fix(configure): support Azure CLI auth and fix YAML path matching (#98)

* fix(configure): support Azure CLI auth and fix YAML path matching

- Add Azure CLI token acquisition as fallback when no PAT is provided
  (resolution order: --pat/env var > az account get-access-token > prompt)
- Introduce AdoAuth enum to handle both Basic (PAT) and Bearer (CLI) auth
- Fix list_definitions API call to include includeAllProperties=true,
  which is required for process.yamlFilename to be returned by ADO
- Improve JSON parse error diagnostics to show response body snippet
- Add debug logging for definition yaml paths and match comparisons

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(configure): address PR review feedback

- Use .query() consistently for all URL parameters in list_definitions
- Add tests for YAML path matching using make_def_with_yaml helper
- AdoAuth is scoped to configure only; tools run in pipeline context
  where tokens are always PATs from SYSTEM_ACCESSTOKEN

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jamesadevine

src/configure.rs

@@ -7,12 +7,60 @@
 //! (reqwest + `.basic_auth("", Some(token))` for authentication).
 
 use anyhow::{Context, Result};
-use log::{debug, info};
+use log::{debug, info, warn};
 use serde::Deserialize;
 use std::path::Path;
 
 use crate::detect;
 
+/// ADO resource ID for minting ADO-scoped tokens via Azure CLI.
+const ADO_RESOURCE_ID: &str = "499b84ac-1321-427f-aa17-267ca6975798";
+
+/// Attempt to acquire an ADO-scoped access token via `az account get-access-token`.
+/// Returns `Ok(token)` if the Azure CLI is installed and the user is logged in,
+/// or an error if the CLI is missing or the command fails.
+async fn try_azure_cli_token() -> Result<String> {
+    // On Windows, `az` is a .cmd batch script that must be invoked via cmd.exe.
+    let output = if cfg!(windows) {
+        tokio::process::Command::new("cmd")
+            .args([
+                "/C", "az", "account", "get-access-token",
+                "--resource", ADO_RESOURCE_ID,
+                "--query", "accessToken",
+                "-o", "tsv",
+            ])
+            .output()
+            .await
+    } else {
+        tokio::process::Command::new("az")
+            .args([
+                "account", "get-access-token",
+                "--resource", ADO_RESOURCE_ID,
+                "--query", "accessToken",
+                "-o", "tsv",
+            ])
+            .output()
+            .await
+    }
+    .context("Failed to run 'az account get-access-token'. Is the Azure CLI installed?")?;
+
+    if !output.status.success() {
+        let stderr = String::from_utf8_lossy(&output.stderr);
+        anyhow::bail!("Azure CLI token acquisition failed: {}", stderr.trim());
+    }
+
+    let token = String::from_utf8(output.stdout)
+        .context("Azure CLI returned non-UTF-8 token")?
+        .trim()
+        .to_string();
+
+    if token.is_empty() {
+        anyhow::bail!("Azure CLI returned an empty token");
+    }
+
+    Ok(token)
+}
+
 // ==================== ADO context from git remote ====================
 
 /// ADO context extracted from the git remote URL.
@@ -121,6 +169,23 @@ async fn get_git_remote_url(repo_path: &Path) -> Result<String> {
 
 // ==================== ADO Build Definitions API ====================
 
+/// Authentication method for ADO API calls.
+/// PATs use HTTP Basic auth; Azure CLI tokens use Bearer auth.
+#[derive(Clone)]
+enum AdoAuth {
+    Pat(String),
+    Bearer(String),
+}
+
+impl AdoAuth {
+    fn apply(&self, request: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
+        match self {
+            AdoAuth::Pat(pat) => request.basic_auth("", Some(pat)),
+            AdoAuth::Bearer(token) => request.bearer_auth(token),
+        }
+    }
+}
+
 /// Minimal subset of an ADO Build Definition for listing.
 #[derive(Debug, Deserialize)]
 struct DefinitionListResponse {
@@ -169,21 +234,22 @@ struct MatchedDefinition {
 async fn list_definitions(
     client: &reqwest::Client,
     ctx: &AdoContext,
-    pat: &str,
+    auth: &AdoAuth,
 ) -> Result<Vec<DefinitionSummary>> {
     let mut all_definitions = Vec::new();
     let mut continuation_token: Option<String> = None;
 
     loop {
-        let url = format!(
-            "{}/{}/_apis/build/definitions?api-version=7.1",
+        let base_url = format!(
+            "{}/{}/_apis/build/definitions",
             ctx.org_url.trim_end_matches('/'),
             ctx.project
         );
 
-        debug!("Listing definitions: {}", url);
+        debug!("Listing definitions: {}", base_url);
 
-        let mut request = client.get(&url).basic_auth("", Some(pat));
+        let mut request = auth.apply(client.get(&base_url))
+            .query(&[("includeAllProperties", "true"), ("api-version", "7.1")]);
         if let Some(ref token) = continuation_token {
             request = request.query(&[("continuationToken", token)]);
         }
@@ -210,10 +276,16 @@ async fn list_definitions(
             .and_then(|v| v.to_str().ok())
             .map(|s| s.to_string());
 
-        let response: DefinitionListResponse = resp
-            .json()
-            .await
-            .context("Failed to parse definitions response")?;
+        let body = resp.text().await.context("Failed to read definitions response body")?;
+        let response: DefinitionListResponse = serde_json::from_str(&body)
+            .with_context(|| {
+                let snippet: String = body.chars().take(500).collect();
+                format!(
+                    "Failed to parse definitions response as JSON. \
+                     This usually means the PAT is invalid or expired. \
+                     Response body (first 500 chars):\n{snippet}"
+                )
+            })?;
 
         all_definitions.extend(response.value);
 
@@ -287,10 +359,10 @@ fn normalize_ado_yaml_path(path: &str) -> String {
 async fn match_definitions(
     client: &reqwest::Client,
     ctx: &AdoContext,
-    pat: &str,
+    auth: &AdoAuth,
     detected: &[detect::DetectedPipeline],
 ) -> Result<Vec<MatchedDefinition>> {
-    let definitions = list_definitions(client, ctx, pat).await?;
+    let definitions = list_definitions(client, ctx, auth).await?;
     info!(
         "Found {} pipeline definitions in {}/{}",
         definitions.len(),
@@ -300,9 +372,28 @@ async fn match_definitions(
 
     let mut matched = Vec::new();
 
+    // Log all definition yaml paths for debugging
+    for def in &definitions {
+        let yaml_path = def
+            .process
+            .as_ref()
+            .and_then(|p| p.yaml_filename.as_ref())
+            .map(|f| normalize_ado_yaml_path(f));
+        debug!(
+            "ADO definition: '{}' (id={}) yamlFilename={:?} normalized={:?}",
+            def.name, def.id,
+            def.process.as_ref().and_then(|p| p.yaml_filename.as_ref()),
+            yaml_path
+        );
+    }
+
     for pipeline in detected {
         let yaml_path_str = pipeline.yaml_path.to_string_lossy();
         let yaml_path_normalized = yaml_path_str.replace('\\', "/");
+        debug!(
+            "Matching local pipeline: raw={:?} normalized={:?} source={:?}",
+            yaml_path_str, yaml_path_normalized, pipeline.source
+        );
 
         // Strategy 1: Match by YAML filename in the definition.
         // ADO stores yamlFilename with a leading '/' (e.g., "/.azdo/pipelines/agent.yml"),
@@ -373,16 +464,13 @@ async fn match_definitions(
 
 /// Update the GITHUB_TOKEN pipeline variable on a definition.
 ///
-/// Uses the same `.basic_auth("", Some(token))` pattern as the existing
-/// tools in `src/tools/` (e.g., create_work_item, create_pr).
-///
 /// Note: The GET→PUT cycle is not atomic. Concurrent `configure` runs against
 /// the same definition could overwrite each other's variables. This is acceptable
 /// for a CLI tool typically run by a single operator.
 async fn update_pipeline_variable(
     client: &reqwest::Client,
     ctx: &AdoContext,
-    pat: &str,
+    auth: &AdoAuth,
     definition_id: u64,
     variable_name: &str,
     variable_value: &str,
@@ -396,9 +484,8 @@ async fn update_pipeline_variable(
 
     debug!("Fetching definition {}: {}", definition_id, get_url);
 
-    let resp = client
-        .get(&get_url)
-        .basic_auth("", Some(pat))
+    let resp = auth
+        .apply(client.get(&get_url))
         .send()
         .await
         .context("Failed to get pipeline definition")?;
@@ -414,10 +501,17 @@ async fn update_pipeline_variable(
         );
     }
 
-    let mut definition: serde_json::Value = resp
-        .json()
-        .await
-        .context("Failed to parse definition JSON")?;
+    let body = resp.text().await.context("Failed to read definition response body")?;
+    let mut definition: serde_json::Value = serde_json::from_str(&body)
+        .with_context(|| {
+            let snippet: String = body.chars().take(500).collect();
+            format!(
+                "Failed to parse definition {} as JSON. \
+                 This usually means the PAT is invalid or expired. \
+                 Response body (first 500 chars):\n{snippet}",
+                definition_id
+            )
+        })?;
 
     // Ensure variables object exists
     if definition.get("variables").is_none() {
@@ -449,9 +543,8 @@ async fn update_pipeline_variable(
 
     debug!("Updating definition {}: {}", definition_id, put_url);
 
-    let resp = client
-        .put(&put_url)
-        .basic_auth("", Some(pat))
+    let resp = auth
+        .apply(client.put(&put_url))
         .header("Content-Type", "application/json")
         .json(&definition)
         .send()
@@ -501,13 +594,29 @@ pub async fn run(
             .context("Failed to read token from interactive prompt")?,
     };
 
-    // Resolve PAT: CLI flag > env var (handled by clap) > interactive prompt
-    let resolved_pat = match pat {
-        Some(p) => p.to_string(),
-        None => inquire::Password::new("Enter your Azure DevOps PAT:")
-            .without_confirmation()
-            .prompt()
-            .context("Failed to read PAT from interactive prompt. Set AZURE_DEVOPS_EXT_PAT env var or use --pat flag.")?,
+    // Resolve auth: CLI flag > env var (handled by clap) > Azure CLI > interactive prompt
+    let auth = match pat {
+        Some(p) => {
+            info!("Using PAT from --pat flag or AZURE_DEVOPS_EXT_PAT env var");
+            AdoAuth::Pat(p.to_string())
+        }
+        None => {
+            info!("No PAT provided, trying Azure CLI authentication...");
+            match try_azure_cli_token().await {
+                Ok(token) => {
+                    println!("Using Azure CLI authentication (az account get-access-token)");
+                    AdoAuth::Bearer(token)
+                }
+                Err(e) => {
+                    warn!("Azure CLI auth failed: {:#}. Falling back to interactive prompt.", e);
+                    let pat = inquire::Password::new("Enter your Azure DevOps PAT:")
+                        .without_confirmation()
+                        .prompt()
+                        .context("Failed to read PAT from interactive prompt. Set AZURE_DEVOPS_EXT_PAT env var, log in with 'az login', or use --pat flag.")?;
+                    AdoAuth::Pat(pat)
+                }
+            }
+        }
     };
 
     // Step 1: Detect agentic pipelines
@@ -565,7 +674,7 @@ pub async fn run(
         .timeout(std::time::Duration::from_secs(30))
         .build()
         .context("Failed to create HTTP client")?;
-    let matched = match_definitions(&client, &ado_ctx, &resolved_pat, &detected).await?;
+    let matched = match_definitions(&client, &ado_ctx, &auth, &detected).await?;
 
     if matched.is_empty() {
         println!("No matching ADO pipeline definitions found.");
@@ -600,7 +709,7 @@ pub async fn run(
         match update_pipeline_variable(
             &client,
             &ado_ctx,
-            &resolved_pat,
+            &auth,
             m.id,
             "GITHUB_TOKEN",
             &token,
@@ -729,6 +838,40 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_yaml_path_match_finds_definition_by_yaml_filename() {
+        let defs = vec![
+            make_def(1, "Unrelated Pipeline"),
+            make_def_with_yaml(2, "My Agent", "/.azdo/pipelines/agent.yml"),
+            make_def(3, "Another Pipeline"),
+        ];
+        let local_path = ".azdo/pipelines/agent.yml";
+        let path_match = defs.iter().find(|d| {
+            d.process
+                .as_ref()
+                .and_then(|p| p.yaml_filename.as_ref())
+                .is_some_and(|f| normalize_ado_yaml_path(f) == local_path)
+        });
+        assert!(path_match.is_some());
+        assert_eq!(path_match.unwrap().id, 2);
+    }
+
+    #[test]
+    fn test_yaml_path_match_no_match_when_process_is_none() {
+        let defs = vec![
+            make_def(1, "Classic Pipeline"),
+            make_def(2, "Another Classic"),
+        ];
+        let local_path = ".azdo/pipelines/agent.yml";
+        let path_match = defs.iter().find(|d| {
+            d.process
+                .as_ref()
+                .and_then(|p| p.yaml_filename.as_ref())
+                .is_some_and(|f| normalize_ado_yaml_path(f) == local_path)
+        });
+        assert!(path_match.is_none());
+    }
+
     #[test]
     fn test_fuzzy_match_single_unambiguous() {
         let defs = vec![