feat(secret-rotation): add OpenRouter API key rotation support #5299

Merged
IgorHorta merged 13 commits into main from igor/secrets-71-create-secret-rotation-for-openrouter-api-keys
Jan 29, 2026

@IgorHorta IgorHorta commented Jan 28, 2026

Context

This PR implements OpenRouter API Key secret rotation support for Infisical. It includes:

Phase 1 - App Connection:

  • New OpenRouter App Connection that allows users to store their OpenRouter Provisioning API key
  • Connection validation by testing the API key against OpenRouter's API
  • Full frontend UI for creating and managing OpenRouter connections

Phase 2 - Secret Rotation:

  • New OpenRouter API Key rotation that automatically creates and rotates API keys
  • Dual-credential rotation strategy for zero-downtime key rotation
  • Configurable parameters:
    • Key Name (required): Name for the generated API key
    • Credit Limit (optional): Maximum credit limit for the key (leave blank for unlimited)
    • Limit Reset (optional): Reset period for the limit (daily, weekly, monthly)

The rotation follows the existing Secret Rotation V2 architecture:

  • issueCredentials: Creates initial API key via OpenRouter Provisioning API
  • rotateCredentials: Creates new key, updates secrets, then deletes the old inactive key
  • revokeCredentials: Deletes all generated keys when rotation is removed

Related: SECRETS-71

Steps to verify the change

App Connection Tests

  • Navigate to Organization Settings > App Connections
  • Click "Add Connection" and select "OpenRouter"
  • Enter a valid OpenRouter Provisioning API key
  • Verify connection is created successfully
  • Verify connection validation fails with an invalid API key
  • Verify connection can be edited and deleted

Secret Rotation Tests

  • Navigate to a project's Secrets page
  • Click "Secret Rotation" > "Create Rotation"
  • Select "OpenRouter API Key" rotation type
  • Select an existing OpenRouter connection
  • Configure rotation parameters:
    • Test with only key name (required)
    • Test with key name + credit limit
    • Test with key name + credit limit + limit reset (daily/weekly/monthly)
    • Test with key name + no limit (verify "unlimited" behavior)
  • Configure secret mapping (e.g., OPEN_ROUTER_API_KEY)
  • Create rotation and verify initial credentials are generated
  • Verify the secret is created in the target environment/path
  • Trigger manual rotation and verify:
    • New API key is created
    • Secret is updated with the new key
    • Old key is deleted on subsequent rotation (dual-credential behavior)
  • Delete the rotation and verify:
    • All generated API keys are revoked from OpenRouter
    • Secret mapping is cleaned up

Edge Cases

  • Verify rotation handles OpenRouter API errors gracefully
  • Verify rotation works with scheduled intervals (5min, 1hr, etc.)
  • Verify "View Generated Credentials" modal displays correctly
  • Verify rotation review step shows all configured parameters

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide
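
The dual-credential lifecycle described above (issueCredentials, rotateCredentials, revokeCredentials), as an added example that is not code from this PR or from Infisical. `FakeProvisioningApi`, the two-slot `RotationState` shape and the key values are constructed stand-ins, not OpenRouter's real API.

```typescript
// Added illustration. FakeProvisioningApi is a constructed in-memory stand-in;
// it is not OpenRouter's API and not Infisical's implementation.
type IssuedKey = { id: string; value: string };
type RotationState = { credentials: (IssuedKey | undefined)[]; activeIndex: number };
type Secrets = Map<string, string>;

class FakeProvisioningApi {
  private seq = 0;
  readonly live = new Map<string, string>(); // key id -> value still valid upstream
  failNextCreate = false; // lets the caller simulate a provider outage

  createKey(name: string): IssuedKey {
    if (this.failNextCreate) {
      this.failNextCreate = false;
      throw new Error("simulated provider error");
    }
    this.seq += 1;
    const issued = { id: `id-${this.seq}`, value: `constructed-${name}-${this.seq}` };
    this.live.set(issued.id, issued.value);
    return issued;
  }

  deleteKey(id: string): void {
    this.live.delete(id);
  }
}

function issueCredentials(api: FakeProvisioningApi, name: string, secrets: Secrets, secretName: string): RotationState {
  const first = api.createKey(name);
  secrets.set(secretName, first.value);
  return { credentials: [first, undefined], activeIndex: 0 };
}

function rotateCredentials(api: FakeProvisioningApi, name: string, state: RotationState, secrets: Secrets, secretName: string): RotationState {
  const inactiveIndex = (state.activeIndex + 1) % 2;
  const stale = state.credentials[inactiveIndex];
  // Create first: if this throws, the stored secret and both live keys are untouched.
  const fresh = api.createKey(name);
  secrets.set(secretName, fresh.value);
  // Delete only the older, inactive key. The key that was active until now stays
  // valid, so consumers still holding it keep working until the next rotation.
  if (stale) api.deleteKey(stale.id);
  const credentials = [...state.credentials];
  credentials[inactiveIndex] = fresh;
  return { credentials, activeIndex: inactiveIndex };
}

function revokeCredentials(api: FakeProvisioningApi, state: RotationState): void {
  for (const cred of state.credentials) if (cred) api.deleteKey(cred.id);
}
```

At most two keys are live at any time, and a failed create leaves the mapped secret pointing at a key that still works.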

Add OpenRouter as a new App Connection type to enable integration with
OpenRouter's Provisioning API for managing API keys.

Backend:
- Add OpenRouter connection enums, schemas, types, and functions
- Register OpenRouter connection router and validation
- Add API docs for OpenRouter credentials

Frontend:
- Add OpenRouter to AppConnection enum and types
- Create OpenRouterConnectionForm component
- Add OpenRouter to APP_CONNECTION_MAP with logo
- Register form in AppConnectionForm switch statements

maidul98 commented Jan 28, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |


@IgorHorta IgorHorta changed the title from "Igor/secrets 71 create secret rotation for openrouter api keys" to "feat(secret-rotation): add OpenRouter API key rotation support" Jan 28, 2026
@IgorHorta IgorHorta marked this pull request as ready for review January 28, 2026 18:34

greptile-apps bot commented Jan 28, 2026

Greptile Overview

Greptile Summary

This PR adds OpenRouter API key rotation support following the existing Secret Rotation V2 architecture. The implementation includes:

App Connection (Phase 1):

  • New OpenRouter app connection type with API key authentication method
  • Connection validation by testing against OpenRouter's /keys endpoint
  • Frontend form with SecretInput component for secure credential entry

Secret Rotation (Phase 2):

  • Dual-credential rotation strategy for zero-downtime key rotation
  • Configurable parameters: key name (required), credit limit (optional), and limit reset period (optional)
  • Standard rotation lifecycle: issueCredentials, rotateCredentials, revokeCredentials
  • Proper error handling with OpenRouter-specific error message extraction

Key Changes:

  • Backend integration into rotation factory maps and service layer
  • Frontend forms and schemas for both connection and rotation configuration
  • API documentation constants for new endpoints

Issues Found:

  • Connection validation could be more robust by inspecting response body content
  • No user-facing documentation added for the feature (per Rule 5)

Confidence Score: 4/5

  • This PR is safe to merge with minor improvements recommended
  • Implementation follows established patterns from other rotation providers. Code quality is good with proper error handling, validation, and TypeScript typing. One logic issue with connection validation identified that should be addressed.
  • backend/src/services/app-connection/open-router/open-router-connection-fns.ts - validation logic needs improvement

Important Files Changed

| Filename | Overview |
| backend/src/ee/services/secret-rotation-v2/open-router-api-key/open-router-api-key-rotation-fns.ts | Implements OpenRouter API key rotation with proper error handling and dual-credential rotation strategy |
| backend/src/services/app-connection/open-router/open-router-connection-fns.ts | Validates OpenRouter connection by testing API key against OpenRouter API |
| backend/src/ee/services/secret-rotation-v2/open-router-api-key/open-router-api-key-rotation-schemas.ts | Defines Zod schemas for OpenRouter API key rotation parameters and validation |
| frontend/src/components/secret-rotations-v2/forms/SecretRotationV2ParametersFields/OpenRouterApiKeyRotationParametersFields.tsx | Form fields for configuring OpenRouter API key rotation parameters (name, credit limit, limit reset) |

@greptile-apps greptile-apps bot left a comment

4 files reviewed, 2 comments


gitguardian bot commented Jan 28, 2026

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
| 22340054 | Triggered | Generic Password | cc18668 | frontend/src/pages/cert-manager/CertificateDetailsByIDPage/CertificateDetailsByIDPage.tsx |
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@IgorHorta
Contributor Author

I think it is saying this because it thought part of the docs was talking about secrets? 🤔

@victorvhs017 victorvhs017 left a comment

We are missing the API Reference docs for Open Router App Connection and Secret Rotation:

@victorvhs017 victorvhs017 left a comment

Missing a space in the error message.

@IgorHorta
Contributor Author

Missing a space in the error message.

This actually comes from router... we could fix it by normalizing... but I don't think it's a good idea since they could fix it?

@maidul98 maidul98 dismissed victorvhs017’s stale review January 29, 2026 01:22

Taking over review

@IgorHorta IgorHorta merged commit 3fa5771 into main Jan 29, 2026
12 of 13 checks passed