@pleri/olam-cli 0.1.188 → 0.1.195

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACxE,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AACxE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,0BAA0B,EAAE,MAAM,oCAAoC,CAAC;AAChF,OAAO,EAAE,8BAA8B,EAAE,MAAM,yCAAyC,CAAC;AACzF,OAAO,EAAE,2BAA2B,EAAE,MAAM,qCAAqC,CAAC;AAClF,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,MAAM,CAAC;KACZ,WAAW,CAAC,+DAA+D,CAAC;IAC7E,4EAA4E;IAC5E,0EAA0E;KACzE,MAAM,CAAC,OAAO,EAAE,6DAA6D,CAAC;KAC9E,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;AAE7B,gEAAgE;AAChE,6EAA6E;AAC7E,4EAA4E;AAC5E,yEAAyE;AACzE,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;AACnD,IAAI,YAAY,KAAK,CAAC,CAAC,EAAE,CAAC;IACxB,qEAAqE;IACrE,+EAA+E;IAC/E,iDAAiD;IACjD,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACzF,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,0DAA0D,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,KAAK;YACtF,qEAAqE,CACxE,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;AACvD,CAAC;AAED,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,WAAW,CAAC,OAAO,CAAC,CAAC;AACrB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAC1B,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,sEAAsE;AACtE,yEAAyE;AACzE,0EAA0E;AAC1E,wEAAwE;AACxE,mBAAmB,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC;AAC/D,UAAU,CAAC,OAAO,CAAC,CAAC;AACpB,iBAAiB,CAAC,OAAO,CAAC,CAAC;AAC3B,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAC1B,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,mBAAmB,CAAC,OAAO,CAAC,CAAC;AAC7B,iBAAiB,CAAC,OAAO,CAAC,CAAC;AAC3B,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,UAAU,CAAC,OAAO,CAAC,CAAC;AACpB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,qBAAqB,CAAC,OAAO,CAAC,CAAC;AAC/B,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,iBAAiB,CAAC,OAAO,CAAC,CAAC;AAC3B,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAC1B,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,iBAAiB,CAAC,OAAO,CAAC,CAAC;AAC3B,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,kBAAkB,CAAC,OAAO,CAAC,CAAC;AAC5B,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAC9B,sBAAsB,CAAC,OAAO,CAAC,CAAC;AAChC,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAC9B,WAAW,CAAC,OAAO,CAAC,CAAC;AACrB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAC1B,UAAU,CAAC,OAAO,CAAC,CAAC;AACpB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAC1B,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAC9B,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,kBAAkB,CAAC,OAAO,CAAC,CAAC;AAC5B,qBAAqB,CAAC,OAAO,CAAC,CAAC;AAC/B,qBAAqB,CAAC,OAAO,CAAC,CAAC;AAC/B,yBAAyB,CAAC,OAAO,CAAC,CAAC;AACnC,0BAA0B,CAAC,OAAO,CAAC,CAAC;AACpC,8BAA8B,CAAC,OAAO,CAAC,CAAC;AACxC,2BAA2B,CAAC,OAAO,CAAC,CAAC;AACrC,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAC9B,iBAAiB,CAAC,OAAO,CAAC,CAAC;AAC3B,cAAc,CAAC,OAAO,CAAC,CAAC;AAExB,0EAA0E;AAC1E,6EAA6E;AAC7E,yEAAyE;AACzE,wBAAwB;AAExB,wEAAwE;AACxE,0EAA0E;AAC1E,uEAAuE;AACvE,wEAAwE;AACxE,qEAAqE;AACrE,wEAAwE;AACxE,2EAA2E;AAC3E,+DAA+D;AAC/D,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC;AAC3B,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACxE,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AACxE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,0BAA0B,EAAE,MAAM,oCAAoC,CAAC;AAChF,OAAO,EAAE,8BAA8B,EAAE,MAAM,yCAAyC,CAAC;AACzF,OAAO,EAAE,2BAA2B,EAAE,MAAM,qCAAqC,CAAC;AAClF,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,yBAAyB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,MAAM,UAAU,GAAG,cAAc,EAAE,CAAC;AACpC,iFAAiF;AACjF,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,GAAG,UAAU,CAAC;AAE7C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,MAAM,CAAC;KACZ,WAAW,CAAC,+DAA+D,CAAC;IAC7E,4EAA4E;IAC5E,0EAA0E;KACzE,MAAM,CAAC,OAAO,EAAE,6DAA6D,CAAC;KAC9E,OAAO,CAAC,UAAU,CAAC;KACnB,aAAa,CAAC,yBAAyB,EAAE,CAAC,CAAC;AAE9C,gEAAgE;AAChE,6EAA6E;AAC7E,4EAA4E;AAC5E,yEAAyE;AACzE,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;AACnD,IAAI,YAAY,KAAK,CAAC,CAAC,EAAE,CAAC;IACxB,qEAAqE;IACrE,+EAA+E;IAC/E,iDAAiD;IACjD,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACzF,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,0DAA0D,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,KAAK;YACtF,qEAAqE,CACxE,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;AACvD,CAAC;AAED,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,WAAW,CAAC,OAAO,CAAC,CAAC;AACrB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAC1B,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,sEAAsE;AACtE,yEAAyE;AACzE,0EAA0E;AAC1E,wEAAwE;AACxE,mBAAmB,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC;AAC/D,UAAU,CAAC,OAAO,CAAC,CAAC;AACpB,iBAAiB,CAAC,OAAO,CAAC,CAAC;AAC3B,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAC1B,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,mBAAmB,CAAC,OAAO,CAAC,CAAC;AAC7B,iBAAiB,CAAC,OAAO,CAAC,CAAC;AAC3B,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,UAAU,CAAC,OAAO,CAAC,CAAC;AACpB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,qBAAqB,CAAC,OAAO,CAAC,CAAC;AAC/B,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,iBAAiB,CAAC,OAAO,CAAC,CAAC;AAC3B,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAC1B,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,iBAAiB,CAAC,OAAO,CAAC,CAAC;AAC3B,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,kBAAkB,CAAC,OAAO,CAAC,CAAC;AAC5B,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAC9B,sBAAsB,CAAC,OAAO,CAAC,CAAC;AAChC,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAC9B,WAAW,CAAC,OAAO,CAAC,CAAC;AACrB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAC1B,UAAU,CAAC,OAAO,CAAC,CAAC;AACpB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAC1B,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAC9B,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,kBAAkB,CAAC,OAAO,CAAC,CAAC;AAC5B,qBAAqB,CAAC,OAAO,CAAC,CAAC;AAC/B,qBAAqB,CAAC,OAAO,CAAC,CAAC;AAC/B,yBAAyB,CAAC,OAAO,CAAC,CAAC;AACnC,0BAA0B,CAAC,OAAO,CAAC,CAAC;AACpC,8BAA8B,CAAC,OAAO,CAAC,CAAC;AACxC,2BAA2B,CAAC,OAAO,CAAC,CAAC;AACrC,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAC9B,iBAAiB,CAAC,OAAO,CAAC,CAAC;AAC3B,cAAc,CAAC,OAAO,CAAC,CAAC;AAExB,6EAA6E;AAC7E,4EAA4E;AAC5E,uEAAuE;AACvE,iEAAiE;AACjE,KAAK,oBAAoB,CAAC,UAAU,CAAC,CAAC;AAEtC,wEAAwE;AACxE,0EAA0E;AAC1E,uEAAuE;AACvE,wEAAwE;AACxE,qEAAqE;AACrE,wEAAwE;AACxE,2EAA2E;AAC3E,+DAA+D;AAC/D,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC;AAC3B,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC"}

package/dist/lib/auth-refresh-kubernetes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-refresh-kubernetes.d.ts","sourceRoot":"","sources":["../../src/lib/auth-refresh-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAMhD,MAAM,WAAW,yBAAyB;IACxC,yEAAyE;IACzE,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IAC9C,+DAA+D;IAC/D,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,MAAM,CAAC;IAC/D,gEAAgE;IAChE,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IACvF,6CAA6C;IAC7C,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,4DAA4D;IAC5D,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,yBAAyB;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,yBAAyB;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;CACzC;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAYxF;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG;IAC1D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAEA;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,mBAAmB,CACvC,aAAa,EAAE,MAAM,EACrB,IAAI,GAAE,yBAA8B,GACnC,OAAO,CAAC,MAAM,CAAC,CAoEjB"}
+{"version":3,"file":"auth-refresh-kubernetes.d.ts","sourceRoot":"","sources":["../../src/lib/auth-refresh-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAOhD,MAAM,WAAW,yBAAyB;IACxC,yEAAyE;IACzE,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IAC9C,+DAA+D;IAC/D,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,MAAM,CAAC;IAC/D,gEAAgE;IAChE,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IACvF,6CAA6C;IAC7C,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,4DAA4D;IAC5D,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,yBAAyB;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,yBAAyB;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;CACzC;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAYxF;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG;IAC1D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAEA;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,mBAAmB,CACvC,aAAa,EAAE,MAAM,EACrB,IAAI,GAAE,yBAA8B,GACnC,OAAO,CAAC,MAAM,CAAC,CA4EjB"}

package/dist/lib/auth-refresh-kubernetes.js

@@ -17,6 +17,7 @@ import { OLAM_HOME } from './config.js';
 import { kubectlWrap } from './kubectl-wrap.js';
 import { HOST_CP_SECRET_NAME, HOST_CP_DEPLOYMENT_NAME } from './upgrade-kubernetes.js';
 import { resolveKubectlContext as resolveKubectlContextShared } from './kubectl-context.js';
+import { resolveSecretPath, canonicalSecretPath, ensureSecretsDir } from '@olam/core/src/secrets/paths.js';
 const K8S_NAMESPACE = 'olam';
 /**
  * Construct the olam-host-cp-secret YAML in-process (D20 stdin-safe design).
@@ -65,26 +66,34 @@ export async function applyK8sAuthRefresh(pinnedContext, deps = {}) {
     const stdout = deps.stdout ?? process.stdout;
     const stderr = deps.stderr ?? process.stderr;
     const olamHome = deps.olamHomeOverride ?? OLAM_HOME;
-    const authSecretFile = path.join(olamHome, 'auth-secret');
+    // READ from resolved path (new canonical or legacy fallback).
+    const authSecretReadFile = deps.olamHomeOverride
+        ? path.join(olamHome, 'auth-secret')
+        : resolveSecretPath('auth-secret');
+    // WRITE to canonical path.
+    const authSecretWriteFile = deps.olamHomeOverride
+        ? path.join(olamHome, 'auth-secret')
+        : canonicalSecretPath('auth-secret');
     const readFn = deps.readFileSyncImpl ?? ((p, enc) => fs.readFileSync(p, enc));
     const writeFn = deps.writeFileSyncImpl ?? ((p, data, opts) => {
+        ensureSecretsDir();
         fs.mkdirSync(path.dirname(p), { recursive: true });
         fs.writeFileSync(p, data, { encoding: 'utf8', mode: opts.mode });
     });
     const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
-    // Read current ~/.olam/auth-secret.
+    // Read current auth-secret.
     let authSecretValue = null;
     try {
-        const raw = readFn(authSecretFile, 'utf8').trim();
+        const raw = readFn(authSecretReadFile, 'utf8').trim();
         if (raw.length > 0)
             authSecretValue = raw;
     }
     catch {
         // File absent — warn and skip Secret update.
     }
-    // Write ~/.olam/auth-secret (both substrates; idempotent).
+    // Write to canonical location (both substrates; idempotent).
     if (authSecretValue !== null) {
-        writeFn(authSecretFile, authSecretValue + '\n', { mode: 0o600 });
+        writeFn(authSecretWriteFile, authSecretValue + '\n', { mode: 0o600 });
     }
     else {
         stderr.write(`${pc.yellow('[warn]')} ~/.olam/auth-secret not found — skipping kubernetes Secret update. ` +

package/dist/lib/auth-refresh-kubernetes.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth-refresh-kubernetes.js","sourceRoot":"","sources":["../../src/lib/auth-refresh-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AACvF,OAAO,EAAE,qBAAqB,IAAI,2BAA2B,EAAE,MAAM,sBAAsB,CAAC;AAE5F,MAAM,aAAa,GAAG,MAAM,CAAC;AAmB7B;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkB,EAAE,IAA4B;IAC9E,MAAM,UAAU,GAA2B,EAAE,CAAC;IAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,UAAU,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,aAAa,CAAC;QACnB,UAAU,EAAE,IAAI;QAChB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE;QACxD,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,UAAU;KACjB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,UAAmB;IAKvD,OAAO,2BAA2B,CAAC,UAAU,CAAC,CAAC;AACjD,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,aAAqB,EACrB,OAAkC,EAAE;IAEpC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,IAAI,SAAS,CAAC;IACpD,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAE1D,MAAM,MAAM,GAAG,IAAI,CAAC,gBAAgB,IAAI,CAAC,CAAC,CAAS,EAAE,GAAW,EAAE,EAAE,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IAC9F,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,IAAI,CAAC,CAAC,CAAS,EAAE,IAAY,EAAE,IAAsB,EAAE,EAAE;QAC7F,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IAEjD,oCAAoC;IACpC,IAAI,eAAe,GAAkB,IAAI,CAAC;IAC1C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QAClD,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;YAAE,eAAe,GAAG,GAAG,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,6CAA6C;IAC/C,CAAC;IAED,2DAA2D;IAC3D,IAAI,eAAe,KAAK,IAAI,EAAE,CAAC;QAC7B,OAAO,CAAC,cAAc,EAAE,eAAe,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnE,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,sEAAsE;YAC5F,gDAAgD,CACjD,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,gFAAgF;IAChF,MAAM,UAAU,GAAG,eAAe,CAAC,mBAAmB,EAAE;QACtD,gBAAgB,EAAE,eAAe;KAClC,CAAC,CAAC;IAEH,mCAAmC;IACnC,MAAM,WAAW,GAAG,MAAM,IAAI,CAC5B,CAAC,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,EAChD,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,CACvC,CAAC;IAEF,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;QACpB,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,0CAA0C,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,CACzG,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,uEAAuE;IACvE,MAAM,aAAa,GAAG,MAAM,IAAI,CAC9B,CAAC,WAAW,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE,cAAc,uBAAuB,EAAE,EAAE,IAAI,EAAE,aAAa,CAAC,EAChH,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IAEF,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;QACtB,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,4BAA4B,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI;YAC/F,qEAAqE,CACtE,CAAC;QACF,iDAAiD;IACnD,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,yBAAyB,uBAAuB,wBAAwB,CAAC,CAAC;IACzG,CAAC;IAED,OAAO,CAAC,CAAC;AACX,CAAC"}
+{"version":3,"file":"auth-refresh-kubernetes.js","sourceRoot":"","sources":["../../src/lib/auth-refresh-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AACvF,OAAO,EAAE,qBAAqB,IAAI,2BAA2B,EAAE,MAAM,sBAAsB,CAAC;AAC5F,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AAE3G,MAAM,aAAa,GAAG,MAAM,CAAC;AAmB7B;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkB,EAAE,IAA4B;IAC9E,MAAM,UAAU,GAA2B,EAAE,CAAC;IAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,UAAU,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,aAAa,CAAC;QACnB,UAAU,EAAE,IAAI;QAChB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE;QACxD,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,UAAU;KACjB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,UAAmB;IAKvD,OAAO,2BAA2B,CAAC,UAAU,CAAC,CAAC;AACjD,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,aAAqB,EACrB,OAAkC,EAAE;IAEpC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,IAAI,SAAS,CAAC;IACpD,8DAA8D;IAC9D,MAAM,kBAAkB,GAAG,IAAI,CAAC,gBAAgB;QAC9C,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC;QACpC,CAAC,CAAC,iBAAiB,CAAC,aAAa,CAAC,CAAC;IACrC,2BAA2B;IAC3B,MAAM,mBAAmB,GAAG,IAAI,CAAC,gBAAgB;QAC/C,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC;QACpC,CAAC,CAAC,mBAAmB,CAAC,aAAa,CAAC,CAAC;IAEvC,MAAM,MAAM,GAAG,IAAI,CAAC,gBAAgB,IAAI,CAAC,CAAC,CAAS,EAAE,GAAW,EAAE,EAAE,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IAC9F,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,IAAI,CAAC,CAAC,CAAS,EAAE,IAAY,EAAE,IAAsB,EAAE,EAAE;QAC7F,gBAAgB,EAAE,CAAC;QACnB,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IAEjD,4BAA4B;IAC5B,IAAI,eAAe,GAAkB,IAAI,CAAC;IAC1C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACtD,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;YAAE,eAAe,GAAG,GAAG,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,6CAA6C;IAC/C,CAAC;IAED,6DAA6D;IAC7D,IAAI,eAAe,KAAK,IAAI,EAAE,CAAC;QAC7B,OAAO,CAAC,mBAAmB,EAAE,eAAe,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACxE,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,sEAAsE;YAC5F,gDAAgD,CACjD,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,gFAAgF;IAChF,MAAM,UAAU,GAAG,eAAe,CAAC,mBAAmB,EAAE;QACtD,gBAAgB,EAAE,eAAe;KAClC,CAAC,CAAC;IAEH,mCAAmC;IACnC,MAAM,WAAW,GAAG,MAAM,IAAI,CAC5B,CAAC,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,EAChD,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,CACvC,CAAC;IAEF,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;QACpB,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,0CAA0C,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,CACzG,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,uEAAuE;IACvE,MAAM,aAAa,GAAG,MAAM,IAAI,CAC9B,CAAC,WAAW,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE,cAAc,uBAAuB,EAAE,EAAE,IAAI,EAAE,aAAa,CAAC,EAChH,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IAEF,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;QACtB,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,4BAA4B,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI;YAC/F,qEAAqE,CACtE,CAAC;QACF,iDAAiD;IACnD,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,yBAAyB,uBAAuB,wBAAwB,CAAC,CAAC;IACzG,CAAC;IAED,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/lib/bootstrap-kubernetes.d.ts

@@ -33,10 +33,51 @@ export interface BootstrapKubernetesOptions {
     readonly autoInstall: boolean;
     readonly skipObservability: boolean;
     readonly skipClusterCreate: boolean;
+    readonly forceObservability: boolean;
+    /** Stream raw script output to the terminal instead of buffering. Useful when
+     *  debugging a failing observability script. Mirrors the --force-observability
+     *  pattern. Default: false (buffered; one-line status per script). */
+    readonly verboseObservability: boolean;
+    /**
+     * DEV-ONLY: mount a local olam source checkout into the k3d node at
+     * /host/olam. See `RunSetupOptions.hostCpDevPath` for full rationale —
+     * regular operators leave this unset; the published image is
+     * self-contained.
+     */
+    readonly hostCpDevPath?: string;
 }
 export interface BootstrapKubernetesResult {
     readonly exitCode: number;
     readonly summary: string;
 }
+/**
+ * Probe whether the component installed by `script` is already healthy.
+ * Uses `spawnSync` with `stdio: 'pipe'` so output never leaks to the operator.
+ * Returns false on any error or unexpected output — conservatively runs the
+ * script when in doubt.
+ */
+export declare function isObservabilityComponentReady(component: string): boolean;
+/**
+ * Read the Grafana admin credentials from the cluster secret.
+ * Returns null when the secret is absent or kubectl fails (bootstrap
+ * may not have run observability yet).
+ */
+export declare function getGrafanaCredentials(): {
+    user: string;
+    password: string;
+} | null;
+/**
+ * Run a single observability bash script, capturing all output to a log file
+ * instead of streaming it to the terminal. Returns whether the script
+ * succeeded, how long it took, and the log path for error context.
+ *
+ * When `verbose` is true the function falls back to `stdio: 'inherit'` so the
+ * operator can watch the raw output live (useful when debugging a failure).
+ */
+export declare function runObservabilityScript(scriptPath: string, scriptName: string, env: NodeJS.ProcessEnv, verbose?: boolean): {
+    ok: boolean;
+    durationMs: number;
+    logPath: string;
+};
 export declare function runBootstrapKubernetes(rawOpts: Partial<BootstrapKubernetesOptions>): Promise<BootstrapKubernetesResult>;
 //# sourceMappingURL=bootstrap-kubernetes.d.ts.map

package/dist/lib/bootstrap-kubernetes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap-kubernetes.d.ts","sourceRoot":"","sources":["../../src/lib/bootstrap-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AA0BH,eAAO,MAAM,mBAAmB,cAAc,CAAC;AAsC/C,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;CACrC;AAED,MAAM,WAAW,yBAAyB;IACxC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AA4ZD,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,OAAO,CAAC,0BAA0B,CAAC,GAC3C,OAAO,CAAC,yBAAyB,CAAC,CAgCpC"}
+{"version":3,"file":"bootstrap-kubernetes.d.ts","sourceRoot":"","sources":["../../src/lib/bootstrap-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AA4BH,eAAO,MAAM,mBAAmB,cAAc,CAAC;AAsC/C,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAC;IACrC;;0EAEsE;IACtE,QAAQ,CAAC,oBAAoB,EAAE,OAAO,CAAC;IACvC;;;;;OAKG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;CACjC;AAED,MAAM,WAAW,yBAAyB;IACxC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAqSD;;;;;GAKG;AACH,wBAAgB,6BAA6B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAqFxE;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,IAAI;IACvC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;CAClB,GAAG,IAAI,CA0BP;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,MAAM,CAAC,UAAU,EACtB,OAAO,GAAE,OAAe,GACvB;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAwBtD;AA+QD,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,OAAO,CAAC,0BAA0B,CAAC,GAC3C,OAAO,CAAC,yBAAyB,CAAC,CAmCpC"}

package/dist/lib/bootstrap-kubernetes.js

@@ -28,7 +28,7 @@
  * the prereq + cluster-create + observability wrapper around it.
  */
 import { spawnSync } from "node:child_process";
-import { existsSync, mkdirSync, readdirSync, writeFileSync, chmodSync, } from "node:fs";
+import { existsSync, mkdirSync, readdirSync, readFileSync, writeFileSync, chmodSync, } from "node:fs";
 import { join } from "node:path";
 import { homedir, platform } from "node:os";
 import { randomBytes } from "node:crypto";
@@ -36,6 +36,7 @@ import pc from "picocolors";
 import { printError, printSuccess, printInfo, printWarning, printHeader, } from "../output.js";
 import { installRoot } from "../install-root.js";
 import { resolveK8sAssetsRoot } from "./k8s-bootstrap.js";
+import { canonicalSecretPath, ensureSecretsDir } from "@olam/core/src/secrets/paths.js";
 const OLAM_HOME = join(homedir(), ".olam");
 export const DEFAULT_K3S_CLUSTER = "olam-host";
 const REQUIRED_TOOLS = [
@@ -159,16 +160,20 @@ function preflight(opts) {
 function ensureSecrets() {
     step("1/6 — operator secrets");
     mkdirSync(OLAM_HOME, { recursive: true });
+    ensureSecretsDir();
     for (const name of SECRET_FILES) {
-        const path = join(OLAM_HOME, name);
-        if (existsSync(path)) {
-            printInfo("skip", `~/.olam/${name} already exists`);
+        // Write to canonical new location (~/.olam/secrets/<name>).
+        const newPath = canonicalSecretPath(name);
+        // Legacy path — if it already exists there, skip (migration handles move).
+        const legacyPath = join(OLAM_HOME, name);
+        if (existsSync(newPath) || existsSync(legacyPath)) {
+            printInfo("skip", `~/.olam/secrets/${name} already exists`);
             continue;
         }
         const hex = randomBytes(32).toString("hex");
-        writeFileSync(path, hex + "\n", { encoding: "utf8", mode: 0o600 });
-        chmodSync(path, 0o600);
-        printSuccess(`generated ~/.olam/${name}`);
+        writeFileSync(newPath, hex + "\n", { encoding: "utf8", mode: 0o600 });
+        chmodSync(newPath, 0o600);
+        printSuccess(`generated ~/.olam/secrets/${name}`);
     }
 }
 function ensureColima() {
@@ -214,13 +219,32 @@ function ensureCluster(opts) {
         printInfo("cluster", `'${opts.cluster}' already exists`);
         return;
     }
-    const ghConfigBind = `${homedir()}/.config/gh:/host/.config/gh`;
+    // host-cp's deployment has two hostPath mounts:
+    //   /host/.config/gh   ← gh CLI config (optional; bound when present)
+    //   /host/olam         ← operator's olam source (DEV ONLY via --host-cp-dev-path)
+    // Published-CLI consumers have no olam checkout; the operator-repo mount
+    // is left absent + DirectoryOrCreate handles it gracefully in-cluster.
+    const volumes = [];
+    const ghConfigDir = `${homedir()}/.config/gh`;
+    if (existsSync(ghConfigDir)) {
+        volumes.push("--volume", `${ghConfigDir}:/host/.config/gh`);
+    }
+    else {
+        printInfo("cluster", `${ghConfigDir} not found; skipping gh-config bind (run \`gh auth login\` to enable)`);
+    }
+    if (opts.hostCpDevPath) {
+        if (!existsSync(opts.hostCpDevPath)) {
+            printError(`--host-cp-dev-path ${opts.hostCpDevPath} does not exist`);
+            process.exit(1);
+        }
+        volumes.push("--volume", `${opts.hostCpDevPath}:/host/olam`);
+        printInfo("cluster", `dev-mode: mounting ${opts.hostCpDevPath} → /host/olam`);
+    }
     runOrFail("k3d", [
         "cluster",
         "create",
         opts.cluster,
-        "--volume",
-        ghConfigBind,
+        ...volumes,
         "--wait",
         "--timeout",
         "90s",
@@ -284,12 +308,147 @@ function resolveBundleRoot() {
     }
     return null;
 }
+/**
+ * Probe whether the component installed by `script` is already healthy.
+ * Uses `spawnSync` with `stdio: 'pipe'` so output never leaks to the operator.
+ * Returns false on any error or unexpected output — conservatively runs the
+ * script when in doubt.
+ */
+export function isObservabilityComponentReady(component) {
+    /** Silent kubectl probe — returns trimmed stdout or empty string on failure. */
+    function kget(args) {
+        const r = spawnSync("kubectl", [...args], {
+            encoding: "utf-8",
+            stdio: "pipe",
+        });
+        if (r.status !== 0)
+            return "";
+        return (r.stdout ?? "").trim();
+    }
+    switch (component) {
+        case "kyverno-cardinality-mutate": {
+            // ClusterPolicy doesn't expose `.status.ready` as a flat field — the real
+            // shape is `.status.conditions[?(@.type=="Ready")].status == "True"`.
+            // The previous flat probe always returned empty → script re-ran every
+            // boot. Caught during live verification on 2026-05-28.
+            const policyReady = kget([
+                "get", "clusterpolicy", "enforce-cardinality-labeldrop",
+                "-o", `jsonpath={.status.conditions[?(@.type=="Ready")].status}`,
+            ]);
+            const admissionReplicas = parseInt(kget([
+                "get", "deploy", "-n", "kyverno", "kyverno-admission-controller",
+                "-o", "jsonpath={.status.readyReplicas}",
+            ]) || "0", 10);
+            return policyReady === "True" && admissionReplicas >= 1;
+        }
+        case "prom-no-double-grafana": {
+            const grafanaReplicas = parseInt(kget([
+                "-n", "monitoring", "get", "deploy", "olam-grafana",
+                "-o", "jsonpath={.status.readyReplicas}",
+            ]) || "0", 10);
+            const promReplicas = parseInt(kget([
+                "-n", "monitoring", "get", "sts",
+                "prometheus-olam-prom-kube-prometheus-prometheus",
+                "-o", "jsonpath={.status.readyReplicas}",
+            ]) || "0", 10);
+            return grafanaReplicas >= 1 && promReplicas >= 1;
+        }
+        case "loki-ingest": {
+            const lokiReplicas = parseInt(kget([
+                "-n", "monitoring", "get", "sts", "olam-loki",
+                "-o", "jsonpath={.status.readyReplicas}",
+            ]) || "0", 10);
+            const promtailReady = parseInt(kget([
+                "-n", "monitoring", "get", "ds", "olam-promtail",
+                "-o", "jsonpath={.status.numberReady}",
+            ]) || "0", 10);
+            return lokiReplicas >= 1 && promtailReady >= 1;
+        }
+        case "grafana-port-forward": {
+            // Probe: Grafana deploy has >= 1 ready replica AND the olam-dashboards
+            // ConfigMap exists (created by this script). When both are true the
+            // chart + dashboards are already installed; skip the re-run.
+            const grafanaReplicas = parseInt(kget([
+                "-n", "monitoring", "get", "deploy", "olam-grafana",
+                "-o", "jsonpath={.status.readyReplicas}",
+            ]) || "0", 10);
+            const dashboardsCm = kget([
+                "-n", "monitoring", "get", "cm", "olam-dashboards",
+                "-o", "name",
+            ]);
+            return grafanaReplicas >= 1 && dashboardsCm.trim().length > 0;
+        }
+        default:
+            return false;
+    }
+}
+/**
+ * Read the Grafana admin credentials from the cluster secret.
+ * Returns null when the secret is absent or kubectl fails (bootstrap
+ * may not have run observability yet).
+ */
+export function getGrafanaCredentials() {
+    function getSecretKey(key) {
+        const r = spawnSync("kubectl", [
+            "-n", "monitoring", "get", "secret", "olam-grafana-admin",
+            "-o", `jsonpath={.data.${key}}`,
+        ], { encoding: "utf-8", stdio: "pipe" });
+        if (r.status !== 0)
+            return "";
+        return (r.stdout ?? "").trim();
+    }
+    const rawUser = getSecretKey("admin-user");
+    const rawPassword = getSecretKey("admin-password");
+    if (!rawUser || !rawPassword)
+        return null;
+    try {
+        const user = Buffer.from(rawUser, "base64").toString("utf-8");
+        const password = Buffer.from(rawPassword, "base64").toString("utf-8");
+        if (!user || !password)
+            return null;
+        return { user, password };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Run a single observability bash script, capturing all output to a log file
+ * instead of streaming it to the terminal. Returns whether the script
+ * succeeded, how long it took, and the log path for error context.
+ *
+ * When `verbose` is true the function falls back to `stdio: 'inherit'` so the
+ * operator can watch the raw output live (useful when debugging a failure).
+ */
+export function runObservabilityScript(scriptPath, scriptName, env, verbose = false) {
+    const logDir = join(homedir(), ".olam", "logs");
+    mkdirSync(logDir, { recursive: true });
+    const baseName = scriptName.replace(/\.sh$/, "");
+    const logPath = join(logDir, `observability-${baseName}.log`);
+    const startMs = Date.now();
+    if (verbose) {
+        // Verbose mode: stream directly to terminal; log file captures nothing.
+        const result = spawnSync("bash", [scriptPath], { stdio: "inherit", env });
+        const durationMs = Date.now() - startMs;
+        writeFileSync(logPath, `(verbose mode — output streamed to terminal)\n`, "utf-8");
+        return { ok: result.status === 0, durationMs, logPath };
+    }
+    const result = spawnSync("bash", [scriptPath], {
+        stdio: "pipe",
+        env,
+        encoding: "utf-8",
+    });
+    const durationMs = Date.now() - startMs;
+    const combined = (result.stdout ?? "") + (result.stderr ?? "");
+    writeFileSync(logPath, combined, "utf-8");
+    return { ok: result.status === 0, durationMs, logPath };
+}
 function installObservability(opts) {
     if (opts.skipObservability) {
         step("4/6 — observability (skipped via --skip-observability)");
         return;
     }
-    step("4/6 — observability stack (Loki + Promtail + Grafana + Prometheus + Kyverno)");
+    step("4/6 — observability");
     const observabilityDir = resolveObservabilityScriptsDir();
     if (!observabilityDir) {
         throw new Error(`Bundled observability assets missing. ` +
@@ -306,30 +465,85 @@ function installObservability(opts) {
     if (bundleRoot) {
         scriptEnv.OLAM_BUNDLE_ROOT = bundleRoot;
     }
+    const outcomes = [];
     for (const script of OBSERVABILITY_SCRIPTS) {
         const path = join(observabilityDir, script);
         if (!existsSync(path)) {
-            printWarning(`observability script missing: ${script} — skipping`);
+            outcomes.push({ script, state: "missing" });
             continue;
         }
-        printInfo("run", script);
-        const result = spawnSync("bash", [path], {
-            stdio: "inherit",
-            env: scriptEnv,
-        });
-        if (result.status !== 0) {
-            // loki-ingest's 10s scrub-wait is known to flake on cold-start; the
-            // underlying Loki/Promtail install almost always succeeded.
-            if (script === "loki-ingest.sh") {
-                printWarning("loki-ingest non-zero — likely Promtail scrub-wait flake; continuing");
-            }
-            else {
-                printError(`${script} failed — observability stack not ready`);
-                process.exit(1);
+        if (!opts.forceObservability) {
+            const component = script.replace(/\.sh$/, "");
+            if (isObservabilityComponentReady(component)) {
+                outcomes.push({ script, state: "skipped" });
+                continue;
             }
         }
+        const runResult = runObservabilityScript(path, script, scriptEnv, opts.verboseObservability);
+        if (runResult.ok) {
+            outcomes.push({
+                script,
+                state: "ran",
+                durationMs: runResult.durationMs,
+                logPath: runResult.logPath,
+            });
+        }
+        else if (script === "loki-ingest.sh") {
+            outcomes.push({
+                script,
+                state: "loki-flake",
+                durationMs: runResult.durationMs,
+                logPath: runResult.logPath,
+            });
+        }
         else {
-            printSuccess(`${script} passed`);
+            outcomes.push({
+                script,
+                state: "ran-failed",
+                durationMs: runResult.durationMs,
+                logPath: runResult.logPath,
+            });
+        }
+    }
+    // Compact name: strip the .sh suffix and the cardinality-mutate suffix that
+    // serves no informational purpose at this level.
+    const niceName = (script) => script.replace(/\.sh$/, "").replace(/-cardinality-mutate$/, "");
+    // All-installed fast path: one line instead of four. Trims the most common
+    // case (operator re-runs setup on a healthy cluster) to a single line.
+    const allSkipped = outcomes.length > 0 && outcomes.every((o) => o.state === "skipped");
+    if (allSkipped) {
+        printSuccess(`all ${outcomes.length} already installed (--force-observability to reinstall)`);
+        return;
+    }
+    for (const o of outcomes) {
+        const name = niceName(o.script);
+        const seconds = o.durationMs !== undefined
+            ? `${(o.durationMs / 1000).toFixed(1)}s`
+            : "";
+        switch (o.state) {
+            case "missing":
+                printWarning(`${name}: script not found — skipping`);
+                break;
+            case "skipped":
+                printSuccess(`${name}: already installed`);
+                break;
+            case "ran":
+                printSuccess(`${name}: ${seconds}`);
+                break;
+            case "loki-flake":
+                printWarning(`${name}: ${seconds} (promtail scrub-wait flake; continuing)`);
+                break;
+            case "ran-failed": {
+                printError(`${name}: failed (${seconds}) — log=${o.logPath}`);
+                if (o.logPath !== undefined) {
+                    const tail = readFileSync(o.logPath, "utf-8")
+                        .split("\n")
+                        .slice(-20)
+                        .join("\n");
+                    process.stderr.write(`  --- last 20 lines from ${o.script} ---\n${tail}\n`);
+                }
+                process.exit(1);
+            }
         }
     }
 }
@@ -364,17 +578,46 @@ function applyPeripheralServicesManifests() {
         printWarning("no non-deployment peripheral-services manifests found — skipping");
         return;
     }
+    // Capture kubectl apply output for each manifest; count unchanged vs changed.
+    // On a healthy re-run every resource reports "unchanged" — no per-manifest spam.
+    // Verbose output is written to ~/.olam/logs/peripheral-services-apply.log.
+    const logDir = join(homedir(), ".olam", "logs");
+    mkdirSync(logDir, { recursive: true });
+    const logPath = join(logDir, "peripheral-services-apply.log");
+    const logLines = [];
+    let unchangedCount = 0;
+    let changedCount = 0;
     for (const manifest of manifestFiles) {
-        printInfo("apply", manifest.replace(manifestsDir + "/", ""));
         const r = spawnSync("kubectl", ["apply", "-f", manifest], {
-            stdio: "inherit",
+            stdio: "pipe",
+            encoding: "utf-8",
         });
+        const combined = (r.stdout ?? "") + (r.stderr ?? "");
+        logLines.push(`==> ${manifest}\n${combined}`);
         if (r.status !== 0) {
-            printError(`kubectl apply failed for ${manifest}`);
+            // Write the full log before aborting so the operator can diagnose.
+            writeFileSync(logPath, logLines.join("\n"), "utf-8");
+            printError(`kubectl apply failed for ${manifest.replace(manifestsDir + "/", "")} — see ${logPath}`);
+            process.stderr.write(`  --- last lines ---\n${combined.split("\n").slice(-10).join("\n")}\n`);
             process.exit(r.status ?? 1);
         }
+        // Count resources by whether kubectl reported "unchanged" or "configured"/"created".
+        const lines = combined.split("\n").filter((l) => l.trim().length > 0);
+        for (const line of lines) {
+            if (/unchanged$/.test(line.trim())) {
+                unchangedCount++;
+            }
+            else if (/configured$|created$/.test(line.trim())) {
+                changedCount++;
+            }
+        }
     }
-    printSuccess("peripheral-services manifests applied");
+    writeFileSync(logPath, logLines.join("\n"), "utf-8");
+    // Compact: "12 manifests — no-op" or "12 manifests — 3 changed"
+    const summary = changedCount > 0
+        ? `${manifestFiles.length} manifests — ${changedCount} changed`
+        : `${manifestFiles.length} manifests — no-op`;
+    printSuccess(`peripheral-services: ${summary}`);
 }
 function delegateToUpgrade() {
     step("6/6 — apply host-cp + peripherals + rollout (olam upgrade)");
@@ -393,6 +636,11 @@ function delegateToUpgrade() {
 }
 function summary(opts) {
     step("done");
+    const grafanaCreds = getGrafanaCredentials();
+    const grafanaCredsBlock = grafanaCreds
+        ? `    User:     ${grafanaCreds.user}\n    Password: ${grafanaCreds.password}`
+        : `    # Get password: kubectl -n monitoring get secret olam-grafana-admin \\
+    #   -o jsonpath='{.data.admin-password}' | base64 -d`;
     process.stdout.write(`
   Cluster:    ${opts.cluster}
   Next steps:
@@ -401,11 +649,13 @@ function summary(opts) {
     kubectl get pods -n olam
 
   Grafana:
-    kubectl port-forward -n monitoring svc/olam-grafana 3000:80
-    open http://localhost:3000
-    # admin password:
-    kubectl get secret olam-grafana-admin -n monitoring \\
-      -o jsonpath='{.data.admin-password}' | base64 -d
+    URL:          http://localhost:3000  (after the port-forward below)
+${grafanaCredsBlock}
+    Port-forward: kubectl port-forward -n monitoring svc/olam-grafana 3000:80
+
+  Prometheus:
+    URL:          http://localhost:9090  (after the port-forward below)
+    Port-forward: kubectl port-forward -n monitoring svc/olam-prom-kube-prometheus-prometheus 9090:9090
 `);
 }
 export async function runBootstrapKubernetes(rawOpts) {
@@ -421,6 +671,9 @@ export async function runBootstrapKubernetes(rawOpts) {
         autoInstall: rawOpts.autoInstall ?? defaultAutoInstall,
         skipObservability: rawOpts.skipObservability ?? false,
         skipClusterCreate: rawOpts.skipClusterCreate ?? false,
+        forceObservability: rawOpts.forceObservability ?? false,
+        verboseObservability: rawOpts.verboseObservability ?? false,
+        hostCpDevPath: rawOpts.hostCpDevPath,
     };
     printHeader("olam setup — k3s mode");
     printInfo("mode", "one-command bring-up of olam peripherals + observability on a local k3d cluster");