PAT Rotation Plan
Date: 2026-06-22 23:37 UTC (originally written) → re-archived in docHub 2026-06-23 00:30 UTC
Source: Helper session 412100071272671
Deadline: 2026-06-24 (2 days, current classic PAT expires)
Goal: rotate the exposed classic PAT and mint a fine-grained PAT with delete permission so case-variant dup cleanup can proceed
TL;DR
- Revoke the old classic PAT (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) — leak window has been open since 2026-06-19.
- Mint a fine-grained PAT with Administration: Read and write (this is what unblocks the dup cleanup).
- Strip the old token from local .git/config files.
- Rotate the Cloudflare API token too (separate system, same leak risk).
- (Optional) Delete the 5 case-variant dup repos now that delete permission is available.
What was being replaced
| Field | Value |
|---|---|
| Token (DO NOT paste anywhere new) | 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 |
| Type | classic PAT |
| Scopes | repo, workflow |
| Where it lives | /workspace/freshvibestudio/.git/config (raw URL with token embedded) |
| Risk | Visible to anyone with sandbox read access. Has been publicly visible on GitHub. |
Step 1 — Revoke the old PAT
- Open https://github.com/settings/tokens
- Find the row matching 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
- Click Delete, then confirm.
- Effect: immediate. Anything still using the old token stops on the next API call.
Status: Operator chose to let it expire on 2026-06-24 rather than manually revoke. Per OQ-2 in bootstrap/open-questions.md.
Step 2 — Mint a fine-grained replacement
- Open https://github.com/settings/personal-access-tokens/new
- Fill in:
  - Token name: fvs-operator-2026
  - Expiration: 90 days (then re-evaluate)
  - Resource owner: avidtech6
  - Repository access: All repositories (or pick specific ones if you want tighter scope)
- Set only these permissions:
  - Contents: Read and write
  - Metadata: Read-only (auto)
  - Pull requests: Read and write
  - Workflows: Read and write
  - Administration: Read and write ← this is the one that unblocks dup cleanup
- Click Generate token.
- Copy it now — you will not see it again.
Status: New PAT received by Helper 2026-06-22 23:50 UTC. Administration: delete confirmed.
Step 3 — Strip the old token from local clones
For each repo on disk, run:
git remote set-url origin https://github.com/<owner>/<repo>.git
For each repo where you want the new token used non-interactively (this writes the token into that repo's .git/config):
git remote set-url origin https://<NEW_TOKEN>@github.com/<owner>/<repo>.git
Or — preferred — switch to one of these so the token never lives in .git/config:
- gh auth login # OAuth, refresh tokens, scoped per command
- Git Credential Manager — system keychain
- macOS keychain helper — built-in if you have git-credential-osxkeychain
Status: Pending operator action on local clones. Helper has the new PAT in memory but hasn't pushed to any local repo (Helper doesn't have a worktree).
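One way to apply the first command of Step 3 to every clone under a directory, as an added example that is not part of the original plan. The function names scrub_url and strip_remote_tokens are hypothetical; it assumes git 2.7 or later and repo paths without newlines, and it only inspects each remote's fetch URL.

```shell
#!/bin/sh
# Added example: reset every remote whose https URL embeds credentials
# to the clean https://host/owner/repo.git form (Step 3 of this plan).

# Drop any "user[:password]@" userinfo from an http(s) URL.
# SSH-style URLs (git@host:owner/repo.git) are returned unchanged.
scrub_url() {
  printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]+@#\1#'
}

# Walk ROOT and rewrite every remote that carries userinfo.
# Prints one "repo<TAB>remote" line per rewritten remote; the token
# itself is never echoed, so the output is safe to keep in a log.
strip_remote_tokens() {
  find "$1" -type d -name .git -prune | while IFS= read -r gitdir; do
    repo=${gitdir%/.git}
    git -C "$repo" remote | while IFS= read -r name; do
      url=$(git -C "$repo" remote get-url "$name") || continue
      clean=$(scrub_url "$url")
      if [ "$url" != "$clean" ]; then
        git -C "$repo" remote set-url "$name" "$clean"
        printf '%s\t%s\n' "$repo" "$name"
      fi
    done
  done
}

# Usage: sh strip-tokens.sh /workspace
if [ "$#" -gt 0 ]; then strip_remote_tokens "$1"; fi
```

An empty result on a second run confirms that no remote under the directory still carries a token in its URL.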
Step 4 — Rotate the Cloudflare API token too
Cloudflare API tokens are a separate system from GitHub PATs. The Cloudflare Pages API token was previously visible on GitHub in repo configs.
Status: ✅ Done. Operator confirmed 2026-06-22 23:48 UTC.
Step 5 — Clean up the case-variant dups (optional, now possible)
Once the new PAT has Administration: delete, the 5 case-variant pairs become deletable.
Status: ✅ Executed 2026-06-22 23:53 UTC. All 5 dups deleted (204 each). Both casings of each pair return 404. Per reports/2026-06-22-dup-cleanup.md and dangerous/case-variant-dups.md.
Why this matters
The old token has been visible on GitHub since 2026-06-19. Anyone who saw it can still use it until you revoke (or it expires on 2026-06-24).
Cross-references
- D-058 — PAT rotation (the decision)
- Report: 2026-06-22-dup-cleanup — the cleanup that used the new PAT
- dangerous/github-pat-leak.md — the lesson
- bootstrap/open-questions.md OQ-2 — current status