Skip to content

Port Cursor rules/skills to GitHub Copilot instructions + Azure Container Apps deployment infra#376

Open
fabioc-aloha wants to merge 20 commits into
microsoft:devfrom
fabioc-aloha:main
Open

Port Cursor rules/skills to GitHub Copilot instructions + Azure Container Apps deployment infra#376
fabioc-aloha wants to merge 20 commits into
microsoft:devfrom
fabioc-aloha:main

Conversation

@fabioc-aloha

Copy link
Copy Markdown

Summary

  • Installed the Alex ACT Edition framework (.github/instructions, skills, prompts, agents, scripts, config) for Copilot Chat in VS Code.
  • Ported the project's existing .cursor/rules/.mdc and .cursor/skills//SKILL.md conventions to native Copilot equivalents (.github/instructions/df-*.instructions.md and .github/skills/{error-handling,language-injection,path-safety}) so Copilot-only contributors get the same dev-convention guardrails Cursor users already have. .cursor/ is left untouched.
  • Added infra/*.bicep + azure.yaml: an azd-deployable Azure Container Apps + private Azure OpenAI (Entra ID auth, DLP, content-filter policy) reference deployment, developed and validated against a live governed subscription.
  • See COPILOT_PORTING_GUIDE.md at repo root for the full rationale and file-by-file mapping.

Commits

  • Install Alex ACT Edition framework
  • Un-ignore .vscode/markdown-light.css referenced by settings.json
  • Un-ignore .vscode/; remove Container Apps subnet delegation from network.bicep

- package nested demo assets and register modern image MIME types
- stabilize model probes, reasoning compatibility, and error classification
- align governed Azure model infrastructure with the live three-model set
- add regression coverage, audit log, meditation, and session handoff

Validation: Python compileall, Bicep build, Markdown lint, editor diagnostics, staged diff check, redacted secret scan, and live browser/API checks. Full pytest unavailable in the local environment.
@Chenglong-MS Chenglong-MS changed the base branch from main to dev July 9, 2026 21:28
@Chenglong-MS

Copy link
Copy Markdown
Collaborator

the latest development is in dev! let's consolidated a bit and then put it into main together?

fabioc-aloha and others added 15 commits July 9, 2026 20:24
Resolve the non-connector readiness backlog with bounded request and memory limits, safer loader lifecycle and persistence, OAuth state isolation, production serving, retry controls, and concurrency protection.

Add focused regression coverage and connector implementation plans. Record that the single-replica source mitigation is validated but its live deployment remains blocked by unrelated infrastructure drift.
Preserve production Container App ingress, policy-managed network state, registry defaults, and model deployment settings during full Bicep provisioning.

Add deployment safety tests and document the required what-if and post-deployment verification workflow.
Add connector-and-audience token isolation, token-free OAuth popup handling, ODBC access-token support, proxy-safe callbacks, and Driver 18 in the runtime image.

Harden token persistence and concurrent state boundaries, repair the TypeScript and ESLint baseline, and update connector plans and operational documentation.
- upgrade ACT Edition assets and relocate heir-owned guidance into local paths
- add delegated Azure SQL OAuth with managed identity federation and hardened ODBC handling
- resolve OAuth state concurrency, repository hygiene, and backend/frontend test debt
- document consent, deployment, audit evidence, and remaining session migration gates
- deploy ebada59 as healthy Container App revision 0000010
- record image provenance, OAuth, Driver 18, endpoint, and log checks
- exclude local environments and paper archives from remote build contexts
- document audit and deployment status plus enterprise data-access decision
- add Chenglong meeting brief, paper insights, and source artifacts
- clear persisted workspaces missing from server storage before autosave
- remove unused image preloads and unconditional startup debug logs
- record revision, image digest, validation, and image-based rollback
- update handoff, consent runbook, issue ledger, and meeting status
- lazily initialize no-auth connector loaders for catalog and status calls
- bound LiteLLM attempts to 90 seconds and logical retries to 120 seconds
- retry streams only before first output and preserve structured timeout errors
- pin LiteLLM 1.91.1 and add DF-024/DF-025 regression evidence

ACT: Considered one cohesive runtime-hardening commit versus splitting shared ledger changes.
Going with H1: keep validated connector and model lifecycle changes atomic.
Would revise if: staged paths include Agency files, tests fail, or remote main advances.
Validation: 2032 passed, 13 skipped; uv lock check; staged diff and secret scan clean.
- validate installer inputs before any target writes
- make verification failures enforce nonzero exit and version drift checks
- preserve process PATH entries and keep verification-only mode read-only
- ignore the generated local tool snapshot and remove broken target links

ACT: Considered an independent Agency commit versus bundling deployment records.
Going with H1: keep tooling synchronization independently reviewable and reversible.
Would revise if: staged paths include deployment docs or validation/secret scans fail.
Validation: PowerShell parse, disposable dry run, generated baseline, no-flag verifier, diagnostics, diff check, and secret scan pass.
- record revision azd-1784046335 and immutable image digest
- mark DF-024 and DF-025 production verified
- capture connector, Azure OpenAI, browser, replica, and cleanup evidence
- retain recreate-11dfb1fd3d3c as the immediate rollback image

ACT: Considered committing verified live state separately from Agency tooling.
Going with H1: preserve deployment evidence as an independently auditable record.
Would revise if: live revision/image/traffic changes or staged scope/secret scan fails.
Validation: one ready replica, zero restarts, 100% traffic, catalog 16 nodes, LiteLLM 1.91.1, ODBC 18, all models connected, non-streaming and streaming tool paths pass, browser clean, smoke sessions empty.
- chronicle connector, model, client-state, deployment, and documentation work
- record build-versus-rollout recovery and workspace-bound smoke patterns
- map shipped commits, rollback state, validation, and owned remaining gates
- index the session for future retrieval

Validation: Markdown diagnostics, diff check, and no-context comprehension review pass.
- add profile contracts, internal FastMCP gateway, auth, approvals, and drift checks
- add feature-gated gateway container and Bicep provisioning foundation
- document Entra consent, Fabric fixture, rollout, and handoff state
Materiality: High - this changes authentication, authorization, approval, and governed data-access behavior on main.
Hypothesis H1: ship the accumulated governed MCP increments together because their contracts, tests, and trackers form one coherent safety boundary.
Alternative H2: split the increments because smaller commits are easier to review, but that would separate mutually dependent profile, client, approval, loader, and test contracts after the user explicitly requested committing all.
Disconfirmers: would revise H1 if staged review found a blocking defect, tests failed, sensitive literals appeared, or origin/main had advanced.
Audit priors: scope comes from the staged 37-file diff; verification comes from the local 273-test run, staged diff check, secret-pattern scan, and read-only code review.
Severity: if H1 is false, the exact-audience token tests, same-subject approval races, immutable manifest tests, bounded result validation, and catalog lifecycle regressions should reveal the unsafe boundary.

- add immutable governed profiles, source manifests, and offline bootstrap
- add authenticated fixed-operation client and exact audience token isolation
- harden same-subject approval confirmation, denial, races, and replay handling
- add catalog-only governed loader with stable provenance and lifecycle coverage
- update implementation plans, tracker evidence, and authentication guidance

Tests: 273 passed

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- record the shipped governed MCP lifecycle and local production-composition plan
- preserve external consent, deployment, fixture, and live-validation gates
- fix cross-table false positives in the Markdown converter validator with regression coverage

ACT pass:
H1 - ship one behavior-tagged closeout commit because the validator fix was discovered by this documentation gate.
H2 - split documentation and validator commits because they are independently revertible.
Would revise H1 if staged review found runtime or infrastructure changes, credential-like literals, or failing validation.
Prior audit - the user requested commit all and push; repository evidence limits the scope to documentation plus the validator regression.
Severity - high because this updates main; remote divergence, staged review, tests, and post-push SHA comparison are the controls.
Going with H1 because all staged changes are jointly validated and preserve the local-only boundary.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants