fix(tools): scope builtin tool default-credential clear to tenant

[GareArc]

Summary

• Fixes a bug where two workspace members each setting their own credential as default for the same builtin tool provider left both rows with is_default=True for the same (tenant_id, provider).
• The clear-default UPDATE in BuiltinToolManageService.set_default_provider was filtered by user_id, so it only reset the caller's own defaults. The consumer (get_builtin_provider) is tenant-scoped and breaks ties via created_at, producing user-visible inconsistencies (UI shows credential B as default while runtime uses credential A).
• Drops user_id from the clear filter, mirroring DatasourceProviderService.set_default_datasource_provider. The is_default flag is now correctly tenant-scoped (one default per provider per workspace).

Reproduction

1. Member A in workspace W creates cred1 (provider P), sets it as default
2. Member B in workspace W creates cred2 (provider P), sets it as default
3. Both rows now have is_default=True — DB has two defaults for the same (tenant_id, provider)

Reproduced on production and on console-platform.dify.dev.

Test plan

• Unit test added: TestSetDefaultProvider::test_clear_default_is_tenant_scoped_not_user_scoped — asserts the compiled UPDATE WHERE clause contains tenant_id/provider but not user_id. Verified failing on pre-fix code, passing on fixed code.
• Existing TestSetDefaultProvider tests still pass.
• Manual reproduction on staging once merged.

Notes

• Pre-existing TOCTOU race between concurrent transactions remains (two callers for the same tenant could still produce two is_default=True rows in a narrow window). A partial unique index UNIQUE (tenant_id, provider) WHERE is_default would close this — out of scope here, flagging for follow-up.
• Equivalent fix backported to lts/1.13.x in a separate PR.
• user_id parameter retained on set_default_provider signature: still passed by the controller via kwargs and may be used by EE callers; removing it would be a breaking change for kwarg callers.

[github-actions]

Pyrefly Type Coverage

Metric	Base	PR	Delta
Type coverage	0.00%	41.39%	+41.39%
Strict coverage	0.00%	40.91%	+40.91%
Typed symbols	0	20,728	+20,728
Untyped symbols	0	29,697	+29,697
Modules	0	2536	+2,536

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.81%. Comparing base (1b0d463) to head (2c6d90b).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #35887      +/-   ##
==========================================
+ Coverage   85.80%   85.81%   +0.01%     
==========================================
  Files        4456     4462       +6     
  Lines      208899   208769     -130     
  Branches    39075    38961     -114     
==========================================
- Hits       179242   179159      -83     
+ Misses      26482    26434      -48     
- Partials     3175     3176       +1     

Flag	Coverage Δ
api	85.11% <100.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.