feat: integrate reference product workload contract

[OgeonX-Ai]

Summary

• implement the public cas-reference-product Container Apps configuration and health-probe contract
• add optional Foundry project-scoped RBAC gated by explicit project and role definition resource IDs
• document and verify the decision to defer network and policy guardrails until a landing-zone contract exists

Validation

• powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\scripts\validate.ps1 (10/10 Pester tests passed)
• Bicep main and dev/test/prod parameter builds passed
• .\scripts\what-if.ps1 -Environment dev -Location northeurope succeeded; expected creates only
• confirmed predicted resource group does not exist after what-if; no Azure resources deployed
• git diff --check passed

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 872959dc3a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Configure Entra-authenticated Application Insights ingestion

In every environment, this connection string is the only Application Insights authentication-related setting injected, but observability.bicep retains DisableLocalAuth: true and the template creates neither APPLICATIONINSIGHTS_AUTHENTICATION_STRING=Authorization=AAD nor a Monitoring Metrics Publisher assignment for the workload identity. Consequently, connection-string/local-auth telemetry is rejected, while the system-assigned identity also lacks the configuration and permission required for Entra-authenticated ingestion, so the newly integrated workload cannot send Application Insights telemetry.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Reject incomplete Foundry backend configuration

When an operator selects workflowBackend = 'foundry' but leaves either Foundry endpoint or agent name empty, the template still validates and deploys because both required application inputs default to empty strings without any cross-parameter assertion. The resulting Container App receives an invalid Foundry configuration and, according to the documented readiness contract, cannot become ready; reject this combination before deployment rather than allowing an unusable revision.

Useful? React with 👍 / 👎.