01-projects/phdata

KnowBe4 Demo — Technical Build Plan (phData-side environment)

2026-06-26·technical-plan·status: draft — blocked on environment decision
phdataknowbe4snowflakecortex-analystsnowflake-intelligencemcpcoworkrbacsnow-cli

KnowBe4 Demo — Technical Build Plan

Goal: Build the teaser + fallback demo end-to-end in a phData-side Snowflake environment, mirroring KB4's data shape (security-awareness domain), so the workshop has a bulletproof reference and the live build can fall back to it. Pipeline mirrors Gary's: sample data → semantic view (Cortex Code accelerated) → Cortex Analyst model → Snowflake Intelligence activation → custom Snowflake MCP → Claude Cowork connector → RBAC.

Current state (verified 2026-06-26, this machine)

STEP 0 — Environment decision (the fork — need your pick)

Option A — phData Snowflake sandbox Option B — fresh Snowflake trial (on the mini)
What The real "our env"; you likely have access as a phData employee. A clean 30-day Snowflake trial account you own, for the learning build.
Pros Real, Cortex features enabled, what the team/Gary actually use; no porting. Isolated, you own it, ideal for learning + cert prep, no phData-governance entanglement, I can drive it fully from the mini.
Cons phData infra — I'd need a connection path + creds; governance considerations for an agent on the mini touching it. Separate from the real demo env; the build would need porting to phData's env for the actual workshop. Confirm Cortex Analyst / Intelligence are available on the trial tier.
Best for The actual team demo (lives here eventually, via Gary). Your "build it myself to learn the stack" goal.

My recommendation: build your learning version in Option B (a trial, fully drivable from the mini), keep it portable, and bring it to Gary to merge into the phData env (Option A) for the real workshop. That gets you hands-on the entire stack (great cert prep) without stepping on phData governance, and gives Gary a second reference build to blend.

Build sequence (env-independent once Step 0 is picked)

  1. Tooling — install snow CLI on the mini (brew install snowflake-cli or uv tool install snowflake-cli-labs); wire the connection to the chosen account; creds in Keychain/1Password. Verify with snow connection test.
  2. Bronze — sample data. Load representative security-awareness data mirroring KB4's shape: users, accounts, simulated-phishing campaigns, phishing events, training modules, risk scores, departments. Synthetic but realistic. (Snowflake sample DBs + a generated overlay.)
  3. Silver — model events + entities (the ontology from the workshop): entities (user, account, campaign, training module, department) + events (phish-sent, clicked, reported, training-completed, risk-score-change). Build the silver tables/views with enforced-style modeling.
  4. Gold — semantic view(s). Define reusable semantic view(s) over silver. Use Cortex Code (CoCo) to accelerate the definition (and to demo the AI-assisted build itself).
  5. Cortex Analyst model. Author the semantic-model YAML (logical tables, dimensions, facts, metrics, relationships, synonyms); test NL→governed SQL on the chosen activation question. Embed in Snowflake Intelligence as activation #1.
  6. Custom Snowflake MCP. Stand up the MCP server exposing the semantic layer as typed tools (search / get / query grounding assets). Constraint: must be internet-reachable from Anthropic IP ranges (hosting TBD — note this dependency).
  7. Claude Cowork connector + RBAC. Connect Cowork to the MCP via Custom Connector (OAuth + URL); enforce Snowflake RBAC so the Cowork agent is gated by roles (demo: a restricted role sees less). This is the destination from the teaser.

Open dependencies / what I need from you

  1. Step 0 pick: Option A (phData sandbox + connection path) or B (spin a trial — recommended). On your "go for B," I install snow + set up the trial connection tonight/this weekend and start the build.
  2. Cortex availability confirm (esp. if B): Cortex Analyst + Snowflake Intelligence on the chosen tier/region.
  3. MCP hosting: where the custom MCP runs so it's reachable from Anthropic IPs (a small always-on host; we have the quick-sites/Cloudflare pattern to lean on).

Risk notes