From 4148334d42a4ae498461e2fee0d6ab50ded8a46a Mon Sep 17 00:00:00 2001
From: Vault Automation <github-team-secure-vault-core@hashicorp.com>
Date: Fri, 20 Feb 2026 19:53:43 -0500
Subject: [PATCH] UI: Hide agent_registry backend from secrets engines list
 page (#12459) (#12466)

* add agent registry to hidden backend list

* consolidate excluded mounts to a single list

---------

Co-authored-by: Dan Rivera <dan.rivera@hashicorp.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
---
 ui/app/models/secret-engine.js                           | 8 ++------
 ui/app/resources/secrets/engine.ts                       | 4 ++--
 ui/app/utils/all-engines-metadata.ts                     | 9 +++++++--
 .../addon/components/path-filter-config-list.js          | 3 ++-
 4 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/ui/app/models/secret-engine.js b/ui/app/models/secret-engine.js
index a4c33fe905..c6e798d248 100644
--- a/ui/app/models/secret-engine.js
+++ b/ui/app/models/secret-engine.js
@@ -10,16 +10,12 @@ import { withModelValidations } from 'vault/decorators/model-validations';
 import { withExpandedAttributes } from 'vault/decorators/model-expanded-attributes';
 import { supportedSecretBackends } from 'vault/helpers/supported-secret-backends';
 import { WHITESPACE_WARNING } from 'vault/utils/forms/validators';
-import { ALL_ENGINES, isAddonEngine } from 'vault/utils/all-engines-metadata';
+import { ALL_ENGINES, INTERNAL_ENGINE_TYPES, isAddonEngine } from 'vault/utils/all-engines-metadata';
 import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
 import engineDisplayData from 'vault/helpers/engines-display-data';
 
 const LINKED_BACKENDS = supportedSecretBackends();
 
-// identity will be managed separately and the inclusion
-// of the system backend is an implementation detail
-const LIST_EXCLUDED_BACKENDS = ['system', 'identity'];
-
 const validations = {
   path: [
     { type: 'presence', message: "Path can't be blank." },
@@ -136,7 +132,7 @@ export default class SecretEngineModel extends Model {
   }
 
   get shouldIncludeInList() {
-    return !LIST_EXCLUDED_BACKENDS.includes(this.engineType);
+    return !INTERNAL_ENGINE_TYPES.includes(this.engineType);
   }
 
   get isSupportedBackend() {
diff --git a/ui/app/resources/secrets/engine.ts b/ui/app/resources/secrets/engine.ts
index a2631d058d..0c522f0a1a 100644
--- a/ui/app/resources/secrets/engine.ts
+++ b/ui/app/resources/secrets/engine.ts
@@ -8,7 +8,7 @@ import {
   supportedSecretBackends,
   SupportedSecretBackendsEnum,
 } from 'vault/helpers/supported-secret-backends';
-import { isAddonEngine } from 'vault/utils/all-engines-metadata';
+import { INTERNAL_ENGINE_TYPES, isAddonEngine } from 'vault/utils/all-engines-metadata';
 import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
 import engineDisplayData from 'vault/helpers/engines-display-data';
 
@@ -25,7 +25,7 @@ export type RecoverySupportedEngines = (typeof SUPPORTS_RECOVERY)[number];
 export default class SecretsEngineResource extends baseResourceFactory<Mount>() {
   id: string;
 
-  #LIST_EXCLUDED_BACKENDS = ['system', 'identity'];
+  #LIST_EXCLUDED_BACKENDS = INTERNAL_ENGINE_TYPES;
 
   constructor(data: Mount) {
     super(data);
diff --git a/ui/app/utils/all-engines-metadata.ts b/ui/app/utils/all-engines-metadata.ts
index 17cc4c0ef5..0adc37aa1e 100644
--- a/ui/app/utils/all-engines-metadata.ts
+++ b/ui/app/utils/all-engines-metadata.ts
@@ -16,8 +16,8 @@
  * - Facilitate dynamic engine rendering and behavior based on metadata.
  *
  * Example usage:
- * // If an enterprise license is present, return all secret engines;
- * // otherwise, return only the secret engines supported in OSS.
+ * If an enterprise license is present, return all secret engines;
+ * otherwise, return only the secret engines supported in OSS.
  * return filterEnginesByMountCategory({ mountCategory: 'secret', isEnterprise: this.version.isEnterprise });
  */
 
@@ -64,6 +64,11 @@ export function isAddonEngine(type: string, version: number) {
   return !!engineRoute;
 }
 
+//  The "sys/mounts" and "sys/internal/ui/mounts" endpoints return a "secret/" key containing
+//  all mounts enabled in Vault. Some types are internal Vault APIs, not user-mountable secrets engines,
+//  and should be filtered in some scenarios, such as listing secrets engines.
+export const INTERNAL_ENGINE_TYPES = ['system', 'identity', 'agent_registry'];
+
 export const ALL_ENGINES: EngineDisplayData[] = [
   {
     pluginCategory: 'cloud',
diff --git a/ui/lib/replication/addon/components/path-filter-config-list.js b/ui/lib/replication/addon/components/path-filter-config-list.js
index 9938765853..36ec46042e 100644
--- a/ui/lib/replication/addon/components/path-filter-config-list.js
+++ b/ui/lib/replication/addon/components/path-filter-config-list.js
@@ -8,6 +8,7 @@ import { set, computed } from '@ember/object';
 import { service } from '@ember/service';
 import { readOnly } from '@ember/object/computed';
 import { task, timeout } from 'ember-concurrency';
+import { INTERNAL_ENGINE_TYPES } from 'vault/utils/all-engines-metadata';
 
 export default Component.extend({
   'data-test-component': 'path-filter-config',
@@ -120,7 +121,7 @@ export default Component.extend({
 
   // singleton mounts are not eligible for per-mount-filtering
   singletonMountTypes: computed(function () {
-    return ['cubbyhole', 'system', 'token', 'identity', 'ns_system', 'ns_identity', 'ns_token'];
+    return ['cubbyhole', 'token', 'ns_system', 'ns_identity', 'ns_token', ...INTERNAL_ENGINE_TYPES];
   }),
 
   actions: {