altour_vertex_twosprints.py

1. import pandas as pd
2. from textwrap import dedent
3.  
4. rows = []
5.  
6. def add_item(id_, sprint, epic, story, criteria, tasks, dod, owner="Engineer", deps=""):
7.     rows.append({
8.         "ID": id_,
9.         "Sprint": sprint,
10.         "Epic": epic,
11.         "User Story": story.strip(),
12.         "Acceptance Criteria (Given/When/Then)": criteria.strip(),
13.         "Key Tasks": tasks.strip(),
14.         "Definition of Done": dod.strip(),
15.         "Owner": owner,
16.         "Dependencies": deps.strip()
17.     })
18.  
19. # Sprint 1 – Platform & Access (Vertex AI)
20. add_item(
21.     "GCP-01", "Sprint 1", "GCP Org & Vertex AI Setup",
22.     "As a Platform Admin, I want a dedicated GCP project and billing with budgets & alerts so that spend and access are controlled from day one.",
23.     dedent("""\
24.    Given the AltourMX organization/folder,
25.    When the Vertex project is created and linked to billing,
26.    Then monthly budgets and 80/100/120% alerts are active and owners notified."""),
27.     dedent("""\
28.    • Create GCP project under correct folder
29.    • Link billing account; enable budget & anomaly detection
30.    • Enable APIs: Vertex AI, Cloud Logging, Monitoring, Secret Manager
31.    • Name & tag standards (labels: env, owner, cost_center)"""),
32.     "Project created; budgets & alerts firing in test; APIs enabled; labels validated.",
33.     owner="Cloud Platform"
34. )
35.  
36. add_item(
37.     "GCP-02", "Sprint 1", "Identity & Security",
38.     "As a Security Engineer, I want IAM roles, service accounts, and secrets configured according to least-privilege so that no long-lived keys or over-scoped roles are used.",
39.     dedent("""\
40.    Given CI/CD and runtime services,
41.    When roles are assigned,
42.    Then service accounts have least-privilege IAM; no user-managed keys; secrets in Secret Manager."""),
43.     dedent("""\
44.    • Define service accounts (orchestrator-sa, router-sa)
45.    • Assign minimal Vertex AI, Logging, Monitoring roles
46.    • Store provider secrets in Secret Manager (no .env keys)
47.    • Workload Identity Federation for GitHub/GitLab CI"""),
48.     "IAM policy reviewed; no key leaks; secrets rotated; WIF tested in CI.",
49.     owner="Security/Platform"
50. )
51.  
52. add_item(
53.     "GCP-03", "Sprint 1", "Private Access & Perimeters",
54.     "As a NetSec Engineer, I want private access to Vertex endpoints and a VPC Service Controls perimeter so that data stays in approved boundaries.",
55.     dedent("""\
56.    Given the project VPC,
57.    When private access is configured,
58.    Then calls to Vertex Online Prediction use Private Service Connect (PSC) or private routing, and the project is within a VPC SC perimeter (Vertex, Storage, BigQuery)."""),
59.     dedent("""\
60.    • Create VPC, subnets, Cloud NAT if needed
61.    • Configure Private Service Connect for Vertex Online Prediction (where supported)
62.    • Define VPC SC perimeter incl. Vertex AI, GCS, BQ
63.    • Test egress restrictions and perimeter audit"""),
64.     "LLM calls succeed over private path; perimeter audit passes; no public egress in tests.",
65.     owner="NetSec"
66. )
67.  
68. # Sprint 1 – App Control Plane (Routing/Guardrails)
69. add_item(
70.     "RGV-01", "Sprint 1", "Routing & Guardrails on Vertex",
71.     "As an Intake Orchestrator, I want pre-model PII masking and normalization so that prompts and logs do not contain raw sensitive data.",
72.     dedent("""\
73.    Given an inbound Spanish Case with PII,
74.    When the request is prepared,
75.    Then PII is masked in the prompt/logs and originals are encrypted and not sent to the model."""),
76.     dedent("""\
77.    • PII detectors (regex + NER-lite)
78.    • Masking policy; originals to CMEK/GCS or DB
79.    • Pre-normalize dates (ISO-8601), IATA, currency"""),
80.     "Zero PII in prompts/logs on test set; security sign-off.",
81.     owner="Backend"
82. )
83.  
84. add_item(
85.     "RGV-02", "Sprint 1", "Routing & Guardrails on Vertex",
86.     "As a Policy Admin, I want locked system prompts and decoding params so users cannot override core instructions.",
87.     dedent("""\
88.    Given adversarial instructions in the email,
89.    When normalization runs,
90.    Then system prompt loads from config, user overrides are stripped, and JSON schema mode is enforced (temperature=0)."""),
91.     dedent("""\
92.    • Prompt registry with version hash
93.    • Strip user overrides
94.    • JSON-constrained decoding / schema mode"""),
95.     "Prompt hash logged per call; unit test proves override stripping."
96. )
97.  
98. add_item(
99.     "RGV-03", "Sprint 1", "Routing & Guardrails on Vertex",
100.     "As an Intake Engineer, I want language/complexity routing so common Spanish cases go to Llama 4 Scout and edge/long cases to Qwen3 32B (if self-hosted) or remain in Llama with repair loops.",
101.     dedent("""\
102.    Given an inbound Case,
103.    When language=es-* and below thresholds,
104.    Then route to Llama 4 Scout; else use fallback path (Qwen3 on custom endpoint or two-step extract+verify)."""),
105.     dedent("""\
106.    • Implement classifier & thresholds
107.    • Fallback strategy (custom Vertex endpoint or two-step flow)
108.    • Feature flag to force single-model path"""),
109.     "Routing logged with reasons; flags work in staging."
110. )
111.  
112. add_item(
113.     "RGV-04", "Sprint 1", "Schema & Repair Loop",
114.     "As a Validator, I want strict JSON Schema validation against checklist_universal_gds and an automated repair loop.",
115.     dedent("""\
116.    Given a model response,
117.    When validated,
118.    Then either it passes or precise errors trigger repair prompts (max 2 retries)."""),
119.     dedent("""\
120.    • Integrate JSON Schema validator
121.    • Implement repair prompt strategy
122.    • Cap retries; status codes & metrics"""),
123.     "≥95% schema pass on happy-path; invalid-JSON <0.5% after repair."
124. )
125.  
126. add_item(
127.     "RGV-05", "Sprint 1", "Deterministic Validators",
128.     "As Operations, I want deterministic validators (IATA, dates, phones, emails) so outputs are normalized and trustworthy.",
129.     dedent("""\
130.    Given a validated JSON,
131.    When validators run,
132.    Then fields are normalized or flagged with reasons."""),
133.     dedent("""\
134.    • Implement validators/normalizers
135.    • Error taxonomy & messages"""),
136.     "Validators pass on Golden Set; clear remediation messages."
137. )
138.  
139. # Sprint 1 – Observability & Cost
140. add_item(
141.     "OBS-01", "Sprint 1", "Observability & Cost on GCP",
142.     "As an SRE, I want per-call metrics (latency, tokens, cost, schema status) exported to Cloud Monitoring so that reliability and cost are visible.",
143.     dedent("""\
144.    Given any model call,
145.    When it completes,
146.    Then metrics are recorded and visible in dashboards (p95 latency, tokens, USD/case, schema pass/fail)."""),
147.     dedent("""\
148.    • Emit metrics via OpenTelemetry to Cloud Monitoring
149.    • Estimate cost per call (Vertex billing export or token estimator)
150.    • Build initial dashboard (6 KPIs)"""),
151.     "Dashboard live; cost estimates validated against sample invoices."
152. )
153.  
154. add_item(
155.     "OBS-02", "Sprint 1", "Observability & Cost on GCP",
156.     "As a Compliance Officer, I want immutable audit logs with correlation IDs so I can reconstruct any case end-to-end.",
157.     dedent("""\
158.    Given a processed Case,
159.    When routing/guardrail/validator actions occur,
160.    Then append-only audit events are written with minimal PII, stored with CMEK, and retention set."""),
161.     dedent("""\
162.    • Define audit schema
163.    • Write to Cloud Logging + export to WORM storage (Bucket with retention lock)
164.    • Correlation IDs across services"""),
165.     "Audit trace reconstructs full path in test; retention policies enforced."
166. )
167.  
168. add_item(
169.     "OBS-03", "Sprint 1", "Observability & Cost on GCP",
170.     "As an On-Call Engineer, I want alerts for error spikes, latency SLO breaches, and cost anomalies so I can respond quickly.",
171.     dedent("""\
172.    Given production traffic,
173.    When error rate >0.5% (5m), p95 latency >1.2s (15m), or daily spend >2× baseline,
174.    Then send alert to PagerDuty/Chat/Teams with runbook link."""),
175.     dedent("""\
176.    • Alerting policies in Cloud Monitoring
177.    • Notification channels & runbooks
178.    • Synthetic load tests to validate alerts"""),
179.     "Alerts verified in staging; on-call ack within 5 minutes."
180. )
181.  
182. # Sprint 2 – Hardening & CI/CD
183. add_item(
184.     "GCP-04", "Sprint 2", "CMEK & Data Governance",
185.     "As a Security Engineer, I want CMEK for storage and logs so that we control encryption keys and access.",
186.     dedent("""\
187.    Given storage/logs with PII,
188.    When configured,
189.    Then all artifacts and logs are encrypted with CMKs; key rotation and access policies defined."""),
190.     dedent("""\
191.    • Create KMS keyring & keys; bind to buckets/logs
192.    • Rotation policy; key access approvals
193.    • Verify encryption in object metadata"""),
194.     "Objects/logs show CMEK; rotation tested; access reviewed."
195. )
196.  
197. add_item(
198.     "GCP-05", "Sprint 2", "CI/CD & Environments",
199.     "As a Platform Owner, I want CI/CD with GitHub Actions/Cloud Build so changes to routing/prompts and config are promoted safely across dev/stg/prod.",
200.     dedent("""\
201.    Given a change,
202.    When merged,
203.    Then pipelines run tests, eval gates, and deploy via IaC (Terraform) with approvals."""),
204.     dedent("""\
205.    • Configure Cloud Build or GitHub Actions with WIF
206.    • Terraform for Vertex resources & alerting
207.    • Environment promotion with approvals"""),
208.     "Green pipeline; promotion logged; IaC drift-free post-deploy."
209. )
210.  
211. add_item(
212.     "RGV-06", "Sprint 2", "Escalation & Human-in-the-Loop",
213.     "As an Intake Orchestrator, I want escalation to a human queue with context bundle after repeated failures or low confidence.",
214.     dedent("""\
215.    Given two failed repairs or low confidence,
216.    When evaluated,
217.    Then route to a Salesforce human queue with full context and reasons."""),
218.     dedent("""\
219.    • Confidence score & thresholds
220.    • Salesforce queue integration
221.    • Context bundle (inputs, attempts, validator errors)"""),
222.     "Escalations appear with full context; QA sign-off."
223. )
224.  
225. add_item(
226.     "RGV-07", "Sprint 2", "Output Safety & Policy Checks",
227.     "As a Security Engineer, I want post-model safety scans preventing PII leakage or policy-violating content from leaving the system.",
228.     dedent("""\
229.    Given a model output,
230.    When safety scan runs,
231.    Then unauthorized PII or policy violations block delivery and trigger remediation."""),
232.     dedent("""\
233.    • Output PII scan & policy rules
234.    • Block/remediate workflow
235.    • Tests incl. adversarial samples"""),
236.     "Zero known PII leaks on Golden Set; blocks logged with audit trail."
237. )
238.  
239. add_item(
240.     "OBS-04", "Sprint 2", "KPI Dashboards & Exec Reports",
241.     "As a Product Owner, I want KPI dashboards (schema fill-rate, invalid JSON, cost per 100 cases) and weekly reports for leadership.",
242.     dedent("""\
243.    Given a week of data,
244.    When viewing the dashboard,
245.    Then I see KPI trendlines by queue and an auto-generated weekly PDF summary."""),
246.     dedent("""\
247.    • Build KPI panels in Cloud Monitoring
248.    • Per-queue/client breakdowns
249.    • Scheduled report export"""),
250.     "Stakeholder sign-off; first weekly report delivered."
251. )
252.  
253. add_item(
254.     "OBS-05", "Sprint 2", "Evaluation Harness (Spanish Golden Set)",
255.     "As a QA Lead, I want an evaluation harness with a Spanish Golden Set so regressions are caught pre-release.",
256.     dedent("""\
257.    Given a candidate change,
258.    When the eval suite runs,
259.    Then it computes accuracy and schema fill-rate gates before rollout."""),
260.     dedent("""\
261.    • Curate & label 200–500 Spanish emails
262.    • Offline eval runner & gates
263.    • Block release on gate failure"""),
264.     "CI blocks failing builds; reports archived per build."
265. )
266.  
267. # Save
268. df = pd.DataFrame(rows)
269. csv_path = "/mnt/data/AltourMX_TwoSprint_Checklist_VertexAI.csv"
270. xlsx_path = "/mnt/data/AltourMX_TwoSprint_Checklist_VertexAI.xlsx"
271. df.to_csv(csv_path, index=False)
272. with pd.ExcelWriter(xlsx_path, engine="xlsxwriter") as writer:
273.     df.to_excel(writer, index=False, sheet_name="Checklist")
274.     # Autofit columns
275.     for idx, col in enumerate(df.columns):
276.         max_len = max(df[col].astype(str).map(len).max(), len(col)) + 2
277.         writer.sheets["Checklist"].set_column(idx, idx, min(max_len, 60))
278.  
279. import ace_tools as tools; tools.display_dataframe_to_user("AltourMX Two-Sprint Checklist (Vertex AI)", df)
280.  
281. (csv_path, xlsx_path)
282.