fix(vault-migration): handle soft deleted secrets

[varonix0]

Context

Vault KV v2 supports soft deleting secrets (v1 does not, hence no changes to how we handle v1 secrets). Vault will return a deletion_timestamp when querying for deleted secrets and throw a 404 error. The 404 error was treated as a failure and caused the whole migration to fail if there were any soft-deleted secrets.

You can try soft deleting a secret using the Vault CLI:

vault kv delete -mount=<kv-name> <secret-path-to-soft-delete>

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Read the contributing guide

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR adds proper handling for soft-deleted secrets in Vault KV v2 migrations. When Vault returns a 404 error for soft-deleted secrets (which include deletion_time metadata), the migration now logs and skips these secrets instead of failing the entire migration.

Key Changes:

• Modified getSecrets to return null for soft-deleted secrets instead of throwing errors
• Added type annotation allowing data field to be null in KV v2 response (line 124)
• Added null check before pushing data to allData array (lines 271-278)
• Logs skipped soft-deleted secrets with secretPath and deletion_time

Issues Found:

• Type assertion on line 136 is unsafe and could cause runtime errors if Vault returns a different error format

Confidence Score: 4/5

• This PR is safe to merge with one logical issue that should be addressed
• The implementation correctly handles the soft-delete use case and prevents migration failures. However, the unsafe type assertion on line 136 could cause runtime errors if Vault's error response format differs from expectations. The rest of the logic is sound with proper null checks and logging.
• Pay attention to backend/src/services/external-migration/external-migration-fns/vault.ts line 136 - the type assertion needs safer handling

Important Files Changed

Filename	Overview
backend/src/services/external-migration/external-migration-fns/vault.ts	Adds soft-deleted secret handling for Vault KV v2 migrations with proper null checks and logging

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}