@pleri/olam-cli 0.1.195 → 0.1.198

package/dist/commands/setup.js

@@ -28,7 +28,7 @@
  *   Phase 3.5: (no-op for docker)
  *   Phase 4:   Shell init       (idempotent append of completion eval-line)
  *   Phase 5:   Init global config (ensure ~/.olam/config.json has host.substrate set)
- *   Phase 5a:  Skill source picker
+ *   Phase 5a:  Skill source picker (runs unconditionally; auto-skips when sources already registered)
  *   Phase 5b:  Project sweep
  *   Phase 6:   Auth prompt      (offer interactive `olam auth login`)
  *   Phase 7:   Final verify     (subprocess: olam doctor; halt on non-zero)
@@ -65,8 +65,11 @@ import { ensureTlsInstalled } from './services-tls.js';
 import { printError, printHeader, printInfo, printSuccess, printWarning } from '../output.js';
 import { pickSkillSourcePhase, formatPostSetupSuggestion, } from './setup-phase-5a-skill-source.js';
 import { runProjectSweepPhase } from './setup-phase-5b-project-sweep.js';
+import { runKgHookPhase } from './setup-phase-8-kg-hook.js';
+import { runMemoryBridgePhase } from './setup-phase-9-memory-bridge.js';
 import { OLAM_CONFIG_PATH, writeConfig } from '../lib/config.js';
 import { migrateSecretIfNeeded, KNOWN_SECRET_NAMES } from '@olam/core/src/secrets/paths.js';
+import { resolveKubectlContext } from '../lib/kubectl-context.js';
 const REQUIRED_NODE_MAJOR = 20;
 /** k3d cluster name provisioned by olam setup --substrate=kubernetes. */
 export const SETUP_K3D_CLUSTER_NAME = 'olam-dev';
@@ -182,7 +185,200 @@ function resolveSubstrate(opts, deps) {
     // Fresh install (no config file, or unrecognised substrate) → new default
     return 'kubernetes';
 }
-// ── Phases ─────────────────────────────────────────────────────────────
+const SUBSTRATE_CHOICES = [
+    {
+        label: 'Docker Desktop (recommended)',
+        substrate: 'docker',
+        preferredRuntime: 'docker-desktop',
+    },
+    {
+        label: 'Colima',
+        substrate: 'docker',
+        preferredRuntime: 'colima',
+    },
+    {
+        label: 'Kubernetes (k3d on Docker Desktop)',
+        substrate: 'kubernetes',
+        preferredRuntime: 'docker-desktop',
+    },
+    {
+        label: 'Kubernetes (k3d on Colima)',
+        substrate: 'kubernetes',
+        preferredRuntime: 'colima',
+    },
+    {
+        label: 'Kubernetes (external context already pinned)',
+        substrate: 'kubernetes',
+        preferredRuntime: 'external-k8s',
+        requirePinnedContext: true,
+    },
+];
+/** Default (first) choice — Docker Desktop. */
+const DEFAULT_SUBSTRATE_CHOICE = SUBSTRATE_CHOICES[0];
+/**
+ * Narrows the picker-internal `SetupSubstrate` to the config-schema `Substrate`.
+ * `'docker'` in the picker maps to `'compose'` in the config (they name the same
+ * non-kubernetes stack; the config schema predates the picker rename).
+ */
+function toConfigSubstrate(s) {
+    return s === 'docker' ? 'compose' : 'kubernetes';
+}
+/**
+ * Phase 0 — Substrate picker.
+ *
+ * Asks the operator which container runtime + substrate they want to use.
+ * Writes `host.substrate` and `host.preferred_runtime` to ~/.olam/config.json.
+ *
+ * Skip conditions (all silent — return { ok: true, skipped: true }):
+ *   - opts.substrate is already set    → "--substrate=<value> passed"
+ *   - opts.skipSubstratePicker         → "--skip-substrate-picker"
+ *   - config already has both fields   → "already configured (<runtime>)"
+ *   - !process.stdin.isTTY && !opts.yes → uses docker-desktop default
+ *   - opts.yes                         → uses docker-desktop default
+ */
+/**
+ * Return a comma-joined list of up to 5 available kubectl context names.
+ * Used to populate the error message when the operator enters an unknown context.
+ */
+function listAvailableContexts() {
+    const r = spawnSync('kubectl', ['config', 'get-contexts', '-o', 'name'], {
+        encoding: 'utf-8',
+        stdio: 'pipe',
+    });
+    if (r.status !== 0 || !r.stdout.trim())
+        return '(none found)';
+    const names = r.stdout.trim().split('\n').map((n) => n.trim()).filter(Boolean);
+    const preview = names.slice(0, 5);
+    return preview.join(', ') + (names.length > 5 ? `, … (+${names.length - 5} more)` : '');
+}
+export async function phase0SubstratePicker(opts, deps) {
+    // Skip: explicit --substrate= on the command line
+    if (opts.substrate !== undefined) {
+        return {
+            ok: true,
+            skipped: true,
+            message: `skipped — --substrate=${opts.substrate} passed`,
+        };
+    }
+    // Skip: explicit --skip-substrate-picker
+    if (opts.skipSubstratePicker) {
+        return { ok: true, skipped: true, message: 'skipped via --skip-substrate-picker' };
+    }
+    // Skip: already configured in config file
+    const configPath = deps.configPath ?? OLAM_CONFIG_PATH;
+    if (existsSync(configPath)) {
+        try {
+            const raw = readFileSync(configPath, 'utf8');
+            const parsed = JSON.parse(raw);
+            const host = parsed.host;
+            if (host?.substrate !== undefined
+                && host?.preferred_runtime !== undefined) {
+                return {
+                    ok: true,
+                    skipped: true,
+                    message: `skipped — substrate already configured (${host.preferred_runtime})`,
+                };
+            }
+        }
+        catch {
+            // malformed config — proceed to picker
+        }
+    }
+    // Non-TTY without --yes → use default silently
+    if (!process.stdin.isTTY && !opts.yes) {
+        writeConfig({ host: { substrate: toConfigSubstrate(DEFAULT_SUBSTRATE_CHOICE.substrate), preferred_runtime: DEFAULT_SUBSTRATE_CHOICE.preferredRuntime } }, { configPath: deps.configPath });
+        return {
+            ok: true,
+            skipped: true,
+            message: 'skipped (non-TTY); using docker-desktop default',
+        };
+    }
+    // --yes mode → use default silently (write config, print summary)
+    if (opts.yes) {
+        writeConfig({ host: { substrate: toConfigSubstrate(DEFAULT_SUBSTRATE_CHOICE.substrate), preferred_runtime: DEFAULT_SUBSTRATE_CHOICE.preferredRuntime } }, { configPath: deps.configPath });
+        process.stdout.write(`  ✓ Phase 0: substrate=${DEFAULT_SUBSTRATE_CHOICE.substrate} runtime=${DEFAULT_SUBSTRATE_CHOICE.preferredRuntime}\n`);
+        return {
+            ok: true,
+            message: `substrate=${DEFAULT_SUBSTRATE_CHOICE.substrate} runtime=${DEFAULT_SUBSTRATE_CHOICE.preferredRuntime}`,
+        };
+    }
+    // Interactive picker via @inquirer/prompts select (same pattern as Phase 5a).
+    // Lazy-load only when deps don't inject the prompt functions — keeps the
+    // import out of the test path and avoids the eager-import overhead.
+    const resolvedSelectFn = deps.selectPromptFn
+        ?? (await import('@inquirer/prompts')).select;
+    const choices = SUBSTRATE_CHOICES.map((c, i) => ({
+        value: String(i),
+        name: c.label,
+    }));
+    const pickedIndex = await resolvedSelectFn({
+        message: 'Choose your container runtime + substrate:',
+        choices,
+    });
+    const choice = SUBSTRATE_CHOICES[Number(pickedIndex)] ?? DEFAULT_SUBSTRATE_CHOICE;
+    // Special handling: external context requires kubectl_context_pinned to be set
+    if (choice.requirePinnedContext) {
+        // Check whether the config already has it
+        let hasPinnedContext = false;
+        if (existsSync(configPath)) {
+            try {
+                const raw = readFileSync(configPath, 'utf8');
+                const parsed = JSON.parse(raw);
+                const host = parsed.host;
+                hasPinnedContext = typeof host?.kubectl_context_pinned === 'string'
+                    && host.kubectl_context_pinned.length > 0;
+            }
+            catch {
+                // ignore
+            }
+        }
+        if (!hasPinnedContext) {
+            // Prompt for context name + validate
+            const resolvedInputFn = deps.inputPromptFn
+                ?? (await import('@inquirer/prompts')).input;
+            const contextName = await resolvedInputFn({
+                message: 'Enter your kubectl context name (e.g. lima-k3s, gke_proj_region_cluster):',
+                validate: (v) => {
+                    if (v.trim().length === 0)
+                        return 'Context name must not be empty';
+                    const name = v.trim();
+                    // Sanitize to prevent jsonpath injection via embedded quotes.
+                    const escaped = name.replace(/"/g, '\\"');
+                    // Use jsonpath — `get-contexts <name>` exits 0 even for missing contexts
+                    // (it just prints an empty table). jsonpath prints the name when found,
+                    // empty string when not found.
+                    const r = spawnSync('kubectl', ['config', 'view', '-o', `jsonpath={.contexts[?(@.name=="${escaped}")].name}`], { stdio: 'pipe', encoding: 'utf-8' });
+                    if (r.status !== 0) {
+                        return 'kubectl not available — verify kubectl is installed and re-run setup';
+                    }
+                    if (r.stdout.trim() !== name) {
+                        return (`Context "${name}" not found in kubeconfig. `
+                            + `Available: ${listAvailableContexts()}`);
+                    }
+                    return true;
+                },
+            });
+            writeConfig({
+                host: {
+                    substrate: toConfigSubstrate(choice.substrate),
+                    preferred_runtime: choice.preferredRuntime,
+                    kubectl_context_pinned: contextName.trim(),
+                },
+            }, { configPath: deps.configPath });
+            process.stdout.write(`  ✓ Phase 0: substrate=${choice.substrate} runtime=${choice.preferredRuntime} context=${contextName.trim()}\n`);
+            return {
+                ok: true,
+                message: `substrate=${choice.substrate} runtime=${choice.preferredRuntime} context=${contextName.trim()}`,
+            };
+        }
+    }
+    writeConfig({ host: { substrate: toConfigSubstrate(choice.substrate), preferred_runtime: choice.preferredRuntime } }, { configPath: deps.configPath });
+    process.stdout.write(`  ✓ Phase 0: substrate=${choice.substrate} runtime=${choice.preferredRuntime}\n`);
+    return {
+        ok: true,
+        message: `substrate=${choice.substrate} runtime=${choice.preferredRuntime}`,
+    };
+}
 /**
  * Phase 0.5 — Detect existing reachable kubeconfig contexts (ADR 021).
  *
@@ -270,15 +466,35 @@ async function phase1SystemCheck(substrate, deps) {
         if (!kubectlProbe.ok) {
             return phaseFromProbe(kubectlProbe);
         }
-        // k3d runs inside Docker on all platforms (macOS and Linux alike).
-        const dockerProbe = await probeDockerDaemon(deps.dockerExec);
-        if (!dockerProbe.ok) {
-            return {
-                ok: false,
-                message: 'docker daemon required for k3d: ' + dockerProbe.message,
-                remedy: dockerProbe.remedy,
-            };
+        // docker is only required when the cluster is k3d-managed (k3d runs its node
+        // containers on the operator's local docker daemon). External kubernetes clusters
+        // (K3s-on-Lima, Kind on a remote VM, GKE, AKS, kubeadm, etc.) reach the
+        // apiserver directly via kubectl and don't need a local docker daemon.
+        //
+        // Heuristic: kubectl context names that START with `k3d-` are k3d-managed
+        // (e.g. `k3d-olam-dev`, `k3d-olam-host`). Anything else (`lima-k3s`,
+        // `kind-foo`, `gke_proj_region_cluster`, custom names) is treated as external
+        // — docker is optional.
+        const ctx = resolveKubectlContext(deps.configPath);
+        const isK3dManaged = ctx.context?.startsWith('k3d-') ?? false;
+        if (isK3dManaged) {
+            const dockerProbe = await probeDockerDaemon(deps.dockerExec);
+            if (!dockerProbe.ok) {
+                return {
+                    ok: false,
+                    message: 'docker daemon required for k3d-managed cluster: ' + dockerProbe.message,
+                    remedy: dockerProbe.remedy,
+                };
+            }
+        }
+        else if (ctx.context !== undefined) {
+            // Surface that we deliberately skipped the docker check so the operator
+            // sees the decision in the phase log.
+            process.stdout.write(`  ℹ skipped docker check — kubectl context "${ctx.context}" is not k3d-managed\n`);
         }
+        // If ctx.context is undefined (no context pinned yet), the kubectlProbe above
+        // already confirms kubectl is present; the cluster-provision phases that follow
+        // will surface the missing context error — don't double-fail here.
         if (!nodeOk) {
             return {
                 ok: false,
@@ -296,7 +512,8 @@ async function phase1SystemCheck(substrate, deps) {
             const lintWithWarn = colimaLint;
             printWarning(`  ⚠ ${lintWithWarn.remedy}`);
         }
-        return { ok: true, message: `kubectl on PATH; docker ready; node ${nodeVersion}` };
+        const dockerNote = isK3dManaged ? '; docker ready' : '';
+        return { ok: true, message: `kubectl on PATH${dockerNote}; node ${nodeVersion}` };
     }
     // Docker substrate (default)
     const dockerProbe = await probeDockerDaemon(deps.dockerExec);
@@ -344,6 +561,19 @@ async function phase1_5InstallSubstrate(substrate, opts, deps, reuseContext) {
             message: `skipped k3d install (reusing context ${reuseContext})`,
         };
     }
+    // k3d only runs on k3d-managed clusters (context name starts with `k3d-`).
+    // External clusters (lima-k3s, kind-*, gke_*, custom names) already have their
+    // own k8s distribution installed — k3d is irrelevant and would be misleading to
+    // install. Mirror the same heuristic used by phase1SystemCheck for consistency.
+    const ctx = resolveKubectlContext(deps.configPath);
+    const isK3dManaged = ctx.context?.startsWith('k3d-') ?? false;
+    if (!isK3dManaged && ctx.context !== undefined) {
+        return {
+            ok: true,
+            skipped: true,
+            message: `skipped k3d install — kubectl context "${ctx.context}" is not k3d-managed`,
+        };
+    }
     const spawnFn = deps.spawnSubprocess ?? defaultSpawn;
     const promptFn = deps.prompt ?? defaultPrompt;
     // k3d works on both darwin and linux; one path for both.
@@ -637,6 +867,13 @@ async function phase3Bootstrap(substrate, deps, opts) {
     if (substrate === 'kubernetes' && opts.hostCpDevPath) {
         bootstrapArgs.push('--host-cp-dev-path', opts.hostCpDevPath);
     }
+    // Forward output + pre-pull preferences to the k3s bootstrap subprocess.
+    if (substrate === 'kubernetes' && opts.verbose) {
+        bootstrapArgs.push('--verbose');
+    }
+    if (substrate === 'kubernetes' && opts.skipPrepull) {
+        bootstrapArgs.push('--skip-prepull');
+    }
     const r = await spawnFn('olam', bootstrapArgs);
     if (r.status === 0) {
         return { ok: true, message: `olam bootstrap succeeded (substrate: ${substrate})` };
@@ -790,11 +1027,10 @@ async function phase5aSkillSource(opts, deps) {
     if (opts.skipSkillSource) {
         return { ok: true, skipped: true, message: 'skipped via --skip-skill-source' };
     }
-    // Skip by default unless operator explicitly passed --skill-source.
-    // The post-setup summary will print the suggestion block instead.
-    if (!opts.skillSource) {
-        return { ok: true, skipped: true, message: 'skipped (use --skill-source to onboard inline)' };
-    }
+    // Run unconditionally. pickSkillSourcePhase auto-detects existing skill sources
+    // (skips silently when ≥1 are registered) and handles the interactive TUI,
+    // non-interactive --skill-source flag, and non-TTY fallback internally.
+    // Use --skip-skill-source to opt out entirely (headless CI, manual setup later).
     return pickSkillSourcePhase(opts, deps);
 }
 async function phase5bProjectSweep(opts, deps) {
@@ -846,8 +1082,21 @@ async function phase7Verify(opts, deps) {
         remedy: 'Inspect doctor output above; the specific failing probe names its remedy.',
     };
 }
+async function phase8KgHook(opts, deps) {
+    if (opts.skipKgHook) {
+        return { ok: true, skipped: true, message: 'skipped via --skip-kg-hook' };
+    }
+    return runKgHookPhase(opts, deps);
+}
+async function phase9MemoryBridge(opts, deps) {
+    if (opts.skipMemoryBridge) {
+        return { ok: true, skipped: true, message: 'skipped via --skip-memory-bridge' };
+    }
+    return runMemoryBridgePhase(opts, deps);
+}
 // ── Orchestrator ──────────────────────────────────────────────────────
 const PHASE_TITLES = [
+    'Phase 0: Substrate picker',
     'Phase 0.5: Detect existing k8s context',
     'Phase 1: System check',
     'Phase 1.5: Substrate tools install',
@@ -862,11 +1111,89 @@ const PHASE_TITLES = [
     'Phase 5b: Project sweep',
     'Phase 6: Auth prompt',
     'Phase 7: Final verification',
+    'Phase 8: KG hook install',
+    'Phase 9: Agent memory bridge install',
 ];
 export async function runSetup(opts, deps = {}) {
+    // ── --continue mode: skip Phases 1-7, run only Phase 8 + Phase 9 ──────────
+    if (opts.continueMode) {
+        printHeader('olam setup --continue — Phase 8 + Phase 9 only');
+        const results = [];
+        let failureAt = null;
+        // Migrate secrets idempotently (same as full run).
+        for (const name of KNOWN_SECRET_NAMES) {
+            migrateSecretIfNeeded(name);
+        }
+        // Phase 8 title is at PHASE_TITLES index 15 (0=0, 0.5=1, 1=2, … 7=14, 8=15).
+        const p8Title = PHASE_TITLES[15];
+        const p9Title = PHASE_TITLES[16];
+        process.stdout.write(`\n${p8Title}\n`);
+        const p8Result = await phase8KgHook(opts, deps);
+        results.push({ name: p8Title, result: p8Result });
+        if (p8Result.ok && p8Result.skipped) {
+            printWarning(`  ⊘ ${p8Result.message}`);
+        }
+        else if (p8Result.ok) {
+            printSuccess(`  ✓ ${p8Result.message}`);
+        }
+        else {
+            printError(`  ✗ ${p8Result.message}`);
+            if (p8Result.remedy)
+                printWarning(`    remedy: ${p8Result.remedy}`);
+            failureAt = 8;
+        }
+        if (failureAt === null) {
+            process.stdout.write(`\n${p9Title}\n`);
+            const p9Result = await phase9MemoryBridge(opts, deps);
+            results.push({ name: p9Title, result: p9Result });
+            if (p9Result.ok && p9Result.skipped) {
+                printWarning(`  ⊘ ${p9Result.message}`);
+            }
+            else if (p9Result.ok) {
+                printSuccess(`  ✓ ${p9Result.message}`);
+            }
+            else {
+                printError(`  ✗ ${p9Result.message}`);
+                if (p9Result.remedy)
+                    printWarning(`    remedy: ${p9Result.remedy}`);
+                failureAt = 9;
+            }
+        }
+        process.stdout.write('\n');
+        if (failureAt !== null) {
+            printError(`Setup FAILED at Phase ${failureAt}`);
+            return { phases: results, failureAt, exitCode: 1 };
+        }
+        printSuccess('Setup --continue complete.');
+        return { phases: results, failureAt: null, exitCode: 0 };
+    }
+    // ── Full setup (Phases 0 through 9) ───────────────────────────────────────
+    // Phase 0 (substrate picker) runs eagerly BEFORE resolveSubstrate so it can
+    // write host.substrate to config — resolveSubstrate then reads the written value.
+    // We still push the result into the phases array for the SetupReport.
+    const results = [];
+    let failureAt = null;
+    const phase0Title = PHASE_TITLES[0];
+    process.stdout.write(`\n${phase0Title}\n`);
+    const phase0Result = await phase0SubstratePicker(opts, deps);
+    results.push({ name: phase0Title, result: phase0Result });
+    if (phase0Result.ok && phase0Result.skipped) {
+        printWarning(`  ⊘ ${phase0Result.message}`);
+    }
+    else if (phase0Result.ok) {
+        // Summary line already printed inside phase0SubstratePicker for non-skip path.
+    }
+    else {
+        printError(`  ✗ ${phase0Result.message}`);
+        if (phase0Result.remedy)
+            printWarning(`    remedy: ${phase0Result.remedy}`);
+        process.stdout.write('\n');
+        printError('Setup FAILED at Phase 0');
+        return { phases: results, failureAt: 0, exitCode: 1 };
+    }
     const substrate = resolveSubstrate(opts, deps);
     const clusterName = resolveClusterName(opts);
-    // Phase 0: flag validation (fail fast before any I/O).
+    // Cluster-name flag validation (fail fast before any I/O).
     // Only validate when the kubernetes substrate is in play — the flag is a
     // no-op for docker and should not block docker-only operators who pass it
     // accidentally, but we still validate the format to surface typos.
@@ -899,9 +1226,7 @@ export async function runSetup(opts, deps = {}) {
     // Phase 0.5: detect existing k8s context. Run eagerly (not in phaseFns) so
     // we can capture reuseContext and thread it through Phases 1.5, 2.5, 2.6.
     // We still push the result into the phases array for the SetupReport.
-    const results = [];
-    let failureAt = null;
-    const phase0_5Title = PHASE_TITLES[0];
+    const phase0_5Title = PHASE_TITLES[1];
     process.stdout.write(`\n${phase0_5Title}\n`);
     const phase0_5Result = await phase0_5DetectExistingContext(substrate, opts, deps);
     results.push({ name: phase0_5Title, result: phase0_5Result });
@@ -934,11 +1259,13 @@ export async function runSetup(opts, deps = {}) {
         () => phase5bProjectSweep(opts, deps),
         () => phase6Auth(opts, deps),
         () => phase7Verify(opts, deps),
+        () => phase8KgHook(opts, deps),
+        () => phase9MemoryBridge(opts, deps),
     ];
-    // results + failureAt were initialised above (before Phase 0.5).
-    // phaseFns indices correspond to PHASE_TITLES[1..] (Phase 0.5 is PHASE_TITLES[0]).
+    // results + failureAt were initialised above (before Phase 0).
+    // phaseFns indices correspond to PHASE_TITLES[2..] (Phase 0 = [0], Phase 0.5 = [1]).
     for (let i = 0; i < phaseFns.length; i += 1) {
-        const name = PHASE_TITLES[i + 1];
+        const name = PHASE_TITLES[i + 2];
         process.stdout.write(`\n${name}\n`);
         const result = await phaseFns[i]();
         results.push({ name, result });
@@ -952,7 +1279,7 @@ export async function runSetup(opts, deps = {}) {
             printError(`  ✗ ${result.message}`);
             if (result.remedy)
                 printWarning(`    remedy: ${result.remedy}`);
-            failureAt = i + 2; // +2 because Phase 0.5 is position 1
+            failureAt = i + 2; // phaseFns[0] lands at results[2] — Phase 0 + Phase 0.5 occupy [0] + [1]
             break;
         }
     }
@@ -967,10 +1294,12 @@ export async function runSetup(opts, deps = {}) {
     for (const line of nextStepsDocs) {
         printInfo('docs', line);
     }
-    // Print the skill-source suggestion when Phase 5a was skipped by default
-    // (operator did not pass --skill-source to onboard inline).
-    const skillSourceWasSkippedByDefault = !opts.skillSource && !opts.skipSkillSource;
-    if (skillSourceWasSkippedByDefault) {
+    // Print the skill-source suggestion only when the operator explicitly opted out
+    // via --skip-skill-source (they asked us not to run Phase 5a at all).
+    // When Phase 5a ran unconditionally (the default), it either registered a source,
+    // found existing ones, or the operator chose "skip for now" in the interactive picker
+    // — no post-setup hint needed because the phase itself communicated the outcome.
+    if (opts.skipSkillSource) {
         process.stdout.write(formatPostSetupSuggestion());
     }
     else {
@@ -982,6 +1311,8 @@ export function registerSetup(program) {
     program
         .command('setup')
         .description('Fresh-host onboarding wizard (k3d cluster + services, idempotent)')
+        .option('--skip-substrate-picker', 'Skip Phase 0 substrate picker (uses existing config or default). '
+        + 'For non-interactive setups where host.substrate is managed manually.')
         .option('--substrate <substrate>', 'Target substrate: kubernetes (default, alias: k3s) or docker. '
         + 'Auto-detected from ~/.olam/config.json when not specified.')
         .option('--cluster-name <name>', 'k3d cluster name to create/use (kubernetes substrate only; default: olam-dev). '
@@ -996,8 +1327,8 @@ export function registerSetup(program) {
         .option('--skip-https-bootstrap', 'Skip Phase 3.5 (do not install mkcert or provision TLS Secret; run `olam services tls-install` later)')
         .option('--skip-shell-init', 'Skip Phase 4 (do not append to ~/.zshrc / ~/.bashrc)')
         .option('--skip-auth', 'Skip Phase 6 (do not prompt for `olam auth login`)')
-        .option('--skip-skill-source', 'Skip Phase 5a (do not pick a skill source; run `olam skills source add` later)')
-        .option('--skill-source <id-or-url>', 'Non-interactive Phase 5a: curated name (e.g. atlas-toolbox) or git URL')
+        .option('--skip-skill-source', 'Skip Phase 5a entirely (run `olam skills source add` later; default: Phase 5a runs and auto-skips when sources already registered)')
+        .option('--skill-source <id-or-url>', 'Non-interactive Phase 5a: curated name (e.g. atlas-toolbox) or git URL (skips interactive picker)')
         .option('--skip-project-sweep', 'Skip Phase 5b (do not walk projects directory for repo discovery)')
         .option('--projects <path>', 'Phase 5b: project root path to walk (default: ~/Projects)')
         .option('--dry-run', 'Phase 5b: print matches without registering or building (no side effects)')
@@ -1008,6 +1339,12 @@ export function registerSetup(program) {
         + '/host/olam so host-cp reads live source. Regular operators DO NOT '
         + 'use this — the published image is self-contained. Absolute path required.')
         .option('-y, --yes', 'Auto-affirm every prompt (non-interactive)')
+        .option('--continue', 'Skip Phases 1-7 (initial setup) and run Phase 8 (KG hook) + Phase 9 '
+        + '(memory bridge) only. Use after `olam setup` has run once successfully.')
+        .option('--skip-kg-hook', 'Skip Phase 8 (do not install KG hook; run `olam kg install-hook --scope user` later)')
+        .option('--skip-memory-bridge', 'Skip Phase 9 (do not register agentmemory MCP; run `olam memory install` later)')
+        .option('--verbose', '[k3s] stream all bootstrap phase output sequentially instead of collapsing to live spinner lines')
+        .option('--skip-prepull', '[k3s] skip pre-pulling olam-* images into the k3d node (pods cold-pull on demand)')
         .action(async (rawOpts) => {
         // Normalise the --substrate flag: 'k3s' is an alias for 'kubernetes'.
         let substrate;
@@ -1024,9 +1361,12 @@ export function registerSetup(program) {
             process.exitCode = 1;
             return;
         }
-        const { substrate: _drop, ...restOpts } = rawOpts;
+        // commander maps `--continue` to rawOpts.continue (reserved word in JS,
+        // but valid as an object property). Map it to continueMode to avoid
+        // shadowing the `continue` keyword in the surrounding scope.
+        const { substrate: _drop, continue: continueFlag, ...restOpts } = rawOpts;
         void _drop;
-        const report = await runSetup({ ...restOpts, substrate });
+        const report = await runSetup({ ...restOpts, substrate, continueMode: continueFlag });
         if (report.exitCode !== 0)
             process.exitCode = report.exitCode;
     });