From bb59b918d61225c08a631897cd5484905f777d11 Mon Sep 17 00:00:00 2001 From: Saravana Achu Mac Date: Sun, 5 Apr 2026 13:18:38 -0700 Subject: [PATCH] docs(azure): add infrastructure audit doc for invttrdg Azure resources Records Cosmos DB setup (12 containers), Azure OpenAI deployments (gpt-4o, gpt-4o-mini), Key Vault secrets, and pending work items. Co-Authored-By: Claude Sonnet 4.6 --- docs/AZURE_INFRASTRUCTURE.md | 156 +++++++++++++++++++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 docs/AZURE_INFRASTRUCTURE.md diff --git a/docs/AZURE_INFRASTRUCTURE.md b/docs/AZURE_INFRASTRUCTURE.md new file mode 100644 index 0000000..2b293f5 --- /dev/null +++ b/docs/AZURE_INFRASTRUCTURE.md 
@@ -0,0 +1,156 @@ +# Azure Infrastructure — invttrdg (ByteLyst Trading) + +Audit trail of all Azure resources, secrets, and configuration for the trading platform. + +--- + +## Subscription + +| Field | Value | +|---|---| +| Subscription | Azure subscription 1 | +| Subscription ID | `0e0ceaea-2677-4097-9401-1102707db826` | +| Tenant ID | `ab33246e-c9c9-4cb9-9a87-3616bb4920f0` | + +--- + +## Resource Group + +**`rg-mywisprai`** — `eastus` — all trading resources share this group. No new resource groups were created. + +--- + +## Azure Cosmos DB + +| Field | Value | +|---|---| +| Account | `cosmos-mywisprai` | +| Location | `westus2` | +| Kind | `GlobalDocumentDB` (Serverless) | +| Consistency | Session | +| Endpoint | `https://cosmos-mywisprai.documents.azure.com:443/` | +| **Database** | **`invttrdg`** (created 2026-04-05) | + +### Containers (all created 2026-04-05, partition key `/productId`) + +| Container | Purpose | +|---|---| +| `trade_profiles` | Per-user trading strategy profiles | +| `trading_users` | User accounts + exchange API keys | +| `capital_ledgers` | Per-profile capital allocation tracking | +| `trade_orders` | Live runtime order state | +| `trade_history` | Completed trade ledger | +| `manual_entries` | Dashboard manual trade entries | +| `reconciliation_backfill_audit` | Exit backfill evidence audit log | +| `dynamic_config` | Runtime key-value config overrides | +| `trading_controls` | Kill-switch + trading behaviour controls | +| `bot_state_snapshots` | Bot state snapshots for recovery | +| `runtime_locks` | Distributed locks (prevent concurrent edits) | +| `strategy_presets` | Pre-built strategy templates | + +### Key Vault secret names +- `invttrdg-cosmos-endpoint` +- `invttrdg-cosmos-key` +- `invttrdg-cosmos-database` + +--- + +## Azure OpenAI (AI Foundry) + +| Field | Value | +|---|---| +| Account | `mywisprai-openai-sweden` | +| Location | `swedencentral` | +| Endpoint | `https://swedencentral.api.cognitive.microsoft.com/` | +| SKU | S0 
Standard | + +### Deployments + +| Deployment Name | Model | Version | SKU | Capacity | Created | +|---|---|---|---|---|---| +| `gpt-4o-mini` | `gpt-4.1-mini` | 2025-04-14 | Standard | 1 | pre-existing | +| `gpt-4o` | `gpt-4o` | 2024-11-20 | GlobalStandard | 10 | 2026-04-05 | + +**Default deployment for trading:** `gpt-4o` (stored in Key Vault as `invttrdg-azure-openai-deployment`) +**Fallback deployment:** `gpt-4o-mini` (stored as `invttrdg-azure-openai-deployment-gpt4o`) + +### Key Vault secret names +- `invttrdg-azure-openai-endpoint` +- `invttrdg-azure-openai-key` +- `invttrdg-azure-openai-deployment` → `gpt-4o` +- `invttrdg-azure-openai-deployment-gpt4o` → `gpt-4o` + +--- + +## Azure Key Vault + +| Field | Value | +|---|---| +| Name | `kv-mywisprai` | +| Location | `eastus` | +| URI | `https://kv-mywisprai.vault.azure.net/` | + +### All `invttrdg-*` secrets (set 2026-04-05) + +| Secret Name | Value (description) | +|---|---| +| `invttrdg-product-id` | `invttrdg` | +| `invttrdg-cosmos-endpoint` | `https://cosmos-mywisprai.documents.azure.com:443/` | +| `invttrdg-cosmos-key` | Cosmos DB primary master key | +| `invttrdg-cosmos-database` | `invttrdg` | +| `invttrdg-azure-openai-endpoint` | `https://swedencentral.api.cognitive.microsoft.com/` | +| `invttrdg-azure-openai-key` | Azure OpenAI API key | +| `invttrdg-azure-openai-deployment` | `gpt-4o` | +| `invttrdg-azure-openai-deployment-gpt4o` | `gpt-4o` | + +--- + +## Other Shared Azure Resources + +These exist in `rg-mywisprai` and are shared across the ecosystem (not trading-specific): + +| Resource | Type | Notes | +|---|---|---| +| `bytelystblobs` | Storage Account (`westus2`) | Blob storage, shared | +| `bytelyst-appinsights` | Application Insights (`eastus`) | Shared telemetry | +| `mywisprai-speech` | Cognitive Services Speech (`eastus`) | Not used by trading | + +--- + +## Application Configuration + +Set these in your `.env` (pull from Key Vault for production): + +```env +# Cosmos DB 
+COSMOS_ENDPOINT=https://cosmos-mywisprai.documents.azure.com:443/ +COSMOS_KEY= +COSMOS_DATABASE=invttrdg + +# Azure OpenAI (use instead of direct OpenAI for production) +AZURE_OPENAI_ENDPOINT=https://swedencentral.api.cognitive.microsoft.com/ +AZURE_OPENAI_KEY= +AZURE_OPENAI_DEPLOYMENT=gpt-4o +LLM_PROVIDER=azure +``` + +--- + +## Pending Work + +- [ ] Wire Key Vault secret retrieval at app startup (replace static `.env` for production) +- [ ] Switch `aiClient.ts` to use `AzureOpenAIProvider` from `@bytelyst/llm` (set `LLM_PROVIDER=azure`) +- [ ] Configure Managed Identity on the backend app service to access Key Vault without a connection string +- [ ] Set up TTL policy on `runtime_locks` container (e.g. 3600s) to auto-expire stale locks +- [ ] Enable Cosmos DB diagnostic logs to Log Analytics workspace + +--- + +## Change Log + +| Date | Action | By | +|---|---|---| +| 2026-04-05 | Created `invttrdg` database in `cosmos-mywisprai` | Claude Code / CLI | +| 2026-04-05 | Created 12 containers in `invttrdg` (all `/productId` partition key) | Claude Code / CLI | +| 2026-04-05 | Deployed `gpt-4o` (2024-11-20) to `mywisprai-openai-sweden` | Claude Code / CLI | +| 2026-04-05 | Stored 8 `invttrdg-*` secrets in `kv-mywisprai` | Claude Code / CLI |
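Review bot: the `invttrdg-cosmos-key` secret is the Cosmos DB primary master key of `cosmos-mywisprai`, an account this file describes as shared across the ecosystem, so the trading app's one credential grants full read/write over every database in the account rather than just `invttrdg`; prefer Entra ID RBAC scoped to the `invttrdg` database through the backend's managed identity (the pending-work list already plans that identity for Key Vault, so extend the item to Cosmos) and add a rotation task for the master key while it remains in use. Two inconsistencies in the same hunk should be fixed before this is treated as an audit record: the text says the fallback deployment is `gpt-4o-mini` "(stored as `invttrdg-azure-openai-deployment-gpt4o`)", but both the Azure OpenAI secret list and the Key Vault table record that secret's value as `gpt-4o`, and the deployment named `gpt-4o-mini` actually runs model `gpt-4.1-mini` (2025-04-14), so either the secret value or the description is wrong and the deployment name misstates its model. Design notes on the containers: every container is partitioned on `/productId` while `invttrdg-product-id` is the single constant `invttrdg`, which puts all documents of a container into one logical partition (per-partition storage cap, no scale-out), and `trading_users` holds "User accounts + exchange API keys", which need encryption or a Key Vault reference rather than plaintext storage next to account data. Finally, if the plan is managed identity for Azure OpenAI too, Entra ID authentication requires the resource's custom-subdomain endpoint, not the regional `https://swedencentral.api.cognitive.microsoft.com/` recorded here, and the subscription and tenant IDs are reconnaissance data that need not live in a committed doc.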