Lock the Azure compute landing zone for sv0-platform: westeurope, IaaS primitives only, Cloudflare Tunnel ingress (no public IPs / no Azure LB), HA prod fleet across two zones, ephemeral per-PR VMs, OIDC-federated TF auth, and a cloud-portability rule set that keeps the design migratable to AWS/GCP.
Target authentication architecture for SecurityV0 — portal UI, API, and infrastructure access. Three IdPs (GitHub at L1 perimeter, WorkOS at L2 application, Entra at L3 Azure RBAC), four SSH tiers including a narrow Tier-1.5 emergency key, an Active subscription-Owner Entra account (no PIM, no backup SP — 2nd-human-Owner is the rollback) with Security Defaults MFA-on-sign-in.
Operationalises ADR-022 §3 (Phase 3f) for the dev tier: the stable demo VM at dev-azure.securityv0.com deploys on every main CI success via Azure Run Command using a new tightly-scoped Entra app + OIDC federation from GitHub Actions. No SSH key in the deploy path. Hetzner stays warm as fallback during cutover (no behavior change on the Hetzner side). PR-preview ephemeral VMs are explicitly out of scope; the design for that surface is banked in [docs/infrastructure/azure-ephemeral-pr-previews-design.md](../../infrastructure/azure-ephemeral-pr-previews-design.md) for re-activation when triggered.
Plan to consolidate duplicated Azure functionality across the entra-servicenow and azure-foundry connectors (ARM RBAC role resolution, scope parsing, Entra Graph SP lookups, credential type detection) into a shared package.
Unified strategy for moving SecurityV0 from manual scans to autonomous operations with built-in cross-validation, observability, and an Azure VM hosting lane — ahead of the MediaPro pilot.
Minimal Azure permissions required to run the Foundry connector pilot
Deferred design for ephemeral Azure PR-preview VMs with a cap-of-3 hard-fail policy, deployment-stacks lifecycle, drift sweeper, and composite RBAC. NOT active infrastructure — the implementation work was cut from ADR-024 (2026-05-14) on the grounds that (a) Hetzner already runs PR previews and (b) no concrete trigger demands the move. This document preserves the design so it can be lifted into an active ADR when a trigger materialises (Hetzner OOM pattern, partner with concurrent-review load, regulatory data-residency requirement, etc.). Lives in docs/infrastructure/ alongside operational infra docs but is distinguishable by the `-design` filename suffix and `status: deferred` frontmatter.
Azure identity-plane integration specification supporting W1 (Agentic AI Exposure Discovery & Assessment)
Implementation plan for ADR-022: current Hetzner inventory, target Azure topology, five-phase migration sequencing, secrets delivery via Key Vault + Managed Identity, and the executable break-glass procedure for the case where TFC is unreachable.
Codex-authored critical architecture review of the connector ETL pipeline (ServiceNow to Azure to Fabric) with focus on correctness, security evidence, and end-to-end auditability. Verdict: not audit-grade deterministic today.
Proposal for automating source system provisioning across Azure, AWS, GCP, and ServiceNow using Terraform modules for cloud identity and per-connector Python setup scripts for SaaS configuration
Synthesized plan from three concurrent architectural reviews (Gemini3, Codex, fresh architect review) to make the connector ETL pipeline produce audit-grade, deterministic execution evidence
Infrastructure automation for SecurityV0 — dev environment provisioning, cloud identity setup, and source system configuration
Integration reference and test scenarios for SecurityV0 source systems
Draft ADR (pending team discussion) on standardizing the platform's classification of Azure managed identities, currently labeled inconsistently across connectors as 'service principal' or 'machine account'.
Design patterns for recovery service principals — lessons from the 2026-05-13 cancelled sv0-azure-backup-owner SP. Reference for the NEXT time a recovery SP is genuinely warranted.
Cross-system scenario showing ServiceNow tickets triggering Azure automations via Service Principal authentication chain