feat: secret reference dependency tracking #5374

Merged: varonix0 merged 5 commits into main from daniel/ref-dep-tracking on Feb 6, 2026

varonix0 (Member) commented Feb 5, 2026

Context

Added secret reference dependency tracking and revamped the secret reference tree UI.

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

maidul98 (Collaborator) commented Feb 5, 2026

Snyk checks have passed. No issues have been found so far.

Scanner: Open Source Security. Critical: 0, High: 0, Medium: 0, Low: 0, Total: 0 issues.

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

greptile-apps bot (Contributor) commented Feb 5, 2026

Greptile Overview

Greptile Summary

This PR enhances secret reference tracking by introducing a dependency tree visualization and revamping the UI. The backend now builds a recursive tree structure showing which secrets depend on a given secret, while the frontend uses the react-complex-tree library for better visualization.

Key Changes:

  • Backend: Renamed endpoint from /:secretName/secret-references to /:secretName/reference-dependency-tree with completely restructured response (tree instead of flat array)
  • Backend: New recursive buildDependencyTree function that traverses dependencies up to MAX_DEPTH of 10
  • Frontend: Replaced custom tree UI with react-complex-tree library
  • Frontend: Added new "Dependency Tree" section showing reverse dependencies (secrets that reference this secret)
  • Frontend: Updated all components to work with tree structure instead of flat reference arrays

Critical Issues:

  • Breaking API changes without versioning - both URL and response schema changed, affecting Terraform/API users
  • Performance concern - decrypting all secrets in a folder to find local references could cause DoS with large folders
  • API documentation needs updating to reflect the endpoint changes

Confidence Score: 2/5

  • This PR contains breaking API changes without versioning and potential performance/DoS vulnerabilities
  • Score of 2 reflects critical concerns: (1) Breaking changes to public API without versioning will break existing integrations, (2) Performance vulnerability where decrypting all secrets in a folder could enable DoS attacks, (3) Missing API documentation updates. The feature implementation itself is sound, but the breaking changes and security concerns need to be addressed before merge.
  • Pay close attention to backend/src/server/routes/v4/secret-router.ts for breaking API changes and backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts for performance optimization

Important Files Changed

  • backend/src/server/routes/v4/secret-router.ts: Breaking API changes: URL renamed and response structure completely changed without versioning
  • backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts: Renamed function to getSecretReferenceDependencyTree with new recursive tree-building logic; potential performance and DoS concerns with unoptimized secret decryption in loops
  • frontend/src/components/secrets/SecretReferenceDetails/SecretReferenceDetails.tsx: Replaced custom tree UI with react-complex-tree library; added new SecretDependencyTree component showing reverse dependencies; improved tree visualization with better UX
  • frontend/src/hooks/api/secrets/queries.tsx: Updated fetchSecretReferences to call new endpoint URL and expect tree structure response instead of flat array
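
A depth-capped reverse-dependency walk of the kind the summary above describes, as an added example that is not the PR's or the project's own code. Only the depth cap of 10 comes from the page; the `referencedBy` map, the `MAX_NODES` work budget and the `circular`/`truncated` flags are assumptions introduced here to show how traversal cost stays bounded.

```typescript
// Added example, not the project's buildDependencyTree. Every name except MAX_DEPTH is hypothetical.
type DepNode = { key: string; children: DepNode[]; circular?: boolean; truncated?: boolean };

const MAX_DEPTH = 10;  // depth cap named in the review summary
const MAX_NODES = 500; // assumed per-request work budget (not from the page)

// referencedBy maps a secret key to the keys of the secrets whose values reference it.
function buildDependencyTree(
  rootKey: string,
  referencedBy: Map<string, string[]>,
  maxDepth: number = MAX_DEPTH,
  maxNodes: number = MAX_NODES
): { tree: DepNode; visited: number } {
  let visited = 0;
  const walk = (key: string, depth: number, path: Set<string>): DepNode => {
    visited += 1;
    const node: DepNode = { key, children: [] };
    if (path.has(key)) {
      node.circular = true; // A -> B -> A: mark and stop instead of recursing again
      return node;
    }
    const dependents = referencedBy.get(key) ?? [];
    if (dependents.length === 0) return node;
    if (depth >= maxDepth) {
      node.truncated = true; // deeper dependents exist but are not expanded
      return node;
    }
    path.add(key);
    for (const dep of dependents) {
      if (visited >= maxNodes) { node.truncated = true; break; } // budget exhausted
      node.children.push(walk(dep, depth + 1, path));
    }
    path.delete(key); // the same secret may still appear on a sibling branch
    return node;
  };
  return { tree: walk(rootKey, 0, new Set<string>()), visited };
}

// Constructed sample: DB_URL is referenced by API_URL and WORKER_URL; API_URL and DB_URL form a cycle.
const sample = new Map<string, string[]>([
  ["DB_URL", ["API_URL", "WORKER_URL"]],
  ["API_URL", ["DB_URL"]],
]);
console.log(JSON.stringify(buildDependencyTree("DB_URL", sample).tree, null, 2));
```

A depth cap alone bounds recursion but not fan-out, which is why the sketch also counts visited nodes and flags where the tree was cut.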

greptile-apps bot (Contributor) left a comment

4 files reviewed, 5 comments

greptile-apps bot (Contributor) commented Feb 5, 2026

Additional Comments (2)

backend/src/server/routes/v4/secret-router.ts
⚠️ Breaking API Change Detected

Renaming the endpoint URL from /:secretName/secret-references to /:secretName/reference-dependency-tree is a breaking change that will impact existing API consumers, including Terraform and Crossplane providers.

Impact: Any external tools or scripts calling the old endpoint will break.

Recommendation: Consider keeping the old endpoint as a deprecated alias that redirects to the new one, or clearly document this as a breaking change in release notes.


backend/src/server/routes/v4/secret-router.ts
⚠️ Breaking API Change Detected

The response schema has been completely restructured from:

{ references: Array<...>, totalCount: number }

to:

{ tree: SecretReferenceNodeTree }

Impact: This is a breaking change that will break all existing API consumers expecting the old response format.

Recommendation: Version this endpoint (e.g., /v5/secrets/...) or maintain backward compatibility by supporting both response formats.

@varonix0 varonix0 merged commit ed20205 into main Feb 6, 2026
10 of 12 checks passed