
feat(secrets-manager): add AWS Secrets Manager integration#3866

Merged
waleedlatif1 merged 3 commits into staging from waleedlatif1/aws-integration-audit
Mar 31, 2026

Conversation

@waleedlatif1
Collaborator

Summary

  • Add AWS Secrets Manager integration with 5 operations: get, list, create, update, delete
  • Includes tools, block, API routes, icon, and docs
  • Uses @aws-sdk/client-secrets-manager SDK with UpdateSecretCommand for proper description support

Type of Change

  • New feature

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@cursor

cursor bot commented Mar 31, 2026

PR Summary

High Risk
Introduces new server-side endpoints that accept AWS credentials and perform secret CRUD operations, which is security- and data-sensitive. Incorrect auth/validation or logging could expose or delete secrets.

Overview
Adds a new AWS Secrets Manager integration (secrets_manager) end-to-end: new tool configs registered in apps/sim/tools/registry.ts, a new SecretsManagerBlock with operation-driven parameter mapping, and a new set of authenticated Next.js API routes for get/list/create/update/delete backed by @aws-sdk/client-secrets-manager.

Updates docs and UI metadata to surface the integration (new secrets_manager.mdx, meta.json entry, integration listing JSON, and icon mapping), and introduces a new SecretsManagerIcon used in both docs and the Sim integrations UI.

Written by Cursor Bugbot for commit cb3a6af. Configure here.

@vercel

vercel bot commented Mar 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project: docs | Deployment: Skipped | Actions: Skipped | Updated (UTC): Mar 31, 2026 9:41pm

@waleedlatif1 waleedlatif1 force-pushed the waleedlatif1/aws-integration-audit branch from ed47ae1 to 1ab6da7 Compare March 31, 2026 20:25
@greptile-apps
Contributor

greptile-apps bot commented Mar 31, 2026

Greptile Summary

This PR adds a full AWS Secrets Manager integration with five operations (get, list, create, update, delete), following the established tool → API route → AWS SDK pattern already used by S3, SQS, and similar blocks. The structure is consistent with the rest of the codebase: typed params/response interfaces in types.ts, per-operation ToolConfig files, Next.js API routes backed by a shared utils.ts, and a BlockConfig wiring them all together.

Previous review concerns (binary-secret silent empty return, incorrect force-delete log message) have been correctly addressed. The remaining findings are both style-level:

  • secretValue is unmasked in the UI — the block's secretValue sub-block uses type: 'code' without password: true, so the actual secret content (passwords, API keys, JSON credentials) is displayed in plain text whenever the workflow is opened or shared. AWS credential fields (accessKeyId, secretAccessKey) are correctly masked; the same treatment should apply to secretValue.
  • Inaccurate client-side fallback message in delete_secret.ts — the fallback string 'Secret scheduled for deletion' is never reached in practice (the API always returns a message), but it would be wrong if forceDelete: true was in effect.

Confidence Score: 5/5

Safe to merge; all remaining findings are P2 style/UX suggestions with no runtime impact.

Previously flagged P1 issues (binary secret detection, force-delete message correctness) have both been resolved. The only remaining items are a misleading-but-unreachable fallback string and an unmasked UI input — neither affects correctness or data integrity at runtime.

apps/sim/blocks/blocks/secrets_manager.ts (secretValue masking) and apps/sim/tools/secrets_manager/delete_secret.ts (fallback message)

Important Files Changed

Filename: Overview
apps/sim/app/api/tools/secrets_manager/utils.ts: Core AWS SDK wrapper — correctly handles binary secret detection, mutual exclusivity of ForceDeleteWithoutRecovery / RecoveryWindowInDays, and client cleanup via destroy().
apps/sim/blocks/blocks/secrets_manager.ts: Block definition for all 5 operations; secretValue sub-block uses type: 'code' without password: true, exposing sensitive secret content in the UI.
apps/sim/tools/secrets_manager/delete_secret.ts: Delete tool definition; client-side fallback message 'Secret scheduled for deletion' is inaccurate when forceDelete: true is used, though it is never triggered in the success path.
apps/sim/app/api/tools/secrets_manager/delete-secret/route.ts: Delete route; correctly sets conditional response message based on forceDelete flag (previously flagged issue resolved).
apps/sim/tools/secrets_manager/types.ts: Type definitions for all 5 operations; well-structured with proper nullable/optional fields and correct separation of connection config from operation params.
apps/sim/tools/registry.ts: All 5 secrets manager tools correctly registered with consistent secrets_manager_* key naming.

Sequence Diagram

sequenceDiagram
    participant UI as Block UI
    participant Block as secrets_manager.ts (block)
    participant Tool as ToolConfig (tools/secrets_manager/*)
    participant Route as /api/tools/secrets_manager/*
    participant Utils as utils.ts
    participant AWS as AWS Secrets Manager

    UI->>Block: User selects operation + fills params
    Block->>Tool: config.tool(params) → tool ID<br/>config.params(params) → cleaned params
    Tool->>Route: POST (region, accessKeyId, secretAccessKey, …)
    Route->>Route: checkInternalAuth()
    Route->>Route: ZodSchema.parse(body)
    Route->>Utils: createSecretsManagerClient(config)
    Utils-->>Route: SecretsManagerClient
    Route->>Utils: getSecretValue / listSecrets / createSecret / updateSecretValue / deleteSecret
    Utils->>AWS: SDK Command (GetSecretValueCommand, etc.)
    AWS-->>Utils: Response
    Utils-->>Route: Typed result object
    Route->>Route: client.destroy()
    Route-->>Tool: NextResponse.json(result)
    Tool->>Tool: transformResponse() → { success, output }
    Tool-->>Block: output fields (name, secretValue, arn, …)
    Block-->>UI: Workflow outputs

Reviews (3): Last reviewed commit: "fix(secrets-manager): handle boolean for..."

- Conditional delete message based on forceDelete flag
- Add binary secret detection in getSecretValue
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

… inputs

- Accept both string 'true' and boolean true for forceDelete
- Guard parseInt results with isNaN check for maxResults and recoveryWindowInDays
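The points raised in the Greptile summary and in the commit message above (force-delete versus recovery window being mutually exclusive, accepting both boolean true and the string 'true', guarding parseInt with an isNaN check, a delete message that matches the flag actually used, and not returning an empty value for binary secrets) can be captured in a small, testable module. The following is an added example written for this page, not code from the PR or the Sim repository. The AWS-side field names (SecretId, ForceDeleteWithoutRecovery, RecoveryWindowInDays, SecretString, SecretBinary) are the real Secrets Manager API names; the function names, the request body shape, and the hex encoding of binary payloads are assumptions made for the example.

```typescript
// Added example (not the PR's own code): input normalisation for a delete-secret
// route and binary-aware extraction of a GetSecretValue response. AWS field
// names are the real API names; function names and body shape are hypothetical.

// Body as it arrives from the tool layer: values may be strings or JSON primitives.
type RawDeleteBody = {
  secretId?: unknown;
  forceDelete?: unknown;
  recoveryWindowInDays?: unknown;
};

// Subset of the DeleteSecretCommand input this example cares about.
type DeleteSecretInput = {
  SecretId: string;
  ForceDeleteWithoutRecovery?: boolean;
  RecoveryWindowInDays?: number;
};

// Subset of the GetSecretValue response shape.
type GetSecretValueOutput = {
  Name?: string;
  SecretString?: string;
  SecretBinary?: Uint8Array;
};

// Accept both boolean true and the string 'true' (form inputs often arrive as strings).
function parseBooleanFlag(value: unknown): boolean {
  if (typeof value === 'boolean') return value;
  if (typeof value === 'string') return value.trim().toLowerCase() === 'true';
  return false;
}

// parseInt with an isNaN guard and a range check; undefined when the field is absent.
function parseOptionalInt(value: unknown, name: string, min: number, max: number): number | undefined {
  if (value === undefined || value === null || value === '') return undefined;
  const n = typeof value === 'number' ? value : parseInt(String(value), 10);
  if (Number.isNaN(n)) throw new Error(`${name} must be an integer`);
  if (n < min || n > max) throw new Error(`${name} must be between ${min} and ${max}`);
  return n;
}

// Build the SDK input. ForceDeleteWithoutRecovery and RecoveryWindowInDays are
// mutually exclusive on the AWS side, so a forced delete drops any window given.
// AWS accepts a recovery window of 7 to 30 days and defaults to 30.
function buildDeleteSecretInput(body: RawDeleteBody): DeleteSecretInput {
  if (typeof body.secretId !== 'string' || body.secretId.trim() === '') {
    throw new Error('secretId is required');
  }
  const forceDelete = parseBooleanFlag(body.forceDelete);
  const recoveryWindowInDays = parseOptionalInt(body.recoveryWindowInDays, 'recoveryWindowInDays', 7, 30);
  const input: DeleteSecretInput = { SecretId: body.secretId };
  if (forceDelete) {
    input.ForceDeleteWithoutRecovery = true;
  } else if (recoveryWindowInDays !== undefined) {
    input.RecoveryWindowInDays = recoveryWindowInDays;
  }
  return input;
}

// Response message derived from the input actually sent, so a forced delete is
// never reported as "scheduled".
function deleteResultMessage(input: DeleteSecretInput): string {
  if (input.ForceDeleteWithoutRecovery) {
    return 'Secret permanently deleted without a recovery window';
  }
  return `Secret scheduled for deletion in ${input.RecoveryWindowInDays ?? 30} days`;
}

// Return the secret value without silently yielding '' for binary secrets.
// Binary payloads are hex-encoded here; that encoding is a choice for this example.
function extractSecretValue(resp: GetSecretValueOutput): { value: string; isBinary: boolean } {
  if (resp.SecretString !== undefined) {
    return { value: resp.SecretString, isBinary: false };
  }
  if (resp.SecretBinary !== undefined) {
    const hex = Array.from(resp.SecretBinary, (b) => b.toString(16).padStart(2, '0')).join('');
    return { value: hex, isBinary: true };
  }
  throw new Error('GetSecretValue returned neither SecretString nor SecretBinary');
}
```

Keeping the message a function of the built SDK input, rather than of the raw request body, is what removes the class of bug the reviewers flagged: whatever the route ends up sending is also what it reports back.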
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review


@cursor cursor bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

@waleedlatif1 waleedlatif1 merged commit 1a2aa69 into staging Mar 31, 2026
12 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/aws-integration-audit branch March 31, 2026 22:26