sandbox connected and streaming

deploy/k8s/dev/admission-policy-patch.yaml

@@ -4,13 +4,13 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
-  name: dexorder-agent-image-policy
+  name: dexorder-sandbox-image-policy
 spec:
   failurePolicy: Fail
   matchConstraints:
     namespaceSelector:
       matchLabels:
-        dexorder.io/type: agents
+        dexorder.io/type: sandboxes
     resourceRules:
       - apiGroups: ["apps"]
         apiVersions: ["v1"]
@@ -20,13 +20,13 @@ spec:
     # Allow local dev images in addition to production registry
     - expression: |
         object.spec.template.spec.containers.all(c,
-          c.image.startsWith('ghcr.io/dexorder/agent:') ||
-          c.image.startsWith('ghcr.io/dexorder/agent-') ||
-          c.image.startsWith('localhost:5000/dexorder/agent') ||
-          c.image.startsWith('dexorder/agent') ||
-          c.image.startsWith('dexorder/ai-client-py') ||
+          c.image.startsWith('ghcr.io/dexorder/sandbox:') ||
+          c.image.startsWith('ghcr.io/dexorder/sandbox-') ||
+          c.image.startsWith('localhost:5000/dexorder/sandbox') ||
+          c.image.startsWith('dexorder/sandbox') ||
+          c.image.startsWith('dexorder/ai-sandbox') ||
           c.image.startsWith('dexorder/ai-lifecycle-sidecar'))
-      message: "Only approved dexorder agent images are allowed"
+      message: "Only approved dexorder sandbox images are allowed"
       reason: Forbidden
 
     # No privileged containers