feat: v4 secrets router refactor

[varonix0]

Context

Larger changes to the V4 secrets router. The user now explictly has to request for personal secrets to be included in the request. The user needs to pass includePersonalOverrides=true when doing the request for personal secrets to be fetched. Additionally, this now functions with a priority mechanism which means duplicate shared / personal secrets will no longer be returned. If there is a personal secret, the personal secret will take priority and the shared secret will be stripped out of the response. Personal secrets now also support referencing other personal secrets.

Other changes to the v4 rotuer:

• expandSecretReferences now default to true, and we will always attempt to expand secret references by default.
• include_imports renamed to includeImports, and now defaults to true.

What this means for the v3 router
The V3 router will continue to work as before by including both personal and shared secrets in the response, with no way to configure the behavior.

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Read the contributing guide

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR refactors the V4 secrets router to provide explicit control over personal secret overrides through a new includePersonalOverrides parameter. When enabled, personal secrets take priority over shared secrets with the same key, eliminating duplicates in the response. The implementation also enables personal secrets to reference other personal secrets.

Key Changes:

• Added includePersonalOverrides parameter (defaults to false) - when true, personal secrets replace their corresponding shared secrets using a Map-based deduplication strategy
• Changed expandSecretReferences default to true - secret references will now always be expanded by default
• Renamed include_imports to includeImports with default true (camelCase consistency)
• V3 router and V1 dashboard routes explicitly use PersonalOverridesBehavior.IncludeAll to maintain backward compatibility
• Personal secret reference expansion now supported via userId parameter threading

Backward Compatibility:
The v3 router and v1 dashboard endpoints have been updated to use PersonalOverridesBehavior.IncludeAll, preserving existing behavior of returning both personal and shared secrets.

Confidence Score: 4/5

• Safe to merge with minor style suggestions
• The implementation is well-structured with proper permission checks, backward compatibility for v1/v3 routes, and comprehensive test coverage. The Map-based deduplication logic is sound, and OR queries are properly wrapped. Two minor style suggestions around code clarity.
• Pay closer attention to backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts for the deduplication logic and backend/src/server/routes/v4/secret-router.ts for the hardcoded expandPersonalOverrides behavior

Important Files Changed

Filename	Overview
backend/src/server/routes/v4/secret-router.ts	Adds includePersonalOverrides parameter and updates defaults for expandSecretReferences and includeImports to true. Removes deprecated include_imports parameter.
backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts	Implements priority-based deduplication of personal/shared secrets using Map. Adds logic to filter secrets based on PersonalOverridesBehavior enum.
backend/src/services/secret-v2-bridge/secret-reference-fns.ts	Adds userId parameter to support personal secret override resolution when expanding secret references. Personal secrets take precedence in the reduce logic.
backend/e2e-test/routes/v4/secrets.spec.ts	Updates test helper function to accept includeImports parameter and passes false explicitly to all test assertions to maintain existing behavior.

[greptile-apps]

_{7 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (1)

backend/src/services/secret-v2-bridge/secret-reference-fns.ts
Native regex used here

This file already uses re2 for interpolation, but formatMultiValueEnv introduces native regex usage via val.match("\n"). This violates the repo rule to avoid native regex (Regex DDoS prevention) and should be replaced with a non-regex check (e.g. val.includes("\n")) or an RE2-based call.

Also consider RE2 equivalents for other string/regex operations in this file if they are regex-driven.

[varonix0]

@greptile i've made some larger changes since your last review. review this PR thoroughly.

some notes:
we are okay with changing the default behavior of expandSecretReferences to true in the v4 secret router. we are also okay with renaming include_imports to includeImports, and making it default to true.

[greptile-apps]

_{9 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (1)

backend/src/services/secret-v2-bridge/secret-reference-fns.ts
Using native string .match() without re2 package violates the ReDoS prevention rule.

  if (!val.includes("\n")) return val;

[varonix0]

@greptile update your summary with my comments to your previous comments in mind

[greptile-apps]

_{10 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[akhilmhdh]

As sir @varonix0 ordered