@aspruyt/xfg 3.1.3 → 3.1.5

package/dist/authenticated-git-ops.d.ts

@@ -0,0 +1,119 @@
+import { GitOps } from "./git-ops.js";
+/**
+ * Options for authenticated git operations.
+ */
+export interface GitAuthOptions {
+    /** Access token for authentication */
+    token: string;
+    /** Git host (e.g., "github.com", "github.mycompany.com") */
+    host: string;
+    /** Repository owner */
+    owner: string;
+    /** Repository name */
+    repo: string;
+}
+/**
+ * Interface for authenticated git operations.
+ * Enables proper mocking in tests without relying on class inheritance.
+ */
+export interface IAuthenticatedGitOps {
+    clone(gitUrl: string): Promise<void>;
+    fetch(options?: {
+        prune?: boolean;
+    }): Promise<void>;
+    push(branchName: string, options?: {
+        force?: boolean;
+    }): Promise<void>;
+    getDefaultBranch(): Promise<{
+        branch: string;
+        method: string;
+    }>;
+    lsRemote(branchName: string, options?: {
+        skipRetry?: boolean;
+    }): Promise<string>;
+    pushRefspec(refspec: string, options?: {
+        delete?: boolean;
+    }): Promise<void>;
+    fetchBranch(branchName: string): Promise<void>;
+    cleanWorkspace(): void;
+    createBranch(branchName: string): Promise<void>;
+    writeFile(fileName: string, content: string): void;
+    setExecutable(fileName: string): Promise<void>;
+    getFileContent(fileName: string): string | null;
+    wouldChange(fileName: string, content: string): boolean;
+    hasChanges(): Promise<boolean>;
+    getChangedFiles(): Promise<string[]>;
+    hasStagedChanges(): Promise<boolean>;
+    fileExistsOnBranch(fileName: string, branch: string): Promise<boolean>;
+    fileExists(fileName: string): boolean;
+    deleteFile(fileName: string): void;
+    commit(message: string): Promise<boolean>;
+}
+/**
+ * Wrapper around GitOps that adds authentication to network operations.
+ *
+ * When auth options are provided, network operations (clone, fetch, push,
+ * getDefaultBranch) use `-c url.insteadOf` to override credentials per-command.
+ * This allows different tokens for different repos without global git config.
+ *
+ * Local operations (commit, writeFile, etc.) pass through unchanged.
+ */
+export declare class AuthenticatedGitOps implements IAuthenticatedGitOps {
+    private gitOps;
+    private auth?;
+    private executor;
+    private workDir;
+    private retries;
+    constructor(gitOps: GitOps, auth?: GitAuthOptions);
+    private execWithRetry;
+    /**
+     * Build the authenticated remote URL.
+     */
+    private getAuthenticatedUrl;
+    clone(gitUrl: string): Promise<void>;
+    fetch(options?: {
+        prune?: boolean;
+    }): Promise<void>;
+    push(branchName: string, options?: {
+        force?: boolean;
+    }): Promise<void>;
+    getDefaultBranch(): Promise<{
+        branch: string;
+        method: string;
+    }>;
+    /**
+     * Execute ls-remote with authentication.
+     * Used by GraphQLCommitStrategy to check if branch exists on remote.
+     *
+     * @param options.skipRetry - If true, don't retry on failure. Use when checking
+     *   branch existence where failure is expected for new branches.
+     */
+    lsRemote(branchName: string, options?: {
+        skipRetry?: boolean;
+    }): Promise<string>;
+    /**
+     * Execute push with custom refspec (e.g., HEAD:branchName).
+     * Used by GraphQLCommitStrategy for creating/deleting remote branches.
+     */
+    pushRefspec(refspec: string, options?: {
+        delete?: boolean;
+    }): Promise<void>;
+    /**
+     * Fetch a specific branch from remote.
+     * Used by GraphQLCommitStrategy to update local refs.
+     */
+    fetchBranch(branchName: string): Promise<void>;
+    cleanWorkspace(): void;
+    createBranch(branchName: string): Promise<void>;
+    writeFile(fileName: string, content: string): void;
+    setExecutable(fileName: string): Promise<void>;
+    getFileContent(fileName: string): string | null;
+    wouldChange(fileName: string, content: string): boolean;
+    hasChanges(): Promise<boolean>;
+    getChangedFiles(): Promise<string[]>;
+    hasStagedChanges(): Promise<boolean>;
+    fileExistsOnBranch(fileName: string, branch: string): Promise<boolean>;
+    fileExists(fileName: string): boolean;
+    deleteFile(fileName: string): void;
+    commit(message: string): Promise<boolean>;
+}

package/dist/authenticated-git-ops.js

@@ -0,0 +1,177 @@
+import { escapeShellArg } from "./shell-utils.js";
+import { defaultExecutor } from "./command-executor.js";
+import { withRetry } from "./retry-utils.js";
+/**
+ * Wrapper around GitOps that adds authentication to network operations.
+ *
+ * When auth options are provided, network operations (clone, fetch, push,
+ * getDefaultBranch) use `-c url.insteadOf` to override credentials per-command.
+ * This allows different tokens for different repos without global git config.
+ *
+ * Local operations (commit, writeFile, etc.) pass through unchanged.
+ */
+export class AuthenticatedGitOps {
+    gitOps;
+    auth;
+    executor;
+    workDir;
+    retries;
+    constructor(gitOps, auth) {
+        this.gitOps = gitOps;
+        this.auth = auth;
+        // Extract executor and workDir from gitOps via reflection
+        const internal = gitOps;
+        this.executor = internal.executor ?? defaultExecutor;
+        this.workDir = internal.workDir ?? ".";
+        this.retries = internal.retries ?? 3;
+    }
+    async execWithRetry(command) {
+        return withRetry(() => this.executor.exec(command, this.workDir), {
+            retries: this.retries,
+        });
+    }
+    // ============================================================
+    // Network operations - use authenticated command when token provided
+    // ============================================================
+    /**
+     * Build the authenticated remote URL.
+     */
+    getAuthenticatedUrl() {
+        const { token, host, owner, repo } = this.auth;
+        return `https://x-access-token:${token}@${host}/${owner}/${repo}`;
+    }
+    async clone(gitUrl) {
+        if (!this.auth) {
+            return this.gitOps.clone(gitUrl);
+        }
+        // Clone using authenticated URL directly - no insteadOf needed
+        const authUrl = escapeShellArg(this.getAuthenticatedUrl());
+        await this.execWithRetry(`git clone ${authUrl} .`);
+    }
+    async fetch(options) {
+        if (!this.auth) {
+            return this.gitOps.fetch(options);
+        }
+        // Remote URL already has auth from clone, just fetch
+        const pruneFlag = options?.prune ? " --prune" : "";
+        await this.execWithRetry(`git fetch origin${pruneFlag}`);
+    }
+    async push(branchName, options) {
+        if (!this.auth) {
+            return this.gitOps.push(branchName, options);
+        }
+        // Remote URL already has auth from clone, just push
+        const forceFlag = options?.force ? "--force-with-lease " : "";
+        const safeBranch = escapeShellArg(branchName);
+        await this.execWithRetry(`git push ${forceFlag}-u origin ${safeBranch}`);
+    }
+    async getDefaultBranch() {
+        if (!this.auth) {
+            return this.gitOps.getDefaultBranch();
+        }
+        // Network operation - remote URL already has auth from clone
+        try {
+            const remoteInfo = await this.execWithRetry(`git remote show origin`);
+            const match = remoteInfo.match(/HEAD branch: (\S+)/);
+            if (match) {
+                return { branch: match[1], method: "remote HEAD" };
+            }
+        }
+        catch {
+            // Fall through to local checks
+        }
+        // Local operations don't need auth
+        try {
+            await this.executor.exec("git rev-parse --verify origin/main", this.workDir);
+            return { branch: "main", method: "origin/main exists" };
+        }
+        catch {
+            // Continue
+        }
+        try {
+            await this.executor.exec("git rev-parse --verify origin/master", this.workDir);
+            return { branch: "master", method: "origin/master exists" };
+        }
+        catch {
+            // Continue
+        }
+        return { branch: "main", method: "fallback default" };
+    }
+    /**
+     * Execute ls-remote with authentication.
+     * Used by GraphQLCommitStrategy to check if branch exists on remote.
+     *
+     * @param options.skipRetry - If true, don't retry on failure. Use when checking
+     *   branch existence where failure is expected for new branches.
+     */
+    async lsRemote(branchName, options) {
+        // Remote URL already has auth from clone
+        const safeBranch = escapeShellArg(branchName);
+        const command = `git ls-remote --exit-code --heads origin ${safeBranch}`;
+        if (options?.skipRetry) {
+            return this.executor.exec(command, this.workDir);
+        }
+        return this.execWithRetry(command);
+    }
+    /**
+     * Execute push with custom refspec (e.g., HEAD:branchName).
+     * Used by GraphQLCommitStrategy for creating/deleting remote branches.
+     */
+    async pushRefspec(refspec, options) {
+        // Remote URL already has auth from clone
+        const deleteFlag = options?.delete ? "--delete " : "";
+        const safeRefspec = escapeShellArg(refspec);
+        await this.execWithRetry(`git push ${deleteFlag}-u origin ${safeRefspec}`);
+    }
+    /**
+     * Fetch a specific branch from remote.
+     * Used by GraphQLCommitStrategy to update local refs.
+     */
+    async fetchBranch(branchName) {
+        // Remote URL already has auth from clone
+        const safeBranch = escapeShellArg(branchName);
+        await this.execWithRetry(`git fetch origin ${safeBranch}:refs/remotes/origin/${safeBranch}`);
+    }
+    // ============================================================
+    // Local operations - delegate directly to GitOps
+    // ============================================================
+    cleanWorkspace() {
+        return this.gitOps.cleanWorkspace();
+    }
+    async createBranch(branchName) {
+        return this.gitOps.createBranch(branchName);
+    }
+    writeFile(fileName, content) {
+        return this.gitOps.writeFile(fileName, content);
+    }
+    async setExecutable(fileName) {
+        return this.gitOps.setExecutable(fileName);
+    }
+    getFileContent(fileName) {
+        return this.gitOps.getFileContent(fileName);
+    }
+    wouldChange(fileName, content) {
+        return this.gitOps.wouldChange(fileName, content);
+    }
+    async hasChanges() {
+        return this.gitOps.hasChanges();
+    }
+    async getChangedFiles() {
+        return this.gitOps.getChangedFiles();
+    }
+    async hasStagedChanges() {
+        return this.gitOps.hasStagedChanges();
+    }
+    async fileExistsOnBranch(fileName, branch) {
+        return this.gitOps.fileExistsOnBranch(fileName, branch);
+    }
+    fileExists(fileName) {
+        return this.gitOps.fileExists(fileName);
+    }
+    deleteFile(fileName) {
+        return this.gitOps.deleteFile(fileName);
+    }
+    async commit(message) {
+        return this.gitOps.commit(message);
+    }
+}

package/dist/command-executor.d.ts

@@ -2,7 +2,7 @@
  * Interface for executing shell commands.
  * Enables dependency injection for testing and alternative implementations.
  */
-export interface CommandExecutor {
+export interface ICommandExecutor {
     /**
      * Execute a shell command and return the output.
      * @param command The command to execute
@@ -16,10 +16,10 @@ export interface CommandExecutor {
  * Default implementation that uses Node.js child_process.execSync.
  * Note: Commands are escaped using escapeShellArg before being passed here.
  */
-export declare class ShellCommandExecutor implements CommandExecutor {
+export declare class ShellCommandExecutor implements ICommandExecutor {
     exec(command: string, cwd: string): Promise<string>;
 }
 /**
  * Default executor instance for production use.
  */
-export declare const defaultExecutor: CommandExecutor;
+export declare const defaultExecutor: ICommandExecutor;

package/dist/git-ops.d.ts

@@ -1,12 +1,38 @@
-import { CommandExecutor } from "./command-executor.js";
+import { ICommandExecutor } from "./command-executor.js";
+export interface IGitOps {
+    cleanWorkspace(): void;
+    clone(gitUrl: string): Promise<void>;
+    fetch(options?: {
+        prune?: boolean;
+    }): Promise<void>;
+    createBranch(branchName: string): Promise<void>;
+    commit(message: string): Promise<boolean>;
+    push(branchName: string, options?: {
+        force?: boolean;
+    }): Promise<void>;
+    getDefaultBranch(): Promise<{
+        branch: string;
+        method: string;
+    }>;
+    writeFile(fileName: string, content: string): void;
+    setExecutable(fileName: string): Promise<void>;
+    getFileContent(fileName: string): string | null;
+    deleteFile(fileName: string): void;
+    wouldChange(fileName: string, content: string): boolean;
+    hasChanges(): Promise<boolean>;
+    getChangedFiles(): Promise<string[]>;
+    hasStagedChanges(): Promise<boolean>;
+    fileExistsOnBranch(fileName: string, branch: string): Promise<boolean>;
+    fileExists(fileName: string): boolean;
+}
 export interface GitOpsOptions {
     workDir: string;
     dryRun?: boolean;
-    executor?: CommandExecutor;
+    executor?: ICommandExecutor;
     /** Number of retries for network operations (default: 3) */
     retries?: number;
 }
-export declare class GitOps {
+export declare class GitOps implements IGitOps {
     private workDir;
     private dryRun;
     private executor;

package/dist/logger.d.ts

@@ -3,6 +3,13 @@ export interface ILogger {
     info(message: string): void;
     fileDiff(fileName: string, status: FileStatus, diffLines: string[]): void;
     diffSummary(newCount: number, modifiedCount: number, unchangedCount: number, deletedCount?: number): void;
+    setTotal(total: number): void;
+    progress(current: number, repoName: string, message: string): void;
+    success(current: number, repoName: string, message: string): void;
+    skip(current: number, repoName: string, reason: string): void;
+    error(current: number, repoName: string, error: string): void;
+    summary(): void;
+    hasFailures(): boolean;
 }
 export interface LoggerStats {
     total: number;
@@ -10,7 +17,7 @@ export interface LoggerStats {
     failed: number;
     skipped: number;
 }
-export declare class Logger {
+export declare class Logger implements ILogger {
     private stats;
     setTotal(total: number): void;
     progress(current: number, repoName: string, message: string): void;

package/dist/pr-creator.d.ts

@@ -1,6 +1,6 @@
 import { RepoInfo } from "./repo-detector.js";
 import { MergeResult, PRMergeConfig } from "./strategies/index.js";
-import { CommandExecutor } from "./command-executor.js";
+import { ICommandExecutor } from "./command-executor.js";
 export { escapeShellArg } from "./shell-utils.js";
 export interface FileAction {
     fileName: string;
@@ -18,7 +18,7 @@ export interface PROptions {
     /** Custom PR body template */
     prTemplate?: string;
     /** Optional command executor for shell commands (for testing) */
-    executor?: CommandExecutor;
+    executor?: ICommandExecutor;
     /** GitHub App installation token for authentication */
     token?: string;
 }
@@ -51,7 +51,7 @@ export interface MergePROptions {
     dryRun?: boolean;
     retries?: number;
     /** Optional command executor for shell commands (for testing) */
-    executor?: CommandExecutor;
+    executor?: ICommandExecutor;
     /** GitHub App installation token for authentication */
     token?: string;
 }

package/dist/repository-processor.d.ts

@@ -1,9 +1,16 @@
 import { RepoConfig } from "./config.js";
 import { RepoInfo } from "./repo-detector.js";
-import { GitOps, GitOpsOptions } from "./git-ops.js";
+import { GitOpsOptions } from "./git-ops.js";
+import { IAuthenticatedGitOps, GitAuthOptions } from "./authenticated-git-ops.js";
 import { ILogger } from "./logger.js";
-import { CommandExecutor } from "./command-executor.js";
+import { ICommandExecutor } from "./command-executor.js";
 import { DiffStats } from "./diff-utils.js";
+export interface IRepositoryProcessor {
+    process(repoConfig: RepoConfig, repoInfo: RepoInfo, options: ProcessorOptions): Promise<ProcessorResult>;
+    updateManifestOnly(repoInfo: RepoInfo, repoConfig: RepoConfig, options: ProcessorOptions, manifestUpdate: {
+        rulesets: string[];
+    }): Promise<ProcessorResult>;
+}
 export interface ProcessorOptions {
     branchName: string;
     workDir: string;
@@ -13,17 +20,17 @@ export interface ProcessorOptions {
     /** Number of retries for network operations (default: 3) */
     retries?: number;
     /** Command executor for shell commands (for testing) */
-    executor?: CommandExecutor;
+    executor?: ICommandExecutor;
     /** Custom PR body template */
     prTemplate?: string;
     /** Skip deleting orphaned files even if deleteOrphaned is configured */
     noDelete?: boolean;
 }
 /**
- * Factory function type for creating GitOps instances.
+ * Factory function type for creating IAuthenticatedGitOps instances.
  * Allows dependency injection for testing.
  */
-export type GitOpsFactory = (options: GitOpsOptions) => GitOps;
+export type GitOpsFactory = (options: GitOpsOptions, auth?: GitAuthOptions) => IAuthenticatedGitOps;
 export interface ProcessorResult {
     success: boolean;
     repoName: string;
@@ -37,7 +44,7 @@ export interface ProcessorResult {
     };
     diffStats?: DiffStats;
 }
-export declare class RepositoryProcessor {
+export declare class RepositoryProcessor implements IRepositoryProcessor {
     private gitOps;
     private readonly gitOpsFactory;
     private readonly log;
@@ -46,7 +53,7 @@ export declare class RepositoryProcessor {
     private readonly tokenManager;
     /**
      * Creates a new RepositoryProcessor.
-     * @param gitOpsFactory - Optional factory for creating GitOps instances (for testing)
+     * @param gitOpsFactory - Optional factory for creating AuthenticatedGitOps instances (for testing)
      * @param log - Optional logger instance (for testing)
      */
     constructor(gitOpsFactory?: GitOpsFactory, log?: ILogger);

package/dist/repository-processor.js

@@ -4,6 +4,7 @@ import { convertContentToString, } from "./config.js";
 import { getRepoDisplayName, isGitHubRepo, } from "./repo-detector.js";
 import { interpolateXfgContent } from "./xfg-template.js";
 import { GitOps } from "./git-ops.js";
+import { AuthenticatedGitOps, } from "./authenticated-git-ops.js";
 import { createPR, mergePR } from "./pr-creator.js";
 import { logger } from "./logger.js";
 import { getPRStrategy, getCommitStrategy, hasGitHubAppCredentials, } from "./strategies/index.js";
@@ -34,11 +35,13 @@ export class RepositoryProcessor {
     tokenManager;
     /**
      * Creates a new RepositoryProcessor.
-     * @param gitOpsFactory - Optional factory for creating GitOps instances (for testing)
+     * @param gitOpsFactory - Optional factory for creating AuthenticatedGitOps instances (for testing)
      * @param log - Optional logger instance (for testing)
      */
     constructor(gitOpsFactory, log) {
-        this.gitOpsFactory = gitOpsFactory ?? ((opts) => new GitOps(opts));
+        this.gitOpsFactory =
+            gitOpsFactory ??
+                ((opts, auth) => new AuthenticatedGitOps(new GitOps(opts), auth));
         this.log = log ?? logger;
         // Initialize GitHub App token manager if credentials are configured
         if (hasGitHubAppCredentials()) {
@@ -63,11 +66,23 @@ export class RepositoryProcessor {
                 skipped: true,
             };
         }
+        // Build auth options - use installation token OR fall back to GH_TOKEN for PAT flow
+        const effectiveToken = token ?? (isGitHubRepo(repoInfo) ? process.env.GH_TOKEN : undefined);
+        const authOptions = effectiveToken
+            ? {
+                token: effectiveToken,
+                host: isGitHubRepo(repoInfo)
+                    ? repoInfo.host
+                    : "github.com",
+                owner: repoInfo.owner,
+                repo: repoInfo.repo,
+            }
+            : undefined;
         this.gitOps = this.gitOpsFactory({
             workDir,
             dryRun,
             retries: this.retries,
-        });
+        }, authOptions);
         // Determine merge mode early - affects workflow steps
         const mergeMode = repoConfig.prOptions?.merge ?? "auto";
         const isDirectMode = mergeMode === "direct";
@@ -320,6 +335,7 @@ export class RepositoryProcessor {
                         // Use force push (--force-with-lease) for PR branches, not for direct mode
                         force: !isDirectMode,
                         token,
+                        gitOps: this.gitOps,
                     });
                     this.log.info(`Committed: ${commitResult.sha} (verified: ${commitResult.verified})`);
                 }
@@ -454,11 +470,23 @@ export class RepositoryProcessor {
                 skipped: true,
             };
         }
+        // Build auth options - use installation token OR fall back to GH_TOKEN for PAT flow
+        const effectiveToken = token ?? (isGitHubRepo(repoInfo) ? process.env.GH_TOKEN : undefined);
+        const authOptions = effectiveToken
+            ? {
+                token: effectiveToken,
+                host: isGitHubRepo(repoInfo)
+                    ? repoInfo.host
+                    : "github.com",
+                owner: repoInfo.owner,
+                repo: repoInfo.repo,
+            }
+            : undefined;
         this.gitOps = this.gitOpsFactory({
             workDir,
             dryRun,
             retries: this.retries,
-        });
+        }, authOptions);
         const mergeMode = repoConfig.prOptions?.merge ?? "auto";
         const isDirectMode = mergeMode === "direct";
         try {
@@ -534,6 +562,7 @@ export class RepositoryProcessor {
                     retries: this.retries,
                     force: !isDirectMode,
                     token,
+                    gitOps: this.gitOps,
                 });
             }
             catch (error) {

package/dist/ruleset-processor.d.ts

@@ -1,6 +1,9 @@
 import type { RepoConfig } from "./config.js";
 import type { RepoInfo } from "./repo-detector.js";
 import { GitHubRulesetStrategy } from "./strategies/github-ruleset-strategy.js";
+export interface IRulesetProcessor {
+    process(repoConfig: RepoConfig, repoInfo: RepoInfo, options: RulesetProcessorOptions): Promise<RulesetProcessorResult>;
+}
 export interface RulesetProcessorOptions {
     configId: string;
     dryRun?: boolean;
@@ -28,7 +31,7 @@ export interface RulesetProcessorResult {
  * Processes ruleset configuration for a repository.
  * Handles create/update/delete operations via GitHub Rulesets API.
  */
-export declare class RulesetProcessor {
+export declare class RulesetProcessor implements IRulesetProcessor {
     private readonly strategy;
     constructor(strategy?: GitHubRulesetStrategy);
     /**

package/dist/strategies/azure-pr-strategy.d.ts

@@ -1,8 +1,8 @@
 import { PRResult } from "../pr-creator.js";
 import { BasePRStrategy, PRStrategyOptions, CloseExistingPROptions, MergeOptions, MergeResult } from "./pr-strategy.js";
-import { CommandExecutor } from "../command-executor.js";
+import { ICommandExecutor } from "../command-executor.js";
 export declare class AzurePRStrategy extends BasePRStrategy {
-    constructor(executor?: CommandExecutor);
+    constructor(executor?: ICommandExecutor);
     private getOrgUrl;
     private buildPRUrl;
     checkExistingPR(options: PRStrategyOptions): Promise<string | null>;

package/dist/strategies/commit-strategy-selector.d.ts

@@ -1,6 +1,6 @@
 import { RepoInfo } from "../repo-detector.js";
-import { CommitStrategy } from "./commit-strategy.js";
-import { CommandExecutor } from "../command-executor.js";
+import { ICommitStrategy } from "./commit-strategy.js";
+import { ICommandExecutor } from "../command-executor.js";
 /**
  * Checks if GitHub App credentials are configured via environment variables.
  * Both XFG_GITHUB_APP_ID and XFG_GITHUB_APP_PRIVATE_KEY must be set.
@@ -19,4 +19,4 @@ export declare function hasGitHubAppCredentials(): boolean;
  * @param repoInfo - Repository information
  * @param executor - Optional command executor for shell commands
  */
-export declare function getCommitStrategy(repoInfo: RepoInfo, executor?: CommandExecutor): CommitStrategy;
+export declare function getCommitStrategy(repoInfo: RepoInfo, executor?: ICommandExecutor): ICommitStrategy;

package/dist/strategies/commit-strategy.d.ts

@@ -1,4 +1,5 @@
 import { RepoInfo } from "../repo-detector.js";
+import { IAuthenticatedGitOps } from "../authenticated-git-ops.js";
 export interface FileChange {
     path: string;
     content: string | null;
@@ -14,6 +15,8 @@ export interface CommitOptions {
     force?: boolean;
     /** GitHub App installation token for authentication (used by GraphQLCommitStrategy) */
     token?: string;
+    /** Authenticated git operations wrapper (used by GraphQLCommitStrategy for network ops) */
+    gitOps?: IAuthenticatedGitOps;
 }
 export interface CommitResult {
     sha: string;
@@ -24,7 +27,7 @@ export interface CommitResult {
  * Strategy interface for creating commits.
  * Implementations handle platform-specific commit mechanisms.
  */
-export interface CommitStrategy {
+export interface ICommitStrategy {
     /**
      * Create a commit with the given file changes and push to remote.
      * @returns Commit result with SHA and verification status

package/dist/strategies/git-commit-strategy.d.ts

@@ -1,13 +1,13 @@
-import { CommitStrategy, CommitOptions, CommitResult } from "./commit-strategy.js";
-import { CommandExecutor } from "../command-executor.js";
+import { ICommitStrategy, CommitOptions, CommitResult } from "./commit-strategy.js";
+import { ICommandExecutor } from "../command-executor.js";
 /**
  * Git-based commit strategy using standard git commands (add, commit, push).
  * Used with PAT authentication. Commits via this strategy are NOT verified
  * by GitHub (no signature).
  */
-export declare class GitCommitStrategy implements CommitStrategy {
+export declare class GitCommitStrategy implements ICommitStrategy {
     private executor;
-    constructor(executor?: CommandExecutor);
+    constructor(executor?: ICommandExecutor);
     /**
      * Create a commit with the given file changes and push to remote.
      * Runs: git add -A, git commit, git push (with optional --force-with-lease)

package/dist/strategies/git-commit-strategy.js

@@ -18,18 +18,23 @@ export class GitCommitStrategy {
      * @returns Commit result with SHA and verified: false (no signature)
      */
     async commit(options) {
-        const { branchName, message, workDir, retries = 3, force = true } = options;
+        const { branchName, message, workDir, retries = 3, force = true, gitOps, } = options;
         // Stage all changes
         await this.executor.exec("git add -A", workDir);
         // Commit with the message (--no-verify to skip pre-commit hooks)
         await this.executor.exec(`git commit --no-verify -m ${escapeShellArg(message)}`, workDir);
-        // Build push command - use --force-with-lease for PR branches, regular push for direct mode
-        const forceFlag = force ? "--force-with-lease " : "";
-        const pushCommand = `git push ${forceFlag}-u origin ${escapeShellArg(branchName)}`;
-        // Push with retry for transient network failures
-        await withRetry(() => this.executor.exec(pushCommand, workDir), {
-            retries,
-        });
+        // Push with authentication via gitOps if available
+        if (gitOps) {
+            await gitOps.push(branchName, { force });
+        }
+        else {
+            // Fallback for non-authenticated scenarios (shouldn't happen in practice)
+            const forceFlag = force ? "--force-with-lease " : "";
+            const pushCommand = `git push ${forceFlag}-u origin ${escapeShellArg(branchName)}`;
+            await withRetry(() => this.executor.exec(pushCommand, workDir), {
+                retries,
+            });
+        }
         // Get the commit SHA
         const sha = await this.executor.exec("git rev-parse HEAD", workDir);
         return {

package/dist/strategies/github-ruleset-strategy.d.ts

@@ -1,6 +1,7 @@
-import { CommandExecutor } from "../command-executor.js";
+import { ICommandExecutor } from "../command-executor.js";
 import { RepoInfo } from "../repo-detector.js";
 import type { Ruleset } from "../config.js";
+import type { IRulesetStrategy } from "./ruleset-strategy.js";
 /**
  * GitHub Ruleset response from API (snake_case).
  */
@@ -50,9 +51,9 @@ export interface RulesetStrategyOptions {
  * GitHub Ruleset Strategy for managing repository rulesets via GitHub REST API.
  * Uses `gh api` CLI for authentication and API calls.
  */
-export declare class GitHubRulesetStrategy {
+export declare class GitHubRulesetStrategy implements IRulesetStrategy {
     private executor;
-    constructor(executor?: CommandExecutor);
+    constructor(executor?: ICommandExecutor);
     /**
      * Lists all rulesets for a repository.
      */

package/dist/strategies/gitlab-pr-strategy.d.ts

@@ -1,8 +1,8 @@
 import { PRResult } from "../pr-creator.js";
 import { BasePRStrategy, PRStrategyOptions, CloseExistingPROptions, MergeOptions, MergeResult } from "./pr-strategy.js";
-import { CommandExecutor } from "../command-executor.js";
+import { ICommandExecutor } from "../command-executor.js";
 export declare class GitLabPRStrategy extends BasePRStrategy {
-    constructor(executor?: CommandExecutor);
+    constructor(executor?: ICommandExecutor);
     /**
      * Build the repo flag for glab commands.
      * Format: namespace/repo (supports nested groups)

package/dist/strategies/graphql-commit-strategy.d.ts

@@ -1,5 +1,5 @@
-import { CommitStrategy, CommitOptions, CommitResult } from "./commit-strategy.js";
-import { CommandExecutor } from "../command-executor.js";
+import { ICommitStrategy, CommitOptions, CommitResult } from "./commit-strategy.js";
+import { ICommandExecutor } from "../command-executor.js";
 /**
  * Maximum payload size for GitHub GraphQL API (50MB).
  * Base64 encoding adds ~33% overhead, so raw content should be checked.
@@ -29,9 +29,9 @@ export declare function validateBranchName(branchName: string): void;
  *
  * This strategy is GitHub-only and requires the `gh` CLI to be authenticated.
  */
-export declare class GraphQLCommitStrategy implements CommitStrategy {
+export declare class GraphQLCommitStrategy implements ICommitStrategy {
     private executor;
-    constructor(executor?: CommandExecutor);
+    constructor(executor?: ICommandExecutor);
     /**
      * Create a commit with the given file changes using GitHub's GraphQL API.
      * Uses the createCommitOnBranch mutation for verified commits.
@@ -44,20 +44,6 @@ export declare class GraphQLCommitStrategy implements CommitStrategy {
      * Execute the createCommitOnBranch GraphQL mutation.
      */
     private executeGraphQLMutation;
-    /**
-     * Build a git command with optional token authentication override.
-     * When a token is provided, uses -c url.insteadOf to override the global
-     * git config and authenticate with the provided token instead.
-     *
-     * This is critical for GitHub App authentication where the global git config
-     * may have a PAT token embedded, but we need to use the GitHub App installation token.
-     *
-     * Uses a repo-specific URL pattern (including owner/repo) so it has a LONGER
-     * prefix match than the global config and takes precedence.
-     *
-     * Applies to all remote operations: push, fetch, ls-remote, etc.
-     */
-    private buildAuthenticatedGitCommand;
     /**
      * Ensure the branch exists on the remote and matches local HEAD.
      * createCommitOnBranch requires the branch to already exist.

package/dist/strategies/graphql-commit-strategy.js

@@ -69,10 +69,12 @@ export class GraphQLCommitStrategy {
             throw new Error(`GraphQL payload exceeds 50 MB limit (${Math.round(totalSize / (1024 * 1024))} MB). ` +
                 `Consider using smaller files or the git commit strategy.`);
         }
+        // Get gitOps for authenticated network operations
+        const gitOps = options.gitOps;
         // Ensure the branch exists on remote and is up-to-date with local HEAD
         // createCommitOnBranch requires the branch to already exist
         // For PR branches (force=true), we force-update to ensure fresh start from main
-        await this.ensureBranchExistsOnRemote(branchName, workDir, options.force, token, githubInfo.host, githubInfo.owner, githubInfo.repo);
+        await this.ensureBranchExistsOnRemote(branchName, workDir, options.force, gitOps);
         // Retry loop for expectedHeadOid mismatch
         let lastError = null;
         for (let attempt = 0; attempt <= retries; attempt++) {
@@ -80,7 +82,12 @@ export class GraphQLCommitStrategy {
                 // Fetch from remote to ensure we have the latest HEAD
                 // This is critical for expectedHeadOid to match
                 const safeBranch = escapeShellArg(branchName);
-                await this.executor.exec(this.buildAuthenticatedGitCommand(`fetch origin ${safeBranch}:refs/remotes/origin/${safeBranch}`, token, githubInfo.host, githubInfo.owner, githubInfo.repo), workDir);
+                if (gitOps) {
+                    await gitOps.fetchBranch(branchName);
+                }
+                else {
+                    await this.executor.exec(`git fetch origin ${safeBranch}:refs/remotes/origin/${safeBranch}`, workDir);
+                }
                 // Get the remote HEAD SHA for this branch (not local HEAD)
                 const headSha = await this.executor.exec(`git rev-parse origin/${safeBranch}`, workDir);
                 // Build and execute the GraphQL mutation
@@ -171,31 +178,6 @@ export class GraphQLCommitStrategy {
             pushed: true, // GraphQL commits are pushed directly
         };
     }
-    /**
-     * Build a git command with optional token authentication override.
-     * When a token is provided, uses -c url.insteadOf to override the global
-     * git config and authenticate with the provided token instead.
-     *
-     * This is critical for GitHub App authentication where the global git config
-     * may have a PAT token embedded, but we need to use the GitHub App installation token.
-     *
-     * Uses a repo-specific URL pattern (including owner/repo) so it has a LONGER
-     * prefix match than the global config and takes precedence.
-     *
-     * Applies to all remote operations: push, fetch, ls-remote, etc.
-     */
-    buildAuthenticatedGitCommand(gitArgs, token, host = "github.com", owner, repo) {
-        if (!token) {
-            return `git ${gitArgs}`;
-        }
-        // Use repo-specific URL pattern for LONGER prefix match to override global config
-        // Global config: url."https://x-access-token:PAT@github.com/".insteadOf = "https://github.com/"
-        // Our config:    url."https://x-access-token:APP@github.com/owner/repo".insteadOf = "https://github.com/owner/repo"
-        // The longer prefix (owner/repo) takes precedence in git's URL matching
-        const repoPath = owner && repo ? `${owner}/${repo}` : "";
-        const urlOverride = `url."https://x-access-token:${token}@${host}/${repoPath}".insteadOf="https://${host}/${repoPath}"`;
-        return `git -c ${escapeShellArg(urlOverride)} ${gitArgs}`;
-    }
     /**
      * Ensure the branch exists on the remote and matches local HEAD.
      * createCommitOnBranch requires the branch to already exist.
@@ -205,23 +187,41 @@ export class GraphQLCommitStrategy {
      *
      * For direct mode (force=false): just ensure branch exists.
      */
-    async ensureBranchExistsOnRemote(branchName, workDir, force, token, host, owner, repo) {
+    async ensureBranchExistsOnRemote(branchName, workDir, force, gitOps) {
         // Branch name was validated in commit(), safe for shell use
         try {
             // Check if the branch exists on remote
-            await this.executor.exec(this.buildAuthenticatedGitCommand(`ls-remote --exit-code --heads origin ${escapeShellArg(branchName)}`, token, host, owner, repo), workDir);
+            // Use skipRetry because failure is expected for new branches
+            if (gitOps) {
+                await gitOps.lsRemote(branchName, { skipRetry: true });
+            }
+            else {
+                await this.executor.exec(`git ls-remote --exit-code --heads origin ${escapeShellArg(branchName)}`, workDir);
+            }
             // Branch exists - for PR branches, delete and recreate to ensure fresh from main
             if (force) {
-                await this.executor.exec(this.buildAuthenticatedGitCommand(`push origin --delete ${escapeShellArg(branchName)}`, token, host, owner, repo), workDir);
-                // Now push fresh branch from local HEAD
-                await this.executor.exec(this.buildAuthenticatedGitCommand(`push -u origin HEAD:${escapeShellArg(branchName)}`, token, host, owner, repo), workDir);
+                if (gitOps) {
+                    await gitOps.pushRefspec(branchName, { delete: true });
+                    // Now push fresh branch from local HEAD
+                    await gitOps.pushRefspec(`HEAD:${branchName}`);
+                }
+                else {
+                    await this.executor.exec(`git push origin --delete ${escapeShellArg(branchName)}`, workDir);
+                    // Now push fresh branch from local HEAD
+                    await this.executor.exec(`git push -u origin HEAD:${escapeShellArg(branchName)}`, workDir);
+                }
             }
             // For direct mode (force=false), leave existing branch as-is
         }
         catch {
             // Branch doesn't exist on remote, push it
             // This pushes the current local branch to create it on remote
-            await this.executor.exec(this.buildAuthenticatedGitCommand(`push -u origin HEAD:${escapeShellArg(branchName)}`, token, host, owner, repo), workDir);
+            if (gitOps) {
+                await gitOps.pushRefspec(`HEAD:${branchName}`);
+            }
+            else {
+                await this.executor.exec(`git push -u origin HEAD:${escapeShellArg(branchName)}`, workDir);
+            }
         }
     }
     /**

package/dist/strategies/index.d.ts

@@ -1,12 +1,12 @@
 import { RepoInfo } from "../repo-detector.js";
-import type { PRStrategy } from "./pr-strategy.js";
-import { CommandExecutor } from "../command-executor.js";
-export type { PRStrategy, PRStrategyOptions, CloseExistingPROptions, PRMergeConfig, MergeOptions, MergeResult, } from "./pr-strategy.js";
+import type { IPRStrategy } from "./pr-strategy.js";
+import { ICommandExecutor } from "../command-executor.js";
+export type { IPRStrategy, PRStrategyOptions, CloseExistingPROptions, PRMergeConfig, MergeOptions, MergeResult, } from "./pr-strategy.js";
 export { BasePRStrategy, PRWorkflowExecutor } from "./pr-strategy.js";
 export { GitHubPRStrategy } from "./github-pr-strategy.js";
 export { AzurePRStrategy } from "./azure-pr-strategy.js";
 export { GitLabPRStrategy } from "./gitlab-pr-strategy.js";
-export type { CommitStrategy, CommitOptions, CommitResult, FileChange, } from "./commit-strategy.js";
+export type { ICommitStrategy, CommitOptions, CommitResult, FileChange, } from "./commit-strategy.js";
 export { GitCommitStrategy } from "./git-commit-strategy.js";
 export { GraphQLCommitStrategy, MAX_PAYLOAD_SIZE, } from "./graphql-commit-strategy.js";
 export { getCommitStrategy, hasGitHubAppCredentials, } from "./commit-strategy-selector.js";
@@ -15,4 +15,4 @@ export { getCommitStrategy, hasGitHubAppCredentials, } from "./commit-strategy-s
  * @param repoInfo - Repository information
  * @param executor - Optional command executor for shell commands
  */
-export declare function getPRStrategy(repoInfo: RepoInfo, executor?: CommandExecutor): PRStrategy;
+export declare function getPRStrategy(repoInfo: RepoInfo, executor?: ICommandExecutor): IPRStrategy;

package/dist/strategies/pr-strategy.d.ts

@@ -1,6 +1,6 @@
 import { PRResult } from "../pr-creator.js";
 import { RepoInfo } from "../repo-detector.js";
-import { CommandExecutor } from "../command-executor.js";
+import { ICommandExecutor } from "../command-executor.js";
 import type { MergeMode, MergeStrategy } from "../config.js";
 export interface PRMergeConfig {
     mode: MergeMode;
@@ -51,7 +51,7 @@ export interface CloseExistingPROptions {
  * Strategies focus on platform-specific logic (checkExistingPR, create, merge).
  * Use PRWorkflowExecutor for full workflow orchestration with error handling.
  */
-export interface PRStrategy {
+export interface IPRStrategy {
     /**
      * Check if a PR already exists for the given branch
      * @returns PR URL if exists, null otherwise
@@ -79,10 +79,10 @@ export interface PRStrategy {
      */
     execute(options: PRStrategyOptions): Promise<PRResult>;
 }
-export declare abstract class BasePRStrategy implements PRStrategy {
+export declare abstract class BasePRStrategy implements IPRStrategy {
     protected bodyFilePath: string;
-    protected executor: CommandExecutor;
-    constructor(executor?: CommandExecutor);
+    protected executor: ICommandExecutor;
+    constructor(executor?: ICommandExecutor);
     abstract checkExistingPR(options: PRStrategyOptions): Promise<string | null>;
     abstract closeExistingPR(options: CloseExistingPROptions): Promise<boolean>;
     abstract create(options: PRStrategyOptions): Promise<PRResult>;
@@ -110,7 +110,7 @@ export declare abstract class BasePRStrategy implements PRStrategy {
  */
 export declare class PRWorkflowExecutor {
     private readonly strategy;
-    constructor(strategy: PRStrategy);
+    constructor(strategy: IPRStrategy);
     /**
      * Execute the full PR creation workflow with error handling.
      */

package/dist/strategies/ruleset-strategy.d.ts

@@ -0,0 +1,10 @@
+import type { RepoInfo } from "../repo-detector.js";
+import type { Ruleset } from "../config.js";
+import type { GitHubRuleset, RulesetStrategyOptions } from "./github-ruleset-strategy.js";
+export interface IRulesetStrategy {
+    list(repoInfo: RepoInfo, options?: RulesetStrategyOptions): Promise<GitHubRuleset[]>;
+    get(repoInfo: RepoInfo, rulesetId: number, options?: RulesetStrategyOptions): Promise<GitHubRuleset>;
+    create(repoInfo: RepoInfo, name: string, ruleset: Ruleset, options?: RulesetStrategyOptions): Promise<GitHubRuleset>;
+    update(repoInfo: RepoInfo, rulesetId: number, name: string, ruleset: Ruleset, options?: RulesetStrategyOptions): Promise<GitHubRuleset>;
+    delete(repoInfo: RepoInfo, rulesetId: number, options?: RulesetStrategyOptions): Promise<void>;
+}

package/dist/strategies/ruleset-strategy.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aspruyt/xfg",
-  "version": "3.1.3",
+  "version": "3.1.5",
   "description": "CLI tool for repository-as-code",
   "type": "module",
   "main": "dist/index.js",
@@ -27,7 +27,7 @@
     "start": "node dist/cli.js",
     "dev": "ts-node src/cli.ts",
     "test": "node --import tsx scripts/run-tests.js",
-    "test:coverage": "c8 --check-coverage --lines 95 --reporter=text --reporter=lcov --all --src=src --exclude='src/**/*.test.ts' --exclude='scripts/**' npm test",
+    "test:coverage": "c8 --check-coverage --lines 95 --reporter=text --reporter=lcov --all --src=src --exclude='test/**/*.test.ts' --exclude='scripts/**' npm test",
     "test:integration:github": "npm run build && node --import tsx --test test/integration/github.test.ts",
     "test:integration:ado": "npm run build && node --import tsx --test test/integration/ado.test.ts",
     "test:integration:gitlab": "npm run build && node --import tsx --test test/integration/gitlab.test.ts",