feat: add OpenAI embeddings component, agent-orchestrator, and update model assignments

- Add openai-embeddings Kustomize Component (OnePasswordItem + StatefulSet envFrom patch)
- Wire component into all 6 agents via kustomization.yaml
- Add memorySearch config (openai/text-embedding-3-small) to all agent ConfigMaps
- Create agent-orchestrator (Atlas) with full scaffold
- Model assignments: codex-5.3 for coder/sre, gpt-5 for others
- Fallbacks: codex-mini-latest for coder/sre, gpt-5-mini for others

Author: zach-source

flux/apps/components/openai-embeddings/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - onepassword-openai-api-key.yaml
+patches:
+  - target:
+      kind: StatefulSet
+    patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/envFrom/-
+        value:
+          secretRef:
+            name: openai-api-key

flux/apps/components/openai-embeddings/onepassword-openai-api-key.yaml

@@ -0,0 +1,6 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: openai-api-key
+spec:
+  itemPath: "vaults/Personal Agents/items/nixfleet-openai-api-key"

flux/apps/overlays/nixfleet/agent-coder/configmap.yaml

@@ -18,8 +18,12 @@ data:
       "agents": {
         "defaults": {
           "model": {
-            "primary": "zai/glm-5",
-            "fallbacks": ["openai/gpt-4.1-mini"]
+            "primary": "openai/gpt-5.3-codex",
+            "fallbacks": ["openai/codex-mini-latest"]
+          },
+          "memorySearch": {
+            "provider": "openai",
+            "model": "text-embedding-3-small"
           }
         }
       },

flux/apps/overlays/nixfleet/agent-coder/kustomization.yaml

@@ -1,9 +1,12 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: agent-coder
 resources:
   - namespace.yaml
   - onepassword-item.yaml
   - configmap.yaml
   - statefulset.yaml
   - service.yaml
   - networkpolicy.yaml
+components:
+  - ../../../components/openai-embeddings

flux/apps/overlays/nixfleet/agent-orchestrator/configmap.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: agent-orchestrator-config
+  namespace: agent-orchestrator
+data:
+  openclaw.json: |
+    {
+      "gateway": {
+        "port": 18789,
+        "mode": "local",
+        "bind": "loopback",
+        "auth": {
+          "mode": "token",
+          "token": "${OPENCLAW_GATEWAY_TOKEN}"
+        }
+      },
+      "agents": {
+        "defaults": {
+          "model": {
+            "primary": "openai/gpt-5",
+            "fallbacks": ["openai/gpt-5-mini"]
+          },
+          "memorySearch": {
+            "provider": "openai",
+            "model": "text-embedding-3-small"
+          }
+        }
+      },
+      "channels": {
+        "slack": {
+          "enabled": true,
+          "mode": "socket",
+          "botToken": "${SLACK_BOT_TOKEN}",
+          "appToken": "${SLACK_APP_TOKEN}",
+          "requireMention": true,
+          "allowBots": true,
+          "groupPolicy": "open"
+        }
+      },
+      "plugins": {
+        "entries": {
+          "slack": { "enabled": true }
+        }
+      },
+      "tools": {
+        "profile": "full",
+        "web": {
+          "search": { "enabled": true },
+          "fetch": { "enabled": true }
+        }
+      }
+    }
+  cron-jobs.json: |
+    {
+      "version": 1,
+      "jobs": [
+        {
+          "id": "inbox-check",
+          "name": "Inbox Check",
+          "description": "Check Graphiti message board for tasks and requests",
+          "enabled": true,
+          "schedule": {
+            "kind": "cron",
+            "expr": "58 * * * *"
+          },
+          "sessionTarget": "isolated",
+          "payload": {
+            "kind": "agentTurn",
+            "message": "Inbox check. Search the Graphiti message board for messages addressed to you (@Atlas) in group_id 'messages'. If you find actionable requests, work on them. Also check your personal memory (group_id 'agent-orchestrator') for any in-progress work. After completing any tasks, store the results in your personal memory and reply to the sender via the message board."
+          }
+        }
+      ]
+    }

flux/apps/overlays/nixfleet/agent-orchestrator/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: agent-orchestrator
+resources:
+  - namespace.yaml
+  - onepassword-item.yaml
+  - configmap.yaml
+  - statefulset.yaml
+  - service.yaml
+  - networkpolicy.yaml
+components:
+  - ../../../components/openai-embeddings

flux/apps/overlays/nixfleet/agent-orchestrator/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: agent-orchestrator
+  labels:
+    nixfleet.io/component: agent
+    nixfleet.io/tenant: work

flux/apps/overlays/nixfleet/agent-orchestrator/networkpolicy.yaml

@@ -0,0 +1,40 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: agent-orchestrator-egress
+  namespace: agent-orchestrator
+spec:
+  endpointSelector: {}
+  egress:
+    - toFQDNs:
+        - matchName: "api.zai.com"
+        - matchName: "open.bigmodel.cn"
+        - matchName: "api.openai.com"
+        - matchName: "api.github.com"
+        - matchName: "wss-primary.slack.com"
+        - matchName: "wss-backup.slack.com"
+        - matchName: "slack.com"
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+    # Graphiti MCP server (cluster-internal)
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: graphiti
+            app: graphiti-mcp
+      toPorts:
+        - ports:
+            - port: "8000"
+              protocol: TCP
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+            - port: "53"
+              protocol: TCP
+  ingress: []

flux/apps/overlays/nixfleet/agent-orchestrator/onepassword-item.yaml

@@ -0,0 +1,7 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: agent-orchestrator-secrets
+  namespace: agent-orchestrator
+spec:
+  itemPath: "vaults/Personal Agents/items/Agent Orchestrator"

flux/apps/overlays/nixfleet/agent-orchestrator/service.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: agent-orchestrator
+  namespace: agent-orchestrator
+spec:
+  clusterIP: None
+  selector:
+    app: agent-orchestrator