clud-bug 0.7.0-rc.2 → 0.7.0-rc.4

package/data/canonical-v1.json

@@ -0,0 +1,37 @@
+{
+  "$comment": "Canonical branch protection ruleset for SkDD-conformant repos. Applied by `logmind init --configure-github`, `clud-bug init --configure-github`, and `reporulez`. Implements thrillmade/protocol SPEC §7. Schema-locked at v1; major bumps require coordinated tool releases.",
+  "version": "v1",
+  "spec_version": "0.1.2",
+  "branch_protection": {
+    "required_status_checks": {
+      "strict": true,
+      "contexts": [
+        "clud-bug-review",
+        "check-decisions",
+        "check-derived-docs",
+        "check-links",
+        "test"
+      ]
+    },
+    "required_pull_request_reviews": {
+      "required_approving_review_count": 1,
+      "dismiss_stale_reviews": false,
+      "require_code_owner_reviews": false
+    },
+    "required_conversation_resolution": true,
+    "enforce_admins": false,
+    "allow_force_pushes": false,
+    "allow_deletions": false,
+    "required_linear_history": false,
+    "allow_auto_merge": true,
+    "delete_branch_on_merge": true,
+    "squash_merge_commit_title": "PR_TITLE",
+    "squash_merge_commit_message": "PR_BODY"
+  },
+  "$notes": {
+    "required_approving_review_count": "1 — auto-satisfied by clud-bug[bot]'s APPROVE vote on clean reviews for org-member PRs (per SPEC §7.2.1). External-contributor PRs still need a human reviewer because the bot's APPROVE on first-time contributors is policy-gated. Repo-owners MAY raise above 1; tools MUST NOT lower below 1.",
+    "enforce_admins": "false so maintainers can land hotfixes outside the gate; the dogfood discipline expects this only for genuine emergencies (clud-bug review still runs but doesn't block)",
+    "contexts": "the four logmind workflow check names + clud-bug-review + a generic 'tests' context. Repos may add more, but MUST keep these. If a context name is renamed in workflow YAML, update the ruleset.",
+    "required_conversation_resolution": "true is the dogfood-defining rule: clud-bug findings must be resolved before merge"
+  }
+}

package/dist/cli/configure-github.d.ts

@@ -0,0 +1,39 @@
+import { loadCanonicalV1, type OctokitLike } from '../core/configure-github.js';
+export interface RunConfigureGithubOptions {
+    /** "owner/repo" target — required. */
+    target?: string | null;
+    /** Target branch (default `main`). */
+    branch?: string;
+    /** Render diff only; skip PATCH calls. */
+    dryRun?: boolean;
+    /** Suppress progress chatter; emit only the final `ok` summary. */
+    quiet?: boolean;
+    /** Resolver for the GitHub token (tests pass a stub). */
+    resolveToken?: () => Promise<string | null>;
+    /** Octokit factory (tests inject a fake; defaults to the gh-adapter). */
+    octokitFactory?: (token: string) => OctokitLike;
+    /** Stdout writer (tests capture). */
+    stdout?: (msg: string) => void;
+    /** Stderr writer (tests capture). */
+    stderr?: (msg: string) => void;
+}
+/**
+ * Entry point — wired into `clud-bug.js` dispatch. Returns a Node-style
+ * exit code so the dispatcher can `process.exit()` deterministically. We
+ * don't call `process.exit` ourselves so tests can drive the function
+ * without taking down the harness.
+ */
+export declare function runConfigureGithub(options: RunConfigureGithubOptions): Promise<number>;
+/**
+ * Builds an `OctokitLike` instance backed by `gh api` shell-outs. This
+ * lets us satisfy the structural interface without pulling in
+ * `@octokit/rest` as a runtime dep (~200KB). The App passes its real
+ * Octokit instance instead.
+ */
+export declare function ghCliOctokit(token: string): OctokitLike;
+/**
+ * Re-exported so callers can preload the ruleset (e.g. for a `--show-ruleset`
+ * flag in future). Currently exists for parity with the App's pattern.
+ */
+export { loadCanonicalV1 };
+//# sourceMappingURL=configure-github.d.ts.map

package/dist/cli/configure-github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"configure-github.d.ts","sourceRoot":"","sources":["../../src/cli/configure-github.ts"],"names":[],"mappings":"AAwBA,OAAO,EAEL,eAAe,EACf,KAAK,WAAW,EAEjB,MAAM,6BAA6B,CAAC;AAErC,MAAM,WAAW,yBAAyB;IACxC,sCAAsC;IACtC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,sCAAsC;IACtC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,mEAAmE;IACnE,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC5C,yEAAyE;IACzE,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,WAAW,CAAC;IAChD,qCAAqC;IACrC,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,qCAAqC;IACrC,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAChC;AAuBD;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,yBAAyB,GACjC,OAAO,CAAC,MAAM,CAAC,CA2FjB;AAkBD;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,CAyFvD;AAOD;;;GAGG;AACH,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/cli/configure-github.js

@@ -0,0 +1,222 @@
+// `clud-bug configure-github` CLI command — applies the SPEC §7 canonical
+// branch protection ruleset to a target repo.
+//
+// External users installing the App expect "best practice branch protection"
+// applied automatically. This command lets them opt in offline + dry-run
+// safely BEFORE the App's auto-setup runs server-side. Same core logic
+// powers both paths (the App imports `applyCanonicalRuleset` from
+// clud-bug/core; this CLI passes a `gh api`-wrapping adapter so users
+// don't need `@octokit/rest` on their machine).
+//
+// Usage:
+//
+//   clud-bug configure-github <owner>/<repo>
+//   clud-bug configure-github <owner>/<repo> --dry-run
+//   clud-bug configure-github <owner>/<repo> --branch develop
+//
+// Auth ladder:
+//
+//   1. `GITHUB_TOKEN` env var (CI-friendly, no `gh` install required)
+//   2. `gh auth token` (developer workstation default)
+//
+// If neither produces a token, exits 1 with a recovery message.
+import { spawn, spawnSync } from 'node:child_process';
+import { applyCanonicalRuleset, loadCanonicalV1, } from '../core/configure-github.js';
+const HELP = `clud-bug configure-github — apply SPEC §7 canonical branch protection.
+
+Usage:
+  clud-bug configure-github <owner>/<repo> [options]
+
+Options:
+  --dry-run         Compute diff and print it, but do NOT call PATCH endpoints.
+  --branch <name>   Target branch (default: main).
+  --quiet,-q        Suppress progress chatter; emit only the final summary.
+  --help,-h         Show this help.
+
+Auth (resolved in order):
+  1. GITHUB_TOKEN env var (CI-friendly)
+  2. \`gh auth token\` (developer workstation)
+
+Exit codes:
+  0  success or already-canonical
+  1  auth missing, PATCH error, or unrecoverable transport failure
+  2  CLI usage error (missing target, bad flag)
+`;
+/**
+ * Entry point — wired into `clud-bug.js` dispatch. Returns a Node-style
+ * exit code so the dispatcher can `process.exit()` deterministically. We
+ * don't call `process.exit` ourselves so tests can drive the function
+ * without taking down the harness.
+ */
+export async function runConfigureGithub(options) {
+    const { target, branch = 'main', dryRun = false, quiet = false, resolveToken = defaultResolveToken, octokitFactory = ghCliOctokit, stdout = (msg) => process.stdout.write(msg), stderr = (msg) => process.stderr.write(msg), } = options;
+    if (!target) {
+        stderr(HELP);
+        return 2;
+    }
+    const match = /^([^/]+)\/([^/]+)$/.exec(target);
+    if (!match) {
+        stderr(`clud-bug configure-github: target must be in owner/repo form, got "${target}".\n`);
+        return 2;
+    }
+    const [, owner, repo] = match;
+    const token = await resolveToken();
+    if (!token) {
+        stderr('clud-bug configure-github: no GitHub token found.\n' +
+            '  Set GITHUB_TOKEN, or install + auth gh: brew install gh && gh auth login\n');
+        return 1;
+    }
+    if (!quiet) {
+        stdout(`\u{1F41B} configure-github: applying canonical-v1 ruleset to ${owner}/${repo} (branch=${branch})\n`);
+    }
+    // Single-call orchestration: the CLI previously called
+    // applyCanonicalRuleset twice in apply mode (dry-run first to display the
+    // planned changes, then a real call to apply). That two-read pattern
+    // opened a TOCTOU window — concurrent changes between the two reads
+    // could make the displayed list diverge from the actually-applied list,
+    // and the dry-run cost a redundant API round-trip every time. Drop the
+    // preview-first read: pass `dryRun` straight through. The function's
+    // idempotency contract (returns `alreadyCanonical: true` + empty changes
+    // on a no-op) means we don't need a separate "look before you leap"
+    // call. Users who want preview semantics run `--dry-run` first as a
+    // distinct invocation — idiomatic CLI behavior. Surfaced by PR #166
+    // reviewer (CTO follow-up 2026-06-17).
+    const octokit = octokitFactory(token);
+    let result;
+    try {
+        result = await applyCanonicalRuleset(octokit, {
+            owner,
+            repo,
+            branch,
+            dryRun,
+        });
+    }
+    catch (err) {
+        stderr(`clud-bug configure-github: ${dryRun ? 'failed to read current state' : 'PATCH failed'}: ${stringifyError(err)}\n`);
+        return 1;
+    }
+    if (result.alreadyCanonical) {
+        if (!quiet)
+            stdout('  No changes — repo already matches canonical-v1.\n');
+        stdout(`ok configure-github: ${owner}/${repo} already canonical-v1\n`);
+        return 0;
+    }
+    if (!quiet) {
+        const verb = dryRun ? 'Planned' : 'Applied';
+        stdout(`  ${verb} changes (${result.changes.length}):\n`);
+        for (const c of result.changes)
+            stdout(`    - ${c}\n`);
+    }
+    if (dryRun) {
+        stdout(`ok configure-github: dry-run on ${owner}/${repo} — ${result.changes.length} change${result.changes.length === 1 ? '' : 's'} pending\n`);
+        return 0;
+    }
+    stdout(`ok configure-github: ${owner}/${repo} converged to canonical-v1 (${result.changes.length} change${result.changes.length === 1 ? '' : 's'})\n`);
+    return 0;
+}
+/**
+ * Auth ladder: env var first, then `gh auth token`. Surfaces a token
+ * string on success or `null` if neither source has one (caller prints
+ * the recovery hint).
+ */
+async function defaultResolveToken() {
+    const fromEnv = process.env.GITHUB_TOKEN?.trim();
+    if (fromEnv)
+        return fromEnv;
+    const result = spawnSync('gh', ['auth', 'token'], { encoding: 'utf8' });
+    if (result.status === 0) {
+        const tok = result.stdout.trim();
+        if (tok)
+            return tok;
+    }
+    return null;
+}
+/**
+ * Builds an `OctokitLike` instance backed by `gh api` shell-outs. This
+ * lets us satisfy the structural interface without pulling in
+ * `@octokit/rest` as a runtime dep (~200KB). The App passes its real
+ * Octokit instance instead.
+ */
+export function ghCliOctokit(token) {
+    // We pass GITHUB_TOKEN through the spawn env so gh's API surface picks
+    // it up consistently whether the user supplied env or gh auth.
+    const env = { ...process.env, GITHUB_TOKEN: token };
+    function ghApi(method, path, body) {
+        return new Promise((resolve, reject) => {
+            const args = ['api', '-X', method];
+            if (body !== undefined) {
+                args.push('--input', '-');
+            }
+            args.push(path);
+            // Add an Accept header so 404s return the structured error, not a
+            // friendlier shell hint. The wrapping err.message detection in
+            // `isBranchNotProtected` keys on the structured form.
+            args.push('-H', 'Accept: application/vnd.github+json');
+            const child = spawn('gh', args, {
+                env,
+                stdio: ['pipe', 'pipe', 'pipe'],
+            });
+            let stdout = '';
+            let stderr = '';
+            child.stdout.on('data', (d) => {
+                stdout += d.toString();
+            });
+            child.stderr.on('data', (d) => {
+                stderr += d.toString();
+            });
+            child.on('error', reject);
+            child.on('close', (code) => {
+                if (code !== 0) {
+                    const httpMatch = /HTTP (\d{3})/.exec(stderr);
+                    const status = httpMatch ? Number(httpMatch[1]) : undefined;
+                    const err = new Error((stderr.trim() || stdout.trim() || `gh api exited ${code}`).slice(0, 500));
+                    if (status !== undefined)
+                        err.status = status;
+                    reject(err);
+                    return;
+                }
+                try {
+                    resolve(stdout ? JSON.parse(stdout) : {});
+                }
+                catch (parseErr) {
+                    reject(parseErr);
+                }
+            });
+            if (body !== undefined) {
+                child.stdin.end(JSON.stringify(body));
+            }
+            else {
+                child.stdin.end();
+            }
+        });
+    }
+    return {
+        repos: {
+            async getBranchProtection({ owner, repo, branch }) {
+                const data = await ghApi('GET', `/repos/${owner}/${repo}/branches/${branch}/protection`);
+                return { data: data };
+            },
+            async updateBranchProtection({ owner, repo, branch, ...rest }) {
+                return ghApi('PUT', `/repos/${owner}/${repo}/branches/${branch}/protection`, rest);
+            },
+            async get({ owner, repo }) {
+                const data = await ghApi('GET', `/repos/${owner}/${repo}`);
+                return { data: data };
+            },
+            async update({ owner, repo, ...rest }) {
+                return ghApi('PATCH', `/repos/${owner}/${repo}`, rest);
+            },
+        },
+    };
+}
+function stringifyError(err) {
+    if (err instanceof Error)
+        return err.message;
+    return String(err);
+}
+/**
+ * Re-exported so callers can preload the ruleset (e.g. for a `--show-ruleset`
+ * flag in future). Currently exists for parity with the App's pattern.
+ */
+export { loadCanonicalV1 };
+//# sourceMappingURL=configure-github.js.map

package/dist/cli/configure-github.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"configure-github.js","sourceRoot":"","sources":["../../src/cli/configure-github.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,8CAA8C;AAC9C,EAAE;AACF,6EAA6E;AAC7E,yEAAyE;AACzE,uEAAuE;AACvE,kEAAkE;AAClE,sEAAsE;AACtE,gDAAgD;AAChD,EAAE;AACF,SAAS;AACT,EAAE;AACF,6CAA6C;AAC7C,uDAAuD;AACvD,8DAA8D;AAC9D,EAAE;AACF,eAAe;AACf,EAAE;AACF,sEAAsE;AACtE,uDAAuD;AACvD,EAAE;AACF,gEAAgE;AAEhE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EACL,qBAAqB,EACrB,eAAe,GAGhB,MAAM,6BAA6B,CAAC;AAqBrC,MAAM,IAAI,GAAG;;;;;;;;;;;;;;;;;;;CAmBZ,CAAC;AAEF;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAkC;IAElC,MAAM,EACJ,MAAM,EACN,MAAM,GAAG,MAAM,EACf,MAAM,GAAG,KAAK,EACd,KAAK,GAAG,KAAK,EACb,YAAY,GAAG,mBAAmB,EAClC,cAAc,GAAG,YAAY,EAC7B,MAAM,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAC3C,MAAM,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,GAC5C,GAAG,OAAO,CAAC;IAEZ,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC,CAAC;QACb,OAAO,CAAC,CAAC;IACX,CAAC;IACD,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CACJ,sEAAsE,MAAM,MAAM,CACnF,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IACD,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,KAA6C,CAAC;IAEtE,MAAM,KAAK,GAAG,MAAM,YAAY,EAAE,CAAC;IACnC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CACJ,qDAAqD;YACnD,8EAA8E,CACjF,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CACJ,gEAAgE,KAAK,IAAI,IAAI,YAAY,MAAM,KAAK,CACrG,CAAC;IACJ,CAAC;IAED,uDAAuD;IACvD,0EAA0E;IAC1E,qEAAqE;IACrE,oEAAoE;IACpE,wEAAwE;IACxE,uEAAuE;IACvE,qEAAqE;IACrE,yEAAyE;IACzE,oEAAoE;IACpE,oEAAoE;IACpE,oEAAoE;IACpE,uCAAuC;IACvC,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IACtC,IAAI,MAAmB,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,qBAAqB,CAAC,OAAO,EAAE;YAC5C,KAAK;YACL,IAAI;YACJ,MAAM;YACN,MAAM;SACP,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CACJ,8BAA8B,MAAM,CAAC,CAAC,CAAC,8BAA8B,CAAC,CAAC,CAAC,cAAc,KAAK,cAAc,CAAC,GAAG,CAAC,IAAI,CACnH,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC5B,IAAI,CAAC,KAAK;YAAE,MAAM,CAAC,qDAAqD,CAAC,CAAC;QAC1E,MAAM,CAAC,wBAAwB,KAAK,IAAI,IAAI,yBAAyB,CAAC,CAAC;QACvE,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAC5C,MAAM,CAAC,KAAK,IAAI,aAAa,MAAM,CAAC,OAAO,CAAC,MAAM,MAAM,CAAC,CAAC;QAC1D,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO;YAAE,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACzD,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,CACJ,mCAAmC,KAAK,IAAI,IAAI,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,UAAU,MAAM,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,YAAY,CACxI,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,CACJ,wBAAwB,KAAK,IAAI,IAAI,+BAA+B,MAAM,CAAC,OAAO,CAAC,MAAM,UAAU,MAAM,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,CAC/I,CAAC;IACF,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,mBAAmB;IAChC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC;IACjD,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;IACxE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;IACtB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,uEAAuE;IACvE,+DAA+D;IAC/D,MAAM,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;IAEpD,SAAS,KAAK,CACZ,MAAwC,EACxC,IAAY,EACZ,IAAc;QAEd,OAAO,IAAI,OAAO,CAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACxC,MAAM,IAAI,GAAa,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;YAC7C,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;YAC5B,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChB,kEAAkE;YAClE,+DAA+D;YAC/D,sDAAsD;YACtD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,qCAAqC,CAAC,CAAC;YACvD,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE;gBAC9B,GAAG;gBACH,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;YACH,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,KAAK,CAAC,MAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;gBACrC,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;YACzB,CAAC,CAAC,CAAC;YACH,KAAK,CAAC,MAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;gBACrC,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;YACzB,CAAC,CAAC,CAAC;YACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC1B,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBACzB,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;oBACf,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAC9C,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;oBAC5D,MAAM,GAAG,GAAG,IAAI,KAAK,CACnB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,MAAM,CAAC,IAAI,EAAE,IAAI,iBAAiB,IAAI,EAAE,CAAC,CAAC,KAAK,CAC/D,CAAC,EACD,GAAG,CACJ,CAC6B,CAAC;oBACjC,IAAI,MAAM,KAAK,SAAS;wBAAE,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC;oBAC9C,MAAM,CAAC,GAAG,CAAC,CAAC;oBACZ,OAAO;gBACT,CAAC;gBACD,IAAI,CAAC;oBACH,OAAO,CAAC,MAAM,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAO,CAAC,CAAC,CAAE,EAAQ,CAAC,CAAC;gBAC1D,CAAC;gBAAC,OAAO,QAAQ,EAAE,CAAC;oBAClB,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACnB,CAAC;YACH,CAAC,CAAC,CAAC;YACH,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,KAAK,CAAC,KAAM,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,KAAM,CAAC,GAAG,EAAE,CAAC;YACrB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,KAAK,EAAE;YACL,KAAK,CAAC,mBAAmB,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE;gBAC/C,MAAM,IAAI,GAAG,MAAM,KAAK,CACtB,KAAK,EACL,UAAU,KAAK,IAAI,IAAI,aAAa,MAAM,aAAa,CACxD,CAAC;gBACF,OAAO,EAAE,IAAI,EAAE,IAAgF,EAAE,CAAC;YACpG,CAAC;YACD,KAAK,CAAC,sBAAsB,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE;gBAC3D,OAAO,KAAK,CACV,KAAK,EACL,UAAU,KAAK,IAAI,IAAI,aAAa,MAAM,aAAa,EACvD,IAAI,CACL,CAAC;YACJ,CAAC;YACD,KAAK,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE;gBACvB,MAAM,IAAI,GAAG,MAAM,KAAK,CACtB,KAAK,EACL,UAAU,KAAK,IAAI,IAAI,EAAE,CAC1B,CAAC;gBACF,OAAO,EAAE,IAAI,EAAE,IAAgE,EAAE,CAAC;YACpF,CAAC;YACD,KAAK,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,IAAI,EAAE;gBACnC,OAAO,KAAK,CAAC,OAAO,EAAE,UAAU,KAAK,IAAI,IAAI,EAAE,EAAE,IAAI,CAAC,CAAC;YACzD,CAAC;SACF;KACF,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,GAAY;IAClC,IAAI,GAAG,YAAY,KAAK;QAAE,OAAO,GAAG,CAAC,OAAO,CAAC;IAC7C,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/cli/index.d.ts

@@ -5,4 +5,5 @@ export { renderBlock, detectSkillRelPath, upsertBlock, hasAgentsMdImport, remove
 export { computeSkillUsageDelta, mergeSkillUsage, assessSkillHealth, formatHealthDashboard, DEFAULT_GH_RUNNER, fetchUsageArtifacts, aggregateUsageStream, type SkillDelta, type SkillUsageEntry, type SkillDeltaMap, type SkillUsageMap, type SkillHealthStatus, type SkillHealthRow, type GhRunResult, type GhRunner, type FetchUsageArtifactsOptions, type UsageArtifactRecord, } from './skill-usage.js';
 export { PRICING, computeReviewCost, costPerLOC, cacheHitRate, extractTokensFromLog, rollup, formatRollup, type ModelPricing, type TokenCounts, type CostParts, type ReviewCost, type ExtractedTokens, type ReviewRecord, type RollupGroupStats, type RollupTotal, type RollupTrend, type RollupOutlier, type UnknownModelReview, type Rollup, type FormatRollupOptions, } from './usage.js';
 export { runUpdate, type RunUpdateOptions, type UpdateChangeRecord, type UpdateSkippedRecord, type RunUpdateResult, } from './update.js';
+export { runConfigureGithub, ghCliOctokit, type RunConfigureGithubOptions, } from './configure-github.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EACL,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,4BAA4B,EAC5B,KAAK,QAAQ,EACb,KAAK,SAAS,EACd,KAAK,SAAS,EACd,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,0BAA0B,EAC/B,KAAK,eAAe,EACpB,KAAK,yBAAyB,EAC9B,KAAK,mCAAmC,EACxC,KAAK,YAAY,GAClB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,uBAAuB,EACvB,cAAc,EACd,cAAc,EACd,GAAG,EACH,KAAK,oBAAoB,EACzB,KAAK,UAAU,EACf,KAAK,SAAS,GACf,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,iBAAiB,EACjB,WAAW,EACX,WAAW,EACX,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,GACvB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,EACpB,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,QAAQ,EACb,KAAK,0BAA0B,EAC/B,KAAK,mBAAmB,GACzB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,OAAO,EACP,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,oBAAoB,EACpB,MAAM,EACN,YAAY,EACZ,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,SAAS,EACd,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,KAAK,MAAM,EACX,KAAK,mBAAmB,GACzB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,EACT,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,eAAe,GACrB,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EACL,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,4BAA4B,EAC5B,KAAK,QAAQ,EACb,KAAK,SAAS,EACd,KAAK,SAAS,EACd,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,0BAA0B,EAC/B,KAAK,eAAe,EACpB,KAAK,yBAAyB,EAC9B,KAAK,mCAAmC,EACxC,KAAK,YAAY,GAClB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,uBAAuB,EACvB,cAAc,EACd,cAAc,EACd,GAAG,EACH,KAAK,oBAAoB,EACzB,KAAK,UAAU,EACf,KAAK,SAAS,GACf,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,iBAAiB,EACjB,WAAW,EACX,WAAW,EACX,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,GACvB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,EACpB,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,QAAQ,EACb,KAAK,0BAA0B,EAC/B,KAAK,mBAAmB,GACzB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,OAAO,EACP,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,oBAAoB,EACpB,MAAM,EACN,YAAY,EACZ,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,SAAS,EACd,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,KAAK,MAAM,EACX,KAAK,mBAAmB,GACzB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,EACT,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,eAAe,GACrB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,kBAAkB,EAClB,YAAY,EACZ,KAAK,yBAAyB,GAC/B,MAAM,uBAAuB,CAAC"}

package/dist/cli/index.js

@@ -15,4 +15,5 @@ export { renderBlock, detectSkillRelPath, upsertBlock, hasAgentsMdImport, remove
 export { computeSkillUsageDelta, mergeSkillUsage, assessSkillHealth, formatHealthDashboard, DEFAULT_GH_RUNNER, fetchUsageArtifacts, aggregateUsageStream, } from './skill-usage.js';
 export { PRICING, computeReviewCost, costPerLOC, cacheHitRate, extractTokensFromLog, rollup, formatRollup, } from './usage.js';
 export { runUpdate, } from './update.js';
+export { runConfigureGithub, ghCliOctokit, } from './configure-github.js';
 //# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAC5E,0CAA0C;AAC1C,EAAE;AACF,oEAAoE;AACpE,uEAAuE;AACvE,iBAAiB;AAEjB,oEAAoE;AACpE,oEAAoE;AACpE,0DAA0D;AAC1D,oCAAoC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EACL,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,4BAA4B,GAW7B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,uBAAuB,EACvB,cAAc,EACd,cAAc,EACd,GAAG,GAIJ,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,iBAAiB,EACjB,WAAW,EACX,WAAW,GAGZ,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,GAWrB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,OAAO,EACP,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,oBAAoB,EACpB,MAAM,EACN,YAAY,GAcb,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,GAKV,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAC5E,0CAA0C;AAC1C,EAAE;AACF,oEAAoE;AACpE,uEAAuE;AACvE,iBAAiB;AAEjB,oEAAoE;AACpE,oEAAoE;AACpE,0DAA0D;AAC1D,oCAAoC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EACL,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,4BAA4B,GAW7B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,uBAAuB,EACvB,cAAc,EACd,cAAc,EACd,GAAG,GAIJ,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,iBAAiB,EACjB,WAAW,EACX,WAAW,GAGZ,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,GAWrB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,OAAO,EACP,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,oBAAoB,EACpB,MAAM,EACN,YAAY,GAcb,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,GAKV,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,kBAAkB,EAClB,YAAY,GAEb,MAAM,uBAAuB,CAAC"}

package/dist/cli/main.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../src/cli/main.ts"],"names":[],"mappings":"AA6KA,iBAAe,IAAI,kBAwBlB;AA0pCD,OAAO,EAAE,IAAI,EAAE,CAAC"}
+{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../src/cli/main.ts"],"names":[],"mappings":"AAuMA,iBAAe,IAAI,kBA0BlB;AAwzCD,OAAO,EAAE,IAAI,EAAE,CAAC"}

package/dist/cli/main.js

@@ -55,6 +55,10 @@ function parseArgs(argv) {
         // users get the same one-command bootstrap as Python-first users
         // (logmind v0.6.8's --with-skdd is the symmetric counterpart).
         withSkdd: false,
+        // v0.7.0-rc.4: `clud-bug configure-github` flags.
+        // --dry-run prints the diff but skips PATCH; --branch overrides "main".
+        dryRun: false,
+        branch: null,
     };
     for (let i = 0; i < argv.length; i++) {
         const a = argv[i];
@@ -96,6 +100,10 @@ function parseArgs(argv) {
             args.artifacts = false;
         else if (a === '--with-skdd')
             args.withSkdd = true;
+        else if (a === '--dry-run')
+            args.dryRun = true;
+        else if (a === '--branch')
+            args.branch = argv[++i];
         else
             args._.push(a);
     }
@@ -117,6 +125,12 @@ Commands:
                         Use --since / --changed-in / --scope to narrow.
   update                Re-render workflows + refresh baseline specimens to the latest shipped
                         templates. Custom and skills.sh-installed specimens left alone.
+  configure-github <owner>/<repo>
+                        Apply the SPEC §7 canonical branch protection ruleset to a repo.
+                        Auth: GITHUB_TOKEN env first, then \`gh auth token\`. Use
+                        --dry-run to print the diff without PATCH-ing; --branch to
+                        target a non-main branch. Idempotent — already-canonical
+                        repos exit 0 with no changes.
   edit-workflow         Helper for editing .github/workflows/clud-bug-*.yml in an isolated
                         PR (the action refuses to review PRs that modify its own workflow).
   usage                 Read recent clud-bug-review run JSON + normalize cost per LOC.
@@ -150,6 +164,17 @@ Commands:
                         GitHub-markdown summary comment shape. Invoked by the
                         workflow post-step; output is what \`gh pr comment\`
                         receives. Empty stdin or non-object payload exits 2.
+  select-review-event   Compute the SPEC §7.2.1 formal-review event (APPROVE /
+   --stdin               REQUEST_CHANGES / COMMENT / skip) from a structured-output
+                        JSON payload + a few env-passed PR-author fields. Used by
+                        the v0.7.0-rc.3 workflow post-step to post a formal
+                        \`pulls.createReview\` call so the canonical ruleset's
+                        \`required_approving_review_count: 1\` floor is auto-
+                        satisfied by clud-bug[bot] on clean reviews.
+                        Required env vars: PR_AUTHOR_LOGIN, PR_AUTHOR_ASSOCIATION,
+                        STRICT_MODE ("true"/"false"). Empty/malformed stdin →
+                        exits 0 with "skip" on stdout (no-op; workflow degrades
+                        gracefully to the existing comment-only behavior).
 
 Options:
   --offline             Skip skills.sh; pin only the bundled baseline specimens.
@@ -164,6 +189,9 @@ Options:
                         required_conversation_resolution on the default
                         branch (init only). Use for repos that manage
                         branch protection via ruleset or org policy.
+  --dry-run             Print the canonical-v1 diff without PATCH-ing
+                        (configure-github only).
+  --branch <name>       Target branch for configure-github (default: main).
   --repo <owner/name>   Restrict \`usage\` to a single repo. Default: all repos
                         with clud-bug-review.yml in the gh user's auth scope.
   --pr <N>              Restrict \`usage\` to a single PR.
@@ -203,10 +231,12 @@ async function main() {
         case 'audit': return runAudit(args);
         case 'update': return runUpdateCmd(args);
         case 'edit-workflow': return runEditWorkflow(args);
+        case 'configure-github': return runConfigureGithubCmd(args);
         case 'usage': return runUsage(args);
         case 'eval': return runEval();
         case 'render': return runRender(args);
         case 'update-skill-usage': return runUpdateSkillUsage(args);
+        case 'select-review-event': return runSelectReviewEvent(args);
         default:
             process.stderr.write(`Unknown command: ${cmd || '(none)'}\n\n${HELP}`);
             process.exit(2);
@@ -340,6 +370,128 @@ async function runUpdateSkillUsage(args) {
     const skillCount = Object.keys(delta).length;
     ok(`update-skill-usage: merged ${skillCount} skill${skillCount === 1 ? '' : 's'} from review`);
 }
+// v0.7.0-rc.3 — SPEC §7.2.1 formal-review event selector for the npm
+// workflow path. Reads the action's structured_output JSON from stdin,
+// PR-author metadata from env, and emits ONE word on stdout:
+//
+//     APPROVE | REQUEST_CHANGES | COMMENT | skip
+//
+// The workflow template post-step pipes the structured_output payload
+// in, reads the verdict, then conditionally calls `gh api ... /reviews`
+// with `event=$VERDICT` (skipping the API call when verdict is "skip").
+//
+// Robustness contract: this command MUST NEVER fail the workflow on
+// caller-side problems (missing/malformed payload, missing env). Any
+// such case prints "skip" to stdout + a warning to stderr and exits 0
+// — the workflow then degrades to the existing comment-only behavior.
+// We only exit non-zero on programmer error (unknown command flags),
+// which the workflow templates don't pass.
+//
+// Required env vars (the workflow templates set all four):
+//   PR_AUTHOR_LOGIN          — github.event.pull_request.user.login
+//   PR_AUTHOR_ASSOCIATION    — github.event.pull_request.author_association
+//   STRICT_MODE              — "true" / "false" from the base-ref manifest
+// (PR_AUTHOR_ASSOCIATION missing → "CONTRIBUTOR" default which preserves
+// pre-§7.2.1 trusted-author semantics; PR_AUTHOR_LOGIN missing → "skip".)
+async function runSelectReviewEvent(args) {
+    const { selectReviewEvent } = await import('../core/formal-review.js');
+    if (!args.stdin) {
+        process.stderr.write('clud-bug select-review-event: --stdin is required.\n');
+        process.stdout.write('skip\n');
+        return;
+    }
+    let raw = '';
+    for await (const chunk of process.stdin)
+        raw += chunk;
+    raw = raw.trim();
+    if (!raw) {
+        process.stderr.write('clud-bug select-review-event: stdin empty — emitting "skip".\n');
+        process.stdout.write('skip\n');
+        return;
+    }
+    let payload;
+    try {
+        payload = JSON.parse(raw);
+    }
+    catch (e) {
+        process.stderr.write(`clud-bug select-review-event: JSON parse failed: ${e.message} — emitting "skip".\n`);
+        process.stdout.write('skip\n');
+        return;
+    }
+    if (!payload || typeof payload !== 'object') {
+        process.stderr.write('clud-bug select-review-event: payload must be a JSON object — emitting "skip".\n');
+        process.stdout.write('skip\n');
+        return;
+    }
+    // Count findings from the structured_output array shape. Each is
+    // optional — the model may emit absent / null / wrong-type arrays
+    // when its output drifts from schema; we tolerate all of those.
+    const criticalCount = Array.isArray(payload.critical_findings)
+        ? payload.critical_findings.length
+        : 0;
+    const minorCount = Array.isArray(payload.minor_findings)
+        ? payload.minor_findings.length
+        : 0;
+    // Env-passed metadata. Empty PR_AUTHOR_LOGIN means we have no idea
+    // who opened the PR — safer to skip than to attempt a formal review
+    // that might collide with the self-PR guard mis-routed.
+    const prAuthorLogin = String(process.env.PR_AUTHOR_LOGIN ?? '').trim();
+    if (prAuthorLogin === '') {
+        process.stderr.write('clud-bug select-review-event: PR_AUTHOR_LOGIN unset — emitting "skip".\n');
+        process.stdout.write('skip\n');
+        return;
+    }
+    // author_association resolution — security-critical fallback ladder.
+    //
+    // SPEC §7.2.1 + clud-bug-review #163 feedback: the §7.2.1 gate exists
+    // precisely so a future REST-API rename of an external tier doesn't
+    // silently degrade to "trusted → APPROVE". The fallback below splits
+    // the two error cases by what they MEAN:
+    //
+    //   1. EMPTY ("") — caller didn't pass author_association at all.
+    //      This is the "older webhook payload / non-GH caller" case.
+    //      Pre-§7.2.1, those callers got APPROVE on clean reviews; we
+    //      preserve that by defaulting to 'CONTRIBUTOR' (org-trusted).
+    //      Documented + tested under "missing PR_AUTHOR_ASSOCIATION".
+    //
+    //   2. NON-EMPTY UNRECOGNIZED ("FUTURE_TIER") — caller passed a
+    //      token this build doesn't know about. This is the rename
+    //      scenario the §7.2.1 gate is explicitly defending against.
+    //      Fail CLOSED: treat as external → 'NONE' → COMMENT, NEVER
+    //      APPROVE. If the rename was for a still-trusted tier (e.g.
+    //      'STAFF'), the cost is one extra COMMENT review pending
+    //      human approval; if it was a new external tier, we've closed
+    //      the drive-by exploit. Asymmetric risk → fail closed.
+    const rawAssoc = String(process.env.PR_AUTHOR_ASSOCIATION ?? '').trim();
+    const validAssociations = new Set([
+        'OWNER', 'MEMBER', 'COLLABORATOR', 'CONTRIBUTOR',
+        'FIRST_TIME_CONTRIBUTOR', 'FIRST_TIMER', 'NONE', 'MANNEQUIN',
+    ]);
+    let authorAssociation;
+    if (rawAssoc === '') {
+        // Back-compat for legacy callers without author_association.
+        authorAssociation = 'CONTRIBUTOR';
+    }
+    else if (validAssociations.has(rawAssoc)) {
+        authorAssociation = rawAssoc;
+    }
+    else {
+        // Fail-closed for unrecognized future tokens. 'NONE' is the
+        // weakest external tier and the safest default — selectReviewEvent
+        // routes it to COMMENT (never APPROVE, never REQUEST_CHANGES).
+        process.stderr.write(`clud-bug select-review-event: unrecognized PR_AUTHOR_ASSOCIATION="${rawAssoc}" — treating as external (fail-closed per SPEC §7.2.1).\n`);
+        authorAssociation = 'NONE';
+    }
+    const strictMode = String(process.env.STRICT_MODE ?? '').trim() === 'true';
+    const event = selectReviewEvent({
+        criticalCount,
+        minorCount,
+        strictMode,
+        prAuthorLogin,
+        authorAssociation,
+    });
+    process.stdout.write(event + '\n');
+}
 // 0.0.E (v0.6.17): thin wrapper around the golden-set test file. Devs
 // who follow the README invoke `clud-bug eval` — this routes to the
 // same `node --test` runner CI uses, so dev and CI verdicts match.
@@ -958,6 +1110,24 @@ async function runUpdateCmd(_args) {
     log('Commit + push to apply the refreshed kit on the next PR.');
     ok(`updated: @v${ourVersion}, ${result.changed.length} changed, ${result.unchanged.length} unchanged${skipped.length ? `, ${skipped.length} skipped` : ''}`);
 }
+// v0.7.0-rc.4 — `clud-bug configure-github <owner>/<repo>`. Pulls in the
+// SPEC §7 canonical ruleset applier from src/cli/configure-github.ts;
+// thin wrapper here just maps CLI args into the typed entry point. The
+// command is idempotent — re-runs on a converged repo exit 0 with no
+// PATCH calls. See `src/core/configure-github.ts` for the diff + rule
+// table.
+async function runConfigureGithubCmd(args) {
+    const { runConfigureGithub } = await import('./configure-github.js');
+    const target = args._[1] ?? null;
+    const code = await runConfigureGithub({
+        target,
+        branch: args.branch || 'main',
+        dryRun: Boolean(args.dryRun),
+        quiet: QUIET,
+    });
+    if (code !== 0)
+        process.exit(code);
+}
 async function runAudit(args) {
     const cwd = process.cwd();
     const date = new Date().toISOString().slice(0, 10);