feat: revamped event architecture

[akhilmhdh]

Context

This PR revamps the project event architecture. It makes various part of the project events modular. Most of the external parts stays same and only internal improvements.

I have also revamped the documentation to be more aligned with the permission model than the old one.

Screenshots

Steps to verify the change

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Read the contributing guide

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR refactors the project event architecture to be more modular and scalable. It introduces a new event bus system using Redis pub/sub for inter-container communication with a local memory bus for single-container delivery, replacing the old event service. The SSE (Server-Sent Events) implementation has been completely rewritten with improved permission caching, rate limiting via Redis keystore, and better resource cleanup.

Key Changes:

• New event bus architecture with Redis pub/sub for cross-container communication and memory bus for local delivery
• Refactored SSE service with periodic permission refresh (60s), connection rate limiting (100 per project), and improved cleanup
• Unified event payload structure using discriminated unions with type field and secretKeys arrays
• Added Redis list operations to keystore for connection tracking and rate limiting
• Updated documentation to align with permission model using "Secret Events" subject
• Simplified event router by moving complex logic into dedicated SSE service

Issues Found:

• Event payload construction in secret-approval-request-service.ts uses incorrect field names (secretKey vs secretKeys)
• Mock keystore listRange implementation has off-by-one error compared to Redis behavior
• Comment inconsistency for PING_INTERVAL value

Confidence Score: 4/5

• This PR is safe to merge after fixing the critical event payload bug
• The architectural refactoring is well-designed with proper error handling, cleanup, and security measures. However, there's a critical bug in secret-approval-request-service.ts where event payloads use secretKey (singular string) instead of secretKeys (array), which will cause runtime errors. The mock test implementation also has a logic error that could affect test reliability.
• Pay close attention to backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts (critical syntax error) and backend/e2e-test/mocks/keystore.ts (logic error in listRange)

Important Files Changed

Filename	Overview
backend/src/ee/services/event-bus/event-bus-service.ts	New event bus service for inter-container communication using Redis pub/sub with memory bus for local delivery
backend/src/ee/services/project-events/project-events-sse-service.ts	SSE service for streaming project events to clients with permission validation and rate limiting
backend/src/keystore/keystore.ts	Added Redis list operations for SSE connection tracking and rate limiting
backend/src/server/routes/v1/event-router.ts	Simplified event subscription endpoint using new SSE service
backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts	Updated to use new event payload structure with type and secretKeys array
backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts	Refactored event publishing to use new discriminated union types

[greptile-apps]

_{4 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}

[varonix0]

After building the backend, I am faced with this error. Seems like a translation issue during the build step. This is also why the breaking changes check is failing

[varonix0]

I don't think this is intentional:

"data": {
        "eventType": "secret:create",
        "payload": [
            {
                "environment": "dev",
                "secretPath": "/",
                "secretKeys": "SECRET_KEY1"
            },
            {
                "environment": "dev",
                "secretPath": "/",
                "secretKeys": "SECRET_KEY2"
            }
        ]
    }

I batch-created secrets via. the UI, and the payload split the secret keys into two different objects; shouldn't secretKeys always be an array (even if its only one key)? secretKeys implies its an array

[varonix0]

This seems dangerous:

{
    "type": "secret-manager",
    "data": {
        "eventType": "secret:create",
        "payload": [
            {
                "environment": "dev",
                "secretPath": "/test",
                "secretKeys": "TEST_KEY"
            }
        ]
    }
}

I am only subscribed to the / secret path, but I am also getting events from folders. This should only be the case if I use a path like /**

[varonix0]

    "type": "secret-manager",

In the response, can we please call this projectType? type is too ambigious