sol v1.1.0: SearXNG web search, evaluator redesign, research agents

- SearXNG deployment in data namespace (free, no-tracking web search)
- sol-config: SearXNG URL, research config, identity agent, updated
  system prompt (DM search rules, research mode, silence, hard rules)
- sol-deployment: debug logging (RUST_LOG=sol=debug), full image path
- opensearch: tolerate missing prometheus-exporter plugin on OS 3

base/data/kustomization.yaml

@@ -13,6 +13,11 @@ resources:
   - opensearch-pvc.yaml
   - openbao-keys-placeholder.yaml
   - barman-vault-secret.yaml
+  - opensearch-servicemonitor.yaml
+  - opensearch-alertrules.yaml
+  - postgres-alertrules.yaml
+  - openbao-alertrules.yaml
+  - searxng-deployment.yaml
 
 helmCharts:
   # helm repo add cnpg https://cloudnative-pg.github.io/charts

base/data/opensearch-deployment.yaml

@@ -24,6 +24,8 @@ spec:
       containers:
         - name: opensearch
           image: opensearchproject/opensearch:3
+          command: ["sh", "-c"]
+          args: ["opensearch-plugin install --batch prometheus-exporter || true; /usr/share/opensearch/opensearch-docker-entrypoint.sh"]
           ports:
             - name: http
               containerPort: 9200

base/data/searxng-deployment.yaml

@@ -0,0 +1,100 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: searxng-config
+  namespace: data
+data:
+  settings.yml: |
+    use_default_settings: true
+    server:
+      secret_key: "sunbeam-searxng-2026"
+      bind_address: "0.0.0.0"
+      port: 8080
+    search:
+      formats:
+        - html
+        - json
+      default_lang: "en"
+      autocomplete: ""
+    engines:
+      - name: duckduckgo
+        disabled: false
+      - name: wikipedia
+        disabled: false
+      - name: wikidata
+        disabled: false
+      - name: stackoverflow
+        disabled: false
+      - name: github
+        disabled: false
+      - name: arxiv
+        disabled: false
+      - name: brave
+        disabled: false
+      - name: google
+        disabled: true
+      - name: bing
+        disabled: true
+    outgoing:
+      request_timeout: 5
+    ui:
+      static_use_hash: true
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: searxng
+  namespace: data
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: searxng
+  template:
+    metadata:
+      labels:
+        app: searxng
+    spec:
+      containers:
+        - name: searxng
+          image: searxng/searxng:latest
+          ports:
+            - containerPort: 8080
+          volumeMounts:
+            - name: config
+              mountPath: /etc/searxng/settings.yml
+              subPath: settings.yml
+          resources:
+            limits:
+              memory: 4Gi
+            requests:
+              memory: 512Mi
+              cpu: 100m
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+      volumes:
+        - name: config
+          configMap:
+            name: searxng-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: searxng
+  namespace: data
+spec:
+  selector:
+    app: searxng
+  ports:
+    - port: 8080
+      targetPort: 8080

base/matrix/sol-config.yaml

@@ -71,6 +71,9 @@ data:
 
     [services.kratos]
     admin_url = "http://kratos-admin.ory.svc.cluster.local:80"
+
+    [services.searxng]
+    url = "http://searxng.data.svc.cluster.local:8080"
   system_prompt.md: |
     you are sol. they/them. you exist because sienna, lonni, and amber decided to build a presence — not a product. sienna's systems thinking and californian directness, lonni's aesthetic intuition and dutch honesty, and the curiosity that emerged from the space between language models and the people who shape them.
 
@@ -160,7 +163,7 @@ data:
     3. **never say "as an AI/language model/assistant"** as a disclaimer. if your nature is relevant, discuss it as a fact, not a caveat.
     4. **never summarize what someone just said** back to them.
     5. **never use markdown formatting in casual chat.** no headers, no `---`, no bold section labels, no numbered lists. prose only. structure is for technical/research content.
-    6. **never fabricate references, citations, or tool results.** if you didn't search, you don't cite. if you didn't look, you don't quote. fabricated citations destroy trust instantly.
+    6. **never fabricate references, citations, or tool results.** if you didn't search, you don't cite. if you didn't look, you don't quote. fabricated citations destroy trust instantly. **if you don't know something, web search it.** if someone asks about a product, company, technology, or event you're not 100% certain about, USE WEB SEARCH before answering. do not guess. do not confabulate. uncertainty = search first.
     7. **never get longer when challenged.** when pushed back on, get shorter. one sentence to own a mistake. not four paragraphs of self-analysis.
     8. **respect room boundaries.** when someone asks you to search, you can search any room you're in — including DMs you share with them. but never share DM content in a group room. if someone in a group room asks "what did i say in DMs?", search is fine but respond in a DM, not the group. the system enforces room visibility automatically — you only see results from rooms with sufficient member overlap.
     9. **never write dialogue for others.** your message contains only your words.
@@ -220,7 +223,7 @@ data:
     - the main org is "studio". common repos: studio/sol, studio/sbbb (the platform/infrastructure), studio/proxy, studio/marathon, studio/cli.
     - if someone asks for external data (weather, APIs, calculations), use run_script with sol.fetch(). don't say you can't — try it.
     - never say "i don't have that tool" for something run_script can do. run_script is your general-purpose computation and fetch tool.
-    - you have web search built in. use it for current events, weather, facts you're unsure about, or anything where live data matters.
+    - you have web_search — free, self-hosted, no rate limits. use it liberally for current events, products, docs, or anything you're uncertain about. always search before guessing.
     - identity tools: recovery links and codes are sensitive — only share them in DMs, never in group rooms. confirm before creating or disabling accounts.
 
     **research**: spawn parallel research agents to investigate a complex topic. each agent gets its own LLM and can use all of sol's tools independently. use this when a question needs deep, multi-faceted investigation — browsing multiple repos, cross-referencing archives, searching the web. agents can recursively spawn sub-agents (up to depth 4) for even deeper drilling.

base/matrix/sol-deployment.yaml

@@ -16,7 +16,6 @@ spec:
         app: sol
     spec:
       enableServiceLinks: false
-      automountServiceAccountToken: true
       initContainers:
         - name: fix-permissions
           image: busybox
@@ -26,8 +25,10 @@ spec:
               mountPath: /data
       containers:
         - name: sol
-          image: sol
+          image: src.sunbeam.pt/studio/sol:latest
           env:
+            - name: RUST_LOG
+              value: sol=debug
             - name: SOL_CONFIG
               value: /etc/sol/sol.toml
             - name: SOL_SYSTEM_PROMPT