Progress: core runtime refactor checkpoints

.github/workflows/deploy-staging.yml

@@ -7,6 +7,9 @@ name: Deploy Staging
 # Both update the staging apps to the target branch, then deploy.
 
 on:
+  push:
+    branches:
+      - pr188-agent-optimize
   pull_request:
     types: [labeled]
   workflow_dispatch:
@@ -23,43 +26,112 @@ jobs:
   deploy-staging:
     # For label trigger: only run when the label is exactly "deploy-staging"
     if: >
+      github.event_name == 'push' ||
       github.event_name == 'workflow_dispatch' ||
       (github.event_name == 'pull_request' && github.event.label.name == 'deploy-staging')
     runs-on: ubuntu-latest
+    env:
+      STAGING_STACK_UUID: fasbsube26s75ag6qus5bpi2
 
     steps:
       - name: Resolve target ref
         id: ref
         run: |
           if [ "${{ github.event_name }}" = "pull_request" ]; then
             echo "ref=${{ github.head_ref }}" >> "$GITHUB_OUTPUT"
+          elif [ "${{ github.event_name }}" = "push" ]; then
+            echo "ref=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
           else
             echo "ref=${{ inputs.ref }}" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Update staging backend branch
+      - name: Check out target ref
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.ref.outputs.ref }}
+
+      - name: Resolve target commit
+        id: target
         run: |
-          curl -s -X PATCH "${{ secrets.COOLIFY_URL }}/api/v1/applications/${{ secrets.COOLIFY_BACKEND_STAGING_UUID }}" \
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}" \
-            -H "Content-Type: application/json" \
-            -d '{"git_branch": "${{ steps.ref.outputs.ref }}"}'
+          set -euo pipefail
+          echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+
+      - name: Assert repo staging compose contract
+        run: |
+          set -euo pipefail
+          grep -F "leon-home:/root/.leon" docker-compose.yml >/dev/null
+          grep -F "volumes:" docker-compose.yml >/dev/null
 
-      - name: Update staging frontend branch
+      - name: Update staging stack branch
         run: |
-          curl -s -X PATCH "${{ secrets.COOLIFY_URL }}/api/v1/applications/${{ secrets.COOLIFY_FRONTEND_STAGING_UUID }}" \
+          set -euo pipefail
+          body="$(curl -sS --fail-with-body -X PATCH "${{ secrets.COOLIFY_URL }}/api/v1/applications/${STAGING_STACK_UUID}" \
             -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}" \
             -H "Content-Type: application/json" \
-            -d '{"git_branch": "${{ steps.ref.outputs.ref }}"}'
+            -d "{\"git_branch\": \"${{ steps.ref.outputs.ref }}\"}")"
+          echo "$body"
+          printf '%s' "$body" | jq -e --arg uuid "$STAGING_STACK_UUID" '.uuid == $uuid' >/dev/null
+
+      - name: Deploy staging stack
+        id: deploy
+        run: |
+          set -euo pipefail
+          body="$(curl -sS --fail-with-body "${{ secrets.COOLIFY_URL }}/api/v1/deploy?uuid=${STAGING_STACK_UUID}&force=false" \
+            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}")"
+          echo "$body"
+          printf '%s' "$body" | jq -e --arg uuid "$STAGING_STACK_UUID" '.deployments[0].resource_uuid == $uuid' >/dev/null
+          echo "deployment_uuid=$(printf '%s' "$body" | jq -r '.deployments[0].deployment_uuid')" >> "$GITHUB_OUTPUT"
+
+      - name: Wait for staging deployment
+        run: |
+          set -euo pipefail
+          deployment_uuid="${{ steps.deploy.outputs.deployment_uuid }}"
+          for _ in $(seq 1 60); do
+            body="$(curl -sS --fail-with-body "${{ secrets.COOLIFY_URL }}/api/v1/deployments/${deployment_uuid}" \
+              -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}")"
+            status="$(printf '%s' "$body" | jq -r '.status')"
+            echo "deployment status: $status"
+            if [ "$status" = "finished" ]; then
+              exit 0
+            fi
+            if [ "$status" != "queued" ] && [ "$status" != "in_progress" ]; then
+              echo "$body"
+              exit 1
+            fi
+            sleep 10
+          done
+          echo "Timed out waiting for staging deployment ${deployment_uuid}"
+          exit 1
 
-      - name: Deploy backend to staging
+      - name: Verify Coolify staging contract
         run: |
-          curl -sX GET "${{ secrets.COOLIFY_URL }}/api/v1/deploy?uuid=${{ secrets.COOLIFY_BACKEND_STAGING_UUID }}&force=false" \
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
+          set -euo pipefail
+          body="$(curl -sS --fail-with-body "${{ secrets.COOLIFY_URL }}/api/v1/applications/${STAGING_STACK_UUID}" \
+            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}")"
+          echo "$body" | jq '{uuid,git_branch,docker_compose_location}'
+          printf '%s' "$body" | jq -e --arg ref "${{ steps.ref.outputs.ref }}" '.git_branch == $ref' >/dev/null
+          printf '%s' "$body" | jq -e '.docker_compose_raw | contains("leon-home:/root/.leon")' >/dev/null
+          printf '%s' "$body" | jq -e --arg volume "${STAGING_STACK_UUID}_leon-home:/root/.leon" '.docker_compose | contains($volume)' >/dev/null
+          printf '%s' "$body" | jq -e --arg sha "${{ steps.target.outputs.sha }}" '.docker_compose | contains($sha)' >/dev/null
 
-      - name: Deploy frontend to staging
+      - name: Verify staging health contract
         run: |
-          curl -sX GET "${{ secrets.COOLIFY_URL }}/api/v1/deploy?uuid=${{ secrets.COOLIFY_FRONTEND_STAGING_UUID }}&force=false" \
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
+          set -euo pipefail
+          for attempt in $(seq 1 18); do
+            status="$(curl -sS -o /tmp/staging-health.json -w '%{http_code}' "https://app.staging.mycel.nextmind.space/api/monitor/health")"
+            echo "health attempt ${attempt}: status=${status}"
+            if [ "$status" = "200" ]; then
+              body="$(cat /tmp/staging-health.json)"
+              echo "$body"
+              printf '%s' "$body" | jq -e '.db.path == "/root/.leon/sandbox.db"' >/dev/null
+              printf '%s' "$body" | jq -e '.db.exists == true' >/dev/null
+              exit 0
+            fi
+            cat /tmp/staging-health.json || true
+            sleep 10
+          done
+          echo "Staging health contract did not become ready in time"
+          exit 1
 
       - name: Comment on PR with staging URL
         if: github.event_name == 'pull_request'
@@ -70,5 +142,5 @@ jobs:
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: `🚀 **预发部署已触发**\n\n- 前端: https://app.staging.mycel.nextmind.space\n- 后端: https://api.staging.mycel.nextmind.space\n\n分支: \`${{ steps.ref.outputs.ref }}\``
+              body: `🚀 **预发部署已触发**\n\n- 共享 Staging: https://app.staging.mycel.nextmind.space\n- API（同域反代）: https://app.staging.mycel.nextmind.space/api\n\n分支: \`${{ steps.ref.outputs.ref }}\``
             })

Dockerfile

@@ -7,11 +7,13 @@ COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
 
 # Install dependencies (cached layer before source copy)
 COPY pyproject.toml uv.lock ./
-RUN uv sync --frozen --no-dev --no-install-project
+# @@@sandbox-sdk-image-parity - shared staging/provider inventory should reflect runtime truth,
+# not "SDK missing from image" accidents while config files are present.
+RUN uv sync --frozen --no-dev --extra sandbox --extra e2b --extra daytona --no-install-project
 
 # Copy source and install project
 COPY . .
-RUN uv sync --frozen --no-dev
+RUN uv sync --frozen --no-dev --extra sandbox --extra e2b --extra daytona
 
 ENV PATH="/app/.venv/bin:$PATH"
 

README.md

@@ -95,16 +95,18 @@ Full-featured web platform for managing and interacting with agents:
 
 ### Multi-Agent Communication
 
-Agents are first-class social entities. They can discover each other, send messages, and collaborate autonomously:
+Agents are first-class social entities. They can list chats, read messages, send messages, and collaborate autonomously:
 
 ```
 Member (template)
   └→ Entity (social identity — agents and humans both get one)
        └→ Thread (agent brain / conversation)
 ```
 
-- **`chat_send`**: Agent A messages Agent B; B responds autonomously
-- **`directory`**: Agents browse and discover other entities
+- **`list_chats`**: List active conversations with unread counts and participants
+- **`read_messages`**: Read message history before responding
+- **`send_message`**: Agent A messages Agent B; B responds autonomously
+- **`search_messages`**: Search message history across chats
 - **Real-time delivery**: SSE-based chat with typing indicators and read receipts
 
 Humans also have entities — agents can initiate conversations with humans, not just the other way around.

README.zh.md

@@ -95,16 +95,18 @@ cd frontend/app && npm run dev
 
 ### 多 Agent 通讯
 
-Agent 是一等公民的社交实体，可以互相发现、发送消息、自主协作：
+Agent 是一等公民的社交实体，可以列出对话、读取消息、发送消息、自主协作：
 
 ```
 Member（模板）
   └→ Entity（社交身份——Agent 和人类都有）
        └→ Thread（Agent 大脑 / 对话）
 ```
 
-- **`chat_send`**：Agent A 给 Agent B 发消息，B 自主回复
-- **`directory`**：Agent 浏览和发现其他实体
+- **`list_chats`**：列出活跃对话、未读数和参与者
+- **`read_messages`**：先读取消息历史，再决定如何回复
+- **`send_message`**：Agent A 给 Agent B 发消息，B 自主回复
+- **`search_messages`**：跨对话搜索消息历史
 - **实时投递**：基于 SSE 的聊天，支持输入提示和已读回执
 
 人类也有 Entity——Agent 可以主动找人类对话，而不只是被动响应。

backend/web/core/dependencies.py

@@ -1,26 +1,13 @@
 """FastAPI dependency injection functions."""
 
 import asyncio
-import os
 from typing import Annotated, Any
 
 from fastapi import Depends, FastAPI, HTTPException, Request
 
 from backend.web.services.agent_pool import get_or_create_agent, resolve_thread_sandbox
 from sandbox.thread_context import set_current_thread_id
 
-# Dev bypass: set LEON_DEV_SKIP_AUTH=1 to skip JWT verification and inject a mock identity.
-# WARNING: this bypasses ALL auth — never set in production.
-_DEV_SKIP_AUTH = os.environ.get("LEON_DEV_SKIP_AUTH", "").lower() in ("1", "true", "yes")
-_DEV_PAYLOAD = {"user_id": "dev-user"}
-
-if _DEV_SKIP_AUTH:
-    import logging as _logging
-
-    _logging.getLogger(__name__).warning(
-        "LEON_DEV_SKIP_AUTH is active — JWT auth is BYPASSED for all requests. This must never be enabled in production."
-    )
-
 
 async def get_app(request: Request) -> FastAPI:
     """Get FastAPI app instance from request."""
@@ -36,9 +23,7 @@ def _get_auth_service(app: FastAPI):
 
 
 def _extract_jwt_payload(request: Request) -> dict:
-    """Extract and verify JWT payload from Bearer token. Returns {user_id}."""
-    if _DEV_SKIP_AUTH:
-        return _DEV_PAYLOAD
+    """Extract and verify JWT payload from Bearer token. Returns {user_id, entity_id}."""
     auth_header = request.headers.get("Authorization", "")
     if not auth_header.startswith("Bearer "):
         raise HTTPException(401, "Missing or invalid Authorization header")
@@ -52,14 +37,29 @@ def _extract_jwt_payload(request: Request) -> dict:
 async def get_current_user_id(request: Request) -> str:
     """Extract user_id from JWT and verify user exists. Returns 401 if user was deleted (e.g. DB reset)."""
     user_id = _extract_jwt_payload(request)["user_id"]
-    if _DEV_SKIP_AUTH:
-        return user_id
     member_repo = getattr(request.app.state, "member_repo", None)
     if member_repo and member_repo.get_by_id(user_id) is None:
         raise HTTPException(401, "User no longer exists — please re-login")
     return user_id
 
 
+async def get_current_entity_id(request: Request) -> str:
+    """Derive entity_id for the authenticated human user.
+
+    Supabase JWTs may omit custom entity claims, so keep the older
+    direct-claim path when present and otherwise derive the stable
+    human entity convention: f"{user_id}-1".
+    """
+    payload = _extract_jwt_payload(request)
+    entity_id = payload.get("entity_id")
+    if entity_id:
+        return entity_id
+    user_id = payload.get("user_id")
+    if not user_id:
+        raise HTTPException(401, "Token missing user_id")
+    return f"{user_id}-1"
+
+
 async def verify_thread_owner(
     thread_id: str,
     user_id: Annotated[str, Depends(get_current_user_id)],