Skip to content

feat(secret-manager): secrets brokering (proxied services + agent proxy CA)#7246

Merged
saifsmailbox98 merged 43 commits into
mainfrom
saif/age2-39-implement-secrets-brokering-infisical-agent-proxy
Jul 14, 2026
Merged

feat(secret-manager): secrets brokering (proxied services + agent proxy CA)#7246
saifsmailbox98 merged 43 commits into
mainfrom
saif/age2-39-implement-secrets-brokering-infisical-agent-proxy

Conversation

@saifsmailbox98

@saifsmailbox98 saifsmailbox98 commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Context

Adds Secrets Brokering to Secrets Management: a way to consume secrets where untrusted code (AI agents, unsafe code-execution environments) never holds real credentials. The agent routes its HTTP traffic through the Infisical Agent Proxy, which injects the real credential on the wire — rewriting a header or substituting a placeholder value — based on proxied services an admin configures in a folder alongside secrets. The agent only ever sees placeholders.

This is the backend + frontend. The agent proxy itself lives in the CLI: companion PR Infisical/cli#308.

Backend

  • New tables: proxied_services and proxied_service_credentials (folder-scoped, no projectId — project/env/path derived through folder → environment → project, same as secrets_v2), plus org_agent_proxy_config (one KMS-encrypted root CA per org).
  • Proxied service CRUD. Referenced secrets are validated at write time and gated per-key on ReadValue, so an Edit-only actor can't wire in a secret they can't read and exfiltrate it through the proxy.
  • Agent proxy CA service: lazily generates a per-org root CA and signs short-lived intermediate CAs; the root private key never leaves Infisical.
  • New ProxiedService CASL subject (Read/Create/Edit/Delete/Proxy) and two built-in Secret Manager roles — Agent (Proxy only, no secret read) and Agent Proxy (ReadValue on all secrets, for the proxy machine identity).
  • secretsBrokering license flag, audit events for create/update/delete + intermediate-CA signing, and the dashboard aggregate endpoint extended with proxied services.

Frontend

  • Manage proxied services alongside secrets in both the multi-env overview and the single-env dashboard: create/edit sheet with header-rewrite (bearer / basic auth / API key) and credential-substitution rows, plus a secret picker that only offers secrets the user can actually read.
  • ProxiedService added to the custom-role editor, and the two new built-in roles surface in Access Control.

Screenshots

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

Backend + frontend for the Secrets Brokering feature: proxied service
CRUD, org-level agent proxy root CA, ProxiedService CASL subject with
Agent/Agent Proxy built-in roles, license gating, and dashboard/overview
integration.
Backend:
- CA: 10-year root, clamp intermediate lifetime to root, refuse to sign
  against an expired root, backdate notBefore for clock skew
- CA endpoints locked to machine identities (drop AuthMode.JWT)
- proxied service: per-key ReadValue check (not folder-wide), so a denied
  secret can't be wired into a service
- cross-credential validation (basic-auth pairing, unique header names /
  placeholder keys+values, mutually-exclusive header modes), min 1 credential
- hostPattern grammar validation with a 255-char cap
- GET by name without scope returns 400 instead of 500 on the uuid column
- dashboard: return the canonical secret path instead of the folder name

Frontend:
- send undefined (not null) for empty headerPrefix so the API accepts it
- add Proxied Services to the overview resource filter
- match honey-token/dynamic-secret upgrade-modal pattern; consistent Enterprise copy
- warn when switching auth mode discards the other mode's credentials on edit
- mirror backend cross-credential validation in the form schema
- fix the secret pickers: use the searchable FilterableSelect (the app's
  standard list picker) instead of a hand-rolled Select that showed no options
- header rewriting: single shared column header row, an empty state when no
  headers remain, and inline validation errors per row
- surface validation errors for name, host pattern, basic auth, and substitutions
- use text-bunker-300 for section descriptions (not text-muted-foreground) and
  Title Case field labels, matching the honey-token form
Mirror the multi-env Create Secret sheet exactly: form owns a scrollable body
with a sticky SheetFooter (border-t, primary action first); repeated header and
substitution rows use the metadata-row pattern (label only on the first row,
bordered bg-container/50 container, centered empty state, ghost Add button);
neutral section descriptions use text-muted and warnings use text-warning.
- add --color-proxied-service (#4c7da1, steel blue) and use it for the entity
  icon in the add menu, resource filter, table row, and list view
- add info tooltips to the Host Pattern field and the Credential Substitution
  section explaining matching and the placeholder-substitution flow
- drop the auth-mode switch warning
…ew footer

- host pattern badge truncates at 240px with a hover title (was overflowing the row)
- hoist the secret picker option formatter out of render (react/no-unstable-nested-components)
- show a proxied service count in the overview ResourceCount footer
The no-access secret row count subtracted every resource type except proxied
services, so N proxied services in a page rendered N phantom 'no permission'
secret rows. Add totalUniqueProxiedServicesInPage and subtract it too.
…xied services

Backend:
- emit audit logs on proxied service create/update/delete
- soft-gate the dashboard proxied-service methods on the secretsBrokering license
  (return empty rather than throwing, so the shared overview isn't broken)
- move host-pattern + credential validation schemas into proxied-service-schemas.ts
  and switch the backend regexes to RE2 (codebase convention)
- de-duplicate the sanitized response schema (shared base + credential picks)

Frontend:
- mirror the host-pattern grammar + 255 cap in the form schema (inline errors)
- surface the backend error message on save failure instead of a generic toast
- gate the dashboard includeProxiedServices flag on the subscription
… viewer

Add create/update/delete proxied service events to the audit-log EventType enum
and display-name map so they render with labels and appear in the event filter.
Backend:
- sanitize ILIKE search input in proxied service DAL
- use isUuidV4 helper for id-or-name disambiguation
- group proxied service audit events contiguously
- add audit event for intermediate CA signing
- unify update/delete return shape; drop redundant credentials fetch
- type keyAlgorithm response as CertKeyAlgorithm; unify KeyUsage style

Frontend:
- add Agent / Agent Proxy role display names
- remove dead proxied service query hooks, DTOs, and canProxy field
- drop unused projectId from update/delete mutations
- type-to-confirm delete modal, truncate host pattern badge
- wire Enabled label to its switch; add color to DESIGN.md accent list
@linear

linear Bot commented Jul 10, 2026

Copy link
Copy Markdown

AGE2-39

@infisical-review-police

Copy link
Copy Markdown

💬 Discussion in Slack: #pr-review-infisical-7246-feat-secret-manager-secrets-brokering-proxied-services

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

@greptile-apps

greptile-apps Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR introduces Secrets Brokering to the Secret Manager: a system where AI agents and untrusted workloads route HTTP traffic through an Infisical Agent Proxy that injects real credentials on the wire, so agents only ever hold placeholder values. The backend adds three new DB tables (proxied_services, proxied_service_credentials, org_agent_proxy_config), a full CRUD service with scoped CASL permissions, a per-org root CA service backed by KMS encryption, two new built-in project roles (Agent, AgentProxy), and dashboard-aggregate integration. The frontend adds create/edit/delete modals and a multi-env overview row component.

  • Permission model is well-designed: Create/Edit callers are validated per-key for ReadValue on every referenced secret at write time, preventing exfiltration of secrets an actor can't read through a proxy they can configure. The five-action ProxiedService CASL subject (Read, Create, Edit, Delete, Proxy) with environment and secretPath conditions follows the same scoping pattern as secrets.
  • Root CA generation uses a PostgreSQL advisory lock (OrgAgentProxyConfigInit) to prevent concurrent creation races, encrypts the private key with the org KMS data key, and clamps intermediate CA lifetimes to never outlive the root.
  • Dashboard pagination correctly uses DENSE_RANK in the DAL to count and page by unique service names across environments, keeping the count and list consistent.

Confidence Score: 5/5

The change is safe to merge; no correctness defects were found in the permission checks, credential validation, or database logic.

The core permission model, transaction safety, pagination logic, and CA key-management are all implemented correctly. The three observations are informational: the dashboard aggregate's Read-only filter (versus the dedicated endpoints' Read-or-Proxy check) is a design asymmetry that may be intentional; the secret-existence validation outside the transaction leaves a narrow TOCTOU window; and the AgentProxy role's unconditioned ReadValue is an explicit design choice documented in the PR. None of these represents a defect in current behavior.

No files require special attention before merging. Operators deploying this feature should understand the broad permission scope of the built-in AgentProxy role when assigning it to machine identities.

Important Files Changed

Filename Overview
backend/src/ee/services/proxied-service/proxied-service-service.ts Core business logic for proxied service CRUD + dashboard aggregates; permissions are correctly enforced per-operation; per-key ReadValue guard on credential wiring is well implemented; pagination with DENSE_RANK in the DAL is consistent with countDistinct-based counts
backend/src/ee/services/proxied-service/proxied-service-dal.ts DAL with multi-env DENSE_RANK pagination; search filter in countByFolderIds uses direct .whereILike() (AND logic, not OR), which is safe and consistent with the grouped form in findDashboardByFolderIds; no OR query violations
backend/src/ee/services/proxied-service/proxied-service-schemas.ts Validation schemas for hostPattern and credentials; uses RE2 for linear-time matching; cross-credential validation (basic-auth pairing, unique header names/placeholder keys) is thorough
backend/src/ee/services/agent-proxy-ca/agent-proxy-ca-service.ts Lazily generates per-org root CA with advisory lock to prevent races; root private key stays encrypted in KMS; intermediate CA clamped to not outlive root; correct ECDSA P-256 key handling
backend/src/ee/routes/v1/proxied-service-router.ts CRUD routes with appropriate rate limits and auth modes; audit log emission after each write; audit log reads from the returned service object before Fastify strips scope fields from the response
backend/src/server/routes/v1/dashboard-router.ts Integrates proxied service count and listing into both multi-env overview and single-env detail dashboard aggregates; pagination accounting is consistent with other resource types (unique-name decrement for multi-env)
backend/src/ee/services/permission/project-permission.ts Adds ProxiedServiceSubjectFields with environment/secretPath conditions and ProxiedServiceConditionSchema; correctly wired into the GeneralPermissionSchema union and ProjectPermissionSet type
backend/src/ee/services/permission/default-roles.ts Two new built-in roles: Agent (Proxy only, no secret read) and AgentProxy (DescribeSecret + ReadValue on all secrets, all environments, no path conditions — intentionally broad for the proxy machine identity)
backend/src/db/migrations/20260710162607_create-proxied-services.ts Creates three tables with correct FK cascades and unique constraints; rollback order is safe because DROP TABLE auto-removes triggers and dropOnUpdateTrigger uses IF EXISTS
frontend/src/components/proxied-services/forms/schema.ts Frontend Zod schema mirrors backend host-pattern grammar exactly; conditional field validation correctly suppresses inactive-mode fields; placeholder key uniqueness is enforced client-side

Reviews (3): Last reviewed commit: "chore: drop proxied services from the le..." | Re-trigger Greptile

Comment thread backend/src/db/migrations/20260710162607_create-proxied-services.ts
Comment thread backend/src/ee/services/agent-proxy-ca/agent-proxy-ca-service.ts
Comment thread backend/src/ee/services/proxied-service/proxied-service-schemas.ts

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: eb8411a784

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread backend/src/ee/services/agent-proxy-ca/agent-proxy-ca-service.ts
Comment thread backend/src/ee/services/agent-proxy-ca/agent-proxy-ca-service.ts
@veria-ai

veria-ai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

PR overview

All previously flagged issues have been addressed. No open security concerns remain on this pull request.

Security review

No open security issues remain on this pull request.

Fixed/addressed: 6 · PR risk: 0/10

@saifsmailbox98

Copy link
Copy Markdown
Contributor Author

@greptile review

Unhide the CRUD routes, tag them, and add field descriptions so they render
in the OpenAPI spec, plus the api-reference stub pages.
Simplify language, add network placement and identity-count guidance,
document import/reference reuse patterns, and align tone across pages.
@mintlify

mintlify Bot commented Jul 11, 2026

Copy link
Copy Markdown

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
infisical 🟢 Ready View Preview Jul 11, 2026, 2:58 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

Comment thread backend/src/ee/services/proxied-service/proxied-service-service.ts Outdated

@akhilmhdh akhilmhdh left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some minor changes but overall code looks good.

Pending application test, ux review and doc review

Comment thread backend/src/ee/routes/v1/proxied-service-router.ts
Comment thread backend/src/ee/services/agent-proxy-ca/agent-proxy-ca-service.ts
Comment thread backend/src/ee/services/proxied-service/proxied-service-schemas.ts
Comment thread backend/src/ee/services/proxied-service/proxied-service-service.ts Outdated
Comment thread backend/src/ee/services/proxied-service/proxied-service-service.ts Outdated
@saifsmailbox98 saifsmailbox98 requested a review from akhilmhdh July 13, 2026 11:24
Comment thread backend/src/ee/services/proxied-service/proxied-service-service.ts Outdated
@saifsmailbox98 saifsmailbox98 merged commit 5056f3d into main Jul 14, 2026
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants