{"results":[{"id":"cloudbuild-logs-default-both-logging-and-gcs","text":"Cloud Build logs go to both Cloud Logging and Cloud Storage by default; `logging: GCS_ONLY` stores only in GCS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cmek-single-control-plane-for-data-governance","text":"CMEK key lifecycle serves as the single control plane for data governance across GCP: rotation is operationally safe (ciphertext self-identifies its key version), but destruction permanently shreds all encrypted data across every service — and GCS's tiered encryption model means choosing CMEK explicitly opts into this asymmetric risk, trading storage durability for cryptographic access control at the KMS layer.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcp-data-domain-deepest-expertise-behind-simplest-interface","text":"GCP data services demand the deepest expertise behind the simplest interfaces: data management is the highest-complexity operational domain (four-dimensional GCS engineering, per-service protection investment, CMEK cross-service blast radius) while the abstraction inversion ensures this complexity is hidden behind managed interfaces that make cost and risk appear simpler than they are.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcp-data-durability-requires-dual-scale-governance","text":"GCP data durability requires governance at two independent scales: per-service protection engineering (Cloud SQL triple investment in HA/replicas/private networking, GCS defense-in-depth across immutability/namespace/encryption tiers) AND cross-service CMEK blast radius management (a single key destruction cascades data loss across every service using that key, voiding per-service durability guarantees regardless of investment).","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcp-data-governance-requires-upfront-commitment-and-ongoing-engineering","text":"GCP data governance demands simultaneous mastery of two orthogonal time horizons: upfront architectural commitment (immutable infrastructure decisions, dual IAM/CMEK control planes compounding with cross-layer irrecoverability) AND ongoing per-service protection engineering (Cloud SQL triple investment, GCS defense-in-depth, CMEK blast radius management) — neither dimension compensates for deficiency in the other.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcp-data-management-highest-complexity-domain","text":"GCP data management is the highest-complexity operational domain: GCS alone requires four-dimensional engineering (storage class economics, defense-in-depth protection, namespace security, CMEK governance with cross-service blast radius), and this per-service engineering pattern repeats independently across Cloud SQL (triple investment: HA + replicas + private networking), Memorystore (constrained operational model), and Secret Manager (application-level awareness) — with no shared platform abstraction to amortize the complexity.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcp-data-services-require-per-service-protection-engineering","text":"GCP data protection is a per-service engineering effort, not a platform abstraction: Cloud SQL requires triple investment (HA + replicas + private networking) with each dimension independently constrained, while GCS requires defense in depth across three orthogonal dimensions (object immutability with versioned recovery, namespace security with organizational controls, four-tier encryption) — neither service's protection model transfers to the other.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-all-classes-11-nines-durability","text":"All Cloud Storage classes share 99.999999999% (eleven 9s) annual durability.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-archive-millisecond-access","text":"Archive storage class provides millisecond-latency access, unlike competing cloud providers' cold tiers which may take hours/days.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-bucket-dot-names-require-domain-verification","text":"Bucket names containing dots require domain ownership verification.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-bucket-name-location-immutable","text":"Bucket name and location are set at creation and cannot be changed afterward.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-bucket-names-globally-unique-public","text":"GCS bucket names are in a single global namespace — every name must be globally unique and is publicly visible.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-bucket-naming-rules","text":"Bucket names must be 3–63 characters, lowercase letters/numbers/dashes/underscores/dots only, cannot begin with `goog`, cannot contain `google`, and cannot be an IP address in dotted-decimal notation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-buckets-cannot-be-nested","text":"GCS buckets cannot be nested inside other buckets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-change-object-class-two-methods","text":"Two ways to change an object's storage class: rewrite the object or use Object Lifecycle Management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-changing-default-class-not-retroactive","text":"Changing a bucket's default storage class does not affect existing objects — they retain their original class.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-client-side-encryption-double-layer","text":"Client-side encrypted data is also encrypted server-side, resulting in layered encryption.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-cmek-three-backends","text":"CMEK supports three key storage backends: software, HSM, and external (EKM).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-cmek-vs-csek-storage","text":"CMEK keys are stored in Cloud KMS (Google stores them, customer manages them); CSEK keys are provided per-request and never stored by Google.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"gcs-credential-access-boundaries-downscope","text":"Credential Access Boundaries downscope OAuth 2.0 tokens to limit access to specific buckets and permission sets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":76,"limit":20,"offset":0}