
Prepared the 1.40.0 release and masked secrets in the demo-video pipeline.#2709

Merged

AlexSkrypnyk merged 3 commits into main from feature/release-1.40.0 on Jun 24, 2026

Conversation

AlexSkrypnyk (Member) commented Jun 24, 2026

This branch prepares the Vortex 1.40.0 release: it bumps Composer production and dev-tool constraints, refreshes the theme yarn.lock, and fixes a credential-disclosure bug in the documentation video pipeline that was embedding a real PACKAGE_TOKEN into the committed demo assets.

Changes

Dependencies

  • drupal/core-composer-scaffold and drupal/core-recommended: ~11.3.12 → ~11.3.13
  • drush/drush: ^13.7.3 → ^13.7.4
  • drupal/coder: ^9@alpha → ^9.0.1@alpha
  • rector/rector: ^2.5.0 → ^2.5.2
  • vincentlanglet/twig-cs-fixer: ^4.0 → ^4.0.1
  • Theme front-end packages refreshed in yarn.lock (sass, prettier, terser, and friends)

Documentation video pipeline - secret masking

Added VideoRecorder::redactSecrets() as a post-processing step that runs after the existing login-token redaction. Before the cast is rendered to SVG and PNG, it replaces:

  • GitHub PATs matching ghp_, gho_, ghs_, ghr_, ghu_ prefixes
  • GitHub fine-grained tokens (github_pat_...)
  • AWS access key identifiers (AKIA..., ASIA...)
  • The literal runtime values of PACKAGE_TOKEN, GITHUB_TOKEN, and VORTEX_CONTAINER_REGISTRY_PASS (defence-in-depth for unrecognised formats)

The bug: a cached Docker RUN build layer was replaying the real PACKAGE_TOKEN verbatim into the captured ahoy build output, and the unmasked value was being committed as part of the .json asciicast and rendered into the .svg/.png poster.

Regenerated demo videos

All six demo videos (installer, build, provision, lint, test, test-bdd) re-recorded. The build video now shows XXXXX where the token previously appeared.

Screenshots

N/A - no running-app UI changed; the updated assets are committed documentation videos.

Before / After

Before (VideoRecorder post-processing without secret masking)
─────────────────────────────────────────────────────────────

  asciicast event (build.json)
  ┌──────────────────────────────────────────────────────┐
  │ [1.23, "o", "Step 3/12 : ARG PACKAGE_TOKEN\r\n"]    │
  │ [1.45, "o", "ghp_A1B2C3D4E5F6...realtoken\r\n"]     │  ← real credential
  └──────────────────────────────────────────────────────┘
             │
             ▼ render
  build.svg / build.png
  ┌──────────────────────────────────────────────────────┐
  │   ghp_A1B2C3D4E5F6...realtoken                       │  ← embedded in committed asset
  └──────────────────────────────────────────────────────┘


After (VideoRecorder::redactSecrets() applied before render)
─────────────────────────────────────────────────────────────

  asciicast event (build.json)
  ┌──────────────────────────────────────────────────────┐
  │ [1.23, "o", "Step 3/12 : ARG PACKAGE_TOKEN\r\n"]    │
  │ [1.45, "o", "XXXXX\r\n"]                             │  ← token masked
  └──────────────────────────────────────────────────────┘
             │
             ▼ render
  build.svg / build.png
  ┌──────────────────────────────────────────────────────┐
  │   XXXXX                                               │  ← safe placeholder in committed asset
  └──────────────────────────────────────────────────────┘

Summary by CodeRabbit

  • New Features

    • Sensitive credentials and authentication tokens are now automatically masked in recorded session outputs.
  • Tests

    • Updated recorded test execution snapshots for lint, provisioning, BDD, and unit testing to reflect latest results.
  • Dependencies

    • Updated Drupal core, Drush, Coder, Rector, and Twig CS Fixer to their latest patch versions.
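The cause described in the PR above, a real PACKAGE_TOKEN travelling through the Docker build so that a cached RUN layer replays it into the captured build output, is only masked by the new post-processing step, not removed. The following is an added example, not the project's own Dockerfile, showing the build-argument pattern beside a BuildKit secret mount. It assumes the token is consumed only by Composer for private-package access, which the PR does not state; the secret id, file paths and base image are this example's choices.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's Dockerfile. Assumes PACKAGE_TOKEN is only
# needed by Composer for private packages (an assumption; the PR does not show
# how the token is consumed).

FROM php:8.3-cli
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
WORKDIR /app
COPY composer.json composer.lock ./

# Weak: a build argument. Its value is recorded in image metadata
# (`docker history` shows it on the RUN line), and because the RUN step is
# cached with that value it can be replayed from the layer cache into
# build output, which is how a token ends up in a recorded cast.
#
#   ARG PACKAGE_TOKEN
#   RUN composer config --global github-oauth.github.com "$PACKAGE_TOKEN" \
#    && composer install --no-dev --no-interaction

# Hardened: a BuildKit secret mount. The secret is a tmpfs file that exists
# only for the duration of this RUN step; it is never written to a layer and
# is not part of the cache key in plain text. The credential is configured,
# used and unset inside the same step, so the final layer carries no token.
# Build with:  docker build --secret id=package_token,env=PACKAGE_TOKEN .
RUN --mount=type=secret,id=package_token \
    composer config --global github-oauth.github.com "$(cat /run/secrets/package_token)" \
 && composer install --no-dev --no-interaction \
 && composer config --global --unset github-oauth.github.com
```

With the secret mount in place the masking step in VideoRecorder becomes what the PR calls it, defence in depth, rather than the only thing standing between a build log and a committed credential.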

coderabbitai Bot commented Jun 24, 2026

Review Change Stack

Warning

Review limit reached

@AlexSkrypnyk, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 27 minutes and 15 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: e8b910fa-e23c-4553-a2a5-4269de6f9488

📥 Commits

Reviewing files that changed from the base of the PR and between 4f7c718 and 48aee21.

⛔ Files ignored due to path filters (1)
  • .vortex/docs/static/img/build.svg is excluded by !**/*.svg
📒 Files selected for processing (1)
  • .vortex/docs/static/img/build.json

Walkthrough

Adds a redactSecrets() helper to VideoRecorder.php that masks credential token patterns (GitHub/AWS regex patterns and specific environment variable values) in recorded cast files during post-processing. Also bumps five Composer dependencies and replaces four static documentation demo JSON snapshot files with new recordings.

Changes

Secrets Masking in VideoRecorder

Layer / File(s) Summary
redactSecrets() implementation and postprocessCast() wiring
.vortex/docs/.utils/VideoRecorder.php
postprocessCast() calls the new redactSecrets() method, which applies regex replacement for GitHub/AWS token patterns and replaces literal values of PACKAGE_TOKEN, GITHUB_TOKEN, and VORTEX_CONTAINER_REGISTRY_PASS (when ≥ 8 chars) with a fixed placeholder. Throws RuntimeException on regex failure.

Dependency Bumps and Refreshed Doc Snapshots

Layer / File(s) Summary
Composer dependency version bumps
composer.json
drupal/core-composer-scaffold and core-recommended bumped to ~11.3.13; drush/drush to ^13.7.4; drupal/coder to ^9.0.1@alpha; rector/rector to ^2.5.2; vincentlanglet/twig-cs-fixer to ^4.0.1.
Refreshed static demo JSON snapshots
.vortex/docs/static/img/lint.json, .vortex/docs/static/img/provision.json, .vortex/docs/static/img/test-bdd.json, .vortex/docs/static/img/test.json
All four recordings replaced with new runs reflecting updated timestamps and command strings. Outputs now show failure states: missing autoload.php fatal errors (provision, test), phpcs sniff-not-found errors (lint), and a dependency-setup prompt with exit code 1 (test-bdd).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • drevops/vortex#2487: Also bumps drupal/core-composer-scaffold and drupal/core-recommended version constraints in composer.json.
  • drevops/vortex#2524: Similarly updates drupal/core-composer-scaffold and drupal/core-recommended constraints in composer.json.
  • drevops/vortex#2525: Introduced the VideoRecorder cast post-processing pipeline that this PR extends with redactSecrets().

Suggested labels

Dependencies

🐇 A token appeared in the cast,
A secret that shouldn't be broadcast!
With regex and env,
I masked them — and then,
No credentials leaked unsurpassed! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the two main changes: dependency updates for version 1.40.0 release and secret masking implementation in the video pipeline.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


codecov Bot commented Jun 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.22%. Comparing base (a527e91) to head (48aee21).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2709      +/-   ##
==========================================
- Coverage   86.67%   86.22%   -0.45%     
==========================================
  Files          96       89       -7     
  Lines        4719     4560     -159     
  Branches       47        3      -44     
==========================================
- Hits         4090     3932     -158     
+ Misses        629      628       -1     

☔ View full report in Codecov by Harness.

coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.vortex/docs/.utils/VideoRecorder.php:
- Around line 327-352: The current masking logic operates on the concatenated
contents string, but asciicast events are JSON-delimited with `"],\n[`
separators that fragment tokens across multiple events, causing the regex
patterns and str_replace operations to miss partial token matches. To fix this,
preprocess the contents string by removing the inter-event JSON delimiters (the
`"],\n[` sequences) before applying the preg_replace and str_replace operations
on the patterns and environment variable values, or alternatively decode and
redact secrets per-event by parsing each JSON event individually after the token
masking is applied to restore the proper JSON structure afterward.

In @.vortex/docs/static/img/provision.json:
- Around line 1-23: The environment bootstrap process is broken, causing
multiple recorded videos to fail with exit code 1 due to missing autoload.php.
Review the update-videos.php script to ensure it properly initializes the Docker
environment by running Composer install before executing any ahoy commands,
verify that the Docker workspace initialization includes all necessary Composer
setup steps to generate the vendor/autoload.php file, and ensure the bootstrap
completes successfully before attempting to record any documentation videos. The
issue is systemic across the environment setup phase, not individual command
execution.

In @.vortex/docs/static/img/test-bdd.json:
- Around line 1-20: The test-bdd.json file contains a terminal session recording
that captured a failed test execution with exit code 1 (indicated by the "x":
"1" entry at the end). The recording shows dependency installation error
messages which will be displayed to documentation viewers instead of a
successful test demonstration. Either remove this file entirely if the demo is
no longer needed, or re-record the test-bdd.json session from a properly
initialized environment where all project dependencies are installed and the
test suite completes successfully, ensuring the final exit code indicates
success rather than failure.

In @.vortex/docs/static/img/test.json:
- Around line 1-16: The documentation video snapshots in the
.vortex/docs/static/img/ directory are capturing failed command executions due
to missing composer vendor files. The test.json snapshot shows a PHP error about
a missing autoload.php file, which originates from a composer install failure
visible in build.json (the vfsstream package installation failed). To fix this,
investigate why the composer install step is failing in the video recording
environment, particularly the vfsstream package installation, verify that all
composer dependencies are properly resolved and the vendor directory is fully
populated before recording the snapshots, and then re-record the documentation
videos (build.json, lint.json, provision.json, test-bdd.json, and test.json)
with a successful dependency installation to ensure the snapshots accurately
represent expected behavior.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 85ab126e-1f99-4401-8c1b-8223a099d592

📥 Commits

Reviewing files that changed from the base of the PR and between a527e91 and 4f7c718.

⛔ Files ignored due to path filters (11)
  • .vortex/docs/static/img/build.svg is excluded by !**/*.svg
  • .vortex/docs/static/img/installer.svg is excluded by !**/*.svg
  • .vortex/docs/static/img/lint.png is excluded by !**/*.png
  • .vortex/docs/static/img/lint.svg is excluded by !**/*.svg
  • .vortex/docs/static/img/provision.png is excluded by !**/*.png
  • .vortex/docs/static/img/provision.svg is excluded by !**/*.svg
  • .vortex/docs/static/img/test-bdd.png is excluded by !**/*.png
  • .vortex/docs/static/img/test-bdd.svg is excluded by !**/*.svg
  • .vortex/docs/static/img/test.png is excluded by !**/*.png
  • .vortex/docs/static/img/test.svg is excluded by !**/*.svg
  • web/themes/custom/your_site_theme/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (8)
  • .vortex/docs/.utils/VideoRecorder.php
  • .vortex/docs/static/img/build.json
  • .vortex/docs/static/img/installer.json
  • .vortex/docs/static/img/lint.json
  • .vortex/docs/static/img/provision.json
  • .vortex/docs/static/img/test-bdd.json
  • .vortex/docs/static/img/test.json
  • composer.json

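The following added example illustrates both the PR description's redactSecrets() step (pattern plus literal-value masking of the cast before rendering) and the first CodeRabbit inline comment above, which points out that a token split across asciicast events defeats a regex run over the raw file. It is not the project's VideoRecorder.php; the regexes, the placeholder, the helper names and the sample recording are this example's own assumptions. It takes the second route the comment suggests: decode the events, search the joined output stream, and write the placeholder back into the event where the match started, dropping the matched fragments from later events so the JSON structure stays intact.

```python
"""Added example (not the project's VideoRecorder.php): redact secrets from an
asciicast v2 recording without breaking its JSON structure, even when one token
is split across output events. Patterns, placeholder and sample recording are
constructed for this example."""
import json
import os
import re

PLACEHOLDER = "XXXXX"

# Token shapes named in the PR; the exact regexes are this example's assumption.
SECRET_PATTERNS = [
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}"),      # classic GitHub PATs
    re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}"),     # fine-grained GitHub PATs
    re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),      # AWS access key IDs
]
# Literal runtime values are masked too (defence in depth for unknown formats).
ENV_VARS = ("PACKAGE_TOKEN", "GITHUB_TOKEN", "VORTEX_CONTAINER_REGISTRY_PASS")
MIN_LITERAL_LEN = 8  # never mask short/empty values, which would shred the cast


def find_secret_spans(text, env=None):
    """Return sorted, merged (start, end) spans of secrets found in text."""
    env = os.environ if env is None else env
    spans = [m.span() for pat in SECRET_PATTERNS for m in pat.finditer(text)]
    for name in ENV_VARS:
        value = env.get(name, "")
        if len(value) < MIN_LITERAL_LEN:
            continue
        start = text.find(value)
        while start != -1:
            spans.append((start, start + len(value)))
            start = text.find(value, start + len(value))
    merged = []
    for s, e in sorted(spans):
        if merged and s < merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def naive_redact(cast_text, env=None):
    """Regex over the raw file as if it were plain text. A token that a pty read
    split across two events (...ghp_ABCD"],\\n[1.46, "o", "EFGH...) is missed."""
    for s, e in reversed(find_secret_spans(cast_text, env)):
        cast_text = cast_text[:s] + PLACEHOLDER + cast_text[e:]
    return cast_text


def redact_cast(cast_text, env=None):
    """Decode the cast, join all output ("o") events into one stream, find
    secrets there, then write the placeholder into the event where a match
    starts and drop the matched fragments from any later events."""
    lines = [l for l in cast_text.splitlines() if l.strip()]
    header, events = lines[0], [json.loads(l) for l in lines[1:]]

    stream, bounds, pos = [], [], 0          # bounds[i] = (start, end) in stream
    for ev in events:
        data = ev[2] if ev[1] == "o" else ""
        bounds.append((pos, pos + len(data)))
        stream.append(data)
        pos += len(data)
    stream = "".join(stream)

    spans = find_secret_spans(stream, env)
    starts = {s for s, _ in spans}
    covered = bytearray(len(stream))          # 1 = character belongs to a secret
    for s, e in spans:
        covered[s:e] = b"\x01" * (e - s)

    out = [header]
    for ev, (a, b) in zip(events, bounds):
        if ev[1] != "o":
            out.append(json.dumps(ev))
            continue
        chunk = []
        for i in range(a, b):
            if i in starts:
                chunk.append(PLACEHOLDER)
            if not covered[i]:
                chunk.append(stream[i])
        out.append(json.dumps([ev[0], ev[1], "".join(chunk)]))
    return "\n".join(out) + "\n"


def output_strings(cast_text):
    """Data of every output event, in order (for inspection and tests)."""
    events = (json.loads(l) for l in cast_text.splitlines()[1:] if l.strip())
    return [ev[2] for ev in events if ev[1] == "o"]


# Constructed sample: a fake classic PAT split across two pty reads, then a
# registry password whose format no regex knows.
SAMPLE_CAST = "\n".join([
    json.dumps({"version": 2, "width": 80, "height": 24}),
    json.dumps([1.23, "o", "Step 3/12 : ARG PACKAGE_TOKEN\r\n"]),
    json.dumps([1.45, "o", "ghp_ABCDEFGHIJKLMNOP"]),
    json.dumps([1.46, "o", "QRSTUVWXYZ0123456789abcdef\r\n"]),
    json.dumps([1.50, "o", "registry pass: hunter2hunter2\r\n"]),
]) + "\n"
SAMPLE_ENV = {"VORTEX_CONTAINER_REGISTRY_PASS": "hunter2hunter2"}

if __name__ == "__main__":
    print(output_strings(naive_redact(SAMPLE_CAST, SAMPLE_ENV)))  # PAT survives
    print(output_strings(redact_cast(SAMPLE_CAST, SAMPLE_ENV)))   # PAT masked
```

Run as a script, naive_redact() leaves the split PAT intact while redact_cast() masks it; the literal env-value pass is what catches the registry password, whose format no pattern knows, and the minimum-length guard keeps an unset or trivially short variable from blanking the whole recording.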
github-actions Bot commented Jun 24, 2026

📖 Documentation preview for this pull request has been deployed to Netlify:

https://6a3b5653a244155f5092193b--vortex-docs.netlify.app

This preview is rebuilt on every commit and is not the production documentation site.

AlexSkrypnyk force-pushed the feature/release-1.40.0 branch from 4f7c718 to 48aee21 on June 24, 2026 03:49
github-actions Bot commented

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   98.58% (208/211)
Per-class coverage
Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)


@AlexSkrypnyk AlexSkrypnyk moved this from BACKLOG to To do for current release in Vortex 1.x Jun 24, 2026
@AlexSkrypnyk AlexSkrypnyk merged commit 380cae7 into main Jun 24, 2026
34 checks passed
@github-project-automation github-project-automation Bot moved this from To do for current release to Release queue in Vortex 1.x Jun 24, 2026
@AlexSkrypnyk AlexSkrypnyk deleted the feature/release-1.40.0 branch June 24, 2026 04:08
@AlexSkrypnyk AlexSkrypnyk added this to the 1.40.0 milestone Jun 24, 2026