makit 0.0.147 → 0.0.153

data/lib/generated/makit/v1/spec/spec_manifest_pb.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: makit/v1/spec/spec_manifest.proto
+
+require 'google/protobuf'
+
+require 'google/protobuf/struct_pb'
+require 'makit/v1/spec/message_spec_pb'
+require 'makit/v1/spec/message_spec_suite_pb'
+require 'makit/v1/spec/message_spec_test_pb'
+
+
+descriptor_data = "\n!makit/v1/spec/spec_manifest.proto\x12\rmakit.v1.spec\x1a\x1cgoogle/protobuf/struct.proto\x1a makit/v1/spec/message_spec.proto\x1a&makit/v1/spec/message_spec_suite.proto\x1a%makit/v1/spec/message_spec_test.proto\"\x96\x03\n\x0cSpecManifest\x12\x15\n\rmanifest_name\x18\x01 \x01(\t\x12\x0f\n\x07version\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\x12\x13\n\x0bprotos_path\x18\x04 \x01(\t\x12\x36\n\rmessage_suite\x18\x05 \x01(\x0b\x32\x1f.makit.v1.spec.MessageSpecSuite\x12\x32\n\ntest_suite\x18\x06 \x01(\x0b\x32\x1e.makit.v1.spec.MessageSpecTest\x12\x31\n\x10\x61\x64\x64itional_specs\x18\x07 \x03(\x0b\x32\x17.makit.v1.spec.SpecFile\x12\x33\n\x0c\x64\x65pendencies\x18\x08 \x03(\x0b\x32\x1d.makit.v1.spec.SpecDependency\x12-\n\x08metadata\x18\t \x01(\x0b\x32\x1b.makit.v1.spec.SpecMetadata\x12\x31\n\ngovernance\x18\n \x01(\x0b\x32\x1d.makit.v1.spec.GovernanceInfo\"\x9f\x01\n\x08SpecFile\x12\x11\n\tfile_path\x18\x01 \x01(\t\x12.\n\tfile_type\x18\x02 \x01(\x0e\x32\x1b.makit.v1.spec.SpecFileType\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\x12\x10\n\x08\x63hecksum\x18\x04 \x01(\t\x12\x12\n\nsize_bytes\x18\x05 \x01(\x03\x12\x15\n\rlast_modified\x18\x06 \x01(\t\"\xee\x01\n\x0eSpecDependency\x12\x17\n\x0f\x64\x65pendency_name\x18\x01 \x01(\t\x12\x1a\n\x12version_constraint\x18\x02 \x01(\t\x12\x36\n\x0f\x64\x65pendency_type\x18\x03 \x01(\x0e\x32\x1d.makit.v1.spec.DependencyType\x12\x13\n\x0b\x64\x65scription\x18\x04 \x01(\t\x12/\n\x06source\x18\x05 \x01(\x0e\x32\x1f.makit.v1.spec.DependencySource\x12)\n\x08metadata\x18\x06 \x01(\x0b\x32\x17.google.protobuf.Struct\"\xd4\x02\n\x0eGovernanceInfo\x12)\n\x06\x61uthor\x18\x01 \x01(\x0b\x32\x19.makit.v1.spec.AuthorInfo\x12+\n\x07license\x18\x02 \x01(\x0b\x32\x1a.makit.v1.spec.LicenseInfo\x12\x34\n\x0ereview_process\x18\x03 \x01(\x0b\x32\x1c.makit.v1.spec.ReviewProcess\x12:\n\x11\x63hange_management\x18\x04 \x01(\x0b\x32\x1f.makit.v1.spec.ChangeManagement\x12\x31\n\rquality_gates\x18\x05 \x03(\x0b\x32\x1a.makit.v1.spec.QualityGate\x12\x45\n\x17\x63ompliance_requirements\x18\x06 \x03(\x0b\x32$.makit.v1.spec.ComplianceRequirement\"\x85\x01\n\nAuthorInfo\x12\x16\n\x0eprimary_author\x18\x01 \x01(\t\x12\x1c\n\x14\x63ontributing_authors\x18\x02 \x03(\t\x12\x14\n\x0corganization\x18\x03 \x01(\t\x12+\n\x07\x63ontact\x18\x04 \x01(\x0b\x32\x1a.makit.v1.spec.ContactInfo\"\xb9\x01\n\x0b\x43ontactInfo\x12\r\n\x05\x65mail\x18\x01 \x01(\t\x12\x0f\n\x07website\x18\x02 \x01(\t\x12O\n\x13\x61\x64\x64itional_contacts\x18\x03 \x03(\x0b\x32\x32.makit.v1.spec.ContactInfo.AdditionalContactsEntry\x1a\x39\n\x17\x41\x64\x64itionalContactsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"h\n\x0bLicenseInfo\x12\x14\n\x0clicense_type\x18\x01 \x01(\t\x12\x14\n\x0clicense_text\x18\x02 \x01(\t\x12\x13\n\x0blicense_url\x18\x03 \x01(\t\x12\x18\n\x10\x63opyright_notice\x18\x04 \x01(\t\"\x90\x01\n\rReviewProcess\x12.\n\x0breview_type\x18\x01 \x01(\x0e\x32\x19.makit.v1.spec.ReviewType\x12\x1a\n\x12required_reviewers\x18\x02 \x03(\t\x12\x17\n\x0freview_criteria\x18\x03 \x03(\t\x12\x1a\n\x12\x61pproval_threshold\x18\x04 \x01(\x05\"\x95\x02\n\x10\x43hangeManagement\x12>\n\x10\x61pproval_process\x18\x01 \x01(\x0e\x32$.makit.v1.spec.ChangeApprovalProcess\x12>\n\x13versioning_strategy\x18\x02 \x01(\x0e\x32!.makit.v1.spec.VersioningStrategy\x12\x43\n\x16\x62reaking_change_policy\x18\x03 \x01(\x0b\x32#.makit.v1.spec.BreakingChangePolicy\x12<\n\x12\x64\x65precation_policy\x18\x04 \x01(\x0b\x32 .makit.v1.spec.DeprecationPolicy\"\x8f\x01\n\x14\x42reakingChangePolicy\x12\x13\n\x0b\x64\x65scription\x18\x01 \x01(\t\x12 \n\x18notification_period_days\x18\x02 \x01(\x05\x12%\n\x1dmigration_support_period_days\x18\x03 \x01(\x05\x12\x19\n\x11\x61pproval_required\x18\x04 \x01(\x08\"\x7f\n\x11\x44\x65precationPolicy\x12\x13\n\x0b\x64\x65scription\x18\x01 \x01(\t\x12\x1a\n\x12notice_period_days\x18\x02 \x01(\x05\x12\x1b\n\x13removal_period_days\x18\x03 \x01(\x05\x12\x1c\n\x14migration_assistance\x18\x04 \x01(\x08\"\xe1\x01\n\x0bQualityGate\x12\x11\n\tgate_name\x18\x01 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x02 \x01(\t\x12\x31\n\tgate_type\x18\x03 \x01(\x0e\x32\x1e.makit.v1.spec.QualityGateType\x12.\n\rconfiguration\x18\x04 \x01(\x0b\x32\x17.google.protobuf.Struct\x12\x11\n\tthreshold\x18\x05 \x01(\x01\x12\x34\n\x08severity\x18\x06 \x01(\x0e\x32\".makit.v1.spec.QualityGateSeverity\"\xc8\x01\n\x15\x43omplianceRequirement\x12\x18\n\x10requirement_name\x18\x01 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x02 \x01(\t\x12\x1b\n\x13\x63ompliance_standard\x18\x03 \x01(\t\x12-\n\x05level\x18\x04 \x01(\x0e\x32\x1e.makit.v1.spec.ComplianceLevel\x12\x19\n\x11validation_method\x18\x05 \x01(\t\x12\x19\n\x11\x65vidence_required\x18\x06 \x03(\t*\xe3\x01\n\x0cSpecFileType\x12\x1e\n\x1aSPEC_FILE_TYPE_UNSPECIFIED\x10\x00\x12\x18\n\x14SPEC_FILE_TYPE_PROTO\x10\x01\x12\x1c\n\x18SPEC_FILE_TYPE_JSON_SPEC\x10\x02\x12\x1c\n\x18SPEC_FILE_TYPE_TEST_DATA\x10\x03\x12 \n\x1cSPEC_FILE_TYPE_DOCUMENTATION\x10\x04\x12 \n\x1cSPEC_FILE_TYPE_CONFIGURATION\x10\x05\x12\x19\n\x15SPEC_FILE_TYPE_CUSTOM\x10\x06*\xc6\x01\n\x10\x44\x65pendencySource\x12!\n\x1d\x44\x45PENDENCY_SOURCE_UNSPECIFIED\x10\x00\x12\x1b\n\x17\x44\x45PENDENCY_SOURCE_LOCAL\x10\x01\x12\x19\n\x15\x44\x45PENDENCY_SOURCE_GIT\x10\x02\x12\x1e\n\x1a\x44\x45PENDENCY_SOURCE_REGISTRY\x10\x03\x12\x19\n\x15\x44\x45PENDENCY_SOURCE_URL\x10\x04\x12\x1c\n\x18\x44\x45PENDENCY_SOURCE_CUSTOM\x10\x05*\x9b\x01\n\nReviewType\x12\x1b\n\x17REVIEW_TYPE_UNSPECIFIED\x10\x00\x12\x14\n\x10REVIEW_TYPE_NONE\x10\x01\x12\x14\n\x10REVIEW_TYPE_SELF\x10\x02\x12\x14\n\x10REVIEW_TYPE_PEER\x10\x03\x12\x14\n\x10REVIEW_TYPE_TEAM\x10\x04\x12\x18\n\x14REVIEW_TYPE_EXTERNAL\x10\x05*\xd4\x01\n\x15\x43hangeApprovalProcess\x12\'\n#CHANGE_APPROVAL_PROCESS_UNSPECIFIED\x10\x00\x12 \n\x1c\x43HANGE_APPROVAL_PROCESS_NONE\x10\x01\x12%\n!CHANGE_APPROVAL_PROCESS_AUTOMATIC\x10\x02\x12\"\n\x1e\x43HANGE_APPROVAL_PROCESS_MANUAL\x10\x03\x12%\n!CHANGE_APPROVAL_PROCESS_COMMITTEE\x10\x04*\x9d\x01\n\x12VersioningStrategy\x12#\n\x1fVERSIONING_STRATEGY_UNSPECIFIED\x10\x00\x12 \n\x1cVERSIONING_STRATEGY_SEMANTIC\x10\x01\x12 \n\x1cVERSIONING_STRATEGY_CALENDAR\x10\x02\x12\x1e\n\x1aVERSIONING_STRATEGY_CUSTOM\x10\x03*\x80\x02\n\x0fQualityGateType\x12!\n\x1dQUALITY_GATE_TYPE_UNSPECIFIED\x10\x00\x12#\n\x1fQUALITY_GATE_TYPE_TEST_COVERAGE\x10\x01\x12\"\n\x1eQUALITY_GATE_TYPE_CODE_QUALITY\x10\x02\x12!\n\x1dQUALITY_GATE_TYPE_PERFORMANCE\x10\x03\x12\x1e\n\x1aQUALITY_GATE_TYPE_SECURITY\x10\x04\x12 \n\x1cQUALITY_GATE_TYPE_COMPLIANCE\x10\x05\x12\x1c\n\x18QUALITY_GATE_TYPE_CUSTOM\x10\x06*\xc1\x01\n\x13QualityGateSeverity\x12%\n!QUALITY_GATE_SEVERITY_UNSPECIFIED\x10\x00\x12\"\n\x1eQUALITY_GATE_SEVERITY_CRITICAL\x10\x01\x12\x1e\n\x1aQUALITY_GATE_SEVERITY_HIGH\x10\x02\x12 \n\x1cQUALITY_GATE_SEVERITY_MEDIUM\x10\x03\x12\x1d\n\x19QUALITY_GATE_SEVERITY_LOW\x10\x04*\xa5\x01\n\x0f\x43omplianceLevel\x12 \n\x1c\x43OMPLIANCE_LEVEL_UNSPECIFIED\x10\x00\x12\x19\n\x15\x43OMPLIANCE_LEVEL_MUST\x10\x01\x12\x1b\n\x17\x43OMPLIANCE_LEVEL_SHOULD\x10\x02\x12\x18\n\x14\x43OMPLIANCE_LEVEL_MAY\x10\x03\x12\x1e\n\x1a\x43OMPLIANCE_LEVEL_SHALL_NOT\x10\x04\x42>\n\x10io.makit.v1.specP\x01Z\x18github.com/makit/v1/spec\xaa\x02\rMakit.V1.Specb\x06proto3"
+
+pool = ::Google::Protobuf::DescriptorPool.generated_pool
+pool.add_serialized_file(descriptor_data)
+
+module Makit
+  module V1
+    module Spec
+      SpecManifest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.SpecManifest").msgclass
+      SpecFile = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.SpecFile").msgclass
+      SpecDependency = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.SpecDependency").msgclass
+      GovernanceInfo = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.GovernanceInfo").msgclass
+      AuthorInfo = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.AuthorInfo").msgclass
+      ContactInfo = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.ContactInfo").msgclass
+      LicenseInfo = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.LicenseInfo").msgclass
+      ReviewProcess = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.ReviewProcess").msgclass
+      ChangeManagement = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.ChangeManagement").msgclass
+      BreakingChangePolicy = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.BreakingChangePolicy").msgclass
+      DeprecationPolicy = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.DeprecationPolicy").msgclass
+      QualityGate = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.QualityGate").msgclass
+      ComplianceRequirement = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.ComplianceRequirement").msgclass
+      SpecFileType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.SpecFileType").enummodule
+      DependencySource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.DependencySource").enummodule
+      ReviewType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.ReviewType").enummodule
+      ChangeApprovalProcess = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.ChangeApprovalProcess").enummodule
+      VersioningStrategy = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.VersioningStrategy").enummodule
+      QualityGateType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.QualityGateType").enummodule
+      QualityGateSeverity = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.QualityGateSeverity").enummodule
+      ComplianceLevel = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.spec.ComplianceLevel").enummodule
+    end
+  end
+end

data/lib/generated/makit/v1/web/link_pb.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: makit/v1/web/link.proto
+
+require 'google/protobuf'
+
+require 'google/protobuf/timestamp_pb'
+require 'google/protobuf/duration_pb'
+
+
+descriptor_data = "\n\x17makit/v1/web/link.proto\x12\x08makit.v1\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1egoogle/protobuf/duration.proto\"6\n\x04Link\x12\x0b\n\x03url\x18\x01 \x01(\t\x12\x0c\n\x04name\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\tb\x06proto3"
+
+pool = ::Google::Protobuf::DescriptorPool.generated_pool
+pool.add_serialized_file(descriptor_data)
+
+module Makit
+  module V1
+    Link = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("makit.v1.Link").msgclass
+  end
+end

data/lib/makit/azure/blob_storage.rb

@@ -0,0 +1,257 @@
+# frozen_string_literal: true
+
+# Azure Blob Storage helper methods
+module Makit
+  module Azure
+    class BlobStorage
+      # Get Azure Storage account from environment variable or Azure Key Vault
+      # @return [String, nil] The storage account name, or nil if not found
+      def self.storage_account
+        # First try environment variable
+        return ENV["AZURE_STORAGE_ACCOUNT"] if ENV["AZURE_STORAGE_ACCOUNT"] && !ENV["AZURE_STORAGE_ACCOUNT"].empty?
+        
+        # Fall back to Azure Key Vault if available (requires az login)
+        retrieve_from_key_vault("AZURE_STORAGE_ACCOUNT")
+      end
+
+      # Get Azure Storage account key from environment variable or Azure Key Vault
+      # @return [String, nil] The storage account key, or nil if not found
+      def self.storage_account_key
+        # First try environment variable
+        return ENV["AZURE_STORAGE_ACCOUNT_KEY"] if ENV["AZURE_STORAGE_ACCOUNT_KEY"] && !ENV["AZURE_STORAGE_ACCOUNT_KEY"].empty?
+        
+        # Fall back to Azure Key Vault if available (requires az login)
+        retrieve_from_key_vault("AZURE_STORAGE_ACCOUNT_KEY")
+      end
+
+      # Retrieve a secret from Azure Key Vault
+      # Only attempts retrieval if Azure CLI is authenticated (az login has been performed)
+      # @param key [String] The secret key name (e.g., "AZURE_STORAGE_ACCOUNT")
+      # @return [String, nil] The secret value, or nil if not found or Azure CLI not authenticated
+      def self.retrieve_from_key_vault(key)
+        # Check if Azure Key Vault is configured
+        keyvault_name = ENV["AZURE_KEYVAULT_NAME"]
+        return nil unless keyvault_name && !keyvault_name.empty?
+        
+        # Check if Azure CLI is authenticated
+        require_relative "../secrets/azure_key_vault"
+        return nil unless Makit::Secrets::AzureKeyVault.azure_cli_authenticated?
+        
+        # Try to retrieve from Key Vault
+        begin
+          require_relative "../secrets/azure_secrets"
+          azure_secrets = Makit::Secrets::AzureSecrets.new(keyvault_name: keyvault_name)
+          value = azure_secrets.get(key)
+          return value if value && !value.empty?
+        rescue => e
+          # Silently fail - Key Vault retrieval is optional
+          # This allows the code to work without Key Vault if env vars are set
+        end
+        
+        nil
+      end
+
+      # Validate Azure Storage credentials are set
+      # Checks environment variables first, then Azure Key Vault (if az login has been performed)
+      def self.validate_storage_credentials!
+        account = storage_account
+        key = storage_account_key
+        
+        if account.nil? || account.empty?
+          error_msg = "AZURE_STORAGE_ACCOUNT is not set"
+          # Provide helpful message about Key Vault fallback
+          if ENV["AZURE_KEYVAULT_NAME"] && !ENV["AZURE_KEYVAULT_NAME"].empty?
+            require_relative "../secrets/azure_key_vault"
+            if Makit::Secrets::AzureKeyVault.azure_cli_authenticated?
+              error_msg += " (checked environment variables and Azure Key Vault '#{ENV["AZURE_KEYVAULT_NAME"]}')"
+            else
+              error_msg += " (Azure Key Vault available but 'az login' not performed)"
+            end
+          end
+          raise error_msg
+        end
+        
+        if key.nil? || key.empty?
+          error_msg = "AZURE_STORAGE_ACCOUNT_KEY is not set"
+          # Provide helpful message about Key Vault fallback
+          if ENV["AZURE_KEYVAULT_NAME"] && !ENV["AZURE_KEYVAULT_NAME"].empty?
+            require_relative "../secrets/azure_key_vault"
+            if Makit::Secrets::AzureKeyVault.azure_cli_authenticated?
+              error_msg += " (checked environment variables and Azure Key Vault '#{ENV["AZURE_KEYVAULT_NAME"]}')"
+            else
+              error_msg += " (Azure Key Vault available but 'az login' not performed)"
+            end
+          end
+          raise error_msg
+        end
+      end
+
+      # Delete all blobs in a storage path
+      # @param path [String] The storage path (e.g., '$web/apps/portal/v0.1.0')
+      def self.delete_blobs(path)
+        validate_storage_credentials!
+        puts "  Deleting existing files in #{path}/".colorize(:yellow)
+
+        cmd = [
+          "az storage blob delete-batch",
+          "--source '#{path}'",
+          "--account-name #{storage_account}",
+          "--account-key '#{storage_account_key}'",
+          "--pattern '*'",
+          "2>/dev/null",
+        ].join(" ")
+
+        system(cmd)
+        # Don't fail if path doesn't exist (first deployment)
+        true
+      end
+
+      # Upload files to Azure Storage
+      # @param source [String] Local directory to upload from
+      # @param destination [String] Storage path destination (e.g., '$web/apps/portal/v0.1.0')
+      def self.upload_blobs(source, destination)
+        validate_storage_credentials!
+        puts "  Uploading files from #{source} to #{destination}/".colorize(:green)
+
+        unless Dir.exist?(source)
+          raise "Source directory does not exist: #{source}"
+        end
+
+        cmd = [
+          "az storage blob upload-batch",
+          "--destination '#{destination}'",
+          "--source #{source}",
+          "--account-name #{storage_account}",
+          "--account-key '#{storage_account_key}'",
+          "--overwrite",
+        ].join(" ")
+
+        unless system(cmd)
+          raise "Failed to upload blobs to Azure Storage"
+        end
+        true
+      end
+
+      # Get static website endpoint URL for the storage account
+      # @return [String] The static website endpoint URL (e.g., 'https://louparslow.z22.web.core.windows.net')
+      def self.static_website_endpoint
+        validate_storage_credentials!
+
+        unless Cli.available?
+          # Fallback if Azure CLI not available
+          return "https://#{storage_account}.z22.web.core.windows.net"
+        end
+
+        # Try to get the static website endpoint from Azure
+        cmd = "az storage account show --name #{storage_account} --query 'primaryEndpoints.web' --output tsv 2>/dev/null"
+        endpoint = `#{cmd}`.strip
+
+        if endpoint.nil? || endpoint.empty?
+          # Fallback: construct URL from storage account name
+          # This assumes the standard format, but may not work for all storage accounts
+          endpoint = "https://#{storage_account}.z22.web.core.windows.net"
+          puts "  Warning: Could not retrieve static website endpoint, using default format".colorize(:yellow)
+        end
+
+        # Remove trailing slash if present
+        endpoint.chomp("/")
+      end
+
+      # List blobs in a storage path
+      # @param path [String] The storage path (e.g., '$web' or '$web/apps/portal')
+      # @return [Array<String>] Array of blob names/paths (immediate children only, flat listing)
+      def self.list_blobs(path)
+        validate_storage_credentials!
+
+        # Parse path to extract container name and prefix
+        # Path format: "container" or "container/prefix/path"
+        path_parts = path.split("/", 2)
+        container_name = path_parts[0]
+        prefix = path_parts[1] || ""
+
+        # Build Azure CLI command
+        cmd_parts = [
+          "az storage blob list",
+          "--container-name '#{container_name}'",
+          "--account-name #{storage_account}",
+          "--account-key '#{storage_account_key}'",
+          "--output json",
+          "--query '[].name'",
+          "2>/dev/null",
+        ]
+
+        # Add prefix if specified
+        unless prefix.empty?
+          cmd_parts.insert(4, "--prefix '#{prefix}/'")
+        end
+
+        cmd = cmd_parts.join(" ")
+
+        # Execute command and capture output
+        output = `#{cmd}`.strip
+        exit_code = $?.exitstatus
+
+        # Handle command failure
+        # Check exit code - non-zero indicates command failure
+        if exit_code != 0
+          raise "Failed to list blobs from Azure Storage"
+        end
+
+        # Parse JSON output
+        begin
+          require "json"
+          # Empty string is not valid JSON and indicates command failure
+          # Valid empty result from Azure CLI would be "[]", not ""
+          if output.empty?
+            raise "Failed to list blobs from Azure Storage"
+          end
+          blob_data = JSON.parse(output)
+        rescue JSON::ParserError => e
+          # Invalid JSON indicates parsing failure
+          raise "Failed to parse Azure CLI output: #{e.message}"
+        end
+
+        # Return empty array if no blobs found
+        return [] if blob_data.nil? || blob_data.empty?
+
+        # Extract blob names from JSON array
+        # JSON format from Azure CLI: [{"name":"path/to/blob"}, ...] or ["name1", "name2", ...]
+        blob_names = if blob_data.first.is_a?(Hash)
+                      blob_data.map { |item| item["name"] }
+                    else
+                      blob_data
+                    end
+
+        # Filter to get only immediate children (flat listing)
+        prefix_with_slash = prefix.empty? ? "" : "#{prefix}/"
+        immediate_children = []
+
+        blob_names.each do |blob_name|
+          # Remove prefix if specified to get relative path
+          relative_path = if prefix_with_slash.empty?
+                            blob_name
+                          else
+                            # Remove prefix from blob name
+                            blob_name.sub(/^#{Regexp.escape(prefix_with_slash)}/, "")
+                          end
+
+          # Get only immediate children (first level after prefix)
+          # Split by '/' and take first part, but preserve trailing slash if present
+          parts = relative_path.split("/", 2)
+          first_part = parts[0]
+          
+          # If the original blob_name had a trailing slash or ends with "/", preserve it
+          # Check if this is a directory (ends with /) in the original name
+          is_directory = blob_name.end_with?("/") || (parts.length > 1 && relative_path.end_with?("/"))
+          first_part += "/" if is_directory && !first_part.end_with?("/")
+
+          # Add to results if not already included (avoid duplicates)
+          immediate_children << first_part unless immediate_children.include?(first_part)
+        end
+
+        immediate_children
+      end
+    end
+  end
+end
+

data/lib/makit/azure/cli.rb

@@ -0,0 +1,285 @@
+# Azure helper methods for CLI operations
+module Makit
+    module Azure
+      class Cli
+        # Check if Azure CLI is installed
+        def self.available?
+          system("which az > /dev/null 2>&1")
+        end
+  
+        # Check if Azure CLI is authenticated
+        def self.authenticated?
+          return false unless available?
+          system("az account show > /dev/null 2>&1")
+        end
+  
+        # Get Azure Storage account from environment variable
+        def self.storage_account
+          ENV["AZURE_STORAGE_ACCOUNT"]
+        end
+  
+        # Get Azure Storage account key from environment variable
+        def self.storage_account_key
+          ENV["AZURE_STORAGE_ACCOUNT_KEY"]
+        end
+  
+        # Validate Azure Storage credentials are set
+        def self.validate_storage_credentials!
+          if storage_account.nil? || storage_account.empty?
+            raise "AZURE_STORAGE_ACCOUNT environment variable is not set"
+          end
+          if storage_account_key.nil? || storage_account_key.empty?
+            raise "AZURE_STORAGE_ACCOUNT_KEY environment variable is not set"
+          end
+        end
+  
+        # Delete all blobs in a storage path
+        # @param path [String] The storage path (e.g., '$web/apps/portal/v0.1.0')
+        def self.delete_blobs(path)
+          validate_storage_credentials!
+          puts "  Deleting existing files in #{path}/".colorize(:yellow)
+  
+          cmd = [
+            "az storage blob delete-batch",
+            "--source '#{path}'",
+            "--account-name #{storage_account}",
+            "--account-key '#{storage_account_key}'",
+            "--pattern '*'",
+            "2>/dev/null",
+          ].join(" ")
+  
+          system(cmd)
+          # Don't fail if path doesn't exist (first deployment)
+          true
+        end
+  
+        # Upload files to Azure Storage
+        # @param source [String] Local directory to upload from
+        # @param destination [String] Storage path destination (e.g., '$web/apps/portal/v0.1.0')
+        def self.upload_blobs(source, destination)
+          validate_storage_credentials!
+          puts "  Uploading files from #{source} to #{destination}/".colorize(:green)
+  
+          unless Dir.exist?(source)
+            raise "Source directory does not exist: #{source}"
+          end
+  
+          cmd = [
+            "az storage blob upload-batch",
+            "--destination '#{destination}'",
+            "--source #{source}",
+            "--account-name #{storage_account}",
+            "--account-key '#{storage_account_key}'",
+            "--overwrite",
+          ].join(" ")
+  
+          unless system(cmd)
+            raise "Failed to upload blobs to Azure Storage"
+          end
+          true
+        end
+  
+        # Get CDN resource group from environment variable
+        def self.cdn_resource_group
+          ENV["AZURE_CDN_RESOURCE_GROUP"]
+        end
+  
+        # Get CDN profile name from environment variable
+        def self.cdn_profile_name
+          ENV["AZURE_CDN_PROFILE_NAME"]
+        end
+  
+        # Get CDN endpoint name from environment variable
+        def self.cdn_endpoint_name
+          ENV["AZURE_CDN_ENDPOINT_NAME"]
+        end
+  
+        # Check if CDN variables are configured
+        def self.cdn_configured?
+          !cdn_resource_group.nil? && !cdn_resource_group.empty? &&
+            !cdn_profile_name.nil? && !cdn_profile_name.empty? &&
+            !cdn_endpoint_name.nil? && !cdn_endpoint_name.empty?
+        end
+  
+        # Purge CDN cache for a specific path
+        # @param path [String] The path to purge (e.g., '/apps/portal/v0.1.0/*')
+        def self.purge_cdn_cache(path)
+          unless cdn_configured?
+            puts "  CDN variables not configured, skipping cache purge".colorize(:yellow)
+            return false
+          end
+  
+          puts "  Purging Azure CDN cache for #{path}".colorize(:green)
+  
+          cmd = [
+            "az cdn endpoint purge",
+            "--resource-group '#{cdn_resource_group}'",
+            "--profile-name '#{cdn_profile_name}'",
+            "--name '#{cdn_endpoint_name}'",
+            "--content-paths '#{path}'",
+          ].join(" ")
+  
+          success = system(cmd)
+          unless success
+            puts "  Warning: CDN purge failed or CDN not configured".colorize(:yellow)
+          end
+          success
+        end
+  
+        # Get static website endpoint URL for the storage account
+        # @return [String] The static website endpoint URL (e.g., 'https://louparslow.z22.web.core.windows.net')
+        def self.static_website_endpoint
+          validate_storage_credentials!
+  
+          unless available?
+            # Fallback if Azure CLI not available
+            return "https://#{storage_account}.z22.web.core.windows.net"
+          end
+  
+          # Try to get the static website endpoint from Azure
+          cmd = "az storage account show --name #{storage_account} --query 'primaryEndpoints.web' --output tsv 2>/dev/null"
+          endpoint = `#{cmd}`.strip
+  
+          if endpoint.nil? || endpoint.empty?
+            # Fallback: construct URL from storage account name
+            # This assumes the standard format, but may not work for all storage accounts
+            endpoint = "https://#{storage_account}.z22.web.core.windows.net"
+            puts "  Warning: Could not retrieve static website endpoint, using default format".colorize(:yellow)
+          end
+  
+          # Remove trailing slash if present
+          endpoint.chomp("/")
+        end
+  
+        # List Key Vaults in a resource group
+        # @param resource_group [String] The Azure resource group name
+        # @return [Array<Hash>] Array of key vault information hashes, or empty array if none found
+        def self.list_key_vaults(resource_group)
+          unless available?
+            raise "Azure CLI is not installed. Install it from: https://aka.ms/InstallAzureCLI"
+          end
+  
+          unless authenticated?
+            raise "Azure CLI is not authenticated. Run 'az login' first"
+          end
+  
+          if resource_group.nil? || resource_group.empty?
+            raise "Resource group name is required"
+          end
+  
+          puts "  Listing Key Vaults in resource group: #{resource_group}".colorize(:cyan)
+  
+          # Query for key vaults in the resource group
+          cmd = [
+            "az keyvault list",
+            "--resource-group '#{resource_group}'",
+            "--query '[].{Name:name, Location:location, ResourceGroup:resourceGroup, VaultUri:properties.vaultUri}'",
+            "--output json",
+            "2>/dev/null",
+          ].join(" ")
+  
+          output = `#{cmd}`.strip
+  
+          if output.nil? || output.empty?
+            puts "  No Key Vaults found in resource group: #{resource_group}".colorize(:yellow)
+            return []
+          end
+  
+          begin
+            require "json"
+            key_vaults = JSON.parse(output)
+            key_vaults
+          rescue JSON::ParserError => e
+            puts "  Error parsing Key Vault list: #{e.message}".colorize(:red)
+            puts "  Raw output: #{output}".colorize(:yellow)
+            []
+          end
+        end
+  
+        # Grant Key Vault access to a service principal
+        # @param app_id [String] The service principal app ID (client ID)
+        # @param resource_group [String] The Azure resource group name (default: "LouParslow")
+        # @param keyvault_name [String] The Key Vault name (default: "louparslow-dev-secrets")
+        # @return [Boolean] true if successful, raises error on failure
+        def self.grant_keyvault_access(app_id, resource_group: "LouParslow", keyvault_name: "louparslow-dev-secrets")
+          unless available?
+            raise "Azure CLI is not installed. Install it from: https://aka.ms/InstallAzureCLI"
+          end
+  
+          unless authenticated?
+            raise "Azure CLI is not authenticated. Run 'az login' first"
+          end
+  
+          if app_id.nil? || app_id.empty?
+            raise "Service principal app ID (appId) is required"
+          end
+  
+          if resource_group.nil? || resource_group.empty?
+            raise "Resource group name is required"
+          end
+  
+          if keyvault_name.nil? || keyvault_name.empty?
+            raise "Key Vault name is required"
+          end
+  
+          puts "  Granting Key Vault access to service principal...".colorize(:cyan)
+          puts "  App ID: #{app_id}".colorize(:white)
+          puts "  Resource Group: #{resource_group}".colorize(:white)
+          puts "  Key Vault: #{keyvault_name}".colorize(:white)
+  
+          # Get subscription ID
+          puts "  Getting subscription ID...".colorize(:cyan)
+          subscription_cmd = "az account show --query id -o tsv 2>/dev/null"
+          subscription_id = `#{subscription_cmd}`.strip
+  
+          if subscription_id.nil? || subscription_id.empty?
+            raise "Failed to get subscription ID. Ensure you're logged in with 'az login'"
+          end
+  
+          puts "  Subscription ID: #{subscription_id}".colorize(:white)
+  
+          # Get service principal object ID
+          puts "  Getting service principal object ID...".colorize(:cyan)
+          sp_object_id_cmd = "az ad sp show --id '#{app_id}' --query id -o tsv 2>/dev/null"
+          sp_object_id = `#{sp_object_id_cmd}`.strip
+  
+          if sp_object_id.nil? || sp_object_id.empty?
+            raise "Failed to get service principal object ID for app ID: #{app_id}. Ensure the service principal exists."
+          end
+  
+          puts "  Service Principal Object ID: #{sp_object_id}".colorize(:white)
+  
+          # Grant "Key Vault Secrets User" role
+          scope = "/subscriptions/#{subscription_id}/resourceGroups/#{resource_group}/providers/Microsoft.KeyVault/vaults/#{keyvault_name}"
+          puts "  Granting 'Key Vault Secrets User' role...".colorize(:cyan)
+          puts "  Scope: #{scope}".colorize(:white)
+  
+          role_assignment_cmd = [
+            "az role assignment create",
+            "--assignee '#{sp_object_id}'",
+            "--role 'Key Vault Secrets User'",
+            "--scope '#{scope}'",
+            "2>&1",
+          ].join(" ")
+  
+          output = `#{role_assignment_cmd}`
+          exit_code = $?.exitstatus
+  
+          if exit_code != 0
+            # Check if role assignment already exists
+            if output.include?("already exists") || output.include?("RoleAssignmentExists")
+              puts "  Role assignment already exists (this is OK)".colorize(:yellow)
+              return true
+            else
+              puts "  Error output: #{output}".colorize(:red)
+              raise "Failed to grant Key Vault access: #{output}"
+            end
+          end
+  
+          puts "  Successfully granted Key Vault access".colorize(:green)
+          true
+        end
+      end
+    end
+  end
+