
Improve bootstrap script logging for clarity and debuggability #251

Merged
amaralc merged 3 commits into main from 200-enhance-project-setup-docs
Feb 13, 2026

@amaralc amaralc commented Feb 13, 2026

Summary

Enhanced the bootstrap script logging to be more friendly, less verbose, and provide better visibility into script execution:

  • Exit on first error: Added set -e to stop on any failure
  • Clear section hierarchy: Organized steps into logical subsections (1a, 1b, 1c, 1d)
  • Suppressed verbose output: All gcloud and gsutil commands redirect to /dev/null
  • Idempotency feedback: Shows ○ existing vs ✓ created for resource status
  • Completion summary: Added actionable next steps at the end
  • Updated project insights: Captured logging patterns as long-term and short-term insights

Example Output

Before:

Operation "operations/acat.p2-707221884363-e5977a06-efc9-4ebb-b1bb-8d60c7a506ad" finished successfully.
Operation "operations/acat.p2-707221884363-970ba6b8-652e-416e-9940-f7c6e7855c7f" finished successfully.
...

After:

Setting up GCP project bootstrap-5541...
  ○ Tag key 'environment' already exists
  ✓ Tag value 'production' created
  ✓ Project created
  ✓ Billing linked
  ✓ APIs enabled
  ✓ Firebase label added

Test Plan

  • Script runs successfully with clean output
  • Idempotent operations show existing vs created status
  • Completion summary provides clear next steps
  • Script fails fast on first error

Closes #200

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation

    • Updated short-term insights with several new entries and removals; revised a long-term insight to focus on grouped operations and reduced CLI verbosity.
    • Expanded bootstrap README with more comprehensive setup parameters and automated organization-level role provisioning.
  • Chores

    • Refactored bootstrap and cleanup scripts for stricter error handling, clearer phased flow, and quieter non-interactive output.
    • Switched Terraform state storage to a new backend bucket.

amaralc and others added 2 commits February 13, 2026 18:24
…empotency

- Add set -e for fail-fast error handling
- Group operations under descriptive section headers (1a, 1b, 1c, 1d)
- Suppress verbose gcloud/gsutil output to reduce noise
- Show idempotency status: ○ for existing, ✓ for created resources
- Add completion summary with actionable next steps
- Update project insights with logging patterns learned

Addresses #200

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

vercel bot commented Feb 13, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
explore Ready Ready Preview, Comment Feb 13, 2026 9:43pm


coderabbitai bot commented Feb 13, 2026

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Updates docs and bootstrap tooling: refactors bootstrap scripts into labeled idempotent phases, adds strict error handling and WIF/GitHub setup, automates organization-level IAM role grants, adjusts Terraform backend bucket, and refreshes long‑ and short‑term insights content.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation: docs/insights-long-term.md, docs/insights-short-term.md | Replaced insight #100 text to recommend grouping operations and suppressing verbose CLI output; refreshed short-term insights with several new timestamped entries and removal of older entries. |
| Bootstrap README: teams/kernel/iac/bootstrap/README.md | Rewrote usage and invocation examples, added many new required inputs, renamed params, and documented automated organization-level IAM role grants (removed manual console steps). |
| Bootstrap scripts: teams/kernel/iac/bootstrap/project-setup.sh, teams/kernel/iac/bootstrap/project-cleanup.sh | Major refactor: added set -e, repo/path validation, reorganized into labeled phases (GCP project, WIF/OIDC, IAM role grants, support group/artifact registry, GitHub secrets/environments, Terraform backend), quieter output, idempotent checks, and improved status messages. |
| Terraform backend: teams/kernel/iac/production/backend.tf | Changed GCS backend bucket name from bootstrap-9b47-tfstate to bootstrap-5541-tfstate (state location change). |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Dev as Developer
    participant Script as project-setup.sh
    participant GCP as Google Cloud
    participant GH as GitHub
    participant GCS as GCS (Terraform backend)

    Dev->>Script: run setup (flags, repo path)
    Script->>GCP: ensure project exists, enable APIs
    Script->>GCP: create WIF pool & OIDC provider
    Script->>GCP: grant org/project IAM roles to SA
    Script->>GH: create repos/environments, push secrets (WIF configs)
    Script->>GCS: create/update backend bucket / backend.tf
    GCS-->>Script: confirm backend ready
    GH-->>Script: confirm secrets/environments created
    GCP-->>Script: confirm roles & WIF bindings
    Script-->>Dev: summary / completion status
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Poem

🐰 I hopped through scripts at break of day,

folded phases neat along the way,
WIF and roles now hum in tune,
GCS holds state beneath the moon,
Hooray — the setup hops and plays.

🚥 Pre-merge checks | ✅ 4 | ❌ 2
❌ Failed checks (2 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Linked Issues check | ❓ Inconclusive | The PR addresses linked issue #200 by improving bootstrap script logging and automation. However, #200 requires eliminating all manual steps to release and achieving a fully automated CI/CD pipeline—broader goals than logging improvements alone. The PR only partially fulfills these larger objectives [#200]. | Clarify whether this PR is intended as an incremental step toward #200's target condition or if additional changes are needed to fully close the issue. The logging improvements alone do not fully address the comprehensive CI/CD automation requirements outlined in #200. |
| Out of Scope Changes check | ❓ Inconclusive | Most changes directly support the stated objective of improving logging and debuggability. However, updates to short-term and long-term insights docs, backend.tf bucket name, and README parameter documentation appear tangential to the core logging improvement focus. | Verify that documentation updates (insights, README, backend bucket name) are intended as part of this PR or if they should be separated into distinct changes focused solely on logging improvements. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'Improve bootstrap script logging for clarity and debuggability' is concise and directly summarizes the main changes in the changeset, which focus on enhancing script logging with better structure, less noise, and clearer status indicators. |
| Description check | ✅ Passed | The PR description fully addresses the template requirements with clear sections on what was modified (logging improvements, fail-fast behavior, structured output) and how it was implemented (code changes, examples, test plan). The template's experiment record section is not required for all PRs based on context. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into main |



nx-cloud bot commented Feb 13, 2026

View your CI Pipeline Execution ↗ for commit 8091f25

| Command | Status | Duration | Result |
|---|---|---|---|
| nx affected --target=build --base=origin/main -... | ✅ Succeeded | <1s | View ↗ |
| nx affected --target=test --base=origin/main --... | ✅ Succeeded | <1s | View ↗ |
| nx affected --target=lint --base=origin/main --... | ✅ Succeeded | <1s | View ↗ |

☁️ Nx Cloud last updated this comment at 2026-02-13 21:42:48 UTC

@amaralc amaralc merged commit ca7bc8f into main Feb 13, 2026
6 of 7 checks passed

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
teams/kernel/iac/bootstrap/project-setup.sh (1)

173-176: ⚠️ Potential issue | 🟡 Minor

Typo in error message: underscore instead of hyphen.

The error message says --nx-cloud-access_token-read-write but the actual flag is --nx-cloud-access-token-read-write.

🐛 Proposed fix
 if [ -z "$NX_CLOUD_ACCESS_TOKEN_READ_WRITE" ]
 then
-    echo "Error: --nx-cloud-access_token-read-write flag is required"
+    echo "Error: --nx-cloud-access-token-read-write flag is required"
     exit 1
 fi
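
Review bot: The `echo "Error: ..."` line in this check writes to stdout, so the message is lost or mixed into captured output whenever the script's output is piped or redirected; send it to stderr by appending `>&2` to the `echo` before `exit 1`. The variable being tested holds an access token, so keep the message limited to the flag name, as it is now, and never print the value.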
🧹 Nitpick comments (1)
teams/kernel/iac/bootstrap/project-setup.sh (1)

473-475: Consider reviewing the roles/editor grant for least-privilege compliance.

The roles/editor primitive role grants broad permissions that overlap with many of the specific roles already granted (e.g., storage.admin, cloudsql.admin). While this may be intentional for bootstrap convenience, it's worth verifying whether such broad access is required, or if the specific roles alone would suffice.

Comment on lines 1 to +2
#!/bin/sh
set -e
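
Review bot: `set -e` on line 2 stops the script on a failing command but not on an unset variable; use `set -eu` so a missing or misspelled variable aborts instead of expanding to an empty string. With `-u`, the `[ -z "$VAR" ]` flag checks need the `"${VAR:-}"` form. Commands tested by `if`, `&&` or `||` are also exempt from `set -e`, so those call sites still need their own error handling.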

⚠️ Potential issue | 🟠 Major

POSIX shell declared but bash-specific syntax used throughout.

The shebang specifies #!/bin/sh for POSIX compatibility, but the script uses &>/dev/null (a bash-specific redirect) on multiple lines (300, 308, 318, 359, 367, 381, 394, 510, 523). On systems where /bin/sh is dash, ash, or another strict POSIX shell, these redirections will fail.

🔧 Proposed fix: Use POSIX-compliant redirections

Replace all occurrences of &>/dev/null with >/dev/null 2>&1:

-if gcloud resource-manager tags keys describe "$GCP_ORGANIZATION_ID/$GCP_TAG_KEY_SHORT_NAME" &>/dev/null; then
+if gcloud resource-manager tags keys describe "$GCP_ORGANIZATION_ID/$GCP_TAG_KEY_SHORT_NAME" >/dev/null 2>&1; then
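
Review bot: The condition on the `+` line discards stderr together with stdout, so a `describe` that fails for any reason other than the tag key being absent (expired credentials, missing permission, network error) is treated the same as "does not exist" and the real error is gone. Capture stderr instead, for example `err=$(gcloud ... describe ... 2>&1 >/dev/null)`, treat only a not-found result as absent, and print `$err` and exit on anything else.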

Apply the same pattern to lines 308, 318, 359, 367, 381, 394, 510, and 523.

🤖 Prompt for AI Agents
In `@teams/kernel/iac/bootstrap/project-setup.sh` around lines 1 - 2, The script
declares a POSIX shell with "#!/bin/sh" but uses bash-only redirections
"&>/dev/null"; replace every "&>/dev/null" occurrence (e.g., the redirections
used in commands around lines referenced in the review) with the POSIX-compliant
form ">/dev/null 2>&1" so the script is portable under dash/ash; search for the
string "&>/dev/null" and update those instances in the script (project-setup.sh)
to the recommended redirect syntax.

Comment on lines 52 to 54
```bash
bash teams/kernel/iac/project-setup.sh --gcp-project-id=$GCP_PROJECT_ID --gcp-billing-account-id=$GCP_BILLING_ACCOUNT_ID --domain=$DOMAIN --github-username=$GITHUB_USERNAME --github-repository=$GITHUB_REPOSITORY
sh {FOLDER_PATH}/project-setup.sh --owner-account-email=$OWNER_ACCOUNT_EMAIL --gcp-organization-id=$GCP_ORGANIZATION_ID --gcp-billing-account-id=$GCP_BILLING_ACCOUNT_ID --domain-name=$DOMAIN_NAME --github-username=$GITHUB_USERNAME --github-repository=$GITHUB_REPOSITORY --neon-api-key=$NEON_API_KEY --neon-project-location=$NEON_PROJECT_LOCATION --mongodb-atlas-org-id=$MONGODB_ATLAS_ORG_ID --mongodb-atlas-public-key=$MONGODB_ATLAS_PUBLIC_KEY --mongodb-atlas-private-key=$MONGODB_ATLAS_PRIVATE_KEY --nx-cloud-access-token-read-write=$NX_CLOUD_ACCESS_TOKEN_READ_WRITE --nx-cloud-access-token-read=$NX_CLOUD_ACCESS_TOKEN_READ
```
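
Review bot: The `sh {FOLDER_PATH}/project-setup.sh` invocation passes `--neon-api-key`, `--mongodb-atlas-private-key` and both `--nx-cloud-access-token-*` values as command-line arguments, which makes them readable by other local users through the process list while the script runs; document reading these from the environment or a prompt instead. The `$VAR` expansions are also unquoted, so a value containing spaces or glob characters splits into several arguments; write them as `--domain-name="$DOMAIN_NAME"`.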

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

rg -n "mongodb-atlas-group-id|MONGODB_ATLAS_GROUP_ID" teams/kernel/iac/bootstrap/project-setup.sh

Repository: amaralc/explore

Length of output: 88


🏁 Script executed:

head -n 30 teams/kernel/iac/bootstrap/project-setup.sh | cat -n

Repository: amaralc/explore

Length of output: 2137


🏁 Script executed:

sed -n '25p' teams/kernel/iac/bootstrap/project-setup.sh

Repository: amaralc/explore

Length of output: 730


Remove unused --mongodb-atlas-group-id from the script's expected parameters list.

The script's header comments (lines 6–21) list --mongodb-atlas-group-id as an expected parameter, but it is never used in the script logic and is omitted from the script's own example command (line 25). The README is consistent with the script's documented example, so the inconsistency should be resolved by removing --mongodb-atlas-group-id from the header comments.

🤖 Prompt for AI Agents
In `@teams/kernel/iac/bootstrap/README.md` around lines 52 - 54, Remove the unused
parameter mention --mongodb-atlas-group-id from the README header comments so
the documented expected parameters match the script and example invocation;
locate the header block that lists script flags (references to
--mongodb-atlas-group-id and MONGODB_ATLAS_GROUP_ID) and delete that flag and
any associated variable name from the list, ensuring the remaining parameters
(e.g., --mongodb-atlas-public-key, --mongodb-atlas-private-key) remain intact
and the example command and header are consistent.
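
An added example (not code from this PR or from CodeRabbit) of the quiet, idempotent existence check discussed in the review, written for POSIX sh: stdout is discarded but stderr is kept, so only a not-found result leads to creation. `fake_describe`, `fake_create`, `ensure`, the `NOT_FOUND` match string and the resource names are assumptions standing in for the real CLI calls and their error text.

```sh
#!/bin/sh
# Added example, not code from the PR. fake_describe/fake_create are stubs for
# the cloud CLI's describe/create calls; their error strings are constructed.
set -eu

STATE_DIR=$(mktemp -d)   # stands in for the resources that already exist

fake_describe() {
    case "$1" in
        forbidden-*) echo "ERROR: PERMISSION_DENIED (constructed)" >&2; return 1 ;;
    esac
    if [ -e "$STATE_DIR/$1" ]; then
        echo "name: $1"              # verbose success output we want to hide
        return 0
    fi
    echo "ERROR: NOT_FOUND (constructed)" >&2
    return 1
}

fake_create() { : > "$STATE_DIR/$1"; echo "Operation finished successfully."; }

# ensure LABEL NAME: create NAME only when describe reports it as not found.
ensure() {
    label=$1
    name=$2
    # POSIX redirection order: stderr goes to the capture, stdout is dropped.
    if err=$(fake_describe "$name" 2>&1 >/dev/null); then
        printf '  ○ %s already exists\n' "$label"
        return 0
    fi
    case "$err" in
        *NOT_FOUND*)                 # assumed marker for "does not exist"
            fake_create "$name" >/dev/null
            printf '  ✓ %s created\n' "$label" ;;
        *)                           # auth, permission, network: do not create
            printf '  ✗ %s check failed: %s\n' "$label" "$err" >&2
            return 1 ;;
    esac
}

ensure "Tag key 'environment'" tag-environment      # first run: created
ensure "Tag key 'environment'" tag-environment      # second run: existing
ensure "Project" forbidden-project || echo "  stopped: nothing was created"
```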


Development

Successfully merging this pull request may close these issues.

Target Condition: Zero manual steps to release, fully automated CI/CD pipeline
