Epic: DAG-based ephemeral pod orchestration on AKS

[principle-lgtm]

Epic 1 — Sovereign Graph Orchestrator

Establish oxidizedgraph as the high-performance, memory-safe orchestrator that manages the lifecycle of ephemeral AI worker pods on Azure AKS.

Cross-org tracker: `lornu-ai/plans#14` (private)

Goal

Operate oxidizedgraph as a long-lived Axum service on the AKS hub. Worker agents are spawned as ephemeral `v1.Job` resources via Crossplane. Tasks are assigned over the A2A protocol using JSON-RPC. Compute is only consumed while code is actively being written.

Acceptance criteria

• oxidizedgraph runs as a long-lived `Deployment` on the AKS hub control plane
• Worker agents spawn as `batch/v1.Job` resources (one per build task, with TTL)
• Task dispatch uses A2A protocol over JSON-RPC
• Container image built from the existing `flake.nix` via `nix2container` / `dockerTools` — no Dockerfile in the final tree
• Orchestrator authenticates to the K8s API via Azure AD Workload Identity (no static kubeconfig)

Tasks

• 1.1 — Task 1.1: Deploy oxidizedgraph Axum server to AKS hub + Nix OCI image #42 Deploy oxidizedgraph Axum server to AKS hub + retire Dockerfile (this repo)
• 1.2 — stevedores-org/crossplane-heaven#4 Kustomize templates for ADK Agent Jobs
• 1.3 — stevedores-org/crossplane-heaven#5 Azure AD Workload Identity for orchestrator

🤖 Generated with Claude Code