diff --git a/.github/instructions/ado-pipeline.instructions.md b/.github/instructions/ado-pipeline.instructions.md
new file mode 100644
index 00000000000..32b7448db54
--- /dev/null
+++ b/.github/instructions/ado-pipeline.instructions.md
@@ -0,0 +1,302 @@
+---
+applyTo: ".github/workflows/ado/*.yml,.github/workflows/ado/templates/*.yml,.github/workflows/scripts/**"
+description: "Authoring and maintenance rules for Azure DevOps YAML pipelines under .github/workflows/ado/ (wrappers + raw stage templates under templates/) and their helper scripts under .github/workflows/scripts/ that run as GitHub PR checks or in the merge queue. Apply when creating or modifying any pipeline in that folder, or any script invoked by one — covers the wrapper/raw split, required OneBranch templates (Official vs NonOfficial), Workload Identity Federation service connections, Control Tower audience URIs, internal-only dependency sources (Go / Python / container images), Python-over-shell scripting, and security hardening."
+---
+
+# Azure DevOps Pipelines (PR check & merge queue)
+
+These instructions cover ADO YAML pipelines under `.github/workflows/ado/` that run as GitHub PR checks or in the merge queue, plus their helper scripts under `.github/workflows/scripts/`. Follow every MUST below — they encode internal Microsoft policy plus security hardening for this repo.
+
+Helper scripts invoked from these pipelines MUST live under `.github/workflows/scripts/<area>/` (one subdirectory per logical area / pipeline). Keep them self-contained and follow the same security hardening rules as the pipeline YAML itself.
+
+> If anything below conflicts with what the user is asking for, **stop and ask the user** rather than guessing — especially for the Official vs NonOfficial template choice.
+
+## Pipeline structure: wrapper + raw stages (MANDATORY)
+
+Every ADO pipeline in this repo is split into **two YAML files**:
+
+1. **Wrapper** — `.github/workflows/ado/<name>.yml`. This is the file passed to ADO as the pipeline definition. It is the *only* place that knows about OneBranch:
+   - declares `resources.repositories` for `OneBranch.Pipelines/GovernedTemplates`,
+   - picks the OneBranch variant via `extends:` (`Official` vs `NonOfficial` — see next section),
+   - configures the OneBranch `parameters.featureFlags`,
+   - injects the raw stages template via `parameters.stages: - template: …@self` and supplies concrete values for its `parameters:`.
+
+   The wrapper MUST NOT contain `stages:`, `jobs:`, or `steps:` directly. If you find yourself adding a `script:` block to a wrapper, stop — it belongs in the raw stages template.
+
+2. **Raw stages template** — `.github/workflows/ado/templates/<name>-stages.yml`. This file declares `parameters:` + `stages:` and contains the actual jobs/steps. It MUST be OneBranch-agnostic:
+   - no `resources:`, no `extends:`, no `featureFlags:`,
+   - no string mentions of `OneBranch` or `GovernedTemplates`,
+   - any value coupled to the OneBranch contract (output dir, artifact base name, container image, pool type, service connection, variable group, timeout) is exposed as a **parameter with a neutral name** and bound by the wrapper.
+
+   `ob_*` job-scope variables and `LinuxContainerImage` still appear here (ADO requires them at job scope), but they are set from `${{ parameters.* }}`, so the raw author never has to know which OneBranch convention they satisfy.
+
+File-pairing convention: a wrapper at `.github/workflows/ado/<name>.yml` pairs with a raw stages template at `.github/workflows/ado/templates/<stem>-stages.yml`. **Multiple wrappers MAY share a single raw stages template** — that is in fact a primary motivation for the split: define several ADO pipelines (e.g. a DEV NonOfficial wrapper and a PROD Official wrapper, or per-environment variants) that all run the same stages/jobs/steps but differ in OneBranch variant, `featureFlags`, service connection, variable group, container image, etc. When wrappers share a raw template, name them so the relationship is obvious (e.g. `sources-upload-dev.yml` + `sources-upload-prod.yml` both pointing at `templates/sources-upload-stages.yml`). The variant choice cannot be hoisted into a shared sub-template because ADO requires `extends:` at the root of the entry pipeline — that is exactly why each wrapper exists.
+
+See [.github/workflows/ado/sources-upload.yml](.github/workflows/ado/sources-upload.yml) and [.github/workflows/ado/templates/sources-upload-stages.yml](.github/workflows/ado/templates/sources-upload-stages.yml) for the canonical example.
+
+## OneBranch templates (MANDATORY — wrapper only)
+
+The rules in this section apply to the **wrapper** file. The raw stages template MUST NOT reference OneBranch at all.
+
+To comply with internal policy, every wrapper MUST extend a OneBranch governed template:
+
+```yaml
+resources:
+  repositories:
+    - repository: templates
+      type: git
+      name: OneBranch.Pipelines/GovernedTemplates
+      ref: refs/heads/main   # exception to the "no floating refs" rule (see Security)
+
+extends:
+  template: v2/OneBranch.<Variant>.CrossPlat.yml@templates
+```
+
+Pick the variant by **what the pipeline talks to at runtime AND how it is classified in ADO**:
+
+| Variant | When to use |
+|---------|-------------|
+| `v2/OneBranch.Official.CrossPlat.yml@templates` | Pipeline interacts with **production** resources, endpoints, registries, or feeds — **OR** the ADO pipeline itself is marked as a production pipeline, regardless of what its YAML logic appears to do. |
+| `v2/OneBranch.NonOfficial.CrossPlat.yml@templates` | Everything else (PR validation hitting dev/staging only, lint/test, dry-runs) **and** the ADO pipeline is not classified as production. |
+
+Production-classified pipelines MUST use `Official` even if the current YAML only does dev-looking work — the classification is the source of truth, not the inline logic. If you cannot determine the classification or whether the pipeline touches production, **ask the user** before choosing — do not default.
+
+### Required / recommended OneBranch variables
+
+OneBranch templates require these per job. In the wrapper/raw split, the raw stages template declares them in its `variables:` block but binds them from `${{ parameters.* }}`; the **wrapper** supplies the concrete values when invoking the raw template.
+
+| Variable | Required? | Purpose | Suggested raw parameter name |
+|----------|-----------|---------|------------------------------|
+| `ob_outputDirectory` | **Required** | Where build outputs are staged (typically `$(Build.ArtifactStagingDirectory)/output`). | `outputDirectory` |
+| `ob_artifactBaseName` | Recommended | Base name for the published artifact; helps when multiple jobs publish artifacts. | `artifactBaseName` |
+| `LinuxContainerImage` | Required when `pool.type: linux` with a container | Must come from `mcr.microsoft.com` (see Container images below). | `containerImage` |
+
+> Consult the **1ES MCP** at `https://eschat.microsoft.com/mcp` for the most current OneBranch guidance and feature flags. If it is not configured in this workspace, follow the setup notes at https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-docs/es-chat/askeschat-mcp-vscode and surface that link to the user. Do not block on its absence.
+
+## Triggers
+
+Always set both triggers off in the **wrapper** YAML — pipeline wiring (PR check / merge queue) is configured in the ADO pipeline settings, outside the YAML, and is out of scope here. Raw stage templates do not declare triggers (they are not entry points):
+
+```yaml
+trigger: none
+pr: none
+```
+
+## Authentication & Azure access (MANDATORY)
+
+**Service Connections backed by Workload Identity Federation (OIDC) are the only accepted way** to access Azure resources or Control Tower endpoints from these pipelines.
+
+- Use `AzureCLI@2` with `azureSubscription: <service-connection-name>` to obtain credentials/tokens. The task auto-issues a federated token; no secret material is embedded in the pipeline.
+- **Do not** use PATs, account passwords, client secrets stored in pipeline variables, or `az login -u/-p` flows.
+- Use a **separate, least-privilege Service Connection per environment** (e.g. one for dev, one for prod), each scoped to the minimum subscription / resource group / role required.
+- Federated credentials should be scoped to the specific ADO service connection (`subject: sc://<org>/<project>/<sc-name>`).
+
+## Control Tower endpoints
+
+When the pipeline calls a Control Tower API:
+
+- **Audience URI MUST be correct for the target environment.** The token is issued for `api://<ControlTower-ClientId>` and that client ID differs per environment (DEV vs PROD). Pull both the audience URI and the base URL from a **variable group** — never hardcode them in YAML or scripts.
+- Use the per-environment Service Connection that is paired with the matching Control Tower app registration. Mixing dev SC with a prod audience (or vice versa) will fail token validation.
+- To look up Control Tower endpoint shapes and request/response contracts, consult the upstream repo at `https://dev.azure.com/mariner-org/azl/_git/azl-ControlTower`. Default to the `main` branch, but **confirm with the user** whether they want to target a different commit/branch (e.g. an in-flight feature branch).
+- This is a private ADO repo. Two ways to read it, in order of preference:
+  1. Use the **Azure DevOps MCP** (default name `ado`) to browse it directly. If it is not configured, point the user at the setup guide: https://learn.microsoft.com/en-us/azure/devops/mcp-server/mcp-server-overview?view=azure-devops.
+  2. Ask the user to provide a **path to a local clone** of `azl-ControlTower` and read endpoint definitions from there. Confirm which branch/commit the local clone is on before relying on it.
+
+  If neither is available, fall back to best-effort guidance from what is in the current workspace and clearly flag the limitation to the user.
+
+## Internal-only dependency sources (MANDATORY)
+
+Pipelines MUST NOT pull from public/upstream registries. Use the internal mirrors / proxies for every dependency type.
+
+### Go modules
+
+Enable the OneBranch internal Go module proxy via feature flag on the `extends` block:
+
+```yaml
+extends:
+  template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates
+  parameters:
+    featureFlags:
+      golang:
+        internalModuleProxy:
+          enabled: true
+```
+
+### Python (pip) packages
+
+Authenticate pip against the internal feed before any `pip install`:
+
+```yaml
+- task: PipAuthenticate@1
+  displayName: "Authenticate pip"
+  inputs:
+    artifactFeeds: "azl/ControlTowerFeed"
+```
+
+Use the appropriate internal feed name for the workload (this example matches the Control Tower feed). Do not invoke `pip install` from public PyPI without authenticating to an internal feed first.
+
+### Container images
+
+Third-party (non-Microsoft) images MUST come from `mcr.microsoft.com`. This applies to:
+
+- `LinuxContainerImage` (and any `WindowsContainerImage`) on the OneBranch pool.
+- Any image the pipeline pulls or builds from in a step (base images in Dockerfiles, sidecar containers, tools, etc.).
+
+Example:
+
+```yaml
+variables:
+  - name: LinuxContainerImage
+    value: mcr.microsoft.com/onebranch/azurelinux/build:3.0
+```
+
+The authoritative list and rules live at https://eng.ms/docs/more/containers-secure-supply-chain/approved-images. The agent SHOULD attempt to fetch that page for the latest guidance; if the request fails (the page is auth-walled), try the **1ES MCP** at `https://eschat.microsoft.com/mcp` — it can surface the current approved-images guidance directly. If neither source is reachable, give the user both URLs and fall back to the `mcr.microsoft.com` rule above.
+
+## Scripting
+
+Avoid shell scripts beyond the smallest possible wiring (env exports, `##vso[...]` log commands, single-command tool invocations). For anything more complex — argument parsing, control flow, JSON/YAML handling, HTTP, branch-name/SHA parsing — write a **Python script** under `.github/workflows/scripts/<area>/` and invoke it from the pipeline:
+
+```yaml
+- task: AzureCLI@2
+  displayName: "Call Control Tower endpoint"
+  inputs:
+    azureSubscription: <service-connection-name>
+    scriptType: bash
+    scriptLocation: inlineScript
+    inlineScript: |
+      set -euo pipefail
+      python3 .github/workflows/scripts/<area>/<script>.py \
+        --api-audience "$API_AUDIENCE" \
+        --api-base-url "$API_BASE_URL"
+  env:
+    API_AUDIENCE: $(ApiAudience)
+    API_BASE_URL: $(ApiBaseUrl)
+```
+
+Python scripts are easier to test locally, easier to review, and avoid the foot-guns of bash quoting / globbing.
+
+## Security hardening
+
+Apply all of these unless there is a documented reason not to:
+
+- **`set -euo pipefail`** at the top of every non-trivial bash block.
+- **Pass secrets via the `env:` block** of the step, never via inline `$(SecretVar)` interpolation in the script body (interpolation can leak into logs and into argv on `ps`-like inspection).
+- Prefer ADO secret variables sourced from a **variable group linked to Azure Key Vault** over plaintext pipeline variables.
+- **Pin all tool versions** (e.g. `go install ...@<commit>`, `pip install -r requirements.txt`, container image tags). No `@latest` / floating tags. **Single exception:** the OneBranch `GovernedTemplates` repo `ref` may be `refs/heads/main` — that's the documented OneBranch usage pattern.
+- **Validate / sanitize PR-supplied data** (branch names, commit SHAs, PR numbers) with strict regex before using it in shell, file paths, or HTTP calls. Treat anything that came from the PR as untrusted input.
+- Set an explicit, conservative **`timeoutInMinutes`** on each job (long enough to cover the slowest legitimate run, no longer).
+- Do **not** use `persistCredentials: true` on `checkout:` unless a step genuinely needs to push back to the repo; if it does, scope and audit it.
+- Never `echo` secret values or write them to files. Use `##[group]` / `##[endgroup]` to keep logs structured and reviewable.
+- Keep the pipeline definition self-contained — avoid sourcing arbitrary scripts fetched at runtime from the internet.
+
+## Minimal skeletons
+
+Use these as a starting point for a new pipeline. Two files: a wrapper (NonOfficial variant — switch to Official if it touches production) and a raw stages template.
+
+### Wrapper — `.github/workflows/ado/<name>.yml`
+
+```yaml
+trigger: none
+pr: none
+
+resources:
+  repositories:
+    - repository: templates
+      type: git
+      name: OneBranch.Pipelines/GovernedTemplates
+      ref: refs/heads/main
+
+extends:
+  template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates
+  parameters:
+    featureFlags:
+      golang:
+        internalModuleProxy:
+          enabled: true
+    stages:
+      - template: /.github/workflows/ado/templates/<name>-stages.yml@self
+        parameters:
+          outputDirectory: $(Build.ArtifactStagingDirectory)/output
+          artifactBaseName: <artifact-base-name>
+          containerImage: mcr.microsoft.com/onebranch/azurelinux/build:3.0
+          poolType: linux
+          serviceConnection: <service-connection-name>
+          variableGroup: <variable-group-name>
+          timeoutInMinutes: <int>   # explicit, conservative
+```
+
+### Raw stages — `.github/workflows/ado/templates/<name>-stages.yml`
+
+```yaml
+parameters:
+  - name: outputDirectory
+    type: string
+  - name: artifactBaseName
+    type: string
+  - name: containerImage
+    type: string
+  - name: poolType
+    type: string
+    default: linux
+  - name: serviceConnection
+    type: string
+  - name: variableGroup
+    type: string
+  - name: timeoutInMinutes
+    type: number
+
+stages:
+  - stage: <StageName>
+    jobs:
+      - job: <JobName>
+        timeoutInMinutes: ${{ parameters.timeoutInMinutes }}
+        pool:
+          type: ${{ parameters.poolType }}
+        variables:
+          - group: ${{ parameters.variableGroup }}      # audience URI, base URL, etc.
+          - name: ob_outputDirectory
+            value: ${{ parameters.outputDirectory }}
+          - name: ob_artifactBaseName
+            value: ${{ parameters.artifactBaseName }}
+          - name: LinuxContainerImage
+            value: ${{ parameters.containerImage }}
+        steps:
+          - task: PipAuthenticate@1
+            displayName: "Authenticate pip"
+            inputs:
+              artifactFeeds: "<internal-feed>"
+
+          - task: AzureCLI@2
+            displayName: "<what this step does>"
+            inputs:
+              azureSubscription: ${{ parameters.serviceConnection }}
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                set -euo pipefail
+                python3 .github/workflows/scripts/<area>/<script>.py \
+                  --api-audience "$API_AUDIENCE" \
+                  --api-base-url "$API_BASE_URL"
+            env:
+              API_AUDIENCE: $(ApiAudience)
+              API_BASE_URL: $(ApiBaseUrl)
+```
+
+Replace every `<...>` placeholder.
+
+## Maintenance checklist
+
+Run through this list whenever you add or modify a pipeline in `.github/workflows/ado/`:
+
+- [ ] Pipeline is split into a **wrapper** (`.github/workflows/ado/<name>.yml`) and a **raw stages template** (`.github/workflows/ado/templates/<stem>-stages.yml`). A raw stages template MAY be shared by multiple wrappers (e.g. DEV vs PROD variants).
+- [ ] Wrapper is the *only* place that names OneBranch — extends a governed template; **Official** vs **NonOfficial** matches whether it touches production.
+- [ ] Wrapper has no `stages:` / `jobs:` / `steps:` / `script:` of its own; it only invokes the raw stages template via `parameters.stages: - template: …@self` and supplies its parameters.
+- [ ] Raw stages template is OneBranch-agnostic: no `resources:`, no `extends:`, no `featureFlags:`, no string mentions of `OneBranch` / `GovernedTemplates`. OneBranch-coupled values (`ob_outputDirectory`, `ob_artifactBaseName`, `LinuxContainerImage`, pool type, service connection, variable group, timeout) are exposed as neutral-named `parameters:` and bound from the wrapper.
+- [ ] `trigger: none` and `pr: none` set in the wrapper YAML.
+- [ ] `ob_outputDirectory` set on every job; `ob_artifactBaseName` set when artifacts are published.
+- [ ] All Azure / Control Tower access goes through `AzureCLI@2` with a least-privilege Service Connection (WIF/OIDC). No PATs or password logins.
+- [ ] Control Tower calls use the correct **per-environment audience URI** sourced from a variable group; nothing hardcoded.
+- [ ] No upstream dependency pulls: Go uses `internalModuleProxy`, Python uses `PipAuthenticate@1`, container images come from `mcr.microsoft.com`.
+- [ ] Any non-trivial logic lives in a Python script under `.github/workflows/scripts/`, not inline bash.
+- [ ] Secrets passed via `env:` (never inline `$(...)`); `set -euo pipefail` in shell blocks; tool versions pinned (only `GovernedTemplates@main` exempted).
+- [ ] Explicit `timeoutInMinutes` on each job; PR-supplied inputs validated with strict regex.
diff --git a/.github/workflows/ado/sources-upload.yml b/.github/workflows/ado/sources-upload.yml
new file mode 100644
index 00000000000..17c46d1b3f5
--- /dev/null
+++ b/.github/workflows/ado/sources-upload.yml
@@ -0,0 +1,72 @@
+# Microsoft Corporation
+#
+# Wrapper pipeline — passed to ADO as the entry point. This file owns all
+# OneBranch-specific wiring (governed templates repo, Official vs NonOfficial
+# variant, featureFlags) and delegates the actual stages/jobs/steps to the
+# raw stages template at:
+#   .github/workflows/ado/templates/sources-upload-stages.yml
+#
+# Authenticates via Workload Identity Federation (OIDC) and calls the Control
+# Tower prcheck API with PR context.
+#
+# Prerequisites (ADO / Azure Portal):
+#   1. Entra ID App Registration with audience URI
+#      "api://<ControlTower-ClientId>" (see variable group below).
+#   2. Federated identity credential on the app registration for the ADO
+#      service connection (issuer: https://vstoken.dev.azure.com/<org-id>,
+#      subject: sc://<org>/<project>/<service-connection-name>).
+#   3. ARM service connection in ADO project settings using Workload Identity
+#      Federation (manual).
+#   4. ADO branch policy or pipeline PR trigger configured to fire on PRs.
+#
+# Variable Group (ADO Pipelines > Library):
+#   Name: "ControlTower-PRCheck"
+#   Required variables:
+#     - ApiAudience          : Entra ID audience URI for the Control Tower app
+#     - ApiBaseUrl           : Base URL of the Control Tower service
+#     - AzldevCommit         : Commit hash for azldev (go install ...@<commit>)
+
+# Trigger controlled by ADO branch policy — not YAML triggers.
+trigger: none
+
+pr: none
+
+resources:
+  repositories:
+    - repository: templates
+      type: git
+      name: OneBranch.Pipelines/GovernedTemplates
+      ref: refs/heads/main
+
+extends:
+  template: v2/OneBranch.Official.CrossPlat.yml@templates
+  parameters:
+    featureFlags:
+      golang:
+        internalModuleProxy:
+          enabled: true
+      LinuxHostVersion:
+        Network: R1
+      runOnHost: true
+      EnableCDPxPAT: false
+
+    # https://aka.ms/obpipelines/sdl
+    globalSdl:
+      disableLegacyManifest: true
+      sbom:
+        enabled: false
+      tsa:
+        enabled: false
+
+    stages:
+      - template: /.github/workflows/ado/templates/sources-upload-stages.yml@self
+        parameters:
+          outputDirectory: $(Build.ArtifactStagingDirectory)/output
+          artifactBaseName: prcheck
+          containerImage: mcr.microsoft.com/onebranch/azurelinux/build:3.0
+          poolType: linux
+          serviceConnection: CT-Endpoints-Access-ServiceConnection-DEV
+          variableGroup: ControlTower-PRCheck
+          # Must exceed the script's --poll-timeout-seconds (default 7200s = 120m)
+          # with enough headroom for setup steps and the final API call.
+          timeoutInMinutes: 150
diff --git a/.github/workflows/ado/templates/sources-upload-stages.yml b/.github/workflows/ado/templates/sources-upload-stages.yml
new file mode 100644
index 00000000000..6eb5dacfde3
--- /dev/null
+++ b/.github/workflows/ado/templates/sources-upload-stages.yml
@@ -0,0 +1,204 @@
+# Microsoft Corporation
+#
+# Raw stages template for the sources-upload PR check pipeline.
+#
+# This template is OneBranch-agnostic: it declares the stages/jobs/steps that
+# do the actual work and exposes the OneBranch-coupled knobs as parameters.
+# The wrapper at .github/workflows/ado/sources-upload.yml is responsible for
+# choosing the OneBranch governed template variant (Official vs NonOfficial),
+# configuring its featureFlags, and supplying concrete values for the
+# parameters declared below.
+
+parameters:
+  - name: outputDirectory
+    type: string
+  - name: artifactBaseName
+    type: string
+  - name: containerImage
+    type: string
+  - name: poolType
+    type: string
+    default: linux
+  - name: serviceConnection
+    type: string
+  - name: variableGroup
+    type: string
+  - name: timeoutInMinutes
+    type: number
+
+stages:
+  - stage: PRCheck
+    jobs:
+      - job: CallControlTowerAPI
+        # Non-blocking PR check: failing steps still render red error annotations
+        # and surface in the build-issues view, but the job resolves to
+        # SucceededWithIssues and the run to PartiallySucceeded, which the Azure
+        # Pipelines GitHub integration reports as success to GitHub PR checks and
+        # the merge queue. Errors and warnings remain visible to the user.
+        # TODO: Remove `continueOnError` once the pipeline is stable so failures
+        #       block PRs and the merge queue.
+        # ADO task: 19179
+        continueOnError: true
+        # Must exceed the script's --poll-timeout-seconds (default 7200s = 120m)
+        # with enough headroom for setup steps and the final API call.
+        timeoutInMinutes: ${{ parameters.timeoutInMinutes }}
+        pool:
+          type: ${{ parameters.poolType }}
+        variables:
+          - group: ${{ parameters.variableGroup }}
+          - name: ob_outputDirectory
+            value: ${{ parameters.outputDirectory }}
+          - name: ob_artifactBaseName
+            value: ${{ parameters.artifactBaseName }}
+          - name: LinuxContainerImage
+            value: ${{ parameters.containerImage }}
+        steps:
+          - task: PipAuthenticate@1
+            displayName: "Authenticate pip"
+            inputs:
+              artifactFeeds: "azl/ControlTowerFeed"
+
+          - script: |
+              set -euo pipefail
+
+              echo "##[group]Mock"
+              tdnf install -y mock mock-rpmautospec python3-chardet
+              sudo usermod -aG mock "$(whoami)"
+              echo "##[endgroup]"
+
+              echo "##[group]Azldev"
+              echo "Installing azldev@${AZLDEV_COMMIT}..."
+              go install "github.com/microsoft/azure-linux-dev-tools/cmd/azldev@${AZLDEV_COMMIT}"
+
+              go_bin_path="$(go env GOPATH)/bin"
+              echo "##vso[task.prependpath]$go_bin_path"
+
+              "$go_bin_path/azldev" --version
+              echo "##[endgroup]"
+
+              echo "##[group]Python dependencies"
+              pip install -r .github/workflows/scripts/control-tower-prcheck/requirements.txt
+              echo "##[endgroup]"
+            displayName: "Install dependencies"
+            env:
+              AZLDEV_COMMIT: $(AzldevCommit)
+
+          - script: |
+              set -euo pipefail
+
+              # Workaround for an ADO git config error during spec rendering.
+              # The config key may not be present on every agent image, so tolerate its absence.
+              git config --unset extensions.worktreeConfig || true
+
+              # Full history is needed for spec rendering to work.
+              if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then
+                git fetch --unshallow
+              fi
+
+              # TODO: Replace with using the TOML config to read the specs dir once available.
+              #       The '-o "$specs_dir"' should be removed as part of the update. Future command:
+              #         specs_dir="$(azldev config dump -q -f json | jq -r .project.renderedSpecsDir)"
+              #       Similarly, the component rendering below should change to:
+              #         azldev component render -q -a
+              # ADO task: 19149
+              specs_dir="specs"
+
+              echo "##[group]Specs rendering"
+              azldev component render -q -a -o "$specs_dir" --force --clean-stale
+              echo "##[endgroup]"
+
+              # Check for any new or modified files under the specs directory.
+              if ! python3 .github/workflows/scripts/check_rendered_specs.py --specs-dir "$specs_dir"; then
+                echo "##[group]Git diff"
+                git --no-pager diff -- "$specs_dir"
+                echo "##[endgroup]"
+                echo "##[error]Specs are not up to date. Run 'azldev component render -q -a' and try again."
+                exit 1
+              fi
+            displayName: "Verify rendered specs are up to date"
+            # TODO: Re-enabled failing once specs in the main branch are updated and stable.
+            # ADO task: 19179
+            continueOnError: true
+
+          - script: |
+              set -euo pipefail
+
+              # For both triggers, Build.SourceVersion is the relevant source commit:
+              # - PR trigger: ADO sets it to the GitHub-created merge commit (refs/pull/{n}/merge).
+              # - CI/merge-queue trigger: it is the commit that landed on the base branch.
+              source_hash="$SOURCE_COMMIT"
+
+              if [[ "$BUILD_REASON" == "PullRequest" ]]; then
+                # PR trigger: ADO provides the target branch directly.
+                target_hash=$(git ls-remote "$UPSTREAM_REPO_URL" "$PR_TARGET_BRANCH" | cut -f1)
+              else
+                # CI/merge-queue trigger: extract the base branch from the merge-queue branch name.
+                # Branch format: refs/heads/gh-readonly-queue/{base_branch}/pr-{pr_number}-{head_sha}
+                # Using 'test/' branches until ready with the merge queue, but the parsing logic is the same.
+                if ! base_branch=$(grep -oP '(?<=test/gh-readonly-queue/).+(?=/pr-[^/]+$)' <<< "$SOURCE_BRANCH"); then
+                  echo "##[error]Unsupported SOURCE_BRANCH '$SOURCE_BRANCH' for non-PullRequest build. Expected 'refs/heads/gh-readonly-queue/<base>/pr-<n>-<sha>'."
+                  exit 1
+                fi
+                target_hash=$(git ls-remote "$UPSTREAM_REPO_URL" "refs/heads/$base_branch" | cut -f1)
+              fi
+
+              echo "Source commit: $source_hash"
+              echo "Target commit: $target_hash"
+
+              echo "##vso[task.setvariable variable=sourceCommit]$source_hash"
+              echo "##vso[task.setvariable variable=targetCommit]$target_hash"
+            env:
+              BUILD_REASON: $(Build.Reason)
+              PR_TARGET_BRANCH: $(System.PullRequest.TargetBranch)
+              SOURCE_BRANCH: $(Build.SourceBranch)
+              SOURCE_COMMIT: $(Build.SourceVersion)
+              UPSTREAM_REPO_URL: $(Build.Repository.Uri)
+            displayName: "Determine source and target commit hashes"
+
+          - script: |
+              set -euo pipefail
+
+              cat << EOF
+              NOTE: It's possible more components changed between the source and target commits than displayed below.
+                    This workflow only checks for updates in the 'sources' files and ignores all other changes.
+              EOF
+
+              components=()
+              while IFS= read -r line; do
+                components+=("$(basename "$(dirname "$line")")")
+              done < <(git diff "$SOURCE_COMMIT" "$TARGET_COMMIT" --name-only | grep '/sources$' | sort -u)
+
+              components="$(IFS=, ; echo "${components[*]}")"
+              echo "Affected components: $components"
+              echo "##vso[task.setvariable variable=components]$components"
+            env:
+              SOURCE_COMMIT: $(sourceCommit)
+              TARGET_COMMIT: $(targetCommit)
+            displayName: "Determine affected components"
+
+          - task: AzureCLI@2
+            displayName: "Call Control Tower 'prcheck' API"
+            inputs:
+              azureSubscription: ${{ parameters.serviceConnection }}
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                set -euo pipefail
+
+                python3 .github/workflows/scripts/control-tower-prcheck/run_control_tower_prcheck.py \
+                  --api-audience "$API_AUDIENCE" \
+                  --api-base-url "$API_BASE_URL" \
+                  --build-reason "$BUILD_REASON" \
+                  --components "$COMPONENTS" \
+                  --source-commit "$SOURCE_COMMIT" \
+                  --repo-uri "$UPSTREAM_REPO_URL"
+            env:
+              API_AUDIENCE: $(ApiAudience)
+              API_BASE_URL: $(ApiBaseUrl)
+              BUILD_REASON: $(Build.Reason)
+              COMPONENTS: $(components)
+              SOURCE_COMMIT: $(sourceCommit)
+              # TODO: Target commit is not used. Will be needed once we move detection of affected components to CT.
+              # ADO task: 18816
+              TARGET_COMMIT: $(targetCommit)
+              UPSTREAM_REPO_URL: $(Build.Repository.Uri)
diff --git a/.github/workflows/scripts/README.md b/.github/workflows/scripts/README.md
index 8ee6ba54ea5..00037382804 100644
--- a/.github/workflows/scripts/README.md
+++ b/.github/workflows/scripts/README.md
@@ -38,7 +38,7 @@ The easiest way to get quick, interactive feedback is with [GitHub Copilot](http
 ```bash
 cd ~/repos/azurelinux
 python -m venv .venv && source .venv/bin/activate
-pip install -r .github/workflows/scripts/requirements.txt
+pip install -r .github/workflows/scripts/spec-review/requirements.txt
     gh copilot
     # OR
     npm install -g @github/copilot
@@ -51,19 +51,19 @@ copilot --version  # verify CLI
 # Defaults: reviews all *.spec in repo, writes to repo root
 #   spec_review_report.json, copilot_log.md, spec_review_kb.md
 
-./.github/workflows/scripts/spec_review.sh \
+./.github/workflows/scripts/spec-review/spec_review.sh \
   --spec base/comps/azurelinux-release/azurelinux-release.spec \
   --spec base/comps/azurelinux-repos/azurelinux-repos.spec
 
 # Validate / inspect
-python .github/workflows/scripts/spec_review_schema.py /tmp/spec_review_report.json --all
-python .github/workflows/scripts/spec_review_schema.py /tmp/spec_review_report.json --json | jq
+python .github/workflows/scripts/spec-review/spec_review_schema.py /tmp/spec_review_report.json --all
+python .github/workflows/scripts/spec-review/spec_review_schema.py /tmp/spec_review_report.json --json | jq
 ```
 
 The script supports additional options (like selecting a model, or using different URLs); run with `--help` for details.
 
 ```bash
-./.github/workflows/scripts/spec_review.sh --help
+./.github/workflows/scripts/spec-review/spec_review.sh --help
 ```
 
 ## Run multi-model review (spec_review_multi.sh)
@@ -79,11 +79,11 @@ uses a third model pass to synthesize their findings into a single high-quality
 
 ```bash
 # Defaults: claude-opus-4.6 + gpt-5.2-codex reviewers, gpt-5.2-codex synthesizer
-./.github/workflows/scripts/spec_review_multi.sh \
+./.github/workflows/scripts/spec-review/spec_review_multi.sh \
   --spec base/comps/azurelinux-release/azurelinux-release.spec
 
 # Custom models
-./.github/workflows/scripts/spec_review_multi.sh \
+./.github/workflows/scripts/spec-review/spec_review_multi.sh \
   --spec foo.spec \
   --model1 gpt-5.2-codex \
   --model2 claude-opus-4.6 \
@@ -101,7 +101,7 @@ ls /tmp/spec_review_workdir/
 Run with `--help` for all options:
 
 ```bash
-./.github/workflows/scripts/spec_review_multi.sh --help
+./.github/workflows/scripts/spec-review/spec_review_multi.sh --help
 ```
 
 ---
@@ -119,7 +119,7 @@ copilot --agent spec-review
 ```bash
 # For semi-automated or fully automated runs, use -i or -p flags:
 prompt="Review: base/comps/azurelinux-release/azurelinux-release.spec against packaging guidelines.\n"\
-"Write JSON to spec_review_report.json and validate with: python .github/workflows/scripts/spec_review_schema.py spec_review_report.json"
+"Write JSON to spec_review_report.json and validate with: python .github/workflows/scripts/spec-review/spec_review_schema.py spec_review_report.json"
 
 # Semi-interactive (runs prompt, then waits for the user)
 copilot --agent spec-review \
@@ -144,7 +144,7 @@ copilot --agent spec-review \
   -p "$prompt"
 
 # Review output
-python .github/workflows/scripts/spec_review_schema.py spec_review_report.json --all
+python .github/workflows/scripts/spec-review/spec_review_schema.py spec_review_report.json --all
 ```
 
 ## Future work
diff --git a/.github/workflows/scripts/check_rendered_specs.py b/.github/workflows/scripts/check_rendered_specs.py
new file mode 100755
index 00000000000..58a05b2cb0a
--- /dev/null
+++ b/.github/workflows/scripts/check_rendered_specs.py
@@ -0,0 +1,608 @@
+#!/usr/bin/env python3
+"""
+Check rendered specs for drift and (optionally) post a PR comment.
+
+Compares the committed specs tree against the working tree (after
+`azldev component render -a` has been run) and reports meaningful differences,
+filtering out changelog-timestamp noise.
+
+Usage:
+    # Just check (local dev, CI without comment posting):
+    python check_rendered_specs.py --specs-dir specs
+
+    # Check and post/update a PR comment:
+    python check_rendered_specs.py --specs-dir specs --repo owner/repo --pr 123
+
+Exit codes:
+    0 — specs are up to date (timestamp-only noise filtered)
+    1 — real diffs, extra files, or missing files detected
+
+Environment:
+    GH_TOKEN — required when --repo/--pr are given
+"""
+
+from __future__ import annotations
+
+import argparse
+import difflib
+import json
+import os
+import re
+import subprocess
+import sys
+from pathlib import Path
+
+# ---------------------------------------------------------------------------
+# Constants
+# ---------------------------------------------------------------------------
+
+COMMENT_MARKER = "<!-- RENDERED_SPEC_CHECK -->"
+MAX_INLINE_DIFFS = 10
+MAX_FILE_LIST = 50  # cap extra/missing file lists in comment
+MAX_COMMENT_CHARS = 60_000  # GH limit is 65 535; leave headroom
+MAX_STEP_SUMMARY = 1_000_000  # GH step summary limit is 1024 KiB
+
+# Matches the azldev-generated changelog line.
+# e.g. "* Wed Apr 08 2026 azldev <> - 1.0-1"
+_CHANGELOG_DATE_RE = re.compile(
+    r"^\* [A-Z][a-z]{2} [A-Z][a-z]{2} [0-9]{2} [0-9]{4} azldev "
+)
+
+# ---------------------------------------------------------------------------
+# Git helpers
+# ---------------------------------------------------------------------------
+
+
+def _git(*args: str) -> str:
+    """Run a git command and return stdout."""
+    return subprocess.run(
+        ["git", *args], capture_output=True, text=True, check=True
+    ).stdout
+
+
+def _git_lines(*args: str) -> list[str]:
+    """Run a git command and return non-empty output lines."""
+    return [line for line in _git(*args).splitlines() if line]
+
+
+# ---------------------------------------------------------------------------
+# Normalisation
+# ---------------------------------------------------------------------------
+
+
+def normalize_changelog_date(text: str) -> str:
+    """Replace the date on azldev changelog entries with a placeholder."""
+    out: list[str] = []
+    for line in text.splitlines(keepends=True):
+        if _CHANGELOG_DATE_RE.match(line):
+            line = _CHANGELOG_DATE_RE.sub("* DATEPLACEHOLDER azldev ", line)
+        out.append(line)
+    return "".join(out)
+
+
+# ---------------------------------------------------------------------------
+# Diff / classification
+# ---------------------------------------------------------------------------
+
+
+def component_from_path(file_path: str) -> str:
+    """Extract the component name from a specs path.
+
+    The component is always the direct parent directory:
+    specs/a/acl/acl.spec → acl
+    /abs/path/specs/n/nano/nano.spec → nano
+    """
+    return Path(file_path).parent.name
+
+
+def classify_changes(specs_dir: Path) -> tuple[list[str], list[str], list[str]]:
+    """Return (changed, extra, missing) file lists under specs_dir.
+
+    The three lists are disjoint: changed contains only modified files,
+    missing contains only deleted files, and extra contains untracked files.
+    """
+    sd = str(specs_dir)
+    changed = _git_lines("diff", "--diff-filter=M", "--name-only", "--", sd)
+    extra = _git_lines("ls-files", "--others", "--exclude-standard", "--", sd)
+    missing = _git_lines("ls-files", "--deleted", "--", sd)
+    return changed, extra, missing
+
+
+def filter_timestamp_noise(changed_files: list[str], specs_dir: Path) -> list[dict]:
+    """Filter changed files to only those with real (non-timestamp) diffs.
+
+    Only .spec files are checked for timestamp noise — other file types
+    (patches, GPG keys, etc.) are always treated as real changes.
+    """
+    real_diffs: list[dict] = []
+    for path_str in changed_files:
+        file_path = Path(path_str)
+        is_spec = file_path.suffix == ".spec"
+
+        # Read committed version — use bytes to handle binary files
+        try:
+            committed_bytes = subprocess.run(
+                ["git", "show", f"HEAD:{path_str}"],
+                capture_output=True,
+                check=True,
+            ).stdout
+        except subprocess.CalledProcessError:
+            continue
+
+        # Try to decode as UTF-8; if it fails, it's binary — always a real diff
+        try:
+            committed = committed_bytes.decode("utf-8")
+        except UnicodeDecodeError:
+            real_diffs.append(
+                {
+                    "path": path_str,
+                    "component": component_from_path(path_str),
+                    "diff": f"Binary file {path_str} differs",
+                }
+            )
+            continue
+
+        try:
+            working = file_path.read_text(encoding="utf-8", errors="replace")
+        except FileNotFoundError:
+            continue
+
+        if is_spec:
+            norm_committed = normalize_changelog_date(committed)
+            norm_working = normalize_changelog_date(working)
+        else:
+            norm_committed = committed
+            norm_working = working
+
+        if norm_committed == norm_working:
+            continue
+
+        udiff = "".join(
+            difflib.unified_diff(
+                norm_committed.splitlines(keepends=True),
+                norm_working.splitlines(keepends=True),
+                fromfile=f"committed/{path_str}",
+                tofile=f"rendered/{path_str}",
+            )
+        )
+
+        real_diffs.append(
+            {
+                "path": path_str,
+                "component": component_from_path(path_str),
+                "diff": udiff,
+            }
+        )
+
+    return real_diffs
+
+
+# ---------------------------------------------------------------------------
+# Report building
+# ---------------------------------------------------------------------------
+
+
+def build_report(
+    content_diffs: list[dict],
+    extra_files: list[str],
+    missing_files: list[str],
+) -> dict:
+    """Build the JSON-serialisable report."""
+    return {
+        "content_diffs": content_diffs,
+        "extra_files": [
+            {"path": p, "component": component_from_path(p)} for p in extra_files
+        ],
+        "missing_files": [
+            {"path": p, "component": component_from_path(p)} for p in missing_files
+        ],
+    }
+
+
+# ---------------------------------------------------------------------------
+# Comment formatting
+# ---------------------------------------------------------------------------
+
+
+def _unique_components(items: list[dict]) -> list[str]:
+    seen: set[str] = set()
+    out: list[str] = []
+    for item in items:
+        c = item["component"]
+        if c not in seen:
+            seen.add(c)
+            out.append(c)
+    out.sort()
+    return out
+
+
+def _render_command(components: list[str], use_all: bool = False) -> str:
+    if use_all or len(components) > 30:
+        return "azldev component render -a"
+    return f"azldev component render {' '.join(components)}"
+
+
+def format_comment(
+    report: dict,
+    artifacts_url: str | None = None,
+    run_id: str | None = None,
+    repo: str | None = None,
+) -> str:
+    content_diffs = report.get("content_diffs", [])
+    extra_files = report.get("extra_files", [])
+    missing_files = report.get("missing_files", [])
+
+    n_diff = len(content_diffs)
+    n_extra = len(extra_files)
+    n_missing = len(missing_files)
+    total = n_diff + n_extra + n_missing
+
+    if total == 0:
+        return f"{COMMENT_MARKER}\n## ✅ Rendered specs are up to date\n"
+
+    all_comps: list[str] = sorted(
+        set(_unique_components(content_diffs) + _unique_components(missing_files))
+    )
+    use_all = bool(extra_files)
+    remediation_cmd = _render_command([] if use_all else all_comps, use_all=use_all)
+
+    lines: list[str] = [
+        COMMENT_MARKER,
+        "## ❌ Rendered specs are out of date",
+        "",
+        "🚧🚧🚧🚧🚧",
+        "",
+        "> [!WARNING]",
+        ">",
+        "> **Disregard this comment.**",
+        ">",
+        "> Spec rendering is still under development and checked-in specs",
+        "> should not be updated in PRs yet.",
+        "> Please ignore this comment for now unless you are actively",
+        "> working on the render pipeline.",
+        "",
+        "🚧🚧🚧🚧🚧",
+        "",
+        "**FIX:** — run this and commit the result:",
+        "",
+        f"```bash\n{remediation_cmd}\n```",
+        "",
+    ]
+
+    if artifacts_url:
+        lines.append(f"Or [download the fix patch]({artifacts_url}) and apply it:")
+        lines.append("")
+        if run_id and repo:
+            lines.append(
+                "```bash\n"
+                f"gh run download {run_id} -R {repo} -n rendered-specs-patch\n"
+                "git apply rendered-specs.patch\n"
+                "```"
+            )
+        else:
+            lines.append("```bash\ngit apply rendered-specs.patch\n```")
+        lines.append("")
+
+    lines.extend(
+        [
+            "| Category | Count |",
+            "|----------|-------|",
+            f"| Content diffs | {n_diff} |",
+            f"| Extra files (untracked) | {n_extra} |",
+            f"| Missing files (deleted) | {n_missing} |",
+            "",
+        ]
+    )
+
+    if content_diffs:
+        lines.append("### Content diffs")
+        lines.append("")
+        shown = 0
+        body_so_far = len("\n".join(lines))
+        for item in content_diffs:
+            if shown >= MAX_INLINE_DIFFS:
+                remaining = n_diff - shown
+                lines.append(
+                    f"*… and {remaining} more file(s). "
+                    "Run the remediation command above to see all changes.*"
+                )
+                lines.append("")
+                break
+            path = item["path"]
+            diff_text = item.get("diff", "")
+            block = (
+                "<details>\n"
+                f"<summary><code>{path}</code></summary>\n\n"
+                f"```diff\n{diff_text}\n```\n\n"
+                "</details>\n"
+            )
+            if body_so_far + len(block) > MAX_COMMENT_CHARS - 2000:
+                remaining = n_diff - shown
+                lines.append(
+                    f"*… and {remaining} more file(s) — comment size limit reached. "
+                    "Run the remediation command above to see all changes.*"
+                )
+                lines.append("")
+                break
+            lines.append(block)
+            body_so_far += len(block)
+            shown += 1
+
+    if extra_files:
+        lines.append("### Files to add")
+        lines.append("")
+        lines.append(
+            "These files are produced by `azldev component render` but are "
+            "missing from your branch. Add them."
+        )
+        lines.append("")
+        for item in extra_files[:MAX_FILE_LIST]:
+            lines.append(f"- `{item['path']}`")
+        if len(extra_files) > MAX_FILE_LIST:
+            lines.append(f"\n*… and {len(extra_files) - MAX_FILE_LIST} more file(s).*")
+        lines.append("")
+
+    if missing_files:
+        lines.append("### Files to remove")
+        lines.append("")
+        lines.append(
+            "These files are in your branch but are not produced by render. "
+            "Remove them."
+        )
+        lines.append("")
+        for item in missing_files[:MAX_FILE_LIST]:
+            lines.append(f"- `{item['path']}`")
+        if len(missing_files) > MAX_FILE_LIST:
+            lines.append(
+                f"\n*… and {len(missing_files) - MAX_FILE_LIST} more file(s).*"
+            )
+        lines.append("")
+
+    return "\n".join(lines)
+
+
+def generate_patch(
+    content_diffs: list[dict],
+    extra_files: list[str],
+    missing_files: list[str],
+) -> bytes:
+    """Generate a git patch covering all detected drift.
+
+    Uses `git add -N` to mark untracked (extra) files as intent-to-add,
+    then runs `git diff` on the specific affected files to capture
+    modified, new, and deleted files in one clean patch.
+    """
+    paths = [d["path"] for d in content_diffs] + extra_files + missing_files
+    if not paths:
+        return b""
+
+    # Mark untracked files as intent-to-add so git diff includes them
+    if extra_files:
+        try:
+            subprocess.run(
+                ["git", "add", "-N", "--", *extra_files],
+                check=True,
+                capture_output=True,
+            )
+        except subprocess.CalledProcessError:
+            pass
+
+    try:
+        result = subprocess.run(
+            ["git", "diff", "--", *paths],
+            capture_output=True,
+            check=True,
+        )
+        patch = result.stdout
+    except subprocess.CalledProcessError:
+        patch = b""
+
+    # Undo the intent-to-add so we don't leave index dirty
+    if extra_files:
+        try:
+            subprocess.run(
+                ["git", "reset", "--", *extra_files],
+                check=True,
+                capture_output=True,
+            )
+        except subprocess.CalledProcessError:
+            pass
+
+    return patch
+
+
+# ---------------------------------------------------------------------------
+# GitHub comment posting
+# ---------------------------------------------------------------------------
+
+
+def _gh(*args: str) -> str:
+    return subprocess.run(
+        ["gh", *args], capture_output=True, text=True, check=True
+    ).stdout.strip()
+
+
+def find_existing_comment(repo: str, pr: str) -> str | None:
+    try:
+        output = _gh(
+            "api",
+            "--paginate",
+            f"/repos/{repo}/issues/{pr}/comments",
+            "--jq",
+            f'.[] | select(.body | contains("{COMMENT_MARKER}")) | .id',
+        )
+    except subprocess.CalledProcessError:
+        return None
+    comment_id = output.split("\n")[0].strip() if output else None
+    return comment_id or None
+
+
+def post_or_update_comment(repo: str, pr: str, body: str) -> None:
+    existing_id = find_existing_comment(repo, pr)
+
+    # Write body to a temp file to avoid ARG_MAX limits
+    body_path = Path("render-check-comment.md")
+    body_path.write_text(body, encoding="utf-8")
+    try:
+        if existing_id:
+            print(f"Updating existing comment {existing_id}")
+            _gh(
+                "api",
+                "--method",
+                "PATCH",
+                f"/repos/{repo}/issues/comments/{existing_id}",
+                "-F",
+                f"body=@{body_path}",
+            )
+        else:
+            print("Creating new comment")
+            _gh("pr", "comment", pr, "--repo", repo, "--body-file", str(body_path))
+    finally:
+        body_path.unlink(missing_ok=True)
+
+
+def delete_comment_if_exists(repo: str, pr: str) -> None:
+    existing_id = find_existing_comment(repo, pr)
+    if existing_id:
+        print(f"Deleting stale comment {existing_id}")
+        try:
+            _gh(
+                "api",
+                "--method",
+                "DELETE",
+                f"/repos/{repo}/issues/comments/{existing_id}",
+            )
+        except subprocess.CalledProcessError:
+            print("Warning: failed to delete stale comment", file=sys.stderr)
+
+
+# ---------------------------------------------------------------------------
+# Main
+# ---------------------------------------------------------------------------
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(
+        description="Check rendered specs for drift and optionally post a PR comment."
+    )
+    parser.add_argument(
+        "--specs-dir",
+        type=Path,
+        required=True,
+        help="Path to the rendered specs directory",
+    )
+    parser.add_argument(
+        "--report",
+        type=Path,
+        default=None,
+        help="Write JSON report to this path",
+    )
+    parser.add_argument("--repo", default=None, help="GitHub repo (owner/repo)")
+    parser.add_argument("--pr", default=None, help="PR number")
+    parser.add_argument(
+        "--patch",
+        type=Path,
+        default=None,
+        help="Write a .patch file for real content diffs",
+    )
+    parser.add_argument(
+        "--artifacts-url",
+        default=None,
+        help="URL to the workflow run artifacts (linked in PR comment)",
+    )
+    parser.add_argument(
+        "--run-id",
+        default=None,
+        help="GitHub Actions run ID (for gh run download command in PR comment)",
+    )
+    args = parser.parse_args()
+
+    if bool(args.repo) != bool(args.pr):
+        print("Error: --repo and --pr must be provided together", file=sys.stderr)
+        return 1
+
+    specs_dir = args.specs_dir
+
+    # 1. Classify changes
+    changed, extra, missing = classify_changes(specs_dir)
+    print(
+        f"Raw counts: changed={len(changed)} extra={len(extra)} missing={len(missing)}"
+    )
+
+    # 2. Filter timestamp noise from content diffs
+    content_diffs = filter_timestamp_noise(changed, specs_dir)
+    print(f"After timestamp filtering: {len(content_diffs)} real content diff(s)")
+
+    # 3. Build report
+    report = build_report(content_diffs, extra, missing)
+
+    if args.report:
+        args.report.parent.mkdir(parents=True, exist_ok=True)
+        with open(args.report, "w", encoding="utf-8") as f:
+            json.dump(report, f, indent=2)
+        print(f"Report written to {args.report}")
+
+    total = len(content_diffs) + len(extra) + len(missing)
+
+    # 3b. Generate patch for all drift
+    if args.patch and total > 0:
+        patch_content = generate_patch(content_diffs, extra, missing)
+        if patch_content:
+            args.patch.parent.mkdir(parents=True, exist_ok=True)
+            args.patch.write_bytes(patch_content)
+            print(f"Patch written to {args.patch}")
+
+    # 4. Post comment or clean up (best-effort — exit code is authoritative)
+    if args.repo and args.pr:
+        try:
+            if total == 0:
+                delete_comment_if_exists(args.repo, args.pr)
+            else:
+                body = format_comment(
+                    report,
+                    artifacts_url=args.artifacts_url,
+                    run_id=args.run_id,
+                    repo=args.repo,
+                )
+                post_or_update_comment(args.repo, args.pr, body)
+        except (subprocess.CalledProcessError, OSError) as exc:
+            print(f"Warning: failed to post/update PR comment: {exc}", file=sys.stderr)
+
+    # 5. Write to GitHub step summary if available
+    summary_file = os.environ.get("GITHUB_STEP_SUMMARY")
+    if summary_file and total > 0:
+        summary_body = format_comment(
+            report, artifacts_url=args.artifacts_url, run_id=args.run_id, repo=args.repo
+        )
+        if len(summary_body) <= MAX_STEP_SUMMARY:
+            with open(summary_file, "a", encoding="utf-8") as sf:
+                sf.write(summary_body)
+                sf.write("\n")
+        else:
+            print("Warning: step summary too large, skipping", file=sys.stderr)
+
+    # 6. Print summary and exit
+    if total == 0:
+        print("All rendered specs are up to date (timestamp-only noise filtered).")
+        return 0
+
+    print(
+        f"::error::{len(content_diffs)} content diff(s), "
+        f"{len(extra)} extra file(s), {len(missing)} missing file(s)"
+    )
+    all_comps = sorted(
+        set(
+            _unique_components(content_diffs)
+            + _unique_components(report.get("missing_files", []))
+        )
+    )
+    if extra:
+        print("Remediation: azldev component render -a")
+    elif all_comps:
+        print(f"Remediation: {_render_command(all_comps)}")
+
+    return 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())
\ No newline at end of file
diff --git a/.github/workflows/scripts/control-tower-prcheck/requirements.txt b/.github/workflows/scripts/control-tower-prcheck/requirements.txt
new file mode 100644
index 00000000000..97b2555b279
--- /dev/null
+++ b/.github/workflows/scripts/control-tower-prcheck/requirements.txt
@@ -0,0 +1,2 @@
+azure-identity==1.17.0
+requests==2.31.0
diff --git a/.github/workflows/scripts/control-tower-prcheck/run_control_tower_prcheck.py b/.github/workflows/scripts/control-tower-prcheck/run_control_tower_prcheck.py
new file mode 100644
index 00000000000..825e3ad9f50
--- /dev/null
+++ b/.github/workflows/scripts/control-tower-prcheck/run_control_tower_prcheck.py
@@ -0,0 +1,506 @@
+"""Call the Control Tower prcheck API and wait for the resulting job to finish.
+
+Flow:
+    1. POST ``/api/Scenario/prcheck`` with the PR context. The service responds
+       with a ``WorkflowJobStatusDto`` describing the job it just queued.
+    2. Poll ``/api/Workflow/jobs/status/{jobId}`` until the job reaches a
+       terminal state (Completed / Failed / Cancelled / CancelledByAdmin /
+       TimedOut / Unknown) or the local poll timeout elapses.
+    3. Exit 0 only if the terminal status is ``Completed``; otherwise surface
+       the error details from the job status payload and exit 1.
+
+Authentication:
+    Requires an active Azure CLI session (e.g. via an AzureCLI@2 pipeline
+    task with a Workload Identity Federation service connection).
+    ``DefaultAzureCredential`` discovers the session automatically.
+"""
+
+import argparse
+import json
+import sys
+import time
+from dataclasses import dataclass
+from typing import Any, Optional
+
+import requests
+from azure.identity import DefaultAzureCredential
+from requests.adapters import HTTPAdapter
+from urllib3.util.retry import Retry
+
+# JobStatus values from the Control Tower service
+# (azl-ControlTower/ControlTower/Shared/Models/Jobs/JobStatus.cs).
+_NON_TERMINAL_STATUSES = frozenset({"Queued", "Pending", "Running"})
+_SUCCESS_STATUS = "Completed"
+_TERMINAL_FAILURE_STATUSES = frozenset(
+    {"Failed", "Cancelled", "CancelledByAdmin", "Unknown", "TimedOut"}
+)
+
+
+@dataclass
+class _TokenHolder:
+    """Mutable bearer-token holder so helpers can observe in-place refreshes."""
+
+    token: str
+
+
+def _parse_components(value: str) -> list[str]:
+    """Parse a comma-separated string into a list of stripped, non-empty names."""
+    return [c.strip() for c in value.split(",") if c.strip()]
+
+
+def _parse_args() -> argparse.Namespace:
+    parser = argparse.ArgumentParser(
+        description="Call the Control Tower prcheck API and wait for the job to finish.",
+    )
+    parser.add_argument(
+        "--api-audience",
+        required=True,
+        help="Entra ID audience URI (e.g. api://<client-id>)",
+    )
+    parser.add_argument(
+        "--api-base-url", required=True, help="Base URL of the Control Tower service"
+    )
+    parser.add_argument(
+        "--build-reason",
+        required=True,
+        help="ADO build reason (PullRequest, IndividualCI, …)",
+    )
+    parser.add_argument(
+        "--components",
+        required=True,
+        type=_parse_components,
+        help="Comma-separated list of affected component names",
+    )
+    parser.add_argument("--source-commit", default=None, help="Source commit SHA")
+    parser.add_argument(
+        "--source-branch",
+        default=None,
+        help="Source branch name (alternative to --source-commit)",
+    )
+    parser.add_argument("--target-commit", default=None, help="Target commit SHA")
+    parser.add_argument(
+        "--target-branch",
+        default=None,
+        help="Target branch name (alternative to --target-commit)",
+    )
+    parser.add_argument("--repo-uri", required=True, help="Upstream repository URI")
+    parser.add_argument(
+        "--poll-interval-seconds",
+        type=int,
+        default=10,
+        help="How often to poll the job status endpoint (default: 10).",
+    )
+    parser.add_argument(
+        "--poll-timeout-seconds",
+        type=int,
+        default=7200,
+        help="Maximum time to wait for the job to reach a terminal state (default: 7200 = 2h).",
+    )
+    return parser.parse_args()
+
+
+def _make_session() -> requests.Session:
+    """Create a ``requests.Session`` with retries for idempotent GETs only.
+
+    Retry budget is tuned to complete quickly relative to the 10s default poll
+    interval: worst case ~7s of backoff (0.5 + 1 + 2 + 4s capped) across 3
+    attempts on 429/5xx.
+    """
+    session = requests.Session()
+    retry = Retry(
+        total=3,
+        connect=3,
+        read=3,
+        status=3,
+        backoff_factor=0.5,
+        status_forcelist=(429, 500, 502, 503, 504),
+        allowed_methods=frozenset({"GET"}),
+        raise_on_status=False,
+    )
+    adapter = HTTPAdapter(max_retries=retry)
+    session.mount("http://", adapter)
+    session.mount("https://", adapter)
+    return session
+
+
+def _get_token(credential: DefaultAzureCredential, audience: str) -> str:
+    """Acquire a bearer token for the given audience."""
+    return credential.get_token(f"{audience}/.default").token
+
+
+def _auth_headers(token: str) -> dict[str, str]:
+    return {
+        "Authorization": f"Bearer {token}",
+        "Content-Type": "application/json",
+        "Accept": "application/json",
+    }
+
+
+def _format_error(response: requests.Response) -> str:
+    """Render a detailed diagnostic string for a failed CT response.
+
+    Tolerates the three error shapes used by Control Tower:
+      * Global middleware: ``{"error", "correlationId", "timestamp"}``
+      * Controller-returned errors: ``{"message": "..."}``
+      * ASP.NET validation: ``{"title", "errors": {field: [msg, ...]}}``
+    """
+    method = response.request.method if response.request is not None else "?"
+    lines: list[str] = [
+        f"HTTP {response.status_code} {response.reason} from {method} {response.url}"
+    ]
+
+    body: Any
+    try:
+        body = response.json()
+    except ValueError:
+        body = None
+
+    matched_known_key = False
+    if isinstance(body, dict):
+        # Middleware shape.
+        if "error" in body:
+            lines.append(f"  error: {body['error']}")
+            matched_known_key = True
+        # Controller NotFound / explicit errors.
+        if "message" in body:
+            lines.append(f"  message: {body['message']}")
+            matched_known_key = True
+        # Validation errors.
+        if "title" in body and body.get("title") != body.get("error"):
+            lines.append(f"  title: {body['title']}")
+            matched_known_key = True
+        errors = body.get("errors")
+        if isinstance(errors, dict) and errors:
+            lines.append("  validation errors:")
+            for field, messages in errors.items():
+                if isinstance(messages, list):
+                    for msg in messages:
+                        lines.append(f"    - {field}: {msg}")
+                else:
+                    lines.append(f"    - {field}: {messages}")
+            matched_known_key = True
+        correlation_id = body.get("correlationId") or body.get("traceId")
+        if correlation_id:
+            lines.append(f"  correlationId: {correlation_id}")
+
+    # Only dump the raw body when structured parsing found nothing useful —
+    # this keeps logs readable in the common case while preserving forensics
+    # when CT returns an unexpected shape.
+    if not matched_known_key:
+        raw = response.text or ""
+        if raw:
+            truncated = raw if len(raw) <= 4000 else raw[:4000] + "... [truncated]"
+            lines.append("  raw body:")
+            for raw_line in truncated.splitlines() or [truncated]:
+                lines.append(f"    {raw_line}")
+
+    return "\n".join(lines)
+
+
+def _request_with_refresh(
+    session: requests.Session,
+    method: str,
+    url: str,
+    credential: DefaultAzureCredential,
+    audience: str,
+    token_holder: _TokenHolder,
+    *,
+    json_payload: Optional[dict] = None,
+) -> requests.Response:
+    """Issue a request. On a 401, refresh the bearer token once and retry."""
+    response = session.request(
+        method,
+        url,
+        headers=_auth_headers(token_holder.token),
+        json=json_payload,
+        timeout=(10, 60),
+    )
+    if response.status_code == 401:
+        print(
+            "Bearer token rejected (401) — refreshing and retrying once...", flush=True
+        )
+        token_holder.token = _get_token(credential, audience)
+        response = session.request(
+            method,
+            url,
+            headers=_auth_headers(token_holder.token),
+            json=json_payload,
+            timeout=(10, 60),
+        )
+    return response
+
+
+def _parse_json_object(response: requests.Response, context: str) -> dict:
+    """Parse ``response`` body as a JSON object, raising on non-object payloads."""
+    try:
+        body = response.json()
+    except ValueError as exc:
+        raise RuntimeError(
+            f"{context} returned HTTP {response.status_code} "
+            f"but the body was not valid JSON:\n{response.text}"
+        ) from exc
+    if not isinstance(body, dict):
+        raise RuntimeError(
+            f"{context} returned HTTP {response.status_code} with a non-object "
+            f"JSON body (expected an object):\n{response.text}"
+        )
+    return body
+
+
+def _post_prcheck(
+    session: requests.Session,
+    base_url: str,
+    credential: DefaultAzureCredential,
+    audience: str,
+    token_holder: _TokenHolder,
+    payload: dict,
+) -> dict:
+    """POST the prcheck request and return the parsed response dict."""
+    url = f"{base_url}/api/Scenario/prcheck"
+    response = _request_with_refresh(
+        session, "POST", url, credential, audience, token_holder, json_payload=payload
+    )
+    if not response.ok:
+        raise RuntimeError(
+            "Control Tower 'prcheck' request failed.\n" + _format_error(response)
+        )
+    return _parse_json_object(response, "Control Tower 'prcheck'")
+
+
+def _get_job_status(
+    session: requests.Session,
+    base_url: str,
+    credential: DefaultAzureCredential,
+    audience: str,
+    token_holder: _TokenHolder,
+    job_id: str,
+) -> dict:
+    """GET the job status. Refreshes the bearer token on 401 and retries once."""
+    url = f"{base_url}/api/Workflow/jobs/status/{job_id}"
+    response = _request_with_refresh(
+        session, "GET", url, credential, audience, token_holder
+    )
+    if not response.ok:
+        raise RuntimeError(
+            "Control Tower job status request failed.\n" + _format_error(response)
+        )
+    return _parse_json_object(response, "Control Tower job status")
+
+
+def _summarize_tasks(tasks: Any) -> str:
+    """Return a compact one-line summary of task statuses (e.g. ``3/5 Completed``)."""
+    if not isinstance(tasks, list) or not tasks:
+        return ""
+    total = len(tasks)
+    counts: dict[str, int] = {}
+    for task in tasks:
+        if isinstance(task, dict):
+            status = task.get("status", "Unknown")
+            counts[status] = counts.get(status, 0) + 1
+    parts = ", ".join(f"{count} {status}" for status, count in sorted(counts.items()))
+    return f"{total} tasks ({parts})"
+
+
+def _poll_job_until_terminal(
+    session: requests.Session,
+    base_url: str,
+    credential: DefaultAzureCredential,
+    audience: str,
+    token_holder: _TokenHolder,
+    job_id: str,
+    poll_interval_seconds: int,
+    poll_timeout_seconds: int,
+) -> Optional[dict]:
+    """Poll the job status until it reaches a terminal state or the timeout expires.
+
+    Returns the final status dict, or ``None`` if the local timeout was hit
+    before the job reached a terminal state.
+    """
+    start = time.monotonic()
+    deadline = start + poll_timeout_seconds
+    previous_status: Optional[str] = None
+    job_status_object: Optional[dict] = None
+
+    while True:
+        job_status_object = _get_job_status(
+            session, base_url, credential, audience, token_holder, job_id
+        )
+        current_status = job_status_object.get("status", "Unknown")
+        elapsed = int(time.monotonic() - start)
+
+        if current_status != previous_status:
+            task_summary = _summarize_tasks(job_status_object.get("tasks"))
+            transition = (
+                f"{previous_status} -> {current_status}" if previous_status is not None else current_status
+            )
+            suffix = f" | {task_summary}" if task_summary else ""
+            print(
+                f"Job {job_id} status: {transition} (elapsed {elapsed}s){suffix}",
+                flush=True,
+            )
+            previous_status = current_status
+        else:
+            # Heartbeat so the user can see the script is alive and still polling.
+            print(
+                f"[heartbeat] waiting on job {job_id}, status={current_status}, elapsed={elapsed}s",
+                flush=True,
+            )
+
+        if current_status not in _NON_TERMINAL_STATUSES:
+            return job_status_object
+
+        remaining = deadline - time.monotonic()
+        if remaining <= 0:
+            print(
+                f"##[warning]Local poll timeout of {poll_timeout_seconds}s reached "
+                f"while job {job_id} was still in status '{current_status}'."
+            )
+            return None
+
+        time.sleep(min(poll_interval_seconds, max(1, int(remaining))))
+
+
+def _print_final_status(final: dict) -> None:
+    """Pretty-print the final job status payload."""
+    print("Final job status payload:")
+    print(json.dumps(final, indent=2, default=str))
+
+
+def _report_failure(final: dict) -> None:
+    """Emit ADO-style error lines with the most actionable fields from ``final``."""
+    status = final.get("status", "Unknown")
+    error_message = final.get("errorMessage")
+    job_id = final.get("jobId")
+
+    print(f"##[error]Control Tower job {job_id} finished with status '{status}'.")
+    if error_message:
+        print(f"##[error]errorMessage: {error_message}")
+
+    tasks = final.get("tasks")
+    if isinstance(tasks, list):
+        failed = [
+            t
+            for t in tasks
+            if isinstance(t, dict) and t.get("status") in _TERMINAL_FAILURE_STATUSES
+        ]
+        for task in failed:
+            name = task.get("taskName") or task.get("taskId")
+            print(
+                f"##[error]task '{name}' status={task.get('status')} "
+                f"attempt={task.get('attemptNumber')}"
+            )
+
+
+def main() -> None:
+    args = _parse_args()
+
+    if args.poll_interval_seconds <= 0:
+        print("##[error]--poll-interval-seconds must be a positive integer.")
+        sys.exit(2)
+    if args.poll_timeout_seconds <= 0:
+        print("##[error]--poll-timeout-seconds must be a positive integer.")
+        sys.exit(2)
+
+    # Normalize base URL to avoid accidental double slashes if the operator
+    # configured `ApiBaseUrl` with a trailing '/'.
+    base_url = args.api_base_url.rstrip("/")
+
+    # ── Build payload ────────────────────────────────────────────────
+    payload: dict = {
+        "components": args.components,
+        "buildReason": args.build_reason,
+        "repoUri": args.repo_uri,
+    }
+    if args.source_commit is not None:
+        payload["sourceCommitSha"] = args.source_commit
+    if args.source_branch is not None:
+        payload["sourceBranch"] = args.source_branch
+    if args.target_commit is not None:
+        payload["targetCommitSha"] = args.target_commit
+    if args.target_branch is not None:
+        payload["targetBranch"] = args.target_branch
+
+    print("Calling Control Tower 'prcheck' endpoint...")
+    print("Payload:")
+    print(json.dumps(payload, indent=2))
+
+    if args.build_reason == "PullRequest":
+        print(
+            "Skipping Control Tower call - pull request triggers are not supported, yet."
+        )
+        return
+
+    if not args.components:
+        print(
+            "No affected components detected between source and target commits; "
+            "skipping Control Tower call."
+        )
+        return
+
+    # ── Acquire bearer token ─────────────────────────────────────────
+    credential = DefaultAzureCredential()
+    token_holder = _TokenHolder(token=_get_token(credential, args.api_audience))
+
+    session = _make_session()
+
+    # ── Call prcheck API ─────────────────────────────────────────────
+    try:
+        prcheck_response = _post_prcheck(
+            session, base_url, credential, args.api_audience, token_holder, payload
+        )
+    except RuntimeError as exc:
+        print(f"##[error]{exc}")
+        sys.exit(1)
+
+    print("prcheck response:")
+    print(json.dumps(prcheck_response, indent=2, default=str))
+
+    job_id = prcheck_response.get("jobId")
+    if not job_id:
+        print(
+            "##[error]Control Tower 'prcheck' response did not include a 'jobId'. "
+            "Cannot poll for job status."
+        )
+        sys.exit(1)
+
+    # ── Poll for job completion ──────────────────────────────────────
+    print(
+        f"Polling job {job_id} every {args.poll_interval_seconds}s "
+        f"(timeout {args.poll_timeout_seconds}s)..."
+    )
+    try:
+        final = _poll_job_until_terminal(
+            session,
+            base_url,
+            credential,
+            args.api_audience,
+            token_holder,
+            job_id,
+            args.poll_interval_seconds,
+            args.poll_timeout_seconds,
+        )
+    except RuntimeError as exc:
+        print(f"##[error]{exc}")
+        sys.exit(1)
+
+    if final is None:
+        # Local timeout — job may still be running on the service side.
+        print(
+            f"##[error]Timed out locally after {args.poll_timeout_seconds}s "
+            f"waiting for job {job_id} to finish. Inspect the job in Control Tower."
+        )
+        sys.exit(1)
+
+    _print_final_status(final)
+
+    status = final.get("status")
+    if status == _SUCCESS_STATUS:
+        print(f"Control Tower job {job_id} completed successfully.")
+        return
+
+    _report_failure(final)
+    sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/.github/workflows/scripts/_common.py b/.github/workflows/scripts/spec-review/_common.py
similarity index 100%
rename from .github/workflows/scripts/_common.py
rename to .github/workflows/scripts/spec-review/_common.py
diff --git a/.github/workflows/scripts/create_check_annotations.py b/.github/workflows/scripts/spec-review/create_check_annotations.py
similarity index 100%
rename from .github/workflows/scripts/create_check_annotations.py
rename to .github/workflows/scripts/spec-review/create_check_annotations.py
diff --git a/.github/workflows/scripts/format_pr_comment.py b/.github/workflows/scripts/spec-review/format_pr_comment.py
similarity index 100%
rename from .github/workflows/scripts/format_pr_comment.py
rename to .github/workflows/scripts/spec-review/format_pr_comment.py
diff --git a/.github/workflows/scripts/requirements.txt b/.github/workflows/scripts/spec-review/requirements.txt
similarity index 100%
rename from .github/workflows/scripts/requirements.txt
rename to .github/workflows/scripts/spec-review/requirements.txt
diff --git a/.github/workflows/scripts/spec_review.sh b/.github/workflows/scripts/spec-review/spec_review.sh
similarity index 100%
rename from .github/workflows/scripts/spec_review.sh
rename to .github/workflows/scripts/spec-review/spec_review.sh
diff --git a/.github/workflows/scripts/spec_review_multi.sh b/.github/workflows/scripts/spec-review/spec_review_multi.sh
similarity index 100%
rename from .github/workflows/scripts/spec_review_multi.sh
rename to .github/workflows/scripts/spec-review/spec_review_multi.sh
diff --git a/.github/workflows/scripts/spec_review_schema.py b/.github/workflows/scripts/spec-review/spec_review_schema.py
similarity index 100%
rename from .github/workflows/scripts/spec_review_schema.py
rename to .github/workflows/scripts/spec-review/spec_review_schema.py
diff --git a/.github/workflows/spec-review.disabled b/.github/workflows/spec-review.disabled
index 2ab01a3efa2..63c956c82d4 100644
--- a/.github/workflows/spec-review.disabled
+++ b/.github/workflows/spec-review.disabled
@@ -146,7 +146,7 @@ jobs:
 
       - name: Install dependencies
         if: steps.changed-specs.outputs.skip != 'true'
-        run: pip install -r .github/workflows/scripts/requirements.txt
+        run: pip install -r .github/workflows/scripts/spec-review/requirements.txt
 
       - name: Install Copilot CLI
         if: steps.changed-specs.outputs.skip != 'true'
@@ -158,14 +158,14 @@ jobs:
       - name: Run Copilot spec review (multi-model)
         if: steps.changed-specs.outputs.skip != 'true'
         run: |
-          chmod +x .github/workflows/scripts/spec_review_multi.sh
+          chmod +x .github/workflows/scripts/spec-review/spec_review_multi.sh
           # Build a properly-quoted array from the line-delimited spec list file
           SPEC_ARGS=()
           while IFS= read -r spec; do
             [[ -z "$spec" ]] && continue
             SPEC_ARGS+=("--spec" "$spec")
           done < .spec_review_paths.txt
-          .github/workflows/scripts/spec_review_multi.sh "${SPEC_ARGS[@]}" \
+          .github/workflows/scripts/spec-review/spec_review_multi.sh "${SPEC_ARGS[@]}" \
             --work-dir .spec_review/workdir
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -216,9 +216,9 @@ jobs:
       - name: Compare model findings
         if: always() && steps.changed-specs.outputs.skip != 'true'
         run: |
-          # NOTE: Label model names must match defaults in spec_review_multi.sh
+          # NOTE: Label model names must match defaults in spec-review/spec_review_multi.sh
           # (DEFAULT_MODEL1, DEFAULT_MODEL2, DEFAULT_SYNTH_MODEL)
-          python .github/workflows/scripts/spec_review_schema.py compare \
+          python .github/workflows/scripts/spec-review/spec_review_schema.py compare \
             .spec_review/workdir/report_a.json \
             .spec_review/workdir/report_b.json \
             .spec_review/report.json \
@@ -232,7 +232,7 @@ jobs:
         id: validate
         run: |
           # Validate JSON structure
-          python .github/workflows/scripts/spec_review_schema.py .spec_review/report.json --json
+          python .github/workflows/scripts/spec-review/spec_review_schema.py .spec_review/report.json --json
 
           # Count errors and warnings
           ERROR_COUNT=$(jq '[.spec_reviews[].errors | length] | add // 0' .spec_review/report.json)
@@ -251,7 +251,7 @@ jobs:
         if: steps.changed-specs.outputs.skip != 'true'
         run: |
           # Generate workflow commands that create inline annotations
-          python .github/workflows/scripts/create_check_annotations.py .spec_review/report.json \
+          python .github/workflows/scripts/spec-review/create_check_annotations.py .spec_review/report.json \
             --repo-root "$GITHUB_WORKSPACE" --workflow-commands
 
       - name: Post PR comment
@@ -264,7 +264,7 @@ jobs:
         run: |
           # Generate formatted comment to a temp file (avoids ARG_MAX issues with large comments)
           COMMENT_FILE=$(mktemp)
-          python .github/workflows/scripts/format_pr_comment.py \
+          python .github/workflows/scripts/spec-review/format_pr_comment.py \
             .spec_review/report.json \
             --repo "$REPO" \
             --sha "$HEAD_SHA" \
@@ -295,7 +295,7 @@ jobs:
           REPO: ${{ inputs.repo || github.repository }}
           HEAD_SHA: ${{ inputs.pr-head-sha || github.sha }}
         run: |
-          python .github/workflows/scripts/format_pr_comment.py \
+          python .github/workflows/scripts/spec-review/format_pr_comment.py \
             .spec_review/report.json \
             --repo "$REPO" \
             --sha "$HEAD_SHA" \
@@ -320,5 +320,5 @@ jobs:
           echo "Found ${ERROR_COUNT} error(s) in spec review"
           echo ""
           # Print all findings so "View details" shows everything
-          python .github/workflows/scripts/spec_review_schema.py .spec_review/report.json --all
+          python .github/workflows/scripts/spec-review/spec_review_schema.py .spec_review/report.json --all
           exit 1
diff --git a/.vscode/mcp.json b/.vscode/mcp.json
index 6cd395b10fd..bd89230a9f8 100644
--- a/.vscode/mcp.json
+++ b/.vscode/mcp.json
@@ -1,39 +1,73 @@
 {
-  "servers": {
-    "koji": {
-      "type": "stdio",
-      "command": "python3",
-      "args": [
-        ".vscode/mcps/koji-mcp.py"
-      ]
-    },
-    "fedora-distgit": {
-      "type": "stdio",
-      "command": "python3",
-      "args": [
-        ".vscode/mcps/fedora-distgit-mcp.py"
-      ]
-    },
-    "azure-mcp-server": {
-      "type": "stdio",
-      "command": "npx",
-      "args": [
-        "-y",
-        "@azure/mcp@latest",
-        "server",
-        "start",
-        "--tool", "monitor_metrics_definitions",
-        "--tool", "monitor_metrics_query",
-        "--tool", "monitor_workspace_log_query",
-        "--tool", "monitor_activitylog_list",
-        "--tool", "monitor_resource_log_query",
-        "--tool", "monitor_table_list",
-        "--tool", "aks_cluster_get",
-        "--tool", "aks_nodepool_get"
-      ],
-      "env": {
-        "AZURE_TOKEN_CREDENTIALS": "AzureCliCredential"
-      }
-    }
-  }
-}
+	"servers": {
+		"koji": {
+			"type": "stdio",
+			"command": "python3",
+			"args": [
+				".vscode/mcps/koji-mcp.py"
+			]
+		},
+		"fedora-distgit": {
+			"type": "stdio",
+			"command": "python3",
+			"args": [
+				".vscode/mcps/fedora-distgit-mcp.py"
+			]
+		},
+		"azure-mcp-server": {
+			"type": "stdio",
+			"command": "npx",
+			"args": [
+				"-y",
+				"@azure/mcp@latest",
+				"server",
+				"start",
+				"--tool",
+				"monitor_metrics_definitions",
+				"--tool",
+				"monitor_metrics_query",
+				"--tool",
+				"monitor_workspace_log_query",
+				"--tool",
+				"monitor_activitylog_list",
+				"--tool",
+				"monitor_resource_log_query",
+				"--tool",
+				"monitor_table_list",
+				"--tool",
+				"aks_cluster_get",
+				"--tool",
+				"aks_nodepool_get"
+			],
+			"env": {
+				"AZURE_TOKEN_CREDENTIALS": "AzureCliCredential"
+			}
+		},
+		"microsoft/azure-devops-mcp": {
+			"type": "stdio",
+			"command": "npx",
+			"args": [
+				"-y",
+				"@azure-devops/mcp@latest",
+				"${input:ado_org}",
+				"-d",
+				"${input:ado_domain}"
+			],
+			"gallery": "https://api.mcp.github.com",
+			"version": "1.0.0"
+		}
+	},
+	"inputs": [
+		{
+			"id": "ado_org",
+			"type": "promptString",
+			"description": "Azure DevOps organization name  (e.g. 'contoso')"
+		},
+		{
+			"id": "ado_domain",
+			"type": "promptString",
+			"description": "Repeat to enable specific domains: core, work, work-items, search, test-plans, repositories, wiki, pipelines, advanced-security.",
+			"password": false
+		}
+	]
+}
\ No newline at end of file
diff --git a/.vscode/settings.json b/.vscode/settings.json
index d46ca37d1b5..c5c141b6e84 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -18,5 +18,11 @@
         "**/node_modules",
         "**/__pycache__",
         "**/.*"
-    ]
+    ],
+    // Using Azure Pipelines schema for validation of ADO YAMLs.
+    "azure-pipelines.1ESPipelineTemplatesSchemaFile": true,
+    // Associate ADO pipelines with the "azure-pipelines" type instead of GitHub Actions.
+    "files.associations": {
+        "**/.github/workflows/ado/**/*.yml": "azure-pipelines"
+    }
 }