feat(my-deepagent): v0.2 PR #3 — FastAPI + SSE + minimal Web GUI (mydeepagent serve)

Closes the "GUI 미존재" gap from the user's first-session requirements
(REPL + workflow + GUI). v0.2 PR #1's Postgres migration made a second
concurrent writer safe; v0.2 PR #2a/#2b wired durable resume; this commit
ships the HTTP + browser surface that uses them.

No auth, no multi-tenant, single uvicorn worker — per DR-3 boundaries.
v0.3+ will add auth, multi-worker fanout, LISTEN/NOTIFY SSE upgrade.

Backend
- `src/my_deepagent/api/`:
  - `app.py` create_app() factory. lifespan stores db/config/personas/
    workflows on app.state. CORS allow_origin_regex http://localhost(:port)?.
    /static mount + /, /{page}.html for the HTML frontend.
  - `models.py` — pydantic v2 DTOs (extra="forbid") for every route. Auto
    OpenAPI/Swagger via FastAPI's response_model.
  - `deps.py` — get_db / get_config / get_personas / get_workflows.
  - `runner.py` — start_new_run / start_resume. Pre-allocates run_id via
    new `WorkflowEngine.run(pre_allocated_run_id=...)` so the route returns
    the id immediately while the engine runs in asyncio.create_task.
  - `sse.py` — 0.5 s poll over run_events.seq. Emits ServerSentEvent rows;
    sends `event: done` and HTTP-200-closes when run hits terminal.
  - `routes/{runs,personas,workflows,budget}.py`:
      GET  /api/runs              (list, ?limit + ?state)
      GET  /api/runs/{id}         (detail + phases + artifacts + events)
      POST /api/runs              (start; mock-able via runner.start_new_run)
      POST /api/runs/{id}/resume
      POST /api/runs/{id}/abort
      GET  /api/runs/{id}/events  (SSE; Last-Event-ID header + ?last_event_id)
      GET  /api/personas
      GET  /api/workflows
      GET  /api/budget

CLI
- `cli/serve.py` mydeepagent serve [--host 127.0.0.1] [--port 8000].
  Loud stderr warning if --host is not loopback (no auth = footgun).
  uvicorn.run(factory=True, workers=1).
- `cli/main.py` serve command registered.

Static frontend (vanilla HTML/JS/CSS, no build system)
- index.html — runs list + budget summary
- new.html — start-run form (workflow select, repo path, requirements,
  per-role persona override)
- run.html — run detail + live SSE event log + Resume/Abort buttons
- app.js — fetch + EventSource. XSS policy HARDCODED at file top:
  textContent only, innerHTML/insertAdjacentHTML/outerHTML forbidden.
- style.css — dark theme, single file.

Engine
- WorkflowEngine.run(... pre_allocated_run_id: UUID|None = None). None →
  uuid4() (existing behavior). Set → use that UUID. Backward compatible.

Tests
- tests/integration/test_api_read.py (5): list empty, get 404, personas
  seed count (12), workflows seed (>=3), budget empty.
- tests/integration/test_api_write.py (5): missing template 400, extra
  field 422, resume 404, abort 404, mock-runner happy path.
- tests/integration/test_api_sse.py (1): seed terminal run + 3 events,
  drain stream, assert types present + stream closes within 3 s.
- tests/integration/test_api_static.py (5): index/new/run HTML 200,
  app.js content-type + XSS-policy substring assertion, style.css
  content-type.
- All fixtures use httpx ASGITransport + app.router.lifespan_context
  (httpx does NOT auto-trigger FastAPI lifespan) + sqlite tmp_path.

Gates
- ruff check + ruff format --check + mypy --strict: PASS (120 source files)
- pytest non-E2E: 603 PASS (12.15 s) — +16 from new API tests
- pytest E2E real OpenRouter on Postgres: PASS 60.44 s (baseline 71–122 s
  range; well within DR-3 acceptance threshold ≤+20%)

Manual browser verification deferred to a follow-up (docker compose up,
mydeepagent serve, open http://localhost:8000).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

my-deepagent/src/my_deepagent/api/models.py

@@ -0,0 +1,146 @@
+"""pydantic v2 response models for the my-deepagent HTTP API.
+
+These shapes are stable contracts the Web GUI depends on. Internal ORM models
+in `my_deepagent.persistence.models` are NOT exposed directly; routes convert
+ORM rows into these DTOs.
+"""
+
+from __future__ import annotations
+
+from pydantic import BaseModel, ConfigDict, Field
+
+
+class _Strict(BaseModel):
+    """Base for API DTOs — extra=forbid to catch typos at deserialization time."""
+
+    model_config = ConfigDict(extra="forbid", frozen=True)
+
+
+# ---------------------------------------------------------------------------
+# /api/runs
+# ---------------------------------------------------------------------------
+
+
+class RunSummary(_Strict):
+    id: str
+    state: str
+    repo_path: str
+    base_branch: str
+    worktree_root: str
+    created_at: str
+    ended_at: str | None = None
+    final_report_path: str | None = None
+
+
+class PhaseInfo(_Strict):
+    id: str
+    phase_key: str
+    seq: int
+    state: str
+    attempts: int
+    started_at: str | None = None
+    ended_at: str | None = None
+
+
+class ArtifactInfo(_Strict):
+    id: str
+    phase_id: str
+    schema_id: str
+    path: str
+    valid: bool
+    created_at: str
+
+
+class EventInfo(_Strict):
+    seq: int
+    phase_id: str | None = None
+    type: str
+    ts: str
+    payload: dict[str, object] | None = None
+
+
+class RunDetail(_Strict):
+    run: RunSummary
+    phases: list[PhaseInfo]
+    artifacts: list[ArtifactInfo]
+    events: list[EventInfo]
+
+
+# ---------------------------------------------------------------------------
+# /api/runs POST body
+# ---------------------------------------------------------------------------
+
+
+class StartRunRequest(BaseModel):
+    """User-submitted body for POST /api/runs (NOT frozen — input not response)."""
+
+    model_config = ConfigDict(extra="forbid")
+    template_path: str = Field(min_length=1)
+    repo_path: str = Field(min_length=1)
+    base_branch: str = "main"
+    requirements_md: str = ""
+    override: dict[str, str] | None = None
+
+
+class StartRunResponse(_Strict):
+    run_id: str
+    state: str
+    message: str = "started"
+
+
+# ---------------------------------------------------------------------------
+# /api/personas
+# ---------------------------------------------------------------------------
+
+
+class PersonaSummary(_Strict):
+    name: str
+    version: int
+    description: str | None = None
+    model: str
+    capabilities: list[str]
+    max_risk_level: str
+
+
+# ---------------------------------------------------------------------------
+# /api/workflows
+# ---------------------------------------------------------------------------
+
+
+class WorkflowRoleSummary(_Strict):
+    id: str
+    required_capabilities: list[str]
+
+
+class WorkflowPhaseSummary(_Strict):
+    key: str
+    title: str
+    risk: str
+    role: str
+
+
+class WorkflowSummary(_Strict):
+    path: str  # relative path under docs/schemas/workflows/
+    name: str
+    version: int
+    description: str | None = None
+    roles: list[WorkflowRoleSummary]
+    phases: list[WorkflowPhaseSummary]
+
+
+# ---------------------------------------------------------------------------
+# /api/budget
+# ---------------------------------------------------------------------------
+
+
+class BudgetScopeEntry(_Strict):
+    scope: str
+    spent_usd: float
+    cap_usd: float | None
+    warn_usd: float | None = None
+
+
+class BudgetSummary(_Strict):
+    day: BudgetScopeEntry | None
+    runs: list[BudgetScopeEntry]
+    personas: list[BudgetScopeEntry]