@pierre/storage 0.0.10 → 0.1.0

package/src/fetch.ts

@@ -1,16 +1,40 @@
+import { errorEnvelopeSchema } from './schemas';
 import type { ValidAPIVersion, ValidMethod, ValidPath } from './types';
 
 interface RequestOptions {
 	allowedStatus?: number[];
 }
 
+export class ApiError extends Error {
+	public readonly status: number;
+	public readonly statusText: string;
+	public readonly method: ValidMethod;
+	public readonly url: string;
+	public readonly body?: unknown;
+
+	constructor(params: {
+		message: string;
+		status: number;
+		statusText: string;
+		method: ValidMethod;
+		url: string;
+		body?: unknown;
+	}) {
+		super(params.message);
+		this.name = 'ApiError';
+		this.status = params.status;
+		this.statusText = params.statusText;
+		this.method = params.method;
+		this.url = params.url;
+		this.body = params.body;
+	}
+}
+
 export class ApiFetcher {
 	constructor(
 		private readonly API_BASE_URL: string,
 		private readonly version: ValidAPIVersion,
-	) {
-		console.log('api fetcher created', API_BASE_URL, version);
-	}
+	) {}
 
 	private getBaseUrl() {
 		return `${this.API_BASE_URL}/api/v${this.version}`;
@@ -46,9 +70,55 @@ export class ApiFetcher {
 
 		if (!response.ok) {
 			const allowed = options?.allowedStatus ?? [];
-			if (!allowed.includes(response.status)) {
-				throw new Error(`Failed to fetch ${method} ${requestUrl}: ${response.statusText}`);
+			if (allowed.includes(response.status)) {
+				return response;
 			}
+
+			let errorBody: unknown;
+			let message: string | undefined;
+			const contentType = response.headers.get('content-type') ?? '';
+
+			try {
+				if (contentType.includes('application/json')) {
+					errorBody = await response.json();
+				} else {
+					const text = await response.text();
+					errorBody = text;
+				}
+			} catch {
+				// Fallback to plain text if JSON parse failed after reading body
+				try {
+					errorBody = await response.text();
+				} catch {
+					errorBody = undefined;
+				}
+			}
+
+			if (typeof errorBody === 'string') {
+				const trimmed = errorBody.trim();
+				if (trimmed) {
+					message = trimmed;
+				}
+			} else if (errorBody && typeof errorBody === 'object') {
+				const parsedError = errorEnvelopeSchema.safeParse(errorBody);
+				if (parsedError.success) {
+					const trimmed = parsedError.data.error.trim();
+					if (trimmed) {
+						message = trimmed;
+					}
+				}
+			}
+
+			throw new ApiError({
+				message:
+					message ??
+					`Request ${method} ${requestUrl} failed with status ${response.status} ${response.statusText}`,
+				status: response.status,
+				statusText: response.statusText,
+				method,
+				url: requestUrl,
+				body: errorBody,
+			});
 		}
 		return response;
 	}

package/src/index.ts

@@ -6,28 +6,56 @@
 
 import { importPKCS8, SignJWT } from 'jose';
 import snakecaseKeys from 'snakecase-keys';
+import { createCommitBuilder, FetchCommitTransport, resolveCommitTtlSeconds } from './commit';
+import { RefUpdateError } from './errors';
 import { ApiFetcher } from './fetch';
+import type { ResetCommitAckRaw } from './schemas';
+import {
+	branchDiffResponseSchema,
+	commitDiffResponseSchema,
+	listBranchesResponseSchema,
+	listCommitsResponseSchema,
+	listFilesResponseSchema,
+	resetCommitAckSchema,
+	resetCommitResponseSchema,
+} from './schemas';
 import type {
+	BranchInfo,
+	CommitBuilder,
+	CommitInfo,
+	CreateCommitOptions,
 	CreateRepoOptions,
+	DiffFileState,
+	FileDiff,
+	FilteredFile,
 	FindOneOptions,
 	GetBranchDiffOptions,
 	GetBranchDiffResponse,
+	GetBranchDiffResult,
 	GetCommitDiffOptions,
 	GetCommitDiffResponse,
-	GetCommitOptions,
-	GetCommitResponse,
+	GetCommitDiffResult,
 	GetFileOptions,
 	GetRemoteURLOptions,
 	GitStorageOptions,
 	ListBranchesOptions,
 	ListBranchesResponse,
+	ListBranchesResult,
 	ListCommitsOptions,
 	ListCommitsResponse,
+	ListCommitsResult,
 	ListFilesOptions,
-	ListFilesResponse,
+	ListFilesResult,
 	OverrideableGitStorageOptions,
 	PullUpstreamOptions,
+	RawBranchInfo,
+	RawCommitInfo,
+	RawFileDiff,
+	RawFilteredFile,
+	RefUpdate,
 	Repo,
+	ResetCommitOptions,
+	ResetCommitResult,
 	ValidAPIVersion,
 } from './types';
 
@@ -35,6 +63,8 @@ import type {
  * Type definitions for Pierre Git Storage SDK
  */
 
+export { RefUpdateError } from './errors';
+export { ApiError } from './fetch';
 // Import additional types from types.ts
 export * from './types';
 
@@ -53,6 +83,122 @@ const STORAGE_BASE_URL = __STORAGE_BASE_URL__;
 const API_VERSION: ValidAPIVersion = 1;
 
 const apiInstanceMap = new Map<string, ApiFetcher>();
+const DEFAULT_TOKEN_TTL_SECONDS = 60 * 60; // 1 hour
+const RESET_COMMIT_ALLOWED_STATUS = [
+	400, // Bad Request - validation errors
+	401, // Unauthorized - missing/invalid auth header
+	403, // Forbidden - missing git:write scope
+	404, // Not Found - repo lookup failures
+	408, // Request Timeout - client cancelled
+	409, // Conflict - concurrent ref updates
+	412, // Precondition Failed - optimistic concurrency
+	422, // Unprocessable Entity - metadata issues
+	429, // Too Many Requests - upstream throttling
+	499, // Client Closed Request - storage cancellation
+	500, // Internal Server Error - generic failure
+	502, // Bad Gateway - storage/gateway bridge issues
+	503, // Service Unavailable - storage selection failures
+	504, // Gateway Timeout - long-running storage operations
+] as const;
+
+function resolveInvocationTtlSeconds(
+	options?: { ttl?: number },
+	defaultValue: number = DEFAULT_TOKEN_TTL_SECONDS,
+): number {
+	if (typeof options?.ttl === 'number' && options.ttl > 0) {
+		return options.ttl;
+	}
+	return defaultValue;
+}
+
+type ResetCommitAck = ResetCommitAckRaw;
+
+function toRefUpdate(result: ResetCommitAck['result']): RefUpdate {
+	return {
+		branch: result.branch,
+		oldSha: result.old_sha,
+		newSha: result.new_sha,
+	};
+}
+
+function buildResetCommitResult(ack: ResetCommitAck): ResetCommitResult {
+	const refUpdate = toRefUpdate(ack.result);
+	if (!ack.result.success) {
+		throw new RefUpdateError(
+			ack.result.message ?? `Reset commit failed with status ${ack.result.status}`,
+			{
+				status: ack.result.status,
+				message: ack.result.message,
+				refUpdate,
+			},
+		);
+	}
+	return {
+		commitSha: ack.commit.commit_sha,
+		treeSha: ack.commit.tree_sha,
+		targetBranch: ack.commit.target_branch,
+		packBytes: ack.commit.pack_bytes,
+		refUpdate,
+	};
+}
+
+interface ResetCommitFailureInfo {
+	status?: string;
+	message?: string;
+	refUpdate?: Partial<RefUpdate>;
+}
+
+function toPartialRefUpdate(
+	branch?: unknown,
+	oldSha?: unknown,
+	newSha?: unknown,
+): Partial<RefUpdate> | undefined {
+	const refUpdate: Partial<RefUpdate> = {};
+	if (typeof branch === 'string' && branch.trim() !== '') {
+		refUpdate.branch = branch;
+	}
+	if (typeof oldSha === 'string' && oldSha.trim() !== '') {
+		refUpdate.oldSha = oldSha;
+	}
+	if (typeof newSha === 'string' && newSha.trim() !== '') {
+		refUpdate.newSha = newSha;
+	}
+	return Object.keys(refUpdate).length > 0 ? refUpdate : undefined;
+}
+
+function parseResetCommitPayload(
+	payload: unknown,
+): { ack: ResetCommitAck } | { failure: ResetCommitFailureInfo } | null {
+	const ack = resetCommitAckSchema.safeParse(payload);
+	if (ack.success) {
+		return { ack: ack.data };
+	}
+
+	const failure = resetCommitResponseSchema.safeParse(payload);
+	if (failure.success) {
+		const result = failure.data.result;
+		return {
+			failure: {
+				status: result.status,
+				message: result.message,
+				refUpdate: toPartialRefUpdate(result.branch, result.old_sha, result.new_sha),
+			},
+		};
+	}
+
+	return null;
+}
+
+function httpStatusToResetStatus(status: number): string {
+	switch (status) {
+		case 409:
+			return 'conflict';
+		case 412:
+			return 'precondition_failed';
+		default:
+			return `${status}`;
+	}
+}
 
 function getApiInstance(baseUrl: string, version: ValidAPIVersion) {
 	if (!apiInstanceMap.has(`${baseUrl}--${version}`)) {
@@ -61,6 +207,114 @@ function getApiInstance(baseUrl: string, version: ValidAPIVersion) {
 	return apiInstanceMap.get(`${baseUrl}--${version}`)!;
 }
 
+function transformBranchInfo(raw: RawBranchInfo): BranchInfo {
+	return {
+		cursor: raw.cursor,
+		name: raw.name,
+		headSha: raw.head_sha,
+		createdAt: raw.created_at,
+	};
+}
+
+function transformListBranchesResult(raw: ListBranchesResponse): ListBranchesResult {
+	return {
+		branches: raw.branches.map(transformBranchInfo),
+		nextCursor: raw.next_cursor ?? undefined,
+		hasMore: raw.has_more,
+	};
+}
+
+function transformCommitInfo(raw: RawCommitInfo): CommitInfo {
+	const parsedDate = new Date(raw.date);
+	return {
+		sha: raw.sha,
+		message: raw.message,
+		authorName: raw.author_name,
+		authorEmail: raw.author_email,
+		committerName: raw.committer_name,
+		committerEmail: raw.committer_email,
+		date: parsedDate,
+		rawDate: raw.date,
+	};
+}
+
+function transformListCommitsResult(raw: ListCommitsResponse): ListCommitsResult {
+	return {
+		commits: raw.commits.map(transformCommitInfo),
+		nextCursor: raw.next_cursor ?? undefined,
+		hasMore: raw.has_more,
+	};
+}
+
+function normalizeDiffState(rawState: string): DiffFileState {
+	if (!rawState) {
+		return 'unknown';
+	}
+	const leading = rawState.trim()[0]?.toUpperCase();
+	switch (leading) {
+		case 'A':
+			return 'added';
+		case 'M':
+			return 'modified';
+		case 'D':
+			return 'deleted';
+		case 'R':
+			return 'renamed';
+		case 'C':
+			return 'copied';
+		case 'T':
+			return 'type_changed';
+		case 'U':
+			return 'unmerged';
+		default:
+			return 'unknown';
+	}
+}
+
+function transformFileDiff(raw: RawFileDiff): FileDiff {
+	const normalizedState = normalizeDiffState(raw.state);
+	return {
+		path: raw.path,
+		state: normalizedState,
+		rawState: raw.state,
+		oldPath: raw.old_path ?? undefined,
+		raw: raw.raw,
+		bytes: raw.bytes,
+		isEof: raw.is_eof,
+	};
+}
+
+function transformFilteredFile(raw: RawFilteredFile): FilteredFile {
+	const normalizedState = normalizeDiffState(raw.state);
+	return {
+		path: raw.path,
+		state: normalizedState,
+		rawState: raw.state,
+		oldPath: raw.old_path ?? undefined,
+		bytes: raw.bytes,
+		isEof: raw.is_eof,
+	};
+}
+
+function transformBranchDiffResult(raw: GetBranchDiffResponse): GetBranchDiffResult {
+	return {
+		branch: raw.branch,
+		base: raw.base,
+		stats: raw.stats,
+		files: raw.files.map(transformFileDiff),
+		filteredFiles: raw.filtered_files.map(transformFilteredFile),
+	};
+}
+
+function transformCommitDiffResult(raw: GetCommitDiffResponse): GetCommitDiffResult {
+	return {
+		sha: raw.sha,
+		stats: raw.stats,
+		files: raw.files.map(transformFileDiff),
+		filteredFiles: raw.filtered_files.map(transformFilteredFile),
+	};
+}
+
 /**
  * Implementation of the Repo interface
  */
@@ -90,9 +344,10 @@ class RepoImpl implements Repo {
 	}
 
 	async getFileStream(options: GetFileOptions): Promise<Response> {
+		const ttl = resolveInvocationTtlSeconds(options, DEFAULT_TOKEN_TTL_SECONDS);
 		const jwt = await this.generateJWT(this.id, {
 			permissions: ['git:read'],
-			ttl: options?.ttl ?? 1 * 60 * 60, // 1hr in seconds
+			ttl,
 		});
 
 		const params: Record<string, string> = {
@@ -107,10 +362,11 @@ class RepoImpl implements Repo {
 		return this.api.get({ path: 'repos/file', params }, jwt);
 	}
 
-	async listFiles(options?: ListFilesOptions): Promise<ListFilesResponse> {
+	async listFiles(options?: ListFilesOptions): Promise<ListFilesResult> {
+		const ttl = resolveInvocationTtlSeconds(options, DEFAULT_TOKEN_TTL_SECONDS);
 		const jwt = await this.generateJWT(this.id, {
 			permissions: ['git:read'],
-			ttl: options?.ttl ?? 1 * 60 * 60, // 1hr in seconds
+			ttl,
 		});
 
 		const params: Record<string, string> | undefined = options?.ref
@@ -118,36 +374,46 @@ class RepoImpl implements Repo {
 			: undefined;
 		const response = await this.api.get({ path: 'repos/files', params }, jwt);
 
-		return (await response.json()) as ListFilesResponse;
+		const raw = listFilesResponseSchema.parse(await response.json());
+		return { paths: raw.paths, ref: raw.ref };
 	}
 
-	async listBranches(options?: ListBranchesOptions): Promise<ListBranchesResponse> {
+	async listBranches(options?: ListBranchesOptions): Promise<ListBranchesResult> {
+		const ttl = resolveInvocationTtlSeconds(options, DEFAULT_TOKEN_TTL_SECONDS);
 		const jwt = await this.generateJWT(this.id, {
 			permissions: ['git:read'],
-			ttl: options?.ttl ?? 1 * 60 * 60, // 1hr in seconds
+			ttl,
 		});
 
+		const cursor = options?.cursor;
+		const limit = options?.limit;
+
 		let params: Record<string, string> | undefined;
 
-		if (options?.cursor || !options?.limit) {
+		if (typeof cursor === 'string' || typeof limit === 'number') {
 			params = {};
-			if (options?.cursor) {
-				params.cursor = options.cursor;
+			if (typeof cursor === 'string') {
+				params.cursor = cursor;
 			}
-			if (typeof options?.limit == 'number') {
-				params.limit = options.limit.toString();
+			if (typeof limit === 'number') {
+				params.limit = limit.toString();
 			}
 		}
 
 		const response = await this.api.get({ path: 'repos/branches', params }, jwt);
 
-		return (await response.json()) as ListBranchesResponse;
+		const raw = listBranchesResponseSchema.parse(await response.json());
+		return transformListBranchesResult({
+			...raw,
+			next_cursor: raw.next_cursor ?? undefined,
+		});
 	}
 
-	async listCommits(options?: ListCommitsOptions): Promise<ListCommitsResponse> {
+	async listCommits(options?: ListCommitsOptions): Promise<ListCommitsResult> {
+		const ttl = resolveInvocationTtlSeconds(options, DEFAULT_TOKEN_TTL_SECONDS);
 		const jwt = await this.generateJWT(this.id, {
 			permissions: ['git:read'],
-			ttl: options?.ttl ?? 1 * 60 * 60, // 1hr in seconds
+			ttl,
 		});
 
 		let params: Record<string, string> | undefined;
@@ -167,13 +433,18 @@ class RepoImpl implements Repo {
 
 		const response = await this.api.get({ path: 'repos/commits', params }, jwt);
 
-		return (await response.json()) as ListCommitsResponse;
+		const raw = listCommitsResponseSchema.parse(await response.json());
+		return transformListCommitsResult({
+			...raw,
+			next_cursor: raw.next_cursor ?? undefined,
+		});
 	}
 
-	async getBranchDiff(options: GetBranchDiffOptions): Promise<GetBranchDiffResponse> {
+	async getBranchDiff(options: GetBranchDiffOptions): Promise<GetBranchDiffResult> {
+		const ttl = resolveInvocationTtlSeconds(options, DEFAULT_TOKEN_TTL_SECONDS);
 		const jwt = await this.generateJWT(this.id, {
 			permissions: ['git:read'],
-			ttl: options?.ttl ?? 1 * 60 * 60, // 1hr in seconds
+			ttl,
 		});
 
 		const params: Record<string, string> = {
@@ -186,13 +457,15 @@ class RepoImpl implements Repo {
 
 		const response = await this.api.get({ path: 'repos/branches/diff', params }, jwt);
 
-		return (await response.json()) as GetBranchDiffResponse;
+		const raw = branchDiffResponseSchema.parse(await response.json());
+		return transformBranchDiffResult(raw);
 	}
 
-	async getCommitDiff(options: GetCommitDiffOptions): Promise<GetCommitDiffResponse> {
+	async getCommitDiff(options: GetCommitDiffOptions): Promise<GetCommitDiffResult> {
+		const ttl = resolveInvocationTtlSeconds(options, DEFAULT_TOKEN_TTL_SECONDS);
 		const jwt = await this.generateJWT(this.id, {
 			permissions: ['git:read'],
-			ttl: options?.ttl ?? 1 * 60 * 60, // 1hr in seconds
+			ttl,
 		});
 
 		const params: Record<string, string> = {
@@ -201,28 +474,15 @@ class RepoImpl implements Repo {
 
 		const response = await this.api.get({ path: 'repos/diff', params }, jwt);
 
-		return (await response.json()) as GetCommitDiffResponse;
-	}
-
-	async getCommit(options: GetCommitOptions): Promise<GetCommitResponse> {
-		const jwt = await this.generateJWT(this.id, {
-			permissions: ['git:read'],
-			ttl: options?.ttl ?? 1 * 60 * 60, // 1hr in seconds
-		});
-
-		const params: Record<string, string> = {
-			repo: this.id,
-			sha: options.sha,
-		};
-		const response = await this.api.get({ path: 'commit', params }, jwt);
-
-		return (await response.json()) as GetCommitResponse;
+		const raw = commitDiffResponseSchema.parse(await response.json());
+		return transformCommitDiffResult(raw);
 	}
 
 	async pullUpstream(options: PullUpstreamOptions): Promise<void> {
+		const ttl = resolveInvocationTtlSeconds(options, DEFAULT_TOKEN_TTL_SECONDS);
 		const jwt = await this.generateJWT(this.id, {
 			permissions: ['git:write'],
-			ttl: options?.ttl ?? 1 * 60 * 60, // 1hr in seconds
+			ttl,
 		});
 
 		const body: Record<string, string> = {};
@@ -239,6 +499,108 @@ class RepoImpl implements Repo {
 
 		return;
 	}
+
+	async resetCommit(options: ResetCommitOptions): Promise<ResetCommitResult> {
+		const targetBranch = options?.targetBranch?.trim();
+		if (!targetBranch) {
+			throw new Error('resetCommit targetBranch is required');
+		}
+		if (targetBranch.startsWith('refs/')) {
+			throw new Error('resetCommit targetBranch must not include refs/ prefix');
+		}
+
+		const targetCommitSha = options?.targetCommitSha?.trim();
+		if (!targetCommitSha) {
+			throw new Error('resetCommit targetCommitSha is required');
+		}
+		const commitMessage = options?.commitMessage?.trim();
+
+		const authorName = options.author?.name?.trim();
+		const authorEmail = options.author?.email?.trim();
+		if (!authorName || !authorEmail) {
+			throw new Error('resetCommit author name and email are required');
+		}
+
+		const ttl = resolveCommitTtlSeconds(options);
+		const jwt = await this.generateJWT(this.id, {
+			permissions: ['git:write'],
+			ttl,
+		});
+
+		const metadata: Record<string, unknown> = {
+			target_branch: targetBranch,
+			target_commit_sha: targetCommitSha,
+			author: {
+				name: authorName,
+				email: authorEmail,
+			},
+		};
+
+		if (commitMessage) {
+			metadata.commit_message = commitMessage;
+		}
+
+		const expectedHeadSha = options.expectedHeadSha?.trim();
+		if (expectedHeadSha) {
+			metadata.expected_head_sha = expectedHeadSha;
+		}
+
+		if (options.committer) {
+			const committerName = options.committer.name?.trim();
+			const committerEmail = options.committer.email?.trim();
+			if (!committerName || !committerEmail) {
+				throw new Error('resetCommit committer name and email are required when provided');
+			}
+			metadata.committer = {
+				name: committerName,
+				email: committerEmail,
+			};
+		}
+
+		const response = await this.api.post({ path: 'repos/reset-commits', body: { metadata } }, jwt, {
+			allowedStatus: [...RESET_COMMIT_ALLOWED_STATUS],
+		});
+
+		const payload = await response.json();
+		const parsed = parseResetCommitPayload(payload);
+		if (parsed && 'ack' in parsed) {
+			return buildResetCommitResult(parsed.ack);
+		}
+
+		const failure = parsed && 'failure' in parsed ? parsed.failure : undefined;
+		const status = failure?.status ?? httpStatusToResetStatus(response.status);
+		const message =
+			failure?.message ??
+			`Reset commit failed with HTTP ${response.status}` +
+				(response.statusText ? ` ${response.statusText}` : '');
+
+		throw new RefUpdateError(message, {
+			status,
+			refUpdate: failure?.refUpdate,
+		});
+	}
+
+	createCommit(options: CreateCommitOptions): CommitBuilder {
+		const version = this.options.apiVersion ?? API_VERSION;
+		const baseUrl = this.options.apiBaseUrl ?? API_BASE_URL;
+		const transport = new FetchCommitTransport({ baseUrl, version });
+		const ttl = resolveCommitTtlSeconds(options);
+		const builderOptions: CreateCommitOptions = {
+			...options,
+			ttl,
+		};
+		const getAuthToken = () =>
+			this.generateJWT(this.id, {
+				permissions: ['git:write'],
+				ttl,
+			});
+
+		return createCommitBuilder({
+			options: builderOptions,
+			getAuthToken,
+			transport,
+		});
+	}
 }
 
 export class GitStorage {
@@ -272,6 +634,7 @@ export class GitStorage {
 		const resolvedApiVersion = options.apiVersion ?? GitStorage.overrides.apiVersion ?? API_VERSION;
 		const resolvedStorageBaseUrl =
 			options.storageBaseUrl ?? GitStorage.overrides.storageBaseUrl ?? STORAGE_BASE_URL;
+		const resolvedDefaultTtl = options.defaultTTL ?? GitStorage.overrides.defaultTTL;
 
 		this.api = getApiInstance(resolvedApiBaseUrl, resolvedApiVersion);
 
@@ -281,6 +644,7 @@ export class GitStorage {
 			apiBaseUrl: resolvedApiBaseUrl,
 			apiVersion: resolvedApiVersion,
 			storageBaseUrl: resolvedStorageBaseUrl,
+			defaultTTL: resolvedDefaultTtl,
 		};
 	}
 
@@ -294,10 +658,10 @@ export class GitStorage {
 	 */
 	async createRepo(options?: CreateRepoOptions): Promise<Repo> {
 		const repoId = options?.id || crypto.randomUUID();
-
+		const ttl = resolveInvocationTtlSeconds(options, DEFAULT_TOKEN_TTL_SECONDS);
 		const jwt = await this.generateJWT(repoId, {
 			permissions: ['repo:write'],
-			ttl: options?.ttl ?? 1 * 60 * 60, // 1hr in seconds
+			ttl,
 		});
 
 		const baseRepoOptions = options?.baseRepo
@@ -338,7 +702,7 @@ export class GitStorage {
 	async findOne(options: FindOneOptions): Promise<Repo | null> {
 		const jwt = await this.generateJWT(options.id, {
 			permissions: ['git:read'],
-			ttl: 1 * 60 * 60,
+			ttl: DEFAULT_TOKEN_TTL_SECONDS,
 		});
 
 		// Allow 404 to indicate "not found" without throwing
@@ -366,7 +730,7 @@ export class GitStorage {
 	private async generateJWT(repoId: string, options?: GetRemoteURLOptions): Promise<string> {
 		// Default permissions and TTL
 		const permissions = options?.permissions || ['git:write', 'git:read'];
-		const ttl = options?.ttl || 365 * 24 * 60 * 60; // 1 year in seconds
+		const ttl = resolveInvocationTtlSeconds(options, this.options.defaultTTL ?? 365 * 24 * 60 * 60);
 
 		// Create the JWT payload
 		const now = Math.floor(Date.now() / 1000);