From 23634fb238874794d91374ec45dd8c874f98f90a Mon Sep 17 00:00:00 2001
From: Shayne Boyer <spboyer@live.com>
Date: Mon, 23 Mar 2026 10:54:16 -0400
Subject: [PATCH 01/12] Detect active deployments before provisioning (#7248)

Before starting a Bicep deployment, check the target scope for
in-progress ARM deployments and wait for them to complete. This avoids
the DeploymentActive error that ARM returns after ~5 minutes when a
concurrent deployment is already running on the same resource group.

Changes:
- Add IsActiveDeploymentState() helper in azapi to classify provisioning
  states as active or terminal.
- Add ListActiveDeployments() to the infra.Scope interface and both
  ResourceGroupScope / SubscriptionScope implementations.
- Add waitForActiveDeployments() in the Bicep provider, called after
  preflight validation and before deployment submission. It polls until
  active deployments clear or a 30-minute timeout is reached.
- Add a DeploymentActive error suggestion rule to error_suggestions.yaml.
- Add unit tests for state classification, polling, timeout, error
  handling, and context cancellation.

Fixes #7248

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 cli/azd/pkg/azapi/deployment_state_test.go    |  49 +++++
 cli/azd/pkg/azapi/deployments.go              |  22 ++
 .../bicep/active_deployment_check_test.go     | 193 ++++++++++++++++++
 .../provisioning/bicep/bicep_provider.go      |  92 +++++++++
 .../provisioning/bicep/bicep_provider_test.go |   4 +
 cli/azd/pkg/infra/scope.go                    |  42 ++++
 cli/azd/resources/error_suggestions.yaml      |  16 ++
 7 files changed, 418 insertions(+)
 create mode 100644 cli/azd/pkg/azapi/deployment_state_test.go
 create mode 100644 cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go

diff --git a/cli/azd/pkg/azapi/deployment_state_test.go b/cli/azd/pkg/azapi/deployment_state_test.go
new file mode 100644
index 00000000000..ae100b98924
--- /dev/null
+++ b/cli/azd/pkg/azapi/deployment_state_test.go
@@ -0,0 +1,49 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package azapi
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsActiveDeploymentState(t *testing.T) {
+	active := []DeploymentProvisioningState{
+		DeploymentProvisioningStateAccepted,
+		DeploymentProvisioningStateCanceling,
+		DeploymentProvisioningStateCreating,
+		DeploymentProvisioningStateDeleting,
+		DeploymentProvisioningStateDeletingResources,
+		DeploymentProvisioningStateDeploying,
+		DeploymentProvisioningStateRunning,
+		DeploymentProvisioningStateUpdating,
+		DeploymentProvisioningStateUpdatingDenyAssignments,
+		DeploymentProvisioningStateValidating,
+		DeploymentProvisioningStateWaiting,
+	}
+
+	for _, state := range active {
+		t.Run(string(state), func(t *testing.T) {
+			require.True(t, IsActiveDeploymentState(state),
+				"expected %s to be active", state)
+		})
+	}
+
+	inactive := []DeploymentProvisioningState{
+		DeploymentProvisioningStateSucceeded,
+		DeploymentProvisioningStateFailed,
+		DeploymentProvisioningStateCanceled,
+		DeploymentProvisioningStateDeleted,
+		DeploymentProvisioningStateNotSpecified,
+		DeploymentProvisioningStateReady,
+	}
+
+	for _, state := range inactive {
+		t.Run(string(state), func(t *testing.T) {
+			require.False(t, IsActiveDeploymentState(state),
+				"expected %s to be inactive", state)
+		})
+	}
+}
diff --git a/cli/azd/pkg/azapi/deployments.go b/cli/azd/pkg/azapi/deployments.go
index 1e079370a4c..886d1e7c47c 100644
--- a/cli/azd/pkg/azapi/deployments.go
+++ b/cli/azd/pkg/azapi/deployments.go
@@ -107,6 +107,28 @@ const (
 	DeploymentProvisioningStateUpdating                DeploymentProvisioningState = "Updating"
 )
 
+// IsActiveDeploymentState reports whether the given provisioning state
+// indicates a deployment that is still in progress, including transitional
+// states like canceling or deleting that can still block new deployments.
+func IsActiveDeploymentState(state DeploymentProvisioningState) bool {
+	switch state {
+	case DeploymentProvisioningStateAccepted,
+		DeploymentProvisioningStateCanceling,
+		DeploymentProvisioningStateCreating,
+		DeploymentProvisioningStateDeleting,
+		DeploymentProvisioningStateDeletingResources,
+		DeploymentProvisioningStateDeploying,
+		DeploymentProvisioningStateRunning,
+		DeploymentProvisioningStateUpdating,
+		DeploymentProvisioningStateUpdatingDenyAssignments,
+		DeploymentProvisioningStateValidating,
+		DeploymentProvisioningStateWaiting:
+		return true
+	default:
+		return false
+	}
+}
+
 type DeploymentService interface {
 	GenerateDeploymentName(baseName string) string
 	CalculateTemplateHash(
diff --git a/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go b/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go
new file mode 100644
index 00000000000..4d608b2a688
--- /dev/null
+++ b/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go
@@ -0,0 +1,193 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package bicep
+
+import (
+	"context"
+	"fmt"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/azure/azure-dev/cli/azd/pkg/azapi"
+	"github.com/azure/azure-dev/cli/azd/pkg/infra"
+	"github.com/azure/azure-dev/cli/azd/test/mocks/mockinput"
+	"github.com/stretchr/testify/require"
+)
+
+// activeDeploymentScope is a test helper that implements infra.Scope and lets
+// the caller control what ListActiveDeployments returns on each call.
+type activeDeploymentScope struct {
+	// calls tracks how many times ListActiveDeployments has been invoked.
+	calls atomic.Int32
+	// activePerCall maps a 0-based call index to the list of active deployments
+	// returned for that call.  If the index is missing, nil is returned.
+	activePerCall map[int][]*azapi.ResourceDeployment
+	// errOnCall, if non-nil, maps a call index to an error to return.
+	errOnCall map[int]error
+}
+
+func (s *activeDeploymentScope) SubscriptionId() string { return "test-sub" }
+
+func (s *activeDeploymentScope) Deployment(_ string) infra.Deployment { return nil }
+
+func (s *activeDeploymentScope) ListDeployments(
+	_ context.Context,
+) ([]*azapi.ResourceDeployment, error) {
+	return nil, nil
+}
+
+func (s *activeDeploymentScope) ListActiveDeployments(
+	ctx context.Context,
+) ([]*azapi.ResourceDeployment, error) {
+	idx := int(s.calls.Add(1)) - 1
+	if s.errOnCall != nil {
+		if e, ok := s.errOnCall[idx]; ok {
+			return nil, e
+		}
+	}
+	if s.activePerCall != nil {
+		return s.activePerCall[idx], nil
+	}
+	return nil, nil
+}
+
+// newTestProvider returns a BicepProvider with fast poll settings for tests.
+func newTestProvider() *BicepProvider {
+	return &BicepProvider{
+		console:                  mockinput.NewMockConsole(),
+		activeDeployPollInterval: 10 * time.Millisecond,
+		activeDeployTimeout:      2 * time.Second,
+	}
+}
+
+func TestWaitForActiveDeployments_NoActive(t *testing.T) {
+	scope := &activeDeploymentScope{}
+	p := newTestProvider()
+
+	err := p.waitForActiveDeployments(t.Context(), scope)
+	require.NoError(t, err)
+	require.Equal(t, int32(1), scope.calls.Load(),
+		"should call ListActiveDeployments once")
+}
+
+func TestWaitForActiveDeployments_InitialListError_NotFound(t *testing.T) {
+	scope := &activeDeploymentScope{
+		errOnCall: map[int]error{
+			0: fmt.Errorf("listing: %w", infra.ErrDeploymentsNotFound),
+		},
+	}
+	p := newTestProvider()
+
+	// ErrDeploymentsNotFound (resource group doesn't exist yet) is safe to ignore.
+	err := p.waitForActiveDeployments(t.Context(), scope)
+	require.NoError(t, err)
+}
+
+func TestWaitForActiveDeployments_InitialListError_Other(t *testing.T) {
+	scope := &activeDeploymentScope{
+		errOnCall: map[int]error{
+			0: fmt.Errorf("auth failure: access denied"),
+		},
+	}
+	p := newTestProvider()
+
+	// Non-NotFound errors should propagate so the user knows the check failed.
+	err := p.waitForActiveDeployments(t.Context(), scope)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "checking for active deployments")
+}
+
+func TestWaitForActiveDeployments_ActiveThenClear(t *testing.T) {
+	running := []*azapi.ResourceDeployment{
+		{
+			Name:              "deploy-1",
+			ProvisioningState: azapi.DeploymentProvisioningStateRunning,
+		},
+	}
+	scope := &activeDeploymentScope{
+		activePerCall: map[int][]*azapi.ResourceDeployment{
+			0: running, // first call: active
+			// second call (index 1): missing key → returns nil (no active)
+		},
+	}
+	p := newTestProvider()
+
+	err := p.waitForActiveDeployments(t.Context(), scope)
+	require.NoError(t, err)
+	require.Equal(t, int32(2), scope.calls.Load(),
+		"should poll once, then see clear")
+}
+
+func TestWaitForActiveDeployments_CancelledContext(t *testing.T) {
+	ctx, cancel := context.WithCancel(t.Context())
+
+	running := []*azapi.ResourceDeployment{
+		{
+			Name:              "deploy-forever",
+			ProvisioningState: azapi.DeploymentProvisioningStateRunning,
+		},
+	}
+	scope := &activeDeploymentScope{
+		// Always return active deployments.
+		activePerCall: map[int][]*azapi.ResourceDeployment{
+			0: running,
+		},
+	}
+	p := newTestProvider()
+
+	// Cancel immediately so the wait loop exits on the first select.
+	cancel()
+
+	err := p.waitForActiveDeployments(ctx, scope)
+	require.ErrorIs(t, err, context.Canceled)
+}
+
+func TestWaitForActiveDeployments_PollError(t *testing.T) {
+	running := []*azapi.ResourceDeployment{
+		{
+			Name:              "deploy-1",
+			ProvisioningState: azapi.DeploymentProvisioningStateRunning,
+		},
+	}
+	scope := &activeDeploymentScope{
+		activePerCall: map[int][]*azapi.ResourceDeployment{
+			0: running,
+		},
+		errOnCall: map[int]error{
+			1: fmt.Errorf("transient ARM failure"),
+		},
+	}
+	p := newTestProvider()
+
+	err := p.waitForActiveDeployments(t.Context(), scope)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "transient ARM failure")
+}
+
+func TestWaitForActiveDeployments_Timeout(t *testing.T) {
+	running := []*azapi.ResourceDeployment{
+		{
+			Name:              "stuck-deploy",
+			ProvisioningState: azapi.DeploymentProvisioningStateRunning,
+		},
+	}
+	// Return active on every call.
+	perCall := make(map[int][]*azapi.ResourceDeployment)
+	for i := range 200 {
+		perCall[i] = running
+	}
+
+	scope := &activeDeploymentScope{activePerCall: perCall}
+	p := &BicepProvider{
+		console:                  mockinput.NewMockConsole(),
+		activeDeployPollInterval: 5 * time.Millisecond,
+		activeDeployTimeout:      50 * time.Millisecond,
+	}
+
+	err := p.waitForActiveDeployments(t.Context(), scope)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "timed out")
+	require.Contains(t, err.Error(), "stuck-deploy")
+}
diff --git a/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go b/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go
index 8f00c63a7ca..5bd0e7fdc87 100644
--- a/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go
+++ b/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go
@@ -91,6 +91,12 @@ type BicepProvider struct {
 	// Internal state
 	// compileBicepResult is cached to avoid recompiling the same bicep file multiple times in the same azd run.
 	compileBicepMemoryCache *compileBicepResult
+
+	// activeDeployPollInterval and activeDeployTimeout override the defaults
+	// for the active-deployment wait loop. Zero means use the default. These
+	// are only set in tests.
+	activeDeployPollInterval time.Duration
+	activeDeployTimeout      time.Duration
 }
 
 // Name gets the name of the infra provider
@@ -607,6 +613,87 @@ func logDS(msg string, v ...any) {
 	log.Printf("%s : %s", "deployment-state: ", fmt.Sprintf(msg, v...))
 }
 
+const (
+	// defaultActiveDeploymentPollInterval is how often we re-check for active deployments.
+	defaultActiveDeploymentPollInterval = 30 * time.Second
+	// defaultActiveDeploymentTimeout caps the total wait time for active deployments.
+	defaultActiveDeploymentTimeout = 30 * time.Minute
+)
+
+// waitForActiveDeployments checks for deployments that are already in progress
+// at the target scope. If any are found it logs a warning and polls until they
+// finish or the timeout is reached.
+func (p *BicepProvider) waitForActiveDeployments(
+	ctx context.Context,
+	scope infra.Scope,
+) error {
+	active, err := scope.ListActiveDeployments(ctx)
+	if err != nil {
+		// If the resource group doesn't exist yet, there are no active
+		// deployments — proceed normally.
+		if errors.Is(err, infra.ErrDeploymentsNotFound) {
+			return nil
+		}
+		// For other errors (auth, throttling, transient), surface them
+		// so the user knows the pre-check couldn't run.
+		log.Printf(
+			"active-deployment-check: unable to list deployments: %v", err)
+		return fmt.Errorf("checking for active deployments: %w", err)
+	}
+
+	if len(active) == 0 {
+		return nil
+	}
+
+	names := make([]string, len(active))
+	for i, d := range active {
+		names[i] = d.Name
+	}
+	p.console.MessageUxItem(ctx, &ux.WarningMessage{
+		Description: fmt.Sprintf(
+			"Waiting for %d active deployment(s) to complete: %s",
+			len(active), strings.Join(names, ", ")),
+	})
+
+	p.console.ShowSpinner(ctx,
+		"Waiting for active deployment(s) to complete", input.Step)
+	defer p.console.StopSpinner(ctx, "", input.StepDone)
+
+	pollInterval := p.activeDeployPollInterval
+	if pollInterval == 0 {
+		pollInterval = defaultActiveDeploymentPollInterval
+	}
+	timeout := p.activeDeployTimeout
+	if timeout == 0 {
+		timeout = defaultActiveDeploymentTimeout
+	}
+
+	deadline := time.After(timeout)
+	ticker := time.NewTicker(pollInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-deadline:
+			return fmt.Errorf(
+				"timed out after %s waiting for active "+
+					"deployment(s) to complete: %s",
+				timeout, strings.Join(names, ", "))
+		case <-ticker.C:
+			active, err = scope.ListActiveDeployments(ctx)
+			if err != nil {
+				return fmt.Errorf(
+					"checking active deployments: %w", err)
+			}
+			if len(active) == 0 {
+				return nil
+			}
+		}
+	}
+}
+
 // Provisioning the infrastructure within the specified template
 func (p *BicepProvider) Deploy(ctx context.Context) (*provisioning.DeployResult, error) {
 	if p.ignoreDeploymentState {
@@ -718,6 +805,11 @@ func (p *BicepProvider) Deploy(ctx context.Context) (*provisioning.DeployResult,
 		p.console.StopSpinner(ctx, "", input.StepDone)
 	}
 
+	// Check for active deployments at the target scope and wait if any are in progress
+	if err := p.waitForActiveDeployments(ctx, deployment); err != nil {
+		return nil, err
+	}
+
 	progressCtx, cancelProgress := context.WithCancel(ctx)
 	var wg sync.WaitGroup
 	wg.Add(1)
diff --git a/cli/azd/pkg/infra/provisioning/bicep/bicep_provider_test.go b/cli/azd/pkg/infra/provisioning/bicep/bicep_provider_test.go
index 1bb52ef0a11..007ac6c6649 100644
--- a/cli/azd/pkg/infra/provisioning/bicep/bicep_provider_test.go
+++ b/cli/azd/pkg/infra/provisioning/bicep/bicep_provider_test.go
@@ -1085,6 +1085,10 @@ func (m *mockedScope) ListDeployments(ctx context.Context) ([]*azapi.ResourceDep
 	}, nil
 }
 
+func (m *mockedScope) ListActiveDeployments(ctx context.Context) ([]*azapi.ResourceDeployment, error) {
+	return nil, nil
+}
+
 func TestUserDefinedTypes(t *testing.T) {
 	mockContext := mocks.NewMockContext(context.Background())
 	mockContext.CommandRunner.When(func(args exec.RunArgs, command string) bool {
diff --git a/cli/azd/pkg/infra/scope.go b/cli/azd/pkg/infra/scope.go
index 303766d2d95..f7b63d6b74e 100644
--- a/cli/azd/pkg/infra/scope.go
+++ b/cli/azd/pkg/infra/scope.go
@@ -21,6 +21,8 @@ type Scope interface {
 	SubscriptionId() string
 	// ListDeployments returns all the deployments at this scope.
 	ListDeployments(ctx context.Context) ([]*azapi.ResourceDeployment, error)
+	// ListActiveDeployments returns only the deployments that are currently in progress.
+	ListActiveDeployments(ctx context.Context) ([]*azapi.ResourceDeployment, error)
 	Deployment(deploymentName string) Deployment
 }
 
@@ -228,6 +230,26 @@ func (s *ResourceGroupScope) ListDeployments(ctx context.Context) ([]*azapi.Reso
 	return deployments, err
 }
 
+// ListActiveDeployments returns only the deployments in this resource group
+// that are currently in progress (e.g. Running, Deploying, Accepted).
+func (s *ResourceGroupScope) ListActiveDeployments(
+	ctx context.Context,
+) ([]*azapi.ResourceDeployment, error) {
+	all, err := s.ListDeployments(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	var active []*azapi.ResourceDeployment
+	for _, d := range all {
+		if azapi.IsActiveDeploymentState(d.ProvisioningState) {
+			active = append(active, d)
+		}
+	}
+
+	return active, nil
+}
+
 // Deployment gets the deployment with the specified name.
 func (s *ResourceGroupScope) Deployment(deploymentName string) Deployment {
 	return NewResourceGroupDeployment(s, deploymentName)
@@ -381,6 +403,26 @@ func (s *SubscriptionScope) ListDeployments(ctx context.Context) ([]*azapi.Resou
 	return s.deploymentService.ListSubscriptionDeployments(ctx, s.subscriptionId)
 }
 
+// ListActiveDeployments returns only subscription-scoped deployments
+// that are currently in progress (e.g. Running, Deploying, Accepted).
+func (s *SubscriptionScope) ListActiveDeployments(
+	ctx context.Context,
+) ([]*azapi.ResourceDeployment, error) {
+	all, err := s.ListDeployments(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	var active []*azapi.ResourceDeployment
+	for _, d := range all {
+		if azapi.IsActiveDeploymentState(d.ProvisioningState) {
+			active = append(active, d)
+		}
+	}
+
+	return active, nil
+}
+
 func newSubscriptionScope(
 	deploymentsService azapi.DeploymentService,
 	subscriptionId string,
diff --git a/cli/azd/resources/error_suggestions.yaml b/cli/azd/resources/error_suggestions.yaml
index e746c1e1d9b..bf6131c0ac4 100644
--- a/cli/azd/resources/error_suggestions.yaml
+++ b/cli/azd/resources/error_suggestions.yaml
@@ -49,6 +49,22 @@ rules:
   # 4th most common error category (~128,054 errors in 90-day analysis)
   # ============================================================================
 
+  # ============================================================================
+  # ARM Deployment Errors — Active deployment conflict
+  # ============================================================================
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "DeploymentActive"
+    message: "Another deployment is already in progress on this resource group."
+    suggestion: >
+      Wait for the current deployment to complete, then retry.
+      You can check deployment status in the Azure portal under your
+      resource group's Deployments blade.
+    links:
+      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-deployment-active"
+        title: "Troubleshoot DeploymentActive errors"
+
   - errorType: "DeploymentErrorLine"
     properties:
       Code: "FlagMustBeSetForRestore"

From 2e0f714dd2ab1080e5c2b14a7eb48e54627ff2ab Mon Sep 17 00:00:00 2001
From: Shayne Boyer <spboyer@live.com>
Date: Mon, 23 Mar 2026 11:59:28 -0400
Subject: [PATCH 02/12] Retrigger CI

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

From 325adb8d0dedbd244b0a5f46e7ccaef10f23ea1d Mon Sep 17 00:00:00 2001
From: Shayne Boyer <spboyer@live.com>
Date: Mon, 23 Mar 2026 12:32:05 -0400
Subject: [PATCH 03/12] Address review: fix range, scope-agnostic wording,
 extract filter helper, refresh timeout names

- Fix 'range 200' compile error (not valid in all Go versions)
- Make DeploymentActive YAML rule scope-agnostic
- Extract filterActiveDeployments helper to deduplicate scope logic
- Refresh deployment names from latest poll on timeout message

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../bicep/active_deployment_check_test.go     |   2 +-
 .../provisioning/bicep/bicep_provider.go      |   7 +-
 cli/azd/pkg/infra/scope.go                    |  19 +-
 cli/azd/resources/error_suggestions.yaml      | 941 +++++++++---------
 4 files changed, 485 insertions(+), 484 deletions(-)

diff --git a/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go b/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go
index 4d608b2a688..094421932af 100644
--- a/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go
+++ b/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go
@@ -175,7 +175,7 @@ func TestWaitForActiveDeployments_Timeout(t *testing.T) {
 	}
 	// Return active on every call.
 	perCall := make(map[int][]*azapi.ResourceDeployment)
-	for i := range 200 {
+	for i := 0; i < 200; i++ {
 		perCall[i] = running
 	}
 
diff --git a/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go b/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go
index 5bd0e7fdc87..086271416a6 100644
--- a/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go
+++ b/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go
@@ -677,10 +677,15 @@ func (p *BicepProvider) waitForActiveDeployments(
 		case <-ctx.Done():
 			return ctx.Err()
 		case <-deadline:
+			// Refresh names from latest poll for an accurate timeout message
+			currentNames := make([]string, len(active))
+			for i, d := range active {
+				currentNames[i] = d.Name
+			}
 			return fmt.Errorf(
 				"timed out after %s waiting for active "+
 					"deployment(s) to complete: %s",
-				timeout, strings.Join(names, ", "))
+				timeout, strings.Join(currentNames, ", "))
 		case <-ticker.C:
 			active, err = scope.ListActiveDeployments(ctx)
 			if err != nil {
diff --git a/cli/azd/pkg/infra/scope.go b/cli/azd/pkg/infra/scope.go
index f7b63d6b74e..b6b09a87b14 100644
--- a/cli/azd/pkg/infra/scope.go
+++ b/cli/azd/pkg/infra/scope.go
@@ -240,14 +240,7 @@ func (s *ResourceGroupScope) ListActiveDeployments(
 		return nil, err
 	}
 
-	var active []*azapi.ResourceDeployment
-	for _, d := range all {
-		if azapi.IsActiveDeploymentState(d.ProvisioningState) {
-			active = append(active, d)
-		}
-	}
-
-	return active, nil
+	return filterActiveDeployments(all), nil
 }
 
 // Deployment gets the deployment with the specified name.
@@ -413,14 +406,18 @@ func (s *SubscriptionScope) ListActiveDeployments(
 		return nil, err
 	}
 
+	return filterActiveDeployments(all), nil
+}
+
+// filterActiveDeployments returns only deployments with an active provisioning state.
+func filterActiveDeployments(deployments []*azapi.ResourceDeployment) []*azapi.ResourceDeployment {
 	var active []*azapi.ResourceDeployment
-	for _, d := range all {
+	for _, d := range deployments {
 		if azapi.IsActiveDeploymentState(d.ProvisioningState) {
 			active = append(active, d)
 		}
 	}
-
-	return active, nil
+	return active
 }
 
 func newSubscriptionScope(
diff --git a/cli/azd/resources/error_suggestions.yaml b/cli/azd/resources/error_suggestions.yaml
index bf6131c0ac4..f18614c2515 100644
--- a/cli/azd/resources/error_suggestions.yaml
+++ b/cli/azd/resources/error_suggestions.yaml
@@ -1,471 +1,470 @@
-# yaml-language-server: $schema=error_suggestions.schema.json
-# Error Suggestions Configuration
-# ================================
-# This file maps well-known error patterns to user-friendly messages and actionable suggestions.
-# Rules are evaluated in order; the first matching rule wins.
-#
-# Matching Fields (at least one required):
-#   - patterns:   List of strings/regex to match against error message text
-#   - errorType:  Go error struct type name to match via reflection (e.g., "AzureDeploymentError")
-#   - properties: Map of dot-path property names to expected values on the matched error type
-#
-# When multiple matching fields are specified, ALL must match for the rule to trigger.
-#
-# Response Fields:
-#   - message:    User-friendly explanation of what went wrong
-#   - suggestion: Actionable next steps to resolve the issue
-#   - links:      Optional list of reference links (each with url and optional title)
-#   - handler:    Optional name of a registered ErrorHandler for dynamic suggestions
-#
-# Pattern Types:
-#   - Default: Case-insensitive substring match (e.g., "quota exceeded")
-#   - Regex: Set "regex: true" on the rule to treat all patterns and property
-#     values as regular expressions (e.g., "BCP\\d{3}")
-#
-# Examples:
-#   # Text pattern matching:
-#   - patterns:
-#       - "some error text"
-#     message: "A brief, user-friendly explanation."
-#     suggestion: "Clear instruction on how to fix."
-#
-#   # Typed error matching with properties:
-#   - errorType: "DeploymentErrorLine"
-#     properties:
-#       Code: "InsufficientQuota"
-#     message: "Quota limit reached."
-#     suggestion: "Request a quota increase."
-
-rules:
-  # ============================================================================
-  # ORDERING: Most specific rules first, least specific last.
-  # Typed error rules (errorType + properties) are naturally more specific
-  # than text-only pattern rules. Within each group, rules with additional
-  # constraints (patterns, keywords) come before bare code matches.
-  # ============================================================================
-
-  # ============================================================================
-  # ARM Deployment Errors — Soft-delete conflicts (most specific first)
-  # 4th most common error category (~128,054 errors in 90-day analysis)
-  # ============================================================================
-
-  # ============================================================================
-  # ARM Deployment Errors — Active deployment conflict
-  # ============================================================================
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "DeploymentActive"
-    message: "Another deployment is already in progress on this resource group."
-    suggestion: >
-      Wait for the current deployment to complete, then retry.
-      You can check deployment status in the Azure portal under your
-      resource group's Deployments blade.
-    links:
-      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-deployment-active"
-        title: "Troubleshoot DeploymentActive errors"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "FlagMustBeSetForRestore"
-    message: "A soft-deleted resource with this name exists and is blocking deployment."
-    suggestion: >
-      Purge the resource in the Azure portal or via the Azure CLI,
-      then retry with 'azd up'. If the resources are still provisioned,
-      running 'azd down --purge' will delete and purge them.
-    links:
-      - url: "https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery"
-        title: "Azure Key Vault soft-delete recovery"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "ConflictError"
-    message: "A resource conflict occurred, possibly caused by a soft-deleted resource."
-    suggestion: >
-      Purge the resource in the Azure portal or via the Azure CLI,
-      then retry with 'azd up'. If the resources are still provisioned,
-      running 'azd down --purge' will delete and purge them.
-
-  # Conflict + soft-delete keywords (more specific than bare Conflict)
-  - errorType: "DeploymentErrorLine"
-    regex: true
-    properties:
-      Code: "Conflict"
-    patterns:
-      - "(?i)soft.?delete"
-      - "(?i)purge"
-      - "(?i)deleted vault"
-      - "(?i)deleted resource"
-      - "(?i)recover or purge"
-    message: "A soft-deleted resource is causing a deployment conflict."
-    suggestion: >
-      Purge the soft-deleted resource in the Azure portal or via the
-      Azure CLI, then retry with 'azd up'. If the resources are still
-      provisioned, running 'azd down --purge' will delete and purge them.
-    links:
-      - url: "https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery"
-        title: "Azure Key Vault soft-delete recovery"
-
-  - errorType: "DeploymentErrorLine"
-    regex: true
-    properties:
-      Code: "RequestConflict"
-    patterns:
-      - "(?i)soft.?delete"
-      - "(?i)purge"
-      - "(?i)deleted vault"
-      - "(?i)deleted resource"
-      - "(?i)recover or purge"
-    message: "A soft-deleted resource is causing a deployment conflict."
-    suggestion: >
-      Purge the soft-deleted resource in the Azure portal or via the
-      Azure CLI, then retry with 'azd up'. If the resources are still
-      provisioned, running 'azd down --purge' will delete and purge them.
-
-  # ============================================================================
-  # ARM Deployment Errors — Specific error codes
-  # ============================================================================
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "InsufficientQuota"
-    message: "Your subscription has insufficient quota for this resource."
-    suggestion: >
-      Check current usage with 'az vm list-usage --location <region>'
-      or request a quota increase in the Azure portal.
-    links:
-      - url: "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal"
-        title: "Increase Azure subscription quotas"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "SubscriptionIsOverQuotaForSku"
-    message: "Your subscription quota for this SKU is exceeded."
-    suggestion: "Request a quota increase or use a different SKU."
-    links:
-      - url: "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal"
-        title: "Increase Azure subscription quotas"
-
-  # ResponseError from ARM SDK (e.g., validation fails before polling)
-  - errorType: "ResponseError"
-    properties:
-      ErrorCode: "LocationNotAvailableForResourceType"
-    handler: "resourceNotAvailableHandler"
-    links:
-      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-sku-not-available"
-        title: "Resolve SKU not available errors"
-      - url: "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/table"
-        title: "Azure products available by region"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "LocationNotAvailableForResourceType"
-    handler: "resourceNotAvailableHandler"
-    links:
-      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-sku-not-available"
-        title: "Resolve SKU not available errors"
-      - url: "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/table"
-        title: "Azure products available by region"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "AuthorizationFailed"
-    message: "You do not have sufficient permissions for this deployment."
-    suggestion: >
-      Ensure you have the required RBAC role (e.g., Owner or Contributor)
-      on the target subscription. If the template creates role assignments,
-      the Owner or User Access Administrator role is required.
-    links:
-      - url: "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal"
-        title: "Assign Azure roles"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "Unauthorized"
-    message: "The request was unauthorized."
-    suggestion: >
-      Run 'azd auth login' to re-authenticate, then verify you have
-      the required RBAC role on the target subscription or resource group.
-    links:
-      - url: "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal"
-        title: "Assign Azure roles"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "Forbidden"
-    message: "Access to this resource is forbidden."
-    suggestion: >
-      You may lack the required RBAC role, or an Azure Policy is
-      blocking the operation. Check your role assignments and any
-      deny assignments or policies on the target scope.
-    links:
-      - url: "https://learn.microsoft.com/azure/role-based-access-control/troubleshooting"
-        title: "Troubleshoot Azure RBAC"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "RequestDisallowedByPolicy"
-    message: "An Azure Policy is blocking this deployment."
-    suggestion: >
-      Check which policies are assigned to your subscription or
-      resource group with 'az policy assignment list'. Contact your
-      administrator to add an exemption or adjust the policy.
-    links:
-      - url: "https://learn.microsoft.com/azure/governance/policy/troubleshoot/general"
-        title: "Troubleshoot Azure Policy"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "RoleAssignmentExists"
-    message: "A role assignment with this configuration already exists."
-    suggestion: >
-      This is usually safe to ignore on re-deployment. The role
-      assignment was already created in a previous run.
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "PrincipalNotFound"
-    message: "The security principal for a role assignment was not found."
-    suggestion: >
-      The user, group, or service principal may have been deleted.
-      Check that the principal ID in your template is valid, or
-      remove the stale role assignment.
-    links:
-      - url: "https://learn.microsoft.com/azure/role-based-access-control/troubleshooting"
-        title: "Troubleshoot Azure RBAC"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "NoRegisteredProviderFound"
-    message: "A required Azure resource provider is not registered."
-    suggestion: >
-      Register the missing provider with
-      'az provider register --namespace <provider>'.
-      Common providers: Microsoft.CognitiveServices,
-      Microsoft.Search, Microsoft.App, Microsoft.ContainerRegistry.
-    links:
-      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-register-resource-provider"
-        title: "Resolve resource provider registration errors"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "InvalidTemplate"
-    message: "The deployment template contains errors."
-    suggestion: "Run 'azd provision --preview' to validate before deploying."
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "ValidationError"
-    message: "The deployment failed validation."
-    suggestion: >
-      Check resource property values and API versions
-      in your Bicep/Terraform files.
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "ResourceNotFound"
-    message: "A referenced resource was not found."
-    suggestion: >
-      Check resource dependencies and deployment ordering
-      in your template.
-
-  # Bare Conflict — least specific ARM code rule, must be AFTER
-  # Conflict + keyword rules above
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "Conflict"
-    message: "A resource with this name already exists or is in a conflicting state."
-    suggestion: "Check for existing or soft-deleted resources in the Azure portal."
-
-  # ============================================================================
-  # Container App Errors
-  # ~2.46% of all azd errors (~3,152 in 90-day analysis)
-  # ============================================================================
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "ContainerAppSecretInvalid"
-    message: "A secret referenced by the container app is missing or invalid."
-    suggestion: >
-      Check your secret definitions in the Bicep template. Ensure all
-      secrets referenced by environment variables or ingress exist and
-      have valid values.
-    links:
-      - url: "https://learn.microsoft.com/azure/container-apps/manage-secrets"
-        title: "Manage secrets in Azure Container Apps"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "ContainerAppOperationError"
-    patterns:
-      - "image"
-    message: "The container image could not be pulled."
-    suggestion: >
-      Verify the image name and tag, ensure the container registry
-      is accessible, and check that registry credentials are configured
-      correctly (admin enabled or managed identity assigned).
-    links:
-      - url: "https://learn.microsoft.com/azure/container-apps/containers"
-        title: "Containers in Azure Container Apps"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "ContainerAppOperationError"
-    message: "A Container App operation failed during deployment."
-    suggestion: >
-      Inspect the container app revision logs with
-      'az containerapp logs show --name <app> -g <resource-group> --follow'.
-      Common causes include invalid environment variables, port
-      mismatches, or insufficient resources.
-    links:
-      - url: "https://learn.microsoft.com/azure/container-apps/troubleshooting"
-        title: "Troubleshoot Azure Container Apps"
-
-  - errorType: "DeploymentErrorLine"
-    regex: true
-    properties:
-      Code: "InvalidParameterValueInContainerTemplate"
-    message: "The container app template has an invalid parameter."
-    suggestion: >
-      Check container resource limits (CPU/memory), port
-      configuration, and environment variable values in your template.
-    links:
-      - url: "https://learn.microsoft.com/azure/container-apps/containers"
-        title: "Containers in Azure Container Apps"
-
-  # ============================================================================
-  # PowerShell Hook Failures (errorType + properties + patterns)
-  # ~5% of all azd errors (~6,347); AI templates hit 6.59%
-  # ============================================================================
-
-  - errorType: "ExitError"
-    regex: true
-    properties:
-      Cmd: "(?i)pwsh|powershell"
-    patterns:
-      - "Import-Module"
-      - "not loaded"
-    message: "A required PowerShell module could not be loaded."
-    suggestion: "Install the missing module with 'Install-Module <ModuleName> -Scope CurrentUser'."
-
-  - errorType: "ExitError"
-    regex: true
-    properties:
-      Cmd: "(?i)pwsh|powershell"
-    patterns:
-      - "(?i)Az\\.\\S+.*is not recognized"
-    message: "The Azure PowerShell module (Az) is required but not installed."
-    suggestion: "Install it with 'Install-Module Az -Scope CurrentUser -Repository PSGallery -Force'."
-    links:
-      - url: "https://learn.microsoft.com/powershell/azure/install-azure-powershell"
-        title: "Install Azure PowerShell"
-
-  - errorType: "ExitError"
-    regex: true
-    properties:
-      Cmd: "(?i)pwsh|powershell"
-    patterns:
-      - "UnauthorizedAccess"
-    message: "PowerShell execution policy is blocking the script."
-    suggestion: >
-      Check your policy with 'Get-ExecutionPolicy' and consider setting it with
-      'Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser'.
-
-  - errorType: "ExitError"
-    regex: true
-    properties:
-      Cmd: "(?i)pwsh|powershell"
-    patterns:
-      - "ErrorActionPreference"
-    message: "The hook script has an issue with error handling configuration."
-    suggestion: "Ensure '$ErrorActionPreference = \"Stop\"' is set at the top of the script."
-
-  - errorType: "ExitError"
-    regex: true
-    properties:
-      Cmd: "(?i)pwsh|powershell"
-    patterns:
-      - "Connect-AzAccount"
-    message: "The Azure authentication session may have expired."
-    suggestion: "Run 'azd auth login' to refresh your credentials, then retry."
-
-  - errorType: "ExitError"
-    regex: true
-    properties:
-      Cmd: "(?i)pwsh|powershell"
-    patterns:
-      - "(?i)login.*expired|expired.*login"
-    message: "The Azure authentication session may have expired."
-    suggestion: "Run 'azd auth login' to refresh your credentials, then retry."
-
-  # ============================================================================
-  # Subscription Errors
-  # ============================================================================
-
-  - patterns:
-      - "no subscriptions found"
-      - "no subscription found"
-    message: "No Azure subscriptions were found for your account."
-    suggestion: >
-      Ensure you have an active subscription at https://portal.azure.com.
-      If you have multiple tenants, run 'azd auth login --tenant-id <tenant-id>'
-      to sign in to a specific tenant. Multi-factor authentication (MFA) may prevent
-      automatic access to all tenants — visit the Azure portal and switch to each tenant
-      to refresh your MFA sessions, then retry 'azd auth login'.
-    links:
-      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"
-        title: "azd auth login reference"
-
-  # ============================================================================
-  # Text Pattern Rules — Specific patterns first
-  # These are fallbacks for errors without typed Go structs.
-  # ============================================================================
-
-  - patterns:
-      - "parsing project file"
-    message: "Your azure.yaml file is invalid."
-    suggestion: "Check the syntax of your azure.yaml file and fix any errors."
-    links:
-      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/azd-schema"
-        title: "azure.yaml schema reference"
-
-  - patterns:
-      - "InvalidAuthenticationToken"
-      - "ExpiredAuthenticationToken"
-      - "TokenExpired"
-    message: "Your authentication token has expired."
-    suggestion: "Run 'azd auth login' to sign in again."
-    links:
-      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"
-        title: "azd auth login reference"
-
-  - regex: true
-    patterns:
-      - "BCP\\d{3}"
-    message: "Your Bicep template has an error."
-    suggestion: "Review the error message for the specific issue and line number in your .bicep file."
-    links:
-      - url: "https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-error-codes"
-        title: "Bicep error codes reference"
-
-  # ============================================================================
-  # Text Pattern Rules — Broad/generic patterns (least specific, must be last)
-  # ============================================================================
-
-  - patterns:
-      - "AADSTS"
-    message: "Authentication with Azure failed."
-    suggestion: "Run 'azd auth login' to sign in again."
-    links:
-      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"
-        title: "azd auth login reference"
-
-  - patterns:
-      - "QuotaExceeded"
-      - "quota exceeded"
-      - "exceeds quota"
-    message: "Your Azure subscription has reached a resource quota limit."
-    suggestion: "Request a quota increase through the Azure portal, or try deploying to a different region."
-    links:
-      - url: "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal"
-        title: "Increase Azure subscription quotas"
+# yaml-language-server: $schema=error_suggestions.schema.json
+# Error Suggestions Configuration
+# ================================
+# This file maps well-known error patterns to user-friendly messages and actionable suggestions.
+# Rules are evaluated in order; the first matching rule wins.
+#
+# Matching Fields (at least one required):
+#   - patterns:   List of strings/regex to match against error message text
+#   - errorType:  Go error struct type name to match via reflection (e.g., "AzureDeploymentError")
+#   - properties: Map of dot-path property names to expected values on the matched error type
+#
+# When multiple matching fields are specified, ALL must match for the rule to trigger.
+#
+# Response Fields:
+#   - message:    User-friendly explanation of what went wrong
+#   - suggestion: Actionable next steps to resolve the issue
+#   - links:      Optional list of reference links (each with url and optional title)
+#   - handler:    Optional name of a registered ErrorHandler for dynamic suggestions
+#
+# Pattern Types:
+#   - Default: Case-insensitive substring match (e.g., "quota exceeded")
+#   - Regex: Set "regex: true" on the rule to treat all patterns and property
+#     values as regular expressions (e.g., "BCP\\d{3}")
+#
+# Examples:
+#   # Text pattern matching:
+#   - patterns:
+#       - "some error text"
+#     message: "A brief, user-friendly explanation."
+#     suggestion: "Clear instruction on how to fix."
+#
+#   # Typed error matching with properties:
+#   - errorType: "DeploymentErrorLine"
+#     properties:
+#       Code: "InsufficientQuota"
+#     message: "Quota limit reached."
+#     suggestion: "Request a quota increase."
+
+rules:
+  # ============================================================================
+  # ORDERING: Most specific rules first, least specific last.
+  # Typed error rules (errorType + properties) are naturally more specific
+  # than text-only pattern rules. Within each group, rules with additional
+  # constraints (patterns, keywords) come before bare code matches.
+  # ============================================================================
+
+  # ============================================================================
+  # ARM Deployment Errors — Soft-delete conflicts (most specific first)
+  # 4th most common error category (~128,054 errors in 90-day analysis)
+  # ============================================================================
+
+  # ============================================================================
+  # ARM Deployment Errors — Active deployment conflict
+  # ============================================================================
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "DeploymentActive"
+    message: "Another deployment is already in progress on this scope."
+    suggestion: >
+      Wait for the current deployment to complete, then retry.
+      You can check deployment status in the Azure portal under the Deployments blade.
+    links:
+      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-deployment-active"
+        title: "Troubleshoot DeploymentActive errors"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "FlagMustBeSetForRestore"
+    message: "A soft-deleted resource with this name exists and is blocking deployment."
+    suggestion: >
+      Purge the resource in the Azure portal or via the Azure CLI,
+      then retry with 'azd up'. If the resources are still provisioned,
+      running 'azd down --purge' will delete and purge them.
+    links:
+      - url: "https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery"
+        title: "Azure Key Vault soft-delete recovery"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "ConflictError"
+    message: "A resource conflict occurred, possibly caused by a soft-deleted resource."
+    suggestion: >
+      Purge the resource in the Azure portal or via the Azure CLI,
+      then retry with 'azd up'. If the resources are still provisioned,
+      running 'azd down --purge' will delete and purge them.
+
+  # Conflict + soft-delete keywords (more specific than bare Conflict)
+  - errorType: "DeploymentErrorLine"
+    regex: true
+    properties:
+      Code: "Conflict"
+    patterns:
+      - "(?i)soft.?delete"
+      - "(?i)purge"
+      - "(?i)deleted vault"
+      - "(?i)deleted resource"
+      - "(?i)recover or purge"
+    message: "A soft-deleted resource is causing a deployment conflict."
+    suggestion: >
+      Purge the soft-deleted resource in the Azure portal or via the
+      Azure CLI, then retry with 'azd up'. If the resources are still
+      provisioned, running 'azd down --purge' will delete and purge them.
+    links:
+      - url: "https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery"
+        title: "Azure Key Vault soft-delete recovery"
+
+  - errorType: "DeploymentErrorLine"
+    regex: true
+    properties:
+      Code: "RequestConflict"
+    patterns:
+      - "(?i)soft.?delete"
+      - "(?i)purge"
+      - "(?i)deleted vault"
+      - "(?i)deleted resource"
+      - "(?i)recover or purge"
+    message: "A soft-deleted resource is causing a deployment conflict."
+    suggestion: >
+      Purge the soft-deleted resource in the Azure portal or via the
+      Azure CLI, then retry with 'azd up'. If the resources are still
+      provisioned, running 'azd down --purge' will delete and purge them.
+
+  # ============================================================================
+  # ARM Deployment Errors — Specific error codes
+  # ============================================================================
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "InsufficientQuota"
+    message: "Your subscription has insufficient quota for this resource."
+    suggestion: >
+      Check current usage with 'az vm list-usage --location <region>'
+      or request a quota increase in the Azure portal.
+    links:
+      - url: "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal"
+        title: "Increase Azure subscription quotas"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "SubscriptionIsOverQuotaForSku"
+    message: "Your subscription quota for this SKU is exceeded."
+    suggestion: "Request a quota increase or use a different SKU."
+    links:
+      - url: "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal"
+        title: "Increase Azure subscription quotas"
+
+  # ResponseError from ARM SDK (e.g., validation fails before polling)
+  - errorType: "ResponseError"
+    properties:
+      ErrorCode: "LocationNotAvailableForResourceType"
+    handler: "resourceNotAvailableHandler"
+    links:
+      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-sku-not-available"
+        title: "Resolve SKU not available errors"
+      - url: "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/table"
+        title: "Azure products available by region"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "LocationNotAvailableForResourceType"
+    handler: "resourceNotAvailableHandler"
+    links:
+      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-sku-not-available"
+        title: "Resolve SKU not available errors"
+      - url: "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/table"
+        title: "Azure products available by region"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "AuthorizationFailed"
+    message: "You do not have sufficient permissions for this deployment."
+    suggestion: >
+      Ensure you have the required RBAC role (e.g., Owner or Contributor)
+      on the target subscription. If the template creates role assignments,
+      the Owner or User Access Administrator role is required.
+    links:
+      - url: "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal"
+        title: "Assign Azure roles"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "Unauthorized"
+    message: "The request was unauthorized."
+    suggestion: >
+      Run 'azd auth login' to re-authenticate, then verify you have
+      the required RBAC role on the target subscription or resource group.
+    links:
+      - url: "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal"
+        title: "Assign Azure roles"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "Forbidden"
+    message: "Access to this resource is forbidden."
+    suggestion: >
+      You may lack the required RBAC role, or an Azure Policy is
+      blocking the operation. Check your role assignments and any
+      deny assignments or policies on the target scope.
+    links:
+      - url: "https://learn.microsoft.com/azure/role-based-access-control/troubleshooting"
+        title: "Troubleshoot Azure RBAC"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "RequestDisallowedByPolicy"
+    message: "An Azure Policy is blocking this deployment."
+    suggestion: >
+      Check which policies are assigned to your subscription or
+      resource group with 'az policy assignment list'. Contact your
+      administrator to add an exemption or adjust the policy.
+    links:
+      - url: "https://learn.microsoft.com/azure/governance/policy/troubleshoot/general"
+        title: "Troubleshoot Azure Policy"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "RoleAssignmentExists"
+    message: "A role assignment with this configuration already exists."
+    suggestion: >
+      This is usually safe to ignore on re-deployment. The role
+      assignment was already created in a previous run.
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "PrincipalNotFound"
+    message: "The security principal for a role assignment was not found."
+    suggestion: >
+      The user, group, or service principal may have been deleted.
+      Check that the principal ID in your template is valid, or
+      remove the stale role assignment.
+    links:
+      - url: "https://learn.microsoft.com/azure/role-based-access-control/troubleshooting"
+        title: "Troubleshoot Azure RBAC"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "NoRegisteredProviderFound"
+    message: "A required Azure resource provider is not registered."
+    suggestion: >
+      Register the missing provider with
+      'az provider register --namespace <provider>'.
+      Common providers: Microsoft.CognitiveServices,
+      Microsoft.Search, Microsoft.App, Microsoft.ContainerRegistry.
+    links:
+      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-register-resource-provider"
+        title: "Resolve resource provider registration errors"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "InvalidTemplate"
+    message: "The deployment template contains errors."
+    suggestion: "Run 'azd provision --preview' to validate before deploying."
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "ValidationError"
+    message: "The deployment failed validation."
+    suggestion: >
+      Check resource property values and API versions
+      in your Bicep/Terraform files.
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "ResourceNotFound"
+    message: "A referenced resource was not found."
+    suggestion: >
+      Check resource dependencies and deployment ordering
+      in your template.
+
+  # Bare Conflict — least specific ARM code rule, must be AFTER
+  # Conflict + keyword rules above
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "Conflict"
+    message: "A resource with this name already exists or is in a conflicting state."
+    suggestion: "Check for existing or soft-deleted resources in the Azure portal."
+
+  # ============================================================================
+  # Container App Errors
+  # ~2.46% of all azd errors (~3,152 in 90-day analysis)
+  # ============================================================================
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "ContainerAppSecretInvalid"
+    message: "A secret referenced by the container app is missing or invalid."
+    suggestion: >
+      Check your secret definitions in the Bicep template. Ensure all
+      secrets referenced by environment variables or ingress exist and
+      have valid values.
+    links:
+      - url: "https://learn.microsoft.com/azure/container-apps/manage-secrets"
+        title: "Manage secrets in Azure Container Apps"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "ContainerAppOperationError"
+    patterns:
+      - "image"
+    message: "The container image could not be pulled."
+    suggestion: >
+      Verify the image name and tag, ensure the container registry
+      is accessible, and check that registry credentials are configured
+      correctly (admin enabled or managed identity assigned).
+    links:
+      - url: "https://learn.microsoft.com/azure/container-apps/containers"
+        title: "Containers in Azure Container Apps"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "ContainerAppOperationError"
+    message: "A Container App operation failed during deployment."
+    suggestion: >
+      Inspect the container app revision logs with
+      'az containerapp logs show --name <app> -g <resource-group> --follow'.
+      Common causes include invalid environment variables, port
+      mismatches, or insufficient resources.
+    links:
+      - url: "https://learn.microsoft.com/azure/container-apps/troubleshooting"
+        title: "Troubleshoot Azure Container Apps"
+
+  - errorType: "DeploymentErrorLine"
+    regex: true
+    properties:
+      Code: "InvalidParameterValueInContainerTemplate"
+    message: "The container app template has an invalid parameter."
+    suggestion: >
+      Check container resource limits (CPU/memory), port
+      configuration, and environment variable values in your template.
+    links:
+      - url: "https://learn.microsoft.com/azure/container-apps/containers"
+        title: "Containers in Azure Container Apps"
+
+  # ============================================================================
+  # PowerShell Hook Failures (errorType + properties + patterns)
+  # ~5% of all azd errors (~6,347); AI templates hit 6.59%
+  # ============================================================================
+
+  - errorType: "ExitError"
+    regex: true
+    properties:
+      Cmd: "(?i)pwsh|powershell"
+    patterns:
+      - "Import-Module"
+      - "not loaded"
+    message: "A required PowerShell module could not be loaded."
+    suggestion: "Install the missing module with 'Install-Module <ModuleName> -Scope CurrentUser'."
+
+  - errorType: "ExitError"
+    regex: true
+    properties:
+      Cmd: "(?i)pwsh|powershell"
+    patterns:
+      - "(?i)Az\\.\\S+.*is not recognized"
+    message: "The Azure PowerShell module (Az) is required but not installed."
+    suggestion: "Install it with 'Install-Module Az -Scope CurrentUser -Repository PSGallery -Force'."
+    links:
+      - url: "https://learn.microsoft.com/powershell/azure/install-azure-powershell"
+        title: "Install Azure PowerShell"
+
+  - errorType: "ExitError"
+    regex: true
+    properties:
+      Cmd: "(?i)pwsh|powershell"
+    patterns:
+      - "UnauthorizedAccess"
+    message: "PowerShell execution policy is blocking the script."
+    suggestion: >
+      Check your policy with 'Get-ExecutionPolicy' and consider setting it with
+      'Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser'.
+
+  - errorType: "ExitError"
+    regex: true
+    properties:
+      Cmd: "(?i)pwsh|powershell"
+    patterns:
+      - "ErrorActionPreference"
+    message: "The hook script has an issue with error handling configuration."
+    suggestion: "Ensure '$ErrorActionPreference = \"Stop\"' is set at the top of the script."
+
+  - errorType: "ExitError"
+    regex: true
+    properties:
+      Cmd: "(?i)pwsh|powershell"
+    patterns:
+      - "Connect-AzAccount"
+    message: "The Azure authentication session may have expired."
+    suggestion: "Run 'azd auth login' to refresh your credentials, then retry."
+
+  - errorType: "ExitError"
+    regex: true
+    properties:
+      Cmd: "(?i)pwsh|powershell"
+    patterns:
+      - "(?i)login.*expired|expired.*login"
+    message: "The Azure authentication session may have expired."
+    suggestion: "Run 'azd auth login' to refresh your credentials, then retry."
+
+  # ============================================================================
+  # Subscription Errors
+  # ============================================================================
+
+  - patterns:
+      - "no subscriptions found"
+      - "no subscription found"
+    message: "No Azure subscriptions were found for your account."
+    suggestion: >
+      Ensure you have an active subscription at https://portal.azure.com.
+      If you have multiple tenants, run 'azd auth login --tenant-id <tenant-id>'
+      to sign in to a specific tenant. Multi-factor authentication (MFA) may prevent
+      automatic access to all tenants — visit the Azure portal and switch to each tenant
+      to refresh your MFA sessions, then retry 'azd auth login'.
+    links:
+      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"
+        title: "azd auth login reference"
+
+  # ============================================================================
+  # Text Pattern Rules — Specific patterns first
+  # These are fallbacks for errors without typed Go structs.
+  # ============================================================================
+
+  - patterns:
+      - "parsing project file"
+    message: "Your azure.yaml file is invalid."
+    suggestion: "Check the syntax of your azure.yaml file and fix any errors."
+    links:
+      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/azd-schema"
+        title: "azure.yaml schema reference"
+
+  - patterns:
+      - "InvalidAuthenticationToken"
+      - "ExpiredAuthenticationToken"
+      - "TokenExpired"
+    message: "Your authentication token has expired."
+    suggestion: "Run 'azd auth login' to sign in again."
+    links:
+      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"
+        title: "azd auth login reference"
+
+  - regex: true
+    patterns:
+      - "BCP\\d{3}"
+    message: "Your Bicep template has an error."
+    suggestion: "Review the error message for the specific issue and line number in your .bicep file."
+    links:
+      - url: "https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-error-codes"
+        title: "Bicep error codes reference"
+
+  # ============================================================================
+  # Text Pattern Rules — Broad/generic patterns (least specific, must be last)
+  # ============================================================================
+
+  - patterns:
+      - "AADSTS"
+    message: "Authentication with Azure failed."
+    suggestion: "Run 'azd auth login' to sign in again."
+    links:
+      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"
+        title: "azd auth login reference"
+
+  - patterns:
+      - "QuotaExceeded"
+      - "quota exceeded"
+      - "exceeds quota"
+    message: "Your Azure subscription has reached a resource quota limit."
+    suggestion: "Request a quota increase through the Azure portal, or try deploying to a different region."
+    links:
+      - url: "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal"
+        title: "Increase Azure subscription quotas"

From 72f489b4325ef7292bc8eda834919301ae20f356 Mon Sep 17 00:00:00 2001
From: Shayne Boyer <spboyer@live.com>
Date: Mon, 23 Mar 2026 12:45:50 -0400
Subject: [PATCH 04/12] Restore range-over-int (Go 1.26, enforced by go fix)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../infra/provisioning/bicep/active_deployment_check_test.go    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go b/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go
index 094421932af..4d608b2a688 100644
--- a/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go
+++ b/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go
@@ -175,7 +175,7 @@ func TestWaitForActiveDeployments_Timeout(t *testing.T) {
 	}
 	// Return active on every call.
 	perCall := make(map[int][]*azapi.ResourceDeployment)
-	for i := 0; i < 200; i++ {
+	for i := range 200 {
 		perCall[i] = running
 	}
 

From edf9906944282b92f4972a2d9891ad29e3870ae1 Mon Sep 17 00:00:00 2001
From: Shayne Boyer <spboyer@live.com>
Date: Mon, 23 Mar 2026 11:33:13 -0700
Subject: [PATCH 05/12] Retrigger CI (ADO pool flake)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

From 38516a8e1fc5554224042151baa2016266c701ab Mon Sep 17 00:00:00 2001
From: Shayne Boyer <spboyer@live.com>
Date: Mon, 23 Mar 2026 14:32:03 -0700
Subject: [PATCH 06/12] Retrigger CI

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

From dfc6a99699a2ee72fca8726898432f4d70a31b92 Mon Sep 17 00:00:00 2001
From: Shayne Boyer <spboyer@live.com>
Date: Tue, 24 Mar 2026 06:57:34 -0700
Subject: [PATCH 07/12] Retrigger CI

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

From 9919289029300badbee15fba42d2715242d53ab2 Mon Sep 17 00:00:00 2001
From: Shayne Boyer <spboyer@live.com>
Date: Tue, 24 Mar 2026 08:06:18 -0700
Subject: [PATCH 08/12] Fix: remove ListActiveDeployments from Scope interface

Move ListActiveDeployments to a standalone function instead of adding
it to the exported Scope interface. Adding methods to exported
interfaces is a breaking change for any external implementation
(including test mocks in CI).

The standalone infra.ListActiveDeployments(ctx, scope) function calls
scope.ListDeployments and filters for active states, achieving the
same result without widening the interface contract.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../bicep/active_deployment_check_test.go     | 13 ++--
 .../provisioning/bicep/bicep_provider.go      |  4 +-
 cli/azd/pkg/infra/scope.go                    | 64 ++++++++-----------
 3 files changed, 31 insertions(+), 50 deletions(-)

diff --git a/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go b/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go
index 4d608b2a688..00d1359b657 100644
--- a/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go
+++ b/cli/azd/pkg/infra/provisioning/bicep/active_deployment_check_test.go
@@ -17,11 +17,12 @@ import (
 )
 
 // activeDeploymentScope is a test helper that implements infra.Scope and lets
-// the caller control what ListActiveDeployments returns on each call.
+// the caller control what ListDeployments returns on each call. The standalone
+// infra.ListActiveDeployments function filters these results.
 type activeDeploymentScope struct {
-	// calls tracks how many times ListActiveDeployments has been invoked.
+	// calls tracks how many times ListDeployments has been invoked.
 	calls atomic.Int32
-	// activePerCall maps a 0-based call index to the list of active deployments
+	// activePerCall maps a 0-based call index to the list of deployments
 	// returned for that call.  If the index is missing, nil is returned.
 	activePerCall map[int][]*azapi.ResourceDeployment
 	// errOnCall, if non-nil, maps a call index to an error to return.
@@ -34,12 +35,6 @@ func (s *activeDeploymentScope) Deployment(_ string) infra.Deployment { return n
 
 func (s *activeDeploymentScope) ListDeployments(
 	_ context.Context,
-) ([]*azapi.ResourceDeployment, error) {
-	return nil, nil
-}
-
-func (s *activeDeploymentScope) ListActiveDeployments(
-	ctx context.Context,
 ) ([]*azapi.ResourceDeployment, error) {
 	idx := int(s.calls.Add(1)) - 1
 	if s.errOnCall != nil {
diff --git a/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go b/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go
index 086271416a6..9a859cfa44c 100644
--- a/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go
+++ b/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go
@@ -627,7 +627,7 @@ func (p *BicepProvider) waitForActiveDeployments(
 	ctx context.Context,
 	scope infra.Scope,
 ) error {
-	active, err := scope.ListActiveDeployments(ctx)
+	active, err := infra.ListActiveDeployments(ctx, scope)
 	if err != nil {
 		// If the resource group doesn't exist yet, there are no active
 		// deployments — proceed normally.
@@ -687,7 +687,7 @@ func (p *BicepProvider) waitForActiveDeployments(
 					"deployment(s) to complete: %s",
 				timeout, strings.Join(currentNames, ", "))
 		case <-ticker.C:
-			active, err = scope.ListActiveDeployments(ctx)
+			active, err = infra.ListActiveDeployments(ctx, scope)
 			if err != nil {
 				return fmt.Errorf(
 					"checking active deployments: %w", err)
diff --git a/cli/azd/pkg/infra/scope.go b/cli/azd/pkg/infra/scope.go
index b6b09a87b14..dcccc79c479 100644
--- a/cli/azd/pkg/infra/scope.go
+++ b/cli/azd/pkg/infra/scope.go
@@ -21,11 +21,34 @@ type Scope interface {
 	SubscriptionId() string
 	// ListDeployments returns all the deployments at this scope.
 	ListDeployments(ctx context.Context) ([]*azapi.ResourceDeployment, error)
-	// ListActiveDeployments returns only the deployments that are currently in progress.
-	ListActiveDeployments(ctx context.Context) ([]*azapi.ResourceDeployment, error)
 	Deployment(deploymentName string) Deployment
 }
 
+// ListActiveDeployments lists all deployments at the given scope and returns
+// only those with an active provisioning state (Running, Deploying, etc.).
+func ListActiveDeployments(
+	ctx context.Context,
+	scope Scope,
+) ([]*azapi.ResourceDeployment, error) {
+	all, err := scope.ListDeployments(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return filterActiveDeployments(all), nil
+}
+
+// filterActiveDeployments returns only deployments with an active provisioning state.
+func filterActiveDeployments(deployments []*azapi.ResourceDeployment) []*azapi.ResourceDeployment {
+	var active []*azapi.ResourceDeployment
+	for _, d := range deployments {
+		if azapi.IsActiveDeploymentState(d.ProvisioningState) {
+			active = append(active, d)
+		}
+	}
+	return active
+}
+
 type Deployment interface {
 	Scope
 	// Name is the name of this deployment.
@@ -230,19 +253,6 @@ func (s *ResourceGroupScope) ListDeployments(ctx context.Context) ([]*azapi.Reso
 	return deployments, err
 }
 
-// ListActiveDeployments returns only the deployments in this resource group
-// that are currently in progress (e.g. Running, Deploying, Accepted).
-func (s *ResourceGroupScope) ListActiveDeployments(
-	ctx context.Context,
-) ([]*azapi.ResourceDeployment, error) {
-	all, err := s.ListDeployments(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return filterActiveDeployments(all), nil
-}
-
 // Deployment gets the deployment with the specified name.
 func (s *ResourceGroupScope) Deployment(deploymentName string) Deployment {
 	return NewResourceGroupDeployment(s, deploymentName)
@@ -396,30 +406,6 @@ func (s *SubscriptionScope) ListDeployments(ctx context.Context) ([]*azapi.Resou
 	return s.deploymentService.ListSubscriptionDeployments(ctx, s.subscriptionId)
 }
 
-// ListActiveDeployments returns only subscription-scoped deployments
-// that are currently in progress (e.g. Running, Deploying, Accepted).
-func (s *SubscriptionScope) ListActiveDeployments(
-	ctx context.Context,
-) ([]*azapi.ResourceDeployment, error) {
-	all, err := s.ListDeployments(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return filterActiveDeployments(all), nil
-}
-
-// filterActiveDeployments returns only deployments with an active provisioning state.
-func filterActiveDeployments(deployments []*azapi.ResourceDeployment) []*azapi.ResourceDeployment {
-	var active []*azapi.ResourceDeployment
-	for _, d := range deployments {
-		if azapi.IsActiveDeploymentState(d.ProvisioningState) {
-			active = append(active, d)
-		}
-	}
-	return active
-}
-
 func newSubscriptionScope(
 	deploymentsService azapi.DeploymentService,
 	subscriptionId string,

From 44c2197df1748f92255108af911bf8150a2c46c2 Mon Sep 17 00:00:00 2001
From: Shayne Boyer <spboyer@live.com>
Date: Tue, 24 Mar 2026 08:28:57 -0700
Subject: [PATCH 09/12] Fix: reset error_suggestions.yaml, add only
 DeploymentActive rule

The agent rewrote the entire YAML file causing a 925-line diff that
broke CI tests. Reset to main and add only the DeploymentActive rule
(11 lines) as intended.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 cli/azd/resources/error_suggestions.yaml | 936 +++++++++++------------
 1 file changed, 466 insertions(+), 470 deletions(-)

diff --git a/cli/azd/resources/error_suggestions.yaml b/cli/azd/resources/error_suggestions.yaml
index f18614c2515..f41289a91b9 100644
--- a/cli/azd/resources/error_suggestions.yaml
+++ b/cli/azd/resources/error_suggestions.yaml
@@ -1,470 +1,466 @@
-# yaml-language-server: $schema=error_suggestions.schema.json
-# Error Suggestions Configuration
-# ================================
-# This file maps well-known error patterns to user-friendly messages and actionable suggestions.
-# Rules are evaluated in order; the first matching rule wins.
-#
-# Matching Fields (at least one required):
-#   - patterns:   List of strings/regex to match against error message text
-#   - errorType:  Go error struct type name to match via reflection (e.g., "AzureDeploymentError")
-#   - properties: Map of dot-path property names to expected values on the matched error type
-#
-# When multiple matching fields are specified, ALL must match for the rule to trigger.
-#
-# Response Fields:
-#   - message:    User-friendly explanation of what went wrong
-#   - suggestion: Actionable next steps to resolve the issue
-#   - links:      Optional list of reference links (each with url and optional title)
-#   - handler:    Optional name of a registered ErrorHandler for dynamic suggestions
-#
-# Pattern Types:
-#   - Default: Case-insensitive substring match (e.g., "quota exceeded")
-#   - Regex: Set "regex: true" on the rule to treat all patterns and property
-#     values as regular expressions (e.g., "BCP\\d{3}")
-#
-# Examples:
-#   # Text pattern matching:
-#   - patterns:
-#       - "some error text"
-#     message: "A brief, user-friendly explanation."
-#     suggestion: "Clear instruction on how to fix."
-#
-#   # Typed error matching with properties:
-#   - errorType: "DeploymentErrorLine"
-#     properties:
-#       Code: "InsufficientQuota"
-#     message: "Quota limit reached."
-#     suggestion: "Request a quota increase."
-
-rules:
-  # ============================================================================
-  # ORDERING: Most specific rules first, least specific last.
-  # Typed error rules (errorType + properties) are naturally more specific
-  # than text-only pattern rules. Within each group, rules with additional
-  # constraints (patterns, keywords) come before bare code matches.
-  # ============================================================================
-
-  # ============================================================================
-  # ARM Deployment Errors — Soft-delete conflicts (most specific first)
-  # 4th most common error category (~128,054 errors in 90-day analysis)
-  # ============================================================================
-
-  # ============================================================================
-  # ARM Deployment Errors — Active deployment conflict
-  # ============================================================================
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "DeploymentActive"
-    message: "Another deployment is already in progress on this scope."
-    suggestion: >
-      Wait for the current deployment to complete, then retry.
-      You can check deployment status in the Azure portal under the Deployments blade.
-    links:
-      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-deployment-active"
-        title: "Troubleshoot DeploymentActive errors"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "FlagMustBeSetForRestore"
-    message: "A soft-deleted resource with this name exists and is blocking deployment."
-    suggestion: >
-      Purge the resource in the Azure portal or via the Azure CLI,
-      then retry with 'azd up'. If the resources are still provisioned,
-      running 'azd down --purge' will delete and purge them.
-    links:
-      - url: "https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery"
-        title: "Azure Key Vault soft-delete recovery"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "ConflictError"
-    message: "A resource conflict occurred, possibly caused by a soft-deleted resource."
-    suggestion: >
-      Purge the resource in the Azure portal or via the Azure CLI,
-      then retry with 'azd up'. If the resources are still provisioned,
-      running 'azd down --purge' will delete and purge them.
-
-  # Conflict + soft-delete keywords (more specific than bare Conflict)
-  - errorType: "DeploymentErrorLine"
-    regex: true
-    properties:
-      Code: "Conflict"
-    patterns:
-      - "(?i)soft.?delete"
-      - "(?i)purge"
-      - "(?i)deleted vault"
-      - "(?i)deleted resource"
-      - "(?i)recover or purge"
-    message: "A soft-deleted resource is causing a deployment conflict."
-    suggestion: >
-      Purge the soft-deleted resource in the Azure portal or via the
-      Azure CLI, then retry with 'azd up'. If the resources are still
-      provisioned, running 'azd down --purge' will delete and purge them.
-    links:
-      - url: "https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery"
-        title: "Azure Key Vault soft-delete recovery"
-
-  - errorType: "DeploymentErrorLine"
-    regex: true
-    properties:
-      Code: "RequestConflict"
-    patterns:
-      - "(?i)soft.?delete"
-      - "(?i)purge"
-      - "(?i)deleted vault"
-      - "(?i)deleted resource"
-      - "(?i)recover or purge"
-    message: "A soft-deleted resource is causing a deployment conflict."
-    suggestion: >
-      Purge the soft-deleted resource in the Azure portal or via the
-      Azure CLI, then retry with 'azd up'. If the resources are still
-      provisioned, running 'azd down --purge' will delete and purge them.
-
-  # ============================================================================
-  # ARM Deployment Errors — Specific error codes
-  # ============================================================================
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "InsufficientQuota"
-    message: "Your subscription has insufficient quota for this resource."
-    suggestion: >
-      Check current usage with 'az vm list-usage --location <region>'
-      or request a quota increase in the Azure portal.
-    links:
-      - url: "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal"
-        title: "Increase Azure subscription quotas"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "SubscriptionIsOverQuotaForSku"
-    message: "Your subscription quota for this SKU is exceeded."
-    suggestion: "Request a quota increase or use a different SKU."
-    links:
-      - url: "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal"
-        title: "Increase Azure subscription quotas"
-
-  # ResponseError from ARM SDK (e.g., validation fails before polling)
-  - errorType: "ResponseError"
-    properties:
-      ErrorCode: "LocationNotAvailableForResourceType"
-    handler: "resourceNotAvailableHandler"
-    links:
-      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-sku-not-available"
-        title: "Resolve SKU not available errors"
-      - url: "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/table"
-        title: "Azure products available by region"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "LocationNotAvailableForResourceType"
-    handler: "resourceNotAvailableHandler"
-    links:
-      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-sku-not-available"
-        title: "Resolve SKU not available errors"
-      - url: "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/table"
-        title: "Azure products available by region"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "AuthorizationFailed"
-    message: "You do not have sufficient permissions for this deployment."
-    suggestion: >
-      Ensure you have the required RBAC role (e.g., Owner or Contributor)
-      on the target subscription. If the template creates role assignments,
-      the Owner or User Access Administrator role is required.
-    links:
-      - url: "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal"
-        title: "Assign Azure roles"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "Unauthorized"
-    message: "The request was unauthorized."
-    suggestion: >
-      Run 'azd auth login' to re-authenticate, then verify you have
-      the required RBAC role on the target subscription or resource group.
-    links:
-      - url: "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal"
-        title: "Assign Azure roles"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "Forbidden"
-    message: "Access to this resource is forbidden."
-    suggestion: >
-      You may lack the required RBAC role, or an Azure Policy is
-      blocking the operation. Check your role assignments and any
-      deny assignments or policies on the target scope.
-    links:
-      - url: "https://learn.microsoft.com/azure/role-based-access-control/troubleshooting"
-        title: "Troubleshoot Azure RBAC"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "RequestDisallowedByPolicy"
-    message: "An Azure Policy is blocking this deployment."
-    suggestion: >
-      Check which policies are assigned to your subscription or
-      resource group with 'az policy assignment list'. Contact your
-      administrator to add an exemption or adjust the policy.
-    links:
-      - url: "https://learn.microsoft.com/azure/governance/policy/troubleshoot/general"
-        title: "Troubleshoot Azure Policy"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "RoleAssignmentExists"
-    message: "A role assignment with this configuration already exists."
-    suggestion: >
-      This is usually safe to ignore on re-deployment. The role
-      assignment was already created in a previous run.
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "PrincipalNotFound"
-    message: "The security principal for a role assignment was not found."
-    suggestion: >
-      The user, group, or service principal may have been deleted.
-      Check that the principal ID in your template is valid, or
-      remove the stale role assignment.
-    links:
-      - url: "https://learn.microsoft.com/azure/role-based-access-control/troubleshooting"
-        title: "Troubleshoot Azure RBAC"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "NoRegisteredProviderFound"
-    message: "A required Azure resource provider is not registered."
-    suggestion: >
-      Register the missing provider with
-      'az provider register --namespace <provider>'.
-      Common providers: Microsoft.CognitiveServices,
-      Microsoft.Search, Microsoft.App, Microsoft.ContainerRegistry.
-    links:
-      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-register-resource-provider"
-        title: "Resolve resource provider registration errors"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "InvalidTemplate"
-    message: "The deployment template contains errors."
-    suggestion: "Run 'azd provision --preview' to validate before deploying."
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "ValidationError"
-    message: "The deployment failed validation."
-    suggestion: >
-      Check resource property values and API versions
-      in your Bicep/Terraform files.
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "ResourceNotFound"
-    message: "A referenced resource was not found."
-    suggestion: >
-      Check resource dependencies and deployment ordering
-      in your template.
-
-  # Bare Conflict — least specific ARM code rule, must be AFTER
-  # Conflict + keyword rules above
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "Conflict"
-    message: "A resource with this name already exists or is in a conflicting state."
-    suggestion: "Check for existing or soft-deleted resources in the Azure portal."
-
-  # ============================================================================
-  # Container App Errors
-  # ~2.46% of all azd errors (~3,152 in 90-day analysis)
-  # ============================================================================
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "ContainerAppSecretInvalid"
-    message: "A secret referenced by the container app is missing or invalid."
-    suggestion: >
-      Check your secret definitions in the Bicep template. Ensure all
-      secrets referenced by environment variables or ingress exist and
-      have valid values.
-    links:
-      - url: "https://learn.microsoft.com/azure/container-apps/manage-secrets"
-        title: "Manage secrets in Azure Container Apps"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "ContainerAppOperationError"
-    patterns:
-      - "image"
-    message: "The container image could not be pulled."
-    suggestion: >
-      Verify the image name and tag, ensure the container registry
-      is accessible, and check that registry credentials are configured
-      correctly (admin enabled or managed identity assigned).
-    links:
-      - url: "https://learn.microsoft.com/azure/container-apps/containers"
-        title: "Containers in Azure Container Apps"
-
-  - errorType: "DeploymentErrorLine"
-    properties:
-      Code: "ContainerAppOperationError"
-    message: "A Container App operation failed during deployment."
-    suggestion: >
-      Inspect the container app revision logs with
-      'az containerapp logs show --name <app> -g <resource-group> --follow'.
-      Common causes include invalid environment variables, port
-      mismatches, or insufficient resources.
-    links:
-      - url: "https://learn.microsoft.com/azure/container-apps/troubleshooting"
-        title: "Troubleshoot Azure Container Apps"
-
-  - errorType: "DeploymentErrorLine"
-    regex: true
-    properties:
-      Code: "InvalidParameterValueInContainerTemplate"
-    message: "The container app template has an invalid parameter."
-    suggestion: >
-      Check container resource limits (CPU/memory), port
-      configuration, and environment variable values in your template.
-    links:
-      - url: "https://learn.microsoft.com/azure/container-apps/containers"
-        title: "Containers in Azure Container Apps"
-
-  # ============================================================================
-  # PowerShell Hook Failures (errorType + properties + patterns)
-  # ~5% of all azd errors (~6,347); AI templates hit 6.59%
-  # ============================================================================
-
-  - errorType: "ExitError"
-    regex: true
-    properties:
-      Cmd: "(?i)pwsh|powershell"
-    patterns:
-      - "Import-Module"
-      - "not loaded"
-    message: "A required PowerShell module could not be loaded."
-    suggestion: "Install the missing module with 'Install-Module <ModuleName> -Scope CurrentUser'."
-
-  - errorType: "ExitError"
-    regex: true
-    properties:
-      Cmd: "(?i)pwsh|powershell"
-    patterns:
-      - "(?i)Az\\.\\S+.*is not recognized"
-    message: "The Azure PowerShell module (Az) is required but not installed."
-    suggestion: "Install it with 'Install-Module Az -Scope CurrentUser -Repository PSGallery -Force'."
-    links:
-      - url: "https://learn.microsoft.com/powershell/azure/install-azure-powershell"
-        title: "Install Azure PowerShell"
-
-  - errorType: "ExitError"
-    regex: true
-    properties:
-      Cmd: "(?i)pwsh|powershell"
-    patterns:
-      - "UnauthorizedAccess"
-    message: "PowerShell execution policy is blocking the script."
-    suggestion: >
-      Check your policy with 'Get-ExecutionPolicy' and consider setting it with
-      'Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser'.
-
-  - errorType: "ExitError"
-    regex: true
-    properties:
-      Cmd: "(?i)pwsh|powershell"
-    patterns:
-      - "ErrorActionPreference"
-    message: "The hook script has an issue with error handling configuration."
-    suggestion: "Ensure '$ErrorActionPreference = \"Stop\"' is set at the top of the script."
-
-  - errorType: "ExitError"
-    regex: true
-    properties:
-      Cmd: "(?i)pwsh|powershell"
-    patterns:
-      - "Connect-AzAccount"
-    message: "The Azure authentication session may have expired."
-    suggestion: "Run 'azd auth login' to refresh your credentials, then retry."
-
-  - errorType: "ExitError"
-    regex: true
-    properties:
-      Cmd: "(?i)pwsh|powershell"
-    patterns:
-      - "(?i)login.*expired|expired.*login"
-    message: "The Azure authentication session may have expired."
-    suggestion: "Run 'azd auth login' to refresh your credentials, then retry."
-
-  # ============================================================================
-  # Subscription Errors
-  # ============================================================================
-
-  - patterns:
-      - "no subscriptions found"
-      - "no subscription found"
-    message: "No Azure subscriptions were found for your account."
-    suggestion: >
-      Ensure you have an active subscription at https://portal.azure.com.
-      If you have multiple tenants, run 'azd auth login --tenant-id <tenant-id>'
-      to sign in to a specific tenant. Multi-factor authentication (MFA) may prevent
-      automatic access to all tenants — visit the Azure portal and switch to each tenant
-      to refresh your MFA sessions, then retry 'azd auth login'.
-    links:
-      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"
-        title: "azd auth login reference"
-
-  # ============================================================================
-  # Text Pattern Rules — Specific patterns first
-  # These are fallbacks for errors without typed Go structs.
-  # ============================================================================
-
-  - patterns:
-      - "parsing project file"
-    message: "Your azure.yaml file is invalid."
-    suggestion: "Check the syntax of your azure.yaml file and fix any errors."
-    links:
-      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/azd-schema"
-        title: "azure.yaml schema reference"
-
-  - patterns:
-      - "InvalidAuthenticationToken"
-      - "ExpiredAuthenticationToken"
-      - "TokenExpired"
-    message: "Your authentication token has expired."
-    suggestion: "Run 'azd auth login' to sign in again."
-    links:
-      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"
-        title: "azd auth login reference"
-
-  - regex: true
-    patterns:
-      - "BCP\\d{3}"
-    message: "Your Bicep template has an error."
-    suggestion: "Review the error message for the specific issue and line number in your .bicep file."
-    links:
-      - url: "https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-error-codes"
-        title: "Bicep error codes reference"
-
-  # ============================================================================
-  # Text Pattern Rules — Broad/generic patterns (least specific, must be last)
-  # ============================================================================
-
-  - patterns:
-      - "AADSTS"
-    message: "Authentication with Azure failed."
-    suggestion: "Run 'azd auth login' to sign in again."
-    links:
-      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"
-        title: "azd auth login reference"
-
-  - patterns:
-      - "QuotaExceeded"
-      - "quota exceeded"
-      - "exceeds quota"
-    message: "Your Azure subscription has reached a resource quota limit."
-    suggestion: "Request a quota increase through the Azure portal, or try deploying to a different region."
-    links:
-      - url: "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal"
-        title: "Increase Azure subscription quotas"
+# yaml-language-server: $schema=error_suggestions.schema.json
+# Error Suggestions Configuration
+# ================================
+# This file maps well-known error patterns to user-friendly messages and actionable suggestions.
+# Rules are evaluated in order; the first matching rule wins.
+#
+# Matching Fields (at least one required):
+#   - patterns:   List of strings/regex to match against error message text
+#   - errorType:  Go error struct type name to match via reflection (e.g., "AzureDeploymentError")
+#   - properties: Map of dot-path property names to expected values on the matched error type
+#
+# When multiple matching fields are specified, ALL must match for the rule to trigger.
+#
+# Response Fields:
+#   - message:    User-friendly explanation of what went wrong
+#   - suggestion: Actionable next steps to resolve the issue
+#   - links:      Optional list of reference links (each with url and optional title)
+#   - handler:    Optional name of a registered ErrorHandler for dynamic suggestions
+#
+# Pattern Types:
+#   - Default: Case-insensitive substring match (e.g., "quota exceeded")
+#   - Regex: Set "regex: true" on the rule to treat all patterns and property
+#     values as regular expressions (e.g., "BCP\\d{3}")
+#
+# Examples:
+#   # Text pattern matching:
+#   - patterns:
+#       - "some error text"
+#     message: "A brief, user-friendly explanation."
+#     suggestion: "Clear instruction on how to fix."
+#
+#   # Typed error matching with properties:
+#   - errorType: "DeploymentErrorLine"
+#     properties:
+#       Code: "InsufficientQuota"
+#     message: "Quota limit reached."
+#     suggestion: "Request a quota increase."
+
+rules:
+  # ============================================================================
+  # ORDERING: Most specific rules first, least specific last.
+  # Typed error rules (errorType + properties) are naturally more specific
+  # than text-only pattern rules. Within each group, rules with additional
+  # constraints (patterns, keywords) come before bare code matches.
+  # ============================================================================
+
+  # ============================================================================
+  # ARM Deployment Errors — Soft-delete conflicts (most specific first)
+  # 4th most common error category (~128,054 errors in 90-day analysis)
+  # ============================================================================
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "FlagMustBeSetForRestore"
+    message: "A soft-deleted resource with this name exists and is blocking deployment."
+    suggestion: >
+      Purge the resource in the Azure portal or via the Azure CLI,
+      then retry with 'azd up'. If the resources are still provisioned,
+      running 'azd down --purge' will delete and purge them.
+    links:
+      - url: "https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery"
+        title: "Azure Key Vault soft-delete recovery"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "DeploymentActive"
+    message: "Another deployment is already in progress on this scope."
+    suggestion: >-
+      Wait for the current deployment to complete, then retry.
+      You can check deployment status in the Azure portal under the Deployments blade.
+    links:
+      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-deployment-active"
+        title: "Troubleshoot DeploymentActive errors"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "ConflictError"
+    message: "A resource conflict occurred, possibly caused by a soft-deleted resource."
+    suggestion: >
+      Purge the resource in the Azure portal or via the Azure CLI,
+      then retry with 'azd up'. If the resources are still provisioned,
+      running 'azd down --purge' will delete and purge them.
+
+  # Conflict + soft-delete keywords (more specific than bare Conflict)
+  - errorType: "DeploymentErrorLine"
+    regex: true
+    properties:
+      Code: "Conflict"
+    patterns:
+      - "(?i)soft.?delete"
+      - "(?i)purge"
+      - "(?i)deleted vault"
+      - "(?i)deleted resource"
+      - "(?i)recover or purge"
+    message: "A soft-deleted resource is causing a deployment conflict."
+    suggestion: >
+      Purge the soft-deleted resource in the Azure portal or via the
+      Azure CLI, then retry with 'azd up'. If the resources are still
+      provisioned, running 'azd down --purge' will delete and purge them.
+    links:
+      - url: "https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery"
+        title: "Azure Key Vault soft-delete recovery"
+
+  - errorType: "DeploymentErrorLine"
+    regex: true
+    properties:
+      Code: "RequestConflict"
+    patterns:
+      - "(?i)soft.?delete"
+      - "(?i)purge"
+      - "(?i)deleted vault"
+      - "(?i)deleted resource"
+      - "(?i)recover or purge"
+    message: "A soft-deleted resource is causing a deployment conflict."
+    suggestion: >
+      Purge the soft-deleted resource in the Azure portal or via the
+      Azure CLI, then retry with 'azd up'. If the resources are still
+      provisioned, running 'azd down --purge' will delete and purge them.
+
+  # ============================================================================
+  # ARM Deployment Errors — Specific error codes
+  # ============================================================================
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "InsufficientQuota"
+    message: "Your subscription has insufficient quota for this resource."
+    suggestion: >
+      Check current usage with 'az vm list-usage --location <region>'
+      or request a quota increase in the Azure portal.
+    links:
+      - url: "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal"
+        title: "Increase Azure subscription quotas"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "SubscriptionIsOverQuotaForSku"
+    message: "Your subscription quota for this SKU is exceeded."
+    suggestion: "Request a quota increase or use a different SKU."
+    links:
+      - url: "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal"
+        title: "Increase Azure subscription quotas"
+
+  # ResponseError from ARM SDK (e.g., validation fails before polling)
+  - errorType: "ResponseError"
+    properties:
+      ErrorCode: "LocationNotAvailableForResourceType"
+    handler: "resourceNotAvailableHandler"
+    links:
+      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-sku-not-available"
+        title: "Resolve SKU not available errors"
+      - url: "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/table"
+        title: "Azure products available by region"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "LocationNotAvailableForResourceType"
+    handler: "resourceNotAvailableHandler"
+    links:
+      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-sku-not-available"
+        title: "Resolve SKU not available errors"
+      - url: "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/table"
+        title: "Azure products available by region"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "AuthorizationFailed"
+    message: "You do not have sufficient permissions for this deployment."
+    suggestion: >
+      Ensure you have the required RBAC role (e.g., Owner or Contributor)
+      on the target subscription. If the template creates role assignments,
+      the Owner or User Access Administrator role is required.
+    links:
+      - url: "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal"
+        title: "Assign Azure roles"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "Unauthorized"
+    message: "The request was unauthorized."
+    suggestion: >
+      Run 'azd auth login' to re-authenticate, then verify you have
+      the required RBAC role on the target subscription or resource group.
+    links:
+      - url: "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal"
+        title: "Assign Azure roles"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "Forbidden"
+    message: "Access to this resource is forbidden."
+    suggestion: >
+      You may lack the required RBAC role, or an Azure Policy is
+      blocking the operation. Check your role assignments and any
+      deny assignments or policies on the target scope.
+    links:
+      - url: "https://learn.microsoft.com/azure/role-based-access-control/troubleshooting"
+        title: "Troubleshoot Azure RBAC"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "RequestDisallowedByPolicy"
+    message: "An Azure Policy is blocking this deployment."
+    suggestion: >
+      Check which policies are assigned to your subscription or
+      resource group with 'az policy assignment list'. Contact your
+      administrator to add an exemption or adjust the policy.
+    links:
+      - url: "https://learn.microsoft.com/azure/governance/policy/troubleshoot/general"
+        title: "Troubleshoot Azure Policy"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "RoleAssignmentExists"
+    message: "A role assignment with this configuration already exists."
+    suggestion: >
+      This is usually safe to ignore on re-deployment. The role
+      assignment was already created in a previous run.
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "PrincipalNotFound"
+    message: "The security principal for a role assignment was not found."
+    suggestion: >
+      The user, group, or service principal may have been deleted.
+      Check that the principal ID in your template is valid, or
+      remove the stale role assignment.
+    links:
+      - url: "https://learn.microsoft.com/azure/role-based-access-control/troubleshooting"
+        title: "Troubleshoot Azure RBAC"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "NoRegisteredProviderFound"
+    message: "A required Azure resource provider is not registered."
+    suggestion: >
+      Register the missing provider with
+      'az provider register --namespace <provider>'.
+      Common providers: Microsoft.CognitiveServices,
+      Microsoft.Search, Microsoft.App, Microsoft.ContainerRegistry.
+    links:
+      - url: "https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/error-register-resource-provider"
+        title: "Resolve resource provider registration errors"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "InvalidTemplate"
+    message: "The deployment template contains errors."
+    suggestion: "Run 'azd provision --preview' to validate before deploying."
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "ValidationError"
+    message: "The deployment failed validation."
+    suggestion: >
+      Check resource property values and API versions
+      in your Bicep/Terraform files.
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "ResourceNotFound"
+    message: "A referenced resource was not found."
+    suggestion: >
+      Check resource dependencies and deployment ordering
+      in your template.
+
+  # Bare Conflict — least specific ARM code rule, must be AFTER
+  # Conflict + keyword rules above
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "Conflict"
+    message: "A resource with this name already exists or is in a conflicting state."
+    suggestion: "Check for existing or soft-deleted resources in the Azure portal."
+
+  # ============================================================================
+  # Container App Errors
+  # ~2.46% of all azd errors (~3,152 in 90-day analysis)
+  # ============================================================================
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "ContainerAppSecretInvalid"
+    message: "A secret referenced by the container app is missing or invalid."
+    suggestion: >
+      Check your secret definitions in the Bicep template. Ensure all
+      secrets referenced by environment variables or ingress exist and
+      have valid values.
+    links:
+      - url: "https://learn.microsoft.com/azure/container-apps/manage-secrets"
+        title: "Manage secrets in Azure Container Apps"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "ContainerAppOperationError"
+    patterns:
+      - "image"
+    message: "The container image could not be pulled."
+    suggestion: >
+      Verify the image name and tag, ensure the container registry
+      is accessible, and check that registry credentials are configured
+      correctly (admin enabled or managed identity assigned).
+    links:
+      - url: "https://learn.microsoft.com/azure/container-apps/containers"
+        title: "Containers in Azure Container Apps"
+
+  - errorType: "DeploymentErrorLine"
+    properties:
+      Code: "ContainerAppOperationError"
+    message: "A Container App operation failed during deployment."
+    suggestion: >
+      Inspect the container app revision logs with
+      'az containerapp logs show --name <app> -g <resource-group> --follow'.
+      Common causes include invalid environment variables, port
+      mismatches, or insufficient resources.
+    links:
+      - url: "https://learn.microsoft.com/azure/container-apps/troubleshooting"
+        title: "Troubleshoot Azure Container Apps"
+
+  - errorType: "DeploymentErrorLine"
+    regex: true
+    properties:
+      Code: "InvalidParameterValueInContainerTemplate"
+    message: "The container app template has an invalid parameter."
+    suggestion: >
+      Check container resource limits (CPU/memory), port
+      configuration, and environment variable values in your template.
+    links:
+      - url: "https://learn.microsoft.com/azure/container-apps/containers"
+        title: "Containers in Azure Container Apps"
+
+  # ============================================================================
+  # PowerShell Hook Failures (errorType + properties + patterns)
+  # ~5% of all azd errors (~6,347); AI templates hit 6.59%
+  # ============================================================================
+
+  - errorType: "ExitError"
+    regex: true
+    properties:
+      Cmd: "(?i)pwsh|powershell"
+    patterns:
+      - "Import-Module"
+      - "not loaded"
+    message: "A required PowerShell module could not be loaded."
+    suggestion: "Install the missing module with 'Install-Module <ModuleName> -Scope CurrentUser'."
+
+  - errorType: "ExitError"
+    regex: true
+    properties:
+      Cmd: "(?i)pwsh|powershell"
+    patterns:
+      - "(?i)Az\\.\\S+.*is not recognized"
+    message: "The Azure PowerShell module (Az) is required but not installed."
+    suggestion: "Install it with 'Install-Module Az -Scope CurrentUser -Repository PSGallery -Force'."
+    links:
+      - url: "https://learn.microsoft.com/powershell/azure/install-azure-powershell"
+        title: "Install Azure PowerShell"
+
+  - errorType: "ExitError"
+    regex: true
+    properties:
+      Cmd: "(?i)pwsh|powershell"
+    patterns:
+      - "UnauthorizedAccess"
+    message: "PowerShell execution policy is blocking the script."
+    suggestion: >
+      Check your policy with 'Get-ExecutionPolicy' and consider setting it with
+      'Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser'.
+
+  - errorType: "ExitError"
+    regex: true
+    properties:
+      Cmd: "(?i)pwsh|powershell"
+    patterns:
+      - "ErrorActionPreference"
+    message: "The hook script has an issue with error handling configuration."
+    suggestion: "Ensure '$ErrorActionPreference = \"Stop\"' is set at the top of the script."
+
+  - errorType: "ExitError"
+    regex: true
+    properties:
+      Cmd: "(?i)pwsh|powershell"
+    patterns:
+      - "Connect-AzAccount"
+    message: "The Azure authentication session may have expired."
+    suggestion: "Run 'azd auth login' to refresh your credentials, then retry."
+
+  - errorType: "ExitError"
+    regex: true
+    properties:
+      Cmd: "(?i)pwsh|powershell"
+    patterns:
+      - "(?i)login.*expired|expired.*login"
+    message: "The Azure authentication session may have expired."
+    suggestion: "Run 'azd auth login' to refresh your credentials, then retry."
+
+  # ============================================================================
+  # Subscription Errors
+  # ============================================================================
+
+  - patterns:
+      - "no subscriptions found"
+      - "no subscription found"
+    message: "No Azure subscriptions were found for your account."
+    suggestion: >
+      Ensure you have an active subscription at https://portal.azure.com.
+      If you have multiple tenants, run 'azd auth login --tenant-id <tenant-id>'
+      to sign in to a specific tenant. Multi-factor authentication (MFA) may prevent
+      automatic access to all tenants — visit the Azure portal and switch to each tenant
+      to refresh your MFA sessions, then retry 'azd auth login'.
+    links:
+      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"
+        title: "azd auth login reference"
+
+  # ============================================================================
+  # Text Pattern Rules — Specific patterns first
+  # These are fallbacks for errors without typed Go structs.
+  # ============================================================================
+
+  - patterns:
+      - "parsing project file"
+    message: "Your azure.yaml file is invalid."
+    suggestion: "Check the syntax of your azure.yaml file and fix any errors."
+    links:
+      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/azd-schema"
+        title: "azure.yaml schema reference"
+
+  - patterns:
+      - "InvalidAuthenticationToken"
+      - "ExpiredAuthenticationToken"
+      - "TokenExpired"
+    message: "Your authentication token has expired."
+    suggestion: "Run 'azd auth login' to sign in again."
+    links:
+      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"
+        title: "azd auth login reference"
+
+  - regex: true
+    patterns:
+      - "BCP\\d{3}"
+    message: "Your Bicep template has an error."
+    suggestion: "Review the error message for the specific issue and line number in your .bicep file."
+    links:
+      - url: "https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-error-codes"
+        title: "Bicep error codes reference"
+
+  # ============================================================================
+  # Text Pattern Rules — Broad/generic patterns (least specific, must be last)
+  # ============================================================================
+
+  - patterns:
+      - "AADSTS"
+    message: "Authentication with Azure failed."
+    suggestion: "Run 'azd auth login' to sign in again."
+    links:
+      - url: "https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"
+        title: "azd auth login reference"
+
+  - patterns:
+      - "QuotaExceeded"
+      - "quota exceeded"
+      - "exceeds quota"
+    message: "Your Azure subscription has reached a resource quota limit."
+    suggestion: "Request a quota increase through the Azure portal, or try deploying to a different region."
+    links:
+      - url: "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal"
+        title: "Increase Azure subscription quotas"

From 5479ef75bea5096dd1d38524e49382703bd857fd Mon Sep 17 00:00:00 2001
From: Shayne Boyer <spboyer@live.com>
Date: Tue, 24 Mar 2026 08:54:47 -0700
Subject: [PATCH 10/12] Remove orphaned ListActiveDeployments from mockedScope

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 cli/azd/pkg/infra/provisioning/bicep/bicep_provider_test.go | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/cli/azd/pkg/infra/provisioning/bicep/bicep_provider_test.go b/cli/azd/pkg/infra/provisioning/bicep/bicep_provider_test.go
index 007ac6c6649..1bb52ef0a11 100644
--- a/cli/azd/pkg/infra/provisioning/bicep/bicep_provider_test.go
+++ b/cli/azd/pkg/infra/provisioning/bicep/bicep_provider_test.go
@@ -1085,10 +1085,6 @@ func (m *mockedScope) ListDeployments(ctx context.Context) ([]*azapi.ResourceDep
 	}, nil
 }
 
-func (m *mockedScope) ListActiveDeployments(ctx context.Context) ([]*azapi.ResourceDeployment, error) {
-	return nil, nil
-}
-
 func TestUserDefinedTypes(t *testing.T) {
 	mockContext := mocks.NewMockContext(context.Background())
 	mockContext.CommandRunner.When(func(args exec.RunArgs, command string) bool {

From 37327189a2231d204859a10ac5c7889a79a85b60 Mon Sep 17 00:00:00 2001
From: Shayne Boyer <spboyer@live.com>
Date: Tue, 24 Mar 2026 09:18:20 -0700
Subject: [PATCH 11/12] Fix: use scopeForTemplate instead of deployment for
 active check

The deployment object returned by generateDeploymentObject embeds a
Scope that can be nil in test environments (e.g. mockedScope returns
an empty SubscriptionDeployment). Using scopeForTemplate resolves
the scope from the provider's configuration, avoiding nil panics
in existing tests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go b/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go
index 9a859cfa44c..23af048a9bf 100644
--- a/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go
+++ b/cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go
@@ -810,9 +810,13 @@ func (p *BicepProvider) Deploy(ctx context.Context) (*provisioning.DeployResult,
 		p.console.StopSpinner(ctx, "", input.StepDone)
 	}
 
-	// Check for active deployments at the target scope and wait if any are in progress
-	if err := p.waitForActiveDeployments(ctx, deployment); err != nil {
-		return nil, err
+	// Check for active deployments at the target scope and wait if any are in progress.
+	// Use scopeForTemplate to get the raw scope — deployment.Scope may have a nil
+	// inner scope in test mocks.
+	if activeScope, err := p.scopeForTemplate(planned.Template); err == nil {
+		if err := p.waitForActiveDeployments(ctx, activeScope); err != nil {
+			return nil, err
+		}
 	}
 
 	progressCtx, cancelProgress := context.WithCancel(ctx)

From 153c731302d69696ba3540483147feb5d3865b97 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 16:25:21 +0000
Subject: [PATCH 12/12] Initial plan