Justin0504
diff --git a/‎README.md‎
Lines changed: 20 additions & 4 deletions b/‎README.md‎
Lines changed: 20 additions & 4 deletions
diff --git a/‎docs/CONFIG.md‎
Lines changed: 106 additions & 0 deletions b/‎docs/CONFIG.md‎
Lines changed: 106 additions & 0 deletions
diff --git a/‎docs/MULTI_INSTANCE.md‎
Lines changed: 22 additions & 0 deletions b/‎docs/MULTI_INSTANCE.md‎
Lines changed: 22 additions & 0 deletions
@@ -21,6 +21,8 @@
 
 # Sovereign-OS
 
+**宪法优先的 AI 编排底座：一条 Charter 定义身份与预算，CEO 规划、CFO 把关、Auditor 判分、Ledger 不可篡改。** [快速开始](#-quick-start) · [Quick Start](#-quick-start)
+
 **One command. One Charter. A digital corporation that thinks, spends, and answers for every token.**
 
 Not another chatbot. Not another “AI agent framework.” Sovereign-OS is the **constitution-first substrate**: one YAML defines who the entity is, what it may spend, and how success is measured. The CEO plans. The CFO gates. The Auditor judges. **The Ledger never lies.**
@@ -56,7 +58,9 @@ python -m sovereign_os.web.app
 # Open http://localhost:8000 — run missions, approve jobs, watch balance & token usage.
 ```
 
-**Want to charge for work?** [3-step guide →](docs/QUICKSTART.md) (Stripe + one LLM key; 13 built-in workers out of the box.)
+**Want to charge for work?** [3-step guide →](docs/QUICKSTART.md) (Stripe + one LLM key; 16 built-in workers out of the box.)
+
+**One-click deploy:** [DEPLOY.md](docs/DEPLOY.md) — Docker Compose, volumes, graceful shutdown.
 
 ---
 
@@ -107,12 +111,18 @@ Phases 1–6a done (governance, ledger, MCP, audit trail, Stripe, webhook). Phas
 
 ## 🚀 Features
 
-- **📦 13 built-in workers** — summarize, research, reply, write_article, solve_problem, write_email, write_post, meeting_minutes, translate, rewrite_polish, collect_info, extract_structured, spec_writer. No code; configure Stripe + one LLM key and run paid jobs. [QUICKSTART](docs/QUICKSTART.md)
+- **📦 16 built-in workers** — summarize, research, reply, write_article, solve_problem, write_email, write_post, meeting_minutes, translate, rewrite_polish, collect_info, extract_structured, spec_writer, **assistant_chat**, **code_assistant**, **code_review**. No code; configure Stripe + one LLM key and run paid jobs. [QUICKSTART](docs/QUICKSTART.md)
 - **🔄 Multi-model** — Strategist and workers can use different backends (e.g. GPT-4o for planning, cheaper models for execution).
 - **🔐 SovereignAuth** — RBAC by TrustScore. READ_FILES, WRITE_FILES, SPEND_USD, CALL_API gated; agents earn capabilities.
 - **🌐 Web Dashboard (24/7)** — Run missions, job queue, approve/retry, health, token usage, audit trail. Optional ingest from URL; Stripe charges; webhook on completion.
 - **🔌 MCP native** — Plug into the same tool graph as the rest of the ecosystem.
-- **📊 Observability** — OpenTelemetry, Prometheus metrics, verifiable audit trail with `proof_hash`.
+- **📊 Observability** — OpenTelemetry, Prometheus metrics (`GET /metrics`: job counters, duration, queue gauges), verifiable audit trail with `proof_hash`.
+- **🔒 Security** — API key via env; constant-time comparison; job input validation; optional IP whitelist and rate limit. [CONFIG](docs/CONFIG.md).
+
+<p align="center">
+  <a href="docs/dashboard.png"><img src="docs/dashboard.png" alt="Dashboard" width="720" style="max-width:100%"/></a>
+</p>
+<sub align="center">Add <code>docs/dashboard.png</code> for a Dashboard screenshot; link and size above are ready.</sub>
 
 ---
 
@@ -125,7 +135,7 @@ sovereign_os/
 ├── governance/   # CEO (Strategist) + CFO (Treasury) + Engine
 ├── agents/       # Workers, Registry, SovereignAuth
 ├── auditor/      # ReviewEngine, AuditReport (proof_hash)
-├── jobs/         # JobStore (SQLite queue)
+├── jobs/         # JobStore (SQLite), RedisJobStore (Redis queue)
 ├── ingest/       # Poll URL → enqueue jobs
 ├── web/          # FastAPI dashboard, /api/jobs, /health, Stripe webhook
 └── ui/           # Textual TUI (optional)
@@ -146,6 +156,12 @@ tests/            # pytest
 | [Monetization](docs/MONETIZATION.md) | Job queue, Stripe, approval, compliance, human-out-of-loop. |
 | [Audit proof](docs/AUDIT_PROOF.md) | Verifiable trail, `proof_hash`, integrity check. |
 | [Optimization roadmap](docs/OPTIMIZATION_ROADMAP.md) | Next steps: reliability, observability, security, scale. |
+| [Future development plan](docs/FUTURE_DEVELOPMENT.md) | Wave-by-wave plan: stability, UX/deploy, workers/scale, community. |
+| [Deploy (Docker)](docs/DEPLOY.md) | One-click deploy, volumes, health, graceful shutdown. |
+| [Backup](docs/BACKUP.md) | Back up job DB and ledger for disaster recovery. |
+| [Multi-instance](docs/MULTI_INSTANCE.md) | Concurrency, Redis queue for multi-instance workers, scaling. |
+| [Good first issues](docs/GOOD_FIRST_ISSUES.md) | Contribution ideas: docs, tests, examples. |
+| [Release process](docs/RELEASE.md) | How to cut a release and update CHANGELOG. |
 
 ---
 
 
@@ -0,0 +1,106 @@
+# Configuration & environment variables
+
+All optional unless noted. Set in the shell, `.env`, or your process manager (e.g. Docker Compose).
+
+## Core
+
+| Variable | Description |
+|----------|-------------|
+| `SOVEREIGN_LEDGER_PATH` | Path to the ledger JSONL file (append-only USD/token log). If unset, ledger is in-memory. |
+| `SOVEREIGN_JOB_DB` | Path to the SQLite job queue DB (e.g. `jobs.db`). Used only when `REDIS_URL` is not set. If both unset, jobs are in-memory. |
+| `REDIS_URL` | When set, use Redis as job store and shared approved queue (multi-instance workers). Install with `pip install -e ".[deploy]"`. |
+| `SOVEREIGN_CHARTER` | Default charter name shown in the Web UI (e.g. `Default`). |
+
+## Web UI & API
+
+| Variable | Description |
+|----------|-------------|
+| `SOVEREIGN_API_KEY` | If set, `POST /api/jobs` requires `X-API-Key` or `Authorization: Bearer <key>`. |
+| `SOVEREIGN_JOB_RATE_LIMIT_PER_MIN` | If set (e.g. `60`), limits how many `POST /api/jobs` requests each client IP can make per minute; returns 429 when exceeded. |
+| `SOVEREIGN_JOB_MAX_RETRIES` | Max retries for a single job via `POST /api/jobs/{id}/retry` (default `2`). Only `failed` / `payment_failed` jobs are retryable. |
+| `SOVEREIGN_JOB_WORKER_CONCURRENCY` | Max jobs run in parallel by the worker (default `1`). Set to `2` or more for higher throughput. |
+| `SOVEREIGN_JOB_IP_WHITELIST` | Optional. Comma-separated IPs allowed to call `POST /api/jobs` and `POST /api/jobs/batch`; others get 403. |
+| (none) | Web UI: `GET /` (dashboard), `GET /health`, `GET /docs` (FastAPI Swagger). Dashboard shows “Auto-approve ON” / “Compliance auto ON” when those env vars are set. |
+
+**`GET /health` response** (for operators): `status`, `ledger`, `redis`, `config_warnings`, `jobs_total`, `jobs_pending`, `jobs_running`, `last_job_completed_at` (Unix timestamp of last completed/failed job), `auto_approve_jobs`, `compliance_auto_proceed`. **Production hints in config_warnings:** when `STRIPE_API_KEY` contains `sk_live_` or when Stripe is set but `SOVEREIGN_API_KEY` is not, a warning is added. Use `config_warnings` to detect incomplete or unsafe production setup.
+
+**Job creation:** `POST /api/jobs` validates `goal` length (max 20 000 chars), `amount_cents` (0–1 000 000), and `callback_url` (must be valid http(s) URL). Rate limit: set `SOVEREIGN_JOB_RATE_LIMIT_PER_MIN` (per client IP). Optional body: `priority` (int; higher runs first), `run_after_ts` or `run_after_sec`. Failed/payment_failed jobs can be retried via `POST /api/jobs/{id}/retry` up to `SOVEREIGN_JOB_MAX_RETRIES` (default 2). **Metrics:** `GET /metrics` returns Prometheus text (sovereign_jobs_completed_total, sovereign_job_duration_seconds, sovereign_jobs_pending/running).
+
+## 24/7 & ingestion
+
+The Web process is designed for **24/7** operation: a background thread continuously picks approved jobs from the queue (every few seconds), and when `SOVEREIGN_INGEST_URL` is set, another thread polls that URL for new work. Run the process under Docker (`restart: unless-stopped`), systemd, or another process manager so it stays up and restarts on failure. Use `SOVEREIGN_JOB_DB` and `SOVEREIGN_LEDGER_PATH` so jobs and ledger persist across restarts.
+
+| Variable | Description |
+|----------|-------------|
+| `SOVEREIGN_INGEST_URL` | JSON URL to poll for new jobs. Response: array or `{ "jobs": [...] }` with `goal`, optional `charter`, `amount_cents`, `currency`. |
+| `SOVEREIGN_INGEST_INTERVAL_SEC` | Polling interval in seconds (default `60`). |
+| `SOVEREIGN_INGEST_DEDUP_SEC` | If set (e.g. `300`), the ingest poller will not enqueue a job when one with the same `goal` and `amount_cents` was already created within this many seconds. Reduces duplicate jobs from repeated polling. |
+
+## Audit trail (verifiable)
+
+| Variable | Description |
+|----------|-------------|
+| `SOVEREIGN_AUDIT_TRAIL_PATH` | Path to JSONL file where each `AuditReport` is appended (with `proof_hash`). Enables `GET /api/audit_trail`. |
+
+## Compliance (Phase 6b)
+
+| Variable | Description |
+|----------|-------------|
+| `SOVEREIGN_COMPLIANCE_SPEND_THRESHOLD_CENTS` | If set to a positive number, the Web UI engine uses `ThresholdComplianceHook`: when a task’s estimated cost (cents) is ≥ this value, the job is put back to `pending` with “Human approval required” until a second approval. See [MONETIZATION.md](MONETIZATION.md) and [PHASE6.md](PHASE6.md). |
+| `SOVEREIGN_COMPLIANCE_AUTO_PROCEED` | When set to `true` (or `1`/`yes`), the CFO does **not** require human approval when the compliance hook returns “request human approval” for spend above the threshold; the task is allowed to proceed (human-out-of-loop for high spend). Use only when you accept the risk. |
+
+## Human out of loop
+
+| Variable | Description |
+|----------|-------------|
+| `SOVEREIGN_AUTO_APPROVE_JOBS` | When set to `true` (or `1`/`yes`), every new job (from `POST /api/jobs` or ingest) is immediately set to `approved` so the worker runs it without a human clicking Approve. Full **human-out-of-loop**: ingest → auto-approve → run → charge → webhook. |
+| `SOVEREIGN_COMPLIANCE_AUTO_PROCEED` | See Compliance above. Together with `SOVEREIGN_AUTO_APPROVE_JOBS`, both gates can be automated. |
+
+## Job completion webhook (delivery / proactive contact)
+
+| Variable | Description |
+|----------|-------------|
+| `SOVEREIGN_WEBHOOK_URL` | When a job reaches `completed` or `payment_failed`, a POST is sent to this URL with a JSON payload (job_id, status, goal, amount_cents, result_summary, audit_score, etc.). Optional. |
+| `SOVEREIGN_WEBHOOK_SECRET` | If set, the request body is signed with HMAC-SHA256 and sent in header `X-Sovereign-Signature: sha256=<hex>`. Receivers should verify this. |
+| `SOVEREIGN_WEBHOOK_LOG_PATH` | If set (default `data/webhook_log.jsonl` when logging is enabled), failed webhook deliveries (after all retries) are appended as one JSONL line per failure (url, job_id, status, error, ts). |
+| Per-job `callback_url` | In `POST /api/jobs` body you can pass `callback_url`; when that job completes, the webhook is sent to this URL instead of (or in addition to) the global `SOVEREIGN_WEBHOOK_URL`. |
+| (payload) | Each job gets a `request_id` (trace id) at creation; it is included in the webhook payload when set, for correlating logs and delivery. |
+
+Payload format and retries: see [OPEN_SOURCE_READY_PLAN.md](OPEN_SOURCE_READY_PLAN.md) (Webhook 载荷规范). Typical use: your backend receives the webhook and then notifies the customer (email, Slack, etc.).
+
+## Payments (Stripe)
+
+| Variable | Description |
+|----------|-------------|
+| `STRIPE_API_KEY` | Stripe secret key for charges. |
+| `STRIPE_WEBHOOK_SECRET` | Webhook signing secret; if set, `POST /api/webhooks/stripe` verifies `Stripe-Signature`. |
+
+## Infrastructure
+
+| Variable | Description |
+|----------|-------------|
+| `REDIS_URL` | Redis connection URL. If set, `GET /health` checks Redis; used for optional state/cache. |
+
+## LLM & optional extras
+
+- **LLM:** Configured via `sovereign_os.llm.providers` (e.g. `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`). See `[llm]` optional dependency. If only `ANTHROPIC_API_KEY` is set (no `OPENAI_API_KEY`), the default provider is `anthropic` with model `claude-3-5-sonnet-20241022`; no need to set `SOVEREIGN_LLM_PROVIDER` for Anthropic-only use.
+- **Memory (ChromaDB):** Optional; see `[memory]` and `sovereign_os.memory.manager`.
+- **Telemetry:** Optional OpenTelemetry/Prometheus; see `[telemetry]` and `sovereign_os.telemetry.tracer`.
+
+## Example (Docker Compose)
+
+```yaml
+environment:
+  SOVEREIGN_LEDGER_PATH: /app/data/ledger.jsonl
+  SOVEREIGN_JOB_DB: /app/data/jobs.db
+  SOVEREIGN_AUDIT_TRAIL_PATH: /app/data/audit.jsonl
+  SOVEREIGN_API_KEY: "${SOVEREIGN_API_KEY}"
+  REDIS_URL: redis://redis:6379/0
+```
+
+## CLI
+
+- **Charter path:** Required for `sovereign run` (e.g. `-c charter.example.yaml`). Exits with error if the file is missing.
+- **Ledger:** `sovereign run --ledger /path/to/ledger.jsonl` or `SOVEREIGN_LEDGER_PATH` to persist ledger.
+- **Audit trail:** `sovereign run --audit-trail /path/to/audit.jsonl` or `SOVEREIGN_AUDIT_TRAIL_PATH` to append AuditReports.
+- **Version:** `sovereign --version` prints the package version.
@@ -0,0 +1,22 @@
+# Multi-instance and horizontal scaling
+
+By default, the job queue is stored in **SQLite** (`SOVEREIGN_JOB_DB`). A single Web process runs the job worker; with `SOVEREIGN_JOB_WORKER_CONCURRENCY` you can run several jobs in parallel on that same process.
+
+## Single instance (current)
+
+- One Web process = one writer to the SQLite DB.
+- **Concurrency:** Set `SOVEREIGN_JOB_WORKER_CONCURRENCY=2` (or higher) to run multiple jobs in parallel on that instance.
+- **Backup:** See [BACKUP.md](BACKUP.md) for backing up the job DB and ledger.
+
+## Multiple instances (Redis queue)
+
+When **`REDIS_URL`** is set, the app uses **Redis** as the job store and approved queue. Any number of Web processes can run; workers claim the next approved job via `BRPOP` on `sovereign:queue:approved`. Install with `pip install -e ".[deploy]"` (adds `redis`). Jobs are stored in Redis hashes; approval pushes the job id to the shared list so any instance can pop and run it.
+
+| Env | Effect |
+|-----|--------|
+| `REDIS_URL` | Use Redis for job storage and approved queue; enables multi-instance workers. |
+| `SOVEREIGN_JOB_DB` | Used only when `REDIS_URL` is not set; SQLite path for single-instance persistence. |
+
+## Single worker + multiple API servers (SQLite)
+
+To run **multiple Web processes** with SQLite (no Redis), use a **single worker process** that has `SOVEREIGN_JOB_DB` and the worker loop, and one or more **API-only** processes (no worker) that share the same DB path over a shared volume. Only the single worker should write. Prefer Redis or one instance with `SOVEREIGN_JOB_WORKER_CONCURRENCY` for simplicity.