feat: add Application Insights for OTEL tracing and uat->staging rename

.github/actions/import-container-app/action.yml

@@ -10,7 +10,7 @@ inputs:
     description: Project name component of the Container App name (TF_VAR_projname)
   env:
     required: true
-    description: Environment name (dev|uat|prod)
+    description: Environment name (dev|staging|prod)
   location_short:
     required: true
     description: Short location code (TF_VAR_location_short)

.github/pull_request_template.md

@@ -15,10 +15,10 @@
 - [ ] No environment/config changes required
 - [ ] Environment/config changes required (describe below)
 
-## UAT Toggle (PRs to `main`)
+## Staging Toggle (PRs to `main`)
 
-- Add label `run-uat` to this PR to enable UAT deployment (`deploy-uat`).
-- Remove label `run-uat` to skip UAT deployment.
+- Add label `run-staging` to this PR to enable staging deployment (`deploy-staging`).
+- Remove label `run-staging` to skip staging deployment.
 
 ## Risk / Rollback
 

.github/workflows/deploy.yaml

@@ -33,23 +33,23 @@ env:
 
 jobs:
   plan:
-    # PR into dev → dev | PR into main + label 'run-uat' → uat | Push to main/workflow_dispatch → prod
+    # PR into dev → dev | PR into main + label 'run-staging' → staging | Push to main/workflow_dispatch → prod
     # Skip plan for PRs from forks (no repo secrets; avoids AADSTS700213)
-    # Runtime UAT toggle: add PR label 'run-uat' to enable UAT on PRs into main.
+    # Runtime staging toggle: add PR label 'run-staging' to enable staging on PRs into main.
     if: |
       (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) &&
       (
         (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
         (github.event_name == 'workflow_dispatch') ||
         (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'dev') ||
-        (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' && contains(join(github.event.pull_request.labels.*.name, ','), 'run-uat'))
+        (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' && contains(join(github.event.pull_request.labels.*.name, ','), 'run-staging'))
       )
     name: Plan ${{ matrix.environment }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        environment: ${{ (github.event_name == 'workflow_dispatch' && fromJSON('["prod"]')) || (github.event_name == 'push' && github.ref == 'refs/heads/main' && fromJSON('["prod"]')) || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'dev' && fromJSON('["dev"]')) || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' && contains(join(github.event.pull_request.labels.*.name, ','), 'run-uat') && fromJSON('["uat"]')) || fromJSON('["prod"]') }}
+        environment: ${{ (github.event_name == 'workflow_dispatch' && fromJSON('["prod"]')) || (github.event_name == 'push' && github.ref == 'refs/heads/main' && fromJSON('["prod"]')) || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'dev' && fromJSON('["dev"]')) || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' && contains(join(github.event.pull_request.labels.*.name, ','), 'run-staging') && fromJSON('["staging"]')) || fromJSON('["prod"]') }}
     environment: ${{ matrix.environment }}
     defaults:
       run:
@@ -324,18 +324,18 @@ jobs:
 
           jq -e '.enabled == true' /tmp/selection-get.json > /dev/null
 
-  deploy-uat:
-    name: Deploy uat
+  deploy-staging:
+    name: Deploy staging
     needs: plan
     runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' && contains(join(github.event.pull_request.labels.*.name, ','), 'run-uat')
-    environment: uat
+    if: github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' && contains(join(github.event.pull_request.labels.*.name, ','), 'run-staging')
+    environment: staging
     defaults:
       run:
-        working-directory: infra/env/uat
+        working-directory: infra/env/staging
 
     env:
-      TF_VAR_env: "uat"
+      TF_VAR_env: "staging"
       TF_VAR_projname: "aigateway"
       TF_VAR_location: "southafricanorth"
       TF_VAR_location_short: "san"
@@ -407,7 +407,7 @@ jobs:
             -backend-config="resource_group_name=${TF_BACKEND_RG}" \
             -backend-config="storage_account_name=${TF_BACKEND_SA}" \
             -backend-config="container_name=${TF_BACKEND_CONTAINER}" \
-            -backend-config="key=uat.terraform.tfstate"
+            -backend-config="key=staging.terraform.tfstate"
 
       - name: Import existing Container App into Terraform state
         uses: ./.github/actions/import-container-app
@@ -416,7 +416,7 @@ jobs:
           env: ${{ env.TF_VAR_env }}
           location_short: ${{ env.TF_VAR_location_short }}
           subscription_id: ${{ env.AZURE_SUBSCRIPTION_ID }}
-          terraform_working_directory: infra/env/uat
+          terraform_working_directory: infra/env/staging
 
       - name: Terraform Plan
         run: |

README.md

@@ -28,7 +28,7 @@ Creates the shared resource group, storage account, and container for Terraform
 
 ### 2. Add GitHub secrets
 
-Add these secrets to each GitHub **Environment** (dev, uat, prod): **Settings → Environments → <env> → Environment secrets**.
+Add these secrets to each GitHub **Environment** (dev, staging, prod): **Settings → Environments → <env> → Environment secrets**.
 
 | Secret                  | Description                       | Example                                       |
 | ----------------------- | --------------------------------- | --------------------------------------------- |
@@ -53,16 +53,16 @@ Bootstrap prints these values. For local runs, copy `infra/.env.local.example` t
 **Bash:**
 
 ```bash
-./infra/scripts/terraform-init.sh dev   # or uat, prod
+./infra/scripts/terraform-init.sh dev   # or staging, prod
 ```
 
 **PowerShell:**
 
 ```powershell
-.\infra\scripts\terraform-init.ps1 -Env dev   # or uat, prod
+.\infra\scripts\terraform-init.ps1 -Env dev   # or staging, prod
 ```
 
-Valid environments: `dev`, `uat`, `prod`.
+Valid environments: `dev`, `staging`, `prod`.
 
 ### 4. Plan and apply
 
@@ -74,11 +74,11 @@ terraform apply
 
 ## Environments
 
-| Env  | Purpose         |
-| ---- | --------------- |
-| dev  | Development     |
-| uat  | User acceptance |
-| prod | Production      |
+| Env     | Purpose     |
+| ------- | ----------- |
+| dev     | Development |
+| staging | Staging     |
+| prod    | Production  |
 
 ## CI/CD
 
@@ -104,6 +104,6 @@ pnpm format
 
 - [PRD](docs/PRD.md) – Product requirements
 - [Terraform Blueprint](docs/Terraform_Blueprint.md) – Infrastructure design
-- [CI/CD Runbook](docs/CI_CD.md) – workflow behavior, UAT toggle, smoke tests
+- [CI/CD Runbook](docs/CI_CD.md) – workflow behavior, staging toggle, smoke tests
 - [Azure OIDC Setup](docs/AZURE_OIDC_SETUP.md) – GitHub Actions OIDC configuration
 - [Secrets Checklist](docs/SECRETS.md) – Copy/paste setup for GitHub environment secrets

dashboard/app.js

@@ -53,7 +53,7 @@ function escHtml(s) {
 
 function deriveEnv(url) {
   if (!url) return null;
-  const m = url.match(/pvc-(dev|uat|prod)-/);
+  const m = url.match(/pvc-(dev|staging|prod)-/);
   return m ? m[1] : null;
 }
 

docs/AZURE_OIDC_SETUP.md

@@ -12,7 +12,7 @@ If you see:
 Error: AADSTS700213: No matching federated identity record found for presented assertion subject 'repo:phoenixvc/ai-gateway:environment:dev'
 ```
 
-**Cause:** The workflow uses `environment: dev` (and uat/prod), so the OIDC subject is `repo:org/repo:environment:dev`. Azure must have a federated credential with that exact subject.
+**Cause:** The workflow uses `environment: dev` (and staging/prod), so the OIDC subject is `repo:org/repo:environment:dev`. Azure must have a federated credential with that exact subject.
 
 ### Fix: Add environment federated credentials
 
@@ -32,21 +32,21 @@ az ad app list --display-name pvc-shared-github-actions-oidc --query "[0].appId"
 
 1. Go to **Azure Portal** → **Microsoft Entra ID** → **App registrations** → your app (e.g. `pvc-shared-github-actions-oidc`)
 2. **Certificates & secrets** → **Federated credentials** → **Add credential**
-3. For each environment (dev, uat, prod), add:
+3. For each environment (dev, staging, prod), add:
    - **Federated credential scenario:** GitHub Actions deploying Azure resources
    - **Organization:** phoenixvc
    - **Repository:** ai-gateway
    - **Entity type:** Environment
-   - **Environment name:** dev (or uat, prod)
-   - **Name:** github-actions-dev (or uat, prod)
+   - **Environment name:** dev (or staging, prod)
+   - **Name:** github-actions-dev (or staging, prod)
 
 ### Subject formats
 
-| Workflow config      | OIDC subject                                    |
-| -------------------- | ----------------------------------------------- |
-| `environment: dev`   | `repo:phoenixvc/ai-gateway:environment:dev`     |
-| `environment: uat`   | `repo:phoenixvc/ai-gateway:environment:uat`     |
-| `environment: prod`  | `repo:phoenixvc/ai-gateway:environment:prod`    |
-| Branch only (no env) | `repo:phoenixvc/ai-gateway:ref:refs/heads/main` |
+| Workflow config        | OIDC subject                                    |
+| ---------------------- | ----------------------------------------------- |
+| `environment: dev`     | `repo:phoenixvc/ai-gateway:environment:dev`     |
+| `environment: staging` | `repo:phoenixvc/ai-gateway:environment:staging` |
+| `environment: prod`    | `repo:phoenixvc/ai-gateway:environment:prod`    |
+| Branch only (no env)   | `repo:phoenixvc/ai-gateway:ref:refs/heads/main` |
 
 The federated credential **Subject** in Azure must match exactly.

docs/CI_CD.md

@@ -6,15 +6,15 @@ This document describes the current GitHub Actions deployment behavior for `ai-g
 
 - PRs from forks are skipped for deployment-related jobs (no repo secrets).
 - PRs targeting `dev` run `plan` + `deploy-dev`.
-- PRs targeting `main` run UAT only when the PR has label `run-uat`.
+- PRs targeting `main` run staging only when the PR has label `run-staging`.
 - Push to `main` and `workflow_dispatch` run `plan` + `deploy-prod`.
 
-## Runtime UAT toggle
+## Runtime staging toggle
 
-UAT deployment for PRs to `main` is controlled by PR label:
+staging deployment for PRs to `main` is controlled by PR label:
 
-- Add label `run-uat` to enable `deploy-uat` for that PR.
-- Remove label `run-uat` to disable UAT for that PR.
+- Add label `run-staging` to enable `deploy-staging` for that PR.
+- Remove label `run-staging` to disable staging for that PR.
 
 ## Smoke test behavior
 

docs/PRD.md

@@ -15,7 +15,7 @@ Roo/Qoder currently struggles with Azure model/operation mismatches. A gateway n
 2.  Support:
     - `POST /v1/responses` routed to Azure **Responses** endpoint for configurable model (default: `gpt-5.3-codex`).
     - `POST /v1/embeddings` routed to Azure embeddings deployment.
-3.  Enable **multiple environments** (dev/uat/prod) and **multiple downstream projects**.
+3.  Enable **multiple environments** (dev/staging/prod) and **multiple downstream projects**.
 4.  Infrastructure managed with **Terraform**.
 5.  CI/CD via **GitHub Actions** using **Azure OIDC** (no long-lived secrets).
 6.  “Get it working” first; hardening follows.
@@ -29,7 +29,7 @@ Roo/Qoder currently struggles with Azure model/operation mismatches. A gateway n
 ## 3) Environments
 
 - `dev`
-- `uat`
+- `staging`
 - `prod`
 
 Each env is independently deployable.
@@ -150,7 +150,7 @@ Gateway must expose:
   - `docs/` - Documentation.
   - `infra/`
     - `modules/aigateway_aca` - Core Terraform module.
-    - `env/dev|uat|prod` - Environment-specific configurations.
+    - `env/dev|staging|prod` - Environment-specific configurations.
   - `.github/workflows/` - CI/CD pipelines.
   - `scripts/` - Helper scripts (bootstrap).
 
@@ -161,13 +161,13 @@ Gateway must expose:
 - **Phase 1: Terraform & CI/CD**
   - Terraform defines infra.
   - GitHub Actions deploys using Azure OIDC.
-  - Dev auto-apply on merge; UAT/Prod gated with environment approvals.
+  - Dev auto-apply on merge; Staging/Prod gated with environment approvals.
 
 ## 10) Acceptance criteria
 
 1.  Roo/Qoder can use gateway for coding with configured model (default `gpt-5.3-codex`) without `chatCompletion operation does not work`.
 2.  Codebase indexing completes using embeddings through the gateway.
-3.  Dev/UAT/Prod are reproducible via Terraform + Actions.
+3.  Dev/staging/Prod are reproducible via Terraform + Actions.
 4.  No secrets committed.
 
 ## 11) Risks & mitigations
@@ -180,5 +180,5 @@ Gateway must expose:
 
 - M0: Repo setup, Bootstrap scripts (OIDC, State Backend).
 - M1: Dev env deployed; smoke tests pass; Roo works.
-- M2: UAT + Prod; environment approvals.
+- M2: staging + Prod; environment approvals.
 - M3: Hardening (Front Door/WAF, Entra auth).

docs/SECRETS.md

@@ -2,17 +2,17 @@
 
 Copy this checklist when setting up environments for this repo.
 
-For workflow behavior (dev/uat/prod triggers, PR label `run-uat`, and smoke-test flow), see [CI_CD.md](CI_CD.md).
+For workflow behavior (dev/staging/prod triggers, PR label `run-staging`, and smoke-test flow), see [CI_CD.md](CI_CD.md).
 
 ## Where to add secrets
 
 Add these as **Environment secrets** in GitHub:
 
 - **Settings → Environments → dev → Environment secrets**
-- **Settings → Environments → uat → Environment secrets**
+- **Settings → Environments → staging → Environment secrets**
 - **Settings → Environments → prod → Environment secrets**
 
-> This workflow is environment-based (`environment: dev|uat|prod`), so each environment should have the full secret set.
+> This workflow is environment-based (`environment: dev|staging|prod`), so each environment should have the full secret set.
 
 ## Required secrets (all environments)
 
@@ -53,7 +53,7 @@ When `STATE_SERVICE_CONTAINER_IMAGE` is set (state-service enabled), set this se
 
 ## Copy/paste template
 
-Use this block as a setup checklist when creating/updating `dev`, `uat`, and `prod`:
+Use this block as a setup checklist when creating/updating `dev`, `staging`, and `prod`:
 
 ```text
 AZURE_CLIENT_ID=<GUID>
@@ -82,13 +82,13 @@ STATE_SERVICE_REGISTRY_PASSWORD=<ghcr-read-packages-token>   # required for priv
 - [ ] `AIGATEWAY_KEY` matches the key expected by the deployed gateway.
 - [ ] OIDC federated credentials exist for each environment subject:
   - `repo:phoenixvc/ai-gateway:environment:dev`
-  - `repo:phoenixvc/ai-gateway:environment:uat`
+  - `repo:phoenixvc/ai-gateway:environment:staging`
   - `repo:phoenixvc/ai-gateway:environment:prod`
 
-## Runtime UAT toggle
+## Runtime staging toggle
 
-- UAT deploy on PRs into `main` is controlled by PR label `run-uat`.
-- Add label `run-uat` to enable `deploy-uat` for that PR.
-- Remove label `run-uat` to skip UAT for that PR.
+- Staging deploy on PRs into `main` is controlled by PR label `run-staging`.
+- Add label `run-staging` to enable `deploy-staging` for that PR.
+- Remove label `run-staging` to skip staging for that PR.
 
 For OIDC troubleshooting, see [AZURE_OIDC_SETUP.md](AZURE_OIDC_SETUP.md).

docs/Terraform_Blueprint.md

@@ -3,7 +3,7 @@
 This canvas includes a working Terraform scaffold:
 
 - `infra/modules/aigateway_aca`
-- `infra/env/dev|uat|prod`
+- `infra/env/dev|staging|prod`
 - Shared state configured via `terraform init -backend-config=...` in GitHub Actions
 
 > Notes:
@@ -27,7 +27,7 @@ infra/
       main.tf
       variables.tf
       terraform.tfvars
-    uat/
+    staging/
       main.tf
       variables.tf
       terraform.tfvars
@@ -44,7 +44,7 @@ infra/
 ```hcl
 variable "env" {
   type        = string
-  description = "Environment name (dev|uat|prod)"
+  description = "Environment name (dev|staging|prod)"
 }
 
 variable "projname" {
@@ -343,7 +343,7 @@ output "key_vault_name" {
 
 ## 5) Env stacks
 
-### 5.1 `infra/env/dev/variables.tf` (repeat for uat/prod)
+### 5.1 `infra/env/dev/variables.tf` (repeat for staging/prod)
 
 ```hcl
 variable "env" { type = string }
@@ -441,7 +441,7 @@ tags = {
 }
 ```
 
-Repeat the env folders for `uat` and `prod`, changing only `env` and tags.
+Repeat the env folders for `staging` and `prod`, changing only `env` and tags.
 
 ---