Audit an Azure tenant for Sovereign Landing Zone (SLZ) readiness against a vendored, SHA-pinned Cloud Adoption Framework baseline.
A Copilot plugin that helps Azure customers check their landing zone against the CAF/ALZ baseline plus SLZ sovereignty overlay, and scaffolds Azure Verified Modules (AVM) Bicep for the gaps — read-only, deterministic, and human-in-the-loop by design.
Five phases, each one small and verifiable on its own:
Discover → read-only az / Azure MCP queries → artifacts/<run>/findings.json
Reconcile → operator-confirmed MG role aliases → artifacts/<run>/mg_alias.json
Evaluate → pure Python rule engine (NO LLM) → artifacts/<run>/gaps.json
Plan → LLM + sequential-thinking, cites rule ids → artifacts/<run>/plan.md
Scaffold → AVM templates filled with params (no free-form) → artifacts/<run>/bicep/
The plugin never deploys anything. You review the Bicep, run az deployment ... what-if, and apply in your own pipeline.
Primary — direct from GitHub:
copilot
/plugin install msucharda/slz-readiness
Copilot fetches the repo, reads .github/plugin/plugin.json, and registers the agent, skills, slash commands, hooks, and MCP servers. The six slash commands (/slz-discover, /slz-reconcile, /slz-evaluate, /slz-plan, /slz-scaffold, /slz-run) appear in the / menu.
Requirements (all platforms): Python 3.11+, az CLI (logged in), git. No pip install is needed for normal use — the skills invoke the engine via python -m slz_readiness.<phase>.cli. Works on Windows, macOS and Linux without WSL.
Replace
msucharda/slz-readinesswith your fork if you've forked this repo.
Optional — as a marketplace:
/plugin marketplace add msucharda/slz-readiness
/plugin install slz-readiness@slz-readiness
Dev / from local clone (contributors only):
git clone https://github.com/msucharda/slz-readiness.git
cd slz-readiness
pip install -e ".[dev]" # installs slz-* console scripts + test depsThen inside Copilot CLI, from the repo root:
/plugin install .
From a packed release (once a v* tag is published):
Download slz-readiness-vX.Y.Z.zip from Releases, unzip it somewhere, then:
/plugin install /absolute/path/to/unpacked/slz-readiness
/slz-run # end-to-end, pauses for approval between phases (default)
/slz-discover # phase 1 only
/slz-reconcile # phase 2 only (brownfield MG alias mapping)
/slz-evaluate # phase 3 only (deterministic)
/slz-plan # phase 4 only
/slz-scaffold # phase 5 only
Every claim the plugin makes is backed by a rule YAML that cites a specific file in data/baseline/ at a specific SHA. If the baseline file can't be resolved, CI fails. See docs/anti-hallucination.md.
Version strings live in five files (apm.yml, .github/plugin/plugin.json, scripts/slz_readiness/__init__.py, data/baseline/VERSIONS.json, pyproject.toml). Use the release script — do not bump by hand:
python scripts/release.py 0.14.9The script bumps all five files. The release.yml workflow verifies that the tag matches every manifest version and refuses to publish on mismatch, then builds and attaches slz-readiness-vX.Y.Z.zip to the GitHub Release.
Consumers install with /plugin install msucharda/slz-readiness inside the Copilot CLI (not apm install — APM expects a .apm/ tree this plugin does not ship).
MIT. See LICENSE.