Roadmap

v1.7-beta

Entra — /devicelogin interactive sign-in page

	Feature	Description
Preview	GET /devicelogin page	Serve an HTML form that accepts a user_code and a username; completing the form marks the corresponding device code as authorized for the submitted user
Preview	POST /devicelogin handler	Look up the device code by user_code, write into DeviceCodeEndpoint.AuthorizedDeviceCodes, and redirect to a confirmation page
Preview	Proper authorization_pending polling	Token polling returns {"error":"authorization_pending"} until the /devicelogin form is submitted, matching real Azure device code flow semantics

Virtual Network — Private Endpoint IP tracking

	Feature	Description
Preview	Private Endpoint IP tracking	Extend the IP allocation registry to record IPs for Private Endpoints; requires implementing the Microsoft.Network/privateEndpoints control plane (PUT/GET/DELETE/LIST) and hooking it into IpAllocationRegistry

Storage — Service SAS permission enforcement

	Feature	Description
Preview	Service SAS permission-letter enforcement	Map sp= letters to HTTP verb; return 403 AuthorizationPermissionMismatch on mismatch for Blob, Queue, and Table
Preview	SAS source IP (sip) enforcement	Parse single-address and hyphenated-range sip= values; return 403 AuthorizationSourceIPMismatch when the request source IP falls outside the declared range; applies to Blob, Queue, and Table

Azure Cosmos DB — SQL API data plane

	Feature	Description
Preview	Data plane scaffold and master-key auth	Dedicated port; HMAC-SHA256 master-key signature validation (verb/resourceType/resourceLink/date StringToSign); 401 on invalid or expired signatures
Preview	Database operations	POST /dbs, GET /dbs/{db}, DELETE /dbs/{db}, GET /dbs — full resource lifecycle with _rid, _self, _etag, _ts and x-ms-request-charge header
Preview	Collection operations	POST/GET/PUT/DELETE /dbs/{db}/colls/{coll}, GET /dbs/{db}/colls — create, replace, and delete collections including indexingPolicy and partitionKey
Preview	Document CRUD	POST/GET/PUT/PATCH/DELETE /dbs/{db}/colls/{coll}/docs/{id} — full item lifecycle with partition key enforcement, ETag optimistic concurrency (If-Match / 412), and JSON Patch partial updates
Preview	SQL query execution	POST /dbs/{db}/colls/{coll}/docs with x-ms-documentdb-isquery: true — parameterised SQL subset: SELECT, FROM, WHERE, ORDER BY, OFFSET/LIMIT, aggregates (COUNT, SUM, MIN, MAX, AVG); continuation-token pagination
Preview	MCP Server tools	CreateCosmosDbAccount, CreateCosmosDbDatabase, CreateCosmosDbContainer; GetConnectionStrings extended with Cosmos DB endpoint and key
Preview	Public IP Address API	Microsoft.Network/publicIPAddresses — PUT/GET/DELETE/LIST/PATCH endpoints; stub ipAddress assigned on creation; supports az vm create public IP flow
Preview	CLI configurable defaults	topaz configure command persists default --subscription-id, --resource-group, and --location to ~/.topaz/defaults.json; all commands apply them when the flag is omitted, following the precedence: explicit flag > environment variable > config file

Azure App Service — Kudu / SCM data plane

	Feature	Description
Preview	Kudu zip deploy	POST /api/zipdeploy on *.scm.azurewebsites.topaz.local.dev:8896 — accepts a zip archive, stores it to disk, persists a DeploymentRecord, returns 202 Accepted with a Location header
Preview	Deployment list	GET /api/deployments — returns the persisted deployment records for the site as a JSON array

Azure Load Balancer — initial control plane

	Feature	Description
Stable	New service scaffold	Topaz.Service.LoadBalancer project with models (LoadBalancerResource, LoadBalancerResourceProperties), resource provider, control plane (including Deploy()), host registration, and RouteDeployment() case for Microsoft.Network/loadBalancers
Preview	Load Balancer CRUD	Create, get, update tags, delete, list by resource group, and list by subscription for Microsoft.Network/loadBalancers; all structural properties (frontend IP configurations, backend pools, LB rules, probes, inbound NAT rules, outbound rules) persisted and round-tripped; provisioningState always Succeeded

Service Bus — advanced messaging features

	Feature	Description
Preview	Dead letter queues	Move messages exceeding MaxDeliveryCount or explicitly dead-lettered to <entity>/$DeadLetterQueue; expose as an addressable AMQP entity so SDK receivers can consume it
Preview	Message sessions	Session-based messaging (requiresSession = true) for queues and subscriptions; session-filtered AMQP Attach frames; per-session lock enforcement; RenewSessionLock, GetSessionState, and SetSessionState via AMQP management link
Preview	Topic filters and rules	Full ARM CRUD for subscription rules (CorrelationRuleFilter, SqlRuleFilter, SqlRuleAction); message routing at publish time evaluates active rules and only forwards matching messages to each subscription
Preview	Authorization rules and SAS keys	Per-namespace, per-queue, and per-topic authorization rule CRUD; listKeys and regenerateKeys actions; 256-bit SAS key pairs persisted and rotatable

ARM Deployments — subscription-scoped Bicep support

	Feature	Description
Preview	Microsoft.Resources/resourceGroups template resource	Handle resourceGroups entries in subscription-scoped templates: create or update the resource group before processing dependent resources; required for any Bicep file compiled with targetScope = 'subscription'
Preview	Microsoft.Resources/deployments nested deployment	Execute inline nested deployment resources: extract the properties.template payload, resolve scope to the target resource group, and recursively provision all inner resources; persist the nested deployment as a child object retrievable via ARM GET
Preview	Deployment outputs populated on completion	After all template resources are provisioned, evaluate the outputs block and persist the result; return populated outputs on every subsequent GET so that az deployment sub create, azure/arm-deploy, and the Terraform azurerm provider can read cross-stage values

Container Registry — Real Docker build-and-push execution

	Feature	Description
Preview	Real Docker execution for ACR Tasks	Upgrade the ACR run emulation from immediate-Succeeded to real container workloads: detect Docker at host startup, git clone the contextPath, spawn docker build + docker push to the local OCI registry, drive real status transitions (Queued → Running → Succeeded / Failed), and stream actual build output to the log endpoint

---

v1.8-preview

ARM Deployments — deployment operations tracking

	Feature	Description
Preview	Get deployment operation (resource group / subscription scope)	GET .../deployments/{name}/operations/{operationId} — requires per-resource operation tracking in the orchestrator
Preview	List / Get deployment operations at management group scope	GET .../managementGroups/{id}/providers/Microsoft.Resources/deployments/{name}/operations[/{operationId}]
Preview	List / Get deployment operations at tenant scope	GET /providers/Microsoft.Resources/deployments/{name}/operations[/{operationId}]

Azure Storage — Blob authentication enforcement

	Feature	Description
Preview	Reject unauthenticated requests to private containers	Return 401 + WWW-Authenticate when a Blob data-plane request has no Authorization header and no valid SAS query string, and the target container's public-access level is none
Preview	Revoke User Delegation Keys	ARM POST .../revokeUserDelegationKeys — persist a per-account revocation timestamp and reject User Delegation SAS tokens whose skt predates it

Azure App Service — transparent request forwarding

	Feature	Description
Preview	HTTP request forwarding	Data-plane endpoint on *.azurewebsites.topaz.local.dev:8895 that proxies all traffic to the user's Docker Compose container; target port read from the WEBSITES_PORT app setting (default 80), container resolved by matching the Compose service name to the App Service site name

Chaos Engineering — controllable fault injection

	Feature	Description
Stable	Chaos mode toggle and CLI	topaz chaos enable/disable/status CLI commands and corresponding REST control-plane endpoints (POST /topaz/chaos/enable, POST /topaz/chaos/disable, GET /topaz/chaos/status); state is in-memory
Preview	Fault rule configuration	Per-service (or global *) fault rules with fields: serviceNamespace, faultType (Timeout | TransientError | Throttle | ServiceUnavailable), faultRate (0–1), and optional httpStatusCode; CRUD via PUT/GET/DELETE /topaz/chaos/rules/{ruleId}
Preview	Router-level fault injection middleware	When chaos mode is enabled, the router evaluates active rules before dispatching: injects configurable delays, 429/500/503 responses, or connection drops at the configured probability; every injected fault is logged

Azure App Configuration — initial control plane and data plane

	Feature	Description
Stable	New service scaffold	Topaz.Service.AppConfiguration project with ConfigurationStoreResource, ConfigurationStoreResourceProperties, resource provider, control plane (including Deploy()), host registration, and RouteDeployment() case for Microsoft.AppConfiguration/configurationStores
Preview	ConfigurationStore CRUD	Create, get, update (tags, SKU, publicNetworkAccess), delete, list by resource group, and list by subscription; endpoint field emitted as https://{name}.azconfig.topaz.local.dev:<port>/
Stable	Access key management	listKeys and regenerateKey ARM actions; two read-write and two read-only key pairs persisted and rotatable
Preview	Data plane — key-value API	GET/PUT/DELETE /kv/{key} and GET /kv (list with ?key=, ?label=, $select= filtering); GET /labels; PUT/DELETE /locks/{key}; HMAC-SHA256 credential authentication; ETag / If-Match concurrency
Preview	Feature flag support	Key-values with content type application/vnd.microsoft.appconfig.ff+json under the .appconfig.featureflag/ key prefix; compatible with the Azure SDK FeatureFlagConfigurationSetting model
Stable	MCP Server tool	CreateAppConfigurationStore tool; GetConnectionStrings extended with App Configuration connection string

Azure Disks — SAS access LRO polling

	Feature	Description
Preview	LRO polling for beginGetAccess	Upgrade beginGetAccess to return 202 Accepted + Azure-AsyncOperation polling URL; GET on the URL transitions InProgress → Succeeded with the accessSAS stub in properties.output; LRO state held in-memory per disk

---

v1.9-preview

Application Insights — initial control plane and ingestion

	Feature	Description
Stable	New service scaffold	Topaz.Service.ApplicationInsights project with models, resource provider, control plane (including Deploy()), host registration, and RouteDeployment() case for microsoft.insights/components
Preview	Component CRUD	Create, get, update (tags, retentionInDays), delete, list microsoft.insights/components; instrumentationKey and connectionString generated on creation and stable across updates
Preview	Telemetry ingestion	POST /v2/track accepts JSON arrays of Application Insights telemetry envelopes (RequestData, TraceData, ExceptionData, EventData, MetricData, DependencyData); persists to disk per instrumentation key
Preview	Basic query API	POST /v1/apps/{instrumentationKey}/query — minimal KQL subset over persisted telemetry; supports requests, traces, exceptions, customEvents, customMetrics, dependencies tables; where, project, summarize count(), order by, take operators; returns standard {"tables":[...]} schema

Log Analytics — initial control plane and ingestion

	Feature	Description
Stable	New service scaffold	Topaz.Service.LogAnalytics project with WorkspaceResource, WorkspaceResourceProperties, resource provider, control plane (including Deploy()), host registration, and RouteDeployment() case for Microsoft.OperationalInsights/workspaces
Preview	Workspace CRUD	Create, get, update (tags, retentionInDays, SKU), delete, list Microsoft.OperationalInsights/workspaces; workspaceId / customerId generated as stable GUIDs on creation
Preview	Logs Ingestion API	POST https://{workspaceId}.ods.opinsights.topaz.local.dev/api/logs — accepts JSON log arrays with Log-Type header; persists records per custom table name; returns 200 with empty body
Preview	KQL query API	POST /v1/workspaces/{workspaceId}/query — minimal KQL subset over ingested custom tables; where, project, extend, summarize, order by, take, union operators; returns standard {"tables":[...]} schema

Azure Disks — full disk data streaming (azcopy)

	Feature	Description
Preview	Full azcopy-compatible disk streaming	Upgrade the SAS endpoint from empty-body to a fully streamable sparse disk image: GET /disk-sas/{uniqueId} honours Range requests; PUT accepts page-blob byte-range uploads; HEAD reports Content-Length = diskSizeGB * 1073741824; large disks use an on-disk .topaz/disks/{uniqueId}.vhd sparse file

Azure Storage — geo-replication sync simulation

	Feature	Description
Preview	Geo-replication sync scheduler	Background service (GeoReplicationSyncScheduler) that periodically updates LastGeoSyncTime on RA-GRS/RAGZRS accounts; stats endpoints return the persisted timestamp instead of wall-clock time, simulating realistic replication lag

Azure Cosmos DB — SQL Container advanced features

	Feature	Description
Preview	TTL enforcement	Background scheduler that purges expired documents from SQL containers where defaultTtl is set; prerequisite: data-plane document store (v1.7-beta)
Preview	Container-level RBAC	Per-container access policy enforcement integrated with the data-plane auth layer; prerequisite: data-plane authentication surface (v1.7-beta)

v1.10-preview

Azure API Management — initial control plane and data plane

	Feature	Description
Stable	New service scaffold	Topaz.Service.ApiManagement project with ApiManagementServiceResource, ApiManagementServiceResourceProperties, resource provider, control plane (including Deploy()), host registration, and RouteDeployment() case for Microsoft.ApiManagement/service
Preview	Service CRUD	Create, get, update (tags, SKU, publisherEmail), delete, list by resource group, and list by subscription for Microsoft.ApiManagement/service; gatewayUrl, portalUrl, and managementApiUrl derived from service name and persisted on creation
Preview	APIs CRUD	Create, get, update, delete, and list API definitions under a service instance; fields: displayName, description, serviceUrl, path, protocols, apiType (http/soap/websocket/graphql); persisted as subresources
Preview	Products CRUD	Create, get, update, delete, and list Products; product-to-API association via PUT/DELETE/GET .../products/{id}/apis/{apiId}; fields: displayName, description, state, subscriptionRequired, approvalRequired
Preview	Backends CRUD	Create, get, update, delete, and list Backends; fields: url, protocol, description, title, resourceId; backends are referenced by policy expressions and persisted as subresources
Preview	Policies CRUD	Service-level and API-level policy documents stored and returned as raw APIM XML; no policy execution in v1.10 — storage and round-trip only

Azure Container Instances — initial control plane

	Feature	Description
Stable	New service scaffold	Topaz.Service.ContainerInstances project with ContainerGroupResource, ContainerGroupResourceProperties, resource provider, control plane (including Deploy()), host registration, and RouteDeployment() case for Microsoft.ContainerInstance/containerGroups
Preview	Container Groups CRUD	Create, get, update (tags), delete, list by resource group, and list by subscription for Microsoft.ContainerInstance/containerGroups; provisioningState is always Succeeded; instanceView.state is always Running
Preview	Lifecycle operations	Start, stop, and restart container group operations (no-op in emulation; provisioningState and instanceView.state remain unchanged)
Preview	Container logs	GET .../containers/{containerName}/logs returns a stub log line; satisfies az container logs without running real containers

Availability Sets — initial control plane

	Feature	Description
Stable	Availability Set CRUD	Create, get, update (tags, platformFaultDomainCount), delete, list by resource group, and list by subscription for Microsoft.Compute/availabilitySets; provisioningState is always Succeeded; full Deploy() and RouteDeployment() support
Preview	List available VM sizes	GET .../availabilitySets/{name}/vmSizes returns the same stub catalogue as the compute SKUs endpoint

Private Endpoints — initial control plane

	Feature	Description
Stable	Private Endpoint CRUD	Create, get, delete, list by resource group, and list by subscription for Microsoft.Network/privateEndpoints; assigns an IP from the linked subnet CIDR via IpAllocationRegistry on creation; privateLinkServiceConnectionState is always Approved; full Deploy() and RouteDeployment() support

Azure Redis Cache — initial control plane

	Feature	Description
Stable	New service scaffold	Topaz.Service.Redis project with RedisResource, RedisResourceProperties, resource provider, control plane (including Deploy()), host registration, and RouteDeployment() case for Microsoft.Cache/redis
Preview	Redis Cache CRUD	Create, get, update (tags, SKU, enableNonSslPort, minimumTlsVersion, redisConfiguration), delete, list by resource group, and list by subscription; access keys generated on creation and exposed via listKeys / regenerateKey
Preview	Firewall Rules CRUD	Create, get, update, delete, and list firewall rules per cache; no actual IP filtering enforced in the emulator
Preview	MCP provisioning tool	CreateRedisCache MCP tool; GetConnectionStrings extended with Redis connection string

---

Future / Unplanned

Ideas not yet tied to a specific milestone.

OpenTofu integration

	Feature	Description
Preview	Verified compatibility & test suite	Dedicated Topaz.Tests.OpenTofu project mirroring the Terraform suite; build script and integration guide