fix: delete old API key before inserting rotated one (#740)

* fix: delete old API key before inserting rotated one

The agent_api_keys table has a OneToOne unique constraint on agent_id,
so deactivating the old key (setting is_active=false) still blocks the
insert of the new key. Delete the old row instead.

* retrigger CI

* fix: update rotateKey tests to match delete + insert approach

The mock for keyRepo was missing the delete method, causing all
rotateKey tests to fail with "this.keyRepo.delete is not a function".
Updated test assertions to verify delete is called instead of update.

* fix: always show terminal command in configure step

The terminal with the copyable CLI/env command was hidden when the
full API key wasn't available (e.g. on subsequent visits). Now the
terminal is always visible regardless of key availability.

---------

Co-authored-by: Bruno Perez <bruno@buddyweb.fr>

Author: SebConejo

packages/backend/src/otlp/services/api-key.service.spec.ts

@@ -29,6 +29,7 @@ describe('ApiKeyGeneratorService', () => {
   let mockAgentInsert: jest.Mock;
   let mockKeyInsert: jest.Mock;
   let mockKeyUpdate: jest.Mock;
+  let mockKeyDelete: jest.Mock;
   let mockKeyGetOne: jest.Mock;
   let mockKeyQb: Record<string, jest.Mock>;
   let mockAgentGetOne: jest.Mock;
@@ -40,6 +41,7 @@ describe('ApiKeyGeneratorService', () => {
     mockAgentInsert = jest.fn().mockResolvedValue({});
     mockKeyInsert = jest.fn().mockResolvedValue({});
     mockKeyUpdate = jest.fn().mockResolvedValue({});
+    mockKeyDelete = jest.fn().mockResolvedValue({});
     mockKeyGetOne = jest.fn();
     mockAgentGetOne = jest.fn();
 
@@ -79,6 +81,7 @@ describe('ApiKeyGeneratorService', () => {
           useValue: {
             insert: mockKeyInsert,
             update: mockKeyUpdate,
+            delete: mockKeyDelete,
             createQueryBuilder: jest.fn().mockReturnValue(mockKeyQb),
           },
         },
@@ -367,15 +370,12 @@ describe('ApiKeyGeneratorService', () => {
       ).rejects.toThrow('Agent not found or access denied');
     });
 
-    it('should deactivate all existing active keys for the agent', async () => {
+    it('should delete existing keys for the agent before creating a new one', async () => {
       mockAgentGetOne.mockResolvedValue(existingAgent);
 
       await service.rotateKey('user-1', 'my-agent');
 
-      expect(mockKeyUpdate).toHaveBeenCalledWith(
-        { agent_id: 'agent-id-1', is_active: true },
-        { is_active: false },
-      );
+      expect(mockKeyDelete).toHaveBeenCalledWith({ agent_id: 'agent-id-1' });
     });
 
     it('should create a new key with hash and prefix, no plaintext', async () => {
@@ -432,12 +432,12 @@ describe('ApiKeyGeneratorService', () => {
       );
     });
 
-    it('should deactivate old keys before inserting the new one', async () => {
+    it('should delete old keys before inserting the new one', async () => {
       mockAgentGetOne.mockResolvedValue(existingAgent);
 
       const callOrder: string[] = [];
-      mockKeyUpdate.mockImplementation(() => {
-        callOrder.push('update');
+      mockKeyDelete.mockImplementation(() => {
+        callOrder.push('delete');
         return Promise.resolve({});
       });
       mockKeyInsert.mockImplementation(() => {
@@ -447,7 +447,7 @@ describe('ApiKeyGeneratorService', () => {
 
       await service.rotateKey('user-1', 'my-agent');
 
-      expect(callOrder).toEqual(['update', 'insert']);
+      expect(callOrder).toEqual(['delete', 'insert']);
     });
   });
 });

packages/backend/src/otlp/services/api-key.service.ts

@@ -101,10 +101,7 @@ export class ApiKeyGeneratorService {
       .getOne();
     if (!agent) throw new NotFoundException('Agent not found or access denied');
 
-    await this.keyRepo.update(
-      { agent_id: agent.id, is_active: true },
-      { is_active: false },
-    );
+    await this.keyRepo.delete({ agent_id: agent.id });
 
     const rawKey = this.generateKey();
     const keyId = uuidv4();