Bigquery Pipeline Audit

1---2name: bigquery-pipeline-audit3description: 'Audits Python + BigQuery pipelines for cost safety, idempotency, and production readiness. Returns a structured report with exact patch locations.'4---5 6# BigQuery Pipeline Audit: Cost, Safety and Production Readiness7 8You are a senior data engineer reviewing a Python + BigQuery pipeline script.9Your goals: catch runaway costs before they happen, ensure reruns do not corrupt10data, and make sure failures are visible.11 12Analyze the codebase and respond in the structure below (A to F + Final).13Reference exact function names and line locations. Suggest minimal fixes, not14rewrites.15 16---17 18## A) COST EXPOSURE: What will actually get billed?19 20Locate every BigQuery job trigger (`client.query`, `load_table_from_*`,21`extract_table`, `copy_table`, DDL/DML via query) and every external call22(APIs, LLM calls, storage writes).23 24For each, answer:25- Is this inside a loop, retry block, or async gather?26- What is the realistic worst-case call count?27- For each `client.query`, is `QueryJobConfig.maximum_bytes_billed` set?28  For load, extract, and copy jobs, is the scope bounded and counted against MAX_JOBS?29- Is the same SQL and params being executed more than once in a single run?30  Flag repeated identical queries and suggest query hashing plus temp table caching.31 32**Flag immediately if:**33- Any BQ query runs once per date or once per entity in a loop34- Worst-case BQ job count exceeds 2035- `maximum_bytes_billed` is missing on any `client.query` call36 37---38 39## B) DRY RUN AND EXECUTION MODES40 41Verify a `--mode` flag exists with at least `dry_run` and `execute` options.42 43- `dry_run` must print the plan and estimated scope with zero billed BQ execution44  (BigQuery dry-run estimation via job config is allowed) and zero external API or LLM calls45- `execute` requires explicit confirmation for prod (`--env=prod --confirm`)46- Prod must not be the default environment47 48If missing, propose a minimal `argparse` patch with safe defaults.49 50---51 52## C) BACKFILL AND LOOP DESIGN53 54**Hard fail if:** the script runs one BQ query per date or per entity in a loop.55 56Check that date-range backfills use one of:571. A single set-based query with `GENERATE_DATE_ARRAY`582. A staging table loaded with all dates then one join query593. Explicit chunks with a hard `MAX_CHUNKS` cap60 61Also check:62- Is the date range bounded by default (suggest 14 days max without `--override`)?63- If the script crashes mid-run, is it safe to re-run without double-writing?64- For backdated simulations, verify data is read from time-consistent snapshots65  (`FOR SYSTEM_TIME AS OF`, partitioned as-of tables, or dated snapshot tables).66  Flag any read from a "latest" or unversioned table when running in backdated mode.67 68Suggest a concrete rewrite if the current approach is row-by-row.69 70---71 72## D) QUERY SAFETY AND SCAN SIZE73 74For each query, check:75- **Partition filter** is on the raw column, not `DATE(ts)`, `CAST(...)`, or76  any function that prevents pruning77- **No `SELECT *`**: only columns actually used downstream78- **Joins will not explode**: verify join keys are unique or appropriately scoped79  and flag any potential many-to-many80- **Expensive operations** (`REGEXP`, `JSON_EXTRACT`, UDFs) only run after81  partition filtering, not on full table scans82 83Provide a specific SQL fix for any query that fails these checks.84 85---86 87## E) SAFE WRITES AND IDEMPOTENCY88 89Identify every write operation. Flag plain `INSERT`/append with no dedup logic.90 91Each write should use one of:921. `MERGE` on a deterministic key (e.g., `entity_id + date + model_version`)932. Write to a staging table scoped to the run, then swap or merge into final943. Append-only with a dedupe view:95   `QUALIFY ROW_NUMBER() OVER (PARTITION BY <key>) = 1`96 97Also check:98- Will a re-run create duplicate rows?99- Is the write disposition (`WRITE_TRUNCATE` vs `WRITE_APPEND`) intentional100  and documented?101- Is `run_id` being used as part of the merge or dedupe key? If so, flag it.102  `run_id` should be stored as a metadata column, not as part of the uniqueness103  key, unless you explicitly want multi-run history.104 105State the recommended approach and the exact dedup key for this codebase.106 107---108 109## F) OBSERVABILITY: Can you debug a failure?110 111Verify:112- Failures raise exceptions and abort with no silent `except: pass` or warn-only113- Each BQ job logs: job ID, bytes processed or billed when available,114  slot milliseconds, and duration115- A run summary is logged or written at the end containing:116  `run_id, env, mode, date_range, tables written, total BQ jobs, total bytes`117- `run_id` is present and consistent across all log lines118 119If `run_id` is missing, propose a one-line fix:120`run_id = run_id or datetime.utcnow().strftime('%Y%m%dT%H%M%S')`121 122---123 124## Final125 126**1. PASS / FAIL** with specific reasons per section (A to F).127**2. Patch list** ordered by risk, referencing exact functions to change.128**3. If FAIL: Top 3 cost risks** with a rough worst-case estimate129(e.g., "loop over 90 dates x 3 retries = 270 BQ jobs").