@aspruyt/xfg 6.1.0 → 6.3.0

package/dist/config/validator.js

@@ -1,259 +1,13 @@
-import { resolveExtendsChain, expandRepoGroups } from "./extends-resolver.js";
-import { isTextContent, isObjectContent, isStructuredFileExtension, validateFileName, VALID_STRATEGIES, } from "./validators/file-validator.js";
-import { validateRepoSettings } from "./validators/repo-settings-validator.js";
-import { validateRuleset } from "./validators/ruleset-validator.js";
-import { escapeRegExp } from "../shared/shell-utils.js";
+import { validateFileName } from "./validators/file-validator.js";
 import { isPlainObject } from "../shared/type-guards.js";
 import { ValidationError } from "../shared/errors.js";
-// Pattern for valid config ID: alphanumeric, hyphens, underscores
+import { validateFileConfigFields, validateSettings, } from "./validators/shared.js";
+import { validateGroups, validateConditionalGroups, } from "./validators/group-validator.js";
+import { validateRepoEntry } from "./validators/repo-entry-validator.js";
 const CONFIG_ID_PATTERN = /^[a-zA-Z0-9_-]+$/;
+const VARIABLE_NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;
+const VARIABLE_RESERVED_KEYS = new Set(["deleteOrphaned", "inherit"]);
 const CONFIG_ID_MAX_LENGTH = 64;
-/**
- * Check if a string looks like a valid git URL.
- * Supports SSH (git@host:path) and HTTPS (https://host/path) formats.
- */
-function isValidGitUrl(url) {
-    // SSH format: git@hostname:path  OR  HTTPS format: https://hostname/path
-    return /^git@[^:]+:.+$/.test(url) || /^https?:\/\/[^/]+\/.+$/.test(url);
-}
-/**
- * Check if a git URL points to GitHub (github.com).
- * Used to reject GitHub URLs as migration sources (not supported).
- */
-function isGitHubUrl(url, githubHosts) {
-    const hosts = ["github.com", ...(githubHosts ?? [])];
-    for (const host of hosts) {
-        if (url.startsWith(`git@${host}:`) ||
-            url.match(new RegExp(`^https?://${escapeRegExp(host)}/`))) {
-            return true;
-        }
-    }
-    return false;
-}
-function getGitDisplayName(git) {
-    if (Array.isArray(git)) {
-        return git[0] || "unknown";
-    }
-    return git;
-}
-/**
- * Validate file config fields shared between root files and per-repo overrides.
- */
-function validateFileConfigFields(fileConfig, fileName, context) {
-    if (fileConfig.content !== undefined) {
-        const hasText = isTextContent(fileConfig.content);
-        const hasObject = isObjectContent(fileConfig.content);
-        if (!hasText && !hasObject) {
-            throw new ValidationError(`${context} file '${fileName}' content must be an object, string, or array of strings`);
-        }
-        const isStructured = isStructuredFileExtension(fileName);
-        if (isStructured && hasText) {
-            throw new ValidationError(`${context} file '${fileName}' has JSON/YAML extension but string content. Use object content for structured files.`);
-        }
-        if (!isStructured && hasObject) {
-            throw new ValidationError(`${context} file '${fileName}' has text extension but object content. Use string or string[] for text files, or use .json/.yaml/.yml extension.`);
-        }
-    }
-    if (fileConfig.mergeStrategy !== undefined &&
-        !VALID_STRATEGIES.includes(fileConfig.mergeStrategy)) {
-        throw new ValidationError(`${context} file '${fileName}' has invalid mergeStrategy: ${fileConfig.mergeStrategy}. Must be one of: ${VALID_STRATEGIES.join(", ")}`);
-    }
-    const booleanFields = [
-        "createOnly",
-        "executable",
-        "template",
-        "deleteOrphaned",
-    ];
-    for (const field of booleanFields) {
-        if (fileConfig[field] !== undefined &&
-            typeof fileConfig[field] !== "boolean") {
-            throw new ValidationError(`${context} file '${fileName}' ${field} must be a boolean`);
-        }
-    }
-    const stringFields = ["schemaUrl"];
-    for (const field of stringFields) {
-        if (fileConfig[field] !== undefined &&
-            typeof fileConfig[field] !== "string") {
-            throw new ValidationError(`${context} file '${fileName}' ${field} must be a string`);
-        }
-    }
-    if (fileConfig.header !== undefined) {
-        if (typeof fileConfig.header !== "string" &&
-            (!Array.isArray(fileConfig.header) ||
-                !fileConfig.header.every((h) => typeof h === "string"))) {
-            throw new ValidationError(`${context} file '${fileName}' header must be a string or array of strings`);
-        }
-    }
-    if (fileConfig.vars !== undefined) {
-        if (!isPlainObject(fileConfig.vars)) {
-            throw new ValidationError(`${context} file '${fileName}' vars must be an object with string values`);
-        }
-        for (const [key, value] of Object.entries(fileConfig.vars)) {
-            if (typeof value !== "string") {
-                throw new ValidationError(`${context} file '${fileName}' vars.${key} must be a string`);
-            }
-        }
-    }
-}
-/**
- * Validates a single label configuration.
- */
-function validateLabel(label, name, context) {
-    if (!isPlainObject(label)) {
-        throw new ValidationError(`${context}: label '${name}' must be an object`);
-    }
-    const l = label;
-    if (typeof l.color !== "string" || !/^#?[0-9a-fA-F]{6}$/.test(l.color)) {
-        throw new ValidationError(`${context}: label '${name}' color must be a 6-character hex code (with or without #)`);
-    }
-    if (l.description !== undefined) {
-        if (typeof l.description !== "string") {
-            throw new ValidationError(`${context}: label '${name}' description must be a string`);
-        }
-        if (l.description.length > 100) {
-            throw new ValidationError(`${context}: label '${name}' description exceeds 100 characters (GitHub limit)`);
-        }
-    }
-    if (l.new_name !== undefined && typeof l.new_name !== "string") {
-        throw new ValidationError(`${context}: label '${name}' new_name must be a string`);
-    }
-}
-function buildRootSettingsContext(config) {
-    return {
-        rulesetNames: config.settings?.rulesets
-            ? Object.keys(config.settings.rulesets).filter((k) => k !== "inherit")
-            : [],
-        hasRepoSettings: config.settings?.repo !== undefined && config.settings.repo !== false,
-        hasCodeScanningSettings: config.settings?.codeScanning !== undefined &&
-            config.settings.codeScanning !== false,
-        labelNames: config.settings?.labels
-            ? Object.keys(config.settings.labels).filter((k) => k !== "inherit")
-            : [],
-    };
-}
-/**
- * Validates settings object containing rulesets, labels, and repo settings.
- */
-function validateSettingsRulesets(settings, context, rootCtx) {
-    if (settings.rulesets === undefined)
-        return;
-    if (!isPlainObject(settings.rulesets)) {
-        throw new ValidationError(`${context}: rulesets must be an object`);
-    }
-    const rulesets = settings.rulesets;
-    for (const [name, ruleset] of Object.entries(rulesets)) {
-        if (name === "inherit")
-            continue;
-        if (ruleset === false) {
-            if (rootCtx && !rootCtx.rulesetNames.includes(name)) {
-                throw new ValidationError(`${context}: Cannot opt out of '${name}' - not defined in root settings.rulesets`);
-            }
-            continue;
-        }
-        validateRuleset(ruleset, name, context);
-    }
-}
-function validateSettingsLabels(settings, context, rootCtx) {
-    if (settings.labels === undefined)
-        return;
-    if (!isPlainObject(settings.labels)) {
-        throw new ValidationError(`${context}: labels must be an object`);
-    }
-    const labels = settings.labels;
-    for (const [name, label] of Object.entries(labels)) {
-        if (name === "inherit")
-            continue;
-        if (label === false) {
-            if (rootCtx && !rootCtx.labelNames.includes(name)) {
-                throw new ValidationError(`${context}: Cannot opt out of label '${name}' - not defined in root settings.labels`);
-            }
-            continue;
-        }
-        validateLabel(label, name, context);
-    }
-}
-function validateSettingsDeleteOrphaned(settings, context) {
-    if (settings.deleteOrphaned !== undefined &&
-        typeof settings.deleteOrphaned !== "boolean") {
-        throw new ValidationError(`${context}: settings.deleteOrphaned must be a boolean`);
-    }
-}
-function validateSettingsRepo(settings, context, rootCtx) {
-    if (settings.repo === undefined)
-        return;
-    if (settings.repo === false) {
-        if (!rootCtx) {
-            throw new ValidationError(`${context}: repo: false is not valid at root level. Define repo settings or remove the field.`);
-        }
-        if (!rootCtx.hasRepoSettings) {
-            throw new ValidationError(`${context}: Cannot opt out of repo settings — not defined in root settings.repo`);
-        }
-        return;
-    }
-    validateRepoSettings(settings.repo, context);
-}
-function validateSettingsCodeScanning(settings, context, rootCtx) {
-    if (settings.codeScanning === undefined)
-        return;
-    if (settings.codeScanning === false) {
-        if (!rootCtx) {
-            throw new ValidationError(`${context}: codeScanning: false is not valid at root level. Define codeScanning settings or remove the field.`);
-        }
-        if (!rootCtx.hasCodeScanningSettings) {
-            throw new ValidationError(`${context}: Cannot opt out of code scanning settings — not defined in root settings.codeScanning`);
-        }
-        return;
-    }
-    validateCodeScanningSettings(settings.codeScanning, `${context} codeScanning`);
-}
-function validateSettings(settings, context, rootCtx) {
-    if (!isPlainObject(settings)) {
-        throw new ValidationError(`${context}: settings must be an object`);
-    }
-    validateSettingsRulesets(settings, context, rootCtx);
-    validateSettingsLabels(settings, context, rootCtx);
-    validateSettingsDeleteOrphaned(settings, context);
-    validateSettingsRepo(settings, context, rootCtx);
-    validateSettingsCodeScanning(settings, context, rootCtx);
-}
-const VALID_CODE_SCANNING_STATES = ["configured", "not-configured"];
-const VALID_CODE_SCANNING_QUERY_SUITES = ["default", "extended"];
-const VALID_CODE_SCANNING_LANGUAGES = [
-    "actions",
-    "c-cpp",
-    "csharp",
-    "go",
-    "java-kotlin",
-    "javascript-typescript",
-    "python",
-    "ruby",
-    "swift",
-];
-function validateCodeScanningSettings(settings, context) {
-    if (!isPlainObject(settings)) {
-        throw new ValidationError(`${context}: must be an object`);
-    }
-    if (settings.state === undefined) {
-        throw new ValidationError(`${context}: state is required`);
-    }
-    if (!VALID_CODE_SCANNING_STATES.includes(settings.state)) {
-        throw new ValidationError(`${context}: state must be one of: ${VALID_CODE_SCANNING_STATES.join(", ")}`);
-    }
-    if (settings.querySuite !== undefined &&
-        !VALID_CODE_SCANNING_QUERY_SUITES.includes(settings.querySuite)) {
-        throw new ValidationError(`${context}: querySuite must be one of: ${VALID_CODE_SCANNING_QUERY_SUITES.join(", ")}`);
-    }
-    if (settings.languages !== undefined) {
-        if (!Array.isArray(settings.languages)) {
-            throw new ValidationError(`${context}: languages must be an array`);
-        }
-        for (const lang of settings.languages) {
-            if (!VALID_CODE_SCANNING_LANGUAGES.includes(lang)) {
-                throw new ValidationError(`${context}: invalid language "${lang}". Valid languages: ${VALID_CODE_SCANNING_LANGUAGES.join(", ")}`);
-            }
-        }
-    }
-}
 function validateConfigId(config) {
     if (!config.id || typeof config.id !== "string") {
         throw new ValidationError("Config requires an 'id' field. This unique identifier is used to namespace managed files in .xfg.json");
@@ -290,6 +44,9 @@ function validateRootSettings(config) {
     if (config.settings.labels && "inherit" in config.settings.labels) {
         throw new ValidationError("'inherit' is a reserved key and cannot be used as a label name");
     }
+    if (config.settings.variables && "inherit" in config.settings.variables) {
+        throw new ValidationError("'inherit' is not allowed in root-level variables (nothing to inherit from)");
+    }
 }
 function validateGithubHosts(config) {
     if (config.githubHosts === undefined)
@@ -322,352 +79,6 @@ function validatePrOptions(config) {
         }
     }
 }
-/**
- * Validates the extends field on a single group definition.
- * Checks type, self-reference, and that all referenced groups exist.
- */
-function validateGroupExtends(groupName, extends_, groupNames) {
-    // Type check
-    if (typeof extends_ === "string") {
-        if (extends_.length === 0) {
-            throw new ValidationError(`groups.${groupName}: 'extends' must be a non-empty string or array of strings`);
-        }
-        // Self-reference
-        if (extends_ === groupName) {
-            throw new ValidationError(`groups.${groupName}: extends cannot reference itself`);
-        }
-        // Existence
-        if (!groupNames.has(extends_)) {
-            throw new ValidationError(`groups.${groupName}: extends references undefined group '${extends_}'`);
-        }
-    }
-    else if (Array.isArray(extends_)) {
-        if (extends_.length === 0) {
-            throw new ValidationError(`groups.${groupName}: 'extends' must be a non-empty string or array of strings`);
-        }
-        const seen = new Set();
-        for (const entry of extends_) {
-            if (typeof entry !== "string") {
-                throw new ValidationError(`groups.${groupName}: 'extends' array entries must be strings`);
-            }
-            if (entry.length === 0) {
-                throw new ValidationError(`groups.${groupName}: 'extends' array entries must be non-empty strings`);
-            }
-            if (entry === groupName) {
-                throw new ValidationError(`groups.${groupName}: extends cannot reference itself`);
-            }
-            if (!groupNames.has(entry)) {
-                throw new ValidationError(`groups.${groupName}: extends references undefined group '${entry}'`);
-            }
-            if (seen.has(entry)) {
-                throw new ValidationError(`groups.${groupName}: duplicate '${entry}' in extends`);
-            }
-            seen.add(entry);
-        }
-    }
-    else {
-        throw new ValidationError(`groups.${groupName}: 'extends' must be a non-empty string or array of strings`);
-    }
-}
-/**
- * Detects circular extends chains across all groups.
- * Reuses resolveExtendsChain from extends-resolver.ts to avoid
- * duplicating the chain-walking logic. Converts thrown errors
- * to ValidationError.
- */
-function validateNoCircularExtends(groups) {
-    for (const name of Object.keys(groups)) {
-        if (!groups[name].extends)
-            continue;
-        try {
-            resolveExtendsChain(name, groups);
-        }
-        catch (error) {
-            throw new ValidationError(error instanceof Error ? error.message : String(error));
-        }
-    }
-}
-function validateGroups(config) {
-    if (config.groups === undefined)
-        return;
-    if (!isPlainObject(config.groups)) {
-        throw new ValidationError("groups must be an object");
-    }
-    const rootCtx = buildRootSettingsContext(config);
-    const groupNames = new Set(Object.keys(config.groups));
-    for (const [groupName, group] of Object.entries(config.groups)) {
-        if (groupName === "inherit") {
-            throw new ValidationError("'inherit' is a reserved key and cannot be used as a group name");
-        }
-        if (groupName === "extends") {
-            throw new ValidationError("'extends' is a reserved key and cannot be used as a group name");
-        }
-        // Validate extends field
-        if (group.extends !== undefined) {
-            validateGroupExtends(groupName, group.extends, groupNames);
-        }
-        if (group.files) {
-            for (const [fileName, fileConfig] of Object.entries(group.files)) {
-                if (fileName === "inherit")
-                    continue;
-                if (fileConfig === false)
-                    continue;
-                if (fileConfig === undefined)
-                    continue;
-                validateFileConfigFields(fileConfig, fileName, `groups.${groupName}:`);
-            }
-        }
-        if (group.settings !== undefined) {
-            validateSettings(group.settings, `groups.${groupName}`, rootCtx);
-        }
-    }
-    // Validate no circular extends after individual validation
-    validateNoCircularExtends(config.groups);
-}
-function validateGroupRefArray(arr, fieldName, ctx, groupNames) {
-    if (!Array.isArray(arr) || arr.length === 0) {
-        throw new ValidationError(`${ctx}: '${fieldName}' must be a non-empty array of strings`);
-    }
-    const seen = new Set();
-    for (const name of arr) {
-        if (typeof name !== "string") {
-            throw new ValidationError(`${ctx}: '${fieldName}' entries must be strings`);
-        }
-        if (!groupNames.includes(name)) {
-            throw new ValidationError(`${ctx}: group '${name}' in ${fieldName} is not defined in root 'groups'`);
-        }
-        if (seen.has(name)) {
-            throw new ValidationError(`${ctx}: duplicate group '${name}' in ${fieldName}`);
-        }
-        seen.add(name);
-    }
-}
-function validateConditionalGroups(config) {
-    if (config.conditionalGroups === undefined)
-        return;
-    if (!Array.isArray(config.conditionalGroups)) {
-        throw new ValidationError("conditionalGroups must be an array");
-    }
-    const rootCtx = buildRootSettingsContext(config);
-    const groupNames = config.groups ? Object.keys(config.groups) : [];
-    for (let i = 0; i < config.conditionalGroups.length; i++) {
-        const entry = config.conditionalGroups[i];
-        const ctx = `conditionalGroups[${i}]`;
-        // Validate 'when' clause
-        if (!entry.when || !isPlainObject(entry.when)) {
-            throw new ValidationError(`${ctx}: 'when' is required and must be an object`);
-        }
-        const { allOf, anyOf, noneOf } = entry.when;
-        if (!allOf && !anyOf && !noneOf) {
-            throw new ValidationError(`${ctx}: 'when' must have at least one of 'allOf', 'anyOf', or 'noneOf'`);
-        }
-        if (allOf !== undefined) {
-            validateGroupRefArray(allOf, "allOf", ctx, groupNames);
-        }
-        if (anyOf !== undefined) {
-            validateGroupRefArray(anyOf, "anyOf", ctx, groupNames);
-        }
-        if (noneOf !== undefined) {
-            validateGroupRefArray(noneOf, "noneOf", ctx, groupNames);
-        }
-        // Cross-operator overlap: noneOf must not share groups with allOf or anyOf
-        if (noneOf) {
-            const noneOfSet = new Set(noneOf);
-            if (allOf) {
-                for (const g of allOf) {
-                    if (noneOfSet.has(g)) {
-                        throw new ValidationError(`${ctx}: noneOf group '${g}' overlaps with allOf (contradictory condition)`);
-                    }
-                }
-            }
-            if (anyOf) {
-                for (const g of anyOf) {
-                    if (noneOfSet.has(g)) {
-                        throw new ValidationError(`${ctx}: noneOf group '${g}' overlaps with anyOf (contradictory condition)`);
-                    }
-                }
-            }
-        }
-        // Validate files
-        if (entry.files) {
-            for (const [fileName, fileConfig] of Object.entries(entry.files)) {
-                if (fileName === "inherit")
-                    continue;
-                if (fileConfig === false)
-                    continue;
-                if (fileConfig === undefined)
-                    continue;
-                validateFileConfigFields(fileConfig, fileName, `${ctx}:`);
-            }
-        }
-        // Validate settings
-        if (entry.settings !== undefined) {
-            validateSettings(entry.settings, ctx, rootCtx);
-        }
-    }
-}
-function validateRepoGitField(repo, index) {
-    if (!repo.git) {
-        throw new ValidationError(`Repo at index ${index} missing required field: git`);
-    }
-    if (Array.isArray(repo.git) && repo.git.length === 0) {
-        throw new ValidationError(`Repo at index ${index} has empty git array`);
-    }
-    return getGitDisplayName(repo.git);
-}
-function validateRepoOrigins(config, repo, repoLabel) {
-    if (repo.upstream !== undefined && repo.source !== undefined) {
-        throw new ValidationError(`Repo ${repoLabel}: 'upstream' and 'source' are mutually exclusive. ` +
-            `Use 'upstream' to fork, or 'source' to migrate, not both.`);
-    }
-    if (repo.upstream !== undefined) {
-        if (typeof repo.upstream !== "string") {
-            throw new ValidationError(`Repo ${repoLabel}: 'upstream' must be a string`);
-        }
-        if (!isValidGitUrl(repo.upstream)) {
-            throw new ValidationError(`Repo ${repoLabel}: 'upstream' must be a valid git URL ` +
-                `(SSH: git@host:path or HTTPS: https://host/path)`);
-        }
-    }
-    if (repo.source !== undefined) {
-        if (typeof repo.source !== "string") {
-            throw new ValidationError(`Repo ${repoLabel}: 'source' must be a string`);
-        }
-        if (!isValidGitUrl(repo.source)) {
-            throw new ValidationError(`Repo ${repoLabel}: 'source' must be a valid git URL ` +
-                `(SSH: git@host:path or HTTPS: https://host/path)`);
-        }
-        if (isGitHubUrl(repo.source, config.githubHosts)) {
-            throw new ValidationError(`Repo ${repoLabel}: 'source' cannot be a GitHub URL. ` +
-                `Migration from GitHub is not supported. Currently supported sources: Azure DevOps`);
-        }
-    }
-}
-function validateRepoGroups(config, repo, index) {
-    if (repo.groups === undefined)
-        return;
-    if (!Array.isArray(repo.groups) ||
-        !repo.groups.every((g) => typeof g === "string")) {
-        throw new ValidationError(`Repo at index ${index}: groups must be an array of strings`);
-    }
-    const seen = new Set();
-    for (const groupName of repo.groups) {
-        if (!config.groups || !config.groups[groupName]) {
-            throw new ValidationError(`Repo at index ${index}: group '${groupName}' is not defined in root 'groups'`);
-        }
-        if (seen.has(groupName)) {
-            throw new ValidationError(`Repo at index ${index}: duplicate group '${groupName}'`);
-        }
-        seen.add(groupName);
-    }
-}
-function validateRepoFiles(config, repo, index, repoLabel) {
-    if (!repo.files)
-        return;
-    if (!isPlainObject(repo.files)) {
-        throw new ValidationError(`Repo at index ${index}: files must be an object`);
-    }
-    const knownFiles = new Set(config.files ? Object.keys(config.files) : []);
-    if (repo.groups && config.groups) {
-        const expandedGroups = expandRepoGroups(repo.groups, config.groups);
-        for (const groupName of expandedGroups) {
-            const group = config.groups[groupName];
-            if (group?.files) {
-                for (const fileName of Object.keys(group.files)) {
-                    if (fileName !== "inherit")
-                        knownFiles.add(fileName);
-                }
-            }
-        }
-    }
-    if (config.conditionalGroups) {
-        for (const cg of config.conditionalGroups) {
-            if (cg.files) {
-                for (const fileName of Object.keys(cg.files)) {
-                    if (fileName !== "inherit")
-                        knownFiles.add(fileName);
-                }
-            }
-        }
-    }
-    for (const fileName of Object.keys(repo.files)) {
-        if (fileName === "inherit") {
-            const inheritValue = repo.files.inherit;
-            if (typeof inheritValue !== "boolean") {
-                throw new ValidationError(`Repo at index ${index}: files.inherit must be a boolean`);
-            }
-            continue;
-        }
-        if (!knownFiles.has(fileName)) {
-            const fileEntry = repo.files[fileName];
-            const isStandaloneDefinition = fileEntry != null &&
-                fileEntry !== false &&
-                typeof fileEntry === "object" &&
-                "content" in fileEntry &&
-                fileEntry.content !== undefined &&
-                fileEntry.content !== null;
-            if (!isStandaloneDefinition) {
-                throw new ValidationError(`Repo at index ${index} references undefined file '${fileName}'. File must be defined in root 'files' object or in a referenced group, or provide content inline.`);
-            }
-            validateFileName(fileName);
-        }
-        const fileOverride = repo.files[fileName];
-        if (fileOverride === false) {
-            continue;
-        }
-        if (fileOverride.override && !fileOverride.content) {
-            throw new ValidationError(`Repo ${repoLabel} has override: true for file '${fileName}' but no content defined. ` +
-                `Use content: "" for an empty text file override, or content: {} for an empty JSON/YAML override.`);
-        }
-        validateFileConfigFields(fileOverride, fileName, `Repo ${repoLabel}:`);
-    }
-}
-function enrichSettingsContext(rootCtx, settings) {
-    if (!settings)
-        return;
-    if (settings.rulesets) {
-        for (const name of Object.keys(settings.rulesets)) {
-            if (name !== "inherit")
-                rootCtx.rulesetNames.push(name);
-        }
-    }
-    if (settings.labels) {
-        for (const name of Object.keys(settings.labels)) {
-            if (name !== "inherit")
-                rootCtx.labelNames.push(name);
-        }
-    }
-    if (settings.repo !== undefined && settings.repo !== false) {
-        rootCtx.hasRepoSettings = true;
-    }
-    if (settings.codeScanning !== undefined && settings.codeScanning !== false) {
-        rootCtx.hasCodeScanningSettings = true;
-    }
-}
-function validateRepoSettingsEntry(config, repo, repoLabel) {
-    if (repo.settings === undefined)
-        return;
-    const rootCtx = buildRootSettingsContext(config);
-    if (repo.groups && config.groups) {
-        const expandedGroups = expandRepoGroups(repo.groups, config.groups);
-        for (const groupName of expandedGroups) {
-            enrichSettingsContext(rootCtx, config.groups[groupName]?.settings);
-        }
-    }
-    if (config.conditionalGroups) {
-        for (const cg of config.conditionalGroups) {
-            enrichSettingsContext(rootCtx, cg.settings);
-        }
-    }
-    validateSettings(repo.settings, `Repo ${repoLabel}`, rootCtx);
-}
-function validateRepoEntry(config, repo, index) {
-    const repoLabel = validateRepoGitField(repo, index);
-    validateRepoOrigins(config, repo, repoLabel);
-    validateRepoGroups(config, repo, index);
-    validateRepoFiles(config, repo, index, repoLabel);
-    validateRepoSettingsEntry(config, repo, repoLabel);
-}
 function hasGroupFiles(config) {
     return (isPlainObject(config.groups) &&
         Object.values(config.groups).some((g) => g.files &&
@@ -678,9 +89,13 @@ function hasConditionalGroupFiles(config) {
         config.conditionalGroups.some((cg) => cg.files &&
             Object.keys(cg.files).filter((k) => k !== "inherit" && cg.files[k] !== false).length > 0));
 }
-function hasConditionalGroupSettings(config, predicate) {
+function hasConditionalGroupSettingsPresent(config) {
+    return (Array.isArray(config.conditionalGroups) &&
+        config.conditionalGroups.some((cg) => cg.settings && isPlainObject(cg.settings)));
+}
+function hasConditionalGroupSettingsActionable(config) {
     return (Array.isArray(config.conditionalGroups) &&
-        config.conditionalGroups.some((cg) => cg.settings && predicate(cg.settings)));
+        config.conditionalGroups.some((cg) => cg.settings && hasActionableSettings(cg.settings)));
 }
 function hasConditionalGroupPR(config) {
     return (Array.isArray(config.conditionalGroups) &&
@@ -698,17 +113,20 @@ export function validateRawConfig(config) {
     const hasGrpSettings = isPlainObject(config.groups) &&
         Object.values(config.groups).some((g) => g.settings && isPlainObject(g.settings));
     const hasCondGrpFiles = hasConditionalGroupFiles(config);
-    const hasCondGrpSettings = hasConditionalGroupSettings(config, isPlainObject);
+    const hasCondGrpSettings = hasConditionalGroupSettingsPresent(config);
     const hasCondGrpPR = hasConditionalGroupPR(config);
+    const hasSecrets = isPlainObject(config.secrets) && Object.keys(config.secrets).length > 0;
     if (!hasFiles &&
         !hasSettings &&
         !hasGrpFiles &&
         !hasGrpSettings &&
         !hasCondGrpFiles &&
         !hasCondGrpSettings &&
-        !hasCondGrpPR) {
-        throw new ValidationError("Config requires at least one of: 'files' or 'settings'. " +
-            "Use 'files' to sync configuration files, or 'settings' to manage repository settings.");
+        !hasCondGrpPR &&
+        !hasSecrets) {
+        throw new ValidationError("Config requires at least one of: 'files', 'settings', or 'secrets'. " +
+            "Use 'files' to sync configuration files, 'settings' to manage repository settings, " +
+            "or 'secrets' to manage GitHub Actions secrets.");
     }
     validateRootFiles(config);
     if (config.deleteOrphaned !== undefined &&
@@ -727,9 +145,6 @@ export function validateRawConfig(config) {
         validateRepoEntry(config, config.repos[i], i);
     }
 }
-// =============================================================================
-// Command-Specific Validators
-// =============================================================================
 /**
  * Validates that config is suitable for the sync command.
  * @throws ValidationError if neither files nor settings are present
@@ -742,7 +157,7 @@ export function validateForSync(config) {
     const hasGroupSettings = isPlainObject(config.groups) &&
         Object.values(config.groups).some((g) => g.settings && hasActionableSettings(g.settings));
     const hasCondGrpFiles = hasConditionalGroupFiles(config);
-    const hasCondGrpSettings = hasConditionalGroupSettings(config, hasActionableSettings);
+    const hasCondGrpSettings = hasConditionalGroupSettingsActionable(config);
     const hasCondGrpPR = hasConditionalGroupPR(config);
     if (!hasRootFiles &&
         !hasGrpFiles &&
@@ -752,13 +167,113 @@ export function validateForSync(config) {
         !hasCondGrpFiles &&
         !hasCondGrpSettings &&
         !hasCondGrpPR) {
-        throw new ValidationError("Config requires at least one of: 'files' or 'settings'. " +
-            "Use 'files' to sync configuration files, or 'settings' to manage repository settings.");
+        throw new ValidationError("Config requires at least one of: 'files' or 'settings' (rulesets, labels, variables, repo config). " +
+            "Use 'files' to sync configuration files, or 'settings' to manage repository settings. " +
+            "For secrets, use 'xfg secrets sync'.");
+    }
+    // Validate variable names across all settings
+    const allSettings = [
+        config.settings,
+        ...config.repos.map((r) => r.settings),
+        ...Object.values(config.groups ?? {}).map((g) => g.settings),
+        ...(config.conditionalGroups ?? []).map((cg) => cg.settings),
+    ];
+    for (const settings of allSettings) {
+        if (!settings?.variables)
+            continue;
+        const vars = settings.variables;
+        if (vars.deleteOrphaned !== undefined &&
+            typeof vars.deleteOrphaned !== "boolean") {
+            throw new ValidationError("variables.deleteOrphaned must be a boolean");
+        }
+        if (vars.inherit !== undefined && typeof vars.inherit !== "boolean") {
+            throw new ValidationError("variables.inherit must be a boolean");
+        }
+        for (const [name, value] of Object.entries(vars)) {
+            if (VARIABLE_RESERVED_KEYS.has(name))
+                continue;
+            validateVariableName(name);
+            if (value !== false && typeof value !== "string") {
+                throw new ValidationError(`Variable '${name}' must have a string value (got ${typeof value}). Quote numeric values in YAML: "${String(value)}".`);
+            }
+        }
+        // Reject duplicate case-insensitive variable names
+        const seenVarNames = new Map();
+        for (const name of Object.keys(settings.variables)) {
+            if (VARIABLE_RESERVED_KEYS.has(name))
+                continue;
+            const upper = name.toUpperCase();
+            const existing = seenVarNames.get(upper);
+            if (existing) {
+                throw new ValidationError(`Duplicate variable name: '${name}' and '${existing}' collide (GitHub treats variable names case-insensitively).`);
+            }
+            seenVarNames.set(upper, name);
+        }
+    }
+    // Validate secret names and configs
+    validateSecretsConfig(config);
+    // Cross-validate: no overlap between global secret names and variable names
+    validateVariableSecretOverlaps(config);
+}
+export function validateVariableSecretOverlaps(config) {
+    if (!config.secrets)
+        return;
+    const { deleteOrphaned: _, ...secretEntries } = config.secrets;
+    // GitHub treats secret/variable names case-insensitively for collision purposes
+    const secretNames = new Set(Object.keys(secretEntries)
+        .filter((k) => typeof secretEntries[k] !== "boolean")
+        .map((n) => n.toUpperCase()));
+    if (secretNames.size === 0)
+        return;
+    // Check root-level variables
+    if (config.settings?.variables) {
+        const { deleteOrphaned: _rd, inherit: _ri, ...rootVarEntries } = config.settings.variables;
+        const rootVariableNames = Object.keys(rootVarEntries).filter((k) => typeof rootVarEntries[k] !== "boolean");
+        const overlapping = rootVariableNames.filter((n) => secretNames.has(n.toUpperCase()));
+        if (overlapping.length > 0) {
+            throw new ValidationError(`${overlapping.join(", ")} overlap between root variables and secrets. ` +
+                "GitHub does not allow variables and secrets with the same name.");
+        }
+    }
+    for (const repo of config.repos) {
+        const { deleteOrphaned: _d, inherit: _i, ...varEntries } = (repo.settings?.variables ?? {});
+        const variableNames = Object.keys(varEntries).filter((k) => typeof varEntries[k] !== "boolean");
+        const overlapping = variableNames.filter((n) => secretNames.has(n.toUpperCase()));
+        if (overlapping.length > 0) {
+            throw new ValidationError(`Repo '${repo.git}': ${overlapping.join(", ")} overlap between variables and secrets. ` +
+                "GitHub does not allow variables and secrets with the same name.");
+        }
+    }
+    // Check group-level variables
+    if (isPlainObject(config.groups)) {
+        for (const [groupName, group] of Object.entries(config.groups)) {
+            if (!group.settings?.variables)
+                continue;
+            const { deleteOrphaned: _gd, inherit: _gi, ...groupVarEntries } = group.settings.variables;
+            const groupVariableNames = Object.keys(groupVarEntries).filter((k) => typeof groupVarEntries[k] !== "boolean");
+            const overlapping = groupVariableNames.filter((n) => secretNames.has(n.toUpperCase()));
+            if (overlapping.length > 0) {
+                throw new ValidationError(`Group '${groupName}': ${overlapping.join(", ")} overlap between variables and secrets. ` +
+                    "GitHub does not allow variables and secrets with the same name.");
+            }
+        }
+    }
+    // Check conditional group-level variables
+    if (Array.isArray(config.conditionalGroups)) {
+        for (let i = 0; i < config.conditionalGroups.length; i++) {
+            const cg = config.conditionalGroups[i];
+            if (!cg.settings?.variables)
+                continue;
+            const { deleteOrphaned: _cd, inherit: _ci, ...cgVarEntries } = cg.settings.variables;
+            const cgVariableNames = Object.keys(cgVarEntries).filter((k) => typeof cgVarEntries[k] !== "boolean");
+            const overlapping = cgVariableNames.filter((n) => secretNames.has(n.toUpperCase()));
+            if (overlapping.length > 0) {
+                throw new ValidationError(`Conditional group ${i}: ${overlapping.join(", ")} overlap between variables and secrets. ` +
+                    "GitHub does not allow variables and secrets with the same name.");
+            }
+        }
     }
 }
-/**
- * Checks if settings contain actionable configuration.
- */
 export function hasActionableSettings(settings) {
     if (!settings)
         return false;
@@ -773,8 +288,66 @@ export function hasActionableSettings(settings) {
         Object.keys(settings.labels).filter((k) => k !== "inherit").length > 0) {
         return true;
     }
-    if (settings.codeScanning && typeof settings.codeScanning === "object") {
+    if (settings.codeScanning) {
         return true;
     }
+    if (settings.variables) {
+        const { deleteOrphaned, inherit: _i, ...entries } = settings.variables;
+        if (Object.keys(entries).length > 0 || deleteOrphaned === true) {
+            return true;
+        }
+    }
     return false;
 }
+export function validateVariableName(name) {
+    if (!VARIABLE_NAME_PATTERN.test(name)) {
+        throw new ValidationError(`Variable name '${name}' contains invalid characters. Only alphanumeric and underscore allowed.`);
+    }
+    if (name.startsWith("GITHUB_")) {
+        throw new ValidationError(`Variable name '${name}' cannot start with 'GITHUB_' (reserved prefix).`);
+    }
+}
+export function validateSecretName(name) {
+    if (!VARIABLE_NAME_PATTERN.test(name)) {
+        throw new ValidationError(`Secret name '${name}' contains invalid characters. Only alphanumeric and underscore allowed.`);
+    }
+    if (name.startsWith("GITHUB_")) {
+        throw new ValidationError(`Secret name '${name}' cannot start with 'GITHUB_' (reserved prefix).`);
+    }
+}
+function validateSecretEntry(name, config) {
+    validateSecretName(name);
+    if (!config.env || typeof config.env !== "string") {
+        throw new ValidationError(`Secret '${name}' requires an 'env' field (string) specifying the environment variable source.`);
+    }
+}
+export function validateSecretsConfig(config) {
+    if (!config.secrets)
+        return;
+    const { deleteOrphaned, ...entries } = config.secrets;
+    // Reject 'deleteOrphaned' used as a secret name (it's a reserved peer key)
+    if (deleteOrphaned !== undefined && typeof deleteOrphaned !== "boolean") {
+        throw new ValidationError("'deleteOrphaned' is a reserved key in secrets config and cannot be used as a secret name.");
+    }
+    // Reject boolean true — only false (opt-out) is valid
+    for (const [name, value] of Object.entries(entries)) {
+        if (value === true) {
+            throw new ValidationError(`Secret '${name}' is set to true, which is not valid. Use false to opt out, or provide a SecretConfig object.`);
+        }
+    }
+    // Reject duplicate case-insensitive secret names
+    const seen = new Map();
+    for (const name of Object.keys(entries)) {
+        const upper = name.toUpperCase();
+        const existing = seen.get(upper);
+        if (existing) {
+            throw new ValidationError(`Duplicate secret name: '${name}' and '${existing}' collide (GitHub treats secret names case-insensitively).`);
+        }
+        seen.set(upper, name);
+    }
+    for (const [name, value] of Object.entries(entries)) {
+        if (typeof value === "boolean")
+            continue;
+        validateSecretEntry(name, value);
+    }
+}