feat(secrets): embed ADO org+repo in marker JSON for disambiguation

When two repos in the same ADO project both define a file of the
same name (e.g. each has its own `agents/foo.md`), today's
`--source agents/foo.md` would silently match consumers of either
template — the marker JSON carried only `source` and operators had
no way to scope writes to "my" agents/foo.md.

Add `org` and `repo` to the marker payload:

* `src/detect.rs` — `MarkerMetadata` gains two `#[serde(default)]`
  `String` fields; struct now derives `Default` so test fixtures
  can use the `..Default::default()` spread.
* `src/compile/extensions/ado_aw_marker.rs` — pull org from
  `ctx.ado_org()` and repo from `ctx.ado_context.repo_name`,
  lower-cased (ADO identifiers are case-insensitive). Empty when the
  compiler ran outside an ADO checkout; the non-GitHub-remote guard
  ensures this is rare in production. Echo line gains
  `org=... repo=...` for build-log readability.
* `src/ado/mod.rs` — add `AdoContext::org_name()` accessor that
  mirrors `CompileContext::ado_org`; lives on the struct so
  non-compile callers (Preview-driven discovery) can reuse it.
* `src/ado/discovery.rs` — when `source_filter` is active,
  `resolve_definitions_via_discovery` also requires the marker's
  `(org, repo)` to equal the current `ctx`'s. Markers with empty
  `org` and `repo` (legacy / non-ADO compiles) match leniently
  so already-deployed pipelines remain discoverable until they are
  recompiled. Helper `marker_origin_matches` extracted with four
  dedicated unit tests covering strict, case-insensitive, lenient,
  and half-populated cases.

Schema version stays at 1 — this PR has not shipped, so there are
no v1-without-org/repo markers in the wild that would need the
bump for forward-compat detection. New fields parse fine on either
side via `#[serde(default)]`.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jamesadevine

src/ado/discovery.rs

@@ -519,6 +519,27 @@ fn is_direct_match(def: &DefinitionSummary, markers: &[MarkerMetadata]) -> bool
     yaml_normalized == stem
 }
 
+/// Decide whether a marker's `(org, repo)` identifies the same
+/// repository as the discovery context. Empty marker fields (legacy
+/// markers produced before the org/repo embed landed, or markers from
+/// non-ADO compile environments) are treated as wildcards so existing
+/// deployments are not silently excluded. Once those lock files are
+/// recompiled, the match becomes strict.
+fn marker_origin_matches(
+    marker: &MarkerMetadata,
+    current_org_lc: &str,
+    current_repo_lc: &str,
+) -> bool {
+    if marker.org.is_empty() && marker.repo.is_empty() {
+        return true;
+    }
+    // Marker fields are already lower-cased at emit time. Be defensive
+    // anyway — round-tripping through serde_json doesn't change case
+    // but a hand-edited fixture or future producer might.
+    marker.org.eq_ignore_ascii_case(current_org_lc)
+        && marker.repo.eq_ignore_ascii_case(current_repo_lc)
+}
+
 async fn parse_local_lock(path: &Path) -> Option<MarkerMetadata> {
     let content = tokio::fs::read_to_string(path).await.ok()?;
     // Two surfaces, in order of preference:
@@ -535,6 +556,8 @@ async fn parse_local_lock(path: &Path) -> Option<MarkerMetadata> {
             return Some(MarkerMetadata {
                 schema: 0,
                 source: h.source,
+                org: String::new(),
+                repo: String::new(),
                 version: h.version,
                 target: String::new(),
             });
@@ -614,6 +637,17 @@ pub fn discovered_to_matched(d: &DiscoveredPipeline) -> Option<MatchedDefinition
 /// **case-sensitive** even on Windows; pass the path in the same case
 /// it was compiled with.
 ///
+/// Source-only matching is ambiguous when two repos in the same ADO
+/// project happen to define a file of the same name (e.g. both have
+/// `agents/foo.md`). To disambiguate, the marker carries the ADO
+/// `org` and `repo` of the compiling repository (lower-cased). When
+/// `source_filter` is active, the marker's `(org, repo)` must also
+/// equal `ctx`'s — i.e. the operator gets only consumers whose
+/// template originated in the **current repo**. Markers with empty
+/// `org` / `repo` (legacy or non-ADO compilers) match leniently so
+/// pre-existing deployments are not silently excluded; once everything
+/// is recompiled with this version, the match becomes strict.
+///
 /// Skip-summary warnings are emitted differently depending on whether
 /// `source_filter` is active:
 ///
@@ -648,6 +682,20 @@ pub async fn resolve_definitions_via_discovery(
     let normalized_filter: Option<String> = source_filter
         .map(|s| crate::compile::normalize_source_path(Path::new(s)));
 
+    // Origin scoping: when filtering by `--source`, also require the
+    // marker's (org, repo) to identify the current repository. This
+    // disambiguates the source field when two repos in the same
+    // project define files of the same name. Lower-cased to align with
+    // the marker's lower-casing at emit time (ADO identifiers are
+    // case-insensitive). Markers with empty fields (legacy / non-ADO
+    // compiles) match leniently so already-deployed pipelines remain
+    // discoverable until they are recompiled.
+    let current_org = ctx
+        .org_name()
+        .map(|s| s.to_ascii_lowercase())
+        .unwrap_or_default();
+    let current_repo = ctx.repo_name.to_ascii_lowercase();
+
     // Pass 1: classify each discovered definition into "keep / skip
     // silently / skip with reason". The previous shape stuffed all of
     // this into a side-effecting `.filter()` closure that mutated
@@ -662,7 +710,9 @@ pub async fn resolve_definitions_via_discovery(
 
     for d in discovered {
         let matches_filter = match normalized_filter.as_deref() {
-            Some(src) => d.markers.iter().any(|m| m.source == src),
+            Some(src) => d.markers.iter().any(|m| {
+                m.source == src && marker_origin_matches(m, &current_org, &current_repo)
+            }),
             None => true,
         };
 
@@ -844,6 +894,7 @@ mod tests {
             source: "agents/foo.md".to_string(),
             version: "0.30.0".to_string(),
             target: "standalone".to_string(),
+            ..Default::default()
         }];
         assert!(is_direct_match(&def, &markers));
     }
@@ -859,6 +910,7 @@ mod tests {
             source: "agents/foo.md".to_string(),
             version: "0.30.0".to_string(),
             target: "standalone".to_string(),
+            ..Default::default()
         }];
         assert!(is_direct_match(&def, &markers));
     }
@@ -877,6 +929,7 @@ mod tests {
             source: "agents/foo.md".to_string(),
             version: "0.30.0".to_string(),
             target: "standalone".to_string(),
+            ..Default::default()
         }];
         assert!(!is_direct_match(&def, &markers));
     }
@@ -889,6 +942,7 @@ mod tests {
             source: "agents/foo.md".to_string(),
             version: "0.30.0".to_string(),
             target: "stage".to_string(),
+            ..Default::default()
         }];
         assert!(!is_direct_match(&def, &markers));
     }
@@ -902,12 +956,14 @@ mod tests {
                 source: "agents/foo.md".to_string(),
                 version: "0.30.0".to_string(),
                 target: "stage".to_string(),
+                ..Default::default()
             },
             MarkerMetadata {
                 schema: 1,
                 source: "agents/bar.md".to_string(),
                 version: "0.30.0".to_string(),
                 target: "job".to_string(),
+                ..Default::default()
             },
         ];
         // Multiple markers = at least one template is being included
@@ -972,6 +1028,62 @@ mod tests {
         );
     }
 
+    // ── marker_origin_matches ────────────────────────────────────────
+
+    #[test]
+    fn origin_matches_strict_when_marker_has_org_and_repo() {
+        let marker = MarkerMetadata {
+            org: "myorg".to_string(),
+            repo: "templates-a".to_string(),
+            source: "agents/foo.md".to_string(),
+            ..Default::default()
+        };
+        assert!(marker_origin_matches(&marker, "myorg", "templates-a"));
+        assert!(!marker_origin_matches(&marker, "myorg", "templates-b"));
+        assert!(!marker_origin_matches(&marker, "otherorg", "templates-a"));
+    }
+
+    #[test]
+    fn origin_matches_case_insensitively() {
+        // ADO identifiers are case-insensitive. Marker fields are
+        // lower-cased at emit time, but a fixture or hand-edited
+        // marker might carry uppercase — accept either.
+        let marker = MarkerMetadata {
+            org: "MyOrg".to_string(),
+            repo: "Templates-A".to_string(),
+            source: "agents/foo.md".to_string(),
+            ..Default::default()
+        };
+        assert!(marker_origin_matches(&marker, "myorg", "templates-a"));
+    }
+
+    #[test]
+    fn origin_matches_leniently_when_marker_org_repo_empty() {
+        // Legacy markers (pre-org/repo embed) and markers compiled
+        // outside an ADO checkout carry empty org/repo. Match anything
+        // so existing deployments keep working until recompiled.
+        let marker = MarkerMetadata {
+            source: "agents/foo.md".to_string(),
+            ..Default::default()
+        };
+        assert!(marker_origin_matches(&marker, "myorg", "templates-a"));
+        assert!(marker_origin_matches(&marker, "", ""));
+    }
+
+    #[test]
+    fn origin_matches_strictly_when_only_one_field_empty() {
+        // If only one half of (org, repo) is set, we treat the marker
+        // as non-legacy and require both to match. Pre-empts a
+        // malformed fixture passing through the lenient path.
+        let half_marker = MarkerMetadata {
+            org: "myorg".to_string(),
+            repo: String::new(),
+            source: "agents/foo.md".to_string(),
+            ..Default::default()
+        };
+        assert!(!marker_origin_matches(&half_marker, "myorg", "templates-a"));
+    }
+
     // ── discovered_to_matched ────────────────────────────────────────
 
     fn discovered(status: DiscoveryStatus) -> DiscoveredPipeline {
@@ -1027,12 +1139,14 @@ mod tests {
                 source: "agents/a.md".to_string(),
                 version: "1.0".to_string(),
                 target: "job".to_string(),
+                ..Default::default()
             },
             MarkerMetadata {
                 schema: 1,
                 source: "agents/b.md".to_string(),
                 version: "1.0".to_string(),
                 target: "stage".to_string(),
+                ..Default::default()
             },
         ];
         let matched = discovered_to_matched(&d).expect("Consumer kept");
@@ -1063,6 +1177,7 @@ mod tests {
             source: "agents/##vso[task.setvariable variable=X]value.md".to_string(),
             version: "1.0".to_string(),
             target: "job".to_string(),
+            ..Default::default()
         }];
         let matched = discovered_to_matched(&d).expect("Consumer kept");
         assert!(

src/ado/mod.rs

@@ -79,6 +79,17 @@ pub struct AdoContext {
     pub repo_name: String,
 }
 
+impl AdoContext {
+    /// Extract just the org slug from `org_url` (e.g.
+    /// `https://dev.azure.com/MyOrg/` → `Some("MyOrg")`). Mirrors the
+    /// inline parse in `CompileContext::ado_org`; lives here so
+    /// non-compile callers (Preview-driven discovery) can reuse it.
+    pub fn org_name(&self) -> Option<&str> {
+        let org = self.org_url.trim_end_matches('/').rsplit('/').next()?;
+        if org.is_empty() { None } else { Some(org) }
+    }
+}
+
 /// Parse the ADO org, project, and repo from a git remote URL.
 ///
 /// Supports:

src/compile/extensions/ado_aw_marker.rs

@@ -56,9 +56,28 @@ impl CompilerExtension for AdoAwMarkerExtension {
         let version = env!("CARGO_PKG_VERSION");
         let target = ctx.front_matter.target.as_str();
 
+        // ADO origin of the source markdown — disambiguates the
+        // `source` field when two repos in the same project happen to
+        // have files of the same name (e.g. both define `agents/foo.md`).
+        // Lower-cased so case-insensitive ADO identifiers compare cleanly.
+        // Empty strings when no ADO context could be inferred — production
+        // runs always have one thanks to the non-GitHub-remote guard, but
+        // unit-test contexts via `CompileContext::for_test` will not.
+        let org = ctx
+            .ado_org()
+            .map(|s| s.to_ascii_lowercase())
+            .unwrap_or_default();
+        let repo = ctx
+            .ado_context
+            .as_ref()
+            .map(|c| c.repo_name.to_ascii_lowercase())
+            .unwrap_or_default();
+
         let metadata_json = serde_json::json!({
             "schema": 1,
             "source": source,
+            "org": org,
+            "repo": repo,
             "version": version,
             "target": target,
         })
@@ -69,7 +88,7 @@ impl CompilerExtension for AdoAwMarkerExtension {
         // the build log at runtime, which is a free human-discoverability
         // bonus and costs nothing because the step runs in milliseconds.
         //
-        // The echo's source value goes through two sanitisations:
+        // The echo's user-controlled values go through two sanitisations:
         //
         //  1. `crate::sanitize::neutralize_pipeline_commands` neutralises
         //     `##vso[` and `##[` prefixes by wrapping them in backticks.
@@ -84,16 +103,28 @@ impl CompilerExtension for AdoAwMarkerExtension {
         //     filename containing `'` (e.g. `agents/foo's.md`) doesn't
         //     produce syntactically broken bash. `version` and `target`
         //     are controlled inputs and can't contain either.
+        //
+        // `org` and `repo` are derived from ADO remote parsing, which
+        // already restricts them to a safe character set, but we apply
+        // the same defence-in-depth pattern for consistency.
         let echo_source = bash_single_quote_escape(
             &crate::sanitize::neutralize_pipeline_commands(&source),
         );
+        let echo_org = bash_single_quote_escape(
+            &crate::sanitize::neutralize_pipeline_commands(&org),
+        );
+        let echo_repo = bash_single_quote_escape(
+            &crate::sanitize::neutralize_pipeline_commands(&repo),
+        );
         let step = format!(
             "- bash: |\n    \
                 # ado-aw-metadata: {metadata}\n    \
-                echo 'ado-aw metadata: source={echo_source} version={version} target={target}'\n  \
+                echo 'ado-aw metadata: source={echo_source} org={echo_org} repo={echo_repo} version={version} target={target}'\n  \
             displayName: \"ado-aw\"\n",
             metadata = metadata_json,
             echo_source = echo_source,
+            echo_org = echo_org,
+            echo_repo = echo_repo,
             version = version,
             target = target,
         );
@@ -150,6 +181,49 @@ mod tests {
         assert!(step.contains("\"source\":\"agents/foo.md\""), "step missing source field:\n{step}");
         assert!(step.contains("\"target\":\"standalone\""), "step missing target field:\n{step}");
         assert!(step.contains("\"schema\":1"), "step missing schema field:\n{step}");
+        // No ado_context => org/repo emit as empty strings.
+        assert!(step.contains("\"org\":\"\""), "step missing org field:\n{step}");
+        assert!(step.contains("\"repo\":\"\""), "step missing repo field:\n{step}");
+    }
+
+    #[test]
+    fn org_and_repo_embed_from_ado_context_lowercased() {
+        // When the compiler runs inside an ADO checkout (the production
+        // path — the non-GitHub-remote guard enforces this), the JSON
+        // marker carries `org` and `repo` so discovery can disambiguate
+        // a same-named `source` across two repos in the same project.
+        let fm = parse_fm("name: t\ndescription: x\n");
+        let input_path = Path::new("agents/foo.md");
+        let ctx = CompileContext {
+            agent_name: &fm.name,
+            front_matter: &fm,
+            ado_context: Some(crate::ado::AdoContext {
+                org_url: "https://dev.azure.com/MyOrg".to_string(),
+                project: "MyProject".to_string(),
+                repo_name: "Templates-A".to_string(),
+            }),
+            engine: crate::engine::Engine::Copilot,
+            compile_dir: None,
+            input_path: Some(input_path),
+        };
+        let steps = AdoAwMarkerExtension.setup_steps(&ctx).unwrap();
+        assert_eq!(steps.len(), 1);
+        let step = &steps[0];
+        // ADO identifiers are case-insensitive; lowercase to make
+        // comparisons in discovery deterministic.
+        assert!(
+            step.contains("\"org\":\"myorg\""),
+            "expected lowercased org field:\n{step}"
+        );
+        assert!(
+            step.contains("\"repo\":\"templates-a\""),
+            "expected lowercased repo field:\n{step}"
+        );
+        // The echo line surfaces them too for build-log readability.
+        assert!(
+            step.contains("org=myorg repo=templates-a"),
+            "expected echo to include org/repo:\n{step}"
+        );
     }
 
     #[test]

src/detect.rs

@@ -140,7 +140,7 @@ pub const MARKER_STEP_PREFIX: &str = "# ado-aw-metadata:";
 /// The schema is forward-compatible: unknown JSON fields are ignored,
 /// and missing fields fall through to defaults (empty string / zero).
 /// Callers that need a specific field should check it explicitly.
-#[derive(Debug, Clone, Deserialize, PartialEq, Eq)]
+#[derive(Debug, Clone, Default, Deserialize, PartialEq, Eq)]
 pub struct MarkerMetadata {
     /// Schema version; `1` for the initial release.
     #[serde(default)]
@@ -149,6 +149,22 @@ pub struct MarkerMetadata {
     /// `agents/release-readiness.md`).
     #[serde(default)]
     pub source: String,
+    /// ADO organisation name the source markdown was compiled in
+    /// (e.g. `myorg`). Lowercased at emit time. Combined with
+    /// [`MarkerMetadata::repo`] this disambiguates the marker's
+    /// `source` field when two repos in the same ADO project happen
+    /// to have files of the same name (e.g. both define
+    /// `agents/foo.md`). Empty string when the compiler ran outside
+    /// an ADO checkout (rare in production thanks to the
+    /// non-GitHub-remote guard).
+    #[serde(default)]
+    pub org: String,
+    /// ADO repository name the source markdown was compiled in
+    /// (e.g. `templates-a`). Lowercased at emit time. See
+    /// [`MarkerMetadata::org`] for rationale. Empty string when the
+    /// compiler ran outside an ADO checkout.
+    #[serde(default)]
+    pub repo: String,
     /// Compiler version that produced this YAML (`CARGO_PKG_VERSION`).
     #[serde(default)]
     pub version: String,