feat(project-management): ops skill + centralised auth #153
Merged
…min operations
Introduces a new skill that enables natural language execution of AEM Edge Delivery Services admin tasks: content preview/publish, cache management, code sync, indexing, user management, logs, jobs, config, secrets, and more.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add curl timeouts (--connect-timeout 15, --max-time 120) for network reliability
- Document all 8 roles (admin, author, publish, develop, basic_author, basic_publish, config, config_admin)
- Fix URL parsing to handle hyphenated org/site names using awk
- Add bulk operations with job tracking and workflow shortcuts
- Remove admin role enforcement - let API return 403 for permission errors
- Add POSIX-compatible shell commands for cross-platform support
- Expand help triggers and improve error handling guidance
- Update README with comprehensive command reference and role documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…ring resource
- Enhanced API documentation across all ops resources with clearer examples
- Added new da.md resource for Document Authoring operations
- Improved parameter descriptions and response formats
- Standardized endpoint documentation structure
- Added .claude-plugin/ to .gitignore
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…ety protocols
Corrects DA API usage (form-data for copy/move/config), documents versioning flow (no restore endpoint — list + get + write back), and adds config update, publish, and secret-creation safety guardrails.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replaces cookie-based x-auth-token authentication with Adobe IMS OAuth Bearer tokens. A single IMS token now works across admin.hlx.page, admin.da.live, and the Config Service. Adds expiry tracking and auto-captures the token via a local HTTP callback (no more manual browser close).
BREAKING CHANGE: storage schema changed (authToken → imsToken + imsTokenExpiry) and header format changed (x-auth-token → Authorization: Bearer). Consumers must re-authenticate on first use.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Updates admin, authoring, development, and handover skills to delegate authentication to the dedicated auth skill instead of performing their own browser-based login flow. Switches API calls from the legacy x-auth-token header to Authorization: Bearer with IMS tokens, and replaces brittle grep-based JSON parsing of project-config.json with proper JSON.parse via node.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…avior
- Replace shell-style ${var} with API path placeholder {var} in apikeys,
secrets, tokens, and users resource tables
- Add missing IMS Bearer auth to sites.json curl examples in code.md and
sites.md
- Document that config POST replaces the entire org/site config (not a
merge) so callers GET → modify → POST the full object
- Correct DA folder delete/copy continuation flow: HTTP 206 with JSON
body and continuation-token form field (not response header)
- Switch DA version restore to form-data upload so it works for both
HTML and JSON files
# Conflicts: # .gitignore
Apply a consistent 3-step gate (state impact → ask yes/no → only execute on
yes) across all destructive operations: cache wildcard purge, code delete,
content delete preview, jobs stop, snapshots remove resource, tokens revoke,
users remove org user, versioning delete/restore, and config-api updates.
DA copy gains the same gate as the existing move flow, and stop job is
upgraded from a one-liner warning. SKILL.md risk table updated to match.
Also fix a doc bug in da.md: copy/move destination must be the full
/{org}/{site}/{path} prefix. Site-relative paths silently return HTTP 204
without performing the operation (verified via live testing on asthabh23).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Three changes bundled together, all driven by live testing against a
non-production org:
1. Drop `--connect-timeout 15 --max-time 120` from every curl example
(22 files). The Bash tool harness already enforces a 120s default
timeout, and the explicit cap was silently failing legitimate slow
operations like bulk publishes and large media uploads.
2. Fix the auto-track polling loop in jobs.md. Progress fields are nested
under `progress` in the API response, not at the top level, so the loop
was always reporting 0/0. Updated the loop and the API reference note.
3. Document accurate response shapes for endpoints that return data:
- apikeys.md / tokens.md: response is keyed-object / array; add
critical warning that empty POST creates a credential with default
role and 1-year expiry, with the secret value returned exactly once.
- logs.md: actual response wraps entries in `{from, to, entries[]}`
with `route` / `method` fields, not flat "Operation".
- snapshots.md: response is `{snapshots: [...], links: {...}}`.
Also drops the leftover doc note in SKILL.md that referenced the removed
curl flags.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds a Sensitive Data Handling section to the ops skill covering redaction defaults, memory rules, and POST safety on credential endpoints. The redaction default applies uniformly across all org types (personal/dev/stage/prod) — customer dev environments hold real PII just like prod.
secrets.md gets the same empty-POST warning and create-confirmation gate already present in apikeys.md and tokens.md, since POST to secrets.json with an empty body creates a real secret on the server.
Verified behavioral compliance in a fresh session: redaction holds on "list users" prompts and credential values are not re-echoed after creation.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
… config to ~/.aem/ops-config.json
All skills now read the IMS token from a single user-level file (~/.aem/ims-token.json) instead of per-project project-config.json. The ops skill uses ~/.aem/ops-config.json for org/site context so it works from any directory. Other skills (handover, authoring, development, admin) retain .claude-plugin/project-config.json for project-level context.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
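
What a consuming skill has to check before it trusts the shared token file, as an added example that is not code from this PR or from the project. The field names `imsToken` and `imsTokenExpiry` come from the commit messages above; treating the expiry as epoch milliseconds, the owner-only permission check, and the names `loadImsToken`, `redact` and `demo` are assumptions made for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Assumption: imsTokenExpiry is epoch milliseconds. Tokens that expire
// within the skew window are treated as already expired.
const SKEW_MS = 60 * 1000;

function redact(token) {
  // Never echo a credential in full; keep a short prefix for correlation only.
  return typeof token === 'string' && token.length > 8 ? `${token.slice(0, 4)}...[redacted]` : '[redacted]';
}

function loadImsToken(file, now = Date.now()) {
  let st, data;
  try {
    st = fs.statSync(file);
    data = JSON.parse(fs.readFileSync(file, 'utf8'));
  } catch (e) {
    return { ok: false, reason: 'token file missing or not valid JSON; re-authenticate' };
  }
  // Assumed hardening check (not stated on the page): owner-only permissions.
  if (process.platform !== 'win32' && (st.mode & 0o077) !== 0) {
    return { ok: false, reason: 'token file is accessible to group/others' };
  }
  const { imsToken, imsTokenExpiry } = data;
  if (typeof imsToken !== 'string' || !imsToken) return { ok: false, reason: 'imsToken missing; re-authenticate' };
  if (!Number.isFinite(imsTokenExpiry) || imsTokenExpiry - SKEW_MS <= now) {
    return { ok: false, reason: 'imsToken expired or expiry missing; re-authenticate' };
  }
  return { ok: true, headers: { Authorization: `Bearer ${imsToken}` }, display: redact(imsToken) };
}

// Constructed sample: a throwaway file standing in for ~/.aem/ims-token.json.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'aem-'));
  const file = path.join(dir, 'ims-token.json');
  const write = (obj, mode) => { fs.writeFileSync(file, JSON.stringify(obj)); fs.chmodSync(file, mode); };
  const now = 1_700_000_000_000;
  write({ imsToken: 'constructed-token-value', imsTokenExpiry: now + 3_600_000 }, 0o600);
  const fresh = loadImsToken(file, now);
  write({ imsToken: 'constructed-token-value', imsTokenExpiry: now - 1 }, 0o600);
  const expired = loadImsToken(file, now);
  write({ imsToken: 'constructed-token-value', imsTokenExpiry: now + 3_600_000 }, 0o644);
  const loose = loadImsToken(file, now);
  fs.rmSync(dir, { recursive: true, force: true });
  return { fresh, expired, loose };
}
```

Callers pass `headers` to the HTTP client and log only `display`, so the bearer token never reaches terminal output or transcripts.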
…tes, fix markdown
- da.md: destination field is site-relative, not full /{org}/{site}/ path
- snapshots.md: add 3-step confirmation for publish-entire and approve
- config-api.md: close missing ** in "Fails if org already exists"
- SKILL.md: add publish/approve snapshot to destructive ops table (HIGH)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Tessl Skill Lint
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Tokens are now stored at ~/.aem/ims-token.json, not in .claude-plugin/project-config.json. Update the gitignore comment in all guide skills to say "contains project config" and update admin skill auth reads to use the new path.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
trieloff
approved these changes
May 29, 2026
🎉 This PR is included in version 1.0.0 🎉 The release is available on:
Your semantic-release bot 📦🚀
Summary
- `~/.aem/ims-token.json`). Auth skill writes here; consuming skills read from here — one login covers all projects.
- `~/.aem/ops-config.json` for org/site context, so it works from any directory without needing a project repo checkout. On each invocation it confirms the stored org with the user.
- `destination` field confirmed to require full `/{org}/{site}/{path}` prefix (site-relative silently fails).

Config layout
- `~/.aem/ims-token.json`
- `~/.aem/ops-config.json`
- `.claude-plugin/project-config.json`

Test plan
- `~/.aem/ims-token.json`
- `~/.aem/ims-token.json` without re-auth
- `~/.aem/ops-config.json` and confirms with user
- `who am i` returns profile via centralised auth
- `/{org}/{site}/` destination against admin.da.live

🤖 Generated with Claude Code