# alphaswarm-core

The FastAPI gateway for the AlphaSwarm runtime. Every business route
(strategies, bots, backtests, RL experiments, analysis runs, agents,
ingestion, ml-mcp, terraform, tenancy, paper trading, kill switch) is
mounted on this pod. The control plane (`alphaswarm-cp`) is a sibling
service, not a parent — `/manage/*` lives there.

## Identity

| Field | Value |
|---|---|
| Service id | alphaswarm-core |
| Role | api |
| Package | alphaswarm/ |
| Image (key) | api |
| Built from | alphaswarm_platform/Dockerfile (target api, multi-arch amd64+arm64, Chainguard Wolfi base, uv install) |

## Wire

| Field | Value |
|---|---|
| Protocol | HTTP/1.1 + HTTP/2 + WebSocket |
| Port | 8000 |
| Health | GET /readyz (ready) / GET /healthz (live) |
| Public URL | — (private; reached through the per-cell ingress / app.alpha-swarm.ai BFF for SPA traffic) |
| OIDC issuer for tokens it accepts | MsalEntraValidator (Entra primary) → Auth0 fallback per identity.md |

## Deployment surfaces

| Surface | Where |
|---|---|
| Compose (local dev) | service api in alphaswarm_platform/compose/docker-compose.yml; also alphaswarm-core in deployments/compose/docker-compose.local.yml |
| Kustomize | deployments/kubernetes/base/alphaswarm-core/ — Deployment + Service + HPA + PDB |
| AQP CR | AQPMonolith — render path emits Deployment + Service + ConfigMap + (optional) Ingress |
| Terraform template | reachable through every aws-*-cell / gcp-full-cell / azure-full-cell template (see services.md) |

## Dependencies

Upstream services this pod calls:

- `postgres` (5432) — primary OLTP + Alembic migrations.
- `redis` (6379) — session, semantic cache, kill-switch key, Celery broker.
- `neo4j` (7687) — ownership graph + lineage DAG.
- `chromadb` (8001) and `milvus` — vector search (when feature flag on).
- `mlflow` (5000) — model registry.
- `otel-collector` (4317) — OTLP traces + metrics + logs.
- `polaris` / Iceberg REST + `minio` — lakehouse reads/writes (via DataMCP).
- `alphaswarm-cp` (`/manage/*`) — workload lifecycle calls (control plane).

Downstream callers (HTTP-only):

- `alphaswarm-client` — Vite SPA + FastAPI gateway.
- `alphaswarm-ui` — Next.js dashboard (BFF routes proxy to here).
- `alphaswarm-admin` — internal admin (audit-first surface).
- `alphaswarm-ide` — Theia IDE (MCP-driven research copilot).
- `alphaswarm-cli` — operator CLI.
- `alphaswarm-worker` — Celery worker (calls back for progress / lookups).
- Bot pods (per-cell `QuantBot` CRs).

## Key routes

The route tree is the union of `alphaswarm/api/routes/*.py`. Key
prefixes:

| Prefix | Concept doc |
|---|---|
| `/strategies/*`, `/bots/*`, `/backtests/*` | strategy-framework.md |
| `/agents/*`, `/workflows/*`, `/labs/*` | agents.md |
| `/rl/*` | rl-framework.md |
| `/data/*`, `/ingest/*`, `/lineage/*` | data-plane.md |
| `/ml/*`, `/predictors/*` | ml-framework.md |
| `/terraform/*` | terraform-control-plane.md |
| `/tenancy/*`, `/membership/*` | identity.md |
| `/halt`, `/kill-switch` | observability.md |
| `/mcp/*` (multiple servers) | data-mcp.md |
| `/ws/*` | WebSocket progress streams |

## Operations

- Scaling: HPA target `cpu=70%`, `min=3 / max=12` in prod; `min=1 / max=3` in dev.
- Disruption: PDB `minAvailable=2` in prod; `0` in dev.
- Step-up MFA: destructive routes (`/manage/terraform/apply`, `/manage/credentials/cloud-cli/*`, `/halt`) require RFC 9470 `acr=high`. See `auth-stepup-and-byok`.
- Audit: every state-mutating action lands a `workload_runs` row through `WorkloadRuntime`; every Terraform action lands a `terraform_runs` row through `TerraformRuntime`.
- Redaction: `WorkloadRuntime` strips secrets from audit payloads per the always-on `alphaswarm-management-engine` rule. Token prefixes (4 chars max) are only printed behind an explicit `--unsafe-print-token-prefixes` operator flag.
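The step-up rule above, as an added example that is not alphaswarm's own code: a framework-free check that maps the three destructive route patterns to an RFC 9470 `acr=high` requirement and, when the presented token falls short, returns the `insufficient_user_authentication` challenge the RFC defines. The route list is taken from this page; the glob matching, the 300-second freshness window and the claim shape (`acr`, `auth_time`) are assumptions, and wiring it as a FastAPI dependency behind the Entra/Auth0 validator is left to the reader.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Destructive routes listed on this page; the trailing-glob form is an assumption.
STEP_UP_ROUTES = (
    "/manage/terraform/apply",
    "/manage/credentials/cloud-cli/*",
    "/halt",
)
REQUIRED_ACR = "high"
MAX_AUTH_AGE_S = 300  # assumed freshness window for the step-up authentication


@dataclass
class Decision:
    allowed: bool
    status: int = 200
    headers: dict = field(default_factory=dict)


def requires_step_up(path: str) -> bool:
    # Case-sensitive glob match so "/halt" does not cover "/haltx" or "/Halt".
    return any(fnmatchcase(path, pattern) for pattern in STEP_UP_ROUTES)


def challenge(reason: str) -> Decision:
    # RFC 9470 section 3: 401 with error="insufficient_user_authentication" and the
    # acr_values / max_age the client must satisfy when it re-authenticates.
    hdr = (
        'Bearer error="insufficient_user_authentication", '
        f'error_description="{reason}", '
        f'acr_values="{REQUIRED_ACR}", max_age={MAX_AUTH_AGE_S}'
    )
    return Decision(False, 401, {"WWW-Authenticate": hdr})


def check_step_up(path: str, claims: dict, now: int) -> Decision:
    """Decide whether an already-validated token may call `path` at time `now`."""
    if not requires_step_up(path):
        return Decision(True)
    if claims.get("acr") != REQUIRED_ACR:
        return challenge("acr=high required for this route")
    auth_time = claims.get("auth_time")
    # A high-acr token from hours ago is not a fresh step-up; demand a new one.
    if not isinstance(auth_time, int) or now - auth_time > MAX_AUTH_AGE_S:
        return challenge("step-up authentication too old")
    return Decision(True)
```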

## See also

- `control-plane-topology.md` — how callers find this pod's URL.
- `alphaswarm/AGENTS.md` — runtime hard rules (`router_complete` only path for LLM calls, DataMCP only path for agent reads, etc.).
- `alphaswarm-cp.md` — sibling control plane.