Bearer-token authentication for ADO

ADO hosts (dev.azure.com, *.visualstudio.com) resolve auth in this order:

1. ADO_APM_PAT env var if set
2. AAD bearer via az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 if az is installed and az account show succeeds
3. Otherwise: auth-failed error from build_error_context

ADO_APM_PAT is the env var name used by the auth flow. The AAD bearer source constant lives in src/apm_cli/core/token_manager.py as GitHubTokenManager.ADO_BEARER_SOURCE = "AAD_BEARER_AZ_CLI".

Stale-PAT silent fallback: if ADO_APM_PAT is rejected with HTTP 401, APM retries with the az bearer and emits:

[!] ADO_APM_PAT was rejected for {host} (HTTP 401); fell back to az cli bearer.
[!]     Consider unsetting the stale variable.

Verbose source line (one per host, emitted under --verbose):

[i] dev.azure.com -- using bearer from az cli (source: AAD_BEARER_AZ_CLI)
[i] dev.azure.com -- token from ADO_APM_PAT

Diagnostic cases (_emit_stale_pat_diagnostic + build_error_context in src/apm_cli/core/auth.py):

1. No PAT, no az: No ADO_APM_PAT was set and az CLI is not installed. -> install az, run az login --tenant <tenant>, or set ADO_APM_PAT.
2. No PAT, az not signed in: az CLI is installed but no active session was found. -> run az login --tenant <tenant> against the tenant that owns the org, or set ADO_APM_PAT.
3. No PAT, wrong tenant: az CLI returned a token but the org does not accept it (likely a tenant mismatch). -> run az login --tenant <correct-tenant>, or set ADO_APM_PAT.
4. PAT 401, no az fallback: ADO_APM_PAT was rejected (HTTP 401) and no az cli fallback was available. -> rotate the PAT, or install az and run az login --tenant <tenant>.

agent-transcript

为 OpenClaw 代理创建的 GitHub PR 或议题自动添加脱敏执行记录。