Per-plugin token resolution chain (#28)

* Initial plan

* Implement per-plugin token resolution chain

Co-authored-by: ewega <26189114+ewega@users.noreply.github.com>

* Add explanatory comments per review feedback

Co-authored-by: ewega <26189114+ewega@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: ewega <26189114+ewega@users.noreply.github.com>

Author: Copilot

README.md

@@ -211,10 +211,13 @@ gh devlake configure connection --org my-org --endpoint https://github.example.c
 | `--env-file` | `.devlake.env` | Path to env file containing `GITHUB_PAT` |
 | `--skip-cleanup` | `false` | Don't delete `.devlake.env` after setup |
 
-**Token resolution order:**
+**Token resolution order (per plugin):**
 1. `--token` flag
-2. `.devlake.env` file (`GITHUB_PAT=` or `GITHUB_TOKEN=` or `GH_TOKEN=`)
-3. `$GITHUB_TOKEN` / `$GH_TOKEN` environment variables
+2. `.devlake.env` file — plugin-specific key first, e.g.:
+   - GitHub / GitHub Copilot: `GITHUB_PAT=`, `GITHUB_TOKEN=`, or `GH_TOKEN=`
+   - GitLab: `GITLAB_TOKEN=`
+   - Azure DevOps: `AZURE_DEVOPS_PAT=`
+3. Plugin-specific environment variable (same keys as above, without `GITHUB_PAT`)
 4. Interactive masked prompt (terminal only)
 
 **What it does:**

cmd/configure_connections.go

@@ -91,7 +91,7 @@ func runConfigureConnections(cmd *cobra.Command, args []string) error {
 
 	// ── Resolve token ──
 	fmt.Println("\n🔑 Resolving PAT...")
-	tokResult, err := token.Resolve(connToken, connEnvFile, def.ScopeHint)
+	tokResult, err := token.Resolve(def.Plugin, connToken, connEnvFile, def.ScopeHint)
 	if err != nil {
 		return err
 	}

cmd/configure_full.go

@@ -167,7 +167,10 @@ func runConnectionsInternal(defs []*ConnectionDef, org, enterprise, tokenVal, en
 	// ── Resolve token ──
 	fmt.Println("\n🔑 Resolving GitHub PAT...")
 	scopeHint := aggregateScopeHints(defs)
-	tokResult, err := token.Resolve(tokenVal, envFile, scopeHint)
+	// Both available plugins (github, gh-copilot) share the same GitHub PAT,
+	// so resolving with the first plugin's name is correct. When multi-tool
+	// support lands (v0.4.0), this will need per-plugin token resolution.
+	tokResult, err := token.Resolve(defs[0].Plugin, tokenVal, envFile, scopeHint)
 	if err != nil {
 		return nil, "", "", err
 	}

cmd/connection_types.go

@@ -19,6 +19,8 @@ type ConnectionDef struct {
 	SupportsTest    bool
 	RequiredScopes  []string // PAT scopes needed for this plugin
 	ScopeHint       string   // short hint for error messages
+	EnvVarNames     []string // environment variable names (informational; resolution logic lives in token.Resolve)
+	EnvFileKeys     []string // .devlake.env keys (informational; resolution logic lives in token.Resolve)
 }
 
 // MenuLabel returns the label for interactive menus.
@@ -125,6 +127,8 @@ var connectionRegistry = []*ConnectionDef{
 		SupportsTest:   true,
 		RequiredScopes: []string{"repo", "read:org", "read:user"},
 		ScopeHint:      "repo, read:org, read:user",
+		EnvVarNames:    []string{"GITHUB_TOKEN", "GH_TOKEN"},
+		EnvFileKeys:    []string{"GITHUB_PAT", "GITHUB_TOKEN", "GH_TOKEN"},
 	},
 	{
 		Plugin:          "gh-copilot",
@@ -136,16 +140,22 @@ var connectionRegistry = []*ConnectionDef{
 		SupportsTest:    true,
 		RequiredScopes:  []string{"manage_billing:copilot", "read:org"},
 		ScopeHint:       "manage_billing:copilot, read:org (+ read:enterprise for enterprise metrics)",
+		EnvVarNames:     []string{"GITHUB_TOKEN", "GH_TOKEN"},
+		EnvFileKeys:     []string{"GITHUB_PAT", "GITHUB_TOKEN", "GH_TOKEN"},
 	},
 	{
 		Plugin:      "gitlab",
 		DisplayName: "GitLab",
 		Available:   false,
+		EnvVarNames: []string{"GITLAB_TOKEN"},
+		EnvFileKeys: []string{"GITLAB_TOKEN"},
 	},
 	{
 		Plugin:      "azure-devops",
 		DisplayName: "Azure DevOps",
 		Available:   false,
+		EnvVarNames: []string{"AZURE_DEVOPS_PAT"},
+		EnvFileKeys: []string{"AZURE_DEVOPS_PAT"},
 	},
 }
 

internal/token/resolve.go

@@ -1,9 +1,9 @@
-// Package token resolves a GitHub Personal Access Token from multiple sources.
+// Package token resolves a Personal Access Token from multiple sources.
 //
 // Priority order:
-//  1. Explicit flag value (--token / --github-token)
-//  2. .devlake.env file (GITHUB_PAT=...)
-//  3. Environment variables ($GITHUB_TOKEN / $GH_TOKEN)
+//  1. Explicit flag value (--token)
+//  2. .devlake.env file (plugin-specific key, e.g. GITLAB_TOKEN=...)
+//  3. Plugin-specific environment variable (e.g. $GITLAB_TOKEN)
 //  4. Interactive masked prompt (terminal)
 package token
 
@@ -25,9 +25,10 @@ type ResolveResult struct {
 }
 
 // Resolve attempts to find a PAT using the priority chain.
+// plugin determines which env vars and env file keys to check (e.g. "github", "gitlab", "azure-devops").
 // scopeHint is displayed in the interactive prompt to guide the user on required scopes.
 // Returns an error only if no token can be obtained.
-func Resolve(flagValue, envFilePath, scopeHint string) (*ResolveResult, error) {
+func Resolve(plugin, flagValue, envFilePath, scopeHint string) (*ResolveResult, error) {
 	// 1. Explicit flag
 	if flagValue != "" {
 		return &ResolveResult{Token: flagValue, Source: "flag"}, nil
@@ -38,38 +39,78 @@ func Resolve(flagValue, envFilePath, scopeHint string) (*ResolveResult, error) {
 		envFilePath = ".devlake.env"
 	}
 	if vals, err := envfile.Load(envFilePath); err == nil {
-		for _, key := range []string{"GITHUB_PAT", "GITHUB_TOKEN", "GH_TOKEN"} {
+		for _, key := range pluginEnvFileKeys(plugin) {
 			if v, ok := vals[key]; ok && v != "" {
 				return &ResolveResult{Token: v, Source: "envfile", EnvFilePath: envFilePath}, nil
 			}
 		}
 	}
 
 	// 3. Environment variables
-	for _, key := range []string{"GITHUB_TOKEN", "GH_TOKEN"} {
+	for _, key := range pluginEnvVarKeys(plugin) {
 		if v := os.Getenv(key); v != "" {
 			return &ResolveResult{Token: v, Source: "environment"}, nil
 		}
 	}
 
 	// 4. Interactive masked prompt
+	displayName := pluginDisplayName(plugin)
 	if !term.IsTerminal(int(syscall.Stdin)) {
-		return nil, fmt.Errorf("no GitHub PAT found and stdin is not a terminal.\n" +
-			"Provide a token via --token, .devlake.env file, or $GITHUB_TOKEN")
+		envVarExample := pluginEnvVarKeys(plugin)[0]
+		return nil, fmt.Errorf("no %s PAT found and stdin is not a terminal.\n"+
+			"Provide a token via --token, .devlake.env file, or $%s", displayName, envVarExample)
 	}
 
-	tok, err := promptMasked(scopeHint)
+	tok, err := promptMasked(displayName, scopeHint)
 	if err != nil {
 		return nil, err
 	}
 	return &ResolveResult{Token: tok, Source: "prompt"}, nil
 }
 
-func promptMasked(scopeHint string) (string, error) {
+// pluginEnvFileKeys returns the ordered .devlake.env key names to check for the given plugin.
+func pluginEnvFileKeys(plugin string) []string {
+	switch plugin {
+	case "gitlab":
+		return []string{"GITLAB_TOKEN"}
+	case "azure-devops":
+		return []string{"AZURE_DEVOPS_PAT"}
+	default: // "github", "gh-copilot", or unknown
+		return []string{"GITHUB_PAT", "GITHUB_TOKEN", "GH_TOKEN"}
+	}
+}
+
+// pluginEnvVarKeys returns the ordered environment variable names to check for the given plugin.
+func pluginEnvVarKeys(plugin string) []string {
+	switch plugin {
+	case "gitlab":
+		return []string{"GITLAB_TOKEN"}
+	case "azure-devops":
+		return []string{"AZURE_DEVOPS_PAT"}
+	default: // "github", "gh-copilot", or unknown
+		return []string{"GITHUB_TOKEN", "GH_TOKEN"}
+	}
+}
+
+// pluginDisplayName returns a human-readable label for prompt messages.
+func pluginDisplayName(plugin string) string {
+	switch plugin {
+	case "gh-copilot":
+		return "GitHub Copilot"
+	case "gitlab":
+		return "GitLab"
+	case "azure-devops":
+		return "Azure DevOps"
+	default:
+		return "GitHub"
+	}
+}
+
+func promptMasked(displayName, scopeHint string) (string, error) {
 	if scopeHint != "" {
 		fmt.Fprintf(os.Stderr, "Required PAT scopes: %s\n", scopeHint)
 	}
-	fmt.Fprint(os.Stderr, "GitHub Personal Access Token: ")
+	fmt.Fprintf(os.Stderr, "%s Personal Access Token: ", displayName)
 	raw, err := term.ReadPassword(int(syscall.Stdin))
 	fmt.Fprintln(os.Stderr) // newline after masked input
 	if err != nil {