feat: Update Azure Storage documentation and SDK usage examples

- Enhanced Azure Storage documentation with detailed SDK package information for multiple languages.
- Added quick start examples for JavaScript, Python, C#, Java, Go, and Rust using DefaultAzureCredential.
- Introduced a new SDK usage guide with installation commands and quick start examples for Azure Storage services.
- Updated Azure Validate skill documentation to reference global rules correctly.
- Created global rules documentation for mandatory checks across all skills.
- Added GitHub Copilot skill documentation, including setup, deployment, and critical rules.
- Introduced a test harness for verifying Copilot SDK and Extensions functionality post-deployment.
- Updated the web application to reflect the increase in Azure skills from 28 to 29.

Author: jongio

cli/counts.json

@@ -1,4 +1,4 @@
 {
   "agents": 16,
-  "skills": 28
+  "skills": 29
 }

cli/extension.yaml

@@ -6,7 +6,7 @@ displayName: Azure Copilot
 description: |
   AI-powered Azure development assistant. Describe what you want to build,
   and Copilot builds and deploys it to Azure. Includes 16 specialized agents
-  and 28 Azure skills.
+  and 29 Azure skills.
 usage: azd copilot <command> [options]
 version: 0.1.0
 entryPoint: copilot

cli/src/internal/assets/ghcp4a-skills/azure-deploy/SKILL.md

@@ -24,7 +24,7 @@ Activate this skill when user wants to:
 1. Run after azure-prepare and azure-validate
 2. Manifest must exist with status `Validated`
 3. **Pre-deploy checklist required** — [pre-deploy-checklist](references/pre-deploy-checklist.md)
-4. ⛔ **Destructive actions require `ask_user`** — [global-rules](../_shared/global-rules.md)
+4. ⛔ **Destructive actions require `ask_user`** — [global-rules](references/global-rules.md)
 
 ---
 

…ts/ghcp4a-skills/_shared/global-rules.md …/azure-deploy/references/global-rules.mdcli/src/internal/assets/ghcp4a-skills/_shared/global-rules.md renamed to cli/src/internal/assets/ghcp4a-skills/azure-deploy/references/global-rules.md cli/src/internal/assets/ghcp4a-skills/_shared/global-rules.md renamed to cli/src/internal/assets/ghcp4a-skills/azure-deploy/references/global-rules.md

@@ -39,4 +39,4 @@ ask_user(
 - Azure subscription (show actual name and ID)
 - Azure region/location
 
-See [pre-deploy-checklist](../azure-deploy/references/pre-deploy-checklist.md).
+See [pre-deploy-checklist](pre-deploy-checklist.md).

cli/src/internal/assets/ghcp4a-skills/azure-prepare/SKILL.md

@@ -31,7 +31,7 @@ Activate this skill when user wants to:
 4. Follow linked references for best practices and guidance
 5. Update `.azure/preparation-manifest.md` after each phase
 6. Invoke **azure-validate** before any deployment
-7. ⛔ **Destructive actions require `ask_user`** — [global-rules](../_shared/global-rules.md)
+7. ⛔ **Destructive actions require `ask_user`** — [global-rules](references/global-rules.md)
 
 > **⛔ MANDATORY USER CONFIRMATION REQUIRED**
 >

cli/src/internal/assets/ghcp4a-skills/azure-prepare/references/global-rules.md

@@ -0,0 +1,40 @@
+# Global Rules
+
+> **MANDATORY** — These rules apply to ALL skills. Violations are unacceptable.
+
+## Rule 1: Destructive Actions Require User Confirmation
+
+⛔ **ALWAYS use `ask_user`** before ANY destructive action.
+
+### What is Destructive?
+
+| Category | Examples |
+|----------|----------|
+| **Delete** | `az group delete`, `azd down`, `rm -rf`, delete resource |
+| **Overwrite** | Replace existing files, overwrite config, reset settings |
+| **Irreversible** | Purge Key Vault, delete storage account, drop database |
+| **Cost Impact** | Provision expensive resources, scale up significantly |
+| **Security** | Expose secrets, change access policies, modify RBAC |
+
+### How to Confirm
+
+```
+ask_user(
+  question: "This will permanently delete resource group 'rg-myapp'. Continue?",
+  choices: ["Yes, delete it", "No, cancel"]
+)
+```
+
+### No Exceptions
+
+- Do NOT assume user wants to delete/overwrite
+- Do NOT proceed based on "the user asked to deploy" (deploy ≠ delete old)
+- Do NOT batch destructive actions without individual confirmation
+
+---
+
+## Rule 2: Never Assume Subscription or Location
+
+⛔ **ALWAYS use `ask_user`** to confirm:
+- Azure subscription (show actual name and ID)
+- Azure region/location

cli/src/internal/assets/ghcp4a-skills/azure-prepare/references/security.md

@@ -221,6 +221,25 @@ Use Microsoft Defender for Cloud for:
 
 ---
 
+## Azure Identity SDK
+
+All Azure SDKs use their language's Identity library for credential-free authentication via `DefaultAzureCredential` or managed identity. Rust uses `DeveloperToolsCredential` as it doesn't have a `DefaultAzureCredential` equivalent.
+
+| Language | Package | Install |
+|----------|---------|---------|
+| .NET | `Azure.Identity` | `dotnet add package Azure.Identity` |
+| Java | `azure-identity` | Maven: `com.azure:azure-identity` |
+| JavaScript | `@azure/identity` | `npm install @azure/identity` |
+| Python | `azure-identity` | `pip install azure-identity` |
+| Go | `azidentity` | `go get github.com/Azure/azure-sdk-for-go/sdk/azidentity` |
+| Rust | `azure_identity` | `cargo add azure_identity` |
+
+For Key Vault SDK examples, see: [key-vault.md](services/key-vault.md)
+
+For Storage SDK examples, see: [storage.md](services/storage.md)
+
+---
+
 ## Further Reading
 
 - [Key Vault documentation](https://learn.microsoft.com/azure/key-vault/general/overview)

cli/src/internal/assets/ghcp4a-skills/azure-prepare/references/services/key-vault.md

@@ -117,48 +117,102 @@ secrets: [
 ]
 ```
 
-## SDK Access
+## Connection Patterns
 
-### Node.js
+### SDK Packages
 
-```javascript
-const { SecretClient } = require("@azure/keyvault-secrets");
-const { DefaultAzureCredential } = require("@azure/identity");
+| Language | Secrets | Keys | Certificates |
+|----------|---------|------|--------------|
+| .NET | `Azure.Security.KeyVault.Secrets` | `Azure.Security.KeyVault.Keys` | `Azure.Security.KeyVault.Certificates` |
+| Java | `azure-security-keyvault-secrets` | `azure-security-keyvault-keys` | `azure-security-keyvault-certificates` |
+| JavaScript | `@azure/keyvault-secrets` | `@azure/keyvault-keys` | `@azure/keyvault-certificates` |
+| Python | `azure-keyvault-secrets` | `azure-keyvault-keys` | `azure-keyvault-certificates` |
+| Go | `azsecrets` | `azkeys` | `azcertificates` |
+| Rust | `azure_security_keyvault_secrets` | `azure_security_keyvault_keys` | `azure_security_keyvault_certificates` |
+
+### JavaScript
 
-const client = new SecretClient(
-  process.env.KEY_VAULT_URL,
-  new DefaultAzureCredential()
-);
+```javascript
+import { DefaultAzureCredential } from "@azure/identity";
+import { SecretClient } from "@azure/keyvault-secrets";
 
+const client = new SecretClient(process.env.KEY_VAULT_URL, new DefaultAzureCredential());
 const secret = await client.getSecret("database-connection-string");
-console.log(secret.value);
+// Use secret.value securely - do not log secrets
 ```
 
 ### Python
 
 ```python
+import os
 from azure.keyvault.secrets import SecretClient
 from azure.identity import DefaultAzureCredential
 
-client = SecretClient(
-    vault_url=os.environ["KEY_VAULT_URL"],
-    credential=DefaultAzureCredential()
-)
-
+client = SecretClient(vault_url=os.environ["KEY_VAULT_URL"], credential=DefaultAzureCredential())
 secret = client.get_secret("database-connection-string")
-print(secret.value)
+# Use secret.value securely - do not log secrets
 ```
 
-### .NET
+### C#
 
 ```csharp
-var client = new SecretClient(
-    new Uri(Environment.GetEnvironmentVariable("KEY_VAULT_URL")),
-    new DefaultAzureCredential()
-);
+using Azure.Identity;
+using Azure.Security.KeyVault.Secrets;
 
+var client = new SecretClient(new Uri(Environment.GetEnvironmentVariable("KEY_VAULT_URL")), new DefaultAzureCredential());
 KeyVaultSecret secret = await client.GetSecretAsync("database-connection-string");
-Console.WriteLine(secret.Value);
+// Use secret.Value securely - do not log secrets
+```
+
+### Java
+
+```java
+import com.azure.identity.*;
+import com.azure.security.keyvault.secrets.*;
+import com.azure.security.keyvault.secrets.models.*;
+
+SecretClient client = new SecretClientBuilder()
+    .vaultUrl(System.getenv("KEY_VAULT_URL"))
+    .credential(new DefaultAzureCredentialBuilder().build())
+    .buildClient();
+KeyVaultSecret secret = client.getSecret("database-connection-string");
+// Use secret.getValue() securely - do not log secrets
+```
+
+### Go
+
+```go
+package main
+
+import (
+    "context"
+    "os"
+
+    "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+    "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
+)
+
+func main() {
+    cred, _ := azidentity.NewDefaultAzureCredential(nil)
+    client, _ := azsecrets.NewClient(os.Getenv("KEY_VAULT_URL"), cred, nil)
+
+    resp, _ := client.GetSecret(context.Background(), "database-connection-string", "", nil)
+    // Use *resp.Value securely - do not log secrets
+}
+```
+
+### Rust
+
+Note: Rust uses `DeveloperToolsCredential` as it doesn't have a `DefaultAzureCredential` equivalent.
+
+```rust
+use azure_identity::DeveloperToolsCredential;
+use azure_security_keyvault_secrets::SecretClient;
+
+let credential = DeveloperToolsCredential::new(None)?;
+let client = SecretClient::new(std::env::var("KEY_VAULT_URL")?, credential.clone(), None)?;
+let secret = client.get_secret("database-connection-string", None).await?.into_model()?;
+// Use secret.value securely - do not log secrets
 ```
 
 ## Environment Variables

cli/src/internal/assets/ghcp4a-skills/azure-prepare/references/services/storage.md

@@ -137,35 +137,122 @@ resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-0
 
 ## Connection Patterns
 
-### Node.js
+### SDK Packages
+
+| Language | Blob | Queue | File Share | Data Lake |
+|----------|------|-------|------------|-----------|
+| .NET | `Azure.Storage.Blobs` | `Azure.Storage.Queues` | `Azure.Storage.Files.Shares` | `Azure.Storage.Files.DataLake` |
+| Java | `azure-storage-blob` | `azure-storage-queue` | `azure-storage-file-share` | `azure-storage-file-datalake` |
+| JavaScript | `@azure/storage-blob` | `@azure/storage-queue` | `@azure/storage-file-share` | `@azure/storage-file-datalake` |
+| Python | `azure-storage-blob` | `azure-storage-queue` | `azure-storage-file-share` | `azure-storage-file-datalake` |
+| Go | `azblob` | `azqueue` | `azfile` | `azdatalake` |
+| Rust | `azure_storage_blob` | `azure_storage_queue` | - | - |
+
+### JavaScript
 
 ```javascript
-const { BlobServiceClient } = require("@azure/storage-blob");
+import { DefaultAzureCredential } from "@azure/identity";
+import { BlobServiceClient } from "@azure/storage-blob";
 
-const blobServiceClient = BlobServiceClient.fromConnectionString(
-  process.env.AZURE_STORAGE_CONNECTION_STRING
+const client = new BlobServiceClient(
+    `https://${process.env.AZURE_STORAGE_ACCOUNT}.blob.core.windows.net`,
+    new DefaultAzureCredential()
 );
-const containerClient = blobServiceClient.getContainerClient("uploads");
+const container = client.getContainerClient("uploads");
+const blob = container.getBlockBlobClient("my-file.txt");
+await blob.uploadData(Buffer.from("Hello, Azure Storage!"));
 ```
 
 ### Python
 
 ```python
+import os
+from azure.identity import DefaultAzureCredential
 from azure.storage.blob import BlobServiceClient
 
-blob_service_client = BlobServiceClient.from_connection_string(
-    os.environ["AZURE_STORAGE_CONNECTION_STRING"]
+service = BlobServiceClient(
+    account_url=f"https://{os.environ['AZURE_STORAGE_ACCOUNT']}.blob.core.windows.net",
+    credential=DefaultAzureCredential()
 )
-container_client = blob_service_client.get_container_client("uploads")
+container = service.get_container_client("uploads")
+blob = container.get_blob_client("my-file.txt")
+blob.upload_blob(b"Hello, Azure Storage!", overwrite=True)
 ```
 
-### .NET
+### C#
 
 ```csharp
-var blobServiceClient = new BlobServiceClient(
-    Environment.GetEnvironmentVariable("AZURE_STORAGE_CONNECTION_STRING")
+using Azure.Identity;
+using Azure.Storage.Blobs;
+
+var accountName = Environment.GetEnvironmentVariable("AZURE_STORAGE_ACCOUNT");
+var client = new BlobServiceClient(
+    new Uri($"https://{accountName}.blob.core.windows.net"),
+    new DefaultAzureCredential()
 );
-var containerClient = blobServiceClient.GetBlobContainerClient("uploads");
+var container = client.GetBlobContainerClient("uploads");
+var blob = container.GetBlobClient("my-file.txt");
+await blob.UploadAsync(BinaryData.FromString("Hello, Azure Storage!"), overwrite: true);
+```
+
+### Java
+
+```java
+import com.azure.identity.*;
+import com.azure.storage.blob.*;
+import com.azure.core.util.BinaryData;
+
+BlobServiceClient client = new BlobServiceClientBuilder()
+    .endpoint("https://" + System.getenv("AZURE_STORAGE_ACCOUNT") + ".blob.core.windows.net")
+    .credential(new DefaultAzureCredentialBuilder().build())
+    .buildClient();
+BlobContainerClient container = client.getBlobContainerClient("uploads");
+BlobClient blob = container.getBlobClient("my-file.txt");
+blob.upload(BinaryData.fromString("Hello, Azure Storage!"), true);
+```
+
+### Go
+
+```go
+package main
+
+import (
+    "context"
+    "os"
+
+    "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+    "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
+)
+
+func main() {
+    cred, _ := azidentity.NewDefaultAzureCredential(nil)
+    client, _ := azblob.NewClient(
+        "https://"+os.Getenv("AZURE_STORAGE_ACCOUNT")+".blob.core.windows.net",
+        cred, nil,
+    )
+    data := []byte("Hello, Azure Storage!")
+    _, _ = client.UploadBuffer(context.Background(), "uploads", "my-file.txt", data, nil)
+}
+```
+
+### Rust
+
+Note: Rust uses `DeveloperToolsCredential` as it doesn't have a `DefaultAzureCredential` equivalent.
+
+```rust
+use azure_identity::DeveloperToolsCredential;
+use azure_storage_blob::{BlobClient, BlobClientOptions};
+
+let credential = DeveloperToolsCredential::new(None)?;
+let blob_client = BlobClient::new(
+    &format!("https://{}.blob.core.windows.net/", std::env::var("AZURE_STORAGE_ACCOUNT")?),
+    "uploads",
+    "my-file.txt",
+    Some(credential),
+    Some(BlobClientOptions::default()),
+)?;
+let data = b"Hello, Azure Storage!";
+blob_client.upload(None, data.to_vec().into()).await?;
 ```
 
 ## Managed Identity Access

cli/src/internal/assets/ghcp4a-skills/azure-storage/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: azure-storage
-description: Azure Storage Services including Blob Storage, File Shares, Queue Storage, Table Storage, and Data Lake. Provides object storage, SMB file shares, async messaging, NoSQL key-value, and big data analytics capabilities.
+description: Azure Storage Services including Blob Storage, File Shares, Queue Storage, Table Storage, and Data Lake. Provides object storage, SMB file shares, async messaging, NoSQL key-value, and big data analytics capabilities. Includes access tiers (hot, cool, archive) and lifecycle management.
 ---
 
 # Azure Storage Services
@@ -78,3 +78,7 @@ For deep documentation on specific services:
 - Blob storage patterns and lifecycle -> [Blob Storage documentation](https://learn.microsoft.com/azure/storage/blobs/storage-blobs-overview)
 - File shares and Azure File Sync -> [Azure Files documentation](https://learn.microsoft.com/azure/storage/files/storage-files-introduction)
 - Queue patterns and poison handling -> [Queue Storage documentation](https://learn.microsoft.com/azure/storage/queues/storage-queues-introduction)
+
+## Azure SDKs
+
+For building applications that interact with Azure Storage programmatically, Azure provides SDK packages in multiple languages (.NET, Java, JavaScript, Python, Go, Rust). See [SDK Usage Guide](references/sdk-usage.md) for package names, installation commands, and quick start examples.