improvement(oauth): coalesce token refresh + scrub unknown credential refs

Author: waleedlatif1

apps/realtime/src/handlers/subblocks.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { SUBBLOCK_OPERATIONS } from '@sim/realtime-protocol/constants'
 import { getErrorMessage } from '@sim/utils/errors'
 import { assertWorkflowMutable, WorkflowLockedError } from '@sim/workflow-authz'
+import { scrubSingleCredentialValue } from '@sim/workflow-persistence/credential-scrub'
 import { isWorkflowBlockProtected } from '@sim/workflow-types/workflow'
 import { and, eq } from 'drizzle-orm'
 import type { AuthenticatedSocket } from '@/middleware/auth'
@@ -234,8 +235,19 @@ async function flushSubblockUpdate(
   pending: PendingSubblock,
   roomManager: IRoomManager
 ) {
-  const { blockId, subblockId, value, timestamp } = pending.latest
+  const { blockId, subblockId, value: incomingValue, timestamp } = pending.latest
   const io = roomManager.io
+  const { value, cleared: credentialCleared } = await scrubSingleCredentialValue(
+    subblockId,
+    incomingValue
+  )
+  if (credentialCleared) {
+    logger.warn('Cleared dangling credential ref in realtime subblock update', {
+      workflowId,
+      blockId,
+      subblockId,
+    })
+  }
 
   try {
     // Verify workflow still exists