fix(export): redact cached Orb token envelopes#1690

Open
JSONbored wants to merge 1 commit into
mainfrom
codex/fix-orb-token-export-redaction

Conversation

@JSONbored

Owner

Summary

  • No issue because this is a small maintainer-side confidentiality hardening for the self-host export boundary.
  • Adds orb_enrollments.cached_token_json to the D1 export redaction list so encrypted Orb installation-token cache envelopes stay out of migration export artifacts.
  • Extends the existing export regression test to prove the cache envelope is omitted together with the other Orb secret material.

Scope

  • The PR title follows type(scope): short summary Conventional Commit format, for example fix(api): restore profile access checks.
  • This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
  • This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
  • I linked an issue, or this is small enough that the summary explains why an issue is not needed.

Validation

  • git diff --check
  • npm run actionlint
  • npm run typecheck
  • npm run test:coverage locally; codecov/patch requires ≥97% coverage of the lines AND branches you changed (aim for 98%+ on your diff so CI variance does not fail near the threshold). Global coverage is a non-blocking trend with a loose 90% backstop, not the gate.
  • npm run test:workers
  • npm run build:mcp
  • npm run test:mcp-pack
  • npm run ui:openapi:check
  • npm run ui:lint
  • npm run ui:typecheck
  • npm run ui:build
  • npm audit --audit-level=moderate
  • New or changed behavior has unit/integration tests for new branches, fallback paths, and sanitizer boundaries

If any required check was skipped, explain why:

  • Nothing was skipped. Also ran npx vitest run test/unit/export-d1-core.test.ts for the focused regression.

Safety

  • No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
  • Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
  • Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests. N/A: export redaction only.
  • API/OpenAPI/MCP behavior is updated and tested where needed. N/A: no API/OpenAPI/MCP surface change.
  • UI changes use live API data or real empty/error/loading states, not production mock/demo fallbacks. N/A: no UI change.
  • Visible UI changes include a UI Evidence section below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository. N/A: no visible UI change.
  • Public docs/changelogs are updated where needed; changelogs are only edited for release-prep PRs. N/A: no docs/changelog change.

UI Evidence

Not applicable. This is export tooling only, with no visible UI, frontend, docs, or extension change.

Notes

  • The vulnerable path was reproduced in the existing export unit boundary: buildTableExport("orb_enrollments", ...) previously preserved cached_token_json; after this change, the serialized export rows omit it and the regression asserts the LEAK_ sentinel never appears.

@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jun 28, 2026
@superagent-security superagent-security Bot removed the size:XS This PR changes 0-9 lines, ignoring generated files. label Jun 28, 2026
@gittensory-orb

gittensory-orb Bot commented Jun 28, 2026


Warning

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-06-29 14:13:30 UTC

2 files · 1 AI reviewer · no blockers · readiness 75/100 · CI green · clean

⏸️ Suggested Action - Manual Review

  • Touches a guarded path — held for manual review

Review summary
This change extends the self-host D1 export sanitizer so orb_enrollments.cached_token_json is dropped alongside the existing sensitive orb_enrollments fields, and the regression test now exercises that path through buildTableExport. The implementation is correct in the changed file: redactRow removes every key listed in REDACTED_COLUMNS, and buildTableExport already routes orb_enrollments rows through that sanitizer. I do not see a reachable break in this diff.

Nits — 4 non-blocking
  • nit: test/unit/export-d1-core.test.ts:39 duplicates the full orb_enrollments redaction list in multiple assertions, so future additions will need to update several exact arrays.
  • test/unit/export-d1-core.test.ts:39 could define the expected orb_enrollments redacted columns once inside the redaction describe block and reuse it for both REDACTED_COLUMNS and orbExport?.redactedColumns assertions.
  • Pull request duplicates other open work — Check for an existing pull request or issue covering this change and coordinate or consolidate before continuing.
  • Touches a guarded path — held for manual review — A maintainer must review and merge this change.
Signal | Result | Evidence
Code review | ✅ No blockers | 1 reviewer
Linked issue | ✅ No-issue rationale | PR body explains why no issue is linked.
Related work | ⚠️ 1 scoped overlap | Top overlaps are listed below; lower-confidence bulk is hidden.
Review load | ❌ 8/20 | Readiness component derived from cached public PR metadata and labels.
Validation evidence | ✅ 25/25 | PR body includes validation/test evidence.
Open PR queue | ❌ 3/10 | 22 open PR(s), 10 likely reviewable, 12 unlinked.
Contributor context | ✅ Confirmed | Gittensor contributor JSONbored; Gittensor profile; 74 PR(s), 280 issue(s).
Gate result | ⚠️ Not blocking | Advisory; not blocking this PR.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Official Gittensor activity: 74 PR(s), 280 issue(s).
  • Related work: Titles/paths share 8 meaningful terms. (PR #1679)
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Review top overlaps.
  • Add scope summary.
  • Expect slower review.
  • No action.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
  • Open PR queue = repo-wide review pressure; it is not a PR quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
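As an added illustration of the sanitizer shape described in the PR summary and in the review above (example code written for this page, not the project's own export-d1 module or test): a per-table redaction list applied to every row before serialization, and the regression check that seeds each redacted column with a LEAK_ sentinel and confirms none survives in the serialized export. The names REDACTED_COLUMNS, redactRow and buildTableExport follow the page; their bodies here, and every column name other than cached_token_json, are constructed assumptions.

```typescript
// Added example (not the project's export-d1 module): a table-scoped
// redaction list applied before serialization, plus the sentinel-based
// leak check the regression test relies on.
type Row = Record<string, unknown>;

const REDACTED_COLUMNS: Record<string, readonly string[]> = {
  // cached_token_json is the column this PR adds; the other two are
  // constructed placeholder names, not columns from the real schema.
  orb_enrollments: ["cached_token_json", "private_key_pem", "webhook_secret"],
};

// Drop every column listed for the table; tables without an entry pass through.
function redactRow(table: string, row: Row): Row {
  const drop = new Set(REDACTED_COLUMNS[table] ?? []);
  const out: Row = {};
  for (const [key, value] of Object.entries(row)) {
    if (!drop.has(key)) out[key] = value;
  }
  return out;
}

interface TableExport {
  table: string;
  redactedColumns: string[];
  rows: Row[];
}

// Route all rows for a table through redactRow and record what was removed,
// so an export consumer can see which columns were intentionally omitted.
function buildTableExport(table: string, rows: Row[]): TableExport {
  return {
    table,
    redactedColumns: [...(REDACTED_COLUMNS[table] ?? [])],
    rows: rows.map((row) => redactRow(table, row)),
  };
}

// Regression helper: put a unique LEAK_ sentinel in every redacted column,
// serialize the whole export, and return any sentinel that still appears.
// An empty result is the property the PR's regression test asserts.
function findLeakedSentinels(table: string, baseRow: Row): string[] {
  const seeded: Row = { ...baseRow };
  const sentinels: string[] = [];
  for (const column of REDACTED_COLUMNS[table] ?? []) {
    const sentinel = `LEAK_${column.toUpperCase()}`;
    seeded[column] = sentinel;
    sentinels.push(sentinel);
  }
  const serialized = JSON.stringify(buildTableExport(table, [seeded]));
  return sentinels.filter((s) => serialized.includes(s));
}
```

Checking the serialized string rather than the row object is deliberate: it catches a column that is dropped from the row but re-emitted elsewhere in the export artifact, for example in metadata.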

@gittensory-orb gittensory-orb Bot added gittensor Gittensor contributor context gittensor:bug Gittensor-scored bug fix - worth 0.5x multiplier. labels Jun 28, 2026
@codecov

codecov Bot commented Jun 28, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.53%. Comparing base (199f46d) to head (a76df1f).
⚠️ Report is 5 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1690   +/-   ##
=======================================
  Coverage   95.53%   95.53%           
=======================================
  Files         204      204           
  Lines       22283    22283           
  Branches     8049     8049           
=======================================
  Hits        21289    21289           
  Misses        415      415           
  Partials      579      579           
