refactor(github): extract canonical error-message constants

Export `GITHUB_ERR_*` constants from utils/git/github.mts so callers
short-circuit on blocking conditions via constant reference instead
of matching literal strings. Previously the create-scan-from-github
loop hard-coded four copies of the same message text — quietly
drifting if the handler's wording ever changed would re-introduce the
"ok:true / 0 manifests" silent-failure this PR was opened to fix.

Author: jdalton

packages/cli/src/commands/scan/create-scan-from-github.mts

@@ -13,7 +13,14 @@ import { REPORT_LEVEL_ERROR } from '../../constants/reporting.mjs'
 import { formatErrorWithDetail } from '../../utils/error/errors.mjs'
 import { socketHttpRequest } from '../../utils/socket/api.mjs'
 import { isReportSupportedFile } from '../../utils/fs/glob.mts'
-import { getOctokit, withGitHubRetry } from '../../utils/git/github.mts'
+import {
+  GITHUB_ERR_ABUSE_DETECTION,
+  GITHUB_ERR_AUTH_FAILED,
+  GITHUB_ERR_GRAPHQL_RATE_LIMIT,
+  GITHUB_ERR_RATE_LIMIT,
+  getOctokit,
+  withGitHubRetry,
+} from '../../utils/git/github.mts'
 import { fetchListAllRepos } from '../repository/fetch-list-all-repos.mts'
 
 import type { CResult, OutputKind } from '../../types.mts'
@@ -123,16 +130,14 @@ export async function createScanFromGithub({
       repo: repoSlug,
       message: scanCResult.message,
     })
-    // Stop the loop if we hit a rate limit or auth failure — every
-    // subsequent repo will fail for the same reason and continuing
-    // only burns more quota while delaying the real error. Strings
-    // here match `handleGitHubApiError` / `handleGraphqlError` in
-    // utils/git/github.mts.
+    // Stop on rate-limit / auth failures: every subsequent repo will
+    // fail for the same reason and continuing only burns more quota
+    // while delaying the real error.
     if (
-      scanCResult.message === 'GitHub rate limit exceeded' ||
-      scanCResult.message === 'GitHub GraphQL rate limit exceeded' ||
-      scanCResult.message === 'GitHub abuse detection triggered' ||
-      scanCResult.message === 'GitHub authentication failed'
+      scanCResult.message === GITHUB_ERR_RATE_LIMIT ||
+      scanCResult.message === GITHUB_ERR_GRAPHQL_RATE_LIMIT ||
+      scanCResult.message === GITHUB_ERR_ABUSE_DETECTION ||
+      scanCResult.message === GITHUB_ERR_AUTH_FAILED
     ) {
       blockingError = {
         ok: false,

packages/cli/src/utils/git/github.mts

@@ -54,6 +54,15 @@ import type { SpawnOptions } from '@socketsecurity/lib/spawn'
 
 export type Pr = components['schemas']['pull-request']
 
+// Canonical `message` values returned by `handleGitHubApiError` /
+// `handleGraphqlError`. Exported so callers can short-circuit on
+// blocking conditions without matching free-form strings.
+export const GITHUB_ERR_ABUSE_DETECTION = 'GitHub abuse detection triggered'
+export const GITHUB_ERR_AUTH_FAILED = 'GitHub authentication failed'
+export const GITHUB_ERR_GRAPHQL_RATE_LIMIT =
+  'GitHub GraphQL rate limit exceeded'
+export const GITHUB_ERR_RATE_LIMIT = 'GitHub rate limit exceeded'
+
 interface CacheEntry {
   timestamp: number
   data: JsonContent
@@ -398,7 +407,7 @@ export function handleGraphqlError(
     if (isGraphqlRateLimitError(e)) {
       return {
         ok: false,
-        message: 'GitHub GraphQL rate limit exceeded',
+        message: GITHUB_ERR_GRAPHQL_RATE_LIMIT,
         cause:
           `GitHub GraphQL rate limit exceeded while ${context}. ` +
           'Try again in a few minutes.\n\n' +
@@ -440,7 +449,7 @@ export function handleGitHubApiError(
     if (status === 403 && e.message.includes('secondary rate limit')) {
       return {
         ok: false,
-        message: 'GitHub abuse detection triggered',
+        message: GITHUB_ERR_ABUSE_DETECTION,
         cause:
           `GitHub abuse detection triggered while ${context}. ` +
           'This happens when making too many requests in a short period. ' +
@@ -474,7 +483,7 @@ export function handleGitHubApiError(
 
       return {
         ok: false,
-        message: 'GitHub rate limit exceeded',
+        message: GITHUB_ERR_RATE_LIMIT,
         cause:
           `GitHub API rate limit exceeded while ${context}. ` +
           (waitTime
@@ -492,7 +501,7 @@ export function handleGitHubApiError(
     if (status === 401) {
       return {
         ok: false,
-        message: 'GitHub authentication failed',
+        message: GITHUB_ERR_AUTH_FAILED,
         cause:
           `GitHub authentication failed while ${context}. ` +
           'Your token may be invalid, expired, or missing required permissions.\n\n' +

packages/cli/test/unit/commands/scan/create-scan-from-github.test.mts

@@ -51,6 +51,10 @@ const mockWithGitHubRetry = vi.hoisted(() =>
 
 // Mock dependencies.
 vi.mock('../../../../src/utils/git/github.mts', () => ({
+  GITHUB_ERR_ABUSE_DETECTION: 'GitHub abuse detection triggered',
+  GITHUB_ERR_AUTH_FAILED: 'GitHub authentication failed',
+  GITHUB_ERR_GRAPHQL_RATE_LIMIT: 'GitHub GraphQL rate limit exceeded',
+  GITHUB_ERR_RATE_LIMIT: 'GitHub rate limit exceeded',
   getOctokit: vi.fn(() => mockOctokit),
   withGitHubRetry: mockWithGitHubRetry,
 }))