redesign fully scaffolded and web login works

deploy/k8s/base/gateway-ingress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gateway-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/rewrite-target: /$1
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - dexorder.ai
+    secretName: gateway-tls
+  rules:
+  - host: dexorder.ai
+    http:
+      paths:
+      # Gateway API routes - strip /api prefix
+      - path: /api/(.*)
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: gateway
+            port:
+              number: 3000

deploy/k8s/base/gateway-rbac.yaml

@@ -7,7 +7,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: gateway
-  namespace: dexorder-system
 ---
 # Role scoped to dexorder-agents namespace only
 apiVersion: rbac.authorization.k8s.io/v1
@@ -20,27 +19,27 @@ rules:
   - apiGroups: ["apps"]
     resources: ["deployments"]
     verbs: ["create", "get", "list", "watch", "patch", "update"]
-  
+
   # PVCs: create and read (deletion handled by sidecar)
   - apiGroups: [""]
     resources: ["persistentvolumeclaims"]
     verbs: ["create", "get", "list", "watch"]
-  
+
   # Services: create and manage agent MCP endpoints
   - apiGroups: [""]
     resources: ["services"]
     verbs: ["create", "get", "list", "watch", "patch", "update"]
-  
+
   # Read-only pod access for status checks (no exec!)
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get", "list", "watch"]
-  
+
   # Pod logs for debugging (read-only)
   - apiGroups: [""]
     resources: ["pods/log"]
     verbs: ["get"]
-  
+
   # Explicitly NOT included:
   # - deployments/delete - handled by lifecycle sidecar
   # - pvc/delete - handled by lifecycle sidecar
@@ -58,7 +57,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: gateway
-    namespace: dexorder-system
+    namespace: default
 roleRef:
   kind: Role
   name: agent-creator

deploy/k8s/base/gateway.yaml

@@ -0,0 +1,101 @@
+# Gateway deployment
+# Multi-channel gateway with automatic container provisioning
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gateway
+spec:
+  selector:
+    app: gateway
+  ports:
+    - name: http
+      protocol: TCP
+      port: 3000
+      targetPort: http
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gateway
+  labels:
+    app: gateway
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gateway
+  template:
+    metadata:
+      labels:
+        app: gateway
+    spec:
+      serviceAccountName: gateway
+
+      initContainers:
+        - name: wait-for-postgres
+          image: busybox:1.36
+          command: ['sh', '-c', 'until nc -z postgres 5432; do echo waiting for postgres; sleep 2; done;']
+        - name: wait-for-dragonfly
+          image: busybox:1.36
+          command: ['sh', '-c', 'until nc -z dragonfly 6379; do echo waiting for dragonfly; sleep 2; done;']
+        - name: wait-for-qdrant
+          image: busybox:1.36
+          command: ['sh', '-c', 'until nc -z qdrant 6333; do echo waiting for qdrant; sleep 2; done;']
+
+      volumes:
+        - name: config
+          configMap:
+            name: gateway-config
+        - name: secrets
+          secret:
+            secretName: gateway-secrets
+
+      containers:
+        - name: gateway
+          image: ghcr.io/dexorder/gateway:latest
+          imagePullPolicy: Always
+
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+
+          volumeMounts:
+            - name: config
+              mountPath: /config/config.yaml
+              subPath: config.yaml
+              readOnly: true
+            - name: secrets
+              mountPath: /config/secrets.yaml
+              subPath: secrets.yaml
+              readOnly: true
+
+          env:
+            - name: CONFIG_PATH
+              value: "/config/config.yaml"
+            - name: SECRETS_PATH
+              value: "/config/secrets.yaml"
+
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
+
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 30
+
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10

deploy/k8s/base/ingress.yaml

@@ -14,4 +14,12 @@ spec:
   rules:
   - host: dexorder.ai
     http:
-      paths: []
+      paths:
+      # Web application at root
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: ai-web
+            port:
+              number: 5173

deploy/k8s/base/kustomization.yaml

@@ -16,11 +16,11 @@ resources:
   - agent-quotas.yaml
   # Network isolation policies
   - network-policies.yaml
-  # Gateway service (uncomment when ready)
-  # - gateway.yaml
+  # Gateway service
+  - gateway.yaml
+  - gateway-ingress.yaml
   # Example agent deployment (for reference, not applied by default)
   # - agent-deployment-example.yaml
-  # Services (uncomment as needed)
-  # - backend.yaml
-  # - web.yaml
-  # - ingress.yaml
+  # Services
+  - web.yaml
+  - ingress.yaml

deploy/k8s/base/namespaces.yaml

@@ -1,17 +1,9 @@
 # Namespace definitions for dexorder AI platform
-# - dexorder-system: gateway, flink, kafka, and other infrastructure
+# - default: gateway, web, and infrastructure services
 # - dexorder-agents: user agent containers (isolated, restricted)
 ---
 apiVersion: v1
 kind: Namespace
-metadata:
-  name: dexorder-system
-  labels:
-    app.kubernetes.io/part-of: dexorder
-    dexorder.io/type: system
----
-apiVersion: v1
-kind: Namespace
 metadata:
   name: dexorder-agents
   labels:

deploy/k8s/base/network-policies.yaml

@@ -28,10 +28,7 @@ spec:
     - Ingress
   ingress:
     - from:
-        - namespaceSelector:
-            matchLabels:
-              dexorder.io/type: system
-          podSelector:
+        - podSelector:
             matchLabels:
               app: gateway
       ports:
@@ -64,17 +61,14 @@ spec:
           port: 53
         - protocol: TCP
           port: 53
-    # Gateway in system namespace (for callbacks)
+    # Gateway (for callbacks)
     - to:
-        - namespaceSelector:
-            matchLabels:
-              dexorder.io/type: system
-          podSelector:
+        - podSelector:
             matchLabels:
               app: gateway
       ports:
         - protocol: TCP
-          port: 8080
+          port: 3000
     # Kafka/Redpanda for data subscriptions
     - to:
         - namespaceSelector:
@@ -99,12 +93,11 @@ spec:
         - protocol: TCP
           port: 443
 ---
-# System namespace: allow ingress from agents
+# Default namespace: allow ingress from agents to gateway
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: allow-agent-callbacks
-  namespace: dexorder-system
 spec:
   podSelector:
     matchLabels:
@@ -118,4 +111,4 @@ spec:
               dexorder.io/type: agents
       ports:
         - protocol: TCP
-          port: 8080
+          port: 3000

deploy/k8s/base/web.yaml

@@ -32,7 +32,7 @@ spec:
         ports:
         - containerPort: 5173
         env:
-        - name: VITE_BASE_PATH
-          value: "/cryptochimp/"
+        - name: VITE_GATEWAY_URL
+          value: "https://dexorder.ai/api"
         - name: VITE_WS_URL
           value: "wss://dexorder.ai/ws"