sandbox connected and streaming

doc/architecture.md

@@ -109,7 +109,7 @@ DexOrder is an AI-powered trading platform that combines real-time market data p
 
 ### 2. User Containers
 
-**Location:** `client-py/`
+**Location:** `sandbox/`
 **Language:** Python
 **Purpose:** Per-user isolated workspace and data storage
 
@@ -415,12 +415,12 @@ User authenticates → Gateway checks if deployment exists
 ### RBAC
 
 **Gateway ServiceAccount:**
-- Create deployments/services/PVCs in `dexorder-agents` namespace
+- Create deployments/services/PVCs in `dexorder-sandboxes` namespace
 - Read pod status and logs
 - Cannot delete, exec, or access secrets
 
 **Lifecycle Sidecar ServiceAccount:**
-- Delete deployments in `dexorder-agents` namespace
+- Delete deployments in `dexorder-sandboxes` namespace
 - Delete PVCs (conditional on user type)
 - Cannot access other resources
 
@@ -428,7 +428,7 @@ User authenticates → Gateway checks if deployment exists
 
 ### Admission Control
 
-All pods in `dexorder-agents` namespace must:
+All pods in `dexorder-sandboxes` namespace must:
 - Use approved images only (allowlist)
 - Run as non-root
 - Drop all capabilities
@@ -544,13 +544,13 @@ kubectl apply -k deploy/k8s/prod
 
 # Push images to registry
 docker push ghcr.io/dexorder/gateway:latest
-docker push ghcr.io/dexorder/agent:latest
+docker push ghcr.io/dexorder/sandbox:latest
 docker push ghcr.io/dexorder/lifecycle-sidecar:latest
 ```
 
 **Namespaces:**
 - `dexorder-system` - Platform services (gateway, infrastructure)
-- `dexorder-agents` - User containers (isolated)
+- `dexorder-sandboxes` - User containers (isolated)
 
 ---