feat(analyze): private GitHub repos via PAT + Azure DevOps Server support (#2076, #2210) #2223

Summary

Combines two community contributions onto current main as one mergeable branch, with conflicts resolved and original authors credited as co-authors:

• #2076 — optional Personal Access Token for cloning private GitHub repos (by @apecia-kenghzou)
• #2210 — Azure DevOps Server (on-premise) + cloud repository support (by @cagriman)

Both PRs touched the same files (git-clone.ts, api.ts, RepoAnalyzer.tsx, the locale JSON, and git-clone.test.ts); #2076 also conflicted with main after its /api/analyze refactor. This branch resolves all of that in one place.

What each feature does

Private GitHub repos (#2076). An optional PAT field on the GitHub mode of the analyze form. The token travels form → POST /api/analyze → cloneOrPull and is injected into git via the GIT_CONFIG_* env protocol (http.extraHeader = "Authorization: Basic …"), so it never appears in argv, the URL, or the process listing. Transient (form state only), never persisted, cleared on mode change, cancel, and completion. Backend validates token shape (1–256 chars, restricted charset) to block CRLF header smuggling.

Azure DevOps (#2210). resolveRemoteUrl detects the _git path pattern for self-hosted (AZURE_DEVOPS_URL) and cloud (dev.azure.com / *.visualstudio.com) instances, injecting a PAT from AZURE_DEVOPS_PAT via -c http.extraHeader (scoped to the single git invocation, never written to .git/config). New Azure DevOps onboarding tab in RepoAnalyzer, the AzureDevops icon, i18n strings (en, zh-CN), and .env.example docs.

Conflict resolution notes

• git-clone.ts — runGit now takes a single options bag { token?, url? } carrying both mechanisms: token → buildGitEnv (env-based GitHub PAT), url → buildAuthArgs (arg-based Azure PAT). The two auth paths are independent; a request may use either, both, or neither.
• api.ts — re-threaded #2076's token destructuring + validation onto main's refactored /api/analyze route (kept requireLocalhostOrigin and the simplified path validation), and threaded the token into the actual cloneOrPull call.
• RepoAnalyzer.tsx — kept main's extracted trackJob helper and re-homed the GitHub-token reset into it; the GitHub-token UI and the Azure tab/input coexist.

Testing

• npx tsc --noEmit clean (gitnexus) and npx tsc -b --noEmit clean (gitnexus-web)
• git-clone.test.ts 78/78 (covers buildGitEnv token injection + isAzureDevOpsUrl / Azure URL handling)
• rate-limit.test.ts 23/23
• pre-commit gate (prettier + eslint + tsc, both packages) passed

Relationship to existing PRs

Supersedes #2076 and #2210 — once this merges, both can be closed. Credit is preserved via Co-authored-by trailers on each commit.

🤖 Generated with Claude Code

🎬 Cutter preview — PR #2223

Select Azure DevOps tab — Azure DevOps tab adds a repository URL input for analyzing Azure-hosted repos.

Enter Azure DevOps Repository URL — Repo analyzer now accepts Azure DevOps URLs, with live validation on the pasted link.