✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Greptile Overview

Greptile Summary

This PR implements secret version value redaction to combat secret spill by allowing users to redact (clear) secret values from historical versions while keeping metadata intact. The implementation also fixes a bug where automatic secret reference updates weren't incrementing versions correctly.

Key changes:

• Added database columns isRedacted, redactedAt, redactedByUserId, and parentVersionId to track redaction state and version relationships
• Implemented cascading redaction that automatically redacts child (replicated) secret versions when a parent is redacted
• Fixed critical bug in secret reference update logic that failed to increment versions, causing duplicate version numbers and missing version history
• Uses proper permission checks (ProjectPermissionSecretActions.Edit) and prevents redacting the latest version
• Encrypts empty string for redacted values to prevent decryption errors
• Frontend UI shows redacted versions with visual indicators and confirmation modal

Bug fix details:
The PR fixes an issue where updating secret references (when secrets are renamed or moved) would update the secret value but not properly create new versions. The fix uses $incr: { version: 1 } for atomic version increments and deduplicates updates via Map to prevent duplicate version creation when a secret references the same renamed secret multiple times.

Confidence Score: 4/5

• Safe to merge with one potential edge case to address
• The implementation is well-structured with proper permission checks, idempotent migrations, and comprehensive cascading logic. The bug fix for version increments is critical and properly implemented. Score reduced from 5 to 4 due to unbounded recursion risk in cascading redaction that could cause stack overflow with pathological data.
• backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts needs attention for the unbounded recursion issue

Important Files Changed

@greptile, your additional comments:

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
Wrong foreign key stored
redactedByUserId is being set to actorId in redactSecretVersionValue, but actorId can be an identity or other actor type (you pass actor: req.permission.type). Since the migration defines redactedByUserId as a FK to Users.id, redacting as a non-user actor will violate the FK (or store incorrect data if FK enforcement differs).

Answer: Wrong. The route only accepts JWT auth (user auth)

frontend/src/hooks/api/secrets/mutations.tsx (Unused mutation parameter)

Answer: This is fine. In this case we don't use the response for invalidation

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts
Native regex used

Answer: Doesn't matter, it matches a single char. But I've refactored it to use .replaceAll instead

backend/src/ee/routes/v2/secret-version-router.ts
Response schema mismatch
The route response is declared as SecretVersionsV2Schema.omit({ encryptedValue: true, encryptedComment: true }), but SecretVersionsV2Schema includes encryptedValue as a required field in the DB schema (and the service returns updatedSecretVersion from DAL). If encryptedValue is still present on the returned object, Fastify Zod response validation can fail (depending on how strict response validation is configured).

Answer: Wrong. Even if the encryptedValue is included in the object, zod just strips it out so it's not returned in the request. This is the design we follow across the whole API.

With these comments and my latest changes in mind, re-review my PR and update your summary when you are done.