fix(#860): sync org variable visibility when enabling repos #862

Open
fullsend-ai-coder[bot] wants to merge 1 commit into main from agent/860-sync-org-variable-visibility
@fullsend-ai-coder

When `fullsend admin enable repos` enrolls new repositories, the FULLSEND_MINT_URL org variable's "selected" visibility is not updated to include the new repos. This causes the shim workflow in newly enrolled repos to fail because the variable is empty.

Add SetOrgVariableRepos and GetOrgVariableRepos to the forge client interface (paralleling existing SetOrgSecretRepos). After saving the updated config in runEnableRepos, call a new syncOrgVariableVisibility helper that collects all enrolled repo IDs (plus the config repo) and updates the variable's repository access list. The sync is best-effort: failures are logged as warnings but do not block the enable command, since repo-maintenance can reconcile later.


Closes #860

Post-script verification

  • Branch is not main/master (agent/860-sync-org-variable-visibility)
  • Secret scan passed (gitleaks — c95b51ec1bad556d3486bf85721dec12fab53024..HEAD)
  • Pre-commit hooks passed (authoritative run on runner)
  • Tests ran inside sandbox

When `fullsend admin enable repos` enrolls new repositories, the
FULLSEND_MINT_URL org variable's "selected" visibility is not
updated to include the new repos. This causes the shim workflow
in newly enrolled repos to fail because the variable is empty.

Add SetOrgVariableRepos and GetOrgVariableRepos to the forge
client interface (paralleling existing SetOrgSecretRepos). After
saving the updated config in runEnableRepos, call a new
syncOrgVariableVisibility helper that collects all enrolled repo
IDs (plus the config repo) and updates the variable's repository
access list. The sync is best-effort: failures are logged as
warnings but do not block the enable command, since
repo-maintenance can reconcile later.

Closes #860
@github-actions

fullsend review is working on this — view logs

@github-actions

Site preview

Preview: https://1005cb93-site.fullsend-ai.workers.dev

Commit: 7c9c8867d638150f9ee70f5850bc99a9b3dafdf5

@fullsend-ai-review

Review: #862

Head SHA: 7c9c886
Timestamp: 2026-05-13T00:00:00Z
Outcome: approve

Summary

This PR fixes a real bug where newly enrolled repos cannot read the FULLSEND_MINT_URL org variable because the variable's "selected" repository visibility list is not updated during admin enable repos. The fix adds SetOrgVariableRepos and GetOrgVariableRepos to the forge client interface (mirroring the existing SetOrgSecretRepos/GetOrgSecretRepos pattern exactly), and calls a new syncOrgVariableVisibility helper after config save. The implementation is best-effort (warnings on failure, no blocking), appropriately scoped to oidc-mint dispatch mode, and well-tested with three focused test cases covering the happy path, non-oidc-mint skip, and missing-variable skip.

Findings

Medium

  • [correctness] internal/cli/admin.go:dispatchOrgVariableNames — The hardcoded variable name list (FULLSEND_MINT_URL) is documented as needing manual sync with gcf.Provisioner.OrgVariableNames(). This is a maintenance hazard — if a new dispatch variable is added to the provisioner, this list could silently drift. The comment acknowledges this trade-off to avoid a package dependency, which is reasonable for now, but consider a build-time check or shared constant in a future PR.

  • [correctness] internal/cli/admin.go:syncOrgVariableVisibility — When GetRepo for the config repo fails (line where configRepo is fetched), the error is silently swallowed and the config repo is simply omitted from the visibility list. This is acceptable for best-effort behavior, but a warning log would help operators diagnose why the config repo's workflows might fail to read the variable.

Info

  • [style] The new SetOrgVariableRepos and GetOrgVariableRepos implementations in github.go are exact structural copies of SetOrgSecretRepos and GetOrgSecretRepos, which is the correct pattern to follow in this codebase.

  • [correctness] The allOrgRepos variable hoisting from block-scoped to function-scoped is clean — both the --all and explicit-repos branches assign to it, and it's only consumed after both branches complete. No nil-pointer risk since syncOrgVariableVisibility handles nil allOrgRepos gracefully (empty map, empty enrolled list).

Footer

Outcome: approve
This review applies to SHA 7c9c8867d638150f9ee70f5850bc99a9b3dafdf5. Any push to the PR head clears this review and requires a new evaluation.
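
A sketch of the best-effort visibility sync this PR describes, with a warning on a failed repo lookup (the review's second finding) and a guard against replacing the access list with an empty one. This is an added example, not the PR's code: the `Forge` interface and its method signatures, `SyncVisibility`, `fakeForge`, the org `acme`, and the repo names and IDs are assumed or constructed for illustration.

```go
package main

import "fmt"

// Forge is a hypothetical stand-in for the forge client; both signatures are assumed.
type Forge interface {
	GetRepoID(org, name string) (int64, error)
	SetOrgVariableRepos(org, variable string, repoIDs []int64) error
}

// SyncVisibility is best-effort: failures become warnings and never block the caller.
func SyncVisibility(f Forge, org, variable, configRepo string, enrolled []string) (ids []int64, warnings []string) {
	for _, name := range append([]string{configRepo}, enrolled...) {
		id, err := f.GetRepoID(org, name)
		if err != nil { // warn instead of silently omitting the repo
			warnings = append(warnings, fmt.Sprintf("repo %q omitted from %s visibility: %v", name, variable, err))
			continue
		}
		ids = append(ids, id)
	}
	if len(ids) == 0 { // never replace the access list with an empty one
		return nil, append(warnings, "no repo IDs resolved; "+variable+" visibility left unchanged")
	}
	if err := f.SetOrgVariableRepos(org, variable, ids); err != nil {
		warnings = append(warnings, fmt.Sprintf("updating %s visibility failed: %v", variable, err))
	}
	return ids, warnings
}

// fakeForge is a constructed in-memory forge used only for this demo.
type fakeForge struct {
	repos map[string]int64
	set   []int64
}

func (f *fakeForge) GetRepoID(_, name string) (int64, error) {
	if id, ok := f.repos[name]; ok {
		return id, nil
	}
	return 0, fmt.Errorf("not found")
}

func (f *fakeForge) SetOrgVariableRepos(_, _ string, ids []int64) error { f.set = ids; return nil }

func main() {
	f := &fakeForge{repos: map[string]int64{"api": 11, "web": 12}} // constructed sample data
	ids, warns := SyncVisibility(f, "acme", "FULLSEND_MINT_URL", "config-repo", []string{"web", "api"})
	fmt.Println(ids, warns)
}
```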


Development

Successfully merging this pull request may close these issues.

FULLSEND_MINT_URL org variable not visible to newly enrolled repos
