
feat: dbt app connection & service token secret rotation#5307

Merged: varonix0 merged 14 commits into main from daniel/dbt-rotation on Feb 3, 2026

Conversation

@varonix0
Member

Context

App connection and secret rotation for https://www.getdbt.com

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

@varonix0 varonix0 changed the title feat: DBT app connection & service token secret rotation feat: dbt app connection & service token secret rotation Jan 28, 2026
@maidul98
Collaborator

maidul98 commented Jan 28, 2026

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues


@varonix0
Member Author

@greptile review this

@greptile-apps
Contributor

greptile-apps bot commented Jan 28, 2026

Greptile Overview

Greptile Summary

Adds dbt Cloud app connection and service token rotation capabilities. The implementation includes:

  • App Connection: Allows users to configure dbt Cloud connections using API tokens with instance URL, account ID, and API token validation
  • Secret Rotation: Implements automated rotation of dbt service tokens with configurable permission grants at the account or project level
  • Security: Properly validates and sanitizes URLs to prevent SSRF attacks via blockLocalAndPrivateIpAddresses, uses zod schemas for input validation
  • API: RESTful endpoints with JWT authentication and rate limiting
  • Documentation: Includes comprehensive docs for both app connections and secret rotation

The feature enables users to securely manage dbt Cloud credentials and automate token rotation with fine-grained permissions.

Confidence Score: 5/5

  • Safe to merge with minimal risk - solid implementation with proper security controls
  • Implementation follows security best practices: SSRF protection via blockLocalAndPrivateIpAddresses, proper input validation with zod schemas, no regex vulnerabilities, no SQL joins, comprehensive error handling, and complete documentation
  • No files require special attention

Important Files Changed

Filename: Overview

  • backend/src/services/app-connection/dbt/dbt-connection-fns.ts: Adds dbt connection validation with proper URL sanitization and SSRF protection
  • backend/src/ee/services/secret-rotation-v2/dbt-service-token/dbt-service-token-rotation-fns.ts: Implements token rotation logic with proper credential cleanup and error handling
  • backend/src/services/app-connection/dbt/dbt-connection-schemas.ts: Defines zod validation schemas for dbt connection with proper input constraints
  • backend/src/server/routes/v1/app-connection-routers/dbt-connection-router.ts: REST endpoints for dbt connections with JWT auth and rate limiting
  • backend/src/ee/services/secret-rotation-v2/dbt-service-token/dbt-service-token-rotation-schemas.ts: Zod schemas for dbt service token rotation parameters and validation


@greptile-apps greptile-apps bot left a comment


5 files reviewed, 1 comment

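The Greptile summary above credits the dbt instance-URL handling with SSRF protection via blockLocalAndPrivateIpAddresses. The block below is an added illustration of that class of check, not Infisical's or dbt's code: it assumes a hypothetical validateDbtInstanceUrl helper that rejects non-HTTPS schemes, embedded credentials, localhost names, and loopback, link-local and private address literals before any outbound request is made. It deliberately does not resolve hostnames, so a production guard must additionally check the addresses DNS returns.

```typescript
// Added example, not the project's own code. Hypothetical guard for a
// user-supplied dbt instance URL, to be run before the server contacts it.
import { isIP } from "node:net";

export type UrlCheck = { ok: true; origin: string } | { ok: false; reason: string };

// Hostnames that always resolve to the server itself.
const LOCAL_HOSTNAMES = new Set(["localhost", "localhost.localdomain"]);

function isPrivateIPv4(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  return (
    a === 0 ||                            // "this" network
    a === 10 ||                           // 10.0.0.0/8
    a === 127 ||                          // loopback
    (a === 169 && b === 254) ||           // link-local
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
    (a === 192 && b === 168)              // 192.168.0.0/16
  );
}

function isPrivateIPv6(ip: string): boolean {
  const lower = ip.toLowerCase();
  return (
    lower === "::1" || lower === "::" ||  // loopback, unspecified
    lower.startsWith("fe80:") ||          // link-local
    lower.startsWith("fc") || lower.startsWith("fd") || // unique local (fc00::/7)
    lower.startsWith("::ffff:")           // IPv4-mapped: reject outright, conservatively
  );
}

export function validateDbtInstanceUrl(raw: string): UrlCheck {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "malformed URL" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme must be https" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // The WHATWG parser lowercases hostnames and normalizes numeric forms such as
  // "2130706433" to "127.0.0.1", so checking the parsed hostname covers those.
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (LOCAL_HOSTNAMES.has(host)) return { ok: false, reason: "local hostname" };
  const family = isIP(host);
  if (family === 4 && isPrivateIPv4(host)) return { ok: false, reason: "private IPv4" };
  if (family === 6 && isPrivateIPv6(host)) return { ok: false, reason: "private IPv6" };
  return { ok: true, origin: url.origin };
}
```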

Co-authored-by: Victor Hugo dos Santos <115753265+victorvhs017@users.noreply.github.com>

@victorvhs017 victorvhs017 left a comment


All tested and looking good!

@varonix0 varonix0 merged commit 22ea87e into main Feb 3, 2026
5 of 13 checks passed

3 participants