Reconcile repository and organization rulesets — a separate REST API from classic branch protection (which the branch-protection cycle already covers). API: /repos/{o}/{r}/rulesets, org rulesets endpoints (rules array, conditions, bypass actors). RMW preserve undeclared rules.
How (cold-handoff): copy the template at src/cycles/branch-protection.ts — read it and src/cycles/README.md first. Implement the Cycle interface from src/reconcile/runner.ts (note: fetchLive/buildDesired/apply all receive orgLogin — use it for API paths, NOT scope). Extend the config types in src/config/types.ts (all fields optional — selective-by-omission). Auth via src/auth/app-client.ts; diff via src/reconcile/diff.ts; guardrails via src/reconcile/guardrails.ts. Register the cycle in src/cli/registry.ts so --cycles <name> resolves it.

Apply MUST be read-modify-write — preserve undeclared live fields (never null/disable what the config did not declare); charge the rate budget per API call.

Verify: round-trips through the runner (dry-run diff accurate; apply create/update/delete) with guardrails, via a mock-client test (see branch-protection.test.ts). npx tsc --noEmit clean; npm test green.
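A sketch of the read-modify-write merge described above, as an added example and not code from this repository. Field names (`rules`, `bypass_actors`, `conditions`, `enforcement`) follow GitHub's rulesets REST API; the helper names, the match-rules-by-`type` policy and the sample data are assumptions.

```typescript
// Added example. Field names follow GitHub's rulesets REST API; the helper
// names and the merge policy (match rules by `type`) are assumptions.
type Rule = { type: string; parameters?: Record<string, unknown> };
type BypassActor = { actor_id: number | null; actor_type: string; bypass_mode: string };
interface Ruleset {
  name: string;
  enforcement: "disabled" | "active" | "evaluate";
  bypass_actors?: BypassActor[];
  conditions?: Record<string, unknown>;
  rules?: Rule[];
}
type DeclaredRuleset = Partial<Ruleset>; // config side: every field optional

// Merge declared rules over live ones; a live rule the config omits is kept as-is.
function mergeRules(live: Rule[] = [], declared: Rule[] = []): Rule[] {
  const merged = live.map((l): Rule => {
    const d = declared.filter((x) => x.type === l.type)[0];
    if (!d) return l;
    // Parameters merge key by key, so an undeclared parameter keeps its live value.
    const parameters = { ...l.parameters, ...d.parameters };
    return Object.keys(parameters).length ? { type: l.type, parameters } : { type: l.type };
  });
  const added = declared.filter((d) => !live.some((l) => l.type === d.type));
  return merged.concat(added);
}

// Full update body: live values everywhere, overridden only where declared.
// `??` treats an explicit [] as a declaration (e.g. "no bypass actors").
function buildUpdateBody(live: Ruleset, declared: DeclaredRuleset): Ruleset {
  return {
    ...live,
    name: declared.name ?? live.name,
    enforcement: declared.enforcement ?? live.enforcement,
    bypass_actors: declared.bypass_actors ?? live.bypass_actors,
    conditions: declared.conditions ?? live.conditions,
    rules: mergeRules(live.rules, declared.rules),
  };
}

// Constructed sample: the config declares a single pull_request parameter.
const liveRuleset: Ruleset = {
  name: "main-protection", enforcement: "active",
  bypass_actors: [{ actor_id: 5, actor_type: "RepositoryRole", bypass_mode: "always" }],
  rules: [
    { type: "deletion" },
    { type: "pull_request", parameters: { required_approving_review_count: 1, require_code_owner_review: true } },
  ],
};
const declaredRuleset: DeclaredRuleset = { rules: [{ type: "pull_request", parameters: { required_approving_review_count: 2 } }] };
```

For the constructed sample, the resulting body keeps the `deletion` rule, the bypass actor list and `require_code_owner_review`, and changes only the declared review count.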