Spec: §7.3 (branch protection / PAT scope), §10 + §16.3 secrets (secrets by reference), §5.4 (the only push).
A thin GitHub API client the engine uses to push the agent branch and open/read PRs at hand-off. Authenticated via the github_pat secret resolved by name (#5). Scoped and defensive so it never attempts pushes to protected branches.
Acceptance criteria
Depends on: #5
Ordering: independent of the branch-lifecycle chain; can be built in parallel.
Spec: §7.3 (branch protection / PAT scope), §10 + §16.3
secrets(secrets by reference), §5.4 (the only push).A thin GitHub API client the engine uses to push the agent branch and open/read PRs at hand-off. Authenticated via the
github_patsecret resolved by name (#5). Scoped and defensive so it never attempts pushes to protected branches.Acceptance criteria
github_patresolved from the environment by reference (Secrets-by-reference resolution and .env.example #5); the token is never logged or written to disk (§10, §16.3).main/dev(the integration/protected branches) — §7.3, §7.5.github.com,api.github.com); no other hosts.Depends on: #5
Ordering: independent of the branch-lifecycle chain; can be built in parallel.