Files
hunfabric/skills/fast/prerequisites/references/phase2-admin-and-baseline.md
Ludovico Magnocavallo 81f72e8068 Add FAST Prerequisites Skill and Gemini Skill Test Harness (#3979)
* initial version of a FAST pre-install skill

* first round of testing

* Update fast-0-org-setup-prereqs skill with improved UX and local path handling

- Add explicit lockout warning and stop condition if the user is not a member of the provided Admin Principal group.
- Streamline bootstrap project selection to only prompt for an override if the active gcloud project is rejected.
- Restrict dataset discovery strictly to the `fast/stages/0-org-setup/datasets/` directory.
- Improve location handling by referencing `defaults.schema.json` for Standard GCP and auto-configuring fixed regions for GCD.
- Add comprehensive `local_path` management: prompt for customization, create directories, move `defaults.yaml` to the local data folder, and symlink `0-org-setup.auto.tfvars` back to the stage directory.

* add testing scenarios, implement initial changes for scenario 2

* move skills

* move to a skills/fast subfolder

* Refactor fast-0-org-setup prereqs skill

* Add skill-turn-harness utility tool

* Use relative markdown links for skill references

* Use descriptive titles for markdown links in skill references

* Add descriptions to each phase in the prerequisites workflow map

* Use backslash for markdown line breaks in skill map

* Update README security warning to mention default .gitignore

* shebang

* Update fast prereqs skill rules to force sequential question flow and refine harness tool with proper ctrl+c handling and slugified log paths

* Move playbook-gcp-dev.yaml to fast/prerequisites/gcp-dev.yaml and update fast prerequisites

* docs(skill-turn-harness): detail autonomous pond testing approach

* docs(skill-turn-harness): add final_state_checks to pond architecture and update toc

* Refine fast prereqs SKILL and gcp-dev playbook to strictly align with one-question-at-a-time rule

* feat(skill-turn-harness): update playbook schema for autonomous persona mode

* feat(skill-turn-harness): implement autonomous persona testing mode and fallback logic

* docs(skill-turn-harness): document the three modes of testing and update ToC

* implement timeout, schema validation, configurable cli

* chore: remove accidentally committed log files

* chore: ignore logs directory

* feat(skill-harness): implement tool execution interception, configurable workspace, and modularized validation

* feat(skill-harness): add model configuration and update README

* fix(skill-harness): automatically inject -y flag to gemini commands

* docs(skill-harness): add TODO.md with analysis for skill environment dependencies

* feat(skill-harness): add working_dir support and clean up fixtures

- Implement working_dir in harness to run tests in specific directories.
- Rename test fixtures and playbooks to be more descriptive.
- Add E2E test for working_dir.
- Apply code quality improvements to harness.py (imports, linting).
- Update README with working directory considerations and usage notes.
- Update phase3-bootstrap-and-iam.md skill doc to add execution rule against creating temp scripts.

* fix: capture customer_id and respect relative paths

* Implement isolated temp workspace sandboxing with symlinks in test harness

* Configure GCD manual autonomous playbook and align Phase 3/4 steps order

* Fix linting and schema tests failures

- Add missing license headers to tools/skill-turn-harness files.

- Fix trailing spaces and newlines in playbooks.

- Ignore tools directory in schema tests workflow.

TAG=agy

CONV=1bb75453-c3e2-448b-bae9-8e332a068012

* Fix Python formatting with yapf

TAG=agy

CONV=1bb75453-c3e2-448b-bae9-8e332a068012

* Refactor skill-turn-harness to use Antigravity SDK

- Migrated harness from gemini-cli subprocesses to Antigravity SDK.
- Implemented real-time step streaming and console logging.
- Added color-coded terminal output (dark gray headers, blue inputs, pink outputs).
- Collapsed excessive newlines in streamed thoughts.
- Excluded harness codebase from workspace copy to prevent agent cheating.
- Enabled skills folder copy to resolve agent lookup loops.
- Added key validation and CLI --debug flag.

* Fix autonomous turn layout: print Turn ID before execution

- Moved the [Autonomous Turn X] header print to before running the agent turn.
- This groups the real-time thinking and tool calls under the correct Turn ID block, instead of displaying them before the label.

* Remove obsolete .log.md from prerequisites skill directory
2026-05-22 17:16:54 +00:00

5.7 KiB

Phase 2: Admin Principal & Baseline Info

Step 3: Admin Principal Definition

  1. Explain the concept of the Admin Principal. This is the identity (or group of identities) that will be granted the necessary FAST roles to deploy the foundation and manage critical organization-level configurations and policies thereafter.
  2. Determine the Admin Principal approach by asking the user to choose between two options:
    • Approach A (Preferred): Use a pre-created Group.
      • Action: Explain that using a group (e.g., group:gcp-organization-admins@example.com) is the standard and preferred way. Crucially, clarify that the group provided MUST be a group that the user's current authenticated identity belongs to, otherwise they will lock themselves out.
      • Action: Ask the user to provide the group email address.
      • Action: Explicitly ask the user to confirm that their current identity (the one they just authenticated with) is already a member of this group.
      • Action: If the user answers "No" to the membership confirmation, DO NOT PROCEED. Inform the user that proceeding will lock them out. Ask them to either authenticate with an identity that is a member of the group (and restart the authentication step), or provide a different group that their current identity belongs to.
    • Approach B (Fallback): Use a Single User.
      • Action: Explain that this flow uses a single user as the sole GCP Org Admin, but more can be added later.
      • Action: Run (or ask the user to run) gcloud config list account --format="value(core.account)" to retrieve their current authenticated principal.
      • Action: Show the user their current principal and explicitly ask them to confirm this is the identity they want to use as the Admin Principal.

Step 4: Baseline Information Gathering

  1. Gather baseline information required for 0-org-setup:
    • Organization ID (and the associated Directory Customer ID, which is important for Standard GCP but not required for GCD)
    • Billing Account ID (Mandatory for subsequent stages, even if not required for the GCD temporary project)
    • Action: When prompting the user for the Organization ID and Billing Account ID, explicitly instruct them in the prompt/question that they can leave the field blank (or type "list") to have you automatically run the relevant gcloud command (gcloud organizations list --format="json" or gcloud beta billing accounts list). Also, instruct them that they can type a keyword to filter the list.
    • Action: If the user leaves the field blank or types "list", run the gcloud command without filters. If the user types a keyword that is not a valid Organization ID (numeric) or Billing Account ID (e.g., 012345-6789AB-CDEF01), run the gcloud command and use that keyword to filter the results using a case-insensitive regex match. Ensure the regex pattern is enclosed in single quotes within the filter argument (e.g., --filter="displayName~'(?i)KEYWORD'"). Do NOT use * wildcards in the filter.
    • Action: If the filtered gcloud command returns no results, inform the user and use the ask_user tool to ask if they want to provide a different keyword or fetch all items (run without a filter).
    • Action: Once you have results for Organizations (filtered or unfiltered), extract the Organization ID, the Display Name (domain), and the Directory Customer ID (found in owner.directoryCustomerId in the JSON output). Sort them alphabetically by the display name, and then output the sorted results as a clearly formatted numbered list in the chat. Then, use the ask_user tool (type: text) to ask the user to enter the number corresponding to their selection. Note the Organization ID, Domain, and Customer ID for Phase 4. For Billing Accounts, do the same sorting and prompting.
  2. Determine the Admin Principal's access level to the provided Billing Account ID. Ask which of the following three scenarios applies to the Admin Principal (not necessarily the current user):
    • Scenario 1 (Billing Administrator): The Admin Principal has roles/billing.admin.
      • Action: Ask a follow-up question: "Is your billing account managed by the same organization where we are installing FAST, or outside of it? (You can check this in the Google Cloud Console by going to Billing -> using the organization picker on top -> checking if the account is listed under this organization)."
      • If Inside the Org: Note that roles/billing.admin WILL be assigned at the Organization level in Step 6. Instruct the user that we will deactivate the billing factories path for now, but if account-level IAM also needs to be managed via FAST later, they can reactivate the path and use the billing YAML to do it.
      • If Outside the Org: Note that roles/billing.admin WILL NOT be assigned at the Organization level in Step 6.
    • Scenario 2 (Billing User): The Admin Principal has roles/billing.user but NOT admin rights.
      • Action: Note that roles/billing.admin WILL NOT be assigned at the Organization level in Step 6. Either disable the billing YAML via the factories_config variable or comment it out, since the Admin Principal cannot control IAM on the account.
      • Action: Explain to the user: The service accounts for IaC (and therefore the provider switch and subsequent stages, except for VPC-SC) will not be operative until the correct billing permissions have been assigned to them outside of FAST.
    • Scenario 3 (No Access): The Admin Principal has absolutely no rights on the billing account.
      • Action: Clearly state: This scenario is mostly used for development purposes, is strongly discouraged, and requires advanced Terraform skills and FAST knowledge to proceed.
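As an added illustration (not part of this skill or its repository), the Python below mirrors the Step 4 input handling: it classifies the user's answer (blank or "list", a numeric Organization ID, a Billing Account ID, or a filter keyword), builds the single-quoted case-insensitive filter expression without wildcards, and extracts Organization ID, domain and Directory Customer ID from `gcloud organizations list --format="json"` output sorted by display name. The sample JSON is constructed, and the Billing Account ID shape is assumed from the skill's own example value.

```python
import json
import re
from typing import Optional

# Constructed sample of `gcloud organizations list --format="json"` output; not real data.
SAMPLE_ORGS_JSON = json.dumps([
    {"displayName": "zeta.example", "name": "organizations/333333333333",
     "owner": {"directoryCustomerId": "C03zzzzzz"}},
    {"displayName": "acme.example", "name": "organizations/111111111111",
     "owner": {"directoryCustomerId": "C01aaaaaa"}},
    {"displayName": "Beta-Acme.example", "name": "organizations/222222222222",
     "owner": {"directoryCustomerId": "C02bbbbbb"}},
])

# Billing Account ID shape assumed from the skill's example (012345-6789AB-CDEF01).
BILLING_ID_RE = re.compile(r"^[0-9A-F]{6}-[0-9A-F]{6}-[0-9A-F]{6}$")


def classify_input(value: str):
    """Map the user's answer to the action the skill prescribes.
    Returns ("list", None), ("org", id), ("billing", id) or ("keyword", keyword)."""
    v = value.strip()
    if v == "" or v.lower() == "list":
        return ("list", None)          # run the gcloud command without filters
    if v.isdigit():
        return ("org", v)              # a numeric Organization ID was given directly
    if BILLING_ID_RE.match(v.upper()):
        return ("billing", v.upper())  # a Billing Account ID was given directly
    return ("keyword", v)              # anything else filters the listing


def gcloud_filter_arg(keyword: str) -> str:
    """Filter expression as one argv element: case-insensitive regex in single
    quotes, no '*' wildcards; the keyword is escaped so it matches literally."""
    return f"displayName~'(?i){re.escape(keyword)}'"


def select_organizations(orgs_json: str, keyword: Optional[str] = None):
    """Extract Organization ID, domain and Directory Customer ID from the JSON
    output, apply the case-insensitive keyword match and sort by display name."""
    pattern = re.compile(f"(?i){re.escape(keyword)}") if keyword else None
    rows = []
    for org in json.loads(orgs_json):
        domain = org.get("displayName", "")
        if pattern and not pattern.search(domain):
            continue  # an empty result means: re-ask for a keyword or list all
        rows.append({"organization_id": org["name"].split("/")[-1], "domain": domain,
                     "customer_id": org.get("owner", {}).get("directoryCustomerId")})
    return sorted(rows, key=lambda r: r["domain"].lower())
```

The sorted rows are what the agent renders as the numbered list before the ask_user prompt; an empty list is the "no results" case that triggers the re-ask.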