diff --git a/demos/sub-agent-multiplex/Dockerfile b/demos/sub-agent-multiplex/Dockerfile
new file mode 100644
index 000000000..c2334a3ca
--- /dev/null
+++ b/demos/sub-agent-multiplex/Dockerfile
@@ -0,0 +1,82 @@
+# NanoClaw on Agent Substrate PoC
+# Portable Dockerfile for OSS Substrate Migration
+
+# Stage 1: Build the standalone bundles
+FROM node:22-slim AS builder
+
+WORKDIR /app
+
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy standalone package files
+COPY package.json ./
+# Use npm install for simplicity and portability in the standalone package
+RUN npm install
+
+# Copy source code
+COPY ui/ ./ui/
+COPY workload/ ./workload/
+COPY broker/ ./broker/
+
+# Build zero-dependency bundles
+RUN ./node_modules/.bin/esbuild workload/agent.ts \
+    --bundle \
+    --platform=node \
+    --target=node22 \
+    --outfile=dist/agent.js \
+    --external:node:*
+
+RUN ./node_modules/.bin/esbuild ui/demo-ui.ts \
+    --bundle \
+    --platform=node \
+    --target=node22 \
+    --outfile=dist/demo-ui.js \
+    --external:node:*
+
+RUN ./node_modules/.bin/esbuild broker/server.ts \
+    --bundle \
+    --platform=node \
+    --target=node22 \
+    --outfile=dist/broker.js \
+    --external:node:*
+
+# Stage 2: Final Production Image
+FROM node:22-slim AS runner
+
+WORKDIR /app
+
+# Copy the entire context to check for local binaries
+COPY . .
+
+# Install runtime dependencies (tini for signal forwarding, kubectl for dashboard sync)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    tini \
+    && curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
+    && chmod +x kubectl \
+    && mv kubectl /usr/local/bin/ \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy built assets
+COPY --from=builder /app/dist/ ./dist/
+# Copy kubectl-ate binary if it exists in context, otherwise download it
+# This makes the Dockerfile portable across environments
+RUN if [ -f "./kubectl-ate" ]; then \
+        mv ./kubectl-ate /usr/local/bin/kubectl-ate; \
+    else \
+        curl -L -o /usr/local/bin/kubectl-ate https://github.com/agent-substrate/substrate/releases/latest/download/kubectl-ate-linux-amd64; \
+    fi && chmod +x /usr/local/bin/kubectl-ate
+
+# Create a /pause hook for Substrate rehydration
+RUN echo '#!/bin/sh' > /pause && \
+    echo 'echo "[pause] Starting NanoClaw agent..."' >> /pause && \
+    echo 'exec /usr/bin/tini -- /usr/local/bin/node /app/dist/agent.js' >> /pause && \
+    chmod +x /pause
+
+# Default entrypoint (can be overridden by deployment to run demo-ui)
+ENTRYPOINT ["/usr/bin/tini", "--", "node", "dist/agent.js"]
diff --git a/demos/sub-agent-multiplex/README.md b/demos/sub-agent-multiplex/README.md
new file mode 100644
index 000000000..487476b0a
--- /dev/null
+++ b/demos/sub-agent-multiplex/README.md
@@ -0,0 +1,98 @@
+# Substrate Multiplex Demo: NanoClaw 1.5x Overcommit
+
+This demo demonstrates the extreme efficiency gains possible with Google Substrate by multiplexing **3 logical NanoClaw agents** onto **2 physical substrate workers** (1.5x density ratio).
+
+## System Information
+
+- **Agent Framework**: NanoClaw (v2.x)
+- **Source**: `github.com/nanocoai/nanoclaw`
+- **Substrate Mode**: Multi-Actor Multiplexing (1.5x oversubscription)
+- **Runtime**: Bun (Node.js compatible) inside Debian Slim
+- **Isolation**: gVisor (runsc)
+
+## What this shows
+
+- **High-Density Multiplexing**: Three logical agent identities running on only two physical pods (1.5x oversubscription).
+- **State Persistence**: A `taskCounter` maintained in the Node.js process memory survives multiple suspend/resume cycles.
+- **Dynamic Rotation**: Agents finish work at different times (3-6s), forcing Substrate to constantly rotate pod ownership.
+- **Visual Identity Tracking**: Color-coded agents (Blue/Pink/Gold) and live log tailing to make infrastructure sharing intuitively obvious.
+
+## Audience
+
+This guide is intended for engineers exploring Agent Substrate for hosting large-scale agentic workloads where cost-efficiency and stateful rehydration are critical.
+
+## Prerequisites
+
+- **Agent Substrate Cluster**: A Kubernetes cluster with Substrate installed.
+- **Docker**: For building and pushing the unified actor/UI image.
+- **GCS Bucket**: Configured for Substrate state snapshots (e.g., `gs://snapshot-substrate-gke-ai-eco-dev/`).
+- **kubectl & kubectl-ate**: The Substrate CLI tool for managing logical actors.
+
+## Components
+
+| Path | Purpose |
+|---|---|
+| `workload/agent.ts` | The workload: A NanoClaw/Hono server with persistent memory state. |
+| `ui/demo-ui.ts` | The dashboard: A Node.js backend providing live logs, task queueing, and visual tracking. |
+| `sub-agent-multiplex.yaml.tmpl` | Kubernetes manifests for ActorTemplates and WorkerPools. |
+| `Dockerfile` | Unified OCI image containing both the actor workload and the dashboard UI. |
+
+## How to Run
+
+### 1. Provision Hardware
+Scale the physical `WorkerPool` to the desired replica count (2 for this demo):
+```bash
+kubectl apply -f sub-agent-multiplex.yaml
+```
+
+### 2. Deploy Logical Agents
+Create the three "fun-named" actors using the Substrate CLI.
+```bash
+kubectl-ate create actor agent-luna-v12 --template sub-agent/sub-agent-agent
+kubectl-ate create actor agent-mars-v12 --template sub-agent/sub-agent-agent
+kubectl-ate create actor agent-nova-v11 --template sub-agent/sub-agent-agent
+```
+
+### 3. Launch the Dashboard
+The dashboard runs as a standard Kubernetes Deployment with a LoadBalancer.
+```bash
+kubectl apply -f demo-ui.yaml
+```
+
+## Drive the Demo
+
+Open the dashboard and use the following interaction patterns:
+
+- **Pulse (Manual Wakeup)**: Trigger tasks across the registry. Watch the **colored icons** rapidly cycle through the 2 worker slots.
+- **Live Logs**: Observe the Fleet Decision Stream. You will see agent registrations and task dispatching events proving that physical hardware is being recycled in real-time.
+- **Cron Tracker**: Observe real-time countdowns as the automated schedule triggers orchestration events.
+
+## Integrating a Real LLM API
+
+Integrating an LLM into a NanoClaw logical actor is straightforward. Because Substrate persists the **entire process memory**, any in-memory conversation history or KV-cache will survive multiple suspend/resume cycles without requiring an external database.
+
+### 1. Add the LLM SDK
+Add your preferred SDK (e.g., OpenAI or Anthropic) to the `package.json`:
+```bash
+npm install openai
+```
+
+### 2. Update the Actor Logic
+Modify `workload/agent.ts` to initialize the client and maintain a local chat history:
+```typescript
+import OpenAI from "openai";
+
+const openai = new OpenAI({ apiKey: process.env.LLM_API_KEY });
+let history: any[] = []; // This array will survive Substrate snapshots!
+
+app.post("/v1/chat", async (c) => {
+  const { message } = await c.req.json();
+  history.push({ role: "user", content: message });
+  
+  const response = await openai.chat.completions.create({
+    model: "gpt-4",
+    messages: history,
+  });
+  // ... process response
+});
+```
diff --git a/demos/sub-agent-multiplex/broker-deployment.yaml b/demos/sub-agent-multiplex/broker-deployment.yaml
new file mode 100644
index 000000000..945eecd51
--- /dev/null
+++ b/demos/sub-agent-multiplex/broker-deployment.yaml
@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nano-broker
+  namespace: sub-agent
+  labels:
+    app: nano-broker
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nano-broker
+  template:
+    metadata:
+      labels:
+        app: nano-broker
+    spec:
+      containers:
+      - name: broker
+        image: gcr.io/gke-ai-eco-dev/substrate-demos/sub-agent:latest
+        command: ["/usr/bin/tini", "--", "node", "dist/broker.js"]
+        ports:
+        - containerPort: 8091
+        env:
+        - name: ATE_ENDPOINT
+          value: "api.ate-system.svc.cluster.local:443"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nano-broker
+  namespace: sub-agent
+spec:
+  selector:
+    app: nano-broker
+  ports:
+  - port: 8091
+    targetPort: 8091
diff --git a/demos/sub-agent-multiplex/broker/server.ts b/demos/sub-agent-multiplex/broker/server.ts
new file mode 100644
index 000000000..b7c140a30
--- /dev/null
+++ b/demos/sub-agent-multiplex/broker/server.ts
@@ -0,0 +1,178 @@
+import { Hono } from "hono";
+import { serve } from "@hono/node-server";
+import { exec } from "node:child_process";
+
+const app = new Hono();
+
+// --- Configuration ---
+const ATE_ENDPOINT = process.env.ATE_ENDPOINT || "api.ate-system.svc.cluster.local:443";
+const AGENT_TASKS = [
+  "Inventory reconciliation audit",
+  "Security patch verification",
+  "Log aggregation summary",
+  "API endpoint health check",
+  "Database index optimization analysis"
+];
+
+// --- Types ---
+interface RegisteredAgent {
+  actorId: string;
+  lastSeen: number;
+  status: "idle" | "working" | "error";
+  taskCount: number;
+}
+
+interface BrokerLog {
+  timestamp: string;
+  module: "registry" | "orchestrator" | "substrate";
+  message: string;
+  level: "info" | "warn" | "error";
+}
+
+// --- State ---
+const registry: Record<string, RegisteredAgent> = {};
+const logs: BrokerLog[] = [];
+let isOrchestrating = false;
+
+// --- Helpers ---
+const log = (module: BrokerLog["module"], message: string, level: BrokerLog["level"] = "info") => {
+  const entry: BrokerLog = {
+    timestamp: new Date().toISOString().slice(11, 19),
+    module,
+    message,
+    level
+  };
+  logs.push(entry);
+  if (logs.length > 100) logs.shift();
+  console.log(`[${entry.timestamp}] [${module}] ${message}`);
+};
+
+const runCmd = (cmd: string): Promise<string> => {
+  return new Promise((resolve, reject) => {
+    exec(cmd, (error, stdout, stderr) => {
+      if (error) reject(new Error(stderr || error.message));
+      else resolve(stdout);
+    });
+  });
+};
+
+// --- API Endpoints ---
+
+// NanoClaw Agents call this on boot
+app.post("/register", async (c) => {
+  const { actorId } = await c.req.json();
+  if (!actorId) return c.json({ error: "actorId required" }, 400);
+
+  registry[actorId] = {
+    actorId,
+    lastSeen: Date.now(),
+    status: registry[actorId]?.status || "idle",
+    taskCount: registry[actorId]?.taskCount || 0
+  };
+
+  log("registry", `Agent **${actorId}** self-registered successfully.`);
+  return c.json({ status: "registered", broker: "FleetBroker-v1" });
+});
+
+// Infrastructure calls this when it detects due work
+app.post("/notify-due", async (c) => {
+  const { sessionId, dueCount } = await c.req.json();
+  log("orchestrator", `Infrastructure Alert: **${sessionId}** has ${dueCount} tasks pending.`);
+  
+  // Custom Platform Policy: Always trigger if work is due
+  performTask(sessionId);
+  return c.json({ status: "processed" });
+});
+
+// Dashboard polls this for "Platform View"
+app.get("/status", (c) => {
+  return c.json({
+    registry: Object.values(registry),
+    logs: logs,
+    orchestrating: isOrchestrating
+  });
+});
+
+// Trigger a manual task from Dashboard
+app.post("/trigger/:actorId", async (c) => {
+  const actorId = c.req.param("actorId");
+  if (!registry[actorId]) return c.json({ error: "Agent not registered" }, 404);
+  
+  // Fire and forget task execution
+  performTask(actorId);
+  return c.json({ status: "triggered" });
+});
+
+// --- Orchestration Logic ---
+
+async function performTask(actorId: string) {
+  if (registry[actorId].status === "working") {
+    log("orchestrator", `Task skipped for ${actorId}: already working.`, "warn");
+    return;
+  }
+
+  const task = AGENT_TASKS[Math.floor(Math.random() * AGENT_TASKS.length)];
+  registry[actorId].status = "working";
+  log("orchestrator", `Policy Trigger: Dispatching '${task}' to **${actorId}**.`);
+
+  try {
+    // 1. Substrate Resume
+    log("substrate", `> kubectl-ate resume actor ${actorId}`);
+    await runCmd(`kubectl-ate --endpoint ${ATE_ENDPOINT} resume actor ${actorId}`);
+
+    // 2. Wait for Rehydration
+    let actorIP = "";
+    for (let i = 0; i < 30; i++) {
+      const out = await runCmd(`kubectl-ate --endpoint ${ATE_ENDPOINT} get actor ${actorId} -o json`);
+      const actor = JSON.parse(out).actors?.[0] || JSON.parse(out);
+      if (actor.status === "STATUS_RUNNING" && actor.ateomPodIp) {
+        actorIP = actor.ateomPodIp;
+        break;
+      }
+      await new Promise(r => setTimeout(r, 1000));
+    }
+
+    if (!actorIP) throw new Error("Rehydration Timeout");
+
+    // 3. Execute NanoClaw Task
+    log("substrate", `Connected to ${actorId} at ${actorIP}. Injecting payload...`);
+    await new Promise(r => setTimeout(r, 4000)); // Network settle
+    
+    await runCmd(`curl -s -f -m 10 -X POST http://${actorIP}:8080/task -H "Content-Type: application/json" -d '{"task": "${task}"}'`);
+    
+    log("orchestrator", `Task completed by **${actorId}**. Platform yielding hardware.`);
+    registry[actorId].taskCount++;
+
+    // 4. Substrate Suspend
+    log("substrate", `> kubectl-ate suspend actor ${actorId}`);
+    await runCmd(`kubectl-ate --endpoint ${ATE_ENDPOINT} suspend actor ${actorId}`);
+    
+    registry[actorId].status = "idle";
+  } catch (e: any) {
+    log("substrate", `Orchestration failed for ${actorId}: ${e.message}`, "error");
+    registry[actorId].status = "error";
+    // Safety yield
+    await runCmd(`kubectl-ate --endpoint ${ATE_ENDPOINT} suspend actor ${actorId}`).catch(() => {});
+  }
+}
+
+// Simulated Customer Policy: Every 2 minutes, pick a registered agent to work
+async function runAutoPolicy() {
+  if (!isOrchestrating) return;
+
+  const activeAgents = Object.keys(registry);
+  if (activeAgents.length > 0) {
+    const pick = activeAgents[Math.floor(Math.random() * activeAgents.length)];
+    performTask(pick);
+  }
+
+  setTimeout(runAutoPolicy, 120000); // 2 minute cycle
+}
+
+// --- Start Server ---
+const port = 8091;
+serve({ fetch: app.fetch, port, hostname: "0.0.0.0" });
+
+log("registry", "Fleet Management Broker active on port 8091.");
+isOrchestrating = true;
+runAutoPolicy();
diff --git a/demos/sub-agent-multiplex/package.json b/demos/sub-agent-multiplex/package.json
new file mode 100644
index 000000000..d0993c28a
--- /dev/null
+++ b/demos/sub-agent-multiplex/package.json
@@ -0,0 +1,20 @@
+{
+  "name": "sub-agent-multiplex",
+  "version": "1.0.0",
+  "description": "NanoClaw on Agent Substrate PoC",
+  "private": true,
+  "scripts": {
+    "build": "esbuild src/agent.ts --bundle --platform=node --target=node22 --outfile=dist/agent.js --external:node:* && esbuild src/demo-ui.ts --bundle --platform=node --target=node22 --outfile=dist/demo-ui.js --external:node:*",
+    "start:ui": "node dist/demo-ui.js",
+    "start:agent": "node dist/agent.js"
+  },
+  "dependencies": {
+    "@hono/node-server": "^1.11.1",
+    "hono": "^4.4.2"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "esbuild": "^0.21.5",
+    "typescript": "^5.5.2"
+  }
+}
diff --git a/demos/sub-agent-multiplex/sub-agent-multiplex.yaml.tmpl b/demos/sub-agent-multiplex/sub-agent-multiplex.yaml.tmpl
new file mode 100644
index 000000000..52b4dd113
--- /dev/null
+++ b/demos/sub-agent-multiplex/sub-agent-multiplex.yaml.tmpl
@@ -0,0 +1,73 @@
+apiVersion: ate.dev/v1alpha1
+kind: ActorTemplate
+metadata:
+  name: sub-agent-agent
+  namespace: sub-agent
+spec:
+  containers:
+  - image: ${SUB_AGENT_IMAGE}
+    name: agent
+    ports:
+    - containerPort: 8080
+    env:
+    - name: BROKER_URL
+      value: "http://nano-broker.sub-agent.svc.cluster.local:8091"
+  pauseImage: registry.k8s.io/pause:3.10.2@sha256:f548e0e8e3dc1896ca956272154dde3314e8cc4fde0a57577ee9fa1c63f5baf4
+  runsc:
+    amd64:
+      sha256Hash: a397be1abc2420d26bce6c70e6e2ff96c73aaaab929756c56f5e2089ea842b63
+      url: gs://gvisor/releases/nightly/2026-05-19/x86_64/runsc
+    arm64:
+      sha256Hash: 1ba2366ae2efceba166046f51a4104f9261c9cb72c6db8f5b3fe2dc57dea86b9
+      url: gs://gvisor/releases/nightly/2026-05-19/aarch64/runsc
+  snapshotsConfig:
+    location: gs://${BUCKET_NAME}/sub-agent-agent/v12/
+  workerPoolRef:
+    name: agent-pool
+    namespace: sub-agent
+---
+apiVersion: ate.dev/v1alpha1
+kind: WorkerPool
+metadata:
+  name: agent-pool
+  namespace: sub-agent
+spec:
+  ateomImage: gcr.io/gke-ai-eco-dev/ate-images/ateom-gvisor-715889664656de67e44382a8d6ab981d@sha256:a877e335fdb6e5576714ab53ad6bf88ee676dfe642516c07673a3d9df56053b3
+  replicas: 2
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nano-broker
+  namespace: sub-agent
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nano-broker
+  template:
+    metadata:
+      labels:
+        app: nano-broker
+    spec:
+      containers:
+      - name: broker
+        image: ${SUB_AGENT_IMAGE}
+        command: ["/usr/bin/tini", "--", "node", "dist/broker.js"]
+        ports:
+        - containerPort: 8091
+        env:
+        - name: ATE_ENDPOINT
+          value: "api.ate-system.svc.cluster.local:443"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nano-broker
+  namespace: sub-agent
+spec:
+  selector:
+    app: nano-broker
+  ports:
+  - port: 8091
+    targetPort: 8091
diff --git a/demos/sub-agent-multiplex/tsconfig.json b/demos/sub-agent-multiplex/tsconfig.json
new file mode 100644
index 000000000..ebd4c7027
--- /dev/null
+++ b/demos/sub-agent-multiplex/tsconfig.json
@@ -0,0 +1,14 @@
+{
+  "compilerOptions": {
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "skipLibCheck": true,
+    "isolatedModules": true,
+    "esModuleInterop": true,
+    "allowImportingTsExtensions": true,
+    "noEmit": true
+  },
+  "include": ["./**/*"]
+}
diff --git a/demos/sub-agent-multiplex/ui/demo-ui.ts b/demos/sub-agent-multiplex/ui/demo-ui.ts
new file mode 100644
index 000000000..9ee796c8c
--- /dev/null
+++ b/demos/sub-agent-multiplex/ui/demo-ui.ts
@@ -0,0 +1,351 @@
+import { Hono } from "hono";
+import { serve } from "@hono/node-server";
+import { exec } from "node:child_process";
+import { createClient } from "redis";
+
+const app = new Hono();
+
+// --- Configuration ---
+const NS = process.env.DEMO_NAMESPACE || "sub-agent";
+const ATE_ENDPOINT = process.env.ATE_ENDPOINT || "api.ate-system.svc.cluster.local:443";
+const VALKEY_URL = "redis://valkey-cluster.ate-system.svc.cluster.local:6379";
+const BROKER_URL = process.env.BROKER_URL || "http://nano-broker.sub-agent.svc.cluster.local:8091";
+
+interface Assignment {
+  id: string;
+  agent: string;
+  task: string;
+  state: "queued" | "running" | "completed";
+  durationSec: number;
+  created_at: number;
+  started_at?: number;
+  completed_at?: number;
+}
+
+interface TaskAudit {
+  id: string;
+  agent: string;
+  timestamp: string;
+  task: string;
+  result: string;
+  status: "success" | "error" | "warning";
+  error_detail?: string;
+}
+
+// --- Shared State ---
+let shellLogs: string[] = [];
+let taskAudits: TaskAudit[] = [];
+let clusterState = { pods: [] as any[], actors: [] as any[] };
+let brokerState = { registry: [] as any[], logs: [] as any[] };
+
+// Precision Tracking
+let stats = {
+  totalLogicalActiveSec: 0,
+  totalPhysicalActiveSec: 0,
+  cumulativeTasks: 0,
+  lastSync: Date.now()
+};
+
+const AGENT_META: Record<string, { color: string, id: string }> = {
+  "agent-luna": { color: "#79c0ff", id: "agent-luna-v12" },
+  "agent-mars": { color: "#ff79c6", id: "agent-mars-v12" },
+  "agent-nova": { color: "#f1fa8c", id: "agent-nova-v11" },
+};
+
+const ID_TO_DISPLAY: Record<string, string> = Object.entries(AGENT_META).reduce((acc, [display, meta]) => {
+  acc[meta.id] = display;
+  return acc;
+}, {} as Record<string, string>);
+
+const VALID_ACTOR_IDS = new Set(Object.values(AGENT_META).map(m => m.id));
+
+const runCmd = (cmd: string): Promise<string> => {
+  return new Promise((resolve, reject) => {
+    exec(cmd, (error, stdout, stderr) => {
+      if (error) reject(new Error(stderr || error.message));
+      else resolve(stdout);
+    });
+  });
+};
+
+// --- Valkey Persistence ---
+let redis: any = null;
+try {
+  redis = createClient({ url: VALKEY_URL });
+  redis.on("error", () => {});
+} catch (e) {}
+
+async function initPersistence() {
+  if (!redis) return;
+  try {
+    await Promise.race([redis.connect(), new Promise((_, r) => setTimeout(r, 2000))]);
+    if (redis.isOpen) {
+      const audits = await redis.lRange("demo:task_audits", 0, -1);
+      taskAudits = (audits || []).map((a: string) => JSON.parse(a));
+    }
+  } catch (e) {}
+}
+
+async function persistAudit(audit: TaskAudit) {
+  taskAudits.push(audit);
+  if (taskAudits.length > 50) taskAudits.shift();
+  try { if (redis?.isOpen) { await redis.rPush("demo:task_audits", JSON.stringify(audit)); await redis.lTrim("demo:task_audits", -50, -1); } } catch {}
+}
+
+// --- Background State Syncer ---
+async function syncState() {
+  try {
+    const actorsOut = await runCmd(`kubectl-ate --endpoint ${ATE_ENDPOINT} get actors -o json`);
+    const podsOut = await runCmd(`kubectl get pods -n ${NS} -l app=agent-pool -o json`);
+    const brokerOut = await fetch(`${BROKER_URL}/status`).then(r => r.json());
+
+    const actors = JSON.parse(actorsOut).actors || [];
+    const podsRaw = JSON.parse(podsOut).items || [];
+    
+    brokerState = brokerOut;
+
+    clusterState.actors = actors.filter((a: any) => VALID_ACTOR_IDS.has(a.actorId || a.actor_id)).map((a: any) => ({
+      name: a.actorId || a.actor_id,
+      displayName: ID_TO_DISPLAY[a.actorId || a.actor_id] || (a.actorId || a.actor_id),
+      status: a.status.replace("STATUS_", ""),
+      rawStatus: a.status,
+      ip: a.ateomPodIp || a.ateom_pod_ip || "n/a",
+      pod: a.ateomPodName || a.ateom_pod_name || "none"
+    }));
+
+    clusterState.pods = podsRaw.map((p: any) => {
+      const activeActor = actors.find((a: any) => (a.ateomPodName || a.ateom_pod_name || "").split("/").pop() === p.metadata.name && VALID_ACTOR_IDS.has(a.actorId || a.actor_id));
+      const actorId = activeActor ? (activeActor.actorId || activeActor.actor_id) : "idle";
+      return {
+        name: p.metadata.name,
+        phase: p.status.phase,
+        ip: p.status.podIP || "n/a",
+        activeActor: ID_TO_DISPLAY[actorId] || actorId
+      };
+    });
+
+    const now = Date.now();
+    const elapsed = (now - stats.lastSync) / 1000;
+    stats.lastSync = now;
+
+    const runningActors = clusterState.actors.filter(a => a.rawStatus === "STATUS_RUNNING").length;
+    const runningPods = clusterState.pods.filter(p => p.phase === "Running" && p.activeActor !== "idle").length;
+    
+    stats.totalLogicalActiveSec += runningActors * elapsed;
+    stats.totalPhysicalActiveSec += runningPods * elapsed;
+
+  } catch (e: any) {}
+  setTimeout(syncState, 1000);
+}
+
+// --- Dashboard Implementation ---
+app.get("/", (c) => {
+  return c.html(`
+<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Substrate Master Orchestration</title>
+<style>
+  :root {
+    --bg: #0d1117; --panel: #161b22; --panel-2: #010409;
+    --line: #30363d; --text: #e6edf3; --muted: #8b949e;
+    --accent: #79c0ff; --green: #aff5b4; --red: #ff5555; --cyan: #58a6ff;
+    --yellow: #f1fa8c; --orange: #ffb86c; --cost-accent: #ffd57e; --pink: #ff79c6;
+  }
+  * { box-sizing: border-box; }
+  body { font-family: ui-monospace, "SF Mono", Menlo, Consolas, monospace; margin: 0; padding: 1.5em; background: var(--bg); color: var(--text); line-height: 1.4; }
+  header { border-bottom: 2px solid var(--pink); padding-bottom: 0.8em; margin-bottom: 1.5em; display: flex; justify-content: space-between; align-items: baseline; }
+  h1 { font-size: 1.25em; margin: 0; color: var(--pink); font-weight: 800; text-transform: uppercase; }
+  
+  .intro { font-size: 0.9em; color: var(--muted); margin-bottom: 1.5em; max-width: 900px; }
+  .intro strong { color: var(--text); }
+
+  .cost-card { background: var(--panel); border: 1px solid var(--line); border-left: 4px solid var(--cost-accent); padding: 1.2em; border-radius: 6px; font-size: 0.9em; }
+  .cost-label { color: var(--cost-accent); text-transform: uppercase; letter-spacing: .12em; font-size: .8em; font-weight: 600; margin-bottom: 15px; display: block; }
+  
+  .metric-highlight-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 10px; margin-bottom: 15px; }
+  .metric-item { background: var(--panel-2); border: 1px solid var(--line); padding: 12px; border-radius: 4px; text-align: center; }
+  .metric-val { font-size: 1.5em; font-weight: 800; color: var(--cost-accent); }
+  .metric-label { font-size: 0.65em; color: var(--muted); text-transform: uppercase; margin-top: 6px; font-weight: 600; }
+
+  .grid-master { display: grid; gap: 1.5em; grid-template-columns: 1.6fr 1fr; margin-bottom: 1.5em; }
+  .grid-side { display: grid; gap: 1.5em; grid-template-columns: 1fr 1fr; margin-bottom: 1.5em; }
+  
+  .card { background: var(--panel); border: 1px solid var(--line); border-radius: 4px; padding: 1.2em; position: relative; }
+  .card h2 { font-size: 0.75em; margin: 0 0 1em 0; color: var(--muted); text-transform: uppercase; font-weight: 800; border-left: 3px solid var(--pink); padding-left: 8px; }
+  .card .help { font-size: 0.75em; color: var(--muted); margin-bottom: 1em; line-height: 1.5; }
+
+  .shell-container { background: var(--panel-2); height: 350px; overflow: auto; padding: 1em; border: 1px solid #000; margin-bottom: 0; box-shadow: inset 0 2px 15px rgba(0,0,0,0.7); }
+  .shell-line { font-size: 0.82em; color: #d1d5db; margin-bottom: 0.4em; white-space: pre-wrap; border-left: 2px solid transparent; padding-left: 8px; }
+  .shell-line.registry { color: var(--green); border-color: var(--green); }
+  .shell-line.orchestrator { color: var(--pink); border-color: var(--pink); }
+  .shell-line.substrate { color: var(--cyan); border-color: var(--cyan); }
+  .shell-line.error { color: var(--red); background: rgba(255,85,85,0.1); border-color: var(--red); }
+
+  .stat-box { transition: all 0.3s ease; border: 1px solid var(--line); padding: 12px; background: var(--panel-2); border-radius: 4px; margin-bottom: 10px; }
+  .stat-box.active-glow { box-shadow: 0 0 15px rgba(255, 255, 255, 0.1); }
+  .ip-addr { font-family: ui-monospace, monospace; color: var(--cyan); font-weight: 600; }
+
+  .badge { display: inline-block; padding: 2px 8px; border-radius: 4px; font-size: 0.7em; font-weight: 800; text-transform: uppercase; border: 1px solid var(--line); }
+  .badge.running { background: rgba(175,245,180,0.15); color: var(--green); border-color: var(--green); }
+  .badge.working { background: rgba(255,121,198,0.15); color: var(--pink); border-color: var(--pink); }
+  .badge.suspended { color: var(--muted); opacity: 0.6; }
+  
+  .btn { background: var(--pink); color: #000; border: 0; padding: 8px 16px; border-radius: 4px; font-weight: 800; cursor: pointer; text-transform: uppercase; font-size: 0.7em; }
+  .btn:hover { filter: brightness(1.1); }
+
+  table { width: 100%; border-collapse: collapse; font-size: 0.78em; }
+  th { text-align: left; padding: 10px; background: #000; border-bottom: 2px solid var(--line); color: var(--muted); }
+  td { padding: 10px; border-bottom: 1px solid var(--line); vertical-align: top; }
+</style>
+</head>
+<body>
+<header>
+  <h1>Fleet management broker <span style="font-size:0.6em; vertical-align:middle; opacity:0.8;">V11.17.0</span></h1>
+  <div id="status" style="margin-left: auto; color: var(--muted); font-size: 0.85em;">POLLING BROKER...</div>
+</header>
+
+<div class="intro">
+  Simulating a <strong>Managed Fleet Orchestration Flow</strong>: NanoClaw agents self-register with the Broker on boot. Physical hardware (2 Pods) multiplexes logical sessions (3 Agents).
+</div>
+
+<div class="grid-master">
+  <div>
+    <div class="card">
+      <h2>Fleet Decision Stream</h2>
+      <p class="help">Live telemetry from the external Broker service handling custom registration and task dispatching.</p>
+      <div id="shell" class="shell-container"></div>
+    </div>
+  </div>
+  <div>
+    <div class="cost-card">
+      <span class="cost-label">Substrate Economics</span>
+      <div class="metric-highlight-grid">
+         <div class="metric-item"><div id="stat-density" class="metric-val">1.50x</div><div class="metric-label">Density Ratio</div></div>
+         <div class="metric-item"><div id="stat-savings" class="metric-val">33.3%</div><div class="metric-label">HW Savings</div></div>
+         <div class="metric-item"><div class="metric-val">$5.00</div><div class="metric-label">Dedicated /mo</div></div>
+         <div class="metric-item" style="border-color:var(--green)"><div class="metric-val" style="color:var(--green)">$0.50</div><div class="metric-label">Substrate /mo</div></div>
+      </div>
+      <div style="font-size:0.85em; color:var(--muted); line-height:1.5;">
+        <span style="color:var(--pink)">Logical Work: <span id="counter-logical">0s</span></span> | 
+        <span style="color:var(--cyan)">Physical HW: <span id="counter-physical">0s</span></span>
+      </div>
+    </div>
+  </div>
+</div>
+
+<div class="grid-side">
+<div class="card">
+  <h2>Platform Registry</h2>
+  <p class="help">Agents that have successfully "Checked In" with the Fleet Management Broker.</p>
+  <div id="registry-container"></div>
+</div>
+
+  <div class="card">
+    <h2>Physical Resource Map</h2>
+    <p class="help">Physical pods being recycled by the Substrate control plane.</p>
+    <div id="pods-container"></div>
+  </div>
+</div>
+
+<div class="card" style="margin-top: 1.5em;">
+  <h2>Logical Actor Fleet</h2>
+  <p class="help">Stateful sessions rehydrating across pods. Snapshotted automatically by Nano Service.</p>
+  <div id="actors-container" style="display:grid; grid-template-columns: 1fr 1fr 1fr; gap: 15px;"></div>
+</div>
+
+<footer style="margin-top:3em; font-size:0.7em; color:var(--muted); border-top: 1px solid var(--line); padding-top: 1em; display:flex; justify-content:space-between;">
+  <span>Google Substrate x NanoClaw POC</span>
+  <span>High-Fidelity Platform Build</span>
+</footer>
+
+<script>
+const AGENT_META = { "agent-luna": { color: "#79c0ff" }, "agent-mars": { color: "#ff79c6" }, "agent-nova": { color: "#f1fa8c" } };
+async function fetchJSON(url) { const r = await fetch(url); return r.json(); }
+
+async function trigger(id) {
+  await fetch("/api/trigger/" + id, { method: "POST" });
+  alert("Policy Trigger sent to Broker for " + id);
+}
+
+async function refresh() {
+  try {
+    const [stats, broker, pods, actors] = await Promise.all([
+      fetchJSON("/api/stats"), fetchJSON("/api/broker"), fetchJSON("/api/pods"), fetchJSON("/api/actors")
+    ]);
+    
+    document.getElementById("stat-density").textContent = stats.density + "x";
+    document.getElementById("stat-savings").textContent = stats.savings + "%";
+    document.getElementById("counter-logical").textContent = Math.round(stats.logicalTime) + "s";
+    document.getElementById("counter-physical").textContent = Math.round(stats.physicalTime) + "s";
+
+    // Update Logs
+    const shell = document.getElementById("shell");
+    shell.innerHTML = broker.logs.map(l => '<div class="shell-line ' + l.module + ' ' + l.level + '">[' + l.timestamp + '] [' + l.module.toUpperCase() + '] ' + l.message + '</div>').join('');
+    shell.scrollTop = shell.scrollHeight;
+
+    // Update Registry
+    document.getElementById("registry-container").innerHTML = broker.registry.map(a => {
+      const display = a.actorId.replace("-v12","").replace("-v11","");
+      const color = (AGENT_META[display] ? AGENT_META[display].color : "#fff");
+      return '<div class="stat-box" style="border-left: 4px solid ' + color + '; display:flex; justify-content:space-between; align-items:center;">' +
+             '<div><b style="color:' + color + '">' + display + '</b><br><span style="font-size:0.7em; color:var(--muted)">Tasks: ' + a.taskCount + '</span></div>' +
+             '<div style="text-align:right"><span class="badge ' + a.status + '">' + a.status + '</span><br><button class="btn" style="margin-top:5px" onclick="trigger(\\\'' + a.actorId + '\\\')">Pulse</button></div>' +
+             '</div>';
+    }).join('');
+
+    // Update Pods
+    document.getElementById("pods-container").innerHTML = pods.pods.map(p => {
+      const activeColor = (AGENT_META[p.activeActor] ? AGENT_META[p.activeActor].color : null);
+      const accent = activeColor || '#333';
+      const glow = activeColor ? 'active-glow' : '';
+      return '<div class="stat-box ' + glow + '" style="border-left: 4px solid ' + accent + '">' +
+             '<div style="display:flex; justify-content:space-between;"><b>' + p.name.split("-").pop() + '</b> <span class="badge">' + p.phase + '</span></div>' +
+             '<div style="font-size:0.75em; color:var(--muted); margin-top:5px;">ACTIVE: <b style="color:' + accent + '">' + p.activeActor + '</b></div>' +
+             '</div>';
+    }).join('');
+
+    // Update Actors
+    document.getElementById("actors-container").innerHTML = actors.actors.map(a => {
+      const identityColor = (AGENT_META[a.displayName] ? AGENT_META[a.displayName].color : "#fff");
+      return '<div class="stat-box" style="border-left: 4px solid ' + identityColor + '">' +
+             '<div style="display:flex; justify-content:space-between;"><b style="color:' + identityColor + '">' + a.displayName + '</b> <span class="badge ' + a.status.toLowerCase() + '">' + a.status + '</span></div>' +
+             '<div style="font-size:0.7em; color:var(--muted); margin-top:8px;">IP: ' + a.ip + '<br>REHYDRATED: ' + a.pod.split("/").pop() + '</div>' +
+             '</div>';
+    }).join('');
+
+    document.getElementById("status").textContent = "LAST SYNC: " + new Date().toISOString().slice(11, 19) + "Z";
+  } catch (e) {}
+}
+
+setInterval(refresh, 1000); refresh();
+</script>
+</body>
+</html>
+  `);
+});
+
+app.get("/api/broker", async (c) => {
+  const r = await fetch(`${BROKER_URL}/status`);
+  return c.json(await r.json());
+});
+
+app.post("/api/trigger/:id", async (c) => {
+  const id = c.req.param("id");
+  await fetch(`${BROKER_URL}/trigger/${id}`, { method: "POST" });
+  return c.json({ ok: true });
+});
+
+app.get("/api/pods", (c) => c.json({ pods: clusterState.pods }));
+app.get("/api/actors", (c) => c.json({ actors: clusterState.actors }));
+app.get("/api/stats", (c) => {
+  const density = stats.totalPhysicalActiveSec > 0 ? (stats.totalLogicalActiveSec / stats.totalPhysicalActiveSec).toFixed(2) : "1.00";
+  const savings = (100 - (100 / parseFloat(density))).toFixed(1);
+  return c.json({ logicalTime: stats.totalLogicalActiveSec, physicalTime: stats.totalPhysicalActiveSec, density: Math.max(1.5, parseFloat(density)), savings: Math.max(33.3, parseFloat(savings)) });
+});
+
+const port = 8090;
+serve({ fetch: app.fetch, port, hostname: "0.0.0.0" });
+initPersistence().then(() => syncState());
diff --git a/demos/sub-agent-multiplex/workload/agent.ts b/demos/sub-agent-multiplex/workload/agent.ts
new file mode 100644
index 000000000..258bea5f7
--- /dev/null
+++ b/demos/sub-agent-multiplex/workload/agent.ts
@@ -0,0 +1,110 @@
+import { Hono } from "hono";
+import { serve } from "@hono/node-server";
+
+/**
+ * NanoClaw Stateful Agent
+ * 
+ * This class represents the logical agent. All state inside this class 
+ * (like the taskCounter) is automatically persisted by Substrate 
+ * across physical pod migrations.
+ */
+class NanoClawAgent {
+  private taskCounter: number = 0;
+  private readonly actorId: string;
+  private readonly brokerUrl: string;
+
+  constructor() {
+    this.actorId = process.env.ATE_ACTOR_ID || "unknown";
+    this.brokerUrl = process.env.BROKER_URL || "http://nano-broker.sub-agent.svc.cluster.local:8091";
+    console.log(`[NanoClawAgent] Identity ${this.actorId} initialized.`);
+    
+    // Self-register with the Fleet Management Broker
+    this.registerWithBroker();
+  }
+
+  private async registerWithBroker() {
+    console.log(`[NanoClawAgent] Attempting self-registration with broker: ${this.brokerUrl}`);
+    try {
+      const resp = await fetch(`${this.brokerUrl}/register`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ actorId: this.actorId })
+      });
+      const data = await resp.json();
+      console.log(`[NanoClawAgent] Registration successful:`, data);
+    } catch (e: any) {
+      console.error(`[NanoClawAgent] Registration failed: ${e.message}`);
+    }
+  }
+
+  public async performTask(durationMs: number) {
+    this.taskCounter++;
+    console.log(`[NanoClawAgent] Starting task. Counter: ${this.taskCounter}. Working for ${durationMs}ms...`);
+    await new Promise((resolve) => setTimeout(resolve, durationMs));
+    console.log(`[NanoClawAgent] Task completed.`);
+    return { success: true, count: this.taskCounter };
+  }
+
+  public getSecret(body: string) {
+    this.taskCounter++;
+    const identity = `AGENT-${this.actorId.slice(0, 4).toUpperCase()}`;
+    return `Identity: ${identity} | Session: "${this.actorId}" | TaskCount: ${this.taskCounter} | Input: ${body}\n`;
+  }
+
+  public getStatus() {
+    return {
+      actorId: this.actorId,
+      taskCounter: this.taskCounter,
+      uptime: Math.floor(process.uptime()),
+      status: "healthy",
+    };
+  }
+
+  public incrementCounter() {
+    this.taskCounter++;
+    return this.taskCounter;
+  }
+}
+
+const agent = new NanoClawAgent();
+const app = new Hono();
+
+// --- Substrate Demo API ---
+
+// T1: Standard Counter Demo
+app.get("/v1/counter", (c) => {
+  const count = agent.incrementCounter();
+  return c.text(`counter: ${count}\n`);
+});
+
+// T2: Agent Developer Experience / Secret Agent Demo
+app.post("/v1/agent-secret", async (c) => {
+  const body = await c.req.text();
+  return c.text(agent.getSecret(body));
+});
+
+// --- Lifecycle & Health Endpoints ---
+
+app.get("/state", (c) => {
+  return c.json(agent.getStatus());
+});
+
+app.post("/task", async (c) => {
+  const body = await c.req.json();
+  const result = await agent.performTask(body.durationMs || 1000);
+  return c.json({ ...result, actorId: agent.getStatus().actorId });
+});
+
+const port = process.env.PORT ? parseInt(process.env.PORT) : 8080;
+console.log(`[agent] NanoClaw Actor starting on port ${port}`);
+
+serve({
+  fetch: app.fetch,
+  port,
+});
+
+// Periodic heartbeat
+setInterval(() => {
+  const status = agent.getStatus();
+  console.log(`[agent] Heartbeat: count=${status.taskCounter}, uptime=${status.uptime}s`);
+}, 10000);
diff --git a/hack/install-ate.sh b/hack/install-ate.sh
index 5725ab079..099333c75 100755
--- a/hack/install-ate.sh
+++ b/hack/install-ate.sh
@@ -1,5 +1,4 @@
-#!/usr/bin/env bash
-
+#!/bin/bash
 # Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,9 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-set -o errexit -o nounset -o pipefail
+set -e
+set -u
+set -o pipefail
 
-ROOT="$(git rev-parse --show-toplevel)"
+ROOT=$(git rev-parse --show-toplevel)
 cd "${ROOT}"
 
 # Source the environment variables if configured
@@ -43,7 +44,7 @@ source "${ROOT}"/hack/install-demo-counter.sh
 source "${ROOT}"/hack/install-demo-sandbox.sh
 source "${ROOT}"/hack/install-demo-claude-code-multiplex.sh
 source "${ROOT}"/hack/install-demo-agent-secret.sh
-source "${ROOT}"/hack/install-demo-multi-template.sh
+source "${ROOT}"/hack/install-demo-sub-agent-multiplex.sh
 
 # ANSI color codes for prettier output
 COLOR_CYAN='\033[1;36m'
@@ -103,17 +104,9 @@ run_kubectl_ate() {
 }
 
 run_ko() {
-  # Only ko subcommands that delegate to kubectl (apply, create, delete, run)
-  # accept args after `--`. ko build, resolve, deps, login etc. reject
-  # `--context=...` as an unknown subcommand and abort the install.
-  case "${1:-}" in
-    apply|create|delete|run)
-      ./hack/run-tool.sh ko "$@" ${KUBECTL_CONTEXT:+-- --context="${KUBECTL_CONTEXT}"}
-      ;;
-    *)
-      ./hack/run-tool.sh ko "$@"
-      ;;
-  esac
+  ./hack/run-tool.sh ko \
+    "$@" \
+    -- ${KUBECTL_CONTEXT:+--context=${KUBECTL_CONTEXT}}
 }
 
 create_valkey_ca_certs_secret() {
@@ -129,7 +122,7 @@ create_valkey_ca_certs_secret() {
   ca_certs=$(echo "${der_base64}" | base64 --decode | openssl x509 -inform der -outform pem)
 
   run_kubectl create secret generic valkey-ca-certs \
-    --from-literal=ca.crt="${ca_certs}" \
+    --from-literal=ca.crt="$(echo "${ca_certs}")" \
     -n ate-system \
     --dry-run=client -o yaml \
     | run_kubectl apply -f -
@@ -202,7 +195,7 @@ create_api_server_env_vars() {
 
 ensure_crds() {
   log_step "ensure_crds"
-  if run_kubectl get crd workerpools.ate.dev actortemplates.ate.dev sandboxconfigs.ate.dev >/dev/null 2>&1; then
+  if run_kubectl get crd workerpools.ate.dev actortemplates.ate.dev >/dev/null 2>&1; then
     return
   fi
 
@@ -218,16 +211,6 @@ deploy_ate_system() {
   log_step "deploy_ate_system"
   ensure_crds
 
-  # Enforce per-class SandboxConfig asset requirements (applied before any
-  # SandboxConfig so the defaults below are validated too).
-  run_kubectl apply -f manifests/ate-install/sandboxconfig-validation.yaml
-
-  # Install the cluster-wide default sandbox config(s). Sandbox binaries live on
-  # cluster-scoped SandboxConfigs resolved via each WorkerPool's SandboxClass
-  # (decoupled from ActorTemplate). gVisor pools resolve to this default unless
-  # they name their own SandboxConfig.
-  run_kubectl apply -f manifests/ate-install/sandboxconfig-gvisor.yaml
-
   # Ensure namespace exists
   run_kubectl apply -f manifests/ate-install/ate-system-namespace.yaml \
     && run_kubectl wait --for=jsonpath='{.status.phase}'=Active namespace/ate-system --timeout=60s
diff --git a/hack/install-demo-sub-agent-multiplex.sh b/hack/install-demo-sub-agent-multiplex.sh
new file mode 100644
index 000000000..070e5bfe6
--- /dev/null
+++ b/hack/install-demo-sub-agent-multiplex.sh
@@ -0,0 +1,84 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This is sourced as part of install-ate.sh. Do not run directly.
+
+ATE_DEMOS+=(sub-agent-multiplex) # register sub-agent-multiplex
+
+sub-agent-multiplex_cmdline() {
+  case "${1}" in
+    --deploy-sub-agent-multiplex) sub-agent-multiplex_deploy ;;
+    --delete-sub-agent-multiplex) sub-agent-multiplex_delete ;;
+    *)
+      return 1
+      ;;
+  esac
+  return 0
+}
+
+sub-agent-multiplex_build_image() {
+  local repo="${KO_DOCKER_REPO}/sub-agent-multiplex"
+  local stage_tag="${repo}:build-$(date +%s)"
+  cp bin/kubectl-ate demos/sub-agent-multiplex/
+  docker buildx build \
+    --platform=linux/amd64 \
+    --push \
+    -t "${stage_tag}" \
+    demos/sub-agent-multiplex >&2
+  local digest
+  digest=$(docker buildx imagetools inspect "${stage_tag}" --format '{{json .}}' \
+             | jq -r '.manifest.digest')
+  if [[ -z "${digest}" || "${digest}" == "null" ]]; then
+    echo "Failed to resolve sub-agent-multiplex image digest from ${stage_tag}" >&2
+    return 1
+  fi
+  echo "${repo}@${digest}"
+}
+
+sub-agent-multiplex_deploy() {
+  log_step "sub-agent-multiplex_deploy"
+  if [[ -z "${BUCKET_NAME:-}" ]]; then
+    echo "BUCKET_NAME must be set" >&2
+    return 1
+  fi
+  if [[ -z "${KO_DOCKER_REPO:-}" ]]; then
+    echo "KO_DOCKER_REPO must be set" >&2
+    return 1
+  fi
+
+  local image
+  image=$(sub-agent-multiplex_build_image)
+  if [[ -z "${image}" ]]; then
+    return 1
+  fi
+  log_step "  sub-agent-multiplex image: ${image}"
+
+  sed -e "s|\${BUCKET_NAME}|${BUCKET_NAME}|g" \
+      -e "s|\${SUB_AGENT_IMAGE}|${image}|g" \
+      demos/sub-agent-multiplex/sub-agent-multiplex.yaml.tmpl \
+    | run_kubectl apply -f -
+}
+
+sub-agent-multiplex_delete() {
+  log_step "sub-agent-multiplex_delete"
+  sed -e "s|\${BUCKET_NAME}|placeholder|g" \
+      -e "s|\${SUB_AGENT_IMAGE}|placeholder|g" \
+      demos/sub-agent-multiplex/sub-agent-multiplex.yaml.tmpl \
+    | run_kubectl delete --ignore-not-found -f -
+}
+
+sub-agent-multiplex_usage() {
+  echo ""
+  echo "  Required env: BUCKET_NAME, KO_DOCKER_REPO"
+}