sandbox connected and streaming

deploy/k8s/dev/admission-policy-patch.yaml

@@ -4,13 +4,13 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
-  name: dexorder-agent-image-policy
+  name: dexorder-sandbox-image-policy
 spec:
   failurePolicy: Fail
   matchConstraints:
     namespaceSelector:
       matchLabels:
-        dexorder.io/type: agents
+        dexorder.io/type: sandboxes
     resourceRules:
       - apiGroups: ["apps"]
         apiVersions: ["v1"]
@@ -20,13 +20,13 @@ spec:
     # Allow local dev images in addition to production registry
     - expression: |
         object.spec.template.spec.containers.all(c,
-          c.image.startsWith('ghcr.io/dexorder/agent:') ||
-          c.image.startsWith('ghcr.io/dexorder/agent-') ||
-          c.image.startsWith('localhost:5000/dexorder/agent') ||
-          c.image.startsWith('dexorder/agent') ||
-          c.image.startsWith('dexorder/ai-client-py') ||
+          c.image.startsWith('ghcr.io/dexorder/sandbox:') ||
+          c.image.startsWith('ghcr.io/dexorder/sandbox-') ||
+          c.image.startsWith('localhost:5000/dexorder/sandbox') ||
+          c.image.startsWith('dexorder/sandbox') ||
+          c.image.startsWith('dexorder/ai-sandbox') ||
           c.image.startsWith('dexorder/ai-lifecycle-sidecar'))
-      message: "Only approved dexorder agent images are allowed"
+      message: "Only approved dexorder sandbox images are allowed"
       reason: Forbidden
 
     # No privileged containers

deploy/k8s/dev/configs/gateway-config.yaml

@@ -53,13 +53,18 @@ data:
 
     # Kubernetes configuration
     kubernetes:
-      namespace: dexorder-agents
+      namespace: dexorder-sandboxes
       in_cluster: true
-      agent_image: dexorder/ai-client-py:latest
-      sidecar_image: dexorder/ai-lifecycle-sidecar:latest
+      sandbox_image: dexorder/ai-sandbox:SANDBOX_TAG_PLACEHOLDER
+      sidecar_image: dexorder/ai-lifecycle-sidecar:SIDECAR_TAG_PLACEHOLDER
       storage_class: standard
       image_pull_policy: Never  # For minikube dev - use local images
 
+    # Agent configuration
+    agent:
+      # Number of prior conversation turns loaded as LLM context and flushed to Iceberg at session end
+      conversation_history_limit: 20
+
     # DragonflyDB (Redis-compatible, for hot storage and session management)
     redis:
       url: redis://dragonfly:6379
@@ -76,6 +81,7 @@ data:
       ohlc_catalog_uri: http://iceberg-catalog:8181
       ohlc_namespace: trading
       s3_endpoint: http://minio:9000
+      conversations_bucket: warehouse  # S3 bucket for conversation Parquet cold storage
 
     # Event router (ZeroMQ)
     events:

deploy/k8s/dev/gateway-dev-patch.yaml

@@ -8,7 +8,7 @@ spec:
     spec:
       containers:
         - name: gateway
-          image: dexorder/ai-gateway:latest
+          image: dexorder/ai-gateway
           imagePullPolicy: Never
           env:
             - name: NODE_OPTIONS

deploy/k8s/dev/infrastructure.yaml

@@ -480,7 +480,7 @@ spec:
         command: ['sh', '-c', 'until nc -z iceberg-catalog 8181; do echo waiting for iceberg-catalog; sleep 2; done;']
       containers:
       - name: flink-jobmanager
-        image: dexorder/flink:latest
+        image: dexorder/ai-flink
         imagePullPolicy: Never
         args: ["standalone-job", "--job-classname", "com.dexorder.flink.TradingFlinkApp"]
         ports:
@@ -542,7 +542,7 @@ spec:
         command: ['sh', '-c', 'until nc -z flink-jobmanager 6123; do echo waiting for jobmanager; sleep 2; done;']
       containers:
       - name: flink-taskmanager
-        image: dexorder/flink:latest
+        image: dexorder/ai-flink
         imagePullPolicy: Never
         args: ["taskmanager"]
         env:
@@ -617,7 +617,7 @@ spec:
     spec:
       containers:
       - name: relay
-        image: dexorder/relay:latest
+        image: dexorder/ai-relay
         imagePullPolicy: Never
         ports:
         - containerPort: 5555
@@ -665,7 +665,7 @@ spec:
         command: ['sh', '-c', 'until nc -z kafka 9092; do echo waiting for kafka; sleep 2; done;']
       containers:
       - name: ingestor
-        image: dexorder/ingestor:latest
+        image: dexorder/ai-ingestor
         imagePullPolicy: Never
         env:
         - name: LOG_LEVEL

deploy/k8s/dev/kustomization.yaml

@@ -8,12 +8,12 @@ resources:
   - storage-class.yaml
   - configs/gateway-config.yaml
   - gateway-health-ingress.yaml
-  - agent-config.yaml  # ConfigMap for agent pods in dexorder-agents namespace
+  - sandbox-config.yaml  # ConfigMap for sandbox pods in dexorder-sandboxes namespace
 
 # Dev-specific patches
 patches:
   # Reduced resource quotas for minikube
-  - path: agent-quotas-patch.yaml
+  - path: sandbox-quotas-patch.yaml
   # Allow local registry images
   - path: admission-policy-patch.yaml
   # Web environment variables for dev
@@ -155,6 +155,63 @@ generatorOptions:
 
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 
 
 

deploy/k8s/dev/sandbox-config.yaml

@@ -1,18 +1,18 @@
-# Agent ConfigMap in dexorder-agents namespace
-# This is mounted into dynamically created agent pods
+# Sandbox ConfigMap in dexorder-sandboxes namespace
+# This is mounted into dynamically created sandbox pods
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: agent-config
-  namespace: dexorder-agents
+  name: sandbox-config
+  namespace: dexorder-sandboxes
   labels:
-    app.kubernetes.io/name: agent
+    app.kubernetes.io/name: sandbox
     app.kubernetes.io/component: config
 data:
   config.yaml: |
-    # Default configuration for user agent containers
-    # This is mounted at /app/config/config.yaml in agent pods
+    # Default configuration for user sandbox containers
+    # This is mounted at /app/config/config.yaml in sandbox pods
 
     # Data directory for persistent storage (workspace, strategies, etc.)
     # This is mounted as a PVC at /app/data
@@ -26,10 +26,14 @@ data:
     data:
       iceberg:
         catalog_name: "dexorder"
-        # Catalog properties loaded from secrets
+        catalog_uri: "http://iceberg-catalog.default.svc.cluster.local:8181"
+        namespace: "trading"
+        # S3 endpoint for MinIO in default namespace
+        s3_endpoint: "http://minio.default.svc.cluster.local:9000"
 
       relay:
-        endpoint: "tcp://relay.dexorder.svc.cluster.local:5560"
+        endpoint: "tcp://relay.default.svc.cluster.local:5559"
+        notification_endpoint: "tcp://relay.default.svc.cluster.local:5558"
         timeout_ms: 5000
 
     # Strategy settings

deploy/k8s/dev/sandbox-quotas-patch.yaml

@@ -4,8 +4,8 @@
 apiVersion: v1
 kind: ResourceQuota
 metadata:
-  name: agent-quota
-  namespace: dexorder-agents
+  name: sandbox-quota
+  namespace: dexorder-sandboxes
 spec:
   hard:
     # Reduced for minikube

deploy/k8s/dev/web-dev-patch.yaml

@@ -8,7 +8,7 @@ spec:
     spec:
       containers:
       - name: ai-web
-        image: dexorder/ai-web:latest
+        image: dexorder/ai-web
         imagePullPolicy: Never
         env:
         - name: VITE_GATEWAY_URL