fix(export): redact cached Orb token envelopes #1679

Open: JSONbored wants to merge 3 commits into main from codex/fix-cached-orb-tokens-export-redaction

@JSONbored

Owner

Motivation

  • Prevent encrypted GitHub installation-token envelopes stored in orb_enrollments.cached_token_json from being included in self-host D1 export artifacts, closing a redaction gap that could leak secret-bearing blobs when exports are shared.

Description

  • Add cached_token_json to the orb_enrollments entry in REDACTED_COLUMNS in scripts/export-d1-core.mjs and document the column as sensitive, and extend test/unit/export-d1-core.test.ts to assert the new redaction behavior.

Testing

  • Ran the focused unit regression: npx vitest run test/unit/export-d1-core.test.ts, which passed.
  • Attempted broader verification: npm run test:coverage was started but unrelated long-running suites prevented a clean local completion (the targeted export redaction tests ran and passed); npm run test:ci could not fully complete locally due to actionlint/network and runner-label issues; npm audit --audit-level=moderate returned 403 from the audit endpoint so could not complete locally.

Codex Task

@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jun 28, 2026
@JSONbored JSONbored self-assigned this Jun 28, 2026
@codecov

codecov Bot commented Jun 28, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.58%. Comparing base (6228967) to head (d1ad6dd).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1679   +/-   ##
=======================================
  Coverage   95.58%   95.58%           
=======================================
  Files         204      204           
  Lines       22314    22314           
  Branches     8066     8066           
=======================================
  Hits        21329    21329           
  Misses        408      408           
  Partials      577      577           

@gittensory-orb

gittensory-orb Bot commented Jun 28, 2026


Warning

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-06-29 15:37:52 UTC

2 files · 1 AI reviewer · no blockers · readiness 68/100 · CI green · clean

⏸️ Suggested Action - Manual Review

  • Touches a guarded path — held for manual review

Review summary
This change correctly adds `orb_enrollments.cached_token_json` to the self-host export redaction list and documents why that column must not leave the source environment. The existing redaction path in `buildTableExport` already consumes `REDACTED_COLUMNS`, and the regression test now verifies both the emitted `redactedColumns` metadata and that the sensitive value is removed from exported rows. The diff is narrow, coherent with the PR description, and uses the existing export-core test pattern.

Nits — 3 non-blocking
  • Pull request duplicates other open work — Check for an existing pull request or issue covering this change and coordinate or consolidate before continuing.
  • Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.
  • Touches a guarded path — held for manual review — A maintainer must review and merge this change.

| Signal | Result | Evidence |
| --- | --- | --- |
| Code review | ✅ No blockers | 1 reviewer |
| Linked issue | ⚠️ Missing | No linked issue or no-issue rationale found. |
| Related work | ⚠️ 2 scoped overlaps | Top overlaps are listed below; lower-confidence bulk is hidden. |
| Review load | ❌ 8/20 | Readiness component derived from cached public PR metadata and labels; size label size:XS. |
| Validation evidence | ✅ 25/25 | PR body includes validation/test evidence. |
| Open PR queue | ❌ 3/10 | 24 open PR(s), 11 likely reviewable, 13 unlinked. |
| Contributor context | ✅ Confirmed | Gittensor contributor JSONbored; Gittensor profile; 74 PR(s), 280 issue(s). |
| Gate result | ⚠️ Not blocking | Advisory; not blocking this PR. |

Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Official Gittensor activity: 74 PR(s), 280 issue(s).
  • Related work: Titles/paths share 8 meaningful terms. (PR #1690)
  • Related work: Titles/paths share 6 meaningful terms. (PR #1693, PR #1716)
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Review top overlaps.
  • Add scope summary.
  • Expect slower review.
  • No action.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
  • Open PR queue = repo-wide review pressure; it is not a PR quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
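
Added example, not code from this pull request or the project: a sketch of the denylist redaction the review summary describes, plus a schema check that flags secret-looking column names missing from the list. The function names, the name heuristic, and every table and column other than `orb_enrollments.cached_token_json` are assumptions.

```javascript
// Added illustration; not the project's scripts/export-d1-core.mjs.
// Only orb_enrollments.cached_token_json comes from the page.
const REDACTED_COLUMNS = {
  orb_enrollments: ["cached_token_json"],
};

// Column-name patterns that usually indicate secret-bearing data (assumed heuristic).
const SECRET_NAME = /(token|secret|password|private_key|api_key)/i;

// Drop denylisted columns from every row and report which ones were removed.
function exportTable(table, rows, redacted = REDACTED_COLUMNS) {
  const deny = new Set(redacted[table] ?? []);
  const seen = new Set();
  const outRows = rows.map((row) => {
    const out = {};
    for (const [col, value] of Object.entries(row)) {
      if (deny.has(col)) seen.add(col);
      else out[col] = value;
    }
    return out;
  });
  return { table, redactedColumns: [...seen].sort(), rows: outRows };
}

// Regression guard: list columns that look secret-bearing but are not denylisted.
// Run against the live schema in CI so a newly added column cannot slip into exports.
function unredactedSecretColumns(schema, redacted = REDACTED_COLUMNS) {
  const gaps = [];
  for (const [table, cols] of Object.entries(schema)) {
    const deny = new Set(redacted[table] ?? []);
    for (const col of cols) {
      if (SECRET_NAME.test(col) && !deny.has(col)) gaps.push(`${table}.${col}`);
    }
  }
  return gaps.sort();
}

// Constructed sample data.
const sampleRows = [
  { id: 1, repo: "example/repo", cached_token_json: '{"ciphertext":"<constructed>"}' },
];
const sampleSchema = {
  orb_enrollments: ["id", "repo", "cached_token_json"],
  webhooks: ["id", "url", "signing_secret"], // hypothetical table
};
```

An encrypted envelope still belongs on the denylist: the export leaves the source environment, and the ciphertext should not travel with it.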


@gittensory-orb gittensory-orb Bot added gittensor Gittensor contributor context gittensor:bug Gittensor-scored bug fix - worth 0.5x multiplier. labels Jun 28, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 28, 2026


Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ✅ Deployment successful! (View logs) | gittensory-ui | 4d51737 | Commit Preview URL, Branch Preview URL | Jun 28 2026, 09:49 PM |

Labels

  • aardvark
  • codex
  • gittensor:bug: Gittensor-scored bug fix - worth 0.5x multiplier.
  • gittensor: Gittensor contributor context
  • size:XS: This PR changes 0-9 lines, ignoring generated files.

Projects

Status: Todo
