clud-bug 0.7.0-rc.3 → 0.7.0-rc.4

package/data/canonical-v1.json

@@ -0,0 +1,37 @@
+{
+  "$comment": "Canonical branch protection ruleset for SkDD-conformant repos. Applied by `logmind init --configure-github`, `clud-bug init --configure-github`, and `reporulez`. Implements thrillmade/protocol SPEC §7. Schema-locked at v1; major bumps require coordinated tool releases.",
+  "version": "v1",
+  "spec_version": "0.1.2",
+  "branch_protection": {
+    "required_status_checks": {
+      "strict": true,
+      "contexts": [
+        "clud-bug-review",
+        "check-decisions",
+        "check-derived-docs",
+        "check-links",
+        "test"
+      ]
+    },
+    "required_pull_request_reviews": {
+      "required_approving_review_count": 1,
+      "dismiss_stale_reviews": false,
+      "require_code_owner_reviews": false
+    },
+    "required_conversation_resolution": true,
+    "enforce_admins": false,
+    "allow_force_pushes": false,
+    "allow_deletions": false,
+    "required_linear_history": false,
+    "allow_auto_merge": true,
+    "delete_branch_on_merge": true,
+    "squash_merge_commit_title": "PR_TITLE",
+    "squash_merge_commit_message": "PR_BODY"
+  },
+  "$notes": {
+    "required_approving_review_count": "1 — auto-satisfied by clud-bug[bot]'s APPROVE vote on clean reviews for org-member PRs (per SPEC §7.2.1). External-contributor PRs still need a human reviewer because the bot's APPROVE on first-time contributors is policy-gated. Repo-owners MAY raise above 1; tools MUST NOT lower below 1.",
+    "enforce_admins": "false so maintainers can land hotfixes outside the gate; the dogfood discipline expects this only for genuine emergencies (clud-bug review still runs but doesn't block)",
+    "contexts": "the four logmind workflow check names + clud-bug-review + a generic 'tests' context. Repos may add more, but MUST keep these. If a context name is renamed in workflow YAML, update the ruleset.",
+    "required_conversation_resolution": "true is the dogfood-defining rule: clud-bug findings must be resolved before merge"
+  }
+}

package/dist/cli/configure-github.d.ts

@@ -0,0 +1,39 @@
+import { loadCanonicalV1, type OctokitLike } from '../core/configure-github.js';
+export interface RunConfigureGithubOptions {
+    /** "owner/repo" target — required. */
+    target?: string | null;
+    /** Target branch (default `main`). */
+    branch?: string;
+    /** Render diff only; skip PATCH calls. */
+    dryRun?: boolean;
+    /** Suppress progress chatter; emit only the final `ok` summary. */
+    quiet?: boolean;
+    /** Resolver for the GitHub token (tests pass a stub). */
+    resolveToken?: () => Promise<string | null>;
+    /** Octokit factory (tests inject a fake; defaults to the gh-adapter). */
+    octokitFactory?: (token: string) => OctokitLike;
+    /** Stdout writer (tests capture). */
+    stdout?: (msg: string) => void;
+    /** Stderr writer (tests capture). */
+    stderr?: (msg: string) => void;
+}
+/**
+ * Entry point — wired into `clud-bug.js` dispatch. Returns a Node-style
+ * exit code so the dispatcher can `process.exit()` deterministically. We
+ * don't call `process.exit` ourselves so tests can drive the function
+ * without taking down the harness.
+ */
+export declare function runConfigureGithub(options: RunConfigureGithubOptions): Promise<number>;
+/**
+ * Builds an `OctokitLike` instance backed by `gh api` shell-outs. This
+ * lets us satisfy the structural interface without pulling in
+ * `@octokit/rest` as a runtime dep (~200KB). The App passes its real
+ * Octokit instance instead.
+ */
+export declare function ghCliOctokit(token: string): OctokitLike;
+/**
+ * Re-exported so callers can preload the ruleset (e.g. for a `--show-ruleset`
+ * flag in future). Currently exists for parity with the App's pattern.
+ */
+export { loadCanonicalV1 };
+//# sourceMappingURL=configure-github.d.ts.map

package/dist/cli/configure-github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"configure-github.d.ts","sourceRoot":"","sources":["../../src/cli/configure-github.ts"],"names":[],"mappings":"AAwBA,OAAO,EAEL,eAAe,EACf,KAAK,WAAW,EAEjB,MAAM,6BAA6B,CAAC;AAErC,MAAM,WAAW,yBAAyB;IACxC,sCAAsC;IACtC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,sCAAsC;IACtC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,mEAAmE;IACnE,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC5C,yEAAyE;IACzE,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,WAAW,CAAC;IAChD,qCAAqC;IACrC,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,qCAAqC;IACrC,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAChC;AAuBD;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,yBAAyB,GACjC,OAAO,CAAC,MAAM,CAAC,CA2FjB;AAkBD;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,CAyFvD;AAOD;;;GAGG;AACH,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/cli/configure-github.js

@@ -0,0 +1,222 @@
+// `clud-bug configure-github` CLI command — applies the SPEC §7 canonical
+// branch protection ruleset to a target repo.
+//
+// External users installing the App expect "best practice branch protection"
+// applied automatically. This command lets them opt in offline + dry-run
+// safely BEFORE the App's auto-setup runs server-side. Same core logic
+// powers both paths (the App imports `applyCanonicalRuleset` from
+// clud-bug/core; this CLI passes a `gh api`-wrapping adapter so users
+// don't need `@octokit/rest` on their machine).
+//
+// Usage:
+//
+//   clud-bug configure-github <owner>/<repo>
+//   clud-bug configure-github <owner>/<repo> --dry-run
+//   clud-bug configure-github <owner>/<repo> --branch develop
+//
+// Auth ladder:
+//
+//   1. `GITHUB_TOKEN` env var (CI-friendly, no `gh` install required)
+//   2. `gh auth token` (developer workstation default)
+//
+// If neither produces a token, exits 1 with a recovery message.
+import { spawn, spawnSync } from 'node:child_process';
+import { applyCanonicalRuleset, loadCanonicalV1, } from '../core/configure-github.js';
+const HELP = `clud-bug configure-github — apply SPEC §7 canonical branch protection.
+
+Usage:
+  clud-bug configure-github <owner>/<repo> [options]
+
+Options:
+  --dry-run         Compute diff and print it, but do NOT call PATCH endpoints.
+  --branch <name>   Target branch (default: main).
+  --quiet,-q        Suppress progress chatter; emit only the final summary.
+  --help,-h         Show this help.
+
+Auth (resolved in order):
+  1. GITHUB_TOKEN env var (CI-friendly)
+  2. \`gh auth token\` (developer workstation)
+
+Exit codes:
+  0  success or already-canonical
+  1  auth missing, PATCH error, or unrecoverable transport failure
+  2  CLI usage error (missing target, bad flag)
+`;
+/**
+ * Entry point — wired into `clud-bug.js` dispatch. Returns a Node-style
+ * exit code so the dispatcher can `process.exit()` deterministically. We
+ * don't call `process.exit` ourselves so tests can drive the function
+ * without taking down the harness.
+ */
+export async function runConfigureGithub(options) {
+    const { target, branch = 'main', dryRun = false, quiet = false, resolveToken = defaultResolveToken, octokitFactory = ghCliOctokit, stdout = (msg) => process.stdout.write(msg), stderr = (msg) => process.stderr.write(msg), } = options;
+    if (!target) {
+        stderr(HELP);
+        return 2;
+    }
+    const match = /^([^/]+)\/([^/]+)$/.exec(target);
+    if (!match) {
+        stderr(`clud-bug configure-github: target must be in owner/repo form, got "${target}".\n`);
+        return 2;
+    }
+    const [, owner, repo] = match;
+    const token = await resolveToken();
+    if (!token) {
+        stderr('clud-bug configure-github: no GitHub token found.\n' +
+            '  Set GITHUB_TOKEN, or install + auth gh: brew install gh && gh auth login\n');
+        return 1;
+    }
+    if (!quiet) {
+        stdout(`\u{1F41B} configure-github: applying canonical-v1 ruleset to ${owner}/${repo} (branch=${branch})\n`);
+    }
+    // Single-call orchestration: the CLI previously called
+    // applyCanonicalRuleset twice in apply mode (dry-run first to display the
+    // planned changes, then a real call to apply). That two-read pattern
+    // opened a TOCTOU window — concurrent changes between the two reads
+    // could make the displayed list diverge from the actually-applied list,
+    // and the dry-run cost a redundant API round-trip every time. Drop the
+    // preview-first read: pass `dryRun` straight through. The function's
+    // idempotency contract (returns `alreadyCanonical: true` + empty changes
+    // on a no-op) means we don't need a separate "look before you leap"
+    // call. Users who want preview semantics run `--dry-run` first as a
+    // distinct invocation — idiomatic CLI behavior. Surfaced by PR #166
+    // reviewer (CTO follow-up 2026-06-17).
+    const octokit = octokitFactory(token);
+    let result;
+    try {
+        result = await applyCanonicalRuleset(octokit, {
+            owner,
+            repo,
+            branch,
+            dryRun,
+        });
+    }
+    catch (err) {
+        stderr(`clud-bug configure-github: ${dryRun ? 'failed to read current state' : 'PATCH failed'}: ${stringifyError(err)}\n`);
+        return 1;
+    }
+    if (result.alreadyCanonical) {
+        if (!quiet)
+            stdout('  No changes — repo already matches canonical-v1.\n');
+        stdout(`ok configure-github: ${owner}/${repo} already canonical-v1\n`);
+        return 0;
+    }
+    if (!quiet) {
+        const verb = dryRun ? 'Planned' : 'Applied';
+        stdout(`  ${verb} changes (${result.changes.length}):\n`);
+        for (const c of result.changes)
+            stdout(`    - ${c}\n`);
+    }
+    if (dryRun) {
+        stdout(`ok configure-github: dry-run on ${owner}/${repo} — ${result.changes.length} change${result.changes.length === 1 ? '' : 's'} pending\n`);
+        return 0;
+    }
+    stdout(`ok configure-github: ${owner}/${repo} converged to canonical-v1 (${result.changes.length} change${result.changes.length === 1 ? '' : 's'})\n`);
+    return 0;
+}
+/**
+ * Auth ladder: env var first, then `gh auth token`. Surfaces a token
+ * string on success or `null` if neither source has one (caller prints
+ * the recovery hint).
+ */
+async function defaultResolveToken() {
+    const fromEnv = process.env.GITHUB_TOKEN?.trim();
+    if (fromEnv)
+        return fromEnv;
+    const result = spawnSync('gh', ['auth', 'token'], { encoding: 'utf8' });
+    if (result.status === 0) {
+        const tok = result.stdout.trim();
+        if (tok)
+            return tok;
+    }
+    return null;
+}
+/**
+ * Builds an `OctokitLike` instance backed by `gh api` shell-outs. This
+ * lets us satisfy the structural interface without pulling in
+ * `@octokit/rest` as a runtime dep (~200KB). The App passes its real
+ * Octokit instance instead.
+ */
+export function ghCliOctokit(token) {
+    // We pass GITHUB_TOKEN through the spawn env so gh's API surface picks
+    // it up consistently whether the user supplied env or gh auth.
+    const env = { ...process.env, GITHUB_TOKEN: token };
+    function ghApi(method, path, body) {
+        return new Promise((resolve, reject) => {
+            const args = ['api', '-X', method];
+            if (body !== undefined) {
+                args.push('--input', '-');
+            }
+            args.push(path);
+            // Add an Accept header so 404s return the structured error, not a
+            // friendlier shell hint. The wrapping err.message detection in
+            // `isBranchNotProtected` keys on the structured form.
+            args.push('-H', 'Accept: application/vnd.github+json');
+            const child = spawn('gh', args, {
+                env,
+                stdio: ['pipe', 'pipe', 'pipe'],
+            });
+            let stdout = '';
+            let stderr = '';
+            child.stdout.on('data', (d) => {
+                stdout += d.toString();
+            });
+            child.stderr.on('data', (d) => {
+                stderr += d.toString();
+            });
+            child.on('error', reject);
+            child.on('close', (code) => {
+                if (code !== 0) {
+                    const httpMatch = /HTTP (\d{3})/.exec(stderr);
+                    const status = httpMatch ? Number(httpMatch[1]) : undefined;
+                    const err = new Error((stderr.trim() || stdout.trim() || `gh api exited ${code}`).slice(0, 500));
+                    if (status !== undefined)
+                        err.status = status;
+                    reject(err);
+                    return;
+                }
+                try {
+                    resolve(stdout ? JSON.parse(stdout) : {});
+                }
+                catch (parseErr) {
+                    reject(parseErr);
+                }
+            });
+            if (body !== undefined) {
+                child.stdin.end(JSON.stringify(body));
+            }
+            else {
+                child.stdin.end();
+            }
+        });
+    }
+    return {
+        repos: {
+            async getBranchProtection({ owner, repo, branch }) {
+                const data = await ghApi('GET', `/repos/${owner}/${repo}/branches/${branch}/protection`);
+                return { data: data };
+            },
+            async updateBranchProtection({ owner, repo, branch, ...rest }) {
+                return ghApi('PUT', `/repos/${owner}/${repo}/branches/${branch}/protection`, rest);
+            },
+            async get({ owner, repo }) {
+                const data = await ghApi('GET', `/repos/${owner}/${repo}`);
+                return { data: data };
+            },
+            async update({ owner, repo, ...rest }) {
+                return ghApi('PATCH', `/repos/${owner}/${repo}`, rest);
+            },
+        },
+    };
+}
+function stringifyError(err) {
+    if (err instanceof Error)
+        return err.message;
+    return String(err);
+}
+/**
+ * Re-exported so callers can preload the ruleset (e.g. for a `--show-ruleset`
+ * flag in future). Currently exists for parity with the App's pattern.
+ */
+export { loadCanonicalV1 };
+//# sourceMappingURL=configure-github.js.map

package/dist/cli/configure-github.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"configure-github.js","sourceRoot":"","sources":["../../src/cli/configure-github.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,8CAA8C;AAC9C,EAAE;AACF,6EAA6E;AAC7E,yEAAyE;AACzE,uEAAuE;AACvE,kEAAkE;AAClE,sEAAsE;AACtE,gDAAgD;AAChD,EAAE;AACF,SAAS;AACT,EAAE;AACF,6CAA6C;AAC7C,uDAAuD;AACvD,8DAA8D;AAC9D,EAAE;AACF,eAAe;AACf,EAAE;AACF,sEAAsE;AACtE,uDAAuD;AACvD,EAAE;AACF,gEAAgE;AAEhE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EACL,qBAAqB,EACrB,eAAe,GAGhB,MAAM,6BAA6B,CAAC;AAqBrC,MAAM,IAAI,GAAG;;;;;;;;;;;;;;;;;;;CAmBZ,CAAC;AAEF;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAkC;IAElC,MAAM,EACJ,MAAM,EACN,MAAM,GAAG,MAAM,EACf,MAAM,GAAG,KAAK,EACd,KAAK,GAAG,KAAK,EACb,YAAY,GAAG,mBAAmB,EAClC,cAAc,GAAG,YAAY,EAC7B,MAAM,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAC3C,MAAM,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,GAC5C,GAAG,OAAO,CAAC;IAEZ,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC,CAAC;QACb,OAAO,CAAC,CAAC;IACX,CAAC;IACD,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CACJ,sEAAsE,MAAM,MAAM,CACnF,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IACD,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,KAA6C,CAAC;IAEtE,MAAM,KAAK,GAAG,MAAM,YAAY,EAAE,CAAC;IACnC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CACJ,qDAAqD;YACnD,8EAA8E,CACjF,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CACJ,gEAAgE,KAAK,IAAI,IAAI,YAAY,MAAM,KAAK,CACrG,CAAC;IACJ,CAAC;IAED,uDAAuD;IACvD,0EAA0E;IAC1E,qEAAqE;IACrE,oEAAoE;IACpE,wEAAwE;IACxE,uEAAuE;IACvE,qEAAqE;IACrE,yEAAyE;IACzE,oEAAoE;IACpE,oEAAoE;IACpE,oEAAoE;IACpE,uCAAuC;IACvC,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IACtC,IAAI,MAAmB,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,qBAAqB,CAAC,OAAO,EAAE;YAC5C,KAAK;YACL,IAAI;YACJ,MAAM;YACN,MAAM;SACP,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CACJ,8BAA8B,MAAM,CAAC,CAAC,CAAC,8BAA8B,CAAC,CAAC,CAAC,cAAc,KAAK,cAAc,CAAC,GAAG,CAAC,IAAI,CACnH,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC5B,IAAI,CAAC,KAAK;YAAE,MAAM,CAAC,qDAAqD,CAAC,CAAC;QAC1E,MAAM,CAAC,wBAAwB,KAAK,IAAI,IAAI,yBAAyB,CAAC,CAAC;QACvE,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAC5C,MAAM,CAAC,KAAK,IAAI,aAAa,MAAM,CAAC,OAAO,CAAC,MAAM,MAAM,CAAC,CAAC;QAC1D,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO;YAAE,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACzD,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,CACJ,mCAAmC,KAAK,IAAI,IAAI,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,UAAU,MAAM,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,YAAY,CACxI,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,CACJ,wBAAwB,KAAK,IAAI,IAAI,+BAA+B,MAAM,CAAC,OAAO,CAAC,MAAM,UAAU,MAAM,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,CAC/I,CAAC;IACF,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,mBAAmB;IAChC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC;IACjD,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;IACxE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;IACtB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,uEAAuE;IACvE,+DAA+D;IAC/D,MAAM,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;IAEpD,SAAS,KAAK,CACZ,MAAwC,EACxC,IAAY,EACZ,IAAc;QAEd,OAAO,IAAI,OAAO,CAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACxC,MAAM,IAAI,GAAa,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;YAC7C,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;YAC5B,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChB,kEAAkE;YAClE,+DAA+D;YAC/D,sDAAsD;YACtD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,qCAAqC,CAAC,CAAC;YACvD,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE;gBAC9B,GAAG;gBACH,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;YACH,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,KAAK,CAAC,MAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;gBACrC,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;YACzB,CAAC,CAAC,CAAC;YACH,KAAK,CAAC,MAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;gBACrC,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;YACzB,CAAC,CAAC,CAAC;YACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC1B,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBACzB,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;oBACf,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAC9C,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;oBAC5D,MAAM,GAAG,GAAG,IAAI,KAAK,CACnB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,MAAM,CAAC,IAAI,EAAE,IAAI,iBAAiB,IAAI,EAAE,CAAC,CAAC,KAAK,CAC/D,CAAC,EACD,GAAG,CACJ,CAC6B,CAAC;oBACjC,IAAI,MAAM,KAAK,SAAS;wBAAE,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC;oBAC9C,MAAM,CAAC,GAAG,CAAC,CAAC;oBACZ,OAAO;gBACT,CAAC;gBACD,IAAI,CAAC;oBACH,OAAO,CAAC,MAAM,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAO,CAAC,CAAC,CAAE,EAAQ,CAAC,CAAC;gBAC1D,CAAC;gBAAC,OAAO,QAAQ,EAAE,CAAC;oBAClB,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACnB,CAAC;YACH,CAAC,CAAC,CAAC;YACH,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,KAAK,CAAC,KAAM,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,KAAM,CAAC,GAAG,EAAE,CAAC;YACrB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,KAAK,EAAE;YACL,KAAK,CAAC,mBAAmB,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE;gBAC/C,MAAM,IAAI,GAAG,MAAM,KAAK,CACtB,KAAK,EACL,UAAU,KAAK,IAAI,IAAI,aAAa,MAAM,aAAa,CACxD,CAAC;gBACF,OAAO,EAAE,IAAI,EAAE,IAAgF,EAAE,CAAC;YACpG,CAAC;YACD,KAAK,CAAC,sBAAsB,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE;gBAC3D,OAAO,KAAK,CACV,KAAK,EACL,UAAU,KAAK,IAAI,IAAI,aAAa,MAAM,aAAa,EACvD,IAAI,CACL,CAAC;YACJ,CAAC;YACD,KAAK,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE;gBACvB,MAAM,IAAI,GAAG,MAAM,KAAK,CACtB,KAAK,EACL,UAAU,KAAK,IAAI,IAAI,EAAE,CAC1B,CAAC;gBACF,OAAO,EAAE,IAAI,EAAE,IAAgE,EAAE,CAAC;YACpF,CAAC;YACD,KAAK,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,IAAI,EAAE;gBACnC,OAAO,KAAK,CAAC,OAAO,EAAE,UAAU,KAAK,IAAI,IAAI,EAAE,EAAE,IAAI,CAAC,CAAC;YACzD,CAAC;SACF;KACF,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,GAAY;IAClC,IAAI,GAAG,YAAY,KAAK;QAAE,OAAO,GAAG,CAAC,OAAO,CAAC;IAC7C,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/cli/index.d.ts

@@ -5,4 +5,5 @@ export { renderBlock, detectSkillRelPath, upsertBlock, hasAgentsMdImport, remove
 export { computeSkillUsageDelta, mergeSkillUsage, assessSkillHealth, formatHealthDashboard, DEFAULT_GH_RUNNER, fetchUsageArtifacts, aggregateUsageStream, type SkillDelta, type SkillUsageEntry, type SkillDeltaMap, type SkillUsageMap, type SkillHealthStatus, type SkillHealthRow, type GhRunResult, type GhRunner, type FetchUsageArtifactsOptions, type UsageArtifactRecord, } from './skill-usage.js';
 export { PRICING, computeReviewCost, costPerLOC, cacheHitRate, extractTokensFromLog, rollup, formatRollup, type ModelPricing, type TokenCounts, type CostParts, type ReviewCost, type ExtractedTokens, type ReviewRecord, type RollupGroupStats, type RollupTotal, type RollupTrend, type RollupOutlier, type UnknownModelReview, type Rollup, type FormatRollupOptions, } from './usage.js';
 export { runUpdate, type RunUpdateOptions, type UpdateChangeRecord, type UpdateSkippedRecord, type RunUpdateResult, } from './update.js';
+export { runConfigureGithub, ghCliOctokit, type RunConfigureGithubOptions, } from './configure-github.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EACL,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,4BAA4B,EAC5B,KAAK,QAAQ,EACb,KAAK,SAAS,EACd,KAAK,SAAS,EACd,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,0BAA0B,EAC/B,KAAK,eAAe,EACpB,KAAK,yBAAyB,EAC9B,KAAK,mCAAmC,EACxC,KAAK,YAAY,GAClB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,uBAAuB,EACvB,cAAc,EACd,cAAc,EACd,GAAG,EACH,KAAK,oBAAoB,EACzB,KAAK,UAAU,EACf,KAAK,SAAS,GACf,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,iBAAiB,EACjB,WAAW,EACX,WAAW,EACX,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,GACvB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,EACpB,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,QAAQ,EACb,KAAK,0BAA0B,EAC/B,KAAK,mBAAmB,GACzB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,OAAO,EACP,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,oBAAoB,EACpB,MAAM,EACN,YAAY,EACZ,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,SAAS,EACd,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,KAAK,MAAM,EACX,KAAK,mBAAmB,GACzB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,EACT,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,eAAe,GACrB,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EACL,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,4BAA4B,EAC5B,KAAK,QAAQ,EACb,KAAK,SAAS,EACd,KAAK,SAAS,EACd,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,0BAA0B,EAC/B,KAAK,eAAe,EACpB,KAAK,yBAAyB,EAC9B,KAAK,mCAAmC,EACxC,KAAK,YAAY,GAClB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,uBAAuB,EACvB,cAAc,EACd,cAAc,EACd,GAAG,EACH,KAAK,oBAAoB,EACzB,KAAK,UAAU,EACf,KAAK,SAAS,GACf,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,iBAAiB,EACjB,WAAW,EACX,WAAW,EACX,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,GACvB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,EACpB,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,QAAQ,EACb,KAAK,0BAA0B,EAC/B,KAAK,mBAAmB,GACzB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,OAAO,EACP,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,oBAAoB,EACpB,MAAM,EACN,YAAY,EACZ,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,SAAS,EACd,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,KAAK,MAAM,EACX,KAAK,mBAAmB,GACzB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,EACT,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,eAAe,GACrB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,kBAAkB,EAClB,YAAY,EACZ,KAAK,yBAAyB,GAC/B,MAAM,uBAAuB,CAAC"}

package/dist/cli/index.js

@@ -15,4 +15,5 @@ export { renderBlock, detectSkillRelPath, upsertBlock, hasAgentsMdImport, remove
 export { computeSkillUsageDelta, mergeSkillUsage, assessSkillHealth, formatHealthDashboard, DEFAULT_GH_RUNNER, fetchUsageArtifacts, aggregateUsageStream, } from './skill-usage.js';
 export { PRICING, computeReviewCost, costPerLOC, cacheHitRate, extractTokensFromLog, rollup, formatRollup, } from './usage.js';
 export { runUpdate, } from './update.js';
+export { runConfigureGithub, ghCliOctokit, } from './configure-github.js';
 //# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAC5E,0CAA0C;AAC1C,EAAE;AACF,oEAAoE;AACpE,uEAAuE;AACvE,iBAAiB;AAEjB,oEAAoE;AACpE,oEAAoE;AACpE,0DAA0D;AAC1D,oCAAoC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EACL,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,4BAA4B,GAW7B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,uBAAuB,EACvB,cAAc,EACd,cAAc,EACd,GAAG,GAIJ,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,iBAAiB,EACjB,WAAW,EACX,WAAW,GAGZ,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,GAWrB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,OAAO,EACP,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,oBAAoB,EACpB,MAAM,EACN,YAAY,GAcb,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,GAKV,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAC5E,0CAA0C;AAC1C,EAAE;AACF,oEAAoE;AACpE,uEAAuE;AACvE,iBAAiB;AAEjB,oEAAoE;AACpE,oEAAoE;AACpE,0DAA0D;AAC1D,oCAAoC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EACL,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,4BAA4B,GAW7B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,uBAAuB,EACvB,cAAc,EACd,cAAc,EACd,GAAG,GAIJ,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,iBAAiB,EACjB,WAAW,EACX,WAAW,GAGZ,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,GAWrB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,OAAO,EACP,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,oBAAoB,EACpB,MAAM,EACN,YAAY,GAcb,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,GAKV,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,kBAAkB,EAClB,YAAY,GAEb,MAAM,uBAAuB,CAAC"}

package/dist/cli/main.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../src/cli/main.ts"],"names":[],"mappings":"AAwLA,iBAAe,IAAI,kBAyBlB;AAsyCD,OAAO,EAAE,IAAI,EAAE,CAAC"}
+{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../src/cli/main.ts"],"names":[],"mappings":"AAuMA,iBAAe,IAAI,kBA0BlB;AAwzCD,OAAO,EAAE,IAAI,EAAE,CAAC"}

package/dist/cli/main.js

@@ -55,6 +55,10 @@ function parseArgs(argv) {
         // users get the same one-command bootstrap as Python-first users
         // (logmind v0.6.8's --with-skdd is the symmetric counterpart).
         withSkdd: false,
+        // v0.7.0-rc.4: `clud-bug configure-github` flags.
+        // --dry-run prints the diff but skips PATCH; --branch overrides "main".
+        dryRun: false,
+        branch: null,
     };
     for (let i = 0; i < argv.length; i++) {
         const a = argv[i];
@@ -96,6 +100,10 @@ function parseArgs(argv) {
             args.artifacts = false;
         else if (a === '--with-skdd')
             args.withSkdd = true;
+        else if (a === '--dry-run')
+            args.dryRun = true;
+        else if (a === '--branch')
+            args.branch = argv[++i];
         else
             args._.push(a);
     }
@@ -117,6 +125,12 @@ Commands:
                         Use --since / --changed-in / --scope to narrow.
   update                Re-render workflows + refresh baseline specimens to the latest shipped
                         templates. Custom and skills.sh-installed specimens left alone.
+  configure-github <owner>/<repo>
+                        Apply the SPEC §7 canonical branch protection ruleset to a repo.
+                        Auth: GITHUB_TOKEN env first, then \`gh auth token\`. Use
+                        --dry-run to print the diff without PATCH-ing; --branch to
+                        target a non-main branch. Idempotent — already-canonical
+                        repos exit 0 with no changes.
   edit-workflow         Helper for editing .github/workflows/clud-bug-*.yml in an isolated
                         PR (the action refuses to review PRs that modify its own workflow).
   usage                 Read recent clud-bug-review run JSON + normalize cost per LOC.
@@ -175,6 +189,9 @@ Options:
                         required_conversation_resolution on the default
                         branch (init only). Use for repos that manage
                         branch protection via ruleset or org policy.
+  --dry-run             Print the canonical-v1 diff without PATCH-ing
+                        (configure-github only).
+  --branch <name>       Target branch for configure-github (default: main).
   --repo <owner/name>   Restrict \`usage\` to a single repo. Default: all repos
                         with clud-bug-review.yml in the gh user's auth scope.
   --pr <N>              Restrict \`usage\` to a single PR.
@@ -214,6 +231,7 @@ async function main() {
         case 'audit': return runAudit(args);
         case 'update': return runUpdateCmd(args);
         case 'edit-workflow': return runEditWorkflow(args);
+        case 'configure-github': return runConfigureGithubCmd(args);
         case 'usage': return runUsage(args);
         case 'eval': return runEval();
         case 'render': return runRender(args);
@@ -1092,6 +1110,24 @@ async function runUpdateCmd(_args) {
     log('Commit + push to apply the refreshed kit on the next PR.');
     ok(`updated: @v${ourVersion}, ${result.changed.length} changed, ${result.unchanged.length} unchanged${skipped.length ? `, ${skipped.length} skipped` : ''}`);
 }
+// v0.7.0-rc.4 — `clud-bug configure-github <owner>/<repo>`. Pulls in the
+// SPEC §7 canonical ruleset applier from src/cli/configure-github.ts;
+// thin wrapper here just maps CLI args into the typed entry point. The
+// command is idempotent — re-runs on a converged repo exit 0 with no
+// PATCH calls. See `src/core/configure-github.ts` for the diff + rule
+// table.
+async function runConfigureGithubCmd(args) {
+    const { runConfigureGithub } = await import('./configure-github.js');
+    const target = args._[1] ?? null;
+    const code = await runConfigureGithub({
+        target,
+        branch: args.branch || 'main',
+        dryRun: Boolean(args.dryRun),
+        quiet: QUIET,
+    });
+    if (code !== 0)
+        process.exit(code);
+}
 async function runAudit(args) {
     const cwd = process.cwd();
     const date = new Date().toISOString().slice(0, 10);