Sync plugin files from GitHub-Copilot-for-Azure (run 23292182577)

.github/plugins/azure-skills/.claude-plugin/plugin.json

@@ -1,11 +1,24 @@
 {
   "name": "azure",
   "description": "Microsoft Azure MCP integration for cloud resource management, deployments, and Azure services. Manage your Azure infrastructure, monitor applications, and deploy resources directly from Claude Code.",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "author": {
     "name": "Microsoft",
     "url": "https://www.microsoft.com"
   },
   "homepage": "https://github.com/microsoft/github-copilot-for-azure",
-  "keywords": ["azure", "cloud", "infrastructure", "deployment", "microsoft", "devops"]
+  "repository": "https://github.com/microsoft/GitHub-Copilot-for-Azure",
+  "license": "MIT",
+  "keywords": [
+    "azure",
+    "cloud",
+    "infrastructure",
+    "deployment",
+    "microsoft",
+    "devops",
+    "foundry",
+    "diagnostics"
+  ],
+  "skills": "./skills/",
+  "mcpServers": "./.mcp.json"
 }

.github/plugins/azure-skills/.mcp.json

@@ -4,9 +4,9 @@
       "command": "npx",
       "args": ["-y", "@azure/mcp@latest", "server", "start"]
     },
-    "foundry-mcp": { 
-      "type": "http", 
-      "url": "https://mcp.ai.azure.com" 
-    } 
+    "context7": {
+      "command": "npx",
+      "args": ["-y", "@upstash/context7-mcp@latest"]
+    }
   }
 }

.github/plugins/azure-skills/.plugin/plugin.json

@@ -0,0 +1,24 @@
+{
+  "name": "azure",
+  "description": "Microsoft Azure MCP integration for cloud resource management, deployments, and Azure services. Manage your Azure infrastructure, monitor applications, and deploy resources directly from your development environment.",
+  "version": "1.0.1",
+  "author": {
+    "name": "Microsoft",
+    "url": "https://www.microsoft.com"
+  },
+  "homepage": "https://github.com/microsoft/github-copilot-for-azure",
+  "repository": "https://github.com/microsoft/GitHub-Copilot-for-Azure",
+  "license": "MIT",
+  "keywords": [
+    "azure",
+    "cloud",
+    "infrastructure",
+    "deployment",
+    "microsoft",
+    "devops",
+    "foundry",
+    "diagnostics"
+  ],
+  "skills": "./skills/",
+  "mcpServers": "./.mcp.json"
+}

.github/plugins/azure-skills/CHANGELOG.md

@@ -0,0 +1,49 @@
+# Changelog
+
+All notable changes to the Azure plugin will be documented in this file.
+
+This project adheres to [Semantic Versioning](https://semver.org/).
+
+## [1.0.1] - 2026-03-13
+
+### Added
+
+- `azure-upgrade` — Assess and upgrade Azure workloads between plans, tiers, or SKUs.
+
+### Changed
+
+- Removed `foundry-mcp` HTTP server from `.mcp.json` (non-spec `type`/`url` fields).
+- Updated `azure-diagnostics` description.
+- Updated `microsoft-foundry` description and bumped to version 1.0.5.
+
+## [1.0.0] - 2025-03-12
+
+### Added
+
+- Initial release of the Azure plugin.
+- Vendor-neutral `.plugin/plugin.json` manifest following the [Open Plugins Specification](https://open-plugins.com/plugin-builders/specification).
+- Claude Code manifest (`.claude-plugin/plugin.json`).
+- MCP server configuration (`.mcp.json`) for Azure MCP, Foundry MCP, and Context7.
+- MIT `LICENSE` file at the plugin root.
+- 21 agent skills:
+  - `appinsights-instrumentation` — Azure Application Insights telemetry setup.
+  - `azure-ai` — Azure AI Search, Speech, OpenAI, and Document Intelligence.
+  - `azure-aigateway` — Azure API Management as an AI Gateway.
+  - `azure-cloud-migrate` — Cross-cloud migration assessment and code conversion.
+  - `azure-compliance` — Security auditing and best practices assessment.
+  - `azure-compute` — VM size recommendation and configuration.
+  - `azure-cost-optimization` — Cost savings analysis and recommendations.
+  - `azure-deploy` — Azure deployment execution (azd, Bicep, Terraform).
+  - `azure-diagnostics` — Production issue debugging and log analysis.
+  - `azure-hosted-copilot-sdk` — Build and deploy GitHub Copilot SDK apps to Azure.
+  - `azure-kusto` — Azure Data Explorer KQL queries.
+  - `azure-messaging` — Event Hubs and Service Bus SDK troubleshooting.
+  - `azure-prepare` — Application preparation for Azure deployment.
+  - `azure-quotas` — Quota and usage management.
+  - `azure-rbac` — RBAC role recommendation and assignment.
+  - `azure-resource-lookup` — Azure resource discovery and listing.
+  - `azure-resource-visualizer` — Mermaid architecture diagram generation.
+  - `azure-storage` — Blob, File, Queue, Table, and Data Lake storage.
+  - `azure-validate` — Pre-deployment validation checks.
+  - `entra-app-registration` — Microsoft Entra ID app registration and OAuth setup.
+  - `microsoft-foundry` — Foundry agent deployment, evaluation, and management.

.github/plugins/azure-skills/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright 2025 (c) Microsoft Corporation.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE

.github/plugins/azure-skills/README.md

@@ -47,11 +47,13 @@ When running on Azure resources (VMs, Container Apps, etc.), the server automati
 For more authentication options, see the [Azure Identity documentation](https://learn.microsoft.com/azure/developer/azure-mcp-server/).
 
 ### 4. Install the Plugins
+```bash
 # Add the repo as a plugin marketplace
-/plugin marketplace add microsoft/github-copilot-for-azure
+/plugin marketplace add microsoft/azure-skills
 
 # Pull in the Azure plugin
-/plugin install azure@github-copilot-for-azure
+/plugin install azure@azure-skills
+```
 
 ## Available Tools
 

.github/plugins/azure-skills/skills/appinsights-instrumentation/SKILL.md

@@ -1,9 +1,10 @@
 ---
 name: appinsights-instrumentation
-description: |
-  Guidance for instrumenting webapps with Azure Application Insights. Provides telemetry patterns, SDK setup, and configuration references.
-  USE FOR: how to instrument app, App Insights SDK, telemetry patterns, what is App Insights, Application Insights guidance, instrumentation examples, APM best practices.
-  DO NOT USE FOR: adding App Insights to my app (use azure-prepare), add telemetry to my project (use azure-prepare), add monitoring (use azure-prepare). This skill provides guidance—azure-prepare orchestrates component changes.
+description: "Guidance for instrumenting webapps with Azure Application Insights. Provides telemetry patterns, SDK setup, and configuration references. WHEN: how to instrument app, App Insights SDK, telemetry patterns, what is App Insights, Application Insights guidance, instrumentation examples, APM best practices."
+license: MIT
+metadata:
+  author: Microsoft
+  version: "1.0.2"
 ---
 
 # AppInsights Instrumentation Guide

.github/plugins/azure-skills/skills/appinsights-instrumentation/references/sdk/azure-monitor-opentelemetry-exporter-py.md

@@ -5,7 +5,9 @@
 > in the **azure-monitor-opentelemetry-exporter-py** plugin skill if installed.
 
 ## Install
+```bash
 pip install azure-monitor-opentelemetry-exporter
+```
 
 ## Quick Start
 ```python

.github/plugins/azure-skills/skills/appinsights-instrumentation/references/sdk/azure-monitor-opentelemetry-py.md

@@ -5,7 +5,9 @@
 > in the **azure-monitor-opentelemetry-py** plugin skill if installed.
 
 ## Install
+```bash
 pip install azure-monitor-opentelemetry
+```
 
 ## Quick Start
 ```python

.github/plugins/azure-skills/skills/azure-ai/SKILL.md

@@ -1,6 +1,10 @@
 ---
 name: azure-ai
-description: "Use for Azure AI: Search, Speech, OpenAI, Document Intelligence. Helps with search, vector/hybrid search, speech-to-text, text-to-speech, transcription, OCR. USE FOR: AI Search, query search, vector search, hybrid search, semantic search, speech-to-text, text-to-speech, transcribe, OCR, convert text to speech. DO NOT USE FOR: Function apps/Functions (use azure-functions), databases (azure-postgres/azure-kusto), general Azure resources."
+description: "Use for Azure AI: Search, Speech, OpenAI, Document Intelligence. Helps with search, vector/hybrid search, speech-to-text, text-to-speech, transcription, OCR. WHEN: AI Search, query search, vector search, hybrid search, semantic search, speech-to-text, text-to-speech, transcribe, OCR, convert text to speech."
+license: MIT
+metadata:
+  author: Microsoft
+  version: "1.0.1"
 ---
 
 # Azure AI Services

.github/plugins/azure-skills/skills/azure-ai/references/auth-best-practices.md

@@ -0,0 +1,128 @@
+# Azure Authentication Best Practices
+
+> Source: [Microsoft — Passwordless connections for Azure services](https://learn.microsoft.com/azure/developer/intro/passwordless-overview) and [Azure Identity client libraries](https://learn.microsoft.com/dotnet/azure/sdk/authentication/).
+
+## Golden Rule
+
+Use **managed identities** and **Azure RBAC** in production. Reserve `DefaultAzureCredential` for **local development only**.
+
+## Authentication by Environment
+
+| Environment | Recommended Credential | Why |
+|---|---|---|
+| **Production (Azure-hosted)** | `ManagedIdentityCredential` (system- or user-assigned) | No secrets to manage; auto-rotated by Azure |
+| **Production (on-premises)** | `ClientCertificateCredential` or `WorkloadIdentityCredential` | Deterministic; no fallback chain overhead |
+| **CI/CD pipelines** | `AzurePipelinesCredential` / `WorkloadIdentityCredential` | Scoped to pipeline identity |
+| **Local development** | `DefaultAzureCredential` | Chains CLI, PowerShell, and VS Code credentials for convenience |
+
+## Why Not `DefaultAzureCredential` in Production?
+
+1. **Unpredictable fallback chain** — walks through multiple credential types, adding latency and making failures harder to diagnose.
+2. **Broad surface area** — checks environment variables, CLI tokens, and other sources that should not exist in production.
+3. **Non-deterministic** — which credential actually authenticates depends on the environment, making behavior inconsistent across deployments.
+4. **Performance** — each failed credential attempt adds network round-trips before falling back to the next.
+
+## Production Patterns
+
+### .NET
+
+```csharp
+using Azure.Identity;
+
+var credential = Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT") == "Development"
+    ? new DefaultAzureCredential()                          // local dev — uses CLI/VS credentials
+    : new ManagedIdentityCredential();                      // production — deterministic, no fallback chain
+// For user-assigned identity: new ManagedIdentityCredential("<client-id>")
+```
+
+### TypeScript / JavaScript
+
+```typescript
+import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
+
+const credential = process.env.NODE_ENV === "development"
+  ? new DefaultAzureCredential()                          // local dev — uses CLI/VS credentials
+  : new ManagedIdentityCredential();                      // production — deterministic, no fallback chain
+// For user-assigned identity: new ManagedIdentityCredential("<client-id>")
+```
+
+### Python
+
+```python
+import os
+from azure.identity import DefaultAzureCredential, ManagedIdentityCredential
+
+credential = (
+    DefaultAzureCredential()                              # local dev — uses CLI/VS credentials
+    if os.getenv("AZURE_FUNCTIONS_ENVIRONMENT") == "Development"
+    else ManagedIdentityCredential()                      # production — deterministic, no fallback chain
+)
+# For user-assigned identity: ManagedIdentityCredential(client_id="<client-id>")
+```
+
+### Java
+
+```java
+import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+
+var credential = "Development".equals(System.getenv("AZURE_FUNCTIONS_ENVIRONMENT"))
+    ? new DefaultAzureCredentialBuilder().build()          // local dev — uses CLI/VS credentials
+    : new ManagedIdentityCredentialBuilder().build();      // production — deterministic, no fallback chain
+// For user-assigned identity: new ManagedIdentityCredentialBuilder().clientId("<client-id>").build()
+```
+
+## Local Development Setup
+
+`DefaultAzureCredential` is ideal for local dev because it automatically picks up credentials from developer tools:
+
+1. **Azure CLI** — `az login`
+2. **Azure Developer CLI** — `azd auth login`
+3. **Azure PowerShell** — `Connect-AzAccount`
+4. **Visual Studio / VS Code** — sign in via Azure extension
+
+```typescript
+import { DefaultAzureCredential } from "@azure/identity";
+
+// Local development only — uses CLI/PowerShell/VS Code credentials
+const credential = new DefaultAzureCredential();
+```
+
+## Environment-Aware Pattern
+
+Detect the runtime environment and select the appropriate credential. The key principle: use `DefaultAzureCredential` only when running locally, and a specific credential in production.
+
+> **Tip:** Azure Functions sets `AZURE_FUNCTIONS_ENVIRONMENT` to `"Development"` when running locally. For App Service or containers, use any environment variable you control (e.g. `NODE_ENV`, `ASPNETCORE_ENVIRONMENT`).
+
+```typescript
+import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
+
+function getCredential() {
+  if (process.env.NODE_ENV === "development") {
+    return new DefaultAzureCredential();          // picks up az login / VS Code creds
+  }
+  return process.env.AZURE_CLIENT_ID
+    ? new ManagedIdentityCredential(process.env.AZURE_CLIENT_ID)  // user-assigned
+    : new ManagedIdentityCredential();                            // system-assigned
+}
+```
+
+## Security Checklist
+
+- [ ] Use managed identity for all Azure-hosted apps
+- [ ] Never hardcode credentials, connection strings, or keys
+- [ ] Apply least-privilege RBAC roles at the narrowest scope
+- [ ] Use `ManagedIdentityCredential` (not `DefaultAzureCredential`) in production
+- [ ] Store any required secrets in Azure Key Vault
+- [ ] Rotate secrets and certificates on a schedule
+- [ ] Enable Microsoft Defender for Cloud on production resources
+
+## Further Reading
+
+- [Passwordless connections overview](https://learn.microsoft.com/azure/developer/intro/passwordless-overview)
+- [Managed identities overview](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)
+- [Azure RBAC overview](https://learn.microsoft.com/azure/role-based-access-control/overview)
+- [.NET authentication guide](https://learn.microsoft.com/dotnet/azure/sdk/authentication/)
+- [Python identity library](https://learn.microsoft.com/python/api/overview/azure/identity-readme)
+- [JavaScript identity library](https://learn.microsoft.com/javascript/api/overview/azure/identity-readme)
+- [Java identity library](https://learn.microsoft.com/java/api/overview/azure/identity-readme)

.github/plugins/azure-skills/skills/azure-ai/references/sdk/azure-ai-document-intelligence-dotnet.md

@@ -22,7 +22,7 @@ var adminClient = new DocumentIntelligenceAdministrationClient(new Uri(endpoint)
 - Entra ID requires custom subdomain, not regional endpoint
 
 ## Best Practices
-1. Use DefaultAzureCredential for production
+1. Use DefaultAzureCredential for **local development only**. In production, use ManagedIdentityCredential — see [auth-best-practices.md](../auth-best-practices.md)
 2. Reuse client instances — clients are thread-safe
 3. Handle long-running operations with `WaitUntil.Completed`
 4. Check field confidence — always verify `Confidence` property

.github/plugins/azure-skills/skills/azure-ai/references/sdk/azure-ai-document-intelligence-ts.md

@@ -9,6 +9,9 @@ npm install @azure-rest/ai-document-intelligence @azure/identity
 ```
 
 ## Quick Start
+
+> **Auth:** `DefaultAzureCredential` is for local development. See [auth-best-practices.md](../auth-best-practices.md) for production patterns.
+
 ```typescript
 import DocumentIntelligence, { isUnexpected, getLongRunningPoller, AnalyzeOperationOutput } from "@azure-rest/ai-document-intelligence";
 const client = DocumentIntelligence(endpoint, new DefaultAzureCredential());

.github/plugins/azure-skills/skills/azure-ai/references/sdk/azure-search-documents-dotnet.md

@@ -21,7 +21,7 @@ var client = new SearchClient(new Uri(endpoint), indexName, credential);
 - Semantic answers: `result.Value.SemanticSearch.Answers` / captions on each result
 
 ## Best Practices
-1. Use `DefaultAzureCredential` over API keys for production
+1. Use `DefaultAzureCredential` for **local development only**. In production, use `ManagedIdentityCredential` — see [auth-best-practices.md](../auth-best-practices.md)
 2. Use `FieldBuilder` with model attributes for type-safe index definitions
 3. Use `CreateOrUpdateIndexAsync` for idempotent index creation
 4. Batch document operations for better throughput