browser-vault-gui/LATEST_FEATURES.md

# Latest Features - Mount Point Detection & Multi-Mount Search

## 🎉 What's New

### 1. Login Verification ✅

**Before:** Login was assumed to work, no verification

**Now:** Login is verified by calling `/v1/sys/internal/ui/mounts`
- ✅ Confirms credentials are valid
- ✅ Provides immediate feedback
- ✅ Shows detailed error messages on failure
- ✅ Fails fast if credentials are invalid

```typescript
// On login:
const mountPoints = await vaultApi.verifyLoginAndGetMounts(server, credentials);
// ✓ Login verified
// ✓ Mount points detected
```

### 2. Automatic Mount Point Discovery 🔍

**Detects all KV secret engine mount points:**
- Queries `/v1/sys/internal/ui/mounts` on login
- Filters for KV secret engines only (`kv` or `generic` type)
- Auto-detects KV version (v1 or v2) from mount options
- Stores mount points in connection state

**Example Console Output:**
```
⚡ Verifying login and fetching mount points...
✓ Found 3 KV mount point(s): ["secret", "secret-v1", "team-secrets"]
✓ Logged in successfully.
```

### 3. Search Across All Mounts 🚀

**New Feature:** Optional multi-mount search

**UI Changes:**
- Checkbox: "Search across all mount points (N available)"
- Shows number of detected mount points
- Disabled when no mount points available
- **Off by default** (single path search)

**When Enabled:**
- Searches all detected KV mount points
- Each mount searched with correct KV version
- Results show mount point indicator: 📌
- Continues even if some mounts fail (permission denied)

**Search Results:**
```
📄 secret/prod/database/credentials
   📌 secret
   Depth: 2

📄 team-secrets/shared/database
   📌 team-secrets  
   Depth: 1
```

### 4. Intelligent KV Version Handling

**Per-mount KV version detection:**
```typescript
// Each mount can have different KV version
secret/       → KV v2 (uses /metadata/ for LIST)
secret-v1/    → KV v1 (direct LIST)
team-secrets/ → KV v2 (uses /metadata/ for LIST)
```

**Automatic path transformation:**
- KV v2: `secret/` → `secret/metadata/` for LIST
- KV v2: `secret/` → `secret/data/` for READ/WRITE
- KV v1: `secret/` → `secret/` (no transformation)

## 📊 Technical Changes

### New API Methods

**`VaultClient.listMounts()`**
```typescript
const mounts = await client.listMounts();
// Returns all mount points with metadata
```

**`vaultApi.verifyLoginAndGetMounts()`**
```typescript
const mountPoints = await vaultApi.verifyLoginAndGetMounts(server, credentials);
// Verifies login + returns filtered KV mount points
```

**`vaultApi.searchAllMounts()`**
```typescript
const results = await vaultApi.searchAllMounts(
  server,
  credentials,
  mountPoints,
  searchTerm
);
// Searches across all provided mount points
```

### Updated Types

**`MountPoint` interface:**
```typescript
interface MountPoint {
  path: string;              // "secret"
  type: string;              // "kv"
  description: string;       // "key/value secret storage"
  accessor: string;          // "kv_abc123"
  config: { ... };
  options: {
    version?: string;        // "2" for KV v2
  };
}
```

**`VaultConnection` interface:**
```typescript
interface VaultConnection {
  server: VaultServer;
  credentials: VaultCredentials;
  isConnected: boolean;
  lastConnected?: Date;
  mountPoints?: MountPoint[];  // ← NEW
}
```

**`SearchResult` interface:**
```typescript
interface SearchResult {
  path: string;
  isDirectory: boolean;
  depth: number;
  mountPoint?: string;  // ← NEW
}
```

### File Changes

**Modified:**
- ✅ `src/types.ts` - Added MountPoint, updated VaultConnection
- ✅ `src/services/vaultClient.ts` - Added listMounts()
- ✅ `src/services/vaultApi.ts` - Added verifyLoginAndGetMounts(), searchAllMounts()
- ✅ `src/components/PathSearch.tsx` - Added multi-mount search UI
- ✅ `src/components/PathSearch.css` - Styles for new UI elements
- ✅ `src/components/Dashboard.tsx` - Pass mountPoints to PathSearch
- ✅ `src/App.tsx` - Call verifyLoginAndGetMounts() on login

**New:**
- ✅ `MOUNT_POINTS.md` - Comprehensive documentation

## 🎯 Use Cases

### Use Case 1: I Don't Know Which Mount

**Scenario:** "I need the database credentials, but I don't know if they're in `secret/` or `team-secrets/`"

**Solution:**
```
1. ☑ Enable "Search across all mount points"
2. Search: "database"
3. Results show secrets from ALL mounts with indicators
```

### Use Case 2: Multi-Team Environment

**Scenario:** Organization with multiple teams, each with their own mount point

**Detected:**
```
- secret (shared)
- team-engineering-secrets
- team-ops-secrets
- team-data-secrets
```

**Benefit:** Search across all teams' secrets (if you have permission)

### Use Case 3: Fast Targeted Search

**Scenario:** "I know exactly where to look: `secret/prod/myapp/`"

**Solution:**
```
1. ☐ Disable "Search across all mount points"
2. Base Path: secret/prod/myapp/
3. Search: "api-key"
4. Fast, targeted results
```

## 🔒 Security & Permissions

### Required Permissions

**For login verification and mount discovery:**
```hcl
path "sys/internal/ui/mounts" {
  capabilities = ["read"]
}
```

**For searching:**
```hcl
# KV v2
path "secret/metadata/*" {
  capabilities = ["list"]
}

# KV v1
path "secret/*" {
  capabilities = ["list"]
}
```

### Graceful Permission Handling

**What happens if you can't access a mount:**
```
🔍 Searching across 3 mount point(s)...
  → Searching in secret/
  ✓ 45 results
  → Searching in team-secrets/
  ✗ Error: permission denied
  → Searching in public-secrets/
  ✓ 23 results

✓ Found 68 total result(s) across all mounts
```

- ✅ Continues with other mounts
- ✅ Logs error in console
- ✅ Returns partial results
- ✅ No error thrown to user

## ⚡ Performance

### Caching Strategy

**Each mount path cached separately:**
```
Cache key: "server123:list:secret/"
Cache key: "server123:list:team-secrets/"
Cache key: "server123:list:public-secrets/"
```

**Benefits:**
- First search: API calls to all mounts
- Subsequent searches: Instant from cache
- Cache respects max size and expiration

### Search Optimization

**Sequential search with early exit:**
```
1. Search mount 1 → 400 results
2. Search mount 2 → 300 results  
3. Search mount 3 → 300 results
4. Total: 1000 results → STOP (max reached)
5. Mount 4+ not searched
```

## 🎨 UI/UX Improvements

### Login Process

**Visual feedback:**
```
[Connecting...] → [✓ Login verified] → [✓ Found 3 mount points]
```

**On failure:**
```
[Connecting...] → [✗ Error: permission denied]
                  [Please check credentials]
```

### Search Interface

**Dynamic UI:**
- Checkbox shows mount count: "(3 available)"
- Checkbox disabled if no mounts detected
- Base path field hidden when searching all mounts
- Results show mount indicator when relevant

**Helpful hints:**
```
ℹ️ Search Tips:
  • Search all mounts: searches across all KV secret engines
    (detected: secret, secret-v1, team-secrets)
  • Base path: when not searching all mounts, specify starting path
  • Results are cached to prevent excessive API calls
```

## 📝 Console Output Examples

### Successful Login
```
⚡ Verifying login and fetching mount points...
✓ Found 3 KV mount point(s): ["secret", "secret-v1", "team-secrets"]
✓ Logged in successfully. Found 3 KV mount point(s).
```

### Failed Login
```
⚡ Verifying login and fetching mount points...
✗ Login verification failed: permission denied
```

### Multi-Mount Search
```
🔍 Searching across 3 mount point(s)...
  → Searching in secret/
  ⚡ API call for list: secret/metadata/
  ⚡ API call for list: secret/metadata/prod/
  ⚡ API call for list: secret/metadata/dev/
  ✓ Cache hit for list: secret/metadata/shared/
  → Searching in secret-v1/
  ✓ Cache hit for list: secret-v1/
  → Searching in team-secrets/
  ⚡ API call for list: team-secrets/metadata/
✓ Found 145 total result(s) across all mounts
```

## 🔧 Configuration

All existing configuration still applies:

**Cache Settings:**
- Max cache size (MB)
- Cache expiration time (minutes)
- Enable/disable caching

**Search Settings:**
- Max search depth (applies per mount)
- Max search results (applies globally across all mounts)

## 📚 Documentation

**New comprehensive guide:**
- `MOUNT_POINTS.md` - Everything about mount point detection and multi-mount search

**Updated guides:**
- `README.md` - Project overview
- `USAGE.md` - Usage instructions
- `FEATURES.md` - Feature list

## 🎯 Summary

✅ **Login verification** - No more blind login attempts  
✅ **Auto-detect mount points** - Discover all KV secret engines  
✅ **Search all mounts** - Optional cross-mount search  
✅ **Mount indicators** - Know which mount each result is from  
✅ **Smart KV handling** - Per-mount version detection  
✅ **Graceful errors** - Continue on permission denied  
✅ **Performance optimized** - Caching + early exit  
✅ **Security conscious** - Respects Vault ACLs  

This makes discovering secrets in large Vault deployments **much easier**! 🚀