From edc77da0822e6ce19e634f31d0b00be146502f94 Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Fri, 10 Apr 2026 17:31:36 -0400
Subject: [PATCH] fix(skills): delete secret row when PAT is cleared via
 updateSkillAuth

When updateSkillAuth(null) is called, the underlying secret row was
left orphaned. Now deletes the secret via secretsSvc.remove() before
clearing sourceAuthSecretId from metadata.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 server/src/services/company-skills.ts | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/server/src/services/company-skills.ts b/server/src/services/company-skills.ts
index 6549fda8..b6c36db4 100644
--- a/server/src/services/company-skills.ts
+++ b/server/src/services/company-skills.ts
@@ -2445,9 +2445,15 @@ export function companySkillService(db: Db) {
       }
       meta.sourceAuthSecretId = secretId;
     } else {
-      // Clear the PAT
+      // Clear the PAT — delete the secret row to avoid orphaned secrets
+      if (existingSecretId) {
+        try {
+          await secretsSvc.remove(existingSecretId);
+        } catch {
+          // Best-effort: don't fail the metadata update if secret deletion fails
+        }
+      }
       delete meta.sourceAuthSecretId;
-      // Note: we don't delete the secret itself — it may be referenced in audit logs
     }
 
     const [updated] = await db