docs: add comprehensive architecture document

[hzxuzhonghu]

Summary

This PR replaces the existing overview.md with a comprehensive architecture.md that documents the full AgentCube system design based on a thorough review of the design proposals, codebase, and the official architecture diagram.

What's included

Coverage

• System Overview — layered ASCII diagram showing Client/SDK → Data Plane → Control Plane → Session Store → Kubernetes API → Runtime Sandboxes (with all workload types)
• Component deep-dives — Router, Workload Manager, PicoD, agentd, Session Store
• CRD Hierarchy — all 6 CRDs (AgentRuntime, CodeInterpreter + 4 agent-sandbox CRDs) with relationship explanations
• Key Flows — new session request (Mermaid sequence diagram), garbage collection paths
• Sandbox State Machine — Mermaid stateDiagram-v2
• Warm Pool Mechanism — CodeInterpreter pre-warming flow
• Authentication Architecture — RSA key bootstrap → provisioning → JWT runtime verification
• Supported Workload Types — table covering Custom AI Agent, Code Interpreter, MCP Server, Browser-Use, Computer-Use
• Binary/Entry Point Summary, Package Dependency Map, Configuration Reference
• Design Principles — 7 core principles including workload-agnostic sandboxes

Diagrams (Mermaid)

• New session request sequence diagram
• Sandbox state machine

Files changed

• docs/agentcube/docs/architecture/architecture.md — new comprehensive architecture document (391 lines)
• docs/agentcube/docs/architecture/overview.md — removed (content superseded)

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive architecture document for AgentCube, detailing its split-plane design, core components, and sandbox lifecycle. The review identifies several inconsistencies between the new documentation and the existing codebase, specifically regarding supported HTTP methods, default workspace paths, and binary initialization logic. Additionally, it notes missing implementation for documented configuration variables and recommends enforcing request body limits in PicoD to align with the architectural specifications.

[gemini-code-assist]

The documentation mentions a Max body: 32 MB limit for PicoD, but this limit is not explicitly enforced in pkg/picod/server.go. It is recommended to implement a request body limit (e.g., using http.MaxBytesReader) to match the architectural specification and prevent potential DoS attacks.

[gemini-code-assist]

The statement that all binaries use controller-runtime and signal.NotifyContext() is inaccurate. For instance, cmd/router does not use controller-runtime, cmd/workload-manager uses signal.Notify instead of signal.NotifyContext, and cmd/picod does not implement explicit signal handling in its main.go.

Suggested change

	All binaries use `controller-runtime` for Kubernetes integration and `signal.NotifyContext()` for graceful shutdown.
	Binaries use controller-runtime or signal handling (e.g., signal.NotifyContext) for Kubernetes integration and graceful shutdown.

[gemini-code-assist]

The configuration reference for the Router lists WORKLOAD_MANAGER_ADDR and AGENTCUBE_NAMESPACE as environment variables, but these are not currently implemented as flags or part of the router.Config struct in cmd/router/main.go.

[gemini-code-assist]

The documentation states the default workspace is /workspace, but the implementation in pkg/picod/server.go (lines 58-65) defaults to the current working directory if the workspace is not specified.

Suggested change

	| `WORKSPACE` | `/workspace` | Working directory for file operations |
	| WORKSPACE | (current directory) | Working directory for file operations |

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.46%. Comparing base (845b798) to head (d2f5a98).
⚠️ Report is 151 commits behind head on main.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #250      +/-   ##
==========================================
+ Coverage   35.60%   43.46%   +7.85%     
==========================================
  Files          29       30       +1     
  Lines        2533     2616      +83     
==========================================
+ Hits          902     1137     +235     
+ Misses       1505     1358     -147     
+ Partials      126      121       -5     

Flag	Coverage Δ
unittests	43.46% <100.00%> (+7.85%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Replaces the old, high-level architecture overview with a much more comprehensive system design document for AgentCube, covering the split-plane architecture, components, CRDs, key flows, and operational behavior.

Changes:

• Removed overview.md and introduced a new long-form architecture.md.
• Added detailed descriptions of Router, Workload Manager, PicoD, agentd, session store, CRD relationships, and key lifecycle flows.
• Added Mermaid diagrams (sequence + state machine) and configuration/build/dependency reference sections.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.

File	Description
docs/agentcube/docs/architecture/architecture.md	New comprehensive architecture doc; several sections need alignment with current code (routes/methods, config flags vs env vars, build targets, deps, interfaces).
docs/agentcube/docs/architecture/overview.md	Removed legacy overview content (superseded by architecture.md).

[Copilot]

Router invocation endpoints support both GET and POST (GET is used for file download); the doc currently lists only POST. Also, an invalid/nonexistent session ID is returned as a 404 (NotFound) via api.NewSessionNotFoundError, not a 400. Please update the route list and error-response codes to match the router implementation (see pkg/router/server.go and pkg/api/errors.go).

[Copilot]

JWT claims list mentions sandbox_id, but Router currently only adds session_id as a custom claim when signing requests (plus standard exp, iat, iss). Either document only the claims that are actually present, or update the signer/verifier to include and validate sandbox_id if it's required for the design.

Suggested change

	**JWT Claims**: `session_id`, `sandbox_id`, `exp` (expiration), `iat` (issued at)
	**JWT Claims**: `session_id`, `exp` (expiration), `iat` (issued at), `iss` (issuer)

[acsoto]

Yes we do not have sandbox_id

[hzxuzhonghu]

good, will remove

[Copilot]

make build-picod is referenced as the PicoD build target, but the repo Makefile does not define a build-picod target (only docker-build-picod). Please update the table to the correct build target/command so readers can reproduce builds reliably.

Suggested change

	| `picod` | `cmd/picod/main.go` | `make build-picod` | In-sandbox daemon: execute + files |
	| `picod` | `cmd/picod/main.go` | `make docker-build-picod` | In-sandbox daemon: execute + files |

[hzxuzhonghu]

I would like to remove the build, that does not belong to arch

[Copilot]

Statement that all binaries use controller-runtime and signal.NotifyContext() is inaccurate: Router uses signal.NotifyContext, Workload Manager uses a manual signal channel, agentd uses ctrl.SetupSignalHandler(), and PicoD does not use controller-runtime. Please adjust this line to reflect the actual shutdown/integration patterns per binary.

Suggested change

	All binaries use `controller-runtime` for Kubernetes integration and `signal.NotifyContext()` for graceful shutdown.
	Router uses `signal.NotifyContext()` for graceful shutdown, Workload Manager integrates with Kubernetes via `controller-runtime` but uses a manual signal channel, `agentd` uses `controller-runtime`'s `ctrl.SetupSignalHandler()`, and `picod` is a standalone binary without `controller-runtime` integration.

[Copilot]

Package dependency map shows cmd/agentd → pkg/agentd → pkg/apis/runtime/v1alpha1, but agentd actually imports agent-sandbox types and pkg/workloadmanager (for the annotation key), not the runtime v1alpha1 API. Please update this mapping to match the current imports to avoid misleading maintainers.

Suggested change

	cmd/agentd → pkg/agentd → pkg/apis/runtime/v1alpha1
	cmd/agentd → pkg/agentd → agent-sandbox types, pkg/workloadmanager

[Copilot]

Configuration is documented as environment variables for Router/Workload Manager/PicoD, but in the code these are primarily CLI flags (e.g., router --port, --enable-tls, --max-concurrent-requests; workload-manager --runtime-class-name, --enable-auth; picod --workspace). Also WORKSPACE env var is not used by PicoD. Please revise this section to distinguish real env vars (e.g., WORKLOAD_MANAGER_ADDR, AGENTCUBE_NAMESPACE, STORE_TYPE, REDIS_ADDR, etc.) from flags.

[volcano-sh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from hzxuzhonghu. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• docs/OWNERS
• pkg/picod/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[acsoto]

Yes we do not have sandbox_id

[acsoto]

Only in CodeInterpreter with AuthModePicoD

[hzxuzhonghu]

you mean i should mention the picod auth mode? I am thinking the auth may change

[acsoto]

Yes. If the auth will change, ignore it~

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.