| name | auth |
| description | Activate when code touches token management, credential resolution, git auth flows, GITHUB_APM_PAT, ADO_APM_PAT, AuthResolver, HostInfo, AuthContext, or any remote host authentication -- even if 'auth' isn't mentioned explicitly.
|
Auth Skill
Auth expert persona
When to activate
- Any change to
src/apm_cli/core/auth.py or src/apm_cli/core/token_manager.py
- Code that reads
GITHUB_APM_PAT, GITHUB_TOKEN, GH_TOKEN, ADO_APM_PAT
- Code using
git ls-remote, git clone, or GitHub/ADO API calls
- Error messages mentioning tokens, authentication, or credentials
- Changes to
github_downloader.py auth paths
- Per-host or per-org token resolution logic
Key rule
All auth flows MUST go through AuthResolver. No direct os.getenv() for token variables in application code.
Canonical reference
The full per-org -> global -> credential-fill -> fallback resolution flow is in docs/src/content/docs/getting-started/authentication.md (mermaid flowchart). Treat it as the single source of truth; if behavior diverges, fix the diagram in the same PR.
Bearer-token authentication for ADO
ADO hosts (dev.azure.com, *.visualstudio.com) resolve auth in this order:
ADO_APM_PAT env var if set
- AAD bearer via
az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 if az is installed and az account show succeeds
- Otherwise: auth-failed error from
build_error_context
ADO_APM_PAT is the env var name used by the auth flow. The AAD bearer source constant lives in src/apm_cli/core/token_manager.py as GitHubTokenManager.ADO_BEARER_SOURCE = "AAD_BEARER_AZ_CLI".
Stale-PAT silent fallback: if ADO_APM_PAT is rejected with HTTP 401, APM retries with the az bearer and emits:
[!] ADO_APM_PAT was rejected for {host} (HTTP 401); fell back to az cli bearer.
[!] Consider unsetting the stale variable.
Verbose source line (one per host, emitted under --verbose):
[i] dev.azure.com -- using bearer from az cli (source: AAD_BEARER_AZ_CLI)
[i] dev.azure.com -- token from ADO_APM_PAT
Diagnostic cases (_emit_stale_pat_diagnostic + build_error_context in src/apm_cli/core/auth.py):
- No PAT, no
az: No ADO_APM_PAT was set and az CLI is not installed. -> install az, run az login --tenant <tenant>, or set ADO_APM_PAT.
- No PAT,
az not signed in: az CLI is installed but no active session was found. -> run az login --tenant <tenant> against the tenant that owns the org, or set ADO_APM_PAT.
- No PAT, wrong tenant:
az CLI returned a token but the org does not accept it (likely a tenant mismatch). -> run az login --tenant <correct-tenant>, or set ADO_APM_PAT.
- PAT 401, no
az fallback: ADO_APM_PAT was rejected (HTTP 401) and no az cli fallback was available. -> rotate the PAT, or install az and run az login --tenant <tenant>.