@sascha384/tic 2.1.0 → 3.0.0

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "tic",
   "description": "Issue tracking skills for Claude Code",
-  "version": "2.1.0",
+  "version": "3.0.0",
   "author": {
     "name": "Sascha Krug"
   },

package/README.md

@@ -7,7 +7,8 @@ Built with TypeScript and [Ink](https://github.com/vadimdemedes/ink).
 ## Features
 
 - **Keyboard-driven TUI** — browse, create, edit, and manage work items without leaving the terminal
-- **Multiple backends** — GitHub (via `gh`), GitLab (via `glab`), Azure DevOps (via `az`), Jira (via REST API)
+- **Multiple backends** — GitHub (REST/GraphQL API), GitLab (via `glab`), Azure DevOps (REST API), Jira (REST API)
+- **Built-in authentication** — OAuth device flow for GitHub and Azure DevOps, with PAT fallback
 - **Automatic backend detection** — selects backend based on git remote, or configure manually
 - **SQLite storage** — all data stored locally in `.tic/tic.db` with optional sync to remote backends
 - **CLI commands** — scriptable commands for all operations (`tic item list`, `tic item create`, etc.)
@@ -186,40 +187,54 @@ tic iteration list                   # List iterations
 tic iteration set sprint-2           # Set current iteration
 tic config get backend               # Get config value
 tic config set backend github        # Set config value
+tic auth login github                # Authenticate with GitHub (OAuth device flow)
+tic auth login azure                 # Authenticate with Azure DevOps (Entra ID)
+tic auth login azure --pat           # Authenticate with a Personal Access Token
+tic auth status                      # Show authentication status
+tic auth logout github               # Remove stored credentials
 ```
 
 Add `--json` to any command for machine-readable output, or `--quiet` to suppress non-essential output.
 
 ## Backends
 
-| Backend | CLI Tool | Detection |
-|---------|----------|-----------|
+| Backend | Auth Method | Detection |
+|---------|-------------|-----------|
 | Local only (SQLite) | — | Default fallback |
-| GitHub Issues | [`gh`](https://cli.github.com/) | `github.com` in git remote |
-| GitLab Issues | [`glab`](https://gitlab.com/gitlab-org/cli) | `gitlab.com` in git remote |
-| Azure DevOps Work Items | [`az`](https://learn.microsoft.com/en-us/cli/azure/) | `dev.azure.com` or `visualstudio.com` in git remote |
-| Jira | REST API | Configured via settings |
+| GitHub Issues | `tic auth login github` (OAuth) or existing `gh` token | `github.com` in git remote |
+| GitLab Issues | [`glab`](https://gitlab.com/gitlab-org/cli) CLI | `gitlab.com` in git remote |
+| Azure DevOps Work Items | `tic auth login azure` (Entra ID) or `--pat` | `dev.azure.com` or `visualstudio.com` in git remote |
+| Jira | REST API (configured in settings) | Configured via settings |
 
 Each backend supports a different set of capabilities (types, statuses, iterations, relationships, etc.). The TUI and CLI automatically adapt to show only what the active backend supports.
 
 You can switch backends from within the TUI by pressing `,` to open settings. For Jira, you'll need to configure your site URL, project key, and optionally a board ID.
 
-### Azure DevOps Authentication
+### Authentication
 
-Azure DevOps requires the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/) (`az`) with the `azure-devops` extension. There are two authentication methods, and **both are recommended** for full functionality:
+GitHub and Azure DevOps use tic's built-in authentication with credentials stored securely in your OS keychain. If not already authenticated, the TUI will prompt you to log in when a remote backend is detected.
 
-| Method | Command | What it enables |
-|--------|---------|-----------------|
-| PAT (Personal Access Token) | `az devops login` | Work items, queries, iterations, relations |
-| Azure AD / Entra ID | `az login` | Comments (read and write) |
+**GitHub:**
 
-The Work Item Comments API is a preview endpoint that requires Azure AD tokens. If you only use `az devops login`, everything works except comments — they will silently be unavailable when viewing items and explicitly fail when adding comments.
+```bash
+tic auth login github   # Opens browser for OAuth device flow
+```
+
+Falls back to an existing `gh` CLI token if available.
+
+**Azure DevOps:**
+
+```bash
+tic auth login azure        # Entra ID device code flow (recommended)
+tic auth login azure --pat  # Personal Access Token
+```
 
-For full functionality:
+**Managing credentials:**
 
 ```bash
-az login                # Azure AD — needed for comments
-az devops login         # PAT — needed for work items
+tic auth status             # Show auth status for all providers
+tic auth logout github      # Remove stored credentials
+tic auth logout azure
 ```
 
 ## Contributing

package/dist/app.js

@@ -1,9 +1,10 @@
-import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { jsx as _jsx, jsxs as _jsxs, Fragment as _Fragment } from "react/jsx-runtime";
 import { lazy, Suspense, useEffect } from 'react';
 import { Box } from 'ink';
 import { WorkItemList } from './components/WorkItemList.js';
 import { Header } from './components/Header.js';
 import { useConfigStore } from './stores/configStore.js';
+import { useBackendDataStore } from './stores/backendDataStore.js';
 import { navigationStore, useNavigationStore, } from './stores/navigationStore.js';
 // Lazy — loaded on demand when screen changes
 const WorkItemForm = lazy(() => import('./components/WorkItemForm.js').then((m) => ({
@@ -19,10 +20,14 @@ const StatusScreen = lazy(() => import('./components/StatusScreen.js').then((m)
 const HelpScreen = lazy(() => import('./components/HelpScreen.js').then((m) => ({
     default: m.HelpScreen,
 })));
+const AuthPrompt = lazy(() => import('./components/AuthPrompt.js').then((m) => ({
+    default: m.AuthPrompt,
+})));
 export function App() {
     const screen = useNavigationStore((s) => s.screen);
     const previousScreen = useNavigationStore((s) => s.previousScreen);
     const autoUpdate = useConfigStore((s) => s.config.autoUpdate);
+    const authPrompt = useBackendDataStore((s) => s.authPrompt);
     // Update check on mount
     useEffect(() => {
         if (autoUpdate !== false) {
@@ -32,6 +37,6 @@ export function App() {
             }));
         }
     }, [autoUpdate]);
-    return (_jsxs(Box, { flexDirection: "column", children: [_jsx(Header, {}), screen === 'list' && _jsx(WorkItemList, {}), _jsxs(Suspense, { fallback: null, children: [screen === 'form' && _jsx(WorkItemForm, {}), screen === 'iteration-picker' && _jsx(IterationPicker, {}), screen === 'settings' && _jsx(Settings, {}), screen === 'status' && _jsx(StatusScreen, {}), screen === 'help' && _jsx(HelpScreen, { sourceScreen: previousScreen })] })] }));
+    return (_jsxs(Box, { flexDirection: "column", children: [_jsx(Header, {}), authPrompt ? (_jsx(Suspense, { fallback: null, children: _jsx(AuthPrompt, {}) })) : (_jsxs(_Fragment, { children: [screen === 'list' && _jsx(WorkItemList, {}), _jsxs(Suspense, { fallback: null, children: [screen === 'form' && _jsx(WorkItemForm, {}), screen === 'iteration-picker' && _jsx(IterationPicker, {}), screen === 'settings' && _jsx(Settings, {}), screen === 'status' && _jsx(StatusScreen, {}), screen === 'help' && _jsx(HelpScreen, { sourceScreen: previousScreen })] })] }))] }));
 }
 //# sourceMappingURL=app.js.map

package/dist/app.js.map

@@ -1 +1 @@
-{"version":3,"file":"app.js","sourceRoot":"","sources":["../src/app.tsx"],"names":[],"mappings":";AAAA,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAClD,OAAO,EAAE,GAAG,EAAE,MAAM,KAAK,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EACL,eAAe,EACf,kBAAkB,GACnB,MAAM,6BAA6B,CAAC;AAKrC,8CAA8C;AAC9C,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAC7B,MAAM,CAAC,8BAA8B,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClD,OAAO,EAAE,CAAC,CAAC,YAAY;CACxB,CAAC,CAAC,CACJ,CAAC;AACF,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,CAChC,MAAM,CAAC,iCAAiC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrD,OAAO,EAAE,CAAC,CAAC,eAAe;CAC3B,CAAC,CAAC,CACJ,CAAC;AACF,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,CACzB,MAAM,CAAC,0BAA0B,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAC1E,CAAC;AACF,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAC7B,MAAM,CAAC,8BAA8B,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClD,OAAO,EAAE,CAAC,CAAC,YAAY;CACxB,CAAC,CAAC,CACJ,CAAC;AACF,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAC3B,MAAM,CAAC,4BAA4B,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChD,OAAO,EAAE,CAAC,CAAC,UAAU;CACtB,CAAC,CAAC,CACJ,CAAC;AAEF,MAAM,UAAU,GAAG;IACjB,MAAM,MAAM,GAAG,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACnD,MAAM,cAAc,GAAG,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;IACnE,MAAM,UAAU,GAAG,cAAc,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAE9D,wBAAwB;IACxB,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,UAAU,KAAK,KAAK,EAAE,CAAC;YACzB,KAAK,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE,CAC7D,cAAc,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC7B,IAAI,IAAI;oBAAE,eAAe,CAAC,QAAQ,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;YAC3D,CAAC,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;IAEjB,OAAO,CACL,MAAC,GAAG,IAAC,aAAa,EAAC,QAAQ,aACzB,KAAC,MAAM,KAAG,EACT,MAAM,KAAK,MAAM,IAAI,KAAC,YAAY,KAAG,EACtC,MAAC,QAAQ,IAAC,QAAQ,EAAE,IAAI,aACrB,MAAM,KAAK,MAAM,IAAI,KAAC,YAAY,KAAG,EACrC,MAAM,KAAK,kBAAkB,IAAI,KAAC,eAAe,KAAG,EACpD,MAAM,KAAK,UAAU,IAAI,KAAC,QAAQ,KAAG,EACrC,MAAM,KAAK,QAAQ,IAAI,KAAC,YAAY,KAAG,EACvC,MAAM,KAAK,MAAM,IAAI,KAAC,UAAU,IAAC,YAAY,EAAE,cAAc,GAAI,IACzD,IACP,CACP,CAAC;AACJ,CAAC"}
+{"version":3,"file":"app.js","sourceRoot":"","sources":["../src/app.tsx"],"names":[],"mappings":";AAAA,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAClD,OAAO,EAAE,GAAG,EAAE,MAAM,KAAK,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EACL,eAAe,EACf,kBAAkB,GACnB,MAAM,6BAA6B,CAAC;AAKrC,8CAA8C;AAC9C,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAC7B,MAAM,CAAC,8BAA8B,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClD,OAAO,EAAE,CAAC,CAAC,YAAY;CACxB,CAAC,CAAC,CACJ,CAAC;AACF,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,CAChC,MAAM,CAAC,iCAAiC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrD,OAAO,EAAE,CAAC,CAAC,eAAe;CAC3B,CAAC,CAAC,CACJ,CAAC;AACF,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,CACzB,MAAM,CAAC,0BAA0B,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAC1E,CAAC;AACF,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAC7B,MAAM,CAAC,8BAA8B,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClD,OAAO,EAAE,CAAC,CAAC,YAAY;CACxB,CAAC,CAAC,CACJ,CAAC;AACF,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAC3B,MAAM,CAAC,4BAA4B,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChD,OAAO,EAAE,CAAC,CAAC,UAAU;CACtB,CAAC,CAAC,CACJ,CAAC;AACF,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAC3B,MAAM,CAAC,4BAA4B,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChD,OAAO,EAAE,CAAC,CAAC,UAAU;CACtB,CAAC,CAAC,CACJ,CAAC;AAEF,MAAM,UAAU,GAAG;IACjB,MAAM,MAAM,GAAG,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACnD,MAAM,cAAc,GAAG,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;IACnE,MAAM,UAAU,GAAG,cAAc,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IAE5D,wBAAwB;IACxB,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,UAAU,KAAK,KAAK,EAAE,CAAC;YACzB,KAAK,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE,CAC7D,cAAc,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC7B,IAAI,IAAI;oBAAE,eAAe,CAAC,QAAQ,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;YAC3D,CAAC,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;IAEjB,OAAO,CACL,MAAC,GAAG,IAAC,aAAa,EAAC,QAAQ,aACzB,KAAC,MAAM,KAAG,EACT,UAAU,CAAC,CAAC,CAAC,CACZ,KAAC,QAAQ,IAAC,QAAQ,EAAE,IAAI,YACtB,KAAC,UAAU,KAAG,GACL,CACZ,CAAC,CAAC,CAAC,CACF,8BACG,MAAM,KAAK,MAAM,IAAI,KAAC,YAAY,KAAG,EACtC,MAAC,QAAQ,IAAC,QAAQ,EAAE,IAAI,aACrB,MAAM,KAAK,MAAM,IAAI,KAAC,YAAY,KAAG,EACrC,MAAM,KAAK,kBAAkB,IAAI,KAAC,eAAe,KAAG,EACpD,MAAM,KAAK,UAAU,IAAI,KAAC,QAAQ,KAAG,EACrC,MAAM,KAAK,QAAQ,IAAI,KAAC,YAAY,KAAG,EACvC,MAAM,KAAK,MAAM,IAAI,KAAC,UAAU,IAAC,YAAY,EAAE,cAAc,GAAI,IACzD,IACV,CACJ,IACG,CACP,CAAC;AACJ,CAAC"}

package/dist/auth/ado.d.ts

@@ -0,0 +1,31 @@
+export declare const ADO_ACCOUNT = "dev.azure.com";
+export declare const ADO_REFRESH_ACCOUNT = "dev.azure.com:refresh";
+export declare const ADO_PAT_ACCOUNT = "dev.azure.com:pat";
+export declare const AZURE_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
+export declare function getAdoToken(): string | null;
+export declare function getAdoRefreshToken(): string | null;
+export declare function getAdoPat(): string | null;
+export declare function setAdoPat(pat: string): void;
+export declare function clearAdoTokens(): void;
+export interface AuthenticateAdoOptions {
+    onCode?: (userCode: string, verificationUri: string) => void;
+}
+/**
+ * Refresh an expired access token using the stored refresh token.
+ * Returns the new access token, or null if refresh fails.
+ */
+export declare function refreshAdoToken(refreshToken: string): Promise<string | null>;
+/**
+ * Run the Entra ID device code flow to authenticate with Azure DevOps.
+ *
+ * 1. Requests a device code from Entra ID
+ * 2. Calls onCode callback so the caller can display the code/URL
+ * 3. Polls for the access token at the specified interval
+ * 4. Stores access + refresh tokens in keychain on success
+ *
+ * Note: Entra ID returns HTTP 400 (not 200) for pending/slow_down/denied
+ * errors during polling, unlike GitHub which returns 200 with error in body.
+ *
+ * @returns The access token
+ */
+export declare function authenticateAdo(options?: AuthenticateAdoOptions): Promise<string>;

package/dist/auth/ado.js

@@ -0,0 +1,136 @@
+import { getToken, setToken, deleteToken } from './keychain.js';
+export const ADO_ACCOUNT = 'dev.azure.com';
+export const ADO_REFRESH_ACCOUNT = 'dev.azure.com:refresh';
+export const ADO_PAT_ACCOUNT = 'dev.azure.com:pat';
+// Azure CLI's well-known public client ID — no app registration needed
+export const AZURE_CLI_CLIENT_ID = '04b07795-8ddb-461a-bbee-02f9e1bf7b46';
+const AUTHORITY = 'https://login.microsoftonline.com/organizations';
+const ADO_SCOPE = '499b84ac-1321-427f-aa17-267ca6975798/.default offline_access';
+export function getAdoToken() {
+    return getToken(ADO_ACCOUNT);
+}
+export function getAdoRefreshToken() {
+    return getToken(ADO_REFRESH_ACCOUNT);
+}
+export function getAdoPat() {
+    return getToken(ADO_PAT_ACCOUNT);
+}
+export function setAdoPat(pat) {
+    setToken(ADO_PAT_ACCOUNT, pat);
+}
+export function clearAdoTokens() {
+    deleteToken(ADO_ACCOUNT);
+    deleteToken(ADO_REFRESH_ACCOUNT);
+    deleteToken(ADO_PAT_ACCOUNT);
+}
+function isTokenError(response) {
+    return 'error' in response;
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function urlEncode(params) {
+    return Object.entries(params)
+        .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
+        .join('&');
+}
+/**
+ * Refresh an expired access token using the stored refresh token.
+ * Returns the new access token, or null if refresh fails.
+ */
+export async function refreshAdoToken(refreshToken) {
+    try {
+        const response = await fetch(`${AUTHORITY}/oauth2/v2.0/token`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: urlEncode({
+                client_id: AZURE_CLI_CLIENT_ID,
+                grant_type: 'refresh_token',
+                refresh_token: refreshToken,
+                scope: ADO_SCOPE,
+            }),
+        });
+        if (!response.ok)
+            return null;
+        const data = (await response.json());
+        if (isTokenError(data))
+            return null;
+        setToken(ADO_ACCOUNT, data.access_token);
+        if (data.refresh_token) {
+            setToken(ADO_REFRESH_ACCOUNT, data.refresh_token);
+        }
+        return data.access_token;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Run the Entra ID device code flow to authenticate with Azure DevOps.
+ *
+ * 1. Requests a device code from Entra ID
+ * 2. Calls onCode callback so the caller can display the code/URL
+ * 3. Polls for the access token at the specified interval
+ * 4. Stores access + refresh tokens in keychain on success
+ *
+ * Note: Entra ID returns HTTP 400 (not 200) for pending/slow_down/denied
+ * errors during polling, unlike GitHub which returns 200 with error in body.
+ *
+ * @returns The access token
+ */
+export async function authenticateAdo(options) {
+    // Step 1: Request device code
+    const codeResponse = await fetch(`${AUTHORITY}/oauth2/v2.0/devicecode`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: urlEncode({
+            client_id: AZURE_CLI_CLIENT_ID,
+            scope: ADO_SCOPE,
+        }),
+    });
+    if (!codeResponse.ok) {
+        throw new Error(`Failed to request device code: ${codeResponse.status} ${codeResponse.statusText}`);
+    }
+    const deviceCode = (await codeResponse.json());
+    // Step 2: Notify caller with user code and verification URL
+    options?.onCode?.(deviceCode.user_code, deviceCode.verification_uri);
+    // Step 3: Poll for access token
+    let interval = deviceCode.interval * 1000;
+    while (true) {
+        await sleep(interval);
+        const tokenResponse = await fetch(`${AUTHORITY}/oauth2/v2.0/token`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: urlEncode({
+                client_id: AZURE_CLI_CLIENT_ID,
+                grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+                device_code: deviceCode.device_code,
+            }),
+        });
+        // Entra ID returns 400 for pending/slow_down/declined/expired errors
+        if (!tokenResponse.ok) {
+            const data = (await tokenResponse.json());
+            switch (data.error) {
+                case 'authorization_pending':
+                    continue;
+                case 'slow_down':
+                    interval += 5000;
+                    continue;
+                case 'authorization_declined':
+                    throw new Error('Authorization was denied by the user');
+                case 'expired_token':
+                    throw new Error('Device code has expired. Please restart the authentication flow.');
+                default:
+                    throw new Error(`Authentication failed: ${data.error}${data.error_description ? ` - ${data.error_description}` : ''}`);
+            }
+        }
+        const data = (await tokenResponse.json());
+        // Success — store both tokens and return
+        setToken(ADO_ACCOUNT, data.access_token);
+        if (data.refresh_token) {
+            setToken(ADO_REFRESH_ACCOUNT, data.refresh_token);
+        }
+        return data.access_token;
+    }
+}
+//# sourceMappingURL=ado.js.map

package/dist/auth/ado.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ado.js","sourceRoot":"","sources":["../../src/auth/ado.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAEhE,MAAM,CAAC,MAAM,WAAW,GAAG,eAAe,CAAC;AAC3C,MAAM,CAAC,MAAM,mBAAmB,GAAG,uBAAuB,CAAC;AAC3D,MAAM,CAAC,MAAM,eAAe,GAAG,mBAAmB,CAAC;AAEnD,uEAAuE;AACvE,MAAM,CAAC,MAAM,mBAAmB,GAAG,sCAAsC,CAAC;AAE1E,MAAM,SAAS,GAAG,iDAAiD,CAAC;AACpE,MAAM,SAAS,GACb,8DAA8D,CAAC;AAEjE,MAAM,UAAU,WAAW;IACzB,OAAO,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,OAAO,QAAQ,CAAC,mBAAmB,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,SAAS;IACvB,OAAO,QAAQ,CAAC,eAAe,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,GAAW;IACnC,QAAQ,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,WAAW,CAAC,WAAW,CAAC,CAAC;IACzB,WAAW,CAAC,mBAAmB,CAAC,CAAC;IACjC,WAAW,CAAC,eAAe,CAAC,CAAC;AAC/B,CAAC;AA8BD,SAAS,YAAY,CACnB,QAA2B;IAE3B,OAAO,OAAO,IAAI,QAAQ,CAAC;AAC7B,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,SAAS,SAAS,CAAC,MAA8B;IAC/C,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;SAC1B,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,kBAAkB,CAAC,CAAC,CAAC,IAAI,kBAAkB,CAAC,CAAC,CAAC,EAAE,CAAC;SACpE,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,YAAoB;IAEpB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,oBAAoB,EAAE;YAC7D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,SAAS,CAAC;gBACd,SAAS,EAAE,mBAAmB;gBAC9B,UAAU,EAAE,eAAe;gBAC3B,aAAa,EAAE,YAAY;gBAC3B,KAAK,EAAE,SAAS;aACjB,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAE9B,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAsB,CAAC;QAC1D,IAAI,YAAY,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,QAAQ,CAAC,WAAW,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QACzC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,QAAQ,CAAC,mBAAmB,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAAgC;IAEhC,8BAA8B;IAC9B,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,yBAAyB,EAAE;QACtE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,SAAS,CAAC;YACd,SAAS,EAAE,mBAAmB;YAC9B,KAAK,EAAE,SAAS;SACjB,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,kCAAkC,YAAY,CAAC,MAAM,IAAI,YAAY,CAAC,UAAU,EAAE,CACnF,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,CAAC,MAAM,YAAY,CAAC,IAAI,EAAE,CAAuB,CAAC;IAErE,4DAA4D;IAC5D,OAAO,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,SAAS,EAAE,UAAU,CAAC,gBAAgB,CAAC,CAAC;IAErE,gCAAgC;IAChC,IAAI,QAAQ,GAAG,UAAU,CAAC,QAAQ,GAAG,IAAI,CAAC;IAE1C,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,KAAK,CAAC,QAAQ,CAAC,CAAC;QAEtB,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,oBAAoB,EAAE;YAClE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,SAAS,CAAC;gBACd,SAAS,EAAE,mBAAmB;gBAC9B,UAAU,EAAE,8CAA8C;gBAC1D,WAAW,EAAE,UAAU,CAAC,WAAW;aACpC,CAAC;SACH,CAAC,CAAC;QAEH,qEAAqE;QACrE,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAAuB,CAAC;YAChE,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;gBACnB,KAAK,uBAAuB;oBAC1B,SAAS;gBACX,KAAK,WAAW;oBACd,QAAQ,IAAI,IAAI,CAAC;oBACjB,SAAS;gBACX,KAAK,wBAAwB;oBAC3B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;gBAC1D,KAAK,eAAe;oBAClB,MAAM,IAAI,KAAK,CACb,kEAAkE,CACnE,CAAC;gBACJ;oBACE,MAAM,IAAI,KAAK,CACb,0BAA0B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CACtG,CAAC;YACN,CAAC;QACH,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAAyB,CAAC;QAElE,yCAAyC;QACzC,QAAQ,CAAC,WAAW,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QACzC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,QAAQ,CAAC,mBAAmB,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;AACH,CAAC"}

package/dist/auth/index.d.ts

@@ -1,3 +1,5 @@
 export { getToken, setToken, deleteToken } from './keychain.js';
 export { GITHUB_ACCOUNT, DEFAULT_CLIENT_ID, getGitHubToken, clearGitHubToken, authenticateGitHub, } from './github.js';
 export type { AuthenticateGitHubOptions } from './github.js';
+export { ADO_ACCOUNT, ADO_REFRESH_ACCOUNT, ADO_PAT_ACCOUNT, AZURE_CLI_CLIENT_ID, getAdoToken, getAdoRefreshToken, getAdoPat, setAdoPat, clearAdoTokens, refreshAdoToken, authenticateAdo, } from './ado.js';
+export type { AuthenticateAdoOptions } from './ado.js';

package/dist/auth/index.js

@@ -1,3 +1,4 @@
 export { getToken, setToken, deleteToken } from './keychain.js';
 export { GITHUB_ACCOUNT, DEFAULT_CLIENT_ID, getGitHubToken, clearGitHubToken, authenticateGitHub, } from './github.js';
+export { ADO_ACCOUNT, ADO_REFRESH_ACCOUNT, ADO_PAT_ACCOUNT, AZURE_CLI_CLIENT_ID, getAdoToken, getAdoRefreshToken, getAdoPat, setAdoPat, clearAdoTokens, refreshAdoToken, authenticateAdo, } from './ado.js';
 //# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAChE,OAAO,EACL,cAAc,EACd,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAChE,OAAO,EACL,cAAc,EACd,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,WAAW,EACX,mBAAmB,EACnB,eAAe,EACf,mBAAmB,EACnB,WAAW,EACX,kBAAkB,EAClB,SAAS,EACT,SAAS,EACT,cAAc,EACd,eAAe,EACf,eAAe,GAChB,MAAM,UAAU,CAAC"}

package/dist/backends/ado/api.d.ts

@@ -0,0 +1,19 @@
+import { BaseApiClient } from '../shared/api-client.js';
+export type AdoAuth = {
+    type: 'bearer';
+    token: string;
+} | {
+    type: 'basic';
+    pat: string;
+};
+export declare class AdoApiClient extends BaseApiClient {
+    private auth;
+    constructor(auth: AdoAuth, org: string);
+    private getAuthHeader;
+    private appendApiVersion;
+    protected fetch<T>(method: string, path: string, body?: unknown, contentType?: string): Promise<T>;
+    rest<T>(method: string, path: string, body?: unknown, contentType?: string): Promise<T>;
+    wiql<T>(project: string, query: string): Promise<T>;
+    batchGetWorkItems<T>(ids: number[]): Promise<T>;
+    paginate<T>(path: string): AsyncGenerator<T[]>;
+}

package/dist/backends/ado/api.js

@@ -0,0 +1,110 @@
+import { BaseApiClient, AuthError } from '../shared/api-client.js';
+import { getAdoRefreshToken, refreshAdoToken } from '../../auth/ado.js';
+const ADO_API_VERSION = '7.1';
+export class AdoApiClient extends BaseApiClient {
+    auth;
+    constructor(auth, org) {
+        const token = auth.type === 'bearer' ? auth.token : auth.pat;
+        super(token, `https://dev.azure.com/${org}`);
+        this.auth = auth;
+    }
+    getAuthHeader() {
+        if (this.auth.type === 'bearer') {
+            return `Bearer ${this.auth.token}`;
+        }
+        return `Basic ${Buffer.from(`:${this.auth.pat}`).toString('base64')}`;
+    }
+    appendApiVersion(path) {
+        const separator = path.includes('?') ? '&' : '?';
+        return `${path}${separator}api-version=${ADO_API_VERSION}`;
+    }
+    async fetch(method, path, body, contentType) {
+        const url = this.baseUrl + this.appendApiVersion(path);
+        const headers = {
+            Authorization: this.getAuthHeader(),
+            Accept: 'application/json',
+        };
+        const init = { method, headers };
+        if (body !== undefined && ['POST', 'PATCH', 'PUT'].includes(method)) {
+            headers['Content-Type'] = contentType ?? 'application/json';
+            init.body = JSON.stringify(body);
+        }
+        let response = await globalThis.fetch(url, init);
+        this.checkRateLimit(response.headers);
+        // Try token refresh on 401 for OAuth auth
+        if (response.status === 401 && this.auth.type === 'bearer') {
+            const refreshToken = getAdoRefreshToken();
+            if (refreshToken) {
+                const newToken = await refreshAdoToken(refreshToken);
+                if (newToken) {
+                    this.auth = { type: 'bearer', token: newToken };
+                    this.token = newToken;
+                    headers['Authorization'] = `Bearer ${newToken}`;
+                    response = await globalThis.fetch(url, {
+                        method,
+                        headers,
+                        body: init.body,
+                    });
+                }
+            }
+        }
+        if (response.status === 401) {
+            throw new AuthError();
+        }
+        if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`HTTP ${response.status}: ${text}`);
+        }
+        return (await response.json());
+    }
+    async rest(method, path, body, contentType) {
+        return this.retry(() => this.fetch(method, path, body, contentType));
+    }
+    async wiql(project, query) {
+        return this.rest('POST', `/${project}/_apis/wit/wiql`, { query });
+    }
+    async batchGetWorkItems(ids) {
+        const CHUNK_SIZE = 200;
+        const allValues = [];
+        for (let i = 0; i < ids.length; i += CHUNK_SIZE) {
+            const chunk = ids.slice(i, i + CHUNK_SIZE);
+            const result = await this.rest('POST', '/_apis/wit/workitemsbatch', { ids: chunk, $expand: 4 });
+            allValues.push(...result.value);
+        }
+        return { value: allValues };
+    }
+    async *paginate(path) {
+        let url = this.baseUrl + this.appendApiVersion(path);
+        while (url) {
+            const headers = {
+                Authorization: this.getAuthHeader(),
+                Accept: 'application/json',
+            };
+            const response = await globalThis.fetch(url, {
+                method: 'GET',
+                headers,
+            });
+            this.checkRateLimit(response.headers);
+            if (response.status === 401) {
+                throw new AuthError();
+            }
+            if (!response.ok) {
+                const text = await response.text();
+                throw new Error(`HTTP ${response.status}: ${text}`);
+            }
+            const json = (await response.json());
+            yield json.value;
+            const continuationToken = response.headers.get('x-ms-continuationtoken');
+            if (continuationToken) {
+                const separator = path.includes('?') ? '&' : '?';
+                url =
+                    this.baseUrl +
+                        this.appendApiVersion(`${path}${separator}continuationToken=${continuationToken}`);
+            }
+            else {
+                url = null;
+            }
+        }
+    }
+}
+//# sourceMappingURL=api.js.map

package/dist/backends/ado/api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.js","sourceRoot":"","sources":["../../../src/backends/ado/api.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAExE,MAAM,eAAe,GAAG,KAAK,CAAC;AAM9B,MAAM,OAAO,YAAa,SAAQ,aAAa;IACrC,IAAI,CAAU;IAEtB,YAAY,IAAa,EAAE,GAAW;QACpC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;QAC7D,KAAK,CAAC,KAAK,EAAE,yBAAyB,GAAG,EAAE,CAAC,CAAC;QAC7C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;IAEO,aAAa;QACnB,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,UAAU,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QACD,OAAO,SAAS,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;IACxE,CAAC;IAEO,gBAAgB,CAAC,IAAY;QACnC,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QACjD,OAAO,GAAG,IAAI,GAAG,SAAS,eAAe,eAAe,EAAE,CAAC;IAC7D,CAAC;IAEkB,KAAK,CAAC,KAAK,CAC5B,MAAc,EACd,IAAY,EACZ,IAAc,EACd,WAAoB;QAEpB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAEvD,MAAM,OAAO,GAA2B;YACtC,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE;YACnC,MAAM,EAAE,kBAAkB;SAC3B,CAAC;QAEF,MAAM,IAAI,GAAgB,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;QAE9C,IAAI,IAAI,KAAK,SAAS,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACpE,OAAO,CAAC,cAAc,CAAC,GAAG,WAAW,IAAI,kBAAkB,CAAC;YAC5D,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC;QAED,IAAI,QAAQ,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAEjD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAEtC,0CAA0C;QAC1C,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC3D,MAAM,YAAY,GAAG,kBAAkB,EAAE,CAAC;YAC1C,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,YAAY,CAAC,CAAC;gBACrD,IAAI,QAAQ,EAAE,CAAC;oBACb,IAAI,CAAC,IAAI,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;oBAChD,IAAI,CAAC,KAAK,GAAG,QAAQ,CAAC;oBACtB,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,QAAQ,EAAE,CAAC;oBAChD,QAAQ,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,GAAG,EAAE;wBACrC,MAAM;wBACN,OAAO;wBACP,IAAI,EAAE,IAAI,CAAC,IAAI;qBAChB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAI,SAAS,EAAE,CAAC;QACxB,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC,CAAC;QACtD,CAAC;QAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAM,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,IAAI,CACR,MAAc,EACd,IAAY,EACZ,IAAc,EACd,WAAoB;QAEpB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAI,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC;IAC1E,CAAC;IAED,KAAK,CAAC,IAAI,CAAI,OAAe,EAAE,KAAa;QAC1C,OAAO,IAAI,CAAC,IAAI,CAAI,MAAM,EAAE,IAAI,OAAO,iBAAiB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAI,GAAa;QACtC,MAAM,UAAU,GAAG,GAAG,CAAC;QACvB,MAAM,SAAS,GAAc,EAAE,CAAC;QAEhC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,UAAU,EAAE,CAAC;YAChD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC;YAC3C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAC5B,MAAM,EACN,2BAA2B,EAC3B,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,EAAE,CAC3B,CAAC;YACF,SAAS,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAClC,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,SAAS,EAAO,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,CAAC,QAAQ,CAAI,IAAY;QAC7B,IAAI,GAAG,GAAkB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAEpE,OAAO,GAAG,EAAE,CAAC;YACX,MAAM,OAAO,GAA2B;gBACtC,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE;gBACnC,MAAM,EAAE,kBAAkB;aAC3B,CAAC;YAEF,MAAM,QAAQ,GAAa,MAAM,UAAU,CAAC,KAAK,CAAC,GAAG,EAAE;gBACrD,MAAM,EAAE,KAAK;gBACb,OAAO;aACR,CAAC,CAAC;YAEH,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAEtC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,SAAS,EAAE,CAAC;YACxB,CAAC;YAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACnC,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC,CAAC;YACtD,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAmC,CAAC;YACvE,MAAM,IAAI,CAAC,KAAK,CAAC;YAEjB,MAAM,iBAAiB,GAAkB,QAAQ,CAAC,OAAO,CAAC,GAAG,CAC3D,wBAAwB,CACzB,CAAC;YACF,IAAI,iBAAiB,EAAE,CAAC;gBACtB,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACjD,GAAG;oBACD,IAAI,CAAC,OAAO;wBACZ,IAAI,CAAC,gBAAgB,CACnB,GAAG,IAAI,GAAG,SAAS,qBAAqB,iBAAiB,EAAE,CAC5D,CAAC;YACN,CAAC;iBAAM,CAAC;gBACN,GAAG,GAAG,IAAI,CAAC;YACb,CAAC;QACH,CAAC;IACH,CAAC;CACF"}

package/dist/backends/ado/index.d.ts

@@ -1,12 +1,16 @@
 import { BaseBackend } from '../types.js';
 import type { BackendCapabilities } from '../types.js';
 import type { WorkItem, NewWorkItem, NewComment, Comment, Template } from '../../types.js';
+export interface AzureDevOpsBackendOptions {
+    skipAuth?: boolean;
+}
 export declare class AzureDevOpsBackend extends BaseBackend {
-    private cwd;
+    private api;
     private org;
     private project;
     private types;
-    constructor(cwd: string);
+    private constructor();
+    static create(cwd: string, options?: AzureDevOpsBackendOptions): Promise<AzureDevOpsBackend>;
     getCapabilities(): BackendCapabilities;
     getStatuses(): Promise<string[]>;
     getWorkItemTypes(): Promise<string[]>;
@@ -22,16 +26,6 @@ export declare class AzureDevOpsBackend extends BaseBackend {
     createWorkItem(data: NewWorkItem): Promise<WorkItem>;
     updateWorkItem(id: string, data: Partial<WorkItem>): Promise<WorkItem>;
     deleteWorkItem(id: string): Promise<void>;
-    /**
-     * Add a comment to a work item.
-     *
-     * The Work Item Comments API is preview-only (7.1-preview.4) and cannot be
-     * called via `az devops invoke` (it fails to parse preview version strings),
-     * so we use `az rest` instead. Unlike `az devops` commands which honor PAT
-     * auth from `az devops login`, `az rest --resource` requires an Azure AD
-     * token obtained via `az login`. If only PAT auth is available, this method
-     * throws a descriptive error directing the user to run `az login`.
-     */
     addComment(workItemId: string, comment: NewComment): Promise<Comment>;
     getChildren(id: string): Promise<WorkItem[]>;
     getDependents(id: string): Promise<WorkItem[]>;