Activate when code touches token management, credential resolution, git auth flows, GITHUB_APM_PAT, ADO_APM_PAT, AuthResolver, HostInfo, AuthContext, or any remote host authentication -- even if 'auth' isn't mentioned explicitly.
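Copy the install instructions and let the AI complete the setup automatically · Recommended for beginners
Please install the "auth" skill from askskill for me: 1. Download https://raw.githubusercontent.com/microsoft/apm/main/.agents/skills/auth/SKILL.md 2. Save it as ~/.claude/skills/auth/SKILL.md 3. Once it is installed, reload the skills and tell me it is ready to use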
Auth expert persona
- src/apm_cli/core/auth.py or src/apm_cli/core/token_manager.py
- GITHUB_APM_PAT, GITHUB_TOKEN, GH_TOKEN, ADO_APM_PAT
- git ls-remote, git clone, or GitHub/ADO API calls
- github_downloader.py auth paths

All auth flows MUST go through AuthResolver. No direct os.getenv() for token variables in application code.
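One way to enforce the rule above in review or CI, as an added example that is not part of the skill or of APM's code: an AST check that reports direct environment access to the token variables outside the auth modules. The allowlist (the two modules named above), the function names and the sample module path are assumptions made for this illustration.

```python
import ast

# Token variable names listed on this page.
TOKEN_VARS = {"GITHUB_APM_PAT", "GITHUB_TOKEN", "GH_TOKEN", "ADO_APM_PAT"}
# Assumption: only the two auth modules named on this page may touch them directly.
ALLOWED = {"src/apm_cli/core/auth.py", "src/apm_cli/core/token_manager.py"}
ENV_CALLS = {"os.getenv", "os.environ.get", "getenv", "environ.get"}
ENV_MAPS = {"os.environ", "environ"}


def _dotted(node):
    """Turn a Name/Attribute chain into a dotted string such as 'os.environ.get'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _literal(node):
    """Return the string value of a literal argument, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def find_direct_token_access(source, path):
    """Return sorted (line, variable) pairs for direct env access to token variables."""
    if path in ALLOWED:
        return []
    hits = []
    for node in ast.walk(ast.parse(source, filename=path)):
        name = None
        if isinstance(node, ast.Call) and node.args and _dotted(node.func) in ENV_CALLS:
            name = _literal(node.args[0])
        elif isinstance(node, ast.Subscript) and _dotted(node.value) in ENV_MAPS:
            name = _literal(node.slice)  # Python 3.9+: slice is the expression itself
        if name in TOKEN_VARS:
            hits.append((node.lineno, name))
    return sorted(hits)


# Constructed sample module: two violations (lines 4 and 5) and one harmless read.
SAMPLE = '''\
import os

def clone(url):
    token = os.getenv("GITHUB_APM_PAT")
    ado = os.environ["ADO_APM_PAT"]
    return token, ado, os.environ.get("HOME")
'''
```

Variable names built at runtime or read through an aliased import of os are not caught by this check; it covers the literal forms only.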
The full per-org -> global -> credential-fill -> fallback resolution flow is in docs/src/content/docs/getting-started/authentication.md (mermaid flowchart). Treat it as the single source of truth; if behavior diverges, fix the diagram in the same PR.
ADO hosts (dev.azure.com, *.visualstudio.com) resolve auth in this order:
1. ADO_APM_PAT env var if set
2. az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 if az is installed and az account show succeeds
3. build_error_context

ADO_APM_PAT is the env var name used by the auth flow. The AAD bearer source constant lives in src/apm_cli/core/token_manager.py as GitHubTokenManager.ADO_BEARER_SOURCE = "AAD_BEARER_AZ_CLI".
Stale-PAT silent fallback: if ADO_APM_PAT is rejected with HTTP 401, APM retries with the az bearer and emits:
[!] ADO_APM_PAT was rejected for {host} (HTTP 401); fell back to az cli bearer.
[!] Consider unsetting the stale variable.
Verbose source line (one per host, emitted under --verbose):
[i] dev.azure.com -- using bearer from az cli (source: AAD_BEARER_AZ_CLI)
[i] dev.azure.com -- token from ADO_APM_PAT
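The resolution order and stale-PAT fallback described above, modelled as an added example that is not APM's AuthResolver code. The az_bearer and send hooks, the function names, the token values and the decision to emit the source line after the two warning lines are assumptions; the message texts are the ones quoted on this page.

```python
PAT_SOURCE = "ADO_APM_PAT"
BEARER_SOURCE = "AAD_BEARER_AZ_CLI"  # ADO_BEARER_SOURCE value quoted on this page


def resolve_ado(host, env, az_bearer, send):
    """Model of the ADO order: PAT first, az cli bearer second.

    az_bearer() -> bearer token, or None when az is missing or not signed in
                   (hypothetical hook).
    send(token) -> HTTP status of the authenticated request (hypothetical hook).
    Returns (source, status, log_lines); source is None when nothing worked.
    """
    log = []
    pat = env.get("ADO_APM_PAT")
    if pat:
        status = send(pat)
        if status != 401:
            log.append(f"[i] {host} -- token from ADO_APM_PAT")
            return PAT_SOURCE, status, log
    bearer = az_bearer()
    if bearer is None:
        # No fallback available: the caller renders the matching diagnostic case.
        return None, (401 if pat else None), log
    status = send(bearer)
    if status == 401:
        return None, status, log
    if pat:
        # Stale-PAT fallback: the warning names the variable, never its value.
        log.append(f"[!] ADO_APM_PAT was rejected for {host} (HTTP 401); "
                   "fell back to az cli bearer.")
        log.append("[!] Consider unsetting the stale variable.")
    log.append(f"[i] {host} -- using bearer from az cli (source: {BEARER_SOURCE})")
    return BEARER_SOURCE, status, log


def demo():
    """Constructed scenario: a stale PAT in the environment, az signed in."""
    accepted = {"bearer-constructed"}

    def send(token):
        return 200 if token in accepted else 401

    env = {"ADO_APM_PAT": "stale-pat-constructed"}
    return resolve_ado("dev.azure.com", env, lambda: "bearer-constructed", send)
```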
Diagnostic cases (_emit_stale_pat_diagnostic + build_error_context in src/apm_cli/core/auth.py):
- az: No ADO_APM_PAT was set and az CLI is not installed. -> install az, run az login --tenant <tenant>, or set ADO_APM_PAT.
- az not signed in: az CLI is installed but no active session was found. -> run az login --tenant <tenant> against the tenant that owns the org, or set ADO_APM_PAT.
- az CLI returned a token but the org does not accept it (likely a tenant mismatch). -> run az login --tenant <correct-tenant>, or set ADO_APM_PAT.
- az fallback: ADO_APM_PAT was rejected (HTTP 401) and no az cli fallback was available. -> rotate the PAT, or install az and run az login --tenant <tenant>.

Use this skill to run a multi-persona expert advisory review on a labelled pull request in microsoft/apm. The panel fans out to five mandatory specialists plus a test-coverage specialist (active on every PR that touches src/) plus two conditional specialists (auth, doc-writer), all running in their own agent threads, and a CEO synthesizer. The orchestrator is the sole writer to the PR: ONE recommendation comment, no verdict labels, no merge gating. The panel is advisory -- it surfaces findings, prioritizes follow-ups, and renders a ship-recommendation that the maintainer and author weigh. Activate when a non-trivial PR needs a cross-cutting recommendation (architecture, CLI logging, DevX UX, supply-chain security, growth/positioning, optionally auth, docs, and test coverage, with CEO arbitration).
Use this skill to run a four-panel adversarial advisory review on any pull request that touches the OpenAPM specification artifact (docs/src/content/docs/specs/openapm-*.md), its inline / sidecar JSON Schemas (docs/src/content/docs/specs/schemas/*.schema.json), or the conformance fixture seed (tests/fixtures/spec-conformance/**). The panel fans out to four spec-ecosystem reviewers (swagger-openapi-editor, oci-distribution-editor, pkgmgr-registry-contract-editor, w3c-tag-architect), each running in its own agent thread, and a spec-editor synthesizer that produces a fold-now / defer-v0.1.1 / defer-v0.2 / reject list plus a ship decision keyed off a 1..10 shocked_meter scale. The orchestrator is the sole writer to the PR: ONE consolidated comment, no verdict labels, no merge gating. The panel is advisory -- it surfaces findings, prioritizes folds, and renders a ship recommendation that the maintainer weighs.
Activate for changes to project positioning, release communication, community-facing artifacts, or breaking-change decisions in microsoft/apm. Triggers on README, MANIFESTO, PRD, CHANGELOG, release workflows, and issue templates.
Use this skill to triage a single newly opened, reopened, or `status/needs-triage`-labelled issue in microsoft/apm. Emit one synthesized comment with a triage decision, label set, milestone, and suggested next action.
Use this skill to drive a batch of suspected bugs in microsoft/apm from raw issue list to mergeable PR queue. Fan out one triage subagent per issue (LEGIT / UNCLEAR / FIXED-AT-HEAD), gate every legit bug against PRINCIPLES.md via an apm-ceo strategic-alignment pass, cross-reference legit issues against open PRs, then open a fix PR (TDD + mutation-break gate) for greenfield bugs. Drive every PR -- community in-flight and own fix alike -- to mergeable by composing the shepherd-driver skill: one driver per PR runs the review panel, folds non-blocking recommendations, pushes (preserving author), and watches CI to green. Re-probe mergeability and resolve conflicts via shepherd-driver. Maintain a plan.md ground-truth table as canonical state. Activate when the maintainer asks to triage issues, sweep the bug queue, shepherd bug-flagged issues, run a weekly community sweep, or drive in-flight community PRs to merge -- even if "shepherd" or "batch" is not named.
Use this skill to drive any open microsoft/apm issue (bug, feature, docs, refactor, perf) from raw intake to a mergeable PR with triage as the central, paramount gate. Run the apm-triage-panel rubric per issue first, then present ONE consolidated triage review for the whole batch and escalate to the maintainer BY DEFAULT on any doubt (needs-design, decline, duplicate, defer, auto-handle, breaking-change, auth/security/governance surface, low arbiter confidence, unbounded scope, or a missing brief); only auto-implement clear, bounded, high-confidence accepts the maintainer approved. Then drive each accepted PR to mergeability batch-bug-shepherd style via the shepherd-driver loop: fold copilot + panel follow-ups by default, watch CI green, iterate under a bounded cap. Invoke MANUALLY, in-session, on an issue list or queue -- never by label or event. Activate when the maintainer asks to auto-tackle the issue queue, clear the backlog to PRs, or run issues to merge -- even if "autopilot" is not named.