@aspruyt/xfg 5.4.0 → 5.5.0

package/dist/config/validator.js

@@ -124,6 +124,8 @@ function buildRootSettingsContext(config) {
             ? Object.keys(config.settings.rulesets).filter((k) => k !== "inherit")
             : [],
         hasRepoSettings: config.settings?.repo !== undefined && config.settings.repo !== false,
+        hasCodeScanningSettings: config.settings?.codeScanning !== undefined &&
+            config.settings.codeScanning !== false,
         labelNames: config.settings?.labels
             ? Object.keys(config.settings.labels).filter((k) => k !== "inherit")
             : [],
@@ -191,6 +193,58 @@ function validateSettings(settings, context, rootCtx) {
             validateRepoSettings(settings.repo, context);
         }
     }
+    if (settings.codeScanning !== undefined) {
+        if (settings.codeScanning === false) {
+            if (!rootCtx) {
+                throw new ValidationError(`${context}: codeScanning: false is not valid at root level. Define codeScanning settings or remove the field.`);
+            }
+            // Per-repo level — check root has codeScanning settings to opt out of
+            if (!rootCtx.hasCodeScanningSettings) {
+                throw new ValidationError(`${context}: Cannot opt out of code scanning settings — not defined in root settings.codeScanning`);
+            }
+        }
+        else {
+            validateCodeScanningSettings(settings.codeScanning, `${context} codeScanning`);
+        }
+    }
+}
+const VALID_CODE_SCANNING_STATES = ["configured", "not-configured"];
+const VALID_CODE_SCANNING_QUERY_SUITES = ["default", "extended"];
+const VALID_CODE_SCANNING_LANGUAGES = [
+    "actions",
+    "c-cpp",
+    "csharp",
+    "go",
+    "java-kotlin",
+    "javascript-typescript",
+    "python",
+    "ruby",
+    "swift",
+];
+function validateCodeScanningSettings(settings, context) {
+    if (!isPlainObject(settings)) {
+        throw new ValidationError(`${context}: must be an object`);
+    }
+    if (settings.state === undefined) {
+        throw new ValidationError(`${context}: state is required`);
+    }
+    if (!VALID_CODE_SCANNING_STATES.includes(settings.state)) {
+        throw new ValidationError(`${context}: state must be one of: ${VALID_CODE_SCANNING_STATES.join(", ")}`);
+    }
+    if (settings.querySuite !== undefined &&
+        !VALID_CODE_SCANNING_QUERY_SUITES.includes(settings.querySuite)) {
+        throw new ValidationError(`${context}: querySuite must be one of: ${VALID_CODE_SCANNING_QUERY_SUITES.join(", ")}`);
+    }
+    if (settings.languages !== undefined) {
+        if (!Array.isArray(settings.languages)) {
+            throw new ValidationError(`${context}: languages must be an array`);
+        }
+        for (const lang of settings.languages) {
+            if (!VALID_CODE_SCANNING_LANGUAGES.includes(lang)) {
+                throw new ValidationError(`${context}: invalid language "${lang}". Valid languages: ${VALID_CODE_SCANNING_LANGUAGES.join(", ")}`);
+            }
+        }
+    }
 }
 function validateConfigId(config) {
     if (!config.id || typeof config.id !== "string") {
@@ -362,6 +416,24 @@ function validateGroups(config) {
     // Validate no circular extends after individual validation
     validateNoCircularExtends(config.groups);
 }
+function validateGroupRefArray(arr, fieldName, ctx, groupNames) {
+    if (!Array.isArray(arr) || arr.length === 0) {
+        throw new ValidationError(`${ctx}: '${fieldName}' must be a non-empty array of strings`);
+    }
+    const seen = new Set();
+    for (const name of arr) {
+        if (typeof name !== "string") {
+            throw new ValidationError(`${ctx}: '${fieldName}' entries must be strings`);
+        }
+        if (!groupNames.includes(name)) {
+            throw new ValidationError(`${ctx}: group '${name}' in ${fieldName} is not defined in root 'groups'`);
+        }
+        if (seen.has(name)) {
+            throw new ValidationError(`${ctx}: duplicate group '${name}' in ${fieldName}`);
+        }
+        seen.add(name);
+    }
+}
 function validateConditionalGroups(config) {
     if (config.conditionalGroups === undefined)
         return;
@@ -382,40 +454,10 @@ function validateConditionalGroups(config) {
             throw new ValidationError(`${ctx}: 'when' must have at least one of 'allOf' or 'anyOf'`);
         }
         if (allOf !== undefined) {
-            if (!Array.isArray(allOf) || allOf.length === 0) {
-                throw new ValidationError(`${ctx}: 'allOf' must be a non-empty array of strings`);
-            }
-            const seen = new Set();
-            for (const name of allOf) {
-                if (typeof name !== "string") {
-                    throw new ValidationError(`${ctx}: 'allOf' entries must be strings`);
-                }
-                if (!groupNames.includes(name)) {
-                    throw new ValidationError(`${ctx}: group '${name}' in allOf is not defined in root 'groups'`);
-                }
-                if (seen.has(name)) {
-                    throw new ValidationError(`${ctx}: duplicate group '${name}' in allOf`);
-                }
-                seen.add(name);
-            }
+            validateGroupRefArray(allOf, "allOf", ctx, groupNames);
         }
         if (anyOf !== undefined) {
-            if (!Array.isArray(anyOf) || anyOf.length === 0) {
-                throw new ValidationError(`${ctx}: 'anyOf' must be a non-empty array of strings`);
-            }
-            const seen = new Set();
-            for (const name of anyOf) {
-                if (typeof name !== "string") {
-                    throw new ValidationError(`${ctx}: 'anyOf' entries must be strings`);
-                }
-                if (!groupNames.includes(name)) {
-                    throw new ValidationError(`${ctx}: group '${name}' in anyOf is not defined in root 'groups'`);
-                }
-                if (seen.has(name)) {
-                    throw new ValidationError(`${ctx}: duplicate group '${name}' in anyOf`);
-                }
-                seen.add(name);
-            }
+            validateGroupRefArray(anyOf, "anyOf", ctx, groupNames);
         }
         // Validate files
         if (entry.files) {
@@ -565,6 +607,10 @@ function validateRepoSettingsEntry(config, repo, repoLabel) {
                 group.settings.repo !== false) {
                 rootCtx.hasRepoSettings = true;
             }
+            if (group?.settings?.codeScanning !== undefined &&
+                group.settings.codeScanning !== false) {
+                rootCtx.hasCodeScanningSettings = true;
+            }
         }
     }
     if (config.conditionalGroups) {
@@ -584,6 +630,10 @@ function validateRepoSettingsEntry(config, repo, repoLabel) {
             if (cg.settings?.repo !== undefined && cg.settings.repo !== false) {
                 rootCtx.hasRepoSettings = true;
             }
+            if (cg.settings?.codeScanning !== undefined &&
+                cg.settings.codeScanning !== false) {
+                rootCtx.hasCodeScanningSettings = true;
+            }
         }
     }
     validateSettings(repo.settings, `Repo ${repoLabel}`, rootCtx);
@@ -600,6 +650,19 @@ function hasGroupFiles(config) {
         Object.values(config.groups).some((g) => g.files &&
             Object.keys(g.files).filter((k) => k !== "inherit" && g.files[k] !== false).length > 0));
 }
+function hasConditionalGroupFiles(config) {
+    return (Array.isArray(config.conditionalGroups) &&
+        config.conditionalGroups.some((cg) => cg.files &&
+            Object.keys(cg.files).filter((k) => k !== "inherit" && cg.files[k] !== false).length > 0));
+}
+function hasConditionalGroupSettings(config, predicate) {
+    return (Array.isArray(config.conditionalGroups) &&
+        config.conditionalGroups.some((cg) => cg.settings && predicate(cg.settings)));
+}
+function hasConditionalGroupPR(config) {
+    return (Array.isArray(config.conditionalGroups) &&
+        config.conditionalGroups.some((cg) => cg.prOptions && isPlainObject(cg.prOptions)));
+}
 /**
  * Validates raw config structure before normalization.
  * @throws ValidationError if validation fails
@@ -611,13 +674,9 @@ export function validateRawConfig(config) {
     const hasGrpFiles = hasGroupFiles(config);
     const hasGrpSettings = isPlainObject(config.groups) &&
         Object.values(config.groups).some((g) => g.settings && isPlainObject(g.settings));
-    const hasCondGrpFiles = Array.isArray(config.conditionalGroups) &&
-        config.conditionalGroups.some((cg) => cg.files &&
-            Object.keys(cg.files).filter((k) => k !== "inherit" && cg.files[k] !== false).length > 0);
-    const hasCondGrpSettings = Array.isArray(config.conditionalGroups) &&
-        config.conditionalGroups.some((cg) => cg.settings && isPlainObject(cg.settings));
-    const hasCondGrpPR = Array.isArray(config.conditionalGroups) &&
-        config.conditionalGroups.some((cg) => cg.prOptions && isPlainObject(cg.prOptions));
+    const hasCondGrpFiles = hasConditionalGroupFiles(config);
+    const hasCondGrpSettings = hasConditionalGroupSettings(config, isPlainObject);
+    const hasCondGrpPR = hasConditionalGroupPR(config);
     if (!hasFiles &&
         !hasSettings &&
         !hasGrpFiles &&
@@ -659,13 +718,9 @@ export function validateForSync(config) {
     const hasRepoSettings = config.repos.some((repo) => hasActionableSettings(repo.settings));
     const hasGroupSettings = isPlainObject(config.groups) &&
         Object.values(config.groups).some((g) => g.settings && hasActionableSettings(g.settings));
-    const hasCondGrpFiles = Array.isArray(config.conditionalGroups) &&
-        config.conditionalGroups.some((cg) => cg.files &&
-            Object.keys(cg.files).filter((k) => k !== "inherit" && cg.files[k] !== false).length > 0);
-    const hasCondGrpSettings = Array.isArray(config.conditionalGroups) &&
-        config.conditionalGroups.some((cg) => cg.settings && hasActionableSettings(cg.settings));
-    const hasCondGrpPR = Array.isArray(config.conditionalGroups) &&
-        config.conditionalGroups.some((cg) => cg.prOptions && isPlainObject(cg.prOptions));
+    const hasCondGrpFiles = hasConditionalGroupFiles(config);
+    const hasCondGrpSettings = hasConditionalGroupSettings(config, hasActionableSettings);
+    const hasCondGrpPR = hasConditionalGroupPR(config);
     if (!hasRootFiles &&
         !hasGrpFiles &&
         !hasSettings &&
@@ -695,5 +750,8 @@ export function hasActionableSettings(settings) {
         Object.keys(settings.labels).filter((k) => k !== "inherit").length > 0) {
         return true;
     }
+    if (settings.codeScanning && typeof settings.codeScanning === "object") {
+        return true;
+    }
     return false;
 }

package/dist/lifecycle/ado-migration-source.d.ts

@@ -1,4 +1,4 @@
-import { ICommandExecutor } from "../shared/command-executor.js";
+import type { ICommandExecutor } from "../shared/command-executor.js";
 import { type RepoInfo } from "../shared/repo-detector.js";
 import type { IMigrationSource, LifecyclePlatform } from "./types.js";
 /**

package/dist/lifecycle/github-lifecycle-provider.d.ts

@@ -1,4 +1,4 @@
-import { ICommandExecutor } from "../shared/command-executor.js";
+import type { ICommandExecutor } from "../shared/command-executor.js";
 import { type RepoInfo } from "../shared/repo-detector.js";
 import type { DebugWarnLog } from "../shared/logger.js";
 import type { IRepoLifecycleProvider, LifecyclePlatform, CreateRepoSettings } from "./types.js";

package/dist/lifecycle/index.d.ts

@@ -1,3 +1,3 @@
 export type { IRepoLifecycleManager } from "./types.js";
 export { RepoLifecycleManager } from "./repo-lifecycle-manager.js";
-export { runLifecycleCheck, toCreateRepoSettings, } from "./lifecycle-helpers.js";
+export { runLifecycleCheck, toCreateRepoSettings, type LifecycleCheckResult, } from "./lifecycle-helpers.js";

package/dist/lifecycle/lifecycle-helpers.d.ts

@@ -20,9 +20,10 @@ interface LifecycleCheckOptions {
  * Extracts only the fields relevant for repo creation.
  */
 export declare function toCreateRepoSettings(repo: GitHubRepoSettings | undefined): CreateRepoSettings | undefined;
-interface LifecycleCheckResult {
+export interface LifecycleCheckResult {
     lifecycleResult: LifecycleResult;
     outputLines: string[];
+    createSettings: CreateRepoSettings | undefined;
 }
 /**
  * Run lifecycle check for a single repo.

package/dist/lifecycle/lifecycle-helpers.js

@@ -45,5 +45,5 @@ export async function runLifecycleCheck(repoConfig, repoInfo, options) {
             }
             : undefined,
     });
-    return { lifecycleResult, outputLines };
+    return { lifecycleResult, outputLines, createSettings };
 }

package/dist/lifecycle/repo-lifecycle-factory.d.ts

@@ -1,4 +1,4 @@
-import { ICommandExecutor } from "../shared/command-executor.js";
+import type { ICommandExecutor } from "../shared/command-executor.js";
 import type { DebugWarnLog } from "../shared/logger.js";
 import type { IRepoLifecycleFactory, IRepoLifecycleProvider, IMigrationSource, LifecyclePlatform } from "./types.js";
 export declare class RepoLifecycleFactory implements IRepoLifecycleFactory {

package/dist/lifecycle/repo-lifecycle-manager.js

@@ -1,7 +1,7 @@
 import { join } from "node:path";
 import { rm } from "node:fs/promises";
 import { parseGitUrl } from "../shared/repo-detector.js";
-import { safeCleanup } from "../shared/type-guards.js";
+import { safeCleanup } from "../shared/cleanup-utils.js";
 import { LifecycleError } from "../shared/errors.js";
 import { NO_OP_DEBUG_LOG } from "../shared/logger.js";
 import { RepoLifecycleFactory } from "./repo-lifecycle-factory.js";

package/dist/output/types.d.ts

@@ -1,3 +1,4 @@
+import type { MergeMode } from "../config/index.js";
 import type { FileChangeDetail } from "../sync/index.js";
 export type ReportFileChange = FileChangeDetail;
 export interface SyncReport {
@@ -14,6 +15,6 @@ export interface RepoFileChanges {
     repoName: string;
     files: ReportFileChange[];
     prUrl?: string;
-    mergeOutcome?: "manual" | "auto" | "force" | "direct";
+    mergeOutcome?: MergeMode;
     error?: string;
 }

package/dist/settings/code-scanning/diff.d.ts

@@ -0,0 +1,19 @@
+import type { CodeScanningSettings } from "../../config/index.js";
+import type { CurrentCodeScanningSettings } from "./types.js";
+import type { SettingsAction } from "../base-processor.js";
+export interface CodeScanningChange {
+    property: "state" | "querySuite" | "languages";
+    action: SettingsAction;
+    oldValue?: unknown;
+    newValue?: unknown;
+}
+/**
+ * Compares current code scanning default setup with desired settings.
+ * Only compares properties that are explicitly set in desired.
+ * Languages are compared as sorted arrays (order doesn't matter).
+ */
+export declare function diffCodeScanning(current: CurrentCodeScanningSettings, desired: CodeScanningSettings): CodeScanningChange[];
+/**
+ * Checks if there are any actual changes to apply.
+ */
+export declare function hasCodeScanningChanges(changes: CodeScanningChange[]): boolean;

package/dist/settings/code-scanning/diff.js

@@ -0,0 +1,75 @@
+/**
+ * Compares current code scanning default setup with desired settings.
+ * Only compares properties that are explicitly set in desired.
+ * Languages are compared as sorted arrays (order doesn't matter).
+ */
+export function diffCodeScanning(current, desired) {
+    const changes = [];
+    // state is always compared (required field)
+    if (current.state !== desired.state) {
+        changes.push({
+            property: "state",
+            action: current.state === undefined ? "create" : "update",
+            oldValue: current.state,
+            newValue: desired.state,
+        });
+    }
+    else {
+        changes.push({
+            property: "state",
+            action: "unchanged",
+            oldValue: current.state,
+            newValue: desired.state,
+        });
+    }
+    // querySuite: only diff if specified in desired
+    if (desired.querySuite !== undefined) {
+        const currentQS = current.query_suite;
+        if (currentQS !== desired.querySuite) {
+            changes.push({
+                property: "querySuite",
+                action: currentQS === undefined ? "create" : "update",
+                oldValue: currentQS,
+                newValue: desired.querySuite,
+            });
+        }
+        else {
+            changes.push({
+                property: "querySuite",
+                action: "unchanged",
+                oldValue: currentQS,
+                newValue: desired.querySuite,
+            });
+        }
+    }
+    // languages: only diff if specified in desired (sorted comparison)
+    if (desired.languages !== undefined) {
+        const currentLangs = [...(current.languages ?? [])].sort();
+        const desiredLangs = [...desired.languages].sort();
+        const langsMatch = currentLangs.length === desiredLangs.length &&
+            currentLangs.every((lang, i) => lang === desiredLangs[i]);
+        if (!langsMatch) {
+            changes.push({
+                property: "languages",
+                action: current.languages === undefined ? "create" : "update",
+                oldValue: current.languages,
+                newValue: desired.languages,
+            });
+        }
+        else {
+            changes.push({
+                property: "languages",
+                action: "unchanged",
+                oldValue: current.languages,
+                newValue: desired.languages,
+            });
+        }
+    }
+    return changes;
+}
+/**
+ * Checks if there are any actual changes to apply.
+ */
+export function hasCodeScanningChanges(changes) {
+    return changes.some((c) => c.action !== "unchanged");
+}

package/dist/settings/code-scanning/formatter.d.ts

@@ -0,0 +1,17 @@
+import type { CodeScanningChange } from "./diff.js";
+export interface CodeScanningPlanEntry {
+    property: string;
+    action: "create" | "update";
+    oldValue?: unknown;
+    newValue?: unknown;
+}
+export interface CodeScanningPlanResult {
+    lines: string[];
+    creates: number;
+    updates: number;
+    entries: CodeScanningPlanEntry[];
+}
+/**
+ * Formats code scanning changes as Terraform-style plan output.
+ */
+export declare function formatCodeScanningPlan(changes: CodeScanningChange[]): CodeScanningPlanResult;

package/dist/settings/code-scanning/formatter.js

@@ -0,0 +1,37 @@
+import chalk from "chalk";
+import { formatScalarValue } from "../../shared/string-utils.js";
+import { countActions } from "../base-processor.js";
+function formatValue(val) {
+    if (Array.isArray(val)) {
+        return `[${val.join(", ")}]`;
+    }
+    return formatScalarValue(val) ?? String(val);
+}
+/**
+ * Formats code scanning changes as Terraform-style plan output.
+ */
+export function formatCodeScanningPlan(changes) {
+    const lines = [];
+    const entries = [];
+    const { create: creates, update: updates } = countActions(changes);
+    for (const change of changes) {
+        if (change.action === "create") {
+            lines.push(chalk.green(`    + ${change.property}: ${formatValue(change.newValue)}`));
+            entries.push({
+                property: change.property,
+                action: "create",
+                newValue: change.newValue,
+            });
+        }
+        else if (change.action === "update") {
+            lines.push(chalk.yellow(`    ~ ${change.property}: ${formatValue(change.oldValue)} → ${formatValue(change.newValue)}`));
+            entries.push({
+                property: change.property,
+                action: "update",
+                oldValue: change.oldValue,
+                newValue: change.newValue,
+            });
+        }
+    }
+    return { lines, creates, updates, entries };
+}

package/dist/settings/code-scanning/github-code-scanning-strategy.d.ts

@@ -0,0 +1,19 @@
+import type { ICommandExecutor } from "../../shared/command-executor.js";
+import { type RepoInfo } from "../../shared/repo-detector.js";
+import { type GhApiOptions } from "../../shared/gh-api-utils.js";
+import type { ICodeScanningStrategy, CurrentCodeScanningSettings } from "./types.js";
+interface GitHubCodeScanningStrategyOptions {
+    retries?: number;
+    cwd: string;
+}
+export declare class GitHubCodeScanningStrategy implements ICodeScanningStrategy {
+    private api;
+    constructor(executor: ICommandExecutor, options: GitHubCodeScanningStrategyOptions);
+    getDefaultSetup(repoInfo: RepoInfo, options?: GhApiOptions): Promise<CurrentCodeScanningSettings>;
+    updateDefaultSetup(repoInfo: RepoInfo, settings: {
+        state: string;
+        query_suite?: string;
+        languages?: string[];
+    }, options?: GhApiOptions): Promise<void>;
+}
+export {};

package/dist/settings/code-scanning/github-code-scanning-strategy.js

@@ -0,0 +1,20 @@
+import { assertGitHubRepo } from "../../shared/repo-detector.js";
+import { GhApiClient } from "../../shared/gh-api-utils.js";
+import { parseApiJson } from "../../shared/json-utils.js";
+export class GitHubCodeScanningStrategy {
+    api;
+    constructor(executor, options) {
+        this.api = new GhApiClient(executor, options.retries ?? 3, options.cwd);
+    }
+    async getDefaultSetup(repoInfo, options) {
+        assertGitHubRepo(repoInfo, "GitHub Code Scanning strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/code-scanning/default-setup`;
+        const result = await this.api.call("GET", endpoint, { options });
+        return parseApiJson(result, "code scanning default setup response");
+    }
+    async updateDefaultSetup(repoInfo, settings, options) {
+        assertGitHubRepo(repoInfo, "GitHub Code Scanning strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/code-scanning/default-setup`;
+        await this.api.call("PATCH", endpoint, { payload: settings, options });
+    }
+}

package/dist/settings/code-scanning/index.d.ts

@@ -0,0 +1,3 @@
+export { type CodeScanningPlanEntry } from "./formatter.js";
+export { CodeScanningProcessor, type ICodeScanningProcessor, } from "./processor.js";
+export { GitHubCodeScanningStrategy } from "./github-code-scanning-strategy.js";

package/dist/settings/code-scanning/index.js

@@ -0,0 +1,4 @@
+// Processor
+export { CodeScanningProcessor, } from "./processor.js";
+// Strategy
+export { GitHubCodeScanningStrategy } from "./github-code-scanning-strategy.js";

package/dist/settings/code-scanning/processor.d.ts

@@ -0,0 +1,20 @@
+import type { RepoConfig } from "../../config/index.js";
+import type { RepoInfo } from "../../shared/repo-detector.js";
+import type { ICodeScanningStrategy } from "./types.js";
+import type { IRepoMetadataProvider } from "../../shared/repo-metadata-provider.js";
+import { type CodeScanningPlanResult } from "./formatter.js";
+import { type BaseProcessorOptions, type BaseProcessorResult, type ISettingsProcessor, type ChangeCounts } from "../base-processor.js";
+export type ICodeScanningProcessor = ISettingsProcessor<CodeScanningProcessorOptions, CodeScanningProcessorResult>;
+export type CodeScanningProcessorOptions = BaseProcessorOptions;
+export interface CodeScanningProcessorResult extends BaseProcessorResult {
+    changes?: ChangeCounts;
+    planOutput?: CodeScanningPlanResult;
+}
+export declare class CodeScanningProcessor implements ICodeScanningProcessor {
+    private readonly strategy;
+    private readonly metadataProvider;
+    constructor(strategy: ICodeScanningStrategy, metadataProvider: IRepoMetadataProvider);
+    process(repoConfig: RepoConfig, repoInfo: RepoInfo, options: CodeScanningProcessorOptions): Promise<CodeScanningProcessorResult>;
+    private applySettings;
+    private validateGHAS;
+}

package/dist/settings/code-scanning/processor.js

@@ -0,0 +1,81 @@
+import { diffCodeScanning, hasCodeScanningChanges } from "./diff.js";
+import { formatCodeScanningPlan, } from "./formatter.js";
+import { withGitHubGuards, countActions, buildDryRunResult, buildApplyResult, } from "../base-processor.js";
+export class CodeScanningProcessor {
+    strategy;
+    metadataProvider;
+    constructor(strategy, metadataProvider) {
+        this.strategy = strategy;
+        this.metadataProvider = metadataProvider;
+    }
+    async process(repoConfig, repoInfo, options) {
+        return withGitHubGuards(repoConfig, repoInfo, options, {
+            hasDesiredSettings: (rc) => {
+                const cs = rc.settings?.codeScanning;
+                return !!cs && typeof cs === "object";
+            },
+            emptySettingsMessage: "No code scanning settings configured",
+            applySettings: (githubRepo, rc, opts, token, repoName) => this.applySettings(githubRepo, rc, opts, token, repoName),
+        });
+    }
+    async applySettings(githubRepo, repoConfig, options, effectiveToken, repoName) {
+        const { dryRun } = options;
+        const desiredSettings = repoConfig.settings
+            .codeScanning;
+        const strategyOptions = { token: effectiveToken, host: githubRepo.host };
+        // Validate GHAS availability for private repos
+        const metadata = await this.metadataProvider.getMetadata(githubRepo, strategyOptions);
+        const validationError = this.validateGHAS(desiredSettings, metadata);
+        if (validationError) {
+            return {
+                success: false,
+                repoName,
+                message: `Failed: ${validationError}`,
+            };
+        }
+        // Fetch current settings
+        const currentSettings = await this.strategy.getDefaultSetup(githubRepo, strategyOptions);
+        // Compute diff
+        const changes = diffCodeScanning(currentSettings, desiredSettings);
+        const changeCounts = countActions(changes);
+        if (!hasCodeScanningChanges(changes)) {
+            return {
+                success: true,
+                repoName,
+                message: "No changes needed",
+                changes: changeCounts,
+            };
+        }
+        // Format plan output
+        const planOutput = formatCodeScanningPlan(changes);
+        if (dryRun) {
+            return buildDryRunResult(repoName, changeCounts, { planOutput });
+        }
+        // Build API payload from desired settings
+        const payload = {
+            state: desiredSettings.state,
+        };
+        if (desiredSettings.querySuite !== undefined) {
+            payload.query_suite = desiredSettings.querySuite;
+        }
+        if (desiredSettings.languages !== undefined) {
+            payload.languages = desiredSettings.languages;
+        }
+        await this.strategy.updateDefaultSetup(githubRepo, payload, strategyOptions);
+        const appliedCount = changes.filter((c) => c.action !== "unchanged").length;
+        return buildApplyResult(repoName, changeCounts, appliedCount, {
+            planOutput,
+        });
+    }
+    validateGHAS(desired, metadata) {
+        if (desired.state !== "configured")
+            return undefined;
+        const isPublic = metadata.visibility === "public";
+        if (isPublic)
+            return undefined;
+        if (!metadata.hasGHAS) {
+            return "Code scanning default setup requires GitHub Advanced Security (not available for this repository)";
+        }
+        return undefined;
+    }
+}

package/dist/settings/code-scanning/types.d.ts

@@ -0,0 +1,22 @@
+import type { RepoInfo } from "../../shared/repo-detector.js";
+import type { GhApiOptions } from "../../shared/gh-api-utils.js";
+/**
+ * Current code scanning default setup state from GitHub API.
+ */
+export interface CurrentCodeScanningSettings {
+    state: "configured" | "not-configured";
+    query_suite?: "default" | "extended";
+    languages?: string[];
+}
+/**
+ * Strategy interface for code scanning default setup operations.
+ * Abstracts the GitHub API calls for testability.
+ */
+export interface ICodeScanningStrategy {
+    getDefaultSetup(repoInfo: RepoInfo, options?: GhApiOptions): Promise<CurrentCodeScanningSettings>;
+    updateDefaultSetup(repoInfo: RepoInfo, settings: {
+        state: string;
+        query_suite?: string;
+        languages?: string[];
+    }, options?: GhApiOptions): Promise<void>;
+}

package/dist/settings/code-scanning/types.js

@@ -0,0 +1 @@
+export {};

package/dist/settings/index.d.ts

@@ -2,3 +2,4 @@ export { type BaseProcessorResult, type ISettingsProcessor, countActions, isActi
 export { type PropertyDiff, type RulesetPlanEntry, RulesetProcessor, type IRulesetProcessor, GitHubRulesetStrategy, } from "./rulesets/index.js";
 export { RepoSettingsProcessor, type IRepoSettingsProcessor, type RepoSettingsPlanEntry, GitHubRepoSettingsStrategy, } from "./repo-settings/index.js";
 export { type LabelsPlanEntry, LabelsProcessor, type ILabelsProcessor, GitHubLabelsStrategy, } from "./labels/index.js";
+export { type CodeScanningPlanEntry, CodeScanningProcessor, type ICodeScanningProcessor, GitHubCodeScanningStrategy, } from "./code-scanning/index.js";

package/dist/settings/index.js

@@ -6,3 +6,5 @@ export { RulesetProcessor, GitHubRulesetStrategy, } from "./rulesets/index.js";
 export { RepoSettingsProcessor, GitHubRepoSettingsStrategy, } from "./repo-settings/index.js";
 // Labels
 export { LabelsProcessor, GitHubLabelsStrategy, } from "./labels/index.js";
+// Code scanning
+export { CodeScanningProcessor, GitHubCodeScanningStrategy, } from "./code-scanning/index.js";

package/dist/settings/labels/github-labels-strategy.d.ts

@@ -1,5 +1,5 @@
-import { ICommandExecutor } from "../../shared/command-executor.js";
-import { RepoInfo } from "../../shared/repo-detector.js";
+import type { ICommandExecutor } from "../../shared/command-executor.js";
+import { type RepoInfo } from "../../shared/repo-detector.js";
 import { type GhApiOptions } from "../../shared/gh-api-utils.js";
 import type { ILabelsStrategy, GitHubLabel } from "./types.js";
 interface GitHubLabelsStrategyOptions {