Summary
When a knowledge graph is deleted, its data sources are cascade-deleted via KnowledgeGraphService.delete(). However, the service calls ds_repo.delete(ds) directly on each data source, which does not delete the associated encrypted credentials from the secret store. Only DataSourceService.delete() handles credential cleanup.
Expected Behavior
Per specs/management/data-sources.spec.md and specs/management/knowledge-graphs.spec.md:
- When a knowledge graph is deleted, all data sources within it are deleted including their credentials
- Encrypted credentials should be deleted from the secret store before the data source record is removed
Actual Behavior
KnowledgeGraphService.delete() at management/application/services/knowledge_graph_service.py:368-374 calls ds_repo.delete(ds) which only deletes the database record. The FernetSecretStore entry at datasource/{id}/credentials is left orphaned in the encrypted_credentials table.
Impact
Orphaned encrypted credential blobs accumulate in the database over time. While they are inert (no data source references them), they represent a data hygiene issue and potential compliance concern — encrypted secrets should be deleted when their parent resource is deleted.
Fix
KnowledgeGraphService.delete() should delete credentials via the secret store before deleting each data source, mirroring what DataSourceService.delete() does at lines 385-389.
References
specs/management/knowledge-graphs.spec.md — "all data sources within it are deleted first (including their credentials)"specs/management/data-sources.spec.md — "the encrypted credentials are deleted first"
Summary
When a knowledge graph is deleted, its data sources are cascade-deleted via
KnowledgeGraphService.delete(). However, the service callsds_repo.delete(ds)directly on each data source, which does not delete the associated encrypted credentials from the secret store. OnlyDataSourceService.delete()handles credential cleanup.Expected Behavior
Per
specs/management/data-sources.spec.mdandspecs/management/knowledge-graphs.spec.md:Actual Behavior
KnowledgeGraphService.delete()atmanagement/application/services/knowledge_graph_service.py:368-374callsds_repo.delete(ds)which only deletes the database record. TheFernetSecretStoreentry atdatasource/{id}/credentialsis left orphaned in theencrypted_credentialstable.Impact
Orphaned encrypted credential blobs accumulate in the database over time. While they are inert (no data source references them), they represent a data hygiene issue and potential compliance concern — encrypted secrets should be deleted when their parent resource is deleted.
Fix
KnowledgeGraphService.delete()should delete credentials via the secret store before deleting each data source, mirroring whatDataSourceService.delete()does at lines 385-389.References
specs/management/knowledge-graphs.spec.md— "all data sources within it are deleted first (including their credentials)"specs/management/data-sources.spec.md— "the encrypted credentials are deleted first"