@yemi33/minions 0.1.1688 → 0.1.1689

package/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 0.1.1689 (2026-05-03)
+
+### Features
+- prefer az cli for ado tokens (#1996)
+
 ## 0.1.1688 (2026-05-02)
 
 ### Fixes

package/docs/auto-discovery.md

@@ -141,7 +141,7 @@ The engine directly polls the host REST API for **all** PR metadata: build/CI st
 | `buildStatus` | PR statuses (codecoverage/deploy/build/ci contexts) | `passing` / `failing` / `running` / `none` |
 | `buildFailReason` | Failed status description | Set on failure, cleared otherwise |
 
-**Auth:** Bearer token via `azureauth ado token --mode iwa --mode broker --output token --timeout 1` (cached 30 minutes). The `--timeout 1` flag is required — without it, azureauth can hang indefinitely in headless sessions. (GitHub polling uses the ambient `gh` CLI credentials, not azureauth.)
+**Auth:** Bearer token via shared `engine/ado-token.js`: prefer `az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv`, then fall back to `azureauth ado token --mode iwa --mode broker --output token --timeout 1` (cached 30 minutes). The `--timeout 1` flag is required — without it, azureauth can hang indefinitely in headless sessions. (GitHub polling uses the ambient `gh` CLI credentials, not azureauth.)
 
 This feeds `discoverFromPrs` — when `buildStatus` flips to `"failing"`, the next discovery tick dispatches a fix agent. When `status` becomes `"merged"`, the PR drops out of active polling.
 

package/engine/ado-mcp-wrapper.js

@@ -1,24 +1,18 @@
 #!/usr/bin/env node
 /**
- * Wrapper for @azure-devops/mcp that fetches an ADO token via azureauth
- * broker (no browser popup) and sets AZURE_DEVOPS_EXT_PAT before launching
- * the MCP server.
+ * Wrapper for @azure-devops/mcp that fetches an ADO token via the shared
+ * az-first provider chain and sets AZURE_DEVOPS_EXT_PAT before launching the
+ * MCP server.
  */
-const { execSync, spawn } = require('child_process');
-const path = require('path');
+const { spawn } = require('child_process');
+const { acquireAdoTokenSync } = require('./ado-token');
 
-// Fetch token via azureauth broker (corp tool, no browser)
 let token;
 try {
-  token = execSync('azureauth ado token --mode broker --output token --timeout 1', {
-    encoding: 'utf8',
-    timeout: 30000,
-    windowsHide: true,
-  }).trim();
+  token = acquireAdoTokenSync().token;
 } catch (e) {
-  // Broker failed — do NOT fall back to web mode (opens browser in automated context)
-  process.stderr.write('ado-mcp-wrapper: Broker auth failed: ' + e.message + '\n');
-  process.stderr.write('ado-mcp-wrapper: Run "azureauth ado token --mode web" manually to refresh\n');
+  process.stderr.write('ado-mcp-wrapper: ADO auth failed: ' + e.message + '\n');
+  process.stderr.write('ado-mcp-wrapper: Run "az login" or refresh azureauth manually, then retry\n');
   process.exit(1);
 }
 
@@ -31,7 +25,7 @@ const child = spawn(process.platform === 'win32' ? 'npx.cmd' : 'npx', [
   ...args
 ], {
   stdio: 'inherit',
-  env: { ...process.env, AZURE_DEVOPS_EXT_PAT: token },
+  env: { ...process.env, AZURE_DEVOPS_EXT_PAT: token, AZURE_DEVOPS_EXT_AZURE_RM_PAT: token },
   windowsHide: true,
   shell: false,
 });

package/engine/ado-status.js

@@ -3,8 +3,8 @@
  * engine/ado-status.js — CLI shim for querying PR and build status.
  *
  * Agents steered to "check on the builds" or "is CI green for PR #123" should
- * use this instead of raw curl + azureauth calls. All ADO auth and retry logic
- * is handled by ado.js internally.
+ * use this instead of raw curl + ad-hoc auth calls. All ADO auth and retry
+ * logic is handled by ado.js internally.
  *
  * Usage:
  *   node engine/ado-status.js <prNumber>

package/engine/ado-token.js

@@ -0,0 +1,104 @@
+/**
+ * Shared Azure DevOps token acquisition.
+ *
+ * Prefer Azure CLI because it is the most common authenticated tool in agent
+ * environments; keep azureauth as the non-interactive fallback for corp setups.
+ */
+
+const { exec, execSync } = require('child_process');
+
+const ADO_RESOURCE_ID = '499b84ac-1321-427f-aa17-267ca6975798';
+const AZ_CLI_ADO_TOKEN_COMMAND = `az account get-access-token --resource ${ADO_RESOURCE_ID} --query accessToken -o tsv`;
+const AZUREAUTH_ADO_TOKEN_COMMAND = 'azureauth ado token --mode iwa --mode broker --output token --timeout 1';
+const DEFAULT_ADO_TOKEN_TIMEOUT_MS = 30000;
+
+const ADO_TOKEN_PROVIDERS = Object.freeze([
+  Object.freeze({ source: 'az', command: AZ_CLI_ADO_TOKEN_COMMAND }),
+  Object.freeze({ source: 'azureauth', command: AZUREAUTH_ADO_TOKEN_COMMAND }),
+]);
+
+function normalizeAdoToken(value) {
+  return String(value || '').trim();
+}
+
+function isLikelyAdoToken(token) {
+  return typeof token === 'string' && token.startsWith('eyJ');
+}
+
+function _commandOptions({ timeout = DEFAULT_ADO_TOKEN_TIMEOUT_MS, encoding = 'utf8', windowsHide = true } = {}) {
+  return { encoding, timeout, windowsHide };
+}
+
+function _attemptMessage(attempt) {
+  return `${attempt.source}: ${attempt.error}`;
+}
+
+function _buildAdoTokenError(attempts) {
+  const err = new Error(`Failed to get ADO token via az CLI or azureauth: ${attempts.map(_attemptMessage).join('; ')}`);
+  err.attempts = attempts;
+  return err;
+}
+
+function _recordInvalidToken(attempts, provider) {
+  attempts.push({ source: provider.source, command: provider.command, error: 'invalid token output' });
+}
+
+function acquireAdoTokenSync({ execSync: run = execSync, timeout, encoding, windowsHide } = {}) {
+  const opts = _commandOptions({ timeout, encoding, windowsHide });
+  const attempts = [];
+  for (const provider of ADO_TOKEN_PROVIDERS) {
+    try {
+      const token = normalizeAdoToken(run(provider.command, opts));
+      if (isLikelyAdoToken(token)) {
+        return { token, source: provider.source, command: provider.command };
+      }
+      _recordInvalidToken(attempts, provider);
+    } catch (e) {
+      attempts.push({ source: provider.source, command: provider.command, error: e.message });
+    }
+  }
+  throw _buildAdoTokenError(attempts);
+}
+
+function _defaultExecAsync(command, opts) {
+  return new Promise((resolve, reject) => {
+    exec(command, opts, (err, stdout, stderr) => {
+      if (err) {
+        err.stdout = stdout;
+        err.stderr = stderr;
+        reject(err);
+        return;
+      }
+      resolve(stdout);
+    });
+  });
+}
+
+async function acquireAdoToken({ execAsync: run = _defaultExecAsync, timeout, encoding, windowsHide } = {}) {
+  const opts = _commandOptions({ timeout, encoding, windowsHide });
+  const attempts = [];
+  for (const provider of ADO_TOKEN_PROVIDERS) {
+    try {
+      const token = normalizeAdoToken(await run(provider.command, opts));
+      if (isLikelyAdoToken(token)) {
+        return { token, source: provider.source, command: provider.command };
+      }
+      _recordInvalidToken(attempts, provider);
+    } catch (e) {
+      attempts.push({ source: provider.source, command: provider.command, error: e.message });
+    }
+  }
+  throw _buildAdoTokenError(attempts);
+}
+
+module.exports = {
+  ADO_RESOURCE_ID,
+  AZ_CLI_ADO_TOKEN_COMMAND,
+  AZUREAUTH_ADO_TOKEN_COMMAND,
+  DEFAULT_ADO_TOKEN_TIMEOUT_MS,
+  ADO_TOKEN_PROVIDERS,
+  acquireAdoToken,
+  acquireAdoTokenSync,
+  isLikelyAdoToken,
+  normalizeAdoToken,
+};

package/engine/ado.js

@@ -8,6 +8,7 @@ const shared = require('./shared');
 const { exec, execAsync, getAdoOrgBase, log, ts, dateStamp, PR_STATUS, createThrottleTracker } = shared;
 const { getPrs } = require('./queries');
 const { mutateJsonFileLocked } = shared;
+const { acquireAdoToken } = require('./ado-token');
 
 // Lazy require to avoid circular dependency — only needed for engine().handlePostMerge
 let _engine = null;
@@ -199,7 +200,7 @@ function votesToReviewStatus(votes) {
 // ─── ADO Token Cache ─────────────────────────────────────────────────────────
 
 let _adoTokenCache = { token: null, expiresAt: 0 };
-let _adoTokenFailedUntil = 0; // backoff: skip azureauth calls until this timestamp
+let _adoTokenFailedUntil = 0; // backoff: skip token acquisition calls until this timestamp
 
 // ─── ADO Throttle State ─────────────────────────────────────────────────────
 // Tracks rate-limiting (HTTP 429/503) from ADO API responses.
@@ -224,23 +225,17 @@ async function getAdoToken() {
   if (_adoTokenCache.token && Date.now() < _adoTokenCache.expiresAt) {
     return _adoTokenCache.token;
   }
-  // If recent fetch failed, don't retry until backoff expires (avoids repeated browser popups)
+  // If recent fetch failed, don't retry until backoff expires.
   if (Date.now() < _adoTokenFailedUntil) return null;
   try {
-    // azureauth supports multiple --mode flags as an ordered fallback chain:
-    // tries IWA (Integrated Windows Auth) first, falls back to broker if unavailable.
-    // Uses execAsync to avoid blocking the event loop on Windows (spawnSync ETIMEDOUT).
-    const token = (await execAsync('azureauth ado token --mode iwa --mode broker --output token --timeout 1', {
-      timeout: 15000, encoding: 'utf-8', windowsHide: true    })).trim();
-    if (token && token.startsWith('eyJ')) {
-      _adoTokenCache = { token, expiresAt: Date.now() + 30 * 60 * 1000 };
-      _adoTokenFailedUntil = 0;
-      return token;
-    }
+    const { token } = await acquireAdoToken({ execAsync, timeout: 15000 });
+    _adoTokenCache = { token, expiresAt: Date.now() + 30 * 60 * 1000 };
+    _adoTokenFailedUntil = 0;
+    return token;
   } catch (e) {
     log('warn', `Failed to get ADO token: ${e.message}`);
   }
-  // Back off for 10 minutes to avoid spamming browser auth popups
+  // Back off for 10 minutes to avoid spamming auth commands.
   _adoTokenFailedUntil = Date.now() + 10 * 60 * 1000;
   return null;
 }

package/engine/copilot-models.json

@@ -1,5 +1,5 @@
 {
   "runtime": "copilot",
   "models": null,
-  "cachedAt": "2026-05-02T19:44:35.476Z"
+  "cachedAt": "2026-05-03T15:01:38.322Z"
 }

package/engine/spawn-agent.js

@@ -35,9 +35,9 @@
 const fs = require('fs');
 const os = require('os');
 const path = require('path');
-const { execSync } = require('child_process');
 const { runFile, cleanChildEnv, killGracefully, killImmediate, ts } = require('./shared');
 const { resolveRuntime } = require('./runtimes');
+const { acquireAdoTokenSync, isLikelyAdoToken } = require('./ado-token');
 
 // ─── Pure helpers (exported for tests) ──────────────────────────────────────
 
@@ -129,20 +129,19 @@ function normalizeRuntimeExit(code, signal) {
   return 1;
 }
 
-function injectAdoTokenEnv(env, { execSync: _execSync = execSync, warn = (msg) => process.stderr.write(msg + '\n') } = {}) {
-  let token;
+function injectAdoTokenEnv(env, { execSync: _execSync, acquireToken, warn = (msg) => process.stderr.write(msg + '\n') } = {}) {
+  let result;
   try {
-    token = String(_execSync('azureauth ado token --mode iwa --mode broker --output token --timeout 1', {
-      encoding: 'utf8',
-      timeout: 30000,
-      windowsHide: true,
-    }) || '').trim();
+    result = typeof acquireToken === 'function'
+      ? acquireToken()
+      : acquireAdoTokenSync({ execSync: _execSync });
   } catch (err) {
     warn(`spawn-agent.js: ADO token fetch failed: ${err.message}`);
     return false;
   }
-  if (!token || !token.startsWith('eyJ')) {
-    warn('spawn-agent.js: invalid ADO token from azureauth; continuing without Azure DevOps PAT env');
+  const token = typeof result === 'string' ? result : result?.token;
+  if (!isLikelyAdoToken(token)) {
+    warn('spawn-agent.js: invalid ADO token; continuing without Azure DevOps PAT env');
     return false;
   }
   env.AZURE_DEVOPS_EXT_PAT = token;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.1688",
+  "version": "0.1.1689",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"