Route ADO API host derivation through a tested helper (groundwork for on-prem, #12)

Extract the inline organization-URL normalization and the hardcoded
dev.azure.com subdomain derivation into a single Resolve-AdoApiHosts helper.

- Cloud (Azure DevOps Services) behavior is preserved exactly and pinned by
  tests (short name, dev.azure.com URL, *.visualstudio.com URL).
- On-prem (Azure DevOps Server) collection URLs are now recognized and produce
  collection-relative API hosts instead of the broken
  vssps.dev.azure.com/<full-url> strings the old inline code produced.
- A run against an on-prem URL emits a warning that this path is experimental.

EXPERIMENTAL / RFC: this addresses URL derivation only. On-prem auth still uses
an Entra ID token via 'az account get-access-token' (typically rejected on-prem;
PAT support is the remaining blocker), and Services-only checks (e.g. audit log
streaming) will report NOT CHECKED. Opening as groundwork for #12.

Author: ngtanthanh-qc

CHANGELOG.md

@@ -8,6 +8,7 @@ and this project adheres to Semantic Versioning.
 ## [Unreleased]
 
 ### Added
+- Experimental Azure DevOps Server (on-prem) URL handling: organization/collection input is now routed through a single, tested `Resolve-AdoApiHosts` helper that derives the graph/extension/audit/feeds API hosts. Cloud behavior is unchanged; on-prem collection URLs derive collection-relative hosts. NOTE: on-prem authentication (PAT) and Services-only checks are not yet supported — see issue #12.
 - Executive summary now includes an Organization Extensions section that lists all extensions with Installed vs Default classification and installed-first ordering.
 - Top navigation now includes an Extensions anchor placed before Run Comparison for faster access to extension findings.
 

invoke-adoqr.ps1

@@ -5529,6 +5529,78 @@ function Import-AdoqrSettings {
     return $settings
 }
 
+function Resolve-AdoApiHosts {
+    <#
+    .SYNOPSIS
+        Derives the organization URL plus the specialized ADO REST API host URLs
+        from the -Organization input.
+    .DESCRIPTION
+        Azure DevOps Services (cloud) serves several APIs from dedicated
+        subdomains keyed by org short name: vssps (graph/identity), extmgmt
+        (extensions), auditservice (audit log), and feeds (packaging). Azure
+        DevOps Server (on-premises) has no such subdomains — those APIs are
+        served collection-relative under the same host. Centralizing the mapping
+        here keeps the rest of the script host-agnostic.
+
+        EXPERIMENTAL: on-prem support here covers URL derivation only. It does
+        NOT yet solve authentication — the script still acquires an Entra ID
+        (AAD) bearer token via `az account get-access-token`, which a typical
+        on-prem deployment will not accept (those use PAT/Windows auth). Some
+        controls (e.g. audit log streaming) are Services-only features with no
+        on-prem equivalent and are expected to report NOT CHECKED. See issue #12.
+    .PARAMETER Organization
+        The -Organization value: a short name, a cloud org URL
+        (https://dev.azure.com/org or https://org.visualstudio.com), or an
+        on-prem collection URL (e.g. https://server/tfs/DefaultCollection).
+    .OUTPUTS
+        Hashtable with keys OrgUrl, OrgShortName, VsspsUrl, ExtMgmtUrl,
+        AuditUrl, FeedsUrl, and IsOnPrem.
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory)][string]$Organization
+    )
+
+    # A bare short name always refers to the cloud service.
+    if ($Organization -notmatch '^https?://') {
+        $orgUrl = "https://dev.azure.com/$Organization"
+    }
+    else {
+        $orgUrl = $Organization.TrimEnd('/')
+    }
+
+    $isCloud = ($orgUrl -match '^https?://dev\.azure\.com/') -or
+               ($orgUrl -match '^https?://[^/]+\.visualstudio\.com')
+
+    if ($isCloud) {
+        $orgShortName = $orgUrl -replace '^https?://dev\.azure\.com/', '' -replace '^https?://([^.]+)\.visualstudio\.com.*', '$1'
+        return @{
+            OrgUrl       = $orgUrl
+            OrgShortName = $orgShortName
+            VsspsUrl     = "https://vssps.dev.azure.com/$orgShortName"
+            ExtMgmtUrl   = "https://extmgmt.dev.azure.com/$orgShortName"
+            AuditUrl     = "https://auditservice.dev.azure.com/$orgShortName"
+            FeedsUrl     = "https://feeds.dev.azure.com/$orgShortName"
+            IsOnPrem     = $false
+        }
+    }
+
+    # On-prem Azure DevOps Server: graph and packaging APIs are collection-
+    # relative under the same host, so the collection URL is the base for all of
+    # them. Extension management and audit have no standard on-prem endpoint, so
+    # reuse the collection URL and let those specific checks degrade gracefully.
+    $orgShortName = ($orgUrl -split '/') | Where-Object { $_ } | Select-Object -Last 1
+    return @{
+        OrgUrl       = $orgUrl
+        OrgShortName = $orgShortName
+        VsspsUrl     = $orgUrl
+        ExtMgmtUrl   = $orgUrl
+        AuditUrl     = $orgUrl
+        FeedsUrl     = $orgUrl
+        IsOnPrem     = $true
+    }
+}
+
 #endregion
 
 #region Main
@@ -5540,21 +5612,22 @@ if ($_userSettings.ContainsKey('InactiveRepoDays')) {
     Write-Verbose "Settings: InactiveRepoDays overridden to $($script:InactiveRepoDays) (from adoqr.settings.psd1)"
 }
 
-# Normalize organization URL
-if ($Organization -notmatch '^https?://') {
-    $OrgUrl = "https://dev.azure.com/$Organization"
-} else {
-    $OrgUrl = $Organization.TrimEnd('/')
+# Normalize organization URL and derive the specialized ADO REST API hosts.
+# Cloud uses dedicated subdomains; on-prem Azure DevOps Server serves them
+# collection-relative (experimental — see Resolve-AdoApiHosts and issue #12).
+$adoHosts          = Resolve-AdoApiHosts -Organization $Organization
+$OrgUrl            = $adoHosts.OrgUrl
+$OrgShortName      = $adoHosts.OrgShortName
+$script:VsspsUrl   = $adoHosts.VsspsUrl
+$script:ExtMgmtUrl = $adoHosts.ExtMgmtUrl
+$script:AuditUrl   = $adoHosts.AuditUrl
+$script:FeedsUrl   = $adoHosts.FeedsUrl
+$script:IsOnPrem   = $adoHosts.IsOnPrem
+
+if ($script:IsOnPrem) {
+    Write-Warning "On-prem Azure DevOps Server URL detected ($OrgUrl). On-prem support is experimental: authentication still uses an Entra ID token via 'az login' (typically rejected on-prem), and Services-only checks such as audit log streaming will report NOT CHECKED. See https://github.com/microsoft/adoqr/issues/12."
 }
 
-$OrgShortName = $OrgUrl -replace '^https?://dev\.azure\.com/', '' -replace '^https?://([^.]+)\.visualstudio\.com.*', '$1'
-
-# Subdomain URLs for specialized ADO REST APIs
-$script:VsspsUrl   = "https://vssps.dev.azure.com/$OrgShortName"
-$script:ExtMgmtUrl = "https://extmgmt.dev.azure.com/$OrgShortName"
-$script:AuditUrl   = "https://auditservice.dev.azure.com/$OrgShortName"
-$script:FeedsUrl   = "https://feeds.dev.azure.com/$OrgShortName"
-
 # Ensure output directory exists — create timestamped subfolder per run
 $timestamp = Get-Date -Format "yyyy-MM-dd-HHmmss"
 $orgSafeForPath = ($OrgShortName -replace '[^a-zA-Z0-9\-]', '-').ToLower().Trim('-')

tests/ApiHosts.Tests.ps1

@@ -0,0 +1,58 @@
+#Requires -Modules @{ ModuleName = 'Pester'; ModuleVersion = '5.0.0' }
+
+BeforeAll {
+    . $PSScriptRoot/_Bootstrap.ps1
+}
+
+Describe 'Resolve-AdoApiHosts' {
+    Context 'Azure DevOps Services (cloud)' {
+        # These cases pin the exact behavior of the previous inline derivation
+        # so the refactor cannot regress the cloud path.
+        It 'expands a bare short name to the dev.azure.com org URL and subdomains' {
+            $h = Resolve-AdoApiHosts -Organization 'MyOrg'
+            $h.OrgUrl       | Should -Be 'https://dev.azure.com/MyOrg'
+            $h.OrgShortName | Should -Be 'MyOrg'
+            $h.VsspsUrl     | Should -Be 'https://vssps.dev.azure.com/MyOrg'
+            $h.ExtMgmtUrl   | Should -Be 'https://extmgmt.dev.azure.com/MyOrg'
+            $h.AuditUrl     | Should -Be 'https://auditservice.dev.azure.com/MyOrg'
+            $h.FeedsUrl     | Should -Be 'https://feeds.dev.azure.com/MyOrg'
+            $h.IsOnPrem     | Should -BeFalse
+        }
+
+        It 'accepts a full dev.azure.com org URL and trims a trailing slash' {
+            $h = Resolve-AdoApiHosts -Organization 'https://dev.azure.com/MyOrg/'
+            $h.OrgUrl       | Should -Be 'https://dev.azure.com/MyOrg'
+            $h.OrgShortName | Should -Be 'MyOrg'
+            $h.VsspsUrl     | Should -Be 'https://vssps.dev.azure.com/MyOrg'
+            $h.IsOnPrem     | Should -BeFalse
+        }
+
+        It 'maps a legacy *.visualstudio.com URL to the short name' {
+            $h = Resolve-AdoApiHosts -Organization 'https://myorg.visualstudio.com'
+            $h.OrgShortName | Should -Be 'myorg'
+            $h.VsspsUrl     | Should -Be 'https://vssps.dev.azure.com/myorg'
+            $h.FeedsUrl     | Should -Be 'https://feeds.dev.azure.com/myorg'
+            $h.IsOnPrem     | Should -BeFalse
+        }
+    }
+
+    Context 'Azure DevOps Server (on-prem, experimental)' {
+        It 'treats a collection URL as on-prem and serves APIs collection-relative' {
+            $h = Resolve-AdoApiHosts -Organization 'https://tfs.contoso.com/DefaultCollection'
+            $h.OrgUrl       | Should -Be 'https://tfs.contoso.com/DefaultCollection'
+            $h.OrgShortName | Should -Be 'DefaultCollection'
+            $h.VsspsUrl     | Should -Be 'https://tfs.contoso.com/DefaultCollection'
+            $h.ExtMgmtUrl   | Should -Be 'https://tfs.contoso.com/DefaultCollection'
+            $h.FeedsUrl     | Should -Be 'https://tfs.contoso.com/DefaultCollection'
+            $h.IsOnPrem     | Should -BeTrue
+        }
+
+        It 'handles a /tfs/ virtual directory and trailing slash' {
+            $h = Resolve-AdoApiHosts -Organization 'https://server/tfs/MyCollection/'
+            $h.OrgUrl       | Should -Be 'https://server/tfs/MyCollection'
+            $h.OrgShortName | Should -Be 'MyCollection'
+            $h.VsspsUrl     | Should -Be 'https://server/tfs/MyCollection'
+            $h.IsOnPrem     | Should -BeTrue
+        }
+    }
+}

tests/_Bootstrap.ps1

@@ -35,6 +35,7 @@ $wantedFns = @(
     'Get-AdoqrHeaderCss'
     'Get-AdoqrHeaderHtml'
     'Import-AdoqrSettings'
+    'Resolve-AdoApiHosts'
 )
 
 $funcs = $tree.FindAll({