learning_ai_invt_trdg/docs/AZURE_INFRASTRUCTURE.md

# Azure Infrastructure — invttrdg (ByteLyst Trading)

Audit trail of all Azure resources, secrets, and configuration for the trading platform.

---

## Subscription

| Field | Value |
|---|---|
| Subscription | Azure subscription 1 |
| Subscription ID | `0e0ceaea-2677-4097-9401-1102707db826` |
| Tenant ID | `ab33246e-c9c9-4cb9-9a87-3616bb4920f0` |

---

## Resource Group

**`rg-mywisprai`** — `eastus` — all trading resources share this group. No new resource groups were created.

---

## Azure Cosmos DB

| Field | Value |
|---|---|
| Account | `cosmos-mywisprai` |
| Location | `westus2` |
| Kind | `GlobalDocumentDB` (Serverless) |
| Consistency | Session |
| Endpoint | `https://cosmos-mywisprai.documents.azure.com:443/` |
| **Database** | **`invttrdg`** (created 2026-04-05) |

### Containers (all created 2026-04-05, partition key `/productId`)

| Container | Purpose |
|---|---|
| `trade_profiles` | Per-user trading strategy profiles |
| `trading_users` | User accounts + exchange API keys |
| `capital_ledgers` | Per-profile capital allocation tracking |
| `trade_orders` | Live runtime order state |
| `trade_history` | Completed trade ledger |
| `manual_entries` | Dashboard manual trade entries |
| `reconciliation_backfill_audit` | Exit backfill evidence audit log |
| `dynamic_config` | Runtime key-value config overrides |
| `trading_controls` | Kill-switch + trading behaviour controls |
| `bot_state_snapshots` | Bot state snapshots for recovery |
| `runtime_locks` | Distributed locks (prevent concurrent edits) |
| `strategy_presets` | Pre-built strategy templates |
| `audit-events` | Trade audit event log (90-day TTL) — activate: partition key `/productId`, TTL 7776000 s |

### Key Vault secret names
- `invttrdg-cosmos-endpoint`
- `invttrdg-cosmos-key`
- `invttrdg-cosmos-database`

---

## Azure OpenAI (AI Foundry)

| Field | Value |
|---|---|
| Account | `mywisprai-openai-sweden` |
| Location | `swedencentral` |
| Endpoint | `https://swedencentral.api.cognitive.microsoft.com/` |
| SKU | S0 Standard |

### Deployments

| Deployment Name | Model | Version | SKU | Capacity | Created |
|---|---|---|---|---|---|
| `gpt-4o-mini` | `gpt-4.1-mini` | 2025-04-14 | Standard | 1 | pre-existing |
| `gpt-4o` | `gpt-4o` | 2024-11-20 | GlobalStandard | 10 | 2026-04-05 |

**Default deployment for trading:** `gpt-4o` (stored in Key Vault as `invttrdg-azure-openai-deployment`)  
**Fallback deployment:** `gpt-4o-mini` (stored as `invttrdg-azure-openai-deployment-gpt4o`)

### Key Vault secret names
- `invttrdg-azure-openai-endpoint`
- `invttrdg-azure-openai-key`
- `invttrdg-azure-openai-deployment` → `gpt-4o`
- `invttrdg-azure-openai-deployment-gpt4o` → `gpt-4o`

---

## Azure Key Vault

| Field | Value |
|---|---|
| Name | `kv-mywisprai` |
| Location | `eastus` |
| URI | `https://kv-mywisprai.vault.azure.net/` |

### All `invttrdg-*` secrets (set 2026-04-05)

| Secret Name | Value (description) |
|---|---|
| `invttrdg-product-id` | `invttrdg` |
| `invttrdg-cosmos-endpoint` | `https://cosmos-mywisprai.documents.azure.com:443/` |
| `invttrdg-cosmos-key` | Cosmos DB primary master key |
| `invttrdg-cosmos-database` | `invttrdg` |
| `invttrdg-azure-openai-endpoint` | `https://swedencentral.api.cognitive.microsoft.com/` |
| `invttrdg-azure-openai-key` | Azure OpenAI API key |
| `invttrdg-azure-openai-deployment` | `gpt-4o` |
| `invttrdg-azure-openai-deployment-gpt4o` | `gpt-4o` |

---

## Other Shared Azure Resources

These exist in `rg-mywisprai` and are shared across the ecosystem (not trading-specific):

| Resource | Type | Notes |
|---|---|---|
| `bytelystblobs` | Storage Account (`westus2`) | Blob storage, shared |
| `bytelyst-appinsights` | Application Insights (`eastus`) | Shared telemetry |
| `mywisprai-speech` | Cognitive Services Speech (`eastus`) | Not used by trading |

---

## Application Configuration

Set these in your `.env` (pull from Key Vault for production):

```env
# Cosmos DB
COSMOS_ENDPOINT=https://cosmos-mywisprai.documents.azure.com:443/
COSMOS_KEY=<from kv-mywisprai / invttrdg-cosmos-key>
COSMOS_DATABASE=invttrdg

# Azure OpenAI (use instead of direct OpenAI for production)
AZURE_OPENAI_ENDPOINT=https://swedencentral.api.cognitive.microsoft.com/
AZURE_OPENAI_KEY=<from kv-mywisprai / invttrdg-azure-openai-key>
AZURE_OPENAI_DEPLOYMENT=gpt-4o
LLM_PROVIDER=azure
```

---

## Pending Work

- [x] Wire Key Vault secret resolution at app startup — `bootstrap.ts` uses `@bytelyst/config` `resolveSecrets()` with `DefaultAzureCredential` (2026-04-05)
- [x] Switch `aiClient.ts` to use `AzureOpenAIProvider` when Azure config is present — auto-detected from `AZURE_OPENAI_ENDPOINT` + `AZURE_OPENAI_KEY` + `AZURE_OPENAI_DEPLOYMENT` (2026-04-05)
- [ ] Configure Managed Identity on the backend app service to access Key Vault without a connection string
- [ ] Set up TTL policy on `runtime_locks` container (e.g. 3600s) to auto-expire stale locks
- [ ] Enable Cosmos DB diagnostic logs to Log Analytics workspace

---

## Change Log

| Date | Action | By |
|---|---|---|
| 2026-04-05 | Created `invttrdg` database in `cosmos-mywisprai` | Claude Code / CLI |
| 2026-04-05 | Created 12 containers in `invttrdg` (all `/productId` partition key) | Claude Code / CLI |
| 2026-04-05 | Deployed `gpt-4o` (2024-11-20) to `mywisprai-openai-sweden` | Claude Code / CLI |
| 2026-04-05 | Stored 8 `invttrdg-*` secrets in `kv-mywisprai` | Claude Code / CLI |
| 2026-04-05 | Added `bootstrap.ts` — Key Vault secret resolution at startup via `DefaultAzureCredential` | Claude Code |
| 2026-04-05 | `aiClient.ts` auto-selects `AzureOpenAIProvider` when Azure OpenAI env vars are set | Claude Code |