feat(secret-sync): support for vault KV engine v1

[varonix0]

Context

This PR adds support for vault's kv engine v1 (previously only v2 was supported). No changes made to the secret sync API and the vault engine version is determined during runtime.

Steps to verify the change

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Read the contributing guide

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR adds support for HashiCorp Vault KV engine version 1, expanding on the existing v2-only support. The implementation automatically detects the KV version at runtime by querying the /v1/sys/mounts endpoint and then uses version-specific API paths and data structures.

Key Changes:

• Added KvVersion enum (V1 = "1", V2 = "2") for type safety
• Implemented getKvMountVersion() function to detect KV version dynamically by inspecting mount options
• Updated API paths: KV v2 uses /data/ in the path (e.g., mount/data/path), KV v1 does not (e.g., mount/path)
• Adjusted payload structure: KV v2 wraps data in { data: { ... } }, KV v1 sends data directly
• Updated response parsing: KV v2 has nested structure (data.data.data), KV v1 is one level shallower (data.data)
• Modified mount filtering to include both v1 and v2 engines
• Updated frontend tooltip to reflect support for both versions

Architecture:
The change maintains backward compatibility - existing KV v2 integrations continue to work unchanged. The version detection happens transparently at sync time, making this a non-breaking enhancement. The implementation correctly handles the structural differences between v1 and v2 APIs across all three main operations: syncSecrets, removeSecrets, and getSecrets.

Confidence Score: 4/5

• This PR is safe to merge with only minor style improvements needed
• The implementation correctly handles the differences between KV v1 and v2 APIs with proper path construction, data nesting, and response parsing. The runtime version detection approach is sound and maintains backward compatibility. One outdated comment was found but this is a minor style issue that doesn't affect functionality.
• All files are well-implemented. The comment in hc-vault-connection-service.ts:27 should be updated to reflect that both v1 and v2 are now supported.

Important Files Changed

Filename	Overview
backend/src/services/external-migration/external-migration-types.ts	Added KvVersion enum to define Vault KV engine versions (V1="1", V2="2"). Clean addition with no issues.
backend/src/services/app-connection/hc-vault/hc-vault-connection-service.ts	Updated mount filtering to include both KV v1 and v2 mounts. Uses proper enum constants. Implementation is correct.
frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/HCVaultSyncFields.tsx	Updated tooltip text to reflect support for both KV v1 and v2. Documentation change is accurate.
backend/src/services/secret-sync/hc-vault/hc-vault-sync-fns.ts	Implements KV v1 support by detecting mount version at runtime and using version-specific API paths. Uses correct data nesting for each version. Found one potential improvement regarding error handling.

[greptile-apps]

_{7 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[scott-ray-wilson]

LGTM, confirmed delete, sync and import behavior