argus-cloud-optimizer 0.2.0__py3-none-any.whl

argus_cloud_optimizer-0.2.0.dist-info/RECORD

@@ -0,0 +1,62 @@
+adapters/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+adapters/base.py,sha256=fF5MSnjAtaOBb8yPfetUWoYIu2QoIzlSXQOgwD9eXuI,3211
+adapters/aws/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+adapters/aws/adapter.py,sha256=La_fi8Q81AJbFdQjEHUnivPFnnbO3QJGkIvMVqM6KJY,2457
+adapters/aws/auth.py,sha256=SwMw9LIpFPQXVxX2x0ISI6N15kZfCgqgjBV78xGoXdA,1945
+adapters/aws/cloudtrail.py,sha256=tBYJ_eQGfAftRYihLkBn86kIZuxGmxIoHtbXvthVzFE,2465
+adapters/aws/cloudwatch.py,sha256=TpAxLkXIzmorWbHmI4hWLMtn0tmsEkm3pNxARTF9JFU,34769
+adapters/aws/config.py,sha256=2SYo2FCXEtEULLMnEOh-f7HFfT0_9knmhJLjYAAf_2M,182
+adapters/aws/cost_explorer.py,sha256=NH3_Nk8pfo-DUZWeE8GLwBqq5b3_mH4wpYw3Sm8c-Bg,4033
+adapters/aws/resource_explorer.py,sha256=o40G20sFdFURtqiBAwAAf7NjXkZASyFBEUEOMKIsZrs,6950
+adapters/aws/retry.py,sha256=LgS_QzcxFdzeIduvQfaGCe1S13dAwZ9eSUdPbqgNH2A,1431
+adapters/azure/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+adapters/azure/activity_log.py,sha256=OqN5Xxy1n9gvwkE02Qr-ykmenGknI9FY4neqlT8vKKU,4869
+adapters/azure/adapter.py,sha256=1DBv35iovPuw0y4xokr3bh3JedM6mlhxHIdxENUDuYw,3702
+adapters/azure/cost_management.py,sha256=Jxg7RpcSixCfKvbOirvy2NzUwsCqAze-G-qAUP6J75Y,4147
+adapters/azure/monitor.py,sha256=0nEFCWuMJ0gJ6YKhifUqPEu2MKA26uKWsiJ0lDsKzYg,9657
+adapters/azure/resource_graph.py,sha256=dKyVK6U_qhHV9AQanhEvHJmyGP-rsumlLg1xcNRlFiE,3634
+adapters/azure/retry.py,sha256=MCEoXB-n8i0jwAg4yUQV_Y5g-MJSLV38VL86noDweUw,1611
+adapters/gcp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+adapters/gcp/adapter.py,sha256=QbIOwEBkvJhsF6OUNprhBNOd5RAZ6z6WC-8JmPmNLrk,2661
+adapters/gcp/asset_inventory.py,sha256=BHb0ZtcboYDr1dS3xCZDrC3JcXT-KufcIWDwLaFwcuw,4011
+adapters/gcp/billing.py,sha256=Gk3Z06jExvlI7drgMTfr2o36JMjL_vPXD_3ADcodbmM,4144
+adapters/gcp/cloud_logging.py,sha256=ozYlqVMmo4qP8KAq5pWIYWnEWl3VieAFfLMRPBoyNoM,3600
+adapters/gcp/cloud_monitoring.py,sha256=4YxdPVXLk9VxNumO7SIo20dcTLxUMt5s_Rt8hQJS8Gs,10392
+adapters/gcp/retry.py,sha256=sl_vs0EQmB4F4gWv5DaxCKqNZM9KDLWfQP2UTD9ZWIw,1220
+ai/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+ai/anthropic.py,sha256=sDz8YmudxIzJ2jWF_HPy4lWQOnVuPi8TjLcsN3WsvKg,6129
+ai/azure_openai.py,sha256=qTj718fLwtOegW_TiHe0hygWX8jntHrWDxAjr0zs1lc,8368
+ai/base.py,sha256=8hmbU0SFkm6h11swAl-LXZjNZNxc_WIQx4cDK6iCbMQ,1765
+ai/bedrock.py,sha256=R17slWJEWJyvtfs-aTUyrpz0AV0o112Mh8Twpd_ocNc,5736
+ai/vertexai.py,sha256=nnGHjw-u1IwqOFZgjsvLgsTwDF9aP_yRVjpYaXfdnGo,8198
+argus_cloud_optimizer-0.2.0.dist-info/licenses/LICENSE,sha256=4suQFFXzS6jjYY4AdtOSf9gQ3NGIVb_I6wFpMKoaaA4,1079
+core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+core/__version__.py,sha256=Zn1KFblwuFHiDRdRAiRnDBRkbPttWh44jKa5zG2ov0E,22
+core/config.py,sha256=ODRqMlhI34pGRml65g14oB01QgOdjbC-eKWDOUFC7gc,8536
+core/log.py,sha256=T1s8yR4m6MPHiwjAF0ThK6UMzVJgrXQZ2qU4D3e_1cQ,2140
+core/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+core/secrets.py,sha256=DAub5i22_DoKcxOjPzJiOnKxDvSqEcYcnQkhKjrMsFo,4864
+core/token_tracker.py,sha256=pVmQaAB4TBJBmWN_lgwBrDAO-mm3z8YOO_6S2augLpI,3266
+core/validation.py,sha256=1eBY-uYknu6kLTXrSrEDltG9O_I75QY01RgVsbKC2mw,7221
+core/agent/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+core/agent/loop.py,sha256=DsfFywqYtZ6cQdQlSBdGjyX9cl4crvRMC0Ve9At6xSI,14660
+core/agent/prompts.py,sha256=IMcbEObOe7lYchfrV8EEG9djbadVNd-CZNL5eR5PdC0,14240
+core/models/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+core/models/finding.py,sha256=fI70eENPr6yALRusDgb0eECQcNotYR6WUnLP2Te6z-8,2803
+core/reports/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+core/reports/comparison.py,sha256=NFam-wleVq4fJ3AF_Os-DcIqRhjBFAwD4h4J05gCApU,1730
+core/reports/delivery.py,sha256=3ljRwHQun2gRyMbQiEnyCzXnNMzo0V7J2ttBdkefKEE,10752
+core/reports/export.py,sha256=qxyHiXICNYqvaXp4SH9vb5WmnagOWYKhup4EnLA8vw0,3812
+core/reports/generator.py,sha256=z7fQSoGAMpEjRcfRe4IiYk_LtRPAELr-3nAhmAOYwqM,5365
+core/reports/html.py,sha256=6OJ1-mSySz3fo667FdmURex5UbwONbGakZ9m_fVTr1o,11963
+core/reports/multi_cloud.py,sha256=BlHYvSNBI2e8aaOvIXBRc3s-hiABW04AxvvK0SFpU4M,5448
+entrypoints/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+entrypoints/aws_lambda.py,sha256=7K1YjJU7MJ2kT5RFWf0rFE7Ml7NpAZvhO8LgyyO9vZI,10630
+entrypoints/azure_function.py,sha256=mK_bfBukPb-JZVb5MrtK0XNm9zvet888GCc4P-b96fI,9738
+entrypoints/cli.py,sha256=nkFtjHiCF2TGHuIEWuP4oI7TzgrNYLwe8ap4pR7vQG4,4856
+entrypoints/gcp_cloudrun.py,sha256=dVqBGc5sd6bJEleIrjMQVaoOTcc5CO0ndJHyGTvMLIk,7513
+argus_cloud_optimizer-0.2.0.dist-info/METADATA,sha256=z9vVUUQRk3wiBWR8WwwYgRWKINe4N4k8PltdoRJsyMo,17293
+argus_cloud_optimizer-0.2.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+argus_cloud_optimizer-0.2.0.dist-info/entry_points.txt,sha256=FiDJzCVQfrUrBj_s90I_IYtOOGui971C8hjBMjvnZII,47
+argus_cloud_optimizer-0.2.0.dist-info/top_level.txt,sha256=geIgqBOobcCsO7BiWtKL3hhrj91M86KlN1oxO9EuCcM,29
+argus_cloud_optimizer-0.2.0.dist-info/RECORD,,

argus_cloud_optimizer-0.2.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

argus_cloud_optimizer-0.2.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+argus = entrypoints.cli:main

argus_cloud_optimizer-0.2.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Vamshi Siddarth Gaddam
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

argus_cloud_optimizer-0.2.0.dist-info/top_level.txt

@@ -0,0 +1,4 @@
+adapters
+ai
+core
+entrypoints

core/__version__.py

@@ -0,0 +1 @@
+__version__ = "0.2.0"

core/agent/loop.py

@@ -0,0 +1,390 @@
+from __future__ import annotations
+
+import json
+from concurrent.futures import ThreadPoolExecutor, as_completed
+from datetime import datetime, timezone
+from typing import Any
+
+import structlog
+
+from adapters.base import CloudAdapter
+from ai.base import AIProvider, Message, Tool, ToolCall, ToolResult
+from core.agent.prompts import build_system_prompt, build_tool_schemas
+from core.config import get_settings
+from core.models.finding import ResourceFinding
+from core.token_tracker import BudgetExceededError, TokenTracker
+
+logger = structlog.get_logger(__name__)
+
+_PARALLELIZABLE_TOOLS = frozenset({"get_metrics", "get_last_activity"})
+
+
+class AgentLoop:
+    """
+    ReAct (Reason + Act) agent loop.
+
+    The AI decides which tools to call and in what order. This class:
+      - Manages the conversation history
+      - Dispatches tool calls to the CloudAdapter
+      - Terminates when the AI calls submit_findings
+      - Never contains cloud-specific logic
+    """
+
+    def __init__(self, ai_provider: AIProvider, cloud_adapter: CloudAdapter) -> None:
+        self._ai = ai_provider
+        self._adapter = cloud_adapter
+        self._tools: list[Tool] = [
+            Tool(
+                name=t["name"],
+                description=t["description"],
+                input_schema=t["input_schema"],
+            )
+            for t in build_tool_schemas()
+        ]
+
+    def run(
+        self,
+        cloud: str,
+        ignore_regions: list[str],
+        accounts: list[dict[str, Any]],
+    ) -> tuple[list[ResourceFinding], str]:
+        """
+        Run the full agent analysis for one cloud + account combination.
+
+        Returns:
+            (findings, executive_summary)
+            findings: ResourceFinding list sorted by estimated_monthly_cost desc
+            executive_summary: AI-written 3-5 sentence summary for managers
+        """
+        system_prompt = build_system_prompt(
+            cloud=cloud, ignore_regions=ignore_regions, accounts=accounts
+        )
+
+        # ------------------------------------------------------------------
+        # Phase 0 — pre-filter (outside AI context, no tokens consumed)
+        # Fetch all resources + batch cost, then hand only the top-N by cost
+        # to the agent. This keeps context small regardless of account size.
+        # ------------------------------------------------------------------
+        self._prefilter_resources(ignore_regions)
+
+        settings = get_settings()
+        self.tracker = TokenTracker(
+            budget_usd=settings.scan.llm_budget_usd,
+            provider=settings.ai.provider,
+        )
+        max_iterations = settings.scan.max_iterations
+
+        messages: list[Message] = [
+            Message(role="user", text="Begin your cloud cost analysis now.")
+        ]
+
+        for iteration in range(1, max_iterations + 1):
+            logger.info("agent_iteration", iteration=iteration)
+
+            response = self._ai.chat(messages, self._tools, system_prompt=system_prompt)
+
+            try:
+                self.tracker.record(response.input_tokens, response.output_tokens)
+            except BudgetExceededError:
+                logger.warning(
+                    "budget_exceeded_stopping",
+                    **self.tracker.summary(),
+                )
+                return [], (
+                    f"Scan aborted: LLM budget of "
+                    f"${self.tracker.budget_usd:.2f} exceeded "
+                    f"(${self.tracker.estimated_cost_usd:.4f} spent "
+                    f"after {self.tracker.iteration_count} iterations). "
+                    f"Increase LLM_BUDGET_USD or reduce MAX_RESOURCES_PER_SCAN."
+                )
+
+            if response.stop_reason == "tool_use":
+                # Check first — submit_findings terminates the loop immediately
+                for tc in response.tool_calls:
+                    if tc.name == "submit_findings":
+                        logger.info(
+                            "agent_complete",
+                            findings_count=len(tc.arguments.get("findings", [])),
+                            **self.tracker.summary(),
+                        )
+                        return _parse_findings(tc.arguments, cloud=cloud)
+
+                # Persist the assistant turn before executing tools
+                messages.append(
+                    Message(
+                        role="assistant",
+                        text=response.text,
+                        tool_calls=response.tool_calls,
+                    )
+                )
+
+                # Parallel for metrics/activity, sequential for the rest
+                tool_results = self._execute_tool_calls(response.tool_calls)
+
+                messages.append(Message(role="user", tool_results=tool_results))
+
+            else:
+                # end_turn or max_tokens without submit_findings — shouldn't happen
+                # if the prompt is working, but handle gracefully
+                logger.warning(
+                    "agent_stopped_without_findings",
+                    stop_reason=response.stop_reason,
+                    **self.tracker.summary(),
+                )
+                return [], response.text or ""
+
+        raise RuntimeError(
+            f"Agent loop exceeded {max_iterations} iterations "
+            "without submitting findings. "
+            "Check the system prompt or increase MAX_AGENT_ITERATIONS."
+        )
+
+    def _execute_tool_calls(self, tool_calls: list[ToolCall]) -> list[ToolResult]:
+        parallel = [tc for tc in tool_calls if tc.name in _PARALLELIZABLE_TOOLS]
+        sequential = [tc for tc in tool_calls if tc.name not in _PARALLELIZABLE_TOOLS]
+
+        results_by_id: dict[str, ToolResult] = {}
+
+        for tc in sequential:
+            content, is_error = self._execute(tc)
+            logger.info("tool_executed", tool=tc.name, is_error=is_error)
+            results_by_id[tc.id] = ToolResult(
+                tool_call_id=tc.id, content=content, is_error=is_error
+            )
+
+        if parallel:
+            results_by_id.update(self._execute_parallel(parallel))
+
+        return [results_by_id[tc.id] for tc in tool_calls]
+
+    def _execute_parallel(self, tool_calls: list[ToolCall]) -> dict[str, ToolResult]:
+        results: dict[str, ToolResult] = {}
+        max_workers = min(get_settings().scan.adapter_concurrency, len(tool_calls))
+
+        with ThreadPoolExecutor(max_workers=max_workers) as executor:
+            future_to_tc = {executor.submit(self._execute, tc): tc for tc in tool_calls}
+            for future in as_completed(future_to_tc):
+                tc = future_to_tc[future]
+                content, is_error = future.result()
+                logger.info(
+                    "tool_executed", tool=tc.name, is_error=is_error, parallel=True
+                )
+                results[tc.id] = ToolResult(
+                    tool_call_id=tc.id, content=content, is_error=is_error
+                )
+
+        return results
+
+    def _prefilter_resources(self, ignore_regions: list[str]) -> list[dict]:
+        """
+        Phase 0: enumerate all resources + batch-fetch cost outside the AI loop.
+
+        Steps:
+          1. list_resources — discovers all billable resources
+          2. get_cost (one batched call) — fetches USD cost for all of them
+          3. Sort by cost descending, keep top get_settings().scan.max_resources
+          4. Build the compact payload that will be handed to the AI on its
+             first list_resources call
+
+        This keeps the AI context bounded regardless of account size:
+          - 10K raw resources → ~3K after non-billable filter → top 200 by cost
+          - The AI never sees zero-cost noise
+        """
+        logger.info("prefilter_start")
+
+        resources = self._adapter.list_resources(ignore_regions=ignore_regions or None)
+        resources = _apply_exclusion_filters(resources)
+        total_discovered = len(resources)
+
+        if not resources:
+            self._prefiltered_payload = []
+            logger.info("prefilter_complete", discovered=0, sent_to_ai=0)
+            return []
+
+        # Batch cost fetch — one API call for all resource IDs
+        resource_ids = [r.resource_id for r in resources]
+        try:
+            costs = self._adapter.get_cost(resource_ids=resource_ids)
+        except Exception as exc:  # noqa: BLE001
+            logger.warning("prefilter_cost_fetch_failed", error=str(exc))
+            costs = {}
+
+        # Attach cost to each resource and sort descending
+        resources_with_cost = [(r, costs.get(r.resource_id, 0.0)) for r in resources]
+        resources_with_cost.sort(key=lambda x: x[1], reverse=True)
+
+        # Cap at get_settings().scan.max_resources
+        capped = resources_with_cost[:get_settings().scan.max_resources]
+        dropped = total_discovered - len(capped)
+
+        if dropped > 0:
+            logger.info(
+                "prefilter_capped",
+                discovered=total_discovered,
+                sent_to_ai=len(capped),
+                dropped_zero_cost=dropped,
+                cap=get_settings().scan.max_resources,
+            )
+
+        # Build compact payload — include cost so AI doesn't need to call get_cost
+        # for the initial triage (it already has it)
+        payload = []
+        for resource, cost in capped:
+            entry = _compress_resource(resource.to_dict())
+            if cost > 0.0:
+                entry["cost_usd"] = round(cost, 2)
+            payload.append(entry)
+
+        self._prefiltered_payload = payload
+
+        logger.info(
+            "prefilter_complete",
+            discovered=total_discovered,
+            sent_to_ai=len(payload),
+        )
+        return payload
+
+    def _execute(self, tc: ToolCall) -> tuple[str, bool]:
+        """Dispatch a tool call to the adapter. Returns (result_str, is_error)."""
+        try:
+            match tc.name:
+                case "list_resources":
+                    # Return the pre-filtered, cost-sorted list built in Phase 0.
+                    # The adapter is NOT called again here — avoids a second full
+                    # Resource Explorer / Asset Inventory scan mid-conversation.
+                    return (
+                        json.dumps(
+                            self._prefiltered_payload,
+                            default=str,
+                            separators=(",", ":"),
+                        ),
+                        False,
+                    )
+
+                case "get_metrics":
+                    summary = self._adapter.get_metrics(**tc.arguments)
+                    return (
+                        json.dumps(
+                            summary.to_dict(), default=str, separators=(",", ":")
+                        ),
+                        False,
+                    )
+
+                case "get_cost":
+                    costs = self._adapter.get_cost(**tc.arguments)
+                    return json.dumps(costs, default=str, separators=(",", ":")), False
+
+                case "get_last_activity":
+                    activity = self._adapter.get_last_activity(**tc.arguments)
+                    result = activity.isoformat() if activity else "null"
+                    return result, False
+
+                case _:
+                    return f"Unknown tool: {tc.name!r}", True
+
+        except Exception as exc:  # noqa: BLE001
+            logger.error("tool_error", tool=tc.name, error=str(exc))
+            return f"Tool error: {exc}", True
+
+
+# ------------------------------------------------------------------
+# Internal helpers
+# ------------------------------------------------------------------
+
+
+def _apply_exclusion_filters(resources: list[Any]) -> list[Any]:
+    exclude_tags = _parse_exclude_tags()
+    exclude_types = _parse_exclude_types()
+
+    if not exclude_tags and not exclude_types:
+        return resources
+
+    filtered = []
+    excluded_count = 0
+    for r in resources:
+        if exclude_types and r.resource_type in exclude_types:
+            excluded_count += 1
+            continue
+        if exclude_tags and _tags_match(r.tags, exclude_tags):
+            excluded_count += 1
+            continue
+        filtered.append(r)
+
+    if excluded_count > 0:
+        logger.info(
+            "exclusion_filter_applied",
+            excluded=excluded_count,
+            remaining=len(filtered),
+        )
+    return filtered
+
+
+def _parse_exclude_tags() -> dict[str, str]:
+    raw = get_settings().scan.exclude_tags.strip()
+    if not raw:
+        return {}
+    try:
+        parsed = json.loads(raw)
+        if isinstance(parsed, dict):
+            return {str(k): str(v) for k, v in parsed.items()}
+    except (json.JSONDecodeError, TypeError):
+        logger.warning("exclude_tags_invalid_json", raw=raw)
+    return {}
+
+
+def _parse_exclude_types() -> set[str]:
+    return set(get_settings().scan.exclude_resource_types_list)
+
+
+def _tags_match(resource_tags: dict[str, str], exclude_tags: dict[str, str]) -> bool:
+    for key, value in exclude_tags.items():
+        if resource_tags.get(key) == value:
+            return True
+    return False
+
+
+def _compress_resource(r: dict) -> dict:
+    """
+    Return a compact resource dict to minimise tokens sent to the AI.
+
+    Strategy:
+    - Shorten key names (resource_id → id, resource_type → type)
+    - Truncate long ARNs to their short form for the list view.
+      The full ARN is passed back by the AI when it calls get_metrics /
+      get_cost / get_last_activity, so the adapter always receives the
+      canonical identifier.
+    - Drop None / empty values entirely
+    - Keep tags only if non-empty (they carry owner/env signals)
+    """
+    resource_id = r["resource_id"]
+    out: dict = {
+        "id": resource_id,
+        "type": r["resource_type"],
+        "region": r["region"],
+    }
+    if r.get("name"):
+        out["name"] = r["name"]
+    if r.get("tags"):
+        out["tags"] = r["tags"]
+    # cloud field is redundant (the AI already knows the cloud from system prompt)
+    return out
+
+
+def _parse_findings(
+    args: dict[str, Any],
+    cloud: str,
+) -> tuple[list[ResourceFinding], str]:
+    """Convert the AI's submit_findings arguments into ResourceFinding objects."""
+    scan_time = datetime.now(tz=timezone.utc)
+    raw_findings: list[dict] = args.get("findings", [])
+    executive_summary: str = args.get("executive_summary", "")
+
+    findings = [
+        ResourceFinding.from_dict({**f, "cloud": f.get("cloud", cloud)}, scan_time)
+        for f in raw_findings
+    ]
+
+    # Ensure descending cost order regardless of what the AI returned
+    findings.sort(key=lambda f: f.estimated_monthly_cost, reverse=True)
+
+    return findings, executive_summary