D-058 — Rotate to fine-grained PAT with Administration:delete before 2026-06-24
Status: accepted
Originally triggered: 2026-06-19
Formally recorded: 2026-06-23
Decided by: Helper Mavis (session 412100071272671) + operator
Context
A long-lived classic GitHub PAT (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) was found embedded in .git/config of a sandbox clone. The token was visible on GitHub from at least 2026-06-19 to 2026-06-22. The token expires 2026-06-24.
The classic PAT has the repo and workflow scopes. It CANNOT delete repositories (the dup cleanup that exposed the case-variant trap needed a fine-grained PAT with the Administration: Delete repositories permission).
Decision
- Mint a fine-grained PAT with the following:
  - Name: fvs-operator-2026
  - Expiry: 90 days from mint date
  - Resource owner: avidtech6
  - Repository access: All repositories (or specific ones if scope-tight)
  - Permissions: Contents (read+write), Pull requests (read+write), Workflows (read+write), Administration (read+write)
- Use the new PAT for all subsequent GitHub operations.
- Strip the old PAT from any local clones (git remote set-url origin https://github.com/<owner>/<repo>.git).
- Let the old PAT expire on 2026-06-24 rather than manually revoking it — operator's call (per 2026-06-22 23:53 UTC chat).
- Rotate the Cloudflare API token at the same time (separate system, same leak risk).
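The "strip the old PAT from local clones" step, as an added POSIX shell helper that is not part of this record: it checks each remote URL of a clone for an embedded GitHub PAT and rewrites the URL without the credential. The repo path argument and any token in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the decision record): find a PAT embedded in a
# clone's remote URL (user:token@ or token@ before the host) and rewrite the
# remote without it, the same effect as the manual `git remote set-url`.

# Print the URL with any userinfo (everything between scheme:// and @) removed.
# https://ghp_XXXX@github.com/o/r.git  ->  https://github.com/o/r.git
strip_url_credentials() {
    printf '%s\n' "$1" | sed -E 's#^([a-z]+://)[^@/]+@#\1#'
}

# Exit 0 if the URL's userinfo holds a GitHub token: a classic PAT
# (ghp_ + 36 alphanumerics) or a fine-grained PAT (github_pat_ prefix).
url_has_github_pat() {
    printf '%s\n' "$1" |
        grep -Eq '^[a-z]+://([^@/]*:)?(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]+)@'
}

# Walk every remote of the clone at $1; report tokens and scrub them unless
# $2 is "-n" (report only). Needs git >= 2.7 for `remote get-url`.
scrub_repo_remotes() {
    repo="$1"
    dry="$2"
    git -C "$repo" remote | while read -r name; do
        url=$(git -C "$repo" remote get-url "$name")
        if url_has_github_pat "$url"; then
            clean=$(strip_url_credentials "$url")
            echo "$repo: remote '$name' carries a GitHub PAT; rewriting to $clean"
            [ "$dry" = "-n" ] || git -C "$repo" remote set-url "$name" "$clean"
        fi
    done
}

# Usage (constructed path): scrub_repo_remotes /path/to/sandbox-clone -n
```

Run it with -n first across all sandbox clones to see which remotes still carry the old token, then without -n to rewrite them.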
Consequences
- ✅ New PAT received by Helper on 2026-06-22 23:50 UTC. Old PAT will expire on 2026-06-24.
- ✅ The dup cleanup on 2026-06-22 was possible because the new PAT has the Administration: delete permission.
- ⚠️ The leak window was 3+ days (2026-06-19 to 2026-06-22). Anyone with the old token could have made authenticated calls. The audit log at https://github.com/settings/tokens should be checked for unexpected activity.
- ⚠️ Cloudflare API token rotation status: confirmed by operator 2026-06-22 23:48 UTC. Done.
Pact cross-references
This is a docHub-level decision about external system hygiene. It does not have a direct pact fragment.
Related decisions
- D-057 — Case-variant trap (the cleanup that needed the new PAT)
- D-059 — Inspect-before-delete (the protocol that should accompany any future PAT-bearing operation)
- Report: 2026-06-22-pat-rotation-plan — the full rotation procedure
- Report: 2026-06-22-dup-cleanup — the cleanup that used the new PAT