Detect repos that have fallen out of the required security posture and correct or alert. Continuous (scheduled sweep + webhook on relevant changes). Reuses the security-feature cycle's desired-state; this is the detect-and-remediate loop. Document the alert-vs-auto-correct policy toggle.
How (cold-handoff): copy the template at src/cycles/branch-protection.ts (read it + src/cycles/README.md). Implement the Cycle interface from src/reconcile/runner.ts (fetchLive/buildDesired/apply receive orgLogin — use it for API paths). Extend src/config/types.ts (all optional — selective-by-omission). Auth src/auth/app-client.ts; diff src/reconcile/diff.ts; guardrails src/reconcile/guardrails.ts. Register in src/cli/registry.ts. Apply = read-modify-write (preserve undeclared live fields); charge the rate budget. Verify via the runner with a mock-client test; tsc clean; tests green.
Detect repos that have fallen out of the required security posture and correct or alert. Continuous (scheduled sweep + webhook on relevant changes). Reuses the security-feature cycle's desired-state; this is the detect-and-remediate loop. Document the alert-vs-auto-correct policy toggle.
How (cold-handoff): copy the template at
src/cycles/branch-protection.ts(read it +src/cycles/README.md). Implement theCycleinterface fromsrc/reconcile/runner.ts(fetchLive/buildDesired/applyreceiveorgLogin— use it for API paths). Extendsrc/config/types.ts(all optional — selective-by-omission). Authsrc/auth/app-client.ts; diffsrc/reconcile/diff.ts; guardrailssrc/reconcile/guardrails.ts. Register insrc/cli/registry.ts. Apply = read-modify-write (preserve undeclared live fields); charge the rate budget. Verify via the runner with a mock-client test; tsc clean; tests green.