@aspruyt/xfg 6.2.0 → 6.4.0

package/dist/config/types.d.ts

@@ -7,6 +7,7 @@ export interface PRMergeOptions {
     deleteBranch?: boolean;
     bypassReason?: string;
     labels?: string[];
+    branch?: string;
 }
 export type RulesetTarget = "branch" | "tag";
 export type RulesetEnforcement = "active" | "disabled" | "evaluate";
@@ -267,6 +268,9 @@ export interface CodeScanningSettings {
     querySuite?: CodeScanningQuerySuite;
     languages?: CodeScanningLanguage[];
 }
+export interface SecretConfig {
+    env: string;
+}
 export interface RepoSettings {
     /** GitHub rulesets keyed by name */
     rulesets?: Record<string, Ruleset>;
@@ -276,6 +280,10 @@ export interface RepoSettings {
     labels?: Record<string, Label>;
     /** GitHub code scanning default setup */
     codeScanning?: CodeScanningSettings;
+    /** GitHub Actions variables keyed by name */
+    variables?: Record<string, string> & {
+        deleteOrphaned?: boolean;
+    };
     deleteOrphaned?: boolean;
 }
 export type ContentValue = Record<string, unknown> | string | string[];
@@ -336,6 +344,9 @@ export interface RawRootSettings {
     repo?: GitHubRepoSettings | false;
     labels?: Record<string, Label | false>;
     codeScanning?: CodeScanningSettings | false;
+    variables?: Record<string, string | false> & {
+        deleteOrphaned?: boolean;
+    };
     deleteOrphaned?: boolean;
 }
 export interface RawRepoSettings {
@@ -347,6 +358,10 @@ export interface RawRepoSettings {
         inherit?: boolean;
     };
     codeScanning?: CodeScanningSettings | false;
+    variables?: Record<string, string | false> & {
+        inherit?: boolean;
+        deleteOrphaned?: boolean;
+    };
     deleteOrphaned?: boolean;
 }
 export interface RawRepoConfig {
@@ -373,6 +388,9 @@ export interface RawConfig {
     githubHosts?: string[];
     deleteOrphaned?: boolean;
     settings?: RawRootSettings;
+    secrets?: Record<string, SecretConfig | boolean> & {
+        deleteOrphaned?: boolean;
+    };
 }
 export interface FileContent {
     fileName: string;
@@ -402,5 +420,8 @@ export interface Config {
     githubHosts?: string[];
     deleteOrphaned?: boolean;
     settings?: RepoSettings;
+    secrets?: Record<string, SecretConfig | boolean> & {
+        deleteOrphaned?: boolean;
+    };
 }
 export {};

package/dist/config/validator.d.ts

@@ -9,4 +9,8 @@ export declare function validateRawConfig(config: RawConfig): void;
  * @throws ValidationError if neither files nor settings are present
  */
 export declare function validateForSync(config: RawConfig): void;
+export declare function validateVariableSecretOverlaps(config: RawConfig): void;
 export declare function hasActionableSettings(settings: RawRootSettings | RawRepoSettings | undefined): boolean;
+export declare function validateVariableName(name: string): void;
+export declare function validateSecretName(name: string): void;
+export declare function validateSecretsConfig(config: RawConfig): void;

package/dist/config/validator.js

@@ -1,10 +1,13 @@
 import { validateFileName } from "./validators/file-validator.js";
 import { isPlainObject } from "../shared/type-guards.js";
 import { ValidationError } from "../shared/errors.js";
+import { validateBranchName } from "../shared/branch-validation.js";
 import { validateFileConfigFields, validateSettings, } from "./validators/shared.js";
 import { validateGroups, validateConditionalGroups, } from "./validators/group-validator.js";
 import { validateRepoEntry } from "./validators/repo-entry-validator.js";
 const CONFIG_ID_PATTERN = /^[a-zA-Z0-9_-]+$/;
+const VARIABLE_NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;
+const VARIABLE_RESERVED_KEYS = new Set(["deleteOrphaned", "inherit"]);
 const CONFIG_ID_MAX_LENGTH = 64;
 function validateConfigId(config) {
     if (!config.id || typeof config.id !== "string") {
@@ -42,6 +45,9 @@ function validateRootSettings(config) {
     if (config.settings.labels && "inherit" in config.settings.labels) {
         throw new ValidationError("'inherit' is a reserved key and cannot be used as a label name");
     }
+    if (config.settings.variables && "inherit" in config.settings.variables) {
+        throw new ValidationError("'inherit' is not allowed in root-level variables (nothing to inherit from)");
+    }
 }
 function validateGithubHosts(config) {
     if (config.githubHosts === undefined)
@@ -63,6 +69,9 @@ function validateGithubHosts(config) {
     }
 }
 function validatePrOptions(config) {
+    if (config.prOptions?.branch !== undefined) {
+        validateBranchName(config.prOptions.branch);
+    }
     if (config.prOptions?.labels === undefined)
         return;
     if (!Array.isArray(config.prOptions.labels)) {
@@ -110,15 +119,18 @@ export function validateRawConfig(config) {
     const hasCondGrpFiles = hasConditionalGroupFiles(config);
     const hasCondGrpSettings = hasConditionalGroupSettingsPresent(config);
     const hasCondGrpPR = hasConditionalGroupPR(config);
+    const hasSecrets = isPlainObject(config.secrets) && Object.keys(config.secrets).length > 0;
     if (!hasFiles &&
         !hasSettings &&
         !hasGrpFiles &&
         !hasGrpSettings &&
         !hasCondGrpFiles &&
         !hasCondGrpSettings &&
-        !hasCondGrpPR) {
-        throw new ValidationError("Config requires at least one of: 'files' or 'settings'. " +
-            "Use 'files' to sync configuration files, or 'settings' to manage repository settings.");
+        !hasCondGrpPR &&
+        !hasSecrets) {
+        throw new ValidationError("Config requires at least one of: 'files', 'settings', or 'secrets'. " +
+            "Use 'files' to sync configuration files, 'settings' to manage repository settings, " +
+            "or 'secrets' to manage GitHub Actions secrets.");
     }
     validateRootFiles(config);
     if (config.deleteOrphaned !== undefined &&
@@ -159,8 +171,111 @@ export function validateForSync(config) {
         !hasCondGrpFiles &&
         !hasCondGrpSettings &&
         !hasCondGrpPR) {
-        throw new ValidationError("Config requires at least one of: 'files' or 'settings'. " +
-            "Use 'files' to sync configuration files, or 'settings' to manage repository settings.");
+        throw new ValidationError("Config requires at least one of: 'files' or 'settings' (rulesets, labels, variables, repo config). " +
+            "Use 'files' to sync configuration files, or 'settings' to manage repository settings. " +
+            "For secrets, use 'xfg secrets sync'.");
+    }
+    // Validate variable names across all settings
+    const allSettings = [
+        config.settings,
+        ...config.repos.map((r) => r.settings),
+        ...Object.values(config.groups ?? {}).map((g) => g.settings),
+        ...(config.conditionalGroups ?? []).map((cg) => cg.settings),
+    ];
+    for (const settings of allSettings) {
+        if (!settings?.variables)
+            continue;
+        const vars = settings.variables;
+        if (vars.deleteOrphaned !== undefined &&
+            typeof vars.deleteOrphaned !== "boolean") {
+            throw new ValidationError("variables.deleteOrphaned must be a boolean");
+        }
+        if (vars.inherit !== undefined && typeof vars.inherit !== "boolean") {
+            throw new ValidationError("variables.inherit must be a boolean");
+        }
+        for (const [name, value] of Object.entries(vars)) {
+            if (VARIABLE_RESERVED_KEYS.has(name))
+                continue;
+            validateVariableName(name);
+            if (value !== false && typeof value !== "string") {
+                throw new ValidationError(`Variable '${name}' must have a string value (got ${typeof value}). Quote numeric values in YAML: "${String(value)}".`);
+            }
+        }
+        // Reject duplicate case-insensitive variable names
+        const seenVarNames = new Map();
+        for (const name of Object.keys(settings.variables)) {
+            if (VARIABLE_RESERVED_KEYS.has(name))
+                continue;
+            const upper = name.toUpperCase();
+            const existing = seenVarNames.get(upper);
+            if (existing) {
+                throw new ValidationError(`Duplicate variable name: '${name}' and '${existing}' collide (GitHub treats variable names case-insensitively).`);
+            }
+            seenVarNames.set(upper, name);
+        }
+    }
+    // Validate secret names and configs
+    validateSecretsConfig(config);
+    // Cross-validate: no overlap between global secret names and variable names
+    validateVariableSecretOverlaps(config);
+}
+export function validateVariableSecretOverlaps(config) {
+    if (!config.secrets)
+        return;
+    const { deleteOrphaned: _, ...secretEntries } = config.secrets;
+    // GitHub treats secret/variable names case-insensitively for collision purposes
+    const secretNames = new Set(Object.keys(secretEntries)
+        .filter((k) => typeof secretEntries[k] !== "boolean")
+        .map((n) => n.toUpperCase()));
+    if (secretNames.size === 0)
+        return;
+    // Check root-level variables
+    if (config.settings?.variables) {
+        const { deleteOrphaned: _rd, inherit: _ri, ...rootVarEntries } = config.settings.variables;
+        const rootVariableNames = Object.keys(rootVarEntries).filter((k) => typeof rootVarEntries[k] !== "boolean");
+        const overlapping = rootVariableNames.filter((n) => secretNames.has(n.toUpperCase()));
+        if (overlapping.length > 0) {
+            throw new ValidationError(`${overlapping.join(", ")} overlap between root variables and secrets. ` +
+                "GitHub does not allow variables and secrets with the same name.");
+        }
+    }
+    for (const repo of config.repos) {
+        const { deleteOrphaned: _d, inherit: _i, ...varEntries } = (repo.settings?.variables ?? {});
+        const variableNames = Object.keys(varEntries).filter((k) => typeof varEntries[k] !== "boolean");
+        const overlapping = variableNames.filter((n) => secretNames.has(n.toUpperCase()));
+        if (overlapping.length > 0) {
+            throw new ValidationError(`Repo '${repo.git}': ${overlapping.join(", ")} overlap between variables and secrets. ` +
+                "GitHub does not allow variables and secrets with the same name.");
+        }
+    }
+    // Check group-level variables
+    if (isPlainObject(config.groups)) {
+        for (const [groupName, group] of Object.entries(config.groups)) {
+            if (!group.settings?.variables)
+                continue;
+            const { deleteOrphaned: _gd, inherit: _gi, ...groupVarEntries } = group.settings.variables;
+            const groupVariableNames = Object.keys(groupVarEntries).filter((k) => typeof groupVarEntries[k] !== "boolean");
+            const overlapping = groupVariableNames.filter((n) => secretNames.has(n.toUpperCase()));
+            if (overlapping.length > 0) {
+                throw new ValidationError(`Group '${groupName}': ${overlapping.join(", ")} overlap between variables and secrets. ` +
+                    "GitHub does not allow variables and secrets with the same name.");
+            }
+        }
+    }
+    // Check conditional group-level variables
+    if (Array.isArray(config.conditionalGroups)) {
+        for (let i = 0; i < config.conditionalGroups.length; i++) {
+            const cg = config.conditionalGroups[i];
+            if (!cg.settings?.variables)
+                continue;
+            const { deleteOrphaned: _cd, inherit: _ci, ...cgVarEntries } = cg.settings.variables;
+            const cgVariableNames = Object.keys(cgVarEntries).filter((k) => typeof cgVarEntries[k] !== "boolean");
+            const overlapping = cgVariableNames.filter((n) => secretNames.has(n.toUpperCase()));
+            if (overlapping.length > 0) {
+                throw new ValidationError(`Conditional group ${i}: ${overlapping.join(", ")} overlap between variables and secrets. ` +
+                    "GitHub does not allow variables and secrets with the same name.");
+            }
+        }
     }
 }
 export function hasActionableSettings(settings) {
@@ -180,5 +295,63 @@ export function hasActionableSettings(settings) {
     if (settings.codeScanning) {
         return true;
     }
+    if (settings.variables) {
+        const { deleteOrphaned, inherit: _i, ...entries } = settings.variables;
+        if (Object.keys(entries).length > 0 || deleteOrphaned === true) {
+            return true;
+        }
+    }
     return false;
 }
+export function validateVariableName(name) {
+    if (!VARIABLE_NAME_PATTERN.test(name)) {
+        throw new ValidationError(`Variable name '${name}' contains invalid characters. Only alphanumeric and underscore allowed.`);
+    }
+    if (name.startsWith("GITHUB_")) {
+        throw new ValidationError(`Variable name '${name}' cannot start with 'GITHUB_' (reserved prefix).`);
+    }
+}
+export function validateSecretName(name) {
+    if (!VARIABLE_NAME_PATTERN.test(name)) {
+        throw new ValidationError(`Secret name '${name}' contains invalid characters. Only alphanumeric and underscore allowed.`);
+    }
+    if (name.startsWith("GITHUB_")) {
+        throw new ValidationError(`Secret name '${name}' cannot start with 'GITHUB_' (reserved prefix).`);
+    }
+}
+function validateSecretEntry(name, config) {
+    validateSecretName(name);
+    if (!config.env || typeof config.env !== "string") {
+        throw new ValidationError(`Secret '${name}' requires an 'env' field (string) specifying the environment variable source.`);
+    }
+}
+export function validateSecretsConfig(config) {
+    if (!config.secrets)
+        return;
+    const { deleteOrphaned, ...entries } = config.secrets;
+    // Reject 'deleteOrphaned' used as a secret name (it's a reserved peer key)
+    if (deleteOrphaned !== undefined && typeof deleteOrphaned !== "boolean") {
+        throw new ValidationError("'deleteOrphaned' is a reserved key in secrets config and cannot be used as a secret name.");
+    }
+    // Reject boolean true — only false (opt-out) is valid
+    for (const [name, value] of Object.entries(entries)) {
+        if (value === true) {
+            throw new ValidationError(`Secret '${name}' is set to true, which is not valid. Use false to opt out, or provide a SecretConfig object.`);
+        }
+    }
+    // Reject duplicate case-insensitive secret names
+    const seen = new Map();
+    for (const name of Object.keys(entries)) {
+        const upper = name.toUpperCase();
+        const existing = seen.get(upper);
+        if (existing) {
+            throw new ValidationError(`Duplicate secret name: '${name}' and '${existing}' collide (GitHub treats secret names case-insensitively).`);
+        }
+        seen.set(upper, name);
+    }
+    for (const [name, value] of Object.entries(entries)) {
+        if (typeof value === "boolean")
+            continue;
+        validateSecretEntry(name, value);
+    }
+}

package/dist/config/validators/group-validator.js

@@ -1,6 +1,7 @@
 import { resolveExtendsChain } from "../extends-resolver.js";
 import { isPlainObject } from "../../shared/type-guards.js";
 import { ValidationError } from "../../shared/errors.js";
+import { validateBranchName } from "../../shared/branch-validation.js";
 import { validateFileConfigFields, validateSettings, buildRootSettingsContext, } from "./shared.js";
 function validateGroupExtends(groupName, extends_, groupNames) {
     if (typeof extends_ === "string") {
@@ -102,6 +103,9 @@ export function validateGroups(config) {
         if (group.settings !== undefined) {
             validateSettings(group.settings, `groups.${groupName}`, rootCtx);
         }
+        if (group.prOptions?.branch !== undefined) {
+            validateBranchName(group.prOptions.branch);
+        }
     }
     validateNoCircularExtends(config.groups);
 }
@@ -163,5 +167,8 @@ export function validateConditionalGroups(config) {
         if (entry.settings !== undefined) {
             validateSettings(entry.settings, ctx, rootCtx);
         }
+        if (entry.prOptions?.branch !== undefined) {
+            validateBranchName(entry.prOptions.branch);
+        }
     }
 }

package/dist/config/validators/repo-entry-validator.js

@@ -3,6 +3,7 @@ import { validateFileName } from "./file-validator.js";
 import { isPlainObject } from "../../shared/type-guards.js";
 import { escapeRegExp } from "../../shared/regex-utils.js";
 import { ValidationError } from "../../shared/errors.js";
+import { validateBranchName } from "../../shared/branch-validation.js";
 import { validateFileConfigFields, validateSettings, buildRootSettingsContext, enrichSettingsContext, } from "./shared.js";
 function isValidGitUrl(url) {
     return /^git@[^:]+:.+$/.test(url) || /^https?:\/\/[^/]+\/.+$/.test(url);
@@ -156,10 +157,16 @@ function validateRepoSettingsEntry(config, repo, repoLabel) {
     }
     validateSettings(repo.settings, `Repo ${repoLabel}`, rootCtx);
 }
+function validateRepoPrOptions(repo) {
+    if (repo.prOptions?.branch !== undefined) {
+        validateBranchName(repo.prOptions.branch);
+    }
+}
 export function validateRepoEntry(config, repo, index) {
     const repoLabel = validateRepoGitField(repo, index);
     validateRepoOrigins(config, repo, repoLabel);
     validateRepoGroups(config, repo, index);
     validateRepoFiles(config, repo, index, repoLabel);
     validateRepoSettingsEntry(config, repo, repoLabel);
+    validateRepoPrOptions(repo);
 }

package/dist/output/settings-report.d.ts

@@ -17,6 +17,11 @@ export interface SettingsReport {
             update: number;
             delete: number;
         };
+        variables?: {
+            create: number;
+            update: number;
+            delete: number;
+        };
     };
 }
 export interface RepoChanges {
@@ -24,6 +29,12 @@ export interface RepoChanges {
     settings: SettingChange[];
     rulesets: RulesetChange[];
     labels: LabelChange[];
+    variables?: {
+        name: string;
+        action: ActiveAction;
+        oldValue?: string;
+        newValue?: string;
+    }[];
     error?: string;
 }
 export interface SettingChange {

package/dist/output/settings-report.js

@@ -90,6 +90,13 @@ function formatSettingsSummary(totals) {
     ]);
     if (labelsEntry)
         parts.push(labelsEntry);
+    const variablesEntry = formatCountEntry("variable", "variables", [
+        { label: "to create", value: totals.variables?.create ?? 0 },
+        { label: "to update", value: totals.variables?.update ?? 0 },
+        { label: "to delete", value: totals.variables?.delete ?? 0 },
+    ]);
+    if (variablesEntry)
+        parts.push(variablesEntry);
     if (parts.length === 0) {
         return "No changes";
     }
@@ -112,6 +119,7 @@ export function formatSettingsReportCLI(report) {
         if (repo.settings.length === 0 &&
             repo.rulesets.length === 0 &&
             repo.labels.length === 0 &&
+            (repo.variables ?? []).length === 0 &&
             !repo.error) {
             continue;
         }
@@ -231,6 +239,21 @@ export function renderRepoSettingsDiffLines(repo, diffLines) {
             diffLines.push(`- label "${label.name}"`);
         }
     }
+    // Blank line before variables if there was content above
+    if ((repo.variables ?? []).length > 0 && diffLines.length > startLength) {
+        diffLines.push("");
+    }
+    for (const variable of repo.variables ?? []) {
+        if (variable.action === "create") {
+            diffLines.push(`+ variable "${variable.name}": ${formatValuePlain(variable.newValue)}`);
+        }
+        else if (variable.action === "update") {
+            diffLines.push(`! variable "${variable.name}": ${formatValuePlain(variable.oldValue)} → ${formatValuePlain(variable.newValue)}`);
+        }
+        else if (variable.action === "delete") {
+            diffLines.push(`- variable "${variable.name}"`);
+        }
+    }
     if (repo.error) {
         diffLines.push(`- Error: ${repo.error}`);
     }
@@ -252,6 +275,7 @@ export function formatSettingsReportMarkdown(report, dryRun) {
         if (repo.settings.length === 0 &&
             repo.rulesets.length === 0 &&
             repo.labels.length === 0 &&
+            (repo.variables ?? []).length === 0 &&
             !repo.error) {
             continue;
         }

package/dist/secrets/encryption.d.ts

@@ -0,0 +1,9 @@
+export interface ISecretEncryptor {
+    encrypt(value: string, publicKeyBase64: string): Promise<string>;
+}
+export declare class SodiumEncryptor implements ISecretEncryptor {
+    private sodium;
+    private initPromise;
+    private ensureInitialized;
+    encrypt(value: string, publicKeyBase64: string): Promise<string>;
+}

package/dist/secrets/encryption.js

@@ -0,0 +1,29 @@
+export class SodiumEncryptor {
+    sodium;
+    initPromise = null;
+    ensureInitialized() {
+        if (!this.initPromise) {
+            this.initPromise = (async () => {
+                try {
+                    const sodium = await import("libsodium-wrappers");
+                    await sodium.default.ready;
+                    this.sodium = sodium.default;
+                }
+                catch {
+                    throw new Error("Failed to load libsodium-wrappers. Install it: npm install libsodium-wrappers");
+                }
+            })().catch((err) => {
+                this.initPromise = null;
+                throw err;
+            });
+        }
+        return this.initPromise.then(() => this.sodium);
+    }
+    async encrypt(value, publicKeyBase64) {
+        const sodium = await this.ensureInitialized();
+        const messageBytes = sodium.from_string(value);
+        const publicKey = sodium.from_base64(publicKeyBase64, sodium.base64_variants.ORIGINAL);
+        const encrypted = sodium.crypto_box_seal(messageBytes, publicKey);
+        return sodium.to_base64(encrypted, sodium.base64_variants.ORIGINAL);
+    }
+}

package/dist/secrets/github-secrets-strategy.d.ts

@@ -0,0 +1,17 @@
+import type { ICommandExecutor } from "../shared/command-executor.js";
+import { type RepoInfo } from "../repo/index.js";
+import { type GhApiOptions } from "../shared/gh-api-utils.js";
+import type { ISecretsStrategy, GitHubSecret, GitHubPublicKey } from "./types.js";
+interface GitHubSecretsStrategyOptions {
+    retries?: number;
+    cwd: string;
+}
+export declare class GitHubSecretsStrategy implements ISecretsStrategy {
+    private api;
+    constructor(executor: ICommandExecutor, options: GitHubSecretsStrategyOptions);
+    list(repoInfo: RepoInfo, options?: GhApiOptions): Promise<GitHubSecret[]>;
+    getPublicKey(repoInfo: RepoInfo, options?: GhApiOptions): Promise<GitHubPublicKey>;
+    upsert(repoInfo: RepoInfo, name: string, encryptedValue: string, keyId: string, options?: GhApiOptions): Promise<void>;
+    delete(repoInfo: RepoInfo, name: string, options?: GhApiOptions): Promise<void>;
+}
+export {};

package/dist/secrets/github-secrets-strategy.js

@@ -0,0 +1,38 @@
+import { assertGitHubRepo } from "../repo/index.js";
+import { GhApiClient } from "../shared/gh-api-utils.js";
+import { parseApiJson } from "../shared/json-utils.js";
+export class GitHubSecretsStrategy {
+    api;
+    constructor(executor, options) {
+        this.api = new GhApiClient(executor, options.retries ?? 3, options.cwd);
+    }
+    async list(repoInfo, options) {
+        assertGitHubRepo(repoInfo, "GitHub Secrets strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/actions/secrets`;
+        const result = await this.api.call("GET", endpoint, {
+            options,
+            paginate: true,
+        });
+        const response = parseApiJson(result, "secrets response");
+        return response.secrets ?? [];
+    }
+    async getPublicKey(repoInfo, options) {
+        assertGitHubRepo(repoInfo, "GitHub Secrets strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/actions/secrets/public-key`;
+        const result = await this.api.call("GET", endpoint, { options });
+        return parseApiJson(result, "public key response");
+    }
+    async upsert(repoInfo, name, encryptedValue, keyId, options) {
+        assertGitHubRepo(repoInfo, "GitHub Secrets strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/actions/secrets/${encodeURIComponent(name)}`;
+        await this.api.call("PUT", endpoint, {
+            payload: { encrypted_value: encryptedValue, key_id: keyId },
+            options,
+        });
+    }
+    async delete(repoInfo, name, options) {
+        assertGitHubRepo(repoInfo, "GitHub Secrets strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/actions/secrets/${encodeURIComponent(name)}`;
+        await this.api.call("DELETE", endpoint, { options });
+    }
+}

package/dist/secrets/index.d.ts

@@ -0,0 +1,5 @@
+export { SecretsProcessor } from "./processor.js";
+export type { SecretsProcessorOptions, SecretsProcessorResult, } from "./processor.js";
+export { GitHubSecretsStrategy } from "./github-secrets-strategy.js";
+export { SodiumEncryptor, type ISecretEncryptor } from "./encryption.js";
+export type { ISecretsStrategy, GitHubSecret, GitHubPublicKey, } from "./types.js";

package/dist/secrets/index.js

@@ -0,0 +1,3 @@
+export { SecretsProcessor } from "./processor.js";
+export { GitHubSecretsStrategy } from "./github-secrets-strategy.js";
+export { SodiumEncryptor } from "./encryption.js";

package/dist/secrets/processor.d.ts

@@ -0,0 +1,31 @@
+import { type RepoInfo } from "../repo/index.js";
+import type { ISecretsStrategy } from "./types.js";
+import type { ISecretEncryptor } from "./encryption.js";
+import type { IEnvResolver } from "../shared/env-resolver.js";
+import type { SecretConfig } from "../config/index.js";
+type SecretsConfig = Record<string, SecretConfig | boolean> & {
+    deleteOrphaned?: boolean;
+};
+export interface SecretsProcessorOptions {
+    dryRun?: boolean;
+    token?: string;
+    noDelete?: boolean;
+}
+export interface SecretsProcessorResult {
+    success: boolean;
+    repoName: string;
+    message: string;
+    skipped?: boolean;
+    dryRun?: boolean;
+    created: number;
+    updated: number;
+    deleted: number;
+}
+export declare class SecretsProcessor {
+    private readonly strategy;
+    private readonly encryptor;
+    private readonly envResolver;
+    constructor(strategy: ISecretsStrategy, encryptor: ISecretEncryptor, envResolver: IEnvResolver);
+    process(secretsConfig: SecretsConfig, repoInfo: RepoInfo, options: SecretsProcessorOptions): Promise<SecretsProcessorResult>;
+}
+export {};