Address all architecture review findings:
P0 fixes:
- Add API key authentication for admin endpoints (analytics, replay, openapi)
and WebSocket connections via ADMIN_API_KEY env var
- Add PostgreSQL-backed PgSessionManager and PgInterruptManager for
multi-worker production deployments (in-memory defaults preserved)
P1 fixes:
- Implement actual tool generation in OpenAPI approve_job endpoint
using generate_tool_code() and generate_agent_yaml()
- Add missing clarification, interrupt_expired, and tool_result message
handlers in frontend ChatPage
P2 fixes:
- Replace monkey-patching on CompiledStateGraph with typed GraphContext
- Replace 9-param dispatch_message with WebSocketContext dataclass
- Extract duplicate _envelope() into shared app/api_utils.py
- Replace mutable module-level counter with crypto.randomUUID()
- Remove hardcoded mock data from ReviewPage, use api.ts wrappers
- Remove `as any` type escape from ReplayPage
All 516 tests passing, 0 TypeScript errors.
