feat(access-tokens): expose project/group/personal access tokens management

[polaz]

👍 React to this issue if you need this feature — helps us prioritise.

Problem

Access tokens (PATs, project access tokens, group access tokens) are core CI/automation primitives. We expose token scope detection for the running token (TokenScopeDetector) but no tools to list/rotate/revoke them at user/project/group level.

Investigation done (current state)

Verified against src/entities/:

• ✅ services/TokenScopeDetector.ts introspects the CURRENT token via /api/v4/personal_access_tokens/self — good for whoami
• ❌ grep -ri 'access_token' src/entities/ returns 0 hits
• ❌ No tool lists tokens belonging to a project/group/user

Re-verify before coding:

grep -rIni 'access.*token' src/entities/
ls src/entities/ | grep token

Acceptance criteria

• New entity src/entities/access_tokens/ with:
  • browse_access_tokens actions: list_personal (self), list_project, list_group, get
  • manage_access_token actions: create_project, create_group, rotate (returns new token value once), revoke
• Token-value responses must be flagged sensitive in tool result metadata
• Integration test creating a PAT for a test project, rotating it, revoking it
• Permission gating: requires api scope; owner+admin for project/group tokens

GitLab API

• Endpoints:
  • /personal_access_tokens, /personal_access_tokens/self/rotate
  • /projects/:id/access_tokens, /projects/:id/access_tokens/:token_id/rotate
  • /groups/:id/access_tokens, /groups/:id/access_tokens/:token_id/rotate
• Tier: Free
• Docs: https://docs.gitlab.com/api/project_access_tokens/, .../group_access_tokens/, .../personal_access_tokens/

Estimate

6h

Context

Found during GitLab 18→19 API landscape analysis. Token rotation is a common compliance need.