@slamb2k/mad-skills 2.0.28 → 2.0.29

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "mad-skills",
   "description": "AI-assisted planning, development and governance tools",
-  "version": "2.0.28",
+  "version": "2.0.29",
   "author": {
     "name": "slamb2k",
     "url": "https://github.com/slamb2k"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@slamb2k/mad-skills",
-  "version": "2.0.28",
+  "version": "2.0.29",
   "description": "Claude Code skills collection — full lifecycle development tools",
   "type": "module",
   "repository": {

package/skills/dock/SKILL.md

@@ -81,6 +81,27 @@ Status icons: ✅ done · ❌ failed · ⚠️ degraded · ⏳ working · ⏭️
 
 ---
 
+## Platform Detection
+
+Detect the hosting platform **before** pre-flight so dependency checks are
+platform-specific:
+
+```bash
+REMOTE_URL=$(git remote get-url origin 2>/dev/null)
+if echo "$REMOTE_URL" | grep -qiE 'dev\.azure\.com|visualstudio\.com'; then
+  PLATFORM="azdo"
+elif echo "$REMOTE_URL" | grep -qi 'github\.com'; then
+  PLATFORM="github"
+else
+  PLATFORM="github"   # default fallback
+fi
+```
+
+Pass `{PLATFORM}` into all phase prompts. Each phase uses the appropriate
+CLI tool and registry defaults based on the detected platform.
+
+---
+
 ## Pre-flight
 
 Before starting, check dependencies:
@@ -90,12 +111,101 @@ Before starting, check dependencies:
 | docker | cli | `docker --version` | no | ask | Needed for local build verification; skip verify phase if absent |
 | git | cli | `git --version` | yes | stop | Install from https://git-scm.com |
 | sync | skill | `~/.claude/skills/sync/SKILL.md` or `~/.claude/plugins/marketplaces/slamb2k/skills/sync/SKILL.md` | no | fallback | Repo sync; falls back to manual git pull |
+| az devops | cli | `az devops -h 2>/dev/null` | no | fallback | Falls back to REST API with PAT; see AzDO tooling below |
+
+**Platform-conditional rules:**
+- **`az devops`**: Only checked when `PLATFORM == azdo`. Skip for GitHub repos.
+
+For each applicable row, in order:
+1. Skip rows that don't apply to the detected `{PLATFORM}`
+2. Run the Check command (for cli/npm) or test file existence (for agent/skill)
+3. If found: continue silently
+4. If missing: apply Resolution strategy
+   - **stop**: notify user with Detail, halt execution
+   - **url**: notify user with Detail (install link), halt execution
+   - **install**: notify user, run the command in Detail, continue if successful
+   - **ask**: notify user, offer to run command in Detail, continue either way (or halt if required)
+   - **fallback**: notify user with Detail, continue with degraded behavior
+5. After all checks: summarize what's available and what's degraded
+
+### AzDO Tooling Detection
+
+When `PLATFORM == azdo`, determine which tooling is available. Set `AZDO_MODE`
+for use in all subsequent phases:
+
+```bash
+if az devops -h &>/dev/null; then
+  AZDO_MODE="cli"
+else
+  AZDO_MODE="rest"
+fi
+```
+
+- **`cli`**: Use `az repos` / `az pipelines` commands (preferred)
+- **`rest`**: Use Azure DevOps REST API via `curl`. Requires a PAT (personal
+  access token) in `AZURE_DEVOPS_EXT_PAT` or `AZDO_PAT` env var. If no PAT
+  is found, prompt the user to either install the CLI or set the env var.
+
+Report in pre-flight:
+- ✅ `az devops cli` — version found
+- ⚠️ `az devops cli` — not found → using REST API fallback
+- ❌ `az devops cli` — not found, no PAT configured → halt with setup instructions
+
+### AzDO Configuration Validation
+
+When `PLATFORM == azdo`, extract organization and project from the remote URL
+and validate they are usable. These values are needed by every `az repos` /
+`az pipelines` command and every REST API call.
+
+```bash
+# Extract org and project from remote URL patterns:
+#   https://dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}
+#   https://{ORG}@dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}
+#   {ORG}@vs-ssh.visualstudio.com:v3/{ORG}/{PROJECT}/{REPO}
+
+REMOTE_URL=$(git remote get-url origin 2>/dev/null)
+
+if echo "$REMOTE_URL" | grep -q 'dev\.azure\.com'; then
+  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*dev\.azure\.com/\([^/]*\)/.*|\1|p')
+  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*dev\.azure\.com/[^/]*/\([^/]*\)/.*|\1|p')
+  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+elif echo "$REMOTE_URL" | grep -q 'vs-ssh\.visualstudio\.com'; then
+  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*vs-ssh\.visualstudio\.com:v3/\([^/]*\)/.*|\1|p')
+  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*vs-ssh\.visualstudio\.com:v3/[^/]*/\([^/]*\)/.*|\1|p')
+  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+elif echo "$REMOTE_URL" | grep -q 'visualstudio\.com'; then
+  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*//\([^.]*\)\.visualstudio\.com.*|\1|p')
+  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*/\([^/]*\)/_git/.*|\1|p')
+  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+fi
+
+if [ -z "$AZDO_ORG" ] || [ -z "$AZDO_PROJECT" ]; then
+  echo "❌ Could not extract organization/project from remote URL"
+  echo "   Remote: $REMOTE_URL"
+  echo ""
+  echo "Ensure the remote URL follows one of these formats:"
+  echo "  https://dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}"
+  echo "  https://{ORG}.visualstudio.com/{PROJECT}/_git/{REPO}"
+  echo "  {ORG}@vs-ssh.visualstudio.com:v3/{ORG}/{PROJECT}/{REPO}"
+  # HALT — cannot proceed without org/project context
+fi
+```
+
+When `AZDO_MODE == cli`, also configure the defaults so commands work correctly:
+```bash
+az devops configure --defaults organization="$AZDO_ORG_URL" project="$AZDO_PROJECT"
+```
+
+When `AZDO_MODE == rest`, store these for API calls:
+- Base URL: `$AZDO_ORG_URL/$AZDO_PROJECT/_apis`
+- Auth header: `Authorization: Basic $(echo -n ":$PAT" | base64)`
+
+Report in pre-flight:
+- ✅ `azdo context` — org: `{AZDO_ORG}`, project: `{AZDO_PROJECT}`
+- ❌ `azdo context` — could not parse from remote URL → halt with instructions
 
-For each row:
-1. Run the Check command
-2. If found: continue silently
-3. If missing: apply Resolution strategy
-4. After all checks: summarize availability
+Pass `{AZDO_MODE}`, `{AZDO_ORG}`, `{AZDO_PROJECT}`, `{AZDO_ORG_URL}` into
+all phase prompts alongside `{PLATFORM}`.
 
 ---
 
@@ -206,8 +316,10 @@ Optional — ask only if deploying to platforms that need this:
 - **Blue-green**: maintain two environments, swap traffic
 - **Canary**: gradual traffic shift with automatic rollback on error thresholds
 
-**If `--skip-interview` flag**: Use detected defaults + sensible defaults for
-everything else (ghcr.io, 3-stage, GitHub Secrets, simple rollback).
+**If `--skip-interview` flag**: Use detected defaults + sensible platform-aware
+defaults for everything else:
+- **GitHub** (`PLATFORM == github`): ghcr.io, 3-stage, GitHub Secrets, simple rollback
+- **Azure DevOps** (`PLATFORM == azdo`): Azure Container Registry, 3-stage, Azure Key Vault, simple rollback
 
 Compile all answers into a DOCK_CONFIG object for Phase 3.
 

package/skills/dock/references/dockerfile-templates.md

@@ -141,6 +141,9 @@ CMD ["gunicorn", "--bind", "0.0.0.0:{PORT}", "--workers", "4", "app:app"]
 FROM python:3.12-slim AS deps
 WORKDIR /app
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
+# NOTE: ghcr.io/astral-sh/uv is the official uv installer image, not your app registry.
+# If ghcr.io is blocked (e.g., corporate firewall), mirror this image to your
+# internal registry: COPY --from={INTERNAL_REGISTRY}/astral-sh/uv:latest /uv /usr/local/bin/uv
 COPY pyproject.toml uv.lock ./
 RUN uv sync --frozen --no-dev --no-install-project
 

package/skills/dock/references/interview-guide.md

@@ -117,7 +117,9 @@ Mapping:
 - GitHub Actions → suggest ghcr.io
 - Azure Pipelines → suggest Azure Container Registry
 - GitLab CI → suggest GitLab Container Registry
-- No CI → suggest ghcr.io (most universal)
+- No CI → detect platform from git remote URL:
+  - AzDO remote → suggest Azure Container Registry
+  - GitHub remote or unknown → suggest ghcr.io (most universal)
 
 ### Environment Topology
 
@@ -181,6 +183,10 @@ Options:
 5. Doppler
 6. 1Password (via CLI)
 7. HashiCorp Vault
+
+Default selection based on platform:
+- `PLATFORM == github` → default to GitHub Secrets / Variables
+- `PLATFORM == azdo` → default to Azure Key Vault
 ```
 
 ### Rollback Strategy

package/skills/dock/tests/evals.json

@@ -32,5 +32,14 @@
       { "type": "semantic", "value": "Supports different deployment targets per environment" },
       { "type": "semantic", "value": "References both Azure Container Apps and Dokku as deployment platforms" }
     ]
+  },
+  {
+    "name": "azdo-awareness",
+    "prompt": "/dock for a Python FastAPI app in an Azure DevOps repo with azure-pipelines.yml already present",
+    "assertions": [
+      { "type": "semantic", "value": "Detects or acknowledges Azure DevOps as the platform based on the repository context" },
+      { "type": "semantic", "value": "Suggests Azure Container Registry rather than ghcr.io as the default registry" },
+      { "type": "semantic", "value": "References Azure Pipelines as the CI system for the generated workflow" }
+    ]
   }
 ]

package/skills/keel/SKILL.md

@@ -68,9 +68,31 @@ Stage headers: `━━ {N} · {Name} ━━━━━━━━━━━━━`. I
 
 ---
 
+## Platform Detection
+
+Detect the hosting platform **before** pre-flight so dependency checks are
+platform-specific:
+
+```bash
+REMOTE_URL=$(git remote get-url origin 2>/dev/null)
+if echo "$REMOTE_URL" | grep -qiE 'dev\.azure\.com|visualstudio\.com'; then
+  PLATFORM="azdo"
+elif echo "$REMOTE_URL" | grep -qi 'github\.com'; then
+  PLATFORM="github"
+else
+  PLATFORM="github"   # default fallback
+fi
+```
+
+Pass `{PLATFORM}` into all phase prompts. Each phase uses the appropriate
+CLI tool: `gh` for GitHub, `az repos`/`az pipelines` for Azure DevOps.
+
+---
+
 ## Pre-flight
 
-Before starting, check dependencies:
+Before starting, check all dependencies in this table. The table contains
+**all** dependencies — some are platform-conditional (see notes after table).
 
 | Dependency | Type | Check | Required | Resolution | Detail |
 |-----------|------|-------|----------|------------|--------|
@@ -80,10 +102,107 @@ Before starting, check dependencies:
 | az | cli | `az --version` | no | fallback | Needed for Bicep; suggest install from https://aka.ms/install-azure-cli |
 | pulumi | cli | `pulumi version` | no | fallback | Detected if user wants Pulumi; suggest install from https://pulumi.com |
 | cdk | cli | `cdk --version` | no | fallback | Detected if user wants AWS CDK; install via npm |
+| gh | cli | `gh --version` | yes | url | https://cli.github.com |
+| az devops | cli | `az devops -h 2>/dev/null` | no | fallback | Falls back to REST API with PAT; see AzDO tooling below |
+
+**Platform-conditional rules:**
+- **`gh`**: Only required when `PLATFORM == github`. Skip for AzDO repos.
+- **`az devops`**: Only checked when `PLATFORM == azdo`. Skip for GitHub repos.
 
-Only check the tool that matches the user's choice (or detected default).
+Only check the IaC tool row that matches the user's choice (or detected default).
 Skip checks for tools not being used.
 
+For each applicable row, in order:
+1. Skip rows that don't apply to the detected `{PLATFORM}`
+2. Run the Check command (for cli/npm) or test file existence (for agent/skill)
+3. If found: continue silently
+4. If missing: apply Resolution strategy
+   - **stop**: notify user with Detail, halt execution
+   - **url**: notify user with Detail (install link), halt execution
+   - **install**: notify user, run the command in Detail, continue if successful
+   - **ask**: notify user, offer to run command in Detail, continue either way (or halt if required)
+   - **fallback**: notify user with Detail, continue with degraded behavior
+5. After all checks: summarize what's available and what's degraded
+
+### AzDO Tooling Detection
+
+When `PLATFORM == azdo`, determine which tooling is available. Set `AZDO_MODE`
+for use in all subsequent phases:
+
+```bash
+if az devops -h &>/dev/null; then
+  AZDO_MODE="cli"
+else
+  AZDO_MODE="rest"
+fi
+```
+
+- **`cli`**: Use `az repos` / `az pipelines` commands (preferred)
+- **`rest`**: Use Azure DevOps REST API via `curl`. Requires a PAT (personal
+  access token) in `AZURE_DEVOPS_EXT_PAT` or `AZDO_PAT` env var. If no PAT
+  is found, prompt the user to either install the CLI or set the env var.
+
+Report in pre-flight:
+- ✅ `az devops cli` — version found
+- ⚠️ `az devops cli` — not found → using REST API fallback
+- ❌ `az devops cli` — not found, no PAT configured → halt with setup instructions
+
+### AzDO Configuration Validation
+
+When `PLATFORM == azdo`, extract organization and project from the remote URL
+and validate they are usable. These values are needed by every `az repos` /
+`az pipelines` command and every REST API call.
+
+```bash
+# Extract org and project from remote URL patterns:
+#   https://dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}
+#   https://{ORG}@dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}
+#   {ORG}@vs-ssh.visualstudio.com:v3/{ORG}/{PROJECT}/{REPO}
+
+REMOTE_URL=$(git remote get-url origin 2>/dev/null)
+
+if echo "$REMOTE_URL" | grep -q 'dev\.azure\.com'; then
+  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*dev\.azure\.com/\([^/]*\)/.*|\1|p')
+  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*dev\.azure\.com/[^/]*/\([^/]*\)/.*|\1|p')
+  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+elif echo "$REMOTE_URL" | grep -q 'vs-ssh\.visualstudio\.com'; then
+  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*vs-ssh\.visualstudio\.com:v3/\([^/]*\)/.*|\1|p')
+  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*vs-ssh\.visualstudio\.com:v3/[^/]*/\([^/]*\)/.*|\1|p')
+  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+elif echo "$REMOTE_URL" | grep -q 'visualstudio\.com'; then
+  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*//\([^.]*\)\.visualstudio\.com.*|\1|p')
+  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*/\([^/]*\)/_git/.*|\1|p')
+  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+fi
+
+if [ -z "$AZDO_ORG" ] || [ -z "$AZDO_PROJECT" ]; then
+  echo "❌ Could not extract organization/project from remote URL"
+  echo "   Remote: $REMOTE_URL"
+  echo ""
+  echo "Ensure the remote URL follows one of these formats:"
+  echo "  https://dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}"
+  echo "  https://{ORG}.visualstudio.com/{PROJECT}/_git/{REPO}"
+  echo "  {ORG}@vs-ssh.visualstudio.com:v3/{ORG}/{PROJECT}/{REPO}"
+  # HALT — cannot proceed without org/project context
+fi
+```
+
+When `AZDO_MODE == cli`, also configure the defaults so commands work correctly:
+```bash
+az devops configure --defaults organization="$AZDO_ORG_URL" project="$AZDO_PROJECT"
+```
+
+When `AZDO_MODE == rest`, store these for API calls:
+- Base URL: `$AZDO_ORG_URL/$AZDO_PROJECT/_apis`
+- Auth header: `Authorization: Basic $(echo -n ":$PAT" | base64)`
+
+Report in pre-flight:
+- ✅ `azdo context` — org: `{AZDO_ORG}`, project: `{AZDO_PROJECT}`
+- ❌ `azdo context` — could not parse from remote URL → halt with instructions
+
+Pass `{AZDO_MODE}`, `{AZDO_ORG}`, `{AZDO_PROJECT}`, `{AZDO_ORG_URL}` into
+all phase prompts alongside `{PLATFORM}`.
+
 ---
 
 ## Phase 0: Sync
@@ -360,6 +479,13 @@ Use the provider-specific template from `references/iac-pipeline-templates.md#bo
 
 Read the appropriate template from `references/iac-pipeline-templates.md`.
 
+**Platform branching:**
+- When `PLATFORM == github`: Generate a GitHub Actions workflow. Output file:
+  `.github/workflows/infra.yml`. Use templates from the "GitHub Actions" section.
+- When `PLATFORM == azdo`: Generate an Azure DevOps Pipelines YAML file. Output
+  file: `azure-pipelines-infra.yml`. Use templates from the "Azure DevOps
+  Pipelines" section.
+
 Generate a workflow that implements:
 
 **On pull request:**
@@ -408,8 +534,16 @@ for pushing images, the compute endpoint for deploying containers, etc.
 ### 3.5 — Environment Variables Bridge
 
 Generate a script or workflow step that reads IaC outputs and writes them as
-CI/CD secrets/variables for /dock's pipelines:
+CI/CD secrets/variables for /dock's pipelines.
 
+**Platform branching:**
+- When `PLATFORM == github`: Use `gh secret set` / `gh variable set` commands.
+  Reference `references/iac-pipeline-templates.md#infra/sync-outputs.sh`.
+- When `PLATFORM == azdo`: Use `az pipelines variable-group variable update` /
+  `az pipelines variable-group variable create` commands. Reference
+  `references/iac-pipeline-templates.md#infra/sync-outputs.sh (Azure DevOps)`.
+
+**GitHub example:**
 ```bash
 # infra/sync-outputs.sh
 REGISTRY_URL=$(terraform output -raw registry_url)
@@ -417,6 +551,14 @@ gh secret set REGISTRY_URL --body "$REGISTRY_URL"
 gh secret set DATABASE_URL --body "$(terraform output -raw database_connection_string)"
 ```
 
+**Azure DevOps example:**
+```bash
+# infra/sync-outputs.sh
+REGISTRY_URL=$(terraform output -raw registry_url)
+az pipelines variable-group variable update --group-id "$VG_ID" --name REGISTRY_URL --value "$REGISTRY_URL"
+az pipelines variable-group variable update --group-id "$VG_ID" --name DATABASE_URL --value "$(terraform output -raw database_connection_string)" --secret true
+```
+
 ---
 
 ## Phase 4: Verify

package/skills/keel/references/iac-pipeline-templates.md

@@ -10,6 +10,8 @@ Template variables:
 - `{STATE_BACKEND}`: backend config details
 - `{INFRA_DIR}`: path to IaC files (default: infra/)
 - `{ENVIRONMENTS}`: list of environments (dev, staging, prod)
+- `{PLATFORM}`: github or azdo — determines which pipeline template to use
+- `{SERVICE_CONNECTION}`: Azure DevOps service connection name (AzDO only)
 
 ---
 
@@ -411,6 +413,96 @@ stages:
                     environmentServiceNameAzureRM: $(serviceConnection)
 ```
 
+### Bicep
+
+File: `azure-pipelines-infra.yml`
+
+```yaml
+trigger:
+  branches:
+    include: [{DEFAULT_BRANCH}]
+  paths:
+    include: [infra/*]
+
+pr:
+  paths:
+    include: [infra/*]
+
+variables:
+  infraDir: infra
+  serviceConnection: "{SERVICE_CONNECTION}"
+  location: "{REGION}"
+
+stages:
+  - stage: WhatIf
+    condition: eq(variables['Build.Reason'], 'PullRequest')
+    jobs:
+      - job: BicepWhatIf
+        pool:
+          vmImage: ubuntu-latest
+        steps:
+          - task: AzureCLI@2
+            displayName: Bicep What-If
+            inputs:
+              azureSubscription: $(serviceConnection)
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                az deployment sub what-if \
+                  --location $(location) \
+                  --template-file $(infraDir)/main.bicep \
+                  --parameters $(infraDir)/environments/dev.bicepparam \
+                  --no-pretty-print
+
+  - stage: DeployDev
+    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/{DEFAULT_BRANCH}'))
+    jobs:
+      - deployment: DeployDev
+        environment: dev
+        pool:
+          vmImage: ubuntu-latest
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+                - task: AzureCLI@2
+                  displayName: Deploy Dev
+                  inputs:
+                    azureSubscription: $(serviceConnection)
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    inlineScript: |
+                      az deployment sub create \
+                        --location $(location) \
+                        --template-file $(infraDir)/main.bicep \
+                        --parameters $(infraDir)/environments/dev.bicepparam
+
+  - stage: DeployEnv
+    condition: eq(variables['Build.Reason'], 'Manual')
+    jobs:
+      - deployment: DeployEnv
+        environment: $(targetEnvironment)
+        pool:
+          vmImage: ubuntu-latest
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+                - task: AzureCLI@2
+                  displayName: Deploy $(targetEnvironment)
+                  inputs:
+                    azureSubscription: $(serviceConnection)
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    inlineScript: |
+                      az deployment sub create \
+                        --location $(location) \
+                        --template-file $(infraDir)/main.bicep \
+                        --parameters $(infraDir)/environments/$(targetEnvironment).bicepparam
+```
+
 ---
 
 ## Bootstrap Scripts
@@ -517,3 +609,58 @@ DB_URL=$(terraform output -raw database_connection_string 2>/dev/null) || true
 
 echo "Outputs synced to GitHub."
 ```
+
+### infra/sync-outputs.sh (Azure DevOps)
+
+Reads IaC outputs and sets them as Azure DevOps variable group variables for /dock pipelines:
+
+```bash
+#!/bin/bash
+# Sync Terraform outputs to Azure DevOps variable group for /dock
+set -euo pipefail
+
+cd "$(dirname "$0")"
+
+PROJECT="{PROJECT}"
+VG_NAME="${PROJECT}-infra-outputs"
+
+echo "Syncing infrastructure outputs to Azure DevOps..."
+
+# Resolve or create the variable group
+VG_ID=$(az pipelines variable-group list \
+  --query "[?name=='${VG_NAME}'].id | [0]" -o tsv 2>/dev/null)
+
+if [ -z "$VG_ID" ]; then
+  echo "Creating variable group: ${VG_NAME}"
+  VG_ID=$(az pipelines variable-group create \
+    --name "$VG_NAME" \
+    --variables placeholder=true \
+    --query "id" -o tsv)
+fi
+
+# Helper: update or create a variable in the group
+upsert_var() {
+  local name="$1" value="$2" secret="${3:-false}"
+  if az pipelines variable-group variable list --group-id "$VG_ID" \
+      --query "\"${name}\"" -o tsv &>/dev/null; then
+    az pipelines variable-group variable update \
+      --group-id "$VG_ID" --name "$name" --value "$value" --secret "$secret" --output none
+  else
+    az pipelines variable-group variable create \
+      --group-id "$VG_ID" --name "$name" --value "$value" --secret "$secret" --output none
+  fi
+}
+
+# Public values
+REGISTRY_URL=$(terraform output -raw registry_url 2>/dev/null) || true
+[ -n "$REGISTRY_URL" ] && upsert_var "REGISTRY_URL" "$REGISTRY_URL"
+
+COMPUTE_ENDPOINT=$(terraform output -raw compute_endpoint 2>/dev/null) || true
+[ -n "$COMPUTE_ENDPOINT" ] && upsert_var "COMPUTE_ENDPOINT" "$COMPUTE_ENDPOINT"
+
+# Sensitive values
+DB_URL=$(terraform output -raw database_connection_string 2>/dev/null) || true
+[ -n "$DB_URL" ] && upsert_var "DATABASE_URL" "$DB_URL" true
+
+echo "Outputs synced to Azure DevOps variable group: ${VG_NAME} (ID: ${VG_ID})"
+```

package/skills/keel/tests/evals.json

@@ -31,5 +31,14 @@
       { "type": "semantic", "value": "Describes or generates a CI/CD pipeline that plans on pull requests and applies on merge" },
       { "type": "semantic", "value": "Mentions state management for Terraform such as S3 backend or remote state" }
     ]
+  },
+  {
+    "name": "azdo-awareness",
+    "prompt": "/keel for a Bicep project hosted in Azure DevOps",
+    "assertions": [
+      { "type": "semantic", "value": "Detects or acknowledges Azure DevOps as the hosting platform rather than assuming GitHub" },
+      { "type": "semantic", "value": "Mentions Azure Pipelines or Azure DevOps pipeline generation rather than GitHub Actions" },
+      { "type": "regex", "value": "(?i)(azure devops|azdo|azure.pipelines|az pipelines)" }
+    ]
   }
 ]

package/skills/manifest.json

@@ -1,5 +1,5 @@
 {
-  "generated": "2026-03-12T13:35:25.365Z",
+  "generated": "2026-03-12T15:57:08.604Z",
   "count": 10,
   "skills": [
     {
@@ -36,7 +36,7 @@
       "name": "dock",
       "directory": "dock",
       "description": ">- Generate container-based release pipelines that build once and promote immutable artifacts through environments (dev → staging → prod). Detects your stack, interviews for infrastructure choices, then outputs deterministic CI/CD files (Dockerfile, workflows, deployment manifests) that run without an LLM. Use when setting up deployment pipelines, containerizing an app, creating release workflows, or connecting CI to container-friendly infrastructure (Azure Container Apps, AWS Fargate, Google Cloud Run, Kubernetes, Dokku, Coolify, CapRover, etc.).",
-      "lines": 394,
+      "lines": 506,
       "hasScripts": false,
       "hasReferences": true,
       "hasAssets": false,
@@ -46,7 +46,7 @@
       "name": "keel",
       "directory": "keel",
       "description": ">- Generate Infrastructure as Code (IaC) pipelines that provision the cloud and container infrastructure your app deploys to. Interview-driven: detects your stack and cloud provider, then outputs deterministic IaC files (Terraform, Bicep, Pulumi, or CDK) plus CI/CD pipelines that plan on PR and apply on merge. Use when setting up cloud infrastructure, provisioning container registries, databases, networking, DNS, or any infrastructure that containers deploy onto. Designed to run before /dock — /keel lays the infrastructure, /dock deploys to it.",
-      "lines": 496,
+      "lines": 638,
       "hasScripts": false,
       "hasReferences": true,
       "hasAssets": false,