feat(vault): reusable gateway

[varonix0]

Context

Added reusable gateway for vault-specific requests. You can now pass pre-created gateway credentials when doing vault requests, and it will use those instead of getting new ones. This was done to resolve an issue with the in-platform vault migration tooling failing when the vault instance has a large number of policies. It would fail to even configure the vault migration tooling because our postgres pool would be exhausted because we use advisory locks when obtaining the relay credentials.

Note: I've had to update the types across parts of the backend that uses the v1 gatway to make typescript play ball.

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Read the contributing guide

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR refactors the gateway credential handling to enable credential reusability across multiple vault operations. The main change encapsulates V1 gateway relay details (host, port, TLS options, identity) into a single TGatewayV1RelayDetails type, and allows passing pre-fetched gateway credentials to vault request functions via an optional gatewayDetails parameter.

Key improvements:

• Reduced database load by fetching gateway credentials once and reusing them across multiple vault migration operations
• Fixed postgres pool exhaustion issue when vault instances have many policies
• Improved type safety with structured gateway credential types (TGatewayV1RelayDetails and TGatewayV2ConnectionDetails)
• Added getGatewayDetails helper in external-migration-service.ts that fetches credentials once and passes them to downstream functions
• Updated 13+ files across dynamic secrets, vault connections, and SQL connections to use the new encapsulated structure

The refactoring maintains backward compatibility - when gatewayDetails is not provided, functions fetch credentials as before. The change is well-isolated to gateway-related code paths.

Confidence Score: 4/5

• This PR is safe to merge with minor considerations around error handling
• The refactoring is well-structured and addresses a real production issue (postgres pool exhaustion). The changes are primarily mechanical refactoring that encapsulates existing logic into structured types. However, there's a minor concern: the relayAddress.split(":") operation in gateway-service.ts:613 doesn't validate the array length before destructuring, which could cause issues if the address format is invalid (though this was addressed in previous review threads and is pre-existing behavior)
• Pay attention to backend/src/services/external-migration/external-migration-service.ts and backend/src/services/app-connection/hc-vault/hc-vault-connection-fns.ts as they contain the core logic for credential reuse

Important Files Changed

Filename	Overview
backend/src/lib/gateway/types.ts	Refactored gateway types to encapsulate relay details into TGatewayV1RelayDetails structure, added GatewayVersion enum
backend/src/ee/services/gateway/gateway-service.ts	Returns structured TGatewayV1RelayDetails including parsed host/port and formatted TLS options to avoid redundant processing
backend/src/services/app-connection/hc-vault/hc-vault-connection-types.ts	Added discriminated union TGatewayDetails type supporting both V1 and V2 gateway versions
backend/src/services/app-connection/hc-vault/hc-vault-connection-fns.ts	Added optional gatewayDetails parameter to reuse gateway credentials, avoiding redundant database queries during vault operations
backend/src/services/external-migration/external-migration-service.ts	Added getGatewayDetails helper to fetch gateway credentials once and reuse across vault migration operations

_{Last reviewed commit: 190022a}

[greptile-apps]

_{18 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[varonix0]

@greptile re-review the PR and update your summary

[scott-ray-wilson]

LGTM, we verified together walking through in call