@aspruyt/xfg 5.3.1 → 5.5.0

package/dist/settings/code-scanning/processor.js

@@ -0,0 +1,81 @@
+import { diffCodeScanning, hasCodeScanningChanges } from "./diff.js";
+import { formatCodeScanningPlan, } from "./formatter.js";
+import { withGitHubGuards, countActions, buildDryRunResult, buildApplyResult, } from "../base-processor.js";
+export class CodeScanningProcessor {
+    strategy;
+    metadataProvider;
+    constructor(strategy, metadataProvider) {
+        this.strategy = strategy;
+        this.metadataProvider = metadataProvider;
+    }
+    async process(repoConfig, repoInfo, options) {
+        return withGitHubGuards(repoConfig, repoInfo, options, {
+            hasDesiredSettings: (rc) => {
+                const cs = rc.settings?.codeScanning;
+                return !!cs && typeof cs === "object";
+            },
+            emptySettingsMessage: "No code scanning settings configured",
+            applySettings: (githubRepo, rc, opts, token, repoName) => this.applySettings(githubRepo, rc, opts, token, repoName),
+        });
+    }
+    async applySettings(githubRepo, repoConfig, options, effectiveToken, repoName) {
+        const { dryRun } = options;
+        const desiredSettings = repoConfig.settings
+            .codeScanning;
+        const strategyOptions = { token: effectiveToken, host: githubRepo.host };
+        // Validate GHAS availability for private repos
+        const metadata = await this.metadataProvider.getMetadata(githubRepo, strategyOptions);
+        const validationError = this.validateGHAS(desiredSettings, metadata);
+        if (validationError) {
+            return {
+                success: false,
+                repoName,
+                message: `Failed: ${validationError}`,
+            };
+        }
+        // Fetch current settings
+        const currentSettings = await this.strategy.getDefaultSetup(githubRepo, strategyOptions);
+        // Compute diff
+        const changes = diffCodeScanning(currentSettings, desiredSettings);
+        const changeCounts = countActions(changes);
+        if (!hasCodeScanningChanges(changes)) {
+            return {
+                success: true,
+                repoName,
+                message: "No changes needed",
+                changes: changeCounts,
+            };
+        }
+        // Format plan output
+        const planOutput = formatCodeScanningPlan(changes);
+        if (dryRun) {
+            return buildDryRunResult(repoName, changeCounts, { planOutput });
+        }
+        // Build API payload from desired settings
+        const payload = {
+            state: desiredSettings.state,
+        };
+        if (desiredSettings.querySuite !== undefined) {
+            payload.query_suite = desiredSettings.querySuite;
+        }
+        if (desiredSettings.languages !== undefined) {
+            payload.languages = desiredSettings.languages;
+        }
+        await this.strategy.updateDefaultSetup(githubRepo, payload, strategyOptions);
+        const appliedCount = changes.filter((c) => c.action !== "unchanged").length;
+        return buildApplyResult(repoName, changeCounts, appliedCount, {
+            planOutput,
+        });
+    }
+    validateGHAS(desired, metadata) {
+        if (desired.state !== "configured")
+            return undefined;
+        const isPublic = metadata.visibility === "public";
+        if (isPublic)
+            return undefined;
+        if (!metadata.hasGHAS) {
+            return "Code scanning default setup requires GitHub Advanced Security (not available for this repository)";
+        }
+        return undefined;
+    }
+}

package/dist/settings/code-scanning/types.d.ts

@@ -0,0 +1,22 @@
+import type { RepoInfo } from "../../shared/repo-detector.js";
+import type { GhApiOptions } from "../../shared/gh-api-utils.js";
+/**
+ * Current code scanning default setup state from GitHub API.
+ */
+export interface CurrentCodeScanningSettings {
+    state: "configured" | "not-configured";
+    query_suite?: "default" | "extended";
+    languages?: string[];
+}
+/**
+ * Strategy interface for code scanning default setup operations.
+ * Abstracts the GitHub API calls for testability.
+ */
+export interface ICodeScanningStrategy {
+    getDefaultSetup(repoInfo: RepoInfo, options?: GhApiOptions): Promise<CurrentCodeScanningSettings>;
+    updateDefaultSetup(repoInfo: RepoInfo, settings: {
+        state: string;
+        query_suite?: string;
+        languages?: string[];
+    }, options?: GhApiOptions): Promise<void>;
+}

package/dist/settings/code-scanning/types.js

@@ -0,0 +1 @@
+export {};

package/dist/settings/index.d.ts

@@ -2,3 +2,4 @@ export { type BaseProcessorResult, type ISettingsProcessor, countActions, isActi
 export { type PropertyDiff, type RulesetPlanEntry, RulesetProcessor, type IRulesetProcessor, GitHubRulesetStrategy, } from "./rulesets/index.js";
 export { RepoSettingsProcessor, type IRepoSettingsProcessor, type RepoSettingsPlanEntry, GitHubRepoSettingsStrategy, } from "./repo-settings/index.js";
 export { type LabelsPlanEntry, LabelsProcessor, type ILabelsProcessor, GitHubLabelsStrategy, } from "./labels/index.js";
+export { type CodeScanningPlanEntry, CodeScanningProcessor, type ICodeScanningProcessor, GitHubCodeScanningStrategy, } from "./code-scanning/index.js";

package/dist/settings/index.js

@@ -6,3 +6,5 @@ export { RulesetProcessor, GitHubRulesetStrategy, } from "./rulesets/index.js";
 export { RepoSettingsProcessor, GitHubRepoSettingsStrategy, } from "./repo-settings/index.js";
 // Labels
 export { LabelsProcessor, GitHubLabelsStrategy, } from "./labels/index.js";
+// Code scanning
+export { CodeScanningProcessor, GitHubCodeScanningStrategy, } from "./code-scanning/index.js";

package/dist/settings/labels/github-labels-strategy.d.ts

@@ -1,5 +1,5 @@
-import { ICommandExecutor } from "../../shared/command-executor.js";
-import { RepoInfo } from "../../shared/repo-detector.js";
+import type { ICommandExecutor } from "../../shared/command-executor.js";
+import { type RepoInfo } from "../../shared/repo-detector.js";
 import { type GhApiOptions } from "../../shared/gh-api-utils.js";
 import type { ILabelsStrategy, GitHubLabel } from "./types.js";
 interface GitHubLabelsStrategyOptions {

package/dist/settings/repo-settings/diff.d.ts

@@ -1,6 +1,7 @@
 import type { GitHubRepoSettings } from "../../config/index.js";
+import type { SettingsAction } from "../base-processor.js";
 import type { CurrentRepoSettings } from "./types.js";
-export type RepoSettingsAction = "create" | "update" | "unchanged";
+export type RepoSettingsAction = Exclude<SettingsAction, "delete">;
 export interface RepoSettingsChange {
     property: keyof GitHubRepoSettings;
     action: RepoSettingsAction;

package/dist/settings/repo-settings/github-repo-settings-strategy.d.ts

@@ -1,4 +1,4 @@
-import { ICommandExecutor } from "../../shared/command-executor.js";
+import type { ICommandExecutor } from "../../shared/command-executor.js";
 import { type RepoInfo } from "../../shared/repo-detector.js";
 import { type GhApiOptions } from "../../shared/gh-api-utils.js";
 import type { GitHubRepoSettings } from "../../config/index.js";

package/dist/settings/repo-settings/processor.d.ts

@@ -1,7 +1,8 @@
 import type { RepoConfig } from "../../config/index.js";
 import type { RepoInfo } from "../../shared/repo-detector.js";
 import type { IRepoSettingsStrategy } from "./types.js";
-import { RepoSettingsPlanResult } from "./formatter.js";
+import type { IRepoMetadataProvider } from "../../shared/repo-metadata-provider.js";
+import { type RepoSettingsPlanResult } from "./formatter.js";
 import { type BaseProcessorOptions, type BaseProcessorResult, type ISettingsProcessor, type ChangeCounts } from "../base-processor.js";
 export type IRepoSettingsProcessor = ISettingsProcessor<RepoSettingsProcessorOptions, RepoSettingsProcessorResult>;
 export type RepoSettingsProcessorOptions = BaseProcessorOptions;
@@ -12,7 +13,8 @@ export interface RepoSettingsProcessorResult extends BaseProcessorResult {
 }
 export declare class RepoSettingsProcessor implements IRepoSettingsProcessor {
     private readonly strategy;
-    constructor(strategy: IRepoSettingsStrategy);
+    private readonly metadataProvider;
+    constructor(strategy: IRepoSettingsStrategy, metadataProvider: IRepoMetadataProvider);
     process(repoConfig: RepoConfig, repoInfo: RepoInfo, options: RepoSettingsProcessorOptions): Promise<RepoSettingsProcessorResult>;
     private applySettings;
     private applyChanges;

package/dist/settings/repo-settings/processor.js

@@ -1,10 +1,12 @@
 import { diffRepoSettings, hasChanges } from "./diff.js";
-import { formatRepoSettingsPlan } from "./formatter.js";
+import { formatRepoSettingsPlan, } from "./formatter.js";
 import { withGitHubGuards, buildDryRunResult, buildApplyResult, } from "../base-processor.js";
 export class RepoSettingsProcessor {
     strategy;
-    constructor(strategy) {
+    metadataProvider;
+    constructor(strategy, metadataProvider) {
         this.strategy = strategy;
+        this.metadataProvider = metadataProvider;
     }
     async process(repoConfig, repoInfo, options) {
         return withGitHubGuards(repoConfig, repoInfo, options, {
@@ -20,10 +22,13 @@ export class RepoSettingsProcessor {
         const { dryRun } = options;
         const desiredSettings = repoConfig.settings.repo;
         const strategyOptions = { token: effectiveToken, host: githubRepo.host };
-        // Fetch current settings
-        const currentSettings = await this.strategy.getSettings(githubRepo, strategyOptions);
+        // Fetch current settings and metadata in parallel
+        const [currentSettings, metadata] = await Promise.all([
+            this.strategy.getSettings(githubRepo, strategyOptions),
+            this.metadataProvider.getMetadata(githubRepo, strategyOptions),
+        ]);
         // Validate security settings compatibility
-        const securityErrors = this.validateSecuritySettings(desiredSettings, currentSettings);
+        const securityErrors = this.validateSecuritySettings(desiredSettings, metadata);
         if (securityErrors.length > 0) {
             return {
                 success: false,
@@ -93,23 +98,16 @@ export class RepoSettingsProcessor {
             await this.strategy.setAutomatedSecurityFixes(repoInfo, automatedSecurityFixes, options);
         }
     }
-    validateSecuritySettings(desiredSettings, currentSettings) {
+    validateSecuritySettings(desiredSettings, metadata) {
         const errors = [];
-        // Use desired visibility if specified (repo may be transitioning to public),
-        // otherwise fall back to current visibility
-        const effectiveVisibility = desiredSettings.visibility ?? currentSettings.visibility;
+        const effectiveVisibility = desiredSettings.visibility ?? metadata.visibility;
         const isPublic = effectiveVisibility === "public";
-        // privateVulnerabilityReporting is only available on public repos
         if (desiredSettings.privateVulnerabilityReporting === true && !isPublic) {
             errors.push("privateVulnerabilityReporting is only available for public repositories");
         }
-        // secretScanning and secretScanningPushProtection:
-        // - Available on public repos (free)
-        // - Available on org private/internal repos with GHAS (security_and_analysis is populated)
-        // - NOT available on user private repos or org private/internal repos without GHAS
         if (!isPublic) {
-            const isUserOwned = currentSettings.owner_type === "User";
-            const hasGHAS = currentSettings.security_and_analysis != null;
+            const isUserOwned = metadata.ownerType === "User";
+            const hasGHAS = metadata.hasGHAS;
             if (desiredSettings.secretScanning === true &&
                 (isUserOwned || !hasGHAS)) {
                 errors.push("secretScanning requires GitHub Advanced Security (not available for this repository)");

package/dist/settings/rulesets/github-ruleset-strategy.d.ts

@@ -1,5 +1,5 @@
-import { ICommandExecutor } from "../../shared/command-executor.js";
-import { RepoInfo } from "../../shared/repo-detector.js";
+import type { ICommandExecutor } from "../../shared/command-executor.js";
+import { type RepoInfo } from "../../shared/repo-detector.js";
 import { type GhApiOptions } from "../../shared/gh-api-utils.js";
 import type { Ruleset } from "../../config/index.js";
 import type { IRulesetStrategy, GitHubRuleset, GitHubBypassActor, GitHubRulesetConditions, GitHubRule, RulesetUpdateParams } from "./types.js";

package/dist/settings/rulesets/processor.d.ts

@@ -1,7 +1,7 @@
 import type { RepoConfig } from "../../config/index.js";
 import type { RepoInfo } from "../../shared/repo-detector.js";
 import type { IRulesetStrategy } from "./types.js";
-import { RulesetPlanResult } from "./formatter.js";
+import { type RulesetPlanResult } from "./formatter.js";
 import { type BaseProcessorOptions, type BaseProcessorResult, type ISettingsProcessor, type ChangeCounts } from "../base-processor.js";
 export type IRulesetProcessor = ISettingsProcessor<RulesetProcessorOptions, RulesetProcessorResult>;
 export interface RulesetProcessorOptions extends BaseProcessorOptions {

package/dist/shared/cleanup-utils.d.ts

@@ -0,0 +1,8 @@
+import type { DebugLog } from "./logger.js";
+/**
+ * Run a cleanup action, swallowing errors with a debug log.
+ * Replaces the repetitive try-catch-debug-log cleanup pattern.
+ * If the function returns a Promise, the returned Promise resolves
+ * after the cleanup completes (or fails silently).
+ */
+export declare function safeCleanup(fn: () => void | Promise<void>, label: string, log: DebugLog): Promise<void>;

package/dist/shared/cleanup-utils.js

@@ -0,0 +1,15 @@
+import { toErrorMessage } from "./type-guards.js";
+/**
+ * Run a cleanup action, swallowing errors with a debug log.
+ * Replaces the repetitive try-catch-debug-log cleanup pattern.
+ * If the function returns a Promise, the returned Promise resolves
+ * after the cleanup completes (or fails silently).
+ */
+export async function safeCleanup(fn, label, log) {
+    try {
+        await fn();
+    }
+    catch (error) {
+        log.debug(`Cleanup: ${label}: ${toErrorMessage(error)}`);
+    }
+}

package/dist/shared/gh-api-utils.d.ts

@@ -1,6 +1,6 @@
 import type { ICommandExecutor } from "./command-executor.js";
 import type { GitHubRepoInfo } from "./repo-detector.js";
-import type { DebugLog } from "./logger.js";
+import type { DebugWarnLog } from "./logger.js";
 interface ITokenManager {
     getTokenForRepo(repoInfo: GitHubRepoInfo): Promise<string | null>;
 }
@@ -51,7 +51,7 @@ interface ResolveGitHubTokenOptions {
     repoInfo: GitHubRepoInfo;
     tokenManager: ITokenManager | null;
     context: string;
-    log?: DebugLog;
+    log?: DebugWarnLog;
     envToken?: string;
 }
 /**

package/dist/shared/gh-api-utils.js

@@ -139,10 +139,13 @@ export async function resolveGitHubToken(options) {
         return { token: appToken ?? envToken, skipped: false };
     }
     catch (error) {
-        const fallbackDesc = envToken
-            ? "falling back to GH_TOKEN"
-            : "no fallback token available";
-        log?.debug(`GitHub App token resolution failed for ${context}: ${toErrorMessage(error)}; ${fallbackDesc}`);
+        const errorMsg = `GitHub App token resolution failed for ${context}: ${toErrorMessage(error)}`;
+        if (envToken) {
+            log?.debug(`${errorMsg}; falling back to GH_TOKEN`);
+        }
+        else {
+            log?.warn(`${errorMsg}; no fallback token available`);
+        }
         return { token: envToken, skipped: false };
     }
 }

package/dist/shared/repo-detector.d.ts

@@ -24,25 +24,6 @@ export interface GitLabRepoInfo extends BaseRepoInfo {
     host: string;
 }
 export type RepoInfo = GitHubRepoInfo | AzureDevOpsRepoInfo | GitLabRepoInfo;
-export declare function isGitHubRepo(info: RepoInfo): info is GitHubRepoInfo;
-export declare function isAzureDevOpsRepo(info: RepoInfo): info is AzureDevOpsRepoInfo;
-export declare function isGitLabRepo(info: RepoInfo): info is GitLabRepoInfo;
-/**
- * Assert that a RepoInfo is a GitHub repository, narrowing the type.
- * Use in GitHub-specific strategies to avoid duplicating validation logic.
- */
-export declare function assertGitHubRepo(repoInfo: RepoInfo, context: string): asserts repoInfo is GitHubRepoInfo;
-/**
- * Assert that a RepoInfo is an Azure DevOps repository, narrowing the type.
- * Use in Azure-specific strategies to avoid duplicating validation logic.
- */
-export declare function assertAzureDevOpsRepo(repoInfo: RepoInfo, context: string): asserts repoInfo is AzureDevOpsRepoInfo;
-/**
- * Assert that a RepoInfo is a GitLab repository, narrowing the type.
- * Use in GitLab-specific strategies to avoid duplicating validation logic.
- */
-export declare function assertGitLabRepo(repoInfo: RepoInfo, context: string): asserts repoInfo is GitLabRepoInfo;
+export { isGitHubRepo, isAzureDevOpsRepo, isGitLabRepo, assertGitHubRepo, assertAzureDevOpsRepo, assertGitLabRepo, getRepoDisplayName, } from "./repo-info-utils.js";
 export declare function detectRepoType(gitUrl: string, context?: RepoDetectorContext): RepoType;
 export declare function parseGitUrl(gitUrl: string, context?: RepoDetectorContext): RepoInfo;
-export declare function getRepoDisplayName(repoInfo: RepoInfo): string;
-export {};

package/dist/shared/repo-detector.js

@@ -1,40 +1,7 @@
 import { ValidationError } from "./errors.js";
-export function isGitHubRepo(info) {
-    return info.type === "github";
-}
-export function isAzureDevOpsRepo(info) {
-    return info.type === "azure-devops";
-}
-export function isGitLabRepo(info) {
-    return info.type === "gitlab";
-}
-/**
- * Assert that a RepoInfo is a GitHub repository, narrowing the type.
- * Use in GitHub-specific strategies to avoid duplicating validation logic.
- */
-export function assertGitHubRepo(repoInfo, context) {
-    if (!isGitHubRepo(repoInfo)) {
-        throw new ValidationError(`${context} requires GitHub repositories. Got: ${repoInfo.type}`);
-    }
-}
-/**
- * Assert that a RepoInfo is an Azure DevOps repository, narrowing the type.
- * Use in Azure-specific strategies to avoid duplicating validation logic.
- */
-export function assertAzureDevOpsRepo(repoInfo, context) {
-    if (!isAzureDevOpsRepo(repoInfo)) {
-        throw new ValidationError(`${context} requires Azure DevOps repositories. Got: ${repoInfo.type}`);
-    }
-}
-/**
- * Assert that a RepoInfo is a GitLab repository, narrowing the type.
- * Use in GitLab-specific strategies to avoid duplicating validation logic.
- */
-export function assertGitLabRepo(repoInfo, context) {
-    if (!isGitLabRepo(repoInfo)) {
-        throw new ValidationError(`${context} requires GitLab repositories. Got: ${repoInfo.type}`);
-    }
-}
+// Type guards, assertions, and display helpers live in repo-info-utils.ts.
+// Re-exported here for backward compatibility.
+export { isGitHubRepo, isAzureDevOpsRepo, isGitLabRepo, assertGitHubRepo, assertAzureDevOpsRepo, assertGitLabRepo, getRepoDisplayName, } from "./repo-info-utils.js";
 function extractHostFromUrl(gitUrl) {
     // SSH: git@hostname:path
     const sshMatch = gitUrl.match(/^git@([^:]+):/);
@@ -217,12 +184,3 @@ function parseGitLabPath(gitUrl, host, fullPath) {
         host,
     };
 }
-export function getRepoDisplayName(repoInfo) {
-    if (repoInfo.type === "azure-devops") {
-        return `${repoInfo.organization}/${repoInfo.project}/${repoInfo.repo}`;
-    }
-    if (repoInfo.type === "gitlab") {
-        return `${repoInfo.namespace}/${repoInfo.repo}`;
-    }
-    return `${repoInfo.owner}/${repoInfo.repo}`;
-}

package/dist/shared/repo-info-utils.d.ts

@@ -0,0 +1,20 @@
+import type { RepoInfo, GitHubRepoInfo, AzureDevOpsRepoInfo, GitLabRepoInfo } from "./repo-detector.js";
+export declare function isGitHubRepo(info: RepoInfo): info is GitHubRepoInfo;
+export declare function isAzureDevOpsRepo(info: RepoInfo): info is AzureDevOpsRepoInfo;
+export declare function isGitLabRepo(info: RepoInfo): info is GitLabRepoInfo;
+/**
+ * Assert that a RepoInfo is a GitHub repository, narrowing the type.
+ * Use in GitHub-specific strategies to avoid duplicating validation logic.
+ */
+export declare function assertGitHubRepo(repoInfo: RepoInfo, context: string): asserts repoInfo is GitHubRepoInfo;
+/**
+ * Assert that a RepoInfo is an Azure DevOps repository, narrowing the type.
+ * Use in Azure-specific strategies to avoid duplicating validation logic.
+ */
+export declare function assertAzureDevOpsRepo(repoInfo: RepoInfo, context: string): asserts repoInfo is AzureDevOpsRepoInfo;
+/**
+ * Assert that a RepoInfo is a GitLab repository, narrowing the type.
+ * Use in GitLab-specific strategies to avoid duplicating validation logic.
+ */
+export declare function assertGitLabRepo(repoInfo: RepoInfo, context: string): asserts repoInfo is GitLabRepoInfo;
+export declare function getRepoDisplayName(repoInfo: RepoInfo): string;

package/dist/shared/repo-info-utils.js

@@ -0,0 +1,46 @@
+import { ValidationError } from "./errors.js";
+export function isGitHubRepo(info) {
+    return info.type === "github";
+}
+export function isAzureDevOpsRepo(info) {
+    return info.type === "azure-devops";
+}
+export function isGitLabRepo(info) {
+    return info.type === "gitlab";
+}
+/**
+ * Assert that a RepoInfo is a GitHub repository, narrowing the type.
+ * Use in GitHub-specific strategies to avoid duplicating validation logic.
+ */
+export function assertGitHubRepo(repoInfo, context) {
+    if (!isGitHubRepo(repoInfo)) {
+        throw new ValidationError(`${context} requires GitHub repositories. Got: ${repoInfo.type}`);
+    }
+}
+/**
+ * Assert that a RepoInfo is an Azure DevOps repository, narrowing the type.
+ * Use in Azure-specific strategies to avoid duplicating validation logic.
+ */
+export function assertAzureDevOpsRepo(repoInfo, context) {
+    if (!isAzureDevOpsRepo(repoInfo)) {
+        throw new ValidationError(`${context} requires Azure DevOps repositories. Got: ${repoInfo.type}`);
+    }
+}
+/**
+ * Assert that a RepoInfo is a GitLab repository, narrowing the type.
+ * Use in GitLab-specific strategies to avoid duplicating validation logic.
+ */
+export function assertGitLabRepo(repoInfo, context) {
+    if (!isGitLabRepo(repoInfo)) {
+        throw new ValidationError(`${context} requires GitLab repositories. Got: ${repoInfo.type}`);
+    }
+}
+export function getRepoDisplayName(repoInfo) {
+    if (repoInfo.type === "azure-devops") {
+        return `${repoInfo.organization}/${repoInfo.project}/${repoInfo.repo}`;
+    }
+    if (repoInfo.type === "gitlab") {
+        return `${repoInfo.namespace}/${repoInfo.repo}`;
+    }
+    return `${repoInfo.owner}/${repoInfo.repo}`;
+}

package/dist/shared/repo-metadata-provider.d.ts

@@ -0,0 +1,27 @@
+import type { ICommandExecutor } from "./command-executor.js";
+import { type RepoInfo } from "./repo-detector.js";
+import { type GhApiOptions } from "./gh-api-utils.js";
+import type { RepoVisibility } from "../config/index.js";
+export interface RepoMetadata {
+    visibility: RepoVisibility;
+    ownerType: "User" | "Organization";
+    hasGHAS: boolean;
+}
+/**
+ * Strategy interface for fetching repository metadata.
+ * Used to share repo metadata (visibility, owner type, GHAS)
+ * across settings processors without coupling them.
+ */
+export interface IRepoMetadataProvider {
+    getMetadata(repoInfo: RepoInfo, options?: GhApiOptions): Promise<RepoMetadata>;
+}
+interface GitHubRepoMetadataProviderOptions {
+    retries?: number;
+    cwd: string;
+}
+export declare class GitHubRepoMetadataProvider implements IRepoMetadataProvider {
+    private api;
+    constructor(executor: ICommandExecutor, options: GitHubRepoMetadataProviderOptions);
+    getMetadata(repoInfo: RepoInfo, options?: GhApiOptions): Promise<RepoMetadata>;
+}
+export {};

package/dist/shared/repo-metadata-provider.js

@@ -0,0 +1,20 @@
+import { assertGitHubRepo } from "./repo-detector.js";
+import { GhApiClient } from "./gh-api-utils.js";
+import { parseApiJson } from "./json-utils.js";
+export class GitHubRepoMetadataProvider {
+    api;
+    constructor(executor, options) {
+        this.api = new GhApiClient(executor, options.retries ?? 3, options.cwd);
+    }
+    async getMetadata(repoInfo, options) {
+        assertGitHubRepo(repoInfo, "Repo Metadata Provider");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}`;
+        const result = await this.api.call("GET", endpoint, { options });
+        const parsed = parseApiJson(result, "repo metadata response");
+        return {
+            visibility: parsed.visibility ?? "public",
+            ownerType: parsed.owner?.type ?? "User",
+            hasGHAS: parsed.security_and_analysis != null,
+        };
+    }
+}

package/dist/shared/retry-utils.d.ts

@@ -44,7 +44,7 @@ export declare function isTransientError(error: unknown, patterns?: RegExp[]): b
  * @param fn The async function to run with retry
  * @param options Retry configuration options
  * @returns The result of the function if successful
- * @throws AbortError for permanent failures, or the last error after all retries exhausted
+ * @throws The original error for permanent failures (pRetry unwraps AbortError before propagating), or the last transient error after all retries exhausted
  */
 export declare function withRetry<T>(fn: () => Promise<T>, options?: RetryOptions): Promise<T>;
 export {};

package/dist/shared/retry-utils.js

@@ -135,7 +135,7 @@ export function isTransientError(error, patterns = DEFAULT_TRANSIENT_ERROR_PATTE
  * @param fn The async function to run with retry
  * @param options Retry configuration options
  * @returns The result of the function if successful
- * @throws AbortError for permanent failures, or the last error after all retries exhausted
+ * @throws The original error for permanent failures (pRetry unwraps AbortError before propagating), or the last transient error after all retries exhausted
  */
 export async function withRetry(fn, options) {
     const retries = options?.retries ?? 3;

package/dist/shared/type-guards.d.ts

@@ -1,10 +1,2 @@
-import type { DebugLog } from "./logger.js";
 export declare function isPlainObject(val: unknown): val is Record<string, unknown>;
 export declare function toErrorMessage(error: unknown): string;
-/**
- * Run a cleanup action, swallowing errors with a debug log.
- * Replaces the repetitive try-catch-debug-log cleanup pattern.
- * If the function returns a Promise, the returned Promise resolves
- * after the cleanup completes (or fails silently).
- */
-export declare function safeCleanup(fn: () => void | Promise<void>, label: string, log: DebugLog): Promise<void>;

package/dist/shared/type-guards.js

@@ -4,17 +4,3 @@ export function isPlainObject(val) {
 export function toErrorMessage(error) {
     return error instanceof Error ? error.message : String(error);
 }
-/**
- * Run a cleanup action, swallowing errors with a debug log.
- * Replaces the repetitive try-catch-debug-log cleanup pattern.
- * If the function returns a Promise, the returned Promise resolves
- * after the cleanup completes (or fails silently).
- */
-export async function safeCleanup(fn, label, log) {
-    try {
-        await fn();
-    }
-    catch (error) {
-        log.debug(`Cleanup: ${label}: ${toErrorMessage(error)}`);
-    }
-}

package/dist/shared/xfg-template.js

@@ -28,7 +28,7 @@ const ESCAPED_XFG_VAR_REGEX = /\$\$\{xfg:([a-zA-Z0-9._]+)\}/g;
  * Get the value of a built-in xfg variable.
  * Returns undefined if the variable is not recognized.
  */
-function getBuiltinVar(varName, ctx) {
+function getBuiltinVariable(varName, ctx) {
     const { repoInfo, fileName } = ctx;
     switch (varName) {
         case "repo.name":
@@ -68,7 +68,7 @@ function buildXfgConfig(ctx, options) {
             return ctx.vars[varName];
         }
         // Then check built-in vars
-        const builtinValue = getBuiltinVar(varName, ctx);
+        const builtinValue = getBuiltinVariable(varName, ctx);
         if (builtinValue !== undefined) {
             return builtinValue;
         }

package/dist/sync/auth-options-builder.d.ts

@@ -1,4 +1,4 @@
-import { RepoInfo } from "../shared/repo-detector.js";
+import { type RepoInfo } from "../shared/repo-detector.js";
 import type { GitHubAppTokenManager } from "../vcs/index.js";
 import type { AuthResult, IAuthOptionsBuilder } from "./types.js";
 import type { ILogger } from "../shared/logger.js";

package/dist/sync/branch-manager.d.ts

@@ -1,17 +1,13 @@
 import type { IPRStrategy } from "../vcs/index.js";
 import type { RepoInfo } from "../shared/repo-detector.js";
 import type { ICommandExecutor } from "../shared/command-executor.js";
+import type { DebugInfoWarnLog } from "../shared/logger.js";
 import type { IBranchManager, BranchSetupOptions } from "./types.js";
-type SyncLog = {
-    debug(msg: string): void;
-    info(msg: string): void;
-    warn(msg: string): void;
-};
-type PRStrategyFactory = (repoInfo: RepoInfo, executor: ICommandExecutor, log?: SyncLog) => IPRStrategy;
+type PRStrategyFactory = (repoInfo: RepoInfo, executor: ICommandExecutor, log?: DebugInfoWarnLog) => IPRStrategy;
 export declare class BranchManager implements IBranchManager {
     private readonly log;
     private readonly prStrategyFactory;
-    constructor(log: SyncLog, prStrategyFactory?: PRStrategyFactory);
+    constructor(log: DebugInfoWarnLog, prStrategyFactory?: PRStrategyFactory);
     setupBranch(options: BranchSetupOptions): Promise<void>;
 }
 export {};

package/dist/sync/commit-push-manager.d.ts

@@ -9,6 +9,6 @@ export declare class CommitPushManager implements ICommitPushManager {
     private readonly commitStrategyFactory;
     constructor(log: DebugInfoLog, commitStrategyFactory?: CommitStrategyFactory);
     commitAndPush(options: CommitPushOptions): Promise<CommitPushResult>;
-    private handleCommitError;
+    private rethrowIfUnexpectedCommitError;
 }
 export {};

package/dist/sync/commit-push-manager.js

@@ -43,10 +43,10 @@ export class CommitPushManager {
             return { success: true };
         }
         catch (error) {
-            return this.handleCommitError(error, isDirectMode, pushBranch, repoInfo);
+            return this.rethrowIfUnexpectedCommitError(error, isDirectMode, pushBranch, repoInfo);
         }
     }
-    handleCommitError(error, isDirectMode, pushBranch, repoInfo) {
+    rethrowIfUnexpectedCommitError(error, isDirectMode, pushBranch, repoInfo) {
         const repoName = getRepoDisplayName(repoInfo);
         const message = toErrorMessage(error);
         if (isDirectMode &&