Merge origin/main and resolve doc conflicts

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>

Author: Copilot

README.md

@@ -251,9 +251,9 @@ the service connections. Approve the permissions and the pipeline is ready.
 | `post-steps` | list | — | Inline steps after agent runs |
 | `setup` | list | — | Separate job before agentic task |
 | `teardown` | list | — | Separate job after safe outputs |
-| `network` | object | — | Additional allowed/blocked hosts |
-| `inlined-imports` | boolean | `false` | Resolve `{{#runtime-import …}}` markers at compile time instead of at pipeline runtime. When `false` (default), prompt-body edits do not require recompilation. |
-| `env` | map | — | Workflow-level environment variables (reserved, not yet implemented) |
+| `network` | object | — | Additional allowed/blocked hosts |
+| `inlined-imports` | boolean | `false` | When `true`, resolves all `{{#runtime-import …}}` markers at compile time; the generated YAML is self-contained but prompt-body edits require recompilation. See [runtime-imports.md](docs/runtime-imports.md). |
+| `env` | map | — | Workflow-level environment variables (reserved, not yet implemented) |
 
 ### Markdown Body
 

prompts/create-ado-agentic-workflow.md

@@ -563,18 +563,15 @@ Omit `parameters:` if no runtime configuration knobs are needed.
 
 ### Step 16 — Inlined Imports (advanced, optional)
 
-Controls when `{{#runtime-import ...}}` markers in the markdown body are resolved. Defaults to `false` — leave it unset for most workflows.
+By default (`inlined-imports: false`), any `{{#runtime-import …}}` markers in the agent body — including the implicit marker that reloads the body itself — are resolved at **pipeline runtime**. This means editing the `.md` agent body does not require recompiling the `.lock.yml` pipeline.
+
+Set `inlined-imports: true` only when you need a fully self-contained pipeline YAML (e.g., for auditing or air-gapped deployment):
 
 ```yaml
-inlined-imports: true   # Resolve all runtime-import markers at compile time
+inlined-imports: true
 ```
 
-| Value | Behavior |
-|-------|----------|
-| `false` (default) | Markers resolved at pipeline runtime — prompt-body edits do **not** require recompiling |
-| `true` | Markers resolved at compile time — the generated `.lock.yml` is fully self-contained, but prompt-body edits require `ado-aw compile` |
-
-Only set `inlined-imports: true` if you need the pipeline file to be completely standalone (e.g., for environments where the source `.md` file is not accessible at pipeline runtime). See `docs/runtime-imports.md` for full details.
+**Trade-off**: with `inlined-imports: true`, every change to the agent instructions requires running `ado-aw compile` and committing the updated `.lock.yml`. Omit this field (or set it to `false`) for the typical edit-without-recompile workflow.
 
 ---
 

site/src/content/docs/setup/cli.mdx

@@ -80,7 +80,9 @@ Options:
 - `--org <url>` -- Azure DevOps organization URL or bare org name
 - `--project <name>` -- Azure DevOps project name
 - `--pat <pat>` -- PAT for ADO API authentication
-- `--definition-ids <ids>` -- explicit comma-separated definition IDs (skips auto-detection)
+- `--definition-ids <ids>` -- explicit comma-separated definition IDs (skips auto-detection); mutually exclusive with `--all-repos` / `--source`
+- `--all-repos` -- **project-scope mode**: search every ado-aw definition in the ADO project, not just those with a local lock file; mutually exclusive with `--definition-ids`
+- `--source <path>` -- filter to definitions whose `# ado-aw-metadata` marker references this template path (e.g. `agents/security-scan.md`); activates the discovery code path; pairs with `--all-repos` to scope across the whole project
 - `--dry-run` -- print the planned set without calling the ADO API
 
 ### `secrets list [path]`
@@ -91,6 +93,7 @@ Options:
 
 - `--json` -- emit machine-readable JSON
 - `--org`, `--project`, `--pat`, `--definition-ids` -- same as `secrets set`
+- `--all-repos`, `--source` -- same as `secrets set`
 
 ### `secrets delete <name> [path]`
 
@@ -99,8 +102,29 @@ Delete a named variable from every matched definition. No-op when the variable i
 Options:
 
 - `--org`, `--project`, `--pat`, `--definition-ids` -- same as `secrets set`
+- `--all-repos`, `--source` -- same as `secrets set`
 - `--dry-run` -- print the planned deletion without calling the ADO API
 
+### Project-scope discovery (`--all-repos` / `--source`)
+
+By default, `secrets` commands match ADO definitions by scanning local lock files. Two opt-in flags activate **Preview-driven discovery** instead — useful when local checkouts of every consumer pipeline aren't available:
+
+- **`--all-repos`** — search every ado-aw definition in the ADO project, including consumer pipelines that include ado-aw templates but live in other repos. No local checkout of those repos is required.
+- **`--source <path>`** — restrict results to definitions whose `# ado-aw-metadata` marker references the given template path. Useful for fan-out token rotation: `ado-aw secrets set GITHUB_TOKEN --source agents/security-scan.md` updates every pipeline that includes that template across the entire project.
+
+Both flags are mutually exclusive with `--definition-ids`. `enable`, `disable`, and `remove` are **not** affected — they retain their source-scoped safety semantics.
+
+```bash
+# Rotate GITHUB_TOKEN on every ado-aw pipeline in the project
+ado-aw secrets set GITHUB_TOKEN --all-repos
+
+# Update only pipelines that include a specific template
+ado-aw secrets set GITHUB_TOKEN --all-repos --source agents/security-scan.md
+
+# Preview which definitions would be updated
+ado-aw secrets set GITHUB_TOKEN --all-repos --dry-run
+```
+
 ### `enable [path]`
 
 Register an ADO build definition for each compiled pipeline discovered under `path` and ensure it is `enabled`. Matches existing definitions by YAML filename first, then by display name; creates a new definition when no match is found.
@@ -240,9 +264,12 @@ ado-aw compile
 # Verify a generated pipeline
 ado-aw check agent.lock.yml
 
-# Set GITHUB_TOKEN on all matched pipelines
+# Set GITHUB_TOKEN on all matched pipelines (local lock files)
 ado-aw secrets set GITHUB_TOKEN
 
+# Set GITHUB_TOKEN on every ado-aw pipeline in the project (no local checkout needed)
+ado-aw secrets set GITHUB_TOKEN --all-repos
+
 # Register pipelines with ADO and set their token in one step
 ado-aw enable --also-set-token
 

src/fuzzy_schedule.rs

@@ -924,9 +924,8 @@ mod tests {
         let cron2 = generate_cron(&schedule, "test/workflow");
         assert_eq!(cron1, cron2, "Same workflow should produce same cron");
 
-        let _cron3 = generate_cron(&schedule, "other/workflow");
-        // Different workflows should (usually) produce different crons
-        // Note: There's a small chance of collision, but it's unlikely
+        let cron3 = generate_cron(&schedule, "other/workflow");
+        assert_ne!(cron1, cron3, "Different workflow IDs should produce different crons");
     }
 
     #[test]
@@ -984,22 +983,6 @@ mod tests {
         assert_eq!(parts[4], "1", "Day of week should be Monday (1)");
     }
 
-    #[test]
-    fn test_between_equal_times_midnight() {
-        // Test edge case: between midnight and midnight
-        let schedule = parse_fuzzy_schedule("daily between midnight and midnight").unwrap();
-        let cron = generate_cron(&schedule, "test/agent");
-
-        let parts: Vec<&str> = cron.split_whitespace().collect();
-        assert_eq!(parts.len(), 5, "Cron should have 5 fields");
-
-        let minute: u32 = parts[0].parse().expect("Minute should be a number");
-        assert!(minute < 60, "Minute should be 0-59");
-
-        let hour: u32 = parts[1].parse().expect("Hour should be a number");
-        assert!(hour < 24, "Hour should be 0-23");
-    }
-
     #[test]
     fn test_generate_schedule_yaml() {
         let yaml = generate_schedule_yaml("daily", "test/agent", &[]).unwrap();
@@ -1039,23 +1022,19 @@ mod tests {
     // ─── invalid hour interval error path ────────────────────────────────────
 
     #[test]
-    fn test_parse_invalid_hour_interval_5h() {
-        let err = parse_fuzzy_schedule("every 5h").unwrap_err();
-        assert!(
-            err.to_string().contains("Valid intervals"),
-            "Error for 5h should mention valid intervals: {}",
-            err
-        );
-    }
-
-    #[test]
-    fn test_parse_invalid_hour_interval_7h() {
-        let err = parse_fuzzy_schedule("every 7h").unwrap_err();
-        assert!(
-            err.to_string().contains("not recommended"),
-            "Error for 7h should say 'not recommended': {}",
-            err
-        );
+    fn test_parse_invalid_hour_interval() {
+        for input in &["every 5h", "every 7h"] {
+            let err = parse_fuzzy_schedule(input).unwrap_err();
+            let msg = err.to_string();
+            assert!(
+                msg.contains("not recommended"),
+                "Error for {input} should say 'not recommended': {msg}"
+            );
+            assert!(
+                msg.contains("Valid intervals"),
+                "Error for {input} should list valid intervals: {msg}"
+            );
+        }
     }
 
     #[test]
@@ -1069,12 +1048,29 @@ mod tests {
     }
 
     #[test]
-    fn test_backward_compatibility() {
-        // Test that simple "hourly" and "daily" still work
+    fn test_backward_compatibility_hourly() {
+        // "hourly" should produce a cron where only the minute varies (all other fields are `*`)
         let yaml = generate_schedule_yaml("hourly", "test", &[]).unwrap();
         assert!(yaml.contains("cron:"));
-
-        let yaml = generate_schedule_yaml("daily", "test", &[]).unwrap();
-        assert!(yaml.contains("cron:"));
+        // Extract the cron expression from the YAML: `  - cron: "N * * * *"`
+        let cron_line = yaml
+            .lines()
+            .find(|l| l.trim_start().starts_with("- cron:"))
+            .expect("YAML should contain a `- cron:` line");
+        let cron = cron_line
+            .trim()
+            .trim_start_matches("- cron:")
+            .trim()
+            .trim_matches('"');
+        let parts: Vec<&str> = cron.split_whitespace().collect();
+        assert_eq!(parts.len(), 5, "Hourly cron should have 5 fields");
+        // Hour, day-of-month, month, day-of-week must all be `*`
+        assert_eq!(parts[1], "*", "Hour field should be * for hourly");
+        assert_eq!(parts[2], "*", "Day-of-month field should be * for hourly");
+        assert_eq!(parts[3], "*", "Month field should be * for hourly");
+        assert_eq!(parts[4], "*", "Day-of-week field should be * for hourly");
+        // Minute must be a valid 0-59 integer
+        let minute: u32 = parts[0].parse().expect("Minute field should be a number");
+        assert!(minute < 60, "Minute should be 0-59");
     }
 }

src/safeoutputs/add_build_tag.rs

@@ -127,20 +127,20 @@ impl Executor for AddBuildTagResult {
         // Compare in u64 space so that ADO build IDs larger than i32::MAX are
         // still enforced (the agent-supplied i32 simply cannot match such
         // values, which is the desired behavior).
-        if !config.allow_any_build {
-            if let Some(current_id) = ctx.build_id {
-                // self.build_id is validated > 0, so the cast to u64 is exact;
-                // values that don't fit in i32 simply cannot match current_id.
-                if self.build_id as u64 != current_id {
-                    return Ok(ExecutionResult::failure(format!(
-                        "Build #{} cannot be tagged: only the current build (#{}) is \
-                         allowed unless 'allow-any-build: true' is configured",
-                        self.build_id, current_id
-                    )));
-                }
+        if !config.allow_any_build
+            && let Some(current_id) = ctx.build_id
+        {
+            // self.build_id is validated > 0, so the cast to u64 is exact;
+            // values that don't fit in i32 simply cannot match current_id.
+            if self.build_id as u64 != current_id {
+                return Ok(ExecutionResult::failure(format!(
+                    "Build #{} cannot be tagged: only the current build (#{}) is \
+                     allowed unless 'allow-any-build: true' is configured",
+                    self.build_id, current_id
+                )));
             }
-            // If build_id is not set (e.g. local execution), allow any build
         }
+        // If build_id is not set (e.g. local execution), allow any build
 
         // 3. Apply tag prefix if configured
         let final_tag = match &config.tag_prefix {

src/safeoutputs/add_pr_comment.rs

@@ -269,13 +269,13 @@ impl Executor for AddPrCommentResult {
         };
 
         // Validate file_path if present
-        if let Some(ref fp) = self.file_path {
-            if let Err(e) = validate_file_path(fp) {
-                return Ok(ExecutionResult::failure(format!(
-                    "Invalid file_path: {}",
-                    e
-                )));
-            }
+        if let Some(ref fp) = self.file_path
+            && let Err(e) = validate_file_path(fp)
+        {
+            return Ok(ExecutionResult::failure(format!(
+                "Invalid file_path: {}",
+                e
+            )));
         }
 
         // Determine the repository name for the API call

src/safeoutputs/queue_build.rs

@@ -232,12 +232,12 @@ impl Executor for QueueBuildResult {
         });
 
         // Add template parameters as a JSON string if provided
-        if let Some(params) = &self.parameters {
-            if !params.is_empty() {
-                let params_json = serde_json::to_string(params)
-                    .context("Failed to serialize template parameters")?;
-                body["parameters"] = serde_json::Value::String(params_json);
-            }
+        if let Some(params) = &self.parameters
+            && !params.is_empty()
+        {
+            let params_json = serde_json::to_string(params)
+                .context("Failed to serialize template parameters")?;
+            body["parameters"] = serde_json::Value::String(params_json);
         }
 
         // Build the API URL

src/safeoutputs/update_work_item.rs

@@ -465,24 +465,24 @@ impl Executor for UpdateWorkItemResult {
             return Ok(result);
         }
 
-        // Validate agent-provided tags against allowed-tags (if configured)
-        if let Some(tags) = &self.tags {
-            if !config.allowed_tags.is_empty() {
-                let disallowed: Vec<_> = tags
-                    .iter()
-                    .filter(|tag| {
-                        !config
-                            .allowed_tags
-                            .iter()
-                            .any(|pattern| super::tag_matches_pattern(tag, pattern))
-                    })
-                    .collect();
-                if !disallowed.is_empty() {
-                    return Ok(ExecutionResult::failure(format!(
-                        "Agent-provided tags not in allowed-tags: {}",
-                        disallowed.iter().map(|t| t.as_str()).collect::<Vec<_>>().join(", ")
-                    )));
-                }
+                // Validate agent-provided tags against allowed-tags (if configured)
+        if let Some(tags) = &self.tags
+            && !config.allowed_tags.is_empty()
+        {
+            let disallowed: Vec<_> = tags
+                .iter()
+                .filter(|tag| {
+                    !config
+                        .allowed_tags
+                        .iter()
+                        .any(|pattern| super::tag_matches_pattern(tag, pattern))
+                })
+                .collect();
+            if !disallowed.is_empty() {
+                return Ok(ExecutionResult::failure(format!(
+                    "Agent-provided tags not in allowed-tags: {}",
+                    disallowed.iter().map(|t| t.as_str()).collect::<Vec<_>>().join(", ")
+                )));
             }
         }
 

src/safeoutputs/upload_build_attachment.rs

@@ -322,14 +322,14 @@ impl Executor for UploadBuildAttachmentResult {
         // Validate name-prefix length before applying. A long prefix would
         // be caught later by the final_name.len() > 100 check, but rejecting
         // early gives operators a clearer error message.
-        if let Some(prefix) = &config.name_prefix {
-            if prefix.len() > 50 {
-                return Ok(ExecutionResult::failure(format!(
-                    "name-prefix '{}...' is too long ({} chars, max 50)",
-                    prefix.chars().take(20).collect::<String>(),
-                    prefix.len()
-                )));
-            }
+        if let Some(prefix) = &config.name_prefix
+            && prefix.len() > 50
+        {
+            return Ok(ExecutionResult::failure(format!(
+                "name-prefix '{}...' is too long ({} chars, max 50)",
+                prefix.chars().take(20).collect::<String>(),
+                prefix.len()
+            )));
         }
 
         // Apply name-prefix and re-validate the resulting name's charset (the

src/safeoutputs/upload_pipeline_artifact.rs

@@ -319,14 +319,14 @@ impl Executor for UploadPipelineArtifactResult {
         }
 
         // ── Name-prefix ─────────────────────────────────────────────────
-        if let Some(prefix) = &config.name_prefix {
-            if prefix.len() > 50 {
-                return Ok(ExecutionResult::failure(format!(
-                    "name-prefix '{}...' is too long ({} chars, max 50)",
-                    prefix.chars().take(20).collect::<String>(),
-                    prefix.len()
-                )));
-            }
+        if let Some(prefix) = &config.name_prefix
+            && prefix.len() > 50
+        {
+            return Ok(ExecutionResult::failure(format!(
+                "name-prefix '{}...' is too long ({} chars, max 50)",
+                prefix.chars().take(20).collect::<String>(),
+                prefix.len()
+            )));
         }
         let final_name = match &config.name_prefix {
             Some(prefix) => format!("{}{}", prefix, self.artifact_name),