fix(mcp): strip secret from create mutation result, dedupe oauth row mapping

- useCreateMcpServer was returning the raw serverData (including plaintext
  oauthClientSecret) as mutation.data; strip the secret to match the equivalent
  fix applied to useUpdateMcpServer.
- Extract the McpOauthRow mapping/decryption from loadOauthRow and
  loadOauthRowByState into a shared mapOauthRow helper.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/hooks/queries/mcp.ts

@@ -156,8 +156,9 @@ export function useCreateMcpServer() {
           : `Created MCP server: ${config.name} (ID: ${serverId})`
       )
 
+      const { oauthClientSecret: _omitSecret, ...safeServerData } = serverData
       return {
-        ...serverData,
+        ...safeServerData,
         id: serverId,
         connectionStatus: authType === 'oauth' ? ('disconnected' as const) : ('connected' as const),
         serverId,

apps/sim/lib/mcp/oauth/storage.ts

@@ -101,14 +101,9 @@ export async function getOrCreateOauthRow(params: {
   }
 }
 
-export async function loadOauthRow(params: { mcpServerId: string }): Promise<McpOauthRow | null> {
-  const [row] = await db
-    .select()
-    .from(mcpServerOauth)
-    .where(eq(mcpServerOauth.mcpServerId, params.mcpServerId))
-    .limit(1)
-  if (!row) return null
+type RawOauthRow = typeof mcpServerOauth.$inferSelect
 
+async function mapOauthRow(row: RawOauthRow): Promise<McpOauthRow> {
   return {
     id: row.id,
     mcpServerId: row.mcpServerId,
@@ -133,6 +128,16 @@ export async function loadOauthRow(params: { mcpServerId: string }): Promise<Mcp
   }
 }
 
+export async function loadOauthRow(params: { mcpServerId: string }): Promise<McpOauthRow | null> {
+  const [row] = await db
+    .select()
+    .from(mcpServerOauth)
+    .where(eq(mcpServerOauth.mcpServerId, params.mcpServerId))
+    .limit(1)
+  if (!row) return null
+  return mapOauthRow(row)
+}
+
 export async function setOauthRowUser(rowId: string, userId: string): Promise<void> {
   await db
     .update(mcpServerOauth)
@@ -152,28 +157,7 @@ export async function loadOauthRowByState(state: string): Promise<McpOauthRow |
     )
     .limit(1)
   if (!row) return null
-  return {
-    id: row.id,
-    mcpServerId: row.mcpServerId,
-    userId: row.userId,
-    workspaceId: row.workspaceId,
-    clientInformation: row.clientInformation
-      ? await safeDecrypt(
-          row.id,
-          'clientInformation',
-          row.clientInformation,
-          (d) => JSON.parse(d) as OAuthClientInformationMixed
-        )
-      : null,
-    tokens: row.tokens
-      ? await safeDecrypt(row.id, 'tokens', row.tokens, (d) => JSON.parse(d) as OAuthTokens)
-      : null,
-    codeVerifier: row.codeVerifier
-      ? await safeDecrypt(row.id, 'codeVerifier', row.codeVerifier, (d) => d)
-      : null,
-    state: row.state,
-    updatedAt: row.updatedAt,
-  }
+  return mapOauthRow(row)
 }
 
 export async function saveClientInformation(