fix(scan): surface GitHub rate-limit errors in bulk repo scan

The bulk-scan loop in `createScanFromGithub` silently swallowed
per-repo failures. A rate-limited token made every repo fail, yet
the outer function returned ok:true with "N repos / 0 manifests",
misleading users into thinking the scan worked.

- Track per-repo failures and short-circuit the loop on known
  blocking errors (rate limit, GraphQL rate limit, abuse detection,
  auth failure) so subsequent repos don't burn more quota for the
  same error
- Return an error CResult when all repos fail, so scripts can tell
  the run did not succeed
- Add regression tests covering the short-circuit and the
  all-repos-failed fallback

Author: jdalton

packages/cli/src/commands/scan/create-scan-from-github.mts

@@ -92,7 +92,17 @@ export async function createScanFromGithub({
   }
 
   let scansCreated = 0
+  let reposScanned = 0
+  // Track a blocking error (rate limit / auth) so we can surface it
+  // instead of reporting silent success with "0 manifests". Without
+  // this, a rate-limited GitHub token made every repo fail its tree
+  // fetch, the outer loop swallowed each error, and the final summary
+  // ("N repos / 0 manifests") misled users into thinking the scan
+  // worked. See ASK-167.
+  let blockingError: CResult<undefined> | undefined
+  const perRepoFailures: Array<{ repo: string; message: string }> = []
   for (const repoSlug of targetRepos) {
+    reposScanned += 1
     // eslint-disable-next-line no-await-in-loop
     const scanCResult = await scanRepo(repoSlug, {
       githubApiUrl,
@@ -107,12 +117,54 @@ export async function createScanFromGithub({
       if (scanCreated) {
         scansCreated += 1
       }
+      continue
+    }
+    perRepoFailures.push({
+      repo: repoSlug,
+      message: scanCResult.message,
+    })
+    // Stop the loop if we hit a rate limit or auth failure — every
+    // subsequent repo will fail for the same reason and continuing
+    // only burns more quota while delaying the real error. Strings
+    // here match `handleGitHubApiError` / `handleGraphqlError` in
+    // utils/git/github.mts.
+    if (
+      scanCResult.message === 'GitHub rate limit exceeded' ||
+      scanCResult.message === 'GitHub GraphQL rate limit exceeded' ||
+      scanCResult.message === 'GitHub abuse detection triggered' ||
+      scanCResult.message === 'GitHub authentication failed'
+    ) {
+      blockingError = {
+        ok: false,
+        message: scanCResult.message,
+        cause: scanCResult.cause,
+      }
+      break
     }
   }
 
-  logger.success(targetRepos.length, 'GitHub repos detected')
+  logger.success(reposScanned, 'GitHub repos processed')
   logger.success(scansCreated, 'with supported Manifest files')
 
+  if (blockingError) {
+    logger.fail(blockingError.message)
+    return blockingError
+  }
+
+  // If every repo failed but not for a known-blocking reason, treat
+  // the run as an error so scripts know something went wrong instead
+  // of inferring success from an ok: true with 0 scans.
+  if (reposScanned > 0 && scansCreated === 0 && perRepoFailures.length === reposScanned) {
+    const firstFailure = perRepoFailures[0]!
+    return {
+      ok: false,
+      message: 'All repos failed to scan',
+      cause:
+        `All ${reposScanned} repos failed to scan. First failure for ${firstFailure.repo}: ${firstFailure.message}. ` +
+        'Check the log above for per-repo details.',
+    }
+  }
+
   return {
     ok: true,
     data: undefined,

packages/cli/test/unit/commands/scan/create-scan-from-github.test.mts

@@ -428,3 +428,106 @@ describe('error message quality', () => {
     }
   })
 })
+
+// Regression tests for ASK-167: the bulk loop in createScanFromGithub
+// used to swallow per-repo failures, so a rate-limited token returned
+// ok:true with "0 manifests". These drive the full function through
+// mocked octokit calls.
+describe('createScanFromGithub rate-limit short-circuit (ASK-167)', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('returns ok:false and stops the loop on GitHub rate limit', async () => {
+    // First call (getRepoDetails for repo-a) fails with rate limit.
+    mockWithGitHubRetry.mockResolvedValueOnce({
+      ok: false,
+      message: 'GitHub rate limit exceeded',
+      cause: 'GitHub API rate limit exceeded.',
+    })
+
+    const { createScanFromGithub } = await import(
+      '../../../../src/commands/scan/create-scan-from-github.mts'
+    )
+
+    const result = await createScanFromGithub({
+      all: false,
+      githubApiUrl: '',
+      githubToken: '',
+      interactive: false,
+      orgGithub: 'org',
+      orgSlug: 'org',
+      outputKind: 'text',
+      repos: 'repo-a,repo-b,repo-c',
+    })
+
+    expect(result.ok).toBe(false)
+    if (!result.ok) {
+      expect(result.message).toBe('GitHub rate limit exceeded')
+    }
+    // Short-circuit: only the first repo's getRepoDetails should have run.
+    expect(mockWithGitHubRetry).toHaveBeenCalledTimes(1)
+  })
+
+  it('returns ok:false and stops on GitHub auth failure', async () => {
+    mockWithGitHubRetry.mockResolvedValueOnce({
+      ok: false,
+      message: 'GitHub authentication failed',
+      cause: 'Bad credentials.',
+    })
+
+    const { createScanFromGithub } = await import(
+      '../../../../src/commands/scan/create-scan-from-github.mts'
+    )
+
+    const result = await createScanFromGithub({
+      all: false,
+      githubApiUrl: '',
+      githubToken: '',
+      interactive: false,
+      orgGithub: 'org',
+      orgSlug: 'org',
+      outputKind: 'text',
+      repos: 'repo-a,repo-b',
+    })
+
+    expect(result.ok).toBe(false)
+    if (!result.ok) {
+      expect(result.message).toBe('GitHub authentication failed')
+    }
+    expect(mockWithGitHubRetry).toHaveBeenCalledTimes(1)
+  })
+
+  it('returns "All repos failed to scan" when every repo errors with a non-blocking reason', async () => {
+    // Each repo's getRepoDetails fails with a non-rate-limit error;
+    // the loop should finish all repos and return the catch-all error.
+    mockWithGitHubRetry.mockResolvedValue({
+      ok: false,
+      message: 'GitHub resource not found',
+      cause: 'Not found.',
+    })
+
+    const { createScanFromGithub } = await import(
+      '../../../../src/commands/scan/create-scan-from-github.mts'
+    )
+
+    const result = await createScanFromGithub({
+      all: false,
+      githubApiUrl: '',
+      githubToken: '',
+      interactive: false,
+      orgGithub: 'org',
+      orgSlug: 'org',
+      outputKind: 'text',
+      repos: 'repo-a,repo-b',
+    })
+
+    expect(result.ok).toBe(false)
+    if (!result.ok) {
+      expect(result.message).toBe('All repos failed to scan')
+      expect(result.cause).toContain('repo-a')
+    }
+    // Both repos should have been attempted (no short-circuit for 404).
+    expect(mockWithGitHubRetry).toHaveBeenCalledTimes(2)
+  })
+})