prod deployment

This commit is contained in:
2026-04-01 18:34:08 -04:00
parent ca44e68f64
commit eab581f8cb
62 changed files with 1922 additions and 286 deletions

@@ -85,7 +85,7 @@ Runs alongside the agent container with shared PID namespace. Monitors the main
- `USER_TYPE`: License tier (`anonymous`, `free`, `paid`, `enterprise`)
- `MAIN_CONTAINER_PID`: PID of main container (default: 1)
**RBAC**: Has permission to delete deployments and PVCs **only in dexorder-sandboxes namespace**. Cannot delete other deployments due to:
**RBAC**: Has permission to delete deployments and PVCs **only in sandbox namespace**. Cannot delete other deployments due to:
1. Only knows its own deployment name (from env)
2. RBAC scoped to namespace
3. No cross-pod communication
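Review bot: In the RBAC paragraph, the reworded line replaces the literal namespace name with the phrase "sandbox namespace", which reads as a generic description rather than the namespace actually named `sandbox`; put it in code formatting, as the Admission Control section does. Separately, the list that follows relies on reason 1 (the sidecar only knows its own deployment name) for isolation, but a delete permission scoped to the namespace, as described here, covers every deployment in it. State whether the Role is restricted per deployment or whether this is a convention rather than an enforced control.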
@@ -164,12 +164,12 @@ Configured via `USER_TYPE` env var in deployment.
**Lifecycle Sidecar**:
- Can delete its own deployment only
- Cannot delete other deployments
- Scoped to dexorder-sandboxes namespace
- Scoped to sandbox namespace
- No exec, no secrets access
### Admission Control
All deployments in `dexorder-sandboxes` namespace are subject to:
All deployments in `sandbox` namespace are subject to:
- Image allowlist (only approved images)
- Security context enforcement (non-root, drop caps, read-only rootfs)
- Resource limits required
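Review bot: The Admission Control line now names `sandbox`, so the image allowlist, security context and resource limit policies only protect workloads if their namespace match was renamed in the same commit; a policy still matching `dexorder-sandboxes` would silently stop applying. Please confirm the policy manifests are among the changed files, and consider adding a verification step to this doc showing that a non-allowlisted image is rejected in `sandbox`.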
@@ -198,7 +198,7 @@ kubectl apply -k deploy/k8s/dev # or prod
```
This creates:
- Namespaces (`dexorder-system`, `dexorder-sandboxes`)
- Namespaces (`dexorder-system`, `sandbox`)
- RBAC (gateway, lifecycle sidecar)
- Admission policies
- Network policies
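Review bot: In the "This creates" list, only one of the two namespaces loses the `dexorder-` prefix, and `sandbox` is a generic name that can collide with an existing namespace on a shared cluster. Since the command above is also used for prod, the doc should say what happens to an existing `dexorder-sandboxes` namespace and its deployments and PVCs; nothing in this section covers migrating or cleaning up the old one.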
@@ -257,7 +257,7 @@ cd lifecycle-sidecar
go build -o lifecycle-sidecar main.go
# Run (requires k8s config)
export NAMESPACE=dexorder-sandboxes
export NAMESPACE=sandbox
export DEPLOYMENT_NAME=agent-test
export USER_TYPE=free
./lifecycle-sidecar
@@ -277,7 +277,7 @@ export USER_TYPE=free
Check logs:
```bash
kubectl logs -n dexorder-sandboxes sandbox-user-abc123 -c agent
kubectl logs -n sandbox sandbox-user-abc123 -c agent
```
Verify:
@@ -289,19 +289,19 @@ Verify:
Check sidecar logs:
```bash
kubectl logs -n dexorder-sandboxes sandbox-user-abc123 -c lifecycle-sidecar
kubectl logs -n sandbox sandbox-user-abc123 -c lifecycle-sidecar
```
Verify:
- Exit code file exists: `/var/run/agent/exit_code` contains `42`
- RBAC permissions: `kubectl auth can-i delete deployments --as=system:serviceaccount:dexorder-sandboxes:sandbox-lifecycle -n dexorder-sandboxes`
- RBAC permissions: `kubectl auth can-i delete deployments --as=system:serviceaccount:sandbox:sandbox-lifecycle -n sandbox`
- Deployment name matches: Check `DEPLOYMENT_NAME` env var
### Gateway can't create deployments
Check gateway logs and verify:
- ServiceAccount exists: `kubectl get sa gateway -n dexorder-system`
- RoleBinding exists: `kubectl get rolebinding gateway-sandbox-creator -n dexorder-sandboxes`
- RoleBinding exists: `kubectl get rolebinding gateway-sandbox-creator -n sandbox`
- Admission policy allows image: Check image name matches allowlist in `admission-policy.yaml`
## Future Enhancements
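Review bot: The RBAC check under "Verify" only confirms the positive case (`kubectl auth can-i delete deployments`), while the doc also claims the sidecar has "No exec, no secrets access". Add negative checks with the same `--as=system:serviceaccount:sandbox:sandbox-lifecycle -n sandbox` identity, for example `kubectl auth can-i get secrets` and `kubectl auth can-i create pods/exec`, both expected to answer `no`, so a reader can verify that the renamed binding grants nothing beyond what is documented.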