
feat(core): Enable external secrets for projects #26329

Merged
sandra0503 merged 5 commits into master from ligo-298-fe-expose-releasable-project-scoped-external-secrets
Mar 2, 2026

@sandra0503
Contributor

Summary

  • Enable external secrets for projects
  • Hide external secret permission settings in project roles

Related Linear tickets, Github issues, and Community forum posts

Closes LIGO-298

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

- Hide external secret permission settings in project roles
@codecov

codecov bot commented Feb 27, 2026

Bundle Report

Changes will increase total bundle size by 3.5kB (0.01%) ⬆️. This is within the configured threshold ✅

Detailed changes

| Bundle name | Size | Change |
| --- | --- | --- |
| editor-ui-esm | 42.51MB | 3.5kB (0.01%) ⬆️ |

Affected Assets, Files, and Routes:

view changes for bundle: editor-ui-esm

Assets Changed:

| Asset Name | Size Change | Total Size | Change (%) |
| --- | --- | --- | --- |
| assets/worker-*.js | 2.91MB | 2.92MB | 21725.55% ⚠️ |
| assets/worker-*.js | -2.91MB | 13.37kB | -99.54% |
| assets/constants-*.js | 136 bytes | 2.89MB | 0.0% |
| assets/index-*.js | 2.69kB | 1.13MB | 0.24% |
| assets/_MapCache-*.js | 647 bytes | 577.49kB | 0.11% |
| assets/ProjectRoleView-*.js | 4 bytes | 30.96kB | 0.01% |
| assets/projectRoleScopes-*.js | 28 bytes | 1.22kB | 2.35% |

Files in assets/ProjectRoleView-*.js:

  • ./src/features/project-roles/ProjectRoleView.vue → Total Size: 340 bytes

@codecov

codecov bot commented Feb 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@sandra0503
Contributor Author

Found 6 test failures on Blacksmith runners:

These integration tests are testing the soon-to-be-deleted endpoints. I think we can delete these tests already? @ireneea

@n8n-assistant n8n-assistant bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team labels Feb 27, 2026
@ireneea
Contributor

ireneea commented Feb 27, 2026

I think we could remove those tests when we actually remove the controller. I don't see anything from the changes here that would cause them to fail 🤔

@sandra0503 sandra0503 marked this pull request as ready for review February 27, 2026 13:29
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

cubic analysis

No issues found across 9 files

Linked issue analysis

Linked issue: LIGO-298: [FE] Expose releasable project-scoped external secrets

| Status | Acceptance criteria | Notes |
| --- | --- | --- |
| ⚠️ | Instance admins should be able to share an external secret store | Adds roleBasedAccess setting and UI gating but no sharing enforcement |
| | Project admins and all other users should not be able to create or share external secret stores | No backend permission checks to prevent create/share actions |

Architecture diagram
sequenceDiagram
    participant UI as Frontend (ProjectRoleView)
    participant SS as Frontend Settings Store
    participant API as Backend API
    participant ESM as External Secrets Module
    participant ESC as External Secrets Config

    Note over ESC: Backend Initialization
    ESC->>ESC: CHANGED: externalSecretsForProjects = true (default)
    ESC->>ESC: NEW: externalSecretsRoleBasedAccess = false (default)

    Note over UI, ESM: Runtime Settings Fetch
    UI->>API: Fetch Frontend Settings
    API->>ESM: getFrontendSettings()
    ESM->>ESC: Read feature flags
    ESC-->>ESM: forProjects, roleBasedAccess, multipleConnections
    ESM-->>API: { "external-secrets": { forProjects, roleBasedAccess, ... } }
    API-->>UI: JSON Settings
    UI->>SS: Commit settings to store

    Note over UI: Project Roles Management
    UI->>SS: Request moduleSettings['external-secrets']
    SS-->>UI: Return config flags

    alt NEW: roleBasedAccess == true
        UI->>UI: Render 'externalSecretsProvider' and 'externalSecret' scopes
        Note right of UI: UI Labels CHANGED: "Secrets Vaults" (formerly "Stores")
    else roleBasedAccess == false (Default)
        UI->>UI: CHANGED: Filter out secret-related permission scopes
    end

    opt CHANGED: Project Admin UI
        UI->>UI: Terminology updated from "Secrets Store" to "Secrets Vault"
        Note right of UI: Affects empty states and tooltips
    end
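
The gap noted in the linked-issue analysis above (UI gating without backend checks) can be illustrated as follows. This is an added example, not code from the n8n code base: the flag names and the two resource names come from the diagram, while the function names, role names, and the `<resource>:<action>` scope format are assumptions.

```typescript
// Added illustration; not n8n source. Flag names and the two resource names
// come from the diagram above; everything else is hypothetical.
type ExternalSecretsSettings = {
  forProjects: boolean;
  roleBasedAccess: boolean;
  multipleConnections: boolean;
};
type Caller = { role: 'instanceAdmin' | 'projectAdmin' | 'member'; scopes: string[] };

const SECRET_RESOURCES = ['externalSecretsProvider', 'externalSecret'];

// Assumed scope format: "<resource>:<action>".
function isSecretScope(scope: string): boolean {
  return SECRET_RESOURCES.some((r) => scope === r || scope.indexOf(r + ':') === 0);
}

// Client side: which scopes the role editor renders. This is presentation
// only; a role that already stores a secret scope still carries it.
function visibleScopes(all: string[], s: ExternalSecretsSettings): string[] {
  return s.roleBasedAccess ? all : all.filter((scope) => !isSecretScope(scope));
}

// Server side (one possible counterpart): scopes honoured for a request.
// With roleBasedAccess off, secret scopes are dropped even if the role has them.
function effectiveScopes(caller: Caller, s: ExternalSecretsSettings): string[] {
  return s.roleBasedAccess
    ? caller.scopes
    : caller.scopes.filter((scope) => !isSecretScope(scope));
}

// Server side: the acceptance criteria from the linked issue, enforced on the
// request itself rather than inferred from what the UI displayed.
function mayCreateOrShareStore(caller: Caller, s: ExternalSecretsSettings): boolean {
  return s.forProjects && caller.role === 'instanceAdmin';
}
```
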

@sandra0503 sandra0503 added this pull request to the merge queue Mar 2, 2026
Merged via the queue into master with commit 4dcc2d8 Mar 2, 2026
81 checks passed
@sandra0503 sandra0503 deleted the ligo-298-fe-expose-releasable-project-scoped-external-secrets branch March 2, 2026 12:14
@n8n-assistant n8n-assistant bot mentioned this pull request Mar 2, 2026
This was referenced Mar 3, 2026
@n8n-assistant
Contributor

n8n-assistant bot commented Mar 3, 2026

Got released with [email protected]
