Merge remote-tracking branch 'upstream/main' into GetColumnSchemaKeyInfo

Author: campersau

.github/copilot-instructions.md

@@ -129,6 +129,10 @@ When a new issue is created, follow these steps:
 - Suggest release note entries for fixes by updating files under `release-notes/` or by using the `release-notes` prompt (instead of editing `CHANGELOG.md` directly).
 - Tag reviewers based on `CODEOWNERS` file
 
+## 🌿 Branch Naming
+- All branches created by AI agents **must** use the `dev/automation/` prefix (e.g. `dev/automation/fix-connection-timeout`).
+- Do **not** create branches directly under `main`, `dev/`, or any other top-level prefix.
+
 ## 🧠 Contextual Awareness
 - All source code is in `src/Microsoft.Data.SqlClient/src/`. Do NOT add code to legacy `netfx/src/` or `netcore/src/` directories.
 - Only `ref/` folders in `netcore/ref/` and `netfx/ref/` remain active for defining the public API surface.

.github/instructions/onebranch-pipeline-design.instructions.md

@@ -36,6 +36,8 @@ Defined in `stages/build-stages.yml`. Four build stages plus validation, ordered
 - **`build_addons`** (Stage 4) — AKV Provider; `dependsOn: build_dependent`; downloads SqlClient + Abstractions + Logging artifacts
 - **`mds_package_validation`** — Validates signed SqlClient package; `dependsOn: build_dependent`; runs in parallel with Stage 4
 
+Each build job copies PDB files into `$(JOB_OUTPUT)/symbols/` so they are included in the auto-published pipeline artifact alongside the NuGet packages in `$(JOB_OUTPUT)/packages/`.
+
 Stage conditional rules:
 - Wrap stages/jobs in `${{ if }}` compile-time conditionals based on build parameters
 - `buildSqlClient` controls Stages 2, 3, validation, and Logging (when AKV is disabled)
@@ -45,17 +47,32 @@ Stage conditional rules:
 
 ## Job Templates
 
-- **`build-signed-csproj-package-job.yml`** — Generic job for csproj-based packages (Logging, SqlServer.Server, Abstractions, Azure, AKV Provider). Flow: Build DLLs → ESRP DLL signing → NuGet pack (`NoBuild=true`) → ESRP NuGet signing
-- **`build-signed-sqlclient-package-job.yml`** — SqlClient-specific job (nuspec-based). Flow: Build all configurations → ESRP DLL signing (main + resource DLLs) → NuGet pack via nuspec → ESRP NuGet signing
+- **`build-signed-csproj-package-job.yml`** — Generic job for csproj-based packages (Logging, SqlServer.Server, Abstractions, Azure, AKV Provider). Flow: Build DLLs → ESRP DLL signing → NuGet pack (`NoBuild=true`) → ESRP NuGet signing → Copy PDBs to artifact
+- **`build-signed-sqlclient-package-job.yml`** — SqlClient-specific job (nuspec-based). Flow: Build all configurations → ESRP DLL signing (main + resource DLLs) → NuGet pack via nuspec → ESRP NuGet signing → Copy PDBs to artifact
 - **`validate-signed-package-job.yml`** — Validates signed MDS package (signature, strong names, folder structure, target frameworks)
 - **`publish-nuget-package-job.yml`** — Reusable release job using OneBranch `templateContext.type: releaseJob` with `inputs` for artifact download; pushes via `NuGetCommand@2`
+- **`publish-symbols-job.yml`** — Reusable symbols job: downloads a build artifact, locates PDBs under `symbols/`, and invokes `publish-symbols-step.yml`
 
 When adding a new csproj-based package:
 - Use `build-signed-csproj-package-job.yml` with appropriate `packageName`, `packageFullName`, `versionProperties`, and `downloadArtifacts`
 - Add build and pack targets to `build.proj`
 - Add version variables to `variables/common-variables.yml`
 - Add artifact name variable to `variables/onebranch-variables.yml`
 
+## Symbols Publishing Stage
+
+- Defined in `stages/publish-symbols-stage.yml`; produces stage `publish_symbols`
+- Entire stage excluded at compile time when `publishSymbols` is false
+- `dependsOn` is conditional based on which `build*` parameters are set, mirroring the build stage dependency graph
+- One job per package (`publish-symbols-job.yml`), each downloading its build artifact and publishing PDBs from `symbols/`
+- Each package's PDBs are published separately with unique artifact names and version information
+- Build jobs copy PDBs into `$(JOB_OUTPUT)/symbols/` so they are included in the auto-published artifact
+- The `publish-symbols-step.yml` accepts a `symbolsFolder` parameter to point at the downloaded PDB location
+- The publish step calls an extracted `publish-symbols.ps1` script with structured error handling and diagnostic logging
+- Symbols publishing credentials come from the `Symbols Publishing` variable group
+- In the official pipeline, symbol server destination follows `releaseToProduction`: Production when true, PPE when false
+- Non-official pipeline always targets the PPE symbol server
+
 ## Release Stage
 
 - Defined in `stages/release-stages.yml`; produces stage `release_production` (official) or `release_test` (non-official) via `stageNameSuffix` parameter
@@ -84,7 +101,9 @@ Release parameters (all boolean, default `false`):
 - `releaseSqlServerServer`, `releaseLogging`, `releaseAbstractions`, `releaseSqlClient`, `releaseAzure`, `releaseAKVProvider`
 
 Official-only parameter:
-- `releaseToProduction` — push to NuGet Production feed (default `false`)
+- `releaseToProduction` — controls both NuGet target feed and symbol server destination (default `false`):
+  - `true` → NuGet Production feed + Production symbol server
+  - `false` → NuGet Test feed + PPE symbol server
 
 When `isPreview` is true, pipeline resolves `effective*Version` variables to preview versions; otherwise GA versions. All versions defined in `variables/common-variables.yml`.
 
@@ -98,8 +117,7 @@ When `isPreview` is true, pipeline resolves `effective*Version` variables to pre
 - When adding a new package, add GA version, preview version, and assembly file version entries
 
 Variable groups:
-- `Release Variables` — release configuration (in `common-variables.yml`)
-- `Symbols publishing` — symbol publishing credentials (in `common-variables.yml`)
+- `Symbols Publishing` — symbol publishing credentials (in `onebranch-variables.yml`)
 - `ESRP Federated Creds (AME)` — ESRP signing credentials (in `common-variables.yml`)
 
 ## Code Signing (ESRP)
@@ -115,15 +133,19 @@ Variable groups:
 
 - TSA: enabled only in official pipeline; disabled in non-official to avoid spurious alerts
 - ApiScan: enabled in both; currently `break: false` pending package registration
-- Each build job sets `ob_sdl_apiscan_*` variables pointing to `$(Build.SourcesDirectory)/apiScan/<PackageName>/`
+- Each build job sets `ob_sdl_apiscan_softwareFolder` to `$(JOB_OUTPUT)/assemblies` and `ob_sdl_apiscan_symbolsFolder` to `$(JOB_OUTPUT)/symbols`
 - CodeQL, SBOM, Policheck (`break: true`): enabled in both pipelines
 - asyncSdl `enabled: false` in both; individual sub-tools (CredScan, BinSkim, Armory, Roslyn) configured underneath
 - Policheck exclusions: `$(REPO_ROOT)\.config\PolicheckExclusions.xml`
 - CredScan suppressions: `$(REPO_ROOT)/.config/CredScanSuppressions.json`
 
 ## Artifact Conventions
 
-- `ob_outputDirectory` set to `$(PACK_OUTPUT)` (= `$(REPO_ROOT)/output`) — OneBranch auto-publishes this directory
+- `ob_outputDirectory` set to `$(JOB_OUTPUT)` (= `$(REPO_ROOT)/output`) — OneBranch auto-publishes this directory
+- Each published artifact uses subdirectories to separate file types:
+  - `assemblies/` — DLL assemblies for APIScan (preserving TFM folder structure)
+  - `packages/` — NuGet packages (`.nupkg`, `.snupkg`)
+  - `symbols/` — PDB symbol files (preserving TFM folder structure, shared by APIScan and symbol publishing)
 - Artifact names follow `drop_<stageName>_<jobName>` — defined in `variables/onebranch-variables.yml`
 - Downstream jobs download artifacts via `DownloadPipelineArtifact@2` into `$(Build.SourcesDirectory)/packages`
 - Downloaded packages serve as a local NuGet source for `dotnet restore`

.github/prompts/code-review.prompt.md

@@ -1,18 +1,20 @@
 ---
 name: code-review
-description: AI-assisted code review for a pull request in Microsoft.Data.SqlClient.
+description: AI-assisted code review for a pull request or branch in Microsoft.Data.SqlClient.
 argument-hint: <PR number or branch name>
 agent: agent
-tools: ['github/search_issues', 'read/readFile', 'codebase/search']
+tools: ['github/search_issues', 'github/pull_request_read', 'github/get_file_contents', 'github/run_secret_scanning', 'read/readFile', 'search']
 ---
 
-Review the pull request "${input:pr}" in `dotnet/SqlClient`.
+Review the changes in "${input:target}" for `dotnet/SqlClient`.
+
+The target may be either a **PR number** (e.g., `4106`) or a **branch name** (e.g., `dev/user/my-feature`). Determine which by checking whether the value is purely numeric.
 
 Follow this structured review process:
 
 ## 1. Understand the Change
-- Fetch the PR details: title, description, linked issue(s), and diff.
 - Read the PR description to understand the intent and scope of the change.
+- Check for linked issues referenced in the description (e.g., `Fixes #...`).
 - Check which files are modified and categorize them:
   - **Source code** (`src/Microsoft.Data.SqlClient/src/`) — the main review focus
   - **Tests** (`tests/`) — verify coverage

.github/prompts/generate-doc-comments.prompt.md

@@ -1,5 +1,5 @@
 ---
-name: doc-comments
+name: generate-doc-comments
 description: Generate XML documentation comments for C# code following .NET best practices.
 argument-hint: <code>
 agent: agent

.github/prompts/generate-prompt.prompt.md

@@ -2,6 +2,7 @@
 name: generate-prompt
 description: Generates high-quality VS Code Copilot prompt files (.prompt.md) based on user descriptions, leveraging available skills.
 argument-hint: Describe the prompt you want to create (e.g., "A prompt to generate unit tests for C#")
+tools: [read, edit, search, todo]
 ---
 You are an expert AI prompt developer specialized in creating **Visual Studio Code Copilot Prompt Files (`.prompt.md`)**.
 
@@ -34,6 +35,7 @@ Before generating the prompt, review the available skills in the `.github/skills
         *   `name`: A concise, kebab-case name for the prompt.
         *   `description`: A clear, short description of what the prompt does.
         *   `argument-hint`: (Optional) A hint for what arguments the user can provide when using the prompt.
+        *   `tools`: (Recommended) A list of tool identifiers the prompt is allowed to use. See the **Tool Scoping** section below.
     *   **Body Structure**:
         *   **Role**: Define the AI's persona (e.g., "You are an expert C# developer...").
         *   **Context**: Include specific context instructions or references.
@@ -50,19 +52,78 @@ Before generating the prompt, review the available skills in the `.github/skills
     *   Use `${input:variableName}` for user inputs (e.g., `${input:methodName}`).
     *   Use built-in variables like `${selection}`, `${file}`, or `${workspaceFolder}` where appropriate context is needed.
 
-6.  **Best Practices**:
+6.  **Scope Tools**: Restrict the tools available to each prompt using the `tools` frontmatter field. See the **Tool Scoping** section below for detailed guidance.
+
+7.  **Best Practices**:
     *   Be specific and explicit.
     *   Encourage chain-of-thought reasoning if the task is complex.
     *   Reference workspace files using Markdown links `[path/to/file.cs](path/to/file.cs)` only if they are static and necessary for *all* invocations of this prompt.
     *   Prefer referencing skills over duplicating instructions that already exist in skills.
 
+## Tool Scoping
+
+Every generated prompt **should** include a `tools` list in its YAML frontmatter. Scoping tools keeps the model focused by limiting it to approved, known-effective tools for the task. Without tool scoping, the model may invoke irrelevant tools, waste context, or produce unpredictable results.
+
+### Why scope tools?
+- **Focus**: Fewer tools means the model spends less reasoning on tool selection and more on the task.
+- **Reliability**: Restricting to tested tools avoids unexpected side effects (e.g., a read-only review prompt shouldn't have edit tools).
+- **Safety**: Prevents prompts from accidentally running terminal commands or making file changes when they shouldn't.
+
+### How to choose tools
+Apply the **principle of least privilege** — include only the tools the prompt actually needs:
+
+| Prompt type | Recommended tools |
+|---|---|
+| **Read-only analysis** (review, triage, explain) | `read/readFile`, `search/codebase`, `search/textSearch` |
+| **Code editing** (bug fix, feature, refactor) | `edit/editFiles`, `edit/createFile`, `read/readFile`, `search/codebase` |
+| **Needs terminal** (build, test, scripts) | All of the above + `execute/runInTerminal`, `execute/getTerminalOutput` |
+| **Needs GitHub data** (triage, release notes) | All of the above + `github/search_issues` or other GitHub tools |
+| **Needs web content** (docs lookup) | `web/fetch` |
+
+### Available built-in tool identifiers
+
+You can specify individual tools or tool sets (which include all tools in that group).
+
+**Tool sets** (use these to include all tools in a category):
+- `edit` — File creation and editing tools
+- `read` — File and notebook reading tools
+- `search` — Codebase, text, and file search tools
+- `execute` — Terminal, task, and notebook execution tools
+- `web` — Web content fetching tools
+
+**Commonly used individual tools:**
+
+| Tool identifier | Purpose |
+|---|---|
+| `edit/editFiles` | Apply edits to existing files |
+| `edit/createFile` | Create a new file |
+| `read/readFile` | Read file contents |
+| `read/problems` | Get workspace problems/diagnostics |
+| `search/codebase` | Semantic code search |
+| `search/textSearch` | Text/regex search in files |
+| `search/fileSearch` | Search for files by glob pattern |
+| `search/listDirectory` | List directory contents |
+| `search/usages` | Find references and implementations |
+| `execute/runInTerminal` | Run a shell command |
+| `execute/getTerminalOutput` | Get terminal output |
+| `execute/testFailure` | Get test failure details |
+| `web/fetch` | Fetch a web page |
+
+**Extension / MCP tools** can also be included using their identifier (e.g., `github/search_issues`). Use `<server-name>/*` to include all tools from an MCP server.
+
+### Frontmatter syntax
+```yaml
+tools: ['read/readFile', 'search/codebase', 'edit/editFiles']
+```
+
 ## Example Output Structure (with skill reference)
 
 ```markdown
 ---
 name: my-new-prompt
 description: specialized task description
 argument-hint: input parameter hint
+tools: ['edit/editFiles', 'read/readFile', 'search/codebase', 'execute/runInTerminal']
 ---
 You are a specialized agent for...
 
@@ -89,6 +150,7 @@ Use ${input:param1} to...
 name: my-new-prompt
 description: specialized task description
 argument-hint: input parameter hint
+tools: ['read/readFile', 'search/codebase']
 ---
 You are a specialized agent for...
 

.github/prompts/generate-skill.prompt.md

@@ -2,6 +2,8 @@
 name: generate-skill
 description: Generate a GitHub Copilot Agent Skill (SKILL.md) following best practices and official documentation
 argument-hint: Describe the skill you want to create (e.g., "debugging SQL connection issues")
+agent: agent
+tools: ['read/readFile', 'edit/createFile', 'search']
 ---
 You are an expert developer specialized in creating **GitHub Copilot Agent Skills**.
 

.github/prompts/refine-test-overlap.prompt.md

@@ -1,7 +1,9 @@
 ---
-name: test-minimize-overlap
+name: refine-test-overlap
 description: Run coverage overlap analysis and suggest test suite optimizations
 argument-hint: Test filter (e.g. FullyQualifiedName~MyTests) or describe the tests you want to analyze
+agent: agent
+tools: ['edit/editFiles', 'read/readFile', 'search/codebase', 'execute/runInTerminal', 'execute/getTerminalOutput']
 ---
 You are an expert .NET Test Engineer specialized in optimizing test coverage and reducing technical debt.
 
@@ -10,19 +12,19 @@ Your task is to analyze the user's test suite using the `AnalyzeTestOverlap.ps1`
 
 ## Skills
 This prompt leverages the following skills for specific sub-tasks:
-- [generate-mstest-filter](../skills/generate-mstest-filter/SKILL.md) - For generating well-formed MSTest filter expressions
+- [generate-mstest-filter](.github/skills/generate-mstest-filter/SKILL.md) - For generating well-formed MSTest filter expressions
 
 ## Tools
-You have access to the analysis script at `[AnalyzeTestOverlap.ps1](./scripts/AnalyzeTestOverlap.ps1)`.
+You have access to the analysis script at [AnalyzeTestOverlap.ps1](.github/prompts/scripts/AnalyzeTestOverlap.ps1).
 
 ## Workflow
 1.  **Parse or Generate Test Filter**:
     *   If `${input:filter}` is a valid MSTest filter expression (e.g., `FullyQualifiedName~MyTests`), use it directly.
-    *   If `${input:filter}` is a loose description (e.g., "connection tests" or "SqlCommand class"), follow the instructions in the [generate-mstest-filter](../skills/generate-mstest-filter/SKILL.md) skill to generate a proper filter expression.
+    *   If `${input:filter}` is a loose description (e.g., "connection tests" or "SqlCommand class"), follow the instructions in the [generate-mstest-filter](.github/skills/generate-mstest-filter/SKILL.md) skill to generate a proper filter expression.
     *   If `${input:filter}` is empty, ask the user for a test filter or description to target specific tests.
 
 2.  **Run Analysis**:
-    *   Run the script using the filter: `.\scripts\AnalyzeTestOverlap.ps1 -Filter "<filter>"`.
+    *   Run the script from the workspace root: `.\.github\prompts\scripts\AnalyzeTestOverlap.ps1 -Filter "<filter>"`.
     *   *Note*: The script produces a console summary and a `test-coverage-analysis.json` file.
 
 3.  **Review Overlap**:

.github/prompts/update-build-pipelines.prompt.md

@@ -3,7 +3,7 @@ name: update-build-pipelines
 description: Guided workflow for updating Azure DevOps CI/CD pipelines for Microsoft.Data.SqlClient.
 argument-hint: <describe the pipeline change needed>
 agent: agent
-tools: ['edit/createFile', 'edit/editFiles', 'read/readFile', 'codebase/search']
+tools: ['edit/createFile', 'edit/editFiles', 'read/readFile', 'search']
 ---
 
 Update the Azure DevOps build pipelines for: "${input:change}".