@aspruyt/xfg 3.1.5 → 3.3.2

package/dist/command-executor.js

@@ -1,4 +1,5 @@
 import { execSync } from "node:child_process";
+import { sanitizeCredentials } from "./sanitize-utils.js";
 /**
  * Default implementation that uses Node.js child_process.execSync.
  * Note: Commands are escaped using escapeShellArg before being passed here.
@@ -18,9 +19,17 @@ export class ShellCommandExecutor {
             if (execError.stderr && typeof execError.stderr !== "string") {
                 execError.stderr = execError.stderr.toString();
             }
-            // Include stderr in error message for better debugging
+            // Sanitize credentials from stderr before including in error
+            if (execError.stderr) {
+                execError.stderr = sanitizeCredentials(execError.stderr);
+            }
+            // Include sanitized stderr in error message for better debugging
             if (execError.stderr && execError.message) {
-                execError.message = `${execError.message}\n${execError.stderr}`;
+                execError.message =
+                    sanitizeCredentials(execError.message) + "\n" + execError.stderr;
+            }
+            else if (execError.message) {
+                execError.message = sanitizeCredentials(execError.message);
             }
             throw error;
         }

package/dist/config-normalizer.js

@@ -60,14 +60,30 @@ export function mergeSettings(root, perRepo) {
     // Merge rulesets by name - each ruleset is deep merged
     const rootRulesets = root?.rulesets ?? {};
     const repoRulesets = perRepo?.rulesets ?? {};
+    // Check if repo opts out of all inherited rulesets
+    const inheritRulesets = repoRulesets?.inherit !== false;
     const allRulesetNames = new Set([
-        ...Object.keys(rootRulesets),
-        ...Object.keys(repoRulesets),
+        ...Object.keys(rootRulesets).filter((name) => name !== "inherit"),
+        ...Object.keys(repoRulesets).filter((name) => name !== "inherit"),
     ]);
     if (allRulesetNames.size > 0) {
         result.rulesets = {};
         for (const name of allRulesetNames) {
-            result.rulesets[name] = mergeRuleset(rootRulesets[name], repoRulesets[name]);
+            const rootRuleset = rootRulesets[name];
+            const repoRuleset = repoRulesets[name];
+            // Skip if repo explicitly opts out of this ruleset
+            if (repoRuleset === false) {
+                continue;
+            }
+            // Skip root rulesets if inherit: false (unless repo has override)
+            if (!inheritRulesets && !repoRuleset && rootRuleset) {
+                continue;
+            }
+            result.rulesets[name] = mergeRuleset(rootRuleset, repoRuleset);
+        }
+        // Clean up empty rulesets object
+        if (Object.keys(result.rulesets).length === 0) {
+            delete result.rulesets;
         }
     }
     // deleteOrphaned: per-repo overrides root
@@ -89,13 +105,23 @@ export function normalizeConfig(raw) {
         const gitUrls = Array.isArray(rawRepo.git) ? rawRepo.git : [rawRepo.git];
         for (const gitUrl of gitUrls) {
             const files = [];
+            // Check if repo opts out of all inherited files
+            const inheritFiles = rawRepo.files?.inherit !==
+                false;
             // Step 2: Process each file definition
             for (const fileName of fileNames) {
+                // Skip reserved key
+                if (fileName === "inherit")
+                    continue;
                 const repoOverride = rawRepo.files?.[fileName];
                 // Skip excluded files (set to false)
                 if (repoOverride === false) {
                     continue;
                 }
+                // Skip if inherit: false and no repo-specific override
+                if (!inheritFiles && !repoOverride) {
+                    continue;
+                }
                 const fileConfig = raw.files[fileName];
                 const fileStrategy = fileConfig.mergeStrategy ?? "replace";
                 // Step 3: Compute merged content for this file
@@ -190,12 +216,34 @@ export function normalizeConfig(raw) {
             });
         }
     }
+    // Normalize root settings (filter out inherit key if present)
+    let normalizedRootSettings;
+    if (raw.settings) {
+        normalizedRootSettings = {};
+        if (raw.settings.rulesets) {
+            const filteredRulesets = {};
+            for (const [name, ruleset] of Object.entries(raw.settings.rulesets)) {
+                if (name === "inherit" || ruleset === false)
+                    continue;
+                filteredRulesets[name] = ruleset;
+            }
+            if (Object.keys(filteredRulesets).length > 0) {
+                normalizedRootSettings.rulesets = filteredRulesets;
+            }
+        }
+        if (raw.settings.deleteOrphaned !== undefined) {
+            normalizedRootSettings.deleteOrphaned = raw.settings.deleteOrphaned;
+        }
+        if (Object.keys(normalizedRootSettings).length === 0) {
+            normalizedRootSettings = undefined;
+        }
+    }
     return {
         id: raw.id,
         repos: expandedRepos,
         prTemplate: raw.prTemplate,
         githubHosts: raw.githubHosts,
         deleteOrphaned: raw.deleteOrphaned,
-        settings: raw.settings,
+        settings: normalizedRootSettings,
     };
 }

package/dist/config-validator.d.ts

@@ -7,7 +7,7 @@ export declare function validateRawConfig(config: RawConfig): void;
 /**
  * Validates settings object containing rulesets.
  */
-export declare function validateSettings(settings: unknown, context: string): void;
+export declare function validateSettings(settings: unknown, context: string, rootRulesetNames?: string[]): void;
 /**
  * Validates that config is suitable for the sync command.
  * @throws Error if files section is missing or empty

package/dist/config-validator.js

@@ -49,6 +49,10 @@ export function validateRawConfig(config) {
             "Use 'files' to sync configuration files, or 'settings' to manage repository settings.");
     }
     const fileNames = hasFiles ? Object.keys(config.files) : [];
+    // Check for reserved key 'inherit' at root files level
+    if (hasFiles && "inherit" in config.files) {
+        throw new Error("'inherit' is a reserved key and cannot be used as a filename");
+    }
     // Validate each file definition
     for (const fileName of fileNames) {
         validateFileName(fileName);
@@ -127,6 +131,10 @@ export function validateRawConfig(config) {
     // Validate root settings
     if (config.settings !== undefined) {
         validateSettings(config.settings, "Root");
+        // Check for reserved key 'inherit' at root rulesets level
+        if (config.settings.rulesets && "inherit" in config.settings.rulesets) {
+            throw new Error("'inherit' is a reserved key and cannot be used as a ruleset name");
+        }
     }
     // Validate githubHosts if provided
     if (config.githubHosts !== undefined) {
@@ -161,6 +169,14 @@ export function validateRawConfig(config) {
                 throw new Error(`Repo at index ${i}: files must be an object`);
             }
             for (const fileName of Object.keys(repo.files)) {
+                // Skip reserved key 'inherit'
+                if (fileName === "inherit") {
+                    const inheritValue = repo.files.inherit;
+                    if (typeof inheritValue !== "boolean") {
+                        throw new Error(`Repo at index ${i}: files.inherit must be a boolean`);
+                    }
+                    continue;
+                }
                 // Ensure the file is defined at root level
                 if (!config.files || !config.files[fileName]) {
                     throw new Error(`Repo at index ${i} references undefined file '${fileName}'. File must be defined in root 'files' object.`);
@@ -233,7 +249,10 @@ export function validateRawConfig(config) {
         }
         // Validate per-repo settings
         if (repo.settings !== undefined) {
-            validateSettings(repo.settings, `Repo ${getGitDisplayName(repo.git)}`);
+            const rootRulesetNames = config.settings?.rulesets
+                ? Object.keys(config.settings.rulesets).filter((k) => k !== "inherit")
+                : [];
+            validateSettings(repo.settings, `Repo ${getGitDisplayName(repo.git)}`, rootRulesetNames);
         }
     }
 }
@@ -465,7 +484,7 @@ function validateRuleset(ruleset, name, context) {
 /**
  * Validates settings object containing rulesets.
  */
-export function validateSettings(settings, context) {
+export function validateSettings(settings, context, rootRulesetNames) {
     if (typeof settings !== "object" ||
         settings === null ||
         Array.isArray(settings)) {
@@ -480,6 +499,16 @@ export function validateSettings(settings, context) {
         }
         const rulesets = s.rulesets;
         for (const [name, ruleset] of Object.entries(rulesets)) {
+            // Skip reserved key
+            if (name === "inherit")
+                continue;
+            // Check for opt-out of non-existent root ruleset
+            if (ruleset === false) {
+                if (rootRulesetNames && !rootRulesetNames.includes(name)) {
+                    throw new Error(`${context}: Cannot opt out of '${name}' - not defined in root settings.rulesets`);
+                }
+                continue; // Skip further validation for false entries
+            }
             validateRuleset(ruleset, name, context);
         }
     }

package/dist/config.d.ts

@@ -239,12 +239,16 @@ export interface RawRepoFileOverride {
     deleteOrphaned?: boolean;
 }
 export interface RawRepoSettings {
-    rulesets?: Record<string, Ruleset>;
+    rulesets?: Record<string, Ruleset | false> & {
+        inherit?: boolean;
+    };
     deleteOrphaned?: boolean;
 }
 export interface RawRepoConfig {
     git: string | string[];
-    files?: Record<string, RawRepoFileOverride | false>;
+    files?: Record<string, RawRepoFileOverride | false> & {
+        inherit?: boolean;
+    };
     prOptions?: PRMergeOptions;
     settings?: RawRepoSettings;
 }

package/dist/index.js

@@ -208,19 +208,15 @@ export async function runSettings(options, processorFactory = defaultRulesetProc
         return;
     }
     console.log(`Found ${reposWithRulesets.length} repositories with rulesets\n`);
+    logger.setTotal(reposWithRulesets.length);
     const processor = processorFactory();
     const repoProcessor = repoProcessorFactory();
     const results = [];
     let successCount = 0;
     let failCount = 0;
     let skipCount = 0;
-    for (let i = 0; i < config.repos.length; i++) {
-        const repoConfig = config.repos[i];
-        // Skip repos without rulesets
-        if (!repoConfig.settings?.rulesets ||
-            Object.keys(repoConfig.settings.rulesets).length === 0) {
-            continue;
-        }
+    for (let i = 0; i < reposWithRulesets.length; i++) {
+        const repoConfig = reposWithRulesets[i];
         let repoInfo;
         try {
             repoInfo = parseGitUrl(repoConfig.git, {

package/dist/retry-utils.js

@@ -1,5 +1,6 @@
 import pRetry, { AbortError } from "p-retry";
 import { logger } from "./logger.js";
+import { sanitizeCredentials } from "./sanitize-utils.js";
 /**
  * Default patterns indicating permanent errors that should NOT be retried.
  * These typically indicate configuration issues, auth failures, or invalid resources.
@@ -121,7 +122,7 @@ export async function withRetry(fn, options) {
         onFailedAttempt: (context) => {
             // Only log if this isn't the last attempt
             if (context.retriesLeft > 0) {
-                const msg = context.error.message || "Unknown error";
+                const msg = sanitizeCredentials(context.error.message) || "Unknown error";
                 logger.info(`Attempt ${context.attemptNumber}/${retries + 1} failed: ${msg}. Retrying...`);
                 options?.onRetry?.(context.error, context.attemptNumber);
             }

package/dist/sanitize-utils.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Sanitizes credentials from error messages and logs.
+ * Replaces sensitive tokens/passwords with '***' to prevent leakage.
+ *
+ * @param message The message that may contain credentials
+ * @returns The sanitized message with credentials replaced by '***'
+ */
+export declare function sanitizeCredentials(message: string | undefined | null): string;

package/dist/sanitize-utils.js

@@ -0,0 +1,20 @@
+/**
+ * Sanitizes credentials from error messages and logs.
+ * Replaces sensitive tokens/passwords with '***' to prevent leakage.
+ *
+ * @param message The message that may contain credentials
+ * @returns The sanitized message with credentials replaced by '***'
+ */
+export function sanitizeCredentials(message) {
+    if (!message) {
+        return "";
+    }
+    let result = message;
+    // Handle URL credentials (most common case)
+    // Replace password portion in https://user:password@host patterns
+    result = result.replace(/(https:\/\/[^:]+:)([^@]+)(@)/g, "$1***$3");
+    // Handle Authorization headers
+    result = result.replace(/(Authorization:\s*Bearer\s+)(\S+)/gi, "$1***");
+    result = result.replace(/(Authorization:\s*Basic\s+)(\S+)/gi, "$1***");
+    return result;
+}

package/dist/strategies/azure-pr-strategy.js

@@ -5,6 +5,7 @@ import { isAzureDevOpsRepo } from "../repo-detector.js";
 import { BasePRStrategy, } from "./pr-strategy.js";
 import { logger } from "../logger.js";
 import { withRetry, isPermanentError } from "../retry-utils.js";
+import { sanitizeCredentials } from "../sanitize-utils.js";
 export class AzurePRStrategy extends BasePRStrategy {
     constructor(executor) {
         super(executor);
@@ -35,7 +36,7 @@ export class AzurePRStrategy extends BasePRStrategy {
                 }
                 const stderr = error.stderr ?? "";
                 if (stderr && !stderr.includes("does not exist")) {
-                    logger.info(`Debug: Azure PR check failed - ${stderr.trim()}`);
+                    logger.info(`Debug: Azure PR check failed - ${sanitizeCredentials(stderr).trim()}`);
                 }
             }
             return null;

package/dist/strategies/github-pr-strategy.js

@@ -5,6 +5,7 @@ import { isGitHubRepo } from "../repo-detector.js";
 import { BasePRStrategy, } from "./pr-strategy.js";
 import { logger } from "../logger.js";
 import { withRetry, isPermanentError } from "../retry-utils.js";
+import { sanitizeCredentials } from "../sanitize-utils.js";
 /**
  * Get the repo flag value for gh CLI commands.
  * Returns HOST/OWNER/REPO for GHE, OWNER/REPO for github.com.
@@ -66,7 +67,7 @@ export class GitHubPRStrategy extends BasePRStrategy {
                 // Log unexpected errors for debugging (expected: empty result means no PR)
                 const stderr = error.stderr ?? "";
                 if (stderr && !stderr.includes("no pull requests match")) {
-                    logger.info(`Debug: GitHub PR check failed - ${stderr.trim()}`);
+                    logger.info(`Debug: GitHub PR check failed - ${sanitizeCredentials(stderr).trim()}`);
                 }
             }
             return null;

package/dist/strategies/gitlab-pr-strategy.js

@@ -5,6 +5,7 @@ import { isGitLabRepo } from "../repo-detector.js";
 import { BasePRStrategy, } from "./pr-strategy.js";
 import { logger } from "../logger.js";
 import { withRetry, isPermanentError } from "../retry-utils.js";
+import { sanitizeCredentials } from "../sanitize-utils.js";
 export class GitLabPRStrategy extends BasePRStrategy {
     constructor(executor) {
         super(executor);
@@ -89,7 +90,7 @@ export class GitLabPRStrategy extends BasePRStrategy {
                 // Log unexpected errors for debugging
                 const stderr = error.stderr ?? "";
                 if (stderr && !stderr.includes("no merge requests")) {
-                    logger.info(`Debug: GitLab MR check failed - ${stderr.trim()}`);
+                    logger.info(`Debug: GitLab MR check failed - ${sanitizeCredentials(stderr).trim()}`);
                 }
             }
             return null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aspruyt/xfg",
-  "version": "3.1.5",
+  "version": "3.3.2",
   "description": "CLI tool for repository-as-code",
   "type": "module",
   "main": "dist/index.js",