Update terraform.mdx

.github/workflows/release_build_infisical_cli.yml

@@ -0,0 +1,153 @@
+name: Build and release CLI
+
+on:
+  workflow_dispatch:
+
+  push:
+    # run only against tags
+    tags:
+      - "infisical-cli/v*.*.*"
+
+permissions:
+  contents: write
+
+jobs:
+  cli-integration-tests:
+    name: Run tests before deployment
+    uses: ./.github/workflows/run-cli-tests.yml
+    secrets:
+      CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+      CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+      CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+      CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+      CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+      CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+      CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+      CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+
+  npm-release:
+    runs-on: ubuntu-latest
+    env:
+      working-directory: ./npm
+    needs:
+      - cli-integration-tests
+      - goreleaser
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Extract version
+        run: |
+          VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+          echo "Version extracted: $VERSION"
+          echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Print version
+        run: echo ${{ env.CLI_VERSION }}
+
+      - name: Setup Node
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        with:
+          node-version: 20
+          cache: "npm"
+          cache-dependency-path: ./npm/package-lock.json
+      - name: Install dependencies
+        working-directory: ${{ env.working-directory }}
+        run: npm install --ignore-scripts
+
+      - name: Set NPM version
+        working-directory: ${{ env.working-directory }}
+        run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+
+      - name: Setup NPM
+        working-directory: ${{ env.working-directory }}
+        run: |
+          echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+
+          echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Pack NPM
+        working-directory: ${{ env.working-directory }}
+        run: npm pack
+
+      - name: Publish NPM
+        working-directory: ${{ env.working-directory }}
+        run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  goreleaser:
+    runs-on: ubuntu-latest-8-cores
+    needs: [cli-integration-tests]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - run: git fetch --force --tags
+      - run: echo "Ref name ${{github.ref_name}}"
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ">=1.19.3"
+          cache: true
+          cache-dependency-path: cli/go.sum
+      - name: Setup for libssl1.0-dev
+        run: |
+          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+          sudo apt update
+          sudo apt-get install -y libssl1.0-dev
+      - name: OSXCross for CGO Support
+        run: |
+          mkdir ../../osxcross
+          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
+      - uses: goreleaser/goreleaser-action@v4
+        with:
+          distribution: goreleaser-pro
+          version: v1.26.2-pro
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
+          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      - uses: actions/setup-python@v4
+      - run: pip install --upgrade cloudsmith-cli
+      - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252
+        with:
+          ruby-version: "3.3" # Not needed with a .ruby-version, .tool-versions or mise.toml
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+      - name: Install deb-s3
+        run: gem install deb-s3
+      - name: Configure GPG Key
+        run: echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --batch --import
+        env:
+          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
+      - name: Publish to CloudSmith
+        run: sh cli/upload_to_cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
+          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+      - name: Invalidate Cloudfront cache
+        run: aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/deb/dists/stable/*'
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+          CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}

.github/workflows/run-cli-tests.yml

@@ -0,0 +1,55 @@
+name: Go CLI Tests
+
+on:
+    pull_request:
+        types: [opened, synchronize]
+        paths:
+            - "cli/**"
+
+    workflow_dispatch:
+
+    workflow_call:
+        secrets:
+            CLI_TESTS_UA_CLIENT_ID:
+                required: true
+            CLI_TESTS_UA_CLIENT_SECRET:
+                required: true
+            CLI_TESTS_SERVICE_TOKEN:
+                required: true
+            CLI_TESTS_PROJECT_ID:
+                required: true
+            CLI_TESTS_ENV_SLUG:
+                required: true
+            CLI_TESTS_USER_EMAIL:
+                required: true
+            CLI_TESTS_USER_PASSWORD:
+                required: true
+            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE:
+                required: true
+jobs:
+    test:
+        defaults:
+            run:
+                working-directory: ./cli
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+            - name: Setup Go
+              uses: actions/setup-go@v4
+              with:
+                  go-version: "1.21.x"
+            - name: Install dependencies
+              run: go get .
+            - name: Test with the Go CLI
+              env:
+                  CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+                  CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+                  CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+                  CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+                  CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+                  CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+                #   INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+
+              run: go test -v -count=1 ./test

.goreleaser.yaml

@@ -0,0 +1,241 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+# before:
+#   hooks:
+#     # You may remove this if you don't use go modules.
+#     - cd cli && go mod tidy
+#     # you may remove this if you don't need go generate
+#     - cd cli && go generate ./...
+before:
+  hooks:
+    - ./cli/scripts/completions.sh
+    - ./cli/scripts/manpages.sh
+
+monorepo:
+  tag_prefix: infisical-cli/
+  dir: cli
+
+builds:
+  - id: darwin-build
+    binary: infisical
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+    flags:
+      - -trimpath
+    env:
+      - CGO_ENABLED=1
+      - CC=/home/runner/work/osxcross/target/bin/o64-clang
+      - CXX=/home/runner/work/osxcross/target/bin/o64-clang++
+    goos:
+      - darwin
+    ignore:
+      - goos: darwin
+        goarch: "386"
+    dir: ./cli
+
+  - id: all-other-builds
+    env:
+      - CGO_ENABLED=0
+    binary: infisical
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+    flags:
+      - -trimpath
+    goos:
+      - freebsd
+      - linux
+      - netbsd
+      - openbsd
+      - windows
+    goarch:
+      - "386"
+      - amd64
+      - arm
+      - arm64
+    goarm:
+      - "6"
+      - "7"
+    ignore:
+      - goos: windows
+        goarch: "386"
+      - goos: freebsd
+        goarch: "386"
+    dir: ./cli
+
+archives:
+  - format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - ../README*
+      - ../LICENSE*
+      - ../manpages/*
+      - ../completions/*
+
+release:
+  replace_existing_draft: true
+  mode: "replace"
+
+checksum:
+  name_template: "checksums.txt"
+
+snapshot:
+  name_template: "{{ .Version }}-devel"
+
+# publishers:
+#   - name: fury.io
+#     ids:
+#       - infisical
+#     dir: "{{ dir .ArtifactPath }}"
+#     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
+
+brews:
+  - name: infisical
+    tap:
+      owner: Infisical
+      name: homebrew-get-cli
+    commit_author:
+      name: "Infisical"
+      email: ai@infisical.com
+    folder: Formula
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"
+  - name: "infisical@{{.Version}}"
+    tap:
+      owner: Infisical
+      name: homebrew-get-cli
+    commit_author:
+      name: "Infisical"
+      email: ai@infisical.com
+    folder: Formula
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"
+
+nfpms:
+  - id: infisical
+    package_name: infisical
+    builds:
+      - all-other-builds
+    vendor: Infisical, Inc
+    homepage: https://infisical.com/
+    maintainer: Infisical, Inc
+    description: The offical Infisical CLI
+    license: MIT
+    formats:
+      - rpm
+      - deb
+      - apk
+      - archlinux
+    bindir: /usr/bin
+    contents:
+      - src: ./completions/infisical.bash
+        dst: /etc/bash_completion.d/infisical
+      - src: ./completions/infisical.fish
+        dst: /usr/share/fish/vendor_completions.d/infisical.fish
+      - src: ./completions/infisical.zsh
+        dst: /usr/share/zsh/site-functions/_infisical
+      - src: ./manpages/infisical.1.gz
+        dst: /usr/share/man/man1/infisical.1.gz
+
+scoop:
+  bucket:
+    owner: Infisical
+    name: scoop-infisical
+  commit_author:
+    name: "Infisical"
+    email: ai@infisical.com
+  homepage: "https://infisical.com"
+  description: "The official Infisical CLI"
+  license: MIT
+
+winget:
+  - name: infisical
+    publisher: infisical
+    license: MIT
+    homepage: https://infisical.com
+    short_description: "The official Infisical CLI"
+    repository:
+      owner: infisical
+      name: winget-pkgs
+      branch: "infisical-{{.Version}}"
+      pull_request:
+        enabled: true
+        draft: false
+        base:
+          owner: microsoft
+          name: winget-pkgs
+          branch: master
+
+aurs:
+  - name: infisical-bin
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    maintainers:
+      - Infisical, Inc <support@infisical.com>
+    license: MIT
+    private_key: "{{ .Env.AUR_KEY }}"
+    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
+    package: |-
+      # bin
+      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
+      # license
+      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
+      # completions
+      mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
+      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
+      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
+      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
+      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
+      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
+      # man pages
+      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
+
+dockers:
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    use: buildx
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+      - "infisical/cli:latest-amd64"
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/amd64"
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    use: buildx
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+      - "infisical/cli:latest-arm64"
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/arm64"
+
+docker_manifests:
+  - name_template: "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+  - name_template: "infisical/cli:latest"
+    image_templates:
+      - "infisical/cli:latest-amd64"
+      - "infisical/cli:latest-arm64"

Dockerfile.fips.standalone-infisical

@@ -34,8 +34,6 @@ ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
 ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
 
-ENV NODE_OPTIONS="--max-old-space-size=8192"
-
 # Build
 RUN npm run build
 
@@ -211,11 +209,6 @@ EXPOSE 443
 RUN grep -v 'import "./lib/telemetry/instrumentation.mjs";' dist/main.mjs > dist/main.mjs.tmp && \
     mv dist/main.mjs.tmp dist/main.mjs
 
-# The OpenSSL library is installed in different locations in different architectures (x86_64 and arm64).
-# This is a workaround to avoid errors when the library is not found.
-RUN ln -sf /usr/local/lib64/ossl-modules /usr/local/lib/ossl-modules || \
-    ln -sf /usr/local/lib/ossl-modules /usr/local/lib64/ossl-modules
-
 USER non-root-user
 
 CMD ["./standalone-entrypoint.sh"]

Dockerfile.standalone-infisical

@@ -55,8 +55,6 @@ USER non-root-user
 ##
 FROM base AS backend-build
 
-ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-
 WORKDIR /app
 
 # Install all required dependencies for build
@@ -86,8 +84,6 @@ RUN npm run build
 # Production stage
 FROM base AS backend-runner
 
-ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-
 WORKDIR /app
 
 # Install all required dependencies for runtime
@@ -116,11 +112,6 @@ RUN mkdir frontend-build
 FROM base AS production
 
 RUN apt-get update && apt-get install -y \
-    build-essential \
-    autoconf \
-    automake \
-    libtool \
-    libssl-dev \
     ca-certificates \
     bash \
     curl \
@@ -180,7 +171,6 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true
 ENV STANDALONE_MODE true
 ENV NODE_OPTIONS="--max-old-space-size=1024"
-ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 
 WORKDIR /backend
 

backend/package-lock.json

@@ -7,6 +7,7 @@
     "": {
       "name": "backend",
       "version": "1.0.0",
+      "hasInstallScript": true,
       "license": "ISC",
       "dependencies": {
         "@aws-sdk/client-elasticache": "^3.637.0",
@@ -33,12 +34,11 @@
         "@gitbeaker/rest": "^42.5.0",
         "@google-cloud/kms": "^4.5.0",
         "@infisical/quic": "^1.0.8",
-        "@node-saml/passport-saml": "^5.1.0",
+        "@node-saml/passport-saml": "^5.0.1",
         "@octokit/auth-app": "^7.1.1",
         "@octokit/core": "^5.2.1",
         "@octokit/plugin-paginate-graphql": "^4.0.1",
         "@octokit/plugin-retry": "^5.0.5",
-        "@octokit/request": "8.4.1",
         "@octokit/rest": "^20.0.2",
         "@octokit/webhooks-types": "^7.3.1",
         "@octopusdeploy/api-client": "^3.4.1",
@@ -9574,20 +9574,20 @@
       }
     },
     "node_modules/@node-saml/node-saml": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/@node-saml/node-saml/-/node-saml-5.1.0.tgz",
-      "integrity": "sha512-t3cJnZ4aC7HhPZ6MGylGZULvUtBOZ6FzuUndaHGXjmIZHXnLfC/7L8a57O9Q9V7AxJGKAiRM5zu2wNm9EsvQpw==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@node-saml/node-saml/-/node-saml-5.0.1.tgz",
+      "integrity": "sha512-YQzFPEC+CnsfO9AFYnwfYZKIzOLx3kITaC1HrjHVLTo6hxcQhc+LgHODOMvW4VCV95Gwrz1MshRUWCPzkDqmnA==",
       "license": "MIT",
       "dependencies": {
         "@types/debug": "^4.1.12",
-        "@types/qs": "^6.9.18",
+        "@types/qs": "^6.9.11",
         "@types/xml-encryption": "^1.2.4",
         "@types/xml2js": "^0.4.14",
         "@xmldom/is-dom-node": "^1.0.1",
         "@xmldom/xmldom": "^0.8.10",
-        "debug": "^4.4.0",
-        "xml-crypto": "^6.1.2",
-        "xml-encryption": "^3.1.0",
+        "debug": "^4.3.4",
+        "xml-crypto": "^6.0.1",
+        "xml-encryption": "^3.0.2",
         "xml2js": "^0.6.2",
         "xmlbuilder": "^15.1.1",
         "xpath": "^0.0.34"
@@ -9597,9 +9597,9 @@
       }
     },
     "node_modules/@node-saml/node-saml/node_modules/debug": {
-      "version": "4.4.1",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz",
-      "integrity": "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==",
+      "version": "4.4.0",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
+      "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
       "license": "MIT",
       "dependencies": {
         "ms": "^2.1.3"
@@ -9636,14 +9636,14 @@
       }
     },
     "node_modules/@node-saml/passport-saml": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/@node-saml/passport-saml/-/passport-saml-5.1.0.tgz",
-      "integrity": "sha512-pBm+iFjv9eihcgeJuSUs4c0AuX1QEFdHwP8w1iaWCfDzXdeWZxUBU5HT2bY2S4dvNutcy+A9hYsH7ZLBGtgwDg==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@node-saml/passport-saml/-/passport-saml-5.0.1.tgz",
+      "integrity": "sha512-fMztg3zfSnjLEgxvpl6HaDMNeh0xeQX4QHiF9e2Lsie2dc4qFE37XYbQZhVmn8XJ2awPpSWLQ736UskYgGU8lQ==",
       "license": "MIT",
       "dependencies": {
-        "@node-saml/node-saml": "^5.1.0",
-        "@types/express": "^4.17.23",
-        "@types/passport": "^1.0.17",
+        "@node-saml/node-saml": "^5.0.1",
+        "@types/express": "^4.17.21",
+        "@types/passport": "^1.0.16",
         "@types/passport-strategy": "^0.2.38",
         "passport": "^0.7.0",
         "passport-strategy": "^1.0.0"
@@ -9778,6 +9778,18 @@
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/auth-app/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
     "node_modules/@octokit/auth-app/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -9824,6 +9836,11 @@
         "node": "14 || >=16.14"
       }
     },
+    "node_modules/@octokit/auth-app/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/auth-oauth-app": {
       "version": "8.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-app/-/auth-oauth-app-8.1.1.tgz",
@@ -9839,6 +9856,18 @@
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
     "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -9877,6 +9906,11 @@
         "@octokit/openapi-types": "^22.2.0"
       }
     },
+    "node_modules/@octokit/auth-oauth-app/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/auth-oauth-device": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-device/-/auth-oauth-device-7.1.1.tgz",
@@ -9891,6 +9925,18 @@
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
     "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -9929,6 +9975,11 @@
         "@octokit/openapi-types": "^22.2.0"
       }
     },
+    "node_modules/@octokit/auth-oauth-device/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/auth-oauth-user": {
       "version": "5.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-user/-/auth-oauth-user-5.1.1.tgz",
@@ -9944,6 +9995,18 @@
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
     "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -9982,6 +10045,11 @@
         "@octokit/openapi-types": "^22.2.0"
       }
     },
+    "node_modules/@octokit/auth-oauth-user/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/auth-token": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-4.0.0.tgz",
@@ -10035,38 +10103,32 @@
         "@octokit/openapi-types": "^24.2.0"
       }
     },
-    "node_modules/@octokit/core/node_modules/universal-user-agent": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
-      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
-      "license": "ISC"
-    },
     "node_modules/@octokit/endpoint": {
-      "version": "10.1.4",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.4.tgz",
-      "integrity": "sha512-OlYOlZIsfEVZm5HCSR8aSg02T2lbUWOsCQoPKfTXJwDzcHQBrVBGdGXb89dv2Kw2ToZaRtudp8O3ZIYoaOjKlA==",
+      "version": "9.0.6",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.6.tgz",
+      "integrity": "sha512-H1fNTMA57HbkFESSt3Y9+FBICv+0jFceJFPWDePYlR/iMGrwM5ph+Dd4XRQs+8X+PUFURLQgX9ChPfhJ/1uNQw==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^14.0.0",
-        "universal-user-agent": "^7.0.2"
+        "@octokit/types": "^13.1.0",
+        "universal-user-agent": "^6.0.0"
       },
       "engines": {
         "node": ">= 18"
       }
     },
     "node_modules/@octokit/endpoint/node_modules/@octokit/openapi-types": {
-      "version": "25.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-25.1.0.tgz",
-      "integrity": "sha512-idsIggNXUKkk0+BExUn1dQ92sfysJrje03Q0bv0e+KPLrvyqZF8MnBpFz8UNfYDwB3Ie7Z0TByjWfzxt7vseaA==",
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
       "license": "MIT"
     },
     "node_modules/@octokit/endpoint/node_modules/@octokit/types": {
-      "version": "14.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-14.1.0.tgz",
-      "integrity": "sha512-1y6DgTy8Jomcpu33N+p5w58l6xyt55Ar2I91RPiIA0xCJBXyUAhXCcmZaDWSANiha7R9a6qJJ2CRomGPZ6f46g==",
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/openapi-types": "^25.1.0"
+        "@octokit/openapi-types": "^24.2.0"
       }
     },
     "node_modules/@octokit/graphql": {
@@ -10098,12 +10160,6 @@
         "@octokit/openapi-types": "^24.2.0"
       }
     },
-    "node_modules/@octokit/graphql/node_modules/universal-user-agent": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
-      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
-      "license": "ISC"
-    },
     "node_modules/@octokit/oauth-authorization-url": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/oauth-authorization-url/-/oauth-authorization-url-7.1.1.tgz",
@@ -10126,6 +10182,18 @@
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/oauth-methods/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
     "node_modules/@octokit/oauth-methods/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -10164,6 +10232,11 @@
         "@octokit/openapi-types": "^22.2.0"
       }
     },
+    "node_modules/@octokit/oauth-methods/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/openapi-types": {
       "version": "19.1.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-19.1.0.tgz",
@@ -10304,54 +10377,31 @@
       }
     },
     "node_modules/@octokit/request-error/node_modules/@octokit/openapi-types": {
-      "version": "24.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
-      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
-      "license": "MIT"
+      "version": "22.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
+      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
     },
     "node_modules/@octokit/request-error/node_modules/@octokit/types": {
-      "version": "13.10.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
-      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
-      "license": "MIT",
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
       "dependencies": {
-        "@octokit/openapi-types": "^24.2.0"
-      }
-    },
-    "node_modules/@octokit/request/node_modules/@octokit/endpoint": {
-      "version": "9.0.6",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.6.tgz",
-      "integrity": "sha512-H1fNTMA57HbkFESSt3Y9+FBICv+0jFceJFPWDePYlR/iMGrwM5ph+Dd4XRQs+8X+PUFURLQgX9ChPfhJ/1uNQw==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^13.1.0",
-        "universal-user-agent": "^6.0.0"
-      },
-      "engines": {
-        "node": ">= 18"
+        "@octokit/openapi-types": "^22.2.0"
       }
     },
     "node_modules/@octokit/request/node_modules/@octokit/openapi-types": {
-      "version": "24.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
-      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
-      "license": "MIT"
+      "version": "22.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
+      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
     },
     "node_modules/@octokit/request/node_modules/@octokit/types": {
-      "version": "13.10.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
-      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
-      "license": "MIT",
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
       "dependencies": {
-        "@octokit/openapi-types": "^24.2.0"
+        "@octokit/openapi-types": "^22.2.0"
       }
     },
-    "node_modules/@octokit/request/node_modules/universal-user-agent": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
-      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
-      "license": "ISC"
-    },
     "node_modules/@octokit/rest": {
       "version": "20.0.2",
       "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-20.0.2.tgz",
@@ -13301,10 +13351,9 @@
       "license": "MIT"
     },
     "node_modules/@types/express": {
-      "version": "4.17.23",
-      "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.23.tgz",
-      "integrity": "sha512-Crp6WY9aTYP3qPi2wGDo9iUe/rceX01UMhnF1jmwDcKCFM6cx7YhGP/Mpr3y9AASpfHixIG0E6azCcL5OcDHsQ==",
-      "license": "MIT",
+      "version": "4.17.21",
+      "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.21.tgz",
+      "integrity": "sha512-ejlPM315qwLpaQlQDTjPdsUFSc6ZsP4AN6AlWnogPjQ7CVi7PYF3YVz+CY3jE2pwYf7E/7HlDAN0rV2GxTG0HQ==",
       "dependencies": {
         "@types/body-parser": "*",
         "@types/express-serve-static-core": "^4.17.33",
@@ -13474,10 +13523,9 @@
       }
     },
     "node_modules/@types/passport": {
-      "version": "1.0.17",
-      "resolved": "https://registry.npmjs.org/@types/passport/-/passport-1.0.17.tgz",
-      "integrity": "sha512-aciLyx+wDwT2t2/kJGJR2AEeBz0nJU4WuRX04Wu9Dqc5lSUtwu0WERPHYsLhF9PtseiAMPBGNUOtFjxZ56prsg==",
-      "license": "MIT",
+      "version": "1.0.16",
+      "resolved": "https://registry.npmjs.org/@types/passport/-/passport-1.0.16.tgz",
+      "integrity": "sha512-FD0qD5hbPWQzaM0wHUnJ/T0BBCJBxCeemtnCwc/ThhTg3x9jfrAcRUmj5Dopza+MfFS9acTe3wk7rcVnRIp/0A==",
       "dependencies": {
         "@types/express": "*"
       }
@@ -18239,8 +18287,7 @@
     "node_modules/fast-content-type-parse": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/fast-content-type-parse/-/fast-content-type-parse-1.1.0.tgz",
-      "integrity": "sha512-fBHHqSTFLVnR61C+gltJuE5GkVQMV0S2nqUO8TJ+5Z3qAKG8vAx4FKai1s5jq/inV1+sREynIWSuQ6HgoSXpDQ==",
-      "license": "MIT"
+      "integrity": "sha512-fBHHqSTFLVnR61C+gltJuE5GkVQMV0S2nqUO8TJ+5Z3qAKG8vAx4FKai1s5jq/inV1+sREynIWSuQ6HgoSXpDQ=="
     },
     "node_modules/fast-copy": {
       "version": "3.0.1",
@@ -24728,12 +24775,6 @@
         "jsonwebtoken": "^9.0.2"
       }
     },
-    "node_modules/octokit-auth-probot/node_modules/universal-user-agent": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
-      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
-      "license": "ISC"
-    },
     "node_modules/odbc": {
       "version": "2.4.9",
       "resolved": "https://registry.npmjs.org/odbc/-/odbc-2.4.9.tgz",
@@ -30663,10 +30704,9 @@
       "integrity": "sha512-G5o6f95b5BggDGuUfKDApKaCgNYy2x7OdHY0zSMF081O0EJobw+1130VONhrA7ezGSV2FNOGyM+KQpQZAr9bIQ=="
     },
     "node_modules/universal-user-agent": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.3.tgz",
-      "integrity": "sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A==",
-      "license": "ISC"
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
+      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ=="
     },
     "node_modules/universalify": {
       "version": "2.0.1",
@@ -31913,9 +31953,9 @@
       "license": "MIT"
     },
     "node_modules/xml-crypto": {
-      "version": "6.1.2",
-      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.1.2.tgz",
-      "integrity": "sha512-leBOVQdVi8FvPJrMYoum7Ici9qyxfE4kVi+AkpUoYCSXaQF4IlBm1cneTK9oAxR61LpYxTx7lNcsnBIeRpGW2w==",
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.0.1.tgz",
+      "integrity": "sha512-v05aU7NS03z4jlZ0iZGRFeZsuKO1UfEbbYiaeRMiATBFs6Jq9+wqKquEMTn4UTrYZ9iGD8yz3KT4L9o2iF682w==",
       "license": "MIT",
       "dependencies": {
         "@xmldom/is-dom-node": "^1.0.1",

backend/package.json

@@ -153,12 +153,11 @@
     "@gitbeaker/rest": "^42.5.0",
     "@google-cloud/kms": "^4.5.0",
     "@infisical/quic": "^1.0.8",
-    "@node-saml/passport-saml": "^5.1.0",
+    "@node-saml/passport-saml": "^5.0.1",
     "@octokit/auth-app": "^7.1.1",
     "@octokit/core": "^5.2.1",
     "@octokit/plugin-paginate-graphql": "^4.0.1",
     "@octokit/plugin-retry": "^5.0.5",
-    "@octokit/request": "8.4.1",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
     "@octopusdeploy/api-client": "^3.4.1",

backend/src/@types/fastify.d.ts

@@ -12,8 +12,6 @@ import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certifi
 import { TCertificateEstServiceFactory } from "@app/ee/services/certificate-est/certificate-est-service";
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-types";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-types";
-import { TEventBusService } from "@app/ee/services/event/event-bus-service";
-import { TServerSentEventsService } from "@app/ee/services/event/event-sse-service";
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TGithubOrgSyncServiceFactory } from "@app/ee/services/github-org-sync/github-org-sync-service";
@@ -298,8 +296,6 @@ declare module "fastify" {
       internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
       pkiTemplate: TPkiTemplatesServiceFactory;
       reminder: TReminderServiceFactory;
-      bus: TEventBusService;
-      sse: TServerSentEventsService;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/db/migrations/20250725171821_add-secret-detection-ignore-values.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.Project, "secretDetectionIgnoreValues"))) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.specificType("secretDetectionIgnoreValues", "text[]");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Project, "secretDetectionIgnoreValues")) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.dropColumn("secretDetectionIgnoreValues");
-    });
-  }
-}

backend/src/db/schemas/projects.ts

@@ -30,8 +30,7 @@ export const ProjectsSchema = z.object({
   hasDeleteProtection: z.boolean().default(false).nullable().optional(),
   secretSharing: z.boolean().default(true),
   showSnapshotsLegacy: z.boolean().default(false),
-  defaultProduct: z.string().nullable().optional(),
-  secretDetectionIgnoreValues: z.string().array().nullable().optional()
+  defaultProduct: z.string().nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/ee/routes/v2/secret-scanning-v2-routers/gitlab-secret-scanning-router.ts

@@ -1,16 +0,0 @@
-import { registerSecretScanningEndpoints } from "@app/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-endpoints";
-import {
-  CreateGitLabDataSourceSchema,
-  GitLabDataSourceSchema,
-  UpdateGitLabDataSourceSchema
-} from "@app/ee/services/secret-scanning-v2/gitlab";
-import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
-
-export const registerGitLabSecretScanningRouter = async (server: FastifyZodProvider) =>
-  registerSecretScanningEndpoints({
-    type: SecretScanningDataSource.GitLab,
-    server,
-    responseSchema: GitLabDataSourceSchema,
-    createSchema: CreateGitLabDataSourceSchema,
-    updateSchema: UpdateGitLabDataSourceSchema
-  });

backend/src/ee/routes/v2/secret-scanning-v2-routers/index.ts

@@ -1,4 +1,3 @@
-import { registerGitLabSecretScanningRouter } from "@app/ee/routes/v2/secret-scanning-v2-routers/gitlab-secret-scanning-router";
 import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
 
 import { registerBitbucketSecretScanningRouter } from "./bitbucket-secret-scanning-router";
@@ -11,6 +10,5 @@ export const SECRET_SCANNING_REGISTER_ROUTER_MAP: Record<
   (server: FastifyZodProvider) => Promise<void>
 > = {
   [SecretScanningDataSource.GitHub]: registerGitHubSecretScanningRouter,
-  [SecretScanningDataSource.Bitbucket]: registerBitbucketSecretScanningRouter,
-  [SecretScanningDataSource.GitLab]: registerGitLabSecretScanningRouter
+  [SecretScanningDataSource.Bitbucket]: registerBitbucketSecretScanningRouter
 };

backend/src/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-router.ts

@@ -4,7 +4,6 @@ import { SecretScanningConfigsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { BitbucketDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/bitbucket";
 import { GitHubDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/github";
-import { GitLabDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/gitlab";
 import {
   SecretScanningFindingStatus,
   SecretScanningScanStatus
@@ -25,8 +24,7 @@ import { AuthMode } from "@app/services/auth/auth-type";
 
 const SecretScanningDataSourceOptionsSchema = z.discriminatedUnion("type", [
   GitHubDataSourceListItemSchema,
-  BitbucketDataSourceListItemSchema,
-  GitLabDataSourceListItemSchema
+  BitbucketDataSourceListItemSchema
 ]);
 
 export const registerSecretScanningV2Router = async (server: FastifyZodProvider) => {

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -1,10 +1,8 @@
 // weird commonjs-related error in the CI requires us to do the import like this
 import knex from "knex";
-import { v4 as uuidv4 } from "uuid";
 
 import { TDbClient } from "@app/db";
 import { TableName, TAuditLogs } from "@app/db/schemas";
-import { getConfig } from "@app/lib/config/env";
 import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, TOrmify } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
@@ -190,20 +188,5 @@ export const auditLogDALFactory = (db: TDbClient) => {
     logger.info(`${QueueName.DailyResourceCleanUp}: audit log completed`);
   };
 
-  const create: TAuditLogDALFactory["create"] = async (tx) => {
-    const config = getConfig();
-
-    if (config.DISABLE_AUDIT_LOG_STORAGE) {
-      return {
-        ...tx,
-        id: uuidv4(),
-        createdAt: new Date(),
-        updatedAt: new Date()
-      };
-    }
-
-    return auditLogOrm.create(tx);
-  };
-
-  return { ...auditLogOrm, create, pruneAuditLog, find };
+  return { ...auditLogOrm, pruneAuditLog, find };
 };

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -1,8 +1,7 @@
 import { AxiosError, RawAxiosRequestHeaders } from "axios";
 
-import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
-import { TEventBusService } from "@app/ee/services/event/event-bus-service";
-import { TopicName, toPublishableEvent } from "@app/ee/services/event/types";
+import { SecretKeyEncoding } from "@app/db/schemas";
+import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { logger } from "@app/lib/logger";
@@ -22,7 +21,6 @@ type TAuditLogQueueServiceFactoryDep = {
   queueService: TQueueServiceFactory;
   projectDAL: Pick<TProjectDALFactory, "findById">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  eventBusService: TEventBusService;
 };
 
 export type TAuditLogQueueServiceFactory = {
@@ -38,18 +36,134 @@ export const auditLogQueueServiceFactory = async ({
   queueService,
   projectDAL,
   licenseService,
-  auditLogStreamDAL,
-  eventBusService
+  auditLogStreamDAL
 }: TAuditLogQueueServiceFactoryDep): Promise<TAuditLogQueueServiceFactory> => {
+  const appCfg = getConfig();
+
   const pushToLog = async (data: TCreateAuditLogDTO) => {
-    await queueService.queue<QueueName.AuditLog>(QueueName.AuditLog, QueueJobs.AuditLog, data, {
-      removeOnFail: {
-        count: 3
-      },
-      removeOnComplete: true
-    });
+    if (appCfg.USE_PG_QUEUE && appCfg.SHOULD_INIT_PG_QUEUE) {
+      await queueService.queuePg<QueueName.AuditLog>(QueueJobs.AuditLog, data, {
+        retryLimit: 10,
+        retryBackoff: true
+      });
+    } else {
+      await queueService.queue<QueueName.AuditLog>(QueueName.AuditLog, QueueJobs.AuditLog, data, {
+        removeOnFail: {
+          count: 3
+        },
+        removeOnComplete: true
+      });
+    }
   };
 
+  if (appCfg.SHOULD_INIT_PG_QUEUE) {
+    await queueService.startPg<QueueName.AuditLog>(
+      QueueJobs.AuditLog,
+      async ([job]) => {
+        const { actor, event, ipAddress, projectId, userAgent, userAgentType } = job.data;
+        let { orgId } = job.data;
+        const MS_IN_DAY = 24 * 60 * 60 * 1000;
+        let project;
+
+        if (!orgId) {
+          // it will never be undefined for both org and project id
+          // TODO(akhilmhdh): use caching here in dal to avoid db calls
+          project = await projectDAL.findById(projectId as string);
+          orgId = project.orgId;
+        }
+
+        const plan = await licenseService.getPlan(orgId);
+        if (plan.auditLogsRetentionDays === 0) {
+          // skip inserting if audit log retention is 0 meaning its not supported
+          return;
+        }
+
+        // For project actions, set TTL to project-level audit log retention config
+        // This condition ensures that the plan's audit log retention days cannot be bypassed
+        const ttlInDays =
+          project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
+            ? project.auditLogsRetentionDays
+            : plan.auditLogsRetentionDays;
+
+        const ttl = ttlInDays * MS_IN_DAY;
+
+        const auditLog = await auditLogDAL.create({
+          actor: actor.type,
+          actorMetadata: actor.metadata,
+          userAgent,
+          projectId,
+          projectName: project?.name,
+          ipAddress,
+          orgId,
+          eventType: event.type,
+          expiresAt: new Date(Date.now() + ttl),
+          eventMetadata: event.metadata,
+          userAgentType
+        });
+
+        const logStreams = orgId ? await auditLogStreamDAL.find({ orgId }) : [];
+        await Promise.allSettled(
+          logStreams.map(
+            async ({
+              url,
+              encryptedHeadersTag,
+              encryptedHeadersIV,
+              encryptedHeadersKeyEncoding,
+              encryptedHeadersCiphertext
+            }) => {
+              const streamHeaders =
+                encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
+                  ? (JSON.parse(
+                      crypto
+                        .encryption()
+                        .symmetric()
+                        .decryptWithRootEncryptionKey({
+                          keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                          iv: encryptedHeadersIV,
+                          tag: encryptedHeadersTag,
+                          ciphertext: encryptedHeadersCiphertext
+                        })
+                    ) as LogStreamHeaders[])
+                  : [];
+
+              const headers: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
+
+              if (streamHeaders.length)
+                streamHeaders.forEach(({ key, value }) => {
+                  headers[key] = value;
+                });
+
+              try {
+                const response = await request.post(
+                  url,
+                  { ...providerSpecificPayload(url), ...auditLog },
+                  {
+                    headers,
+                    // request timeout
+                    timeout: AUDIT_LOG_STREAM_TIMEOUT,
+                    // connection timeout
+                    signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+                  }
+                );
+                return response;
+              } catch (error) {
+                logger.error(
+                  `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
+                );
+                return error;
+              }
+            }
+          )
+        );
+      },
+      {
+        batchSize: 1,
+        workerCount: 30,
+        pollingIntervalSeconds: 0.5
+      }
+    );
+  }
+
   queueService.start(QueueName.AuditLog, async (job) => {
     const { actor, event, ipAddress, projectId, userAgent, userAgentType } = job.data;
     let { orgId } = job.data;
@@ -64,97 +178,88 @@ export const auditLogQueueServiceFactory = async ({
     }
 
     const plan = await licenseService.getPlan(orgId);
+    if (plan.auditLogsRetentionDays === 0) {
+      // skip inserting if audit log retention is 0 meaning its not supported
+      return;
+    }
 
-    // skip inserting if audit log retention is 0 meaning its not supported
-    if (plan.auditLogsRetentionDays !== 0) {
-      // For project actions, set TTL to project-level audit log retention config
-      // This condition ensures that the plan's audit log retention days cannot be bypassed
-      const ttlInDays =
-        project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
-          ? project.auditLogsRetentionDays
-          : plan.auditLogsRetentionDays;
+    // For project actions, set TTL to project-level audit log retention config
+    // This condition ensures that the plan's audit log retention days cannot be bypassed
+    const ttlInDays =
+      project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
+        ? project.auditLogsRetentionDays
+        : plan.auditLogsRetentionDays;
 
-      const ttl = ttlInDays * MS_IN_DAY;
+    const ttl = ttlInDays * MS_IN_DAY;
 
-      const auditLog = await auditLogDAL.create({
-        actor: actor.type,
-        actorMetadata: actor.metadata,
-        userAgent,
-        projectId,
-        projectName: project?.name,
-        ipAddress,
-        orgId,
-        eventType: event.type,
-        expiresAt: new Date(Date.now() + ttl),
-        eventMetadata: event.metadata,
-        userAgentType
-      });
+    const auditLog = await auditLogDAL.create({
+      actor: actor.type,
+      actorMetadata: actor.metadata,
+      userAgent,
+      projectId,
+      projectName: project?.name,
+      ipAddress,
+      orgId,
+      eventType: event.type,
+      expiresAt: new Date(Date.now() + ttl),
+      eventMetadata: event.metadata,
+      userAgentType
+    });
 
-      const logStreams = orgId ? await auditLogStreamDAL.find({ orgId }) : [];
-      await Promise.allSettled(
-        logStreams.map(
-          async ({
-            url,
-            encryptedHeadersTag,
-            encryptedHeadersIV,
-            encryptedHeadersKeyEncoding,
-            encryptedHeadersCiphertext
-          }) => {
-            const streamHeaders =
-              encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
-                ? (JSON.parse(
-                    crypto
-                      .encryption()
-                      .symmetric()
-                      .decryptWithRootEncryptionKey({
-                        keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                        iv: encryptedHeadersIV,
-                        tag: encryptedHeadersTag,
-                        ciphertext: encryptedHeadersCiphertext
-                      })
-                  ) as LogStreamHeaders[])
-                : [];
+    const logStreams = orgId ? await auditLogStreamDAL.find({ orgId }) : [];
+    await Promise.allSettled(
+      logStreams.map(
+        async ({
+          url,
+          encryptedHeadersTag,
+          encryptedHeadersIV,
+          encryptedHeadersKeyEncoding,
+          encryptedHeadersCiphertext
+        }) => {
+          const streamHeaders =
+            encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
+              ? (JSON.parse(
+                  crypto
+                    .encryption()
+                    .symmetric()
+                    .decryptWithRootEncryptionKey({
+                      keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                      iv: encryptedHeadersIV,
+                      tag: encryptedHeadersTag,
+                      ciphertext: encryptedHeadersCiphertext
+                    })
+                ) as LogStreamHeaders[])
+              : [];
 
-            const headers: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
+          const headers: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
 
-            if (streamHeaders.length)
-              streamHeaders.forEach(({ key, value }) => {
-                headers[key] = value;
-              });
+          if (streamHeaders.length)
+            streamHeaders.forEach(({ key, value }) => {
+              headers[key] = value;
+            });
 
-            try {
-              const response = await request.post(
-                url,
-                { ...providerSpecificPayload(url), ...auditLog },
-                {
-                  headers,
-                  // request timeout
-                  timeout: AUDIT_LOG_STREAM_TIMEOUT,
-                  // connection timeout
-                  signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
-                }
-              );
-              return response;
-            } catch (error) {
-              logger.error(
-                `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
-              );
-              return error;
-            }
+          try {
+            const response = await request.post(
+              url,
+              { ...providerSpecificPayload(url), ...auditLog },
+              {
+                headers,
+                // request timeout
+                timeout: AUDIT_LOG_STREAM_TIMEOUT,
+                // connection timeout
+                signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+              }
+            );
+            return response;
+          } catch (error) {
+            logger.error(
+              `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
+            );
+            return error;
           }
-        )
-      );
-    }
-
-    const publishable = toPublishableEvent(event);
-
-    if (publishable) {
-      await eventBusService.publish(TopicName.CoreServers, {
-        type: ProjectType.SecretManager,
-        source: "infiscal",
-        data: publishable.data
-      });
-    }
+        }
+      )
+    );
   });
 
   return {

backend/src/ee/services/event/event-bus-service.ts

@@ -1,83 +0,0 @@
-import Redis from "ioredis";
-import { z } from "zod";
-
-import { logger } from "@app/lib/logger";
-
-import { EventSchema, TopicName } from "./types";
-
-export const eventBusFactory = (redis: Redis) => {
-  const publisher = redis.duplicate();
-  // Duplicate the publisher to create a subscriber.
-  // This is necessary because Redis does not allow a single connection to both publish and subscribe.
-  const subscriber = publisher.duplicate();
-
-  const init = async (topics: TopicName[] = Object.values(TopicName)) => {
-    subscriber.on("error", (e) => {
-      logger.error(e, "Event Bus subscriber error");
-    });
-
-    publisher.on("error", (e) => {
-      logger.error(e, "Event Bus publisher error");
-    });
-
-    await subscriber.subscribe(...topics);
-  };
-
-  /**
-   * Publishes an event to the specified topic.
-   * @param topic - The topic to publish the event to.
-   * @param event - The event data to publish.
-   */
-  const publish = async <T extends z.input<typeof EventSchema>>(topic: TopicName, event: T) => {
-    const json = JSON.stringify(event);
-
-    return publisher.publish(topic, json, (err) => {
-      if (err) {
-        return logger.error(err, `Error publishing to channel ${topic}`);
-      }
-    });
-  };
-
-  /**
-   * @param fn - The function to call when a message is received.
-   * It should accept the parsed event data as an argument.
-   * @template T - The type of the event data, which should match the schema defined in EventSchema.
-   * @returns A function that can be called to unsubscribe from the event bus.
-   */
-  const subscribe = <T extends z.infer<typeof EventSchema>>(fn: (data: T) => Promise<void> | void) => {
-    // Not using async await cause redis client's `on` method does not expect async listeners.
-    const listener = (channel: string, message: string) => {
-      try {
-        const parsed = JSON.parse(message) as T;
-        const thenable = fn(parsed);
-
-        // If the function returns a Promise, catch any errors that occur during processing.
-        if (thenable instanceof Promise) {
-          thenable.catch((error) => {
-            logger.error(error, `Error processing message from channel ${channel}`);
-          });
-        }
-      } catch (error) {
-        logger.error(error, `Error parsing message data from channel ${channel}`);
-      }
-    };
-    subscriber.on("message", listener);
-
-    return () => {
-      subscriber.off("message", listener);
-    };
-  };
-
-  const close = async () => {
-    try {
-      await publisher.quit();
-      await subscriber.quit();
-    } catch (error) {
-      logger.error(error, "Error closing event bus connections");
-    }
-  };
-
-  return { init, publish, subscribe, close };
-};
-
-export type TEventBusService = ReturnType<typeof eventBusFactory>;

backend/src/ee/services/event/event-sse-service.ts

@@ -1,164 +0,0 @@
-/* eslint-disable no-continue */
-import { subject } from "@casl/ability";
-import Redis from "ioredis";
-
-import { KeyStorePrefixes } from "@app/keystore/keystore";
-import { logger } from "@app/lib/logger";
-
-import { TEventBusService } from "./event-bus-service";
-import { createEventStreamClient, EventStreamClient, IEventStreamClientOpts } from "./event-sse-stream";
-import { EventData, RegisteredEvent, toBusEventName } from "./types";
-
-const AUTH_REFRESH_INTERVAL = 60 * 1000;
-const HEART_BEAT_INTERVAL = 15 * 1000;
-
-export const sseServiceFactory = (bus: TEventBusService, redis: Redis) => {
-  let heartbeatInterval: NodeJS.Timeout | null = null;
-
-  const clients = new Set<EventStreamClient>();
-
-  heartbeatInterval = setInterval(() => {
-    for (const client of clients) {
-      if (client.stream.closed) continue;
-      void client.ping();
-    }
-  }, HEART_BEAT_INTERVAL);
-
-  const refreshInterval = setInterval(() => {
-    for (const client of clients) {
-      if (client.stream.closed) continue;
-      void client.refresh();
-    }
-  }, AUTH_REFRESH_INTERVAL);
-
-  const removeActiveConnection = async (projectId: string, identityId: string, connectionId: string) => {
-    const set = KeyStorePrefixes.ActiveSSEConnectionsSet(projectId, identityId);
-    const key = KeyStorePrefixes.ActiveSSEConnections(projectId, identityId, connectionId);
-
-    await Promise.all([redis.lrem(set, 0, connectionId), redis.del(key)]);
-  };
-
-  const getActiveConnectionsCount = async (projectId: string, identityId: string) => {
-    const set = KeyStorePrefixes.ActiveSSEConnectionsSet(projectId, identityId);
-    const connections = await redis.lrange(set, 0, -1);
-
-    if (connections.length === 0) {
-      return 0; // No active connections
-    }
-
-    const keys = connections.map((c) => KeyStorePrefixes.ActiveSSEConnections(projectId, identityId, c));
-
-    const values = await redis.mget(...keys);
-
-    // eslint-disable-next-line no-plusplus
-    for (let i = 0; i < values.length; i++) {
-      if (values[i] === null) {
-        // eslint-disable-next-line no-await-in-loop
-        await removeActiveConnection(projectId, identityId, connections[i]);
-      }
-    }
-
-    return redis.llen(set);
-  };
-
-  const onDisconnect = async (client: EventStreamClient) => {
-    try {
-      client.close();
-      clients.delete(client);
-      await removeActiveConnection(client.auth.projectId, client.auth.actorId, client.id);
-    } catch (error) {
-      logger.error(error, "Error during SSE stream disconnection");
-    }
-  };
-
-  function filterEventsForClient(client: EventStreamClient, event: EventData, registered: RegisteredEvent[]) {
-    const eventType = toBusEventName(event.data.eventType);
-    const match = registered.find((r) => r.event === eventType);
-    if (!match) return;
-
-    const item = event.data.payload;
-
-    if (Array.isArray(item)) {
-      if (item.length === 0) return;
-
-      const baseSubject = {
-        eventType,
-        environment: undefined as string | undefined,
-        secretPath: undefined as string | undefined
-      };
-
-      const filtered = item.filter((ev) => {
-        baseSubject.secretPath = ev.secretPath ?? "/";
-        baseSubject.environment = ev.environment;
-
-        return client.matcher.can("subscribe", subject(event.type, baseSubject));
-      });
-
-      if (filtered.length === 0) return;
-
-      return client.send({
-        ...event,
-        data: {
-          ...event.data,
-          payload: filtered
-        }
-      });
-    }
-
-    // For single item
-    const baseSubject = {
-      eventType,
-      secretPath: item.secretPath ?? "/",
-      environment: item.environment
-    };
-
-    if (client.matcher.can("subscribe", subject(event.type, baseSubject))) {
-      client.send(event);
-    }
-  }
-
-  const subscribe = async (
-    opts: IEventStreamClientOpts & {
-      onClose?: () => void;
-    }
-  ) => {
-    const client = createEventStreamClient(redis, opts);
-
-    // Set up event listener on event bus
-    const unsubscribe = bus.subscribe((event) => {
-      if (event.type !== opts.type) return;
-      filterEventsForClient(client, event, opts.registered);
-    });
-
-    client.stream.on("close", () => {
-      unsubscribe();
-      void onDisconnect(client); // This will never throw
-    });
-
-    await client.open();
-
-    clients.add(client);
-
-    return client;
-  };
-
-  const close = () => {
-    if (heartbeatInterval) {
-      clearInterval(heartbeatInterval);
-    }
-
-    if (refreshInterval) {
-      clearInterval(refreshInterval);
-    }
-
-    for (const client of clients) {
-      client.close();
-    }
-
-    clients.clear();
-  };
-
-  return { subscribe, close, getActiveConnectionsCount };
-};
-
-export type TServerSentEventsService = ReturnType<typeof sseServiceFactory>;

backend/src/ee/services/event/event-sse-stream.ts

@@ -1,178 +0,0 @@
-/* eslint-disable no-underscore-dangle */
-import { Readable } from "node:stream";
-
-import { MongoAbility, PureAbility } from "@casl/ability";
-import { MongoQuery } from "@ucast/mongo2js";
-import Redis from "ioredis";
-import { nanoid } from "nanoid";
-
-import { ProjectType } from "@app/db/schemas";
-import { ProjectPermissionSet } from "@app/ee/services/permission/project-permission";
-import { KeyStorePrefixes } from "@app/keystore/keystore";
-import { conditionsMatcher } from "@app/lib/casl";
-import { logger } from "@app/lib/logger";
-
-import { EventData, RegisteredEvent } from "./types";
-
-export const getServerSentEventsHeaders = () =>
-  ({
-    "Cache-Control": "no-cache",
-    "Content-Type": "text/event-stream",
-    Connection: "keep-alive",
-    "X-Accel-Buffering": "no"
-  }) as const;
-
-type TAuthInfo = {
-  actorId: string;
-  projectId: string;
-  permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
-};
-
-export interface IEventStreamClientOpts {
-  type: ProjectType;
-  registered: RegisteredEvent[];
-  onAuthRefresh: (info: TAuthInfo) => Promise<void> | void;
-  getAuthInfo: () => Promise<TAuthInfo> | TAuthInfo;
-}
-
-interface EventMessage {
-  time?: string | number;
-  type: string;
-  data?: unknown;
-}
-
-function serializeSseEvent(chunk: EventMessage): string {
-  let payload = "";
-
-  if (chunk.time) payload += `id: ${chunk.time}\n`;
-  if (chunk.type) payload += `event: ${chunk.type}\n`;
-  if (chunk.data) payload += `data: ${JSON.stringify(chunk)}\n`;
-
-  return `${payload}\n`;
-}
-
-export type EventStreamClient = {
-  id: string;
-  stream: Readable;
-  open: () => Promise<void>;
-  send: (data: EventMessage | EventData) => void;
-  ping: () => Promise<void>;
-  refresh: () => Promise<void>;
-  close: () => void;
-  get auth(): TAuthInfo;
-  signal: AbortSignal;
-  abort: () => void;
-  matcher: PureAbility;
-};
-
-export function createEventStreamClient(redis: Redis, options: IEventStreamClientOpts): EventStreamClient {
-  const rules = options.registered.map((r) => ({
-    subject: options.type,
-    action: "subscribe",
-    conditions: {
-      eventType: r.event,
-      secretPath: r.conditions?.secretPath ?? "/",
-      environment: r.conditions?.environmentSlug
-    }
-  }));
-
-  const id = `sse-${nanoid()}`;
-  const control = new AbortController();
-  const matcher = new PureAbility(rules, { conditionsMatcher });
-
-  let auth: TAuthInfo | undefined;
-
-  const stream = new Readable({
-    objectMode: true
-  });
-
-  // We will manually push data to the stream
-  stream._read = () => {};
-
-  const send = (data: EventMessage | EventData) => {
-    const chunk = serializeSseEvent(data);
-    if (!stream.push(chunk)) {
-      logger.debug("Backpressure detected: dropped manual event");
-    }
-  };
-
-  stream.on("error", (error: Error) => stream.destroy(error));
-
-  const open = async () => {
-    auth = await options.getAuthInfo();
-    await options.onAuthRefresh(auth);
-
-    const { actorId, projectId } = auth;
-    const set = KeyStorePrefixes.ActiveSSEConnectionsSet(projectId, actorId);
-    const key = KeyStorePrefixes.ActiveSSEConnections(projectId, actorId, id);
-
-    await Promise.all([redis.rpush(set, id), redis.set(key, "1", "EX", 60)]);
-  };
-
-  const ping = async () => {
-    if (!auth) return; // Avoid race condition if ping is called before open
-
-    const { actorId, projectId } = auth;
-    const key = KeyStorePrefixes.ActiveSSEConnections(projectId, actorId, id);
-
-    await redis.set(key, "1", "EX", 60);
-
-    stream.push("1");
-  };
-
-  const close = () => {
-    if (stream.closed) return;
-    stream.push(null);
-    stream.destroy();
-  };
-
-  /**
-   * Refreshes the connection's auth permissions
-   * Must be called atleast once when connection is opened
-   */
-  const refresh = async () => {
-    try {
-      auth = await options.getAuthInfo();
-      await options.onAuthRefresh(auth);
-    } catch (error) {
-      if (error instanceof Error) {
-        send({
-          type: "error",
-          data: {
-            ...error
-          }
-        });
-        return close();
-      }
-      stream.emit("error", error);
-    }
-  };
-
-  const abort = () => {
-    try {
-      control.abort();
-    } catch (error) {
-      logger.debug(error, "Error aborting SSE stream");
-    }
-  };
-
-  return {
-    id,
-    stream,
-    open,
-    send,
-    ping,
-    refresh,
-    close,
-    signal: control.signal,
-    abort,
-    matcher,
-    get auth() {
-      if (!auth) {
-        throw new Error("Auth info not set");
-      }
-
-      return auth;
-    }
-  };
-}

backend/src/ee/services/event/types.ts

@@ -1,125 +0,0 @@
-import { z } from "zod";
-
-import { ProjectType } from "@app/db/schemas";
-import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
-
-export enum TopicName {
-  CoreServers = "infisical::core-servers"
-}
-
-export enum BusEventName {
-  CreateSecret = "secret:create",
-  UpdateSecret = "secret:update",
-  DeleteSecret = "secret:delete"
-}
-
-type PublisableEventTypes =
-  | EventType.CREATE_SECRET
-  | EventType.CREATE_SECRETS
-  | EventType.DELETE_SECRET
-  | EventType.DELETE_SECRETS
-  | EventType.UPDATE_SECRETS
-  | EventType.UPDATE_SECRET;
-
-export function toBusEventName(input: EventType) {
-  switch (input) {
-    case EventType.CREATE_SECRET:
-    case EventType.CREATE_SECRETS:
-      return BusEventName.CreateSecret;
-    case EventType.UPDATE_SECRET:
-    case EventType.UPDATE_SECRETS:
-      return BusEventName.UpdateSecret;
-    case EventType.DELETE_SECRET:
-    case EventType.DELETE_SECRETS:
-      return BusEventName.DeleteSecret;
-    default:
-      return null;
-  }
-}
-
-const isBulkEvent = (event: Event): event is Extract<Event, { metadata: { secrets: Array<unknown> } }> => {
-  return event.type.endsWith("-secrets"); // Feels so wrong
-};
-
-export const toPublishableEvent = (event: Event) => {
-  const name = toBusEventName(event.type);
-
-  if (!name) return null;
-
-  const e = event as Extract<Event, { type: PublisableEventTypes }>;
-
-  if (isBulkEvent(e)) {
-    return {
-      name,
-      isBulk: true,
-      data: {
-        eventType: e.type,
-        payload: e.metadata.secrets.map((s) => ({
-          environment: e.metadata.environment,
-          secretPath: e.metadata.secretPath,
-          ...s
-        }))
-      }
-    } as const;
-  }
-
-  return {
-    name,
-    isBulk: false,
-    data: {
-      eventType: e.type,
-      payload: {
-        ...e.metadata,
-        environment: e.metadata.environment
-      }
-    }
-  } as const;
-};
-
-export const EventName = z.nativeEnum(BusEventName);
-
-const EventSecretPayload = z.object({
-  secretPath: z.string().optional(),
-  secretId: z.string(),
-  secretKey: z.string(),
-  environment: z.string()
-});
-
-export type EventSecret = z.infer<typeof EventSecretPayload>;
-
-export const EventSchema = z.object({
-  datacontenttype: z.literal("application/json").optional().default("application/json"),
-  type: z.nativeEnum(ProjectType),
-  source: z.string(),
-  time: z
-    .string()
-    .optional()
-    .default(() => new Date().toISOString()),
-  data: z.discriminatedUnion("eventType", [
-    z.object({
-      specversion: z.number().optional().default(1),
-      eventType: z.enum([EventType.CREATE_SECRET, EventType.UPDATE_SECRET, EventType.DELETE_SECRET]),
-      payload: EventSecretPayload
-    }),
-    z.object({
-      specversion: z.number().optional().default(1),
-      eventType: z.enum([EventType.CREATE_SECRETS, EventType.UPDATE_SECRETS, EventType.DELETE_SECRETS]),
-      payload: EventSecretPayload.array()
-    })
-    // Add more event types as needed
-  ])
-});
-
-export type EventData = z.infer<typeof EventSchema>;
-
-export const EventRegisterSchema = z.object({
-  event: EventName,
-  conditions: z
-    .object({
-      secretPath: z.string().optional().default("/"),
-      environmentSlug: z.string()
-    })
-    .optional()
-});
-
-export type RegisteredEvent = z.infer<typeof EventRegisterSchema>;

backend/src/ee/services/license/license-fns.ts

@@ -59,8 +59,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   secretScanning: false,
   enterpriseSecretSyncs: false,
   enterpriseAppConnections: false,
-  fips: false,
-  eventSubscriptions: false
+  fips: false
 });
 
 export const setupLicenseRequestWithStore = (

backend/src/ee/services/license/license-service.ts

@@ -5,14 +5,13 @@
 // TODO(akhilmhdh): With tony find out the api structure and fill it here
 
 import { ForbiddenError } from "@casl/ability";
-import { AxiosError } from "axios";
 import { CronJob } from "cron";
 import { Knex } from "knex";
 
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { verifyOfflineLicense } from "@app/lib/crypto";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TIdentityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -604,22 +603,10 @@ export const licenseServiceFactory = ({
       });
     }
 
-    try {
-      const { data } = await licenseServerCloudApi.request.delete(
-        `/api/license-server/v1/customers/${organization.customerId}/billing-details/payment-methods/${pmtMethodId}`
-      );
-      return data;
-    } catch (error) {
-      if (error instanceof AxiosError) {
-        throw new BadRequestError({
-          // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
-          message: `Failed to remove payment method: ${error.response?.data?.message}`
-        });
-      }
-      throw new BadRequestError({
-        message: "Unable to remove payment method"
-      });
-    }
+    const { data } = await licenseServerCloudApi.request.delete(
+      `/api/license-server/v1/customers/${organization.customerId}/billing-details/payment-methods/${pmtMethodId}`
+    );
+    return data;
   };
 
   const getOrgTaxIds = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgTaxIdDTO) => {

backend/src/ee/services/license/license-types.ts

@@ -76,7 +76,6 @@ export type TFeatureSet = {
   enterpriseSecretSyncs: false;
   enterpriseAppConnections: false;
   fips: false;
-  eventSubscriptions: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/permission/default-roles.ts

@@ -161,8 +161,7 @@ const buildAdminPermissionRules = () => {
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Create,
       ProjectPermissionSecretActions.Edit,
-      ProjectPermissionSecretActions.Delete,
-      ProjectPermissionSecretActions.Subscribe
+      ProjectPermissionSecretActions.Delete
     ],
     ProjectPermissionSub.Secrets
   );
@@ -266,8 +265,7 @@ const buildMemberPermissionRules = () => {
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Edit,
       ProjectPermissionSecretActions.Create,
-      ProjectPermissionSecretActions.Delete,
-      ProjectPermissionSecretActions.Subscribe
+      ProjectPermissionSecretActions.Delete
     ],
     ProjectPermissionSub.Secrets
   );

backend/src/ee/services/permission/project-permission.ts

@@ -36,8 +36,7 @@ export enum ProjectPermissionSecretActions {
   ReadValue = "readValue",
   Create = "create",
   Edit = "edit",
-  Delete = "delete",
-  Subscribe = "subscribe"
+  Delete = "delete"
 }
 
 export enum ProjectPermissionCmekActions {
@@ -205,7 +204,6 @@ export type SecretSubjectFields = {
   secretPath: string;
   secretName?: string;
   secretTags?: string[];
-  eventType?: string;
 };
 
 export type SecretFolderSubjectFields = {
@@ -485,17 +483,7 @@ const SecretConditionV2Schema = z
       .object({
         [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
       })
-      .partial(),
-    eventType: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-        })
-        .partial()
-    ])
+      .partial()
   })
   .partial();
 

backend/src/ee/services/scim/scim-service.ts

@@ -579,9 +579,6 @@ export const scimServiceFactory = ({
       });
 
     const serverCfg = await getServerCfg();
-    const hasEmailChanged = email?.toLowerCase() !== membership.email;
-    const defaultEmailVerified =
-      org.orgAuthMethod === OrgAuthMethod.OIDC ? serverCfg.trustOidcEmails : serverCfg.trustSamlEmails;
     await userDAL.transaction(async (tx) => {
       await userAliasDAL.update(
         {
@@ -608,7 +605,8 @@ export const scimServiceFactory = ({
           firstName,
           email: email?.toLowerCase(),
           lastName,
-          isEmailVerified: hasEmailChanged ? defaultEmailVerified : undefined
+          isEmailVerified:
+            org.orgAuthMethod === OrgAuthMethod.OIDC ? serverCfg.trustOidcEmails : serverCfg.trustSamlEmails
         },
         tx
       );

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -65,14 +65,10 @@ import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TLicenseServiceFactory } from "../license/license-service";
-import {
-  hasSecretReadValueOrDescribePermission,
-  throwIfMissingSecretReadValueOrDescribePermission
-} from "../permission/permission-fns";
+import { throwIfMissingSecretReadValueOrDescribePermission } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
 import { ProjectPermissionSecretActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
-import { scanSecretPolicyViolations } from "../secret-scanning-v2/secret-scanning-v2-fns";
 import { TSecretSnapshotServiceFactory } from "../secret-snapshot/secret-snapshot-service";
 import { TSecretApprovalRequestDALFactory } from "./secret-approval-request-dal";
 import { sendApprovalEmailsFn } from "./secret-approval-request-fns";
@@ -280,19 +276,13 @@ export const secretApprovalRequestServiceFactory = ({
     ) {
       throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
     }
-    const getHasSecretReadAccess = (environment: string, tags: { slug: string }[], secretPath?: string) => {
-      const canRead = hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
-        environment,
-        secretPath: secretPath || "/",
-        secretTags: tags.map((i) => i.slug)
-      });
-      return canRead;
-    };
+
+    const hasSecretReadAccess = permission.can(
+      ProjectPermissionSecretActions.DescribeAndReadValue,
+      ProjectPermissionSub.Secrets
+    );
 
     let secrets;
-    const secretPath = await folderDAL.findSecretPathByFolderIds(secretApprovalRequest.projectId, [
-      secretApprovalRequest.folderId
-    ]);
     if (shouldUseSecretV2Bridge) {
       const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
         type: KmsDataKey.SecretManager,
@@ -308,8 +298,8 @@ export const secretApprovalRequestServiceFactory = ({
         version: el.version,
         secretMetadata: el.secretMetadata as ResourceMetadataDTO,
         isRotatedSecret: el.secret?.isRotatedSecret ?? false,
-        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
-        secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
+        secretValueHidden: !hasSecretReadAccess,
+        secretValue: !hasSecretReadAccess
           ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
           : el.secret && el.secret.isRotatedSecret
             ? undefined
@@ -324,12 +314,8 @@ export const secretApprovalRequestServiceFactory = ({
               secretKey: el.secret.key,
               id: el.secret.id,
               version: el.secret.version,
-              secretValueHidden: !getHasSecretReadAccess(
-                secretApprovalRequest.environment,
-                el.tags,
-                secretPath?.[0]?.path
-              ),
-              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
+              secretValueHidden: !hasSecretReadAccess,
+              secretValue: !hasSecretReadAccess
                 ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                 : el.secret.encryptedValue
                   ? secretManagerDecryptor({ cipherTextBlob: el.secret.encryptedValue }).toString()
@@ -344,12 +330,8 @@ export const secretApprovalRequestServiceFactory = ({
               secretKey: el.secretVersion.key,
               id: el.secretVersion.id,
               version: el.secretVersion.version,
-              secretValueHidden: !getHasSecretReadAccess(
-                secretApprovalRequest.environment,
-                el.tags,
-                secretPath?.[0]?.path
-              ),
-              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
+              secretValueHidden: !hasSecretReadAccess,
+              secretValue: !hasSecretReadAccess
                 ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                 : el.secretVersion.encryptedValue
                   ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedValue }).toString()
@@ -367,7 +349,7 @@ export const secretApprovalRequestServiceFactory = ({
       const encryptedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
       secrets = encryptedSecrets.map((el) => ({
         ...el,
-        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
+        secretValueHidden: !hasSecretReadAccess,
         ...decryptSecretWithBot(el, botKey),
         secret: el.secret
           ? {
@@ -387,6 +369,9 @@ export const secretApprovalRequestServiceFactory = ({
           : undefined
       }));
     }
+    const secretPath = await folderDAL.findSecretPathByFolderIds(secretApprovalRequest.projectId, [
+      secretApprovalRequest.folderId
+    ]);
 
     return { ...secretApprovalRequest, secretPath: secretPath?.[0]?.path || "/", commits: secrets };
   };
@@ -1427,20 +1412,6 @@ export const secretApprovalRequestServiceFactory = ({
       projectId
     });
 
-    const project = await projectDAL.findById(projectId);
-    await scanSecretPolicyViolations(
-      projectId,
-      secretPath,
-      [
-        ...(data[SecretOperations.Create] || []),
-        ...(data[SecretOperations.Update] || []).filter((el) => el.secretValue)
-      ].map((el) => ({
-        secretKey: el.secretKey,
-        secretValue: el.secretValue as string
-      })),
-      project.secretDetectionIgnoreValues || []
-    );
-
     // for created secret approval change
     const createdSecrets = data[SecretOperations.Create];
     if (createdSecrets && createdSecrets?.length) {

backend/src/ee/services/secret-rotation-v2/azure-client-secret/azure-client-secret-rotation-fns.ts

@@ -21,8 +21,6 @@ const GRAPH_API_BASE = "https://graph.microsoft.com/v1.0";
 
 type AzureErrorResponse = { error: { message: string } };
 
-const EXPIRY_PADDING_IN_DAYS = 3;
-
 const sleep = async () =>
   new Promise((resolve) => {
     setTimeout(resolve, 1000);
@@ -35,8 +33,7 @@ export const azureClientSecretRotationFactory: TRotationFactory<
   const {
     connection,
     parameters: { objectId, clientId: clientIdParam },
-    secretsMapping,
-    rotationInterval
+    secretsMapping
   } = secretRotation;
 
   /**
@@ -53,7 +50,7 @@ export const azureClientSecretRotationFactory: TRotationFactory<
     )}-${now.getFullYear()}`;
 
     const endDateTime = new Date();
-    endDateTime.setDate(now.getDate() + rotationInterval * 2 + EXPIRY_PADDING_IN_DAYS); // give 72 hour buffer
+    endDateTime.setFullYear(now.getFullYear() + 5);
 
     try {
       const { data } = await request.post<AzureAddPasswordResponse>(
@@ -198,12 +195,6 @@ export const azureClientSecretRotationFactory: TRotationFactory<
     callback
   ) => {
     const credentials = await $rotateClientSecret();
-
-    // 2.5 years as expiry is set to x2 interval for the inactive period of credential
-    if (rotationInterval > Math.floor(365 * 2.5) - EXPIRY_PADDING_IN_DAYS) {
-      throw new BadRequestError({ message: "Azure does not support token duration over 5 years" });
-    }
-
     return callback(credentials);
   };
 

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-dal.ts

@@ -51,7 +51,6 @@ const baseSecretRotationV2Query = ({
       db.ref("encryptedCredentials").withSchema(TableName.AppConnection).as("connectionEncryptedCredentials"),
       db.ref("description").withSchema(TableName.AppConnection).as("connectionDescription"),
       db.ref("version").withSchema(TableName.AppConnection).as("connectionVersion"),
-      db.ref("gatewayId").withSchema(TableName.AppConnection).as("connectionGatewayId"),
       db.ref("createdAt").withSchema(TableName.AppConnection).as("connectionCreatedAt"),
       db.ref("updatedAt").withSchema(TableName.AppConnection).as("connectionUpdatedAt"),
       db
@@ -105,7 +104,6 @@ const expandSecretRotation = <T extends Awaited<ReturnType<typeof baseSecretRota
     connectionCreatedAt,
     connectionUpdatedAt,
     connectionVersion,
-    connectionGatewayId,
     connectionIsPlatformManagedCredentials,
     ...el
   } = secretRotation;
@@ -125,7 +123,6 @@ const expandSecretRotation = <T extends Awaited<ReturnType<typeof baseSecretRota
       createdAt: connectionCreatedAt,
       updatedAt: connectionUpdatedAt,
       version: connectionVersion,
-      gatewayId: connectionGatewayId,
       isPlatformManagedCredentials: connectionIsPlatformManagedCredentials
     },
     folder: {

backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-factory.ts

@@ -18,8 +18,7 @@ import {
   TSecretScanningFactoryInitialize,
   TSecretScanningFactoryListRawResources,
   TSecretScanningFactoryPostInitialization,
-  TSecretScanningFactoryTeardown,
-  TSecretScanningFactoryValidateConfigUpdate
+  TSecretScanningFactoryTeardown
 } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
@@ -303,13 +302,6 @@ export const BitbucketSecretScanningFactory = () => {
     );
   };
 
-  const validateConfigUpdate: TSecretScanningFactoryValidateConfigUpdate<
-    TBitbucketDataSourceInput["config"],
-    TBitbucketDataSourceWithConnection
-  > = async () => {
-    // no validation required
-  };
-
   return {
     initialize,
     postInitialization,
@@ -317,7 +309,6 @@ export const BitbucketSecretScanningFactory = () => {
     getFullScanPath,
     getDiffScanResourcePayload,
     getDiffScanFindingsPayload,
-    teardown,
-    validateConfigUpdate
+    teardown
   };
 };

backend/src/ee/services/secret-scanning-v2/github/github-secret-scanning-factory.ts

@@ -20,8 +20,7 @@ import {
   TSecretScanningFactoryInitialize,
   TSecretScanningFactoryListRawResources,
   TSecretScanningFactoryPostInitialization,
-  TSecretScanningFactoryTeardown,
-  TSecretScanningFactoryValidateConfigUpdate
+  TSecretScanningFactoryTeardown
 } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
@@ -65,14 +64,7 @@ export const GitHubSecretScanningFactory = () => {
   };
 
   const teardown: TSecretScanningFactoryTeardown<TGitHubDataSourceWithConnection> = async () => {
-    // no teardown required
-  };
-
-  const validateConfigUpdate: TSecretScanningFactoryValidateConfigUpdate<
-    TGitHubDataSourceInput["config"],
-    TGitHubDataSourceWithConnection
-  > = async () => {
-    // no validation required
+    // no termination required
   };
 
   const listRawResources: TSecretScanningFactoryListRawResources<TGitHubDataSourceWithConnection> = async (
@@ -246,7 +238,6 @@ export const GitHubSecretScanningFactory = () => {
     getFullScanPath,
     getDiffScanResourcePayload,
     getDiffScanFindingsPayload,
-    teardown,
-    validateConfigUpdate
+    teardown
   };
 };

backend/src/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-constants.ts

@@ -1,9 +0,0 @@
-import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
-import { TSecretScanningDataSourceListItem } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-export const GITLAB_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION: TSecretScanningDataSourceListItem = {
-  name: "GitLab",
-  type: SecretScanningDataSource.GitLab,
-  connection: AppConnection.GitLab
-};

backend/src/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-enums.ts

@@ -1,8 +0,0 @@
-export enum GitLabDataSourceScope {
-  Project = "project",
-  Group = "group"
-}
-
-export enum GitLabWebHookEvent {
-  Push = "Push Hook"
-}

backend/src/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-factory.ts

@@ -1,409 +0,0 @@
-import { Camelize, GitbeakerRequestError, GroupHookSchema, ProjectHookSchema } from "@gitbeaker/rest";
-import { join } from "path";
-
-import { scanContentAndGetFindings } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-fns";
-import { SecretMatch } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue-types";
-import {
-  SecretScanningFindingSeverity,
-  SecretScanningResource
-} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
-import {
-  cloneRepository,
-  convertPatchLineToFileLineNumber,
-  replaceNonChangesWithNewlines
-} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-fns";
-import {
-  TSecretScanningFactoryGetDiffScanFindingsPayload,
-  TSecretScanningFactoryGetDiffScanResourcePayload,
-  TSecretScanningFactoryGetFullScanPath,
-  TSecretScanningFactoryInitialize,
-  TSecretScanningFactoryListRawResources,
-  TSecretScanningFactoryParams,
-  TSecretScanningFactoryPostInitialization,
-  TSecretScanningFactoryTeardown,
-  TSecretScanningFactoryValidateConfigUpdate
-} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
-import { titleCaseToCamelCase } from "@app/lib/fn";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { GitLabProjectRegex } from "@app/lib/regex";
-import {
-  getGitLabConnectionClient,
-  getGitLabInstanceUrl,
-  TGitLabConnection
-} from "@app/services/app-connection/gitlab";
-
-import { GitLabDataSourceScope } from "./gitlab-secret-scanning-enums";
-import {
-  TGitLabDataSourceCredentials,
-  TGitLabDataSourceInput,
-  TGitLabDataSourceWithConnection,
-  TQueueGitLabResourceDiffScan
-} from "./gitlab-secret-scanning-types";
-
-const getMainDomain = (instanceUrl: string) => {
-  const url = new URL(instanceUrl);
-  const { hostname } = url;
-  const parts = hostname.split(".");
-
-  if (parts.length >= 2) {
-    return parts.slice(-2).join(".");
-  }
-
-  return hostname;
-};
-
-export const GitLabSecretScanningFactory = ({ appConnectionDAL, kmsService }: TSecretScanningFactoryParams) => {
-  const initialize: TSecretScanningFactoryInitialize<
-    TGitLabDataSourceInput,
-    TGitLabConnection,
-    TGitLabDataSourceCredentials
-  > = async ({ payload: { config, name }, connection }, callback) => {
-    const token = alphaNumericNanoId(64);
-
-    const client = await getGitLabConnectionClient(connection, appConnectionDAL, kmsService);
-    const appCfg = getConfig();
-
-    if (config.scope === GitLabDataSourceScope.Project) {
-      const { projectId } = config;
-      const project = await client.Projects.show(projectId);
-
-      if (!project) {
-        throw new BadRequestError({ message: `Could not find project with ID ${projectId}.` });
-      }
-
-      let hook: Camelize<ProjectHookSchema>;
-      try {
-        hook = await client.ProjectHooks.add(projectId, `${appCfg.SITE_URL}/secret-scanning/webhooks/gitlab`, {
-          token,
-          pushEvents: true,
-          enableSslVerification: true,
-          // @ts-expect-error gitbeaker is outdated, and the types don't support this field yet
-          name: `Infisical Secret Scanning - ${name}`
-        });
-      } catch (error) {
-        if (error instanceof GitbeakerRequestError) {
-          throw new BadRequestError({ message: `${error.message}: ${error.cause?.description ?? "Unknown Error"}` });
-        }
-
-        throw error;
-      }
-
-      try {
-        return await callback({
-          credentials: {
-            token,
-            hookId: hook.id
-          }
-        });
-      } catch (error) {
-        try {
-          await client.ProjectHooks.remove(projectId, hook.id);
-        } catch {
-          // do nothing, just try to clean up webhook
-        }
-
-        throw error;
-      }
-    }
-
-    // group scope
-    const { groupId } = config;
-
-    const group = await client.Groups.show(groupId);
-
-    if (!group) {
-      throw new BadRequestError({ message: `Could not find group with ID ${groupId}.` });
-    }
-
-    let hook: Camelize<GroupHookSchema>;
-    try {
-      hook = await client.GroupHooks.add(groupId, `${appCfg.SITE_URL}/secret-scanning/webhooks/gitlab`, {
-        token,
-        pushEvents: true,
-        enableSslVerification: true,
-        // @ts-expect-error gitbeaker is outdated, and the types don't support this field yet
-        name: `Infisical Secret Scanning - ${name}`
-      });
-    } catch (error) {
-      if (error instanceof GitbeakerRequestError) {
-        throw new BadRequestError({ message: `${error.message}: ${error.cause?.description ?? "Unknown Error"}` });
-      }
-
-      throw error;
-    }
-
-    try {
-      return await callback({
-        credentials: {
-          token,
-          hookId: hook.id
-        }
-      });
-    } catch (error) {
-      try {
-        await client.GroupHooks.remove(groupId, hook.id);
-      } catch {
-        // do nothing, just try to clean up webhook
-      }
-
-      throw error;
-    }
-  };
-
-  const postInitialization: TSecretScanningFactoryPostInitialization<
-    TGitLabDataSourceInput,
-    TGitLabConnection,
-    TGitLabDataSourceCredentials
-  > = async ({ connection, dataSourceId, credentials, payload: { config } }) => {
-    const client = await getGitLabConnectionClient(connection, appConnectionDAL, kmsService);
-    const appCfg = getConfig();
-
-    const hookUrl = `${appCfg.SITE_URL}/secret-scanning/webhooks/gitlab`;
-    const { hookId } = credentials;
-
-    if (config.scope === GitLabDataSourceScope.Project) {
-      const { projectId } = config;
-
-      try {
-        await client.ProjectHooks.edit(projectId, hookId, hookUrl, {
-          // @ts-expect-error gitbeaker is outdated, and the types don't support this field yet
-          name: `Infisical Secret Scanning - ${dataSourceId}`,
-          custom_headers: [{ key: "x-data-source-id", value: dataSourceId }]
-        });
-      } catch (error) {
-        try {
-          await client.ProjectHooks.remove(projectId, hookId);
-        } catch {
-          // do nothing, just try to clean up webhook
-        }
-
-        throw error;
-      }
-
-      return;
-    }
-
-    // group-scope
-    const { groupId } = config;
-
-    try {
-      await client.GroupHooks.edit(groupId, hookId, hookUrl, {
-        // @ts-expect-error gitbeaker is outdated, and the types don't support this field yet
-        name: `Infisical Secret Scanning - ${dataSourceId}`,
-        custom_headers: [{ key: "x-data-source-id", value: dataSourceId }]
-      });
-    } catch (error) {
-      try {
-        await client.GroupHooks.remove(groupId, hookId);
-      } catch {
-        // do nothing, just try to clean up webhook
-      }
-
-      throw error;
-    }
-  };
-
-  const listRawResources: TSecretScanningFactoryListRawResources<TGitLabDataSourceWithConnection> = async (
-    dataSource
-  ) => {
-    const { connection, config } = dataSource;
-
-    const client = await getGitLabConnectionClient(connection, appConnectionDAL, kmsService);
-
-    if (config.scope === GitLabDataSourceScope.Project) {
-      const { projectId } = config;
-
-      const project = await client.Projects.show(projectId);
-
-      if (!project) {
-        throw new BadRequestError({ message: `Could not find project with ID ${projectId}.` });
-      }
-
-      // scott: even though we have this data we want to get potentially updated name
-      return [
-        {
-          name: project.pathWithNamespace,
-          externalId: project.id.toString(),
-          type: SecretScanningResource.Project
-        }
-      ];
-    }
-
-    // group-scope
-
-    const { groupId, includeProjects } = config;
-
-    const projects = await client.Groups.allProjects(groupId, {
-      archived: false
-    });
-
-    const filteredProjects: typeof projects = [];
-    if (!includeProjects || includeProjects.includes("*")) {
-      filteredProjects.push(...projects);
-    } else {
-      filteredProjects.push(...projects.filter((project) => includeProjects.includes(project.pathWithNamespace)));
-    }
-
-    return filteredProjects.map(({ id, pathWithNamespace }) => ({
-      name: pathWithNamespace,
-      externalId: id.toString(),
-      type: SecretScanningResource.Project
-    }));
-  };
-
-  const getFullScanPath: TSecretScanningFactoryGetFullScanPath<TGitLabDataSourceWithConnection> = async ({
-    dataSource,
-    resourceName,
-    tempFolder
-  }) => {
-    const { connection } = dataSource;
-
-    const instanceUrl = await getGitLabInstanceUrl(connection.credentials.instanceUrl);
-
-    const client = await getGitLabConnectionClient(connection, appConnectionDAL, kmsService);
-
-    const user = await client.Users.showCurrentUser();
-
-    const repoPath = join(tempFolder, "repo.git");
-
-    if (!GitLabProjectRegex.test(resourceName)) {
-      throw new Error("Invalid GitLab project name");
-    }
-
-    await cloneRepository({
-      cloneUrl: `https://${user.username}:${connection.credentials.accessToken}@${getMainDomain(instanceUrl)}/${resourceName}.git`,
-      repoPath
-    });
-
-    return repoPath;
-  };
-
-  const teardown: TSecretScanningFactoryTeardown<
-    TGitLabDataSourceWithConnection,
-    TGitLabDataSourceCredentials
-  > = async ({ dataSource: { connection, config }, credentials: { hookId } }) => {
-    const client = await getGitLabConnectionClient(connection, appConnectionDAL, kmsService);
-
-    if (config.scope === GitLabDataSourceScope.Project) {
-      const { projectId } = config;
-      try {
-        await client.ProjectHooks.remove(projectId, hookId);
-      } catch (error) {
-        // do nothing, just try to clean up webhook
-      }
-      return;
-    }
-
-    const { groupId } = config;
-    try {
-      await client.GroupHooks.remove(groupId, hookId);
-    } catch (error) {
-      // do nothing, just try to clean up webhook
-    }
-  };
-
-  const getDiffScanResourcePayload: TSecretScanningFactoryGetDiffScanResourcePayload<
-    TQueueGitLabResourceDiffScan["payload"]
-  > = ({ project }) => {
-    return {
-      name: project.path_with_namespace,
-      externalId: project.id.toString(),
-      type: SecretScanningResource.Project
-    };
-  };
-
-  const getDiffScanFindingsPayload: TSecretScanningFactoryGetDiffScanFindingsPayload<
-    TGitLabDataSourceWithConnection,
-    TQueueGitLabResourceDiffScan["payload"]
-  > = async ({ dataSource, payload, resourceName, configPath }) => {
-    const { connection } = dataSource;
-
-    const client = await getGitLabConnectionClient(connection, appConnectionDAL, kmsService);
-
-    const { commits, project } = payload;
-
-    const allFindings: SecretMatch[] = [];
-
-    for (const commit of commits) {
-      // eslint-disable-next-line no-await-in-loop
-      const commitDiffs = await client.Commits.showDiff(project.id, commit.id);
-
-      for (const commitDiff of commitDiffs) {
-        // eslint-disable-next-line no-continue
-        if (commitDiff.deletedFile) continue;
-
-        // eslint-disable-next-line no-await-in-loop
-        const findings = await scanContentAndGetFindings(
-          replaceNonChangesWithNewlines(`\n${commitDiff.diff}`),
-          configPath
-        );
-
-        const adjustedFindings = findings.map((finding) => {
-          const startLine = convertPatchLineToFileLineNumber(commitDiff.diff, finding.StartLine);
-          const endLine =
-            finding.StartLine === finding.EndLine
-              ? startLine
-              : convertPatchLineToFileLineNumber(commitDiff.diff, finding.EndLine);
-          const startColumn = finding.StartColumn - 1; // subtract 1 for +
-          const endColumn = finding.EndColumn - 1; // subtract 1 for +
-          const authorName = commit.author.name;
-          const authorEmail = commit.author.email;
-
-          return {
-            ...finding,
-            StartLine: startLine,
-            EndLine: endLine,
-            StartColumn: startColumn,
-            EndColumn: endColumn,
-            File: commitDiff.newPath,
-            Commit: commit.id,
-            Author: authorName,
-            Email: authorEmail,
-            Message: commit.message,
-            Fingerprint: `${commit.id}:${commitDiff.newPath}:${finding.RuleID}:${startLine}:${startColumn}`,
-            Date: commit.timestamp,
-            Link: `https://gitlab.com/${resourceName}/blob/${commit.id}/${commitDiff.newPath}#L${startLine}`
-          };
-        });
-
-        allFindings.push(...adjustedFindings);
-      }
-    }
-
-    return allFindings.map(
-      ({
-        // discard match and secret as we don't want to store
-        Match,
-        Secret,
-        ...finding
-      }) => ({
-        details: titleCaseToCamelCase(finding),
-        fingerprint: finding.Fingerprint,
-        severity: SecretScanningFindingSeverity.High,
-        rule: finding.RuleID
-      })
-    );
-  };
-
-  const validateConfigUpdate: TSecretScanningFactoryValidateConfigUpdate<
-    TGitLabDataSourceInput["config"],
-    TGitLabDataSourceWithConnection
-  > = async ({ config, dataSource }) => {
-    if (dataSource.config.scope !== config.scope) {
-      throw new BadRequestError({ message: "Cannot change Data Source scope after creation." });
-    }
-  };
-
-  return {
-    listRawResources,
-    getFullScanPath,
-    initialize,
-    postInitialization,
-    teardown,
-    getDiffScanResourcePayload,
-    getDiffScanFindingsPayload,
-    validateConfigUpdate
-  };
-};

backend/src/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-schemas.ts

@@ -1,101 +0,0 @@
-import { z } from "zod";
-
-import { GitLabDataSourceScope } from "@app/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-enums";
-import {
-  SecretScanningDataSource,
-  SecretScanningResource
-} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
-import {
-  BaseCreateSecretScanningDataSourceSchema,
-  BaseSecretScanningDataSourceSchema,
-  BaseSecretScanningFindingSchema,
-  BaseUpdateSecretScanningDataSourceSchema,
-  GitRepositoryScanFindingDetailsSchema
-} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-schemas";
-import { SecretScanningDataSources } from "@app/lib/api-docs";
-import { GitLabProjectRegex } from "@app/lib/regex";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-export const GitLabDataSourceConfigSchema = z.discriminatedUnion("scope", [
-  z.object({
-    scope: z.literal(GitLabDataSourceScope.Group).describe(SecretScanningDataSources.CONFIG.GITLAB.scope),
-    groupId: z.number().describe(SecretScanningDataSources.CONFIG.GITLAB.groupId),
-    groupName: z.string().trim().max(256).optional().describe(SecretScanningDataSources.CONFIG.GITLAB.groupName),
-    includeProjects: z
-      .array(
-        z
-          .string()
-          .min(1)
-          .max(256)
-          .refine((value) => value === "*" || GitLabProjectRegex.test(value), "Invalid project name format")
-      )
-      .nonempty("One or more projects required")
-      .max(100, "Cannot configure more than 100 projects")
-      .default(["*"])
-      .describe(SecretScanningDataSources.CONFIG.GITLAB.includeProjects)
-  }),
-  z.object({
-    scope: z.literal(GitLabDataSourceScope.Project).describe(SecretScanningDataSources.CONFIG.GITLAB.scope),
-    projectName: z.string().trim().max(256).optional().describe(SecretScanningDataSources.CONFIG.GITLAB.projectName),
-    projectId: z.number().describe(SecretScanningDataSources.CONFIG.GITLAB.projectId)
-  })
-]);
-
-export const GitLabDataSourceSchema = BaseSecretScanningDataSourceSchema({
-  type: SecretScanningDataSource.GitLab,
-  isConnectionRequired: true
-})
-  .extend({
-    config: GitLabDataSourceConfigSchema
-  })
-  .describe(
-    JSON.stringify({
-      title: "GitLab"
-    })
-  );
-
-export const CreateGitLabDataSourceSchema = BaseCreateSecretScanningDataSourceSchema({
-  type: SecretScanningDataSource.GitLab,
-  isConnectionRequired: true
-})
-  .extend({
-    config: GitLabDataSourceConfigSchema
-  })
-  .describe(
-    JSON.stringify({
-      title: "GitLab"
-    })
-  );
-
-export const UpdateGitLabDataSourceSchema = BaseUpdateSecretScanningDataSourceSchema(SecretScanningDataSource.GitLab)
-  .extend({
-    config: GitLabDataSourceConfigSchema.optional()
-  })
-  .describe(
-    JSON.stringify({
-      title: "GitLab"
-    })
-  );
-
-export const GitLabDataSourceListItemSchema = z
-  .object({
-    name: z.literal("GitLab"),
-    connection: z.literal(AppConnection.GitLab),
-    type: z.literal(SecretScanningDataSource.GitLab)
-  })
-  .describe(
-    JSON.stringify({
-      title: "GitLab"
-    })
-  );
-
-export const GitLabFindingSchema = BaseSecretScanningFindingSchema.extend({
-  resourceType: z.literal(SecretScanningResource.Project),
-  dataSourceType: z.literal(SecretScanningDataSource.GitLab),
-  details: GitRepositoryScanFindingDetailsSchema
-});
-
-export const GitLabDataSourceCredentialsSchema = z.object({
-  token: z.string(),
-  hookId: z.number()
-});

backend/src/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-service.ts

@@ -1,94 +0,0 @@
-import { GitLabDataSourceScope } from "@app/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-enums";
-import { TSecretScanningV2DALFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-dal";
-import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
-import { TSecretScanningV2QueueServiceFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-queue";
-import { logger } from "@app/lib/logger";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import {
-  TGitLabDataSource,
-  TGitLabDataSourceCredentials,
-  THandleGitLabPushEvent
-} from "./gitlab-secret-scanning-types";
-
-export const gitlabSecretScanningService = (
-  secretScanningV2DAL: TSecretScanningV2DALFactory,
-  secretScanningV2Queue: Pick<TSecretScanningV2QueueServiceFactory, "queueResourceDiffScan">,
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
-) => {
-  const handlePushEvent = async ({ payload, token, dataSourceId }: THandleGitLabPushEvent) => {
-    if (!payload.total_commits_count || !payload.project) {
-      logger.warn(
-        `secretScanningV2PushEvent: GitLab - Insufficient data [changes=${
-          payload.total_commits_count ?? 0
-        }] [projectName=${payload.project?.path_with_namespace ?? "unknown"}] [projectId=${payload.project?.id ?? "unknown"}]`
-      );
-      return;
-    }
-
-    const dataSource = (await secretScanningV2DAL.dataSources.findOne({
-      id: dataSourceId,
-      type: SecretScanningDataSource.GitLab
-    })) as TGitLabDataSource | undefined;
-
-    if (!dataSource) {
-      logger.error(
-        `secretScanningV2PushEvent: GitLab - Could not find data source [dataSourceId=${dataSourceId}] [projectId=${payload.project.id}]`
-      );
-      return;
-    }
-
-    const { isAutoScanEnabled, config, encryptedCredentials, projectId } = dataSource;
-
-    if (!encryptedCredentials) {
-      logger.info(
-        `secretScanningV2PushEvent: GitLab - Could not find encrypted credentials [dataSourceId=${dataSource.id}] [projectId=${payload.project.id}]`
-      );
-      return;
-    }
-
-    const { decryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.SecretManager,
-      projectId
-    });
-
-    const decryptedCredentials = decryptor({ cipherTextBlob: encryptedCredentials });
-
-    const credentials = JSON.parse(decryptedCredentials.toString()) as TGitLabDataSourceCredentials;
-
-    if (token !== credentials.token) {
-      logger.error(
-        `secretScanningV2PushEvent: GitLab - Invalid webhook token [dataSourceId=${dataSource.id}] [projectId=${payload.project.id}]`
-      );
-      return;
-    }
-
-    if (!isAutoScanEnabled) {
-      logger.info(
-        `secretScanningV2PushEvent: GitLab - ignoring due to auto scan disabled [dataSourceId=${dataSource.id}] [projectId=${payload.project.id}]`
-      );
-      return;
-    }
-
-    if (
-      config.scope === GitLabDataSourceScope.Project
-        ? config.projectId.toString() === payload.project_id.toString()
-        : config.includeProjects.includes("*") || config.includeProjects.includes(payload.project.path_with_namespace)
-    ) {
-      await secretScanningV2Queue.queueResourceDiffScan({
-        dataSourceType: SecretScanningDataSource.GitLab,
-        payload,
-        dataSourceId: dataSource.id
-      });
-    } else {
-      logger.info(
-        `secretScanningV2PushEvent: GitLab - ignoring due to repository not being present in config [dataSourceId=${dataSource.id}] [projectId=${payload.project.id}]`
-      );
-    }
-  };
-
-  return {
-    handlePushEvent
-  };
-};

backend/src/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-types.ts

@@ -1,97 +0,0 @@
-import { z } from "zod";
-
-import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
-import { TGitLabConnection } from "@app/services/app-connection/gitlab";
-
-import {
-  CreateGitLabDataSourceSchema,
-  GitLabDataSourceCredentialsSchema,
-  GitLabDataSourceListItemSchema,
-  GitLabDataSourceSchema,
-  GitLabFindingSchema
-} from "./gitlab-secret-scanning-schemas";
-
-export type TGitLabDataSource = z.infer<typeof GitLabDataSourceSchema>;
-
-export type TGitLabDataSourceInput = z.infer<typeof CreateGitLabDataSourceSchema>;
-
-export type TGitLabDataSourceListItem = z.infer<typeof GitLabDataSourceListItemSchema>;
-
-export type TGitLabFinding = z.infer<typeof GitLabFindingSchema>;
-
-export type TGitLabDataSourceWithConnection = TGitLabDataSource & {
-  connection: TGitLabConnection;
-};
-
-export type TGitLabDataSourceCredentials = z.infer<typeof GitLabDataSourceCredentialsSchema>;
-
-export type TGitLabDataSourcePushEventPayload = {
-  object_kind: "push";
-  event_name: "push";
-  before: string;
-  after: string;
-  ref: string;
-  ref_protected: boolean;
-  checkout_sha: string;
-  user_id: number;
-  user_name: string;
-  user_username: string;
-  user_email: string;
-  user_avatar: string;
-  project_id: number;
-  project: {
-    id: number;
-    name: string;
-    description: string;
-    web_url: string;
-    avatar_url: string | null;
-    git_ssh_url: string;
-    git_http_url: string;
-    namespace: string;
-    visibility_level: number;
-    path_with_namespace: string;
-    default_branch: string;
-    homepage: string;
-    url: string;
-    ssh_url: string;
-    http_url: string;
-  };
-  repository: {
-    name: string;
-    url: string;
-    description: string;
-    homepage: string;
-    git_http_url: string;
-    git_ssh_url: string;
-    visibility_level: number;
-  };
-  commits: {
-    id: string;
-    message: string;
-    title: string;
-    timestamp: string;
-    url: string;
-    author: {
-      name: string;
-      email: string;
-    };
-    added: string[];
-    modified: string[];
-    removed: string[];
-  }[];
-  total_commits_count: number;
-};
-
-export type THandleGitLabPushEvent = {
-  payload: TGitLabDataSourcePushEventPayload;
-  dataSourceId: string;
-  token: string;
-};
-
-export type TQueueGitLabResourceDiffScan = {
-  dataSourceType: SecretScanningDataSource.GitLab;
-  payload: TGitLabDataSourcePushEventPayload;
-  dataSourceId: string;
-  resourceId: string;
-  scanId: string;
-};

backend/src/ee/services/secret-scanning-v2/gitlab/index.ts

@@ -1,3 +0,0 @@
-export * from "./gitlab-secret-scanning-constants";
-export * from "./gitlab-secret-scanning-schemas";
-export * from "./gitlab-secret-scanning-types";

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-dal.ts

@@ -49,7 +49,6 @@ const baseSecretScanningDataSourceQuery = ({
       db.ref("encryptedCredentials").withSchema(TableName.AppConnection).as("connectionEncryptedCredentials"),
       db.ref("description").withSchema(TableName.AppConnection).as("connectionDescription"),
       db.ref("version").withSchema(TableName.AppConnection).as("connectionVersion"),
-      db.ref("gatewayId").withSchema(TableName.AppConnection).as("connectionGatewayId"),
       db.ref("createdAt").withSchema(TableName.AppConnection).as("connectionCreatedAt"),
       db.ref("updatedAt").withSchema(TableName.AppConnection).as("connectionUpdatedAt"),
       db
@@ -83,7 +82,6 @@ const expandSecretScanningDataSource = <
     connectionUpdatedAt,
     connectionVersion,
     connectionIsPlatformManagedCredentials,
-    connectionGatewayId,
     ...el
   } = dataSource;
 
@@ -102,8 +100,7 @@ const expandSecretScanningDataSource = <
           createdAt: connectionCreatedAt,
           updatedAt: connectionUpdatedAt,
           version: connectionVersion,
-          isPlatformManagedCredentials: connectionIsPlatformManagedCredentials,
-          gatewayId: connectionGatewayId
+          isPlatformManagedCredentials: connectionIsPlatformManagedCredentials
         }
       : undefined
   };

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-enums.ts

@@ -1,7 +1,6 @@
 export enum SecretScanningDataSource {
   GitHub = "github",
-  Bitbucket = "bitbucket",
-  GitLab = "gitlab"
+  Bitbucket = "bitbucket"
 }
 
 export enum SecretScanningScanStatus {

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-factory.ts

@@ -1,6 +1,5 @@
 import { BitbucketSecretScanningFactory } from "@app/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-factory";
 import { GitHubSecretScanningFactory } from "@app/ee/services/secret-scanning-v2/github/github-secret-scanning-factory";
-import { GitLabSecretScanningFactory } from "@app/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-factory";
 
 import { SecretScanningDataSource } from "./secret-scanning-v2-enums";
 import {
@@ -20,6 +19,5 @@ type TSecretScanningFactoryImplementation = TSecretScanningFactory<
 
 export const SECRET_SCANNING_FACTORY_MAP: Record<SecretScanningDataSource, TSecretScanningFactoryImplementation> = {
   [SecretScanningDataSource.GitHub]: GitHubSecretScanningFactory as TSecretScanningFactoryImplementation,
-  [SecretScanningDataSource.Bitbucket]: BitbucketSecretScanningFactory as TSecretScanningFactoryImplementation,
-  [SecretScanningDataSource.GitLab]: GitLabSecretScanningFactory as TSecretScanningFactoryImplementation
+  [SecretScanningDataSource.Bitbucket]: BitbucketSecretScanningFactory as TSecretScanningFactoryImplementation
 };

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-fns.ts

@@ -1,22 +1,11 @@
 import { AxiosError } from "axios";
 import { exec } from "child_process";
-import { join } from "path";
-import picomatch from "picomatch";
 import RE2 from "re2";
 
-import {
-  createTempFolder,
-  deleteTempFolder,
-  readFindingsFile,
-  writeTextToFile
-} from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-fns";
+import { readFindingsFile } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-fns";
 import { SecretMatch } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue-types";
 import { BITBUCKET_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION } from "@app/ee/services/secret-scanning-v2/bitbucket";
 import { GITHUB_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION } from "@app/ee/services/secret-scanning-v2/github";
-import { GITLAB_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION } from "@app/ee/services/secret-scanning-v2/gitlab";
-import { getConfig } from "@app/lib/config/env";
-import { crypto } from "@app/lib/crypto";
-import { BadRequestError } from "@app/lib/errors";
 import { titleCaseToCamelCase } from "@app/lib/fn";
 
 import { SecretScanningDataSource, SecretScanningFindingSeverity } from "./secret-scanning-v2-enums";
@@ -24,8 +13,7 @@ import { TCloneRepository, TGetFindingsPayload, TSecretScanningDataSourceListIte
 
 const SECRET_SCANNING_SOURCE_LIST_OPTIONS: Record<SecretScanningDataSource, TSecretScanningDataSourceListItem> = {
   [SecretScanningDataSource.GitHub]: GITHUB_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION,
-  [SecretScanningDataSource.Bitbucket]: BITBUCKET_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION,
-  [SecretScanningDataSource.GitLab]: GITLAB_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION
+  [SecretScanningDataSource.Bitbucket]: BITBUCKET_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION
 };
 
 export const listSecretScanningDataSourceOptions = () => {
@@ -58,19 +46,6 @@ export function scanDirectory(inputPath: string, outputPath: string, configPath?
   });
 }
 
-export function scanFile(inputPath: string): Promise<void> {
-  return new Promise((resolve, reject) => {
-    const command = `infisical scan --exit-code=77 --source "${inputPath}" --no-git`;
-    exec(command, (error) => {
-      if (error && error.code === 77) {
-        reject(error);
-      } else {
-        resolve();
-      }
-    });
-  });
-}
-
 export const scanGitRepositoryAndGetFindings = async (
   scanPath: string,
   findingsPath: string,
@@ -165,47 +140,3 @@ export const parseScanErrorMessage = (err: unknown): string => {
     ? errorMessage
     : `${errorMessage.substring(0, MAX_MESSAGE_LENGTH - 3)}...`;
 };
-
-export const scanSecretPolicyViolations = async (
-  projectId: string,
-  secretPath: string,
-  secrets: { secretKey: string; secretValue: string }[],
-  ignoreValues: string[]
-) => {
-  const appCfg = getConfig();
-
-  if (!appCfg.PARAMS_FOLDER_SECRET_DETECTION_ENABLED) {
-    return;
-  }
-
-  const match = appCfg.PARAMS_FOLDER_SECRET_DETECTION_PATHS?.find(
-    (el) => el.projectId === projectId && picomatch.isMatch(secretPath, el.secretPath, { strictSlashes: false })
-  );
-
-  if (!match) {
-    return;
-  }
-
-  const tempFolder = await createTempFolder();
-  try {
-    const scanPromises = secrets
-      .filter((secret) => !ignoreValues.includes(secret.secretValue))
-      .map(async (secret) => {
-        const secretFilePath = join(tempFolder, `${crypto.nativeCrypto.randomUUID()}.txt`);
-        await writeTextToFile(secretFilePath, `${secret.secretKey}=${secret.secretValue}`);
-
-        try {
-          await scanFile(secretFilePath);
-        } catch (error) {
-          throw new BadRequestError({
-            message: `Secret value detected in ${secret.secretKey}. Please add this instead to the designated secrets path in the project.`,
-            name: "SecretPolicyViolation"
-          });
-        }
-      });
-
-    await Promise.all(scanPromises);
-  } finally {
-    await deleteTempFolder(tempFolder);
-  }
-};

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-maps.ts

@@ -3,18 +3,15 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums
 
 export const SECRET_SCANNING_DATA_SOURCE_NAME_MAP: Record<SecretScanningDataSource, string> = {
   [SecretScanningDataSource.GitHub]: "GitHub",
-  [SecretScanningDataSource.Bitbucket]: "Bitbucket",
-  [SecretScanningDataSource.GitLab]: "GitLab"
+  [SecretScanningDataSource.Bitbucket]: "Bitbucket"
 };
 
 export const SECRET_SCANNING_DATA_SOURCE_CONNECTION_MAP: Record<SecretScanningDataSource, AppConnection> = {
   [SecretScanningDataSource.GitHub]: AppConnection.GitHubRadar,
-  [SecretScanningDataSource.Bitbucket]: AppConnection.Bitbucket,
-  [SecretScanningDataSource.GitLab]: AppConnection.GitLab
+  [SecretScanningDataSource.Bitbucket]: AppConnection.Bitbucket
 };
 
 export const AUTO_SYNC_DESCRIPTION_HELPER: Record<SecretScanningDataSource, { verb: string; noun: string }> = {
   [SecretScanningDataSource.GitHub]: { verb: "push", noun: "repositories" },
-  [SecretScanningDataSource.Bitbucket]: { verb: "push", noun: "repositories" },
-  [SecretScanningDataSource.GitLab]: { verb: "push", noun: "projects" }
+  [SecretScanningDataSource.Bitbucket]: { verb: "push", noun: "repositories" }
 };

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-queue.ts

@@ -16,7 +16,6 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
-import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import { decryptAppConnection } from "@app/services/app-connection/app-connection-fns";
 import { TAppConnection } from "@app/services/app-connection/app-connection-types";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -49,7 +48,6 @@ type TSecretRotationV2QueueServiceFactoryDep = {
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findAllProjectMembers">;
   projectDAL: Pick<TProjectDALFactory, "findById">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
-  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
   auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
   keyStore: Pick<TKeyStoreFactory, "acquireLock" | "getItem">;
 };
@@ -64,8 +62,7 @@ export const secretScanningV2QueueServiceFactory = async ({
   smtpService,
   kmsService,
   auditLogService,
-  keyStore,
-  appConnectionDAL
+  keyStore
 }: TSecretRotationV2QueueServiceFactoryDep) => {
   const queueDataSourceFullScan = async (
     dataSource: TSecretScanningDataSourceWithConnection,
@@ -74,10 +71,7 @@ export const secretScanningV2QueueServiceFactory = async ({
     try {
       const { type } = dataSource;
 
-      const factory = SECRET_SCANNING_FACTORY_MAP[type]({
-        kmsService,
-        appConnectionDAL
-      });
+      const factory = SECRET_SCANNING_FACTORY_MAP[type]();
 
       const rawResources = await factory.listRawResources(dataSource);
 
@@ -177,10 +171,7 @@ export const secretScanningV2QueueServiceFactory = async ({
         let connection: TAppConnection | null = null;
         if (dataSource.connection) connection = await decryptAppConnection(dataSource.connection, kmsService);
 
-        const factory = SECRET_SCANNING_FACTORY_MAP[dataSource.type as SecretScanningDataSource]({
-          kmsService,
-          appConnectionDAL
-        });
+        const factory = SECRET_SCANNING_FACTORY_MAP[dataSource.type as SecretScanningDataSource]();
 
         const findingsPath = join(tempFolder, "findings.json");
 
@@ -338,10 +329,7 @@ export const secretScanningV2QueueServiceFactory = async ({
     dataSourceId,
     dataSourceType
   }: Pick<TQueueSecretScanningResourceDiffScan, "payload" | "dataSourceId" | "dataSourceType">) => {
-    const factory = SECRET_SCANNING_FACTORY_MAP[dataSourceType as SecretScanningDataSource]({
-      kmsService,
-      appConnectionDAL
-    });
+    const factory = SECRET_SCANNING_FACTORY_MAP[dataSourceType as SecretScanningDataSource]();
 
     const resourcePayload = factory.getDiffScanResourcePayload(payload);
 
@@ -403,10 +391,7 @@ export const secretScanningV2QueueServiceFactory = async ({
 
       if (!resource) throw new Error(`Resource with ID "${resourceId}" not found`);
 
-      const factory = SECRET_SCANNING_FACTORY_MAP[dataSource.type as SecretScanningDataSource]({
-        kmsService,
-        appConnectionDAL
-      });
+      const factory = SECRET_SCANNING_FACTORY_MAP[dataSource.type as SecretScanningDataSource]();
 
       const tempFolder = await createTempFolder();
 

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-service.ts

@@ -46,7 +46,6 @@ import {
 import { DatabaseErrorCode } from "@app/lib/error-codes";
 import { BadRequestError, DatabaseError, NotFoundError } from "@app/lib/errors";
 import { OrgServiceActor } from "@app/lib/types";
-import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import { decryptAppConnection } from "@app/services/app-connection/app-connection-fns";
 import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { TAppConnection } from "@app/services/app-connection/app-connection-types";
@@ -54,14 +53,12 @@ import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 
 import { bitbucketSecretScanningService } from "./bitbucket/bitbucket-secret-scanning-service";
-import { gitlabSecretScanningService } from "./gitlab/gitlab-secret-scanning-service";
 import { TSecretScanningV2DALFactory } from "./secret-scanning-v2-dal";
 import { TSecretScanningV2QueueServiceFactory } from "./secret-scanning-v2-queue";
 
 export type TSecretScanningV2ServiceFactoryDep = {
   secretScanningV2DAL: TSecretScanningV2DALFactory;
   appConnectionService: Pick<TAppConnectionServiceFactory, "connectAppConnectionById">;
-  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   secretScanningV2Queue: Pick<
@@ -79,7 +76,6 @@ export const secretScanningV2ServiceFactory = ({
   appConnectionService,
   licenseService,
   secretScanningV2Queue,
-  appConnectionDAL,
   kmsService
 }: TSecretScanningV2ServiceFactoryDep) => {
   const $checkListSecretScanningDataSourcesByProjectIdPermissions = async (
@@ -259,10 +255,7 @@ export const secretScanningV2ServiceFactory = ({
       );
     }
 
-    const factory = SECRET_SCANNING_FACTORY_MAP[payload.type]({
-      appConnectionDAL,
-      kmsService
-    });
+    const factory = SECRET_SCANNING_FACTORY_MAP[payload.type]();
 
     try {
       const createdDataSource = await factory.initialize(
@@ -370,31 +363,6 @@ export const secretScanningV2ServiceFactory = ({
         message: `Secret Scanning Data Source with ID "${dataSourceId}" is not configured for ${SECRET_SCANNING_DATA_SOURCE_NAME_MAP[type]}`
       });
 
-    let connection: TAppConnection | null = null;
-    if (dataSource.connectionId) {
-      // validates permission to connect and app is valid for data source
-      connection = await appConnectionService.connectAppConnectionById(
-        SECRET_SCANNING_DATA_SOURCE_CONNECTION_MAP[dataSource.type],
-        dataSource.connectionId,
-        actor
-      );
-    }
-
-    const factory = SECRET_SCANNING_FACTORY_MAP[dataSource.type]({
-      appConnectionDAL,
-      kmsService
-    });
-
-    if (payload.config) {
-      await factory.validateConfigUpdate({
-        dataSource: {
-          ...dataSource,
-          connection
-        } as TSecretScanningDataSourceWithConnection,
-        config: payload.config as TSecretScanningDataSourceWithConnection["config"]
-      });
-    }
-
     try {
       const updatedDataSource = await secretScanningV2DAL.dataSources.updateById(dataSourceId, payload);
 
@@ -448,10 +416,7 @@ export const secretScanningV2ServiceFactory = ({
         message: `Secret Scanning Data Source with ID "${dataSourceId}" is not configured for ${SECRET_SCANNING_DATA_SOURCE_NAME_MAP[type]}`
       });
 
-    const factory = SECRET_SCANNING_FACTORY_MAP[type]({
-      appConnectionDAL,
-      kmsService
-    });
+    const factory = SECRET_SCANNING_FACTORY_MAP[type]();
 
     let connection: TAppConnection | null = null;
     if (dataSource.connection) {
@@ -938,7 +903,6 @@ export const secretScanningV2ServiceFactory = ({
     findSecretScanningConfigByProjectId,
     upsertSecretScanningConfig,
     github: githubSecretScanningService(secretScanningV2DAL, secretScanningV2Queue),
-    bitbucket: bitbucketSecretScanningService(secretScanningV2DAL, secretScanningV2Queue, kmsService),
-    gitlab: gitlabSecretScanningService(secretScanningV2DAL, secretScanningV2Queue, kmsService)
+    bitbucket: bitbucketSecretScanningService(secretScanningV2DAL, secretScanningV2Queue, kmsService)
   };
 };

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-types.ts

@@ -21,25 +21,14 @@ import {
   TGitHubFinding,
   TQueueGitHubResourceDiffScan
 } from "@app/ee/services/secret-scanning-v2/github";
-import {
-  TGitLabDataSource,
-  TGitLabDataSourceCredentials,
-  TGitLabDataSourceInput,
-  TGitLabDataSourceListItem,
-  TGitLabDataSourceWithConnection,
-  TGitLabFinding,
-  TQueueGitLabResourceDiffScan
-} from "@app/ee/services/secret-scanning-v2/gitlab";
 import { TSecretScanningV2DALFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-dal";
 import {
   SecretScanningDataSource,
   SecretScanningFindingStatus,
   SecretScanningScanStatus
 } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
-import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 
-export type TSecretScanningDataSource = TGitHubDataSource | TBitbucketDataSource | TGitLabDataSource;
+export type TSecretScanningDataSource = TGitHubDataSource | TBitbucketDataSource;
 
 export type TSecretScanningDataSourceWithDetails = TSecretScanningDataSource & {
   lastScannedAt?: Date | null;
@@ -63,25 +52,15 @@ export type TSecretScanningScanWithDetails = TSecretScanningScans & {
 
 export type TSecretScanningDataSourceWithConnection =
   | TGitHubDataSourceWithConnection
-  | TBitbucketDataSourceWithConnection
-  | TGitLabDataSourceWithConnection;
+  | TBitbucketDataSourceWithConnection;
 
-export type TSecretScanningDataSourceInput =
-  | TGitHubDataSourceInput
-  | TBitbucketDataSourceInput
-  | TGitLabDataSourceInput;
+export type TSecretScanningDataSourceInput = TGitHubDataSourceInput | TBitbucketDataSourceInput;
 
-export type TSecretScanningDataSourceListItem =
-  | TGitHubDataSourceListItem
-  | TBitbucketDataSourceListItem
-  | TGitLabDataSourceListItem;
+export type TSecretScanningDataSourceListItem = TGitHubDataSourceListItem | TBitbucketDataSourceListItem;
 
-export type TSecretScanningDataSourceCredentials =
-  | TBitbucketDataSourceCredentials
-  | TGitLabDataSourceCredentials
-  | undefined;
+export type TSecretScanningDataSourceCredentials = TBitbucketDataSourceCredentials | undefined;
 
-export type TSecretScanningFinding = TGitHubFinding | TBitbucketFinding | TGitLabFinding;
+export type TSecretScanningFinding = TGitHubFinding | TBitbucketFinding;
 
 export type TListSecretScanningDataSourcesByProjectId = {
   projectId: string;
@@ -133,10 +112,7 @@ export type TQueueSecretScanningDataSourceFullScan = {
   scanId: string;
 };
 
-export type TQueueSecretScanningResourceDiffScan =
-  | TQueueGitHubResourceDiffScan
-  | TQueueBitbucketResourceDiffScan
-  | TQueueGitLabResourceDiffScan;
+export type TQueueSecretScanningResourceDiffScan = TQueueGitHubResourceDiffScan | TQueueBitbucketResourceDiffScan;
 
 export type TQueueSecretScanningSendNotification = {
   dataSource: TSecretScanningDataSources;
@@ -194,11 +170,6 @@ export type TSecretScanningFactoryInitialize<
   callback: (parameters: { credentials?: C; externalId?: string }) => Promise<TSecretScanningDataSourceRaw>
 ) => Promise<TSecretScanningDataSourceRaw>;
 
-export type TSecretScanningFactoryValidateConfigUpdate<
-  C extends TSecretScanningDataSourceInput["config"],
-  T extends TSecretScanningDataSourceWithConnection
-> = (params: { config: C; dataSource: T }) => Promise<void>;
-
 export type TSecretScanningFactoryPostInitialization<
   P extends TSecretScanningDataSourceInput,
   T extends TSecretScanningDataSourceWithConnection["connection"] | undefined = undefined,
@@ -210,23 +181,17 @@ export type TSecretScanningFactoryTeardown<
   C extends TSecretScanningDataSourceCredentials = undefined
 > = (params: { dataSource: T; credentials: C }) => Promise<void>;
 
-export type TSecretScanningFactoryParams = {
-  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
-};
-
 export type TSecretScanningFactory<
   T extends TSecretScanningDataSourceWithConnection,
   P extends TQueueSecretScanningResourceDiffScan["payload"],
   I extends TSecretScanningDataSourceInput,
   C extends TSecretScanningDataSourceCredentials | undefined = undefined
-> = (params: TSecretScanningFactoryParams) => {
+> = () => {
   listRawResources: TSecretScanningFactoryListRawResources<T>;
   getFullScanPath: TSecretScanningFactoryGetFullScanPath<T>;
   initialize: TSecretScanningFactoryInitialize<I, T["connection"] | undefined, C>;
   postInitialization: TSecretScanningFactoryPostInitialization<I, T["connection"] | undefined, C>;
   teardown: TSecretScanningFactoryTeardown<T, C>;
-  validateConfigUpdate: TSecretScanningFactoryValidateConfigUpdate<I["config"], T>;
   getDiffScanResourcePayload: TSecretScanningFactoryGetDiffScanResourcePayload<P>;
   getDiffScanFindingsPayload: TSecretScanningFactoryGetDiffScanFindingsPayload<T, P>;
 };

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-union-schemas.ts

@@ -2,12 +2,10 @@ import { z } from "zod";
 
 import { BitbucketDataSourceSchema, BitbucketFindingSchema } from "@app/ee/services/secret-scanning-v2/bitbucket";
 import { GitHubDataSourceSchema, GitHubFindingSchema } from "@app/ee/services/secret-scanning-v2/github";
-import { GitLabDataSourceSchema, GitLabFindingSchema } from "@app/ee/services/secret-scanning-v2/gitlab";
 
 export const SecretScanningDataSourceSchema = z.discriminatedUnion("type", [
   GitHubDataSourceSchema,
-  BitbucketDataSourceSchema,
-  GitLabDataSourceSchema
+  BitbucketDataSourceSchema
 ]);
 
 export const SecretScanningFindingSchema = z.discriminatedUnion("dataSourceType", [
@@ -20,10 +18,5 @@ export const SecretScanningFindingSchema = z.discriminatedUnion("dataSourceType"
     JSON.stringify({
       title: "Bitbucket"
     })
-  ),
-  GitLabFindingSchema.describe(
-    JSON.stringify({
-      title: "GitLab"
-    })
   )
 ]);

backend/src/keystore/keystore.ts

@@ -46,11 +46,7 @@ export const KeyStorePrefixes = {
   IdentityAccessTokenStatusUpdate: (identityAccessTokenId: string) =>
     `identity-access-token-status:${identityAccessTokenId}`,
   ServiceTokenStatusUpdate: (serviceTokenId: string) => `service-token-status:${serviceTokenId}`,
-  GatewayIdentityCredential: (identityId: string) => `gateway-credentials:${identityId}`,
-  ActiveSSEConnectionsSet: (projectId: string, identityId: string) =>
-    `sse-connections:${projectId}:${identityId}` as const,
-  ActiveSSEConnections: (projectId: string, identityId: string, connectionId: string) =>
-    `sse-connections:${projectId}:${identityId}:${connectionId}` as const
+  GatewayIdentityCredential: (identityId: string) => `gateway-credentials:${identityId}`
 };
 
 export const KeyStoreTtls = {

backend/src/lib/api-docs/constants.ts

@@ -664,10 +664,6 @@ export const ORGANIZATIONS = {
     organizationId: "The ID of the organization to delete the membership from.",
     membershipId: "The ID of the membership to delete."
   },
-  BULK_DELETE_USER_MEMBERSHIPS: {
-    organizationId: "The ID of the organization to delete the memberships from.",
-    membershipIds: "The IDs of the memberships to delete."
-  },
   LIST_IDENTITY_MEMBERSHIPS: {
     orgId: "The ID of the organization to get identity memberships from.",
     offset: "The offset to start from. If you enter 10, it will start from the 10th identity membership.",
@@ -708,8 +704,7 @@ export const PROJECTS = {
     hasDeleteProtection: "Enable or disable delete protection for the project.",
     secretSharing: "Enable or disable secret sharing for the project.",
     showSnapshotsLegacy: "Enable or disable legacy snapshots for the project.",
-    defaultProduct: "The default product in which the project will open",
-    secretDetectionIgnoreValues: "The list of secret values to ignore for secret detection."
+    defaultProduct: "The default product in which the project will open"
   },
   GET_KEY: {
     workspaceId: "The ID of the project to get the key from."
@@ -2257,9 +2252,7 @@ export const AppConnections = {
     AZURE_DEVOPS: {
       code: "The OAuth code to use to connect with Azure DevOps.",
       tenantId: "The Tenant ID to use to connect with Azure DevOps.",
-      orgName: "The Organization name to use to connect with Azure DevOps.",
-      clientId: "The Client ID to use to connect with Azure Client Secrets.",
-      clientSecret: "The Client Secret to use to connect with Azure Client Secrets."
+      orgName: "The Organization name to use to connect with Azure DevOps."
     },
     OCI: {
       userOcid: "The OCID (Oracle Cloud Identifier) of the user making the request.",
@@ -2302,9 +2295,6 @@ export const AppConnections = {
     DIGITAL_OCEAN_APP_PLATFORM: {
       apiToken: "The API token used to authenticate with Digital Ocean App Platform."
     },
-    NETLIFY: {
-      accessToken: "The Access token used to authenticate with Netlify."
-    },
     OKTA: {
       instanceUrl: "The URL used to access your Okta organization.",
       apiToken: "The API token used to authenticate with Okta."
@@ -2409,18 +2399,12 @@ export const SecretSyncs = {
       env: "The name of the GitHub environment."
     },
     AZURE_KEY_VAULT: {
-      vaultBaseUrl: "The base URL of the Azure Key Vault to sync secrets to. Example: https://example.vault.azure.net/",
-      tenantId: "The Tenant ID to use to connect with Azure Client Secrets.",
-      clientId: "The Client ID to use to connect with Azure Client Secrets.",
-      clientSecret: "The Client Secret to use to connect with Azure Client Secrets."
+      vaultBaseUrl: "The base URL of the Azure Key Vault to sync secrets to. Example: https://example.vault.azure.net/"
     },
     AZURE_APP_CONFIGURATION: {
       configurationUrl:
         "The URL of the Azure App Configuration to sync secrets to. Example: https://example.azconfig.io/",
-      label: "An optional label to assign to secrets created in Azure App Configuration.",
-      tenantId: "The Tenant ID to use to connect with Azure Client Secrets.",
-      clientId: "The Client ID to use to connect with Azure Client Secrets.",
-      clientSecret: "The Client Secret to use to connect with Azure Client Secrets."
+      label: "An optional label to assign to secrets created in Azure App Configuration."
     },
     AZURE_DEVOPS: {
       devopsProjectId: "The ID of the Azure DevOps project to sync secrets to.",
@@ -2536,13 +2520,6 @@ export const SecretSyncs = {
       workspaceSlug: "The Bitbucket Workspace slug to sync secrets to.",
       repositorySlug: "The Bitbucket Repository slug to sync secrets to.",
       environmentId: "The Bitbucket Deployment Environment uuid to sync secrets to."
-    },
-    NETLIFY: {
-      accountId: "The ID of the Netlify account to sync secrets to.",
-      accountName: "The name of the Netlify account to sync secrets to.",
-      siteName: "The name of the Netlify site to sync secrets to.",
-      siteId: "The ID of the Netlify site to sync secrets to.",
-      context: "The Netlify context to sync secrets to."
     }
   }
 };
@@ -2724,14 +2701,6 @@ export const SecretScanningDataSources = {
     GITHUB: {
       includeRepos: 'The repositories to include when scanning. Defaults to all repositories (["*"]).'
     },
-    GITLAB: {
-      includeProjects: 'The projects to include when scanning. Defaults to all projects (["*"]).',
-      scope: "The GitLab scope scanning should occur at (project or group level).",
-      projectId: "The ID of the project to scan.",
-      projectName: "The name of the project to scan.",
-      groupId: "The ID of the group to scan projects from.",
-      groupName: "The name of the group to scan projects from."
-    },
     BITBUCKET: {
       workspaceSlug: "The workspace to scan.",
       includeRepos: 'The repositories to include when scanning. Defaults to all repositories (["*"]).'

backend/src/lib/config/env.ts

@@ -59,7 +59,6 @@ const envSchema = z
     AUDIT_LOGS_DB_ROOT_CERT: zpStr(
       z.string().describe("Postgres database base64-encoded CA cert for Audit logs").optional()
     ),
-    DISABLE_AUDIT_LOG_STORAGE: zodStrBool.default("false").optional().describe("Disable audit log storage"),
     MAX_LEASE_LIMIT: z.coerce.number().default(10000),
     DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
     DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),
@@ -205,17 +204,6 @@ const envSchema = z
     WORKFLOW_SLACK_CLIENT_SECRET: zpStr(z.string().optional()),
     ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT: zodStrBool.default("true"),
 
-    // Special Detection Feature
-    PARAMS_FOLDER_SECRET_DETECTION_PATHS: zpStr(
-      z
-        .string()
-        .optional()
-        .transform((val) => {
-          if (!val) return undefined;
-          return JSON.parse(val) as { secretPath: string; projectId: string }[];
-        })
-    ),
-
     // HSM
     HSM_LIB_PATH: zpStr(z.string().optional()),
     HSM_PIN: zpStr(z.string().optional()),
@@ -370,7 +358,6 @@ const envSchema = z
       Boolean(data.HSM_LIB_PATH) && Boolean(data.HSM_PIN) && Boolean(data.HSM_KEY_LABEL) && data.HSM_SLOT !== undefined,
     samlDefaultOrgSlug: data.DEFAULT_SAML_ORG_SLUG,
     SECRET_SCANNING_ORG_WHITELIST: data.SECRET_SCANNING_ORG_WHITELIST?.split(","),
-    PARAMS_FOLDER_SECRET_DETECTION_ENABLED: (data.PARAMS_FOLDER_SECRET_DETECTION_PATHS?.length ?? 0) > 0,
     INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID:
       data.INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID || data.INF_APP_CONNECTION_AZURE_CLIENT_ID,
     INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_SECRET:
@@ -483,15 +470,6 @@ export const overwriteSchema: {
     fields: { key: keyof TEnvConfig; description?: string }[];
   };
 } = {
-  auditLogs: {
-    name: "Audit Logs",
-    fields: [
-      {
-        key: "DISABLE_AUDIT_LOG_STORAGE",
-        description: "Disable audit log storage"
-      }
-    ]
-  },
   aws: {
     name: "AWS",
     fields: [
@@ -506,7 +484,7 @@ export const overwriteSchema: {
     ]
   },
   azureAppConfiguration: {
-    name: "Azure App Connection: App Configuration",
+    name: "Azure App Configuration",
     fields: [
       {
         key: "INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID",
@@ -519,7 +497,7 @@ export const overwriteSchema: {
     ]
   },
   azureKeyVault: {
-    name: "Azure App Connection: Key Vault",
+    name: "Azure Key Vault",
     fields: [
       {
         key: "INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID",
@@ -532,7 +510,7 @@ export const overwriteSchema: {
     ]
   },
   azureClientSecrets: {
-    name: "Azure App Connection: Client Secrets",
+    name: "Azure Client Secrets",
     fields: [
       {
         key: "INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID",
@@ -545,7 +523,7 @@ export const overwriteSchema: {
     ]
   },
   azureDevOps: {
-    name: "Azure App Connection: DevOps",
+    name: "Azure DevOps",
     fields: [
       {
         key: "INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID",

backend/src/lib/regex/index.ts

@@ -11,5 +11,3 @@ export const UserPrincipalNameRegex = new RE2(/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._-]
 export const LdapUrlRegex = new RE2(/^ldaps?:\/\//);
 
 export const BasicRepositoryRegex = new RE2(/^[a-zA-Z0-9._-]+\/[a-zA-Z0-9._-]+$/);
-
-export const GitLabProjectRegex = new RE2(/^[a-zA-Z0-9._-]+(?:\/[a-zA-Z0-9._-]+)+$/);

backend/src/lib/validator/validate-url.ts

@@ -14,11 +14,6 @@ export const blockLocalAndPrivateIpAddresses = async (url: string) => {
   if (appCfg.isDevelopmentMode) return;
 
   const validUrl = new URL(url);
-
-  if (validUrl.username || validUrl.password) {
-    throw new BadRequestError({ message: "URLs with user credentials (e.g., user:pass@) are not allowed" });
-  }
-
   const inputHostIps: string[] = [];
   if (isIPv4(validUrl.hostname)) {
     inputHostIps.push(validUrl.hostname);

backend/src/queue/queue-service.ts

@@ -22,7 +22,6 @@ import { crypto } from "@app/lib/crypto";
 import { logger } from "@app/lib/logger";
 import { QueueWorkerProfile } from "@app/lib/types";
 import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
-import { ExternalPlatforms } from "@app/services/external-migration/external-migration-types";
 import {
   TFailedIntegrationSyncEmailsPayload,
   TIntegrationSyncPayload,
@@ -229,7 +228,6 @@ export type TQueueJobTypes = {
     name: QueueJobs.ImportSecretsFromExternalSource;
     payload: {
       actorEmail: string;
-      importType: ExternalPlatforms;
       data: {
         iv: string;
         tag: string;

backend/src/server/plugins/auth/inject-identity.ts

@@ -22,7 +22,6 @@ export type TAuthMode =
       orgId: string;
       authMethod: AuthMethod;
       isMfaVerified?: boolean;
-      token: AuthModeJwtTokenPayload;
     }
   | {
       authMode: AuthMode.API_KEY;
@@ -31,7 +30,6 @@ export type TAuthMode =
       userId: string;
       user: TUsers;
       orgId: string;
-      token: string;
     }
   | {
       authMode: AuthMode.SERVICE_TOKEN;
@@ -40,7 +38,6 @@ export type TAuthMode =
       serviceTokenId: string;
       orgId: string;
       authMethod: null;
-      token: string;
     }
   | {
       authMode: AuthMode.IDENTITY_ACCESS_TOKEN;
@@ -50,7 +47,6 @@ export type TAuthMode =
       orgId: string;
       authMethod: null;
       isInstanceAdmin?: boolean;
-      token: TIdentityAccessTokenJwtPayload;
     }
   | {
       authMode: AuthMode.SCIM_TOKEN;
@@ -60,7 +56,7 @@ export type TAuthMode =
       authMethod: null;
     };
 
-export const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
+const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
   const apiKey = req.headers?.["x-api-key"];
   if (apiKey) {
     return { authMode: AuthMode.API_KEY, token: apiKey, actor: ActorType.USER } as const;
@@ -137,8 +133,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
           actor,
           orgId: orgId as string,
           authMethod: token.authMethod,
-          isMfaVerified: token.isMfaVerified,
-          token
+          isMfaVerified: token.isMfaVerified
         };
         break;
       }
@@ -153,8 +148,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
           identityId: identity.identityId,
           identityName: identity.name,
           authMethod: null,
-          isInstanceAdmin: serverCfg?.adminIdentityIds?.includes(identity.identityId),
-          token
+          isInstanceAdmin: serverCfg?.adminIdentityIds?.includes(identity.identityId)
         };
         if (token?.identityAuth?.oidc) {
           requestContext.set("identityAuthInfo", {
@@ -185,8 +179,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
           serviceToken,
           serviceTokenId: serviceToken.id,
           actor,
-          authMethod: null,
-          token
+          authMethod: null
         };
         break;
       }
@@ -198,8 +191,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
           actor,
           user,
           orgId: "API_KEY", // We set the orgId to an arbitrary value, since we can't link an API key to a specific org. We have to deprecate API keys soon!
-          authMethod: null,
-          token: token as string
+          authMethod: null
         };
         break;
       }

backend/src/server/plugins/secret-scanner-v2.ts

@@ -4,8 +4,6 @@ import { Probot } from "probot";
 import { z } from "zod";
 
 import { TBitbucketPushEvent } from "@app/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-types";
-import { TGitLabDataSourcePushEventPayload } from "@app/ee/services/secret-scanning-v2/gitlab";
-import { GitLabWebHookEvent } from "@app/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-enums";
 import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
 import { writeLimit } from "@app/server/config/rateLimiter";
@@ -115,36 +113,4 @@ export const registerSecretScanningV2Webhooks = async (server: FastifyZodProvide
       return res.send("ok");
     }
   });
-
-  // gitlab push event webhook
-  server.route({
-    method: "POST",
-    url: "/gitlab",
-    config: {
-      rateLimit: writeLimit
-    },
-    handler: async (req, res) => {
-      const event = req.headers["x-gitlab-event"] as GitLabWebHookEvent;
-      const token = req.headers["x-gitlab-token"] as string;
-      const dataSourceId = req.headers["x-data-source-id"] as string;
-
-      if (event !== GitLabWebHookEvent.Push) {
-        return res.status(400).send({ message: `Event type not supported: ${event as string}` });
-      }
-
-      if (!token) {
-        return res.status(401).send({ message: "Unauthorized: Missing token" });
-      }
-
-      if (!dataSourceId) return res.status(400).send({ message: "Data Source ID header is required" });
-
-      await server.services.secretScanningV2.gitlab.handlePushEvent({
-        dataSourceId,
-        payload: req.body as TGitLabDataSourcePushEventPayload,
-        token
-      });
-
-      return res.send("ok");
-    }
-  });
 };

backend/src/server/routes/index.ts

@@ -31,8 +31,6 @@ import { buildDynamicSecretProviders } from "@app/ee/services/dynamic-secret/pro
 import { dynamicSecretLeaseDALFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal";
 import { dynamicSecretLeaseQueueServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue";
 import { dynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
-import { eventBusFactory } from "@app/ee/services/event/event-bus-service";
-import { sseServiceFactory } from "@app/ee/services/event/event-sse-service";
 import { externalKmsDALFactory } from "@app/ee/services/external-kms/external-kms-dal";
 import { externalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { gatewayDALFactory } from "@app/ee/services/gateway/gateway-dal";
@@ -497,9 +495,6 @@ export const registerRoutes = async (
   const projectMicrosoftTeamsConfigDAL = projectMicrosoftTeamsConfigDALFactory(db);
   const secretScanningV2DAL = secretScanningV2DALFactory(db);
 
-  const eventBusService = eventBusFactory(server.redis);
-  const sseService = sseServiceFactory(eventBusService, server.redis);
-
   const permissionService = permissionServiceFactory({
     permissionDAL,
     orgRoleDAL,
@@ -557,8 +552,7 @@ export const registerRoutes = async (
     queueService,
     projectDAL,
     licenseService,
-    auditLogStreamDAL,
-    eventBusService
+    auditLogStreamDAL
   });
 
   const auditLogService = auditLogServiceFactory({ auditLogDAL, permissionService, auditLogQueue });
@@ -1050,15 +1044,6 @@ export const registerRoutes = async (
     kmsService
   });
 
-  const gatewayService = gatewayServiceFactory({
-    permissionService,
-    gatewayDAL,
-    kmsService,
-    licenseService,
-    orgGatewayConfigDAL,
-    keyStore
-  });
-
   const secretSyncQueue = secretSyncQueueFactory({
     queueService,
     secretSyncDAL,
@@ -1082,8 +1067,7 @@ export const registerRoutes = async (
     secretVersionTagV2BridgeDAL,
     resourceMetadataDAL,
     appConnectionDAL,
-    licenseService,
-    gatewayService
+    licenseService
   });
 
   const secretQueueService = secretQueueFactory({
@@ -1254,7 +1238,6 @@ export const registerRoutes = async (
 
   const secretV2BridgeService = secretV2BridgeServiceFactory({
     folderDAL,
-    projectDAL,
     secretVersionDAL: secretVersionV2BridgeDAL,
     folderCommitService,
     secretQueueService,
@@ -1506,6 +1489,15 @@ export const registerRoutes = async (
     licenseService
   });
 
+  const gatewayService = gatewayServiceFactory({
+    permissionService,
+    gatewayDAL,
+    kmsService,
+    licenseService,
+    orgGatewayConfigDAL,
+    keyStore
+  });
+
   const identityKubernetesAuthService = identityKubernetesAuthServiceFactory({
     identityKubernetesAuthDAL,
     identityOrgMembershipDAL,
@@ -1939,8 +1931,7 @@ export const registerRoutes = async (
     projectMembershipDAL,
     smtpService,
     kmsService,
-    keyStore,
-    appConnectionDAL
+    keyStore
   });
 
   const secretScanningV2Service = secretScanningV2ServiceFactory({
@@ -1949,8 +1940,7 @@ export const registerRoutes = async (
     licenseService,
     secretScanningV2DAL,
     secretScanningV2Queue,
-    kmsService,
-    appConnectionDAL
+    kmsService
   });
 
   // setup the communication with license key server
@@ -1974,7 +1964,6 @@ export const registerRoutes = async (
   await kmsService.startService();
   await microsoftTeamsService.start();
   await dynamicSecretQueueService.init();
-  await eventBusService.init();
 
   // inject all services
   server.decorate<FastifyZodProvider["services"]>("services", {
@@ -2081,9 +2070,7 @@ export const registerRoutes = async (
     githubOrgSync: githubOrgSyncConfigService,
     folderCommit: folderCommitService,
     secretScanningV2: secretScanningV2Service,
-    reminder: reminderService,
-    bus: eventBusService,
-    sse: sseService
+    reminder: reminderService
   });
 
   const cronJobs: CronJob[] = [];
@@ -2144,8 +2131,7 @@ export const registerRoutes = async (
           inviteOnlySignup: z.boolean().optional(),
           redisConfigured: z.boolean().optional(),
           secretScanningConfigured: z.boolean().optional(),
-          samlDefaultOrgSlug: z.string().optional(),
-          auditLogStorageDisabled: z.boolean().optional()
+          samlDefaultOrgSlug: z.string().optional()
         })
       }
     },
@@ -2172,8 +2158,7 @@ export const registerRoutes = async (
         inviteOnlySignup: Boolean(serverCfg.allowSignUp),
         redisConfigured: cfg.isRedisConfigured,
         secretScanningConfigured: cfg.isSecretScanningConfigured,
-        samlDefaultOrgSlug: cfg.samlDefaultOrgSlug,
-        auditLogStorageDisabled: Boolean(cfg.DISABLE_AUDIT_LOG_STORAGE)
+        samlDefaultOrgSlug: cfg.samlDefaultOrgSlug
       };
     }
   });
@@ -2201,7 +2186,5 @@ export const registerRoutes = async (
   server.addHook("onClose", async () => {
     cronJobs.forEach((job) => job.stop());
     await telemetryService.flushAll();
-    await eventBusService.close();
-    sseService.close();
   });
 };

backend/src/server/routes/sanitizedSchemas.ts

@@ -271,8 +271,7 @@ export const SanitizedProjectSchema = ProjectsSchema.pick({
   auditLogsRetentionDays: true,
   hasDeleteProtection: true,
   secretSharing: true,
-  showSnapshotsLegacy: true,
-  secretDetectionIgnoreValues: true
+  showSnapshotsLegacy: true
 });
 
 export const SanitizedTagSchema = SecretTagsSchema.pick({

backend/src/server/routes/v1/admin-router.ts

@@ -52,8 +52,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
             defaultAuthOrgAuthEnforced: z.boolean().nullish(),
             defaultAuthOrgAuthMethod: z.string().nullish(),
             isSecretScanningDisabled: z.boolean(),
-            kubernetesAutoFetchServiceAccountToken: z.boolean(),
-            paramsFolderSecretDetectionEnabled: z.boolean()
+            kubernetesAutoFetchServiceAccountToken: z.boolean()
           })
         })
       }
@@ -68,8 +67,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
           fipsEnabled: crypto.isFipsModeEnabled(),
           isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
           isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING,
-          kubernetesAutoFetchServiceAccountToken: serverEnvs.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN,
-          paramsFolderSecretDetectionEnabled: serverEnvs.PARAMS_FOLDER_SECRET_DETECTION_ENABLED
+          kubernetesAutoFetchServiceAccountToken: serverEnvs.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN
         }
       };
     }
@@ -464,42 +462,6 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  server.route({
-    method: "DELETE",
-    url: "/user-management/users",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.object({
-        userIds: z.string().array()
-      }),
-      response: {
-        200: z.object({
-          users: UsersSchema.pick({
-            username: true,
-            firstName: true,
-            lastName: true,
-            email: true,
-            id: true
-          }).array()
-        })
-      }
-    },
-    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
-        verifySuperAdmin(req, res, done);
-      });
-    },
-    handler: async (req) => {
-      const users = await server.services.superAdmin.deleteUsers(req.body.userIds);
-
-      return {
-        users
-      };
-    }
-  });
-
   server.route({
     method: "PATCH",
     url: "/user-management/users/:userId/admin-access",
@@ -723,7 +685,6 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
       body: z.object({
         email: z.string().email().trim().min(1),
         password: z.string().trim().min(1),

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -75,10 +75,6 @@ import {
 import { LdapConnectionListItemSchema, SanitizedLdapConnectionSchema } from "@app/services/app-connection/ldap";
 import { MsSqlConnectionListItemSchema, SanitizedMsSqlConnectionSchema } from "@app/services/app-connection/mssql";
 import { MySqlConnectionListItemSchema, SanitizedMySqlConnectionSchema } from "@app/services/app-connection/mysql";
-import {
-  NetlifyConnectionListItemSchema,
-  SanitizedNetlifyConnectionSchema
-} from "@app/services/app-connection/netlify";
 import { OktaConnectionListItemSchema, SanitizedOktaConnectionSchema } from "@app/services/app-connection/okta";
 import {
   PostgresConnectionListItemSchema,
@@ -149,7 +145,6 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedChecklyConnectionSchema.options,
   ...SanitizedSupabaseConnectionSchema.options,
   ...SanitizedDigitalOceanConnectionSchema.options,
-  ...SanitizedNetlifyConnectionSchema.options,
   ...SanitizedOktaConnectionSchema.options
 ]);
 
@@ -189,7 +184,6 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   ChecklyConnectionListItemSchema,
   SupabaseConnectionListItemSchema,
   DigitalOceanConnectionListItemSchema,
-  NetlifyConnectionListItemSchema,
   OktaConnectionListItemSchema
 ]);
 

backend/src/server/routes/v1/app-connection-routers/cloudflare-connection-router.ts

@@ -46,6 +46,7 @@ export const registerCloudflareConnectionRouter = async (server: FastifyZodProvi
       const { connectionId } = req.params;
 
       const projects = await server.services.appConnection.cloudflare.listPagesProjects(connectionId, req.permission);
+
       return projects;
     }
   });
@@ -72,36 +73,9 @@ export const registerCloudflareConnectionRouter = async (server: FastifyZodProvi
     handler: async (req) => {
       const { connectionId } = req.params;
 
-      const scripts = await server.services.appConnection.cloudflare.listWorkersScripts(connectionId, req.permission);
-      return scripts;
-    }
-  });
+      const projects = await server.services.appConnection.cloudflare.listWorkersScripts(connectionId, req.permission);
 
-  server.route({
-    method: "GET",
-    url: `/:connectionId/cloudflare-zones`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      response: {
-        200: z
-          .object({
-            id: z.string(),
-            name: z.string()
-          })
-          .array()
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-
-      const zones = await server.services.appConnection.cloudflare.listZones(connectionId, req.permission);
-      return zones;
+      return projects;
     }
   });
 };

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -26,7 +26,6 @@ import { registerHumanitecConnectionRouter } from "./humanitec-connection-router
 import { registerLdapConnectionRouter } from "./ldap-connection-router";
 import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
 import { registerMySqlConnectionRouter } from "./mysql-connection-router";
-import { registerNetlifyConnectionRouter } from "./netlify-connection-router";
 import { registerOktaConnectionRouter } from "./okta-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
 import { registerRailwayConnectionRouter } from "./railway-connection-router";
@@ -77,6 +76,5 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.Checkly]: registerChecklyConnectionRouter,
     [AppConnection.Supabase]: registerSupabaseConnectionRouter,
     [AppConnection.DigitalOcean]: registerDigitalOceanConnectionRouter,
-    [AppConnection.Netlify]: registerNetlifyConnectionRouter,
     [AppConnection.Okta]: registerOktaConnectionRouter
   };

backend/src/server/routes/v1/app-connection-routers/netlify-connection-router.ts

@@ -1,87 +0,0 @@
-import { z } from "zod";
-
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import {
-  CreateNetlifyConnectionSchema,
-  SanitizedNetlifyConnectionSchema,
-  UpdateNetlifyConnectionSchema
-} from "@app/services/app-connection/netlify";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
-
-export const registerNetlifyConnectionRouter = async (server: FastifyZodProvider) => {
-  registerAppConnectionEndpoints({
-    app: AppConnection.Netlify,
-    server,
-    sanitizedResponseSchema: SanitizedNetlifyConnectionSchema,
-    createSchema: CreateNetlifyConnectionSchema,
-    updateSchema: UpdateNetlifyConnectionSchema
-  });
-
-  // The below endpoints are not exposed and for Infisical App use
-  server.route({
-    method: "GET",
-    url: `/:connectionId/accounts`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      response: {
-        200: z.object({
-          accounts: z
-            .object({
-              name: z.string(),
-              id: z.string()
-            })
-            .array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-
-      const accounts = await server.services.appConnection.netlify.listAccounts(connectionId, req.permission);
-
-      return { accounts };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: `/:connectionId/accounts/:accountId/sites`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid(),
-        accountId: z.string()
-      }),
-      response: {
-        200: z.object({
-          sites: z
-            .object({
-              name: z.string(),
-              id: z.string()
-            })
-            .array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { connectionId, accountId } = req.params;
-
-      const sites = await server.services.appConnection.netlify.listSites(connectionId, req.permission, accountId);
-
-      return { sites };
-    }
-  });
-};

backend/src/server/routes/v1/event-router.ts

@@ -1,118 +0,0 @@
-/* eslint-disable @typescript-eslint/no-floating-promises */
-import { subject } from "@casl/ability";
-import { pipeline } from "stream/promises";
-import { z } from "zod";
-
-import { ActionProjectType, ProjectType } from "@app/db/schemas";
-import { getServerSentEventsHeaders } from "@app/ee/services/event/event-sse-stream";
-import { EventRegisterSchema } from "@app/ee/services/event/types";
-import { ProjectPermissionSecretActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError, ForbiddenRequestError, RateLimitError } from "@app/lib/errors";
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerEventRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/subscribe/project-events",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      body: z.object({
-        projectId: z.string().trim(),
-        register: z.array(EventRegisterSchema).max(10)
-      })
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req, reply) => {
-      try {
-        const { sse, permission, identityAccessToken, authToken, license } = req.server.services;
-
-        const plan = await license.getPlan(req.auth.orgId);
-
-        if (!plan.eventSubscriptions) {
-          throw new BadRequestError({
-            message:
-              "Failed to use event subscriptions due to plan restriction. Upgrade plan to access enterprise event subscriptions."
-          });
-        }
-
-        const count = await sse.getActiveConnectionsCount(req.body.projectId, req.permission.id);
-
-        if (count >= 5) {
-          throw new RateLimitError({
-            message: `Too many active connections for project ${req.body.projectId}. Please close some connections before opening a new one.`
-          });
-        }
-
-        const client = await sse.subscribe({
-          type: ProjectType.SecretManager,
-          registered: req.body.register,
-          async getAuthInfo() {
-            const ability = await permission.getProjectPermission({
-              actor: req.auth.actor,
-              projectId: req.body.projectId,
-              actionProjectType: ActionProjectType.Any,
-              actorAuthMethod: req.auth.authMethod,
-              actorId: req.permission.id,
-              actorOrgId: req.permission.orgId
-            });
-
-            return { permission: ability.permission, actorId: req.permission.id, projectId: req.body.projectId };
-          },
-          async onAuthRefresh(info) {
-            switch (req.auth.authMode) {
-              case AuthMode.JWT:
-                await authToken.fnValidateJwtIdentity(req.auth.token);
-                break;
-              case AuthMode.IDENTITY_ACCESS_TOKEN:
-                await identityAccessToken.fnValidateIdentityAccessToken(req.auth.token, req.realIp);
-                break;
-              default:
-                throw new Error("Unsupported authentication method");
-            }
-
-            req.body.register.forEach((r) => {
-              const allowed = info.permission.can(
-                ProjectPermissionSecretActions.Subscribe,
-                subject(ProjectPermissionSub.Secrets, {
-                  environment: r.conditions?.environmentSlug ?? "",
-                  secretPath: r.conditions?.secretPath ?? "/",
-                  eventType: r.event
-                })
-              );
-
-              if (!allowed) {
-                throw new ForbiddenRequestError({
-                  name: "PermissionDenied",
-                  message: `You are not allowed to subscribe on secrets`,
-                  details: {
-                    event: r.event,
-                    environmentSlug: r.conditions?.environmentSlug,
-                    secretPath: r.conditions?.secretPath ?? "/"
-                  }
-                });
-              }
-            });
-          }
-        });
-
-        // Switches to manual response and enable SSE streaming
-        reply.hijack();
-        reply.raw.writeHead(200, getServerSentEventsHeaders()).flushHeaders();
-        reply.raw.on("close", client.abort);
-
-        await pipeline(client.stream, reply.raw, { signal: client.signal });
-      } catch (error) {
-        if (error instanceof Error && error.name === "AbortError") {
-          // If the stream is aborted, we don't need to do anything
-          return;
-        }
-
-        throw error;
-      }
-    }
-  });
-};

backend/src/server/routes/v1/index.ts

@@ -13,7 +13,6 @@ import { registerCaRouter } from "./certificate-authority-router";
 import { CERTIFICATE_AUTHORITY_REGISTER_ROUTER_MAP } from "./certificate-authority-routers";
 import { registerCertRouter } from "./certificate-router";
 import { registerCertificateTemplateRouter } from "./certificate-template-router";
-import { registerEventRouter } from "./event-router";
 import { registerExternalGroupOrgRoleMappingRouter } from "./external-group-org-role-mapping-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
 import { registerIdentityAliCloudAuthRouter } from "./identity-alicloud-auth-router";
@@ -184,6 +183,4 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
     },
     { prefix: "/reminders" }
   );
-
-  await server.register(registerEventRouter, { prefix: "/events" });
 };

backend/src/server/routes/v1/project-router.ts

@@ -369,11 +369,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           .describe(PROJECTS.UPDATE.slug),
         secretSharing: z.boolean().optional().describe(PROJECTS.UPDATE.secretSharing),
         showSnapshotsLegacy: z.boolean().optional().describe(PROJECTS.UPDATE.showSnapshotsLegacy),
-        defaultProduct: z.nativeEnum(ProjectType).optional().describe(PROJECTS.UPDATE.defaultProduct),
-        secretDetectionIgnoreValues: z
-          .array(z.string())
-          .optional()
-          .describe(PROJECTS.UPDATE.secretDetectionIgnoreValues)
+        defaultProduct: z.nativeEnum(ProjectType).optional().describe(PROJECTS.UPDATE.defaultProduct)
       }),
       response: {
         200: z.object({
@@ -396,8 +392,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           hasDeleteProtection: req.body.hasDeleteProtection,
           slug: req.body.slug,
           secretSharing: req.body.secretSharing,
-          showSnapshotsLegacy: req.body.showSnapshotsLegacy,
-          secretDetectionIgnoreValues: req.body.secretDetectionIgnoreValues
+          showSnapshotsLegacy: req.body.showSnapshotsLegacy
         },
         actorAuthMethod: req.permission.authMethod,
         actorId: req.permission.id,

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -21,7 +21,6 @@ import { registerGitLabSyncRouter } from "./gitlab-sync-router";
 import { registerHCVaultSyncRouter } from "./hc-vault-sync-router";
 import { registerHerokuSyncRouter } from "./heroku-sync-router";
 import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
-import { registerNetlifySyncRouter } from "./netlify-sync-router";
 import { registerRailwaySyncRouter } from "./railway-sync-router";
 import { registerRenderSyncRouter } from "./render-sync-router";
 import { registerSupabaseSyncRouter } from "./supabase-sync-router";
@@ -62,6 +61,5 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.Railway]: registerRailwaySyncRouter,
   [SecretSync.Checkly]: registerChecklySyncRouter,
   [SecretSync.DigitalOceanAppPlatform]: registerDigitalOceanAppPlatformSyncRouter,
-  [SecretSync.Netlify]: registerNetlifySyncRouter,
   [SecretSync.Bitbucket]: registerBitbucketSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/netlify-sync-router.ts

@@ -1,17 +0,0 @@
-import {
-  CreateNetlifySyncSchema,
-  NetlifySyncSchema,
-  UpdateNetlifySyncSchema
-} from "@app/services/secret-sync/netlify/netlify-sync-schemas";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-
-import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
-
-export const registerNetlifySyncRouter = async (server: FastifyZodProvider) =>
-  registerSyncSecretsEndpoints({
-    destination: SecretSync.Netlify,
-    server,
-    responseSchema: NetlifySyncSchema,
-    createSchema: CreateNetlifySyncSchema,
-    updateSchema: UpdateNetlifySyncSchema
-  });

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -44,7 +44,6 @@ import { GitLabSyncListItemSchema, GitLabSyncSchema } from "@app/services/secret
 import { HCVaultSyncListItemSchema, HCVaultSyncSchema } from "@app/services/secret-sync/hc-vault";
 import { HerokuSyncListItemSchema, HerokuSyncSchema } from "@app/services/secret-sync/heroku";
 import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
-import { NetlifySyncListItemSchema, NetlifySyncSchema } from "@app/services/secret-sync/netlify";
 import { RailwaySyncListItemSchema, RailwaySyncSchema } from "@app/services/secret-sync/railway/railway-sync-schemas";
 import { RenderSyncListItemSchema, RenderSyncSchema } from "@app/services/secret-sync/render/render-sync-schemas";
 import { SupabaseSyncListItemSchema, SupabaseSyncSchema } from "@app/services/secret-sync/supabase";
@@ -83,7 +82,6 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   RailwaySyncSchema,
   ChecklySyncSchema,
   DigitalOceanAppPlatformSyncSchema,
-  NetlifySyncSchema,
   BitbucketSyncSchema
 ]);
 
@@ -116,7 +114,6 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   RailwaySyncListItemSchema,
   ChecklySyncListItemSchema,
   SupabaseSyncListItemSchema,
-  NetlifySyncListItemSchema,
   BitbucketSyncListItemSchema
 ]);
 

backend/src/server/routes/v2/organization-router.ts

@@ -264,48 +264,6 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  server.route({
-    method: "DELETE",
-    url: "/:organizationId/memberships",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.Organizations],
-      description: "Bulk delete organization user memberships",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.BULK_DELETE_USER_MEMBERSHIPS.organizationId)
-      }),
-      body: z.object({
-        membershipIds: z.string().trim().array().describe(ORGANIZATIONS.BULK_DELETE_USER_MEMBERSHIPS.membershipIds)
-      }),
-      response: {
-        200: z.object({
-          memberships: OrgMembershipsSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      if (req.auth.actor !== ActorType.USER) return;
-
-      const memberships = await server.services.org.bulkDeleteOrgMemberships({
-        userId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        orgId: req.params.organizationId,
-        membershipIds: req.body.membershipIds,
-        actorOrgId: req.permission.orgId
-      });
-      return { memberships };
-    }
-  });
-
   server.route({
     // TODO: re-think endpoint structure in future so users only need to pass in membershipId bc organizationId is redundant
     method: "GET",

backend/src/services/app-connection/app-connection-enums.ts

@@ -34,7 +34,6 @@ export enum AppConnection {
   Checkly = "checkly",
   Supabase = "supabase",
   DigitalOcean = "digital-ocean",
-  Netlify = "netlify",
   Okta = "okta"
 }
 

backend/src/services/app-connection/app-connection-fns.ts

@@ -97,7 +97,6 @@ import { getLdapConnectionListItem, LdapConnectionMethod, validateLdapConnection
 import { getMsSqlConnectionListItem, MsSqlConnectionMethod } from "./mssql";
 import { MySqlConnectionMethod } from "./mysql/mysql-connection-enums";
 import { getMySqlConnectionListItem } from "./mysql/mysql-connection-fns";
-import { getNetlifyConnectionListItem, validateNetlifyConnectionCredentials } from "./netlify";
 import { getOktaConnectionListItem, OktaConnectionMethod, validateOktaConnectionCredentials } from "./okta";
 import { getPostgresConnectionListItem, PostgresConnectionMethod } from "./postgres";
 import { getRailwayConnectionListItem, validateRailwayConnectionCredentials } from "./railway";
@@ -164,7 +163,6 @@ export const listAppConnectionOptions = () => {
     getChecklyConnectionListItem(),
     getSupabaseConnectionListItem(),
     getDigitalOceanConnectionListItem(),
-    getNetlifyConnectionListItem(),
     getOktaConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
@@ -253,8 +251,7 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.Checkly]: validateChecklyConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Supabase]: validateSupabaseConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.DigitalOcean]: validateDigitalOceanConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.Okta]: validateOktaConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.Netlify]: validateNetlifyConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.Okta]: validateOktaConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
   return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection, gatewayService);
@@ -384,7 +381,6 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.Checkly]: platformManagedCredentialsNotSupported,
   [AppConnection.Supabase]: platformManagedCredentialsNotSupported,
   [AppConnection.DigitalOcean]: platformManagedCredentialsNotSupported,
-  [AppConnection.Netlify]: platformManagedCredentialsNotSupported,
   [AppConnection.Okta]: platformManagedCredentialsNotSupported
 };
 

backend/src/services/app-connection/app-connection-maps.ts

@@ -36,7 +36,6 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.Checkly]: "Checkly",
   [AppConnection.Supabase]: "Supabase",
   [AppConnection.DigitalOcean]: "DigitalOcean App Platform",
-  [AppConnection.Netlify]: "Netlify",
   [AppConnection.Okta]: "Okta"
 };
 
@@ -76,6 +75,5 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.Checkly]: AppConnectionPlanType.Regular,
   [AppConnection.Supabase]: AppConnectionPlanType.Regular,
   [AppConnection.DigitalOcean]: AppConnectionPlanType.Regular,
-  [AppConnection.Netlify]: AppConnectionPlanType.Regular,
   [AppConnection.Okta]: AppConnectionPlanType.Regular
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -81,8 +81,6 @@ import { humanitecConnectionService } from "./humanitec/humanitec-connection-ser
 import { ValidateLdapConnectionCredentialsSchema } from "./ldap";
 import { ValidateMsSqlConnectionCredentialsSchema } from "./mssql";
 import { ValidateMySqlConnectionCredentialsSchema } from "./mysql";
-import { ValidateNetlifyConnectionCredentialsSchema } from "./netlify";
-import { netlifyConnectionService } from "./netlify/netlify-connection-service";
 import { ValidateOktaConnectionCredentialsSchema } from "./okta";
 import { oktaConnectionService } from "./okta/okta-connection-service";
 import { ValidatePostgresConnectionCredentialsSchema } from "./postgres";
@@ -150,7 +148,6 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.Checkly]: ValidateChecklyConnectionCredentialsSchema,
   [AppConnection.Supabase]: ValidateSupabaseConnectionCredentialsSchema,
   [AppConnection.DigitalOcean]: ValidateDigitalOceanConnectionCredentialsSchema,
-  [AppConnection.Netlify]: ValidateNetlifyConnectionCredentialsSchema,
   [AppConnection.Okta]: ValidateOktaConnectionCredentialsSchema
 };
 
@@ -586,7 +583,7 @@ export const appConnectionServiceFactory = ({
     deleteAppConnection,
     connectAppConnectionById,
     listAvailableAppConnectionsForUser,
-    github: githubConnectionService(connectAppConnectionById, gatewayService),
+    github: githubConnectionService(connectAppConnectionById),
     githubRadar: githubRadarConnectionService(connectAppConnectionById),
     gcp: gcpConnectionService(connectAppConnectionById),
     databricks: databricksConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
@@ -614,7 +611,6 @@ export const appConnectionServiceFactory = ({
     checkly: checklyConnectionService(connectAppConnectionById),
     supabase: supabaseConnectionService(connectAppConnectionById),
     digitalOcean: digitalOceanAppPlatformConnectionService(connectAppConnectionById),
-    netlify: netlifyConnectionService(connectAppConnectionById),
     okta: oktaConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -149,12 +149,6 @@ import {
 } from "./ldap";
 import { TMsSqlConnection, TMsSqlConnectionInput, TValidateMsSqlConnectionCredentialsSchema } from "./mssql";
 import { TMySqlConnection, TMySqlConnectionInput, TValidateMySqlConnectionCredentialsSchema } from "./mysql";
-import {
-  TNetlifyConnection,
-  TNetlifyConnectionConfig,
-  TNetlifyConnectionInput,
-  TValidateNetlifyConnectionCredentialsSchema
-} from "./netlify";
 import {
   TOktaConnection,
   TOktaConnectionConfig,
@@ -251,7 +245,6 @@ export type TAppConnection = { id: string } & (
   | TChecklyConnection
   | TSupabaseConnection
   | TDigitalOceanConnection
-  | TNetlifyConnection
   | TOktaConnection
 );
 
@@ -295,7 +288,6 @@ export type TAppConnectionInput = { id: string } & (
   | TChecklyConnectionInput
   | TSupabaseConnectionInput
   | TDigitalOceanConnectionInput
-  | TNetlifyConnectionInput
   | TOktaConnectionInput
 );
 
@@ -347,7 +339,6 @@ export type TAppConnectionConfig =
   | TChecklyConnectionConfig
   | TSupabaseConnectionConfig
   | TDigitalOceanConnectionConfig
-  | TNetlifyConnectionConfig
   | TOktaConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
@@ -386,7 +377,6 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateChecklyConnectionCredentialsSchema
   | TValidateSupabaseConnectionCredentialsSchema
   | TValidateDigitalOceanCredentialsSchema
-  | TValidateNetlifyConnectionCredentialsSchema
   | TValidateOktaConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {

backend/src/services/app-connection/azure-app-configuration/azure-app-configuration-connection-enums.ts

@@ -1,4 +1,3 @@
 export enum AzureAppConfigurationConnectionMethod {
-  OAuth = "oauth",
-  ClientSecret = "client-secret"
+  OAuth = "oauth"
 }

backend/src/services/app-connection/azure-app-configuration/azure-app-configuration-connection-fns.ts

@@ -1,4 +1,3 @@
-/* eslint-disable no-case-declarations */
 import { AxiosError, AxiosResponse } from "axios";
 
 import { getConfig } from "@app/lib/config/env";
@@ -20,10 +19,7 @@ export const getAzureAppConfigurationConnectionListItem = () => {
   return {
     name: "Azure App Configuration" as const,
     app: AppConnection.AzureAppConfiguration as const,
-    methods: Object.values(AzureAppConfigurationConnectionMethod) as [
-      AzureAppConfigurationConnectionMethod.OAuth,
-      AzureAppConfigurationConnectionMethod.ClientSecret
-    ],
+    methods: Object.values(AzureAppConfigurationConnectionMethod) as [AzureAppConfigurationConnectionMethod.OAuth],
     oauthClientId: INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID
   };
 };
@@ -39,111 +35,71 @@ export const validateAzureAppConfigurationConnectionCredentials = async (
     SITE_URL
   } = getConfig();
 
+  if (
+    !INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID ||
+    !INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET
+  ) {
+    throw new InternalServerError({
+      message: `Azure ${getAppConnectionMethodName(method)} environment variables have not been configured`
+    });
+  }
+
+  let tokenResp: AxiosResponse<ExchangeCodeAzureResponse> | null = null;
+  let tokenError: AxiosError | null = null;
+
+  try {
+    tokenResp = await request.post<ExchangeCodeAzureResponse>(
+      IntegrationUrls.AZURE_TOKEN_URL.replace("common", inputCredentials.tenantId || "common"),
+      new URLSearchParams({
+        grant_type: "authorization_code",
+        code: inputCredentials.code,
+        scope: `openid offline_access https://azconfig.io/.default`,
+        client_id: INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID,
+        client_secret: INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET,
+        redirect_uri: `${SITE_URL}/organization/app-connections/azure/oauth/callback`
+      })
+    );
+  } catch (e: unknown) {
+    if (e instanceof AxiosError) {
+      tokenError = e;
+    } else {
+      throw new BadRequestError({
+        message: `Unable to validate connection: verify credentials`
+      });
+    }
+  }
+
+  if (tokenError) {
+    if (tokenError instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to get access token: ${
+          (tokenError?.response?.data as { error_description?: string })?.error_description || "Unknown error"
+        }`
+      });
+    } else {
+      throw new InternalServerError({
+        message: "Failed to get access token"
+      });
+    }
+  }
+
+  if (!tokenResp) {
+    throw new InternalServerError({
+      message: `Failed to get access token: Token was empty with no error`
+    });
+  }
+
   switch (method) {
     case AzureAppConfigurationConnectionMethod.OAuth:
-      if (
-        !INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID ||
-        !INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET
-      ) {
-        throw new InternalServerError({
-          message: `Azure ${getAppConnectionMethodName(method)} environment variables have not been configured`
-        });
-      }
-
-      let tokenResp: AxiosResponse<ExchangeCodeAzureResponse> | null = null;
-      let tokenError: AxiosError | null = null;
-      const oauthCredentials = inputCredentials as { code: string; tenantId?: string };
-      try {
-        tokenResp = await request.post<ExchangeCodeAzureResponse>(
-          IntegrationUrls.AZURE_TOKEN_URL.replace("common", oauthCredentials.tenantId || "common"),
-          new URLSearchParams({
-            grant_type: "authorization_code",
-            code: oauthCredentials.code,
-            scope: `openid offline_access https://azconfig.io/.default`,
-            client_id: INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID,
-            client_secret: INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET,
-            redirect_uri: `${SITE_URL}/organization/app-connections/azure/oauth/callback`
-          })
-        );
-      } catch (e: unknown) {
-        if (e instanceof AxiosError) {
-          tokenError = e;
-        } else {
-          throw new BadRequestError({
-            message: `Unable to validate connection: verify credentials`
-          });
-        }
-      }
-
-      if (tokenError) {
-        if (tokenError instanceof AxiosError) {
-          throw new BadRequestError({
-            message: `Failed to get access token: ${
-              (tokenError?.response?.data as { error_description?: string })?.error_description || "Unknown error"
-            }`
-          });
-        } else {
-          throw new InternalServerError({
-            message: "Failed to get access token"
-          });
-        }
-      }
-
-      if (!tokenResp) {
-        throw new InternalServerError({
-          message: `Failed to get access token: Token was empty with no error`
-        });
-      }
-
       return {
-        tenantId: oauthCredentials.tenantId,
+        tenantId: inputCredentials.tenantId,
         accessToken: tokenResp.data.access_token,
         refreshToken: tokenResp.data.refresh_token,
         expiresAt: Date.now() + tokenResp.data.expires_in * 1000
       };
-
-    case AzureAppConfigurationConnectionMethod.ClientSecret:
-      const { tenantId, clientId, clientSecret } = inputCredentials as {
-        tenantId: string;
-        clientId: string;
-        clientSecret: string;
-      };
-
-      try {
-        const { data: clientData } = await request.post<ExchangeCodeAzureResponse>(
-          IntegrationUrls.AZURE_TOKEN_URL.replace("common", tenantId || "common"),
-          new URLSearchParams({
-            grant_type: "client_credentials",
-            scope: `https://azconfig.io/.default`,
-            client_id: clientId,
-            client_secret: clientSecret
-          })
-        );
-
-        return {
-          tenantId,
-          accessToken: clientData.access_token,
-          expiresAt: Date.now() + clientData.expires_in * 1000,
-          clientId,
-          clientSecret
-        };
-      } catch (e: unknown) {
-        if (e instanceof AxiosError) {
-          throw new BadRequestError({
-            message: `Failed to get access token: ${
-              (e?.response?.data as { error_description?: string })?.error_description || "Unknown error"
-            }`
-          });
-        } else {
-          throw new InternalServerError({
-            message: "Failed to get access token"
-          });
-        }
-      }
-
     default:
       throw new InternalServerError({
-        message: `Unhandled Azure App Configuration connection method: ${method as AzureAppConfigurationConnectionMethod}`
+        message: `Unhandled Azure connection method: ${method as AzureAppConfigurationConnectionMethod}`
       });
   }
 };

backend/src/services/app-connection/azure-app-configuration/azure-app-configuration-connection-schemas.ts

@@ -22,29 +22,6 @@ export const AzureAppConfigurationConnectionOAuthOutputCredentialsSchema = z.obj
   expiresAt: z.number()
 });
 
-export const AzureAppConfigurationConnectionClientSecretInputCredentialsSchema = z.object({
-  clientId: z
-    .string()
-    .uuid()
-    .trim()
-    .min(1, "Client ID required")
-    .max(50, "Client ID must be at most 50 characters long"),
-  clientSecret: z
-    .string()
-    .trim()
-    .min(1, "Client Secret required")
-    .max(50, "Client Secret must be at most 50 characters long"),
-  tenantId: z.string().uuid().trim().min(1, "Tenant ID required")
-});
-
-export const AzureAppConfigurationConnectionClientSecretOutputCredentialsSchema = z.object({
-  clientId: z.string(),
-  clientSecret: z.string(),
-  tenantId: z.string(),
-  accessToken: z.string(),
-  expiresAt: z.number()
-});
-
 export const ValidateAzureAppConfigurationConnectionCredentialsSchema = z.discriminatedUnion("method", [
   z.object({
     method: z
@@ -53,14 +30,6 @@ export const ValidateAzureAppConfigurationConnectionCredentialsSchema = z.discri
     credentials: AzureAppConfigurationConnectionOAuthInputCredentialsSchema.describe(
       AppConnections.CREATE(AppConnection.AzureAppConfiguration).credentials
     )
-  }),
-  z.object({
-    method: z
-      .literal(AzureAppConfigurationConnectionMethod.ClientSecret)
-      .describe(AppConnections.CREATE(AppConnection.AzureAppConfiguration).method),
-    credentials: AzureAppConfigurationConnectionClientSecretInputCredentialsSchema.describe(
-      AppConnections.CREATE(AppConnection.AzureAppConfiguration).credentials
-    )
   })
 ]);
 
@@ -70,13 +39,9 @@ export const CreateAzureAppConfigurationConnectionSchema = ValidateAzureAppConfi
 
 export const UpdateAzureAppConfigurationConnectionSchema = z
   .object({
-    credentials: z
-      .union([
-        AzureAppConfigurationConnectionOAuthInputCredentialsSchema,
-        AzureAppConfigurationConnectionClientSecretInputCredentialsSchema
-      ])
-      .optional()
-      .describe(AppConnections.UPDATE(AppConnection.AzureAppConfiguration).credentials)
+    credentials: AzureAppConfigurationConnectionOAuthInputCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.AzureAppConfiguration).credentials
+    )
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.AzureAppConfiguration));
 
@@ -90,10 +55,6 @@ export const AzureAppConfigurationConnectionSchema = z.intersection(
     z.object({
       method: z.literal(AzureAppConfigurationConnectionMethod.OAuth),
       credentials: AzureAppConfigurationConnectionOAuthOutputCredentialsSchema
-    }),
-    z.object({
-      method: z.literal(AzureAppConfigurationConnectionMethod.ClientSecret),
-      credentials: AzureAppConfigurationConnectionClientSecretOutputCredentialsSchema
     })
   ])
 );
@@ -104,13 +65,6 @@ export const SanitizedAzureAppConfigurationConnectionSchema = z.discriminatedUni
     credentials: AzureAppConfigurationConnectionOAuthOutputCredentialsSchema.pick({
       tenantId: true
     })
-  }),
-  BaseAzureAppConfigurationConnectionSchema.extend({
-    method: z.literal(AzureAppConfigurationConnectionMethod.ClientSecret),
-    credentials: AzureAppConfigurationConnectionClientSecretOutputCredentialsSchema.pick({
-      clientId: true,
-      tenantId: true
-    })
   })
 ]);
 

backend/src/services/app-connection/azure-app-configuration/azure-app-configuration-connection-types.ts

@@ -4,7 +4,6 @@ import { DiscriminativePick } from "@app/lib/types";
 
 import { AppConnection } from "../app-connection-enums";
 import {
-  AzureAppConfigurationConnectionClientSecretOutputCredentialsSchema,
   AzureAppConfigurationConnectionOAuthOutputCredentialsSchema,
   AzureAppConfigurationConnectionSchema,
   CreateAzureAppConfigurationConnectionSchema,
@@ -40,7 +39,3 @@ export type ExchangeCodeAzureResponse = {
 export type TAzureAppConfigurationConnectionCredentials = z.infer<
   typeof AzureAppConfigurationConnectionOAuthOutputCredentialsSchema
 >;
-
-export type TAzureAppConfigurationConnectionClientSecretCredentials = z.infer<
-  typeof AzureAppConfigurationConnectionClientSecretOutputCredentialsSchema
->;

backend/src/services/app-connection/azure-devops/azure-devops-enums.ts

@@ -1,5 +1,4 @@
 export enum AzureDevOpsConnectionMethod {
   OAuth = "oauth",
-  AccessToken = "access-token",
-  ClientSecret = "client-secret"
+  AccessToken = "access-token"
 }

backend/src/services/app-connection/azure-devops/azure-devops-fns.ts

@@ -18,7 +18,6 @@ import { AppConnection } from "../app-connection-enums";
 import { AzureDevOpsConnectionMethod } from "./azure-devops-enums";
 import {
   ExchangeCodeAzureResponse,
-  TAzureDevOpsConnectionClientSecretCredentials,
   TAzureDevOpsConnectionConfig,
   TAzureDevOpsConnectionCredentials
 } from "./azure-devops-types";
@@ -31,8 +30,7 @@ export const getAzureDevopsConnectionListItem = () => {
     app: AppConnection.AzureDevOps as const,
     methods: Object.values(AzureDevOpsConnectionMethod) as [
       AzureDevOpsConnectionMethod.OAuth,
-      AzureDevOpsConnectionMethod.AccessToken,
-      AzureDevOpsConnectionMethod.ClientSecret
+      AzureDevOpsConnectionMethod.AccessToken
     ],
     oauthClientId: INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID
   };
@@ -55,7 +53,11 @@ export const getAzureDevopsConnection = async (
     });
   }
 
-  const currentTime = Date.now();
+  const credentials = (await decryptAppConnectionCredentials({
+    orgId: appConnection.orgId,
+    kmsService,
+    encryptedCredentials: appConnection.encryptedCredentials
+  })) as TAzureDevOpsConnectionCredentials;
 
   // Handle different connection methods
   switch (appConnection.method) {
@@ -67,17 +69,12 @@ export const getAzureDevopsConnection = async (
         });
       }
 
-      const oauthCredentials = (await decryptAppConnectionCredentials({
-        orgId: appConnection.orgId,
-        kmsService,
-        encryptedCredentials: appConnection.encryptedCredentials
-      })) as TAzureDevOpsConnectionCredentials;
-
-      if (!("refreshToken" in oauthCredentials)) {
+      if (!("refreshToken" in credentials)) {
         throw new BadRequestError({ message: "Invalid OAuth credentials" });
       }
 
-      const { refreshToken, tenantId } = oauthCredentials;
+      const { refreshToken, tenantId } = credentials;
+      const currentTime = Date.now();
 
       const { data } = await request.post<ExchangeCodeAzureResponse>(
         IntegrationUrls.AZURE_TOKEN_URL.replace("common", tenantId || "common"),
@@ -90,75 +87,29 @@ export const getAzureDevopsConnection = async (
         })
       );
 
-      const updatedOAuthCredentials = {
-        ...oauthCredentials,
+      const updatedCredentials = {
+        ...credentials,
         accessToken: data.access_token,
         expiresAt: currentTime + data.expires_in * 1000,
         refreshToken: data.refresh_token
       };
 
-      const encryptedOAuthCredentials = await encryptAppConnectionCredentials({
-        credentials: updatedOAuthCredentials,
+      const encryptedCredentials = await encryptAppConnectionCredentials({
+        credentials: updatedCredentials,
         orgId: appConnection.orgId,
         kmsService
       });
 
-      await appConnectionDAL.updateById(appConnection.id, { encryptedCredentials: encryptedOAuthCredentials });
+      await appConnectionDAL.updateById(appConnection.id, { encryptedCredentials });
 
       return data.access_token;
 
     case AzureDevOpsConnectionMethod.AccessToken:
-      const accessTokenCredentials = (await decryptAppConnectionCredentials({
-        orgId: appConnection.orgId,
-        kmsService,
-        encryptedCredentials: appConnection.encryptedCredentials
-      })) as { accessToken: string };
-
-      if (!("accessToken" in accessTokenCredentials)) {
+      if (!("accessToken" in credentials)) {
         throw new BadRequestError({ message: "Invalid API token credentials" });
       }
       // For access token, return the basic auth token directly
-      return accessTokenCredentials.accessToken;
-
-    case AzureDevOpsConnectionMethod.ClientSecret:
-      const clientSecretCredentials = (await decryptAppConnectionCredentials({
-        orgId: appConnection.orgId,
-        kmsService,
-        encryptedCredentials: appConnection.encryptedCredentials
-      })) as TAzureDevOpsConnectionClientSecretCredentials;
-
-      const { accessToken, expiresAt, clientId, clientSecret, tenantId: clientTenantId } = clientSecretCredentials;
-
-      // Check if token is still valid (with 5 minute buffer)
-      if (accessToken && expiresAt && expiresAt > currentTime + 300000) {
-        return accessToken;
-      }
-
-      const { data: clientData } = await request.post<ExchangeCodeAzureResponse>(
-        IntegrationUrls.AZURE_TOKEN_URL.replace("common", clientTenantId || "common"),
-        new URLSearchParams({
-          grant_type: "client_credentials",
-          scope: `https://app.vssps.visualstudio.com/.default`,
-          client_id: clientId,
-          client_secret: clientSecret
-        })
-      );
-
-      const updatedClientCredentials = {
-        ...clientSecretCredentials,
-        accessToken: clientData.access_token,
-        expiresAt: currentTime + clientData.expires_in * 1000
-      };
-
-      const encryptedClientCredentials = await encryptAppConnectionCredentials({
-        credentials: updatedClientCredentials,
-        orgId: appConnection.orgId,
-        kmsService
-      });
-
-      await appConnectionDAL.updateById(appConnection.id, { encryptedCredentials: encryptedClientCredentials });
-
-      return clientData.access_token;
+      return credentials.accessToken;
 
     default:
       throw new BadRequestError({ message: `Unsupported connection method` });
@@ -187,7 +138,7 @@ export const validateAzureDevOpsConnectionCredentials = async (config: TAzureDev
       let tokenError: AxiosError | null = null;
 
       try {
-        const oauthCredentials = inputCredentials as { code: string; tenantId: string; orgName: string };
+        const oauthCredentials = inputCredentials as { code: string; tenantId: string };
         tokenResp = await request.post<ExchangeCodeAzureResponse>(
           IntegrationUrls.AZURE_TOKEN_URL.replace("common", oauthCredentials.tenantId || "common"),
           new URLSearchParams({
@@ -311,67 +262,9 @@ export const validateAzureDevOpsConnectionCredentials = async (config: TAzureDev
         });
       }
 
-    case AzureDevOpsConnectionMethod.ClientSecret:
-      const { tenantId, clientId, clientSecret, orgName } = inputCredentials as {
-        tenantId: string;
-        clientId: string;
-        clientSecret: string;
-        orgName: string;
-      };
-
-      try {
-        // First, get the access token using client credentials flow
-        const { data: clientData } = await request.post<ExchangeCodeAzureResponse>(
-          IntegrationUrls.AZURE_TOKEN_URL.replace("common", tenantId || "common"),
-          new URLSearchParams({
-            grant_type: "client_credentials",
-            scope: `https://app.vssps.visualstudio.com/.default`,
-            client_id: clientId,
-            client_secret: clientSecret
-          })
-        );
-
-        // Validate access to the specific organization
-        const response = await request.get(
-          `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(orgName)}/_apis/projects?api-version=7.2-preview.2&$top=1`,
-          {
-            headers: {
-              Authorization: `Bearer ${clientData.access_token}`
-            }
-          }
-        );
-
-        if (response.status !== 200) {
-          throw new BadRequestError({
-            message: `Failed to validate connection to organization '${orgName}': ${response.status}`
-          });
-        }
-
-        return {
-          tenantId,
-          clientId,
-          clientSecret,
-          orgName,
-          accessToken: clientData.access_token,
-          expiresAt: Date.now() + clientData.expires_in * 1000
-        };
-      } catch (e: unknown) {
-        if (e instanceof AxiosError) {
-          throw new BadRequestError({
-            message: `Failed to authenticate with Azure DevOps using client credentials: ${
-              (e?.response?.data as { error_description?: string })?.error_description || e.message
-            }`
-          });
-        } else {
-          throw new InternalServerError({
-            message: "Failed to validate Azure DevOps client credentials"
-          });
-        }
-      }
-
     default:
       throw new InternalServerError({
-        message: `Unhandled Azure DevOps connection method: ${method as AzureDevOpsConnectionMethod}`
+        message: `Unhandled Azure connection method: ${method as AzureDevOpsConnectionMethod}`
       });
   }
 };

backend/src/services/app-connection/azure-devops/azure-devops-schemas.ts

@@ -38,42 +38,6 @@ export const AzureDevOpsConnectionAccessTokenOutputCredentialsSchema = z.object(
   orgName: z.string()
 });
 
-export const AzureDevOpsConnectionClientSecretInputCredentialsSchema = z.object({
-  clientId: z
-    .string()
-    .uuid()
-    .trim()
-    .min(1, "Client ID required")
-    .max(50, "Client ID must be at most 50 characters long")
-    .describe(AppConnections.CREDENTIALS.AZURE_DEVOPS.clientId),
-  clientSecret: z
-    .string()
-    .trim()
-    .min(1, "Client Secret required")
-    .max(50, "Client Secret must be at most 50 characters long")
-    .describe(AppConnections.CREDENTIALS.AZURE_DEVOPS.clientSecret),
-  tenantId: z
-    .string()
-    .uuid()
-    .trim()
-    .min(1, "Tenant ID required")
-    .describe(AppConnections.CREDENTIALS.AZURE_DEVOPS.tenantId),
-  orgName: z
-    .string()
-    .trim()
-    .min(1, "Organization name required")
-    .describe(AppConnections.CREDENTIALS.AZURE_DEVOPS.orgName)
-});
-
-export const AzureDevOpsConnectionClientSecretOutputCredentialsSchema = z.object({
-  clientId: z.string(),
-  clientSecret: z.string(),
-  tenantId: z.string(),
-  orgName: z.string(),
-  accessToken: z.string(),
-  expiresAt: z.number()
-});
-
 export const ValidateAzureDevOpsConnectionCredentialsSchema = z.discriminatedUnion("method", [
   z.object({
     method: z
@@ -90,14 +54,6 @@ export const ValidateAzureDevOpsConnectionCredentialsSchema = z.discriminatedUni
     credentials: AzureDevOpsConnectionAccessTokenInputCredentialsSchema.describe(
       AppConnections.CREATE(AppConnection.AzureDevOps).credentials
     )
-  }),
-  z.object({
-    method: z
-      .literal(AzureDevOpsConnectionMethod.ClientSecret)
-      .describe(AppConnections.CREATE(AppConnection.AzureDevOps).method),
-    credentials: AzureDevOpsConnectionClientSecretInputCredentialsSchema.describe(
-      AppConnections.CREATE(AppConnection.AzureDevOps).credentials
-    )
   })
 ]);
 
@@ -108,11 +64,7 @@ export const CreateAzureDevOpsConnectionSchema = ValidateAzureDevOpsConnectionCr
 export const UpdateAzureDevOpsConnectionSchema = z
   .object({
     credentials: z
-      .union([
-        AzureDevOpsConnectionOAuthInputCredentialsSchema,
-        AzureDevOpsConnectionAccessTokenInputCredentialsSchema,
-        AzureDevOpsConnectionClientSecretInputCredentialsSchema
-      ])
+      .union([AzureDevOpsConnectionOAuthInputCredentialsSchema, AzureDevOpsConnectionAccessTokenInputCredentialsSchema])
       .optional()
       .describe(AppConnections.UPDATE(AppConnection.AzureDevOps).credentials)
   })
@@ -132,10 +84,6 @@ export const AzureDevOpsConnectionSchema = z.intersection(
     z.object({
       method: z.literal(AzureDevOpsConnectionMethod.AccessToken),
       credentials: AzureDevOpsConnectionAccessTokenOutputCredentialsSchema
-    }),
-    z.object({
-      method: z.literal(AzureDevOpsConnectionMethod.ClientSecret),
-      credentials: AzureDevOpsConnectionClientSecretOutputCredentialsSchema
     })
   ])
 );
@@ -153,14 +101,6 @@ export const SanitizedAzureDevOpsConnectionSchema = z.discriminatedUnion("method
     credentials: AzureDevOpsConnectionAccessTokenOutputCredentialsSchema.pick({
       orgName: true
     })
-  }),
-  BaseAzureDevOpsConnectionSchema.extend({
-    method: z.literal(AzureDevOpsConnectionMethod.ClientSecret),
-    credentials: AzureDevOpsConnectionClientSecretOutputCredentialsSchema.pick({
-      clientId: true,
-      tenantId: true,
-      orgName: true
-    })
   })
 ]);
 

backend/src/services/app-connection/azure-devops/azure-devops-service.ts

@@ -52,11 +52,6 @@ const getAuthHeaders = (appConnection: TAzureDevOpsConnection, accessToken: stri
         Authorization: `Basic ${basicAuthToken}`,
         Accept: "application/json"
       };
-    case AzureDevOpsConnectionMethod.ClientSecret:
-      return {
-        Authorization: `Bearer ${accessToken}`,
-        Accept: "application/json"
-      };
     default:
       throw new BadRequestError({ message: "Unsupported connection method" });
   }

backend/src/services/app-connection/azure-devops/azure-devops-types.ts

@@ -4,7 +4,6 @@ import { DiscriminativePick } from "@app/lib/types";
 
 import { AppConnection } from "../app-connection-enums";
 import {
-  AzureDevOpsConnectionClientSecretOutputCredentialsSchema,
   AzureDevOpsConnectionOAuthOutputCredentialsSchema,
   AzureDevOpsConnectionSchema,
   CreateAzureDevOpsConnectionSchema,
@@ -28,10 +27,6 @@ export type TAzureDevOpsConnectionConfig = DiscriminativePick<
 
 export type TAzureDevOpsConnectionCredentials = z.infer<typeof AzureDevOpsConnectionOAuthOutputCredentialsSchema>;
 
-export type TAzureDevOpsConnectionClientSecretCredentials = z.infer<
-  typeof AzureDevOpsConnectionClientSecretOutputCredentialsSchema
->;
-
 export interface ExchangeCodeAzureResponse {
   token_type: string;
   scope: string;

backend/src/services/app-connection/azure-key-vault/azure-key-vault-connection-enums.ts

@@ -1,4 +1,3 @@
 export enum AzureKeyVaultConnectionMethod {
-  OAuth = "oauth",
-  ClientSecret = "client-secret"
+  OAuth = "oauth"
 }

backend/src/services/app-connection/azure-key-vault/azure-key-vault-connection-fns.ts

@@ -1,4 +1,3 @@
-/* eslint-disable no-case-declarations */
 import { AxiosError, AxiosResponse } from "axios";
 
 import { getConfig } from "@app/lib/config/env";
@@ -17,16 +16,25 @@ import { AppConnection } from "../app-connection-enums";
 import { AzureKeyVaultConnectionMethod } from "./azure-key-vault-connection-enums";
 import {
   ExchangeCodeAzureResponse,
-  TAzureKeyVaultConnectionClientSecretCredentials,
   TAzureKeyVaultConnectionConfig,
   TAzureKeyVaultConnectionCredentials
 } from "./azure-key-vault-connection-types";
 
 export const getAzureConnectionAccessToken = async (
   connectionId: string,
-  appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "updateById">,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update">,
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
 ) => {
+  const appCfg = getConfig();
+  if (
+    !appCfg.INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID ||
+    !appCfg.INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET
+  ) {
+    throw new BadRequestError({
+      message: `Azure environment variables have not been configured`
+    });
+  }
+
   const appConnection = await appConnectionDAL.findById(connectionId);
 
   if (!appConnection) {
@@ -41,101 +49,49 @@ export const getAzureConnectionAccessToken = async (
     throw new BadRequestError({ message: `Connection with ID '${connectionId}' is not a valid Azure connection` });
   }
 
-  const currentTime = Date.now();
+  const credentials = (await decryptAppConnectionCredentials({
+    orgId: appConnection.orgId,
+    kmsService,
+    encryptedCredentials: appConnection.encryptedCredentials
+  })) as TAzureKeyVaultConnectionCredentials;
 
-  switch (appConnection.method) {
-    case AzureKeyVaultConnectionMethod.OAuth:
-      const appCfg = getConfig();
-      if (
-        !appCfg.INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID ||
-        !appCfg.INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET
-      ) {
-        throw new BadRequestError({
-          message: `Azure environment variables have not been configured`
-        });
-      }
+  const { data } = await request.post<ExchangeCodeAzureResponse>(
+    IntegrationUrls.AZURE_TOKEN_URL.replace("common", credentials.tenantId || "common"),
+    new URLSearchParams({
+      grant_type: "refresh_token",
+      scope: `openid offline_access`,
+      client_id: appCfg.INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID,
+      client_secret: appCfg.INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET,
+      refresh_token: credentials.refreshToken
+    })
+  );
 
-      const oauthCredentials = (await decryptAppConnectionCredentials({
-        orgId: appConnection.orgId,
-        kmsService,
-        encryptedCredentials: appConnection.encryptedCredentials
-      })) as TAzureKeyVaultConnectionCredentials;
+  const accessExpiresAt = new Date();
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + data.expires_in);
 
-      const { data } = await request.post<ExchangeCodeAzureResponse>(
-        IntegrationUrls.AZURE_TOKEN_URL.replace("common", oauthCredentials.tenantId || "common"),
-        new URLSearchParams({
-          grant_type: "refresh_token",
-          scope: `openid offline_access https://vault.azure.net/.default`,
-          client_id: appCfg.INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID,
-          client_secret: appCfg.INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET,
-          refresh_token: oauthCredentials.refreshToken
-        })
-      );
+  const updatedCredentials = {
+    ...credentials,
+    accessToken: data.access_token,
+    expiresAt: accessExpiresAt.getTime(),
+    refreshToken: data.refresh_token
+  };
 
-      const updatedOAuthCredentials = {
-        ...oauthCredentials,
-        accessToken: data.access_token,
-        expiresAt: currentTime + data.expires_in * 1000,
-        refreshToken: data.refresh_token
-      };
+  const encryptedCredentials = await encryptAppConnectionCredentials({
+    credentials: updatedCredentials,
+    orgId: appConnection.orgId,
+    kmsService
+  });
 
-      const encryptedOAuthCredentials = await encryptAppConnectionCredentials({
-        credentials: updatedOAuthCredentials,
-        orgId: appConnection.orgId,
-        kmsService
-      });
+  await appConnectionDAL.update(
+    { id: connectionId },
+    {
+      encryptedCredentials
+    }
+  );
 
-      await appConnectionDAL.updateById(appConnection.id, { encryptedCredentials: encryptedOAuthCredentials });
-
-      return {
-        accessToken: data.access_token
-      };
-
-    case AzureKeyVaultConnectionMethod.ClientSecret:
-      const clientSecretCredentials = (await decryptAppConnectionCredentials({
-        orgId: appConnection.orgId,
-        kmsService,
-        encryptedCredentials: appConnection.encryptedCredentials
-      })) as TAzureKeyVaultConnectionClientSecretCredentials;
-
-      const { accessToken, expiresAt, clientId, clientSecret, tenantId } = clientSecretCredentials;
-
-      // Check if token is still valid (with 5 minute buffer)
-      if (accessToken && expiresAt && expiresAt > currentTime + 300000) {
-        return { accessToken };
-      }
-
-      const { data: clientData } = await request.post<ExchangeCodeAzureResponse>(
-        IntegrationUrls.AZURE_TOKEN_URL.replace("common", tenantId || "common"),
-        new URLSearchParams({
-          grant_type: "client_credentials",
-          scope: `https://vault.azure.net/.default`,
-          client_id: clientId,
-          client_secret: clientSecret
-        })
-      );
-
-      const updatedClientCredentials = {
-        ...clientSecretCredentials,
-        accessToken: clientData.access_token,
-        expiresAt: currentTime + clientData.expires_in * 1000
-      };
-
-      const encryptedClientCredentials = await encryptAppConnectionCredentials({
-        credentials: updatedClientCredentials,
-        orgId: appConnection.orgId,
-        kmsService
-      });
-
-      await appConnectionDAL.updateById(appConnection.id, { encryptedCredentials: encryptedClientCredentials });
-
-      return { accessToken: clientData.access_token };
-
-    default:
-      throw new InternalServerError({
-        message: `Unhandled Azure Key Vault connection method: ${appConnection.method as AzureKeyVaultConnectionMethod}`
-      });
-  }
+  return {
+    accessToken: data.access_token
+  };
 };
 
 export const getAzureKeyVaultConnectionListItem = () => {
@@ -144,10 +100,7 @@ export const getAzureKeyVaultConnectionListItem = () => {
   return {
     name: "Azure Key Vault" as const,
     app: AppConnection.AzureKeyVault as const,
-    methods: Object.values(AzureKeyVaultConnectionMethod) as [
-      AzureKeyVaultConnectionMethod.OAuth,
-      AzureKeyVaultConnectionMethod.ClientSecret
-    ],
+    methods: Object.values(AzureKeyVaultConnectionMethod) as [AzureKeyVaultConnectionMethod.OAuth],
     oauthClientId: INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID
   };
 };
@@ -158,108 +111,68 @@ export const validateAzureKeyVaultConnectionCredentials = async (config: TAzureK
   const { INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID, INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET, SITE_URL } =
     getConfig();
 
+  if (!INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID || !INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET) {
+    throw new InternalServerError({
+      message: `Azure ${getAppConnectionMethodName(method)} environment variables have not been configured`
+    });
+  }
+
+  let tokenResp: AxiosResponse<ExchangeCodeAzureResponse> | null = null;
+  let tokenError: AxiosError | null = null;
+
+  try {
+    tokenResp = await request.post<ExchangeCodeAzureResponse>(
+      IntegrationUrls.AZURE_TOKEN_URL.replace("common", inputCredentials.tenantId || "common"),
+      new URLSearchParams({
+        grant_type: "authorization_code",
+        code: inputCredentials.code,
+        scope: `openid offline_access https://vault.azure.net/.default`,
+        client_id: INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID,
+        client_secret: INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET,
+        redirect_uri: `${SITE_URL}/organization/app-connections/azure/oauth/callback`
+      })
+    );
+  } catch (e: unknown) {
+    if (e instanceof AxiosError) {
+      tokenError = e;
+    } else {
+      throw new BadRequestError({
+        message: `Unable to validate connection: verify credentials`
+      });
+    }
+  }
+
+  if (tokenError) {
+    if (tokenError instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to get access token: ${
+          (tokenError?.response?.data as { error_description?: string })?.error_description || "Unknown error"
+        }`
+      });
+    } else {
+      throw new InternalServerError({
+        message: "Failed to get access token"
+      });
+    }
+  }
+
+  if (!tokenResp) {
+    throw new InternalServerError({
+      message: `Failed to get access token: Token was empty with no error`
+    });
+  }
+
   switch (method) {
     case AzureKeyVaultConnectionMethod.OAuth:
-      if (!INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID || !INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET) {
-        throw new InternalServerError({
-          message: `Azure ${getAppConnectionMethodName(method)} environment variables have not been configured`
-        });
-      }
-
-      let tokenResp: AxiosResponse<ExchangeCodeAzureResponse> | null = null;
-      let tokenError: AxiosError | null = null;
-      const oauthCredentials = inputCredentials as { code: string; tenantId?: string };
-      try {
-        tokenResp = await request.post<ExchangeCodeAzureResponse>(
-          IntegrationUrls.AZURE_TOKEN_URL.replace("common", oauthCredentials.tenantId || "common"),
-          new URLSearchParams({
-            grant_type: "authorization_code",
-            code: oauthCredentials.code,
-            scope: `openid offline_access https://vault.azure.net/.default`,
-            client_id: INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID,
-            client_secret: INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET,
-            redirect_uri: `${SITE_URL}/organization/app-connections/azure/oauth/callback`
-          })
-        );
-      } catch (e: unknown) {
-        if (e instanceof AxiosError) {
-          tokenError = e;
-        } else {
-          throw new BadRequestError({
-            message: `Unable to validate connection: verify credentials`
-          });
-        }
-      }
-
-      if (tokenError) {
-        if (tokenError instanceof AxiosError) {
-          throw new BadRequestError({
-            message: `Failed to get access token: ${
-              (tokenError?.response?.data as { error_description?: string })?.error_description || "Unknown error"
-            }`
-          });
-        } else {
-          throw new InternalServerError({
-            message: "Failed to get access token"
-          });
-        }
-      }
-
-      if (!tokenResp) {
-        throw new InternalServerError({
-          message: `Failed to get access token: Token was empty with no error`
-        });
-      }
-
       return {
-        tenantId: oauthCredentials.tenantId,
+        tenantId: inputCredentials.tenantId,
         accessToken: tokenResp.data.access_token,
         refreshToken: tokenResp.data.refresh_token,
         expiresAt: Date.now() + tokenResp.data.expires_in * 1000
       };
-
-    case AzureKeyVaultConnectionMethod.ClientSecret:
-      const { tenantId, clientId, clientSecret } = inputCredentials as {
-        tenantId: string;
-        clientId: string;
-        clientSecret: string;
-      };
-
-      try {
-        const { data: clientData } = await request.post<ExchangeCodeAzureResponse>(
-          IntegrationUrls.AZURE_TOKEN_URL.replace("common", tenantId || "common"),
-          new URLSearchParams({
-            grant_type: "client_credentials",
-            scope: `https://vault.azure.net/.default`,
-            client_id: clientId,
-            client_secret: clientSecret
-          })
-        );
-
-        return {
-          tenantId,
-          accessToken: clientData.access_token,
-          expiresAt: Date.now() + clientData.expires_in * 1000,
-          clientId,
-          clientSecret
-        };
-      } catch (e: unknown) {
-        if (e instanceof AxiosError) {
-          throw new BadRequestError({
-            message: `Failed to get access token: ${
-              (e?.response?.data as { error_description?: string })?.error_description || "Unknown error"
-            }`
-          });
-        } else {
-          throw new InternalServerError({
-            message: "Failed to get access token"
-          });
-        }
-      }
-
     default:
       throw new InternalServerError({
-        message: `Unhandled Azure Key Vault connection method: ${method as AzureKeyVaultConnectionMethod}`
+        message: `Unhandled Azure connection method: ${method as AzureKeyVaultConnectionMethod}`
       });
   }
 };

backend/src/services/app-connection/azure-key-vault/azure-key-vault-connection-schemas.ts

@@ -22,29 +22,6 @@ export const AzureKeyVaultConnectionOAuthOutputCredentialsSchema = z.object({
   expiresAt: z.number()
 });
 
-export const AzureKeyVaultConnectionClientSecretInputCredentialsSchema = z.object({
-  clientId: z
-    .string()
-    .uuid()
-    .trim()
-    .min(1, "Client ID required")
-    .max(50, "Client ID must be at most 50 characters long"),
-  clientSecret: z
-    .string()
-    .trim()
-    .min(1, "Client Secret required")
-    .max(50, "Client Secret must be at most 50 characters long"),
-  tenantId: z.string().uuid().trim().min(1, "Tenant ID required")
-});
-
-export const AzureKeyVaultConnectionClientSecretOutputCredentialsSchema = z.object({
-  clientId: z.string(),
-  clientSecret: z.string(),
-  tenantId: z.string(),
-  accessToken: z.string(),
-  expiresAt: z.number()
-});
-
 export const ValidateAzureKeyVaultConnectionCredentialsSchema = z.discriminatedUnion("method", [
   z.object({
     method: z
@@ -53,14 +30,6 @@ export const ValidateAzureKeyVaultConnectionCredentialsSchema = z.discriminatedU
     credentials: AzureKeyVaultConnectionOAuthInputCredentialsSchema.describe(
       AppConnections.CREATE(AppConnection.AzureKeyVault).credentials
     )
-  }),
-  z.object({
-    method: z
-      .literal(AzureKeyVaultConnectionMethod.ClientSecret)
-      .describe(AppConnections.CREATE(AppConnection.AzureKeyVault).method),
-    credentials: AzureKeyVaultConnectionClientSecretInputCredentialsSchema.describe(
-      AppConnections.CREATE(AppConnection.AzureKeyVault).credentials
-    )
   })
 ]);
 
@@ -70,13 +39,9 @@ export const CreateAzureKeyVaultConnectionSchema = ValidateAzureKeyVaultConnecti
 
 export const UpdateAzureKeyVaultConnectionSchema = z
   .object({
-    credentials: z
-      .union([
-        AzureKeyVaultConnectionOAuthInputCredentialsSchema,
-        AzureKeyVaultConnectionClientSecretInputCredentialsSchema
-      ])
-      .optional()
-      .describe(AppConnections.UPDATE(AppConnection.AzureKeyVault).credentials)
+    credentials: AzureKeyVaultConnectionOAuthInputCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.AzureKeyVault).credentials
+    )
   })
   .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.AzureKeyVault));
 
@@ -90,10 +55,6 @@ export const AzureKeyVaultConnectionSchema = z.intersection(
     z.object({
       method: z.literal(AzureKeyVaultConnectionMethod.OAuth),
       credentials: AzureKeyVaultConnectionOAuthOutputCredentialsSchema
-    }),
-    z.object({
-      method: z.literal(AzureKeyVaultConnectionMethod.ClientSecret),
-      credentials: AzureKeyVaultConnectionClientSecretOutputCredentialsSchema
     })
   ])
 );
@@ -104,13 +65,6 @@ export const SanitizedAzureKeyVaultConnectionSchema = z.discriminatedUnion("meth
     credentials: AzureKeyVaultConnectionOAuthOutputCredentialsSchema.pick({
       tenantId: true
     })
-  }),
-  BaseAzureKeyVaultConnectionSchema.extend({
-    method: z.literal(AzureKeyVaultConnectionMethod.ClientSecret),
-    credentials: AzureKeyVaultConnectionClientSecretOutputCredentialsSchema.pick({
-      clientId: true,
-      tenantId: true
-    })
   })
 ]);
 

backend/src/services/app-connection/azure-key-vault/azure-key-vault-connection-types.ts

@@ -4,7 +4,6 @@ import { DiscriminativePick } from "@app/lib/types";
 
 import { AppConnection } from "../app-connection-enums";
 import {
-  AzureKeyVaultConnectionClientSecretOutputCredentialsSchema,
   AzureKeyVaultConnectionOAuthOutputCredentialsSchema,
   AzureKeyVaultConnectionSchema,
   CreateAzureKeyVaultConnectionSchema,
@@ -37,7 +36,3 @@ export type ExchangeCodeAzureResponse = {
 };
 
 export type TAzureKeyVaultConnectionCredentials = z.infer<typeof AzureKeyVaultConnectionOAuthOutputCredentialsSchema>;
-
-export type TAzureKeyVaultConnectionClientSecretCredentials = z.infer<
-  typeof AzureKeyVaultConnectionClientSecretOutputCredentialsSchema
->;

backend/src/services/app-connection/cloudflare/cloudflare-connection-fns.ts

@@ -10,8 +10,7 @@ import {
   TCloudflareConnection,
   TCloudflareConnectionConfig,
   TCloudflarePagesProject,
-  TCloudflareWorkersScript,
-  TCloudflareZone
+  TCloudflareWorkersScript
 } from "./cloudflare-connection-types";
 
 export const getCloudflareConnectionListItem = () => {
@@ -67,27 +66,6 @@ export const listCloudflareWorkersScripts = async (
   }));
 };
 
-export const listCloudflareZones = async (appConnection: TCloudflareConnection): Promise<TCloudflareZone[]> => {
-  const {
-    credentials: { apiToken }
-  } = appConnection;
-
-  const { data } = await request.get<{ result: { name: string; id: string }[] }>(
-    `${IntegrationUrls.CLOUDFLARE_API_URL}/client/v4/zones`,
-    {
-      headers: {
-        Authorization: `Bearer ${apiToken}`,
-        Accept: "application/json"
-      }
-    }
-  );
-
-  return data.result.map((a) => ({
-    name: a.name,
-    id: a.id
-  }));
-};
-
 export const validateCloudflareConnectionCredentials = async (config: TCloudflareConnectionConfig) => {
   const { apiToken, accountId } = config.credentials;
 

backend/src/services/app-connection/cloudflare/cloudflare-connection-service.ts

@@ -2,11 +2,7 @@ import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";
 
 import { AppConnection } from "../app-connection-enums";
-import {
-  listCloudflarePagesProjects,
-  listCloudflareWorkersScripts,
-  listCloudflareZones
-} from "./cloudflare-connection-fns";
+import { listCloudflarePagesProjects, listCloudflareWorkersScripts } from "./cloudflare-connection-fns";
 import { TCloudflareConnection } from "./cloudflare-connection-types";
 
 type TGetAppConnectionFunc = (
@@ -20,6 +16,7 @@ export const cloudflareConnectionService = (getAppConnection: TGetAppConnectionF
     const appConnection = await getAppConnection(AppConnection.Cloudflare, connectionId, actor);
     try {
       const projects = await listCloudflarePagesProjects(appConnection);
+
       return projects;
     } catch (error) {
       logger.error(
@@ -33,8 +30,9 @@ export const cloudflareConnectionService = (getAppConnection: TGetAppConnectionF
   const listWorkersScripts = async (connectionId: string, actor: OrgServiceActor) => {
     const appConnection = await getAppConnection(AppConnection.Cloudflare, connectionId, actor);
     try {
-      const scripts = await listCloudflareWorkersScripts(appConnection);
-      return scripts;
+      const projects = await listCloudflareWorkersScripts(appConnection);
+
+      return projects;
     } catch (error) {
       logger.error(
         error,
@@ -44,20 +42,8 @@ export const cloudflareConnectionService = (getAppConnection: TGetAppConnectionF
     }
   };
 
-  const listZones = async (connectionId: string, actor: OrgServiceActor) => {
-    const appConnection = await getAppConnection(AppConnection.Cloudflare, connectionId, actor);
-    try {
-      const zones = await listCloudflareZones(appConnection);
-      return zones;
-    } catch (error) {
-      logger.error(error, `Failed to list Cloudflare Zones for Cloudflare connection [connectionId=${connectionId}]`);
-      return [];
-    }
-  };
-
   return {
     listPagesProjects,
-    listWorkersScripts,
-    listZones
+    listWorkersScripts
   };
 };

backend/src/services/app-connection/cloudflare/cloudflare-connection-types.ts

@@ -32,8 +32,3 @@ export type TCloudflarePagesProject = {
 export type TCloudflareWorkersScript = {
   id: string;
 };
-
-export type TCloudflareZone = {
-  id: string;
-  name: string;
-};

backend/src/services/app-connection/github/github-connection-fns.ts

@@ -1,18 +1,12 @@
 import { createAppAuth } from "@octokit/auth-app";
-import { request } from "@octokit/request";
-import { AxiosError, AxiosRequestConfig, AxiosResponse } from "axios";
-import https from "https";
-import RE2 from "re2";
+import { Octokit } from "@octokit/rest";
+import { AxiosResponse } from "axios";
 
-import { verifyHostInputValidity } from "@app/ee/services/dynamic-secret/dynamic-secret-fns";
-import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { getConfig } from "@app/lib/config/env";
-import { request as httpRequest } from "@app/lib/config/request";
+import { request } from "@app/lib/config/request";
 import { BadRequestError, ForbiddenRequestError, InternalServerError } from "@app/lib/errors";
-import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
-import { logger } from "@app/lib/logger";
-import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 import { getAppConnectionMethodName } from "@app/services/app-connection/app-connection-fns";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
 
 import { AppConnection } from "../app-connection-enums";
 import { GitHubConnectionMethod } from "./github-connection-enums";
@@ -30,247 +24,123 @@ export const getGitHubConnectionListItem = () => {
   };
 };
 
-export const getGitHubInstanceApiUrl = async (config: {
-  credentials: Pick<TGitHubConnectionConfig["credentials"], "host" | "instanceType">;
-}) => {
-  const host = config.credentials.host || "github.com";
-
-  await blockLocalAndPrivateIpAddresses(host);
-
-  let apiBase: string;
-  if (config.credentials.instanceType === "server") {
-    apiBase = `${host}/api/v3`;
-  } else {
-    apiBase = `api.${host}`;
-  }
-
-  return apiBase;
-};
-
-export const requestWithGitHubGateway = async <T>(
-  appConnection: { gatewayId?: string | null },
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">,
-  requestConfig: AxiosRequestConfig
-): Promise<AxiosResponse<T>> => {
-  const { gatewayId } = appConnection;
-
-  // If gateway isn't set up, don't proxy request
-  if (!gatewayId) {
-    return httpRequest.request(requestConfig);
-  }
-
-  const url = new URL(requestConfig.url as string);
-
-  await blockLocalAndPrivateIpAddresses(url.toString());
-
-  const [targetHost] = await verifyHostInputValidity(url.host, true);
-  const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(gatewayId);
-  const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
-
-  return withGatewayProxy(
-    async (proxyPort) => {
-      const httpsAgent = new https.Agent({
-        servername: targetHost
-      });
-
-      url.protocol = "https:";
-      url.host = `localhost:${proxyPort}`;
-
-      const finalRequestConfig: AxiosRequestConfig = {
-        ...requestConfig,
-        url: url.toString(),
-        httpsAgent,
-        headers: {
-          ...requestConfig.headers,
-          Host: targetHost
-        }
-      };
-
-      try {
-        return await httpRequest.request(finalRequestConfig);
-      } catch (error) {
-        const axiosError = error as AxiosError;
-        logger.error(
-          { message: axiosError.message, data: axiosError.response?.data },
-          "Error during GitHub gateway request:"
-        );
-        throw error;
-      }
-    },
-    {
-      protocol: GatewayProxyProtocol.Tcp,
-      targetHost,
-      targetPort: 443,
-      relayHost,
-      relayPort: Number(relayPort),
-      identityId: relayDetails.identityId,
-      orgId: relayDetails.orgId,
-      tlsOptions: {
-        ca: relayDetails.certChain,
-        cert: relayDetails.certificate,
-        key: relayDetails.privateKey.toString()
-      }
-    }
-  );
-};
-
-export const getGitHubAppAuthToken = async (appConnection: TGitHubConnection) => {
+export const getGitHubClient = (appConnection: TGitHubConnection) => {
   const appCfg = getConfig();
+
+  const { method, credentials } = appConnection;
+
+  let client: Octokit;
+
   const appId = appCfg.INF_APP_CONNECTION_GITHUB_APP_ID;
   const appPrivateKey = appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY;
 
-  if (!appId || !appPrivateKey) {
-    throw new InternalServerError({
-      message: `GitHub App keys are not configured.`
-    });
-  }
-
-  if (appConnection.method !== GitHubConnectionMethod.App) {
-    throw new InternalServerError({ message: "Cannot generate GitHub App token for non-app connection" });
-  }
-
-  const appAuth = createAppAuth({
-    appId,
-    privateKey: appPrivateKey,
-    installationId: appConnection.credentials.installationId,
-    request: request.defaults({
-      baseUrl: `https://${await getGitHubInstanceApiUrl(appConnection)}`
-    })
-  });
-
-  const { token } = await appAuth({ type: "installation" });
-  return token;
-};
-
-function extractNextPageUrl(linkHeader: string | undefined): string | null {
-  if (!linkHeader) return null;
-
-  const links = linkHeader.split(",");
-  const nextLink = links.find((link) => link.includes('rel="next"'));
-
-  if (!nextLink) return null;
-
-  const match = new RE2(/<([^>]+)>/).exec(nextLink);
-  return match ? match[1] : null;
-}
-
-export const makePaginatedGitHubRequest = async <T, R = T[]>(
-  appConnection: TGitHubConnection,
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">,
-  path: string,
-  dataMapper?: (data: R) => T[]
-): Promise<T[]> => {
-  const { credentials, method } = appConnection;
-
-  const token =
-    method === GitHubConnectionMethod.OAuth ? credentials.accessToken : await getGitHubAppAuthToken(appConnection);
-  let url: string | null = `https://${await getGitHubInstanceApiUrl(appConnection)}${path}`;
-  let results: T[] = [];
-  let i = 0;
-
-  while (url && i < 1000) {
-    // eslint-disable-next-line no-await-in-loop
-    const response: AxiosResponse<R> = await requestWithGitHubGateway<R>(appConnection, gatewayService, {
-      url,
-      method: "GET",
-      headers: {
-        Accept: "application/vnd.github+json",
-        Authorization: `Bearer ${token}`,
-        "X-GitHub-Api-Version": "2022-11-28"
+  switch (method) {
+    case GitHubConnectionMethod.App:
+      if (!appId || !appPrivateKey) {
+        throw new InternalServerError({
+          message: `GitHub ${getAppConnectionMethodName(method).replace("GitHub", "")} has not been configured`
+        });
       }
-    });
 
-    const items = dataMapper ? dataMapper(response.data) : (response.data as unknown as T[]);
-    results = results.concat(items);
-
-    url = extractNextPageUrl(response.headers.link as string | undefined);
-    i += 1;
+      client = new Octokit({
+        authStrategy: createAppAuth,
+        auth: {
+          appId,
+          privateKey: appPrivateKey,
+          installationId: credentials.installationId
+        }
+      });
+      break;
+    case GitHubConnectionMethod.OAuth:
+      client = new Octokit({
+        auth: credentials.accessToken
+      });
+      break;
+    default:
+      throw new InternalServerError({
+        message: `Unhandled GitHub connection method: ${method as GitHubConnectionMethod}`
+      });
   }
 
-  return results;
+  return client;
 };
 
 type GitHubOrganization = {
   login: string;
   id: number;
-  type: string;
 };
 
 type GitHubRepository = {
   id: number;
   name: string;
   owner: GitHubOrganization;
-  permissions?: {
-    admin: boolean;
-    maintain: boolean;
-    push: boolean;
-    triage: boolean;
-    pull: boolean;
-  };
 };
 
-type GitHubEnvironment = {
-  id: number;
-  name: string;
-};
+export const getGitHubRepositories = async (appConnection: TGitHubConnection) => {
+  const client = getGitHubClient(appConnection);
 
-export const getGitHubRepositories = async (
-  appConnection: TGitHubConnection,
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
-) => {
-  if (appConnection.method === GitHubConnectionMethod.App) {
-    return makePaginatedGitHubRequest<GitHubRepository, { repositories: GitHubRepository[] }>(
-      appConnection,
-      gatewayService,
-      "/installation/repositories",
-      (data) => data.repositories
-    );
+  let repositories: GitHubRepository[];
+
+  switch (appConnection.method) {
+    case GitHubConnectionMethod.App:
+      repositories = await client.paginate("GET /installation/repositories");
+      break;
+    case GitHubConnectionMethod.OAuth:
+    default:
+      repositories = (await client.paginate("GET /user/repos")).filter((repo) => repo.permissions?.admin);
+      break;
   }
 
-  const repos = await makePaginatedGitHubRequest<GitHubRepository>(appConnection, gatewayService, "/user/repos");
-  return repos.filter((repo) => repo.permissions?.admin);
+  return repositories;
 };
 
-export const getGitHubOrganizations = async (
-  appConnection: TGitHubConnection,
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
-) => {
-  if (appConnection.method === GitHubConnectionMethod.App) {
-    const installationRepositories = await makePaginatedGitHubRequest<
-      GitHubRepository,
-      { repositories: GitHubRepository[] }
-    >(appConnection, gatewayService, "/installation/repositories", (data) => data.repositories);
+export const getGitHubOrganizations = async (appConnection: TGitHubConnection) => {
+  const client = getGitHubClient(appConnection);
 
-    const organizationMap: Record<string, GitHubOrganization> = {};
-    installationRepositories.forEach((repo) => {
-      if (repo.owner.type === "Organization") {
-        organizationMap[repo.owner.id] = repo.owner;
-      }
+  let organizations: GitHubOrganization[];
+
+  switch (appConnection.method) {
+    case GitHubConnectionMethod.App: {
+      const installationRepositories = await client.paginate("GET /installation/repositories");
+
+      const organizationMap: Record<string, GitHubOrganization> = {};
+
+      installationRepositories.forEach((repo) => {
+        if (repo.owner.type === "Organization") {
+          organizationMap[repo.owner.id] = repo.owner;
+        }
+      });
+
+      organizations = Object.values(organizationMap);
+
+      break;
+    }
+    case GitHubConnectionMethod.OAuth:
+    default:
+      organizations = await client.paginate("GET /user/orgs");
+      break;
+  }
+
+  return organizations;
+};
+
+export const getGitHubEnvironments = async (appConnection: TGitHubConnection, owner: string, repo: string) => {
+  const client = getGitHubClient(appConnection);
+
+  try {
+    const environments = await client.paginate("GET /repos/{owner}/{repo}/environments", {
+      owner,
+      repo
     });
 
-    return Object.values(organizationMap);
-  }
+    return environments;
+  } catch (e) {
+    // repo doesn't have envs
+    if ((e as { status: number }).status === 404) {
+      return [];
+    }
 
-  return makePaginatedGitHubRequest<GitHubOrganization>(appConnection, gatewayService, "/user/orgs");
-};
-
-export const getGitHubEnvironments = async (
-  appConnection: TGitHubConnection,
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">,
-  owner: string,
-  repo: string
-) => {
-  try {
-    return await makePaginatedGitHubRequest<GitHubEnvironment, { environments: GitHubEnvironment[] }>(
-      appConnection,
-      gatewayService,
-      `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/environments`,
-      (data) => data.environments
-    );
-  } catch (error) {
-    const axiosError = error as AxiosError;
-    if (axiosError.response?.status === 404) return [];
-    throw error;
+    throw e;
   }
 };
 
@@ -289,11 +159,9 @@ export function isGithubErrorResponse(data: GithubTokenRespData): data is Github
   return "error" in data;
 }
 
-export const validateGitHubConnectionCredentials = async (
-  config: TGitHubConnectionConfig,
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
-) => {
+export const validateGitHubConnectionCredentials = async (config: TGitHubConnectionConfig) => {
   const { credentials, method } = config;
+
   const {
     INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID,
     INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET,
@@ -324,13 +192,10 @@ export const validateGitHubConnectionCredentials = async (
   }
 
   let tokenResp: AxiosResponse<GithubTokenRespData>;
-  const host = credentials.host || "github.com";
 
   try {
-    tokenResp = await requestWithGitHubGateway<GithubTokenRespData>(config, gatewayService, {
-      url: `https://${host}/login/oauth/access_token`,
-      method: "POST",
-      data: {
+    tokenResp = await request.get<GithubTokenRespData>("https://github.com/login/oauth/access_token", {
+      params: {
         client_id: clientId,
         client_secret: clientSecret,
         code: credentials.code,
@@ -338,7 +203,7 @@ export const validateGitHubConnectionCredentials = async (
       },
       headers: {
         Accept: "application/json",
-        "Content-Type": "application/json"
+        "Accept-Encoding": "application/json"
       }
     });
 
@@ -368,7 +233,7 @@ export const validateGitHubConnectionCredentials = async (
       throw new InternalServerError({ message: `Missing access token: ${tokenResp.data.error}` });
     }
 
-    const installationsResp = await requestWithGitHubGateway<{
+    const installationsResp = await request.get<{
       installations: {
         id: number;
         account: {
@@ -377,8 +242,7 @@ export const validateGitHubConnectionCredentials = async (
           id: number;
         };
       }[];
-    }>(config, gatewayService, {
-      url: `https://${await getGitHubInstanceApiUrl(config)}/user/installations`,
+    }>(IntegrationUrls.GITHUB_USER_INSTALLATIONS, {
       headers: {
         Accept: "application/json",
         Authorization: `Bearer ${tokenResp.data.access_token}`,
@@ -400,15 +264,11 @@ export const validateGitHubConnectionCredentials = async (
   switch (method) {
     case GitHubConnectionMethod.App:
       return {
-        installationId: credentials.installationId,
-        instanceType: credentials.instanceType,
-        host: credentials.host
+        installationId: credentials.installationId
       };
     case GitHubConnectionMethod.OAuth:
       return {
-        accessToken: tokenResp.data.access_token,
-        instanceType: credentials.instanceType,
-        host: credentials.host
+        accessToken: tokenResp.data.access_token
       };
     default:
       throw new InternalServerError({

backend/src/services/app-connection/github/github-connection-schemas.ts

@@ -10,59 +10,22 @@ import {
 
 import { GitHubConnectionMethod } from "./github-connection-enums";
 
-export const GitHubConnectionOAuthInputCredentialsSchema = z.union([
-  z.object({
-    code: z.string().trim().min(1, "OAuth code required"),
-    instanceType: z.literal("server"),
-    host: z.string().trim().min(1, "Host is required for server instance type")
-  }),
-  z.object({
-    code: z.string().trim().min(1, "OAuth code required"),
-    instanceType: z.literal("cloud").optional(),
-    host: z.string().trim().optional()
-  })
-]);
+export const GitHubConnectionOAuthInputCredentialsSchema = z.object({
+  code: z.string().trim().min(1, "OAuth code required")
+});
 
-export const GitHubConnectionAppInputCredentialsSchema = z.union([
-  z.object({
-    code: z.string().trim().min(1, "GitHub App code required"),
-    installationId: z.string().min(1, "GitHub App Installation ID required"),
-    instanceType: z.literal("server"),
-    host: z.string().trim().min(1, "Host is required for server instance type")
-  }),
-  z.object({
-    code: z.string().trim().min(1, "GitHub App code required"),
-    installationId: z.string().min(1, "GitHub App Installation ID required"),
-    instanceType: z.literal("cloud").optional(),
-    host: z.string().trim().optional()
-  })
-]);
+export const GitHubConnectionAppInputCredentialsSchema = z.object({
+  code: z.string().trim().min(1, "GitHub App code required"),
+  installationId: z.string().min(1, "GitHub App Installation ID required")
+});
 
-export const GitHubConnectionOAuthOutputCredentialsSchema = z.union([
-  z.object({
-    accessToken: z.string(),
-    instanceType: z.literal("server"),
-    host: z.string().trim().min(1)
-  }),
-  z.object({
-    accessToken: z.string(),
-    instanceType: z.literal("cloud").optional(),
-    host: z.string().trim().optional()
-  })
-]);
+export const GitHubConnectionOAuthOutputCredentialsSchema = z.object({
+  accessToken: z.string()
+});
 
-export const GitHubConnectionAppOutputCredentialsSchema = z.union([
-  z.object({
-    installationId: z.string(),
-    instanceType: z.literal("server"),
-    host: z.string().trim().min(1)
-  }),
-  z.object({
-    installationId: z.string(),
-    instanceType: z.literal("cloud").optional(),
-    host: z.string().trim().optional()
-  })
-]);
+export const GitHubConnectionAppOutputCredentialsSchema = z.object({
+  installationId: z.string()
+});
 
 export const ValidateGitHubConnectionCredentialsSchema = z.discriminatedUnion("method", [
   z.object({
@@ -80,9 +43,7 @@ export const ValidateGitHubConnectionCredentialsSchema = z.discriminatedUnion("m
 ]);
 
 export const CreateGitHubConnectionSchema = ValidateGitHubConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.GitHub, {
-    supportsGateways: true
-  })
+  GenericCreateAppConnectionFieldsSchema(AppConnection.GitHub)
 );
 
 export const UpdateGitHubConnectionSchema = z
@@ -92,11 +53,7 @@ export const UpdateGitHubConnectionSchema = z
       .optional()
       .describe(AppConnections.UPDATE(AppConnection.GitHub).credentials)
   })
-  .and(
-    GenericUpdateAppConnectionFieldsSchema(AppConnection.GitHub, {
-      supportsGateways: true
-    })
-  );
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.GitHub));
 
 const BaseGitHubConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.GitHub) });
 
@@ -117,17 +74,11 @@ export const GitHubConnectionSchema = z.intersection(
 export const SanitizedGitHubConnectionSchema = z.discriminatedUnion("method", [
   BaseGitHubConnectionSchema.extend({
     method: z.literal(GitHubConnectionMethod.App),
-    credentials: z.object({
-      instanceType: z.union([z.literal("server"), z.literal("cloud")]).optional(),
-      host: z.string().optional()
-    })
+    credentials: GitHubConnectionAppOutputCredentialsSchema.pick({})
   }),
   BaseGitHubConnectionSchema.extend({
     method: z.literal(GitHubConnectionMethod.OAuth),
-    credentials: z.object({
-      instanceType: z.union([z.literal("server"), z.literal("cloud")]).optional(),
-      host: z.string().optional()
-    })
+    credentials: GitHubConnectionOAuthOutputCredentialsSchema.pick({})
   })
 ]);
 

backend/src/services/app-connection/github/github-connection-service.ts

@@ -1,4 +1,3 @@
-import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { OrgServiceActor } from "@app/lib/types";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
@@ -20,14 +19,11 @@ type TListGitHubEnvironmentsDTO = {
   owner: string;
 };
 
-export const githubConnectionService = (
-  getAppConnection: TGetAppConnectionFunc,
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
-) => {
+export const githubConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
   const listRepositories = async (connectionId: string, actor: OrgServiceActor) => {
     const appConnection = await getAppConnection(AppConnection.GitHub, connectionId, actor);
 
-    const repositories = await getGitHubRepositories(appConnection, gatewayService);
+    const repositories = await getGitHubRepositories(appConnection);
 
     return repositories;
   };
@@ -35,7 +31,7 @@ export const githubConnectionService = (
   const listOrganizations = async (connectionId: string, actor: OrgServiceActor) => {
     const appConnection = await getAppConnection(AppConnection.GitHub, connectionId, actor);
 
-    const organizations = await getGitHubOrganizations(appConnection, gatewayService);
+    const organizations = await getGitHubOrganizations(appConnection);
 
     return organizations;
   };
@@ -46,7 +42,7 @@ export const githubConnectionService = (
   ) => {
     const appConnection = await getAppConnection(AppConnection.GitHub, connectionId, actor);
 
-    const environments = await getGitHubEnvironments(appConnection, gatewayService, owner, repo);
+    const environments = await getGitHubEnvironments(appConnection, owner, repo);
 
     return environments;
   };

backend/src/services/app-connection/github/github-connection-types.ts

@@ -17,7 +17,4 @@ export type TGitHubConnectionInput = z.infer<typeof CreateGitHubConnectionSchema
 
 export type TValidateGitHubConnectionCredentialsSchema = typeof ValidateGitHubConnectionCredentialsSchema;
 
-export type TGitHubConnectionConfig = DiscriminativePick<
-  TGitHubConnectionInput,
-  "method" | "app" | "credentials" | "gatewayId"
->;
+export type TGitHubConnectionConfig = DiscriminativePick<TGitHubConnectionInput, "method" | "app" | "credentials">;

backend/src/services/app-connection/gitlab/gitlab-connection-fns.ts

@@ -222,37 +222,6 @@ export const validateGitLabConnectionCredentials = async (config: TGitLabConnect
   return inputCredentials;
 };
 
-export const getGitLabConnectionClient = async (
-  appConnection: TGitLabConnection,
-  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
-) => {
-  let { accessToken } = appConnection.credentials;
-
-  if (
-    appConnection.method === GitLabConnectionMethod.OAuth &&
-    appConnection.credentials.refreshToken &&
-    new Date(appConnection.credentials.expiresAt) < new Date()
-  ) {
-    accessToken = await refreshGitLabToken(
-      appConnection.credentials.refreshToken,
-      appConnection.id,
-      appConnection.orgId,
-      appConnectionDAL,
-      kmsService,
-      appConnection.credentials.instanceUrl
-    );
-  }
-
-  const client = await getGitLabClient(
-    accessToken,
-    appConnection.credentials.instanceUrl,
-    appConnection.method === GitLabConnectionMethod.OAuth
-  );
-
-  return client;
-};
-
 export const listGitLabProjects = async ({
   appConnection,
   appConnectionDAL,

backend/src/services/app-connection/netlify/index.ts

@@ -1,4 +0,0 @@
-export * from "./netlify-connection-constants";
-export * from "./netlify-connection-fns";
-export * from "./netlify-connection-schemas";
-export * from "./netlify-connection-types";

backend/src/services/app-connection/netlify/netlify-connection-constants.ts

@@ -1,3 +0,0 @@
-export enum NetlifyConnectionMethod {
-  AccessToken = "access-token"
-}

backend/src/services/app-connection/netlify/netlify-connection-fns.ts

@@ -1,35 +0,0 @@
-/* eslint-disable no-await-in-loop */
-import { AxiosError } from "axios";
-
-import { BadRequestError } from "@app/lib/errors";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-import { NetlifyConnectionMethod } from "./netlify-connection-constants";
-import { NetlifyPublicAPI } from "./netlify-connection-public-client";
-import { TNetlifyConnectionConfig } from "./netlify-connection-types";
-
-export const getNetlifyConnectionListItem = () => {
-  return {
-    name: "Netlify" as const,
-    app: AppConnection.Netlify as const,
-    methods: Object.values(NetlifyConnectionMethod)
-  };
-};
-
-export const validateNetlifyConnectionCredentials = async (config: TNetlifyConnectionConfig) => {
-  try {
-    await NetlifyPublicAPI.healthcheck(config);
-  } catch (error: unknown) {
-    if (error instanceof AxiosError) {
-      throw new BadRequestError({
-        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
-      });
-    }
-
-    throw new BadRequestError({
-      message: "Unable to validate connection - verify credentials"
-    });
-  }
-
-  return config.credentials;
-};

backend/src/services/app-connection/netlify/netlify-connection-public-client.ts

@@ -1,261 +0,0 @@
-/* eslint-disable @typescript-eslint/no-unsafe-call */
-/* eslint-disable no-await-in-loop */
-/* eslint-disable class-methods-use-this */
-import { AxiosInstance, AxiosRequestConfig, AxiosResponse, HttpStatusCode, isAxiosError } from "axios";
-
-import { createRequestClient } from "@app/lib/config/request";
-import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
-
-import { NetlifyConnectionMethod } from "./netlify-connection-constants";
-import { TNetlifyAccount, TNetlifyConnectionConfig, TNetlifySite, TNetlifyVariable } from "./netlify-connection-types";
-
-export function getNetlifyAuthHeaders(connection: TNetlifyConnectionConfig): Record<string, string> {
-  switch (connection.method) {
-    case NetlifyConnectionMethod.AccessToken:
-      return {
-        Authorization: `Bearer ${connection.credentials.accessToken}`
-      };
-    default:
-      throw new Error(`Unsupported Netlify connection method`);
-  }
-}
-
-export function getNetlifyRatelimiter(response: AxiosResponse): {
-  maxAttempts: number;
-  isRatelimited: boolean;
-  wait: () => Promise<void>;
-} {
-  const wait = (seconds: number = 60) => {
-    return new Promise<void>((res) => {
-      setTimeout(res, seconds * 1000);
-    });
-  };
-
-  let remaining = parseInt(response.headers["X-RateLimit-Remaining"] as string, 10);
-  let isRatelimited = response.status === HttpStatusCode.TooManyRequests;
-
-  if (isRatelimited) {
-    if (Math.round(remaining) > 0) {
-      isRatelimited = true;
-      remaining += 1; // Jitter to ensure we wait at least 1 second
-    } else {
-      remaining = 60;
-    }
-  }
-
-  return {
-    isRatelimited,
-    wait: () => wait(remaining),
-    maxAttempts: 3
-  };
-}
-
-type NetlifyParams = {
-  account_id: string;
-  context_name?: string;
-  site_id?: string;
-};
-
-class NetlifyPublicClient {
-  private client: AxiosInstance;
-
-  constructor() {
-    this.client = createRequestClient({
-      baseURL: `${IntegrationUrls.NETLIFY_API_URL}/api/v1`,
-      headers: {
-        "Content-Type": "application/json"
-      }
-    });
-  }
-
-  async send<T>(connection: TNetlifyConnectionConfig, config: AxiosRequestConfig, retryAttempt = 0): Promise<T> {
-    const response = await this.client.request<T>({
-      ...config,
-      timeout: 1000 * 60, // 60 seconds timeout
-      validateStatus: (status) => (status >= 200 && status < 300) || status === HttpStatusCode.TooManyRequests,
-      headers: getNetlifyAuthHeaders(connection)
-    });
-    const limiter = getNetlifyRatelimiter(response);
-
-    if (limiter.isRatelimited && retryAttempt <= limiter.maxAttempts) {
-      await limiter.wait();
-      return this.send(connection, config, retryAttempt + 1);
-    }
-
-    return response.data;
-  }
-
-  healthcheck(connection: TNetlifyConnectionConfig) {
-    switch (connection.method) {
-      case NetlifyConnectionMethod.AccessToken:
-        return this.getNetlifyAccounts(connection);
-      default:
-        throw new Error(`Unsupported Netlify connection method`);
-    }
-  }
-
-  async getVariables(
-    connection: TNetlifyConnectionConfig,
-    { account_id, ...params }: NetlifyParams,
-    limit: number = 50,
-    page: number = 1
-  ) {
-    const res = await this.send<TNetlifyVariable[]>(connection, {
-      method: "GET",
-      url: `/accounts/${account_id}/env`,
-      params: {
-        ...params,
-        limit,
-        page
-      }
-    });
-
-    return res;
-  }
-
-  async createVariable(
-    connection: TNetlifyConnectionConfig,
-    { account_id, ...params }: NetlifyParams,
-    ...variables: TNetlifyVariable[]
-  ) {
-    const res = await this.send<TNetlifyVariable>(connection, {
-      method: "POST",
-      url: `/accounts/${account_id}/env`,
-      data: variables,
-      params
-    });
-
-    return res;
-  }
-
-  async updateVariableValue(
-    connection: TNetlifyConnectionConfig,
-    { account_id, ...params }: NetlifyParams,
-    variable: TNetlifyVariable
-  ) {
-    const res = await this.send<TNetlifyVariable>(connection, {
-      method: "PATCH",
-      url: `/accounts/${account_id}/env/${variable.key}`,
-      data: variable,
-      params
-    });
-
-    return res;
-  }
-
-  async updateVariable(
-    connection: TNetlifyConnectionConfig,
-    { account_id, ...params }: NetlifyParams,
-    variable: TNetlifyVariable
-  ) {
-    const res = await this.send<TNetlifyVariable>(connection, {
-      method: "PUT",
-      url: `/accounts/${account_id}/env/${variable.key}`,
-      data: variable,
-      params
-    });
-
-    return res;
-  }
-
-  async getVariable(
-    connection: TNetlifyConnectionConfig,
-    { account_id, ...params }: NetlifyParams,
-    variable: Pick<TNetlifyVariable, "key">
-  ) {
-    try {
-      const res = await this.send<TNetlifyVariable>(connection, {
-        method: "GET",
-        url: `/accounts/${account_id}/env/${variable.key}`,
-        params
-      });
-
-      return res;
-    } catch (error) {
-      if (isAxiosError(error) && error.response?.status === HttpStatusCode.NotFound) {
-        return null;
-      }
-
-      throw error;
-    }
-  }
-
-  async upsertVariable(connection: TNetlifyConnectionConfig, params: NetlifyParams, variable: TNetlifyVariable) {
-    const res = await this.getVariable(connection, params, variable);
-
-    if (!res) {
-      return this.createVariable(connection, params, variable);
-    }
-
-    if (res.is_secret) {
-      await this.deleteVariable(connection, params, variable);
-      return this.createVariable(connection, params, variable);
-    }
-
-    return this.updateVariable(connection, params, variable);
-  }
-
-  async deleteVariable(
-    connection: TNetlifyConnectionConfig,
-    { account_id, ...params }: NetlifyParams,
-    variable: Pick<TNetlifyVariable, "key">
-  ) {
-    try {
-      const res = await this.send<TNetlifyVariable>(connection, {
-        method: "DELETE",
-        url: `/accounts/${account_id}/env/${variable.key}`,
-        params
-      });
-
-      return res;
-    } catch (error) {
-      if (isAxiosError(error) && error.response?.status === HttpStatusCode.NotFound) {
-        return null;
-      }
-
-      throw error;
-    }
-  }
-
-  async deleteVariableValue(
-    connection: TNetlifyConnectionConfig,
-    { account_id, value_id, ...params }: NetlifyParams & { value_id: string },
-    variable: Pick<TNetlifyVariable, "key" | "id">
-  ) {
-    try {
-      const res = await this.send<TNetlifyVariable>(connection, {
-        method: "DELETE",
-        url: `/accounts/${account_id}/${variable.key}/value/${value_id}`,
-        params
-      });
-
-      return res;
-    } catch (error) {
-      if (isAxiosError(error) && error.response?.status === HttpStatusCode.NotFound) {
-        return null;
-      }
-
-      throw error;
-    }
-  }
-
-  async getSites(connection: TNetlifyConnectionConfig, accountId: string) {
-    const res = await this.send<TNetlifySite[]>(connection, {
-      method: "GET",
-      url: `/${accountId}/sites`
-    });
-
-    return res;
-  }
-
-  async getNetlifyAccounts(connection: TNetlifyConnectionConfig) {
-    const res = await this.send<TNetlifyAccount[]>(connection, {
-      method: "GET",
-      url: `/accounts`
-    });
-
-    return res;
-  }
-}
-
-export const NetlifyPublicAPI = new NetlifyPublicClient();

backend/src/services/app-connection/netlify/netlify-connection-schemas.ts

@@ -1,67 +0,0 @@
-import z from "zod";
-
-import { AppConnections } from "@app/lib/api-docs";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import {
-  BaseAppConnectionSchema,
-  GenericCreateAppConnectionFieldsSchema,
-  GenericUpdateAppConnectionFieldsSchema
-} from "@app/services/app-connection/app-connection-schemas";
-
-import { NetlifyConnectionMethod } from "./netlify-connection-constants";
-
-export const NetlifyConnectionMethodSchema = z
-  .nativeEnum(NetlifyConnectionMethod)
-  .describe(AppConnections.CREATE(AppConnection.Netlify).method);
-
-export const NetlifyConnectionAccessTokenCredentialsSchema = z.object({
-  accessToken: z
-    .string()
-    .trim()
-    .min(1, "Access Token required")
-    .max(255)
-    .describe(AppConnections.CREDENTIALS.NETLIFY.accessToken)
-});
-
-const BaseNetlifyConnectionSchema = BaseAppConnectionSchema.extend({
-  app: z.literal(AppConnection.Netlify)
-});
-
-export const NetlifyConnectionSchema = BaseNetlifyConnectionSchema.extend({
-  method: NetlifyConnectionMethodSchema,
-  credentials: NetlifyConnectionAccessTokenCredentialsSchema
-});
-
-export const SanitizedNetlifyConnectionSchema = z.discriminatedUnion("method", [
-  BaseNetlifyConnectionSchema.extend({
-    method: NetlifyConnectionMethodSchema,
-    credentials: NetlifyConnectionAccessTokenCredentialsSchema.pick({})
-  })
-]);
-
-export const ValidateNetlifyConnectionCredentialsSchema = z.discriminatedUnion("method", [
-  z.object({
-    method: NetlifyConnectionMethodSchema,
-    credentials: NetlifyConnectionAccessTokenCredentialsSchema.describe(
-      AppConnections.CREATE(AppConnection.Netlify).credentials
-    )
-  })
-]);
-
-export const CreateNetlifyConnectionSchema = ValidateNetlifyConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.Netlify)
-);
-
-export const UpdateNetlifyConnectionSchema = z
-  .object({
-    credentials: NetlifyConnectionAccessTokenCredentialsSchema.optional().describe(
-      AppConnections.UPDATE(AppConnection.Netlify).credentials
-    )
-  })
-  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Netlify));
-
-export const NetlifyConnectionListItemSchema = z.object({
-  name: z.literal("Netlify"),
-  app: z.literal(AppConnection.Netlify),
-  methods: z.nativeEnum(NetlifyConnectionMethod).array()
-});

backend/src/services/app-connection/netlify/netlify-connection-service.ts

@@ -1,42 +0,0 @@
-import { logger } from "@app/lib/logger";
-import { OrgServiceActor } from "@app/lib/types";
-
-import { AppConnection } from "../app-connection-enums";
-import { NetlifyPublicAPI } from "./netlify-connection-public-client";
-import { TNetlifyConnection } from "./netlify-connection-types";
-
-type TGetAppConnectionFunc = (
-  app: AppConnection,
-  connectionId: string,
-  actor: OrgServiceActor
-) => Promise<TNetlifyConnection>;
-
-// eslint-disable-next-line @typescript-eslint/no-unused-vars
-export const netlifyConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
-  const listAccounts = async (connectionId: string, actor: OrgServiceActor) => {
-    const appConnection = await getAppConnection(AppConnection.Netlify, connectionId, actor);
-    try {
-      const accounts = await NetlifyPublicAPI.getNetlifyAccounts(appConnection);
-      return accounts;
-    } catch (error) {
-      logger.error(error, "Failed to list accounts on Netlify");
-      return [];
-    }
-  };
-
-  const listSites = async (connectionId: string, actor: OrgServiceActor, accountId: string) => {
-    const appConnection = await getAppConnection(AppConnection.Netlify, connectionId, actor);
-    try {
-      const sites = await NetlifyPublicAPI.getSites(appConnection, accountId);
-      return sites;
-    } catch (error) {
-      logger.error(error, "Failed to list sites on Netlify");
-      return [];
-    }
-  };
-
-  return {
-    listAccounts,
-    listSites
-  };
-};