Reconcile org members, admins, and outside collaborators. API: /orgs/{org}/members, /orgs/{org}/memberships/{user}, outside-collaborator endpoints. The admin-floor / required-admins / removal-delta guardrails matter most here — verify they trip via the runner.
How (cold-handoff): copy the template at src/cycles/branch-protection.ts — read it and src/cycles/README.md first. Implement the Cycle interface from src/reconcile/runner.ts (note: fetchLive/buildDesired/apply all receive orgLogin — use it for API paths, NOT scope). Extend the config types in src/config/types.ts (all fields optional — selective-by-omission). Auth via src/auth/app-client.ts; diff via src/reconcile/diff.ts; guardrails via src/reconcile/guardrails.ts. Register the cycle in src/cli/registry.ts so --cycles <name> resolves it. Apply MUST be read-modify-write — preserve undeclared live fields (never null/disable what the config did not declare); charge the rate budget per API call. Verify: round-trips through the runner (dry-run diff accurate; apply create/update/delete) with guardrails, via a mock-client test (see branch-protection.test.ts). npx tsc --noEmit clean; npm test green.
Reconcile org members, admins, and outside collaborators. API:
/orgs/{org}/members,/orgs/{org}/memberships/{user}, outside-collaborator endpoints. The admin-floor / required-admins / removal-delta guardrails matter most here — verify they trip via the runner.How (cold-handoff): copy the template at
src/cycles/branch-protection.ts— read it andsrc/cycles/README.mdfirst. Implement theCycleinterface fromsrc/reconcile/runner.ts(note:fetchLive/buildDesired/applyall receiveorgLogin— use it for API paths, NOTscope). Extend the config types insrc/config/types.ts(all fields optional — selective-by-omission). Auth viasrc/auth/app-client.ts; diff viasrc/reconcile/diff.ts; guardrails viasrc/reconcile/guardrails.ts. Register the cycle insrc/cli/registry.tsso--cycles <name>resolves it. Apply MUST be read-modify-write — preserve undeclared live fields (never null/disable what the config did not declare); charge the rate budget per API call. Verify: round-trips through the runner (dry-run diff accurate; apply create/update/delete) with guardrails, via a mock-client test (seebranch-protection.test.ts).npx tsc --noEmitclean;npm testgreen.