Snowflake
BRYAN DAVID WHITE edited this page Mar 7, 2026 · 2 revisions
Dual-mode connector for Snowflake: Cortex AI for LLM completions and embeddings, plus warehouse SQL for structured query and table sync.
Snowflake serves two roles in the OVERWATCH stack:
- Cortex AI -- LLM completions (`cortex.complete`) and embedding generation (`cortex.embed`) via the Cortex REST API.
- Warehouse -- SQL query execution (`snowflake.query`), table listing (`snowflake.tables`), and bidirectional table sync (`snowflake.sync`).
Both modes share a single auth layer and route all activity through the Exhaust Inbox.
| Method | Use Case | Config Key |
|---|---|---|
| JWT Keypair | Service accounts, CI/CD | auth.keypair |
| OAuth | Interactive / SSO | auth.oauth |
| PAT (Personal Access Token) | Developer local | auth.pat |
```python
from deepsigma.adapters.snowflake import SnowflakeConnector

conn = SnowflakeConnector(
    account="org-acct",
    auth_method="keypair",
    private_key_path="/secrets/rsa_key.p8",
)
```

Cortex endpoints are accessed via the Snowflake REST API under `/api/v2/cortex`.
```python
# LLM completion
result = conn.cortex_complete(
    model="snowflake-arctic",
    prompt="Classify this alert...",
    dte_id="dte-xyz-456",
)

# Embedding
vec = conn.cortex_embed(
    model="e5-base-v2",
    text="network intrusion detected",
)
```

Each call is DTE-gated (budget, TTL, scope) before execution.
Standard SQL query execution against any warehouse the service account can access.

```python
rows = conn.query("SELECT * FROM threat_intel.iocs LIMIT 100")
tables = conn.list_tables(schema="threat_intel")
conn.sync(source_table="stg.raw_events", target="canonical.episodes")
```

`snowflake.sync` performs an incremental merge using a `_updated_at` watermark column.
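How a watermark-driven incremental merge behaves at the boundary timestamp, as an added example that is not the connector's own code. It assumes an in-memory SQLite database standing in for Snowflake, shortened table names (`raw_events`, `episodes`), hypothetical `id` and `payload` columns, and an integer watermark.

```python
import sqlite3

WATERMARK = "_updated_at"  # same column name as warehouse.sync_watermark

def incremental_sync(db, source, target, last_seen):
    """Upsert source rows with watermark >= last_seen; return (rows_read, new_watermark)."""
    for name in (source, target):
        # Table names cannot be bound as parameters, so allow plain identifiers only.
        if not name.isidentifier():
            raise ValueError(f"unsafe table name: {name!r}")
    # >= rather than > so rows that share the boundary timestamp are re-read, not skipped.
    rows = db.execute(
        f"SELECT id, payload, {WATERMARK} FROM {source} "
        f"WHERE {WATERMARK} >= ? ORDER BY {WATERMARK}",
        (last_seen,),
    ).fetchall()
    # Idempotent merge: re-reading a row is harmless, and an older copy never wins.
    db.executemany(
        f"INSERT INTO {target} (id, payload, {WATERMARK}) VALUES (?, ?, ?) "
        f"ON CONFLICT(id) DO UPDATE SET payload = excluded.payload, "
        f"{WATERMARK} = excluded.{WATERMARK} "
        f"WHERE excluded.{WATERMARK} >= {target}.{WATERMARK}",
        rows,
    )
    db.commit()
    return len(rows), (rows[-1][2] if rows else last_seen)

def demo():
    """Run two sync passes over constructed sample rows."""
    db = sqlite3.connect(":memory:")
    for table in ("raw_events", "episodes"):
        db.execute(f"CREATE TABLE {table} (id TEXT PRIMARY KEY, payload TEXT, {WATERMARK} INTEGER)")
    db.executemany("INSERT INTO raw_events VALUES (?, ?, ?)",
                   [("e1", "scan", 100), ("e2", "login", 105)])
    first = incremental_sync(db, "raw_events", "episodes", 0)
    # A late row arrives with the boundary timestamp, and e1 is updated in the source.
    db.execute("INSERT INTO raw_events VALUES ('e3', 'exfil', 105)")
    db.execute(f"UPDATE raw_events SET payload = 'scan-confirmed', {WATERMARK} = 110 WHERE id = 'e1'")
    second = incremental_sync(db, "raw_events", "episodes", first[1])
    final = db.execute("SELECT id, payload FROM episodes ORDER BY id").fetchall()
    return first, second, final

if __name__ == "__main__":
    print(demo())
```

With a strict `>` comparison the second pass would skip `e3`, which leaves a silent gap in the synced event history.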
Both Cortex and warehouse operations emit EpisodeEvent records:

```python
adapter = ExhaustAdapter(source="snowflake")
# Fields: mode (cortex|warehouse), operation, latency_ms,
#         rows_affected, token_count, cost_usd, dte_id
```

| Tool | Mode | Description |
|---|---|---|
| `cortex.complete` | Cortex | DTE-gated LLM completion |
| `cortex.embed` | Cortex | Generate embeddings |
| `snowflake.query` | Warehouse | Execute a SQL query |
| `snowflake.tables` | Warehouse | List tables/views in a schema |
| `snowflake.sync` | Warehouse | Incremental table sync |
```json
{
  "tool": "cortex.complete",
  "arguments": {
    "model": "snowflake-arctic",
    "prompt": "Summarize IOC findings",
    "dte_id": "dte-xyz-456",
    "max_tokens": 1024
  }
}
```

```yaml
# config/snowflake.yaml
snowflake:
  account: org-acct
  auth:
    method: keypair
    private_key_env: SNOWFLAKE_PRIVATE_KEY
  cortex:
    default_model: snowflake-arctic
    embed_model: e5-base-v2
  warehouse:
    default_wh: COMPUTE_WH
    sync_watermark: _updated_at
  exhaust:
    adapter: snowflake
```

Σ OVERWATCH — Coherence Ops Platform • Current release: v2.1.0 • DeepSigma