docs: redesign README with Mermaid architecture diagram and badges

Author: AlexsJones

README.md

@@ -1,69 +1,79 @@
 # K8sClaw
----
+
 <p align="center">
   <img src="icon.svg" alt="k8sclaw icon" width="128" height="128">
 </p>
 
-**Kubernetes-native AI Agent Management Platform**
-
-K8sClaw decomposes a monolithic AI agent gateway into a multi-tenant, horizontally scalable system where every sub-agent runs as an ephemeral Kubernetes pod.
-
-### Quick install (macOS / Linux)
+<p align="center">
+  <strong>Kubernetes-native AI Agent Management Platform</strong><br>
+  <em>Decompose monolithic AI agent gateways into multi-tenant, horizontally scalable systems where every sub-agent runs as an ephemeral Kubernetes pod.</em>
+</p>
 
-```bash
-curl -fsSL https://deploy.k8sclaw.ai/install.sh | sh
-```
+<p align="center">
+  <a href="https://github.com/AlexsJones/k8sclaw/actions"><img src="https://github.com/AlexsJones/k8sclaw/actions/workflows/build.yaml/badge.svg" alt="Build"></a>
+  <a href="https://github.com/AlexsJones/k8sclaw/releases/latest"><img src="https://img.shields.io/github/v/release/AlexsJones/k8sclaw" alt="Release"></a>
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue" alt="License"></a>
+</p>
 
-Downloads the latest CLI binary from GitHub and installs it to `/usr/local/bin` (or `~/.local/bin`).
+---
 
-### Deploy to your cluster
+### Quick Install (macOS / Linux)
 
 ```bash
-k8sclaw install
+curl -fsSL https://deploy.k8sclaw.ai/install.sh | sh
 ```
 
-That's it. This downloads the release manifests and applies CRDs, controllers, webhook, RBAC, and network policies to your current `kubectl` context.
-
-To remove:
+### Deploy to Your Cluster
 
 ```bash
-k8sclaw uninstall
+k8sclaw install          # CRDs, controllers, webhook, NATS, RBAC, network policies
+k8sclaw uninstall        # clean removal
 ```
 
 ## Architecture
 
-```
-┌─────────────────────────────────────────────────────┐
-│                  Control Plane                       │
-│  ┌──────────┐  ┌──────────┐  ┌────────────────────┐│
-│  │Controller │  │   API    │  │     Admission      ││
-│  │ Manager   │  │  Server  │  │     Webhook        ││
-│  └────┬─────┘  └────┬─────┘  └────────────────────┘│
-│       │              │                               │
-│  ┌────┴──────────────┴────┐                         │
-│  │    NATS Event Bus      │                         │
-│  └────────────────────────┘                         │
-│                                                      │
-│  ┌──────────┐  ┌──────────┐  ┌──────────┐          │
-│  │ Telegram │  │  Slack   │  │ Discord  │  ...      │
-│  │ Channel  │  │ Channel  │  │ Channel  │          │
-│  └──────────┘  └──────────┘  └──────────┘          │
-│                                                      │
-│  ┌──────────────────────────────────────┐           │
-│  │         Agent Pods (ephemeral)        │          │
-│  │  ┌─────────┐ ┌───────┐ ┌──────────┐ │          │
-│  │  │  Agent  │ │  IPC  │ │ Sandbox  │ │          │
-│  │  │Container│ │Bridge │ │(optional)│ │          │
-│  │  └─────────┘ └───────┘ └──────────┘ │          │
-│  └──────────────────────────────────────┘           │
-└─────────────────────────────────────────────────────┘
+```mermaid
+graph TB
+    subgraph CP["Control Plane"]
+        CM[Controller Manager]
+        API[API Server]
+        WH[Admission Webhook]
+        NATS[(NATS JetStream)]
+        CM --- NATS
+        API --- NATS
+        WH -.- CM
+    end
+
+    subgraph CH["Channel Pods"]
+        TG[Telegram]
+        SL[Slack]
+        DC[Discord]
+        WA[WhatsApp]
+    end
+
+    subgraph AP["Agent Pods · ephemeral"]
+        direction LR
+        A1[Agent Container]
+        IPC[IPC Bridge]
+        SB[Sandbox]
+    end
+
+    TG & SL & DC & WA --- NATS
+    NATS --- IPC
+    A1 -. "/ipc volume" .- IPC
+    A1 -. optional .- SB
+
+    style CP fill:#1a1a2e,stroke:#e94560,color:#fff
+    style CH fill:#16213e,stroke:#0f3460,color:#fff
+    style AP fill:#0f3460,stroke:#53354a,color:#fff
+    style NATS fill:#e94560,stroke:#fff,color:#fff
 ```
 
 ## Custom Resources
 
 | CRD | Description |
 |-----|-------------|
-| `ClawInstance` | Per-user/per-tenant gateway configuration |
+| `ClawInstance` | Per-user / per-tenant gateway configuration |
 | `AgentRun` | Ephemeral agent execution (maps to a K8s Job) |
 | `ClawPolicy` | Feature and tool gating policy |
 | `SkillPack` | Portable skill bundles (generates ConfigMaps) |
@@ -89,48 +99,36 @@ k8sclaw/
 │   ├── session/            # Session persistence (PostgreSQL)
 │   └── channel/            # Channel base types
 ├── channels/               # Channel pod implementations
-│   ├── telegram/
-│   ├── whatsapp/
-│   ├── discord/
-│   └── slack/
 ├── images/                 # Dockerfiles
 ├── config/                 # Kubernetes manifests
 │   ├── crd/bases/          # CRD YAML definitions
 │   ├── manager/            # Controller + API server deployment
 │   ├── rbac/               # ServiceAccount, ClusterRole, bindings
 │   ├── webhook/            # Webhook deployment + configuration
 │   ├── network/            # NetworkPolicy for agent isolation
+│   ├── nats/               # NATS JetStream deployment
+│   ├── cert/               # TLS certificate resources
 │   └── samples/            # Example custom resources
 ├── migrations/             # PostgreSQL schema migrations
 ├── docs/                   # Design documentation
-├── go.mod
 ├── Makefile
 └── README.md
 ```
 
 ## Prerequisites
 
 - Kubernetes cluster (v1.28+)
-- NATS with JetStream enabled
-- PostgreSQL with pgvector extension
 - `kubectl` configured to your cluster
 
-## Quick Start
+> NATS and cert-manager are installed automatically by `k8sclaw install`.
 
-### Install the CLI
+## Quick Start
 
 ```bash
-# macOS / Linux
+# Install the CLI
 curl -fsSL https://deploy.k8sclaw.ai/install.sh | sh
 
-# Or build from source
-make build-k8sclaw
-```
-
-### Deploy K8sClaw
-
-```bash
-# Install to your cluster
+# Deploy to your cluster
 k8sclaw install
 
 # Or install a specific version
@@ -140,56 +138,37 @@ k8sclaw install --version v0.1.0
 kubectl apply -f https://raw.githubusercontent.com/AlexsJones/k8sclaw/main/config/samples/clawinstance_sample.yaml
 ```
 
-### Use the CLI
-
-```bash
-# List instances
-k8sclaw instances list
-
-# List agent runs
-k8sclaw runs list
-
-# Enable a feature gate
-k8sclaw features enable browser-automation --policy default-policy
-
-# List feature gates
-k8sclaw features list --policy default-policy
-```
-
-### Remove K8sClaw
+### CLI Usage
 
 ```bash
-k8sclaw uninstall
+k8sclaw instances list                              # list instances
+k8sclaw runs list                                   # list agent runs
+k8sclaw features enable browser-automation \
+  --policy default-policy                           # enable a feature gate
+k8sclaw features list --policy default-policy       # list feature gates
 ```
 
 ## Development
 
 ```bash
-# Run tests
-make test
-
-# Run linter
-make lint
-
-# Generate CRD manifests
-make manifests
-
-# Run the controller locally (requires kubeconfig)
-make run
+make test        # run tests
+make lint        # run linter
+make manifests   # generate CRD manifests
+make run         # run controller locally (needs kubeconfig)
 ```
 
 ## Key Design Decisions
 
-- **Ephemeral Agent Pods**: Each agent run creates a Kubernetes Job with a pod containing the agent container, IPC bridge sidecar, and optional sandbox sidecar
-- **IPC via filesystem**: Agent ↔ control plane communication uses filesystem-based IPC (`/ipc` volume) watched by the bridge sidecar, enabling language-agnostic agent implementations
-- **NATS JetStream**: Used as the event bus for decoupled inter-component communication with durable subscriptions
-- **NetworkPolicy isolation**: Agent pods run with deny-all network policies; only the IPC bridge sidecar connects to the event bus
-- **Policy-as-CRD**: ClawPolicy resources gate tool access, sandbox requirements, and feature flags, enforced by admission webhooks
+| Decision | Rationale |
+|----------|-----------|
+| **Ephemeral Agent Pods** | Each agent run creates a K8s Job — agent container + IPC bridge sidecar + optional sandbox |
+| **Filesystem IPC** | Agent ↔ control plane via `/ipc` volume watched by the bridge sidecar — language-agnostic |
+| **NATS JetStream** | Decoupled event bus with durable subscriptions |
+| **NetworkPolicy isolation** | Agent pods get deny-all; only the IPC bridge connects to the bus |
+| **Policy-as-CRD** | `ClawPolicy` resources gate tools, sandboxes, and feature flags via admission webhooks |
 
 ## Configuration
 
-### Environment Variables
-
 | Variable | Component | Description |
 |----------|-----------|-------------|
 | `EVENT_BUS_URL` | All | NATS server URL |