@openparachute/vault 0.4.8 → 0.4.9-rc.10

package/core/src/schema.ts

@@ -2,7 +2,7 @@ import { Database } from "bun:sqlite";
 import { normalizePath } from "./paths.js";
 import { rebuildIndexes } from "./indexed-fields.js";
 
-export const SCHEMA_VERSION = 18;
+export const SCHEMA_VERSION = 19;
 
 export const SCHEMA_SQL = `
 -- Notes: the universal record.
@@ -118,6 +118,20 @@ CREATE TABLE IF NOT EXISTS indexed_fields (
 --
 -- scope_tag / scope_path_prefix are deprecated Phase-0 columns — never
 -- enforced at runtime, kept only for schema stability.
+-- created_via (v19) records the provenance of a token. NULL means the
+-- legacy/unspecified path (CLI, REST mint, YAML import); 'mcp_mint' means
+-- the token was minted by the manage-token MCP tool, which lets the
+-- list/revoke surface of that tool restrict itself to its own session's
+-- mints (no cross-session token management from inside MCP).
+--
+-- parent_jti (v19) is the display id (t_hashprefix) of the token that
+-- minted this one, or the hub-JWT jti claim when minted from a hub
+-- session. Session-pinned list+revoke in manage-token filters on this.
+--
+-- revoked_at (v19) marks soft-revocation. Revoke from manage-token sets
+-- this rather than deleting the row, so the audit trail stays intact and
+-- the second revoke of the same jti is idempotent (returns ok=true).
+-- resolveToken treats a revoked_at-set row as not-found.
 CREATE TABLE IF NOT EXISTS tokens (
   token_hash TEXT PRIMARY KEY,
   label TEXT NOT NULL,
@@ -129,7 +143,10 @@ CREATE TABLE IF NOT EXISTS tokens (
   expires_at TEXT,
   created_at TEXT NOT NULL,
   last_used_at TEXT,
-  vault_name TEXT
+  vault_name TEXT,
+  created_via TEXT,
+  parent_jti TEXT,
+  revoked_at TEXT
 );
 
 -- OAuth: registered clients (Dynamic Client Registration)
@@ -380,6 +397,12 @@ export function initSchema(db: Database): void {
   // (markdown), unchanged in meaning. See vault#328.
   migrateToV18(db);
 
+  // Migrate v18 → v19: add MCP-mint provenance columns to `tokens`
+  // (created_via, parent_jti, revoked_at) for vault#376's manage-token tool.
+  // All three are nullable; existing rows backfill to NULL which means
+  // "non-MCP-minted, not revoked" — identical pre-v19 semantics.
+  migrateToV19(db);
+
   // Rebuild any generated columns + indexes declared in indexed_fields.
   // No-op for a fresh vault; idempotent on existing vaults.
   rebuildIndexes(db);
@@ -952,6 +975,32 @@ function migrateToV18(db: Database): void {
   }
 }
 
+/**
+ * Migrate v18 → v19: add `created_via`, `parent_jti`, `revoked_at` columns
+ * to `tokens` so manage-token can attribute mints to the MCP session that
+ * minted them, scope its list+revoke to those tokens, and soft-revoke
+ * (preserving the audit trail).
+ *
+ * All three columns are nullable; existing rows backfill to NULL with
+ * back-compat semantics — `created_via IS NULL` matches the CLI/REST-mint
+ * provenance, `revoked_at IS NULL` matches "still active". Idempotent —
+ * the column-existence guard means the migration is safe to re-run on a
+ * post-v19 vault. See vault#376.
+ */
+function migrateToV19(db: Database): void {
+  if (!hasTable(db, "tokens")) return;
+  const cols: [string, string][] = [
+    ["created_via", "TEXT"],
+    ["parent_jti", "TEXT"],
+    ["revoked_at", "TEXT"],
+  ];
+  for (const [col, type] of cols) {
+    if (!hasColumn(db, "tokens", col)) {
+      db.exec(`ALTER TABLE tokens ADD COLUMN ${col} ${type}`);
+    }
+  }
+}
+
 function hasTable(db: Database, name: string): boolean {
   const row = db.prepare("SELECT name FROM sqlite_master WHERE type='table' AND name=?").get(name);
   return !!row;

package/core/src/store.ts

@@ -217,10 +217,23 @@ export class BunSqliteStore implements Store {
   }
 
   async deleteNote(id: string): Promise<void> {
-    // Read before delete so we can invalidate config caches on the way out.
+    // Read before delete so we can invalidate config caches on the way out
+    // AND so the post-delete hook dispatch carries the minimum payload
+    // ({ id, path }). The full note can't be reconstructed post-delete —
+    // by design, hooks subscribing to "deleted" receive a DeletedNoteRef,
+    // not a Note.
     const existing = noteOps.getNote(this.db, id);
     noteOps.deleteNote(this.db, id);
     if (existing?.path) this.invalidateConfigCachesForPath(existing.path);
+    // Dispatch even when `existing` was null — the caller asked for a
+    // deletion, and downstream consumers (e.g. the mirror) reconcile via
+    // id. Path is undefined in that case; the mirror sweep will catch
+    // any orphans missed by the targeted-removal fast path.
+    this.hooks.dispatch(
+      "deleted",
+      { id, ...(existing?.path ? { path: existing.path } : {}) },
+      this,
+    );
   }
 
   async queryNotes(opts: QueryOpts): Promise<Note[]> {
@@ -340,6 +353,10 @@ export class BunSqliteStore implements Store {
     // and may have declared `fields` powering schema validation.
     this._tagHierarchy = null;
     this._schemaConfig = null;
+    // Fire "deleted" only when SOMETHING happened (the underlying
+    // deleteTag returns `deleted: false` when the tag didn't exist).
+    // The git-mirror reacts to this by sweeping the schema sidecar.
+    if (result.deleted) this.hooks.dispatchTag("deleted", name, this);
     return result;
   }
 
@@ -352,6 +369,16 @@ export class BunSqliteStore implements Store {
     // the schema-config by parent_names + fields content.
     this._tagHierarchy = null;
     this._schemaConfig = null;
+    // Rename = delete-then-upsert from the perspective of any consumer
+    // that keys schema artifacts on the tag name (e.g. the git-mirror's
+    // `.parachute/schemas/<tag>.yaml` sidecar file). Fire both events
+    // so the consumer drops the old artifact and writes the new one.
+    // Only dispatch when the rename actually happened — error returns
+    // ({ error: ... }) shouldn't notify subscribers about phantom moves.
+    if ("renamed" in result) {
+      this.hooks.dispatchTag("deleted", oldName, this);
+      this.hooks.dispatchTag("upserted", newName, this);
+    }
     return result;
   }
 
@@ -365,6 +392,15 @@ export class BunSqliteStore implements Store {
     // bust the schema cache — `fields` declarations follow tag identity.
     this._tagHierarchy = null;
     this._schemaConfig = null;
+    // Each merged source vanishes from the tag set; the target's
+    // schema may have absorbed fields/relationships from the sources.
+    // Fire "deleted" for each source and "upserted" for the target so
+    // the mirror sweeps the source sidecars and rewrites the target.
+    for (const source of sources) {
+      if (source === target) continue;
+      this.hooks.dispatchTag("deleted", source, this);
+    }
+    this.hooks.dispatchTag("upserted", target, this);
     return result;
   }
 
@@ -440,12 +476,26 @@ export class BunSqliteStore implements Store {
     // `fields` drives validation — bust the schema cache so the next
     // create/update sees the new declarations.
     this._schemaConfig = null;
+    // The tag schema sidecar in the mirror needs to track this. Fire
+    // "upserted" regardless of whether the row was created or modified
+    // — the mirror writes the sidecar fresh either way.
+    this.hooks.dispatchTag("upserted", tag, this);
     return result;
   }
 
   async deleteTagSchema(tag: string) {
     const result = tagSchemaOps.deleteTagSchema(this.db, tag);
-    if (result) this._schemaConfig = null;
+    if (result) {
+      this._schemaConfig = null;
+      // Schema-only delete: the tag may still exist as a name in the
+      // hierarchy, but the sidecar lost its content. Mirror reacts by
+      // sweeping the sidecar file. (If the underlying row was reduced
+      // to a bare name with no schema content, hasSchemaContent() in
+      // exportVaultToDir already wouldn't have written it on the next
+      // export pass — the targeted delete is the fast path; the sweep
+      // is the safety net.)
+      this.hooks.dispatchTag("deleted", tag, this);
+    }
     return result;
   }
 
@@ -494,6 +544,11 @@ export class BunSqliteStore implements Store {
       this._tagHierarchy = null;
       this._schemaConfig = null;
     }
+    // Tag-mutation event for the git-mirror and any other downstream
+    // consumer. Fire "upserted" on every successful tag-record write —
+    // schema/relationship/parent-name mutations all alter the sidecar
+    // contents the mirror persists.
+    this.hooks.dispatchTag("upserted", tag, this);
     return result;
   }
 
@@ -599,6 +654,17 @@ export class BunSqliteStore implements Store {
     const other = this.db.prepare(
       "SELECT 1 FROM attachments WHERE path = ? LIMIT 1",
     ).get(row.path);
+
+    // Post-delete event for downstream consumers (e.g. the git-mirror's
+    // sweep of `.parachute/attachments/<id>/...`). Payload is the
+    // DeletedAttachmentRef — the row is gone, so we pass only id /
+    // note_id / path.
+    this.hooks.dispatchAttachment(
+      "deleted",
+      { id: attachmentId, noteId, path: row.path },
+      this,
+    );
+
     return { deleted: true, path: row.path, orphaned: !other };
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/vault",
-  "version": "0.4.8",
+  "version": "0.4.9-rc.10",
   "description": "Agent-native knowledge graph. Notes, tags, links over MCP.",
   "module": "src/cli.ts",
   "type": "module",

package/src/auth.ts

@@ -91,6 +91,12 @@ function tryServerWideAuth(
     legacyDerived: false,
     scoped_tags: null,
     vault_name: null,
+    // No stable session id for the env-var operator token — every request
+    // is the operator-bearer, not a minted session. manage-token's session
+    // pin is a no-op for this caller (it'd still mint, but list/revoke
+    // would see no other operator mints; that's fine — env-var-bearer is
+    // explicitly the operator-channel, not a user surface).
+    caller_jti: null,
   };
 }
 
@@ -120,6 +126,15 @@ export interface AuthResult {
    * legacy / server-wide / hub JWT — no per-vault binding. See vault#257.
    */
   vault_name: string | null;
+  /**
+   * Session identifier (v19). For `pvt_*` tokens this is the display id
+   * (`t_<hashprefix>`) of the presented token. For hub JWTs it's the
+   * `jti` claim, when present. NULL for legacy YAML keys / server-wide
+   * env-var tokens / hub JWTs without a `jti`. Used by the manage-token
+   * MCP tool to stamp child tokens with `parent_jti` so list/revoke can
+   * scope to this session's mints. See vault#376.
+   */
+  caller_jti: string | null;
 }
 
 /**
@@ -134,6 +149,7 @@ function legacyAuthResult(permission: TokenPermission): AuthResult {
     legacyDerived: true,
     scoped_tags: null,
     vault_name: null,
+    caller_jti: null,
   };
 }
 
@@ -285,6 +301,7 @@ export async function authenticateVaultRequest(
           legacyDerived: resolved.legacyDerived,
           scoped_tags: resolved.scoped_tags,
           vault_name: resolved.vault_name,
+          caller_jti: resolved.jti,
         };
       }
     } catch {
@@ -396,7 +413,17 @@ async function authenticateHubJwt(
       hasScope(claims.scopes, SCOPE_WRITE) || hasScope(claims.scopes, SCOPE_ADMIN)
         ? "full"
         : "read";
-    return { permission, scopes: claims.scopes, legacyDerived: false, scoped_tags: null, vault_name: null };
+    return {
+      permission,
+      scopes: claims.scopes,
+      legacyDerived: false,
+      scoped_tags: null,
+      vault_name: null,
+      // claims.jti is `undefined` when the issuer didn't stamp one. Pass it
+      // through verbatim — manage-token's session-pin will be null in that
+      // case, and list/revoke from that session sees no mints.
+      caller_jti: claims.jti ?? null,
+    };
   } catch (err) {
     if (err instanceof HubJwtError) {
       // Revocation-related codes get sanitized client messages: server-side
@@ -511,6 +538,7 @@ export async function authenticateGlobalRequest(
           legacyDerived: resolved.legacyDerived,
           scoped_tags: resolved.scoped_tags,
           vault_name: resolved.vault_name,
+          caller_jti: resolved.jti,
         };
       }
     } catch {

package/src/auto-transcribe.test.ts

@@ -69,11 +69,16 @@ describe("shouldAutoTranscribe", () => {
     })).toBe(false);
   });
 
-  test("skips when enabled is unset (no auto_transcribe block in config)", () => {
+  test("fires when enabled is unset — unset config means ON", () => {
+    // Default behavior (no `auto_transcribe` block in config) is opt-out:
+    // once an operator has scribe reachable, audio attachments transcribe
+    // automatically. Operators wanting it OFF set
+    // `auto_transcribe.enabled: false` explicitly. Previously default-off;
+    // flipped to default-on so installing scribe is the only opt-in signal.
     expect(shouldAutoTranscribe("audio/wav", {
       readGlobalConfigImpl: readGlobalConfig(undefined),
       getCachedScribeUrlImpl: scribePresent,
-    })).toBe(false);
+    })).toBe(true);
   });
 
   test("skips when scribe URL is undefined (no services.json entry, no env)", () => {

package/src/auto-transcribe.ts

@@ -19,7 +19,11 @@ import { getCachedScribeUrl } from "./scribe-discovery.ts";
  *
  * Returns `true` only when ALL three conditions hold:
  *   1. mime-type starts with `audio/` (case-insensitive).
- *   2. `globalConfig.auto_transcribe?.enabled === true`.
+ *   2. `globalConfig.auto_transcribe?.enabled` is not explicitly false.
+ *      Default behavior (when unset) is ON — once an operator has scribe
+ *      reachable, audio attachments transcribe automatically without a
+ *      separate config step. Operators who want it OFF set
+ *      `auto_transcribe.enabled: false` explicitly.
  *   3. Scribe is discoverable (services.json entry OR SCRIBE_URL env).
  *
  * The three conditions are independent guards: a single `false` is sufficient
@@ -40,7 +44,7 @@ export function shouldAutoTranscribe(
   }
   const enabled = opts.enabledOverride
     ?? (opts.readGlobalConfigImpl ?? readGlobalConfig)().auto_transcribe?.enabled
-    ?? false;
+    ?? true;
   if (!enabled) return false;
   const url = (opts.getCachedScribeUrlImpl ?? getCachedScribeUrl)();
   if (!url || !url.trim()) return false;

package/src/export-watch.test.ts

@@ -27,6 +27,7 @@ import {
   DEFAULT_COMMIT_TEMPLATE,
   gitAddAll,
   gitCommit,
+  gitPush,
   gitUnstageAll,
   isGitRepo,
   listStagedFiles,
@@ -315,6 +316,79 @@ describe("git-shell helpers", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// 2b. gitPush — first-push upstream tracking (Cut 4 of vault#392)
+//
+// A freshly-bootstrapped mirror has commits but no upstream branch.
+// Bare `git push` fails with "fatal: The current branch X has no upstream
+// branch." gitPush now detects the missing-upstream case and falls back
+// to `git push -u origin <branch>`. Subsequent pushes go bare.
+// ---------------------------------------------------------------------------
+
+describe("gitPush — upstream tracking", () => {
+  let workdir: string;
+  let remote: string;
+  beforeEach(() => {
+    workdir = makeTmp("vault-push-work-");
+    remote = makeTmp("vault-push-remote-");
+    // Bare repo as the "remote" — `git push` to it lands like any real remote.
+    Bun.spawnSync(["git", "init", "--bare", "-q", "-b", "main"], { cwd: remote });
+    initGitRepo(workdir);
+    Bun.spawnSync(["git", "remote", "add", "origin", remote], { cwd: workdir });
+    fs.writeFileSync(path.join(workdir, "seed.md"), "# seed\n");
+    Bun.spawnSync(["git", "add", "-A"], { cwd: workdir });
+    Bun.spawnSync(["git", "commit", "-q", "-m", "initial"], { cwd: workdir });
+  });
+  afterEach(() => {
+    fs.rmSync(workdir, { recursive: true, force: true });
+    fs.rmSync(remote, { recursive: true, force: true });
+  });
+
+  test("first push to a fresh remote establishes upstream tracking", async () => {
+    // Pre-Cut-4 this failed with "no upstream branch."
+    const result = await gitPush(workdir);
+    expect(result.ok).toBe(true);
+    // Verify upstream is now set so subsequent pushes can be bare.
+    const upstream = Bun.spawnSync(
+      ["git", "rev-parse", "--abbrev-ref", "--symbolic-full-name", "@{u}"],
+      { cwd: workdir, stdout: "pipe" },
+    );
+    expect(upstream.exitCode).toBe(0);
+    expect(
+      new TextDecoder().decode(upstream.stdout).trim(),
+    ).toBe("origin/main");
+  });
+
+  test("subsequent push (upstream already set) succeeds bare", async () => {
+    // First push wires the upstream.
+    await gitPush(workdir);
+    // Make another commit, push again — should succeed.
+    fs.writeFileSync(path.join(workdir, "n.md"), "# n\n");
+    Bun.spawnSync(["git", "add", "-A"], { cwd: workdir });
+    Bun.spawnSync(["git", "commit", "-q", "-m", "second"], { cwd: workdir });
+    const result = await gitPush(workdir);
+    expect(result.ok).toBe(true);
+  });
+
+  test("push with no remote configured surfaces the error (back-compat)", async () => {
+    // Same shape as the existing "no remote" test in runGitCommitCycle —
+    // the branch probe returns a branch but no upstream, gitPush falls
+    // back to `git push -u origin main`, which fails because there's no
+    // `origin` remote configured.
+    const localOnly = makeTmp("vault-push-noremote-");
+    initGitRepo(localOnly);
+    fs.writeFileSync(path.join(localOnly, "x.md"), "# x\n");
+    Bun.spawnSync(["git", "add", "-A"], { cwd: localOnly });
+    Bun.spawnSync(["git", "commit", "-q", "-m", "x"], { cwd: localOnly });
+    const result = await gitPush(localOnly);
+    expect(result.ok).toBe(false);
+    // Doesn't matter what the exact error is — just that it's non-fatal
+    // (gitPush returns rather than throws).
+    expect(typeof result.stderr).toBe("string");
+    fs.rmSync(localOnly, { recursive: true, force: true });
+  });
+});
+
 // ---------------------------------------------------------------------------
 // 3. runGitCommitCycle — stage → decide → commit → push
 // ---------------------------------------------------------------------------

package/src/export-watch.ts

@@ -121,11 +121,72 @@ export async function gitCommit(
   return { ok: exitCode === 0, stderr: stderr.trim() };
 }
 
-/** Run `git push` in `repoDir`. Returns true on success. */
+/**
+ * Run `git push` in `repoDir`. Returns true on success.
+ *
+ * Handles the first-push case: a freshly-bootstrapped mirror has
+ * commits but no upstream tracking, and a bare `git push` fails with
+ * "fatal: The current branch X has no upstream branch." That's
+ * unrecoverable from the operator's POV — they'd have to drop to a
+ * shell and run `git push -u origin main`. The wiring here detects the
+ * missing-upstream case ahead of time and falls back to `git push -u
+ * origin <branch>` so the first push works and every subsequent push
+ * picks up the now-configured tracking.
+ *
+ * Vault#382 carried bare `git push`; this is the Cut 4 fix in the
+ * credentials-save round-trip work.
+ */
 export async function gitPush(
   repoDir: string,
 ): Promise<{ ok: boolean; stderr: string }> {
-  const proc = Bun.spawn(["git", "push"], {
+  // Resolve the current branch name. `git rev-parse --abbrev-ref HEAD`
+  // returns the branch on a checked-out branch (e.g. "main"); on a
+  // detached HEAD it returns "HEAD" — in that case we bail to bare push
+  // since `-u origin HEAD` doesn't mean anything useful.
+  let branch: string | null = null;
+  try {
+    const branchProc = Bun.spawn(["git", "rev-parse", "--abbrev-ref", "HEAD"], {
+      cwd: repoDir,
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+    const branchCode = await branchProc.exited;
+    if (branchCode === 0) {
+      const out = new TextDecoder()
+        .decode(await new Response(branchProc.stdout).arrayBuffer())
+        .trim();
+      if (out.length > 0 && out !== "HEAD") branch = out;
+    }
+  } catch {
+    // Fall through to bare push.
+  }
+
+  // Probe for an existing upstream. `git rev-parse --abbrev-ref
+  // --symbolic-full-name @{u}` exits non-zero when no upstream is
+  // configured for the current branch. Exit 0 + a value → upstream
+  // exists; bare `git push` is fine.
+  let hasUpstream = false;
+  if (branch !== null) {
+    const upstreamProc = Bun.spawn(
+      ["git", "rev-parse", "--abbrev-ref", "--symbolic-full-name", "@{u}"],
+      {
+        cwd: repoDir,
+        stdout: "pipe",
+        stderr: "pipe",
+      },
+    );
+    const upstreamCode = await upstreamProc.exited;
+    hasUpstream = upstreamCode === 0;
+  }
+
+  // First-push path: `git push -u origin <branch>` to establish
+  // tracking. Subsequent calls take the bare path because hasUpstream
+  // will be true after this lands.
+  const cmd =
+    branch !== null && !hasUpstream
+      ? ["git", "push", "-u", "origin", branch]
+      : ["git", "push"];
+  const proc = Bun.spawn(cmd, {
     cwd: repoDir,
     stdout: "pipe",
     stderr: "pipe",
@@ -190,7 +251,14 @@ export function shouldCommit(stagedFiles: string[], notesChanged: number): {
 
 /**
  * Stage → decide → commit → optionally push. Logs status to stdout/stderr.
- * Returns whether a commit landed.
+ * Returns whether a commit landed and (when push was attempted) the
+ * push outcome — so callers can surface push status in their UIs
+ * without having to grep logs.
+ *
+ * Cut 5: the return shape now includes a `push` field with the outcome
+ * when push was attempted. Tokens are redacted from `push.error` via
+ * the userinfo + `gho_/ghp_/glpat-` regex so log + status surfaces are
+ * safe to display.
  */
 export async function runGitCommitCycle(opts: {
   repoDir: string;
@@ -201,7 +269,11 @@ export async function runGitCommitCycle(opts: {
   push: boolean;
   /** Override for tests — defaults to `new Date().toISOString()`. */
   now?: () => string;
-}): Promise<{ committed: boolean; message?: string }> {
+}): Promise<{
+  committed: boolean;
+  message?: string;
+  push?: { attempted: true; ok: boolean; error?: string };
+}> {
   const now = opts.now ?? (() => new Date().toISOString());
 
   const add = await gitAddAll(opts.repoDir);
@@ -245,11 +317,40 @@ export async function runGitCommitCycle(opts: {
     if (!pushResult.ok) {
       // Non-fatal — a network blip shouldn't kill a watch loop. Warn and
       // move on; the next successful commit's push will catch up history.
-      console.warn(`[git-commit] git push failed (non-fatal): ${pushResult.stderr}`);
-    } else {
-      console.log(`[git-commit] pushed`);
+      const redacted = redactToken(pushResult.stderr);
+      console.warn(`[git-commit] git push failed (non-fatal): ${redacted}`);
+      return {
+        committed: true,
+        message,
+        push: { attempted: true, ok: false, error: redacted },
+      };
     }
+    console.log(`[git-commit] pushed`);
+    return { committed: true, message, push: { attempted: true, ok: true } };
   }
 
   return { committed: true, message };
 }
+
+/**
+ * Redact tokens from a string that came back from `git push` /
+ * `git ls-remote` stderr. Same pattern as `redactRemoteUrl` for full
+ * URLs; also handles bare `gho_*`/`ghp_*`/`glpat-*` tokens that
+ * sometimes show up in git error messages.
+ *
+ * Best-effort — git's error format isn't a stable contract, so we
+ * scrub the obvious patterns and accept that a really unusual
+ * formatting could slip through. The credentials file is the
+ * authoritative store; logs are diagnostic.
+ */
+export function redactToken(text: string): string {
+  return text
+    // userinfo (https://user:token@host/…)
+    .replace(/https?:\/\/[^@\s]+@/g, "https://***@")
+    // bare GitHub OAuth tokens
+    .replace(/gho_[A-Za-z0-9_]{8,}/g, "gho_***")
+    // bare GitHub PATs
+    .replace(/ghp_[A-Za-z0-9_]{8,}/g, "ghp_***")
+    // bare GitLab PATs
+    .replace(/glpat-[A-Za-z0-9_-]{8,}/g, "glpat-***");
+}