@pleri/olam-cli 0.1.188 → 0.1.195

package/hermes-bundle/version.json

@@ -1,4 +1,4 @@
 {
-  "bundledAt": "2026-05-28T00:56:36.187Z",
+  "bundledAt": "2026-05-28T12:44:06.696Z",
   "kgFirstSha": "29a9ccce1b115d049e375c4a90eb5cf7c123e610e2d0590270a4db2cdbc64a28"
 }

package/host-cp/k8s/manifests/30-configmap.yaml

@@ -13,7 +13,14 @@ data:
   # Auth service URL. Default targets host.docker.internal for Colima/Docker
   # Desktop k3d setups. Override when auth-service runs elsewhere (e.g. via
   # an ExternalName Service pointing at the host gateway).
-  OLAM_AUTH_SERVICE_URL: "http://host.docker.internal:8000"
+  #
+  # Port :9999 matches the published port in AuthContainerController.start()
+  # (packages/core/src/auth/container.ts) — the value was historically :8000,
+  # which never matched any running auth-service version and surfaced as
+  #   {"error":"auth_service_unavailable","message":"fetch failed"}
+  # on /api/auth/* calls. Verified during the K3d-HTTPS PR live bring-up;
+  # see docs/runbooks/k3d-https-setup.md.
+  OLAM_AUTH_SERVICE_URL: "http://host.docker.internal:9999"
   # Docker socket proxy — ClusterIP Service DNS inside the namespace.
   DOCKER_HOST: "tcp://docker-socket-proxy:2375"
   # Host-cp server port — must match the Service targetPort in 60-service.yaml.

package/host-cp/k8s/manifests/50-deployment.yaml

@@ -118,7 +118,7 @@ spec:
         # k3d), started by `olam upgrade` Step 0.7 — not inside this Pod.
       containers:
         - name: olam-host-cp
-          image: ghcr.io/pleri/olam-host-cp@sha256:023eb5c01c56fd738770f6314126186af53bd5fd45b80d11f9298f89e0c2b4c5
+          image: ghcr.io/pleri/olam-host-cp@sha256:42fb12f23d51c229288e0c0fa93df8028784136ce75245e582e4fffbc5867798
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/60-service.yaml

@@ -1,8 +1,16 @@
 # ClusterIP Service for olam-host-cp.
-# Operator surfaces the SPA externally via:
-#   kubectl port-forward -n olam svc/olam-host-cp 19000:19000
-# This keeps the "127.0.0.1-only" single-user-per-host invariant
-# (NodePort would bind on all interfaces; port-forward keeps it local).
+#
+# Two ways to reach the SPA externally:
+#   1. (preferred) Traefik IngressRoute at https://olam.local:<traefik-https-port>
+#      Terminates TLS at the cluster edge, unlocks HTTP/2 multiplexing for
+#      Electric SQL long-polls. See 70-ingressroute.yaml + 65-tls-secret-template.yaml.tmpl.
+#      The pod itself stays HTTP-only — Traefik handles TLS at the edge.
+#   2. (fallback) kubectl port-forward -n olam svc/olam-host-cp 19000:19000
+#      Plain HTTP/1.1; hits browser's 6-conn-per-origin cap under Electric load.
+#
+# ClusterIP (not NodePort) preserves the "127.0.0.1-only" single-user-per-host
+# invariant — exposure is via Traefik's LoadBalancer or port-forward, not by
+# binding pod ports on every node interface.
 apiVersion: v1
 kind: Service
 metadata:

package/host-cp/k8s/manifests/70-ingressroute.yaml

@@ -0,0 +1,58 @@
+# Traefik IngressRoute terminating TLS at the cluster edge for olam-host-cp.
+#
+# Topology:
+#   Browser --HTTPS/h2--> Traefik :443 (LoadBalancer / k3d NodePort)
+#                         |
+#                         | (TLS terminated; cleartext inside cluster)
+#                         v
+#                       olam-host-cp:19000 (ClusterIP, HTTP/1.1 internal)
+#                         |
+#                         v
+#                       plan-chat-service:3200 (and other peripherals)
+#
+# Why terminate TLS at Traefik (NOT at host-cp): host-cp is a Node/Hono
+# server tuned for cleartext HTTP. Pushing TLS into the pod would force a
+# second cert-distribution mechanism (Secret → volumeMount → server.mjs
+# reload) and double the operational surface. Traefik already owns cert
+# lifecycle in production (cert-manager + Let's Encrypt), so dev-mode
+# mkcert at the same boundary keeps prod parity tight.
+#
+# Why HTTP/2 matters: TanStack DB / Electric SQL opens N long-poll
+# connections per browser tab (one per shape subscription). Without h2
+# multiplexing they queue against the browser's 6-connection-per-origin
+# cap, leading to the "25-second pending requests" symptom Electric users
+# hit on HTTP/1.1. Traefik 2.x advertises h2 over TLS via ALPN by default;
+# no extra config needed.
+#
+# Why Host(olam.local) instead of a wildcard: the cert is minted for that
+# exact SAN. Traefik routes based on SNI, so the host-rule must match the
+# cert subject or the TLS handshake completes but the route 404s.
+#
+# Operator MUST add `127.0.0.1 olam.local` to /etc/hosts before this works.
+# `olam services tls-install` prints the line + sudo command — it does NOT
+# auto-edit (touching /etc/hosts behind the operator's back is a foot-gun).
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  # Distinct name avoids collision with packages/peripheral-services'
+  # `olam-host-cp` IngressRoute (the legacy `web`-entrypoint + path-based
+  # router that 50+ SPA fetch sites still depend on). The `-https` variant
+  # adds a SECOND ingress that matches Host(olam.local) on `websecure` and
+  # terminates TLS via the operator-minted Secret. Both coexist; the legacy
+  # one keeps `http://<lb>/api/...` working, this one unlocks HTTP/2.
+  name: olam-host-cp-https
+  namespace: olam
+  labels:
+    app: olam-host-cp
+    olam.io/component: host-stack
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`olam.local`)
+      kind: Rule
+      services:
+        - name: olam-host-cp
+          port: 19000
+  tls:
+    secretName: olam-host-cp-tls

package/host-cp/k8s/manifests/auth-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-auth-service
-          image: ghcr.io/pleri/olam-auth@sha256:625321c18fcb7f97bfec747bb1d2679273350232eb352d69f6a2571dba350b1a
+          image: ghcr.io/pleri/olam-auth@sha256:e982aa9812c9c57768987d8fc0a22178c84811bf59a1470eb7a5aa58a73f11a5
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/kg-service/50-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-kg-service
-          image: ghcr.io/pleri/olam-kg-service@sha256:c9a0226339907711443657e2ca1eb40d2e2df120562dbb5d7d0ddf628614fb74
+          image: ghcr.io/pleri/olam-kg-service@sha256:bd7c1c65b3537fd59a8a5f252a99a7fc5c2e195e973356bfe764b957fdebe58c
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml

@@ -68,7 +68,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-mcp-auth-service
-          image: ghcr.io/pleri/olam-mcp-auth@sha256:eba57d0c5c89763bc266faba80e98912875f541c9ad8e96ee5f28790f9fb96d8
+          image: ghcr.io/pleri/olam-mcp-auth@sha256:1191734c32480a7ab22dbeede616c0f697ec02e3d0d43093cbbf56d6fe3b115c
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/memory-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
           # bootstrap-placeholder comment + run `npm run refresh:manifest-digests`
           # once ghcr.io/pleri/olam-memory-service has a real published digest.
           # bootstrap-placeholder: pre-publish; refresh after first release
-          image: ghcr.io/pleri/olam-memory-service@sha256:33390ba1b2b4785ebf9af9732c42c40ae572ec1176e01f1fed8225d0d449ca57
+          image: ghcr.io/pleri/olam-memory-service@sha256:2037a12d390be09714bb80e2d707fb94d210f28b5227428d3047fe9155635acd
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/src/plan-chat-secret.mjs

@@ -21,8 +21,23 @@ import os from 'node:os';
 import path from 'node:path';
 import crypto from 'node:crypto';
 
+/**
+ * Resolve the plan-chat-secret path: prefer ~/.olam/secrets/plan-chat-secret
+ * (new canonical location) over ~/.olam/plan-chat-secret (legacy). Inlined
+ * here because host-cp is a pure .mjs package with no @olam/core dep.
+ */
+function resolvePlanChatSecretPath() {
+  const olamHome = path.join(os.homedir(), '.olam');
+  const newPath = path.join(olamHome, 'secrets', 'plan-chat-secret');
+  if (fs.existsSync(newPath)) return newPath;
+  const legacyPath = path.join(olamHome, 'plan-chat-secret');
+  if (fs.existsSync(legacyPath)) return legacyPath;
+  // Neither exists — return canonical so writes land in the right place.
+  return newPath;
+}
+
 export const SECRET_PATH =
-  process.env.OLAM_PLAN_CHAT_SECRET_PATH ?? path.join(os.homedir(), '.olam', 'plan-chat-secret');
+  process.env.OLAM_PLAN_CHAT_SECRET_PATH ?? resolvePlanChatSecretPath();
 export const SECRET_DIR = path.dirname(SECRET_PATH);
 const SECRET_BYTES = 32; // 64 hex chars
 const SECRET_MODE = 0o600;