@polymorphism-tech/morph-spec 3.0.0 → 3.0.1

package/src/commands/deploy.js

@@ -1,780 +1,780 @@
-/**
- * MORPH-SPEC Deploy Command
- * Azure Container Apps deployment orchestrator with playbook-driven approach
- */
-
-import fs from 'fs';
-import path from 'path';
-import ora from 'ora';
-import chalk from 'chalk';
-import { execSync, exec } from 'child_process';
-import { logger } from '../utils/logger.js';
-import * as CostCalculator from '../lib/cost-calculator.js';
-
-// ============================================================================
-// Configuration Detection
-// ============================================================================
-
-/**
- * Find appsettings.json files in project
- * @param {string} projectPath - Root path to search
- * @returns {string[]} - Array of appsettings file paths
- */
-export function findAppSettingsFiles(projectPath = '.') {
-  const files = [];
-  const patterns = ['appsettings.json', 'appsettings.*.json'];
-
-  function searchDir(dir) {
-    try {
-      const entries = fs.readdirSync(dir, { withFileTypes: true });
-      for (const entry of entries) {
-        const fullPath = path.join(dir, entry.name);
-
-        // Skip node_modules, bin, obj, .git
-        if (entry.isDirectory() && !['node_modules', 'bin', 'obj', '.git', '.morph'].includes(entry.name)) {
-          searchDir(fullPath);
-        } else if (entry.isFile() && patterns.some(p =>
-          entry.name === 'appsettings.json' || entry.name.match(/^appsettings\..+\.json$/)
-        )) {
-          files.push(fullPath);
-        }
-      }
-    } catch (err) {
-      // Ignore permission errors
-    }
-  }
-
-  searchDir(projectPath);
-  return files;
-}
-
-/**
- * Find Program.cs files in project
- * @param {string} projectPath - Root path to search
- * @returns {string[]} - Array of Program.cs paths
- */
-export function findProgramCsFiles(projectPath = '.') {
-  const files = [];
-
-  function searchDir(dir) {
-    try {
-      const entries = fs.readdirSync(dir, { withFileTypes: true });
-      for (const entry of entries) {
-        const fullPath = path.join(dir, entry.name);
-
-        if (entry.isDirectory() && !['node_modules', 'bin', 'obj', '.git'].includes(entry.name)) {
-          searchDir(fullPath);
-        } else if (entry.isFile() && entry.name === 'Program.cs') {
-          files.push(fullPath);
-        }
-      }
-    } catch (err) {
-      // Ignore permission errors
-    }
-  }
-
-  searchDir(projectPath);
-  return files;
-}
-
-/**
- * Parse appsettings.json and extract configuration paths
- * @param {string} filePath - Path to appsettings.json
- * @returns {Object} - Parsed configuration with paths
- */
-export function parseAppSettings(filePath) {
-  const content = fs.readFileSync(filePath, 'utf-8');
-  const config = JSON.parse(content);
-  const paths = [];
-
-  function extractPaths(obj, prefix = '') {
-    for (const [key, value] of Object.entries(obj)) {
-      const currentPath = prefix ? `${prefix}:${key}` : key;
-
-      if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
-        extractPaths(value, currentPath);
-      } else {
-        paths.push({
-          configPath: currentPath,
-          envVar: currentPath.replace(/:/g, '__').toUpperCase(),
-          value: typeof value === 'string' && value.includes('your-') ? '(placeholder)' :
-                 typeof value === 'string' && value.length > 50 ? '(long-value)' : value,
-          isSecret: key.toLowerCase().includes('secret') ||
-                    key.toLowerCase().includes('password') ||
-                    key.toLowerCase().includes('key') ||
-                    key.toLowerCase().includes('connection') ||
-                    currentPath.toLowerCase().includes('connectionstrings')
-        });
-      }
-    }
-  }
-
-  extractPaths(config);
-  return { file: filePath, paths };
-}
-
-/**
- * Detect Blazor Server patterns in Program.cs
- * @param {string} filePath - Path to Program.cs
- * @returns {Object} - Detection results
- */
-export function detectBlazorServer(filePath) {
-  const content = fs.readFileSync(filePath, 'utf-8');
-
-  const patterns = {
-    interactiveServer: /\.AddInteractiveServerComponents\s*\(/,
-    serverSideBlazor: /\.AddServerSideBlazor\s*\(/,
-    razorComponents: /\.AddRazorComponents\s*\(\)\.AddInteractiveServerComponents\s*\(/,
-    blazorHub: /\.MapBlazorHub\s*\(/,
-    signalR: /\.AddSignalR\s*\(/
-  };
-
-  const detected = {};
-  for (const [name, pattern] of Object.entries(patterns)) {
-    detected[name] = pattern.test(content);
-  }
-
-  const isBlazorServer = detected.interactiveServer ||
-                          detected.serverSideBlazor ||
-                          detected.razorComponents ||
-                          detected.blazorHub;
-
-  return {
-    isBlazorServer,
-    requiresStickySessions: isBlazorServer,
-    patterns: detected
-  };
-}
-
-/**
- * Detect authentication patterns in Program.cs
- * @param {string} filePath - Path to Program.cs
- * @returns {Object} - Auth detection results
- */
-export function detectAuthentication(filePath) {
-  const content = fs.readFileSync(filePath, 'utf-8');
-
-  const patterns = {
-    azureAd: /\.AddMicrosoftIdentityWebApp\s*\(|GetSection\s*\(\s*["']AzureAd["']\s*\)/,
-    clerk: /Clerk|ClerkOptions|AddClerk/i,
-    identity: /\.AddIdentity\s*\(|\.AddDefaultIdentity\s*\(/,
-    jwt: /\.AddJwtBearer\s*\(/,
-    cookie: /\.AddCookie\s*\(/
-  };
-
-  const detected = {};
-  for (const [name, pattern] of Object.entries(patterns)) {
-    detected[name] = pattern.test(content);
-  }
-
-  return {
-    hasAuth: Object.values(detected).some(v => v),
-    providers: detected
-  };
-}
-
-/**
- * Detect Hangfire patterns
- * @param {string} filePath - Path to Program.cs
- * @returns {boolean} - Whether Hangfire is detected
- */
-export function detectHangfire(filePath) {
-  const content = fs.readFileSync(filePath, 'utf-8');
-  return /AddHangfire\s*\(|UseHangfireDashboard\s*\(/i.test(content);
-}
-
-/**
- * Generate complete configuration mapping
- * @param {string} projectPath - Root path
- * @returns {Object} - Complete configuration analysis
- */
-export function detectProjectConfig(projectPath = '.') {
-  const appSettingsFiles = findAppSettingsFiles(projectPath);
-  const programCsFiles = findProgramCsFiles(projectPath);
-
-  const configs = appSettingsFiles.map(f => parseAppSettings(f));
-
-  let blazorServer = { isBlazorServer: false, requiresStickySessions: false };
-  let auth = { hasAuth: false, providers: {} };
-  let hangfire = false;
-
-  for (const file of programCsFiles) {
-    const blazorResult = detectBlazorServer(file);
-    if (blazorResult.isBlazorServer) {
-      blazorServer = blazorResult;
-    }
-
-    const authResult = detectAuthentication(file);
-    if (authResult.hasAuth) {
-      auth = authResult;
-    }
-
-    if (detectHangfire(file)) {
-      hangfire = true;
-    }
-  }
-
-  // Consolidate all config paths
-  const allPaths = [];
-  const seen = new Set();
-
-  for (const config of configs) {
-    for (const p of config.paths) {
-      if (!seen.has(p.configPath)) {
-        seen.add(p.configPath);
-        allPaths.push(p);
-      }
-    }
-  }
-
-  return {
-    appSettingsFiles,
-    programCsFiles,
-    configs: allPaths,
-    blazorServer,
-    auth,
-    hangfire,
-    envVarsMapping: allPaths.map(p => ({
-      configPath: p.configPath,
-      envVar: p.envVar,
-      isSecret: p.isSecret,
-      type: p.isSecret ? 'Secret' : 'Plain'
-    }))
-  };
-}
-
-/**
- * Generate environment variables mapping for display
- * @param {Object} config - Project configuration
- * @returns {string} - Formatted mapping table
- */
-export function generateEnvVarsMapping(config) {
-  const secrets = config.envVarsMapping.filter(e => e.isSecret);
-  const plain = config.envVarsMapping.filter(e => !e.isSecret);
-
-  let output = '\n## Environment Variables Mapping\n\n';
-
-  if (secrets.length > 0) {
-    output += '### Secrets (require user input)\n';
-    output += '| Config Path | Environment Variable | Type |\n';
-    output += '|-------------|---------------------|------|\n';
-    secrets.forEach(s => {
-      output += `| ${s.configPath} | ${s.envVar} | Secret |\n`;
-    });
-    output += '\n';
-  }
-
-  if (plain.length > 0) {
-    output += '### Plain Values\n';
-    output += '| Config Path | Environment Variable |\n';
-    output += '|-------------|---------------------|\n';
-    plain.slice(0, 10).forEach(p => {
-      output += `| ${p.configPath} | ${p.envVar} |\n`;
-    });
-    if (plain.length > 10) {
-      output += `| ... and ${plain.length - 10} more |\n`;
-    }
-    output += '\n';
-  }
-
-  return output;
-}
-
-// ============================================================================
-// Prerequisites Validation
-// ============================================================================
-
-/**
- * Validate all prerequisites for deployment
- * @returns {Object} - Validation results
- */
-export function validatePrerequisites() {
-  const checks = [];
-
-  // Azure CLI
-  try {
-    const azVersion = execSync('az --version', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-    const versionMatch = azVersion.match(/azure-cli\s+(\d+\.\d+\.\d+)/);
-    checks.push({
-      name: 'Azure CLI',
-      passed: true,
-      version: versionMatch ? versionMatch[1] : 'unknown',
-      message: `Azure CLI ${versionMatch ? versionMatch[1] : ''} installed`
-    });
-  } catch {
-    checks.push({
-      name: 'Azure CLI',
-      passed: false,
-      message: 'Azure CLI not found',
-      fix: 'Download from: https://aka.ms/installazurecliwindows'
-    });
-  }
-
-  // Azure Login
-  try {
-    const account = execSync('az account show --output json', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-    const accountInfo = JSON.parse(account);
-    checks.push({
-      name: 'Azure Login',
-      passed: true,
-      subscription: accountInfo.name,
-      subscriptionId: accountInfo.id,
-      message: `Logged in to ${accountInfo.name}`
-    });
-  } catch {
-    checks.push({
-      name: 'Azure Login',
-      passed: false,
-      message: 'Not logged in to Azure',
-      fix: 'Run: az login --tenant <TENANT-ID>'
-    });
-  }
-
-  // Docker
-  try {
-    execSync('docker info', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-    const dockerVersion = execSync('docker --version', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-    checks.push({
-      name: 'Docker',
-      passed: true,
-      message: dockerVersion.trim()
-    });
-  } catch {
-    checks.push({
-      name: 'Docker',
-      passed: false,
-      message: 'Docker not running',
-      fix: 'Start Docker Desktop'
-    });
-  }
-
-  // .NET SDK
-  try {
-    const dotnetVersion = execSync('dotnet --version', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-    checks.push({
-      name: '.NET SDK',
-      passed: true,
-      version: dotnetVersion.trim(),
-      message: `.NET ${dotnetVersion.trim()} installed`
-    });
-  } catch {
-    checks.push({
-      name: '.NET SDK',
-      passed: false,
-      message: '.NET SDK not found',
-      fix: 'Download from: https://dot.net/download'
-    });
-  }
-
-  // dotnet-ef
-  try {
-    const efList = execSync('dotnet tool list --global', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-    const hasEf = efList.includes('dotnet-ef');
-    if (hasEf) {
-      checks.push({
-        name: 'dotnet-ef',
-        passed: true,
-        message: 'EF Core tools installed'
-      });
-    } else {
-      throw new Error('Not found');
-    }
-  } catch {
-    checks.push({
-      name: 'dotnet-ef',
-      passed: false,
-      message: 'EF Core tools not found',
-      fix: 'Run: dotnet tool install --global dotnet-ef'
-    });
-  }
-
-  // Bicep files
-  const hasBicep = fs.existsSync('infra/main.bicep');
-  checks.push({
-    name: 'Bicep templates',
-    passed: hasBicep,
-    message: hasBicep ? 'infra/main.bicep found' : 'No Bicep templates found',
-    fix: hasBicep ? null : 'Run: /morph-infra init'
-  });
-
-  // Dockerfile
-  const hasDockerfile = fs.existsSync('Dockerfile');
-  checks.push({
-    name: 'Dockerfile',
-    passed: hasDockerfile,
-    message: hasDockerfile ? 'Dockerfile found' : 'No Dockerfile found',
-    fix: hasDockerfile ? null : 'Create Dockerfile for the project'
-  });
-
-  return {
-    allPassed: checks.every(c => c.passed),
-    checks
-  };
-}
-
-/**
- * Validate password for special characters
- * @param {string} password - Password to validate
- * @returns {Object} - Validation result
- */
-export function validatePassword(password) {
-  const specialChars = /[!@#$%^&*()+=\[\]{}|;:'",<>?/\\`~]/;
-  const hasSpecial = specialChars.test(password);
-
-  return {
-    valid: !hasSpecial && password.length >= 16,
-    hasSpecialChars: hasSpecial,
-    length: password.length,
-    warnings: [
-      hasSpecial ? 'Contains special characters that may cause escape issues' : null,
-      password.length < 16 ? 'Password should be at least 16 characters' : null
-    ].filter(Boolean)
-  };
-}
-
-// ============================================================================
-// Rollback Functions
-// ============================================================================
-
-/**
- * List available revisions for rollback
- * @param {string} appName - Container App name
- * @param {string} resourceGroup - Resource group name
- * @returns {string[]} - List of revision names
- */
-export function listRevisions(appName, resourceGroup) {
-  try {
-    const result = execSync(
-      `az containerapp revision list --name ${appName} --resource-group ${resourceGroup} --query "[].{name:name,active:properties.active,traffic:properties.trafficWeight,created:properties.createdTime}" -o json`,
-      { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }
-    );
-    return JSON.parse(result);
-  } catch (error) {
-    throw new Error(`Failed to list revisions: ${error.message}`);
-  }
-}
-
-/**
- * Execute rollback to previous revision
- * @param {string} appName - Container App name
- * @param {string} resourceGroup - Resource group name
- * @param {string} revision - Target revision name
- */
-export function executeRollback(appName, resourceGroup, revision) {
-  try {
-    execSync(
-      `az containerapp revision activate --name ${appName} --resource-group ${resourceGroup} --revision ${revision}`,
-      { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }
-    );
-    return { success: true, revision };
-  } catch (error) {
-    throw new Error(`Rollback failed: ${error.message}`);
-  }
-}
-
-// ============================================================================
-// Azure DevOps Pipeline Generation
-// ============================================================================
-
-/**
- * Generate Azure DevOps pipeline YAML
- * @param {Object} options - Pipeline options
- * @returns {string} - YAML content
- */
-export function generatePipelineYaml(options = {}) {
-  const {
-    projectName = 'myapp',
-    acrName = 'myacr',
-    environments = ['dev', 'staging', 'prod']
-  } = options;
-
-  let yaml = `# Azure DevOps Pipeline for ${projectName}
-# Generated by MORPH-SPEC Azure Deploy Specialist
-
-trigger:
-  branches:
-    include:
-      - main
-      - develop
-
-pr:
-  branches:
-    include:
-      - main
-
-variables:
-  - group: 'deploy-secrets'
-  - name: projectName
-    value: '${projectName}'
-  - name: acrName
-    value: '${acrName}'
-
-stages:
-  - stage: Build
-    displayName: 'Build and Push Docker Image'
-    jobs:
-      - job: BuildAndPush
-        pool:
-          vmImage: 'ubuntu-latest'
-        steps:
-          - task: Docker@2
-            displayName: 'Build and Push'
-            inputs:
-              containerRegistry: 'acr-service-connection'
-              repository: '\$(projectName)'
-              command: 'buildAndPush'
-              Dockerfile: '**/Dockerfile'
-              tags: |
-                \$(Build.BuildId)
-                latest
-
-`;
-
-  // Add deployment stages for each environment
-  for (const env of environments) {
-    const condition = env === 'prod'
-      ? `and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))`
-      : env === 'staging'
-      ? `and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))`
-      : `succeeded()`;
-
-    yaml += `
-  - stage: Deploy${env.charAt(0).toUpperCase() + env.slice(1)}
-    displayName: 'Deploy to ${env.toUpperCase()}'
-    dependsOn: Build
-    condition: ${condition}
-    jobs:
-      - deployment: DeployTo${env.charAt(0).toUpperCase() + env.slice(1)}
-        displayName: 'Deploy to ${env}'
-        pool:
-          vmImage: 'ubuntu-latest'
-        environment: '${env}'
-        strategy:
-          runOnce:
-            deploy:
-              steps:
-                - task: AzureCLI@2
-                  displayName: 'Deploy Container App'
-                  inputs:
-                    azureSubscription: 'azure-service-connection'
-                    scriptType: 'bash'
-                    scriptLocation: 'inlineScript'
-                    inlineScript: |
-                      npx @polymorphism-tech/morph-spec deploy ${env} --auto \\
-                        --sql-password "\$(SqlPassword${env.charAt(0).toUpperCase() + env.slice(1)})" \\
-                        --skip-confirmation
-
-`;
-  }
-
-  return yaml;
-}
-
-// ============================================================================
-// Main Command
-// ============================================================================
-
-/**
- * Main deploy command
- * @param {string} environment - Target environment (dev, staging, prod)
- * @param {Object} options - CLI options
- */
-export async function deployCommand(environment, options) {
-  logger.header('MORPH-SPEC Azure Deploy Specialist');
-  logger.blank();
-
-  // Validate environment
-  const validEnvs = ['dev', 'staging', 'prod'];
-  if (environment && !validEnvs.includes(environment)) {
-    logger.error(`Invalid environment: ${environment}`);
-    logger.dim(`  Valid options: ${validEnvs.join(', ')}`);
-    process.exit(1);
-  }
-
-  // Handle special commands
-  if (options.rollback) {
-    return handleRollback(options);
-  }
-
-  if (options.generatePipeline) {
-    return handleGeneratePipeline(options);
-  }
-
-  // Default: analyze project
-  if (!environment) {
-    return analyzeProject(options);
-  }
-
-  // Full deploy flow
-  return executeDeployFlow(environment, options);
-}
-
-/**
- * Analyze project configuration
- */
-async function analyzeProject(options) {
-  logger.info('Analyzing project configuration...');
-  logger.blank();
-
-  const spinner = ora('Detecting configuration...').start();
-
-  try {
-    const config = detectProjectConfig('.');
-    spinner.succeed('Configuration detected');
-    logger.blank();
-
-    // Prerequisites
-    logger.header('Prerequisites');
-    const prereqs = validatePrerequisites();
-    prereqs.checks.forEach(check => {
-      if (check.passed) {
-        logger.success(`  ${check.name}: ${check.message}`);
-      } else {
-        logger.error(`  ${check.name}: ${check.message}`);
-        if (check.fix) {
-          logger.dim(`    Fix: ${check.fix}`);
-        }
-      }
-    });
-    logger.blank();
-
-    // Configuration files
-    logger.header('Configuration Files');
-    logger.dim(`  appsettings.json files: ${config.appSettingsFiles.length}`);
-    config.appSettingsFiles.forEach(f => logger.dim(`    - ${f}`));
-    logger.dim(`  Program.cs files: ${config.programCsFiles.length}`);
-    logger.blank();
-
-    // Blazor Server
-    if (config.blazorServer.isBlazorServer) {
-      logger.header('Blazor Server Detected');
-      logger.warn('  Sticky sessions REQUIRED for Blazor Server');
-      logger.dim('  Will be configured automatically during deploy');
-      logger.blank();
-    }
-
-    // Authentication
-    if (config.auth.hasAuth) {
-      logger.header('Authentication Detected');
-      Object.entries(config.auth.providers).forEach(([provider, detected]) => {
-        if (detected) {
-          logger.dim(`  - ${provider}`);
-        }
-      });
-      logger.blank();
-    }
-
-    // Hangfire
-    if (config.hangfire) {
-      logger.header('Hangfire Detected');
-      logger.dim('  Background jobs will be configured');
-      logger.blank();
-    }
-
-    // Environment Variables
-    logger.header('Environment Variables');
-    const secrets = config.envVarsMapping.filter(e => e.isSecret);
-    const plain = config.envVarsMapping.filter(e => !e.isSecret);
-    logger.dim(`  Secrets: ${secrets.length}`);
-    logger.dim(`  Plain: ${plain.length}`);
-    logger.blank();
-
-    if (secrets.length > 0) {
-      logger.header('Secrets Required (will prompt during deploy)');
-      secrets.forEach(s => {
-        logger.dim(`  - ${s.configPath} -> ${s.envVar}`);
-      });
-      logger.blank();
-    }
-
-    // JSON output
-    if (options.json) {
-      console.log(JSON.stringify({
-        prerequisites: prereqs,
-        configuration: config
-      }, null, 2));
-    }
-
-    // Next steps
-    logger.header('Next Steps');
-    if (!prereqs.allPassed) {
-      logger.warn('  1. Fix prerequisites issues listed above');
-    }
-    logger.dim('  1. Run: morph-spec deploy dev');
-    logger.dim('  2. Provide secrets when prompted');
-    logger.dim('  3. Confirm what-if before deploy');
-    logger.blank();
-
-  } catch (error) {
-    spinner.fail('Analysis failed');
-    logger.error(error.message);
-    process.exit(1);
-  }
-}
-
-/**
- * Handle rollback command
- */
-async function handleRollback(options) {
-  logger.header('Rollback');
-  logger.warn('Rollback functionality requires interactive mode');
-  logger.dim('  Use: /morph-deploy --rollback in Claude Code');
-  logger.blank();
-  process.exit(0);
-}
-
-/**
- * Handle pipeline generation
- */
-async function handleGeneratePipeline(options) {
-  logger.header('Generate Azure DevOps Pipeline');
-  logger.blank();
-
-  const yaml = generatePipelineYaml({
-    projectName: options.projectName || 'myapp',
-    acrName: options.acrName || 'myacr',
-    environments: ['dev', 'staging', 'prod']
-  });
-
-  const outputPath = 'azure-pipelines.yml';
-  fs.writeFileSync(outputPath, yaml);
-
-  logger.success(`Pipeline generated: ${outputPath}`);
-  logger.blank();
-  logger.dim('Next steps:');
-  logger.dim('  1. Review and customize the generated pipeline');
-  logger.dim('  2. Create service connections in Azure DevOps');
-  logger.dim('  3. Create variable group "deploy-secrets" with your secrets');
-  logger.dim('  4. Commit and push to trigger the pipeline');
-  logger.blank();
-}
-
-/**
- * Execute full deploy flow
- */
-async function executeDeployFlow(environment, options) {
-  logger.info(`Starting deploy to ${environment.toUpperCase()}...`);
-  logger.blank();
-
-  if (options.auto) {
-    logger.warn('Running in AUTO mode (CI/CD)');
-    logger.blank();
-  }
-
-  // This is primarily for analysis - full deployment is orchestrated by Claude
-  // using the slash command /morph-deploy which has interactive capabilities
-
-  logger.warn('Full deployment requires interactive mode');
-  logger.dim('  Use: /morph-deploy ' + environment + ' in Claude Code');
-  logger.blank();
-  logger.dim('  The slash command provides:');
-  logger.dim('  - Interactive secret collection');
-  logger.dim('  - What-if confirmation');
-  logger.dim('  - Progress tracking');
-  logger.dim('  - Automatic rollback on failure');
-  logger.blank();
-
-  if (options.dryRun) {
-    logger.info('Dry run completed. No changes made.');
-  }
-}
+/**
+ * MORPH-SPEC Deploy Command
+ * Azure Container Apps deployment orchestrator with playbook-driven approach
+ */
+
+import fs from 'fs';
+import path from 'path';
+import ora from 'ora';
+import chalk from 'chalk';
+import { execSync, exec } from 'child_process';
+import { logger } from '../utils/logger.js';
+import * as CostCalculator from '../lib/cost-calculator.js';
+
+// ============================================================================
+// Configuration Detection
+// ============================================================================
+
+/**
+ * Find appsettings.json files in project
+ * @param {string} projectPath - Root path to search
+ * @returns {string[]} - Array of appsettings file paths
+ */
+export function findAppSettingsFiles(projectPath = '.') {
+  const files = [];
+  const patterns = ['appsettings.json', 'appsettings.*.json'];
+
+  function searchDir(dir) {
+    try {
+      const entries = fs.readdirSync(dir, { withFileTypes: true });
+      for (const entry of entries) {
+        const fullPath = path.join(dir, entry.name);
+
+        // Skip node_modules, bin, obj, .git
+        if (entry.isDirectory() && !['node_modules', 'bin', 'obj', '.git', '.morph'].includes(entry.name)) {
+          searchDir(fullPath);
+        } else if (entry.isFile() && patterns.some(p =>
+          entry.name === 'appsettings.json' || entry.name.match(/^appsettings\..+\.json$/)
+        )) {
+          files.push(fullPath);
+        }
+      }
+    } catch (err) {
+      // Ignore permission errors
+    }
+  }
+
+  searchDir(projectPath);
+  return files;
+}
+
+/**
+ * Find Program.cs files in project
+ * @param {string} projectPath - Root path to search
+ * @returns {string[]} - Array of Program.cs paths
+ */
+export function findProgramCsFiles(projectPath = '.') {
+  const files = [];
+
+  function searchDir(dir) {
+    try {
+      const entries = fs.readdirSync(dir, { withFileTypes: true });
+      for (const entry of entries) {
+        const fullPath = path.join(dir, entry.name);
+
+        if (entry.isDirectory() && !['node_modules', 'bin', 'obj', '.git'].includes(entry.name)) {
+          searchDir(fullPath);
+        } else if (entry.isFile() && entry.name === 'Program.cs') {
+          files.push(fullPath);
+        }
+      }
+    } catch (err) {
+      // Ignore permission errors
+    }
+  }
+
+  searchDir(projectPath);
+  return files;
+}
+
+/**
+ * Parse appsettings.json and extract configuration paths
+ * @param {string} filePath - Path to appsettings.json
+ * @returns {Object} - Parsed configuration with paths
+ */
+export function parseAppSettings(filePath) {
+  const content = fs.readFileSync(filePath, 'utf-8');
+  const config = JSON.parse(content);
+  const paths = [];
+
+  function extractPaths(obj, prefix = '') {
+    for (const [key, value] of Object.entries(obj)) {
+      const currentPath = prefix ? `${prefix}:${key}` : key;
+
+      if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
+        extractPaths(value, currentPath);
+      } else {
+        paths.push({
+          configPath: currentPath,
+          envVar: currentPath.replace(/:/g, '__').toUpperCase(),
+          value: typeof value === 'string' && value.includes('your-') ? '(placeholder)' :
+                 typeof value === 'string' && value.length > 50 ? '(long-value)' : value,
+          isSecret: key.toLowerCase().includes('secret') ||
+                    key.toLowerCase().includes('password') ||
+                    key.toLowerCase().includes('key') ||
+                    key.toLowerCase().includes('connection') ||
+                    currentPath.toLowerCase().includes('connectionstrings')
+        });
+      }
+    }
+  }
+
+  extractPaths(config);
+  return { file: filePath, paths };
+}
+
+/**
+ * Detect Blazor Server patterns in Program.cs
+ * @param {string} filePath - Path to Program.cs
+ * @returns {Object} - Detection results
+ */
+export function detectBlazorServer(filePath) {
+  const content = fs.readFileSync(filePath, 'utf-8');
+
+  const patterns = {
+    interactiveServer: /\.AddInteractiveServerComponents\s*\(/,
+    serverSideBlazor: /\.AddServerSideBlazor\s*\(/,
+    razorComponents: /\.AddRazorComponents\s*\(\)\.AddInteractiveServerComponents\s*\(/,
+    blazorHub: /\.MapBlazorHub\s*\(/,
+    signalR: /\.AddSignalR\s*\(/
+  };
+
+  const detected = {};
+  for (const [name, pattern] of Object.entries(patterns)) {
+    detected[name] = pattern.test(content);
+  }
+
+  const isBlazorServer = detected.interactiveServer ||
+                          detected.serverSideBlazor ||
+                          detected.razorComponents ||
+                          detected.blazorHub;
+
+  return {
+    isBlazorServer,
+    requiresStickySessions: isBlazorServer,
+    patterns: detected
+  };
+}
+
+/**
+ * Detect authentication patterns in Program.cs
+ * @param {string} filePath - Path to Program.cs
+ * @returns {Object} - Auth detection results
+ */
+export function detectAuthentication(filePath) {
+  const content = fs.readFileSync(filePath, 'utf-8');
+
+  const patterns = {
+    azureAd: /\.AddMicrosoftIdentityWebApp\s*\(|GetSection\s*\(\s*["']AzureAd["']\s*\)/,
+    clerk: /Clerk|ClerkOptions|AddClerk/i,
+    identity: /\.AddIdentity\s*\(|\.AddDefaultIdentity\s*\(/,
+    jwt: /\.AddJwtBearer\s*\(/,
+    cookie: /\.AddCookie\s*\(/
+  };
+
+  const detected = {};
+  for (const [name, pattern] of Object.entries(patterns)) {
+    detected[name] = pattern.test(content);
+  }
+
+  return {
+    hasAuth: Object.values(detected).some(v => v),
+    providers: detected
+  };
+}
+
+/**
+ * Detect Hangfire patterns
+ * @param {string} filePath - Path to Program.cs
+ * @returns {boolean} - Whether Hangfire is detected
+ */
+export function detectHangfire(filePath) {
+  const content = fs.readFileSync(filePath, 'utf-8');
+  return /AddHangfire\s*\(|UseHangfireDashboard\s*\(/i.test(content);
+}
+
+/**
+ * Generate complete configuration mapping
+ * @param {string} projectPath - Root path
+ * @returns {Object} - Complete configuration analysis
+ */
+export function detectProjectConfig(projectPath = '.') {
+  const appSettingsFiles = findAppSettingsFiles(projectPath);
+  const programCsFiles = findProgramCsFiles(projectPath);
+
+  const configs = appSettingsFiles.map(f => parseAppSettings(f));
+
+  let blazorServer = { isBlazorServer: false, requiresStickySessions: false };
+  let auth = { hasAuth: false, providers: {} };
+  let hangfire = false;
+
+  for (const file of programCsFiles) {
+    const blazorResult = detectBlazorServer(file);
+    if (blazorResult.isBlazorServer) {
+      blazorServer = blazorResult;
+    }
+
+    const authResult = detectAuthentication(file);
+    if (authResult.hasAuth) {
+      auth = authResult;
+    }
+
+    if (detectHangfire(file)) {
+      hangfire = true;
+    }
+  }
+
+  // Consolidate all config paths
+  const allPaths = [];
+  const seen = new Set();
+
+  for (const config of configs) {
+    for (const p of config.paths) {
+      if (!seen.has(p.configPath)) {
+        seen.add(p.configPath);
+        allPaths.push(p);
+      }
+    }
+  }
+
+  return {
+    appSettingsFiles,
+    programCsFiles,
+    configs: allPaths,
+    blazorServer,
+    auth,
+    hangfire,
+    envVarsMapping: allPaths.map(p => ({
+      configPath: p.configPath,
+      envVar: p.envVar,
+      isSecret: p.isSecret,
+      type: p.isSecret ? 'Secret' : 'Plain'
+    }))
+  };
+}
+
+/**
+ * Generate environment variables mapping for display
+ * @param {Object} config - Project configuration
+ * @returns {string} - Formatted mapping table
+ */
+export function generateEnvVarsMapping(config) {
+  const secrets = config.envVarsMapping.filter(e => e.isSecret);
+  const plain = config.envVarsMapping.filter(e => !e.isSecret);
+
+  let output = '\n## Environment Variables Mapping\n\n';
+
+  if (secrets.length > 0) {
+    output += '### Secrets (require user input)\n';
+    output += '| Config Path | Environment Variable | Type |\n';
+    output += '|-------------|---------------------|------|\n';
+    secrets.forEach(s => {
+      output += `| ${s.configPath} | ${s.envVar} | Secret |\n`;
+    });
+    output += '\n';
+  }
+
+  if (plain.length > 0) {
+    output += '### Plain Values\n';
+    output += '| Config Path | Environment Variable |\n';
+    output += '|-------------|---------------------|\n';
+    plain.slice(0, 10).forEach(p => {
+      output += `| ${p.configPath} | ${p.envVar} |\n`;
+    });
+    if (plain.length > 10) {
+      output += `| ... and ${plain.length - 10} more |\n`;
+    }
+    output += '\n';
+  }
+
+  return output;
+}
+
+// ============================================================================
+// Prerequisites Validation
+// ============================================================================
+
+/**
+ * Validate all prerequisites for deployment
+ * @returns {Object} - Validation results
+ */
+export function validatePrerequisites() {
+  const checks = [];
+
+  // Azure CLI
+  try {
+    const azVersion = execSync('az --version', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const versionMatch = azVersion.match(/azure-cli\s+(\d+\.\d+\.\d+)/);
+    checks.push({
+      name: 'Azure CLI',
+      passed: true,
+      version: versionMatch ? versionMatch[1] : 'unknown',
+      message: `Azure CLI ${versionMatch ? versionMatch[1] : ''} installed`
+    });
+  } catch {
+    checks.push({
+      name: 'Azure CLI',
+      passed: false,
+      message: 'Azure CLI not found',
+      fix: 'Download from: https://aka.ms/installazurecliwindows'
+    });
+  }
+
+  // Azure Login
+  try {
+    const account = execSync('az account show --output json', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const accountInfo = JSON.parse(account);
+    checks.push({
+      name: 'Azure Login',
+      passed: true,
+      subscription: accountInfo.name,
+      subscriptionId: accountInfo.id,
+      message: `Logged in to ${accountInfo.name}`
+    });
+  } catch {
+    checks.push({
+      name: 'Azure Login',
+      passed: false,
+      message: 'Not logged in to Azure',
+      fix: 'Run: az login --tenant <TENANT-ID>'
+    });
+  }
+
+  // Docker
+  try {
+    execSync('docker info', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const dockerVersion = execSync('docker --version', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    checks.push({
+      name: 'Docker',
+      passed: true,
+      message: dockerVersion.trim()
+    });
+  } catch {
+    checks.push({
+      name: 'Docker',
+      passed: false,
+      message: 'Docker not running',
+      fix: 'Start Docker Desktop'
+    });
+  }
+
+  // .NET SDK
+  try {
+    const dotnetVersion = execSync('dotnet --version', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    checks.push({
+      name: '.NET SDK',
+      passed: true,
+      version: dotnetVersion.trim(),
+      message: `.NET ${dotnetVersion.trim()} installed`
+    });
+  } catch {
+    checks.push({
+      name: '.NET SDK',
+      passed: false,
+      message: '.NET SDK not found',
+      fix: 'Download from: https://dot.net/download'
+    });
+  }
+
+  // dotnet-ef
+  try {
+    const efList = execSync('dotnet tool list --global', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const hasEf = efList.includes('dotnet-ef');
+    if (hasEf) {
+      checks.push({
+        name: 'dotnet-ef',
+        passed: true,
+        message: 'EF Core tools installed'
+      });
+    } else {
+      throw new Error('Not found');
+    }
+  } catch {
+    checks.push({
+      name: 'dotnet-ef',
+      passed: false,
+      message: 'EF Core tools not found',
+      fix: 'Run: dotnet tool install --global dotnet-ef'
+    });
+  }
+
+  // Bicep files
+  const hasBicep = fs.existsSync('infra/main.bicep');
+  checks.push({
+    name: 'Bicep templates',
+    passed: hasBicep,
+    message: hasBicep ? 'infra/main.bicep found' : 'No Bicep templates found',
+    fix: hasBicep ? null : 'Run: /morph-infra init'
+  });
+
+  // Dockerfile
+  const hasDockerfile = fs.existsSync('Dockerfile');
+  checks.push({
+    name: 'Dockerfile',
+    passed: hasDockerfile,
+    message: hasDockerfile ? 'Dockerfile found' : 'No Dockerfile found',
+    fix: hasDockerfile ? null : 'Create Dockerfile for the project'
+  });
+
+  return {
+    allPassed: checks.every(c => c.passed),
+    checks
+  };
+}
+
+/**
+ * Validate password for special characters
+ * @param {string} password - Password to validate
+ * @returns {Object} - Validation result
+ */
+export function validatePassword(password) {
+  const specialChars = /[!@#$%^&*()+=\[\]{}|;:'",<>?/\\`~]/;
+  const hasSpecial = specialChars.test(password);
+
+  return {
+    valid: !hasSpecial && password.length >= 16,
+    hasSpecialChars: hasSpecial,
+    length: password.length,
+    warnings: [
+      hasSpecial ? 'Contains special characters that may cause escape issues' : null,
+      password.length < 16 ? 'Password should be at least 16 characters' : null
+    ].filter(Boolean)
+  };
+}
+
+// ============================================================================
+// Rollback Functions
+// ============================================================================
+
+/**
+ * List available revisions for rollback
+ * @param {string} appName - Container App name
+ * @param {string} resourceGroup - Resource group name
+ * @returns {string[]} - List of revision names
+ */
+export function listRevisions(appName, resourceGroup) {
+  try {
+    const result = execSync(
+      `az containerapp revision list --name ${appName} --resource-group ${resourceGroup} --query "[].{name:name,active:properties.active,traffic:properties.trafficWeight,created:properties.createdTime}" -o json`,
+      { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }
+    );
+    return JSON.parse(result);
+  } catch (error) {
+    throw new Error(`Failed to list revisions: ${error.message}`);
+  }
+}
+
+/**
+ * Execute rollback to previous revision
+ * @param {string} appName - Container App name
+ * @param {string} resourceGroup - Resource group name
+ * @param {string} revision - Target revision name
+ */
+export function executeRollback(appName, resourceGroup, revision) {
+  try {
+    execSync(
+      `az containerapp revision activate --name ${appName} --resource-group ${resourceGroup} --revision ${revision}`,
+      { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }
+    );
+    return { success: true, revision };
+  } catch (error) {
+    throw new Error(`Rollback failed: ${error.message}`);
+  }
+}
+
+// ============================================================================
+// Azure DevOps Pipeline Generation
+// ============================================================================
+
+/**
+ * Generate Azure DevOps pipeline YAML
+ * @param {Object} options - Pipeline options
+ * @returns {string} - YAML content
+ */
+export function generatePipelineYaml(options = {}) {
+  const {
+    projectName = 'myapp',
+    acrName = 'myacr',
+    environments = ['dev', 'staging', 'prod']
+  } = options;
+
+  let yaml = `# Azure DevOps Pipeline for ${projectName}
+# Generated by MORPH-SPEC Azure Deploy Specialist
+
+trigger:
+  branches:
+    include:
+      - main
+      - develop
+
+pr:
+  branches:
+    include:
+      - main
+
+variables:
+  - group: 'deploy-secrets'
+  - name: projectName
+    value: '${projectName}'
+  - name: acrName
+    value: '${acrName}'
+
+stages:
+  - stage: Build
+    displayName: 'Build and Push Docker Image'
+    jobs:
+      - job: BuildAndPush
+        pool:
+          vmImage: 'ubuntu-latest'
+        steps:
+          - task: Docker@2
+            displayName: 'Build and Push'
+            inputs:
+              containerRegistry: 'acr-service-connection'
+              repository: '\$(projectName)'
+              command: 'buildAndPush'
+              Dockerfile: '**/Dockerfile'
+              tags: |
+                \$(Build.BuildId)
+                latest
+
+`;
+
+  // Add deployment stages for each environment
+  for (const env of environments) {
+    const condition = env === 'prod'
+      ? `and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))`
+      : env === 'staging'
+      ? `and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))`
+      : `succeeded()`;
+
+    yaml += `
+  - stage: Deploy${env.charAt(0).toUpperCase() + env.slice(1)}
+    displayName: 'Deploy to ${env.toUpperCase()}'
+    dependsOn: Build
+    condition: ${condition}
+    jobs:
+      - deployment: DeployTo${env.charAt(0).toUpperCase() + env.slice(1)}
+        displayName: 'Deploy to ${env}'
+        pool:
+          vmImage: 'ubuntu-latest'
+        environment: '${env}'
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - task: AzureCLI@2
+                  displayName: 'Deploy Container App'
+                  inputs:
+                    azureSubscription: 'azure-service-connection'
+                    scriptType: 'bash'
+                    scriptLocation: 'inlineScript'
+                    inlineScript: |
+                      npx @polymorphism-tech/morph-spec deploy ${env} --auto \\
+                        --sql-password "\$(SqlPassword${env.charAt(0).toUpperCase() + env.slice(1)})" \\
+                        --skip-confirmation
+
+`;
+  }
+
+  return yaml;
+}
+
+// ============================================================================
+// Main Command
+// ============================================================================
+
+/**
+ * Main deploy command
+ * @param {string} environment - Target environment (dev, staging, prod)
+ * @param {Object} options - CLI options
+ */
+export async function deployCommand(environment, options) {
+  logger.header('MORPH-SPEC Azure Deploy Specialist');
+  logger.blank();
+
+  // Validate environment
+  const validEnvs = ['dev', 'staging', 'prod'];
+  if (environment && !validEnvs.includes(environment)) {
+    logger.error(`Invalid environment: ${environment}`);
+    logger.dim(`  Valid options: ${validEnvs.join(', ')}`);
+    process.exit(1);
+  }
+
+  // Handle special commands
+  if (options.rollback) {
+    return handleRollback(options);
+  }
+
+  if (options.generatePipeline) {
+    return handleGeneratePipeline(options);
+  }
+
+  // Default: analyze project
+  if (!environment) {
+    return analyzeProject(options);
+  }
+
+  // Full deploy flow
+  return executeDeployFlow(environment, options);
+}
+
+/**
+ * Analyze project configuration
+ */
+async function analyzeProject(options) {
+  logger.info('Analyzing project configuration...');
+  logger.blank();
+
+  const spinner = ora('Detecting configuration...').start();
+
+  try {
+    const config = detectProjectConfig('.');
+    spinner.succeed('Configuration detected');
+    logger.blank();
+
+    // Prerequisites
+    logger.header('Prerequisites');
+    const prereqs = validatePrerequisites();
+    prereqs.checks.forEach(check => {
+      if (check.passed) {
+        logger.success(`  ${check.name}: ${check.message}`);
+      } else {
+        logger.error(`  ${check.name}: ${check.message}`);
+        if (check.fix) {
+          logger.dim(`    Fix: ${check.fix}`);
+        }
+      }
+    });
+    logger.blank();
+
+    // Configuration files
+    logger.header('Configuration Files');
+    logger.dim(`  appsettings.json files: ${config.appSettingsFiles.length}`);
+    config.appSettingsFiles.forEach(f => logger.dim(`    - ${f}`));
+    logger.dim(`  Program.cs files: ${config.programCsFiles.length}`);
+    logger.blank();
+
+    // Blazor Server
+    if (config.blazorServer.isBlazorServer) {
+      logger.header('Blazor Server Detected');
+      logger.warn('  Sticky sessions REQUIRED for Blazor Server');
+      logger.dim('  Will be configured automatically during deploy');
+      logger.blank();
+    }
+
+    // Authentication
+    if (config.auth.hasAuth) {
+      logger.header('Authentication Detected');
+      Object.entries(config.auth.providers).forEach(([provider, detected]) => {
+        if (detected) {
+          logger.dim(`  - ${provider}`);
+        }
+      });
+      logger.blank();
+    }
+
+    // Hangfire
+    if (config.hangfire) {
+      logger.header('Hangfire Detected');
+      logger.dim('  Background jobs will be configured');
+      logger.blank();
+    }
+
+    // Environment Variables
+    logger.header('Environment Variables');
+    const secrets = config.envVarsMapping.filter(e => e.isSecret);
+    const plain = config.envVarsMapping.filter(e => !e.isSecret);
+    logger.dim(`  Secrets: ${secrets.length}`);
+    logger.dim(`  Plain: ${plain.length}`);
+    logger.blank();
+
+    if (secrets.length > 0) {
+      logger.header('Secrets Required (will prompt during deploy)');
+      secrets.forEach(s => {
+        logger.dim(`  - ${s.configPath} -> ${s.envVar}`);
+      });
+      logger.blank();
+    }
+
+    // JSON output
+    if (options.json) {
+      console.log(JSON.stringify({
+        prerequisites: prereqs,
+        configuration: config
+      }, null, 2));
+    }
+
+    // Next steps
+    logger.header('Next Steps');
+    if (!prereqs.allPassed) {
+      logger.warn('  1. Fix prerequisites issues listed above');
+    }
+    logger.dim('  1. Run: morph-spec deploy dev');
+    logger.dim('  2. Provide secrets when prompted');
+    logger.dim('  3. Confirm what-if before deploy');
+    logger.blank();
+
+  } catch (error) {
+    spinner.fail('Analysis failed');
+    logger.error(error.message);
+    process.exit(1);
+  }
+}
+
+/**
+ * Handle rollback command
+ */
+async function handleRollback(options) {
+  logger.header('Rollback');
+  logger.warn('Rollback functionality requires interactive mode');
+  logger.dim('  Use: /morph-deploy --rollback in Claude Code');
+  logger.blank();
+  process.exit(0);
+}
+
+/**
+ * Handle pipeline generation
+ */
+async function handleGeneratePipeline(options) {
+  logger.header('Generate Azure DevOps Pipeline');
+  logger.blank();
+
+  const yaml = generatePipelineYaml({
+    projectName: options.projectName || 'myapp',
+    acrName: options.acrName || 'myacr',
+    environments: ['dev', 'staging', 'prod']
+  });
+
+  const outputPath = 'azure-pipelines.yml';
+  fs.writeFileSync(outputPath, yaml);
+
+  logger.success(`Pipeline generated: ${outputPath}`);
+  logger.blank();
+  logger.dim('Next steps:');
+  logger.dim('  1. Review and customize the generated pipeline');
+  logger.dim('  2. Create service connections in Azure DevOps');
+  logger.dim('  3. Create variable group "deploy-secrets" with your secrets');
+  logger.dim('  4. Commit and push to trigger the pipeline');
+  logger.blank();
+}
+
+/**
+ * Execute full deploy flow
+ */
+async function executeDeployFlow(environment, options) {
+  logger.info(`Starting deploy to ${environment.toUpperCase()}...`);
+  logger.blank();
+
+  if (options.auto) {
+    logger.warn('Running in AUTO mode (CI/CD)');
+    logger.blank();
+  }
+
+  // This is primarily for analysis - full deployment is orchestrated by Claude
+  // using the slash command /morph-deploy which has interactive capabilities
+
+  logger.warn('Full deployment requires interactive mode');
+  logger.dim('  Use: /morph-deploy ' + environment + ' in Claude Code');
+  logger.blank();
+  logger.dim('  The slash command provides:');
+  logger.dim('  - Interactive secret collection');
+  logger.dim('  - What-if confirmation');
+  logger.dim('  - Progress tracking');
+  logger.dim('  - Automatic rollback on failure');
+  logger.blank();
+
+  if (options.dryRun) {
+    logger.info('Dry run completed. No changes made.');
+  }
+}