The Trilogy Times

## Summary

- Migrates 6 pipelines from \klair-udm\/\klair-misc\/\klair-api\ into Surtr CDK infrastructure

- All schedules disabled (\enabled: false\) — enable after prod validation

- \cdk synth\ passes for all 6 pipelines (dev stacks)

## Pipelines

| Pipeline | Compute | Klair source | Writes to |

|---|---|---|---|

| \google-sheets-surveys-sync\ | Lambda | \klair-api/edu_schools/surveys/\ | \staging_education.surveys_t2p\, \surveys_parent_session\, \surveys_dop_goal_meetings\ |

| \school-financial-models-sync\ | Lambda | \klair-api/edu_schools/google_sheets_models/\ | \staging_education.google_sheets_school_financial_models\ |

| \holdings-model-sync\ | Lambda | \klair-api/edu_schools/google_sheets_models/\ | \staging_education.holdings_unit_economics\ |

| \kubera-passive-investments\ | Lambda | \klair-udm/kubera/\ | \core_finance.passive_investments_portfolio_*\ |

| \quicksight-data-scraping\ | ECS/Fargate | \klair-misc/qs_data_scraping/\ | \staging_education.fall_to_spring_growth\, \student_growth_by_language\ |

| \brokerage-ocr\ | Lambda (thin wrapper) | \klair-udm/brokerage-ocr/\ (SAM) | S3 (via existing SAM state machine) |

---

## Migration plans

### google-sheets-surveys-sync

What it does: Reads three Google Sheets survey sources (T2P, Parent Session, DOP Goal Meetings) and does TRUNCATE + INSERT into three Redshift tables in \staging_education\. Fully idempotent.

Current trigger: Daily cron in Klair (enabled). Klair source: \klair-api/edu_schools/surveys/sync_surveys_to_redshift.py\.

Cutover sequence:

1. Provision \surtr/google-service-account\ secret (service account JSON)

2. Provision \surtr/surveys-sheet-urls\ secret (JSON with keys \t2p_sheets\, \parent_session_sheets\, \dop_sheets\ — copy sheet URLs from Klair config)

3. Deploy: \npx cdk deploy Pipeline-google-sheets-surveys-sync-dev -c env=dev\

4. Run manually and validate row counts in Redshift match Klair output

5. Disable Klair schedule, enable Surtr schedule (\enabled: true\)

---

### school-financial-models-sync

What it does: Reads specific cell ranges from the Austin K-8 financial model Google Sheet and does TRUNCATE + INSERT into \staging_education.google_sheets_school_financial_models\. Fully idempotent. School config is hardcoded in \handler.py\ (44 cell references for Austin K-8).

Current trigger: Manual / ad-hoc in Klair. Klair source: \klair-api/edu_schools/google_sheets_models/sync_school_financial_models.py\.

Cutover sequence:

1. Provision \surtr/google-service-account\ secret (shared with other Google Sheets pipelines)

2. Deploy: \npx cdk deploy Pipeline-school-financial-models-sync-dev -c env=dev\

3. Run manually and validate row counts match Klair output

4. Enable Surtr schedule if desired (currently no Klair schedule to disable)

---

### holdings-model-sync

What it does: Reads the AlphaSchools tab from the Alpha Holdings Model Google Sheet and does TRUNCATE + INSERT into \staging_education.holdings_unit_economics\. Fully idempotent.

Current trigger: Daily cron in Klair (enabled). Klair source: \klair-api/edu_schools/google_sheets_models/sync_holdings_model.py\.

Cutover sequence:

1. Provision \surtr/google-service-account\ secret (shared)

2. Provision \surtr/holdings-model-config\ secret: \{"sheet_url": "<Alpha Holdings Model URL>"}\

3. Deploy: \npx cdk deploy Pipeline-holdings-model-sync-dev -c env=dev\

4. Run manually and validate Redshift output

5. Disable Klair schedule, enable Surtr schedule

---

### kubera-passive-investments

What it does: Refreshes 5 portfolio overview cache tables in \core_finance\ (summary, metrics, performance, risk, chart data) by reading from existing \passive_investments_holding_over_time\ and related tables. Runs in overview-only mode by default (step 5 only — steps 1–4 are handled at runtime by the Klair API). Full rebuild can be triggered via \params.override_all_assets=true\.

Idempotency: Yes — TRUNCATE + INSERT on all 5 cache tables.

Current trigger: Daily cron in Klair (enabled). Klair source: \klair-udm/kubera/lambda_handler.py\.

Porting notes: Uses \redshift-connector\ with \iam=True\ (Lambda execution role) to preserve the complex pandas-based query patterns from \run_investment_pipeline.py\. Removed module-level \raise ValueError\ guards for unused env vars (ALPHA_VANTAGE_API_KEY, S3_DUMP_PATH, S3_TEMP_PATH, IAM_ROLE) so the module can be imported in overview-only mode without those vars set.

Cutover sequence:

1. Verify Lambda execution role has \redshift:GetClusterCredentials\ for the cluster (IAM statement already in \pipeline.json\)

2. Deploy: \npx cdk deploy Pipeline-kubera-passive-investments-dev -c env=dev\

3. Run manually (overview-only) and verify the 5 cache tables are populated correctly

4. Disable Klair schedule, enable Surtr schedule

---

### quicksight-data-scraping

What it does: Uses Playwright (headless Chromium) to log into the QuickSight dashboard, set the Campus filter to Alpha Austin, download two CSV exports ("Fall to Spring Growth Multiples" and "MAP Growth per Level"), then DELETE + INSERT into two Redshift tables. Requires ECS/Fargate because Playwright browser binaries exceed Lambda's 250 MB package limit.

Idempotency: Yes — DELETE + INSERT on each run.

Current trigger: Manual / ad-hoc in Klair. Klair source: \klair-misc/qs_data_scraping/\.

Porting notes: Replaced \push_bulk_to_redshift\ (S3 COPY) with \push_batch_to_redshift\ (direct INSERT via redshift-connector IAM auth) to avoid needing an S3 staging bucket. Credentials fetched from Secrets Manager at runtime instead of env file.

Cutover sequence:

1. Provision \surtr/quicksight-credentials\ secret:

\\\json

{

"username": "user@alphaschool.org",

"password": "...",

"dashboard_url": "https://us-east-1.quicksight.aws.amazon.com/...",

"login_method": "aws_sso"

}

\\\

2. Deploy: \npx cdk deploy Pipeline-quicksight-data-scraping-dev -c env=dev\

3. Run manually via ECS (or Step Functions console) and validate Redshift tables

4. Enable Surtr schedule if desired (no Klair schedule to disable)

---

### brokerage-ocr

What it does: Thin Lambda wrapper that starts the existing Brokerage OCR SAM Step Functions state machine and polls until completion. The actual OCR logic lives untouched in the SAM stack — this wrapper purely adds Surtr dashboard visibility and run history.

Current trigger: Manual in Klair. Underlying SAM state machine handles scheduling independently.

Porting notes: No business logic change. The SAM state machine ARN must be set in \pipeline.json\ under \environment.BROKERAGE_OCR_STATE_MACHINE_ARN\ before deploying.

Cutover sequence:

1. Find the SAM state machine ARN (check CloudFormation or Step Functions console)

2. Set \BROKERAGE_OCR_STATE_MACHINE_ARN\ in \pipelines/runners/brokerage-ocr/pipeline.json\

3. Deploy: \npx cdk deploy Pipeline-brokerage-ocr-dev -c env=dev\

4. Trigger a manual run from Surtr and confirm the SAM execution completes successfully

---

## Key porting decisions

- gspread auth: Switched from file-based \service_account(filename=...)\ to \service_account_from_dict()\ (reads from Secrets Manager JSON)

- Redshift writes: Lambda pipelines use Redshift Data API; kubera uses \redshift-connector\ with \iam=True\ to preserve complex pandas query patterns

- numpy pin: Pinned \numpy<2.0\ to avoid GCC 9.3 requirement on the CDK Lambda build container (Amazon Linux 2 / GCC 7.3.1)

- quicksight S3 COPY → batch INSERT: Avoids needing an S3 staging bucket in Surtr

## Test plan

- [x] \cdk synth\ passes for all 6 pipelines (dev stacks)

- [ ] Deploy each pipeline to dev

- [ ] Provision required secrets in dev

- [ ] Manual Step Functions / ECS execution for each pipeline

- [ ] Validate Redshift row counts match Klair output

- [ ] Disable Klair schedules and enable Surtr schedules

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Screenshots

<img width="1919" height="940" alt="image" src="https://github.com/user-attachments/assets/edb8ef0e-5aa2-4857-a30e-f10e2b266080" />

<img width="1919" height="818" alt="image" src="https://github.com/user-attachments/assets/dd7c3cc8-e36b-4e33-a0ad-e1c81746d790" />

---

## Summary

- Fix the Review panel data-source regression for BU plans so Skyvera does not report CF-only sources like pnl_cf_plan_comparison as failed/missing.

- Add the right-rail Review shell plus DS8 triage actions and DS9 finding click-through.

- Make click-through target stable section anchors instead of inferring section identity from raw document heading order.

- Switch the doc sync handler from selective insertText to wholesale HTML republish so markdown tables render as real Google Doc tables (rather than literal pipe-delimited text).

- Drive-by: add strawberry.Info annotations on three GraphQL resolver info parameters — defensive against a future Strawberry version bump (the current pin doesn't enforce, but newer versions do).

## Demo Scope

Demo path is intentionally narrow: Skyvera (BU), Q2 planning run only. CF behavior, multi-session regression sweeps, reduced-motion checks, and GraphQL startup smoke tests are useful later, but they are not required for this demo.

## Changes

### Backend

- canonical_required_data(spec) is now entity-aware, so BU review runs do not ask for CF-only sources and CF review runs do not ask for BU-only ARR sources.

- _build_completeness(...) uses entity-aware required flags so missing_sources matches what actually matters for the current entity type.

- /review tops up the session data package with the canonical required sources for the session spec before running checks.

- Sync semantics change: wizard_sync_to_doc now calls assemble_markdown + publish_to_google_doc(... is_refresh=True) (wholesale HTML republish) instead of the prior per-section insertText path. Motivation: insertText rendered markdown tables as literal pipe-delimited text. Consequence reviewers should know about: any Google Doc content not tracked by the wizard session is replaced on the next sync (the existing detect_external_changes 409 guard still protects users who edited the doc directly, by forcing a refresh first). The vestigial sections_skipped / skipped_ids response fields were removed since the new path has no "skipped" concept.

- New router-level smoke tests (test_wizard_sync_endpoint.py, 5 tests) lock the parameter contract to publish_to_google_doc, the response shape, and the 400 / 409 / 502 error branches.

- GraphQL (out of Budget Bot scope, but blocking local startup on some lockfile resolutions): add strawberry.Info annotations on info parameters in graphql_api/types/{milestone,school,task}.py. Strawberry tightened its argument-annotation requirement after 0.292.0; the current pin is fine, but anyone whose uv sync resolves to 0.314.x+ (as my local did at one point) hits a hard MissingArgumentsAnnotationsError at schema-build time. Annotations are correct under both versions — defensive only.

### Frontend

- ReviewPanel lives in a RightRail shell and supports running/re-running reviews from the editor page.

- FindingCard supports Mark addressed, Reopen, and Dismiss actions for demo triage.

- Supporting data renders with key-aware units such as $7,991,832, 60.3%, and -9.7pp.

- Finding section pills call into the editor, scroll to the matching section, and flash the section heading.

- The editor now uses explicit section anchors keyed by section.id, so imported/internal headings do not shift click-through targets.

- DS9 click-through now console.warns instead of silently no-op'ing when a finding's section_id doesn't match any rendered section H2 (renamed section, drifted heading text). splitBySections warns when content above the first section heading would be dropped on save.

## Test Plan

### Automated checks already run by the branch author

- cd klair-api && pytest tests/board_doc/ for the touched Budget Bot scope (160 passing in scope, including 5 new sync endpoint tests).

- cd klair-client && npx vitest run src/screens/BoardDoc for the touched BoardDoc frontend scope (43 passing).

- npx tsc --noEmit.

- ruff format --check and ruff check on touched backend files.

- pnpm lint --max-warnings 0 on touched frontend files.

### Pre-existing test failures NOT caused by this PR

Confirmed against origin/main — these fail on main too and are out of scope:

- test_m8_features.py::TestHandleCurrentGoals::test_draft_calls_llm

- test_refresh_numbers.py::TestLlmUpdateNumbers::test_extracts_updated_text_from_tags

- test_refresh_numbers.py::TestRefreshCommentaryNumbers::test_updates_goals_review

- test_refresh_numbers.py::TestRefreshCommentaryNumbers::test_updates_product_commentary

- test_wizard_orchestrator.py::TestSummarizeBrainlift::test_long_content_calls_llm

All five are LLM-mock tests; the count is creeping up. Worth a tracking ticket for whoever owns the LLM mocking layer.

### Manual QA required for the demo (already executed)

Scope: Skyvera (BU), Q2 planning run only.

Skyvera BU review run

- [x] Start or open a Skyvera Q2 planning session with USE_BUDGET_TEMPLATE=true and the expected brainlift configured.

- [x] Click Run review. Confirm the run completes and the panel reaches the ready state.

- [x] Confirm the rail does not show pnl_cf_plan_comparison in failed_sources or missing_sources for Skyvera.

- [x] Confirm the panel shows the expected C2.1 / C2.6 findings or pass states based on the Skyvera Q2 data.

Click-through + flash

- [x] Click a finding's section pill. Confirm the editor scrolls to the correct top-level section heading and the heading flashes.

- [x] Re-click the same finding mid-flash. Confirm the flash restarts cleanly.

- [x] Click between two findings that target different sections. Confirm each lands on the correct section with no cross-talk.

Triage + supporting numbers

- [x] Expand a finding. Click Mark addressed and confirm the card becomes addressed/dimmed with Reopen and Dismiss actions.

- [x] Click Reopen and confirm the card returns to its active state.

- [x] Click Dismiss and confirm the card disappears from the active list.

- [x] Verify supporting numbers render with expected units, e.g. $7,991,832, 60.3%, -9.7pp.

Layout sanity

- [x] Confirm the editor and Review panel are usable at demo resolution and the rail does not obscure editing.

- [x] Collapse and reopen the Review panel from the header and rail controls.

- [x] Refresh/reopen the same Skyvera session and confirm the editor/review UI loads cleanly.

## Follow-ups After Demo

- Broader manual regression for CF sessions and multi-session navigation.

- Persisted/stable finding_id generation so triage can survive re-run clicks.

- DS10-DS12: section-aware chat and side-by-side chat/review rail layout.

- Tracking ticket for the 5 pre-existing LLM-mock test failures.

## Demo

Go to "http://localhost:3000/aws-spend"

Click "SaaS Budgeting" on top right

<img width="3423" height="2093" alt="image" src="https://github.com/user-attachments/assets/2b8d44d8-c192-409c-b2ba-29994bb14ee9" />

## Summary

Ships the "Docker (Compute)" portion of the SaaS Budgeting feature on the AWS Spend dashboard end-to-end: a new top-level mode (relabeled Finance Budgeting) where finance / super-admin users pick a target quarter and a subset of weekly Docker memory snapshots to use as the basis for the SaaS budget. Started as a docs-only draft; the three follow-up specs (pipeline, API, UI) all landed here.

## Specs implemented

### Spec 01 — Pipeline + schema for unit consumption

*Files: aws-saas-budget-scripts/, scripts/sql/create_aws_spend_saas_budget_unit_consumption.sql*

- New Redshift table core_finance.aws_spend_saas_budget_unit_consumption (long format, keyed on (unit_type, snapshot_year, snapshot_week, resource_name)).

- Operator-driven uv run python -m pipeline.main CLI under aws-saas-budget-scripts/pipeline/ — pulls weekly Docker memory snapshots from the units-docker Google Drive folder, joins them to core_finance.bu_class_registry, upserts into the new table.

- Idempotent DELETE+INSERT per (snapshot_year, snapshot_week, unit_type). Flags: --reingest YYYY-WWW,..., --quarter YYYY-Qn, --dry-run.

- Unit-type column reserved so non-Docker folders can be added later without schema churn.

- Supporting reference scripts retained (build_saas_budget_table.py, check_drive_access.py, compare_l5_*.py, inspect_sheet.py).

### Spec 02 — Backend API for unit consumption

*Files: klair-api/{routers,services,models}/saas_budgeting_*.py, klair-api/tests/routers/test_saas_budgeting_router.py*

- Three FastAPI read endpoints: GET /quarters, GET /weeks?quarter=..., GET /table?quarter=...&weeks=....

- Pydantic v2 models with camelCase aliases; sync service over RedshiftHandler, wrapped in asyncio.to_thread.

- Cache: 1h memory / 2h disk on /quarters and /weeks; /table uncached.

- Auth via existing Clerk _require_auth; dedicated permission deferred (documented in spec out-of-scope).

- Router test coverage on success + error paths.

### Spec 03 — UI for budget basis pivot

*Files: klair-client/src/screens/AWSSpend/{AWSSpendShell.tsx,components/SaaSBudgeting/*,hooks/useSaaSBudgeting*}, klair-client/src/services/awsSpendApi.ts*

- New top-level Finance Budgeting mode on AWSSpendShell (promoted from a sub-tab; gated on isSuperAdmin).

- Quarter dropdown + week multi-select (reverse-chronological options, all weeks selected by default).

- Nested tri-state UNMAPPED-grouped table: mapped → "Class missing from registry" → "No L5 in source".

- Client-side CSV export.

- Three hooks against the spec 02 endpoints, plus unit tests for budgetTableTransform, csvExport, and isoWeekDates.

## Polish included after spec 03 landed

- bcba097c4 — Promote Finance Budgeting from sub-tab to top-level mode button on the shell.

- 285efefec — Rename label from "Budget Creation" to "Finance Budgeting".

- 06a8500b3 — Nest table by unit type and auto-select all weeks in the multi-select.

## What a reviewer should focus on

- Spec 02 ⇄ Spec 03 contract alignment: TS interfaces mirror Pydantic camelCase aliases; memoryByWeek keys are "YYYY-W<WW>"; weeks query param is multi-value (?weeks=14&weeks=15), not comma-joined.

- UNMAPPED semantics: tri-state is_class_in_registry (true / false / null) is preserved end-to-end and rendered as three labeled groups in the UI.

- Permission model: v1 reuses isSuperAdmin (UI) + Clerk auth (backend); dedicated aws_spend.saas_budgeting.view permission intentionally deferred.

- Pipeline trigger: operator-run by design — no automated schedule yet.

## Test plan

- [ ] cd klair-api && uv run pytest tests/routers/test_saas_budgeting_router.py

- [ ] cd klair-client && pnpm test src/screens/AWSSpend/components/SaaSBudgeting

- [ ] cd klair-client && pnpm lint:pr (zero warnings)

- [ ] Run pipeline locally against staging with --dry-run, then a real --reingest for one week, and confirm core_finance.aws_spend_saas_budget_unit_consumption rows match the source Drive sheet.

- [ ] Smoke the UI: pick a quarter, confirm all weeks auto-select, expand the nested table, verify the three UNMAPPED groups render, export CSV.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary

Adds the AWS Spend (Net Amortized) lane to the SaaS Budgeting sub-view, stacked above the existing Docker card. Two new backend endpoints (spec 04) feed an AWSSpendCard component (spec 05) with a BU → Class → Account hierarchy and a separate band for unmapped accounts.

Linear: [KLAIR-2591](https://linear.app/builder-team/issue/KLAIR-2591/saas-budgeting-aws-spend-net-amortized-card)

Stacked on: #2672

## What ships

Backend (spec 04)

- GET /api/aws-spend/saas-budgeting/aws-net-amortized-table — BU/Class-mapped accounts with weekly net-amortized cost for the quarter.

- GET /api/aws-spend/saas-budgeting/aws-net-amortized-unmapped — accounts with cost in the quarter but no (bu, class) mapping.

- Both endpoints are quarter-driven, super-admin only, and accept include_bedrock (default false).

- Pydantic v2 models with strict keyset validation between weeks and per-row cost_by_week.

Frontend (spec 05)

- New AWSSpendCard mounted above the Docker card in SaaSBudgetingSection.

- 3-level expandable BU → Class → AWS Account hierarchy with one column per ISO week + derived Total column.

- ISO-week multi-select, weeks caption, and CSV export — chrome matches the Docker card.

- Separate Unmapped AWS Accounts band below the main hierarchy, conditionally rendered when orphans exist; failures in the orphan fetch are isolated and do not break the main panel.

- Bedrock excluded by hardcoded client default for v1 (no UI toggle).

## Out of scope

- Bedrock-include UI toggle.

- Re-attribution UX for orphans (lives in Account Mapping screen).

- View toggle (Nested ↔ Flat).

- Cross-card aggregation or week-filter sync between Docker and AWS cards.

## Tests

- Backend (klair-api): 41 unit tests across service, router, and model validators — pivot shape, ISO-53/01 boundary, bedrock filter, redshift-error propagation, empty-mapping WARNING log, keyset validator.

- Frontend (klair-client): 30 vitest cases across the transform, both hooks, and the card — render-ladder branches, unmapped-band visibility, isolated band error, stale-response race in the main hook.

## Test plan

- [ ] Open the AWS Spend dashboard as a super-admin → SaaS Budgeting sub-view shows the new AWS Spend card above the Docker card.

- [ ] Apply a curated quarter (e.g. 2026-Q2) → main hierarchy expands to the BU level by default; classes and accounts collapse on click.

- [ ] Toggle ISO-week chips → weeks caption + Total column update for both the main panel and the Unmapped band.

- [ ] CSV export from the main table and (when orphans exist) the Unmapped band download with the expected file names.

- [ ] Apply a quarter with no mapping → main panel shows "No AWS accounts mapped for the selected quarter."; Unmapped band still renders if orphans exist.

- [ ] Apply a quarter with mapping but no costs → main panel shows "No AWS spend recorded for the selected quarter."

## Specs

- [features/aws-spend/saas-budgeting/specs/04-saas-budgeting-aws-spend-backend/spec.md](features/aws-spend/saas-budgeting/specs/04-saas-budgeting-aws-spend-backend/spec.md)

- [features/aws-spend/saas-budgeting/specs/05-saas-budgeting-aws-spend-ui/spec.md](features/aws-spend/saas-budgeting/specs/05-saas-budgeting-aws-spend-ui/spec.md)

Linear: [KLAIR-2590](https://linear.app/builder-team/issue/KLAIR-2590/ai-spend-budget-vs-actuals-ingest-pipeline-read-api-and-dashboard)

## Demo

<img width="2212" height="1636" alt="image" src="https://github.com/user-attachments/assets/fa924fb2-5c9d-4a05-9e7c-5e585a7a9063" />

## Summary

Four stacked specs in the [ai-spend-budget-vs-actuals](https://github.com/AI-Builder-Team/Klair/tree/main/features/ai-spend-and-adoption/ai-spend-budget-vs-actuals) feature, building AI Spend Budget vs Actuals end-to-end.

Spec 01 — Ingestion pipeline (d9c184e6a)

- Operator-driven uv run pipeline (klair-misc/ai-spend-budget-ingest/) that pulls per-quarter, per-BU, per-class, per-provider budgets from Google Sheets, normalises + validates, and writes to core_finance.ai_spend_budget.

Spec 02 — Read API + Budget vs Actuals card / detail view (0412ec164, 620b7423f, 2f9b82952)

- Backend: GET /api/ai-costs/budget?quarter=YYYY-Qn and GET /api/ai-costs/budget/quarters reading core_finance.ai_spend_budget. Auth via verify_token_clerk_or_api_key. Quarter validated server-side; class keyword handled via Pydantic alias + response_model_by_alias=True.

- Frontend: super-admin Budget vs Actuals card on the AI Spend dashboard, opening a 'bva' shell mode with quarter dropdown (Q{N}'{YY} labels), metrics strip (Total Budget / BU Count / Provider Count), and a sortable UnifiedTable grouped by BU → Class with subtotals, a totals row, and repeated-cell suppression under group headers.

- Loading, error (with retry), and empty states for both quarters list and rows.

Spec 03 — BvA backend endpoint (1df1629ac, f78bc0b88)

- GET /api/ai-costs/budget-vs-actuals?quarter=YYYY-Qn joining the canonical budget with QTD actuals via AICostsService.get_by_bu. Maps the 5 budget-canonical providers (OpenAI / Anthropic / AS Bedrock / Cursor / GCP) to actuals buckets, collapses multi-class rows for the same (bu, provider) into a single "Multiple" row with sorted class_list, emits synthetic Azure rows for BUs with Azure spend (with is_synthetic_azure=true), and clamps QTD end to today for current quarters.

Spec 04 — BvA frontend section (f97d160d9)

- Replaces the spec-02 placeholder card with a richer Budget vs Actuals section in CostSection: independent quarter selector (defaults to latest), four headline MetricV2 tiles (Total Budget / Total Actuals (QTD) / Variance ($) / % of Budget Used), and an 8-column hierarchical UnifiedTable grouped by BU with provider leaves. Includes Multiple-class native tooltip from class_list, synthetic Azure " (unbudgeted)" suffix, and a Total row driven by the builder's grandTotal.

- Pure builder + co-located formatter unit tests (buildBvASections.spec.ts, formatBvA.spec.ts); component integration tests intentionally out of scope per spec 04.

## Test plan

- [ ] pytest klair-api/tests/test_ai_spend_budget_service.py — service unit tests (36 cases covering spec 02 + spec 03: empty results, alias mapping, nullable strings, error propagation, parameterized query, BvA model round-trip, all 5 mapped providers, mixed-class collapse, QTD clamp).

- [ ] pytest klair-api/tests/routers/test_ai_spend_budget_router.py — router tests for /budget, /budget/quarters, /budget-vs-actuals (200/400/422/500 paths).

- [ ] pnpm test in klair-client/ — buildBvASections.spec.ts (7), formatBvA.spec.ts (4), plus existing buildBudgetSections.spec.ts and formatQuarterLabel.spec.ts.

- [ ] Manual: log in as super admin, open AI Spend dashboard, verify the new Budget vs Actuals section renders above the metrics row with the 4 tiles + 8-column table, switch quarters, click "View detailed budget breakdown" to confirm the spec-02 detail view still opens.

- [ ] Manual: confirm the section is hidden for non-super-admin users.

🤖 Generated with [Claude Code](https://claude.com/claude-code)