fix: remove secret cache (breaks rotation) + fix deploy script trap overwrite

Address PR #31 review feedback:

1. Remove secretCache from get-secret.ts
   - Caching versions/latest forever prevents secret rotation from taking
     effect on warm Cloud Run instances (🔴 critical regression per review)
   - The singleton SecretManagerServiceClient alone fixes the gRPC leak;
     per-request round-trips to Secret Manager are acceptable
   - Added explicit comment explaining why we don't cache

2. Fix EXIT trap overwrite in deploy-quicknode-filter.sh
   - Per-call 'trap rm EXIT' in deploy_webhook() overwrote the previous
     trap on repeated calls, leaking the first temp file
   - Replace with global TMP_FILES array + single script-level EXIT trap
     (same fix proposed by Cursor Bugbot)

Author: gisk0

bin/deploy-quicknode-filter.sh

@@ -33,6 +33,17 @@ GOVERNOR_WEBHOOK_ID="73a99141-e8cb-411a-9732-c42a031cebe6"
 
 QN_API_BASE="https://api.quicknode.com/webhooks/rest/v1/webhooks"
 
+# Global array to track temp files created by deploy_webhook invocations.
+# A single EXIT trap at script level cleans them all up, avoiding the problem
+# of per-call traps overwriting the previous trap registration.
+TMP_FILES=()
+cleanup_temp_files() {
+	if ((${#TMP_FILES[@]} > 0)); then
+		rm -f "${TMP_FILES[@]}"
+	fi
+}
+trap cleanup_temp_files EXIT
+
 # ------------------------------------------------------------------------------
 log() { printf '\n\033[1m%s\033[0m\n' "$*"; }
 success() { printf '✅ %s\n' "$*"; }
@@ -96,9 +107,7 @@ deploy_webhook() {
 	# The internal template ID for PATCH is "evmAbiFilterGo" (evmAbiFilter is the display name).
 	local payload_file
 	payload_file=$(mktemp /tmp/qn_payload.XXXXXX.json)
-	# Ensure temp file is always cleaned up, even on SIGINT/SIGTERM
-	# shellcheck disable=SC2064
-	trap "rm -f '${payload_file}'" EXIT
+	TMP_FILES+=("${payload_file}")
 
 	# Build templateArgs payload: abiJson must be a raw JSON string (not a parsed object).
 	# Use env vars to avoid shell quoting issues with large ABI strings.

src/utils/get-secret.ts

@@ -4,24 +4,19 @@ import config from "../config.js";
 /**
  * Singleton gRPC client — creating a new SecretManagerServiceClient per request
  * leaks gRPC channels and causes memory growth (~488 MiB OOM within 30 min).
+ * One client is created at module load time and reused for all requests.
+ *
+ * Note: we intentionally do NOT cache secret values here. Caching `versions/latest`
+ * would break secret rotation — rotated credentials would not take effect until Cloud
+ * Run recycles the instance. The singleton client alone eliminates the gRPC leak.
  */
 const secretManager = new SecretManagerServiceClient();
 
 /**
- * In-memory cache for secrets. Secrets don't change during an instance's lifetime,
- * so we can safely cache them and avoid repeated Secret Manager round-trips.
- */
-const secretCache = new Map<string, string>();
-
-/**
- * Load a secret from Secret Manager (cached per instance lifetime)
+ * Load a secret from Secret Manager.
+ * Uses a singleton gRPC client to prevent channel leaks on warm instances.
  */
 export default async function getSecret(secretId: string): Promise<string> {
-  const cached = secretCache.get(secretId);
-  if (cached) {
-    return cached;
-  }
-
   try {
     const secretFullResourceName = `projects/${config.GCP_PROJECT_ID}/secrets/${secretId}/versions/latest`;
     const [version] = await secretManager.accessSecretVersion({
@@ -36,7 +31,6 @@ export default async function getSecret(secretId: string): Promise<string> {
       );
     }
 
-    secretCache.set(secretId, secret);
     return secret;
   } catch (error) {
     console.error(