Scheduled (time-based — nothing fires an event for an aging token). Enforce org/enterprise max token lifetime (1–366 days), inventory tokens by age/expiry/last-use, revoke org access on violation. PLATFORM WALL (document in code): user PATs cannot be created/rotated on a user's behalf via API — only lifetime policy, approval gating, inventory, and revoke-org-access are possible. The token policy/approval APIs are callable ONLY by a GitHub App (warden's auth).
How (cold-handoff): copy the template at src/cycles/branch-protection.ts (read it + src/cycles/README.md). Implement the Cycle interface from src/reconcile/runner.ts (fetchLive/buildDesired/apply receive orgLogin — use it for API paths). Extend src/config/types.ts (all optional — selective-by-omission). Auth src/auth/app-client.ts; diff src/reconcile/diff.ts; guardrails src/reconcile/guardrails.ts. Register in src/cli/registry.ts. Apply = read-modify-write (preserve undeclared live fields); charge the rate budget. Verify via the runner with a mock-client test; tsc clean; tests green.
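The cycle sketched above, as an added worked example that is not the warden project's own code: the `Cycle` shape (fetchLive/buildDesired/apply taking `orgLogin`), the `TokenClient` methods, the policy field names and the sample tokens are all assumptions modelled on the handoff note rather than the real interfaces in src/reconcile/runner.ts or the GitHub API. It shows the three points the note cares about: the 1..366 lifetime guardrail checked before any write, read-modify-write that keeps undeclared live policy fields, and an inventory by age/expiry/last-use that flags never-expiring or over-long tokens for revoke-org-access. The mock client is synchronous for brevity.

```typescript
// Added example (not warden's code): mock-backed PAT lifetime policy cycle.

export interface TokenLifetimePolicy {
  maxLifetimeDays: number;       // platform limit: 1..366
  requireApproval: boolean;      // approval gating for new fine-grained PATs
  [undeclared: string]: unknown; // live fields we do not manage must survive apply
}

export interface LiveToken {
  id: number;
  owner: string;
  createdAt: string;         // ISO-8601
  expiresAt: string | null;  // null = never expires
  lastUsedAt: string | null;
}

// All optional: an omitted field is not managed (selective-by-omission).
export interface LifetimeConfig {
  maxLifetimeDays?: number;
  requireApproval?: boolean;
  revokeViolations?: boolean;
}

// Hypothetical client surface; a real cycle would wrap the GitHub App client.
export interface TokenClient {
  getPolicy(org: string): TokenLifetimePolicy;
  setPolicy(org: string, policy: TokenLifetimePolicy): void;
  listTokens(org: string): LiveToken[];
  revokeOrgAccess(org: string, tokenIds: number[]): void;
}

export interface TokenRecord {
  id: number;
  owner: string;
  ageDays: number;
  daysToExpiry: number | null;
  daysSinceUse: number | null;
  violatesLifetime: boolean;
}

const DAY_MS = 86_400_000;

// Guardrail: refuse lifetimes the platform would reject, before any write happens.
export function validateLifetime(days: number): number {
  if (!Number.isInteger(days) || days < 1 || days > 366) {
    throw new RangeError(`maxLifetimeDays must be an integer in 1..366, got ${days}`);
  }
  return days;
}

const daysBetween = (a: string, b: string): number =>
  Math.floor((Date.parse(b) - Date.parse(a)) / DAY_MS);

// Inventory by age, expiry and last use. A token violates the policy if it never
// expires or if its granted lifetime (expiry minus creation) exceeds the maximum.
export function inventoryTokens(tokens: LiveToken[], maxLifetimeDays: number, now: Date): TokenRecord[] {
  const nowIso = now.toISOString();
  return tokens.map((t) => {
    const lifetime = t.expiresAt === null ? Infinity : daysBetween(t.createdAt, t.expiresAt);
    return {
      id: t.id,
      owner: t.owner,
      ageDays: daysBetween(t.createdAt, nowIso),
      daysToExpiry: t.expiresAt === null ? null : daysBetween(nowIso, t.expiresAt),
      daysSinceUse: t.lastUsedAt === null ? null : daysBetween(t.lastUsedAt, nowIso),
      violatesLifetime: lifetime > maxLifetimeDays,
    };
  });
}

// Read-modify-write: start from the live policy, override only declared fields.
export function buildDesired(live: TokenLifetimePolicy, cfg: LifetimeConfig): TokenLifetimePolicy {
  const desired: TokenLifetimePolicy = { ...live };
  if (cfg.maxLifetimeDays !== undefined) desired.maxLifetimeDays = validateLifetime(cfg.maxLifetimeDays);
  if (cfg.requireApproval !== undefined) desired.requireApproval = cfg.requireApproval;
  return desired;
}

export function diffPolicy(live: TokenLifetimePolicy, desired: TokenLifetimePolicy): string[] {
  return Object.keys(desired).filter((k) => live[k] !== desired[k]);
}

export interface CycleResult { changed: string[]; revoked: number[]; inventory: TokenRecord[] }

export function runLifetimeCycle(client: TokenClient, orgLogin: string, cfg: LifetimeConfig, now: Date): CycleResult {
  const live = client.getPolicy(orgLogin);                     // fetchLive
  const desired = buildDesired(live, cfg);                     // buildDesired
  const changed = diffPolicy(live, desired);
  if (changed.length > 0) client.setPolicy(orgLogin, desired); // apply: one write, only on drift
  const inventory = inventoryTokens(client.listTokens(orgLogin), desired.maxLifetimeDays, now);
  const revoked = cfg.revokeViolations ? inventory.filter((r) => r.violatesLifetime).map((r) => r.id) : [];
  if (revoked.length > 0) client.revokeOrgAccess(orgLogin, revoked);
  return { changed, revoked, inventory };
}

// Constructed in-memory client with sample data (not real tokens), standing in for the API.
export class MockTokenClient implements TokenClient {
  policy: TokenLifetimePolicy = { maxLifetimeDays: 366, requireApproval: false, auditNote: 'keep-me' };
  tokens: LiveToken[] = [
    { id: 1, owner: 'alice', createdAt: '2024-01-01T00:00:00Z', expiresAt: '2024-03-01T00:00:00Z', lastUsedAt: '2024-02-20T00:00:00Z' },
    { id: 2, owner: 'bob', createdAt: '2023-06-01T00:00:00Z', expiresAt: null, lastUsedAt: null },
    { id: 3, owner: 'carol', createdAt: '2024-01-01T00:00:00Z', expiresAt: '2024-12-31T00:00:00Z', lastUsedAt: '2024-02-01T00:00:00Z' },
  ];
  revokedIds: number[] = [];
  getPolicy(_org: string): TokenLifetimePolicy { return this.policy; }
  setPolicy(_org: string, p: TokenLifetimePolicy): void { this.policy = p; }
  listTokens(_org: string): LiveToken[] { return this.tokens; }
  revokeOrgAccess(_org: string, ids: number[]): void { this.revokedIds.push(...ids); }
}
```

Running `runLifetimeCycle(new MockTokenClient(), 'example-org', { maxLifetimeDays: 90, requireApproval: true, revokeViolations: true }, new Date('2024-02-25T00:00:00Z'))` reports drift on `maxLifetimeDays` and `requireApproval`, leaves `auditNote` untouched on the written policy, and revokes org access for the never-expiring token and the one granted 365 days; a second run with the same config reports no drift, which is the idempotence check a mock-client test under the runner should make.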