Move global-rules.md (#826)

* Move global-rules.md

Related to #812.

The plugin/skills/_shared/global-rules.md file includes instructions about how to handle destructive operations and the importance of confirming subscription IDs and regions with the user. The idea is that these instructions apply to multiple skills so they should be picked up from a single shared file.

However, skills are not able to reference files outside of their directory and as such this file is never read by the LM. This makes sense from a security point of view--you wouldn't want a skill to be able to read in an arbitrary file from the file system. In YOLO/autopilot mode Copilot won't even ask for permission before reading the file.

The instructions about destructive operations are especially important, so for the moment we solve this issue by copying the global-rules.md file to each of the three skills (`azure-prepare`, `azure-validate`, `azure-deploy`) that currently use it.

* Fix references

Fix references to pre-deploy-checklist.md. In a couple of cases this means removing the reference as it points to a file in a different skill, and that will never be loaded.

Author: tmeschter

plugin/skills/azure-deploy/SKILL.md

@@ -24,7 +24,7 @@ Activate this skill when user wants to:
 1. Run after azure-prepare and azure-validate
 2. Manifest must exist with status `Validated`
 3. **Pre-deploy checklist required** — [pre-deploy-checklist](references/pre-deploy-checklist.md)
-4. ⛔ **Destructive actions require `ask_user`** — [global-rules](../_shared/global-rules.md)
+4. ⛔ **Destructive actions require `ask_user`** — [global-rules](references/global-rules.md)
 
 ---
 

plugin/skills/_shared/global-rules.md …/azure-deploy/references/global-rules.mdplugin/skills/_shared/global-rules.md renamed to plugin/skills/azure-deploy/references/global-rules.md plugin/skills/_shared/global-rules.md renamed to plugin/skills/azure-deploy/references/global-rules.md

@@ -39,4 +39,4 @@ ask_user(
 - Azure subscription (show actual name and ID)
 - Azure region/location
 
-See [pre-deploy-checklist](../azure-deploy/references/pre-deploy-checklist.md).
+See [pre-deploy-checklist](pre-deploy-checklist.md).

plugin/skills/azure-prepare/SKILL.md

@@ -31,7 +31,7 @@ Activate this skill when user wants to:
 4. Follow linked references for best practices and guidance
 5. Update `.azure/preparation-manifest.md` after each phase
 6. Invoke **azure-validate** before any deployment
-7. ⛔ **Destructive actions require `ask_user`** — [global-rules](../_shared/global-rules.md)
+7. ⛔ **Destructive actions require `ask_user`** — [global-rules](references/global-rules.md)
 
 > **⛔ MANDATORY USER CONFIRMATION REQUIRED**
 >

plugin/skills/azure-prepare/references/global-rules.md

@@ -0,0 +1,40 @@
+# Global Rules
+
+> **MANDATORY** — These rules apply to ALL skills. Violations are unacceptable.
+
+## Rule 1: Destructive Actions Require User Confirmation
+
+⛔ **ALWAYS use `ask_user`** before ANY destructive action.
+
+### What is Destructive?
+
+| Category | Examples |
+|----------|----------|
+| **Delete** | `az group delete`, `azd down`, `rm -rf`, delete resource |
+| **Overwrite** | Replace existing files, overwrite config, reset settings |
+| **Irreversible** | Purge Key Vault, delete storage account, drop database |
+| **Cost Impact** | Provision expensive resources, scale up significantly |
+| **Security** | Expose secrets, change access policies, modify RBAC |
+
+### How to Confirm
+
+```
+ask_user(
+  question: "This will permanently delete resource group 'rg-myapp'. Continue?",
+  choices: ["Yes, delete it", "No, cancel"]
+)
+```
+
+### No Exceptions
+
+- Do NOT assume user wants to delete/overwrite
+- Do NOT proceed based on "the user asked to deploy" (deploy ≠ delete old)
+- Do NOT batch destructive actions without individual confirmation
+
+---
+
+## Rule 2: Never Assume Subscription or Location
+
+⛔ **ALWAYS use `ask_user`** to confirm:
+- Azure subscription (show actual name and ID)
+- Azure region/location

plugin/skills/azure-validate/SKILL.md

@@ -18,7 +18,7 @@ description: "**CRITICAL**: Run azure-validate before deploying Azure resources.
 
 1. Run after azure-prepare, before azure-deploy
 2. All checks must pass—do not deploy with failures
-3. ⛔ **Destructive actions require `ask_user`** — [global-rules](../_shared/global-rules.md)
+3. ⛔ **Destructive actions require `ask_user`** — [global-rules](references/global-rules.md)
 
 ## Steps
 

plugin/skills/azure-validate/references/global-rules.md

@@ -0,0 +1,40 @@
+# Global Rules
+
+> **MANDATORY** — These rules apply to ALL skills. Violations are unacceptable.
+
+## Rule 1: Destructive Actions Require User Confirmation
+
+⛔ **ALWAYS use `ask_user`** before ANY destructive action.
+
+### What is Destructive?
+
+| Category | Examples |
+|----------|----------|
+| **Delete** | `az group delete`, `azd down`, `rm -rf`, delete resource |
+| **Overwrite** | Replace existing files, overwrite config, reset settings |
+| **Irreversible** | Purge Key Vault, delete storage account, drop database |
+| **Cost Impact** | Provision expensive resources, scale up significantly |
+| **Security** | Expose secrets, change access policies, modify RBAC |
+
+### How to Confirm
+
+```
+ask_user(
+  question: "This will permanently delete resource group 'rg-myapp'. Continue?",
+  choices: ["Yes, delete it", "No, cancel"]
+)
+```
+
+### No Exceptions
+
+- Do NOT assume user wants to delete/overwrite
+- Do NOT proceed based on "the user asked to deploy" (deploy ≠ delete old)
+- Do NOT batch destructive actions without individual confirmation
+
+---
+
+## Rule 2: Never Assume Subscription or Location
+
+⛔ **ALWAYS use `ask_user`** to confirm:
+- Azure subscription (show actual name and ID)
+- Azure region/location