feat(infra): Add private networking ACI deployment with managed identity

Infrastructure:
- Add skipContainerDeployment parameter for 2-phase ACI deployment
- Add container-instance.bicep module with UserAssigned identity
- Add virtualNetwork.bicep module with NSGs and subnet config
- Add main.parameters.json for azd env variable mapping
- Update azure.yaml with workflow for automatic image build/push

Scripts:
- Add assign_aci_roles.sh for ACI role assignments
- Add local_dev.sh/ps1 for local development
- Add product_ingestion.py for data loading
- Add scripts/README.md documentation

Frontend:
- Remove unused components (BriefConfirmation, ProductSelector)
- Fix scroll behavior in ChatPanel
- Update frontend build assets

Backend:
- Clean up unused models and imports
- Remove debug logging

Deployment flow:
1. First provision creates ACR, skips ACI (no image yet)
2. postprovision hook builds/pushes image to ACR
3. Re-runs provision to deploy ACI with image

Author: hunterjam

content-gen/.env.template

@@ -5,8 +5,6 @@
 # Azure Authentication
 # =============================================================================
 AZURE_CLIENT_ID=
-AZURE_TENANT_ID=
-AZURE_SUBSCRIPTION_ID=
 
 # =============================================================================
 # Azure OpenAI Configuration
@@ -32,13 +30,6 @@ AZURE_OPENAI_PREVIEW_API_VERSION=2024-02-01
 AZURE_OPENAI_TEMPERATURE=0.7
 AZURE_OPENAI_MAX_TOKENS=2000
 
-# =============================================================================
-# Azure AI Foundry (Agent Framework)
-# =============================================================================
-AZURE_AI_AGENT_ENDPOINT=https://your-project.services.ai.azure.com/api/projects/your-project
-AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME=gpt-5.1
-AZURE_AI_AGENT_API_VERSION=2024-12-01-preview
-
 # =============================================================================
 # Azure Cosmos DB
 # =============================================================================
@@ -47,10 +38,6 @@ AZURE_COSMOS_DATABASE_NAME=content-generation
 AZURE_COSMOS_PRODUCTS_CONTAINER=products
 AZURE_COSMOS_CONVERSATIONS_CONTAINER=conversations
 
-# For local development with emulator (optional)
-# AZURE_COSMOS_ENDPOINT=https://localhost:8081
-# AZURE_COSMOSDB_ACCOUNT_KEY=your-emulator-key
-
 # =============================================================================
 # Azure Blob Storage
 # =============================================================================
@@ -64,7 +51,6 @@ AZURE_BLOB_GENERATED_IMAGES_CONTAINER=generated-images
 AZURE_AI_SEARCH_ENDPOINT=https://your-search.search.windows.net
 AZURE_AI_SEARCH_PRODUCTS_INDEX=products
 AZURE_AI_SEARCH_IMAGE_INDEX=product-images
-AZURE_OPENAI_EMBEDDING_MODEL=text-embedding-ada-002
 
 # =============================================================================
 # UI Configuration
@@ -103,17 +89,7 @@ BRAND_REQUIRED_DISCLOSURES=
 # Server configuration
 PORT=5000
 WORKERS=4
-LOG_LEVEL=info
 
 # Feature flags
 AUTH_ENABLED=false
 SANITIZE_ANSWER=false
-
-# =============================================================================
-# Development Settings
-# =============================================================================
-# Set to true for verbose logging
-DEBUG=true
-
-# Python path (usually set automatically)
-PYTHONPATH=.

content-gen/aci-deployment.yaml

@@ -4,7 +4,7 @@ environment:
 
 name: content-generation
 metadata:
-  template: content-generation@1.0
+  template: content-generation@1.22
 
 requiredVersions:
   azd: '>= 1.18.0'
@@ -13,39 +13,223 @@ parameters:
   solutionPrefix:
     type: string
     default: contentgen
-  otherLocation:
+    displayName: Solution Prefix
+    description: A unique prefix for all resources (3-15 chars)
+  azureAiServiceLocation:
     type: string
-    default: eastus2
-  baseUrl:
-    type: string
-    default: 'https://github.com/microsoft/content-generation-solution-accelerator'
+    default: eastus
+    displayName: AI Services Location
+    description: Location for Azure AI Services deployments
+  enableMonitoring:
+    type: boolean
+    default: false
+    displayName: Enable Monitoring (WAF)
+    description: Enable Log Analytics and Application Insights
+  enableScalability:
+    type: boolean
+    default: false
+    displayName: Enable Scalability (WAF)
+    description: Enable auto-scaling and higher SKUs
+  enableRedundancy:
+    type: boolean
+    default: false
+    displayName: Enable Redundancy (WAF)
+    description: Enable zone redundancy and geo-replication
+  enablePrivateNetworking:
+    type: boolean
+    default: false
+    displayName: Enable Private Networking (WAF)
+    description: Enable VNet integration and private endpoints
+
+infra:
+  provider: bicep
+  path: ./infra
+  module: main
 
-deployment:
-  mode: Incremental
-  template: ./infra/main.bicep
-  parameters:
-    solutionPrefix: ${parameters.solutionPrefix}
-    otherLocation: ${parameters.otherLocation}
-    baseUrl: ${parameters.baseUrl}
+# Custom workflow: 
+# 1. First provision creates infrastructure (skips ACI for private networking)
+# 2. Build container image to ACR
+# 3. Second provision creates ACI with the now-available image
+workflows:
+  up:
+    steps:
+      - azd: provision
 
 hooks:
+  preprovision:
+    windows:
+      run: |
+        Write-Host "Preparing Content Generation Solution Accelerator deployment..." -ForegroundColor Cyan
+        Write-Host "Checking Azure CLI authentication..."
+        az account show --query "{name:name, id:id}" -o table
+        
+        # For private networking on first run, skip ACI (image not yet in ACR)
+        $currentSkip = azd env get-value skipContainerDeployment 2>$null
+        if ($env:enablePrivateNetworking -eq 'true' -and -not $env:ACR_NAME -and $currentSkip -ne 'false') {
+          Write-Host "Private networking enabled - skipping container deployment until image is built" -ForegroundColor Yellow
+          azd env set skipContainerDeployment true
+        }
+      shell: pwsh
+      continueOnError: false
+    posix:
+      run: |
+        echo "Preparing Content Generation Solution Accelerator deployment..."
+        echo "Checking Azure CLI authentication..."
+        az account show --query "{name:name, id:id}" -o table
+        
+        # For private networking on first run, skip ACI (image not yet in ACR)
+        current_skip=$(azd env get-value skipContainerDeployment 2>/dev/null || echo "")
+        if [ "$enablePrivateNetworking" = "true" ] && [ -z "$ACR_NAME" ] && [ "$current_skip" != "false" ]; then
+          echo "Private networking enabled - skipping container deployment until image is built"
+          azd env set skipContainerDeployment true
+        fi
+      shell: sh
+      continueOnError: false
+
   postprovision:
     windows:
       run: |
-        Write-Host "Web app URL: "
+        Write-Host "===== Provision Complete =====" -ForegroundColor Green
+        Write-Host ""
+        Write-Host "Web App URL: " -NoNewline
         Write-Host "$env:WEB_APP_URL" -ForegroundColor Cyan
-        Write-Host "`nTo upload product data, run:"
-        Write-Host "python ./scripts/product_ingestion.py" -ForegroundColor Cyan
+        Write-Host "Storage Account: " -NoNewline
+        Write-Host "$env:STORAGE_ACCOUNT_NAME" -ForegroundColor Cyan
+        Write-Host "AI Search Service: " -NoNewline
+        Write-Host "$env:AI_SEARCH_SERVICE_NAME" -ForegroundColor Cyan
+        Write-Host "AI Search Index: " -NoNewline
+        Write-Host "$env:AI_SEARCH_INDEX" -ForegroundColor Cyan
+        Write-Host "AI Service Location: " -NoNewline
+        Write-Host "$env:AI_SERVICE_LOCATION" -ForegroundColor Cyan
+        
+        # Run post-deployment role assignments
+        Write-Host ""
+        Write-Host "===== Running Post-Deployment Configuration =====" -ForegroundColor Yellow
+        
+        # Assign Cosmos DB role to current user
+        Write-Host "Assigning Cosmos DB Data Contributor role..."
+        $signedUserId = az ad signed-in-user show --query id -o tsv
+        az cosmosdb sql role assignment create --resource-group $env:RESOURCE_GROUP_NAME --account-name $env:COSMOSDB_ACCOUNT_NAME --role-definition-id "00000000-0000-0000-0000-000000000002" --principal-id $signedUserId --scope "/" 2>$null
+        if ($LASTEXITCODE -eq 0) {
+          Write-Host "  Cosmos DB role assigned successfully" -ForegroundColor Green
+        } else {
+          Write-Host "  Cosmos DB role may already be assigned" -ForegroundColor Yellow
+        }
+        
+        # Build container image and deploy ACI if ACR exists and ACI was skipped
+        $skipContainer = azd env get-value skipContainerDeployment 2>$null
+        if ($env:ACR_NAME -and $skipContainer -eq 'true') {
+          Write-Host ""
+          Write-Host "===== Building Container Image =====" -ForegroundColor Yellow
+          Write-Host "Building and pushing image to ACR: $env:ACR_NAME" -ForegroundColor Cyan
+          
+          az acr build --registry $env:ACR_NAME --image content-gen-app:latest ./src
+          
+          if ($LASTEXITCODE -eq 0) {
+            Write-Host "Container image built and pushed successfully!" -ForegroundColor Green
+            
+            # Enable container deployment and re-provision
+            Write-Host ""
+            Write-Host "===== Deploying Container Instance =====" -ForegroundColor Yellow
+            azd env set skipContainerDeployment false
+            
+            Write-Host "Re-running provision to deploy ACI..." -ForegroundColor Cyan
+            azd provision --no-prompt
+            
+            if ($LASTEXITCODE -eq 0) {
+              Write-Host "Container Instance deployed successfully!" -ForegroundColor Green
+            } else {
+              Write-Host "Container Instance deployment failed" -ForegroundColor Red
+            }
+          } else {
+            Write-Host "Failed to build container image" -ForegroundColor Red
+          }
+        } elseif ($env:CONTAINER_INSTANCE_NAME) {
+          Write-Host ""
+          Write-Host "Container Instance: " -NoNewline
+          Write-Host "$env:CONTAINER_INSTANCE_NAME" -ForegroundColor Cyan
+          Write-Host "Container Private IP: " -NoNewline
+          Write-Host "$env:CONTAINER_INSTANCE_PRIVATE_IP" -ForegroundColor Cyan
+        } elseif ($env:ACR_NAME) {
+          Write-Host ""
+          Write-Host "Container Registry: " -NoNewline
+          Write-Host "$env:ACR_NAME" -ForegroundColor Cyan
+        }
+        
+        Write-Host ""
+        Write-Host "===== Next Steps =====" -ForegroundColor Yellow
+        Write-Host "1. Upload product data:"
+        Write-Host "   python ./scripts/product_ingestion.py --data-path ./sample_data" -ForegroundColor Cyan
+        Write-Host ""
+        Write-Host "2. Access the web application:"
+        Write-Host "   $env:WEB_APP_URL" -ForegroundColor Cyan
       shell: pwsh
       continueOnError: false
       interactive: true
     posix:
       run: |
-        echo "Web app URL: "
-        echo $WEB_APP_URL
+        echo "===== Provision Complete ====="
+        echo ""
+        echo "Web App URL: $WEB_APP_URL"
+        echo "Storage Account: $STORAGE_ACCOUNT_NAME"
+        echo "AI Search Service: $AI_SEARCH_SERVICE_NAME"
+        echo "AI Search Index: $AI_SEARCH_INDEX"
+        echo "AI Service Location: $AI_SERVICE_LOCATION"
+        
+        # Run post-deployment role assignments
+        echo ""
+        echo "===== Running Post-Deployment Configuration ====="
+        
+        # Assign Cosmos DB role to current user
+        echo "Assigning Cosmos DB Data Contributor role..."
+        signed_user_id=$(az ad signed-in-user show --query id -o tsv)
+        az cosmosdb sql role assignment create \
+          --resource-group "$RESOURCE_GROUP_NAME" \
+          --account-name "$COSMOSDB_ACCOUNT_NAME" \
+          --role-definition-id "00000000-0000-0000-0000-000000000002" \
+          --principal-id "$signed_user_id" \
+          --scope "/" 2>/dev/null && echo "  Cosmos DB role assigned successfully" || echo "  Cosmos DB role may already be assigned"
+        
+        # Build container image and deploy ACI if ACR exists and ACI was skipped
+        skip_container=$(azd env get-value skipContainerDeployment 2>/dev/null || echo "")
+        if [ -n "$ACR_NAME" ] && [ "$skip_container" = "true" ]; then
+          echo ""
+          echo "===== Building Container Image ====="
+          echo "Building and pushing image to ACR: $ACR_NAME"
+          
+          if az acr build --registry "$ACR_NAME" --image content-gen-app:latest ./src; then
+            echo "Container image built and pushed successfully!"
+            
+            # Enable container deployment and re-provision
+            echo ""
+            echo "===== Deploying Container Instance ====="
+            azd env set skipContainerDeployment false
+            
+            echo "Re-running provision to deploy ACI..."
+            if azd provision --no-prompt; then
+              echo "Container Instance deployed successfully!"
+            else
+              echo "Container Instance deployment failed"
+            fi
+          else
+            echo "Failed to build container image"
+          fi
+        elif [ -n "$CONTAINER_INSTANCE_NAME" ]; then
+          echo ""
+          echo "Container Instance: $CONTAINER_INSTANCE_NAME"
+          echo "Container Private IP: $CONTAINER_INSTANCE_PRIVATE_IP"
+        elif [ -n "$ACR_NAME" ]; then
+          echo ""
+          echo "Container Registry: $ACR_NAME"
+        fi
+        
+        echo ""
+        echo "===== Next Steps ====="
+        echo "1. Upload product data:"
+        echo "   python ./scripts/product_ingestion.py --data-path ./sample_data"
         echo ""
-        echo "To upload product data, run:"
-        echo "python ./scripts/product_ingestion.py"
+        echo "2. Access the web application:"
+        echo "   $WEB_APP_URL"
       shell: sh
       continueOnError: false
       interactive: true