From 3ec370c2a8acd1392c49c1db97114ae003d27e7a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 21 Apr 2026 21:20:36 +0000
Subject: [PATCH 1/4] Initial plan


From 61cc8c9538fadd12e963cd88042bf444162bf4dc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 21 Apr 2026 21:28:39 +0000
Subject: [PATCH 2/4] refactor: consolidate first-class tools and runtimes into
 colocated modules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Move compile-time (CompilerExtension) and runtime (Stage 3) code for
each tool/runtime into a single directory:

- tools/cache_memory/ — extension.rs + execute.rs
- tools/azure_devops/ — extension.rs
- runtimes/lean/ — extension.rs + mod.rs (config/helpers)

Infrastructure extensions (GitHub, SafeOutputs) remain in
compile/extensions/ as they are always-on and not user-configured.

compile/extensions/mod.rs re-exports tool/runtime extensions from
their new colocated homes.

Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/3cae398b-84f6-450a-8e39-31f2c20687f3

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
---
 src/compile/extensions/mod.rs                       | 10 ++++------
 src/compile/extensions/tests.rs                     |  2 +-
 src/compile/mod.rs                                  |  4 ++++
 .../lean.rs => runtimes/lean/extension.rs}          |  6 +++---
 src/runtimes/{lean.rs => lean/mod.rs}               |  4 ++++
 .../azure_devops/extension.rs}                      |  4 ++--
 src/tools/azure_devops/mod.rs                       |  9 +++++++++
 .../{cache_memory.rs => cache_memory/execute.rs}    |  0
 .../cache_memory/extension.rs}                      |  2 +-
 src/tools/cache_memory/mod.rs                       | 13 +++++++++++++
 src/tools/mod.rs                                    |  7 ++++++-
 11 files changed, 47 insertions(+), 14 deletions(-)
 rename src/{compile/extensions/lean.rs => runtimes/lean/extension.rs} (90%)
 rename src/runtimes/{lean.rs => lean/mod.rs} (98%)
 rename src/{compile/extensions/azure_devops.rs => tools/azure_devops/extension.rs} (99%)
 create mode 100644 src/tools/azure_devops/mod.rs
 rename src/tools/{cache_memory.rs => cache_memory/execute.rs} (100%)
 rename src/{compile/extensions/cache_memory.rs => tools/cache_memory/extension.rs} (97%)
 create mode 100644 src/tools/cache_memory/mod.rs

diff --git a/src/compile/extensions/mod.rs b/src/compile/extensions/mod.rs
index 124e0b5..a2fd0ed 100644
--- a/src/compile/extensions/mod.rs
+++ b/src/compile/extensions/mod.rs
@@ -351,16 +351,14 @@ macro_rules! extension_enum {
     };
 }
 
-mod azure_devops;
-mod cache_memory;
 mod github;
-mod lean;
 mod safe_outputs;
 
-pub use azure_devops::{AdoAuthMode, AzureDevOpsExtension};
-pub use cache_memory::CacheMemoryExtension;
+// Re-export tool/runtime extensions from their colocated homes
+pub use crate::tools::azure_devops::{AdoAuthMode, AzureDevOpsExtension};
+pub use crate::tools::cache_memory::CacheMemoryExtension;
 pub use github::GitHubExtension;
-pub use lean::LeanExtension;
+pub use crate::runtimes::lean::LeanExtension;
 pub use safe_outputs::SafeOutputsExtension;
 
 extension_enum! {
diff --git a/src/compile/extensions/tests.rs b/src/compile/extensions/tests.rs
index 848a136..a7a8771 100644
--- a/src/compile/extensions/tests.rs
+++ b/src/compile/extensions/tests.rs
@@ -1,5 +1,5 @@
 use super::*;
-use crate::compile::common::{ADO_MCP_SERVER_NAME, parse_markdown};
+use crate::compile::{ADO_MCP_SERVER_NAME, parse_markdown};
 use crate::compile::types::{AzureDevOpsToolConfig, CacheMemoryToolConfig};
 use crate::runtimes::lean::LeanRuntimeConfig;
 
diff --git a/src/compile/mod.rs b/src/compile/mod.rs
index 499bc0a..90b1643 100644
--- a/src/compile/mod.rs
+++ b/src/compile/mod.rs
@@ -24,6 +24,10 @@ pub use common::generate_mcpg_config;
 pub use common::MCPG_IMAGE;
 pub use common::MCPG_VERSION;
 pub use common::MCPG_PORT;
+pub use common::ADO_MCP_ENTRYPOINT;
+pub use common::ADO_MCP_IMAGE;
+pub use common::ADO_MCP_PACKAGE;
+pub use common::ADO_MCP_SERVER_NAME;
 pub use types::{CompileTarget, FrontMatter};
 
 /// Trait for pipeline compilers.
diff --git a/src/compile/extensions/lean.rs b/src/runtimes/lean/extension.rs
similarity index 90%
rename from src/compile/extensions/lean.rs
rename to src/runtimes/lean/extension.rs
index 2282b77..f510c19 100644
--- a/src/compile/extensions/lean.rs
+++ b/src/runtimes/lean/extension.rs
@@ -1,7 +1,7 @@
 // ─── Lean 4 ──────────────────────────────────────────────────────────
 
-use super::{CompileContext, CompilerExtension, ExtensionPhase};
-use crate::runtimes::lean::{self, LEAN_BASH_COMMANDS, LeanRuntimeConfig};
+use crate::compile::extensions::{CompileContext, CompilerExtension, ExtensionPhase};
+use super::{LEAN_BASH_COMMANDS, LeanRuntimeConfig, generate_lean_install};
 use anyhow::Result;
 
 /// Lean 4 runtime extension.
@@ -53,7 +53,7 @@ the toolchain. Lean files use the `.lean` extension.\n"
     }
 
     fn prepare_steps(&self) -> Vec<String> {
-        vec![lean::generate_lean_install(&self.config)]
+        vec![generate_lean_install(&self.config)]
     }
 
     fn validate(&self, ctx: &CompileContext) -> Result<Vec<String>> {
diff --git a/src/runtimes/lean.rs b/src/runtimes/lean/mod.rs
similarity index 98%
rename from src/runtimes/lean.rs
rename to src/runtimes/lean/mod.rs
index 8a01a6b..9c37e62 100644
--- a/src/runtimes/lean.rs
+++ b/src/runtimes/lean/mod.rs
@@ -8,6 +8,10 @@
 //! Lean is installed via elan (the Lean toolchain manager) into `$HOME/.elan/bin`,
 //! then symlinked into `/tmp/awf-tools/` for AWF chroot compatibility.
 
+pub mod extension;
+
+pub use extension::LeanExtension;
+
 use ado_aw_derive::SanitizeConfig;
 use serde::Deserialize;
 
diff --git a/src/compile/extensions/azure_devops.rs b/src/tools/azure_devops/extension.rs
similarity index 99%
rename from src/compile/extensions/azure_devops.rs
rename to src/tools/azure_devops/extension.rs
index 03c06d5..667fd0c 100644
--- a/src/compile/extensions/azure_devops.rs
+++ b/src/tools/azure_devops/extension.rs
@@ -1,10 +1,10 @@
 // ─── Azure DevOps MCP ────────────────────────────────────────────────
 
-use super::{
+use crate::compile::extensions::{
     CompileContext, CompilerExtension, ExtensionPhase, McpgServerConfig, PipelineEnvMapping,
 };
 use crate::allowed_hosts::mcp_required_hosts;
-use crate::compile::common::{
+use crate::compile::{
     ADO_MCP_ENTRYPOINT, ADO_MCP_IMAGE, ADO_MCP_PACKAGE, ADO_MCP_SERVER_NAME,
 };
 use crate::compile::types::AzureDevOpsToolConfig;
diff --git a/src/tools/azure_devops/mod.rs b/src/tools/azure_devops/mod.rs
new file mode 100644
index 0000000..1cf2a5e
--- /dev/null
+++ b/src/tools/azure_devops/mod.rs
@@ -0,0 +1,9 @@
+//! Azure DevOps first-class tool.
+//!
+//! Compile-time: injects network hosts (ADO domains), MCPG server entry
+//! (containerized ADO MCP), and compile-time validation (org inference,
+//! duplicate MCP).
+
+pub mod extension;
+
+pub use extension::{AdoAuthMode, AzureDevOpsExtension};
diff --git a/src/tools/cache_memory.rs b/src/tools/cache_memory/execute.rs
similarity index 100%
rename from src/tools/cache_memory.rs
rename to src/tools/cache_memory/execute.rs
diff --git a/src/compile/extensions/cache_memory.rs b/src/tools/cache_memory/extension.rs
similarity index 97%
rename from src/compile/extensions/cache_memory.rs
rename to src/tools/cache_memory/extension.rs
index d00e0a9..b58a2ee 100644
--- a/src/compile/extensions/cache_memory.rs
+++ b/src/tools/cache_memory/extension.rs
@@ -1,4 +1,4 @@
-use super::{CompilerExtension, ExtensionPhase};
+use crate::compile::extensions::{CompilerExtension, ExtensionPhase};
 use crate::compile::types::CacheMemoryToolConfig;
 
 /// Cache memory tool extension.
diff --git a/src/tools/cache_memory/mod.rs b/src/tools/cache_memory/mod.rs
new file mode 100644
index 0000000..a298df8
--- /dev/null
+++ b/src/tools/cache_memory/mod.rs
@@ -0,0 +1,13 @@
+//! Cache memory first-class tool.
+//!
+//! Compile-time: injects pipeline steps (download/restore previous memory)
+//! and a prompt supplement informing the agent about its memory directory.
+//!
+//! Stage 3 runtime: validates and copies sanitized memory files to the
+//! final safe_outputs artifact for pickup by the next run.
+
+pub mod execute;
+pub mod extension;
+
+pub use execute::{MemoryConfig, process_agent_memory};
+pub use extension::CacheMemoryExtension;
diff --git a/src/tools/mod.rs b/src/tools/mod.rs
index 6cace7d..d3d4537 100644
--- a/src/tools/mod.rs
+++ b/src/tools/mod.rs
@@ -1,10 +1,15 @@
 //! First-class tool implementations for the ado-aw compiler.
 //!
-//! These tools are configured via the `tools:` front-matter section and provide
+//! Each tool is colocated in its own subdirectory containing both
+//! compile-time (`extension.rs` — [`CompilerExtension`] impl) and
+//! runtime (`execute.rs` — Stage 3 logic) code where applicable.
+//!
+//! Tools are configured via the `tools:` front-matter section and provide
 //! built-in functionality that the compiler knows how to auto-configure
 //! (pipeline steps, MCPG entries, network allowlists, etc.).
 //!
 //! This is distinct from `safeoutputs/` which contains safe-output MCP tools
 //! that serialize to NDJSON in Stage 1 and execute in Stage 3.
 
+pub mod azure_devops;
 pub mod cache_memory;

From 0569d4b5bfcff24145db4bd1aeb4302f719f8418 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 21 Apr 2026 21:29:49 +0000
Subject: [PATCH 3/4] docs: update AGENTS.md with new directory structure and
 colocation methodology

Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/3cae398b-84f6-450a-8e39-31f2c20687f3

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
---
 AGENTS.md | 40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index e7f7bd1..93ffb59 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -29,7 +29,10 @@ Alongside the correctly generated pipeline yaml, an agent file is generated from
 │   │   ├── common.rs     # Shared helpers across targets
 │   │   ├── standalone.rs # Standalone pipeline compiler
 │   │   ├── onees.rs      # 1ES Pipeline Template compiler
-│   │   ├── extensions.rs # CompilerExtension trait for runtimes/tools
+│   │   ├── extensions/   # CompilerExtension trait and infrastructure extensions
+│   │   │   ├── mod.rs    # Trait, Extension enum, collect_extensions(), re-exports
+│   │   │   ├── github.rs # Always-on GitHub MCP extension
+│   │   │   └── safe_outputs.rs # Always-on SafeOutputs MCP extension
 │   │   └── types.rs      # Front matter grammar and types
 │   ├── init.rs           # Repository initialization for AI-first authoring
 │   ├── execute.rs        # Stage 3 safe output execution
@@ -65,18 +68,26 @@ Alongside the correctly generated pipeline yaml, an agent file is generated from
 │   │   ├── update_wiki_page.rs
 │   │   ├── update_work_item.rs
 │   │   └── upload_attachment.rs
-│   ├── runtimes/         # Runtime environment implementations
+│   ├── runtimes/         # Runtime environment implementations (one dir per runtime)
 │   │   ├── mod.rs        # Module entry point
-│   │   └── lean.rs       # Lean 4 theorem prover runtime
+│   │   └── lean/         # Lean 4 theorem prover runtime
+│   │       ├── mod.rs    # Config types, install helpers
+│   │       └── extension.rs # CompilerExtension impl
 │   ├── data/
 │   │   ├── base.yml          # Base pipeline template for standalone
 │   │   ├── 1es-base.yml      # Base pipeline template for 1ES target
 │   │   ├── ecosystem_domains.json # Network allowlists per ecosystem
 │   │   ├── init-agent.md     # Dispatcher agent template for `init` command
 │   │   └── threat-analysis.md # Threat detection analysis prompt template
-│   └── tools/            # First-class tool implementations (compiler auto-configures)
+│   └── tools/            # First-class tool implementations (one dir per tool)
 │       ├── mod.rs
-│       └── cache_memory.rs
+│       ├── azure_devops/  # Azure DevOps MCP tool
+│       │   ├── mod.rs
+│       │   └── extension.rs # CompilerExtension impl
+│       └── cache_memory/  # Persistent agent memory tool
+│           ├── mod.rs
+│           ├── extension.rs # CompilerExtension impl (compile-time)
+│           └── execute.rs   # Stage 3 runtime (validate/copy)
 ├── examples/             # Example agent definitions
 ├── tests/                # Integration tests and fixtures
 ├── Cargo.toml            # Rust dependencies
@@ -1489,13 +1500,24 @@ When extending the compiler:
 3. **New front matter fields**: Add fields to `FrontMatter` in `src/compile/types.rs`
 4. **New template markers**: Handle replacements in the target-specific compiler (e.g., `standalone.rs` or `onees.rs`)
 5. **New safe-output tools**: Add to `src/safeoutputs/` — implement `ToolResult`, `Executor`, register in `mod.rs`, `mcp.rs`, `execute.rs`
-6. **New first-class tools**: Add to `src/tools/` — extend `ToolsConfig` in `types.rs`, implement `CompilerExtension` trait in `src/compile/extensions.rs`, add collection in `collect_extensions()`
-7. **New runtimes**: Add to `src/runtimes/` — extend `RuntimesConfig` in `types.rs`, implement `CompilerExtension` trait in `src/compile/extensions.rs`, add collection in `collect_extensions()`
+6. **New first-class tools**: Create `src/tools/<name>/` with `mod.rs` and `extension.rs` (CompilerExtension impl). Add `execute.rs` if the tool has Stage 3 runtime logic. Extend `ToolsConfig` in `types.rs`, add collection in `collect_extensions()`
+7. **New runtimes**: Create `src/runtimes/<name>/` with `mod.rs` (config types) and `extension.rs` (CompilerExtension impl). Extend `RuntimesConfig` in `types.rs`, add collection in `collect_extensions()`
 8. **Validation**: Add compile-time validation for safe outputs and permissions
 
+#### Code Organization Principles
+
+The codebase follows a **colocation** principle for tools and runtimes:
+
+- **Tools** (`tools:` front matter) live in `src/tools/<name>/` — one directory per tool, containing both compile-time (`extension.rs`) and runtime (`execute.rs`) code. This means you can look at a single directory to understand everything a tool does.
+- **Runtimes** (`runtimes:` front matter) live in `src/runtimes/<name>/` — one directory per runtime, with config types in `mod.rs` and the `CompilerExtension` impl in `extension.rs`.
+- **Infrastructure extensions** (GitHub MCP, SafeOutputs MCP) that are always-on and not user-configured stay in `src/compile/extensions/`. These are internal plumbing, not user-facing tools.
+- **Safe outputs** (`safe-outputs:` front matter) stay in `src/safeoutputs/` — they follow a different lifecycle (Stage 1 NDJSON → Stage 3 execution) and are not `CompilerExtension` implementations.
+
+The `src/compile/extensions/mod.rs` file owns the `CompilerExtension` trait, the `Extension` enum, and `collect_extensions()`. It re-exports tool/runtime extension types from their colocated homes so the rest of the compiler can import them from a single path.
+
 #### `CompilerExtension` Trait
 
-Runtimes and first-party tools declare their compilation requirements via the `CompilerExtension` trait (`src/compile/extensions.rs`). Instead of scattering special-case `if` blocks across the compiler, each runtime/tool implements this trait and the compiler collects requirements generically:
+Runtimes and first-party tools declare their compilation requirements via the `CompilerExtension` trait (`src/compile/extensions/mod.rs`). Instead of scattering special-case `if` blocks across the compiler, each runtime/tool implements this trait and the compiler collects requirements generically:
 
 ```rust
 pub trait CompilerExtension: Send {
@@ -1509,7 +1531,7 @@ pub trait CompilerExtension: Send {
 }
 ```
 
-To add a new runtime or tool: (1) create a struct implementing `CompilerExtension`, (2) add a collection check in `collect_extensions()`. No other files need modification.
+To add a new runtime or tool: (1) create a directory under `src/tools/` or `src/runtimes/`, (2) implement `CompilerExtension` in `extension.rs`, (3) add a variant to the `Extension` enum and a collection check in `collect_extensions()` in `src/compile/extensions/mod.rs`.
 
 ### Security Considerations
 

From 249c92e33c3d4fdc9dd2f752040c3c8484438193 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 21 Apr 2026 22:06:14 +0000
Subject: [PATCH 4/4] fix: remove unused MCPG_PORT re-export from
 compile/mod.rs

MCPG_PORT is only used within the compile module (onees.rs,
standalone.rs import via super::common). The pub re-export was
generating an unused_imports warning.

Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/cf879e88-1dcc-48b9-94d4-3d0df7bbaba4

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
---
 src/compile/mod.rs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/compile/mod.rs b/src/compile/mod.rs
index 90b1643..341d781 100644
--- a/src/compile/mod.rs
+++ b/src/compile/mod.rs
@@ -23,7 +23,6 @@ pub use common::generate_copilot_params;
 pub use common::generate_mcpg_config;
 pub use common::MCPG_IMAGE;
 pub use common::MCPG_VERSION;
-pub use common::MCPG_PORT;
 pub use common::ADO_MCP_ENTRYPOINT;
 pub use common::ADO_MCP_IMAGE;
 pub use common::ADO_MCP_PACKAGE;