@pleri/olam-cli 0.1.186 → 0.1.195

package/hermes-bundle/version.json

@@ -1,4 +1,4 @@
 {
-  "bundledAt": "2026-05-27T14:52:44.062Z",
+  "bundledAt": "2026-05-28T12:44:06.696Z",
   "kgFirstSha": "29a9ccce1b115d049e375c4a90eb5cf7c123e610e2d0590270a4db2cdbc64a28"
 }

package/host-cp/k8s/manifests/30-configmap.yaml

@@ -13,7 +13,14 @@ data:
   # Auth service URL. Default targets host.docker.internal for Colima/Docker
   # Desktop k3d setups. Override when auth-service runs elsewhere (e.g. via
   # an ExternalName Service pointing at the host gateway).
-  OLAM_AUTH_SERVICE_URL: "http://host.docker.internal:8000"
+  #
+  # Port :9999 matches the published port in AuthContainerController.start()
+  # (packages/core/src/auth/container.ts) — the value was historically :8000,
+  # which never matched any running auth-service version and surfaced as
+  #   {"error":"auth_service_unavailable","message":"fetch failed"}
+  # on /api/auth/* calls. Verified during the K3d-HTTPS PR live bring-up;
+  # see docs/runbooks/k3d-https-setup.md.
+  OLAM_AUTH_SERVICE_URL: "http://host.docker.internal:9999"
   # Docker socket proxy — ClusterIP Service DNS inside the namespace.
   DOCKER_HOST: "tcp://docker-socket-proxy:2375"
   # Host-cp server port — must match the Service targetPort in 60-service.yaml.

package/host-cp/k8s/manifests/50-deployment.yaml

@@ -118,7 +118,7 @@ spec:
         # k3d), started by `olam upgrade` Step 0.7 — not inside this Pod.
       containers:
         - name: olam-host-cp
-          image: ghcr.io/pleri/olam-host-cp@sha256:c9a2df3d6fc1d4646204968007123d04d817b80aa4ab83a8bf23168fa943822a
+          image: ghcr.io/pleri/olam-host-cp@sha256:42fb12f23d51c229288e0c0fa93df8028784136ce75245e582e4fffbc5867798
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/60-service.yaml

@@ -1,8 +1,16 @@
 # ClusterIP Service for olam-host-cp.
-# Operator surfaces the SPA externally via:
-#   kubectl port-forward -n olam svc/olam-host-cp 19000:19000
-# This keeps the "127.0.0.1-only" single-user-per-host invariant
-# (NodePort would bind on all interfaces; port-forward keeps it local).
+#
+# Two ways to reach the SPA externally:
+#   1. (preferred) Traefik IngressRoute at https://olam.local:<traefik-https-port>
+#      Terminates TLS at the cluster edge, unlocks HTTP/2 multiplexing for
+#      Electric SQL long-polls. See 70-ingressroute.yaml + 65-tls-secret-template.yaml.tmpl.
+#      The pod itself stays HTTP-only — Traefik handles TLS at the edge.
+#   2. (fallback) kubectl port-forward -n olam svc/olam-host-cp 19000:19000
+#      Plain HTTP/1.1; hits browser's 6-conn-per-origin cap under Electric load.
+#
+# ClusterIP (not NodePort) preserves the "127.0.0.1-only" single-user-per-host
+# invariant — exposure is via Traefik's LoadBalancer or port-forward, not by
+# binding pod ports on every node interface.
 apiVersion: v1
 kind: Service
 metadata:

package/host-cp/k8s/manifests/70-ingressroute.yaml

@@ -0,0 +1,58 @@
+# Traefik IngressRoute terminating TLS at the cluster edge for olam-host-cp.
+#
+# Topology:
+#   Browser --HTTPS/h2--> Traefik :443 (LoadBalancer / k3d NodePort)
+#                         |
+#                         | (TLS terminated; cleartext inside cluster)
+#                         v
+#                       olam-host-cp:19000 (ClusterIP, HTTP/1.1 internal)
+#                         |
+#                         v
+#                       plan-chat-service:3200 (and other peripherals)
+#
+# Why terminate TLS at Traefik (NOT at host-cp): host-cp is a Node/Hono
+# server tuned for cleartext HTTP. Pushing TLS into the pod would force a
+# second cert-distribution mechanism (Secret → volumeMount → server.mjs
+# reload) and double the operational surface. Traefik already owns cert
+# lifecycle in production (cert-manager + Let's Encrypt), so dev-mode
+# mkcert at the same boundary keeps prod parity tight.
+#
+# Why HTTP/2 matters: TanStack DB / Electric SQL opens N long-poll
+# connections per browser tab (one per shape subscription). Without h2
+# multiplexing they queue against the browser's 6-connection-per-origin
+# cap, leading to the "25-second pending requests" symptom Electric users
+# hit on HTTP/1.1. Traefik 2.x advertises h2 over TLS via ALPN by default;
+# no extra config needed.
+#
+# Why Host(olam.local) instead of a wildcard: the cert is minted for that
+# exact SAN. Traefik routes based on SNI, so the host-rule must match the
+# cert subject or the TLS handshake completes but the route 404s.
+#
+# Operator MUST add `127.0.0.1 olam.local` to /etc/hosts before this works.
+# `olam services tls-install` prints the line + sudo command — it does NOT
+# auto-edit (touching /etc/hosts behind the operator's back is a foot-gun).
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  # Distinct name avoids collision with packages/peripheral-services'
+  # `olam-host-cp` IngressRoute (the legacy `web`-entrypoint + path-based
+  # router that 50+ SPA fetch sites still depend on). The `-https` variant
+  # adds a SECOND ingress that matches Host(olam.local) on `websecure` and
+  # terminates TLS via the operator-minted Secret. Both coexist; the legacy
+  # one keeps `http://<lb>/api/...` working, this one unlocks HTTP/2.
+  name: olam-host-cp-https
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`olam.local`)
+      kind: Rule
+      services:
+        - name: olam-host-cp
+          port: 19000
+  tls:
+    secretName: olam-host-cp-tls

package/host-cp/k8s/manifests/auth-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-auth-service
-          image: ghcr.io/pleri/olam-auth@sha256:90bb6b0025b10ac92af4193160bdef881c4f7945346b42803785885b75fe857b
+          image: ghcr.io/pleri/olam-auth@sha256:e982aa9812c9c57768987d8fc0a22178c84811bf59a1470eb7a5aa58a73f11a5
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/chunks-electric/10-serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: olam-chunks-electric
+  namespace: olam
+  labels:
+    app: olam-chunks-electric
+    olam.io/component: substrate

package/host-cp/k8s/manifests/chunks-electric/20-rbac.yaml

@@ -0,0 +1,27 @@
+# Electric does not call the Kubernetes API. Empty Role kept for layout parity.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: olam-chunks-electric
+  namespace: olam
+  labels:
+    app: olam-chunks-electric
+    olam.io/component: substrate
+rules: []
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: olam-chunks-electric
+  namespace: olam
+  labels:
+    app: olam-chunks-electric
+    olam.io/component: substrate
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: olam-chunks-electric
+subjects:
+  - kind: ServiceAccount
+    name: olam-chunks-electric
+    namespace: olam

package/host-cp/k8s/manifests/chunks-electric/30-configmap.yaml

@@ -0,0 +1,23 @@
+# ConfigMap for olam-chunks-electric.
+#
+# ELECTRIC_INSECURE=true disables Electric's API-secret-token gate. Acceptable
+# in a single-operator local-dev k3d cluster (the Service is ClusterIP — no
+# external reachability). For multi-tenant deploys, set ELECTRIC_INSECURE=false
+# and provision ELECTRIC_SECRET via a Secret instead.
+#
+# DATABASE_URL is composed at runtime in the Deployment via env: composition
+# referencing the chunks-postgres Secret (POSTGRES_PASSWORD). It is NOT
+# stored here.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-chunks-electric-env
+  namespace: olam
+  labels:
+    app: olam-chunks-electric
+    olam.io/component: substrate
+data:
+  ELECTRIC_INSECURE: "true"
+  ELECTRIC_PORT: "3000"
+  ELECTRIC_HTTP_API_PORT: "3000"
+  ELECTRIC_LOG_LEVEL: "info"

package/host-cp/k8s/manifests/chunks-electric/45-pvc.yaml

@@ -0,0 +1,19 @@
+# Electric's HTTP server state lives in-memory + the replication slot lives on
+# Postgres. No persistent state required, but a small PVC is kept for parity
+# with other peripherals — Electric writes its persisted-shape index to
+# /app/persistent by default; PVC backs that path.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: olam-chunks-electric-data
+  namespace: olam
+  labels:
+    app: olam-chunks-electric
+    olam.io/component: substrate
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 1Gi

package/host-cp/k8s/manifests/chunks-electric/50-deployment.yaml

@@ -0,0 +1,84 @@
+# Deployment for olam-chunks-electric.
+#
+# Electric SQL — Postgres logical-replication → HTTP long-poll shape proxy.
+# Single replica (replication slot is single-writer).
+#
+# Image: electricsql/electric:1.6.8 — sha256-pinned per T4 threat model.
+# Resolves to the same digest as :latest at 2026-05-27; refresh when the
+# upstream cuts a new release that closes a security advisory.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: olam-chunks-electric
+  namespace: olam
+  labels:
+    app: olam-chunks-electric
+    olam.io/component: substrate
+spec:
+  replicas: 1
+  strategy:
+    # Recreate (NOT RollingUpdate) — Electric holds a postgres replication
+    # slot; two pods running at once would fight for the same slot and one
+    # would crashloop.
+    type: Recreate
+  selector:
+    matchLabels:
+      app: olam-chunks-electric
+  template:
+    metadata:
+      labels:
+        app: olam-chunks-electric
+    spec:
+      enableServiceLinks: false
+      serviceAccountName: olam-chunks-electric
+      containers:
+        - name: electric
+          image: electricsql/electric:1.6.8@sha256:a716f2affde44d5b991bdd1492876d9d6bddbcae5c98411327614575cd8f9eec
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: olam-chunks-electric-env
+          env:
+            # DATABASE_URL composition. POSTGRES_PASSWORD is sourced from the
+            # chunks-postgres Secret (rendered by k8s-secret-render.ts).
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: olam-chunks-postgres-secret
+                  key: POSTGRES_PASSWORD
+            - name: DATABASE_URL
+              value: "postgres://postgres:$(POSTGRES_PASSWORD)@olam-chunks-postgres.olam.svc.cluster.local:5432/chunks?sslmode=disable"
+          volumeMounts:
+            - name: persistent
+              mountPath: /app/persistent
+          readinessProbe:
+            httpGet:
+              path: /v1/health
+              port: 3000
+            initialDelaySeconds: 10
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 12
+          livenessProbe:
+            httpGet:
+              path: /v1/health
+              port: 3000
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+            limits:
+              cpu: "1000m"
+              memory: "1Gi"
+      volumes:
+        - name: persistent
+          persistentVolumeClaim:
+            claimName: olam-chunks-electric-data

package/host-cp/k8s/manifests/chunks-electric/60-service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: olam-chunks-electric
+  namespace: olam
+  labels:
+    app: olam-chunks-electric
+    olam.io/component: substrate
+spec:
+  type: ClusterIP
+  selector:
+    app: olam-chunks-electric
+  ports:
+    - name: http
+      port: 3000
+      targetPort: 3000
+      protocol: TCP

package/host-cp/k8s/manifests/chunks-postgres/10-serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: olam-chunks-postgres
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate

package/host-cp/k8s/manifests/chunks-postgres/20-rbac.yaml

@@ -0,0 +1,29 @@
+# Minimal-privilege RBAC for chunks-postgres. The pod does not call the
+# Kubernetes API; this Role exists to make the per-service apply order
+# (10/20/30/45/50/60) uniform across peripherals + substrate.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: olam-chunks-postgres
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate
+rules: []
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: olam-chunks-postgres
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: olam-chunks-postgres
+subjects:
+  - kind: ServiceAccount
+    name: olam-chunks-postgres
+    namespace: olam

package/host-cp/k8s/manifests/chunks-postgres/30-configmap.yaml

@@ -0,0 +1,185 @@
+# ConfigMap for olam-chunks-postgres.
+#
+# Two ConfigMaps in one file:
+#
+# 1. olam-chunks-postgres-env       — non-secret env vars (POSTGRES_USER, POSTGRES_DB).
+#                                     POSTGRES_PASSWORD lives in the Secret rendered by
+#                                     packages/cli/src/lib/k8s-secret-render.ts.
+#
+# 2. olam-chunks-postgres-initdb-sql — the chunks schema. Mounted at
+#                                     /docker-entrypoint-initdb.d/01-chunks.sql so
+#                                     the postgres image's entrypoint auto-applies it
+#                                     on FIRST init (empty data dir). Subsequent
+#                                     restarts skip the directory by design.
+#
+#                                     Source-of-truth: packages/chunks/src/schema.ts
+#                                     (SCHEMA_SQL export). The CI gate
+#                                     `audit:chunks-schema-parity` (follow-up) will
+#                                     fail when this ConfigMap drifts from
+#                                     SCHEMA_VERSION-tagged schema.ts.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-chunks-postgres-env
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate
+data:
+  POSTGRES_USER: "postgres"
+  POSTGRES_DB: "chunks"
+  # PGDATA must point at a subdirectory of the PVC mount, not its root —
+  # the PVC root may carry the local-path provisioner's lost+found dir,
+  # which postgres's initdb rejects ("data directory not empty").
+  PGDATA: "/var/lib/postgresql/data/pgdata"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-chunks-postgres-initdb-sql
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate
+data:
+  # MIRRORS packages/chunks/src/schema.ts SCHEMA_VERSION=2.
+  # Idempotent: CREATE TABLE IF NOT EXISTS / ADD COLUMN IF NOT EXISTS /
+  # DO blocks with EXCEPTION-WHEN-{undefined_object,duplicate_object}.
+  01-chunks.sql: |
+    CREATE TABLE IF NOT EXISTS chunks (
+      world_id    TEXT        NOT NULL,
+      session_id  TEXT        NOT NULL,
+      message_id  TEXT        NOT NULL,
+      seq         INTEGER     NOT NULL,
+      actor_id    TEXT        NOT NULL,
+      actor_type  TEXT        NOT NULL CHECK (actor_type IN ('agent', 'operator', 'codex', 'system')),
+      role        TEXT        NOT NULL CHECK (role       IN ('user', 'assistant', 'tool', 'system')),
+      chunk       TEXT        NOT NULL,
+      chunk_type  TEXT        NOT NULL DEFAULT 'text' CHECK (chunk_type IN ('text', 'tool_use', 'goal_mode_assumption', 'dispatch_overflow')),
+      created_at  TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp(),
+      PRIMARY KEY (message_id, seq)
+    );
+
+    ALTER TABLE chunks ADD COLUMN IF NOT EXISTS chunk_type TEXT NOT NULL DEFAULT 'text';
+
+    DO $$ BEGIN
+      ALTER TABLE chunks DROP CONSTRAINT IF EXISTS chunks_chunk_type_check;
+    EXCEPTION WHEN undefined_object THEN NULL;
+    END $$;
+
+    DO $$ BEGIN
+      ALTER TABLE chunks ADD CONSTRAINT chunks_chunk_type_check
+        CHECK (chunk_type IN ('text', 'tool_use', 'goal_mode_assumption', 'dispatch_overflow'));
+    EXCEPTION WHEN duplicate_object THEN NULL;
+    END $$;
+
+    CREATE INDEX IF NOT EXISTS chunks_world_session_seq
+      ON chunks (world_id, session_id, seq);
+
+    CREATE INDEX IF NOT EXISTS chunks_world_session_created
+      ON chunks (world_id, session_id, created_at);
+
+    CREATE INDEX IF NOT EXISTS idx_chunks_planning
+      ON chunks (session_id, seq)
+      WHERE world_id = '_planning';
+
+    CREATE TABLE IF NOT EXISTS planning_sessions (
+      session_id            TEXT PRIMARY KEY,
+      actor_id              TEXT NOT NULL,
+      summary               TEXT,
+      crystallize_status    TEXT NOT NULL DEFAULT 'open'
+                              CHECK (crystallize_status IN ('open', 'in_progress', 'crystallized', 'failed', 'abandoned')),
+      crystallized_world_id TEXT,
+      created_at            TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+      updated_at            TIMESTAMPTZ NOT NULL DEFAULT NOW()
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_planning_sessions_created_at
+      ON planning_sessions (created_at DESC);
+
+    ALTER TABLE planning_sessions ADD COLUMN IF NOT EXISTS session_source TEXT;
+
+    CREATE OR REPLACE FUNCTION chunks_append_only_trigger()
+    RETURNS trigger AS $body$
+    BEGIN
+      RAISE EXCEPTION 'chunks is append-only; % forbidden', TG_OP;
+    END;
+    $body$ LANGUAGE plpgsql;
+
+    DROP TRIGGER IF EXISTS chunks_no_update ON chunks;
+    CREATE TRIGGER chunks_no_update
+      BEFORE UPDATE ON chunks
+      FOR EACH ROW EXECUTE FUNCTION chunks_append_only_trigger();
+
+    DROP TRIGGER IF EXISTS chunks_no_delete ON chunks;
+    CREATE TRIGGER chunks_no_delete
+      BEFORE DELETE ON chunks
+      FOR EACH ROW EXECUTE FUNCTION chunks_append_only_trigger();
+
+    CREATE TABLE IF NOT EXISTS message_usage (
+      world_id              TEXT        NOT NULL,
+      session_id            TEXT        NOT NULL,
+      message_id            TEXT        NOT NULL,
+      actor_id              TEXT        NOT NULL,
+      model                 TEXT        NOT NULL,
+      input_tokens          INTEGER     NOT NULL DEFAULT 0,
+      output_tokens         INTEGER     NOT NULL DEFAULT 0,
+      cache_read_tokens     INTEGER     NOT NULL DEFAULT 0,
+      cache_create_tokens   INTEGER     NOT NULL DEFAULT 0,
+      created_at            TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp(),
+      PRIMARY KEY (message_id, actor_id)
+    );
+
+    CREATE INDEX IF NOT EXISTS message_usage_session_created
+      ON message_usage (session_id, created_at);
+
+    CREATE OR REPLACE FUNCTION message_usage_append_only_trigger()
+    RETURNS trigger AS $body$
+    BEGIN
+      RAISE EXCEPTION 'message_usage is append-only; % forbidden', TG_OP;
+    END;
+    $body$ LANGUAGE plpgsql;
+
+    DROP TRIGGER IF EXISTS message_usage_no_update ON message_usage;
+    CREATE TRIGGER message_usage_no_update
+      BEFORE UPDATE ON message_usage
+      FOR EACH ROW EXECUTE FUNCTION message_usage_append_only_trigger();
+
+    DROP TRIGGER IF EXISTS message_usage_no_delete ON message_usage;
+    CREATE TRIGGER message_usage_no_delete
+      BEFORE DELETE ON message_usage
+      FOR EACH ROW EXECUTE FUNCTION message_usage_append_only_trigger();
+
+    CREATE TABLE IF NOT EXISTS planning_artifacts (
+      id                    TEXT PRIMARY KEY,
+      world_id              TEXT NOT NULL,
+      session_id            TEXT NOT NULL,
+      type                  TEXT NOT NULL CHECK (type IN ('commit_plan', 'component_scaffold', 'design_jam')),
+      title                 TEXT NOT NULL,
+      body                  JSONB NOT NULL,
+      status                TEXT NOT NULL DEFAULT 'open'
+                              CHECK (status IN ('open', 'crystallized', 'failed', 'archived')),
+      linear_issue_url      TEXT,
+      crystallized_world_id TEXT,
+      created_at            TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+      updated_at            TIMESTAMPTZ NOT NULL DEFAULT NOW()
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_planning_artifacts_session
+      ON planning_artifacts (session_id, created_at);
+
+    CREATE INDEX IF NOT EXISTS idx_planning_artifacts_world
+      ON planning_artifacts (world_id, status);
+
+    CREATE OR REPLACE FUNCTION planning_artifacts_touch_updated_at()
+    RETURNS trigger AS $body$
+    BEGIN
+      NEW.updated_at = NOW();
+      RETURN NEW;
+    END;
+    $body$ LANGUAGE plpgsql;
+
+    DROP TRIGGER IF EXISTS planning_artifacts_touch ON planning_artifacts;
+    CREATE TRIGGER planning_artifacts_touch
+      BEFORE UPDATE ON planning_artifacts
+      FOR EACH ROW EXECUTE FUNCTION planning_artifacts_touch_updated_at();

package/host-cp/k8s/manifests/chunks-postgres/45-pvc.yaml

@@ -0,0 +1,24 @@
+# PVC for the chunks-postgres data directory.
+#
+# Sized 10Gi for local-dev. Chunks rows are small (~1KB each) so even a
+# busy single-operator world rarely cracks 1Gi; the headroom is for the
+# message_usage + planning_artifacts sidecar tables.
+#
+# accessModes: ReadWriteOnce — postgres is a StatefulSet with replicas=1.
+# k3d's local-path provisioner only supports RWO; the in-cluster postgres
+# pattern is single-writer by design (no operator-managed HA).
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: olam-chunks-postgres-data
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 10Gi

package/host-cp/k8s/manifests/chunks-postgres/50-deployment.yaml

@@ -0,0 +1,101 @@
+# StatefulSet for olam-chunks-postgres.
+#
+# Why StatefulSet vs Deployment: even with replicas=1 the StatefulSet gives
+# stable network identity (olam-chunks-postgres-0 inside the headless service)
+# and ordered termination semantics — both useful when Electric's replication
+# slot survives pod restarts.
+#
+# command override: postgres requires wal_level=logical for Electric SQL's
+# logical-replication subscription. The image's default postgresql.conf
+# ships wal_level=replica; the -c overrides on the entrypoint args take
+# precedence. max_replication_slots / max_wal_senders need raising too —
+# Electric holds one slot per database.
+#
+# securityContext: postgres image runs as uid 999 by default. fsGroup=999
+# on the pod ensures the PVC mount is chowned to 999 so postgres can write
+# its data dir.
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: olam-chunks-postgres
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate
+spec:
+  replicas: 1
+  serviceName: olam-chunks-postgres
+  selector:
+    matchLabels:
+      app: olam-chunks-postgres
+  template:
+    metadata:
+      labels:
+        app: olam-chunks-postgres
+    spec:
+      enableServiceLinks: false
+      serviceAccountName: olam-chunks-postgres
+      securityContext:
+        fsGroup: 999
+      containers:
+        - name: postgres
+          # postgres:16-alpine — sha256-pinned per T4 threat model.
+          image: postgres:16-alpine@sha256:16bc17c64a573ef34162af9298258d1aec548232985b33ed7b1eac33ba35c229
+          imagePullPolicy: IfNotPresent
+          args:
+            - postgres
+            - -c
+            - wal_level=logical
+            - -c
+            - max_replication_slots=10
+            - -c
+            - max_wal_senders=10
+          ports:
+            - name: postgres
+              containerPort: 5432
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: olam-chunks-postgres-env
+            - secretRef:
+                name: olam-chunks-postgres-secret
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+            - name: initdb
+              mountPath: /docker-entrypoint-initdb.d
+              readOnly: true
+          readinessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - pg_isready -U postgres -d chunks -h 127.0.0.1
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 12
+          livenessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - pg_isready -U postgres -h 127.0.0.1
+            initialDelaySeconds: 30
+            periodSeconds: 20
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+            limits:
+              cpu: "1000m"
+              memory: "1Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: olam-chunks-postgres-data
+        - name: initdb
+          configMap:
+            name: olam-chunks-postgres-initdb-sql