declastruct-github 1.0.7 → 1.2.0

package/dist/domain.objects/DeclaredGithubApp.d.ts

@@ -0,0 +1,75 @@
+import type { UniDateTime } from '@ehmpathy/uni-time';
+import { DomainEntity } from 'domain-objects';
+import { DeclaredGithubAppPermissions } from './DeclaredGithubAppPermissions';
+import { DeclaredGithubOwner } from './DeclaredGithubOwner';
+/**
+ * .what = a declarative structure which represents a GitHub App
+ * .why = enables declarative management of GitHub Apps following declastruct patterns
+ */
+export interface DeclaredGithubApp {
+    /**
+     * .what = GitHub's internal app ID
+     * .note = is @metadata -> may be undefined
+     */
+    id?: number;
+    /**
+     * .what = when the app was created
+     * .note = is @metadata -> may be undefined
+     */
+    createdAt?: UniDateTime;
+    /**
+     * .what = when the app was last updated
+     * .note = is @metadata -> may be undefined
+     */
+    updatedAt?: UniDateTime;
+    /**
+     * .what = organization or user that owns the app
+     */
+    owner: DeclaredGithubOwner;
+    /**
+     * .what = URL-friendly name of the app
+     * .note = used in URLs like github.com/apps/{slug}
+     */
+    slug: string;
+    /**
+     * .what = display name of the app
+     * .note = null if not set
+     */
+    name: string | null;
+    /**
+     * .what = description of what the app does
+     * .note = null if not set
+     */
+    description: string | null;
+    /**
+     * .what = whether the app is public (anyone can install) or private (only owner can install)
+     * .note = defaults to false (private)
+     */
+    public: boolean;
+    /**
+     * .what = granular permission mappings for the app
+     */
+    permissions: DeclaredGithubAppPermissions;
+    /**
+     * .what = webhook event subscriptions
+     * .note = empty array if no events subscribed
+     */
+    events: string[];
+    /**
+     * .what = external homepage URL
+     */
+    homepageUrl: string;
+    /**
+     * .what = webhook URL for receiving events
+     * .note = null if not set
+     */
+    webhookUrl: string | null;
+}
+export declare class DeclaredGithubApp extends DomainEntity<DeclaredGithubApp> implements DeclaredGithubApp {
+    static primary: readonly ["id"];
+    static unique: readonly ["owner", "slug"];
+    static nested: {
+        owner: typeof DeclaredGithubOwner;
+        permissions: typeof DeclaredGithubAppPermissions;
+    };
+}

package/dist/domain.objects/DeclaredGithubApp.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeclaredGithubApp = void 0;
+const domain_objects_1 = require("domain-objects");
+const DeclaredGithubAppPermissions_1 = require("./DeclaredGithubAppPermissions");
+const DeclaredGithubOwner_1 = require("./DeclaredGithubOwner");
+class DeclaredGithubApp extends domain_objects_1.DomainEntity {
+}
+exports.DeclaredGithubApp = DeclaredGithubApp;
+DeclaredGithubApp.primary = ['id'];
+DeclaredGithubApp.unique = ['owner', 'slug'];
+DeclaredGithubApp.nested = {
+    owner: DeclaredGithubOwner_1.DeclaredGithubOwner,
+    permissions: DeclaredGithubAppPermissions_1.DeclaredGithubAppPermissions,
+};
+//# sourceMappingURL=DeclaredGithubApp.js.map

package/dist/domain.objects/DeclaredGithubApp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DeclaredGithubApp.js","sourceRoot":"","sources":["../../src/domain.objects/DeclaredGithubApp.ts"],"names":[],"mappings":";;;AACA,mDAA8C;AAC9C,iFAA8E;AAC9E,+DAA4D;AA6E5D,MAAa,iBACX,SAAQ,6BAA+B;;AADzC,8CAUC;AANe,yBAAO,GAAG,CAAC,IAAI,CAAU,CAAC;AAC1B,wBAAM,GAAG,CAAC,OAAO,EAAE,MAAM,CAAU,CAAC;AACpC,wBAAM,GAAG;IACrB,KAAK,EAAE,yCAAmB;IAC1B,WAAW,EAAE,2DAA4B;CAC1C,CAAC"}

package/dist/domain.objects/DeclaredGithubAppInstallation.d.ts

@@ -0,0 +1,61 @@
+import type { UniDateTime } from '@ehmpathy/uni-time';
+import { DomainEntity, RefByUnique } from 'domain-objects';
+import type { DeclaredGithubApp } from './DeclaredGithubApp';
+import { DeclaredGithubOwner } from './DeclaredGithubOwner';
+/**
+ * .what = a declarative structure which represents a GitHub App installation
+ * .why = enables declarative management of GitHub App installations following declastruct patterns
+ */
+export interface DeclaredGithubAppInstallation {
+    /**
+     * .what = GitHub's internal installation ID
+     * .note = is @metadata -> may be undefined
+     */
+    id?: number;
+    /**
+     * .what = when the installation was created
+     * .note = is @metadata -> may be undefined
+     */
+    createdAt?: UniDateTime;
+    /**
+     * .what = when the installation was last updated
+     * .note = is @metadata -> may be undefined
+     */
+    updatedAt?: UniDateTime;
+    /**
+     * .what = reference to the GitHub App this installation belongs to
+     */
+    app: RefByUnique<typeof DeclaredGithubApp>;
+    /**
+     * .what = where this app was installed to
+     */
+    target: DeclaredGithubOwner;
+    /**
+     * .what = whether the installation has access to all repos or selected repos
+     * .note = defaults to 'all'
+     */
+    repositorySelection: 'all' | 'selected';
+    /**
+     * .what = list of repository names the installation has access to
+     * .note = only applicable when repositorySelection is 'selected'; null otherwise
+     */
+    repositories: string[] | null;
+    /**
+     * .what = whether the installation is suspended
+     * .note = is @metadata -> may be undefined
+     */
+    suspended?: boolean;
+}
+export declare class DeclaredGithubAppInstallation extends DomainEntity<DeclaredGithubAppInstallation> implements DeclaredGithubAppInstallation {
+    static primary: readonly ["id"];
+    static unique: readonly ["app", "target"];
+    static readonly: readonly ["suspended"];
+    static nested: {
+        app: {
+            new (props: RefByUnique<typeof DeclaredGithubApp, any, any, any>): RefByUnique<typeof DeclaredGithubApp, any, any, any>;
+            build<TDobj extends import("domain-objects").Refable<TShape, TPrimary, TUnique>, TShape extends import("domain-objects/dist/reference/Refable").DomainObjectShape = any, TPrimary extends readonly string[] = any, TUnique extends readonly string[] = any>(props: RefByUnique<TDobj, TShape, TPrimary, TUnique>): RefByUnique<TDobj, TShape, TPrimary, TUnique>;
+            as<TDobj_1 extends import("domain-objects").Refable<TShape_1, TPrimary_1, TUnique_1>, TShape_1 extends import("domain-objects/dist/reference/Refable").DomainObjectShape = any, TPrimary_1 extends readonly string[] = any, TUnique_1 extends readonly string[] = any>(props: RefByUnique<TDobj_1, TShape_1, TPrimary_1, TUnique_1>): RefByUnique<TDobj_1, TShape_1, TPrimary_1, TUnique_1>;
+        };
+        target: typeof DeclaredGithubOwner;
+    };
+}

package/dist/domain.objects/DeclaredGithubAppInstallation.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeclaredGithubAppInstallation = void 0;
+const domain_objects_1 = require("domain-objects");
+const DeclaredGithubOwner_1 = require("./DeclaredGithubOwner");
+class DeclaredGithubAppInstallation extends domain_objects_1.DomainEntity {
+}
+exports.DeclaredGithubAppInstallation = DeclaredGithubAppInstallation;
+DeclaredGithubAppInstallation.primary = ['id'];
+DeclaredGithubAppInstallation.unique = ['app', 'target'];
+DeclaredGithubAppInstallation.readonly = ['suspended'];
+DeclaredGithubAppInstallation.nested = {
+    app: (domain_objects_1.RefByUnique),
+    target: DeclaredGithubOwner_1.DeclaredGithubOwner,
+};
+//# sourceMappingURL=DeclaredGithubAppInstallation.js.map

package/dist/domain.objects/DeclaredGithubAppInstallation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DeclaredGithubAppInstallation.js","sourceRoot":"","sources":["../../src/domain.objects/DeclaredGithubAppInstallation.ts"],"names":[],"mappings":";;;AACA,mDAA2D;AAG3D,+DAA4D;AAsD5D,MAAa,6BACX,SAAQ,6BAA2C;;AADrD,sEAWC;AAPe,qCAAO,GAAG,CAAC,IAAI,CAAU,CAAC;AAC1B,oCAAM,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAU,CAAC;AACpC,sCAAQ,GAAG,CAAC,WAAW,CAAU,CAAC;AAClC,oCAAM,GAAG;IACrB,GAAG,EAAE,CAAA,4BAAqC,CAAA;IAC1C,MAAM,EAAE,yCAAmB;CAC5B,CAAC"}

package/dist/domain.objects/DeclaredGithubAppPermissions.d.ts

@@ -0,0 +1,130 @@
+import { DomainLiteral } from 'domain-objects';
+/**
+ * .what = permission levels for GitHub App capabilities
+ * .why = enables type-safe declaration of granular permissions for GitHub Apps
+ */
+export type GithubAppPermissionLevel = 'read' | 'write' | 'admin';
+/**
+ * .what = repository-level permissions for GitHub Apps
+ * .why = scopes permissions explicitly to repository resources
+ */
+export interface DeclaredGithubAppRepositoryPermissions {
+    /**
+     * .what = push code and manage file operations
+     */
+    contents?: GithubAppPermissionLevel | null;
+    /**
+     * .what = manage code review processes (pull requests)
+     */
+    pullRequests?: GithubAppPermissionLevel | null;
+    /**
+     * .what = handle issue tracking and labels
+     */
+    issues?: GithubAppPermissionLevel | null;
+    /**
+     * .what = control workflow permissions and artifacts
+     */
+    actions?: GithubAppPermissionLevel | null;
+    /**
+     * .what = manage repo settings, branch protection, and security settings
+     * .note = nuclear option! can delete/rename/transfer repos unless org restricts this to owners
+     */
+    administration?: GithubAppPermissionLevel | null;
+    /**
+     * .what = basic repository information
+     * .note = implicit read access for most operations
+     */
+    metadata?: 'read' | null;
+    /**
+     * .what = oversee release management
+     */
+    deployments?: GithubAppPermissionLevel | null;
+    /**
+     * .what = manage status reports (checks)
+     */
+    checks?: GithubAppPermissionLevel | null;
+    /**
+     * .what = review and manage security alerts (code scanning)
+     */
+    codeScanning?: GithubAppPermissionLevel | null;
+    /**
+     * .what = handle repository-specific credentials (secrets)
+     */
+    secrets?: GithubAppPermissionLevel | null;
+    /**
+     * .what = access or edit Actions files in the .github/workflows directory
+     */
+    workflows?: GithubAppPermissionLevel | null;
+    /**
+     * .what = manage repository environments
+     */
+    environments?: GithubAppPermissionLevel | null;
+    /**
+     * .what = manage repository pages
+     */
+    pages?: GithubAppPermissionLevel | null;
+    /**
+     * .what = manage repository packages
+     */
+    packages?: GithubAppPermissionLevel | null;
+    /**
+     * .what = manage repository webhooks
+     */
+    hooks?: GithubAppPermissionLevel | null;
+}
+/**
+ * .what = organization-level permissions for GitHub Apps
+ * .why = scopes permissions explicitly to organization resources
+ */
+export interface DeclaredGithubAppOrganizationPermissions {
+    /**
+     * .what = org-level administration
+     */
+    administration?: GithubAppPermissionLevel | null;
+    /**
+     * .what = manage invitations, memberships, and team assignments
+     */
+    members?: GithubAppPermissionLevel | null;
+    /**
+     * .what = create schemas and manage property values (custom properties)
+     */
+    customProperties?: GithubAppPermissionLevel | null;
+    /**
+     * .what = control user blocks
+     */
+    userBlocking?: GithubAppPermissionLevel | null;
+    /**
+     * .what = configure organization event notifications (webhooks)
+     */
+    hooks?: GithubAppPermissionLevel | null;
+    /**
+     * .what = organization-wide actions secrets
+     */
+    actionsSecrets?: GithubAppPermissionLevel | null;
+    /**
+     * .what = organization-wide actions variables
+     */
+    actionsVariables?: GithubAppPermissionLevel | null;
+    /**
+     * .what = project management
+     */
+    projects?: GithubAppPermissionLevel | null;
+    /**
+     * .what = runner infrastructure (self-hosted runners)
+     */
+    selfHostedRunners?: GithubAppPermissionLevel | null;
+}
+/**
+ * .what = a declarative structure which represents a GitHub App's permissions
+ * .why = enables type-safe permission configuration for GitHub Apps following declastruct patterns
+ */
+export interface DeclaredGithubAppPermissions {
+    repository: DeclaredGithubAppRepositoryPermissions | null;
+    organization: DeclaredGithubAppOrganizationPermissions | null;
+}
+export declare class DeclaredGithubAppPermissions extends DomainLiteral<DeclaredGithubAppPermissions> implements DeclaredGithubAppPermissions {
+    static nested: {
+        repository: typeof DomainLiteral;
+        organization: typeof DomainLiteral;
+    };
+}

package/dist/domain.objects/DeclaredGithubAppPermissions.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeclaredGithubAppPermissions = void 0;
+const domain_objects_1 = require("domain-objects");
+class DeclaredGithubAppPermissions extends domain_objects_1.DomainLiteral {
+}
+exports.DeclaredGithubAppPermissions = DeclaredGithubAppPermissions;
+DeclaredGithubAppPermissions.nested = {
+    repository: domain_objects_1.DomainLiteral,
+    organization: domain_objects_1.DomainLiteral,
+};
+//# sourceMappingURL=DeclaredGithubAppPermissions.js.map

package/dist/domain.objects/DeclaredGithubAppPermissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DeclaredGithubAppPermissions.js","sourceRoot":"","sources":["../../src/domain.objects/DeclaredGithubAppPermissions.ts"],"names":[],"mappings":";;;AAAA,mDAA+C;AAuJ/C,MAAa,4BACX,SAAQ,8BAA2C;;AADrD,oEAQC;AAJe,mCAAM,GAAG;IACrB,UAAU,EAAE,8BAAa;IACzB,YAAY,EAAE,8BAAa;CAC5B,CAAC"}

package/dist/domain.objects/DeclaredGithubOrg.d.ts

@@ -0,0 +1,59 @@
+import type { UniDateTime } from '@ehmpathy/uni-time';
+import { DomainEntity } from 'domain-objects';
+/**
+ * .what = a declarative structure which represents GitHub Organization profile
+ * .why = enables declarative management of org profile settings
+ */
+export interface DeclaredGithubOrg {
+    /**
+     * .what = GitHub's internal org ID
+     * .note = is @metadata -> may be undefined
+     */
+    id?: number;
+    /**
+     * .what = when the org was created
+     * .note = is @metadata -> may be undefined
+     */
+    createdAt?: UniDateTime;
+    /**
+     * .what = when the org was last updated
+     * .note = is @metadata -> may be undefined
+     */
+    updatedAt?: UniDateTime;
+    /**
+     * .what = organization login/handle
+     * .note = e.g., 'ehmpathy'
+     */
+    login: string;
+    /**
+     * .what = display name of the organization (shown on profile)
+     * .note = null if not set (falls back to login in UI)
+     */
+    name: string | null;
+    /**
+     * .what = organization description
+     * .note = null if not set
+     */
+    description: string | null;
+    /**
+     * .what = billing email address (write-only)
+     * .note = if undefined, existing value is kept unchanged
+     */
+    billingEmail?: string;
+    /**
+     * .what = whether 2FA is required for all members
+     * .note = is @metadata -> read-only
+     */
+    twoFactorRequirementEnabled?: boolean;
+    /**
+     * .what = count of public repos
+     * .note = is @metadata -> read-only
+     */
+    publicRepos?: number;
+}
+export declare class DeclaredGithubOrg extends DomainEntity<DeclaredGithubOrg> implements DeclaredGithubOrg {
+    static primary: readonly ["id"];
+    static unique: readonly ["login"];
+    static readonly: readonly ["twoFactorRequirementEnabled", "publicRepos"];
+    static writeonly: readonly ["billingEmail"];
+}

package/dist/domain.objects/DeclaredGithubOrg.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeclaredGithubOrg = void 0;
+const domain_objects_1 = require("domain-objects");
+class DeclaredGithubOrg extends domain_objects_1.DomainEntity {
+}
+exports.DeclaredGithubOrg = DeclaredGithubOrg;
+DeclaredGithubOrg.primary = ['id'];
+DeclaredGithubOrg.unique = ['login'];
+DeclaredGithubOrg.readonly = [
+    'twoFactorRequirementEnabled',
+    'publicRepos',
+];
+DeclaredGithubOrg.writeonly = ['billingEmail'];
+//# sourceMappingURL=DeclaredGithubOrg.js.map

package/dist/domain.objects/DeclaredGithubOrg.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DeclaredGithubOrg.js","sourceRoot":"","sources":["../../src/domain.objects/DeclaredGithubOrg.ts"],"names":[],"mappings":";;;AACA,mDAA8C;AAkE9C,MAAa,iBACX,SAAQ,6BAA+B;;AADzC,8CAWC;AAPe,yBAAO,GAAG,CAAC,IAAI,CAAU,CAAC;AAC1B,wBAAM,GAAG,CAAC,OAAO,CAAU,CAAC;AAC5B,0BAAQ,GAAG;IACvB,6BAA6B;IAC7B,aAAa;CACL,CAAC;AACG,2BAAS,GAAG,CAAC,cAAc,CAAU,CAAC"}

package/dist/domain.objects/DeclaredGithubOrgMemberPrivileges.d.ts

@@ -0,0 +1,85 @@
+import type { UniDateTime } from '@ehmpathy/uni-time';
+import { DomainEntity, RefByUnique } from 'domain-objects';
+import type { DeclaredGithubOrg } from './DeclaredGithubOrg';
+/**
+ * .what = a declarative structure which represents GitHub Organization member privileges
+ * .why = enables declarative management of what org members are allowed to do
+ * .note = KEY SECURITY RESOURCE - controls what non-owners can do
+ */
+export interface DeclaredGithubOrgMemberPrivileges {
+    /**
+     * .what = when the settings were last updated
+     * .note = is @metadata -> may be undefined
+     */
+    updatedAt?: UniDateTime;
+    /**
+     * .what = reference to the organization
+     */
+    org: RefByUnique<typeof DeclaredGithubOrg>;
+    /**
+     * .what = whether non-admin members can create repositories
+     */
+    membersCanCreateRepositories: boolean;
+    /**
+     * .what = whether members can create PUBLIC repositories
+     * .note = only applies if membersCanCreateRepositories is true
+     */
+    membersCanCreatePublicRepositories: boolean;
+    /**
+     * .what = whether members can create PRIVATE repositories
+     * .note = only applies if membersCanCreateRepositories is true
+     */
+    membersCanCreatePrivateRepositories: boolean;
+    /**
+     * .what = whether members can create INTERNAL repositories
+     * .note = only available for enterprise orgs; null if not enterprise
+     */
+    membersCanCreateInternalRepositories: boolean | null;
+    /**
+     * .what = whether members with admin permissions can DELETE or TRANSFER repositories
+     * .note = KEY SECURITY SETTING - false means only org owners can delete/transfer
+     * .note = GitHub default is true (DANGEROUS)
+     */
+    membersCanDeleteRepositories: boolean;
+    /**
+     * .what = whether members with admin permissions can change repository VISIBILITY
+     * .note = KEY SECURITY SETTING - false means only org owners can change visibility
+     * .note = GitHub default is true (DANGEROUS)
+     */
+    membersCanChangeRepoVisibility: boolean;
+    /**
+     * .what = whether members can fork private repositories
+     */
+    membersCanForkPrivateRepositories: boolean;
+    /**
+     * .what = whether members can invite outside collaborators
+     */
+    membersCanInviteOutsideCollaborators: boolean;
+    /**
+     * .what = whether members can create GitHub Pages sites
+     */
+    membersCanCreatePages: boolean;
+    /**
+     * .what = whether members can create public GitHub Pages sites
+     */
+    membersCanCreatePublicPages: boolean;
+    /**
+     * .what = whether members can create private GitHub Pages sites
+     */
+    membersCanCreatePrivatePages: boolean;
+    /**
+     * .what = default permission level for new repos
+     */
+    defaultRepositoryPermission: 'read' | 'write' | 'admin' | 'none';
+}
+export declare class DeclaredGithubOrgMemberPrivileges extends DomainEntity<DeclaredGithubOrgMemberPrivileges> implements DeclaredGithubOrgMemberPrivileges {
+    static unique: readonly ["org"];
+    static readonly: readonly ["updatedAt"];
+    static nested: {
+        org: {
+            new (props: RefByUnique<typeof DeclaredGithubOrg, any, any, any>): RefByUnique<typeof DeclaredGithubOrg, any, any, any>;
+            build<TDobj extends import("domain-objects").Refable<TShape, TPrimary, TUnique>, TShape extends import("domain-objects/dist/reference/Refable").DomainObjectShape = any, TPrimary extends readonly string[] = any, TUnique extends readonly string[] = any>(props: RefByUnique<TDobj, TShape, TPrimary, TUnique>): RefByUnique<TDobj, TShape, TPrimary, TUnique>;
+            as<TDobj_1 extends import("domain-objects").Refable<TShape_1, TPrimary_1, TUnique_1>, TShape_1 extends import("domain-objects/dist/reference/Refable").DomainObjectShape = any, TPrimary_1 extends readonly string[] = any, TUnique_1 extends readonly string[] = any>(props: RefByUnique<TDobj_1, TShape_1, TPrimary_1, TUnique_1>): RefByUnique<TDobj_1, TShape_1, TPrimary_1, TUnique_1>;
+        };
+    };
+}

package/dist/domain.objects/DeclaredGithubOrgMemberPrivileges.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeclaredGithubOrgMemberPrivileges = void 0;
+const domain_objects_1 = require("domain-objects");
+class DeclaredGithubOrgMemberPrivileges extends domain_objects_1.DomainEntity {
+}
+exports.DeclaredGithubOrgMemberPrivileges = DeclaredGithubOrgMemberPrivileges;
+DeclaredGithubOrgMemberPrivileges.unique = ['org'];
+DeclaredGithubOrgMemberPrivileges.readonly = ['updatedAt'];
+DeclaredGithubOrgMemberPrivileges.nested = {
+    org: (domain_objects_1.RefByUnique),
+};
+//# sourceMappingURL=DeclaredGithubOrgMemberPrivileges.js.map

package/dist/domain.objects/DeclaredGithubOrgMemberPrivileges.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DeclaredGithubOrgMemberPrivileges.js","sourceRoot":"","sources":["../../src/domain.objects/DeclaredGithubOrgMemberPrivileges.ts"],"names":[],"mappings":";;;AACA,mDAA2D;AAyG3D,MAAa,iCACX,SAAQ,6BAA+C;;AADzD,8EASC;AALe,wCAAM,GAAG,CAAC,KAAK,CAAU,CAAC;AAC1B,0CAAQ,GAAG,CAAC,WAAW,CAAU,CAAC;AAClC,wCAAM,GAAG;IACrB,GAAG,EAAE,CAAA,4BAAqC,CAAA;CAC3C,CAAC"}

package/dist/domain.objects/DeclaredGithubOrgSecret.d.ts

@@ -0,0 +1,63 @@
+import type { UniDateTime } from '@ehmpathy/uni-time';
+import { DomainEntity, RefByUnique } from 'domain-objects';
+import type { DeclaredGithubOrg } from './DeclaredGithubOrg';
+/**
+ * .what = a declarative structure representing a GitHub Organization secret
+ * .why = enables declarative management of org-level GitHub Actions secrets
+ *
+ * WRITE-ONLY PATTERN:
+ * - Secret values are NEVER readable via API
+ * - On read: only metadata (name, visibility, created_at) is returned
+ * - On write: value must be encrypted with org public key before sending
+ * - If value is undefined: existing secret is kept unchanged (shows [KEEP])
+ * - If value is provided: secret is created/updated with new encrypted value
+ */
+export interface DeclaredGithubOrgSecret {
+    /**
+     * .what = reference to the organization
+     */
+    org: RefByUnique<typeof DeclaredGithubOrg>;
+    /**
+     * .what = secret name
+     * .note = must be unique per org
+     */
+    name: string;
+    /**
+     * .what = secret value (write-only)
+     * .note = if undefined, existing secret is kept unchanged
+     * .note = value is encrypted before being sent to API
+     */
+    value?: string;
+    /**
+     * .what = visibility scope for the secret
+     * .note = 'all' = all repos, 'private' = private repos only, 'selected' = specific repos
+     */
+    visibility: 'all' | 'private' | 'selected';
+    /**
+     * .what = repository names when visibility is 'selected'
+     * .note = only repo names, not full owner/repo format
+     */
+    selectedRepositoryNames?: string[];
+    /**
+     * .what = when the secret was created
+     * .note = is @metadata -> may be undefined
+     */
+    createdAt?: UniDateTime;
+    /**
+     * .what = when the secret was last updated
+     * .note = is @metadata -> may be undefined
+     */
+    updatedAt?: UniDateTime;
+}
+export declare class DeclaredGithubOrgSecret extends DomainEntity<DeclaredGithubOrgSecret> implements DeclaredGithubOrgSecret {
+    static unique: readonly ["org", "name"];
+    static readonly: readonly ["createdAt", "updatedAt"];
+    static writeonly: readonly ["value"];
+    static nested: {
+        org: {
+            new (props: RefByUnique<typeof DeclaredGithubOrg, any, any, any>): RefByUnique<typeof DeclaredGithubOrg, any, any, any>;
+            build<TDobj extends import("domain-objects").Refable<TShape, TPrimary, TUnique>, TShape extends import("domain-objects/dist/reference/Refable").DomainObjectShape = any, TPrimary extends readonly string[] = any, TUnique extends readonly string[] = any>(props: RefByUnique<TDobj, TShape, TPrimary, TUnique>): RefByUnique<TDobj, TShape, TPrimary, TUnique>;
+            as<TDobj_1 extends import("domain-objects").Refable<TShape_1, TPrimary_1, TUnique_1>, TShape_1 extends import("domain-objects/dist/reference/Refable").DomainObjectShape = any, TPrimary_1 extends readonly string[] = any, TUnique_1 extends readonly string[] = any>(props: RefByUnique<TDobj_1, TShape_1, TPrimary_1, TUnique_1>): RefByUnique<TDobj_1, TShape_1, TPrimary_1, TUnique_1>;
+        };
+    };
+}

package/dist/domain.objects/DeclaredGithubOrgSecret.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeclaredGithubOrgSecret = void 0;
+const domain_objects_1 = require("domain-objects");
+class DeclaredGithubOrgSecret extends domain_objects_1.DomainEntity {
+}
+exports.DeclaredGithubOrgSecret = DeclaredGithubOrgSecret;
+DeclaredGithubOrgSecret.unique = ['org', 'name'];
+DeclaredGithubOrgSecret.readonly = ['createdAt', 'updatedAt'];
+DeclaredGithubOrgSecret.writeonly = ['value'];
+DeclaredGithubOrgSecret.nested = {
+    org: (domain_objects_1.RefByUnique),
+};
+//# sourceMappingURL=DeclaredGithubOrgSecret.js.map

package/dist/domain.objects/DeclaredGithubOrgSecret.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DeclaredGithubOrgSecret.js","sourceRoot":"","sources":["../../src/domain.objects/DeclaredGithubOrgSecret.ts"],"names":[],"mappings":";;;AACA,mDAA2D;AA2D3D,MAAa,uBACX,SAAQ,6BAAqC;;AAD/C,0DAUC;AANe,8BAAM,GAAG,CAAC,KAAK,EAAE,MAAM,CAAU,CAAC;AAClC,gCAAQ,GAAG,CAAC,WAAW,EAAE,WAAW,CAAU,CAAC;AAC/C,iCAAS,GAAG,CAAC,OAAO,CAAU,CAAC;AAC/B,8BAAM,GAAG;IACrB,GAAG,EAAE,CAAA,4BAAqC,CAAA;CAC3C,CAAC"}

package/dist/domain.objects/DeclaredGithubOrgVariable.d.ts

@@ -0,0 +1,54 @@
+import type { UniDateTime } from '@ehmpathy/uni-time';
+import { DomainEntity, RefByUnique } from 'domain-objects';
+import type { DeclaredGithubOrg } from './DeclaredGithubOrg';
+/**
+ * .what = a declarative structure representing a GitHub Organization variable
+ * .why = enables declarative management of org-level GitHub Actions variables
+ */
+export interface DeclaredGithubOrgVariable {
+    /**
+     * .what = reference to the organization
+     */
+    org: RefByUnique<typeof DeclaredGithubOrg>;
+    /**
+     * .what = variable name
+     * .note = must be unique per org
+     */
+    name: string;
+    /**
+     * .what = variable value
+     * .note = stored in plain text (not encrypted)
+     */
+    value: string;
+    /**
+     * .what = visibility scope for the variable
+     * .note = 'all' = all repos, 'private' = private repos only, 'selected' = specific repos
+     */
+    visibility: 'all' | 'private' | 'selected';
+    /**
+     * .what = repository names when visibility is 'selected'
+     * .note = only repo names, not full owner/repo format
+     */
+    selectedRepositoryNames?: string[];
+    /**
+     * .what = when the variable was created
+     * .note = is @metadata -> may be undefined
+     */
+    createdAt?: UniDateTime;
+    /**
+     * .what = when the variable was last updated
+     * .note = is @metadata -> may be undefined
+     */
+    updatedAt?: UniDateTime;
+}
+export declare class DeclaredGithubOrgVariable extends DomainEntity<DeclaredGithubOrgVariable> implements DeclaredGithubOrgVariable {
+    static unique: readonly ["org", "name"];
+    static readonly: readonly ["createdAt", "updatedAt"];
+    static nested: {
+        org: {
+            new (props: RefByUnique<typeof DeclaredGithubOrg, any, any, any>): RefByUnique<typeof DeclaredGithubOrg, any, any, any>;
+            build<TDobj extends import("domain-objects").Refable<TShape, TPrimary, TUnique>, TShape extends import("domain-objects/dist/reference/Refable").DomainObjectShape = any, TPrimary extends readonly string[] = any, TUnique extends readonly string[] = any>(props: RefByUnique<TDobj, TShape, TPrimary, TUnique>): RefByUnique<TDobj, TShape, TPrimary, TUnique>;
+            as<TDobj_1 extends import("domain-objects").Refable<TShape_1, TPrimary_1, TUnique_1>, TShape_1 extends import("domain-objects/dist/reference/Refable").DomainObjectShape = any, TPrimary_1 extends readonly string[] = any, TUnique_1 extends readonly string[] = any>(props: RefByUnique<TDobj_1, TShape_1, TPrimary_1, TUnique_1>): RefByUnique<TDobj_1, TShape_1, TPrimary_1, TUnique_1>;
+        };
+    };
+}

package/dist/domain.objects/DeclaredGithubOrgVariable.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeclaredGithubOrgVariable = void 0;
+const domain_objects_1 = require("domain-objects");
+class DeclaredGithubOrgVariable extends domain_objects_1.DomainEntity {
+}
+exports.DeclaredGithubOrgVariable = DeclaredGithubOrgVariable;
+DeclaredGithubOrgVariable.unique = ['org', 'name'];
+DeclaredGithubOrgVariable.readonly = ['createdAt', 'updatedAt'];
+DeclaredGithubOrgVariable.nested = {
+    org: (domain_objects_1.RefByUnique),
+};
+//# sourceMappingURL=DeclaredGithubOrgVariable.js.map