diff --git a/.claude/rules/git.md b/.claude/rules/git.md
index 058e8ca80..d1be68114 100644
--- a/.claude/rules/git.md
+++ b/.claude/rules/git.md
@@ -1,5 +1,6 @@
 # Git Commits & Pull Requests
 
+- **Always create a new branch from `main` before starting any new work** — never commit directly to `main` or reuse an existing feature branch for unrelated changes
 - Use conventional commit format: `fix:`, `feat:`, `refactor:`, `docs:`, `test:`, `chore:`
 - Keep commits atomic - one logical change per commit
 - Commit message body should be concise (1-2 sentences max)
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml
index b56a60e39..5de1ac791 100644
--- a/.github/workflows/duplicate-code-detector.lock.yml
+++ b/.github/workflows/duplicate-code-detector.lock.yml
@@ -25,7 +25,7 @@
 #
 # Source: github/gh-aw/.github/workflows/duplicate-code-detector.md@94662b1dee8ce96c876ba9f33b3ab8be32de82a4
 #
-# frontmatter-hash: 4f5ec56c246974a11457868d57abe2ca8f6155d265e3d04d121dfc0cf9f4b0e0
+# frontmatter-hash: d551d980ae6a7f34b4091e64f2a0f024da1052b6f89a5239d9b04e2da5107d87
 
 name: "Duplicate Code Detector"
 "on":
@@ -43,6 +43,10 @@ concurrency:
 
 run-name: "Duplicate Code Detector"
 
+env:
+  ANTHROPIC_FOUNDRY_API_KEY: ${{ secrets.AZURE_ANTHROPIC_API_KEY }}
+  ANTHROPIC_FOUNDRY_BASE_URL: ${{ secrets.AZURE_ANTHROPIC_ENDPOINT }}
+
 jobs:
   activation:
     needs: pre_activation
diff --git a/.github/workflows/duplicate-code-detector.md b/.github/workflows/duplicate-code-detector.md
index 39eae5354..6006d410c 100644
--- a/.github/workflows/duplicate-code-detector.md
+++ b/.github/workflows/duplicate-code-detector.md
@@ -10,6 +10,9 @@ permissions:
   issues: read
   pull-requests: read
 engine: claude
+env:
+  ANTHROPIC_FOUNDRY_API_KEY: ${{ secrets.AZURE_ANTHROPIC_API_KEY }}
+  ANTHROPIC_FOUNDRY_BASE_URL: ${{ secrets.AZURE_ANTHROPIC_ENDPOINT }}
 tools:
   serena: ["python"]
 safe-outputs: