Audit: auth.py exception cascade -- 15 clauses need security-aware review #935

@sergio-sisternes-epam

Summary

src/apm_cli/core/auth.py contains 15 exception handler clauses in a security-critical authentication cascade. Several handlers silently swallow exceptions, which can mask credential resolution failures and make debugging authentication issues extremely difficult.

Context

Identified during Round 2 of the APM codebase quality audit (PR #918 discussion). The Python Architect and APM CEO agreed this requires a dedicated Auth Expert review due to the security sensitivity of the code.

What needs review

  1. Silent exception swallowing: Several except Exception: pass handlers hide credential resolution failures from users and logs
  2. Overly broad catches: Some handlers catch Exception where more specific types (e.g., FileNotFoundError, subprocess.CalledProcessError) would be appropriate
  3. Missing diagnostic logging: When a credential source fails, there is no logger.debug() trace to help users diagnose auth failures
  4. Fallback chain visibility: The cascade tries multiple credential sources (token manager, env vars, git credential helpers) but failures in early sources are invisible

Recommended approach

  • Add logger.debug() to every exception handler so --verbose reveals the credential resolution path
  • Narrow except Exception to the specific exception types each block can actually raise
  • Preserve the existing fallback behaviour -- do NOT change which credential source wins
  • Consider adding a summary log line showing which source ultimately provided the token

Labels

This is an internal quality improvement with no user-facing behaviour change (except better --verbose output).

Related

Labels

  • area/cli: CLI command surface, flags, help text (cross-cutting).
  • priority/low: Accepted but not time-sensitive
  • quality
  • security: Deprecated: use theme/security. Kept for issue history; will be removed in milestone 0.10.0.
  • status/accepted: Direction approved, safe to start work.
  • status/triaged: Initial agentic triage complete; pending maintainer ratification (silence = approval).
  • theme/security: Secure by default. Content scanning, lockfile integrity, MCP trust boundaries.
  • type/refactor: Internal restructure, no behavior change.

    Type

    No type

    Projects

    Status

    Todo

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
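A sketch of the pattern the recommended approach describes, added here as an illustration and not taken from src/apm_cli/core/auth.py: each credential source declares the exception types it can raise, every failure is traced at debug level without the token value, and one summary line names the winning source. All function names, the logger name and the source ordering are hypothetical.

```python
import logging
import os
import subprocess

logger = logging.getLogger("auth_cascade_example")  # hypothetical logger name


def token_from_file(path):
    # Hypothetical stand-in for a token-manager lookup.
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip() or None


def token_from_env(var, env=None):
    return (os.environ if env is None else env).get(var) or None


def token_from_git_helper(host, git="git"):
    # `git credential fill` reads a description on stdin, prints key=value lines.
    out = subprocess.run(
        [git, "credential", "fill"],
        input=f"protocol=https\nhost={host}\n\n",
        capture_output=True, text=True, check=True, timeout=10,
        env={**os.environ, "GIT_TERMINAL_PROMPT": "0"},  # never block on a prompt
    ).stdout
    for line in out.splitlines():
        if line.startswith("password="):
            return line[len("password="):] or None
    return None


def resolve_token(sources):
    """sources: ordered (name, lookup, expected_exceptions) triples."""
    for name, lookup, expected in sources:
        try:
            token = lookup()
        except expected as exc:
            # Narrow catch: only failures this source is known to raise;
            # anything else propagates. Log type and message, never a token.
            logger.debug("auth source %s failed: %s: %s", name, type(exc).__name__, exc)
            continue
        if token:
            logger.debug("auth token provided by source: %s", name)
            return name, token
        logger.debug("auth source %s returned no token", name)
    logger.debug("auth: no source provided a token")
    return None, None
```

The order of the `sources` list is the only thing that decides which credential wins, so adding the logging does not change the fallback behaviour.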