Labsco
microsoft logo

auth

✓ Official3,100

by microsoft · part of microsoft/apm

All auth flows MUST go through AuthResolver . No direct os.getenv() for token variables in application code.

🔥🔥FreeQuick setup
🔒 Repo-maintenance skill. It exists to help maintain microsoft/apm itself — it's only useful if you contribute code to that project.

This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.


name: auth description: > Activate when code touches token management, credential resolution, git auth flows, GITHUB_APM_PAT, ADO_APM_PAT, AuthResolver, HostInfo, AuthContext, or any remote host authentication -- even if 'auth' isn't mentioned explicitly.

Auth Skill

Auth expert persona

When to activate

  • Any change to src/apm_cli/core/auth.py or src/apm_cli/core/token_manager.py
  • Code that reads GITHUB_APM_PAT, GITHUB_TOKEN, GH_TOKEN, ADO_APM_PAT
  • Code using git ls-remote, git clone, or GitHub/ADO API calls
  • Error messages mentioning tokens, authentication, or credentials
  • Changes to github_downloader.py auth paths
  • Per-host or per-org token resolution logic

Key rule

All auth flows MUST go through AuthResolver. No direct os.getenv() for token variables in application code.

Canonical reference

The full per-org -> global -> credential-fill -> fallback resolution flow is in docs/src/content/docs/getting-started/authentication.md (mermaid flowchart). Treat it as the single source of truth; if behavior diverges, fix the diagram in the same PR.

Bearer-token authentication for ADO

ADO hosts (dev.azure.com, *.visualstudio.com) resolve auth in this order:

  1. ADO_APM_PAT env var if set
  2. AAD bearer via az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 if az is installed and az account show succeeds
  3. Otherwise: auth-failed error from build_error_context

ADO_APM_PAT is the env var name used by the auth flow. The AAD bearer source constant lives in src/apm_cli/core/token_manager.py as GitHubTokenManager.ADO_BEARER_SOURCE = "AAD_BEARER_AZ_CLI".

Stale-PAT silent fallback: if ADO_APM_PAT is rejected with HTTP 401, APM retries with the az bearer and emits:

[!] ADO_APM_PAT was rejected for {host} (HTTP 401); fell back to az cli bearer.
[!]     Consider unsetting the stale variable.

Verbose source line (one per host, emitted under --verbose):

[i] dev.azure.com -- using bearer from az cli (source: AAD_BEARER_AZ_CLI)
[i] dev.azure.com -- token from ADO_APM_PAT

Diagnostic cases (_emit_stale_pat_diagnostic + build_error_context in src/apm_cli/core/auth.py):

  1. No PAT, no az: No ADO_APM_PAT was set and az CLI is not installed. -> install az, run az login --tenant <tenant>, or set ADO_APM_PAT.
  2. No PAT, az not signed in: az CLI is installed but no active session was found. -> run az login --tenant <tenant> against the tenant that owns the org, or set ADO_APM_PAT.
  3. No PAT, wrong tenant: az CLI returned a token but the org does not accept it (likely a tenant mismatch). -> run az login --tenant <correct-tenant>, or set ADO_APM_PAT.
  4. PAT 401, no az fallback: ADO_APM_PAT was rejected (HTTP 401) and no az cli fallback was available. -> rotate the PAT, or install az and run az login --tenant <tenant>.