FROM pytorch/pytorch:2.6.0-cuda12.4-cudnn9-runtime

# Pre-install all dependencies (no runtime downloads)
RUN pip install --no-cache-dir \
    transformers==4.47.0 \
    peft==0.14.0 \
    trl==0.13.0 \
    bitsandbytes==0.45.0 \
    datasets==3.2.0 \
    accelerate==1.2.1 \
    safetensors \
    sentencepiece \
    protobuf

# Identifies natural breakpoints
sections = splitter.split(prompt)
# → [heading1_content, list_items, paragraph_block, ...]

# Preserves shared context across sub-tasks
for section in sections:
    subtask = f"{shared_context}\n\n{section}"

async with asyncio.Semaphore(3):  # Max 3 concurrent
    results = await asyncio.gather(*subtask_calls)

from ml.agents import OllamaDecompositionAgent, AgentConfig

config = AgentConfig(
    ollama_host="192.168.2.2:11434",
    ollama_model="deepseek-r1:32b",
    max_parallel_tasks=3,
    aggregation_strategy="auto"
)

agent = OllamaDecompositionAgent(config)
result = await agent.process(large_prompt)

print(f"Response: {result.final_response}")
print(f"Tokens: {result.total_tokens_used}")
print(f"Duration: {result.total_duration_seconds:.2f}s")

# Simple prompt
python ml/agents/examples/cli_tool.py "Your prompt here"

# Load from file
python ml/agents/examples/cli_tool.py @large-document.txt

# Custom configuration
python ml/agents/examples/cli_tool.py @prompt.txt \
    --model deepseek-r1:32b \
    --max-tokens 16384 \
    --parallel 4 \
    --aggregation-strategy hierarchical

AgentConfig(
    # Ollama
    ollama_host="192.168.2.2:11434",
    ollama_model="deepseek-r1:32b",
    
    # Context Management
    max_context_tokens=8192,
    response_reserve_tokens=2048,
    chunk_overlap_tokens=200,
    
    # Execution
    max_parallel_tasks=3,
    timeout_seconds=300,
    
    # Performance (v2.0+)
    enable_token_count_cache=True,
    enable_async_file_io=True,
    enable_result_caching=False,
)

Organization Structure (15+ Accounts):

Management OU:
  - management: Root account, Control Tower, Organizations
  - logging: Centralized logging (CloudTrail, Config, Flow Logs)
  - security: Security Hub, GuardDuty findings aggregation
  - audit: Read-only audit access for compliance

Infrastructure OU:
  - network: Transit Gateway, shared networking
  - shared-services: DNS, Active Directory, central repositories

Workloads OU:
  Production:
    - prod-cde: PCI DSS Cardholder Data Environment
    - prod-non-cde: Non-CDE production workloads

  Non-Production:
    - staging: Pre-production testing environment
    - dev: Development environment
    - sandbox: Experimentation and POCs

Security OU:
  - security-tooling: Security tools and scanning
  - incident-response: IR automation and forensics

Transit Gateway (TGW) Hub:
  Purpose: Central routing for all VPCs
  Regions:
    - Primary: eu-west-1 (Ireland)
    - DR: eu-west-2 (London)

  Routing:
    - Centralized egress via NAT Gateways
    - Inter-VPC communication controls
    - On-premise connectivity (future VPN/Direct Connect)
    - Route table segmentation for CDE isolation

VPC Design per Account:
  Subnets:
    - Public: NAT GW, ALB, bastion (jump hosts)
    - Private: Application tier, EKS nodes
    - Data: Databases, ElastiCache, MSK
    - Management: Systems Manager endpoints

  CIDR Strategy:
    - Non-overlapping ranges across all accounts
    - /16 for production, /20 for non-production
    - Reserved ranges for future expansion

Network Firewall:
  - Centralized in network account
  - Deep packet inspection
  - Intrusion prevention (IPS)
  - Domain filtering for egress
  - Threat intelligence integration

Multi-Layer Protection:
  1. NACLs: Subnet-level stateless filtering
  2. Security Groups: Instance-level stateful filtering
  3. WAF: Application layer protection (ALB/CloudFront)
  4. Shield Standard: DDoS protection (all accounts)
  5. VPC Flow Logs: Network traffic analysis

Repository Structure:
  terraform-live/
    ├── management/
    ├── production/
    │   ├── eu-west-1/
    │   │   ├── vpc/
    │   │   ├── eks/
    │   │   ├── rds/
    │   │   └── security/
    │   └── eu-west-2/
    ├── staging/
    └── modules/
        ├── vpc/
        ├── eks/
        ├── rds-aurora/
        └── security-baseline/

Terraform Stack:
  - 1000+ AWS resources managed
  - Terragrunt for DRY configuration
  - Remote state: S3 + DynamoDB locking
  - State encryption with KMS
  - Module versioning and testing

Security Scanning:
  - Checkov: Compliance and security checks
  - tfsec: Terraform security scanning
  - Terrascan: Policy as code enforcement
  - Automated in CI/CD before apply
  - Drift detection and remediation

Pipeline Stages:
  1. Validate:
     - terraform validate
     - terraform fmt check
     - Module version verification

  2. Security Scan:
     - Checkov (CIS, PCI DSS policies)
     - tfsec (AWS security best practices)
     - Secret detection (gitleaks)

  3. Plan:
     - terraform plan
     - Cost estimation (Infracost)
     - Plan review and approval

  4. Apply:
     - Manual approval gate
     - terraform apply
     - Drift detection scheduling

Landing Zone Features:
  Account Factory:
    - Automated account provisioning
    - Baseline security configuration
    - IAM Identity Center (SSO) integration
    - CloudTrail and Config enabled by default

  Guardrails (SCPs):
    Mandatory:
      - Deny disabling CloudTrail
      - Deny modifying Config rules
      - Deny root user access keys
      - Enforce MFA for root user

    Strongly Recommended:
      - Deny leaving organization
      - Deny disabling EBS encryption
      - Deny public S3 buckets
      - Enforce encrypted volumes

    Custom (PCI DSS):
      - Deny non-approved regions
      - Enforce KMS encryption
      - Restrict instance types
      - Deny IMDSv1 (require IMDSv2)

Account Baseline:
  - VPC with private subnets
  - NAT Gateway for outbound
  - VPC endpoints for AWS services
  - CloudWatch log groups
  - SNS topics for alerts
  - Systems Manager access

Production EKS Clusters:
  Primary (eu-west-1):
    - 3 Availability Zones
    - Managed node groups (on-demand)
    - Spot instances for batch jobs
    - Fargate for serverless workloads

  DR (eu-west-2):
    - Pilot-light configuration
    - Minimal capacity (cost-optimized)
    - Automated scale-up on failover

Node Configuration:
  - Instance types: m5.xlarge, r5.xlarge
  - Auto Scaling: Cluster Autoscaler
  - OS: Amazon Linux 2
  - Container runtime: containerd
  - IRSA for pod-level IAM permissions

Control Plane:
  - Control plane logging to CloudWatch
  - Private endpoint (VPC-only access)
  - Kubernetes version: 1.27+
  - Encryption: KMS for secrets

Deployment Strategy:
  - ArgoCD deployed in EKS
  - Git as single source of truth
  - 80+ microservices managed
  - Application-per-repo pattern
  - Automated sync (with approval for prod)

Progressive Delivery (Argo Rollouts):
  Strategies:
    - Blue-Green deployments
    - Canary releases (10% → 50% → 100%)
    - Automated rollback on metrics

  Analysis:
    - Prometheus metrics integration
    - Success rate, latency, error rate
    - Automated promotion or rollback

Prometheus Architecture:
  - Thanos for long-term storage (S3)
  - Multi-cluster monitoring
  - 7-day local retention
  - 1-year Thanos retention
  - AlertManager for notifications

Grafana Dashboards:
  Infrastructure:
    - EKS cluster health
    - Node and pod metrics
    - Network performance
    - Storage utilization

  Application:
    - Service-level metrics
    - Payment processing metrics
    - API response times
    - Error rates and SLIs

  Security:
    - GuardDuty findings
    - WAF blocked requests
    - Failed authentication attempts
    - Compliance posture

  Cost:
    - Per-service costs (Kubecost)
    - AWS Cost Explorer integration
    - Budget vs actual tracking

OpenSearch (ELK):
  - Centralized log aggregation
  - 30-day retention in hot tier
  - 1-year retention in S3 (cold tier)
  - Vector for log collection
  - Kibana for visualization

Loki + Promtail:
  - Kubernetes-native logging
  - Label-based log queries
  - Grafana integration
  - Lower storage costs vs ELK
  - Real-time log streaming

Log Sources:
  - Application logs (stdout/stderr)
  - AWS CloudTrail (API calls)
  - VPC Flow Logs (network traffic)
  - EKS control plane logs
  - Load balancer access logs
  - WAF logs

Configuration:
  - Centralized user management
  - Azure AD integration (SAML)
  - MFA enforcement
  - Permission sets per role:
    * Admin: Full access (break-glass only)
    * DevOps: Infrastructure management
    * Developer: Application deployment
    * ReadOnly: Audit and compliance
    * Security: Security tools access

  Access Patterns:
    - Time-limited sessions (8 hours)
    - JIT access for production
    - Approval workflow for sensitive accounts
    - Audit logging of all access

HashiCorp Vault:
  Deployment:
    - HA cluster on EKS
    - Auto-unseal with AWS KMS
    - Consul storage backend
    - Cross-region replication

  Use Cases:
    - Database credentials (dynamic)
    - API keys and tokens
    - TLS certificates (PKI engine)
    - Encryption as a service

  Authentication:
    - Kubernetes auth for pods
    - AWS IAM for services
    - OIDC for users

AWS Secrets Manager:
  - RDS password rotation
  - Cross-account secret sharing
  - Lambda rotation functions
  - Backup to Vault for redundancy

Amazon Aurora PostgreSQL:
  Configuration:
    - Multi-AZ deployment
    - Read replicas (3x)
    - Cross-region read replica (DR)
    - Performance Insights enabled

  Security:
    - Encryption at rest (KMS)
    - Encryption in transit (TLS 1.3)
    - IAM database authentication
    - Private subnet deployment
    - Security group restrictions

  Backup:
    - Automated daily snapshots
    - 35-day retention
    - Cross-region snapshot copy
    - Point-in-time recovery (PITR)

MongoDB Atlas:
  - Managed service (AWS VPC peering)
  - Replica set configuration
  - Automated backups
  - Performance monitoring

ElastiCache Redis:
  - Cluster mode enabled
  - Multi-AZ automatic failover
  - Encryption in-transit and at-rest
  - Session storage and caching

Multi-Region Strategy:
  Primary: eu-west-1 (Ireland)
  DR: eu-west-2 (London)

  Approach: Pilot Light
    - Network infrastructure pre-deployed
    - EKS cluster in standby (minimal nodes)
    - Database read replica in DR region
    - S3 cross-region replication
    - Route 53 health checks and failover

Automation:
  - Lambda-based failover orchestration
  - Automated DNS cutover (Route 53)
  - EKS cluster scale-up automation
  - Database promotion scripts
  - Runbooks in Confluence

Testing:
  - Quarterly DR drills
  - Documented runbooks
  - Automated validation scripts
  - RTO: 4 hours
  - RPO: 15 minutes

Backup Strategy:
  - Velero for EKS (daily)
  - RDS automated snapshots
  - S3 versioning enabled
  - Configuration backups in Git
  - 3-2-1 backup rule adherence

On-Premise Infrastructure (Colocation):
  Purpose: Core trading engine and cold wallet storage
  Resources:
    - 50 physical servers
    - VMware ESXi virtualization platform
    - Ceph distributed storage (200TB)
    - OPNsense firewall cluster

Hetzner Cloud:
  Purpose: Additional compute and redundancy
  Resources:
    - Dedicated servers
    - Automated provisioning via Ansible
    - Load balancing tier

Google Cloud Platform:
  Purpose: Public-facing services and analytics
  Resources:
    - GKE (Google Kubernetes Engine)
    - Cloud SQL for relational data
    - Cloud Armor for DDoS protection
    - Global load balancing

Production Clusters:
  GKE (Google Cloud):
    - Public-facing trading interface
    - API gateway services
    - Real-time market data feeds
    - User authentication services

  K3s (On-Premise):
    - Core trading engine
    - Order matching engine
    - Wallet management services
    - Blockchain node management

  Management:
    - Rancher for centralized cluster management
    - Unified monitoring and logging
    - Cross-cluster service mesh

Nexus Registry:
  - Private container registry
  - Vulnerability scanning integration
  - Image signing and verification
  - Access control and audit logging

Security Measures:
  - Network policies for pod-to-pod communication
  - RBAC with least privilege access
  - Secret management with encrypted storage
  - Regular security scanning and updates

Architecture:
  Pools:
    - Hot data pool (SSD): Trading data, active wallets
    - Cold data pool (HDD): Historical data, backups
    - Metadata pool: File system metadata

  Replication:
    - 3x replication for critical data
    - 2x replication for warm data
    - Erasure coding for cold storage

  Performance:
    - IOPS optimization for trading engine
    - Low-latency access for hot wallets
    - Bandwidth optimization for blockchain sync

Other Storage Solutions:
  - Linstor for Kubernetes persistent volumes
  - PortWorx for database workloads
  - MinIO for object storage (S3 compatible)
  - NFS for shared application data

Supported Blockchains:
  - Bitcoin (BTC): Full node + pruned nodes
  - Ethereum (ETH): Geth full nodes
  - Litecoin (LTC): Full node
  - Other altcoins: Selective node deployment

Node Management:
  - Automated synchronization monitoring
  - Health checks and auto-healing
  - Version management and updates
  - Performance optimization

Hot Wallets (Online):
  Location: Kubernetes pods with strict security
  Purpose: Active trading and withdrawals
  Security:
    - Multi-signature requirements
    - Rate limiting on withdrawals
    - Real-time monitoring and alerts
    - Encrypted keys with HSM integration

Cold Wallets (Offline):
  Location: Air-gapped servers in colocation
  Purpose: Long-term storage of customer funds
  Security:
    - Hardware security modules (HSM)
    - Physical security controls
    - Multi-party authorization
    - Regular security audits

Warm Wallets (Semi-Online):
  Purpose: Balance between hot and cold
  Process: Automated cold-to-warm-to-hot transfers

Pipeline Architecture:
  - Jenkins master on Kubernetes
  - Dynamic agent provisioning
  - Parallel job execution
  - Docker-in-Docker builds

Stages:
  1. Code checkout and validation
  2. Unit and integration tests
  3. Security scanning:
     - Trivy for vulnerabilities
     - SonarQube for code quality
  4. Container image build and push
  5. Helm chart packaging
  6. Deployment to staging
  7. Automated testing
  8. Production deployment (manual approval)

GitLab Integration:
  - Self-hosted GitLab instance
  - Git repository management
  - Code review and merge requests
  - 100+ Helm charts for deployments

OPNsense Firewall:
  - High-availability cluster
  - Intrusion Detection System (IDS)
  - Intrusion Prevention System (IPS)
  - VPN for secure remote access
  - Traffic analysis and logging

Network Segmentation:
  - Isolated trading network
  - Separate blockchain node network
  - DMZ for public-facing services
  - Management network isolation
  - Strict firewall rules between segments

DDoS Protection:
  - Cloud Armor (GCP) for public endpoints
  - Rate limiting at multiple layers
  - Traffic scrubbing and filtering
  - Automated incident response

Security Measures:
  - Two-factor authentication (2FA) mandatory
  - IP whitelisting for API access
  - API rate limiting per user/IP
  - Session management and timeout
  - Encrypted communication (TLS 1.3)
  - Regular penetration testing
  - Bug bounty program

Infrastructure Monitoring (Zabbix):
  - Server hardware metrics
  - Network device monitoring
  - Service availability checks
  - Capacity planning metrics
  - Alerting and escalation

Application Monitoring (Prometheus/Grafana):
  - Trading engine performance
  - Order processing latency
  - Wallet transaction metrics
  - API response times
  - Custom business metrics

Log Aggregation (ELK Stack):
  - Centralized logging
  - Security event correlation
  - Audit trail for compliance
  - Real-time log analysis
  - Long-term log retention

Distributed Tracing (Jaeger):
  - Request flow visualization
  - Performance bottleneck identification
  - Dependency mapping

Infrastructure:
  - WebRTC signaling servers on Kubernetes
  - TURN/STUN servers for NAT traversal
  - Media servers for group calls
  - Load balancing for 1000+ concurrent users

Features:
  - Peer-to-peer video/audio calls
  - Screen sharing capabilities
  - Recording and playback
  - Integration with trading platform

Performance:
  - Low latency (<100ms)
  - Adaptive bitrate streaming
  - Network resilience
  - Quality monitoring