@uxmaltech/collab-cli 0.1.9 → 0.1.10

package/README.md

@@ -97,7 +97,7 @@ collab init --resume                 # resume from last failed stage
 | **Description** | Agents read `.md` files directly | Agents query NebulaGraph + Qdrant via MCP |
 | **Docker** | Not required | Required (Qdrant, NebulaGraph, MCP server) |
 | **MCP** | No | Yes — endpoint `http://127.0.0.1:7337/mcp` |
-| **Wizard stages** | 8 | 14 |
+| **Wizard stages** | 8 | 15 |
 | **Use case** | Small projects, no Docker, quick start | Multi-repo ecosystems, large canons |
 
 **Transition heuristic:** Consider indexed mode when the canon exceeds ~50,000 tokens (~375 files).
@@ -114,6 +114,7 @@ collab init --resume                 # resume from last failed stage
 | `collab up` | Full startup pipeline (infra → MCP) |
 | `collab seed` | Preflight check for infrastructure before seeding |
 | `collab doctor` | System diagnostics: config, health, and versions |
+| `collab end` | Finalize work: create PR with governance references and canon sync |
 | `collab update-canons` | Download/update canon from GitHub |
 
 ## Global options
@@ -152,27 +153,29 @@ collab init --resume                 # resume from last failed stage
 7. CI setup (GitHub Actions templates)
 8. Agent skills setup (skills and prompts registration)
 
-### Indexed (14 stages)
+### Indexed (15 stages)
 
 **Phase A — Local setup (stages 1-8):** Same as file-only, but repo analysis uses AI.
 
-**Phase B — Infrastructure (stages 9-11):**
+**Phase B — Infrastructure (stages 9-12):**
 
 9. Compose generation (docker-compose.yml or split files)
 10. Infra startup (Qdrant + NebulaGraph via Docker)
 11. MCP startup (MCP service + health checks)
+12. GitHub setup (branch model, protections, CI workflows)
 
-**Phase C — Ingestion (stages 12-14):**
+**Phase C — Ingestion (stages 13-15):**
 
-12. MCP client config (provider snippets)
-13. Graph seeding (initialize graph with architecture data)
-14. Canon ingest (ingest collab-architecture into Qdrant/Nebula)
+13. MCP client config (provider snippets)
+14. Graph seeding (initialize graph with architecture data)
+15. Canon ingest (ingest collab-architecture into Qdrant/Nebula)
 
 **Useful flags:**
 - `--resume` — resume from last incomplete stage
 - `--force` — overwrite existing config
 - `--skip-analysis` — skip code analysis
 - `--skip-ci` — skip CI generation
+- `--skip-github-setup` — skip GitHub branch model and workflow configuration
 - `--providers codex,claude` — specify providers
 
 ## Workspace mode
@@ -185,6 +188,22 @@ collab init --repos repo-a,repo-b,repo-c
 
 When run from a directory containing multiple repos, the wizard presents repository selection interactively.
 
+## Finalizing work (`collab end`)
+
+Create a pull request with governance references and optional canon sync:
+
+```bash
+collab end                              # create PR from current branch to development
+collab end --dry-run                    # preview PR without creating it
+collab end --title "feat: add login"    # override PR title
+collab end --base development           # specify target branch (default: development)
+collab end --skip-canon-sync            # skip canon sync PR generation
+```
+
+**Context detection:** Automatically parses issue numbers from branch names (e.g., `feature/42-add-login` links to issue #42). In indexed mode, the PR body includes GOV-R-001 phase checklist and governance references.
+
+**Canon sync (indexed mode):** When architecture changes are detected (`docs/architecture/`), a separate PR is created in the business-canon repo to complete Phase 5 (Canon Sync) of GOV-R-001.
+
 ## Local development
 
 | Script | Description |

package/dist/commands/end.js

@@ -0,0 +1,265 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseIssueFromBranch = parseIssueFromBranch;
+exports.registerEndCommand = registerEndCommand;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const command_context_1 = require("../lib/command-context");
+const errors_1 = require("../lib/errors");
+const github_api_1 = require("../lib/github-api");
+// ────────────────────────────────────────────────────────────────
+// Context detection helpers
+// ────────────────────────────────────────────────────────────────
+/**
+ * Parses an issue number from a branch name following the convention:
+ * `feature/42-add-login`, `fix/88-align-flow`, `refactor/10-cleanup`, etc.
+ */
+function parseIssueFromBranch(branch) {
+    const match = branch.match(/^(?:feature|fix|refactor|chore|docs|test)\/(\d+)/);
+    return match ? parseInt(match[1], 10) : null;
+}
+function getCurrentBranch(cwd) {
+    return (0, node_child_process_1.execFileSync)('git', ['rev-parse', '--abbrev-ref', 'HEAD'], {
+        cwd,
+        encoding: 'utf8',
+        stdio: ['ignore', 'pipe', 'ignore'],
+    }).trim();
+}
+function getCommitLog(cwd, base) {
+    try {
+        return (0, node_child_process_1.execFileSync)('git', ['log', '--oneline', `${base}..HEAD`], {
+            cwd,
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+        }).trim();
+    }
+    catch {
+        return '';
+    }
+}
+function hasGhCli() {
+    try {
+        (0, node_child_process_1.execFileSync)('gh', ['--version'], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+        });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+// ────────────────────────────────────────────────────────────────
+// PR body generation
+// ────────────────────────────────────────────────────────────────
+function buildPrBody(opts) {
+    const lines = ['## Summary', ''];
+    if (opts.issueNumber) {
+        lines.push(`Resolves #${opts.issueNumber}`, '');
+    }
+    if (opts.isIndexed) {
+        lines.push('## Governance', '');
+        if (opts.issueNumber) {
+            lines.push(`- **Issue**: #${opts.issueNumber}`);
+        }
+        lines.push('- **Phase**: Implementation (GOV-R-002)', '');
+        lines.push('## GOV-R-001 Phase Checklist', '');
+        lines.push('- [x] Phase 1: Epic Definition');
+        lines.push('- [x] Phase 2: User Story Decomposition');
+        lines.push('- [x] Phase 3: Sub-issue Assignment');
+        lines.push('- [x] Phase 4: Implementation');
+        lines.push('- [ ] Phase 5: Canon Sync');
+        lines.push('');
+    }
+    if (opts.commitLog) {
+        lines.push('## Changes', '', '```', opts.commitLog, '```', '');
+    }
+    return lines.join('\n');
+}
+// ────────────────────────────────────────────────────────────────
+// Canon sync PR generation (#94)
+// ────────────────────────────────────────────────────────────────
+function createCanonSyncPr(opts) {
+    const { cwd, canonSlug, repoSlug, issueNumber, dryRun, logger } = opts;
+    // Check if there are architecture changes
+    const archDir = node_path_1.default.join(cwd, 'docs', 'architecture');
+    if (!node_fs_1.default.existsSync(archDir)) {
+        logger.info('No docs/architecture directory found; skipping canon sync PR.');
+        return;
+    }
+    // Check for changes in architecture dir relative to base
+    let archChanges;
+    try {
+        archChanges = (0, node_child_process_1.execFileSync)('git', ['diff', '--name-only', 'development..HEAD', '--', 'docs/architecture/'], {
+            cwd,
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+        }).trim();
+    }
+    catch {
+        archChanges = '';
+    }
+    if (!archChanges) {
+        logger.info('No architecture changes detected; skipping canon sync PR.');
+        return;
+    }
+    const changedFiles = archChanges.split('\n').filter(Boolean);
+    const syncBranch = `canon-sync/${repoSlug.split('/')[1]}${issueNumber ? `-${issueNumber}` : ''}`;
+    const body = [
+        '## Canon Sync',
+        '',
+        `Source: ${repoSlug}${issueNumber ? `#${issueNumber}` : ''}`,
+        '',
+        '### Updated files',
+        '',
+        ...changedFiles.map((f) => `- \`${f}\``),
+        '',
+        '### Governance',
+        '',
+        `This PR completes Phase 5 (Canon Sync) of GOV-R-001.`,
+        '',
+    ].join('\n');
+    if (dryRun) {
+        logger.info(`[dry-run] Would create canon sync PR in ${canonSlug}:`);
+        logger.info(`  Branch: ${syncBranch}`);
+        logger.info(`  Changed files: ${changedFiles.length}`);
+        return;
+    }
+    // Create canon sync PR via gh CLI
+    try {
+        (0, node_child_process_1.execFileSync)('gh', [
+            'pr', 'create',
+            '-R', canonSlug,
+            '--base', 'development',
+            '--head', syncBranch,
+            '--title', `Canon sync — ${repoSlug.split('/')[1]}${issueNumber ? ` #${issueNumber}` : ''}`,
+            '--body', body,
+        ], {
+            cwd,
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+        logger.info(`Canon sync PR created in ${canonSlug}.`);
+    }
+    catch {
+        logger.warn(`Could not create canon sync PR in ${canonSlug}.\n` +
+            `Create it manually with: gh pr create -R ${canonSlug} --base development`);
+    }
+}
+// ────────────────────────────────────────────────────────────────
+// Command registration
+// ────────────────────────────────────────────────────────────────
+function registerEndCommand(program) {
+    program
+        .command('end')
+        .description('Finalize current work: create PR with governance references')
+        .option('--dry-run', 'Show what would be done without executing')
+        .option('--skip-canon-sync', 'Skip canon sync PR generation')
+        .option('--title <title>', 'Override PR title')
+        .option('--base <branch>', 'Target branch (default: development)')
+        .addHelpText('after', `
+Examples:
+  collab end
+  collab end --dry-run
+  collab end --title "feat: add login page" --base development
+  collab end --skip-canon-sync
+`)
+        .action((options, command) => {
+        const context = (0, command_context_1.createCommandContext)(command);
+        const cwd = context.config.workspaceDir;
+        const base = options.base ?? 'development';
+        // Validate: collab workspace exists
+        if (!node_fs_1.default.existsSync(context.config.configFile)) {
+            throw new errors_1.CliError('Not in a collab workspace. Run collab init first.');
+        }
+        // Validate: gh CLI available
+        if (!hasGhCli()) {
+            throw new errors_1.CliError('GitHub CLI (gh) is required for collab end.\n' +
+                'Install it: https://cli.github.com/');
+        }
+        // Detect context
+        const branch = getCurrentBranch(cwd);
+        if (branch === 'development' || branch === 'main') {
+            throw new errors_1.CliError(`Cannot create PR from "${branch}". Switch to a feature branch first.\n` +
+                'Example: git checkout -b feature/42-description');
+        }
+        const commitLog = getCommitLog(cwd, base);
+        if (!commitLog) {
+            throw new errors_1.CliError(`No commits ahead of "${base}". Nothing to create a PR for.`);
+        }
+        const issueNumber = parseIssueFromBranch(branch);
+        const identity = (0, github_api_1.resolveGitHubOwnerRepo)(cwd);
+        const canonSlug = context.config.canons?.business?.repo;
+        const isIndexed = context.config.mode === 'indexed';
+        // Build PR title
+        const prTitle = options.title ?? (issueNumber
+            ? `${branch.replace(/^(feature|fix|refactor|chore|docs|test)\/\d+-?/, '').replace(/-/g, ' ').trim() || `Resolve #${issueNumber}`}`
+            : branch.replace(/^(feature|fix|refactor|chore|docs|test)\//, '').replace(/-/g, ' ').trim());
+        // Build PR body
+        const prBody = buildPrBody({
+            issueNumber,
+            commitLog,
+            canonSlug,
+            isIndexed,
+        });
+        if (options.dryRun) {
+            context.logger.info(`[dry-run] Would create PR:`);
+            context.logger.info(`  Repo:   ${identity?.slug ?? cwd}`);
+            context.logger.info(`  Branch: ${branch} → ${base}`);
+            context.logger.info(`  Title:  ${prTitle}`);
+            if (issueNumber)
+                context.logger.info(`  Issue:  #${issueNumber}`);
+            context.logger.info('');
+            context.logger.info('PR body:');
+            context.logger.info(prBody);
+            if (!options.skipCanonSync && isIndexed && canonSlug) {
+                createCanonSyncPr({
+                    cwd,
+                    canonSlug,
+                    repoSlug: identity?.slug ?? '',
+                    issueNumber,
+                    branch,
+                    dryRun: true,
+                    logger: context.logger,
+                });
+            }
+            return;
+        }
+        // Create implementation PR
+        context.logger.info(`Creating PR: ${branch} → ${base}...`);
+        let prResult;
+        try {
+            prResult = (0, node_child_process_1.execFileSync)('gh', [
+                'pr', 'create',
+                '--base', base,
+                '--title', prTitle,
+                '--body', prBody,
+            ], {
+                cwd,
+                encoding: 'utf8',
+                stdio: ['ignore', 'pipe', 'pipe'],
+            }).trim();
+        }
+        catch {
+            throw new errors_1.CliError(`Failed to create PR. Ensure you are authenticated with gh CLI.\n` +
+                `Run: gh auth login`);
+        }
+        context.logger.info(`PR created: ${prResult}`);
+        // Canon sync PR (Phase 5)
+        if (!options.skipCanonSync && isIndexed && canonSlug) {
+            createCanonSyncPr({
+                cwd,
+                canonSlug,
+                repoSlug: identity?.slug ?? '',
+                issueNumber,
+                branch,
+                dryRun: false,
+                logger: context.logger,
+            });
+        }
+    });
+}

package/dist/commands/index.js

@@ -4,6 +4,7 @@ exports.registerCommands = registerCommands;
 const canon_1 = require("./canon");
 const compose_1 = require("./compose");
 const doctor_1 = require("./doctor");
+const end_1 = require("./end");
 const infra_1 = require("./infra");
 const init_1 = require("./init");
 const mcp_1 = require("./mcp");
@@ -14,6 +15,7 @@ const update_canons_1 = require("./update-canons");
 const upgrade_1 = require("./upgrade");
 function registerCommands(program) {
     (0, init_1.registerInitCommand)(program);
+    (0, end_1.registerEndCommand)(program);
     (0, canon_1.registerCanonCommand)(program);
     (0, compose_1.registerComposeCommand)(program);
     (0, infra_1.registerInfraCommand)(program);

package/dist/commands/init.js

@@ -19,6 +19,7 @@ const mcp_contract_1 = require("../lib/mcp-contract");
 const mode_1 = require("../lib/mode");
 const parsers_1 = require("../lib/parsers");
 const orchestrator_1 = require("../lib/orchestrator");
+const github_api_1 = require("../lib/github-api");
 const github_auth_1 = require("../lib/github-auth");
 const prompt_1 = require("../lib/prompt");
 const preflight_1 = require("../lib/preflight");
@@ -34,6 +35,7 @@ const repo_analysis_1 = require("../stages/repo-analysis");
 const repo_analysis_fileonly_1 = require("../stages/repo-analysis-fileonly");
 const agent_skills_setup_1 = require("../stages/agent-skills-setup");
 const ci_setup_1 = require("../stages/ci-setup");
+const github_setup_1 = require("../stages/github-setup");
 const domain_gen_1 = require("../stages/domain-gen");
 const canon_resolver_1 = require("../lib/canon-resolver");
 const providers_1 = require("../lib/providers");
@@ -192,7 +194,10 @@ function buildGitHubAuthStage(effectiveConfig, logger, options) {
             'Run collab init --resume after fixing GitHub access.',
         ],
         run: async () => {
-            // Skip if no business canon or local source — GitHub auth only needed for remote repos
+            // Skip GitHub auth when no GitHub canon is configured.
+            // In indexed mode, a GitHub canon is always required (enforced
+            // by parseBusinessCanonOption), so this check only triggers in
+            // file-only mode or when preserving an existing config.
             const canon = effectiveConfig.canons?.business;
             if (!canon || canon.source === 'local') {
                 logger.info('No GitHub canon configured; skipping GitHub authorization.');
@@ -274,7 +279,15 @@ function resolveLocalCanonPath(rawPath) {
     }
     return resolved;
 }
-function parseBusinessCanonOption(value) {
+function parseBusinessCanonOption(value, mode = 'file-only') {
+    if (mode === 'indexed') {
+        if (!value || value === 'none' || value === 'skip') {
+            throw new errors_1.CliError('Business canon is required for indexed mode. Use --business-canon owner/repo.');
+        }
+        if (LOCAL_PATH_RE.test(value)) {
+            throw new errors_1.CliError('Local business canon is not supported in indexed mode. Use --business-canon owner/repo (GitHub).');
+        }
+    }
     if (!value || value === 'none' || value === 'skip') {
         return undefined;
     }
@@ -305,15 +318,24 @@ function parseBusinessCanonOption(value) {
     };
 }
 async function resolveBusinessCanon(options, config, logger) {
+    const isIndexed = config.mode === 'indexed';
     // CLI flag takes priority
     if (options.businessCanon) {
-        return parseBusinessCanonOption(options.businessCanon);
+        return parseBusinessCanonOption(options.businessCanon, config.mode);
     }
     // --yes without --business-canon: mandatory error
     if (options.yes) {
+        if (isIndexed) {
+            throw new errors_1.CliError('--business-canon owner/repo is required with --yes in indexed mode.');
+        }
         throw new errors_1.CliError('--business-canon is required with --yes. Use --business-canon owner/repo, --business-canon /local/path, or --business-canon none.');
     }
-    // Interactive: choose source
+    // Interactive indexed: go straight to GitHub search (no local/skip options)
+    if (isIndexed) {
+        logger.info('Indexed mode requires a GitHub business canon.');
+        return resolveGitHubBusinessCanon(config, logger);
+    }
+    // Interactive file-only: choose source
     const source = await (0, prompt_1.promptChoice)('Business canon source:', [
         { value: 'github', label: 'GitHub repository (search and select)' },
         { value: 'local', label: 'Local directory' },
@@ -442,18 +464,26 @@ function parseRepos(value) {
         return null;
     return value.split(',').map((r) => r.trim()).filter(Boolean);
 }
-async function resolveWorkspace(workspaceDir, options, logger) {
+async function resolveWorkspace(workspaceDir, options, logger, mode = 'file-only') {
     const name = (0, config_1.deriveWorkspaceName)(workspaceDir);
+    const isIndexed = mode === 'indexed';
     // Explicit --repos flag takes priority
     const explicit = parseRepos(options.repos);
     if (explicit && explicit.length > 0) {
-        const type = explicit.length >= 2 ? 'multi-repo' : 'mono-repo';
+        // In indexed mode, always force multi-repo type
+        const type = isIndexed || explicit.length >= 2 ? 'multi-repo' : 'mono-repo';
         logger.info(`Workspace mode: ${explicit.length} repo(s) specified: ${explicit.join(', ')}`);
         return { name, type, repos: explicit };
     }
     // Auto-detect workspace layout
     const layout = (0, config_1.detectWorkspaceLayout)(workspaceDir);
     if (layout) {
+        // Indexed mode: reject mono-repo
+        if (isIndexed && layout.type === 'mono-repo') {
+            throw new errors_1.CliError('Indexed mode requires a multi-repo workspace (business-canon + at least 1 governed repo).\n' +
+                'Current directory is detected as mono-repo. ' +
+                'Run from a parent directory containing multiple git repositories.');
+        }
         if (options.yes) {
             logger.info(`Workspace auto-detected (${layout.type}): ${layout.repos.length} repo(s) found: ${layout.repos.join(', ')}`);
             return { name, type: layout.type, repos: layout.repos };
@@ -465,11 +495,16 @@ async function resolveWorkspace(workspaceDir, options, logger) {
                 return null;
             return { name, type: 'multi-repo', repos: selected };
         }
-        // mono-repo auto-detected
+        // mono-repo auto-detected (file-only only — indexed rejected above)
         logger.info(`Mono-repo workspace detected: ${layout.repos.join(', ')}`);
         return { name, type: 'mono-repo', repos: layout.repos };
     }
     // No repos found
+    if (isIndexed) {
+        throw new errors_1.CliError('Indexed mode requires a multi-repo workspace with at least 1 governed repo.\n' +
+            'No git repositories found in the workspace directory.\n' +
+            'Clone your repos from GitHub and re-run.');
+    }
     if (options.yes) {
         // Non-interactive with no repos → treat cwd as mono-repo
         logger.info('No repos discovered; initializing as mono-repo workspace.');
@@ -597,6 +632,7 @@ function buildInfraStages(effectiveConfig, executor, logger, options, composeMod
         },
         graph_seed_1.graphSeedStage,
         canon_ingest_1.canonIngestStage,
+        github_setup_1.githubSetupStage,
     ];
 }
 // ────────────────────────────────────────────────────────────────
@@ -661,6 +697,7 @@ function buildRemoteInfraStages(effectiveConfig, executor, logger, options, mcpU
         },
         graph_seed_1.graphSeedStage,
         canon_ingest_1.canonIngestStage,
+        github_setup_1.githubSetupStage,
     ];
 }
 // ────────────────────────────────────────────────────────────────
@@ -680,28 +717,6 @@ function buildFileOnlyPipeline(effectiveConfig, executor, logger, configExistedB
     ];
 }
 // ────────────────────────────────────────────────────────────────
-// Indexed pipeline (15 stages)
-// ────────────────────────────────────────────────────────────────
-function buildIndexedPipeline(effectiveConfig, executor, logger, configExistedBefore, options, composeMode, infraType = 'local', mcpUrl) {
-    const infraStages = infraType === 'remote' && mcpUrl
-        ? buildRemoteInfraStages(effectiveConfig, executor, logger, options, mcpUrl)
-        : buildInfraStages(effectiveConfig, executor, logger, options, composeMode);
-    return [
-        // Phase A — Local setup (shared with file-only)
-        buildPreflightStage(executor, logger, infraType === 'local' ? 'indexed' : undefined),
-        buildConfigStage(effectiveConfig, executor, logger, configExistedBefore, options.force),
-        buildGitHubAuthStage(effectiveConfig, logger, options),
-        assistant_setup_1.assistantSetupStage,
-        canon_sync_1.canonSyncStage,
-        repo_scaffold_1.repoScaffoldStage,
-        repo_analysis_1.repoAnalysisStage,
-        ci_setup_1.ciSetupStage,
-        agent_skills_setup_1.agentSkillsSetupStage,
-        // Phase B — Infrastructure + Phase C — Ingestion
-        ...infraStages,
-    ];
-}
-// ────────────────────────────────────────────────────────────────
 // Standalone infra phase  (collab init infra)
 // ────────────────────────────────────────────────────────────────
 async function runInfraOnly(context, options) {
@@ -816,8 +831,22 @@ async function runRepoDomainGeneration(context, options) {
         ...(0, config_1.defaultCollabConfig)(context.config.workspaceDir),
         ...context.config,
     };
+    // Resolve mode early so parseBusinessCanonOption gets the correct mode context
+    let mode;
+    if (options.mode) {
+        mode = (0, mode_1.parseMode)(options.mode);
+    }
+    else if (options.yes) {
+        mode = 'file-only';
+    }
+    else {
+        mode = await (0, prompt_1.promptChoice)('Select domain generation mode:', [
+            { value: 'file-only', label: 'file-only (write domain files to local repo only)' },
+            { value: 'indexed', label: 'indexed (write to business canon + ingest into MCP)' },
+        ], 'file-only');
+    }
     // Resolve business canon if passed via flag (but don't require it for file-only)
-    const canons = options.businessCanon ? parseBusinessCanonOption(options.businessCanon) : undefined;
+    const canons = options.businessCanon ? parseBusinessCanonOption(options.businessCanon, mode) : undefined;
     if (canons) {
         effectiveConfig.canons = canons;
     }
@@ -831,20 +860,6 @@ async function runRepoDomainGeneration(context, options) {
             context.logger.info('GitHub token stored from --github-token flag.');
         }
     }
-    // Resolve mode
-    let mode;
-    if (options.mode) {
-        mode = (0, mode_1.parseMode)(options.mode);
-    }
-    else if (options.yes) {
-        mode = 'file-only';
-    }
-    else {
-        mode = await (0, prompt_1.promptChoice)('Select domain generation mode:', [
-            { value: 'file-only', label: 'file-only (write domain files to local repo only)' },
-            { value: 'indexed', label: 'indexed (write to business canon + ingest into MCP)' },
-        ], 'file-only');
-    }
     // Validate prerequisites
     if (mode === 'indexed' && !(0, canon_resolver_1.isBusinessCanonConfigured)(effectiveConfig)) {
         throw new errors_1.CliError('Business canon is required for indexed mode. ' +
@@ -901,6 +916,7 @@ function registerInitCommand(program) {
         .option('--skip-mcp-snippets', 'Skip MCP client config snippet generation')
         .option('--skip-analysis', 'Skip AI-powered repository analysis stage')
         .option('--skip-ci', 'Skip CI workflow generation')
+        .option('--skip-github-setup', 'Skip GitHub branch model and workflow configuration')
         .option('--providers <list>', 'Comma-separated AI provider list (codex,claude,gemini,copilot)')
         .option('--business-canon <value>', 'Business canon: owner/repo, /local/path, or "none" to skip')
         .option('--github-token <token>', 'GitHub token for non-interactive mode')
@@ -964,10 +980,14 @@ Examples:
             mcpUrl: preserveExisting ? context.config.mcpUrl : selections.mcpUrl,
         };
         // ── Step 2: Business canon configuration ──────────────────
-        context.logger.phaseHeader('collab init', 'Business Canon');
-        const canons = await resolveBusinessCanon(options, effectiveConfig, context.logger);
-        if (canons) {
-            effectiveConfig.canons = canons;
+        // When preserving an existing config (no --force), skip canon
+        // resolution — the existing canon config is already merged.
+        if (!preserveExisting) {
+            context.logger.phaseHeader('collab init', 'Business Canon');
+            const canons = await resolveBusinessCanon(options, effectiveConfig, context.logger);
+            if (canons) {
+                effectiveConfig.canons = canons;
+            }
         }
         const stageOptions = {
             yes: options.yes,
@@ -975,13 +995,14 @@ Examples:
             outputDir: options.outputDir,
             skipAnalysis: options.skipAnalysis,
             skipCi: options.skipCi,
+            skipGithubSetup: options.skipGithubSetup,
         };
         // ── Workspace detection ───────────────────────────────────
         // Prefer persisted workspace config when it exists (unless
         // --force or explicit --repos override is provided).
         const ws = !options.force && !options.repos && context.config.workspace
             ? context.config.workspace
-            : await resolveWorkspace(context.config.workspaceDir, options, context.logger);
+            : await resolveWorkspace(context.config.workspaceDir, options, context.logger, selections.mode);
         if (ws) {
             // ── WORKSPACE MODE ────────────────────────────────────
             effectiveConfig.workspace = { name: ws.name, type: ws.type, repos: ws.repos };
@@ -989,7 +1010,6 @@ Examples:
                 ...effectiveConfig.compose,
                 projectName: `collab-${ws.name}`,
             };
-            const repoConfigs = (0, config_1.resolveRepoConfigs)(effectiveConfig);
             // Phase W — workspace-level stages
             context.logger.phaseHeader('Workspace Setup', `${ws.repos.length} repositories (${ws.type})`);
             const workspaceStages = buildWorkspaceStages(effectiveConfig, context.executor, context.logger, configExistedBefore, options);
@@ -1002,7 +1022,22 @@ Examples:
                 mode: `${selections.mode} (workspace)`,
                 stageOptions,
             }, workspaceStages);
+            // ── Indexed mode: validate all repos are GitHub repos with access ──
+            if (selections.mode === 'indexed' && context.executor.dryRun) {
+                context.logger.info('[dry-run] Would validate GitHub remotes and token access for workspace repos.');
+            }
+            else if (selections.mode === 'indexed') {
+                context.logger.phaseHeader('Repository Validation', 'GitHub access');
+                const auth = (0, github_auth_1.loadGitHubAuth)(effectiveConfig.collabDir);
+                if (!auth) {
+                    throw new errors_1.CliError('GitHub authorization required but token not found after auth stage.');
+                }
+                const validRepos = await (0, github_api_1.validateWorkspaceRepos)(ws.repos, effectiveConfig.workspaceDir, auth.token, context.logger);
+                effectiveConfig.workspace = { ...effectiveConfig.workspace, repos: validRepos };
+                ws.repos = validRepos;
+            }
             // Phase R — per-repo stages
+            const repoConfigs = (0, config_1.resolveRepoConfigs)(effectiveConfig);
             context.logger.phaseHeader('Repository Analysis', `${selections.mode} mode`);
             const perRepoStages = buildPerRepoStages(selections.mode);
             for (const [i, rc] of repoConfigs.entries()) {
@@ -1037,11 +1072,13 @@ Examples:
             }
         }
         else {
-            // ── SINGLE-REPO MODE (unchanged) ──────────────────────
+            // ── SINGLE-REPO MODE ─────────────────────────────────
+            if (selections.mode === 'indexed') {
+                throw new errors_1.CliError('Indexed mode requires a multi-repo workspace.\n' +
+                    'Run from a workspace directory with multiple git repos, or use --repos to specify repos.');
+            }
             context.logger.phaseHeader('Project Setup', selections.mode);
-            const stages = selections.mode === 'file-only'
-                ? buildFileOnlyPipeline(effectiveConfig, context.executor, context.logger, configExistedBefore, options)
-                : buildIndexedPipeline(effectiveConfig, context.executor, context.logger, configExistedBefore, options, selections.composeMode, selections.infraType, selections.mcpUrl);
+            const stages = buildFileOnlyPipeline(effectiveConfig, context.executor, context.logger, configExistedBefore, options);
             await (0, orchestrator_1.runOrchestration)({
                 workflowId: 'init',
                 config: effectiveConfig,

package/dist/lib/executor.js

@@ -38,6 +38,7 @@ class Executor {
         const result = (0, node_child_process_1.spawnSync)(commandName, args, {
             cwd: options.cwd ?? this.cwd,
             encoding: 'utf8',
+            ...(options.input !== undefined ? { input: options.input } : {}),
         });
         if (result.error) {
             const errorCode = result.error.code;

package/dist/lib/github-api.js

@@ -0,0 +1,375 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeGitHubRemote = normalizeGitHubRemote;
+exports.resolveGitHubOwnerRepo = resolveGitHubOwnerRepo;
+exports.verifyGitHubAccess = verifyGitHubAccess;
+exports.validateWorkspaceRepos = validateWorkspaceRepos;
+exports.getRepoInfo = getRepoInfo;
+exports.getBranchRef = getBranchRef;
+exports.createBranch = createBranch;
+exports.setDefaultBranch = setDefaultBranch;
+exports.setBranchProtection = setBranchProtection;
+exports.setMergeStrategy = setMergeStrategy;
+exports.configureRepo = configureRepo;
+const node_child_process_1 = require("node:child_process");
+const node_path_1 = __importDefault(require("node:path"));
+const errors_1 = require("./errors");
+const GITHUB_API_VERSION = '2022-11-28';
+const ACCESS_CHECK_TIMEOUT_MS = 10_000;
+// ────────────────────────────────────────────────────────────────
+// Remote URL normalization
+// ────────────────────────────────────────────────────────────────
+/**
+ * Normalizes a git remote URL to a GitHub `owner/repo` slug.
+ * Handles HTTPS, SSH (`git@`), and `ssh://` URL formats.
+ * Returns `null` if the remote is not a `github.com` URL.
+ */
+function normalizeGitHubRemote(remoteUrl) {
+    if (!/github\.com[:/]/i.test(remoteUrl)) {
+        return null;
+    }
+    const slug = remoteUrl
+        .trim()
+        .replace(/\/+$/, '')
+        .replace(/\.git$/, '')
+        .replace(/^https?:\/\/github\.com\//i, '')
+        .replace(/^git@github\.com:/i, '')
+        .replace(/^ssh:\/\/git@github\.com\//i, '');
+    const parts = slug.split('/').filter(Boolean);
+    if (parts.length < 2) {
+        return null;
+    }
+    return `${parts[0]}/${parts[1]}`;
+}
+/**
+ * Reads the `origin` remote URL of a local git repo and extracts
+ * the GitHub owner/repo identity.
+ * Returns `null` if the repo has no git origin, no remote, or a non-GitHub remote.
+ */
+function resolveGitHubOwnerRepo(repoDir) {
+    let remoteUrl;
+    try {
+        remoteUrl = (0, node_child_process_1.execFileSync)('git', ['-C', repoDir, 'remote', 'get-url', 'origin'], { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] }).trim();
+    }
+    catch {
+        return null;
+    }
+    const slug = normalizeGitHubRemote(remoteUrl);
+    if (!slug) {
+        return null;
+    }
+    const [owner, repo] = slug.split('/');
+    return { owner, repo, slug };
+}
+// ────────────────────────────────────────────────────────────────
+// GitHub access verification
+// ────────────────────────────────────────────────────────────────
+/**
+ * Verifies the GitHub token has read access to the given repo.
+ * Returns `true` if `GET /repos/{slug}` returns 200.
+ */
+async function verifyGitHubAccess(slug, token) {
+    const url = `https://api.github.com/repos/${slug}`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), ACCESS_CHECK_TIMEOUT_MS);
+    try {
+        const response = await fetch(url, {
+            headers: {
+                Authorization: `Bearer ${token}`,
+                Accept: 'application/vnd.github+json',
+                'X-GitHub-Api-Version': GITHUB_API_VERSION,
+            },
+            signal: controller.signal,
+        });
+        return response.ok;
+    }
+    catch {
+        return false;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+// ────────────────────────────────────────────────────────────────
+// Workspace repo validation
+// ────────────────────────────────────────────────────────────────
+/**
+ * Validates that workspace repos have GitHub origin remotes with token access.
+ * Returns only the repos that pass. Throws `CliError` if zero repos pass.
+ */
+async function validateWorkspaceRepos(repoNames, workspaceDir, token, logger) {
+    const valid = [];
+    const excluded = [];
+    for (const name of repoNames) {
+        const repoDir = node_path_1.default.join(workspaceDir, name);
+        const identity = resolveGitHubOwnerRepo(repoDir);
+        if (!identity) {
+            excluded.push({ name, reason: 'no GitHub remote' });
+            logger.warn(`Excluding "${name}": no GitHub origin remote found.`);
+            continue;
+        }
+        const hasAccess = await verifyGitHubAccess(identity.slug, token);
+        if (!hasAccess) {
+            excluded.push({ name, reason: `no access to ${identity.slug}` });
+            logger.warn(`Excluding "${name}" (${identity.slug}): GitHub token lacks access.`);
+            continue;
+        }
+        logger.info(`Repo "${name}" (${identity.slug}): GitHub access verified.`);
+        valid.push(name);
+    }
+    if (excluded.length > 0) {
+        logger.info(`Excluded ${excluded.length} repo(s): ${excluded.map((e) => `${e.name} (${e.reason})`).join(', ')}`);
+    }
+    if (valid.length === 0) {
+        throw new errors_1.CliError('No repos in the workspace have a valid GitHub remote with token access.\n' +
+            'Indexed mode requires at least 1 governed GitHub repo in addition to the business canon.\n' +
+            'Clone your repos from GitHub and re-run.');
+    }
+    logger.info(`Found ${valid.length} governed repo(s): ${valid.join(', ')}`);
+    return valid;
+}
+/**
+ * Fetches repository metadata from the GitHub API.
+ */
+async function getRepoInfo(slug, token) {
+    const url = `https://api.github.com/repos/${slug}`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), ACCESS_CHECK_TIMEOUT_MS);
+    try {
+        const response = await fetch(url, {
+            headers: {
+                Authorization: `Bearer ${token}`,
+                Accept: 'application/vnd.github+json',
+                'X-GitHub-Api-Version': GITHUB_API_VERSION,
+            },
+            signal: controller.signal,
+        });
+        if (!response.ok) {
+            throw new errors_1.CliError(`GitHub API error ${response.status} for ${slug}: ${response.statusText}`);
+        }
+        const data = (await response.json());
+        return {
+            default_branch: data.default_branch,
+            allow_merge_commit: data.allow_merge_commit,
+            allow_squash_merge: data.allow_squash_merge,
+            allow_rebase_merge: data.allow_rebase_merge,
+            delete_branch_on_merge: data.delete_branch_on_merge,
+        };
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+// ────────────────────────────────────────────────────────────────
+// Branch operations
+// ────────────────────────────────────────────────────────────────
+/**
+ * Gets the SHA of a branch ref. Returns `null` if the branch does not exist (404).
+ */
+async function getBranchRef(slug, branch, token) {
+    const url = `https://api.github.com/repos/${slug}/git/ref/heads/${branch}`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), ACCESS_CHECK_TIMEOUT_MS);
+    try {
+        const response = await fetch(url, {
+            headers: {
+                Authorization: `Bearer ${token}`,
+                Accept: 'application/vnd.github+json',
+                'X-GitHub-Api-Version': GITHUB_API_VERSION,
+            },
+            signal: controller.signal,
+        });
+        if (response.status === 404) {
+            return null;
+        }
+        if (!response.ok) {
+            throw new errors_1.CliError(`GitHub API error ${response.status} checking branch ${branch} for ${slug}`);
+        }
+        const data = (await response.json());
+        return data.object.sha;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * Creates a new branch from a given SHA. Idempotent: swallows 422 "Reference already exists".
+ */
+async function createBranch(slug, branch, fromSha, token) {
+    const url = `https://api.github.com/repos/${slug}/git/refs`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), ACCESS_CHECK_TIMEOUT_MS);
+    try {
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${token}`,
+                Accept: 'application/vnd.github+json',
+                'X-GitHub-Api-Version': GITHUB_API_VERSION,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({ ref: `refs/heads/${branch}`, sha: fromSha }),
+            signal: controller.signal,
+        });
+        // 422 = "Reference already exists" — idempotent, safe to ignore
+        if (response.status === 422) {
+            return;
+        }
+        if (!response.ok) {
+            throw new errors_1.CliError(`GitHub API error ${response.status} creating branch ${branch} for ${slug}`);
+        }
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+// ────────────────────────────────────────────────────────────────
+// Repo configuration
+// ────────────────────────────────────────────────────────────────
+/**
+ * Sets the default branch for a repository.
+ * Idempotent: skips if already set.
+ */
+async function setDefaultBranch(slug, branch, token) {
+    const url = `https://api.github.com/repos/${slug}`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), ACCESS_CHECK_TIMEOUT_MS);
+    try {
+        const response = await fetch(url, {
+            method: 'PATCH',
+            headers: {
+                Authorization: `Bearer ${token}`,
+                Accept: 'application/vnd.github+json',
+                'X-GitHub-Api-Version': GITHUB_API_VERSION,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({ default_branch: branch }),
+            signal: controller.signal,
+        });
+        if (!response.ok) {
+            throw new errors_1.CliError(`GitHub API error ${response.status} setting default branch for ${slug}`);
+        }
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * Applies branch protection rules. PUT is idempotent by HTTP spec.
+ */
+async function setBranchProtection(slug, branch, token) {
+    const url = `https://api.github.com/repos/${slug}/branches/${branch}/protection`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), ACCESS_CHECK_TIMEOUT_MS);
+    try {
+        const response = await fetch(url, {
+            method: 'PUT',
+            headers: {
+                Authorization: `Bearer ${token}`,
+                Accept: 'application/vnd.github+json',
+                'X-GitHub-Api-Version': GITHUB_API_VERSION,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+                required_status_checks: null,
+                enforce_admins: false,
+                required_pull_request_reviews: {
+                    required_approving_review_count: 1,
+                    dismiss_stale_reviews: true,
+                },
+                restrictions: null,
+            }),
+            signal: controller.signal,
+        });
+        if (!response.ok) {
+            throw new errors_1.CliError(`GitHub API error ${response.status} setting branch protection on ${branch} for ${slug}`);
+        }
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * Configures merge strategy: only merge commits, no squash/rebase, delete branch on merge.
+ * PATCH is safe to repeat.
+ */
+async function setMergeStrategy(slug, token) {
+    const url = `https://api.github.com/repos/${slug}`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), ACCESS_CHECK_TIMEOUT_MS);
+    try {
+        const response = await fetch(url, {
+            method: 'PATCH',
+            headers: {
+                Authorization: `Bearer ${token}`,
+                Accept: 'application/vnd.github+json',
+                'X-GitHub-Api-Version': GITHUB_API_VERSION,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+                allow_merge_commit: true,
+                allow_squash_merge: false,
+                allow_rebase_merge: false,
+                delete_branch_on_merge: true,
+            }),
+            signal: controller.signal,
+        });
+        if (!response.ok) {
+            throw new errors_1.CliError(`GitHub API error ${response.status} setting merge strategy for ${slug}`);
+        }
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * Orchestrates full GitHub configuration for a single repo:
+ * branch model → default branch → protection → merge strategy.
+ */
+async function configureRepo(slug, token, logger) {
+    logger.info(`Configuring branch model for ${slug}...`);
+    // 1. Get current repo info
+    const info = await getRepoInfo(slug, token);
+    // 2. Ensure both branches exist
+    const mainSha = await getBranchRef(slug, 'main', token);
+    const devSha = await getBranchRef(slug, 'development', token);
+    if (!mainSha && !devSha) {
+        // Neither exists — get the current default branch SHA and create both
+        const defaultSha = await getBranchRef(slug, info.default_branch, token);
+        if (!defaultSha) {
+            throw new errors_1.CliError(`Cannot resolve SHA for default branch "${info.default_branch}" of ${slug}`);
+        }
+        await createBranch(slug, 'main', defaultSha, token);
+        logger.info(`  Created branch "main" from "${info.default_branch}".`);
+        await createBranch(slug, 'development', defaultSha, token);
+        logger.info(`  Created branch "development" from "${info.default_branch}".`);
+    }
+    else if (!mainSha && devSha) {
+        await createBranch(slug, 'main', devSha, token);
+        logger.info(`  Created branch "main" from "development".`);
+    }
+    else if (mainSha && !devSha) {
+        await createBranch(slug, 'development', mainSha, token);
+        logger.info(`  Created branch "development" from "main".`);
+    }
+    else {
+        logger.info(`  Branches "main" and "development" already exist.`);
+    }
+    // 3. Set default branch to development
+    if (info.default_branch !== 'development') {
+        await setDefaultBranch(slug, 'development', token);
+        logger.info(`  Set default branch to "development" (was "${info.default_branch}").`);
+    }
+    else {
+        logger.info(`  Default branch is already "development".`);
+    }
+    // 4. Protect main
+    await setBranchProtection(slug, 'main', token);
+    logger.info(`  Applied branch protection on "main" (1 review required).`);
+    // 5. Merge strategy
+    await setMergeStrategy(slug, token);
+    logger.info(`  Merge strategy: merge-commit only, delete branch on merge.`);
+}

package/dist/stages/github-setup.js

@@ -0,0 +1,117 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.githubSetupStage = void 0;
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const config_1 = require("../lib/config");
+const github_api_1 = require("../lib/github-api");
+const github_auth_1 = require("../lib/github-auth");
+const errors_1 = require("../lib/errors");
+const guard_main_pr_1 = require("../templates/ci/guard-main-pr");
+const canon_sync_trigger_1 = require("../templates/ci/canon-sync-trigger");
+/**
+ * Configures GitHub repos: branch model, protection, merge strategy,
+ * guard-main-pr workflow, canon-sync-trigger workflow, and CANON_SYNC_PAT secret.
+ *
+ * Only runs in indexed mode. Skipped with `--skip-github-setup`.
+ */
+exports.githubSetupStage = {
+    id: 'github-setup',
+    title: 'Configure GitHub branch model, protections, and automation workflows',
+    recovery: [
+        'Ensure GitHub token has repo scope.',
+        'Run collab init --resume to retry GitHub setup.',
+        'Use --skip-github-setup to bypass this stage.',
+    ],
+    run: async (ctx) => {
+        if (ctx.options?.skipGithubSetup) {
+            ctx.logger.info('Skipping GitHub setup by user choice.');
+            return;
+        }
+        if (ctx.config.mode !== 'indexed') {
+            ctx.logger.info('GitHub setup is only available in indexed mode; skipping.');
+            return;
+        }
+        if (ctx.executor.dryRun) {
+            ctx.logger.info('[dry-run] Would configure GitHub branch model, protections, and workflows for workspace repos.');
+            return;
+        }
+        // Load GitHub token
+        const auth = (0, github_auth_1.loadGitHubAuth)(ctx.config.collabDir);
+        if (!auth) {
+            throw new errors_1.CliError('GitHub authorization required but token not found.\n' +
+                'Run collab init --resume after authenticating with GitHub.');
+        }
+        const { token } = auth;
+        // Resolve business canon slug
+        const canonSlug = ctx.config.canons?.business?.repo;
+        // Configure governed repos
+        const repoConfigs = (0, config_1.resolveRepoConfigs)(ctx.config);
+        for (const rc of repoConfigs) {
+            const identity = (0, github_api_1.resolveGitHubOwnerRepo)(rc.repoDir);
+            if (!identity) {
+                ctx.logger.warn(`Skipping "${rc.name}": no GitHub origin remote.`);
+                continue;
+            }
+            // Branch model + protection + merge strategy
+            await (0, github_api_1.configureRepo)(identity.slug, token, ctx.logger);
+            // guard-main-pr.yml
+            const guardPath = node_path_1.default.join(rc.repoDir, '.github', 'workflows', 'guard-main-pr.yml');
+            if (!node_fs_1.default.existsSync(guardPath)) {
+                ctx.executor.writeFile(guardPath, guard_main_pr_1.guardMainPrTemplate, {
+                    description: `write guard-main-pr workflow for ${rc.name}`,
+                });
+                ctx.logger.info(`  Created guard-main-pr.yml for ${rc.name}.`);
+            }
+            else {
+                ctx.logger.info(`  guard-main-pr.yml already exists for ${rc.name}; skipping.`);
+            }
+            // canon-sync-trigger.yml (only for governed repos, not the canon itself)
+            if (canonSlug && identity.slug !== canonSlug) {
+                const triggerPath = node_path_1.default.join(rc.repoDir, '.github', 'workflows', 'canon-sync-trigger.yml');
+                if (!node_fs_1.default.existsSync(triggerPath)) {
+                    ctx.executor.writeFile(triggerPath, (0, canon_sync_trigger_1.canonSyncTriggerTemplate)(canonSlug), {
+                        description: `write canon-sync-trigger workflow for ${rc.name}`,
+                    });
+                    ctx.logger.info(`  Created canon-sync-trigger.yml for ${rc.name}.`);
+                }
+                else {
+                    ctx.logger.info(`  canon-sync-trigger.yml already exists for ${rc.name}; skipping.`);
+                }
+                // CANON_SYNC_PAT secret via gh CLI (passed via stdin for security)
+                try {
+                    ctx.executor.run('gh', [
+                        'secret', 'set', 'CANON_SYNC_PAT',
+                        '-R', identity.slug,
+                    ], { check: true, input: token });
+                    ctx.logger.info(`  Set CANON_SYNC_PAT secret for ${identity.slug}.`);
+                }
+                catch {
+                    ctx.logger.warn(`  Could not set CANON_SYNC_PAT for ${identity.slug}.\n` +
+                        `  Set it manually: gh secret set CANON_SYNC_PAT -R ${identity.slug}`);
+                }
+            }
+        }
+        // Configure business-canon repo (same branch model, but no canon-sync-trigger)
+        if (canonSlug) {
+            ctx.logger.info(`Configuring business-canon repo: ${canonSlug}...`);
+            await (0, github_api_1.configureRepo)(canonSlug, token, ctx.logger);
+            // guard-main-pr.yml for the canon repo (write to local clone if available)
+            const canonLocalDir = ctx.config.canons?.business?.localDir;
+            if (canonLocalDir) {
+                const canonRepoDir = node_path_1.default.join(ctx.config.architectureDir, canonLocalDir);
+                const guardPath = node_path_1.default.join(canonRepoDir, '.github', 'workflows', 'guard-main-pr.yml');
+                if (node_fs_1.default.existsSync(canonRepoDir) && !node_fs_1.default.existsSync(guardPath)) {
+                    ctx.executor.writeFile(guardPath, guard_main_pr_1.guardMainPrTemplate, {
+                        description: `write guard-main-pr workflow for business-canon`,
+                    });
+                    ctx.logger.info(`  Created guard-main-pr.yml for business-canon.`);
+                }
+            }
+        }
+        ctx.logger.info('GitHub setup complete.');
+    },
+};

package/dist/templates/ci/canon-sync-trigger.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.canonSyncTriggerTemplate = canonSyncTriggerTemplate;
+/**
+ * Generates the canon-sync-trigger workflow template.
+ * On merge to main, creates an issue in the business-canon repo.
+ * Only generated for governed repos, NOT for the business-canon repo itself.
+ */
+function canonSyncTriggerTemplate(canonOwnerRepo) {
+    return `# Generated by collab-cli — triggers canon sync on merge to main.
+name: Canon Sync Trigger
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  trigger-canon-sync:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create canon sync issue
+        uses: actions/github-script@v7
+        with:
+          github-token: \${{ secrets.CANON_SYNC_PAT }}
+          script: |
+            const [owner, repo] = '${canonOwnerRepo}'.split('/');
+            await github.rest.issues.create({
+              owner, repo,
+              title: 'Canon sync required — ' + context.repo.repo,
+              body: '## Canon Sync Required\\n\\n'
+                + 'Merge to \\\`main\\\` in **' + context.repo.owner + '/' + context.repo.repo + '**.\\n\\n'
+                + '**Commit:** ' + context.sha + '\\n\\n'
+                + '> Created automatically by canon-sync-trigger.',
+              labels: ['canon-sync', 'automated'],
+            });
+`;
+}

package/dist/templates/ci/guard-main-pr.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.guardMainPrTemplate = void 0;
+exports.guardMainPrTemplate = `# Generated by collab-cli — blocks PRs to main that don't come from development.
+name: Guard Main PR Source
+
+on:
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, reopened]
+
+jobs:
+  check-source-branch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Verify PR comes from development
+        if: github.event.pull_request.head.ref != 'development'
+        run: |
+          echo "::error::PRs to main must come from the development branch."
+          exit 1
+      - name: PR source is valid
+        if: github.event.pull_request.head.ref == 'development'
+        run: echo "PR is from development branch — allowed."
+`;

package/dist/templates/ci/index.js

@@ -1,7 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.architectureMergeTemplate = exports.architecturePrTemplate = void 0;
+exports.canonSyncTriggerTemplate = exports.guardMainPrTemplate = exports.architectureMergeTemplate = exports.architecturePrTemplate = void 0;
 var architecture_pr_1 = require("./architecture-pr");
 Object.defineProperty(exports, "architecturePrTemplate", { enumerable: true, get: function () { return architecture_pr_1.architecturePrTemplate; } });
 var architecture_merge_1 = require("./architecture-merge");
 Object.defineProperty(exports, "architectureMergeTemplate", { enumerable: true, get: function () { return architecture_merge_1.architectureMergeTemplate; } });
+var guard_main_pr_1 = require("./guard-main-pr");
+Object.defineProperty(exports, "guardMainPrTemplate", { enumerable: true, get: function () { return guard_main_pr_1.guardMainPrTemplate; } });
+var canon_sync_trigger_1 = require("./canon-sync-trigger");
+Object.defineProperty(exports, "canonSyncTriggerTemplate", { enumerable: true, get: function () { return canon_sync_trigger_1.canonSyncTriggerTemplate; } });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@uxmaltech/collab-cli",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "CLI for collaborative architecture and delivery workflows.",
   "private": false,
   "license": "UNLICENSED",