feat(agent): complete EvoAgent integration for all 6 agent roles

Migrate all agent roles from Legacy to EvoAgent architecture: - fundamentals_analyst, technical_analyst, sentiment_analyst, valuation_analyst - risk_manager, portfolio_manager Key changes: - EvoAgent now supports Portfolio Manager compatibility methods (_make_decision, get_decisions, get_portfolio_state, load_portfolio_state, update_portfolio) - Add UnifiedAgentFactory for centralized agent creation - ToolGuard with batch approval API and WebSocket broadcast - Legacy agents marked deprecated (AnalystAgent, RiskAgent, PMAgent) - Remove backend/agents/compat.py migration shim - Add run_id alongside workspace_id for semantic clarity - Complete integration test coverage (13 tests) - All smoke tests passing for 6 agent roles Constraint: Must maintain backward compatibility with existing run configs Constraint: Memory support must work with EvoAgent (no fallback to Legacy) Rejected: Separate PM implementation for EvoAgent | unified approach cleaner Confidence: high Scope-risk: broad Directive: EVO_AGENT_IDS env var still respected but defaults to all roles Not-tested: Kubernetes sandbox mode for skill execution
2026-04-02 00:55:08 +08:00
parent 0fa413380c
commit 16b54d5ccc
73 changed files with 9454 additions and 904 deletions
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -3,6 +3,11 @@
 This directory contains the current production-oriented deployment artifacts for
 the 大时代 frontend site and the live gateway process.

+This deployment shape is narrower than the current application architecture. For
+the code-level architecture, see [docs/current-architecture.md](../docs/current-architecture.md).
+For the planned convergence work, see
+[docs/development-roadmap.md](../docs/development-roadmap.md).
+
 ## Contents

 - [deploy/systemd/evotraders.service](./systemd/evotraders.service)
@@ -14,9 +19,13 @@ the 大时代 frontend site and the live gateway process.
 - [deploy/nginx/bigtime.cillinn.com.http.conf](./nginx/bigtime.cillinn.com.http.conf)
  - plain HTTP/static-site variant

-## Current Production Shape
+## Deployment Topology Options

-The checked-in production path is intentionally minimal:
+This directory documents two deployment topologies:
+
+### 1. Compatibility Topology (backend.main) - CURRENT PRODUCTION DEFAULT
+
+The checked-in production path uses the **compatibility gateway** (`backend.main`):

 - nginx serves the built frontend from `/var/www/bigtime/current`
 - public domain examples use `bigtime.cillinn.com`
@@ -24,8 +33,39 @@ The checked-in production path is intentionally minimal:
 - systemd runs `scripts/run_prod.sh`
 - `scripts/run_prod.sh` starts `python3 -m backend.main` in live mode on `127.0.0.1:8765`

-This means the checked-in production example is centered on the gateway and
-frontend, not on exposing the split FastAPI services directly.
+This is a **monolithic gateway** that embeds all services internally. It is the
+current production default for simplicity but does not expose the split FastAPI
+services directly.
+
+**When to use**: Single-server deployments, simpler operational requirements,
+backwards compatibility with existing monitoring.
+
+### 2. Preferred Topology (Split Services) - RECOMMENDED FOR NEW DEPLOYMENTS
+
+The modern architecture exposes individual FastAPI services:
+
+| Service | Port | Purpose |
+|---------|------|---------|
+| agent_service | 8000 | Control plane for workspaces, agents, skills |
+| trading_service | 8001 | Read-only trading data APIs |
+| news_service | 8002 | Read-only explain/news APIs |
+| runtime_service | 8003 | Runtime lifecycle APIs |
+| gateway | 8765 | WebSocket event channel |
+
+**When to use**: Multi-service deployments, independent scaling needs,
+service-level monitoring, or when following the architecture documented in
+[docs/current-architecture.md](../docs/current-architecture.md).
+
+To deploy in split-service mode, you would:
+1. Deploy each service with its own systemd unit
+2. Configure nginx to route `/api/*` to the appropriate service
+3. Keep WebSocket proxy to gateway on port 8765
+4. Set environment variables for service discovery:
+   ```
+   TRADING_SERVICE_URL=http://localhost:8001
+   NEWS_SERVICE_URL=http://localhost:8002
+   RUNTIME_SERVICE_URL=http://localhost:8003
+   ```

 ## Important Paths And Ports

@@ -108,7 +148,7 @@ PYTHONPATH=/root/code/evotraders/.pydeps:.
 TICKERS=${TICKERS:-AAPL,MSFT,GOOGL,AMZN,NVDA,META,TSLA,AMD,NFLX,AVGO,PLTR,COIN}
 ```

-It then launches:
+It then launches the current compatibility gateway/runtime process:

 ```bash
 python3 -m backend.main \
@@ -120,6 +160,32 @@ python3 -m backend.main \
  --poll-interval 15
 ```

+## Skill Sandbox Configuration
+
+Production deployments should enable Docker-based skill sandbox for security isolation:
+
+```bash
+# Install with sandbox support
+pip install -e ".[docker-sandbox]"
+
+# Verify Docker daemon is running
+docker info
+```
+
+Environment variables (set by `scripts/run_prod.sh` with defaults):
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `SKILL_SANDBOX_MODE` | `docker` | Sandbox mode: `none` \| `docker` \| `kubernetes` |
+| `SKILL_SANDBOX_IMAGE` | `python:3.11-slim` | Docker image for sandbox |
+| `SKILL_SANDBOX_MEMORY_LIMIT` | `512m` | Memory limit per skill execution |
+| `SKILL_SANDBOX_CPU_LIMIT` | `1.0` | CPU limit per skill execution |
+| `SKILL_SANDBOX_NETWORK` | `none` | Network mode: `none` \| `bridge` |
+| `SKILL_SANDBOX_TIMEOUT` | `60` | Execution timeout in seconds |
+
+**Security recommendation**: Always use `SKILL_SANDBOX_MODE=docker` in production.
+The `none` mode (direct execution) is for development only and displays a security warning.
+
 ## What This Deployment Does Not Yet Cover

 The checked-in deployment artifacts do not currently document or automate:
--- a/deploy/systemd/evotraders.service
+++ b/deploy/systemd/evotraders.service
@@ -1,6 +1,14 @@
 [Unit]
 Description=大时代 Production Service
 After=network.target
+# COMPATIBILITY_SURFACE: stable
+# OWNER: ops-team
+# SEE: docs/legacy-inventory.md#gateway-first-production-example
+#
+# This systemd unit runs the gateway-first production topology.
+# It executes scripts/run_prod.sh which launches backend.main as the
+# primary gateway/runtime process. For split-service deployment topology,
+# see docs/current-architecture.md and deploy/README.md

 [Service]
 Type=simple