-response` span
+ * with the beta payload exploded onto `attributes` — downstream `jq`
+ * consumers can query e.g.
+ *
+ *   jq 'select(.name == "withCredential.beta-response")
+ *       | {ts: .startedAt, cred: .attributes.credentialName,
+ *          cache: .attributes.cacheStatus,
+ *          thinking: .attributes.thinkingTokens,
+ *          latencyMs: .durationMs}' ~/.olam/logs/host.trace.ndjson
+ *
+ * Wire is opt-in (call from server boot). Returns a detach function so the
+ * subscription can be removed in tests or on shutdown.
+ *
+ * Pure additive: spans flowing from other sources (docker lifecycle,
+ * plan-orchestrator, etc.) are unaffected.
+ */
+export function attachBetaResponseEvents({ sink, emitter }) {
+  if (!sink || typeof sink.recordSpan !== 'function') {
+    throw new Error('attachBetaResponseEvents: sink.recordSpan required');
+  }
+  if (!emitter || typeof emitter.on !== 'function') {
+    throw new Error('attachBetaResponseEvents: emitter.on required');
+  }
+
+  const handler = (info) => {
+    const now = Date.now();
+    const latency = typeof info?.latencyMs === 'number' ? info.latencyMs : 0;
+    sink.recordSpan({
+      name: 'withCredential.beta-response',
+      startedAt: now - latency,
+      endedAt: now,
+      attributes: {
+        credentialName: info?.credentialName ?? null,
+        credId: info?.credId ?? null,
+        betas: Array.isArray(info?.betas) ? [...info.betas] : [],
+        cacheStatus: info?.cacheStatus ?? null,
+        thinkingTokens: info?.tokenCounts?.thinking ?? null,
+        statusCode: typeof info?.statusCode === 'number' ? info.statusCode : null,
+        extraHeaders: info?.extraHeaders && typeof info.extraHeaders === 'object'
+          ? { ...info.extraHeaders }
+          : {},
+      },
+      exit: { _tag: 'Success' },
+    });
+  };
+
+  emitter.on('beta-response', handler);
+  return () => emitter.off('beta-response', handler);
+}
+
 // Duck-typed ServerResponse for host-stream's `addSink`. Parses SSE frames
 // (`event: <type>\ndata: <json>\n\n`) and dispatches `event: span` payloads
 // to `onSpan`. All other event types are silently ignored — host-stream

package/host-cp/src/boot-reconciler.mjs

@@ -0,0 +1,238 @@
+/**
+ * Boot-time reconciler — sync worlds.db with live docker state.
+ *
+ * Problem (issue #963): after Colima / userspace restart, host-cp can
+ * start with worlds.db rows that no longer reflect docker reality. The
+ * existing `worlds-db-source.mjs` reconciler runs DB→registry (reads
+ * 'running' rows and adds them to in-memory WORLDS). It does NOT heal
+ * the inverse case: a container is alive on docker but worlds.db has
+ * no row (Hazel coral-sky-2478 scenario), or worlds.db says a world is
+ * running but the container is gone (orphaned row).
+ *
+ * This module fills both gaps with a one-shot pass at boot:
+ *
+ *   1. List `olam-*-devbox` containers via the docker API.
+ *   2. For each container, derive the worldId (strip prefix + suffix).
+ *   3. Cross-check against worlds.db rows:
+ *        - container alive, row exists                 → no-op
+ *        - container alive, row missing                → INSERT (status=reconciled)
+ *        - row says running/active, container missing  → UPDATE status=orphaned
+ *
+ * Fail-soft: if the docker daemon is unreachable OR better-sqlite3 is
+ * not available, the function logs a warning and returns without
+ * throwing. Server boot continues.
+ *
+ * Idempotent: a second invocation against the same docker + DB state
+ * produces no further changes (existing rows are skipped at step 3a,
+ * already-orphaned rows are skipped at step 3c).
+ *
+ * Coordination with issue #962: the dedup logic in `olam create` handles
+ * per-call deduplication; this reconciler handles boot-time cleanup.
+ * They don't conflict — both operate on the worlds.db source-of-truth.
+ */
+
+import { createRequire } from 'node:module';
+
+const require = createRequire(import.meta.url);
+
+const CONTAINER_NAME_PATTERN = /^\/?(olam-(.+)-devbox)$/;
+
+/**
+ * @typedef {object} ReconcileDeps
+ * @property {string} dbPath                                  Path to worlds.db
+ * @property {() => Promise<string[] | null>} listContainerNames  Returns null when docker is unreachable
+ * @property {(msg: string) => void} [log]                    Defaults to console.log
+ * @property {() => string} [now]                             ISO timestamp generator (overridable for tests)
+ * @property {(path: string) => unknown | null} [openDb]      Overridable DB opener (tests inject fakes)
+ */
+
+/**
+ * @typedef {object} ReconcileSummary
+ * @property {number} inserted   Number of new rows inserted (reconciled containers)
+ * @property {number} orphaned   Number of rows transitioned to status='orphaned'
+ * @property {number} skipped    Containers/rows where no change was needed
+ * @property {boolean} dockerUnreachable
+ * @property {boolean} dbUnavailable
+ */
+
+/**
+ * Extract a worldId from a docker container name.
+ * Accepts either `olam-foo-bar-1234-devbox` or `/olam-foo-bar-1234-devbox`
+ * (the docker API prefixes container names with a slash).
+ *
+ * @param {string} name
+ * @returns {string | null}
+ */
+export function extractWorldIdFromContainerName(name) {
+  if (typeof name !== 'string') return null;
+  const match = CONTAINER_NAME_PATTERN.exec(name);
+  if (!match) return null;
+  const worldId = match[2];
+  if (!worldId || worldId.length === 0) return null;
+  return worldId;
+}
+
+/**
+ * Default docker container lister. Hits the Docker Engine API.
+ * Returns null on any failure (fail-soft).
+ *
+ * @param {string} dockerApiBase   e.g. 'http://docker-socket-proxy:2375'
+ * @param {(msg: string) => void} log
+ * @returns {Promise<string[] | null>}
+ */
+export async function defaultListContainerNames(dockerApiBase, log) {
+  if (!dockerApiBase || dockerApiBase === 'http://localhost:2375') {
+    // 'docker-cli' sentinel; no API available in this deployment mode.
+    log('[boot-reconciler] docker API unavailable (bare-node mode); skipping');
+    return null;
+  }
+  try {
+    const filters = encodeURIComponent(JSON.stringify({ name: ['olam-'] }));
+    const url = `${dockerApiBase}/containers/json?filters=${filters}`;
+    const res = await fetch(url, { signal: AbortSignal.timeout(5000) });
+    if (!res.ok) {
+      log(`[boot-reconciler] docker /containers/json returned ${res.status}; skipping`);
+      return null;
+    }
+    const data = await res.json();
+    if (!Array.isArray(data)) return [];
+    const names = [];
+    for (const container of data) {
+      const list = container?.Names;
+      if (!Array.isArray(list)) continue;
+      for (const n of list) {
+        if (typeof n === 'string') names.push(n);
+      }
+    }
+    return names;
+  } catch (err) {
+    log(`[boot-reconciler] docker query failed: ${err.message}; skipping`);
+    return null;
+  }
+}
+
+/**
+ * Default DB opener. Loads better-sqlite3 dynamically so a missing
+ * native build degrades gracefully instead of crashing host-cp boot.
+ *
+ * @param {string} dbPath
+ * @param {(msg: string) => void} log
+ * @returns {unknown | null}
+ */
+export function defaultOpenDb(dbPath, log) {
+  try {
+    const Database = require('better-sqlite3');
+    return new Database(dbPath, { fileMustExist: true });
+  } catch (err) {
+    if (err && err.code === 'MODULE_NOT_FOUND') {
+      log('[boot-reconciler] better-sqlite3 not available; skipping');
+    } else if (err && err.code === 'SQLITE_CANTOPEN') {
+      log(`[boot-reconciler] ${dbPath} not found; nothing to reconcile`);
+    } else {
+      log(`[boot-reconciler] failed to open ${dbPath}: ${err.message}`);
+    }
+    return null;
+  }
+}
+
+/**
+ * Run a single boot-time reconciliation pass. Pure and dep-injected
+ * for testability.
+ *
+ * @param {ReconcileDeps} deps
+ * @returns {Promise<ReconcileSummary>}
+ */
+export async function reconcileWorldsWithDocker(deps) {
+  const log = deps.log ?? console.log;
+  const now = deps.now ?? (() => new Date().toISOString());
+  const openDb = deps.openDb ?? ((p) => defaultOpenDb(p, log));
+
+  const summary = {
+    inserted: 0,
+    orphaned: 0,
+    skipped: 0,
+    dockerUnreachable: false,
+    dbUnavailable: false,
+  };
+
+  const containerNames = await deps.listContainerNames();
+  if (containerNames === null) {
+    summary.dockerUnreachable = true;
+    return summary;
+  }
+
+  const liveWorldIds = new Set();
+  for (const name of containerNames) {
+    const worldId = extractWorldIdFromContainerName(name);
+    if (worldId) liveWorldIds.add(worldId);
+  }
+
+  const db = openDb(deps.dbPath);
+  if (!db) {
+    summary.dbUnavailable = true;
+    return summary;
+  }
+
+  try {
+    /** @type {Array<{ id: string, status: string }>} */
+    let rows;
+    try {
+      rows = db.prepare('SELECT id, status FROM worlds').all();
+    } catch (err) {
+      log(`[boot-reconciler] query failed: ${err.message}; skipping`);
+      summary.dbUnavailable = true;
+      return summary;
+    }
+
+    const dbWorlds = new Map(rows.map((r) => [r.id, r.status]));
+
+    // Pass 1: containers alive but missing from DB → insert.
+    const insertStmt = db.prepare(
+      `INSERT INTO worlds
+       (id, name, status, repos, branch, port_offset, workspace_path,
+        compute_provider, total_cost_usd, thought_count, created_at, updated_at)
+       VALUES (?, ?, 'reconciled', '[]', 'main', 0, ?, 'docker', 0, 0, ?, ?)`,
+    );
+    for (const worldId of liveWorldIds) {
+      if (dbWorlds.has(worldId)) {
+        summary.skipped += 1;
+        continue;
+      }
+      const ts = now();
+      const workspacePath = `~/.olam/worlds/${worldId}`;
+      try {
+        insertStmt.run(worldId, worldId, workspacePath, ts, ts);
+        summary.inserted += 1;
+        log(`[boot-reconciler] inserted reconciled row for ${worldId} (container alive, no DB row)`);
+      } catch (err) {
+        log(`[boot-reconciler] failed to insert ${worldId}: ${err.message}`);
+      }
+    }
+
+    // Pass 2: DB says alive but container missing → mark orphaned.
+    const orphanStmt = db.prepare(
+      `UPDATE worlds SET status = 'orphaned', updated_at = ? WHERE id = ?`,
+    );
+    const aliveStatuses = new Set(['running', 'active', 'creating']);
+    for (const [worldId, status] of dbWorlds) {
+      if (liveWorldIds.has(worldId)) continue;
+      if (!aliveStatuses.has(status)) continue;
+      try {
+        orphanStmt.run(now(), worldId);
+        summary.orphaned += 1;
+        log(`[boot-reconciler] marked ${worldId} as orphaned (was '${status}', container missing)`);
+      } catch (err) {
+        log(`[boot-reconciler] failed to mark ${worldId} orphaned: ${err.message}`);
+      }
+    }
+
+    log(
+      `[boot-reconciler] complete: inserted=${summary.inserted} orphaned=${summary.orphaned} ` +
+        `skipped=${summary.skipped} live-containers=${liveWorldIds.size}`,
+    );
+  } finally {
+    try { db.close?.(); } catch { /* ignore */ }
+  }
+
+  return summary;
+}

package/host-cp/src/linear-sync.mjs

@@ -0,0 +1,43 @@
+// H6 (Phase G) — Linear outbound sync skeleton.
+//
+// When a planning_artifacts row is created via H2 chunk extraction AND
+// the operator has Linear MCP active, host-cp posts a new Linear issue
+// (OR appends a comment to an existing linked issue if linear_issue_url
+// is already populated on the row).
+//
+// PHASE G SHIPS SKELETON ONLY. The MCP-from-host wiring is not yet in
+// host-cp; full Linear outbound posting lands in a follow-up commit
+// when the MCP runtime story for host-cp is settled (today MCP lives in
+// the operator's Claude Code runtime, not host-cp).
+//
+// Reverse channel (incoming Linear webhooks update artifact row status):
+// EXPLICITLY OUT OF SCOPE for Phase G per plan body Out of scope list.
+// Deferred to follow-up plan.
+
+/**
+ * Best-effort Linear outbound sync. Returns null when MCP is unavailable
+ * (the typical case today — silent no-op). When MCP wires in, this
+ * function resolves to the posted issue URL which the caller can persist
+ * back to planning_artifacts.linear_issue_url.
+ *
+ * @param {object} args
+ * @param {string} args.artifactId
+ * @param {string} args.title
+ * @param {unknown} args.body            — JSON body of the artifact
+ * @param {string} args.sessionId
+ * @returns {Promise<string | null>}     — Linear issue URL or null
+ */
+export async function syncArtifactToLinear({ artifactId, title, body, sessionId }) {
+  // Probe for Linear MCP availability via host-cp's bootstrap config (TBD).
+  // Until that surface exists, return null. Logging the intent surfaces
+  // the wiring gap to operators inspecting host-cp logs.
+  void artifactId;
+  void title;
+  void body;
+  void sessionId;
+  console.log(
+    `[linear-sync] outbound skip — Linear MCP not yet wired to host-cp; ` +
+      `artifactId=${artifactId} sessionId=${sessionId}`,
+  );
+  return null;
+}

package/host-cp/src/plan-chat-service.mjs

@@ -68,7 +68,7 @@ const SCOPE_ID_RE = /^[A-Za-z0-9_.-]+$/;
 // /v1/shape. Only these tables have server-side where-rewrite support; any
 // other table=... param gets a 400. Guards against a client enumerating
 // tables the service doesn't own.
-const ALLOWED_SHAPE_TABLES = new Set(['chunks', 'message_usage']);
+const ALLOWED_SHAPE_TABLES = new Set(['chunks', 'message_usage', 'planning_artifacts']);
 
 // B6 (plan-chat-context-window-display Phase B): context-window caps per
 // model. Mirrors CONTEXT_CAPS from @olam/intelligence/src/llm-router/providers/claude.ts.
@@ -399,6 +399,44 @@ export function createHandler({
           }
         }
       }
+      // H2 (plan-chat-spa-canonical-surface Phase G) — extract commit_plan /
+      // propose_plan tool_use chunks into the planning_artifacts mutable
+      // table. The chunk's content carries JSON-stringified {name, input}
+      // per the substrate contract; we parse it once + write a single row.
+      // Failure to extract is logged + swallowed — the chunk itself is
+      // already persisted; artifact row absence is recoverable via
+      // re-extraction from chunks in a follow-up batch job.
+      if (body.chunk_type === 'tool_use') {
+        try {
+          const parsed = JSON.parse(body.chunk);
+          const toolName = typeof parsed?.name === 'string' ? parsed.name : '';
+          const artifactType = (toolName === 'commit_plan' || toolName === 'propose_plan')
+            ? 'commit_plan'
+            : toolName === 'component_scaffold'
+              ? 'component_scaffold'
+              : toolName === 'design_jam'
+                ? 'design_jam'
+                : null;
+          if (artifactType && parsed.input && typeof parsed.input === 'object') {
+            const input = parsed.input;
+            const title = typeof input.title === 'string' && input.title.length > 0
+              ? input.title.slice(0, 200)
+              : `Untitled ${artifactType}`;
+            const artifactId = `${body.message_id}:${body.seq}`;
+            await pool.query(
+              `INSERT INTO planning_artifacts
+                 (id, world_id, session_id, type, title, body)
+               VALUES ($1, $2, $3, $4, $5, $6)
+               ON CONFLICT (id) DO NOTHING`,
+              [artifactId, body.world_id, body.session_id, artifactType, title, input],
+            );
+          }
+        } catch (artifactErr) {
+          console.warn(
+            `[plan-chat-service] planning_artifacts extraction failed for message=${body.message_id} seq=${body.seq}: ${artifactErr?.message ?? artifactErr}`,
+          );
+        }
+      }
     } catch (err) {
       if (err && typeof err === 'object' && 'code' in err && err.code === '23505') {
         return send(res, 409, { error: 'duplicate', message: '(message_id, seq) already exists' });
@@ -634,6 +672,26 @@ export function createHandler({
         createWorld,
         destroyWorld,
       });
+      // H7 (Phase G) — back-fill crystallized_world_id to all planning_artifacts
+      // rows for this session. The status pill state machine (Phase E E4) reads
+      // this field; the editor view + diagrams viewer use it for the
+      // "View world →" CTA. Failure here is logged + swallowed — the
+      // crystallize itself already succeeded; back-fill is a best-effort
+      // sync that an operator can re-run via a CLI helper.
+      if (result.worldId) {
+        try {
+          await pool.query(
+            `UPDATE planning_artifacts
+               SET crystallized_world_id = $1, status = 'crystallized'
+               WHERE session_id = $2 AND status = 'open'`,
+            [result.worldId, body.session_id],
+          );
+        } catch (backfillErr) {
+          console.warn(
+            `[plan-chat-service] crystallize back-fill failed for session=${body.session_id}: ${backfillErr?.message ?? backfillErr}`,
+          );
+        }
+      }
       return send(res, 200, {
         ok: true,
         created_world_id: result.worldId,
@@ -649,6 +707,68 @@ export function createHandler({
     }
   }
 
+  // H4 (Phase G) — GET + PATCH /v1/artifacts/:id endpoint pair backing
+  // the SPA's editor-view round-trip. GET returns the artifact row;
+  // PATCH updates body (the JSON payload) + bumps updated_at via trigger.
+  // SCOPE_ID_RE on :id; bearer auth identical to the chunks endpoints.
+  async function handleGetArtifact(req, res, id) {
+    if (!checkAuth(req)) return unauthorized(res);
+    if (!SCOPE_ID_RE.test(id)) return badRequest(res, 'invalid artifact id');
+    try {
+      const result = await pool.query(
+        `SELECT id, world_id, session_id, type, title, body, status,
+                linear_issue_url, crystallized_world_id,
+                created_at, updated_at
+           FROM planning_artifacts WHERE id = $1`,
+        [id],
+      );
+      const row = result.rows[0];
+      if (!row) return send(res, 404, { error: 'not-found' });
+      return send(res, 200, row);
+    } catch (err) {
+      return send(res, 500, { error: 'query-failed', message: String(err?.message ?? err) });
+    }
+  }
+
+  async function handlePatchArtifact(req, res, id) {
+    if (!checkAuth(req)) return unauthorized(res);
+    if (!SCOPE_ID_RE.test(id)) return badRequest(res, 'invalid artifact id');
+    let body;
+    try {
+      body = await readJson(req);
+    } catch {
+      return badRequest(res, 'malformed JSON body');
+    }
+    const sets = [];
+    const values = [id];
+    if (body.body !== undefined) {
+      values.push(body.body);
+      sets.push(`body = $${values.length}::jsonb`);
+    }
+    if (typeof body.title === 'string') {
+      values.push(body.title.slice(0, 200));
+      sets.push(`title = $${values.length}`);
+    }
+    if (typeof body.status === 'string' && ['open', 'crystallized', 'failed', 'archived'].includes(body.status)) {
+      values.push(body.status);
+      sets.push(`status = $${values.length}`);
+    }
+    if (sets.length === 0) {
+      return badRequest(res, 'no patchable fields supplied (body | title | status)');
+    }
+    try {
+      const result = await pool.query(
+        `UPDATE planning_artifacts SET ${sets.join(', ')} WHERE id = $1 RETURNING *`,
+        values,
+      );
+      const row = result.rows[0];
+      if (!row) return send(res, 404, { error: 'not-found' });
+      return send(res, 200, row);
+    } catch (err) {
+      return send(res, 500, { error: 'update-failed', message: String(err?.message ?? err) });
+    }
+  }
+
   return async function handler(req, res) {
     const url = new URL(req.url ?? '/', `http://${req.headers.host}`);
     if (req.method === 'GET' && url.pathname === '/livez') return send(res, 200, { ok: true });
@@ -656,6 +776,14 @@ export function createHandler({
     if (req.method === 'GET' && url.pathname === '/v1/shape') return handleGetShape(req, res, url);
     if (req.method === 'GET' && url.pathname === '/v1/planning-sessions') return handleGetPlanningSessions(req, res, url);
     if (req.method === 'POST' && url.pathname === '/v1/crystallize') return handlePostCrystallize(req, res);
+    // H4 — /v1/artifacts/:id pair
+    const artifactMatch = /^\/v1\/artifacts\/([^/]+)$/.exec(url.pathname);
+    if (artifactMatch) {
+      const id = decodeURIComponent(artifactMatch[1]);
+      if (req.method === 'GET') return handleGetArtifact(req, res, id);
+      if (req.method === 'PATCH') return handlePatchArtifact(req, res, id);
+      return send(res, 405, { error: 'method-not-allowed' });
+    }
     return send(res, 404, { error: 'not-found' });
   };
 }