feat(deploy): add AWS deployment scripts and configurations for AntiAtropos

- Add deploy/aws/deploy.sh to automate full AWS deployment on EKS
- Create eksctl cluster config with managed node groups and addons
- Add Kubernetes manifests for namespace, configmap, deployment, service,
secret, and optional ALB ingress
- Provide Prometheus agent Helm values for remote write to AMP workspace
- Include Grafana dashboard JSON placeholders for overview and live views
- Add IAM trust policy JSON for Grafana role setup
- Write comprehensive README.md with step-by-step AWS deployment guide,
instructions, and troubleshooting tips
- Enable IRSA setup for Prometheus and AntiAtropos service accounts
- Integrate building and pushing AntiAtropos Docker image to ECR
- Support ALB ingress with AWS Load Balancer Controller annotations
- Configurefeat(deploy/aws): add complete AWS deployment setup for AntiAtropos

- Add deploy script to create E metrics scraping, liveness/readiness probes, and resource limitsKS cluster, AMP workspace, IAM roles, and deploy app
- Provide eksctl cluster config with managed node

deploy/aws/README.md

@@ -0,0 +1,365 @@
+# AntiAtropos AWS Deployment Guide
+
+Complete guide for deploying AntiAtropos on AWS with EKS, Amazon Managed Prometheus (AMP), and Amazon Managed Grafana (AMG).
+
+## Architecture
+
+```
+AWS Region (us-east-1)
+├── EKS Cluster
+│   ├── AntiAtropos FastAPI pod
+│   ├── Prometheus Agent pod (remote-writes to AMP)
+│   └── Sample workload pods (optional, for live mode)
+├── Amazon Managed Prometheus (AMP)
+│   └── Workspace: antiatropos-metrics
+├── Amazon Managed Grafana (AMG)
+│   └── Workspace: antiatropos-dashboards
+├── ALB (Application Load Balancer)
+│   └── / → FastAPI, /grafana → AMG
+└── ECR (Container Registry)
+    └── antiatropos:latest
+```
+
+---
+
+## Phase 0: Prerequisites
+
+```bash
+# Install CLI tools (if not already installed)
+# AWS CLI v2
+curl "https://awscli.amazonaws.com/AWSCLIV2.msi" -o "AWSCLIV2.msi"
+msiexec /i AWSCLIV2.msi
+
+# eksctl (EKS management)
+choco install eksctl   # or: winget install --id=FluxCD.eksctl
+
+# kubectl
+choco install kubernetes-cli
+
+# Helm
+choco install kubernetes-helm
+
+# Authenticate AWS
+aws configure
+# Enter: Access Key ID, Secret Access Key, Region (us-east-1), Output (json)
+```
+
+---
+
+## Phase 1: Create the EKS Cluster
+
+### Option A: eksctl (recommended, fastest)
+
+Create file `deploy/aws/eksctl-cluster.yaml` then run:
+
+```bash
+eksctl create cluster -f deploy/aws/eksctl-cluster.yaml
+```
+
+### Option B: AWS Console
+
+1. Go to EKS → Create Cluster
+2. Name: `antiatropos`, Kubernetes 1.30
+3. Cluster service role: Create new (let EKS create it)
+4. Networking: Default VPC, all AZs
+5. Add node group: `linux-nodes`, t3.medium, 2-4 nodes
+6. Create and wait ~15 minutes
+
+### Verify
+
+```bash
+aws eks update-kubeconfig --name antiatropos --region us-east-1
+kubectl get nodes
+```
+
+---
+
+## Phase 2: Set Up Amazon Managed Prometheus (AMP)
+
+### Create AMP Workspace
+
+```bash
+aws amp create-workspace \
+  --alias antiatropos-metrics \
+  --region us-east-1
+
+# Note the workspace ARN and ID from the output
+aws amp list-workspaces --alias antiatropos-metrics --region us-east-1
+```
+
+### Install Prometheus Agent on EKS (remote-writes to AMP)
+
+```bash
+# Add the Prometheus Community Helm repo
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo update
+
+# Install prometheus agent with AMP remote write
+# Replace WORKSPACE_ID with your AMP workspace ID
+helm install prometheus-agent prometheus-community/prometheus \
+  --namespace monitoring --create-namespace \
+  -f deploy/aws/prometheus-agent-values.yaml \
+  --set prometheus.prometheusSpec.remoteWrite[0].url="https://aps-workspaces.us-east-1.amazonaws.com/workspaces/WORKSPACE_ID/api/v1/remote_write"
+```
+
+### Verify AMP is Receiving Data
+
+```bash
+# Port-forward to query AMP directly
+aws amp query-status --workspace-id WORKSPACE_ID --region us-east-1
+
+# Or use awscurl for instant queries
+pip install awscurl
+awscurl --service aps "https://aps-workspaces.us-east-1.amazonaws.com/workspaces/WORKSPACE_ID/api/v1/query?query=up" --region us-east-1
+```
+
+---
+
+## Phase 3: Set Up Amazon Managed Grafana (AMG)
+
+### Create AMG Workspace
+
+```bash
+# First, create the IAM role for Grafana (allows it to read AMP)
+aws iam create-role \
+  --role-name AntiAtroposGrafanaRole \
+  --assume-role-policy-document file://deploy/aws/grafana-trust-policy.json
+
+aws iam attach-role-policy \
+  --role-name AntiAtroposGrafanaRole \
+  --policy-arn arn:aws:iam::aws:policy/AmazonPrometheusQueryAccess
+
+aws iam attach-role-policy \
+  --role-name AntiAtroposGrafanaRole \
+  --policy-arn arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess
+
+# Create the Grafana workspace
+aws grafana create-workspace \
+  --workspace-name antiatropos-dashboards \
+  --account-access-type CURRENT_ACCOUNT \
+  --authentication-method AWS_SSO \
+  --permission-type SERVICE_MANAGED \
+  --data-sources PROMETHEUS \
+  --region us-east-1
+
+# Note the workspace URL from the output
+aws grafana list-workspaces --region us-east-1
+```
+
+### Add AMP as a Data Source in AMG
+
+1. Open the AMG workspace URL in your browser
+2. Sign in with AWS SSO
+3. Go to Configuration → Data Sources
+4. AMP should auto-discover if in same account/region
+5. Select the `antiatropos-metrics` workspace
+
+### Import AntiAtropos Dashboards
+
+```bash
+# Use the Grafana API to import dashboards
+# Replace GRAFANA_URL and API_KEY
+GRAFANA_URL="https://YOUR-WORKSPACE-id.grafana.us-east-1.amazonaws.com"
+API_KEY="YOUR-API-KEY"
+
+# Import the overview dashboard
+curl -X POST "$GRAFANA_URL/api/dashboards/db" \
+  -H "Authorization: Bearer $API_KEY" \
+  -H "Content-Type: application/json" \
+  -d @deploy/aws/grafana-dashboard-overview.json
+
+# Import the live dashboard
+curl -X POST "$GRAFANA_URL/api/dashboards/db" \
+  -H "Authorization: Bearer $API_KEY" \
+  -H "Content-Type: application/json" \
+  -d @deploy/aws/grafana-dashboard-live.json
+```
+
+---
+
+## Phase 4: Build and Push the Docker Image
+
+```bash
+# Create ECR repository
+aws ecr create-repository \
+  --repository-name antiatropos \
+  --region us-east-1
+
+# Login to ECR
+aws ecr get-login-password --region us-east-1 | \
+  docker login --username AWS --password-stdin \
+  $(aws sts get-caller-identity --query Account --output text).dkr.ecr.us-east-1.amazonaws.com
+
+# Build and push
+ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+ECR_URI=$ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/antiatropos
+
+docker build -t antiatropos:latest .
+docker tag antiatropos:latest $ECR_URI:latest
+docker push $ECR_URI:latest
+```
+
+---
+
+## Phase 5: Deploy AntiAtropos to EKS
+
+```bash
+# Apply Kubernetes manifests
+kubectl apply -f deploy/aws/k8s-namespace.yaml
+kubectl apply -f deploy/aws/k8s-configmap.yaml
+kubectl apply -f deploy/aws/k8s-deployment.yaml
+kubectl apply -f deploy/aws/k8s-service.yaml
+
+# If using AWS Load Balancer Controller (recommended)
+kubectl apply -f deploy/aws/k8s-ingress.yaml
+
+# Check rollout
+kubectl rollout status deployment/antiatropos -n antiatropos
+kubectl get pods -n antiatropos
+kubectl logs -f deployment/antiatropos -n antiatropos
+```
+
+### Environment Variables for Live Mode
+
+The deployment manifest sets these to connect AntiAtropos to real infrastructure:
+
+```yaml
+env:
+  - name: ANTIATROPOS_ENV_MODE
+    value: "live"
+  - name: PROMETHEUS_URL
+    value: "https://aps-workspaces.us-east-1.amazonaws.com/workspaces/WORKSPACE_ID"
+  - name: KUBECONFIG
+    value: ""  # Empty = use in-cluster config
+  - name: ANTIATROPOS_WORKLOAD_MAP
+    value: '{"node-0":{"deployment":"payments","namespace":"prod-sre"},"node-1":{"deployment":"checkout","namespace":"prod-sre"}}'
+```
+
+---
+
+## Phase 6: Access Your Deployment
+
+### Get the ALB URL
+
+```bash
+kubectl get ingress -n antiatropos
+# Copy the ADDRESS column
+```
+
+### Endpoints
+
+| Endpoint | URL |
+|---|---|
+| Landing Page | `http://ALB_ADDRESS/` |
+| API Health | `http://ALB_ADDRESS/health` |
+| Prometheus Metrics | `http://ALB_ADDRESS/metrics` |
+| Grafana Dashboards | AMG workspace URL (separate) |
+
+### Port-Forward for Local Debugging
+
+```bash
+# FastAPI
+kubectl port-forward -n antiatropos deployment/antiatropos 8000:8000
+
+# Direct pod metrics
+curl http://localhost:8000/metrics
+```
+
+---
+
+## Phase 7: IRSA (IAM Roles for Service Accounts)
+
+This lets the AntiAtropos pod authenticate with AMP without hardcoded credentials.
+
+```bash
+# Create OIDC provider for the EKS cluster
+eksctl utils associate-iam-oidc-provider \
+  --cluster antiatropos --region us-east-1 --approve
+
+# Create IAM role for the AntiAtropos service account
+eksctl create iamserviceaccount \
+  --cluster antiatropos \
+  --namespace antiatropos \
+  --name antiatropos-sa \
+  --attach-policy-arn arn:aws:iam::aws:policy/AmazonPrometheusQueryAccess \
+  --attach-policy-arn arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess \
+  --approve \
+  --override-existing-serviceaccounts
+
+# Redeploy to pick up the new service account
+kubectl rollout restart deployment/antiatropos -n antiatropos
+```
+
+---
+
+## Cost Estimates
+
+| Resource | Config | Monthly Cost (approx) |
+|---|---|---|
+| EKS Control Plane | 1 cluster | $73 |
+| EKS Nodes | 2x t3.medium | $60 |
+| AMP | <10GB ingest | ~$3-5 |
+| AMG | 1 editor + viewers | Free tier or ~$9 |
+| ALB | 1 load balancer | $16 |
+| ECR | <1GB storage | <$1 |
+| **Total** | | **~$150-160/month** |
+
+### Cost-Saving Tips
+
+- Use `t3.spot` for node groups (60-70% cheaper)
+- Scale nodes to 0 when not training: `kubectl cordon` + drain
+- Use Fargate profiles for the AntiAtropos pod (pay-per-pod-second)
+- Delete the cluster between training runs with `eksctl delete cluster`
+
+---
+
+## Teardown
+
+```bash
+# Delete everything in reverse order
+kubectl delete -f deploy/aws/k8s-ingress.yaml
+kubectl delete -f deploy/aws/k8s-service.yaml
+kubectl delete -f deploy/aws/k8s-deployment.yaml
+kubectl delete -f deploy/aws/k8s-configmap.yaml
+kubectl delete -f deploy/aws/k8s-namespace.yaml
+
+aws grafana delete-workspace --workspace-id AMG_WORKSPACE_ID
+aws amp delete-workspace --workspace-id AMP_WORKSPACE_ID
+aws ecr delete-repository --repository-name antiatropos --force
+
+eksctl delete cluster --name antiatropos --region us-east-1
+```
+
+---
+
+## Troubleshooting
+
+### Pods not starting
+```bash
+kubectl describe pod -n antiatropos -l app=antiatropos
+kubectl logs -n antiatropos -l app=antiatropos --previous
+```
+
+### AMP not receiving metrics
+```bash
+# Check the prometheus agent logs
+kubectl logs -n monitoring -l app.kubernetes.io/name=prometheus
+
+# Verify remote-write endpoint
+aws amp describe-workspace --workspace-id WORKSPACE_ID
+```
+
+### Can't reach AMP from pod
+```bash
+# Verify IRSA is attached
+kubectl get pod -n antiatropos -o yaml | grep -A5 serviceAccount
+
+# Check pod can reach AMP
+kubectl exec -n antiatropos deployment/antiatropos -- \
+  curl -s "https://aps-workspaces.us-east-1.amazonaws.com/workspaces/WORKSPACE_ID/api/v1/query?query=up"
+```
+
+### Grafana dashboard shows no data
+1. Verify the data source URL in AMG points to the correct AMP workspace
+2. Check time range (AMP has a retention period; default 30 days)
+3. Verify the PromQL queries in dashboards match your metric names

deploy/aws/deploy.sh

@@ -0,0 +1,208 @@
+#!/usr/bin/env bash
+# AntiAtropos AWS Quick Deploy Script
+# 
+# Prerequisites: aws cli, eksctl, kubectl, helm, docker
+# 
+# Usage:
+#   chmod +x deploy/aws/deploy.sh
+#   ./deploy/aws/deploy.sh
+#
+# This script creates all AWS resources and deploys AntiAtropos to EKS.
+# Set these environment variables before running:
+#   OPENAI_API_KEY     - Your OpenAI API key (required)
+#   AWS_REGION         - AWS region (default: us-east-1)
+#   CLUSTER_NAME       - EKS cluster name (default: antiatropos)
+
+set -euo pipefail
+
+REGION="${AWS_REGION:-us-east-1}"
+CLUSTER_NAME="${CLUSTER_NAME:-antiatropos}"
+AWS_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+echo "=== AntiAtropos AWS Deployment ==="
+echo "Region:      $REGION"
+echo "Cluster:     $CLUSTER_NAME"
+echo ""
+
+# --- Check prerequisites ---
+for cmd in aws eksctl kubectl helm docker; do
+    if ! command -v "$cmd" &>/dev/null; then
+        echo "ERROR: $cmd is not installed. Please install it first."
+        exit 1
+    fi
+done
+
+if [ -z "${OPENAI_API_KEY:-}" ]; then
+    echo "ERROR: OPENAI_API_KEY environment variable is not set."
+    exit 1
+fi
+
+# --- Phase 1: Create EKS Cluster ---
+echo ""
+echo ">>> Phase 1: Creating EKS cluster..."
+if eksctl get cluster --name "$CLUSTER_NAME" --region "$REGION" &>/dev/null; then
+    echo "Cluster $CLUSTER_NAME already exists, skipping creation."
+else
+    eksctl create cluster -f "$AWS_DIR/eksctl-cluster.yaml"
+    echo "Cluster created."
+fi
+
+aws eks update-kubeconfig --name "$CLUSTER_NAME" --region "$REGION"
+echo "kubeconfig updated."
+
+# --- Phase 2: Create AMP Workspace ---
+echo ""
+echo ">>> Phase 2: Creating Amazon Managed Prometheus workspace..."
+AMP_WS_ID=$(aws amp list-workspaces --alias antiatropos-metrics --region "$REGION" --query 'workspaces[0].workspaceId' --output text 2>/dev/null || echo "")
+
+if [ -z "$AMP_WS_ID" ] || [ "$AMP_WS_ID" = "None" ]; then
+    AMP_WS_ID=$(aws amp create-workspace \
+        --alias antiatropos-metrics \
+        --region "$REGION" \
+        --query 'workspaceId' \
+        --output text)
+    echo "AMP workspace created: $AMP_WS_ID"
+else
+    echo "AMP workspace already exists: $AMP_WS_ID"
+fi
+
+AMP_URL="https://aps-workspaces.$REGION.amazonaws.com/workspaces/$AMP_WS_ID"
+echo "AMP URL: $AMP_URL"
+
+# --- Phase 3: Set up IAM Roles for Service Accounts (IRSA) ---
+echo ""
+echo ">>> Phase 3: Setting up IRSA..."
+CLUSTER_OIDC=$(aws eks describe-cluster --name "$CLUSTER_NAME" --region "$REGION" --query 'cluster.identity.oidc.issuer' --output text | sed 's|https://||')
+ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+
+# Prometheus service account
+if kubectl get serviceaccount prometheus-sa -n monitoring &>/dev/null; then
+    echo "prometheus-sa already exists."
+else
+    eksctl create iamserviceaccount \
+        --cluster "$CLUSTER_NAME" \
+        --namespace monitoring \
+        --name prometheus-sa \
+        --attach-policy-arn arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess \
+        --approve \
+        --override-existing-serviceaccounts
+    echo "prometheus-sa created."
+fi
+
+# AntiAtropos service account
+if kubectl get serviceaccount antiatropos-sa -n antiatropos &>/dev/null; then
+    echo "antiatropos-sa already exists."
+else
+    eksctl create iamserviceaccount \
+        --cluster "$CLUSTER_NAME" \
+        --namespace antiatropos \
+        --name antiatropos-sa \
+        --attach-policy-arn arn:aws:iam::aws:policy/AmazonPrometheusQueryAccess \
+        --approve \
+        --override-existing-serviceaccounts
+    echo "antiatropos-sa created."
+fi
+
+# --- Phase 4: Install Prometheus Agent ---
+echo ""
+echo ">>> Phase 4: Installing Prometheus Agent (remote-writes to AMP)..."
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts 2>/dev/null || true
+helm repo update
+
+if helm status prometheus-agent -n monitoring &>/dev/null; then
+    echo "prometheus-agent already installed, upgrading..."
+    helm upgrade prometheus-agent prometheus-community/prometheus \
+        --namespace monitoring \
+        -f "$AWS_DIR/prometheus-agent-values.yaml" \
+        --set "prometheus.prometheusSpec.remoteWrite[0].url=$AMP_URL/api/v1/remote_write"
+else
+    helm install prometheus-agent prometheus-community/prometheus \
+        --namespace monitoring --create-namespace \
+        -f "$AWS_DIR/prometheus-agent-values.yaml" \
+        --set "prometheus.prometheusSpec.remoteWrite[0].url=$AMP_URL/api/v1/remote_write"
+    echo "prometheus-agent installed."
+fi
+
+# --- Phase 5: Build and Push Docker Image ---
+echo ""
+echo ">>> Phase 5: Building and pushing Docker image to ECR..."
+ECR_URI="$ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com/antiatropos"
+
+if aws ecr describe-repositories --repository-name antiatropos --region "$REGION" &>/dev/null; then
+    echo "ECR repository already exists."
+else
+    aws ecr create-repository --repository-name antiatropos --region "$REGION"
+    echo "ECR repository created."
+fi
+
+aws ecr get-login-password --region "$REGION" | \
+    docker login --username AWS --password-stdin \
+    "$ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com"
+
+docker build -t antiatropos:latest "$AWS_DIR/../.."
+docker tag antiatropos:latest "$ECR_URI:latest"
+docker push "$ECR_URI:latest"
+echo "Image pushed to $ECR_URI:latest"
+
+# --- Phase 6: Deploy AntiAtropos ---
+echo ""
+echo ">>> Phase 6: Deploying AntiAtropos to EKS..."
+
+# Apply namespace first
+kubectl apply -f "$AWS_DIR/k8s-namespace.yaml"
+
+# Create/update configmap with the real AMP URL
+kubectl create configmap antiatropos-config \
+    --from-literal=ANTIATROPOS_ENV_MODE=live \
+    --from-literal=ANTIATROPOS_STRICT_REAL=false \
+    --from-literal="PROMETHEUS_URL=$AMP_URL" \
+    --from-literal=KUBECONFIG="" \
+    --from-literal=ANTIATROPOS_K8S_NAMESPACE=default \
+    --from-literal=ANTIATROPOS_DEPLOYMENT_PREFIX="" \
+    --from-literal=ANTIATROPOS_MIN_REPLICAS=1 \
+    --from-literal=ANTIATROPOS_MAX_REPLICAS=20 \
+    --from-literal=ANTIATROPOS_SCALE_STEP=3 \
+    --from-literal=ANTIATROPOS_WORKLOAD_MAP='{}' \
+    --from-literal=ANTIATROPOS_NODE_DEPLOYMENT_MAP='{}' \
+    --from-literal=ANTIATROPOS_PROM_TIMEOUT_S=5.0 \
+    --from-literal=ANTIATROPOS_METRIC_AGGREGATION=sum \
+    -n antiatropos \
+    --dry-run=client -o yaml | kubectl apply -f -
+
+# Create secret with OpenAI API key
+kubectl create secret generic antiatropos-secrets \
+    --from-literal=openai-api-key="$OPENAI_API_KEY" \
+    -n antiatropos \
+    --dry-run=client -o yaml | kubectl apply -f -
+
+# Apply deployment with the correct ECR image
+sed "s|ACCOUNT_ID|$ACCOUNT_ID|g; s|us-east-1|$REGION|g" "$AWS_DIR/k8s-deployment.yaml" | kubectl apply -f -
+kubectl apply -f "$AWS_DIR/k8s-service.yaml"
+
+# Wait for rollout
+echo "Waiting for deployment to be ready..."
+kubectl rollout status deployment/antiatropos -n antiatropos --timeout=300s
+
+# --- Done ---
+echo ""
+echo "=========================================="
+echo "   AntiAtropos AWS Deployment Complete!"
+echo "=========================================="
+echo ""
+echo "AMP Workspace ID: $AMP_WS_ID"
+echo "AMP URL:          $AMP_URL"
+echo ""
+echo "Next steps:"
+echo "  1. Create an Amazon Managed Grafana workspace:"
+echo "     aws grafana create-workspace --workspace-name antiatropos-dashboards \\"
+echo "       --account-access-type CURRENT_ACCOUNT --authentication-method AWS_SSO \\"
+echo "       --permission-type SERVICE_MANAGED --data-sources PROMETHEUS --region $REGION"
+echo ""
+echo "  2. Add AMP as a data source in AMG and import dashboards from:"
+echo "     deploy/grafana/provisioning/dashboards/json/"
+echo ""
+echo "  3. Get the AntiAtropos service URL:"
+echo "     kubectl get svc -n antiatropos antiatropos"
+echo ""
+echo "  4. Port-forward for local testing:"
+echo "     kubectl port-forward -n antiatropos deployment/antiatropos 8000:8000"

deploy/aws/eksctl-cluster.yaml

@@ -0,0 +1,65 @@
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: antiatropos
+  region: us-east-1
+  version: "1.30"
+  tags:
+    Project: AntiAtropos
+    Environment: production
+
+iam:
+  withOIDC: true
+
+addons:
+  - name: vpc-cni
+    version: latest
+  - name: coredns
+    version: latest
+  - name: kube-proxy
+    version: latest
+  - name: aws-ebs-csi-driver
+    version: latest
+    wellKnownPolicies:
+      ebsCSIController: true
+
+managedNodeGroups:
+  - name: linux-nodes
+    instanceType: t3.medium
+    desiredCapacity: 2
+    minSize: 1
+    maxSize: 4
+    volumeSize: 50
+    volumeType: gp3
+    labels:
+      role: worker
+    tags:
+      Project: AntiAtropos
+      NodeGroup: linux-nodes
+    iam:
+      withAddonPolicies:
+        ebs: true
+        cloudWatch: true
+        autoScaler: true
+
+  # Optional: Spot instance group for cost savings
+  # - name: spot-nodes
+  #   instanceType: t3.medium
+  #   desiredCapacity: 1
+  #   minSize: 0
+  #   maxSize: 3
+  #   volumeSize: 30
+  #   volumeType: gp3
+  #   spot: true
+  #   labels:
+  #     role: spot-worker
+  #   tags:
+  #     Project: AntiAtropos
+
+cloudWatch:
+  clusterLogging:
+    enableTypes:
+      - api
+      - audit
+      - authenticator

deploy/aws/grafana-dashboard-live.json

@@ -0,0 +1,37 @@
+{
+  "dashboard": {
+    "__inputs": [],
+    "__requires": [],
+    "annotations": {
+      "list": []
+    },
+    "description": "AntiAtropos SRE Environment Live Dashboard - AWS Deployment. Import the full dashboard from deploy/grafana/provisioning/dashboards/json/antiatropos-live.json via the AMG UI (Dashboards > Import > Upload JSON file). After import, change the data source from the local Prometheus (UID: PBFA97CFB590B2093) to your AMP workspace data source.",
+    "editable": true,
+    "fiscalYearStartMonth": 0,
+    "graphTooltip": 1,
+    "id": null,
+    "links": [],
+    "panels": [
+      {
+        "title": "Import the full dashboard",
+        "type": "text",
+        "gridPos": {"h": 4, "w": 24, "x": 0, "y": 0},
+        "options": {
+          "mode": "markdown",
+          "content": "## Import Instructions\n\nThis is a placeholder panel. Import the full dashboard from:\n\n```\ndeploy/grafana/provisioning/dashboards/json/antiatropos-live.json\n```\n\nvia the AMG UI: **Dashboards > Import > Upload JSON file**\n\nAfter import, change the data source from the local Prometheus (UID: `PBFA97CFB590B2093`) to your AMP workspace data source."
+        }
+      }
+    ],
+    "schemaVersion": 39,
+    "tags": ["antiatropos", "sre", "aws", "live"],
+    "templating": {"list": []},
+    "time": {"from": "now-5m", "to": "now"},
+    "timepicker": {},
+    "timezone": "utc",
+    "title": "AntiAtropos Live (AWS)",
+    "uid": "antiatropos-live-aws",
+    "version": 0,
+    "refresh": "5s"
+  },
+  "overwrite": true
+}

deploy/aws/grafana-dashboard-overview.json

@@ -0,0 +1,36 @@
+{
+  "dashboard": {
+    "__inputs": [],
+    "__requires": [],
+    "annotations": {
+      "list": []
+    },
+    "description": "AntiAtropos SRE Environment Overview - AWS Deployment. Import the full dashboard from deploy/grafana/provisioning/dashboards/json/antiatropos-overview.json via the AMG UI (Dashboards > Import > Upload JSON file). After import, change the data source from the local Prometheus (UID: PBFA97CFB590B2093) to your AMP workspace data source.",
+    "editable": true,
+    "fiscalYearStartMonth": 0,
+    "graphTooltip": 1,
+    "id": null,
+    "links": [],
+    "panels": [
+      {
+        "title": "Import the full dashboard",
+        "type": "text",
+        "gridPos": {"h": 4, "w": 24, "x": 0, "y": 0},
+        "options": {
+          "mode": "markdown",
+          "content": "## Import Instructions\n\nThis is a placeholder panel. Import the full dashboard from:\n\n```\ndeploy/grafana/provisioning/dashboards/json/antiatropos-overview.json\n```\n\nvia the AMG UI: **Dashboards > Import > Upload JSON file**\n\nAfter import, change the data source from the local Prometheus (UID: `PBFA97CFB590B2093`) to your AMP workspace data source."
+        }
+      }
+    ],
+    "schemaVersion": 39,
+    "tags": ["antiatropos", "sre", "aws"],
+    "templating": {"list": []},
+    "time": {"from": "now-1h", "to": "now"},
+    "timepicker": {},
+    "timezone": "utc",
+    "title": "AntiAtropos Overview (AWS)",
+    "uid": "antiatropos-overview-aws",
+    "version": 0
+  },
+  "overwrite": true
+}

deploy/aws/grafana-trust-policy.json

@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "grafana.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "YOUR_ACCOUNT_ID"
+        }
+      }
+    }
+  ]
+}

deploy/aws/k8s-configmap.yaml

@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: antiatropos-config
+  namespace: antiatropos
+data:
+  # Environment mode: "simulated" for mock, "live" for real K8s + Prometheus
+  ANTIATROPOS_ENV_MODE: "live"
+  ANTIATROPOS_STRICT_REAL: "false"
+  
+  # Prometheus URL — replace WORKSPACE_ID with your AMP workspace ID
+  # The pod uses IRSA to authenticate; no API key needed
+  PROMETHEUS_URL: "https://aps-workspaces.us-east-1.amazonaws.com/workspaces/WORKSPACE_ID"
+  
+  # Kubernetes executor config — empty KUBECONFIG = in-cluster config
+  KUBECONFIG: ""
+  ANTIATROPOS_K8S_NAMESPACE: "default"
+  ANTIATROPOS_DEPLOYMENT_PREFIX: ""
+  ANTIATROPOS_MIN_REPLICAS: "1"
+  ANTIATROPOS_MAX_REPLICAS: "20"
+  ANTIATROPOS_SCALE_STEP: "3"
+  
+  # Workload mapping — maps simulator nodes to real K8s deployments
+  # Customize this to match your actual deployments
+  ANTIATROPOS_WORKLOAD_MAP: |
+    {
+      "node-0": {"deployment": "payments", "namespace": "prod-sre"},
+      "node-1": {"deployment": "checkout", "namespace": "prod-sre"},
+      "node-2": {"deployment": "catalog", "namespace": "prod-sre"},
+      "node-3": {"deployment": "cart", "namespace": "prod-sre"},
+      "node-4": {"deployment": "auth", "namespace": "prod-sre"}
+    }
+  ANTIATROPOS_NODE_DEPLOYMENT_MAP: "{}"
+  
+  # Prometheus query timeout
+  ANTIATROPOS_PROM_TIMEOUT_S: "5.0"
+  
+  # Metric aggregation strategy
+  ANTIATROPOS_METRIC_AGGREGATION: "sum"

deploy/aws/k8s-deployment.yaml

@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: antiatropos
+  namespace: antiatropos
+  labels:
+    app: antiatropos
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: antiatropos
+  template:
+    metadata:
+      labels:
+        app: antiatropos
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "8000"
+        prometheus.io/path: "/metrics"
+    spec:
+      serviceAccountName: antiatropos-sa
+      containers:
+        - name: antiatropos
+          # Replace ACCOUNT_ID with your AWS account ID
+          image: ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/antiatropos:latest
+          ports:
+            - containerPort: 8000
+              name: http
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: antiatropos-config
+          env:
+            # Secrets should come from AWS Secrets Manager or Kubernetes Secrets
+            - name: OPENAI_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: antiatropos-secrets
+                  key: openai-api-key
+            - name: ANTIATROPOS_TASK
+              value: "task-1"
+          resources:
+            requests:
+              cpu: 500m
+              memory: 512Mi
+            limits:
+              cpu: 2000m
+              memory: 2Gi
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8000
+            initialDelaySeconds: 15
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8000
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 3
+      # Allow scheduling on spot instances too
+      tolerations:
+        - key: "spot"
+          operator: "Equal"
+          value: "true"
+          effect: "NoSchedule"
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 50
+              preference:
+                matchExpressions:
+                  - key: role
+                    operator: In
+                    values:
+                      - worker
+                      - spot-worker

deploy/aws/k8s-ingress.yaml

@@ -0,0 +1,34 @@
+# ALB Ingress — requires AWS Load Balancer Controller installed on the cluster
+# Install it first: https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html
+#
+# If you prefer a simpler setup, just use the k8s-service.yaml LoadBalancer
+# and skip this Ingress entirely.
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: antiatropos-ingress
+  namespace: antiatropos
+  annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
+    # Uncomment for HTTPS (requires ACM certificate):
+    # alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
+    # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:ACCOUNT_ID:certificate/CERT_ID
+    alb.ingress.kubernetes.io/healthcheck-path: /health
+    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "30"
+    alb.ingress.kubernetes.io/success-codes: "200"
+    alb.ingress.kubernetes.io/tags: Project=AntiAtropos
+spec:
+  ingressClassName: alb
+  rules:
+    - http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: antiatropos
+                port:
+                  number: 80

deploy/aws/k8s-namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: antiatropos
+  labels:
+    app.kubernetes.io/name: antiatropos
+    app.kubernetes.io/part-of: antiatropos

deploy/aws/k8s-secret.yaml

@@ -0,0 +1,18 @@
+# Create this secret before deploying AntiAtropos
+# Replace the value with your actual OpenAI API key (base64-encoded)
+#
+# To encode your key:
+#   echo -n 'sk-your-key-here' | base64
+#
+# Then apply:
+#   kubectl apply -f k8s-secret.yaml
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: antiatropos-secrets
+  namespace: antiatropos
+type: Opaque
+data:
+  # base64-encoded OpenAI API key
+  openai-api-key: U0tZT1VSX09QRU5BSV9BUElfS0VZX0hFUkU=  # placeholder — replace!

deploy/aws/k8s-service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: antiatropos
+  namespace: antiatropos
+  labels:
+    app: antiatropos
+  annotations:
+    # Required for AWS Load Balancer Controller to create an NLB
+    service.beta.kubernetes.io/aws-load-balancer-type: external
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+spec:
+  type: LoadBalancer
+  selector:
+    app: antiatropos
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8000
+      protocol: TCP

deploy/aws/prometheus-agent-values.yaml

@@ -0,0 +1,86 @@
+# Helm values for Prometheus Agent that remote-writes to Amazon Managed Prometheus
+#
+# Usage:
+#   helm install prometheus-agent prometheus-community/prometheus \
+#     --namespace monitoring --create-namespace \
+#     -f prometheus-agent-values.yaml \
+#     --set prometheus.prometheusSpec.remoteWrite[0].url="https://aps-workspaces.us-east-1.amazonaws.com/workspaces/WORKSPACE_ID/api/v1/remote_write"
+#
+# Prerequisite: Create an IAM service account for the prometheus pod
+#   eksctl create iamserviceaccount \
+#     --cluster antiatropos \
+#     --namespace monitoring \
+#     --name prometheus-sa \
+#     --attach-policy-arn arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess \
+#     --approve
+
+prometheus:
+  prometheusSpec:
+    # Run as agent mode (remote-write only, no local query API)
+    agentMode: true
+
+    # Remote write — override via --set on the command line
+    remoteWrite:
+      - url: "https://aps-workspaces.us-east-1.amazonaws.com/workspaces/REPLACE_WORKSPACE_ID/api/v1/remote_write"
+        sigv4:
+          region: us-east-1
+
+    # Scrape the AntiAtropos FastAPI /metrics endpoint
+    additionalScrapeConfigs:
+      - job_name: antiatropos
+        metrics_path: /metrics
+        scrape_interval: 15s
+        kubernetes_sd_configs:
+          - role: pod
+            namespaces:
+              names:
+                - antiatropos
+        relabel_configs:
+          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+            action: keep
+            regex: true
+          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+            action: replace
+            target_label: __metrics_path__
+            regex: (.+)
+          - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+            action: replace
+            regex: ([^:]+)(?::\d+)?;(\d+)
+            replacement: $1:$2
+            target_label: __address__
+          - action: labelmap
+            regex: __meta_kubernetes_pod_label_(.+)
+          - source_labels: [__meta_kubernetes_namespace]
+            action: replace
+            target_label: namespace
+          - source_labels: [__meta_kubernetes_pod_name]
+            action: replace
+            target_label: pod
+
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
+
+    # Short retention since we're remote-writing everything to AMP
+    retention: 2h
+
+  # Use the IAM service account for AMP authentication
+  serviceAccount:
+    name: prometheus-sa
+    create: false
+
+# Disable alertmanager (AMP handles alerting if needed)
+alertmanager:
+  enabled: false
+
+# Disable pushgateway
+pushgateway:
+  enabled: false
+
+# Disable server (we only need the agent)
+server:
+  enabled: false