fix(metadata): drop orphan private repo entries blocking data merge

[fro-bot]

What

The scheduled Merge Data Branch workflow is fail-closed at 🔒 Block private wiki pages. scripts/check-wiki-private-presence.ts could not verify two private entries in metadata/repos.yaml:

[subprocess-threw] R_kgDOSVJgdw
[subprocess-threw] R_kgDOSZ9x-w

• Failing run: https://github.com/fro-bot/.github/actions/runs/26726914713/job/78763657557#step:6:1

Root cause

Both node IDs resolve to GraphQL NOT_FOUND:

Could not resolve to a node with the global id of 'R_kgDOSVJgdw'.
Could not resolve to a node with the global id of 'R_kgDOSZ9x-w'.

The repos were deleted or the App's installation lost access. They sit in repos.yaml as orphan placeholders — owner: '[REDACTED]', name equal to the node_id, onboarding_status: pending — never fully onboarded, now unreachable.

The diagnostic also mislabeled the failure class. gh api graphql exits non-zero whenever the response carries a top-level errors array — including the benign NOT_FOUND that ships alongside a valid data.node: null. execFileSync therefore threw before the code could read data.node, and the catch defaulted every such failure to subprocess-threw (network/rate-limit/auth). The real cause — repo lifecycle — was masked.

Changes

• Remove the two orphan entries from metadata/repos.yaml. This unblocks the weekly merge. reconcile-repos.ts would eventually prune them on its daily cron (it already has lost-access handling for [REDACTED] entries), but the privacy gate fails before reconcile runs.
• Fix error classification in check-wiki-private-presence.ts. The catch block now inspects the thrown subprocess's captured stdout/stderr via a new isNotFoundSignal helper and classifies a NOT_FOUND / data.node: null body as node-null ("investigate repo lifecycle/App access") instead of subprocess-threw. Genuine transport errors (HTTP 401 with no body) still classify as subprocess-threw.
• Tests: added coverage for the non-zero-exit-carrying-NOT_FOUND path, the transport-error path, and isNotFoundSignal unit tests. 31 tests pass.

The gate stays fail-closed by design — this only sharpens why it fails so the next orphan points operators at the right place.

Verification

• vitest run scripts/check-wiki-private-presence.test.ts — 31 passed
• tsc --noEmit — clean
• node scripts/check-wiki-private-presence.ts against the fixed repos.yaml — exits 0 (remaining repos resolve cleanly, no leaks)

Note

The privacy check reads repos.yaml from the data branch in the workflow (working-directory: data-branch-check). Once this merges to main, the next data→main sync reconciles the two branches; reconcile's lost-access path keeps them aligned. If the next scheduled merge still trips on the data-branch copy, a manual data branch sync may be needed.

Refs #3375

Run Summary — dispatch #26728562097 (workflow_dispatch)

• Diagnosis: R_kgDOSVJgdw and R_kgDOSZ9x-w resolve to GraphQL NOT_FOUND (deleted repos / lost App access). Orphan placeholders in metadata/repos.yaml.
• Fix: removed both orphan entries; reclassified gh non-zero NOT_FOUND exits as node-null instead of subprocess-threw.
• Checks: vitest (31 passed) + tsc + live privacy check all green.

🤖 Generated by Fro Bot

[Copilot]

Pull request overview

This PR unblocks the Merge Data Branch privacy gate by removing two orphaned private repo metadata entries and improving diagnostics for GraphQL NOT_FOUND responses from gh api graphql.

Changes:

• Removed two unreachable [REDACTED] private repository placeholders from metadata/repos.yaml.
• Added isNotFoundSignal() handling so non-zero gh exits containing NOT_FOUND are classified as node-null.
• Added tests for NOT_FOUND classification, transport errors, and helper behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
scripts/check-wiki-private-presence.ts	Improves failure classification for captured GraphQL NOT_FOUND output.
scripts/check-wiki-private-presence.test.ts	Adds coverage for new classification paths and helper behavior.
metadata/repos.yaml	Removes the two orphan private repository entries blocking the privacy gate.