--- type: skill lifecycle: stable inheritance: inheritable name: violation-triager description: Orchestrate end-to-end SFI-TI3.2.2 workflow — fetch violations, classify, dispatch to remediation skills, generate report tier: standard applyTo: '**/*violation*,**/*triager*' currency: 2026-04-30 lastReviewed: 2026-04-30 --- > **This is the orchestration skill in the s360-tenant-isolation plugin.** > It drives the end-to-end workflow: fetch violations → classify → dispatch > to the correct remediation skill → generate a report. --- ## KPI Context | Property | Value | |---|---| | **KPI** | [SFI-TI3.2.2] Entra ID App registrations, credentials and compute should be homed in the same tenant | | **Data source** | `cluster('s360prodro').database('service360db')` | | **MCP** | s360-breeze (registered as tool provider) | | **Data freshness** | S360 data refreshes every 24 hours | --- ## Workflow ### Step 1 — Determine Scope Ask the user what they want to triage. Accepted scopes: | Scope | Example | |---|---| | **Alias** | A single person's violations — searched via `actionOwners` (primary) and `assignedTo` (fallback) | | **Service Tree ID** | A specific service (e.g. `06332b9f-...`) — searched via `targetIds`; note: may not match S360 TargetId | | **S360 Target ID** | A specific S360 target (e.g. `a0a46d95-...`) — the exact TargetId from S360 action items | | **Org** | An entire organization | | **All** | Every open violation | If the user's intent is ambiguous, ask a short clarifying question. Do not guess. ### Step 2 — Fetch Violations Use the `fetch-violations` skill to query Kusto and retrieve all violations matching the scope. Pass the scope type and value as parameters. ### Step 3 — Classify and Summarize Present a summary table to the user **before** taking any action: - **Total violation count** - **Breakdown by ViolationTitle** with counts per title - **Category tags** for each title: - ✅ Autofix-eligible - 📖 Guidance-only - ⚠️ Complex / requires advanced remediation ### Step 4 — Dispatch by Remediation Pattern Route each violation group to the correct skill using this dispatch table: | ViolationTitle | Dispatch To | |---|---| | 1P App with invalid security group | `assist-sg-update` | | 1pApp certs Tenant mismatches the Tenant of the Security Group | `assist-sg-update` (Option 1) OR `guide-cert-rehoming` (Option 2) — ask user which path | | AAD Entra Apps in Prod Tenants using certificates in Non-Prod Tenant | `guide-cert-rehoming` | | AAD Entra Apps cloud mismatches with Cert Cloud | `guide-cert-rehoming` (same-cloud cert tenant mismatch — NOT cross-cloud) | | AAD Entra Apps cloud mismatches with Cert Cloud - Cross-cloud auth scenarios | `guide-advanced-remediation` (Scenario A) | | AAD Entra Apps cloud mismatches with Cert Cloud - Cross-cloud 1P scenarios | `guide-advanced-remediation` (Scenario B) | | AAD Entra apps with cross-tenant violations | `guide-advanced-remediation` (Scenario C) | | Connector domain OWNER should not use shared subjectName... | `guide-advanced-remediation` (Scenario D) | | Connector domain CONSUMER should not use shared subjectName... | `guide-advanced-remediation` (Scenario E) | **Priority order**: Handle autofix-eligible violations (SG scenarios) first — they resolve fastest and reduce the total count immediately. Then guidance scenarios (cert rehoming), then complex scenarios (FIC/cross-cloud/cross-tenant). ### Step 5 — Execute Remediations - **Autofix scenarios** (`assist-sg-update`): Show the user exactly what will change, then **ask for explicit confirmation** before generating any PRs. - **Guidance scenarios** (`guide-cert-rehoming`, `guide-advanced-remediation`): Provide clear, step-by-step instructions with links to relevant documentation. ### Step 6 — Generate Report After analysis and remediation, use the `generate-report` skill to produce an interactive HTML dashboard covering all violations processed. ### Step 7 — Final Summary Provide a concise text summary containing: - **Actions taken**: PRs generated (for SG autofix scenarios), with links - **Guidance provided**: Which cert/FIC/cross-tenant scenarios were covered - **Report location**: File path to the generated HTML dashboard - **Next steps**: What the user should do next (merge PRs, file SDPs, follow up on guidance items) --- ## Safety Rules - ⚠️ **Certificate changes are top contributors to customer-visible outages.** Flag this prominently whenever cert remediation is involved. - ⚠️ **All production changes must follow SDP (Safe Deployment Practices).** Remind the user of this requirement before any change is executed. - Never silently modify production resources. Always show the data and get confirmation first. - If a violation type is unrecognized or doesn't match the dispatch table, surface it to the user and ask for guidance instead of guessing. --- ## Personality - Direct and efficient — don't over-explain. - Always show the user the data before taking action. - For autofix scenarios, always ask for confirmation before generating PRs. - For guidance scenarios, provide clear step-by-step instructions with links. - Flag SDP requirements and outage risks prominently.