@pleri/olam-cli 0.1.188 → 0.1.195

package/dist/lib/memory-secret.js

@@ -16,7 +16,8 @@ import { existsSync, mkdirSync, readFileSync, statSync, writeFileSync, renameSyn
 import { homedir } from 'node:os';
 import { join, dirname } from 'node:path';
 import { randomBytes } from 'node:crypto';
-export const MEMORY_SECRET_PATH = join(homedir(), '.olam', 'memory-secret');
+import { resolveSecretPath, canonicalSecretPath } from '@olam/core/src/secrets/paths.js';
+export const MEMORY_SECRET_PATH = resolveSecretPath('memory-secret');
 /**
  * Default cloud-mode secret path. Phase C C2.
  *
@@ -25,7 +26,13 @@ export const MEMORY_SECRET_PATH = join(homedir(), '.olam', 'memory-secret');
  * config-resolver (C4) handles the precedence; this constant is the
  * fall-through when the operator doesn't override.
  */
-export const CLOUD_MEMORY_SECRET_PATH = join(homedir(), '.olam', 'cloud-memory-secret');
+export const CLOUD_MEMORY_SECRET_PATH = resolveSecretPath('cloud-memory-secret');
+/**
+ * Canonical (new) location for memory secret — used by writers.
+ * Defined here as a convenience alias so callers don't need to import from core.
+ */
+export const MEMORY_SECRET_CANONICAL_PATH = canonicalSecretPath('memory-secret');
+export const CLOUD_MEMORY_SECRET_CANONICAL_PATH = canonicalSecretPath('cloud-memory-secret');
 export const SECRET_LEN_BYTES = 32; // 64 hex chars
 /** Generate a 64-char hex secret. */
 export function generateSecret() {
@@ -36,7 +43,7 @@ export function generateSecret() {
  * created with default mode if absent.
  */
 export function writeSecretAtPath(path, value) {
-    mkdirSync(dirname(path), { recursive: true });
+    mkdirSync(dirname(path), { recursive: true, mode: 0o700 });
     const tmp = `${path}.tmp.${process.pid}`;
     writeFileSync(tmp, value, { mode: 0o600 });
     // writeFileSync's mode is umask-respecting; chmod explicitly to be safe.
@@ -65,15 +72,20 @@ export function readSecretAtPath(path) {
     return v;
 }
 /**
- * Ensure `~/.olam/memory-secret` exists with mode 0600. Generates a
+ * Ensure `~/.olam/secrets/memory-secret` exists with mode 0600. Generates a
  * fresh 64-char hex secret on first call. Idempotent.
+ *
+ * Reads from the resolved path (new or legacy fallback); writes to canonical.
  */
 export function ensureMemorySecret(path = MEMORY_SECRET_PATH) {
     const existing = readSecretAtPathOrNull(path);
     if (existing)
         return existing;
     const fresh = generateSecret();
-    writeSecretAtPath(path, fresh);
+    // When using the default resolved path, write to canonical new location.
+    // When given an explicit path (test seam or direct caller), honour it for write too.
+    const writePath = path === MEMORY_SECRET_PATH ? MEMORY_SECRET_CANONICAL_PATH : path;
+    writeSecretAtPath(writePath, fresh);
     return fresh;
 }
 /** Read the local-mode memory secret (no-throw shape). */
@@ -88,8 +100,10 @@ export function readMemorySecret(path = MEMORY_SECRET_PATH) {
  * Rotate the secret: generate fresh value, atomically replace the file,
  * return the new value. Caller is responsible for restarting any
  * running memory service so it picks up the new value.
+ *
+ * Always writes to canonical path (~/.olam/secrets/memory-secret).
  */
-export function rotateMemorySecret(path = MEMORY_SECRET_PATH) {
+export function rotateMemorySecret(path = MEMORY_SECRET_CANONICAL_PATH) {
     const fresh = generateSecret();
     writeSecretAtPath(path, fresh);
     return fresh;
@@ -119,8 +133,11 @@ export function readCloudMemorySecretOrNull(path = CLOUD_MEMORY_SECRET_PATH) {
 export function readCloudMemorySecret(path = CLOUD_MEMORY_SECRET_PATH) {
     return readSecretAtPath(path);
 }
-/** Atomic write 0600. Caller supplies the value (cloud secrets are operator-prompted, not generated). */
-export function writeCloudMemorySecret(value, path = CLOUD_MEMORY_SECRET_PATH) {
+/**
+ * Atomic write 0600. Caller supplies the value (cloud secrets are
+ * operator-prompted, not generated). Always writes to canonical path.
+ */
+export function writeCloudMemorySecret(value, path = CLOUD_MEMORY_SECRET_CANONICAL_PATH) {
     writeSecretAtPath(path, value);
 }
 /** Convenience: is a cloud secret on disk? */

package/dist/lib/memory-secret.js.map

@@ -1 +1 @@
-{"version":3,"file":"memory-secret.js","sourceRoot":"","sources":["../../src/lib/memory-secret.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,aAAa,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC1H,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,eAAe,CAAC,CAAC;AAC5E;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,qBAAqB,CAAC,CAAC;AACxF,MAAM,CAAC,MAAM,gBAAgB,GAAG,EAAE,CAAC,CAAC,eAAe;AAEnD,qCAAqC;AACrC,MAAM,UAAU,cAAc;IAC5B,OAAO,WAAW,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACvD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAY,EAAE,KAAa;IAC3D,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,GAAG,IAAI,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;IACzC,aAAa,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3C,yEAAyE;IACzE,SAAS,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACtB,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAAY;IACjD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;IACzC,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,SAAS,IAAI,cAAc,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,mEAAmE,CAC/G,CAAC;IACJ,CAAC;IACD,OAAO,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;AAC3C,CAAC;AAED,uCAAuC;AACvC,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,MAAM,CAAC,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,uBAAuB,IAAI,2CAA2C,CACvE,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe,kBAAkB;IAClE,MAAM,QAAQ,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAC9C,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC9B,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,iBAAiB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,sBAAsB,CAAC,OAAe,kBAAkB;IACtE,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC;AACtC,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,gBAAgB,CAAC,OAAe,kBAAkB;IAChE,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe,kBAAkB;IAClE,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,iBAAiB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,eAAe,CAAC,OAAe,kBAAkB;IAC/D,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,+EAA+E;AAC/E,EAAE;AACF,yEAAyE;AACzE,wEAAwE;AACxE,4EAA4E;AAC5E,6EAA6E;AAC7E,oEAAoE;AACpE,iCAAiC;AAEjC;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAe,wBAAwB;IAEvC,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC;AACtC,CAAC;AAED,gGAAgG;AAChG,MAAM,UAAU,qBAAqB,CAAC,OAAe,wBAAwB;IAC3E,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AAED,yGAAyG;AACzG,MAAM,UAAU,sBAAsB,CACpC,KAAa,EACb,OAAe,wBAAwB;IAEvC,iBAAiB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACjC,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,oBAAoB,CAAC,OAAe,wBAAwB;IAC1E,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
+{"version":3,"file":"memory-secret.js","sourceRoot":"","sources":["../../src/lib/memory-secret.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,aAAa,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC1H,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AAEzF,MAAM,CAAC,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,eAAe,CAAC,CAAC;AACrE;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,iBAAiB,CAAC,qBAAqB,CAAC,CAAC;AAEjF;;;GAGG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,mBAAmB,CAAC,eAAe,CAAC,CAAC;AACjF,MAAM,CAAC,MAAM,kCAAkC,GAAG,mBAAmB,CAAC,qBAAqB,CAAC,CAAC;AAC7F,MAAM,CAAC,MAAM,gBAAgB,GAAG,EAAE,CAAC,CAAC,eAAe;AAEnD,qCAAqC;AACrC,MAAM,UAAU,cAAc;IAC5B,OAAO,WAAW,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACvD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAY,EAAE,KAAa;IAC3D,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,GAAG,IAAI,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;IACzC,aAAa,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3C,yEAAyE;IACzE,SAAS,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACtB,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAAY;IACjD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;IACzC,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,SAAS,IAAI,cAAc,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,mEAAmE,CAC/G,CAAC;IACJ,CAAC;IACD,OAAO,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;AAC3C,CAAC;AAED,uCAAuC;AACvC,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,MAAM,CAAC,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,uBAAuB,IAAI,2CAA2C,CACvE,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe,kBAAkB;IAClE,MAAM,QAAQ,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAC9C,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC9B,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,yEAAyE;IACzE,qFAAqF;IACrF,MAAM,SAAS,GAAG,IAAI,KAAK,kBAAkB,CAAC,CAAC,CAAC,4BAA4B,CAAC,CAAC,CAAC,IAAI,CAAC;IACpF,iBAAiB,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IACpC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,sBAAsB,CAAC,OAAe,kBAAkB;IACtE,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC;AACtC,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,gBAAgB,CAAC,OAAe,kBAAkB;IAChE,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe,4BAA4B;IAC5E,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,iBAAiB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,eAAe,CAAC,OAAe,kBAAkB;IAC/D,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,+EAA+E;AAC/E,EAAE;AACF,yEAAyE;AACzE,wEAAwE;AACxE,4EAA4E;AAC5E,6EAA6E;AAC7E,oEAAoE;AACpE,iCAAiC;AAEjC;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAe,wBAAwB;IAEvC,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC;AACtC,CAAC;AAED,gGAAgG;AAChG,MAAM,UAAU,qBAAqB,CAAC,OAAe,wBAAwB;IAC3E,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CACpC,KAAa,EACb,OAAe,kCAAkC;IAEjD,iBAAiB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACjC,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,oBAAoB,CAAC,OAAe,wBAAwB;IAC1E,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/lib/upgrade-check.d.ts

@@ -0,0 +1,60 @@
+/**
+ * upgrade-check.ts — non-blocking upgrade-available banner for olam CLI.
+ *
+ * On each `olam <command>` invocation, asynchronously checks whether a newer
+ * version of `@pleri/olam-cli` is available on npm. The result is cached for
+ * 24 hours in `~/.olam/cli-upgrade-cache.json` so the npm check fires at most
+ * once per day. Any network or FS failure silently skips the banner.
+ *
+ * Suppression rules (any match → silent):
+ *   - OLAM_DISABLE_UPGRADE_BANNER=1
+ *   - --json flag present in argv
+ *   - stdout is not a TTY
+ */
+export declare const UPGRADE_CACHE_TTL_MS: number;
+export declare const NPM_CHECK_TIMEOUT_MS = 2000;
+export declare const DEFAULT_CACHE_PATH: string;
+/**
+ * Fetch the latest published version of @pleri/olam-cli from the npm registry.
+ * Returns null on any network error or timeout.
+ */
+export declare function fetchLatestVersion(timeoutMs?: number): Promise<string | null>;
+/**
+ * Determine the latest version, using cache when fresh.
+ * Always returns without throwing. Returns null when unavailable.
+ */
+export declare function resolveLatestVersion(opts: {
+    cachePath?: string;
+    now?: number;
+    fetchFn?: (timeout: number) => Promise<string | null>;
+}): Promise<string | null>;
+/**
+ * Build the upgrade banner string (with box-drawing characters).
+ */
+export declare function buildBanner(latestVersion: string, currentVersion: string): string;
+/**
+ * Returns true when the upgrade banner should be suppressed.
+ */
+export declare function shouldSuppressBanner(opts: {
+    env?: Record<string, string | undefined>;
+    argv?: readonly string[];
+    isTTY?: boolean;
+}): boolean;
+/**
+ * Fire-and-forget upgrade check. Resolves the latest version, prints a banner
+ * to stdout if a newer version is available, and swallows all errors.
+ *
+ * Call this BEFORE program.parseAsync(). The promise is not awaited — the
+ * banner races the command action. For short commands this means the banner
+ * arrives before exit; for fast commands that call process.exit explicitly
+ * (e.g. olam --version), the banner may be suppressed naturally.
+ */
+export declare function scheduleUpgradeCheck(currentVersion: string, opts?: {
+    cachePath?: string;
+    fetchFn?: (timeout: number) => Promise<string | null>;
+    env?: Record<string, string | undefined>;
+    argv?: readonly string[];
+    isTTY?: boolean;
+    write?: (s: string) => void;
+}): Promise<void>;
+//# sourceMappingURL=upgrade-check.d.ts.map

package/dist/lib/upgrade-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"upgrade-check.d.ts","sourceRoot":"","sources":["../../src/lib/upgrade-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,eAAO,MAAM,oBAAoB,QAAsB,CAAC;AACxD,eAAO,MAAM,oBAAoB,OAAQ,CAAC;AAE1C,eAAO,MAAM,kBAAkB,QAA6D,CAAC;AAgD7F;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,SAAS,SAAuB,GAC/B,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAuBxB;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,IAAI,EAAE;IAC/C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CACvD,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAoBzB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,aAAa,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAWjF;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE;IACzC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IACzC,IAAI,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACzB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB,GAAG,OAAO,CASV;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,cAAc,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;IAClE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACtD,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IACzC,IAAI,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACzB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,KAAK,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;CAC7B,GAAG,OAAO,CAAC,IAAI,CAAC,CAmBhB"}

package/dist/lib/upgrade-check.js

@@ -0,0 +1,169 @@
+/**
+ * upgrade-check.ts — non-blocking upgrade-available banner for olam CLI.
+ *
+ * On each `olam <command>` invocation, asynchronously checks whether a newer
+ * version of `@pleri/olam-cli` is available on npm. The result is cached for
+ * 24 hours in `~/.olam/cli-upgrade-cache.json` so the npm check fires at most
+ * once per day. Any network or FS failure silently skips the banner.
+ *
+ * Suppression rules (any match → silent):
+ *   - OLAM_DISABLE_UPGRADE_BANNER=1
+ *   - --json flag present in argv
+ *   - stdout is not a TTY
+ */
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
+export const UPGRADE_CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+export const NPM_CHECK_TIMEOUT_MS = 2_000;
+export const DEFAULT_CACHE_PATH = path.join(os.homedir(), '.olam', 'cli-upgrade-cache.json');
+function parseVersion(v) {
+    const parts = v.replace(/^[^0-9]*/, '').split('.').map(Number);
+    return [parts[0] ?? 0, parts[1] ?? 0, parts[2] ?? 0];
+}
+function isNewer(latest, current) {
+    const [la, lb, lc] = parseVersion(latest);
+    const [ca, cb, cc] = parseVersion(current);
+    if (la !== ca)
+        return la > ca;
+    if (lb !== cb)
+        return lb > cb;
+    return lc > cc;
+}
+function readCache(cachePath) {
+    try {
+        const raw = fs.readFileSync(cachePath, 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (typeof parsed === 'object' &&
+            parsed !== null &&
+            typeof parsed['checkedAt'] === 'number' &&
+            typeof parsed['latestVersion'] === 'string') {
+            return parsed;
+        }
+    }
+    catch {
+        // unreadable or missing — treat as no cache
+    }
+    return null;
+}
+function writeCache(cachePath, data) {
+    try {
+        const dir = path.dirname(cachePath);
+        fs.mkdirSync(dir, { recursive: true });
+        fs.writeFileSync(cachePath, JSON.stringify(data), 'utf-8');
+    }
+    catch {
+        // non-fatal
+    }
+}
+/**
+ * Fetch the latest published version of @pleri/olam-cli from the npm registry.
+ * Returns null on any network error or timeout.
+ */
+export async function fetchLatestVersion(timeoutMs = NPM_CHECK_TIMEOUT_MS) {
+    const ac = new AbortController();
+    const timer = setTimeout(() => ac.abort(), timeoutMs);
+    try {
+        const res = await fetch('https://registry.npmjs.org/@pleri/olam-cli/latest', {
+            signal: ac.signal,
+            headers: { accept: 'application/json' },
+        });
+        if (!res.ok)
+            return null;
+        const json = (await res.json());
+        if (typeof json === 'object' &&
+            json !== null &&
+            typeof json['version'] === 'string') {
+            return json['version'];
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * Determine the latest version, using cache when fresh.
+ * Always returns without throwing. Returns null when unavailable.
+ */
+export async function resolveLatestVersion(opts) {
+    const cachePath = opts.cachePath ?? DEFAULT_CACHE_PATH;
+    const now = opts.now ?? Date.now();
+    const fetchFn = opts.fetchFn ?? fetchLatestVersion;
+    const cached = readCache(cachePath);
+    if (cached !== null && now - cached.checkedAt < UPGRADE_CACHE_TTL_MS) {
+        return cached.latestVersion;
+    }
+    let latest = null;
+    try {
+        latest = await fetchFn(NPM_CHECK_TIMEOUT_MS);
+    }
+    catch {
+        return null;
+    }
+    if (latest !== null) {
+        writeCache(cachePath, { checkedAt: now, latestVersion: latest });
+    }
+    return latest;
+}
+/**
+ * Build the upgrade banner string (with box-drawing characters).
+ */
+export function buildBanner(latestVersion, currentVersion) {
+    const line1 = `  olam v${latestVersion} available (you have v${currentVersion})  `;
+    const line2 = `  Update: npm install -g @pleri/olam-cli@latest  `;
+    const width = Math.max(line1.length, line2.length);
+    const pad1 = line1.padEnd(width);
+    const pad2 = line2.padEnd(width);
+    const top = `╭${'─'.repeat(width)}╮`;
+    const mid1 = `│${pad1}│`;
+    const mid2 = `│${pad2}│`;
+    const bot = `╰${'─'.repeat(width)}╯`;
+    return [top, mid1, mid2, bot].join('\n') + '\n';
+}
+/**
+ * Returns true when the upgrade banner should be suppressed.
+ */
+export function shouldSuppressBanner(opts) {
+    const env = opts.env ?? process.env;
+    const argv = opts.argv ?? process.argv;
+    const isTTY = opts.isTTY ?? process.stdout.isTTY;
+    if (env['OLAM_DISABLE_UPGRADE_BANNER'] === '1')
+        return true;
+    if (!isTTY)
+        return true;
+    if (argv.includes('--json'))
+        return true;
+    return false;
+}
+/**
+ * Fire-and-forget upgrade check. Resolves the latest version, prints a banner
+ * to stdout if a newer version is available, and swallows all errors.
+ *
+ * Call this BEFORE program.parseAsync(). The promise is not awaited — the
+ * banner races the command action. For short commands this means the banner
+ * arrives before exit; for fast commands that call process.exit explicitly
+ * (e.g. olam --version), the banner may be suppressed naturally.
+ */
+export function scheduleUpgradeCheck(currentVersion, opts) {
+    if (shouldSuppressBanner(opts ?? {})) {
+        return Promise.resolve();
+    }
+    const write = opts?.write ?? ((s) => process.stdout.write(s));
+    return resolveLatestVersion({
+        cachePath: opts?.cachePath,
+        fetchFn: opts?.fetchFn,
+    })
+        .then((latest) => {
+        if (latest !== null && isNewer(latest, currentVersion)) {
+            write(buildBanner(latest, currentVersion));
+        }
+    })
+        .catch(() => {
+        // never surface
+    });
+}
+//# sourceMappingURL=upgrade-check.js.map

package/dist/lib/upgrade-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"upgrade-check.js","sourceRoot":"","sources":["../../src/lib/upgrade-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,MAAM,CAAC,MAAM,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW;AACpE,MAAM,CAAC,MAAM,oBAAoB,GAAG,KAAK,CAAC;AAE1C,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,wBAAwB,CAAC,CAAC;AAO7F,SAAS,YAAY,CAAC,CAAS;IAC7B,MAAM,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC/D,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,OAAO,CAAC,MAAc,EAAE,OAAe;IAC9C,MAAM,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,EAAE,KAAK,EAAE;QAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAC9B,IAAI,EAAE,KAAK,EAAE;QAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAC9B,OAAO,EAAE,GAAG,EAAE,CAAC;AACjB,CAAC;AAED,SAAS,SAAS,CAAC,SAAiB;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;QAC1C,IACE,OAAO,MAAM,KAAK,QAAQ;YAC1B,MAAM,KAAK,IAAI;YACf,OAAQ,MAAkC,CAAC,WAAW,CAAC,KAAK,QAAQ;YACpE,OAAQ,MAAkC,CAAC,eAAe,CAAC,KAAK,QAAQ,EACxE,CAAC;YACD,OAAO,MAAsB,CAAC;QAChC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,4CAA4C;IAC9C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,UAAU,CAAC,SAAiB,EAAE,IAAkB;IACvD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACpC,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACvC,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAAS,GAAG,oBAAoB;IAEhC,MAAM,EAAE,GAAG,IAAI,eAAe,EAAE,CAAC;IACjC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;IACtD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,mDAAmD,EAAE;YAC3E,MAAM,EAAE,EAAE,CAAC,MAAM;YACjB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;SACxC,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QACzB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAY,CAAC;QAC3C,IACE,OAAO,IAAI,KAAK,QAAQ;YACxB,IAAI,KAAK,IAAI;YACb,OAAQ,IAAgC,CAAC,SAAS,CAAC,KAAK,QAAQ,EAChE,CAAC;YACD,OAAQ,IAAgC,CAAC,SAAS,CAAW,CAAC;QAChE,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,IAI1C;IACC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IACnC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,kBAAkB,CAAC;IAEnD,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;IACpC,IAAI,MAAM,KAAK,IAAI,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,GAAG,oBAAoB,EAAE,CAAC;QACrE,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IAED,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,UAAU,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,aAAqB,EAAE,cAAsB;IACvE,MAAM,KAAK,GAAG,WAAW,aAAa,yBAAyB,cAAc,KAAK,CAAC;IACnF,MAAM,KAAK,GAAG,mDAAmD,CAAC;IAClE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACnD,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACjC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,IAAI,GAAG,CAAC;IACzB,MAAM,IAAI,GAAG,IAAI,IAAI,GAAG,CAAC;IACzB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC;IACrC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAIpC;IACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAK,OAAO,CAAC,GAA0C,CAAC;IAC5E,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IACvC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;IAEjD,IAAI,GAAG,CAAC,6BAA6B,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC5D,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACzC,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAAC,cAAsB,EAAE,IAO5D;IACC,IAAI,oBAAoB,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,CAAC;QACrC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAEtE,OAAO,oBAAoB,CAAC;QAC1B,SAAS,EAAE,IAAI,EAAE,SAAS;QAC1B,OAAO,EAAE,IAAI,EAAE,OAAO;KACvB,CAAC;SACC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;QACf,IAAI,MAAM,KAAK,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,cAAc,CAAC,EAAE,CAAC;YACvD,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC,CAAC;SACD,KAAK,CAAC,GAAG,EAAE;QACV,gBAAgB;IAClB,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/lib/upgrade-kubernetes.d.ts

@@ -167,6 +167,23 @@ export interface UpgradeKubernetesResult {
     readonly exitCode: number;
     readonly summary: string;
 }
+/**
+ * Early-exit probe for healthy-cluster re-runs.
+ *
+ * Reads the host-cp image spec from the on-disk 50-deployment.yaml, queries
+ * the running deployment's current image + readyReplicas, and returns true
+ * when the cluster is already at the desired state. When true the caller
+ * prints a single skip line and exits 0 without running any of the 8 steps.
+ *
+ * Fail-open: any read/parse/kubectl error returns false (run the full flow).
+ * Only triggers when --force-refresh-manifests is NOT set.
+ *
+ * Exported for unit testing (injectable deps).
+ */
+export declare function probeClusterAlreadyAtDesiredState(context: string, manifestsDir: string, deps: UpgradeKubernetesDeps): Promise<{
+    atDesiredState: boolean;
+    desiredDigest: string | null;
+}>;
 /**
  * Main entrypoint for the kubernetes upgrade path.
  *

package/dist/lib/upgrade-kubernetes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"upgrade-kubernetes.d.ts","sourceRoot":"","sources":["../../src/lib/upgrade-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoDG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAS9B,OAAO,EAAE,WAAW,EAAwB,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,wBAAwB,EAAE,KAAK,eAAe,EAAE,KAAK,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AACrK,OAAO,EAAE,mBAAmB,EAAE,KAAK,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAA4B,KAAK,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAGtI,OAAO,EAAyB,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AACpF,OAAO,EAAE,kBAAkB,EAAwB,KAAK,aAAa,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAgBtH,eAAO,MAAM,sBAAsB,QAA2C,CAAC;AAC/E,eAAO,MAAM,aAAa,SAAS,CAAC;AACpC,eAAO,MAAM,mBAAmB,wBAAwB,CAAC;AACzD,eAAO,MAAM,uBAAuB,iBAAiB,CAAC;AACtD,eAAO,MAAM,mBAAmB,yBAAyB,CAAC;AAC1D,eAAO,MAAM,kBAAkB,kCAAkC,CAAC;AAElE,oDAAoD;AACpD,eAAO,MAAM,mBAAmB,QAAqD,CAAC;AA6HtF,MAAM,WAAW,qBAAqB;IACpC,uCAAuC;IACvC,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IAC9C,2CAA2C;IAC3C,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,gBAAgB,CAAC;IACxD,yDAAyD;IACzD,QAAQ,CAAC,kCAAkC,CAAC,EAAE,OAAO,8BAA8B,CAAC;IACpF,mDAAmD;IACnD,QAAQ,CAAC,4BAA4B,CAAC,EAAE,OAAO,wBAAwB,CAAC;IACxE,wDAAwD;IACxD,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5E,8CAA8C;IAC9C,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,mBAAmB,CAAC;IAC/C,2CAA2C;IAC3C,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,kBAAkB,CAAC;IACzD,2CAA2C;IAC3C,QAAQ,CAAC,iBAAiB,CAAC,EAAE,OAAO,uBAAuB,CAAC;IAC5D,sFAAsF;IACtF,QAAQ,CAAC,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IAC/C,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,yEAAyE;IACzE,QAAQ,CAAC,eAAe,CAAC,EAAE,eAAe,CAAC;IAC3C,iGAAiG;IACjG,QAAQ,CAAC,yBAAyB,CAAC,EAAE,yBAAyB,CAAC;IAC/D,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC;IAC7B,iCAAiC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,iCAAiC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,oEAAoE;IACpE,QAAQ,CAAC,gBAAgB,CAAC,EAAE,OAAO,EAAE,CAAC,YAAY,CAAC;IACnD,yDAAyD;IACzD,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,MAAM,CAAC;IAChC;;;;OAIG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAChE;;;;;;OAMG;IACH,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IACvE;;;OAGG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;OAIG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,qBAAqB,CAAC;IACpD;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,OAAO,kBAAkB,CAAC;IACtD,sDAAsD;IACtD,QAAQ,CAAC,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAC7C;;;;;;OAMG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC;;;;OAIG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAKpD;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAC5C,wFAAwF;IACxF,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;OAMG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;CACpC;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAiYD;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,GAAE,qBAA0B,EAChC,IAAI,GAAE,qBAA0B,GAC/B,OAAO,CAAC,uBAAuB,CAAC,CAkelC"}
+{"version":3,"file":"upgrade-kubernetes.d.ts","sourceRoot":"","sources":["../../src/lib/upgrade-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoDG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAS9B,OAAO,EAAE,WAAW,EAAwB,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,wBAAwB,EAAE,KAAK,eAAe,EAAE,KAAK,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AACrK,OAAO,EAAE,mBAAmB,EAAE,KAAK,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAA4B,KAAK,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAGtI,OAAO,EAAyB,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AACpF,OAAO,EAAE,kBAAkB,EAAwB,KAAK,aAAa,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAgBtH,eAAO,MAAM,sBAAsB,QAA2C,CAAC;AAC/E,eAAO,MAAM,aAAa,SAAS,CAAC;AACpC,eAAO,MAAM,mBAAmB,wBAAwB,CAAC;AACzD,eAAO,MAAM,uBAAuB,iBAAiB,CAAC;AACtD,eAAO,MAAM,mBAAmB,yBAAyB,CAAC;AAC1D,eAAO,MAAM,kBAAkB,kCAAkC,CAAC;AAElE,oDAAoD;AACpD,eAAO,MAAM,mBAAmB,QAAqD,CAAC;AA6HtF,MAAM,WAAW,qBAAqB;IACpC,uCAAuC;IACvC,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IAC9C,2CAA2C;IAC3C,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,gBAAgB,CAAC;IACxD,yDAAyD;IACzD,QAAQ,CAAC,kCAAkC,CAAC,EAAE,OAAO,8BAA8B,CAAC;IACpF,mDAAmD;IACnD,QAAQ,CAAC,4BAA4B,CAAC,EAAE,OAAO,wBAAwB,CAAC;IACxE,wDAAwD;IACxD,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5E,8CAA8C;IAC9C,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,mBAAmB,CAAC;IAC/C,2CAA2C;IAC3C,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,kBAAkB,CAAC;IACzD,2CAA2C;IAC3C,QAAQ,CAAC,iBAAiB,CAAC,EAAE,OAAO,uBAAuB,CAAC;IAC5D,sFAAsF;IACtF,QAAQ,CAAC,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IAC/C,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,yEAAyE;IACzE,QAAQ,CAAC,eAAe,CAAC,EAAE,eAAe,CAAC;IAC3C,iGAAiG;IACjG,QAAQ,CAAC,yBAAyB,CAAC,EAAE,yBAAyB,CAAC;IAC/D,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC;IAC7B,iCAAiC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,iCAAiC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,oEAAoE;IACpE,QAAQ,CAAC,gBAAgB,CAAC,EAAE,OAAO,EAAE,CAAC,YAAY,CAAC;IACnD,yDAAyD;IACzD,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,MAAM,CAAC;IAChC;;;;OAIG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAChE;;;;;;OAMG;IACH,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IACvE;;;OAGG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;OAIG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,qBAAqB,CAAC;IACpD;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,OAAO,kBAAkB,CAAC;IACtD,sDAAsD;IACtD,QAAQ,CAAC,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAC7C;;;;;;OAMG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC;;;;OAIG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAKpD;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAC5C,wFAAwF;IACxF,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;OAMG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;CACpC;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAiYD;;;;;;;;;;;;GAYG;AACH,wBAAsB,iCAAiC,CACrD,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,EAAE,qBAAqB,GAC1B,OAAO,CAAC;IAAE,cAAc,EAAE,OAAO,CAAC;IAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CA6DpE;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,GAAE,qBAA0B,EAChC,IAAI,GAAE,qBAA0B,GAC/B,OAAO,CAAC,uBAAuB,CAAC,CAkjBlC"}

package/dist/lib/upgrade-kubernetes.js

@@ -479,6 +479,67 @@ async function createGhcrPullSecret(context, deps, stderr) {
 // two-volume hostPath approach, which is fully retracted (Phase B B2).
 // host-cp now reaches docker via TCP through the docker-socket-proxy
 // ExternalName Service — no docker socket bind into k3d nodes at all.
+/**
+ * Early-exit probe for healthy-cluster re-runs.
+ *
+ * Reads the host-cp image spec from the on-disk 50-deployment.yaml, queries
+ * the running deployment's current image + readyReplicas, and returns true
+ * when the cluster is already at the desired state. When true the caller
+ * prints a single skip line and exits 0 without running any of the 8 steps.
+ *
+ * Fail-open: any read/parse/kubectl error returns false (run the full flow).
+ * Only triggers when --force-refresh-manifests is NOT set.
+ *
+ * Exported for unit testing (injectable deps).
+ */
+export async function probeClusterAlreadyAtDesiredState(context, manifestsDir, deps) {
+    const readFileSyncImpl = deps.readFileSyncImpl ?? fs.readFileSync;
+    const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    // 1. Read desired image from 50-deployment.yaml
+    const deploymentManifestPath = path.join(manifestsDir, '50-deployment.yaml');
+    let desiredImage = null;
+    try {
+        const raw = readFileSyncImpl(deploymentManifestPath, 'utf8');
+        // Match the main container image line: "image: <ref>@sha256:<digest>"
+        // The manifest uses `image: ghcr.io/pleri/olam-host-cp@sha256:<digest>`
+        const match = raw.match(/^\s+image:\s+(ghcr\.io\/pleri\/olam-host-cp@sha256:[a-f0-9]+)/m);
+        if (match?.[1]) {
+            desiredImage = match[1].trim();
+        }
+    }
+    catch {
+        return { atDesiredState: false, desiredDigest: null };
+    }
+    if (!desiredImage) {
+        // Could not parse desired image — fail open.
+        return { atDesiredState: false, desiredDigest: null };
+    }
+    // Extract just the digest portion for reporting.
+    const digestMatch = desiredImage.match(/sha256:[a-f0-9]+/);
+    const desiredDigest = digestMatch?.[0] ?? null;
+    // 2. Query running deployment image + readyReplicas
+    const imageResult = await wrap([
+        '--context', context,
+        'get', 'deploy', HOST_CP_DEPLOYMENT_NAME,
+        '-n', K8S_NAMESPACE,
+        '-o', `jsonpath={.spec.template.spec.containers[?(@.name=="${HOST_CP_DEPLOYMENT_NAME}")].image}`,
+    ], { timeout: 10_000 });
+    if (!imageResult.ok || !imageResult.stdout.trim()) {
+        return { atDesiredState: false, desiredDigest };
+    }
+    const runningImage = imageResult.stdout.trim();
+    // 3. Check readyReplicas
+    const replicasResult = await wrap([
+        '--context', context,
+        'get', 'deploy', HOST_CP_DEPLOYMENT_NAME,
+        '-n', K8S_NAMESPACE,
+        '-o', 'jsonpath={.status.readyReplicas}',
+    ], { timeout: 10_000 });
+    const readyReplicas = parseInt(replicasResult.stdout.trim() || '0', 10);
+    // 4. Cluster is at desired state iff images match AND deployment is healthy.
+    const atDesiredState = runningImage === desiredImage && readyReplicas >= 1;
+    return { atDesiredState, desiredDigest };
+}
 /**
  * Main entrypoint for the kubernetes upgrade path.
  *
@@ -505,6 +566,43 @@ export async function runUpgradeKubernetes(opts = {}, deps = {}) {
         }
         // skipped: dir exists or bundle absent (dev context) — no output, continue.
     }
+    // ── Pre-step 0b: early-exit probe — skip all 8 steps on healthy re-run ──
+    // Reads desired host-cp image from 50-deployment.yaml, compares to running
+    // deployment. When they match AND readyReplicas >= 1, nothing has changed:
+    // all 8 steps are no-ops, so we skip them and report in <1s.
+    // Only active when --force-refresh-manifests is NOT set (that flag is the
+    // explicit "re-run everything" escape hatch).
+    if (!opts.forceRefreshManifests) {
+        // Need a context for the probe — resolve it first with a lightweight helper.
+        const earlyCtxResolved = resolveKubectlContext(deps.configPath);
+        let earlyCtx = null;
+        if (earlyCtxResolved.error === undefined) {
+            earlyCtx = earlyCtxResolved.context;
+        }
+        else {
+            // Try auto-pin (same logic as the main flow below).
+            const autoPin = (deps.autoPinImpl ?? autoPinKubectlContext)({ configPath: deps.configPath });
+            if (autoPin.context !== undefined) {
+                earlyCtx = autoPin.context;
+            }
+        }
+        if (earlyCtx !== null) {
+            const probe = await probeClusterAlreadyAtDesiredState(earlyCtx, manifestsDir, deps);
+            if (probe.atDesiredState) {
+                const digest = probe.desiredDigest ?? '(unknown)';
+                stdout.write(`${pc.green('✓')} cluster already at desired state — host-cp ${pc.dim(digest)} ready, skipping 8-step flow\n`);
+                // Still emit the instrumentation event so dashboards track re-runs.
+                const emitImpl = deps.emitImpl ?? emitUpgradeComplete;
+                emitImpl({
+                    substrate: 'kubernetes',
+                    duration_ms: Date.now() - startMs,
+                    flavor: 'k3s',
+                    skipped: true,
+                }, deps.emitOpts ?? {});
+                return { exitCode: 0, summary: `cluster already at desired state (host-cp ${digest})` };
+            }
+        }
+    }
     // ── Step 0.4: R3-C — create/update ghcr-pull imagePullSecret ────────
     // RELOCATED (R4-W2-A): this step previously ran before ensureK8sBootstrap,
     // but the `olam` namespace doesn't exist yet on a fresh cluster — `kubectl
@@ -607,6 +705,11 @@ export async function runUpgradeKubernetes(opts = {}, deps = {}) {
             rotateSecrets: opts.rotateSecrets === true,
         }, {
             kubectlWrapImpl: deps.kubectlWrapImpl,
+            // Route per-manifest progress through spinner.text so each file
+            // updates in-place instead of printing a new line (B4 spam fix).
+            onProgress: (label) => {
+                step05Spinner.text = `Bootstrapping olam namespace + RBAC + secrets (B4)${label}`;
+            },
             ...(deps.k8sBootstrapDeps ?? {}),
         });
         if (bootstrap.exitCode !== 0) {
@@ -868,7 +971,28 @@ export async function runUpgradeKubernetes(opts = {}, deps = {}) {
         }
         else {
             stderr.write(`${pc.red('error:')} host-cp did not report engine=kubernetes.\n` +
-                `  Check that the deployment rolled out with the correct image.\n`);
+                `  The /health port-forward succeeded but no X-Olam-Engine header was returned —\n` +
+                `  usually means the pod isn't Ready yet, is crashlooping, or failed to pull its image.\n` +
+                `  Pod-state diagnostics follow (share the FULL block when asking for help):\n`);
+            // Surface the actual pod state. The two commands below are read-only +
+            // safe to run multiple times. Output is captured + redirected to stderr
+            // so the operator sees it inline with the failure.
+            const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+            try {
+                const getPods = await wrap(['-n', 'olam', 'get', 'pods', '-l', 'app=olam-host-cp', '-o', 'wide'], { timeout: 5_000 });
+                stderr.write(`\n${pc.dim('--- kubectl -n olam get pods -l app=olam-host-cp ---')}\n` +
+                    `${getPods.stdout || getPods.stderr || '(no output)'}\n`);
+                const describe = await wrap(['-n', 'olam', 'describe', 'pod', '-l', 'app=olam-host-cp'], { timeout: 5_000 });
+                // Tail the last 40 lines — Events block sits at the bottom and is
+                // the highest-signal slice (ImagePullBackOff / FailedScheduling /
+                // CrashLoopBackOff all surface there).
+                const tail = (describe.stdout || '').split('\n').slice(-40).join('\n');
+                stderr.write(`\n${pc.dim('--- kubectl -n olam describe pod (tail 40 lines, includes Events) ---')}\n` +
+                    `${tail || '(no output)'}\n\n`);
+            }
+            catch (err) {
+                stderr.write(`  ${pc.dim('(kubectl diagnostics unavailable: ' + err.message + ')')}\n`);
+            }
         }
         return { exitCode: 1, summary: 'health check failed — engine mismatch' };
     }