feat(deployments): add config-driven Basilica tenant lifecycle

Adds a stateless multi-tenant provisioning layer for LLMTrace on
Basilica, with a thin GitHub Actions surface for triggering from the
product API.

- deployments/basilica/lifecycle.py: ComponentSpec + TenantSpec
  dataclasses driving provision / update / deprovision / status. Caller
  owns the tenant_id -> UUID mapping (Basilica's SDK exposes deployment
  state only by server-assigned UUID, so identity cannot live in the
  library).
- deployments/basilica/cli.py: loads YAML/JSON config (or inline JSON
  via --config-json), substitutes ${VAR} / ${VAR:-default} from
  environment for secret injection, emits JSON to stdout with exit
  0 / 2 / 3 codes.
- deployments/basilica/configs/examples/{starter,pro}.yaml: example
  tenant configs covering single- and multi-replica plans.
- .github/workflows/tenant-lifecycle.yml: workflow_dispatch trigger
  exposing the four lifecycle actions, surfacing proxy/dashboard UUIDs
  and URLs as step outputs so the app can persist them.

Validated end-to-end against a live Basilica account (tenant rt-919126):
provision -> status -> recreate -> HTTP 200 on both URLs -> deprovision
-> idempotent re-deprovision. update --strategy=restart surfaces a
Basilica server-side limitation (k8s Deployment CR not materialised on
fresh instances) cleanly via exit 3 + structured JSON error.

Author: epappas

.github/workflows/tenant-lifecycle.yml

@@ -0,0 +1,180 @@
+name: tenant-lifecycle
+
+on:
+  workflow_dispatch:
+    inputs:
+      tenant_id:
+        description: "DNS-safe tenant slug (^[a-z0-9][a-z0-9-]{0,29}$)"
+        required: true
+        type: string
+      action:
+        description: "Lifecycle action"
+        required: true
+        type: choice
+        options:
+          - provision
+          - update
+          - status
+          - deprovision
+      config_path:
+        description: "Path in repo to a YAML/JSON tenant config (provision/update only)"
+        required: false
+        type: string
+        default: ""
+      config_json:
+        description: "Inline JSON tenant config (provision/update only, takes precedence over config_path)"
+        required: false
+        type: string
+        default: ""
+      proxy_instance_id:
+        description: "Basilica UUID of existing proxy (required for update; optional for status/deprovision)"
+        required: false
+        type: string
+        default: ""
+      dashboard_instance_id:
+        description: "Basilica UUID of existing dashboard (required for update; optional for status/deprovision)"
+        required: false
+        type: string
+        default: ""
+      strategy:
+        description: "Update strategy (update only): recreate (URL changes) or restart (URL stable)"
+        required: false
+        type: choice
+        default: recreate
+        options:
+          - recreate
+          - restart
+
+permissions:
+  contents: read
+
+jobs:
+  lifecycle:
+    runs-on: ubuntu-latest
+    timeout-minutes: 25
+    env:
+      # Secrets used both for the API client and for ${VAR} substitution
+      # inside the loaded tenant config. Add per-tenant secrets here as
+      # needed — they will be resolved at deploy time.
+      BASILICA_API_TOKEN: ${{ secrets.BASILICA_API_TOKEN }}
+      LLMTRACE_UPSTREAM_URL: ${{ secrets.LLMTRACE_UPSTREAM_URL }}
+      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+      LLMTRACE_AUTH_ADMIN_KEY: ${{ secrets.LLMTRACE_AUTH_ADMIN_KEY }}
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
+        with:
+          python-version: "3.12"
+
+      - name: Install deps
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install basilica-sdk PyYAML
+
+      - name: Validate inputs
+        env:
+          ACTION: ${{ inputs.action }}
+          CONFIG_PATH: ${{ inputs.config_path }}
+          CONFIG_JSON: ${{ inputs.config_json }}
+          PROXY_ID: ${{ inputs.proxy_instance_id }}
+          DASHBOARD_ID: ${{ inputs.dashboard_instance_id }}
+        run: |
+          set -euo pipefail
+          if [[ -z "${BASILICA_API_TOKEN:-}" ]]; then
+            echo "::error::BASILICA_API_TOKEN secret is not configured"
+            exit 2
+          fi
+          case "${ACTION}" in
+            provision)
+              if [[ -z "${CONFIG_PATH}" && -z "${CONFIG_JSON}" ]]; then
+                echo "::error::action=provision requires config_path or config_json"
+                exit 2
+              fi
+              ;;
+            update)
+              if [[ -z "${CONFIG_PATH}" && -z "${CONFIG_JSON}" ]]; then
+                echo "::error::action=update requires config_path or config_json"
+                exit 2
+              fi
+              if [[ -z "${PROXY_ID}" || -z "${DASHBOARD_ID}" ]]; then
+                echo "::error::action=update requires proxy_instance_id and dashboard_instance_id"
+                exit 2
+              fi
+              ;;
+          esac
+
+      - name: Run lifecycle action
+        id: run
+        env:
+          TENANT_ID: ${{ inputs.tenant_id }}
+          ACTION: ${{ inputs.action }}
+          CONFIG_PATH: ${{ inputs.config_path }}
+          CONFIG_JSON: ${{ inputs.config_json }}
+          PROXY_ID: ${{ inputs.proxy_instance_id }}
+          DASHBOARD_ID: ${{ inputs.dashboard_instance_id }}
+          STRATEGY: ${{ inputs.strategy }}
+        run: |
+          set -euo pipefail
+          args=("--tenant-id" "${TENANT_ID}")
+          case "${ACTION}" in
+            provision)
+              if [[ -n "${CONFIG_JSON}" ]]; then
+                args+=("--config-json" "${CONFIG_JSON}")
+              else
+                args+=("--config" "${CONFIG_PATH}")
+              fi
+              ;;
+            update)
+              args+=("--strategy" "${STRATEGY}")
+              args+=("--proxy-instance-id" "${PROXY_ID}")
+              args+=("--dashboard-instance-id" "${DASHBOARD_ID}")
+              if [[ -n "${CONFIG_JSON}" ]]; then
+                args+=("--config-json" "${CONFIG_JSON}")
+              else
+                args+=("--config" "${CONFIG_PATH}")
+              fi
+              ;;
+            status|deprovision)
+              [[ -n "${PROXY_ID}" ]] && args+=("--proxy-instance-id" "${PROXY_ID}")
+              [[ -n "${DASHBOARD_ID}" ]] && args+=("--dashboard-instance-id" "${DASHBOARD_ID}")
+              ;;
+            *)
+              echo "::error::unknown action ${ACTION}"
+              exit 2
+              ;;
+          esac
+
+          set +e
+          python3 -m deployments.basilica.cli "${ACTION}" "${args[@]}" > result.json
+          code=$?
+          set -e
+          cat result.json
+          echo "exit_code=${code}" >> "${GITHUB_OUTPUT}"
+          python3 - <<'PY' >> "${GITHUB_OUTPUT}"
+          import json, pathlib
+          data = json.loads(pathlib.Path("result.json").read_text() or "{}")
+          print(f"proxy_instance_id={data.get('proxy_instance_id') or ''}")
+          print(f"dashboard_instance_id={data.get('dashboard_instance_id') or ''}")
+          print(f"proxy_url={data.get('proxy_url') or ''}")
+          print(f"dashboard_url={data.get('dashboard_url') or ''}")
+          PY
+          if [[ "${code}" -ne 0 ]]; then
+            exit "${code}"
+          fi
+
+      - name: Write step summary
+        if: always()
+        env:
+          ACTION: ${{ inputs.action }}
+          TENANT_ID: ${{ inputs.tenant_id }}
+        run: |
+          set -euo pipefail
+          {
+            echo "## tenant-lifecycle: ${ACTION} ${TENANT_ID}"
+            echo ""
+            echo '```json'
+            cat result.json 2>/dev/null || echo "{}"
+            echo '```'
+          } >> "${GITHUB_STEP_SUMMARY}"

deployments/basilica/__init__.py

@@ -0,0 +1 @@
+"""LLMTrace deployment automation for the Basilica platform."""