@pleri/olam-cli 0.1.210 → 0.1.212

package/README.md

@@ -53,11 +53,17 @@ olam setup \
   --remote-memory-url=<memory-url> \
   --remote-kg-url=<kg-url> \
   --remote-dispatch-url=<dispatch-url> \
-  --credentials=gcp                       # pull bearers from gs://olam-credentials
+  --credentials=gcp \
+  --gcp-bucket=<gs://your-bucket[/prefix]>  # explicit — no implicit default
 ```
 
-- **Admin (once):** `olam credentials push` uploads the team's bearers to the
-  bucket (auto-created, uniform bucket-level access). Grant teammates
+The credentials bucket has no implicit default: pass `--gcp-bucket`, set
+`OLAM_CREDENTIALS_BUCKET`, or persist it with
+`olam config set credentials.bucket <gs://bucket[/prefix]>`.
+
+- **Admin (once):** `olam credentials push --gcp-bucket <name>` uploads the
+  team's bearers to the bucket (auto-created, uniform bucket-level access).
+  Grant teammates
   `roles/storage.objectViewer`.
 - **Teammate:** `--credentials=gcp` runs `olam credentials pull` — `gcloud`
   downloads the bearers with the teammate's own ADC and writes them `0600`.

package/dist/image-digests.json

@@ -1,12 +1,12 @@
 {
-  "auth": "sha256:90c00c3d75cc697539a0d6663fdf30d67fac787171ff1c53a3c1fa1755fcecb3",
-  "devbox": "sha256:6d8eccfb38c5379a8977bbd79e59c36ce7d45b4cb7f834d76c7b0bdbc7c27c43",
-  "devbox-base": "sha256:e9ddfc1305549e76608d4da12d2930e8c10be1e3c198db04b7b3b21e4bffc284",
-  "host-cp": "sha256:5d8726cbe667359e64d2abe53150c80c870a2d71960c2f41833a3c8719abee12",
-  "kg-service": "sha256:829de080754fe0728b0c0368b6083a6679baff33745dd81c68fadc4ccea7bf7d",
-  "memory-service": "sha256:2b40d835b807fa49316a9db0215ee4ac6b36e2403c8170cfb4a70067115ad292",
-  "mcp-auth": "sha256:c7041e093e23acdad36eb2a611e66e925061b79e41a5b8a3be28bba57d6624c5",
+  "auth": "sha256:7a206b619cd92d39b2550a09e270e9999a6c0b1a70e391e72b46c2cfbbf0be9c",
+  "devbox": "sha256:d9d1635ba112c00f3f722f2f19c272263f3187b7667751839c33307ee79fef6b",
+  "devbox-base": "sha256:e09f5646a9434fb7b19dcaa70f7efca92e5e884b1a3395146856e7087046fa3a",
+  "host-cp": "sha256:1818b62ee1475cf42f8d55c3ba3cbda9c27b799dc99abcff6c63f02d54574893",
+  "kg-service": "sha256:b74d2099752a0299317c95feab19893764a291db375c4ce0fd96d06691defb9f",
+  "memory-service": "sha256:847d97e6970158f5037821c5664836a1781949750ce69caab08128e1c9c6a157",
+  "mcp-auth": "sha256:9e1b11d9a67005a1a3c65f63b5c4c94d311a35f6b424e576d63bba82290f86cf",
   "$schema_version": 1,
-  "$published_version": "0.1.210",
+  "$published_version": "0.1.212",
   "$registry": "ghcr.io/pleri"
 }

package/dist/index.js

@@ -5742,7 +5742,11 @@ function writeConfig(updates, opts = {}) {
     ...current,
     "config.schema": 1,
     host: { ...current.host, ...updates.host ?? {} },
-    install_id: current.install_id
+    install_id: current.install_id,
+    // Only materialise `credentials` when the update sets it or it already
+    // exists — avoids writing an empty `credentials: {}` on every host-only
+    // write.
+    ...updates.credentials || current.credentials ? { credentials: { ...current.credentials, ...updates.credentials ?? {} } } : {}
   };
   atomicWrite(configPath, next, stderr);
   return next;
@@ -23497,6 +23501,41 @@ import { existsSync as existsSync97, mkdtempSync as mkdtempSync5, readFileSync a
 import { spawnSync as spawnSync29 } from "node:child_process";
 import { homedir as homedir56, tmpdir as tmpdir7 } from "node:os";
 import { join as join104 } from "node:path";
+function parseBucketSpec(spec) {
+  const trimmed = spec.trim().replace(/^gs:\/\//i, "").replace(/\/+$/, "");
+  if (!trimmed) return null;
+  const slash = trimmed.indexOf("/");
+  if (slash === -1) return { bucket: trimmed };
+  const bucket = trimmed.slice(0, slash);
+  const prefix = trimmed.slice(slash + 1).replace(/^\/+/, "");
+  if (!bucket) return null;
+  return prefix ? { bucket, prefix } : { bucket };
+}
+function readConfiguredBucketDefault() {
+  try {
+    const cfg = readConfig();
+    return cfg.credentials?.bucket;
+  } catch {
+    return void 0;
+  }
+}
+function resolveCredentialsBucket(explicit, deps = {}) {
+  const env = deps.env ?? process.env;
+  const readConfigured = deps.readConfiguredBucket ?? readConfiguredBucketDefault;
+  const candidates2 = [
+    { value: explicit, source: "flag" },
+    { value: env[CREDENTIALS_BUCKET_ENV], source: "env" },
+    { value: readConfigured(), source: "config" }
+  ];
+  for (const { value, source } of candidates2) {
+    if (value && value.trim()) {
+      const spec = parseBucketSpec(value);
+      if (!spec) return { ok: false, error: `invalid credentials bucket spec: "${value}"`, remedy: NO_BUCKET_REMEDY };
+      return { ok: true, bucket: spec.bucket, prefix: spec.prefix, source };
+    }
+  }
+  return { ok: false, error: "no credentials bucket configured", remedy: NO_BUCKET_REMEDY };
+}
 function preflightGcp(project, deps = {}) {
   const run = deps.run ?? defaultRun;
   const version = run("gcloud", ["--version"]);
@@ -23531,8 +23570,9 @@ function preflightGcp(project, deps = {}) {
   }
   return { ok: true, project: resolvedProject, account };
 }
-function bucketUri(bucket, object) {
-  return object ? `gs://${bucket}/${object}` : `gs://${bucket}`;
+function bucketUri(bucket, object, prefix) {
+  const parts = [prefix, object].filter((p) => !!p && p.length > 0);
+  return parts.length > 0 ? `gs://${bucket}/${parts.join("/")}` : `gs://${bucket}`;
 }
 function olamDir(deps) {
   return join104(deps.home ?? homedir56(), ".olam");
@@ -23550,7 +23590,9 @@ function resolveLocalSecretValue(obj, deps = {}) {
 }
 function pushCredentials(opts, deps = {}) {
   const run = deps.run ?? defaultRun;
-  const bucket = opts.bucket ?? DEFAULT_CREDENTIALS_BUCKET;
+  const bucket = opts.bucket;
+  if (!bucket) return { ok: false, error: "no credentials bucket specified" };
+  const prefix = opts.prefix;
   const project = opts.project;
   const describe2 = run("gcloud", ["storage", "buckets", "describe", bucketUri(bucket), "--format=value(name)"]);
   if (describe2.status !== 0) {
@@ -23573,7 +23615,7 @@ function pushCredentials(opts, deps = {}) {
       }
       const tmp = join104(staging, obj.object);
       writeSecretAtPath(tmp, value);
-      const cp = run("gcloud", ["storage", "cp", tmp, bucketUri(bucket, obj.object)]);
+      const cp = run("gcloud", ["storage", "cp", tmp, bucketUri(bucket, obj.object, prefix)]);
       if (cp.status !== 0) {
         return { ok: false, pushed, error: `upload ${obj.object} failed: ${cp.stderr.trim()}` };
       }
@@ -23586,14 +23628,16 @@ function pushCredentials(opts, deps = {}) {
 }
 function pullCredentials(opts, deps = {}) {
   const run = deps.run ?? defaultRun;
-  const bucket = opts.bucket ?? DEFAULT_CREDENTIALS_BUCKET;
+  const bucket = opts.bucket;
+  if (!bucket) return { ok: false, error: "no credentials bucket specified" };
+  const prefix = opts.prefix;
   const pulled = [];
   const skipped = [];
   const staging = mkdtempSync5(join104(tmpdir7(), "olam-cred-pull-"));
   try {
     for (const obj of CREDENTIAL_OBJECTS) {
       const tmp = join104(staging, obj.object);
-      const cp = run("gcloud", ["storage", "cp", bucketUri(bucket, obj.object), tmp]);
+      const cp = run("gcloud", ["storage", "cp", bucketUri(bucket, obj.object, prefix), tmp]);
       if (cp.status !== 0 || !existsSync97(tmp)) {
         skipped.push(obj.object);
         continue;
@@ -23607,17 +23651,19 @@ function pullCredentials(opts, deps = {}) {
     rmSync12(staging, { recursive: true, force: true });
   }
   if (pulled.length === 0) {
-    return { ok: false, pulled, skipped, error: `no credential objects found in ${bucketUri(bucket)} (check bucket name + IAM access)` };
+    return { ok: false, pulled, skipped, error: `no credential objects found in ${bucketUri(bucket, void 0, prefix)} (check bucket name + IAM access)` };
   }
   return { ok: true, pulled, skipped };
 }
-var DEFAULT_CREDENTIALS_BUCKET, CREDENTIAL_OBJECTS, defaultRun;
+var CREDENTIALS_BUCKET_ENV, NO_BUCKET_REMEDY, CREDENTIAL_OBJECTS, defaultRun;
 var init_gcp_credentials = __esm({
   "src/lib/gcp-credentials.ts"() {
     "use strict";
     init_memory_secret();
     init_remote_connection();
-    DEFAULT_CREDENTIALS_BUCKET = "olam-credentials";
+    init_config();
+    CREDENTIALS_BUCKET_ENV = "OLAM_CREDENTIALS_BUCKET";
+    NO_BUCKET_REMEDY = `set one: olam config set credentials.bucket <gs://bucket[/prefix]>  \xB7  or pass --gcp-bucket <name>  \xB7  or export ${CREDENTIALS_BUCKET_ENV}=<name>`;
     CREDENTIAL_OBJECTS = [
       { local: "secrets/cloud-memory-secret", object: "cloud-memory-secret" },
       { local: "kg-proxy-bearer", object: "kg-proxy-bearer" },
@@ -23734,14 +23780,20 @@ async function runCloudFirstSetup(opts, deps = {}) {
   }
   if (usingGcp) {
     printInfo("5. Credentials", "pull team bearers from GCS (IAM-gated)");
+    const resolvedBucket = resolveCredentialsBucket(opts.gcpBucket);
     const preflight2 = (deps.gcpPreflightFn ?? preflightGcp)(opts.gcpProject);
-    if (!preflight2.ok) {
+    if (!resolvedBucket.ok) {
+      printError(`  ${resolvedBucket.error}`);
+      printWarning(`  remedy: ${resolvedBucket.remedy}`);
+      steps.push({ name: "credentials", status: "error" });
+    } else if (!preflight2.ok) {
       printError(`  GCP preflight failed: ${preflight2.error}`);
       if (preflight2.remedy) printWarning(`  remedy: ${preflight2.remedy}`);
       steps.push({ name: "credentials", status: "error" });
     } else {
       const pull = (deps.gcpPullFn ?? ((o) => pullCredentials(o)))({
-        bucket: opts.gcpBucket,
+        bucket: resolvedBucket.bucket,
+        prefix: resolvedBucket.prefix,
         project: preflight2.project
       });
       if (pull.ok) {
@@ -47669,7 +47721,7 @@ function registerSetup(program2) {
   ).option(
     "--skip-inbox-hook",
     "Skip Phase 10 (do not install question-inbox hook; run `olam inbox install-hook` later)"
-  ).option("--verbose", "[k3s] stream all bootstrap phase output sequentially instead of collapsing to live spinner lines").option("--skip-prepull", "[k3s] skip pre-pulling olam-* images into the k3d node (pods cold-pull on demand)").option("--cloud-first", "Run the guided cloud-first onboarding (skills/memory/kg/remote); skips docker/k3s").option("--local-mode", "Run the legacy local (docker/k3s) bootstrap pipeline and reveal local commands").option("--skills-source <git-url>", "Cloud-first: register + sync this skill source (trusted)").option("--memory-url <url>", "Cloud-first: non-interactive memory service URL").option("--remote-memory-url <url>", "Cloud-first: alias of --memory-url").option("--memory-secret <bearer>", "Cloud-first: memory bearer secret (stored 0600; prefer --credentials=gcp)").option("--kg-url <url>", "Cloud-first: non-interactive KG mirror URL").option("--remote-kg-url <url>", "Cloud-first: alias of --kg-url").option("--kg-bearer <token>", "Cloud-first: KG mirror bearer (stored 0600; prefer --credentials=gcp)").option("--remote-url <url>", "Cloud-first: non-interactive plan-agent backend URL").option("--remote-dispatch-url <url>", "Cloud-first: alias of --remote-url (cloud dispatch backend)").option("--remote-password <pw>", "Cloud-first: plan-DO showcase password (stored 0600; prefer --credentials=gcp)").option("--credentials <source>", 'Cloud-first: secret source \u2014 "gcp" pulls bearers from the shared GCS bucket (no secrets on the CLI)').option("--gcp-bucket <name>", "Cloud-first: GCS bucket for --credentials=gcp (default: olam-credentials)").option("--gcp-project <id>", "Cloud-first: GCP project for --credentials=gcp (default: gcloud active project)").option("--allow-local-dev", "Cloud-first: allow http:// / private-IP connect endpoints").action(async (rawOpts) => {
+  ).option("--verbose", "[k3s] stream all bootstrap phase output sequentially instead of collapsing to live spinner lines").option("--skip-prepull", "[k3s] skip pre-pulling olam-* images into the k3d node (pods cold-pull on demand)").option("--cloud-first", "Run the guided cloud-first onboarding (skills/memory/kg/remote); skips docker/k3s").option("--local-mode", "Run the legacy local (docker/k3s) bootstrap pipeline and reveal local commands").option("--skills-source <git-url>", "Cloud-first: register + sync this skill source (trusted)").option("--memory-url <url>", "Cloud-first: non-interactive memory service URL").option("--remote-memory-url <url>", "Cloud-first: alias of --memory-url").option("--memory-secret <bearer>", "Cloud-first: memory bearer secret (stored 0600; prefer --credentials=gcp)").option("--kg-url <url>", "Cloud-first: non-interactive KG mirror URL").option("--remote-kg-url <url>", "Cloud-first: alias of --kg-url").option("--kg-bearer <token>", "Cloud-first: KG mirror bearer (stored 0600; prefer --credentials=gcp)").option("--remote-url <url>", "Cloud-first: non-interactive plan-agent backend URL").option("--remote-dispatch-url <url>", "Cloud-first: alias of --remote-url (cloud dispatch backend)").option("--remote-password <pw>", "Cloud-first: plan-DO showcase password (stored 0600; prefer --credentials=gcp)").option("--credentials <source>", 'Cloud-first: secret source \u2014 "gcp" pulls bearers from the shared GCS bucket (no secrets on the CLI)').option("--gcp-bucket <name>", "Cloud-first: GCS bucket or gs://bucket/prefix for --credentials=gcp (overrides OLAM_CREDENTIALS_BUCKET / config; required \u2014 no implicit default)").option("--gcp-project <id>", "Cloud-first: GCP project for --credentials=gcp (default: gcloud active project)").option("--allow-local-dev", "Cloud-first: allow http:// / private-IP connect endpoints").action(async (rawOpts) => {
     const { resolveSetupPath: resolveSetupPath2, runCloudFirstSetup: runCloudFirstSetup2 } = await Promise.resolve().then(() => (init_setup_cloud_first(), setup_cloud_first_exports));
     const isTty = Boolean(process.stdin.isTTY);
     const hasCloudArg = Boolean(
@@ -48281,7 +48333,8 @@ var SETTABLE_KEYS = [
   "host.substrate",
   "host.mode",
   "host.kubectl_context_pinned",
-  "host.gh_token"
+  "host.gh_token",
+  "credentials.bucket"
 ];
 var SECRET_KEYS = /* @__PURE__ */ new Set(["host.gh_token"]);
 function hostConfigPath() {
@@ -48396,6 +48449,14 @@ function registerConfig(program2) {
         process.exit(1);
       }
       writeConfig({ host: { gh_token: value } }, { configPath });
+    } else if (key === "credentials.bucket") {
+      if (value.length === 0) {
+        process.stderr.write(
+          "credentials.bucket must be a non-empty bucket name or gs://bucket[/prefix] path\n"
+        );
+        process.exit(1);
+      }
+      writeConfig({ credentials: { bucket: value } }, { configPath });
     } else {
       process.stderr.write(
         `unknown config key: "${key}"
@@ -56410,28 +56471,34 @@ function fail(message, remedy) {
 }
 function registerCredentials(program2) {
   const credentials = program2.command("credentials").description("Distribute team secret bearers through a GCS bucket (IAM-gated)");
-  credentials.command("push").description("Upload local secret bearers to the shared GCS bucket (admin)").option("--gcp-bucket <name>", `GCS bucket name (default: ${DEFAULT_CREDENTIALS_BUCKET})`).option("--gcp-project <id>", "GCP project (default: gcloud active project)").action((opts) => {
+  credentials.command("push").description("Upload local secret bearers to the shared GCS bucket (admin)").option("--gcp-bucket <name>", "GCS bucket or gs://bucket/prefix path (overrides OLAM_CREDENTIALS_BUCKET / config)").option("--gcp-project <id>", "GCP project (default: gcloud active project)").action((opts) => {
+    const resolved = resolveCredentialsBucket(opts.gcpBucket);
+    if (!resolved.ok) fail(resolved.error, resolved.remedy);
+    const { bucket, prefix } = resolved;
     const pre = preflightGcp(opts.gcpProject);
     if (!pre.ok) fail(pre.error ?? "gcloud preflight failed", pre.remedy);
-    const bucket = opts.gcpBucket ?? DEFAULT_CREDENTIALS_BUCKET;
+    const uri = prefix ? `gs://${bucket}/${prefix}` : `gs://${bucket}`;
     printInfo("account", pre.account ?? "?");
     printInfo("project", pre.project ?? "?");
-    printInfo("bucket", `gs://${bucket}`);
-    const result = pushCredentials({ bucket, project: pre.project });
+    printInfo("bucket", `${uri}  (${resolved.source})`);
+    const result = pushCredentials({ bucket, prefix, project: pre.project });
     if (!result.ok) fail(result.error ?? "push failed");
-    printSuccess(`pushed ${result.pushed?.length ?? 0} secret(s) to gs://${bucket}`);
+    printSuccess(`pushed ${result.pushed?.length ?? 0} secret(s) to ${uri}`);
     for (const o of result.pushed ?? []) printInfo("\u2191", o);
     if (result.skipped && result.skipped.length > 0) {
       printWarning(`skipped (not present locally): ${result.skipped.join(", ")}`);
     }
   });
-  credentials.command("pull").description("Download secret bearers from the shared GCS bucket into ~/.olam/ (0600)").option("--gcp-bucket <name>", `GCS bucket name (default: ${DEFAULT_CREDENTIALS_BUCKET})`).option("--gcp-project <id>", "GCP project (default: gcloud active project)").action((opts) => {
+  credentials.command("pull").description("Download secret bearers from the shared GCS bucket into ~/.olam/ (0600)").option("--gcp-bucket <name>", "GCS bucket or gs://bucket/prefix path (overrides OLAM_CREDENTIALS_BUCKET / config)").option("--gcp-project <id>", "GCP project (default: gcloud active project)").action((opts) => {
+    const resolved = resolveCredentialsBucket(opts.gcpBucket);
+    if (!resolved.ok) fail(resolved.error, resolved.remedy);
+    const { bucket, prefix } = resolved;
     const pre = preflightGcp(opts.gcpProject);
     if (!pre.ok) fail(pre.error ?? "gcloud preflight failed", pre.remedy);
-    const bucket = opts.gcpBucket ?? DEFAULT_CREDENTIALS_BUCKET;
+    const uri = prefix ? `gs://${bucket}/${prefix}` : `gs://${bucket}`;
     printInfo("account", pre.account ?? "?");
-    printInfo("bucket", `gs://${bucket}`);
-    const result = pullCredentials({ bucket, project: pre.project });
+    printInfo("bucket", `${uri}  (${resolved.source})`);
+    const result = pullCredentials({ bucket, prefix, project: pre.project });
     if (!result.ok) fail(result.error ?? "pull failed", "verify the bucket name and your IAM access (roles/storage.objectViewer)");
     printSuccess(`pulled ${result.pulled?.length ?? 0} secret(s) into ~/.olam/ (0600)`);
     for (const o of result.pulled ?? []) printInfo("\u2193", o);

package/dist/mcp-server.js

@@ -10909,37 +10909,37 @@ var require_dist = __commonJS({
 });
 
 // ../core/dist/paths/olam-paths.js
-import { homedir } from "node:os";
-import { join as join2 } from "node:path";
+import { homedir as homedir2 } from "node:os";
+import { join as join3 } from "node:path";
 function olamHome() {
   const fromEnv = process.env["OLAM_HOME"];
   if (fromEnv && fromEnv.length > 0)
     return fromEnv;
-  return join2(homedir(), ".olam");
+  return join3(homedir2(), ".olam");
 }
 function claudeDir() {
   const fromEnv = process.env["OLAM_CLAUDE_DIR"];
   if (fromEnv && fromEnv.length > 0)
     return fromEnv;
-  return join2(homedir(), ".claude");
+  return join3(homedir2(), ".claude");
 }
 function globalConfigPath() {
   const override = process.env["OLAM_GLOBAL_CONFIG_PATH"];
   if (override && override.length > 0)
     return override;
-  return join2(olamHome(), "config.json");
+  return join3(olamHome(), "config.json");
 }
 function stateDir() {
   const override = process.env["OLAM_STATE_DIR"];
   if (override && override.length > 0)
     return override;
-  return join2(olamHome(), "state");
+  return join3(olamHome(), "state");
 }
 function skillSourcesDir() {
   const override = process.env["OLAM_SKILL_SOURCES_DIR"];
   if (override && override.length > 0)
     return override;
-  return join2(stateDir(), "skill-sources");
+  return join3(stateDir(), "skill-sources");
 }
 var init_olam_paths = __esm({
   "../core/dist/paths/olam-paths.js"() {
@@ -11086,8 +11086,8 @@ var init_version2 = __esm({
 });
 
 // ../core/dist/world/repo-manifest.js
-import { existsSync as existsSync5, lstatSync, readFileSync as readFileSync3 } from "node:fs";
-import { join as join6, resolve as resolve3, sep } from "node:path";
+import { existsSync as existsSync6, lstatSync, readFileSync as readFileSync4 } from "node:fs";
+import { join as join7, resolve as resolve3, sep } from "node:path";
 import YAML from "yaml";
 function bootstrapStepCmd(entry) {
   return typeof entry === "string" ? entry : entry.cmd;
@@ -11151,14 +11151,14 @@ function isPlainObject3(value) {
   return value !== null && typeof value === "object" && !Array.isArray(value) && Object.getPrototypeOf(value) === Object.prototype;
 }
 function loadRepoManifest(repoDir) {
-  const olamPath = join6(repoDir, ".olam.yaml");
-  const adbPath = join6(repoDir, ".adb.yaml");
+  const olamPath = join7(repoDir, ".olam.yaml");
+  const adbPath = join7(repoDir, ".adb.yaml");
   let manifestPath2;
   let source;
-  if (existsSync5(olamPath)) {
+  if (existsSync6(olamPath)) {
     manifestPath2 = olamPath;
     source = "olam";
-  } else if (existsSync5(adbPath)) {
+  } else if (existsSync6(adbPath)) {
     manifestPath2 = adbPath;
     source = "adb";
   } else {
@@ -11168,10 +11168,10 @@ function loadRepoManifest(repoDir) {
   if (stat2.isSymbolicLink()) {
     throw new Error(`[manifest] ${manifestPath2}: symbolic links are not permitted`);
   }
-  const raw = readFileSync3(manifestPath2, "utf-8");
+  const raw = readFileSync4(manifestPath2, "utf-8");
   const parsed = YAML.parse(raw, { maxAliasCount: 100 });
   if (parsed === null || parsed === void 0) {
-    if (source === "olam" && existsSync5(adbPath)) {
+    if (source === "olam" && existsSync6(adbPath)) {
       console.warn(`[manifest] ${manifestPath2}: file is empty; .adb.yaml is NOT consulted (delete .olam.yaml to fall back)`);
     }
     return null;
@@ -11191,14 +11191,14 @@ function loadRepoManifest(repoDir) {
     if (!inheritedAbs.startsWith(repoDirAbs + sep) && inheritedAbs !== repoDirAbs) {
       throw new Error(`[manifest] ${manifestPath2}: inherits target "${inheritsRaw}" escapes repo dir`);
     }
-    if (!existsSync5(inheritedAbs)) {
+    if (!existsSync6(inheritedAbs)) {
       throw new Error(`[manifest] ${manifestPath2}: inherits target "${inheritsRaw}" not found`);
     }
     const inheritedStat = lstatSync(inheritedAbs);
     if (inheritedStat.isSymbolicLink()) {
       throw new Error(`[manifest] ${manifestPath2}: inherits target "${inheritsRaw}" is a symlink (not permitted)`);
     }
-    const inheritedRaw = readFileSync3(inheritedAbs, "utf-8");
+    const inheritedRaw = readFileSync4(inheritedAbs, "utf-8");
     const inheritedParsed = YAML.parse(inheritedRaw, { maxAliasCount: 100 });
     if (inheritedParsed !== null && inheritedParsed !== void 0) {
       if (typeof inheritedParsed !== "object" || Array.isArray(inheritedParsed)) {
@@ -11417,7 +11417,7 @@ var init_path = __esm({
 import * as fs5 from "node:fs";
 import * as os4 from "node:os";
 import * as path7 from "node:path";
-import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
+import { parse as parseYaml2, stringify as stringifyYaml } from "yaml";
 function workspacesDir() {
   const override = process.env["OLAM_WORKSPACES_DIR"];
   if (override && override.length > 0)
@@ -11441,7 +11441,7 @@ function listWorkspaces() {
   for (const entry of entries) {
     try {
       const raw = fs5.readFileSync(path7.join(dir, entry), "utf-8");
-      const parsed = parseYaml(raw);
+      const parsed = parseYaml2(raw);
       const ws = WorkspaceSchema.parse(parsed);
       result.push(ws);
     } catch (err) {
@@ -11466,7 +11466,7 @@ function readWorkspace(name) {
   if (!fs5.existsSync(file2))
     return null;
   const raw = fs5.readFileSync(file2, "utf-8");
-  return WorkspaceSchema.parse(parseYaml(raw));
+  return WorkspaceSchema.parse(parseYaml2(raw));
 }
 function writeWorkspace(ws, options = {}) {
   validateName(ws.name);
@@ -12392,7 +12392,7 @@ __export(loader_exports, {
 });
 import * as fs8 from "node:fs";
 import * as path9 from "node:path";
-import { parse as parseYaml2 } from "yaml";
+import { parse as parseYaml3 } from "yaml";
 function findConfigFile(startDir) {
   const searched = [];
   let current = path9.resolve(startDir);
@@ -12432,7 +12432,7 @@ function loadConfig(startDir) {
   }
   let parsed;
   try {
-    parsed = parseYaml2(rawContent);
+    parsed = parseYaml3(rawContent);
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
     throw new Error(`Invalid YAML in ${found.path}: ${message}`);
@@ -13387,7 +13387,7 @@ var init_cleanup = __esm({
 
 // ../adapters/dist/ssh/connection.js
 import { Client as SSHClient } from "ssh2";
-import { readFileSync as readFileSync10 } from "node:fs";
+import { readFileSync as readFileSync11 } from "node:fs";
 var SSHConnectionPool;
 var init_connection = __esm({
   "../adapters/dist/ssh/connection.js"() {
@@ -13482,7 +13482,7 @@ var init_connection = __esm({
             host: config2.host,
             port: config2.port ?? 22,
             username: config2.user,
-            ...config2.key ? { privateKey: readFileSync10(config2.key) } : {},
+            ...config2.key ? { privateKey: readFileSync11(config2.key) } : {},
             ...config2.password ? { password: config2.password } : {}
           });
         });
@@ -16305,9 +16305,9 @@ var init_model_router = __esm({
 });
 
 // ../core/dist/meta-hooks/model-router-deploy.js
-import { existsSync as existsSync32, mkdirSync as mkdirSync16, readFileSync as readFileSync23, writeFileSync as writeFileSync15 } from "node:fs";
-import { homedir as homedir14 } from "node:os";
-import { dirname as dirname13, join as join30, resolve as resolve7 } from "node:path";
+import { existsSync as existsSync33, mkdirSync as mkdirSync16, readFileSync as readFileSync24, writeFileSync as writeFileSync15 } from "node:fs";
+import { homedir as homedir15 } from "node:os";
+import { dirname as dirname13, join as join31, resolve as resolve7 } from "node:path";
 import { fileURLToPath as fileURLToPath3 } from "node:url";
 function resolveModelRouterSourcePath() {
   const here = dirname13(fileURLToPath3(import.meta.url));
@@ -16321,21 +16321,21 @@ function resolveModelRouterSourcePath() {
     resolve7(here, "..", "..", "hooks", MODEL_ROUTER_SCRIPT_BASENAME)
   ];
   for (const candidate of candidates) {
-    if (existsSync32(candidate))
+    if (existsSync33(candidate))
       return candidate;
   }
   return candidates[0];
 }
 function deployModelRouterScript(opts = {}) {
-  const targetDir = opts.targetDir ?? join30(homedir14(), ".claude", "hooks");
-  const targetPath = join30(targetDir, MODEL_ROUTER_SCRIPT_BASENAME);
+  const targetDir = opts.targetDir ?? join31(homedir15(), ".claude", "hooks");
+  const targetPath = join31(targetDir, MODEL_ROUTER_SCRIPT_BASENAME);
   const sourcePath = opts.sourcePath ?? resolveModelRouterSourcePath();
-  if (!existsSync32(sourcePath)) {
+  if (!existsSync33(sourcePath)) {
     return { basename: MODEL_ROUTER_SCRIPT_BASENAME, action: "source-missing", targetPath };
   }
-  const newContent = readFileSync23(sourcePath, "utf8");
-  if (existsSync32(targetPath)) {
-    const existing = readFileSync23(targetPath, "utf8");
+  const newContent = readFileSync24(sourcePath, "utf8");
+  if (existsSync33(targetPath)) {
+    const existing = readFileSync24(targetPath, "utf8");
     if (existing === newContent) {
       return { basename: MODEL_ROUTER_SCRIPT_BASENAME, action: "unchanged", targetPath };
     }
@@ -16613,7 +16613,7 @@ var init_schema5 = __esm({
 import { execFileSync as execFileSync4 } from "node:child_process";
 import * as fs30 from "node:fs";
 import * as path28 from "node:path";
-import { parse as parseYaml3 } from "yaml";
+import { parse as parseYaml4 } from "yaml";
 function findProjectOverride(startDir) {
   let dir = path28.resolve(startDir);
   const root = path28.parse(dir).root;
@@ -16623,7 +16623,7 @@ function findProjectOverride(startDir) {
       const raw = fs30.readFileSync(candidate, "utf-8");
       let parsed;
       try {
-        parsed = parseYaml3(raw);
+        parsed = parseYaml4(raw);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         throw new Error(`failed to parse "${candidate}" as YAML: ${msg}`);
@@ -16854,13 +16854,13 @@ var init_file_lock = __esm({
 });
 
 // ../core/dist/lib/min-version-filter.js
-import { existsSync as existsSync35, readFileSync as readFileSync27 } from "node:fs";
+import { existsSync as existsSync36, readFileSync as readFileSync28 } from "node:fs";
 function readOlamMinVersion(filepath) {
-  if (!existsSync35(filepath))
+  if (!existsSync36(filepath))
     return void 0;
   let text;
   try {
-    text = readFileSync27(filepath, "utf8");
+    text = readFileSync28(filepath, "utf8");
   } catch {
     return void 0;
   }
@@ -17536,7 +17536,7 @@ var init_meta_hook_injector = __esm({
 
 // ../core/dist/lib/markdown-merger.js
 import { createHash as createHash5 } from "node:crypto";
-import { readFileSync as readFileSync31, existsSync as existsSync38, statSync as statSync10 } from "node:fs";
+import { readFileSync as readFileSync32, existsSync as existsSync39, statSync as statSync10 } from "node:fs";
 function parseFrontmatter(text) {
   const match = FM_RE2.exec(text);
   if (match === null)
@@ -17665,9 +17665,9 @@ function mergeMarkdown(upstreamText, overlayText, labelForError, upstreamPath, o
   return { merged: fmBlock !== "" ? fmBlock + mergedBody : mergedBody };
 }
 function sha256OfPath(p) {
-  if (!existsSync38(p) || !statSync10(p).isFile())
+  if (!existsSync39(p) || !statSync10(p).isFile())
     return "MISSING";
-  return createHash5("sha256").update(readFileSync31(p)).digest("hex");
+  return createHash5("sha256").update(readFileSync32(p)).digest("hex");
 }
 var FM_RE2, H2_RE;
 var init_markdown_merger = __esm({
@@ -17935,26 +17935,26 @@ var init_prefix_deploy = __esm({
 });
 
 // ../core/dist/skill-sync/resolve-source-config.js
-import { readFileSync as readFileSync33, existsSync as existsSync39 } from "node:fs";
-import { join as join39 } from "node:path";
-import { parse as parseYaml4 } from "yaml";
+import { readFileSync as readFileSync34, existsSync as existsSync40 } from "node:fs";
+import { join as join40 } from "node:path";
+import { parse as parseYaml5 } from "yaml";
 function sourceConfigPath(clonePath) {
-  return join39(clonePath, "shared", "source-config.yaml");
+  return join40(clonePath, "shared", "source-config.yaml");
 }
 function readSourceConfig(clonePath, sourceId) {
   const path62 = sourceConfigPath(clonePath);
-  if (!existsSync39(path62))
+  if (!existsSync40(path62))
     return void 0;
   let raw;
   try {
-    raw = readFileSync33(path62, "utf-8");
+    raw = readFileSync34(path62, "utf-8");
   } catch (err) {
     emitMalformedWarning(sourceId, `read failed: ${errToMsg(err)}`);
     return void 0;
   }
   let parsed;
   try {
-    parsed = parseYaml4(raw);
+    parsed = parseYaml5(raw);
   } catch (err) {
     emitMalformedWarning(sourceId, `YAML parse failed: ${errToMsg(err)}`);
     return void 0;
@@ -39602,6 +39602,68 @@ var EMPTY_COMPLETION_RESULT = {
   }
 };
 
+// ../mcp-server/src/cloud-visibility.ts
+import { existsSync, readFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { parse as parseYaml } from "yaml";
+var DEFAULT_MCP_MODE = "cloud";
+var SHOW_ALL_TOOLS_ENV = "OLAM_MCP_SHOW_ALL_TOOLS";
+var MCP_LOCAL_ONLY_TOOLS = /* @__PURE__ */ new Set([
+  "olam_enter",
+  // world-enter   — literal `docker exec -it … tmux attach`
+  "olam_observe",
+  // world-observe — local better-sqlite3 world DB read
+  "olam_web_task",
+  // web-task      — host venv `spawn(python -m webwright)`
+  "olam_create_lane",
+  // lane-create   — in-container .exec curl (CF exec unsupported)
+  "olam_list_lanes",
+  // lane-list     — in-container .exec curl
+  "olam_dispatch_lane",
+  // lane-dispatch — in-container .exec curl
+  "olam_destroy_lane",
+  // lane-destroy  — in-container .exec curl
+  "olam_merge_lane"
+  // lane-merge    — in-container .exec curl
+]);
+function resolveConfigPath() {
+  const override = process.env["OLAM_CONFIG_PATH"];
+  if (override && override.trim() !== "") return override;
+  const home = join(homedir(), ".olam");
+  const jsonPath = join(home, "config.json");
+  const yamlPath = join(home, "config.yaml");
+  if (existsSync(jsonPath)) return jsonPath;
+  if (existsSync(yamlPath)) return yamlPath;
+  return jsonPath;
+}
+function isYamlPath(p) {
+  return p.endsWith(".yaml") || p.endsWith(".yml");
+}
+function readMcpMode(opts = {}) {
+  try {
+    const configPath = opts.configPath ?? resolveConfigPath();
+    if (!existsSync(configPath)) return DEFAULT_MCP_MODE;
+    const raw = readFileSync(configPath, "utf8");
+    const parsed = isYamlPath(configPath) ? parseYaml(raw) : JSON.parse(raw);
+    const mode = parsed?.host?.mode;
+    return mode === "local" ? "local" : DEFAULT_MCP_MODE;
+  } catch {
+    return DEFAULT_MCP_MODE;
+  }
+}
+function isCloudMode(opts = {}) {
+  return readMcpMode(opts) === "cloud";
+}
+function showAllToolsForced() {
+  return process.env[SHOW_ALL_TOOLS_ENV] === "1";
+}
+function resolveDeniedTools(opts = {}) {
+  if (opts.showAll || showAllToolsForced()) return /* @__PURE__ */ new Set();
+  if (!isCloudMode({ configPath: opts.configPath })) return /* @__PURE__ */ new Set();
+  return MCP_LOCAL_ONLY_TOOLS;
+}
+
 // ../mcp-server/src/tool-filter.ts
 function getToolFilterContextFromEnv() {
   const raw = process.env.OLAM_ALLOWED_TOOLS;
@@ -39616,20 +39678,29 @@ function getToolFilterContextFromEnv() {
       context.allowedTools = allowedTools;
     }
   }
+  const denied = resolveDeniedTools();
+  if (denied.size > 0) {
+    context.deniedTools = denied;
+  }
   return context;
 }
 function withFilteredTools(server, context) {
   const allowed = context.allowedTools;
-  if (!allowed || allowed.length === 0) {
+  const denied = context.deniedTools;
+  const hasAllow = !!allowed && allowed.length > 0;
+  const hasDeny = !!denied && denied.size > 0;
+  if (!hasAllow && !hasDeny) {
     return { server, finalize: () => {
     } };
   }
-  const allowedSet = new Set(allowed);
+  const allowedSet = hasAllow ? new Set(allowed) : null;
   const registered = /* @__PURE__ */ new Set();
   const host = server;
   const original = host.tool;
   const filtered = function(name, ...rest) {
-    if (typeof name === "string" && allowedSet.has(name)) {
+    const passesAllow = typeof name === "string" && (!allowedSet || allowedSet.has(name));
+    const passesDeny = !hasDeny || !denied.has(name);
+    if (passesAllow && passesDeny) {
       registered.add(name);
       return original.apply(
         server,
@@ -39643,12 +39714,14 @@ function withFilteredTools(server, context) {
     server,
     finalize: () => {
       host.tool = original;
-      for (const name of allowedSet) {
-        if (!registered.has(name)) {
-          process.stderr.write(
-            `[tool-filter] warning: unknown tool name in OLAM_ALLOWED_TOOLS: "${name}"
+      if (allowedSet) {
+        for (const name of allowedSet) {
+          if (!registered.has(name) && !(hasDeny && denied.has(name))) {
+            process.stderr.write(
+              `[tool-filter] warning: unknown tool name in OLAM_ALLOWED_TOOLS: "${name}"
 `
-          );
+            );
+          }
         }
       }
     }
@@ -40171,7 +40244,7 @@ function sleep(ms) {
 
 // ../core/dist/auth/container.js
 import { execFileSync, spawnSync } from "node:child_process";
-import { chmodSync as chmodSync3, existsSync as existsSync4, mkdtempSync, rmSync, writeFileSync as writeFileSync3 } from "node:fs";
+import { chmodSync as chmodSync3, existsSync as existsSync5, mkdtempSync, rmSync, writeFileSync as writeFileSync3 } from "node:fs";
 import { tmpdir } from "node:os";
 import * as path4 from "node:path";
 import { fileURLToPath } from "node:url";
@@ -40240,7 +40313,7 @@ var AuthContainerController = class {
    */
   buildImage() {
     const dockerfileDir = resolveAuthServicePath();
-    if (!existsSync4(path4.join(dockerfileDir, "Dockerfile"))) {
+    if (!existsSync5(path4.join(dockerfileDir, "Dockerfile"))) {
       throw new Error(`auth image '${this.imageTag}' is not present locally and no Dockerfile is available at ${dockerfileDir} to build from. Run \`olam bootstrap\` to pull the published image, or check out the olam source tree.`);
     }
     execFileSync("docker", ["build", "--tag", this.imageTag, dockerfileDir], { stdio: "inherit" });
@@ -41390,12 +41463,12 @@ var logger = {
 // ../mcp-server/src/utils/profile-sync.ts
 import { execFile } from "node:child_process";
 import { promisify } from "node:util";
-import { readFileSync as readFileSync5, existsSync as existsSync7, statSync } from "node:fs";
-import { homedir as homedir5 } from "node:os";
-import { join as join9 } from "node:path";
+import { readFileSync as readFileSync6, existsSync as existsSync8, statSync } from "node:fs";
+import { homedir as homedir6 } from "node:os";
+import { join as join10 } from "node:path";
 var execFileP = promisify(execFile);
 async function tarSkillsDir(skillsDir) {
-  if (!existsSync7(skillsDir) || !statSync(skillsDir).isDirectory()) {
+  if (!existsSync8(skillsDir) || !statSync(skillsDir).isDirectory()) {
     return null;
   }
   const { stdout } = await execFileP(
@@ -41406,12 +41479,12 @@ async function tarSkillsDir(skillsDir) {
   return stdout;
 }
 function extractMcpConfig(claudeJsonPath) {
-  if (!existsSync7(claudeJsonPath)) {
+  if (!existsSync8(claudeJsonPath)) {
     return { mcpServers: {}, secrets: {} };
   }
   let parsed;
   try {
-    const raw = readFileSync5(claudeJsonPath, "utf8");
+    const raw = readFileSync6(claudeJsonPath, "utf8");
     parsed = JSON.parse(raw);
   } catch (err) {
     logger.warn("Failed to parse ~/.claude.json", {
@@ -41449,19 +41522,19 @@ function extractMcpConfig(claudeJsonPath) {
   return { mcpServers, secrets };
 }
 function readOptional(path62) {
-  if (!existsSync7(path62)) return null;
+  if (!existsSync8(path62)) return null;
   try {
-    return readFileSync5(path62, "utf8");
+    return readFileSync6(path62, "utf8");
   } catch {
     return null;
   }
 }
 async function syncProfileToCloudflare(opts) {
-  const home = opts.homeDir ?? homedir5();
-  const skillsDir = join9(home, ".claude", "skills");
-  const claudeJsonPath = join9(home, ".claude.json");
-  const claudeMdPath = join9(home, ".claude", "CLAUDE.md");
-  const agentsMdPath = join9(home, ".claude", "AGENTS.md");
+  const home = opts.homeDir ?? homedir6();
+  const skillsDir = join10(home, ".claude", "skills");
+  const claudeJsonPath = join10(home, ".claude.json");
+  const claudeMdPath = join10(home, ".claude", "CLAUDE.md");
+  const agentsMdPath = join10(home, ".claude", "AGENTS.md");
   const form = new FormData();
   const skillsBuf = await tarSkillsDir(skillsDir);
   if (skillsBuf) {
@@ -43618,7 +43691,7 @@ __export(world_observe_exports, {
   register: () => register9
 });
 import { createRequire as createRequire3 } from "node:module";
-import { existsSync as existsSync12 } from "node:fs";
+import { existsSync as existsSync13 } from "node:fs";
 
 // ../skill-runtime/dist/skills/world-observe.js
 init_v3();
@@ -43669,7 +43742,7 @@ function readWorldChunks(dbPath, params) {
       limit
     }
   });
-  if (!existsSync12(dbPath)) return empty();
+  if (!existsSync13(dbPath)) return empty();
   const Sqlite = require2("better-sqlite3");
   const db = new Sqlite(dbPath, { readonly: true, fileMustExist: true });
   try {
@@ -44582,12 +44655,12 @@ __export(capture_view_exports, {
 });
 init_v3();
 import { mkdir } from "node:fs/promises";
-import { join as join16, resolve as resolvePath } from "node:path";
+import { join as join17, resolve as resolvePath } from "node:path";
 
 // ../mcp-server/src/tools/_capture/manifest.ts
 import { createHash as createHash3 } from "node:crypto";
 import { readFile, writeFile } from "node:fs/promises";
-import { basename as basename2, join as join15 } from "node:path";
+import { basename as basename2, join as join16 } from "node:path";
 function redactUrl(url3) {
   if (url3.startsWith("world://")) return url3;
   let parsed;
@@ -44630,7 +44703,7 @@ async function writeManifest(args) {
     capturedAt: args.capturedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
     shots: entries
   };
-  const path62 = join15(args.outDir, "manifest.json");
+  const path62 = join16(args.outDir, "manifest.json");
   await writeFile(path62, `${JSON.stringify(manifest, null, 2)}
 `, "utf8");
   return { path: path62, manifest };
@@ -45428,7 +45501,7 @@ function releaseLaunchSlot() {
 function resolveShootsRoot() {
   const fromEnv = process.env.OLAM_SHOOTS_ROOT;
   if (fromEnv && fromEnv.length > 0) return resolvePath(fromEnv);
-  return resolvePath(join16(process.cwd(), ".olam", "shoots"));
+  return resolvePath(join17(process.cwd(), ".olam", "shoots"));
 }
 function isUnderRoot(absPath, root) {
   if (absPath === root) return true;
@@ -45729,7 +45802,7 @@ async function runShot(browser, shot, outDir, format, jpegQuality, allowEval, as
       await page.waitForTimeout(shot.afterLoadMs);
     }
     const ext = format === "jpeg" ? "jpg" : "png";
-    const path62 = join16(outDir, `${shot.name}.${ext}`);
+    const path62 = join17(outDir, `${shot.name}.${ext}`);
     await page.screenshot({
       path: path62,
       type: format,
@@ -46041,20 +46114,20 @@ var webTaskShape = external_exports2.object(webTaskInput);
 
 // ../mcp-server/src/tools/_web_task/provision.ts
 import { spawn as spawn3 } from "node:child_process";
-import { existsSync as existsSync14 } from "node:fs";
-import { homedir as homedir9 } from "node:os";
-import { join as join17 } from "node:path";
+import { existsSync as existsSync15 } from "node:fs";
+import { homedir as homedir10 } from "node:os";
+import { join as join18 } from "node:path";
 var WEBWRIGHT_SETUP_COMMAND = "olam webwright setup";
 function resolveVenvPath(cfg) {
   if (cfg?.venvPath && cfg.venvPath.length > 0) return cfg.venvPath;
-  return join17(homedir9(), ".olam", "venvs", "webwright");
+  return join18(homedir10(), ".olam", "venvs", "webwright");
 }
 function resolveConfigDir(cfg) {
   if (cfg?.configDir && cfg.configDir.length > 0) {
-    return existsSync14(cfg.configDir) ? cfg.configDir : null;
+    return existsSync15(cfg.configDir) ? cfg.configDir : null;
   }
-  const candidate = join17(
-    homedir9(),
+  const candidate = join18(
+    homedir10(),
     ".claude",
     "plugins",
     "marketplaces",
@@ -46063,7 +46136,7 @@ function resolveConfigDir(cfg) {
     "webwright",
     "config"
   );
-  return existsSync14(candidate) ? candidate : null;
+  return existsSync15(candidate) ? candidate : null;
 }
 function isWebwrightEnabled(cfg) {
   const env = process.env.OLAM_WEBWRIGHT_ENABLED;
@@ -46071,10 +46144,10 @@ function isWebwrightEnabled(cfg) {
   return cfg?.enabled === true;
 }
 function venvPython(venvPath) {
-  const posix = join17(venvPath, "bin", "python");
-  if (existsSync14(posix)) return posix;
-  const win = join17(venvPath, "Scripts", "python.exe");
-  if (existsSync14(win)) return win;
+  const posix = join18(venvPath, "bin", "python");
+  if (existsSync15(posix)) return posix;
+  const win = join18(venvPath, "Scripts", "python.exe");
+  if (existsSync15(win)) return win;
   return null;
 }
 async function probeWebwrightImportable(pythonPath, opts = {}) {
@@ -46120,7 +46193,7 @@ async function checkWebwrightProvisioned(cfg, probe = probeWebwrightImportable)
     };
   }
   const venvPath = resolveVenvPath(cfg);
-  if (!existsSync14(venvPath)) {
+  if (!existsSync15(venvPath)) {
     return {
       ok: false,
       reason: "venv_missing",
@@ -46157,14 +46230,14 @@ async function checkWebwrightProvisioned(cfg, probe = probeWebwrightImportable)
 // ../mcp-server/src/tools/_web_task/spawn-executor.ts
 import { spawn as spawn4 } from "node:child_process";
 import { mkdir as mkdir2, mkdtemp, readFile as readFile3, readdir, rm, writeFile as writeFile2 } from "node:fs/promises";
-import { existsSync as existsSync15 } from "node:fs";
+import { existsSync as existsSync16 } from "node:fs";
 import { tmpdir as tmpdir2 } from "node:os";
-import { join as join19, resolve as resolvePath2 } from "node:path";
+import { join as join20, resolve as resolvePath2 } from "node:path";
 
 // ../mcp-server/src/tools/_web_task/model-config.ts
 import { readFile as readFile2 } from "node:fs/promises";
-import { homedir as homedir10 } from "node:os";
-import { join as join18 } from "node:path";
+import { homedir as homedir11 } from "node:os";
+import { join as join19 } from "node:path";
 var PLACEHOLDER_ANTHROPIC_API_KEY = "olam-vault-routed-placeholder-stripped-by-proxy";
 var DEFAULT_WEB_TASK_MODEL = "claude-opus-4-7";
 var AnthropicBaseUrlMissingError = class extends Error {
@@ -46179,7 +46252,7 @@ async function resolveVaultBaseUrl(opts = {}) {
   const env = opts.env ?? process.env;
   const fromEnv = env.OLAM_ANTHROPIC_BASE_URL;
   if (fromEnv && fromEnv.trim().length > 0) return fromEnv.trim();
-  const file2 = opts.baseUrlFile ?? join18(homedir10(), ".olam", "anthropic-base-url");
+  const file2 = opts.baseUrlFile ?? join19(homedir11(), ".olam", "anthropic-base-url");
   let raw;
   try {
     raw = await readFile2(file2, "utf-8");
@@ -46229,7 +46302,7 @@ var WebTaskSpawnError = class extends Error {
 function resolveWebTaskRoot() {
   const fromEnv = process.env.OLAM_WEB_TASK_ROOT;
   if (fromEnv && fromEnv.length > 0) return resolvePath2(fromEnv);
-  return resolvePath2(join19(process.cwd(), ".olam", "web-tasks"));
+  return resolvePath2(join20(process.cwd(), ".olam", "web-tasks"));
 }
 function isUnderRoot2(absPath, root) {
   if (absPath === root) return true;
@@ -46292,7 +46365,7 @@ async function runWebwright(pythonPath, args, spawnEnv, timeoutMs, deps) {
   });
 }
 async function locateRunDir(outDir) {
-  if (existsSync15(join19(outDir, "trajectory.json"))) return outDir;
+  if (existsSync16(join20(outDir, "trajectory.json"))) return outDir;
   let entries = [];
   try {
     entries = await readdir(outDir);
@@ -46301,8 +46374,8 @@ async function locateRunDir(outDir) {
   }
   const candidates = [];
   for (const name of entries) {
-    const sub = join19(outDir, name);
-    if (existsSync15(join19(sub, "trajectory.json"))) candidates.push({ dir: sub });
+    const sub = join20(outDir, name);
+    if (existsSync16(join20(sub, "trajectory.json"))) candidates.push({ dir: sub });
   }
   if (candidates.length === 0) return outDir;
   candidates.sort((a, b) => a.dir < b.dir ? 1 : -1);
@@ -46315,14 +46388,14 @@ async function collectScreenshots(runDir) {
   } catch {
     return [];
   }
-  const shots = entries.filter((n) => /\.(png|jpe?g)$/i.test(n)).sort().map((n, i) => ({ step: i, path: join19(runDir, n) }));
+  const shots = entries.filter((n) => /\.(png|jpe?g)$/i.test(n)).sort().map((n, i) => ({ step: i, path: join20(runDir, n) }));
   return shots;
 }
 async function readTrajectoryFacts(runDir, stdoutTail) {
   let answer = null;
   let modelCalls = null;
   try {
-    const raw = await readFile3(join19(runDir, "trajectory.json"), "utf-8");
+    const raw = await readFile3(join20(runDir, "trajectory.json"), "utf-8");
     const parsed = JSON.parse(raw);
     answer = extractFinalAnswer(parsed);
     modelCalls = extractModelCalls(parsed);
@@ -46455,11 +46528,11 @@ async function runSpawnExecutor(spec, ctx, provision, deps = { spawn: spawn4 })
   } catch (err) {
     throw new WebTaskSpawnError("vault_base_url_missing", err.message);
   }
-  const tmpDirRoot = await mkdtemp(join19(tmpdir2(), "olam-web-task-"));
-  const modelYamlPath = join19(tmpDirRoot, "model_olam.yaml");
+  const tmpDirRoot = await mkdtemp(join20(tmpdir2(), "olam-web-task-"));
+  const modelYamlPath = join20(tmpDirRoot, "model_olam.yaml");
   await writeFile2(modelYamlPath, modelYaml.yaml, "utf-8");
   try {
-    const baseYaml = join19(provision.configDir, "base.yaml");
+    const baseYaml = join20(provision.configDir, "base.yaml");
     const args = [
       "-m",
       "webwright.run.cli",
@@ -46513,10 +46586,10 @@ ${tail}` : ""}`
       );
     }
     const runDir = await locateRunDir(absOutDir);
-    const trajectoryPath = join19(runDir, "trajectory.json");
+    const trajectoryPath = join20(runDir, "trajectory.json");
     const screenshots = await collectScreenshots(runDir);
     const facts = await readTrajectoryFacts(runDir, outcome.stdout);
-    const scriptPath = existsSync15(join19(runDir, "final_script.py")) ? join19(runDir, "final_script.py") : void 0;
+    const scriptPath = existsSync16(join20(runDir, "final_script.py")) ? join20(runDir, "final_script.py") : void 0;
     return {
       result: facts.answer,
       trajectoryPath,
@@ -50238,8 +50311,14 @@ var toolModules = [
   memory_reinforce_exports,
   cloud_dispatch_exports
 ];
-function registerAllTools(server, ctx, initError) {
+function registerAllTools(server, ctx, initError, options = {}) {
   const filterContext = getToolFilterContextFromEnv();
+  if (options.showAll) {
+    delete filterContext.deniedTools;
+  } else {
+    const denied = resolveDeniedTools();
+    if (denied.size > 0) filterContext.deniedTools = denied;
+  }
   const { server: filtered, finalize: finalize2 } = withFilteredTools(server, filterContext);
   try {
     for (const mod of toolModules) {
@@ -50596,7 +50675,8 @@ function describeParam(schema) {
     constrained: isConstrained(base)
   };
 }
-function extractToolCatalog() {
+function extractToolCatalog(opts = {}) {
+  const showAll = opts.showAll ?? true;
   const captured = [];
   const recordingServer = {
     tool(name, description, inputSchema, _handler) {
@@ -50609,7 +50689,12 @@ function extractToolCatalog() {
       captured.push({ name, description: description ?? "", params });
     }
   };
-  registerAllTools(recordingServer, void 0, void 0);
+  registerAllTools(
+    recordingServer,
+    void 0,
+    void 0,
+    { showAll }
+  );
   return [...captured].sort((a, b) => a.name.localeCompare(b.name));
 }
 
@@ -50637,7 +50722,7 @@ function buildToolsCatalogPayload(catalog) {
   };
 }
 function createToolsCatalogResource(deps = {}) {
-  const extract = deps.extract ?? extractToolCatalog;
+  const extract = deps.extract ?? (() => extractToolCatalog({ showAll: false }));
   let cachedPayload = null;
   return {
     name: "olam-tools",
@@ -52269,8 +52354,8 @@ import * as fs51 from "node:fs";
 import * as path50 from "node:path";
 
 // ../core/dist/kg/storage-paths.js
-import { homedir as homedir26 } from "node:os";
-import { join as join53, resolve as resolve11 } from "node:path";
+import { homedir as homedir27 } from "node:os";
+import { join as join54, resolve as resolve11 } from "node:path";
 
 // ../core/dist/world/workspace-name.js
 var InvalidWorkspaceNameError = class extends Error {
@@ -52291,13 +52376,13 @@ function validateWorkspaceName(name) {
 
 // ../core/dist/kg/storage-paths.js
 function olamHome3() {
-  return process.env.OLAM_HOME ?? join53(homedir26(), ".olam");
+  return process.env.OLAM_HOME ?? join54(homedir27(), ".olam");
 }
 function kgRoot() {
-  return join53(olamHome3(), "kg");
+  return join54(olamHome3(), "kg");
 }
 function worldsRoot() {
-  return join53(olamHome3(), "worlds");
+  return join54(olamHome3(), "worlds");
 }
 function assertWithinPrefix(path62, prefix, label) {
   if (!path62.startsWith(prefix + "/")) {
@@ -52307,7 +52392,7 @@ function assertWithinPrefix(path62, prefix, label) {
 function kgPristinePath(workspace) {
   validateWorkspaceName(workspace);
   const root = kgRoot();
-  const path62 = resolve11(join53(root, workspace));
+  const path62 = resolve11(join54(root, workspace));
   assertWithinPrefix(path62, root, "kgPristinePath");
   return path62;
 }
@@ -52408,8 +52493,8 @@ import * as fs52 from "node:fs";
 import * as os26 from "node:os";
 import * as path51 from "node:path";
 var DEFAULT_MAX_BUFFER_BYTES = 50 * 1024 * 1024;
-function expandHome2(p, homedir33) {
-  return p.replace(/^~(?=$|\/|\\)/, homedir33());
+function expandHome2(p, homedir34) {
+  return p.replace(/^~(?=$|\/|\\)/, homedir34());
 }
 function sanitizeRepoFilename(name) {
   const sanitized = name.replace(/[^A-Za-z0-9._-]/g, "_");
@@ -52432,7 +52517,7 @@ ${stderr}`;
 }
 function snapshotBaselineDiff(repos, workspacePath, deps = {}) {
   const exec = deps.exec ?? ((cmd, args, opts) => execFileSync7(cmd, args, opts));
-  const homedir33 = deps.homedir ?? (() => os26.homedir());
+  const homedir34 = deps.homedir ?? (() => os26.homedir());
   const baselineDir = path51.join(workspacePath, ".olam", "baseline");
   try {
     fs52.mkdirSync(baselineDir, { recursive: true });
@@ -52448,7 +52533,7 @@ function snapshotBaselineDiff(repos, workspacePath, deps = {}) {
       continue;
     const filename = `${sanitizeRepoFilename(repo.name)}.diff`;
     const outPath = path51.join(baselineDir, filename);
-    const repoPath = expandHome2(repo.path, homedir33);
+    const repoPath = expandHome2(repo.path, homedir34);
     if (!fs52.existsSync(repoPath)) {
       writeBaselineFile(outPath, `# repo: ${repo.name}
 # (skipped: path ${repoPath} does not exist)
@@ -52584,8 +52669,8 @@ function extractStderr(err) {
 }
 function carryUncommittedEdits(repos, workspacePath, deps = {}) {
   const exec = deps.exec ?? ((cmd, args, opts) => execFileSync7(cmd, args, opts));
-  const homedir33 = deps.homedir ?? (() => os26.homedir());
-  const existsSync61 = deps.existsSync ?? ((p) => fs52.existsSync(p));
+  const homedir34 = deps.homedir ?? (() => os26.homedir());
+  const existsSync62 = deps.existsSync ?? ((p) => fs52.existsSync(p));
   const copyFileSync10 = deps.copyFileSync ?? ((src, dest) => fs52.copyFileSync(src, dest));
   const mkdirSync34 = deps.mkdirSync ?? ((dirPath, opts) => {
     fs52.mkdirSync(dirPath, opts);
@@ -52594,11 +52679,11 @@ function carryUncommittedEdits(repos, workspacePath, deps = {}) {
   for (const repo of repos) {
     if (!repo.path)
       continue;
-    const repoPath = expandHome2(repo.path, homedir33);
+    const repoPath = expandHome2(repo.path, homedir34);
     const worktreePath = path51.join(workspacePath, repo.name);
-    if (!existsSync61(repoPath))
+    if (!existsSync62(repoPath))
       continue;
-    if (!existsSync61(worktreePath)) {
+    if (!existsSync62(worktreePath)) {
       console.warn(`[carry] ${repo.name}: world worktree ${worktreePath} missing; skipping carry for this repo`);
       continue;
     }
@@ -52658,7 +52743,7 @@ function carryUncommittedEdits(repos, workspacePath, deps = {}) {
     for (const rel of plan.diff.untracked) {
       const src = path51.join(plan.repoPath, rel);
       const dest = path51.join(plan.worktreePath, rel);
-      if (!existsSync61(src))
+      if (!existsSync62(src))
         continue;
       try {
         mkdirSync34(path51.dirname(dest), { recursive: true });
@@ -53917,14 +54002,14 @@ function enrichReposWithManifests(repos, workspacePath) {
 // ../core/dist/policies/loader.js
 import * as fs55 from "node:fs";
 import * as path55 from "node:path";
-import { parse as parseYaml5 } from "yaml";
+import { parse as parseYaml6 } from "yaml";
 function parseFrontmatter2(content) {
   const match = /^---\r?\n([\s\S]*?)\r?\n---\r?\n([\s\S]*)$/m.exec(content);
   if (!match)
     return null;
   const [, yamlText = "", body = ""] = match;
   try {
-    const frontmatter = parseYaml5(yamlText);
+    const frontmatter = parseYaml6(yamlText);
     return { frontmatter, body };
   } catch {
     return null;
@@ -57385,8 +57470,8 @@ var PleriClient = class {
 };
 
 // ../mcp-server/src/env-loader.ts
-import { readFileSync as readFileSync47, existsSync as existsSync60, statSync as statSync16 } from "node:fs";
-import { join as join65, dirname as dirname31, resolve as resolve15 } from "node:path";
+import { readFileSync as readFileSync48, existsSync as existsSync61, statSync as statSync16 } from "node:fs";
+import { join as join66, dirname as dirname31, resolve as resolve15 } from "node:path";
 var PROJECT_MARKERS = [
   ".olam/config.yaml",
   ".olam/config.yml",
@@ -57398,12 +57483,12 @@ function findProjectRoot2(startDir) {
   const root = resolve15("/");
   while (true) {
     for (const marker of PROJECT_MARKERS) {
-      if (existsSync60(join65(dir, marker))) return dir;
+      if (existsSync61(join66(dir, marker))) return dir;
     }
-    const pkg = join65(dir, "package.json");
-    if (existsSync60(pkg)) {
+    const pkg = join66(dir, "package.json");
+    if (existsSync61(pkg)) {
       try {
-        const json2 = JSON.parse(readFileSync47(pkg, "utf8"));
+        const json2 = JSON.parse(readFileSync48(pkg, "utf8"));
         const isOlamWorkspace = typeof json2.name === "string" && json2.name.startsWith("@olam/");
         const hasOlamDep = json2.dependencies && Object.keys(json2.dependencies).some((k) => k.startsWith("@olam/")) || json2.devDependencies && Object.keys(json2.devDependencies).some((k) => k.startsWith("@olam/"));
         if (isOlamWorkspace || hasOlamDep) return dir;
@@ -57417,7 +57502,7 @@ function findProjectRoot2(startDir) {
 }
 function parseEnvFile(path62) {
   const out = {};
-  const raw = readFileSync47(path62, "utf8");
+  const raw = readFileSync48(path62, "utf8");
   for (const line of raw.split(/\r?\n/)) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
@@ -57440,8 +57525,8 @@ function loadProjectEnv(startDir = process.cwd()) {
   const filesRead = [];
   const merged = {};
   for (const name of [".env", ".env.local"]) {
-    const p = join65(root, name);
-    if (existsSync60(p) && statSync16(p).isFile()) {
+    const p = join66(root, name);
+    if (existsSync61(p) && statSync16(p).isFile()) {
       Object.assign(merged, parseEnvFile(p));
       filesRead.push(p);
     }

package/hermes-bundle/version.json

@@ -1,4 +1,4 @@
 {
-  "bundledAt": "2026-06-03T07:06:37.421Z",
+  "bundledAt": "2026-06-03T07:50:57.230Z",
   "kgFirstSha": "29a9ccce1b115d049e375c4a90eb5cf7c123e610e2d0590270a4db2cdbc64a28"
 }

package/host-cp/k8s/manifests/50-deployment.yaml

@@ -118,7 +118,7 @@ spec:
         # k3d), started by `olam upgrade` Step 0.7 — not inside this Pod.
       containers:
         - name: olam-host-cp
-          image: ghcr.io/pleri/olam-host-cp@sha256:5d8726cbe667359e64d2abe53150c80c870a2d71960c2f41833a3c8719abee12
+          image: ghcr.io/pleri/olam-host-cp@sha256:1818b62ee1475cf42f8d55c3ba3cbda9c27b799dc99abcff6c63f02d54574893
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/auth-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-auth-service
-          image: ghcr.io/pleri/olam-auth@sha256:90c00c3d75cc697539a0d6663fdf30d67fac787171ff1c53a3c1fa1755fcecb3
+          image: ghcr.io/pleri/olam-auth@sha256:7a206b619cd92d39b2550a09e270e9999a6c0b1a70e391e72b46c2cfbbf0be9c
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/kg-service/50-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-kg-service
-          image: ghcr.io/pleri/olam-kg-service@sha256:829de080754fe0728b0c0368b6083a6679baff33745dd81c68fadc4ccea7bf7d
+          image: ghcr.io/pleri/olam-kg-service@sha256:b74d2099752a0299317c95feab19893764a291db375c4ce0fd96d06691defb9f
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml

@@ -68,7 +68,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-mcp-auth-service
-          image: ghcr.io/pleri/olam-mcp-auth@sha256:c7041e093e23acdad36eb2a611e66e925061b79e41a5b8a3be28bba57d6624c5
+          image: ghcr.io/pleri/olam-mcp-auth@sha256:9e1b11d9a67005a1a3c65f63b5c4c94d311a35f6b424e576d63bba82290f86cf
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/memory-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
           # bootstrap-placeholder comment + run `npm run refresh:manifest-digests`
           # once ghcr.io/pleri/olam-memory-service has a real published digest.
           # bootstrap-placeholder: pre-publish; refresh after first release
-          image: ghcr.io/pleri/olam-memory-service@sha256:2b40d835b807fa49316a9db0215ee4ac6b36e2403c8170cfb4a70067115ad292
+          image: ghcr.io/pleri/olam-memory-service@sha256:847d97e6970158f5037821c5664836a1781949750ce69caab08128e1c9c6a157
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/src/server.mjs

@@ -3308,8 +3308,14 @@ const server = http.createServer(instrumentHandler('host-cp', async (req, res) =
       // binding hops (plan-DO) because those bypass the CF Access edge; a CF
       // Access app in front of plan-DO would still not receive service-binding
       // traffic. See docs/runbooks/cf-access-service-token.md.
+      // Phase B (cloud-plan-execute-split): a `mode: 'plan'` dispatch routes to
+      // plan-DO's /v1/plan endpoint (the light Sandbox pool, no-push planning
+      // role) instead of /v1/dispatch (the execute/world path). Any other value
+      // (incl. absent) keeps the existing /v1/dispatch route — zero behaviour
+      // change for execute dispatches. The SPA opts in by setting body.mode.
+      const dispatchPath = parsed.mode === 'plan' ? '/v1/plan' : '/v1/dispatch';
       const upstream = await fetch(
-        `${cloudUrl.replace(/\/+$/, '')}/v1/dispatch?plan_id=${encodeURIComponent(planId)}`,
+        `${cloudUrl.replace(/\/+$/, '')}${dispatchPath}?plan_id=${encodeURIComponent(planId)}`,
         {
           method: 'POST',
           headers: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pleri/olam-cli",
-  "version": "0.1.210",
+  "version": "0.1.212",
   "type": "module",
   "bin": {
     "olam": "./bin/olam.cjs"