@aspruyt/xfg 4.0.0 → 4.0.2

package/dist/vcs/authenticated-git-ops.js

@@ -1,75 +1,107 @@
 import { escapeShellArg } from "../shared/shell-utils.js";
-import { defaultExecutor, } from "../shared/command-executor.js";
 import { withRetry } from "../shared/retry-utils.js";
+import { toErrorMessage } from "../shared/type-guards.js";
 /**
- * Wrapper around GitOps that adds authentication to network operations.
+ * Adds authentication to network git operations and delegates local ops.
  *
- * When auth options are provided, network operations (clone, fetch, push,
- * getDefaultBranch) use `-c url.insteadOf` to override credentials per-command.
- * This allows different tokens for different repos without global git config.
- *
- * Local operations (commit, writeFile, etc.) pass through unchanged.
+ * When auth options are provided, clone uses an embedded token URL which sets
+ * the remote origin. Subsequent operations (fetch, push, getDefaultBranch)
+ * reuse that authenticated remote URL — no extra auth setup per operation.
  */
 export class AuthenticatedGitOps {
-    gitOps;
-    auth;
+    localOps;
     executor;
     workDir;
     retries;
-    constructor(gitOps, auth) {
-        this.gitOps = gitOps;
+    auth;
+    log;
+    constructor(localOps, executor, workDir, retries, auth, log) {
+        this.localOps = localOps;
+        this.executor = executor;
+        this.workDir = workDir;
+        this.retries = retries;
         this.auth = auth;
-        // Extract executor and workDir from gitOps via reflection
-        const internal = gitOps;
-        this.executor = internal.executor ?? defaultExecutor;
-        this.workDir = internal.workDir ?? ".";
-        this.retries = internal.retries ?? 3;
+        this.log = log;
     }
     async execWithRetry(command) {
         return withRetry(() => this.executor.exec(command, this.workDir), {
             retries: this.retries,
         });
     }
-    // ============================================================
-    // Network operations - use authenticated command when token provided
-    // ============================================================
     /**
      * Build the authenticated remote URL.
      */
     getAuthenticatedUrl() {
+        if (!this.auth) {
+            throw new Error("getAuthenticatedUrl() called without auth options");
+        }
         const { token, host, owner, repo } = this.auth;
         return `https://x-access-token:${token}@${host}/${owner}/${repo}`;
     }
+    // --- ILocalGitOps delegation ---
+    cleanWorkspace() {
+        return this.localOps.cleanWorkspace();
+    }
+    createBranch(branchName) {
+        return this.localOps.createBranch(branchName);
+    }
+    writeFile(fileName, content) {
+        return this.localOps.writeFile(fileName, content);
+    }
+    setExecutable(fileName) {
+        return this.localOps.setExecutable(fileName);
+    }
+    getFileContent(fileName) {
+        return this.localOps.getFileContent(fileName);
+    }
+    wouldChange(fileName, content) {
+        return this.localOps.wouldChange(fileName, content);
+    }
+    hasChanges() {
+        return this.localOps.hasChanges();
+    }
+    getChangedFiles() {
+        return this.localOps.getChangedFiles();
+    }
+    hasStagedChanges() {
+        return this.localOps.hasStagedChanges();
+    }
+    fileExistsOnBranch(fileName, branch) {
+        return this.localOps.fileExistsOnBranch(fileName, branch);
+    }
+    fileExists(fileName) {
+        return this.localOps.fileExists(fileName);
+    }
+    deleteFile(fileName) {
+        return this.localOps.deleteFile(fileName);
+    }
+    commit(message) {
+        return this.localOps.commit(message);
+    }
+    getDefaultBranchLocal() {
+        return this.localOps.getDefaultBranchLocal();
+    }
+    // --- INetworkGitOps with auth wrapping ---
+    // Note: exec() usage here is safe — all user inputs are escaped via escapeShellArg()
     async clone(gitUrl) {
         if (!this.auth) {
-            return this.gitOps.clone(gitUrl);
+            const command = `git clone ${escapeShellArg(gitUrl)} .`;
+            await this.execWithRetry(command);
+            return;
         }
-        // Clone using authenticated URL directly - no insteadOf needed
         const authUrl = escapeShellArg(this.getAuthenticatedUrl());
         await this.execWithRetry(`git clone ${authUrl} .`);
     }
     async fetch(options) {
-        if (!this.auth) {
-            return this.gitOps.fetch(options);
-        }
-        // Remote URL already has auth from clone, just fetch
         const pruneFlag = options?.prune ? " --prune" : "";
         await this.execWithRetry(`git fetch origin${pruneFlag}`);
     }
     async push(branchName, options) {
-        if (!this.auth) {
-            return this.gitOps.push(branchName, options);
-        }
-        // Remote URL already has auth from clone, just push
         const forceFlag = options?.force ? "--force-with-lease " : "";
         const safeBranch = escapeShellArg(branchName);
         await this.execWithRetry(`git push ${forceFlag}-u origin ${safeBranch}`);
     }
     async getDefaultBranch() {
-        if (!this.auth) {
-            return this.gitOps.getDefaultBranch();
-        }
-        // Network operation - remote URL already has auth from clone
         try {
             const remoteInfo = await this.execWithRetry(`git remote show origin`);
             const match = remoteInfo.match(/HEAD branch: (\S+)/);
@@ -77,25 +109,12 @@ export class AuthenticatedGitOps {
                 return { branch: match[1], method: "remote HEAD" };
             }
         }
-        catch {
-            // Fall through to local checks
-        }
-        // Local operations don't need auth
-        try {
-            await this.executor.exec("git rev-parse --verify origin/main", this.workDir);
-            return { branch: "main", method: "origin/main exists" };
-        }
-        catch {
-            // Continue
-        }
-        try {
-            await this.executor.exec("git rev-parse --verify origin/master", this.workDir);
-            return { branch: "master", method: "origin/master exists" };
-        }
-        catch {
-            // Continue
+        catch (error) {
+            const msg = toErrorMessage(error);
+            this.log?.debug(`git remote show origin failed - ${msg}`);
         }
-        return { branch: "main", method: "fallback default" };
+        // Local fallback operations don't need auth — delegate to localOps
+        return this.localOps.getDefaultBranchLocal();
     }
     /**
      * Execute ls-remote with authentication.
@@ -105,7 +124,6 @@ export class AuthenticatedGitOps {
      *   branch existence where failure is expected for new branches.
      */
     async lsRemote(branchName, options) {
-        // Remote URL already has auth from clone
         const safeBranch = escapeShellArg(branchName);
         const command = `git ls-remote --exit-code --heads origin ${safeBranch}`;
         if (options?.skipRetry) {
@@ -118,7 +136,6 @@ export class AuthenticatedGitOps {
      * Used by GraphQLCommitStrategy for creating/deleting remote branches.
      */
     async pushRefspec(refspec, options) {
-        // Remote URL already has auth from clone
         const deleteFlag = options?.delete ? "--delete " : "";
         const safeRefspec = escapeShellArg(refspec);
         await this.execWithRetry(`git push ${deleteFlag}-u origin ${safeRefspec}`);
@@ -128,50 +145,7 @@ export class AuthenticatedGitOps {
      * Used by GraphQLCommitStrategy to update local refs.
      */
     async fetchBranch(branchName) {
-        // Remote URL already has auth from clone
         const safeBranch = escapeShellArg(branchName);
         await this.execWithRetry(`git fetch origin +${safeBranch}:refs/remotes/origin/${safeBranch}`);
     }
-    // ============================================================
-    // Local operations - delegate directly to GitOps
-    // ============================================================
-    cleanWorkspace() {
-        return this.gitOps.cleanWorkspace();
-    }
-    async createBranch(branchName) {
-        return this.gitOps.createBranch(branchName);
-    }
-    writeFile(fileName, content) {
-        return this.gitOps.writeFile(fileName, content);
-    }
-    async setExecutable(fileName) {
-        return this.gitOps.setExecutable(fileName);
-    }
-    getFileContent(fileName) {
-        return this.gitOps.getFileContent(fileName);
-    }
-    wouldChange(fileName, content) {
-        return this.gitOps.wouldChange(fileName, content);
-    }
-    async hasChanges() {
-        return this.gitOps.hasChanges();
-    }
-    async getChangedFiles() {
-        return this.gitOps.getChangedFiles();
-    }
-    async hasStagedChanges() {
-        return this.gitOps.hasStagedChanges();
-    }
-    async fileExistsOnBranch(fileName, branch) {
-        return this.gitOps.fileExistsOnBranch(fileName, branch);
-    }
-    fileExists(fileName) {
-        return this.gitOps.fileExists(fileName);
-    }
-    deleteFile(fileName) {
-        return this.gitOps.deleteFile(fileName);
-    }
-    async commit(message) {
-        return this.gitOps.commit(message);
-    }
 }

package/dist/vcs/azure-pr-strategy.d.ts

@@ -1,11 +1,13 @@
-import { PRResult } from "./pr-creator.js";
-import { BasePRStrategy, PRStrategyOptions, CloseExistingPROptions, MergeOptions, MergeResult } from "./pr-strategy.js";
+import type { PRResult } from "./types.js";
+import { BasePRStrategy } from "./pr-strategy.js";
+import type { IPRStrategyLogger } from "./pr-strategy.js";
+import type { PRStrategyOptions, CloseExistingPROptions, MergeOptions, MergeResult } from "./types.js";
 import { ICommandExecutor } from "../shared/command-executor.js";
 export declare class AzurePRStrategy extends BasePRStrategy {
-    constructor(executor?: ICommandExecutor);
+    constructor(executor?: ICommandExecutor, log?: IPRStrategyLogger);
     private getOrgUrl;
     private buildPRUrl;
-    checkExistingPR(options: PRStrategyOptions): Promise<string | null>;
+    checkExistingPR(options: CloseExistingPROptions): Promise<string | null>;
     closeExistingPR(options: CloseExistingPROptions): Promise<boolean>;
     create(options: PRStrategyOptions): Promise<PRResult>;
     /**

package/dist/vcs/azure-pr-strategy.js

@@ -1,14 +1,15 @@
 import { existsSync, writeFileSync, unlinkSync } from "node:fs";
 import { join } from "node:path";
 import { escapeShellArg } from "../shared/shell-utils.js";
-import { isAzureDevOpsRepo, } from "../shared/repo-detector.js";
-import { BasePRStrategy, } from "./pr-strategy.js";
-import { logger } from "../shared/logger.js";
-import { withRetry, isPermanentError } from "../shared/retry-utils.js";
+import { assertAzureDevOpsRepo, } from "../shared/repo-detector.js";
+import { BasePRStrategy } from "./pr-strategy.js";
+import { withRetry } from "../shared/retry-utils.js";
+import { toErrorMessage, safeCleanup } from "../shared/type-guards.js";
 import { sanitizeCredentials } from "../shared/sanitize-utils.js";
+import { getStderr } from "../shared/command-executor.js";
 export class AzurePRStrategy extends BasePRStrategy {
-    constructor(executor) {
-        super(executor);
+    constructor(executor, log) {
+        super(executor, log);
         this.bodyFilePath = ".pr-description.md";
     }
     getOrgUrl(repoInfo) {
@@ -19,9 +20,7 @@ export class AzurePRStrategy extends BasePRStrategy {
     }
     async checkExistingPR(options) {
         const { repoInfo, branchName, baseBranch, workDir, retries = 3 } = options;
-        if (!isAzureDevOpsRepo(repoInfo)) {
-            throw new Error("Expected Azure DevOps repository");
-        }
+        assertAzureDevOpsRepo(repoInfo, "Azure PR strategy");
         const azureRepoInfo = repoInfo;
         const orgUrl = this.getOrgUrl(azureRepoInfo);
         const command = `az repos pr list --repository ${escapeShellArg(azureRepoInfo.repo)} --source-branch ${escapeShellArg(branchName)} --target-branch ${escapeShellArg(baseBranch)} --org ${escapeShellArg(orgUrl)} --project ${escapeShellArg(azureRepoInfo.project)} --query "[0].pullRequestId" -o tsv`;
@@ -30,23 +29,16 @@ export class AzurePRStrategy extends BasePRStrategy {
             return existingPRId ? this.buildPRUrl(azureRepoInfo, existingPRId) : null;
         }
         catch (error) {
-            if (error instanceof Error) {
-                if (isPermanentError(error)) {
-                    throw error;
-                }
-                const stderr = error.stderr ?? "";
-                if (stderr && !stderr.includes("does not exist")) {
-                    logger.info(`Debug: Azure PR check failed - ${sanitizeCredentials(stderr).trim()}`);
-                }
+            const stderr = getStderr(error);
+            if (stderr && !stderr.includes("does not exist")) {
+                this.log?.debug(`Azure PR check failed - ${sanitizeCredentials(stderr).trim()}`);
             }
             return null;
         }
     }
     async closeExistingPR(options) {
         const { repoInfo, branchName, baseBranch, workDir, retries = 3 } = options;
-        if (!isAzureDevOpsRepo(repoInfo)) {
-            throw new Error("Expected Azure DevOps repository");
-        }
+        assertAzureDevOpsRepo(repoInfo, "Azure PR strategy");
         const azureRepoInfo = repoInfo;
         const orgUrl = this.getOrgUrl(azureRepoInfo);
         // First check if there's an existing PR
@@ -56,8 +48,6 @@ export class AzurePRStrategy extends BasePRStrategy {
             baseBranch,
             workDir,
             retries,
-            title: "", // Not used for check
-            body: "", // Not used for check
         });
         if (!existingUrl) {
             return false;
@@ -65,7 +55,7 @@ export class AzurePRStrategy extends BasePRStrategy {
         // Extract PR ID from URL
         const prInfo = this.parsePRUrl(existingUrl);
         if (!prInfo) {
-            logger.info(`Warning: Could not parse PR URL: ${existingUrl}`);
+            this.log?.warn(`Could not parse PR URL: ${existingUrl}`);
             return false;
         }
         // Abandon the PR (Azure DevOps equivalent of closing)
@@ -76,13 +66,11 @@ export class AzurePRStrategy extends BasePRStrategy {
             });
         }
         catch (error) {
-            const message = error instanceof Error ? error.message : String(error);
-            logger.info(`Warning: Failed to abandon PR #${prInfo.prId}: ${message}`);
+            const message = toErrorMessage(error);
+            this.log?.warn(`Failed to abandon PR #${prInfo.prId}: ${message}`);
             return false;
         }
-        // Delete the source branch - need to get object_id first
         try {
-            // Get the branch's object_id
             const getRefCommand = `az repos ref list --repository ${escapeShellArg(azureRepoInfo.repo)} --org ${escapeShellArg(orgUrl)} --project ${escapeShellArg(azureRepoInfo.project)} --filter heads/${escapeShellArg(branchName)} --query "[0].objectId" -o tsv`;
             const objectId = await withRetry(() => this.executor.exec(getRefCommand, workDir), { retries });
             if (objectId) {
@@ -92,19 +80,16 @@ export class AzurePRStrategy extends BasePRStrategy {
         }
         catch (error) {
             // Branch deletion failure is not critical - PR is already abandoned
-            const message = error instanceof Error ? error.message : String(error);
-            logger.info(`Warning: Failed to delete branch ${branchName}: ${message}`);
+            const message = toErrorMessage(error);
+            this.log?.warn(`Failed to delete branch ${branchName}: ${message}`);
         }
         return true;
     }
     async create(options) {
         const { repoInfo, title, body, branchName, baseBranch, workDir, retries = 3, } = options;
-        if (!isAzureDevOpsRepo(repoInfo)) {
-            throw new Error("Expected Azure DevOps repository");
-        }
+        assertAzureDevOpsRepo(repoInfo, "Azure PR strategy");
         const azureRepoInfo = repoInfo;
         const orgUrl = this.getOrgUrl(azureRepoInfo);
-        // Write description to temp file to avoid shell escaping issues
         const descFile = join(workDir, this.bodyFilePath);
         writeFileSync(descFile, body, "utf-8");
         // Azure CLI @file syntax: escape the full @path to handle special chars in workDir
@@ -120,15 +105,10 @@ export class AzurePRStrategy extends BasePRStrategy {
             };
         }
         finally {
-            // Clean up temp file - log warning on failure instead of throwing
-            try {
-                if (existsSync(descFile)) {
+            safeCleanup(() => {
+                if (existsSync(descFile))
                     unlinkSync(descFile);
-                }
-            }
-            catch (cleanupError) {
-                logger.info(`Warning: Failed to clean up temp file ${descFile}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`);
-            }
+            }, `failed to remove ${descFile}`, this.log ?? { debug() { } });
         }
     }
     /**
@@ -171,50 +151,22 @@ export class AzurePRStrategy extends BasePRStrategy {
             ? "--delete-source-branch true"
             : "";
         if (config.mode === "auto") {
-            // Enable auto-complete (no pre-check needed - always available in Azure DevOps)
-            const command = `az repos pr update --id ${escapeShellArg(prInfo.prId)} --auto-complete true ${squashFlag} ${deleteBranchFlag} --org ${escapeShellArg(orgUrl)}`.trim();
-            try {
-                await withRetry(() => this.executor.exec(command, workDir), {
-                    retries,
-                });
-                return {
-                    success: true,
-                    message: "Auto-complete enabled. PR will merge when all policies pass.",
-                    merged: false,
-                    autoMergeEnabled: true,
-                };
-            }
-            catch (error) {
-                const message = error instanceof Error ? error.message : String(error);
-                return {
-                    success: false,
-                    message: `Failed to enable auto-complete: ${message}`,
-                    merged: false,
-                };
-            }
+            const autoCommand = `az repos pr update --id ${escapeShellArg(prInfo.prId)} --auto-complete true ${squashFlag} ${deleteBranchFlag} --org ${escapeShellArg(orgUrl)}`.trim();
+            return this.executeMergeCommand(() => this.executor.exec(autoCommand, workDir), retries, {
+                success: true,
+                message: "Auto-complete enabled. PR will merge when all policies pass.",
+                merged: false,
+                autoMergeEnabled: true,
+            }, "Failed to enable auto-complete");
         }
         if (config.mode === "force") {
-            // Bypass policies and complete the PR
             const bypassReason = config.bypassReason ?? "Automated config sync via xfg";
-            const command = `az repos pr update --id ${escapeShellArg(prInfo.prId)} --bypass-policy true --bypass-policy-reason ${escapeShellArg(bypassReason)} --status completed ${squashFlag} ${deleteBranchFlag} --org ${escapeShellArg(orgUrl)}`.trim();
-            try {
-                await withRetry(() => this.executor.exec(command, workDir), {
-                    retries,
-                });
-                return {
-                    success: true,
-                    message: "PR completed by bypassing policies.",
-                    merged: true,
-                };
-            }
-            catch (error) {
-                const message = error instanceof Error ? error.message : String(error);
-                return {
-                    success: false,
-                    message: `Failed to bypass policies and complete PR: ${message}`,
-                    merged: false,
-                };
-            }
+            const forceCommand = `az repos pr update --id ${escapeShellArg(prInfo.prId)} --bypass-policy true --bypass-policy-reason ${escapeShellArg(bypassReason)} --status completed ${squashFlag} ${deleteBranchFlag} --org ${escapeShellArg(orgUrl)}`.trim();
+            return this.executeMergeCommand(() => this.executor.exec(forceCommand, workDir), retries, {
+                success: true,
+                message: "PR completed by bypassing policies.",
+                merged: true,
+            }, "Failed to bypass policies and complete PR");
         }
         return {
             success: false,

package/dist/vcs/branch-utils.d.ts

@@ -0,0 +1,6 @@
+export declare function sanitizeBranchName(fileName: string): string;
+/**
+ * Validates a user-provided branch name against git's naming rules.
+ * @throws Error if the branch name is invalid
+ */
+export declare function validateBranchName(branchName: string): void;

package/dist/vcs/branch-utils.js

@@ -0,0 +1,29 @@
+export function sanitizeBranchName(fileName) {
+    return fileName
+        .toLowerCase()
+        .replace(/\.[^.]+$/, "") // Remove extension
+        .replace(/[^a-z0-9-]/g, "-") // Replace non-alphanumeric with dashes
+        .replace(/-+/g, "-") // Collapse multiple dashes
+        .replace(/^-|-$/g, ""); // Remove leading/trailing dashes
+}
+/**
+ * Validates a user-provided branch name against git's naming rules.
+ * @throws Error if the branch name is invalid
+ */
+export function validateBranchName(branchName) {
+    if (!branchName || branchName.trim() === "") {
+        throw new Error("Branch name cannot be empty");
+    }
+    if (branchName.startsWith(".") || branchName.startsWith("-")) {
+        throw new Error('Branch name cannot start with "." or "-"');
+    }
+    // Git disallows: space, ~, ^, :, ?, *, [, \, and consecutive dots (..)
+    if (/[\s~^:?*[\\]/.test(branchName) || branchName.includes("..")) {
+        throw new Error("Branch name contains invalid characters");
+    }
+    if (branchName.endsWith("/") ||
+        branchName.endsWith(".lock") ||
+        branchName.endsWith(".")) {
+        throw new Error("Branch name has invalid ending");
+    }
+}

package/dist/vcs/commit-strategy-selector.d.ts

@@ -1,11 +1,16 @@
 import { RepoInfo } from "../shared/repo-detector.js";
 import type { ICommitStrategy } from "./types.js";
+import { GitHubAppTokenManager } from "./github-app-token-manager.js";
 import { ICommandExecutor } from "../shared/command-executor.js";
 /**
  * Checks if GitHub App credentials are configured via environment variables.
  * Both XFG_GITHUB_APP_ID and XFG_GITHUB_APP_PRIVATE_KEY must be set.
  */
 export declare function hasGitHubAppCredentials(): boolean;
+/**
+ * Creates a GitHubAppTokenManager if credentials are configured, otherwise null.
+ */
+export declare function createTokenManager(): GitHubAppTokenManager | null;
 /**
  * Factory function to get the appropriate commit strategy for a repository.
  *

package/dist/vcs/commit-strategy-selector.js

@@ -1,6 +1,7 @@
 import { isGitHubRepo } from "../shared/repo-detector.js";
 import { GitCommitStrategy } from "./git-commit-strategy.js";
 import { GraphQLCommitStrategy } from "./graphql-commit-strategy.js";
+import { GitHubAppTokenManager } from "./github-app-token-manager.js";
 /**
  * Checks if GitHub App credentials are configured via environment variables.
  * Both XFG_GITHUB_APP_ID and XFG_GITHUB_APP_PRIVATE_KEY must be set.
@@ -8,6 +9,15 @@ import { GraphQLCommitStrategy } from "./graphql-commit-strategy.js";
 export function hasGitHubAppCredentials() {
     return !!(process.env.XFG_GITHUB_APP_ID && process.env.XFG_GITHUB_APP_PRIVATE_KEY);
 }
+/**
+ * Creates a GitHubAppTokenManager if credentials are configured, otherwise null.
+ */
+export function createTokenManager() {
+    if (!hasGitHubAppCredentials()) {
+        return null;
+    }
+    return new GitHubAppTokenManager(process.env.XFG_GITHUB_APP_ID, process.env.XFG_GITHUB_APP_PRIVATE_KEY);
+}
 /**
  * Factory function to get the appropriate commit strategy for a repository.
  *

package/dist/vcs/git-commit-strategy.js

@@ -19,9 +19,8 @@ export class GitCommitStrategy {
      */
     async commit(options) {
         const { branchName, message, workDir, retries = 3, force = true, gitOps, } = options;
-        // Stage all changes
-        await this.executor.exec("git add -A", workDir);
         // Commit with the message (--no-verify to skip pre-commit hooks)
+        // Staging is handled by CommitPushManager before calling commit()
         await this.executor.exec(`git commit --no-verify -m ${escapeShellArg(message)}`, workDir);
         // Push with authentication via gitOps if available
         if (gitOps) {

package/dist/vcs/git-ops.d.ts

@@ -1,49 +1,21 @@
 import { ICommandExecutor } from "../shared/command-executor.js";
-export interface IGitOps {
-    cleanWorkspace(): void;
-    clone(gitUrl: string): Promise<void>;
-    fetch(options?: {
-        prune?: boolean;
-    }): Promise<void>;
-    createBranch(branchName: string): Promise<void>;
-    commit(message: string): Promise<boolean>;
-    push(branchName: string, options?: {
-        force?: boolean;
-    }): Promise<void>;
-    getDefaultBranch(): Promise<{
-        branch: string;
-        method: string;
-    }>;
-    writeFile(fileName: string, content: string): void;
-    setExecutable(fileName: string): Promise<void>;
-    getFileContent(fileName: string): string | null;
-    deleteFile(fileName: string): void;
-    wouldChange(fileName: string, content: string): boolean;
-    hasChanges(): Promise<boolean>;
-    getChangedFiles(): Promise<string[]>;
-    hasStagedChanges(): Promise<boolean>;
-    fileExistsOnBranch(fileName: string, branch: string): Promise<boolean>;
-    fileExists(fileName: string): boolean;
-}
+import type { ILocalGitOps } from "./types.js";
 export interface GitOpsOptions {
     workDir: string;
     dryRun?: boolean;
     executor?: ICommandExecutor;
-    /** Number of retries for network operations (default: 3) */
-    retries?: number;
+    /** Optional logger for debug messages */
+    log?: {
+        debug(msg: string): void;
+    };
 }
-export declare class GitOps implements IGitOps {
-    private workDir;
-    private dryRun;
-    private executor;
-    private retries;
+export declare class GitOps implements ILocalGitOps {
+    private readonly _workDir;
+    private readonly dryRun;
+    private readonly _executor;
+    private readonly log?;
     constructor(options: GitOpsOptions);
     private exec;
-    /**
-     * Run a command with retry logic for transient failures.
-     * Used for network operations like clone, fetch, push.
-     */
-    private execWithRetry;
     /**
      * Validates that a file path doesn't escape the workspace directory.
      * @returns The resolved absolute file path
@@ -51,14 +23,6 @@ export declare class GitOps implements IGitOps {
      */
     private validatePath;
     cleanWorkspace(): void;
-    clone(gitUrl: string): Promise<void>;
-    /**
-     * Fetch from remote with optional pruning of stale refs.
-     * Used to update local tracking refs after remote branch deletion.
-     */
-    fetch(options?: {
-        prune?: boolean;
-    }): Promise<void>;
     /**
      * Create a new branch from the current HEAD.
      * Always creates fresh - existing branches should be cleaned up beforehand
@@ -100,9 +64,6 @@ export declare class GitOps implements IGitOps {
      * Used for createOnly checks against the base branch (not the working directory).
      */
     fileExistsOnBranch(fileName: string, branch: string): Promise<boolean>;
-    /**
-     * Check if a file exists in the working directory.
-     */
     fileExists(fileName: string): boolean;
     /**
      * Delete a file from the working directory.
@@ -117,17 +78,12 @@ export declare class GitOps implements IGitOps {
      * @returns true if a commit was made, false if there were no staged changes
      */
     commit(message: string): Promise<boolean>;
-    push(branchName: string, options?: {
-        force?: boolean;
-    }): Promise<void>;
-    getDefaultBranch(): Promise<{
+    /**
+     * Fallback default branch detection using local refs only.
+     * Checks origin/main, then origin/master, then defaults to "main".
+     */
+    getDefaultBranchLocal(): Promise<{
         branch: string;
         method: string;
     }>;
 }
-export declare function sanitizeBranchName(fileName: string): string;
-/**
- * Validates a user-provided branch name against git's naming rules.
- * @throws Error if the branch name is invalid
- */
-export declare function validateBranchName(branchName: string): void;