skill: HubSpot Private App creation + rotation

[axelclark]

Summary

Two new domain skills under domain-skills/hubspot/:

• private-app-creation.md — end-to-end flow for generating a Private App access token via the Legacy Apps UI. Covers the <I18N-STRING> TreeWalker pattern, React-controlled input gotcha (native setter + dispatched input/change events), scope-row checkbox walking, and the two-step creation confirmation modal.
• private-app-rotation.md — rotating a compromised or routine-cycle token via the Auth tab. Covers the two-step rotate confirmation (expire-later vs expire-now), a regex-gated TreeWalker for capturing the freshly-minted 44-char token (so the masked ******** display can't match), the subprocess.run([...]) pattern to pipe straight to fly secrets set without the value crossing a shell, and the in-VM node-fetch verification pattern (slim containers have no curl).

Cross-references private-app-creation.md where appropriate rather than duplicating shared gotchas.

Test plan

• Drove both flows end-to-end against a live HubSpot dev portal. Creation → 44-char pat-na2-… token verified against /account-info/v3/details = 200. Rotation with "expire now" → new 44-char token, old one invalidated, verified against the same endpoint.
• Regex guard in the rotation extractor rejects the masked display even when it coexists on the page with the unmasked value.
• No live token values in the committed examples (format spec only; no hex-shaped samples). GitHub Push Protection passed.
• Reviewer: confirm file placement matches conventions (one file per distinct flow under domain-skills/<vendor>/).

🤖 Generated with Claude Code

---

Summary by cubic

Adds three HubSpot domain skills for creating Private App tokens, rotating them safely, and editing webhook subscriptions. Improves reliability of token handling and webhook changes while avoiding secret leaks.

• New Features
  • domain-skills/hubspot/private-app-creation.md: Legacy Apps flow; TreeWalker for <I18N-STRING> text; React input setter + events; scope checkbox clicks; two-step confirm; token regex + /account-info/v3/details check.
  • domain-skills/hubspot/private-app-rotation.md: Auth tab flow; "expire later" vs "now"; regex-gated capture (exclude masked ********); subprocess.run([...]) to fly secrets set; in-VM node -e fetch verification; cross-links to shared DOM tips.
  • domain-skills/hubspot/private-app-webhooks.md: Subscription editor drawer; React-Select coordinate-click requirement; "SubscribeLoading" button-text trap; two-step save (drawer Subscribe → top-right Commit changes); verify via read-only /webhooks.

^{Written for commit 223a4e3. Summary will update on new commits.}

[browser-harness-review]

✅ Skill review passed

Reviewed 3 file(s) — no findings.

[cubic-dev-ai]

1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="domain-skills/hubspot/private-app-creation.md">

<violation number="1" location="domain-skills/hubspot/private-app-creation.md:90">
P2: Token format regex is incorrectly hardcoded to `na` region, contradicting the documented multi-region token format and rejecting valid non-NA tokens.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P2: Token format regex is incorrectly hardcoded to na region, contradicting the documented multi-region token format and rejecting valid non-NA tokens.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At domain-skills/hubspot/private-app-creation.md, line 90:

<comment>Token format regex is incorrectly hardcoded to `na` region, contradicting the documented multi-region token format and rejecting valid non-NA tokens.</comment>

<file context>
@@ -0,0 +1,110 @@
+
+### Token format
+
+`pat-{region}-{uuid-v4}` — 44 characters total. Regex: `^pat-na[0-9]+-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$`. The 5-char hex prefix shown in the masked view (e.g. `pat-na2-abcde**-...`) is the start of the UUID's first group — useful for confirming a revealed token matches what you're looking at without printing the full value.
+
+## Verification
</file context>

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="domain-skills/hubspot/private-app-webhooks.md">

<violation number="1" location="domain-skills/hubspot/private-app-webhooks.md:79">
P2: Verification helper is too broad: it scans the whole document and matches generic tokens, so it can report unrelated text as a subscribed property.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P2: Verification helper is too broad: it scans the whole document and matches generic tokens, so it can report unrelated text as a subscribed property.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At domain-skills/hubspot/private-app-webhooks.md, line 79:

<comment>Verification helper is too broad: it scans the whole document and matches generic tokens, so it can report unrelated text as a subscribed property.</comment>

<file context>
@@ -0,0 +1,99 @@
+
+```js
+const subscribedProps = (() => {
+  const walker = document.createTreeWalker(document.body, NodeFilter.SHOW_TEXT);
+  const out = new Set();
+  let n;
</file context>