THU-506: Move integration secrets to local-only table

[raivieiraadriano92]

Summary

• Creates integrations_secrets local-only table (PowerSync localOnly: true) for Google/Microsoft OAuth credentials and enabled flags — credentials never leave the device
• Moves OAuth flow state (oauth_state, oauth_verifier, etc.) from synced settings to sessionStorage — PKCE verifiers and CSRF tokens are security-critical single-use values that should not sync
• Moves integrations_google_is_enabled and integrations_microsoft_is_enabled to the local table alongside credentials — enabled flag is meaningless without local credentials on other devices
• integrations_pro_is_enabled and integrations_do_not_ask_again remain in synced settings (not credential-dependent)
• New src/dal/integrations.ts DAL module centralizes credential CRUD (uses SELECT-then-INSERT-or-UPDATE pattern for PowerSync view compatibility)

Test plan

• Google OAuth connect flow → credentials saved to integrations_secrets, not settings table
• Microsoft OAuth connect flow → same
• Token refresh persists to local table
• Disconnect deletes from local table, UI updates immediately
• Toggle enabled updates local table
• AI tools gated on enabled from local table
• OAuth state uses sessionStorage (no oauth_* keys in settings table)
• integrations_pro_is_enabled and integrations_do_not_ask_again still sync correctly
• TypeScript compiles, lint passes, all tests pass

🤖 Generated with Claude Code

---

Note

Medium Risk
Touches OAuth credential storage, token refresh persistence, and integration gating logic; bugs could break connect/disconnect flows or accidentally disable tools despite valid credentials.

Overview
Moves Google/Microsoft integration credentials and enabled flags out of synced settings and into a new local-only SQLite table integrations_secrets (registered in PowerSync schema as localOnly: true), with a new DAL (dal/integrations.ts) to read/write/delete and compute per-provider status (including surfaced email).

Updates OAuth connect/disconnect, integrations settings UI, onboarding state, and tool availability/AI prompt labeling to use getIntegrationStatus + React Query invalidation instead of settings keys, and centralizes OAuth token refresh logic via new integrations/oauth-credentials.ts.

Shifts OAuth flow state (state/verifier/returnContext) from the database to browser storage via lib/oauth-state.ts, and updates the deep-link listener/tests accordingly.

^{Reviewed by Cursor Bugbot for commit 1d2e5ba. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Semgrep Security Scan

No security issues found.

[github-actions]

PR Metrics

Metric	Value
Lines changed (prod code)	+369 / -337
JS bundle size (gzipped)	🟢 1.02 MB → 1.02 MB (-4.5 KB, -0.4%)
Test coverage	🟡 71.47% → 71.37% (-0.1%)
Performance (preview)	Preview not ready — Render deploy may have timed out
Accessibility	—
Best Practices	—
SEO	—

Updated Fri, 15 May 2026 20:08:03 GMT · run #1506

[github-actions]

Preview environment deployed 🚀

Service	URL
Marketing / blog / docs	https://thunderbolt-pr-859.preview.thunderbolt.io
App	https://app-pr-859.preview.thunderbolt.io
API	https://api-pr-859.preview.thunderbolt.io
Keycloak	https://auth-pr-859.preview.thunderbolt.io
PowerSync	https://powersync-pr-859.preview.thunderbolt.io

Stack: preview-pr-859 · Commit: 1d2e5ba9f2869121a3bcec2756b492d0850a7043

Auto-destroys on PR close/merge. Login via the bundled Keycloak realm — demo@thunderbolt.io / demo by default.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1d2e5ba. Configure here.}