Revoke and no-secret boundaries
Use revoke and no-secret boundaries to remove repository access, inspect revoked_at, revoke_reason, credential_fingerprint and secret_redaction_status, and keep secrets out of support artifacts.
Developers, repository admins, agencies and security reviewers
Feature availability
Product, package, provider and deployment boundaries for this page.
- Available from: Current documentation
- Providers: github, github-enterprise
- Deployment modes: cloud, self-hosted
Before revoking access
Use this page when repository access is no longer needed, when customer approval changes, or when any secret boundary concern appears during connected remediation. Revocation should remove connected repository capability without copying credentials or source snippets into support artifacts. Keep every credential reference indirect. The product can show credential_fingerprint and provider status for auditability, but it must not expose raw tokens, private keys, webhook secrets or customer source code.
- Do not store repository tokens, private keys, webhook secrets or customer source snippets in documentation pages, external tickets, logs or report copy.
Revoke repository access
Follow the path `Customer approval or connected access → Revoke access → Secret redaction check → Audit history → Reconnect or fallback`.
- Open /settings and choose the connected repository provider for the affected project. Result: provider, repository_full_name and current access state are visible before revocation.
- Check whether a pull request, review-only patch or ticket fallback still needs repository access. Result: revoke_reason explains why access can be removed or why the customer should wait.
- Choose Revoke access when work is complete, unsafe, no longer approved or no longer needed. Result: revoked_at is recorded and repository write or read actions are disabled.
- Confirm credential_fingerprint rather than any raw token value. Result: audit history can identify the credential boundary without storing a secret.
- Review secret_redaction_status after revoke. Result: tokens, private keys, webhook secrets and customer source snippets stay out of docs, logs, prompts, tickets and report copy.
- Use reconnect or fallback only through the product flow. Result: expired tokens, secret exposure or revoked access do not turn into chat, email or ticket credential handling.
Ready revocation states
Continue only when the product shows a clear revoked or safe state.
- Revoked means revoked_at is set and repository read, write, branch and pull request actions are disabled.
- Credential fingerprint retained means credential_fingerprint remains for audit history without revealing a token or private key.
- Redaction complete means secret_redaction_status shows customer source snippets and credentials are excluded from docs, logs, prompts, tickets and reports.
- Reconnect available means the customer can reconnect through the product flow when a new approved task needs access.
- Fallback available means ticket-only or customer-applied remediation can continue without connected repository access.
Blocked or unsafe secret states
Do not work around an unsafe access state. Stop before any secret, credential or source snippet spreads into another artifact.
- Secret exposure means stop connected remediation, revoke access and remove the exposed value from any product artifact that can be edited.
- Expired token means reconnect through the product flow only; do not paste credentials into chat, tickets, docs or email.
- Customer source snippet in output means remove it before sharing the artifact and use a customer-safe summary.
- Missing revoke reason means do not hide the access change; add revoke_reason so the customer can audit why access ended.
- Wrong repository means revoke the incorrect connection before reconnecting the intended repository.
- Pending PR write means return to Customer approval and PR creation before revoking access needed for an approved in-flight action.
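The ready and blocked states above can be applied as a pre-share check over a revocation record and a support artifact. This is an added example, not the product's own code: the record shape (a dict keyed by the field names on this page), the status value "complete", the sample values and the webhook pattern are assumptions.

```python
import re

# Material the page says must never reach support artifacts. GitHub token
# prefixes and PEM headers are well known; the webhook pattern is a simple
# heuristic chosen for this example.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    "webhook_secret": re.compile(r"(?i)webhook[_-]?secret\s*[:=]\s*\S+"),
}

def find_secrets(text):
    """Return sorted names of secret kinds found in text; never the values."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))

def check_revocation(record, artifact_text=""):
    """Return a list of blocking findings; an empty list means a ready state."""
    findings = []
    if not record.get("revoked_at"):
        findings.append("not revoked: revoked_at is empty")
    if not (record.get("revoke_reason") or "").strip():
        findings.append("missing revoke_reason")
    fingerprint = record.get("credential_fingerprint") or ""
    if not fingerprint:
        findings.append("missing credential_fingerprint")
    elif find_secrets(fingerprint):
        findings.append("credential_fingerprint holds a raw secret")
    # "complete" is an assumed status value for this example.
    if record.get("secret_redaction_status") != "complete":
        findings.append("redaction not complete")
    for kind in find_secrets(artifact_text):
        findings.append(f"artifact contains {kind}")
    return findings

# Constructed sample data; the token is a fake built from repeated characters.
READY = {
    "provider": "github",
    "repository_full_name": "example-org/example-repo",
    "revoked_at": "2024-01-01T00:00:00Z",
    "revoke_reason": "work complete",
    "credential_fingerprint": "fp:3f9a1c",
    "secret_redaction_status": "complete",
}
LEAKY_TICKET = "Reconnect failed, token was ghp_" + "A" * 36

if __name__ == "__main__":
    print(check_revocation(READY))
    print(check_revocation(dict(READY, revoke_reason=""), LEAKY_TICKET))
```

The findings name the kind of secret detected and never echo the matched value, so the check's own output is safe to attach to a ticket.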
Continue from no-secret boundary
Use GitHub repository connection when the customer needs to reconnect with approved scope. Use Ticket-only fallback or Safe fallback paths when connected access is revoked, unsafe, unsupported or no longer approved. Use Secret handling for broader data-retention and redaction rules when the concern is not limited to repository credentials.

