@dims
Created May 25, 2026 12:09
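# Set PATH and confirm the cluster is reachable (run this in every terminal).
#
# No trailing ':' on PATH: an empty PATH entry means "the current directory",
# so any command not found elsewhere (a missing plugin, a mistyped name) would
# be resolved from whatever directory the demo happens to be run in.
# $HOME/go/bin is searched first, so a binary there takes precedence over a
# system-wide one of the same name (presumably where the kubectl plugins used
# below are installed — confirm).
export PATH="$HOME/go/bin:$PATH"
# Fails on the server half if no cluster is reachable with the current context.
kubectl version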
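# ============================================================
# Terminal A — keep this running: the two port-forwards.
# ============================================================
# kubectl port-forward listens on localhost only unless --address is given.
# Keep that default so the router (8000) and the gateway (50051) are not
# reachable from other hosts on the network while the demo is running.
# Both are started as background jobs (%1 and %2) so they can be stopped
# together at the end.
kubectl port-forward -n ate-system svc/atenet-router 8000:80 &
kubectl port-forward -n ate-openshell-m0 svc/openshell-gateway-substrate 50051:50051 &
# ============================================================
# Terminal B — (optional) live status pane, the middle pane on a 3-pane demo.
# ============================================================
# Refreshes once a second: worker pods, then actors, then workers, separated
# by blank lines. The separator was misspelled `echol`, which printed a
# "command not found" error into the pane on every refresh.
watch -n 1 'kubectl get pods -n ate-demo-helpdesk; echo; kubectl ate get actors; echo; kubectl ate get workers'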
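# ============================================================
# Terminal C — the demo. Run beats one at a time.
# ============================================================
# Both endpoints are the local ends of the port-forwards
# (50051 -> openshell gateway, 8000 -> atenet router).
export OPENSHELL_GATEWAY=localhost:50051
export ROUTER=http://localhost:8000
# Assign first, export second: `export VAR=$(cmd)` reports the status of
# `export`, so a failed kubectl lookup would go unnoticed.
SUPERVISOR_IMAGE=$(kubectl get actortemplate -n ate-demo-helpdesk helpdesk-agent \
  -o jsonpath='{.spec.containers[0].image}')
export SUPERVISOR_IMAGE
# Warn rather than exit: these lines are pasted into an interactive shell.
# An empty image would otherwise be passed as `--image=` in Beats 1 and 2.
if [ -z "$SUPERVISOR_IMAGE" ]; then
  printf '%s\n' "SUPERVISOR_IMAGE is empty: the helpdesk-agent ActorTemplate lookup failed" >&2
fi
echo "$SUPERVISOR_IMAGE"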
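# ---- Beat 1: provision alice via the gateway → driver → substrate ----
# The sandbox id (not the name "alice") is what the later beats use as the
# Host-header prefix and as the actor id.
ALICE=$(kubectl osh create sandbox alice \
  --image="$SUPERVISOR_IMAGE" --template=helpdesk-agent \
  -o json | jq -r '.metadata.id')
# jq -r prints the literal string "null" when .metadata.id is missing, and
# nothing at all when the create call produced no JSON. Either value would
# send the later requests to the wrong Host, so flag it here.
case "$ALICE" in
  '' | null) printf '%s\n' "alice: no sandbox id returned, do not continue" >&2 ;;
esac
echo "alice: $ALICE"
# Observe in the watch pane: a worker pod transitions FREE → ASSIGNED.
# ---- Beat 2: provision bob (second tenant in the same pool) ----
BOB=$(kubectl osh create sandbox bob \
  --image="$SUPERVISOR_IMAGE" --template=helpdesk-agent \
  -o json | jq -r '.metadata.id')
case "$BOB" in
  '' | null) printf '%s\n' "bob: no sandbox id returned, do not continue" >&2 ;;
esac
echo "bob: $BOB"
# Both alice and bob now share a worker pool, isolated from each other.
# ---- Beat 3: list sandboxes (read path through the gateway) ----
kubectl osh get sandboxes
# Two sandboxes; both READY.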
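# ---- Beat 4: cold ask to alice (data-plane via atenet) ----
# The router picks the target actor from the Host header, so an empty $ALICE
# would address ".actors.resources.substrate.ate.dev". ${VAR:?} aborts the
# command instead (in an interactive shell only this command is dropped).
curl -sS -X POST \
  -H "Host: ${ALICE:?ALICE is empty, rerun Beat 1}.actors.resources.substrate.ate.dev" \
  -H "Content-Type: application/json" \
  -d '{"message":"User foo reports their database is timing out — give me a triage checklist."}' \
  "${ROUTER:?ROUTER is not set}/chat"
echo
# Reply comes from the helpdesk-agent inside the supervisor. The
# supervisor routed the outbound LLM call through its HTTP CONNECT
# proxy, which OPA approved.
# Quiesce so gVisor's cgroup hierarchy drains before suspend.
sleep 15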
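# ---- Beat 5: suspend alice — no public Suspend RPC, drop to kubectl-ate ----
kubectl ate suspend actor "${ALICE:?ALICE is empty, rerun Beat 1}"
kubectl ate get actor "$ALICE" # STATUS_SUSPENDED, ATEOM POD empty
# Worker is now FREE. Substrate checkpointed the sandbox state to disk.
# ---- Beat 6: idle period — capacity recovered ----
# Two snapshots 20 seconds apart, to show the picture does not change.
kubectl ate get workers
sleep 20
kubectl ate get workers
# Same picture: alice's worker stays FREE, bob's stays ASSIGNED.
# ---- Beat 7: follow-up to alice (implicit resume, memory preserved) ----
curl -sS -X POST \
  -H "Host: $ALICE.actors.resources.substrate.ate.dev" \
  -H "Content-Type: application/json" \
  -d '{"message":"What was the user issue I just asked you about?"}' \
  "${ROUTER:?ROUTER is not set}/chat"
echo
# Reply references the database-timeout issue → chat history survived
# checkpoint/restore. Resume happened automatically on the data-plane call.
ALICE_WORKER=$(kubectl ate get actor "$ALICE" -o json | jq -r '.actors[0].ateomPodName')
# jq -r yields "null" if the actor has no pod assigned (e.g. the resume did
# not happen). Beat 9 deletes the pod named here, so check before going on.
case "$ALICE_WORKER" in
  '' | null) printf '%s\n' "alice has no worker pod: resume did not complete" >&2 ;;
esac
echo "alice now on: $ALICE_WORKER"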
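# ---- Beat 8: exfil attempt from bob (expect blocked by OPA) ----
# Sent with bob's id in the Host header; an empty $BOB aborts the command.
curl -sS -X POST \
  -H "Host: ${BOB:?BOB is empty, rerun Beat 2}.actors.resources.substrate.ate.dev" \
  -H "Content-Type: application/json" \
  -d '{}' "${ROUTER:?ROUTER is not set}/probe"
echo
# {"blocked": true, "http_status": 403, ...} — supervisor's CONNECT
# proxy denied per the baked-in OPA policy. Network-policy half of
# enforcement (cooperating-client model — see sharp-edge #11).
# NOTE(review): a 403 here shows that egress sent through the CONNECT proxy
# is policy-checked. Given the "cooperating-client" wording, it presumably
# does not by itself show that traffic which skips the proxy is blocked;
# verify that half separately (confirm against sharp-edge #11).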
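# ---- Beat 9: kill alice's pod — alice migrates, bob untouched ----
# ${VAR:?} stops the delete from running with an empty pod name.
kubectl delete pod -n ate-demo-helpdesk \
  "${ALICE_WORKER:?ALICE_WORKER is empty, rerun the end of Beat 7}" --wait=false
# Fixed pause before the next request; presumably enough for the pod loss to
# be noticed. If the curl below fails, wait a little and repeat it.
sleep 5
curl -sS -X POST \
  -H "Host: ${ALICE:?ALICE is empty, rerun Beat 1}.actors.resources.substrate.ate.dev" \
  -H "Content-Type: application/json" \
  -d '{"message":"Confirm you still remember the user issue."}' \
  "${ROUTER:?ROUTER is not set}/chat"
echo
# NOTE(review): `tail -n +1` passes every line through unchanged; if the
# intent was to drop the header row it would need `-n +2` — confirm.
kubectl ate get actor "$ALICE" | tail -n +1
kubectl ate get actor "${BOB:?BOB is empty, rerun Beat 2}" | tail -n +1
# alice's actor migrated to a different worker pod with chat history
# intact. bob's worker is unchanged.
# ---- Beat 10: delete alice via the gateway ----
# Deleted by sandbox name, as it was created in Beat 1.
kubectl osh delete sandbox alice
kubectl osh get sandboxes
# Only bob remains. The pre-provisioned ActorTemplate is untouched:
kubectl get actortemplate -n ate-demo-helpdesk helpdesk-agent
# ---- Cleanup ----
kubectl osh delete sandbox bob --ignore-not-found
# In Terminal A: kill the port-forwards (fg + Ctrl-C, or `kill %1 %2`), so the
# router and gateway stop being reachable on localhost once the demo is over.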