@marcfargas/skills 0.4.0 → 0.5.0

package/.well-known/skills/index.json

@@ -0,0 +1,46 @@
+{
+  "version": "1.0",
+  "repository": "https://github.com/marcfargas/skills",
+  "skills": [
+    {
+      "name": "azcli",
+      "description": "Azure CLI (az). Use when: managing Azure resources, deploying to App Service/Functions/Container Apps/AKS, working with Storage, SQL Database, Cosmos DB, VMs, VNets, NSGs, Key Vault, Entra ID (Azure AD), RBAC, Service Bus, Event Hubs, Container Registry, Azure Monitor, DNS, or any Azure service. Also covers: authentication, subscription management, CI/CD integration (GitHub Actions/Azure DevOps), Bicep/ARM templates, managed identities, and infrastructure automation.",
+      "path": "azure/azcli"
+    },
+    {
+      "name": "gcloud",
+      "description": "Google Cloud Platform CLI (gcloud, gcloud storage, bq). Use when: managing GCP resources, deploying to Cloud Run/Cloud Functions/GKE/App Engine, working with Cloud Storage, BigQuery, IAM, Compute Engine, Cloud SQL, Pub/Sub, Secret Manager, Artifact Registry, Cloud Build, Cloud Scheduler, Cloud Tasks, Vertex AI, VPC/networking, DNS, logging/monitoring, or any GCP service. Also covers: authentication, project/config management, CI/CD integration, serverless deployments, container registry, docker push to GCP, managing secrets, Workload Identity Federation, and infrastructure automation.",
+      "path": "google-cloud/gcloud"
+    },
+    {
+      "name": "pm2",
+      "description": "Process management with PM2 — start, stop, restart, monitor long-running processes. Use when: keeping services alive, auto-restart on crash, managing daemon processes, ecosystem configs, log management, startup scripts, process monitoring. Triggers: pm2, process manager, keep alive, daemon, auto-restart, ecosystem config, process monitoring.",
+      "path": "process/pm2"
+    },
+    {
+      "name": "pre-release",
+      "description": "Pre-release review and changeset generation for npm packages using @changesets/cli. Use when: preparing a release, generating changelogs, pre-release checklist, version bump, writing release notes, reviewing README before publish. Triggers: \"prepare release\", \"pre-release\", \"generate changelog\", \"write changesets\", \"release checklist\".",
+      "path": "release/pre-release"
+    },
+    {
+      "name": "repo-hygiene",
+      "description": "Periodic repository health check — dependencies, git, CI/CD, code quality, docs, security. Use when: onboarding to a repo, weekly maintenance, after big refactors, before audits, \"is this repo in good shape?\". Triggers: \"repo hygiene\", \"health check\", \"repo health\", \"clean up repo\", \"maintenance check\", \"audit repo\", \"repo audit\".",
+      "path": "maintenance/repo-hygiene"
+    },
+    {
+      "name": "sheet-model",
+      "description": "Headless spreadsheet engine for financial modeling, data analysis, and scenario comparison. Use when: building financial models with ratios and what-if scenarios, computing derived values from tabular data with formulas, producing .xlsx files with live formulas (not static values) for human review, any task where the agent would otherwise write imperative code to manipulate numbers that a spreadsheet does naturally. Triggers: financial model, scenario analysis, ratio computation, balance sheet, P&L, what-if, sensitivity analysis, banking ratios, spreadsheet model, build a model, projection, forecast. Do NOT use for: simple CSV/Excel read/write (use the xlsx skill), chart-only tasks, or data volumes exceeding ~5000 rows.",
+      "path": "sheet-model"
+    },
+    {
+      "name": "vhs",
+      "description": "Record terminal sessions as GIF/MP4/WebM using VHS (Charm.sh). Use when: create demo GIF, record terminal, terminal recording, demo video, tape file, animate CLI, screencast terminal, showcase command output, README demo, document CLI tool, generate terminal animation.",
+      "path": "terminal/vhs"
+    },
+    {
+      "name": "web-search",
+      "description": "Web search and content extraction using ddgs (multi-engine metasearch). No API keys required. Use when: searching documentation, facts, current information, news, fetching web content. Triggers: search the web, look up, find information, web search, news search, fetch page.",
+      "path": "search/web-search"
+    }
+  ]
+}

package/README.md

@@ -6,10 +6,13 @@ Reusable skills for AI coding agents. Works with [pi](https://github.com/marioze
 
 | Category | Skill | Description |
 |----------|-------|-------------|
+| ☁️ Azure | [azcli](azure/azcli/) | Azure CLI with agent safety model — hub + reference files |
 | ☁️ Google Cloud | [gcloud](google-cloud/gcloud/) | GCP CLI with agent safety model — hub + 7 reference files |
+| 🔧 Maintenance | [repo-hygiene](maintenance/repo-hygiene/) | Periodic repo health check — deps, git, CI, code quality, docs, security |
 | ⚙️ Process | [pm2](process/pm2/) | Process management — keep services alive, auto-restart, monitoring, ecosystem configs |
 | 🚀 Release | [pre-release](release/pre-release/) | Pre-release checklist + AI-written changesets via @changesets/cli |
 | 🔍 Search | [web-search](search/web-search/) | Web search + content extraction via [ddgs](https://github.com/deedy5/ddgs) — no API keys |
+| 📊 Modeling | [sheet-model](sheet-model/) | Headless spreadsheet engine for financial modeling, scenario analysis, .xlsx with live formulas |
 | 🎬 Terminal | [vhs](terminal/vhs/) | Record terminal sessions as GIF/MP4 with [VHS](https://github.com/charmbracelet/vhs) |
 
 ## Install
@@ -67,16 +70,21 @@ Skills use a **hub + spoke** architecture. The SKILL.md hub is ~140 lines — ju
 
 ## Structure
 
-```
+```text
 skills/
+├── azure/
+│   └── azcli/           # Azure CLI skill
 ├── google-cloud/
 │   └── gcloud/          # 8 files, ~1100 lines total
+├── maintenance/
+│   └── repo-hygiene/    # 1 file — periodic health check
 ├── process/
 │   └── pm2/             # 1 file
 ├── release/
 │   └── pre-release/     # 1 file
 ├── search/
 │   └── web-search/      # SKILL.md + search.js + content.js
+├── sheet-model/         # Headless spreadsheet engine
 ├── terminal/
 │   └── vhs/             # 1 file
 └── README.md

package/azure/azcli/SKILL.md

@@ -0,0 +1,150 @@
+---
+name: azcli
+description: >-
+  Azure CLI (az). Use when: managing Azure resources, deploying to App Service/Functions/Container Apps/AKS,
+  working with Storage, SQL Database, Cosmos DB, VMs, VNets, NSGs, Key Vault,
+  Entra ID (Azure AD), RBAC, Service Bus, Event Hubs, Container Registry,
+  Azure Monitor, DNS, or any Azure service.
+  Also covers: authentication, subscription management, CI/CD integration (GitHub Actions/Azure DevOps),
+  Bicep/ARM templates, managed identities, and infrastructure automation.
+---
+
+# azcli — Azure Command-Line Interface
+
+Command-line interface for managing Azure resources.
+Covers `az` and its 200+ command groups for all Azure services.
+
+Docs: https://learn.microsoft.com/en-us/cli/azure/
+
+## Platform Notes (Windows + Git Bash)
+
+- Install: `winget install --exact --id Microsoft.AzureCLI` (preferred) or MSI from https://aka.ms/installazurecliwindows
+- After install/update: **close and reopen terminal** — required for PATH
+- Config: `~/.azure/` (credentials, config, profiles)
+- Secrets: use Key Vault or env vars, **never commit credentials**
+- Extensions: `az extension add --name NAME` (some features require extensions)
+- Version: `az version` (check for updates: `az upgrade`)
+
+### ⚠️ Quoting Gotchas
+
+Git Bash, PowerShell, and cmd have different quoting rules for `--query` (JMESPath):
+
+```bash
+# Git Bash — use single quotes for JMESPath
+az vm list --query '[].name' -o tsv
+
+# PowerShell — use single quotes or escaped double quotes
+az vm list --query '[].name' -o tsv
+
+# Avoid: Git Bash may mangle double-quoted JMESPath
+```
+
+> **⚠️ Cost**: Commands that create resources (VMs, databases, clusters) incur
+> Azure charges. Always confirm subscription and region before creating.
+
+## Agent Safety Model
+
+Operations classified by risk. **Follow this model for all az commands.**
+
+| Level | Gate | Examples |
+|-------|------|----------|
+| **READ** | Proceed autonomously | `list`, `show`, `get`, `account show`, `monitor log-analytics query` |
+| **WRITE** | Confirm with user; note cost if billable | `create`, `deploy`, `update`, `az storage blob upload` |
+| **DESTRUCTIVE** | Always confirm; show what's affected | `delete`, `purge`, `az group delete`, RBAC removal |
+| **EXPENSIVE** | Confirm + state approximate cost | AKS clusters (~$70+/mo), SQL Database (~$5-2k/mo), VMs (~$5-2k/mo) |
+| **SECURITY** | Confirm + explain impact | NSG rules opening ports, `--allow-unauthenticated`, RBAC owner/contributor grants, Key Vault access policies |
+| **FORBIDDEN** | Refuse; escalate to human | `az ad app credential reset` with plaintext secrets, `az group delete` on production RGs, passwords in CLI args |
+
+**Rules**:
+
+- **Never combine `--yes` with destructive operations** — it suppresses the only safety gate
+- **Never put passwords/secrets as command-line arguments** — visible in process list & shell history
+- **Always use `-o json`** for machine-parseable output (agents can't reliably parse tables)
+- **When in doubt, treat as DESTRUCTIVE**
+
+## Command Structure
+
+```text
+az [GROUP] [SUBGROUP] COMMAND [ARGS] [FLAGS]
+```
+
+Key global flags: `--subscription`, `--output` (`-o`), `--query`, `--verbose`, `--debug`, `--only-show-errors`, `--yes`
+
+## Service Reference
+
+| Service | File | Key Commands |
+|---------|------|-------------|
+| Auth & Config | [auth.md](auth.md) | Login, service principals, managed identities, subscriptions, config |
+| IAM & Resources | [iam.md](iam.md) | Resource groups, RBAC, Entra ID (Azure AD), Key Vault |
+| Compute & Networking | [compute.md](compute.md) | VMs, VNets, NSGs, DNS, load balancers, monitoring |
+| Serverless & Containers | [serverless.md](serverless.md) | App Service, Functions, Container Apps, AKS, Container Registry |
+| Storage | [storage.md](storage.md) | Storage accounts, blobs, file shares, queues, tables |
+| Data | [data.md](data.md) | SQL Database, Cosmos DB, Service Bus, Event Hubs |
+| Automation & CI/CD | [automation.md](automation.md) | Scripting, output formats, JMESPath, Bicep/ARM, GitHub Actions |
+
+**Read the per-service file for full command reference.**
+
+## Pre-Flight Checks
+
+Before working with any Azure service:
+
+```bash
+# 1. Logged in?
+az account show -o json
+
+# 2. Correct subscription?
+az account show --query '{Name:name, Id:id, State:state}' -o json
+
+# 3. Change subscription if needed
+az account set --subscription "<name-or-id>"
+
+# 4. Default location set?
+az config get defaults.location 2>/dev/null
+
+# 5. Set default location (optional)
+az config set defaults.location=westeurope
+
+# 6. Resource provider registered? (most are auto-registered)
+az provider show --namespace Microsoft.ContainerApp --query "registrationState" -o tsv
+az provider register --namespace Microsoft.ContainerApp --wait
+```
+
+## Troubleshooting
+
+| Problem | Diagnosis | Fix |
+|---------|-----------|-----|
+| Auth failure | `az account show` | `az login` or check service principal |
+| Permission denied | Check RBAC (see [iam.md](iam.md)) | Grant correct role |
+| Provider not registered | Error says which provider | `az provider register --namespace Microsoft.X` |
+| Quota exceeded | Error message | Request increase in Portal or `az quota` |
+| Wrong subscription | `az account show` | `az account set --subscription X` |
+| Wrong region | Check resource's `location` | Recreate in correct region |
+| Extension missing | `az extension list` | `az extension add --name NAME` |
+| Slow commands | Large result set | Use `--query`, `--top`, or `--output tsv` |
+
+```bash
+# Debug mode
+az vm list --debug 2>&1 | head -50
+
+# Full environment info
+az version
+az account show -o json
+```
+
+## Quick Reference
+
+| Task | Command |
+|------|---------|
+| Login | `az login` |
+| Set subscription | `az account set --subscription "NAME_OR_ID"` |
+| Current subscription | `az account show -o json` |
+| List subscriptions | `az account list -o table` |
+| Register provider | `az provider register --namespace Microsoft.X` |
+| List anything | `az RESOURCE list -o json` |
+| Show anything | `az RESOURCE show --name NAME -g RG -o json` |
+| JSON output | `-o json` |
+| TSV (single values) | `-o tsv` |
+| JMESPath query | `--query "expression"` |
+| Suppress prompts ⚠️ | `--yes` — suppresses ALL confirmations |
+| Help | `az RESOURCE --help` or `az find "search term"` |
+| Upgrade CLI | `az upgrade` |

package/azure/azcli/auth.md

@@ -0,0 +1,160 @@
+# Auth & Configuration
+
+## Authentication Methods
+
+| Method | Use Case |
+|--------|----------|
+| Interactive (`az login`) | Local development |
+| Service principal | Scripts, CI/CD |
+| Managed identity | Azure-hosted workloads (VMs, App Service, Functions) |
+| Device code | Headless / remote terminals |
+
+## Interactive Login
+
+```bash
+# Opens browser for sign-in
+az login
+
+# Device code flow (headless / SSH sessions)
+az login --use-device-code
+
+# Specific tenant
+az login --tenant TENANT_ID
+
+# Check who's logged in
+az account show -o json
+
+# List all accounts
+az account list -o table
+
+# Logout
+az logout
+```
+
+## Service Principal (CI/CD, Automation)
+
+**Prefer managed identities when running on Azure. Use service principals for external CI/CD.**
+
+```bash
+# Create service principal with Contributor role on a subscription
+az ad sp create-for-rbac --name "my-ci-sp" \
+  --role Contributor \
+  --scopes /subscriptions/SUBSCRIPTION_ID
+
+# Output (save securely — shown only once):
+# {
+#   "appId": "...",
+#   "displayName": "my-ci-sp",
+#   "password": "...",
+#   "tenant": "..."
+# }
+
+# Login with service principal
+az login --service-principal \
+  --username APP_ID \
+  --password CLIENT_SECRET \
+  --tenant TENANT_ID
+
+# Login with certificate (more secure — no shared secret)
+az login --service-principal \
+  --username APP_ID \
+  --certificate /path/to/cert.pem \
+  --tenant TENANT_ID
+
+# Login with federated credential (GitHub Actions — no secrets at all)
+az login --service-principal \
+  --username APP_ID \
+  --tenant TENANT_ID \
+  --federated-token "$GITHUB_TOKEN"
+```
+
+> ⚠️ **Never commit service principal credentials.** Store in Key Vault,
+> GitHub Secrets, or Azure DevOps variable groups. Rotate regularly.
+
+## Managed Identity (Azure-hosted only)
+
+```bash
+# Login with system-assigned managed identity
+az login --identity
+
+# Login with user-assigned managed identity
+az login --identity --username MANAGED_IDENTITY_CLIENT_ID
+```
+
+No credentials to manage — Azure handles token refresh automatically.
+
+## Subscription Management
+
+```bash
+# List all subscriptions
+az account list -o table
+
+# Show current subscription
+az account show -o json
+
+# Switch subscription
+az account set --subscription "My Subscription Name"
+az account set --subscription "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+
+# Get subscription ID for scripting
+SUB_ID=$(az account show --query id -o tsv)
+
+# Per-command subscription override
+az vm list --subscription "Other Sub" -o json
+```
+
+## Tenant Management
+
+```bash
+# List tenants
+az account tenant list -o json
+
+# Switch tenant (requires re-login)
+az login --tenant TENANT_ID
+
+# Show current tenant
+az account show --query tenantId -o tsv
+```
+
+## Access Tokens
+
+```bash
+# Get access token for current subscription
+az account get-access-token -o json
+
+# Get token for specific resource
+az account get-access-token --resource https://management.azure.com/ -o json
+az account get-access-token --resource https://vault.azure.net/ -o json
+az account get-access-token --resource https://graph.microsoft.com/ -o json
+```
+
+## Configuration
+
+```bash
+# Set defaults (reduces repetition in commands)
+az config set defaults.location=westeurope
+az config set defaults.group=my-resource-group
+
+# View config
+az config get
+
+# Unset
+az config unset defaults.location
+
+# Per-command overrides always take precedence
+az vm create --location eastus ...  # overrides default
+```
+
+### Region Consistency
+
+Related Azure resources should be in the same region. Before creating any resource:
+
+```bash
+# Check defaults
+az config get defaults.location 2>/dev/null
+
+# List available locations
+az account list-locations --query "[].name" -o tsv
+```
+
+Common regions: `westeurope`, `northeurope`, `eastus`, `eastus2`, `westus2`, `centralus`

package/azure/azcli/automation.md

@@ -0,0 +1,270 @@
+# Automation, Scripting & CI/CD
+
+## Output Formats
+
+**Always use `-o json` for agent consumption.** Table output breaks parsing.
+
+```bash
+az vm list -o json                      # Full JSON
+az vm list -o tsv                       # Tab-separated values
+az vm list -o table                     # Human-readable table
+az vm list -o yaml                      # YAML
+az vm list -o jsonc                     # Colorized JSON (human)
+az vm list --query "[].name" -o tsv     # Single column, one per line
+```
+
+## JMESPath Queries (`--query`)
+
+Azure CLI uses JMESPath (not the `--filter` syntax of gcloud). Queries run **client-side**.
+
+```bash
+# Single field
+az vm show -g my-rg -n my-vm --query "name" -o tsv
+
+# Multiple fields (dictionary)
+az vm show -g my-rg -n my-vm --query "{Name:name, Size:hardwareProfile.vmSize}" -o json
+
+# Array projection
+az vm list --query "[].{Name:name, RG:resourceGroup, Size:hardwareProfile.vmSize}" -o table
+
+# Filter array
+az vm list --query "[?location=='westeurope'].name" -o tsv
+
+# Contains (string search)
+az vm list --query "[?contains(name, 'web')].{Name:name, Location:location}" -o table
+
+# Nested access
+az vm show -g my-rg -n my-vm --query "osProfile.adminUsername" -o tsv
+
+# First item
+az vm list --query "[0].name" -o tsv
+
+# Count
+az vm list --query "length([])" -o tsv
+
+# Pipe (apply after flattening)
+az vm list --query "[].{Name:name, OS:storageProfile.osDisk.osType} | [?OS=='Linux']" -o table
+
+# Sort
+az vm list --query "sort_by([], &name)[].{Name:name, Location:location}" -o table
+```
+
+### JMESPath Tips for Agents
+
+- Always use single quotes around JMESPath in Git Bash
+- `--query "[].field"` returns a flat list
+- `--query "{Alias:field}"` returns a renamed dictionary
+- Combine `--query` + `-o tsv` for scriptable single values
+- JMESPath is case-sensitive
+
+## Idempotent Patterns
+
+```bash
+# Check-before-create
+if ! az group show --name my-rg &>/dev/null; then
+  az group create --name my-rg --location westeurope
+else
+  echo "Resource group already exists"
+fi
+
+# Using `az group exists`
+if [ "$(az group exists --name my-rg)" = "false" ]; then
+  az group create --name my-rg --location westeurope
+fi
+
+# Delete-if-exists (suppress error)
+az vm delete --name my-vm --resource-group my-rg --yes 2>/dev/null || true
+```
+
+## Error Handling
+
+```bash
+# Capture and check
+OUTPUT=$(az vm create --resource-group my-rg --name my-vm --image Ubuntu2204 2>&1)
+if [ $? -ne 0 ]; then
+  echo "Error: $OUTPUT" >&2
+  exit 1
+fi
+
+# Retry with backoff
+for i in 1 2 3 4 5; do
+  az webapp up --name my-app --resource-group my-rg && break
+  echo "Attempt $i failed, retrying in $((i * 5))s..."
+  sleep $((i * 5))
+done
+```
+
+## Waiting for Long-Running Operations
+
+Many Azure operations return before completion. Use `--no-wait` + explicit polling.
+
+```bash
+# Option 1: Synchronous (default — blocks until done)
+az vm create --resource-group my-rg --name my-vm --image Ubuntu2204
+
+# Option 2: Async + poll
+az vm create --resource-group my-rg --name my-vm --image Ubuntu2204 --no-wait
+az vm wait --name my-vm --resource-group my-rg --created
+az vm wait --name my-vm --resource-group my-rg --custom "powerState=='VM running'"
+
+# Wait conditions: --created, --updated, --deleted, --exists, --custom "JMESPath expr"
+```
+
+## Bicep (Infrastructure as Code)
+
+Bicep is Azure's native IaC language (compiles to ARM JSON).
+
+```bash
+# Install/upgrade Bicep
+az bicep install
+az bicep upgrade
+
+# Deploy Bicep template
+az deployment group create \
+  --resource-group my-rg \
+  --template-file main.bicep \
+  --parameters @parameters.json
+
+# What-if (dry run — shows changes without applying)
+az deployment group what-if \
+  --resource-group my-rg \
+  --template-file main.bicep \
+  --parameters @parameters.json
+
+# Subscription-level deployment
+az deployment sub create \
+  --location westeurope \
+  --template-file main.bicep
+
+# List deployments
+az deployment group list --resource-group my-rg -o table
+
+# Show deployment details (includes outputs)
+az deployment group show --name my-deployment --resource-group my-rg -o json
+
+# Export existing resource as ARM/Bicep
+az group export --name my-rg > exported.json
+az bicep decompile --file exported.json  # Convert ARM → Bicep
+```
+
+## ARM Templates
+
+```bash
+# Deploy ARM template
+az deployment group create \
+  --resource-group my-rg \
+  --template-file azuredeploy.json \
+  --parameters @azuredeploy.parameters.json
+
+# Deploy from URI
+az deployment group create \
+  --resource-group my-rg \
+  --template-uri "https://raw.githubusercontent.com/.../azuredeploy.json"
+
+# Validate (dry run)
+az deployment group validate \
+  --resource-group my-rg \
+  --template-file azuredeploy.json
+```
+
+## CI/CD: GitHub Actions
+
+### With Federated Credentials (OIDC — preferred, no secrets)
+
+```yaml
+permissions:
+  id-token: write
+  contents: read
+
+steps:
+- uses: azure/login@v2
+  with:
+    client-id: ${{ secrets.AZURE_CLIENT_ID }}
+    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+- run: az webapp deploy --name my-app --resource-group my-rg --src-path app.zip
+```
+
+Setup:
+
+```bash
+# Create app registration + federated credential
+az ad app create --display-name "github-actions-myrepo"
+APP_ID=$(az ad app list --display-name "github-actions-myrepo" --query "[0].appId" -o tsv)
+az ad sp create --id $APP_ID
+
+# Add federated credential for GitHub
+az ad app federated-credential create --id $APP_ID --parameters '{
+  "name": "github-main",
+  "issuer": "https://token.actions.githubusercontent.com",
+  "subject": "repo:ORG/REPO:ref:refs/heads/main",
+  "audiences": ["api://AzureADTokenExchange"]
+}'
+
+# Grant role
+az role assignment create --assignee $APP_ID --role Contributor \
+  --scope /subscriptions/SUB_ID/resourceGroups/my-rg
+```
+
+### With Service Principal Secret (fallback)
+
+```yaml
+steps:
+- uses: azure/login@v2
+  with:
+    creds: ${{ secrets.AZURE_CREDENTIALS }}
+    # JSON: {"clientId":"...","clientSecret":"...","subscriptionId":"...","tenantId":"..."}
+
+- run: az webapp deploy --name my-app --resource-group my-rg --src-path app.zip
+```
+
+## CI/CD: Azure DevOps Pipelines
+
+```yaml
+steps:
+- task: AzureCLI@2
+  inputs:
+    azureSubscription: 'my-service-connection'
+    scriptType: 'bash'
+    scriptLocation: 'inlineScript'
+    inlineScript: |
+      az webapp deploy --name my-app --resource-group my-rg --src-path app.zip
+```
+
+## Environment Variables
+
+```bash
+# Make scripts portable
+RG="${AZURE_RESOURCE_GROUP:-my-default-rg}"
+LOCATION="${AZURE_LOCATION:-westeurope}"
+SUB="${AZURE_SUBSCRIPTION_ID:-}"
+
+if [ -n "$SUB" ]; then
+  az account set --subscription "$SUB"
+fi
+```
+
+## Tags (Resource Organization)
+
+```bash
+# Tag a resource
+az resource tag --tags env=production team=backend \
+  --ids "/subscriptions/SUB_ID/resourceGroups/my-rg/providers/Microsoft.Web/sites/my-app"
+
+# Tag a resource group
+az group update --name my-rg --tags env=production
+
+# Find resources by tag
+az resource list --tag env=production -o table
+```
+
+## Azure Policy (overview)
+
+```bash
+# List assigned policies
+az policy assignment list --resource-group my-rg -o table
+
+# Show non-compliant resources
+az policy state list --resource-group my-rg --filter "complianceState eq 'NonCompliant'" -o table
+```