GCP Expert

Expert knowledge base for Google Cloud Platform service behavior, defaults, and operational pitfalls. Contains 863 justified beliefs covering GCE, GCS, Cloud Run, GKE, Cloud SQL, Pub/Sub, Secret Manager, VPC networking, IAM, KMS, and cross-service interactions.

What is this?

This is an External Epistemic Memory (EEM) — a model-agnostic knowledge base that any LLM can use via the reasons CLI or tool calling. Unlike a LoRA or fine-tune, this knowledge is not baked into model weights. It is external, inspectable, correctable, and works with any model.

Stats

| Metric | Value |
|---|---|
| Total beliefs | 863 |
| Status | 863 IN / 0 OUT |
| Premises (observations) | 709 |
| Derived (justified conclusions) | 154 |
| Nogoods (contradictions) | 0 |
| Retraction rate | 0% |
| Max derivation depth | 8 |

Top Topics

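| Topic | Beliefs |
|---|---|
| gce | 77 |
| vpc | 73 |
| gcs | 70 |
| cloudrun | 67 |
| gke | 64 |
| cloud | 60 |
| gcp | 58 |
| cloudsql | 50 |
| iam | 43 |
| pubsub | 43 |
| secretmanager | 43 |
| interconnect | 36 |
| kms | 35 |
| cloudbuild | 30 |
| private | 27 |
| dns | 24 |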

Domain Coverage

  • GCE: instance lifecycle, machine types, persistent disks, preemptible/spot VMs, metadata, live migration (75 beliefs)
  • GCS: bucket policies, lifecycle rules, versioning, access control, retention, cross-region replication (68 beliefs)
  • Cloud Run: container deployment, autoscaling, concurrency limits, networking, service mesh, cold starts (66 beliefs)
  • GKE: cluster management, node pools, networking, Workload Identity, autopilot vs standard, upgrades (60 beliefs)
  • GCP Cross-Cutting: default configurations, security posture, architectural commitments, cross-service patterns (56 beliefs)
  • Cloud SQL: HA configuration, private networking via VPC peering, backup/PITR, production architecture costs (49 beliefs)
  • VPC & Networking: peering constraints, Private Service Connect, Cloud Interconnect, firewall rules, DNS, subnets (35 beliefs)
  • Secret Manager: rotation patterns (notification-only), access patterns, versioning, production usage (43 beliefs)
  • Pub/Sub: message ordering, dead lettering, exactly-once delivery, subscriptions, push vs pull (42 beliefs)
  • Artifact Registry: container images, language packages, vulnerability scanning, repository management (31 beliefs)
  • KMS/CMEK: key rotation decoupled from re-encryption, data governance control plane, cross-service encryption (32 beliefs)
  • Cloud Build: CI/CD pipelines, triggers, build steps, artifact management (29 beliefs)
  • IAM: policy hierarchy, service accounts, Workload Identity Federation, conditions, org policies (28 beliefs)
  • Cloud Interconnect: dedicated vs partner, VLAN attachments, redundancy requirements (20 beliefs)
  • Memorystore: Redis/Memcached managed instances, HA, networking constraints (20 beliefs)
  • Monitoring & Logging: Cloud Monitoring metrics, Cloud Logging, alerting policies, SLO tracking (34 beliefs)
  • Security: Cloud Armor edge filtering, automatic DDoS protection, CMEK governance, default hardening (10 beliefs)

How to Use

Import into a reasons database

reasons init
reasons import-json network.json

Query beliefs

reasons search "Cloud SQL private networking"
reasons explain cmek-single-control-plane-for-data-governance
reasons show gcp-security-requires-upfront-architectural-commitment

Use as an MCP tool or CLI

Any LLM agent that can call reasons search, reasons show, and reasons explain can use this knowledge base. The agent does not need to be told it is an expert — the knowledge base speaks for itself.

Key Beliefs

| Node | Summary |
|---|---|
| cmek-single-control-plane-for-data-governance | CMEK key lifecycle serves as the single control plane for data governance across GCP |
| gcp-security-requires-upfront-architectural-commitment | GCP's dual security governance (IAM + CMEK) compounds with cross-layer interactions |
| secretmanager-rotation-notification-only | Secret Manager rotation is notification-only: it sends a Pub/Sub message rather than rotating |
| vpc-peering-limited-connectivity-model | VPC peering is non-transitive, never exchanges IAM policies, and has a 25 peering limit |
| cloudsql-private-networking-doubly-constrained-by-peering | Cloud SQL private IP inherits VPC peering constraints (non-transitivity, 25 peering limit) |
| cloudsql-production-architecture-requires-triple-investment | Production Cloud SQL requires concurrent HA, backup, and private networking investment |
| cloud-armor-operates-at-edge | Cloud Armor filters traffic at the Google Cloud edge before it reaches backends |
| cloud-armor-auto-ddos-global-external-alb | DDoS protection is automatic for global external Application Load Balancers |
| kms-rotation-decoupled-from-reencryption | KMS key rotation creates new versions without re-encrypting existing data |
| secretmanager-production-access-pattern | Production secret access should use the API directly, pin to specific versions |

Sources

Built from exploration of GCP documentation, API behavior, and operational experience across GCE, GCS, Cloud Run, GKE, Cloud SQL, Pub/Sub, Secret Manager, VPC, IAM, KMS, and 15+ additional GCP services.

Files

| File | Description |
|---|---|
| network.json | Full belief network (machine-readable, portable) |
| reasons.db | SQLite database (gitignored, regenerate with reasons import-json network.json) |
| CLAUDE.md | Agent instructions for using this knowledge base |
| entries/ | 114 exploration entries — raw observations behind the premises |

Quality

  • All 863 beliefs are IN (none retracted)
  • 709 premises grounded in direct observations of GCP service behavior
  • 154 derived beliefs justified from premises via SL justifications
  • 0 nogoods — no contradictions detected
  • Max derivation depth of 8, indicating multi-step reasoning chains
  • Built and reviewed using ftl-reasons derive and review-beliefs pipeline

Limitations

  • Focused on GCP service behavior and defaults as of mid-2026
  • GCP services evolve; some beliefs may become stale as features change
  • Heavier coverage of GCE, GCS, and Cloud Run than other services
  • Does not cover pricing in detail beyond capacity/commitment mechanics
  • No ATMS or assumption-based beliefs (single-context TMS only)

Authors

License

mit
