fix(gitlab): sync integration_type on OAuth reconnect and drop self_rotate scope

[eshurakov]

Summary

• When a GitLab PAT integration was reconnected via OAuth, the callback update path overwrote metadata.auth_type to "oauth" but left the integration_type column as "pat", causing a data inconsistency. Now the OAuth callback also sets integration_type: 'oauth' on update.
• Removed the self_rotate scope from project access token creation. Token rotation already uses the user's OAuth/PAT token (not the project token itself), so self_rotate is unnecessary. It also causes "scopes does not have a valid value" errors on self-hosted GitLab instances running versions older than 16.6 (when that scope was introduced).

Verification

• pnpm typecheck — all packages pass
• prettier --check — all files pass
• eslint — all packages pass
• Pre-push hooks (format, lint, typecheck) — all pass

Visual Changes

N/A

Reviewer Notes

• The integration_type column is not currently read for GitLab runtime logic (all code reads metadata.auth_type), so the mismatch didn't cause functional breakage — but it's semantically wrong and could confuse DB queries or admin tools.
• The self_rotate scope removal is safe because rotateProjectAccessToken() in adapter.ts authenticates with the user's token (Authorization: Bearer ${accessToken}), not the project access token. The scope was only needed if the project token were rotating itself.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (3 files)

• src/app/api/integrations/gitlab/callback/route.ts
• src/lib/integrations/gitlab-service.ts
• src/lib/integrations/platforms/gitlab/adapter.ts

---

_{Reviewed by gpt-5.4-20260305 · 778,118 tokens}