Automate approve/deny of fine-grained PAT requests against policy. API: org fine-grained-PAT request endpoints — callable ONLY by a GitHub App. Poll/event-driven on pending requests. Platform wall: admins approve or deny; they cannot assign a token's repo scope (the creator chooses it).
How (cold-handoff): copy the template at src/cycles/branch-protection.ts (read it + src/cycles/README.md). Implement the Cycle interface from src/reconcile/runner.ts (fetchLive/buildDesired/apply receive orgLogin — use it for API paths). Extend src/config/types.ts (all optional — selective-by-omission). Auth src/auth/app-client.ts; diff src/reconcile/diff.ts; guardrails src/reconcile/guardrails.ts. Register in src/cli/registry.ts. Apply = read-modify-write (preserve undeclared live fields); charge the rate budget. Verify via the runner with a mock-client test; tsc clean; tests green.
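One way to express the policy check as a pure function, as an added example that is not code from this repository: the request field names follow GitHub's REST response for pending fine-grained PAT requests, while `PatPolicy`, `decide` and the sample data are hypothetical. Because a reviewer cannot narrow a token's repository scope, an over-broad request is denied with a reason rather than adjusted.

```typescript
// Added example. PatRequest mirrors GitHub's pending-request fields; PatPolicy and decide() are hypothetical.
type Access = "read" | "write" | "admin";
interface PatRequest {
  id: number;
  owner: { login: string };
  repository_selection: "none" | "all" | "subset";
  permissions: { organization?: Record<string, string>; repository?: Record<string, string> };
  token_expires_at: string | null; // assumption: null means the token never expires
}
interface PatPolicy {
  allowAllRepos: boolean;
  allowOrgPermissions: boolean;
  maxLifetimeDays: number;
  maxRepoAccess: { [permission: string]: Access | undefined }; // unlisted = denied
}
// Same shape as the review call's body: { action, reason }.
interface Decision { id: number; action: "approve" | "deny"; reason: string }
const RANK: Record<Access, number> = { read: 1, write: 2, admin: 3 };

function decide(req: PatRequest, policy: PatPolicy, now: Date): Decision {
  const deny = (reason: string): Decision => ({ id: req.id, action: "deny", reason });
  // Platform wall: the reviewer cannot narrow scope, so too broad means deny.
  if (req.repository_selection === "all" && !policy.allowAllRepos) return deny("all-repository scope not permitted");
  if (req.token_expires_at === null) return deny("token has no expiry");
  const days = (Date.parse(req.token_expires_at) - now.getTime()) / 86400000;
  // Negated comparison so an unparseable date (NaN) fails closed.
  if (!(days <= policy.maxLifetimeDays)) return deny(`lifetime exceeds ${policy.maxLifetimeDays} days`);
  const orgPerms = Object.keys(req.permissions.organization ?? {});
  if (!policy.allowOrgPermissions && orgPerms.length > 0) return deny("organization permissions not permitted");
  for (const [name, level] of Object.entries(req.permissions.repository ?? {})) {
    const cap = policy.maxRepoAccess[name];
    const rank = RANK[level as Access] ?? Infinity; // unknown level fails closed
    if (cap === undefined || rank > RANK[cap]) return deny(`${name}:${level} exceeds policy`);
  }
  return { id: req.id, action: "approve", reason: "within policy" };
}

// Constructed sample data (not real requests).
const POLICY: PatPolicy = { allowAllRepos: false, allowOrgPermissions: false,
  maxLifetimeDays: 90, maxRepoAccess: { contents: "write", metadata: "read" } };
const NOW = new Date("2025-01-01T00:00:00Z");
const EXP = "2025-02-01T00:00:00Z";
const SAMPLE: PatRequest[] = [
  { id: 1, owner: { login: "alice" }, repository_selection: "subset",
    permissions: { repository: { contents: "read", metadata: "read" } }, token_expires_at: EXP },
  { id: 2, owner: { login: "bob" }, repository_selection: "all",
    permissions: { repository: { contents: "read" } }, token_expires_at: EXP },
  { id: 3, owner: { login: "carol" }, repository_selection: "subset",
    permissions: { repository: { administration: "write" } }, token_expires_at: EXP },
];
const decisions = SAMPLE.map((r) => decide(r, POLICY, NOW));
```

Keeping the decision pure leaves the GitHub App call as the only side effect, so a mock-client test can assert on the decisions without network access.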