* initial version of a FAST pre-install skill
* first round of testing
* Update fast-0-org-setup-prereqs skill with improved UX and local path handling
  - Add explicit lockout warning and stop condition if the user is not a member of the provided Admin Principal group.
  - Streamline bootstrap project selection to only prompt for an override if the active gcloud project is rejected.
  - Restrict dataset discovery strictly to the `fast/stages/0-org-setup/datasets/` directory.
  - Improve location handling by referencing `defaults.schema.json` for Standard GCP and auto-configuring fixed regions for GCD.
  - Add comprehensive `local_path` management: prompt for customization, create directories, move `defaults.yaml` to the local data folder, and symlink `0-org-setup.auto.tfvars` back to the stage directory.
* add testing scenarios, implement initial changes for scenario 2
* move skills
* move to a skills/fast subfolder
* Refactor fast-0-org-setup prereqs skill
* Add skill-turn-harness utility tool
* Use relative markdown links for skill references
* Use descriptive titles for markdown links in skill references
* Add descriptions to each phase in the prerequisites workflow map
* Use backslash for markdown line breaks in skill map
* Update README security warning to mention default .gitignore
* shebang
* Update fast prereqs skill rules to force sequential question flow and refine harness tool with proper ctrl+c handling and slugified log paths
* Move playbook-gcp-dev.yaml to fast/prerequisites/gcp-dev.yaml and update fast prerequisites
* docs(skill-turn-harness): detail autonomous pond testing approach
* docs(skill-turn-harness): add final_state_checks to pond architecture and update toc
* Refine fast prereqs SKILL and gcp-dev playbook to strictly align with one-question-at-a-time rule
* feat(skill-turn-harness): update playbook schema for autonomous persona mode
* feat(skill-turn-harness): implement autonomous persona testing mode and fallback logic
* docs(skill-turn-harness): document the three modes of testing and update ToC
* implement timeout, schema validation, configurable cli
* chore: remove accidentally committed log files
* chore: ignore logs directory
* feat(skill-harness): implement tool execution interception, configurable workspace, and modularized validation
* feat(skill-harness): add model configuration and update README
* fix(skill-harness): automatically inject -y flag to gemini commands
* docs(skill-harness): add TODO.md with analysis for skill environment dependencies
* feat(skill-harness): add working_dir support and clean up fixtures
  - Implement working_dir in harness to run tests in specific directories.
  - Rename test fixtures and playbooks to be more descriptive.
  - Add E2E test for working_dir.
  - Apply code quality improvements to harness.py (imports, linting).
  - Update README with working directory considerations and usage notes.
  - Update phase3-bootstrap-and-iam.md skill doc to add execution rule against creating temp scripts.
* fix: capture customer_id and respect relative paths
* Implement isolated temp workspace sandboxing with symlinks in test harness
* Configure GCD manual autonomous playbook and align Phase 3/4 steps order
* Fix linting and schema tests failures
  - Add missing license headers to tools/skill-turn-harness files.
  - Fix trailing spaces and newlines in playbooks.
  - Ignore tools directory in schema tests workflow.

  TAG=agy CONV=1bb75453-c3e2-448b-bae9-8e332a068012
* Fix Python formatting with yapf

  TAG=agy CONV=1bb75453-c3e2-448b-bae9-8e332a068012
* Refactor skill-turn-harness to use Antigravity SDK
  - Migrated harness from gemini-cli subprocesses to Antigravity SDK.
  - Implemented real-time step streaming and console logging.
  - Added color-coded terminal output (dark gray headers, blue inputs, pink outputs).
  - Collapsed excessive newlines in streamed thoughts.
  - Excluded harness codebase from workspace copy to prevent agent cheating.
  - Enabled skills folder copy to resolve agent lookup loops.
  - Added key validation and CLI --debug flag.
* Fix autonomous turn layout: print Turn ID before execution
  - Moved the [Autonomous Turn X] header print to before running the agent turn.
  - This groups the real-time thinking and tool calls under the correct Turn ID block, instead of displaying them before the label.
* Remove obsolete .log.md from prerequisites skill directory
Phase 3: Bootstrap Project & IAM
Step 5: IAM Role Assignments
- Grant the following roles to the chosen Admin Principal at the Organization level. CRITICAL: Only include `roles/billing.admin` in this list if the user selected Scenario 1 (Billing Administrator) AND confirmed the billing account is managed Inside the Organization in Step 4. CRITICAL EXECUTION RULE: Do NOT create temporary bash scripts (e.g., `assign_roles.sh`) to execute this loop. You MUST execute the `for` loop inline directly using the `run_shell_command` tool, or output the exact inline loop for the user to copy/paste.

  ```bash
  # Roles to assign:
  # [roles/billing.admin] <-- CONDITIONAL (See above)
  # roles/logging.admin
  # roles/iam.organizationRoleAdmin
  # roles/orgpolicy.policyAdmin
  # roles/resourcemanager.folderAdmin
  # roles/resourcemanager.organizationAdmin
  # roles/resourcemanager.projectCreator
  # roles/resourcemanager.tagAdmin
  # roles/owner

  # Loop example for the user or tool execution:
  for role in [ROLES_LIST]; do
    gcloud organizations add-iam-policy-binding <ORG_ID> \
      --member="<ADMIN_PRINCIPAL>" --role="$role" --condition=None
  done
  ```
Step 6: Bootstrap Project Setup
- Explain that a temporary bootstrap project is required to track API quota before organization policies are fully established.
- Ask the user if they already have a suitable project they can use for this purpose.
  - If yes: Ask if this project is already configured as the active project in `gcloud`. If the user does not know, run `gcloud config list project --format="value(core.project)"` to check for them.
    - If it is already configured, fetch the Project ID using `gcloud config list project --format="value(core.project)"`. Explicitly ask the user to confirm if this fetched Project ID is the one they want to use. Only if they answer "No" to this confirmation, ask them to provide the correct Project ID.
    - If it is not configured, ask the user to provide the Project ID.
  - If no: Ask the user to use the Cloud Console to create a temporary project (must be linked to the billing account). Ask them to provide the new Project ID once created.
- Once the Project ID is provided or fetched, ensure it is set as the default project. If it is not already set, run: `gcloud config set project <TEMP_PROJECT_ID>`
- Enable the required baseline APIs on the project:
  - The required APIs are: `bigquery.googleapis.com`, `cloudbilling.googleapis.com`, `cloudresourcemanager.googleapis.com`, `essentialcontacts.googleapis.com`, `iam.googleapis.com`, `logging.googleapis.com`, `orgpolicy.googleapis.com`, `serviceusage.googleapis.com`.
  - If the project was pre-existing: Ask the user if they want you to check which services are already enabled.
    - If yes: Run `gcloud services list --enabled --format="value(config.name)"` to get the current list. Compute the delta between the enabled services and the required list. Only run `gcloud services enable <MISSING_APIS>` for the ones that are missing.
    - If no: Run the full `gcloud services enable` command for all required APIs.
  - If the project is new: Run the full `gcloud services enable` command for all required APIs.
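
The delta computation for a pre-existing project in Step 6, shown as an added example that is not part of the skill file or the project's own code. The helper names `missing_apis` and `enable_command` are hypothetical, and the enabled-services list is a constructed sample so the block runs without `gcloud`.

```bash
#!/usr/bin/env bash
# Added example: work out which Step 6 baseline APIs still need enabling.

# Required APIs, copied from the list in Step 6.
REQUIRED_APIS="bigquery.googleapis.com
cloudbilling.googleapis.com
cloudresourcemanager.googleapis.com
essentialcontacts.googleapis.com
iam.googleapis.com
logging.googleapis.com
orgpolicy.googleapis.com
serviceusage.googleapis.com"

# Constructed sample of `gcloud services list --enabled
# --format="value(config.name)"` output: one service name per line.
SAMPLE_ENABLED="bigquery.googleapis.com
cloudresourcemanager.googleapis.com
iam.googleapis.com
logging.googleapis.com
serviceusage.googleapis.com
storage.googleapis.com"

# missing_apis (hypothetical helper): reads enabled service names on stdin
# and prints the required APIs that are absent, space-separated.
missing_apis() {
  enabled=$(cat)
  missing=""
  for api in $REQUIRED_APIS; do
    # -F: literal string, -x: whole line, so only exact names count.
    if ! printf '%s\n' "$enabled" | grep -Fxq -- "$api"; then
      missing="${missing:+$missing }$api"
    fi
  done
  printf '%s' "$missing"
}

# enable_command (hypothetical helper): prints the single enable command
# for the delta, or nothing when every required API is already enabled.
enable_command() {
  delta=$(missing_apis)
  if [ -n "$delta" ]; then
    printf 'gcloud services enable %s\n' "$delta"
  fi
}

# Dry run against the constructed sample; in real use, pipe the gcloud
# list command into enable_command and review the output before running it.
printf '%s\n' "$SAMPLE_ENABLED" | enable_command
```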