azdo-cli 0.5.0-develop.156 → 0.5.0-hotfix-0-10-1.266

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { Command as Command13 } from "commander";
+import { Command as Command15 } from "commander";
 
 // src/version.ts
 import { readFileSync } from "fs";
@@ -166,17 +166,33 @@ async function getWorkItemFields(context, id, pat) {
   const data = await response.json();
   return data.fields;
 }
-async function getWorkItem(context, id, pat, extraFields) {
+function extractAttachments(relations) {
+  if (!relations) return null;
+  const attachments = relations.filter((r) => r.rel === "AttachedFile").map((r) => ({
+    name: r.attributes.name ?? "unknown",
+    size: r.attributes.resourceSize ?? 0,
+    url: r.url
+  }));
+  return attachments.length > 0 ? attachments : null;
+}
+function buildWorkItemUrl(context, id, options = {}) {
   const url = new URL(
     `https://dev.azure.com/${encodeURIComponent(context.org)}/${encodeURIComponent(context.project)}/_apis/wit/workitems/${id}`
   );
   url.searchParams.set("api-version", "7.1");
-  const normalizedExtraFields = extraFields ? normalizeFieldList(extraFields) : [];
-  if (normalizedExtraFields.length > 0) {
-    const allFields = normalizeFieldList([...DEFAULT_FIELDS, ...normalizedExtraFields]);
-    url.searchParams.set("fields", allFields.join(","));
+  if (options.includeRelations) {
+    url.searchParams.set("$expand", "relations");
   }
-  const response = await fetchWithErrors(url.toString(), { headers: authHeaders(pat) });
+  if (options.fields && options.fields.length > 0) {
+    url.searchParams.set("fields", options.fields.join(","));
+  }
+  return url;
+}
+async function fetchWorkItemResponse(context, id, pat, options = {}) {
+  const response = await fetchWithErrors(
+    buildWorkItemUrl(context, id, options).toString(),
+    { headers: authHeaders(pat) }
+  );
   if (response.status === 400) {
     const serverMessage = await readResponseMessage(response);
     if (serverMessage) {
@@ -186,7 +202,14 @@ async function getWorkItem(context, id, pat, extraFields) {
   if (!response.ok) {
     throw new Error(`HTTP_${response.status}`);
   }
-  const data = await response.json();
+  return await response.json();
+}
+async function getWorkItem(context, id, pat, extraFields) {
+  const normalizedExtraFields = extraFields ? normalizeFieldList(extraFields) : [];
+  const data = normalizedExtraFields.length > 0 ? await fetchWorkItemResponse(context, id, pat, {
+    fields: normalizeFieldList([...DEFAULT_FIELDS, ...normalizedExtraFields])
+  }) : await fetchWorkItemResponse(context, id, pat, { includeRelations: true });
+  const relationsData = normalizedExtraFields.length > 0 ? await fetchWorkItemResponse(context, id, pat, { includeRelations: true }) : data;
   const descriptionParts = [];
   if (data.fields["System.Description"]) {
     descriptionParts.push({ label: "Description", value: data.fields["System.Description"] });
@@ -214,7 +237,8 @@ async function getWorkItem(context, id, pat, extraFields) {
     areaPath: data.fields["System.AreaPath"],
     iterationPath: data.fields["System.IterationPath"],
     url: data._links.html.href,
-    extraFields: normalizedExtraFields.length > 0 ? buildExtraFields(data.fields, normalizedExtraFields) : null
+    extraFields: normalizedExtraFields.length > 0 ? buildExtraFields(data.fields, normalizedExtraFields) : null,
+    attachments: extractAttachments(relationsData.relations)
   };
 }
 async function getWorkItemFieldValue(context, id, pat, fieldName) {
@@ -263,8 +287,10 @@ async function listWorkItemComments(context, id, pat) {
     comments
   };
 }
-async function addWorkItemComment(context, id, pat, text) {
-  const response = await fetchWithErrors(buildWorkItemCommentsUrl(context, id).toString(), {
+async function addWorkItemComment(context, id, pat, text, format = "html") {
+  const url = buildWorkItemCommentsUrl(context, id);
+  url.searchParams.set("format", format);
+  const response = await fetchWithErrors(url.toString(), {
     method: "POST",
     headers: {
       ...authHeaders(pat),
@@ -326,44 +352,340 @@ async function applyWorkItemPatch(context, id, pat, operations) {
   });
   return readWriteResponse(response, "UPDATE_REJECTED");
 }
+async function downloadAttachment(url, pat) {
+  const response = await fetchWithErrors(url, { headers: authHeaders(pat) });
+  if (!response.ok) {
+    throw new Error(`HTTP_${response.status}`);
+  }
+  return response.arrayBuffer();
+}
 
 // src/services/auth.ts
 import { createInterface } from "readline";
+import { existsSync, readFileSync as readFileSync2 } from "fs";
+import { dirname as dirname2, join } from "path";
 
 // src/services/credential-store.ts
 import { Entry } from "@napi-rs/keyring";
-var SERVICE = "azdo-cli";
-var ACCOUNT = "pat";
-async function getPat() {
+
+// src/types/credential.ts
+var CredentialStoreUnavailableError = class extends Error {
+  backend;
+  constructor(backend, cause) {
+    super(`OS secret backend unavailable (${backend}). Install the platform's credential service and try again.`);
+    this.name = "CredentialStoreUnavailableError";
+    this.backend = backend;
+    if (cause instanceof Error) {
+      this.cause = cause;
+    }
+  }
+};
+
+// src/services/audit-log.ts
+import fs from "fs";
+import os from "os";
+import path from "path";
+function getAuditLogPath() {
+  return path.join(os.homedir(), ".azdo", "audit.log");
+}
+function ensureDirWithPerms(dir) {
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true, mode: 448 });
+    return;
+  }
   try {
-    const entry = new Entry(SERVICE, ACCOUNT);
-    return entry.getPassword();
+    fs.chmodSync(dir, 448);
   } catch {
-    return null;
   }
 }
-async function storePat(pat) {
+function ensureFileWithPerms(file) {
+  if (!fs.existsSync(file)) {
+    fs.writeFileSync(file, "", { mode: 384 });
+    return;
+  }
   try {
-    const entry = new Entry(SERVICE, ACCOUNT);
-    entry.setPassword(pat);
+    fs.chmodSync(file, 384);
   } catch {
   }
 }
-async function deletePat() {
+function appendAuthAuditEvent(input) {
+  const auditLog = getAuditLogPath();
+  const dir = path.dirname(auditLog);
+  ensureDirWithPerms(dir);
+  ensureFileWithPerms(auditLog);
+  const record = {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    event: input.event,
+    org: input.org,
+    backend: input.backend,
+    ...input.masked_pat !== void 0 ? { masked_pat: input.masked_pat } : {}
+  };
+  fs.appendFileSync(auditLog, `${JSON.stringify(record)}
+`);
+}
+function readAuditEvents() {
+  const auditLog = getAuditLogPath();
+  if (!fs.existsSync(auditLog)) {
+    return [];
+  }
+  const contents = fs.readFileSync(auditLog, "utf8");
+  const out = [];
+  for (const line of contents.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    try {
+      const parsed = JSON.parse(trimmed);
+      if (parsed && typeof parsed === "object" && typeof parsed.event === "string") {
+        out.push(parsed);
+      }
+    } catch {
+    }
+  }
+  return out;
+}
+
+// src/services/config-store.ts
+import fs2 from "fs";
+import path2 from "path";
+import os2 from "os";
+var SETTINGS = [
+  {
+    key: "org",
+    description: "Azure DevOps organization name",
+    type: "string",
+    example: "mycompany",
+    required: true
+  },
+  {
+    key: "project",
+    description: "Azure DevOps project name",
+    type: "string",
+    example: "MyProject",
+    required: true
+  },
+  {
+    key: "fields",
+    description: "Extra work item fields to include (comma-separated reference names)",
+    type: "string[]",
+    example: "System.Tags,Custom.Priority",
+    required: false
+  },
+  {
+    key: "markdown",
+    description: "Convert rich text fields to markdown on display",
+    type: "boolean",
+    example: "true",
+    required: false
+  }
+];
+var VALID_KEYS = SETTINGS.map((s) => s.key);
+function getConfigPath() {
+  return path2.join(os2.homedir(), ".azdo", "config.json");
+}
+function loadConfig() {
+  const configPath = getConfigPath();
+  let raw;
   try {
-    const entry = new Entry(SERVICE, ACCOUNT);
-    entry.deletePassword();
-    return true;
+    raw = fs2.readFileSync(configPath, "utf-8");
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      return {};
+    }
+    throw err;
+  }
+  try {
+    return JSON.parse(raw);
   } catch {
-    return false;
+    process.stderr.write(`Warning: Config file ${configPath} contains invalid JSON. Using defaults.
+`);
+    return {};
   }
 }
+function saveConfig(config) {
+  const configPath = getConfigPath();
+  const dir = path2.dirname(configPath);
+  fs2.mkdirSync(dir, { recursive: true });
+  fs2.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+}
+function validateKey(key) {
+  if (!VALID_KEYS.includes(key)) {
+    throw new Error(`Unknown setting key "${key}". Valid keys: ${VALID_KEYS.join(", ")}`);
+  }
+}
+function getConfigValue(key) {
+  validateKey(key);
+  const config = loadConfig();
+  return config[key];
+}
+function setConfigValue(key, value) {
+  validateKey(key);
+  const config = loadConfig();
+  if (value === "") {
+    delete config[key];
+  } else if (key === "markdown") {
+    if (value !== "true" && value !== "false") {
+      throw new Error(`Invalid value "${value}" for markdown. Must be "true" or "false".`);
+    }
+    config.markdown = value === "true";
+  } else if (key === "fields") {
+    config.fields = value.split(",").map((s) => s.trim());
+  } else {
+    config[key] = value;
+  }
+  saveConfig(config);
+}
+function unsetConfigValue(key) {
+  validateKey(key);
+  const config = loadConfig();
+  delete config[key];
+  saveConfig(config);
+}
 
-// src/services/auth.ts
+// src/services/auth-masking.ts
+var VISIBLE_CHARS = 5;
+function maskedDisplay(pat) {
+  if (pat.length <= VISIBLE_CHARS * 2) {
+    return pat;
+  }
+  const hiddenCount = pat.length - VISIBLE_CHARS * 2;
+  return pat.slice(0, VISIBLE_CHARS) + "*".repeat(hiddenCount) + pat.slice(-VISIBLE_CHARS);
+}
 function normalizePat(rawPat) {
   const trimmedPat = rawPat.trim();
   return trimmedPat.length > 0 ? trimmedPat : null;
 }
+
+// src/services/credential-store.ts
+var SERVICE = "azdo-cli";
+var LEGACY_ACCOUNT = "pat";
+function accountFor(org) {
+  return `pat:${org}`;
+}
+function probeBackend() {
+  switch (process.platform) {
+    case "win32":
+      return "windows-credential-manager";
+    case "darwin":
+      return "macos-keychain";
+    case "linux":
+      return "linux-libsecret";
+    default:
+      return "unknown";
+  }
+}
+function wrapUnavailable(fn) {
+  try {
+    return fn();
+  } catch (err) {
+    throw new CredentialStoreUnavailableError(probeBackend(), err);
+  }
+}
+var legacyUnsetNoticeEmitted = false;
+function emitLegacyUnsetNoticeOnce() {
+  if (legacyUnsetNoticeEmitted) return;
+  legacyUnsetNoticeEmitted = true;
+  process.stderr.write(
+    'A legacy PAT exists in the OS vault from a previous azdo-cli version, but no "org" is set in config. Run `azdo auth --org <name>` to re-store it under the per-org key, then `azdo clear-pat` to remove the legacy slot.\n'
+  );
+}
+async function maybeMigrateLegacy(targetOrg) {
+  const config = loadConfig();
+  if (!config.org || config.org !== targetOrg) {
+    if (!config.org) {
+      let legacyExists;
+      try {
+        const legacyEntry2 = new Entry(SERVICE, LEGACY_ACCOUNT);
+        legacyExists = legacyEntry2.getPassword() !== null;
+      } catch {
+        legacyExists = false;
+      }
+      if (legacyExists) {
+        emitLegacyUnsetNoticeOnce();
+      }
+    }
+    return null;
+  }
+  const newEntry = new Entry(SERVICE, accountFor(targetOrg));
+  const existingNew = wrapUnavailable(() => newEntry.getPassword());
+  if (existingNew !== null) {
+    return null;
+  }
+  const legacyEntry = new Entry(SERVICE, LEGACY_ACCOUNT);
+  const legacy = wrapUnavailable(() => legacyEntry.getPassword());
+  if (legacy === null) {
+    return null;
+  }
+  wrapUnavailable(() => {
+    newEntry.setPassword(legacy);
+    legacyEntry.deletePassword();
+  });
+  appendAuthAuditEvent({
+    event: "auth.store",
+    org: targetOrg,
+    backend: probeBackend(),
+    masked_pat: maskedDisplay(legacy)
+  });
+  process.stderr.write(`Migrated legacy PAT to org ${targetOrg}.
+`);
+  return legacy;
+}
+async function getPat(org) {
+  const entry = new Entry(SERVICE, accountFor(org));
+  const value = wrapUnavailable(() => entry.getPassword());
+  if (value !== null) {
+    return value;
+  }
+  const migrated = await maybeMigrateLegacy(org);
+  return migrated;
+}
+async function storePat(org, pat) {
+  const entry = new Entry(SERVICE, accountFor(org));
+  wrapUnavailable(() => entry.setPassword(pat));
+  appendAuthAuditEvent({
+    event: "auth.store",
+    org,
+    backend: probeBackend(),
+    masked_pat: maskedDisplay(pat)
+  });
+}
+async function deletePat(org) {
+  const entry = new Entry(SERVICE, accountFor(org));
+  const existing = wrapUnavailable(() => entry.getPassword());
+  if (existing === null) {
+    return false;
+  }
+  wrapUnavailable(() => entry.deletePassword());
+  appendAuthAuditEvent({
+    event: "auth.delete",
+    org,
+    backend: probeBackend(),
+    masked_pat: maskedDisplay(existing)
+  });
+  return true;
+}
+async function listOrgsWithStoredPat() {
+  const seen = /* @__PURE__ */ new Set();
+  for (const ev of readAuditEvents()) {
+    if (ev.event === "auth.store") {
+      seen.add(ev.org);
+    } else if (ev.event === "auth.delete") {
+      seen.delete(ev.org);
+    }
+  }
+  const present = [];
+  for (const org of seen) {
+    const entry = new Entry(SERVICE, accountFor(org));
+    const value = wrapUnavailable(() => entry.getPassword());
+    if (value !== null) {
+      present.push(org);
+    }
+  }
+  present.sort((a, b) => a.localeCompare(b));
+  return present;
+}
+
+// src/services/auth.ts
+var PAT_PROMPT = "Enter your Azure DevOps PAT: ";
 async function promptForPat() {
   if (!process.stdin.isTTY) {
     return null;
@@ -371,12 +693,16 @@ async function promptForPat() {
   return new Promise((resolve2) => {
     const rl = createInterface({
       input: process.stdin,
-      output: process.stderr
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      output: null
     });
-    process.stderr.write("Enter your Azure DevOps PAT: ");
+    process.stderr.write(PAT_PROMPT);
     process.stdin.setRawMode(true);
     process.stdin.resume();
     let pat = "";
+    const redraw = () => {
+      process.stderr.write(`\r${PAT_PROMPT}${maskedDisplay(pat)}\x1B[K`);
+    };
     const onData = (key) => {
       const ch = key.toString("utf8");
       if (ch === "") {
@@ -394,37 +720,77 @@ async function promptForPat() {
       } else if (ch === "\x7F" || ch === "\b") {
         if (pat.length > 0) {
           pat = pat.slice(0, -1);
-          process.stderr.write("\b \b");
+          redraw();
         }
       } else {
         pat += ch;
-        process.stderr.write("*".repeat(ch.length));
+        redraw();
       }
     };
     process.stdin.on("data", onData);
   });
 }
-async function resolvePat() {
+function findDotEnvPat(startDir = process.cwd()) {
+  let current = startDir;
+  while (true) {
+    const envFile = join(current, ".env");
+    if (existsSync(envFile)) {
+      const contents = readFileSync2(envFile, "utf8");
+      for (const line of contents.split("\n")) {
+        const match = line.match(/^AZDO_PAT\s*=\s*(.+)$/);
+        if (match) {
+          const value = match[1].trim().replace(/^["']|["']$/g, "");
+          if (value.length > 0) return value;
+        }
+      }
+    }
+    const parent = dirname2(current);
+    if (parent === current) break;
+    current = parent;
+  }
+  return null;
+}
+async function resolvePat(org) {
   const envPat = process.env.AZDO_PAT;
-  if (envPat) {
+  if (envPat && envPat.length > 0) {
     return { pat: envPat, source: "env" };
   }
-  const storedPat = await getPat();
+  const storedPat = await getPat(org);
   if (storedPat !== null) {
     return { pat: storedPat, source: "credential-store" };
   }
-  const promptedPat = await promptForPat();
-  if (promptedPat !== null) {
-    const normalizedPat = normalizePat(promptedPat);
-    if (normalizedPat !== null) {
-      await storePat(normalizedPat);
-      return { pat: normalizedPat, source: "prompt" };
-    }
+  const dotEnvPat = findDotEnvPat();
+  if (dotEnvPat !== null) {
+    return { pat: dotEnvPat, source: "env" };
+  }
+  return null;
+}
+async function requirePat(org) {
+  const cred = await resolvePat(org);
+  if (cred !== null) {
+    return cred;
   }
   throw new Error(
-    "Authentication cancelled. Set AZDO_PAT environment variable or run again to enter a PAT."
+    `No PAT available for org "${org}". Set AZDO_PAT environment variable or run \`azdo auth --org ${org}\`.`
   );
 }
+async function validatePatAgainstAzdo(pat, org) {
+  const url = `https://dev.azure.com/${encodeURIComponent(org)}/_apis/projects?$top=1&api-version=7.1`;
+  const auth = Buffer.from(`:${pat}`).toString("base64");
+  const response = await fetch(url, {
+    headers: {
+      Authorization: `Basic ${auth}`,
+      Accept: "application/json"
+    }
+  });
+  if (response.status === 200) {
+    return { ok: true, status: 200 };
+  }
+  if (response.status === 401 || response.status === 403) {
+    return { ok: false, status: response.status };
+  }
+  throw new Error(`Azure DevOps returned HTTP ${response.status} while validating PAT for org "${org}".`);
+}
 
 // src/services/git-remote.ts
 import { execSync } from "child_process";
@@ -496,122 +862,57 @@ function getCurrentBranch() {
   return branch;
 }
 
-// src/services/config-store.ts
-import fs from "fs";
-import path from "path";
-import os from "os";
-var SETTINGS = [
-  {
-    key: "org",
-    description: "Azure DevOps organization name",
-    type: "string",
-    example: "mycompany",
-    required: true
-  },
-  {
-    key: "project",
-    description: "Azure DevOps project name",
-    type: "string",
-    example: "MyProject",
-    required: true
-  },
-  {
-    key: "fields",
-    description: "Extra work item fields to include (comma-separated reference names)",
-    type: "string[]",
-    example: "System.Tags,Custom.Priority",
-    required: false
-  },
-  {
-    key: "markdown",
-    description: "Convert rich text fields to markdown on display",
-    type: "boolean",
-    example: "true",
-    required: false
-  }
-];
-var VALID_KEYS = SETTINGS.map((s) => s.key);
-function getConfigPath() {
-  return path.join(os.homedir(), ".azdo", "config.json");
-}
-function loadConfig() {
-  const configPath = getConfigPath();
-  let raw;
+// src/services/org-resolver.ts
+function defaultDetectFromGit() {
   try {
-    raw = fs.readFileSync(configPath, "utf-8");
-  } catch (err) {
-    if (err.code === "ENOENT") {
-      return {};
-    }
-    throw err;
-  }
-  try {
-    return JSON.parse(raw);
+    return detectAzdoContext().org ?? null;
   } catch {
-    process.stderr.write(`Warning: Config file ${configPath} contains invalid JSON. Using defaults.
-`);
-    return {};
+    return null;
   }
 }
-function saveConfig(config) {
-  const configPath = getConfigPath();
-  const dir = path.dirname(configPath);
-  fs.mkdirSync(dir, { recursive: true });
-  fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+function defaultReadConfig() {
+  return loadConfig();
 }
-function validateKey(key) {
-  if (!VALID_KEYS.includes(key)) {
-    throw new Error(`Unknown setting key "${key}". Valid keys: ${VALID_KEYS.join(", ")}`);
+function resolveOrg(options) {
+  if (options.org && options.org.length > 0) {
+    return { org: options.org, source: "flag" };
   }
-}
-function getConfigValue(key) {
-  validateKey(key);
-  const config = loadConfig();
-  return config[key];
-}
-function setConfigValue(key, value) {
-  validateKey(key);
-  const config = loadConfig();
-  if (value === "") {
-    delete config[key];
-  } else if (key === "markdown") {
-    if (value !== "true" && value !== "false") {
-      throw new Error(`Invalid value "${value}" for markdown. Must be "true" or "false".`);
-    }
-    config.markdown = value === "true";
-  } else if (key === "fields") {
-    config.fields = value.split(",").map((s) => s.trim());
-  } else {
-    config[key] = value;
+  const gitOrg = (options.detectFromGit ?? defaultDetectFromGit)();
+  if (gitOrg && gitOrg.length > 0) {
+    return { org: gitOrg, source: "git" };
   }
-  saveConfig(config);
+  const configOrg = (options.readConfig ?? defaultReadConfig)().org;
+  if (configOrg && configOrg.length > 0) {
+    return { org: configOrg, source: "config" };
+  }
+  return null;
 }
-function unsetConfigValue(key) {
-  validateKey(key);
-  const config = loadConfig();
-  delete config[key];
-  saveConfig(config);
+function formatResolutionError() {
+  return [
+    "Could not resolve an Azure DevOps organization. Options (in priority order):",
+    "  1. Pass --org <name> on the command line.",
+    "  2. Run this command from a git repo whose origin remote is an Azure DevOps URL.",
+    "  3. Run `azdo config set org <name>` once to set a persistent default."
+  ].join("\n");
 }
 
 // src/services/context.ts
 function resolveContext(options) {
-  if (options.org && options.project) {
-    return { org: options.org, project: options.project };
-  }
-  const config = loadConfig();
-  if (config.org && config.project) {
-    return { org: config.org, project: config.project };
-  }
+  const resolvedOrg = resolveOrg({ org: options.org });
   let gitContext = null;
   try {
     gitContext = detectAzdoContext();
   } catch {
   }
-  const org = config.org || gitContext?.org;
-  const project = config.project || gitContext?.project;
+  const config = loadConfig();
+  const org = resolvedOrg?.org;
+  const project = options.project || (gitContext?.project && gitContext.project.length > 0 ? gitContext.project : void 0) || config.project;
   if (org && project) {
     return { org, project };
   }
+  if (!org) {
+    throw new Error(formatResolutionError());
+  }
   throw new Error(
     'Could not determine org/project. Use --org and --project flags, work from an Azure DevOps git repo, or run "azdo config set org/project".'
   );
@@ -771,7 +1072,7 @@ function stripHtml(html) {
   text = text.replaceAll(/<br\s*\/?>/gi, "\n");
   text = text.replaceAll(/<\/?(p|div)>/gi, "\n");
   text = text.replaceAll(/<li>/gi, "\n");
-  text = text.replaceAll(/<[^>]*>/g, "");
+  text = removeHtmlTags(text);
   text = text.replaceAll("&amp;", "&");
   text = text.replaceAll("&lt;", "<");
   text = text.replaceAll("&gt;", ">");
@@ -781,22 +1082,71 @@ function stripHtml(html) {
   text = text.replaceAll(/\n{3,}/g, "\n\n");
   return text.trim();
 }
+function removeHtmlTags(value) {
+  let result = "";
+  let insideTag = false;
+  for (const char of value) {
+    if (char === "<") {
+      insideTag = true;
+      continue;
+    }
+    if (char === ">" && insideTag) {
+      insideTag = false;
+      continue;
+    }
+    if (!insideTag) {
+      result += char;
+    }
+  }
+  return result;
+}
 function convertRichText(html, markdown) {
   if (!html) return "";
   return markdown ? toMarkdown(html) : stripHtml(html);
 }
+function formatMarkdownField(fieldLabel, value) {
+  if (value.includes("\n")) {
+    return `${fieldLabel}:
+${value}`;
+  }
+  return `${fieldLabel}: ${value}`;
+}
 function formatExtraFields(extraFields, markdown) {
   return Object.entries(extraFields).map(([refName, value]) => {
     const fieldLabel = refName.includes(".") ? refName.split(".").pop() : refName;
-    const displayValue = markdown ? toMarkdown(value) : value;
-    return `${fieldLabel.padEnd(13)}${displayValue}`;
+    if (markdown) {
+      const displayValue = toMarkdown(value);
+      return formatMarkdownField(fieldLabel, displayValue);
+    }
+    return formatMarkdownField(fieldLabel, value);
   });
 }
-function summarizeDescription(text, label) {
+function summarizeDescription(text, label, markdown) {
   const descLines = text.split("\n").filter((l) => l.trim() !== "");
   const firstThree = descLines.slice(0, 3);
   const suffix = descLines.length > 3 ? "\n..." : "";
-  return [`${label("Description:")}${firstThree.join("\n")}${suffix}`];
+  const content = `${firstThree.join("\n")}${suffix}`;
+  if (markdown) {
+    return [formatMarkdownField("Description", content)];
+  }
+  return [`${label("Description:")}${content}`];
+}
+function formatFileSize(bytes) {
+  if (bytes < 1024) return `${bytes} B`;
+  const kb = bytes / 1024;
+  if (kb < 1024) return `${kb.toFixed(1)} KB`;
+  const mb = kb / 1024;
+  return `${mb.toFixed(1)} MB`;
+}
+function formatAttachments(attachments, short) {
+  if (short) {
+    return [`Attachments: ${attachments.length}`];
+  }
+  const lines = ["", "Attachments:"];
+  for (const att of attachments) {
+    lines.push(`  ${att.name} (${formatFileSize(att.size)})`);
+  }
+  return lines;
 }
 function formatWorkItem(workItem, short, markdown = false) {
   const label = (name) => name.padEnd(13);
@@ -813,59 +1163,361 @@ function formatWorkItem(workItem, short, markdown = false) {
       `${label("Iteration:")}${workItem.iterationPath}`
     );
   }
-  lines.push(`${label("URL:")}${workItem.url}`);
-  if (workItem.extraFields) {
-    lines.push(...formatExtraFields(workItem.extraFields, markdown));
+  lines.push(`${label("URL:")}${workItem.url}`);
+  if (workItem.extraFields) {
+    lines.push(...formatExtraFields(workItem.extraFields, markdown));
+  }
+  lines.push("");
+  const descriptionText = convertRichText(workItem.description, markdown);
+  if (short) {
+    lines.push(...summarizeDescription(descriptionText, label, markdown));
+  } else {
+    lines.push("Description:", descriptionText);
+  }
+  if (workItem.attachments) {
+    lines.push(...formatAttachments(workItem.attachments, short));
+  }
+  return lines.join("\n");
+}
+function createGetItemCommand() {
+  const command = new Command("get-item");
+  command.description("Retrieve an Azure DevOps work item by ID").argument("<id>", "work item ID").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--short", "show abbreviated output").option("--fields <fields>", "comma-separated additional field reference names").option("--markdown", "convert rich text fields to markdown").action(
+    async (idStr, options) => {
+      const id = parseWorkItemId(idStr);
+      validateOrgProjectPair(options);
+      let context;
+      try {
+        context = resolveContext(options);
+        const credential = await requirePat(context.org);
+        const fieldsList = options.fields === void 0 ? parseRequestedFields(loadConfig().fields) : parseRequestedFields(options.fields);
+        const workItem = await getWorkItem(context, id, credential.pat, fieldsList);
+        const markdownEnabled = options.markdown ?? loadConfig().markdown ?? false;
+        const output = formatWorkItem(workItem, options.short ?? false, markdownEnabled);
+        process.stdout.write(output + "\n");
+      } catch (err) {
+        handleCommandError(err, id, context, "read", false);
+      }
+    }
+  );
+  return command;
+}
+
+// src/commands/clear-pat.ts
+import { Command as Command2 } from "commander";
+function createClearPatCommand() {
+  const command = new Command2("clear-pat");
+  command.description("Remove a stored Azure DevOps PAT (deprecated: use `azdo auth logout`)").option("--org <name>", "Azure DevOps organization (overrides auto-detect / config)").action(async (options) => {
+    process.stderr.write("`azdo clear-pat` is deprecated; use `azdo auth logout [--org <name>]` instead.\n");
+    const resolved = resolveOrg({ org: options.org });
+    if (!resolved) {
+      process.stderr.write(`${formatResolutionError()}
+`);
+      process.exitCode = 3;
+      return;
+    }
+    const deleted = await deletePat(resolved.org);
+    if (deleted) {
+      process.stdout.write(`PAT removed for org ${resolved.org}.
+`);
+    } else {
+      process.stdout.write(`No stored PAT found for org ${resolved.org}.
+`);
+    }
+  });
+  return command;
+}
+
+// src/commands/auth.ts
+import { Command as Command3 } from "commander";
+
+// src/services/browser-open.ts
+import { execFile } from "child_process";
+function isHeadless(platform, hasDisplay) {
+  if (platform === "linux") {
+    return !hasDisplay;
+  }
+  return false;
+}
+function commandForPlatform(platform) {
+  switch (platform) {
+    case "darwin":
+      return { cmd: "open", args: (url) => [url] };
+    case "win32":
+      return { cmd: "cmd", args: (url) => ["/c", "start", '""', url] };
+    case "linux":
+      return { cmd: "xdg-open", args: (url) => [url] };
+    default:
+      return null;
+  }
+}
+async function openUrl(url, opts = {}) {
+  const platform = opts.platform ?? process.platform;
+  const hasDisplay = opts.hasDisplay ?? (process.env.DISPLAY !== void 0 && process.env.DISPLAY !== "");
+  const forcePrint = opts.forcePrint ?? false;
+  if (forcePrint || isHeadless(platform, hasDisplay)) {
+    process.stderr.write(`Open this URL in your browser: ${url}
+`);
+    return "printed";
+  }
+  const spec = commandForPlatform(platform);
+  if (!spec) {
+    process.stderr.write(`Open this URL in your browser: ${url}
+`);
+    return "printed";
+  }
+  const runner = opts.execFileFn ?? ((cmd, args, cb) => execFile(cmd, args, { timeout: 5e3 }, (err) => cb(err)));
+  return await new Promise((resolve2) => {
+    try {
+      runner(spec.cmd, spec.args(url), (err) => {
+        if (err) {
+          process.stderr.write(`Open this URL in your browser: ${url}
+`);
+          resolve2("printed");
+        } else {
+          resolve2("opened");
+        }
+      });
+    } catch {
+      process.stderr.write(`Open this URL in your browser: ${url}
+`);
+      resolve2("printed");
+    }
+  });
+}
+
+// src/commands/auth.ts
+async function readStdinToString() {
+  const chunks = [];
+  for await (const chunk of process.stdin) {
+    chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
+  }
+  return Buffer.concat(chunks).toString("utf8");
+}
+async function confirmOverwrite(org) {
+  if (!process.stdin.isTTY) return true;
+  process.stderr.write(`A PAT is already stored for org ${org}. Overwrite? [y/N] `);
+  return await new Promise((resolve2) => {
+    process.stdin.setEncoding("utf8");
+    let answered = false;
+    const handler = (data) => {
+      if (answered) return;
+      answered = true;
+      process.stdin.removeListener("data", handler);
+      process.stdin.pause();
+      const trimmed = data.trim().toLowerCase();
+      resolve2(trimmed === "y" || trimmed === "yes");
+    };
+    process.stdin.resume();
+    process.stdin.on("data", handler);
+  });
+}
+async function handleAuthRoot(options) {
+  const resolved = resolveOrg({ org: options.org });
+  if (!resolved) {
+    process.stderr.write(`${formatResolutionError()}
+`);
+    process.exitCode = 3;
+    return;
+  }
+  const org = resolved.org;
+  const wantBrowser = options.browser !== false && !options.fromStdin;
+  if (wantBrowser) {
+    const url = `https://dev.azure.com/${encodeURIComponent(org)}/_usersSettings/tokens`;
+    await openUrl(url);
+  }
+  const raw = options.fromStdin ? await readStdinToString() : await promptForPat();
+  const pat = raw ? normalizePat(raw) : null;
+  if (!pat) {
+    process.stderr.write("No PAT provided. Aborting.\n");
+    process.exitCode = 1;
+    return;
+  }
+  let validation;
+  try {
+    validation = await validatePatAgainstAzdo(pat, org);
+  } catch (err) {
+    process.stderr.write(`Could not reach Azure DevOps to validate PAT: ${err.message}
+`);
+    process.exitCode = 1;
+    return;
+  }
+  if (!validation.ok) {
+    appendAuthAuditEvent({ event: "auth.validate.fail", org, backend: probeBackend() });
+    process.stderr.write(`PAT validation failed (HTTP ${validation.status}). Token NOT stored.
+`);
+    process.exitCode = 2;
+    return;
+  }
+  appendAuthAuditEvent({
+    event: "auth.validate.ok",
+    org,
+    backend: probeBackend(),
+    masked_pat: maskedDisplay(pat)
+  });
+  try {
+    const existing = await getPat(org);
+    if (existing !== null) {
+      const overwrite = await confirmOverwrite(org);
+      if (!overwrite) {
+        process.stderr.write("Aborted. Existing PAT preserved.\n");
+        process.exitCode = 1;
+        return;
+      }
+    }
+    await storePat(org, pat);
+  } catch (err) {
+    if (err instanceof CredentialStoreUnavailableError) {
+      process.stderr.write(`${err.message}
+`);
+      process.exitCode = 4;
+      return;
+    }
+    throw err;
+  }
+  process.stdout.write(`PAT stored for org ${org} in ${probeBackend()}.
+`);
+}
+async function handleStatus(options, org) {
+  let backend;
+  let value;
+  try {
+    backend = probeBackend();
+    value = await getPat(org);
+  } catch (err) {
+    if (err instanceof CredentialStoreUnavailableError) {
+      process.stderr.write(`${err.message}
+`);
+      process.exitCode = 4;
+      return;
+    }
+    throw err;
   }
-  lines.push("");
-  const descriptionText = convertRichText(workItem.description, markdown);
-  if (short) {
-    lines.push(...summarizeDescription(descriptionText, label));
+  const storedEvents = readAuditEvents().filter((ev) => ev.org === org && ev.event === "auth.store");
+  const last = storedEvents[storedEvents.length - 1];
+  const updatedAt = last?.ts ?? null;
+  if (!value) {
+    if (options.json) {
+      process.stdout.write(
+        `${JSON.stringify({ org, backend, stored: false, masked: null, updated_at: updatedAt })}
+`
+      );
+    } else {
+      process.stdout.write(`Organization: ${org}
+Backend:      ${backend}
+Stored:       no
+`);
+    }
+    process.exitCode = 1;
+    return;
+  }
+  const masked = maskedDisplay(value);
+  if (options.json) {
+    process.stdout.write(
+      `${JSON.stringify({ org, backend, stored: true, masked, updated_at: updatedAt })}
+`
+    );
   } else {
-    lines.push("Description:", descriptionText);
+    process.stdout.write(
+      `Organization: ${org}
+Backend:      ${backend}
+Stored:       yes
+Identifier:   ${masked}
+` + (updatedAt ? `Last updated: ${updatedAt}
+` : "")
+    );
   }
-  return lines.join("\n");
 }
-function createGetItemCommand() {
-  const command = new Command("get-item");
-  command.description("Retrieve an Azure DevOps work item by ID").argument("<id>", "work item ID").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--short", "show abbreviated output").option("--fields <fields>", "comma-separated additional field reference names").option("--markdown", "convert rich text fields to markdown").action(
-    async (idStr, options) => {
-      const id = parseWorkItemId(idStr);
-      validateOrgProjectPair(options);
-      let context;
+async function handleLogout(options, orgFromGlobal) {
+  if (options.all && orgFromGlobal) {
+    process.stderr.write("--org and --all are mutually exclusive.\n");
+    process.exitCode = 1;
+    return;
+  }
+  if (options.all) {
+    let orgs;
+    try {
+      orgs = await listOrgsWithStoredPat();
+    } catch (err) {
+      if (err instanceof CredentialStoreUnavailableError) {
+        process.stderr.write(`${err.message}
+`);
+        process.exitCode = 4;
+        return;
+      }
+      throw err;
+    }
+    if (orgs.length === 0) {
+      process.stdout.write("No stored PATs to remove.\n");
+      return;
+    }
+    for (const org of orgs) {
       try {
-        context = resolveContext(options);
-        const credential = await resolvePat();
-        const fieldsList = options.fields === void 0 ? parseRequestedFields(loadConfig().fields) : parseRequestedFields(options.fields);
-        const workItem = await getWorkItem(context, id, credential.pat, fieldsList);
-        const markdownEnabled = options.markdown ?? loadConfig().markdown ?? false;
-        const output = formatWorkItem(workItem, options.short ?? false, markdownEnabled);
-        process.stdout.write(output + "\n");
+        await deletePat(org);
+        process.stdout.write(`PAT removed for org ${org}.
+`);
       } catch (err) {
-        handleCommandError(err, id, context, "read", false);
+        process.stderr.write(`Failed to remove PAT for org ${org}: ${err.message}
+`);
+        process.exitCode = 1;
       }
     }
-  );
-  return command;
-}
-
-// src/commands/clear-pat.ts
-import { Command as Command2 } from "commander";
-function createClearPatCommand() {
-  const command = new Command2("clear-pat");
-  command.description("Remove the stored Azure DevOps PAT from the credential store").action(async () => {
-    const deleted = await deletePat();
-    if (deleted) {
-      process.stdout.write("PAT removed from credential store.\n");
+    return;
+  }
+  const resolved = resolveOrg({ org: orgFromGlobal });
+  if (!resolved) {
+    process.stderr.write(`${formatResolutionError()}
+`);
+    process.exitCode = 3;
+    return;
+  }
+  try {
+    const removed = await deletePat(resolved.org);
+    if (removed) {
+      process.stdout.write(`PAT removed for org ${resolved.org}.
+`);
     } else {
-      process.stdout.write("No stored PAT found.\n");
+      process.stdout.write(`No stored PAT found for org ${resolved.org}.
+`);
+    }
+  } catch (err) {
+    if (err instanceof CredentialStoreUnavailableError) {
+      process.stderr.write(`${err.message}
+`);
+      process.exitCode = 4;
+      return;
+    }
+    throw err;
+  }
+}
+function createAuthCommand() {
+  const command = new Command3("auth");
+  command.description("Manage Azure DevOps Personal Access Tokens (PAT) in the OS secret vault");
+  command.option("--org <name>", "Azure DevOps organization (flag wins over auto-detect / config)").option("--from-stdin", "read PAT from stdin instead of prompting", false).option("--no-browser", "do not open the Azure DevOps PAT page in a browser");
+  command.action(async (options) => {
+    await handleAuthRoot(options);
+  });
+  const statusCmd = command.command("status").description("Report whether a PAT is stored for the resolved org (masked, never the full value)").option("--json", "emit a JSON object", false);
+  statusCmd.action(async (options) => {
+    const globals = statusCmd.optsWithGlobals();
+    const resolved = resolveOrg({ org: globals.org });
+    if (!resolved) {
+      process.stderr.write(`${formatResolutionError()}
+`);
+      process.exitCode = 3;
+      return;
     }
+    await handleStatus(options, resolved.org);
+  });
+  const logoutCmd = command.command("logout").description("Remove the stored PAT for an org (or all orgs with --all)").option("--all", "remove the stored PAT for every org", false);
+  logoutCmd.action(async (options) => {
+    const globals = logoutCmd.optsWithGlobals();
+    await handleLogout(options, globals.org);
   });
   return command;
 }
 
 // src/commands/config.ts
-import { Command as Command3 } from "commander";
+import { Command as Command4 } from "commander";
 import { createInterface as createInterface2 } from "readline";
 function formatConfigValue(value, unsetFallback = "") {
   if (value === void 0) {
@@ -925,9 +1577,9 @@ async function promptForSetting(cfg, setting, ask) {
 `);
 }
 function createConfigCommand() {
-  const config = new Command3("config");
+  const config = new Command4("config");
   config.description("Manage CLI settings");
-  const set = new Command3("set");
+  const set = new Command4("set");
   set.description("Set a configuration value").argument("<key>", "setting key (org, project, fields)").argument("<value>", "setting value").option("--json", "output in JSON format").action((key, value, options) => {
     try {
       setConfigValue(key, value);
@@ -948,7 +1600,7 @@ function createConfigCommand() {
       process.exit(1);
     }
   });
-  const get = new Command3("get");
+  const get = new Command4("get");
   get.description("Get a configuration value").argument("<key>", "setting key (org, project, fields)").option("--json", "output in JSON format").action((key, options) => {
     try {
       const value = getConfigValue(key);
@@ -971,7 +1623,7 @@ function createConfigCommand() {
       process.exit(1);
     }
   });
-  const list = new Command3("list");
+  const list = new Command4("list");
   list.description("List all configuration values").option("--json", "output in JSON format").action((options) => {
     const cfg = loadConfig();
     if (options.json) {
@@ -980,7 +1632,7 @@ function createConfigCommand() {
     }
     writeConfigList(cfg);
   });
-  const unset = new Command3("unset");
+  const unset = new Command4("unset");
   unset.description("Remove a configuration value").argument("<key>", "setting key (org, project, fields)").option("--json", "output in JSON format").action((key, options) => {
     try {
       unsetConfigValue(key);
@@ -997,7 +1649,7 @@ function createConfigCommand() {
       process.exit(1);
     }
   });
-  const wizard = new Command3("wizard");
+  const wizard = new Command4("wizard");
   wizard.description("Interactive wizard to configure all settings").action(async () => {
     if (!process.stdin.isTTY) {
       process.stderr.write(
@@ -1028,9 +1680,9 @@ function createConfigCommand() {
 }
 
 // src/commands/set-state.ts
-import { Command as Command4 } from "commander";
+import { Command as Command5 } from "commander";
 function createSetStateCommand() {
-  const command = new Command4("set-state");
+  const command = new Command5("set-state");
   command.description("Change the state of a work item").argument("<id>", "work item ID").argument("<state>", 'target state (e.g., "Active", "Closed")').option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--json", "output result as JSON").action(
     async (idStr, state, options) => {
       const id = parseWorkItemId(idStr);
@@ -1038,7 +1690,7 @@ function createSetStateCommand() {
       let context;
       try {
         context = resolveContext(options);
-        const credential = await resolvePat();
+        const credential = await requirePat(context.org);
         const operations = [
           { op: "add", path: "/fields/System.State", value: state }
         ];
@@ -1066,9 +1718,9 @@ function createSetStateCommand() {
 }
 
 // src/commands/assign.ts
-import { Command as Command5 } from "commander";
+import { Command as Command6 } from "commander";
 function createAssignCommand() {
-  const command = new Command5("assign");
+  const command = new Command6("assign");
   command.description("Assign a work item to a user, or unassign it").argument("<id>", "work item ID").argument("[name]", "user display name or email").option("--unassign", "clear the Assigned To field").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--json", "output result as JSON").action(
     async (idStr, name, options) => {
       const id = parseWorkItemId(idStr);
@@ -1088,7 +1740,7 @@ function createAssignCommand() {
       let context;
       try {
         context = resolveContext(options);
-        const credential = await resolvePat();
+        const credential = await requirePat(context.org);
         const value = options.unassign ? "" : name;
         const operations = [
           { op: "add", path: "/fields/System.AssignedTo", value }
@@ -1118,9 +1770,9 @@ function createAssignCommand() {
 }
 
 // src/commands/set-field.ts
-import { Command as Command6 } from "commander";
+import { Command as Command7 } from "commander";
 function createSetFieldCommand() {
-  const command = new Command6("set-field");
+  const command = new Command7("set-field");
   command.description("Set any work item field by its reference name").argument("<id>", "work item ID").argument("<field>", "field reference name (e.g., System.Title)").argument("<value>", "new value for the field").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--json", "output result as JSON").action(
     async (idStr, field, value, options) => {
       const id = parseWorkItemId(idStr);
@@ -1128,7 +1780,7 @@ function createSetFieldCommand() {
       let context;
       try {
         context = resolveContext(options);
-        const credential = await resolvePat();
+        const credential = await requirePat(context.org);
         const operations = [
           { op: "add", path: `/fields/${field}`, value }
         ];
@@ -1156,9 +1808,9 @@ function createSetFieldCommand() {
 }
 
 // src/commands/get-md-field.ts
-import { Command as Command7 } from "commander";
+import { Command as Command8 } from "commander";
 function createGetMdFieldCommand() {
-  const command = new Command7("get-md-field");
+  const command = new Command8("get-md-field");
   command.description("Get a work item field value, converting HTML to markdown").argument("<id>", "work item ID").argument("<field>", "field reference name (e.g., System.Description)").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").action(
     async (idStr, field, options) => {
       const id = parseWorkItemId(idStr);
@@ -1166,7 +1818,7 @@ function createGetMdFieldCommand() {
       let context;
       try {
         context = resolveContext(options);
-        const credential = await resolvePat();
+        const credential = await requirePat(context.org);
         const value = await getWorkItemFieldValue(context, id, credential.pat, field);
         if (value === null) {
           process.stdout.write("\n");
@@ -1182,8 +1834,8 @@ function createGetMdFieldCommand() {
 }
 
 // src/commands/set-md-field.ts
-import { existsSync, readFileSync as readFileSync2 } from "fs";
-import { Command as Command8 } from "commander";
+import { existsSync as existsSync2, readFileSync as readFileSync3 } from "fs";
+import { Command as Command9 } from "commander";
 function fail(message) {
   process.stderr.write(`Error: ${message}
 `);
@@ -1202,11 +1854,11 @@ function resolveContent(inlineContent, options) {
   return null;
 }
 function readFileContent(filePath) {
-  if (!existsSync(filePath)) {
+  if (!existsSync2(filePath)) {
     fail(`File not found: ${filePath}`);
   }
   try {
-    return readFileSync2(filePath, "utf-8");
+    return readFileSync3(filePath, "utf-8");
   } catch {
     fail(`Cannot read file: ${filePath}`);
   }
@@ -1245,7 +1897,7 @@ function formatOutput(result, options, field) {
   }
 }
 function createSetMdFieldCommand() {
-  const command = new Command8("set-md-field");
+  const command = new Command9("set-md-field");
   command.description("Set a work item field with markdown content").argument("<id>", "work item ID").argument("<field>", "field reference name (e.g., System.Description)").argument("[content]", "markdown content to set").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--json", "output result as JSON").option("--file <path>", "read markdown content from file").action(
     async (idStr, field, inlineContent, options) => {
       const id = parseWorkItemId(idStr);
@@ -1254,7 +1906,7 @@ function createSetMdFieldCommand() {
       let context;
       try {
         context = resolveContext(options);
-        const credential = await resolvePat();
+        const credential = await requirePat(context.org);
         const operations = [
           { op: "add", path: `/fields/${field}`, value: content },
           { op: "add", path: `/multilineFieldsFormat/${field}`, value: "Markdown" }
@@ -1270,8 +1922,8 @@ function createSetMdFieldCommand() {
 }
 
 // src/commands/upsert.ts
-import { existsSync as existsSync2, readFileSync as readFileSync3, unlinkSync } from "fs";
-import { Command as Command9 } from "commander";
+import { existsSync as existsSync3, readFileSync as readFileSync4, unlinkSync } from "fs";
+import { Command as Command10 } from "commander";
 
 // src/services/task-document.ts
 var FIELD_ALIASES = /* @__PURE__ */ new Map([
@@ -1434,12 +2086,12 @@ function loadSourceContent(options) {
     return { content: options.content };
   }
   const filePath = options.file;
-  if (!existsSync2(filePath)) {
+  if (!existsSync3(filePath)) {
     fail2(`File not found: ${filePath}`);
   }
   try {
     return {
-      content: readFileSync3(filePath, "utf-8"),
+      content: readFileSync4(filePath, "utf-8"),
       sourceFile: filePath
     };
   } catch {
@@ -1555,7 +2207,7 @@ function handleUpsertError(err, id, context) {
   process.exit(1);
 }
 function createUpsertCommand() {
-  const command = new Command9("upsert");
+  const command = new Command10("upsert");
   command.description("Create or update a work item from a markdown document").argument("[id]", "work item ID to update; omit to create a new work item").option("--content <markdown>", "task document content").option("--file <path>", "read task document from file").option("--type <workItemType>", "create mode work item type (defaults to Task)").option("--json", "output result as JSON").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").action(async (idStr, options) => {
     validateOrgProjectPair(options);
     const id = idStr === void 0 ? void 0 : parseWorkItemId(idStr);
@@ -1570,7 +2222,7 @@ function createUpsertCommand() {
         ensureTitleForCreate(document.fields);
       }
       const operations = toPatchOperations(document.fields, action);
-      const credential = await resolvePat();
+      const credential = await requirePat(context.org);
       let writeResult;
       if (action === "created") {
         writeResult = await createWorkItem(context, createType, credential.pat, operations);
@@ -1596,7 +2248,7 @@ function createUpsertCommand() {
 }
 
 // src/commands/list-fields.ts
-import { Command as Command10 } from "commander";
+import { Command as Command11 } from "commander";
 function stringifyValue(value) {
   if (value === null || value === void 0) return "";
   if (typeof value === "object") return JSON.stringify(value);
@@ -1628,7 +2280,7 @@ function formatFieldList(fields) {
   }).join("\n");
 }
 function createListFieldsCommand() {
-  const command = new Command10("list-fields");
+  const command = new Command11("list-fields");
   command.description("List all fields of an Azure DevOps work item").argument("<id>", "work item ID").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--json", "output result as JSON").action(
     async (idStr, options) => {
       const id = parseWorkItemId(idStr);
@@ -1636,7 +2288,7 @@ function createListFieldsCommand() {
       let context;
       try {
         context = resolveContext(options);
-        const credential = await resolvePat();
+        const credential = await requirePat(context.org);
         const fields = await getWorkItemFields(context, id, credential.pat);
         if (options.json) {
           process.stdout.write(JSON.stringify({ id, fields }, null, 2) + "\n");
@@ -1655,7 +2307,7 @@ function createListFieldsCommand() {
 }
 
 // src/commands/pr.ts
-import { Command as Command11 } from "commander";
+import { Command as Command12 } from "commander";
 
 // src/services/pr-client.ts
 function buildPullRequestsUrl(context, repo, sourceBranch, opts) {
@@ -1672,6 +2324,13 @@ function buildPullRequestsUrl(context, repo, sourceBranch, opts) {
   }
   return url;
 }
+function buildPullRequestStatusesUrl(context, repo, prId) {
+  const url = new URL(
+    `https://dev.azure.com/${encodeURIComponent(context.org)}/${encodeURIComponent(context.project)}/_apis/git/repositories/${encodeURIComponent(repo)}/pullRequests/${prId}/statuses`
+  );
+  url.searchParams.set("api-version", "7.1");
+  return url;
+}
 function mapPullRequest(repo, pullRequest) {
   return {
     id: pullRequest.pullRequestId,
@@ -1681,7 +2340,36 @@ function mapPullRequest(repo, pullRequest) {
     targetRefName: pullRequest.targetRefName,
     status: pullRequest.status,
     createdBy: pullRequest.createdBy?.displayName ?? null,
-    url: pullRequest._links.web.href
+    url: pullRequest._links?.web?.href ?? null
+  };
+}
+function mapPullRequestCheckName(status) {
+  const genre = status.context?.genre?.trim();
+  const name = status.context?.name?.trim();
+  if (genre && name) {
+    return `${genre}/${name}`;
+  }
+  if (name) {
+    return name;
+  }
+  if (genre) {
+    return genre;
+  }
+  return `Status #${status.id}`;
+}
+function mapPullRequestCheck(status) {
+  if (status.state === "notApplicable" || status.state === "notSet") {
+    return null;
+  }
+  return {
+    id: status.id,
+    state: status.state,
+    name: mapPullRequestCheckName(status),
+    description: status.description ?? null,
+    targetUrl: status.targetUrl ?? null,
+    createdBy: status.createdBy?.displayName ?? null,
+    createdAt: status.creationDate ?? null,
+    updatedAt: status.updatedDate ?? null
   };
 }
 function mapComment(comment) {
@@ -1697,9 +2385,6 @@ function mapComment(comment) {
   };
 }
 function mapThread(thread) {
-  if (thread.status !== "active" && thread.status !== "pending") {
-    return null;
-  }
   const comments = thread.comments.map(mapComment).filter((comment) => comment !== null);
   if (comments.length === 0) {
     return null;
@@ -1711,12 +2396,49 @@ function mapThread(thread) {
     comments
   };
 }
+function toActiveCommentThread(thread) {
+  return {
+    id: thread.id,
+    status: thread.status,
+    threadContext: thread.threadContext?.filePath ?? null,
+    comments: thread.comments.map(mapComment).filter((comment) => comment !== null)
+  };
+}
+var RESOLVED_THREAD_STATUSES = /* @__PURE__ */ new Set(["fixed", "wontFix", "closed", "byDesign"]);
+function isThreadResolved(status) {
+  return RESOLVED_THREAD_STATUSES.has(status);
+}
 async function readJsonResponse(response) {
   if (!response.ok) {
     throw new Error(`HTTP_${response.status}`);
   }
   return response.json();
 }
+async function patchThreadStatus(context, repo, pat, prId, threadId, status) {
+  const url = new URL(
+    `https://dev.azure.com/${encodeURIComponent(context.org)}/${encodeURIComponent(context.project)}/_apis/git/repositories/${encodeURIComponent(repo)}/pullRequests/${prId}/threads/${threadId}`
+  );
+  url.searchParams.set("api-version", "7.1");
+  const response = await fetchWithErrors(url.toString(), {
+    method: "PATCH",
+    headers: {
+      ...authHeaders(pat),
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ status })
+  });
+  const data = await readJsonResponse(response);
+  return toActiveCommentThread(data);
+}
+async function getPullRequestById(context, repo, pat, prId) {
+  const url = new URL(
+    `https://dev.azure.com/${encodeURIComponent(context.org)}/${encodeURIComponent(context.project)}/_apis/git/repositories/${encodeURIComponent(repo)}/pullRequests/${prId}`
+  );
+  url.searchParams.set("api-version", "7.1");
+  const response = await fetchWithErrors(url.toString(), { headers: authHeaders(pat) });
+  const data = await readJsonResponse(response);
+  return mapPullRequest(repo, data);
+}
 async function listPullRequests(context, repo, pat, sourceBranch, opts) {
   const response = await fetchWithErrors(
     buildPullRequestsUrl(context, repo, sourceBranch, opts).toString(),
@@ -1725,6 +2447,14 @@ async function listPullRequests(context, repo, pat, sourceBranch, opts) {
   const data = await readJsonResponse(response);
   return data.value.map((pullRequest) => mapPullRequest(repo, pullRequest));
 }
+async function getPullRequestChecks(context, repo, pat, prId) {
+  const response = await fetchWithErrors(
+    buildPullRequestStatusesUrl(context, repo, prId).toString(),
+    { headers: authHeaders(pat) }
+  );
+  const data = await readJsonResponse(response);
+  return data.value.map(mapPullRequestCheck).filter((check) => check !== null);
+}
 async function openPullRequest(context, repo, pat, sourceBranch, title, description) {
   const existing = await listPullRequests(context, repo, pat, sourceBranch, {
     status: "active",
@@ -1778,56 +2508,86 @@ async function getPullRequestThreads(context, repo, pat, prId) {
 }
 
 // src/commands/pr.ts
+function parsePositivePrNumber(raw) {
+  if (!/^\d+$/.test(raw)) {
+    return null;
+  }
+  const n = Number.parseInt(raw, 10);
+  return Number.isFinite(n) && n > 0 ? n : null;
+}
 function formatBranchName(refName) {
   return refName.startsWith("refs/heads/") ? refName.slice("refs/heads/".length) : refName;
 }
 function writeError(message) {
   process.stderr.write(`Error: ${message}
 `);
-  process.exit(1);
+  process.exitCode = 1;
 }
 function handlePrCommandError(err, context, mode = "read") {
   const error = err instanceof Error ? err : new Error(String(err));
   if (error.message === "AUTH_FAILED") {
     const scopeLabel = mode === "write" ? "Code (Read & Write)" : "Code (Read)";
     writeError(`Authentication failed. Check that your PAT is valid and has the "${scopeLabel}" scope.`);
+    return;
   }
   if (error.message === "PERMISSION_DENIED") {
     writeError(`Access denied. Your PAT may lack ${mode} permissions for project "${context?.project}".`);
+    return;
   }
   if (error.message === "NETWORK_ERROR") {
     writeError("Could not connect to Azure DevOps. Check your network connection.");
+    return;
   }
   if (error.message.startsWith("NOT_FOUND")) {
     writeError(`Azure DevOps repository not found in ${context?.org}/${context?.project}.`);
+    return;
   }
   if (error.message.startsWith("HTTP_")) {
     writeError(`Azure DevOps request failed with ${error.message}.`);
+    return;
   }
   writeError(error.message);
 }
+function formatPullRequestChecks(checks) {
+  if (checks.length === 0) {
+    return ["Checks: none reported by Azure DevOps"];
+  }
+  const lines = ["Checks:"];
+  for (const check of checks) {
+    lines.push(`- [${check.state}] ${check.name}`);
+    if ((check.state === "failed" || check.state === "error") && check.description) {
+      lines.push(`  Detail: ${check.description}`);
+    }
+  }
+  return lines;
+}
 function formatPullRequestBlock(pullRequest) {
   return [
     `#${pullRequest.id} [${pullRequest.status}] ${pullRequest.title}`,
     `${formatBranchName(pullRequest.sourceRefName)} -> ${formatBranchName(pullRequest.targetRefName)}`,
-    pullRequest.url
+    pullRequest.url ?? "\u2014",
+    ...formatPullRequestChecks(pullRequest.checks)
   ].join("\n");
 }
+function threadStatusLabel(status) {
+  return isThreadResolved(status) ? "resolved" : status;
+}
 function formatThreads(prId, title, threads) {
-  const lines = [`Active comments for pull request #${prId}: ${title}`];
+  const lines = [`Comment threads for pull request #${prId}: ${title}`];
   for (const thread of threads) {
-    lines.push("", `Thread #${thread.id} [${thread.status}] ${thread.threadContext ?? "(general)"}`);
+    lines.push("", `Thread #${thread.id} [${threadStatusLabel(thread.status)}] ${thread.threadContext ?? "(general)"}`);
     for (const comment of thread.comments) {
       lines.push(`  ${comment.author ?? "Unknown"}: ${comment.content}`);
     }
   }
   return lines.join("\n");
 }
-async function resolvePrCommandContext(options) {
+async function resolvePrCommandContext(options, resolveOpts = {}) {
+  const requireBranch = resolveOpts.requireBranch ?? true;
   const context = resolveContext(options);
   const repo = detectRepoName();
-  const branch = getCurrentBranch();
-  const credential = await resolvePat();
+  const branch = requireBranch ? getCurrentBranch() : null;
+  const credential = await requirePat(context.org);
   return {
     context,
     repo,
@@ -1836,27 +2596,33 @@ async function resolvePrCommandContext(options) {
   };
 }
 function createPrStatusCommand() {
-  const command = new Command11("status");
+  const command = new Command12("status");
   command.description("Check pull requests for the current branch").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--json", "output JSON").action(async (options) => {
     validateOrgProjectPair(options);
     let context;
     try {
       const resolved = await resolvePrCommandContext(options);
       context = resolved.context;
-      const pullRequests = await listPullRequests(resolved.context, resolved.repo, resolved.pat, resolved.branch);
-      const { branch, repo } = resolved;
-      const result = { branch, repository: repo, pullRequests };
+      const branch = resolved.branch;
+      const pullRequests = await listPullRequests(resolved.context, resolved.repo, resolved.pat, branch);
+      const pullRequestsWithChecks = await Promise.all(
+        pullRequests.map(async (pullRequest) => ({
+          ...pullRequest,
+          checks: await getPullRequestChecks(resolved.context, resolved.repo, resolved.pat, pullRequest.id)
+        }))
+      );
+      const result = { branch, repository: resolved.repo, pullRequests: pullRequestsWithChecks };
       if (options.json) {
         process.stdout.write(`${JSON.stringify(result, null, 2)}
 `);
         return;
       }
-      if (pullRequests.length === 0) {
+      if (pullRequestsWithChecks.length === 0) {
         process.stdout.write(`No pull requests found for branch ${branch}.
 `);
         return;
       }
-      process.stdout.write(`${pullRequests.map(formatPullRequestBlock).join("\n\n")}
+      process.stdout.write(`${pullRequestsWithChecks.map(formatPullRequestBlock).join("\n\n")}
 `);
     } catch (err) {
       handlePrCommandError(err, context, "read");
@@ -1865,16 +2631,18 @@ function createPrStatusCommand() {
   return command;
 }
 function createPrOpenCommand() {
-  const command = new Command11("open");
+  const command = new Command12("open");
   command.description("Open a pull request from the current branch to develop").option("--title <title>", "pull request title").option("--description <description>", "pull request description").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--json", "output JSON").action(async (options) => {
     validateOrgProjectPair(options);
     const title = options.title?.trim();
     if (!title) {
       writeError("--title is required for pull request creation.");
+      return;
     }
     const description = options.description?.trim();
     if (!description) {
       writeError("--description is required for pull request creation.");
+      return;
     }
     let context;
     try {
@@ -1882,12 +2650,14 @@ function createPrOpenCommand() {
       context = resolved.context;
       if (resolved.branch === "develop") {
         writeError("Pull request creation requires a source branch other than develop.");
+        return;
       }
+      const openBranch = resolved.branch;
       const result = await openPullRequest(
         resolved.context,
         resolved.repo,
         resolved.pat,
-        resolved.branch,
+        openBranch,
         title,
         description
       );
@@ -1898,19 +2668,20 @@ function createPrOpenCommand() {
       }
       if (result.created) {
         process.stdout.write(`Created pull request #${result.pullRequest.id}: ${result.pullRequest.title}
-${result.pullRequest.url}
+${result.pullRequest.url ?? "\u2014"}
 `);
         return;
       }
       process.stdout.write(
         `Active pull request already exists for ${resolved.branch} -> develop: #${result.pullRequest.id}
-${result.pullRequest.url}
+${result.pullRequest.url ?? "\u2014"}
 `
       );
     } catch (err) {
       if (err instanceof Error && err.message.startsWith("AMBIGUOUS_PRS:")) {
         const ids = err.message.replace("AMBIGUOUS_PRS:", "").split(",").map((id) => `#${id}`).join(", ");
         writeError(`Multiple active pull requests already exist for this branch targeting develop: ${ids}. Use pr status to review them.`);
+        return;
       }
       handlePrCommandError(err, context, "write");
     }
@@ -1918,34 +2689,66 @@ ${result.pullRequest.url}
   return command;
 }
 function createPrCommentsCommand() {
-  const command = new Command11("comments");
-  command.description("List active pull request comments for the current branch").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--json", "output JSON").action(async (options) => {
+  const command = new Command12("comments");
+  command.description("List pull request comment threads for the current branch").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--pr-number <N>", "target the pull request with this numeric id, instead of the current branch's PR").option("--hide-resolved", "hide threads whose status is resolved / won't fix / closed / by design").option("--json", "output JSON").action(async (options) => {
     validateOrgProjectPair(options);
     let context;
+    let explicitPrId = null;
+    if (options.prNumber !== void 0) {
+      explicitPrId = parsePositivePrNumber(options.prNumber);
+      if (explicitPrId === null) {
+        writeError(`Invalid --pr-number "${options.prNumber}"; expected a positive integer.`);
+        return;
+      }
+    }
     try {
-      const resolved = await resolvePrCommandContext(options);
+      const resolved = await resolvePrCommandContext(options, { requireBranch: explicitPrId === null });
       context = resolved.context;
-      const pullRequests = await listPullRequests(resolved.context, resolved.repo, resolved.pat, resolved.branch, {
-        status: "active"
-      });
-      if (pullRequests.length === 0) {
-        writeError(`No active pull request found for branch ${resolved.branch}.`);
-      }
-      if (pullRequests.length > 1) {
-        const ids = pullRequests.map((pullRequest2) => `#${pullRequest2.id}`).join(", ");
-        writeError(`Multiple active pull requests found for branch ${resolved.branch}: ${ids}. Use pr status to review them.`);
+      let pullRequest;
+      let branchLabel;
+      if (explicitPrId !== null) {
+        try {
+          pullRequest = await getPullRequestById(resolved.context, resolved.repo, resolved.pat, explicitPrId);
+        } catch (err) {
+          if (err instanceof Error && err.message.startsWith("NOT_FOUND")) {
+            writeError(`Pull request #${explicitPrId} not found in ${resolved.context.org}/${resolved.context.project}/${resolved.repo}.`);
+            return;
+          }
+          throw err;
+        }
+        branchLabel = resolved.branch ?? pullRequest.sourceRefName;
+      } else {
+        const pullRequests = await listPullRequests(resolved.context, resolved.repo, resolved.pat, resolved.branch, {
+          status: "active"
+        });
+        if (pullRequests.length === 0) {
+          writeError(`No active pull request found for branch ${resolved.branch}.`);
+          return;
+        }
+        if (pullRequests.length > 1) {
+          const ids = pullRequests.map((pr) => `#${pr.id}`).join(", ");
+          writeError(`Multiple active pull requests found for branch ${resolved.branch}: ${ids}. Use pr status to review them.`);
+          return;
+        }
+        pullRequest = pullRequests[0];
+        branchLabel = resolved.branch;
       }
-      const pullRequest = pullRequests[0];
-      const threads = await getPullRequestThreads(resolved.context, resolved.repo, resolved.pat, pullRequest.id);
-      const result = { branch: resolved.branch, pullRequest, threads };
+      const allThreads = await getPullRequestThreads(resolved.context, resolved.repo, resolved.pat, pullRequest.id);
+      const threads = options.hideResolved ? allThreads.filter((thread) => !isThreadResolved(thread.status)) : allThreads;
+      const result = { branch: branchLabel, pullRequest, threads };
       if (options.json) {
         process.stdout.write(`${JSON.stringify(result, null, 2)}
 `);
         return;
       }
       if (threads.length === 0) {
-        process.stdout.write(`Pull request #${pullRequest.id} has no active comments.
+        if (options.hideResolved && allThreads.length > 0) {
+          process.stdout.write(`Pull request #${pullRequest.id} has no unresolved comment threads (${allThreads.length} resolved thread${allThreads.length === 1 ? "" : "s"} hidden by --hide-resolved).
+`);
+        } else {
+          process.stdout.write(`Pull request #${pullRequest.id} has no comment threads.
 `);
+        }
         return;
       }
       process.stdout.write(`${formatThreads(pullRequest.id, pullRequest.title, threads)}
@@ -1956,17 +2759,136 @@ function createPrCommentsCommand() {
   });
   return command;
 }
+async function resolveThreadTarget(threadIdRaw, options) {
+  validateOrgProjectPair(options);
+  const threadId = parsePositivePrNumber(threadIdRaw);
+  if (threadId === null) {
+    writeError(`Invalid thread id "${threadIdRaw}"; expected a positive integer.`);
+    return null;
+  }
+  let explicitPrId = null;
+  if (options.prNumber !== void 0) {
+    explicitPrId = parsePositivePrNumber(options.prNumber);
+    if (explicitPrId === null) {
+      writeError(`Invalid --pr-number "${options.prNumber}"; expected a positive integer.`);
+      return null;
+    }
+  }
+  const resolved = await resolvePrCommandContext(options, { requireBranch: explicitPrId === null });
+  let pullRequest;
+  if (explicitPrId !== null) {
+    try {
+      pullRequest = await getPullRequestById(resolved.context, resolved.repo, resolved.pat, explicitPrId);
+    } catch (err) {
+      if (err instanceof Error && err.message.startsWith("NOT_FOUND")) {
+        writeError(`Pull request #${explicitPrId} not found in ${resolved.context.org}/${resolved.context.project}/${resolved.repo}.`);
+        return null;
+      }
+      throw err;
+    }
+  } else {
+    const pullRequests = await listPullRequests(resolved.context, resolved.repo, resolved.pat, resolved.branch, {
+      status: "active"
+    });
+    if (pullRequests.length === 0) {
+      writeError(`No active pull request found for branch ${resolved.branch}.`);
+      return null;
+    }
+    if (pullRequests.length > 1) {
+      const ids = pullRequests.map((pr) => `#${pr.id}`).join(", ");
+      writeError(`Multiple active pull requests found for branch ${resolved.branch}: ${ids}. Use pr status to review them.`);
+      return null;
+    }
+    pullRequest = pullRequests[0];
+  }
+  return { context: resolved.context, repo: resolved.repo, pat: resolved.pat, pullRequest, threadId };
+}
+async function runThreadStateChange(threadIdRaw, options, direction) {
+  let context;
+  try {
+    const target = await resolveThreadTarget(threadIdRaw, options);
+    if (target === null) {
+      return;
+    }
+    context = target.context;
+    const threads = await getPullRequestThreads(target.context, target.repo, target.pat, target.pullRequest.id);
+    const thread = threads.find((t) => t.id === target.threadId);
+    if (!thread) {
+      writeError(`Thread #${target.threadId} not found on pull request #${target.pullRequest.id}.`);
+      return;
+    }
+    const alreadyInTargetState = direction === "resolve" ? isThreadResolved(thread.status) : !isThreadResolved(thread.status);
+    const targetStatus = direction === "resolve" ? "fixed" : "active";
+    if (alreadyInTargetState) {
+      const humanLabel = direction === "resolve" ? "resolved" : "active";
+      const noopResult = {
+        pullRequestId: target.pullRequest.id,
+        threadId: target.threadId,
+        status: thread.status,
+        noop: true
+      };
+      if (options.json) {
+        process.stdout.write(`${JSON.stringify(noopResult, null, 2)}
+`);
+        return;
+      }
+      process.stdout.write(`Thread #${target.threadId} is already ${humanLabel} on pull request #${target.pullRequest.id} (current status: ${thread.status}).
+`);
+      return;
+    }
+    const updated = await patchThreadStatus(
+      target.context,
+      target.repo,
+      target.pat,
+      target.pullRequest.id,
+      target.threadId,
+      targetStatus
+    );
+    const result = {
+      pullRequestId: target.pullRequest.id,
+      threadId: target.threadId,
+      status: targetStatus,
+      noop: false
+    };
+    if (options.json) {
+      process.stdout.write(`${JSON.stringify(result, null, 2)}
+`);
+      return;
+    }
+    const verb = direction === "resolve" ? "resolved" : "reopened";
+    process.stdout.write(`Thread #${target.threadId} ${verb} on pull request #${target.pullRequest.id} (status: ${updated.status}).
+`);
+  } catch (err) {
+    handlePrCommandError(err, context, "write");
+  }
+}
+function createPrCommentResolveCommand() {
+  const command = new Command12("comment-resolve");
+  command.description("Mark a pull request comment thread as resolved").argument("<threadId>", "numeric id of the thread to resolve").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--pr-number <N>", "target the pull request with this numeric id, instead of the current branch's PR").option("--json", "output JSON").action(async (threadIdRaw, options) => {
+    await runThreadStateChange(threadIdRaw, options, "resolve");
+  });
+  return command;
+}
+function createPrCommentReopenCommand() {
+  const command = new Command12("comment-reopen");
+  command.description("Reopen (set to active) a previously resolved pull request comment thread").argument("<threadId>", "numeric id of the thread to reopen").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--pr-number <N>", "target the pull request with this numeric id, instead of the current branch's PR").option("--json", "output JSON").action(async (threadIdRaw, options) => {
+    await runThreadStateChange(threadIdRaw, options, "reopen");
+  });
+  return command;
+}
 function createPrCommand() {
-  const command = new Command11("pr");
+  const command = new Command12("pr");
   command.description("Manage Azure DevOps pull requests");
   command.addCommand(createPrStatusCommand());
   command.addCommand(createPrOpenCommand());
   command.addCommand(createPrCommentsCommand());
+  command.addCommand(createPrCommentResolveCommand());
+  command.addCommand(createPrCommentReopenCommand());
   return command;
 }
 
 // src/commands/comments.ts
-import { Command as Command12 } from "commander";
+import { Command as Command13 } from "commander";
 function writeError2(message) {
   process.stderr.write(`Error: ${message}
 `);
@@ -1977,22 +2899,23 @@ function formatCommentHeader(comment) {
   const timestamp = comment.modifiedAt ?? comment.createdAt ?? "Unknown time";
   return `Comment #${comment.id} by ${author} at ${timestamp}`;
 }
-function formatComments(result) {
+function formatComments(result, convertMarkdown) {
   const lines = [`Comments for work item #${result.workItemId}`];
   for (const comment of result.comments) {
-    lines.push("", formatCommentHeader(comment), comment.text);
+    const text = convertMarkdown ? toMarkdown(comment.text) : comment.text;
+    lines.push("", formatCommentHeader(comment), text);
   }
   return lines.join("\n");
 }
 function createCommentsListCommand() {
-  const command = new Command12("list");
-  command.description("List visible comments for a work item").argument("<id>", "work item ID").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--json", "output JSON").action(async (idStr, options) => {
+  const command = new Command13("list");
+  command.description("List visible comments for a work item").argument("<id>", "work item ID").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--json", "output JSON").option("--markdown", "convert HTML comment bodies to markdown").action(async (idStr, options) => {
     validateOrgProjectPair(options);
     const id = parseWorkItemId(idStr);
     let context;
     try {
       context = resolveContext(options);
-      const credential = await resolvePat();
+      const credential = await requirePat(context.org);
       const result = await listWorkItemComments(context, id, credential.pat);
       if (options.json) {
         process.stdout.write(`${JSON.stringify(result, null, 2)}
@@ -2004,7 +2927,7 @@ function createCommentsListCommand() {
 `);
         return;
       }
-      process.stdout.write(`${formatComments(result)}
+      process.stdout.write(`${formatComments(result, options.markdown === true)}
 `);
     } catch (err) {
       handleCommandError(err, id, context, "read");
@@ -2013,8 +2936,8 @@ function createCommentsListCommand() {
   return command;
 }
 function createCommentsAddCommand() {
-  const command = new Command12("add");
-  command.description("Add a comment to a work item").argument("<id>", "work item ID").argument("<text>", "comment text").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--json", "output JSON").action(async (idStr, text, options) => {
+  const command = new Command13("add");
+  command.description("Add a comment to a work item").argument("<id>", "work item ID").argument("<text>", "comment text").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--json", "output JSON").option("--markdown", "post comment as markdown").action(async (idStr, text, options) => {
     validateOrgProjectPair(options);
     const id = parseWorkItemId(idStr);
     if (text.trim() === "") {
@@ -2023,8 +2946,9 @@ function createCommentsAddCommand() {
     let context;
     try {
       context = resolveContext(options);
-      const credential = await resolvePat();
-      const result = await addWorkItemComment(context, id, credential.pat, text);
+      const credential = await requirePat(context.org);
+      const format = options.markdown === true ? "markdown" : "html";
+      const result = await addWorkItemComment(context, id, credential.pat, text, format);
       if (options.json) {
         process.stdout.write(`${JSON.stringify(result, null, 2)}
 `);
@@ -2039,17 +2963,65 @@ function createCommentsAddCommand() {
   return command;
 }
 function createCommentsCommand() {
-  const command = new Command12("comments");
+  const command = new Command13("comments");
   command.description("Manage Azure DevOps work item comments");
   command.addCommand(createCommentsListCommand());
   command.addCommand(createCommentsAddCommand());
   return command;
 }
 
+// src/commands/download-attachment.ts
+import { Command as Command14 } from "commander";
+import { writeFile } from "fs/promises";
+import { existsSync as existsSync4 } from "fs";
+import { join as join2 } from "path";
+function createDownloadAttachmentCommand() {
+  const command = new Command14("download-attachment");
+  command.description("Download an attachment from an Azure DevOps work item").argument("<id>", "work item ID").argument("<filename>", "name of the attachment to download").option("--org <org>", "Azure DevOps organization").option("--project <project>", "Azure DevOps project").option("--output <dir>", "target directory for the downloaded file").action(
+    async (idStr, filename, options) => {
+      const id = parseWorkItemId(idStr);
+      validateOrgProjectPair(options);
+      let context;
+      try {
+        context = resolveContext(options);
+        const credential = await requirePat(context.org);
+        const outputDir = options.output ?? ".";
+        if (!existsSync4(outputDir)) {
+          process.stderr.write(`Error: Output directory "${outputDir}" does not exist.
+`);
+          process.exit(1);
+        }
+        const workItem = await getWorkItem(context, id, credential.pat);
+        const attachment = workItem.attachments?.find(
+          (a) => a.name === filename
+        );
+        if (!attachment) {
+          process.stderr.write(
+            `Error: Attachment "${filename}" not found on work item ${id}.
+`
+          );
+          process.exit(1);
+        }
+        const data = await downloadAttachment(attachment.url, credential.pat);
+        const outputPath = join2(outputDir, filename);
+        await writeFile(outputPath, Buffer.from(data));
+        process.stdout.write(
+          `Downloaded "${filename}" (${formatFileSize(attachment.size)}) to ${outputPath}
+`
+        );
+      } catch (err) {
+        handleCommandError(err, id, context, "read", false);
+      }
+    }
+  );
+  return command;
+}
+
 // src/index.ts
-var program = new Command13();
+var program = new Command15();
 program.name("azdo").description("Azure DevOps CLI tool").version(version, "-v, --version");
 program.addCommand(createGetItemCommand());
+program.addCommand(createAuthCommand());
 program.addCommand(createClearPatCommand());
 program.addCommand(createConfigCommand());
 program.addCommand(createSetStateCommand());
@@ -2061,6 +3033,7 @@ program.addCommand(createUpsertCommand());
 program.addCommand(createListFieldsCommand());
 program.addCommand(createPrCommand());
 program.addCommand(createCommentsCommand());
+program.addCommand(createDownloadAttachmentCommand());
 program.showHelpAfterError();
 program.parse();
 if (process.argv.length <= 2) {