Textual 8.x reserves Ctrl+C for clipboard copy in TextArea widgets, making it unreliable as a quit shortcut. Switch to Ctrl+Q (Textual's built-in quit binding) and update info bar text accordingly. Remove the SIGINT suppression hack from _run_tui() that was attempting to work around this. Also: add explicit call-to-action after initial AI response in discovery so the user knows the session is waiting for input, and fix biz-analyst prompt to always end with actual questions.
…ixes
- Artifact inventory with SHA-256 hashing: tracks file content hashes in discovery.yaml so re-runs only process new or changed artifacts
- Governor agent with embedding-based policy retrieval: replaces the ~40KB raw policy injection with semantic retrieval (pre-computed neural embeddings shipped with wheel, TF-IDF fallback for custom policies)
- Exhaustive debug logging (DEBUG_PROTOTYPE=true): full AI payloads, state mutations, decision branches, slash commands, and error tracebacks
- Fix: slash commands no longer consume section loop iterations
- Fix: /restart breaks out of section loop cleanly
- Fix: --context timeout on re-entry (lightweight AI call for classification)
- Improved /why output with topic context and 500-char snippets
- PRU tracking for Copilot users (computed from official multiplier table)
- Copilot default timeout increased from 300s to 480s
- Strip trailing colons from topic headings in stage tree
- Build scripts and CI/CD workflows compute policy embeddings before wheel
- Removed dead code: _SECTION_COMPLETE_MARKER, build_incremental_update_prompt, items_by_kind
parse_sections() and extract_section_headers() now only create sections from level-2 (##) headings. Level-3 (###) subsections are folded into their parent topic's content, so the user responds once per topic instead of being prompted for each sub-category. Biz-analyst prompt updated to explicitly prohibit ### sub-headings and instruct the AI to use bold text or bullet points for sub-categories.
…through
- Context directives (e.g. "change app name to X") are now recorded as confirmed decisions in discovery state, ensuring they reach the architect
- When context_only=True and no new topics are needed, the session exits immediately instead of resuming pending topics
- Section loop now only walks kind="topic" items; kind="decision" items (auto-extracted implementation questions) are tracked but not walked interactively

- prototype_build() and prototype_deploy() now launch the TUI (PrototypeApp) for interactive sessions, matching the pattern prototype_design() uses
- TUI is skipped for dry-run, --json, single-stage deploy, or non-interactive contexts (sys.stdout.isatty() check prevents test hangs)
- Fix isort ordering in governance/policy_index.py

- README.md, FEATURES.md: 11 agents → 12 (added governor)
- Added governor row to agent table in README.md
- MODELS.md: Copilot timeout 300s → 480s

- Stage orchestrator now dispatches _run_build() and _run_deploy() when launched with start_stage="build" or "deploy" (previously only "design")
- Stage kwargs (--reset, --scope, etc.) passed through to stage execution
- Target stage marked IN_PROGRESS before execution, overriding stale COMPLETED status from _populate_from_state()
When the user re-runs design after build+deploy have completed, build and deploy now show as pending (not completed) since they depend on the design output and will need to be re-run.
TokenTracker now supports an _on_update callback that fires after each record() call. All four sessions (discovery, build, deploy, backlog) wire this to console.print_token_status() so the bottom-right status bar updates after every AI call — not just during specific phases.
The TUI adapter's print_token_status is passed as status_fn from the orchestrator through the stage to the session. This ensures the bottom-right status bar updates during all AI calls (including deployment plan derivation) in TUI mode, where console is None.
_maybe_spinner in build and deploy sessions now runs a background thread that updates the status bar every second with elapsed time (e.g. "Analyzing architecture... (5s)") while the AI call is in progress. Replaces with token counts after the response arrives.
The _maybe_spinner finally block now sends token status via the "tokens" event after the "end" event, so the status bar switches from elapsed time to token counts/PRUs once the AI call completes.
PromptInput widget blocks empty submissions by default. Added allow_empty parameter to TUI adapter's input_fn and enabled it for "Press Enter to start" confirmation prompts in build and deploy sessions so pressing Enter without typing proceeds as documented.
Build deployment plan stages now appear as sub-items under "Build" in the TUI tree. Each stage is marked in-progress when generation starts and completed when files are written. Callbacks (section_fn, update_task_fn) are wired from the orchestrator through the build stage to the build session, matching the design stage pattern.
PromptInput.disable() now clears text and sets display=False so the widget doesn't take up space or show stale content while the session is processing. PromptInput.enable() restores display=True.
Before each stage's agent generates code, the governor produces a policy brief specific to that stage's context (stage name + service names) and injects it via set_governor_brief(). This ensures generated IaC code is policy-compliant from the start (e.g. private endpoints, managed identity) rather than relying solely on post-generation QA to catch violations. Deploy stage does not need governor briefs — it executes existing code via subprocess (terraform apply, az deployment) rather than generating it.

- Governor policy brief is now injected as "MANDATORY GOVERNANCE RULES" directly in the task prompt near the end (where models pay the most attention), not just buried in system messages where it was drowned out in 600KB+ prompts
- Terraform and Bicep agents now have explicit constraints: disable public network access, use private endpoints, never guess API versions
Step 1: Lightweight AI call extracts stage-relevant architecture
context plus minimum dependency info from the full document (~2-5KB
output from ~50KB input).
Step 2: Generation call uses focused context + governor brief + task
instructions (~15-20KB total instead of 622KB). Governance brief is
now ~10% of the prompt vs 0.24% previously.
QA remediation loop updated: max 3 attempts with escalating severity
("MUST fix" → "CRITICAL" → "FINAL ATTEMPT"). Each attempt uses
focused context and re-applies the governor brief.
- Full 542KB architecture is condensed into per-stage context summaries (~1KB each) via a single AI call after plan derivation, cached in build_state.stage_contexts
- Each generation call uses condensed context + governor brief + task (~14KB total). Governor brief is 11% of prompt (was 0.24%)
- Knowledge docs and standards stripped from generation calls
- Agent settings temporarily disabled during generation, restored after
- QA remediation uses cached contexts, not full architecture
- Governor brief now includes rationale for MUST rules
- Removed per-stage context extraction AI call (_extract_stage_context)
…ates
The finally block's continue statement caused ALL code after the
try/except/finally to be dead code — mark_stage_generated() and
update_task_fn("completed") never executed. Moved agent settings
restore and continue into the except block (error path only),
with a separate restore on the success path.
Logs content length, content preview, parse_file_blocks() results (file count and filenames), and written_paths for each stage. This will identify exactly where the pipeline breaks when AI generates responses but no files appear on disk.
The embedding retrieval was missing network isolation rules (NET-001, NET-002) for stages whose description didn't mention "network" or "private endpoints." Now all rules with severity="required" are included in every brief, ensuring universal governance constraints like private endpoints and VNET integration are never omitted.
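The retrieval gap this commit message describes, as an added example (not the project's code): similarity-only retrieval drops NET-001 and NET-002 for a stage description with no networking vocabulary, and merging every severity="required" rule into the brief closes the gap. It uses a small TF-IDF scorer in place of the neural embeddings; the rule texts, the DEMO-* rule ids, the "recommended" severity and all function names are assumptions.

```python
import math
import re
from collections import Counter

# Constructed catalogue. NET-001/NET-002 and severity="required" come from the
# page; the rule texts, the DEMO-* rules and "recommended" are assumptions.
RULES = [
    {"id": "NET-001", "severity": "required",
     "text": "Disable public network access and use private endpoints"},
    {"id": "NET-002", "severity": "required",
     "text": "Use VNET integration for network isolation"},
    {"id": "DEMO-DB-1", "severity": "recommended",
     "text": "Cosmos DB accounts use session consistency and autoscale throughput"},
    {"id": "DEMO-ID-1", "severity": "recommended",
     "text": "Assign a managed identity to each service instead of keys"},
    {"id": "DEMO-LOG-1", "severity": "recommended",
     "text": "Send diagnostic logs to a Log Analytics workspace"},
]

# Constructed stage description with no networking vocabulary.
STAGE = "Stage 3: Cosmos DB account with managed identity"


def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def _idf(docs):
    """Smoothed inverse document frequency over the rule texts."""
    n = len(docs)
    df = Counter(t for d in docs for t in set(d))
    return lambda t: math.log((1 + n) / (1 + df[t])) + 1.0


def _vec(toks, idf):
    return {t: count * idf(t) for t, count in Counter(toks).items()}


def _cos(a, b):
    dot = sum(w * b[t] for t, w in a.items() if t in b)
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def retrieve(query, rules=RULES, k=2):
    """Similarity-only retrieval: top-k rule ids with a non-zero score."""
    docs = [tokens(r["text"]) for r in rules]
    idf = _idf(docs)
    q = _vec(tokens(query), idf)
    scored = [(_cos(q, _vec(d, idf)), r["id"]) for d, r in zip(docs, rules)]
    ranked = sorted((s for s in scored if s[0] > 0), key=lambda s: -s[0])
    return [rule_id for _, rule_id in ranked[:k]]


def build_brief(query, rules=RULES, k=2):
    """Required rules are always included; retrieval only adds to them."""
    required = [r["id"] for r in rules if r["severity"] == "required"]
    extra = [rid for rid in retrieve(query, rules, k) if rid not in required]
    return required + extra


if __name__ == "__main__":
    print("retrieval only:", retrieve(STAGE))
    print("brief         :", build_brief(STAGE))
```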
…rief
- NET-001 updated: explicitly requires disabling public network access AND using private endpoints (was only "use private endpoints")
- NET-005 added: requires publicNetworkAccess = Disabled in both Terraform azapi body blocks and Bicep properties
- Anti-pattern safe_patterns: networking check now exempts correct values (= false, = "Disabled")
- Governor brief _format_brief() appends ALL anti-patterns as NEVER GENERATE directives — loaded from governance YAML files with zero hardcoded logic. 33 checks across 9 domains.
- Re-computed policy embeddings (65 rules, was 64)
_apply_governor_brief() was called AFTER _build_stage_task(), so when _build_stage_task() checked getattr(agent, "_governor_brief", "") to inject the ## MANDATORY GOVERNANCE RULES section into the task string, the brief was always empty. The governance rules only appeared in system message [2] — never in the task string where the model pays the most attention. Fix: call _apply_governor_brief() BEFORE _build_stage_task(). Added _select_agent() to separate agent selection from task construction. Now the MANDATORY GOVERNANCE RULES section (including all NEVER GENERATE directives) appears at the end of the task string.
Adds 'Stage N post-transform' debug entry with transformed_full= containing all written files reassembled in fenced code block format, matching the content_full format from the response log entry. Enables extraction scripts to compare pre-transform vs post-transform quality.
…ponse
CP_RESPONSE files now extract transformed_full from the post-transform log entry — the final output after governance transforms. Falls back to content_full if no transforms were applied.
Tests updated to use code-generating agent names (terraform-agent) for anti-pattern detection tests. Non-code agents (biz-analyst, cost-analyst, project-manager, cloud-architect) correctly no longer trigger anti-patterns since they aren't in applies_to lists.
…Python/React knowledge
1. TERRAFORM_PROMPT: response_export_values now required on EVERY azapi_resource — explicit violations section with rejected examples
2. TFM-TF-002: structured transform auto-adds response_export_values to azapi_resource blocks missing it
3. TFM-NET-001: structured transform removes PE/DNS resources from non-networking stages
4. Python knowledge: Common Pitfalls — module-level instantiation, mutable defaults, hmac.new, Protocol interfaces, pinned deps
5. React knowledge: Common Pitfalls — require() in Vitest, dynamic import() in tests, InstrumentationKey deprecation, MSAL mocking
…ocks
Resource groups require parent_id = /subscriptions/${var.subscription_id}
but the AI consistently omits it. Structured transform detects resource
group type and injects parent_id after the name line.
…s lists
_normalize_stages now adds resourceGroups to the services list for all core/infra/data stages that don't already have it. This ensures governance targeting (transforms, anti-patterns, policies) fires correctly — resource groups are created inline in every IaC stage but weren't previously listed as a service. TFM-RG-001 targets services: [] as a safety net since the handler already scopes to resourceGroups type blocks only.
Adding Microsoft.Resources/resourceGroups to every IaC stage caused AZ-RG-001/002 policies to fire on stages that don't create resource groups, adding noise and potentially causing duplicate RG creation. TFM-RG-001 with services: [] handles the parent_id fix regardless of the services list — no injection needed.
QA was flagging empty provider "azapi" {} as CRITICAL, recommending
subscription_id/tenant_id be added. This contradicts the TERRAFORM_PROMPT
which explicitly requires the provider block to stay empty — az CLI
context provides the subscription.
The handler field was defined on the Transform dataclass but never loaded from the YAML entry. All structured transforms (TFM-TF-001, TFM-TF-002, TFM-RG-001, TFM-NET-001) were silently skipped because handler was always empty.
The regex-based block matching stopped at the first closing brace, breaking on nested body/properties blocks. Now uses brace depth counting to find the correct block boundary.
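The failure mode this commit message describes, as an added example that is not code from the pull request: a non-greedy regex ends a resource block at the first closing brace, while depth counting finds the real boundary, which changes what a transform concludes about the block. The function names, the sample HCL and the `<api-version>` placeholder are constructed for illustration; heredocs and quotes nested inside `${...}` interpolation are not handled.

```python
import re

# Constructed sample (not from the project): nested body/properties blocks,
# an attribute after the body, and a brace inside a quoted string.
SAMPLE_TF = '''\
resource "azapi_resource" "storage" {
  type = "Microsoft.Storage/storageAccounts@<api-version>"
  name = "stdemo"
  body = {
    properties = {
      publicNetworkAccess = "Disabled"
    }
  }
  response_export_values = ["id"]
  tags = { note = "brace } inside a string" }
}

resource "azapi_resource" "rg" {
  type = "Microsoft.Resources/resourceGroups@<api-version>"
  name = "rg-demo"
}
'''

HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')


def naive_blocks(text):
    """Regex-only matching: the non-greedy body ends at the FIRST '}'."""
    pattern = re.compile(HEADER.pattern + r'.*?\}', re.S)
    return {f"{m.group(1)}.{m.group(2)}": m.group(0)
            for m in pattern.finditer(text)}


def find_block_end(text, open_idx):
    """Return the index just past the '}' that closes the '{' at open_idx."""
    depth, i, n = 0, open_idx, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':                                  # skip a quoted string
            i += 1
            while i < n and text[i] != '"':
                i += 2 if text[i] == "\\" else 1
        elif ch == "#" or text.startswith("//", i):    # skip a line comment
            nl = text.find("\n", i)
            i = n if nl == -1 else nl
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced braces: block is never closed")


def resource_blocks(text):
    """Map 'type.name' to the full text of each resource block."""
    blocks, pos = {}, 0
    while (m := HEADER.search(text, pos)):
        end = find_block_end(text, m.end() - 1)   # m.end() - 1 is the '{'
        blocks[f"{m.group(1)}.{m.group(2)}"] = text[m.start():end]
        pos = end
    return blocks


def missing_export_values(blocks):
    """Blocks a transform would consider to lack response_export_values."""
    return [name for name, body in blocks.items()
            if "response_export_values" not in body]


if __name__ == "__main__":
    print("naive:", missing_export_values(naive_blocks(SAMPLE_TF)))
    print("depth:", missing_export_values(resource_blocks(SAMPLE_TF)))
```

With the truncated match, the storage resource looks as if it lacks response_export_values, so a transform acting on it would inject a duplicate attribute.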
…re variables
QA was flagging tenant_id as unused dead code. These variables are used by deploy.sh (az account set), locals.tf (ARM resource ID construction), and parent_id on resource groups — they are not dead code.
The #1 recurring QA failure — every build had 10+ stages generating terraform.tfstate instead of the convention path. Transform detects empty backend local {} and wrong terraform.tfstate paths, replaces with correct ../../../.terraform-state/stage-N-slug.tfstate derived from stage context. Also adds stage dict parameter to apply() for context-dependent structured handlers.
Cross-file fix: _remove_unused_remote_state now accepts stage_content (all stage files concatenated) for reference checking. Prevents false removal of remote state blocks referenced in locals.tf/outputs.tf. apply() accepts stage_content parameter. _apply_stage_transforms reads all files upfront and passes combined content to apply(). 35 unit tests covering all 7 transform handlers: load, filtering, capacityMode, unused remote state (single + cross-file), export values, resource group parent_id, PE removal, state path, and stage context.
Removed centralized .terraform-state/ directory, stage-N-slug.tfstate convention, TFM-TF-003 transform, and STAN-TF-011 standard. Each stage uses the default terraform.tfstate in its own directory. Cross-stage references use relative paths (../stage-1-managed-identity/terraform.tfstate). This eliminates the #1 recurring QA failure — the AI naturally generates backend "local" {} which now just works.
azapi v2 serializes Terraform null as JSON null, but ARM rejects
properties set to null — they must be absent from the body. The AI
was generating vnetConfiguration = var.enable ? {...} : null which
causes 400 Bad Request.
- TERRAFORM_PROMPT: added CRITICAL NO NULL VALUES IN BODY section
with merge() pattern for conditional properties
- Container App Environment knowledge: added pitfall with code example
- AZ-CA-001: added prohibition for conditional null on vnetConfiguration
…e path convention
QA still had the old stage-N-slug.tfstate checklist item (line 263)
causing false CRITICAL on every stage. Updated to accept backend local {}
and default terraform.tfstate. Updated remote state defaults to use
relative paths (../stage-N-name/terraform.tfstate).
Full audit confirmed no other stale references to .terraform-state/ or
stage-N-slug convention remain in code, governance, or tests.
Pull request overview
Implements the 0.2.1b6 governance/agent architecture overhaul, including a new governance validation command, embedding-based policy retrieval scaffolding, expanded policy/anti-pattern catalogs, and multi-agent role refactoring.
Changes:
- Adds new governance policy and anti-pattern document formats (with IDs/targets) plus YAML safe-loading and filtering support.
- Introduces embedding backends and a governor agent to enable brief/review workflows; updates CI to validate governance and compute embeddings.
- Refactors the agent lineup (new architects/developers/advisor), adds az prototype validate, and enhances token tracking (Copilot PRUs).
Reviewed changes
Copilot reviewed 109 out of 502 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| azext_prototype/governance/policies/azure/messaging/notification-hubs.policy.yaml | Adds Notification Hubs governance policy in the new schema. |
| azext_prototype/governance/policies/azure/management/managed-grafana.policy.yaml | Adds Managed Grafana governance policy in the new schema. |
| azext_prototype/governance/policies/azure/management/logic-apps.policy.yaml | Adds Logic Apps governance policy in the new schema. |
| azext_prototype/governance/policies/azure/management/communication-services.policy.yaml | Adds Communication Services governance policy in the new schema. |
| azext_prototype/governance/policies/azure/management/automation.policy.yaml | Adds Automation governance policy in the new schema. |
| azext_prototype/governance/policies/azure/key-vault.policy.yaml | Removes legacy Key Vault policy document (old schema). |
| azext_prototype/governance/policies/azure/identity/resource-groups.policy.yaml | Adds Resource Groups governance policy in the new schema. |
| azext_prototype/governance/policies/azure/identity/managed-identity.policy.yaml | Adds Managed Identity governance policy in the new schema. |
| azext_prototype/governance/policies/azure/functions.policy.yaml | Removes legacy Functions policy document (old schema). |
| azext_prototype/governance/policies/azure/data/fabric.policy.yaml | Adds Fabric governance policy in the new schema. |
| azext_prototype/governance/policies/azure/cosmos-db.policy.yaml | Removes legacy Cosmos DB policy document (old schema). |
| azext_prototype/governance/policies/azure/container-apps.policy.yaml | Removes legacy Container Apps policy document (old schema). |
| azext_prototype/governance/policies/azure/compute/container-instances.policy.yaml | Adds Container Instances governance policy in the new schema. |
| azext_prototype/governance/policies/azure/app-service.policy.yaml | Removes legacy App Service policy document (old schema). |
| azext_prototype/governance/policies/azure/ai/cognitive-services.policy.yaml | Adds Cognitive Services governance policy in the new schema. |
| azext_prototype/governance/policies/azure/ai/bot-service.policy.yaml | Adds Bot Service governance policy in the new schema. |
| azext_prototype/governance/policies/azure/ai/azure-ai-search.policy.yaml | Adds Azure AI Search governance policy in the new schema. |
| azext_prototype/governance/embeddings.py | Introduces TF-IDF + optional neural embedding backends for retrieval. |
| azext_prototype/governance/anti_patterns/terraform_structure.yaml | Adds Terraform structure anti-pattern domain in the new schema. |
| azext_prototype/governance/anti_patterns/storage.yaml | Migrates Storage anti-patterns to the new schema format with IDs/targets. |
| azext_prototype/governance/anti_patterns/monitoring.yaml | Migrates Monitoring anti-patterns to the new schema format with IDs/targets. |
| azext_prototype/governance/anti_patterns/encryption.yaml | Migrates Encryption anti-patterns to the new schema format with IDs/targets. |
| azext_prototype/governance/anti_patterns/cost.yaml | Migrates Cost anti-patterns to the new schema format with IDs/targets. |
| azext_prototype/governance/anti_patterns/containers.yaml | Migrates Containers anti-patterns to the new schema format with IDs/targets. |
| azext_prototype/governance/anti_patterns/bicep_structure.yaml | Adds Bicep structure anti-pattern domain in the new schema. |
| azext_prototype/governance/anti_patterns/authentication.yaml | Migrates Authentication anti-patterns to the new schema format with IDs/targets. |
| azext_prototype/governance/anti_patterns/init.py | Refactors loader/scanner to support new schema, IDs, and service/agent filtering. |
| azext_prototype/governance/init.py | Adds shared safe_load_yaml helper for consistent YAML load behavior. |
| azext_prototype/custom.py | Adds debug logging init + TUI launch paths for build/deploy + new validate command. |
| azext_prototype/commands.py | Registers az prototype validate CLI command. |
| azext_prototype/azext_metadata.json | Bumps extension version to 0.2.1b6. |
| azext_prototype/ai/token_tracker.py | Adds Copilot PRU tracking + model table updates + callback hook. |
| azext_prototype/ai/provider.py | Adds shared message/tool-call serialization helpers. |
| azext_prototype/ai/github_models.py | Switches to shared serialization helpers. |
| azext_prototype/ai/azure_openai.py | Switches to shared serialization helpers. |
| azext_prototype/agents/governance.py | Propagates agent/tool/service context into anti-pattern scanning. |
| azext_prototype/agents/builtin/security_reviewer.py | Removes Security Reviewer built-in agent implementation. |
| azext_prototype/agents/builtin/security_architect.py | Adds Security Architect agent implementation. |
| azext_prototype/agents/builtin/qa_engineer.py | Increases token budget and routes governance warnings via shared helper. |
| azext_prototype/agents/builtin/project_manager.py | Routes governance warnings via shared helper. |
| azext_prototype/agents/builtin/monitoring_agent.py | Updates diagnostic settings example to azapi and routes governance warnings via shared helper. |
| azext_prototype/agents/builtin/infrastructure_architect.py | Adds Infrastructure Architect agent implementation. |
| azext_prototype/agents/builtin/iac_shared_rules.py | Adds shared IaC rules injected into Terraform/Bicep prompts. |
| azext_prototype/agents/builtin/governor_agent.py | Adds Governor agent (brief/review) to support embedding-based governance. |
| azext_prototype/agents/builtin/doc_agent.py | Expands doc completeness requirements and increases token budget. |
| azext_prototype/agents/builtin/definitions/terraform_agent.yaml | Updates Terraform agent definition to azapi-only conventions and new file layout. |
| azext_prototype/agents/builtin/definitions/security_architect.yaml | Adds Security Architect YAML definition. |
| azext_prototype/agents/builtin/definitions/react_developer.yaml | Adds React developer YAML definition. |
| azext_prototype/agents/builtin/definitions/python_developer.yaml | Adds Python developer YAML definition. |
| azext_prototype/agents/builtin/definitions/infrastructure_architect.yaml | Adds Infrastructure Architect YAML definition. |
| azext_prototype/agents/builtin/definitions/data_architect.yaml | Adds Data Architect YAML definition. |
| azext_prototype/agents/builtin/definitions/csharp_developer.yaml | Adds C# developer YAML definition. |
| azext_prototype/agents/builtin/definitions/application_architect.yaml | Adds Application Architect YAML definition. |
| azext_prototype/agents/builtin/definitions/app_developer.yaml | Refocuses app-developer as a generic fallback agent. |
| azext_prototype/agents/builtin/data_architect.py | Adds Data Architect agent implementation. |
| azext_prototype/agents/builtin/csharp_developer.py | Adds C# developer agent implementation. |
| azext_prototype/agents/builtin/cost_analyst.py | Routes governance warnings via shared helper. |
| azext_prototype/agents/builtin/cloud_architect.py | Updates delegation targets and routes governance warnings via shared helper. |
| azext_prototype/agents/builtin/biz_analyst.py | Tightens heading rules to avoid UI topic splitting. |
| azext_prototype/agents/builtin/bicep_agent.py | Injects shared IaC rules and increases token budget; expands prompt requirements. |
| azext_prototype/agents/builtin/application_architect.py | Adds Application Architect agent implementation. |
| azext_prototype/agents/builtin/app_developer.py | Updates generic developer agent behavior, scope, and token budget. |
| azext_prototype/agents/builtin/advisor.py | Adds Advisor agent for non-blocking trade-off notes. |
| azext_prototype/agents/builtin/init.py | Updates built-in agent registry to include new agents and remove security reviewer. |
| azext_prototype/agents/base.py | Adds new capabilities, sub-layer contracts, and centralizes governance warning handling. |
| azext_prototype/_params.py | Adds CLI parameters for az prototype validate. |
| README.md | Updates agent list blurb and adds governor to the built-in agent table. |
| MODELS.md | Updates Copilot timeout guidance. |
| FEATURES.md | Updates multi-agent system count and includes governance. |
| COMMANDS.md | Renames script resource group flag in docs. |
| .github/workflows/release.yml | Consolidates governance validation and adds embedding computation step. |
| .github/workflows/pr.yml | Consolidates governance validation and adds embedding computation step. |
| .github/workflows/ci.yml | Consolidates governance validation and adds embedding computation step. |
| .gitattributes | Enforces LF line endings (especially for .sh). |
Comments suppressed due to low confidence (1)
README.md:1
- The documented built-in agent count and table entries are inconsistent with the code changes: security-reviewer was removed, and multiple new agents were added (e.g., security-architect, infrastructure-architect, data-architect, application-architect, advisor, language-specific developers). Update the README agent count and table to reflect the actual built-in agents shipped in ALL_BUILTIN_AGENTS.
# az prototype — Azure CLI Extension
```python
class TestAzureApiVersionInjection:
    """Verify agents inject Azure API version into system messages."""
```

```python
    def test_terraform_agent_injects_azure_api_version(self):
        agent = TerraformAgent()
        constraint_text = " ".join(agent.constraints).lower()
        assert "pinned" in constraint_text
```

```python
        joined = "\n".join(contents)
        assert "AZURE API VERSION" in joined
        assert "learn.microsoft.com" in joined
```

```python
            resource_group="rg-test",
            registry="myregistry.azurecr.io",
        )
```
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
iac_shared_rules.py incorrectly said PEs belong in service stages. Corrected to match constraints.md, infrastructure_architect.py, and TFM-NET-001: networking stage creates all PEs, service stages only set publicNetworkAccess = Disabled.
This was referenced Apr 6, 2026
0.2.1b6 — Architectural Hardening & Governance Overhaul
This release is a comprehensive architectural refactoring of the agent system, governance framework, and build pipeline.
Full changelog →
Highlights
- Four-Level Taxonomy — Layer → Capability → Component → Resource hierarchy with taxonomy.yaml as the canonical source of truth. All deployment stages carry layer and capability fields with namespace-based governance filtering.
- 20-Agent Architecture — 7 new agents (infrastructure/data/application/security architects + C#/Python/React developers) with layer ownership, architect→developer delegation, and sub-layer contracts.
- Post-Generation Transforms — New governance type for deterministic fabrication fixes applied automatically before QA. Handlers for response_export_values injection, resource group parent_id, private endpoint removal from non-networking stages, unused remote state cleanup, and Cosmos DB schema corrections.
- Namespace-Based Governance Filtering — Anti-pattern scans, governor briefs, and policy resolution now filter by ARM service namespace (targets.services). Only governance relevant to the stage's actual resources is sent to the AI or used for scanning.
- Standards Re-Enabled — Design standards (STAN-*) restored to the build pipeline after being incorrectly disabled. Standards injected into agent prompts (agent-scoped via applies_to) and QA context (tool/layer-scoped).
- QA Improvements — FAIL requires CRITICAL (WARNINGs don't block), agent_name passed to anti-pattern scans, empty provider "azapi" {} accepted, subscription_id/tenant_id recognized as infrastructure variables.
- Governance Data Quality — All 778 companion resources have type/name/description. 591 duplicate rules consolidated. Service targets audited across all 108 files. category → domain on governance docs, category → capability on stages.
- 108 Individual Wiki Pages — One page per Azure service, auto-generated with collapsible sidebar. HTML tables for consistent rendering.
- Build Quality — azurerm references eliminated from knowledge/governance files. API version child resource lookup fixed. Simplified state management (default terraform.tfstate per stage directory).