@aspruyt/xfg 3.13.1 → 4.0.1

package/dist/settings/rulesets/formatter.js

@@ -1,7 +1,6 @@
 import chalk from "chalk";
 import { projectToDesiredShape, normalizeRuleset, } from "./diff.js";
-import { computePropertyDiffs, isObject, } from "./index.js";
-export { computePropertyDiffs } from "./index.js";
+import { computePropertyDiffs, isObject, } from "./diff-algorithm.js";
 /**
  * Build a tree structure from flat property diffs.
  */
@@ -187,9 +186,6 @@ export function formatPropertyTree(diffs) {
     const tree = buildTree(diffs);
     return renderTree(tree);
 }
-// =============================================================================
-// Ruleset Plan Formatter
-// =============================================================================
 /**
  * Format a full ruleset config as tree lines (for create action).
  */
@@ -253,7 +249,6 @@ export function formatRulesetPlan(changes) {
     updates = updateChanges.length;
     deletes = deleteChanges.length;
     unchanged = unchangedChanges.length;
-    // Format creates
     if (createChanges.length > 0) {
         lines.push(chalk.bold("  Create:"));
         for (const change of createChanges) {
@@ -273,7 +268,6 @@ export function formatRulesetPlan(changes) {
             lines.push(""); // Blank line between rulesets
         }
     }
-    // Format updates
     if (updateChanges.length > 0) {
         lines.push(chalk.bold("  Update:"));
         for (const change of updateChanges) {
@@ -303,7 +297,6 @@ export function formatRulesetPlan(changes) {
             lines.push(""); // Blank line between rulesets
         }
     }
-    // Format deletes
     if (deleteChanges.length > 0) {
         lines.push(chalk.bold("  Delete:"));
         for (const change of deleteChanges) {

package/dist/settings/rulesets/github-ruleset-strategy.d.ts

@@ -1,41 +1,13 @@
 import { ICommandExecutor } from "../../shared/command-executor.js";
 import { RepoInfo } from "../../shared/repo-detector.js";
+import { type GhApiOptions } from "../../shared/gh-api-utils.js";
 import type { Ruleset } from "../../config/index.js";
-import type { IRulesetStrategy } from "./types.js";
-/**
- * GitHub Ruleset response from API (snake_case).
- */
-export interface GitHubRuleset {
-    id: number;
-    name: string;
-    target: "branch" | "tag";
-    enforcement: "active" | "disabled" | "evaluate";
-    bypass_actors?: GitHubBypassActor[];
-    conditions?: GitHubRulesetConditions;
-    rules?: GitHubRule[];
-    source_type?: string;
-    source?: string;
-}
-export interface GitHubBypassActor {
-    actor_id: number;
-    actor_type: "Team" | "User" | "Integration";
-    bypass_mode?: "always" | "pull_request";
-}
-export interface GitHubRulesetConditions {
-    ref_name?: {
-        include?: string[];
-        exclude?: string[];
-    };
-}
-export interface GitHubRule {
-    type: string;
-    parameters?: Record<string, unknown>;
-}
+import type { IRulesetStrategy, GitHubRuleset, GitHubBypassActor, GitHubRulesetConditions, GitHubRule } from "./types.js";
 /**
  * Converts camelCase config ruleset to snake_case GitHub API format.
  */
 export declare function configToGitHub(name: string, ruleset: Ruleset): GitHubRulesetPayload;
-export interface GitHubRulesetPayload {
+interface GitHubRulesetPayload {
     name: string;
     target: "branch" | "tag";
     enforcement: "active" | "disabled" | "evaluate";
@@ -43,11 +15,7 @@ export interface GitHubRulesetPayload {
     conditions?: GitHubRulesetConditions;
     rules?: GitHubRule[];
 }
-export interface RulesetStrategyOptions {
-    token?: string;
-    host?: string;
-}
-export interface GitHubRulesetStrategyOptions {
+interface GitHubRulesetStrategyOptions {
     retries?: number;
 }
 /**
@@ -55,35 +23,27 @@ export interface GitHubRulesetStrategyOptions {
  * Uses `gh api` CLI for authentication and API calls.
  */
 export declare class GitHubRulesetStrategy implements IRulesetStrategy {
-    private executor;
-    private retries;
+    private api;
     constructor(executor?: ICommandExecutor, options?: GitHubRulesetStrategyOptions);
     /**
      * Lists all rulesets for a repository.
      */
-    list(repoInfo: RepoInfo, options?: RulesetStrategyOptions): Promise<GitHubRuleset[]>;
+    list(repoInfo: RepoInfo, options?: GhApiOptions): Promise<GitHubRuleset[]>;
     /**
      * Gets a single ruleset by ID.
      */
-    get(repoInfo: RepoInfo, rulesetId: number, options?: RulesetStrategyOptions): Promise<GitHubRuleset>;
+    get(repoInfo: RepoInfo, rulesetId: number, options?: GhApiOptions): Promise<GitHubRuleset>;
     /**
      * Creates a new ruleset.
      */
-    create(repoInfo: RepoInfo, name: string, ruleset: Ruleset, options?: RulesetStrategyOptions): Promise<GitHubRuleset>;
+    create(repoInfo: RepoInfo, name: string, ruleset: Ruleset, options?: GhApiOptions): Promise<GitHubRuleset>;
     /**
      * Updates an existing ruleset.
      */
-    update(repoInfo: RepoInfo, rulesetId: number, name: string, ruleset: Ruleset, options?: RulesetStrategyOptions): Promise<GitHubRuleset>;
+    update(repoInfo: RepoInfo, rulesetId: number, name: string, ruleset: Ruleset, options?: GhApiOptions): Promise<GitHubRuleset>;
     /**
      * Deletes a ruleset.
      */
-    delete(repoInfo: RepoInfo, rulesetId: number, options?: RulesetStrategyOptions): Promise<void>;
-    /**
-     * Validates that the repo is a GitHub repository.
-     */
-    private validateGitHub;
-    /**
-     * Executes a GitHub API call using the gh CLI.
-     */
-    private ghApi;
+    delete(repoInfo: RepoInfo, rulesetId: number, options?: GhApiOptions): Promise<void>;
 }
+export {};

package/dist/settings/rulesets/github-ruleset-strategy.js

@@ -1,10 +1,7 @@
 import { defaultExecutor, } from "../../shared/command-executor.js";
-import { isGitHubRepo, } from "../../shared/repo-detector.js";
-import { escapeShellArg } from "../../shared/shell-utils.js";
-import { withRetry } from "../../shared/retry-utils.js";
-// =============================================================================
-// Conversion Functions
-// =============================================================================
+import { assertGitHubRepo } from "../../shared/repo-detector.js";
+import { camelToSnake } from "../../shared/string-utils.js";
+import { GhApiClient, parseApiJson, } from "../../shared/gh-api-utils.js";
 /**
  * Converts camelCase config ruleset to snake_case GitHub API format.
  */
@@ -101,117 +98,59 @@ function convertValue(value) {
     }
     return value;
 }
-/**
- * Converts camelCase to snake_case.
- */
-function camelToSnake(str) {
-    return str.replace(/([A-Z])/g, "_$1").toLowerCase();
-}
 /**
  * GitHub Ruleset Strategy for managing repository rulesets via GitHub REST API.
  * Uses `gh api` CLI for authentication and API calls.
  */
 export class GitHubRulesetStrategy {
-    executor;
-    retries;
+    api;
     constructor(executor, options) {
-        this.executor = executor ?? defaultExecutor;
-        this.retries = options?.retries ?? 3;
+        this.api = new GhApiClient(executor ?? defaultExecutor, options?.retries ?? 3);
     }
     /**
      * Lists all rulesets for a repository.
      */
     async list(repoInfo, options) {
-        this.validateGitHub(repoInfo);
-        const github = repoInfo;
-        const endpoint = `/repos/${github.owner}/${github.repo}/rulesets`;
-        const result = await this.ghApi("GET", endpoint, undefined, options);
-        return JSON.parse(result);
+        assertGitHubRepo(repoInfo, "GitHub Ruleset strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/rulesets`;
+        const result = await this.api.call("GET", endpoint, undefined, options);
+        return parseApiJson(result, "rulesets response");
     }
     /**
      * Gets a single ruleset by ID.
      */
     async get(repoInfo, rulesetId, options) {
-        this.validateGitHub(repoInfo);
-        const github = repoInfo;
-        const endpoint = `/repos/${github.owner}/${github.repo}/rulesets/${rulesetId}`;
-        const result = await this.ghApi("GET", endpoint, undefined, options);
-        return JSON.parse(result);
+        assertGitHubRepo(repoInfo, "GitHub Ruleset strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/rulesets/${rulesetId}`;
+        const result = await this.api.call("GET", endpoint, undefined, options);
+        return parseApiJson(result, "ruleset response");
     }
     /**
      * Creates a new ruleset.
      */
     async create(repoInfo, name, ruleset, options) {
-        this.validateGitHub(repoInfo);
-        const github = repoInfo;
-        const endpoint = `/repos/${github.owner}/${github.repo}/rulesets`;
+        assertGitHubRepo(repoInfo, "GitHub Ruleset strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/rulesets`;
         const payload = configToGitHub(name, ruleset);
-        const result = await this.ghApi("POST", endpoint, payload, options);
-        return JSON.parse(result);
+        const result = await this.api.call("POST", endpoint, payload, options);
+        return parseApiJson(result, "ruleset response");
     }
     /**
      * Updates an existing ruleset.
      */
     async update(repoInfo, rulesetId, name, ruleset, options) {
-        this.validateGitHub(repoInfo);
-        const github = repoInfo;
-        const endpoint = `/repos/${github.owner}/${github.repo}/rulesets/${rulesetId}`;
+        assertGitHubRepo(repoInfo, "GitHub Ruleset strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/rulesets/${rulesetId}`;
         const payload = configToGitHub(name, ruleset);
-        const result = await this.ghApi("PUT", endpoint, payload, options);
-        return JSON.parse(result);
+        const result = await this.api.call("PUT", endpoint, payload, options);
+        return parseApiJson(result, "ruleset response");
     }
     /**
      * Deletes a ruleset.
      */
     async delete(repoInfo, rulesetId, options) {
-        this.validateGitHub(repoInfo);
-        const github = repoInfo;
-        const endpoint = `/repos/${github.owner}/${github.repo}/rulesets/${rulesetId}`;
-        await this.ghApi("DELETE", endpoint, undefined, options);
-    }
-    /**
-     * Validates that the repo is a GitHub repository.
-     */
-    validateGitHub(repoInfo) {
-        if (!isGitHubRepo(repoInfo)) {
-            throw new Error(`GitHub Ruleset strategy requires GitHub repositories. Got: ${repoInfo.type}`);
-        }
-    }
-    /**
-     * Executes a GitHub API call using the gh CLI.
-     */
-    async ghApi(method, endpoint, payload, options) {
-        const args = ["gh", "api"];
-        // Add method flag
-        if (method !== "GET") {
-            args.push("-X", method);
-        }
-        // Add host flag for GitHub Enterprise
-        if (options?.host && options.host !== "github.com") {
-            args.push("--hostname", escapeShellArg(options.host));
-        }
-        // Add endpoint
-        args.push(escapeShellArg(endpoint));
-        // Build base command
-        const baseCommand = args.join(" ");
-        // Add GH_TOKEN environment variable prefix if token provided
-        // Token is escaped to prevent command injection
-        const tokenPrefix = options?.token
-            ? `GH_TOKEN=${escapeShellArg(options.token)} `
-            : "";
-        // For POST/PUT with payload, use echo pipe pattern (same as graphql-commit-strategy)
-        // This is safer than heredoc as escapeShellArg properly escapes the content
-        if (payload && (method === "POST" || method === "PUT")) {
-            const payloadJson = JSON.stringify(payload);
-            const command = `echo ${escapeShellArg(payloadJson)} | ${tokenPrefix}${baseCommand} --input -`;
-            return await withRetry(() => this.executor.exec(command, process.cwd()), {
-                retries: this.retries,
-            });
-        }
-        // For GET/DELETE, run command directly
-        const command = `${tokenPrefix}${baseCommand}`;
-        return await withRetry(() => this.executor.exec(command, process.cwd()), {
-            retries: this.retries,
-        });
+        assertGitHubRepo(repoInfo, "GitHub Ruleset strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/rulesets/${rulesetId}`;
+        await this.api.call("DELETE", endpoint, undefined, options);
     }
 }

package/dist/settings/rulesets/index.d.ts

@@ -1,6 +1,3 @@
-export type { IRulesetStrategy } from "./types.js";
-export { computePropertyDiffs, diffObjectArrays, deepEqual, isObject, isArrayOfObjects, type DiffAction, type PropertyDiff, } from "./diff-algorithm.js";
-export { RulesetProcessor, type IRulesetProcessor, type RulesetProcessorOptions, type RulesetProcessorResult, } from "./processor.js";
-export { diffRulesets, normalizeRuleset, projectToDesiredShape, type RulesetAction, type RulesetChange, } from "./diff.js";
-export { formatRulesetPlan, type RulesetPlanResult, type RulesetPlanEntry, } from "./formatter.js";
-export { GitHubRulesetStrategy, configToGitHub, type GitHubRuleset, type GitHubBypassActor, type GitHubRulesetConditions, type GitHubRule, type RulesetStrategyOptions, } from "./github-ruleset-strategy.js";
+export { computePropertyDiffs, deepEqual, isObject, isArrayOfObjects, type PropertyDiff, } from "./diff-algorithm.js";
+export { formatPropertyTree, type RulesetPlanEntry } from "./formatter.js";
+export { RulesetProcessor, type IRulesetProcessor } from "./processor.js";

package/dist/settings/rulesets/index.js

@@ -1,10 +1,6 @@
 // Diff algorithm - property-level diffing for ruleset comparisons
-export { computePropertyDiffs, diffObjectArrays, deepEqual, isObject, isArrayOfObjects, } from "./diff-algorithm.js";
-// Ruleset processor
-export { RulesetProcessor, } from "./processor.js";
-// Ruleset diff
-export { diffRulesets, normalizeRuleset, projectToDesiredShape, } from "./diff.js";
-// Ruleset formatter
-export { formatRulesetPlan, } from "./formatter.js";
-// Ruleset strategies
-export { GitHubRulesetStrategy, configToGitHub, } from "./github-ruleset-strategy.js";
+export { computePropertyDiffs, deepEqual, isObject, isArrayOfObjects, } from "./diff-algorithm.js";
+// Formatter
+export { formatPropertyTree } from "./formatter.js";
+// Processor
+export { RulesetProcessor } from "./processor.js";

package/dist/settings/rulesets/processor.d.ts

@@ -1,32 +1,14 @@
 import type { RepoConfig } from "../../config/index.js";
 import type { RepoInfo } from "../../shared/repo-detector.js";
-import { GitHubRulesetStrategy } from "./github-ruleset-strategy.js";
+import type { IRulesetStrategy } from "./types.js";
 import { RulesetPlanResult } from "./formatter.js";
-export interface IRulesetProcessor {
-    process(repoConfig: RepoConfig, repoInfo: RepoInfo, options: RulesetProcessorOptions): Promise<RulesetProcessorResult>;
-}
-export interface RulesetProcessorOptions {
-    configId: string;
-    dryRun?: boolean;
-    managedRulesets: string[];
+import { type BaseProcessorOptions, type BaseProcessorResult, type ISettingsProcessor, type ChangeCounts } from "../base-processor.js";
+export type IRulesetProcessor = ISettingsProcessor<RulesetProcessorOptions, RulesetProcessorResult>;
+export interface RulesetProcessorOptions extends BaseProcessorOptions {
     noDelete?: boolean;
-    token?: string;
 }
-export interface RulesetProcessorResult {
-    success: boolean;
-    repoName: string;
-    message: string;
-    skipped?: boolean;
-    dryRun?: boolean;
-    changes?: {
-        create: number;
-        update: number;
-        delete: number;
-        unchanged: number;
-    };
-    manifestUpdate?: {
-        rulesets: string[];
-    };
+export interface RulesetProcessorResult extends BaseProcessorResult {
+    changes?: ChangeCounts;
     planOutput?: RulesetPlanResult;
 }
 /**
@@ -35,24 +17,7 @@ export interface RulesetProcessorResult {
  */
 export declare class RulesetProcessor implements IRulesetProcessor {
     private readonly strategy;
-    private readonly tokenManager;
-    constructor(strategy?: GitHubRulesetStrategy);
-    /**
-     * Process rulesets for a single repository.
-     */
+    constructor(strategy?: IRulesetStrategy);
     process(repoConfig: RepoConfig, repoInfo: RepoInfo, options: RulesetProcessorOptions): Promise<RulesetProcessorResult>;
-    /**
-     * Format change counts into a summary string.
-     */
-    private formatChangeSummary;
-    /**
-     * Compute manifest update based on current config.
-     * Only rulesets with deleteOrphaned enabled should be tracked.
-     */
-    private computeManifestUpdate;
-    /**
-     * Resolves a GitHub App installation token for the given repo.
-     * Returns undefined if no token manager or token resolution fails.
-     */
-    private getInstallationToken;
+    private processSettings;
 }

package/dist/settings/rulesets/processor.js

@@ -1,188 +1,80 @@
-import { isGitHubRepo, getRepoDisplayName, } from "../../shared/repo-detector.js";
-import { GitHubRulesetStrategy, } from "./github-ruleset-strategy.js";
+import { GitHubRulesetStrategy } from "./github-ruleset-strategy.js";
 import { diffRulesets } from "./diff.js";
 import { formatRulesetPlan } from "./formatter.js";
-import { hasGitHubAppCredentials } from "../../vcs/index.js";
-import { GitHubAppTokenManager } from "../../vcs/github-app-token-manager.js";
-// =============================================================================
-// Processor Implementation
-// =============================================================================
+import { withGitHubGuards, countActions, buildDryRunResult, buildApplyResult, } from "../base-processor.js";
 /**
  * Processes ruleset configuration for a repository.
  * Handles create/update/delete operations via GitHub Rulesets API.
  */
 export class RulesetProcessor {
     strategy;
-    tokenManager;
     constructor(strategy) {
         this.strategy = strategy ?? new GitHubRulesetStrategy();
-        if (hasGitHubAppCredentials()) {
-            this.tokenManager = new GitHubAppTokenManager(process.env.XFG_GITHUB_APP_ID, process.env.XFG_GITHUB_APP_PRIVATE_KEY);
-        }
-        else {
-            this.tokenManager = null;
-        }
     }
-    /**
-     * Process rulesets for a single repository.
-     */
     async process(repoConfig, repoInfo, options) {
-        const repoName = getRepoDisplayName(repoInfo);
-        const { dryRun, managedRulesets, noDelete, token } = options;
-        // Check if this is a GitHub repo
-        if (!isGitHubRepo(repoInfo)) {
-            return {
-                success: true,
-                repoName,
-                message: `Skipped: ${repoName} is not a GitHub repository`,
-                skipped: true,
-            };
-        }
-        const githubRepo = repoInfo;
+        return withGitHubGuards(repoConfig, repoInfo, options, {
+            hasDesiredSettings: (rc) => Object.keys(rc.settings?.rulesets ?? {}).length > 0,
+            emptySettingsMessage: "No rulesets configured",
+            processSettings: (githubRepo, rc, opts, token, repoName) => this.processSettings(githubRepo, rc, opts, token, repoName),
+        });
+    }
+    async processSettings(githubRepo, repoConfig, options, effectiveToken, repoName) {
+        const { dryRun, noDelete } = options;
         const settings = repoConfig.settings;
         const desiredRulesets = settings?.rulesets ?? {};
         const deleteOrphaned = settings?.deleteOrphaned ?? false;
-        // If no rulesets configured, skip
-        if (Object.keys(desiredRulesets).length === 0 &&
-            managedRulesets.length === 0) {
-            return {
-                success: true,
-                repoName,
-                message: "No rulesets configured",
-                skipped: true,
-            };
-        }
-        try {
-            // Resolve App token if available, fall back to provided token
-            const effectiveToken = token ?? (await this.getInstallationToken(githubRepo));
-            const strategyOptions = { token: effectiveToken, host: githubRepo.host };
-            const currentRulesets = await this.strategy.list(githubRepo, strategyOptions);
-            // Convert desired rulesets to Map
-            const desiredMap = new Map(Object.entries(desiredRulesets));
-            // Hydrate rulesets that match desired names with full details from get()
-            // The list endpoint only returns summary fields (id, name, target, enforcement)
-            // but not rules, conditions, or bypass_actors needed for accurate diffing
-            const fullRulesets = [];
-            for (const summary of currentRulesets) {
-                if (desiredMap.has(summary.name)) {
-                    const full = await this.strategy.get(githubRepo, summary.id, strategyOptions);
-                    fullRulesets.push(full);
-                }
-                else {
-                    fullRulesets.push(summary);
-                }
-            }
-            // Compute diff
-            const changes = diffRulesets(fullRulesets, desiredMap, managedRulesets);
-            // Count changes by type
-            const changeCounts = {
-                create: changes.filter((c) => c.action === "create").length,
-                update: changes.filter((c) => c.action === "update").length,
-                delete: changes.filter((c) => c.action === "delete").length,
-                unchanged: changes.filter((c) => c.action === "unchanged").length,
-            };
-            const planOutput = formatRulesetPlan(changes);
-            // Dry run mode - report planned changes without applying
-            if (dryRun) {
-                const summary = this.formatChangeSummary(changeCounts);
-                return {
-                    success: true,
-                    repoName,
-                    message: `[DRY RUN] ${summary}`,
-                    dryRun: true,
-                    changes: changeCounts,
-                    planOutput,
-                    manifestUpdate: this.computeManifestUpdate(desiredRulesets, deleteOrphaned),
-                };
+        const strategyOptions = { token: effectiveToken, host: githubRepo.host };
+        const currentRulesets = await this.strategy.list(githubRepo, strategyOptions);
+        const desiredMap = new Map(Object.entries(desiredRulesets));
+        // Hydrate rulesets that match desired names with full details from get()
+        // The list endpoint only returns summary fields (id, name, target, enforcement)
+        // but not rules, conditions, or bypass_actors needed for accurate diffing
+        const fullRulesets = [];
+        for (const summary of currentRulesets) {
+            if (desiredMap.has(summary.name)) {
+                const full = await this.strategy.get(githubRepo, summary.id, strategyOptions);
+                fullRulesets.push(full);
             }
-            // Apply changes
-            let appliedCount = 0;
-            for (const change of changes) {
-                switch (change.action) {
-                    case "create":
-                        if (change.desired) {
-                            await this.strategy.create(githubRepo, change.name, change.desired, strategyOptions);
-                            appliedCount++;
-                        }
-                        break;
-                    case "update":
-                        if (change.rulesetId !== undefined && change.desired) {
-                            await this.strategy.update(githubRepo, change.rulesetId, change.name, change.desired, strategyOptions);
-                            appliedCount++;
-                        }
-                        break;
-                    case "delete":
-                        // Check if deletion is allowed
-                        if (!noDelete && deleteOrphaned && change.rulesetId !== undefined) {
-                            await this.strategy.delete(githubRepo, change.rulesetId, strategyOptions);
-                            appliedCount++;
-                        }
-                        break;
-                    case "unchanged":
-                        // No action needed
-                        break;
-                }
+            else {
+                fullRulesets.push(summary);
             }
-            const summary = this.formatChangeSummary(changeCounts);
-            return {
-                success: true,
-                repoName,
-                message: appliedCount > 0 ? `Applied: ${summary}` : "No changes needed",
-                changes: changeCounts,
-                planOutput,
-                manifestUpdate: this.computeManifestUpdate(desiredRulesets, deleteOrphaned),
-            };
         }
-        catch (error) {
-            const message = error instanceof Error ? error.message : String(error);
-            return {
-                success: false,
-                repoName,
-                message: `Failed: ${message}`,
-            };
+        const changes = diffRulesets(fullRulesets, desiredMap, deleteOrphaned);
+        const changeCounts = countActions(changes);
+        const planOutput = formatRulesetPlan(changes);
+        if (dryRun) {
+            return buildDryRunResult(repoName, changeCounts, { planOutput });
         }
-    }
-    /**
-     * Format change counts into a summary string.
-     */
-    formatChangeSummary(counts) {
-        const parts = [];
-        if (counts.create > 0)
-            parts.push(`${counts.create} created`);
-        if (counts.update > 0)
-            parts.push(`${counts.update} updated`);
-        if (counts.delete > 0)
-            parts.push(`${counts.delete} deleted`);
-        if (counts.unchanged > 0)
-            parts.push(`${counts.unchanged} unchanged`);
-        return parts.length > 0 ? parts.join(", ") : "no changes";
-    }
-    /**
-     * Compute manifest update based on current config.
-     * Only rulesets with deleteOrphaned enabled should be tracked.
-     */
-    computeManifestUpdate(rulesets, deleteOrphaned) {
-        if (!deleteOrphaned) {
-            return undefined;
-        }
-        // Track all ruleset names when deleteOrphaned is enabled
-        const rulesetNames = Object.keys(rulesets).sort();
-        return { rulesets: rulesetNames };
-    }
-    /**
-     * Resolves a GitHub App installation token for the given repo.
-     * Returns undefined if no token manager or token resolution fails.
-     */
-    async getInstallationToken(repoInfo) {
-        if (!this.tokenManager) {
-            return undefined;
-        }
-        try {
-            const token = await this.tokenManager.getTokenForRepo(repoInfo);
-            return token ?? undefined;
-        }
-        catch {
-            return undefined;
+        // Apply changes
+        let appliedCount = 0;
+        for (const change of changes) {
+            switch (change.action) {
+                case "create":
+                    if (change.desired) {
+                        await this.strategy.create(githubRepo, change.name, change.desired, strategyOptions);
+                        appliedCount++;
+                    }
+                    break;
+                case "update":
+                    if (change.rulesetId !== undefined && change.desired) {
+                        await this.strategy.update(githubRepo, change.rulesetId, change.name, change.desired, strategyOptions);
+                        appliedCount++;
+                    }
+                    break;
+                case "delete":
+                    // Check if deletion is allowed
+                    if (!noDelete && deleteOrphaned && change.rulesetId !== undefined) {
+                        await this.strategy.delete(githubRepo, change.rulesetId, strategyOptions);
+                        appliedCount++;
+                    }
+                    break;
+                case "unchanged":
+                    // No action needed
+                    break;
+            }
         }
+        return buildApplyResult(repoName, changeCounts, appliedCount, {
+            planOutput,
+        });
     }
 }