@pleri/olam-cli 0.1.55 → 0.1.57

package/dist/commands/services.js

@@ -0,0 +1,220 @@
+/**
+ * `olam services` — umbrella verb for managing Olam service containers.
+ *
+ * Subcommands:
+ *   olam services up     — start olam-auth + olam-mcp-auth (idempotent)
+ *   olam services down   — stop both containers
+ *   olam services status — show state of both containers
+ *
+ * `olam auth up/down/status` delegates here with a deprecation warning.
+ */
+import { execFileSync, spawnSync } from 'node:child_process';
+import pc from 'picocolors';
+import { AuthContainerController } from '@olam/core/src/auth/index.js';
+import { printError, printHeader, printInfo, printSuccess, printWarning } from '../output.js';
+// ── McpAuthContainerController ────────────────────────────────────
+//
+// Mirrors AuthContainerController (packages/core/src/auth/container.ts).
+// mcp-auth-service is not a @olam/core package, so the controller lives
+// here in the CLI layer.
+const MCP_AUTH_PORT = 9998;
+const MCP_AUTH_VOLUME = 'olam-mcp-auth-data';
+const MCP_AUTH_CONTAINER = 'olam-mcp-auth';
+const MCP_AUTH_LOCAL_TAG = 'olam-mcp-auth:local';
+const MCP_AUTH_PUBLISHED_TAG = 'ghcr.io/pleri/olam-mcp-auth:latest';
+const MCP_AUTH_HEALTH_URL = `http://127.0.0.1:${MCP_AUTH_PORT}/health`;
+const MCP_AUTH_HEALTH_TIMEOUT_MS = 15_000;
+export class McpAuthContainerController {
+    imageTag = MCP_AUTH_LOCAL_TAG;
+    status() {
+        const r = spawnSync('docker', ['inspect', '--format', '{{.State.Status}}|{{.Id}}', MCP_AUTH_CONTAINER], { encoding: 'utf-8' });
+        if (r.status === 0) {
+            const [stateRaw, id] = r.stdout.trim().split('|');
+            return {
+                state: stateRaw === 'running' ? 'running' : 'stopped',
+                port: MCP_AUTH_PORT,
+                containerId: id,
+            };
+        }
+        return { state: 'missing', port: MCP_AUTH_PORT };
+    }
+    imageExists(tag = this.imageTag) {
+        return spawnSync('docker', ['image', 'inspect', tag], { encoding: 'utf-8' }).status === 0;
+    }
+    start() {
+        const current = this.status();
+        if (current.state === 'running')
+            return;
+        if (current.state === 'stopped') {
+            execFileSync('docker', ['start', MCP_AUTH_CONTAINER], { stdio: 'pipe' });
+            return;
+        }
+        if (!this.imageExists()) {
+            if (this.imageTag !== MCP_AUTH_PUBLISHED_TAG && this.imageExists(MCP_AUTH_PUBLISHED_TAG)) {
+                this.imageTag = MCP_AUTH_PUBLISHED_TAG;
+            }
+            else {
+                throw new Error(`mcp-auth image '${this.imageTag}' not found locally. ` +
+                    'Run `olam bootstrap` to pull the published image.');
+            }
+        }
+        execFileSync('docker', [
+            'run',
+            '--detach',
+            '--name', MCP_AUTH_CONTAINER,
+            '--restart', 'unless-stopped',
+            '--publish', `${MCP_AUTH_PORT}:${MCP_AUTH_PORT}`,
+            '--volume', `${MCP_AUTH_VOLUME}:/mcp-auth-data`,
+            this.imageTag,
+        ], { stdio: 'pipe' });
+    }
+    stop() {
+        const current = this.status();
+        if (current.state !== 'running')
+            return;
+        execFileSync('docker', ['stop', MCP_AUTH_CONTAINER], { stdio: 'pipe' });
+    }
+    remove() {
+        spawnSync('docker', ['rm', '-f', MCP_AUTH_CONTAINER], { stdio: 'pipe' });
+    }
+    async waitForReady(timeoutMs = MCP_AUTH_HEALTH_TIMEOUT_MS) {
+        const deadline = Date.now() + timeoutMs;
+        while (Date.now() < deadline) {
+            try {
+                const res = await fetch(MCP_AUTH_HEALTH_URL, { signal: AbortSignal.timeout(1_500) });
+                if (res.ok)
+                    return true;
+            }
+            catch {
+                // not ready yet
+            }
+            await sleep(500);
+        }
+        return false;
+    }
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+// ── Services orchestration ────────────────────────────────────────
+/** Start both auth containers, idempotent. */
+export async function servicesUp() {
+    const auth = new AuthContainerController();
+    const mcpAuth = new McpAuthContainerController();
+    // Start olam-auth
+    const authStatus = auth.status();
+    if (authStatus.state === 'running') {
+        printSuccess(`olam-auth already running on :${authStatus.port}`);
+    }
+    else {
+        try {
+            auth.start();
+        }
+        catch (err) {
+            printError(`olam-auth failed to start: ${err instanceof Error ? err.message : String(err)}`);
+            return { exitCode: 1 };
+        }
+        const ready = await auth.waitForReady(15_000);
+        if (!ready) {
+            printWarning('olam-auth started but /health did not respond within 15s.');
+            return { exitCode: 1 };
+        }
+        printSuccess('olam-auth started');
+    }
+    // Start olam-mcp-auth
+    const mcpStatus = mcpAuth.status();
+    if (mcpStatus.state === 'running') {
+        printSuccess(`olam-mcp-auth already running on :${mcpStatus.port}`);
+    }
+    else {
+        try {
+            mcpAuth.start();
+        }
+        catch (err) {
+            printError(`olam-mcp-auth failed to start: ${err instanceof Error ? err.message : String(err)}`);
+            return { exitCode: 1 };
+        }
+        const ready = await mcpAuth.waitForReady();
+        if (!ready) {
+            printWarning('olam-mcp-auth started but /health did not respond within 15s.');
+            return { exitCode: 1 };
+        }
+        printSuccess('olam-mcp-auth started');
+    }
+    printHeader('Services up');
+    printInfo('olam-auth', ':9999');
+    printInfo('olam-mcp-auth', ':9998');
+    return { exitCode: 0 };
+}
+/** Stop both auth containers. */
+export function servicesDown() {
+    const auth = new AuthContainerController();
+    const mcpAuth = new McpAuthContainerController();
+    let exitCode = 0;
+    try {
+        auth.stop();
+        printSuccess('olam-auth stopped.');
+    }
+    catch (err) {
+        printError(`olam-auth: ${err instanceof Error ? err.message : String(err)}`);
+        exitCode = 1;
+    }
+    try {
+        mcpAuth.stop();
+        printSuccess('olam-mcp-auth stopped.');
+    }
+    catch (err) {
+        printError(`olam-mcp-auth: ${err instanceof Error ? err.message : String(err)}`);
+        exitCode = 1;
+    }
+    return { exitCode };
+}
+/** Show container state for both services. */
+export function servicesStatus() {
+    const auth = new AuthContainerController();
+    const mcpAuth = new McpAuthContainerController();
+    printHeader('Services status');
+    const authState = auth.status();
+    const authStateStr = authState.state === 'running'
+        ? pc.green('running')
+        : authState.state === 'stopped'
+            ? pc.yellow('stopped')
+            : pc.red('missing');
+    printInfo('olam-auth', `${authStateStr}  :${authState.port}`);
+    const mcpState = mcpAuth.status();
+    const mcpStateStr = mcpState.state === 'running'
+        ? pc.green('running')
+        : mcpState.state === 'stopped'
+            ? pc.yellow('stopped')
+            : pc.red('missing');
+    printInfo('olam-mcp-auth', `${mcpStateStr}  :${mcpState.port}`);
+}
+// ── Commander registration ────────────────────────────────────────
+export function registerServices(program) {
+    const services = program
+        .command('services')
+        .description('Manage Olam service containers (olam-auth, olam-mcp-auth)');
+    services
+        .command('up')
+        .description('Start all service containers (idempotent)')
+        .action(async () => {
+        const result = await servicesUp();
+        if (result.exitCode !== 0)
+            process.exitCode = result.exitCode;
+    });
+    services
+        .command('down')
+        .description('Stop all service containers')
+        .action(() => {
+        const result = servicesDown();
+        if (result.exitCode !== 0)
+            process.exitCode = result.exitCode;
+    });
+    services
+        .command('status')
+        .description('Show state of all service containers')
+        .action(() => {
+        servicesStatus();
+    });
+}
+//# sourceMappingURL=services.js.map

package/dist/commands/services.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"services.js","sourceRoot":"","sources":["../../src/commands/services.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE9F,qEAAqE;AACrE,EAAE;AACF,yEAAyE;AACzE,wEAAwE;AACxE,yBAAyB;AAEzB,MAAM,aAAa,GAAG,IAAI,CAAC;AAC3B,MAAM,eAAe,GAAG,oBAAoB,CAAC;AAC7C,MAAM,kBAAkB,GAAG,eAAe,CAAC;AAC3C,MAAM,kBAAkB,GAAG,qBAAqB,CAAC;AACjD,MAAM,sBAAsB,GAAG,oCAAoC,CAAC;AACpE,MAAM,mBAAmB,GAAG,oBAAoB,aAAa,SAAS,CAAC;AACvE,MAAM,0BAA0B,GAAG,MAAM,CAAC;AAU1C,MAAM,OAAO,0BAA0B;IAC7B,QAAQ,GAAW,kBAAkB,CAAC;IAE9C,MAAM;QACJ,MAAM,CAAC,GAAG,SAAS,CACjB,QAAQ,EACR,CAAC,SAAS,EAAE,UAAU,EAAE,2BAA2B,EAAE,kBAAkB,CAAC,EACxE,EAAE,QAAQ,EAAE,OAAO,EAAE,CACtB,CAAC;QACF,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnB,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;gBACrD,IAAI,EAAE,aAAa;gBACnB,WAAW,EAAE,EAAE;aAChB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;IACnD,CAAC;IAEO,WAAW,CAAC,GAAG,GAAG,IAAI,CAAC,QAAQ;QACrC,OAAO,SAAS,CAAC,QAAQ,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,GAAG,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IAC5F,CAAC;IAED,KAAK;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC9B,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS;YAAE,OAAO;QACxC,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAChC,YAAY,CAAC,QAAQ,EAAE,CAAC,OAAO,EAAE,kBAAkB,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YACzE,OAAO;QACT,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,IAAI,IAAI,CAAC,QAAQ,KAAK,sBAAsB,IAAI,IAAI,CAAC,WAAW,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBACzF,IAAI,CAAC,QAAQ,GAAG,sBAAsB,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,KAAK,CACb,mBAAmB,IAAI,CAAC,QAAQ,uBAAuB;oBACrD,mDAAmD,CACtD,CAAC;YACJ,CAAC;QACH,CAAC;QACD,YAAY,CACV,QAAQ,EACR;YACE,KAAK;YACL,UAAU;YACV,QAAQ,EAAE,kBAAkB;YAC5B,WAAW,EAAE,gBAAgB;YAC7B,WAAW,EAAE,GAAG,aAAa,IAAI,aAAa,EAAE;YAChD,UAAU,EAAE,GAAG,eAAe,iBAAiB;YAC/C,IAAI,CAAC,QAAQ;SACd,EACD,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAC;IACJ,CAAC;IAED,IAAI;QACF,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC9B,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS;YAAE,OAAO;QACxC,YAAY,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,kBAAkB,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM;QACJ,SAAS,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,kBAAkB,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,SAAS,GAAG,0BAA0B;QACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QACxC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,mBAAmB,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBACrF,IAAI,GAAG,CAAC,EAAE;oBAAE,OAAO,IAAI,CAAC;YAC1B,CAAC;YAAC,MAAM,CAAC;gBACP,gBAAgB;YAClB,CAAC;YACD,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,qEAAqE;AAErE,8CAA8C;AAC9C,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,MAAM,IAAI,GAAG,IAAI,uBAAuB,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,IAAI,0BAA0B,EAAE,CAAC;IAEjD,kBAAkB;IAClB,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;IACjC,IAAI,UAAU,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QACnC,YAAY,CAAC,iCAAiC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,UAAU,CAAC,8BAA8B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC7F,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QACzB,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAC9C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,YAAY,CAAC,2DAA2D,CAAC,CAAC;YAC1E,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QACzB,CAAC;QACD,YAAY,CAAC,mBAAmB,CAAC,CAAC;IACpC,CAAC;IAED,sBAAsB;IACtB,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IACnC,IAAI,SAAS,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAClC,YAAY,CAAC,qCAAqC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;IACtE,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,UAAU,CAAC,kCAAkC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACjG,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QACzB,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,YAAY,EAAE,CAAC;QAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,YAAY,CAAC,+DAA+D,CAAC,CAAC;YAC9E,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QACzB,CAAC;QACD,YAAY,CAAC,uBAAuB,CAAC,CAAC;IACxC,CAAC;IAED,WAAW,CAAC,aAAa,CAAC,CAAC;IAC3B,SAAS,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAChC,SAAS,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;IACpC,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;AACzB,CAAC;AAED,iCAAiC;AACjC,MAAM,UAAU,YAAY;IAC1B,MAAM,IAAI,GAAG,IAAI,uBAAuB,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,IAAI,0BAA0B,EAAE,CAAC;IACjD,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,IAAI,CAAC;QACH,IAAI,CAAC,IAAI,EAAE,CAAC;QACZ,YAAY,CAAC,oBAAoB,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,UAAU,CAAC,cAAc,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC7E,QAAQ,GAAG,CAAC,CAAC;IACf,CAAC;IAED,IAAI,CAAC;QACH,OAAO,CAAC,IAAI,EAAE,CAAC;QACf,YAAY,CAAC,wBAAwB,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,UAAU,CAAC,kBAAkB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjF,QAAQ,GAAG,CAAC,CAAC;IACf,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,cAAc;IAC5B,MAAM,IAAI,GAAG,IAAI,uBAAuB,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,IAAI,0BAA0B,EAAE,CAAC;IAEjD,WAAW,CAAC,iBAAiB,CAAC,CAAC;IAE/B,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;IAChC,MAAM,YAAY,GAChB,SAAS,CAAC,KAAK,KAAK,SAAS;QAC3B,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC;QACrB,CAAC,CAAC,SAAS,CAAC,KAAK,KAAK,SAAS;YAC7B,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC;YACtB,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC1B,SAAS,CAAC,WAAW,EAAE,GAAG,YAAY,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;IAE9D,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAClC,MAAM,WAAW,GACf,QAAQ,CAAC,KAAK,KAAK,SAAS;QAC1B,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC;QACrB,CAAC,CAAC,QAAQ,CAAC,KAAK,KAAK,SAAS;YAC5B,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC;YACtB,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC1B,SAAS,CAAC,eAAe,EAAE,GAAG,WAAW,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;AAClE,CAAC;AAED,qEAAqE;AAErE,MAAM,UAAU,gBAAgB,CAAC,OAAgB;IAC/C,MAAM,QAAQ,GAAG,OAAO;SACrB,OAAO,CAAC,UAAU,CAAC;SACnB,WAAW,CAAC,2DAA2D,CAAC,CAAC;IAE5E,QAAQ;SACL,OAAO,CAAC,IAAI,CAAC;SACb,WAAW,CAAC,2CAA2C,CAAC;SACxD,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;QAClC,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC;YAAE,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChE,CAAC,CAAC,CAAC;IAEL,QAAQ;SACL,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,6BAA6B,CAAC;SAC1C,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;QAC9B,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC;YAAE,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChE,CAAC,CAAC,CAAC;IAEL,QAAQ;SACL,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,sCAAsC,CAAC;SACnD,MAAM,CAAC,GAAG,EAAE;QACX,cAAc,EAAE,CAAC;IACnB,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/upgrade.d.ts

@@ -144,18 +144,6 @@ export interface SmokeResult {
     readonly bakedSha: string | null;
     readonly error?: string;
 }
-/**
- * Run docker create + docker inspect for a single image.
- *
- * Returns ok=true when:
- *   - `docker create <image>` exits 0 (image manifest valid, layers downloadable).
- *   - `docker inspect <image> --format '{{index .Config.Labels "olam.build.sha"}}'`
- *     returns the expected `targetSha`.
- *
- * The container created by `docker create` is removed via `docker rm` even on
- * failure paths (best-effort cleanup; orphans are harmless and pruned by the
- * daemon's GC eventually).
- */
 export declare function smokeImage(image: string, targetSha: string): SmokeResult;
 /**
  * Per-image swap mapping (Phase 2a — A6).
@@ -383,6 +371,17 @@ export interface UpgradePullDeps {
         ok: boolean;
         error?: string;
     }>;
+    /**
+     * mcp-auth-service recreate driver. Default: stop + rm + start the
+     * mcp-auth container. Only invoked when the mcp-auth digest is present
+     * in the digests manifest — older tarballs without the entry skip this
+     * step entirely (tracker test "exits 0 and skips mcp-auth recreate when
+     * digest absent"). Tests inject a stub.
+     */
+    readonly recreateMcpAuth?: () => Promise<{
+        ok: boolean;
+        error?: string;
+    }>;
     /**
      * Path to packages/host-cp/compose.yaml. Defaults to findComposeFile()
      * (bundled path first, then monorepo cwd fallbacks).

package/dist/commands/upgrade.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"upgrade.d.ts","sourceRoot":"","sources":["../../src/commands/upgrade.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAYzC,OAAO,EAIL,KAAK,UAAU,EACf,KAAK,YAAY,EAClB,MAAM,gBAAgB,CAAC;AAaxB,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,2EAA2E;IAC3E,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,iEAAiE;IACjE,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,yEAAyE;IACzE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,yEAAyE;IACzE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,yDAAyD;IACzD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;;OAKG;IACH,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;CAC9B;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAaxD;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE;IAAE,WAAW,EAAE,OAAO,CAAA;CAAE,EAC9B,GAAG,EAAE,MAAM,GACV;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,IAAI,EAAE,KAAK,CAAA;CAAE,CAQlD;AAED,+CAA+C;AAC/C,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAWzF;AAED,6DAA6D;AAC7D,wBAAgB,gBAAgB,CAAC,GAAG,EAAE;IACpC,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB,GAAG,WAAW,CAqBd;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAGlE;AAuDD;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAWzD;AAED,qEAAqE;AACrE,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEjD;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAUhD;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,aAAa,CAAC,QAAQ,CAAC,GAAG,MAAM,GAAG,IAAI,CAInF;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,WAAW,CAgExE;AAED;;;;;;GAMG;AACH,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,eAAO,MAAM,oBAAoB,EAAE,aAAa,CAAC,QAAQ,CAIxD,CAAC;AAEF,0CAA0C;AAC1C,UAAU,eAAe;IACvB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;GASG;AACH,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,eAAe,CAiBvE;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,kGAAkG;IAClG,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC,8EAA8E;IAC9E,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IAC9C,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,aAAa,CAAC,QAAQ,CAAC,GAAG,UAAU,CA2E3E;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,aAAa,CAAC,QAAQ,CAAC,GAAG;IAClE,EAAE,EAAE,OAAO,CAAC;IACZ,OAAO,EAAE,aAAa,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACvE,OAAO,EAAE,MAAM,CAAC;CACjB,CAeA;AA8BD;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,MAAM,EAAE;QAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAA;KAAE,CAAC;IAC3G,QAAQ,CAAC,WAAW,EAAE;QAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAA;KAAE,CAAC;IAChH,QAAQ,CAAC,MAAM,EAAE;QAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAA;KAAE,CAAC;IAC3G,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,mBAAmB,CACvC,SAAS,EAAE,MAAM,EACjB,SAAS,SAAS,EAClB,cAAc,SAAQ,GACrB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,eAAe,GAAG,IAAI,CAAA;CAAE,CAAC,CAyBjE;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CACnC,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,eAAe,GAAG,IAAI,GAC/B,MAAM,CAYR;AAoGD;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,MAAM,CAAC,EAAE,UAAU,CAAC;IAC7B,QAAQ,CAAC,OAAO,CAAC,EAAE,YAAY,CAAC;IAChC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,CACxB,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAC7B;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACrD;;;OAGG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,OAAO,CAAC;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACvE;;;;OAIG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,6DAA6D;IAC7D,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC;;;;OAIG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,KAAK;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAClF;AAED,wBAAsB,sBAAsB,CAC1C,IAAI,GAAE,eAAoB,GACzB,OAAO,CAAC,iBAAiB,CAAC,CA4K5B;AAorBD,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAuFtD"}
+{"version":3,"file":"upgrade.d.ts","sourceRoot":"","sources":["../../src/commands/upgrade.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAYzC,OAAO,EAIL,KAAK,UAAU,EACf,KAAK,YAAY,EAClB,MAAM,gBAAgB,CAAC;AAaxB,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,2EAA2E;IAC3E,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,iEAAiE;IACjE,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,yEAAyE;IACzE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,yEAAyE;IACzE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,yDAAyD;IACzD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;;OAKG;IACH,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;CAC9B;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAaxD;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE;IAAE,WAAW,EAAE,OAAO,CAAA;CAAE,EAC9B,GAAG,EAAE,MAAM,GACV;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,IAAI,EAAE,KAAK,CAAA;CAAE,CAQlD;AAED,+CAA+C;AAC/C,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAWzF;AAED,6DAA6D;AAC7D,wBAAgB,gBAAgB,CAAC,GAAG,EAAE;IACpC,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB,GAAG,WAAW,CAqBd;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAGlE;AAuDD;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAWzD;AAED,qEAAqE;AACrE,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEjD;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAUhD;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,aAAa,CAAC,QAAQ,CAAC,GAAG,MAAM,GAAG,IAAI,CAInF;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAuBD,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,WAAW,CAmExE;AAED;;;;;;GAMG;AACH,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,eAAO,MAAM,oBAAoB,EAAE,aAAa,CAAC,QAAQ,CAIxD,CAAC;AAEF,0CAA0C;AAC1C,UAAU,eAAe;IACvB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;GASG;AACH,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,eAAe,CAiBvE;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,kGAAkG;IAClG,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC,8EAA8E;IAC9E,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IAC9C,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,aAAa,CAAC,QAAQ,CAAC,GAAG,UAAU,CA2E3E;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,aAAa,CAAC,QAAQ,CAAC,GAAG;IAClE,EAAE,EAAE,OAAO,CAAC;IACZ,OAAO,EAAE,aAAa,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACvE,OAAO,EAAE,MAAM,CAAC;CACjB,CAeA;AA8BD;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,MAAM,EAAE;QAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAA;KAAE,CAAC;IAC3G,QAAQ,CAAC,WAAW,EAAE;QAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAA;KAAE,CAAC;IAChH,QAAQ,CAAC,MAAM,EAAE;QAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAA;KAAE,CAAC;IAC3G,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,mBAAmB,CACvC,SAAS,EAAE,MAAM,EACjB,SAAS,SAAS,EAClB,cAAc,SAAQ,GACrB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,eAAe,GAAG,IAAI,CAAA;CAAE,CAAC,CAyBjE;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CACnC,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,eAAe,GAAG,IAAI,GAC/B,MAAM,CAYR;AAoGD;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,MAAM,CAAC,EAAE,UAAU,CAAC;IAC7B,QAAQ,CAAC,OAAO,CAAC,EAAE,YAAY,CAAC;IAChC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,CACxB,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAC7B;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACrD;;;OAGG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,OAAO,CAAC;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACvE;;;;;;OAMG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,OAAO,CAAC;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC1E;;;;OAIG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,6DAA6D;IAC7D,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC;;;;OAIG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,KAAK;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAClF;AAED,wBAAsB,sBAAsB,CAC1C,IAAI,GAAE,eAAoB,GACzB,OAAO,CAAC,iBAAiB,CAAC,CAgN5B;AAstBD,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAuFtD"}

package/dist/commands/upgrade.js

@@ -221,11 +221,20 @@ export function checkRollbackSetExists(plan) {
  * failure paths (best-effort cleanup; orphans are harmless and pruned by the
  * daemon's GC eventually).
  */
+// Cap each docker shellout. The smoke path expects the image to already
+// be present locally (post-pull), so docker create / inspect / rm are
+// sub-second on the happy path. The cap protects two real-world hangs:
+// (1) a wedged dockerd not responding, and (2) a missing image where
+// docker tries to pull from Docker Hub and the registry's 404 is slow
+// enough to blow vitest's default test budget. 30s is generous for the
+// happy path and bounded enough for production callers.
+const SMOKE_DOCKER_TIMEOUT_MS = 30_000;
 export function smokeImage(image, targetSha) {
     // 1. docker create — allocates the container; doesn't start the entrypoint.
     const createResult = spawnSync('docker', ['create', '--name', `olam-smoke-${Date.now()}`, image], {
         encoding: 'utf-8',
         stdio: ['ignore', 'pipe', 'pipe'],
+        timeout: SMOKE_DOCKER_TIMEOUT_MS,
     });
     if (createResult.status !== 0) {
         return {
@@ -240,12 +249,14 @@ export function smokeImage(image, targetSha) {
     const inspectResult = spawnSync('docker', ['inspect', '--format', '{{index .Config.Labels "olam.build.sha"}}', image], {
         encoding: 'utf-8',
         stdio: ['ignore', 'pipe', 'pipe'],
+        timeout: SMOKE_DOCKER_TIMEOUT_MS,
     });
     // 3. Cleanup — best-effort; ignore exit code.
     if (containerId.length > 0) {
         spawnSync('docker', ['rm', '-f', containerId], {
             encoding: 'utf-8',
             stdio: ['ignore', 'ignore', 'ignore'],
+            timeout: SMOKE_DOCKER_TIMEOUT_MS,
         });
     }
     if (inspectResult.status !== 0) {
@@ -658,13 +669,23 @@ export async function runUpgradePullByDigest(deps = {}) {
         return { exitCode: EXIT_GENERIC_ERROR, summary: 'docker daemon not reachable' };
     }
     infoSpinner.succeed('docker daemon reachable');
-    // Step 2 — parallel pull all 3 images by digest.
-    const imageRefs = [
+    // Step 2 — parallel pull images by digest. mcp-auth is conditional on
+    // the digest being present in the manifest (older tarballs don't have
+    // it; pre-mcp-auth releases shipped 3 images, post-mcp-auth ship 4).
+    const hasMcpAuthDigest = typeof digests['mcp-auth'] === 'string' && digests['mcp-auth'].length > 0;
+    const baseRefs = [
         { name: 'host-cp', ref: `${registry}/olam-host-cp@${digests['host-cp']}` },
         { name: 'auth', ref: `${registry}/olam-auth@${digests.auth}` },
         { name: 'devbox', ref: `${registry}/olam-devbox@${digests.devbox}` },
     ];
-    const pullSpinner = ora('Pulling images (3 parallel)').start();
+    if (hasMcpAuthDigest) {
+        baseRefs.push({
+            name: 'mcp-auth',
+            ref: `${registry}/olam-mcp-auth@${digests['mcp-auth']}`,
+        });
+    }
+    const imageRefs = baseRefs;
+    const pullSpinner = ora(`Pulling images (${imageRefs.length} parallel)`).start();
     const pullStart = Date.now();
     const pullResults = await Promise.all(imageRefs.map(async ({ name, ref }) => ({
         name,
@@ -687,7 +708,7 @@ export async function runUpgradePullByDigest(deps = {}) {
             summary: `pull failed: ${failed.map((r) => r.name).join(', ')}`,
         };
     }
-    pullSpinner.succeed(`Pulled 3 images in ${pullElapsed}s`);
+    pullSpinner.succeed(`Pulled ${imageRefs.length} images in ${pullElapsed}s`);
     // Step 3 — protocol-version handshake on every image.
     const handshakeSpinner = ora('Verifying olam.protocol.versions handshake').start();
     for (const { name, ref } of imageRefs) {
@@ -709,7 +730,7 @@ export async function runUpgradePullByDigest(deps = {}) {
             };
         }
     }
-    handshakeSpinner.succeed('Protocol handshake passed (all 3 images)');
+    handshakeSpinner.succeed(`Protocol handshake passed (all ${imageRefs.length} images)`);
     // Step 4 — re-tag pulled-by-digest images to the canonical local tags
     // that compose.yaml + AuthContainerController expect. Pulling by
     // digest only writes a content-addressed reference; compose / the
@@ -729,7 +750,7 @@ export async function runUpgradePullByDigest(deps = {}) {
     // Fix: retag BOTH names. The bare-name tag is kept for legacy callers
     // (e.g. `docker run olam-host-cp:latest` in scripts); the registry-
     // prefixed tag is what compose + AuthContainerController actually use.
-    const tagPlan = [
+    const tagPlanBase = [
         { from: imageRefs[0].ref, to: 'olam-host-cp:latest', name: 'host-cp (bare)' },
         { from: imageRefs[0].ref, to: `${registry}/olam-host-cp:latest`, name: 'host-cp (registry)' },
         { from: imageRefs[1].ref, to: 'olam-auth:local', name: 'auth (bare)' },
@@ -737,6 +758,10 @@ export async function runUpgradePullByDigest(deps = {}) {
         { from: imageRefs[2].ref, to: 'olam-devbox:latest', name: 'devbox (bare)' },
         { from: imageRefs[2].ref, to: `${registry}/olam-devbox:latest`, name: 'devbox (registry)' },
     ];
+    if (hasMcpAuthDigest && imageRefs[3]) {
+        tagPlanBase.push({ from: imageRefs[3].ref, to: 'olam-mcp-auth:local', name: 'mcp-auth (bare)' }, { from: imageRefs[3].ref, to: `${registry}/olam-mcp-auth:latest`, name: 'mcp-auth (registry)' });
+    }
+    const tagPlan = tagPlanBase;
     const tagSpinner = ora('Tagging digests → canonical local refs').start();
     const tagger = deps.tagImpl ?? dockerTag;
     for (const t of tagPlan) {
@@ -778,12 +803,62 @@ export async function runUpgradePullByDigest(deps = {}) {
         return { exitCode: EXIT_GENERIC_ERROR, summary: 'auth recreate failed' };
     }
     authSpinner.succeed('auth-service running on new image');
+    // Step 7 — recreate mcp-auth-service when its digest is in the manifest.
+    // Older tarballs (pre-services-bringup) skip this step entirely.
+    if (hasMcpAuthDigest) {
+        const mcpSpinner = ora('recreate mcp-auth-service').start();
+        const mcpRecreate = deps.recreateMcpAuth ?? defaultRecreateMcpAuthForUpgrade;
+        const mcpResult = await mcpRecreate();
+        if (!mcpResult.ok) {
+            mcpSpinner.fail('mcp-auth-service recreate failed');
+            process.stderr.write(`${pc.red('error')} ${mcpResult.error ?? 'unknown failure'}\n`);
+            return { exitCode: EXIT_GENERIC_ERROR, summary: 'mcp-auth recreate failed' };
+        }
+        mcpSpinner.succeed('mcp-auth-service running on new image');
+    }
     printSuccess('Upgrade complete (pull-by-digest)');
     printInfo('host-cp', `running (${digests['host-cp'].slice(0, 19)}…)`);
     printInfo('auth', `running (${digests.auth.slice(0, 19)}…)`);
     printInfo('devbox', `pulled (${digests.devbox.slice(0, 19)}…)`);
+    if (hasMcpAuthDigest) {
+        printInfo('mcp-auth', `running (${digests['mcp-auth'].slice(0, 19)}…)`);
+    }
     return { exitCode: 0, summary: 'stack upgraded' };
 }
+/**
+ * Default mcp-auth-service recreate driver for the pull-by-digest upgrade
+ * path. Stops the existing container, removes it, then starts a fresh one
+ * via the new image. Mirrors `defaultRecreateAuthForUpgrade` shape.
+ *
+ * Implementation lives in @olam/core's container controllers — but for the
+ * upgrade path we just docker-rm + docker-run because the controller
+ * encapsulates start-with-image semantics that match what we want here.
+ */
+async function defaultRecreateMcpAuthForUpgrade() {
+    // Reuse the existing recreateAuthService logic as a template — the
+    // mcp-auth service follows the same lifecycle (atomic-rename store,
+    // health-checked start). When the McpAuthContainerController lands as
+    // a sibling, this function should switch to controller.start().
+    try {
+        const { spawnSync: ss } = await import('node:child_process');
+        ss('docker', ['stop', 'olam-mcp-auth'], { stdio: 'ignore' });
+        ss('docker', ['rm', '-f', 'olam-mcp-auth'], { stdio: 'ignore' });
+        const startResult = ss('docker', [
+            'run', '-d', '--name', 'olam-mcp-auth',
+            '-p', '9998:9998',
+            '-v', 'olam-mcp-auth-data:/mcp-auth-data',
+            '--restart', 'unless-stopped',
+            'olam-mcp-auth:local',
+        ], { stdio: 'pipe' });
+        if (startResult.status !== 0) {
+            return { ok: false, error: `docker run failed: ${startResult.stderr?.toString() ?? 'unknown'}` };
+        }
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, error: err instanceof Error ? err.message : String(err) };
+    }
+}
 /**
  * Default auth-recreate driver for the pull-by-digest upgrade path.
  * Mirrors recreateAuthService() defined later in this file but trimmed