Add resolved repo identity to fix --debug output

AriESQ · claude · AriESQ · commit 3025ed3e8ff9 · 2026-04-07T14:31:01.000-04:00
When multiple repos share the same name under different owners (e.g.
user/quest and org/quest), the existing debug output only showed API
paths with no way to confirm which concrete repo was targeted. Now
fix --debug emits the repo's id, full_name, and owner_type immediately
after fetching repo data.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -52,7 +52,7 @@ API and tool quirks that affect future work. For full context on any of these, s
 **Key design invariants:**
 - CLI uses subcommands: `create`, `fix`, `scan` — all GitHub-targeting commands require `owner/repo` format
 - `create` validates `owner` case-insensitively against the authenticated user (UX guard for multi-account systems)
-- `fix` skips the owner check and instead verifies admin permissions on the target repo (supports org repos and collaborator access)
+- `fix` skips the owner check and instead verifies admin permissions on the target repo (supports org repos and collaborator access); `--debug` emits the resolved repo identity (id, full_name, owner_type) to help confirm the correct repo is targeted
 - `fix` has no secret scanning (settings-only); `create --local/--from` has automatic pre-flight scan
 - `create` and `fix` both prompt for confirmation before applying; `--yes`/`-y` skips the prompt for scripted/batch use
 - `enforce_admins = false` is intentional (owner bypass for tooling)
diff --git a/MANUAL_TESTING.md b/MANUAL_TESTING.md
@@ -665,6 +665,33 @@ gh-safe-repo create YOUR_USERNAME/gsr-test-debug-01 --dry-run --debug
 
 No tokens or credentials appear in debug output (sanitized URLs).
 
+### 8.2 Debug output shows resolved repo identity (fix)
+
+```bash
+gh-safe-repo fix YOUR_USERNAME/some-repo --dry-run --debug
+```
+
+**Expected:** After the `GET /repos` line, a repo identity line:
+
+```
+[debug] GET /repos/YOUR_USERNAME/some-repo
+[debug] repo: YOUR_USERNAME/some-repo (id=123456789, owner_type=User)
+```
+
+For an org repo:
+
+```bash
+gh-safe-repo fix some-org/some-repo --dry-run --debug
+```
+
+**Expected:**
+
+```
+[debug] repo: some-org/some-repo (id=987654321, owner_type=Organization)
+```
+
+This helps confirm you are targeting the correct repo when multiple repos share the same name under different owners.
+
 ---
 
 ## 9. Config File Customisation
@@ -873,6 +900,8 @@ Run each test doc's full suite before considering these scripts production-ready
 | 7.1 --json output | Y | | | | | Y | | Y | Y |
 | 7.2 --json pipeable | Y | | | | | Y | | Y | Y |
 | 7.3 --json fix | | | | Y | | Y | | Y | Y |
+| 8.1 Debug API calls | Y | | | Y | | | | Y | Y |
+| 8.2 Debug repo identity (fix) | | | | Y | | | | Y | Y |
 | 9.1 Custom config | Y | | | | | | | Y | Y |
 | 11.1 Abort on findings | Y | | Y | | Y | | | Y | Y |
 | 12.1 Rulesets API | Y | | | | | | | | Y |
diff --git a/README.md b/README.md
@@ -219,7 +219,7 @@ All commands that interact with GitHub require the `owner/repo` format (e.g. `my
 | `--dry-run` | Show settings diff without applying changes |
 | `--json` | Emit the plan as JSON to stdout instead of the ANSI table |
 | `--config [PATH]` | Path to config file; bare `--config` uses built-in defaults only |
-| `--debug` | Print every API call and response |
+| `--debug` | Print every API call and response, plus resolved repo identity (id, full name, owner type) |
 
 ### `scan` — Local secret scanning
 
diff --git a/docs/LEARNINGS.md b/docs/LEARNINGS.md
@@ -183,3 +183,9 @@ Technical notes accumulated during development. Moved from CLAUDE.md to keep the
 ## Config Consistency
 
 **`SAFE_DEFAULTS` must stay in sync with `gh-safe-repo.ini.example` — enforced by `test_config_consistency.py`.** Before this test existed, several keys consumed by `security_scanner.py` (`scan_email_history`, `exclude_emails`, `warn_ai_context_files`, `scan_exclude_paths`) relied on hardcoded `fallback=` values in the code but had no entry in `SAFE_DEFAULTS`. The `actions.enabled` key was in `SAFE_DEFAULTS` but missing from the example file. The test suite catches three classes of drift: missing/extra sections or keys, value mismatches, and config reads with neither a `SAFE_DEFAULTS` entry nor an explicit `fallback=`.
+
+## `fix` Non-Owner Repo Support
+
+**`fix` skips the `build_context()` owner check and verifies admin permissions from the repo API response instead.** The original owner check (`actual_owner.lower() != expected_owner.lower()`) was a UX guard for multi-account systems, not a security mechanism. For `fix`, requiring ownership is too strict — users need to fix org repos and repos where they are collaborators with admin access. The `permissions.admin` field from `GET /repos/{owner}/{repo}` is the correct check because admin access is what's actually needed to modify repo settings.
+
+**`fix --debug` emits the resolved repo identity (id, full_name, owner_type) after fetching repo data.** When multiple repos share the same name under different owners (e.g. `user/quest` and `org/quest`), the standard debug output (`[debug] GET /repos/{owner}/{repo}`) doesn't confirm which concrete repo was resolved. The identity line (`[debug] repo: owner/repo (id=N, owner_type=User|Organization)`) makes this immediately visible.
diff --git a/gh_safe_repo/README.md b/gh_safe_repo/README.md
@@ -77,5 +77,8 @@ cli.main()
   `gh api` directly from a plugin or from `cli.py`.
 - **Tokens are never logged.** Debug output uses sanitised URLs; `GH_TOKEN` is
   injected into the child-process environment, not into logged command strings.
+- **`fix` emits repo identity in debug mode.** After `get_repo_data()`, `fix`
+  prints the repo's `id`, `full_name`, and `owner.type` to stderr when `--debug`
+  is set, so users can confirm they are targeting the correct repo.
 - **`GET /user` and `GET /repos/{owner}/{repo}` are cached.** `GitHubClient` caches
   both; every plugin hits the cache instead of making a fresh HTTP call.
diff --git a/gh_safe_repo/commands/fix.py b/gh_safe_repo/commands/fix.py
@@ -75,6 +75,12 @@ def run(args):
             error(f"Failed to fetch repository info: {e}")
         sys.exit(1)
 
+    if args.debug:
+        repo_id = repo_data.get("id", "unknown")
+        full_name = repo_data.get("full_name", f"{owner}/{repo_name}")
+        owner_type = repo_data.get("owner", {}).get("type", "unknown")
+        print(f"[debug] repo: {full_name} (id={repo_id}, owner_type={owner_type})", file=sys.stderr)
+
     # Verify the authenticated user has admin access (required to change settings)
     if not repo_data.get("permissions", {}).get("admin", False):
         error(
diff --git a/tests/test_cli.py b/tests/test_cli.py
@@ -194,6 +194,9 @@ def test_no_admin_permission_exits(self):
             with patch("gh_safe_repo.commands.fix.build_context") as mock_ctx:
                 mock_client = MagicMock()
                 mock_client.get_repo_data.return_value = {
+                    "id": 123,
+                    "full_name": "some-org/some-repo",
+                    "owner": {"login": "some-org", "type": "Organization"},
                     "private": False,
                     "default_branch": "main",
                     "permissions": {"admin": False, "push": True, "pull": True},
@@ -212,6 +215,9 @@ def test_admin_permission_proceeds(self):
             with patch("gh_safe_repo.commands.fix.build_context") as mock_ctx:
                 mock_client = MagicMock()
                 mock_client.get_repo_data.return_value = {
+                    "id": 123,
+                    "full_name": "some-org/some-repo",
+                    "owner": {"login": "some-org", "type": "Organization"},
                     "private": False,
                     "default_branch": "main",
                     "permissions": {"admin": True, "push": True, "pull": True},
