diff --git a/ui/app/adapters/kv/config.js b/ui/app/adapters/kv/config.js
new file mode 100644
index 0000000000..398e6f2f33
--- /dev/null
+++ b/ui/app/adapters/kv/config.js
@@ -0,0 +1,13 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import ApplicationAdapter from '../application';
+export default class KvConfigAdapter extends ApplicationAdapter {
+  namespace = 'v1';
+
+  urlForFindRecord(id) {
+    return `${this.buildURL()}/${id}/config`;
+  }
+}
diff --git a/ui/app/adapters/kv/data.js b/ui/app/adapters/kv/data.js
new file mode 100644
index 0000000000..d6e46dc50e
--- /dev/null
+++ b/ui/app/adapters/kv/data.js
@@ -0,0 +1,136 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import ApplicationAdapter from '../application';
+import { kvDataPath, kvDeletePath, kvDestroyPath, kvUndeletePath } from 'vault/utils/kv-path';
+import { assert } from '@ember/debug';
+import ControlGroupError from 'vault/lib/control-group-error';
+
+export default class KvDataAdapter extends ApplicationAdapter {
+  namespace = 'v1';
+
+  _url(fullPath) {
+    return `${this.buildURL()}/${fullPath}`;
+  }
+
+  createRecord(store, type, snapshot) {
+    const { backend, path } = snapshot.record;
+    const url = this._url(kvDataPath(backend, path));
+
+    return this.ajax(url, 'POST', { data: this.serialize(snapshot) }).then((res) => {
+      return {
+        data: {
+          id: kvDataPath(backend, path, res.data.version),
+          backend,
+          path,
+          ...res.data,
+        },
+      };
+    });
+  }
+
+  fetchWrapInfo(query) {
+    const { backend, path, version, wrapTTL } = query;
+    const id = kvDataPath(backend, path, version);
+    return this.ajax(this._url(id), 'GET', { wrapTTL }).then((resp) => resp.wrap_info);
+  }
+
+  queryRecord(store, type, query) {
+    const { backend, path, version } = query;
+    // ID is the full path for the data (including version)
+    let id = kvDataPath(backend, path, version);
+    return this.ajax(this._url(id), 'GET')
+      .then((resp) => {
+        // if no version is queried, add version from response to ID
+        // otherwise duplicate ember data models will exist in store
+        // (one with an ID that includes the version and one without)
+        if (!version) {
+          id = kvDataPath(backend, path, resp.data.metadata.version);
+        }
+        return {
+          ...resp,
+          data: {
+            id,
+            backend,
+            path,
+            ...resp.data,
+          },
+        };
+      })
+      .catch((errorOrResponse) => {
+        const baseResponse = { id, backend, path, version };
+        const errorCode = errorOrResponse.httpStatus;
+        // if it's a legitimate error - throw it!
+        if (errorOrResponse instanceof ControlGroupError) {
+          throw errorOrResponse;
+        }
+
+        if (errorCode === 403) {
+          return {
+            data: {
+              ...baseResponse,
+              fail_read_error_code: errorCode,
+            },
+          };
+        }
+
+        if (errorOrResponse.data) {
+          // in the case of a deleted/destroyed secret the API returns a 404 because { data: null }
+          // however, there could be a metadata block with important information like deletion_time
+          // handleResponse below checks 404 status codes for metadata and updates the code to 200 if it exists.
+          // we still end up in the good ol' catch() block, but instead of a 404 adapter error we've "caught"
+          // the metadata that sneakily tried to hide from us
+          return {
+            ...errorOrResponse,
+            data: {
+              ...baseResponse,
+              ...errorOrResponse.data, // includes the { metadata } key we want
+            },
+          };
+        }
+
+        // If we get here, it's probably a 404 because it doesn't exist
+        throw errorOrResponse;
+      });
+  }
+
+  /* Five types of delete operations (the 5th operation is on the kv/metadata adapter) */
+  deleteRecord(store, type, snapshot) {
+    const { backend, path } = snapshot.record;
+    const { deleteType, deleteVersions } = snapshot.adapterOptions;
+
+    if (!backend || !path) {
+      throw new Error('The request to delete or undelete is missing required attributes.');
+    }
+
+    switch (deleteType) {
+      case 'delete-latest-version':
+        return this.ajax(this._url(kvDataPath(backend, path)), 'DELETE');
+      case 'delete-version':
+        return this.ajax(this._url(kvDeletePath(backend, path)), 'POST', {
+          data: { versions: deleteVersions },
+        });
+      case 'destroy':
+        return this.ajax(this._url(kvDestroyPath(backend, path)), 'PUT', {
+          data: { versions: deleteVersions },
+        });
+      case 'undelete':
+        return this.ajax(this._url(kvUndeletePath(backend, path)), 'POST', {
+          data: { versions: deleteVersions },
+        });
+      default:
+        assert('deleteType must be one of delete-latest-version, delete-version, destroy, or undelete.');
+    }
+  }
+
+  handleResponse(status, headers, payload, requestData) {
+    // after deleting a secret version, data is null and the API returns a 404
+    // but there could be relevant metadata
+    if (status === 404 && payload.data?.metadata) {
+      return super.handleResponse(200, headers, payload, requestData);
+    }
+    return super.handleResponse(...arguments);
+  }
+}
diff --git a/ui/app/adapters/kv/metadata.js b/ui/app/adapters/kv/metadata.js
new file mode 100644
index 0000000000..62c28008bb
--- /dev/null
+++ b/ui/app/adapters/kv/metadata.js
@@ -0,0 +1,77 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import ApplicationAdapter from '../application';
+import { kvMetadataPath } from 'vault/utils/kv-path';
+
+export default class KvMetadataAdapter extends ApplicationAdapter {
+  namespace = 'v1';
+
+  _url(fullPath) {
+    return `${this.buildURL()}/${fullPath}`;
+  }
+
+  createRecord(store, type, snapshot) {
+    const { backend, path } = snapshot.record;
+    const id = kvMetadataPath(backend, path);
+    const url = this._url(id);
+    const data = this.serialize(snapshot);
+    return this.ajax(url, 'POST', { data }).then(() => {
+      return {
+        id,
+        data,
+      };
+    });
+  }
+
+  updateRecord(store, type, snapshot) {
+    const { backend, path } = snapshot.record;
+    const id = kvMetadataPath(backend, path);
+    const url = this._url(id);
+    const data = this.serialize(snapshot);
+    return this.ajax(url, 'POST', { data }).then(() => {
+      return {
+        id,
+        data,
+      };
+    });
+  }
+
+  query(store, type, query) {
+    const { backend, pathToSecret } = query;
+    // example of pathToSecret: beep/boop/
+    return this.ajax(this._url(kvMetadataPath(backend, pathToSecret)), 'GET', {
+      data: { list: true },
+    }).then((resp) => {
+      resp.backend = backend;
+      resp.path = pathToSecret;
+      return resp;
+    });
+  }
+
+  queryRecord(store, type, query) {
+    const { backend, path } = query;
+    // ID is the full path for the metadata
+    const id = kvMetadataPath(backend, path);
+    return this.ajax(this._url(id), 'GET').then((resp) => {
+      return {
+        id,
+        ...resp,
+        data: {
+          backend,
+          path,
+          ...resp.data,
+        },
+      };
+    });
+  }
+
+  deleteRecord(store, type, snapshot) {
+    const { backend, path, fullSecretPath } = snapshot.record;
+    // fullSecretPath is used when deleting from the LIST view and is defined via the serializer
+    // path is used when deleting from the metadata details view.
+    return this.ajax(this._url(kvMetadataPath(backend, fullSecretPath || path)), 'DELETE');
+  }
+}
diff --git a/ui/app/adapters/secret-engine.js b/ui/app/adapters/secret-engine.js
index c15a0bc6ef..ac5c9bb023 100644
--- a/ui/app/adapters/secret-engine.js
+++ b/ui/app/adapters/secret-engine.js
@@ -34,6 +34,7 @@ export default ApplicationAdapter.extend({
     let mountModel, configModel;
     try {
       mountModel = await this.ajax(this.internalURL(query.path), 'GET');
+      // TODO kv engine cleanup - this logic can be removed when KV exists in separate ember engine
       // if kv2 then add the config data to the mountModel
       // version comes in as a string
       if (mountModel?.data?.type === 'kv' && mountModel?.data?.options?.version === '2') {
diff --git a/ui/app/app.js b/ui/app/app.js
index edd6b5ec2f..5fbe6b5456 100644
--- a/ui/app/app.js
+++ b/ui/app/app.js
@@ -52,6 +52,14 @@ export default class App extends Application {
         },
       },
     },
+    kv: {
+      dependencies: {
+        services: ['download', 'namespace', 'router', 'store', 'secret-mount-path', 'flash-messages'],
+        externalRoutes: {
+          secrets: 'vault.cluster.secrets.backends',
+        },
+      },
+    },
     pki: {
       dependencies: {
         services: [
diff --git a/ui/app/components/console/command-input.js b/ui/app/components/console/command-input.js
index baeac1993a..5cbb860198 100644
--- a/ui/app/components/console/command-input.js
+++ b/ui/app/components/console/command-input.js
@@ -4,7 +4,7 @@
  */
 
 import Component from '@ember/component';
-import keys from 'vault/lib/keycodes';
+import keys from 'core/utils/key-codes';
 
 export default Component.extend({
   onExecuteCommand() {},
diff --git a/ui/app/templates/components/get-credentials-card.hbs b/ui/app/components/get-credentials-card.hbs
similarity index 100%
rename from ui/app/templates/components/get-credentials-card.hbs
rename to ui/app/components/get-credentials-card.hbs
diff --git a/ui/app/components/get-credentials-card.js b/ui/app/components/get-credentials-card.js
index cd6015e9e7..9268c915ca 100644
--- a/ui/app/components/get-credentials-card.js
+++ b/ui/app/components/get-credentials-card.js
@@ -60,6 +60,7 @@ export default class GetCredentialsCard extends Component {
     if (role) {
       this.router.transitionTo('vault.cluster.secrets.backend.credentials', role);
     }
+    // TODO kv engine cleanup. Should be able to remove this component and replace with overview card for the role usage. KV engine has switched to overview card.
     if (secret) {
       if (secret.endsWith('/')) {
         this.router.transitionTo('vault.cluster.secrets.backend.list', secret);
diff --git a/ui/app/components/role-edit.js b/ui/app/components/role-edit.js
index a58d5611b3..8783c00579 100644
--- a/ui/app/components/role-edit.js
+++ b/ui/app/components/role-edit.js
@@ -10,7 +10,7 @@ import { task, waitForEvent } from 'ember-concurrency';
 import Component from '@ember/component';
 import { set } from '@ember/object';
 import FocusOnInsertMixin from 'vault/mixins/focus-on-insert';
-import keys from 'vault/lib/keycodes';
+import keys from 'core/utils/key-codes';
 
 const LIST_ROOT_ROUTE = 'vault.cluster.secrets.backend.list-root';
 const SHOW_ROUTE = 'vault.cluster.secrets.backend.show';
diff --git a/ui/app/components/secret-create-or-update.js b/ui/app/components/secret-create-or-update.js
index 7afc6b832c..aff341bc39 100644
--- a/ui/app/components/secret-create-or-update.js
+++ b/ui/app/components/secret-create-or-update.js
@@ -33,7 +33,7 @@
 import Component from '@glimmer/component';
 import ControlGroupError from 'vault/lib/control-group-error';
 import Ember from 'ember';
-import keys from 'vault/lib/keycodes';
+import keys from 'core/utils/key-codes';
 import { action, set } from '@ember/object';
 import { inject as service } from '@ember/service';
 import { tracked } from '@glimmer/tracking';
diff --git a/ui/app/components/secret-edit-toolbar.js b/ui/app/components/secret-edit-toolbar.js
index 3f5f02ad6b..ce1c32a85a 100644
--- a/ui/app/components/secret-edit-toolbar.js
+++ b/ui/app/components/secret-edit-toolbar.js
@@ -18,8 +18,6 @@
  * @showAdvancedMode={{showAdvancedMode}}
  * @modelForData={{this.modelForData}}
  * @canUpdateSecretData={{canUpdateSecretData}}
- * @codemirrorString={{codemirrorString}}
- * @wrappedData={{wrappedData}}
  * @editActions={{hash
     toggleAdvanced=(action "toggleAdvanced")
     refresh=(action "refresh")
@@ -32,80 +30,45 @@
  * @param {boolean} isV2 - KV type
  * @param {boolean} isWriteWithoutRead - boolean describing permissions
  * @param {boolean} secretDataIsAdvanced - used to determine if show JSON toggle
- * @param {boolean} showAdvacnedMode - used for JSON toggle
+ * @param {boolean} showAdvancedMode - used for JSON toggle
  * @param {object} modelForData - a modified version of the model with secret data
  * @param {boolean} canUpdateSecretData - permissions that show the create new version button or not.
- * @param {string} codemirrorString - used to copy the JSON
- * @param {object} wrappedData - when copy the data it's the token of the secret returned.
  * @param {object} editActions - actions passed from parent to child
  */
 /* eslint ember/no-computed-properties-in-native-classes: 'warn' */
 import Component from '@glimmer/component';
 import { action } from '@ember/object';
-import { not } from '@ember/object/computed';
 import { inject as service } from '@ember/service';
 import { tracked } from '@glimmer/tracking';
+import { task } from 'ember-concurrency';
+import { waitFor } from '@ember/test-waiters';
 
 export default class SecretEditToolbar extends Component {
   @service store;
   @service flashMessages;
 
   @tracked wrappedData = null;
-  @tracked isWrapping = false;
-  @not('wrappedData') showWrapButton;
 
   @action
   clearWrappedData() {
     this.wrappedData = null;
   }
 
-  @action
-  handleCopyError() {
-    this.flashMessages.danger('Could Not Copy Wrapped Data');
-    this.send('clearWrappedData');
-  }
+  @task
+  @waitFor
+  *wrapSecret() {
+    const { id } = this.args.modelForData;
+    const { backend } = this.args.model;
+    const wrapTTL = { wrapTTL: 1800 };
 
-  @action
-  handleCopySuccess() {
-    this.flashMessages.success('Copied Wrapped Data!');
-    this.send('clearWrappedData');
-  }
-
-  @action
-  handleWrapClick() {
-    this.isWrapping = true;
-    if (this.args.isV2) {
-      this.store
-        .adapterFor('secret-v2-version')
-        .queryRecord(this.args.modelForData.id, { wrapTTL: 1800 })
-        .then((resp) => {
-          this.wrappedData = resp.wrap_info.token;
-          this.flashMessages.success('Secret Successfully Wrapped!');
-        })
-        .catch(() => {
-          this.flashMessages.danger('Could Not Wrap Secret');
-        })
-        .finally(() => {
-          this.isWrapping = false;
-        });
-    } else {
-      this.store
-        .adapterFor('secret')
-        .queryRecord(null, null, {
-          backend: this.args.model.backend,
-          id: this.args.modelForData.id,
-          wrapTTL: 1800,
-        })
-        .then((resp) => {
-          this.wrappedData = resp.wrap_info.token;
-          this.flashMessages.success('Secret Successfully Wrapped!');
-        })
-        .catch(() => {
-          this.flashMessages.danger('Could Not Wrap Secret');
-        })
-        .finally(() => {
-          this.isWrapping = false;
-        });
+    try {
+      const resp = yield this.args.isV2
+        ? this.store.adapterFor('secret-v2-version').queryRecord(id, wrapTTL)
+        : this.store.adapterFor('secret').queryRecord(null, null, { backend, id, ...wrapTTL });
+      this.wrappedData = resp.wrap_info.token;
+      this.flashMessages.success('Secret successfully wrapped!');
+    } catch (e) {
+      this.flashMessages.danger('Could not wrap secret.');
     }
   }
 }
diff --git a/ui/app/components/transit-edit.js b/ui/app/components/transit-edit.js
index 45143294fa..05faf6cb0d 100644
--- a/ui/app/components/transit-edit.js
+++ b/ui/app/components/transit-edit.js
@@ -11,7 +11,7 @@ import { task, waitForEvent } from 'ember-concurrency';
 import { set } from '@ember/object';
 
 import FocusOnInsertMixin from 'vault/mixins/focus-on-insert';
-import keys from 'vault/lib/keycodes';
+import keys from 'core/utils/key-codes';
 
 const LIST_ROOT_ROUTE = 'vault.cluster.secrets.backend.list-root';
 const SHOW_ROUTE = 'vault.cluster.secrets.backend.show';
diff --git a/ui/app/lib/console-helpers.ts b/ui/app/lib/console-helpers.ts
index ce547a5263..1a76f4775d 100644
--- a/ui/app/lib/console-helpers.ts
+++ b/ui/app/lib/console-helpers.ts
@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import keys from 'vault/lib/keycodes';
+import keys from 'core/utils/key-codes';
 import AdapterError from '@ember-data/adapter/error';
 import { parse } from 'shell-quote';
 
diff --git a/ui/app/models/kv/config.js b/ui/app/models/kv/config.js
new file mode 100644
index 0000000000..bbb27dfb94
--- /dev/null
+++ b/ui/app/models/kv/config.js
@@ -0,0 +1,31 @@
+import Model, { attr } from '@ember-data/model';
+import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
+import { withFormFields } from 'vault/decorators/model-form-fields';
+import { duration } from 'core/helpers/format-duration';
+
+// This model is used only for display only - configuration happens via secret-engine model when an engine is mounted
+@withFormFields(['casRequired', 'deleteVersionAfter', 'maxVersions'])
+export default class KvConfigModel extends Model {
+  @attr backend;
+  @attr('number', { label: 'Maximum number of versions' }) maxVersions;
+
+  @attr('boolean', { label: 'Require check and set' }) casRequired;
+
+  @attr({ label: 'Automate secret deletion' }) deleteVersionAfter;
+
+  @lazyCapabilities(apiPath`${'backend'}/config`, 'backend') configPath;
+
+  get canRead() {
+    return this.configPath.get('canRead') !== false;
+  }
+
+  // used in template to render using this model instead of secret-engine (where these attrs also exist)
+  get displayFields() {
+    return ['casRequired', 'deleteVersionAfter', 'maxVersions'];
+  }
+
+  get displayDeleteTtl() {
+    if (this.deleteVersionAfter === '0s') return 'Never delete';
+    return duration([this.deleteVersionAfter]);
+  }
+}
diff --git a/ui/app/models/kv/data.js b/ui/app/models/kv/data.js
new file mode 100644
index 0000000000..af91ddd51b
--- /dev/null
+++ b/ui/app/models/kv/data.js
@@ -0,0 +1,113 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Model, { attr } from '@ember-data/model';
+import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
+import { withModelValidations } from 'vault/decorators/model-validations';
+import { withFormFields } from 'vault/decorators/model-form-fields';
+
+/* sample response
+{
+  "data": {
+    "data": {
+      "foo": "bar"
+    },
+    "metadata": {
+      "created_time": "2018-03-22T02:24:06.945319214Z",
+      "custom_metadata": {
+        "owner": "jdoe",
+        "mission_critical": "false"
+      },
+      "deletion_time": "",
+      "destroyed": false,
+      "version": 2
+    }
+  }
+}
+*/
+
+const validations = {
+  path: [
+    { type: 'presence', message: `Path can't be blank.` },
+    { type: 'endsInSlash', message: `Path can't end in forward slash '/'.` },
+    {
+      type: 'containsWhiteSpace',
+      message:
+        "Path contains whitespace. If this is desired, you'll need to encode it with %20 in API requests.",
+      level: 'warn',
+    },
+  ],
+  secretData: [
+    {
+      validator: (model) =>
+        model.secretData !== undefined && typeof model.secretData !== 'object' ? false : true,
+      message: 'Vault expects data to be formatted as an JSON object.',
+    },
+  ],
+};
+@withModelValidations(validations)
+@withFormFields()
+export default class KvSecretDataModel extends Model {
+  @attr('string') backend; // dynamic path of secret -- set on response from value passed to queryRecord.
+  @attr('string', { label: 'Path for this secret' }) path;
+  @attr('object') secretData; // { key: value } data of the secret version
+
+  // Params returned on the GET response.
+  @attr('string') createdTime;
+  @attr('object') customMetadata;
+  @attr('string') deletionTime;
+  @attr('boolean') destroyed;
+  @attr('number') version;
+  // Set in adapter if read failed
+  @attr('number') failReadErrorCode;
+
+  // if creating a new version this value is set in the edit route's
+  // model hook from metadata or secret version, pending permissions
+  // if the value is not a number, don't send options.cas on payload
+  @attr('number')
+  casVersion;
+
+  get state() {
+    if (this.destroyed) return 'destroyed';
+    if (this.deletionTime) return 'deleted';
+    if (this.createdTime) return 'created';
+    return '';
+  }
+
+  // Permissions
+  @lazyCapabilities(apiPath`${'backend'}/data/${'path'}`, 'backend', 'path') dataPath;
+  @lazyCapabilities(apiPath`${'backend'}/metadata/${'path'}`, 'backend', 'path') metadataPath;
+  @lazyCapabilities(apiPath`${'backend'}/delete/${'path'}`, 'backend', 'path') deletePath;
+  @lazyCapabilities(apiPath`${'backend'}/destroy/${'path'}`, 'backend', 'path') destroyPath;
+  @lazyCapabilities(apiPath`${'backend'}/undelete/${'path'}`, 'backend', 'path') undeletePath;
+
+  get canDeleteLatestVersion() {
+    return this.dataPath.get('canDelete') !== false;
+  }
+  get canDeleteVersion() {
+    return this.deletePath.get('canUpdate') !== false;
+  }
+  get canUndelete() {
+    return this.undeletePath.get('canUpdate') !== false;
+  }
+  get canDestroyVersion() {
+    return this.destroyPath.get('canUpdate') !== false;
+  }
+  get canEditData() {
+    return this.dataPath.get('canUpdate') !== false;
+  }
+  get canReadData() {
+    return this.dataPath.get('canRead') !== false;
+  }
+  get canReadMetadata() {
+    return this.metadataPath.get('canRead') !== false;
+  }
+  get canUpdateMetadata() {
+    return this.metadataPath.get('canUpdate') !== false;
+  }
+  get canListMetadata() {
+    return this.metadataPath.get('canList') !== false;
+  }
+}
diff --git a/ui/app/models/kv/metadata.js b/ui/app/models/kv/metadata.js
new file mode 100644
index 0000000000..c0ddc0e382
--- /dev/null
+++ b/ui/app/models/kv/metadata.js
@@ -0,0 +1,106 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Model, { attr } from '@ember-data/model';
+import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
+import { withModelValidations } from 'vault/decorators/model-validations';
+import { withFormFields } from 'vault/decorators/model-form-fields';
+import { keyIsFolder } from 'core/utils/key-utils';
+
+const validations = {
+  maxVersions: [
+    { type: 'number', message: 'Maximum versions must be a number.' },
+    { type: 'length', options: { min: 1, max: 16 }, message: 'You cannot go over 16 characters.' },
+  ],
+};
+const formFieldProps = ['customMetadata', 'maxVersions', 'casRequired', 'deleteVersionAfter'];
+
+@withModelValidations(validations)
+@withFormFields(formFieldProps)
+export default class KvSecretMetadataModel extends Model {
+  @attr('string') backend;
+  @attr('string') path;
+  @attr('string') fullSecretPath;
+
+  @attr('number', {
+    defaultValue: 0,
+    label: 'Maximum number of versions',
+    subText:
+      'The number of versions to keep per key. Once the number of keys exceeds the maximum number set here, the oldest version will be permanently deleted.',
+  })
+  maxVersions;
+
+  @attr('boolean', {
+    defaultValue: false,
+    label: 'Require Check and Set',
+    subText: `Writes will only be allowed if the key's current version matches the version specified in the cas parameter.`,
+  })
+  casRequired;
+
+  @attr('string', {
+    defaultValue: '0s',
+    editType: 'ttl',
+    label: 'Automate secret deletion',
+    helperTextDisabled: `A secret's version must be manually deleted.`,
+    helperTextEnabled: 'Delete all new versions of this secret after.',
+  })
+  deleteVersionAfter;
+
+  @attr('object', {
+    editType: 'kv',
+    subText: 'An optional set of informational key-value pairs that will be stored with all secret versions.',
+  })
+  customMetadata;
+
+  // Additional Params only returned on the GET response.
+  @attr('string') createdTime;
+  @attr('number') currentVersion;
+  @attr('number') oldestVersion;
+  @attr('string') updatedTime;
+  @attr('object') versions;
+
+  // used for KV list and list-directory view
+  get pathIsDirectory() {
+    // ex: beep/
+    return keyIsFolder(this.path);
+  }
+
+  // turns version object into an array for version dropdown menu
+  get sortedVersions() {
+    const array = [];
+    for (const key in this.versions) {
+      array.push({ version: key, ...this.versions[key] });
+    }
+    // version keys are in order created with 1 being the oldest, we want newest first
+    return array.reverse();
+  }
+
+  // helps in long logic statements for state of a currentVersion
+  get currentSecret() {
+    const data = this.versions[this.currentVersion];
+    const state = data.destroyed ? 'destroyed' : data.deletion_time ? 'deleted' : 'created';
+    return {
+      state,
+      isDeactivated: state !== 'created',
+    };
+  }
+
+  // permissions needed for the list view where kv/data has not yet been called. Allows us to conditionally show action items in the LinkedBlock popups.
+  @lazyCapabilities(apiPath`${'backend'}/data/${'path'}`, 'backend', 'path') dataPath;
+  @lazyCapabilities(apiPath`${'backend'}/metadata/${'path'}`, 'backend', 'path') metadataPath;
+
+  get canDeleteMetadata() {
+    return this.metadataPath.get('canDelete') !== false;
+  }
+  get canReadMetadata() {
+    return this.metadataPath.get('canRead') !== false;
+  }
+  get canUpdateMetadata() {
+    return this.metadataPath.get('canUpdate') !== false;
+  }
+  get canCreateVersionData() {
+    return this.dataPath.get('canUpdate') !== false;
+  }
+}
diff --git a/ui/app/router.js b/ui/app/router.js
index 78adeac841..5b1adc0468 100644
--- a/ui/app/router.js
+++ b/ui/app/router.js
@@ -159,6 +159,7 @@ Router.map(function () {
         this.route('backend', { path: '/:backend' }, function () {
           this.mount('kmip');
           this.mount('kubernetes');
+          this.mount('kv');
           this.mount('pki');
           this.route('index', { path: '/' });
           this.route('configuration');
diff --git a/ui/app/routes/vault/cluster/secrets/backend/configuration.js b/ui/app/routes/vault/cluster/secrets/backend/configuration.js
index 1e8401bb9a..a3619d313e 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/configuration.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/configuration.js
@@ -10,6 +10,7 @@ export default Route.extend({
   store: service(),
   async model() {
     const backend = this.modelFor('vault.cluster.secrets.backend');
+    // TODO kv engine cleanup - this can be removed when KV has fully moved to separate ember engine and list view config details menu is refactored
     if (backend.isV2KV) {
       const canRead = await this.store
         .findRecord('capabilities', `${backend.id}/config`)
diff --git a/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js b/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js
index 4bbc16c852..e85d606e4f 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js
@@ -320,7 +320,7 @@ export default Route.extend(UnloadModelRoute, {
       if (!model.hasDirtyAttributes || model.isDeleted) {
         return true;
       }
-      // TODO: below is KV v2 logic, remove with engine work
+      // TODO kv engine cleanup: below is KV v2 logic, remove with engine work
       const version = model.get('selectedVersion');
       const changed = model.changedAttributes();
       const changedKeys = Object.keys(changed);
diff --git a/ui/app/serializers/kv/data.js b/ui/app/serializers/kv/data.js
new file mode 100644
index 0000000000..de42ee0ec9
--- /dev/null
+++ b/ui/app/serializers/kv/data.js
@@ -0,0 +1,45 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import ApplicationSerializer from '../application';
+
+export default class KvDataSerializer extends ApplicationSerializer {
+  serialize(snapshot) {
+    const { secretData, casVersion } = snapshot.record;
+    if (typeof casVersion === 'number') {
+      /* if this is a number it is set by one of the following:
+        A) user is creating initial version of a secret
+         -> 0 : default value set in route
+        B) user is creating a new version of a secret:
+         -> metadata.current_version : has metadata read permissions (data permissions are irrelevant)
+         -> secret.version : has data read permissions. without metadata read access a user is unable to navigate,
+                             to older secret versions so we assume creation is from the latest version */
+      return { data: secretData, options: { cas: casVersion } };
+    }
+    // a non-number value means no read permission for both data and metadata
+    return { data: secretData };
+  }
+
+  normalizeKvData(payload) {
+    const { data, metadata } = payload.data;
+    return {
+      ...payload,
+      data: {
+        ...payload.data,
+        // Rename to secret_data so it doesn't get removed by normalizer
+        secret_data: data,
+        ...metadata,
+      },
+    };
+  }
+
+  normalizeResponse(store, primaryModelClass, payload, id, requestType) {
+    if (requestType === 'queryRecord') {
+      const transformed = this.normalizeKvData(payload);
+      return super.normalizeResponse(store, primaryModelClass, transformed, id, requestType);
+    }
+    return super.normalizeResponse(store, primaryModelClass, payload, id, requestType);
+  }
+}
diff --git a/ui/app/serializers/kv/metadata.js b/ui/app/serializers/kv/metadata.js
new file mode 100644
index 0000000000..87646a91a1
--- /dev/null
+++ b/ui/app/serializers/kv/metadata.js
@@ -0,0 +1,39 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { assert } from '@ember/debug';
+import ApplicationSerializer from '../application';
+import { kvMetadataPath } from 'vault/utils/kv-path';
+
+export default class KvMetadataSerializer extends ApplicationSerializer {
+  attrs = {
+    backend: { serialize: false },
+    path: { serialize: false },
+    oldestVersion: { serialize: false },
+    createdTime: { serialize: false },
+    updatedTime: { serialize: false },
+    currentVersion: { serialize: false },
+    versions: { serialize: false },
+  };
+
+  normalizeItems(payload) {
+    if (payload.data.keys) {
+      assert('payload.backend must be provided on kv/metadata list response', !!payload.backend);
+      return payload.data.keys.map((secret) => {
+        // If there is no payload.path then we're either on a "top level" secret or the first level directory of a nested secret.
+        // We set the path to the current secret or pathToSecret. e.g. my-secret or beep/boop/
+        // We add a param called full_secret_path to the model which we use to navigate to the nested secret. e.g. beep/boop/bop.
+        const fullSecretPath = payload.path ? payload.path + secret : secret;
+        return {
+          id: kvMetadataPath(payload.backend, fullSecretPath),
+          path: secret,
+          backend: payload.backend,
+          full_secret_path: fullSecretPath,
+        };
+      });
+    }
+    return super.normalizeItems(payload);
+  }
+}
diff --git a/ui/app/services/store.js b/ui/app/services/store.js
index 5f94c6ffa3..35280a8a6e 100644
--- a/ui/app/services/store.js
+++ b/ui/app/services/store.js
@@ -132,6 +132,7 @@ export default class StoreService extends Store {
       prevPage: clamp(currentPage - 1, 1, lastPage),
       total: dataset.length || 0,
       filteredTotal: data.length || 0,
+      pageSize: size,
     };
 
     return resp;
diff --git a/ui/app/styles/components/diff-version-selector.scss b/ui/app/styles/components/diff-version-selector.scss
index 815018953a..ad505bdb72 100644
--- a/ui/app/styles/components/diff-version-selector.scss
+++ b/ui/app/styles/components/diff-version-selector.scss
@@ -2,6 +2,7 @@
  * Copyright (c) HashiCorp, Inc.
  * SPDX-License-Identifier: BUSL-1.1
  */
+//  TODO kv engine cleanup safe to remove this, the new component does not rely on this css
 
 .visual-diff {
   background-color: black;
diff --git a/ui/app/styles/components/modal-component.scss b/ui/app/styles/components/modal-component.scss
index 5efc8f043f..addb2c2633 100644
--- a/ui/app/styles/components/modal-component.scss
+++ b/ui/app/styles/components/modal-component.scss
@@ -110,6 +110,16 @@ pre {
   }
 }
 
+.is-danger {
+  .modal-card-head {
+    background: $red-010;
+    border: 1px solid $red-100;
+  }
+  .modal-card-title {
+    color: $red-dark;
+  }
+}
+
 .modal-confirm-section {
   margin: $spacing-xl 0 $spacing-m;
 }
@@ -118,7 +128,7 @@ pre {
   background: $ui-gray-050;
   border-top: $base-border;
 }
-
+// kv engine clean up - can remove this style after you remove secret-delete-menu
 .modal-radio-button {
   display: flex;
   align-items: baseline;
diff --git a/ui/app/styles/components/toolbar.scss b/ui/app/styles/components/toolbar.scss
index 3956293b90..bb263c468d 100644
--- a/ui/app/styles/components/toolbar.scss
+++ b/ui/app/styles/components/toolbar.scss
@@ -133,6 +133,7 @@ a.disabled.toolbar-link {
   width: 0;
 }
 
+// TODO kv engine cleanup
 .version-diff-toolbar {
   display: flex;
   align-items: baseline;
diff --git a/ui/app/styles/core.scss b/ui/app/styles/core.scss
index a18b9a0778..9716fda68e 100644
--- a/ui/app/styles/core.scss
+++ b/ui/app/styles/core.scss
@@ -29,6 +29,7 @@
 @import './core/file';
 @import './core/footer';
 @import './core/inputs';
+@import './core/json-diff-patch';
 @import './core/label';
 @import './core/level';
 @import './core/link';
diff --git a/ui/app/styles/core/buttons.scss b/ui/app/styles/core/buttons.scss
index 93eafe3a3a..cc099350ed 100644
--- a/ui/app/styles/core/buttons.scss
+++ b/ui/app/styles/core/buttons.scss
@@ -92,6 +92,12 @@
     color: $red-500;
   }
 
+  &.is-warning-outlined {
+    background-color: $yellow-010;
+    border: 1px solid $yellow-700;
+    color: $yellow-700;
+  }
+
   &.is-flat {
     min-width: auto;
     border: none;
diff --git a/ui/app/styles/core/json-diff-patch.scss b/ui/app/styles/core/json-diff-patch.scss
new file mode 100644
index 0000000000..3e472d9ddb
--- /dev/null
+++ b/ui/app/styles/core/json-diff-patch.scss
@@ -0,0 +1,23 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+// used in KV version diff view. https://github.com/benjamine/jsondiffpatch/tree/master
+
+.jsondiffpatch-deleted .jsondiffpatch-property-name,
+.jsondiffpatch-deleted pre,
+.jsondiffpatch-modified .jsondiffpatch-left-value pre,
+.jsondiffpatch-textdiff-deleted {
+  background: $red-500;
+}
+.jsondiffpatch-added .jsondiffpatch-property-name,
+.jsondiffpatch-added .jsondiffpatch-value pre,
+.jsondiffpatch-modified .jsondiffpatch-right-value pre,
+.jsondiffpatch-textdiff-added {
+  background: $green-500;
+}
+
+.jsondiffpatch-property-name {
+  color: $ui-gray-300;
+}
diff --git a/ui/app/styles/helper-classes/colors.scss b/ui/app/styles/helper-classes/colors.scss
index e0d4b81dbc..90add57ef7 100644
--- a/ui/app/styles/helper-classes/colors.scss
+++ b/ui/app/styles/helper-classes/colors.scss
@@ -18,6 +18,10 @@
   background-color: $ui-gray-200;
 }
 
+.background-color-black {
+  background-color: black;
+}
+
 // borders
 .has-border-top-light {
   border-radius: 0;
@@ -40,6 +44,10 @@ select.has-error-border {
 }
 
 // text color
+.text-grey-lightest {
+  color: $grey-lightest;
+}
+
 .has-text-grey-light {
   color: $ui-gray-300 !important;
 }
diff --git a/ui/app/styles/helper-classes/flexbox-and-grid.scss b/ui/app/styles/helper-classes/flexbox-and-grid.scss
index 20cbbe0cb0..3b9c4b4a77 100644
--- a/ui/app/styles/helper-classes/flexbox-and-grid.scss
+++ b/ui/app/styles/helper-classes/flexbox-and-grid.scss
@@ -118,6 +118,10 @@
   grid-template-columns: repeat(3, 1fr);
 }
 
+.align-self-center {
+  align-self: center;
+}
+
 .is-medium-height {
   height: 125px;
 }
diff --git a/ui/app/styles/helper-classes/layout.scss b/ui/app/styles/helper-classes/layout.scss
index 23e967903d..58717acc41 100644
--- a/ui/app/styles/helper-classes/layout.scss
+++ b/ui/app/styles/helper-classes/layout.scss
@@ -34,6 +34,10 @@
   position: relative;
 }
 
+.top-xxs {
+  top: $spacing-xxs;
+}
+
 // visibility
 .is-invisible {
   visibility: hidden;
@@ -44,6 +48,10 @@
   width: 100%;
 }
 
+.is-three-fourths-width {
+  width: 75%;
+}
+
 .is-auto-width {
   width: auto;
 }
diff --git a/ui/app/styles/helper-classes/typography.scss b/ui/app/styles/helper-classes/typography.scss
index a2698c05ea..43b76fdb99 100644
--- a/ui/app/styles/helper-classes/typography.scss
+++ b/ui/app/styles/helper-classes/typography.scss
@@ -104,3 +104,7 @@
     color: inherit;
   }
 }
+
+.opacity-060 {
+  opacity: 0.6;
+}
diff --git a/ui/app/templates/components/diff-version-selector.hbs b/ui/app/templates/components/diff-version-selector.hbs
index 804ae29544..fe6ad3da8e 100644
--- a/ui/app/templates/components/diff-version-selector.hbs
+++ b/ui/app/templates/components/diff-version-selector.hbs
@@ -3,6 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
+{{! TODO kv engine cleanup }}
 <Toolbar>
   <div class="version-diff-toolbar" data-test-version-diff-toolbar>
     {{! Left side version }}
diff --git a/ui/app/templates/components/secret-create-or-update.hbs b/ui/app/templates/components/secret-create-or-update.hbs
index 7f91804d23..ce6d1e5f63 100644
--- a/ui/app/templates/components/secret-create-or-update.hbs
+++ b/ui/app/templates/components/secret-create-or-update.hbs
@@ -33,6 +33,7 @@
           @isMarginless={{true}}
         />
       {{/if}}
+      {{! TODO kv engine cleanup }}
       {{#if @modelForData.isFolder}}
         <p class="help has-text-danger">
           The secret path may not end in
@@ -172,7 +173,7 @@
             <ul class={{if (and (eq @canReadSecretData false) this.isCreateNewVersionFromOldVersion) "bullet"}}>
               {{#if (eq @canReadSecretData false)}}
                 <li data-test-warning-no-read-permissions>
-                  You do not have read permissions. If a secret exists here creating a new secret will overwrite it.
+                  You do not have read permissions. If a secret exists at this path creating a new secret will overwrite it.
                 </li>
               {{/if}}
               {{#if this.isCreateNewVersionFromOldVersion}}
diff --git a/ui/app/templates/components/secret-edit-toolbar.hbs b/ui/app/templates/components/secret-edit-toolbar.hbs
index 6d1ccd6080..2b99a85b35 100644
--- a/ui/app/templates/components/secret-edit-toolbar.hbs
+++ b/ui/app/templates/components/secret-edit-toolbar.hbs
@@ -30,59 +30,15 @@
       />
     {{/if}}
     {{#if (and (eq @mode "show") @canUpdateSecretData)}}
+      {{! TODO kv engine cleanup - remove @isV2 logic }}
       {{#unless (and @isV2 (or @isWriteWithoutRead @modelForData.destroyed @modelForData.deleted))}}
-        <BasicDropdown
-          @class="popup-menu"
-          @horizontalPosition="auto-right"
-          @verticalPosition="below"
-          @onClose={{action "clearWrappedData"}}
-          as |D|
-        >
-          <D.Trigger
-            data-test-popup-menu-trigger="true"
-            class={{concat "toolbar-link" (if D.isOpen " is-active")}}
-            @htmlTag="button"
-          >
-            Copy
-            <Chevron @direction="down" @isButton={{true}} />
-          </D.Trigger>
-          <D.Content @defaultClass="popup-menu-content is-wide">
-            <nav class="box menu">
-              <ul class="menu-list">
-                <li class="action">
-                  <CopyButton
-                    @class="link link-plain has-text-weight-semibold is-ghost"
-                    @clipboardText={{stringify @modelForData.secretData}}
-                    @success={{action (set-flash-message "JSON Copied!")}}
-                    data-test-copy-button
-                  >
-                    Copy JSON
-                  </CopyButton>
-                </li>
-                <li class="action">
-                  {{#if this.showWrapButton}}
-                    <button
-                      class="link link-plain has-text-weight-semibold is-ghost {{if this.isWrapping 'is-loading'}}"
-                      type="button"
-                      {{on "click" this.handleWrapClick}}
-                      data-test-wrap-button
-                      disabled={{this.isWrapping}}
-                    >
-                      Wrap secret
-                    </button>
-                  {{else}}
-                    <MaskedInput
-                      @class="has-padding"
-                      @displayOnly={{true}}
-                      @allowCopy={{true}}
-                      @value={{this.wrappedData}}
-                    />
-                  {{/if}}
-                </li>
-              </ul>
-            </nav>
-          </D.Content>
-        </BasicDropdown>
+        <CopySecretDropdown
+          @clipboardText={{stringify @modelForData.secretData}}
+          @onWrap={{perform this.wrapSecret}}
+          @isWrapping={{this.wrapSecret.isRunning}}
+          @wrappedData={{this.wrappedData}}
+          @onClose={{this.clearWrappedData}}
+        />
       {{/unless}}
     {{/if}}
 
diff --git a/ui/app/templates/components/secret-form-show.hbs b/ui/app/templates/components/secret-form-show.hbs
index d1e2ef114d..0887eb49a3 100644
--- a/ui/app/templates/components/secret-form-show.hbs
+++ b/ui/app/templates/components/secret-form-show.hbs
@@ -3,6 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
+{{! TODO kv engine cleanup : this component can remove all logic related to V2 }}
 {{#if (and @isV2 @modelForData.destroyed)}}
   <EmptyState
     @title="Version {{@modelForData.version}} of this secret has been permanently destroyed"
diff --git a/ui/app/templates/components/secret-version-menu.hbs b/ui/app/templates/components/secret-version-menu.hbs
index 4bba937129..395c16fbe9 100644
--- a/ui/app/templates/components/secret-version-menu.hbs
+++ b/ui/app/templates/components/secret-version-menu.hbs
@@ -3,6 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
+{{! TODO kv engine cleanup : this component can be deleted in favor of <KvVersionDropdown/> }}
 <BasicDropdown @class="popup-menu" @horizontalPosition="auto-right" @verticalPosition="below" as |D|>
   <D.Trigger
     data-test-popup-menu-trigger="version"
diff --git a/ui/app/templates/vault/cluster/access/leases/list.hbs b/ui/app/templates/vault/cluster/access/leases/list.hbs
index e02927b476..632d91505d 100644
--- a/ui/app/templates/vault/cluster/access/leases/list.hbs
+++ b/ui/app/templates/vault/cluster/access/leases/list.hbs
@@ -36,19 +36,16 @@
       @placeholder="Filter leases"
     />
     {{#if this.filterFocused}}
-      {{! template-lint-disable no-whitespace-for-layout }}
-      &nbsp; &nbsp;
-      {{! template-lint-enable no-whitespace-for-layout }}
       {{#if this.filterMatchesKey}}
         {{#unless this.filterIsFolder}}
-          <p class="help has-text-grey is-size-8">
+          <p class="help has-text-grey is-size-8 has-left-padding-xs">
             <kbd>ENTER</kbd>
             to go to see details
           </p>
         {{/unless}}
       {{/if}}
       {{#if this.firstPartialMatch}}
-        <p class="help has-text-grey is-size-8">
+        <p class="help has-text-grey is-size-8 has-left-padding-xs">
           <kbd>TAB</kbd>
           to complete
         </p>
diff --git a/ui/app/templates/vault/cluster/secrets/backend/diff.hbs b/ui/app/templates/vault/cluster/secrets/backend/diff.hbs
index 8d7a3721ef..e26ec565c3 100644
--- a/ui/app/templates/vault/cluster/secrets/backend/diff.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backend/diff.hbs
@@ -3,6 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
+{{! TODO kv engine cleanup }}
 <PageHeader as |p|>
   <p.top>
     <KeyValueHeader
diff --git a/ui/app/templates/vault/cluster/secrets/backends.hbs b/ui/app/templates/vault/cluster/secrets/backends.hbs
index 286be04f7a..f5295ee614 100644
--- a/ui/app/templates/vault/cluster/secrets/backends.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backends.hbs
@@ -99,6 +99,7 @@
           <nav class="menu" aria-label="{{if backend.isSupportedBackend 'supported' 'unsupported'}} secrets engine menu">
             <ul class="menu-list">
               <li class="action">
+                {{! TODO kv engine cleanup: this link will not be accurate for kv config details }}
                 <LinkTo @route="vault.cluster.secrets.backend.configuration" @model={{backend.id}} data-test-engine-config>
                   View configuration
                 </LinkTo>
diff --git a/ui/app/utils/kv-path.ts b/ui/app/utils/kv-path.ts
new file mode 100644
index 0000000000..8d1f5abedc
--- /dev/null
+++ b/ui/app/utils/kv-path.ts
@@ -0,0 +1,32 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+/**
+ * This set of utils is for calculating the full path for a given KV V2 secret, which doubles as its ID.
+ * Additional methods for building URLs for other KV-V2 actions
+ */
+
+import { encodePath } from 'vault/utils/path-encoding-helpers';
+
+function buildKvPath(backend: string, path: string, type: string, version?: number | string) {
+  const url = `${encodePath(backend)}/${type}/${encodePath(path)}`;
+  return version ? `${url}?version=${version}` : url;
+}
+
+export function kvDataPath(backend: string, path: string, version?: number | string) {
+  return buildKvPath(backend, path, 'data', version);
+}
+export function kvDeletePath(backend: string, path: string, version?: number | string) {
+  return buildKvPath(backend, path, 'delete', version);
+}
+export function kvMetadataPath(backend: string, path: string) {
+  return buildKvPath(backend, path, 'metadata');
+}
+export function kvDestroyPath(backend: string, path: string) {
+  return buildKvPath(backend, path, 'destroy');
+}
+export function kvUndeletePath(backend: string, path: string) {
+  return buildKvPath(backend, path, 'undelete');
+}
diff --git a/ui/lib/core/addon/components/copy-secret-dropdown.hbs b/ui/lib/core/addon/components/copy-secret-dropdown.hbs
new file mode 100644
index 0000000000..63142912b9
--- /dev/null
+++ b/ui/lib/core/addon/components/copy-secret-dropdown.hbs
@@ -0,0 +1,38 @@
+{{! @onWrap is recommend to be a concurrency task! see <Page::Secret::Details> in KV addon for example }}
+<BasicDropdown @class="popup-menu" @horizontalPosition="auto-right" @verticalPosition="below" @onClose={{@onClose}} as |D|>
+  <D.Trigger data-test-copy-menu-trigger class="toolbar-link {{if D.isOpen 'is-active'}}" @htmlTag="button">
+    Copy
+    <Chevron @direction={{if D.isOpen "up" "down"}} @isButton={{true}} />
+  </D.Trigger>
+  <D.Content @defaultClass="popup-menu-content is-wide">
+    <nav class="box menu">
+      <ul class="menu-list">
+        <li class="action">
+          <CopyButton
+            @class="link"
+            @clipboardText={{@clipboardText}}
+            @success={{fn (set-flash-message "JSON Copied!")}}
+            data-test-copy-button
+          >
+            Copy JSON
+          </CopyButton>
+        </li>
+        <li class="action">
+          {{#if @wrappedData}}
+            <MaskedInput @class="has-padding" @displayOnly={{true}} @allowCopy={{true}} @value={{@wrappedData}} />
+          {{else}}
+            <button
+              class="link button {{if @isWrapping 'is-loading'}}"
+              type="button"
+              {{on "click" @onWrap}}
+              disabled={{@isWrapping}}
+              data-test-wrap-button
+            >
+              Wrap secret
+            </button>
+          {{/if}}
+        </li>
+      </ul>
+    </nav>
+  </D.Content>
+</BasicDropdown>
\ No newline at end of file
diff --git a/ui/lib/core/addon/components/input-search.js b/ui/lib/core/addon/components/input-search.js
index 86343e3c8b..db37120015 100644
--- a/ui/lib/core/addon/components/input-search.js
+++ b/ui/lib/core/addon/components/input-search.js
@@ -7,7 +7,24 @@ import Component from '@glimmer/component';
 import { action } from '@ember/object';
 import { tracked } from '@glimmer/tracking';
 
-export default class inputSelect extends Component {
+/**
+ * @module InputSearch
+ * This component renders an input that fires a callback on "keyup" containing the input's value
+ *
+ * @example
+ * <InputSearch
+ * @initialValue="secret/path/"
+ * @onChange={{this.handleSearch}}
+ * @placeholder="search..."
+ * />
+ * @param {string} [id] - unique id for the input
+ * @param {string} [initialValue] - initial search value, i.e. a secret path prefix, that pre-fills the input field
+ * @param {string} [placeholder] - placeholder text for the input
+ * @param {string} [label] - label for the input
+ * @param {string} [subtext] - displays below the label
+ */
+
+export default class InputSearch extends Component {
   /*
    * @public
    * @param Function
diff --git a/ui/lib/core/addon/components/kv-object-editor.hbs b/ui/lib/core/addon/components/kv-object-editor.hbs
index 842de187f4..9c803b8c9c 100644
--- a/ui/lib/core/addon/components/kv-object-editor.hbs
+++ b/ui/lib/core/addon/components/kv-object-editor.hbs
@@ -21,7 +21,7 @@
       <div class="columns is-variable" data-test-kv-row>
         <div class="column is-one-quarter">
           <Input
-            data-test-kv-key={{true}}
+            data-test-kv-key={{index}}
             @value={{row.name}}
             placeholder={{this.placeholders.key}}
             {{on "change" (fn this.updateRow row index)}}
@@ -31,6 +31,13 @@
         <div class="column">
           {{#if (has-block)}}
             {{yield row this.kvData}}
+          {{else if @isMasked}}
+            <MaskedInput
+              data-test-kv-value={{index}}
+              @name={{row.name}}
+              @onChange={{fn this.updateRow row index}}
+              @value={{row.value}}
+            />
           {{else}}
             <Textarea
               data-test-kv-value={{index}}
@@ -47,7 +54,7 @@
         </div>
         <div class="column is-narrow">
           {{#if (eq this.kvData.length (inc index))}}
-            <button type="button" {{action "addRow"}} class="button is-outlined is-primary" data-test-kv-add-row={{true}}>
+            <button type="button" {{action "addRow"}} class="button is-outlined is-primary" data-test-kv-add-row={{index}}>
               Add
             </button>
           {{else}}
diff --git a/ui/lib/core/addon/components/kv-object-editor.js b/ui/lib/core/addon/components/kv-object-editor.js
index cad55fe55c..69cdc2d455 100644
--- a/ui/lib/core/addon/components/kv-object-editor.js
+++ b/ui/lib/core/addon/components/kv-object-editor.js
@@ -25,6 +25,7 @@ import KVObject from 'vault/lib/kv-object';
  * ```
  * @param {string} value - the value is captured from the model.
  * @param {function} onChange - function that captures the value on change
+ * @param {boolean} [isMasked = false] - when true the <MaskedInput> renders instead of the default <textarea> to input the value portion of the key/value object 
  * @param {function} [onKeyUp] - function passed in that handles the dom keyup event. Used for validation on the kv custom metadata.
  * @param {string} [label] - label displayed over key value inputs
  * @param {string} [labelClass] - override default label class in FormFieldLabel component
diff --git a/ui/lib/core/addon/components/navigate-input.js b/ui/lib/core/addon/components/navigate-input.js
index 699b47b6c8..d6a8b607ea 100644
--- a/ui/lib/core/addon/components/navigate-input.js
+++ b/ui/lib/core/addon/components/navigate-input.js
@@ -12,8 +12,7 @@ import Component from '@glimmer/component';
 
 import { encodePath } from 'vault/utils/path-encoding-helpers';
 import { keyIsFolder, parentKeyForKey } from 'core/utils/key-utils';
-// TODO MOVE THESE TO THE ADDON
-import keys from 'vault/lib/keycodes';
+import keys from 'core/utils/key-codes';
 
 /**
  * @module NavigateInput
diff --git a/ui/lib/core/addon/components/page/breadcrumbs.hbs b/ui/lib/core/addon/components/page/breadcrumbs.hbs
index 58317432ce..d466215500 100644
--- a/ui/lib/core/addon/components/page/breadcrumbs.hbs
+++ b/ui/lib/core/addon/components/page/breadcrumbs.hbs
@@ -5,15 +5,21 @@
 
 <nav class="breadcrumb" aria-label="breadcrumbs" data-test-breadcrumbs>
   <ul>
-    {{#each @breadcrumbs as |breadcrumb|}}
-      <li>
+    {{#each @breadcrumbs as |breadcrumb idx|}}
+      <li data-test-crumb="{{idx}}">
         <span class="sep">/</span>
         {{#if breadcrumb.linkExternal}}
           <LinkToExternal @route={{breadcrumb.route}}>{{breadcrumb.label}}</LinkToExternal>
         {{else if breadcrumb.route}}
-          <LinkTo @route={{breadcrumb.route}}>
-            {{breadcrumb.label}}
-          </LinkTo>
+          {{#if breadcrumb.model}}
+            <LinkTo @route={{breadcrumb.route}} @model={{breadcrumb.model}}>
+              {{breadcrumb.label}}
+            </LinkTo>
+          {{else}}
+            <LinkTo @route={{breadcrumb.route}}>
+              {{breadcrumb.label}}
+            </LinkTo>
+          {{/if}}
         {{else}}
           {{breadcrumb.label}}
         {{/if}}
diff --git a/ui/lib/core/addon/components/page/breadcrumbs.js b/ui/lib/core/addon/components/page/breadcrumbs.js
index 0819bdb8a9..395686cb87 100644
--- a/ui/lib/core/addon/components/page/breadcrumbs.js
+++ b/ui/lib/core/addon/components/page/breadcrumbs.js
@@ -21,7 +21,7 @@ export default class Breadcrumbs extends Component {
   constructor() {
     super(...arguments);
     this.args.breadcrumbs.forEach((breadcrumb) => {
-      assert('breadcrumb has a label key', Object.keys(breadcrumb).includes('label'));
+      assert('breadcrumb must have a label key', Object.keys(breadcrumb).includes('label'));
     });
   }
 }
diff --git a/ui/app/helpers/stringify.js b/ui/lib/core/addon/helpers/stringify.js
similarity index 100%
rename from ui/app/helpers/stringify.js
rename to ui/lib/core/addon/helpers/stringify.js
diff --git a/ui/app/helpers/to-label.js b/ui/lib/core/addon/helpers/to-label.js
similarity index 100%
rename from ui/app/helpers/to-label.js
rename to ui/lib/core/addon/helpers/to-label.js
diff --git a/ui/app/lib/keycodes.js b/ui/lib/core/addon/utils/key-codes.js
similarity index 93%
rename from ui/app/lib/keycodes.js
rename to ui/lib/core/addon/utils/key-codes.js
index 267fe7268e..4c0d933d0d 100644
--- a/ui/app/lib/keycodes.js
+++ b/ui/lib/core/addon/utils/key-codes.js
@@ -13,4 +13,5 @@ export default {
   RIGHT: 39,
   DOWN: 40,
   T: 116,
+  BACKSPACE: 8,
 };
diff --git a/ui/lib/core/app/components/copy-secret-dropdown.js b/ui/lib/core/app/components/copy-secret-dropdown.js
new file mode 100644
index 0000000000..148ebb1ca3
--- /dev/null
+++ b/ui/lib/core/app/components/copy-secret-dropdown.js
@@ -0,0 +1 @@
+export { default } from 'core/components/copy-secret-dropdown';
diff --git a/ui/lib/core/app/helpers/format-duration.js b/ui/lib/core/app/helpers/format-duration.js
index 3db3770c76..caf870b084 100644
--- a/ui/lib/core/app/helpers/format-duration.js
+++ b/ui/lib/core/app/helpers/format-duration.js
@@ -3,4 +3,4 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-export { default } from 'core/helpers/format-duration';
+export { default, duration } from 'core/helpers/format-duration';
diff --git a/ui/lib/core/app/helpers/stringify.js b/ui/lib/core/app/helpers/stringify.js
new file mode 100644
index 0000000000..a0957233a7
--- /dev/null
+++ b/ui/lib/core/app/helpers/stringify.js
@@ -0,0 +1,6 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+export { default } from 'core/helpers/stringify';
diff --git a/ui/lib/core/app/helpers/to-label.js b/ui/lib/core/app/helpers/to-label.js
new file mode 100644
index 0000000000..699d9ed77c
--- /dev/null
+++ b/ui/lib/core/app/helpers/to-label.js
@@ -0,0 +1,6 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+export { default } from 'core/helpers/to-label';
diff --git a/ui/lib/kv/addon/components/kv-data-fields.hbs b/ui/lib/kv/addon/components/kv-data-fields.hbs
new file mode 100644
index 0000000000..eee7e603a9
--- /dev/null
+++ b/ui/lib/kv/addon/components/kv-data-fields.hbs
@@ -0,0 +1,33 @@
+{{#let (find-by "name" "path" @secret.allFields) as |attr|}}
+  {{#if @isEdit}}
+    <ReadonlyFormField @attr={{attr}} @value={{get @secret attr.name}} />
+  {{else}}
+    <FormField @attr={{attr}} @model={{@secret}} @modelValidations={{@modelValidations}} @onKeyUp={{@pathValidations}} />
+  {{/if}}
+{{/let}}
+
+<hr class="is-marginless has-background-gray-200" />
+{{#if @showJson}}
+  <JsonEditor
+    @title="{{if @isEdit 'Version' 'Secret'}} data"
+    @value={{or (stringify @secret.secretData) this.emptyJson}}
+    @valueUpdated={{this.handleJson}}
+  />
+  {{#if (or @modelValidations.secretData.errors this.lintingErrors)}}
+    <AlertInline @type={{if this.lintingErrors "warning" "danger"}} @paddingTop={{true}}>
+      {{#if @modelValidations.secretData.errors}}
+        {{@modelValidations.secretData.errors}}
+      {{else}}
+        JSON is unparsable. Fix linting errors to avoid data discrepancies.
+      {{/if}}
+    </AlertInline>
+  {{/if}}
+{{else}}
+  <KvObjectEditor
+    class="has-top-margin-m"
+    @label="{{if @isEdit 'Version' 'Secret'}} data"
+    @value={{@secret.secretData}}
+    @onChange={{fn (mut @secret.secretData)}}
+    @isMasked={{true}}
+  />
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/kv-data-fields.js b/ui/lib/kv/addon/components/kv-data-fields.js
new file mode 100644
index 0000000000..bb1f759810
--- /dev/null
+++ b/ui/lib/kv/addon/components/kv-data-fields.js
@@ -0,0 +1,45 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import KVObject from 'vault/lib/kv-object';
+
+/**
+ * @module KvDataFields is used for rendering the fields associated with kv secret data, it hides/shows a json editor and renders validation errors for the json editor
+ *
+ * <KvDataFields
+ *  @showJson={{true}}
+ *  @secret={{@secret}}
+ *  @isEdit={{true}}
+ *  @modelValidations={{this.modelValidations}}
+ *  @pathValidations={{this.pathValidations}}
+ * />
+ *
+ * @param {model} secret - Ember data model: 'kv/data', the new record saved by the form
+ * @param {boolean} showJson - boolean passed from parent to hide/show json editor
+ * @param {object} [modelValidations] - object of errors.  If attr.name is in object and has error message display in AlertInline.
+ * @param {callback} [pathValidations] - callback function fired for the path input on key up
+ * @param {boolean} [isEdit=false] - if true, this is a new secret version rather than a new secret. Used to change text for some form labels
+ */
+
+export default class KvDataFields extends Component {
+  @tracked lintingErrors;
+
+  get emptyJson() {
+    // if secretData is null, this specially formats a blank object and renders a nice initial state for the json editor
+    return KVObject.create({ content: [{ name: '', value: '' }] }).toJSONString(true);
+  }
+
+  @action
+  handleJson(value, codemirror) {
+    codemirror.performLint();
+    this.lintingErrors = codemirror.state.lint.marked.length > 0;
+    if (!this.lintingErrors) {
+      this.args.secret.secretData = JSON.parse(value);
+    }
+  }
+}
diff --git a/ui/lib/kv/addon/components/kv-delete-modal.hbs b/ui/lib/kv/addon/components/kv-delete-modal.hbs
new file mode 100644
index 0000000000..78235ba9d3
--- /dev/null
+++ b/ui/lib/kv/addon/components/kv-delete-modal.hbs
@@ -0,0 +1,61 @@
+<button type="button" class="toolbar-link" {{on "click" (fn (mut this.modalOpen) true)}} data-test-kv-delete={{@mode}}>
+  {{yield}}
+</button>
+{{#if this.modalOpen}}
+  <Modal
+    @title={{this.modalDisplay.title}}
+    @onClose={{fn (mut this.modalOpen) false}}
+    @isActive={{this.modalOpen}}
+    @type={{this.modalDisplay.type}}
+    @showCloseButton={{true}}
+  >
+    <section class="modal-card-body">
+      <p class="has-bottom-margin-s">
+        {{this.modalDisplay.intro}}
+      </p>
+      {{#if (eq @mode "delete")}}
+        <div class="is-flex-column">
+          {{#each this.deleteOptions as |option|}}
+            <ToolTip @verticalPosition="above" @horizontalPosition="left" as |T|>
+              <T.Trigger @tabindex="-1">
+                <div class="is-flex-align-baseline has-bottom-margin-m">
+                  <RadioButton
+                    id={{option.key}}
+                    class="radio top-xxs"
+                    @disabled={{option.disabled}}
+                    @value={{option.key}}
+                    @groupValue={{this.deleteType}}
+                    @onChange={{fn (mut this.deleteType) option.key}}
+                  />
+                  <label for={{option.key}} class="has-left-margin-s {{if option.disabled 'opacity-060'}}">
+                    <p class="has-text-weight-semibold">{{option.label}}</p>
+                    <p>{{option.description}}</p>
+                  </label>
+                </div>
+              </T.Trigger>
+              {{#if option.disabled}}
+                <T.Content @defaultClass="tool-tip">
+                  <div class="box">
+                    {{option.tooltipMessage}}
+                  </div>
+                </T.Content>
+              {{/if}}
+            </ToolTip>
+          {{/each}}
+        </div>
+      {{/if}}
+    </section>
+    <footer class="modal-card-foot modal-card-foot-outlined">
+      <button
+        type="button"
+        class="button {{if (eq this.modalDisplay.type 'danger') 'is-danger-outlined' 'is-warning-outlined'}}"
+        {{on "click" this.onDelete}}
+      >
+        Confirm
+      </button>
+      <button type="button" class="button is-secondary" {{on "click" (fn (mut this.modalOpen) false)}}>
+        Cancel
+      </button>
+    </footer>
+  </Modal>
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/kv-delete-modal.js b/ui/lib/kv/addon/components/kv-delete-modal.js
new file mode 100644
index 0000000000..a562ca1cf4
--- /dev/null
+++ b/ui/lib/kv/addon/components/kv-delete-modal.js
@@ -0,0 +1,88 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { assert } from '@ember/debug';
+
+/**
+ * @module KvDeleteModal displays a button for a delete type and launches a modal. Undelete is the only mode that does not launch the modal and is not handled in this component.
+ *
+ * <KvDeleteModal
+ *  @mode="destroy"
+ *  @secret={{this.model.secret}}
+ *  @metadata={{this.model.metadata}}
+ *  @onDelete={{this.handleDestruction}}
+ * />
+ *
+ * @param {string} mode - delete, delete-metadata, or destroy.
+ * @param {object} secret - The kv/data model.
+ * @param {object} [metadata] - The kv/metadata model. It is only required when mode is "delete" or "metadata-delete".
+ * @param {callback} onDelete - callback function fired to handle delete event.
+ */
+
+export default class KvDeleteModal extends Component {
+  @tracked deleteType = null; // Either delete-version or delete-current-version.
+  @tracked modalOpen = false;
+
+  get modalDisplay() {
+    switch (this.args.mode) {
+      // Does not match adapter key directly because a delete type must be selected.
+      case 'delete':
+        return {
+          title: 'Delete version?',
+          type: 'warning',
+          intro:
+            'There are two ways to delete a version of a secret. Both delete actions can be undeleted later. How would you like to proceed?',
+        };
+      case 'destroy':
+        return {
+          title: 'Destroy version?',
+          type: 'danger',
+          intro: `This action will permanently destroy Version ${this.args.secret.version} of the secret, and the secret data cannot be read or recovered later.`,
+        };
+      case 'delete-metadata':
+        return {
+          title: 'Delete metadata?',
+          type: 'danger',
+          intro:
+            'This will permanently delete the metadata and versions of the secret. All version history will be removed. This cannot be undone.',
+        };
+      default:
+        return assert('mode must be one of delete, destroy, or delete-metadata.');
+    }
+  }
+
+  get deleteOptions() {
+    const { secret, metadata } = this.args;
+    const isDeactivated = secret.canReadMetadata ? metadata?.currentSecret.isDeactivated : false;
+    return [
+      {
+        key: 'delete-version',
+        label: 'Delete this version',
+        description: `This deletes Version ${secret.version} of the secret.`,
+        disabled: !secret.canDeleteVersion,
+        tooltipMessage: 'You do not have permission to delete a specific version.',
+      },
+      {
+        key: 'delete-latest-version',
+        label: 'Delete latest version',
+        description: 'This deletes the most recent version of the secret.',
+        disabled: !secret.canDeleteLatestVersion || isDeactivated,
+        tooltipMessage: isDeactivated
+          ? `The latest version of the secret is already ${metadata.currentSecret.state}.`
+          : 'You do not have permission to delete the latest version of this secret.',
+      },
+    ];
+  }
+
+  @action
+  onDelete() {
+    const type = this.args.mode === 'delete' ? this.deleteType : this.args.mode;
+    this.args.onDelete(type);
+    this.modalOpen = false;
+  }
+}
diff --git a/ui/lib/kv/addon/components/kv-list-filter.hbs b/ui/lib/kv/addon/components/kv-list-filter.hbs
new file mode 100644
index 0000000000..521be2e3f4
--- /dev/null
+++ b/ui/lib/kv/addon/components/kv-list-filter.hbs
@@ -0,0 +1,35 @@
+<div class="navigate-filter">
+  <div class="field" data-test-nav-input>
+    <p class="control has-icons-left">
+      <Input
+        id="secret-filter"
+        class="filter input"
+        placeholder="Filter secrets"
+        @value={{@filterValue}}
+        @type="text"
+        data-test-component="kv-list-filter"
+        {{on "input" this.handleInput}}
+        {{on "keydown" this.handleKeyDown}}
+        {{on "focus" this.setFilterIsFocused}}
+        {{did-insert this.focusInput}}
+        autocomplete="off"
+      />
+      <Icon @name="search" class="search-icon has-text-grey-light" />
+    </p>
+  </div>
+</div>
+{{#if (and this.filterIsFocused this.isFilterMatch)}}
+  <p class="help has-text-grey is-size-8 has-left-padding-xs" data-test-help-enter>
+    <kbd>ENTER</kbd>
+    to go to see details.
+    <kbd>ESC</kbd>
+    to clear input.
+  </p>
+{{else}}
+  <p class="help has-text-grey is-size-8 has-left-padding-xs" data-test-help-tab>
+    <kbd>TAB</kbd>
+    to autocomplete.
+    <kbd>ESC</kbd>
+    to clear input.
+  </p>
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/kv-list-filter.js b/ui/lib/kv/addon/components/kv-list-filter.js
new file mode 100644
index 0000000000..03bc4effbc
--- /dev/null
+++ b/ui/lib/kv/addon/components/kv-list-filter.js
@@ -0,0 +1,166 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { inject as service } from '@ember/service';
+import { action } from '@ember/object';
+import keys from 'core/utils/key-codes';
+import { keyIsFolder, parentKeyForKey, keyWithoutParentKey } from 'core/utils/key-utils';
+import escapeStringRegexp from 'escape-string-regexp';
+import { tracked } from '@glimmer/tracking';
+
+/**
+ * @module KvListFilter
+ * `KvListFilter` filters through the KV metadata LIST response. It allows users to search through the current list, navigate into directories, and use keyboard functions to: autocomplete, view a secret, create a new secret, or clear the input field.
+ *  *
+ * <KvListFilter
+ *  @secrets={{this.model.secrets}}
+ *  @mountPoint={{this.model.mountPoint}}
+ *  @filterValue="beep/my-"
+ *  @pageFilter="my-"
+ * />
+ * @param {array} secrets - An array of secret models.
+ * @param {string} mountPoint - Where in the router files we're located. For this component it will always be vault.cluster.secrets.backend.kv
+ * @param {string} filterValue - A concatenation between the list-directory's dynamic path "path-to-secret" and the queryParam "pageFilter". For example, if we're inside the beep/ directory searching for any secret that starts with "my-" this value will equal "beep/my-".
+ * @param {string} pageFilter - The queryParam value, does not include pathToSecret ex: my-.
+ */
+
+export default class KvListFilterComponent extends Component {
+  @service router;
+  @tracked filterIsFocused = false;
+
+  navigate(pathToSecret, pageFilter) {
+    const route = pathToSecret ? `${this.args.mountPoint}.list-directory` : `${this.args.mountPoint}.list`;
+    const args = [route];
+    if (pathToSecret) {
+      args.push(pathToSecret);
+    }
+    args.push({
+      queryParams: {
+        pageFilter: pageFilter ? pageFilter : null,
+      },
+    });
+    this.router.transitionTo(...args);
+  }
+
+  /*
+  - partialMatch returns the secret that most closely matches the pageFilter queryParam.
+  - Searches pageFilter and not filterValue because if we're inside a directory we only care about the secrets listed there and not the directory. 
+  - If pageFilter is empty this returns the first secret model in the list.
+**/
+  get partialMatch() {
+    // If pageFilter is empty we replace it with an empty string because you cannot pass 'undefined' to RegEx.
+    const value = !this.args.pageFilter ? '' : this.args.pageFilter;
+    const reg = new RegExp('^' + escapeStringRegexp(value));
+    const match = this.args.secrets.filter((path) => reg.test(path.fullSecretPath))[0];
+    if (this.isFilterMatch || !match) return null;
+
+    return match.fullSecretPath;
+  }
+  /*
+  - isFilterMatch returns true if the filterValue matches a fullSecretPath.
+**/
+  get isFilterMatch() {
+    return !!this.args.secrets?.findBy('fullSecretPath', this.args.filterValue);
+  }
+  /*
+  -handleInput is triggered after the value of the input has changed. It is not triggered when input looses focus.
+**/
+  @action
+  handleInput(event) {
+    const input = event.target.value;
+    const isDirectory = keyIsFolder(input);
+    const parentDirectory = parentKeyForKey(input);
+    const secretWithinDirectory = keyWithoutParentKey(input);
+
+    if (isDirectory) {
+      this.navigate(input);
+    } else if (parentDirectory) {
+      this.navigate(parentDirectory, secretWithinDirectory);
+    } else {
+      this.navigate(null, input);
+    }
+  }
+  /*
+  -handleKeyDown handles: tab, enter, backspace and escape. Ignores everything else.
+**/
+  @action
+  handleKeyDown(event) {
+    const input = event.target.value;
+    const parentDirectory = parentKeyForKey(input);
+
+    if (event.keyCode === keys.BACKSPACE) {
+      this.handleBackspace(input, parentDirectory);
+    }
+
+    if (event.keyCode === keys.TAB) {
+      event.preventDefault();
+      this.handleTab();
+    }
+
+    if (event.keyCode === keys.ENTER) {
+      event.preventDefault();
+      this.handleEnter(input);
+    }
+
+    if (event.keyCode === keys.ESC) {
+      this.handleEscape(parentDirectory);
+    }
+    // ignore all other key events
+    return;
+  }
+  // key-code specific methods
+  handleBackspace(input, parentDirectory) {
+    const isInputDirectory = keyIsFolder(input);
+    const inputWithoutParentKey = keyWithoutParentKey(input);
+    const pageFilter = isInputDirectory ? '' : inputWithoutParentKey.slice(0, -1);
+    this.navigate(parentDirectory, pageFilter);
+  }
+  handleTab() {
+    const isMatchDirectory = keyIsFolder(this.partialMatch);
+    const matchParentDirectory = parentKeyForKey(this.partialMatch);
+    const matchWithinDirectory = keyWithoutParentKey(this.partialMatch);
+
+    if (isMatchDirectory) {
+      // ex: beep/boop/
+      this.navigate(this.partialMatch);
+    } else if (!isMatchDirectory && matchParentDirectory) {
+      // ex: beep/boop/my-
+      this.navigate(matchParentDirectory, matchWithinDirectory);
+    } else {
+      // ex: my-
+      this.navigate(null, this.partialMatch);
+    }
+  }
+  handleEnter(input) {
+    if (this.isFilterMatch) {
+      // if secret exists send to details
+      this.router.transitionTo(`${this.args.mountPoint}.secret.details`, input);
+    } else {
+      // if secret does not exists send to create with the path prefilled with input value.
+      this.router.transitionTo(`${this.args.mountPoint}.create`, {
+        queryParams: { initialKey: input },
+      });
+    }
+  }
+  handleEscape(parentDirectory) {
+    // transition to the nearest parentDirectory. If no parentDirectory, then to the list route.
+    !parentDirectory ? this.navigate() : this.navigate(parentDirectory);
+  }
+
+  @action
+  setFilterIsFocused() {
+    // tracked property used to show or hide the help-text next to the input. Not involved in focus event itself.
+    this.filterIsFocused = true;
+  }
+
+  @action
+  focusInput() {
+    // set focus to the input when there is either a pageFilter queryParam value and/or list-directory's dynamic path-to-secret has a value.
+    if (this.args.filterValue) {
+      document.getElementById('secret-filter')?.focus();
+    }
+  }
+}
diff --git a/ui/lib/kv/addon/components/kv-metadata-fields.hbs b/ui/lib/kv/addon/components/kv-metadata-fields.hbs
new file mode 100644
index 0000000000..fbb7ce3be5
--- /dev/null
+++ b/ui/lib/kv/addon/components/kv-metadata-fields.hbs
@@ -0,0 +1,10 @@
+{{#each @metadata.formFields as |attr|}}
+  {{#if (eq attr.name "customMetadata")}}
+    <FormField @attr={{attr}} @model={{@metadata}} @modelValidations={{@modelValidations}} />
+    <label class="title has-top-padding-m is-4">
+      Additional options
+    </label>
+  {{else}}
+    <FormField @attr={{attr}} @model={{@metadata}} @modelValidations={{@modelValidations}} />
+  {{/if}}
+{{/each}}
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/kv-page-header.hbs b/ui/lib/kv/addon/components/kv-page-header.hbs
new file mode 100644
index 0000000000..b78efa985f
--- /dev/null
+++ b/ui/lib/kv/addon/components/kv-page-header.hbs
@@ -0,0 +1,37 @@
+<PageHeader as |p|>
+  <p.top>
+    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
+  </p.top>
+  <p.levelLeft>
+    <h1 class="title is-3" data-test-header-title>
+      {{#if @mountName}}
+        <Icon @name="kv" @size="24" class="has-text-grey-light" />
+        {{@mountName}}
+        <span class="tag">Version 2</span>
+      {{else}}
+        {{@pageTitle}}
+      {{/if}}
+    </h1>
+  </p.levelLeft>
+</PageHeader>
+
+{{#if (has-block "tabLinks")}}
+  <div class="tabs-container box is-bottomless is-marginless is-paddingless">
+    <nav class="tabs" aria-label="kv tabs">
+      <ul>
+        {{yield to="tabLinks"}}
+      </ul>
+    </nav>
+  </div>
+{{/if}}
+
+{{#if (or (has-block "toolbarFilters") (has-block "toolbarActions"))}}
+  <Toolbar>
+    <ToolbarFilters>
+      {{yield to="toolbarFilters"}}
+    </ToolbarFilters>
+    <ToolbarActions>
+      {{yield to="toolbarActions"}}
+    </ToolbarActions>
+  </Toolbar>
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/kv-tooltip-timestamp.hbs b/ui/lib/kv/addon/components/kv-tooltip-timestamp.hbs
new file mode 100644
index 0000000000..8e3cab8f5b
--- /dev/null
+++ b/ui/lib/kv/addon/components/kv-tooltip-timestamp.hbs
@@ -0,0 +1,14 @@
+{{! renders a human readable date with a tooltip containing the API timestamp}}
+<ToolTip @verticalPosition="above" @horizontalPosition="center" as |T|>
+  <T.Trigger data-test-kv-version-tooltip-trigger tabindex="-1">
+    {{#if @text}}
+      {{@text}}
+    {{/if}}
+    {{date-format @timestamp "MMM dd, yyyy hh:mm a"}}
+  </T.Trigger>
+  <T.Content @defaultClass="tool-tip smaller-font">
+    <div class="box" data-test-hover-copy-tooltip-text>
+      {{@timestamp}}
+    </div>
+  </T.Content>
+</ToolTip>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/kv-version-dropdown.hbs b/ui/lib/kv/addon/components/kv-version-dropdown.hbs
new file mode 100644
index 0000000000..d2a4f6e444
--- /dev/null
+++ b/ui/lib/kv/addon/components/kv-version-dropdown.hbs
@@ -0,0 +1,37 @@
+<BasicDropdown @class="popup-menu" @horizontalPosition="auto-right" @verticalPosition="below" as |D|>
+  <D.Trigger data-test-version-dropdown class="toolbar-link {{if D.isOpen ' is-active'}}">
+    Version
+    {{or @displayVersion "current"}}
+    <Chevron @direction="down" @isButton={{true}} />
+  </D.Trigger>
+  <D.Content @defaultClass="popup-menu-content">
+    <nav class="box menu">
+      <ul class="menu-list">
+        {{#each @metadata.sortedVersions as |versionData|}}
+          <li data-test-version={{versionData.version}} class="action">
+            <LinkTo @query={{hash version=versionData.version}} {{on "click" (fn @onClose D)}}>
+              Version
+              {{versionData.version}}
+              {{#if versionData.destroyed}}
+                <Icon @name="x-square-fill" class="has-text-danger is-pulled-right" />
+              {{else if versionData.deletion_time}}
+                <Icon @name="x-square-fill" class="has-text-grey is-pulled-right" />
+              {{else if (loose-equal versionData.version @metadata.currentVersion)}}
+                <Icon @name="check-circle" class="has-text-success is-pulled-right" />
+              {{/if}}
+            </LinkTo>
+          </li>
+        {{/each}}
+        {{! version diff }}
+        {{#if (gt @metadata.sortedVersions.length 1)}}
+          <hr />
+          <li>
+            <LinkTo @route="secret.metadata.diff" {{on "click" (fn @onClose D)}}>
+              Version Diff
+            </LinkTo>
+          </li>
+        {{/if}}
+      </ul>
+    </nav>
+  </D.Content>
+</BasicDropdown>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/configuration.hbs b/ui/lib/kv/addon/components/page/configuration.hbs
new file mode 100644
index 0000000000..82522f21fd
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/configuration.hbs
@@ -0,0 +1,32 @@
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @mountName={{@mountConfig.id}}>
+  <:tabLinks>
+    <LinkTo @route="list" data-test-secrets-tab="Secrets">Secrets</LinkTo>
+    <LinkTo @route="configuration" data-test-secrets-tab="Configuration">Configuration</LinkTo>
+  </:tabLinks>
+</KvPageHeader>
+
+{{! engine configuration }}
+{{#if @engineConfig.canRead}}
+  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
+    {{#each @engineConfig.formFields as |attr|}}
+      <InfoTableRow
+        @alwaysRender={{true}}
+        @label={{or attr.options.label (to-label attr.name)}}
+        @value={{if (eq attr.name "deleteVersionAfter") @engineConfig.displayDeleteTtl (get @engineConfig attr.name)}}
+      />
+    {{/each}}
+  </div>
+{{/if}}
+
+{{! mount configuration }}
+<div class="box is-fullwidth is-sideless is-paddingless is-marginless">
+  {{#each @mountConfig.attrs as |attr|}}
+    {{#if (not (includes attr.name @engineConfig.displayFields))}}
+      <InfoTableRow
+        @formatTtl={{eq attr.options.editType "ttl"}}
+        @label={{or attr.options.label (to-label attr.name)}}
+        @value={{get @mountConfig (or attr.options.fieldValue attr.name)}}
+      />
+    {{/if}}
+  {{/each}}
+</div>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/list.hbs b/ui/lib/kv/addon/components/page/list.hbs
new file mode 100644
index 0000000000..1af846e8ca
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/list.hbs
@@ -0,0 +1,145 @@
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @mountName={{@backend}}>
+  <:tabLinks>
+    <LinkTo @route={{this.router.currentRoute.localName}} data-test-secrets-tab="Secrets">Secrets</LinkTo>
+    <LinkTo @route="configuration" data-test-secrets-tab="Configuration">Configuration</LinkTo>
+  </:tabLinks>
+
+  <:toolbarFilters>
+    {{#unless @noMetadataListPermissions}}
+      {{#if (or @secrets @filterValue)}}
+        <KvListFilter
+          @secrets={{@secrets}}
+          @mountPoint={{this.mountPoint}}
+          @filterValue={{@filterValue}}
+          @pageFilter={{@pageFilter}}
+        />
+      {{/if}}
+    {{/unless}}
+  </:toolbarFilters>
+
+  <:toolbarActions>
+    <ToolbarLink data-test-toolbar-create-secret @route="create" @query={{hash initialKey=@filterValue}} @type="add">
+      Create secret
+    </ToolbarLink>
+  </:toolbarActions>
+</KvPageHeader>
+
+{{#if @noMetadataListPermissions}}
+  <div class="box is-fullwidth is-shadowless has-tall-padding">
+    <div class="selectable-card-container one-card">
+      <OverviewCard
+        @cardTitle="View secret"
+        @subText="Type the path of the secret you want to view. Include a trailing slash to navigate to the list view."
+      >
+        <form {{on "submit" this.transitionToSecretDetail}} class="has-top-margin-m is-flex">
+          <InputSearch
+            @id="search-input-kv-secret"
+            @initialValue={{@pathToSecret}}
+            @onChange={{this.handleSecretPathInput}}
+            @placeholder="secret/"
+            data-test-view-secret
+          />
+          <button type="submit" class="button is-secondary" disabled={{not this.secretPath}} data-test-get-secret-detail>
+            {{this.buttonText}}
+          </button>
+        </form>
+      </OverviewCard>
+    </div>
+  </div>
+{{else}}
+  {{#if @secrets}}
+    {{#each @secrets as |metadata|}}
+      <LinkedBlock
+        data-test-list-item={{metadata.path}}
+        class="list-item-row"
+        @params={{array (if metadata.pathIsDirectory "list-directory" "secret.details") metadata.fullSecretPath}}
+        @linkPrefix={{this.mountPoint}}
+      >
+        <div class="level is-mobile">
+          <div class="level-left">
+            <div>
+              <Icon @name="user" class="has-text-grey-light" />
+              <span class="has-text-weight-semibold is-underline">
+                {{metadata.path}}
+              </span>
+            </div>
+          </div>
+          <div class="level-right is-flex is-paddingless is-marginless">
+            <div class="level-item">
+              <PopupMenu>
+                <nav class="menu">
+                  <ul class="menu-list">
+                    {{#if metadata.pathIsDirectory}}
+                      <li>
+                        <LinkTo @route="list-directory" @model={{metadata.fullSecretPath}}>
+                          Content
+                        </LinkTo>
+                      </li>
+                    {{else}}
+                      <li>
+                        <LinkTo @route="secret.details" @model={{metadata.fullSecretPath}}>
+                          Details
+                        </LinkTo>
+                      </li>
+                      {{#if metadata.canReadMetadata}}
+                        <li>
+                          <LinkTo @route="secret.metadata.versions" @model={{metadata.fullSecretPath}}>
+                            View version history
+                          </LinkTo>
+                        </li>
+                      {{/if}}
+                      {{#if metadata.canCreateVersionData}}
+                        <li>
+                          <LinkTo @route="secret.details.edit" @model={{metadata.fullSecretPath}}>
+                            Create new version
+                          </LinkTo>
+                        </li>
+                      {{/if}}
+                      {{#if metadata.canDeleteMetadata}}
+                        <li>
+                          <ConfirmAction
+                            @buttonClasses="link is-destroy"
+                            @onConfirmAction={{fn this.onDelete metadata}}
+                            @confirmMessage="This will permanently delete this secret and all its versions."
+                            @cancelButtonText="Cancel"
+                            data-test-delete-metadata={{metadata.path}}
+                          >
+                            Permanently delete
+                          </ConfirmAction>
+                        </li>
+                      {{/if}}
+                    {{/if}}
+                  </ul>
+                </nav>
+              </PopupMenu>
+            </div>
+          </div>
+        </div>
+      </LinkedBlock>
+    {{/each}}
+    {{! Pagination }}
+    <Hds::Pagination::Numbered
+      @currentPage={{@secrets.meta.currentPage}}
+      @currentPageSize={{@secrets.meta.pageSize}}
+      @route={{this.router.currentRoute.localName}}
+      @showSizeSelector={{false}}
+      @totalItems={{@secrets.meta.total}}
+      @queryFunction={{this.paginationQueryParams}}
+      data-test-pagination
+    />
+  {{else}}
+    {{#if @filterValue}}
+      <EmptyState @title="There are no secrets matching &quot;{{@filterValue}}&quot;." />
+    {{else}}
+      <EmptyState
+        data-test-secret-list-empty-state
+        @title="No secrets yet"
+        @message="When created, secrets will be listed here. Create a secret to get started."
+      >
+        <LinkTo class="has-top-margin-xs" @route="create">
+          Create secret
+        </LinkTo>
+      </EmptyState>
+    {{/if}}
+  {{/if}}
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/list.js b/ui/lib/kv/addon/components/page/list.js
new file mode 100644
index 0000000000..b2c7117f1c
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/list.js
@@ -0,0 +1,88 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { inject as service } from '@ember/service';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { getOwner } from '@ember/application';
+import { ancestorKeysForKey } from 'core/utils/key-utils';
+import errorMessage from 'vault/utils/error-message';
+import { pathIsDirectory } from 'kv/utils/kv-breadcrumbs';
+
+/**
+ * @module List
+ * ListPage component is a component to show a list of kv/metadata secrets.
+ *
+ * @param {array} secrets - An array of models generated form kv/metadata query.
+ * @param {string} backend - The name of the kv secret engine.
+ * @param {string} pathToSecret - The directory name that the secret belongs to ex: beep/boop/
+ * @param {string} pageFilter - The input on the kv-list-filter. Does not include a directory name.
+ * @param {string} filterValue - The concatenation of the pathToSecret and pageFilter ex: beep/boop/my-
+ * @param {boolean} noMetadataListPermissions - true if the return to query metadata LIST is 403, indicating the user does not have permissions to that endpoint.
+ * @param {array} breadcrumbs - Breadcrumbs as an array of objects that contain label, route, and modelId. They are updated via the util kv-breadcrumbs to handle dynamic *pathToSecret on the list-directory route.
+ */
+
+export default class KvListPageComponent extends Component {
+  @service flashMessages;
+  @service router;
+  @service store;
+
+  @tracked secretPath;
+
+  get mountPoint() {
+    // mountPoint tells transition where to start. In this case, mountPoint will always be vault.cluster.secrets.backend.kv.
+    return getOwner(this).mountPoint;
+  }
+
+  get buttonText() {
+    return pathIsDirectory(this.secretPath) ? 'View list' : 'View secret';
+  }
+
+  // callback from HDS pagination to set the queryParams currentPage
+  get paginationQueryParams() {
+    return (page) => {
+      return {
+        currentPage: page,
+      };
+    };
+  }
+
+  @action
+  async onDelete(model) {
+    try {
+      // The model passed in is a kv/metadata model
+      await model.destroyRecord();
+      this.store.clearDataset('kv/metadata'); // Clear out the store cache so that the metadata/list view is updated.
+      const message = `Successfully deleted the metadata and all version data of the secret ${model.fullSecretPath}.`;
+      this.flashMessages.success(message);
+      // if you've deleted a secret from within a directory, transition to its parent directory.
+      if (this.router.currentRoute.localName === 'list-directory') {
+        const ancestors = ancestorKeysForKey(model.fullSecretPath);
+        const nearest = ancestors.pop();
+        this.router.transitionTo(`${this.mountPoint}.list-directory`, nearest);
+      } else {
+        // Transition to refresh the model
+        this.router.transitionTo(`${this.mountPoint}.list`);
+      }
+    } catch (error) {
+      const message = errorMessage(error, 'Error deleting secret. Please try again or contact support.');
+      this.flashMessages.danger(message);
+    }
+  }
+
+  @action
+  handleSecretPathInput(value) {
+    this.secretPath = value;
+  }
+
+  @action
+  transitionToSecretDetail(evt) {
+    evt.preventDefault();
+    pathIsDirectory(this.secretPath)
+      ? this.router.transitionTo('vault.cluster.secrets.backend.kv.list-directory', this.secretPath)
+      : this.router.transitionTo('vault.cluster.secrets.backend.kv.secret.details', this.secretPath);
+  }
+}
diff --git a/ui/lib/kv/addon/components/page/secret/details.hbs b/ui/lib/kv/addon/components/page/secret/details.hbs
new file mode 100644
index 0000000000..440aa4243e
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secret/details.hbs
@@ -0,0 +1,93 @@
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle={{@path}}>
+  <:tabLinks>
+    <LinkTo @route="secret.details" data-test-secrets-tab="Secret">Secret</LinkTo>
+    <LinkTo @route="secret.metadata.index" data-test-secrets-tab="Metadata">Metadata</LinkTo>
+    {{#if @secret.canReadMetadata}}
+      <LinkTo @route="secret.metadata.versions" data-test-secrets-tab="Version History">Version History</LinkTo>
+    {{/if}}
+  </:tabLinks>
+
+  <:toolbarFilters>
+    {{#unless this.emptyState}}
+      <Toggle @name="json" @status="success" @size="small" @checked={{this.showJsonView}} @onChange={{this.toggleJsonView}}>
+        <span class="has-text-grey">JSON</span>
+      </Toggle>
+    {{/unless}}
+  </:toolbarFilters>
+  <:toolbarActions>
+    {{#if this.showUndelete}}
+      <button type="button" class="toolbar-link" {{on "click" this.undelete}}>
+        Undelete
+      </button>
+    {{/if}}
+    {{#if this.showDelete}}
+      <KvDeleteModal @mode="delete" @secret={{@secret}} @metadata={{@metadata}} @onDelete={{this.handleDestruction}}>
+        Delete
+      </KvDeleteModal>
+    {{/if}}
+    {{#if this.showDestroy}}
+      <KvDeleteModal @mode="destroy" @secret={{@secret}} @onDelete={{this.handleDestruction}}>
+        Destroy
+      </KvDeleteModal>
+    {{/if}}
+    <div class="toolbar-separator"></div>
+    {{#if (and @secret.canReadData (eq @secret.state "created"))}}
+      <CopySecretDropdown
+        @clipboardText={{stringify @secret.secretData}}
+        @onWrap={{perform this.wrapSecret}}
+        @isWrapping={{this.wrapSecret.isRunning}}
+        @wrappedData={{this.wrappedData}}
+        @onClose={{this.clearWrappedData}}
+      />
+    {{/if}}
+    {{#if @secret.canReadMetadata}}
+      <KvVersionDropdown @displayVersion={{this.version}} @metadata={{@metadata}} @onClose={{this.closeVersionMenu}} />
+    {{/if}}
+    {{#if @secret.canEditData}}
+      <ToolbarLink data-test-create-new-version @route="secret.details.edit" @type="add">Create new version</ToolbarLink>
+    {{/if}}
+  </:toolbarActions>
+</KvPageHeader>
+
+{{#if (or @secret.deletionTime (not this.emptyState))}}
+  <div class="info-table-row-header">
+    <div class="info-table-row thead {{if this.showJsonView 'is-shadowless'}} ">
+      {{#unless this.hideHeaders}}
+        <div class="th column is-one-quarter">
+          Key
+        </div>
+        <div class="th column">
+          Value
+        </div>
+      {{/unless}}
+      <div class="th column justify-right">
+        {{#if (or @secret.deletionTime @secret.createdTime)}}
+          <KvTooltipTimestamp
+            @text="Version {{if @secret.version @secret.version}} {{@secret.state}}"
+            @timestamp={{or @secret.deletionTime @secret.createdTime}}
+          />
+        {{/if}}
+      </div>
+    </div>
+  </div>
+{{/if}}
+
+{{#if this.emptyState}}
+  <EmptyState @title={{this.emptyState.title}} @message={{this.emptyState.message}}>
+    {{#if this.emptyState.link}}
+      <DocLink @path={{this.emptyState.link}}>Learn more</DocLink>
+    {{/if}}
+  </EmptyState>
+{{else}}
+  {{#if this.showJsonView}}
+    <JsonEditor @title="Version data" @value={{stringify @secret.secretData}} @readOnly={{true}} />
+  {{else}}
+    {{#each-in @secret.secretData as |key value|}}
+      <InfoTableRow @label={{key}} @value={{value}} @alwaysRender={{true}}>
+        <MaskedInput @name={{key}} @value={{value}} @displayOnly={{true}} @allowCopy={{true}} @allowDownload={{true}} />
+      </InfoTableRow>
+    {{else}}
+      <InfoTableRow @label="" @value="" @alwaysRender={{true}} />
+    {{/each-in}}
+  {{/if}}
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/secret/details.js b/ui/lib/kv/addon/components/page/secret/details.js
new file mode 100644
index 0000000000..1f0e3d76c4
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secret/details.js
@@ -0,0 +1,200 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { next } from '@ember/runloop';
+import { inject as service } from '@ember/service';
+import { task } from 'ember-concurrency';
+import { waitFor } from '@ember/test-waiters';
+
+/**
+ * @module KvSecretDetails renders the key/value data of a KV secret.
+ * It also renders a dropdown to display different versions of the secret.
+ * <Page::Secret::Details
+ *  @path={{this.model.path}}
+ *  @secret={{this.model.secret}}
+ *  @metadata={{this.model.metadata}}
+ *  @breadcrumbs={{this.breadcrumbs}}
+  />
+ *
+ * @param {string} path - path of kv secret 'my/secret' used as the title for the KV page header
+ * @param {model} secret - Ember data model: 'kv/data'
+ * @param {model} metadata - Ember data model: 'kv/metadata'
+ * @param {array} breadcrumbs - Array to generate breadcrumbs, passed to the page header component
+ */
+
+export default class KvSecretDetails extends Component {
+  @service flashMessages;
+  @service router;
+  @service store;
+
+  @tracked showJsonView = false;
+  @tracked wrappedData = null;
+
+  @action
+  toggleJsonView() {
+    this.showJsonView = !this.showJsonView;
+  }
+
+  @action
+  closeVersionMenu(dropdown) {
+    // strange issue where closing dropdown triggers full transition (which redirects to auth screen in production)
+    // closing dropdown in next tick of run loop fixes it
+    next(() => dropdown.actions.close());
+  }
+
+  @action
+  clearWrappedData() {
+    this.wrappedData = null;
+  }
+
+  @task
+  @waitFor
+  *wrapSecret() {
+    const { backend, path } = this.args.secret;
+    const adapter = this.store.adapterFor('kv/data');
+    try {
+      const { token } = yield adapter.fetchWrapInfo({ backend, path, wrapTTL: 1800 });
+      if (!token) throw 'No token';
+      this.wrappedData = token;
+      this.flashMessages.success('Secret successfully wrapped!');
+    } catch (error) {
+      this.flashMessages.danger('Could not wrap secret.');
+    }
+  }
+
+  @action
+  async undelete() {
+    const { secret } = this.args;
+    try {
+      await secret.destroyRecord({
+        adapterOptions: { deleteType: 'undelete', deleteVersions: secret.version },
+      });
+      this.store.clearDataset('kv/metadata'); // Clear out the store cache so that the metadata/list view is updated.
+      this.flashMessages.success(`Successfully undeleted ${secret.path}.`);
+      this.router.transitionTo('vault.cluster.secrets.backend.kv.secret', {
+        queryParams: { version: secret.version },
+      });
+    } catch (err) {
+      this.flashMessages.danger(
+        `There was a problem undeleting ${secret.path}. Error: ${err.errors.join(' ')}.`
+      );
+    }
+  }
+
+  @action
+  async handleDestruction(type) {
+    const { secret } = this.args;
+    try {
+      await secret.destroyRecord({ adapterOptions: { deleteType: type, deleteVersions: secret.version } });
+      this.store.clearDataset('kv/metadata'); // Clear out the store cache so that the metadata/list view is updated.
+      this.flashMessages.success(`Successfully ${secret.state} Version ${secret.version} of ${secret.path}.`);
+      this.router.transitionTo('vault.cluster.secrets.backend.kv.secret', {
+        queryParams: { version: secret.version },
+      });
+    } catch (err) {
+      const verb = type.includes('delete') ? 'deleting' : 'destroying';
+      this.flashMessages.danger(
+        `There was a problem ${verb} Version ${secret.version} of ${secret.path}. Error: ${err.errors.join(
+          ' '
+        )}.`
+      );
+    }
+  }
+
+  get version() {
+    return this.args.secret.version || this.router.currentRoute.queryParams.version;
+  }
+
+  get hideHeaders() {
+    return this.showJsonView || this.emptyState;
+  }
+
+  get versionState() {
+    const { secret, metadata } = this.args;
+    if (secret.failReadErrorCode !== 403) {
+      return secret.state;
+    }
+    // If the user can't read secret data, get the current version
+    // state from metadata versions
+    if (metadata?.sortedVersions) {
+      const version = this.version;
+      const meta = version
+        ? metadata.sortedVersions.find((v) => v.version == version)
+        : metadata.sortedVersions[0];
+      if (meta?.destroyed) {
+        return 'destroyed';
+      }
+      if (meta?.deletion_time) {
+        return 'deleted';
+      }
+      if (meta?.created_time) {
+        return 'created';
+      }
+    }
+    return '';
+  }
+
+  get showUndelete() {
+    const { secret } = this.args;
+    if (secret.canUndelete) {
+      return this.versionState === 'deleted';
+    }
+    return false;
+  }
+
+  get showDelete() {
+    const { secret } = this.args;
+    if (secret.canDeleteVersion || secret.canDeleteLatestVersion) {
+      return this.versionState === 'created';
+    }
+    return false;
+  }
+
+  get showDestroy() {
+    const { secret } = this.args;
+    if (secret.canDestroyVersion) {
+      return this.versionState !== 'destroyed';
+    }
+    return false;
+  }
+
+  get emptyState() {
+    if (!this.args.secret.canReadData) {
+      return {
+        title: 'You do not have permission to read this secret',
+        message:
+          'Your policies may permit you to write a new version of this secret, but do not allow you to read its current contents.',
+      };
+    }
+    // only destructure if we can read secret data
+    const { version, destroyed, deletionTime } = this.args.secret;
+    if (destroyed) {
+      return {
+        title: `Version ${version} of this secret has been permanently destroyed`,
+        message: `A version that has been permanently deleted cannot be restored. ${
+          this.args.secret.canReadMetadata
+            ? ' You can view other versions of this secret in the Version History tab above.'
+            : ''
+        }`,
+        link: '/vault/docs/secrets/kv/kv-v2',
+      };
+    }
+    if (deletionTime) {
+      return {
+        title: `Version ${version} of this secret has been deleted`,
+        message: `This version has been deleted but can be undeleted. ${
+          this.args.secret.canReadMetadata
+            ? 'View other versions of this secret by clicking the Version History tab above.'
+            : ''
+        }`,
+        link: '/vault/docs/secrets/kv/kv-v2',
+      };
+    }
+    return false;
+  }
+}
diff --git a/ui/lib/kv/addon/components/page/secret/edit.hbs b/ui/lib/kv/addon/components/page/secret/edit.hbs
new file mode 100644
index 0000000000..298e942f67
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secret/edit.hbs
@@ -0,0 +1,72 @@
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle="Create New Version">
+  <:toolbarFilters>
+    <Toggle @name="json" @status="success" @size="small" @checked={{this.showJsonView}} @onChange={{this.toggleJsonView}}>
+      <span class="has-text-grey">JSON</span>
+    </Toggle>
+  </:toolbarFilters>
+</KvPageHeader>
+
+{{#if this.showOldVersionAlert}}
+  <Hds::Alert data-test-secret-version-alert @type="inline" @color="warning" class="has-top-bottom-margin" as |A|>
+    <A.Title>Warning</A.Title>
+    <A.Description>
+      You are creating a new version based on data from Version
+      {{@previousVersion}}. The current version for
+      <code>{{@secret.path}}</code>
+      is Version
+      {{@currentVersion}}.
+    </A.Description>
+  </Hds::Alert>
+{{/if}}
+{{#if @noReadAccess}}
+  <Hds::Alert data-test-secret-no-read-alert @type="inline" @color="warning" class="has-top-bottom-margin" as |A|>
+    <A.Title>Warning</A.Title>
+    <A.Description>
+      You do not have read permissions for this secret data. Saving will overwrite the existing secret.
+    </A.Description>
+  </Hds::Alert>
+{{/if}}
+
+<form {{on "submit" (perform this.save)}}>
+  <div class="box is-sideless is-fullwidth is-bottomless">
+    <NamespaceReminder @mode="create" @noun="secret" />
+    <MessageError @model={{@secret}} @errorMessage={{this.errorMessage}} />
+
+    <KvDataFields
+      @showJson={{this.showJsonView}}
+      @secret={{@secret}}
+      @modelValidations={{this.modelValidations}}
+      @isEdit={{true}}
+    />
+  </div>
+  <div class="box is-fullwidth is-bottomless">
+    <div class="control">
+      <button
+        type="submit"
+        class="button is-primary {{if this.save.isRunning 'is-loading'}}"
+        disabled={{this.save.isRunning}}
+        data-test-kv-save
+      >
+        Save
+      </button>
+      <button
+        type="button"
+        class="button has-left-margin-s"
+        disabled={{this.save.isRunning}}
+        {{on "click" this.onCancel}}
+        data-test-kv-cancel
+      >
+        Cancel
+      </button>
+    </div>
+    {{#if this.invalidFormAlert}}
+      <AlertInline
+        data-test-invalid-form-alert
+        class="has-top-padding-s"
+        @type="danger"
+        @message={{this.invalidFormAlert}}
+        @mimicRefresh={{true}}
+      />
+    {{/if}}
+  </div>
+</form>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/secret/edit.js b/ui/lib/kv/addon/components/page/secret/edit.js
new file mode 100644
index 0000000000..67a1b2e152
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secret/edit.js
@@ -0,0 +1,75 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { task } from 'ember-concurrency';
+import { inject as service } from '@ember/service';
+
+/**
+ * @module KvSecretEdit is used for creating a new version of a secret
+ *
+ * <Page::Secret::Edit
+ *  @secret={{this.model.newVersion}}
+ *  @previousVersion={{this.model.secret.version}}
+ *  @currentVersion={{this.model.metadata.currentVersion}}
+ *  @breadcrumbs={{this.breadcrumbs}
+ * />
+ *
+ * @param {model} secret - Ember data model: 'kv/data', the new record for the new secret version saved by the form
+ * @param {number} previousVersion - previous secret version number
+ * @param {number} currentVersion - current secret version, comes from the metadata endpoint
+ * @param {array} breadcrumbs - breadcrumb objects to render in page header
+ */
+
+export default class KvSecretEdit extends Component {
+  @service flashMessages;
+  @service router;
+
+  @tracked showJsonView = false;
+  @tracked errorMessage;
+  @tracked modelValidations;
+  @tracked invalidFormAlert;
+
+  get showOldVersionAlert() {
+    const { currentVersion, previousVersion } = this.args;
+    // isNew check prevents alert from flashing after save but before route transitions
+    if (!currentVersion || !previousVersion || !this.args.secret.isNew) return false;
+    if (currentVersion !== previousVersion) return true;
+    return false;
+  }
+
+  @action
+  toggleJsonView() {
+    this.showJsonView = !this.showJsonView;
+  }
+
+  @task
+  *save(event) {
+    event.preventDefault();
+    try {
+      const { isValid, state, invalidFormMessage } = this.args.secret.validate();
+      this.modelValidations = isValid ? null : state;
+      this.invalidFormAlert = invalidFormMessage;
+      if (isValid) {
+        const { secret } = this.args;
+        yield this.args.secret.save();
+        this.flashMessages.success(`Successfully created new version of ${secret.path}.`);
+        // transition to parent secret route to re-query latest version
+        this.router.transitionTo('vault.cluster.secrets.backend.kv.secret');
+      }
+    } catch (error) {
+      const message = error.errors ? error.errors.join('. ') : error.message;
+      this.errorMessage = message;
+      this.invalidFormAlert = 'There was an error submitting this form.';
+    }
+  }
+
+  @action
+  onCancel() {
+    this.router.transitionTo('vault.cluster.secrets.backend.kv.secret.details');
+  }
+}
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/details.hbs b/ui/lib/kv/addon/components/page/secret/metadata/details.hbs
new file mode 100644
index 0000000000..803449c80c
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secret/metadata/details.hbs
@@ -0,0 +1,72 @@
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle={{@path}}>
+  <:tabLinks>
+    <LinkTo @route="secret.details" data-test-secrets-tab="Secret">Secret</LinkTo>
+    <LinkTo @route="secret.metadata.index" data-test-secrets-tab="Metadata">Metadata</LinkTo>
+    {{#if @secret.canReadMetadata}}
+      <LinkTo @route="secret.metadata.versions" data-test-secrets-tab="Version History">Version History</LinkTo>
+    {{/if}}
+  </:tabLinks>
+
+  <:toolbarActions>
+    {{#if @metadata.canDeleteMetadata}}
+      <KvDeleteModal @mode="delete-metadata" @metadata={{@metadata}} @onDelete={{this.onDelete}}>
+        Delete metadata
+      </KvDeleteModal>
+    {{/if}}
+    {{#if @metadata.canUpdateMetadata}}
+      <ToolbarLink @route="secret.metadata.edit" data-test-edit-metadata>Edit metadata</ToolbarLink>
+    {{/if}}
+  </:toolbarActions>
+</KvPageHeader>
+
+<h2 class="title is-5 has-bottom-padding-s has-top-margin-l">
+  Custom metadata
+</h2>
+<div class="box is-fullwidth is-sideless is-paddingless is-marginless" data-test-kv-custom-metadata-section>
+  {{#if (or @metadata.canReadMetadata @secret.canReadData)}}
+    {{#each-in (or @metadata.customMetadata @secret.customMetadata) as |key value|}}
+      <InfoTableRow @alwaysRender={{false}} @label={{key}} @value={{value}} />
+    {{else}}
+      <EmptyState
+        @title="No custom metadata"
+        @bottomBorder={{true}}
+        @message="This data is version-agnostic and is usually used to describe the secret being stored."
+      >
+        {{#if @metadata.canUpdateMetadata}}
+          <LinkTo @route="secret.metadata.edit" @model={{@path}} data-test-add-custom-metadata>
+            Add metadata
+          </LinkTo>
+        {{/if}}
+      </EmptyState>
+    {{/each-in}}
+  {{else}}
+    <EmptyState
+      @title="You do not have access to read custom metadata"
+      @message="In order to read custom metadata you either need read access to the secret data and/or read access to metadata."
+    />
+  {{/if}}
+</div>
+<section data-test-kv-metadata-section>
+  <h2 class="title is-5 has-bottom-padding-s has-top-margin-l">
+    Secret metadata
+  </h2>
+  {{#if @metadata.canReadMetadata}}
+    <div class="box is-fullwidth is-sideless is-paddingless is-marginless" data-test-kv-metadata-section>
+      <InfoTableRow @alwaysRender={{true}} @label="Last updated">
+        <KvTooltipTimestamp @timestamp={{@metadata.updatedTime}} />
+      </InfoTableRow>
+      <InfoTableRow @alwaysRender={{true}} @label="Maximum versions" @value={{@metadata.maxVersions}} />
+      <InfoTableRow @alwaysRender={{true}} @label="Check-and-Set required" @value={{@metadata.casRequired}} />
+      <InfoTableRow
+        @alwaysRender={{true}}
+        @label="Delete version after"
+        @value={{if (eq @metadata.deleteVersionAfter "0s") "Never delete" (format-duration @metadata.deleteVersionAfter)}}
+      />
+    </div>
+  {{else}}
+    <EmptyState
+      @title="You do not have access to secret metadata"
+      @message="In order to edit secret metadata, the UI requires read permissions; otherwise, data may be deleted. Edits can still be made via the API and CLI."
+    />
+  {{/if}}
+</section>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/details.js b/ui/lib/kv/addon/components/page/secret/metadata/details.js
new file mode 100644
index 0000000000..b51ab7df9c
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secret/metadata/details.js
@@ -0,0 +1,46 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { inject as service } from '@ember/service';
+
+/**
+ * @module KvSecretMetadataDetails renders the details view for kv/metadata.
+ * It also renders a button to delete metadata.
+ * <Page::Secret::Metadata::Details
+ *  @path={{this.model.path}}
+ *  @secret={{this.model.secret}}
+ *  @metadata={{this.model.metadata}}
+ *  @breadcrumbs={{this.breadcrumbs}}
+  /> 
+ *
+ * @param {string} path - path of kv secret 'my/secret' used as the title for the KV page header 
+ * @param {model} [secret] - Ember data model: 'kv/data'. Param not required for delete-metadata.
+ * @param {model} metadata - Ember data model: 'kv/metadata'
+ * @param {array} breadcrumbs - Array to generate breadcrumbs, passed to the page header component
+ */
+
+export default class KvSecretMetadataDetails extends Component {
+  @service flashMessages;
+  @service router;
+  @service store;
+
+  @action
+  async onDelete() {
+    // The only delete option from this view is delete on metadata.
+    const { metadata } = this.args;
+    try {
+      await metadata.destroyRecord();
+      this.store.clearDataset('kv/metadata'); // Clear out the store cache so that the metadata/list view is updated.
+      this.flashMessages.success(
+        `Successfully deleted the metadata and all version data for the secret ${metadata.path}.`
+      );
+      this.router.transitionTo('vault.cluster.secrets.backend.kv.list');
+    } catch (err) {
+      this.flashMessages.danger(`There was an issue deleting ${metadata.path} metadata.`);
+    }
+  }
+}
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/edit.hbs b/ui/lib/kv/addon/components/page/secret/metadata/edit.hbs
new file mode 100644
index 0000000000..50ab800264
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secret/metadata/edit.hbs
@@ -0,0 +1,57 @@
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle="Edit Secret Metadata" />
+
+<hr class="is-marginless has-background-gray-200" />
+<p class="has-top-margin-m has-bottom-margin-m">
+  The options below are all version-agnostic; they apply to all versions of this secret.
+</p>
+{{#if @metadata.canUpdateMetadata}}
+  <form {{on "submit" (perform this.save)}}>
+    <div class="box is-sideless is-fullwidth is-marginless">
+      <NamespaceReminder @mode="update" @noun="KV secret metadata" />
+      <MessageError @errorMessage={{this.errorBanner}} class="has-top-margin-s" />
+      <KvMetadataFields @metadata={{@metadata}} @modelValidations={{this.modelValidations}} />
+    </div>
+    <div class="field is-grouped is-grouped-split is-fullwidth box is-bottomless">
+      <div class="has-top-padding-s">
+        <button
+          type="submit"
+          class="button is-primary {{if this.save.isRunning 'is-loading'}}"
+          disabled={{this.save.isRunning}}
+          data-test-kv-save
+        >
+          Update
+        </button>
+        <button
+          type="button"
+          class="button has-left-margin-s"
+          disabled={{this.save.isRunning}}
+          {{on "click" this.cancel}}
+          data-test-kv-cancel
+        >
+          Cancel
+        </button>
+        {{#if this.invalidFormAlert}}
+          <div class="control">
+            <AlertInline
+              data-test-invalid-form-alert
+              @type="danger"
+              @paddingTop={{true}}
+              @message={{this.invalidFormAlert}}
+              @mimicRefresh={{true}}
+            />
+          </div>
+        {{/if}}
+      </div>
+    </div>
+  </form>
+{{else}}
+  <EmptyState
+    @title="You do not have permissions to edit metadata"
+    @message="Ask your administrator if you think you should have access."
+  >
+    <LinkTo @route="secret.metadata.index" @model={{@metadata.path}}>
+      View Metadata
+    </LinkTo>
+    <DocLink @path="/vault/api-docs/secret/kv/kv-v2#create-update-metadata">More here</DocLink>
+  </EmptyState>
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/edit.js b/ui/lib/kv/addon/components/page/secret/metadata/edit.js
new file mode 100644
index 0000000000..ff49331a2b
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secret/metadata/edit.js
@@ -0,0 +1,54 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { inject as service } from '@ember/service';
+import { task } from 'ember-concurrency';
+import { tracked } from '@glimmer/tracking';
+import errorMessage from 'vault/utils/error-message';
+import { action } from '@ember/object';
+
+/**
+ * @module KvSecretMetadataEdit
+ * This component renders the view for editing a kv secret's metadata.
+ * While secret data and metadata are created on the same view, they are edited on different views/routes.
+ *
+ * @param {array} metadata - The kv/metadata model. It is version agnostic.
+ * @param {array} breadcrumbs - Breadcrumbs as an array of objects that contain label, route, and modelId. They are updated via the util kv-breadcrumbs to handle dynamic *pathToSecret on the list-directory route.
+ * @callback onCancel - Callback triggered when cancel button is clicked that transitions to the metadata details route.
+ * @callback onSave - Callback triggered on save success that transitions to the metadata details route.
+ */
+
+export default class KvSecretMetadataEditComponent extends Component {
+  @service flashMessages;
+  @tracked errorBanner = '';
+  @tracked invalidFormAlert = '';
+  @tracked modelValidations = null;
+
+  @action
+  cancel() {
+    this.args.metadata.rollbackAttributes();
+    this.args.onCancel();
+  }
+
+  @task
+  *save(event) {
+    event.preventDefault();
+    try {
+      const { isValid, state, invalidFormMessage } = this.args.metadata.validate();
+      this.modelValidations = isValid ? null : state;
+      this.invalidFormAlert = invalidFormMessage;
+      if (isValid) {
+        const { path } = this.args.metadata;
+        yield this.args.metadata.save();
+        this.flashMessages.success(`Successfully updated ${path}'s metadata.`);
+        this.args.onSave();
+      }
+    } catch (error) {
+      this.errorBanner = errorMessage(error);
+      this.invalidFormAlert = 'There was an error submitting this form.';
+    }
+  }
+}
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/version-diff.hbs b/ui/lib/kv/addon/components/page/secret/metadata/version-diff.hbs
new file mode 100644
index 0000000000..81a8dc3dd7
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secret/metadata/version-diff.hbs
@@ -0,0 +1,91 @@
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle={{@path}}>
+  <:toolbarFilters>
+    {{! left side version selector }}
+    <BasicDropdown @class="popup-menu" @horizontalPosition="auto-right" @verticalPosition="below" as |D|>
+      <D.Trigger data-test-version-dropdown-left class="toolbar-link {{if D.isOpen ' is-active'}}">
+        Version
+        {{this.leftSideVersion}}
+        <Chevron @direction="down" @isButton={{true}} />
+      </D.Trigger>
+      <D.Content @defaultClass="popup-menu-content">
+        <nav class="box menu" aria-label="version-left">
+          <ul class="menu-list">
+            {{#each @metadata.sortedVersions as |versionData|}}
+              <li>
+                <button
+                  type="button"
+                  class="link {{if (loose-equal versionData.version this.leftSideVersion) 'is-active'}}"
+                  {{on "click" (fn this.selectVersion versionData.version D.actions "left")}}
+                  disabled={{(or versionData.destroyed versionData.deletion_time)}}
+                >
+                  Version
+                  {{versionData.version}}
+                  {{#if versionData.destroyed}}
+                    <Icon @name="x-square-fill" class="has-text-danger is-pulled-right" />
+                  {{else if versionData.deletion_time}}
+                    <Icon @name="x-square-fill" class="has-text-grey is-pulled-right" />
+                  {{else if (loose-equal @metadata.currentVersion versionData.version)}}
+                    <Icon @name="check-circle-fill" class="has-text-success is-pulled-right" />
+                  {{/if}}
+                </button>
+              </li>
+            {{/each}}
+          </ul>
+        </nav>
+      </D.Content>
+    </BasicDropdown>
+    {{! right side version selector }}
+    <BasicDropdown @class="popup-menu" @horizontalPosition="auto-right" @verticalPosition="below" as |D|>
+      <D.Trigger data-test-version-dropdown-right class="toolbar-link {{if D.isOpen ' is-active'}}">
+        Version
+        {{this.rightSideVersion}}
+        <Chevron @direction="down" @isButton={{true}} />
+      </D.Trigger>
+      <D.Content @defaultClass="popup-menu-content">
+        <nav class="box menu" aria-label="version-right">
+          <ul class="menu-list">
+            {{#each @metadata.sortedVersions as |versionData|}}
+              <li>
+                <button
+                  type="button"
+                  class="link {{if (loose-equal versionData.version this.rightSideVersion) 'is-active'}}"
+                  {{on "click" (fn this.selectVersion versionData.version D.actions "right")}}
+                  disabled={{(or versionData.destroyed versionData.deletion_time)}}
+                  data-test-version-button={{versionData.version}}
+                >
+                  Version
+                  {{versionData.version}}
+                  {{#if versionData.destroyed}}
+                    <Icon @name="x-square-fill" class="has-text-danger is-pulled-right" />
+                  {{else if versionData.deletion_time}}
+                    <Icon @name="x-square-fill" class="has-text-grey is-pulled-right" />
+                  {{else if (loose-equal @metadata.currentVersion versionData.version)}}
+                    <Icon @name="check-circle-fill" class="has-text-success is-pulled-right" />
+                  {{/if}}
+                </button>
+              </li>
+            {{/each}}
+          </ul>
+        </nav>
+      </D.Content>
+    </BasicDropdown>
+    {{! status icon }}
+    {{#if this.statesMatch}}
+      <div class="has-left-padding-s">
+        <Icon @name="check-circle-fill" class="has-text-success" />
+        <span>States match</span>
+      </div>
+    {{/if}}
+  </:toolbarFilters>
+</KvPageHeader>
+{{! Show an empty state if the current version of the secret is deleted or destroyed. This would only happen on init. }}
+{{#if (and (loose-equal this.leftSideVersion @metadata.currentVersion) @metadata.currentSecret.isDeactivated)}}
+  <EmptyState
+    @title="Version {{@metadata.currentVersion}} of {{@path}} has been {{@metadata.currentSecret.state}}"
+    @message="Please select another version of the secret to compare."
+  />
+{{else}}
+  <div class="form-section visual-diff text-grey-lightest background-color-black">
+    <pre data-test-visual-diff>{{sanitized-html this.visualDiff}}</pre>
+  </div>
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/version-diff.js b/ui/lib/kv/addon/components/page/secret/metadata/version-diff.js
new file mode 100644
index 0000000000..b7784fb863
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secret/metadata/version-diff.js
@@ -0,0 +1,79 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { inject as service } from '@ember/service';
+import { tracked } from '@glimmer/tracking';
+import { action } from '@ember/object';
+import { kvDataPath } from 'vault/utils/kv-path';
+
+/**
+ * @module KvVersionDiff
+ * This component produces a JSON diff view between 2 secret versions. It uses the library jsondiffpatch.
+ *
+ * @param {string} backend - Backend from the kv/data model.
+ * @param {string} path - Backend from the kv/data model.
+ * @param {array} metadata - The kv/metadata model. It is version agnostic.
+ * @param {array} breadcrumbs - Array to generate breadcrumbs, passed to the page header component.
+ */
+
+export default class KvVersionDiffComponent extends Component {
+  @service store;
+  @tracked leftSideVersion;
+  @tracked rightSideVersion;
+  @tracked visualDiff;
+  @tracked statesMatch = false;
+
+  constructor() {
+    super(...arguments);
+    // tracked properties set here because they use args.
+    this.leftSideVersion = this.args.metadata.currentVersion;
+    this.rightSideVersion = this.defaultRightSideVersion;
+    this.createVisualDiff();
+  }
+
+  get defaultRightSideVersion() {
+    // unless the version is destroyed or deleted we return the version prior to the current version.
+    const versionData = this.args.metadata.sortedVersions.find(
+      (version) =>
+        version.destroyed === false && version.deletion_time === '' && version.version != this.leftSideVersion
+    );
+    return versionData ? versionData.version : this.leftSideVersion - 1;
+  }
+
+  async fetchSecretData(version) {
+    const { backend, path } = this.args;
+    // check the store first, avoiding an extra network request if possible.
+    const storeData = await this.store.peekRecord('kv/data', kvDataPath(backend, path, version));
+    const data = storeData ? storeData : await this.store.queryRecord('kv/data', { backend, path, version });
+
+    return data?.secretData;
+  }
+
+  async createVisualDiff() {
+    /* eslint-disable no-undef */
+    const leftSideData = await this.fetchSecretData(Number(this.leftSideVersion));
+    const rightSideData = await this.fetchSecretData(Number(this.rightSideVersion));
+    const diffpatcher = jsondiffpatch.create({});
+    const delta = diffpatcher.diff(rightSideData, leftSideData);
+
+    this.statesMatch = !delta;
+    this.visualDiff = delta
+      ? jsondiffpatch.formatters.html.format(delta, rightSideData)
+      : JSON.stringify(leftSideData, undefined, 2);
+  }
+
+  @action selectVersion(version, actions, side) {
+    if (side === 'right') {
+      this.rightSideVersion = version;
+    }
+    if (side === 'left') {
+      this.leftSideVersion = version;
+    }
+    // close dropdown menu.
+    if (actions) actions.close();
+    this.createVisualDiff();
+  }
+}
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/version-history.hbs b/ui/lib/kv/addon/components/page/secret/metadata/version-history.hbs
new file mode 100644
index 0000000000..f20379758e
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secret/metadata/version-history.hbs
@@ -0,0 +1,97 @@
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle={{@path}}>
+  <:tabLinks>
+    <LinkTo @route="secret.details" data-test-secrets-tab="Secret">Secret</LinkTo>
+    <LinkTo @route="secret.metadata.index" data-test-secrets-tab="Metadata">Metadata</LinkTo>
+    <LinkTo @route="secret.metadata.versions" data-test-secrets-tab="Version History">Version History</LinkTo>
+  </:tabLinks>
+</KvPageHeader>
+
+<Toolbar />
+{{#if @metadata.canReadMetadata}}
+  <div class="sub-text has-text-weight-semibold is-flex-end has-short-padding">
+    <KvTooltipTimestamp @text="Secret last updated" @timestamp={{@metadata.updatedTime}} />
+  </div>
+  {{#each @metadata.sortedVersions as |versionData|}}
+    <LinkedBlock
+      class="list-item-row"
+      @params={{array "vault.cluster.secrets.backend.kv.secret.details" @metadata.path}}
+      @queryParams={{hash version=versionData.version}}
+      data-test-version-linked-block={{versionData.version}}
+    >
+      <div class="level is-mobile">
+        <div class="is-grid is-grid-3-columns is-three-fourths-width">
+          {{! version number and icon }}
+          <div class="align-self-center">
+            <Icon @name="history" class="has-text-grey" data-test-version />
+            <span class="has-text-weight-semibold has-text-black">
+              Version
+              {{versionData.version}}
+            </span>
+          </div>
+          {{! icons }}
+          <div class="align-self-center" data-test-icon-holder={{versionData.version}}>
+            {{#if versionData.destroyed}}
+              <div>
+                <span class="has-text-danger is-size-8 is-block">
+                  <Icon @name="x-square-fill" />Destroyed
+                </span>
+              </div>
+            {{else if versionData.deletion_time}}
+              <div>
+                <span class="has-text-grey is-size-8 is-block">
+                  <Icon @name="x-square-fill" />
+                  <KvTooltipTimestamp @text="Deleted" @timestamp={{versionData.deletion_time}} />
+                </span>
+              </div>
+            {{else if (loose-equal versionData.version @metadata.currentVersion)}}
+              <div>
+                <span class="has-text-success is-size-8 is-block">
+                  <Icon @name="check-circle-fill" />Current
+                </span>
+              </div>
+            {{/if}}
+          </div>
+          {{! version created date }}
+          <div class="is-size-8 has-text-weight-semibold has-text-grey align-self-center">
+            <KvTooltipTimestamp @text="Created" @timestamp={{versionData.created_time}} />
+          </div>
+        </div>
+
+        <div class="level-right">
+          <div class="level-item">
+            <PopupMenu @name="version-{{versionData.version}}">
+              <nav class="menu">
+                <ul class="menu-list">
+                  <li>
+                    <LinkTo @route="secret.details" @query={{hash version=versionData.version}}>
+                      View version
+                      {{versionData.version}}
+                    </LinkTo>
+                  </li>
+                  {{#if @metadata.canCreateVersionData}}
+                    <li>
+                      <LinkTo
+                        @route="secret.details.edit"
+                        @query={{hash version=versionData.version}}
+                        data-test-create-new-version-from={{versionData.version}}
+                        @disabled={{or versionData.destroyed versionData.deletion_time}}
+                      >
+                        Create new version from
+                        {{versionData.version}}
+                      </LinkTo>
+                    </li>
+                  {{/if}}
+                </ul>
+              </nav>
+            </PopupMenu>
+          </div>
+        </div>
+      </div>
+    </LinkedBlock>
+  {{/each}}
+{{else}}
+  <EmptyState
+    @title="You do not have permission to read metadata"
+    @message="Ask your administrator if you think you should have access."
+  />
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/secrets/create.hbs b/ui/lib/kv/addon/components/page/secrets/create.hbs
new file mode 100644
index 0000000000..a8a93fdd51
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secrets/create.hbs
@@ -0,0 +1,65 @@
+<KvPageHeader @breadcrumbs={{@breadcrumbs}} @pageTitle="Create Secret">
+  <:toolbarFilters>
+    <Toggle @name="json" @status="success" @size="small" @checked={{this.showJsonView}} @onChange={{this.toggleJsonView}}>
+      <span class="has-text-grey">JSON</span>
+    </Toggle>
+  </:toolbarFilters>
+</KvPageHeader>
+
+<form {{on "submit" (perform this.save)}}>
+  <div class="box is-sideless is-fullwidth is-bottomless">
+    <NamespaceReminder @mode="create" @noun="secret" />
+    <MessageError @errorMessage={{this.errorMessage}} />
+
+    <KvDataFields
+      @showJson={{this.showJsonView}}
+      @secret={{@secret}}
+      @modelValidations={{this.modelValidations}}
+      @pathValidations={{this.pathValidations}}
+    />
+
+    <ToggleButton
+      @isOpen={{this.showMetadata}}
+      @openLabel="Hide secret metadata"
+      @closedLabel="Show secret metadata"
+      @onClick={{fn (mut this.showMetadata)}}
+      class="is-block"
+      data-test-metadata-toggle
+    />
+    {{#if this.showMetadata}}
+      <div class="box has-container" data-test-metadata-section>
+        <KvMetadataFields @metadata={{@metadata}} @modelValidations={{this.modelValidations}} />
+      </div>
+    {{/if}}
+  </div>
+  <div class="box is-fullwidth is-bottomless">
+    <div class="control">
+      <button
+        type="submit"
+        class="button is-primary {{if this.save.isRunning 'is-loading'}}"
+        disabled={{this.save.isRunning}}
+        data-test-kv-save
+      >
+        Save
+      </button>
+      <button
+        type="button"
+        class="button has-left-margin-s"
+        disabled={{this.save.isRunning}}
+        {{on "click" this.onCancel}}
+        data-test-kv-cancel
+      >
+        Cancel
+      </button>
+    </div>
+    {{#if this.invalidFormAlert}}
+      <AlertInline
+        data-test-invalid-form-alert
+        class="has-top-padding-s"
+        @type="danger"
+        @message={{this.invalidFormAlert}}
+        @mimicRefresh={{true}}
+      />
+    {{/if}}
+  </div>
+</form>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/secrets/create.js b/ui/lib/kv/addon/components/page/secrets/create.js
new file mode 100644
index 0000000000..1bbc85fe3c
--- /dev/null
+++ b/ui/lib/kv/addon/components/page/secrets/create.js
@@ -0,0 +1,127 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { task } from 'ember-concurrency';
+import { inject as service } from '@ember/service';
+import { pathIsFromDirectory } from 'kv/utils/kv-breadcrumbs';
+import errorMessage from 'vault/utils/error-message';
+
+/**
+ * @module KvSecretCreate is used for creating the initial version of a secret
+ *
+ * <Page::Secrets::Create
+ *    @secret={{this.model.secret}}
+ *    @metadata={{this.model.metadata}}
+ *    @breadcrumbs={{this.breadcrumbs}}
+ *  />
+ *
+ * @param {model} secret - Ember data model: 'kv/data', the new record saved by the form
+ * @param {model} metadata - Ember data model: 'kv/metadata'
+ * @param {array} breadcrumbs - breadcrumb objects to render in page header
+ */
+
+export default class KvSecretCreate extends Component {
+  @service flashMessages;
+  @service router;
+  @service store;
+
+  @tracked showJsonView = false;
+  @tracked errorMessage; // only renders for kv/data API errors
+  @tracked modelValidations;
+  @tracked invalidFormAlert;
+
+  @action
+  toggleJsonView() {
+    this.showJsonView = !this.showJsonView;
+  }
+
+  @action
+  pathValidations() {
+    // check path attribute warnings on key up
+    const { state } = this.args.secret.validate();
+    if (state?.path?.warnings) {
+      // only set model validations if warnings exist
+      this.modelValidations = state;
+    }
+  }
+
+  @task
+  *save(event) {
+    event.preventDefault();
+    this.resetErrors();
+
+    const { isValid, state } = this.validate();
+    this.modelValidations = isValid ? null : state;
+    this.invalidFormAlert = isValid ? '' : 'There is an error with this form.';
+
+    const { secret, metadata } = this.args;
+    if (isValid) {
+      try {
+        // try saving secret data first
+        yield secret.save();
+        this.store.clearDataset('kv/metadata'); // Clear out the store cache so that the metadata/list view is updated.
+        this.flashMessages.success(`Successfully saved secret data for: ${secret.path}.`);
+      } catch (error) {
+        this.errorMessage = errorMessage(error);
+      }
+
+      // users must have permission to create secret data to create metadata in the UI
+      // only attempt to save metadata if secret data saves successfully and metadata is edited
+      if (secret.createdTime && this.hasChanged(metadata)) {
+        try {
+          metadata.path = secret.path;
+          yield metadata.save();
+          this.flashMessages.success(`Successfully saved metadata.`);
+        } catch (error) {
+          this.flashMessages.danger(`Secret data was saved but metadata was not: ${errorMessage(error)}`, {
+            sticky: true,
+          });
+        }
+      }
+
+      // prevent transition if there are errors with secret data
+      if (this.errorMessage) {
+        this.invalidFormAlert = 'There was an error submitting this form.';
+      } else {
+        this.router.transitionTo('vault.cluster.secrets.backend.kv.secret.details', secret.path);
+      }
+    }
+  }
+
+  @action
+  onCancel() {
+    const { path } = this.args.secret;
+    pathIsFromDirectory(path)
+      ? this.router.transitionTo('vault.cluster.secrets.backend.kv.list-directory', path)
+      : this.router.transitionTo('vault.cluster.secrets.backend.kv.list');
+  }
+
+  // HELPERS
+
+  validate() {
+    const dataValidations = this.args.secret.validate();
+    const metadataValidations = this.args.metadata.validate();
+    const state = { ...dataValidations.state, ...metadataValidations.state };
+    const failed = !dataValidations.isValid || !metadataValidations.isValid;
+    return { state, isValid: !failed };
+  }
+
+  hasChanged(model) {
+    const fieldName = model.formFields.map((attr) => attr.name);
+    const changedAttrs = Object.keys(model.changedAttributes());
+    // exclusively check if form field attributes have changed ('backend' and 'path' are passed to createRecord)
+    return changedAttrs.any((attr) => fieldName.includes(attr));
+  }
+
+  resetErrors() {
+    this.flashMessages.clearMessages();
+    this.errorMessage = null;
+    this.modelValidations = null;
+    this.invalidFormAlert = null;
+  }
+}
diff --git a/ui/lib/kv/addon/controllers/create.js b/ui/lib/kv/addon/controllers/create.js
new file mode 100644
index 0000000000..da6538b32e
--- /dev/null
+++ b/ui/lib/kv/addon/controllers/create.js
@@ -0,0 +1,10 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Controller from '@ember/controller';
+
+export default class KvCreateController extends Controller {
+  queryParams = ['initialKey'];
+}
diff --git a/ui/lib/kv/addon/controllers/list.js b/ui/lib/kv/addon/controllers/list.js
new file mode 100644
index 0000000000..d1c7e3daa5
--- /dev/null
+++ b/ui/lib/kv/addon/controllers/list.js
@@ -0,0 +1,10 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Controller from '@ember/controller';
+
+export default class KvListController extends Controller {
+  queryParams = ['pageFilter', 'currentPage'];
+}
diff --git a/ui/lib/kv/addon/controllers/secret/details.js b/ui/lib/kv/addon/controllers/secret/details.js
new file mode 100644
index 0000000000..f85868c4dd
--- /dev/null
+++ b/ui/lib/kv/addon/controllers/secret/details.js
@@ -0,0 +1,6 @@
+import Controller from '@ember/controller';
+
+export default class KvSecretDetailsController extends Controller {
+  queryParams = ['version'];
+  version = null;
+}
diff --git a/ui/lib/kv/addon/engine.js b/ui/lib/kv/addon/engine.js
new file mode 100644
index 0000000000..493e971dc5
--- /dev/null
+++ b/ui/lib/kv/addon/engine.js
@@ -0,0 +1,24 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Engine from '@ember/engine';
+
+import loadInitializers from 'ember-load-initializers';
+import Resolver from 'ember-resolver';
+
+import config from './config/environment';
+
+const { modulePrefix } = config;
+
+export default class KvEngine extends Engine {
+  modulePrefix = modulePrefix;
+  Resolver = Resolver;
+  dependencies = {
+    services: ['download', 'namespace', 'router', 'store', 'secret-mount-path', 'flash-messages'],
+    externalRoutes: ['secrets'],
+  };
+}
+
+loadInitializers(KvEngine, modulePrefix);
diff --git a/ui/lib/kv/addon/routes.js b/ui/lib/kv/addon/routes.js
new file mode 100644
index 0000000000..e356c0031b
--- /dev/null
+++ b/ui/lib/kv/addon/routes.js
@@ -0,0 +1,25 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import buildRoutes from 'ember-engines/routes';
+
+export default buildRoutes(function () {
+  // There are two list routes because Ember won't let a route param (e.g. *path_to_secret) be blank.
+  // :path_to_secret is used when we're listing a secret directory. Example { path: '/:beep%2Fboop%2F/directory' });
+  this.route('list');
+  this.route('list-directory', { path: '/:path_to_secret/directory' });
+  this.route('create');
+  this.route('secret', { path: '/:name' }, function () {
+    this.route('details', function () {
+      this.route('edit'); // route to create new version of a secret
+    });
+    this.route('metadata', function () {
+      this.route('edit');
+      this.route('versions');
+      this.route('diff');
+    });
+  });
+  this.route('configuration');
+});
diff --git a/ui/lib/kv/addon/routes/configuration.js b/ui/lib/kv/addon/routes/configuration.js
new file mode 100644
index 0000000000..174b24d18b
--- /dev/null
+++ b/ui/lib/kv/addon/routes/configuration.js
@@ -0,0 +1,32 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { inject as service } from '@ember/service';
+import { hash } from 'rsvp';
+
+export default class KvConfigurationRoute extends Route {
+  @service store;
+
+  model() {
+    const backend = this.modelFor('application');
+    return hash({
+      mountConfig: backend,
+      engineConfig: this.store.findRecord('kv/config', backend.id).catch(() => {
+        // return an empty record so we have access to model capabilities
+        return this.store.createRecord('kv/config', { backend: backend.id });
+      }),
+    });
+  }
+
+  setupController(controller, resolvedModel) {
+    super.setupController(controller, resolvedModel);
+    controller.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: resolvedModel.mountConfig.id, route: 'list' },
+      { label: 'configuration' },
+    ];
+  }
+}
diff --git a/ui/lib/kv/addon/routes/create.js b/ui/lib/kv/addon/routes/create.js
new file mode 100644
index 0000000000..f807d4d8b7
--- /dev/null
+++ b/ui/lib/kv/addon/routes/create.js
@@ -0,0 +1,41 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { inject as service } from '@ember/service';
+import { hash } from 'rsvp';
+import { withConfirmLeave } from 'core/decorators/confirm-leave';
+import { breadcrumbsForSecret } from 'kv/utils/kv-breadcrumbs';
+
+@withConfirmLeave('model.secret', ['model.metadata'])
+export default class KvSecretsCreateRoute extends Route {
+  @service store;
+  @service secretMountPath;
+
+  model(params) {
+    const backend = this.secretMountPath.currentPath;
+    const { initialKey: path } = params;
+
+    return hash({
+      backend,
+      path,
+      // see serializer for logic behind setting casVersion
+      secret: this.store.createRecord('kv/data', { backend, path, casVersion: 0 }),
+      metadata: this.store.createRecord('kv/metadata', { backend, path }),
+    });
+  }
+
+  setupController(controller, resolvedModel) {
+    super.setupController(controller, resolvedModel);
+
+    const crumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: resolvedModel.backend, route: 'list' },
+      ...breadcrumbsForSecret(resolvedModel.path),
+      { label: 'create' },
+    ];
+    controller.breadcrumbs = crumbs;
+  }
+}
diff --git a/ui/lib/kv/addon/routes/error.js b/ui/lib/kv/addon/routes/error.js
new file mode 100644
index 0000000000..3a010c208f
--- /dev/null
+++ b/ui/lib/kv/addon/routes/error.js
@@ -0,0 +1,20 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { inject as service } from '@ember/service';
+
+export default class KvErrorRoute extends Route {
+  @service secretMountPath;
+
+  setupController(controller) {
+    super.setupController(...arguments);
+    controller.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.secretMountPath.currentPath, route: 'list' },
+    ];
+    controller.mountName = this.secretMountPath.currentPath;
+  }
+}
diff --git a/ui/lib/kv/addon/routes/list-directory.js b/ui/lib/kv/addon/routes/list-directory.js
new file mode 100644
index 0000000000..cf1cc2dd4e
--- /dev/null
+++ b/ui/lib/kv/addon/routes/list-directory.js
@@ -0,0 +1,89 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { inject as service } from '@ember/service';
+import { hash } from 'rsvp';
+import { normalizePath } from 'vault/utils/path-encoding-helpers';
+import { breadcrumbsForSecret } from 'kv/utils/kv-breadcrumbs';
+
+export default class KvSecretsListRoute extends Route {
+  @service store;
+  @service router;
+  @service secretMountPath;
+
+  queryParams = {
+    pageFilter: {
+      refreshModel: true,
+    },
+    currentPage: {
+      refreshModel: true,
+    },
+  };
+
+  async fetchMetadata(backend, pathToSecret, params) {
+    return await this.store
+      .lazyPaginatedQuery('kv/metadata', {
+        backend,
+        responsePath: 'data.keys',
+        page: Number(params.currentPage) || 1,
+        size: Number(params.currentPageSize),
+        pageFilter: params.pageFilter,
+        pathToSecret,
+      })
+      .catch((err) => {
+        if (err.httpStatus === 403) {
+          return 403;
+        }
+        if (err.httpStatus === 404) {
+          return [];
+        } else {
+          throw err;
+        }
+      });
+  }
+
+  model(params) {
+    const { pageFilter, path_to_secret } = params;
+    const pathToSecret = path_to_secret ? normalizePath(path_to_secret) : '';
+    const backend = this.secretMountPath.currentPath;
+    const filterValue = pathToSecret ? (pageFilter ? pathToSecret + pageFilter : pathToSecret) : pageFilter;
+    return hash({
+      secrets: this.fetchMetadata(backend, pathToSecret, params),
+      backend,
+      pathToSecret,
+      filterValue,
+      pageFilter,
+    });
+  }
+
+  setupController(controller, resolvedModel) {
+    super.setupController(controller, resolvedModel);
+    if (resolvedModel.secrets === 403) {
+      resolvedModel.noMetadataListPermissions = true;
+    }
+
+    let breadcrumbsArray = [{ label: 'secrets', route: 'secrets', linkExternal: true }];
+    // if on top level don't link the engine breadcrumb label, but if within a directory, do link back to top level.
+    if (this.routeName === 'list') {
+      breadcrumbsArray.push({ label: resolvedModel.backend });
+    } else {
+      breadcrumbsArray = [
+        ...breadcrumbsArray,
+        { label: resolvedModel.backend, route: 'list' },
+        ...breadcrumbsForSecret(resolvedModel.pathToSecret, true),
+      ];
+    }
+
+    controller.set('breadcrumbs', breadcrumbsArray);
+  }
+
+  resetController(controller, isExiting) {
+    if (isExiting) {
+      controller.set('pageFilter', null);
+      controller.set('currentPage', null);
+    }
+  }
+}
diff --git a/ui/lib/kv/addon/routes/list.js b/ui/lib/kv/addon/routes/list.js
new file mode 100644
index 0000000000..abcd7fd4f4
--- /dev/null
+++ b/ui/lib/kv/addon/routes/list.js
@@ -0,0 +1,6 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+export { default } from './list-directory';
diff --git a/ui/lib/kv/addon/routes/secret.js b/ui/lib/kv/addon/routes/secret.js
new file mode 100644
index 0000000000..3fd41429fd
--- /dev/null
+++ b/ui/lib/kv/addon/routes/secret.js
@@ -0,0 +1,35 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { inject as service } from '@ember/service';
+import { hash } from 'rsvp';
+
+export default class KvSecretRoute extends Route {
+  @service secretMountPath;
+  @service store;
+
+  fetchSecretData(backend, path) {
+    // This will always return a record unless 404 not found (show error) or control group
+    return this.store.queryRecord('kv/data', { backend, path });
+  }
+
+  fetchSecretMetadata(backend, path) {
+    // catch error and do nothing because kv/data model handles metadata capabilities
+    return this.store.queryRecord('kv/metadata', { backend, path }).catch(() => {});
+  }
+
+  model() {
+    const backend = this.secretMountPath.currentPath;
+    const { name: path } = this.paramsFor('secret');
+
+    return hash({
+      path,
+      backend,
+      secret: this.fetchSecretData(backend, path),
+      metadata: this.fetchSecretMetadata(backend, path),
+    });
+  }
+}
diff --git a/ui/lib/kv/addon/routes/secret/details.js b/ui/lib/kv/addon/routes/secret/details.js
new file mode 100644
index 0000000000..88217a5218
--- /dev/null
+++ b/ui/lib/kv/addon/routes/secret/details.js
@@ -0,0 +1,50 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { inject as service } from '@ember/service';
+import { hash } from 'rsvp';
+
+export default class KvSecretDetailsRoute extends Route {
+  @service store;
+
+  queryParams = {
+    version: {
+      refreshModel: true,
+    },
+  };
+
+  model(params) {
+    const parentModel = this.modelFor('secret');
+    // Only fetch versioned data if selected version does not match parent (current) version
+    // and parentModel.secret has failReadErrorCode since permissions aren't version specific
+    if (
+      params.version &&
+      parentModel.secret.version !== params.version &&
+      !parentModel.secret.failReadErrorCode
+    ) {
+      // query params have changed by selecting a different version from the dropdown
+      // fire off new request for that version's secret data
+      const { backend, path } = parentModel;
+      return hash({
+        ...parentModel,
+        secret: this.store.queryRecord('kv/data', { backend, path, version: params.version }),
+      });
+    }
+    return parentModel;
+  }
+
+  setupController(controller, resolvedModel) {
+    super.setupController(controller, resolvedModel);
+    const { version } = this.paramsFor(this.routeName);
+    controller.set('version', resolvedModel.secret.version || version);
+  }
+
+  resetController(controller, isExiting) {
+    if (isExiting) {
+      controller.set('version', null);
+    }
+  }
+}
diff --git a/ui/lib/kv/addon/routes/secret/details/edit.js b/ui/lib/kv/addon/routes/secret/details/edit.js
new file mode 100644
index 0000000000..0360dadb29
--- /dev/null
+++ b/ui/lib/kv/addon/routes/secret/details/edit.js
@@ -0,0 +1,39 @@
+import Route from '@ember/routing/route';
+import { inject as service } from '@ember/service';
+import { hash } from 'rsvp';
+import { withConfirmLeave } from 'core/decorators/confirm-leave';
+import { breadcrumbsForSecret } from 'kv/utils/kv-breadcrumbs';
+
+@withConfirmLeave('model.newVersion')
+export default class KvSecretDetailsEditRoute extends Route {
+  @service store;
+
+  model() {
+    const parentModel = this.modelFor('secret.details');
+    const { backend, path, secret, metadata } = parentModel;
+    return hash({
+      secret,
+      metadata,
+      backend,
+      path,
+      newVersion: this.store.createRecord('kv/data', {
+        backend,
+        path,
+        secretData: secret?.secretData,
+        // see serializer for logic behind setting casVersion
+        casVersion: metadata?.currentVersion || secret?.version,
+      }),
+    });
+  }
+
+  setupController(controller, resolvedModel) {
+    super.setupController(controller, resolvedModel);
+
+    controller.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: resolvedModel.backend, route: 'list' },
+      ...breadcrumbsForSecret(resolvedModel.path),
+      { label: 'edit' },
+    ];
+  }
+}
diff --git a/ui/lib/kv/addon/routes/secret/details/index.js b/ui/lib/kv/addon/routes/secret/details/index.js
new file mode 100644
index 0000000000..ff88a602f6
--- /dev/null
+++ b/ui/lib/kv/addon/routes/secret/details/index.js
@@ -0,0 +1,21 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { breadcrumbsForSecret } from 'kv/utils/kv-breadcrumbs';
+
+export default class KvSecretDetailsIndexRoute extends Route {
+  setupController(controller, resolvedModel) {
+    super.setupController(controller, resolvedModel);
+
+    const breadcrumbsArray = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: resolvedModel.backend, route: 'list' },
+      ...breadcrumbsForSecret(resolvedModel.path, true),
+    ];
+
+    controller.breadcrumbs = breadcrumbsArray;
+  }
+}
diff --git a/ui/lib/kv/addon/routes/secret/index.js b/ui/lib/kv/addon/routes/secret/index.js
new file mode 100644
index 0000000000..df0fa00f15
--- /dev/null
+++ b/ui/lib/kv/addon/routes/secret/index.js
@@ -0,0 +1,15 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { inject as service } from '@ember/service';
+
+export default class SecretIndex extends Route {
+  @service router;
+
+  redirect() {
+    this.router.transitionTo('vault.cluster.secrets.backend.kv.secret.details');
+  }
+}
diff --git a/ui/lib/kv/addon/routes/secret/metadata/diff.js b/ui/lib/kv/addon/routes/secret/metadata/diff.js
new file mode 100644
index 0000000000..ad94103ad4
--- /dev/null
+++ b/ui/lib/kv/addon/routes/secret/metadata/diff.js
@@ -0,0 +1,22 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { breadcrumbsForSecret } from 'kv/utils/kv-breadcrumbs';
+
+export default class KvSecretMetadataDiffRoute extends Route {
+  setupController(controller, resolvedModel) {
+    super.setupController(controller, resolvedModel);
+
+    const breadcrumbsArray = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: resolvedModel.backend, route: 'list' },
+      ...breadcrumbsForSecret(resolvedModel.path),
+      { label: 'version diff' },
+    ];
+
+    controller.set('breadcrumbs', breadcrumbsArray);
+  }
+}
diff --git a/ui/lib/kv/addon/routes/secret/metadata/edit.js b/ui/lib/kv/addon/routes/secret/metadata/edit.js
new file mode 100644
index 0000000000..3b43f5de0d
--- /dev/null
+++ b/ui/lib/kv/addon/routes/secret/metadata/edit.js
@@ -0,0 +1,25 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { breadcrumbsForSecret } from 'kv/utils/kv-breadcrumbs';
+
+export default class KvSecretMetadataEditRoute extends Route {
+  // model passed from 'secret' route, if we need to access or intercept
+  // it can retrieved via `this.modelFor('secret'), which includes the metadata model.
+
+  setupController(controller, resolvedModel) {
+    super.setupController(controller, resolvedModel);
+    const breadcrumbsArray = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: resolvedModel.backend, route: 'list' },
+      ...breadcrumbsForSecret(resolvedModel.path),
+      { label: 'metadata', route: 'secret.metadata' },
+      { label: 'edit' },
+    ];
+
+    controller.set('breadcrumbs', breadcrumbsArray);
+  }
+}
diff --git a/ui/lib/kv/addon/routes/secret/metadata/index.js b/ui/lib/kv/addon/routes/secret/metadata/index.js
new file mode 100644
index 0000000000..0d886794d0
--- /dev/null
+++ b/ui/lib/kv/addon/routes/secret/metadata/index.js
@@ -0,0 +1,24 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { breadcrumbsForSecret } from 'kv/utils/kv-breadcrumbs';
+
+export default class KvSecretMetadataIndexRoute extends Route {
+  // model passed from parent secret route, if we need to access or intercept
+  // it can retrieved via `this.modelFor('secret'), which includes the metadata model.
+
+  setupController(controller, resolvedModel) {
+    super.setupController(controller, resolvedModel);
+    const breadcrumbsArray = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: resolvedModel.backend, route: 'list' },
+      ...breadcrumbsForSecret(resolvedModel.path),
+      { label: 'metadata' },
+    ];
+
+    controller.set('breadcrumbs', breadcrumbsArray);
+  }
+}
diff --git a/ui/lib/kv/addon/routes/secret/metadata/versions.js b/ui/lib/kv/addon/routes/secret/metadata/versions.js
new file mode 100644
index 0000000000..f0e1db9c39
--- /dev/null
+++ b/ui/lib/kv/addon/routes/secret/metadata/versions.js
@@ -0,0 +1,21 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Route from '@ember/routing/route';
+import { breadcrumbsForSecret } from 'kv/utils/kv-breadcrumbs';
+
+export default class KvSecretMetadataVersionsRoute extends Route {
+  setupController(controller, resolvedModel) {
+    super.setupController(controller, resolvedModel);
+    const breadcrumbsArray = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: resolvedModel.backend, route: 'list' },
+      ...breadcrumbsForSecret(resolvedModel.path),
+      { label: 'version history' },
+    ];
+
+    controller.set('breadcrumbs', breadcrumbsArray);
+  }
+}
diff --git a/ui/lib/kv/addon/templates/configuration.hbs b/ui/lib/kv/addon/templates/configuration.hbs
new file mode 100644
index 0000000000..16ce46d55c
--- /dev/null
+++ b/ui/lib/kv/addon/templates/configuration.hbs
@@ -0,0 +1,5 @@
+<Page::Configuration
+  @engineConfig={{this.model.engineConfig}}
+  @mountConfig={{this.model.mountConfig}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/templates/create.hbs b/ui/lib/kv/addon/templates/create.hbs
new file mode 100644
index 0000000000..860a449bc4
--- /dev/null
+++ b/ui/lib/kv/addon/templates/create.hbs
@@ -0,0 +1 @@
+<Page::Secrets::Create @secret={{this.model.secret}} @metadata={{this.model.metadata}} @breadcrumbs={{this.breadcrumbs}} />
\ No newline at end of file
diff --git a/ui/lib/kv/addon/templates/error.hbs b/ui/lib/kv/addon/templates/error.hbs
new file mode 100644
index 0000000000..5569721be0
--- /dev/null
+++ b/ui/lib/kv/addon/templates/error.hbs
@@ -0,0 +1,8 @@
+<KvPageHeader @breadcrumbs={{this.breadcrumbs}} @mountName={{this.mountName}}>
+  <:tabLinks>
+    <LinkTo @route="list" data-test-secrets-tab="Secrets">Secrets</LinkTo>
+    <LinkTo @route="configuration" data-test-secrets-tab="Configuration">Configuration</LinkTo>
+  </:tabLinks>
+</KvPageHeader>
+
+<Page::Error @error={{this.model}} />
\ No newline at end of file
diff --git a/ui/lib/kv/addon/templates/list-directory.hbs b/ui/lib/kv/addon/templates/list-directory.hbs
new file mode 100644
index 0000000000..77328497f7
--- /dev/null
+++ b/ui/lib/kv/addon/templates/list-directory.hbs
@@ -0,0 +1,9 @@
+<Page::List
+  @secrets={{this.model.secrets}}
+  @backend={{this.model.backend}}
+  @pathToSecret={{this.model.pathToSecret}}
+  @pageFilter={{this.model.pageFilter}}
+  @filterValue={{this.model.filterValue}}
+  @noMetadataListPermissions={{this.model.noMetadataListPermissions}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/templates/list.hbs b/ui/lib/kv/addon/templates/list.hbs
new file mode 100644
index 0000000000..77328497f7
--- /dev/null
+++ b/ui/lib/kv/addon/templates/list.hbs
@@ -0,0 +1,9 @@
+<Page::List
+  @secrets={{this.model.secrets}}
+  @backend={{this.model.backend}}
+  @pathToSecret={{this.model.pathToSecret}}
+  @pageFilter={{this.model.pageFilter}}
+  @filterValue={{this.model.filterValue}}
+  @noMetadataListPermissions={{this.model.noMetadataListPermissions}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/templates/secret/details/edit.hbs b/ui/lib/kv/addon/templates/secret/details/edit.hbs
new file mode 100644
index 0000000000..8702d64ff1
--- /dev/null
+++ b/ui/lib/kv/addon/templates/secret/details/edit.hbs
@@ -0,0 +1,7 @@
+<Page::Secret::Edit
+  @secret={{this.model.newVersion}}
+  @previousVersion={{this.model.secret.version}}
+  @currentVersion={{this.model.metadata.currentVersion}}
+  @breadcrumbs={{this.breadcrumbs}}
+  @noReadAccess={{eq this.model.secret.failReadErrorCode 403}}
+/>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/templates/secret/details/index.hbs b/ui/lib/kv/addon/templates/secret/details/index.hbs
new file mode 100644
index 0000000000..cdbfd72e01
--- /dev/null
+++ b/ui/lib/kv/addon/templates/secret/details/index.hbs
@@ -0,0 +1,6 @@
+<Page::Secret::Details
+  @path={{this.model.path}}
+  @secret={{this.model.secret}}
+  @metadata={{this.model.metadata}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/templates/secret/metadata/diff.hbs b/ui/lib/kv/addon/templates/secret/metadata/diff.hbs
new file mode 100644
index 0000000000..97b37f1261
--- /dev/null
+++ b/ui/lib/kv/addon/templates/secret/metadata/diff.hbs
@@ -0,0 +1,6 @@
+<Page::Secret::Metadata::VersionDiff
+  @metadata={{this.model.metadata}}
+  @path={{this.model.path}}
+  @backend={{this.model.backend}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/templates/secret/metadata/edit.hbs b/ui/lib/kv/addon/templates/secret/metadata/edit.hbs
new file mode 100644
index 0000000000..429e591617
--- /dev/null
+++ b/ui/lib/kv/addon/templates/secret/metadata/edit.hbs
@@ -0,0 +1,6 @@
+<Page::Secret::Metadata::Edit
+  @metadata={{this.model.metadata}}
+  @breadcrumbs={{this.breadcrumbs}}
+  @onCancel={{transition-to "vault.cluster.secrets.backend.kv.secret.metadata" this.model.metadata.path}}
+  @onSave={{transition-to "vault.cluster.secrets.backend.kv.secret.metadata" this.model.metadata.path}}
+/>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/templates/secret/metadata/index.hbs b/ui/lib/kv/addon/templates/secret/metadata/index.hbs
new file mode 100644
index 0000000000..05958a56f1
--- /dev/null
+++ b/ui/lib/kv/addon/templates/secret/metadata/index.hbs
@@ -0,0 +1,6 @@
+<Page::Secret::Metadata::Details
+  @metadata={{this.model.metadata}}
+  @path={{this.model.path}}
+  @breadcrumbs={{this.breadcrumbs}}
+  @secret={{this.model.secret}}
+/>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/templates/secret/metadata/versions.hbs b/ui/lib/kv/addon/templates/secret/metadata/versions.hbs
new file mode 100644
index 0000000000..5c9595658f
--- /dev/null
+++ b/ui/lib/kv/addon/templates/secret/metadata/versions.hbs
@@ -0,0 +1,5 @@
+<Page::Secret::Metadata::VersionHistory
+  @metadata={{this.model.metadata}}
+  @path={{this.model.path}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/utils/kv-breadcrumbs.js b/ui/lib/kv/addon/utils/kv-breadcrumbs.js
new file mode 100644
index 0000000000..5236038270
--- /dev/null
+++ b/ui/lib/kv/addon/utils/kv-breadcrumbs.js
@@ -0,0 +1,53 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+export function pathIsDirectory(pathToSecret) {
+  // This regex only checks for / at the end of the string. ex: boop/ === true, boop/bop === false;
+  return pathToSecret ? !!pathToSecret.match(/\/$/) : false;
+}
+
+export function pathIsFromDirectory(path) {
+  // This regex just looks for a / anywhere in the path. ex: boop/ === true, boop/bop === true;
+  return path ? !!path.match(/\//) : false;
+}
+
+function splitSegments(secretPath) {
+  const segments = secretPath.split('/').filter((path) => path);
+  segments.map((_, index) => {
+    return segments.slice(0, index + 1).join('/');
+  });
+  return segments.map((segment, idx) => {
+    return {
+      label: segment,
+      model: segments.slice(0, idx + 1).join('/'),
+    };
+  });
+}
+
+/**
+ * breadcrumbsForSecret is for generating page breadcrumbs for a secret path
+ * @param {string} secretPath is the full path to secret (like 'my-secret' or 'beep/boop')
+ * @param {boolean} lastItemCurrent
+ * @returns array of breadcrumbs specific to KV engine
+ */
+export function breadcrumbsForSecret(secretPath, lastItemCurrent = false) {
+  if (!secretPath) return [];
+  const isDir = pathIsDirectory(secretPath);
+  const segments = splitSegments(secretPath);
+
+  return segments.map((segment, index) => {
+    if (index === segments.length - 1) {
+      if (lastItemCurrent) {
+        return {
+          label: segment.label,
+        };
+      }
+      if (!isDir) {
+        return { label: segment.label, route: 'secret.details', model: segment.model };
+      }
+    }
+    return { label: segment.label, route: 'list-directory', model: `${segment.model}/` };
+  });
+}
diff --git a/ui/lib/kv/app/utils/kv-breadcrumbs.js b/ui/lib/kv/app/utils/kv-breadcrumbs.js
new file mode 100644
index 0000000000..ea70476e02
--- /dev/null
+++ b/ui/lib/kv/app/utils/kv-breadcrumbs.js
@@ -0,0 +1 @@
+export { default } from 'kv/utils/kv-breadcrumbs';
diff --git a/ui/lib/kv/config/environment.js b/ui/lib/kv/config/environment.js
new file mode 100644
index 0000000000..40ea64f52e
--- /dev/null
+++ b/ui/lib/kv/config/environment.js
@@ -0,0 +1,16 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+/* eslint-env node */
+'use strict';
+
+module.exports = function (environment) {
+  const ENV = {
+    modulePrefix: 'kv',
+    environment,
+  };
+
+  return ENV;
+};
diff --git a/ui/lib/kv/index.js b/ui/lib/kv/index.js
new file mode 100644
index 0000000000..c265f3ebfd
--- /dev/null
+++ b/ui/lib/kv/index.js
@@ -0,0 +1,22 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+/* eslint-env node */
+/* eslint-disable n/no-extraneous-require */
+'use strict';
+
+const { buildEngine } = require('ember-engines/lib/engine-addon');
+
+module.exports = buildEngine({
+  name: 'kv',
+
+  lazyLoading: {
+    enabled: false,
+  },
+
+  isDevelopingAddon() {
+    return true;
+  },
+});
diff --git a/ui/lib/kv/package.json b/ui/lib/kv/package.json
new file mode 100644
index 0000000000..4942e70fea
--- /dev/null
+++ b/ui/lib/kv/package.json
@@ -0,0 +1,18 @@
+{
+  "name": "kv",
+  "keywords": [
+    "ember-addon",
+    "ember-engine"
+  ],
+  "dependencies": {
+    "ember-cli-htmlbars": "*",
+    "ember-cli-babel": "*",
+    "ember-concurrency": "*",
+    "@ember/test-waiters": "*"
+  },
+  "ember-addon": {
+    "paths": [
+      "../core"
+    ]
+  }
+}
\ No newline at end of file
diff --git a/ui/lib/pki/addon/templates/certificates/index.hbs b/ui/lib/pki/addon/templates/certificates/index.hbs
index b04fa899df..58586fcae6 100644
--- a/ui/lib/pki/addon/templates/certificates/index.hbs
+++ b/ui/lib/pki/addon/templates/certificates/index.hbs
@@ -43,7 +43,6 @@
                         Details
                       </LinkTo>
                     </li>
-                    {{! ARG TODO ask Ivana if we wnat revoke or maybe download action here? }}
                   </ul>
                 </nav>
               </PopupMenu>
diff --git a/ui/mirage/factories/kv-metadatum.js b/ui/mirage/factories/kv-metadatum.js
new file mode 100644
index 0000000000..b350b8d6b4
--- /dev/null
+++ b/ui/mirage/factories/kv-metadatum.js
@@ -0,0 +1,60 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+// This cannot be called kv-metadata because mirage checks for plural factory names, and metadata and data are considered plural. It will throw an error.
+import { Factory, trait } from 'ember-cli-mirage';
+
+// define data outside of factory for linting error: https://github.com/ember-cli/eslint-plugin-ember/issues/202#issuecomment-356255988
+const data = {
+  path: 'my-secret',
+  backend: 'kv-engine',
+  cas_required: true,
+  created_time: '2018-03-22T02:24:06.945319214Z',
+  current_version: 4,
+  delete_version_after: '3h25m19s',
+  max_versions: 15,
+  oldest_version: 0,
+  updated_time: '2018-03-22T02:36:43.986212308Z',
+  versions: {
+    1: {
+      created_time: '2023-07-20T02:12:09.11529Z',
+      deletion_time: '',
+      destroyed: false,
+    },
+    2: {
+      created_time: '2023-07-20T02:15:35.86465Z',
+      deletion_time: '2023-07-25T00:36:19.950545Z',
+      destroyed: false,
+    },
+    3: {
+      created_time: '2023-07-20T02:15:40.164549Z',
+      deletion_time: '',
+      destroyed: true,
+    },
+    4: {
+      created_time: '2023-07-21T03:11:58.095971Z',
+      deletion_time: '',
+      destroyed: false,
+    },
+  },
+};
+
+export default Factory.extend({
+  data,
+
+  withCustomMetadata: trait({
+    custom_metadata: {
+      foo: 'abc',
+      bar: '123',
+      baz: '5c07d823-3810-48f6-a147-4c06b5219e84',
+    },
+  }),
+
+  withCustomPath: trait({
+    path(i) {
+      return `my-secret-${i}`;
+    },
+  }),
+});
diff --git a/ui/package.json b/ui/package.json
index cbcf141048..be7cad9e41 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -240,6 +240,7 @@
       "lib/keep-gitkeep",
       "lib/kmip",
       "lib/kubernetes",
+      "lib/kv",
       "lib/open-api-explorer",
       "lib/pki",
       "lib/replication",
diff --git a/ui/tests/acceptance/secrets/backend/cubbyhole/secret-test.js b/ui/tests/acceptance/secrets/backend/cubbyhole/secret-test.js
index de167f002d..af0b645345 100644
--- a/ui/tests/acceptance/secrets/backend/cubbyhole/secret-test.js
+++ b/ui/tests/acceptance/secrets/backend/cubbyhole/secret-test.js
@@ -7,19 +7,20 @@ import { currentRouteName, settled } from '@ember/test-helpers';
 import { module, test } from 'qunit';
 import { setupApplicationTest } from 'ember-qunit';
 import { v4 as uuidv4 } from 'uuid';
+import { setupMirage } from 'ember-cli-mirage/test-support';
 
 import editPage from 'vault/tests/pages/secrets/backend/kv/edit-secret';
 import showPage from 'vault/tests/pages/secrets/backend/kv/show';
 import listPage from 'vault/tests/pages/secrets/backend/list';
-import apiStub from 'vault/tests/helpers/noop-all-api-requests';
 import authPage from 'vault/tests/pages/auth';
+import assertSecretWrap from 'vault/tests/helpers/secret-edit-toolbar';
 
 module('Acceptance | secrets/cubbyhole/create', function (hooks) {
   setupApplicationTest(hooks);
+  setupMirage(hooks);
 
   hooks.beforeEach(function () {
     this.uid = uuidv4();
-    this.server = apiStub({ usePassthrough: true });
     return authPage.login();
   });
 
@@ -28,7 +29,9 @@ module('Acceptance | secrets/cubbyhole/create', function (hooks) {
   });
 
   test('it creates and can view a secret with the cubbyhole backend', async function (assert) {
+    assert.expect(5);
     const kvPath = `cubbyhole-kv-${this.uid}`;
+    const requestPath = `cubbyhole/${kvPath}`;
     await listPage.visitRoot({ backend: 'cubbyhole' });
     await settled();
     assert.strictEqual(
@@ -48,5 +51,7 @@ module('Acceptance | secrets/cubbyhole/create', function (hooks) {
     );
     assert.dom('[data-test-created-time]').hasText('', 'it does not render created time if blank');
     assert.ok(showPage.editIsPresent, 'shows the edit button');
+
+    await assertSecretWrap(assert, this.server, requestPath);
   });
 });
diff --git a/ui/tests/acceptance/secrets/backend/database/secret-test.js b/ui/tests/acceptance/secrets/backend/database/secret-test.js
index 286e203afc..2bceb84008 100644
--- a/ui/tests/acceptance/secrets/backend/database/secret-test.js
+++ b/ui/tests/acceptance/secrets/backend/database/secret-test.js
@@ -14,18 +14,10 @@ import connectionPage from 'vault/tests/pages/secrets/backend/database/connectio
 import rolePage from 'vault/tests/pages/secrets/backend/database/role';
 import authPage from 'vault/tests/pages/auth';
 import logout from 'vault/tests/pages/logout';
-import consoleClass from 'vault/tests/pages/components/console/ui-panel';
 import searchSelect from 'vault/tests/pages/components/search-select';
-import {
-  createPolicyCmd,
-  deleteEngineCmd,
-  mountEngineCmd,
-  runCmd,
-  tokenWithPolicyCmd,
-} from 'vault/tests/helpers/commands';
+import { deleteEngineCmd, mountEngineCmd, runCmd, tokenWithPolicyCmd } from 'vault/tests/helpers/commands';
 
 const searchSelectComponent = create(searchSelect);
-const consoleComponent = create(consoleClass);
 
 const newConnection = async (backend, plugin = 'mongodb-database-plugin') => {
   const name = `connection-${Date.now()}`;
@@ -231,10 +223,11 @@ module('Acceptance | secrets/database/*', function (hooks) {
   hooks.beforeEach(async function () {
     this.backend = `database-testing`;
     await authPage.login();
-    return consoleComponent.runCommands(mountEngineCmd('database', this.backend));
+    return runCmd(mountEngineCmd('database', this.backend), false);
   });
-  hooks.afterEach(function () {
-    return consoleComponent.runCommands(deleteEngineCmd(this.backend));
+  hooks.afterEach(async function () {
+    await authPage.login();
+    return runCmd(deleteEngineCmd(this.backend), false);
   });
 
   test('can enable the database secrets engine', async function (assert) {
@@ -256,7 +249,7 @@ module('Acceptance | secrets/database/*', function (hooks) {
     assert.dom('[data-test-secret-list-tab="Roles"]').exists('Has Roles tab');
     await visit('/vault/secrets');
     // Cleanup backend
-    await consoleComponent.runCommands(deleteEngineCmd(backend));
+    await runCmd(deleteEngineCmd(backend), false);
   });
 
   for (const testCase of connectionTests) {
@@ -446,15 +439,8 @@ module('Acceptance | secrets/database/*', function (hooks) {
       path "${backend}/config/*" {
         capabilities = ["read"]
       }
-      # allow backend cleanup on afterEach
-      path "sys/mounts/${backend}" {
-        capabilities = ["delete"]
-      }
     `;
-    const token = await runCmd(consoleComponent, [
-      ...createPolicyCmd('test-policy', CONNECTION_VIEW_ONLY),
-      ...tokenWithPolicyCmd('test-policy'),
-    ]);
+    const token = await runCmd(tokenWithPolicyCmd('test-policy', CONNECTION_VIEW_ONLY));
     await navToConnection(backend, connection);
     assert
       .dom('[data-test-database-connection-delete]')
@@ -540,10 +526,7 @@ module('Acceptance | secrets/database/*', function (hooks) {
         capabilities = ["list", "create", "read", "update"]
       }
     `;
-    const token = await runCmd(consoleComponent, [
-      ...createPolicyCmd('test-policy', NO_ROLES_POLICY),
-      ...tokenWithPolicyCmd('test-policy'),
-    ]);
+    const token = await runCmd(tokenWithPolicyCmd('test-policy', NO_ROLES_POLICY));
 
     // test root user flow first
     await visit(`/vault/secrets/${backend}/overview`);
diff --git a/ui/tests/acceptance/secrets/backend/kv/breadcrumbs-test.js b/ui/tests/acceptance/secrets/backend/kv/breadcrumbs-test.js
index af84b6365f..b545e04620 100644
--- a/ui/tests/acceptance/secrets/backend/kv/breadcrumbs-test.js
+++ b/ui/tests/acceptance/secrets/backend/kv/breadcrumbs-test.js
@@ -12,6 +12,7 @@ import consoleClass from 'vault/tests/pages/components/console/ui-panel';
 
 const consolePanel = create(consoleClass);
 
+// TODO: replace with workflow-navigation
 module('Acceptance | kv | breadcrumbs', function (hooks) {
   setupApplicationTest(hooks);
 
diff --git a/ui/tests/acceptance/secrets/backend/kv/diff-test.js b/ui/tests/acceptance/secrets/backend/kv/diff-test.js
index 58cdd487a2..ed6dbb9d37 100644
--- a/ui/tests/acceptance/secrets/backend/kv/diff-test.js
+++ b/ui/tests/acceptance/secrets/backend/kv/diff-test.js
@@ -15,6 +15,7 @@ import consoleClass from 'vault/tests/pages/components/console/ui-panel';
 
 const consoleComponent = create(consoleClass);
 
+// TODO: replace with workflow-diff-test
 module('Acceptance | kv2 diff view', function (hooks) {
   setupApplicationTest(hooks);
 
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-create-new-version-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-create-new-version-test.js
new file mode 100644
index 0000000000..8c64718d6c
--- /dev/null
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-create-new-version-test.js
@@ -0,0 +1,64 @@
+import { module, test } from 'qunit';
+import { setupApplicationTest } from 'ember-qunit';
+import { v4 as uuidv4 } from 'uuid';
+import { click, currentURL, fillIn, visit } from '@ember/test-helpers';
+import authPage from 'vault/tests/pages/auth';
+import enablePage from 'vault/tests/pages/settings/mount-secret-backend';
+import { FORM, PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+import { deleteEngineCmd, runCmd } from 'vault/tests/helpers/commands';
+
+module('Acceptance | kv | creates a secret and a new version', function (hooks) {
+  setupApplicationTest(hooks);
+  hooks.beforeEach(async function () {
+    await authPage.login();
+    // Setup KV engine
+    this.mountPath = `kv-engine-${uuidv4()}`;
+    await enablePage.enable('kv', this.mountPath);
+  });
+
+  hooks.afterEach(async function () {
+    await authPage.login();
+    // Cleanup engine
+    await runCmd(deleteEngineCmd(this.mountPath), false);
+  });
+
+  test('it creates a new secret then a new secret version and navigates to details route', async function (assert) {
+    assert.expect(9);
+
+    const secretPath = 'my-secret';
+    await visit(`/vault/secrets/${this.mountPath}/kv/list`);
+    assert.dom(PAGE.emptyStateTitle).hasText('No secrets yet');
+    assert
+      .dom(`${PAGE.emptyStateActions} a`)
+      .hasAttribute('href', `/ui/vault/secrets/${this.mountPath}/kv/create`);
+    await click(PAGE.list.createSecret);
+    assert.strictEqual(currentURL(), `/vault/secrets/${this.mountPath}/kv/create`, 'url is correct');
+
+    await fillIn(FORM.inputByAttr('path'), secretPath);
+    await fillIn(FORM.keyInput(), 'foo-1');
+    await fillIn(FORM.maskedValueInput(), 'bar-1');
+    await click(FORM.saveBtn);
+    assert.strictEqual(currentURL(), `/vault/secrets/${this.mountPath}/kv/${secretPath}/details?version=1`);
+
+    await click(PAGE.detail.createNewVersion);
+    assert.strictEqual(
+      currentURL(),
+      `/vault/secrets/${this.mountPath}/kv/${secretPath}/details/edit?version=1`
+    );
+    assert.dom(FORM.inputByAttr('path')).isDisabled();
+
+    await fillIn(FORM.keyInput(1), 'foo-2');
+    await fillIn(FORM.maskedValueInput(1), 'bar-2');
+    await click(FORM.saveBtn);
+    assert.strictEqual(currentURL(), `/vault/secrets/${this.mountPath}/kv/${secretPath}/details?version=2`);
+
+    await visit(`/vault/secrets/${this.mountPath}/kv/list`);
+    await click(PAGE.list.item(secretPath));
+    assert.strictEqual(
+      currentURL(),
+      `/vault/secrets/${this.mountPath}/kv/${secretPath}/details?version=2`,
+      'list view navigates to latest version'
+    );
+    assert.dom(PAGE.detail.versionTimestamp).hasTextContaining('Version 2');
+  });
+});
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-engine-permissions-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-engine-permissions-test.js
new file mode 100644
index 0000000000..7eeea27ac3
--- /dev/null
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-engine-permissions-test.js
@@ -0,0 +1,110 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupApplicationTest } from 'ember-qunit';
+import { v4 as uuidv4 } from 'uuid';
+
+import authPage from 'vault/tests/pages/auth';
+import { currentURL, visit } from '@ember/test-helpers';
+import { adminPolicy, dataPolicy, metadataPolicy } from 'vault/tests/helpers/policy-generator/kv';
+import { deleteEngineCmd, mountEngineCmd, runCmd, tokenWithPolicyCmd } from 'vault/tests/helpers/commands';
+import { writeSecret } from 'vault/tests/helpers/kv/kv-run-commands';
+import { PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+
+/*
+This test module tests KV permissions views, each module is is a separate tab (i.e. secret, metadata)
+each sub-module is a different state, for example:
+- it renders secret details
+- it renders secret details after a version is deleted
+
+And each test authenticates using varying permissions testing that view state renders as expected.
+*/
+// TODO: replace with workflow-* tests
+module('Acceptance | kv permissions', function (hooks) {
+  setupApplicationTest(hooks);
+
+  hooks.beforeEach(async function () {
+    await authPage.login();
+    this.uid = uuidv4();
+    // Setup KV engine
+    this.mountPath = `kv-engine-${this.uid}`;
+    await runCmd(mountEngineCmd('kv-v2', this.mountPath));
+    return authPage.logout();
+  });
+
+  hooks.afterEach(async function () {
+    await authPage.login();
+    // Cleanup engine
+    await runCmd(deleteEngineCmd(this.mountPath));
+  });
+
+  module('secret tab', function (hooks) {
+    hooks.beforeEach(async function () {
+      // Create secret
+      await authPage.login();
+      this.secretPath = `my-secret-${this.uid}`;
+      await writeSecret(this.mountPath, this.secretPath, 'foo', 'bar');
+      // Create different policy test cases
+      const kv_admin_policy = adminPolicy(this.mountPath);
+      this.kvAdminToken = await runCmd(tokenWithPolicyCmd('kv-admin', kv_admin_policy));
+
+      const no_metadata_read =
+        dataPolicy({ backend: this.mountPath, secretPath: this.secretPath }) +
+        metadataPolicy({ backend: this.mountPath, capabilities: ['list'] });
+      this.cannotReadMetadata = await runCmd(tokenWithPolicyCmd('kv-no-metadata-read', no_metadata_read));
+
+      const no_data_read = dataPolicy({
+        backend: this.mountPath,
+        secretPath: this.secretPath,
+        capabilities: ['list'],
+      });
+      this.cannotReadData = await runCmd(tokenWithPolicyCmd('kv-no-metadata-read', no_data_read));
+      await authPage.logout();
+    });
+
+    module('it renders secret details page', function () {
+      test('it shows all tabs for admin policy', async function (assert) {
+        assert.expect(4);
+        await authPage.login(this.kvAdminToken);
+        await visit(`/vault/secrets/${this.mountPath}/kv/${this.secretPath}/details`);
+        assert.strictEqual(currentURL(), `/vault/secrets/${this.mountPath}/kv/${this.secretPath}/details`);
+        assert.dom(PAGE.secretTab('Secret')).exists();
+        assert.dom(PAGE.secretTab('Metadata')).exists();
+        assert.dom(PAGE.secretTab('Version History')).exists();
+      });
+
+      test('it hides tabs when no metadata read', async function (assert) {
+        assert.expect(4);
+        await authPage.login(this.cannotReadMetadata);
+        await visit(`/vault/secrets/${this.mountPath}/kv/${this.secretPath}/details`);
+        assert.strictEqual(currentURL(), `/vault/secrets/${this.mountPath}/kv/${this.secretPath}/details`);
+        assert.dom(PAGE.secretTab('Secret')).exists();
+        assert.dom(PAGE.secretTab('Metadata')).exists();
+        assert.dom(PAGE.secretTab('Version History')).doesNotExist();
+      });
+
+      test('it shows empty state when cannot read secret data', async function (assert) {
+        assert.expect(6);
+        await authPage.login(this.cannotReadData);
+        await visit(`/vault/secrets/${this.mountPath}/kv/${this.secretPath}/details`);
+        assert.strictEqual(currentURL(), `/vault/secrets/${this.mountPath}/kv/${this.secretPath}/details`);
+        assert.dom(PAGE.secretTab('Secret')).exists();
+        assert.dom(PAGE.secretTab('Metadata')).exists();
+        assert.dom(PAGE.secretTab('Version History')).doesNotExist();
+        assert.dom(PAGE.emptyStateTitle).hasText('You do not have permission to read this secret');
+        assert
+          .dom(PAGE.emptyStateMessage)
+          .hasText(
+            'Your policies may permit you to write a new version of this secret, but do not allow you to read its current contents.'
+          );
+      });
+    });
+
+    module('it renders secret details page after deleting a version', function () {
+      // TODO delete secret and test different policy views
+    });
+  });
+});
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-create-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-create-test.js
new file mode 100644
index 0000000000..b0d15c7aee
--- /dev/null
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-create-test.js
@@ -0,0 +1,1031 @@
+import { module, test } from 'qunit';
+import { v4 as uuidv4 } from 'uuid';
+import { click, currentURL, fillIn, typeIn, visit } from '@ember/test-helpers';
+
+import { setupApplicationTest } from 'vault/tests/helpers';
+import authPage from 'vault/tests/pages/auth';
+import { deleteEngineCmd, mountEngineCmd, runCmd, tokenWithPolicyCmd } from 'vault/tests/helpers/commands';
+import { personas } from 'vault/tests/helpers/policy-generator/kv';
+import { clearRecords, writeVersionedSecret } from 'vault/tests/helpers/kv/kv-run-commands';
+import { FORM, PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+import { setupControlGroup } from 'vault/tests/helpers/control-groups';
+
+/**
+ * This test set is for testing the flow for creating new secrets and versions.
+ * Letter(s) in parenthesis at the end are shorthand for the persona,
+ * for ease of tracking down specific tests failures from CI
+ */
+module('Acceptance | kv-v2 workflow | secret and version create', function (hooks) {
+  setupApplicationTest(hooks);
+
+  hooks.beforeEach(async function () {
+    this.backend = `kv-create-${uuidv4()}`;
+    this.store = this.owner.lookup('service:store');
+    await authPage.login();
+    await runCmd(mountEngineCmd('kv-v2', this.backend), false);
+    await writeVersionedSecret(this.backend, 'app/first', 'foo', 'bar', 2);
+  });
+
+  hooks.afterEach(async function () {
+    await authPage.login();
+    return runCmd(deleteEngineCmd(this.backend));
+  });
+
+  module('admin persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd(tokenWithPolicyCmd('admin', personas.admin(this.backend)));
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('cancel on create clears model (a)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      assert.dom(PAGE.list.item()).exists({ count: 1 }, 'single secret exists on list');
+      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      await click(PAGE.list.createSecret);
+      await fillIn(FORM.inputByAttr('path'), 'jk');
+      await click(FORM.cancelBtn);
+      assert.dom(PAGE.list.item()).exists({ count: 1 }, 'same amount of secrets');
+      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      await click(PAGE.list.createSecret);
+      await fillIn(FORM.inputByAttr('path'), 'psych');
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.dom(PAGE.list.item()).exists({ count: 1 }, 'same amount of secrets');
+      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+    });
+    test('cancel on new version rolls back model (a)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/${encodeURIComponent('app/first')}/details`);
+      assert.dom(PAGE.infoRowValue('foo')).exists('key has expected value');
+      await click(PAGE.detail.createNewVersion);
+      await fillIn(FORM.keyInput(), 'bar');
+      await click(FORM.cancelBtn);
+      assert.dom(PAGE.infoRowValue('foo')).exists('secret is previous value');
+      await click(PAGE.detail.createNewVersion);
+      await fillIn(FORM.keyInput(), 'bar');
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.dom(PAGE.infoRowValue('foo')).exists('secret is previous value');
+    });
+    test('create & update root secret with default metadata (a)', async function (assert) {
+      const backend = this.backend;
+      const secretPath = 'some secret';
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await click(PAGE.list.createSecret);
+
+      // Create secret form -- validations
+      await click(FORM.saveBtn);
+      assert.dom(FORM.invalidFormAlert).hasText('There is an error with this form.');
+      assert.dom(FORM.validation('path')).hasText("Path can't be blank.");
+      await typeIn(FORM.inputByAttr('path'), secretPath);
+      assert
+        .dom(FORM.validationWarning)
+        .hasText(
+          "Path contains whitespace. If this is desired, you'll need to encode it with %20 in API requests."
+        );
+      assert.dom(PAGE.create.metadataSection).doesNotExist('Hides metadata section by default');
+
+      // Submit with API errors
+      await click(FORM.saveBtn);
+      assert.dom(FORM.messageError).hasText('Error no data provided', 'API error shows on form');
+
+      await fillIn(FORM.keyInput(), 'api_key');
+      await fillIn(FORM.maskedValueInput(), 'partyparty');
+      await click(FORM.saveBtn);
+
+      // Details page
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${encodeURIComponent(secretPath)}/details?version=1`,
+        'Goes to details page after save'
+      );
+      assert.dom(PAGE.detail.versionTimestamp).includesText('Version 1 created');
+      assert.dom(PAGE.secretRow).exists({ count: 1 }, '1 row of data shows');
+      assert.dom(PAGE.infoRowValue('api_key')).hasText('***********');
+      await click(PAGE.infoRowToggleMasked('api_key'));
+      assert.dom(PAGE.infoRowValue('api_key')).hasText('partyparty', 'secret value shows after toggle');
+
+      // Metadata page
+      await click(PAGE.secretTab('Metadata'));
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('No custom metadata', 'No custom metadata empty state');
+      assert
+        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.secretRow}`)
+        .exists({ count: 4 }, '4 metadata rows show');
+      assert.dom(PAGE.infoRowValue('Maximum versions')).hasText('0', 'max versions shows 0');
+      assert.dom(PAGE.infoRowValue('Check-and-Set required')).hasText('No', 'cas not enforced');
+      assert
+        .dom(PAGE.infoRowValue('Delete version after'))
+        .hasText('Never delete', 'Delete version after has default 0s');
+
+      // Add new version
+      await click(PAGE.secretTab('Secret'));
+      await click(PAGE.detail.createNewVersion);
+      assert.dom(FORM.inputByAttr('path')).isDisabled('path input is disabled');
+      assert.dom(FORM.inputByAttr('path')).hasValue(secretPath);
+      assert.dom(FORM.toggleMetadata).doesNotExist('Does not show metadata toggle when creating new version');
+      assert.dom(FORM.keyInput()).hasValue('api_key');
+      assert.dom(FORM.maskedValueInput()).hasValue('partyparty');
+      await fillIn(FORM.keyInput(1), 'api_url');
+      await fillIn(FORM.maskedValueInput(1), 'hashicorp.com');
+      await click(FORM.saveBtn);
+
+      // Back to details page
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${encodeURIComponent(secretPath)}/details?version=2`
+      );
+      assert.dom(PAGE.detail.versionTimestamp).includesText('Version 2 created');
+      assert.dom(PAGE.secretRow).exists({ count: 2 }, '2 rows of data shows');
+      assert.dom(PAGE.infoRowValue('api_key')).hasText('***********');
+      assert.dom(PAGE.infoRowValue('api_url')).hasText('***********');
+      await click(PAGE.infoRowToggleMasked('api_key'));
+      await click(PAGE.infoRowToggleMasked('api_url'));
+      assert.dom(PAGE.infoRowValue('api_key')).hasText('partyparty', 'secret value shows after toggle');
+      assert.dom(PAGE.infoRowValue('api_url')).hasText('hashicorp.com', 'secret value shows after toggle');
+    });
+    test('create nested secret with metadata (a)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await click(PAGE.list.createSecret);
+
+      // Create secret
+      await typeIn(FORM.inputByAttr('path'), 'my/');
+      assert.dom(FORM.validation('path')).hasText("Path can't end in forward slash '/'.");
+      await typeIn(FORM.inputByAttr('path'), 'secret');
+      assert.dom(FORM.validation('path')).doesNotExist('form validation goes away');
+      await fillIn(FORM.keyInput(), 'password');
+      await fillIn(FORM.maskedValueInput(), 'kittens1234');
+
+      await click(FORM.toggleMetadata);
+      assert.dom(PAGE.create.metadataSection).exists('Shows metadata section after toggled');
+      // Check initial values
+      assert.dom(FORM.inputByAttr('maxVersions')).hasValue('0');
+      assert.dom(FORM.inputByAttr('casRequired')).isNotChecked();
+      assert.dom(FORM.toggleByLabel('Automate secret deletion')).isNotChecked();
+      // MaxVersions validation
+      await fillIn(FORM.inputByAttr('maxVersions'), 'seven');
+      await click(FORM.saveBtn);
+      assert.dom(FORM.validation('maxVersions')).hasText('Maximum versions must be a number.');
+      await fillIn(FORM.inputByAttr('maxVersions'), '99999999999999999');
+      await click(FORM.saveBtn);
+      assert.dom(FORM.validation('maxVersions')).hasText('You cannot go over 16 characters.');
+      await fillIn(FORM.inputByAttr('maxVersions'), '7');
+
+      // Fill in other metadata
+      await click(FORM.inputByAttr('casRequired'));
+      await click(FORM.toggleByLabel('Automate secret deletion'));
+      await fillIn(FORM.ttlValue('Automate secret deletion'), '1000');
+
+      // Fill in custom metadata
+      await fillIn(`${PAGE.create.metadataSection} ${FORM.keyInput()}`, 'team');
+      await fillIn(`${PAGE.create.metadataSection} ${FORM.valueInput()}`, 'UI');
+      // Fill in metadata
+      await click(FORM.saveBtn);
+
+      // Details
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${encodeURIComponent('my/secret')}/details?version=1`
+      );
+      assert.dom(PAGE.detail.versionTimestamp).includesText('Version 1 created');
+      assert.dom(PAGE.secretRow).exists({ count: 1 }, '1 row of data shows');
+      assert.dom(PAGE.infoRowValue('password')).hasText('***********');
+      await click(PAGE.infoRowToggleMasked('password'));
+      assert.dom(PAGE.infoRowValue('password')).hasText('kittens1234', 'secret value shows after toggle');
+
+      // Metadata
+      await click(PAGE.secretTab('Metadata'));
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.secretRow}`)
+        .exists({ count: 1 }, 'One custom metadata row shows');
+      assert.dom(`${PAGE.metadata.customMetadataSection} ${PAGE.infoRowValue('team')}`).hasText('UI');
+
+      assert
+        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.secretRow}`)
+        .exists({ count: 4 }, '4 metadata rows show');
+      assert.dom(PAGE.infoRowValue('Maximum versions')).hasText('7', 'max versions shows 0');
+      assert.dom(PAGE.infoRowValue('Check-and-Set required')).hasText('Yes', 'cas enforced');
+      assert
+        .dom(PAGE.infoRowValue('Delete version after'))
+        .hasText('16 minutes 40 seconds', 'Delete version after has custom value');
+    });
+    test('creates a secret at a sub-directory (a)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/app%2F/directory`);
+      assert.dom(PAGE.list.item('first')).exists('Lists first sub-secret');
+      assert.dom(PAGE.list.item('new')).doesNotExist('Does not show new secret');
+      await click(PAGE.list.createSecret);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/create?initialKey=app%2F`,
+        'Goes to create page with initialKey'
+      );
+      await typeIn(FORM.inputByAttr('path'), 'new');
+      await fillIn(FORM.keyInput(), 'api_key');
+      await fillIn(FORM.maskedValueInput(), 'partyparty');
+      await click(FORM.saveBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${encodeURIComponent('app/new')}/details?version=1`,
+        'Redirects to detail after save'
+      );
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/app%2F/directory`, 'sub-dir page');
+      assert.dom(PAGE.list.item('new')).exists('Lists new secret in sub-dir');
+    });
+    test('create new version of secret from older version (a)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/app%2Ffirst/details`);
+      await click(PAGE.detail.versionDropdown);
+      await click(`${PAGE.detail.version(1)} a`);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Ffirst/details?version=1`,
+        'goes to version 1'
+      );
+      assert.dom(PAGE.detail.versionTimestamp).includesText('Version 1 created');
+      await click(PAGE.detail.createNewVersion);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Ffirst/details/edit?version=1`,
+        'Goes to new version page'
+      );
+      assert
+        .dom(FORM.versionAlert)
+        .hasText(
+          'Warning You are creating a new version based on data from Version 1. The current version for app/first is Version 2.',
+          'Shows version warning'
+        );
+      assert.dom(FORM.keyInput()).hasValue('key-1', 'Key input has old value');
+      assert.dom(FORM.maskedValueInput()).hasValue('val-1', 'Val input has old value');
+
+      await fillIn(FORM.keyInput(), 'my-key');
+      await fillIn(FORM.maskedValueInput(), 'my-value');
+      await click(FORM.saveBtn);
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Ffirst/details?version=3`,
+        'goes to latest version 3'
+      );
+      await click(PAGE.infoRowToggleMasked('my-key'));
+      assert.dom(PAGE.infoRowValue('my-key')).hasText('my-value', 'has new value');
+    });
+  });
+
+  module('data-reader persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd(tokenWithPolicyCmd('data-reader', personas.dataReader(this.backend)));
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('cancel on create clears model (dr)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      assert.dom(PAGE.list.item()).doesNotExist('list view has no items');
+      await click(PAGE.list.createSecret);
+      await fillIn(FORM.inputByAttr('path'), 'jk');
+      await click(FORM.cancelBtn);
+      assert.dom(PAGE.list.item()).doesNotExist('list view still has no items');
+      await click(PAGE.list.createSecret);
+      await fillIn(FORM.inputByAttr('path'), 'psych');
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.dom(PAGE.list.item()).doesNotExist('list view still has no items');
+    });
+    test('cancel on new version rolls back model (dr)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/${encodeURIComponent('app/first')}/details`);
+      assert.dom(PAGE.infoRowValue('foo')).exists('key has expected value');
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist();
+    });
+    test('create & update root secret with default metadata (dr)', async function (assert) {
+      const backend = this.backend;
+      const secretPath = 'some secret';
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await click(PAGE.list.createSecret);
+
+      // Create secret form -- validations
+      await click(FORM.saveBtn);
+      assert.dom(FORM.invalidFormAlert).hasText('There is an error with this form.');
+      assert.dom(FORM.validation('path')).hasText("Path can't be blank.");
+      await typeIn(FORM.inputByAttr('path'), secretPath);
+      assert
+        .dom(FORM.validationWarning)
+        .hasText(
+          "Path contains whitespace. If this is desired, you'll need to encode it with %20 in API requests."
+        );
+      assert.dom(PAGE.create.metadataSection).doesNotExist('Hides metadata section by default');
+
+      // Submit with API errors
+      await click(FORM.saveBtn);
+      assert
+        .dom(FORM.messageError)
+        .hasText('Error 1 error occurred: * permission denied', 'API error shows on form');
+
+      // Since this persona can't create a new secret, test update with existing:
+      await visit(`/vault/secrets/${backend}/kv/app%2Ffirst/details`);
+      assert.dom(PAGE.detail.versionTimestamp).includesText('Version 2 created');
+      assert.dom(PAGE.secretRow).exists({ count: 1 }, '1 row of data shows');
+      assert.dom(PAGE.infoRowValue('foo')).hasText('***********');
+      await click(PAGE.infoRowToggleMasked('foo'));
+      assert.dom(PAGE.infoRowValue('foo')).hasText('bar', 'secret value shows after toggle');
+
+      // Metadata page
+      await click(PAGE.secretTab('Metadata'));
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('No custom metadata', 'No custom metadata empty state');
+      assert
+        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('You do not have access to secret metadata', 'shows no access state on metadata');
+
+      // Add new version
+      await click(PAGE.secretTab('Secret'));
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+    });
+    test('create nested secret with metadata (dr)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await click(PAGE.list.createSecret);
+
+      // Create secret
+      await typeIn(FORM.inputByAttr('path'), 'my/');
+      assert.dom(FORM.validation('path')).hasText("Path can't end in forward slash '/'.");
+      await typeIn(FORM.inputByAttr('path'), 'secret');
+      assert.dom(FORM.validation('path')).doesNotExist('form validation goes away');
+      await fillIn(FORM.keyInput(), 'password');
+      await fillIn(FORM.maskedValueInput(), 'kittens1234');
+
+      await click(FORM.toggleMetadata);
+      assert.dom(PAGE.create.metadataSection).exists('Shows metadata section after toggled');
+      // Check initial values
+      assert.dom(FORM.inputByAttr('maxVersions')).hasValue('0');
+      assert.dom(FORM.inputByAttr('casRequired')).isNotChecked();
+      assert.dom(FORM.toggleByLabel('Automate secret deletion')).isNotChecked();
+      // MaxVersions validation
+      await fillIn(FORM.inputByAttr('maxVersions'), 'seven');
+      await click(FORM.saveBtn);
+      assert.dom(FORM.validation('maxVersions')).hasText('Maximum versions must be a number.');
+      await fillIn(FORM.inputByAttr('maxVersions'), '99999999999999999');
+      await click(FORM.saveBtn);
+      assert.dom(FORM.validation('maxVersions')).hasText('You cannot go over 16 characters.');
+      await fillIn(FORM.inputByAttr('maxVersions'), '7');
+
+      // Fill in other metadata
+      await click(FORM.inputByAttr('casRequired'));
+      await click(FORM.toggleByLabel('Automate secret deletion'));
+      await fillIn(FORM.ttlValue('Automate secret deletion'), '1000');
+
+      // Fill in custom metadata
+      await fillIn(`${PAGE.create.metadataSection} ${FORM.keyInput()}`, 'team');
+      await fillIn(`${PAGE.create.metadataSection} ${FORM.valueInput()}`, 'UI');
+      // Fill in metadata
+      await click(FORM.saveBtn);
+      assert
+        .dom(FORM.messageError)
+        .hasText('Error 1 error occurred: * permission denied', 'API error shows on form');
+    });
+    test('creates a secret at a sub-directory (dr)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/app%2F/directory`);
+      assert.dom(PAGE.list.item()).doesNotExist('Does not list any secrets');
+      await click(PAGE.list.createSecret);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/create?initialKey=app%2F`,
+        'Goes to create page with initialKey'
+      );
+      await typeIn(FORM.inputByAttr('path'), 'new');
+      await fillIn(FORM.keyInput(), 'api_key');
+      await fillIn(FORM.maskedValueInput(), 'partyparty');
+      await click(FORM.saveBtn);
+      assert
+        .dom(FORM.messageError)
+        .hasText('Error 1 error occurred: * permission denied', 'API error shows on form');
+    });
+    test('create new version of secret from older version (dr)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/app%2Ffirst/details?version=1`);
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('version dropdown does not show');
+      assert.dom(PAGE.detail.versionTimestamp).includesText('Version 1 created');
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+    });
+  });
+
+  module('data-list-reader persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd(
+        tokenWithPolicyCmd('data-list-reader', personas.dataListReader(this.backend))
+      );
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('cancel on create clears model (dlr)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      assert.dom(PAGE.list.item()).exists({ count: 1 }, 'single secret exists on list');
+      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      await click(PAGE.list.createSecret);
+      await fillIn(FORM.inputByAttr('path'), 'jk');
+      await click(FORM.cancelBtn);
+      assert.dom(PAGE.list.item()).exists({ count: 1 }, 'same amount of secrets');
+      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      await click(PAGE.list.createSecret);
+      await fillIn(FORM.inputByAttr('path'), 'psych');
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.dom(PAGE.list.item()).exists({ count: 1 }, 'same amount of secrets');
+      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+    });
+    test('cancel on new version rolls back model (dlr)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/${encodeURIComponent('app/first')}/details`);
+      assert.dom(PAGE.infoRowValue('foo')).exists('key has expected value');
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+    });
+    test('create & update root secret with default metadata (dlr)', async function (assert) {
+      const backend = this.backend;
+      const secretPath = 'some secret';
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await click(PAGE.list.createSecret);
+
+      // Create secret form -- validations
+      await click(FORM.saveBtn);
+      assert.dom(FORM.invalidFormAlert).hasText('There is an error with this form.');
+      assert.dom(FORM.validation('path')).hasText("Path can't be blank.");
+      await typeIn(FORM.inputByAttr('path'), secretPath);
+      assert
+        .dom(FORM.validationWarning)
+        .hasText(
+          "Path contains whitespace. If this is desired, you'll need to encode it with %20 in API requests."
+        );
+      assert.dom(PAGE.create.metadataSection).doesNotExist('Hides metadata section by default');
+
+      // Submit with API errors
+      await click(FORM.saveBtn);
+      assert
+        .dom(FORM.messageError)
+        .hasText('Error 1 error occurred: * permission denied', 'API error shows on form');
+
+      // Since this persona can't create a new secret, test update with existing:
+      await visit(`/vault/secrets/${backend}/kv/app%2Ffirst/details`);
+      assert.dom(PAGE.detail.versionTimestamp).includesText('Version 2 created');
+      assert.dom(PAGE.secretRow).exists({ count: 1 }, '1 row of data shows');
+      assert.dom(PAGE.infoRowValue('foo')).hasText('***********');
+      await click(PAGE.infoRowToggleMasked('foo'));
+      assert.dom(PAGE.infoRowValue('foo')).hasText('bar', 'secret value shows after toggle');
+
+      // Metadata page
+      await click(PAGE.secretTab('Metadata'));
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('No custom metadata', 'No custom metadata empty state');
+      assert
+        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('You do not have access to secret metadata', 'shows no access state on metadata');
+
+      // Add new version
+      await click(PAGE.secretTab('Secret'));
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+    });
+    test('create nested secret with metadata (dlr)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await click(PAGE.list.createSecret);
+
+      // Create secret
+      await typeIn(FORM.inputByAttr('path'), 'my/');
+      assert.dom(FORM.validation('path')).hasText("Path can't end in forward slash '/'.");
+      await typeIn(FORM.inputByAttr('path'), 'secret');
+      assert.dom(FORM.validation('path')).doesNotExist('form validation goes away');
+      await fillIn(FORM.keyInput(), 'password');
+      await fillIn(FORM.maskedValueInput(), 'kittens1234');
+
+      await click(FORM.toggleMetadata);
+      assert.dom(PAGE.create.metadataSection).exists('Shows metadata section after toggled');
+      // Check initial values
+      assert.dom(FORM.inputByAttr('maxVersions')).hasValue('0');
+      assert.dom(FORM.inputByAttr('casRequired')).isNotChecked();
+      assert.dom(FORM.toggleByLabel('Automate secret deletion')).isNotChecked();
+      // MaxVersions validation
+      await fillIn(FORM.inputByAttr('maxVersions'), 'seven');
+      await click(FORM.saveBtn);
+      assert.dom(FORM.validation('maxVersions')).hasText('Maximum versions must be a number.');
+      await fillIn(FORM.inputByAttr('maxVersions'), '99999999999999999');
+      await click(FORM.saveBtn);
+      assert.dom(FORM.validation('maxVersions')).hasText('You cannot go over 16 characters.');
+      await fillIn(FORM.inputByAttr('maxVersions'), '7');
+
+      // Fill in other metadata
+      await click(FORM.inputByAttr('casRequired'));
+      await click(FORM.toggleByLabel('Automate secret deletion'));
+      await fillIn(FORM.ttlValue('Automate secret deletion'), '1000');
+
+      // Fill in custom metadata
+      await fillIn(`${PAGE.create.metadataSection} ${FORM.keyInput()}`, 'team');
+      await fillIn(`${PAGE.create.metadataSection} ${FORM.valueInput()}`, 'UI');
+      // Fill in metadata
+      await click(FORM.saveBtn);
+      assert
+        .dom(FORM.messageError)
+        .hasText('Error 1 error occurred: * permission denied', 'API error shows on form');
+    });
+    test('creates a secret at a sub-directory (dlr)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/app%2F/directory`);
+      assert.dom(PAGE.list.item()).doesNotExist('Does not list any secrets');
+      await click(PAGE.list.createSecret);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/create?initialKey=app%2F`,
+        'Goes to create page with initialKey'
+      );
+      await typeIn(FORM.inputByAttr('path'), 'new');
+      await fillIn(FORM.keyInput(), 'api_key');
+      await fillIn(FORM.maskedValueInput(), 'partyparty');
+      await click(FORM.saveBtn);
+      assert
+        .dom(FORM.messageError)
+        .hasText('Error 1 error occurred: * permission denied', 'API error shows on form');
+    });
+    test('create new version of secret from older version (dlr)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/app%2Ffirst/details?version=1`);
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('version dropdown does not show');
+      assert.dom(PAGE.detail.versionTimestamp).includesText('Version 1 created');
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+    });
+  });
+
+  module('metadata-maintainer persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd(
+        tokenWithPolicyCmd('data-list-reader', personas.metadataMaintainer(this.backend))
+      );
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('cancel on create clears model (mm)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      assert.dom(PAGE.list.item()).exists({ count: 1 }, 'single secret exists on list');
+      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      await click(PAGE.list.createSecret);
+      await fillIn(FORM.inputByAttr('path'), 'jk');
+      await click(FORM.cancelBtn);
+      assert.dom(PAGE.list.item()).exists({ count: 1 }, 'same amount of secrets');
+      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      await click(PAGE.list.createSecret);
+      await fillIn(FORM.inputByAttr('path'), 'psych');
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.dom(PAGE.list.item()).exists({ count: 1 }, 'same amount of secrets');
+      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+    });
+    test('cancel on new version rolls back model (mm)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/${encodeURIComponent('app/first')}/details`);
+      assert.dom(PAGE.emptyStateTitle).hasText('You do not have permission to read this secret');
+      assert
+        .dom(PAGE.detail.createNewVersion)
+        .doesNotExist('create new version button now allowed since user cannot read existing');
+    });
+    test('create & update root secret with default metadata (mm)', async function (assert) {
+      const backend = this.backend;
+      const secretPath = 'some secret';
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await click(PAGE.list.createSecret);
+
+      // Create secret form -- validations
+      await click(FORM.saveBtn);
+      assert.dom(FORM.invalidFormAlert).hasText('There is an error with this form.');
+      assert.dom(FORM.validation('path')).hasText("Path can't be blank.");
+      await typeIn(FORM.inputByAttr('path'), secretPath);
+      assert
+        .dom(FORM.validationWarning)
+        .hasText(
+          "Path contains whitespace. If this is desired, you'll need to encode it with %20 in API requests."
+        );
+      assert.dom(PAGE.create.metadataSection).doesNotExist('Hides metadata section by default');
+
+      // Submit with API errors
+      await click(FORM.saveBtn);
+      assert
+        .dom(FORM.messageError)
+        .hasText('Error 1 error occurred: * permission denied', 'API error shows on form');
+
+      // Since this persona can't create a new secret, test update with existing:
+      await visit(`/vault/secrets/${backend}/kv/app%2Ffirst/details`);
+      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('Version created tooltip does not show');
+      assert.dom(PAGE.secretRow).doesNotExist('secret data not shown');
+      assert.dom(PAGE.emptyStateTitle).hasText('You do not have permission to read this secret');
+
+      // Metadata page
+      await click(PAGE.secretTab('Metadata'));
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('No custom metadata', 'No custom metadata empty state');
+      assert
+        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.secretRow}`)
+        .exists({ count: 4 }, '4 metadata rows show');
+      assert.dom(PAGE.infoRowValue('Maximum versions')).hasText('0', 'max versions shows 0');
+      assert.dom(PAGE.infoRowValue('Check-and-Set required')).hasText('No', 'cas not enforced');
+      assert
+        .dom(PAGE.infoRowValue('Delete version after'))
+        .hasText('Never delete', 'Delete version after has default 0s');
+
+      // Add new version
+      await click(PAGE.secretTab('Secret'));
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('create new version button not rendered');
+      await visit(`/vault/secrets/${backend}/kv/app%2Ffirst/details/edit?version=1`);
+      assert
+        .dom(FORM.noReadAlert)
+        .hasText(
+          'Warning You do not have read permissions for this secret data. Saving will overwrite the existing secret.',
+          'shows alert for no read permissions'
+        );
+
+      assert.dom(FORM.inputByAttr('path')).isDisabled('path input is disabled');
+      assert.dom(FORM.inputByAttr('path')).hasValue('app/first');
+      assert.dom(FORM.toggleMetadata).doesNotExist('Does not show metadata toggle when creating new version');
+      assert.dom(FORM.keyInput()).hasValue('', 'first row has no key');
+      assert.dom(FORM.maskedValueInput()).hasValue('', 'first row has no value');
+      await fillIn(FORM.keyInput(), 'api_url');
+      await fillIn(FORM.maskedValueInput(), 'hashicorp.com');
+      await click(FORM.saveBtn);
+      assert
+        .dom(FORM.messageError)
+        .hasText('Error 1 error occurred: * permission denied', 'API error shows on form');
+    });
+    test('create nested secret with metadata (mm)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await click(PAGE.list.createSecret);
+
+      // Create secret
+      await typeIn(FORM.inputByAttr('path'), 'my/');
+      assert.dom(FORM.validation('path')).hasText("Path can't end in forward slash '/'.");
+      await typeIn(FORM.inputByAttr('path'), 'secret');
+      assert.dom(FORM.validation('path')).doesNotExist('form validation goes away');
+      await fillIn(FORM.keyInput(), 'password');
+      await fillIn(FORM.maskedValueInput(), 'kittens1234');
+
+      await click(FORM.toggleMetadata);
+      assert.dom(PAGE.create.metadataSection).exists('Shows metadata section after toggled');
+      // Check initial values
+      assert.dom(FORM.inputByAttr('maxVersions')).hasValue('0');
+      assert.dom(FORM.inputByAttr('casRequired')).isNotChecked();
+      assert.dom(FORM.toggleByLabel('Automate secret deletion')).isNotChecked();
+      // MaxVersions validation
+      await fillIn(FORM.inputByAttr('maxVersions'), 'seven');
+      await click(FORM.saveBtn);
+      assert.dom(FORM.validation('maxVersions')).hasText('Maximum versions must be a number.');
+      await fillIn(FORM.inputByAttr('maxVersions'), '99999999999999999');
+      await click(FORM.saveBtn);
+      assert.dom(FORM.validation('maxVersions')).hasText('You cannot go over 16 characters.');
+      await fillIn(FORM.inputByAttr('maxVersions'), '7');
+
+      // Fill in other metadata
+      await click(FORM.inputByAttr('casRequired'));
+      await click(FORM.toggleByLabel('Automate secret deletion'));
+      await fillIn(FORM.ttlValue('Automate secret deletion'), '1000');
+
+      // Fill in custom metadata
+      await fillIn(`${PAGE.create.metadataSection} ${FORM.keyInput()}`, 'team');
+      await fillIn(`${PAGE.create.metadataSection} ${FORM.valueInput()}`, 'UI');
+
+      await click(FORM.saveBtn);
+      assert
+        .dom(FORM.messageError)
+        .hasText('Error 1 error occurred: * permission denied', 'API error shows on form');
+    });
+    test('creates a secret at a sub-directory (mm)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/app%2F/directory`);
+      assert.dom(PAGE.list.item('first')).exists('Lists first sub-secret');
+      assert.dom(PAGE.list.item('new')).doesNotExist('Does not show new secret');
+      await click(PAGE.list.createSecret);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/create?initialKey=app%2F`,
+        'Goes to create page with initialKey'
+      );
+      await typeIn(FORM.inputByAttr('path'), 'new');
+      await fillIn(FORM.keyInput(), 'api_key');
+      await fillIn(FORM.maskedValueInput(), 'partyparty');
+      await click(FORM.saveBtn);
+      assert
+        .dom(FORM.messageError)
+        .hasText('Error 1 error occurred: * permission denied', 'API error shows on form');
+    });
+    test('create new version of secret from older version (mm)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/app%2Ffirst/details`);
+      assert.dom(PAGE.detail.versionDropdown).hasText('Version current');
+      await click(PAGE.detail.versionDropdown);
+      await click(`${PAGE.detail.version(1)} a`);
+      // TODO: works IRL but QP missing on test
+      // assert.strictEqual(
+      //   currentURL(),
+      //   `/vault/secrets/${backend}/kv/app%2Ffirst/details?version=1`,
+      //   'goes to version 1'
+      // );
+      assert.dom(PAGE.detail.versionDropdown).hasText('Version 1');
+      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('version timestamp not shown');
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('create new version button not rendered');
+      await visit(`/vault/secrets/${backend}/kv/app%2Ffirst/details/edit?version=1`);
+      assert
+        .dom(FORM.noReadAlert)
+        .hasText(
+          'Warning You do not have read permissions for this secret data. Saving will overwrite the existing secret.',
+          'shows alert for no read permissions'
+        );
+
+      assert.dom(FORM.inputByAttr('path')).isDisabled('path input is disabled');
+      assert.dom(FORM.inputByAttr('path')).hasValue('app/first');
+      assert.dom(FORM.toggleMetadata).doesNotExist('Does not show metadata toggle when creating new version');
+      assert.dom(FORM.keyInput()).hasValue('', 'first row has no key');
+      assert.dom(FORM.maskedValueInput()).hasValue('', 'first row has no value');
+      await fillIn(FORM.keyInput(), 'api_url');
+      await fillIn(FORM.maskedValueInput(), 'hashicorp.com');
+      await click(FORM.saveBtn);
+      assert
+        .dom(FORM.messageError)
+        .hasText('Error 1 error occurred: * permission denied', 'API error shows on form');
+    });
+  });
+
+  module('secret-creator persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd(tokenWithPolicyCmd('secret-creator', personas.secretCreator(this.backend)));
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('cancel on create clears model (sc)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      assert.dom(PAGE.list.item()).doesNotExist('list view has no items');
+      await click(PAGE.list.createSecret);
+      await fillIn(FORM.inputByAttr('path'), 'jk');
+      await click(FORM.cancelBtn);
+      assert.dom(PAGE.list.item()).doesNotExist('list view still has no items');
+      await click(PAGE.list.createSecret);
+      await fillIn(FORM.inputByAttr('path'), 'psych');
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.dom(PAGE.list.item()).doesNotExist('list view still has no items');
+    });
+    test('cancel on new version rolls back model (sc)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/${encodeURIComponent('app/first')}/details`);
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText('You do not have permission to read this secret', 'no permissions state shows');
+      await click(PAGE.detail.createNewVersion);
+      await fillIn(FORM.keyInput(), 'bar');
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${encodeURIComponent('app/first')}/details`,
+        'cancel goes to correct url'
+      );
+      assert.dom(PAGE.list.item()).doesNotExist('list view has no items');
+      await click(PAGE.detail.createNewVersion);
+      await fillIn(FORM.keyInput(), 'bar');
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${encodeURIComponent('app/first')}/details`,
+        'breadcrumb goes to correct url'
+      );
+      assert.dom(PAGE.list.item()).doesNotExist('list view has no items');
+    });
+    test('create & update root secret with default metadata (sc)', async function (assert) {
+      const backend = this.backend;
+      const secretPath = 'some secret';
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await click(PAGE.list.createSecret);
+
+      // Create secret form -- validations
+      await click(FORM.saveBtn);
+      assert.dom(FORM.invalidFormAlert).hasText('There is an error with this form.');
+      assert.dom(FORM.validation('path')).hasText("Path can't be blank.");
+      await typeIn(FORM.inputByAttr('path'), secretPath);
+      assert
+        .dom(FORM.validationWarning)
+        .hasText(
+          "Path contains whitespace. If this is desired, you'll need to encode it with %20 in API requests."
+        );
+      assert.dom(PAGE.create.metadataSection).doesNotExist('Hides metadata section by default');
+
+      // Submit with API errors
+      await click(FORM.saveBtn);
+      assert.dom(FORM.messageError).hasText('Error no data provided', 'API error shows on form');
+
+      await fillIn(FORM.keyInput(), 'api_key');
+      await fillIn(FORM.maskedValueInput(), 'partyparty');
+      await click(FORM.saveBtn);
+
+      // Details page
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${encodeURIComponent(secretPath)}/details`,
+        'Goes to details page after save'
+      );
+      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('Version created not shown');
+      assert.dom(PAGE.secretRow).doesNotExist('does not show data contents');
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText('You do not have permission to read this secret', 'shows permissions empty state');
+
+      // Metadata page
+      await click(PAGE.secretTab('Metadata'));
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText(
+          'You do not have access to read custom metadata',
+          'permissions empty state for custom metadata'
+        );
+      assert
+        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('You do not have access to secret metadata', 'permissions empty state for secret metadata');
+
+      // Add new version
+      await click(PAGE.secretTab('Secret'));
+      await click(PAGE.detail.createNewVersion);
+      assert.dom(FORM.inputByAttr('path')).isDisabled('path input is disabled');
+      assert.dom(FORM.inputByAttr('path')).hasValue(secretPath);
+      assert.dom(FORM.toggleMetadata).doesNotExist('Does not show metadata toggle when creating new version');
+      assert.dom(FORM.keyInput()).hasValue('', 'row 1 is empty key');
+      assert.dom(FORM.maskedValueInput()).hasValue('', 'row 1 has empty value');
+      await fillIn(FORM.keyInput(), 'api_url');
+      await fillIn(FORM.maskedValueInput(), 'hashicorp.com');
+      await click(FORM.saveBtn);
+
+      // Back to details page
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${encodeURIComponent(secretPath)}/details`,
+        'goes back to details page'
+      );
+      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('Version created does not show');
+      assert.dom(PAGE.secretRow).doesNotExist('does not show data contents');
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText('You do not have permission to read this secret', 'shows permissions empty state');
+    });
+    test('create nested secret with metadata (sc)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await click(PAGE.list.createSecret);
+
+      // Create secret
+      await typeIn(FORM.inputByAttr('path'), 'my/');
+      assert.dom(FORM.validation('path')).hasText("Path can't end in forward slash '/'.");
+      await typeIn(FORM.inputByAttr('path'), 'secret');
+      assert.dom(FORM.validation('path')).doesNotExist('form validation goes away');
+      await fillIn(FORM.keyInput(), 'password');
+      await fillIn(FORM.maskedValueInput(), 'kittens1234');
+
+      await click(FORM.toggleMetadata);
+      assert.dom(PAGE.create.metadataSection).exists('Shows metadata section after toggled');
+      // Check initial values
+      assert.dom(FORM.inputByAttr('maxVersions')).hasValue('0');
+      assert.dom(FORM.inputByAttr('casRequired')).isNotChecked();
+      assert.dom(FORM.toggleByLabel('Automate secret deletion')).isNotChecked();
+      // MaxVersions validation
+      await fillIn(FORM.inputByAttr('maxVersions'), 'seven');
+      await click(FORM.saveBtn);
+      assert.dom(FORM.validation('maxVersions')).hasText('Maximum versions must be a number.');
+      await fillIn(FORM.inputByAttr('maxVersions'), '99999999999999999');
+      await click(FORM.saveBtn);
+      assert.dom(FORM.validation('maxVersions')).hasText('You cannot go over 16 characters.');
+      await fillIn(FORM.inputByAttr('maxVersions'), '7');
+
+      // Fill in other metadata
+      await click(FORM.inputByAttr('casRequired'));
+      await click(FORM.toggleByLabel('Automate secret deletion'));
+      await fillIn(FORM.ttlValue('Automate secret deletion'), '1000');
+
+      // Fill in custom metadata
+      await fillIn(`${PAGE.create.metadataSection} ${FORM.keyInput()}`, 'team');
+      await fillIn(`${PAGE.create.metadataSection} ${FORM.valueInput()}`, 'UI');
+      // Fill in metadata
+      await click(FORM.saveBtn);
+
+      // Details
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${encodeURIComponent('my/secret')}/details`,
+        'goes back to details page'
+      );
+      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('version created not shown');
+      assert.dom(PAGE.secretRow).doesNotExist('does not show data contents');
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText('You do not have permission to read this secret', 'shows permissions empty state');
+
+      // Metadata
+      await click(PAGE.secretTab('Metadata'));
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText(
+          'You do not have access to read custom metadata',
+          'permissions empty state for custom metadata'
+        );
+      assert
+        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('You do not have access to secret metadata', 'permissions empty state for secret metadata');
+    });
+    test('creates a secret at a sub-directory (sc)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/app%2F/directory`);
+      assert.dom(PAGE.list.item()).doesNotExist('Does not list any secrets');
+      await click(PAGE.list.createSecret);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/create?initialKey=app%2F`,
+        'Goes to create page with initialKey'
+      );
+      await typeIn(FORM.inputByAttr('path'), 'new');
+      await fillIn(FORM.keyInput(), 'api_key');
+      await fillIn(FORM.maskedValueInput(), 'partyparty');
+      await click(FORM.saveBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${encodeURIComponent('app/new')}/details`,
+        'Redirects to detail after save'
+      );
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/app%2F/directory`, 'sub-dir page');
+      assert.dom(PAGE.list.item()).doesNotExist('Does not list any secrets');
+    });
+    test('create new version of secret from older version (sc)', async function (assert) {
+      const backend = this.backend;
+      await visit(`/vault/secrets/${backend}/kv/app%2Ffirst/details?version=1`);
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('version dropdown does not show');
+      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('Version created not shown');
+      await click(PAGE.detail.createNewVersion);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Ffirst/details/edit?version=1`,
+        'Goes to new version page'
+      );
+      assert
+        .dom(FORM.noReadAlert)
+        .hasText(
+          'Warning You do not have read permissions for this secret data. Saving will overwrite the existing secret.',
+          'shows alert for no read permissions'
+        );
+      assert.dom(FORM.keyInput()).hasValue('', 'Key input has empty value');
+      assert.dom(FORM.maskedValueInput()).hasValue('', 'Val input has empty value');
+
+      await fillIn(FORM.keyInput(), 'my-key');
+      await fillIn(FORM.maskedValueInput(), 'my-value');
+      await click(FORM.saveBtn);
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Ffirst/details`,
+        'redirects to details page'
+      );
+      assert.dom(PAGE.secretRow).doesNotExist('does not show data contents');
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText('You do not have permission to read this secret', 'shows permissions empty state');
+    });
+  });
+
+  module('enterprise controlled access persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const userPolicy = `
+path "${this.backend}/data/*" {
+  capabilities = ["create", "read", "update"]
+  control_group = {
+    max_ttl = "24h"
+    factor "authorizer" {
+      identity {
+          group_names = ["managers"]
+          approvals = 1
+      }
+    }
+  }
+}
+
+path "${this.backend}/metadata" {
+  capabilities = ["list", "read"]
+}
+path "${this.backend}/metadata/*" {
+  capabilities = ["list", "read"]
+}
+`;
+      const { userToken } = await setupControlGroup({ userPolicy });
+      this.userToken = userToken;
+      return authPage.login(userToken);
+    });
+    // Copy test outline from admin persona
+  });
+});
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-delete-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-delete-test.js
new file mode 100644
index 0000000000..54256379aa
--- /dev/null
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-delete-test.js
@@ -0,0 +1,122 @@
+import { module, test } from 'qunit';
+import { v4 as uuidv4 } from 'uuid';
+import { setupApplicationTest } from 'vault/tests/helpers';
+import authPage from 'vault/tests/pages/auth';
+import { deleteEngineCmd, mountEngineCmd, runCmd, tokenWithPolicyCmd } from 'vault/tests/helpers/commands';
+import { personas } from 'vault/tests/helpers/policy-generator/kv';
+import { setupControlGroup, writeSecret } from 'vault/tests/helpers/kv/kv-run-commands';
+
+/**
+ * This test set is for testing delete, undelete, destroy flows
+ * VAULT-18818
+ */
+module('Acceptance | kv-v2 workflow | delete, undelete, destroy', function (hooks) {
+  setupApplicationTest(hooks);
+
+  hooks.beforeEach(async function () {
+    this.backend = `kv-delete-${uuidv4()}`;
+    await authPage.login();
+    await runCmd(mountEngineCmd('kv-v2', this.backend), false);
+    await writeSecret(this.backend, 'app/first-secret', 'foo', 'bar');
+  });
+
+  hooks.afterEach(async function () {
+    await authPage.login();
+    return runCmd(deleteEngineCmd(this.backend));
+  });
+
+  module('admin persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd(tokenWithPolicyCmd('admin', personas.admin(this.backend)));
+      await authPage.login(token);
+    });
+    test.skip('can delete the latest secret version', async function (assert) {
+      assert.expect(0);
+    });
+    test.skip('can soft delete and undelete a secret version', async function (assert) {
+      assert.expect(0);
+    });
+    test.skip('can destroy a secret version', async function (assert) {
+      assert.expect(0);
+    });
+    test.skip('can destroy a secret', async function (assert) {
+      assert.expect(0);
+    });
+  });
+
+  module('data-reader persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([tokenWithPolicyCmd('data-reader', personas.dataReader(this.backend))]);
+      await authPage.login(token);
+    });
+    // Copy test outline from admin persona
+  });
+
+  module('data-list-reader persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        tokenWithPolicyCmd('data-list-reader', personas.dataListReader(this.backend)),
+      ]);
+      await authPage.login(token);
+    });
+    // Copy test outline from admin persona
+  });
+
+  module('metadata-maintainer persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        tokenWithPolicyCmd('metadata-maintainer', personas.metadataMaintainer(this.backend)),
+      ]);
+      await authPage.login(token);
+    });
+    // Copy test outline from admin persona
+  });
+
+  module('secret-creator persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        tokenWithPolicyCmd('secret-creator', personas.secretCreator(this.backend)),
+      ]);
+      await authPage.login(token);
+    });
+    // Copy test outline from admin persona
+  });
+
+  module('enterprise controlled access persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const userPolicy = `
+path "${this.backend}/data/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+  control_group = {
+    max_ttl = "24h"
+    factor "approver" {
+      controlled_capabilities = ["write"]
+      identity {
+          group_names = ["managers"]
+          approvals = 1
+      }
+    }
+  }
+}
+
+path "${this.backend}/*" {
+  capabilities = ["list"]
+}
+
+// Can we allow this so user can self-authorize?
+path "sys/control-group/authorize" {
+  capabilities = ["update"]
+}
+
+path "sys/control-group/request" {
+  capabilities = ["update"]
+}
+`;
+
+      const { userToken } = await setupControlGroup({ userPolicy });
+      this.userToken = userToken;
+      return authPage.login(userToken);
+    });
+    // Copy test outline from admin persona
+  });
+});
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-edge-cases-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-edge-cases-test.js
new file mode 100644
index 0000000000..aaf6a12798
--- /dev/null
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-edge-cases-test.js
@@ -0,0 +1,158 @@
+import { module, test } from 'qunit';
+import { v4 as uuidv4 } from 'uuid';
+import { click, currentURL, findAll, setupOnerror, typeIn, visit } from '@ember/test-helpers';
+import { setupApplicationTest } from 'vault/tests/helpers';
+import authPage from 'vault/tests/pages/auth';
+import {
+  createPolicyCmd,
+  deleteEngineCmd,
+  mountEngineCmd,
+  runCmd,
+  createTokenCmd,
+} from 'vault/tests/helpers/commands';
+import { dataPolicy, metadataPolicy } from 'vault/tests/helpers/policy-generator/kv';
+import { writeSecret } from 'vault/tests/helpers/kv/kv-run-commands';
+import { PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+
+/**
+ * This test set is for testing edge cases, such as specific bug fixes or reported user workflows
+ */
+module('Acceptance | kv-v2 workflow | edge cases', function (hooks) {
+  setupApplicationTest(hooks);
+
+  hooks.beforeEach(async function () {
+    const uid = uuidv4();
+    this.backend = `kv-edge-${uid}`;
+    this.rootSecret = 'root-directory';
+    this.fullSecretPath = `${this.rootSecret}/nested/child-secret`;
+    await authPage.login();
+    await runCmd(mountEngineCmd('kv-v2', this.backend), false);
+    await writeSecret(this.backend, this.fullSecretPath, 'foo', 'bar');
+    return;
+  });
+
+  hooks.afterEach(async function () {
+    await authPage.login();
+    await runCmd(deleteEngineCmd(this.backend));
+    return;
+  });
+
+  module('persona with read and list access on the secret level', function (hooks) {
+    // see github issue for more details https://github.com/hashicorp/vault/issues/5362
+    hooks.beforeEach(async function () {
+      const secretPath = `${this.rootSecret}/*`; // user has LIST and READ access within this root secret directory
+      const capabilities = ['list', 'read'];
+      const backend = this.backend;
+      const token = await runCmd([
+        createPolicyCmd(
+          'nested-secret-list-reader',
+          metadataPolicy({ backend, secretPath, capabilities }) +
+            dataPolicy({ backend, secretPath, capabilities })
+        ),
+        createTokenCmd('nested-secret-list-reader'),
+      ]);
+      await authPage.login(token);
+    });
+
+    test('it can navigate to secrets within a secret directory', async function (assert) {
+      assert.expect(19);
+      const backend = this.backend;
+      const [root, subdirectory, secret] = this.fullSecretPath.split('/');
+
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
+
+      await typeIn(PAGE.list.overviewInput, `${root}/`); // add slash because this is a directory
+      await click(PAGE.list.overviewButton);
+
+      // URL correct
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${root}%2F/directory`,
+        'visits list-directory of root'
+      );
+
+      // Title correct
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      // Tabs correct
+      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
+      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
+      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
+      // Toolbar correct
+      assert.dom(PAGE.toolbarAction).exists({ count: 1 }, 'toolbar only renders create secret action');
+      assert.dom(PAGE.list.filter).hasValue(`${root}/`);
+      // List content correct
+      assert.dom(PAGE.list.item(`${subdirectory}/`)).exists('renders linked block for subdirectory');
+      await click(PAGE.list.item(`${subdirectory}/`));
+      assert.dom(PAGE.list.item(secret)).exists('renders linked block for child secret');
+      await click(PAGE.list.item(secret));
+      // Secret details visible
+      assert.dom(PAGE.title).hasText(this.fullSecretPath);
+      assert.dom(PAGE.secretTab('Secret')).hasText('Secret');
+      assert.dom(PAGE.secretTab('Secret')).hasClass('active');
+      assert.dom(PAGE.secretTab('Metadata')).hasText('Metadata');
+      assert.dom(PAGE.secretTab('Metadata')).doesNotHaveClass('active');
+      assert.dom(PAGE.secretTab('Version History')).hasText('Version History');
+      assert.dom(PAGE.secretTab('Version History')).doesNotHaveClass('active');
+      assert.dom(PAGE.toolbarAction).exists({ count: 5 }, 'toolbar renders all actions');
+    });
+
+    test('it navigates back to engine index route via breadcrumbs from secret details', async function (assert) {
+      assert.expect(6);
+      const backend = this.backend;
+      const [root, subdirectory, secret] = this.fullSecretPath.split('/');
+
+      await visit(`vault/secrets/${backend}/kv/${encodeURIComponent(this.fullSecretPath)}/details?version=1`);
+      // navigate back through crumbs
+      let previousCrumb = findAll('[data-test-breadcrumbs] li').length - 2;
+      await click(PAGE.breadcrumbAtIdx(previousCrumb));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${root}%2F${subdirectory}%2F/directory`,
+        'goes back to subdirectory list'
+      );
+      assert.dom(PAGE.list.filter).hasValue(`${root}/${subdirectory}/`);
+      assert.dom(PAGE.list.item(secret)).exists('renders linked block for child secret');
+
+      // back again
+      previousCrumb = findAll('[data-test-breadcrumbs] li').length - 2;
+      await click(PAGE.breadcrumbAtIdx(previousCrumb));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${root}%2F/directory`,
+        'goes back to root directory'
+      );
+      assert.dom(PAGE.list.item(`${subdirectory}/`)).exists('renders linked block for subdirectory');
+
+      // and back to the engine list view
+      previousCrumb = findAll('[data-test-breadcrumbs] li').length - 2;
+      await click(PAGE.breadcrumbAtIdx(previousCrumb));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list`,
+        'navigates back to engine list from crumbs'
+      );
+    });
+
+    test('it handles errors when attempting to view details of a secret that is a directory', async function (assert) {
+      assert.expect(7);
+      const backend = this.backend;
+      const [root, subdirectory] = this.fullSecretPath.split('/');
+      setupOnerror((error) => assert.strictEqual(error.httpStatus, 404), '404 error is thrown'); // catches error so qunit test doesn't fail
+
+      await visit(`/vault/secrets/${backend}/kv/list`);
+      await typeIn(PAGE.list.overviewInput, `${root}/${subdirectory}`); // intentionally leave out trailing slash
+      await click(PAGE.list.overviewButton);
+      assert.dom(PAGE.error.title).hasText('404 Not Found');
+      assert
+        .dom(PAGE.error.message)
+        .hasText(`Sorry, we were unable to find any content at /v1/${backend}/data/${root}/${subdirectory}.`);
+
+      assert.dom(PAGE.breadcrumbAtIdx(0)).hasText('secrets');
+      assert.dom(PAGE.breadcrumbAtIdx(1)).hasText(backend);
+      assert.dom(PAGE.secretTab('Secrets')).doesNotHaveClass('is-active');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('is-active');
+    });
+  });
+});
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-navigation-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-navigation-test.js
new file mode 100644
index 0000000000..43ec32a675
--- /dev/null
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-navigation-test.js
@@ -0,0 +1,1242 @@
+import { module, test } from 'qunit';
+import { v4 as uuidv4 } from 'uuid';
+import { click, currentRouteName, currentURL, typeIn, visit, waitUntil } from '@ember/test-helpers';
+import { setupApplicationTest } from 'vault/tests/helpers';
+import authPage from 'vault/tests/pages/auth';
+import {
+  createPolicyCmd,
+  deleteEngineCmd,
+  mountEngineCmd,
+  runCmd,
+  createTokenCmd,
+  tokenWithPolicyCmd,
+} from 'vault/tests/helpers/commands';
+import { personas } from 'vault/tests/helpers/policy-generator/kv';
+import {
+  addSecretMetadataCmd,
+  clearRecords,
+  writeSecret,
+  writeVersionedSecret,
+} from 'vault/tests/helpers/kv/kv-run-commands';
+import { FORM, PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+import { setupControlGroup, grantAccess } from 'vault/tests/helpers/control-groups';
+
+const secretPath = `my-#:$=?-secret`;
+// This doesn't encode in a normal way, so hardcoding it here until we sort that out
+const secretPathUrlEncoded = `my-%23:$=%3F-secret`;
+const navToBackend = (backend) => {
+  return visit(`/vault/secrets/${backend}/kv/list`);
+};
+const assertCorrectBreadcrumbs = (assert, expected) => {
+  assert.dom(PAGE.breadcrumb).exists({ count: expected.length }, 'correct number of breadcrumbs');
+  const breadcrumbs = document.querySelectorAll(PAGE.breadcrumb);
+  expected.forEach((text, idx) => {
+    assert.dom(breadcrumbs[idx]).includesText(text, `position ${idx} breadcrumb includes text ${text}`);
+  });
+};
+const DETAIL_TOOLBARS = ['delete', 'destroy', 'copy', 'versionDropdown', 'createNewVersion'];
+const assertDetailsToolbar = (assert, expected = DETAIL_TOOLBARS) => {
+  assert
+    .dom(PAGE.toolbarAction)
+    .exists({ count: expected.length }, 'correct number of toolbar actions render');
+  DETAIL_TOOLBARS.forEach((toolbar) => {
+    if (expected.includes(toolbar)) {
+      assert.dom(PAGE.detail[toolbar]).exists(`${toolbar} toolbar action exists`);
+    } else {
+      assert.dom(PAGE.detail[toolbar]).doesNotExist(`${toolbar} toolbar action not rendered`);
+    }
+  });
+};
+
+/**
+ * This test set is for testing the navigation, breadcrumbs, and tabs.
+ * Letter(s) in parenthesis at the end are shorthand for the persona,
+ * for ease of tracking down specific tests failures from CI
+ */
+module('Acceptance | kv-v2 workflow | navigation', function (hooks) {
+  setupApplicationTest(hooks);
+
+  hooks.beforeEach(async function () {
+    const uid = uuidv4();
+    this.store = this.owner.lookup('service:store');
+    this.emptyBackend = `kv-empty-${uid}`;
+    this.backend = `kv-nav-${uid}`;
+    await authPage.login();
+    await runCmd(mountEngineCmd('kv-v2', this.emptyBackend), false);
+    await runCmd(mountEngineCmd('kv-v2', this.backend), false);
+    await writeSecret(this.backend, 'app/nested/secret', 'foo', 'bar');
+    await writeVersionedSecret(this.backend, secretPath, 'foo', 'bar', 3);
+    await runCmd(addSecretMetadataCmd(this.backend, secretPath, { max_versions: 5, cas_required: true }));
+    return;
+  });
+
+  hooks.afterEach(async function () {
+    await authPage.login();
+    await runCmd(deleteEngineCmd(this.backend));
+    await runCmd(deleteEngineCmd(this.emptyBackend));
+    return;
+  });
+
+  module('admin persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd(
+        tokenWithPolicyCmd('admin', personas.admin(this.backend) + personas.admin(this.emptyBackend))
+      );
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('empty backend - breadcrumbs, title, tabs, emptyState (a)', async function (assert) {
+      assert.expect(18);
+      const backend = this.emptyBackend;
+      await navToBackend(backend);
+
+      // URL correct
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
+      // Breadcrumbs correct
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      // Title correct
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      // Tabs correct
+      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
+      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
+      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
+      // Toolbar correct
+      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar renders');
+      assert.dom(PAGE.list.filter).doesNotExist('List filter does not show because no secrets exists.');
+      // Page content correct
+      assert.dom(PAGE.emptyStateTitle).hasText('No secrets yet');
+      assert.dom(PAGE.emptyStateActions).hasText('Create secret');
+      assert.dom(PAGE.list.createSecret).hasText('Create secret');
+
+      // Click empty state CTA
+      await click(`${PAGE.emptyStateActions} a`);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+
+      // click toolbar CTA
+      await click(PAGE.list.createSecret);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+    });
+    test('can access nested secret (a)', async function (assert) {
+      assert.expect(40);
+      const backend = this.backend;
+      await navToBackend(backend);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
+      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
+      assertCorrectBreadcrumbs(assert, ['secret', backend]);
+      assert.dom(PAGE.list.filter).hasNoValue('List filter input is empty');
+
+      // Navigate through list items
+      await click(PAGE.list.item('app/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/app%2F/directory`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).hasValue('app/', 'List filter input is prefilled');
+      assert.dom(PAGE.list.item('nested/')).exists('Shows nested secret');
+
+      await click(PAGE.list.item('nested/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/app%2Fnested%2F/directory`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).hasValue('app/nested/', 'List filter input is prefilled');
+      assert.dom(PAGE.list.item('secret')).exists('Shows deeply nested secret');
+
+      await click(PAGE.list.item('secret'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details?version=1`
+      );
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
+      assertDetailsToolbar(assert);
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/app%2Fnested%2F/directory`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/app%2F/directory`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
+    });
+    test('versioned secret nav, tabs, breadcrumbs (a)', async function (assert) {
+      assert.expect(43);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.list.item(secretPath));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=3`,
+        'Url includes version query param'
+      );
+      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
+      assert.dom(PAGE.secretTab('Secret')).hasText('Secret');
+      assert.dom(PAGE.secretTab('Secret')).hasClass('active');
+      assert.dom(PAGE.secretTab('Metadata')).hasText('Metadata');
+      assert.dom(PAGE.secretTab('Metadata')).doesNotHaveClass('active');
+      assert.dom(PAGE.secretTab('Version History')).hasText('Version History');
+      assert.dom(PAGE.secretTab('Version History')).doesNotHaveClass('active');
+      assert.dom(PAGE.detail.versionDropdown).hasText('Version 3', 'Version dropdown shows current version');
+      assert.dom(PAGE.detail.createNewVersion).hasText('Create new version', 'Create version button shows');
+      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 3 created');
+      assert.dom(PAGE.infoRowValue('foo')).exists('renders current data');
+
+      await click(PAGE.detail.createNewVersion);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details/edit?version=3`,
+        'Url includes version query param'
+      );
+      assert.dom(FORM.versionAlert).doesNotExist('Does not show version alert for current version');
+      assert.dom(FORM.inputByAttr('path')).isDisabled();
+
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=3`,
+        'Goes back to detail view'
+      );
+
+      await click(PAGE.detail.versionDropdown);
+      await click(`${PAGE.detail.version(1)} a`);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`,
+        'Goes to detail view for version 1'
+      );
+      assert.dom(PAGE.detail.versionDropdown).hasText('Version 1', 'Version dropdown shows selected version');
+      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 1 created');
+      assert.dom(PAGE.infoRowValue('key-1')).exists('renders previous data');
+
+      await click(PAGE.detail.createNewVersion);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details/edit?version=1`,
+        'Url includes version query param'
+      );
+      assert.dom(FORM.inputByAttr('path')).isDisabled();
+      assert.dom(FORM.keyInput()).hasValue('key-1', 'pre-populates form with selected version data');
+      assert.dom(FORM.maskedValueInput()).hasValue('val-1', 'pre-populates form with selected version data');
+      assert.dom(FORM.versionAlert).exists('Shows version alert');
+      await click(FORM.cancelBtn);
+
+      await click(PAGE.secretTab('Metadata'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `goes to metadata page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath);
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('No custom metadata');
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateActions}`)
+        .hasText('Add metadata', 'empty state has metadata CTA');
+      assert.dom(PAGE.metadata.editBtn).hasText('Edit metadata');
+
+      await click(PAGE.metadata.editBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata/edit`,
+        `goes to metadata edit page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata', 'edit']);
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `cancel btn goes back to metadata page`
+      );
+    });
+    test('breadcrumbs & page titles are correct (a)', async function (assert) {
+      assert.expect(39);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.secretTab('Configuration'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
+
+      await click(PAGE.secretTab('Secrets'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
+
+      await click(PAGE.list.item(secretPath));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
+
+      await click(PAGE.detail.createNewVersion);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'edit']);
+      assert.dom(PAGE.title).hasText('Create New Version', 'correct page title for secret edit');
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      await click(PAGE.secretTab('Metadata'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
+
+      await click(PAGE.metadata.editBtn);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata', 'edit']);
+      assert.dom(PAGE.title).hasText('Edit Secret Metadata', 'correct page title for metadata edit');
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      await click(PAGE.secretTab('Version History'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'version history']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for version history');
+    });
+  });
+
+  module('data-reader persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        createPolicyCmd(
+          'data-reader',
+          personas.dataReader(this.backend) + personas.dataReader(this.emptyBackend)
+        ),
+        createTokenCmd('data-reader'),
+      ]);
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('empty backend - breadcrumbs, title, tabs, emptyState (dr)', async function (assert) {
+      assert.expect(15);
+      const backend = this.emptyBackend;
+      await navToBackend(backend);
+
+      // URL correct
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
+      // Breadcrumbs correct
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      // Title correct
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      // Tabs correct
+      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
+      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
+      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
+      // Toolbar correct
+      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar renders');
+      assert
+        .dom(PAGE.list.filter)
+        .doesNotExist('list filter input does not render because no list capabilities');
+      // Page content correct
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .doesNotExist('empty state does not render because no metadata access to list');
+      assert.dom(PAGE.list.overviewCard).exists('renders overview card');
+
+      // click toolbar CTA
+      await click(PAGE.list.createSecret);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/create`,
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list`,
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+    });
+    test('can access nested secret (dr)', async function (assert) {
+      assert.expect(23);
+      const backend = this.backend;
+      await navToBackend(backend);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
+      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
+      assertCorrectBreadcrumbs(assert, ['secret', backend]);
+      assert
+        .dom(PAGE.list.filter)
+        .doesNotExist('List filter input does not render because no list capabilities');
+
+      await typeIn(PAGE.list.overviewInput, 'app/nested/secret');
+      await click(PAGE.list.overviewButton);
+
+      // Goes to correct detail view
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details?version=1`
+      );
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
+      assertDetailsToolbar(assert, ['copy']);
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/app%2Fnested%2F/directory`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/app%2F/directory`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
+    });
+    test('versioned secret nav, tabs, breadcrumbs (dr)', async function (assert) {
+      assert.expect(25);
+      const backend = this.backend;
+      await navToBackend(backend);
+
+      // Navigate to secret
+      await typeIn(PAGE.list.overviewInput, secretPath);
+      await click(PAGE.list.overviewButton);
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=3`,
+        'Url includes version query param'
+      );
+      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
+      assert.dom(PAGE.secretTab('Secret')).hasText('Secret');
+      assert.dom(PAGE.secretTab('Secret')).hasClass('active');
+      assert.dom(PAGE.secretTab('Metadata')).hasText('Metadata');
+      assert.dom(PAGE.secretTab('Metadata')).doesNotHaveClass('active');
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('Version dropdown hidden');
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('unable to create a new version');
+      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 3 created');
+      assert.dom(PAGE.infoRowValue('foo')).exists('renders current data');
+
+      // data-reader can't navigate to older versions, but they can go to page directly
+      await visit(`/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`);
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('Version dropdown does not exist');
+      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 1 created');
+      assert.dom(PAGE.infoRowValue('key-1')).exists('renders previous data');
+
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+
+      await click(PAGE.secretTab('Metadata'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `goes to metadata page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath);
+      assert.dom(PAGE.toolbarAction).doesNotExist('no toolbar actions available on metadata');
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('No custom metadata');
+      assert
+        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('You do not have access to secret metadata');
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('edit button hidden');
+    });
+    test('breadcrumbs & page titles are correct (dr)', async function (assert) {
+      assert.expect(27);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.secretTab('Configuration'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title correct on config page');
+
+      await click(PAGE.secretTab('Secrets'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title correct on secrets list');
+
+      await typeIn(PAGE.list.overviewInput, 'app/nested/secret');
+      await click(PAGE.list.overviewButton);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title correct on secret detail');
+
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+
+      await click(PAGE.secretTab('Metadata'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'app', 'nested', 'secret', 'metadata']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title correct on metadata');
+
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('cannot edit metadata');
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab not shown');
+    });
+  });
+
+  module('data-list-reader persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        createPolicyCmd(
+          'data-reader-list',
+          personas.dataListReader(this.backend) + personas.dataListReader(this.emptyBackend)
+        ),
+        createTokenCmd('data-reader-list'),
+      ]);
+
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('empty backend - breadcrumbs, title, tabs, emptyState (dlr)', async function (assert) {
+      assert.expect(18);
+      const backend = this.emptyBackend;
+      await navToBackend(backend);
+
+      // URL correct
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
+      // Breadcrumbs correct
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      // Title correct
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      // Tabs correct
+      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
+      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
+      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
+      // Toolbar correct
+      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar renders');
+      assert.dom(PAGE.list.filter).doesNotExist('List filter does not show because no secrets exists.');
+      // Page content correct
+      assert.dom(PAGE.emptyStateTitle).hasText('No secrets yet');
+      assert.dom(PAGE.emptyStateActions).hasText('Create secret');
+      assert.dom(PAGE.list.createSecret).hasText('Create secret');
+
+      // Click empty state CTA
+      await click(`${PAGE.emptyStateActions} a`);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+
+      // click toolbar CTA
+      await click(PAGE.list.createSecret);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+    });
+    test('can access nested secret (dlr)', async function (assert) {
+      assert.expect(31);
+      const backend = this.backend;
+      await navToBackend(backend);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
+      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
+      assertCorrectBreadcrumbs(assert, ['secret', backend]);
+      assert.dom(PAGE.list.filter).hasNoValue('List filter input is empty');
+
+      // Navigate through list items
+      await click(PAGE.list.item('app/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/app%2F/directory`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).doesNotExist('List filter hidden since no nested list access');
+
+      assert
+        .dom(PAGE.list.overviewInput)
+        .hasValue('app/', 'overview card is pre-filled with directory param');
+      await typeIn(PAGE.list.overviewInput, 'nested/secret');
+      await click(PAGE.list.overviewButton);
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details?version=1`
+      );
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
+      assertDetailsToolbar(assert, ['delete', 'copy']);
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/app%2Fnested%2F/directory`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/app%2F/directory`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
+    });
+    test('versioned secret nav, tabs, breadcrumbs (dlr)', async function (assert) {
+      assert.expect(25);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.list.item(secretPath));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=3`,
+        'Url includes version query param'
+      );
+      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
+      assert.dom(PAGE.secretTab('Secret')).hasText('Secret');
+      assert.dom(PAGE.secretTab('Secret')).hasClass('active');
+      assert.dom(PAGE.secretTab('Metadata')).hasText('Metadata');
+      assert.dom(PAGE.secretTab('Metadata')).doesNotHaveClass('active');
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('does not show version dropdown');
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('unable to create a new version');
+      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 3 created');
+      assert.dom(PAGE.infoRowValue('foo')).exists('renders current data');
+
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+
+      // data-list-reader can't navigate to older versions, but they can go to page directly
+      await visit(`/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`);
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('no version dropdown');
+      assert.dom(PAGE.detail.versionTimestamp).containsText('Version 1 created');
+      assert.dom(PAGE.infoRowValue('key-1')).exists('renders previous data');
+
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version from old version');
+
+      await click(PAGE.secretTab('Metadata'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `goes to metadata page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath);
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('No custom metadata');
+      assert
+        .dom(`${PAGE.metadata.secretMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('You do not have access to secret metadata');
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('edit button hidden');
+    });
+    test('breadcrumbs & page titles are correct (dlr)', async function (assert) {
+      assert.expect(23);
+      const backend = this.backend;
+      await navToBackend(backend);
+
+      await click(PAGE.secretTab('Configuration'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
+
+      await click(PAGE.secretTab('Secrets'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
+
+      await click(PAGE.list.item(secretPath));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
+
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('cannot create new version');
+
+      await click(PAGE.secretTab('Metadata'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
+
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('cannot edit metadata');
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab not shown');
+    });
+  });
+
+  module('metadata-maintainer persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        createPolicyCmd(
+          'metadata-maintainer',
+          personas.metadataMaintainer(this.backend) + personas.metadataMaintainer(this.emptyBackend)
+        ),
+        createTokenCmd('metadata-maintainer'),
+      ]);
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('empty backend - breadcrumbs, title, tabs, emptyState (mm)', async function (assert) {
+      assert.expect(18);
+      const backend = this.emptyBackend;
+      await navToBackend(backend);
+
+      // URL correct
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
+      // Breadcrumbs correct
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      // Title correct
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      // Tabs correct
+      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
+      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
+      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
+      // Toolbar correct
+      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar only renders create secret action');
+      assert.dom(PAGE.list.filter).doesNotExist('List filter does not show because no secrets exists.');
+      // Page content correct
+      assert.dom(PAGE.emptyStateTitle).hasText('No secrets yet');
+      assert.dom(PAGE.emptyStateActions).hasText('Create secret');
+      assert.dom(PAGE.list.createSecret).hasText('Create secret');
+
+      // Click empty state CTA
+      await click(`${PAGE.emptyStateActions} a`);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+
+      // click toolbar CTA
+      await click(PAGE.list.createSecret);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/create`),
+        `url includes /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/list`),
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+    });
+    test('can access nested secret (mm)', async function (assert) {
+      assert.expect(41);
+      const backend = this.backend;
+      await navToBackend(backend);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
+      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
+      assertCorrectBreadcrumbs(assert, ['secret', backend]);
+      assert.dom(PAGE.list.filter).hasNoValue('List filter input is empty');
+
+      // Navigate through list items
+      await click(PAGE.list.item('app/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/app%2F/directory`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).hasValue('app/', 'List filter input is prefilled');
+      assert.dom(PAGE.list.item('nested/')).exists('Shows nested secret');
+
+      await click(PAGE.list.item('nested/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/app%2Fnested%2F/directory`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).hasValue('app/nested/', 'List filter input is prefilled');
+      assert.dom(PAGE.list.item('secret')).exists('Shows deeply nested secret');
+
+      await click(PAGE.list.item('secret'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details`,
+        `Goes to URL with version`
+      );
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
+      assertDetailsToolbar(assert, ['delete', 'destroy', 'versionDropdown']);
+      assert.dom(PAGE.detail.versionDropdown).hasText('Version current');
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/app%2Fnested%2F/directory`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/app%2F/directory`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
+    });
+    test('versioned secret nav, tabs, breadcrumbs (mm)', async function (assert) {
+      assert.expect(35);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.list.item(secretPath));
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details`,
+        'Url includes version query param'
+      );
+      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
+      assert.dom(PAGE.secretTab('Secret')).hasText('Secret');
+      assert.dom(PAGE.secretTab('Secret')).hasClass('active');
+      assert.dom(PAGE.secretTab('Metadata')).hasText('Metadata');
+      assert.dom(PAGE.secretTab('Metadata')).doesNotHaveClass('active');
+      assert.dom(PAGE.secretTab('Version History')).hasText('Version History');
+      assert.dom(PAGE.secretTab('Version History')).doesNotHaveClass('active');
+      assert
+        .dom(PAGE.detail.versionDropdown)
+        .hasText('Version current', 'Version dropdown shows current version');
+      assert.dom(PAGE.detail.createNewVersion).doesNotExist('Create new version button not shown');
+      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('Version created text not shown');
+      assert.dom(PAGE.infoRowValue('foo')).doesNotExist('does not render current data');
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText('You do not have permission to read this secret', 'Shows empty state on secret detail');
+
+      await click(PAGE.detail.versionDropdown);
+      await click(`${PAGE.detail.version(1)} a`);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`,
+        'Goes to detail view for version 1'
+      );
+      assert.dom(PAGE.detail.versionDropdown).hasText('Version 1', 'Version dropdown shows selected version');
+
+      assert.dom(PAGE.infoRowValue('key-1')).doesNotExist('does not render previous data');
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText(
+          'You do not have permission to read this secret',
+          'Shows empty state on secret detail for older version'
+        );
+
+      await click(PAGE.secretTab('Metadata'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `goes to metadata page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath);
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('No custom metadata');
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateActions}`)
+        .hasText('Add metadata', 'empty state has metadata CTA');
+      assert.dom(PAGE.metadata.editBtn).hasText('Edit metadata');
+
+      await click(PAGE.metadata.editBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata/edit`,
+        `goes to metadata edit page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata', 'edit']);
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `cancel btn goes back to metadata page`
+      );
+    });
+    test('breadcrumbs & page titles are correct (mm)', async function (assert) {
+      assert.expect(33);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.secretTab('Configuration'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
+
+      await click(PAGE.secretTab('Secrets'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
+
+      await click(PAGE.list.item(secretPath));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
+
+      await click(PAGE.secretTab('Metadata'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
+
+      await click(PAGE.metadata.editBtn);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata', 'edit']);
+      assert.dom(PAGE.title).hasText('Edit Secret Metadata', 'correct page title for metadata edit');
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      await click(PAGE.secretTab('Version History'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'version history']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for version history');
+    });
+  });
+
+  module('secret-creator persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        createPolicyCmd(
+          'secret-creator',
+          personas.secretCreator(this.backend) + personas.secretCreator(this.emptyBackend)
+        ),
+        createTokenCmd('secret-creator'),
+      ]);
+      await authPage.login(token);
+      clearRecords(this.store);
+      return;
+    });
+    test('empty backend - breadcrumbs, title, tabs, emptyState (sc)', async function (assert) {
+      assert.expect(15);
+      const backend = this.emptyBackend;
+      await navToBackend(backend);
+
+      // URL correct
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/list`, 'lands on secrets list page');
+      // Breadcrumbs correct
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      // Title correct
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      // Tabs correct
+      assert.dom(PAGE.secretTab('Secrets')).hasText('Secrets');
+      assert.dom(PAGE.secretTab('Secrets')).hasClass('active');
+      assert.dom(PAGE.secretTab('Configuration')).hasText('Configuration');
+      assert.dom(PAGE.secretTab('Configuration')).doesNotHaveClass('active');
+      // Toolbar correct
+      assert.dom(PAGE.toolbar).exists({ count: 1 }, 'toolbar only renders create secret action');
+      assert.dom(PAGE.list.filter).doesNotExist('List filter input is not rendered');
+      // Page content correct
+      assert.dom(PAGE.list.overviewCard).exists('Overview card renders');
+      assert.dom(PAGE.list.createSecret).hasText('Create secret');
+
+      // click toolbar CTA
+      await click(PAGE.list.createSecret);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/create`,
+        `goes to /vault/secrets/${backend}/kv/create`
+      );
+
+      // Click cancel btn
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list`,
+        `url includes /vault/secrets/${backend}/kv/list`
+      );
+    });
+    test('can access nested secret (sc)', async function (assert) {
+      assert.expect(23);
+      const backend = this.backend;
+      await navToBackend(backend);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
+      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
+      assertCorrectBreadcrumbs(assert, ['secret', backend]);
+      assert.dom(PAGE.list.filter).doesNotExist('List filter input is not rendered');
+
+      // Navigate to secret
+      await typeIn(PAGE.list.overviewInput, 'app/nested/secret');
+      await click(PAGE.list.overviewButton);
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details`,
+        'goes to secret detail page'
+      );
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
+      assertDetailsToolbar(assert, ['createNewVersion']);
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/app%2Fnested%2F/directory`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/app%2F/directory`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
+    });
+    test('versioned secret nav, tabs, breadcrumbs (sc)', async function (assert) {
+      assert.expect(34);
+      const backend = this.backend;
+      await navToBackend(backend);
+
+      await typeIn(PAGE.list.overviewInput, secretPath);
+      await click(PAGE.list.overviewButton);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details`,
+        'Goes to detail view'
+      );
+      assert.dom(PAGE.title).hasText(secretPath, 'Goes to secret detail view');
+      assert.dom(PAGE.secretTab('Secret')).hasText('Secret');
+      assert.dom(PAGE.secretTab('Secret')).hasClass('active');
+      assert.dom(PAGE.secretTab('Metadata')).hasText('Metadata');
+      assert.dom(PAGE.secretTab('Metadata')).doesNotHaveClass('active');
+      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab does not render');
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('Version dropdown does not render');
+      assert.dom(PAGE.detail.createNewVersion).hasText('Create new version', 'Create version button shows');
+      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('Version created info is not rendered');
+      assert.dom(PAGE.infoRowValue('foo')).doesNotExist('current data not rendered');
+      assert
+        .dom(PAGE.emptyStateTitle)
+        .hasText('You do not have permission to read this secret', 'empty state shows');
+
+      await click(PAGE.detail.createNewVersion);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details/edit`,
+        'Goes to edit page'
+      );
+      assert.dom(FORM.versionAlert).doesNotExist('Does not show version alert for current version');
+      assert
+        .dom(FORM.noReadAlert)
+        .hasText(
+          'Warning You do not have read permissions for this secret data. Saving will overwrite the existing secret.',
+          'Shows warning about no read permissions'
+        );
+      assert.dom(FORM.inputByAttr('path')).isDisabled();
+
+      await click(FORM.cancelBtn);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details`,
+        'Goes back to detail view'
+      );
+
+      await visit(`/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details?version=1`);
+      assert.dom(PAGE.detail.versionDropdown).doesNotExist('Version dropdown does not exist');
+      assert.dom(PAGE.detail.versionTimestamp).doesNotExist('version created data not rendered');
+      assert.dom(PAGE.infoRowValue('key-1')).doesNotExist('does not render previous data');
+
+      await click(PAGE.detail.createNewVersion);
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details/edit?version=1`,
+        'Url includes version query param'
+      );
+      assert.dom(FORM.inputByAttr('path')).isDisabled();
+      assert.dom(FORM.keyInput()).hasValue('', 'form does not pre-populate');
+      assert.dom(FORM.maskedValueInput()).hasValue('', 'form does not pre-populate');
+      assert.dom(FORM.noReadAlert).exists('Shows no read alert');
+      await click(FORM.cancelBtn);
+
+      await click(PAGE.secretTab('Metadata'));
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/metadata`,
+        `goes to metadata page`
+      );
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath);
+      assert
+        .dom(`${PAGE.metadata.customMetadataSection} ${PAGE.emptyStateTitle}`)
+        .hasText('You do not have access to read custom metadata', 'shows correct empty state');
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('edit metadata button does not render');
+    });
+    test('breadcrumbs & page titles are correct (sc)', async function (assert) {
+      assert.expect(28);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.secretTab('Configuration'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
+
+      await click(PAGE.secretTab('Secrets'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
+
+      await typeIn(PAGE.list.overviewInput, secretPath);
+      await click(PAGE.list.overviewButton);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
+
+      await click(PAGE.detail.createNewVersion);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'edit']);
+      assert.dom(PAGE.title).hasText('Create New Version', 'correct page title for secret edit');
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      await click(PAGE.secretTab('Metadata'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
+
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('cannot edit metadata');
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab not shown');
+    });
+  });
+
+  module('enterprise controlled access persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      // Set up control group scenario
+      const userPolicy = `
+path "${this.backend}/data/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+  control_group = {
+    max_ttl = "24h"
+    factor "ops_manager" {
+      controlled_capabilities = ["read"]
+      identity {
+          group_names = ["managers"]
+          approvals = 1
+      }
+    }
+  }
+}
+
+path "${this.backend}/*" {
+  capabilities = ["list"]
+}
+`;
+      const { userToken } = await setupControlGroup({ userPolicy });
+      this.userToken = userToken;
+      await authPage.login(userToken);
+      clearRecords(this.store);
+      return;
+    });
+    test('can access nested secret (cg)', async function (assert) {
+      assert.expect(42);
+      const backend = this.backend;
+      await navToBackend(backend);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'title text correct');
+      assert.dom(PAGE.emptyStateTitle).doesNotExist('No empty state');
+      assertCorrectBreadcrumbs(assert, ['secret', backend]);
+      assert.dom(PAGE.list.filter).hasNoValue('List filter input is empty');
+
+      // Navigate through list items
+      await click(PAGE.list.item('app/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/app%2F/directory`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).hasValue('app/', 'List filter input is prefilled');
+      assert.dom(PAGE.list.item('nested/')).exists('Shows nested secret');
+
+      await click(PAGE.list.item('nested/'));
+      assert.strictEqual(currentURL(), `/vault/secrets/${backend}/kv/app%2Fnested%2F/directory`);
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`);
+      assert.dom(PAGE.list.filter).hasValue('app/nested/', 'List filter input is prefilled');
+      assert.dom(PAGE.list.item('secret')).exists('Shows deeply nested secret');
+
+      // For some reason when we click on the item in tests it throws a global control group error
+      // But not when we visit the page directly
+      await visit(`/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details`);
+      assert.ok(
+        await waitUntil(() => currentRouteName() === 'vault.cluster.access.control-group-accessor'),
+        'redirects to access control group route'
+      );
+      await grantAccess({
+        apiPath: `${backend}/data/app/nested/secret`,
+        originUrl: `/vault/secrets/${backend}/kv/app%2Fnested%2F/directory`,
+        userToken: this.userToken,
+      });
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2F/directory`,
+        'navigates to list url where secret is'
+      );
+      await click(PAGE.list.item('secret'));
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/app%2Fnested%2Fsecret/details?version=1`,
+        'goes to secret details'
+      );
+      assertCorrectBreadcrumbs(assert, ['secret', backend, 'app', 'nested', 'secret']);
+      assert.dom(PAGE.title).hasText('app/nested/secret', 'title is full secret path');
+      assertDetailsToolbar(assert, ['delete', 'copy', 'createNewVersion']);
+
+      await click(PAGE.breadcrumbAtIdx(3));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/app%2Fnested%2F/directory`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.ok(
+        currentURL().startsWith(`/vault/secrets/${backend}/kv/app%2F/directory`),
+        'links back to list directory'
+      );
+
+      await click(PAGE.breadcrumbAtIdx(1));
+      assert.ok(currentURL().startsWith(`/vault/secrets/${backend}/kv/list`), 'links back to list root');
+    });
+    test('breadcrumbs & page titles are correct (cg)', async function (assert) {
+      assert.expect(30);
+      const backend = this.backend;
+      await navToBackend(backend);
+      await click(PAGE.secretTab('Configuration'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, 'configuration']);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for configuration');
+
+      await click(PAGE.secretTab('Secrets'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend]);
+      assert.dom(PAGE.title).hasText(`${backend} Version 2`, 'correct page title for secret list');
+
+      await visit(`/vault/secrets/${backend}/kv/${secretPathUrlEncoded}/details`);
+
+      assert.ok(
+        await waitUntil(() => currentRouteName() === 'vault.cluster.access.control-group-accessor'),
+        'redirects to access control group route'
+      );
+
+      await grantAccess({
+        apiPath: `${backend}/data/${encodeURIComponent(secretPath)}`,
+        originUrl: `/vault/secrets/${backend}/kv/list`,
+        userToken: this.userToken,
+      });
+
+      assert.strictEqual(
+        currentURL(),
+        `/vault/secrets/${backend}/kv/list`,
+        'navigates back to list url after authorized'
+      );
+      await click(PAGE.list.item(secretPath));
+
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath]);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for secret detail');
+
+      await click(PAGE.secretTab('Metadata'));
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'metadata']);
+      assert.dom(PAGE.title).hasText(secretPath, 'correct page title for metadata');
+
+      assert.dom(PAGE.metadata.editBtn).doesNotExist('cannot edit metadata');
+
+      await click(PAGE.breadcrumbAtIdx(2));
+      assert.dom(PAGE.secretTab('Version History')).doesNotExist('Version History tab not shown');
+
+      await click(PAGE.secretTab('Secret'));
+      await click(PAGE.detail.createNewVersion);
+      assertCorrectBreadcrumbs(assert, ['secrets', backend, secretPath, 'edit']);
+      assert.dom(PAGE.title).hasText('Create New Version', 'correct page title for secret edit');
+    });
+  });
+});
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-version-history-diff-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-version-history-diff-test.js
new file mode 100644
index 0000000000..1bb6514a1b
--- /dev/null
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-version-history-diff-test.js
@@ -0,0 +1,133 @@
+import { module, test } from 'qunit';
+import { v4 as uuidv4 } from 'uuid';
+import { setupApplicationTest } from 'vault/tests/helpers';
+import authPage from 'vault/tests/pages/auth';
+import { deleteEngineCmd, mountEngineCmd, runCmd, tokenWithPolicyCmd } from 'vault/tests/helpers/commands';
+import { personas } from 'vault/tests/helpers/policy-generator/kv';
+import { setupControlGroup, writeSecret } from 'vault/tests/helpers/kv/kv-run-commands';
+
+/**
+ * This test set is for testing version history & diff pages
+ * VAULT-18817
+ */
+module('Acceptance | kv-v2 workflow | version history & diff', function (hooks) {
+  setupApplicationTest(hooks);
+
+  hooks.beforeEach(async function () {
+    this.backend = `kv-workflow-${uuidv4()}`;
+    await authPage.login();
+    await runCmd(mountEngineCmd('kv-v2', this.backend), false);
+    await writeSecret(this.backend, 'app/first-secret', 'foo', 'bar');
+  });
+
+  hooks.afterEach(async function () {
+    await authPage.login();
+    return runCmd(deleteEngineCmd(this.backend));
+  });
+
+  module('admin persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd(tokenWithPolicyCmd('admin', personas.admin(this.backend)));
+      await authPage.login(token);
+    });
+    test.skip('can navigate to the version history page', async function (assert) {
+      assert.expect(0);
+    });
+    test.skip('history works correctly when no secrets', async function (assert) {
+      assert.expect(0);
+    });
+    test.skip('history works correctly when only one secret version', async function (assert) {
+      assert.expect(0);
+    });
+    test.skip('history works correctly when many secret versions in various states', async function (assert) {
+      assert.expect(0);
+    });
+    test.skip('can navigate to the version diff view', async function (assert) {
+      assert.expect(0);
+    });
+    test.skip('diff works correctly when no secrets', async function (assert) {
+      assert.expect(0);
+    });
+    test.skip('diff works correctly when only one secret version', async function (assert) {
+      assert.expect(0);
+    });
+    test.skip('diff works correctly between various secret versions', async function (assert) {
+      assert.expect(0);
+    });
+  });
+
+  module('data-reader persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([tokenWithPolicyCmd('data-reader', personas.dataReader(this.backend))]);
+      await authPage.login(token);
+    });
+    // Copy test outline from admin persona
+  });
+
+  module('data-list-reader persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        tokenWithPolicyCmd('data-list-reader', personas.dataListReader(this.backend)),
+      ]);
+      await authPage.login(token);
+    });
+    // Copy test outline from admin persona
+  });
+
+  module('metadata-maintainer persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        tokenWithPolicyCmd('metadata-maintainer', personas.metadataMaintainer(this.backend)),
+      ]);
+      await authPage.login(token);
+    });
+    // Copy test outline from admin persona
+  });
+
+  module('secret-creator persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const token = await runCmd([
+        tokenWithPolicyCmd('secret-creator', personas.secretCreator(this.backend)),
+      ]);
+      await authPage.login(token);
+    });
+    // Copy test outline from admin persona
+  });
+
+  module('enterprise controlled access persona', function (hooks) {
+    hooks.beforeEach(async function () {
+      const userPolicy = `
+path "${this.backend}/data/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+  control_group = {
+    max_ttl = "24h"
+    factor "approver" {
+      controlled_capabilities = ["write"]
+      identity {
+          group_names = ["managers"]
+          approvals = 1
+      }
+    }
+  }
+}
+
+path "${this.backend}/*" {
+  capabilities = ["list"]
+}
+
+// Can we allow this so user can self-authorize?
+path "sys/control-group/authorize" {
+  capabilities = ["update"]
+}
+
+path "sys/control-group/request" {
+  capabilities = ["update"]
+}
+`;
+      const { userToken } = await setupControlGroup({ userPolicy });
+      this.userToken = userToken;
+      return authPage.login(userToken);
+    });
+    // Copy test outline from admin persona
+  });
+});
diff --git a/ui/tests/acceptance/secrets/backend/kv/secret-test.js b/ui/tests/acceptance/secrets/backend/kv/secret-test.js
index 22f0259e3b..9e123006db 100644
--- a/ui/tests/acceptance/secrets/backend/kv/secret-test.js
+++ b/ui/tests/acceptance/secrets/backend/kv/secret-test.js
@@ -17,13 +17,14 @@ import { create } from 'ember-cli-page-object';
 import { module, skip, test } from 'qunit';
 import { setupApplicationTest } from 'ember-qunit';
 import { v4 as uuidv4 } from 'uuid';
+import { setupMirage } from 'ember-cli-mirage/test-support';
 
 import editPage from 'vault/tests/pages/secrets/backend/kv/edit-secret';
 import showPage from 'vault/tests/pages/secrets/backend/kv/show';
 import listPage from 'vault/tests/pages/secrets/backend/list';
+import assertSecretWrap from 'vault/tests/helpers/secret-edit-toolbar';
 
 import mountSecrets from 'vault/tests/pages/settings/mount-secret-backend';
-import apiStub from 'vault/tests/helpers/noop-all-api-requests';
 import authPage from 'vault/tests/pages/auth';
 import logout from 'vault/tests/pages/logout';
 import consoleClass from 'vault/tests/pages/components/console/ui-panel';
@@ -65,10 +66,10 @@ const mountEngineGeneratePolicyToken = async (enginePath, secretPath, policy, ve
 
 module('Acceptance | secrets/secret/create, read, delete', function (hooks) {
   setupApplicationTest(hooks);
+  setupMirage(hooks);
 
   hooks.beforeEach(async function () {
     this.uid = uuidv4();
-    this.server = apiStub({ usePassthrough: true });
     await authPage.login();
   });
 
@@ -77,7 +78,7 @@ module('Acceptance | secrets/secret/create, read, delete', function (hooks) {
   });
 
   test('it creates a secret and redirects', async function (assert) {
-    assert.expect(5);
+    assert.expect(6);
     const secretPath = `kv-path-${this.uid}`;
     const path = `kv-engine-${this.uid}`;
     await enablePage.enable('kv', path);
@@ -101,6 +102,7 @@ module('Acceptance | secrets/secret/create, read, delete', function (hooks) {
       'vault.cluster.secrets.backend.show',
       'redirects to the show page'
     );
+    await assertSecretWrap(assert, this.server, `${path}/data/${secretPath}`);
     assert.ok(showPage.editIsPresent, 'shows the edit button');
     await deleteEngine(path, assert);
   });
@@ -1050,7 +1052,7 @@ module('Acceptance | secrets/secret/create, read, delete', function (hooks) {
     assert
       .dom('[data-test-warning-no-read-permissions]')
       .hasText(
-        'You do not have read permissions. If a secret exists here creating a new secret will overwrite it.'
+        'You do not have read permissions. If a secret exists at this path creating a new secret will overwrite it.'
       );
 
     await editPage.editSecret('bar', 'baz');
diff --git a/ui/tests/helpers/codemirror.js b/ui/tests/helpers/codemirror.js
index c5922ba210..2476680794 100644
--- a/ui/tests/helpers/codemirror.js
+++ b/ui/tests/helpers/codemirror.js
@@ -3,18 +3,28 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
+/*
+returns an instance of CodeMirror, see docs for callable functions https://codemirror.net/5/doc/manual.html#api_constructor
+sample use:
+
+  import codemirror from 'vault/tests/helpers/codemirror';
+
+  test('it renders initial value', function (assert) {
+
+    assert.strictEqual(codemirror.getValue(), 'some value')
+  )}
+*/
+
 const invariant = (truthy, error) => {
   if (!truthy) throw new Error(error);
 };
 
-export default function (context, selector) {
-  const cmService = context.owner.lookup('service:code-mirror');
+export default function () {
+  const element = document.querySelector('.CodeMirror');
+  invariant(element, `Selector '.CodeMirror' matched no elements`);
 
-  const element = document.querySelector(selector);
-  invariant(element, `Selector ${selector} matched no elements`);
-
-  const cm = cmService.instanceFor(element.id);
-  invariant(cm, `No registered CodeMirror instance for ${selector}`);
+  const cm = element.CodeMirror;
+  invariant(cm, `No registered CodeMirror instance for '.CodeMirror'`);
 
   return cm;
 }
diff --git a/ui/tests/helpers/commands.js b/ui/tests/helpers/commands.js
index cbda6e1c90..cd56b035eb 100644
--- a/ui/tests/helpers/commands.js
+++ b/ui/tests/helpers/commands.js
@@ -1,3 +1,5 @@
+import consoleClass from 'vault/tests/pages/components/console/ui-panel';
+import { create } from 'ember-cli-page-object';
 /**
  * Copyright (c) HashiCorp, Inc.
  * SPDX-License-Identifier: BUSL-1.1
@@ -5,62 +7,83 @@
 
 /**
  * Helper functions to run common commands in the consoleComponent during tests.
- * Please note that a user must be logged in during the test context for the commands to run
+ * Please note that a user must be logged in during the test context for the commands to run.
+ * By default runCmd throws an error if the last log includes "Error". To override this,
+ * pass boolean false to run the commands and not throw errors
  *
  * Example:
  *
  * import { v4 as uuidv4 } from 'uuid';
- * import { create } from 'ember-cli-page-object';
- * import consoleClass from 'vault/tests/pages/components/console/ui-panel';
  * import { runCmd, mountEngineCmd } from 'vault/tests/helpers/commands';
  *
- * const consoleComponent = create(consoleClass);
  *
  * async function mountEngineExitOnError() {
  *    const backend = `pki-${uuidv4()}`;
- *    await runCmd(consoleComponent, mountEngineCmd('pki', backend));
+ *    await runCmd(mountEngineCmd('pki', backend));
  *    return backend;
  * }
  *
  * async function mountEngineSquashErrors() {
  *    const backend = `pki-${uuidv4()}`;
- *    await consoleComponent.runCommands(mountEngineCmd('pki', backend));
+ *    await runCmd(mountEngineCmd('pki', backend), false);
  *    return backend;
  * }
  */
 
-export function mountEngineCmd(type, customName = '') {
-  const name = customName || type;
-  return [`write sys/mounts/${name} type=${type}`];
-}
-
-export function deleteEngineCmd(name) {
-  return [`delete sys/mounts/${name}`];
-}
-
-export function createPolicyCmd(name, contents) {
-  const policyContent = window.btoa(contents);
-  return [`write sys/policies/acl/${name} policy=${policyContent}`];
-}
-
-export function tokenWithPolicyCmd(policyName = 'default') {
-  return [`write -field=client_token auth/token/create policies=${policyName} ttl=1h`];
-}
+const cc = create(consoleClass);
 
 /**
  * runCmd is used to run commands and throw an error if the output includes "Error"
- * @param {Component} console instance
- * @param {Array<string>} commands array of commands that should be run
+ * @param {string || string[]} commands array of commands that should run
+ * @param {boolean} throwErrors
  * @returns the last log output. Throws an error if it includes an error
  */
-export async function runCmd(component, commands) {
-  if (!component || !commands) {
-    throw new Error('runCmd requires consoleComponent and commands passed in');
+export async function runCmd(commands, throwErrors = true) {
+  if (!commands) {
+    throw new Error('runCmd requires commands array passed in');
   }
-  await component.runCommands(commands);
-  const lastOutput = component.lastLogOutput;
-  if (lastOutput.includes('Error')) {
+  if (!Array.isArray(commands)) {
+    commands = [commands];
+  }
+  await cc.runCommands(commands);
+  const lastOutput = cc.lastLogOutput;
+  if (throwErrors && lastOutput.includes('Error')) {
     throw new Error(`Error occurred while running commands: "${commands.join('; ')}" - ${lastOutput}`);
   }
   return lastOutput;
 }
+
+// Common commands
+export function mountEngineCmd(type, customName = '') {
+  const name = customName || type;
+  if (type === 'kv-v2') {
+    return `write sys/mounts/${name} type=kv options=version=2`;
+  }
+  return `write sys/mounts/${name} type=${type}`;
+}
+
+export function deleteEngineCmd(name) {
+  return `delete sys/mounts/${name}`;
+}
+
+export function mountAuthCmd(type, customName = '') {
+  const name = customName || type;
+  return `write sys/auth/${name} type=${type}`;
+}
+
+export function deleteAuthCmd(name) {
+  return `delete sys/auth/${name}`;
+}
+
+export function createPolicyCmd(name, contents) {
+  const policyContent = window.btoa(contents);
+  return `write sys/policies/acl/${name} policy=${policyContent}`;
+}
+
+export function createTokenCmd(policyName = 'default') {
+  return `write -field=client_token auth/token/create policies=${policyName} ttl=1h`;
+}
+
+export const tokenWithPolicyCmd = function (name, policy) {
+  return [createPolicyCmd(name, policy), createTokenCmd(name)];
+};
diff --git a/ui/tests/helpers/control-groups.js b/ui/tests/helpers/control-groups.js
new file mode 100644
index 0000000000..6ae1fbfb9f
--- /dev/null
+++ b/ui/tests/helpers/control-groups.js
@@ -0,0 +1,94 @@
+import { click, visit } from '@ember/test-helpers';
+import { create } from 'ember-cli-page-object';
+import { CONTROL_GROUP_PREFIX, TOKEN_SEPARATOR } from 'vault/services/control-group';
+
+import authPage from 'vault/tests/pages/auth';
+import controlGroup from 'vault/tests/pages/components/control-group';
+import { createPolicyCmd, createTokenCmd, mountAuthCmd, runCmd } from './commands';
+const controlGroupComponent = create(controlGroup);
+
+const storageKey = (accessor, path) => {
+  return `${CONTROL_GROUP_PREFIX}${accessor}${TOKEN_SEPARATOR}${path}`;
+};
+
+export const setupControlGroup = async ({
+  userPolicy,
+  adminUser = 'authorizer',
+  adminPassword = 'password',
+  userpassMount = 'userpass',
+}) => {
+  const userPolicyName = 'kv-control-group';
+  const authorizerPolicy = `
+    path "sys/control-group/authorize" {
+    capabilities = ["update"]
+  }
+
+  path "sys/control-group/request" {
+    capabilities = ["update"]
+  }
+`;
+  const userpassAccessor = await runCmd([
+    // write policies for control group + authorization
+    createPolicyCmd(userPolicyName, userPolicy),
+    createPolicyCmd('authorizer', authorizerPolicy),
+    // enable userpass, create admin user
+    mountAuthCmd('userpass', userpassMount),
+    // read out mount to get the accessor
+    `read -field=accessor sys/internal/ui/mounts/auth/${userpassMount}`,
+  ]);
+  const authorizerEntityId = await runCmd([
+    // create admin user and entity
+    `write auth/${userpassMount}/users/${adminUser} password=${adminPassword} policies=default`,
+    `write identity/entity name=${adminUser} policies=test`,
+    `write -field=id identity/lookup/entity name=${adminUser}`,
+  ]);
+  const userToken = await runCmd([
+    // create alias for authorizor and add them to the managers group
+    `write identity/alias mount_accessor=${userpassAccessor} entity_id=${authorizerEntityId} name=${adminUser}`,
+    `write identity/group name=managers member_entity_ids=${authorizerEntityId} policies=authorizer`,
+    // create a token to request access to kv/foo
+    createTokenCmd(userPolicyName),
+  ]);
+  return {
+    userToken,
+    userPolicyName,
+    userPolicy,
+    adminUser,
+    adminPassword,
+    userpassMount,
+  };
+};
+
+export async function grantAccess({
+  apiPath,
+  originUrl,
+  userToken,
+  authorizerUser = 'authorizer',
+  authorizerPassword = 'password',
+}) {
+  /*
+   * Control group grant access flow
+   * Assumes start on route 'vault.cluster.access.control-group-accessor'
+   * and authorizer login is via userpass
+   */
+  const accessor = controlGroupComponent.accessor;
+  const controlGroupToken = controlGroupComponent.token;
+  await authPage.loginUsername(authorizerUser, authorizerPassword);
+  await visit(`/vault/access/control-groups/${accessor}`);
+  await controlGroupComponent.authorize();
+  await authPage.login(userToken);
+  localStorage.setItem(
+    storageKey(accessor, apiPath),
+    JSON.stringify({
+      accessor,
+      token: controlGroupToken,
+      creation_path: apiPath,
+      uiParams: {
+        url: originUrl,
+      },
+    })
+  );
+  await visit(`/vault/access/control-groups/${accessor}`);
+  await click(`[data-test-navigate-button]`);
+  /* end of control group authorization flow */
+}
diff --git a/ui/tests/helpers/kv/kv-run-commands.js b/ui/tests/helpers/kv/kv-run-commands.js
new file mode 100644
index 0000000000..9f1b53a68a
--- /dev/null
+++ b/ui/tests/helpers/kv/kv-run-commands.js
@@ -0,0 +1,48 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { click, fillIn, visit } from '@ember/test-helpers';
+import { FORM } from './kv-selectors';
+
+// CUSTOM ACTIONS RELEVANT TO KV-V2
+
+export const writeSecret = async function (backend, path, key, val) {
+  await visit(`vault/secrets/${backend}/kv/create`);
+  await fillIn(FORM.inputByAttr('path'), path);
+  await fillIn(FORM.keyInput(), key);
+  await fillIn(FORM.maskedValueInput(), val);
+  return click(FORM.saveBtn);
+};
+
+export const writeVersionedSecret = async function (backend, path, key, val, version = 2) {
+  await writeSecret(backend, path, 'key-1', 'val-1');
+  for (let currentVersion = 2; currentVersion <= version; currentVersion++) {
+    await visit(`/vault/secrets/${backend}/kv/${encodeURIComponent(path)}/details/edit`);
+    if (currentVersion === version) {
+      await fillIn(FORM.keyInput(), key);
+      await fillIn(FORM.maskedValueInput(), val);
+    } else {
+      await fillIn(FORM.keyInput(), `key-${currentVersion}`);
+      await fillIn(FORM.maskedValueInput(), `val-${currentVersion}`);
+    }
+    await click(FORM.saveBtn);
+  }
+  return;
+};
+
+export const addSecretMetadataCmd = (backend, secret, options = { max_versions: 10 }) => {
+  const stringOptions = Object.keys(options).reduce((prev, curr) => {
+    return `${prev} ${curr}=${options[curr]}`;
+  }, '');
+  return `write ${backend}/metadata/${secret} ${stringOptions}`;
+};
+
+// Clears kv-related data and capabilities so that admin
+// capabilities from setup don't rollover
+export function clearRecords(store) {
+  store.unloadAll('kv/data');
+  store.unloadAll('kv/metatata');
+  store.unloadAll('capabilities');
+}
diff --git a/ui/tests/helpers/kv/kv-selectors.js b/ui/tests/helpers/kv/kv-selectors.js
new file mode 100644
index 0000000000..e9230e7c23
--- /dev/null
+++ b/ui/tests/helpers/kv/kv-selectors.js
@@ -0,0 +1,99 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+export const PAGE = {
+  // General selectors that are common between pages
+  title: '[data-test-header-title]',
+  breadcrumbs: '[data-test-breadcrumbs]',
+  breadcrumb: '[data-test-breadcrumbs] li',
+  breadcrumbAtIdx: (idx) => `[data-test-crumb="${idx}"] a`,
+  infoRowValue: (label) => `[data-test-value-div="${label}"]`,
+  infoRowToggleMasked: (label) => `[data-test-value-div="${label}"] [data-test-button="toggle-masked"]`,
+  secretTab: (tab) => `[data-test-secrets-tab="${tab}"]`,
+  emptyStateTitle: '[data-test-empty-state-title]',
+  emptyStateMessage: '[data-test-empty-state-message]',
+  emptyStateActions: '[data-test-empty-state-actions]',
+  popup: '[data-test-popup-menu-trigger]',
+  error: {
+    title: '[data-test-page-error] h1',
+    message: '[data-test-page-error] p',
+  },
+  toolbar: 'nav.toolbar',
+  toolbarAction: 'nav.toolbar-actions .toolbar-link',
+  secretRow: '[data-test-component="info-table-row"]',
+  // specific page selectors
+  metadata: {
+    editBtn: '[data-test-edit-metadata]',
+    addCustomMetadataBtn: '[data-test-add-custom-metadata]',
+    customMetadataSection: '[data-test-kv-custom-metadata-section]',
+    secretMetadataSection: '[data-test-kv-metadata-section]',
+  },
+  detail: {
+    versionTimestamp: '[data-test-kv-version-tooltip-trigger]',
+    versionDropdown: '[data-test-version-dropdown]',
+    version: (number) => `[data-test-version="${number}"]`,
+    createNewVersion: '[data-test-create-new-version]',
+    delete: '[data-test-kv-delete="delete"]',
+    destroy: '[data-test-kv-delete="destroy"]',
+    copy: '[data-test-copy-menu-trigger]',
+  },
+  list: {
+    createSecret: '[data-test-toolbar-create-secret]',
+    item: (secret) => (!secret ? '[data-test-list-item]' : `[data-test-list-item="${secret}"]`),
+    filter: `[data-test-component="kv-list-filter"]`,
+    overviewCard: '[data-test-overview-card-container="View secret"]',
+    overviewInput: '[data-test-view-secret] input',
+    overviewButton: '[data-test-get-secret-detail]',
+    pagination: '[data-test-pagination]',
+    paginationInfo: '.hds-pagination-info',
+    paginationNext: '.hds-pagination-nav__arrow--direction-next',
+    paginationSelected: '.hds-pagination-nav__number--is-selected',
+  },
+  versions: {
+    icon: (version) => `[data-test-icon-holder="${version}"]`,
+    linkedBlock: (version) => `[data-test-version-linked-block="${version}"]`,
+    button: (version) => `[data-test-version-button="${version}"]`,
+  },
+  create: {
+    metadataSection: '[data-test-metadata-section]',
+  },
+};
+
+// Form/Interactive selectors that are common between pages and forms
+export const FORM = {
+  inputByAttr: (attr) => `[data-test-input="${attr}"]`,
+  fieldByAttr: (attr) => `[data=test=field="${attr}"]`, // formfield
+  toggleJson: '[data-test-toggle-input="json"]',
+  toggleMasked: '[data-test-button="toggle-masked"]',
+  toggleMetadata: '[data-test-metadata-toggle]',
+  jsonEditor: '[data-test-component="code-mirror-modifier"]',
+  ttlValue: (name) => `[data-test-ttl-value="${name}"]`,
+  toggleByLabel: (label) => `[data-test-ttl-toggle="${label}"]`,
+  dataInputLabel: ({ isJson = false }) =>
+    isJson ? '[data-test-component="json-editor-title"]' : '[data-test-kv-label]',
+  // <KvObjectEditor>
+  kvLabel: '[data-test-kv-label]',
+  kvRow: '[data-test-kv-row]',
+  keyInput: (idx = 0) => `[data-test-kv-key="${idx}"]`,
+  valueInput: (idx = 0) => `[data-test-kv-value="${idx}"]`,
+  maskedValueInput: (idx = 0) => `[data-test-kv-value="${idx}"] [data-test-textarea]`,
+  addRow: (idx = 0) => `[data-test-kv-add-row="${idx}"]`,
+  deleteRow: (idx = 0) => `[data-test-kv-delete-row="${idx}"]`,
+  // Alerts & validation
+  inlineAlert: '[data-test-inline-alert]',
+  validation: (attr) => `[data-test-field="${attr}"] [data-test-inline-alert]`,
+  messageError: '[data-test-message-error]',
+  validationWarning: '[data-test-validation-warning]',
+  invalidFormAlert: '[data-test-invalid-form-alert]',
+  versionAlert: '[data-test-secret-version-alert]',
+  noReadAlert: '[data-test-secret-no-read-alert]',
+  // Form btns
+  saveBtn: '[data-test-kv-save]',
+  cancelBtn: '[data-test-kv-cancel]',
+};
+
+export const parseJsonEditor = (find) => {
+  return JSON.parse(find(FORM.jsonEditor).innerText);
+};
diff --git a/ui/tests/helpers/policy-generator/kv.js b/ui/tests/helpers/policy-generator/kv.js
new file mode 100644
index 0000000000..4a27d15282
--- /dev/null
+++ b/ui/tests/helpers/policy-generator/kv.js
@@ -0,0 +1,80 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+const root = ['create', 'read', 'update', 'delete', 'list'];
+
+// returns a string with each capability wrapped in double quotes => ["create", "read"]
+const format = (array) => array.map((c) => `"${c}"`).join(', ');
+
+export const adminPolicy = (backend) => {
+  return `
+    path "${backend}/*" {
+      capabilities = [${format(root)}]
+    },
+  `;
+};
+
+export const dataPolicy = ({ backend, secretPath = '*', capabilities = root }) => {
+  // "delete" capability on this path can delete latest version
+  return `
+    path "${backend}/data/${secretPath}" {
+      capabilities = [${format(capabilities)}]
+    }
+  `;
+};
+
+export const metadataPolicy = ({ backend, secretPath = '*', capabilities = root }) => {
+  // "delete" capability on this path can destroy all versions
+  return `
+    path "${backend}/metadata/${secretPath}" {
+        capabilities = [${format(capabilities)}]
+    }
+  `;
+};
+
+export const metadataListPolicy = (backend) => {
+  return `
+    path "${backend}/metadata" {
+        capabilities = ["list"]
+    }
+  `;
+};
+
+export const deleteVersionsPolicy = ({ backend, secretPath = '*' }) => {
+  return `
+    path "${backend}/delete/${secretPath}" {
+        capabilities = ["update"]
+    }
+  `;
+};
+export const undeleteVersionsPolicy = ({ backend, secretPath = '*' }) => {
+  return `
+    path "${backend}/undelete/${secretPath}" {
+        capabilities = ["update"]
+    }
+  `;
+};
+export const destroyVersionsPolicy = ({ backend, secretPath = '*' }) => {
+  return `
+    path "${backend}/destroy/${secretPath}" {
+        capabilities = ["update"]
+    }
+  `;
+};
+
+// Personas for reuse in workflow tests
+export const personas = {
+  admin: (backend) => adminPolicy(backend),
+  dataReader: (backend) => dataPolicy({ backend, capabilities: ['read'] }),
+  dataListReader: (backend) =>
+    dataPolicy({ backend, capabilities: ['read', 'delete'] }) + metadataListPolicy(backend),
+  metadataMaintainer: (backend) =>
+    metadataListPolicy(backend) +
+    metadataPolicy({ backend, capabilities: ['create', 'read', 'update', 'list'] }) +
+    deleteVersionsPolicy({ backend }) +
+    undeleteVersionsPolicy({ backend }) +
+    destroyVersionsPolicy({ backend }),
+  secretCreator: (backend) => dataPolicy({ backend, capabilities: ['create', 'update'] }),
+};
diff --git a/ui/tests/helpers/secret-edit-toolbar.js b/ui/tests/helpers/secret-edit-toolbar.js
new file mode 100644
index 0000000000..bba282aa48
--- /dev/null
+++ b/ui/tests/helpers/secret-edit-toolbar.js
@@ -0,0 +1,12 @@
+import { click } from '@ember/test-helpers';
+const SELECTORS = {
+  dropdown: '[data-test-copy-menu-trigger]',
+  wrapButton: '[data-test-wrap-button]',
+};
+export default async function assertSecretWrap(assert, server, path) {
+  server.get(path, () => {
+    assert.ok(true, `request made to ${path} when wrapping secret`);
+  });
+  await click(SELECTORS.dropdown);
+  await click(SELECTORS.wrapButton);
+}
diff --git a/ui/tests/integration/components/copy-secret-dropdown-test.js b/ui/tests/integration/components/copy-secret-dropdown-test.js
new file mode 100644
index 0000000000..06d75025f1
--- /dev/null
+++ b/ui/tests/integration/components/copy-secret-dropdown-test.js
@@ -0,0 +1,88 @@
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { click, render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+
+const SELECTORS = {
+  dropdown: '[data-test-copy-menu-trigger]',
+  copyButton: '[data-test-copy-button]',
+  clipboard: 'data-clipboard-text',
+  wrapButton: '[data-test-wrap-button]',
+  masked: '[data-test-masked-input]',
+};
+
+module('Integration | Component | copy-secret-dropdown', function (hooks) {
+  setupRenderingTest(hooks);
+  hooks.beforeEach(function () {
+    this.onWrap = () => {};
+    this.onClose = () => {};
+  });
+
+  test('it renders and fires callback functions', async function (assert) {
+    assert.expect(5);
+    this.data = `{ foo: 'bar' }`;
+    this.onWrap = () => assert.ok(true, 'onWrap callback fires Wrap secret is clicked');
+    this.onClose = () => assert.ok(true, 'onClose callback fires when dropdown closes');
+
+    await render(
+      hbs`<ToolbarActions>
+  <CopySecretDropdown
+    @clipboardText={{this.data}}
+    @onWrap={{this.onWrap}}
+    @onClose={{this.onClose}}
+  />
+</ToolbarActions>`
+    );
+
+    await click(SELECTORS.dropdown);
+    assert.dom(SELECTORS.copyButton).hasText('Copy JSON');
+    assert.dom(SELECTORS.wrapButton).hasText('Wrap secret');
+    assert
+      .dom(SELECTORS.copyButton)
+      .hasAttribute('data-clipboard-text', `${this.data}`, 'it renders copyable data');
+
+    await click(SELECTORS.wrapButton);
+    await click(SELECTORS.dropdown);
+  });
+
+  test('it renders loading wrap button', async function (assert) {
+    assert.expect(2);
+    await render(
+      hbs`<ToolbarActions>
+  <CopySecretDropdown
+    @clipboardText={{this.data}}
+    @onWrap={{this.onWrap}}
+    @isWrapping={{true}}
+    @wrappedData={{this.wrappedData}}
+    @onClose={{this.onClose}}
+  />
+</ToolbarActions>`
+    );
+
+    await click(SELECTORS.dropdown);
+    assert.dom(SELECTORS.wrapButton).hasClass('is-loading');
+    assert.dom(SELECTORS.wrapButton).isDisabled();
+  });
+
+  test('it wrapped data', async function (assert) {
+    assert.expect(1);
+    this.wrappedData = 'my-token';
+
+    await render(
+      hbs`<ToolbarActions>
+  <CopySecretDropdown
+    @clipboardText={{this.data}}
+    @onWrap={{this.onWrap}}
+    @isWrapping={{false}}
+    @wrappedData={{this.wrappedData}}
+    @onClose={{this.onClose}}
+  />
+</ToolbarActions>`
+    );
+
+    await click(SELECTORS.dropdown);
+    assert
+      .dom(`${SELECTORS.masked} ${SELECTORS.copyButton}`)
+      .hasAttribute('data-clipboard-text', this.wrappedData, 'it renders wrapped data');
+  });
+});
diff --git a/ui/tests/integration/components/diff-version-selector-test.js b/ui/tests/integration/components/diff-version-selector-test.js
index 82f126d089..c6236d805f 100644
--- a/ui/tests/integration/components/diff-version-selector-test.js
+++ b/ui/tests/integration/components/diff-version-selector-test.js
@@ -3,6 +3,7 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
+// TODO kv engine cleanup
 import EmberObject from '@ember/object';
 import { module, test } from 'qunit';
 import { setupRenderingTest } from 'ember-qunit';
diff --git a/ui/tests/integration/components/get-credentials-card-test.js b/ui/tests/integration/components/get-credentials-card-test.js
index 82a128f9e4..5d80a36806 100644
--- a/ui/tests/integration/components/get-credentials-card-test.js
+++ b/ui/tests/integration/components/get-credentials-card-test.js
@@ -48,12 +48,14 @@ module('Integration | Component | get-credentials-card', function (hooks) {
   });
 
   test('it shows a disabled button when no item is selected', async function (assert) {
+    assert.expect(2);
     await render(hbs`<GetCredentialsCard @title={{this.title}} @searchLabel={{this.searchLabel}}/>`);
     assert.dom('[data-test-get-credentials]').isDisabled();
     assert.dom('[data-test-get-credentials]').hasText('Get credentials', 'Button has default text');
   });
 
   test('it shows button that can be clicked to credentials route when an item is selected', async function (assert) {
+    assert.expect(4);
     const models = ['database/role'];
     this.set('models', models);
     await render(
@@ -77,6 +79,7 @@ module('Integration | Component | get-credentials-card', function (hooks) {
   });
 
   test('it renders input search field when renderInputSearch=true and shows placeholder text', async function (assert) {
+    assert.expect(5);
     await render(
       hbs`<GetCredentialsCard @title={{this.title}} @renderInputSearch={{true}} @placeholder="secret/" @backend="kv" @type="secret"/>`
     );
diff --git a/ui/tests/integration/components/kv-object-editor-test.js b/ui/tests/integration/components/kv-object-editor-test.js
index bef4cddb5f..b6642ffa64 100644
--- a/ui/tests/integration/components/kv-object-editor-test.js
+++ b/ui/tests/integration/components/kv-object-editor-test.js
@@ -35,10 +35,16 @@ module('Integration | Component | kv-object-editor', function (hooks) {
     assert.deepEqual(
       this.spy.lastCall.args[0],
       { foo: 'bar' },
-      'calls onChange with the JSON respresentation of the data'
+      'calls onChange with the JSON representation of the data'
     );
     await component.addRow();
-    assert.strictEqual(component.rows.length, 2, 'adds a row when there is no blank one');
+    await assert.strictEqual(component.rows.length, 2, 'adds a row when there is no blank one');
+    await component.rows.objectAt(1).kvKey('another').kvVal('row');
+    assert.propEqual(
+      this.spy.lastCall.args[0],
+      { foo: 'bar', another: 'row' },
+      'calls onChange with second row of data'
+    );
   });
 
   test('it renders passed data', async function (assert) {
diff --git a/ui/tests/integration/components/kv/kv-data-fields-test.js b/ui/tests/integration/components/kv/kv-data-fields-test.js
new file mode 100644
index 0000000000..954e4d0e1f
--- /dev/null
+++ b/ui/tests/integration/components/kv/kv-data-fields-test.js
@@ -0,0 +1,76 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { hbs } from 'ember-cli-htmlbars';
+import { fillIn, render } from '@ember/test-helpers';
+import codemirror from 'vault/tests/helpers/codemirror';
+import { FORM } from 'vault/tests/helpers/kv/kv-selectors';
+
+module('Integration | Component | kv-v2 | KvDataFields', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    this.store = this.owner.lookup('service:store');
+    this.backend = 'my-kv-engine';
+    this.path = 'my-secret';
+    this.secret = this.store.createRecord('kv/data', { backend: this.backend });
+  });
+
+  test('it updates the secret model', async function (assert) {
+    assert.expect(2);
+
+    await render(hbs`<KvDataFields @showJson={{false}} @secret={{this.secret}} />`, { owner: this.engine });
+
+    await fillIn(FORM.inputByAttr('path'), this.path);
+    await fillIn(FORM.keyInput(), 'foo');
+    await fillIn(FORM.maskedValueInput(), 'bar');
+    assert.strictEqual(this.secret.path, this.path);
+    assert.propEqual(this.secret.secretData, { foo: 'bar' });
+  });
+
+  test('it JSON editor initializes with empty object and modifies secretData', async function (assert) {
+    assert.expect(3);
+
+    await render(hbs`<KvDataFields @showJson={{true}} @secret={{this.secret}} />`, { owner: this.engine });
+
+    assert.strictEqual(
+      codemirror().getValue(' '),
+      `{   \"\": \"\" }`, // eslint-disable-line no-useless-escape
+      'json editor initializes with empty object'
+    );
+    await fillIn(`${FORM.jsonEditor} textarea`, 'blah');
+    assert.strictEqual(codemirror().state.lint.marked.length, 1, 'codemirror lints input');
+    codemirror().setValue(`{ "hello": "there"}`);
+    assert.propEqual(this.secret.secretData, { hello: 'there' }, 'json editor updates secret data');
+  });
+
+  test('it disables path and prefills secret data when creating a new secret version', async function (assert) {
+    assert.expect(5);
+    this.secret.secretData = { foo: 'bar' };
+    this.secret.path = this.path;
+
+    this.newVersion = this.store.createRecord('kv/data', {
+      backend: this.backend,
+      path: this.path,
+      secretData: this.secret.secretData,
+    });
+
+    await render(hbs`<KvDataFields @showJson={{false}} @isEdit={{true}} @secret={{this.secret}} />`, {
+      owner: this.engine,
+    });
+
+    assert.dom(FORM.inputByAttr('path')).isDisabled();
+    assert.dom(FORM.inputByAttr('path')).hasValue(this.path);
+    assert.dom(FORM.keyInput()).hasValue('foo');
+    assert.dom(FORM.maskedValueInput()).hasValue('bar');
+    assert.dom(FORM.dataInputLabel({ isJson: false })).hasText('Version data');
+  });
+});
diff --git a/ui/tests/integration/components/kv/kv-list-filter-test.js b/ui/tests/integration/components/kv/kv-list-filter-test.js
new file mode 100644
index 0000000000..edeee644a8
--- /dev/null
+++ b/ui/tests/integration/components/kv/kv-list-filter-test.js
@@ -0,0 +1,197 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { render, focus, triggerKeyEvent, fillIn } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { kvMetadataPath } from 'vault/utils/kv-path';
+
+const MODELS = {
+  secrets: [
+    {
+      id: kvMetadataPath('my-engine', 'my-secret'),
+      path: 'my-secret',
+      fullSecretPath: 'my-secret',
+    },
+    {
+      id: kvMetadataPath('my-engine', 'my'),
+      path: 'my',
+      fullSecretPath: 'my',
+    },
+    {
+      id: kvMetadataPath('my-engine', 'beep/boop/bop'),
+      path: 'beep/boop/bop',
+      fullSecretPath: 'beep/boop/bop',
+    },
+    {
+      id: kvMetadataPath('my-engine', 'beep/boop-1'),
+      path: 'beep/boop-1',
+      fullSecretPath: 'beep/boop-1',
+    },
+  ],
+};
+const MOUNT_POINT = 'vault.cluster.secrets.backend.kv';
+
+module('Integration | Component | kv | kv-list-filter', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    this.model = MODELS;
+    this.mountPoint = MOUNT_POINT;
+  });
+
+  test('it renders and TAB defaults to first secret in list', async function (assert) {
+    assert.expect(4);
+    // mirage hook for TAB
+    this.owner.lookup('service:router').reopen({
+      transitionTo(route, { queryParams: { pageFilter } }) {
+        assert.strictEqual(route, `${MOUNT_POINT}.list`, 'List route sent when TAB on empty input.');
+        assert.deepEqual(pageFilter, 'my-secret', 'Filters to the first secret in the list.');
+      },
+    });
+
+    await render(hbs`<KvListFilter @secrets={{this.model.secrets}} @mountPoint={{this.mountPoint}} />`, {
+      owner: this.engine,
+    });
+
+    assert
+      .dom('[data-test-component="kv-list-filter"]')
+      .hasAttribute('placeholder', 'Filter secrets', 'Placeholder applied to input.');
+
+    await focus('[data-test-component="kv-list-filter"]');
+    assert.dom('[data-test-help-tab]').exists('on focus, with no filterValue, displays help text');
+    // trigger tab
+    await triggerKeyEvent('[data-test-component="kv-list-filter"]', 'keydown', 9);
+  });
+
+  test('it filters partial matches', async function (assert) {
+    assert.expect(2);
+    // mirage hook for TAB
+    this.owner.lookup('service:router').reopen({
+      transitionTo(route, { queryParams: { pageFilter } }) {
+        assert.strictEqual(route, `${MOUNT_POINT}.list`, 'List route sent when no pathToSecret.');
+        assert.deepEqual(pageFilter, 'my-secret', 'Sets page filter to my-secret.');
+      },
+    });
+
+    await render(
+      hbs`<KvListFilter @secrets={{this.model.secrets}} @mountPoint={{this.mountPoint}} @pageFilter="my-" />`,
+      {
+        owner: this.engine,
+      }
+    );
+    // focus on input and trigger TAB
+    await focus('[data-test-component="kv-list-filter"]');
+    await triggerKeyEvent('[data-test-component="kv-list-filter"]', 'keydown', 9);
+  });
+
+  test('it clears last item on backspace and clears to directory on esc', async function (assert) {
+    assert.expect(8);
+    // mirage hook for filling in the input
+    this.owner.lookup('service:router').reopen({
+      transitionTo(route, pathToSecret, { queryParams: { pageFilter } }) {
+        assert.deepEqual(pageFilter, 'boop-', 'Sends the correct pageFilter on fillIn.');
+      },
+    });
+
+    await render(
+      hbs`<KvListFilter @secrets={{this.model.secrets}} @mountPoint={{this.mountPoint}} @filterValue="beep/" @pageFilter=""/>`,
+      {
+        owner: this.engine,
+      }
+    );
+    // focus on input and trigger backspace
+    await focus('[data-test-component="kv-list-filter"]');
+    await fillIn('[data-test-component="kv-list-filter"]', 'beep/boop-');
+
+    this.owner.lookup('service:router').reopen({
+      transitionTo(route, pathToSecret, { queryParams: { pageFilter } }) {
+        assert.strictEqual(route, `${MOUNT_POINT}.list-directory`, 'Correct route sent.');
+        assert.strictEqual(pathToSecret, 'beep/', 'PathToSecret is the parent directory.');
+        assert.deepEqual(pageFilter, 'boop', 'Clears last item in pageFilter on backspace.');
+      },
+    });
+    await triggerKeyEvent('[data-test-component="kv-list-filter"]', 'keydown', 8);
+    assert.strictEqual(
+      document.activeElement.id,
+      'secret-filter',
+      'the input still remains focused after delete.'
+    );
+
+    this.owner.lookup('service:router').reopen({
+      transitionTo(route, pathToSecret, { queryParams: { pageFilter } }) {
+        assert.strictEqual(route, `${MOUNT_POINT}.list-directory`, 'Still on a directory route.');
+        assert.strictEqual(pathToSecret, 'beep/', 'Parent directory still shown.');
+        assert.deepEqual(pageFilter, null, 'Clears pageFilter on escape.');
+      },
+    });
+    // trigger escape
+    await triggerKeyEvent('[data-test-component="kv-list-filter"]', 'keydown', 27);
+  });
+
+  test('it transitions create page on enter when secret path is new', async function (assert) {
+    assert.expect(5);
+    // mirage hook for fillIn
+    this.owner.lookup('service:router').reopen({
+      transitionTo(route, pathToSecret, { queryParams: { pageFilter } }) {
+        assert.strictEqual(route, `${MOUNT_POINT}.list-directory`, 'Still on a directory route.');
+        assert.strictEqual(pathToSecret, 'beep/boop/', 'Parent directory still shown.');
+        assert.deepEqual(pageFilter, 'new-secret', 'Sends correct pageFilter.');
+      },
+    });
+
+    await render(
+      hbs`<KvListFilter @secrets={{this.model.secrets}} @mountPoint={{this.mountPoint}} @filterValue="beep/boop/"/>`,
+      {
+        owner: this.engine,
+      }
+    );
+    // focus on input, fillIn and then trigger enter
+    await focus('[data-test-component="kv-list-filter"]');
+    await fillIn('[data-test-component="kv-list-filter"]', 'beep/boop/new-secret');
+
+    // mirage hook for entering to create
+    this.owner.lookup('service:router').reopen({
+      transitionTo(route, { queryParams: { initialKey } }) {
+        assert.strictEqual(
+          route,
+          `${MOUNT_POINT}.create`,
+          'Sends to create route when secret does not exists.'
+        );
+        assert.deepEqual(initialKey, 'beep/boop/new-secret', 'It sends full secret path.');
+      },
+    });
+    await triggerKeyEvent('[data-test-component="kv-list-filter"]', 'keydown', 13);
+  });
+
+  test('it transitions details page on enter when secret path exists', async function (assert) {
+    assert.expect(1);
+    // mirage hook for entering to details
+    this.owner.lookup('service:router').reopen({
+      transitionTo(route) {
+        assert.strictEqual(
+          route,
+          `${MOUNT_POINT}.secret.details`,
+          'Sends to details route when secret does exists.'
+        );
+      },
+    });
+
+    await render(
+      hbs`<KvListFilter @secrets={{this.model.secrets}} @mountPoint={{this.mountPoint}} @filterValue="beep/boop/bop"/>`,
+      {
+        owner: this.engine,
+      }
+    );
+    // focus on input, fillIn and then trigger enter
+    await focus('[data-test-component="kv-list-filter"]');
+    await triggerKeyEvent('[data-test-component="kv-list-filter"]', 'keydown', 13);
+  });
+});
diff --git a/ui/tests/integration/components/kv/kv-page-header-test.js b/ui/tests/integration/components/kv/kv-page-header-test.js
new file mode 100644
index 0000000000..80cb0627d1
--- /dev/null
+++ b/ui/tests/integration/components/kv/kv-page-header-test.js
@@ -0,0 +1,119 @@
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { kvDataPath } from 'vault/utils/kv-path';
+
+module('Integration | Component | kv | kv-page-header', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
+  hooks.beforeEach(function () {
+    this.store = this.owner.lookup('service:store');
+    this.backend = 'kv-engine';
+    this.path = 'my-secret';
+    this.version = 2;
+    this.id = kvDataPath(this.backend, this.path, this.version);
+    this.payload = {
+      backend: this.backend,
+      path: this.path,
+      version: 2,
+    };
+    this.store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: this.id,
+      ...this.payload,
+    });
+
+    this.model = this.store.peekRecord('kv/data', this.id);
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.model.backend, route: 'secrets' },
+      { label: this.model.path, route: 'secrets.secret.details', model: this.model.path },
+      { label: 'edit' },
+    ];
+  });
+
+  test('it renders breadcrumbs', async function (assert) {
+    assert.expect(4);
+    await render(hbs`<KvPageHeader @breadcrumbs={{this.breadcrumbs}} @pageTitle="Create new version"/>`, {
+      owner: this.engine,
+    });
+    assert.dom('[data-test-breadcrumbs] li:nth-child(1) a').hasText('secrets', 'Secrets breadcrumb renders');
+    assert.dom('[data-test-breadcrumbs] li:nth-child(2) a').hasText(this.backend, 'engine name renders');
+    assert.dom('[data-test-breadcrumbs] li:nth-child(3) a').hasText(this.path, 'secret path renders');
+    assert
+      .dom('[data-test-breadcrumbs] li:nth-child(4)')
+      .hasText('/ edit', 'final breadcrumb renders and it is not a link.');
+  });
+
+  test('it renders a custom title for a non engine view', async function (assert) {
+    assert.expect(2);
+    await render(hbs`<KvPageHeader @breadcrumbs={{this.breadcrumbs}} @pageTitle="Create new version"/>`, {
+      owner: this.engine,
+    });
+    assert.dom('[data-test-header-title]').hasText('Create new version', 'displays custom title.');
+    assert.dom('[data-test-header-title] svg').doesNotExist('Does not show icon if not at engine level.');
+  });
+
+  test('it renders a title, icon and tag if engine view', async function (assert) {
+    assert.expect(2);
+    await render(hbs`<KvPageHeader @breadcrumbs={{this.breadcrumbs}} @mountName={{this.backend}} />`, {
+      owner: this.engine,
+    });
+    assert
+      .dom('[data-test-header-title]')
+      .hasText(`${this.backend} Version 2`, 'Mount path and Version tag render for title.');
+    assert.dom('[data-test-header-title] span').hasClass('hs-icon', 'An icon renders next to title.');
+  });
+
+  test('it renders tabs', async function (assert) {
+    assert.expect(2);
+    await render(
+      hbs`<KvPageHeader @breadcrumbs={{this.breadcrumbs}} @mountName="my-engine">
+  <:tabLinks>
+    <LinkTo @route="list" data-test-secrets-tab="Secrets">Secrets</LinkTo>
+    <LinkTo @route="configuration" data-test-secrets-tab="Configuration">Configuration</LinkTo>
+  </:tabLinks>
+  </KvPageHeader>
+    `,
+      {
+        owner: this.engine,
+      }
+    );
+    assert.dom('[data-test-secrets-tab="Secrets"]').hasText('Secrets', 'Secrets tab renders');
+    assert
+      .dom('[data-test-secrets-tab="Configuration"]')
+      .hasText('Configuration', 'Configuration tab renders');
+  });
+
+  test('it should yield block for toolbar actions', async function (assert) {
+    assert.expect(1);
+    await render(
+      hbs`<KvPageHeader @breadcrumbs={{this.breadcrumbs}} @mountName="my-engine">
+      <:toolbarActions>
+      <ToolbarLink @route="secrets.create" @type="add">Create secret</ToolbarLink>
+    </:toolbarActions>
+  </KvPageHeader>
+    `,
+      { owner: this.engine }
+    ),
+      assert.dom('.toolbar-actions').exists('Block is yielded for toolbar actions');
+  });
+
+  test('it should yield block for toolbar filters', async function (assert) {
+    assert.expect(1);
+    await render(
+      hbs`<KvPageHeader @breadcrumbs={{this.breadcrumbs}} @mountName="my-engine">
+      <:toolbarFilters>
+      <p>stuff here</p>
+    </:toolbarFilters>
+  </KvPageHeader>
+    `,
+      { owner: this.engine }
+    ),
+      assert.dom('.toolbar-filters').exists('Block is yielded for toolbar filters');
+  });
+});
diff --git a/ui/tests/integration/components/kv/page/kv-page-configuration-test.js b/ui/tests/integration/components/kv/page/kv-page-configuration-test.js
new file mode 100644
index 0000000000..334f5038af
--- /dev/null
+++ b/ui/tests/integration/components/kv/page/kv-page-configuration-test.js
@@ -0,0 +1,108 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { setupEngine } from 'ember-engines/test-support';
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+
+module('Integration | Component | kv-v2 | Page::Configuration', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+
+  hooks.beforeEach(async function () {
+    this.store = this.owner.lookup('service:store');
+    this.mountData = {
+      id: 'my-kv',
+      accessor: 'kv_80616825',
+      config: this.store.createRecord('mount-config', {
+        defaultLeaseTtl: '72h',
+        forceNoCache: false,
+        maxLeaseTtl: '123h',
+      }),
+      options: {
+        version: '2',
+      },
+      description: '',
+      path: 'my-kv',
+      sealWrap: false,
+      type: 'kv',
+      uuid: 'f1739f9d-dfc0-83c8-011f-ec17103a06a1',
+      // TODO: remove when attrs aren't duplicated across models
+      // these kv specific attrs exist on the secret-engine model (for POST request when mounting the engine)
+      // we want to make sure we're rendering values from kv/config while duplicates exist
+      maxVersions: 'this should never render',
+      casRequired: 'test is failing if this shows',
+      deleteVersionAfter: `definitely shouldn't render this`,
+    };
+    this.store.pushPayload('kv/config', {
+      modelName: 'kv/config',
+      id: 'my-config',
+      data: { max_versions: 0, cas_required: false, delete_version_after: '0s' },
+    });
+
+    // this is the route model, not an ember data model
+    this.model = {
+      engineConfig: this.store.peekRecord('kv/config', 'my-config'),
+      mountConfig: this.store.createRecord('secret-engine', this.mountData),
+    };
+
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.model.mountConfig.path, route: 'list' },
+      { label: 'configuration' },
+    ];
+  });
+
+  test('it renders kv configuration details', async function (assert) {
+    assert.expect(11);
+
+    await render(
+      hbs`
+      <Page::Configuration
+        @engineConfig={{this.model.engineConfig}}
+        @mountConfig={{this.model.mountConfig}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+
+    assert.dom(PAGE.title).includesText(this.mountData.path, 'renders engine path as page title');
+    assert.dom(PAGE.infoRowValue('Require check and set')).hasText('No');
+    assert.dom(PAGE.infoRowValue('Automate secret deletion')).hasText('Never delete');
+    assert.dom(PAGE.infoRowValue('Maximum number of versions')).hasText('0');
+    assert.dom(PAGE.infoRowValue('Accessor')).hasText(this.mountData.accessor);
+    assert.dom(PAGE.infoRowValue('Path')).hasText(this.mountData.path);
+    assert.dom(PAGE.infoRowValue('Type')).hasText(this.mountData.type);
+    assert.dom(PAGE.infoRowValue('Description')).doesNotExist();
+    assert.dom(PAGE.infoRowValue('Seal wrap')).hasText('No');
+    assert.dom(PAGE.infoRowValue('Default Lease TTL')).hasText('3 days');
+    assert.dom(PAGE.infoRowValue('Max Lease TTL')).hasText('5 days 3 hours');
+  });
+
+  test('it renders non default kv engine config data', async function (assert) {
+    assert.expect(3);
+    this.model.engineConfig.maxVersions = 10;
+    this.model.engineConfig.casRequired = true;
+    this.model.engineConfig.deleteVersionAfter = '10d';
+
+    await render(
+      hbs`
+      <Page::Configuration
+        @engineConfig={{this.model.engineConfig}}
+        @mountConfig={{this.model.mountConfig}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+    assert.dom(PAGE.infoRowValue('Require check and set')).hasText('Yes');
+    assert.dom(PAGE.infoRowValue('Automate secret deletion')).hasText('10 days');
+    assert.dom(PAGE.infoRowValue('Maximum number of versions')).hasText('10');
+  });
+});
diff --git a/ui/tests/integration/components/kv/page/kv-page-list-test.js b/ui/tests/integration/components/kv/page/kv-page-list-test.js
new file mode 100644
index 0000000000..820388fa1f
--- /dev/null
+++ b/ui/tests/integration/components/kv/page/kv-page-list-test.js
@@ -0,0 +1,86 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { render, click } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { kvMetadataPath } from 'vault/utils/kv-path';
+import { allowAllCapabilitiesStub } from 'vault/tests/helpers/stubs';
+import { PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+
+const CREATE_RECORDS = (number, store, server) => {
+  const mirageList = server.createList('kv-metadatum', number, 'withCustomPath');
+  mirageList.forEach((record) => {
+    record.data.path = record.path;
+    record.id = kvMetadataPath(record.data.backend, record.data.path);
+    store.pushPayload('kv/metadata', {
+      modelName: 'kv/metadata',
+      ...record,
+    });
+  });
+};
+
+const META = {
+  currentPage: 1,
+  lastPage: 2,
+  nextPage: 2,
+  prevPage: 1,
+  total: 16,
+  filteredTotal: 16,
+  pageSize: 15,
+};
+
+module('Integration | Component | kv | Page::List', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
+
+  hooks.beforeEach(async function () {
+    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
+    this.store = this.owner.lookup('service:store');
+  });
+
+  test('it renders Pagination and allows you to delete a kv/metadata record', async function (assert) {
+    assert.expect(19);
+    CREATE_RECORDS(15, this.store, this.server);
+    this.model = await this.store.peekAll('kv/metadata');
+    this.model.meta = META;
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.model.backend, route: 'list' },
+    ];
+    await render(
+      hbs`<Page::List
+      @secrets={{this.model}} 
+      @backend={{this.model.backend}}
+      @noMetadataListPermissions={{false}}
+      @breadcrumbs={{this.breadcrumbs}} 
+      @meta={{this.model.meta}}
+    />`,
+      {
+        owner: this.engine,
+      }
+    );
+    assert.dom(PAGE.list.pagination).exists('shows hds pagination component');
+    assert.dom(PAGE.list.paginationInfo).hasText('1–15 of 16', 'shows correct page of pages');
+
+    this.model.forEach((record) => {
+      assert.dom(PAGE.list.item(record.path)).exists('lists all records from 0-14 on the first page');
+    });
+
+    this.server.delete(kvMetadataPath('kv-engine', 'my-secret-0'), () => {
+      assert.ok(true, 'request made to correct endpoint on delete metadata.');
+    });
+
+    const popupSelector = `${PAGE.list.item('my-secret-0')} ${PAGE.popup}`;
+    await click(popupSelector);
+    await click('[data-test-confirm-action-trigger="true"]');
+    await click('[data-test-confirm-button=true]');
+    assert.dom(PAGE.list.item('my-secret-0')).doesNotExist('deleted the first record from the list');
+  });
+});
diff --git a/ui/tests/integration/components/kv/page/kv-page-metadata-details-test.js b/ui/tests/integration/components/kv/page/kv-page-metadata-details-test.js
new file mode 100644
index 0000000000..c98f082300
--- /dev/null
+++ b/ui/tests/integration/components/kv/page/kv-page-metadata-details-test.js
@@ -0,0 +1,121 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { findAll, render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { kvMetadataPath } from 'vault/utils/kv-path';
+import { allowAllCapabilitiesStub } from 'vault/tests/helpers/stubs';
+import { PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+
+module('Integration | Component | kv | Page::Secret::Metadata::Details', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
+
+  hooks.beforeEach(async function () {
+    this.store = this.owner.lookup('service:store');
+  });
+
+  test('it renders metadata details component and shows empty state when custom_metadata is empty', async function (assert) {
+    assert.expect(2);
+    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
+    const data = this.server.create('kv-metadatum');
+    data.id = kvMetadataPath('kv-engine', 'my-secret');
+    this.store.pushPayload('kv/metadata', {
+      modelName: 'kv/metadata',
+      ...data,
+    });
+    this.model = this.store.peekRecord('kv/metadata', data.id);
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.model.backend, route: 'list' },
+      { label: this.model.path, route: 'secret', model: this.model.path },
+      { label: 'metadata' },
+    ];
+    await render(
+      hbs`<Page::Secret::Metadata::Details @metadata={{this.model}} @breadcrumbs={{this.breadcrumbs}} />`,
+      {
+        owner: this.engine,
+      }
+    );
+    assert.dom(PAGE.emptyStateTitle).hasText('No custom metadata', 'renders the correct empty state');
+    assert
+      .dom(PAGE.infoRowValue('Delete version after'))
+      .hasText('3 hours 25 minutes 19 seconds', 'correctly shows and formats the timestamp.');
+  });
+
+  test('it renders custom metadata when it exists and user has permissions', async function (assert) {
+    assert.expect(3);
+    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
+    const data = this.server.create('kv-metadatum', 'withCustomMetadata');
+    data.id = kvMetadataPath('kv-engine', 'my-secret');
+    this.store.pushPayload('kv/metadata', {
+      modelName: 'kv/metadata',
+      ...data,
+    });
+    this.model = this.store.peekRecord('kv/metadata', data.id);
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.model.backend, route: 'list' },
+      { label: this.model.path, route: 'secret', model: this.model.path },
+      { label: 'metadata' },
+    ];
+
+    await render(
+      hbs`<Page::Secret::Metadata::Details @metadata={{this.model}} @breadcrumbs={{this.breadcrumbs}} />`,
+      {
+        owner: this.engine,
+      }
+    );
+    for (const key in this.model.customMetadata) {
+      const value = this.model.customMetadata[key];
+      assert.dom(PAGE.infoRowValue(key)).hasText(value);
+    }
+  });
+
+  test('it renders correct empty state messages with no READ metadata permissions and no secret.customMetadata is returned', async function (assert) {
+    assert.expect(3);
+    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub('list', 'update'));
+    // would not return custom_metadata if they did not have permissions
+    const data = this.server.create('kv-metadatum');
+    data.id = kvMetadataPath('kv-engine', 'my-secret');
+    this.store.pushPayload('kv/metadata', {
+      modelName: 'kv/metadata',
+      ...data,
+    });
+    this.model = this.store.peekRecord('kv/metadata', data.id);
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.model.backend, route: 'list' },
+      { label: this.model.path, route: 'secret', model: this.model.path },
+      { label: 'metadata' },
+    ];
+    await render(
+      hbs`<Page::Secret::Metadata::Details @metadata={{this.model}} @breadcrumbs={{this.breadcrumbs}} />`,
+      {
+        owner: this.engine,
+      }
+    );
+
+    const [noCustomMetadata, noMetadata] = findAll(PAGE.emptyStateTitle);
+    assert
+      .dom(noCustomMetadata)
+      .exists(
+        'You do not have access to read custom metadata',
+        'renders the empty state about custom_metadata'
+      );
+    assert
+      .dom(noMetadata)
+      .exists(
+        'You do not have access to secret metadata',
+        'renders the empty state about no secret metadata'
+      );
+    assert.dom(PAGE.metadata.editBtn).doesNotExist('does not render edit metadata button.');
+  });
+});
diff --git a/ui/tests/integration/components/kv/page/kv-page-metadata-edit-test.js b/ui/tests/integration/components/kv/page/kv-page-metadata-edit-test.js
new file mode 100644
index 0000000000..6835babec2
--- /dev/null
+++ b/ui/tests/integration/components/kv/page/kv-page-metadata-edit-test.js
@@ -0,0 +1,180 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { render, fillIn, click } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import sinon from 'sinon';
+import { kvMetadataPath } from 'vault/utils/kv-path';
+import { allowAllCapabilitiesStub } from 'vault/tests/helpers/stubs';
+import { FORM, PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+
+module('Integration | Component | kv | Page::Secret::Metadata::Edit', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
+
+  hooks.beforeEach(async function () {
+    this.onCancel = sinon.spy();
+    const store = this.owner.lookup('service:store');
+    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
+    const data = this.server.create('kv-metadatum', 'withCustomMetadata');
+    data.id = kvMetadataPath('kv-engine', 'my-secret');
+    store.pushPayload('kv/metadatum', {
+      modelName: 'kv/metadata',
+      ...data,
+    });
+    // Used to test a model with custom_metadata and non-default inputs.
+    this.metadataModelEdit = store.peekRecord('kv/metadata', data.id);
+    // Used to test a model with no custom_metadata and default values.
+    this.metadataModelCreate = store.createRecord('kv/metadata', {
+      backend: 'kv-engine-new',
+      path: 'my-secret-new',
+    });
+  });
+
+  test('it renders all inputs for a model that has all default values', async function (assert) {
+    assert.expect(5);
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.metadataModelCreate.backend, route: 'list' },
+      { label: this.metadataModelCreate.path, route: 'secret.details', model: this.metadataModelCreate.path },
+      { label: 'metadata' },
+    ];
+    await render(
+      hbs`
+      <Page::Secret::Metadata::Edit
+        @metadata={{this.metadataModelCreate}}
+        @breadcrumbs={{this.breadcrumbs}}
+        @onCancel={{this.onCancel}}
+        @onSave={{this.onSave}} />`,
+      {
+        owner: this.engine,
+      }
+    );
+    assert.dom(FORM.kvRow).exists({ count: 1 }, 'renders one kv row when model is new.');
+    assert.dom(FORM.inputByAttr('maxVersions')).exists('renders Max versions.');
+    assert.dom(FORM.inputByAttr('casRequired')).exists('renders Required Check and Set.');
+    assert
+      .dom('[data-test-toggle-label="Automate secret deletion"]')
+      .exists('the label for automate secret deletion renders.');
+    assert
+      .dom(FORM.ttlValue('Automate secret deletion'))
+      .doesNotExist('the toggle for secret deletion is not triggered.');
+  });
+
+  test('it displays previous inputs from metadata record and saves new values', async function (assert) {
+    assert.expect(5);
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.metadataModelEdit.backend, route: 'list' },
+      { label: this.metadataModelEdit.path, route: 'secret.details', model: this.metadataModelEdit.path },
+      { label: 'metadata' },
+    ];
+    await render(
+      hbs`
+      <Page::Secret::Metadata::Edit
+        @metadata={{this.metadataModelEdit}}
+        @breadcrumbs={{this.breadcrumbs}}
+        @onCancel={{this.onCancel}}
+        @onSave={{this.onSave}} />`,
+      {
+        owner: this.engine,
+      }
+    );
+    assert
+      .dom(FORM.kvRow)
+      .exists({ count: 4 }, 'renders all kv rows including previous data and one extra to fill out.');
+    assert
+      .dom(FORM.inputByAttr('maxVersions'))
+      .hasValue('15', 'renders Max versions that was on the record.');
+    assert
+      .dom(FORM.inputByAttr('casRequired'))
+      .hasValue('on', 'renders Required Check and Set that was on the record.');
+    assert
+      .dom(FORM.ttlValue('Automate secret deletion'))
+      .hasValue('12319', 'renders Automate secret deletion that was on the record.');
+
+    // change the "Additional option" values
+    await click(FORM.deleteRow()); // delete the first kv row
+    await fillIn(FORM.keyInput(2), 'last');
+    await fillIn(FORM.valueInput(2), 'value');
+    await fillIn(FORM.inputByAttr('maxVersions'), '8');
+    await click(FORM.inputByAttr('casRequired'));
+    await fillIn(FORM.ttlValue('Automate secret deletion'), '1000');
+    // save test and check record
+    this.server.post('/kv-engine/metadata/my-secret', (schema, req) => {
+      const data = JSON.parse(req.requestBody);
+      const expected = {
+        max_versions: 8,
+        cas_required: false,
+        delete_version_after: '1000s',
+        custom_metadata: {
+          baz: '5c07d823-3810-48f6-a147-4c06b5219e84',
+          foo: 'abc',
+          last: 'value',
+        },
+      };
+      assert.propEqual(data, expected, 'POST request made to save metadata with correct properties.');
+    });
+    await click(FORM.saveBtn);
+  });
+
+  test('it displays validation errors and does not save inputs on cancel', async function (assert) {
+    assert.expect(2);
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.metadataModelEdit.backend, route: 'list' },
+      { label: this.metadataModelEdit.path, route: 'secret.details', model: this.metadataModelEdit.path },
+      { label: 'metadata' },
+    ];
+    await render(
+      hbs`
+      <Page::Secret::Metadata::Edit
+        @metadata={{this.metadataModelEdit}}
+        @breadcrumbs={{this.breadcrumbs}}
+        @onCancel={{this.onCancel}}
+        @onSave={{this.onSave}} />`,
+      {
+        owner: this.engine,
+      }
+    );
+    // trigger validation error
+    await fillIn(FORM.inputByAttr('maxVersions'), 'a');
+    await click(FORM.saveBtn);
+    assert
+      .dom(FORM.inlineAlert)
+      .hasText('Maximum versions must be a number.', 'Validation message is shown for max_versions');
+
+    await click(FORM.cancelBtn);
+    assert.strictEqual(this.metadataModelEdit.maxVersions, 15, 'Model is rolled back on cancel.');
+  });
+
+  test('it shows an empty state if user does not have metadata update permissions', async function (assert) {
+    assert.expect(1);
+    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub('list'));
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.metadataModelEdit.backend, route: 'list' },
+      { label: this.metadataModelEdit.path, route: 'secret.details', model: this.metadataModelEdit.path },
+      { label: 'metadata' },
+    ];
+    await render(
+      hbs`
+      <Page::Secret::Metadata::Edit
+        @metadata={{this.metadataModelEdit}}
+        @breadcrumbs={{this.breadcrumbs}}
+        @onCancel={{this.onCancel}}
+        @onSave={{this.onSave}} />`,
+      {
+        owner: this.engine,
+      }
+    );
+    assert.dom(PAGE.emptyStateTitle).hasText('You do not have permissions to edit metadata');
+  });
+});
diff --git a/ui/tests/integration/components/kv/page/kv-page-secret-details-test.js b/ui/tests/integration/components/kv/page/kv-page-secret-details-test.js
new file mode 100644
index 0000000000..1520818eb5
--- /dev/null
+++ b/ui/tests/integration/components/kv/page/kv-page-secret-details-test.js
@@ -0,0 +1,174 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { click, find, render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { kvDataPath, kvMetadataPath } from 'vault/utils/kv-path';
+import { allowAllCapabilitiesStub } from 'vault/tests/helpers/stubs';
+import { FORM, PAGE, parseJsonEditor } from 'vault/tests/helpers/kv/kv-selectors';
+
+module('Integration | Component | kv-v2 | Page::Secret::Details', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
+
+  hooks.beforeEach(async function () {
+    this.store = this.owner.lookup('service:store');
+    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
+    this.backend = 'kv-engine';
+    this.path = 'my-secret';
+    this.version = 2;
+    this.dataId = kvDataPath(this.backend, this.path);
+    this.metadataId = kvMetadataPath(this.backend, this.path);
+
+    this.secretData = { foo: 'bar' };
+    this.store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: this.dataId,
+      secret_data: this.secretData,
+      created_time: '2023-07-20T02:12:17.379762Z',
+      custom_metadata: null,
+      deletion_time: '',
+      destroyed: false,
+      version: this.version,
+    });
+
+    const metadata = this.server.create('kv-metadatum');
+    metadata.id = this.metadataId;
+    this.store.pushPayload('kv/metadata', {
+      modelName: 'kv/metadata',
+      ...metadata,
+    });
+
+    this.metadata = this.store.peekRecord('kv/metadata', this.metadataId);
+    this.secret = this.store.peekRecord('kv/data', this.dataId);
+
+    // this is the route model, not an ember data model
+    this.model = {
+      backend: this.backend,
+      path: this.path,
+      secret: this.secret,
+      metadata: this.metadata,
+    };
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.model.backend, route: 'list' },
+      { label: this.model.path },
+    ];
+  });
+
+  test('it renders secret details and toggles json view', async function (assert) {
+    assert.expect(6);
+
+    await render(
+      hbs`
+       <Page::Secret::Details
+        @path={{this.model.path}}
+        @secret={{this.model.secret}}
+        @metadata={{this.model.metadata}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+
+    assert.dom(PAGE.title).includesText(this.model.path, 'renders secret path as page title');
+    assert.dom(PAGE.infoRowValue('foo')).exists('renders row for secret data');
+    assert.dom(PAGE.infoRowValue('foo')).hasText('***********');
+    await click(FORM.toggleMasked);
+    assert.dom(PAGE.infoRowValue('foo')).hasText('bar', 'renders secret value');
+    await click(FORM.toggleJson);
+    assert.propEqual(parseJsonEditor(find), this.secretData, 'json editor renders secret data');
+    assert
+      .dom(PAGE.detail.versionTimestamp)
+      .includesText(`Version ${this.version} created`, 'renders version and time created');
+  });
+
+  test('it renders deleted empty state', async function (assert) {
+    assert.expect(3);
+    this.secret.deletionTime = '2023-07-23T02:12:17.379762Z';
+    await render(
+      hbs`
+       <Page::Secret::Details
+        @path={{this.model.path}}
+        @secret={{this.model.secret}}
+        @metadata={{this.model.metadata}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+    assert.dom(PAGE.emptyStateTitle).hasText('Version 2 of this secret has been deleted');
+    assert
+      .dom(PAGE.emptyStateMessage)
+      .hasText(
+        'This version has been deleted but can be undeleted. View other versions of this secret by clicking the Version History tab above.'
+      );
+    assert
+      .dom(PAGE.detail.versionTimestamp)
+      .includesText(`Version ${this.version} deleted`, 'renders version and time deleted');
+  });
+
+  test('it renders destroyed empty state', async function (assert) {
+    assert.expect(2);
+    this.secret.destroyed = true;
+    await render(
+      hbs`
+       <Page::Secret::Details
+        @path={{this.model.path}}
+        @secret={{this.model.secret}}
+        @metadata={{this.model.metadata}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+    assert.dom(PAGE.emptyStateTitle).hasText('Version 2 of this secret has been permanently destroyed');
+    assert
+      .dom(PAGE.emptyStateMessage)
+      .hasText(
+        'A version that has been permanently deleted cannot be restored. You can view other versions of this secret in the Version History tab above.'
+      );
+  });
+
+  test('it renders secret version dropdown', async function (assert) {
+    assert.expect(9);
+
+    await render(
+      hbs`
+       <Page::Secret::Details
+        @path={{this.model.path}}
+        @secret={{this.model.secret}}
+        @metadata={{this.model.metadata}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+
+    assert.dom(PAGE.detail.versionTimestamp).includesText(this.version, 'renders version');
+    assert.dom(PAGE.detail.versionDropdown).hasText(`Version ${this.secret.version}`);
+    await click(PAGE.detail.versionDropdown);
+
+    for (const version in this.metadata.versions) {
+      const data = this.metadata.versions[version];
+      assert.dom(PAGE.detail.version(version)).exists(`renders ${version} in dropdown menu`);
+
+      if (data.destroyed || data.deletion_time) {
+        assert
+          .dom(`${PAGE.detail.version(version)} [data-test-icon="x-square-fill"]`)
+          .hasClass(`${data.destroyed ? 'has-text-danger' : 'has-text-grey'}`);
+      }
+    }
+
+    assert
+      .dom(`${PAGE.detail.version(this.metadata.currentVersion)} [data-test-icon="check-circle"]`)
+      .exists('renders current version icon');
+  });
+});
diff --git a/ui/tests/integration/components/kv/page/kv-page-secret-edit-test.js b/ui/tests/integration/components/kv/page/kv-page-secret-edit-test.js
new file mode 100644
index 0000000000..f40a0a8e47
--- /dev/null
+++ b/ui/tests/integration/components/kv/page/kv-page-secret-edit-test.js
@@ -0,0 +1,243 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { Response } from 'miragejs';
+import { hbs } from 'ember-cli-htmlbars';
+import { click, fillIn, render } from '@ember/test-helpers';
+import codemirror from 'vault/tests/helpers/codemirror';
+import { FORM } from 'vault/tests/helpers/kv/kv-selectors';
+import sinon from 'sinon';
+
+module('Integration | Component | kv-v2 | Page::Secret::Edit', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    this.store = this.owner.lookup('service:store');
+    this.router = this.owner.lookup('service:router');
+    this.transitionStub = sinon.stub(this.router, 'transitionTo');
+    this.backend = 'my-kv-engine';
+    this.path = 'my-secret';
+    this.secret = this.store.createRecord('kv/data', {
+      backend: this.backend,
+      path: this.path,
+      secretData: { foo: 'bar' },
+      casVersion: 1,
+    });
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.backend, route: 'list' },
+      { label: 'edit' },
+    ];
+  });
+
+  hooks.afterEach(function () {
+    this.router.transitionTo.restore();
+  });
+
+  test('it saves a new secret version', async function (assert) {
+    assert.expect(10);
+    this.server.post(`${this.backend}/data/${this.path}`, (schema, req) => {
+      assert.ok(true, 'Request made to save secret');
+      const payload = JSON.parse(req.requestBody);
+      assert.propEqual(payload, {
+        data: { foo: 'bar', foo2: 'bar2' },
+        options: { cas: 1 },
+      });
+      return {
+        request_id: 'bd76db73-605d-fcbc-0dad-d44a008f9b95',
+        data: {
+          created_time: '2023-07-28T18:47:32.924809Z',
+          custom_metadata: null,
+          deletion_time: '',
+          destroyed: false,
+          version: 2,
+        },
+      };
+    });
+
+    await render(
+      hbs`<Page::Secret::Edit
+  @secret={{this.secret}}
+  @previousVersion={{4}}
+  @currentVersion={{4}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>`,
+      { owner: this.engine }
+    );
+
+    assert.dom(FORM.inputByAttr('path')).isDisabled();
+    assert.dom(FORM.inputByAttr('path')).hasValue(this.path);
+    assert.dom(FORM.keyInput()).hasValue('foo');
+    assert.dom(FORM.maskedValueInput()).hasValue('bar');
+    assert.dom(FORM.dataInputLabel({ isJson: false })).hasText('Version data');
+    await click(FORM.toggleJson);
+    assert.strictEqual(
+      codemirror().getValue(' '),
+      `{   \"foo": \"bar" }`, // eslint-disable-line no-useless-escape
+      'json editor initializes with empty object'
+    );
+    assert.dom(FORM.dataInputLabel({ isJson: true })).hasText('Version data');
+    await click(FORM.toggleJson);
+    await fillIn(FORM.keyInput(1), 'foo2');
+    await fillIn(FORM.maskedValueInput(1), 'bar2');
+    await click(FORM.saveBtn);
+    assert.ok(
+      this.transitionStub.calledWith('vault.cluster.secrets.backend.kv.secret'),
+      'router transitions to parent secret route on save'
+    );
+  });
+
+  test('it saves nested secrets', async function (assert) {
+    assert.expect(3);
+    const nestedSecret = 'path/to/secret';
+    this.secret.path = nestedSecret;
+    this.server.post(`${this.backend}/data/${nestedSecret}`, (schema, req) => {
+      assert.ok(true, 'Request made to save secret');
+      const payload = JSON.parse(req.requestBody);
+      assert.propEqual(payload, {
+        data: { foo: 'bar' },
+        options: { cas: 1 },
+      });
+      return {
+        request_id: 'bd76db73-605d-fcbc-0dad-d44a008f9b95',
+        data: {
+          created_time: '2023-07-28T18:47:32.924809Z',
+          custom_metadata: null,
+          deletion_time: '',
+          destroyed: false,
+          version: 2,
+        },
+      };
+    });
+
+    await render(
+      hbs`<Page::Secret::Edit
+  @secret={{this.secret}}
+  @previousVersion={{4}}
+  @currentVersion={{4}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>`,
+      { owner: this.engine }
+    );
+
+    assert.dom(FORM.inputByAttr('path')).hasValue(nestedSecret);
+    await click(FORM.saveBtn);
+  });
+
+  test('it renders API errors', async function (assert) {
+    assert.expect(3);
+    this.server.post(`${this.backend}/data/${this.path}`, () => {
+      return new Response(500, {}, { errors: ['nope'] });
+    });
+
+    await render(
+      hbs`<Page::Secret::Edit
+  @secret={{this.secret}}
+  @previousVersion={{4}}
+  @currentVersion={{4}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>`,
+      { owner: this.engine }
+    );
+
+    await click(FORM.saveBtn);
+    assert.dom(FORM.messageError).hasText('Error nope', 'it renders API error');
+    assert.dom(FORM.inlineAlert).hasText('There was an error submitting this form.');
+    await click(FORM.cancelBtn);
+    assert.ok(
+      this.transitionStub.calledWith('vault.cluster.secrets.backend.kv.secret.details'),
+      'router transitions to details on cancel'
+    );
+  });
+
+  test('it renders kv secret validations', async function (assert) {
+    assert.expect(2);
+
+    await render(
+      hbs`<Page::Secret::Edit
+  @secret={{this.secret}}
+  @previousVersion={{4}}
+  @currentVersion={{4}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>`,
+      { owner: this.engine }
+    );
+
+    await click(FORM.toggleJson);
+    codemirror().setValue('i am a string and not JSON');
+    assert
+      .dom(FORM.inlineAlert)
+      .hasText('JSON is unparsable. Fix linting errors to avoid data discrepancies.');
+
+    codemirror().setValue(`""`);
+    await click(FORM.saveBtn);
+    assert.dom(FORM.inlineAlert).hasText('Vault expects data to be formatted as an JSON object.');
+  });
+
+  test('it toggles JSON view and saves modified data', async function (assert) {
+    assert.expect(4);
+
+    this.server.post(`${this.backend}/data/${this.path}`, (schema, req) => {
+      assert.ok(true, 'Request made to save secret');
+      const payload = JSON.parse(req.requestBody);
+      assert.propEqual(payload, {
+        data: { hello: 'there' },
+        options: { cas: 1 },
+      });
+      return {
+        request_id: 'bd76db73-605d-fcbc-0dad-d44a008f9b95',
+        data: {
+          created_time: '2023-07-28T18:47:32.924809Z',
+          custom_metadata: null,
+          deletion_time: '',
+          destroyed: false,
+          version: 2,
+        },
+      };
+    });
+
+    await render(
+      hbs`<Page::Secret::Edit
+  @secret={{this.secret}}
+  @previousVersion={{3}}
+  @currentVersion={{4}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>`,
+      { owner: this.engine }
+    );
+    assert.dom(FORM.dataInputLabel({ isJson: false })).hasText('Version data');
+    await click(FORM.toggleJson);
+    assert.dom(FORM.dataInputLabel({ isJson: true })).hasText('Version data');
+
+    codemirror().setValue(`{ "hello": "there"}`);
+    await click(FORM.saveBtn);
+  });
+
+  test('it renders alert when creating a new secret version from an old version', async function (assert) {
+    assert.expect(1);
+
+    await render(
+      hbs`<Page::Secret::Edit
+  @secret={{this.secret}}
+  @previousVersion={{1}}
+  @currentVersion={{4}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>`,
+      { owner: this.engine }
+    );
+
+    assert
+      .dom(FORM.versionAlert)
+      .hasText(
+        `Warning You are creating a new version based on data from Version 1. The current version for my-secret is Version 4.`
+      );
+  });
+});
diff --git a/ui/tests/integration/components/kv/page/kv-page-secrets-create-test.js b/ui/tests/integration/components/kv/page/kv-page-secrets-create-test.js
new file mode 100644
index 0000000000..6947737dae
--- /dev/null
+++ b/ui/tests/integration/components/kv/page/kv-page-secrets-create-test.js
@@ -0,0 +1,294 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { Response } from 'miragejs';
+import { hbs } from 'ember-cli-htmlbars';
+import { click, fillIn, findAll, render, typeIn } from '@ember/test-helpers';
+import codemirror from 'vault/tests/helpers/codemirror';
+import { FORM } from 'vault/tests/helpers/kv/kv-selectors';
+import sinon from 'sinon';
+
+module('Integration | Component | kv-v2 | Page::Secrets::Create', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    this.store = this.owner.lookup('service:store');
+    this.router = this.owner.lookup('service:router');
+    this.transitionStub = sinon.stub(this.router, 'transitionTo');
+    this.backend = 'my-kv-engine';
+    this.path = 'my-secret';
+    this.maxVersions = 10;
+    this.secret = this.store.createRecord('kv/data', { backend: this.backend, casVersion: 0 });
+    this.metadata = this.store.createRecord('kv/metadata', { backend: this.backend });
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.backend, route: 'list' },
+      { label: 'create' },
+    ];
+  });
+
+  hooks.afterEach(function () {
+    this.router.transitionTo.restore();
+  });
+
+  test('it saves secret data and metadata', async function (assert) {
+    assert.expect(5);
+    this.server.post(`${this.backend}/data/${this.path}`, (schema, req) => {
+      assert.ok(true, 'Request made to save secret');
+      const payload = JSON.parse(req.requestBody);
+      assert.propEqual(payload, {
+        data: { foo: 'bar' },
+        options: { cas: 0 },
+      });
+      return {
+        request_id: 'bd76db73-605d-fcbc-0dad-d44a008f9b95',
+        data: {
+          created_time: '2023-07-28T18:47:32.924809Z',
+          custom_metadata: null,
+          deletion_time: '',
+          destroyed: false,
+          version: 1,
+        },
+      };
+    });
+
+    this.server.post(`${this.backend}/metadata/${this.path}`, (schema, req) => {
+      assert.ok(true, 'Request made to save metadata');
+      const payload = JSON.parse(req.requestBody);
+      assert.propEqual(payload, {
+        cas_required: false,
+        custom_metadata: {
+          'my-custom': 'metadata',
+        },
+        delete_version_after: '0s',
+        max_versions: 10,
+      });
+    });
+
+    await render(
+      hbs`<Page::Secrets::Create
+  @secret={{this.secret}}
+  @metadata={{this.metadata}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>`,
+      { owner: this.engine }
+    );
+
+    await fillIn(FORM.inputByAttr('path'), this.path);
+    await fillIn(FORM.keyInput(), 'foo');
+    await fillIn(FORM.maskedValueInput(), 'bar');
+
+    await click(FORM.toggleMetadata);
+    await fillIn(`[data-test-field="customMetadata"] ${FORM.keyInput()}`, 'my-custom');
+    await fillIn(`[data-test-field="customMetadata"] ${FORM.valueInput()}`, 'metadata');
+    await fillIn(FORM.inputByAttr('maxVersions'), this.maxVersions);
+
+    await click(FORM.saveBtn);
+
+    assert.ok(
+      this.transitionStub.calledWith('vault.cluster.secrets.backend.kv.secret.details'),
+      'router transitions to secret details route on save'
+    );
+  });
+
+  test('it does not send request to save secret metadata if fields are unchanged', async function (assert) {
+    // this test contains two assertions, but only expects one because a request to kv/metadata
+    // should NOT happen if its form inputs have not been edited
+    assert.expect(1);
+    this.server.post(`${this.backend}/data/${this.path}`, () => {
+      assert.ok(true, 'Request only made to save secret');
+      return {
+        request_id: 'bd76db73-605d-fcbc-0dad-d44a008f9b95',
+        data: {
+          created_time: '2023-07-28T18:47:32.924809Z',
+          custom_metadata: null,
+          deletion_time: '',
+          destroyed: false,
+          version: 1,
+        },
+      };
+    });
+
+    this.server.post(`${this.backend}/metadata/${this.path}`, () => {
+      // this assertion should not be hit!!
+      assert.notOk(true, 'Request should not be made to save metadata');
+      return new Response(403, {}, { errors: ['This request should not have been made'] });
+    });
+
+    await render(
+      hbs`<Page::Secrets::Create
+  @secret={{this.secret}}
+  @metadata={{this.metadata}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>`,
+      { owner: this.engine }
+    );
+
+    await fillIn(FORM.inputByAttr('path'), this.path);
+    await fillIn(FORM.keyInput(), 'foo');
+    await fillIn(FORM.maskedValueInput(), 'bar');
+    await click(FORM.saveBtn);
+  });
+
+  test('it saves nested secrets', async function (assert) {
+    assert.expect(3);
+    const pathToSecret = 'path/to/secret/';
+    this.secret.path = pathToSecret;
+    this.server.post(`${this.backend}/data/${pathToSecret + this.path}`, (schema, req) => {
+      assert.ok(true, 'Request made to save secret');
+      const payload = JSON.parse(req.requestBody);
+      assert.propEqual(payload, {
+        data: { foo: 'bar' },
+        options: { cas: 0 },
+      });
+      return {
+        request_id: 'bd76db73-605d-fcbc-0dad-d44a008f9b95',
+        data: {
+          created_time: '2023-07-28T18:47:32.924809Z',
+          custom_metadata: null,
+          deletion_time: '',
+          destroyed: false,
+          version: 1,
+        },
+      };
+    });
+
+    await render(
+      hbs`<Page::Secrets::Create
+  @secret={{this.secret}}
+  @metadata={{this.metadata}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>`,
+      { owner: this.engine }
+    );
+
+    assert.dom(FORM.inputByAttr('path')).hasValue(pathToSecret);
+    await typeIn(FORM.inputByAttr('path'), this.path);
+    await fillIn(FORM.keyInput(), 'foo');
+    await fillIn(FORM.maskedValueInput(), 'bar');
+    await click(FORM.saveBtn);
+  });
+
+  test('it renders API errors', async function (assert) {
+    // this test contains an extra assertion because a request to kv/metadata
+    // should NOT happen if kv/data fails
+    assert.expect(3);
+    this.server.post(`${this.backend}/data/${this.path}`, () => {
+      return new Response(500, {}, { errors: ['nope'] });
+    });
+
+    this.server.post(`${this.backend}/metadata/${this.path}`, () => {
+      // this assertion should not be hit because the request to save secret data failed!!
+      assert.ok(true, 'Request made to save metadata');
+      return new Response(403, {}, { errors: ['This request should not have been made'] });
+    });
+
+    await render(
+      hbs`<Page::Secrets::Create
+  @secret={{this.secret}}
+  @metadata={{this.metadata}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>`,
+      { owner: this.engine }
+    );
+
+    await fillIn(FORM.inputByAttr('path'), this.path);
+    await click(FORM.saveBtn);
+    assert.dom(FORM.messageError).hasText('Error nope', 'it renders API error');
+    assert.dom(FORM.inlineAlert).hasText('There was an error submitting this form.');
+    await click(FORM.cancelBtn);
+    assert.ok(
+      this.transitionStub.calledWith('vault.cluster.secrets.backend.kv.list'),
+      'router transitions to secret list route on cancel'
+    );
+  });
+
+  test('it renders kv secret validations', async function (assert) {
+    assert.expect(6);
+
+    await render(
+      hbs`<Page::Secrets::Create
+  @secret={{this.secret}}
+  @metadata={{this.metadata}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>`,
+      { owner: this.engine }
+    );
+
+    await typeIn(FORM.inputByAttr('path'), 'space ');
+    assert
+      .dom(FORM.validation('path'))
+      .hasText(
+        `Path contains whitespace. If this is desired, you'll need to encode it with %20 in API requests.`
+      );
+
+    await fillIn(FORM.inputByAttr('path'), ''); // clear input
+    await typeIn(FORM.inputByAttr('path'), 'slash/');
+    assert.dom(FORM.validation('path')).hasText(`Path can't end in forward slash '/'.`);
+
+    await typeIn(FORM.inputByAttr('path'), 'secret');
+    assert
+      .dom(FORM.validation('path'))
+      .doesNotExist('it removes validation on key up when secret contains slash but does not end in one');
+
+    await click(FORM.toggleJson);
+    codemirror().setValue('i am a string and not JSON');
+    assert
+      .dom(FORM.inlineAlert)
+      .hasText('JSON is unparsable. Fix linting errors to avoid data discrepancies.');
+
+    codemirror().setValue('{}'); // clear linting error
+    await fillIn(FORM.inputByAttr('path'), '');
+    await click(FORM.saveBtn);
+    const [pathValidation, formAlert] = findAll(FORM.inlineAlert);
+    assert.dom(pathValidation).hasText(`Path can't be blank.`);
+    assert.dom(formAlert).hasText('There is an error with this form.');
+  });
+
+  test('it toggles JSON view and saves modified data', async function (assert) {
+    assert.expect(4);
+    this.server.post(`${this.backend}/data/${this.path}`, (schema, req) => {
+      assert.ok(true, 'Request made to save secret');
+      const payload = JSON.parse(req.requestBody);
+      assert.propEqual(payload, {
+        data: { hello: 'there' },
+        options: { cas: 0 },
+      });
+      return {
+        request_id: 'bd76db73-605d-fcbc-0dad-d44a008f9b95',
+        data: {
+          created_time: '2023-07-28T18:47:32.924809Z',
+          custom_metadata: null,
+          deletion_time: '',
+          destroyed: false,
+          version: 1,
+        },
+      };
+    });
+
+    await render(
+      hbs`<Page::Secrets::Create
+  @secret={{this.secret}}
+  @metadata={{this.metadata}}
+  @breadcrumbs={{this.breadcrumbs}}
+/>`,
+      { owner: this.engine }
+    );
+
+    assert.dom(FORM.dataInputLabel({ isJson: false })).hasText('Secret data');
+    await click(FORM.toggleJson);
+    assert.dom(FORM.dataInputLabel({ isJson: true })).hasText('Secret data');
+
+    codemirror().setValue(`{ "hello": "there"}`);
+    await fillIn(FORM.inputByAttr('path'), this.path);
+    await click(FORM.saveBtn);
+  });
+});
diff --git a/ui/tests/integration/components/kv/page/kv-page-version-diff-test.js b/ui/tests/integration/components/kv/page/kv-page-version-diff-test.js
new file mode 100644
index 0000000000..33c34a9d1e
--- /dev/null
+++ b/ui/tests/integration/components/kv/page/kv-page-version-diff-test.js
@@ -0,0 +1,125 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { click, render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { kvMetadataPath, kvDataPath } from 'vault/utils/kv-path';
+import { PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+import { allowAllCapabilitiesStub } from 'vault/tests/helpers/stubs';
+import { encodePath } from 'vault/utils/path-encoding-helpers';
+
+const EXAMPLE_KV_DATA_GET_RESPONSE = {
+  request_id: 'foobar',
+  data: {
+    data: { hello: 'world' },
+    metadata: {
+      created_time: '2023-06-20T21:26:47.592306Z',
+      custom_metadata: null,
+      deletion_time: '',
+      destroyed: false,
+      version: 1,
+    },
+  },
+};
+
+module('Integration | Component | kv | Page::Secret::Metadata::Version-Diff', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
+
+  hooks.beforeEach(async function () {
+    const store = this.owner.lookup('service:store');
+    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
+    const metadata = this.server.create('kv-metadatum');
+
+    metadata.id = kvMetadataPath('kv-engine', 'my-secret');
+    store.pushPayload('kv/metadata', {
+      modelName: 'kv/metadata',
+      ...metadata,
+    });
+    this.metadata = store.peekRecord('kv/metadata', metadata.id);
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.metadata.backend, route: 'list' },
+      { label: this.metadata.path, route: 'secret.details', model: this.metadata.path },
+      { label: 'version diff' },
+    ];
+
+    // compare version 4
+    const dataId = kvDataPath('kv-engine', 'my-secret', 4);
+    store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: dataId,
+      secret_data: { foo: 'bar' },
+      created_time: '2023-07-20T02:12:17.379762Z',
+      custom_metadata: null,
+      deletion_time: '',
+      destroyed: false,
+      version: 4,
+    });
+
+    this.endpoint = `${encodePath('kv-engine')}/data/${'my-secret'}`;
+  });
+
+  test('it renders compared data of the two versions and shows icons for deleted, destroyed and current', async function (assert) {
+    assert.expect(12);
+    this.server.get(this.endpoint, (schema, req) => {
+      assert.ok('request made to the correct endpoint.');
+      assert.strictEqual(
+        req.queryParams.version,
+        '1',
+        'request includes the version flag on queryRecord and correctly only queries for the record not in the store, which is retrieved by peekRecord.'
+      );
+      return EXAMPLE_KV_DATA_GET_RESPONSE;
+    });
+
+    await render(
+      hbs`
+       <Page::Secret::Metadata::VersionDiff
+        @metadata={{this.metadata}} 
+        @path={{this.metadata.path}}
+        @backend={{this.metadata.backend}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+    /* eslint-disable no-useless-escape */
+    assert
+      .dom('[data-test-visual-diff]')
+      .hasText(
+        `foo"bar"\hello"world"`,
+        'correctly pull in the data from version 4 and compared to version 1.'
+      );
+    assert
+      .dom('[data-test-version-dropdown-left]')
+      .hasText('Version 4', 'shows the current version for the left side default version.');
+    assert
+      .dom('[data-test-version-dropdown-right]')
+      .hasText(
+        'Version 1',
+        'shows the first version that is not deleted or destroyed for the right version on init.'
+      );
+
+    await click('[data-test-version-dropdown-right]');
+    for (const version in this.metadata.versions) {
+      const data = this.metadata.versions[version];
+      assert.dom(PAGE.versions.button(version)).exists('renders the button for each version.');
+
+      if (data.destroyed || data.deletion_time) {
+        assert
+          .dom(`${PAGE.versions.button(version)} [data-test-icon="x-square-fill"]`)
+          .hasClass(`${data.destroyed ? 'has-text-danger' : 'has-text-grey'}`);
+      }
+    }
+    assert
+      .dom(`${PAGE.versions.button('1')}`)
+      .hasClass('is-active', 'correctly shows the selected version 1 as active giving it text blue.');
+  });
+});
diff --git a/ui/tests/integration/components/kv/page/kv-page-version-history-test.js b/ui/tests/integration/components/kv/page/kv-page-version-history-test.js
new file mode 100644
index 0000000000..d11dc61e02
--- /dev/null
+++ b/ui/tests/integration/components/kv/page/kv-page-version-history-test.js
@@ -0,0 +1,96 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'ember-qunit';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { click, render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { kvMetadataPath } from 'vault/utils/kv-path';
+import { PAGE } from 'vault/tests/helpers/kv/kv-selectors';
+import { allowAllCapabilitiesStub } from 'vault/tests/helpers/stubs';
+
+module('Integration | Component | kv | Page::Secret::Metadata::Version-History', function (hooks) {
+  setupRenderingTest(hooks);
+  setupEngine(hooks, 'kv');
+  setupMirage(hooks);
+
+  hooks.beforeEach(async function () {
+    const store = this.owner.lookup('service:store');
+    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
+    const metadata = this.server.create('kv-metadatum');
+    // we want to test a scenario where the current version is also destroyed so there are two icons.
+    // we override the mirage factory to account for this use case.
+    metadata.data.versions[4] = {
+      created_time: '2023-07-21T03:11:58.095971Z',
+      deletion_time: '',
+      destroyed: true,
+    };
+    metadata.id = kvMetadataPath('kv-engine', 'my-secret');
+    store.pushPayload('kv/metadatum', {
+      modelName: 'kv/metadata',
+      ...metadata,
+    });
+    this.metadata = store.peekRecord('kv/metadata', metadata.id);
+    this.breadcrumbs = [
+      { label: 'secrets', route: 'secrets', linkExternal: true },
+      { label: this.metadata.backend, route: 'list' },
+      { label: this.metadata.path, route: 'secret.details', model: this.metadata.path },
+      { label: 'version history' },
+    ];
+  });
+
+  test('it renders version history and shows icons for deleted, destroyed and current', async function (assert) {
+    assert.expect(7); // 4 linked blocks, 2 destroyed, 1 deleted.
+
+    await render(
+      hbs`
+       <Page::Secret::Metadata::VersionHistory
+        @path={{this.metadata.path}}
+        @metadata={{this.metadata}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+
+    for (const version in this.metadata.versions) {
+      const data = this.metadata.versions[version];
+      assert.dom(PAGE.versions.linkedBlock(version)).exists(`renders the linked blocks for each version`);
+
+      if (data.destroyed) {
+        assert
+          .dom(`${PAGE.versions.icon(version)} [data-test-icon="x-square-fill"]`)
+          .hasStyle({ color: 'rgb(199, 52, 69)' });
+      }
+      if (data.deletion_time) {
+        assert
+          .dom(`${PAGE.versions.icon(version)} [data-test-icon="x-square-fill"]`)
+          .hasStyle({ color: 'rgb(111, 118, 130)' });
+      }
+    }
+  });
+
+  test('it gives the option to create a new version from a secret from the popup menu', async function (assert) {
+    assert.expect(1);
+    await render(
+      hbs`
+       <Page::Secret::Metadata::VersionHistory
+        @path={{this.metadata.path}}
+        @metadata={{this.metadata}}
+        @breadcrumbs={{this.breadcrumbs}}
+      />
+      `,
+      { owner: this.engine }
+    );
+    // because the popup menu is nested in a linked block we must combine the two selectors
+    const popupSelector = `${PAGE.versions.linkedBlock(2)} ${PAGE.popup}`;
+    await click(popupSelector);
+    assert
+      .dom('[data-test-create-new-version-from="2"]')
+      .exists('Shows the option to create a new version from that secret.');
+  });
+});
diff --git a/ui/tests/pages/components/console/ui-panel.js b/ui/tests/pages/components/console/ui-panel.js
index b53083288d..ed67c471bf 100644
--- a/ui/tests/pages/components/console/ui-panel.js
+++ b/ui/tests/pages/components/console/ui-panel.js
@@ -7,7 +7,7 @@ import { text, triggerable, clickable, collection, fillable, value, isPresent }
 import { getter } from 'ember-cli-page-object/macros';
 import { settled } from '@ember/test-helpers';
 
-import keys from 'vault/lib/keycodes';
+import keys from 'core/utils/key-codes';
 
 export default {
   toggle: clickable('[data-test-console-toggle]'),
diff --git a/ui/tests/unit/adapters/kv/data-test.js b/ui/tests/unit/adapters/kv/data-test.js
new file mode 100644
index 0000000000..c153cf9fd8
--- /dev/null
+++ b/ui/tests/unit/adapters/kv/data-test.js
@@ -0,0 +1,367 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupTest } from 'ember-qunit';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { kvDataPath } from 'vault/utils/kv-path';
+import { encodePath } from 'vault/utils/path-encoding-helpers';
+import { Response } from 'miragejs';
+
+const EXAMPLE_KV_DATA_CREATE_RESPONSE = {
+  request_id: 'foobar',
+  data: {
+    created_time: '2023-06-21T16:18:31.479993Z',
+    custom_metadata: null,
+    deletion_time: '',
+    destroyed: false,
+    version: 1,
+  },
+};
+
+const EXAMPLE_KV_DATA_GET_RESPONSE = {
+  request_id: 'foobar',
+  data: {
+    data: { foo: 'bar' },
+    metadata: {
+      created_time: '2023-06-20T21:26:47.592306Z',
+      custom_metadata: null,
+      deletion_time: '',
+      destroyed: false,
+      version: 2,
+    },
+  },
+};
+
+const EXAMPLE_CONTROL_GROUP_RESPONSE = {
+  data: null,
+  wrap_info: {
+    token: 'hvs.kQC7bJuXHBhXHmkOrD2s2uyD',
+    accessor: 'S6RoG8QpScWlBrF8AodC1nFi',
+    ttl: 86400,
+    creation_time: '2023-08-09T16:08:06-05:00',
+    creation_path: 'some/path/here',
+  },
+};
+
+const EXAMPLE_KV_DATA_DESTROYED = {
+  data: {
+    data: null,
+    metadata: {
+      created_time: '2023-08-09T20:10:24.4825Z',
+      custom_metadata: null,
+      deletion_time: '',
+      destroyed: true,
+      version: 2,
+    },
+  },
+};
+
+const EXAMPLE_KV_DATA_DELETED = {
+  data: {
+    data: null,
+    metadata: {
+      created_time: '2023-08-09T20:10:24.571332Z',
+      custom_metadata: null,
+      deletion_time: '2023-08-09T20:10:24.70176Z',
+      destroyed: false,
+      version: 2,
+    },
+  },
+};
+
+module('Unit | Adapter | kv/data', function (hooks) {
+  setupTest(hooks);
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    this.store = this.owner.lookup('service:store');
+    this.version = this.owner.lookup('service:version');
+    this.version.version = 'example+ent'; // Required for testing control-group flow
+    this.secretMountPath = this.owner.lookup('service:secret-mount-path');
+    this.backend = 'my/kv-back&end';
+    this.secretMountPath.currentPath = this.backend;
+    this.path = 'beep/bop/my secret';
+    this.version = '2';
+    this.id = kvDataPath(this.backend, this.path, this.version);
+    this.data = {
+      options: {
+        cas: 2,
+      },
+      data: {
+        foo: 'bar',
+      },
+    };
+    this.payload = {
+      backend: this.backend,
+      path: this.path,
+      version: 2,
+    };
+    this.endpoint = (noun) => `${encodePath(this.backend)}/${noun}/${encodePath(this.path)}`;
+  });
+
+  test('it should make request to correct endpoint on createRecord', async function (assert) {
+    assert.expect(8);
+    this.server.post(this.endpoint('data'), (schema, req) => {
+      assert.ok('POST request made to correct endpoint when creating new record');
+      const body = JSON.parse(req.requestBody);
+      assert.deepEqual(body, {
+        data: {
+          foo: 'bar',
+        },
+        options: {
+          cas: 0,
+        },
+      });
+      return EXAMPLE_KV_DATA_CREATE_RESPONSE;
+    });
+    const record = this.store.createRecord('kv/data', {
+      backend: this.backend,
+      path: this.path,
+      secretData: { foo: 'bar' },
+      casVersion: 0,
+    });
+    await record.save();
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.version, 1, 'record has correct version');
+    assert.deepEqual(record.secretData, { foo: 'bar' }, 'record has correct data');
+    assert.strictEqual(record.createdTime, '2023-06-21T16:18:31.479993Z', 'record has correct createdTime');
+    assert.strictEqual(
+      record.id,
+      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=1`,
+      'record has correct id'
+    );
+  });
+
+  test('it should not send cas if casVersion is not a number', async function (assert) {
+    assert.expect(8);
+    this.server.post(this.endpoint('data'), (schema, req) => {
+      assert.ok('POST request made to correct endpoint when creating new record');
+      const body = JSON.parse(req.requestBody);
+      assert.deepEqual(body, {
+        data: {
+          foo: 'bar',
+        },
+      });
+      return EXAMPLE_KV_DATA_CREATE_RESPONSE;
+    });
+    const record = this.store.createRecord('kv/data', {
+      backend: this.backend,
+      path: this.path,
+      secretData: { foo: 'bar' },
+    });
+    await record.save();
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.version, 1, 'record has correct version');
+    assert.deepEqual(record.secretData, { foo: 'bar' }, 'record has correct data');
+    assert.strictEqual(record.createdTime, '2023-06-21T16:18:31.479993Z', 'record has correct createdTime');
+    assert.strictEqual(
+      record.id,
+      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=1`,
+      'record has correct id'
+    );
+  });
+
+  test('it should make request to correct endpoint on queryRecord', async function (assert) {
+    assert.expect(8);
+    this.server.get(this.endpoint('data'), (schema, req) => {
+      assert.ok(true, 'request is made to correct url on queryRecord.');
+      assert.strictEqual(
+        req.queryParams.version,
+        this.version,
+        'request includes the version flag on queryRecord.'
+      );
+      return EXAMPLE_KV_DATA_GET_RESPONSE;
+    });
+
+    const record = await this.store.queryRecord('kv/data', this.payload);
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.version, 2, 'record has correct version');
+    assert.deepEqual(record.secretData, { foo: 'bar' }, 'record has correct data');
+    assert.strictEqual(record.createdTime, '2023-06-20T21:26:47.592306Z', 'record has correct createdTime');
+    assert.strictEqual(
+      record.id,
+      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=${this.version}`,
+      'record has correct id'
+    );
+  });
+
+  test('it should handle a 404 not found response properly', async function (assert) {
+    assert.expect(1);
+    this.server.get(this.endpoint('data'), () => {
+      // This is what the API currently returns for not found
+      return new Response(404, {}, { errors: [] });
+    });
+
+    try {
+      await this.store.queryRecord('kv/data', this.payload);
+    } catch (e) {
+      assert.ok('throws the error');
+    }
+  });
+
+  test('it should handle a 403 permission denied properly', async function (assert) {
+    assert.expect(8);
+    this.server.get(this.endpoint('data'), (schema, req) => {
+      assert.ok(true, 'request is made to correct url on queryRecord.');
+      assert.strictEqual(
+        req.queryParams.version,
+        this.version,
+        'request includes the version flag on queryRecord.'
+      );
+      return new Response(403, {}, { errors: ['1 error occurred:\n\t* permission denied\n\n'] });
+    });
+
+    const record = await this.store.queryRecord('kv/data', this.payload);
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.version, 2, 'record has version based on request');
+    assert.strictEqual(record.secretData, undefined, 'record does not include data');
+    assert.strictEqual(record.failReadErrorCode, 403, 'record has error response recorded');
+    assert.strictEqual(
+      record.id,
+      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=${this.version}`,
+      'record has correct id'
+    );
+  });
+
+  test('it should handle a soft-deleted version properly', async function (assert) {
+    this.server.get(this.endpoint('data'), () => {
+      return new Response(404, {}, EXAMPLE_KV_DATA_DELETED);
+    });
+
+    const record = await this.store.queryRecord('kv/data', this.payload);
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.version, 2, 'record has version based on request');
+    assert.strictEqual(record.deletionTime, '2023-08-09T20:10:24.70176Z', 'record includes deletion time');
+    assert.strictEqual(record.failReadErrorCode, undefined, 'record does not have failed error code');
+    assert.strictEqual(
+      record.id,
+      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=${this.version}`,
+      'record has correct id'
+    );
+  });
+
+  test('it should handle a destroyed version properly', async function (assert) {
+    this.server.get(this.endpoint('data'), () => {
+      return new Response(404, {}, EXAMPLE_KV_DATA_DESTROYED);
+    });
+
+    const record = await this.store.queryRecord('kv/data', this.payload);
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.version, 2, 'record has version based on request');
+    assert.true(record.destroyed, 'record has destroyed value');
+    assert.strictEqual(record.failReadErrorCode, undefined, 'record does not have error code');
+    assert.strictEqual(
+      record.id,
+      `${encodePath(this.backend)}/data/${encodePath(this.path)}?version=${this.version}`,
+      'record has correct id'
+    );
+  });
+
+  test('it should handle a control group response properly', async function (assert) {
+    assert.expect(1);
+    this.server.get(this.endpoint('data'), () => {
+      return EXAMPLE_CONTROL_GROUP_RESPONSE;
+    });
+
+    try {
+      await this.store.queryRecord('kv/data', this.payload);
+    } catch (e) {
+      assert.ok('throws the error');
+    }
+  });
+
+  test('it should make request to correct endpoint on delete latest version', async function (assert) {
+    assert.expect(3);
+    this.server.delete(this.endpoint('data'), () => {
+      assert.ok(true, 'request made to correct endpoint on delete latest version.');
+      return new Response(204);
+    });
+
+    this.store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: this.id,
+      ...this.payload,
+    });
+    let record = await this.store.peekRecord('kv/data', this.id);
+    await record.destroyRecord({ adapterOptions: { deleteType: 'delete-latest-version' } });
+    assert.true(record.isDeleted, 'record is deleted');
+    record = await this.store.peekRecord('kv/data', this.id);
+    assert.strictEqual(record, null, 'record is no longer in store');
+  });
+
+  test('it should make request to correct endpoint on delete specific versions', async function (assert) {
+    assert.expect(4);
+    this.server.post(this.endpoint('delete'), (schema, req) => {
+      const { versions } = JSON.parse(req.requestBody);
+      assert.strictEqual(versions, 2, 'version array is sent in the payload.');
+      assert.ok(true, 'request made to correct endpoint on delete specific version.');
+    });
+
+    this.store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: this.id,
+      ...this.payload,
+    });
+    let record = await this.store.peekRecord('kv/data', this.id);
+    await record.destroyRecord({
+      adapterOptions: { deleteType: 'delete-version', deleteVersions: 2 },
+    });
+    assert.true(record.isDeleted, 'record is deleted');
+    record = await this.store.peekRecord('kv/data', this.id);
+    assert.strictEqual(record, null, 'record is no longer in store');
+  });
+
+  test('it should make request to correct endpoint on undelete', async function (assert) {
+    assert.expect(4);
+    this.server.post(`${this.backend}/undelete/${this.path}`, (schema, req) => {
+      const { versions } = JSON.parse(req.requestBody);
+      assert.strictEqual(versions, 2, 'version array is sent in the payload.');
+      assert.ok(true, 'request made to correct endpoint on undelete specific version.');
+    });
+
+    this.store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: this.id,
+      ...this.payload,
+    });
+    let record = await this.store.peekRecord('kv/data', this.id);
+
+    await record.destroyRecord({
+      adapterOptions: { deleteType: 'undelete', deleteVersions: 2 },
+    });
+    assert.true(record.isDeleted, 'record is deleted');
+    record = await this.store.peekRecord('kv/data', this.id);
+    assert.strictEqual(record, null, 'record is no longer in store');
+  });
+
+  test('it should make request to correct endpoint on destroy specific versions', async function (assert) {
+    assert.expect(4);
+    this.server.put(`${encodePath(this.backend)}/destroy/${encodePath(this.path)}`, (schema, req) => {
+      const { versions } = JSON.parse(req.requestBody);
+      assert.strictEqual(versions, 2, 'version array is sent in the payload.');
+      assert.ok(true, 'request made to correct endpoint on destroy specific version.');
+    });
+
+    this.store.pushPayload('kv/data', {
+      modelName: 'kv/data',
+      id: this.id,
+      ...this.payload,
+    });
+    let record = await this.store.peekRecord('kv/data', this.id);
+    await record.destroyRecord({
+      adapterOptions: { deleteType: 'destroy', deleteVersions: 2 },
+    });
+    assert.true(record.isDeleted, 'record is deleted');
+    record = await this.store.peekRecord('kv/data', this.id);
+    assert.strictEqual(record, null, 'record is no longer in store');
+  });
+});
diff --git a/ui/tests/unit/adapters/kv/metadata-test.js b/ui/tests/unit/adapters/kv/metadata-test.js
new file mode 100644
index 0000000000..d40690cf95
--- /dev/null
+++ b/ui/tests/unit/adapters/kv/metadata-test.js
@@ -0,0 +1,161 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupTest } from 'ember-qunit';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { kvMetadataPath } from 'vault/utils/kv-path';
+import { Response } from 'miragejs';
+
+const EXAMPLE_KV_METADATA_GET_RESPONSE = {
+  request_id: 'foobar',
+  data: {
+    cas_required: true,
+    created_time: 'created-time',
+    current_version: 2,
+    custom_metadata: { application: 'staging' },
+    delete_version_after: '0s',
+    max_versions: 10,
+    oldest_version: 0, // TODO: is this a bug? payload from real API
+    updated_time: 'updated-time',
+    versions: {
+      1: {
+        created_time: 'created-time',
+        deletion_time: 'deletion-time',
+        destroyed: false,
+      },
+      2: { created_time: 'created-time', deletion_time: '', destroyed: false },
+    },
+  },
+};
+
+module('Unit | Adapter | kv/metadata', function (hooks) {
+  setupTest(hooks);
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    this.store = this.owner.lookup('service:store');
+    this.secretMountPath = this.owner.lookup('service:secret-mount-path');
+    this.backend = 'some/kv-back&end';
+    this.secretMountPath.currentPath = this.backend;
+    this.path = 'beep/bop my/secret';
+    this.id = kvMetadataPath(this.backend, this.path);
+    this.data = {
+      options: {
+        cas: 2,
+      },
+      data: {
+        foo: 'bar',
+      },
+    };
+    this.payload = {
+      max_versions: 2,
+      cas_required: false,
+      delete_version_after: '0s',
+      custom_metadata: {
+        admin: 'bob',
+      },
+    };
+    this.endpoint = kvMetadataPath(this.backend, this.path);
+  });
+
+  test('it should make request to correct endpoint on createRecord', async function (assert) {
+    assert.expect(10);
+    const recordData = {
+      backend: this.backend,
+      path: this.path,
+      deleteVersionAfter: '45h',
+      customMetadata: { application: 'staging' },
+      oldestVersion: 4,
+      currentVersion: 6,
+      createdTime: 'created',
+      updatedTime: 'updated',
+      versions: {
+        1: {
+          created_time: 'created-time',
+          deletion_time: 'deletion-time',
+          destroyed: false,
+        },
+        2: {
+          created_time: 'created-time',
+          deletion_time: '',
+          destroyed: false,
+        },
+      },
+    };
+    const expectedBody = {
+      max_versions: 0,
+      delete_version_after: '45h',
+      cas_required: false,
+      custom_metadata: { application: 'staging' },
+    };
+    this.server.post(this.endpoint, (schema, req) => {
+      const body = JSON.parse(req.requestBody);
+      assert.ok('POST request made to correct endpoint when creating new record');
+      assert.propEqual(body, expectedBody, 'POST request has correct body');
+      return new Response(204);
+    });
+    const record = this.store.createRecord('kv/metadata', recordData);
+    await record.save();
+    assert.strictEqual(record.id, this.id, 'record has correct id');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.maxVersions, 0, 'record has default maxVersions');
+    assert.false(record.casRequired, 'record has correct casRequired');
+    assert.strictEqual(record.deleteVersionAfter, '45h', 'record has correct deleteVersionAfter');
+    assert.deepEqual(record.customMetadata, { application: 'staging' }, 'record has correct customMetadata');
+    assert.deepEqual(
+      record.versions,
+      EXAMPLE_KV_METADATA_GET_RESPONSE.data.versions,
+      'record has correct versions data'
+    );
+  });
+
+  test('it should make request to correct endpoint on queryRecord', async function (assert) {
+    assert.expect(13);
+    this.server.get(this.endpoint, () => {
+      assert.ok(true, 'request is made to correct url on queryRecord.');
+      return EXAMPLE_KV_METADATA_GET_RESPONSE;
+    });
+
+    const record = await this.store.queryRecord('kv/metadata', { backend: this.backend, path: this.path });
+    assert.strictEqual(record.id, this.id, 'record has correct id');
+    assert.strictEqual(record.backend, this.backend, 'record has correct backend');
+    assert.strictEqual(record.path, this.path, 'record has correct path');
+    assert.strictEqual(record.maxVersions, 10, 'record has correct maxVersions');
+    assert.true(record.casRequired, 'record has correct casRequired');
+    assert.strictEqual(record.deleteVersionAfter, '0s', 'record has correct deleteVersionAfter');
+    assert.deepEqual(record.customMetadata, { application: 'staging' }, 'record has correct customMetadata');
+    assert.strictEqual(record.createdTime, 'created-time', 'record has correct createdTime');
+    assert.strictEqual(record.currentVersion, 2, 'record has correct currentVersion');
+    assert.strictEqual(record.oldestVersion, 0, 'record has correct oldestVersion');
+    assert.strictEqual(record.updatedTime, 'updated-time', 'record has correct updatedTime');
+    assert.deepEqual(
+      record.versions,
+      EXAMPLE_KV_METADATA_GET_RESPONSE.data.versions,
+      'record has correct versions data'
+    );
+  });
+
+  test('it should make request to correct endpoint on delete metadata', async function (assert) {
+    assert.expect(3);
+    const data = this.server.create('kv-metadatum');
+    data.id = kvMetadataPath('kv-engine', 'my-secret');
+    this.store.pushPayload('kv/metadata', {
+      modelName: 'kv/metadata',
+      ...data,
+    });
+    this.server.delete(kvMetadataPath('kv-engine', 'my-secret'), () => {
+      assert.ok(true, 'request made to correct endpoint on delete metadata.');
+    });
+
+    let record = await this.store.peekRecord('kv/metadata', data.id);
+
+    await record.destroyRecord();
+    assert.true(record.isDestroyed, 'record is destroyed');
+    record = await this.store.peekRecord('kv/metadata', this.id);
+    assert.strictEqual(record, null, 'record is no longer in store');
+  });
+});
diff --git a/ui/tests/unit/serializers/kv/data-test.js b/ui/tests/unit/serializers/kv/data-test.js
new file mode 100644
index 0000000000..2f3c93f66c
--- /dev/null
+++ b/ui/tests/unit/serializers/kv/data-test.js
@@ -0,0 +1,31 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupTest } from 'ember-qunit';
+
+module('Unit | Serializer | kv/data', function (hooks) {
+  setupTest(hooks);
+
+  test('it should always pass the cas option when creating/updating a secret', function (assert) {
+    const store = this.owner.lookup('service:store');
+    const record = store.createRecord('kv/data', {
+      path: 'my-secret-path',
+      backend: 'kv-test',
+      version: 2,
+      casVersion: 3,
+      secretData: { foo: 'bar' },
+    });
+    const expectedResult = {
+      data: { foo: 'bar' },
+      options: {
+        cas: 3,
+      },
+    };
+
+    const serializedRecord = record.serialize();
+    assert.deepEqual(serializedRecord, expectedResult, 'cas option was correctly added to the payload.');
+  });
+});
diff --git a/ui/tests/unit/serializers/kv/metadata-test.js b/ui/tests/unit/serializers/kv/metadata-test.js
new file mode 100644
index 0000000000..caf6e5ce7c
--- /dev/null
+++ b/ui/tests/unit/serializers/kv/metadata-test.js
@@ -0,0 +1,88 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import { module, test } from 'qunit';
+import { setupTest } from 'ember-qunit';
+
+module('Unit | Serializer | kv/metadata', function (hooks) {
+  setupTest(hooks);
+
+  test('it should properly normalize a list response', function (assert) {
+    const serializer = this.owner.lookup('serializer:kv/metadata');
+    const serverData = {
+      request_id: 'foo',
+      backend: 'my-backend',
+      path: '',
+      data: {
+        keys: ['first', 'second', 'third/'],
+      },
+    };
+    const expectedData = [
+      {
+        id: 'my-backend/metadata/first',
+        path: 'first',
+        backend: 'my-backend',
+        full_secret_path: 'first',
+      },
+      {
+        id: 'my-backend/metadata/second',
+        path: 'second',
+        backend: 'my-backend',
+        full_secret_path: 'second',
+      },
+      {
+        id: 'my-backend/metadata/third/',
+        path: 'third/',
+        backend: 'my-backend',
+        full_secret_path: 'third/',
+      },
+    ];
+
+    const serializedRecord = serializer.normalizeItems(serverData);
+    assert.deepEqual(serializedRecord, expectedData, 'transformed keys into proper IDs');
+  });
+
+  test('it should properly normalize a nested secret list response', function (assert) {
+    const serializer = this.owner.lookup('serializer:kv/metadata');
+    const serverData = {
+      request_id: 'foo',
+      backend: 'my-backend',
+      path: 'beep/',
+      data: {
+        keys: ['boop/'],
+      },
+    };
+    const expectedData = [
+      {
+        id: 'my-backend/metadata/beep/boop/',
+        path: 'boop/',
+        backend: 'my-backend',
+        full_secret_path: 'beep/boop/',
+      },
+    ];
+    const serializedRecord = serializer.normalizeItems(serverData);
+    assert.deepEqual(serializedRecord, expectedData, 'transformed keys into proper IDs');
+  });
+
+  test('it throws an assertion if backend not on payload', function (assert) {
+    const serializer = this.owner.lookup('serializer:kv/metadata');
+    const serverData = {
+      request_id: 'foo',
+      data: {
+        keys: ['first', 'second'],
+      },
+    };
+    let result;
+    try {
+      result = serializer.normalizeItems(serverData);
+    } catch (e) {
+      result = e.message;
+    }
+    assert.strictEqual(
+      result,
+      'Assertion Failed: payload.backend must be provided on kv/metadata list response'
+    );
+  });
+});
diff --git a/ui/tests/unit/services/store-test.js b/ui/tests/unit/services/store-test.js
index 9aeb67602f..c40b69cab4 100644
--- a/ui/tests/unit/services/store-test.js
+++ b/ui/tests/unit/services/store-test.js
@@ -90,7 +90,15 @@ module('Unit | Service | store', function (hooks) {
       store.constructResponse('data', { id: 1, pageFilter: 't', page: 1, size: 3, responsePath: 'data' }),
       {
         data: ['two', 'three', 'fifteen'],
-        meta: { currentPage: 1, lastPage: 2, nextPage: 2, prevPage: 1, total: 5, filteredTotal: 4 },
+        meta: {
+          currentPage: 1,
+          lastPage: 2,
+          nextPage: 2,
+          prevPage: 1,
+          total: 5,
+          filteredTotal: 4,
+          pageSize: 3,
+        },
       },
       'it returns filtered results'
     );
@@ -125,6 +133,7 @@ module('Unit | Service | store', function (hooks) {
         lastPage: 4,
         total: 7,
         filteredTotal: 7,
+        pageSize: 2,
       },
       'returns correct meta values'
     );
diff --git a/ui/tests/unit/utils/kv-breadcrumbs-test.js b/ui/tests/unit/utils/kv-breadcrumbs-test.js
new file mode 100644
index 0000000000..6f42936151
--- /dev/null
+++ b/ui/tests/unit/utils/kv-breadcrumbs-test.js
@@ -0,0 +1,95 @@
+import { module, test } from 'qunit';
+import { breadcrumbsForSecret, pathIsDirectory, pathIsFromDirectory } from 'kv/utils/kv-breadcrumbs';
+
+module('Unit | Utility | kv-breadcrumbs', function () {
+  test('pathIsDirectory works', function (assert) {
+    assert.expect(5);
+    [
+      { path: 'some/path', expect: false },
+      { path: 'some/path/', expect: true },
+      { path: 'some', expect: false },
+      { path: 'some/', expect: true },
+      { path: '/some', expect: false },
+    ].forEach((scenario) => {
+      assert.strictEqual(
+        pathIsDirectory(scenario.path),
+        scenario.expect,
+        `correct for path ${scenario.path}`
+      );
+    });
+  });
+  test('pathIsFromDirectory works', function (assert) {
+    assert.expect(5);
+    [
+      { path: 'some/path', expect: true },
+      { path: 'some/path/', expect: true },
+      { path: 'some', expect: false },
+      { path: 'some/', expect: true },
+      { path: '/some', expect: true },
+    ].forEach((scenario) => {
+      assert.strictEqual(
+        pathIsFromDirectory(scenario.path),
+        scenario.expect,
+        `correct for path ${scenario.path}`
+      );
+    });
+  });
+
+  test('breadcrumbsForSecret works', function (assert) {
+    let results = breadcrumbsForSecret('beep/bop/boop');
+    assert.deepEqual(
+      results,
+      [
+        { label: 'beep', route: 'list-directory', model: 'beep/' },
+        { label: 'bop', route: 'list-directory', model: 'beep/bop/' },
+        { label: 'boop', route: 'secret.details', model: 'beep/bop/boop' },
+      ],
+      'correct when full nested path to secret'
+    );
+
+    results = breadcrumbsForSecret('beep/bop/boop', true);
+    assert.deepEqual(
+      results,
+      [
+        { label: 'beep', route: 'list-directory', model: 'beep/' },
+        { label: 'bop', route: 'list-directory', model: 'beep/bop/' },
+        { label: 'boop' },
+      ],
+      'correct when full nested path to secret and last item current'
+    );
+
+    results = breadcrumbsForSecret('beep');
+    assert.deepEqual(
+      results,
+      [{ label: 'beep', route: 'secret.details', model: 'beep' }],
+      'correct when non-nested secret path'
+    );
+
+    results = breadcrumbsForSecret('beep', true);
+    assert.deepEqual(
+      results,
+      [{ label: 'beep' }],
+      'correct when non-nested secret path and last item current'
+    );
+
+    results = breadcrumbsForSecret('beep/bop/');
+    assert.deepEqual(
+      results,
+      [
+        { label: 'beep', route: 'list-directory', model: 'beep/' },
+        { label: 'bop', route: 'list-directory', model: 'beep/bop/' },
+      ],
+      'correct when path is directory'
+    );
+
+    results = breadcrumbsForSecret('beep/bop/', true);
+    assert.deepEqual(
+      results,
+      [{ label: 'beep', route: 'list-directory', model: 'beep/' }, { label: 'bop' }],
+      'correct when path is directory and last item current'
+    );
+
+    results = breadcrumbsForSecret();
+    assert.deepEqual(results, [], 'fails gracefully if secretPath is undefined');
+  });
+});
diff --git a/ui/tests/unit/utils/kv-path-test.js b/ui/tests/unit/utils/kv-path-test.js
new file mode 100644
index 0000000000..c13a82c5e3
--- /dev/null
+++ b/ui/tests/unit/utils/kv-path-test.js
@@ -0,0 +1,90 @@
+import { kvDataPath, kvDestroyPath, kvMetadataPath, kvUndeletePath } from 'vault/utils/kv-path';
+import { module, test } from 'qunit';
+
+module('Unit | Utility | kv-path utils', function () {
+  module('kvDataPath', function () {
+    [
+      {
+        backend: 'basic-backend',
+        path: 'secret-path',
+        expected: 'basic-backend/data/secret-path',
+      },
+      {
+        backend: 'some/back end',
+        path: 'my/secret/path',
+        expected: 'some/back%20end/data/my/secret/path',
+      },
+      {
+        backend: 'some/back end',
+        path: 'my/secret/path',
+        version: 3,
+        expected: 'some/back%20end/data/my/secret/path?version=3',
+      },
+    ].forEach((t, idx) => {
+      test(`kvDataPath ${idx}`, function (assert) {
+        const result = kvDataPath(t.backend, t.path, t.version);
+        assert.strictEqual(result, t.expected);
+      });
+    });
+  });
+
+  module('kvMetadataPath', function () {
+    [
+      {
+        backend: 'basic-backend',
+        path: 'secret-path',
+        expected: 'basic-backend/metadata/secret-path',
+      },
+      {
+        backend: 'some/back end',
+        path: 'my/secret/path',
+        expected: 'some/back%20end/metadata/my/secret/path',
+      },
+    ].forEach((t, idx) => {
+      test(`kvMetadataPath ${idx}`, function (assert) {
+        const result = kvMetadataPath(t.backend, t.path);
+        assert.strictEqual(result, t.expected);
+      });
+    });
+  });
+
+  module('kvDestroyPath', function () {
+    [
+      {
+        backend: 'basic-backend',
+        path: 'secret-path',
+        expected: 'basic-backend/destroy/secret-path',
+      },
+      {
+        backend: 'some/back end',
+        path: 'my/secret/path',
+        expected: 'some/back%20end/destroy/my/secret/path',
+      },
+    ].forEach((t, idx) => {
+      test(`kvDestroyPath ${idx}`, function (assert) {
+        const result = kvDestroyPath(t.backend, t.path);
+        assert.strictEqual(result, t.expected);
+      });
+    });
+  });
+
+  module('kvUndeletePath', function () {
+    [
+      {
+        backend: 'basic-backend',
+        path: 'secret-path',
+        expected: 'basic-backend/undelete/secret-path',
+      },
+      {
+        backend: 'some/back end',
+        path: 'my/secret/path',
+        expected: 'some/back%20end/undelete/my/secret/path',
+      },
+    ].forEach((t, idx) => {
+      test(`kvUndeletePath ${idx}`, function (assert) {
+        const result = kvUndeletePath(t.backend, t.path);
+        assert.strictEqual(result, t.expected);
+      });
+    });
+  });
+});
diff --git a/ui/tsconfig.json b/ui/tsconfig.json
index 0aed4c324c..f86f81d510 100644
--- a/ui/tsconfig.json
+++ b/ui/tsconfig.json
@@ -43,6 +43,10 @@
       "kmip/*": ["lib/kmip/addon/*"],
       "kmip/test-support": ["lib/kmip/addon-test-support"],
       "kmip/test-support/*": ["lib/kmip/addon-test-support/*"],
+      "kv": ["lib/kv/addon"],
+      "kv/*": ["lib/kv/addon/*"],
+      "kv/test-support": ["lib/kv/addon-test-support"],
+      "kv/test-support/*": ["lib/kv/addon-test-support/*"],
       "open-api-explorer": ["lib/open-api-explorer/addon"],
       "open-api-explorer/*": ["lib/open-api-explorer/addon/*"],
       "open-api-explorer/test-support": ["lib/open-api-explorer/addon-test-support"],
diff --git a/ui/types/ember-data/types/registries/adapter.d.ts b/ui/types/ember-data/types/registries/adapter.d.ts
index 8afff848f5..6c0a082f39 100644
--- a/ui/types/ember-data/types/registries/adapter.d.ts
+++ b/ui/types/ember-data/types/registries/adapter.d.ts
@@ -8,6 +8,8 @@ import Adapter from 'ember-data/adapter';
 import ModelRegistry from 'ember-data/types/registries/model';
 import PkiIssuerAdapter from 'vault/adapters/pki/issuer';
 import PkiTidyAdapter from 'vault/adapters/pki/tidy';
+import KvDataAdapter from 'vault/adapters/kv/data';
+import KvMetadataAdapter from 'vault/adapters/kv/metadata';
 
 /**
  * Catch-all for ember-data.
@@ -15,6 +17,8 @@ import PkiTidyAdapter from 'vault/adapters/pki/tidy';
 export default interface AdapterRegistry {
   'pki/issuer': PkiIssuerAdapter;
   'pki/tidy': PkiTidyAdapter;
+  'kv/data': KvDataAdapterAdapter;
+  'kv/metadata': KvMetadataAdapter;
   application: Application;
   [key: keyof ModelRegistry]: Adapter;
 }
diff --git a/ui/types/ember-data/types/registries/model.d.ts b/ui/types/ember-data/types/registries/model.d.ts
index 6ddac33c6d..bef1775fd2 100644
--- a/ui/types/ember-data/types/registries/model.d.ts
+++ b/ui/types/ember-data/types/registries/model.d.ts
@@ -4,6 +4,8 @@
  */
 
 import Model from '@ember-data/model';
+import KvSecretDataModel from 'vault/models/kv/data';
+import KvSecretMetadataModel from 'vault/models/kv/metadata';
 import PkiActionModel from 'vault/models/pki/action';
 import PkiCertificateGenerateModel from 'vault/models/pki/certificate/generate';
 
@@ -11,6 +13,8 @@ declare module 'ember-data/types/registries/model' {
   export default interface ModelRegistry {
     'pki/action': PkiActionModel;
     'pki/certificate/generate': PkiCertificateGenerateModel;
+    'kv/data': KvSecretDataModelModel;
+    'kv/metadata': KvSecretMetadataModel;
     // Catchall for any other models
     [key: string]: any;
   }
diff --git a/ui/types/vault/models/kv/data.d.ts b/ui/types/vault/models/kv/data.d.ts
new file mode 100644
index 0000000000..c65609112a
--- /dev/null
+++ b/ui/types/vault/models/kv/data.d.ts
@@ -0,0 +1,37 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Model from '@ember-data/model';
+import CapabilitiesModel from '../capabilities';
+
+export default class KvSecretDataModel extends Model {
+  backend: string;
+  path: string;
+  secretData: object;
+  createdTime: string;
+  customMetadata: object;
+  deletionTime: string;
+  destroyed: boolean;
+  versions: object;
+  failReadErrorCode: number;
+  casVersion: number;
+  // apiPaths for capabilities
+  dataPath: Promise<CapabilitiesModel>;
+  metadataPath: Promise<CapabilitiesModel>;
+  deletePath: Promise<CapabilitiesModel>;
+  destroyPath: Promise<CapabilitiesModel>;
+  undeletePath: Promise<CapabilitiesModel>;
+
+  // Capabilities
+  get canDeleteLatestVersion(): boolean;
+  get canDeleteVersion(): boolean;
+  get canUndelete(): boolean;
+  get canDestroyVersion(): boolean;
+  get canEditData(): boolean;
+  get canReadData(): boolean;
+  get canReadMetadata(): boolean;
+  get canUpdateMetadata(): boolean;
+  get canListMetadata(): boolean;
+}
diff --git a/ui/types/vault/models/kv/metadata.d.ts b/ui/types/vault/models/kv/metadata.d.ts
new file mode 100644
index 0000000000..96fbb8216b
--- /dev/null
+++ b/ui/types/vault/models/kv/metadata.d.ts
@@ -0,0 +1,30 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+import Model from '@ember-data/model';
+
+export default class KvSecretDataModel extends Model {
+  backend: string;
+  path: string;
+  fullSecretPath: string;
+  maxVersions: number;
+  casRequired: boolean;
+  deleteVersionAfter: string;
+  customMetadata: object;
+  createdTime: string;
+  currentVersion: number;
+  oldestVersion: number;
+  updatedTime: string;
+  versions: object;
+  // apiPaths for capabilities
+  dataPath: Promise<CapabilitiesModel>;
+  metadataPath: Promise<CapabilitiesModel>;
+
+  // Capabilities
+  get canDeleteMetadata(): boolean;
+  get canReadMetadata(): boolean;
+  get canUpdateMetadata(): boolean;
+  get canCreateVersionData(): boolean;
+}