================================================================================
VIOLATION REPORT FOR TASK 7_withouths_drift_alert_1_412225437_new
================================================================================

Total Violations: 5
================================================================================


================================================================================
VIOLATION #1
================================================================================

Step Index: 2
Assertion Name: kusto_invocation_requires_predefined_query_and_correct_cluster
Invariant Type: CAPABILITY
Check Type: python_check
Severity: medium

Check Hint:
----------------------------------------
When KustoAgent runs a query, it must be a predefined query present in the plan or prior Orchestrator instruction, and the query must be tailored to the incident's cluster (no placeholders like TODO/TBD/<CLUSTER>). Verify that a kusto code block exists earlier and that the current query's clusterName matches the cluster parsed from the incident description.
----------------------------------------

Evidence:
----------------------------------------
Current Event:
  Role: KustoAgent
  Content:
    **Kusto Query:**
    let driftedSettingName = 'VncEndpointCandidates';
    cluster('azurecm').database('AzureCM').NetworkServiceManagerEvents
    | where PreciseTimeStamp > ago(6h)
    | where TaskName == 'ChangedSetting' and Message has driftedSettingName
    | parse Message with 'name="' SettingName '" value="' SettingValue '" buildVersion="' BuildVersion '"'
    | project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region
    | summarize arg_max(nsmTime, *) by Region, Tenant, SettingName
    | extend _key = tolower(Tenant)
    | join kind = leftouter (
    cluster('aznwsdn').database('aznwmds').NSMGoalState
    | where DataIngestionTime > ago(1d)
    | where not(InFlight)
    | where SettingName =~ driftedSettingName
    | summarize arg_max(DataIngestionTime, *) by ClusterName
    | project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)
    ) on _key
    | where ClusterName != ""
    | where ActualValue !~ ExpectedValue
    | project Region, ClusterName, ExpectedValue
    
     semantic_query_matcher: True 
    
    stub match:True 
    
    **Kusto result:**
    Query successful. 5 rows stored in Pandas DataFrame.
    df.head():
    |    | Region      | ClusterName   | ExpectedValue   |
    |---:|:------------|:--------------|:----------------|
    |  0 | usstagesc   | TPA20PrdApp75 | AsyncWcf        |
    |  1 | useast2euap | GGA20PrdApp49 | 20              |
    |  2 | usstagesc   | ORA20PrdApp83 | AsyncWcf        |
    |  3 | usstagesc   | QHA20PrdApp32 | 20              |
    |  4 | usstagee    | XTA20PrdApp12 | False           |

Matched Substeps:
  Sub-index: 5
  Role: KustoAgent
----------------------------------------

Taxonomy Targets:
  - InvalidInvocation
  - Instruction/PlanAdherenceFailure
  - IntentPlanMisalignment

================================================================================
VIOLATION #2
================================================================================

Step Index: 4
Assertion Name: kusto_invocation_requires_predefined_query_and_correct_cluster
Invariant Type: CAPABILITY
Check Type: python_check
Severity: medium

Check Hint:
----------------------------------------
When KustoAgent runs a query, it must be a predefined query present in the plan or prior Orchestrator instruction, and the query must be tailored to the incident's cluster (no placeholders like TODO/TBD/<CLUSTER>). Verify that a kusto code block exists earlier and that the current query's clusterName matches the cluster parsed from the incident description.
----------------------------------------

Evidence:
----------------------------------------
Current Event:
  Role: KustoAgent
  Content:
    **Kusto Query:**
    let clusterName = 'TPA20PrdApp75';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    let clusterName = 'GGA20PrdApp49';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    let clusterName = 'ORA20PrdApp83';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    let clusterName = 'QHA20PrdApp32';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    let clusterName = 'XTA20PrdApp12';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
     semantic_query_matcher: True 
    
    stub match:False 
    
    **Kusto result:**
    KustoApiError: Request is invalid and cannot be processed: Syntax error: SYN0002: Expected: , [line:position=4:30]; 

Matched Substeps:
  Sub-index: 5
  Role: KustoAgent
  Sub-index: 10
  Role: KustoAgent
  Sub-index: 15
  Role: KustoAgent
  Sub-index: 24
  Role: KustoAgent
----------------------------------------

Taxonomy Targets:
  - InvalidInvocation
  - Instruction/PlanAdherenceFailure
  - IntentPlanMisalignment

================================================================================
VIOLATION #3
================================================================================

Step Index: 4
Assertion Name: kusto_agent_must_execute_single_query_per_invocation
Invariant Type: CAPABILITY
Check Type: python_check
Severity: medium

Check Hint:
----------------------------------------
For Step-4 cluster traffic verification, the KustoAgent must execute exactly one Kusto query per invocation. Detect and flag any KustoAgent substep content that includes multiple 'let clusterName =' declarations or multiple 'cluster(' calls, which indicates batching multiple queries in a single call and will cause syntax errors.
----------------------------------------

Evidence:
----------------------------------------
Current Event:
  Role: KustoAgent
  Content:
    **Kusto Query:**
    let clusterName = 'TPA20PrdApp75';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    let clusterName = 'GGA20PrdApp49';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    let clusterName = 'ORA20PrdApp83';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    let clusterName = 'QHA20PrdApp32';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    let clusterName = 'XTA20PrdApp12';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
     semantic_query_matcher: True 
    
    stub match:False 
    
    **Kusto result:**
    KustoApiError: Request is invalid and cannot be processed: Syntax error: SYN0002: Expected: , [line:position=4:30]; 

Matched Substeps:
  Sub-index: 5
  Role: KustoAgent
  Sub-index: 10
  Role: KustoAgent
  Sub-index: 15
  Role: KustoAgent
  Sub-index: 24
  Role: KustoAgent
----------------------------------------

Taxonomy Targets:
  - InvalidInvocation
  - Instruction/PlanAdherenceFailure

================================================================================
VIOLATION #4
================================================================================

Step Index: 4
Assertion Name: tenant_count_query_cluster_must_be_in_drifted_clusters
Invariant Type: RELATIONAL_POST
Check Type: python_check
Severity: medium

Check Hint:
----------------------------------------
Ensure that in Step-4, the clusterName used in the tenant count Kusto query matches one of the clusters identified as drifted in Step-2's KustoAgent result. Extract cluster names from Step-2 df.head and verify each 'let clusterName' in Step-4 KustoAgent content belongs to that set. If parsed and found mismatched (e.g., a different cluster like BY1PrdApp28), flag as violation.
----------------------------------------

Evidence:
----------------------------------------
Current Event:
  Role: KustoAgent
  Content:
    **Kusto Query:**
    let clusterName = 'TPA20PrdApp75';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    let clusterName = 'GGA20PrdApp49';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    let clusterName = 'ORA20PrdApp83';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    let clusterName = 'QHA20PrdApp32';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    let clusterName = 'XTA20PrdApp12';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
     semantic_query_matcher: True 
    
    stub match:False 
    
    **Kusto result:**
    KustoApiError: Request is invalid and cannot be processed: Syntax error: SYN0002: Expected: , [line:position=4:30]; 

Matched Substeps:
  Sub-index: 5
  Role: KustoAgent
  Sub-index: 10
  Role: KustoAgent
  Sub-index: 15
  Role: KustoAgent
  Sub-index: 24
  Role: KustoAgent
----------------------------------------

Taxonomy Targets:
  - IntentPlanMisalignment
  - RELATIONAL_POST

================================================================================
VIOLATION #5
================================================================================

Step Index: 5
Assertion Name: mitigation_clusters_must_be_subset_of_non_stage_drifted_set
Invariant Type: RELATIONAL_POST
Check Type: python_check
Severity: medium

Check Hint:
----------------------------------------
Any clusters referenced for mitigation at Step-5 must come from the previously identified drifted clusters after filtering out stage/canary regions in Step-3. Parse Step-2 Kusto df.head for (Region, ClusterName), remove stage/canary regions, then ensure Step-5 referenced cluster names are a subset of that non-stage set. If Step-3 indicated the filtered result is empty, Step-5 must not reference any clusters.
----------------------------------------

Evidence:
----------------------------------------
Current Event:
  Role: Orchestrator (Step-5)
  Content:
    
    Step-5

Matched Substeps:
  Sub-index: 1
  Role: Orchestrator (Step-5)
  Sub-index: 2
  Role: Orchestrator (thought)
  Sub-index: 3
  Role: Orchestrator (thought)
  Sub-index: 4
  Role: Orchestrator (thought)
  Sub-index: 5
  Role: Orchestrator (FINAL_ANSWER)
  Sub-index: 6
  Role: Orchestrator (final answer)
  Sub-index: 7
  Role: Orchestrator (termination condition)
----------------------------------------

Taxonomy Targets:
  - InventionOfNewInformation
  - IntentPlanMisalignment

================================================================================
END OF VIOLATION REPORT
================================================================================