feat(azure-compute): add VM creation workflow with approval gate before deploy

[deankroker]

What this does

Before this PR, asking Copilot for Azure to "create a VM" jumped straight to generating Bicep or running az vm create. The user had no chance to review what was about to be deployed, and for VM scale sets the model often missed the intent entirely.

This PR adds a guided workflow so the same request now:

1. Asks 2–3 short questions to figure out what the user actually needs (region, size, OS, network exposure)
2. Shows a Plan Card — a 14–21 row summary of every parameter the deployment will use, with each value labeled by where it came from (user input, default, recommendation)
3. Waits for the user to approve, edit, or change format — in a single picker, not three sequential prompts
4. Only then generates Bicep / Terraform / az CLI / MCP calls

It also recognizes VMSS intent without the user having to say "VMSS" (e.g. "fleet that autoscales" → Flexible orchestration scale set), and refuses to deploy templates that would leave SSH open to the internet.

What's in the PR

Workflow + supporting docs

• 57789bd — new vm-creator workflow under plugin/skills/azure-compute/, with depth-probe references (beginner / cost / networking / security / spec) so the question set adapts to user expertise. Output adapters for az CLI, Bicep, Terraform, and Azure MCP. Trims vm-recommender.md and pulls verbose web_fetch rules into a reference file.
• a7c7954 — Plan Card approval is now one batched picker (approve / edit / change format) instead of three sequential questions.

Plumbing

• e729b2f — switches the Azure MCP CLI to --mode single, collapsing ~26 per-service tool schemas (~30K tokens) behind one routing tool (~3K tokens). Same APIs, same auth — the schemas just don't load until the tool is called. This is what makes the workflow fit in context without truncating.

Eval coverage

• 4592b1f — evals/azure-compute/eval.yaml with 16 stimuli covering router accuracy, depth-probe branches, VMSS recognition, Plan Card gate, and output adapter coverage. Smoke tier (5 × 3) was 3/5 flaky before; this PR brings it to 5/5 passing 3-for-3.

Follow-ups during review

• 710e3f7 — fixes Skill Structure CI: a few cross-file references pointed at paths that didn't exist after the workflow split.
• a590be1 — rewrites the skill frontmatter description: from a >- folded scalar to an inline double-quoted string. skills.sh only accepts the inline form.
• ef08203 — removes the '*' default on sshSourceAddressPrefix (Bicep) and ssh_source_address_prefix (Terraform). The templates now require the caller to pass their own IP or a trusted CIDR; opening port 22 to the entire internet has to be an explicit, accepted choice. Resolves the open Copilot security suggestions.

Why it matters

The visible change: a user asking for a VM gets to see and edit what's about to be deployed, instead of finding out after the fact. The eval suite locks the behavior in so it doesn't regress.

The invisible change (e729b2f): the whole workflow used to run out of context room around turn 3 because the Azure MCP server was loading every service's tool schema up front. With --mode single, schemas load on demand and the workflow holds end-to-end.

Test plan

• vally run evals/azure-compute/eval.yaml --tier smoke — 5/5 stimuli × 3 trials
• Manual: "I need a small Ubuntu VM to test something" → beginner depth probe → 2 questions → Plan Card → batched picker. PASS (5 turns, $0.42)
• Manual: "set up an autoscaling web tier for ~500 rps" → VMSS recognized without user saying VMSS → Flexible orchestration recommended. PASS (4 turns, $0.39)
• Manual: "apply via MCP" end-to-end — verify the single MCP routing tool stays responsive past turn 3. PASS through 16 turns (quota validation caught zero D2s_v5 quota, model auto-switched to B1s). Apply step was cancelled at the permission prompt, which is orthogonal to the schema-cost fix being tested.
• No regressions in vm-recommender standalone (recommend-only, no hand-off to creator). PASS (1 turn, $0.30)
• All 11 CI checks pass on the latest commit (ef08203)

Manual items run via the claude-copilot proxy on claude-sonnet-4.6 with the plugin loaded from a working tree clone.

[Copilot]

Pull request overview

This PR expands the azure-compute skill from recommendation/troubleshooting routing into a fuller VM/VMSS creation workflow, adds MCP single-tool mode context optimization, and introduces an eval suite to guard routing and Plan Card behavior.

Changes:

• Adds a new vm-creator workflow with depth probes, validation gates, Plan Card approval, output adapters, delivery options, and example Bicep/Terraform artifacts.
• Updates the existing VM recommender and main skill router to hand off provisioning requests to vm-creator.
• Adds Azure Compute Vally eval coverage and switches Azure MCP startup to --mode single.

Reviewed changes

Copilot reviewed 31 out of 31 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
plugin/skills/azure-compute/SKILL.md	Updates router description and adds vm-creator routing.
plugin/.mcp.json	Starts Azure MCP in single-tool mode.
evals/azure-compute/eval.yaml	Adds azure-compute routing/workflow eval suite.
plugin/skills/azure-compute/workflows/vm-recommender/vm-recommender.md	Trims recommender workflow and adds creator handoff.
plugin/skills/azure-compute/workflows/vm-recommender/references/web-fetch-policy.md	Adds live-doc verification fallback policy.
plugin/skills/azure-compute/workflows/vm-recommender/references/handoff-to-creator.md	Defines recommender-to-creator handoff rules.
plugin/skills/azure-compute/workflows/vm-creator/vm-creator.md	Adds top-level VM/VMSS creation workflow.
plugin/skills/azure-compute/workflows/vm-creator/references/validation-gates.md	Documents required pre-Plan Card validation checks.
plugin/skills/azure-compute/workflows/vm-creator/references/plan-card.md	Defines Plan Card schema and approval picker.
plugin/skills/azure-compute/workflows/vm-creator/references/mcp-tools.md	Documents MCP commands and CLI fallbacks.
plugin/skills/azure-compute/workflows/vm-creator/references/depth-probe/index.md	Adds depth-probe branch selection.
plugin/skills/azure-compute/workflows/vm-creator/references/depth-probe/beginner.md	Adds beginner fast-path defaults.
plugin/skills/azure-compute/workflows/vm-creator/references/depth-probe/cost-deep.md	Adds cost-focused questioning guidance.
plugin/skills/azure-compute/workflows/vm-creator/references/depth-probe/networking-deep.md	Adds networking-focused questioning guidance.
plugin/skills/azure-compute/workflows/vm-creator/references/depth-probe/security-deep.md	Adds security-focused questioning guidance.
plugin/skills/azure-compute/workflows/vm-creator/references/depth-probe/spec-deep.md	Adds SKU/spec-focused questioning guidance.
plugin/skills/azure-compute/workflows/vm-creator/references/output-adapters/index.md	Adds shared output adapter routing and field mapping.
plugin/skills/azure-compute/workflows/vm-creator/references/output-adapters/az-cli.md	Adds az CLI output adapter.
plugin/skills/azure-compute/workflows/vm-creator/references/output-adapters/bicep.md	Adds Bicep output adapter.
plugin/skills/azure-compute/workflows/vm-creator/references/output-adapters/terraform.md	Adds Terraform output adapter.
plugin/skills/azure-compute/workflows/vm-creator/references/output-adapters/mcp-apply.md	Adds live Azure MCP apply adapter.
plugin/skills/azure-compute/workflows/vm-creator/references/delivery-options/index.md	Adds delivery mode decision logic.
plugin/skills/azure-compute/workflows/vm-creator/references/delivery-options/print.md	Adds print-in-chat delivery mode.
plugin/skills/azure-compute/workflows/vm-creator/references/delivery-options/save-local.md	Adds local file save delivery mode.
plugin/skills/azure-compute/workflows/vm-creator/references/delivery-options/github-pr.md	Adds GitHub PR delivery mode.
plugin/skills/azure-compute/workflows/vm-creator/examples/bicep/main.bicep	Adds deployable Bicep VM example.
plugin/skills/azure-compute/workflows/vm-creator/examples/bicep/README.md	Adds Bicep example usage documentation.
plugin/skills/azure-compute/workflows/vm-creator/examples/terraform/main.tf	Adds deployable Terraform VM example.
plugin/skills/azure-compute/workflows/vm-creator/examples/terraform/variables.tf	Adds Terraform input variables.
plugin/skills/azure-compute/workflows/vm-creator/examples/terraform/outputs.tf	Adds Terraform outputs.
plugin/skills/azure-compute/workflows/vm-creator/examples/terraform/README.md	Adds Terraform example usage documentation.

[deankroker]

Pushed ef08203 to address the open Copilot review suggestions. Audited all 6; 3 had real underlying problems that needed code changes, 3 were already correct as written.

Fixed (ef08203):

File	Change
examples/bicep/main.bicep	sshSourceAddressPrefix no longer defaults to '*' — now required; description explains the tradeoff
examples/terraform/variables.tf	ssh_source_address_prefix no longer defaults to "*" — now required; description explains the tradeoff
examples/terraform/README.md	Quickstart derives MY_IP=$(curl -s ifconfig.me)/32 and passes it explicitly to plan/apply; variables table marks the var required; Notes call out why; Cleanup command updated to match

Templates now refuse to deploy without an explicit source prefix — the open-to-internet path requires the user to pass "*" and accept the risk.

Audited, no change needed:

Comment	Why no change
plan-card.md "4 options" vs 6 listed	File already says "6 options" on the relevant line; suggestion was based on stale context
mcp-apply.md familyPrefix → family	The doc uses familyPrefix for compute_vm_list-skus (correct param for that command) and family for compute_vm_check-quota (correct param for that command) — confirmed against references/mcp-tools.md
depth-probe/beginner.md SSH/RDP defaults to *	Beginner path already defaults to the user's current public IP via curl -s ifconfig.me; * is only the fallback if detection fails, and is always flagged with ⚠

Watching CI; will flag if anything regresses.