mobbdev 0.0.74 → 0.0.77

package/dist/index.mjs

@@ -14,6 +14,7 @@ import { hideBin } from "yargs/helpers";
 
 // src/types.ts
 var mobbCliCommand = {
+  addScmToken: "add-scm-token",
   scan: "scan",
   analyze: "analyze",
   review: "review"
@@ -24,7 +25,11 @@ import chalk9 from "chalk";
 import yargs from "yargs/yargs";
 
 // src/args/commands/analyze.ts
+import fs5 from "node:fs";
+
+// src/commands/index.ts
 import fs4 from "node:fs";
+import path7 from "node:path";
 
 // src/constants.ts
 import path from "node:path";
@@ -36,6 +41,11 @@ import { z } from "zod";
 var debug = Debug("mobbdev:constants");
 var __dirname = path.dirname(fileURLToPath(import.meta.url));
 dotenv.config({ path: path.join(__dirname, "../.env") });
+var ScmTypes = {
+  Github: "GitHub",
+  Gitlab: "GitLab",
+  AzureDevOps: "Ado"
+};
 var SCANNERS = {
   Checkmarx: "checkmarx",
   Codeql: "codeql",
@@ -83,7 +93,16 @@ var API_URL = envVariables.API_URL;
 var errorMessages = {
   missingCxProjectName: `project name ${chalk.bold(
     "(--cx-project-name)"
-  )} is needed if you're using checkmarx`
+  )} is needed if you're using checkmarx`,
+  missingScmType: `SCM type ${chalk.bold(
+    "(--scm-type)"
+  )} is needed if you're adding an SCM token`,
+  invalidScmType: `SCM type ${chalk.bold(
+    "(--scm-type)"
+  )} is invalid, please use one of: ${Object.values(ScmTypes).join(", ")}`,
+  missingToken: `SCM token ${chalk.bold(
+    "(--token)"
+  )} is needed if you're adding an SCM token`
 };
 
 // src/features/analysis/index.ts
@@ -163,7 +182,7 @@ import fetch3 from "node-fetch";
 import open2 from "open";
 import semver from "semver";
 import tmp2 from "tmp";
-import { z as z9 } from "zod";
+import { z as z10 } from "zod";
 
 // src/features/analysis/git.ts
 import Debug2 from "debug";
@@ -216,6 +235,28 @@ import { v4 as uuidv4 } from "uuid";
 
 // src/features/analysis/graphql/mutations.ts
 import { gql } from "graphql-request";
+var UPDATE_SCM_TOKEN = gql`
+  mutation updateScmToken(
+    $type: ScmType!
+    $token: String!
+    $org: String
+    $username: String
+    $refreshToken: String
+  ) {
+    updateScmToken(
+      type: $type
+      token: $token
+      org: $org
+      username: $username
+      refreshToken: $refreshToken
+    ) {
+      id
+      adoAccessToken
+      gitlabAccessToken
+      gitHubAccessToken
+    }
+  }
+`;
 var UPLOAD_S3_BUCKET_INFO = gql`
   mutation uploadS3BucketInfo($fileName: String!) {
     uploadS3BucketInfo(fileName: $fileName) {
@@ -329,6 +370,8 @@ var ME = gql2`
       email
       githubToken
       gitlabToken
+      adoToken
+      adoOrg
     }
   }
 `;
@@ -520,6 +563,14 @@ function subscribe(query, variables, callback, wsClientOptions) {
 
 // src/features/analysis/graphql/types.ts
 import { z as z2 } from "zod";
+var UpdateScmTokenZ = z2.object({
+  updateScmToken: z2.object({
+    id: z2.string(),
+    gitHubAccessToken: z2.string().nullable(),
+    gitlabAccessToken: z2.string().nullable(),
+    adoAccessToken: z2.string().nullable()
+  })
+});
 var UploadFieldsZ = z2.object({
   bucket: z2.string(),
   "X-Amz-Algorithm": z2.string(),
@@ -751,6 +802,17 @@ var GQLClient = class {
       debug3("create community user failed %o", e);
     }
   }
+  async updateScmToken(args) {
+    const { type: type2, token, org, username, refreshToken } = args;
+    const updateScmTokenResult = await this._client.request(UPDATE_SCM_TOKEN, {
+      type: type2,
+      token,
+      org,
+      username,
+      refreshToken
+    });
+    return UpdateScmTokenZ.parse(updateScmTokenResult);
+  }
   async uploadS3BucketInfo() {
     const uploadS3BucketInfoResult = await this._client.request(UPLOAD_S3_BUCKET_INFO, {
       fileName: "report.json"
@@ -902,20 +964,16 @@ var GQLClient = class {
 // src/features/analysis/handle_finished_analysis.ts
 import Debug4 from "debug";
 import parseDiff from "parse-diff";
-import { z as z8 } from "zod";
-
-// src/features/analysis/scm/constants.ts
-var MOBB_ICON_IMG = "https://svgshare.com/i/12DK.svg";
-var COMMIT_FIX_SVG = `https://app.mobb.ai/gh-action/commit-button.svg`;
+import { z as z9 } from "zod";
 
-// src/features/analysis/scm/gitlab.ts
-import querystring from "node:querystring";
-import { Gitlab } from "@gitbeaker/rest";
-import { z as z7 } from "zod";
+// src/features/analysis/scm/ado.ts
+import querystring2 from "node:querystring";
+import * as api from "azure-devops-node-api";
+import { z as z8 } from "zod";
 
 // src/features/analysis/scm/scm.ts
 import { Octokit as Octokit2 } from "@octokit/core";
-import { z as z6 } from "zod";
+import { z as z7 } from "zod";
 
 // src/features/analysis/scm/github/encryptSecret.ts
 import sodium from "libsodium-wrappers";
@@ -934,12 +992,22 @@ import { z as z3 } from "zod";
 
 // src/features/analysis/scm/urlParser.ts
 var pathnameParsingMap = {
+  "dev.azure.com": (pathname) => {
+    if (pathname.length < 2)
+      return null;
+    return {
+      organization: pathname[0],
+      repoName: pathname[pathname.length - 1],
+      projectName: pathname[1]
+    };
+  },
   "gitlab.com": (pathname) => {
     if (pathname.length < 2)
       return null;
     return {
       organization: pathname[0],
-      repoName: pathname[pathname.length - 1]
+      repoName: pathname[pathname.length - 1],
+      projectName: void 0
     };
   },
   "github.com": (pathname) => {
@@ -947,7 +1015,8 @@ var pathnameParsingMap = {
       return null;
     return {
       organization: pathname[0],
-      repoName: pathname[1]
+      repoName: pathname[1],
+      projectName: void 0
     };
   }
 };
@@ -964,7 +1033,7 @@ var parseScmURL = (scmURL) => {
     );
     if (!repo)
       return null;
-    const { organization, repoName } = repo;
+    const { organization, repoName, projectName } = repo;
     if (!organization || !repoName)
       return null;
     if (!organization.match(NAME_REGEX) || !repoName.match(NAME_REGEX))
@@ -973,7 +1042,9 @@ var parseScmURL = (scmURL) => {
       hostname: url.hostname,
       organization,
       projectPath,
-      repoName
+      repoName,
+      projectName,
+      pathElements: projectPath.split("/")
     };
   } catch (e) {
     return null;
@@ -1034,7 +1105,7 @@ async function githubValidateParams(url, accessToken) {
       await oktoKit.rest.users.getAuthenticated();
     }
     if (url) {
-      const { owner, repo } = parseOwnerAndRepo(url);
+      const { owner, repo } = parseGithubOwnerAndRepo(url);
       await oktoKit.rest.repos.get({ repo, owner });
     }
   } catch (e) {
@@ -1056,7 +1127,7 @@ async function getGithubUsername(accessToken) {
 }
 async function getGithubIsUserCollaborator(username, accessToken, repoUrl) {
   try {
-    const { owner, repo } = parseOwnerAndRepo(repoUrl);
+    const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
     const oktoKit = getOktoKit({ githubAuthToken: accessToken });
     const res = await oktoKit.rest.repos.checkCollaborator({
       owner,
@@ -1072,7 +1143,7 @@ async function getGithubIsUserCollaborator(username, accessToken, repoUrl) {
   return false;
 }
 async function getGithubPullRequestStatus(accessToken, repoUrl, prNumber) {
-  const { owner, repo } = parseOwnerAndRepo(repoUrl);
+  const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
   const oktoKit = getOktoKit({ githubAuthToken: accessToken });
   const res = await oktoKit.rest.pulls.get({
     owner,
@@ -1088,7 +1159,7 @@ async function getGithubPullRequestStatus(accessToken, repoUrl, prNumber) {
   return res.data.state;
 }
 async function getGithubIsRemoteBranch(accessToken, repoUrl, branch) {
-  const { owner, repo } = parseOwnerAndRepo(repoUrl);
+  const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
   const oktoKit = getOktoKit({ githubAuthToken: accessToken });
   try {
     const res = await oktoKit.rest.repos.getBranch({
@@ -1132,7 +1203,7 @@ async function getGithubRepoList(accessToken) {
   }
 }
 async function getGithubBranchList(accessToken, repoUrl) {
-  const { owner, repo } = parseOwnerAndRepo(repoUrl);
+  const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
   const oktoKit = getOktoKit({ githubAuthToken: accessToken });
   const res = await oktoKit.rest.repos.listBranches({
     owner,
@@ -1143,7 +1214,7 @@ async function getGithubBranchList(accessToken, repoUrl) {
   return res.data.map((branch) => branch.name);
 }
 async function createPullRequest(options) {
-  const { owner, repo } = parseOwnerAndRepo(options.repoUrl);
+  const { owner, repo } = parseGithubOwnerAndRepo(options.repoUrl);
   const oktoKit = getOktoKit({ githubAuthToken: options.accessToken });
   const res = await oktoKit.rest.pulls.create({
     owner,
@@ -1158,7 +1229,7 @@ async function createPullRequest(options) {
   return res.data.number;
 }
 async function forkRepo(options) {
-  const { owner, repo } = parseOwnerAndRepo(options.repoUrl);
+  const { owner, repo } = parseGithubOwnerAndRepo(options.repoUrl);
   const oktoKit = getOktoKit({ githubAuthToken: options.accessToken });
   const res = await oktoKit.rest.repos.createFork({
     owner,
@@ -1178,11 +1249,11 @@ async function getRepos(oktoKit) {
 }
 async function getGithubRepoDefaultBranch(repoUrl, options) {
   const oktoKit = getOktoKit(options);
-  const { owner, repo } = parseOwnerAndRepo(repoUrl);
+  const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
   return (await oktoKit.rest.repos.get({ repo, owner })).data.default_branch;
 }
 async function getGithubReferenceData({ ref, gitHubUrl }, options) {
-  const { owner, repo } = parseOwnerAndRepo(gitHubUrl);
+  const { owner, repo } = parseGithubOwnerAndRepo(gitHubUrl);
   let res;
   try {
     const oktoKit = getOktoKit(options);
@@ -1257,7 +1328,7 @@ async function getCommit({
     commit_sha: commitSha
   });
 }
-function parseOwnerAndRepo(gitHubUrl) {
+function parseGithubOwnerAndRepo(gitHubUrl) {
   gitHubUrl = removeTrailingSlash(gitHubUrl);
   const parsingResult = parseScmURL(gitHubUrl);
   if (!parsingResult || parsingResult.hostname !== "github.com") {
@@ -1291,12 +1362,12 @@ async function queryGithubGraphql(query, variables, options) {
     throw e;
   }
 }
-async function getGithubBlameRanges({ ref, gitHubUrl, path: path8 }, options) {
-  const { owner, repo } = parseOwnerAndRepo(gitHubUrl);
+async function getGithubBlameRanges({ ref, gitHubUrl, path: path9 }, options) {
+  const { owner, repo } = parseGithubOwnerAndRepo(gitHubUrl);
   const variables = {
     owner,
     repo,
-    path: path8,
+    path: path9,
     ref
   };
   const res = await queryGithubGraphql(
@@ -1323,8 +1394,8 @@ async function createPr({
   body
 }, options) {
   const oktoKit = getOktoKit(options);
-  const { owner: sourceOwner, repo: sourceRepo } = parseOwnerAndRepo(sourceRepoUrl);
-  const { owner, repo } = parseOwnerAndRepo(userRepoUrl);
+  const { owner: sourceOwner, repo: sourceRepo } = parseGithubOwnerAndRepo(sourceRepoUrl);
+  const { owner, repo } = parseGithubOwnerAndRepo(userRepoUrl);
   const [sourceFilePath, secondFilePath] = filesPaths;
   const sourceFileContentResponse = await oktoKit.rest.repos.getContent({
     owner: sourceOwner,
@@ -1445,83 +1516,326 @@ function getARepositoryPublicKey(client, params) {
   return client.request(GET_A_REPOSITORY_PUBLIC_KEY, params);
 }
 
+// src/features/analysis/scm/gitlab.ts
+import querystring from "node:querystring";
+import { Gitlab } from "@gitbeaker/rest";
+import { z as z4 } from "zod";
+function removeTrailingSlash2(str) {
+  return str.trim().replace(/\/+$/, "");
+}
+var EnvVariablesZod2 = z4.object({
+  GITLAB_API_TOKEN: z4.string().optional()
+});
+var { GITLAB_API_TOKEN } = EnvVariablesZod2.parse(process.env);
+function getGitBeaker(options) {
+  const token = options?.gitlabAuthToken ?? GITLAB_API_TOKEN ?? "";
+  if (token?.startsWith("glpat-") || token === "") {
+    return new Gitlab({ token });
+  }
+  return new Gitlab({ oauthToken: token });
+}
+async function gitlabValidateParams({
+  url,
+  accessToken
+}) {
+  try {
+    const api2 = getGitBeaker({ gitlabAuthToken: accessToken });
+    if (accessToken) {
+      await api2.Users.showCurrentUser();
+    }
+    if (url) {
+      const { projectPath } = parseGitlabOwnerAndRepo(url);
+      await api2.Projects.show(projectPath);
+    }
+  } catch (e) {
+    const error = e;
+    const code = error.code || error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
+    const description = error.description || `${e}`;
+    if (code === 401 || code === 403 || description.includes("401") || description.includes("403")) {
+      throw new InvalidAccessTokenError(`invalid gitlab access token`);
+    }
+    if (code === 404 || description.includes("404") || description.includes("Not Found")) {
+      throw new InvalidRepoUrlError(`invalid gitlab repo URL: ${url}`);
+    }
+    throw e;
+  }
+}
+async function getGitlabUsername(accessToken) {
+  const api2 = getGitBeaker({ gitlabAuthToken: accessToken });
+  const res = await api2.Users.showCurrentUser();
+  return res.username;
+}
+async function getGitlabIsUserCollaborator({
+  username,
+  accessToken,
+  repoUrl
+}) {
+  try {
+    const { projectPath } = parseGitlabOwnerAndRepo(repoUrl);
+    const api2 = getGitBeaker({ gitlabAuthToken: accessToken });
+    const res = await api2.Projects.show(projectPath);
+    const members = await api2.ProjectMembers.all(res.id, {
+      includeInherited: true
+    });
+    return !!members.find((member) => member.username === username);
+  } catch (e) {
+    return false;
+  }
+}
+async function getGitlabMergeRequestStatus({
+  accessToken,
+  repoUrl,
+  mrNumber
+}) {
+  const { projectPath } = parseGitlabOwnerAndRepo(repoUrl);
+  const api2 = getGitBeaker({ gitlabAuthToken: accessToken });
+  const res = await api2.MergeRequests.show(projectPath, mrNumber);
+  switch (res.state) {
+    case "merged" /* merged */:
+    case "opened" /* opened */:
+    case "closed" /* closed */:
+      return res.state;
+    default:
+      throw new Error(`unknown merge request state ${res.state}`);
+  }
+}
+async function getGitlabIsRemoteBranch({
+  accessToken,
+  repoUrl,
+  branch
+}) {
+  const { projectPath } = parseGitlabOwnerAndRepo(repoUrl);
+  const api2 = getGitBeaker({ gitlabAuthToken: accessToken });
+  try {
+    const res = await api2.Branches.show(projectPath, branch);
+    return res.name === branch;
+  } catch (e) {
+    return false;
+  }
+}
+async function getGitlabRepoList(accessToken) {
+  const api2 = getGitBeaker({ gitlabAuthToken: accessToken });
+  const res = await api2.Projects.all({
+    membership: true,
+    //TODO: a bug in the sorting mechanism of this api call
+    //disallows us to sort by updated_at in descending order
+    //so we have to sort by updated_at in ascending order.
+    //We can wait for the bug to be fixed or call the api
+    //directly with fetch()
+    sort: "asc",
+    orderBy: "updated_at",
+    perPage: 100
+  });
+  return Promise.all(
+    res.map(async (project) => {
+      const proj = await api2.Projects.show(project.id);
+      const owner = proj.namespace.name;
+      const repoLanguages = await api2.Projects.showLanguages(project.id);
+      return {
+        repoName: project.path,
+        repoUrl: project.web_url,
+        repoOwner: owner,
+        repoLanguages: Object.keys(repoLanguages),
+        repoIsPublic: project.visibility === "public",
+        repoUpdatedAt: project.last_activity_at
+      };
+    })
+  );
+}
+async function getGitlabBranchList({
+  accessToken,
+  repoUrl
+}) {
+  const { projectPath } = parseGitlabOwnerAndRepo(repoUrl);
+  const api2 = getGitBeaker({ gitlabAuthToken: accessToken });
+  try {
+    const res = await api2.Branches.all(projectPath, {
+      perPage: 100,
+      pagination: "keyset",
+      orderBy: "updated_at",
+      sort: "dec"
+    });
+    return res.map((branch) => branch.name);
+  } catch (e) {
+    return [];
+  }
+}
+async function createMergeRequest(options) {
+  const { projectPath } = parseGitlabOwnerAndRepo(options.repoUrl);
+  const api2 = getGitBeaker({ gitlabAuthToken: options.accessToken });
+  const res = await api2.MergeRequests.create(
+    projectPath,
+    options.sourceBranchName,
+    options.targetBranchName,
+    options.title,
+    {
+      description: options.body
+    }
+  );
+  return res.iid;
+}
+async function getGitlabRepoDefaultBranch(repoUrl, options) {
+  const api2 = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
+  const { projectPath } = parseGitlabOwnerAndRepo(repoUrl);
+  const project = await api2.Projects.show(projectPath);
+  if (!project.default_branch) {
+    throw new Error("no default branch");
+  }
+  return project.default_branch;
+}
+async function getGitlabReferenceData({ ref, gitlabUrl }, options) {
+  const { projectPath } = parseGitlabOwnerAndRepo(gitlabUrl);
+  const api2 = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
+  const results = await Promise.allSettled([
+    (async () => {
+      const res = await api2.Branches.show(projectPath, ref);
+      return {
+        sha: res.commit.id,
+        type: "BRANCH" /* BRANCH */,
+        date: res.commit.committed_date ? new Date(res.commit.committed_date) : void 0
+      };
+    })(),
+    (async () => {
+      const res = await api2.Commits.show(projectPath, ref);
+      return {
+        sha: res.id,
+        type: "COMMIT" /* COMMIT */,
+        date: res.committed_date ? new Date(res.committed_date) : void 0
+      };
+    })(),
+    (async () => {
+      const res = await api2.Tags.show(projectPath, ref);
+      return {
+        sha: res.commit.id,
+        type: "TAG" /* TAG */,
+        date: res.commit.committed_date ? new Date(res.commit.committed_date) : void 0
+      };
+    })()
+  ]);
+  const [branchRes, commitRes, tagRes] = results;
+  if (tagRes.status === "fulfilled") {
+    return tagRes.value;
+  }
+  if (branchRes.status === "fulfilled") {
+    return branchRes.value;
+  }
+  if (commitRes.status === "fulfilled") {
+    return commitRes.value;
+  }
+  throw new RefNotFoundError(`ref: ${ref} does not exist`);
+}
+function parseGitlabOwnerAndRepo(gitlabUrl) {
+  gitlabUrl = removeTrailingSlash2(gitlabUrl);
+  const parsingResult = parseScmURL(gitlabUrl);
+  if (!parsingResult || parsingResult.hostname !== "gitlab.com") {
+    throw new InvalidUrlPatternError(`invalid gitlab repo Url ${gitlabUrl}`);
+  }
+  const { organization, repoName, projectPath } = parsingResult;
+  return { owner: organization, repo: repoName, projectPath };
+}
+async function getGitlabBlameRanges({ ref, gitlabUrl, path: path9 }, options) {
+  const { projectPath } = parseGitlabOwnerAndRepo(gitlabUrl);
+  const api2 = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
+  const resp = await api2.RepositoryFiles.allFileBlames(projectPath, path9, ref);
+  let lineNumber = 1;
+  return resp.filter((range) => range.lines).map((range) => {
+    const oldLineNumber = lineNumber;
+    if (!range.lines) {
+      throw new Error("range.lines should not be undefined");
+    }
+    lineNumber += range.lines.length;
+    return {
+      startingLine: oldLineNumber,
+      endingLine: lineNumber - 1,
+      login: range.commit.author_email,
+      email: range.commit.author_email,
+      name: range.commit.author_name
+    };
+  });
+}
+var GitlabAuthResultZ = z4.object({
+  access_token: z4.string(),
+  token_type: z4.string(),
+  refresh_token: z4.string()
+});
+
 // src/features/analysis/scm/scmSubmit/index.ts
 import fs from "node:fs/promises";
 import os from "os";
 import path3 from "path";
 import { simpleGit as simpleGit2 } from "simple-git";
 import tmp from "tmp";
-import { z as z5 } from "zod";
+import { z as z6 } from "zod";
 
 // src/features/analysis/scm/scmSubmit/types.ts
-import { z as z4 } from "zod";
-var BaseSubmitToScmMessageZ = z4.object({
-  submitFixRequestId: z4.string().uuid(),
-  fixes: z4.array(
-    z4.object({
-      fixId: z4.string().uuid(),
-      diff: z4.string()
+import { z as z5 } from "zod";
+var BaseSubmitToScmMessageZ = z5.object({
+  submitFixRequestId: z5.string().uuid(),
+  fixes: z5.array(
+    z5.object({
+      fixId: z5.string().uuid(),
+      diff: z5.string()
     })
   ),
-  commitHash: z4.string(),
-  repoUrl: z4.string()
+  commitHash: z5.string(),
+  repoUrl: z5.string()
 });
 var submitToScmMessageType = {
   commitToSameBranch: "commitToSameBranch",
   submitFixesForDifferentBranch: "submitFixesForDifferentBranch"
 };
 var CommitToSameBranchParamsZ = BaseSubmitToScmMessageZ.merge(
-  z4.object({
-    type: z4.literal(submitToScmMessageType.commitToSameBranch),
-    branch: z4.string(),
-    commitMessage: z4.string(),
-    commitDescription: z4.string().nullish(),
-    githubCommentId: z4.number().nullish()
+  z5.object({
+    type: z5.literal(submitToScmMessageType.commitToSameBranch),
+    branch: z5.string(),
+    commitMessage: z5.string(),
+    commitDescription: z5.string().nullish(),
+    githubCommentId: z5.number().nullish()
   })
 );
-var SubmitFixesToDifferentBranchParamsZ = z4.object({
-  type: z4.literal(submitToScmMessageType.submitFixesForDifferentBranch),
-  submitBranch: z4.string(),
-  baseBranch: z4.string()
+var SubmitFixesToDifferentBranchParamsZ = z5.object({
+  type: z5.literal(submitToScmMessageType.submitFixesForDifferentBranch),
+  submitBranch: z5.string(),
+  baseBranch: z5.string()
 }).merge(BaseSubmitToScmMessageZ);
-var SubmitFixesMessageZ = z4.union([
+var SubmitFixesMessageZ = z5.union([
   CommitToSameBranchParamsZ,
   SubmitFixesToDifferentBranchParamsZ
 ]);
-var FixResponseArrayZ = z4.array(
-  z4.object({
-    fixId: z4.string().uuid()
+var FixResponseArrayZ = z5.array(
+  z5.object({
+    fixId: z5.string().uuid()
   })
 );
-var SubmitFixesBaseResponseMessageZ = z4.object({
-  submitFixRequestId: z4.string().uuid(),
-  submitBranches: z4.array(
-    z4.object({
-      branchName: z4.string(),
+var SubmitFixesBaseResponseMessageZ = z5.object({
+  submitFixRequestId: z5.string().uuid(),
+  submitBranches: z5.array(
+    z5.object({
+      branchName: z5.string(),
       fixes: FixResponseArrayZ
     })
   ),
-  error: z4.object({
-    type: z4.enum([
+  error: z5.object({
+    type: z5.enum([
       "InitialRepoAccessError",
       "PushBranchError",
       "UnknownError"
     ]),
-    info: z4.object({
-      message: z4.string(),
-      pushBranchName: z4.string().optional()
+    info: z5.object({
+      message: z5.string(),
+      pushBranchName: z5.string().optional()
     })
   }).optional()
 });
-var SubmitFixesToSameBranchResponseMessageZ = z4.object({
-  type: z4.literal(submitToScmMessageType.commitToSameBranch),
-  githubCommentId: z4.number().nullish()
+var SubmitFixesToSameBranchResponseMessageZ = z5.object({
+  type: z5.literal(submitToScmMessageType.commitToSameBranch),
+  githubCommentId: z5.number().nullish()
 }).merge(SubmitFixesBaseResponseMessageZ);
-var SubmitFixesToDifferentBranchResponseMessageZ = z4.object({
-  type: z4.literal(submitToScmMessageType.submitFixesForDifferentBranch),
-  githubCommentId: z4.number().optional()
+var SubmitFixesToDifferentBranchResponseMessageZ = z5.object({
+  type: z5.literal(submitToScmMessageType.submitFixesForDifferentBranch),
+  githubCommentId: z5.number().optional()
 }).merge(SubmitFixesBaseResponseMessageZ);
-var SubmitFixeResponseMessageZ = z4.discriminatedUnion("type", [
+var SubmitFixesResponseMessageZ = z5.discriminatedUnion("type", [
   SubmitFixesToSameBranchResponseMessageZ,
   SubmitFixesToDifferentBranchResponseMessageZ
 ]);
@@ -1539,7 +1853,7 @@ var isValidBranchName = async (branchName) => {
     return false;
   }
 };
-var FixesZ = z5.array(z5.object({ fixId: z5.string(), diff: z5.string() })).nonempty();
+var FixesZ = z6.array(z6.object({ fixId: z6.string(), diff: z6.string() })).nonempty();
 
 // src/features/analysis/scm/scm.ts
 function getScmLibTypeFromUrl(url) {
@@ -1552,19 +1866,25 @@ function getScmLibTypeFromUrl(url) {
   if (url.toLowerCase().startsWith("https://github.com/")) {
     return "GITHUB" /* GITHUB */;
   }
+  if (url.toLowerCase().startsWith("https://dev.azure.com/")) {
+    return "ADO" /* ADO */;
+  }
   return void 0;
 }
 async function scmCanReachRepo({
   repoUrl,
   githubToken,
-  gitlabToken
+  gitlabToken,
+  adoToken,
+  scmOrg
 }) {
   try {
     const scmLibType = getScmLibTypeFromUrl(repoUrl);
     await SCMLib.init({
       url: repoUrl,
-      accessToken: scmLibType === "GITHUB" /* GITHUB */ ? githubToken : scmLibType === "GITLAB" /* GITLAB */ ? gitlabToken : "",
-      scmType: scmLibType
+      accessToken: scmLibType === "GITHUB" /* GITHUB */ ? githubToken : scmLibType === "GITLAB" /* GITLAB */ ? gitlabToken : scmLibType === "ADO" /* ADO */ ? adoToken : "",
+      scmType: scmLibType,
+      scmOrg
     });
     return true;
   } catch (e) {
@@ -1597,11 +1917,13 @@ var RepoNoTokenAccessError = class extends Error {
   }
 };
 var SCMLib = class {
-  constructor(url, accessToken) {
+  constructor(url, accessToken, scmOrg) {
     __publicField(this, "url");
     __publicField(this, "accessToken");
+    __publicField(this, "scmOrg");
     this.accessToken = accessToken;
     this.url = url;
+    this.scmOrg = scmOrg;
   }
   async getUrlWithCredentials() {
     if (!this.url) {
@@ -1612,9 +1934,13 @@ var SCMLib = class {
     if (!this.accessToken) {
       return trimmedUrl;
     }
-    const username = await this._getUsernameForAuthUrl();
+    const scmLibType = getScmLibTypeFromUrl(trimmedUrl);
+    if (scmLibType === "ADO" /* ADO */) {
+      return `https://${this.accessToken}@${trimmedUrl.toLowerCase().replace("https://", "")}`;
+    }
     const is_http = trimmedUrl.toLowerCase().startsWith("http://");
     const is_https = trimmedUrl.toLowerCase().startsWith("https://");
+    const username = await this._getUsernameForAuthUrl();
     if (is_http) {
       return `http://${username}:${this.accessToken}@${trimmedUrl.toLowerCase().replace("http://", "")}`;
     } else if (is_https) {
@@ -1642,7 +1968,8 @@ var SCMLib = class {
   static async init({
     url,
     accessToken,
-    scmType
+    scmType,
+    scmOrg
   }) {
     let trimmedUrl = void 0;
     if (url) {
@@ -1650,12 +1977,17 @@ var SCMLib = class {
     }
     try {
       if ("GITHUB" /* GITHUB */ === scmType) {
-        const scm = new GithubSCMLib(trimmedUrl, accessToken);
+        const scm = new GithubSCMLib(trimmedUrl, accessToken, scmOrg);
         await scm.validateParams();
         return scm;
       }
       if ("GITLAB" /* GITLAB */ === scmType) {
-        const scm = new GitlabSCMLib(trimmedUrl, accessToken);
+        const scm = new GitlabSCMLib(trimmedUrl, accessToken, scmOrg);
+        await scm.validateParams();
+        return scm;
+      }
+      if ("ADO" /* ADO */ === scmType) {
+        const scm = new AdoSCMLib(trimmedUrl, accessToken, scmOrg);
         await scm.validateParams();
         return scm;
       }
@@ -1664,7 +1996,170 @@ var SCMLib = class {
         throw new RepoNoTokenAccessError("no access to repo");
       }
     }
-    return new StubSCMLib(trimmedUrl);
+    return new StubSCMLib(trimmedUrl, void 0, void 0);
+  }
+};
+var AdoSCMLib = class extends SCMLib {
+  updatePrComment(_params, _oktokit) {
+    throw new Error("updatePrComment not implemented.");
+  }
+  getPrComment(_commentId) {
+    throw new Error("getPrComment not implemented.");
+  }
+  async forkRepo() {
+    throw new Error("forkRepo not supported yet");
+  }
+  async createOrUpdateRepositorySecret() {
+    throw new Error("createOrUpdateRepositorySecret not supported yet");
+  }
+  async createPullRequestWithNewFile(_sourceRepoUrl, _filesPaths, _userRepoUrl, _title, _body) {
+    throw new Error("createPullRequestWithNewFile not supported yet");
+  }
+  async createSubmitRequest(targetBranchName, sourceBranchName, title, body) {
+    if (!this.accessToken || !this.url) {
+      console.error("no access token or no url");
+      throw new Error("no access token or no url");
+    }
+    return String(
+      await createAdoPullRequest({
+        title,
+        body,
+        targetBranchName,
+        sourceBranchName,
+        repoUrl: this.url,
+        accessToken: this.accessToken,
+        tokenOrg: this.scmOrg
+      })
+    );
+  }
+  async validateParams() {
+    return adoValidateParams({
+      url: this.url,
+      accessToken: this.accessToken,
+      tokenOrg: this.scmOrg
+    });
+  }
+  async getRepoList(scmOrg) {
+    if (!this.accessToken) {
+      console.error("no access token");
+      throw new Error("no access token");
+    }
+    return getAdoRepoList({
+      orgName: scmOrg,
+      tokenOrg: this.scmOrg,
+      accessToken: this.accessToken
+    });
+  }
+  async getBranchList() {
+    if (!this.accessToken || !this.url) {
+      console.error("no access token or no url");
+      throw new Error("no access token or no url");
+    }
+    return getAdoBranchList({
+      accessToken: this.accessToken,
+      tokenOrg: this.scmOrg,
+      repoUrl: this.url
+    });
+  }
+  getAuthHeaders() {
+    if (this.accessToken) {
+      if (getAdoTokenType(this.accessToken) === "OAUTH" /* OAUTH */) {
+        return {
+          authorization: `Bearer ${this.accessToken}`
+        };
+      } else {
+        return {
+          authorization: `Basic ${Buffer.from(":" + this.accessToken).toString(
+            "base64"
+          )}`
+        };
+      }
+    }
+    return {};
+  }
+  getDownloadUrl(sha) {
+    if (!this.url) {
+      console.error("no url");
+      throw new Error("no url");
+    }
+    return getAdoDownloadUrl({ repoUrl: this.url, branch: sha });
+  }
+  async _getUsernameForAuthUrl() {
+    throw new Error("_getUsernameForAuthUrl() is not relevant for ADO");
+  }
+  async getIsRemoteBranch(branch) {
+    if (!this.accessToken || !this.url) {
+      console.error("no access token or no url");
+      throw new Error("no access token or no url");
+    }
+    return getAdoIsRemoteBranch({
+      accessToken: this.accessToken,
+      tokenOrg: this.scmOrg,
+      repoUrl: this.url,
+      branch
+    });
+  }
+  async getUserHasAccessToRepo() {
+    if (!this.accessToken || !this.url) {
+      console.error("no access token or no url");
+      throw new Error("no access token or no url");
+    }
+    return getAdoIsUserCollaborator({
+      accessToken: this.accessToken,
+      tokenOrg: this.scmOrg,
+      repoUrl: this.url
+    });
+  }
+  async getUsername() {
+    throw new Error("getUsername() is not relevant for ADO");
+  }
+  async getSubmitRequestStatus(scmSubmitRequestId) {
+    if (!this.accessToken || !this.url) {
+      console.error("no access token or no url");
+      throw new Error("no access token or no url");
+    }
+    const state = await getAdoPullRequestStatus({
+      accessToken: this.accessToken,
+      tokenOrg: this.scmOrg,
+      repoUrl: this.url,
+      prNumber: Number(scmSubmitRequestId)
+    });
+    switch (state) {
+      case "completed" /* completed */:
+        return "MERGED" /* MERGED */;
+      case "active" /* active */:
+        return "OPEN" /* OPEN */;
+      case "abandoned" /* abandoned */:
+        return "CLOSED" /* CLOSED */;
+      default:
+        throw new Error(`unknown state ${state}`);
+    }
+  }
+  async getRepoBlameRanges(_ref, _path) {
+    return await getAdoBlameRanges();
+  }
+  async getReferenceData(ref) {
+    if (!this.url) {
+      console.error("no url");
+      throw new Error("no url");
+    }
+    return await getAdoReferenceData({
+      ref,
+      repoUrl: this.url,
+      accessToken: this.accessToken,
+      tokenOrg: this.scmOrg
+    });
+  }
+  async getRepoDefaultBranch() {
+    if (!this.url) {
+      console.error("no url");
+      throw new Error("no url");
+    }
+    return await getAdoRepoDefaultBranch({
+      repoUrl: this.url,
+      tokenOrg: this.scmOrg,
+      accessToken: this.accessToken
+    });
   }
 };
 var GitlabSCMLib = class extends SCMLib {
@@ -1707,7 +2202,7 @@ var GitlabSCMLib = class extends SCMLib {
   async createPullRequestWithNewFile(_sourceRepoUrl, _filesPaths, _userRepoUrl, _title, _body) {
     throw new Error("not implemented");
   }
-  async getRepoList() {
+  async getRepoList(_scmOrg) {
     if (!this.accessToken) {
       console.error("no access token");
       throw new Error("no access token");
@@ -1795,13 +2290,13 @@ var GitlabSCMLib = class extends SCMLib {
         throw new Error(`unknown state ${state}`);
     }
   }
-  async getRepoBlameRanges(ref, path8) {
+  async getRepoBlameRanges(ref, path9) {
     if (!this.url) {
       console.error("no url");
       throw new Error("no url");
     }
     return await getGitlabBlameRanges(
-      { ref, path: path8, gitlabUrl: this.url },
+      { ref, path: path9, gitlabUrl: this.url },
       {
         gitlabAuthToken: this.accessToken
       }
@@ -1837,8 +2332,8 @@ var GitlabSCMLib = class extends SCMLib {
 };
 var GithubSCMLib = class extends SCMLib {
   // we don't always need a url, what's important is that we have an access token
-  constructor(url, accessToken) {
-    super(url, accessToken);
+  constructor(url, accessToken, scmOrg) {
+    super(url, accessToken, scmOrg);
     __publicField(this, "oktokit");
     this.oktokit = new Octokit2({ auth: accessToken });
   }
@@ -1873,7 +2368,7 @@ var GithubSCMLib = class extends SCMLib {
       throw new Error("cannot delete comment without access token or url");
     }
     const oktokit = _oktokit || this.oktokit;
-    const { owner, repo } = parseOwnerAndRepo(this.url);
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     const { data: repositoryPublicKeyResponse } = await getARepositoryPublicKey(
       oktokit,
       {
@@ -1914,7 +2409,7 @@ var GithubSCMLib = class extends SCMLib {
       throw new Error("cannot post on PR without access token or url");
     }
     const oktokit = _oktokit || this.oktokit;
-    const { owner, repo } = parseOwnerAndRepo(this.url);
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     return postPrComment(oktokit, {
       ...params,
       owner,
@@ -1926,7 +2421,7 @@ var GithubSCMLib = class extends SCMLib {
       throw new Error("cannot update on PR without access token or url");
     }
     const oktokit = _oktokit || this.oktokit;
-    const { owner, repo } = parseOwnerAndRepo(this.url);
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     return updatePrComment(oktokit, {
       ...params,
       owner,
@@ -1938,7 +2433,7 @@ var GithubSCMLib = class extends SCMLib {
       throw new Error("cannot delete comment without access token or url");
     }
     const oktokit = _oktokit || this.oktokit;
-    const { owner, repo } = parseOwnerAndRepo(this.url);
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     return deleteComment(oktokit, {
       ...params,
       owner,
@@ -1950,7 +2445,7 @@ var GithubSCMLib = class extends SCMLib {
       throw new Error("cannot get Pr Comments without access token or url");
     }
     const oktokit = _oktokit || this.oktokit;
-    const { owner, repo } = parseOwnerAndRepo(this.url);
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     return getPrComments(oktokit, {
       per_page: 100,
       ...params,
@@ -1962,15 +2457,15 @@ var GithubSCMLib = class extends SCMLib {
     if (!this.accessToken || !this.url) {
       throw new Error("cannot get Pr Comments without access token or url");
     }
-    const { owner, repo } = parseOwnerAndRepo(this.url);
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     const prRes = await getPrDiff(this.oktokit, {
       ...params,
       owner,
       repo
     });
-    return z6.string().parse(prRes.data);
+    return z7.string().parse(prRes.data);
   }
-  async getRepoList() {
+  async getRepoList(_scmOrg) {
     if (!this.accessToken) {
       console.error("no access token");
       throw new Error("no access token");
@@ -2042,13 +2537,13 @@ var GithubSCMLib = class extends SCMLib {
     }
     throw new Error(`unknown state ${state}`);
   }
-  async getRepoBlameRanges(ref, path8) {
+  async getRepoBlameRanges(ref, path9) {
     if (!this.url) {
       console.error("no url");
       throw new Error("no url");
     }
     return await getGithubBlameRanges(
-      { ref, path: path8, gitHubUrl: this.url },
+      { ref, path: path9, gitHubUrl: this.url },
       {
         githubAuthToken: this.accessToken
       }
@@ -2071,7 +2566,7 @@ var GithubSCMLib = class extends SCMLib {
       console.error("no url");
       throw new Error("no url");
     }
-    const { owner, repo } = parseOwnerAndRepo(this.url);
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     return await getPrComment(this.oktokit, {
       repo,
       owner,
@@ -2125,9 +2620,9 @@ var StubSCMLib = class extends SCMLib {
     console.error("createPullRequestWithNewFile() not implemented");
     throw new Error("createPullRequestWithNewFile() not implemented");
   }
-  async getRepoList() {
-    console.error("getBranchList() not implemented");
-    throw new Error("getBranchList() not implemented");
+  async getRepoList(_scmOrg) {
+    console.error("getRepoList() not implemented");
+    throw new Error("getRepoList() not implemented");
   }
   async getBranchList() {
     console.error("getBranchList() not implemented");
@@ -2167,196 +2662,415 @@ var StubSCMLib = class extends SCMLib {
   }
 };
 
-// src/features/analysis/scm/gitlab.ts
-function removeTrailingSlash2(str) {
+// src/features/analysis/scm/ado.ts
+function removeTrailingSlash3(str) {
   return str.trim().replace(/\/+$/, "");
 }
-var EnvVariablesZod2 = z7.object({
-  GITLAB_API_TOKEN: z7.string().optional()
-});
-var { GITLAB_API_TOKEN } = EnvVariablesZod2.parse(process.env);
-function getGitBeaker(options) {
-  const token = options?.gitlabAuthToken ?? GITLAB_API_TOKEN ?? "";
-  if (token?.startsWith("glpat-") || token === "") {
-    return new Gitlab({ token });
+async function _getOrgsForOauthToken({ oauthToken }) {
+  const profileZ = z8.object({
+    displayName: z8.string(),
+    publicAlias: z8.string().min(1),
+    emailAddress: z8.string(),
+    coreRevision: z8.number(),
+    timeStamp: z8.string(),
+    id: z8.string(),
+    revision: z8.number()
+  });
+  const accountsZ = z8.object({
+    count: z8.number(),
+    value: z8.array(
+      z8.object({
+        accountId: z8.string(),
+        accountUri: z8.string(),
+        accountName: z8.string()
+      })
+    )
+  });
+  const profileRes = await fetch(
+    "https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=6.0",
+    {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${oauthToken}`
+      }
+    }
+  );
+  const profileJson = await profileRes.json();
+  const profile = profileZ.parse(profileJson);
+  const accountsRes = await fetch(
+    `https://app.vssps.visualstudio.com/_apis/accounts?memberId=${profile.publicAlias}&api-version=6.0`,
+    {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${oauthToken}`
+      }
+    }
+  );
+  const accountsJson = await accountsRes.json();
+  const accounts = accountsZ.parse(accountsJson);
+  const orgs = accounts.value.map((account) => account.accountName).filter((value, index, array) => array.indexOf(value) === index);
+  return orgs;
+}
+function _getPublicAdoClient({ orgName }) {
+  const orgUrl = `https://dev.azure.com/${orgName}`;
+  const authHandler = api.getPersonalAccessTokenHandler("");
+  authHandler.canHandleAuthentication = () => false;
+  authHandler.prepareRequest = (_options) => {
+    return;
+  };
+  const connection = new api.WebApi(orgUrl, authHandler);
+  return connection;
+}
+function getAdoTokenType(token) {
+  if (token.includes(".")) {
+    return "OAUTH" /* OAUTH */;
   }
-  return new Gitlab({ oauthToken: token });
+  return "PAT" /* PAT */;
 }
-async function gitlabValidateParams({
+async function getAdoApiClient({
+  accessToken,
+  tokenOrg,
+  orgName
+}) {
+  if (!accessToken || tokenOrg && tokenOrg !== orgName) {
+    return _getPublicAdoClient({ orgName });
+  }
+  const orgUrl = `https://dev.azure.com/${orgName}`;
+  if (getAdoTokenType(accessToken) === "OAUTH" /* OAUTH */) {
+    const connection2 = new api.WebApi(orgUrl, api.getBearerHandler(accessToken));
+    return connection2;
+  }
+  const authHandler = api.getPersonalAccessTokenHandler(accessToken);
+  const connection = new api.WebApi(orgUrl, authHandler);
+  return connection;
+}
+async function adoValidateParams({
   url,
-  accessToken
+  accessToken,
+  tokenOrg
 }) {
   try {
-    const api = getGitBeaker({ gitlabAuthToken: accessToken });
-    if (accessToken) {
-      await api.Users.showCurrentUser();
+    if (!url && accessToken && getAdoTokenType(accessToken) === "OAUTH" /* OAUTH */) {
+      await _getOrgsForOauthToken({ oauthToken: accessToken });
+      return;
     }
+    let org = tokenOrg;
     if (url) {
-      const { projectPath } = parseOwnerAndRepo2(url);
-      await api.Projects.show(projectPath);
+      const { owner } = parseAdoOwnerAndRepo(url);
+      org = owner;
+    }
+    if (!org) {
+      throw new InvalidRepoUrlError(`invalid ADO ORG ${org}`);
     }
+    const api2 = await getAdoApiClient({
+      accessToken,
+      tokenOrg,
+      orgName: org
+    });
+    await api2.connect();
   } catch (e) {
     const error = e;
     const code = error.code || error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
     const description = error.description || `${e}`;
     if (code === 401 || code === 403 || description.includes("401") || description.includes("403")) {
-      throw new InvalidAccessTokenError(`invalid gitlab access token`);
+      throw new InvalidAccessTokenError(`invalid ADO access token`);
     }
     if (code === 404 || description.includes("404") || description.includes("Not Found")) {
-      throw new InvalidRepoUrlError(`invalid gitlab repo Url ${url}`);
+      throw new InvalidRepoUrlError(`invalid ADO repo URL ${url}`);
     }
     throw e;
   }
 }
-async function getGitlabUsername(accessToken) {
-  const api = getGitBeaker({ gitlabAuthToken: accessToken });
-  const res = await api.Users.showCurrentUser();
-  return res.username;
-}
-async function getGitlabIsUserCollaborator({
-  username,
+async function getAdoIsUserCollaborator({
   accessToken,
+  tokenOrg,
   repoUrl
 }) {
   try {
-    const { projectPath } = parseOwnerAndRepo2(repoUrl);
-    const api = getGitBeaker({ gitlabAuthToken: accessToken });
-    const res = await api.Projects.show(projectPath);
-    const members = await api.ProjectMembers.all(res.id, {
-      includeInherited: true
+    const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+    const api2 = await getAdoApiClient({
+      accessToken,
+      tokenOrg,
+      orgName: owner
     });
-    return !!members.find((member) => member.username === username);
+    const git = await api2.getGitApi();
+    const branches = await git.getBranches(repo, projectName);
+    if (!branches || branches.length === 0) {
+      throw new InvalidRepoUrlError("no branches");
+    }
+    return true;
   } catch (e) {
     return false;
   }
 }
-async function getGitlabMergeRequestStatus({
+var adoStatusNumberToEnumMap = {
+  1: "active" /* active */,
+  2: "abandoned" /* abandoned */,
+  3: "completed" /* completed */,
+  4: "all" /* all */
+};
+async function getAdoPullRequestStatus({
   accessToken,
+  tokenOrg,
   repoUrl,
-  mrNumber
+  prNumber
 }) {
-  const { projectPath } = parseOwnerAndRepo2(repoUrl);
-  const api = getGitBeaker({ gitlabAuthToken: accessToken });
-  const res = await api.MergeRequests.show(projectPath, mrNumber);
-  switch (res.state) {
-    case "merged" /* merged */:
-    case "opened" /* opened */:
-    case "closed" /* closed */:
-      return res.state;
-    default:
-      throw new Error(`unknown merge request state ${res.state}`);
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+  const api2 = await getAdoApiClient({
+    accessToken,
+    tokenOrg,
+    orgName: owner
+  });
+  const git = await api2.getGitApi();
+  const res = await git.getPullRequest(repo, prNumber, projectName);
+  if (!res.status || res.status < 1 || res.status > 3) {
+    throw new Error("bad pr status for ADO");
   }
+  return adoStatusNumberToEnumMap[res.status];
 }
-async function getGitlabIsRemoteBranch({
+async function getAdoIsRemoteBranch({
   accessToken,
+  tokenOrg,
   repoUrl,
   branch
 }) {
-  const { projectPath } = parseOwnerAndRepo2(repoUrl);
-  const api = getGitBeaker({ gitlabAuthToken: accessToken });
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+  const api2 = await getAdoApiClient({
+    accessToken,
+    tokenOrg,
+    orgName: owner
+  });
+  const git = await api2.getGitApi();
   try {
-    const res = await api.Branches.show(projectPath, branch);
-    return res.name === branch;
+    const branchStatus = await git.getBranch(repo, branch, projectName);
+    if (!branchStatus || !branchStatus.commit) {
+      throw new InvalidRepoUrlError("no branch status");
+    }
+    return branchStatus.name === branch;
   } catch (e) {
     return false;
   }
 }
-async function getGitlabRepoList(accessToken) {
-  const api = getGitBeaker({ gitlabAuthToken: accessToken });
-  const res = await api.Projects.all({
-    membership: true,
-    //TODO: a bug in the sorting mechanism of this api call
-    //disallows us to sort by updated_at in descending order
-    //so we have to sort by updated_at in ascending order.
-    //We can wait for the bug to be fixed or call the api
-    //directly with fetch()
-    sort: "asc",
-    orderBy: "updated_at",
-    perPage: 100
-  });
-  return Promise.all(
-    res.map(async (project) => {
-      const proj = await api.Projects.show(project.id);
-      const owner = proj.namespace.name;
-      const repoLanguages = await api.Projects.showLanguages(project.id);
-      return {
-        repoName: project.path,
-        repoUrl: project.web_url,
-        repoOwner: owner,
-        repoLanguages: Object.keys(repoLanguages),
-        repoIsPublic: project.visibility === "public",
-        repoUpdatedAt: project.last_activity_at
-      };
+async function getAdoRepoList({
+  orgName,
+  tokenOrg,
+  accessToken
+}) {
+  let orgs = [];
+  if (getAdoTokenType(accessToken) === "OAUTH" /* OAUTH */) {
+    orgs = await _getOrgsForOauthToken({ oauthToken: accessToken });
+  }
+  if (orgs.length === 0 && !orgName) {
+    throw new Error(`no orgs for ADO`);
+  } else if (orgs.length === 0 && orgName) {
+    orgs = [orgName];
+  }
+  const repos = (await Promise.allSettled(
+    orgs.map(async (org) => {
+      const orgApi = await getAdoApiClient({
+        accessToken,
+        tokenOrg,
+        orgName: org
+      });
+      const gitOrg = await orgApi.getGitApi();
+      const orgRepos = await gitOrg.getRepositories();
+      const repoInfoList = (await Promise.allSettled(
+        orgRepos.map(async (repo) => {
+          if (!repo.name || !repo.remoteUrl || !repo.defaultBranch) {
+            throw new InvalidRepoUrlError("bad repo");
+          }
+          const branch = await gitOrg.getBranch(
+            repo.name,
+            repo.defaultBranch.replace(/^refs\/heads\//, ""),
+            repo.project?.name
+          );
+          return {
+            repoName: repo.name,
+            repoUrl: repo.remoteUrl.replace(
+              /^[hH][tT][tT][pP][sS]:\/\/[^/]+@/,
+              "https://"
+            ),
+            repoOwner: org,
+            repoIsPublic: repo.project?.visibility === 2,
+            //2 is public in the ADO API
+            repoLanguages: [],
+            repoUpdatedAt: branch.commit?.committer?.date?.toDateString() || repo.project?.lastUpdateTime?.toDateString() || (/* @__PURE__ */ new Date()).toDateString()
+          };
+        })
+      )).reduce((acc, res) => {
+        if (res.status === "fulfilled") {
+          acc.push(res.value);
+        }
+        return acc;
+      }, []);
+      return repoInfoList;
     })
-  );
+  )).reduce((acc, res) => {
+    if (res.status === "fulfilled") {
+      return acc.concat(res.value);
+    }
+    return acc;
+  }, []);
+  return repos;
 }
-async function getGitlabBranchList({
+function getAdoDownloadUrl({
+  repoUrl,
+  branch
+}) {
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+  return `https://dev.azure.com/${owner}/${projectName}/_apis/git/repositories/${repo}/items/items?path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
+}
+async function getAdoBranchList({
   accessToken,
+  tokenOrg,
   repoUrl
 }) {
-  const { projectPath } = parseOwnerAndRepo2(repoUrl);
-  const api = getGitBeaker({ gitlabAuthToken: accessToken });
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+  const api2 = await getAdoApiClient({
+    accessToken,
+    tokenOrg,
+    orgName: owner
+  });
+  const git = await api2.getGitApi();
   try {
-    const res = await api.Branches.all(projectPath, {
-      perPage: 100,
-      pagination: "keyset",
-      orderBy: "updated_at",
-      sort: "dec"
+    const res = await git.getBranches(repo, projectName);
+    res.sort((a, b) => {
+      if (!a.commit?.committer?.date || !b.commit?.committer?.date) {
+        return 0;
+      }
+      return b.commit?.committer?.date.getTime() - a.commit?.committer?.date.getTime();
     });
-    return res.map((branch) => branch.name);
+    return res.reduce((acc, branch) => {
+      if (!branch.name) {
+        return acc;
+      }
+      acc.push(branch.name);
+      return acc;
+    }, []);
   } catch (e) {
     return [];
   }
 }
-async function createMergeRequest(options) {
-  const { projectPath } = parseOwnerAndRepo2(options.repoUrl);
-  const api = getGitBeaker({ gitlabAuthToken: options.accessToken });
-  const res = await api.MergeRequests.create(
-    projectPath,
-    options.sourceBranchName,
-    options.targetBranchName,
-    options.title,
+async function createAdoPullRequest(options) {
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(options.repoUrl);
+  const api2 = await getAdoApiClient({
+    accessToken: options.accessToken,
+    tokenOrg: options.tokenOrg,
+    orgName: owner
+  });
+  const git = await api2.getGitApi();
+  const res = await git.createPullRequest(
     {
+      sourceRefName: `refs/heads/${options.sourceBranchName}`,
+      targetRefName: `refs/heads/${options.targetBranchName}`,
+      title: options.title,
       description: options.body
-    }
+    },
+    repo,
+    projectName
   );
-  return res.iid;
+  return res.pullRequestId;
 }
-async function getGitlabRepoDefaultBranch(repoUrl, options) {
-  const api = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
-  const { projectPath } = parseOwnerAndRepo2(repoUrl);
-  const project = await api.Projects.show(projectPath);
-  if (!project.default_branch) {
-    throw new Error("no default branch");
+async function getAdoRepoDefaultBranch({
+  repoUrl,
+  tokenOrg,
+  accessToken
+}) {
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+  const api2 = await getAdoApiClient({
+    accessToken,
+    tokenOrg,
+    orgName: owner
+  });
+  const git = await api2.getGitApi();
+  const branches = await git.getBranches(repo, projectName);
+  if (!branches || branches.length === 0) {
+    throw new InvalidRepoUrlError("no branches");
   }
-  return project.default_branch;
+  const res = branches.find((branch) => branch.isBaseVersion);
+  if (!res || !res.name) {
+    throw new InvalidRepoUrlError("no default branch");
+  }
+  return res.name;
 }
-async function getGitlabReferenceData({ ref, gitlabUrl }, options) {
-  const { projectPath } = parseOwnerAndRepo2(gitlabUrl);
-  const api = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
+async function getAdoReferenceData({
+  ref,
+  repoUrl,
+  accessToken,
+  tokenOrg
+}) {
+  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+  const api2 = await getAdoApiClient({
+    accessToken,
+    tokenOrg,
+    orgName: owner
+  });
+  if (!projectName) {
+    throw new InvalidUrlPatternError("no project name");
+  }
+  const git = await api2.getGitApi();
   const results = await Promise.allSettled([
     (async () => {
-      const res = await api.Branches.show(projectPath, ref);
+      const res = await git.getBranch(repo, ref, projectName);
+      if (!res.commit || !res.commit.commitId) {
+        throw new InvalidRepoUrlError("no commit on branch");
+      }
       return {
-        sha: res.commit.id,
+        sha: res.commit.commitId,
         type: "BRANCH" /* BRANCH */,
-        date: res.commit.committed_date ? new Date(res.commit.committed_date) : void 0
+        date: res.commit.committer?.date || /* @__PURE__ */ new Date()
       };
     })(),
     (async () => {
-      const res = await api.Commits.show(projectPath, ref);
+      const res = await git.getCommits(
+        repo,
+        {
+          fromCommitId: ref,
+          toCommitId: ref,
+          $top: 1
+        },
+        projectName
+      );
+      const commit = res[0];
+      if (!commit || !commit.commitId) {
+        throw new Error("no commit");
+      }
       return {
-        sha: res.id,
+        sha: commit.commitId,
         type: "COMMIT" /* COMMIT */,
-        date: res.committed_date ? new Date(res.committed_date) : void 0
+        date: commit.committer?.date || /* @__PURE__ */ new Date()
       };
     })(),
     (async () => {
-      const res = await api.Tags.show(projectPath, ref);
+      const res = await git.getRefs(repo, projectName, `tags/${ref}`);
+      if (!res[0] || !res[0].objectId) {
+        throw new Error("no tag ref");
+      }
+      let objectId = res[0].objectId;
+      try {
+        const tag = await git.getAnnotatedTag(projectName, repo, objectId);
+        if (tag.taggedObject?.objectId) {
+          objectId = tag.taggedObject.objectId;
+        }
+      } catch (e) {
+      }
+      const commitRes2 = await git.getCommits(
+        repo,
+        {
+          fromCommitId: objectId,
+          toCommitId: objectId,
+          $top: 1
+        },
+        projectName
+      );
+      const commit = commitRes2[0];
+      if (!commit) {
+        throw new Error("no commit");
+      }
       return {
-        sha: res.commit.id,
+        sha: objectId,
         type: "TAG" /* TAG */,
-        date: res.commit.committed_date ? new Date(res.commit.committed_date) : void 0
+        date: commit.committer?.date || /* @__PURE__ */ new Date()
       };
     })()
   ]);
@@ -2372,41 +3086,34 @@ async function getGitlabReferenceData({ ref, gitlabUrl }, options) {
   }
   throw new RefNotFoundError(`ref: ${ref} does not exist`);
 }
-function parseOwnerAndRepo2(gitlabUrl) {
-  gitlabUrl = removeTrailingSlash2(gitlabUrl);
-  const parsingResult = parseScmURL(gitlabUrl);
-  if (!parsingResult || parsingResult.hostname !== "gitlab.com") {
-    throw new InvalidUrlPatternError(`invalid gitlab repo Url ${gitlabUrl}`);
+function parseAdoOwnerAndRepo(adoUrl) {
+  adoUrl = removeTrailingSlash3(adoUrl);
+  const parsingResult = parseScmURL(adoUrl);
+  if (!parsingResult || parsingResult.hostname !== "dev.azure.com") {
+    throw new InvalidUrlPatternError(`invalid ADO repo URL: ${adoUrl}`);
   }
-  const { organization, repoName, projectPath } = parsingResult;
-  return { owner: organization, repo: repoName, projectPath };
+  const { organization, repoName, projectName, projectPath, pathElements } = parsingResult;
+  return {
+    owner: organization,
+    repo: repoName,
+    projectName,
+    projectPath,
+    pathElements
+  };
 }
-async function getGitlabBlameRanges({ ref, gitlabUrl, path: path8 }, options) {
-  const { projectPath } = parseOwnerAndRepo2(gitlabUrl);
-  const api = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
-  const resp = await api.RepositoryFiles.allFileBlames(projectPath, path8, ref);
-  let lineNumber = 1;
-  return resp.filter((range) => range.lines).map((range) => {
-    const oldLineNumber = lineNumber;
-    if (!range.lines) {
-      throw new Error("range.lines should not be undefined");
-    }
-    lineNumber += range.lines.length;
-    return {
-      startingLine: oldLineNumber,
-      endingLine: lineNumber - 1,
-      login: range.commit.author_email,
-      email: range.commit.author_email,
-      name: range.commit.author_name
-    };
-  });
+async function getAdoBlameRanges() {
+  return [];
 }
-var GitlabAuthResultZ = z7.object({
-  access_token: z7.string(),
-  token_type: z7.string(),
-  refresh_token: z7.string()
+var AdoAuthResultZ = z8.object({
+  access_token: z8.string().min(1),
+  token_type: z8.string().min(1),
+  refresh_token: z8.string().min(1)
 });
 
+// src/features/analysis/scm/constants.ts
+var MOBB_ICON_IMG = "https://svgshare.com/i/12DK.svg";
+var COMMIT_FIX_SVG = `https://app.mobb.ai/gh-action/commit-button.svg`;
+
 // src/features/analysis/scm/utils/get_issue_type.ts
 var getIssueType = (issueType) => {
   switch (issueType) {
@@ -2569,7 +3276,7 @@ async function getFixesFromDiff(params) {
     });
     const lineAddedRanges = calculateRanges(fileNumbers);
     const fileFilter = {
-      path: z8.string().parse(file.to),
+      path: z9.string().parse(file.to),
       ranges: lineAddedRanges.map(([startLine, endLine]) => ({
         endLine,
         startLine
@@ -2629,7 +3336,7 @@ async function handleFinishedAnalysis({
   return Promise.all(
     vulnerabilityReportIssueCodeNodes.map(
       async (vulnerabilityReportIssueCodeNodes2) => {
-        const { path: path8, startLine, vulnerabilityReportIssue } = vulnerabilityReportIssueCodeNodes2;
+        const { path: path9, startLine, vulnerabilityReportIssue } = vulnerabilityReportIssueCodeNodes2;
         const { fixId } = vulnerabilityReportIssue;
         const { fix_by_pk } = await gqlClient.getFix(fixId);
         const {
@@ -2640,7 +3347,7 @@ async function handleFinishedAnalysis({
             body: "empty",
             pull_number: pullRequest,
             commit_id: commitSha,
-            path: path8,
+            path: path9,
             line: startLine
           },
           githubActionOctokit
@@ -2998,8 +3705,8 @@ async function forkSnyk(args, { display }) {
 }
 async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
   debug7("get snyk report start %s %s", reportPath, repoRoot);
-  const config3 = await forkSnyk(["config"], { display: false });
-  const { message: configMessage } = config3;
+  const config4 = await forkSnyk(["config"], { display: false });
+  const { message: configMessage } = config4;
   if (!configMessage.includes("api: ")) {
     const snykLoginSpinner = createSpinner3().start();
     if (!skipPrompts) {
@@ -3011,7 +3718,7 @@ async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
     snykLoginSpinner.update({
       text: "\u{1F513} Waiting for Snyk login to complete"
     });
-    debug7("no token in the config %s", config3);
+    debug7("no token in the config %s", config4);
     await forkSnyk(["auth"], { display: true });
     snykLoginSpinner.success({ text: "\u{1F513} Login to Snyk Successful" });
   }
@@ -3083,8 +3790,6 @@ async function uploadFile({
 // src/features/analysis/index.ts
 var { CliError: CliError2, Spinner: Spinner2, keypress: keypress2, getDirName: getDirName2 } = utils_exports;
 var webLoginUrl = `${WEB_APP_URL}/cli-login`;
-var githubAuthUrl = `${WEB_APP_URL}/github-auth`;
-var gitlabAuthUrl = `${WEB_APP_URL}/gitlab-auth`;
 async function downloadRepo({
   repoUrl,
   authHeaders,
@@ -3096,6 +3801,7 @@ async function downloadRepo({
   const repoSpinner = createSpinner4("\u{1F4BE} Downloading Repo").start();
   debug9("download repo %s %s %s", repoUrl, dirname);
   const zipFilePath = path6.join(dirname, "repo.zip");
+  debug9("download URL: %s auth headers: %o", downloadUrl, authHeaders);
   const response = await fetch3(downloadUrl, {
     method: "GET",
     headers: {
@@ -3158,6 +3864,38 @@ async function runAnalysis(params, options) {
     tmpObj.removeCallback();
   }
 }
+function _getTokenAndUrlForScmType({
+  scmLibType,
+  githubToken,
+  gitlabToken,
+  adoToken
+}) {
+  const githubAuthUrl = `${WEB_APP_URL}/github-auth`;
+  const gitlabAuthUrl = `${WEB_APP_URL}/gitlab-auth`;
+  const adoAuthUrl = `${WEB_APP_URL}/ado-auth`;
+  switch (scmLibType) {
+    case "GITHUB" /* GITHUB */:
+      return {
+        token: githubToken,
+        authUrl: githubAuthUrl
+      };
+    case "GITLAB" /* GITLAB */:
+      return {
+        token: gitlabToken,
+        authUrl: gitlabAuthUrl
+      };
+    case "ADO" /* ADO */:
+      return {
+        token: adoToken,
+        authUrl: adoAuthUrl
+      };
+    default:
+      return {
+        token: void 0,
+        authUrl: void 0
+      };
+  }
+}
 async function _scan(params, { skipPrompts = false } = {}) {
   const {
     dirname,
@@ -3196,26 +3934,35 @@ async function _scan(params, { skipPrompts = false } = {}) {
     throw new Error("repo is required in case srcPath is not provided");
   }
   const userInfo = await gqlClient.getUserInfo();
-  const { githubToken, gitlabToken } = userInfo;
+  const { githubToken, gitlabToken, adoToken, adoOrg } = userInfo;
   const isRepoAvailable = await scmCanReachRepo({
     repoUrl: repo,
     githubToken,
-    gitlabToken
+    gitlabToken,
+    adoToken,
+    scmOrg: adoOrg
   });
   const scmLibType = getScmLibTypeFromUrl(repo);
-  const scmAuthUrl = scmLibType === "GITHUB" /* GITHUB */ ? githubAuthUrl : scmLibType === "GITLAB" /* GITLAB */ ? gitlabAuthUrl : void 0;
-  let token = scmLibType === "GITHUB" /* GITHUB */ ? githubToken : scmLibType === "GITLAB" /* GITLAB */ ? gitlabToken : void 0;
+  const { authUrl: scmAuthUrl, token } = _getTokenAndUrlForScmType({
+    scmLibType,
+    githubToken,
+    gitlabToken,
+    adoToken
+  });
+  let myToken = token;
   if (!isRepoAvailable) {
     if (ci || !scmLibType || !scmAuthUrl) {
       const errorMessage = scmAuthUrl ? `Cannot access repo ${repo}` : `Cannot access repo ${repo} with the provided token, please visit ${scmAuthUrl} to refresh your source control management system token`;
       throw new Error(errorMessage);
     }
     if (scmLibType && scmAuthUrl) {
-      token = await handleScmIntegration(token, scmLibType, scmAuthUrl) || "";
+      myToken = await handleScmIntegration(token, scmLibType, scmAuthUrl) || "";
       const isRepoAvailable2 = await scmCanReachRepo({
         repoUrl: repo,
-        githubToken: token,
-        gitlabToken: token
+        githubToken: myToken,
+        gitlabToken: myToken,
+        adoToken: myToken,
+        scmOrg: adoOrg
       });
       if (!isRepoAvailable2) {
         throw new Error(
@@ -3227,7 +3974,8 @@ async function _scan(params, { skipPrompts = false } = {}) {
   const scm = await SCMLib.init({
     url: repo,
     accessToken: token,
-    scmType: scmLibType
+    scmType: scmLibType,
+    scmOrg: adoOrg
   });
   const reference = ref ?? await scm.getRepoDefaultBranch();
   const { sha } = await scm.getReferenceData(reference);
@@ -3270,7 +4018,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
         gqlClient,
         scm,
         githubActionOctokit: new Octokit3({ auth: githubActionToken }),
-        scanner: z9.nativeEnum(SCANNERS).parse(scanner)
+        scanner: z10.nativeEnum(SCANNERS).parse(scanner)
       })
     );
   }
@@ -3282,7 +4030,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     try {
       const sumbitRes = await gqlClient.submitVulnerabilityReport({
         fixReportId: reportUploadInfo.fixReportId,
-        repoUrl: z9.string().parse(repo),
+        repoUrl: z10.string().parse(repo),
         reference,
         projectId,
         vulnerabilityReportFileName: "report.json",
@@ -3400,7 +4148,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     }
   }
   async function handleScmIntegration(oldToken, scmLibType2, scmAuthUrl2) {
-    const scmName = scmLibType2 === "GITHUB" /* GITHUB */ ? "Github" : scmLibType2 === "GITLAB" /* GITLAB */ ? "Gitlab" : "";
+    const scmName = scmLibType2 === "GITHUB" /* GITHUB */ ? "Github" : scmLibType2 === "GITLAB" /* GITLAB */ ? "Gitlab" : scmLibType2 === "ADO" /* ADO */ ? "Azure DevOps" : "";
     const addScmIntegration = skipPrompts ? true : await scmIntegrationPrompt(scmName);
     const scmSpinner = createSpinner4(
       `\u{1F517} Waiting for ${scmName} integration...`
@@ -3513,6 +4261,8 @@ async function _scan(params, { skipPrompts = false } = {}) {
 
 // src/commands/index.ts
 import chalkAnimation from "chalk-animation";
+import Configstore2 from "configstore";
+var { getDirName: getDirName3 } = utils_exports;
 async function review(params, { skipPrompts = true } = {}) {
   const {
     repo,
@@ -3569,6 +4319,23 @@ async function analyze({
     { skipPrompts }
   );
 }
+var packageJson2 = JSON.parse(
+  fs4.readFileSync(path7.join(getDirName3(), "../package.json"), "utf8")
+);
+var config3 = new Configstore2(packageJson2.name, { apiToken: "" });
+async function addScmToken(addScmTokenOptions) {
+  const { apiKey, token, organization, scm, username, refreshToken } = addScmTokenOptions;
+  const gqlClient = new GQLClient({
+    apiKey: apiKey || config3.get("apiToken")
+  });
+  await gqlClient.updateScmToken({
+    type: scm,
+    token,
+    org: organization,
+    username,
+    refreshToken
+  });
+}
 async function scan(scanOptions, { skipPrompts = false } = {}) {
   const { scanner, ci } = scanOptions;
   !ci && await showWelcomeMessage(skipPrompts);
@@ -3603,7 +4370,7 @@ var repoOption = {
   alias: "r",
   demandOption: true,
   type: "string",
-  describe: chalk5.bold("Github / GitLab repository URL")
+  describe: chalk5.bold("Github / GitLab / Azure DevOps repository URL")
 };
 var projectNameOption = {
   type: "string",
@@ -3645,11 +4412,31 @@ var commitHashOption = {
   describe: chalk5.bold("Hash of the commit"),
   type: "string"
 };
+var scmTypeOption = {
+  describe: chalk5.bold("SCM type (GitHub, GitLab, Ado)"),
+  type: "string"
+};
+var scmOrgOption = {
+  describe: chalk5.bold("Organization name in SCM (used in Azure DevOps)"),
+  type: "string"
+};
+var scmUsernameOption = {
+  describe: chalk5.bold("Username in SCM (used in GitHub)"),
+  type: "string"
+};
+var scmRefreshTokenOption = {
+  describe: chalk5.bold("SCM refresh token (used in GitLab)"),
+  type: "string"
+};
+var scmTokenOption = {
+  describe: chalk5.bold("SCM API token"),
+  type: "string"
+};
 
 // src/args/validation.ts
 import chalk6 from "chalk";
-import path7 from "path";
-import { z as z10 } from "zod";
+import path8 from "path";
+import { z as z11 } from "zod";
 function throwRepoUrlErrorMessage({
   error,
   repoUrl,
@@ -3666,10 +4453,10 @@ Example:
   )}`;
   throw new CliError(formattedErrorMessage);
 }
-var UrlZ = z10.string({
-  invalid_type_error: "is not a valid GitHub / GitLab URL"
+var UrlZ = z11.string({
+  invalid_type_error: "is not a valid GitHub / GitLab / ADO URL"
 }).refine((data) => !!parseScmURL(data), {
-  message: "is not a valid GitHub / GitLab URL"
+  message: "is not a valid GitHub / GitLab / ADO URL"
 });
 function validateRepoUrl(args) {
   const repoSafeParseResult = UrlZ.safeParse(args.repo);
@@ -3688,7 +4475,7 @@ function validateRepoUrl(args) {
 }
 var supportExtensions = [".json", ".xml", ".fpr", ".sarif"];
 function validateReportFileFormat(reportFile) {
-  if (!supportExtensions.includes(path7.extname(reportFile))) {
+  if (!supportExtensions.includes(path8.extname(reportFile))) {
     throw new CliError(
       `
 ${chalk6.bold(
@@ -3726,7 +4513,7 @@ function analyzeBuilder(yargs2) {
   ).help();
 }
 function validateAnalyzeOptions(argv) {
-  if (!fs4.existsSync(argv.f)) {
+  if (!fs5.existsSync(argv.f)) {
     throw new CliError(`
 Can't access ${chalk7.bold(argv.f)}`);
   }
@@ -3747,7 +4534,7 @@ async function analyzeHandler(args) {
 }
 
 // src/args/commands/review.ts
-import fs5 from "node:fs";
+import fs6 from "node:fs";
 import chalk8 from "chalk";
 function reviewBuilder(yargs2) {
   return yargs2.option("f", {
@@ -3777,7 +4564,7 @@ function reviewBuilder(yargs2) {
   ).help();
 }
 function validateReviewOptions(argv) {
-  if (!fs5.existsSync(argv.f)) {
+  if (!fs6.existsSync(argv.f)) {
     throw new CliError(`
 Can't access ${chalk8.bold(argv.f)}`);
   }
@@ -3813,6 +4600,37 @@ async function scanHandler(args) {
   await scan(args, { skipPrompts: args.yes });
 }
 
+// src/args/commands/token.ts
+function addScmTokenBuilder(args) {
+  return args.option("scm", scmTypeOption).option("token", scmTokenOption).option("organization", scmOrgOption).option("username", scmUsernameOption).option("refresh-token", scmRefreshTokenOption).option("api-key", apiKeyOption).example(
+    "$0 add-scm-token --scm ado --token abcdef0123456 --organization myOrg",
+    "Add your SCM (Github, Gitlab, Azure DevOps) token to Mobb to enable automated fixes."
+  ).help().demandOption(["scm", "token"]);
+}
+function validateAddScmTokenOptions(argv) {
+  if (!argv.scm) {
+    throw new CliError(errorMessages.missingScmType);
+  }
+  if (!Object.values(ScmTypes).includes(argv.scm)) {
+    throw new CliError(errorMessages.invalidScmType);
+  }
+  if (!argv.token) {
+    throw new CliError(errorMessages.missingToken);
+  }
+  if (argv.scm === ScmTypes.AzureDevOps && !argv.organization) {
+    throw new CliError(
+      "\nError: --organization flag is required for Azure DevOps"
+    );
+  }
+  if (argv.scm === ScmTypes.Github && !argv.username) {
+    throw new CliError("\nError: --username flag is required for GitHub");
+  }
+}
+async function addScmTokenHandler(args) {
+  validateAddScmTokenOptions(args);
+  await addScmToken(args);
+}
+
 // src/args/yargs.ts
 var parseArgs = async (args) => {
   const yargsInstance = yargs(args);
@@ -3830,6 +4648,13 @@ var parseArgs = async (args) => {
     )} ${chalk9.dim("[options]")}
             `
   ).version(false).command(
+    mobbCliCommand.addScmToken,
+    chalk9.bold(
+      "Add your SCM (Github, Gitlab, Azure DevOps) token to Mobb to enable automated fixes."
+    ),
+    addScmTokenBuilder,
+    addScmTokenHandler
+  ).command(
     mobbCliCommand.scan,
     chalk9.bold(
       "Scan your code for vulnerabilities, get automated fixes right away."