tmeckel · tmeckel · Oct 24, 2025 · Oct 24, 2025 · Oct 24, 2025 · Oct 24, 2025
diff --git a/docs/azdo_graph_user_list.md b/docs/azdo_graph_user_list.md
@@ -28,7 +28,7 @@ prefix-based filtering on user display names.
 
 	Output JSON with the specified fields. Prefix a field with &#39;-&#39; to exclude it.
 
-* `-L`, `--limit` `int`
+* `-L`, `--limit` `int` (default `20`)
 
 	Maximum number of users to return (pagination client-side)
 

diff --git a/docs/azdo_help_reference.md b/docs/azdo_help_reference.md
@@ -655,13 +655,13 @@ p, perm, permissions
 
 #### `azdo security permission list [TARGET] [flags]`
 
-List security ACLs for a namespace, optionally filtered by subject.
+List security ACEs for a namespace, optionally filtered by subject.
 
 ```
 -q, --jq expression         Filter JSON output using a jq expression
     --json fields[=*]       Output JSON with the specified fields. Prefix a field with '-' to exclude it.
 -n, --namespace-id string   ID of the security namespace to query (required).
-    --recurse               Include child ACLs for the specified token when supported.
+    --recurse               Include child ACEs for the specified token when supported.
 -t, --template string       Format JSON output using a Go template; see "azdo help formatting"
     --token string          Security token to filter the results.
 ```
@@ -715,6 +715,24 @@ Aliases
 s
 ```
 
+#### `azdo security permission show <TARGET> [flags]`
+
+Show permissions for a user or group.
+
+```
+-q, --jq expression         Filter JSON output using a jq expression
+    --json fields[=*]       Output JSON with the specified fields. Prefix a field with '-' to exclude it.
+-n, --namespace-id string   ID of the security namespace to query (required).
+-t, --template string       Format JSON output using a Go template; see "azdo help formatting"
+    --token string          Security token to query (required).
+```
+
+Aliases
+
+```
+s
+```
+
 
 
 ### See also

diff --git a/docs/azdo_pr_comment.md b/docs/azdo_pr_comment.md
@@ -17,7 +17,7 @@ If there are more than one pull request associated with the current branch, one
 
 	Comment to add to the pull request. Use &#39;-&#39; to read from stdin.
 
-* `-t`, `--thread` `int`
+* `-t`, `--thread` `int` (default `0`)
 
 	ID of the thread to reply to.
 

diff --git a/docs/azdo_pr_diff.md b/docs/azdo_pr_diff.md
@@ -14,7 +14,7 @@ If there are more than one pull request associated with the current branch, one
 ### Options
 
 
-* `--color` `string`
+* `--color` `string` (default `&#34;auto&#34;`)
 
 	Use color in diff output: {always|never|auto}
 

diff --git a/docs/azdo_pr_list.md b/docs/azdo_pr_list.md
@@ -38,7 +38,7 @@ List pull requests in a Azure DevOps repository or project.
 
 	Filter by label
 
-* `-L`, `--limit` `int`
+* `-L`, `--limit` `int` (default `30`)
 
 	Maximum number of items to fetch
 
@@ -50,7 +50,7 @@ List pull requests in a Azure DevOps repository or project.
 
 	Filter by reviewer
 
-* `-s`, `--state` `string`
+* `-s`, `--state` `string` (default `&#34;active&#34;`)
 
 	Filter by state: {abandoned|active|all|completed}
 

diff --git a/docs/azdo_pr_merge.md b/docs/azdo_pr_merge.md
@@ -19,15 +19,15 @@ If required checks have not yet passed, auto-complete will be enabled.
 
 	Delete the source branch after merging
 
-* `--merge-strategy` `string`
+* `--merge-strategy` `string` (default `&#34;NoFastForward&#34;`)
 
 	Merge strategy to use: {noFastForward|squash|rebase|rebaseMerge}
 
 * `-m`, `--message` `string`
 
 	Message to include when completing the pull request
 
-* `--transition-work-items`
+* `--transition-work-items` (default `true`)
 
 	Transition linked work item statuses upon merging
 

diff --git a/docs/azdo_pr_view.md b/docs/azdo_pr_view.md
@@ -13,11 +13,11 @@ is displayed.
 ### Options
 
 
-* `--comment-sort` `string`
+* `--comment-sort` `string` (default `&#34;desc&#34;`)
 
 	Sort comments by creation time; defaults to &#39;desc&#39; (newest first): {desc|asc}
 
-* `--comment-type` `string`
+* `--comment-type` `string` (default `&#34;text&#34;`)
 
 	Filter comments by type; defaults to &#39;text&#39;: {text|system|all}
 

diff --git a/docs/azdo_pr_vote.md b/docs/azdo_pr_vote.md
@@ -12,7 +12,7 @@ Without an argument, the pull request associated with the current branch is sele
 ### Options
 
 
-* `--vote` `string`
+* `--vote` `string` (default `&#34;approve&#34;`)
 
 	Vote value to set: {approve|approve-with-suggestions|reject|reset|wait-for-author}
 

diff --git a/docs/azdo_project_create.md b/docs/azdo_project_create.md
@@ -32,27 +32,27 @@ If the organization name is omitted from the project argument, the default confi
 
 	Output JSON with the specified fields. Prefix a field with &#39;-&#39; to exclude it.
 
-* `--max-wait` `int`
+* `--max-wait` `int` (default `3600`)
 
 	Maximum wait time in seconds
 
 * `--no-wait`
 
 	Do not wait for the project to be created
 
-* `-p`, `--process` `string`
+* `-p`, `--process` `string` (default `&#34;Agile&#34;`)
 
 	Process to use (e.g., Scrum, Agile, CMMI)
 
-* `-s`, `--source-control` `string`
+* `-s`, `--source-control` `string` (default `&#34;git&#34;`)
 
 	Source control type (git or tfvc)
 
 * `-t`, `--template` `string`
 
 	Format JSON output using a Go template; see &#34;azdo help formatting&#34;
 
-* `--visibility` `string`
+* `--visibility` `string` (default `&#34;private&#34;`)
 
 	Project visibility (private or public)
 

diff --git a/docs/azdo_project_delete.md b/docs/azdo_project_delete.md
@@ -17,7 +17,7 @@ azdo project delete [ORGANIZATION/]PROJECT [flags]
 
 	Output JSON with the specified fields. Prefix a field with &#39;-&#39; to exclude it.
 
-* `--max-wait` `int`
+* `--max-wait` `int` (default `3600`)
 
 	Maximum wait time in seconds
 

diff --git a/docs/azdo_project_list.md b/docs/azdo_project_list.md
@@ -9,11 +9,11 @@ azdo project list [organization] [flags]
 ### Options
 
 
-* `--format` `string`
+* `--format` `string` (default `&#34;table&#34;`)
 
 	Output format: {json}
 
-* `-l`, `--limit` `int`
+* `-l`, `--limit` `int` (default `30`)
 
 	Maximum number of projects to fetch
 

diff --git a/docs/azdo_repo_clone.md b/docs/azdo_repo_clone.md
@@ -22,7 +22,7 @@ or the value from the AZDO_ORGANIZATION environment variable.
 
 	Update all submodules after checkout
 
-* `-u`, `--upstream-remote-name` `string`
+* `-u`, `--upstream-remote-name` `string` (default `&#34;upstream&#34;`)
 
 	Upstream remote name when cloning a fork
 

diff --git a/docs/azdo_repo_list.md b/docs/azdo_repo_list.md
@@ -9,15 +9,15 @@ azdo repo list [organization/]<project> [flags]
 ### Options
 
 
-* `--format` `string`
+* `--format` `string` (default `&#34;table&#34;`)
 
 	Output format: {json}
 
 * `--include-hidden`
 
 	Include hidden repositories
 
-* `-L`, `--limit` `int`
+* `-L`, `--limit` `int` (default `30`)
 
 	Maximum number of repositories to list
 

diff --git a/docs/azdo_security_group_membership_list.md b/docs/azdo_security_group_membership_list.md
@@ -17,7 +17,7 @@ azdo security group membership list [ORGANIZATION/]GROUP | [ORGANIZATION/]PROJEC
 
 	Output JSON with the specified fields. Prefix a field with &#39;-&#39; to exclude it.
 
-* `-r`, `--relationship` `string`
+* `-r`, `--relationship` `string` (default `&#34;members&#34;`)
 
 	Relationship type: members or memberof: {members|memberof}
 

diff --git a/docs/azdo_security_permission.md b/docs/azdo_security_permission.md
@@ -6,6 +6,7 @@ Manage Azure DevOps security permissions.
 
 * [azdo security permission list](./azdo_security_permission_list.md)
 * [azdo security permission namespace](./azdo_security_permission_namespace.md)
+* [azdo security permission show](./azdo_security_permission_show.md)
 
 ### ALIASES
 

diff --git a/docs/azdo_security_permission_list.md b/docs/azdo_security_permission_list.md
@@ -8,9 +8,9 @@ List security access control entries (ACEs) for an Azure DevOps security namespa
 
 Accepted TARGET formats:
   - (empty)                        → use the default organization
-  - ORGANIZATION                   → list all ACLs for the namespace in the organization
-  - ORGANIZATION/SUBJECT           → list ACLs for the specified subject
-  - ORGANIZATION/PROJECT/SUBJECT   → list ACLs for the subject scoped to the project
+  - ORGANIZATION                   → list all ACEs for the namespace in the organization
+  - ORGANIZATION/SUBJECT           → list ACEs for the specified subject
+  - ORGANIZATION/PROJECT/SUBJECT   → list ACEs for the subject scoped to the project
 
 
 ### Options
@@ -30,7 +30,7 @@ Accepted TARGET formats:
 
 * `--recurse`
 
-	Include child ACLs for the specified token when supported.
+	Include child ACEs for the specified token when supported.
 
 * `-t`, `--template` `string`
 
@@ -53,16 +53,16 @@ Accepted TARGET formats:
 ### Examples
 
 ```bash
-# List all ACLs for a namespace using the default organization
+# List all ACEs for a namespace using the default organization
 azdo security permission list --namespace-id 5a27515b-ccd7-42c9-84f1-54c998f03866
 
-# List all ACLs for a namespace in an explicit organization
+# List all ACEs for a namespace in an explicit organization
 azdo security permission list fabrikam --namespace-id 5a27515b-ccd7-42c9-84f1-54c998f03866
 
 # List all tokens for a specific user
 azdo security permission list fabrikam/contoso@example.com --namespace-id 5a27515b-ccd7-42c9-84f1-54c998f03866
 
-# List ACLs for a project-scoped group
+# List ACEs for a project-scoped group
 azdo security permission list fabrikam/ProjectAlpha/vssgp.Uy0xLTktMTIzNDU2 --namespace-id 5a27515b-ccd7-42c9-84f1-54c998f03866 --recurse
 ```
 

diff --git a/docs/azdo_security_permission_show.md b/docs/azdo_security_permission_show.md
@@ -0,0 +1,58 @@
+## Command `azdo security permission show`
+
+```
+azdo security permission show <TARGET> [flags]
+```
+
+Show the explicit and effective permissions for a user or group on a specific securable resource (identified by a token).
+
+Accepted TARGET formats:
+  - ORGANIZATION/SUBJECT           → show permissions for the specified subject
+  - ORGANIZATION/PROJECT/SUBJECT   → show permissions for the subject scoped to the project
+
+
+### Options
+
+
+* `-q`, `--jq` `expression`
+
+	Filter JSON output using a jq expression
+
+* `--json` `fields`
+
+	Output JSON with the specified fields. Prefix a field with &#39;-&#39; to exclude it.
+
+* `-n`, `--namespace-id` `string`
+
+	ID of the security namespace to query (required).
+
+* `-t`, `--template` `string`
+
+	Format JSON output using a Go template; see &#34;azdo help formatting&#34;
+
+* `--token` `string`
+
+	Security token to query (required).
+
+
+### ALIASES
+
+- `s`
+
+### JSON Fields
+
+`allow`, `deny`, `descriptor`, `effectiveAllow`, `effectiveDeny`, `inheritPermissions`, `inheritedAllow`, `inheritedDeny`, `token`
+
+### Examples
+
+```bash
+# Show permissions for a user
+azdo security permission show fabrikam/contoso@example.com --namespace-id 5a27515b-ccd7-42c9-84f1-54c998f03866 --token /projects/a6880f5a-60e1-4103-89f2-69533e4d139f
+
+# Show permissions for a project-scoped group
+azdo security permission show fabrikam/ProjectAlpha/vssgp.Uy0xLTktMTIzNDU2 --namespace-id 33344d9c-fc72-4d6f-aba5-fa317101a7e9 --token /
+```
+
+### See also
+
+* [azdo security permission](./azdo_security_permission.md)
diff --git a/internal/azdo/extensions/extension.go b/internal/azdo/extensions/extension.go
@@ -22,6 +22,8 @@ type Client interface {
 	// FindGroupsByDisplayName locates Azure DevOps security groups that match the provided display name,
 	// optionally scoped to a project descriptor, and returns their full details.
 	FindGroupsByDisplayName(ctx context.Context, displayName string, scopeDescriptor *string) ([]*graph.GraphGroup, error)
+	// ResolveMemberDescriptor resolves a member identifier (descriptor, email, or principal name) into a graph subject descriptor.
+	ResolveMemberDescriptor(ctx context.Context, member string) (*graph.GraphSubject, error)
 }
 
 type extensionClient struct {