@aspruyt/xfg 6.0.3 → 6.2.0

package/dist/settings/rulesets/diff-algorithm.js

@@ -78,14 +78,16 @@ function diffObjectArrays(currentArr, desiredArr, parentPath) {
         const currentByType = new Map();
         for (let i = 0; i < currentArr.length; i++) {
             const item = currentArr[i];
-            const type = item.type;
+            const type = typeof item.type === "string" ? item.type : String(item.type ?? "");
             if (type)
                 currentByType.set(type, { item, index: i });
         }
         const matchedTypes = new Set();
         for (let i = 0; i < desiredArr.length; i++) {
             const desiredItem = desiredArr[i];
-            const type = desiredItem.type;
+            const type = typeof desiredItem.type === "string"
+                ? desiredItem.type
+                : String(desiredItem.type ?? "");
             const label = `[${i}] (${type})`;
             const currentEntry = currentByType.get(type);
             if (currentEntry) {

package/dist/settings/rulesets/diff.js

@@ -1,7 +1,9 @@
 import { RULESET_COMPARABLE_FIELDS } from "../../config/index.js";
+import { findMatchKey } from "../../config/merge.js";
 import { isPlainObject } from "../../shared/type-guards.js";
 import { camelToSnake } from "../../shared/string-utils.js";
 import { countActions } from "../base-processor.js";
+import { deepEqual } from "./diff-algorithm.js";
 /**
  * Normalizes a value recursively, converting keys to a consistent format (snake_case).
  * This allows comparing GitHub API responses (snake_case) with config (camelCase).
@@ -54,37 +56,6 @@ function normalizeConfigRuleset(ruleset) {
     };
     return normalizeRuleset(withDefaults);
 }
-/**
- * Performs deep equality comparison of two normalized values.
- */
-function deepEqual(a, b) {
-    if (a === b) {
-        return true;
-    }
-    if (a === null || b === null || a === undefined || b === undefined) {
-        return a === b;
-    }
-    if (typeof a !== typeof b) {
-        return false;
-    }
-    if (Array.isArray(a) && Array.isArray(b)) {
-        if (a.length !== b.length) {
-            return false;
-        }
-        return a.every((val, i) => deepEqual(val, b[i]));
-    }
-    if (typeof a === "object" && typeof b === "object") {
-        const objA = a;
-        const objB = b;
-        const keysA = Object.keys(objA);
-        const keysB = Object.keys(objB);
-        if (keysA.length !== keysB.length) {
-            return false;
-        }
-        return keysA.every((key) => deepEqual(objA[key], objB[key]));
-    }
-    return false;
-}
 /**
  * Projects `current` onto the shape of `desired`.
  * Only keeps keys/structure present in `desired`, filtering out API noise.
@@ -129,26 +100,6 @@ function projectObjects(current, desired) {
     }
     return result;
 }
-/**
- * Candidate keys for matching array items by identity rather than index.
- * Order matters — first key found across all items wins.
- */
-const MATCH_KEY_CANDIDATES = ["type", "actor_id"];
-/**
- * Finds a key that uniquely identifies items in both arrays.
- * Returns the first candidate key present in every item of both arrays, or undefined.
- */
-function findMatchKey(current, desired) {
-    const allItems = [...current, ...desired];
-    if (allItems.length === 0)
-        return undefined;
-    for (const candidate of MATCH_KEY_CANDIDATES) {
-        const everyItemHasKey = allItems.every((item) => isPlainObject(item) && candidate in item);
-        if (everyItemHasKey)
-            return candidate;
-    }
-    return undefined;
-}
 function projectArrays(current, desired) {
     // Primitive arrays — return current as-is
     if (desired.length === 0 || !isPlainObject(desired[0])) {

package/dist/settings/rulesets/formatter.js

@@ -114,6 +114,10 @@ function getActionStyle(action) {
             return { symbol: "-", color: chalk.red };
         case "change":
             return { symbol: "~", color: chalk.yellow };
+        default: {
+            const _ = action;
+            throw new Error(`Unknown DiffAction: ${String(_)}`);
+        }
     }
 }
 function hasComplexValue(value) {

package/dist/settings/rulesets/github-ruleset-strategy.d.ts

@@ -2,7 +2,7 @@ import type { ICommandExecutor } from "../../shared/command-executor.js";
 import { type RepoInfo } from "../../repo/index.js";
 import { type GhApiOptions } from "../../shared/gh-api-utils.js";
 import type { Ruleset } from "../../config/index.js";
-import type { IRulesetStrategy, GitHubRuleset, GitHubBypassActor, GitHubRulesetConditions, GitHubRule, RulesetUpdateParams } from "./types.js";
+import type { IRulesetStrategy, GitHubRuleset, GitHubBypassActor, GitHubRulesetConditions, GitHubRule, RulesetCreateParams, RulesetUpdateParams } from "./types.js";
 /**
  * Converts camelCase config ruleset to snake_case GitHub API format.
  */
@@ -24,8 +24,8 @@ export declare class GitHubRulesetStrategy implements IRulesetStrategy {
     constructor(executor: ICommandExecutor, options: GitHubRulesetStrategyOptions);
     list(repoInfo: RepoInfo, options?: GhApiOptions): Promise<GitHubRuleset[]>;
     get(repoInfo: RepoInfo, rulesetId: number, options?: GhApiOptions): Promise<GitHubRuleset>;
-    create(repoInfo: RepoInfo, name: string, ruleset: Ruleset, options?: GhApiOptions): Promise<GitHubRuleset>;
-    update(repoInfo: RepoInfo, params: RulesetUpdateParams, options?: GhApiOptions): Promise<GitHubRuleset>;
+    create(repoInfo: RepoInfo, params: RulesetCreateParams, options?: GhApiOptions): Promise<void>;
+    update(repoInfo: RepoInfo, params: RulesetUpdateParams, options?: GhApiOptions): Promise<void>;
     delete(repoInfo: RepoInfo, rulesetId: number, options?: GhApiOptions): Promise<void>;
 }
 export {};

package/dist/settings/rulesets/github-ruleset-strategy.js

@@ -111,22 +111,20 @@ export class GitHubRulesetStrategy {
         const result = await this.api.call("GET", endpoint, { options });
         return parseApiJson(result, "ruleset response");
     }
-    async create(repoInfo, name, ruleset, options) {
+    async create(repoInfo, params, options) {
         assertGitHubRepo(repoInfo, "GitHub Ruleset strategy");
         const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/rulesets`;
-        const payload = configToGitHub(name, ruleset);
-        const result = await this.api.call("POST", endpoint, { payload, options });
-        return parseApiJson(result, "ruleset response");
+        const payload = configToGitHub(params.name, params.ruleset);
+        await this.api.call("POST", endpoint, { payload, options });
     }
     async update(repoInfo, params, options) {
         assertGitHubRepo(repoInfo, "GitHub Ruleset strategy");
         const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/rulesets/${params.rulesetId}`;
         const payload = configToGitHub(params.name, params.ruleset);
-        const result = await this.api.call("PUT", endpoint, {
+        await this.api.call("PUT", endpoint, {
             payload,
             options,
         });
-        return parseApiJson(result, "ruleset response");
     }
     async delete(repoInfo, rulesetId, options) {
         assertGitHubRepo(repoInfo, "GitHub Ruleset strategy");

package/dist/settings/rulesets/index.d.ts

@@ -1,4 +1,4 @@
-export { computePropertyDiffs, deepEqual, isArrayOfObjects, type PropertyDiff, } from "./diff-algorithm.js";
+export { type PropertyDiff } from "./diff-algorithm.js";
 export { type RulesetPlanEntry } from "./formatter.js";
 export { RulesetProcessor, type IRulesetProcessor } from "./processor.js";
 export { GitHubRulesetStrategy } from "./github-ruleset-strategy.js";

package/dist/settings/rulesets/index.js

@@ -1,5 +1,3 @@
-// Diff algorithm - property-level diffing for ruleset comparisons
-export { computePropertyDiffs, deepEqual, isArrayOfObjects, } from "./diff-algorithm.js";
 // Processor
 export { RulesetProcessor } from "./processor.js";
 // Strategy

package/dist/settings/rulesets/processor.js

@@ -50,7 +50,7 @@ export class RulesetProcessor {
             switch (change.action) {
                 case "create":
                     if (change.desired) {
-                        await this.strategy.create(githubRepo, change.name, change.desired, strategyOptions);
+                        await this.strategy.create(githubRepo, { name: change.name, ruleset: change.desired }, strategyOptions);
                         appliedCount++;
                     }
                     break;

package/dist/settings/rulesets/types.d.ts

@@ -30,6 +30,10 @@ export interface GitHubRule {
     type: string;
     parameters?: Record<string, unknown>;
 }
+export interface RulesetCreateParams {
+    name: string;
+    ruleset: Ruleset;
+}
 export interface RulesetUpdateParams {
     rulesetId: number;
     name: string;
@@ -38,7 +42,7 @@ export interface RulesetUpdateParams {
 export interface IRulesetStrategy {
     list(repoInfo: RepoInfo, options?: GhApiOptions): Promise<GitHubRuleset[]>;
     get(repoInfo: RepoInfo, rulesetId: number, options?: GhApiOptions): Promise<GitHubRuleset>;
-    create(repoInfo: RepoInfo, name: string, ruleset: Ruleset, options?: GhApiOptions): Promise<GitHubRuleset>;
-    update(repoInfo: RepoInfo, params: RulesetUpdateParams, options?: GhApiOptions): Promise<GitHubRuleset>;
+    create(repoInfo: RepoInfo, params: RulesetCreateParams, options?: GhApiOptions): Promise<void>;
+    update(repoInfo: RepoInfo, params: RulesetUpdateParams, options?: GhApiOptions): Promise<void>;
     delete(repoInfo: RepoInfo, rulesetId: number, options?: GhApiOptions): Promise<void>;
 }

package/dist/shared/command-executor.d.ts

@@ -1,14 +1,14 @@
 export interface ExecOptions {
-    /** Additional environment variables to set for the command */
     env?: Record<string, string>;
+    input?: string;
 }
 export interface ICommandExecutor {
-    exec(command: string, cwd: string, options?: ExecOptions): Promise<string>;
+    exec(executable: string, args: string[], cwd: string, options?: ExecOptions): Promise<string>;
 }
-export declare class ShellCommandExecutor implements ICommandExecutor {
+export declare class ProcessExecutor implements ICommandExecutor {
     private readonly baseEnv;
     constructor(baseEnv: Record<string, string | undefined>);
-    exec(command: string, cwd: string, options?: ExecOptions): Promise<string>;
+    exec(executable: string, args: string[], cwd: string, options?: ExecOptions): Promise<string>;
 }
 /** Extract stderr string from an exec error (child_process errors attach stderr). */
 export declare function getStderr(error: unknown): string;

package/dist/shared/command-executor.js

@@ -1,24 +1,23 @@
 import { execFileSync } from "node:child_process";
-import { sanitizeCredentials } from "../vcs/sanitize-utils.js";
-export class ShellCommandExecutor {
+import { sanitizeCredentials } from "./sanitize-utils.js";
+export class ProcessExecutor {
     baseEnv;
     constructor(baseEnv) {
         this.baseEnv = baseEnv;
     }
-    async exec(command, cwd, options) {
+    async exec(executable, args, cwd, options) {
         try {
-            return execFileSync("sh", ["-c", command], {
+            return execFileSync(executable, args, {
                 cwd,
                 encoding: "utf-8",
                 stdio: ["pipe", "pipe", "pipe"],
+                input: options?.input,
                 env: options?.env
                     ? { ...this.baseEnv, ...options.env }
                     : this.baseEnv,
             }).trim();
         }
         catch (error) {
-            // Normalise and sanitise the exec error so downstream retry logic
-            // sees a string stderr with no raw credentials.
             const execError = error;
             if (execError.stderr && typeof execError.stderr !== "string") {
                 execError.stderr = execError.stderr.toString();
@@ -41,7 +40,10 @@ export class ShellCommandExecutor {
 export function getStderr(error) {
     if (error != null && typeof error === "object" && "stderr" in error) {
         const { stderr } = error;
-        return typeof stderr === "string" ? stderr : "";
+        if (typeof stderr === "string")
+            return stderr;
+        if (Buffer.isBuffer(stderr))
+            return stderr.toString();
     }
     return "";
 }

package/dist/shared/diff-format.d.ts

@@ -0,0 +1 @@
+export declare function formatDiffLine(line: string): string;

package/dist/shared/diff-format.js

@@ -0,0 +1,10 @@
+import chalk from "chalk";
+export function formatDiffLine(line) {
+    if (line.startsWith("+"))
+        return chalk.green(line);
+    if (line.startsWith("-"))
+        return chalk.red(line);
+    if (line.startsWith("@@"))
+        return chalk.cyan(line);
+    return line;
+}

package/dist/shared/errors.d.ts

@@ -5,7 +5,7 @@
  */
 export declare class ValidationError extends Error {
     readonly name = "ValidationError";
-    constructor(message: string);
+    constructor(message: string, options?: ErrorOptions);
 }
 /**
  * Thrown when a GitHub GraphQL API call fails.
@@ -14,13 +14,16 @@ export declare class ValidationError extends Error {
  */
 export declare class GraphQLApiError extends Error {
     readonly name = "GraphQLApiError";
-    constructor(message: string);
+    constructor(message: string, options?: ErrorOptions);
 }
 export declare class SyncError extends Error {
     readonly name = "SyncError";
-    constructor(message: string);
+    constructor(message: string, options?: ErrorOptions);
+}
+export interface RateLimitedError {
+    retryAfter?: number;
 }
 export declare class LifecycleError extends Error {
     readonly name = "LifecycleError";
-    constructor(message: string);
+    constructor(message: string, options?: ErrorOptions);
 }

package/dist/shared/errors.js

@@ -5,8 +5,8 @@
  */
 export class ValidationError extends Error {
     name = "ValidationError";
-    constructor(message) {
-        super(message);
+    constructor(message, options) {
+        super(message, options);
     }
 }
 /**
@@ -16,19 +16,19 @@ export class ValidationError extends Error {
  */
 export class GraphQLApiError extends Error {
     name = "GraphQLApiError";
-    constructor(message) {
-        super(message);
+    constructor(message, options) {
+        super(message, options);
     }
 }
 export class SyncError extends Error {
     name = "SyncError";
-    constructor(message) {
-        super(message);
+    constructor(message, options) {
+        super(message, options);
     }
 }
 export class LifecycleError extends Error {
     name = "LifecycleError";
-    constructor(message) {
-        super(message);
+    constructor(message, options) {
+        super(message, options);
     }
 }

package/dist/shared/gh-api-utils.d.ts

@@ -1,12 +1,8 @@
 import type { ICommandExecutor } from "./command-executor.js";
-import type { DebugWarnLog } from "./logger.js";
 export interface GitHubApiTarget {
     host: string;
     owner: string;
 }
-interface ITokenManager {
-    getTokenForRepo(repoInfo: GitHubApiTarget): Promise<string | null>;
-}
 type HttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
 export interface GhApiOptions {
     token?: string;
@@ -20,10 +16,10 @@ interface GhApiCallParams {
     _retryDelay?: (ms: number) => Promise<void>;
 }
 /**
- * Get the hostname flag for gh commands.
- * Returns "--hostname HOST" for GHE, empty string for github.com.
+ * Build the hostname args for gh commands.
+ * Returns ["--hostname", HOST] for GHE, empty array for github.com.
  */
-export declare function getHostnameFlag(repoInfo: Pick<GitHubApiTarget, "host">): string;
+export declare function buildHostnameArgs(repoInfo: Pick<GitHubApiTarget, "host">): string[];
 export declare function buildTokenEnv(token?: string): Record<string, string> | undefined;
 /**
  * Strips HTTP response headers from `gh api --include` output.
@@ -31,13 +27,6 @@ export declare function buildTokenEnv(token?: string): Record<string, string> |
  * If no blank line is found, returns the full string (no headers present).
  */
 export declare function parseResponseBody(raw: string): string;
-/**
- * Parses Retry-After header from an exec error's stdout and attaches it
- * as error.retryAfter (number of seconds). Only extracts the numeric value
- * to avoid leaking tokens from other headers.
- *
- * No-op if stdout is absent or does not contain a numeric Retry-After header.
- */
 export declare function attachRetryAfter(error: unknown): void;
 /**
  * Extracts GitHub API validation error details from `gh api --include` stdout
@@ -59,24 +48,4 @@ export declare class GhApiClient {
     constructor(executor: ICommandExecutor, retries: number, cwd: string);
     call(method: HttpMethod, endpoint: string, params?: GhApiCallParams): Promise<string>;
 }
-interface ResolveGitHubTokenOptions {
-    repoInfo: GitHubApiTarget;
-    tokenManager: ITokenManager | null;
-    context: string;
-    log?: DebugWarnLog;
-    envToken?: string;
-}
-/**
- * Resolve a GitHub token for a repo: GitHub App token → envToken fallback.
- * Returns { token, skipped } where skipped=true means no App installation found
- * for this owner (token will be undefined). Both sync and settings paths use this.
- */
-export declare function resolveGitHubToken(options: ResolveGitHubTokenOptions): Promise<{
-    token: string | undefined;
-    skipped: boolean;
-}>;
-/**
- * Check if an error message indicates an HTTP 404 response from the GitHub API.
- */
-export declare function isHttp404Error(error: unknown): boolean;
 export {};

package/dist/shared/gh-api-utils.js

@@ -1,15 +1,13 @@
-import { escapeShellArg } from "./shell-utils.js";
 import { withRetry } from "./retry-utils.js";
-import { toErrorMessage } from "./type-guards.js";
 /**
- * Get the hostname flag for gh commands.
- * Returns "--hostname HOST" for GHE, empty string for github.com.
+ * Build the hostname args for gh commands.
+ * Returns ["--hostname", HOST] for GHE, empty array for github.com.
  */
-export function getHostnameFlag(repoInfo) {
+export function buildHostnameArgs(repoInfo) {
     if (repoInfo.host !== "github.com") {
-        return `--hostname ${escapeShellArg(repoInfo.host)}`;
+        return ["--hostname", repoInfo.host];
     }
-    return "";
+    return [];
 }
 export function buildTokenEnv(token) {
     return token ? { GH_TOKEN: token } : undefined;
@@ -38,10 +36,17 @@ export function parseResponseBody(raw) {
  *
  * No-op if stdout is absent or does not contain a numeric Retry-After header.
  */
+function hasStdout(error) {
+    return (typeof error === "object" &&
+        error !== null &&
+        "stdout" in error &&
+        (typeof error.stdout === "string" ||
+            Buffer.isBuffer(error.stdout)));
+}
 export function attachRetryAfter(error) {
-    const stdout = error.stdout;
-    if (!stdout)
+    if (!hasStdout(error))
         return;
+    const stdout = error.stdout;
     const stdoutStr = typeof stdout === "string" ? stdout : stdout.toString();
     const match = stdoutStr.match(/^retry-after:\s*(\d+)\s*$/im);
     if (match) {
@@ -57,9 +62,9 @@ export function attachRetryAfter(error) {
  * No-op if stdout is absent or does not contain parseable error JSON.
  */
 export function attachValidationDetails(error) {
-    const stdout = error.stdout;
-    if (!stdout)
+    if (!hasStdout(error))
         return;
+    const stdout = error.stdout;
     const stdoutStr = typeof stdout === "string" ? stdout : stdout.toString();
     const body = parseResponseBody(stdoutStr);
     try {
@@ -93,7 +98,7 @@ export function attachValidationDetails(error) {
  */
 async function ghApiCall(method, endpoint, opts) {
     const { executor, retries, cwd, apiOpts, payload, paginate } = opts;
-    const args = ["gh", "api"];
+    const args = ["api"];
     if (method !== "GET") {
         args.push("-X", method);
     }
@@ -104,14 +109,13 @@ async function ghApiCall(method, endpoint, opts) {
         args.push("--include");
     }
     if (apiOpts?.host && apiOpts.host !== "github.com") {
-        args.push("--hostname", escapeShellArg(apiOpts.host));
+        args.push("--hostname", apiOpts.host);
     }
-    args.push(escapeShellArg(endpoint));
-    const baseCommand = args.join(" ");
+    args.push(endpoint);
     const env = buildTokenEnv(apiOpts?.token);
-    const execAndParse = async (command) => {
+    const execAndParse = async (execArgs, execOptions) => {
         try {
-            const raw = await executor.exec(command, cwd, { env });
+            const raw = await executor.exec("gh", execArgs, cwd, execOptions);
             return paginate ? raw : parseResponseBody(raw);
         }
         catch (error) {
@@ -129,10 +133,9 @@ async function ghApiCall(method, endpoint, opts) {
     if (payload &&
         (method === "POST" || method === "PUT" || method === "PATCH")) {
         const payloadJson = JSON.stringify(payload);
-        const command = `echo ${escapeShellArg(payloadJson)} | ${baseCommand} --input -`;
-        return withRetry(() => execAndParse(command), retryOpts);
+        return withRetry(() => execAndParse([...args, "--input", "-"], { env, input: payloadJson }), retryOpts);
     }
-    return withRetry(() => execAndParse(baseCommand), retryOpts);
+    return withRetry(() => execAndParse(args, { env }), retryOpts);
 }
 /**
  * Encapsulates executor + retries for GitHub API calls.
@@ -159,36 +162,3 @@ export class GhApiClient {
         });
     }
 }
-/**
- * Resolve a GitHub token for a repo: GitHub App token → envToken fallback.
- * Returns { token, skipped } where skipped=true means no App installation found
- * for this owner (token will be undefined). Both sync and settings paths use this.
- */
-export async function resolveGitHubToken(options) {
-    const { repoInfo, tokenManager, context, log, envToken } = options;
-    try {
-        const appToken = await tokenManager?.getTokenForRepo(repoInfo);
-        if (appToken === null) {
-            // null = no installation found for this owner
-            return { token: undefined, skipped: true };
-        }
-        // string = app token; undefined = no manager configured
-        return { token: appToken ?? envToken, skipped: false };
-    }
-    catch (error) {
-        const errorMsg = `GitHub App token resolution failed for ${context}: ${toErrorMessage(error)}`;
-        if (envToken) {
-            log?.debug(`${errorMsg}; falling back to GH_TOKEN`);
-        }
-        else {
-            log?.warn(`${errorMsg}; no fallback token available`);
-        }
-        return { token: envToken, skipped: false };
-    }
-}
-/**
- * Check if an error message indicates an HTTP 404 response from the GitHub API.
- */
-export function isHttp404Error(error) {
-    return toErrorMessage(error).includes("HTTP 404");
-}

package/dist/shared/gh-token-utils.d.ts

@@ -0,0 +1,26 @@
+import type { DebugWarnLog } from "./logger.js";
+import type { GitHubApiTarget } from "./gh-api-utils.js";
+interface ITokenManager {
+    getTokenForRepo(repoInfo: GitHubApiTarget): Promise<string | null>;
+}
+export interface ResolveGitHubTokenOptions {
+    repoInfo: GitHubApiTarget;
+    tokenManager: ITokenManager | null;
+    context: string;
+    log?: DebugWarnLog;
+    envToken?: string;
+}
+/**
+ * Resolve a GitHub token for a repo: GitHub App token → envToken fallback.
+ * Returns { token, skipped } where skipped=true means no App installation found
+ * for this owner (token will be undefined). Both sync and settings paths use this.
+ */
+export declare function resolveGitHubToken(options: ResolveGitHubTokenOptions): Promise<{
+    token: string | undefined;
+    skipped: boolean;
+}>;
+/**
+ * Check if an error message indicates an HTTP 404 response from the GitHub API.
+ */
+export declare function isHttp404Error(error: unknown): boolean;
+export {};

package/dist/shared/gh-token-utils.js

@@ -0,0 +1,32 @@
+import { toErrorMessage } from "./type-guards.js";
+/**
+ * Resolve a GitHub token for a repo: GitHub App token → envToken fallback.
+ * Returns { token, skipped } where skipped=true means no App installation found
+ * for this owner (token will be undefined). Both sync and settings paths use this.
+ */
+export async function resolveGitHubToken(options) {
+    const { repoInfo, tokenManager, context, log, envToken } = options;
+    try {
+        const appToken = await tokenManager?.getTokenForRepo(repoInfo);
+        if (appToken === null) {
+            return { token: undefined, skipped: true };
+        }
+        return { token: appToken ?? envToken, skipped: false };
+    }
+    catch (error) {
+        const errorMsg = `GitHub App token resolution failed for ${context}: ${toErrorMessage(error)}`;
+        if (envToken) {
+            log?.debug(`${errorMsg}; falling back to GH_TOKEN`);
+        }
+        else {
+            log?.warn(`${errorMsg}; no fallback token available`);
+        }
+        return { token: envToken, skipped: false };
+    }
+}
+/**
+ * Check if an error message indicates an HTTP 404 response from the GitHub API.
+ */
+export function isHttp404Error(error) {
+    return toErrorMessage(error).includes("HTTP 404");
+}

package/dist/shared/json-utils.js

@@ -11,6 +11,6 @@ export function parseApiJson(response, context) {
     }
     catch (error) {
         const preview = response.slice(0, 200);
-        throw new SyncError(`Failed to parse ${context}: ${toErrorMessage(error)} — ${preview}`);
+        throw new SyncError(`Failed to parse ${context}: ${toErrorMessage(error)} — ${preview}`, { cause: error });
     }
 }

package/dist/shared/regex-utils.d.ts

@@ -0,0 +1 @@
+export declare function escapeRegExp(str: string): string;

package/dist/shared/regex-utils.js

@@ -0,0 +1,3 @@
+export function escapeRegExp(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}

package/dist/shared/retry-utils.d.ts

@@ -3,6 +3,7 @@
  * Auth failures, permission issues, and resource-not-found errors.
  */
 export declare const CORE_PERMANENT_ERROR_PATTERNS: RegExp[];
+export declare const BRANCH_PROTECTION_ERROR_PATTERNS: RegExp[];
 /**
  * Default patterns indicating permanent errors that should NOT be retried.
  * Extends CORE_PERMANENT_ERROR_PATTERNS with git-CLI-specific patterns.