feat(identity): squad identity doctor + explain commands #22
Merged
Add `squad identity doctor` (H-10) and `squad identity explain` (H-11) subcommands to the identity CLI.

- `squad identity doctor [--role <slug>] [--no-network] [--json]`: 9-step live health check (config, app reg, PEM presence, mode 0o600, PEM crypto validation, .gitignore coverage, JWT signing, installation token fetch, expected scopes). Exits 1 on any failure.
- `squad identity explain <role> [--live] [--json]`: Resolution trace showing input/alias, env var presence (masked), filesystem file inventory, cache state, and expected source. Always exits 0. Use --live for end-to-end fetch confirmation.

SDK additions:
- `peekTokenCache(squadDir, roleKey)`: inspect cache state without fetch
- `getInstallationPermissions(token)`: fetch permissions for scope check

Tests: 22 new tests (10 doctor, 12 explain). All 164 identity tests pass.

Changeset: @bradygaster/squad-cli minor

Closes #H-10 #H-11

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
✅ Flight Review: Approved

PR #22: squad identity doctor + explain commands (H-10, H-11)

All 6 hard-blocker checks pass:

3 non-blocking nits (improvement opportunities, not merge gates):

Positive call-outs: Changeset correct on first try (learned from PR #21), excellent test coverage (22 tests), token masking thorough, additive-only diff (1345+/2-), clean JSON/human output separation.

Full review:

Verdict: Merge to dev when ready.

— Flight (Lead), 2026-04-21
sabbour added a commit that referenced this pull request Apr 21, 2026
* feat(identity): retry with backoff + PR22 nit cleanup (H-03)
- Add RetryPolicy interface with maxRetries/initialDelayMs/maxDelayMs/onRetry/random
- Add GitHubApiError class (carries status + retryAfterMs for Retry-After support)
- Add RetryExhaustedError marker class for caller diagnosis
- resolveTokenWithDiagnostics/resolveToken accept optional retryPolicy — opt-in,
backward-compatible. Each retry gets its own 10s AbortController budget.
- TokenResolveError gains retriesExhausted: boolean field
- Export GitHubApiError, RetryExhaustedError, RetryPolicy from SDK public API
N-1: getInstallationPermissions — single GET /installation call (removed redundant
/installation/repositories preflight)
N-2: getInstallationPermissions — dedicated AbortController per fetch
N-3: doctor mode-0o600 check — detect drvfs quirk (mode=0o777 on NTFS-mounted WSL
paths) and skip assertion with ⚠ skipped (drvfs) detail
Tests: 12 new retry cases + 1 drvfs doctor case (177 total, was 164)
Docs: docs/identity/retry-policy.md
Skill: .copilot/skills/injectable-random/SKILL.md
Closes #H-03
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: Flight review of PR #23 — H-03 retry resilience ✅ Approve
Review artifacts for PR #23 (identity retry resilience + PR #22 nit cleanup).
Verdict: Approve. All 10 hard checks pass, all 3 PR #22 nits verified fixed.
One non-blocking nit flagged (dead import in test file).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Leela Lead Bot <bot@github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary

Implements H-10 (`squad identity doctor`) and H-11 (`squad identity explain`) from the Identity Hardening Roadmap.

`squad identity doctor` (H-10)

Runs a 9-step live health check for each configured identity role:

Flags: `--role <slug>` · `--no-network` (offline mode) · `--json` (CI output)

Exit code: 0 all pass, 1 any fail.

`squad identity explain <role>` (H-11)

Traces the full token resolution path without side effects:

Flags: `--live` (actual fetch) · `--json`

Exit code: always 0 (diagnostic command).

SDK additions

- `peekTokenCache(squadDir, roleKey)` — inspect cache state without triggering a fetch
- `getInstallationPermissions(token)` — fetch permissions for a token (used by doctor scope check)

Both exported from `@bradygaster/squad-sdk` and `@bradygaster/squad-sdk/identity`.

Tests

- `test/identity/doctor.test.ts` — 10 tests: all-pass, missing config, missing app reg, corrupt PEM, wrong permissions (skipped on Windows), --role filter, --json shape, exit codes, --no-network
- `test/identity/explain.test.ts` — 12 tests: filesystem creds, env creds, alias resolution, --live, --json shape, masked values, mock mode, exit code always 0

All 164 identity tests pass (142 pre-existing + 22 new).

Changeset

`.changeset/identity-doctor-explain.md` — `@bradygaster/squad-cli: minor`

Working as EECOM (Core Dev)
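
An added example, not part of this PR or of squad-cli's code: one way to implement three of the offline doctor steps listed above (PEM presence, mode 0o600 with the drvfs skip from the follow-up commit, PEM crypto validation). The function names, step labels, the `WSL_DISTRO_NAME` test for WSL, accepting modes stricter than 0o600, and counting "skipped" as non-failing are assumptions.

```typescript
import * as fs from "node:fs";
import * as crypto from "node:crypto";

// Added example; names and step labels are hypothetical, not squad-cli's.
type Status = "pass" | "fail" | "skipped";
interface Check { step: string; status: Status; detail: string }

// Step "mode 0o600": any group/other bit on the private key is a failure.
// Assumption: on WSL, drvfs (NTFS) mounts report 0o777 for every file, so
// that value says nothing about real access and the assertion is skipped.
function checkKeyMode(mode: number, onWsl: boolean): Check {
  const perms = mode & 0o777;
  const shown = "0o" + perms.toString(8);
  if (onWsl && perms === 0o777) {
    return { step: "pem-mode", status: "skipped", detail: "skipped (drvfs), mode=" + shown };
  }
  if ((perms & 0o077) !== 0) {
    return { step: "pem-mode", status: "fail", detail: shown + " grants access beyond the owner; chmod 600" };
  }
  return { step: "pem-mode", status: "pass", detail: shown };
}

// Step "PEM crypto validation": the file must parse as a private key.
function checkPemParses(pem: string): Check {
  try {
    const key = crypto.createPrivateKey(pem);
    return { step: "pem-crypto", status: "pass", detail: "type=" + key.asymmetricKeyType };
  } catch {
    // Report a fixed string: file contents and parser messages stay out of output.
    return { step: "pem-crypto", status: "fail", detail: "not a parseable private key" };
  }
}

// Presence, mode, then crypto validation, in that order; stop if the file is missing.
// Assumption: WSL exports WSL_DISTRO_NAME into the environment.
function doctorKeyFile(pemPath: string, onWsl = Boolean(process.env.WSL_DISTRO_NAME)): Check[] {
  if (!fs.existsSync(pemPath)) {
    return [{ step: "pem-present", status: "fail", detail: "missing: " + pemPath }];
  }
  const present: Check = { step: "pem-present", status: "pass", detail: pemPath };
  const mode = checkKeyMode(fs.statSync(pemPath).mode, onWsl);
  return [present, mode, checkPemParses(fs.readFileSync(pemPath, "utf8"))];
}

// Exit-code rule from the PR: 1 on any failure. Assumption: "skipped" is not a failure.
function exitCode(checks: Check[]): number {
  return checks.some((c) => c.status === "fail") ? 1 : 0;
}
```

Pass `onWsl` explicitly in tests so the drvfs branch can be exercised on any host.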