feat: comprehensive telemetry audit - add command-specific usage attributes

- Add telemetry to auth, config, env, hooks, templates, pipeline, monitor, show, infra commands
- Add 16 new telemetry field constants for command-specific attributes
- Fix user identity tracking with Anonymous account type fallback
- Fix flaky TestStateCacheManager_TTL timing issue
- Add audit documentation: feature matrix, schema, privacy checklist, audit process
- Add telemetry field contract tests and CI coverage check

Resolves #1772

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jongio

cli/azd/cmd/auth_login.go

@@ -20,6 +20,8 @@ import (
 	"github.com/azure/azure-dev/cli/azd/cmd/actions"
 	"github.com/azure/azure-dev/cli/azd/internal"
 	"github.com/azure/azure-dev/cli/azd/internal/runcontext"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing/fields"
 	"github.com/azure/azure-dev/cli/azd/pkg/account"
 	"github.com/azure/azure-dev/cli/azd/pkg/auth"
 	"github.com/azure/azure-dev/cli/azd/pkg/contracts"
@@ -307,6 +309,7 @@ func (la *loginAction) Run(ctx context.Context) (*actions.ActionResult, error) {
 	}
 
 	if la.flags.onlyCheckStatus {
+		tracing.SetUsageAttributes(fields.AuthMethodKey.String("check-status"))
 		// In check status mode, we always print the final status to stdout.
 		// We print any non-setup related errors to stderr.
 		// We always return a zero exit code.
@@ -452,6 +455,11 @@ func runningOnCodespacesBrowser(ctx context.Context, commandRunner exec.CommandR
 }
 
 func (la *loginAction) login(ctx context.Context) error {
+	// Track hashed tenant ID if provided (before resolving from env vars)
+	if la.flags.tenantID != "" {
+		tracing.SetUsageAttributes(fields.StringHashed(fields.TenantIdKey, la.flags.tenantID))
+	}
+
 	if la.flags.federatedTokenProvider == azurePipelinesProvider {
 		if la.flags.clientID == "" {
 			log.Printf("setting client id from environment variable %s", azurePipelinesClientIDEnvVarName)
@@ -465,6 +473,7 @@ func (la *loginAction) login(ctx context.Context) error {
 	}
 
 	if la.flags.managedIdentity {
+		tracing.SetUsageAttributes(fields.AuthMethodKey.String("managed-identity"))
 		if _, err := la.authManager.LoginWithManagedIdentity(
 			ctx, la.flags.clientID,
 		); err != nil {
@@ -494,6 +503,7 @@ func (la *loginAction) login(ctx context.Context) error {
 
 		switch {
 		case la.flags.clientSecret.ptr != nil:
+			tracing.SetUsageAttributes(fields.AuthMethodKey.String("service-principal-secret"))
 			if *la.flags.clientSecret.ptr == "" {
 				v, err := la.console.Prompt(ctx, input.ConsoleOptions{
 					Message: "Enter your client secret",
@@ -510,6 +520,7 @@ func (la *loginAction) login(ctx context.Context) error {
 				return fmt.Errorf("logging in: %w", err)
 			}
 		case la.flags.clientCertificate != "":
+			tracing.SetUsageAttributes(fields.AuthMethodKey.String("service-principal-certificate"))
 			certFile, err := os.Open(la.flags.clientCertificate)
 			if err != nil {
 				return fmt.Errorf("reading certificate: %w", err)
@@ -527,12 +538,14 @@ func (la *loginAction) login(ctx context.Context) error {
 				return fmt.Errorf("logging in: %w", err)
 			}
 		case la.flags.federatedTokenProvider == "github":
+			tracing.SetUsageAttributes(fields.AuthMethodKey.String("federated-github"))
 			if _, err := la.authManager.LoginWithGitHubFederatedTokenProvider(
 				ctx, la.flags.tenantID, la.flags.clientID,
 			); err != nil {
 				return fmt.Errorf("logging in: %w", err)
 			}
 		case la.flags.federatedTokenProvider == azurePipelinesProvider:
+			tracing.SetUsageAttributes(fields.AuthMethodKey.String("federated-azure-pipelines"))
 			serviceConnectionID := os.Getenv(azurePipelinesServiceConnectionIDEnvVarName)
 
 			if serviceConnectionID == "" {
@@ -546,6 +559,7 @@ func (la *loginAction) login(ctx context.Context) error {
 				return fmt.Errorf("logging in: %w", err)
 			}
 		case la.flags.federatedTokenProvider == "oidc": // generic oidc provider
+			tracing.SetUsageAttributes(fields.AuthMethodKey.String("federated-oidc"))
 			if _, err := la.authManager.LoginWithOidcFederatedTokenProvider(
 				ctx, la.flags.tenantID, la.flags.clientID,
 			); err != nil {
@@ -557,6 +571,7 @@ func (la *loginAction) login(ctx context.Context) error {
 	}
 
 	if la.authManager.UseExternalAuth() {
+		tracing.SetUsageAttributes(fields.AuthMethodKey.String("external"))
 		// Request a token and assume the external auth system will prompt the user to log in.
 		//
 		// TODO(ellismg): We may want instead to call some explicit `/login` endpoint on the external auth system instead
@@ -581,6 +596,7 @@ func (la *loginAction) login(ctx context.Context) error {
 	}
 
 	if useDevCode {
+		tracing.SetUsageAttributes(fields.AuthMethodKey.String("device-code"))
 		_, err = la.authManager.LoginWithDeviceCode(ctx, la.flags.tenantID, la.flags.scopes, claims,
 			func(url string) error {
 				if !la.flags.global.NoPrompt {
@@ -598,8 +614,10 @@ func (la *loginAction) login(ctx context.Context) error {
 	}
 
 	if oneauth.Supported && !la.flags.browser {
+		tracing.SetUsageAttributes(fields.AuthMethodKey.String("oneauth"))
 		err = la.authManager.LoginWithOneAuth(ctx, la.flags.tenantID, la.flags.scopes)
 	} else {
+		tracing.SetUsageAttributes(fields.AuthMethodKey.String("browser"))
 		_, err = la.authManager.LoginInteractive(ctx, la.flags.scopes, claims,
 			&auth.LoginInteractiveOptions{
 				TenantID:     la.flags.tenantID,

cli/azd/cmd/auth_logout.go

@@ -9,6 +9,8 @@ import (
 	"io"
 
 	"github.com/azure/azure-dev/cli/azd/cmd/actions"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing/fields"
 	"github.com/azure/azure-dev/cli/azd/pkg/account"
 	"github.com/azure/azure-dev/cli/azd/pkg/auth"
 	"github.com/azure/azure-dev/cli/azd/pkg/input"
@@ -54,6 +56,8 @@ func newLogoutAction(
 }
 
 func (la *logoutAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.AuthMethodKey.String("logout"))
+
 	if la.annotations[loginCmdParentAnnotation] == "" {
 		fmt.Fprintln(
 			la.console.Handles().Stderr,

cli/azd/cmd/auth_status.go

@@ -14,6 +14,8 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/azure/azure-dev/cli/azd/cmd/actions"
 	"github.com/azure/azure-dev/cli/azd/internal"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing/fields"
 	"github.com/azure/azure-dev/cli/azd/internal/tracing/resource"
 	"github.com/azure/azure-dev/cli/azd/pkg/auth"
 	"github.com/azure/azure-dev/cli/azd/pkg/contracts"
@@ -71,6 +73,7 @@ func newAuthStatusAction(
 }
 
 func (a *authStatusAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.AuthMethodKey.String("check-status"))
 	loginMode, err := a.authManager.Mode()
 	if err != nil {
 		log.Printf("error: fetching auth mode: %v", err)

cli/azd/cmd/config.go

@@ -17,6 +17,8 @@ import (
 	"github.com/MakeNowJust/heredoc/v2"
 	"github.com/azure/azure-dev/cli/azd/cmd/actions"
 	"github.com/azure/azure-dev/cli/azd/internal"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing/fields"
 	"github.com/azure/azure-dev/cli/azd/pkg/alpha"
 	"github.com/azure/azure-dev/cli/azd/pkg/config"
 	"github.com/azure/azure-dev/cli/azd/pkg/input"
@@ -207,6 +209,7 @@ func newConfigShowAction(
 
 // Executes the `azd config show` action
 func (a *configShowAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.ConfigOperationKey.String("show"))
 	azdConfig, err := a.configManager.Load()
 	if err != nil {
 		return nil, err
@@ -276,6 +279,7 @@ func newConfigGetAction(
 
 // Executes the `azd config get <path>` action
 func (a *configGetAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.ConfigOperationKey.String("get"))
 	azdConfig, err := a.configManager.Load()
 	if err != nil {
 		return nil, err
@@ -317,6 +321,7 @@ func newConfigSetAction(configManager config.UserConfigManager, args []string) a
 
 // Executes the `azd config set <path> <value>` action
 func (a *configSetAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.ConfigOperationKey.String("set"))
 	azdConfig, err := a.configManager.Load()
 	if err != nil {
 		return nil, err
@@ -349,6 +354,7 @@ func newConfigUnsetAction(configManager config.UserConfigManager, args []string)
 
 // Executes the `azd config unset <path>` action
 func (a *configUnsetAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.ConfigOperationKey.String("unset"))
 	azdConfig, err := a.configManager.Load()
 	if err != nil {
 		return nil, err
@@ -399,6 +405,7 @@ func newConfigResetAction(
 
 // Executes the `azd config reset` action
 func (a *configResetAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.ConfigOperationKey.String("reset"))
 	a.console.MessageUxItem(ctx, &ux.MessageTitle{
 		Title: "Reset configuration (azd config reset)",
 	})
@@ -473,6 +480,7 @@ type configListAlphaAction struct {
 }
 
 func (a *configListAlphaAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.ConfigOperationKey.String("list-alpha"))
 	features, err := a.alphaFeaturesManager.ListFeatures()
 	if err != nil {
 		return nil, err
@@ -569,6 +577,7 @@ func newConfigOptionsAction(
 }
 
 func (a *configOptionsAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.ConfigOperationKey.String("options"))
 	options := config.GetAllConfigOptions()
 
 	// Load current config to show current values

cli/azd/cmd/env.go

@@ -17,6 +17,8 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
 	"github.com/azure/azure-dev/cli/azd/cmd/actions"
 	"github.com/azure/azure-dev/cli/azd/internal"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing/fields"
 	"github.com/azure/azure-dev/cli/azd/pkg/account"
 	"github.com/azure/azure-dev/cli/azd/pkg/alpha"
 	"github.com/azure/azure-dev/cli/azd/pkg/azapi"
@@ -213,6 +215,7 @@ func newEnvSetAction(
 }
 
 func (e *envSetAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.EnvOperationKey.String("set"))
 	// To track case conflicts
 	dotEnv := e.env.Dotenv()
 	keyValues := make(map[string]string)
@@ -364,6 +367,7 @@ type envSetSecretAction struct {
 }
 
 func (e *envSetSecretAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.EnvOperationKey.String("set-secret"))
 	if len(e.args) < 1 {
 		return nil, &internal.ErrorWithSuggestion{
 			Err:        internal.ErrNoArgsProvided,
@@ -784,6 +788,7 @@ func newEnvSelectAction(
 }
 
 func (e *envSelectAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.EnvOperationKey.String("select"))
 	var environmentName string
 
 	// If no argument provided, prompt the user to select an environment
@@ -868,12 +873,15 @@ func newEnvListAction(
 }
 
 func (e *envListAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.EnvOperationKey.String("list"))
 	envs, err := e.envManager.List(ctx)
 
 	if err != nil {
 		return nil, fmt.Errorf("listing environments: %w", err)
 	}
 
+	tracing.SetUsageAttributes(fields.EnvCountKey.Int(len(envs)))
+
 	if e.formatter.Kind() == output.TableFormat {
 		columns := []output.Column{
 			{
@@ -967,6 +975,7 @@ func newEnvNewAction(
 }
 
 func (en *envNewAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.EnvOperationKey.String("new"))
 	environmentName := ""
 	if len(en.args) >= 1 {
 		environmentName = en.args[0]
@@ -1141,6 +1150,7 @@ func newEnvRefreshAction(
 }
 
 func (ef *envRefreshAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.EnvOperationKey.String("refresh"))
 	// Command title
 	ef.console.MessageUxItem(ctx, &ux.MessageTitle{
 		Title: fmt.Sprintf("Refreshing environment %s (azd env refresh)", ef.env.Name()),
@@ -1301,6 +1311,7 @@ func newEnvGetValuesAction(
 }
 
 func (eg *envGetValuesAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.EnvOperationKey.String("get-values"))
 	name, err := eg.azdCtx.GetDefaultEnvironmentName()
 	if err != nil {
 		return nil, err
@@ -1393,6 +1404,7 @@ func newEnvGetValueAction(
 }
 
 func (eg *envGetValueAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.EnvOperationKey.String("get-value"))
 	if len(eg.args) < 1 {
 		return nil, &internal.ErrorWithSuggestion{
 			Err:        internal.ErrNoKeyNameProvided,
@@ -1497,6 +1509,7 @@ func newEnvConfigGetAction(
 }
 
 func (a *envConfigGetAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.EnvOperationKey.String("config-get"))
 	name, err := a.azdCtx.GetDefaultEnvironmentName()
 	if err != nil {
 		return nil, err
@@ -1595,6 +1608,7 @@ func newEnvConfigSetAction(
 }
 
 func (a *envConfigSetAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.EnvOperationKey.String("config-set"))
 	name, err := a.azdCtx.GetDefaultEnvironmentName()
 	if err != nil {
 		return nil, err
@@ -1695,6 +1709,7 @@ func newEnvConfigUnsetAction(
 }
 
 func (a *envConfigUnsetAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.EnvOperationKey.String("config-unset"))
 	name, err := a.azdCtx.GetDefaultEnvironmentName()
 	if err != nil {
 		return nil, err

cli/azd/cmd/env_remove.go

@@ -12,6 +12,8 @@ import (
 
 	"github.com/azure/azure-dev/cli/azd/cmd/actions"
 	"github.com/azure/azure-dev/cli/azd/internal"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing/fields"
 	"github.com/azure/azure-dev/cli/azd/pkg/environment"
 	"github.com/azure/azure-dev/cli/azd/pkg/environment/azdcontext"
 	"github.com/azure/azure-dev/cli/azd/pkg/input"
@@ -111,6 +113,7 @@ func newEnvRemoveAction(
 }
 
 func (er *envRemoveAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	tracing.SetUsageAttributes(fields.EnvOperationKey.String("remove"))
 	// Command title
 	er.console.MessageUxItem(ctx, &ux.MessageTitle{
 		Title: "Remove an environment (azd env remove)",

cli/azd/cmd/hooks.go

@@ -9,6 +9,8 @@ import (
 
 	"github.com/azure/azure-dev/cli/azd/cmd/actions"
 	"github.com/azure/azure-dev/cli/azd/internal"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing/fields"
 	"github.com/azure/azure-dev/cli/azd/pkg/environment"
 	"github.com/azure/azure-dev/cli/azd/pkg/exec"
 	"github.com/azure/azure-dev/cli/azd/pkg/ext"
@@ -118,6 +120,15 @@ const (
 func (hra *hooksRunAction) Run(ctx context.Context) (*actions.ActionResult, error) {
 	hookName := hra.args[0]
 
+	hookType := "project"
+	if hra.flags.service != "" {
+		hookType = "service"
+	}
+	tracing.SetUsageAttributes(
+		fields.HooksNameKey.String(hookName),
+		fields.HooksTypeKey.String(hookType),
+	)
+
 	// Command title
 	hra.console.MessageUxItem(ctx, &ux.MessageTitle{
 		Title: "Running hooks (azd hooks run)",

cli/azd/cmd/infra_generate.go

@@ -13,6 +13,8 @@ import (
 
 	"github.com/azure/azure-dev/cli/azd/cmd/actions"
 	"github.com/azure/azure-dev/cli/azd/internal"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing/fields"
 	"github.com/azure/azure-dev/cli/azd/pkg/alpha"
 	"github.com/azure/azure-dev/cli/azd/pkg/environment/azdcontext"
 	"github.com/azure/azure-dev/cli/azd/pkg/input"
@@ -85,6 +87,11 @@ func newInfraGenerateAction(
 }
 
 func (a *infraGenerateAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	// Track infra provider from project configuration
+	if a.projectConfig != nil && a.projectConfig.Infra.Provider != "" {
+		tracing.SetUsageAttributes(fields.InfraProviderKey.String(string(a.projectConfig.Infra.Provider)))
+	}
+
 	if a.calledAs == "synth" {
 		fmt.Fprintln(
 			a.console.Handles().Stderr,

cli/azd/cmd/monitor.go

@@ -9,6 +9,8 @@ import (
 
 	"github.com/azure/azure-dev/cli/azd/cmd/actions"
 	"github.com/azure/azure-dev/cli/azd/internal"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing"
+	"github.com/azure/azure-dev/cli/azd/internal/tracing/fields"
 	"github.com/azure/azure-dev/cli/azd/pkg/account"
 	"github.com/azure/azure-dev/cli/azd/pkg/alpha"
 	"github.com/azure/azure-dev/cli/azd/pkg/apphost"
@@ -100,6 +102,15 @@ func (m *monitorAction) Run(ctx context.Context) (*actions.ActionResult, error)
 		m.flags.monitorOverview = true
 	}
 
+	// Track which monitor type was selected
+	monitorType := "overview"
+	if m.flags.monitorLive {
+		monitorType = "live"
+	} else if m.flags.monitorLogs {
+		monitorType = "logs"
+	}
+	tracing.SetUsageAttributes(fields.MonitorTypeKey.String(monitorType))
+
 	if m.env.GetSubscriptionId() == "" {
 		return nil, &internal.ErrorWithSuggestion{
 			Err:        internal.ErrInfraNotProvisioned,