refactor: implement polars engine and decouple CI/CD infrastructure

- Implemented Polars as assembly and semantic stage engine with full lazy/streaming support
- Enforced IaC and decoupled application CI/CD from infrastructure provisioning
- Restructured logging and resolved logical error handling bugs
- Simplified report structure initialization in semantic stage
- Aligned test suites and documentation with stage refactoring

Author: BLMgithub

.dockerignore

@@ -14,6 +14,7 @@ __pycache__/
 .pytest_cache/
 .coverage
 .coveragerc
+.ruff_cache/
 
 .vscode/
 .idea/

.gcp/terraforms/jobs.tf

@@ -0,0 +1,78 @@
+resource "google_cloud_run_v2_job" "pipeline" {
+  name       = "operations-pipeline-${var.environment}"
+  location   = var.region
+  depends_on = [google_project_service.enabled_APIs]
+
+  template {
+    template {
+      service_account = google_service_account.platform_accounts["ops-pipeline-sa"].email
+
+      # 30-minute timeout and 0 retries
+      timeout     = "1800s"
+      max_retries = 0
+
+      containers {
+        image = "us-docker.pkg.dev/cloudrun/container/hello"
+
+        resources {
+          limits = {
+            cpu    = "2"
+            memory = "4Gi"
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [
+      template[0].template[0].containers[0].image,
+      client,
+      client_version
+    ]
+  }
+}
+
+resource "google_cloud_run_v2_job" "extractor" {
+  name       = "drive-extractor-${var.environment}"
+  location   = var.region
+  depends_on = [google_project_service.enabled_APIs]
+
+  template {
+    template {
+      service_account = google_service_account.platform_accounts["drive-extractor-sa"].email
+
+      # 15-minute timeout and 2 retry
+      timeout     = "900s"
+      max_retries = 2
+
+      containers {
+        image = "us-docker.pkg.dev/cloudrun/container/hello"
+
+        resources {
+          limits = {
+            cpu    = "1"
+            memory = "1Gi"
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [
+      template[0].template[0].containers[0].image,
+      client,
+      client_version
+    ]
+  }
+}
+
+
+
+
+resource "google_artifact_registry_repository" "ops_repo" {
+  location      = var.region
+  repository_id = "operations-artifacts-${var.environment}"
+  description   = "Operations Artifacts Repository"
+  format        = "DOCKER"
+}
+

.gcp/terraforms/main.tf

@@ -1,8 +1,25 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 7.0"
+    }
+  }
+}
+
 provider "google" {
   project = var.project_id
   region  = var.region
 }
 
+# Upload tfstate to state storage
+terraform {
+  backend "gcs" {
+    bucket = "operations-terraform-state-vault-2026"
+    prefix = "terraform/state"
+  }
+}
+
 # Enable needed GCP APIs
 locals {
   services = [
@@ -12,7 +29,7 @@ locals {
     "workflows.googleapis.com",
     "eventarc.googleapis.com",
     "cloudscheduler.googleapis.com",
-    "iamcredentials.googleapis.com"
+    "iamcredentials.googleapis.com",
   ]
 }
 

.gcp/terraforms/monitoring.tf

@@ -0,0 +1,192 @@
+resource "google_monitoring_notification_channel" "email" {
+
+  for_each     = nonsensitive(var.alert_email_map)
+  display_name = "Pipeline Alert - ${each.value}"
+  type         = "email"
+  labels       = { email_address = each.value }
+}
+
+# All severity CRITICAL are open for 6 hours with 30mins interval repeat notification
+resource "google_monitoring_alert_policy" "pipeline_failure" {
+  display_name = "Pipeline Failure Alert"
+  combiner     = "OR"
+  severity     = "CRITICAL"
+
+  notification_channels = [for channel in google_monitoring_notification_channel.email : channel.name]
+
+  conditions {
+    display_name = "pipeline_crashed"
+
+    condition_matched_log {
+      filter = <<-EOT
+      resource.type="cloud_run_job"
+      resource.labels.job_name="operations-pipeline${var.environment}"
+      textPayload:"[ERROR]"
+      EOT
+    }
+  }
+  alert_strategy {
+
+    auto_close           = "21600s"
+    notification_prompts = ["OPENED"]
+
+    notification_rate_limit {
+      period = "1800s"
+    }
+  }
+
+  documentation {
+    mime_type = "text/markdown"
+    content   = <<-EOT
+    ## ALERT: Operations Pipeline Processing Failed!
+
+    **What Happened:** The `operations-pipeline-${var.environment}` Cloud Run Job crashed during data processing.
+
+    **Impact:** The raw data was extracted, but the final Parquet files were NOT updated. Dashboards will show yesterday's data.
+
+    **Next Steps for On-Call:**
+
+    1. Check job logs: Did it run out of memory (OOM)?
+    2. Check runtime artifact logs: Was there any captured error logs?
+    4. Fix the underlying issue and manually execute the pipeline job.
+    EOT
+  }
+}
+
+resource "google_monitoring_alert_policy" "extractor_failure" {
+
+  display_name = "Drive Extractor Failure Alert"
+  combiner     = "OR"
+  severity     = "CRITICAL"
+
+  notification_channels = [for channel in google_monitoring_notification_channel.email : channel.name]
+
+  conditions {
+    display_name = "extractor_crashed"
+
+    condition_matched_log {
+      filter = <<-EOT
+        resource.type="cloud_run_job"
+        resource.labels.job_name="drive-extractor-${var.environment}"
+        severity="ERROR"
+      EOT
+    }
+  }
+
+  alert_strategy {
+    auto_close           = "21600s"
+    notification_prompts = ["OPENED"]
+
+    notification_rate_limit {
+      period = "1800s"
+    }
+  }
+
+  documentation {
+    mime_type = "text/markdown"
+    content   = <<-EOT
+    ## ALERT: Drive Extractor Job Crashed!
+
+    **What Happened:** The `drive-extractor-${var.environment}` Cloud Run Job threw a fatal error. The pipeline is halted.
+
+    **Impact:**
+    - Raw CSVs were not successfully pulled from Drive.
+    - The `metadata.json` was not written.
+    - Or the `.success` flag was not planted.
+
+    **Next Steps for On-Call Responder:**
+    1. Check Cloud Run Job logs for Python tracebacks.
+    2. Verify that the Google Drive folder is shared with the Drive Extractor SA email.
+    3. Once fixed, manually execute the job.
+    EOT
+  }
+}
+
+
+resource "google_monitoring_alert_policy" "workflow_failure" {
+  display_name = "Pipeline Dispatcher Failure Alert"
+  combiner     = "OR"
+  severity     = "CRITICAL"
+
+  notification_channels = [for channel in google_monitoring_notification_channel.email : channel.name]
+
+  conditions {
+    display_name = "pipeline_dispatch_failed"
+
+    condition_matched_log {
+      filter = <<-EOT
+        resource.type="workflows.googleapis.com/Workflow"
+        resource.labels.workflow_id="pipeline-dispatcher-${var.environment}"
+        severity>=ERROR
+        EOT 
+    }
+  }
+  alert_strategy {
+    auto_close           = "21600s"
+    notification_prompts = ["OPENED"]
+
+    notification_rate_limit {
+      period = "1800s"
+    }
+  }
+  documentation {
+    mime_type = "text/markdown"
+    content   = <<EOT
+    ## ALERT: Running Operations Pipeline has failed!
+
+    **What Happened**: The Eventarc Workflow `pipeline-dispatcher-${var.environment}` encountered a fatal error.
+
+    **Impact**: Dashboard consumers will see stale data.
+
+    **Next Steps for On-Call Responder:**
+
+    1. Click the "View Logs" button below to see the exact error.
+    2. Check if the `drive-extractor` successfully dropped the `.success` file.
+    3. Check if the `operations-pipeline` Cloud Run Job ran out of memory.
+    EOT
+  }
+}
+
+
+resource "google_monitoring_alert_policy" "scheduler_failure" {
+  display_name = "Midnight Scheduler Failure Alert"
+  combiner     = "OR"
+  severity     = "CRITICAL"
+
+  notification_channels = [for channel in google_monitoring_notification_channel.email : channel.name]
+
+  conditions {
+    display_name = "midnight_scheduler_failed"
+
+    condition_matched_log {
+      filter = <<EOT
+      resource.type="cloud_scheduler_job"
+      jsonPayload.debugInfo="URL_ERROR-ERROR_NOT_FOUND. Original HTTP response code number = 404" OR jsonPayload.debugInfo="URL_ERROR-ERROR_AUTHENTICATION. Original HTTP response code number = 401"
+      resource.labels.job_id="midnight-trigger-${var.environment}"
+      EOT
+    }
+  }
+  alert_strategy {
+    auto_close           = "21600s"
+    notification_prompts = ["OPENED"]
+
+    notification_rate_limit {
+      period = "1800s"
+    }
+  }
+  documentation {
+    mime_type = "text/markdown"
+    content   = <<EOT
+    ## ALERT: Cloud Scheduler Failed to Run!
+      
+    **What Happened:** The `midnight-trigger-${var.environment}` job failed to execute.
+    
+    **Impact:** The entire data pipeline has not started today.
+
+    **Next Steps for On-Call Responder:**
+
+    1. Check the Cloud Scheduler logs. Look for a 401 (Auth token expired) or 403 (IAM permission revoked).
+    2. Manually click "Force Run" in the Cloud Scheduler console to start today's extraction.
+    EOT
+  }
+}

.gcp/terraforms/orchestration.tf

@@ -1,6 +1,6 @@
 # Google Workflows
 resource "google_workflows_workflow" "pipeline_dispatcher" {
-  name            = "pipeline-trigger-flow-${var.environment}"
+  name            = "pipeline-dispatcher-${var.environment}"
   region          = var.region
   description     = "Evaluates .success files and triggers pipeline"
   service_account = google_service_account.platform_accounts["eventarc-invoker-sa"].email
@@ -12,8 +12,8 @@ resource "google_workflows_workflow" "pipeline_dispatcher" {
 }
 
 # Pipeline Trigger: Eventarc
-resource "google_eventarc_trigger" "archival_success_trigger" {
-  name     = "archival-success-trigger-${var.environment}"
+resource "google_eventarc_trigger" "pipeline_dispatcher" {
+  name     = "pipeline-trigger-${var.environment}"
   location = var.region
 
   # Monitor Archival Bucket
@@ -33,7 +33,6 @@ resource "google_eventarc_trigger" "archival_success_trigger" {
 
   service_account = google_service_account.platform_accounts["eventarc-invoker-sa"].email
 
-  # Waits on these SAs
   depends_on = [
     google_project_iam_member.eventarc_event_receiver,
     google_project_iam_member.eventarc_workflows_invoker
@@ -42,7 +41,7 @@ resource "google_eventarc_trigger" "archival_success_trigger" {
 
 # Drive Extractor Trigger: Cloud Scheduler
 resource "google_cloud_scheduler_job" "extractor_trigger" {
-  name        = "midnight-extractor-trigger-${var.environment}"
+  name        = "midnight-trigger-${var.environment}"
   description = "Execute drive-extractor daily 12AM (PHT)"
   schedule    = "0 0 * * *"
   time_zone   = "Asia/Manila"
@@ -51,7 +50,7 @@ resource "google_cloud_scheduler_job" "extractor_trigger" {
   http_target {
     http_method = "POST"
     # Points to the Deployed Cloud Run job (data extractor)
-    uri = "https://${var.region}-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${var.project_id}/jobs/drive-extractor:run"
+    uri = "https://${var.region}-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${var.project_id}/jobs/drive-extractor-${var.environment}:run"
 
     oauth_token {
       service_account_email = google_service_account.platform_accounts["job-invoker-sa"].email

.gcp/terraforms/storage.tf

@@ -1,6 +1,6 @@
 # Archival Bucket
 resource "google_storage_bucket" "ops_archival_bucket" {
-  name                        = "ops-archival-bucket-${var.environment}"
+  name                        = "ops-archival-storage-${var.environment}"
   location                    = var.region
   force_destroy               = false
   uniform_bucket_level_access = true
@@ -30,7 +30,7 @@ resource "google_storage_bucket" "ops_archival_bucket" {
 
 # Pipeline Bucket
 resource "google_storage_bucket" "ops_pipeline_bucket" {
-  name                        = "ops-pipeline-bucket-${var.environment}"
+  name                        = "ops-pipeline-storage-${var.environment}"
   location                    = var.region
   force_destroy               = false
   uniform_bucket_level_access = true

.gcp/terraforms/variables.tf

@@ -18,3 +18,9 @@ variable "github_repo" {
   description = "GitHub Repository (Format: owner/repository)"
   type        = string
 }
+
+variable "alert_email_map" {
+  type        = map(string)
+  description = "List of emails to receive pipeline alerts"
+  sensitive   = true
+}

.gcp/terraforms/wif.tf

@@ -28,8 +28,8 @@ resource "google_iam_workload_identity_pool_provider" "github_provider" {
   }
 }
 
-# CLI output 
 output "GITHUB_WIF_PROVIDER_NAME" {
   value       = google_iam_workload_identity_pool_provider.github_provider.name
   description = "GitHub Repository Secret: WIF_PROVIDER"
+  sensitive   = true
 }