@pleri/olam-cli 0.1.186 → 0.1.195

package/host-cp/k8s/manifests/chunks-postgres/60-service.yaml

@@ -0,0 +1,24 @@
+# Headless Service for olam-chunks-postgres StatefulSet.
+#
+# clusterIP: None gives the StatefulSet's pod stable DNS:
+#   olam-chunks-postgres-0.olam-chunks-postgres.olam.svc.cluster.local
+# Callers (plan-chat-service, chunks-electric) connect via the shorter
+# olam-chunks-postgres.olam.svc.cluster.local form which Kubernetes resolves
+# round-robin to the single backing pod.
+apiVersion: v1
+kind: Service
+metadata:
+  name: olam-chunks-postgres
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate
+spec:
+  clusterIP: None
+  selector:
+    app: olam-chunks-postgres
+  ports:
+    - name: postgres
+      port: 5432
+      targetPort: 5432
+      protocol: TCP

package/host-cp/k8s/manifests/kg-service/50-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-kg-service
-          image: ghcr.io/pleri/olam-kg-service@sha256:a031eeb1a906b646396d1954e9116b228e5ad9ccedfc9953465f347541e1ecb2
+          image: ghcr.io/pleri/olam-kg-service@sha256:bd7c1c65b3537fd59a8a5f252a99a7fc5c2e195e973356bfe764b957fdebe58c
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml

@@ -68,7 +68,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-mcp-auth-service
-          image: ghcr.io/pleri/olam-mcp-auth@sha256:be68e388e003ccc4489b3dcf6caecb43bf1e529b6e6384b6cab0d7a6f897438e
+          image: ghcr.io/pleri/olam-mcp-auth@sha256:1191734c32480a7ab22dbeede616c0f697ec02e3d0d43093cbbf56d6fe3b115c
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/memory-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
           # bootstrap-placeholder comment + run `npm run refresh:manifest-digests`
           # once ghcr.io/pleri/olam-memory-service has a real published digest.
           # bootstrap-placeholder: pre-publish; refresh after first release
-          image: ghcr.io/pleri/olam-memory-service@sha256:a28ad257f7c4d9de3ff6a99fbc016b66356ad09b487840fce106f407096eea3c
+          image: ghcr.io/pleri/olam-memory-service@sha256:2037a12d390be09714bb80e2d707fb94d210f28b5227428d3047fe9155635acd
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/plan-chat-service/10-serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: olam-plan-chat-service
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral

package/host-cp/k8s/manifests/plan-chat-service/20-rbac.yaml

@@ -0,0 +1,29 @@
+# plan-chat-service does not need to read or write any Kubernetes API objects.
+# A no-op Role + RoleBinding documents the minimal-privilege stance and
+# keeps the file present so audit:cli-bundle-k8s does not skip this peripheral.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: olam-plan-chat-service
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral
+rules: []
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: olam-plan-chat-service
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: olam-plan-chat-service
+subjects:
+  - kind: ServiceAccount
+    name: olam-plan-chat-service
+    namespace: olam

package/host-cp/k8s/manifests/plan-chat-service/30-configmap.yaml

@@ -0,0 +1,36 @@
+# ConfigMap for olam-plan-chat-service.
+#
+# plan-chat-service.mjs (packages/host-cp/src/plan-chat-service.mjs) reads
+# these env vars at startup. See the file header for the canonical names.
+#
+# DATABASE_URL: points at the in-cluster chunks-postgres StatefulSet's Service.
+#               The password is sourced from the chunks-postgres-secret
+#               (mounted via envFrom in 50-deployment.yaml) — the literal
+#               here uses the env-var substitution syntax
+#               `$(VAR)` which kubelet expands when DATABASE_URL is itself
+#               read via envFrom or env: subordinate.
+#
+#               BUT: kubelet only expands env-refs declared on the container,
+#               not values inside a ConfigMap key. So we keep DATABASE_URL
+#               OUT of this ConfigMap and assemble it in the Deployment's
+#               env: section instead (which CAN reference the Secret-backed
+#               POSTGRES_PASSWORD via $(POSTGRES_PASSWORD)). See 50-deployment.yaml.
+#
+# ELECTRIC_URL: chunks-electric ClusterIP. No auth (ELECTRIC_INSECURE=true on
+#               that service in local-dev mode).
+#
+# SECRET_PATH: filesystem path where the olam-plan-chat-secret Secret is
+#              mounted (see volumeMounts in 50-deployment.yaml). The mount
+#              key is "secret" → file `/etc/olam-plan-chat/secret`.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-plan-chat-service-env
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral
+data:
+  OLAM_PLAN_CHAT_PORT: "3200"
+  OLAM_PLAN_CHAT_ELECTRIC_URL: "http://olam-chunks-electric.olam.svc.cluster.local:3000"
+  OLAM_PLAN_CHAT_SECRET_PATH: "/etc/olam-plan-chat/secret"

package/host-cp/k8s/manifests/plan-chat-service/45-pvc.yaml

@@ -0,0 +1,24 @@
+# PersistentVolumeClaim for olam-plan-chat-service /data volume.
+#
+# plan-chat-service is mostly stateless (DB lives in chunks-postgres, secret
+# lives in olam-plan-chat-secret), but ships a /data PVC for parity with
+# the other peripherals. Used for any transient state the service decides
+# to spool (e.g. planning-session resumption buffers).
+#
+# local-path StorageClass ships with k3d by default. On non-k3d clusters,
+# substitute storageClassName with your cluster's provisioner.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: olam-plan-chat-service-data
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 1Gi

package/host-cp/k8s/manifests/plan-chat-service/50-deployment.yaml

@@ -0,0 +1,135 @@
+# Deployment for olam-plan-chat-service.
+#
+# Image strategy: REUSES the olam-host-cp image. Per the package layout,
+# plan-chat-service.mjs is a sibling under packages/host-cp/src/, and the
+# host-cp image's WORKDIR=/app already contains it at /app/src/plan-chat-service.mjs.
+# The single shared image avoids version-drift between the two binaries that
+# share plan-chat-secret.mjs (bearer-auth logic), planning-sessions.mjs,
+# crystallize-planning.mjs, and resolver.mjs.
+#
+# The command override replaces the host-cp default
+# ENTRYPOINT (`node src/server.mjs`) with the plan-chat-service entrypoint.
+#
+# Image: pinned to the SAME digest as host-cp's 50-deployment.yaml. Refresh
+# both in lockstep via scripts/refresh-manifest-digests.mjs on every release.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: olam-plan-chat-service
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: olam-plan-chat-service
+  template:
+    metadata:
+      labels:
+        app: olam-plan-chat-service
+    spec:
+      enableServiceLinks: false
+      imagePullSecrets:
+        - name: ghcr-pull
+      serviceAccountName: olam-plan-chat-service
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+        # chown-data: identical to memory-service pattern. Postgres-RWO PVC
+        # mounts as root-owned on local-path; this brings it to 1000:1000.
+        - name: chown-data
+          image: busybox@sha256:73aaf090f3d85aa34ee199857f03fa3a95c8ede2ffd4cc2cdb5b94e566b11662
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 0
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+          command: ["chown", "-R", "1000:1000", "/data"]
+          volumeMounts:
+            - name: plan-chat-data
+              mountPath: /data
+      containers:
+        - name: olam-plan-chat-service
+          # Reuses the host-cp image (same source tree, same node_modules).
+          # Digest pinned in lockstep with packages/host-cp/k8s/manifests/50-deployment.yaml.
+          image: ghcr.io/pleri/olam-host-cp@sha256:20d84b6d490c633bc5a158b0f7f849152aba3cf1d2d45657360f627d8d41ec3f
+          imagePullPolicy: IfNotPresent
+          # Override the host-cp ENTRYPOINT. plan-chat-service.mjs exports
+          # startService(); we boot it via -e import-and-call.
+          command: ["node"]
+          args:
+            - "-e"
+            - "import('/app/src/plan-chat-service.mjs').then(m => m.startService()).catch(e => { console.error('[plan-chat-service]', e); process.exit(1); });"
+          workingDir: /app
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - name: http
+              containerPort: 3200
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: olam-plan-chat-service-env
+          env:
+            # DATABASE_URL composition. Same pattern as chunks-electric.
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: olam-chunks-postgres-secret
+                  key: POSTGRES_PASSWORD
+            - name: OLAM_PLAN_CHAT_DATABASE_URL
+              value: "postgres://postgres:$(POSTGRES_PASSWORD)@olam-chunks-postgres.olam.svc.cluster.local:5432/chunks"
+          volumeMounts:
+            - name: plan-chat-data
+              mountPath: /data
+            - name: plan-chat-secret
+              mountPath: /etc/olam-plan-chat
+              readOnly: true
+          readinessProbe:
+            httpGet:
+              path: /livez
+              port: 3200
+            initialDelaySeconds: 10
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 12
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: 3200
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "256Mi"
+            limits:
+              cpu: "500m"
+              memory: "1Gi"
+      volumes:
+        - name: plan-chat-data
+          persistentVolumeClaim:
+            claimName: olam-plan-chat-service-data
+        - name: plan-chat-secret
+          secret:
+            secretName: olam-plan-chat-secret
+            defaultMode: 0400
+            items:
+              - key: PLAN_CHAT_SECRET
+                path: secret

package/host-cp/k8s/manifests/plan-chat-service/60-service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: olam-plan-chat-service
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral
+spec:
+  type: ClusterIP
+  selector:
+    app: olam-plan-chat-service
+  ports:
+    - name: http
+      port: 3200
+      targetPort: 3200
+      protocol: TCP

package/host-cp/src/plan-chat-secret.mjs

@@ -21,8 +21,23 @@ import os from 'node:os';
 import path from 'node:path';
 import crypto from 'node:crypto';
 
+/**
+ * Resolve the plan-chat-secret path: prefer ~/.olam/secrets/plan-chat-secret
+ * (new canonical location) over ~/.olam/plan-chat-secret (legacy). Inlined
+ * here because host-cp is a pure .mjs package with no @olam/core dep.
+ */
+function resolvePlanChatSecretPath() {
+  const olamHome = path.join(os.homedir(), '.olam');
+  const newPath = path.join(olamHome, 'secrets', 'plan-chat-secret');
+  if (fs.existsSync(newPath)) return newPath;
+  const legacyPath = path.join(olamHome, 'plan-chat-secret');
+  if (fs.existsSync(legacyPath)) return legacyPath;
+  // Neither exists — return canonical so writes land in the right place.
+  return newPath;
+}
+
 export const SECRET_PATH =
-  process.env.OLAM_PLAN_CHAT_SECRET_PATH ?? path.join(os.homedir(), '.olam', 'plan-chat-secret');
+  process.env.OLAM_PLAN_CHAT_SECRET_PATH ?? resolvePlanChatSecretPath();
 export const SECRET_DIR = path.dirname(SECRET_PATH);
 const SECRET_BYTES = 32; // 64 hex chars
 const SECRET_MODE = 0o600;