GitHub API client for hand-off (PAT-scoped: push agent branch + PRs only) #13

Description

@Ryan-Atkinson87

Spec: §7.3 (branch protection / PAT scope), §10 + §16.3 secrets (secrets by reference), §5.4 (the only push).

A thin GitHub API client the engine uses to push the agent branch and open/read PRs at hand-off. Authenticated via the github_pat secret resolved by name (#5). Scoped and defensive so it never attempts pushes to protected branches.

Acceptance criteria

  • Authenticates using the github_pat resolved from the environment by reference (Secrets-by-reference resolution and .env.example #5); the token is never logged or written to disk (§10, §16.3).
  • Can push a local branch to origin and open / read pull requests; exposes no operation that pushes to main/dev (the integration/protected branches) — §7.3, §7.5.
  • Every API call has explicit success and failure handling, including an auth failure and a push rejected by branch protection (surfaced as a typed error, not a crash).
  • Confined to the GitHub host(s) on the egress allowlist (github.com, api.github.com); no other hosts.
  • Reusable by later tracker-sync work (Phase 5) — no hand-off-specific assumptions baked into the client itself.
  • Unit tests cover auth-header construction, the success path, and auth / branch-protection failure handling (GitHub API mocked — no live calls).
  • Lint, format, and typecheck pass.

Depends on: #5

Ordering: independent of the branch-lifecycle chain; can be built in parallel.
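The guards the acceptance criteria call for, sketched as an added example (not code from this repository). Python, the `GITHUB_PAT` variable name, and every class and function name here are assumptions; the host allowlist and the `main`/`dev` branch names come from the issue.

```python
import os
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"github.com", "api.github.com"})  # egress allowlist from the issue
PROTECTED_BRANCHES = frozenset({"main", "dev"})              # integration branches from the issue

class GitHubClientError(Exception): pass
class AuthError(GitHubClientError): pass
class BranchProtectionError(GitHubClientError): pass
class EgressError(GitHubClientError): pass

class Token:
    """Holds the PAT so that repr(), str() and log formatting never reveal it."""
    __slots__ = ("_value",)
    def __init__(self, value):
        self._value = value
    def __repr__(self):
        return "Token(<redacted>)"
    __str__ = __repr__
    def auth_header(self):
        return {"Authorization": f"Bearer {self._value}"}

def resolve_token(name="GITHUB_PAT", env=None):
    """Resolve the secret by name; GITHUB_PAT is an assumed variable name."""
    value = (os.environ if env is None else env).get(name, "").strip()
    if not value:
        raise AuthError(f"secret {name} is not set")  # names the secret, never its value
    return Token(value)

def check_url(url):
    """Allow only https URLs whose parsed host is on the allowlist."""
    try:
        parts = urlsplit(url)
        ok = (parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS
              and parts.port in (None, 443))
    except ValueError:  # malformed port or host
        ok = False
    if not ok:
        raise EgressError("URL is outside the GitHub egress allowlist")
    return url

def push_ref(branch):
    """Return the ref to push, refusing protected branches before any network call."""
    name = branch.removeprefix("refs/heads/")
    if not name or name in PROTECTED_BRANCHES:
        raise BranchProtectionError(f"refusing to push to {name or 'empty ref'}")
    return f"refs/heads/{name}"

def raise_for_status(status):
    """Map an HTTP 401 from the API to the typed auth error."""
    if status == 401:
        raise AuthError("GitHub rejected the token (HTTP 401)")
    return status
```

The host check compares the parsed hostname rather than a string prefix, so a URL that carries an allowlisted name in its userinfo part is still rejected.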

Labels: enhancement