cleancloud-io
diff --git a/‎README.fr.md‎
Lines changed: 14 additions & 7 deletions b/‎README.fr.md‎
Lines changed: 14 additions & 7 deletions
diff --git a/‎README.md‎
Lines changed: 14 additions & 7 deletions b/‎README.md‎
Lines changed: 14 additions & 7 deletions
diff --git a/‎cleancloud/demo/command.py‎
Lines changed: 8 additions & 3 deletions b/‎cleancloud/demo/command.py‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎cleancloud/demo/findings.py‎
Lines changed: 70 additions & 4 deletions b/‎cleancloud/demo/findings.py‎
Lines changed: 70 additions & 4 deletions
diff --git a/‎cleancloud/doctor/command.py‎
Lines changed: 2 additions & 5 deletions b/‎cleancloud/doctor/command.py‎
Lines changed: 2 additions & 5 deletions
@@ -15,7 +15,8 @@
 
 ```bash
 pipx install cleancloud
-cleancloud demo        # visualisez des findings — aucun credential requis
+cleancloud demo                      # visualisez des findings — aucun credential requis
+cleancloud demo --category ai        # findings IA/ML (SageMaker, AML, Vertex AI — endpoints/clusters GPU intensifs)
 ```
 
 Scannez votre cloud :
@@ -24,21 +25,23 @@ Scannez votre cloud :
 cleancloud scan --provider aws --all-regions
 cleancloud scan --provider azure
 cleancloud scan --provider gcp --all-projects
+cleancloud scan --provider aws --category ai   # détectez les endpoints SageMaker inactifs
 ```
 
 ---
 
-**CleanCloud est le moteur d'hygiène cloud — la couche manquante entre la visibilité des coûts et le nettoyage.**
+**CleanCloud est le moteur d'hygiène cloud — détecte le gaspillage d'infrastructure inactive et de ressources IA/ML coûteuses sur AWS, Azure et GCP.**
 
 **Supporte :** AWS · Azure · GCP
 
-CleanCloud scanne vos environnements AWS, Azure et GCP et vous indique exactement ce qu'il faut nettoyer — avec des estimations de coût par ressource. Aucun agent. Pas de SaaS. Lecture seule. S'exécute entièrement dans votre environnement.
+CleanCloud scanne vos environnements AWS, Azure et GCP et vous indique exactement ce qu'il faut nettoyer — infrastructure inactive et ressources IA/ML coûteuses (endpoints SageMaker, clusters AML Compute, endpoints Vertex AI) — avec des estimations de coût par ressource. Aucun agent. Pas de SaaS. Lecture seule. S'exécute entièrement dans votre environnement.
 
 | | Outils natifs AWS/Azure/GCP | Plateformes FinOps SaaS | **CleanCloud** |
 |---|:---:|:---:|:---:|
 | Affiche les tendances de coûts | ✅ | ✅ | — |
 | Nomme exactement les ressources à nettoyer | ❌ | partiel | ✅ |
 | Estimation de coût déterministe par ressource | ❌ | ❌ | ✅ |
+| Détecte le gaspillage IA/ML (SageMaker, AML, Vertex AI — dont les endpoints GPU) | ❌ | ❌ | ✅ |
 | Lecture seule, aucun agent | ✅ | ❌ | ✅ |
 | Fonctionne en environnements air-gapped / réglementés | ❌ | ❌ | ✅ |
 | Aucun compte SaaS ni accès vendor requis | ❌ | ❌ | ✅ |
@@ -141,7 +144,10 @@ Pas encore de compte cloud ? `cleancloud demo` affiche un exemple de sortie sans
 
 ## Fonctionnalités clés
 
-- **32 règles de détection sélectives et haut signal :** volumes orphelins, bases de données inactives, instances arrêtées, registres inutilisés, et plus — conçues pour éviter les faux positifs en environnements IaC, chacune avec une estimation de coût déterministe. Les règles IA/ML (SageMaker, Azure ML) sont opt-in via `--category ai`
+- **Détection du gaspillage IA/ML sur les 3 clouds :** endpoints SageMaker inactifs (AWS), clusters AML Compute inactifs (Azure), et endpoints Vertex AI Online Prediction inactifs (GCP) — ressources GPU toujours provisionnées flaggées risque HIGH, avec un gaspillage typique de $449 à $23K+/mois. Opt-in via `--category ai` ou `--category all`
+
+  De nombreuses ressources IA/ML restent provisionnées en permanence (min replicas / baseline capacity) et continuent de facturer même sans trafic — CleanCloud détecte ces déploiements abandonnés ou sous-utilisés dès le début.
+- **33 règles de détection sélectives et haut signal :** volumes orphelins, bases de données inactives, instances arrêtées, registres inutilisés, et plus — conçues pour éviter les faux positifs en environnements IaC, chacune avec une estimation de coût déterministe
 - **Gouvernance et application de politique (opt-in) :** `--fail-on-confidence HIGH` ou `--fail-on-cost 100` — appliquer des seuils de gaspillage sur un planning, géré par les équipes platform ou FinOps
 - **Scan multi-comptes (AWS) :** scannez des AWS Organizations entières en une exécution — fichier de config, IDs inline, ou auto-découverte via `--org`
 - **Scan multi-abonnements (Azure) :** scannez tous les abonnements Azure en parallèle — auto-découverte via Management Group, détail des coûts par abonnement inclus
@@ -227,7 +233,7 @@ Pas sûr que vos credentials aient les bonnes permissions ? Lancez d'abord `clea
 | Flag | Fonction |
 |---|---|
 | `--provider aws\|azure\|gcp` | Fournisseur cloud à scanner *(obligatoire)* |
-| `--category hygiene\|ai\|all` | Catégorie de règles : `hygiene` (défaut), `ai` (SageMaker sur AWS, AML Compute sur Azure) ou `all` (hygiene + IA) |
+| `--category hygiene\|ai\|all` | Catégorie de règles : `hygiene` (défaut), `ai` (SageMaker sur AWS, AML Compute sur Azure, Vertex AI sur GCP) ou `all` (hygiene + IA) |
 | `--region REGION` | Scanner une seule région |
 | `--all-regions` | Toutes les régions actives — AWS/Azure uniquement |
 | **AWS multi-comptes** | |
@@ -344,7 +350,7 @@ Pour des exemples de sortie complets incluant `doctor`, JSON, CSV et markdown :
 
 ## Ce que CleanCloud détecte
 
-32 règles pour AWS, Azure et GCP — conservatives, haut signal, conçues pour éviter les faux positifs en environnements IaC.
+33 règles pour AWS, Azure et GCP — conservatives, haut signal, conçues pour éviter les faux positifs en environnements IaC.
 
 **AWS :**
 - Compute : instances arrêtées 30+ jours (charges EBS continuent)
@@ -368,6 +374,7 @@ Pour des exemples de sortie complets incluant `doctor`, JSON, CSV et markdown :
 - Stockage : Persistent Disks non attachés (HIGH), anciens snapshots 90+ jours
 - Réseau : IPs statiques réservées — régionales et globales — en état RESERVED (HIGH)
 - Plateforme : instances Cloud SQL inactives avec zéro connexion 14+ jours (HIGH)
+- IA/ML *(opt-in : `--category ai`)* : endpoints Vertex AI Online Prediction inactifs avec zéro ou quasi-zéro prédiction depuis 14+ jours (les nœuds dédiés continuent de facturer quel que soit le trafic) — endpoints GPU flaggés risque HIGH ($449–$23K+/mois)
 
 Les règles sans marqueur de confiance sont MEDIUM — elles utilisent des heuristiques temporelles ou des signaux multiples. Commencez par `--fail-on-confidence HIGH` pour les gaspillages évidents, puis resserrez au fil de la validation par votre équipe.
 
@@ -603,7 +610,7 @@ Guide complet : [Configuration GCP →](docs/gcp.md)
 
 **Policy-as-code** — `cleancloud.yaml` avec packs de règles, exceptions par équipe, et seuils de coût en config — la principale demande de gouvernance FinOps pour 2025/2026
 
-**Plus de règles IA/ML** — endpoints Vertex AI inactifs, instances de notebook SageMaker inutilisées, artefacts d'entraînement orphelins
+**Plus de règles IA/ML** — instances de notebook SageMaker inutilisées, artefacts d'entraînement orphelins, instances de notebook Vertex AI inactives
 
 **Plus de règles AWS** — lacunes de cycle de vie S3, Redshift inactif, fuite de coût NAT Gateway, VPC endpoints inutilisés
 
 
@@ -15,7 +15,8 @@
 
 ```bash
 pipx install cleancloud
-cleancloud demo        # see sample findings — no credentials needed
+cleancloud demo                      # see sample findings — no credentials needed
+cleancloud demo --category ai        # see AI/ML waste findings (SageMaker, AML, Vertex AI — GPU-heavy endpoints/clusters)
 ```
 
 Scan your cloud:
@@ -24,21 +25,23 @@ Scan your cloud:
 cleancloud scan --provider aws --all-regions
 cleancloud scan --provider azure
 cleancloud scan --provider gcp --all-projects
+cleancloud scan --provider aws --category ai   # detect idle SageMaker endpoints
 ```
 
 ---
 
-**CleanCloud is the Cloud Hygiene Engine — the missing layer between cost visibility and cleanup.**
+**CleanCloud is the Cloud Hygiene Engine — detects idle infrastructure and high-cost AI/ML waste across AWS, Azure, and GCP.**
 
 **Supports:** AWS · Azure · GCP
 
-CleanCloud scans your AWS, Azure, and GCP environments and tells you exactly what to clean up — with per-resource cost estimates. No agents. No SaaS. Read-only. Runs entirely in your environment.
+CleanCloud scans your AWS, Azure, and GCP environments and tells you exactly what to clean up — idle infrastructure and high-cost AI/ML resources (SageMaker endpoints, AML compute clusters, Vertex AI endpoints) — with per-resource cost estimates. No agents. No SaaS. Read-only. Runs entirely in your environment.
 
 | | AWS/Azure/GCP native cost tools | FinOps SaaS platforms | **CleanCloud** |
 |---|:---:|:---:|:---:|
 | Shows cost trends | ✅ | ✅ | — |
 | Names exactly which resources to clean up | ❌ | partial | ✅ |
 | Deterministic cost estimate per resource | ❌ | ❌ | ✅ |
+| Detects idle AI/ML waste (SageMaker, AML, Vertex AI — including GPU-backed endpoints) | ❌ | ❌ | ✅ |
 | Read-only, no agents | ✅ | ❌ | ✅ |
 | Runs in air-gapped / regulated environments | ❌ | ❌ | ✅ |
 | No SaaS account or vendor access required | ❌ | ❌ | ✅ |
@@ -141,7 +144,10 @@ No cloud account yet? `cleancloud demo` shows sample output without any credenti
 
 ## Key Features
 
-- **32 curated, high-signal detection rules:** orphaned volumes, idle databases, stopped instances, unused registries, and more — designed to avoid false positives in IaC environments, each with a deterministic cost estimate. AI/ML rules (SageMaker, Azure ML) are opt-in via `--category ai`
+- **AI/ML waste detection across all 3 clouds:** idle SageMaker endpoints (AWS), idle AML compute clusters (Azure), and idle Vertex AI Online Prediction endpoints (GCP) — always-on GPU-backed resources flagged HIGH risk, with typical waste ranging from $449–$23K+/month. Opt-in via `--category ai` or `--category all`
+
+  Many AI/ML serving resources remain permanently provisioned (min replicas / baseline capacity) and continue billing even with zero traffic — CleanCloud detects these abandoned or underutilized deployments early.
+- **33 curated, high-signal detection rules:** orphaned volumes, idle databases, stopped instances, unused registries, and more — designed to avoid false positives in IaC environments, each with a deterministic cost estimate
 - **Governance enforcement (opt-in):** `--fail-on-confidence HIGH` or `--fail-on-cost 100` — enforce waste thresholds on a schedule, owned by platform or FinOps teams
 - **Multi-account scanning (AWS):** scan entire AWS Organizations in one run — config file, inline IDs, or auto-discovery via `--org`
 - **Multi-subscription scanning (Azure):** scan all Azure subscriptions in parallel — auto-discovery via Management Group, per-subscription cost breakdown included
@@ -229,7 +235,7 @@ Run `cleancloud doctor --provider aws`, `cleancloud doctor --provider azure`, or
 | Flag | What it does |
 |---|---|
 | `--provider aws\|azure\|gcp` | Cloud provider to scan *(required)* |
-| `--category hygiene\|ai\|all` | Rule category: `hygiene` (default), `ai` (SageMaker on AWS, AML Compute on Azure), or `all` (hygiene + AI) |
+| `--category hygiene\|ai\|all` | Rule category: `hygiene` (default), `ai` (SageMaker on AWS, AML Compute on Azure, Vertex AI on GCP), or `all` (hygiene + AI) |
 | `--region REGION` | Scan a single region |
 | `--all-regions` | Scan all active regions — AWS/Azure only |
 | **AWS multi-account** | |
@@ -346,7 +352,7 @@ For full output examples including `doctor`, JSON, CSV, and markdown: [`docs/exa
 
 ## What CleanCloud Detects
 
-32 rules across AWS, Azure, and GCP — conservative, high-signal, designed to avoid false positives in IaC environments.
+33 rules across AWS, Azure, and GCP — conservative, high-signal, designed to avoid false positives in IaC environments.
 
 **AWS:**
 - Compute: stopped instances 30+ days (EBS charges continue)
@@ -370,6 +376,7 @@ For full output examples including `doctor`, JSON, CSV, and markdown: [`docs/exa
 - Storage: unattached Persistent Disks (HIGH), old snapshots 90+ days
 - Network: unused reserved static IPs — regional and global (HIGH)
 - Platform: idle Cloud SQL instances with zero connections 14+ days (HIGH)
+- AI/ML *(opt-in: `--category ai`)*: idle Vertex AI Online Prediction endpoints with zero or near-zero predictions 14+ days (dedicated nodes continue billing regardless of traffic) — GPU-backed endpoints flagged HIGH risk ($449–$23K+/month)
 
 Rules without a confidence marker are MEDIUM — they use time-based heuristics or multiple signals. Start with `--fail-on-confidence HIGH` to catch obvious waste, then tighten as your team validates.
 
@@ -605,7 +612,7 @@ Full setup guide: [GCP setup →](docs/gcp.md)
 
 **Policy-as-code** — `cleancloud.yaml` with rule packs, per-team exceptions, and cost thresholds in config — the top FinOps governance ask for 2025/2026
 
-**More AI/ML waste rules** — Vertex AI endpoints idle, SageMaker notebook instances running unused, orphaned training artifacts
+**More AI/ML waste rules** — SageMaker notebook instances running unused, orphaned training artifacts, Vertex AI notebook instances idle
 
 **More AWS rules** — S3 lifecycle gaps, Redshift idle, NAT Gateway cost leakage (internal services routing through NAT instead of VPC endpoints — S3, DynamoDB, ECR, SSM), unused VPC endpoints
 
 
@@ -9,6 +9,7 @@
     AWS_FINDINGS,
     AZURE_AI_FINDINGS,
     AZURE_FINDINGS,
+    GCP_AI_FINDINGS,
     GCP_FINDINGS,
 )
 from cleancloud.output.human import print_human
@@ -26,7 +27,7 @@
     "--category",
     type=click.Choice(["hygiene", "ai"]),
     default="hygiene",
-    help="Rule category to demo: hygiene (default) or ai (SageMaker on AWS, AML Compute on Azure)",
+    help="Rule category to demo: hygiene (default) or ai (SageMaker/AWS, AML Compute/Azure, Vertex AI/GCP)",
 )
 def demo(provider: Optional[str], category: str):
     """Show realistic sample findings without cloud credentials."""
@@ -45,9 +46,13 @@ def demo(provider: Optional[str], category: str):
             findings = AZURE_AI_FINDINGS
             regions = ["East US"]
             region_mode = "all"
+        elif provider == "gcp":
+            findings = GCP_AI_FINDINGS
+            regions = ["us-central1"]
+            region_mode = "all"
         else:
-            findings = AWS_AI_FINDINGS + AZURE_AI_FINDINGS
-            regions = ["us-east-1", "East US"]
+            findings = AWS_AI_FINDINGS + AZURE_AI_FINDINGS + GCP_AI_FINDINGS
+            regions = ["us-east-1", "East US", "us-central1"]
             region_mode = "all"
     elif provider == "aws":
         findings = AWS_FINDINGS
 
@@ -551,8 +551,10 @@
                 "Status: READY",
                 "Disk size: 400 GB",
                 "Estimated cost: ~$10.4/month (disk size used as proxy)",
-                "Source disk reference missing — likely orphaned snapshot "
-                "(GCP clears sourceDisk when the backing disk is deleted)",
+                (
+                    "Source disk reference missing — likely orphaned snapshot "
+                    "(GCP clears sourceDisk when the backing disk is deleted)"
+                ),
             ],
             signals_not_checked=[
                 "Compliance or regulatory data retention requirements",
@@ -595,8 +597,10 @@
         evidence=Evidence(
             signals_used=[
                 "Instance state: RUNNABLE",
-                "Zero TCP connections observed via Cloud Monitoring over 14 days "
-                "(metric: cloudsql.googleapis.com/database/network/connections)",
+                (
+                    "Zero TCP connections observed via Cloud Monitoring over 14 days "
+                    "(metric: cloudsql.googleapis.com/database/network/connections)"
+                ),
                 "Database version: POSTGRES_14",
                 "Tier 'db-n1-standard-2' costs ~$93.10/month (compute only, no HA)",
                 "Storage: 100 GB (PD_SSD) — billed separately from compute",
@@ -613,6 +617,68 @@
     ),
 ]
 
+GCP_AI_FINDINGS: List[Finding] = [
+    Finding(
+        provider="gcp",
+        rule_id="gcp.vertex.endpoint.idle",
+        resource_type="gcp.vertex.endpoint",
+        resource_id="projects/my-project/locations/us-central1/endpoints/8842019374650589184",
+        region="us-central1",
+        title="Idle Vertex AI Endpoint (No Predictions for 21 Days)",
+        summary=(
+            "Vertex AI endpoint 'llm-serving-v2' in 'us-central1' has received zero predictions "
+            "for 21 days but keeps 1 dedicated node running continuously, incurring compute charges."
+        ),
+        reason=(
+            "Vertex AI endpoint has zero predictions for 21 days "
+            "with dedicated capacity (minReplicaCount=1)"
+        ),
+        risk=RiskLevel.HIGH,
+        confidence=ConfidenceLevel.HIGH,
+        detected_at=_NOW,
+        details={
+            "endpoint_id": "8842019374650589184",
+            "display_name": "llm-serving-v2",
+            "location": "us-central1",
+            "machine_type": "n1-standard-4",
+            "accelerator_type": "NVIDIA_TESLA_T4",
+            "accelerator_count": 1,
+            "is_gpu": True,
+            "min_replica_count": 1,
+            "age_days": 21,
+            "idle_window_days": 21,
+            "idle_days_threshold": 14,
+            "estimated_monthly_cost": "~$449/month",
+        },
+        evidence=Evidence(
+            signals_used=[
+                (
+                    "Zero prediction requests for 21 days "
+                    "(Cloud Monitoring: aiplatform.googleapis.com/prediction/online/request_count)"
+                ),
+                (
+                    "Dedicated capacity configured: minReplicaCount=1 "
+                    "(always-on compute — billed continuously regardless of traffic)"
+                ),
+                "Endpoint age: 21 days",
+                "Machine type: n1-standard-4",
+                "Accelerator: NVIDIA_TESLA_T4 × 1",
+                "GPU-backed endpoint — high continuous cost",
+                "Display name: llm-serving-v2",
+            ],
+            signals_not_checked=[
+                "Scheduled or batch prediction requests outside the observation window",
+                "Internal health-check or canary traffic not tracked by Cloud Monitoring",
+                "Planned future usage or upcoming model promotion",
+                "Shadow mode or A/B test routing with low traffic share",
+                "Endpoints kept warm for latency-sensitive production traffic",
+            ],
+            time_window="21 days",
+        ),
+        estimated_monthly_cost_usd=449.0,
+    ),
+]
+
 ALL_FINDINGS: List[Finding] = AWS_FINDINGS + AZURE_FINDINGS + GCP_FINDINGS
 
 AZURE_AI_FINDINGS: List[Finding] = [
 
@@ -58,11 +58,8 @@ def doctor(
     click.echo("Running CleanCloud doctor")
     click.echo()
 
-    if category == "ai" and provider not in (None, "aws"):
-        raise click.UsageError(
-            "--category ai is only supported with --provider aws (SageMaker rules). "
-            "AI/ML rules for Azure and GCP are on the roadmap."
-        )
+    if category == "ai" and provider not in (None, "aws", "azure", "gcp"):
+        raise click.UsageError("--category ai is only supported with --provider aws, azure, or gcp")
 
     if multi_account_file:
         if provider != "aws" and provider is not None: