airbyte-internal-ops 0.2.4__py3-none-any.whl → 0.3.1__py3-none-any.whl

airbyte_ops_mcp/connection_config_retriever/audit_logging.py

@@ -11,9 +11,8 @@ import logging
 import subprocess
 from typing import TYPE_CHECKING, Any, Callable
 
-from google.cloud import logging as gcloud_logging
-
 from airbyte_ops_mcp.constants import GCP_PROJECT_NAME
+from airbyte_ops_mcp.gcp_auth import get_logging_client
 
 if TYPE_CHECKING:
     from airbyte_ops_mcp.connection_config_retriever.retrieval import (
@@ -23,21 +22,18 @@ if TYPE_CHECKING:
 LOGGER = logging.getLogger(__name__)
 
 # Lazy-initialized to avoid import-time GCP calls
-_logging_client: gcloud_logging.Client | None = None
 _airbyte_gcloud_logger: Any = None
 
 
 def _get_logger() -> Any:
     """Get the GCP Cloud Logger, initializing lazily on first use."""
-    global _logging_client, _airbyte_gcloud_logger
+    global _airbyte_gcloud_logger
 
     if _airbyte_gcloud_logger is not None:
         return _airbyte_gcloud_logger
 
-    _logging_client = gcloud_logging.Client(project=GCP_PROJECT_NAME)
-    _airbyte_gcloud_logger = _logging_client.logger(
-        "airbyte-cloud-connection-retriever"
-    )
+    logging_client = get_logging_client(GCP_PROJECT_NAME)
+    _airbyte_gcloud_logger = logging_client.logger("airbyte-cloud-connection-retriever")
     return _airbyte_gcloud_logger
 
 

airbyte_ops_mcp/constants.py

@@ -10,6 +10,9 @@ from airbyte.exceptions import PyAirbyteInputError
 MCP_SERVER_NAME = "airbyte-internal-ops"
 """The name of the MCP server."""
 
+USER_AGENT = "Airbyte-Internal-Ops Python client"
+"""User-Agent string for HTTP requests to Airbyte Cloud APIs."""
+
 # Environment variable names for internal admin authentication
 ENV_AIRBYTE_INTERNAL_ADMIN_FLAG = "AIRBYTE_INTERNAL_ADMIN_FLAG"
 ENV_AIRBYTE_INTERNAL_ADMIN_USER = "AIRBYTE_INTERNAL_ADMIN_USER"

airbyte_ops_mcp/gcp_auth.py

@@ -6,94 +6,187 @@ the airbyte-ops-mcp codebase. It supports both standard Application Default
 Credentials (ADC) and the GCP_PROD_DB_ACCESS_CREDENTIALS environment variable
 used internally at Airbyte.
 
+The preferred approach is to pass credentials directly to GCP client constructors
+rather than relying on file-based ADC discovery. This module provides helpers
+that construct credentials from JSON content in environment variables.
+
 Usage:
-    from airbyte_ops_mcp.gcp_auth import get_secret_manager_client
+    from airbyte_ops_mcp.gcp_auth import get_gcp_credentials, get_secret_manager_client
+
+    # Get credentials object to pass to any GCP client
+    credentials = get_gcp_credentials()
+    client = logging.Client(project="my-project", credentials=credentials)
 
-    # Get a properly authenticated Secret Manager client
+    # Or use the convenience helper for Secret Manager
     client = get_secret_manager_client()
 """
 
 from __future__ import annotations
 
+import json
 import logging
 import os
-import tempfile
-from pathlib import Path
+import sys
+import threading
 
+import google.auth
+from google.cloud import logging as gcp_logging
 from google.cloud import secretmanager
+from google.oauth2 import service_account
 
 from airbyte_ops_mcp.constants import ENV_GCP_PROD_DB_ACCESS_CREDENTIALS
 
 logger = logging.getLogger(__name__)
 
-# Environment variable name (internal to GCP libraries)
-ENV_GOOGLE_APPLICATION_CREDENTIALS = "GOOGLE_APPLICATION_CREDENTIALS"
 
-# Module-level cache for the credentials file path
-_credentials_file_path: str | None = None
+def _get_identity_from_service_account_info(info: dict) -> str | None:
+    """Extract service account identity from parsed JSON info.
+
+    Only accesses the 'client_email' key to avoid any risk of leaking
+    other credential material.
 
+    Args:
+        info: Parsed service account JSON as a dict.
 
-def ensure_adc_credentials() -> str | None:
-    """Ensure GCP Application Default Credentials are available.
+    Returns:
+        The client_email if present and a string, otherwise None.
+    """
+    client_email = info.get("client_email")
+    if isinstance(client_email, str):
+        return client_email
+    return None
 
-    If GOOGLE_APPLICATION_CREDENTIALS is not set but GCP_PROD_DB_ACCESS_CREDENTIALS is,
-    write the JSON credentials to a temp file and set GOOGLE_APPLICATION_CREDENTIALS
-    to point to that file. This provides a fallback for internal employees who use
-    GCP_PROD_DB_ACCESS_CREDENTIALS as their standard credential source.
 
-    Note: GOOGLE_APPLICATION_CREDENTIALS must be a file path, not JSON content.
-    The GCP_PROD_DB_ACCESS_CREDENTIALS env var contains the JSON content directly,
-    so we write it to a temp file first.
+def _get_identity_from_credentials(
+    credentials: google.auth.credentials.Credentials,
+) -> str | None:
+    """Extract identity from a credentials object using safe attribute access.
 
-    This function is idempotent and safe to call multiple times.
+    Only accesses known-safe attributes that don't trigger network calls
+    or token refresh.
+
+    Args:
+        credentials: A GCP credentials object.
 
     Returns:
-        The path to the credentials file if one was created, or None if
-        GOOGLE_APPLICATION_CREDENTIALS was already set.
+        The service account email if available, otherwise None.
     """
-    global _credentials_file_path
+    # Try service_account_email first (most common for service accounts)
+    identity = getattr(credentials, "service_account_email", None)
+    if isinstance(identity, str):
+        return identity
+
+    # Try signer_email as fallback (sometimes present on impersonated creds)
+    identity = getattr(credentials, "signer_email", None)
+    if isinstance(identity, str):
+        return identity
+
+    return None
+
 
-    # If GOOGLE_APPLICATION_CREDENTIALS is already set, nothing to do
-    if ENV_GOOGLE_APPLICATION_CREDENTIALS in os.environ:
-        return None
+# Default scopes for GCP services used by this module
+DEFAULT_GCP_SCOPES = ["https://www.googleapis.com/auth/cloud-platform"]
 
-    # Check if we have the fallback credentials
-    gsm_creds = os.getenv(ENV_GCP_PROD_DB_ACCESS_CREDENTIALS)
-    if not gsm_creds:
-        return None
+# Module-level cache for credentials (thread-safe)
+_cached_credentials: google.auth.credentials.Credentials | None = None
+_credentials_lock = threading.Lock()
 
-    # Reuse the same file path if we've already written credentials and file still exists
-    if _credentials_file_path is not None and Path(_credentials_file_path).exists():
-        os.environ[ENV_GOOGLE_APPLICATION_CREDENTIALS] = _credentials_file_path
-        return _credentials_file_path
 
-    # Write credentials to a temp file
-    # Use a unique filename based on PID to avoid collisions between processes
-    creds_file = Path(tempfile.gettempdir()) / f"gcp_prod_db_creds_{os.getpid()}.json"
-    creds_file.write_text(gsm_creds)
+def get_gcp_credentials() -> google.auth.credentials.Credentials:
+    """Get GCP credentials, preferring direct JSON parsing over file-based ADC.
 
-    # Set restrictive permissions (owner read/write only)
-    creds_file.chmod(0o600)
+    This function resolves credentials in the following order:
+    1. GCP_PROD_DB_ACCESS_CREDENTIALS env var (JSON content) - parsed directly
+    2. Standard ADC discovery (workload identity, gcloud auth, GOOGLE_APPLICATION_CREDENTIALS)
 
-    _credentials_file_path = str(creds_file)
-    os.environ[ENV_GOOGLE_APPLICATION_CREDENTIALS] = _credentials_file_path
+    The credentials are cached after first resolution for efficiency.
+    Uses the cloud-platform scope which provides access to all GCP services.
 
-    logger.debug(
-        f"Wrote {ENV_GCP_PROD_DB_ACCESS_CREDENTIALS} to {creds_file} and set "
-        f"{ENV_GOOGLE_APPLICATION_CREDENTIALS}"
-    )
+    Returns:
+        A Credentials object that can be passed to any GCP client constructor.
 
-    return _credentials_file_path
+    Raises:
+        google.auth.exceptions.DefaultCredentialsError: If no credentials can be found.
+    """
+    global _cached_credentials
+
+    # Return cached credentials if available (fast path without lock)
+    if _cached_credentials is not None:
+        return _cached_credentials
+
+    # Acquire lock for thread-safe credential initialization
+    with _credentials_lock:
+        # Double-check after acquiring lock (another thread may have initialized)
+        if _cached_credentials is not None:
+            return _cached_credentials
+
+        # Try GCP_PROD_DB_ACCESS_CREDENTIALS first (JSON content in env var)
+        creds_json = os.getenv(ENV_GCP_PROD_DB_ACCESS_CREDENTIALS)
+        if creds_json:
+            try:
+                creds_dict = json.loads(creds_json)
+                credentials = service_account.Credentials.from_service_account_info(
+                    creds_dict,
+                    scopes=DEFAULT_GCP_SCOPES,
+                )
+                # Extract identity safely (only after successful credential creation)
+                identity = _get_identity_from_service_account_info(creds_dict)
+                identity_str = f" (identity: {identity})" if identity else ""
+                print(
+                    f"GCP credentials loaded from {ENV_GCP_PROD_DB_ACCESS_CREDENTIALS}{identity_str}",
+                    file=sys.stderr,
+                )
+                logger.debug(
+                    f"Loaded GCP credentials from {ENV_GCP_PROD_DB_ACCESS_CREDENTIALS} env var"
+                )
+                _cached_credentials = credentials
+                return credentials
+            except (json.JSONDecodeError, ValueError) as e:
+                # Log only exception type to avoid any risk of leaking credential content
+                logger.warning(
+                    f"Failed to parse {ENV_GCP_PROD_DB_ACCESS_CREDENTIALS}: "
+                    f"{type(e).__name__}. Falling back to ADC discovery."
+                )
+
+        # Fall back to standard ADC discovery
+        credentials, project = google.auth.default(scopes=DEFAULT_GCP_SCOPES)
+        # Extract identity safely from ADC credentials
+        identity = _get_identity_from_credentials(credentials)
+        identity_str = f" (identity: {identity})" if identity else ""
+        project_str = f" (project: {project})" if project else ""
+        print(
+            f"GCP credentials loaded via ADC{project_str}{identity_str}",
+            file=sys.stderr,
+        )
+        logger.debug(f"Loaded GCP credentials via ADC discovery (project: {project})")
+        _cached_credentials = credentials
+        return credentials
 
 
 def get_secret_manager_client() -> secretmanager.SecretManagerServiceClient:
     """Get a Secret Manager client with proper credential handling.
 
-    This function ensures GCP credentials are available (supporting the
-    GCP_PROD_DB_ACCESS_CREDENTIALS fallback) before creating the client.
+    This function uses get_gcp_credentials() to resolve credentials and passes
+    them directly to the client constructor.
 
     Returns:
         A configured SecretManagerServiceClient instance.
     """
-    ensure_adc_credentials()
-    return secretmanager.SecretManagerServiceClient()
+    credentials = get_gcp_credentials()
+    return secretmanager.SecretManagerServiceClient(credentials=credentials)
+
+
+def get_logging_client(project: str) -> gcp_logging.Client:
+    """Get a Cloud Logging client with proper credential handling.
+
+    This function uses get_gcp_credentials() to resolve credentials and passes
+    them directly to the client constructor.
+
+    Args:
+        project: The GCP project ID to use for logging operations.
+
+    Returns:
+        A configured Cloud Logging Client instance.
+    """
+    credentials = get_gcp_credentials()
+    return gcp_logging.Client(project=project, credentials=credentials)

airbyte_ops_mcp/gcp_logs/__init__.py

@@ -0,0 +1,18 @@
+# Copyright (c) 2025 Airbyte, Inc., all rights reserved.
+"""GCP Cloud Logging utilities for fetching error details by error ID."""
+
+from airbyte_ops_mcp.gcp_logs.error_lookup import (
+    GCPLogEntry,
+    GCPLogPayload,
+    GCPLogSearchResult,
+    GCPSeverity,
+    fetch_error_logs,
+)
+
+__all__ = [
+    "GCPLogEntry",
+    "GCPLogPayload",
+    "GCPLogSearchResult",
+    "GCPSeverity",
+    "fetch_error_logs",
+]

airbyte_ops_mcp/gcp_logs/error_lookup.py

@@ -0,0 +1,384 @@
+# Copyright (c) 2025 Airbyte, Inc., all rights reserved.
+"""Fetch full stack traces from Google Cloud Logs by error ID.
+
+This module provides functionality to look up error details from GCP Cloud Logging
+using an error ID (UUID). This is useful for debugging API errors that return
+only an error ID in the response.
+
+Example:
+    from airbyte_ops_mcp.gcp_logs import fetch_error_logs
+
+    result = fetch_error_logs(
+        error_id="3173452e-8f22-4286-a1ec-b0f16c1e078a",
+        project="prod-ab-cloud-proj",
+        lookback_days=7,
+    )
+    for entry in result.entries:
+        print(entry.message)
+"""
+
+from __future__ import annotations
+
+import re
+from datetime import UTC, datetime, timedelta
+from enum import StrEnum
+from typing import Any
+
+from google.cloud import logging as gcp_logging
+from google.cloud.logging_v2 import entries
+from pydantic import BaseModel, Field
+
+from airbyte_ops_mcp.gcp_auth import get_logging_client
+
+# Default GCP project for Airbyte Cloud
+DEFAULT_GCP_PROJECT = "prod-ab-cloud-proj"
+
+
+class GCPSeverity(StrEnum):
+    """Valid GCP Cloud Logging severity levels."""
+
+    DEBUG = "DEBUG"
+    INFO = "INFO"
+    NOTICE = "NOTICE"
+    WARNING = "WARNING"
+    ERROR = "ERROR"
+    CRITICAL = "CRITICAL"
+    ALERT = "ALERT"
+    EMERGENCY = "EMERGENCY"
+
+
+class GCPLogResourceLabels(BaseModel):
+    """Resource labels from a GCP log entry."""
+
+    pod_name: str | None = Field(default=None, description="Kubernetes pod name")
+    container_name: str | None = Field(
+        default=None, description="Container name within the pod"
+    )
+    namespace_name: str | None = Field(default=None, description="Kubernetes namespace")
+    cluster_name: str | None = Field(default=None, description="GKE cluster name")
+
+
+class GCPLogResource(BaseModel):
+    """Resource information from a GCP log entry."""
+
+    type: str | None = Field(default=None, description="Resource type")
+    labels: GCPLogResourceLabels = Field(
+        default_factory=GCPLogResourceLabels, description="Resource labels"
+    )
+
+
+class GCPLogSourceLocation(BaseModel):
+    """Source location information from a GCP log entry."""
+
+    file: str | None = Field(default=None, description="Source file path")
+    line: int | None = Field(default=None, description="Line number")
+    function: str | None = Field(default=None, description="Function name")
+
+
+class GCPLogEntry(BaseModel):
+    """A single log entry from GCP Cloud Logging."""
+
+    timestamp: datetime | None = Field(
+        default=None, description="When the log entry was created"
+    )
+    severity: str | None = Field(
+        default=None, description="Log severity (DEBUG, INFO, WARNING, ERROR, etc.)"
+    )
+    log_name: str | None = Field(default=None, description="Full log name path")
+    insert_id: str | None = Field(
+        default=None, description="Unique identifier for the log entry"
+    )
+    trace: str | None = Field(
+        default=None, description="Trace ID for distributed tracing"
+    )
+    span_id: str | None = Field(default=None, description="Span ID within the trace")
+    payload: Any = Field(default=None, description="Log entry payload (text or struct)")
+    payload_type: str | None = Field(
+        default=None, description="Type of payload (text, struct, protobuf)"
+    )
+    resource: GCPLogResource = Field(
+        default_factory=GCPLogResource, description="Resource information"
+    )
+    source_location: GCPLogSourceLocation | None = Field(
+        default=None, description="Source code location"
+    )
+    labels: dict[str, str] = Field(
+        default_factory=dict, description="User-defined labels"
+    )
+
+
+class GCPLogPayload(BaseModel):
+    """Extracted and combined payload from grouped log entries."""
+
+    timestamp: datetime | None = Field(
+        default=None, description="Timestamp of the first entry in the group"
+    )
+    severity: str | None = Field(default=None, description="Severity of the log group")
+    resource: GCPLogResource = Field(
+        default_factory=GCPLogResource, description="Resource information"
+    )
+    num_log_lines: int = Field(
+        default=0, description="Number of log lines combined into this payload"
+    )
+    message: str = Field(default="", description="Combined message from all log lines")
+
+
+class GCPLogSearchResult(BaseModel):
+    """Result of searching GCP Cloud Logging for an error ID."""
+
+    error_id: str = Field(description="The error ID that was searched for")
+    project: str = Field(description="GCP project that was searched")
+    lookback_days_searched: int = Field(
+        description="Number of lookback days that were searched"
+    )
+    total_entries_found: int = Field(
+        description="Total number of log entries found (including related entries)"
+    )
+    entries: list[GCPLogEntry] = Field(
+        default_factory=list, description="Raw log entries found"
+    )
+    payloads: list[GCPLogPayload] = Field(
+        default_factory=list,
+        description="Extracted and grouped payloads (reconstructed stack traces)",
+    )
+
+
+def _build_filter(
+    error_id: str,
+    lookback_days: int,
+    min_severity_filter: GCPSeverity | None,
+) -> str:
+    """Build the Cloud Logging filter query."""
+    filter_parts = [f'"{error_id}"']
+
+    start_time = datetime.now(UTC) - timedelta(days=lookback_days)
+    filter_parts.append(f'timestamp >= "{start_time.isoformat()}"')
+
+    if min_severity_filter:
+        filter_parts.append(f"severity>={min_severity_filter}")
+
+    return " AND ".join(filter_parts)
+
+
+def _entry_to_model(
+    entry: entries.StructEntry | entries.TextEntry | entries.ProtobufEntry,
+) -> GCPLogEntry:
+    """Convert a GCP log entry to a Pydantic model."""
+    resource_labels = {}
+    if entry.resource and entry.resource.labels:
+        resource_labels = dict(entry.resource.labels)
+
+    resource = GCPLogResource(
+        type=entry.resource.type if entry.resource else None,
+        labels=GCPLogResourceLabels(
+            pod_name=resource_labels.get("pod_name"),
+            container_name=resource_labels.get("container_name"),
+            namespace_name=resource_labels.get("namespace_name"),
+            cluster_name=resource_labels.get("cluster_name"),
+        ),
+    )
+
+    source_location = None
+    if entry.source_location:
+        source_location = GCPLogSourceLocation(
+            file=entry.source_location.get("file"),
+            line=entry.source_location.get("line"),
+            function=entry.source_location.get("function"),
+        )
+
+    payload: Any = None
+    payload_type = "unknown"
+    if isinstance(entry, entries.StructEntry):
+        payload = entry.payload
+        payload_type = "struct"
+    elif isinstance(entry, entries.TextEntry):
+        payload = entry.payload
+        payload_type = "text"
+    elif isinstance(entry, entries.ProtobufEntry):
+        payload = str(entry.payload)
+        payload_type = "protobuf"
+
+    return GCPLogEntry(
+        timestamp=entry.timestamp,
+        severity=entry.severity,
+        log_name=entry.log_name,
+        insert_id=entry.insert_id,
+        trace=entry.trace,
+        span_id=entry.span_id,
+        payload=payload,
+        payload_type=payload_type,
+        resource=resource,
+        source_location=source_location,
+        labels=dict(entry.labels) if entry.labels else {},
+    )
+
+
+def _group_entries_by_occurrence(
+    log_entries: list[GCPLogEntry],
+) -> list[list[GCPLogEntry]]:
+    """Group log entries by occurrence (timestamp clusters within 1 second)."""
+    if not log_entries:
+        return []
+
+    sorted_entries = sorted(
+        log_entries, key=lambda x: x.timestamp or datetime.min.replace(tzinfo=UTC)
+    )
+
+    groups: list[list[GCPLogEntry]] = []
+    current_group = [sorted_entries[0]]
+    current_timestamp = sorted_entries[0].timestamp or datetime.min.replace(tzinfo=UTC)
+
+    for entry in sorted_entries[1:]:
+        entry_timestamp = entry.timestamp or datetime.min.replace(tzinfo=UTC)
+        time_diff = abs((entry_timestamp - current_timestamp).total_seconds())
+
+        current_pod = current_group[0].resource.labels.pod_name
+        entry_pod = entry.resource.labels.pod_name
+
+        if time_diff <= 1 and entry_pod == current_pod:
+            current_group.append(entry)
+        else:
+            groups.append(current_group)
+            current_group = [entry]
+            current_timestamp = entry_timestamp
+
+    if current_group:
+        groups.append(current_group)
+
+    return groups
+
+
+def _extract_payloads(log_entries: list[GCPLogEntry]) -> list[GCPLogPayload]:
+    """Extract and group payloads by occurrence."""
+    if not log_entries:
+        return []
+
+    grouped = _group_entries_by_occurrence(log_entries)
+
+    results = []
+    for group in grouped:
+        payloads = []
+        for entry in group:
+            if entry.payload:
+                payload_text = str(entry.payload)
+                payload_text = re.sub(r"\x1b\[[0-9;]*m", "", payload_text)
+                payloads.append(payload_text)
+
+        combined_message = "\n".join(payloads)
+
+        first_entry = group[0]
+        result = GCPLogPayload(
+            timestamp=first_entry.timestamp,
+            severity=first_entry.severity,
+            resource=first_entry.resource,
+            num_log_lines=len(group),
+            message=combined_message,
+        )
+        results.append(result)
+
+    return results
+
+
+def fetch_error_logs(
+    error_id: str,
+    project: str = DEFAULT_GCP_PROJECT,
+    lookback_days: int = 7,
+    min_severity_filter: GCPSeverity | None = None,
+    include_log_envelope_seconds: float = 1.0,
+    max_log_entries: int | None = None,
+) -> GCPLogSearchResult:
+    """Fetch logs from Google Cloud Logging by error ID.
+
+    This function searches GCP Cloud Logging for log entries containing the
+    specified error ID, then fetches related log entries (multi-line stack traces)
+    from the same timestamp and resource.
+    """
+    client = get_logging_client(project)
+
+    filter_str = _build_filter(error_id, lookback_days, min_severity_filter)
+
+    entries_iterator = client.list_entries(
+        filter_=filter_str,
+        order_by=gcp_logging.DESCENDING,
+    )
+
+    initial_matches = list(entries_iterator)
+
+    if not initial_matches:
+        return GCPLogSearchResult(
+            error_id=error_id,
+            project=project,
+            lookback_days_searched=lookback_days,
+            total_entries_found=0,
+            entries=[],
+            payloads=[],
+        )
+
+    all_results: list[GCPLogEntry] = []
+    seen_insert_ids: set[str] = set()
+
+    for match in initial_matches:
+        timestamp = match.timestamp
+        resource_type_val = match.resource.type if match.resource else None
+        resource_labels = (
+            dict(match.resource.labels)
+            if match.resource and match.resource.labels
+            else {}
+        )
+        log_name = match.log_name
+
+        start_time = timestamp - timedelta(seconds=include_log_envelope_seconds)
+        end_time = timestamp + timedelta(seconds=include_log_envelope_seconds)
+
+        related_filter_parts = [
+            f'timestamp >= "{start_time.isoformat()}"',
+            f'timestamp <= "{end_time.isoformat()}"',
+        ]
+
+        if log_name:
+            related_filter_parts.append(f'logName="{log_name}"')
+
+        if resource_type_val:
+            related_filter_parts.append(f'resource.type="{resource_type_val}"')
+
+        if "pod_name" in resource_labels:
+            related_filter_parts.append(
+                f'resource.labels.pod_name="{resource_labels["pod_name"]}"'
+            )
+        if "container_name" in resource_labels:
+            related_filter_parts.append(
+                f'resource.labels.container_name="{resource_labels["container_name"]}"'
+            )
+
+        # Note: resource_type_val is extracted from the matched entry, and
+        # min_severity_filter is already applied in the initial search filter
+
+        related_filter = " AND ".join(related_filter_parts)
+
+        related_entries = client.list_entries(
+            filter_=related_filter,
+            order_by=gcp_logging.ASCENDING,
+        )
+
+        for entry in related_entries:
+            if entry.insert_id and entry.insert_id not in seen_insert_ids:
+                seen_insert_ids.add(entry.insert_id)
+                all_results.append(_entry_to_model(entry))
+
+    all_results.sort(
+        key=lambda x: x.timestamp or datetime.min.replace(tzinfo=UTC), reverse=True
+    )
+
+    if max_log_entries:
+        all_results = all_results[:max_log_entries]
+
+    payloads = _extract_payloads(all_results)
+
+    return GCPLogSearchResult(
+        error_id=error_id,
+        project=project,
+        lookback_days_searched=lookback_days,
+        total_entries_found=len(all_results),
+        entries=all_results,
+        payloads=payloads,
+    )