feat(infisical): add Infisical secrets management integration #3684

Merged
waleedlatif1 merged 6 commits into staging from waleedlatif1/add-infisical
Mar 19, 2026

@waleedlatif1
Collaborator

Summary

  • Add Infisical integration with 5 tools: list secrets, get secret, create secret, update secret, delete secret
  • Block with operation dropdown, API key auth, advanced mode for optional fields
  • Regenerated docs (also picks up workday and ashby doc updates)

Type of Change

  • New feature

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Mar 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Mar 19, 2026 10:20pm

@cursor

cursor bot commented Mar 19, 2026

PR Summary

Medium Risk
Adds a new secrets-management integration that handles API tokens and secret values, so misconfiguration or logging/response-shaping issues could expose sensitive data. Changes are mostly additive and isolated to the new block/tools and docs/registry wiring.

Overview
Adds a new Infisical tool integration, including an InfisicalBlock with an operation dropdown and API-key auth that routes to five new tools: infisical_list_secrets, infisical_get_secret, infisical_create_secret, infisical_update_secret, and infisical_delete_secret.

Implements the Infisical tool configs (request construction + response transforms/types), registers them in the Sim tool/block registries, and adds InfisicalIcon plus docs pages/metadata updates (also regenerating docs content and adding WorkdayIcon + workday docs entry).

Written by Cursor Bugbot for commit 99159d3. Configure here.

@greptile-apps
Contributor

greptile-apps bot commented Mar 19, 2026

Greptile Summary

This PR adds a full Infisical secrets-management integration to Sim, comprising five tools (list_secrets, get_secret, create_secret, update_secret, delete_secret), a corresponding block config, icon assets, registry wiring, and documentation. The integration fits cleanly into the existing tool/block architecture and all previously-flagged issues (hardcoded base URL, NaN version, empty-string secret clear, DELETE body, type-cast error objects) have been addressed.

Key changes:

  • Five new tools under apps/sim/tools/infisical/ with configurable baseUrl (defaulting to https://us.infisical.com) and proper user-only visibility on apiKey
  • Block config at apps/sim/blocks/blocks/infisical.ts with operation dropdown, conditional sub-blocks, and advanced-mode fields
  • All five tools registered in both tools/registry.ts and blocks/registry.ts

Issue found:

  • The if (!response.ok) error-handling branches inside each tool's transformResponse function are dead code — the framework (tools/index.ts) intercepts HTTP errors via isErrorResponse and throws before transformResponse is ever called. The dead branches create a misleading picture of the error contract (callers will receive a thrown exception, not { success: false }). This does not break runtime behavior today but should be cleaned up for clarity.

Confidence Score: 4/5

  • Safe to merge; all previously-raised blocking issues have been fixed and the remaining concern is dead code that does not affect runtime behavior.
  • The integration is well-structured and follows existing patterns. All seven issues raised in prior review threads have been addressed. The only remaining finding is unreachable error-handling code inside transformResponse across all five tools — a clarity/maintenance concern rather than a functional bug. No security regressions or data-loss risks were identified.
  • The transformResponse error paths in list_secrets.ts, get_secret.ts, create_secret.ts, update_secret.ts, and delete_secret.ts contain dead code that should be cleaned up.

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/tools/infisical/list_secrets.ts | Implements GET /api/v4/secrets with query-param URL builder and response normalization; error-handling branch inside transformResponse is dead code since the framework intercepts HTTP errors before calling it. |
| apps/sim/blocks/blocks/infisical.ts | Block config wiring all 5 operations with correct conditional sub-blocks, falsy guard for updateSecretValue, NaN guard for secretVersion, and configurable baseUrl — previously-flagged issues have been addressed. |
| apps/sim/tools/infisical/get_secret.ts | GET single secret by name; same dead-code !response.ok branch in transformResponse as list_secrets; otherwise structurally sound with proper URL encoding and optional-param handling. |
| apps/sim/tools/infisical/create_secret.ts | POST to create a new secret; tagIds comma-split handled correctly; dead-code error branch in transformResponse; secretValue visibility intentionally user-or-llm per previous thread. |
| apps/sim/tools/infisical/update_secret.ts | PATCH to update a secret; falsy guard on secretValue correctly prevents clearing secrets with empty string; dead-code error branch in transformResponse. |
| apps/sim/tools/infisical/delete_secret.ts | DELETE with query params (matching Infisical SDK behavior after fix); dead-code !response.ok branch; returns deleted secret in output. |
| apps/sim/tools/infisical/types.ts | Well-structured TypeScript interfaces for all 5 operations; InfisicalSecret fields marked appropriately nullable. |

Sequence Diagram

sequenceDiagram
    participant User as User/LLM
    participant Block as InfisicalBlock
    participant Framework as Tool Framework
    participant API as Infisical API

    User->>Block: Trigger with operation + params
    Block->>Framework: Resolve tool (infisical_${operation})
    Framework->>Framework: Build URL & headers from params

    alt list_secrets
        Framework->>API: GET /api/v4/secrets?projectId=...&environment=...
    else get_secret
        Framework->>API: GET /api/v4/secrets/{secretName}?projectId=...
    else create_secret
        Framework->>API: POST /api/v4/secrets/{secretName} (JSON body)
    else update_secret
        Framework->>API: PATCH /api/v4/secrets/{secretName} (JSON body)
    else delete_secret
        Framework->>API: DELETE /api/v4/secrets/{secretName}?projectId=...
    end

    API-->>Framework: HTTP Response

    alt HTTP error (4xx/5xx)
        Framework->>Framework: isErrorResponse → throws before transformResponse
        Framework-->>User: Error (exception)
    else HTTP success (2xx)
        Framework->>Framework: calls transformResponse(mockResponse)
        Framework-->>User: { success: true, output: { secret | secrets } }
    end

Last reviewed commit: "fix(infisical): use ..."
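
The error contract described in the Greptile review above, as an added example that is not part of the PR or of Sim's code: a framework that throws on HTTP errors before calling transformResponse, so the tool's `!response.ok` branch never runs and callers see an exception rather than `{ success: false }`. `executeTool`, `FakeResponse`, `observe` and the sample responses are hypothetical; only the names `isErrorResponse` and `transformResponse` come from the discussion.

```typescript
// Constructed model of the error contract; not Sim's implementation.
interface FakeResponse { ok: boolean; status: number; body: any }
type ToolResult = { success: boolean; output: Record<string, unknown>; error?: string }

// Counts executions of the branch the review calls dead code.
let deadBranchHits = 0

// Tool-side transform, shaped as the review describes: it carries a
// `!response.ok` branch meant to return { success: false }.
function transformResponse(response: FakeResponse): ToolResult {
  if (!response.ok) {
    deadBranchHits++ // unreachable when called through executeTool
    return { success: false, output: {}, error: response.body?.message ?? 'request failed' }
  }
  return { success: true, output: { secret: response.body.secret } }
}

// Framework-side check (assumed behaviour): any non-2xx response is an error.
function isErrorResponse(response: FakeResponse): boolean {
  return !response.ok || response.status >= 400
}

// Framework-side dispatch: HTTP errors throw before the tool's transform runs.
function executeTool(response: FakeResponse): ToolResult {
  if (isErrorResponse(response)) {
    throw new Error(`HTTP ${response.status}: ${response.body?.message ?? 'unknown error'}`)
  }
  return transformResponse(response)
}

// What a caller actually observes: a returned result or a thrown exception.
function observe(response: FakeResponse): string {
  try {
    return `returned success=${executeTool(response).success}`
  } catch (err) {
    return `threw ${(err as Error).message}`
  }
}

// Constructed sample responses (not captured from a real Infisical instance).
const okResponse: FakeResponse = { ok: true, status: 200, body: { secret: { secretKey: 'EXAMPLE_KEY' } } }
const forbidden: FakeResponse = { ok: false, status: 403, body: { message: 'Forbidden' } }

console.log(observe(okResponse))
console.log(observe(forbidden))
console.log(`dead branch executed ${deadBranchHits} time(s)`)
```

A caller that only checks `result.success === false` would never handle the 403 in this model; the failure path has to be a `try`/`catch` around the tool call.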

@waleedlatif1 waleedlatif1 force-pushed the waleedlatif1/add-infisical branch from cfc7377 to c0a3f56 Compare March 19, 2026 21:45
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

@waleedlatif1
Collaborator Author

@cursor review

@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

@waleedlatif1
Collaborator Author

@greptile

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

@waleedlatif1 waleedlatif1 merged commit 0d22cc3 into staging Mar 19, 2026
12 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/add-infisical branch March 19, 2026 22:30