Merge pull request #7 from Jakee4488/chore/update-workflows

docs: add comprehensive operational and deployment documentation for …

Author: Jakee4488

Operational_Documents/CICD_EXECUTION_GRAPH.md

@@ -0,0 +1,207 @@
+# CI/CD & Databricks Execution Graph
+
+Complete end-to-end flow from code commit to running Databricks pipelines.
+
+---
+
+## Full Pipeline Execution Graph
+
+```mermaid
+flowchart TD
+    %% ── Developer Actions ──────────────────────────────────────
+    DEV([👨‍💻 Developer]):::person
+
+    DEV -->|git push feature/branch| PUSH[Push to Feature Branch]
+    PUSH --> PR[Open Pull Request\nto main]
+
+    %% ── Branch Protection ──────────────────────────────────────
+    PR --> PROTECT{protect_main.yml}:::workflow
+
+    PROTECT --> PC1[pr-ready-check\nNot a Draft?]
+    PROTECT --> PC2[branch-name-check\nfeature/* fix/* etc]
+    PROTECT --> PC3[pr-description-check\n≥ 30 chars?]
+
+    PC1 & PC2 & PC3 -->|All pass| MERGE_GATE{👁️ Code Review\n1 Approval Required}
+
+    MERGE_GATE -->|Approved| MERGE[Merge PR → main]
+    MERGE_GATE -->|Changes requested| DEV
+
+    %% ── CI Pipeline ────────────────────────────────────────────
+    MERGE --> CI{ci.yml\nCI Pipeline}:::workflow
+
+    subgraph CI_JOBS["🔵 CI Jobs — Run in Parallel"]
+        direction TB
+        CI --> LINT[lint-and-test\nruff check\nruff format\npytest -m not ci_exclude]
+        CI --> SEC[security-scan\nBandit\nSafety\nSecret scan]
+        LINT --> BV[bundle-validate\ndatabricks bundle validate -t dev]
+        LINT & SEC --> BUILD[build\nuv build → .whl artifact]
+    end
+
+    BV & BUILD -->|All green| CI_PASS{✅ CI Passed}
+    LINT -->|Fail| CI_FAIL[❌ CI Failed\nBlock merge]
+    SEC -->|Fail| CI_FAIL
+    BV -->|Fail| CI_FAIL
+    BUILD -->|Fail| CI_FAIL
+
+    %% ── CD Pipeline ────────────────────────────────────────────
+    CI_PASS --> CD{cd.yml\nCD Pipeline}:::workflow
+
+    %% ── DEV Stage ──────────────────────────────────────────────
+    subgraph DEV_STAGE["🟡 Stage 1 — Deploy Dev"]
+        direction TB
+        CD --> D1[uv build\nBuild .whl]
+        D1 --> D2[databricks bundle validate -t dev]
+        D2 --> D3[databricks bundle deploy -t dev\n--var git_sha --var branch\n--var finnhub_api_key --var alphavantage_api_key]
+        D3 --> D4[Upload .whl to\ndbfs:/Volumes/mlops_dev/.../packages/]
+        D4 --> D5[🔥 Smoke Test\ndatabricks bundle run\nfinancial_retraining_workflow -t dev --no-wait]
+    end
+
+    D5 -->|Success| ACC_GATE{main branch?}
+    D5 -->|Fail| FAIL_DEV[❌ Dev Deploy Failed]
+
+    %% ── ACC Stage ──────────────────────────────────────────────
+    ACC_GATE -->|Yes| ACC_STAGE
+
+    subgraph ACC_STAGE["🟠 Stage 2 — Deploy Acceptance"]
+        direction TB
+        A1[uv build]
+        A2[databricks bundle deploy -t acc\n--var git_sha --var branch\n--var API keys]
+        A3[Upload .whl to\ndbfs:/Volumes/mlops_acc/.../packages/]
+        A4[🧪 Acceptance Test\ndatabricks bundle run\nfinancial_retraining_workflow -t acc --no-wait]
+        A1 --> A2 --> A3 --> A4
+    end
+
+    A4 -->|Success| PRD_STAGE
+
+    %% ── PRD Stage ──────────────────────────────────────────────
+    subgraph PRD_STAGE["🔴 Stage 3 — Deploy Production"]
+        direction TB
+        P1[uv build]
+        P2[databricks bundle deploy -t prd\n--var git_sha --var branch\n--var API keys]
+        P3[Upload .whl to\ndbfs:/Volumes/mlops_prd/.../packages/]
+        P1 --> P2 --> P3
+    end
+
+    P3 -->|Success| PRD_OK[✅ Production Deployed]
+    P3 -->|Fail| ROLLBACK
+
+    subgraph ROLLBACK["🚨 Emergency Rollback"]
+        direction TB
+        R1[databricks bundle deploy -t prd\n--var git_sha=previous_sha]
+    end
+
+    ROLLBACK --> PRD_FAIL[⚠️ Rolled Back to Previous SHA]
+
+    %% ── Databricks Runtime ─────────────────────────────────────
+    PRD_OK --> DB_RUNTIME
+
+    subgraph DB_RUNTIME["☁️ Databricks Workspace — Always-On Pipelines"]
+        direction TB
+
+        subgraph INGEST["📥 Ingestion Workflow — Manual / Event"]
+            direction LR
+            I1[collect_finnhub_stream.py\nFinnhubCollector\nWebSocket → Buffer → Delta]
+            I2[run_streaming_pipeline\nFire DLT trigger]
+            I1 -->|landing zone files| I2
+        end
+
+        subgraph DLT["⚡ Streaming DLT Pipeline — financial-streaming-dlt"]
+            direction LR
+            B[bronze_trades\nAuto Loader\nJSON → Delta]
+            S[silver_trades\nDedup + Validate\n+ Enrich]
+            G[gold_trade_features\nRSI · MACD · VWAP\nBollinger · Volume Z-score]
+            B -->|dlt.read_stream| S -->|dlt.read| G
+        end
+
+        subgraph RETRAIN["🏆 Retraining Workflow — Nightly 00:00 UTC"]
+            direction LR
+            T1[train_tournament.py\n4-Model Tournament\nLightGBM · XGBoost\nRF · IsolationForest]
+            T2[deploy_anomaly_model.py\nChampion/Challenger Gate\nPROMOTE or REJECT]
+            T3[(UC Model Registry\nanomaly_model_champion\nalias: champion)]
+            T1 -->|challenger result| T2 -->|register + alias| T3
+        end
+
+        subgraph MONITOR["📊 Drift Monitoring — Every 30 min"]
+            direction LR
+            M1[detect_drift.py\nLoad reference window\nLoad current window]
+            M2[DriftDetector\nPSI on numericals\nJS on categoricals]
+            M3{overall_drift?}
+            M4[RetrainingTrigger\nCooldown check\nDaily limit check]
+            M5[AlertManager\nWebhook + Delta audit]
+            M6[🔄 Trigger Retraining Job\nWorkspaceClient.jobs.run_now]
+            M1 --> M2 --> M3
+            M3 -->|Yes| M4 --> M5 --> M6
+            M3 -->|No| MEND[✅ No action]
+        end
+
+        I2 -->|triggers| DLT
+        G -->|gold_trade_features| RETRAIN
+        G -->|gold_trade_features| MONITOR
+        M6 -->|triggers| RETRAIN
+    end
+
+    %% ── Manual Triggers ────────────────────────────────────────
+    MANUAL([👨‍💻 Manual\nworkflow_dispatch]):::person
+    MANUAL -->|target: dev/acc/prd| CD
+
+    %% ── Styles ─────────────────────────────────────────────────
+    classDef workflow fill:#1a1a2e,stroke:#4a90d9,color:#fff,rx:6
+    classDef person fill:#2d6a4f,stroke:#52b788,color:#fff,rx:20
+    classDef default fill:#16213e,stroke:#4a4a7a,color:#e0e0e0
+```
+
+---
+
+## Stage-by-Stage Legend
+
+| Symbol | Stage | Runs On |
+|---|---|---|
+| 🔵 | CI Pipeline | GitHub-hosted Ubuntu runner |
+| 🟡 | Deploy Dev | GitHub-hosted Ubuntu runner → Databricks dev |
+| 🟠 | Deploy Acceptance | GitHub-hosted Ubuntu runner → Databricks acc |
+| 🔴 | Deploy Production | GitHub-hosted Ubuntu runner → Databricks prd |
+| 🚨 | Emergency Rollback | Auto-triggers on prd failure |
+| ☁️ | Databricks Always-On | Databricks Serverless / Jobs compute |
+
+---
+
+## Timing Reference
+
+| Event | Expected Duration |
+|---|---|
+| CI (lint + test + build) | ~3–6 minutes |
+| Bundle validate | ~30 seconds |
+| Deploy to dev | ~2–3 minutes |
+| Deploy to acc | ~2–3 minutes |
+| Deploy to prd | ~2–3 minutes |
+| **Full push → production** | **~10–15 minutes** |
+| Ingestion job (5 min run) | 5 minutes |
+| DLT pipeline (trigger mode) | 5–15 minutes |
+| Retraining nightly job | 30–90 minutes (4 models) |
+| Drift monitoring (every 30 min) | 2–5 minutes |
+
+---
+
+## Trigger Summary
+
+```
+Developer push to feature branch
+         │
+         ├──► protect_main.yml  (PR checks: naming, draft, description)
+         │
+         └──► [PR approved] merge to main
+                    │
+                    ├──► ci.yml        (lint + test + bundle validate + build)
+                    │         │
+                    │         └──► cd.yml   (dev → acc → prd)
+                    │                   │
+                    │                   └──► Databricks bundle deploy
+                    │                             │
+                    │                             └──► Smoke test (retrain job --no-wait)
+                    │
+                    └──► [Always running in Databricks]
+                              Ingestion     → every manual/scheduled run
+                              DLT           → triggered by ingestion
+                              Retraining    → nightly 00:00 UTC
+                              Drift Monitor → every 30 minutes
+```

Operational_Documents/COMPREHENSIVE_MLOPS_SETUP_GUIDE.md

@@ -4,7 +4,7 @@ This guide provides an end-to-end setup for:
 - initializing ingestion and Delta Live Tables (DLT) pipelines,
 - evaluating and selecting the best model,
 - deploying the champion model to streaming inference,
-- implementing automated weekly retraining.
+- implementing automated nightly retraining (with drift-triggered retraining on top).
 
 It is written for this repository's Databricks Asset Bundles (DAB) layout.
 
@@ -21,9 +21,10 @@ Target workflow:
 6. **Retrain weekly** (plus drift-triggered retraining if needed).
 
 Core bundle resources:
+- `resources/ingestion_workflow.yml`  -> `financial_api_ingestion_workflow`
 - `resources/streaming_pipeline.yml` -> `financial_streaming_pipeline`
 - `resources/retraining_workflow.yml` -> `financial_retraining_workflow`
-- `resources/drift_monitoring.yml` -> `drift_monitoring_job`
+- `resources/drift_monitoring.yml`   -> `drift_monitoring_job`
 
 ---
 
@@ -38,6 +39,10 @@ databricks auth login
 databricks bundle validate -t dev
 ```
 
+> **Branch protection is active.** Never push directly to `main`. Always work on a
+> `feature/*`, `fix/*`, `chore/*`, or `hotfix/*` branch and open a PR.
+> See `protect_main.yml` and `CICD_EXECUTION_GRAPH.md` for the full flow.
+
 ### 2.2 Unity Catalog infrastructure
 
 Run once (as principal with `CREATE CATALOG` permission):
@@ -165,8 +170,8 @@ Post-deploy validations:
 
 ## 7) Weekly Automated Retraining
 
-Current retraining schedule in `resources/retraining_workflow.yml` is daily:
-- `0 0 0 * * ?`
+Current retraining schedule in `resources/retraining_workflow.yml` is **nightly**:
+- `0 0 0 * * ?` (midnight UTC, every day)
 
 To run weekly (example: Monday 02:00 UTC), change to:
 

Operational_Documents/DEPLOYMENT_VALIDATION_GUIDE.md

@@ -34,15 +34,23 @@ Before running the pipelines, ensure your GitHub repository has the required Env
    - `DATABRICKS_TOKEN` (Or OAuth alternatives: `DATABRICKS_CLIENT_ID` and `DATABRICKS_CLIENT_SECRET`)
    - `FINNHUB_API_KEY`
    - `ALPHAVANTAGE_API_KEY`
+4. **Branch Protection:** Confirm `protect_main.yml` is active and branch protection rules are set in:
+   `Settings → Branches → Add ruleset → Require pull request + require status checks`.
+   See `CICD_EXECUTION_GRAPH.md` for the full enforcement flow.
 
 ---
 
 ## Step 2: Validate Continuous Integration (CI) Pipeline
 **Workflow Source:** `.github/workflows/ci.yml`
 
-The CI pipeline runs on Push (to `main` or `develop`) and Pull Request logic. To test it:
+The CI pipeline runs on push to `main` or `develop`, and on Pull Requests to `main`.
 
-1. **Trigger:** Create a feature branch off of `develop` or `main`. Make a non-breaking code change (e.g., adding a comment), commit, and push. Open a Pull Request targeting `main`.
+> **Note:** Changes only to `Operational_Documents/**` or `README.md` are **ignored** by CI
+> via `paths-ignore` filters added to the workflow. Code changes always trigger CI.
+
+To test it:
+
+1. **Trigger:** Create a **feature branch** (e.g. `feature/my-change`) — direct pushes to `main` are blocked by `protect_main.yml`. Push the branch, then open a Pull Request targeting `main`.
 2. **Monitor Actions:** Navigate to the **Actions** tab in GitHub and click on the "CI Pipeline" run.
 3. **Verify Jobs:**
    - **Lint & Test:** Ensure `ruff` format checks pass and unit tests execute successfully (`pytest`). Verify `test-results.xml` and `coverage.xml` artifacts upload successfully.
@@ -72,6 +80,12 @@ The CD pipeline triggers on pushes to the `main` branch or manually via `workflo
 ## Step 4: Validate Manual Model Validation Gate
 **Workflow Source:** `.github/workflows/model_validation.yml`
 
+> **All active workflows:**
+> - `ci.yml` — Lint, test, bundle validate, build
+> - `cd.yml` — Deploy dev → acc → prd
+> - `protect_main.yml` — Branch protection, PR naming, draft check
+> - `model_validation.yml` — Manual model validation gate
+
 1. **Trigger:** Go to Actions, select "Model Validation Gate", and run it via `workflow_dispatch`.
 2. Provide a dummy `model_version` (e.g., `v1.2.0`).
 3. Ensure the workflow checks out successfully, runs the `ModelValidator` logic verifying PR-AUC and F1 scores, and connects seamlessly to the Unity Catalog MLflow registry. 
@@ -121,7 +135,11 @@ databricks bundle deploy -t dev \
    --var="finnhub_api_key=<key>" \
    --var="alphavantage_api_key=<key>"
 
-databricks fs cp --overwrite dist/<wheel-name>.whl dbfs:/FileStore/financial_ai_mlops_<sha>.whl
+# Upload wheel to Unity Catalog Volume (not DBFS FileStore)
+WHEEL=$(ls -t dist/*.whl | head -n 1)
+databricks fs mkdirs "dbfs:/Volumes/mlops_dev/financial_transactions/packages/"
+databricks fs cp --overwrite "$WHEEL" "dbfs:/Volumes/mlops_dev/financial_transactions/packages/$(basename $WHEEL)"
+
 databricks bundle run financial_retraining_workflow -t dev
 ```
 

Operational_Documents/GETTING_STARTED_PIPELINE_TESTING.md

@@ -38,6 +38,9 @@ Latest verified local result in this workspace (2026-04-08):
 - Runtime about 51s
 - Coverage about 46%
 
+> **Branch protection is active.** Do not push directly to `main`. Create a `feature/*` or
+> `fix/*` branch, push it, and open a Pull Request. See `protect_main.yml` for enforced checks.
+
 ## 2. What Current Tests Cover
 
 Automated tests currently validate:
@@ -80,9 +83,11 @@ Pass condition:
 ### 3.3 Execute pipeline resources
 
 ```bash
-databricks bundle run -t dev financial_streaming_pipeline
-databricks bundle run -t dev financial_retraining_workflow
-databricks bundle run -t dev drift_monitoring_job
+# Run pipelines in dependency order:
+databricks bundle run -t dev financial_api_ingestion_workflow  # Step 1: ingest data
+databricks bundle run -t dev financial_streaming_pipeline      # Step 2: DLT Bronze→Gold
+databricks bundle run -t dev financial_retraining_workflow     # Step 3: train + deploy model
+databricks bundle run -t dev drift_monitoring_job              # Step 4: drift check
 ```
 
 Pass conditions:
@@ -288,13 +293,21 @@ Treat a candidate as ready only when all are true:
 - bundle validate and deploy are green in target env,
 - streaming, retraining, and drift runs are green,
 - rollback process has been validated,
-- no blocking monitoring alerts remain.
+- no blocking monitoring alerts remain,
+- PR was reviewed and merged (not pushed directly to main),
+- `protect_main.yml` branch-name and description checks passed.
 
 ## 6. Useful Paths
 
 - `databricks.yml`
 - `project_config.yml`
+- `resources/ingestion_workflow.yml`
 - `resources/streaming_pipeline.yml`
 - `resources/retraining_workflow.yml`
 - `resources/drift_monitoring.yml`
+- `.github/workflows/ci.yml`
+- `.github/workflows/cd.yml`
+- `.github/workflows/protect_main.yml`
 - `tests/financial_transactions/`
+- `Operational_Documents/CICD_EXECUTION_GRAPH.md`
+- `Operational_Documents/FUNCTION_AND_CONFIG_REFERENCE.md`

Operational_Documents/README.md

@@ -24,6 +24,7 @@ Centralised operational documentation for Financial AI MLOps.
 | Document | Purpose |
 |---|---|
 | [`RUNBOOK.md`](RUNBOOK.md) | On-call incident response procedures |
+| [`CICD_EXECUTION_GRAPH.md`](CICD_EXECUTION_GRAPH.md) | Full CI/CD + Databricks execution flow diagram with timing |
 
 ### Security