feat: database detection + AKS workload identity support

[gambtho]

Summary

• Database detector (analyze-repo): new detectDatabases() function identifies databases from dependency lists across Node, Python, Java, .NET, Go, and Rust ecosystems. Results surface as detectedDatabases on each module in the analysis output and in the summary line.
• Gradle parser fix: expanded dependency regex to capture runtimeOnly, api, and compileOnly scopes (previously only implementation), so DB drivers like org.postgresql:postgresql declared as runtimeOnly are no longer missed.
• K8s manifest generation: when database dependencies are detected, automatically includes serviceaccount.yaml and appends workload identity guidance (annotations, pod labels, passwordless auth) to the manifest plan.
• AKS loop prompt: inserts a new "Check for database dependencies" step after repo analysis, and passes DB types as detectedDependencies to manifest generation.
• Knowledge packs: 3 new Kubernetes entries (workload identity SA, pod label, passwordless DB auth) and 1 new database entry (Azure managed DB migration pattern with ConfigMap + workload identity).

Test plan

• 27 unit tests for detectDatabases covering all ecosystems, groupId:artifactId (Java), Go module paths, dedup, and case-insensitivity
• Existing analyze-repo tests pass (41 total)
• Manual validation against tmp/spring-petclinic — detects MySQL + PostgreSQL from Gradle runtimeOnly deps
• Run npm run validate (pre-existing embedded-packs build issue unrelated to this PR)
• End-to-end test via MCP inspector: analyze-repo → generate-k8s-manifests with detected DB types

[Copilot]

Pull request overview

Adds database dependency detection to analyze-repo and threads that signal into AKS/Kubernetes manifest generation guidance (including workload identity ServiceAccount hints), plus supporting prompt steps and knowledge-pack recommendations.

Changes:

• Introduces a detectDatabases() mapper and exposes results as modules[].detectedDatabases in analyze-repo output (and summary text).
• Updates k8s manifest planning to optionally include serviceaccount.yaml and workload identity instructions when DB types are detected.
• Expands Gradle dependency extraction and adds knowledge-pack entries + new unit tests for DB detection.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
test/unit/tools/database-detector.test.ts	Adds unit coverage for the new DB detection function.
src/tools/generate-k8s-manifests/tool.ts	Conditionally adds ServiceAccount manifest + workload identity instruction based on detected DB types.
src/tools/analyze-repo/tool.ts	Calls DB detector and adds detected DB types to the user-facing analysis summary.
src/tools/analyze-repo/schema.ts	Extends module schema with optional detectedDatabases output.
src/tools/analyze-repo/parsers.ts	Broadens Gradle dependency keyword matching.
src/tools/analyze-repo/database-detector.ts	New dependency-to-database detection/normalization logic (core of feature).
src/prompts/shared/steps.ts	Adds a prompt step instructing the workflow to check detected DBs.
src/prompts/aks-loop/prompt.ts	Updates AKS loop prompt to pass detected DB info into manifest generation.
knowledge/packs/kubernetes-pack.json	Adds AKS workload identity ServiceAccount + pod-label recommendations.
knowledge/packs/database-pack.json	Adds Azure-managed DB migration/config guidance for k8s + workload identity.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

Copilot reviewed 15 out of 15 changed files in this pull request and generated 7 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[davidgamero]

let's use TOOL_NAME var properties to ref the tools here so they don't drift
ex: TOOL_NAME.VERIFY_DEPLOY

[davidgamero]

we can probably move this out into a separate detection task within analyze repo next

[Copilot]

Pull request overview

Copilot reviewed 15 out of 15 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

partitionEnvVarNames currently groups both 'secret' and 'database' classifications into secretNames. This causes DB_* vars like DB_HOST/DB_PORT to be treated as secrets downstream (Secret generation + 'do not bake' warnings), which conflicts with the separate 'database' classification and common practice of putting non-secret DB connection details into ConfigMaps. Consider returning separate arrays (config/database/secret) or at least grouping 'database' with configNames for downstream guidance.

[Copilot]

detectEnvVarsFromSpringConfig hard-codes source='application.properties', so vars extracted from application.yml will be attributed to the wrong file. Also, the placeholder regex allows dots in the variable name ([A-Za-z0-9_.]), which will capture property placeholders like ${spring.profiles.active} as "env vars". Consider accepting a source param and restricting names to env-var-like tokens (e.g., [A-Za-z_][A-Za-z0-9_]), or filtering out keys with '.' to reduce false positives.

[Copilot]

The instruction text says "Reference Secrets for secret vars via envFrom: <VAR1, VAR2>" but envFrom references Secret/ConfigMap resources, not individual environment variable names/keys. This is likely to generate invalid manifests. Rephrase to something like "Create a Secret with keys: ... and reference it via envFrom/secretKeyRef" (and similarly for ConfigMap) so the generated YAML is syntactically correct.

Suggested change

	envVarInstruction += ` Create ConfigMap with config vars: ${configNames.join(', ')}.`;
	}
	if (secretNames.length > 0) {
	envVarInstruction += ` Reference Secrets for secret vars via envFrom: ${secretNames.join(', ')}.`;
	envVarInstruction += ` Create a ConfigMap with keys for config vars: ${configNames.join(', ')} and reference it from the workload via envFrom/configMapRef or individual env entries with configMapKeyRef as appropriate.`;
	}
	if (secretNames.length > 0) {
	envVarInstruction += ` Create a Secret with keys for secret vars: ${secretNames.join(', ')} and reference it from the workload via envFrom/secretRef or individual env entries with secretKeyRef as appropriate.`;

[Copilot]

Because partitionEnvVarNames treats classification==='database' as a secret, secretNames will include DB_HOST/DB_PORT/etc. This will (1) create secret.yaml instead of configmap.yaml for non-secret DB settings, and (2) omit configmap.yaml entirely when only database vars exist and ports are empty. Once partitioning is fixed, consider adjusting these manifest file decisions so 'database' vars map to a ConfigMap (and only credentials/connection strings map to a Secret).

[Copilot]

PR description focuses on database detection + workload identity, but this PR also introduces a full env var detection/inference pipeline (new analyze-repo output fields, prompt step, Dockerfile/K8s instruction changes). Please update the PR description/test plan to explicitly call out env var detection changes and any expected user-facing behavior (e.g., always-inferred vars) so reviewers/users know what’s being introduced.