… Deploy commands. (#22)

* Improve resilience, logging, and code maintainability

- Added `Polly` for retry and resilience policies.
- Refactored `PublishCommand.cs` with modular manifest updates
  and retry logic for title access using exponential backoff.
- Enhanced error handling in `DeployCommand.cs` with broader
  exception handling and a new `DeployAppException`.
- Updated `DeployAppException` to support inner exceptions.
- Adjusted log levels in `ConfigService.cs` for less intrusive
  stale config warnings.
- Optimized `PythonBuilder.cs` by reordering publish directory
  cleanup and limiting Python syntax checks to the top-level.
- Cleaned up `Directory.Packages.props` for better readability.
- General code cleanup for improved readability and maintainability.

* Fix log message and clarify Python build comment

Updated a log message in `PublishCommand.cs` to correct a grammatical issue for improved clarity. Revised a comment in `PythonBuilder.cs` to specify that `python -m py_compile` targets `.py` files only in the project root directory, enhancing the precision of the documentation.

…aph, tests)

Exit codes (#7, #8/#9):
- Set Environment.ExitCode = 1 in ValidateDeploymentPrerequisitesAsync before
  each null return so callers exit non-zero on config/Web App validation failure
- Replace deploy-mcp guard `return` with ExceptionHandler.ExitWithCleanup(1)
  for AgentBlueprintId, AgenticAppId, and TenantId missing-config cases

Log severity (#15, #16, #17):
- LogCheckWarning: LogInformation -> LogWarning
- LogCheckFailure: all three LogInformation -> LogError
- ExecuteCheckWithLoggingAsync warning path: log ErrorMessage ?? Details
  so the primary warning message is no longer silently dropped

skip-graph regressions (#21, #22):
- Guard RunChecksOrExitAsync(MOS checks) behind if (!skipGraph)
- Guard clientAppId null check behind !skipGraph in PublishCommand

Unused parameter (#14):
- Remove IPrerequisiteRunner from BlueprintSubcommand.CreateCommand signature
- Update SetupCommand.cs call site and BlueprintSubcommandTests accordingly

InfrastructureRequirementCheck (#5, #6):
- Add I1/I2/I3/I1V2/I2V2/I3V2 (Isolated) SKUs to validation error message
- Wrap CheckAsync with ExecuteCheckWithLoggingAsync so [PASS]/[FAIL] is printed

PrerequisiteRunner warning message (#3):
- Log ErrorMessage ?? Details, log even when both are empty

IsCaeError gap (#18):
- Add InvalidAuthenticationToken to IsCaeError in ClientAppValidator

Stale comment (#10):
- Update ValidateDeploymentPrerequisitesAsync doc to remove "environment"

Tests (#19, #20):
- Add AppServiceAuthRequirementCheckTests (success, failure, metadata, null guard)
- Add MosPrerequisitesRequirementCheckTests (exception->failure, metadata, null guards)
- Update FrontierPreviewRequirementCheckTests: [WARN] now at LogWarning not LogInformation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…siteRunner (#106) (#312)

* feat: unify prerequisite validation via IRequirementCheck + IPrerequisiteRunner (#106)

Commands now declare prerequisites using IRequirementCheck and fail early
with actionable messages before any side effects occur.

Phase 1 - pure reorganization (zero behavioral change):
- Add AzureAuthRequirementCheck and InfrastructureRequirementCheck adapters
- Add IPrerequisiteRunner / PrerequisiteRunner to run checks in order
- Route AllSubcommand, BlueprintSubcommand, InfrastructureSubcommand,
  and DeployCommand through the shared runner instead of ad-hoc validators
- Delete dead code: ISubCommand.ValidateAsync, IAzureValidator/AzureValidator
- Make AzureAuthValidator.ValidateAuthenticationAsync virtual for testability

Phase 2 - minimal early-fail additions:
- cleanup azure: auth check before preview display
- deploy mcp: explicit early guards for agentBlueprintId and agenticAppId
  before any Graph/network calls

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: three CLI polish fixes

- ConfigFileNotFoundException now extends Agent365Exception so missing
  config errors surface as clean user messages (no stack trace) on all
  commands, not just those with local catch blocks. Removes ad-hoc
  FileNotFoundException catches in CleanupCommand and CreateInstanceCommand.

- config init: expand relative/dot deployment paths to absolute before
  saving so the stored value is portable across directories. Update help
  text to clarify relative paths are accepted.

- config init: drop platform-specific parenthetical from 'Allow public
  client flows' log message -- the setting is required on all platforms.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Polish CLI output: reduce noise, fix ordering, add TraceId

- Move "Running all setup steps..." to after requirements check output
- Remove redundant "Agent 365 Setup" header (user already knows the command)
- Change CorrelationId log to LogDebug for setup all and blueprint; surface
  as TraceId inline on the action line ("Running all setup steps... (TraceId: ...)")
  so it is always captured in setup.log as [INF] and visible on console
- Demote PlatformDetector internal logs to LogDebug; single "Detected project
  platform: X" line remains as the user-facing output
- Add AzureAuthRequirementCheck to GetConfigRequirementChecks so Azure auth
  appears in requirements output for all setup subcommands
- Remove redundant mid-execution auth gate from BlueprintSubcommand that caused
  duplicate [PASS] Azure Authentication output
- Fix RequirementCheck base class: use LogInformation for all check result lines
  to avoid WARNING:/ERROR: prefix doubling from logger formatter
- Collapse verbose requirements summary to single line:
  "Requirements: X passed, Y warnings, Z failed"
- Update tests to match new message text and log level assertions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: add fail-early requirement checks to remaining commands

Extends fail-early validation to setup infrastructure, setup permissions,
setup copilot-studio, cleanup azure, deploy, and publish commands.
Each command now runs targeted IRequirementCheck-based pre-flight checks
with formatted [PASS]/[FAIL] output before executing destructive or
slow operations, surfacing auth and config failures immediately.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor: structured requirement check composition + fix CAE token revocation UX

Phase 1 (zero behavioral change):
- Add GetBaseChecks() to SetupCommand and CleanupCommand for explicit check composition
- Add GetChecks() to each setup subcommand so check lists are co-located with their command
- Add RunChecksOrExitAsync() helper to RequirementsSubcommand to eliminate four-line boilerplate
- Guard all requirement check calls with if (!dryRun) to avoid spurious network calls
- Update RequirementsSubcommandTests to use public API after making internal helpers private

Fix CAE token revocation UX:
- Add ClientAppValidationException.TokenRevoked() factory for clear re-auth guidance
- Detect server-side CAE token revocation in GetClientAppInfoAsync and throw TokenRevoked
  instead of returning null (which was misreported as "app not found")
- Pass suppressErrorLogging: true to all az CLI calls in ClientAppValidator so raw error
  output no longer leaks to console before the formatted [FAIL] message
- Update ClientAppValidatorTests mocks to match suppressErrorLogging parameter

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: suppress raw subprocess output leaking before structured check results

AzureAuthValidator: add suppressErrorLogging to az account show call to
prevent CommandExecutor from printing raw stderr before [FAIL] output.
Remove verbose LogError/LogInformation guidance blocks — the validator
returns bool only; issue/resolution messaging belongs in the check layer.

PowerShellModulesRequirementCheck: downgrade auto-install progress from
LogInformation/LogWarning to LogDebug so they don't print before [PASS].

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: add cleanup azure --dry-run, AppService/MOS checks, update docs

- Add `--dry-run` flag to `a365 cleanup azure`: previews resources that
  would be deleted without requiring Azure auth or making any changes
- Add `AppServiceAuthRequirementCheck`: validates App Service deployment
  token before `a365 deploy`, catching AADSTS50173 token revocation early
- Add `MosPrerequisitesRequirementCheck`: validates MOS service principals
  before `a365 publish` proceeds, converting SetupValidationException to
  structured failure output
- Wire new checks into DeployCommand and PublishCommand via
  RunChecksOrExitAsync, replacing ad-hoc inline validation
- Add `GetChecks(AzureAuthValidator)` to InfrastructureSubcommand for
  explicit check composition
- Add `GetAppServiceTokenAsync` to AzureAuthValidator
- Update CLI design.md: add Requirements/ to project structure and
  document the IRequirementCheck prerequisite validation pattern
- Update CHANGELOG.md with user-visible additions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: address PR #312 review comments (exit codes, log levels, skip-graph, tests)

Exit codes (#7, #8/#9):
- Set Environment.ExitCode = 1 in ValidateDeploymentPrerequisitesAsync before
  each null return so callers exit non-zero on config/Web App validation failure
- Replace deploy-mcp guard `return` with ExceptionHandler.ExitWithCleanup(1)
  for AgentBlueprintId, AgenticAppId, and TenantId missing-config cases

Log severity (#15, #16, #17):
- LogCheckWarning: LogInformation -> LogWarning
- LogCheckFailure: all three LogInformation -> LogError
- ExecuteCheckWithLoggingAsync warning path: log ErrorMessage ?? Details
  so the primary warning message is no longer silently dropped

skip-graph regressions (#21, #22):
- Guard RunChecksOrExitAsync(MOS checks) behind if (!skipGraph)
- Guard clientAppId null check behind !skipGraph in PublishCommand

Unused parameter (#14):
- Remove IPrerequisiteRunner from BlueprintSubcommand.CreateCommand signature
- Update SetupCommand.cs call site and BlueprintSubcommandTests accordingly

InfrastructureRequirementCheck (#5, #6):
- Add I1/I2/I3/I1V2/I2V2/I3V2 (Isolated) SKUs to validation error message
- Wrap CheckAsync with ExecuteCheckWithLoggingAsync so [PASS]/[FAIL] is printed

PrerequisiteRunner warning message (#3):
- Log ErrorMessage ?? Details, log even when both are empty

IsCaeError gap (#18):
- Add InvalidAuthenticationToken to IsCaeError in ClientAppValidator

Stale comment (#10):
- Update ValidateDeploymentPrerequisitesAsync doc to remove "environment"

Tests (#19, #20):
- Add AppServiceAuthRequirementCheckTests (success, failure, metadata, null guard)
- Add MosPrerequisitesRequirementCheckTests (exception->failure, metadata, null guards)
- Update FrontierPreviewRequirementCheckTests: [WARN] now at LogWarning not LogInformation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>