@firestartr/cli 2.5.0-snapshot-1 → 2.5.0

package/README.md

@@ -9,7 +9,6 @@
 # requirements
 
 - terraform 1.6.2
-- cdktf-cli@0.19.0
 - lerna@7.4.1
 
 To install it, run the next commands:
@@ -21,7 +20,6 @@ mv terraform /usr/local/bin/;  \
 chmod a+x /usr/local/bin/terraform;  \
 rm -f terraform_1.6.2_linux_amd64.zip;  \
 terraform --version;  \
-npm install -g cdktf-cli@0.19.0; \
 npm install -g lerna@7.4.1; 
 ```
 

package/build/index.js

@@ -268553,12 +268553,7 @@ var envVars;
     envVars["s3Bucket"] = "S3_BUCKET";
     envVars["s3Lock"] = "S3_LOCK";
     envVars["s3Region"] = "S3_REGION";
-    // ---- CDKTF/LOCAL VARIABLES -----------------------------------------------
-    envVars["cdktfConfigFiles"] = "CDKTF_CONFIG_FILES";
     envVars["exclusionsYamlPath"] = "EXCLUSIONS_PATH";
-    envVars["cdktfEntityPath"] = "FIRESTARTR_CDKTF_ENTITY_PATH";
-    envVars["cdktfDepsPath"] = "FIRESTARTR_CDKTF_DEPS_PATH";
-    envVars["cdktfIsImport"] = "FIRESTARTR_CDKTF_IS_IMPORT";
     // ---- GITHUB APP VARIABLES -----------------------------------------------
     envVars["githubAppId"] = "GITHUB_APP_ID";
     envVars["githubAppInstallationId"] = "GITHUB_APP_INSTALLATION_ID";
@@ -268980,6 +268975,128 @@ class SimpleTokenizer {
     SimpleTokenizer,
 });
 
+;// CONCATENATED MODULE: ../catalog_common/src/codeowners/index.ts
+// Common CODEOWNERS machinery (pure TypeScript/data; NO IO, NO classes)
+// Strictly follows GitHub CODEOWNERS syntax.
+// Spec: see specs/common/001-common-codeowners-machinery/spec.md
+
+const OWNER_RE = /^@[\w.-]+(\/[\w.-]+)?$/;
+function codeowners_parse(raw) {
+    if (typeof raw !== 'string' || raw === '')
+        return [];
+    return raw.split(/\r?\n/).map((line) => {
+        const trimmed = line.trim();
+        if (trimmed === '') {
+            return { type: 'blank', raw: line };
+        }
+        if (/^#/.test(trimmed)) {
+            return { type: 'comment', raw: line };
+        }
+        // Rule line: parse pattern & owners structurally, no ref resolution
+        const tokens = trimmed.split(/\s+/);
+        const pattern = tokens[0];
+        const owners = tokens.slice(1);
+        return { type: 'rule', pattern, owners, raw: line };
+    });
+}
+function format(entries) {
+    let end = entries.length;
+    while (end > 0 && entries[end - 1].type === 'blank') {
+        end -= 1;
+    }
+    const lines = entries.slice(0, end).map((entry) => {
+        switch (entry.type) {
+            case 'blank':
+                return '';
+            case 'comment':
+                return entry.raw.trimEnd();
+            case 'rule': {
+                const owners = entry.owners ?? [];
+                return owners.length > 0
+                    ? `${entry.pattern} ${owners.join(' ')}`
+                    : `${entry.pattern}`;
+            }
+        }
+    });
+    return lines.join('\n') + '\n';
+}
+function codeowners_validate(raw) {
+    const errors = [];
+    const lines = raw.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (/^\s*$/.test(line))
+            continue;
+        if (/^\s*#/.test(line))
+            continue;
+        const tokens = line.trim().split(/\s+/);
+        const pattern = tokens[0];
+        const owners = tokens.slice(1);
+        if (!pattern) {
+            errors.push(`Line ${i + 1}: empty pattern`);
+            continue;
+        }
+        if (owners.length === 0) {
+            errors.push(`Line ${i + 1}: rule must have at least one owner`);
+            continue;
+        }
+        for (const owner of owners) {
+            if (!OWNER_RE.test(owner)) {
+                errors.push(`Line ${i + 1}: invalid owner '${owner}' (must be @username or @org/team-slug)`);
+            }
+        }
+        if (line.includes('#')) {
+            errors.push(`Line ${i + 1}: inline comments are not allowed`);
+        }
+    }
+    return { valid: errors.length === 0, errors };
+}
+function updateRule(entries, pattern, owners) {
+    const idx = entries.findIndex((e) => e.type === 'rule' && e.pattern === pattern);
+    const newEntry = {
+        type: 'rule',
+        pattern,
+        owners,
+        raw: `${pattern} ${owners.join(' ')}`,
+    };
+    if (idx >= 0) {
+        const result = [...entries];
+        result[idx] = newEntry;
+        return result;
+    }
+    return [...entries, newEntry];
+}
+function remove(entries, pattern) {
+    return entries.filter((e) => !(e.type === 'rule' && e.pattern === pattern));
+}
+function getOwners(entries) {
+    const owners = new Set();
+    for (const entry of entries) {
+        if (entry.type === 'rule' && entry.owners) {
+            for (const owner of entry.owners) {
+                owners.add(owner);
+            }
+        }
+    }
+    return [...owners];
+}
+function resolveRefs(raw, replacements) {
+    const tokenizer = new SimpleTokenizer(/\{\{\s*([\w./-]+)\s*\}\}/);
+    return tokenizer.replace(raw, (token) => {
+        const key = token.groups?.[0] ?? '';
+        return key in replacements ? replacements[key] : token.value;
+    });
+}
+/* harmony default export */ const codeowners = ({
+    parse: codeowners_parse,
+    format,
+    validate: codeowners_validate,
+    updateRule,
+    remove,
+    getOwners,
+    resolveRefs,
+});
+
 // EXTERNAL MODULE: ../../node_modules/cron-parser/dist/index.js
 var cron_parser_dist = __nccwpck_require__(98370);
 ;// CONCATENATED MODULE: ../catalog_common/src/cron.ts
@@ -269023,6 +269140,7 @@ function getCronNextInterval(cronLine, tz) {
 
 
 
+
 /* harmony default export */ const catalog_common = ({
     io: io,
     generic: generic,
@@ -269033,6 +269151,7 @@ function getCronNextInterval(cronLine, tz) {
     policies: policies,
     logger: logger_logger,
     tokenizer: tokenizer,
+    codeowners: codeowners,
     cron: {
         validateCron: validateCron,
         isValidCron: isValidCron,
@@ -290043,7 +290162,7 @@ class RepoGithubDecanter extends GithubDecanter {
         if (this.data.isEmpty) {
             const repoFullName = `${this.org}/${this.data.repoDetails.name}`;
             throw new Error(`The repo ${repoFullName} is empty - no commits, therefore CAN NOT be imported. ` +
-                'Create it with firestartr or fill it with some README.md or another initial file or code');
+                'Create it with Firestartr or fill it with some README.md or another initial file or code');
         }
     }
     constructor(data, org, githubTeams = {}) {
@@ -291151,6 +291270,27 @@ function definitions_getPluralFromKind(kind) {
     const plural = Object.keys(kindPluralMap).find((key) => kindPluralMap[key] === kind);
     return plural;
 }
+// ----------------------------------------------------
+// Operations, workitems and handlers definitions
+// ----------------------------------------------------
+/**
+ * Helper to extract the canonical identity (metadata.uid) from a WorkItem or its item.
+ *
+ * Use this helper when you need a stable identity key for WorkItems, e.g. for
+ * in-memory deferred-scheduling bookkeeping.
+ *
+ * Note: other subsystems may still use kind/namespace/name keys; this helper is
+ * specifically intended for UID-based WorkItem identity.
+ * Any future change to identity logic MUST be made here and nowhere else.
+ *
+ * Returns undefined if .metadata.uid is missing so scheduler/bookkeeping paths
+ * can safely short-circuit instead of throwing and aborting an entire pass.
+ */
+function getWorkItemIdentity(wi) {
+    // Support either .item.metadata.uid or direct .metadata.uid for future extensibility
+    const meta = wi.item && wi.item.metadata ? wi.item.metadata : wi.metadata;
+    return meta && meta.uid ? meta.uid : undefined;
+}
 var OperationType;
 (function (OperationType) {
     OperationType["RENAMED"] = "RENAMED";
@@ -293242,7 +293382,7 @@ async function* markedToDeletion(item, op, handler) {
             reason: op,
             type: 'PROVISIONED',
             status: 'False',
-            message: 'Synth CDKTF',
+            message: 'Synth',
         };
         yield {
             item,
@@ -293394,6 +293534,134 @@ function fdummies_fWait(ms) {
     });
 }
 
+;// CONCATENATED MODULE: ../operator/src/processItem.blocks.ts
+// processItem.blocks.ts
+// Responsible for all in-memory deferred-scheduling bookkeeping for blocked parent deletions.
+//
+// Always extract WorkItem identity for all in-memory maps and keys by calling
+// getWorkItemIdentity() from definitions.ts, and NOT by constructing your own key.
+// This ensures spec compliance and future maintainability.
+//
+// Does NOT detect "blocked" state (caller must supply outcome). Purely key/value scheduler-local state logic per spec.
+
+// Only use getWorkItemIdentity(item) for identity bookkeeping and maps.
+// --- Config: Deferral Policy ---
+/**
+ * Maximum number of blocked attempts allowed before an item is moved to the deferred segment.
+ * An item becomes deferred once its blocked-attempt count exceeds this value.
+ */
+const MAX_BLOCKED_ATTEMPTS_BEFORE_DEFER = 5;
+// Initial supported parent kind(s): extensible for future cases
+const SUPPORTED_PARENT_KINDS = new Set(['FirestartrGithubRepository']);
+// --- Bookkeeper Class ---
+/**
+ * Encapsulates all deferred-scheduling bookkeeping state for one scheduler queue.
+ * Instantiate once per queue (alongside processItemSlotsManager) inside loop().
+ */
+class DeferredSchedulingBookkeeper {
+    constructor() {
+        this._blockedAttempts = new Map();
+        this._deferredEntryOrder = new Map();
+        this._deferredOrderCounter = 0;
+    }
+    // --- Applicability Logic ---
+    /**
+     * Returns true only for supported parent kinds AND only for deletion operations.
+     * Per spec Definition 2: applicable when operation is MARKED_TO_DELETION,
+     * or RETRY with metadata.deletionTimestamp set.
+     */
+    isDeferredSchedulingApplicable(item) {
+        const kind = item.item && item.item.kind ? item.item.kind : item.kind;
+        if (!SUPPORTED_PARENT_KINDS.has(kind))
+            return false;
+        const op = item.operation;
+        if (op === OperationType.MARKED_TO_DELETION)
+            return true;
+        if (op === OperationType.RETRY && item.item?.metadata?.deletionTimestamp)
+            return true;
+        return false;
+    }
+    // --- Bookkeeping API ---
+    /**
+     * Increments block counter for item (only call when item has been detected as blocked).
+     * Returns new value. Promotes item to deferred segment if threshold crossed.
+     */
+    incrementBlockedAttempt(item) {
+        if (!this.isDeferredSchedulingApplicable(item))
+            return 0;
+        const id = getWorkItemIdentity(item);
+        if (id === undefined)
+            return 0;
+        const prev = this._blockedAttempts.get(id) || 0;
+        const next = prev + 1;
+        this._blockedAttempts.set(id, next);
+        if (next > MAX_BLOCKED_ATTEMPTS_BEFORE_DEFER &&
+            !this._deferredEntryOrder.has(id)) {
+            this._deferredEntryOrder.set(id, ++this._deferredOrderCounter);
+        }
+        return next;
+    }
+    getBlockedAttempts(item) {
+        if (!this.isDeferredSchedulingApplicable(item))
+            return 0;
+        const id = getWorkItemIdentity(item);
+        if (id === undefined)
+            return 0;
+        return this._blockedAttempts.get(id) || 0;
+    }
+    isDeferred(item) {
+        if (!this.isDeferredSchedulingApplicable(item))
+            return false;
+        return this.getBlockedAttempts(item) > MAX_BLOCKED_ATTEMPTS_BEFORE_DEFER;
+    }
+    getDeferredOrder(item) {
+        if (!this.isDeferredSchedulingApplicable(item))
+            return undefined;
+        const id = getWorkItemIdentity(item);
+        if (id === undefined)
+            return undefined;
+        return this._deferredEntryOrder.get(id);
+    }
+    removeBookkeeping(item) {
+        if (!this.isDeferredSchedulingApplicable(item))
+            return;
+        const id = getWorkItemIdentity(item);
+        if (id === undefined)
+            return;
+        this._blockedAttempts.delete(id);
+        this._deferredEntryOrder.delete(id);
+    }
+    // --- Queue Partitioning ---
+    /**
+     * Splits queue into non-deferred and deferred, preserving original order,
+     * but sorts deferred by stable insertion order.
+     */
+    partitionQueueByDeferred(queue) {
+        const nonDeferred = [];
+        const deferred = [];
+        for (const item of queue) {
+            if (this.isDeferredSchedulingApplicable(item) && this.isDeferred(item)) {
+                deferred.push(item);
+            }
+            else {
+                nonDeferred.push(item);
+            }
+        }
+        deferred.sort((a, b) => {
+            const orderA = this.getDeferredOrder(a) || 0;
+            const orderB = this.getDeferredOrder(b) || 0;
+            return orderA - orderB;
+        });
+        return { nonDeferred, deferred };
+    }
+    // --- TESTING / DEBUG ---
+    clearAllBookkeeping() {
+        this._blockedAttempts.clear();
+        this._deferredEntryOrder.clear();
+        this._deferredOrderCounter = 0;
+    }
+}
+
 ;// CONCATENATED MODULE: ../operator/src/processItem.debug.ts
 
 
@@ -293884,12 +294152,12 @@ async function startCRStates(meter, kindList, namespace) {
 
 
 
-function initProcessItemsSlots(nSlots, initMetrics = true) {
+function initProcessItemsSlots(nSlots, initMetrics = true, onWorkItemBlockedByHandler) {
     operator_src_logger.info(`Initializing ${nSlots} processing slots...`);
-    return new ProcessItemSlots(nSlots, initMetrics);
+    return new ProcessItemSlots(nSlots, initMetrics, onWorkItemBlockedByHandler);
 }
 class ProcessItemSlots {
-    constructor(nSlots, initMetrics) {
+    constructor(nSlots, initMetrics, onWorkItemBlockedByHandler) {
         this._guardRails = new GuardRails();
         // let's init the slots
         this._nSlots = nSlots;
@@ -293906,6 +294174,7 @@ class ProcessItemSlots {
             slot.actions = {
                 blockItem: (item) => this._guardRails.block(item),
                 unblockItem: (item) => this._guardRails.unblock(item),
+                onWorkItemBlockedByHandler,
             };
             return slot;
         });
@@ -294016,6 +294285,9 @@ class ProcessItemSlot {
         if ('needsBlocking' in workItem.handler &&
             workItem.handler.needsBlocking(item, workItem.operation)) {
             operator_src_logger.debug(`Item ${item.kind}/${item.metadata.namespace} needs blocking`);
+            // Fire-and-forget: the callback is synchronous bookkeeping only;
+            // no async side effects are expected from this callback.
+            this._actions?.onWorkItemBlockedByHandler?.(workItem);
             return;
         }
         workItem.workStatus = WorkStatus.PROCESSING;
@@ -294037,6 +294309,7 @@ class ProcessItemSlot {
 
 
 
+
 const queue = [];
 const WEIGHTS = {
     RENAMED: 15,
@@ -294157,12 +294430,26 @@ async function processItem(workItem) {
 async function processItem_loop() {
     loopWorkItemDebug(queue);
     let podIsTerminating = false;
-    const processItemSlotsManager = initProcessItemsSlots(MAX_SLOTS);
-    const nextWorkItem = () => sortQueue(queue)
-        .filter((w) => !w.isBlocked &&
-        !w.isPicked &&
-        !processItemSlotsManager.isWorkItemBlocked(w))
-        .find((w) => w.workStatus === WorkStatus.PENDING);
+    const deferredBookkeeper = new DeferredSchedulingBookkeeper();
+    const processItemSlotsManager = initProcessItemsSlots(MAX_SLOTS, true, (w) => deferredBookkeeper.incrementBlockedAttempt(w));
+    if (process.env.GARBAGE_QUEUE_COLLECTOR) {
+        void workItemGarbageCollector(queue, deferredBookkeeper);
+    }
+    const nextWorkItem = () => {
+        // First, sort the queue and partition it for deferred scheduling.
+        const sorted = sortQueue(queue);
+        const { nonDeferred, deferred } = deferredBookkeeper.partitionQueueByDeferred(sorted);
+        // Helper for selection logic
+        function pickEligible(arr) {
+            return arr
+                .filter((w) => !w.isBlocked &&
+                !w.isPicked &&
+                !processItemSlotsManager.isWorkItemBlocked(w))
+                .find((w) => w.workStatus === WorkStatus.PENDING);
+        }
+        // Always prefer non-deferred, only defer if absolutely nothing eligible
+        return pickEligible(nonDeferred) || pickEligible(deferred);
+    };
     initSignalsHandler(new Map([['SIGTERM', () => (podIsTerminating = true)]]));
     operator_src_logger.info(`
     ------- Processor main loop started with a maximum of '${MAX_SLOTS}' concurrent slots to process items. -------
@@ -294239,24 +294526,23 @@ function processItem_wait(t = 2000) {
  * Periodically checks the queue for finished WorkItems and removes them
  * @param {WorkItem[]} queue - Queue of WorkItems
  */
-async function workItemGarbageCollector(queue) {
+async function workItemGarbageCollector(queue, bookkeeper) {
     while (1) {
         operator_src_logger.debug(`The garbage collector processed '${queue.length}' work items.`);
-        for (const [index, wi] of queue.entries()) {
+        for (let i = queue.length - 1; i >= 0; i--) {
+            const wi = queue[i];
             if (wi.workStatus === WorkStatus.FINISHED) {
+                bookkeeper?.removeBookkeeping(wi);
                 // Because the queue is a constant, we cannot reassign it, instead we
                 // use splice which modifies the array in place
                 //wi.onDelete()
-                queue.splice(index, 1);
+                queue.splice(i, 1);
             }
         }
         operator_src_logger.debug(`The garbage collector finished its run, leaving '${queue.length}' work items in the queue.`);
         await processItem_wait(10 * 1000);
     }
 }
-if (process.env.GARBAGE_QUEUE_COLLECTOR) {
-    void workItemGarbageCollector(queue);
-}
 
 ;// CONCATENATED MODULE: ../terraform_provisioner/src/tf/analyzer.ts
 
@@ -296792,7 +297078,7 @@ async function* process_operation_markedToDeletion(item, op, handler) {
             reason: op,
             type: 'PROVISIONED',
             status: 'False',
-            message: 'Synth CDKTF',
+            message: 'Synth',
         };
         yield {
             item,
@@ -296914,7 +297200,7 @@ async function* doApply(item, op, handler) {
             reason: op,
             type: 'PROVISIONED',
             status: 'False',
-            message: 'Synth CDKTF',
+            message: 'Synth',
         };
         let output = '';
         const type = 'PROVISIONING';
@@ -298218,8 +298504,8 @@ const MODULES = {
     },
     FirestartrGithubRepository: {
         module: 'git::https://github.com/prefapp/tfm.git//modules/github-repo',
-        // github-repo-v0.4.1
-        ref: 'addd7ce4a1054933c7f254a3d650c550c6a44024',
+        // github-repo-v0.5.1
+        ref: '67c7afaec38c1fdc9f1928090c181ef310fb81ec',
     },
     FirestartrGithubRepositoryFeature: {
         module: 'git::https://github.com/prefapp/tfm.git//modules/github-files-set',
@@ -298683,16 +298969,67 @@ function provisionDefaultBranch(fsGithubRepository) {
 ;// CONCATENATED MODULE: ../gh_provisioner/src/entities/ghrepo/helpers/codeowners.ts
 
 
+// Helper: Escape RegExp special characters in owner strings
+function codeowners_escapeRegExp(string) {
+    return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
 async function provisionCodeowners(fsGithubRepository) {
     const cr = fsGithubRepository.cr;
+    let codeownersText = cr.spec.repo.codeowners;
+    const org = cr.spec.org;
+    if (typeof codeownersText !== 'string') {
+        gh_provisioner_src_logger.debug('[provisionCodeowners] No CODEOWNERS content configured; skipping provisioning.');
+        return;
+    }
+    // 1. Gather all group refs present in cr.spec.permissions (if any)
+    const allRefs = [];
+    if (cr.spec.permissions && Array.isArray(cr.spec.permissions)) {
+        for (const perm of cr.spec.permissions) {
+            if (perm.ref && perm.ref.kind === 'FirestartrGithubGroup') {
+                allRefs.push(perm.ref);
+            }
+        }
+    }
+    // (Extend here if group refs appear in other fields in future specs)
+    // 2. For each group dependency: get external name & slug
+    const replacements = [];
+    for (const ref of allRefs) {
+        let dep;
+        try {
+            dep = base_Entity.refResolver(ref);
+        }
+        catch (e) {
+            gh_provisioner_src_logger.error(`[provisionCodeowners] Failed to resolve group ref ${ref.name}: ${String(e)}`);
+            continue;
+        }
+        const extName = dep?.cr?.metadata?.annotations?.['firestartr.dev/external-name'];
+        const slug = dep?.getOutput && dep.getOutput('slug');
+        if (!extName) {
+            gh_provisioner_src_logger.error(`[provisionCodeowners] Missing external-name annotation for group ref ${ref.name}`);
+            continue;
+        }
+        if (!slug) {
+            gh_provisioner_src_logger.error(`[provisionCodeowners] Missing slug output for group '${extName}' (${ref.name}) - will preserve as-is.`);
+            continue;
+        }
+        const from = `@${org}/${extName}`;
+        const to = `@${org}/${slug}`;
+        replacements.push({ from, to });
+    }
+    // 3. Replace all exact occurrences of each external name owner with slug owner
+    for (const { from, to } of replacements) {
+        // Needs literal match, even if source owner has spaces/punctuation
+        codeownersText = codeownersText.replace(new RegExp(codeowners_escapeRegExp(from), 'g'), to);
+    }
+    // Do not reformat, parse, or canonicalize further (per spec: preserve layout except for replacements)
     const config = {
         branch: cr.spec.repo.defaultBranch,
         commitMessage: 'ci: provision CODEOWNERS file',
-        content: cr.spec.repo.codeowners,
+        content: codeownersText,
         file: '.github/CODEOWNERS',
         overwriteOnCreate: true,
     };
-    gh_provisioner_src_logger.debug(`Content of the codeowners:  ${cr.spec.repo.codeowners}`);
+    gh_provisioner_src_logger.debug(`[provisionCodeowners] Final CODEOWNERS content: ${codeownersText}`);
     fsGithubRepository.patchData({
         path: '/config/files/-',
         op: PatchOperations.add,
@@ -298886,6 +299223,48 @@ function checkIfLabelExists(labelName, repoIssuesList) {
     return repoIssuesList.some((label) => label.name === labelName);
 }
 
+;// CONCATENATED MODULE: ../gh_provisioner/src/entities/ghrepo/helpers/branch_protections.ts
+
+
+/**
+ * Adds branch protection config to the synthesized Terraform config,
+ * preserving legacy field semantics exactly (empty lists, explicit booleans, names).
+ * @param entity The EntityGHRepo instance
+ */
+function provisionBranchProtections(entity) {
+    const protections = entity.cr.spec.branchProtections;
+    if (!protections || !Array.isArray(protections) || protections.length === 0) {
+        return;
+    }
+    for (const protection of protections) {
+        // This shape should match the compatible Terraform contract
+        const output = {};
+        // Only emit legacy fields in allowed order
+        output.branch = protection.branch;
+        output.statusChecks =
+            'statusChecks' in protection ? (protection.statusChecks ?? []) : [];
+        if ('requiredReviewersCount' in protection)
+            output.requiredReviewersCount = protection.requiredReviewersCount;
+        if ('requiredCodeownersReviewers' in protection)
+            output.requiredCodeownersReviewers =
+                protection.requiredCodeownersReviewers;
+        if ('enforceAdmins' in protection)
+            output.enforceAdmins = protection.enforceAdmins;
+        if ('requireSignedCommits' in protection)
+            output.requireSignedCommits = protection.requireSignedCommits;
+        if ('requireConversationResolution' in protection)
+            output.requireConversationResolution =
+                protection.requireConversationResolution;
+        // Only keep fields that are present, including explicit false/empty
+        gh_provisioner_src_logger.debug(`[gh-provisioner] Adding branch protection config: ${JSON.stringify(output)}`);
+        entity.patchData({
+            op: PatchOperations.add,
+            path: '/config/branch_protections/-',
+            value: output,
+        });
+    }
+}
+
 ;// CONCATENATED MODULE: ../gh_provisioner/src/entities/ghrepo/helpers/index.ts
 
 
@@ -298894,6 +299273,7 @@ function checkIfLabelExists(labelName, repoIssuesList) {
 
 
 
+
 ;// CONCATENATED MODULE: ../gh_provisioner/src/entities/ghrepo/post/additional_branches.ts
 
 
@@ -298960,6 +299340,9 @@ async function provisionRegularBranch(repo, branchName, sourceBranch, org) {
 
 
 class EntityGHRepo extends base_Entity {
+    escapeTerraformBranchName(value) {
+        return value.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+    }
     constructor(artifact) {
         super(artifact, {
             config: {
@@ -298968,6 +299351,7 @@ class EntityGHRepo extends base_Entity {
                 teams: [],
                 collaborators: [],
                 labels: [],
+                branch_protections: [],
             },
         });
     }
@@ -299022,6 +299406,8 @@ class EntityGHRepo extends base_Entity {
             await provisionDefaultBranch(this);
             await provisionCodeowners(this);
             await provisionVariables(this);
+            // Add branch protections to config if defined
+            provisionBranchProtections(this);
             await provisionOIDCSubjectClaim(this);
             await provisionPermissions(this);
             await provisionLabels(this, repoAlreadyExists);
@@ -299071,6 +299457,21 @@ class EntityGHRepo extends base_Entity {
                 id: this.cr.name,
             },
         });
+        // Import github_branch_protection ONLY for protections declared in CR, not GitHub state
+        const protections = this.cr.spec.branchProtections;
+        if (protections && Array.isArray(protections) && protections.length > 0) {
+            for (const protection of protections) {
+                const branch = protection.branch;
+                this.patchImportData({
+                    op: PatchOperations.add,
+                    path: '/imports/-',
+                    value: {
+                        to: `github_branch_protection.this["${this.escapeTerraformBranchName(branch)}"]`,
+                        id: `${this.cr.name}:${this.escapeTerraformBranchName(branch)}`,
+                    },
+                });
+            }
+        }
         // we cannot ensure the files exist, thus we need to check
         // it they exist before importing them
         //for (const file of this.document.config.files) {
@@ -299093,6 +299494,19 @@ class EntityGHRepo extends base_Entity {
                 },
             });
         }
+        // Import Pages resource if configured.
+        // When a repository is manually created with Pages already enabled,
+        // we must import the existing resource to avoid a 409 conflict on apply.
+        if (this.cr.spec.pages) {
+            this.patchImportData({
+                op: PatchOperations.add,
+                path: '/imports/-',
+                value: {
+                    to: 'github_repository_pages.this[0]',
+                    id: this.cr.name,
+                },
+            });
+        }
     }
     async provisionRepository() {
         this.patchData({
@@ -301739,9 +302153,9 @@ const crs_analyzerSubcommand = {
 };
 
 ;// CONCATENATED MODULE: ./package.json
-const package_namespaceObject = JSON.parse('{"i8":"2.5.0-snapshot-1"}');
+const package_namespaceObject = {"i8":"2.5.0"};
 ;// CONCATENATED MODULE: ../../package.json
-const package_namespaceObject_1 = {"i8":"2.4.0"};
+const package_namespaceObject_1 = {"i8":"2.5.0"};
 ;// CONCATENATED MODULE: ./src/subcommands/index.ts
 
 

package/build/packages/catalog_common/index.d.ts

@@ -104,6 +104,15 @@ declare const _default: {
     tokenizer: {
         SimpleTokenizer: typeof import("./src/tokenizer").SimpleTokenizer;
     };
+    codeowners: {
+        parse: typeof import("./src/codeowners").parse;
+        format: typeof import("./src/codeowners").format;
+        validate: typeof import("./src/codeowners").validate;
+        updateRule: typeof import("./src/codeowners").updateRule;
+        remove: typeof import("./src/codeowners").remove;
+        getOwners: typeof import("./src/codeowners").getOwners;
+        resolveRefs: typeof import("./src/codeowners").resolveRefs;
+    };
     cron: {
         validateCron: typeof validateCron;
         isValidCron: typeof isValidCron;

package/build/packages/catalog_common/src/codeowners/index.d.ts

@@ -0,0 +1,26 @@
+export interface CodeownersEntry {
+    type: 'rule' | 'comment' | 'blank';
+    pattern?: string;
+    owners?: string[];
+    raw: string;
+}
+export declare function parse(raw: string): CodeownersEntry[];
+export declare function format(entries: CodeownersEntry[]): string;
+export declare function validate(raw: string): {
+    valid: boolean;
+    errors: string[];
+};
+export declare function updateRule(entries: CodeownersEntry[], pattern: string, owners: string[]): CodeownersEntry[];
+export declare function remove(entries: CodeownersEntry[], pattern: string): CodeownersEntry[];
+export declare function getOwners(entries: CodeownersEntry[]): string[];
+export declare function resolveRefs(raw: string, replacements: Record<string, string>): string;
+declare const _default: {
+    parse: typeof parse;
+    format: typeof format;
+    validate: typeof validate;
+    updateRule: typeof updateRule;
+    remove: typeof remove;
+    getOwners: typeof getOwners;
+    resolveRefs: typeof resolveRefs;
+};
+export default _default;

package/build/packages/catalog_common/src/types/envvars.d.ts

@@ -25,11 +25,7 @@ export declare enum envVars {
     s3Bucket = "S3_BUCKET",
     s3Lock = "S3_LOCK",
     s3Region = "S3_REGION",
-    cdktfConfigFiles = "CDKTF_CONFIG_FILES",
     exclusionsYamlPath = "EXCLUSIONS_PATH",
-    cdktfEntityPath = "FIRESTARTR_CDKTF_ENTITY_PATH",
-    cdktfDepsPath = "FIRESTARTR_CDKTF_DEPS_PATH",
-    cdktfIsImport = "FIRESTARTR_CDKTF_IS_IMPORT",
     githubAppId = "GITHUB_APP_ID",
     githubAppInstallationId = "GITHUB_APP_INSTALLATION_ID",
     githubAppInstallationIdPrefapp = "GITHUB_APP_INSTALLATION_ID_PREFAPP",

package/build/packages/gh_provisioner/src/entities/ghrepo/helpers/branch_protections.d.ts

@@ -0,0 +1,7 @@
+import { EntityGHRepo } from '../';
+/**
+ * Adds branch protection config to the synthesized Terraform config,
+ * preserving legacy field semantics exactly (empty lists, explicit booleans, names).
+ * @param entity The EntityGHRepo instance
+ */
+export declare function provisionBranchProtections(entity: EntityGHRepo): void;

package/build/packages/gh_provisioner/src/entities/ghrepo/helpers/index.d.ts

@@ -4,3 +4,4 @@ export { provisionVariables } from './variables';
 export { provisionOIDCSubjectClaim } from './actions_oidc';
 export { provisionPermissions } from './teams';
 export { provisionLabels } from './labels';
+export { provisionBranchProtections } from './branch_protections';

package/build/packages/gh_provisioner/src/entities/ghrepo/index.d.ts

@@ -1,5 +1,6 @@
 import { Entity } from '../base';
 export declare class EntityGHRepo extends Entity {
+    private escapeTerraformBranchName;
     constructor(artifact: any);
     /**
      * Validation logic for GitHub Pages branch settings:

package/build/packages/operator/src/definitions.d.ts

@@ -1,6 +1,20 @@
+import type { Dependencies } from './resolver';
 export declare function getKindFromPlural(plural: string): any;
 export declare function getPluralFromKind(kind: string): string;
-import type { Dependencies } from './resolver';
+/**
+ * Helper to extract the canonical identity (metadata.uid) from a WorkItem or its item.
+ *
+ * Use this helper when you need a stable identity key for WorkItems, e.g. for
+ * in-memory deferred-scheduling bookkeeping.
+ *
+ * Note: other subsystems may still use kind/namespace/name keys; this helper is
+ * specifically intended for UID-based WorkItem identity.
+ * Any future change to identity logic MUST be made here and nowhere else.
+ *
+ * Returns undefined if .metadata.uid is missing so scheduler/bookkeeping paths
+ * can safely short-circuit instead of throwing and aborting an entire pass.
+ */
+export declare function getWorkItemIdentity(wi: WorkItem): string | undefined;
 export declare enum OperationType {
     RENAMED = "RENAMED",
     UPDATED = "UPDATED",

package/build/packages/operator/src/processItem.blocks.d.ts

@@ -0,0 +1,40 @@
+import type { WorkItem } from './definitions';
+/**
+ * Maximum number of blocked attempts allowed before an item is moved to the deferred segment.
+ * An item becomes deferred once its blocked-attempt count exceeds this value.
+ */
+export declare const MAX_BLOCKED_ATTEMPTS_BEFORE_DEFER = 5;
+export declare const SUPPORTED_PARENT_KINDS: Set<string>;
+/**
+ * Encapsulates all deferred-scheduling bookkeeping state for one scheduler queue.
+ * Instantiate once per queue (alongside processItemSlotsManager) inside loop().
+ */
+export declare class DeferredSchedulingBookkeeper {
+    private _blockedAttempts;
+    private _deferredEntryOrder;
+    private _deferredOrderCounter;
+    /**
+     * Returns true only for supported parent kinds AND only for deletion operations.
+     * Per spec Definition 2: applicable when operation is MARKED_TO_DELETION,
+     * or RETRY with metadata.deletionTimestamp set.
+     */
+    isDeferredSchedulingApplicable(item: WorkItem): boolean;
+    /**
+     * Increments block counter for item (only call when item has been detected as blocked).
+     * Returns new value. Promotes item to deferred segment if threshold crossed.
+     */
+    incrementBlockedAttempt(item: WorkItem): number;
+    getBlockedAttempts(item: WorkItem): number;
+    isDeferred(item: WorkItem): boolean;
+    getDeferredOrder(item: WorkItem): number | undefined;
+    removeBookkeeping(item: WorkItem): void;
+    /**
+     * Splits queue into non-deferred and deferred, preserving original order,
+     * but sorts deferred by stable insertion order.
+     */
+    partitionQueueByDeferred<T extends WorkItem>(queue: T[]): {
+        nonDeferred: T[];
+        deferred: T[];
+    };
+    clearAllBookkeeping(): void;
+}

package/build/packages/operator/src/processItem.d.ts

@@ -1,4 +1,5 @@
 import { WorkItem } from './informer';
+import { DeferredSchedulingBookkeeper } from './processItem.blocks';
 export declare function getQueueMetrics(): {
     nItems: number;
     nItemsFinished: number;
@@ -25,4 +26,4 @@ export declare function processItem(workItem: WorkItem): Promise<void>;
  * Periodically checks the queue for finished WorkItems and removes them
  * @param {WorkItem[]} queue - Queue of WorkItems
  */
-export declare function workItemGarbageCollector(queue: WorkItem[]): Promise<void>;
+export declare function workItemGarbageCollector(queue: WorkItem[], bookkeeper?: DeferredSchedulingBookkeeper): Promise<void>;

package/build/packages/operator/src/processItem.slot.d.ts

@@ -1,11 +1,11 @@
 import { WorkItem } from './definitions';
 import { ProcessItemSlotMetrics } from './metrics/processItem.slot.metrics';
-export declare function initProcessItemsSlots(nSlots: number, initMetrics?: boolean): ProcessItemSlots;
+export declare function initProcessItemsSlots(nSlots: number, initMetrics?: boolean, onWorkItemBlockedByHandler?: (workItem: WorkItem) => void): ProcessItemSlots;
 export declare class ProcessItemSlots {
     _slots: ProcessItemSlot[];
     _nSlots: number;
     _guardRails: GuardRails;
-    constructor(nSlots: number, initMetrics: boolean);
+    constructor(nSlots: number, initMetrics: boolean, onWorkItemBlockedByHandler?: (workItem: WorkItem) => void);
     getIdleSlots(): Generator<ProcessItemSlot, void, unknown>;
     allSlotsAreIdle(): boolean;
     isWorkItemBlocked(workItem: WorkItem): boolean;
@@ -24,16 +24,19 @@ export declare class ProcessItemSlot {
     _actions: {
         blockItem: (item: any) => void;
         unblockItem: (item: any) => void;
+        onWorkItemBlockedByHandler?: (workItem: WorkItem) => void;
     } | undefined;
     _metrics: ProcessItemSlotMetrics;
     constructor(id: number);
     set actions(actions: {
         blockItem: (item: any) => void;
         unblockItem: (item: any) => void;
+        onWorkItemBlockedByHandler?: (workItem: WorkItem) => void;
     });
     get actions(): {
         blockItem: (item: any) => void;
         unblockItem: (item: any) => void;
+        onWorkItemBlockedByHandler?: (workItem: WorkItem) => void;
     };
     get idle(): boolean;
     get id(): number;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@firestartr/cli",
-  "version": "2.5.0-snapshot-1",
+  "version": "2.5.0",
   "private": false,
   "description": "Commandline tool",
   "main": "build/main.js",