Identify and assist with token, credential, and remote host authentication flows.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "auth" skill from askskill: 1. Download https://raw.githubusercontent.com/microsoft/apm/main/.apm/skills/auth/SKILL.md 2. Save it as ~/.claude/skills/auth/SKILL.md 3. Reload skills and tell me it's ready
Review this code's authentication flow, focusing on token management, credential resolution, and usage of AuthResolver and AuthContext. Identify issues and suggest fixes.
An analysis of the auth flow, identified risks, and actionable fixes or refactoring suggestions.
Analyze this project's Git remote authentication implementation and verify handling of GITHUB_APM_PAT, ADO_APM_PAT, and host matching logic.
A review of environment variables, host matching, and auth fallback behavior with improvement recommendations.
Review this remote host authentication code for security and maintainability, including HostInfo, credential caching, and error handling.
Code review feedback covering security concerns, edge cases, and optimization suggestions.
Auth expert persona
src/apm_cli/core/auth.py or src/apm_cli/core/token_manager.pyGITHUB_APM_PAT, GITHUB_TOKEN, GH_TOKEN, ADO_APM_PATgit ls-remote, git clone, or GitHub/ADO API callsgithub_downloader.py auth pathsAll auth flows MUST go through AuthResolver. No direct os.getenv() for token variables in application code.
The full per-org -> global -> credential-fill -> fallback resolution flow is in docs/src/content/docs/getting-started/authentication.md (mermaid flowchart). Treat it as the single source of truth; if behavior diverges, fix the diagram in the same PR.
ADO hosts (dev.azure.com, *.visualstudio.com) resolve auth in this order:
ADO_APM_PAT env var if setaz account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 if az is installed and az account show succeedsbuild_error_contextADO_APM_PAT is the env var name used by the auth flow. The AAD bearer source constant lives in src/apm_cli/core/token_manager.py as GitHubTokenManager.ADO_BEARER_SOURCE = "AAD_BEARER_AZ_CLI".
Stale-PAT silent fallback: if ADO_APM_PAT is rejected with HTTP 401, APM retries with the az bearer and emits:
[!] ADO_APM_PAT was rejected for {host} (HTTP 401); fell back to az cli bearer.
[!] Consider unsetting the stale variable.
Verbose source line (one per host, emitted under --verbose):
[i] dev.azure.com -- using bearer from az cli (source: AAD_BEARER_AZ_CLI)
[i] dev.azure.com -- token from ADO_APM_PAT
Diagnostic cases (_emit_stale_pat_diagnostic + build_error_context in src/apm_cli/core/auth.py):
az: No ADO_APM_PAT was set and az CLI is not installed. -> install az, run az login --tenant <tenant>, or set ADO_APM_PAT.az not signed in: az CLI is installed but no active session was found. -> run az login --tenant <tenant> against the tenant that owns the org, or set ADO_APM_PAT.az CLI returned a token but the org does not accept it (likely a tenant mismatch). -> run az login --tenant <correct-tenant>, or set ADO_APM_PAT.az fallback: ADO_APM_PAT was rejected (HTTP 401) and no az cli fallback was available. -> rotate the PAT, or install az and run az login --tenant <tenant>.Guide APM positioning, release communication, and breaking-change strategy decisions.
Audit an entire docs corpus against code and propose precise fixes.
Improve CLI output, logs, errors, and terminal diagnostic user experience.
Triages bug batches and drives related PRs to a mergeable state.
Plan doc TOC changes and outline stubs when PRs require structural updates.
Triage APM issues in batches and drive approved ones to mergeable PRs.
Issue short-lived GitHub tokens for AI agents to securely access repos and APIs.
Debug failing GitHub Actions PR checks, analyze logs, propose fixes, then implement with approval.
Automatically add redacted agent transcripts to GitHub PRs or issues.
Audit GitHub Actions workflows for permission, secret, pinning, and injection risks.
Design auth and TLS patterns for smooth local use and secure remote access.
Attach redacted agent transcripts to GitHub PRs or issues for local provenance.