Skip to content

Harden Cloud Shell bootstrap with verification safeguards #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Harden Cloud Shell bootstrap with verification safeguards #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
SHELL := /bin/bash

.PHONY: test lint

test: lint

lint:
shellcheck deploy/cloudshell_deploy.sh
62 changes: 61 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,61 @@
# XMIND# XMIND
# XMIND Quant Sports AI Platform

This repository packages architecture documentation and a Google Cloud Shell bootstrap script for deploying the XMIND advanced reasoning platform tailored for quant-level sports betting analysis.

## Contents
- `docs/architecture.md` – Detailed system design covering services, agents, and workflows.
- `deploy/cloudshell_deploy.sh` – One-command bootstrap script to initialize Google Cloud resources.

## Quick Start
1. Open [Google Cloud Shell](https://shell.cloud.google.com) in the project you wish to use.
2. Clone this repository or copy the `deploy/cloudshell_deploy.sh` script into Cloud Shell.
3. Confirm you have an active gcloud account (`gcloud auth login`) and set required environment variables:
```bash
export PROJECT_ID="your-project-id"
export REGION="us-central1"
export USER_EMAIL="you@example.com"
export ZONE="us-central1-a" # Optional: overrides default REGION-derived zone
export APP_ENGINE_LOCATION="us-central" # Optional: override for App Engine app required by Cloud Scheduler
```
Optional overrides include:
- `SCHEDULER_LOCATION` to target a specific Cloud Scheduler region (defaults to `REGION`).
- `CLOUD_TASKS_QUEUE` to rename the orchestration queue (defaults to `orchestration-dispatch`).
- `BQ_DATASET`, `BQ_LOCATION`, `GCS_BUCKET`, and `ENVIRONMENT_LABEL` for data residency and labeling preferences.
4. Run the deploy script (it will validate credentials, set Cloud defaults, and double-check created resources):
```bash
bash deploy/cloudshell_deploy.sh
```
5. Replace Secret Manager placeholders with your actual meta-engineered prompt and external API keys.
6. Review the created Pub/Sub subscriptions, Cloud Tasks queue, and Scheduler jobs to align them with your ingestion cadence.
7. Confirm the verification summary at the end of the script for Pub/Sub topics, Cloud Run services, Cloud Tasks queue, BigQuery dataset, and Cloud Storage bucket.
8. Build and deploy service code (orchestrator, verifier, UI, tooling) using Cloud Build and Cloud Run as described in the architecture doc.

## Post-Deployment Checklist
- Configure Identity-Aware Proxy (IAP) for the Cloud Run UI.
- Wire API Gateway or load balancer routing for unified entry points.
- Connect Vertex AI Extensions/tools for sportsbook APIs, simulations, and compliance automation.
- Enable Cloud Monitoring dashboards, alerting policies, and QA/governance audit exports.
- Populate new BigQuery tables (`qa_audits`, `portfolio_positions`) and the `recommendation_summary` view with your historical data.

## Provisioned Resources at a Glance
- **Networking:** Custom VPC and subnet with environment labels.
- **Storage:** Regional GCS bucket plus folders for prompts, model artifacts, and simulation outputs.
- **Messaging:** Pub/Sub topics and opinionated subscriptions for orchestrator, verifier, UI, and governance agents.
- **Data Warehouse:** BigQuery dataset seeded with live odds, bet recommendations, QA audits, portfolio positions, and metrics tables.
- **Orchestration:** Cloud Tasks queue and Cloud Scheduler jobs for odds refresh, QA sweeping, and governance alerts.
- **Security & Secrets:** Service accounts with scoped IAM roles (including Cloud Tasks enqueue, Pub/Sub pub/sub, BigQuery viewer access, and Run invoker bindings) and Secret Manager placeholders (including a governance policy slot).
- **Compute Skeletons:** Cloud Run services deployed with baseline environment variables and Vertex AI Workbench instance placeholder.

## Notes
- The bootstrap script now performs pre-flight checks for `gcloud`, `bq`, and `gsutil` before provisioning resources.
- App Engine is created automatically (configurable via `APP_ENGINE_LOCATION`) so Cloud Scheduler jobs succeed on first run.
- Adjust IAM roles and resource sizing to match your risk tolerance and compliance requirements.
- Update the created Scheduler jobs to call your deployed service revisions once application images are available.


## Testing
Run ShellCheck to validate the bootstrap script syntax before deploying:
```bash
make test
```
Ensure [`shellcheck`](https://www.shellcheck.net/) is installed in your environment or use Cloud Shell's package manager to install it (e.g., `sudo apt-get install -y shellcheck`).
Loading