feat(compile): add target: job and target: stage for ADO template output

Add two new compile targets that produce reusable ADO YAML templates
for embedding agentic stages into existing pipelines:

- target: job — generates a job-level template (jobs: at root) that can
  be included in a flat pipeline or inside a user-defined stage
- target: stage — generates a stage-level template (stages: wrapping
  jobs) for direct inclusion in multi-stage pipelines

Key design decisions:
- Pool is baked in from front matter (not a template parameter)
- dependsOn and condition are set natively at the ADO call site
- Job names are prefixed with PascalCase agent name for uniqueness
  (e.g., DailyReview_Agent, DailyReview_Detection, DailyReview_Execution)
- Triggers (on:) are ignored with a warning in template targets
- Template parameters only include clearMemory and user-defined params

New files:
- src/compile/job.rs — JobCompiler implementing the Compiler trait
- src/compile/stage.rs — StageCompiler implementing the Compiler trait
- src/data/job-base.yml — job-level template derived from base.yml
- src/data/stage-base.yml — stage-level template wrapping jobs in stage

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jamesadevine

AGENTS.md

@@ -52,6 +52,8 @@ Every compiled pipeline runs as three sequential jobs:
 │   │   ├── common.rs     # Shared helpers across targets
 │   │   ├── standalone.rs # Standalone pipeline compiler
 │   │   ├── onees.rs      # 1ES Pipeline Template compiler
+│   │   ├── job.rs        # Job-level ADO template compiler (target: job)
+│   │   ├── stage.rs      # Stage-level ADO template compiler (target: stage)
 │   │   ├── gitattributes.rs # .gitattributes management for compiled pipelines
 │   │   ├── filter_ir.rs  # Filter expression IR: Fact/Predicate types, lowering, validation, codegen
 │   │   ├── pr_filters.rs # PR trigger filter generation (native ADO + gate steps)
@@ -122,6 +124,8 @@ Every compiled pipeline runs as three sequential jobs:
 │   ├── data/
 │   │   ├── base.yml          # Base pipeline template for standalone
 │   │   ├── 1es-base.yml      # Base pipeline template for 1ES target
+│   │   ├── job-base.yml      # Job-level ADO template for target: job
+│   │   ├── stage-base.yml    # Stage-level ADO template for target: stage
 │   │   ├── ecosystem_domains.json # Network allowlists per ecosystem
 │   │   ├── init-agent.md     # Dispatcher agent template for `init` command
 │   │   └── threat-analysis.md # Threat detection analysis prompt template

docs/cli.md

@@ -15,6 +15,7 @@ Global flags (apply to all subcommands): `--verbose, -v` (enable info-level logg
   - `--output, -o <path>` - Optional output path for the generated YAML (only valid when a path is provided). If the path is an existing directory, the compiled YAML is written inside that directory using the default filename derived from the markdown source (e.g. `foo.md` → `<dir>/foo.lock.yml`).
   - `--skip-integrity` - *(debug builds only)* Omit the "Verify pipeline integrity" step from the generated pipeline. Useful during local development when the compiled output won't match a released compiler version. This flag is not available in release builds.
   - `--debug-pipeline` - *(debug builds only)* Include MCPG debug diagnostics in the generated pipeline: `DEBUG=*` environment variable for verbose MCPG logging, stderr streaming to log files, and a "Verify MCP backends" step that probes each backend with MCP initialize + tools/list before the agent runs. This flag is not available in release builds.
+  - For `target: job` and `target: stage`, the output is an ADO YAML template (not a complete pipeline). Job names are prefixed with the agent name for uniqueness. Triggers configured via `on:` are ignored with a warning.
 - `check <pipeline>` - Verify that a compiled pipeline matches its source markdown
   - `<pipeline>` - Path to the pipeline YAML file to verify
   - The source markdown path is auto-detected from the `@ado-aw` header in the pipeline file

docs/front-matter.md

@@ -10,7 +10,7 @@ The compiler expects markdown files with YAML front matter similar to gh-aw:
 ---
 name: "name for this agent"
 description: "One line description for this agent"
-target: standalone # Optional: "standalone" (default) or "1es". See docs/targets.md.
+target: standalone # Optional: "standalone" (default), "1es", "job", or "stage". See docs/targets.md.
 engine: copilot # Engine identifier. Defaults to copilot. Currently only 'copilot' (GitHub Copilot CLI) is supported.
 # engine:                        # Alternative object format (with additional options)
 #   id: copilot

docs/targets.md

@@ -31,3 +31,79 @@ target: 1es
 ```
 
 When using `target: 1es`, the pipeline will extend `1es/1ES.Unofficial.PipelineTemplate.yml@1ESPipelinesTemplates`.
+
+### `job`
+
+Generates a **job-level ADO YAML template** with `jobs:` at root. This is a
+reusable template that can be included in an existing pipeline — it does not
+generate a complete pipeline.
+
+The output contains the same 3-job chain (Agent → Detection → Execution) as
+`standalone`, with:
+- Job names prefixed with the agent name for uniqueness (e.g., `DailyReview_Agent`)
+- No triggers, pipeline name, or resource declarations (the parent pipeline owns those)
+- Pool baked in from the front matter `pool:` field
+
+Example front matter:
+```yaml
+target: job
+```
+
+#### Usage in a flat pipeline
+
+```yaml
+jobs:
+  - job: Build
+    steps: ...
+  - template: agents/review.lock.yml
+```
+
+#### Usage inside a user-defined stage
+
+```yaml
+stages:
+  - stage: Build
+    jobs: ...
+  - stage: AgenticReview
+    dependsOn: Build
+    jobs:
+      - template: agents/review.lock.yml
+```
+
+#### Notes
+
+- Triggers (`on:`) are ignored with a warning (the parent pipeline controls triggers)
+- If the agent declares additional repositories via `repos:`, add them to the
+  parent pipeline's `resources:` block (documented in the generated file header)
+
+### `stage`
+
+Generates a **stage-level ADO YAML template** with `stages:` at root. This
+wraps the 3-job chain inside a stage block for direct inclusion in multi-stage
+pipelines.
+
+Example front matter:
+```yaml
+target: stage
+```
+
+#### Usage
+
+```yaml
+stages:
+  - stage: Build
+    jobs: ...
+  - template: agents/review.lock.yml
+    dependsOn: Build
+    condition: succeeded()
+```
+
+ADO natively supports `dependsOn` and `condition` at the template call site —
+no template parameters are needed for stage ordering.
+
+#### Notes
+
+- Same 3-job chain, job-name prefixing, and pool handling as `target: job`
+- Triggers (`on:`) are ignored with a warning
+- If the agent declares additional repositories via `repos:`, add them to the
+  parent pipeline's `resources:` block

src/compile/common.rs

@@ -999,6 +999,59 @@ pub fn sanitize_filename(name: &str) -> String {
 /// Default pool name
 pub const DEFAULT_POOL: &str = "AZS-1ES-L-MMS-ubuntu-22.04";
 
+/// Derive a valid ADO identifier from the agent name for use as a job-name
+/// prefix and stage name. Converts to PascalCase, stripping non-alphanumeric
+/// characters.
+///
+/// Examples:
+/// - `"Daily Code Review"` → `"DailyCodeReview"`
+/// - `"my-agent-123"` → `"MyAgent123"`
+/// - `""` → `"Agent"` (fallback)
+/// - `"123start"` → `"_123start"` (prefix underscore for leading digit)
+pub fn generate_stage_prefix(name: &str) -> String {
+    let pascal: String = name
+        .split(|c: char| !c.is_alphanumeric())
+        .filter(|s| !s.is_empty())
+        .map(|word| {
+            let mut chars = word.chars();
+            match chars.next() {
+                None => String::new(),
+                Some(first) => {
+                    let upper = first.to_uppercase().to_string();
+                    upper + chars.as_str()
+                }
+            }
+        })
+        .collect();
+
+    if pascal.is_empty() {
+        "Agent".to_string()
+    } else if pascal.starts_with(|c: char| c.is_ascii_digit()) {
+        format!("_{}", pascal)
+    } else {
+        pascal
+    }
+}
+
+/// Generate the template-level `parameters:` YAML block for job/stage
+/// template targets.
+///
+/// Includes clearMemory (if cache-memory enabled) and user-defined
+/// parameters from front matter. Returns empty string if no parameters
+/// are needed.
+pub fn generate_template_parameters(front_matter: &FrontMatter) -> Result<String> {
+    let has_memory = front_matter
+        .tools
+        .as_ref()
+        .and_then(|t| t.cache_memory.as_ref())
+        .is_some_and(|cm| cm.is_enabled());
+    let params = build_parameters(&front_matter.parameters, has_memory);
+    if params.is_empty() {
+        return Ok(String::new());
+    }
+    generate_parameters(&params)
+}
+
 /// Version of the AWF (Agentic Workflow Firewall) binary to download from GitHub Releases.
 /// Update this when upgrading to a new AWF release.
 /// See: https://github.com/github/gh-aw-firewall/releases
@@ -2423,6 +2476,10 @@ pub struct CompileConfig {
     /// to append `GITHUB_PATH: $(GITHUB_PATH)` to the engine env block without
     /// re-collecting path prepends from extensions.
     pub has_awf_paths: bool,
+    /// When true, `compile_shared` omits the standard `# @ado-aw` header.
+    /// Template-producing compilers (Job, Stage) set this to prepend their
+    /// own custom header with usage instructions.
+    pub skip_header: bool,
 }
 
 /// Shared compilation flow used by both standalone and 1ES compilers.
@@ -2704,9 +2761,13 @@ pub async fn compile_shared(
             replace_with_indent(&yaml, placeholder, replacement)
         });
 
-    // 15. Prepend header
-    let header = generate_header_comment(input_path);
-    Ok(format!("{}{}", header, pipeline_yaml))
+    // 15. Prepend header (unless the caller will prepend its own)
+    if config.skip_header {
+        Ok(pipeline_yaml)
+    } else {
+        let header = generate_header_comment(input_path);
+        Ok(format!("{}{}", header, pipeline_yaml))
+    }
 }
 
 #[cfg(test)]

src/compile/job.rs

@@ -0,0 +1,189 @@
+//! Job-level ADO template compiler.
+//!
+//! This compiler generates a reusable ADO YAML template with `jobs:` at root.
+//! Users include it in their existing pipelines via `- template: <path>`.
+//!
+//! Two inclusion patterns:
+//! - Directly in a flat pipeline's `jobs:` list
+//! - Inside a user-defined stage's `jobs:` list
+
+use anyhow::{Context, Result};
+use async_trait::async_trait;
+use log::{info, warn};
+use std::path::Path;
+
+use super::Compiler;
+use super::common::{
+    AWF_VERSION, MCPG_VERSION, MCPG_IMAGE, MCPG_PORT, MCPG_DOMAIN,
+    CompileConfig, compile_shared,
+    generate_allowed_domains,
+    generate_awf_mounts,
+    generate_awf_path_step,
+    collect_awf_path_prepends,
+    generate_enabled_tools_args,
+    generate_mcpg_config, generate_mcpg_docker_env, generate_mcpg_step_env,
+    generate_stage_prefix, generate_template_parameters,
+    generate_header_comment,
+};
+use super::types::FrontMatter;
+
+/// Job-level template compiler.
+pub struct JobCompiler;
+
+#[async_trait]
+impl Compiler for JobCompiler {
+    fn target_name(&self) -> &'static str {
+        "job"
+    }
+
+    async fn compile(
+        &self,
+        input_path: &Path,
+        output_path: &Path,
+        front_matter: &FrontMatter,
+        markdown_body: &str,
+        skip_integrity: bool,
+        debug_pipeline: bool,
+    ) -> Result<String> {
+        info!("Compiling for job template target");
+
+        if front_matter.on_config.is_some() {
+            warn!("on: trigger configuration is ignored for target: job (triggers are the parent pipeline's concern)");
+        }
+
+        // Collect extensions (needed before compile_shared for MCPG config)
+        let extensions = super::extensions::collect_extensions(front_matter);
+
+        // Build compile context for MCPG config generation
+        let input_dir = input_path.parent().unwrap_or(std::path::Path::new("."));
+        let ctx = super::extensions::CompileContext::new(front_matter, input_dir).await?;
+
+        // Generate stage prefix for job-name uniqueness
+        let stage_prefix = generate_stage_prefix(&front_matter.name);
+
+        // Generate template-level parameters
+        let template_params = generate_template_parameters(front_matter)?;
+
+        // Same AWF/MCPG values as standalone
+        let allowed_domains = generate_allowed_domains(front_matter, &extensions)?;
+        let awf_mounts = generate_awf_mounts(&extensions);
+        let awf_paths = collect_awf_path_prepends(&extensions);
+        let awf_path_step = generate_awf_path_step(&awf_paths);
+        let enabled_tools_args = generate_enabled_tools_args(front_matter);
+
+        let config_obj = generate_mcpg_config(front_matter, &ctx, &extensions)?;
+        let mcpg_config_json =
+            serde_json::to_string_pretty(&config_obj).context("Failed to serialize MCPG config")?;
+        let mcpg_docker_env = generate_mcpg_docker_env(front_matter, &extensions);
+        let mcpg_step_env = generate_mcpg_step_env(&extensions);
+
+        let config = CompileConfig {
+            template: include_str!("../data/job-base.yml").to_string(),
+            extra_replacements: vec![
+                ("{{ stage_prefix }}".into(), stage_prefix),
+                ("{{ template_parameters }}".into(), template_params),
+                ("{{ firewall_version }}".into(), AWF_VERSION.into()),
+                ("{{ mcpg_version }}".into(), MCPG_VERSION.into()),
+                ("{{ mcpg_image }}".into(), MCPG_IMAGE.into()),
+                ("{{ mcpg_port }}".into(), MCPG_PORT.to_string()),
+                ("{{ mcpg_domain }}".into(), MCPG_DOMAIN.into()),
+                ("{{ allowed_domains }}".into(), allowed_domains),
+                ("{{ awf_mounts }}".into(), awf_mounts),
+                ("{{ awf_path_step }}".into(), awf_path_step),
+                ("{{ enabled_tools_args }}".into(), enabled_tools_args),
+                ("{{ mcpg_config }}".into(), mcpg_config_json),
+                ("{{ mcpg_docker_env }}".into(), mcpg_docker_env),
+                ("{{ mcpg_step_env }}".into(), mcpg_step_env),
+            ],
+            skip_integrity,
+            debug_pipeline,
+            has_awf_paths: !awf_paths.is_empty(),
+            skip_header: true,
+        };
+
+        let yaml = compile_shared(
+            input_path, output_path, front_matter, markdown_body,
+            &extensions, &ctx, config,
+        ).await?;
+
+        // Prepend custom header with job-template usage instructions
+        let header = generate_job_header(input_path, front_matter);
+        Ok(format!("{}{}", header, yaml))
+    }
+}
+
+/// Generate the header comment block for job-level templates.
+fn generate_job_header(input_path: &Path, front_matter: &FrontMatter) -> String {
+    let base_header = generate_header_comment(input_path);
+    let source_path = input_path
+        .to_string_lossy()
+        .replace('\\', "/");
+
+    let mut header = base_header;
+    header.push_str("#\n");
+    header.push_str("# Job-level ADO template. Include in your pipeline:\n");
+    header.push_str("#\n");
+    header.push_str(&format!("#   jobs:\n"));
+    header.push_str(&format!("#     - template: {}\n", source_path.replace(".md", ".lock.yml")));
+    header.push_str("#\n");
+    header.push_str("# Or inside a stage in a multi-stage pipeline:\n");
+    header.push_str("#\n");
+    header.push_str("#   stages:\n");
+    header.push_str("#     - stage: AgenticReview\n");
+    header.push_str("#       dependsOn: Build\n");
+    header.push_str("#       jobs:\n");
+    header.push_str(&format!("#         - template: {}\n", source_path.replace(".md", ".lock.yml")));
+
+    // Document required resources if agent uses repos
+    if !front_matter.repos.is_empty() || !front_matter.repositories.is_empty() {
+        header.push_str("#\n");
+        header.push_str("# Add these repositories to your pipeline's resources: block:\n");
+        header.push_str("#\n");
+        header.push_str("#   resources:\n");
+        header.push_str("#     repositories:\n");
+        for repo in &front_matter.repositories {
+            header.push_str(&format!("#       - repository: {}\n", repo.repository));
+            header.push_str(&format!("#         type: {}\n", repo.repo_type));
+            header.push_str(&format!("#         name: {}\n", repo.name));
+        }
+    }
+
+    header.push('\n');
+    header
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::compile::common::generate_stage_prefix;
+
+    #[test]
+    fn test_generate_stage_prefix_basic() {
+        assert_eq!(generate_stage_prefix("Daily Code Review"), "DailyCodeReview");
+    }
+
+    #[test]
+    fn test_generate_stage_prefix_hyphens() {
+        assert_eq!(generate_stage_prefix("my-agent-123"), "MyAgent123");
+    }
+
+    #[test]
+    fn test_generate_stage_prefix_empty() {
+        assert_eq!(generate_stage_prefix(""), "Agent");
+    }
+
+    #[test]
+    fn test_generate_stage_prefix_leading_digit() {
+        assert_eq!(generate_stage_prefix("123start"), "_123start");
+    }
+
+    #[test]
+    fn test_generate_stage_prefix_single_word() {
+        assert_eq!(generate_stage_prefix("review"), "Review");
+    }
+
+    #[test]
+    fn test_generate_stage_prefix_underscores() {
+        assert_eq!(generate_stage_prefix("code_review_agent"), "CodeReviewAgent");
+    }
+}