Olympus Docs
Internalsoctl

Octl, stack bundle

How octl ships platform configs inside its npm package

@olympusoss/octl is the local-development CLI. To make npx @olympusoss/octl deploy work from any empty directory, the package bundles all the platform configs it needs.

What's in the bundle

octl/stack/:

  • compose.dev.yml, the dev Compose file.
  • ciam-kratos/kratos.yml, identity schemas
  • iam-kratos/kratos.yml, identity schemas
  • ciam-hydra/hydra.yml
  • iam-hydra/hydra.yml
  • Caddyfile, dev variant
  • init-db.sql
  • iam-seed-dev.sh
  • pgadmin-claims-mapper.jsonnet

These are vendored copies of the corresponding files in platform/dev/.

Why vendor

Two alternatives:

  1. Have octl clone the platform repo at runtime. Requires network, requires the user to authenticate.
  2. Vendor the files inside the package.

Vendoring is simpler. npx @olympusoss/octl deploy runs offline (once images are cached).

The trade-off: bundle drift. If platform/dev/ changes and the octl bundle isn't synced, dev environments differ from prod expectations.

Syncing the bundle

octl/scripts/sync-stack.sh:

#!/usr/bin/env bash
set -euo pipefail

REF=${1:-main}   # platform git ref to sync from

cd $(mktemp -d)
git clone --depth 1 --branch "$REF" https://github.com/OlympusOSS/platform .
cp -r dev/* "$OCTL_ROOT/stack/"

cd "$OCTL_ROOT"
bun run typecheck   # ensure the new bundle still works with octl's code

Run via:

cd octl
bun run sync-stack -- v1.5.2  # or main

CI runs this before publishing octl to ensure the bundle is fresh against the platform commit being pinned.

Bundle version tracking

octl/stack/PLATFORM_REF records the platform git ref the bundle was synced from:

v1.5.2
abc123def456...   # commit SHA

When publishing octl, this is committed alongside.

Bundle vs platform divergence

If you've made local changes to platform/dev/ for testing, those don't go through octl. The dev stack via octl deploy uses the bundled configs, not the local ones.

To test local platform changes:

cd platform/dev
podman compose -f compose.dev.yml up -d

Skip octl entirely; run compose directly.

What octl deploy does at runtime

  1. Checks for Podman; installs if missing (macOS Homebrew).
  2. podman machine init + podman machine start if needed.
  3. Reads bundled compose.dev.yml.
  4. Generates .env.dev with development secrets (deterministic for dev, same value across runs of octl deploy so caches work).
  5. Runs podman compose up -d.
  6. Polls healthchecks.
  7. Prints access URLs + test credentials.

.env.dev contains:

  • ENCRYPTION_KEY, a dev-safe value (not on the blocklist).
  • SESSION_SIGNING_KEY, similarly.
  • Per-domain reload API keys.
  • Empty Turnstile (captcha disabled).
  • Pointers to MailSlurper (no real email).

When the bundle becomes stale

Symptoms:

  • octl deploy succeeds but Athena says "schema not found."
  • Identity schema mismatch between dev and prod.
  • New Kratos features don't work in dev.

Fix: bump octl. The maintainer publishes new octl versions as platform evolves.

Octl, Podman detection

How octl probes for Podman and installs if needed

SDK, connection pool

How the SDK manages Postgres connections

On this page

What's in the bundleWhy vendorSyncing the bundleBundle version trackingBundle vs platform divergenceWhat octl deploy does at runtimeWhen the bundle becomes staleRelated