Internal build break: verify-cli-archive.ps1 fails on signed-build agents (aspire-managed --help; aspire new aspire-ts-starter restore)

[radical]

The signed build+sign pipeline (microsoft-aspire, definition 1602) has been failing on main since #17274 merged. Two distinct failures from the same PR, both in eng/scripts/verify-cli-archive.ps1.

Repro

Internal: microsoft-aspire pipeline 1602 (batched CI on main). The verifier only ever runs in the post-merge build+sign pipeline; it does not run on GitHub PRs, which is why both regressions reached main.

• First failed run: https://dev.azure.com/dnceng/internal/_build/results?buildId=2980569 (osx-arm64, linux-x64, win-x64)
• Latest run with aspire-managed fix (Fix internal build break: 'aspire-managed --help' in CLI archive verifier returns exit 1 #17341) applied: https://dev.azure.com/dnceng/internal/_build/results?buildId=2980609 (linux-x64, win-x64)

Failure 1 — aspire-managed --help (fixed by #17341, mitigated)

Test-ExtractedBundleLayout smoke-tested the bundled server with aspire-managed --help and asserted exit 0:

❌ Verification failed: aspire-managed failed with exit code 1.
   Output: Usage: aspire-managed <dashboard|server|nuget> [args...]

Aspire.Managed's entry point (src/Aspire.Managed/Program.cs:22-28,58-62) is a hard args switch on dashboard|server|nuget; anything else — including --help — falls through to ShowUsage() and returns 1.

Failure 2 — aspire new aspire-ts-starter auto-restore hits nuget.org

Test-TypeScriptStarterProject invokes aspire new aspire-ts-starter, which after templating runs an automatic packager-managed AppHost-server bootstrap. That bootstrap performs a NuGet restore for Aspire.Hosting, Aspire.Hosting.JavaScript, Aspire.Hosting.CodeGeneration.TypeScript and their transitive deps. Aspire-owned packages route to the dnceng internal feed (resolved fine), but transitive Microsoft.Extensions.*, Grpc.*, OpenTelemetry.*, Newtonsoft.Json, ModelContextProtocol, … route to https://api.nuget.org/v3/index.json — which the 1ES signed-build agent has no egress to:

ERROR: Unable to load the service index for source https://api.nuget.org/v3/index.json.
  Permission denied (api.nuget.org:443)
  Permission denied

  channel:  daily
  packages: Aspire.Hosting 13.4.0-preview.1.26270.9,
            Aspire.Hosting.JavaScript 13.4.0-preview.1.26270.9,
            Aspire.Hosting.CodeGeneration.TypeScript 13.4.0-preview.1.26270.9
❌ Failed to prepare AppHost server.
❌ Automatic 'aspire restore' failed for the new TypeScript starter project.
❌ 'aspire new aspire-ts-starter' failed with exit code 6

The C# starter check is unaffected because aspire new aspire-starter does not trigger a restore.

Expected

verify-cli-archive.ps1 succeeds end-to-end on the signed-build agents for all three RIDs.

Why both were missed pre-merge

Both checks were added in the same PR (#17274) and were validated against a synthetic fake archive in the acquisition tests. The real-archive verifier only runs in the build+sign pipeline, which never runs on GitHub PRs — so neither incompatibility surfaced until after merge to main.

[joperezr]

🤖 Aspire triage pass — 2026-05-21 06:05 UTC

Area: area-acquisition, area-engineering-systems, area-cli
Kind: regression
Repro: yes-minimal — internal pipeline links + failing commands cited in issue body (post-merge of #17274)
Affected version(s): 13.4.0-preview.1.26270.9 daily builds on main (latest preview)
Severity: S2 — internal signed build+sign pipeline broken on main across osx-arm64, linux-x64, win-x64; partial mitigation in #17341, second failure (aspire new aspire-ts-starter restore reaching api.nuget.org from 1ES agent) still open

Urgency: 🟡 vNext — recommend milestone 13.4
Reason: regression introduced by #17274 in 13.4 preview bits, not in shipping 13.3.x; blocks 13.4 signed builds and must land before the next 13.4 preview. Not a servicing candidate (13.3.x bits are unaffected).

Suggested owner(s): @sebastienros (score 9), backup @joperezr (score 6)
Evidence:

• sebastienros authored the regressing PR Validate TypeScript CLI archive layout #17274 ("Validate TypeScript CLI archive layout") which added both failing checks to eng/scripts/verify-cli-archive.ps1
• joperezr has multiple recent eng/scripts + CLI archive / release-pipeline PRs in the last 90d (Use ' - ' separator in release-version build tag #17236, Fix release pipeline: GitHubTasks stage deps and aspire-cli-* download pattern #17248, Skip WinGet/Homebrew downloads in PrepareArtifacts stage when publish is skipped #17069, Chain release-github-tasks workflow from AzDO release pipeline #17073) and owns the build+sign pipeline plumbing
• Reporter @radical already shipped partial fix Fix internal build break: 'aspire-managed --help' in CLI archive verifier returns exit 1 #17341 for failure 1, so excluded from suggested owners

Confidence: high
Needs human?: no

Dry-run mode — no labels or milestone applied. Reply /triage apply to promote, or edit and reapply.

[radical]

Fix landing in #17346, which surgically removes the two failing checks (Test-TypeScriptStarterProject and Test-ExtractedBundleLayout), keeps the orthogonal helpers from #17274, adds slim GitHub-CI coverage so the verifier's remaining contract is testable without the AzDO pipeline, and fixes a latent Test-ArchiveSidecar scope-narrowing bug surfaced by review.

Re-introducing the removed TS-starter / bundle-layout coverage is tracked separately in #17349.