@aspruyt/xfg 3.7.2 → 3.7.4

package/dist/index.js

@@ -15,12 +15,14 @@ import { sanitizeBranchName, validateBranchName } from "./git-ops.js";
 import { logger } from "./logger.js";
 import { generateWorkspaceName } from "./workspace-utils.js";
 import { RepositoryProcessor, } from "./repository-processor.js";
-import { writeSummary } from "./github-summary.js";
 import { buildRepoResult, buildErrorResult } from "./summary-utils.js";
 import { RulesetProcessor, } from "./ruleset-processor.js";
 import { getManagedRulesets } from "./manifest.js";
 import { isGitHubRepo } from "./repo-detector.js";
 import { RepoSettingsProcessor, } from "./repo-settings-processor.js";
+import { printPlan } from "./plan-formatter.js";
+import { writePlanSummary } from "./plan-summary.js";
+import { rulesetResultToResources, syncResultToResources, repoSettingsResultToResources, } from "./resource-converters.js";
 /**
  * Default factory that creates a real RepositoryProcessor.
  */
@@ -115,6 +117,8 @@ export async function runSync(options, processorFactory = defaultProcessorFactor
     console.log(`Branch: ${branchName}\n`);
     const processor = processorFactory();
     const results = [];
+    // Build plan for Terraform-style output
+    const plan = { resources: [], errors: [] };
     for (let i = 0; i < config.repos.length; i++) {
         const repoConfig = config.repos[i];
         // Apply CLI merge overrides to repo config
@@ -136,6 +140,10 @@ export async function runSync(options, processorFactory = defaultProcessorFactor
         catch (error) {
             logger.error(current, repoConfig.git, String(error));
             results.push(buildErrorResult(repoConfig.git, error));
+            plan.errors.push({
+                repo: repoConfig.git,
+                message: error instanceof Error ? error.message : String(error),
+            });
             continue;
         }
         const repoName = getRepoDisplayName(repoInfo);
@@ -162,27 +170,27 @@ export async function runSync(options, processorFactory = defaultProcessorFactor
             else {
                 logger.error(current, repoName, result.message);
             }
+            // Collect resources for plan output
+            plan.resources.push(...syncResultToResources(repoName, repoConfig, result));
         }
         catch (error) {
             logger.error(current, repoName, String(error));
             results.push(buildErrorResult(repoName, error));
+            plan.errors.push({
+                repo: repoName,
+                message: error instanceof Error ? error.message : String(error),
+            });
         }
     }
-    logger.summary();
-    // Write GitHub Actions job summary if running in GitHub Actions
-    const succeeded = results.filter((r) => r.status === "succeeded").length;
-    const skipped = results.filter((r) => r.status === "skipped").length;
-    const failed = results.filter((r) => r.status === "failed").length;
-    writeSummary({
+    // Print Terraform-style plan summary
+    console.log("");
+    printPlan(plan);
+    // Write GitHub Actions job summary
+    writePlanSummary(plan, {
         title: "Config Sync Summary",
-        dryRun: options.dryRun,
-        total: config.repos.length,
-        succeeded,
-        skipped,
-        failed,
-        results,
+        dryRun: options.dryRun ?? false,
     });
-    if (logger.hasFailures()) {
+    if (plan.errors && plan.errors.length > 0) {
         process.exit(1);
     }
 }
@@ -228,14 +236,8 @@ export async function runSettings(options, processorFactory = defaultRulesetProc
     const processor = processorFactory();
     const repoProcessor = repoProcessorFactory();
     const results = [];
-    let successCount = 0;
-    let failCount = 0;
-    let skipCount = 0;
-    // Tracking for multi-repo summary in dry-run mode
-    let totalCreates = 0;
-    let totalUpdates = 0;
-    let totalDeletes = 0;
-    let reposWithChanges = 0;
+    // Build plan for Terraform-style output
+    const plan = { resources: [], errors: [] };
     for (let i = 0; i < reposWithRulesets.length; i++) {
         const repoConfig = reposWithRulesets[i];
         let repoInfo;
@@ -247,14 +249,28 @@ export async function runSettings(options, processorFactory = defaultRulesetProc
         catch (error) {
             logger.error(i + 1, repoConfig.git, String(error));
             results.push(buildErrorResult(repoConfig.git, error));
-            failCount++;
+            plan.errors.push({
+                repo: repoConfig.git,
+                message: error instanceof Error ? error.message : String(error),
+            });
             continue;
         }
         const repoName = getRepoDisplayName(repoInfo);
         // Skip non-GitHub repos
         if (!isGitHubRepo(repoInfo)) {
             logger.skip(i + 1, repoName, "GitHub Rulesets only supported for GitHub repos");
-            skipCount++;
+            // Mark all rulesets from this repo as skipped
+            if (repoConfig.settings?.rulesets) {
+                for (const rulesetName of Object.keys(repoConfig.settings.rulesets)) {
+                    plan.resources.push({
+                        type: "ruleset",
+                        repo: repoName,
+                        name: rulesetName,
+                        action: "skipped",
+                        skipReason: "GitHub Rulesets only supported for GitHub repos",
+                    });
+                }
+            }
             continue;
         }
         // Note: For settings command, we don't clone repos - we work with the API directly.
@@ -269,34 +285,11 @@ export async function runSettings(options, processorFactory = defaultRulesetProc
                 managedRulesets,
                 noDelete: options.noDelete,
             });
-            // Display plan output for dry-run mode
-            if (options.dryRun && result.planOutput) {
-                if (result.planOutput.lines.length > 0) {
-                    logger.rulesetPlan(repoName, result.planOutput.lines, {
-                        creates: result.planOutput.creates,
-                        updates: result.planOutput.updates,
-                        deletes: result.planOutput.deletes,
-                        unchanged: result.planOutput.unchanged,
-                    });
-                }
-                // Accumulate totals for multi-repo summary
-                totalCreates += result.planOutput.creates;
-                totalUpdates += result.planOutput.updates;
-                totalDeletes += result.planOutput.deletes;
-                if (result.planOutput.creates +
-                    result.planOutput.updates +
-                    result.planOutput.deletes >
-                    0) {
-                    reposWithChanges++;
-                }
-            }
             if (result.skipped) {
                 logger.skip(i + 1, repoName, result.message);
-                skipCount++;
             }
             else if (result.success) {
                 logger.success(i + 1, repoName, result.message);
-                successCount++;
                 // Update manifest with ruleset tracking if there are rulesets to track
                 if (result.manifestUpdate &&
                     result.manifestUpdate.rulesets.length > 0) {
@@ -316,7 +309,6 @@ export async function runSettings(options, processorFactory = defaultRulesetProc
             }
             else {
                 logger.error(i + 1, repoName, result.message);
-                failCount++;
             }
             results.push({
                 repoName,
@@ -328,11 +320,16 @@ export async function runSettings(options, processorFactory = defaultRulesetProc
                 message: result.message,
                 rulesetPlanDetails: result.planOutput?.entries,
             });
+            // Collect resources for plan output
+            plan.resources.push(...rulesetResultToResources(repoName, result));
         }
         catch (error) {
             logger.error(i + 1, repoName, String(error));
             results.push(buildErrorResult(repoName, error));
-            failCount++;
+            plan.errors.push({
+                repo: repoName,
+                message: error instanceof Error ? error.message : String(error),
+            });
         }
     }
     // Process repo settings
@@ -349,7 +346,10 @@ export async function runSettings(options, processorFactory = defaultRulesetProc
             }
             catch (error) {
                 console.error(`Failed to parse ${repoConfig.git}: ${error}`);
-                failCount++;
+                plan.errors.push({
+                    repo: repoConfig.git,
+                    message: error instanceof Error ? error.message : String(error),
+                });
                 continue;
             }
             const repoName = getRepoDisplayName(repoInfo);
@@ -374,11 +374,9 @@ export async function runSettings(options, processorFactory = defaultRulesetProc
                 }
                 else if (result.success) {
                     console.log(chalk.green(`  ✓ ${repoName}: ${result.message}`));
-                    successCount++;
                 }
                 else {
                     console.log(chalk.red(`  ✗ ${repoName}: ${result.message}`));
-                    failCount++;
                 }
                 // Merge repo settings plan details into existing result or push new
                 if (!result.skipped) {
@@ -395,40 +393,27 @@ export async function runSettings(options, processorFactory = defaultRulesetProc
                         });
                     }
                 }
+                // Collect resources for plan output
+                plan.resources.push(...repoSettingsResultToResources(repoName, result));
             }
             catch (error) {
                 console.error(`  ✗ ${repoName}: ${error}`);
-                failCount++;
+                plan.errors.push({
+                    repo: repoName,
+                    message: error instanceof Error ? error.message : String(error),
+                });
             }
         }
     }
-    // Multi-repo summary for dry-run mode
-    if (options.dryRun && reposWithChanges > 0) {
-        console.log("");
-        console.log(chalk.gray("─".repeat(40)));
-        const totalParts = [];
-        if (totalCreates > 0)
-            totalParts.push(chalk.green(`${totalCreates} to create`));
-        if (totalUpdates > 0)
-            totalParts.push(chalk.yellow(`${totalUpdates} to update`));
-        if (totalDeletes > 0)
-            totalParts.push(chalk.red(`${totalDeletes} to delete`));
-        console.log(chalk.bold(`Total: ${totalParts.join(", ")} across ${reposWithChanges} ${reposWithChanges === 1 ? "repository" : "repositories"}`));
-    }
-    // Summary
-    console.log("\n" + "=".repeat(50));
-    console.log(`Completed: ${successCount} succeeded, ${skipCount} skipped, ${failCount} failed`);
-    // Write GitHub Actions job summary if available
-    writeSummary({
+    // Print Terraform-style plan summary
+    console.log("");
+    printPlan(plan);
+    // Write GitHub Actions job summary
+    writePlanSummary(plan, {
         title: "Repository Settings Summary",
-        dryRun: options.dryRun,
-        total: reposWithRulesets.length + reposWithRepoSettings.length,
-        succeeded: successCount,
-        skipped: skipCount,
-        failed: failCount,
-        results,
+        dryRun: options.dryRun ?? false,
     });
-    if (failCount > 0) {
+    if (plan.errors && plan.errors.length > 0) {
         process.exit(1);
     }
 }

package/dist/logger.d.ts

@@ -1,22 +1,13 @@
 import { FileStatus } from "./diff-utils.js";
-export interface RulesetPlanCounts {
-    creates: number;
-    updates: number;
-    deletes: number;
-    unchanged: number;
-}
 export interface ILogger {
     info(message: string): void;
     fileDiff(fileName: string, status: FileStatus, diffLines: string[]): void;
     diffSummary(newCount: number, modifiedCount: number, unchangedCount: number, deletedCount?: number): void;
-    rulesetPlan(repoName: string, planLines: string[], counts: RulesetPlanCounts): void;
     setTotal(total: number): void;
     progress(current: number, repoName: string, message: string): void;
     success(current: number, repoName: string, message: string): void;
     skip(current: number, repoName: string, reason: string): void;
     error(current: number, repoName: string, error: string): void;
-    summary(): void;
-    hasFailures(): boolean;
 }
 export interface LoggerStats {
     total: number;
@@ -41,11 +32,5 @@ export declare class Logger implements ILogger {
      * Display summary statistics for dry-run diff.
      */
     diffSummary(newCount: number, modifiedCount: number, unchangedCount: number, deletedCount?: number): void;
-    /**
-     * Display ruleset plan output for dry-run mode.
-     */
-    rulesetPlan(repoName: string, planLines: string[], counts: RulesetPlanCounts): void;
-    summary(): void;
-    hasFailures(): boolean;
 }
 export declare const logger: Logger;

package/dist/logger.js

@@ -62,39 +62,5 @@ export class Logger {
             console.log(chalk.gray(`    Summary: ${parts.join(", ")}`));
         }
     }
-    /**
-     * Display ruleset plan output for dry-run mode.
-     */
-    rulesetPlan(repoName, planLines, counts) {
-        console.log("");
-        console.log(chalk.bold(`Repository: ${repoName}`));
-        for (const line of planLines) {
-            console.log(line);
-        }
-        // Summary line
-        const parts = [];
-        if (counts.creates > 0)
-            parts.push(chalk.green(`${counts.creates} to create`));
-        if (counts.updates > 0)
-            parts.push(chalk.yellow(`${counts.updates} to update`));
-        if (counts.deletes > 0)
-            parts.push(chalk.red(`${counts.deletes} to delete`));
-        const unchangedPart = counts.unchanged > 0
-            ? chalk.gray(` (${counts.unchanged} unchanged)`)
-            : "";
-        const summaryLine = parts.length > 0 ? parts.join(", ") + unchangedPart : "No changes";
-        console.log(chalk.gray(`Plan: ${summaryLine}`));
-    }
-    summary() {
-        console.log("");
-        console.log(chalk.bold("Summary:"));
-        console.log(`  Total:     ${this.stats.total}`);
-        console.log(chalk.green(`  Succeeded: ${this.stats.succeeded}`));
-        console.log(chalk.yellow(`  Skipped:   ${this.stats.skipped}`));
-        console.log(chalk.red(`  Failed:    ${this.stats.failed}`));
-    }
-    hasFailures() {
-        return this.stats.failed > 0;
-    }
 }
 export const logger = new Logger();

package/dist/plan-formatter.d.ts

@@ -0,0 +1,39 @@
+export type ResourceType = "file" | "ruleset" | "setting";
+export type ResourceAction = "create" | "update" | "delete" | "unchanged" | "skipped";
+export interface Resource {
+    type: ResourceType;
+    repo: string;
+    name: string;
+    action: ResourceAction;
+    details?: ResourceDetails;
+    skipReason?: string;
+}
+export interface ResourceDetails {
+    diff?: string[];
+    properties?: PropertyChange[];
+}
+export interface PropertyChange {
+    path: string;
+    action: "add" | "change" | "remove";
+    oldValue?: unknown;
+    newValue?: unknown;
+}
+export declare function formatResourceId(resource: Resource): string;
+export declare function formatResourceLine(resource: Resource): string;
+export interface PlanCounts {
+    create: number;
+    update: number;
+    delete: number;
+    skipped?: number;
+}
+export declare function formatPlanSummary(counts: PlanCounts): string;
+export interface Plan {
+    resources: Resource[];
+    errors?: RepoError[];
+}
+export interface RepoError {
+    repo: string;
+    message: string;
+}
+export declare function formatPlan(plan: Plan): string[];
+export declare function printPlan(plan: Plan): void;

package/dist/plan-formatter.js

@@ -0,0 +1,84 @@
+import chalk from "chalk";
+export function formatResourceId(resource) {
+    return `${resource.type} "${resource.repo}/${resource.name}"`;
+}
+export function formatResourceLine(resource) {
+    const id = formatResourceId(resource);
+    switch (resource.action) {
+        case "create":
+            return chalk.green(`+ ${id}`);
+        case "update":
+            return chalk.yellow(`~ ${id}`);
+        case "delete":
+            return chalk.red(`- ${id}`);
+        case "skipped":
+            return chalk.gray(`⊘ ${id}`);
+        case "unchanged":
+            return chalk.gray(`  ${id}`);
+    }
+}
+export function formatPlanSummary(counts) {
+    const parts = [];
+    if (counts.create > 0) {
+        parts.push(chalk.green(`${counts.create} to create`));
+    }
+    if (counts.update > 0) {
+        parts.push(chalk.yellow(`${counts.update} to change`));
+    }
+    if (counts.delete > 0) {
+        parts.push(chalk.red(`${counts.delete} to destroy`));
+    }
+    if (parts.length === 0 && (!counts.skipped || counts.skipped === 0)) {
+        return "No changes. Your repositories match the configuration.";
+    }
+    let summary = parts.length > 0 ? `Plan: ${parts.join(", ")}` : "Plan:";
+    if (counts.skipped && counts.skipped > 0) {
+        summary += chalk.gray(` (${counts.skipped} skipped)`);
+    }
+    return summary;
+}
+export function formatPlan(plan) {
+    const lines = [];
+    // Filter to only changed resources
+    const changedResources = plan.resources.filter((r) => r.action !== "unchanged");
+    // Format each resource
+    for (const resource of changedResources) {
+        lines.push(formatResourceLine(resource));
+        // Add details if present (indented)
+        if (resource.details?.diff) {
+            for (const diffLine of resource.details.diff) {
+                lines.push(`    ${diffLine}`);
+            }
+        }
+    }
+    // Add errors
+    if (plan.errors && plan.errors.length > 0) {
+        for (const error of plan.errors) {
+            lines.push(chalk.red(`✗ ${error.repo}`));
+            lines.push(chalk.red(`    Error: ${error.message}`));
+        }
+    }
+    // Add blank line before summary
+    if (lines.length > 0) {
+        lines.push("");
+    }
+    // Count actions
+    const counts = {
+        create: plan.resources.filter((r) => r.action === "create").length,
+        update: plan.resources.filter((r) => r.action === "update").length,
+        delete: plan.resources.filter((r) => r.action === "delete").length,
+        skipped: plan.resources.filter((r) => r.action === "skipped").length,
+    };
+    lines.push(formatPlanSummary(counts));
+    // Add error count if any
+    if (plan.errors && plan.errors.length > 0) {
+        lines.push(chalk.red(`${plan.errors.length} ${plan.errors.length === 1 ? "repository" : "repositories"} failed.`));
+    }
+    return lines;
+}
+export function printPlan(plan) {
+    const lines = formatPlan(plan);
+    for (const line of lines) {
+        console.log(line);
+    }
+}

package/dist/plan-summary.d.ts

@@ -0,0 +1,8 @@
+import type { Plan, Resource, PlanCounts, RepoError } from "./plan-formatter.js";
+export type { Plan, Resource, PlanCounts, RepoError };
+export interface PlanMarkdownOptions {
+    title: string;
+    dryRun: boolean;
+}
+export declare function formatPlanMarkdown(plan: Plan, options: PlanMarkdownOptions): string;
+export declare function writePlanSummary(plan: Plan, options: PlanMarkdownOptions): void;

package/dist/plan-summary.js

@@ -0,0 +1,110 @@
+import { appendFileSync } from "node:fs";
+function getActionSymbol(action) {
+    switch (action) {
+        case "create":
+            return "+";
+        case "update":
+            return "~";
+        case "delete":
+            return "-";
+        case "skipped":
+            return "⊘";
+        default:
+            return "";
+    }
+}
+function formatResourceIdPlain(resource) {
+    return `${resource.type} "${resource.repo}/${resource.name}"`;
+}
+function countActions(resources) {
+    return {
+        create: resources.filter((r) => r.action === "create").length,
+        update: resources.filter((r) => r.action === "update").length,
+        delete: resources.filter((r) => r.action === "delete").length,
+        skipped: resources.filter((r) => r.action === "skipped").length,
+    };
+}
+function formatPlanSummaryPlain(counts) {
+    const parts = [];
+    if (counts.create > 0)
+        parts.push(`${counts.create} to create`);
+    if (counts.update > 0)
+        parts.push(`${counts.update} to change`);
+    if (counts.delete > 0)
+        parts.push(`${counts.delete} to destroy`);
+    if (parts.length === 0) {
+        return "No changes";
+    }
+    return parts.join(", ");
+}
+export function formatPlanMarkdown(plan, options) {
+    const lines = [];
+    const counts = countActions(plan.resources);
+    const changedResources = plan.resources.filter((r) => r.action !== "unchanged");
+    // Title
+    const titleSuffix = options.dryRun ? " (Dry Run)" : "";
+    lines.push(`## ${options.title}${titleSuffix}`);
+    lines.push("");
+    // Dry-run warning
+    if (options.dryRun) {
+        lines.push("> [!WARNING]");
+        lines.push("> This was a dry run — no changes were applied");
+        lines.push("");
+    }
+    // Plan summary as heading
+    const summaryText = formatPlanSummaryPlain(counts);
+    lines.push(`### Plan: ${summaryText}`);
+    lines.push("");
+    // Resource table (if any changes)
+    if (changedResources.length > 0) {
+        lines.push("<details open>");
+        lines.push("<summary><strong>Resources</strong></summary>");
+        lines.push("");
+        lines.push("| Resource | Action |");
+        lines.push("|----------|--------|");
+        for (const resource of changedResources) {
+            const symbol = getActionSymbol(resource.action);
+            const id = formatResourceIdPlain(resource);
+            lines.push(`| \`${symbol} ${id}\` | ${resource.action} |`);
+        }
+        lines.push("");
+        lines.push("</details>");
+    }
+    // Add diff details for resources that have them
+    const resourcesWithDiffs = changedResources.filter((r) => r.details?.diff && r.details.diff.length > 0);
+    for (const resource of resourcesWithDiffs) {
+        lines.push("");
+        lines.push("<details>");
+        lines.push(`<summary><strong>Diff: ${formatResourceIdPlain(resource)}</strong></summary>`);
+        lines.push("");
+        lines.push("```diff");
+        for (const diffLine of resource.details.diff) {
+            lines.push(diffLine);
+        }
+        lines.push("```");
+        lines.push("");
+        lines.push("</details>");
+    }
+    // Error section
+    if (plan.errors && plan.errors.length > 0) {
+        lines.push("");
+        lines.push("<details open>");
+        lines.push("<summary><strong>Errors</strong></summary>");
+        lines.push("");
+        lines.push("| Repository | Error |");
+        lines.push("|------------|-------|");
+        for (const error of plan.errors) {
+            lines.push(`| ${error.repo} | ${error.message} |`);
+        }
+        lines.push("");
+        lines.push("</details>");
+    }
+    return lines.join("\n");
+}
+export function writePlanSummary(plan, options) {
+    const summaryPath = process.env.GITHUB_STEP_SUMMARY;
+    if (!summaryPath)
+        return;
+    const markdown = formatPlanMarkdown(plan, options);
+    appendFileSync(summaryPath, "\n" + markdown + "\n");
+}

package/dist/repo-settings-diff.js

@@ -22,11 +22,11 @@ const PROPERTY_MAPPING = {
     mergeCommitMessage: "merge_commit_message",
     webCommitSignoffRequired: "web_commit_signoff_required",
     defaultBranch: "default_branch",
-    vulnerabilityAlerts: "_vulnerability_alerts",
-    automatedSecurityFixes: "_automated_security_fixes",
+    vulnerabilityAlerts: "vulnerability_alerts",
+    automatedSecurityFixes: "automated_security_fixes",
     secretScanning: "_secret_scanning",
     secretScanningPushProtection: "_secret_scanning_push_protection",
-    privateVulnerabilityReporting: "_private_vulnerability_reporting",
+    privateVulnerabilityReporting: "private_vulnerability_reporting",
 };
 /**
  * Gets the current value for a property from GitHub API response.

package/dist/repo-settings-processor.js

@@ -91,16 +91,22 @@ export class RepoSettingsProcessor {
     }
     async applyChanges(repoInfo, settings, options) {
         // Extract settings that need separate API calls
-        const { vulnerabilityAlerts, automatedSecurityFixes, ...mainSettings } = settings;
+        const { vulnerabilityAlerts, automatedSecurityFixes, privateVulnerabilityReporting, ...mainSettings } = settings;
         // Update main settings via PATCH /repos
         if (Object.keys(mainSettings).length > 0) {
             await this.strategy.updateSettings(repoInfo, mainSettings, options);
         }
         // Handle vulnerability alerts (separate endpoint)
+        // Must be done before automated security fixes
         if (vulnerabilityAlerts !== undefined) {
             await this.strategy.setVulnerabilityAlerts(repoInfo, vulnerabilityAlerts, options);
         }
+        // Handle private vulnerability reporting (separate endpoint)
+        if (privateVulnerabilityReporting !== undefined) {
+            await this.strategy.setPrivateVulnerabilityReporting(repoInfo, privateVulnerabilityReporting, options);
+        }
         // Handle automated security fixes (separate endpoint)
+        // Done last to ensure vulnerability alerts have been fully processed
         if (automatedSecurityFixes !== undefined) {
             await this.strategy.setAutomatedSecurityFixes(repoInfo, automatedSecurityFixes, options);
         }

package/dist/resource-converters.d.ts

@@ -0,0 +1,25 @@
+import type { Resource } from "./plan-formatter.js";
+import type { RulesetProcessorResult } from "./ruleset-processor.js";
+import type { ProcessorResult } from "./repository-processor.js";
+import type { RepoConfig } from "./config.js";
+/**
+ * Convert RulesetProcessorResult planOutput entries to Resource objects.
+ */
+export declare function rulesetResultToResources(repoName: string, result: RulesetProcessorResult): Resource[];
+/**
+ * Convert sync ProcessorResult diffStats to Resource objects.
+ * Since we don't have per-file details, we represent each file from config
+ * with the aggregate action based on diffStats.
+ */
+export declare function syncResultToResources(repoName: string, repoConfig: Pick<RepoConfig, "files">, result: ProcessorResult): Resource[];
+/**
+ * Convert repo settings processor planOutput entries to Resource objects.
+ */
+export declare function repoSettingsResultToResources(repoName: string, result: {
+    planOutput?: {
+        entries?: Array<{
+            property: string;
+            action: string;
+        }>;
+    };
+}): Resource[];

package/dist/resource-converters.js

@@ -0,0 +1,95 @@
+/**
+ * Convert RulesetProcessorResult planOutput entries to Resource objects.
+ */
+export function rulesetResultToResources(repoName, result) {
+    const resources = [];
+    if (result.planOutput?.entries) {
+        for (const entry of result.planOutput.entries) {
+            let action;
+            switch (entry.action) {
+                case "create":
+                    action = "create";
+                    break;
+                case "update":
+                    action = "update";
+                    break;
+                case "delete":
+                    action = "delete";
+                    break;
+                default:
+                    action = "unchanged";
+            }
+            resources.push({
+                type: "ruleset",
+                repo: repoName,
+                name: entry.name,
+                action,
+            });
+        }
+    }
+    return resources;
+}
+/**
+ * Convert sync ProcessorResult diffStats to Resource objects.
+ * Since we don't have per-file details, we represent each file from config
+ * with the aggregate action based on diffStats.
+ */
+export function syncResultToResources(repoName, repoConfig, result) {
+    const resources = [];
+    if (result.skipped) {
+        // Mark all files as unchanged when skipped
+        for (const file of repoConfig.files) {
+            resources.push({
+                type: "file",
+                repo: repoName,
+                name: file.fileName,
+                action: "unchanged",
+            });
+        }
+        return resources;
+    }
+    if (!result.diffStats) {
+        return resources;
+    }
+    // With aggregate stats, we can show repo-level summary
+    // For now, create one resource per file in config with best-effort action
+    // Note: This is approximate since we don't have per-file tracking
+    const { newCount, modifiedCount, deletedCount } = result.diffStats;
+    for (const file of repoConfig.files) {
+        // Determine action based on aggregate stats - this is a simplification
+        let action = "unchanged";
+        if (newCount > 0) {
+            action = "create";
+        }
+        else if (modifiedCount > 0) {
+            action = "update";
+        }
+        else if (deletedCount > 0) {
+            action = "delete";
+        }
+        resources.push({
+            type: "file",
+            repo: repoName,
+            name: file.fileName,
+            action,
+        });
+    }
+    return resources;
+}
+/**
+ * Convert repo settings processor planOutput entries to Resource objects.
+ */
+export function repoSettingsResultToResources(repoName, result) {
+    const resources = [];
+    if (result.planOutput?.entries) {
+        for (const entry of result.planOutput.entries) {
+            resources.push({
+                type: "setting",
+                repo: repoName,
+                name: entry.property,
+                action: entry.action === "add" ? "create" : "update",
+            });
+        }
+    }
+    return resources;
+}

package/dist/strategies/github-repo-settings-strategy.d.ts

@@ -15,6 +15,10 @@ export declare class GitHubRepoSettingsStrategy implements IRepoSettingsStrategy
     updateSettings(repoInfo: RepoInfo, settings: GitHubRepoSettings, options?: RepoSettingsStrategyOptions): Promise<void>;
     setVulnerabilityAlerts(repoInfo: RepoInfo, enable: boolean, options?: RepoSettingsStrategyOptions): Promise<void>;
     setAutomatedSecurityFixes(repoInfo: RepoInfo, enable: boolean, options?: RepoSettingsStrategyOptions): Promise<void>;
+    setPrivateVulnerabilityReporting(repoInfo: RepoInfo, enable: boolean, options?: RepoSettingsStrategyOptions): Promise<void>;
+    private getVulnerabilityAlerts;
+    private getAutomatedSecurityFixes;
+    private getPrivateVulnerabilityReporting;
     private validateGitHub;
     private ghApi;
 }

package/dist/strategies/github-repo-settings-strategy.js

@@ -76,7 +76,14 @@ export class GitHubRepoSettingsStrategy {
         const github = repoInfo;
         const endpoint = `/repos/${github.owner}/${github.repo}`;
         const result = await this.ghApi("GET", endpoint, undefined, options);
-        return JSON.parse(result);
+        const settings = JSON.parse(result);
+        // Fetch security settings from separate endpoints
+        settings.vulnerability_alerts = await this.getVulnerabilityAlerts(github, options);
+        // Pass vulnerability_alerts state - automated security fixes requires it enabled
+        settings.automated_security_fixes = await this.getAutomatedSecurityFixes(github, options, settings.vulnerability_alerts);
+        settings.private_vulnerability_reporting =
+            await this.getPrivateVulnerabilityReporting(github, options);
+        return settings;
     }
     async updateSettings(repoInfo, settings, options) {
         this.validateGitHub(repoInfo);
@@ -103,6 +110,54 @@ export class GitHubRepoSettingsStrategy {
         const method = enable ? "PUT" : "DELETE";
         await this.ghApi(method, endpoint, undefined, options);
     }
+    async setPrivateVulnerabilityReporting(repoInfo, enable, options) {
+        this.validateGitHub(repoInfo);
+        const github = repoInfo;
+        const endpoint = `/repos/${github.owner}/${github.repo}/private-vulnerability-reporting`;
+        const method = enable ? "PUT" : "DELETE";
+        await this.ghApi(method, endpoint, undefined, options);
+    }
+    async getVulnerabilityAlerts(github, options) {
+        const endpoint = `/repos/${github.owner}/${github.repo}/vulnerability-alerts`;
+        try {
+            await this.ghApi("GET", endpoint, undefined, options);
+            return true; // 204 = enabled
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            if (message.includes("HTTP 404")) {
+                return false; // 404 = disabled
+            }
+            throw error; // Re-throw other errors
+        }
+    }
+    async getAutomatedSecurityFixes(github, options, _vulnerabilityAlertsEnabled) {
+        // Note: GitHub returns JSON with {enabled: boolean} for this endpoint
+        const endpoint = `/repos/${github.owner}/${github.repo}/automated-security-fixes`;
+        try {
+            const result = await this.ghApi("GET", endpoint, undefined, options);
+            // Parse JSON response - GitHub returns {"enabled": true/false}
+            if (result) {
+                const data = JSON.parse(result);
+                return data.enabled === true;
+            }
+            // Empty response (204) means enabled
+            return true;
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            if (message.includes("HTTP 404")) {
+                return false;
+            }
+            throw error;
+        }
+    }
+    async getPrivateVulnerabilityReporting(github, options) {
+        const endpoint = `/repos/${github.owner}/${github.repo}/private-vulnerability-reporting`;
+        const result = await this.ghApi("GET", endpoint, undefined, options);
+        const data = JSON.parse(result);
+        return data.enabled === true;
+    }
     validateGitHub(repoInfo) {
         if (!isGitHubRepo(repoInfo)) {
             throw new Error(`GitHub Repo Settings strategy requires GitHub repositories. Got: ${repoInfo.type}`);

package/dist/strategies/repo-settings-strategy.d.ts

@@ -39,6 +39,9 @@ export interface CurrentRepoSettings {
             status: string;
         };
     };
+    vulnerability_alerts?: boolean;
+    automated_security_fixes?: boolean;
+    private_vulnerability_reporting?: boolean;
 }
 export interface IRepoSettingsStrategy {
     /**
@@ -57,6 +60,10 @@ export interface IRepoSettingsStrategy {
      * Enables or disables automated security fixes.
      */
     setAutomatedSecurityFixes(repoInfo: RepoInfo, enable: boolean, options?: RepoSettingsStrategyOptions): Promise<void>;
+    /**
+     * Enables or disables private vulnerability reporting.
+     */
+    setPrivateVulnerabilityReporting(repoInfo: RepoInfo, enable: boolean, options?: RepoSettingsStrategyOptions): Promise<void>;
 }
 /**
  * Type guard to check if an object implements IRepoSettingsStrategy.

package/dist/strategies/repo-settings-strategy.js

@@ -9,5 +9,6 @@ export function isRepoSettingsStrategy(obj) {
     return (typeof strategy.getSettings === "function" &&
         typeof strategy.updateSettings === "function" &&
         typeof strategy.setVulnerabilityAlerts === "function" &&
-        typeof strategy.setAutomatedSecurityFixes === "function");
+        typeof strategy.setAutomatedSecurityFixes === "function" &&
+        typeof strategy.setPrivateVulnerabilityReporting === "function");
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aspruyt/xfg",
-  "version": "3.7.2",
+  "version": "3.7.4",
   "description": "CLI tool for repository-as-code",
   "type": "module",
   "main": "dist/index.js",
@@ -27,7 +27,7 @@
     "start": "node dist/cli.js",
     "dev": "ts-node src/cli.ts",
     "test": "node --import tsx scripts/run-tests.js",
-    "test:coverage": "c8 --check-coverage --lines 95 --reporter=text --reporter=lcov --all --src=src --exclude='test/**/*.test.ts' --exclude='scripts/**' npm test",
+    "test:coverage": "c8 --check-coverage --lines 95 --reporter=text --reporter=lcov --all --src=src --exclude='test/**/*.test.ts' --exclude='scripts/**' --exclude='src/strategies/commit-strategy.ts' --exclude='src/strategies/ruleset-strategy.ts' --exclude='test/mocks/**' npm test",
     "test:integration:github": "npm run build && node --import tsx --test test/integration/github.test.ts",
     "test:integration:ado": "npm run build && node --import tsx --test test/integration/ado.test.ts",
     "test:integration:gitlab": "npm run build && node --import tsx --test test/integration/gitlab.test.ts",