# forge-enforce

Enforce repository policies across forge providers (GitHub, etc.). Runs on a schedule, discovers repositories matching allow/deny filters, and applies configured policies.

## Usage

```bash
forge-enforce serve --host 127.0.0.1:3000
```

Requires `FE_CONFIG_DIR` (or `--config-dir`) pointing to a directory of TOML config files, one per forge.

## Configuration

Each file in the config directory defines a forge connection. Example (`github.com.toml`):

```toml
# Schedule: pick one
# schedule.cron = "0 * * * * *"
# schedule.interval = "60" # minutes (default)
schedule.once = true

# Repository filters (regex patterns)
allow = ["^canopy-.*$"]
deny = ["^infrastructure-.*$", "^canopy-data-gateway$"]

# Forge connection
[github]
credentials.token_env = "GITHUB_ACCESS_TOKEN"
organisation = "understory-io"

# Policies to enforce
[policies]
squash_merge_only.enabled = true
```

### Fields

| Field | Description |
|---|---|
| `schedule` | `cron`, `interval` (minutes), or `once` |
| `allow` | Regex list of repository names to include (default: `.*`) |
| `deny` | Regex list of repository names to exclude (default: none) |
| `[github]` | GitHub forge config: `credentials` and `organisation` |
| `credentials` | `token = "..."` or `token_env = "ENV_VAR"` |
| `[policies]` | Policy rules to enforce on matched repositories |
| `squash_merge_only.enabled` | Require squash merges only |
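
A dry-run preview of which repositories the `allow`/`deny` patterns from the example config would select, as an added example (not forge-enforce's own code). It assumes deny takes precedence over allow and that a pattern matches anywhere in the name unless anchored; `select` and the repository names are constructed for illustration.

```python
import re

# Patterns copied from the example github.com.toml above.
ALLOW = [r"^canopy-.*$"]
DENY = [r"^infrastructure-.*$", r"^canopy-data-gateway$"]


def select(repos, allow=None, deny=None):
    """Return {repo: (selected, reason)} for a dry-run review.

    Assumptions (not confirmed by the README): deny wins over allow, and
    a pattern matches if it is found anywhere in the name (search, not
    full match), so unanchored patterns match substrings.
    """
    allow_res = [re.compile(p) for p in (allow if allow else [r".*"])]  # default: .*
    deny_res = [re.compile(p) for p in (deny or [])]                    # default: none
    result = {}
    for name in repos:
        denied = next((r.pattern for r in deny_res if r.search(name)), None)
        allowed = next((r.pattern for r in allow_res if r.search(name)), None)
        if denied:
            result[name] = (False, f"denied by {denied}")
        elif allowed:
            result[name] = (True, f"allowed by {allowed}")
        else:
            result[name] = (False, "no allow pattern matched")
    return result


# Constructed repository names, not taken from any real organisation.
SAMPLE_REPOS = [
    "canopy-api",
    "canopy-data-gateway",
    "canopy-data-gateway-v2",   # not denied: the deny pattern is anchored with $
    "infrastructure-dns",
    "my-canopy-fork",           # not allowed: the allow pattern is anchored with ^
]

if __name__ == "__main__":
    for repo, (ok, why) in select(SAMPLE_REPOS, ALLOW, DENY).items():
        print(f"{'ENFORCE' if ok else 'skip   '} {repo:26} {why}")
    # Dropping the anchors widens the match: "canopy-" now also selects forks.
    print(select(["my-canopy-fork"], allow=[r"canopy-"])["my-canopy-fork"])
```

Reviewing the selection this way before switching from `schedule.once` to a recurring schedule shows whether an anchor is missing or a deny entry is narrower than intended.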