Address greptile comments

Minor fix on redundant constant
Dynamic Secrets: add Temporary Credentials for AWS IAM Roles
2025-09-04 07:35:30 +00:00 · 2025-09-03 23:48:38 -03:00 · 2025-09-03 22:23:19 -03:00 · 2025-09-03 22:19:18 -03:00 · 2025-09-03 21:10:59 +02:00 · 2025-09-03 20:43:15 +02:00
669 changed files with 31645 additions and 12406 deletions
--- a/.github/workflows/build-docker-image-to-prod.yml
+++ b/.github/workflows/build-docker-image-to-prod.yml
@@ -1,123 +0,0 @@
-name: Release production images (frontend, backend)
-on:
-  push:
-    tags:
-      - "infisical/v*.*.*"
-      - "!infisical/v*.*.*-postgres"
-
-jobs:
-  backend-image:
-    name: Build backend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      # - name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          load: true
-          context: backend
-          tags: infisical/infisical:test
-          platforms: linux/amd64,linux/arm64
-      - name: ⏻ Spawn backend container and dependencies
-        run: |
-          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
-      - name: 🧪 Test backend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-backend-test
-      - name: ⏻ Shut down backend container and dependencies
-        run: |
-          docker compose -f .github/resources/docker-compose.be-test.yml down
-      - name: 🏗️ Build backend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: backend
-          tags: |
-            infisical/backend:${{ steps.commit.outputs.short }}
-            infisical/backend:latest
-            infisical/backend:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-
-  frontend-image:
-    name: Build frontend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build frontend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          load: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          project: 64mmf0n610
-          context: frontend
-          tags: infisical/frontend:test
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
-      - name: ⏻ Spawn frontend container
-        run: |
-          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
-      - name: 🧪 Test frontend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-frontend-test
-      - name: ⏻ Shut down frontend container
-        run: |
-          docker stop infisical-frontend-test
-      - name: 🏗️ Build frontend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          push: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          context: frontend
-          tags: |
-            infisical/frontend:${{ steps.commit.outputs.short }}
-            infisical/frontend:latest
-            infisical/frontend:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
--- a/.github/workflows/nightly-tag-generation.yml
+++ b/.github/workflows/nightly-tag-generation.yml
@@ -0,0 +1,82 @@
+name: Generate Nightly Tag
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Run daily at midnight UTC
+  workflow_dispatch:  # Allow manual triggering for testing
+
+permissions:
+  contents: write
+
+jobs:
+  create-nightly-tag:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Fetch all history for tags
+          token: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+      
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+      
+      - name: Generate nightly tag
+        run: |
+          # Get the latest infisical production tag
+          LATEST_STABLE_TAG=$(git tag --list | grep "^v[0-9].*$" | grep -v "nightly" | sort -V | tail -n1)
+          
+          if [ -z "$LATEST_STABLE_TAG" ]; then
+            echo "No infisical production tags found, using v0.1.0"
+            LATEST_STABLE_TAG="v0.1.0"
+          fi
+          
+          echo "Latest production tag: $LATEST_STABLE_TAG"
+          
+          # Get current date in YYYYMMDD format
+          DATE=$(date +%Y%m%d)
+          
+          # Base nightly tag name
+          BASE_TAG="${LATEST_STABLE_TAG}-nightly-${DATE}"
+          
+          # Check if this exact tag already exists
+          if git tag --list | grep -q "^${BASE_TAG}$"; then
+            echo "Base tag ${BASE_TAG} already exists, finding next increment"
+            
+            # Find existing tags for this date and get the highest increment
+            EXISTING_TAGS=$(git tag --list | grep "^${BASE_TAG}" | grep -E '\.[0-9]+$' || true)
+            
+            if [ -z "$EXISTING_TAGS" ]; then
+              # No incremental tags exist, create .1
+              NIGHTLY_TAG="${BASE_TAG}.1"
+            else
+              # Find the highest increment
+              HIGHEST_INCREMENT=$(echo "$EXISTING_TAGS" | sed "s|^${BASE_TAG}\.||" | sort -n | tail -n1)
+              NEXT_INCREMENT=$((HIGHEST_INCREMENT + 1))
+              NIGHTLY_TAG="${BASE_TAG}.${NEXT_INCREMENT}"
+            fi
+          else
+            # Base tag doesn't exist, use it
+            NIGHTLY_TAG="$BASE_TAG"
+          fi
+          
+          echo "Generated nightly tag: $NIGHTLY_TAG"
+          echo "NIGHTLY_TAG=$NIGHTLY_TAG" >> $GITHUB_ENV
+          echo "LATEST_PRODUCTION_TAG=$LATEST_STABLE_TAG" >> $GITHUB_ENV
+
+          git tag "$NIGHTLY_TAG"
+          git push origin "$NIGHTLY_TAG"
+          echo "✅ Created and pushed nightly tag: $NIGHTLY_TAG"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ env.NIGHTLY_TAG }}
+          name: ${{ env.NIGHTLY_TAG }}
+          draft: false
+          prerelease: true
+          generate_release_notes: true
+          make_latest: false
--- a/.github/workflows/release-standalone-docker-img-postgres-offical.yml
+++ b/.github/workflows/release-standalone-docker-img-postgres-offical.yml
@@ -2,7 +2,9 @@ name: Release standalone docker image
 on:
    push:
        tags:
-            - "infisical/v*.*.*-postgres"
+            - "v*.*.*"
+            - "v*.*.*-nightly-*"
+            - "v*.*.*-nightly-*.*"

 jobs:
    infisical-tests:
@@ -17,7 +19,7 @@ jobs:
        steps:
            - name: Extract version from tag
              id: extract_version
-              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+              run: echo "::set-output name=version::${GITHUB_REF_NAME}"
            - name: ☁️ Checkout source
              uses: actions/checkout@v3
              with:
@@ -53,7 +55,7 @@ jobs:
                  push: true
                  context: .
                  tags: |
-                      infisical/infisical:latest-postgres
+                      infisical/infisical:latest
                      infisical/infisical:${{ steps.commit.outputs.short }}
                      infisical/infisical:${{ steps.extract_version.outputs.version }}
                  platforms: linux/amd64,linux/arm64
@@ -69,7 +71,7 @@ jobs:
        steps:
            - name: Extract version from tag
              id: extract_version
-              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+              run: echo "::set-output name=version::${GITHUB_REF_NAME}"
            - name: ☁️ Checkout source
              uses: actions/checkout@v3
              with:
@@ -105,7 +107,7 @@ jobs:
                  push: true
                  context: .
                  tags: |
-                      infisical/infisical-fips:latest-postgres
+                      infisical/infisical-fips:latest
                      infisical/infisical-fips:${{ steps.commit.outputs.short }}
                      infisical/infisical-fips:${{ steps.extract_version.outputs.version }}
                  platforms: linux/amd64,linux/arm64
--- a/.github/workflows/release_docker_k8_operator.yaml
+++ b/.github/workflows/release_docker_k8_operator.yaml
@@ -44,10 +44,7 @@ jobs:

            - name: Generate Helm Chart
              working-directory: k8-operator
-              run: make helm
-
-            - name: Update Helm Chart Version
-              run: ./k8-operator/scripts/update-version.sh ${{ steps.extract_version.outputs.version }}
+              run: make helm VERSION=${{ steps.extract_version.outputs.version }}

            - name: Debug - Check file changes
              run: |
--- a/.github/workflows/run-backend-tests.yml
+++ b/.github/workflows/run-backend-tests.yml
@@ -16,6 +16,16 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
+
+
+      - name: Free up disk space
+        run: |
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf "/usr/local/share/boost"
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+          docker system prune -af
+          
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
      - uses: KengoTODA/actions-setup-docker-compose@v1
@@ -34,6 +44,8 @@ jobs:
        working-directory: backend
      - name: Start postgres and redis
        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
+      - name: Start Secret Rotation testing databases
+        run: docker compose -f docker-compose.e2e-dbs.yml up -d --wait --wait-timeout 300
      - name: Run unit test
        run: npm run test:unit
        working-directory: backend
@@ -41,6 +53,9 @@ jobs:
        run: npm run test:e2e
        working-directory: backend
        env:
+          E2E_TEST_ORACLE_DB_19_HOST: ${{ secrets.E2E_TEST_ORACLE_DB_19_HOST }}
+          E2E_TEST_ORACLE_DB_19_USERNAME: ${{ secrets.E2E_TEST_ORACLE_DB_19_USERNAME }}
+          E2E_TEST_ORACLE_DB_19_PASSWORD: ${{ secrets.E2E_TEST_ORACLE_DB_19_PASSWORD }}
          REDIS_URL: redis://172.17.0.1:6379
          DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
          AUTH_SECRET: something-random
--- a/.infisicalignore
+++ b/.infisicalignore
@@ -50,3 +50,4 @@ docs/integrations/app-connections/zabbix.mdx:generic-api-key:91
 docs/integrations/app-connections/bitbucket.mdx:generic-api-key:123
 docs/integrations/app-connections/railway.mdx:generic-api-key:156
 .github/workflows/validate-db-schemas.yml:generic-api-key:21
+k8-operator/config/samples/universalAuthIdentitySecret.yaml:generic-api-key:8
--- a/backend/e2e-test/mocks/queue.ts
+++ b/backend/e2e-test/mocks/queue.ts
@@ -1,34 +0,0 @@
-import { TQueueServiceFactory } from "@app/queue";
-
-export const mockQueue = (): TQueueServiceFactory => {
-  const queues: Record<string, unknown> = {};
-  const workers: Record<string, unknown> = {};
-  const job: Record<string, unknown> = {};
-  const events: Record<string, unknown> = {};
-
-  return {
-    queue: async (name, jobData) => {
-      job[name] = jobData;
-    },
-    queuePg: async () => {},
-    schedulePg: async () => {},
-    initialize: async () => {},
-    shutdown: async () => undefined,
-    stopRepeatableJob: async () => true,
-    start: (name, jobFn) => {
-      queues[name] = jobFn;
-      workers[name] = jobFn;
-    },
-    startPg: async () => {},
-    listen: (name, event) => {
-      events[name] = event;
-    },
-    getRepeatableJobs: async () => [],
-    getDelayedJobs: async () => [],
-    clearQueue: async () => {},
-    stopJobById: async () => {},
-    stopJobByIdPg: async () => {},
-    stopRepeatableJobByJobId: async () => true,
-    stopRepeatableJobByKey: async () => true
-  };
-};
--- a/backend/e2e-test/routes/v3/secret-rotations.spec.ts
+++ b/backend/e2e-test/routes/v3/secret-rotations.spec.ts
@@ -0,0 +1,726 @@
+/* eslint-disable no-promise-executor-return */
+/* eslint-disable no-await-in-loop */
+import knex from "knex";
+import { v4 as uuidv4 } from "uuid";
+
+import { seedData1 } from "@app/db/seed-data";
+
+enum SecretRotationType {
+  OracleDb = "oracledb",
+  MySQL = "mysql",
+  Postgres = "postgres"
+}
+
+type TGenericSqlCredentials = {
+  host: string;
+  port: number;
+  username: string;
+  password: string;
+  database: string;
+};
+
+type TSecretMapping = {
+  username: string;
+  password: string;
+};
+
+type TDatabaseUserCredentials = {
+  username: string;
+};
+
+const formatSqlUsername = (username: string) => `${username}_${uuidv4().slice(0, 8).replace(/-/g, "").toUpperCase()}`;
+
+const getSecretValue = async (secretKey: string) => {
+  const passwordSecret = await testServer.inject({
+    url: `/api/v3/secrets/raw/${secretKey}`,
+    method: "GET",
+    query: {
+      workspaceId: seedData1.projectV3.id,
+      environment: seedData1.environment.slug
+    },
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    }
+  });
+
+  expect(passwordSecret.statusCode).toBe(200);
+  expect(passwordSecret.json().secret).toBeDefined();
+
+  const passwordSecretJson = JSON.parse(passwordSecret.payload);
+
+  return passwordSecretJson.secret.secretValue as string;
+};
+
+const deleteSecretRotation = async (id: string, type: SecretRotationType) => {
+  const res = await testServer.inject({
+    method: "DELETE",
+    query: {
+      deleteSecrets: "true",
+      revokeGeneratedCredentials: "true"
+    },
+    url: `/api/v2/secret-rotations/${type}-credentials/${id}`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    }
+  });
+
+  expect(res.statusCode).toBe(200);
+};
+
+const deleteAppConnection = async (id: string, type: SecretRotationType) => {
+  const res = await testServer.inject({
+    method: "DELETE",
+    url: `/api/v1/app-connections/${type}/${id}`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    }
+  });
+
+  expect(res.statusCode).toBe(200);
+};
+
+const createOracleDBAppConnection = async (credentials: TGenericSqlCredentials) => {
+  const createOracleDBAppConnectionReqBody = {
+    credentials: {
+      database: credentials.database,
+      host: credentials.host,
+      username: credentials.username,
+      password: credentials.password,
+      port: credentials.port,
+      sslEnabled: true,
+      sslRejectUnauthorized: true
+    },
+    name: `oracle-db-${uuidv4()}`,
+    description: "Test OracleDB App Connection",
+    gatewayId: null,
+    isPlatformManagedCredentials: false,
+    method: "username-and-password"
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v1/app-connections/oracledb`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createOracleDBAppConnectionReqBody
+  });
+
+  const json = JSON.parse(res.payload);
+
+  expect(res.statusCode).toBe(200);
+  expect(json.appConnection).toBeDefined();
+
+  return json.appConnection.id as string;
+};
+
+const createMySQLAppConnection = async (credentials: TGenericSqlCredentials) => {
+  const createMySQLAppConnectionReqBody = {
+    name: `mysql-test-${uuidv4()}`,
+    description: "test-mysql",
+    gatewayId: null,
+    method: "username-and-password",
+    credentials: {
+      host: credentials.host,
+      port: credentials.port,
+      database: credentials.database,
+      username: credentials.username,
+      password: credentials.password,
+      sslEnabled: false,
+      sslRejectUnauthorized: true
+    }
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v1/app-connections/mysql`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createMySQLAppConnectionReqBody
+  });
+
+  const json = JSON.parse(res.payload);
+
+  expect(res.statusCode).toBe(200);
+  expect(json.appConnection).toBeDefined();
+
+  return json.appConnection.id as string;
+};
+
+const createPostgresAppConnection = async (credentials: TGenericSqlCredentials) => {
+  const createPostgresAppConnectionReqBody = {
+    credentials: {
+      host: credentials.host,
+      port: credentials.port,
+      database: credentials.database,
+      username: credentials.username,
+      password: credentials.password,
+      sslEnabled: false,
+      sslRejectUnauthorized: true
+    },
+    name: `postgres-test-${uuidv4()}`,
+    description: "test-postgres",
+    gatewayId: null,
+    method: "username-and-password"
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v1/app-connections/postgres`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createPostgresAppConnectionReqBody
+  });
+
+  const json = JSON.parse(res.payload);
+
+  expect(res.statusCode).toBe(200);
+  expect(json.appConnection).toBeDefined();
+
+  return json.appConnection.id as string;
+};
+
+const createOracleInfisicalUsers = async (
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[]
+) => {
+  const client = knex({
+    client: "oracledb",
+    connection: {
+      database: credentials.database,
+      port: credentials.port,
+      host: credentials.host,
+      user: credentials.username,
+      password: credentials.password,
+      connectionTimeoutMillis: 10000,
+      ssl: {
+        // @ts-expect-error - this is a valid property for the ssl object
+        sslServerDNMatch: true
+      }
+    }
+  });
+
+  for await (const { username } of userCredentials) {
+    // check if user exists, and if it does, don't create it
+    const existingUser = await client.raw(`SELECT * FROM all_users WHERE username = '${username}'`);
+
+    if (!existingUser.length) {
+      await client.raw(`CREATE USER ${username} IDENTIFIED BY "temporary_password"`);
+    }
+    await client.raw(`GRANT ALL PRIVILEGES TO ${username} WITH ADMIN OPTION`);
+  }
+
+  await client.destroy();
+};
+
+const createMySQLInfisicalUsers = async (
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[]
+) => {
+  const client = knex({
+    client: "mysql2",
+    connection: {
+      database: credentials.database,
+      port: credentials.port,
+      host: credentials.host,
+      user: credentials.username,
+      password: credentials.password,
+      connectionTimeoutMillis: 10000
+    }
+  });
+
+  // Fix: Ensure root has GRANT OPTION privileges
+  try {
+    await client.raw("GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;");
+    await client.raw("FLUSH PRIVILEGES;");
+  } catch (error) {
+    // Ignore if already has privileges
+  }
+
+  for await (const { username } of userCredentials) {
+    // check if user exists, and if it does, dont create it
+
+    const existingUser = await client.raw(`SELECT * FROM mysql.user WHERE user = '${username}'`);
+
+    if (!existingUser[0].length) {
+      await client.raw(`CREATE USER '${username}'@'%' IDENTIFIED BY 'temporary_password';`);
+    }
+
+    await client.raw(`GRANT ALL PRIVILEGES ON \`${credentials.database}\`.* TO '${username}'@'%';`);
+    await client.raw("FLUSH PRIVILEGES;");
+  }
+
+  await client.destroy();
+};
+
+const createPostgresInfisicalUsers = async (
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[]
+) => {
+  const client = knex({
+    client: "pg",
+    connection: {
+      database: credentials.database,
+      port: credentials.port,
+      host: credentials.host,
+      user: credentials.username,
+      password: credentials.password,
+      connectionTimeoutMillis: 10000
+    }
+  });
+
+  for await (const { username } of userCredentials) {
+    // check if user exists, and if it does, don't create it
+    const existingUser = await client.raw("SELECT * FROM pg_catalog.pg_user WHERE usename = ?", [username]);
+
+    if (!existingUser.rows.length) {
+      await client.raw(`CREATE USER "${username}" WITH PASSWORD 'temporary_password'`);
+    }
+
+    await client.raw("GRANT ALL PRIVILEGES ON DATABASE ?? TO ??", [credentials.database, username]);
+  }
+
+  await client.destroy();
+};
+
+const createOracleDBSecretRotation = async (
+  appConnectionId: string,
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[],
+  secretMapping: TSecretMapping
+) => {
+  const now = new Date();
+  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
+
+  await createOracleInfisicalUsers(credentials, userCredentials);
+
+  const createOracleDBSecretRotationReqBody = {
+    parameters: userCredentials.reduce(
+      (acc, user, index) => {
+        acc[`username${index + 1}`] = user.username;
+        return acc;
+      },
+      {} as Record<string, string>
+    ),
+    secretsMapping: {
+      username: secretMapping.username,
+      password: secretMapping.password
+    },
+    name: `test-oracle-${uuidv4()}`,
+    description: "Test OracleDB Secret Rotation",
+    secretPath: "/",
+    isAutoRotationEnabled: true,
+    rotationInterval: 5, // 5 seconds for testing
+    rotateAtUtc: {
+      hours: rotationTime.getUTCHours(),
+      minutes: rotationTime.getUTCMinutes()
+    },
+    connectionId: appConnectionId,
+    environment: seedData1.environment.slug,
+    projectId: seedData1.projectV3.id
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v2/secret-rotations/oracledb-credentials`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createOracleDBSecretRotationReqBody
+  });
+
+  expect(res.statusCode).toBe(200);
+  expect(res.json().secretRotation).toBeDefined();
+
+  return res;
+};
+
+const createMySQLSecretRotation = async (
+  appConnectionId: string,
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[],
+  secretMapping: TSecretMapping
+) => {
+  const now = new Date();
+  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
+
+  await createMySQLInfisicalUsers(credentials, userCredentials);
+
+  const createMySQLSecretRotationReqBody = {
+    parameters: userCredentials.reduce(
+      (acc, user, index) => {
+        acc[`username${index + 1}`] = user.username;
+        return acc;
+      },
+      {} as Record<string, string>
+    ),
+    secretsMapping: {
+      username: secretMapping.username,
+      password: secretMapping.password
+    },
+    name: `test-mysql-rotation-${uuidv4()}`,
+    description: "Test MySQL Secret Rotation",
+    secretPath: "/",
+    isAutoRotationEnabled: true,
+    rotationInterval: 5,
+    rotateAtUtc: {
+      hours: rotationTime.getUTCHours(),
+      minutes: rotationTime.getUTCMinutes()
+    },
+    connectionId: appConnectionId,
+    environment: seedData1.environment.slug,
+    projectId: seedData1.projectV3.id
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v2/secret-rotations/mysql-credentials`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createMySQLSecretRotationReqBody
+  });
+
+  expect(res.statusCode).toBe(200);
+  expect(res.json().secretRotation).toBeDefined();
+
+  return res;
+};
+
+const createPostgresSecretRotation = async (
+  appConnectionId: string,
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[],
+  secretMapping: TSecretMapping
+) => {
+  const now = new Date();
+  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
+
+  await createPostgresInfisicalUsers(credentials, userCredentials);
+
+  const createPostgresSecretRotationReqBody = {
+    parameters: userCredentials.reduce(
+      (acc, user, index) => {
+        acc[`username${index + 1}`] = user.username;
+        return acc;
+      },
+      {} as Record<string, string>
+    ),
+    secretsMapping: {
+      username: secretMapping.username,
+      password: secretMapping.password
+    },
+    name: `test-postgres-rotation-${uuidv4()}`,
+    description: "Test Postgres Secret Rotation",
+    secretPath: "/",
+    isAutoRotationEnabled: true,
+    rotationInterval: 5,
+    rotateAtUtc: {
+      hours: rotationTime.getUTCHours(),
+      minutes: rotationTime.getUTCMinutes()
+    },
+    connectionId: appConnectionId,
+    environment: seedData1.environment.slug,
+    projectId: seedData1.projectV3.id
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v2/secret-rotations/postgres-credentials`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createPostgresSecretRotationReqBody
+  });
+
+  expect(res.statusCode).toBe(200);
+  expect(res.json().secretRotation).toBeDefined();
+
+  return res;
+};
+
+describe("Secret Rotations", async () => {
+  const testCases = [
+    {
+      type: SecretRotationType.MySQL,
+      name: "MySQL (8.4.6) Secret Rotation",
+      dbCredentials: {
+        database: "mysql-test",
+        host: "127.0.0.1",
+        username: "root",
+        password: "mysql-test",
+        port: 3306
+      },
+      secretMapping: {
+        username: formatSqlUsername("MYSQL_USERNAME"),
+        password: formatSqlUsername("MYSQL_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("MYSQL_USER_1")
+        },
+        {
+          username: formatSqlUsername("MYSQL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.MySQL,
+      name: "MySQL (8.0.29) Secret Rotation",
+      dbCredentials: {
+        database: "mysql-test",
+        host: "127.0.0.1",
+        username: "root",
+        password: "mysql-test",
+        port: 3307
+      },
+      secretMapping: {
+        username: formatSqlUsername("MYSQL_USERNAME"),
+        password: formatSqlUsername("MYSQL_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("MYSQL_USER_1")
+        },
+        {
+          username: formatSqlUsername("MYSQL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.MySQL,
+      name: "MySQL (5.7.31) Secret Rotation",
+      dbCredentials: {
+        database: "mysql-test",
+        host: "127.0.0.1",
+        username: "root",
+        password: "mysql-test",
+        port: 3308
+      },
+      secretMapping: {
+        username: formatSqlUsername("MYSQL_USERNAME"),
+        password: formatSqlUsername("MYSQL_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("MYSQL_USER_1")
+        },
+        {
+          username: formatSqlUsername("MYSQL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.OracleDb,
+      name: "OracleDB (23.8) Secret Rotation",
+      dbCredentials: {
+        database: "FREEPDB1",
+        host: "127.0.0.1",
+        username: "system",
+        password: "pdb-password",
+        port: 1521
+      },
+      secretMapping: {
+        username: formatSqlUsername("ORACLEDB_USERNAME"),
+        password: formatSqlUsername("ORACLEDB_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.OracleDb,
+      name: "OracleDB (19.3) Secret Rotation",
+      skippable: true,
+      dbCredentials: {
+        password: process.env.E2E_TEST_ORACLE_DB_19_PASSWORD!,
+        host: process.env.E2E_TEST_ORACLE_DB_19_HOST!,
+        username: process.env.E2E_TEST_ORACLE_DB_19_USERNAME!,
+        port: 1521,
+        database: "ORCLPDB1"
+      },
+      secretMapping: {
+        username: formatSqlUsername("ORACLEDB_USERNAME"),
+        password: formatSqlUsername("ORACLEDB_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.Postgres,
+      name: "Postgres (17) Secret Rotation",
+      dbCredentials: {
+        database: "postgres-test",
+        host: "127.0.0.1",
+        username: "postgres-test",
+        password: "postgres-test",
+        port: 5433
+      },
+      secretMapping: {
+        username: formatSqlUsername("POSTGRES_USERNAME"),
+        password: formatSqlUsername("POSTGRES_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.Postgres,
+      name: "Postgres (16) Secret Rotation",
+      dbCredentials: {
+        database: "postgres-test",
+        host: "127.0.0.1",
+        username: "postgres-test",
+        password: "postgres-test",
+        port: 5434
+      },
+      secretMapping: {
+        username: formatSqlUsername("POSTGRES_USERNAME"),
+        password: formatSqlUsername("POSTGRES_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.Postgres,
+      name: "Postgres (10.12) Secret Rotation",
+      dbCredentials: {
+        database: "postgres-test",
+        host: "127.0.0.1",
+        username: "postgres-test",
+        password: "postgres-test",
+        port: 5435
+      },
+      secretMapping: {
+        username: formatSqlUsername("POSTGRES_USERNAME"),
+        password: formatSqlUsername("POSTGRES_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    }
+  ] as {
+    skippable?: boolean;
+    type: SecretRotationType;
+    name: string;
+    dbCredentials: TGenericSqlCredentials;
+    secretMapping: TSecretMapping;
+    userCredentials: TDatabaseUserCredentials[];
+  }[];
+
+  const createAppConnectionMap = {
+    [SecretRotationType.OracleDb]: createOracleDBAppConnection,
+    [SecretRotationType.MySQL]: createMySQLAppConnection,
+    [SecretRotationType.Postgres]: createPostgresAppConnection
+  };
+
+  const createRotationMap = {
+    [SecretRotationType.OracleDb]: createOracleDBSecretRotation,
+    [SecretRotationType.MySQL]: createMySQLSecretRotation,
+    [SecretRotationType.Postgres]: createPostgresSecretRotation
+  };
+
+  const appConnectionIds: { id: string; type: SecretRotationType }[] = [];
+  const secretRotationIds: { id: string; type: SecretRotationType }[] = [];
+
+  afterAll(async () => {
+    for (const { id, type } of secretRotationIds) {
+      await deleteSecretRotation(id, type);
+    }
+
+    for (const { id, type } of appConnectionIds) {
+      await deleteAppConnection(id, type);
+    }
+  });
+
+  testCases.forEach(({ skippable, dbCredentials, secretMapping, userCredentials, type, name }) => {
+    const shouldSkip = () => {
+      if (skippable) {
+        if (type === SecretRotationType.OracleDb) {
+          if (!process.env.E2E_TEST_ORACLE_DB_19_HOST) {
+            return true;
+          }
+        }
+      }
+
+      return false;
+    };
+
+    if (shouldSkip()) {
+      test.skip(`Skipping Secret Rotation for ${type} (${name}) because E2E_TEST_ORACLE_DB_19_HOST is not set`);
+    } else {
+      test.concurrent(
+        `Create secret rotation for ${name}`,
+        async () => {
+          const appConnectionId = await createAppConnectionMap[type](dbCredentials);
+
+          if (appConnectionId) {
+            appConnectionIds.push({ id: appConnectionId, type });
+          }
+
+          const res = await createRotationMap[type](appConnectionId, dbCredentials, userCredentials, secretMapping);
+
+          const resJson = JSON.parse(res.payload);
+
+          if (resJson.secretRotation) {
+            secretRotationIds.push({ id: resJson.secretRotation.id, type });
+          }
+
+          const startSecretValue = await getSecretValue(secretMapping.password);
+          expect(startSecretValue).toBeDefined();
+
+          let attempts = 0;
+          while (attempts < 60) {
+            const currentSecretValue = await getSecretValue(secretMapping.password);
+
+            if (currentSecretValue !== startSecretValue) {
+              break;
+            }
+
+            attempts += 1;
+            await new Promise((resolve) => setTimeout(resolve, 2_500));
+          }
+
+          if (attempts >= 60) {
+            throw new Error("Secret rotation failed to rotate after 60 attempts");
+          }
+
+          const finalSecretValue = await getSecretValue(secretMapping.password);
+          expect(finalSecretValue).not.toBe(startSecretValue);
+        },
+        {
+          timeout: 300_000
+        }
+      );
+    }
+  });
+});
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@@ -18,6 +18,7 @@ import { keyStoreFactory } from "@app/keystore/keystore";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { buildRedisFromConfig } from "@app/lib/config/redis";
 import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
+import { bootstrapCheck } from "@app/server/boot-strap-check";

 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -63,6 +64,8 @@ export default {
      const queue = queueServiceFactory(envCfg, { dbConnectionUrl: envCfg.DB_CONNECTION_URI });
      const keyStore = keyStoreFactory(envCfg);

+      await queue.initialize();
+
      const hsmModule = initializeHsmModule(envCfg);
      hsmModule.initialize();

@@ -78,9 +81,13 @@ export default {
        envConfig: envCfg
      });

+      await bootstrapCheck({ db });
+
      // @ts-expect-error type
      globalThis.testServer = server;
      // @ts-expect-error type
+      globalThis.testQueue = queue;
+      // @ts-expect-error type
      globalThis.testSuperAdminDAL = superAdminDAL;
      // @ts-expect-error type
      globalThis.jwtAuthToken = crypto.jwt().sign(
@@ -105,6 +112,8 @@ export default {
    // custom setup
    return {
      async teardown() {
+        // @ts-expect-error type
+        await globalThis.testQueue.shutdown();
        // @ts-expect-error type
        await globalThis.testServer.close();
        // @ts-expect-error type
@@ -112,7 +121,9 @@ export default {
        // @ts-expect-error type
        delete globalThis.testSuperAdminDAL;
        // @ts-expect-error type
-        delete globalThis.jwtToken;
+        delete globalThis.jwtAuthToken;
+        // @ts-expect-error type
+        delete globalThis.testQueue;
        // called after all tests with this env have been run
        await db.migrate.rollback(
          {
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -63,6 +63,7 @@
        "argon2": "^0.31.2",
        "aws-sdk": "^2.1553.0",
        "axios": "^1.11.0",
+        "axios-ntlm": "^1.4.4",
        "axios-retry": "^4.0.0",
        "bcrypt": "^5.1.1",
        "botbuilder": "^4.23.2",
@@ -12956,216 +12957,6 @@
      "dev": true,
      "license": "MIT"
    },
-    "node_modules/@swc/core": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core/-/core-1.3.107.tgz",
-      "integrity": "sha512-zKhqDyFcTsyLIYK1iEmavljZnf4CCor5pF52UzLAz4B6Nu/4GLU+2LQVAf+oRHjusG39PTPjd2AlRT3f3QWfsQ==",
-      "dev": true,
-      "hasInstallScript": true,
-      "optional": true,
-      "peer": true,
-      "dependencies": {
-        "@swc/counter": "^0.1.1",
-        "@swc/types": "^0.1.5"
-      },
-      "engines": {
-        "node": ">=10"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/swc"
-      },
-      "optionalDependencies": {
-        "@swc/core-darwin-arm64": "1.3.107",
-        "@swc/core-darwin-x64": "1.3.107",
-        "@swc/core-linux-arm-gnueabihf": "1.3.107",
-        "@swc/core-linux-arm64-gnu": "1.3.107",
-        "@swc/core-linux-arm64-musl": "1.3.107",
-        "@swc/core-linux-x64-gnu": "1.3.107",
-        "@swc/core-linux-x64-musl": "1.3.107",
-        "@swc/core-win32-arm64-msvc": "1.3.107",
-        "@swc/core-win32-ia32-msvc": "1.3.107",
-        "@swc/core-win32-x64-msvc": "1.3.107"
-      },
-      "peerDependencies": {
-        "@swc/helpers": "^0.5.0"
-      },
-      "peerDependenciesMeta": {
-        "@swc/helpers": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/@swc/core-darwin-arm64": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-darwin-arm64/-/core-darwin-arm64-1.3.107.tgz",
-      "integrity": "sha512-47tD/5vSXWxPd0j/ZllyQUg4bqalbQTsmqSw0J4dDdS82MWqCAwUErUrAZPRjBkjNQ6Kmrf5rpCWaGTtPw+ngw==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-darwin-x64": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-darwin-x64/-/core-darwin-x64-1.3.107.tgz",
-      "integrity": "sha512-hwiLJ2ulNkBGAh1m1eTfeY1417OAYbRGcb/iGsJ+LuVLvKAhU/itzsl535CvcwAlt2LayeCFfcI8gdeOLeZa9A==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-linux-arm-gnueabihf": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-linux-arm-gnueabihf/-/core-linux-arm-gnueabihf-1.3.107.tgz",
-      "integrity": "sha512-I2wzcC0KXqh0OwymCmYwNRgZ9nxX7DWnOOStJXV3pS0uB83TXAkmqd7wvMBuIl9qu4Hfomi9aDM7IlEEn9tumQ==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-linux-arm64-gnu": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-gnu/-/core-linux-arm64-gnu-1.3.107.tgz",
-      "integrity": "sha512-HWgnn7JORYlOYnGsdunpSF8A+BCZKPLzLtEUA27/M/ZuANcMZabKL9Zurt7XQXq888uJFAt98Gy+59PU90aHKg==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-linux-arm64-musl": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-musl/-/core-linux-arm64-musl-1.3.107.tgz",
-      "integrity": "sha512-vfPF74cWfAm8hyhS8yvYI94ucMHIo8xIYU+oFOW9uvDlGQRgnUf/6DEVbLyt/3yfX5723Ln57U8uiMALbX5Pyw==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-linux-x64-gnu": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-gnu/-/core-linux-x64-gnu-1.3.107.tgz",
-      "integrity": "sha512-uBVNhIg0ip8rH9OnOsCARUFZ3Mq3tbPHxtmWk9uAa5u8jQwGWeBx5+nTHpDOVd3YxKb6+5xDEI/edeeLpha/9g==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-linux-x64-musl": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-musl/-/core-linux-x64-musl-1.3.107.tgz",
-      "integrity": "sha512-mvACkUvzSIB12q1H5JtabWATbk3AG+pQgXEN95AmEX2ZA5gbP9+B+mijsg7Sd/3tboHr7ZHLz/q3SHTvdFJrEw==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-win32-arm64-msvc": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-win32-arm64-msvc/-/core-win32-arm64-msvc-1.3.107.tgz",
-      "integrity": "sha512-J3P14Ngy/1qtapzbguEH41kY109t6DFxfbK4Ntz9dOWNuVY3o9/RTB841ctnJk0ZHEG+BjfCJjsD2n8H5HcaOA==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "win32"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-win32-ia32-msvc": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-win32-ia32-msvc/-/core-win32-ia32-msvc-1.3.107.tgz",
-      "integrity": "sha512-ZBUtgyjTHlz8TPJh7kfwwwFma+ktr6OccB1oXC8fMSopD0AxVnQasgun3l3099wIsAB9eEsJDQ/3lDkOLs1gBA==",
-      "cpu": [
-        "ia32"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "win32"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-win32-x64-msvc": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-win32-x64-msvc/-/core-win32-x64-msvc-1.3.107.tgz",
-      "integrity": "sha512-Eyzo2XRqWOxqhE1gk9h7LWmUf4Bp4Xn2Ttb0ayAXFp6YSTxQIThXcT9kipXZqcpxcmDwoq8iWbbf2P8XL743EA==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "win32"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
    "node_modules/@swc/counter": {
      "version": "0.1.3",
      "resolved": "https://registry.npmjs.org/@swc/counter/-/counter-0.1.3.tgz",
@@ -13183,14 +12974,6 @@
        "tslib": "^2.8.0"
      }
    },
-    "node_modules/@swc/types": {
-      "version": "0.1.5",
-      "resolved": "https://registry.npmjs.org/@swc/types/-/types-0.1.5.tgz",
-      "integrity": "sha512-myfUej5naTBWnqOCc/MdVOLVjXUXtIA+NpDrDBKJtLLg2shUjBu3cZmB/85RyitKc55+lUUyl7oRfLOvkr2hsw==",
-      "dev": true,
-      "optional": true,
-      "peer": true
-    },
    "node_modules/@techteamer/ocsp": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/@techteamer/ocsp/-/ocsp-1.0.1.tgz",
@@ -15195,6 +14978,18 @@
        "proxy-from-env": "^1.1.0"
      }
    },
+    "node_modules/axios-ntlm": {
+      "version": "1.4.4",
+      "resolved": "https://registry.npmjs.org/axios-ntlm/-/axios-ntlm-1.4.4.tgz",
+      "integrity": "sha512-kpCRdzMfL8gi0Z0o96P3QPAK4XuC8iciGgxGXe+PeQ4oyjI2LZN8WSOKbu0Y9Jo3T/A7pB81n6jYVPIpglEuRA==",
+      "license": "MIT",
+      "dependencies": {
+        "axios": "^1.8.4",
+        "des.js": "^1.1.0",
+        "dev-null": "^0.1.1",
+        "js-md4": "^0.3.2"
+      }
+    },
    "node_modules/axios-retry": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/axios-retry/-/axios-retry-4.0.0.tgz",
@@ -16954,6 +16749,16 @@
      "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz",
      "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ=="
    },
+    "node_modules/des.js": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/des.js/-/des.js-1.1.0.tgz",
+      "integrity": "sha512-r17GxjhUCjSRy8aiJpr8/UadFIzMzJGexI3Nmz4ADi9LYSFx4gTBp80+NaX/YsXWWLhpZ7v/v/ubEc/bCNfKwg==",
+      "license": "MIT",
+      "dependencies": {
+        "inherits": "^2.0.1",
+        "minimalistic-assert": "^1.0.0"
+      }
+    },
    "node_modules/destroy": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
@@ -16981,6 +16786,12 @@
        "node": ">=8"
      }
    },
+    "node_modules/dev-null": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/dev-null/-/dev-null-0.1.1.tgz",
+      "integrity": "sha512-nMNZG0zfMgmdv8S5O0TM5cpwNbGKRGPCxVsr0SmA3NZZy9CYBbuNLL0PD3Acx9e5LIUgwONXtM9kM6RlawPxEQ==",
+      "license": "MIT"
+    },
    "node_modules/diff": {
      "version": "4.0.2",
      "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz",
@@ -19029,49 +18840,6 @@
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
    },
-    "node_modules/gcp-metadata": {
-      "version": "5.3.0",
-      "resolved": "https://registry.npmjs.org/gcp-metadata/-/gcp-metadata-5.3.0.tgz",
-      "integrity": "sha512-FNTkdNEnBdlqF2oatizolQqNANMrcqJt6AAYt99B3y1aLLC8Hc5IOBb+ZnnzllodEEf6xMBp6wRcBbc16fa65w==",
-      "optional": true,
-      "peer": true,
-      "dependencies": {
-        "gaxios": "^5.0.0",
-        "json-bigint": "^1.0.0"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/gcp-metadata/node_modules/gaxios": {
-      "version": "5.1.3",
-      "resolved": "https://registry.npmjs.org/gaxios/-/gaxios-5.1.3.tgz",
-      "integrity": "sha512-95hVgBRgEIRQQQHIbnxBXeHbW4TqFk4ZDJW7wmVtvYar72FdhRIo1UGOLS2eRAKCPEdPBWu+M7+A33D9CdX9rA==",
-      "optional": true,
-      "peer": true,
-      "dependencies": {
-        "extend": "^3.0.2",
-        "https-proxy-agent": "^5.0.0",
-        "is-stream": "^2.0.0",
-        "node-fetch": "^2.6.9"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/gcp-metadata/node_modules/is-stream": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.1.tgz",
-      "integrity": "sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==",
-      "optional": true,
-      "peer": true,
-      "engines": {
-        "node": ">=8"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
    "node_modules/generate-function": {
      "version": "2.3.1",
      "resolved": "https://registry.npmjs.org/generate-function/-/generate-function-2.3.1.tgz",
--- a/backend/package.json
+++ b/backend/package.json
@@ -37,7 +37,7 @@
    "build": "tsup --sourcemap",
    "build:frontend": "npm run build --prefix ../frontend",
    "start": "node --enable-source-maps dist/main.mjs",
-    "type:check": "tsc --noEmit",
+    "type:check": "node --max-old-space-size=8192 ./node_modules/.bin/tsc --noEmit",
    "lint:fix": "node --max-old-space-size=8192 ./node_modules/.bin/eslint --fix --ext js,ts ./src",
    "lint": "node --max-old-space-size=8192 ./node_modules/.bin/eslint 'src/**/*.ts'",
    "test:unit": "vitest run -c vitest.unit.config.ts",
@@ -183,6 +183,7 @@
    "argon2": "^0.31.2",
    "aws-sdk": "^2.1553.0",
    "axios": "^1.11.0",
+    "axios-ntlm": "^1.4.4",
    "axios-retry": "^4.0.0",
    "bcrypt": "^5.1.1",
    "botbuilder": "^4.23.2",
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -148,6 +148,7 @@ declare module "fastify" {
  interface Session {
    callbackPort: string;
    isAdminLogin: boolean;
+    orgSlug?: string;
  }

  interface FastifyRequest {
--- a/backend/src/db/manual-migrations/partition-audit-logs.ts
+++ b/backend/src/db/manual-migrations/partition-audit-logs.ts
@@ -84,6 +84,9 @@ const up = async (knex: Knex): Promise<void> => {
      t.index("expiresAt");
      t.index("orgId");
      t.index("projectId");
+      t.index("eventType");
+      t.index("userAgentType");
+      t.index("actor");
    });

    console.log("Adding GIN indices...");
@@ -119,8 +122,8 @@ const up = async (knex: Knex): Promise<void> => {
    console.log("Creating audit log partitions ahead of time... next date:", nextDateStr);
    await createAuditLogPartition(knex, nextDate, new Date(nextDate.getFullYear(), nextDate.getMonth() + 1));

-    // create partitions 4 years ahead
-    const partitionMonths = 4 * 12;
+    // create partitions 20 years ahead
+    const partitionMonths = 20 * 12;
    const partitionPromises: Promise<void>[] = [];
    for (let x = 1; x <= partitionMonths; x += 1) {
      partitionPromises.push(
--- a/backend/src/db/migrations/20250725144940_fix-secret-reminders-migration.ts
+++ b/backend/src/db/migrations/20250725144940_fix-secret-reminders-migration.ts
@@ -2,7 +2,7 @@
 import { Knex } from "knex";

 import { chunkArray } from "@app/lib/fn";
-import { logger } from "@app/lib/logger";
+import { initLogger, logger } from "@app/lib/logger";

 import { TableName } from "../schemas";
 import { TReminders, TRemindersInsert } from "../schemas/reminders";
@@ -107,5 +107,6 @@ export async function up(knex: Knex): Promise<void> {
 }

 export async function down(): Promise<void> {
+  initLogger();
  logger.info("Rollback not implemented for secret reminders fix migration");
 }
--- a/backend/src/db/migrations/20250805151349_last-logged-auth-method.ts
+++ b/backend/src/db/migrations/20250805151349_last-logged-auth-method.ts
@@ -0,0 +1,65 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const lastUserLoggedInAuthMethod = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginAuthMethod");
+  const lastIdentityLoggedInAuthMethod = await knex.schema.hasColumn(
+    TableName.IdentityOrgMembership,
+    "lastLoginAuthMethod"
+  );
+  const lastUserLoggedInTime = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginTime");
+  const lastIdentityLoggedInTime = await knex.schema.hasColumn(TableName.IdentityOrgMembership, "lastLoginTime");
+  if (!lastUserLoggedInAuthMethod || !lastUserLoggedInTime) {
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      if (!lastUserLoggedInAuthMethod) {
+        t.string("lastLoginAuthMethod").nullable();
+      }
+      if (!lastUserLoggedInTime) {
+        t.datetime("lastLoginTime").nullable();
+      }
+    });
+  }
+
+  if (!lastIdentityLoggedInAuthMethod || !lastIdentityLoggedInTime) {
+    await knex.schema.alterTable(TableName.IdentityOrgMembership, (t) => {
+      if (!lastIdentityLoggedInAuthMethod) {
+        t.string("lastLoginAuthMethod").nullable();
+      }
+      if (!lastIdentityLoggedInTime) {
+        t.datetime("lastLoginTime").nullable();
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const lastUserLoggedInAuthMethod = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginAuthMethod");
+  const lastIdentityLoggedInAuthMethod = await knex.schema.hasColumn(
+    TableName.IdentityOrgMembership,
+    "lastLoginAuthMethod"
+  );
+  const lastUserLoggedInTime = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginTime");
+  const lastIdentityLoggedInTime = await knex.schema.hasColumn(TableName.IdentityOrgMembership, "lastLoginTime");
+  if (lastUserLoggedInAuthMethod || lastUserLoggedInTime) {
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      if (lastUserLoggedInAuthMethod) {
+        t.dropColumn("lastLoginAuthMethod");
+      }
+      if (lastUserLoggedInTime) {
+        t.dropColumn("lastLoginTime");
+      }
+    });
+  }
+
+  if (lastIdentityLoggedInAuthMethod || lastIdentityLoggedInTime) {
+    await knex.schema.alterTable(TableName.IdentityOrgMembership, (t) => {
+      if (lastIdentityLoggedInAuthMethod) {
+        t.dropColumn("lastLoginAuthMethod");
+      }
+      if (lastIdentityLoggedInTime) {
+        t.dropColumn("lastLoginTime");
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/20250808021941_access-policy-max-time-period.ts
+++ b/backend/src/db/migrations/20250808021941_access-policy-max-time-period.ts
@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas/models";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "maxTimePeriod"))) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.string("maxTimePeriod").nullable(); // Ex: 1h - Null is permanent
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "maxTimePeriod")) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.dropColumn("maxTimePeriod");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250808174003_add-user-alias-is-email-verified.ts
+++ b/backend/src/db/migrations/20250808174003_add-user-alias-is-email-verified.ts
@@ -0,0 +1,49 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const BATCH_SIZE = 1000;
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.UserAliases, "isEmailVerified"))) {
+    // Add the column
+    await knex.schema.alterTable(TableName.UserAliases, (t) => {
+      t.boolean("isEmailVerified").defaultTo(false);
+    });
+
+    const aliasesToUpdate: { aliasId: string; isEmailVerified: boolean }[] = await knex(TableName.UserAliases)
+      .join(TableName.Users, `${TableName.UserAliases}.userId`, `${TableName.Users}.id`)
+      .select([`${TableName.UserAliases}.id as aliasId`, `${TableName.Users}.isEmailVerified`]);
+
+    for (let i = 0; i < aliasesToUpdate.length; i += BATCH_SIZE) {
+      const batch = aliasesToUpdate.slice(i, i + BATCH_SIZE);
+
+      const trueIds = batch.filter((row) => row.isEmailVerified).map((row) => row.aliasId);
+
+      if (trueIds.length > 0) {
+        // eslint-disable-next-line no-await-in-loop
+        await knex(TableName.UserAliases).whereIn("id", trueIds).update({ isEmailVerified: true });
+      }
+    }
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.AuthTokens, "aliasId"))) {
+    await knex.schema.alterTable(TableName.AuthTokens, (t) => {
+      t.string("aliasId").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.UserAliases, "isEmailVerified")) {
+    await knex.schema.alterTable(TableName.UserAliases, (t) => {
+      t.dropColumn("isEmailVerified");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.AuthTokens, "aliasId")) {
+    await knex.schema.alterTable(TableName.AuthTokens, (t) => {
+      t.dropColumn("aliasId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250813020335_access-request-edit-cols.ts
+++ b/backend/src/db/migrations/20250813020335_access-request-edit-cols.ts
@@ -0,0 +1,38 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEditNoteCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editNote");
+  const hasEditedByUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editedByUserId");
+
+  if (!hasEditNoteCol || !hasEditedByUserId) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      if (!hasEditedByUserId) {
+        t.uuid("editedByUserId").nullable();
+        t.foreign("editedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+      }
+
+      if (!hasEditNoteCol) {
+        t.string("editNote").nullable();
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEditNoteCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editNote");
+  const hasEditedByUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editedByUserId");
+
+  if (hasEditNoteCol || hasEditedByUserId) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      if (hasEditedByUserId) {
+        t.dropColumn("editedByUserId");
+      }
+
+      if (hasEditNoteCol) {
+        t.dropColumn("editNote");
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/20250813214709_enforce-google-sso.ts
+++ b/backend/src/db/migrations/20250813214709_enforce-google-sso.ts
@@ -0,0 +1,39 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const GOOGLE_SSO_AUTH_ENFORCED_COLUMN_NAME = "googleSsoAuthEnforced";
+const GOOGLE_SSO_AUTH_LAST_USED_COLUMN_NAME = "googleSsoAuthLastUsed";
+export async function up(knex: Knex): Promise<void> {
+  const hasGoogleSsoAuthEnforcedColumn = await knex.schema.hasColumn(
+    TableName.Organization,
+    GOOGLE_SSO_AUTH_ENFORCED_COLUMN_NAME
+  );
+  const hasGoogleSsoAuthLastUsedColumn = await knex.schema.hasColumn(
+    TableName.Organization,
+    GOOGLE_SSO_AUTH_LAST_USED_COLUMN_NAME
+  );
+
+  await knex.schema.alterTable(TableName.Organization, (table) => {
+    if (!hasGoogleSsoAuthEnforcedColumn)
+      table.boolean(GOOGLE_SSO_AUTH_ENFORCED_COLUMN_NAME).defaultTo(false).notNullable();
+    if (!hasGoogleSsoAuthLastUsedColumn) table.timestamp(GOOGLE_SSO_AUTH_LAST_USED_COLUMN_NAME).nullable();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasGoogleSsoAuthEnforcedColumn = await knex.schema.hasColumn(
+    TableName.Organization,
+    GOOGLE_SSO_AUTH_ENFORCED_COLUMN_NAME
+  );
+
+  const hasGoogleSsoAuthLastUsedColumn = await knex.schema.hasColumn(
+    TableName.Organization,
+    GOOGLE_SSO_AUTH_LAST_USED_COLUMN_NAME
+  );
+
+  await knex.schema.alterTable(TableName.Organization, (table) => {
+    if (hasGoogleSsoAuthEnforcedColumn) table.dropColumn(GOOGLE_SSO_AUTH_ENFORCED_COLUMN_NAME);
+    if (hasGoogleSsoAuthLastUsedColumn) table.dropColumn(GOOGLE_SSO_AUTH_LAST_USED_COLUMN_NAME);
+  });
+}
--- a/backend/src/db/migrations/20250815022242_identity-lockouts.ts
+++ b/backend/src/db/migrations/20250815022242_identity-lockouts.ts
@@ -0,0 +1,57 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.IdentityUniversalAuth)) {
+    const hasLockoutEnabled = await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "lockoutEnabled");
+    const hasLockoutThreshold = await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "lockoutThreshold");
+    const hasLockoutDuration = await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "lockoutDurationSeconds");
+    const hasLockoutCounterReset = await knex.schema.hasColumn(
+      TableName.IdentityUniversalAuth,
+      "lockoutCounterResetSeconds"
+    );
+
+    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
+      if (!hasLockoutEnabled) {
+        t.boolean("lockoutEnabled").notNullable().defaultTo(true);
+      }
+      if (!hasLockoutThreshold) {
+        t.integer("lockoutThreshold").notNullable().defaultTo(3);
+      }
+      if (!hasLockoutDuration) {
+        t.integer("lockoutDurationSeconds").notNullable().defaultTo(300); // 5 minutes
+      }
+      if (!hasLockoutCounterReset) {
+        t.integer("lockoutCounterResetSeconds").notNullable().defaultTo(30); // 30 seconds
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.IdentityUniversalAuth)) {
+    const hasLockoutEnabled = await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "lockoutEnabled");
+    const hasLockoutThreshold = await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "lockoutThreshold");
+    const hasLockoutDuration = await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "lockoutDurationSeconds");
+    const hasLockoutCounterReset = await knex.schema.hasColumn(
+      TableName.IdentityUniversalAuth,
+      "lockoutCounterResetSeconds"
+    );
+
+    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
+      if (hasLockoutEnabled) {
+        t.dropColumn("lockoutEnabled");
+      }
+      if (hasLockoutThreshold) {
+        t.dropColumn("lockoutThreshold");
+      }
+      if (hasLockoutDuration) {
+        t.dropColumn("lockoutDurationSeconds");
+      }
+      if (hasLockoutCounterReset) {
+        t.dropColumn("lockoutCounterResetSeconds");
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/20250824173438_add-approval-secret-read-compat.ts
+++ b/backend/src/db/migrations/20250824173438_add-approval-secret-read-compat.ts
@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "shouldCheckSecretPermission"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.boolean("shouldCheckSecretPermission").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "shouldCheckSecretPermission")) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.dropColumn("shouldCheckSecretPermission");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250824192801_backfill-secret-read-compat-flag.ts
+++ b/backend/src/db/migrations/20250824192801_backfill-secret-read-compat-flag.ts
@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { selectAllTableCols } from "@app/lib/knex";
+
+import { TableName } from "../schemas";
+
+const BATCH_SIZE = 100;
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "shouldCheckSecretPermission")) {
+    // find all existing SecretApprovalPolicy rows to backfill shouldCheckSecretPermission flag
+    const rows = await knex(TableName.SecretApprovalPolicy).select(selectAllTableCols(TableName.SecretApprovalPolicy));
+
+    if (rows.length > 0) {
+      for (let i = 0; i < rows.length; i += BATCH_SIZE) {
+        const batch = rows.slice(i, i + BATCH_SIZE);
+        // eslint-disable-next-line no-await-in-loop
+        await knex(TableName.SecretApprovalPolicy)
+          .whereIn(
+            "id",
+            batch.map((row) => row.id)
+          )
+          .update({ shouldCheckSecretPermission: true });
+      }
+    }
+  }
+}
+
+export async function down(): Promise<void> {}
--- a/backend/src/db/migrations/20250826190000_add-properties-to-pki-subscriber.ts
+++ b/backend/src/db/migrations/20250826190000_add-properties-to-pki-subscriber.ts
@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasPropertiesCol = await knex.schema.hasColumn(TableName.PkiSubscriber, "properties");
+
+  if (!hasPropertiesCol) {
+    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
+      t.jsonb("properties").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasPropertiesCol = await knex.schema.hasColumn(TableName.PkiSubscriber, "properties");
+
+  if (hasPropertiesCol) {
+    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
+      t.dropColumn("properties");
+    });
+  }
+}
--- a/backend/src/db/schemas/access-approval-policies.ts
+++ b/backend/src/db/schemas/access-approval-policies.ts
@@ -17,7 +17,8 @@ export const AccessApprovalPoliciesSchema = z.object({
  updatedAt: z.date(),
  enforcementLevel: z.string().default("hard"),
  deletedAt: z.date().nullable().optional(),
-  allowedSelfApprovals: z.boolean().default(true)
+  allowedSelfApprovals: z.boolean().default(true),
+  maxTimePeriod: z.string().nullable().optional()
 });

 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/access-approval-requests.ts
+++ b/backend/src/db/schemas/access-approval-requests.ts
@@ -20,7 +20,9 @@ export const AccessApprovalRequestsSchema = z.object({
  requestedByUserId: z.string().uuid(),
  note: z.string().nullable().optional(),
  privilegeDeletedAt: z.date().nullable().optional(),
-  status: z.string().default("pending")
+  status: z.string().default("pending"),
+  editedByUserId: z.string().uuid().nullable().optional(),
+  editNote: z.string().nullable().optional()
 });

 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;
--- a/backend/src/db/schemas/auth-tokens.ts
+++ b/backend/src/db/schemas/auth-tokens.ts
@@ -17,7 +17,8 @@ export const AuthTokensSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  userId: z.string().uuid().nullable().optional(),
-  orgId: z.string().uuid().nullable().optional()
+  orgId: z.string().uuid().nullable().optional(),
+  aliasId: z.string().nullable().optional()
 });

 export type TAuthTokens = z.infer<typeof AuthTokensSchema>;
--- a/backend/src/db/schemas/identity-org-memberships.ts
+++ b/backend/src/db/schemas/identity-org-memberships.ts
@@ -14,7 +14,9 @@ export const IdentityOrgMembershipsSchema = z.object({
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  identityId: z.string().uuid()
+  identityId: z.string().uuid(),
+  lastLoginAuthMethod: z.string().nullable().optional(),
+  lastLoginTime: z.date().nullable().optional()
 });

 export type TIdentityOrgMemberships = z.infer<typeof IdentityOrgMembershipsSchema>;
--- a/backend/src/db/schemas/identity-universal-auths.ts
+++ b/backend/src/db/schemas/identity-universal-auths.ts
@@ -18,7 +18,11 @@ export const IdentityUniversalAuthsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  identityId: z.string().uuid(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  accessTokenPeriod: z.coerce.number().default(0),
+  lockoutEnabled: z.boolean().default(true),
+  lockoutThreshold: z.number().default(3),
+  lockoutDurationSeconds: z.number().default(300),
+  lockoutCounterResetSeconds: z.number().default(30)
 });

 export type TIdentityUniversalAuths = z.infer<typeof IdentityUniversalAuthsSchema>;
--- a/backend/src/db/schemas/org-memberships.ts
+++ b/backend/src/db/schemas/org-memberships.ts
@@ -19,7 +19,9 @@ export const OrgMembershipsSchema = z.object({
  roleId: z.string().uuid().nullable().optional(),
  projectFavorites: z.string().array().nullable().optional(),
  isActive: z.boolean().default(true),
-  lastInvitedAt: z.date().nullable().optional()
+  lastInvitedAt: z.date().nullable().optional(),
+  lastLoginAuthMethod: z.string().nullable().optional(),
+  lastLoginTime: z.date().nullable().optional()
 });

 export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;
--- a/backend/src/db/schemas/organizations.ts
+++ b/backend/src/db/schemas/organizations.ts
@@ -36,7 +36,9 @@ export const OrganizationsSchema = z.object({
  scannerProductEnabled: z.boolean().default(true).nullable().optional(),
  shareSecretsProductEnabled: z.boolean().default(true).nullable().optional(),
  maxSharedSecretLifetime: z.number().default(2592000).nullable().optional(),
-  maxSharedSecretViewLimit: z.number().nullable().optional()
+  maxSharedSecretViewLimit: z.number().nullable().optional(),
+  googleSsoAuthEnforced: z.boolean().default(false),
+  googleSsoAuthLastUsed: z.date().nullable().optional()
 });

 export type TOrganizations = z.infer<typeof OrganizationsSchema>;
--- a/backend/src/db/schemas/pki-subscribers.ts
+++ b/backend/src/db/schemas/pki-subscribers.ts
@@ -25,7 +25,8 @@ export const PkiSubscribersSchema = z.object({
  lastAutoRenewAt: z.date().nullable().optional(),
  lastOperationStatus: z.string().nullable().optional(),
  lastOperationMessage: z.string().nullable().optional(),
-  lastOperationAt: z.date().nullable().optional()
+  lastOperationAt: z.date().nullable().optional(),
+  properties: z.unknown().nullable().optional()
 });

 export type TPkiSubscribers = z.infer<typeof PkiSubscribersSchema>;
--- a/backend/src/db/schemas/secret-approval-policies.ts
+++ b/backend/src/db/schemas/secret-approval-policies.ts
@@ -17,7 +17,8 @@ export const SecretApprovalPoliciesSchema = z.object({
  updatedAt: z.date(),
  enforcementLevel: z.string().default("hard"),
  deletedAt: z.date().nullable().optional(),
-  allowedSelfApprovals: z.boolean().default(true)
+  allowedSelfApprovals: z.boolean().default(true),
+  shouldCheckSecretPermission: z.boolean().nullable().optional()
 });

 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/user-aliases.ts
+++ b/backend/src/db/schemas/user-aliases.ts
@@ -16,7 +16,8 @@ export const UserAliasesSchema = z.object({
  emails: z.string().array().nullable().optional(),
  orgId: z.string().uuid().nullable().optional(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  isEmailVerified: z.boolean().default(false).nullable().optional()
 });

 export type TUserAliases = z.infer<typeof UserAliasesSchema>;
--- a/backend/src/ee/routes/v1/access-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-policy-router.ts
@@ -3,12 +3,32 @@ import { z } from "zod";

 import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { ms } from "@app/lib/ms";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";

+const maxTimePeriodSchema = z
+  .string()
+  .trim()
+  .nullish()
+  .transform((val, ctx) => {
+    if (val === undefined) return undefined;
+    if (!val || val === "permanent") return null;
+    const parsedMs = ms(val);
+
+    if (typeof parsedMs !== "number" || parsedMs <= 0) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: "Invalid time period format or value. Must be a positive duration (e.g., '1h', '30m', '2d')."
+      });
+      return z.NEVER;
+    }
+    return val;
+  });
+
 export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
@@ -71,7 +91,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
            .optional(),
          approvals: z.number().min(1).default(1),
          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
-          allowedSelfApprovals: z.boolean().default(true)
+          allowedSelfApprovals: z.boolean().default(true),
+          maxTimePeriod: maxTimePeriodSchema
        })
        .refine(
          (val) => Boolean(val.environment) || Boolean(val.environments),
@@ -124,7 +145,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
                .array()
                .nullable()
                .optional(),
-              bypassers: z.object({ type: z.nativeEnum(BypasserType), id: z.string().nullable().optional() }).array()
+              bypassers: z.object({ type: z.nativeEnum(BypasserType), id: z.string().nullable().optional() }).array(),
+              maxTimePeriod: z.string().nullable().optional()
            })
            .array()
            .nullable()
@@ -233,7 +255,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
            stepNumber: z.number().int()
          })
          .array()
-          .optional()
+          .optional(),
+        maxTimePeriod: maxTimePeriodSchema
      }),
      response: {
        200: z.object({
@@ -314,7 +337,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
              })
              .array()
              .nullable()
-              .optional()
+              .optional(),
+            maxTimePeriod: z.string().nullable().optional()
          })
        })
      }
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { AccessApprovalRequestsReviewersSchema, AccessApprovalRequestsSchema, UsersSchema } from "@app/db/schemas";
 import { ApprovalStatus } from "@app/ee/services/access-approval-request/access-approval-request-types";
+import { ms } from "@app/lib/ms";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -26,7 +27,23 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
      body: z.object({
        permissions: z.any().array(),
        isTemporary: z.boolean(),
-        temporaryRange: z.string().optional(),
+        temporaryRange: z
+          .string()
+          .optional()
+          .transform((val, ctx) => {
+            if (!val || val === "permanent") return undefined;
+
+            const parsedMs = ms(val);
+
+            if (typeof parsedMs !== "number" || parsedMs <= 0) {
+              ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                message: "Invalid time period format or value. Must be a positive duration (e.g., '1h', '30m', '2d')."
+              });
+              return z.NEVER;
+            }
+            return val;
+          }),
        note: z.string().max(255).optional()
      }),
      querystring: z.object({
@@ -116,6 +133,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
              approvals: z.number(),
              approvers: z
                .object({
+                  isOrgMembershipActive: z.boolean().nullable().optional(),
                  userId: z.string().nullable().optional(),
                  sequence: z.number().nullable().optional(),
                  approvalsRequired: z.number().nullable().optional(),
@@ -128,10 +146,12 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
              envId: z.string(),
              enforcementLevel: z.string(),
              deletedAt: z.date().nullish(),
-              allowedSelfApprovals: z.boolean()
+              allowedSelfApprovals: z.boolean(),
+              maxTimePeriod: z.string().nullable().optional()
            }),
            reviewers: z
              .object({
+                isOrgMembershipActive: z.boolean().nullable().optional(),
                userId: z.string(),
                status: z.string()
              })
@@ -189,4 +209,47 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
      return { review };
    }
  });
+
+  server.route({
+    url: "/:requestId",
+    method: "PATCH",
+    schema: {
+      params: z.object({
+        requestId: z.string().trim()
+      }),
+      body: z.object({
+        temporaryRange: z.string().transform((val, ctx) => {
+          const parsedMs = ms(val);
+
+          if (typeof parsedMs !== "number" || parsedMs <= 0) {
+            ctx.addIssue({
+              code: z.ZodIssueCode.custom,
+              message: "Invalid time period format or value. Must be a positive duration (e.g., '1h', '30m', '2d')."
+            });
+            return z.NEVER;
+          }
+          return val;
+        }),
+        editNote: z.string().max(255)
+      }),
+      response: {
+        200: z.object({
+          approval: AccessApprovalRequestsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { request } = await server.services.accessApprovalRequest.updateAccessApprovalRequest({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        temporaryRange: req.body.temporaryRange,
+        editNote: req.body.editNote,
+        requestId: req.params.requestId
+      });
+      return { approval: request };
+    }
+  });
 };
--- a/backend/src/ee/routes/v1/github-org-sync-router.ts
+++ b/backend/src/ee/routes/v1/github-org-sync-router.ts
@@ -126,4 +126,39 @@ export const registerGithubOrgSyncRouter = async (server: FastifyZodProvider) =>
      return { githubOrgSyncConfig };
    }
  });
+
+  server.route({
+    url: "/sync-all-teams",
+    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      response: {
+        200: z.object({
+          totalUsers: z.number(),
+          errors: z.array(z.string()),
+          createdTeams: z.array(z.string()),
+          updatedTeams: z.array(z.string()),
+          removedMemberships: z.number(),
+          syncDuration: z.number()
+        })
+      }
+    },
+    handler: async (req) => {
+      const result = await server.services.githubOrgSync.syncAllTeams({
+        orgPermission: req.permission
+      });
+
+      return {
+        totalUsers: result.totalUsers,
+        errors: result.errors,
+        createdTeams: result.createdTeams,
+        updatedTeams: result.updatedTeams,
+        removedMemberships: result.removedMemberships,
+        syncDuration: result.syncDuration
+      };
+    }
+  });
 };
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@@ -379,14 +379,17 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {

  server.route({
    method: "POST",
-    url: "/config/:configId/test-connection",
+    url: "/config/test-connection",
    config: {
      rateLimit: readLimit
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
-      params: z.object({
-        configId: z.string().trim()
+      body: z.object({
+        url: z.string().trim(),
+        bindDN: z.string().trim(),
+        bindPass: z.string().trim(),
+        caCert: z.string().trim()
      }),
      response: {
        200: z.boolean()
@@ -399,8 +402,9 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
        orgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        ldapConfigId: req.params.configId
+        ...req.body
      });
+
      return result;
    }
  });
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@@ -294,22 +294,30 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
        200: z.object({
          approval: SecretApprovalRequestsSchema.merge(
            z.object({
-              // secretPath: z.string(),
              policy: z.object({
                id: z.string(),
                name: z.string(),
                approvals: z.number(),
-                approvers: approvalRequestUser.array(),
+                approvers: approvalRequestUser
+                  .extend({ isOrgMembershipActive: z.boolean().nullable().optional() })
+                  .array(),
                bypassers: approvalRequestUser.array(),
                secretPath: z.string().optional().nullable(),
                enforcementLevel: z.string(),
                deletedAt: z.date().nullish(),
-                allowedSelfApprovals: z.boolean()
+                allowedSelfApprovals: z.boolean(),
+                shouldCheckSecretPermission: z.boolean().nullable().optional()
              }),
              environment: z.string(),
              statusChangedByUser: approvalRequestUser.optional(),
              committerUser: approvalRequestUser.nullish(),
-              reviewers: approvalRequestUser.extend({ status: z.string(), comment: z.string().optional() }).array(),
+              reviewers: approvalRequestUser
+                .extend({
+                  status: z.string(),
+                  comment: z.string().optional(),
+                  isOrgMembershipActive: z.boolean().nullable().optional()
+                })
+                .array(),
              secretPath: z.string(),
              commits: secretRawSchema
                .omit({ _id: true, environment: true, workspace: true, type: true, version: true, secretValue: true })
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
@@ -56,6 +56,7 @@ export interface TAccessApprovalPolicyDALFactory
      allowedSelfApprovals: boolean;
      secretPath: string;
      deletedAt?: Date | null | undefined;
+      maxTimePeriod?: string | null;
      projectId: string;
      bypassers: (
        | {
@@ -96,6 +97,7 @@ export interface TAccessApprovalPolicyDALFactory
        allowedSelfApprovals: boolean;
        secretPath: string;
        deletedAt?: Date | null | undefined;
+        maxTimePeriod?: string | null;
        environments: {
          id: string;
          name: string;
@@ -141,6 +143,7 @@ export interface TAccessApprovalPolicyDALFactory
        allowedSelfApprovals: boolean;
        secretPath: string;
        deletedAt?: Date | null | undefined;
+        maxTimePeriod?: string | null;
      }
    | undefined
  >;
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@@ -100,7 +100,8 @@ export const accessApprovalPolicyServiceFactory = ({
    environments,
    enforcementLevel,
    allowedSelfApprovals,
-    approvalsRequired
+    approvalsRequired,
+    maxTimePeriod
  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -219,7 +220,8 @@ export const accessApprovalPolicyServiceFactory = ({
          secretPath,
          name,
          enforcementLevel,
-          allowedSelfApprovals
+          allowedSelfApprovals,
+          maxTimePeriod
        },
        tx
      );
@@ -318,7 +320,8 @@ export const accessApprovalPolicyServiceFactory = ({
    enforcementLevel,
    allowedSelfApprovals,
    approvalsRequired,
-    environments
+    environments,
+    maxTimePeriod
  }: TUpdateAccessApprovalPolicy) => {
    const groupApprovers = approvers.filter((approver) => approver.type === ApproverType.Group);

@@ -461,7 +464,8 @@ export const accessApprovalPolicyServiceFactory = ({
          secretPath,
          name,
          enforcementLevel,
-          allowedSelfApprovals
+          allowedSelfApprovals,
+          maxTimePeriod
        },
        tx
      );
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
@@ -41,6 +41,7 @@ export type TCreateAccessApprovalPolicy = {
  enforcementLevel: EnforcementLevel;
  allowedSelfApprovals: boolean;
  approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
+  maxTimePeriod?: string | null;
 } & Omit<TProjectPermission, "projectId">;

 export type TUpdateAccessApprovalPolicy = {
@@ -60,6 +61,7 @@ export type TUpdateAccessApprovalPolicy = {
  allowedSelfApprovals: boolean;
  approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
  environments?: string[];
+  maxTimePeriod?: string | null;
 } & Omit<TProjectPermission, "projectId">;

 export type TDeleteAccessApprovalPolicy = {
@@ -104,7 +106,8 @@ export interface TAccessApprovalPolicyServiceFactory {
    environment,
    enforcementLevel,
    allowedSelfApprovals,
-    approvalsRequired
+    approvalsRequired,
+    maxTimePeriod
  }: TCreateAccessApprovalPolicy) => Promise<{
    environment: {
      name: string;
@@ -135,6 +138,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    allowedSelfApprovals: boolean;
    secretPath: string;
    deletedAt?: Date | null | undefined;
+    maxTimePeriod?: string | null;
  }>;
  deleteAccessApprovalPolicy: ({
    policyId,
@@ -159,6 +163,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    allowedSelfApprovals: boolean;
    secretPath: string;
    deletedAt?: Date | null | undefined;
+    maxTimePeriod?: string | null;
    environment: {
      id: string;
      name: string;
@@ -185,7 +190,8 @@ export interface TAccessApprovalPolicyServiceFactory {
    enforcementLevel,
    allowedSelfApprovals,
    approvalsRequired,
-    environments
+    environments,
+    maxTimePeriod
  }: TUpdateAccessApprovalPolicy) => Promise<{
    environment: {
      id: string;
@@ -208,6 +214,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    allowedSelfApprovals: boolean;
    secretPath?: string | null | undefined;
    deletedAt?: Date | null | undefined;
+    maxTimePeriod?: string | null;
  }>;
  getAccessApprovalPolicyByProjectSlug: ({
    actorId,
@@ -242,6 +249,7 @@ export interface TAccessApprovalPolicyServiceFactory {
      allowedSelfApprovals: boolean;
      secretPath: string;
      deletedAt?: Date | null | undefined;
+      maxTimePeriod?: string | null;
      environment: {
        id: string;
        name: string;
@@ -298,6 +306,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    allowedSelfApprovals: boolean;
    secretPath: string;
    deletedAt?: Date | null | undefined;
+    maxTimePeriod?: string | null;
    environment: {
      id: string;
      name: string;
--- a/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
@@ -5,6 +5,7 @@ import {
  AccessApprovalRequestsSchema,
  TableName,
  TAccessApprovalRequests,
+  TOrgMemberships,
  TUserGroupMembership,
  TUsers
 } from "@app/db/schemas";
@@ -63,6 +64,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
          enforcementLevel: string;
          allowedSelfApprovals: boolean;
          deletedAt: Date | null | undefined;
+          maxTimePeriod?: string | null;
        };
        projectId: string;
        environments: string[];
@@ -143,6 +145,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
              approvalsRequired: number | null | undefined;
              email: string | null | undefined;
              username: string;
+              isOrgMembershipActive: boolean;
            }
          | {
              userId: string;
@@ -150,6 +153,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
              approvalsRequired: number | null | undefined;
              email: string | null | undefined;
              username: string;
+              isOrgMembershipActive: boolean;
            }
        )[];
        bypassers: string[];
@@ -161,6 +165,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
        allowedSelfApprovals: boolean;
        envId: string;
        deletedAt: Date | null | undefined;
+        maxTimePeriod?: string | null;
      };
      projectId: string;
      environment: string;
@@ -200,6 +205,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
      reviewers: {
        userId: string;
        status: string;
+        isOrgMembershipActive: boolean;
      }[];
      approvers: (
        | {
@@ -208,6 +214,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
            approvalsRequired: number | null | undefined;
            email: string | null | undefined;
            username: string;
+            isOrgMembershipActive: boolean;
          }
        | {
            userId: string;
@@ -215,6 +222,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
            approvalsRequired: number | null | undefined;
            email: string | null | undefined;
            username: string;
+            isOrgMembershipActive: boolean;
          }
      )[];
      bypassers: string[];
@@ -286,6 +294,24 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
            `requestedByUser.id`
          )

+          .leftJoin<TOrgMemberships>(
+            db(TableName.OrgMembership).as("approverOrgMembership"),
+            `${TableName.AccessApprovalPolicyApprover}.approverUserId`,
+            `approverOrgMembership.userId`
+          )
+
+          .leftJoin<TOrgMemberships>(
+            db(TableName.OrgMembership).as("approverGroupOrgMembership"),
+            `${TableName.Users}.id`,
+            `approverGroupOrgMembership.userId`
+          )
+
+          .leftJoin<TOrgMemberships>(
+            db(TableName.OrgMembership).as("reviewerOrgMembership"),
+            `${TableName.AccessApprovalRequestReviewer}.reviewerUserId`,
+            `reviewerOrgMembership.userId`
+          )
+
          .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)

          .select(selectAllTableCols(TableName.AccessApprovalRequest))
@@ -297,7 +323,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
            db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
            db.ref("allowedSelfApprovals").withSchema(TableName.AccessApprovalPolicy).as("policyAllowedSelfApprovals"),
            db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId"),
-            db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
+            db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt"),
+
+            db.ref("isActive").withSchema("approverOrgMembership").as("approverIsOrgMembershipActive"),
+            db.ref("isActive").withSchema("approverGroupOrgMembership").as("approverGroupIsOrgMembershipActive"),
+            db.ref("isActive").withSchema("reviewerOrgMembership").as("reviewerIsOrgMembershipActive"),
+            db.ref("maxTimePeriod").withSchema(TableName.AccessApprovalPolicy).as("policyMaxTimePeriod")
          )
          .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
          .select(db.ref("sequence").withSchema(TableName.AccessApprovalPolicyApprover).as("approverSequence"))
@@ -364,7 +395,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
              enforcementLevel: doc.policyEnforcementLevel,
              allowedSelfApprovals: doc.policyAllowedSelfApprovals,
              envId: doc.policyEnvId,
-              deletedAt: doc.policyDeletedAt
+              deletedAt: doc.policyDeletedAt,
+              maxTimePeriod: doc.policyMaxTimePeriod
            },
            requestedByUser: {
              userId: doc.requestedByUserId,
@@ -392,17 +424,26 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
            {
              key: "reviewerUserId",
              label: "reviewers" as const,
-              mapper: ({ reviewerUserId: userId, reviewerStatus: status }) => (userId ? { userId, status } : undefined)
+              mapper: ({ reviewerUserId: userId, reviewerStatus: status, reviewerIsOrgMembershipActive }) =>
+                userId ? { userId, status, isOrgMembershipActive: reviewerIsOrgMembershipActive } : undefined
            },
            {
              key: "approverUserId",
              label: "approvers" as const,
-              mapper: ({ approverUserId, approverSequence, approvalsRequired, approverUsername, approverEmail }) => ({
+              mapper: ({
+                approverUserId,
+                approverSequence,
+                approvalsRequired,
+                approverUsername,
+                approverEmail,
+                approverIsOrgMembershipActive
+              }) => ({
                userId: approverUserId,
                sequence: approverSequence,
                approvalsRequired,
                email: approverEmail,
-                username: approverUsername
+                username: approverUsername,
+                isOrgMembershipActive: approverIsOrgMembershipActive
              })
            },
            {
@@ -413,13 +454,15 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
                approverSequence,
                approvalsRequired,
                approverGroupEmail,
-                approverGroupUsername
+                approverGroupUsername,
+                approverGroupIsOrgMembershipActive
              }) => ({
                userId: approverGroupUserId,
                sequence: approverSequence,
                approvalsRequired,
                email: approverGroupEmail,
-                username: approverGroupUsername
+                username: approverGroupUsername,
+                isOrgMembershipActive: approverGroupIsOrgMembershipActive
              })
            },
            { key: "bypasserUserId", label: "bypassers" as const, mapper: ({ bypasserUserId }) => bypasserUserId },
@@ -574,7 +617,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
        tx.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
        tx.ref("allowedSelfApprovals").withSchema(TableName.AccessApprovalPolicy).as("policyAllowedSelfApprovals"),
        tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
-        tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
+        tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt"),
+        tx.ref("maxTimePeriod").withSchema(TableName.AccessApprovalPolicy).as("policyMaxTimePeriod")
      );

  const findById: TAccessApprovalRequestDALFactory["findById"] = async (id, tx) => {
@@ -595,7 +639,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
            secretPath: el.policySecretPath,
            enforcementLevel: el.policyEnforcementLevel,
            allowedSelfApprovals: el.policyAllowedSelfApprovals,
-            deletedAt: el.policyDeletedAt
+            deletedAt: el.policyDeletedAt,
+            maxTimePeriod: el.policyMaxTimePeriod
          },
          requestedByUser: {
            userId: el.requestedByUserId,
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@@ -54,7 +54,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
  accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find" | "findLastValidPolicy">;
  accessApprovalRequestReviewerDAL: Pick<
    TAccessApprovalRequestReviewerDALFactory,
-    "create" | "find" | "findOne" | "transaction"
+    "create" | "find" | "findOne" | "transaction" | "delete"
  >;
  groupDAL: Pick<TGroupDALFactory, "findAllGroupPossibleMembers">;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
@@ -156,6 +156,15 @@ export const accessApprovalRequestServiceFactory = ({
      throw new BadRequestError({ message: "The policy linked to this request has been deleted" });
    }

+    // Check if the requested time falls under policy.maxTimePeriod
+    if (policy.maxTimePeriod) {
+      if (!temporaryRange || ms(temporaryRange) > ms(policy.maxTimePeriod)) {
+        throw new BadRequestError({
+          message: `Requested access time range is limited to ${policy.maxTimePeriod} by policy`
+        });
+      }
+    }
+
    const approverIds: string[] = [];
    const approverGroupIds: string[] = [];

@@ -292,6 +301,155 @@ export const accessApprovalRequestServiceFactory = ({
    return { request: approval };
  };

+  const updateAccessApprovalRequest: TAccessApprovalRequestServiceFactory["updateAccessApprovalRequest"] = async ({
+    temporaryRange,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    editNote,
+    requestId
+  }) => {
+    const cfg = getConfig();
+
+    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
+    if (!accessApprovalRequest) {
+      throw new NotFoundError({ message: `Access request with ID '${requestId}' not found` });
+    }
+
+    const { policy, requestedByUser } = accessApprovalRequest;
+    if (policy.deletedAt) {
+      throw new BadRequestError({
+        message: "The policy associated with this access request has been deleted."
+      });
+    }
+
+    const { membership, hasRole } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: accessApprovalRequest.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
+
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
+
+    const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
+
+    if (!hasRole(ProjectMembershipRole.Admin) && !isApprover) {
+      throw new ForbiddenRequestError({ message: "You are not authorized to modify this request" });
+    }
+
+    const project = await projectDAL.findById(accessApprovalRequest.projectId);
+
+    if (!project) {
+      throw new NotFoundError({
+        message: `The project associated with this access request was not found. [projectId=${accessApprovalRequest.projectId}]`
+      });
+    }
+
+    if (accessApprovalRequest.status !== ApprovalStatus.PENDING) {
+      throw new BadRequestError({ message: "The request has been closed" });
+    }
+
+    const editedByUser = await userDAL.findById(actorId);
+
+    if (!editedByUser) throw new NotFoundError({ message: "Editing user not found" });
+
+    if (accessApprovalRequest.isTemporary && accessApprovalRequest.temporaryRange) {
+      if (ms(temporaryRange) > ms(accessApprovalRequest.temporaryRange)) {
+        throw new BadRequestError({ message: "Updated access duration must be less than current access duration" });
+      }
+    }
+
+    const { envSlug, secretPath, accessTypes } = verifyRequestedPermissions({
+      permissions: accessApprovalRequest.permissions
+    });
+
+    const approval = await accessApprovalRequestDAL.transaction(async (tx) => {
+      const approvalRequest = await accessApprovalRequestDAL.updateById(
+        requestId,
+        {
+          temporaryRange,
+          isTemporary: true,
+          editNote,
+          editedByUserId: actorId
+        },
+        tx
+      );
+
+      // reset review progress
+      await accessApprovalRequestReviewerDAL.delete(
+        {
+          requestId
+        },
+        tx
+      );
+
+      const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
+      const editorFullName = `${editedByUser.firstName} ${editedByUser.lastName}`;
+      const approvalUrl = `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`;
+
+      await triggerWorkflowIntegrationNotification({
+        input: {
+          notification: {
+            type: TriggerFeature.ACCESS_REQUEST_UPDATED,
+            payload: {
+              projectName: project.name,
+              requesterFullName,
+              isTemporary: true,
+              requesterEmail: requestedByUser.email as string,
+              secretPath,
+              environment: envSlug,
+              permissions: accessTypes,
+              approvalUrl,
+              editNote,
+              editorEmail: editedByUser.email as string,
+              editorFullName
+            }
+          },
+          projectId: project.id
+        },
+        dependencies: {
+          projectDAL,
+          projectSlackConfigDAL,
+          kmsService,
+          microsoftTeamsService,
+          projectMicrosoftTeamsConfigDAL
+        }
+      });
+
+      await smtpService.sendMail({
+        recipients: policy.approvers
+          .filter((approver) => Boolean(approver.email) && approver.userId !== editedByUser.id)
+          .map((approver) => approver.email!),
+        subjectLine: "Access Approval Request Updated",
+        substitutions: {
+          projectName: project.name,
+          requesterFullName,
+          requesterEmail: requestedByUser.email,
+          isTemporary: true,
+          expiresIn: msFn(ms(temporaryRange || ""), { long: true }),
+          secretPath,
+          environment: envSlug,
+          permissions: accessTypes,
+          approvalUrl,
+          editNote,
+          editorFullName,
+          editorEmail: editedByUser.email
+        },
+        template: SmtpTemplates.AccessApprovalRequestUpdated
+      });
+
+      return approvalRequest;
+    });
+
+    return { request: approval };
+  };
+
  const listApprovalRequests: TAccessApprovalRequestServiceFactory["listApprovalRequests"] = async ({
    projectSlug,
    authorUserId,
@@ -641,6 +799,7 @@ export const accessApprovalRequestServiceFactory = ({

  return {
    createAccessApprovalRequest,
+    updateAccessApprovalRequest,
    listApprovalRequests,
    reviewAccessRequest,
    getCount
--- a/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
@@ -30,6 +30,12 @@ export type TCreateAccessApprovalRequestDTO = {
  note?: string;
 } & Omit<TProjectPermission, "projectId">;

+export type TUpdateAccessApprovalRequestDTO = {
+  requestId: string;
+  temporaryRange: string;
+  editNote: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TListApprovalRequestsDTO = {
  projectSlug: string;
  authorUserId?: string;
@@ -54,6 +60,23 @@ export interface TAccessApprovalRequestServiceFactory {
      privilegeDeletedAt?: Date | null | undefined;
    };
  }>;
+  updateAccessApprovalRequest: (arg: TUpdateAccessApprovalRequestDTO) => Promise<{
+    request: {
+      status: string;
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      policyId: string;
+      isTemporary: boolean;
+      requestedByUserId: string;
+      privilegeId?: string | null | undefined;
+      requestedBy?: string | null | undefined;
+      temporaryRange?: string | null | undefined;
+      permissions?: unknown;
+      note?: string | null | undefined;
+      privilegeDeletedAt?: Date | null | undefined;
+    };
+  }>;
  listApprovalRequests: (arg: TListApprovalRequestsDTO) => Promise<{
    requests: {
      policy: {
@@ -64,6 +87,7 @@ export interface TAccessApprovalRequestServiceFactory {
              approvalsRequired: number | null | undefined;
              email: string | null | undefined;
              username: string;
+              isOrgMembershipActive: boolean;
            }
          | {
              userId: string;
@@ -71,6 +95,7 @@ export interface TAccessApprovalRequestServiceFactory {
              approvalsRequired: number | null | undefined;
              email: string | null | undefined;
              username: string;
+              isOrgMembershipActive: boolean;
            }
        )[];
        bypassers: string[];
@@ -82,6 +107,7 @@ export interface TAccessApprovalRequestServiceFactory {
        allowedSelfApprovals: boolean;
        envId: string;
        deletedAt: Date | null | undefined;
+        maxTimePeriod?: string | null;
      };
      projectId: string;
      environment: string;
@@ -121,6 +147,7 @@ export interface TAccessApprovalRequestServiceFactory {
      reviewers: {
        userId: string;
        status: string;
+        isOrgMembershipActive: boolean;
      }[];
      approvers: (
        | {
@@ -129,6 +156,7 @@ export interface TAccessApprovalRequestServiceFactory {
            approvalsRequired: number | null | undefined;
            email: string | null | undefined;
            username: string;
+            isOrgMembershipActive: boolean;
          }
        | {
            userId: string;
@@ -136,6 +164,7 @@ export interface TAccessApprovalRequestServiceFactory {
            approvalsRequired: number | null | undefined;
            email: string | null | undefined;
            username: string;
+            isOrgMembershipActive: boolean;
          }
      )[];
      bypassers: string[];
--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@@ -14,7 +14,7 @@ import { ActorType } from "@app/services/auth/auth-type";
 import { EventType, filterableSecretEvents } from "./audit-log-types";

 export interface TAuditLogDALFactory extends Omit<TOrmify<TableName.AuditLog>, "find"> {
-  pruneAuditLog: (tx?: knex.Knex) => Promise<void>;
+  pruneAuditLog: () => Promise<void>;
  find: (
    arg: Omit<TFindQuery, "actor" | "eventType"> & {
      actorId?: string | undefined;
@@ -41,6 +41,10 @@ type TFindQuery = {
  offset?: number;
 };

+const QUERY_TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes
+const AUDIT_LOG_PRUNE_BATCH_SIZE = 10000;
+const MAX_RETRY_ON_FAILURE = 3;
+
 export const auditLogDALFactory = (db: TDbClient) => {
  const auditLogOrm = ormify(db, TableName.AuditLog);

@@ -151,20 +155,20 @@ export const auditLogDALFactory = (db: TDbClient) => {
  };

  // delete all audit log that have expired
-  const pruneAuditLog: TAuditLogDALFactory["pruneAuditLog"] = async (tx) => {
-    const runPrune = async (dbClient: knex.Knex) => {
-      const AUDIT_LOG_PRUNE_BATCH_SIZE = 10000;
-      const MAX_RETRY_ON_FAILURE = 3;
+  const pruneAuditLog: TAuditLogDALFactory["pruneAuditLog"] = async () => {
+    const today = new Date();
+    let deletedAuditLogIds: { id: string }[] = [];
+    let numberOfRetryOnFailure = 0;
+    let isRetrying = false;

-      const today = new Date();
-      let deletedAuditLogIds: { id: string }[] = [];
-      let numberOfRetryOnFailure = 0;
-      let isRetrying = false;
+    logger.info(`${QueueName.DailyResourceCleanUp}: audit log started`);
+    do {
+      try {
+        // eslint-disable-next-line no-await-in-loop
+        deletedAuditLogIds = await db.transaction(async (trx) => {
+          await trx.raw(`SET statement_timeout = ${QUERY_TIMEOUT_MS}`);

-      logger.info(`${QueueName.DailyResourceCleanUp}: audit log started`);
-      do {
-        try {
-          const findExpiredLogSubQuery = dbClient(TableName.AuditLog)
+          const findExpiredLogSubQuery = trx(TableName.AuditLog)
            .where("expiresAt", "<", today)
            .where("createdAt", "<", today) // to use audit log partition
            .orderBy(`${TableName.AuditLog}.createdAt`, "desc")
@@ -172,34 +176,25 @@ export const auditLogDALFactory = (db: TDbClient) => {
            .limit(AUDIT_LOG_PRUNE_BATCH_SIZE);

          // eslint-disable-next-line no-await-in-loop
-          deletedAuditLogIds = await dbClient(TableName.AuditLog)
-            .whereIn("id", findExpiredLogSubQuery)
-            .del()
-            .returning("id");
-          numberOfRetryOnFailure = 0; // reset
-        } catch (error) {
-          numberOfRetryOnFailure += 1;
-          logger.error(error, "Failed to delete audit log on pruning");
-        } finally {
-          // eslint-disable-next-line no-await-in-loop
-          await new Promise((resolve) => {
-            setTimeout(resolve, 10); // time to breathe for db
-          });
-        }
-        isRetrying = numberOfRetryOnFailure > 0;
-      } while (deletedAuditLogIds.length > 0 || (isRetrying && numberOfRetryOnFailure < MAX_RETRY_ON_FAILURE));
-      logger.info(`${QueueName.DailyResourceCleanUp}: audit log completed`);
-    };
+          const results = await trx(TableName.AuditLog).whereIn("id", findExpiredLogSubQuery).del().returning("id");

-    if (tx) {
-      await runPrune(tx);
-    } else {
-      const QUERY_TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes
-      await db.transaction(async (trx) => {
-        await trx.raw(`SET statement_timeout = ${QUERY_TIMEOUT_MS}`);
-        await runPrune(trx);
-      });
-    }
+          return results;
+        });
+
+        numberOfRetryOnFailure = 0; // reset
+      } catch (error) {
+        numberOfRetryOnFailure += 1;
+        deletedAuditLogIds = [];
+        logger.error(error, "Failed to delete audit log on pruning");
+      } finally {
+        // eslint-disable-next-line no-await-in-loop
+        await new Promise((resolve) => {
+          setTimeout(resolve, 10); // time to breathe for db
+        });
+      }
+      isRetrying = numberOfRetryOnFailure > 0;
+    } while (deletedAuditLogIds.length > 0 || (isRetrying && numberOfRetryOnFailure < MAX_RETRY_ON_FAILURE));
+    logger.info(`${QueueName.DailyResourceCleanUp}: audit log completed`);
  };

  const create: TAuditLogDALFactory["create"] = async (tx) => {
--- a/backend/src/ee/services/audit-log/audit-log-queue.ts
+++ b/backend/src/ee/services/audit-log/audit-log-queue.ts
@@ -1,8 +1,6 @@
 import { AxiosError, RawAxiosRequestHeaders } from "axios";

-import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
-import { TEventBusService } from "@app/ee/services/event/event-bus-service";
-import { TopicName, toPublishableEvent } from "@app/ee/services/event/types";
+import { SecretKeyEncoding } from "@app/db/schemas";
 import { request } from "@app/lib/config/request";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { logger } from "@app/lib/logger";
@@ -22,7 +20,6 @@ type TAuditLogQueueServiceFactoryDep = {
  queueService: TQueueServiceFactory;
  projectDAL: Pick<TProjectDALFactory, "findById">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  eventBusService: TEventBusService;
 };

 export type TAuditLogQueueServiceFactory = {
@@ -38,8 +35,7 @@ export const auditLogQueueServiceFactory = async ({
  queueService,
  projectDAL,
  licenseService,
-  auditLogStreamDAL,
-  eventBusService
+  auditLogStreamDAL
 }: TAuditLogQueueServiceFactoryDep): Promise<TAuditLogQueueServiceFactory> => {
  const pushToLog = async (data: TCreateAuditLogDTO) => {
    await queueService.queue<QueueName.AuditLog>(QueueName.AuditLog, QueueJobs.AuditLog, data, {
@@ -145,16 +141,6 @@ export const auditLogQueueServiceFactory = async ({
        )
      );
    }
-
-    const publishable = toPublishableEvent(event);
-
-    if (publishable) {
-      await eventBusService.publish(TopicName.CoreServers, {
-        type: ProjectType.SecretManager,
-        source: "infiscal",
-        data: publishable.data
-      });
-    }
  });

  return {
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@@ -6,9 +6,9 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";

-import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { OrgPermissionAuditLogsActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
-import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
+import { ProjectPermissionAuditLogsActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TAuditLogDALFactory } from "./audit-log-dal";
 import { TAuditLogQueueServiceFactory } from "./audit-log-queue";
 import { EventType, TAuditLogServiceFactory } from "./audit-log-types";
@@ -41,7 +41,10 @@ export const auditLogServiceFactory = ({
        actorOrgId,
        actionProjectType: ActionProjectType.Any
      });
-      ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionAuditLogsActions.Read,
+        ProjectPermissionSub.AuditLogs
+      );
    } else {
      // Organization-wide logs
      const { permission } = await permissionService.getOrgPermission(
@@ -52,7 +55,10 @@ export const auditLogServiceFactory = ({
        actorOrgId
      );

-      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
+      ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionAuditLogsActions.Read,
+        OrgPermissionSubjects.AuditLogs
+      );
    }

    // If project ID is not provided, then we need to return all the audit logs for the organization itself.
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -198,6 +198,7 @@ export enum EventType {

  CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
  REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
+  CLEAR_IDENTITY_UNIVERSAL_AUTH_LOCKOUTS = "clear-identity-universal-auth-lockouts",

  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID = "get-identity-universal-auth-client-secret-by-id",
@@ -281,6 +282,7 @@ export enum EventType {
  UPDATE_SSH_CERTIFICATE_TEMPLATE = "update-ssh-certificate-template",
  DELETE_SSH_CERTIFICATE_TEMPLATE = "delete-ssh-certificate-template",
  GET_SSH_CERTIFICATE_TEMPLATE = "get-ssh-certificate-template",
+  GET_AZURE_AD_TEMPLATES = "get-azure-ad-templates",
  GET_SSH_HOST = "get-ssh-host",
  CREATE_SSH_HOST = "create-ssh-host",
  UPDATE_SSH_HOST = "update-ssh-host",
@@ -866,6 +868,10 @@ interface AddIdentityUniversalAuthEvent {
    accessTokenMaxTTL: number;
    accessTokenNumUsesLimit: number;
    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+    lockoutEnabled: boolean;
+    lockoutThreshold: number;
+    lockoutDurationSeconds: number;
+    lockoutCounterResetSeconds: number;
  };
 }

@@ -878,6 +884,10 @@ interface UpdateIdentityUniversalAuthEvent {
    accessTokenMaxTTL?: number;
    accessTokenNumUsesLimit?: number;
    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+    lockoutEnabled?: boolean;
+    lockoutThreshold?: number;
+    lockoutDurationSeconds?: number;
+    lockoutCounterResetSeconds?: number;
  };
 }

@@ -1037,6 +1047,13 @@ interface RevokeIdentityUniversalAuthClientSecretEvent {
  };
 }

+interface ClearIdentityUniversalAuthLockoutsEvent {
+  type: EventType.CLEAR_IDENTITY_UNIVERSAL_AUTH_LOCKOUTS;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityGcpAuthEvent {
  type: EventType.LOGIN_IDENTITY_GCP_AUTH;
  metadata: {
@@ -2497,6 +2514,14 @@ interface CreateCertificateTemplateEstConfig {
  };
 }

+interface GetAzureAdCsTemplatesEvent {
+  type: EventType.GET_AZURE_AD_TEMPLATES;
+  metadata: {
+    caId: string;
+    amount: number;
+  };
+}
+
 interface UpdateCertificateTemplateEstConfig {
  type: EventType.UPDATE_CERTIFICATE_TEMPLATE_EST_CONFIG;
  metadata: {
@@ -3491,6 +3516,7 @@ export type Event =
  | GetIdentityUniversalAuthClientSecretsEvent
  | GetIdentityUniversalAuthClientSecretByIdEvent
  | RevokeIdentityUniversalAuthClientSecretEvent
+  | ClearIdentityUniversalAuthLockoutsEvent
  | LoginIdentityGcpAuthEvent
  | AddIdentityGcpAuthEvent
  | DeleteIdentityGcpAuthEvent
@@ -3636,6 +3662,7 @@ export type Event =
  | CreateCertificateTemplateEstConfig
  | UpdateCertificateTemplateEstConfig
  | GetCertificateTemplateEstConfig
+  | GetAzureAdCsTemplatesEvent
  | AttemptCreateSlackIntegration
  | AttemptReinstallSlackIntegration
  | UpdateSlackIntegration
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts
@@ -9,7 +9,7 @@ import { getDbConnectionHost } from "@app/lib/knex";
 export const verifyHostInputValidity = async (host: string, isGateway = false) => {
  const appCfg = getConfig();

-  if (appCfg.isDevelopmentMode) return [host];
+  if (appCfg.isDevelopmentMode || appCfg.isTestMode) return [host];

  if (isGateway) return [host];

--- a/backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts
@@ -15,6 +15,7 @@ import { z } from "zod";
 import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { crypto } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

 import { DynamicSecretAwsElastiCacheSchema, TDynamicProviderFns } from "./models";
@@ -170,14 +171,29 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
  };
  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    await ElastiCacheUserManager(
-      {
-        accessKeyId: providerInputs.accessKeyId,
-        secretAccessKey: providerInputs.secretAccessKey
-      },
-      providerInputs.region
-    ).verifyCredentials(providerInputs.clusterName);
-    return true;
+    try {
+      await ElastiCacheUserManager(
+        {
+          accessKeyId: providerInputs.accessKeyId,
+          secretAccessKey: providerInputs.secretAccessKey
+        },
+        providerInputs.region
+      ).verifyCredentials(providerInputs.clusterName);
+      return true;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [
+          providerInputs.accessKeyId,
+          providerInputs.secretAccessKey,
+          providerInputs.clusterName,
+          providerInputs.region
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -206,21 +222,37 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {

    const parsedStatement = CreateElastiCacheUserSchema.parse(JSON.parse(creationStatement));

-    await ElastiCacheUserManager(
-      {
-        accessKeyId: providerInputs.accessKeyId,
-        secretAccessKey: providerInputs.secretAccessKey
-      },
-      providerInputs.region
-    ).createUser(parsedStatement, providerInputs.clusterName);
+    try {
+      await ElastiCacheUserManager(
+        {
+          accessKeyId: providerInputs.accessKeyId,
+          secretAccessKey: providerInputs.secretAccessKey
+        },
+        providerInputs.region
+      ).createUser(parsedStatement, providerInputs.clusterName);

-    return {
-      entityId: leaseUsername,
-      data: {
-        DB_USERNAME: leaseUsername,
-        DB_PASSWORD: leasePassword
-      }
-    };
+      return {
+        entityId: leaseUsername,
+        data: {
+          DB_USERNAME: leaseUsername,
+          DB_PASSWORD: leasePassword
+        }
+      };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [
+          leaseUsername,
+          leasePassword,
+          providerInputs.accessKeyId,
+          providerInputs.secretAccessKey,
+          providerInputs.clusterName
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -229,15 +261,25 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username: entityId });
    const parsedStatement = DeleteElasticCacheUserSchema.parse(JSON.parse(revokeStatement));

-    await ElastiCacheUserManager(
-      {
-        accessKeyId: providerInputs.accessKeyId,
-        secretAccessKey: providerInputs.secretAccessKey
-      },
-      providerInputs.region
-    ).deleteUser(parsedStatement);
+    try {
+      await ElastiCacheUserManager(
+        {
+          accessKeyId: providerInputs.accessKeyId,
+          secretAccessKey: providerInputs.secretAccessKey
+        },
+        providerInputs.region
+      ).deleteUser(parsedStatement);

-    return { entityId };
+      return { entityId };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [entityId, providerInputs.accessKeyId, providerInputs.secretAccessKey, providerInputs.clusterName]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/aws-iam.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/aws-iam.ts
@@ -16,18 +16,24 @@ import {
  PutUserPolicyCommand,
  RemoveUserFromGroupCommand
 } from "@aws-sdk/client-iam";
-import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
+import { AssumeRoleCommand, GetSessionTokenCommand, STSClient } from "@aws-sdk/client-sts";
 import { z } from "zod";

 import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

-import { AwsIamAuthType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
+import { AwsIamAuthType, AwsIamCredentialType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
 import { compileUsernameTemplate } from "./templateUtils";

+// AWS STS duration constants (in seconds)
+const AWS_STS_MIN_DURATION = 900;
+const AWS_STS_MAX_DURATION_SESSION_TOKEN = 43200; // 12 hours for GetSessionToken
+const AWS_STS_MAX_DURATION_ASSUME_ROLE = 3600; // 1 hour for AssumeRole when using temp credentials
+
 const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
  const randomUsername = alphaNumericNanoId(32);
  if (!usernameTemplate) return randomUsername;
@@ -118,22 +124,91 @@ export const AwsIamProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown, { projectId }: { projectId: string }) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs, projectId);
-    const isConnected = await client
-      .send(new GetUserCommand({}))
-      .then(() => true)
-      .catch((err) => {
-        const message = (err as Error)?.message;
-        if (
-          (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
-          // assume role will throw an error asking to provider username, but if so this has access in aws correctly
-          message.includes("Must specify userName when calling with non-User credentials")
-        ) {
+    try {
+      if (providerInputs.credentialType === AwsIamCredentialType.TemporaryCredentials) {
+        if (providerInputs.method === AwsIamAuthType.AccessKey) {
+          const stsClient = new STSClient({
+            region: providerInputs.region,
+            useFipsEndpoint: crypto.isFipsModeEnabled(),
+            sha256: CustomAWSHasher,
+            credentials: {
+              accessKeyId: providerInputs.accessKey,
+              secretAccessKey: providerInputs.secretAccessKey
+            }
+          });
+
+          await stsClient.send(new GetSessionTokenCommand({ DurationSeconds: AWS_STS_MIN_DURATION }));
          return true;
        }
-        throw err;
+        if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+          const appCfg = getConfig();
+          const stsClient = new STSClient({
+            region: providerInputs.region,
+            useFipsEndpoint: crypto.isFipsModeEnabled(),
+            sha256: CustomAWSHasher,
+            credentials:
+              appCfg.DYNAMIC_SECRET_AWS_ACCESS_KEY_ID && appCfg.DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY
+                ? {
+                    accessKeyId: appCfg.DYNAMIC_SECRET_AWS_ACCESS_KEY_ID,
+                    secretAccessKey: appCfg.DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY
+                  }
+                : undefined
+          });
+
+          await stsClient.send(
+            new AssumeRoleCommand({
+              RoleArn: providerInputs.roleArn,
+              RoleSessionName: `infisical-validation-${crypto.nativeCrypto.randomUUID()}`,
+              DurationSeconds: AWS_STS_MIN_DURATION,
+              ExternalId: projectId
+            })
+          );
+          return true;
+        }
+        if (providerInputs.method === AwsIamAuthType.IRSA) {
+          const stsClient = new STSClient({
+            region: providerInputs.region,
+            useFipsEndpoint: crypto.isFipsModeEnabled(),
+            sha256: CustomAWSHasher
+          });
+
+          await stsClient.send(new GetSessionTokenCommand({ DurationSeconds: AWS_STS_MIN_DURATION }));
+          return true;
+        }
+      }
+
+      const client = await $getClient(providerInputs, projectId);
+      const isConnected = await client
+        .send(new GetUserCommand({}))
+        .then(() => true)
+        .catch((err) => {
+          const message = (err as Error)?.message;
+          if (
+            (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
+            // assume role will throw an error asking to provider username, but if so this has access in aws correctly
+            message.includes("Must specify userName when calling with non-User credentials")
+          ) {
+            return true;
+          }
+          throw err;
+        });
+      return isConnected;
+    } catch (err) {
+      const sensitiveTokens: string[] = [];
+      if (providerInputs.method === AwsIamAuthType.AccessKey) {
+        sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
+      }
+      if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+        sensitiveTokens.push(providerInputs.roleArn);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: sensitiveTokens
      });
-    return isConnected;
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -145,83 +220,262 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
    };
    metadata: { projectId: string };
  }) => {
-    const { inputs, usernameTemplate, metadata, identity } = data;
+    const { inputs, usernameTemplate, metadata, identity, expireAt } = data;

    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs, metadata.projectId);

-    const username = generateUsername(usernameTemplate, identity);
-    const { policyArns, userGroups, policyDocument, awsPath, permissionBoundaryPolicyArn } = providerInputs;
-    const awsTags = [{ Key: "createdBy", Value: "infisical-dynamic-secret" }];
+    if (providerInputs.credentialType === AwsIamCredentialType.TemporaryCredentials) {
+      try {
+        let stsClient: STSClient;
+        let entityId: string;

-    if (providerInputs.tags && Array.isArray(providerInputs.tags)) {
-      const additionalTags = providerInputs.tags.map((tag) => ({
-        Key: tag.key,
-        Value: tag.value
-      }));
-      awsTags.push(...additionalTags);
-    }
+        const currentTime = Math.floor(Date.now() / 1000);
+        const requestedDuration = expireAt - currentTime;

-    const createUserRes = await client.send(
-      new CreateUserCommand({
-        Path: awsPath,
-        PermissionsBoundary: permissionBoundaryPolicyArn || undefined,
-        Tags: awsTags,
-        UserName: username
-      })
-    );
+        if (requestedDuration <= 0) {
+          throw new BadRequestError({ message: "Expiration time must be in the future" });
+        }

-    if (!createUserRes.User) throw new BadRequestError({ message: "Failed to create AWS IAM User" });
-    if (userGroups) {
-      await Promise.all(
-        userGroups
-          .split(",")
-          .filter(Boolean)
-          .map((group) =>
-            client.send(new AddUserToGroupCommand({ UserName: createUserRes?.User?.UserName, GroupName: group }))
-          )
-      );
-    }
-    if (policyArns) {
-      await Promise.all(
-        policyArns
-          .split(",")
-          .filter(Boolean)
-          .map((policyArn) =>
-            client.send(new AttachUserPolicyCommand({ UserName: createUserRes?.User?.UserName, PolicyArn: policyArn }))
-          )
-      );
-    }
-    if (policyDocument) {
-      await client.send(
-        new PutUserPolicyCommand({
-          UserName: createUserRes.User.UserName,
-          PolicyName: `infisical-dynamic-policy-${alphaNumericNanoId(4)}`,
-          PolicyDocument: policyDocument
-        })
-      );
-    }
+        let durationSeconds: number;

-    const createAccessKeyRes = await client.send(
-      new CreateAccessKeyCommand({
-        UserName: createUserRes.User.UserName
-      })
-    );
-    if (!createAccessKeyRes.AccessKey)
-      throw new BadRequestError({ message: "Failed to create AWS IAM User access key" });
+        if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+          // AssumeRole has a lower maximum duration when using temporary credentials
+          durationSeconds = Math.min(requestedDuration, AWS_STS_MAX_DURATION_ASSUME_ROLE);
+          const appCfg = getConfig();
+          stsClient = new STSClient({
+            region: providerInputs.region,
+            useFipsEndpoint: crypto.isFipsModeEnabled(),
+            sha256: CustomAWSHasher,
+            credentials:
+              appCfg.DYNAMIC_SECRET_AWS_ACCESS_KEY_ID && appCfg.DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY
+                ? {
+                    accessKeyId: appCfg.DYNAMIC_SECRET_AWS_ACCESS_KEY_ID,
+                    secretAccessKey: appCfg.DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY
+                  }
+                : undefined
+          });

-    return {
-      entityId: username,
-      data: {
-        ACCESS_KEY: createAccessKeyRes.AccessKey.AccessKeyId,
-        SECRET_ACCESS_KEY: createAccessKeyRes.AccessKey.SecretAccessKey,
-        USERNAME: username
+          const assumeRoleRes = await stsClient.send(
+            new AssumeRoleCommand({
+              RoleArn: providerInputs.roleArn,
+              RoleSessionName: `infisical-temp-cred-${crypto.nativeCrypto.randomUUID()}`,
+              DurationSeconds: Math.max(durationSeconds, AWS_STS_MIN_DURATION),
+              ExternalId: metadata.projectId
+            })
+          );
+
+          if (
+            !assumeRoleRes.Credentials?.AccessKeyId ||
+            !assumeRoleRes.Credentials?.SecretAccessKey ||
+            !assumeRoleRes.Credentials?.SessionToken
+          ) {
+            throw new BadRequestError({ message: "Failed to assume role - verify credentials and role configuration" });
+          }
+
+          entityId = `assume-role-${alphaNumericNanoId(8)}`;
+          return {
+            entityId,
+            data: {
+              ACCESS_KEY: assumeRoleRes.Credentials.AccessKeyId,
+              SECRET_ACCESS_KEY: assumeRoleRes.Credentials.SecretAccessKey,
+              SESSION_TOKEN: assumeRoleRes.Credentials.SessionToken
+            }
+          };
+        }
+        if (providerInputs.method === AwsIamAuthType.AccessKey) {
+          // GetSessionToken supports longer durations
+          durationSeconds = Math.min(requestedDuration, AWS_STS_MAX_DURATION_SESSION_TOKEN);
+          stsClient = new STSClient({
+            region: providerInputs.region,
+            useFipsEndpoint: crypto.isFipsModeEnabled(),
+            sha256: CustomAWSHasher,
+            credentials: {
+              accessKeyId: providerInputs.accessKey,
+              secretAccessKey: providerInputs.secretAccessKey
+            }
+          });
+
+          const sessionTokenRes = await stsClient.send(
+            new GetSessionTokenCommand({
+              DurationSeconds: Math.max(durationSeconds, AWS_STS_MIN_DURATION)
+            })
+          );
+
+          if (
+            !sessionTokenRes.Credentials?.AccessKeyId ||
+            !sessionTokenRes.Credentials?.SecretAccessKey ||
+            !sessionTokenRes.Credentials?.SessionToken
+          ) {
+            throw new BadRequestError({ message: "Failed to get session token - verify credentials and permissions" });
+          }
+
+          entityId = `session-token-${alphaNumericNanoId(8)}`;
+          return {
+            entityId,
+            data: {
+              ACCESS_KEY: sessionTokenRes.Credentials.AccessKeyId,
+              SECRET_ACCESS_KEY: sessionTokenRes.Credentials.SecretAccessKey,
+              SESSION_TOKEN: sessionTokenRes.Credentials.SessionToken
+            }
+          };
+        }
+        if (providerInputs.method === AwsIamAuthType.IRSA) {
+          // GetSessionToken supports longer durations
+          durationSeconds = Math.min(requestedDuration, AWS_STS_MAX_DURATION_SESSION_TOKEN);
+          stsClient = new STSClient({
+            region: providerInputs.region,
+            useFipsEndpoint: crypto.isFipsModeEnabled(),
+            sha256: CustomAWSHasher
+          });
+
+          const sessionTokenRes = await stsClient.send(
+            new GetSessionTokenCommand({
+              DurationSeconds: Math.max(durationSeconds, AWS_STS_MIN_DURATION)
+            })
+          );
+
+          if (
+            !sessionTokenRes.Credentials?.AccessKeyId ||
+            !sessionTokenRes.Credentials?.SecretAccessKey ||
+            !sessionTokenRes.Credentials?.SessionToken
+          ) {
+            throw new BadRequestError({
+              message: "Failed to get session token - verify IRSA credentials and permissions"
+            });
+          }
+
+          entityId = `irsa-session-${alphaNumericNanoId(8)}`;
+          return {
+            entityId,
+            data: {
+              ACCESS_KEY: sessionTokenRes.Credentials.AccessKeyId,
+              SECRET_ACCESS_KEY: sessionTokenRes.Credentials.SecretAccessKey,
+              SESSION_TOKEN: sessionTokenRes.Credentials.SessionToken
+            }
+          };
+        }
+
+        throw new BadRequestError({ message: "Unsupported authentication method for temporary credentials" });
+      } catch (err) {
+        const sensitiveTokens: string[] = [];
+        if (providerInputs.method === AwsIamAuthType.AccessKey) {
+          sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
+        }
+        if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+          sensitiveTokens.push(providerInputs.roleArn);
+        }
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: sensitiveTokens
+        });
+        throw new BadRequestError({
+          message: `Failed to create temporary credentials: ${sanitizedErrorMessage}`
+        });
      }
-    };
+    }
+
+    if (providerInputs.credentialType === AwsIamCredentialType.IamUser) {
+      const client = await $getClient(providerInputs, metadata.projectId);
+
+      const username = generateUsername(usernameTemplate, identity);
+      const { policyArns, userGroups, policyDocument, awsPath, permissionBoundaryPolicyArn } = providerInputs;
+      const awsTags = [{ Key: "createdBy", Value: "infisical-dynamic-secret" }];
+
+      if (providerInputs.tags && Array.isArray(providerInputs.tags)) {
+        const additionalTags = providerInputs.tags.map((tag) => ({
+          Key: tag.key,
+          Value: tag.value
+        }));
+        awsTags.push(...additionalTags);
+      }
+
+      try {
+        const createUserRes = await client.send(
+          new CreateUserCommand({
+            Path: awsPath,
+            PermissionsBoundary: permissionBoundaryPolicyArn || undefined,
+            Tags: awsTags,
+            UserName: username
+          })
+        );
+
+        if (!createUserRes.User) throw new BadRequestError({ message: "Failed to create AWS IAM User" });
+        if (userGroups) {
+          await Promise.all(
+            userGroups
+              .split(",")
+              .filter(Boolean)
+              .map((group) =>
+                client.send(new AddUserToGroupCommand({ UserName: createUserRes?.User?.UserName, GroupName: group }))
+              )
+          );
+        }
+        if (policyArns) {
+          await Promise.all(
+            policyArns
+              .split(",")
+              .filter(Boolean)
+              .map((policyArn) =>
+                client.send(
+                  new AttachUserPolicyCommand({ UserName: createUserRes?.User?.UserName, PolicyArn: policyArn })
+                )
+              )
+          );
+        }
+        if (policyDocument) {
+          await client.send(
+            new PutUserPolicyCommand({
+              UserName: createUserRes.User.UserName,
+              PolicyName: `infisical-dynamic-policy-${alphaNumericNanoId(4)}`,
+              PolicyDocument: policyDocument
+            })
+          );
+        }
+
+        const createAccessKeyRes = await client.send(
+          new CreateAccessKeyCommand({
+            UserName: createUserRes.User.UserName
+          })
+        );
+        if (!createAccessKeyRes.AccessKey)
+          throw new BadRequestError({ message: "Failed to create AWS IAM User access key" });
+
+        return {
+          entityId: username,
+          data: {
+            ACCESS_KEY: createAccessKeyRes.AccessKey.AccessKeyId,
+            SECRET_ACCESS_KEY: createAccessKeyRes.AccessKey.SecretAccessKey,
+            USERNAME: username
+          }
+        };
+      } catch (err) {
+        const sensitiveTokens = [username];
+        if (providerInputs.method === AwsIamAuthType.AccessKey) {
+          sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
+        }
+        if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+          sensitiveTokens.push(providerInputs.roleArn);
+        }
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: sensitiveTokens
+        });
+        throw new BadRequestError({
+          message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+        });
+      }
+    }
+
+    throw new BadRequestError({ message: "Invalid credential type specified" });
  };

  const revoke = async (inputs: unknown, entityId: string, metadata: { projectId: string }) => {
    const providerInputs = await validateProviderInputs(inputs);
+
+    if (providerInputs.credentialType === AwsIamCredentialType.TemporaryCredentials) {
+      return { entityId };
+    }
+
    const client = await $getClient(providerInputs, metadata.projectId);

    const username = entityId;
@@ -278,8 +532,25 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
      )
    );

-    await client.send(new DeleteUserCommand({ UserName: username }));
-    return { entityId: username };
+    try {
+      await client.send(new DeleteUserCommand({ UserName: username }));
+      return { entityId: username };
+    } catch (err) {
+      const sensitiveTokens = [username];
+      if (providerInputs.method === AwsIamAuthType.AccessKey) {
+        sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
+      }
+      if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+        sensitiveTokens.push(providerInputs.roleArn);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: sensitiveTokens
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
@@ -2,6 +2,7 @@ import axios from "axios";
 import { customAlphabet } from "nanoid";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";

 import { AzureEntraIDSchema, TDynamicProviderFns } from "./models";

@@ -51,45 +52,82 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
-    return data.success;
+    try {
+      const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+      return data.success;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.clientSecret, providerInputs.applicationId, providerInputs.tenantId]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async ({ inputs }: { inputs: unknown }) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
-    if (!data.success) {
-      throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
-    }

    const password = generatePassword();
-
-    const response = await axios.patch(
-      `${MSFT_GRAPH_API_URL}/users/${providerInputs.userId}`,
-      {
-        passwordProfile: {
-          forceChangePasswordNextSignIn: false,
-          password
-        }
-      },
-      {
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${data.token}`
-        }
+    try {
+      const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+      if (!data.success) {
+        throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
      }
-    );
-    if (response.status !== 204) {
-      throw new BadRequestError({ message: "Failed to update password" });
-    }

-    return { entityId: providerInputs.userId, data: { email: providerInputs.email, password } };
+      const response = await axios.patch(
+        `${MSFT_GRAPH_API_URL}/users/${providerInputs.userId}`,
+        {
+          passwordProfile: {
+            forceChangePasswordNextSignIn: false,
+            password
+          }
+        },
+        {
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${data.token}`
+          }
+        }
+      );
+      if (response.status !== 204) {
+        throw new BadRequestError({ message: "Failed to update password" });
+      }
+
+      return { entityId: providerInputs.userId, data: { email: providerInputs.email, password } };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [
+          providerInputs.clientSecret,
+          providerInputs.applicationId,
+          providerInputs.userId,
+          providerInputs.email,
+          password
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
-    // Creates a new password
-    await create({ inputs });
-    return { entityId };
+    const providerInputs = await validateProviderInputs(inputs);
+    try {
+      // Creates a new password
+      await create({ inputs });
+      return { entityId };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.clientSecret, providerInputs.applicationId, entityId]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const fetchAzureEntraIdUsers = async (tenantId: string, applicationId: string, clientSecret: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/cassandra.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/cassandra.ts
@@ -3,6 +3,8 @@ import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -71,9 +73,24 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

-    const isConnected = await client.execute("SELECT * FROM system_schema.keyspaces").then(() => true);
-    await client.shutdown();
-    return isConnected;
+    try {
+      const isConnected = await client.execute("SELECT * FROM system_schema.keyspaces").then(() => true);
+      await client.shutdown();
+      return isConnected;
+    } catch (err) {
+      const tokens = [providerInputs.password, providerInputs.username];
+      if (providerInputs.keyspace) {
+        tokens.push(providerInputs.keyspace);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      await client.shutdown();
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -89,23 +106,39 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();
    const { keyspace } = providerInputs;
-    const expiration = new Date(expireAt).toISOString();

-    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
-      username,
-      password,
-      expiration,
-      keyspace
-    });
+    try {
+      const expiration = new Date(expireAt).toISOString();

-    const queries = creationStatement.toString().split(";").filter(Boolean);
-    for (const query of queries) {
-      // eslint-disable-next-line
-      await client.execute(query);
+      const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+        username,
+        password,
+        expiration,
+        keyspace
+      });
+
+      const queries = creationStatement.toString().split(";").filter(Boolean);
+      for (const query of queries) {
+        // eslint-disable-next-line
+        await client.execute(query);
+      }
+      await client.shutdown();
+
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      const tokens = [username, password];
+      if (keyspace) {
+        tokens.push(keyspace);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      await client.shutdown();
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-    await client.shutdown();
-
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -115,14 +148,29 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    const username = entityId;
    const { keyspace } = providerInputs;

-    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, keyspace });
-    const queries = revokeStatement.toString().split(";").filter(Boolean);
-    for (const query of queries) {
-      // eslint-disable-next-line
-      await client.execute(query);
+    try {
+      const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, keyspace });
+      const queries = revokeStatement.toString().split(";").filter(Boolean);
+      for (const query of queries) {
+        // eslint-disable-next-line
+        await client.execute(query);
+      }
+      await client.shutdown();
+      return { entityId: username };
+    } catch (err) {
+      const tokens = [username];
+      if (keyspace) {
+        tokens.push(keyspace);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      await client.shutdown();
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-    await client.shutdown();
-    return { entityId: username };
  };

  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
@@ -130,21 +178,36 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    if (!providerInputs.renewStatement) return { entityId };

    const client = await $getClient(providerInputs);
-
-    const expiration = new Date(expireAt).toISOString();
    const { keyspace } = providerInputs;

-    const renewStatement = handlebars.compile(providerInputs.renewStatement)({
-      username: entityId,
-      keyspace,
-      expiration
-    });
-    const queries = renewStatement.toString().split(";").filter(Boolean);
-    for await (const query of queries) {
-      await client.execute(query);
+    try {
+      const expiration = new Date(expireAt).toISOString();
+
+      const renewStatement = handlebars.compile(providerInputs.renewStatement)({
+        username: entityId,
+        keyspace,
+        expiration
+      });
+      const queries = renewStatement.toString().split(";").filter(Boolean);
+      for await (const query of queries) {
+        await client.execute(query);
+      }
+      await client.shutdown();
+      return { entityId };
+    } catch (err) {
+      const tokens = [entityId];
+      if (keyspace) {
+        tokens.push(keyspace);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      await client.shutdown();
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-    await client.shutdown();
-    return { entityId };
  };

  return {
--- a/backend/src/ee/services/dynamic-secret/providers/couchbase.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/couchbase.ts
@@ -0,0 +1,289 @@
+import crypto from "node:crypto";
+
+import axios from "axios";
+import RE2 from "re2";
+
+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator/validate-url";
+
+import { DynamicSecretCouchbaseSchema, PasswordRequirements, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
+
+type TCreateCouchbaseUser = {
+  name: string;
+  password: string;
+  access: {
+    privileges: string[];
+    resources: {
+      buckets: {
+        name: string;
+        scopes?: {
+          name: string;
+          collections?: string[];
+        }[];
+      }[];
+    };
+  }[];
+};
+
+type CouchbaseUserResponse = {
+  id: string;
+  uuid?: string;
+};
+
+const sanitizeCouchbaseUsername = (username: string): string => {
+  // Couchbase username restrictions:
+  // - Cannot contain: ) ( > < , ; : " \ / ] [ ? = } {
+  // - Cannot begin with @ character
+
+  const forbiddenCharsPattern = new RE2('[\\)\\(><,;:"\\\\\\[\\]\\?=\\}\\{]', "g");
+  let sanitized = forbiddenCharsPattern.replace(username, "-");
+
+  const leadingAtPattern = new RE2("^@+");
+  sanitized = leadingAtPattern.replace(sanitized, "");
+
+  if (!sanitized || sanitized.length === 0) {
+    return alphaNumericNanoId(12);
+  }
+
+  return sanitized;
+};
+
+/**
+ * Normalizes bucket configuration to handle wildcard (*) access consistently.
+ *
+ * Key behaviors:
+ * - If "*" appears anywhere (string or array), grants access to ALL buckets, scopes, and collections
+ *
+ * @param buckets - Either a string or array of bucket configurations
+ * @returns Normalized bucket resources for Couchbase API
+ */
+const normalizeBucketConfiguration = (
+  buckets:
+    | string
+    | Array<{
+        name: string;
+        scopes?: Array<{
+          name: string;
+          collections?: string[];
+        }>;
+      }>
+) => {
+  if (typeof buckets === "string") {
+    // Simple string format - either "*" or comma-separated bucket names
+    const bucketNames = buckets
+      .split(",")
+      .map((bucket) => bucket.trim())
+      .filter((bucket) => bucket.length > 0);
+
+    // If "*" is present anywhere, grant access to all buckets, scopes, and collections
+    if (bucketNames.includes("*") || buckets === "*") {
+      return [{ name: "*" }];
+    }
+    return bucketNames.map((bucketName) => ({ name: bucketName }));
+  }
+
+  // Array of bucket objects with scopes and collections
+  // Check if any bucket is "*" - if so, grant access to all buckets, scopes, and collections
+  const hasWildcardBucket = buckets.some((bucket) => bucket.name === "*");
+
+  if (hasWildcardBucket) {
+    return [{ name: "*" }];
+  }
+
+  return buckets.map((bucket) => ({
+    name: bucket.name,
+    scopes: bucket.scopes?.map((scope) => ({
+      name: scope.name,
+      collections: scope.collections || []
+    }))
+  }));
+};
+
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
+  const randomUsername = alphaNumericNanoId(12);
+  if (!usernameTemplate) return sanitizeCouchbaseUsername(randomUsername);
+
+  const compiledUsername = compileUsernameTemplate({
+    usernameTemplate,
+    randomUsername,
+    identity
+  });
+
+  return sanitizeCouchbaseUsername(compiledUsername);
+};
+
+const generatePassword = (requirements?: PasswordRequirements): string => {
+  const {
+    length = 12,
+    required = { lowercase: 1, uppercase: 1, digits: 1, symbols: 1 },
+    allowedSymbols = "!@#$%^()_+-=[]{}:,?/~`"
+  } = requirements || {};
+
+  const lowercase = "abcdefghijklmnopqrstuvwxyz";
+  const uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+  const digits = "0123456789";
+  const symbols = allowedSymbols;
+
+  let password = "";
+  let remaining = length;
+
+  // Add required characters
+  for (let i = 0; i < required.lowercase; i += 1) {
+    password += lowercase[crypto.randomInt(lowercase.length)];
+    remaining -= 1;
+  }
+  for (let i = 0; i < required.uppercase; i += 1) {
+    password += uppercase[crypto.randomInt(uppercase.length)];
+    remaining -= 1;
+  }
+  for (let i = 0; i < required.digits; i += 1) {
+    password += digits[crypto.randomInt(digits.length)];
+    remaining -= 1;
+  }
+  for (let i = 0; i < required.symbols; i += 1) {
+    password += symbols[crypto.randomInt(symbols.length)];
+    remaining -= 1;
+  }
+
+  // Fill remaining with random characters from all sets
+  const allChars = lowercase + uppercase + digits + symbols;
+  for (let i = 0; i < remaining; i += 1) {
+    password += allChars[crypto.randomInt(allChars.length)];
+  }
+
+  // Shuffle the password
+  return password
+    .split("")
+    .sort(() => crypto.randomInt(3) - 1)
+    .join("");
+};
+
+const couchbaseApiRequest = async (
+  method: string,
+  url: string,
+  apiKey: string,
+  data?: unknown
+): Promise<CouchbaseUserResponse> => {
+  await blockLocalAndPrivateIpAddresses(url);
+
+  try {
+    const response = await axios({
+      method: method.toLowerCase() as "get" | "post" | "put" | "delete",
+      url,
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        "Content-Type": "application/json"
+      },
+      data: data || undefined,
+      timeout: 30000
+    });
+
+    return response.data as CouchbaseUserResponse;
+  } catch (err) {
+    const sanitizedErrorMessage = sanitizeString({
+      unsanitizedString: (err as Error)?.message,
+      tokens: [apiKey]
+    });
+    throw new BadRequestError({
+      message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+    });
+  }
+};
+
+export const CouchbaseProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: object) => {
+    const providerInputs = DynamicSecretCouchbaseSchema.parse(inputs);
+
+    await blockLocalAndPrivateIpAddresses(providerInputs.url);
+
+    return providerInputs;
+  };
+
+  const validateConnection = async (inputs: unknown): Promise<boolean> => {
+    try {
+      const providerInputs = await validateProviderInputs(inputs as object);
+
+      // Test connection by trying to get organization info
+      const url = `${providerInputs.url}/v4/organizations/${providerInputs.orgId}`;
+      await couchbaseApiRequest("GET", url, providerInputs.auth.apiKey);
+
+      return true;
+    } catch (error) {
+      throw new BadRequestError({
+        message: `Failed to connect to Couchbase: ${error instanceof Error ? error.message : "Unknown error"}`
+      });
+    }
+  };
+
+  const create = async ({
+    inputs,
+    usernameTemplate,
+    identity
+  }: {
+    inputs: unknown;
+    usernameTemplate?: string | null;
+    identity?: { name: string };
+  }) => {
+    const providerInputs = await validateProviderInputs(inputs as object);
+
+    const username = generateUsername(usernameTemplate, identity);
+
+    const password = generatePassword(providerInputs.passwordRequirements);
+
+    const createUserUrl = `${providerInputs.url}/v4/organizations/${providerInputs.orgId}/projects/${providerInputs.projectId}/clusters/${providerInputs.clusterId}/users`;
+
+    const bucketResources = normalizeBucketConfiguration(providerInputs.buckets);
+
+    const userData: TCreateCouchbaseUser = {
+      name: username,
+      password,
+      access: [
+        {
+          privileges: providerInputs.roles,
+          resources: {
+            buckets: bucketResources
+          }
+        }
+      ]
+    };
+
+    const response = await couchbaseApiRequest("POST", createUserUrl, providerInputs.auth.apiKey, userData);
+
+    const userUuid = response?.id || response?.uuid || username;
+
+    return {
+      entityId: userUuid,
+      data: {
+        username,
+        password
+      }
+    };
+  };
+
+  const revoke = async (inputs: unknown, entityId: string) => {
+    const providerInputs = await validateProviderInputs(inputs as object);
+
+    const deleteUserUrl = `${providerInputs.url}/v4/organizations/${providerInputs.orgId}/projects/${providerInputs.projectId}/clusters/${providerInputs.clusterId}/users/${encodeURIComponent(entityId)}`;
+
+    await couchbaseApiRequest("DELETE", deleteUserUrl, providerInputs.auth.apiKey);
+
+    return { entityId };
+  };
+
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // Couchbase Cloud API doesn't support renewing user credentials
+    // The user remains valid until explicitly deleted
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};
--- a/backend/src/ee/services/dynamic-secret/providers/elastic-search.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/elastic-search.ts
@@ -2,6 +2,8 @@ import { Client as ElasticSearchClient } from "@elastic/elasticsearch";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { verifyHostInputValidity } from "../dynamic-secret-fns";
@@ -63,12 +65,24 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await $getClient(providerInputs);

-    const infoResponse = await connection
-      .info()
-      .then(() => true)
-      .catch(() => false);
-
-    return infoResponse;
+    try {
+      const infoResponse = await connection.info().then(() => true);
+      return infoResponse;
+    } catch (err) {
+      const tokens = [];
+      if (providerInputs.auth.type === ElasticSearchAuthTypes.ApiKey) {
+        tokens.push(providerInputs.auth.apiKey, providerInputs.auth.apiKeyId);
+      } else {
+        tokens.push(providerInputs.auth.username, providerInputs.auth.password);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -79,27 +93,49 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();

-    await connection.security.putUser({
-      username,
-      password,
-      full_name: "Managed by Infisical.com",
-      roles: providerInputs.roles
-    });
+    try {
+      await connection.security.putUser({
+        username,
+        password,
+        full_name: "Managed by Infisical.com",
+        roles: providerInputs.roles
+      });

-    await connection.close();
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+      await connection.close();
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password]
+      });
+      await connection.close();
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await $getClient(providerInputs);

-    await connection.security.deleteUser({
-      username: entityId
-    });
+    try {
+      await connection.security.deleteUser({
+        username: entityId
+      });

-    await connection.close();
-    return { entityId };
+      await connection.close();
+      return { entityId };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [entityId]
+      });
+      await connection.close();
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/gcp-iam.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/gcp-iam.ts
@@ -3,6 +3,7 @@ import { GetAccessTokenResponse } from "google-auth-library/build/src/auth/oauth

 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { DynamicSecretGcpIamSchema, TDynamicProviderFns } from "./models";
@@ -65,8 +66,18 @@ export const GcpIamProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    await $getToken(providerInputs.serviceAccountEmail, 10);
-    return true;
+    try {
+      await $getToken(providerInputs.serviceAccountEmail, 10);
+      return true;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.serviceAccountEmail]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown; expireAt: number }) => {
@@ -74,13 +85,23 @@ export const GcpIamProvider = (): TDynamicProviderFns => {

    const providerInputs = await validateProviderInputs(inputs);

-    const now = Math.floor(Date.now() / 1000);
-    const ttl = Math.max(Math.floor(expireAt / 1000) - now, 0);
+    try {
+      const now = Math.floor(Date.now() / 1000);
+      const ttl = Math.max(Math.floor(expireAt / 1000) - now, 0);

-    const token = await $getToken(providerInputs.serviceAccountEmail, ttl);
-    const entityId = alphaNumericNanoId(32);
+      const token = await $getToken(providerInputs.serviceAccountEmail, ttl);
+      const entityId = alphaNumericNanoId(32);

-    return { entityId, data: { SERVICE_ACCOUNT_EMAIL: providerInputs.serviceAccountEmail, TOKEN: token } };
+      return { entityId, data: { SERVICE_ACCOUNT_EMAIL: providerInputs.serviceAccountEmail, TOKEN: token } };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.serviceAccountEmail]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (_inputs: unknown, entityId: string) => {
@@ -89,10 +110,21 @@ export const GcpIamProvider = (): TDynamicProviderFns => {
  };

  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
-    // To renew a token it must be re-created
-    const data = await create({ inputs, expireAt });
+    try {
+      // To renew a token it must be re-created
+      const data = await create({ inputs, expireAt });

-    return { ...data, entityId };
+      return { ...data, entityId };
+    } catch (err) {
+      const providerInputs = await validateProviderInputs(inputs);
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.serviceAccountEmail]
+      });
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  return {
--- a/backend/src/ee/services/dynamic-secret/providers/github.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/github.ts
@@ -3,6 +3,7 @@ import jwt from "jsonwebtoken";

 import { crypto } from "@app/lib/crypto";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";

@@ -89,26 +90,46 @@ export const GithubProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    await $generateGitHubInstallationAccessToken(providerInputs);
-    return true;
+    try {
+      await $generateGitHubInstallationAccessToken(providerInputs);
+      return true;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.privateKey, String(providerInputs.appId), String(providerInputs.installationId)]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown }) => {
    const { inputs } = data;
    const providerInputs = await validateProviderInputs(inputs);

-    const ghTokenData = await $generateGitHubInstallationAccessToken(providerInputs);
-    const entityId = alphaNumericNanoId(32);
+    try {
+      const ghTokenData = await $generateGitHubInstallationAccessToken(providerInputs);
+      const entityId = alphaNumericNanoId(32);

-    return {
-      entityId,
-      data: {
-        TOKEN: ghTokenData.token,
-        EXPIRES_AT: ghTokenData.expires_at,
-        PERMISSIONS: ghTokenData.permissions,
-        REPOSITORY_SELECTION: ghTokenData.repository_selection
-      }
-    };
+      return {
+        entityId,
+        data: {
+          TOKEN: ghTokenData.token,
+          EXPIRES_AT: ghTokenData.expires_at,
+          PERMISSIONS: ghTokenData.permissions,
+          REPOSITORY_SELECTION: ghTokenData.repository_selection
+        }
+      };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.privateKey, String(providerInputs.appId), String(providerInputs.installationId)]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async () => {
--- a/backend/src/ee/services/dynamic-secret/providers/index.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/index.ts
@@ -5,6 +5,7 @@ import { AwsElastiCacheDatabaseProvider } from "./aws-elasticache";
 import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
+import { CouchbaseProvider } from "./couchbase";
 import { ElasticSearchProvider } from "./elastic-search";
 import { GcpIamProvider } from "./gcp-iam";
 import { GithubProvider } from "./github";
@@ -46,5 +47,6 @@ export const buildDynamicSecretProviders = ({
  [DynamicSecretProviders.Kubernetes]: KubernetesProvider({ gatewayService }),
  [DynamicSecretProviders.Vertica]: VerticaProvider({ gatewayService }),
  [DynamicSecretProviders.GcpIam]: GcpIamProvider(),
-  [DynamicSecretProviders.Github]: GithubProvider()
+  [DynamicSecretProviders.Github]: GithubProvider(),
+  [DynamicSecretProviders.Couchbase]: CouchbaseProvider()
 });
--- a/backend/src/ee/services/dynamic-secret/providers/kubernetes.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/kubernetes.ts
@@ -2,7 +2,8 @@ import axios, { AxiosError } from "axios";
 import handlebars from "handlebars";
 import https from "https";

-import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { GatewayHttpProxyActions, GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
@@ -356,8 +357,12 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
        errorMessage = (error.response?.data as { message: string }).message;
      }

-      throw new InternalServerError({
-        message: `Failed to validate connection: ${errorMessage}`
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [providerInputs.clusterToken || ""]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
      });
    }
  };
@@ -602,8 +607,12 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
        errorMessage = (error.response?.data as { message: string }).message;
      }

-      throw new InternalServerError({
-        message: `Failed to create dynamic secret: ${errorMessage}`
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [providerInputs.clusterToken || ""]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
      });
    }
  };
@@ -683,50 +692,65 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
    };

    if (providerInputs.credentialType === KubernetesCredentialType.Dynamic) {
-      const rawUrl =
-        providerInputs.authMethod === KubernetesAuthMethod.Gateway
-          ? GATEWAY_AUTH_DEFAULT_URL
-          : providerInputs.url || "";
+      try {
+        const rawUrl =
+          providerInputs.authMethod === KubernetesAuthMethod.Gateway
+            ? GATEWAY_AUTH_DEFAULT_URL
+            : providerInputs.url || "";

-      const url = new URL(rawUrl);
-      const k8sGatewayHost = url.hostname;
-      const k8sPort = url.port ? Number(url.port) : 443;
-      const k8sHost = `${url.protocol}//${url.hostname}`;
+        const url = new URL(rawUrl);
+        const k8sGatewayHost = url.hostname;
+        const k8sPort = url.port ? Number(url.port) : 443;
+        const k8sHost = `${url.protocol}//${url.hostname}`;

-      const httpsAgent =
-        providerInputs.ca && providerInputs.sslEnabled
-          ? new https.Agent({
-              ca: providerInputs.ca,
-              rejectUnauthorized: true
-            })
-          : undefined;
+        const httpsAgent =
+          providerInputs.ca && providerInputs.sslEnabled
+            ? new https.Agent({
+                ca: providerInputs.ca,
+                rejectUnauthorized: true
+              })
+            : undefined;

-      if (providerInputs.gatewayId) {
-        if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
-          await $gatewayProxyWrapper(
-            {
-              gatewayId: providerInputs.gatewayId,
-              targetHost: k8sHost,
-              targetPort: k8sPort,
-              httpsAgent,
-              reviewTokenThroughGateway: true
-            },
-            serviceAccountDynamicCallback
-          );
+        if (providerInputs.gatewayId) {
+          if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
+            await $gatewayProxyWrapper(
+              {
+                gatewayId: providerInputs.gatewayId,
+                targetHost: k8sHost,
+                targetPort: k8sPort,
+                httpsAgent,
+                reviewTokenThroughGateway: true
+              },
+              serviceAccountDynamicCallback
+            );
+          } else {
+            await $gatewayProxyWrapper(
+              {
+                gatewayId: providerInputs.gatewayId,
+                targetHost: k8sGatewayHost,
+                targetPort: k8sPort,
+                httpsAgent,
+                reviewTokenThroughGateway: false
+              },
+              serviceAccountDynamicCallback
+            );
+          }
        } else {
-          await $gatewayProxyWrapper(
-            {
-              gatewayId: providerInputs.gatewayId,
-              targetHost: k8sGatewayHost,
-              targetPort: k8sPort,
-              httpsAgent,
-              reviewTokenThroughGateway: false
-            },
-            serviceAccountDynamicCallback
-          );
+          await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
        }
-      } else {
-        await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
+      } catch (error) {
+        let errorMessage = error instanceof Error ? error.message : "Unknown error";
+        if (axios.isAxiosError(error) && (error.response?.data as { message: string })?.message) {
+          errorMessage = (error.response?.data as { message: string }).message;
+        }
+
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: errorMessage,
+          tokens: [entityId, providerInputs.clusterToken || ""]
+        });
+        throw new BadRequestError({
+          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+        });
      }
    }

--- a/backend/src/ee/services/dynamic-secret/providers/ldap.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/ldap.ts
@@ -6,6 +6,7 @@ import RE2 from "re2";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { LdapCredentialType, LdapSchema, TDynamicProviderFns } from "./models";
@@ -91,8 +92,18 @@ export const LdapProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
-    return client.connected;
+    try {
+      const client = await $getClient(providerInputs);
+      return client.connected;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.bindpass, providerInputs.binddn]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const executeLdif = async (client: ldapjs.Client, ldif_file: string) => {
@@ -205,11 +216,11 @@ export const LdapProvider = (): TDynamicProviderFns => {
    if (providerInputs.credentialType === LdapCredentialType.Static) {
      const dnRegex = new RE2("^dn:\\s*(.+)", "m");
      const dnMatch = dnRegex.exec(providerInputs.rotationLdif);
+      const username = dnMatch?.[1];
+      if (!username) throw new BadRequestError({ message: "Username not found from Ldif" });
+      const password = generatePassword();

      if (dnMatch) {
-        const username = dnMatch[1];
-        const password = generatePassword();
-
        const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rotationLdif });

        try {
@@ -217,7 +228,11 @@ export const LdapProvider = (): TDynamicProviderFns => {

          return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
        } catch (err) {
-          throw new BadRequestError({ message: (err as Error).message });
+          const sanitizedErrorMessage = sanitizeString({
+            unsanitizedString: (err as Error)?.message,
+            tokens: [username, password, providerInputs.binddn, providerInputs.bindpass]
+          });
+          throw new BadRequestError({ message: sanitizedErrorMessage });
        }
      } else {
        throw new BadRequestError({
@@ -238,7 +253,11 @@ export const LdapProvider = (): TDynamicProviderFns => {
          const rollbackLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rollbackLdif });
          await executeLdif(client, rollbackLdif);
        }
-        throw new BadRequestError({ message: (err as Error).message });
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, password, providerInputs.binddn, providerInputs.bindpass]
+        });
+        throw new BadRequestError({ message: sanitizedErrorMessage });
      }
    }
  };
@@ -262,7 +281,11 @@ export const LdapProvider = (): TDynamicProviderFns => {

          return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
        } catch (err) {
-          throw new BadRequestError({ message: (err as Error).message });
+          const sanitizedErrorMessage = sanitizeString({
+            unsanitizedString: (err as Error)?.message,
+            tokens: [username, password, providerInputs.binddn, providerInputs.bindpass]
+          });
+          throw new BadRequestError({ message: sanitizedErrorMessage });
        }
      } else {
        throw new BadRequestError({
@@ -278,7 +301,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
    return { entityId };
  };

-  const renew = async (inputs: unknown, entityId: string) => {
+  const renew = async (_inputs: unknown, entityId: string) => {
    // No renewal necessary
    return { entityId };
  };
--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@@ -32,6 +32,11 @@ export enum AwsIamAuthType {
  IRSA = "irsa"
 }

+export enum AwsIamCredentialType {
+  IamUser = "iam-user",
+  TemporaryCredentials = "temporary-credentials"
+}
+
 export enum ElasticSearchAuthTypes {
  User = "user",
  ApiKey = "api-key"
@@ -202,6 +207,7 @@ export const DynamicSecretAwsIamSchema = z.preprocess(
  z.discriminatedUnion("method", [
    z.object({
      method: z.literal(AwsIamAuthType.AccessKey),
+      credentialType: z.nativeEnum(AwsIamCredentialType).default(AwsIamCredentialType.IamUser),
      accessKey: z.string().trim().min(1),
      secretAccessKey: z.string().trim().min(1),
      region: z.string().trim().min(1),
@@ -214,6 +220,7 @@ export const DynamicSecretAwsIamSchema = z.preprocess(
    }),
    z.object({
      method: z.literal(AwsIamAuthType.AssumeRole),
+      credentialType: z.nativeEnum(AwsIamCredentialType).default(AwsIamCredentialType.IamUser),
      roleArn: z.string().trim().min(1, "Role ARN required"),
      region: z.string().trim().min(1),
      awsPath: z.string().trim().optional(),
@@ -225,6 +232,7 @@ export const DynamicSecretAwsIamSchema = z.preprocess(
    }),
    z.object({
      method: z.literal(AwsIamAuthType.IRSA),
+      credentialType: z.nativeEnum(AwsIamCredentialType).default(AwsIamCredentialType.IamUser),
      region: z.string().trim().min(1),
      awsPath: z.string().trim().optional(),
      permissionBoundaryPolicyArn: z.string().trim().optional(),
@@ -505,6 +513,91 @@ export const DynamicSecretGithubSchema = z.object({
    .describe("The private key generated for your GitHub App.")
 });

+export const DynamicSecretCouchbaseSchema = z.object({
+  url: z.string().url().trim().min(1).describe("Couchbase Cloud API URL"),
+  orgId: z.string().trim().min(1).describe("Organization ID"),
+  projectId: z.string().trim().min(1).describe("Project ID"),
+  clusterId: z.string().trim().min(1).describe("Cluster ID"),
+  roles: z.array(z.string().trim().min(1)).min(1).describe("Roles to assign to the user"),
+  buckets: z
+    .union([
+      z
+        .string()
+        .trim()
+        .min(1)
+        .default("*")
+        .refine((val) => {
+          if (val.includes(",")) {
+            const buckets = val
+              .split(",")
+              .map((b) => b.trim())
+              .filter((b) => b.length > 0);
+            if (buckets.includes("*") && buckets.length > 1) {
+              return false;
+            }
+          }
+          return true;
+        }, "Cannot combine '*' with other bucket names"),
+      z
+        .array(
+          z.object({
+            name: z.string().trim().min(1).describe("Bucket name"),
+            scopes: z
+              .array(
+                z.object({
+                  name: z.string().trim().min(1).describe("Scope name"),
+                  collections: z.array(z.string().trim().min(1)).optional().describe("Collection names")
+                })
+              )
+              .optional()
+              .describe("Scopes within the bucket")
+          })
+        )
+        .refine((buckets) => {
+          const hasWildcard = buckets.some((bucket) => bucket.name === "*");
+          if (hasWildcard && buckets.length > 1) {
+            return false;
+          }
+          return true;
+        }, "Cannot combine '*' bucket with other buckets")
+    ])
+    .default("*")
+    .describe(
+      "Bucket configuration: '*' for all buckets, scopes, and collections or array of bucket objects with specific scopes and collections"
+    ),
+  passwordRequirements: z
+    .object({
+      length: z.number().min(8, "Password must be at least 8 characters").max(128),
+      required: z
+        .object({
+          lowercase: z.number().min(1, "At least 1 lowercase character required"),
+          uppercase: z.number().min(1, "At least 1 uppercase character required"),
+          digits: z.number().min(1, "At least 1 digit required"),
+          symbols: z.number().min(1, "At least 1 special character required")
+        })
+        .refine((data) => {
+          const total = Object.values(data).reduce((sum, count) => sum + count, 0);
+          return total <= 128;
+        }, "Sum of required characters cannot exceed 128"),
+      allowedSymbols: z
+        .string()
+        .refine((symbols) => {
+          const forbiddenChars = ["<", ">", ";", ".", "*", "&", "|", "£"];
+          return !forbiddenChars.some((char) => symbols?.includes(char));
+        }, "Cannot contain: < > ; . * & | £")
+        .optional()
+    })
+    .refine((data) => {
+      const total = Object.values(data.required).reduce((sum, count) => sum + count, 0);
+      return total <= data.length;
+    }, "Sum of required characters cannot exceed the total length")
+    .optional()
+    .describe("Password generation requirements for Couchbase"),
+  auth: z.object({
+    apiKey: z.string().trim().min(1).describe("Couchbase Cloud API Key")
+  })
+});
+
 export enum DynamicSecretProviders {
  SqlDatabase = "sql-database",
  Cassandra = "cassandra",
@@ -524,7 +617,8 @@ export enum DynamicSecretProviders {
  Kubernetes = "kubernetes",
  Vertica = "vertica",
  GcpIam = "gcp-iam",
-  Github = "github"
+  Github = "github",
+  Couchbase = "couchbase"
 }

 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -546,7 +640,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
  z.object({ type: z.literal(DynamicSecretProviders.Kubernetes), inputs: DynamicSecretKubernetesSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.Vertica), inputs: DynamicSecretVerticaSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.GcpIam), inputs: DynamicSecretGcpIamSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Github), inputs: DynamicSecretGithubSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Github), inputs: DynamicSecretGithubSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Couchbase), inputs: DynamicSecretCouchbaseSchema })
 ]);

 export type TDynamicProviderFns = {
--- a/backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts
@@ -3,6 +3,8 @@ import { customAlphabet } from "nanoid";
 import { z } from "zod";

 import { createDigestAuthRequestInterceptor } from "@app/lib/axios/digest-auth";
+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { DynamicSecretMongoAtlasSchema, TDynamicProviderFns } from "./models";
@@ -49,19 +51,25 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

-    const isConnected = await client({
-      method: "GET",
-      url: `v2/groups/${providerInputs.groupId}/databaseUsers`,
-      params: { itemsPerPage: 1 }
-    })
-      .then(() => true)
-      .catch((error) => {
-        if ((error as AxiosError).response) {
-          throw new Error(JSON.stringify((error as AxiosError).response?.data));
-        }
-        throw error;
+    try {
+      const isConnected = await client({
+        method: "GET",
+        url: `v2/groups/${providerInputs.groupId}/databaseUsers`,
+        params: { itemsPerPage: 1 }
+      }).then(() => true);
+      return isConnected;
+    } catch (error) {
+      const errorMessage = (error as AxiosError).response
+        ? JSON.stringify((error as AxiosError).response?.data)
+        : (error as Error)?.message;
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [providerInputs.adminPublicKey, providerInputs.adminPrivateKey, providerInputs.groupId]
      });
-    return isConnected;
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -77,25 +85,39 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();
    const expiration = new Date(expireAt).toISOString();
-    await client({
-      method: "POST",
-      url: `/v2/groups/${providerInputs.groupId}/databaseUsers`,
-      data: {
-        roles: providerInputs.roles,
-        scopes: providerInputs.scopes,
-        deleteAfterDate: expiration,
-        username,
-        password,
-        databaseName: "admin",
-        groupId: providerInputs.groupId
-      }
-    }).catch((error) => {
-      if ((error as AxiosError).response) {
-        throw new Error(JSON.stringify((error as AxiosError).response?.data));
-      }
-      throw error;
-    });
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    try {
+      await client({
+        method: "POST",
+        url: `/v2/groups/${providerInputs.groupId}/databaseUsers`,
+        data: {
+          roles: providerInputs.roles,
+          scopes: providerInputs.scopes,
+          deleteAfterDate: expiration,
+          username,
+          password,
+          databaseName: "admin",
+          groupId: providerInputs.groupId
+        }
+      });
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (error) {
+      const errorMessage = (error as AxiosError).response
+        ? JSON.stringify((error as AxiosError).response?.data)
+        : (error as Error)?.message;
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [
+          username,
+          password,
+          providerInputs.adminPublicKey,
+          providerInputs.adminPrivateKey,
+          providerInputs.groupId
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -111,15 +133,23 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
      throw err;
    });
    if (isExisting) {
-      await client({
-        method: "DELETE",
-        url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`
-      }).catch((error) => {
-        if ((error as AxiosError).response) {
-          throw new Error(JSON.stringify((error as AxiosError).response?.data));
-        }
-        throw error;
-      });
+      try {
+        await client({
+          method: "DELETE",
+          url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`
+        });
+      } catch (error) {
+        const errorMessage = (error as AxiosError).response
+          ? JSON.stringify((error as AxiosError).response?.data)
+          : (error as Error)?.message;
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: errorMessage,
+          tokens: [username, providerInputs.adminPublicKey, providerInputs.adminPrivateKey, providerInputs.groupId]
+        });
+        throw new BadRequestError({
+          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+        });
+      }
    }

    return { entityId: username };
@@ -132,21 +162,29 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
    const username = entityId;
    const expiration = new Date(expireAt).toISOString();

-    await client({
-      method: "PATCH",
-      url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`,
-      data: {
-        deleteAfterDate: expiration,
-        databaseName: "admin",
-        groupId: providerInputs.groupId
-      }
-    }).catch((error) => {
-      if ((error as AxiosError).response) {
-        throw new Error(JSON.stringify((error as AxiosError).response?.data));
-      }
-      throw error;
-    });
-    return { entityId: username };
+    try {
+      await client({
+        method: "PATCH",
+        url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`,
+        data: {
+          deleteAfterDate: expiration,
+          databaseName: "admin",
+          groupId: providerInputs.groupId
+        }
+      });
+      return { entityId: username };
+    } catch (error) {
+      const errorMessage = (error as AxiosError).response
+        ? JSON.stringify((error as AxiosError).response?.data)
+        : (error as Error)?.message;
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [username, providerInputs.adminPublicKey, providerInputs.adminPrivateKey, providerInputs.groupId]
+      });
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  return {
--- a/backend/src/ee/services/dynamic-secret/providers/mongo-db.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/mongo-db.ts
@@ -2,6 +2,8 @@ import { MongoClient } from "mongodb";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { verifyHostInputValidity } from "../dynamic-secret-fns";
@@ -51,13 +53,24 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

-    const isConnected = await client
-      .db(providerInputs.database)
-      .command({ ping: 1 })
-      .then(() => true);
+    try {
+      const isConnected = await client
+        .db(providerInputs.database)
+        .command({ ping: 1 })
+        .then(() => true);

-    await client.close();
-    return isConnected;
+      await client.close();
+      return isConnected;
+    } catch (err) {
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.database, providerInputs.host]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -68,16 +81,27 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();

-    const db = client.db(providerInputs.database);
+    try {
+      const db = client.db(providerInputs.database);

-    await db.command({
-      createUser: username,
-      pwd: password,
-      roles: providerInputs.roles
-    });
-    await client.close();
+      await db.command({
+        createUser: username,
+        pwd: password,
+        roles: providerInputs.roles
+      });
+      await client.close();

-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password, providerInputs.username, providerInputs.database]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -86,13 +110,24 @@ export const MongoDBProvider = (): TDynamicProviderFns => {

    const username = entityId;

-    const db = client.db(providerInputs.database);
-    await db.command({
-      dropUser: username
-    });
-    await client.close();
+    try {
+      const db = client.db(providerInputs.database);
+      await db.command({
+        dropUser: username
+      });
+      await client.close();

-    return { entityId: username };
+      return { entityId: username };
+    } catch (err) {
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password, providerInputs.username, providerInputs.database]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts
@@ -3,6 +3,8 @@ import https from "https";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

@@ -110,11 +112,19 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const connection = await $getClient(providerInputs);
-
-    const infoResponse = await connection.get("/whoami").then(() => true);
-
-    return infoResponse;
+    try {
+      const connection = await $getClient(providerInputs);
+      const infoResponse = await connection.get("/whoami").then(() => true);
+      return infoResponse;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.host]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -125,26 +135,44 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();

-    await createRabbitMqUser({
-      axiosInstance: connection,
-      virtualHost: providerInputs.virtualHost,
-      createUser: {
-        password,
-        username,
-        tags: [...(providerInputs.tags ?? []), "infisical-user"]
-      }
-    });
-
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    try {
+      await createRabbitMqUser({
+        axiosInstance: connection,
+        virtualHost: providerInputs.virtualHost,
+        createUser: {
+          password,
+          username,
+          tags: [...(providerInputs.tags ?? []), "infisical-user"]
+        }
+      });
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await $getClient(providerInputs);

-    await deleteRabbitMqUser({ axiosInstance: connection, usernameToDelete: entityId });
-
-    return { entityId };
+    try {
+      await deleteRabbitMqUser({ axiosInstance: connection, usernameToDelete: entityId });
+      return { entityId };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [entityId, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/redis.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/redis.ts
@@ -4,6 +4,7 @@ import { customAlphabet } from "nanoid";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -112,14 +113,27 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const connection = await $getClient(providerInputs);
-
-    const pingResponse = await connection
-      .ping()
-      .then(() => true)
-      .catch(() => false);
-
-    return pingResponse;
+    let connection;
+    try {
+      connection = await $getClient(providerInputs);
+      const pingResponse = await connection.ping().then(() => true);
+      await connection.quit();
+      return pingResponse;
+    } catch (err) {
+      if (connection) await connection.quit();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [
+          providerInputs.password || "",
+          providerInputs.username,
+          providerInputs.host,
+          String(providerInputs.port)
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -144,10 +158,20 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {

    const queries = creationStatement.toString().split(";").filter(Boolean);

-    await executeTransactions(connection, queries);
-
-    await connection.quit();
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    try {
+      await executeTransactions(connection, queries);
+      await connection.quit();
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      await connection.quit();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password || "", providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -159,10 +183,20 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
    const queries = revokeStatement.toString().split(";").filter(Boolean);

-    await executeTransactions(connection, queries);
-
-    await connection.quit();
-    return { entityId: username };
+    try {
+      await executeTransactions(connection, queries);
+      await connection.quit();
+      return { entityId: username };
+    } catch (err) {
+      await connection.quit();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password || "", providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
@@ -176,13 +210,23 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {

    const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration });

-    if (renewStatement) {
-      const queries = renewStatement.toString().split(";").filter(Boolean);
-      await executeTransactions(connection, queries);
+    try {
+      if (renewStatement) {
+        const queries = renewStatement.toString().split(";").filter(Boolean);
+        await executeTransactions(connection, queries);
+      }
+      await connection.quit();
+      return { entityId: username };
+    } catch (err) {
+      await connection.quit();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password || "", providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-
-    await connection.quit();
-    return { entityId: username };
  };

  return {
--- a/backend/src/ee/services/dynamic-secret/providers/sap-ase.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sap-ase.ts
@@ -4,6 +4,7 @@ import odbc from "odbc";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -67,25 +68,41 @@ export const SapAseProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const masterClient = await $getClient(providerInputs, true);
-    const client = await $getClient(providerInputs);
+    let masterClient;
+    let client;
+    try {
+      masterClient = await $getClient(providerInputs, true);
+      client = await $getClient(providerInputs);

-    const [resultFromMasterDatabase] = await masterClient.query<{ version: string }>("SELECT @@VERSION AS version");
-    const [resultFromSelectedDatabase] = await client.query<{ version: string }>("SELECT @@VERSION AS version");
+      const [resultFromMasterDatabase] = await masterClient.query<{ version: string }>("SELECT @@VERSION AS version");
+      const [resultFromSelectedDatabase] = await client.query<{ version: string }>("SELECT @@VERSION AS version");

-    if (!resultFromSelectedDatabase.version) {
+      if (!resultFromSelectedDatabase.version) {
+        throw new BadRequestError({
+          message: "Failed to validate SAP ASE connection, version query failed"
+        });
+      }
+
+      if (resultFromMasterDatabase.version !== resultFromSelectedDatabase.version) {
+        throw new BadRequestError({
+          message: "Failed to validate SAP ASE connection (master), version mismatch"
+        });
+      }
+
+      await masterClient.close();
+      await client.close();
+      return true;
+    } catch (err) {
+      if (masterClient) await masterClient.close();
+      if (client) await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.host, providerInputs.database]
+      });
      throw new BadRequestError({
-        message: "Failed to validate SAP ASE connection, version query failed"
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
      });
    }
-
-    if (resultFromMasterDatabase.version !== resultFromSelectedDatabase.version) {
-      throw new BadRequestError({
-        message: "Failed to validate SAP ASE connection (master), version mismatch"
-      });
-    }
-
-    return true;
  };

  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -105,16 +122,26 @@ export const SapAseProvider = (): TDynamicProviderFns => {

    const queries = creationStatement.trim().replaceAll("\n", "").split(";").filter(Boolean);

-    for await (const query of queries) {
-      // If it's an adduser query, we need to first call sp_addlogin on the MASTER database.
-      // If not done, then the newly created user won't be able to authenticate.
-      await (query.startsWith(SapCommands.CreateLogin) ? masterClient : client).query(query);
+    try {
+      for await (const query of queries) {
+        // If it's an adduser query, we need to first call sp_addlogin on the MASTER database.
+        // If not done, then the newly created user won't be able to authenticate.
+        await (query.startsWith(SapCommands.CreateLogin) ? masterClient : client).query(query);
+      }
+      await masterClient.close();
+      await client.close();
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      await masterClient.close();
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password, providerInputs.username, providerInputs.database]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-
-    await masterClient.close();
-    await client.close();
-
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
  };

  const revoke = async (inputs: unknown, username: string) => {
@@ -140,14 +167,24 @@ export const SapAseProvider = (): TDynamicProviderFns => {
      }
    }

-    for await (const query of queries) {
-      await (query.startsWith(SapCommands.DropLogin) ? masterClient : client).query(query);
+    try {
+      for await (const query of queries) {
+        await (query.startsWith(SapCommands.DropLogin) ? masterClient : client).query(query);
+      }
+      await masterClient.close();
+      await client.close();
+      return { entityId: username };
+    } catch (err) {
+      await masterClient.close();
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password, providerInputs.username, providerInputs.database]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-
-    await masterClient.close();
-    await client.close();
-
-    return { entityId: username };
  };

  const renew = async (_: unknown, username: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/sap-hana.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sap-hana.ts
@@ -10,6 +10,7 @@ import { customAlphabet } from "nanoid";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -83,19 +84,26 @@ export const SapHanaProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
-
-    const testResult = await new Promise<boolean>((resolve, reject) => {
-      client.exec("SELECT 1 FROM DUMMY;", (err: any) => {
-        if (err) {
-          reject();
-        }
-
-        resolve(true);
+    try {
+      const client = await $getClient(providerInputs);
+      const testResult = await new Promise<boolean>((resolve, reject) => {
+        client.exec("SELECT 1 FROM DUMMY;", (err: any) => {
+          if (err) {
+            return reject(err);
+          }
+          resolve(true);
+        });
      });
-    });
-
-    return testResult;
+      return testResult;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.host]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -119,18 +127,22 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
    });

    const queries = creationStatement.toString().split(";").filter(Boolean);
-    for await (const query of queries) {
-      await new Promise((resolve, reject) => {
-        client.exec(query, (err: any) => {
-          if (err) {
-            reject(
-              new BadRequestError({
-                message: err.message
-              })
-            );
-          }
-          resolve(true);
+    try {
+      for await (const query of queries) {
+        await new Promise((resolve, reject) => {
+          client.exec(query, (err: any) => {
+            if (err) return reject(err);
+            resolve(true);
+          });
        });
+      }
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
      });
    }

@@ -142,18 +154,24 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
    const client = await $getClient(providerInputs);
    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
    const queries = revokeStatement.toString().split(";").filter(Boolean);
-    for await (const query of queries) {
-      await new Promise((resolve, reject) => {
-        client.exec(query, (err: any) => {
-          if (err) {
-            reject(
-              new BadRequestError({
-                message: err.message
-              })
-            );
-          }
-          resolve(true);
+    try {
+      for await (const query of queries) {
+        await new Promise((resolve, reject) => {
+          client.exec(query, (err: any) => {
+            if (err) {
+              reject(err);
+            }
+            resolve(true);
+          });
        });
+      }
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
      });
    }

@@ -174,16 +192,20 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
        await new Promise((resolve, reject) => {
          client.exec(query, (err: any) => {
            if (err) {
-              reject(
-                new BadRequestError({
-                  message: err.message
-                })
-              );
+              reject(err);
            }
            resolve(true);
          });
        });
      }
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [entityId, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
    } finally {
      client.disconnect();
    }
--- a/backend/src/ee/services/dynamic-secret/providers/snowflake.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/snowflake.ts
@@ -4,6 +4,7 @@ import snowflake from "snowflake-sdk";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -69,12 +70,10 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
-
-    let isValidConnection: boolean;
-
+    let client;
    try {
-      isValidConnection = await Promise.race([
+      client = await $getClient(providerInputs);
+      const isValidConnection = await Promise.race([
        client.isValidAsync(),
        new Promise((resolve) => {
          setTimeout(resolve, 10000);
@@ -82,11 +81,18 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
          throw new BadRequestError({ message: "Unable to establish connection - verify credentials" });
        })
      ]);
+      return isValidConnection;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.accountId, providerInputs.orgId]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
    } finally {
-      client.destroy(noop);
+      if (client) client.destroy(noop);
    }
-
-    return isValidConnection;
  };

  const create = async (data: {
@@ -116,13 +122,19 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
          sqlText: creationStatement,
          complete(err) {
            if (err) {
-              return reject(new BadRequestError({ name: "CreateLease", message: err.message }));
+              return reject(err);
            }

            return resolve(true);
          }
        });
      });
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error).message,
+        tokens: [username, password, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({ message: `Failed to create lease from provider: ${sanitizedErrorMessage}` });
    } finally {
      client.destroy(noop);
    }
@@ -143,13 +155,19 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
          sqlText: revokeStatement,
          complete(err) {
            if (err) {
-              return reject(new BadRequestError({ name: "RevokeLease", message: err.message }));
+              return reject(err);
            }

            return resolve(true);
          }
        });
      });
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error).message,
+        tokens: [username, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({ message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}` });
    } finally {
      client.destroy(noop);
    }
@@ -175,13 +193,19 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
          sqlText: renewStatement,
          complete(err) {
            if (err) {
-              return reject(new BadRequestError({ name: "RenewLease", message: err.message }));
+              return reject(err);
            }

            return resolve(true);
          }
        });
      });
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error).message,
+        tokens: [entityId, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({ message: `Failed to renew lease from provider: ${sanitizedErrorMessage}` });
    } finally {
      client.destroy(noop);
    }
--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@@ -3,6 +3,8 @@ import knex from "knex";
 import { z } from "zod";

 import { crypto } from "@app/lib/crypto/cryptography";
+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -212,8 +214,19 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
      // oracle needs from keyword
      const testStatement = providerInputs.client === SqlProviders.Oracle ? "SELECT 1 FROM DUAL" : "SELECT 1";

-      isConnected = await db.raw(testStatement).then(() => true);
-      await db.destroy();
+      try {
+        isConnected = await db.raw(testStatement).then(() => true);
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [providerInputs.username]
+        });
+        throw new BadRequestError({
+          message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+        });
+      } finally {
+        await db.destroy();
+      }
    };

    if (providerInputs.gatewayId) {
@@ -233,13 +246,13 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
    const { inputs, expireAt, usernameTemplate, identity } = data;

    const providerInputs = await validateProviderInputs(inputs);
+    const { database } = providerInputs;
    const username = generateUsername(providerInputs.client, usernameTemplate, identity);

    const password = generatePassword(providerInputs.client, providerInputs.passwordRequirements);
    const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {
      const db = await $getClient({ ...providerInputs, port, host });
      try {
-        const { database } = providerInputs;
        const expiration = new Date(expireAt).toISOString();

        const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
@@ -256,6 +269,14 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
            await tx.raw(query);
          }
        });
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, password, database]
+        });
+        throw new BadRequestError({
+          message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        await db.destroy();
      }
@@ -283,6 +304,14 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
            await tx.raw(query);
          }
        });
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, database]
+        });
+        throw new BadRequestError({
+          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        await db.destroy();
      }
@@ -319,6 +348,14 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
            }
          });
        }
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [database]
+        });
+        throw new BadRequestError({
+          message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        await db.destroy();
      }
--- a/backend/src/ee/services/dynamic-secret/providers/totp.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/totp.ts
@@ -1,6 +1,8 @@
 import { authenticator } from "otplib";
 import { HashAlgorithms } from "otplib/core";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { DynamicSecretTotpSchema, TDynamicProviderFns, TotpConfigType } from "./models";
@@ -12,62 +14,84 @@ export const TotpProvider = (): TDynamicProviderFns => {
    return providerInputs;
  };

-  const validateConnection = async () => {
-    return true;
+  const validateConnection = async (inputs: unknown) => {
+    try {
+      await validateProviderInputs(inputs);
+      return true;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: []
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

-  const create = async (inputs: unknown) => {
-    const providerInputs = await validateProviderInputs(inputs);
+  const create = async (data: { inputs: unknown }) => {
+    const { inputs } = data;
+    try {
+      const providerInputs = await validateProviderInputs(inputs);

-    const entityId = alphaNumericNanoId(32);
-    const authenticatorInstance = authenticator.clone();
+      const entityId = alphaNumericNanoId(32);
+      const authenticatorInstance = authenticator.clone();

-    let secret: string;
-    let period: number | null | undefined;
-    let digits: number | null | undefined;
-    let algorithm: HashAlgorithms | null | undefined;
+      let secret: string;
+      let period: number | null | undefined;
+      let digits: number | null | undefined;
+      let algorithm: HashAlgorithms | null | undefined;

-    if (providerInputs.configType === TotpConfigType.URL) {
-      const urlObj = new URL(providerInputs.url);
-      secret = urlObj.searchParams.get("secret") as string;
-      const periodFromUrl = urlObj.searchParams.get("period");
-      const digitsFromUrl = urlObj.searchParams.get("digits");
-      const algorithmFromUrl = urlObj.searchParams.get("algorithm");
+      if (providerInputs.configType === TotpConfigType.URL) {
+        const urlObj = new URL(providerInputs.url);
+        secret = urlObj.searchParams.get("secret") as string;
+        const periodFromUrl = urlObj.searchParams.get("period");
+        const digitsFromUrl = urlObj.searchParams.get("digits");
+        const algorithmFromUrl = urlObj.searchParams.get("algorithm");

-      if (periodFromUrl) {
-        period = +periodFromUrl;
+        if (periodFromUrl) {
+          period = +periodFromUrl;
+        }
+
+        if (digitsFromUrl) {
+          digits = +digitsFromUrl;
+        }
+
+        if (algorithmFromUrl) {
+          algorithm = algorithmFromUrl.toLowerCase() as HashAlgorithms;
+        }
+      } else {
+        secret = providerInputs.secret;
+        period = providerInputs.period;
+        digits = providerInputs.digits;
+        algorithm = providerInputs.algorithm as unknown as HashAlgorithms;
      }

-      if (digitsFromUrl) {
-        digits = +digitsFromUrl;
+      if (digits) {
+        authenticatorInstance.options = { digits };
      }

-      if (algorithmFromUrl) {
-        algorithm = algorithmFromUrl.toLowerCase() as HashAlgorithms;
+      if (algorithm) {
+        authenticatorInstance.options = { algorithm };
      }
-    } else {
-      secret = providerInputs.secret;
-      period = providerInputs.period;
-      digits = providerInputs.digits;
-      algorithm = providerInputs.algorithm as unknown as HashAlgorithms;
-    }

-    if (digits) {
-      authenticatorInstance.options = { digits };
-    }
+      if (period) {
+        authenticatorInstance.options = { step: period };
+      }

-    if (algorithm) {
-      authenticatorInstance.options = { algorithm };
+      return {
+        entityId,
+        data: { TOTP: authenticatorInstance.generate(secret), TIME_REMAINING: authenticatorInstance.timeRemaining() }
+      };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: []
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-
-    if (period) {
-      authenticatorInstance.options = { step: period };
-    }
-
-    return {
-      entityId,
-      data: { TOTP: authenticatorInstance.generate(secret), TIME_REMAINING: authenticatorInstance.timeRemaining() }
-    };
  };

  const revoke = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/vertica.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/vertica.ts
@@ -4,6 +4,7 @@ import { z } from "zod";

 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -275,6 +276,14 @@ export const VerticaProvider = ({ gatewayService }: TVerticaProviderDTO): TDynam
            await client.raw(trimmedQuery);
          }
        }
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, password, providerInputs.username, providerInputs.password]
+        });
+        throw new BadRequestError({
+          message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        if (client) await client.destroy();
      }
@@ -339,6 +348,14 @@ export const VerticaProvider = ({ gatewayService }: TVerticaProviderDTO): TDynam
            await client.raw(trimmedQuery);
          }
        }
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, providerInputs.username, providerInputs.password]
+        });
+        throw new BadRequestError({
+          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        if (client) await client.destroy();
      }
--- a/backend/src/ee/services/event/event-bus-service.ts
+++ b/backend/src/ee/services/event/event-bus-service.ts
@@ -3,7 +3,7 @@ import { z } from "zod";

 import { logger } from "@app/lib/logger";

-import { EventSchema, TopicName } from "./types";
+import { BusEventSchema, TopicName } from "./types";

 export const eventBusFactory = (redis: Redis) => {
  const publisher = redis.duplicate();
@@ -28,7 +28,7 @@ export const eventBusFactory = (redis: Redis) => {
   * @param topic - The topic to publish the event to.
   * @param event - The event data to publish.
   */
-  const publish = async <T extends z.input<typeof EventSchema>>(topic: TopicName, event: T) => {
+  const publish = async <T extends z.input<typeof BusEventSchema>>(topic: TopicName, event: T) => {
    const json = JSON.stringify(event);

    return publisher.publish(topic, json, (err) => {
@@ -44,7 +44,7 @@ export const eventBusFactory = (redis: Redis) => {
   * @template T - The type of the event data, which should match the schema defined in EventSchema.
   * @returns A function that can be called to unsubscribe from the event bus.
   */
-  const subscribe = <T extends z.infer<typeof EventSchema>>(fn: (data: T) => Promise<void> | void) => {
+  const subscribe = <T extends z.infer<typeof BusEventSchema>>(fn: (data: T) => Promise<void> | void) => {
    // Not using async await cause redis client's `on` method does not expect async listeners.
    const listener = (channel: string, message: string) => {
      try {
--- a/backend/src/ee/services/event/event-sse-service.ts
+++ b/backend/src/ee/services/event/event-sse-service.ts
@@ -7,7 +7,7 @@ import { logger } from "@app/lib/logger";

 import { TEventBusService } from "./event-bus-service";
 import { createEventStreamClient, EventStreamClient, IEventStreamClientOpts } from "./event-sse-stream";
-import { EventData, RegisteredEvent, toBusEventName } from "./types";
+import { BusEvent, RegisteredEvent } from "./types";

 const AUTH_REFRESH_INTERVAL = 60 * 1000;
 const HEART_BEAT_INTERVAL = 15 * 1000;
@@ -69,8 +69,8 @@ export const sseServiceFactory = (bus: TEventBusService, redis: Redis) => {
    }
  };

-  function filterEventsForClient(client: EventStreamClient, event: EventData, registered: RegisteredEvent[]) {
-    const eventType = toBusEventName(event.data.eventType);
+  function filterEventsForClient(client: EventStreamClient, event: BusEvent, registered: RegisteredEvent[]) {
+    const eventType = event.data.event;
    const match = registered.find((r) => r.event === eventType);
    if (!match) return;

--- a/backend/src/ee/services/event/event-sse-stream.ts
+++ b/backend/src/ee/services/event/event-sse-stream.ts
@@ -12,7 +12,7 @@ import { KeyStorePrefixes } from "@app/keystore/keystore";
 import { conditionsMatcher } from "@app/lib/casl";
 import { logger } from "@app/lib/logger";

-import { EventData, RegisteredEvent } from "./types";
+import { BusEvent, RegisteredEvent } from "./types";

 export const getServerSentEventsHeaders = () =>
  ({
@@ -55,7 +55,7 @@ export type EventStreamClient = {
  id: string;
  stream: Readable;
  open: () => Promise<void>;
-  send: (data: EventMessage | EventData) => void;
+  send: (data: EventMessage | BusEvent) => void;
  ping: () => Promise<void>;
  refresh: () => Promise<void>;
  close: () => void;
@@ -73,15 +73,12 @@ export function createEventStreamClient(redis: Redis, options: IEventStreamClien
    return {
      subject: options.type,
      action: "subscribe",
-      conditions: {
-        eventType: r.event,
-        ...(hasConditions
-          ? {
-              environment: r.conditions?.environmentSlug ?? "",
-              secretPath: { $glob: secretPath }
-            }
-          : {})
-      }
+      conditions: hasConditions
+        ? {
+            environment: r.conditions?.environmentSlug ?? "",
+            secretPath: { $glob: secretPath }
+          }
+        : undefined
    };
  });

@@ -98,7 +95,7 @@ export function createEventStreamClient(redis: Redis, options: IEventStreamClien
  // We will manually push data to the stream
  stream._read = () => {};

-  const send = (data: EventMessage | EventData) => {
+  const send = (data: EventMessage | BusEvent) => {
    const chunk = serializeSseEvent(data);
    if (!stream.push(chunk)) {
      logger.debug("Backpressure detected: dropped manual event");
@@ -126,7 +123,7 @@ export function createEventStreamClient(redis: Redis, options: IEventStreamClien

    await redis.set(key, "1", "EX", 60);

-    stream.push("1");
+    send({ type: "ping" });
  };

  const close = () => {
--- a/backend/src/ee/services/event/types.ts
+++ b/backend/src/ee/services/event/types.ts
@@ -1,7 +1,8 @@
 import { z } from "zod";

 import { ProjectType } from "@app/db/schemas";
-import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
+
+import { ProjectPermissionSecretEventActions } from "../permission/project-permission";

 export enum TopicName {
  CoreServers = "infisical::core-servers"
@@ -10,84 +11,44 @@ export enum TopicName {
 export enum BusEventName {
  CreateSecret = "secret:create",
  UpdateSecret = "secret:update",
-  DeleteSecret = "secret:delete"
+  DeleteSecret = "secret:delete",
+  ImportMutation = "secret:import-mutation"
 }

-type PublisableEventTypes =
-  | EventType.CREATE_SECRET
-  | EventType.CREATE_SECRETS
-  | EventType.DELETE_SECRET
-  | EventType.DELETE_SECRETS
-  | EventType.UPDATE_SECRETS
-  | EventType.UPDATE_SECRET;
-
-export function toBusEventName(input: EventType) {
-  switch (input) {
-    case EventType.CREATE_SECRET:
-    case EventType.CREATE_SECRETS:
-      return BusEventName.CreateSecret;
-    case EventType.UPDATE_SECRET:
-    case EventType.UPDATE_SECRETS:
-      return BusEventName.UpdateSecret;
-    case EventType.DELETE_SECRET:
-    case EventType.DELETE_SECRETS:
-      return BusEventName.DeleteSecret;
-    default:
-      return null;
-  }
-}
-
-const isBulkEvent = (event: Event): event is Extract<Event, { metadata: { secrets: Array<unknown> } }> => {
-  return event.type.endsWith("-secrets"); // Feels so wrong
-};
-
-export const toPublishableEvent = (event: Event) => {
-  const name = toBusEventName(event.type);
-
-  if (!name) return null;
-
-  const e = event as Extract<Event, { type: PublisableEventTypes }>;
-
-  if (isBulkEvent(e)) {
-    return {
-      name,
-      isBulk: true,
-      data: {
-        eventType: e.type,
-        payload: e.metadata.secrets.map((s) => ({
-          environment: e.metadata.environment,
-          secretPath: e.metadata.secretPath,
-          ...s
-        }))
-      }
-    } as const;
-  }
-
-  return {
-    name,
-    isBulk: false,
-    data: {
-      eventType: e.type,
-      payload: {
-        ...e.metadata,
-        environment: e.metadata.environment
-      }
+export const Mappings = {
+  BusEventToAction(input: BusEventName) {
+    switch (input) {
+      case BusEventName.CreateSecret:
+        return ProjectPermissionSecretEventActions.SubscribeCreated;
+      case BusEventName.DeleteSecret:
+        return ProjectPermissionSecretEventActions.SubscribeDeleted;
+      case BusEventName.ImportMutation:
+        return ProjectPermissionSecretEventActions.SubscribeImportMutations;
+      case BusEventName.UpdateSecret:
+        return ProjectPermissionSecretEventActions.SubscribeUpdated;
+      default:
+        throw new Error("Unknown bus event name");
    }
-  } as const;
+  }
 };

 export const EventName = z.nativeEnum(BusEventName);

 const EventSecretPayload = z.object({
-  secretPath: z.string().optional(),
  secretId: z.string(),
+  secretPath: z.string().optional(),
  secretKey: z.string(),
  environment: z.string()
 });

+const EventImportMutationPayload = z.object({
+  secretPath: z.string(),
+  environment: z.string()
+});
+
 export type EventSecret = z.infer<typeof EventSecretPayload>;

-export const EventSchema = z.object({
+export const BusEventSchema = z.object({
  datacontenttype: z.literal("application/json").optional().default("application/json"),
  type: z.nativeEnum(ProjectType),
  source: z.string(),
@@ -95,25 +56,38 @@ export const EventSchema = z.object({
    .string()
    .optional()
    .default(() => new Date().toISOString()),
-  data: z.discriminatedUnion("eventType", [
+  data: z.discriminatedUnion("event", [
    z.object({
      specversion: z.number().optional().default(1),
-      eventType: z.enum([EventType.CREATE_SECRET, EventType.UPDATE_SECRET, EventType.DELETE_SECRET]),
-      payload: EventSecretPayload
+      event: z.enum([BusEventName.CreateSecret, BusEventName.DeleteSecret, BusEventName.UpdateSecret]),
+      payload: z.union([EventSecretPayload, EventSecretPayload.array()])
    }),
    z.object({
      specversion: z.number().optional().default(1),
-      eventType: z.enum([EventType.CREATE_SECRETS, EventType.UPDATE_SECRETS, EventType.DELETE_SECRETS]),
-      payload: EventSecretPayload.array()
+      event: z.enum([BusEventName.ImportMutation]),
+      payload: z.union([EventImportMutationPayload, EventImportMutationPayload.array()])
    })
    // Add more event types as needed
  ])
 });

-export type EventData = z.infer<typeof EventSchema>;
+export type BusEvent = z.infer<typeof BusEventSchema>;
+
+type PublishableEventPayload = z.input<typeof BusEventSchema>["data"];
+type PublishableSecretEvent = Extract<
+  PublishableEventPayload,
+  { event: Exclude<BusEventName, BusEventName.ImportMutation> }
+>["payload"];
+
+export type PublishableEvent = {
+  created?: PublishableSecretEvent;
+  updated?: PublishableSecretEvent;
+  deleted?: PublishableSecretEvent;
+  importMutation?: Extract<PublishableEventPayload, { event: BusEventName.ImportMutation }>["payload"];
+};

 export const EventRegisterSchema = z.object({
-  event: EventName,
+  event: z.nativeEnum(BusEventName),
  conditions: z
    .object({
      secretPath: z.string().optional().default("/"),
--- a/backend/src/ee/services/github-org-sync/github-org-sync-service.ts
+++ b/backend/src/ee/services/github-org-sync/github-org-sync-service.ts
@@ -1,14 +1,19 @@
+/* eslint-disable @typescript-eslint/return-await */
+/* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";
 import { Octokit } from "@octokit/core";
 import { paginateGraphql } from "@octokit/plugin-paginate-graphql";
 import { Octokit as OctokitRest } from "@octokit/rest";
+import RE2 from "re2";

 import { OrgMembershipRole } from "@app/db/schemas";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
+import { retryWithBackoff } from "@app/lib/retry";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";

 import { TGroupDALFactory } from "../group/group-dal";
 import { TUserGroupMembershipDALFactory } from "../group/user-group-membership-dal";
@@ -16,20 +21,67 @@ import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
 import { TGithubOrgSyncDALFactory } from "./github-org-sync-dal";
-import { TCreateGithubOrgSyncDTO, TDeleteGithubOrgSyncDTO, TUpdateGithubOrgSyncDTO } from "./github-org-sync-types";
+import {
+  TCreateGithubOrgSyncDTO,
+  TDeleteGithubOrgSyncDTO,
+  TSyncAllTeamsDTO,
+  TSyncResult,
+  TUpdateGithubOrgSyncDTO,
+  TValidateGithubTokenDTO
+} from "./github-org-sync-types";

 const OctokitWithPlugin = Octokit.plugin(paginateGraphql);

+// Type definitions for GitHub API errors
+interface GitHubApiError extends Error {
+  status?: number;
+  response?: {
+    status?: number;
+    headers?: {
+      "x-ratelimit-reset"?: string;
+    };
+  };
+}
+
+interface OrgMembershipWithUser {
+  id: string;
+  orgId: string;
+  role: string;
+  status: string;
+  isActive: boolean;
+  inviteEmail: string | null;
+  user: {
+    id: string;
+    email: string;
+    username: string | null;
+    firstName: string | null;
+    lastName: string | null;
+  } | null;
+}
+
+interface GroupMembership {
+  id: string;
+  groupId: string;
+  groupName: string;
+  orgMembershipId: string;
+  firstName: string | null;
+  lastName: string | null;
+}
+
 type TGithubOrgSyncServiceFactoryDep = {
  githubOrgSyncDAL: TGithubOrgSyncDALFactory;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
  userGroupMembershipDAL: Pick<
    TUserGroupMembershipDALFactory,
-    "findGroupMembershipsByUserIdInOrg" | "insertMany" | "delete"
+    "findGroupMembershipsByUserIdInOrg" | "findGroupMembershipsByGroupIdInOrg" | "insertMany" | "delete"
  >;
  groupDAL: Pick<TGroupDALFactory, "insertMany" | "transaction" | "find">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  orgMembershipDAL: Pick<
+    TOrgMembershipDALFactory,
+    "find" | "findOrgMembershipById" | "findOrgMembershipsWithUsersByOrgId"
+  >;
 };

 export type TGithubOrgSyncServiceFactory = ReturnType<typeof githubOrgSyncServiceFactory>;
@@ -40,7 +92,8 @@ export const githubOrgSyncServiceFactory = ({
  kmsService,
  userGroupMembershipDAL,
  groupDAL,
-  licenseService
+  licenseService,
+  orgMembershipDAL
 }: TGithubOrgSyncServiceFactoryDep) => {
  const createGithubOrgSync = async ({
    githubOrgName,
@@ -304,8 +357,8 @@ export const githubOrgSyncServiceFactory = ({
    const removeFromTeams = infisicalUserGroups.filter((el) => !githubUserTeamSet.has(el.groupName));

    if (newTeams.length || updateTeams.length || removeFromTeams.length) {
-      await groupDAL.transaction(async (tx) => {
-        if (newTeams.length) {
+      if (newTeams.length) {
+        await groupDAL.transaction(async (tx) => {
          const newGroups = await groupDAL.insertMany(
            newTeams.map((newGroupName) => ({
              name: newGroupName,
@@ -322,9 +375,11 @@ export const githubOrgSyncServiceFactory = ({
            })),
            tx
          );
-        }
+        });
+      }

-        if (updateTeams.length) {
+      if (updateTeams.length) {
+        await groupDAL.transaction(async (tx) => {
          await userGroupMembershipDAL.insertMany(
            updateTeams.map((el) => ({
              groupId: githubUserTeamOnInfisicalGroupByName[el][0].id,
@@ -332,16 +387,433 @@ export const githubOrgSyncServiceFactory = ({
            })),
            tx
          );
-        }
+        });
+      }

-        if (removeFromTeams.length) {
+      if (removeFromTeams.length) {
+        await groupDAL.transaction(async (tx) => {
          await userGroupMembershipDAL.delete(
            { userId, $in: { groupId: removeFromTeams.map((el) => el.groupId) } },
            tx
          );
-        }
+        });
+      }
+    }
+  };
+
+  const validateGithubToken = async ({ orgPermission, githubOrgAccessToken }: TValidateGithubTokenDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      orgPermission.type,
+      orgPermission.id,
+      orgPermission.orgId,
+      orgPermission.authMethod,
+      orgPermission.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.GithubOrgSync);
+
+    const plan = await licenseService.getPlan(orgPermission.orgId);
+    if (!plan.githubOrgSync) {
+      throw new BadRequestError({
+        message:
+          "Failed to validate GitHub token due to plan restriction. Upgrade plan to use GitHub organization sync."
      });
    }
+
+    const config = await githubOrgSyncDAL.findOne({ orgId: orgPermission.orgId });
+    if (!config) {
+      throw new BadRequestError({ message: "GitHub organization sync is not configured" });
+    }
+
+    try {
+      const testOctokit = new OctokitRest({
+        auth: githubOrgAccessToken,
+        request: {
+          signal: AbortSignal.timeout(10000)
+        }
+      });
+
+      const { data: org } = await testOctokit.rest.orgs.get({
+        org: config.githubOrgName
+      });
+
+      const octokitGraphQL = new OctokitWithPlugin({
+        auth: githubOrgAccessToken,
+        request: {
+          signal: AbortSignal.timeout(10000)
+        }
+      });
+
+      await octokitGraphQL.graphql(`query($org: String!) { organization(login: $org) { id name } }`, {
+        org: config.githubOrgName
+      });
+
+      return {
+        valid: true,
+        organizationInfo: {
+          id: org.id,
+          login: org.login,
+          name: org.name || org.login,
+          publicRepos: org.public_repos,
+          privateRepos: org.owned_private_repos || 0
+        }
+      };
+    } catch (error) {
+      logger.error(error, `GitHub token validation failed for org ${config.githubOrgName}`);
+
+      const gitHubError = error as GitHubApiError;
+      const statusCode = gitHubError.status || gitHubError.response?.status;
+      if (statusCode) {
+        if (statusCode === 401) {
+          throw new BadRequestError({
+            message: "GitHub access token is invalid or expired."
+          });
+        }
+        if (statusCode === 403) {
+          throw new BadRequestError({
+            message:
+              "GitHub access token lacks required permissions. Required: 1) 'read:org' scope for organization teams, 2) Token owner must be an organization member with team visibility access, 3) Organization settings must allow team visibility. Check GitHub token scopes and organization member permissions."
+          });
+        }
+        if (statusCode === 404) {
+          throw new BadRequestError({
+            message: `Organization '${config.githubOrgName}' not found or access token does not have access to it.`
+          });
+        }
+      }
+
+      throw new BadRequestError({
+        message: `GitHub token validation failed: ${(error as Error).message}`
+      });
+    }
+  };
+
+  const syncAllTeams = async ({ orgPermission }: TSyncAllTeamsDTO): Promise<TSyncResult> => {
+    const { permission } = await permissionService.getOrgPermission(
+      orgPermission.type,
+      orgPermission.id,
+      orgPermission.orgId,
+      orgPermission.authMethod,
+      orgPermission.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionActions.Edit,
+      OrgPermissionSubjects.GithubOrgSyncManual
+    );
+
+    const plan = await licenseService.getPlan(orgPermission.orgId);
+    if (!plan.githubOrgSync) {
+      throw new BadRequestError({
+        message:
+          "Failed to sync all GitHub teams due to plan restriction. Upgrade plan to use GitHub organization sync."
+      });
+    }
+
+    const config = await githubOrgSyncDAL.findOne({ orgId: orgPermission.orgId });
+    if (!config || !config?.isActive) {
+      throw new BadRequestError({ message: "GitHub organization sync is not configured or not active" });
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: orgPermission.orgId
+    });
+
+    if (!config.encryptedGithubOrgAccessToken) {
+      throw new BadRequestError({
+        message: "GitHub organization access token is required. Please set a token first."
+      });
+    }
+
+    const orgAccessToken = decryptor({ cipherTextBlob: config.encryptedGithubOrgAccessToken }).toString();
+
+    try {
+      const testOctokit = new OctokitRest({
+        auth: orgAccessToken,
+        request: {
+          signal: AbortSignal.timeout(10000)
+        }
+      });
+
+      await testOctokit.rest.orgs.get({
+        org: config.githubOrgName
+      });
+
+      await testOctokit.rest.users.getAuthenticated();
+    } catch (error) {
+      throw new BadRequestError({
+        message: "Stored GitHub access token is invalid or expired. Please set a new token."
+      });
+    }
+
+    const allMembers = await orgMembershipDAL.findOrgMembershipsWithUsersByOrgId(orgPermission.orgId);
+    const activeMembers = allMembers.filter(
+      (member) => member.status === "accepted" && member.isActive
+    ) as OrgMembershipWithUser[];
+
+    const startTime = Date.now();
+    const syncErrors: string[] = [];
+
+    const octokit = new OctokitWithPlugin({
+      auth: orgAccessToken,
+      request: {
+        signal: AbortSignal.timeout(30000)
+      }
+    });
+
+    const data = await retryWithBackoff(async () => {
+      return octokit.graphql
+        .paginate<{
+          organization: {
+            teams: {
+              totalCount: number;
+              edges: {
+                node: {
+                  name: string;
+                  description: string;
+                  members: {
+                    edges: {
+                      node: {
+                        login: string;
+                      };
+                    }[];
+                  };
+                };
+              }[];
+            };
+          };
+        }>(
+          `
+        query orgTeams($cursor: String, $org: String!) {
+          organization(login: $org) {
+            teams(first: 100, after: $cursor) {
+              totalCount
+              edges {
+                node {
+                  name
+                  description
+                  members(first: 100) {
+                    edges {
+                      node {
+                        login
+                      }
+                    }
+                  }
+                }
+              }
+              pageInfo {
+                hasNextPage
+                endCursor
+              }
+            }
+          }
+        }
+        `,
+          {
+            org: config.githubOrgName
+          }
+        )
+        .catch((err) => {
+          logger.error(err, "GitHub GraphQL error for batched team sync");
+
+          const gitHubError = err as GitHubApiError;
+          const statusCode = gitHubError.status || gitHubError.response?.status;
+          if (statusCode) {
+            if (statusCode === 401) {
+              throw new BadRequestError({
+                message: "GitHub access token is invalid or expired. Please provide a new token."
+              });
+            }
+            if (statusCode === 403) {
+              throw new BadRequestError({
+                message:
+                  "GitHub access token lacks required permissions for organization team sync. Required: 1) 'admin:org' scope, 2) Token owner must be organization owner or have team read permissions, 3) Organization settings must allow team visibility. Check token scopes and user role."
+              });
+            }
+            if (statusCode === 404) {
+              throw new BadRequestError({
+                message: `Organization ${config.githubOrgName} not found or access token does not have sufficient permissions to read it.`
+              });
+            }
+          }
+
+          if ((err as Error)?.message?.includes("Although you appear to have the correct authorization credential")) {
+            throw new BadRequestError({
+              message:
+                "Organization has restricted OAuth app access. Please check that: 1) Your organization has approved the Infisical OAuth application, 2) The token owner has sufficient organization permissions."
+            });
+          }
+          throw new BadRequestError({ message: `GitHub GraphQL query failed: ${(err as Error)?.message}` });
+        });
+    });
+
+    const {
+      organization: { teams }
+    } = data;
+
+    const userTeamMap = new Map<string, string[]>();
+    const allGithubUsernamesInTeams = new Set<string>();
+
+    teams?.edges?.forEach((teamEdge) => {
+      const teamName = teamEdge.node.name.toLowerCase();
+
+      teamEdge.node.members.edges.forEach((memberEdge) => {
+        const username = memberEdge.node.login.toLowerCase();
+        allGithubUsernamesInTeams.add(username);
+
+        if (!userTeamMap.has(username)) {
+          userTeamMap.set(username, []);
+        }
+        userTeamMap.get(username)!.push(teamName);
+      });
+    });
+
+    const allGithubTeamNames = Array.from(new Set(teams?.edges?.map((edge) => edge.node.name.toLowerCase()) || []));
+
+    const existingTeamsOnInfisical = await groupDAL.find({
+      orgId: orgPermission.orgId,
+      $in: { name: allGithubTeamNames }
+    });
+    const existingTeamsMap = groupBy(existingTeamsOnInfisical, (i) => i.name);
+
+    const teamsToCreate = allGithubTeamNames.filter((teamName) => !(teamName in existingTeamsMap));
+    const createdTeams = new Set<string>();
+    const updatedTeams = new Set<string>();
+    const totalRemovedMemberships = 0;
+
+    await groupDAL.transaction(async (tx) => {
+      if (teamsToCreate.length > 0) {
+        const newGroups = await groupDAL.insertMany(
+          teamsToCreate.map((teamName) => ({
+            name: teamName,
+            role: OrgMembershipRole.Member,
+            slug: teamName,
+            orgId: orgPermission.orgId
+          })),
+          tx
+        );
+
+        newGroups.forEach((group) => {
+          if (!existingTeamsMap[group.name]) {
+            existingTeamsMap[group.name] = [];
+          }
+          existingTeamsMap[group.name].push(group);
+          createdTeams.add(group.name);
+        });
+      }
+
+      const allTeams = [...Object.values(existingTeamsMap).flat()];
+
+      for (const team of allTeams) {
+        const teamName = team.name.toLowerCase();
+
+        const currentMemberships = (await userGroupMembershipDAL.findGroupMembershipsByGroupIdInOrg(
+          team.id,
+          orgPermission.orgId
+        )) as GroupMembership[];
+
+        const expectedUserIds = new Set<string>();
+        teams?.edges?.forEach((teamEdge) => {
+          if (teamEdge.node.name.toLowerCase() === teamName) {
+            teamEdge.node.members.edges.forEach((memberEdge) => {
+              const githubUsername = memberEdge.node.login.toLowerCase();
+
+              const matchingMember = activeMembers.find((member) => {
+                const email = member.user?.email || member.inviteEmail;
+                if (!email) return false;
+
+                const emailPrefix = email.split("@")[0].toLowerCase();
+                const emailDomain = email.split("@")[1].toLowerCase();
+
+                if (emailPrefix === githubUsername) {
+                  return true;
+                }
+                const domainName = emailDomain.split(".")[0];
+                if (githubUsername.endsWith(domainName) && githubUsername.length > domainName.length) {
+                  const baseUsername = githubUsername.slice(0, -domainName.length);
+                  if (emailPrefix === baseUsername) {
+                    return true;
+                  }
+                }
+                const emailSplitRegex = new RE2(/[._-]/);
+                const emailParts = emailPrefix.split(emailSplitRegex);
+                const longestEmailPart = emailParts.reduce((a, b) => (a.length > b.length ? a : b), "");
+                if (longestEmailPart.length >= 4 && githubUsername.includes(longestEmailPart)) {
+                  return true;
+                }
+                return false;
+              });
+
+              if (matchingMember?.user?.id) {
+                expectedUserIds.add(matchingMember.user.id);
+                logger.info(
+                  `Matched GitHub user ${githubUsername} to email ${matchingMember.user?.email || matchingMember.inviteEmail}`
+                );
+              }
+            });
+          }
+        });
+
+        const currentUserIds = new Set<string>();
+        currentMemberships.forEach((membership) => {
+          const activeMember = activeMembers.find((am) => am.id === membership.orgMembershipId);
+          if (activeMember?.user?.id) {
+            currentUserIds.add(activeMember.user.id);
+          }
+        });
+
+        const usersToAdd = Array.from(expectedUserIds).filter((userId) => !currentUserIds.has(userId));
+
+        const membershipsToRemove = currentMemberships.filter((membership) => {
+          const activeMember = activeMembers.find((am) => am.id === membership.orgMembershipId);
+          return activeMember?.user?.id && !expectedUserIds.has(activeMember.user.id);
+        });
+
+        if (usersToAdd.length > 0) {
+          await userGroupMembershipDAL.insertMany(
+            usersToAdd.map((userId) => ({
+              userId,
+              groupId: team.id
+            })),
+            tx
+          );
+          updatedTeams.add(teamName);
+        }
+
+        if (membershipsToRemove.length > 0) {
+          await userGroupMembershipDAL.delete(
+            {
+              $in: {
+                id: membershipsToRemove.map((m) => m.id)
+              }
+            },
+            tx
+          );
+          updatedTeams.add(teamName);
+        }
+      }
+    });
+
+    const syncDuration = Date.now() - startTime;
+
+    logger.info(
+      {
+        orgId: orgPermission.orgId,
+        createdTeams: createdTeams.size,
+        syncDuration
+      },
+      "GitHub team sync completed"
+    );
+
+    return {
+      totalUsers: activeMembers.length,
+      errors: syncErrors,
+      createdTeams: Array.from(createdTeams),
+      updatedTeams: Array.from(updatedTeams),
+      removedMemberships: totalRemovedMemberships,
+      syncDuration
+    };
  };

  return {
@@ -349,6 +821,8 @@ export const githubOrgSyncServiceFactory = ({
    updateGithubOrgSync,
    deleteGithubOrgSync,
    getGithubOrgSync,
-    syncUserGroups
+    syncUserGroups,
+    syncAllTeams,
+    validateGithubToken
  };
 };
--- a/backend/src/ee/services/github-org-sync/github-org-sync-types.ts
+++ b/backend/src/ee/services/github-org-sync/github-org-sync-types.ts
@@ -21,3 +21,21 @@ export interface TDeleteGithubOrgSyncDTO {
 export interface TGetGithubOrgSyncDTO {
  orgPermission: OrgServiceActor;
 }
+
+export interface TSyncAllTeamsDTO {
+  orgPermission: OrgServiceActor;
+}
+
+export interface TSyncResult {
+  totalUsers: number;
+  errors: string[];
+  createdTeams: string[];
+  updatedTeams: string[];
+  removedMemberships: number;
+  syncDuration: number;
+}
+
+export interface TValidateGithubTokenDTO {
+  orgPermission: OrgServiceActor;
+  githubOrgAccessToken: string;
+}
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@@ -1,4 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
+import { Knex } from "knex";

 import { OrgMembershipStatus, TableName, TLdapConfigsUpdate, TUsers } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
@@ -45,7 +46,7 @@ import { searchGroups, testLDAPConfig } from "./ldap-fns";
 import { TLdapGroupMapDALFactory } from "./ldap-group-map-dal";

 type TLdapConfigServiceFactoryDep = {
-  ldapConfigDAL: Pick<TLdapConfigDALFactory, "create" | "update" | "findOne">;
+  ldapConfigDAL: Pick<TLdapConfigDALFactory, "create" | "update" | "findOne" | "transaction">;
  ldapGroupMapDAL: Pick<TLdapGroupMapDALFactory, "find" | "create" | "delete" | "findLdapGroupMapsByLdapConfigId">;
  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
  orgDAL: Pick<
@@ -131,6 +132,19 @@ export const ldapConfigServiceFactory = ({
      orgId
    });

+    const isConnected = await testLDAPConfig({
+      bindDN,
+      bindPass,
+      caCert,
+      url
+    });
+
+    if (!isConnected) {
+      throw new BadRequestError({
+        message: "Failed to establish connection to LDAP directory. Please verify that your credentials are correct."
+      });
+    }
+
    const ldapConfig = await ldapConfigDAL.create({
      orgId,
      isActive,
@@ -148,6 +162,50 @@ export const ldapConfigServiceFactory = ({
    return ldapConfig;
  };

+  const getLdapCfg = async (filter: { orgId: string; isActive?: boolean; id?: string }, tx?: Knex) => {
+    const ldapConfig = await ldapConfigDAL.findOne(filter, tx);
+    if (!ldapConfig) {
+      throw new NotFoundError({
+        message: `Failed to find organization LDAP data in organization with ID '${filter.orgId}'`
+      });
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: ldapConfig.orgId
+    });
+
+    let bindDN = "";
+    if (ldapConfig.encryptedLdapBindDN) {
+      bindDN = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapBindDN }).toString();
+    }
+
+    let bindPass = "";
+    if (ldapConfig.encryptedLdapBindPass) {
+      bindPass = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapBindPass }).toString();
+    }
+
+    let caCert = "";
+    if (ldapConfig.encryptedLdapCaCertificate) {
+      caCert = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapCaCertificate }).toString();
+    }
+
+    return {
+      id: ldapConfig.id,
+      organization: ldapConfig.orgId,
+      isActive: ldapConfig.isActive,
+      url: ldapConfig.url,
+      bindDN,
+      bindPass,
+      uniqueUserAttribute: ldapConfig.uniqueUserAttribute,
+      searchBase: ldapConfig.searchBase,
+      searchFilter: ldapConfig.searchFilter,
+      groupSearchBase: ldapConfig.groupSearchBase,
+      groupSearchFilter: ldapConfig.groupSearchFilter,
+      caCert
+    };
+  };
+
  const updateLdapCfg = async ({
    actor,
    actorId,
@@ -202,53 +260,25 @@ export const ldapConfigServiceFactory = ({
      updateQuery.encryptedLdapCaCertificate = encryptor({ plainText: Buffer.from(caCert) }).cipherTextBlob;
    }

-    const [ldapConfig] = await ldapConfigDAL.update({ orgId }, updateQuery);
+    const config = await ldapConfigDAL.transaction(async (tx) => {
+      const [updatedLdapCfg] = await ldapConfigDAL.update({ orgId }, updateQuery, tx);
+      const decryptedLdapCfg = await getLdapCfg({ orgId }, tx);

-    return ldapConfig;
-  };
+      const isSoftDeletion = !decryptedLdapCfg.url && !decryptedLdapCfg.bindDN && !decryptedLdapCfg.bindPass;
+      if (!isSoftDeletion) {
+        const isConnected = await testLDAPConfig(decryptedLdapCfg);
+        if (!isConnected) {
+          throw new BadRequestError({
+            message:
+              "Failed to establish connection to LDAP directory. Please verify that your credentials are correct."
+          });
+        }
+      }

-  const getLdapCfg = async (filter: { orgId: string; isActive?: boolean; id?: string }) => {
-    const ldapConfig = await ldapConfigDAL.findOne(filter);
-    if (!ldapConfig) {
-      throw new NotFoundError({
-        message: `Failed to find organization LDAP data in organization with ID '${filter.orgId}'`
-      });
-    }
-
-    const { decryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.Organization,
-      orgId: ldapConfig.orgId
+      return updatedLdapCfg;
    });

-    let bindDN = "";
-    if (ldapConfig.encryptedLdapBindDN) {
-      bindDN = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapBindDN }).toString();
-    }
-
-    let bindPass = "";
-    if (ldapConfig.encryptedLdapBindPass) {
-      bindPass = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapBindPass }).toString();
-    }
-
-    let caCert = "";
-    if (ldapConfig.encryptedLdapCaCertificate) {
-      caCert = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapCaCertificate }).toString();
-    }
-
-    return {
-      id: ldapConfig.id,
-      organization: ldapConfig.orgId,
-      isActive: ldapConfig.isActive,
-      url: ldapConfig.url,
-      bindDN,
-      bindPass,
-      uniqueUserAttribute: ldapConfig.uniqueUserAttribute,
-      searchBase: ldapConfig.searchBase,
-      searchFilter: ldapConfig.searchFilter,
-      groupSearchBase: ldapConfig.groupSearchBase,
-      groupSearchFilter: ldapConfig.groupSearchFilter,
-      caCert
-    };
+    return config;
  };

  const getLdapCfgWithPermissionCheck = async ({
@@ -370,15 +400,13 @@ export const ldapConfigServiceFactory = ({

      userAlias = await userDAL.transaction(async (tx) => {
        let newUser: TUsers | undefined;
-        if (serverCfg.trustLdapEmails) {
-          newUser = await userDAL.findOne(
-            {
-              email: email.toLowerCase(),
-              isEmailVerified: true
-            },
-            tx
-          );
-        }
+        newUser = await userDAL.findOne(
+          {
+            email: email.toLowerCase(),
+            isEmailVerified: true
+          },
+          tx
+        );

        if (!newUser) {
          const uniqueUsername = await normalizeUsername(username, userDAL);
@@ -403,7 +431,8 @@ export const ldapConfigServiceFactory = ({
            aliasType: UserAliasType.LDAP,
            externalId,
            emails: [email],
-            orgId
+            orgId,
+            isEmailVerified: serverCfg.trustLdapEmails
          },
          tx
        );
@@ -526,16 +555,14 @@ export const ldapConfigServiceFactory = ({
      return newUser;
    });

-    const isUserCompleted = Boolean(user.isAccepted);
-    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
-
+    const isUserCompleted = Boolean(user.isAccepted) && userAlias.isEmailVerified;
    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
-        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
+        hasExchangedPrivateKey: true,
+        ...(user.email && { email: user.email, isEmailVerified: userAlias.isEmailVerified }),
        firstName,
        lastName,
        organizationName: organization.name,
@@ -543,6 +570,7 @@ export const ldapConfigServiceFactory = ({
        organizationSlug: organization.slug,
        authMethod: AuthMethod.LDAP,
        authType: UserAliasType.LDAP,
+        aliasId: userAlias.id,
        isUserCompleted,
        ...(relayState
          ? {
@@ -556,10 +584,11 @@ export const ldapConfigServiceFactory = ({
      }
    );

-    if (user.email && !user.isEmailVerified) {
+    if (user.email && !userAlias.isEmailVerified) {
      const token = await tokenService.createTokenForUser({
        type: TokenType.TOKEN_EMAIL_VERIFICATION,
-        userId: user.id
+        userId: user.id,
+        aliasId: userAlias.id
      });

      await smtpService.sendMail({
@@ -694,7 +723,17 @@ export const ldapConfigServiceFactory = ({
    return deletedGroupMap;
  };

-  const testLDAPConnection = async ({ actor, actorId, orgId, actorAuthMethod, actorOrgId }: TTestLdapConnectionDTO) => {
+  const testLDAPConnection = async ({
+    actor,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId,
+    bindDN,
+    bindPass,
+    caCert,
+    url
+  }: TTestLdapConnectionDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);

@@ -704,11 +743,12 @@ export const ldapConfigServiceFactory = ({
        message: "Failed to test LDAP connection due to plan restriction. Upgrade plan to test the LDAP connection."
      });

-    const ldapConfig = await getLdapCfg({
-      orgId
+    return testLDAPConfig({
+      bindDN,
+      bindPass,
+      caCert,
+      url
    });
-
-    return testLDAPConfig(ldapConfig);
  };

  return {
--- a/backend/src/ee/services/ldap-config/ldap-config-types.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-types.ts
@@ -83,6 +83,4 @@ export type TDeleteLdapGroupMapDTO = {
  ldapGroupMapId: string;
 } & TOrgPermission;

-export type TTestLdapConnectionDTO = {
-  ldapConfigId: string;
-} & TOrgPermission;
+export type TTestLdapConnectionDTO = TOrgPermission & TTestLDAPConfigDTO;
--- a/backend/src/ee/services/license/mocks/license-fns.ts
+++ b/backend/src/ee/services/license/mocks/license-fns.ts
@@ -31,7 +31,7 @@ export const getDefaultOnPremFeatures = () => {
    caCrl: false,
    sshHostGroups: false,
    enterpriseSecretSyncs: false,
-    enterpriseAppConnections: false,
+    enterpriseAppConnections: true,
    machineIdentityAuthTemplates: false
  };
 };
--- a/backend/src/ee/services/license/license-fns.ts
+++ b/backend/src/ee/services/license/license-fns.ts
@@ -32,6 +32,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  auditLogStreams: false,
  auditLogStreamLimit: 3,
  samlSSO: false,
+  enforceGoogleSSO: false,
  hsm: false,
  oidcSSO: false,
  scim: false,
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@@ -47,6 +47,7 @@ export type TFeatureSet = {
  auditLogStreamLimit: 3;
  githubOrgSync: false;
  samlSSO: false;
+  enforceGoogleSSO: false;
  hsm: false;
  oidcSSO: false;
  secretAccessInsights: false;
--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@@ -180,7 +180,7 @@ export const oidcConfigServiceFactory = ({
    }

    const appCfg = getConfig();
-    const userAlias = await userAliasDAL.findOne({
+    let userAlias = await userAliasDAL.findOne({
      externalId,
      orgId,
      aliasType: UserAliasType.OIDC
@@ -231,32 +231,29 @@ export const oidcConfigServiceFactory = ({
    } else {
      user = await userDAL.transaction(async (tx) => {
        let newUser: TUsers | undefined;
+        // we prioritize getting the most complete user to create the new alias under
+        newUser = await userDAL.findOne(
+          {
+            email,
+            isEmailVerified: true
+          },
+          tx
+        );

-        if (serverCfg.trustOidcEmails) {
-          // we prioritize getting the most complete user to create the new alias under
+        if (!newUser) {
+          // this fetches user entries created via invites
          newUser = await userDAL.findOne(
            {
-              email,
-              isEmailVerified: true
+              username: email
            },
            tx
          );

-          if (!newUser) {
-            // this fetches user entries created via invites
-            newUser = await userDAL.findOne(
-              {
-                username: email
-              },
-              tx
-            );
-
-            if (newUser && !newUser.isEmailVerified) {
-              // we automatically mark it as email-verified because we've configured trust for OIDC emails
-              newUser = await userDAL.updateById(newUser.id, {
-                isEmailVerified: true
-              });
-            }
+          if (newUser && !newUser.isEmailVerified) {
+            // we automatically mark it as email-verified because we've configured trust for OIDC emails
+            newUser = await userDAL.updateById(newUser.id, {
+              isEmailVerified: serverCfg.trustOidcEmails
+            });
          }
        }

@@ -276,13 +273,14 @@ export const oidcConfigServiceFactory = ({
          );
        }

-        await userAliasDAL.create(
+        userAlias = await userAliasDAL.create(
          {
            userId: newUser.id,
            aliasType: UserAliasType.OIDC,
            externalId,
            emails: email ? [email] : [],
-            orgId
+            orgId,
+            isEmailVerified: serverCfg.trustOidcEmails
          },
          tx
        );
@@ -404,20 +402,20 @@ export const oidcConfigServiceFactory = ({

    await licenseService.updateSubscriptionOrgMemberCount(organization.id);

-    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
-    const isUserCompleted = Boolean(user.isAccepted);
+    const isUserCompleted = Boolean(user.isAccepted) && userAlias.isEmailVerified;
    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
+        ...(user.email && { email: user.email, isEmailVerified: userAlias.isEmailVerified }),
        firstName,
        lastName,
        organizationName: organization.name,
        organizationId: organization.id,
        organizationSlug: organization.slug,
-        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
+        hasExchangedPrivateKey: true,
+        aliasId: userAlias.id,
        authMethod: AuthMethod.OIDC,
        authType: UserAliasType.OIDC,
        isUserCompleted,
@@ -431,10 +429,11 @@ export const oidcConfigServiceFactory = ({

    await oidcConfigDAL.update({ orgId }, { lastUsed: new Date() });

-    if (user.email && !user.isEmailVerified) {
+    if (user.email && !userAlias.isEmailVerified) {
      const token = await tokenService.createTokenForUser({
        type: TokenType.TOKEN_EMAIL_VERIFICATION,
-        userId: user.id
+        userId: user.id,
+        aliasId: userAlias.id
      });

      await smtpService
--- a/backend/src/ee/services/permission/default-roles.ts
+++ b/backend/src/ee/services/permission/default-roles.ts
@@ -2,6 +2,7 @@ import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability"

 import {
  ProjectPermissionActions,
+  ProjectPermissionAuditLogsActions,
  ProjectPermissionCertificateActions,
  ProjectPermissionCmekActions,
  ProjectPermissionCommitsActions,
@@ -13,6 +14,7 @@ import {
  ProjectPermissionPkiSubscriberActions,
  ProjectPermissionPkiTemplateActions,
  ProjectPermissionSecretActions,
+  ProjectPermissionSecretEventActions,
  ProjectPermissionSecretRotationActions,
  ProjectPermissionSecretScanningConfigActions,
  ProjectPermissionSecretScanningDataSourceActions,
@@ -161,8 +163,7 @@ const buildAdminPermissionRules = () => {
      ProjectPermissionSecretActions.ReadValue,
      ProjectPermissionSecretActions.Create,
      ProjectPermissionSecretActions.Edit,
-      ProjectPermissionSecretActions.Delete,
-      ProjectPermissionSecretActions.Subscribe
+      ProjectPermissionSecretActions.Delete
    ],
    ProjectPermissionSub.Secrets
  );
@@ -253,6 +254,16 @@ const buildAdminPermissionRules = () => {
    ProjectPermissionSub.SecretScanningConfigs
  );

+  can(
+    [
+      ProjectPermissionSecretEventActions.SubscribeCreated,
+      ProjectPermissionSecretEventActions.SubscribeDeleted,
+      ProjectPermissionSecretEventActions.SubscribeUpdated,
+      ProjectPermissionSecretEventActions.SubscribeImportMutations
+    ],
+    ProjectPermissionSub.SecretEvents
+  );
+
  return rules;
 };

@@ -266,8 +277,7 @@ const buildMemberPermissionRules = () => {
      ProjectPermissionSecretActions.ReadValue,
      ProjectPermissionSecretActions.Edit,
      ProjectPermissionSecretActions.Create,
-      ProjectPermissionSecretActions.Delete,
-      ProjectPermissionSecretActions.Subscribe
+      ProjectPermissionSecretActions.Delete
    ],
    ProjectPermissionSub.Secrets
  );
@@ -385,7 +395,7 @@ const buildMemberPermissionRules = () => {
  );

  can([ProjectPermissionActions.Read], ProjectPermissionSub.Role);
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.AuditLogs);
+  can([ProjectPermissionAuditLogsActions.Read], ProjectPermissionSub.AuditLogs);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.IpAllowList);

  // double check if all CRUD are needed for CA and Certificates
@@ -457,6 +467,16 @@ const buildMemberPermissionRules = () => {

  can([ProjectPermissionSecretScanningConfigActions.Read], ProjectPermissionSub.SecretScanningConfigs);

+  can(
+    [
+      ProjectPermissionSecretEventActions.SubscribeCreated,
+      ProjectPermissionSecretEventActions.SubscribeDeleted,
+      ProjectPermissionSecretEventActions.SubscribeUpdated,
+      ProjectPermissionSecretEventActions.SubscribeImportMutations
+    ],
+    ProjectPermissionSub.SecretEvents
+  );
+
  return rules;
 };

@@ -483,7 +503,7 @@ const buildViewerPermissionRules = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
+  can(ProjectPermissionAuditLogsActions.Read, ProjectPermissionSub.AuditLogs);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
  can(ProjectPermissionCertificateActions.Read, ProjectPermissionSub.Certificates);
@@ -507,6 +527,16 @@ const buildViewerPermissionRules = () => {

  can([ProjectPermissionSecretScanningConfigActions.Read], ProjectPermissionSub.SecretScanningConfigs);

+  can(
+    [
+      ProjectPermissionSecretEventActions.SubscribeCreated,
+      ProjectPermissionSecretEventActions.SubscribeDeleted,
+      ProjectPermissionSecretEventActions.SubscribeUpdated,
+      ProjectPermissionSecretEventActions.SubscribeImportMutations
+    ],
+    ProjectPermissionSub.SecretEvents
+  );
+
  return rules;
 };

--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@@ -23,6 +23,10 @@ export enum OrgPermissionAppConnectionActions {
  Connect = "connect"
 }

+export enum OrgPermissionAuditLogsActions {
+  Read = "read"
+}
+
 export enum OrgPermissionKmipActions {
  Proxy = "proxy",
  Setup = "setup"
@@ -90,6 +94,7 @@ export enum OrgPermissionSubjects {
  Sso = "sso",
  Scim = "scim",
  GithubOrgSync = "github-org-sync",
+  GithubOrgSyncManual = "github-org-sync-manual",
  Ldap = "ldap",
  Groups = "groups",
  Billing = "billing",
@@ -119,13 +124,14 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.Sso]
  | [OrgPermissionActions, OrgPermissionSubjects.Scim]
  | [OrgPermissionActions, OrgPermissionSubjects.GithubOrgSync]
+  | [OrgPermissionActions, OrgPermissionSubjects.GithubOrgSyncManual]
  | [OrgPermissionActions, OrgPermissionSubjects.Ldap]
  | [OrgPermissionGroupActions, OrgPermissionSubjects.Groups]
  | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
  | [OrgPermissionBillingActions, OrgPermissionSubjects.Billing]
  | [OrgPermissionIdentityActions, OrgPermissionSubjects.Identity]
  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
-  | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
+  | [OrgPermissionAuditLogsActions, OrgPermissionSubjects.AuditLogs]
  | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
  | [OrgPermissionGatewayActions, OrgPermissionSubjects.Gateway]
  | [
@@ -188,6 +194,10 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
    subject: z.literal(OrgPermissionSubjects.GithubOrgSync).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.GithubOrgSyncManual).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Ldap).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
@@ -214,7 +224,9 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.AuditLogs).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAuditLogsActions).describe(
+      "Describe what action an entity can take."
+    )
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.ProjectTemplates).describe("The entity this permission pertains to."),
@@ -309,6 +321,11 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.GithubOrgSync);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.GithubOrgSync);

+  can(OrgPermissionActions.Read, OrgPermissionSubjects.GithubOrgSyncManual);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.GithubOrgSyncManual);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.GithubOrgSyncManual);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.GithubOrgSyncManual);
+
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Ldap);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Ldap);
@@ -340,10 +357,7 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Kms);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Kms);

-  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
-  can(OrgPermissionActions.Create, OrgPermissionSubjects.AuditLogs);
-  can(OrgPermissionActions.Edit, OrgPermissionSubjects.AuditLogs);
-  can(OrgPermissionActions.Delete, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionAuditLogsActions.Read, OrgPermissionSubjects.AuditLogs);

  can(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
@@ -416,7 +430,7 @@ const buildMemberPermission = () => {
  can(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
  can(OrgPermissionIdentityActions.Delete, OrgPermissionSubjects.Identity);

-  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionAuditLogsActions.Read, OrgPermissionSubjects.AuditLogs);

  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
  can(OrgPermissionGatewayActions.ListGateways, OrgPermissionSubjects.Gateway);
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@@ -35,6 +35,7 @@ export interface TPermissionDALFactory {
      projectFavorites?: string[] | null | undefined;
      customRoleSlug?: string | null | undefined;
      orgAuthEnforced?: boolean | null | undefined;
+      orgGoogleSsoAuthEnforced: boolean;
    } & {
      groups: {
        id: string;
@@ -87,6 +88,7 @@ export interface TPermissionDALFactory {
        }[];
        orgId: string;
        orgAuthEnforced: boolean | null | undefined;
+        orgGoogleSsoAuthEnforced: boolean;
        orgRole: OrgMembershipRole;
        userId: string;
        projectId: string;
@@ -350,6 +352,7 @@ export const permissionDALFactory = (db: TDbClient): TPermissionDALFactory => {
          db.ref("slug").withSchema(TableName.OrgRoles).withSchema(TableName.OrgRoles).as("customRoleSlug"),
          db.ref("permissions").withSchema(TableName.OrgRoles),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("googleSsoAuthEnforced").withSchema(TableName.Organization).as("orgGoogleSsoAuthEnforced"),
          db.ref("bypassOrgAuthEnabled").withSchema(TableName.Organization).as("bypassOrgAuthEnabled"),
          db.ref("groupId").withSchema("userGroups"),
          db.ref("groupOrgId").withSchema("userGroups"),
@@ -369,6 +372,7 @@ export const permissionDALFactory = (db: TDbClient): TPermissionDALFactory => {
          OrgMembershipsSchema.extend({
            permissions: z.unknown(),
            orgAuthEnforced: z.boolean().optional().nullable(),
+            orgGoogleSsoAuthEnforced: z.boolean(),
            bypassOrgAuthEnabled: z.boolean(),
            customRoleSlug: z.string().optional().nullable(),
            shouldUseNewPrivilegeSystem: z.boolean()
@@ -988,6 +992,7 @@ export const permissionDALFactory = (db: TDbClient): TPermissionDALFactory => {
          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("googleSsoAuthEnforced").withSchema(TableName.Organization).as("orgGoogleSsoAuthEnforced"),
          db.ref("bypassOrgAuthEnabled").withSchema(TableName.Organization).as("bypassOrgAuthEnabled"),
          db.ref("role").withSchema(TableName.OrgMembership).as("orgRole"),
          db.ref("orgId").withSchema(TableName.Project),
@@ -1003,6 +1008,7 @@ export const permissionDALFactory = (db: TDbClient): TPermissionDALFactory => {
          orgId,
          username,
          orgAuthEnforced,
+          orgGoogleSsoAuthEnforced,
          orgRole,
          membershipId,
          groupMembershipId,
@@ -1016,6 +1022,7 @@ export const permissionDALFactory = (db: TDbClient): TPermissionDALFactory => {
        }) => ({
          orgId,
          orgAuthEnforced,
+          orgGoogleSsoAuthEnforced,
          orgRole: orgRole as OrgMembershipRole,
          userId,
          projectId,
--- a/backend/src/ee/services/permission/permission-fns.ts
+++ b/backend/src/ee/services/permission/permission-fns.ts
@@ -121,6 +121,7 @@ function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
 function validateOrgSSO(
  actorAuthMethod: ActorAuthMethod,
  isOrgSsoEnforced: TOrganizations["authEnforced"],
+  isOrgGoogleSsoEnforced: TOrganizations["googleSsoAuthEnforced"],
  isOrgSsoBypassEnabled: TOrganizations["bypassOrgAuthEnabled"],
  orgRole: OrgMembershipRole
 ) {
@@ -128,10 +129,16 @@ function validateOrgSSO(
    throw new UnauthorizedError({ name: "No auth method defined" });
  }

-  if (isOrgSsoEnforced && isOrgSsoBypassEnabled && orgRole === OrgMembershipRole.Admin) {
+  if ((isOrgSsoEnforced || isOrgGoogleSsoEnforced) && isOrgSsoBypassEnabled && orgRole === OrgMembershipRole.Admin) {
    return;
  }

+  // case: google sso is enforced, but the actor is not using google sso
+  if (isOrgGoogleSsoEnforced && actorAuthMethod !== null && actorAuthMethod !== AuthMethod.GOOGLE) {
+    throw new ForbiddenRequestError({ name: "Org auth enforced. Cannot access org-scoped resource" });
+  }
+
+  // case: SAML SSO is enforced, but the actor is not using SAML SSO
  if (
    isOrgSsoEnforced &&
    actorAuthMethod !== null &&
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@@ -146,6 +146,7 @@ export const permissionServiceFactory = ({
    validateOrgSSO(
      authMethod,
      membership.orgAuthEnforced,
+      membership.orgGoogleSsoAuthEnforced,
      membership.bypassOrgAuthEnabled,
      membership.role as OrgMembershipRole
    );
@@ -238,6 +239,7 @@ export const permissionServiceFactory = ({
    validateOrgSSO(
      authMethod,
      userProjectPermission.orgAuthEnforced,
+      userProjectPermission.orgGoogleSsoAuthEnforced,
      userProjectPermission.bypassOrgAuthEnabled,
      userProjectPermission.orgRole
    );
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -36,8 +36,7 @@ export enum ProjectPermissionSecretActions {
  ReadValue = "readValue",
  Create = "create",
  Edit = "edit",
-  Delete = "delete",
-  Subscribe = "subscribe"
+  Delete = "delete"
 }

 export enum ProjectPermissionCmekActions {
@@ -158,6 +157,17 @@ export enum ProjectPermissionSecretScanningConfigActions {
  Update = "update-configs"
 }

+export enum ProjectPermissionSecretEventActions {
+  SubscribeCreated = "subscribe-on-created",
+  SubscribeUpdated = "subscribe-on-updated",
+  SubscribeDeleted = "subscribe-on-deleted",
+  SubscribeImportMutations = "subscribe-on-import-mutations"
+}
+
+export enum ProjectPermissionAuditLogsActions {
+  Read = "read"
+}
+
 export enum ProjectPermissionSub {
  Role = "role",
  Member = "member",
@@ -197,7 +207,8 @@ export enum ProjectPermissionSub {
  Kmip = "kmip",
  SecretScanningDataSources = "secret-scanning-data-sources",
  SecretScanningFindings = "secret-scanning-findings",
-  SecretScanningConfigs = "secret-scanning-configs"
+  SecretScanningConfigs = "secret-scanning-configs",
+  SecretEvents = "secret-events"
 }

 export type SecretSubjectFields = {
@@ -205,7 +216,13 @@ export type SecretSubjectFields = {
  secretPath: string;
  secretName?: string;
  secretTags?: string[];
-  eventType?: string;
+};
+
+export type SecretEventSubjectFields = {
+  environment: string;
+  secretPath: string;
+  secretName?: string;
+  secretTags?: string[];
 };

 export type SecretFolderSubjectFields = {
@@ -291,7 +308,7 @@ export type ProjectPermissionSet =
  | [ProjectPermissionGroupActions, ProjectPermissionSub.Groups]
  | [ProjectPermissionActions, ProjectPermissionSub.Integrations]
  | [ProjectPermissionActions, ProjectPermissionSub.Webhooks]
-  | [ProjectPermissionActions, ProjectPermissionSub.AuditLogs]
+  | [ProjectPermissionAuditLogsActions, ProjectPermissionSub.AuditLogs]
  | [ProjectPermissionActions, ProjectPermissionSub.Environments]
  | [ProjectPermissionActions, ProjectPermissionSub.IpAllowList]
  | [ProjectPermissionActions, ProjectPermissionSub.Settings]
@@ -344,7 +361,11 @@ export type ProjectPermissionSet =
  | [ProjectPermissionCommitsActions, ProjectPermissionSub.Commits]
  | [ProjectPermissionSecretScanningDataSourceActions, ProjectPermissionSub.SecretScanningDataSources]
  | [ProjectPermissionSecretScanningFindingActions, ProjectPermissionSub.SecretScanningFindings]
-  | [ProjectPermissionSecretScanningConfigActions, ProjectPermissionSub.SecretScanningConfigs];
+  | [ProjectPermissionSecretScanningConfigActions, ProjectPermissionSub.SecretScanningConfigs]
+  | [
+      ProjectPermissionSecretEventActions,
+      ProjectPermissionSub.SecretEvents | (ForcedSubject<ProjectPermissionSub.SecretEvents> & SecretEventSubjectFields)
+    ];

 const SECRET_PATH_MISSING_SLASH_ERR_MSG = "Invalid Secret Path; it must start with a '/'";
 const SECRET_PATH_PERMISSION_OPERATOR_SCHEMA = z.union([
@@ -628,7 +649,7 @@ const GeneralPermissionSchema = [
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.AuditLogs).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionAuditLogsActions).describe(
      "Describe what action an entity can take."
    )
  }),
@@ -877,7 +898,16 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
      "When specified, only matching conditions will be allowed to access given resource."
    ).optional()
  }),
-
+  z.object({
+    subject: z.literal(ProjectPermissionSub.SecretEvents).describe("The entity this permission pertains to."),
+    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretEventActions).describe(
+      "Describe what action an entity can take."
+    ),
+    conditions: SecretSyncConditionV2Schema.describe(
+      "When specified, only matching conditions will be allowed to access given resource."
+    ).optional()
+  }),
  ...GeneralPermissionSchema
 ]);

--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@@ -246,7 +246,7 @@ export const samlConfigServiceFactory = ({
      });
    }

-    const userAlias = await userAliasDAL.findOne({
+    let userAlias = await userAliasDAL.findOne({
      externalId,
      orgId,
      aliasType: UserAliasType.SAML
@@ -320,15 +320,13 @@ export const samlConfigServiceFactory = ({

      user = await userDAL.transaction(async (tx) => {
        let newUser: TUsers | undefined;
-        if (serverCfg.trustSamlEmails) {
-          newUser = await userDAL.findOne(
-            {
-              email,
-              isEmailVerified: true
-            },
-            tx
-          );
-        }
+        newUser = await userDAL.findOne(
+          {
+            email,
+            isEmailVerified: true
+          },
+          tx
+        );

        if (!newUser) {
          const uniqueUsername = await normalizeUsername(`${firstName ?? ""}-${lastName ?? ""}`, userDAL);
@@ -346,13 +344,14 @@ export const samlConfigServiceFactory = ({
          );
        }

-        await userAliasDAL.create(
+        userAlias = await userAliasDAL.create(
          {
            userId: newUser.id,
            aliasType: UserAliasType.SAML,
            externalId,
            emails: email ? [email] : [],
-            orgId
+            orgId,
+            isEmailVerified: serverCfg.trustSamlEmails
          },
          tx
        );
@@ -410,21 +409,21 @@ export const samlConfigServiceFactory = ({
    }
    await licenseService.updateSubscriptionOrgMemberCount(organization.id);

-    const isUserCompleted = Boolean(user.isAccepted && user.isEmailVerified);
-    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
+    const isUserCompleted = Boolean(user.isAccepted && user.isEmailVerified && userAlias.isEmailVerified);
    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
+        ...(user.email && { email: user.email, isEmailVerified: userAlias.isEmailVerified }),
        firstName,
        lastName,
        organizationName: organization.name,
        organizationId: organization.id,
        organizationSlug: organization.slug,
        authMethod: authProvider,
-        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
+        hasExchangedPrivateKey: true,
+        aliasId: userAlias.id,
        authType: UserAliasType.SAML,
        isUserCompleted,
        ...(relayState
@@ -441,10 +440,11 @@ export const samlConfigServiceFactory = ({

    await samlConfigDAL.update({ orgId }, { lastUsed: new Date() });

-    if (user.email && !user.isEmailVerified) {
+    if (user.email && !userAlias.isEmailVerified) {
      const token = await tokenService.createTokenForUser({
        type: TokenType.TOKEN_EMAIL_VERIFICATION,
-        userId: user.id
+        userId: user.id,
+        aliasId: userAlias.id
      });

      await smtpService.sendMail({
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
@@ -4,6 +4,7 @@ import { TDbClient } from "@app/db";
 import {
  SecretApprovalRequestsSchema,
  TableName,
+  TOrgMemberships,
  TSecretApprovalRequests,
  TSecretApprovalRequestsSecrets,
  TUserGroupMembership,
@@ -107,11 +108,32 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        `${TableName.SecretApprovalRequestReviewer}.reviewerUserId`,
        `secretApprovalReviewerUser.id`
      )
+
+      .leftJoin<TOrgMemberships>(
+        db(TableName.OrgMembership).as("approverOrgMembership"),
+        `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
+        `approverOrgMembership.userId`
+      )
+
+      .leftJoin<TOrgMemberships>(
+        db(TableName.OrgMembership).as("approverGroupOrgMembership"),
+        `secretApprovalPolicyGroupApproverUser.id`,
+        `approverGroupOrgMembership.userId`
+      )
+
+      .leftJoin<TOrgMemberships>(
+        db(TableName.OrgMembership).as("reviewerOrgMembership"),
+        `${TableName.SecretApprovalRequestReviewer}.reviewerUserId`,
+        `reviewerOrgMembership.userId`
+      )
+
      .select(selectAllTableCols(TableName.SecretApprovalRequest))
      .select(
        tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
        tx.ref("userId").withSchema("approverUserGroupMembership").as("approverGroupUserId"),
        tx.ref("email").withSchema("secretApprovalPolicyApproverUser").as("approverEmail"),
+        tx.ref("isActive").withSchema("approverOrgMembership").as("approverIsOrgMembershipActive"),
+        tx.ref("isActive").withSchema("approverGroupOrgMembership").as("approverGroupIsOrgMembershipActive"),
        tx.ref("email").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
        tx.ref("username").withSchema("secretApprovalPolicyApproverUser").as("approverUsername"),
        tx.ref("username").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupUsername"),
@@ -148,6 +170,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        tx.ref("username").withSchema("secretApprovalReviewerUser").as("reviewerUsername"),
        tx.ref("firstName").withSchema("secretApprovalReviewerUser").as("reviewerFirstName"),
        tx.ref("lastName").withSchema("secretApprovalReviewerUser").as("reviewerLastName"),
+        tx.ref("isActive").withSchema("reviewerOrgMembership").as("reviewerIsOrgMembershipActive"),
        tx.ref("id").withSchema(TableName.SecretApprovalPolicy).as("policyId"),
        tx.ref("name").withSchema(TableName.SecretApprovalPolicy).as("policyName"),
        tx.ref("projectId").withSchema(TableName.Environment),
@@ -157,7 +180,11 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        tx.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
        tx.ref("allowedSelfApprovals").withSchema(TableName.SecretApprovalPolicy).as("policyAllowedSelfApprovals"),
        tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
-        tx.ref("deletedAt").withSchema(TableName.SecretApprovalPolicy).as("policyDeletedAt")
+        tx.ref("deletedAt").withSchema(TableName.SecretApprovalPolicy).as("policyDeletedAt"),
+        tx
+          .ref("shouldCheckSecretPermission")
+          .withSchema(TableName.SecretApprovalPolicy)
+          .as("policySecretReadAccessCompat")
      );

  const findById = async (id: string, tx?: Knex) => {
@@ -197,7 +224,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            enforcementLevel: el.policyEnforcementLevel,
            envId: el.policyEnvId,
            deletedAt: el.policyDeletedAt,
-            allowedSelfApprovals: el.policyAllowedSelfApprovals
+            allowedSelfApprovals: el.policyAllowedSelfApprovals,
+            shouldCheckSecretPermission: el.policySecretReadAccessCompat
          }
        }),
        childrenMapper: [
@@ -211,9 +239,21 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              reviewerLastName: lastName,
              reviewerUsername: username,
              reviewerFirstName: firstName,
-              reviewerComment: comment
+              reviewerComment: comment,
+              reviewerIsOrgMembershipActive: isOrgMembershipActive
            }) =>
-              userId ? { userId, status, email, firstName, lastName, username, comment: comment ?? "" } : undefined
+              userId
+                ? {
+                    userId,
+                    status,
+                    email,
+                    firstName,
+                    lastName,
+                    username,
+                    comment: comment ?? "",
+                    isOrgMembershipActive
+                  }
+                : undefined
          },
          {
            key: "approverUserId",
@@ -223,13 +263,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              approverEmail: email,
              approverUsername: username,
              approverLastName: lastName,
-              approverFirstName: firstName
+              approverFirstName: firstName,
+              approverIsOrgMembershipActive: isOrgMembershipActive
            }) => ({
              userId,
              email,
              firstName,
              lastName,
-              username
+              username,
+              isOrgMembershipActive
            })
          },
          {
@@ -240,13 +282,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              approverGroupEmail: email,
              approverGroupUsername: username,
              approverGroupLastName: lastName,
-              approverGroupFirstName: firstName
+              approverGroupFirstName: firstName,
+              approverGroupIsOrgMembershipActive: isOrgMembershipActive
            }) => ({
              userId,
              email,
              firstName,
              lastName,
-              username
+              username,
+              isOrgMembershipActive
            })
          },
          {
@@ -653,14 +697,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
          db.ref("lastName").withSchema("committerUser").as("committerUserLastName")
        )
-        .distinctOn(`${TableName.SecretApprovalRequest}.id`)
        .as("inner");

-      const query = (tx || db)
-        .select("*")
+      const countQuery = (await (tx || db)
        .select(db.raw("count(*) OVER() as total_count"))
-        .from(innerQuery)
-        .orderBy("createdAt", "desc") as typeof innerQuery;
+        .from(innerQuery.clone().distinctOn(`${TableName.SecretApprovalRequest}.id`))) as Array<{
+        total_count: number;
+      }>;
+
+      const query = (tx || db).select("*").from(innerQuery).orderBy("createdAt", "desc") as typeof innerQuery;

      if (search) {
        void query.where((qb) => {
@@ -686,8 +731,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        .where("w.rank", ">=", rankOffset)
        .andWhere("w.rank", "<", rankOffset + limit);

-      // @ts-expect-error knex does not infer
-      const totalCount = Number(docs[0]?.total_count || 0);
+      const totalCount = Number(countQuery[0]?.total_count || 0);

      const formattedDoc = sqlNestRelationships({
        data: docs,
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -258,6 +258,7 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

    const secretApprovalRequest = await secretApprovalRequestDAL.findById(id);
+
    if (!secretApprovalRequest)
      throw new NotFoundError({ message: `Secret approval request with ID '${id}' not found` });

@@ -280,13 +281,22 @@ export const secretApprovalRequestServiceFactory = ({
    ) {
      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
    }
-    const getHasSecretReadAccess = (environment: string, tags: { slug: string }[], secretPath?: string) => {
-      const canRead = hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
-        environment,
-        secretPath: secretPath || "/",
-        secretTags: tags.map((i) => i.slug)
-      });
-      return canRead;
+    const getHasSecretReadAccess = (
+      shouldCheckSecretPermission: boolean | null | undefined,
+      environment: string,
+      tags: { slug: string }[],
+      secretPath?: string
+    ) => {
+      if (shouldCheckSecretPermission) {
+        const canRead = hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
+          environment,
+          secretPath: secretPath || "/",
+          secretTags: tags.map((i) => i.slug)
+        });
+        return canRead;
+      }
+
+      return true;
    };

    let secrets;
@@ -308,8 +318,18 @@ export const secretApprovalRequestServiceFactory = ({
        version: el.version,
        secretMetadata: el.secretMetadata as ResourceMetadataDTO,
        isRotatedSecret: el.secret?.isRotatedSecret ?? false,
-        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
-        secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
+        secretValueHidden: !getHasSecretReadAccess(
+          secretApprovalRequest.policy.shouldCheckSecretPermission,
+          secretApprovalRequest.environment,
+          el.tags,
+          secretPath?.[0]?.path
+        ),
+        secretValue: !getHasSecretReadAccess(
+          secretApprovalRequest.policy.shouldCheckSecretPermission,
+          secretApprovalRequest.environment,
+          el.tags,
+          secretPath?.[0]?.path
+        )
          ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
          : el.secret && el.secret.isRotatedSecret
            ? undefined
@@ -325,11 +345,17 @@ export const secretApprovalRequestServiceFactory = ({
              id: el.secret.id,
              version: el.secret.version,
              secretValueHidden: !getHasSecretReadAccess(
+                secretApprovalRequest.policy.shouldCheckSecretPermission,
                secretApprovalRequest.environment,
                el.tags,
                secretPath?.[0]?.path
              ),
-              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
+              secretValue: !getHasSecretReadAccess(
+                secretApprovalRequest.policy.shouldCheckSecretPermission,
+                secretApprovalRequest.environment,
+                el.tags,
+                secretPath?.[0]?.path
+              )
                ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                : el.secret.encryptedValue
                  ? secretManagerDecryptor({ cipherTextBlob: el.secret.encryptedValue }).toString()
@@ -345,11 +371,17 @@ export const secretApprovalRequestServiceFactory = ({
              id: el.secretVersion.id,
              version: el.secretVersion.version,
              secretValueHidden: !getHasSecretReadAccess(
+                secretApprovalRequest.policy.shouldCheckSecretPermission,
                secretApprovalRequest.environment,
                el.tags,
                secretPath?.[0]?.path
              ),
-              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
+              secretValue: !getHasSecretReadAccess(
+                secretApprovalRequest.policy.shouldCheckSecretPermission,
+                secretApprovalRequest.environment,
+                el.tags,
+                secretPath?.[0]?.path
+              )
                ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                : el.secretVersion.encryptedValue
                  ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedValue }).toString()
@@ -367,7 +399,12 @@ export const secretApprovalRequestServiceFactory = ({
      const encryptedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
      secrets = encryptedSecrets.map((el) => ({
        ...el,
-        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
+        secretValueHidden: !getHasSecretReadAccess(
+          secretApprovalRequest.policy.shouldCheckSecretPermission,
+          secretApprovalRequest.environment,
+          el.tags,
+          secretPath?.[0]?.path
+        ),
        ...decryptSecretWithBot(el, botKey),
        secret: el.secret
          ? {
@@ -952,13 +989,39 @@ export const secretApprovalRequestServiceFactory = ({
    if (!folder) {
      throw new NotFoundError({ message: `Folder with ID '${folderId}' not found in project with ID '${projectId}'` });
    }
+
+    const { secrets } = mergeStatus;
+
    await secretQueueService.syncSecrets({
      projectId,
      orgId: actorOrgId,
      secretPath: folder.path,
      environmentSlug: folder.environmentSlug,
      actorId,
-      actor
+      actor,
+      event: {
+        created: secrets.created.map((el) => ({
+          environment: folder.environmentSlug,
+          secretPath: folder.path,
+          secretId: el.id,
+          // @ts-expect-error - not present on V1 secrets
+          secretKey: el.key as string
+        })),
+        updated: secrets.updated.map((el) => ({
+          environment: folder.environmentSlug,
+          secretPath: folder.path,
+          secretId: el.id,
+          // @ts-expect-error - not present on V1 secrets
+          secretKey: el.key as string
+        })),
+        deleted: secrets.deleted.map((el) => ({
+          environment: folder.environmentSlug,
+          secretPath: folder.path,
+          secretId: el.id,
+          // @ts-expect-error - not present on V1 secrets
+          secretKey: el.key as string
+        }))
+      }
    });

    if (isSoftEnforcement) {
@@ -1421,6 +1484,7 @@ export const secretApprovalRequestServiceFactory = ({

    const commits: Omit<TSecretApprovalRequestsSecretsV2Insert, "requestId">[] = [];
    const commitTagIds: Record<string, string[]> = {};
+    const existingTagIds: Record<string, string[]> = {};

    const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
@@ -1486,6 +1550,11 @@ export const secretApprovalRequestServiceFactory = ({
          type: SecretType.Shared
        }))
      );
+
+      secretsToUpdateStoredInDB.forEach((el) => {
+        if (el.tags?.length) existingTagIds[el.key] = el.tags.map((i) => i.id);
+      });
+
      if (secretsToUpdateStoredInDB.length !== secretsToUpdate.length)
        throw new NotFoundError({
          message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
@@ -1529,7 +1598,10 @@ export const secretApprovalRequestServiceFactory = ({
            secretMetadata
          }) => {
            const secretId = updatingSecretsGroupByKey[secretKey][0].id;
-            if (tagIds?.length) commitTagIds[newSecretName ?? secretKey] = tagIds;
+            if (tagIds?.length || existingTagIds[secretKey]?.length) {
+              commitTagIds[newSecretName ?? secretKey] = tagIds || existingTagIds[secretKey];
+            }
+
            return {
              ...latestSecretVersions[secretId],
              secretMetadata,
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts
@@ -2,6 +2,7 @@ import { AxiosError } from "axios";

 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";

 import { AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./auth0-client-secret";
@@ -13,9 +14,11 @@ import { MYSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mysql-credentials";
 import { OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./okta-client-secret";
 import { ORACLEDB_CREDENTIALS_ROTATION_LIST_OPTION } from "./oracledb-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
+import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
-import { TSecretRotationV2ServiceFactoryDep } from "./secret-rotation-v2-service";
+import { TSecretRotationV2ServiceFactory, TSecretRotationV2ServiceFactoryDep } from "./secret-rotation-v2-service";
 import {
+  TSecretRotationRotateSecretsJobPayload,
  TSecretRotationV2,
  TSecretRotationV2GeneratedCredentials,
  TSecretRotationV2ListItem,
@@ -74,6 +77,10 @@ export const getNextUtcRotationInterval = (rotateAtUtc?: TSecretRotationV2["rota
  const appCfg = getConfig();

  if (appCfg.isRotationDevelopmentMode) {
+    if (appCfg.isTestMode) {
+      // if its test mode, it should always rotate
+      return new Date(Date.now() + 365 * 24 * 60 * 60 * 1000); // Current time + 1 year
+    }
    return getNextUTCMinuteInterval(rotateAtUtc);
  }

@@ -263,3 +270,51 @@ export const throwOnImmutableParameterUpdate = (
    // do nothing
  }
 };
+
+export const rotateSecretsFns = async ({
+  job,
+  secretRotationV2DAL,
+  secretRotationV2Service
+}: {
+  job: {
+    data: TSecretRotationRotateSecretsJobPayload;
+    id: string;
+    retryCount: number;
+    retryLimit: number;
+  };
+  secretRotationV2DAL: Pick<TSecretRotationV2DALFactory, "findById">;
+  secretRotationV2Service: Pick<TSecretRotationV2ServiceFactory, "rotateGeneratedCredentials">;
+}) => {
+  const { rotationId, queuedAt, isManualRotation } = job.data;
+  const { retryCount, retryLimit } = job;
+
+  const logDetails = `[rotationId=${rotationId}] [jobId=${job.id}] retryCount=[${retryCount}/${retryLimit}]`;
+
+  try {
+    const secretRotation = await secretRotationV2DAL.findById(rotationId);
+
+    if (!secretRotation) throw new Error(`Secret rotation ${rotationId} not found`);
+
+    if (!secretRotation.isAutoRotationEnabled) {
+      logger.info(`secretRotationV2Queue: Skipping Rotation - Auto-Rotation Disabled Since Queue ${logDetails}`);
+    }
+
+    if (new Date(secretRotation.lastRotatedAt).getTime() >= new Date(queuedAt).getTime()) {
+      // rotated since being queued, skip rotation
+      logger.info(`secretRotationV2Queue: Skipping Rotation - Rotated Since Queue ${logDetails}`);
+      return;
+    }
+
+    await secretRotationV2Service.rotateGeneratedCredentials(secretRotation, {
+      jobId: job.id,
+      shouldSendNotification: true,
+      isFinalAttempt: retryCount === retryLimit,
+      isManualRotation
+    });
+
+    logger.info(`secretRotationV2Queue: Secrets Rotated ${logDetails}`);
+  } catch (error) {
+    logger.error(error, `secretRotationV2Queue: Failed to Rotate Secrets ${logDetails}`);
+    throw error;
+  }
+};
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts
@@ -1,9 +1,12 @@
+import { v4 as uuidv4 } from "uuid";
+
 import { ProjectMembershipRole } from "@app/db/schemas";
 import { TSecretRotationV2DALFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-dal";
 import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
 import {
  getNextUtcRotationInterval,
-  getSecretRotationRotateSecretJobOptions
+  getSecretRotationRotateSecretJobOptions,
+  rotateSecretsFns
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-fns";
 import { SECRET_ROTATION_NAME_MAP } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-maps";
 import { TSecretRotationV2ServiceFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-service";
@@ -63,14 +66,34 @@ export const secretRotationV2QueueServiceFactory = async ({
              rotation.lastRotatedAt
            ).toISOString()}] [rotateAt=${new Date(rotation.nextRotationAt!).toISOString()}]`
          );
-          await queueService.queuePg(
-            QueueJobs.SecretRotationV2RotateSecrets,
-            {
-              rotationId: rotation.id,
-              queuedAt: currentTime
-            },
-            getSecretRotationRotateSecretJobOptions(rotation)
-          );
+
+          const data = {
+            rotationId: rotation.id,
+            queuedAt: currentTime
+          } as TSecretRotationRotateSecretsJobPayload;
+
+          if (appCfg.isTestMode) {
+            logger.warn("secretRotationV2Queue: Manually rotating secrets for test mode");
+            await rotateSecretsFns({
+              job: {
+                id: uuidv4(),
+                data,
+                retryCount: 0,
+                retryLimit: 0
+              },
+              secretRotationV2DAL,
+              secretRotationV2Service
+            });
+          } else {
+            await queueService.queuePg(
+              QueueJobs.SecretRotationV2RotateSecrets,
+              {
+                rotationId: rotation.id,
+                queuedAt: currentTime
+              },
+              getSecretRotationRotateSecretJobOptions(rotation)
+            );
+          }
        }
      } catch (error) {
        logger.error(error, "secretRotationV2Queue: Queue Rotations Error:");
@@ -87,38 +110,14 @@ export const secretRotationV2QueueServiceFactory = async ({
  await queueService.startPg<QueueName.SecretRotationV2>(
    QueueJobs.SecretRotationV2RotateSecrets,
    async ([job]) => {
-      const { rotationId, queuedAt, isManualRotation } = job.data as TSecretRotationRotateSecretsJobPayload;
-      const { retryCount, retryLimit } = job;
-
-      const logDetails = `[rotationId=${rotationId}] [jobId=${job.id}] retryCount=[${retryCount}/${retryLimit}]`;
-
-      try {
-        const secretRotation = await secretRotationV2DAL.findById(rotationId);
-
-        if (!secretRotation) throw new Error(`Secret rotation ${rotationId} not found`);
-
-        if (!secretRotation.isAutoRotationEnabled) {
-          logger.info(`secretRotationV2Queue: Skipping Rotation - Auto-Rotation Disabled Since Queue ${logDetails}`);
-        }
-
-        if (new Date(secretRotation.lastRotatedAt).getTime() >= new Date(queuedAt).getTime()) {
-          // rotated since being queued, skip rotation
-          logger.info(`secretRotationV2Queue: Skipping Rotation - Rotated Since Queue ${logDetails}`);
-          return;
-        }
-
-        await secretRotationV2Service.rotateGeneratedCredentials(secretRotation, {
-          jobId: job.id,
-          shouldSendNotification: true,
-          isFinalAttempt: retryCount === retryLimit,
-          isManualRotation
-        });
-
-        logger.info(`secretRotationV2Queue: Secrets Rotated ${logDetails}`);
-      } catch (error) {
-        logger.error(error, `secretRotationV2Queue: Failed to Rotate Secrets ${logDetails}`);
-        throw error;
-      }
+      await rotateSecretsFns({
+        job: {
+          ...job,
+          data: job.data as TSecretRotationRotateSecretsJobPayload
+        },
+        secretRotationV2DAL,
+        secretRotationV2Service
+      });
    },
    {
      batchSize: 1,
--- a/backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-fns.ts
+++ b/backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-fns.ts
@@ -58,9 +58,9 @@ export function scanDirectory(inputPath: string, outputPath: string, configPath?
  });
 }

-export function scanFile(inputPath: string): Promise<void> {
+export function scanFile(inputPath: string, configPath?: string): Promise<void> {
  return new Promise((resolve, reject) => {
-    const command = `infisical scan --exit-code=77 --source "${inputPath}" --no-git`;
+    const command = `infisical scan --exit-code=77 --source "${inputPath}" --no-git ${configPath ? `-c ${configPath}` : ""}`;
    exec(command, (error) => {
      if (error && error.code === 77) {
        reject(error);
@@ -166,6 +166,20 @@ export const parseScanErrorMessage = (err: unknown): string => {
    : `${errorMessage.substring(0, MAX_MESSAGE_LENGTH - 3)}...`;
 };

+const generateSecretValuePolicyConfiguration = (entropy: number): string => `
+# Extend default configuration to preserve existing rules
+[extend]
+useDefault = true
+
+# Add custom high-entropy rule
+[[rules]]
+id = "high-entropy"
+description = "Will scan for high entropy secrets"
+regex = '''.*'''
+entropy = ${entropy}
+keywords = []
+`;
+
 export const scanSecretPolicyViolations = async (
  projectId: string,
  secretPath: string,
@@ -188,14 +202,25 @@ export const scanSecretPolicyViolations = async (

  const tempFolder = await createTempFolder();
  try {
+    const configPath = join(tempFolder, "infisical-scan.toml");
+
+    const secretPolicyConfiguration = generateSecretValuePolicyConfiguration(
+      appCfg.PARAMS_FOLDER_SECRET_DETECTION_ENTROPY
+    );
+
+    await writeTextToFile(configPath, secretPolicyConfiguration);
+
    const scanPromises = secrets
      .filter((secret) => !ignoreValues.includes(secret.secretValue))
      .map(async (secret) => {
-        const secretFilePath = join(tempFolder, `${crypto.nativeCrypto.randomUUID()}.txt`);
-        await writeTextToFile(secretFilePath, `${secret.secretKey}=${secret.secretValue}`);
+        const secretKeyValueFilePath = join(tempFolder, `${crypto.nativeCrypto.randomUUID()}.txt`);
+        const secretValueOnlyFilePath = join(tempFolder, `${crypto.nativeCrypto.randomUUID()}.txt`);
+        await writeTextToFile(secretKeyValueFilePath, `${secret.secretKey}=${secret.secretValue}`);
+        await writeTextToFile(secretValueOnlyFilePath, secret.secretValue);

        try {
-          await scanFile(secretFilePath);
+          await scanFile(secretKeyValueFilePath);
+          await scanFile(secretValueOnlyFilePath, configPath);
        } catch (error) {
          throw new BadRequestError({
            message: `Secret value detected in ${secret.secretKey}. Please add this instead to the designated secrets path in the project.`,
--- a/backend/src/keystore/keystore.ts
+++ b/backend/src/keystore/keystore.ts
@@ -13,7 +13,8 @@ export const PgSqlLock = {
  SecretRotationV2Creation: (folderId: string) => pgAdvisoryLockHashText(`secret-rotation-v2-creation:${folderId}`),
  CreateProject: (orgId: string) => pgAdvisoryLockHashText(`create-project:${orgId}`),
  CreateFolder: (envId: string, projectId: string) => pgAdvisoryLockHashText(`create-folder:${envId}-${projectId}`),
-  SshInit: (projectId: string) => pgAdvisoryLockHashText(`ssh-bootstrap:${projectId}`)
+  SshInit: (projectId: string) => pgAdvisoryLockHashText(`ssh-bootstrap:${projectId}`),
+  IdentityLogin: (identityId: string, nonce: string) => pgAdvisoryLockHashText(`identity-login:${identityId}:${nonce}`)
 } as const;

 // all the key prefixes used must be set here to avoid conflict
@@ -40,6 +41,7 @@ export const KeyStorePrefixes = {
  SecretRotationLock: (rotationId: string) => `secret-rotation-v2-mutex-${rotationId}` as const,
  SecretScanningLock: (dataSourceId: string, resourceExternalId: string) =>
    `secret-scanning-v2-mutex-${dataSourceId}-${resourceExternalId}` as const,
+  IdentityLockoutLock: (lockoutKey: string) => `identity-lockout-lock-${lockoutKey}` as const,
  CaOrderCertificateForSubscriberLock: (subscriberId: string) =>
    `ca-order-certificate-for-subscriber-lock-${subscriberId}` as const,
  SecretSyncLastRunTimestamp: (syncId: string) => `secret-sync-last-run-${syncId}` as const,
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -166,7 +166,12 @@ export const UNIVERSAL_AUTH = {
    accessTokenNumUsesLimit:
      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses.",
    accessTokenPeriod:
-      "The period for an access token in seconds. This value will be referenced at renewal time. Default value is 0."
+      "The period for an access token in seconds. This value will be referenced at renewal time. Default value is 0.",
+    lockoutEnabled: "Whether the lockout feature is enabled.",
+    lockoutThreshold: "The amount of times login must fail before locking the identity auth method.",
+    lockoutDurationSeconds: "How long an identity auth method lockout lasts.",
+    lockoutCounterResetSeconds:
+      "How long to wait from the most recent failed login until resetting the lockout counter."
  },
  RETRIEVE: {
    identityId: "The ID of the identity to retrieve the auth method for."
@@ -181,7 +186,12 @@ export const UNIVERSAL_AUTH = {
    accessTokenTTL: "The new lifetime for an access token in seconds.",
    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
-    accessTokenPeriod: "The new period for an access token in seconds."
+    accessTokenPeriod: "The new period for an access token in seconds.",
+    lockoutEnabled: "Whether the lockout feature is enabled.",
+    lockoutThreshold: "The amount of times login must fail before locking the identity auth method.",
+    lockoutDurationSeconds: "How long an identity auth method lockout lasts.",
+    lockoutCounterResetSeconds:
+      "How long to wait from the most recent failed login until resetting the lockout counter."
  },
  CREATE_CLIENT_SECRET: {
    identityId: "The ID of the identity to create a client secret for.",
@@ -201,6 +211,9 @@ export const UNIVERSAL_AUTH = {
    identityId: "The ID of the identity to revoke the client secret from.",
    clientSecretId: "The ID of the client secret to revoke."
  },
+  CLEAR_CLIENT_LOCKOUTS: {
+    identityId: "The ID of the identity to clear the client lockouts from."
+  },
  RENEW_ACCESS_TOKEN: {
    accessToken: "The access token to renew."
  },
@@ -2148,7 +2161,9 @@ export const CertificateAuthorities = {
      directoryUrl: `The directory URL for the ACME Certificate Authority.`,
      accountEmail: `The email address for the ACME Certificate Authority.`,
      provider: `The DNS provider for the ACME Certificate Authority.`,
-      hostedZoneId: `The hosted zone ID for the ACME Certificate Authority.`
+      hostedZoneId: `The hosted zone ID for the ACME Certificate Authority.`,
+      eabKid: `The External Account Binding (EAB) Key ID for the ACME Certificate Authority. Required if the ACME provider uses EAB.`,
+      eabHmacKey: `The External Account Binding (EAB) HMAC key for the ACME Certificate Authority. Required if the ACME provider uses EAB.`
    },
    INTERNAL: {
      type: "The type of CA to create.",
@@ -2312,6 +2327,15 @@ export const AppConnections = {
    OKTA: {
      instanceUrl: "The URL used to access your Okta organization.",
      apiToken: "The API token used to authenticate with Okta."
+    },
+    AZURE_ADCS: {
+      adcsUrl:
+        "The HTTPS URL of the Azure ADCS instance to connect with (e.g., 'https://adcs.yourdomain.com/certsrv').",
+      username: "The username used to access Azure ADCS (format: 'DOMAIN\\username' or 'username@domain.com').",
+      password: "The password used to access Azure ADCS.",
+      sslRejectUnauthorized:
+        "Whether or not to reject unauthorized SSL certificates (true/false). Set to false only in test environments with self-signed certificates.",
+      sslCertificate: "The SSL certificate (PEM format) to use for secure connection."
    }
  }
 };
@@ -2491,6 +2515,7 @@ export const SecretSyncs = {
    },
    RENDER: {
      serviceId: "The ID of the Render service to sync secrets to.",
+      environmentGroupId: "The ID of the Render environment group to sync secrets to.",
      scope: "The Render scope that secrets should be synced to.",
      type: "The Render resource type to sync secrets to."
    },
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -79,6 +79,7 @@ const envSchema = z
    QUEUE_WORKER_PROFILE: z.nativeEnum(QueueWorkerProfile).default(QueueWorkerProfile.All),
    HTTPS_ENABLED: zodStrBool,
    ROTATION_DEVELOPMENT_MODE: zodStrBool.default("false").optional(),
+    DAILY_RESOURCE_CLEAN_UP_DEVELOPMENT_MODE: zodStrBool.default("false").optional(),
    // smtp options
    SMTP_HOST: zpStr(z.string().optional()),
    SMTP_IGNORE_TLS: zodStrBool.default("false"),
@@ -215,6 +216,7 @@ const envSchema = z
          return JSON.parse(val) as { secretPath: string; projectId: string }[];
        })
    ),
+    PARAMS_FOLDER_SECRET_DETECTION_ENTROPY: z.coerce.number().optional().default(3.7),

    // HSM
    HSM_LIB_PATH: zpStr(z.string().optional()),
@@ -346,7 +348,11 @@ const envSchema = z
    isSmtpConfigured: Boolean(data.SMTP_HOST),
    isRedisConfigured: Boolean(data.REDIS_URL || data.REDIS_SENTINEL_HOSTS),
    isDevelopmentMode: data.NODE_ENV === "development",
-    isRotationDevelopmentMode: data.NODE_ENV === "development" && data.ROTATION_DEVELOPMENT_MODE,
+    isTestMode: data.NODE_ENV === "test",
+    isRotationDevelopmentMode:
+      (data.NODE_ENV === "development" && data.ROTATION_DEVELOPMENT_MODE) || data.NODE_ENV === "test",
+    isDailyResourceCleanUpDevelopmentMode:
+      data.NODE_ENV === "development" && data.DAILY_RESOURCE_CLEAN_UP_DEVELOPMENT_MODE,
    isProductionMode: data.NODE_ENV === "production" || IS_PACKAGED,
    isRedisSentinelMode: Boolean(data.REDIS_SENTINEL_HOSTS),
    REDIS_SENTINEL_HOSTS: data.REDIS_SENTINEL_HOSTS?.trim()
--- a/backend/src/lib/fn/string.ts
+++ b/backend/src/lib/fn/string.ts
@@ -19,3 +19,17 @@ export const prefixWithSlash = (str: string) => {
 const vowelRegex = new RE2(/^[aeiou]/i);

 export const startsWithVowel = (str: string) => vowelRegex.test(str);
+
+const pickWordsRegex = new RE2(/(\W+)/);
+export const sanitizeString = (dto: { unsanitizedString: string; tokens: string[] }) => {
+  const words = dto.unsanitizedString.split(pickWordsRegex);
+
+  const redactionSet = new Set(dto.tokens.filter(Boolean));
+  const sanitizedWords = words.map((el) => {
+    if (redactionSet.has(el)) {
+      return "[REDACTED]";
+    }
+    return el;
+  });
+  return sanitizedWords.join("");
+};
--- a/backend/src/lib/ip/index.test.ts
+++ b/backend/src/lib/ip/index.test.ts
@@ -0,0 +1,121 @@
+import { extractIPDetails, IPType, isValidCidr, isValidIp, isValidIpOrCidr } from "./index";
+
+describe("IP Validation", () => {
+  describe("isValidIp", () => {
+    test("should validate IPv4 addresses with ports", () => {
+      expect(isValidIp("192.168.1.1:8080")).toBe(true);
+      expect(isValidIp("10.0.0.1:1234")).toBe(true);
+      expect(isValidIp("172.16.0.1:80")).toBe(true);
+    });
+
+    test("should validate IPv6 addresses with ports", () => {
+      expect(isValidIp("[2001:db8::1]:8080")).toBe(true);
+      expect(isValidIp("[fe80::1ff:fe23:4567:890a]:1234")).toBe(true);
+      expect(isValidIp("[::1]:80")).toBe(true);
+    });
+
+    test("should validate regular IPv4 addresses", () => {
+      expect(isValidIp("192.168.1.1")).toBe(true);
+      expect(isValidIp("10.0.0.1")).toBe(true);
+      expect(isValidIp("172.16.0.1")).toBe(true);
+    });
+
+    test("should validate regular IPv6 addresses", () => {
+      expect(isValidIp("2001:db8::1")).toBe(true);
+      expect(isValidIp("fe80::1ff:fe23:4567:890a")).toBe(true);
+      expect(isValidIp("::1")).toBe(true);
+    });
+
+    test("should reject invalid IP addresses", () => {
+      expect(isValidIp("256.256.256.256")).toBe(false);
+      expect(isValidIp("192.168.1")).toBe(false);
+      expect(isValidIp("192.168.1.1.1")).toBe(false);
+      expect(isValidIp("2001:db8::1::1")).toBe(false);
+      expect(isValidIp("invalid")).toBe(false);
+    });
+
+    test("should reject malformed IP addresses with ports", () => {
+      expect(isValidIp("192.168.1.1:")).toBe(false);
+      expect(isValidIp("192.168.1.1:abc")).toBe(false);
+      expect(isValidIp("[2001:db8::1]")).toBe(false);
+      expect(isValidIp("[2001:db8::1]:")).toBe(false);
+      expect(isValidIp("[2001:db8::1]:abc")).toBe(false);
+    });
+  });
+
+  describe("isValidCidr", () => {
+    test("should validate IPv4 CIDR blocks", () => {
+      expect(isValidCidr("192.168.1.0/24")).toBe(true);
+      expect(isValidCidr("10.0.0.0/8")).toBe(true);
+      expect(isValidCidr("172.16.0.0/16")).toBe(true);
+    });
+
+    test("should validate IPv6 CIDR blocks", () => {
+      expect(isValidCidr("2001:db8::/32")).toBe(true);
+      expect(isValidCidr("fe80::/10")).toBe(true);
+      expect(isValidCidr("::/0")).toBe(true);
+    });
+
+    test("should reject invalid CIDR blocks", () => {
+      expect(isValidCidr("192.168.1.0/33")).toBe(false);
+      expect(isValidCidr("2001:db8::/129")).toBe(false);
+      expect(isValidCidr("192.168.1.0/abc")).toBe(false);
+      expect(isValidCidr("invalid/24")).toBe(false);
+    });
+  });
+
+  describe("isValidIpOrCidr", () => {
+    test("should validate both IP addresses and CIDR blocks", () => {
+      expect(isValidIpOrCidr("192.168.1.1")).toBe(true);
+      expect(isValidIpOrCidr("2001:db8::1")).toBe(true);
+      expect(isValidIpOrCidr("192.168.1.0/24")).toBe(true);
+      expect(isValidIpOrCidr("2001:db8::/32")).toBe(true);
+    });
+
+    test("should reject invalid inputs", () => {
+      expect(isValidIpOrCidr("invalid")).toBe(false);
+      expect(isValidIpOrCidr("192.168.1.0/33")).toBe(false);
+      expect(isValidIpOrCidr("2001:db8::/129")).toBe(false);
+    });
+  });
+
+  describe("extractIPDetails", () => {
+    test("should extract IPv4 address details", () => {
+      const result = extractIPDetails("192.168.1.1");
+      expect(result).toEqual({
+        ipAddress: "192.168.1.1",
+        type: IPType.IPV4
+      });
+    });
+
+    test("should extract IPv6 address details", () => {
+      const result = extractIPDetails("2001:db8::1");
+      expect(result).toEqual({
+        ipAddress: "2001:db8::1",
+        type: IPType.IPV6
+      });
+    });
+
+    test("should extract IPv4 CIDR details", () => {
+      const result = extractIPDetails("192.168.1.0/24");
+      expect(result).toEqual({
+        ipAddress: "192.168.1.0",
+        type: IPType.IPV4,
+        prefix: 24
+      });
+    });
+
+    test("should extract IPv6 CIDR details", () => {
+      const result = extractIPDetails("2001:db8::/32");
+      expect(result).toEqual({
+        ipAddress: "2001:db8::",
+        type: IPType.IPV6,
+        prefix: 32
+      });
+    });
+
+    test("should throw error for invalid IP", () => {
+      expect(() => extractIPDetails("invalid")).toThrow("Failed to extract IP details");
+    });
+  });
+});
--- a/Show More
+++ b/Show More