Skip to content

Legacy removeDataSource can release credential refs before the row is safely removed #202

Description

@youhaowei

Problem

Clawpatch flagged a likely data-loss bug in the legacy removeDataSource RPC path.

The legacy coarse mutation can release vault credential refs before the DataSource row has been safely deleted and before the same durability gate used by the newer DeleteNode command path. A crash or failed write in that window can leave durable app state pointing at credentials that have already been released.

Evidence

Clawpatch run: 20260629T235052-baec0e

Finding: fnd_sig-feat-library-2d244dcc99-c448_42ff60499d

Relevant paths:

  • apps/server/src/functions/app-artifacts.ts around removeDataSource
  • apps/server/src/functions/utils.ts around credential release helpers
  • apps/server/src/functions/commands.ts around DeleteNode

Expected fix

Either retire/delegate the legacy mutation to the command path, or move it to the same release ordering used by DeleteNode: remove/write durable app state first, then release credential refs after the durability gate succeeds.

Scope

Follow-up from PR #197 review. This is not introduced by the assistant read-layer changes.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions