Sync upstream skills and add deploy confirmation guardrails

- Sync ghcp4a-skills from microsoft/GitHub-Copilot-for-Azure upstream
- Restructure service docs into per-service subdirectories
- Add SDK reference docs across skills
- Add new skills: azure-messaging, azure-resource-lookup, azure-rbac
- Remove deprecated skills: github-copilot, azure-role-selector
- Slim microsoft-foundry SKILL.md, move content to subdirectories
- Add skills_test.go and validation_test.go
- Require explicit user confirmation before Azure deployments
- Clarify --no-prompt vs ask_user in azure-functions skill

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jongio

cli/src/internal/assets/agents/azure-manager.md

@@ -12,14 +12,15 @@ You build apps and deploy them to Azure. That's it.
 
 1. **NEVER ask "do you want to build this on Azure?"** - YES, ALWAYS.
 2. **NEVER ask "do you want a local app or cloud app?"** - CLOUD, ALWAYS.
-3. **NEVER ask "should I deploy this?"** - YES, ALWAYS.
+3. **ALWAYS confirm before deploying** - Use `ask_user` to confirm before running `azd up`, `azd provision`, or `azd deploy`. Provisioning creates real Azure resources that cost money.
 4. **NEVER offer alternatives to Azure** - Azure is the only option.
 5. **NEVER just give instructions** - DO the work yourself.
 
 The user ran `azd copilot`. That means:
 - They want an Azure app
 - They want it deployed to Azure
 - They want you to build it, not explain how
+- But **always confirm before provisioning or deploying** — the user must approve spending real money
 
 ## What You Do
 
@@ -29,7 +30,7 @@ You are the **coordinator**. You plan the work and delegate to specialized agent
 2. **Classify complexity** — simple (do it yourself) vs standard (delegate to agents)
 3. Create `docs/spec.md` with the design
 4. **Delegate or execute** the build phases
-5. Run `azd up` to deploy (always do this yourself)
+5. **Confirm with user**, then run `azd up` to deploy (always do this yourself)
 6. Report the live URLs
 
 ## Agent Delegation
@@ -64,7 +65,7 @@ These agents produce independent file sets — run them **simultaneously**:
 ### Phase 4: Ship (sequential — you do this)
 | Agent | Task |
 |-------|------|
-| **You (manager)** | Run `azd up`, verify endpoints, report URLs |
+| **You (manager)** | Confirm with user, then run `azd up`, verify endpoints, report URLs |
 | `azure-docs` | *(after deploy)* Generate README, API docs, ADR | `README.md`, `docs/` |
 | `azure-analytics` | *(optional)* Set up monitoring dashboards, KQL queries |
 | `azure-marketing` | *(optional)* Landing page copy, feature descriptions |
@@ -94,7 +95,7 @@ Common failure mode: you SAY "I'll delegate to azure-architect and azure-dev" an
 - **Reclassify immediately** — the app is now standard complexity
 - **Delegate infrastructure changes to `azure-architect`** — do NOT iterate on Bicep yourself when adding Container Apps, ACR, databases, or multi-service architectures. The architect agent has specialized knowledge of AVM module params, dependency ordering, and ACR authentication patterns.
 - **Delegate code changes to `azure-dev`** — the dev agent handles backend API scaffolding, Dockerfile creation, and frontend-backend wiring
-- The only thing you still do yourself: run `azd up` and verify endpoints
+- The only thing you still do yourself: confirm with user, run `azd up`, and verify endpoints
 - **Skip `azure-prepare` for upgrades** — if `azure.yaml` already exists and you're adding a service to a running app, do NOT invoke `azure-prepare`. The subscription, region, and environment are already configured. Just read the current files, update the spec, and delegate. Reading 7+ reference files and asking the user to re-confirm subscription/region wastes time.
 
 ## Escalation Rules — Stop Guessing After 3 Failures
@@ -146,7 +147,7 @@ Common failure mode: you SAY "I'll delegate to azure-architect and azure-dev" an
 **Simple app ideal turn sequence (target: 5 turns):**
 1. View workspace + invoke `avm-bicep-rules` skill + check Free SKU count via PowerShell (parallel)
 2. Create ALL files in ONE turn: spec.md, app code, azure.yaml, **main.parameters.json**, Bicep files, .gitignore, .gitattributes, package.json (if SWA). Use `powershell` to create directories first in this same turn if needed. **Never forget main.parameters.json — azd up will fail without it.**
-3. Chain deployment prep + deploy in ONE command: `azd env new <project>-<random4digits> --no-prompt && azd env set AZURE_LOCATION <region> --no-prompt && azd up --no-prompt`
+3. Set up environment: `azd env new <project>-<random4digits> --no-prompt && azd env set AZURE_LOCATION <region> --no-prompt`. Then **use `ask_user` to confirm** the user wants to deploy (show subscription, region, and what will be created). Only after confirmation, run `azd up --no-prompt`.
 4. If deploy step fails with tag error but provision succeeded, wait 15-30s then retry `azd deploy --no-prompt`.
 5. Verify endpoint + update spec checkboxes (all in one turn)
 
@@ -240,8 +241,8 @@ Optional in this phase:
 - Check box: `- [x] Security review`, `- [x] Tests created`
 
 ### 4. Deploy (ALWAYS DO THIS YOURSELF — never delegate)
-**Simple:** Chain deploy in one command.
-**Standard:** Run `azd up` after verifying architect + dev output.
+**Simple:** Set up environment, confirm with user, then deploy.
+**Standard:** Verify architect + dev output, confirm with user, then run `azd up`.
 
 **CRITICAL: Use a unique environment name to avoid resource conflicts!**
 
@@ -270,15 +271,26 @@ For **standard** apps:
 ```bash
 # ALWAYS set the location first to avoid default-region mismatch
 azd env set AZURE_LOCATION <confirmed-region> --no-prompt
-# Then deploy
+```
+
+**⛔ MANDATORY: Use `ask_user` to confirm before deploying.** Show the user what will happen (subscription, region, resources to be created) and ask for explicit confirmation:
+```
+ask_user(
+  question: "Ready to deploy to Azure? This will provision resources in subscription '<name>' in region '<region>'. Proceed?",
+  choices: ["Yes, deploy now", "No, cancel"]
+)
+```
+
+Only after the user confirms, run:
+```bash
 azd up --no-prompt
 ```
 
 > ⚠️ **Never skip `azd env set AZURE_LOCATION`** — without it, `azd up` may default to a region where your services aren't available (e.g., SWA is only in 5 regions). This was observed causing full deployment failures.
 
 > ⚠️ **Tag propagation delay**: If `azd up` provisions successfully but deploy fails with "resource not found: unable to find a resource tagged with 'azd-service-name'" — this is a known Azure tag propagation delay. Wait 15-30 seconds, then retry `azd deploy --no-prompt`. Do NOT re-provision (`azd provision`). A single retry of `azd deploy` is almost always sufficient.
 
-**Run this yourself. Do NOT tell user to run it.**
+**Run this yourself after user confirms. Do NOT tell user to run it.**
 
 If it fails:
 - **"resource not found" + tag error after successful provision** → wait 15-30 seconds, then retry `azd deploy --no-prompt`. Do NOT re-provision.
@@ -346,7 +358,7 @@ skill("azure-prepare")
 
 1. **ALWAYS create docs/spec.md first** - before any code
 2. **ALWAYS save checkpoints** - after each phase (standard complexity only)
-3. **ALWAYS run azd up** - never just give instructions
+3. **ALWAYS confirm with user before deploying** - then run azd up yourself, never just give instructions
 4. **ALWAYS set AZURE_LOCATION before azd up** - prevent region mismatch failures
 5. **ALWAYS update task checkboxes** - track progress in spec.md
 6. **Bias to action** - build first, refine later

cli/src/internal/assets/ghcp4a-skills/appinsights-instrumentation/SKILL.md

@@ -1,15 +1,33 @@
 ---
 name: appinsights-instrumentation
-description: "Instrument web applications to send telemetry data to Azure Application Insights for observability and monitoring. USE FOR: instrument app with app insights, add appinsights instrumentation, configure application insights, set up telemetry monitoring, enable app insights auto-instrumentation, add observability to azure web app, instrument webapp to send data to app insights, configure telemetry for app service. DO NOT USE FOR: non-Azure monitoring (use CloudWatch for AWS, Datadog for third-party), log analysis (use azure-kusto), cost monitoring (use azure-cost-optimization), security monitoring (use azure-security)."
+description: >-
+  Guidance for instrumenting webapps with Azure Application Insights. Provides telemetry patterns, SDK setup, and configuration references.
+  USE FOR: how to instrument app, App Insights SDK, telemetry patterns, what is App Insights, Application Insights guidance, instrumentation examples, APM best practices.
+  DO NOT USE FOR: adding App Insights to my app (use azure-prepare), add telemetry to my project (use azure-prepare), add monitoring (use azure-prepare). This skill provides guidance—azure-prepare orchestrates component changes.
 ---
 
-# AppInsights instrumentation
+# AppInsights Instrumentation Guide
 
-This skill enables sending telemetry data of a webapp to Azure App Insights for better observability of the app's health.
+This skill provides **guidance and reference material** for instrumenting webapps with Azure Application Insights.
 
-## When to use this skill
+> **⛔ ADDING COMPONENTS?**
+>
+> If the user wants to **add App Insights to their app**, invoke **azure-prepare** instead.
+> This skill provides reference material—azure-prepare orchestrates the actual changes.
 
-Use this skill when the user wants to enable telemetry for their webapp.
+## When to Use This Skill
+
+- User asks **how** to instrument (guidance, patterns, examples)
+- User needs SDK setup instructions
+- azure-prepare invokes this skill during research phase
+- User wants to understand App Insights concepts
+
+## When to Use azure-prepare Instead
+
+- User says "add telemetry to my app"
+- User says "add App Insights" 
+- User wants to modify their project
+- Any request to change/add components
 
 ## Prerequisites
 
@@ -46,3 +64,8 @@ No matter which option you choose, recommend the user to create the App Insights
 - If the app is an ASP.NET Core app, see [ASPNETCORE guide](references/aspnetcore.md) for how to modify the C# code.
 - If the app is a Node.js app, see [NODEJS guide](references/nodejs.md) for how to modify the JavaScript/TypeScript code.
 - If the app is a Python app, see [PYTHON guide](references/python.md) for how to modify the Python code.
+
+## SDK Quick References
+
+- **OpenTelemetry Distro**: [Python](references/sdk/azure-monitor-opentelemetry-py.md) | [TypeScript](references/sdk/azure-monitor-opentelemetry-ts.md)
+- **OpenTelemetry Exporter**: [Python](references/sdk/azure-monitor-opentelemetry-exporter-py.md) | [Java](references/sdk/azure-monitor-opentelemetry-exporter-java.md)

cli/src/internal/assets/ghcp4a-skills/appinsights-instrumentation/references/aspnetcore.md

@@ -16,14 +16,14 @@ An ASP.NET Core app typically has a Program.cs file that "builds" the app. Find
 
 ## Configure App Insights connection string
 
-The App Insights resource has a connection string. Add the connection string as an environment variable of the running app. You can use Azure CLI to query the connection string of the App Insights resource. See [scripts/appinsights.ps1](scripts/appinsights.ps1) for what Azure CLI command to execute for querying the connection string.
+The App Insights resource has a connection string. Add the connection string as an environment variable of the running app. You can use Azure CLI to query the connection string of the App Insights resource. See [scripts/appinsights.ps1](../scripts/appinsights.ps1) for what Azure CLI command to execute for querying the connection string.
 
 After getting the connection string, set this environment variable with its value.
 
 ```
 "APPLICATIONINSIGHTS_CONNECTION_STRING={your_application_insights_connection_string}"
 ```
 
-If the app has IaC template such as Bicep or terraform files representing its cloud instance, this environment variable should be added to the IaC template to be applied in each deployment. Otherwise, use Azure CLI to manually apply the environment variable to the cloud instance of the app. See [scripts/appinsights.ps1](scripts/appinsights.ps1) for what Azure CLI command to execute for setting this environment variable.
+If the app has IaC template such as Bicep or terraform files representing its cloud instance, this environment variable should be added to the IaC template to be applied in each deployment. Otherwise, use Azure CLI to manually apply the environment variable to the cloud instance of the app. See [scripts/appinsights.ps1](../scripts/appinsights.ps1) for what Azure CLI command to execute for setting this environment variable.
 
 > Important: Don't modify appsettings.json. It was a deprecated way to configure App Insights. The environment variable is the new recommended way.

cli/src/internal/assets/ghcp4a-skills/appinsights-instrumentation/references/sdk/azure-monitor-opentelemetry-exporter-java.md

@@ -0,0 +1,31 @@
+# Azure Monitor OpenTelemetry Exporter — Java SDK Quick Reference
+
+> Condensed from **azure-monitor-opentelemetry-exporter-java**. Full patterns
+> (trace/metric/log export, spans, semantic conventions)
+> in the **azure-monitor-opentelemetry-exporter-java** plugin skill if installed.
+
+## Install
+```xml
+<dependency>
+    <groupId>com.azure</groupId>
+    <artifactId>azure-monitor-opentelemetry-exporter</artifactId>
+    <version>1.0.0-beta.x</version>
+</dependency>
+```
+
+> **DEPRECATED**: Migrate to `azure-monitor-opentelemetry-autoconfigure`.
+
+## Quick Start
+```java
+// Prefer autoconfigure instead:
+// <artifactId>azure-monitor-opentelemetry-autoconfigure</artifactId>
+```
+
+## Best Practices
+- Use autoconfigure — migrate to `azure-monitor-opentelemetry-autoconfigure`
+- Set meaningful span names — use descriptive operation names
+- Add relevant attributes — include contextual data for debugging
+- Handle exceptions — always record exceptions on spans
+- Use semantic conventions — follow OpenTelemetry semantic conventions
+- End spans in finally — ensure spans are always ended
+- Use try-with-resources — scope management with try-with-resources pattern

cli/src/internal/assets/ghcp4a-skills/appinsights-instrumentation/references/sdk/azure-monitor-opentelemetry-exporter-py.md

@@ -0,0 +1,22 @@
+# Azure Monitor OpenTelemetry Exporter — Python SDK Quick Reference
+
+> Condensed from **azure-monitor-opentelemetry-exporter-py**. Full patterns
+> (metric exporter, log exporter, offline storage, sovereign clouds)
+> in the **azure-monitor-opentelemetry-exporter-py** plugin skill if installed.
+
+## Install
+pip install azure-monitor-opentelemetry-exporter
+
+## Quick Start
+```python
+from azure.monitor.opentelemetry.exporter import AzureMonitorTraceExporter
+exporter = AzureMonitorTraceExporter()  # reads APPLICATIONINSIGHTS_CONNECTION_STRING
+```
+
+## Best Practices
+- Use BatchSpanProcessor for production (not SimpleSpanProcessor)
+- Use ApplicationInsightsSampler for consistent sampling across services
+- Enable offline storage for reliability in production
+- Use AAD authentication instead of instrumentation keys
+- Set export intervals appropriate for your workload
+- Use the distro (azure-monitor-opentelemetry) unless you need custom pipelines

cli/src/internal/assets/ghcp4a-skills/appinsights-instrumentation/references/sdk/azure-monitor-opentelemetry-py.md

@@ -0,0 +1,23 @@
+# Azure Monitor OpenTelemetry — Python SDK Quick Reference
+
+> Condensed from **azure-monitor-opentelemetry-py**. Full patterns
+> (Flask/Django/FastAPI, custom metrics, sampling, live metrics)
+> in the **azure-monitor-opentelemetry-py** plugin skill if installed.
+
+## Install
+pip install azure-monitor-opentelemetry
+
+## Quick Start
+```python
+from azure.monitor.opentelemetry import configure_azure_monitor
+configure_azure_monitor()
+```
+
+## Best Practices
+- Call configure_azure_monitor() early — before importing instrumented libraries
+- Use environment variables for connection string in production
+- Set cloud role name for multi-service Application Map
+- Enable sampling in high-traffic applications
+- Use structured logging for better log analytics queries
+- Add custom attributes to spans for better debugging
+- Use AAD authentication for production workloads

cli/src/internal/assets/ghcp4a-skills/appinsights-instrumentation/references/sdk/azure-monitor-opentelemetry-ts.md

@@ -0,0 +1,26 @@
+# Azure Monitor OpenTelemetry — TypeScript SDK Quick Reference
+
+> Condensed from **azure-monitor-opentelemetry-ts**. Full patterns
+> (ESM loader, custom span processors, manual exporters, live metrics)
+> in the **azure-monitor-opentelemetry-ts** plugin skill if installed.
+
+## Install
+npm install @azure/monitor-opentelemetry
+
+## Quick Start
+```typescript
+import { useAzureMonitor } from "@azure/monitor-opentelemetry";
+useAzureMonitor({
+  azureMonitorExporterOptions: {
+    connectionString: process.env.APPLICATIONINSIGHTS_CONNECTION_STRING
+  }
+});
+```
+
+## Best Practices
+- Call useAzureMonitor() first — before importing other modules
+- Use ESM loader for ESM projects — `--import @azure/monitor-opentelemetry/loader`
+- Enable offline storage for reliable telemetry in disconnected scenarios
+- Set sampling ratio for high-traffic applications
+- Add custom dimensions — use span processors for enrichment
+- Graceful shutdown — call shutdownAzureMonitor() to flush telemetry

cli/src/internal/assets/ghcp4a-skills/azure-ai/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: azure-ai
-description: "Use for Azure AI: Search, Speech, Foundry, OpenAI, Document Intelligence. Helps with search, vector/hybrid search, speech-to-text, text-to-speech, transcription, AI agents, prompt flows, OCR. USE FOR: AI Search, query search, vector search, hybrid search, semantic search, speech-to-text, text-to-speech, transcribe, AI agent, prompt flow, Foundry, OCR, convert text to speech. DO NOT USE FOR: Function apps/Functions (use azure-functions), databases (azure-postgres/azure-kusto), resources."
+description: "Use for Azure AI: Search, Speech, OpenAI, Document Intelligence. Helps with search, vector/hybrid search, speech-to-text, text-to-speech, transcription, OCR. USE FOR: AI Search, query search, vector search, hybrid search, semantic search, speech-to-text, text-to-speech, transcribe, OCR, convert text to speech. DO NOT USE FOR: Function apps/Functions (use azure-functions), databases (azure-postgres/azure-kusto), general Azure resources."
 ---
 
 # Azure AI Services
@@ -11,7 +11,6 @@ description: "Use for Azure AI: Search, Speech, Foundry, OpenAI, Document Intell
 |---------|----------|-----------|-----|
 | AI Search | Full-text, vector, hybrid search | `azure__search` | `az search` |
 | Speech | Speech-to-text, text-to-speech | `azure__speech` | - |
-| Foundry | AI models, agents, prompt flows | `azure__foundry` | `az ml` |
 | OpenAI | GPT models, embeddings, DALL-E | - | `az cognitiveservices` |
 | Document Intelligence | Form extraction, OCR | - | - |
 
@@ -28,11 +27,6 @@ When Azure MCP is enabled:
 - `azure__speech` with command `speech_transcribe` - Speech to text
 - `azure__speech` with command `speech_synthesize` - Text to speech
 
-### Foundry
-- `azure__foundry` with command `foundry_model_list` - List AI models
-- `azure__foundry` with command `foundry_deployment_list` - List deployments
-- `azure__foundry` with command `foundry_agent_list` - List AI agents
-
 **If Azure MCP is not enabled:** Run `/azure:setup` or enable via `/mcp`.
 
 ## AI Search Capabilities
@@ -53,19 +47,21 @@ When Azure MCP is enabled:
 | Speaker diarization | Identify who spoke when |
 | Custom models | Domain-specific vocabulary |
 
-## Foundry Capabilities
+## SDK Quick References
 
-| Feature | Description |
-|---------|-------------|
-| Model catalog | GPT-4, Llama, Mistral, custom |
-| AI agents | Multi-turn, tool calling, RAG |
-| Prompt flow | Orchestration, evaluation |
-| Fine-tuning | Custom model training |
+For programmatic access to these services, see the condensed SDK guides:
+
+- **AI Search**: [Python](references/sdk/azure-search-documents-py.md) | [TypeScript](references/sdk/azure-search-documents-ts.md) | [.NET](references/sdk/azure-search-documents-dotnet.md)
+- **OpenAI**: [.NET](references/sdk/azure-ai-openai-dotnet.md)
+- **Vision**: [Python](references/sdk/azure-ai-vision-imageanalysis-py.md) | [Java](references/sdk/azure-ai-vision-imageanalysis-java.md)
+- **Transcription**: [Python](references/sdk/azure-ai-transcription-py.md)
+- **Translation**: [Python](references/sdk/azure-ai-translation-text-py.md) | [TypeScript](references/sdk/azure-ai-translation-ts.md)
+- **Document Intelligence**: [.NET](references/sdk/azure-ai-document-intelligence-dotnet.md) | [TypeScript](references/sdk/azure-ai-document-intelligence-ts.md)
+- **Content Safety**: [Python](references/sdk/azure-ai-contentsafety-py.md) | [TypeScript](references/sdk/azure-ai-contentsafety-ts.md) | [Java](references/sdk/azure-ai-contentsafety-java.md)
 
 ## Service Details
 
 For deep documentation on specific services:
 
 - AI Search indexing and queries -> [Azure AI Search documentation](https://learn.microsoft.com/azure/search/search-what-is-azure-search)
 - Speech transcription patterns -> [Azure AI Speech documentation](https://learn.microsoft.com/azure/ai-services/speech-service/overview)
-- Foundry agents and flows -> [Azure AI Foundry documentation](https://learn.microsoft.com/azure/ai-studio/what-is-ai-studio)