@slamb2k/mad-skills 2.0.28 → 2.0.30

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "mad-skills",
   "description": "AI-assisted planning, development and governance tools",
-  "version": "2.0.28",
+  "version": "2.0.30",
   "author": {
     "name": "slamb2k",
     "url": "https://github.com/slamb2k"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@slamb2k/mad-skills",
-  "version": "2.0.28",
+  "version": "2.0.30",
   "description": "Claude Code skills collection — full lifecycle development tools",
   "type": "module",
   "repository": {

package/skills/dock/SKILL.md

@@ -81,6 +81,27 @@ Status icons: ✅ done · ❌ failed · ⚠️ degraded · ⏳ working · ⏭️
 
 ---
 
+## Platform Detection
+
+Detect the hosting platform **before** pre-flight so dependency checks are
+platform-specific:
+
+```bash
+REMOTE_URL=$(git remote get-url origin 2>/dev/null)
+if echo "$REMOTE_URL" | grep -qiE 'dev\.azure\.com|visualstudio\.com'; then
+  PLATFORM="azdo"
+elif echo "$REMOTE_URL" | grep -qi 'github\.com'; then
+  PLATFORM="github"
+else
+  PLATFORM="github"   # default fallback
+fi
+```
+
+Pass `{PLATFORM}` into all phase prompts. Each phase uses the appropriate
+CLI tool and registry defaults based on the detected platform.
+
+---
+
 ## Pre-flight
 
 Before starting, check dependencies:
@@ -90,12 +111,26 @@ Before starting, check dependencies:
 | docker | cli | `docker --version` | no | ask | Needed for local build verification; skip verify phase if absent |
 | git | cli | `git --version` | yes | stop | Install from https://git-scm.com |
 | sync | skill | `~/.claude/skills/sync/SKILL.md` or `~/.claude/plugins/marketplaces/slamb2k/skills/sync/SKILL.md` | no | fallback | Repo sync; falls back to manual git pull |
-
-For each row:
-1. Run the Check command
-2. If found: continue silently
-3. If missing: apply Resolution strategy
-4. After all checks: summarize availability
+| az devops | cli | `az devops -h 2>/dev/null` | no | fallback | Falls back to REST API with PAT; see AzDO tooling below |
+
+**Platform-conditional rules:**
+- **`az devops`**: Only checked when `PLATFORM == azdo`. Skip for GitHub repos.
+
+For each applicable row, in order:
+1. Skip rows that don't apply to the detected `{PLATFORM}`
+2. Run the Check command (for cli/npm) or test file existence (for agent/skill)
+3. If found: continue silently
+4. If missing: apply Resolution strategy
+   - **stop**: notify user with Detail, halt execution
+   - **url**: notify user with Detail (install link), halt execution
+   - **install**: notify user, run the command in Detail, continue if successful
+   - **ask**: notify user, offer to run command in Detail, continue either way (or halt if required)
+   - **fallback**: notify user with Detail, continue with degraded behavior
+5. After all checks: summarize what's available and what's degraded
+
+When `PLATFORM == azdo`, follow `references/azdo-platform.md` for tooling
+detection (`AZDO_MODE`) and configuration validation (`AZDO_ORG`, `AZDO_PROJECT`).
+Pass these variables into all phase prompts alongside `{PLATFORM}`.
 
 ---
 
@@ -206,8 +241,10 @@ Optional — ask only if deploying to platforms that need this:
 - **Blue-green**: maintain two environments, swap traffic
 - **Canary**: gradual traffic shift with automatic rollback on error thresholds
 
-**If `--skip-interview` flag**: Use detected defaults + sensible defaults for
-everything else (ghcr.io, 3-stage, GitHub Secrets, simple rollback).
+**If `--skip-interview` flag**: Use detected defaults + sensible platform-aware
+defaults for everything else:
+- **GitHub** (`PLATFORM == github`): ghcr.io, 3-stage, GitHub Secrets, simple rollback
+- **Azure DevOps** (`PLATFORM == azdo`): Azure Container Registry, 3-stage, Azure Key Vault, simple rollback
 
 Compile all answers into a DOCK_CONFIG object for Phase 3.
 

package/skills/dock/references/azdo-platform.md

@@ -0,0 +1,83 @@
+# Azure DevOps Platform Support
+
+Shared procedures for AzDO tooling detection and configuration validation.
+Referenced by SKILL.md during pre-flight when `PLATFORM == azdo`.
+
+## AzDO Tooling Detection
+
+When `PLATFORM == azdo`, determine which tooling is available. Set `AZDO_MODE`
+for use in all subsequent phases:
+
+```bash
+if az devops -h &>/dev/null; then
+  AZDO_MODE="cli"
+else
+  AZDO_MODE="rest"
+fi
+```
+
+- **`cli`**: Use `az repos` / `az pipelines` commands (preferred)
+- **`rest`**: Use Azure DevOps REST API via `curl`. Requires a PAT (personal
+  access token) in `AZURE_DEVOPS_EXT_PAT` or `AZDO_PAT` env var. If no PAT
+  is found, prompt the user to either install the CLI or set the env var.
+
+Report in pre-flight:
+- ✅ `az devops cli` — version found
+- ⚠️ `az devops cli` — not found → using REST API fallback
+- ❌ `az devops cli` — not found, no PAT configured → halt with setup instructions
+
+## AzDO Configuration Validation
+
+When `PLATFORM == azdo`, extract organization and project from the remote URL
+and validate they are usable. These values are needed by every `az repos` /
+`az pipelines` command and every REST API call.
+
+```bash
+# Extract org and project from remote URL patterns:
+#   https://dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}
+#   https://{ORG}@dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}
+#   {ORG}@vs-ssh.visualstudio.com:v3/{ORG}/{PROJECT}/{REPO}
+
+REMOTE_URL=$(git remote get-url origin 2>/dev/null)
+
+if echo "$REMOTE_URL" | grep -q 'dev\.azure\.com'; then
+  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*dev\.azure\.com/\([^/]*\)/.*|\1|p')
+  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*dev\.azure\.com/[^/]*/\([^/]*\)/.*|\1|p')
+  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+elif echo "$REMOTE_URL" | grep -q 'vs-ssh\.visualstudio\.com'; then
+  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*vs-ssh\.visualstudio\.com:v3/\([^/]*\)/.*|\1|p')
+  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*vs-ssh\.visualstudio\.com:v3/[^/]*/\([^/]*\)/.*|\1|p')
+  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+elif echo "$REMOTE_URL" | grep -q 'visualstudio\.com'; then
+  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*//\([^.]*\)\.visualstudio\.com.*|\1|p')
+  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*/\([^/]*\)/_git/.*|\1|p')
+  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+fi
+
+if [ -z "$AZDO_ORG" ] || [ -z "$AZDO_PROJECT" ]; then
+  echo "❌ Could not extract organization/project from remote URL"
+  echo "   Remote: $REMOTE_URL"
+  echo ""
+  echo "Ensure the remote URL follows one of these formats:"
+  echo "  https://dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}"
+  echo "  https://{ORG}.visualstudio.com/{PROJECT}/_git/{REPO}"
+  echo "  {ORG}@vs-ssh.visualstudio.com:v3/{ORG}/{PROJECT}/{REPO}"
+  # HALT — cannot proceed without org/project context
+fi
+```
+
+When `AZDO_MODE == cli`, also configure the defaults so commands work correctly:
+```bash
+az devops configure --defaults organization="$AZDO_ORG_URL" project="$AZDO_PROJECT"
+```
+
+When `AZDO_MODE == rest`, store these for API calls:
+- Base URL: `$AZDO_ORG_URL/$AZDO_PROJECT/_apis`
+- Auth header: `Authorization: Basic $(echo -n ":$PAT" | base64)`
+
+Report in pre-flight:
+- ✅ `azdo context` — org: `{AZDO_ORG}`, project: `{AZDO_PROJECT}`
+- ❌ `azdo context` — could not parse from remote URL → halt with instructions
+
+Pass `{AZDO_MODE}`, `{AZDO_ORG}`, `{AZDO_PROJECT}`, `{AZDO_ORG_URL}` into
+all phase prompts alongside `{PLATFORM}`.

package/skills/dock/references/dockerfile-templates.md

@@ -141,6 +141,9 @@ CMD ["gunicorn", "--bind", "0.0.0.0:{PORT}", "--workers", "4", "app:app"]
 FROM python:3.12-slim AS deps
 WORKDIR /app
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
+# NOTE: ghcr.io/astral-sh/uv is the official uv installer image, not your app registry.
+# If ghcr.io is blocked (e.g., corporate firewall), mirror this image to your
+# internal registry: COPY --from={INTERNAL_REGISTRY}/astral-sh/uv:latest /uv /usr/local/bin/uv
 COPY pyproject.toml uv.lock ./
 RUN uv sync --frozen --no-dev --no-install-project
 

package/skills/dock/references/interview-guide.md

@@ -117,7 +117,9 @@ Mapping:
 - GitHub Actions → suggest ghcr.io
 - Azure Pipelines → suggest Azure Container Registry
 - GitLab CI → suggest GitLab Container Registry
-- No CI → suggest ghcr.io (most universal)
+- No CI → detect platform from git remote URL:
+  - AzDO remote → suggest Azure Container Registry
+  - GitHub remote or unknown → suggest ghcr.io (most universal)
 
 ### Environment Topology
 
@@ -181,6 +183,10 @@ Options:
 5. Doppler
 6. 1Password (via CLI)
 7. HashiCorp Vault
+
+Default selection based on platform:
+- `PLATFORM == github` → default to GitHub Secrets / Variables
+- `PLATFORM == azdo` → default to Azure Key Vault
 ```
 
 ### Rollback Strategy

package/skills/dock/tests/evals.json

@@ -32,5 +32,14 @@
       { "type": "semantic", "value": "Supports different deployment targets per environment" },
       { "type": "semantic", "value": "References both Azure Container Apps and Dokku as deployment platforms" }
     ]
+  },
+  {
+    "name": "azdo-awareness",
+    "prompt": "/dock for a Python FastAPI app in an Azure DevOps repo with azure-pipelines.yml already present",
+    "assertions": [
+      { "type": "semantic", "value": "Detects or acknowledges Azure DevOps as the platform based on the repository context" },
+      { "type": "semantic", "value": "Suggests Azure Container Registry rather than ghcr.io as the default registry" },
+      { "type": "semantic", "value": "References Azure Pipelines as the CI system for the generated workflow" }
+    ]
   }
 ]

package/skills/keel/SKILL.md

@@ -68,9 +68,31 @@ Stage headers: `━━ {N} · {Name} ━━━━━━━━━━━━━`. I
 
 ---
 
+## Platform Detection
+
+Detect the hosting platform **before** pre-flight so dependency checks are
+platform-specific:
+
+```bash
+REMOTE_URL=$(git remote get-url origin 2>/dev/null)
+if echo "$REMOTE_URL" | grep -qiE 'dev\.azure\.com|visualstudio\.com'; then
+  PLATFORM="azdo"
+elif echo "$REMOTE_URL" | grep -qi 'github\.com'; then
+  PLATFORM="github"
+else
+  PLATFORM="github"   # default fallback
+fi
+```
+
+Pass `{PLATFORM}` into all phase prompts. Each phase uses the appropriate
+CLI tool: `gh` for GitHub, `az repos`/`az pipelines` for Azure DevOps.
+
+---
+
 ## Pre-flight
 
-Before starting, check dependencies:
+Before starting, check all dependencies in this table. The table contains
+**all** dependencies — some are platform-conditional (see notes after table).
 
 | Dependency | Type | Check | Required | Resolution | Detail |
 |-----------|------|-------|----------|------------|--------|
@@ -80,10 +102,32 @@ Before starting, check dependencies:
 | az | cli | `az --version` | no | fallback | Needed for Bicep; suggest install from https://aka.ms/install-azure-cli |
 | pulumi | cli | `pulumi version` | no | fallback | Detected if user wants Pulumi; suggest install from https://pulumi.com |
 | cdk | cli | `cdk --version` | no | fallback | Detected if user wants AWS CDK; install via npm |
+| gh | cli | `gh --version` | yes | url | https://cli.github.com |
+| az devops | cli | `az devops -h 2>/dev/null` | no | fallback | Falls back to REST API with PAT; see AzDO tooling below |
+
+**Platform-conditional rules:**
+- **`gh`**: Only required when `PLATFORM == github`. Skip for AzDO repos.
+- **`az devops`**: Only checked when `PLATFORM == azdo`. Skip for GitHub repos.
 
-Only check the tool that matches the user's choice (or detected default).
+Only check the IaC tool row that matches the user's choice (or detected default).
 Skip checks for tools not being used.
 
+For each applicable row, in order:
+1. Skip rows that don't apply to the detected `{PLATFORM}`
+2. Run the Check command (for cli/npm) or test file existence (for agent/skill)
+3. If found: continue silently
+4. If missing: apply Resolution strategy
+   - **stop**: notify user with Detail, halt execution
+   - **url**: notify user with Detail (install link), halt execution
+   - **install**: notify user, run the command in Detail, continue if successful
+   - **ask**: notify user, offer to run command in Detail, continue either way (or halt if required)
+   - **fallback**: notify user with Detail, continue with degraded behavior
+5. After all checks: summarize what's available and what's degraded
+
+When `PLATFORM == azdo`, follow `references/azdo-platform.md` for tooling
+detection (`AZDO_MODE`) and configuration validation (`AZDO_ORG`, `AZDO_PROJECT`).
+Pass these variables into all phase prompts alongside `{PLATFORM}`.
+
 ---
 
 ## Phase 0: Sync
@@ -128,160 +172,16 @@ Read the full interview flow from `references/interview-guide.md#interview-quest
 The interview covers these topics in order. Skip questions where detection provided
 high-confidence answers (but confirm with the user).
 
-### 2.1 — Cloud Provider
-
-```
-Which cloud provider(s) will host your infrastructure?
-
-Options:
-1. Azure (Recommended if Azure signals detected)
-2. AWS
-3. Google Cloud
-4. Multi-cloud
-5. Self-hosted / VPS (Dokku, Coolify, CapRover)
-```
-
-If /dock has already run, infer from the deployment targets chosen there.
-
-### 2.2 — IaC Tool
-
-Suggest based on cloud provider:
-- Azure → Bicep (native) or Terraform (universal)
-- AWS → Terraform or CDK
-- GCP → Terraform or Pulumi
-- Multi-cloud → Terraform
-- Self-hosted → Terraform (for VPS provisioning) or skip IaC
-
-```
-Which Infrastructure as Code tool do you want to use?
-
-Options:
-1. Terraform (Recommended — universal, multi-cloud)
-2. Bicep (Azure-native, simpler syntax)
-3. Pulumi (code-first, TypeScript/Python/Go)
-4. AWS CDK (AWS-native, TypeScript/Python)
-```
-
-### 2.3 — Infrastructure Components
-
-Present a checklist based on detected needs. The goal is to provision everything
-/dock needs to deploy to, plus supporting services.
-
-```
-Which infrastructure components do you need?
-
-Container platform:
-  [x] Container registry (required for /dock)
-  [ ] Kubernetes cluster (AKS/EKS/GKE)
-  [ ] Serverless containers (Container Apps/Fargate/Cloud Run)
-  [ ] Self-hosted PaaS (Dokku/Coolify/CapRover on VPS)
-
-Data:
-  [ ] Managed database (PostgreSQL, MySQL, SQL Server, etc.)
-  [ ] Cache (Redis, Memcached)
-  [ ] Object storage (S3, Blob Storage, GCS)
-  [ ] Message queue (SQS, Service Bus, Pub/Sub)
-
-Networking:
-  [ ] DNS zone
-  [ ] CDN / Front Door
-  [ ] Virtual network / VPC
-  [ ] Load balancer (if not using platform-managed)
-  [ ] API Gateway
-
-Security:
-  [ ] Key Vault / Secrets Manager
-  [ ] Managed identity / IAM roles
-  [ ] SSL/TLS certificates
-
-Monitoring:
-  [ ] Log aggregation (Application Insights, CloudWatch, Cloud Logging)
-  [ ] Metrics / dashboards
-  [ ] Alerts
-```
-
-Auto-check components if /dock detection or the codebase signals them:
-- Dockerfile found → container registry checked
-- Database migrations found → managed database checked
-- Redis client in deps → cache checked
-- S3/Blob SDK in deps → object storage checked
-
-### 2.4 — Environment Topology
-
-Align with /dock's environments if it has run. Otherwise ask:
-
-```
-How many environments do you need?
-
-Options:
-1. Simple: dev + prod (Recommended for starting out)
-2. Standard: dev + staging + prod
-3. Custom: define your own
-```
-
-Each environment gets its own IaC state and variable set. Resource sizing
-scales with the environment tier (dev=small, staging=medium, prod=large).
+Topics covered (full prompts and options in `references/interview-guide.md`):
 
-### 2.5 — State Management
-
-Where to store IaC state (critical for team collaboration):
-
-**Terraform:**
-```
-Where should Terraform state be stored?
-
-Options:
-1. Azure Blob Storage (Recommended for Azure)
-2. AWS S3 + DynamoDB (Recommended for AWS)
-3. Google Cloud Storage (Recommended for GCP)
-4. Terraform Cloud
-5. Local (not recommended for teams)
-```
-
-**Bicep:** No state management needed (Azure Resource Manager handles it).
-
-**Pulumi:** Pulumi Cloud (default) or self-managed backend.
-
-**CDK:** CloudFormation handles state.
-
-### 2.6 — CI/CD for Infrastructure
-
-```
-How should infrastructure changes be applied?
-
-Options:
-1. Plan on PR, apply on merge (Recommended)
-2. Plan on PR, manual apply via approval
-3. Plan and apply on merge (no PR preview)
-```
-
-All options generate a pipeline. Option 1 is the default and safest for teams.
-
-### 2.7 — Naming Convention
-
-```
-What naming convention should resources use?
-
-Options:
-1. Azure CAF style: {resource-type}-{project}-{env}-{region} (Recommended)
-2. Simple: {project}-{resource}-{env}
-3. Custom prefix: {user-defined}
-```
-
-### 2.8 — Integration with /dock
-
-If /dock artifacts exist, ask:
-```
-I found /dock deployment config. Should /keel provision the infrastructure
-those pipelines deploy to?
-
-Detected targets:
-  dev:     {platform}
-  staging: {platform}
-  prod:    {platform}
-
-I'll provision: container registry, {platform}-specific compute, networking.
-```
+1. **Cloud Provider** — Azure, AWS, GCP, Multi-cloud, Self-hosted. Infer from /dock if it has run.
+2. **IaC Tool** — Suggest by cloud: Azure→Bicep/Terraform, AWS→Terraform/CDK, GCP→Terraform/Pulumi, Multi-cloud→Terraform.
+3. **Infrastructure Components** — Checklist: container platform, data (DB, cache, storage, queues), networking, security, monitoring. Auto-check from codebase signals (Dockerfile→registry, migrations→DB, Redis client→cache).
+4. **Environment Topology** — Simple (dev+prod), Standard (dev+staging+prod), or Custom. Align with /dock if it has run.
+5. **State Management** — Terraform: cloud storage per provider. Bicep: ARM handles it. Pulumi: Pulumi Cloud. CDK: CloudFormation.
+6. **CI/CD Strategy** — Plan on PR + apply on merge (recommended), manual apply, or auto-apply.
+7. **Naming Convention** — CAF style, simple, or custom prefix.
+8. **Integration with /dock** — If /dock artifacts exist, offer to provision their deployment targets.
 
 **If `--skip-interview`**: Use detected defaults + sensible defaults.
 
@@ -360,6 +260,13 @@ Use the provider-specific template from `references/iac-pipeline-templates.md#bo
 
 Read the appropriate template from `references/iac-pipeline-templates.md`.
 
+**Platform branching:**
+- When `PLATFORM == github`: Generate a GitHub Actions workflow. Output file:
+  `.github/workflows/infra.yml`. Use templates from the "GitHub Actions" section.
+- When `PLATFORM == azdo`: Generate an Azure DevOps Pipelines YAML file. Output
+  file: `azure-pipelines-infra.yml`. Use templates from the "Azure DevOps
+  Pipelines" section.
+
 Generate a workflow that implements:
 
 **On pull request:**
@@ -408,8 +315,16 @@ for pushing images, the compute endpoint for deploying containers, etc.
 ### 3.5 — Environment Variables Bridge
 
 Generate a script or workflow step that reads IaC outputs and writes them as
-CI/CD secrets/variables for /dock's pipelines:
+CI/CD secrets/variables for /dock's pipelines.
 
+**Platform branching:**
+- When `PLATFORM == github`: Use `gh secret set` / `gh variable set` commands.
+  Reference `references/iac-pipeline-templates.md#infra/sync-outputs.sh`.
+- When `PLATFORM == azdo`: Use `az pipelines variable-group variable update` /
+  `az pipelines variable-group variable create` commands. Reference
+  `references/iac-pipeline-templates.md#infra/sync-outputs.sh (Azure DevOps)`.
+
+**GitHub example:**
 ```bash
 # infra/sync-outputs.sh
 REGISTRY_URL=$(terraform output -raw registry_url)
@@ -417,6 +332,14 @@ gh secret set REGISTRY_URL --body "$REGISTRY_URL"
 gh secret set DATABASE_URL --body "$(terraform output -raw database_connection_string)"
 ```
 
+**Azure DevOps example:**
+```bash
+# infra/sync-outputs.sh
+REGISTRY_URL=$(terraform output -raw registry_url)
+az pipelines variable-group variable update --group-id "$VG_ID" --name REGISTRY_URL --value "$REGISTRY_URL"
+az pipelines variable-group variable update --group-id "$VG_ID" --name DATABASE_URL --value "$(terraform output -raw database_connection_string)" --secret true
+```
+
 ---
 
 ## Phase 4: Verify

package/skills/keel/references/azdo-platform.md

@@ -0,0 +1,83 @@
+# Azure DevOps Platform Support
+
+Shared procedures for AzDO tooling detection and configuration validation.
+Referenced by SKILL.md during pre-flight when `PLATFORM == azdo`.
+
+## AzDO Tooling Detection
+
+When `PLATFORM == azdo`, determine which tooling is available. Set `AZDO_MODE`
+for use in all subsequent phases:
+
+```bash
+if az devops -h &>/dev/null; then
+  AZDO_MODE="cli"
+else
+  AZDO_MODE="rest"
+fi
+```
+
+- **`cli`**: Use `az repos` / `az pipelines` commands (preferred)
+- **`rest`**: Use Azure DevOps REST API via `curl`. Requires a PAT (personal
+  access token) in `AZURE_DEVOPS_EXT_PAT` or `AZDO_PAT` env var. If no PAT
+  is found, prompt the user to either install the CLI or set the env var.
+
+Report in pre-flight:
+- ✅ `az devops cli` — version found
+- ⚠️ `az devops cli` — not found → using REST API fallback
+- ❌ `az devops cli` — not found, no PAT configured → halt with setup instructions
+
+## AzDO Configuration Validation
+
+When `PLATFORM == azdo`, extract organization and project from the remote URL
+and validate they are usable. These values are needed by every `az repos` /
+`az pipelines` command and every REST API call.
+
+```bash
+# Extract org and project from remote URL patterns:
+#   https://dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}
+#   https://{ORG}@dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}
+#   {ORG}@vs-ssh.visualstudio.com:v3/{ORG}/{PROJECT}/{REPO}
+
+REMOTE_URL=$(git remote get-url origin 2>/dev/null)
+
+if echo "$REMOTE_URL" | grep -q 'dev\.azure\.com'; then
+  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*dev\.azure\.com/\([^/]*\)/.*|\1|p')
+  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*dev\.azure\.com/[^/]*/\([^/]*\)/.*|\1|p')
+  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+elif echo "$REMOTE_URL" | grep -q 'vs-ssh\.visualstudio\.com'; then
+  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*vs-ssh\.visualstudio\.com:v3/\([^/]*\)/.*|\1|p')
+  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*vs-ssh\.visualstudio\.com:v3/[^/]*/\([^/]*\)/.*|\1|p')
+  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+elif echo "$REMOTE_URL" | grep -q 'visualstudio\.com'; then
+  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*//\([^.]*\)\.visualstudio\.com.*|\1|p')
+  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*/\([^/]*\)/_git/.*|\1|p')
+  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+fi
+
+if [ -z "$AZDO_ORG" ] || [ -z "$AZDO_PROJECT" ]; then
+  echo "❌ Could not extract organization/project from remote URL"
+  echo "   Remote: $REMOTE_URL"
+  echo ""
+  echo "Ensure the remote URL follows one of these formats:"
+  echo "  https://dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}"
+  echo "  https://{ORG}.visualstudio.com/{PROJECT}/_git/{REPO}"
+  echo "  {ORG}@vs-ssh.visualstudio.com:v3/{ORG}/{PROJECT}/{REPO}"
+  # HALT — cannot proceed without org/project context
+fi
+```
+
+When `AZDO_MODE == cli`, also configure the defaults so commands work correctly:
+```bash
+az devops configure --defaults organization="$AZDO_ORG_URL" project="$AZDO_PROJECT"
+```
+
+When `AZDO_MODE == rest`, store these for API calls:
+- Base URL: `$AZDO_ORG_URL/$AZDO_PROJECT/_apis`
+- Auth header: `Authorization: Basic $(echo -n ":$PAT" | base64)`
+
+Report in pre-flight:
+- ✅ `azdo context` — org: `{AZDO_ORG}`, project: `{AZDO_PROJECT}`
+- ❌ `azdo context` — could not parse from remote URL → halt with instructions
+
+Pass `{AZDO_MODE}`, `{AZDO_ORG}`, `{AZDO_PROJECT}`, `{AZDO_ORG_URL}` into
+all phase prompts alongside `{PLATFORM}`.

package/skills/keel/references/iac-pipeline-templates.md

@@ -10,6 +10,8 @@ Template variables:
 - `{STATE_BACKEND}`: backend config details
 - `{INFRA_DIR}`: path to IaC files (default: infra/)
 - `{ENVIRONMENTS}`: list of environments (dev, staging, prod)
+- `{PLATFORM}`: github or azdo — determines which pipeline template to use
+- `{SERVICE_CONNECTION}`: Azure DevOps service connection name (AzDO only)
 
 ---
 
@@ -411,6 +413,96 @@ stages:
                     environmentServiceNameAzureRM: $(serviceConnection)
 ```
 
+### Bicep
+
+File: `azure-pipelines-infra.yml`
+
+```yaml
+trigger:
+  branches:
+    include: [{DEFAULT_BRANCH}]
+  paths:
+    include: [infra/*]
+
+pr:
+  paths:
+    include: [infra/*]
+
+variables:
+  infraDir: infra
+  serviceConnection: "{SERVICE_CONNECTION}"
+  location: "{REGION}"
+
+stages:
+  - stage: WhatIf
+    condition: eq(variables['Build.Reason'], 'PullRequest')
+    jobs:
+      - job: BicepWhatIf
+        pool:
+          vmImage: ubuntu-latest
+        steps:
+          - task: AzureCLI@2
+            displayName: Bicep What-If
+            inputs:
+              azureSubscription: $(serviceConnection)
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                az deployment sub what-if \
+                  --location $(location) \
+                  --template-file $(infraDir)/main.bicep \
+                  --parameters $(infraDir)/environments/dev.bicepparam \
+                  --no-pretty-print
+
+  - stage: DeployDev
+    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/{DEFAULT_BRANCH}'))
+    jobs:
+      - deployment: DeployDev
+        environment: dev
+        pool:
+          vmImage: ubuntu-latest
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+                - task: AzureCLI@2
+                  displayName: Deploy Dev
+                  inputs:
+                    azureSubscription: $(serviceConnection)
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    inlineScript: |
+                      az deployment sub create \
+                        --location $(location) \
+                        --template-file $(infraDir)/main.bicep \
+                        --parameters $(infraDir)/environments/dev.bicepparam
+
+  - stage: DeployEnv
+    condition: eq(variables['Build.Reason'], 'Manual')
+    jobs:
+      - deployment: DeployEnv
+        environment: $(targetEnvironment)
+        pool:
+          vmImage: ubuntu-latest
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+                - task: AzureCLI@2
+                  displayName: Deploy $(targetEnvironment)
+                  inputs:
+                    azureSubscription: $(serviceConnection)
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    inlineScript: |
+                      az deployment sub create \
+                        --location $(location) \
+                        --template-file $(infraDir)/main.bicep \
+                        --parameters $(infraDir)/environments/$(targetEnvironment).bicepparam
+```
+
 ---
 
 ## Bootstrap Scripts
@@ -517,3 +609,58 @@ DB_URL=$(terraform output -raw database_connection_string 2>/dev/null) || true
 
 echo "Outputs synced to GitHub."
 ```
+
+### infra/sync-outputs.sh (Azure DevOps)
+
+Reads IaC outputs and sets them as Azure DevOps variable group variables for /dock pipelines:
+
+```bash
+#!/bin/bash
+# Sync Terraform outputs to Azure DevOps variable group for /dock
+set -euo pipefail
+
+cd "$(dirname "$0")"
+
+PROJECT="{PROJECT}"
+VG_NAME="${PROJECT}-infra-outputs"
+
+echo "Syncing infrastructure outputs to Azure DevOps..."
+
+# Resolve or create the variable group
+VG_ID=$(az pipelines variable-group list \
+  --query "[?name=='${VG_NAME}'].id | [0]" -o tsv 2>/dev/null)
+
+if [ -z "$VG_ID" ]; then
+  echo "Creating variable group: ${VG_NAME}"
+  VG_ID=$(az pipelines variable-group create \
+    --name "$VG_NAME" \
+    --variables placeholder=true \
+    --query "id" -o tsv)
+fi
+
+# Helper: update or create a variable in the group
+upsert_var() {
+  local name="$1" value="$2" secret="${3:-false}"
+  if az pipelines variable-group variable list --group-id "$VG_ID" \
+      --query "\"${name}\"" -o tsv &>/dev/null; then
+    az pipelines variable-group variable update \
+      --group-id "$VG_ID" --name "$name" --value "$value" --secret "$secret" --output none
+  else
+    az pipelines variable-group variable create \
+      --group-id "$VG_ID" --name "$name" --value "$value" --secret "$secret" --output none
+  fi
+}
+
+# Public values
+REGISTRY_URL=$(terraform output -raw registry_url 2>/dev/null) || true
+[ -n "$REGISTRY_URL" ] && upsert_var "REGISTRY_URL" "$REGISTRY_URL"
+
+COMPUTE_ENDPOINT=$(terraform output -raw compute_endpoint 2>/dev/null) || true
+[ -n "$COMPUTE_ENDPOINT" ] && upsert_var "COMPUTE_ENDPOINT" "$COMPUTE_ENDPOINT"
+
+# Sensitive values
+DB_URL=$(terraform output -raw database_connection_string 2>/dev/null) || true
+[ -n "$DB_URL" ] && upsert_var "DATABASE_URL" "$DB_URL" true
+
+echo "Outputs synced to Azure DevOps variable group: ${VG_NAME} (ID: ${VG_ID})"
+```

package/skills/keel/tests/evals.json

@@ -31,5 +31,14 @@
       { "type": "semantic", "value": "Describes or generates a CI/CD pipeline that plans on pull requests and applies on merge" },
       { "type": "semantic", "value": "Mentions state management for Terraform such as S3 backend or remote state" }
     ]
+  },
+  {
+    "name": "azdo-awareness",
+    "prompt": "/keel for a Bicep project hosted in Azure DevOps",
+    "assertions": [
+      { "type": "semantic", "value": "Detects or acknowledges Azure DevOps as the hosting platform rather than assuming GitHub" },
+      { "type": "semantic", "value": "Mentions Azure Pipelines or Azure DevOps pipeline generation rather than GitHub Actions" },
+      { "type": "regex", "value": "(?i)(azure devops|azdo|azure.pipelines|az pipelines)" }
+    ]
   }
 ]

package/skills/manifest.json

@@ -1,5 +1,5 @@
 {
-  "generated": "2026-03-12T13:35:25.365Z",
+  "generated": "2026-03-12T17:16:55.117Z",
   "count": 10,
   "skills": [
     {
@@ -36,7 +36,7 @@
       "name": "dock",
       "directory": "dock",
       "description": ">- Generate container-based release pipelines that build once and promote immutable artifacts through environments (dev → staging → prod). Detects your stack, interviews for infrastructure choices, then outputs deterministic CI/CD files (Dockerfile, workflows, deployment manifests) that run without an LLM. Use when setting up deployment pipelines, containerizing an app, creating release workflows, or connecting CI to container-friendly infrastructure (Azure Container Apps, AWS Fargate, Google Cloud Run, Kubernetes, Dokku, Coolify, CapRover, etc.).",
-      "lines": 394,
+      "lines": 431,
       "hasScripts": false,
       "hasReferences": true,
       "hasAssets": false,
@@ -46,7 +46,7 @@
       "name": "keel",
       "directory": "keel",
       "description": ">- Generate Infrastructure as Code (IaC) pipelines that provision the cloud and container infrastructure your app deploys to. Interview-driven: detects your stack and cloud provider, then outputs deterministic IaC files (Terraform, Bicep, Pulumi, or CDK) plus CI/CD pipelines that plan on PR and apply on merge. Use when setting up cloud infrastructure, provisioning container registries, databases, networking, DNS, or any infrastructure that containers deploy onto. Designed to run before /dock — /keel lays the infrastructure, /dock deploys to it.",
-      "lines": 496,
+      "lines": 419,
       "hasScripts": false,
       "hasReferences": true,
       "hasAssets": false,