Epic: Auth + Logging Architecture Overhaul
Problem Statement
Three architectural gaps compound into broken user experience:
-
Auth is scattered and inconsistent. 95+ auth touchpoints across the codebase. Four call sites re-implement token lookup differently. Two files bypass GitHubTokenManager entirely. Token binding happens at GitHubPackageDownloader.__init__() — ONE token for all deps.
-
Logging is ad-hoc. 766+ output calls across 27 files, 13 commands. Each command manually checks verbose/dry_run/partial. No shared lifecycle.
-
Auth is single-token, not per-dependency. GitHub PATs can be org-scoped. Enterprise policies forbid user-level PATs. A manifest with deps from multiple orgs needs per-org tokens.
Solution
AuthResolver — single source of truth for auth. Per-dependency design from day 1 with (host, org) cache key. Wraps GitHubTokenManager, adds host classification, fallback chains, EMU detection, actionable errors.CommandLogger — base class for ALL commands. Lifecycle: start → validate → progress → complete → summary. Verbose/dry-run/diagnostics built in. InstallLogger subclass for install-specific phases.CATEGORY_AUTH in DiagnosticCollector — auth diagnostics in end-of-operation summaries.- Per-org env var —
GITHUB_APM_PAT_{ORG} checked, falls back to global.
Phases
- Phase 1: Foundation (
AuthResolver, CommandLogger, DiagnosticCollector, skill refactor)
- Phase 2: Auth wiring (github_downloader, validation, bypassing modules, error messages)
- Phase 3: Logging wiring (ALL 13 commands + support modules, 766+ calls)
- Phase 4: Tests (unit + integration E2E + script updates)
- Phase 5: Docs + Agent personas + Skills
Files (47 total: 8 NEW, 39 EDIT/REWRITE)
See plan.md in session workspace for full file list and dependency graph.
Key Decisions
AuthContext is frozen (immutable) — thread-safe for parallel downloadsCommandLogger delegates to existing _rich_* helpers — no new output primitives- Progressive adoption: InstallLogger first, other commands follow same pattern
- Per-org env var (
GITHUB_APM_PAT_{ORG}) checked today; config file deferred to v2
Epic: Auth + Logging Architecture Overhaul
Problem Statement
Three architectural gaps compound into broken user experience:
Auth is scattered and inconsistent. 95+ auth touchpoints across the codebase. Four call sites re-implement token lookup differently. Two files bypass
GitHubTokenManagerentirely. Token binding happens atGitHubPackageDownloader.__init__()— ONE token for all deps.Logging is ad-hoc. 766+ output calls across 27 files, 13 commands. Each command manually checks
verbose/dry_run/partial. No shared lifecycle.Auth is single-token, not per-dependency. GitHub PATs can be org-scoped. Enterprise policies forbid user-level PATs. A manifest with deps from multiple orgs needs per-org tokens.
Solution
AuthResolver— single source of truth for auth. Per-dependency design from day 1 with(host, org)cache key. WrapsGitHubTokenManager, adds host classification, fallback chains, EMU detection, actionable errors.CommandLogger— base class for ALL commands. Lifecycle: start → validate → progress → complete → summary. Verbose/dry-run/diagnostics built in.InstallLoggersubclass for install-specific phases.CATEGORY_AUTHinDiagnosticCollector— auth diagnostics in end-of-operation summaries.GITHUB_APM_PAT_{ORG}checked, falls back to global.Phases
AuthResolver,CommandLogger,DiagnosticCollector, skill refactor)Files (47 total: 8 NEW, 39 EDIT/REWRITE)
See plan.md in session workspace for full file list and dependency graph.
Key Decisions
AuthContextis frozen (immutable) — thread-safe for parallel downloadsCommandLoggerdelegates to existing_rich_*helpers — no new output primitivesGITHUB_APM_PAT_{ORG}) checked today; config file deferred to v2