feat: Add option to delete or keep API keys when uninstalling plugin

Add user-facing option to manage credentials during plugin deletion.
Users can now choose to delete or keep API keys/credentials when
uninstalling a plugin.

Backend changes:
- Add PluginCredentialService for credential management
- Add check_plugin_credentials() method to PluginService
- Modify uninstall() to accept delete_credentials and credential_ids params
- Add GET /plugin/uninstall/check-credentials endpoint
- Update POST /plugin/uninstall endpoint with credential options

Frontend changes:
- Update plugin action component with credential checking
- Add radio button UI for delete/keep credential options
- Update plugin detail panel with same functionality
- Add checkPluginCredentials() and update uninstallPlugin() in service layer
- Add internationalization for credential management UI

Tests:
- Add 26 backend tests (pytest) covering service and API layers
- Add 15 frontend tests (jest) covering UI and service integration
- Test coverage includes: credential retrieval, deletion, API endpoints,
  state management, user flow, and edge cases
- All tests follow project conventions with proper mocking

Fixes #27531

Author: UMDKyle

api/controllers/console/workspace/plugin.py

@@ -526,8 +526,38 @@ def post(self):
             raise ValueError(e)
 
 
+parser_check_credentials = reqparse.RequestParser().add_argument(
+    "plugin_installation_id", type=str, required=True, location="args"
+)
+
+
+@console_ns.route("/workspaces/current/plugin/uninstall/check-credentials")
+class PluginUninstallCheckCredentialsApi(Resource):
+    @api.expect(parser_check_credentials)
+    @setup_required
+    @login_required
+    @account_initialization_required
+    @plugin_permission_required(install_required=True)
+    def get(self):
+        """Check if plugin has associated credentials before uninstall."""
+        args = parser_check_credentials.parse_args()
+
+        _, tenant_id = current_account_with_tenant()
+
+        try:
+            credentials = PluginService.check_plugin_credentials(tenant_id, args["plugin_installation_id"])
+            return {
+                "has_credentials": len(credentials) > 0,
+                "credentials": [cred.to_dict() for cred in credentials],
+            }
+        except PluginDaemonClientSideError as e:
+            raise ValueError(e)
+
+
 parser_uninstall = reqparse.RequestParser().add_argument(
     "plugin_installation_id", type=str, required=True, location="json"
+).add_argument("delete_credentials", type=bool, required=False, default=False, location="json").add_argument(
+    "credential_ids", type=list, required=False, location="json"
 )
 
 
@@ -544,7 +574,13 @@ def post(self):
         _, tenant_id = current_account_with_tenant()
 
         try:
-            return {"success": PluginService.uninstall(tenant_id, args["plugin_installation_id"])}
+            result = PluginService.uninstall(
+                tenant_id,
+                args["plugin_installation_id"],
+                delete_credentials=args.get("delete_credentials", False),
+                credential_ids=args.get("credential_ids", []),
+            )
+            return {"success": result}
         except PluginDaemonClientSideError as e:
             raise ValueError(e)
 

api/services/plugin/plugin_credential_service.py

@@ -0,0 +1,148 @@
+"""Service for managing plugin credentials during installation and uninstallation."""
+
+import logging
+from collections.abc import Sequence
+
+from sqlalchemy import select
+
+from extensions.ext_database import db
+from models.provider import ProviderCredential, ProviderModelCredential
+from models.provider_ids import GenericProviderID
+
+logger = logging.getLogger(__name__)
+
+
+class PluginCredentialInfo:
+    """Information about a plugin credential."""
+
+    def __init__(self, credential_id: str, credential_name: str, credential_type: str, provider_name: str):
+        self.credential_id = credential_id
+        self.credential_name = credential_name
+        self.credential_type = credential_type  # "provider" or "model"
+        self.provider_name = provider_name
+
+    def to_dict(self) -> dict:
+        return {
+            "credential_id": self.credential_id,
+            "credential_name": self.credential_name,
+            "credential_type": self.credential_type,
+            "provider_name": self.provider_name,
+        }
+
+
+class PluginCredentialService:
+    """Service for managing plugin credentials."""
+
+    @staticmethod
+    def get_plugin_credentials(tenant_id: str, plugin_id: str) -> list[PluginCredentialInfo]:
+        """
+        Get all credentials associated with a plugin.
+
+        Args:
+            tenant_id: Tenant ID
+            plugin_id: Plugin ID in format "organization/plugin_name"
+
+        Returns:
+            List of PluginCredentialInfo objects
+        """
+        logger.info(f"Getting credentials for plugin_id: {plugin_id}, tenant_id: {tenant_id}")
+        credentials = []
+
+        # Query provider credentials
+        provider_credentials = db.session.scalars(
+            select(ProviderCredential).where(
+                ProviderCredential.tenant_id == tenant_id,
+                ProviderCredential.provider_name.like(f"{plugin_id}/%"),
+            )
+        ).all()
+        logger.info(f"Found {len(provider_credentials)} provider credentials")
+
+        for cred in provider_credentials:
+            credentials.append(
+                PluginCredentialInfo(
+                    credential_id=cred.id,
+                    credential_name=cred.credential_name,
+                    credential_type="provider",
+                    provider_name=cred.provider_name,
+                )
+            )
+
+        # Query provider model credentials
+        model_credentials = db.session.scalars(
+            select(ProviderModelCredential).where(
+                ProviderModelCredential.tenant_id == tenant_id,
+                ProviderModelCredential.provider_name.like(f"{plugin_id}/%"),
+            )
+        ).all()
+
+        for cred in model_credentials:
+            credentials.append(
+                PluginCredentialInfo(
+                    credential_id=cred.id,
+                    credential_name=cred.credential_name,
+                    credential_type="model",
+                    provider_name=cred.provider_name,
+                )
+            )
+
+        return credentials
+
+    @staticmethod
+    def delete_plugin_credentials(tenant_id: str, credential_ids: Sequence[str]) -> int:
+        """
+        Delete plugin credentials by IDs.
+
+        Args:
+            tenant_id: Tenant ID
+            credential_ids: List of credential IDs to delete
+
+        Returns:
+            Number of credentials deleted
+        """
+        logger.info(f"Deleting credentials: {credential_ids} for tenant: {tenant_id}")
+        deleted_count = 0
+
+        for credential_id in credential_ids:
+            # Try deleting from provider_credentials
+            provider_cred = db.session.scalars(
+                select(ProviderCredential).where(
+                    ProviderCredential.id == credential_id, ProviderCredential.tenant_id == tenant_id
+                )
+            ).first()
+
+            if provider_cred:
+                db.session.delete(provider_cred)
+                deleted_count += 1
+                continue
+
+            # Try deleting from provider_model_credentials
+            model_cred = db.session.scalars(
+                select(ProviderModelCredential).where(
+                    ProviderModelCredential.id == credential_id, ProviderModelCredential.tenant_id == tenant_id
+                )
+            ).first()
+
+            if model_cred:
+                db.session.delete(model_cred)
+                deleted_count += 1
+
+        db.session.commit()
+        logger.info(f"Deleted {deleted_count} plugin credentials for tenant {tenant_id}")
+        return deleted_count
+
+    @staticmethod
+    def delete_all_plugin_credentials(tenant_id: str, plugin_id: str) -> int:
+        """
+        Delete all credentials associated with a plugin.
+
+        Args:
+            tenant_id: Tenant ID
+            plugin_id: Plugin ID in format "organization/plugin_name"
+
+        Returns:
+            Number of credentials deleted
+        """
+        credentials = PluginCredentialService.get_plugin_credentials(tenant_id, plugin_id)
+        credential_ids = [cred.credential_id for cred in credentials]
+        return PluginCredentialService.delete_plugin_credentials(tenant_id, credential_ids)
+

api/services/plugin/plugin_service.py

@@ -1,6 +1,7 @@
 import logging
 from collections.abc import Mapping, Sequence
 from mimetypes import guess_type
+from typing import Optional
 
 from pydantic import BaseModel
 from yarl import URL
@@ -504,7 +505,79 @@ def install_from_marketplace_pkg(tenant_id: str, plugin_unique_identifiers: Sequ
         )
 
     @staticmethod
-    def uninstall(tenant_id: str, plugin_installation_id: str) -> bool:
+    def check_plugin_credentials(tenant_id: str, plugin_installation_id: str):
+        """
+        Check if a plugin has associated credentials.
+
+        Args:
+            tenant_id: Tenant ID
+            plugin_installation_id: Plugin installation ID
+
+        Returns:
+            List of PluginCredentialInfo objects
+        """
+        from services.plugin.plugin_credential_service import PluginCredentialService
+
+        # Get plugin installation to extract plugin_id
+        manager = PluginInstaller()
+        plugins = manager.list_plugins(tenant_id)
+        plugin = next((p for p in plugins if p.installation_id == plugin_installation_id), None)
+
+        if not plugin:
+            return []
+
+        plugin_id = plugin.plugin_id
+        return PluginCredentialService.get_plugin_credentials(tenant_id, plugin_id)
+
+    @staticmethod
+    def uninstall(
+        tenant_id: str,
+        plugin_installation_id: str,
+        delete_credentials: bool = False,
+        credential_ids: Optional[Sequence[str]] = None,
+    ) -> bool:
+        """
+        Uninstall a plugin and optionally delete its credentials.
+
+        Args:
+            tenant_id: Tenant ID
+            plugin_installation_id: Plugin installation ID
+            delete_credentials: Whether to delete associated credentials
+            credential_ids: Specific credential IDs to delete (if None, deletes all)
+
+        Returns:
+            True if successful
+        """
+        import logging
+        from services.plugin.plugin_credential_service import PluginCredentialService
+
+        logger = logging.getLogger(__name__)
+        logger.info(
+            f"Uninstalling plugin {plugin_installation_id}, delete_credentials={delete_credentials}, "
+            f"credential_ids={credential_ids}"
+        )
+
+        # Get plugin information before uninstalling
+        if delete_credentials:
+            manager = PluginInstaller()
+            plugins = manager.list_plugins(tenant_id)
+            plugin = next((p for p in plugins if p.installation_id == plugin_installation_id), None)
+
+            if plugin:
+                plugin_id = plugin.plugin_id
+                logger.info(f"Plugin found: {plugin_id}, proceeding with credential deletion")
+                if credential_ids:
+                    # Delete specific credentials
+                    logger.info(f"Deleting specific credentials: {credential_ids}")
+                    PluginCredentialService.delete_plugin_credentials(tenant_id, credential_ids)
+                else:
+                    # Delete all plugin credentials
+                    logger.info(f"Deleting all credentials for plugin: {plugin_id}")
+                    PluginCredentialService.delete_all_plugin_credentials(tenant_id, plugin_id)
+            else:
+                logger.warning(f"Plugin not found: {plugin_installation_id}")
+
+        # Uninstall the plugin
         manager = PluginInstaller()
         return manager.uninstall(tenant_id, plugin_installation_id)
 

api/tests/unit_tests/controllers/console/workspace/__init__.py

@@ -0,0 +1,2 @@
+# Workspace controller tests
+