feat: refactored the systemd service to seperate package file

add system md service for gateway
Merge pull request #3210 from akhilmhdh/fix/gateway-patch-up
2025-08-31 15:32:32 +00:00 · 2025-03-10 16:03:51 +05:30 · 2025-03-09 16:07:33 -04:00 · 2025-03-09 14:03:21 -04:00 · 2025-03-09 22:06:27 +05:30 · 2025-03-09 21:37:28 +05:30
50 changed files with 1278 additions and 438 deletions
--- a/.github/workflows/check-api-for-breaking-changes.yml
+++ b/.github/workflows/check-api-for-breaking-changes.yml
@@ -35,7 +35,20 @@ jobs:
          echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
          echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
          echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
-          docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET -e ENCRYPTION_KEY=$ENCRYPTION_KEY --env-file .env --entrypoint '/bin/sh' infisical-api
+
+          echo "Examining built image:"
+          docker image inspect infisical-api | grep -A 5 "Entrypoint"
+          
+          docker run --name infisical-api -d -p 4000:4000 \
+            -e DB_CONNECTION_URI=$DB_CONNECTION_URI \
+            -e REDIS_URL=$REDIS_URL \
+            -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET \
+            -e ENCRYPTION_KEY=$ENCRYPTION_KEY \
+            --env-file .env \
+            infisical-api
+          
+          echo "Container status right after creation:"
+          docker ps -a | grep infisical-api
        env:
          REDIS_URL: redis://172.17.0.1:6379
          DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
@@ -49,21 +62,33 @@ jobs:
          SECONDS=0
          HEALTHY=0
          while [ $SECONDS -lt 60 ]; do
-            if docker ps | grep infisical-api | grep -q healthy; then
-              echo "Container is healthy."
-              HEALTHY=1
+            # Check if container is running
+            if docker ps | grep infisical-api; then
+              # Try to access the API endpoint
+              if curl -s -f http://localhost:4000/api/docs/json > /dev/null 2>&1; then
+                echo "API endpoint is responding. Container seems healthy."
+                HEALTHY=1
+                break
+              fi
+            else
+              echo "Container is not running!"
+              docker ps -a | grep infisical-api
              break
            fi
+            
            echo "Waiting for container to be healthy... ($SECONDS seconds elapsed)"
-
-            docker logs infisical-api
-
-            sleep 2
-            SECONDS=$((SECONDS+2))
+            sleep 5
+            SECONDS=$((SECONDS+5))
          done
-
+          
          if [ $HEALTHY -ne 1 ]; then
            echo "Container did not become healthy in time"
+            echo "Container status:"
+            docker ps -a | grep infisical-api
+            echo "Container logs (if any):"
+            docker logs infisical-api || echo "No logs available"
+            echo "Container inspection:"
+            docker inspect infisical-api | grep -A 5 "State"
            exit 1
          fi
      - name: Install openapi-diff
@@ -71,7 +96,8 @@ jobs:
      - name: Running OpenAPI Spec diff action
        run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
      - name: cleanup
+        if: always()
        run: |
          docker compose -f "docker-compose.dev.yml" down
-          docker stop infisical-api
-          docker remove infisical-api
+          docker stop infisical-api || true
+          docker rm infisical-api || true
--- a/backend/src/db/migrations/20250305131152_add-actor-id-to-secret-versions-v2.ts
+++ b/backend/src/db/migrations/20250305131152_add-actor-id-to-secret-versions-v2.ts
@@ -0,0 +1,45 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
+    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
+    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
+    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
+
+    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
+      if (!hasSecretVersionV2UserActorId) {
+        t.uuid("userActorId");
+        t.foreign("userActorId").references("id").inTable(TableName.Users);
+      }
+      if (!hasSecretVersionV2IdentityActorId) {
+        t.uuid("identityActorId");
+        t.foreign("identityActorId").references("id").inTable(TableName.Identity);
+      }
+      if (!hasSecretVersionV2ActorType) {
+        t.string("actorType");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
+    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
+    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
+    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
+
+    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
+      if (hasSecretVersionV2UserActorId) {
+        t.dropColumn("userActorId");
+      }
+      if (hasSecretVersionV2IdentityActorId) {
+        t.dropColumn("identityActorId");
+      }
+      if (hasSecretVersionV2ActorType) {
+        t.dropColumn("actorType");
+      }
+    });
+  }
+}
--- a/backend/src/db/schemas/secret-versions-v2.ts
+++ b/backend/src/db/schemas/secret-versions-v2.ts
@@ -25,7 +25,10 @@ export const SecretVersionsV2Schema = z.object({
  folderId: z.string().uuid(),
  userId: z.string().uuid().nullable().optional(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  userActorId: z.string().uuid().nullable().optional(),
+  identityActorId: z.string().uuid().nullable().optional(),
+  actorType: z.string().nullable().optional()
 });

 export type TSecretVersionsV2 = z.infer<typeof SecretVersionsV2Schema>;
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -503,7 +503,7 @@ export const secretApprovalRequestServiceFactory = ({
    if (!hasMinApproval && !isSoftEnforcement)
      throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });

-    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
+    const { botKey, shouldUseSecretV2Bridge, project } = await projectBotService.getBotKey(projectId);
    let mergeStatus;
    if (shouldUseSecretV2Bridge) {
      // this cycle if for bridged secrets
@@ -861,7 +861,6 @@ export const secretApprovalRequestServiceFactory = ({

    if (isSoftEnforcement) {
      const cfg = getConfig();
-      const project = await projectDAL.findProjectById(projectId);
      const env = await projectEnvDAL.findOne({ id: policy.envId });
      const requestedByUser = await userDAL.findOne({ id: actorId });
      const approverUsers = await userDAL.find({
@@ -1156,7 +1155,8 @@ export const secretApprovalRequestServiceFactory = ({
          environment: env.name,
          secretPath,
          projectId,
-          requestId: secretApprovalRequest.id
+          requestId: secretApprovalRequest.id,
+          secretKeys: [...new Set(Object.values(data).flatMap((arr) => arr?.map((item) => item.secretName) ?? []))]
        }
      }
    });
@@ -1456,7 +1456,8 @@ export const secretApprovalRequestServiceFactory = ({
          environment: env.name,
          secretPath,
          projectId,
-          requestId: secretApprovalRequest.id
+          requestId: secretApprovalRequest.id,
+          secretKeys: [...new Set(Object.values(data).flatMap((arr) => arr?.map((item) => item.secretKey) ?? []))]
        }
      }
    });
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
@@ -13,6 +13,7 @@ import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
+import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -332,6 +333,7 @@ export const secretRotationQueueFactory = ({
          await secretVersionV2BridgeDAL.insertMany(
            updatedSecrets.map(({ id, updatedAt, createdAt, ...el }) => ({
              ...el,
+              actorType: ActorType.PLATFORM,
              secretId: id
            })),
            tx
--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@@ -7,6 +7,7 @@ import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
+import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -370,7 +371,21 @@ export const secretSnapshotServiceFactory = ({
        const secrets = await secretV2BridgeDAL.insertMany(
          rollbackSnaps.flatMap(({ secretVersions, folderId }) =>
            secretVersions.map(
-              ({ latestSecretVersion, version, updatedAt, createdAt, secretId, envId, id, tags, ...el }) => ({
+              ({
+                latestSecretVersion,
+                version,
+                updatedAt,
+                createdAt,
+                secretId,
+                envId,
+                id,
+                tags,
+                // exclude the bottom fields from the secret - they are for versioning only.
+                userActorId,
+                identityActorId,
+                actorType,
+                ...el
+              }) => ({
                ...el,
                id: secretId,
                version: deletedTopLevelSecsGroupById[secretId] ? latestSecretVersion + 1 : latestSecretVersion,
@@ -401,8 +416,18 @@ export const secretSnapshotServiceFactory = ({
          })),
          tx
        );
+        const userActorId = actor === ActorType.USER ? actorId : undefined;
+        const identityActorId = actor !== ActorType.USER ? actorId : undefined;
+        const actorType = actor || ActorType.PLATFORM;
+
        const secretVersions = await secretVersionV2BridgeDAL.insertMany(
-          secrets.map(({ id, updatedAt, createdAt, ...el }) => ({ ...el, secretId: id })),
+          secrets.map(({ id, updatedAt, createdAt, ...el }) => ({
+            ...el,
+            secretId: id,
+            userActorId,
+            identityActorId,
+            actorType
+          })),
          tx
        );
        await secretVersionV2TagBridgeDAL.insertMany(
--- a/backend/src/lib/gateway/index.ts
+++ b/backend/src/lib/gateway/index.ts
@@ -2,7 +2,7 @@
 import crypto from "node:crypto";
 import net from "node:net";

-import * as quic from "@infisical/quic";
+import quicDefault, * as quicModule from "@infisical/quic";

 import { BadRequestError } from "../errors";
 import { logger } from "../logger";
@@ -10,6 +10,8 @@ import { logger } from "../logger";
 const DEFAULT_MAX_RETRIES = 3;
 const DEFAULT_RETRY_DELAY = 1000; // 1 second

+const quic = quicDefault || quicModule;
+
 const parseSubjectDetails = (data: string) => {
  const values: Record<string, string> = {};
  data.split("\n").forEach((el) => {
@@ -94,6 +96,7 @@ export const pingGatewayAndVerify = async ({
      error: err as Error
    });
  });
+
  for (let attempt = 1; attempt <= maxRetries; attempt += 1) {
    try {
      const stream = quicClient.connection.newStream("bidi");
@@ -106,17 +109,13 @@ export const pingGatewayAndVerify = async ({
      const { value, done } = await reader.read();

      if (done) {
-        throw new BadRequestError({
-          message: "Gateway closed before receiving PONG"
-        });
+        throw new Error("Gateway closed before receiving PONG");
      }

      const response = Buffer.from(value).toString();

      if (response !== "PONG\n" && response !== "PONG") {
-        throw new BadRequestError({
-          message: `Failed to Ping. Unexpected response: ${response}`
-        });
+        throw new Error(`Failed to Ping. Unexpected response: ${response}`);
      }

      reader.releaseLock();
@@ -144,6 +143,7 @@ interface TProxyServer {
  server: net.Server;
  port: number;
  cleanup: () => Promise<void>;
+  getProxyError: () => string;
 }

 const setupProxyServer = async ({
@@ -168,6 +168,7 @@ const setupProxyServer = async ({
      error: err as Error
    });
  });
+  const proxyErrorMsg = [""];

  return new Promise((resolve, reject) => {
    const server = net.createServer();
@@ -183,31 +184,33 @@ const setupProxyServer = async ({
        const forwardWriter = stream.writable.getWriter();
        await forwardWriter.write(Buffer.from(`FORWARD-TCP ${targetHost}:${targetPort}\n`));
        forwardWriter.releaseLock();
-        /* eslint-disable @typescript-eslint/no-misused-promises */
+
        // Set up bidirectional copy
-        const setupCopy = async () => {
+        const setupCopy = () => {
          // Client to QUIC
          // eslint-disable-next-line
          (async () => {
-            try {
-              const writer = stream.writable.getWriter();
+            const writer = stream.writable.getWriter();

-              // Create a handler for client data
-              clientConn.on("data", async (chunk) => {
-                await writer.write(chunk);
+            // Create a handler for client data
+            clientConn.on("data", (chunk) => {
+              writer.write(chunk).catch((err) => {
+                proxyErrorMsg.push((err as Error)?.message);
              });
+            });

-              // Handle client connection close
-              clientConn.on("end", async () => {
-                await writer.close();
+            // Handle client connection close
+            clientConn.on("end", () => {
+              writer.close().catch((err) => {
+                logger.error(err);
              });
+            });

-              clientConn.on("error", async (err) => {
-                await writer.abort(err);
+            clientConn.on("error", (clientConnErr) => {
+              writer.abort(clientConnErr?.message).catch((err) => {
+                proxyErrorMsg.push((err as Error)?.message);
              });
-            } catch (err) {
-              clientConn.destroy();
-            }
+            });
          })();

          // QUIC to Client
@@ -236,15 +239,18 @@ const setupProxyServer = async ({
                }
              }
            } catch (err) {
+              proxyErrorMsg.push((err as Error)?.message);
              clientConn.destroy();
            }
          })();
        };
-        await setupCopy();
-        //
+
+        setupCopy();
        // Handle connection closure
-        clientConn.on("close", async () => {
-          await stream.destroy();
+        clientConn.on("close", () => {
+          stream.destroy().catch((err) => {
+            proxyErrorMsg.push((err as Error)?.message);
+          });
        });

        const cleanup = async () => {
@@ -252,13 +258,18 @@ const setupProxyServer = async ({
          await stream.destroy();
        };

-        clientConn.on("error", (err) => {
-          logger.error(err, "Client socket error");
-          void cleanup();
-          reject(err);
+        clientConn.on("error", (clientConnErr) => {
+          logger.error(clientConnErr, "Client socket error");
+          cleanup().catch((err) => {
+            logger.error(err, "Client conn cleanup");
+          });
        });

-        clientConn.on("end", cleanup);
+        clientConn.on("end", () => {
+          cleanup().catch((err) => {
+            logger.error(err, "Client conn end");
+          });
+        });
      } catch (err) {
        logger.error(err, "Failed to establish target connection:");
        clientConn.end();
@@ -270,12 +281,12 @@ const setupProxyServer = async ({
      reject(err);
    });

-    server.on("close", async () => {
-      await quicClient?.destroy();
+    server.on("close", () => {
+      quicClient?.destroy().catch((err) => {
+        logger.error(err, "Failed to destroy quic client");
+      });
    });

-    /* eslint-enable */
-
    server.listen(0, () => {
      const address = server.address();
      if (!address || typeof address === "string") {
@@ -291,7 +302,8 @@ const setupProxyServer = async ({
        cleanup: async () => {
          server.close();
          await quicClient?.destroy();
-        }
+        },
+        getProxyError: () => proxyErrorMsg.join(",")
      });
    });
  });
@@ -314,7 +326,7 @@ export const withGatewayProxy = async (
  const { relayHost, relayPort, targetHost, targetPort, tlsOptions, identityId, orgId } = options;

  // Setup the proxy server
-  const { port, cleanup } = await setupProxyServer({
+  const { port, cleanup, getProxyError } = await setupProxyServer({
    targetHost,
    targetPort,
    relayPort,
@@ -328,8 +340,12 @@ export const withGatewayProxy = async (
    // Execute the callback with the allocated port
    await callback(port);
  } catch (err) {
-    logger.error(err, "Failed to proxy");
-    throw new BadRequestError({ message: (err as Error)?.message });
+    const proxyErrorMessage = getProxyError();
+    if (proxyErrorMessage) {
+      logger.error(new Error(proxyErrorMessage), "Failed to proxy");
+    }
+    logger.error(err, "Failed to do gateway");
+    throw new BadRequestError({ message: proxyErrorMessage || (err as Error)?.message });
  } finally {
    // Ensure cleanup happens regardless of success or failure
    await cleanup();
--- a/backend/src/lib/turn/credentials.ts
+++ b/backend/src/lib/turn/credentials.ts
@@ -1,6 +1,6 @@
 import crypto from "node:crypto";

-const TURN_TOKEN_TTL = 60 * 60 * 1000; // 24 hours in milliseconds
+const TURN_TOKEN_TTL = 24 * 60 * 60 * 1000; // 24 hours in milliseconds
 export const getTurnCredentials = (id: string, authSecret: string, ttl = TURN_TOKEN_TTL) => {
  const timestamp = Math.floor((Date.now() + ttl) / 1000);
  const username = `${timestamp}:${id}`;
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@@ -83,6 +83,14 @@ const run = async () => {
    process.exit(0);
  });

+  process.on("uncaughtException", (error) => {
+    logger.error(error, "CRITICAL ERROR: Uncaught Exception");
+  });
+
+  process.on("unhandledRejection", (error) => {
+    logger.error(error, "CRITICAL ERROR: Unhandled Promise Rejection");
+  });
+
  await server.listen({
    port: envConfig.PORT,
    host: envConfig.HOST,
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@@ -21,6 +21,7 @@ import {
  TQueueSecretSyncSyncSecretsByIdDTO,
  TQueueSendSecretSyncActionFailedNotificationsDTO
 } from "@app/services/secret-sync/secret-sync-types";
+import { TWebhookPayloads } from "@app/services/webhook/webhook-types";

 export enum QueueName {
  SecretRotation = "secret-rotation",
@@ -107,7 +108,7 @@ export type TQueueJobTypes = {
  };
  [QueueName.SecretWebhook]: {
    name: QueueJobs.SecWebhook;
-    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
+    payload: TWebhookPayloads;
  };

  [QueueName.AccessTokenStatusUpdate]:
--- a/backend/src/server/lib/utils.ts
+++ b/backend/src/server/lib/utils.ts
@@ -1,8 +0,0 @@
-export const QUERY_TIMEOUT = 121000; // 2 mins (query timeout) with padding
-
-export const extendTimeout =
-  (timeoutMs: number) =>
-  (request: { raw: { socket: { setTimeout: (ms: number) => void } } }, reply: unknown, done: () => void) => {
-    request.raw.socket.setTimeout(timeoutMs);
-    done();
-  };
--- a/backend/src/server/routes/sanitizedSchemas.ts
+++ b/backend/src/server/routes/sanitizedSchemas.ts
@@ -111,7 +111,16 @@ export const secretRawSchema = z.object({
  secretReminderRepeatDays: z.number().nullable().optional(),
  skipMultilineEncoding: z.boolean().default(false).nullable().optional(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  actor: z
+    .object({
+      actorId: z.string().nullable().optional(),
+      actorType: z.string().nullable().optional(),
+      name: z.string().nullable().optional(),
+      membershipId: z.string().nullable().optional()
+    })
+    .optional()
+    .nullable()
 });

 export const ProjectPermissionSchema = z.object({
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -14,7 +14,6 @@ import { AUDIT_LOGS, ORGANIZATIONS } from "@app/lib/api-docs";
 import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
-import { extendTimeout, QUERY_TIMEOUT } from "@app/server/lib/utils";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode, MfaMethod } from "@app/services/auth/auth-type";
 import { sanitizedOrganizationSchema } from "@app/services/org/org-schema";
@@ -109,7 +108,6 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
    config: {
      rateLimit: readLimit
    },
-    preHandler: extendTimeout(QUERY_TIMEOUT),
    schema: {
      description: "Get all audit logs for an organization",
      querystring: z.object({
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@@ -380,6 +380,48 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    method: "GET",
+    url: "/raw/id/:secretId",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      params: z.object({
+        secretId: z.string()
+      }),
+      response: {
+        200: z.object({
+          secret: secretRawSchema.extend({
+            secretPath: z.string(),
+            tags: SecretTagsSchema.pick({
+              id: true,
+              slug: true,
+              color: true
+            })
+              .extend({ name: z.string() })
+              .array()
+              .optional(),
+            secretMetadata: ResourceMetadataSchema.optional()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { secretId } = req.params;
+      const secret = await server.services.secret.getSecretByIdRaw({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        secretId
+      });
+
+      return { secret };
+    }
+  });
+
  server.route({
    method: "GET",
    url: "/raw/:secretName",
--- a/backend/src/services/external-migration/external-migration-fns.ts
+++ b/backend/src/services/external-migration/external-migration-fns.ts
@@ -772,6 +772,10 @@ export const importDataIntoInfisicalFn = async ({
            secretVersionDAL,
            secretTagDAL,
            secretVersionTagDAL,
+            actor: {
+              type: actor,
+              actorId
+            },
            tx
          });
        }
--- a/backend/src/services/integration-auth/integration-auth-service.ts
+++ b/backend/src/services/integration-auth/integration-auth-service.ts
@@ -114,20 +114,27 @@ export const integrationAuthServiceFactory = ({
  const listOrgIntegrationAuth = async ({ actorId, actor, actorOrgId, actorAuthMethod }: TGenericPermission) => {
    const authorizations = await integrationAuthDAL.getByOrg(actorOrgId as string);

-    return Promise.all(
-      authorizations.filter(async (auth) => {
-        const { permission } = await permissionService.getProjectPermission({
-          actor,
-          actorId,
-          projectId: auth.projectId,
-          actorAuthMethod,
-          actorOrgId,
-          actionProjectType: ActionProjectType.SecretManager
-        });
+    const filteredAuthorizations = await Promise.all(
+      authorizations.map(async (auth) => {
+        try {
+          const { permission } = await permissionService.getProjectPermission({
+            actor,
+            actorId,
+            projectId: auth.projectId,
+            actorAuthMethod,
+            actorOrgId,
+            actionProjectType: ActionProjectType.SecretManager
+          });

-        return permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+          return permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations) ? auth : null;
+        } catch (error) {
+          // user does not belong to the project that the integration auth belongs to
+          return null;
+        }
      })
    );
+
+    return filteredAuthorizations.filter((auth): auth is NonNullable<typeof auth> => auth !== null);
  };

  const getIntegrationAuth = async ({ actor, id, actorId, actorAuthMethod, actorOrgId }: TGetIntegrationAuthDTO) => {
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
@@ -613,6 +613,9 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
          `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
          `${TableName.SecretTag}.id`
        )
+
+        .leftJoin(TableName.SecretFolder, `${TableName.SecretV2}.folderId`, `${TableName.SecretFolder}.id`)
+        .leftJoin(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
        .select(selectAllTableCols(TableName.SecretV2))
        .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
@@ -622,12 +625,13 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
-        );
+        )
+        .select(db.ref("projectId").withSchema(TableName.Environment).as("projectId"));

      const docs = sqlNestRelationships({
        data: rawDocs,
        key: "id",
-        parentMapper: (el) => ({ _id: el.id, ...SecretsV2Schema.parse(el) }),
+        parentMapper: (el) => ({ _id: el.id, projectId: el.projectId, ...SecretsV2Schema.parse(el) }),
        childrenMapper: [
          {
            key: "tagId",
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts
@@ -5,6 +5,7 @@ import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";

+import { ActorType } from "../auth/auth-type";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
@@ -62,6 +63,7 @@ export const fnSecretBulkInsert = async ({
  resourceMetadataDAL,
  secretTagDAL,
  secretVersionTagDAL,
+  actor,
  tx
 }: TFnSecretBulkInsert) => {
  const sanitizedInputSecrets = inputSecrets.map(
@@ -90,6 +92,10 @@ export const fnSecretBulkInsert = async ({
    })
  );

+  const userActorId = actor && actor.type === ActorType.USER ? actor.actorId : undefined;
+  const identityActorId = actor && actor.type !== ActorType.USER ? actor.actorId : undefined;
+  const actorType = actor?.type || ActorType.PLATFORM;
+
  const newSecrets = await secretDAL.insertMany(
    sanitizedInputSecrets.map((el) => ({ ...el, folderId })),
    tx
@@ -106,6 +112,9 @@ export const fnSecretBulkInsert = async ({
    sanitizedInputSecrets.map((el) => ({
      ...el,
      folderId,
+      userActorId,
+      identityActorId,
+      actorType,
      secretId: newSecretGroupedByKeyName[el.key][0].id
    })),
    tx
@@ -157,8 +166,13 @@ export const fnSecretBulkUpdate = async ({
  secretVersionDAL,
  secretTagDAL,
  secretVersionTagDAL,
-  resourceMetadataDAL
+  resourceMetadataDAL,
+  actor
 }: TFnSecretBulkUpdate) => {
+  const userActorId = actor && actor?.type === ActorType.USER ? actor?.actorId : undefined;
+  const identityActorId = actor && actor?.type !== ActorType.USER ? actor?.actorId : undefined;
+  const actorType = actor?.type || ActorType.PLATFORM;
+
  const sanitizedInputSecrets = inputSecrets.map(
    ({
      filter,
@@ -216,7 +230,10 @@ export const fnSecretBulkUpdate = async ({
        encryptedValue,
        reminderRepeatDays,
        folderId,
-        secretId
+        secretId,
+        userActorId,
+        identityActorId,
+        actorType
      })
    ),
    tx
@@ -616,6 +633,12 @@ export const reshapeBridgeSecret = (
  secret: Omit<TSecretsV2, "encryptedValue" | "encryptedComment"> & {
    value: string;
    comment: string;
+    userActorName?: string | null;
+    identityActorName?: string | null;
+    userActorId?: string | null;
+    identityActorId?: string | null;
+    membershipId?: string | null;
+    actorType?: string | null;
    tags?: {
      id: string;
      slug: string;
@@ -636,6 +659,14 @@ export const reshapeBridgeSecret = (
  _id: secret.id,
  id: secret.id,
  user: secret.userId,
+  actor: secret.actorType
+    ? {
+        actorType: secret.actorType,
+        actorId: secret.userActorId || secret.identityActorId,
+        name: secret.identityActorName || secret.userActorName,
+        membershipId: secret.membershipId
+      }
+    : undefined,
  tags: secret.tags,
  skipMultilineEncoding: secret.skipMultilineEncoding,
  secretReminderRepeatDays: secret.reminderRepeatDays,
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
@@ -28,6 +28,7 @@ import { KmsDataKey } from "../kms/kms-types";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretQueueFactory } from "../secret/secret-queue";
+import { TGetASecretByIdDTO } from "../secret/secret-types";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
 import { fnSecretsV2FromImports } from "../secret-import/secret-import-fns";
@@ -73,7 +74,13 @@ type TSecretV2BridgeServiceFactoryDep = {
  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne" | "findBySlugs">;
  folderDAL: Pick<
    TSecretFolderDALFactory,
-    "findBySecretPath" | "updateById" | "findById" | "findByManySecretPath" | "find" | "findBySecretPathMultiEnv"
+    | "findBySecretPath"
+    | "updateById"
+    | "findById"
+    | "findByManySecretPath"
+    | "find"
+    | "findBySecretPathMultiEnv"
+    | "findSecretPathByFolderIds"
  >;
  secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">;
  secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "handleSecretReminder" | "removeSecretReminder">;
@@ -301,6 +308,10 @@ export const secretV2BridgeServiceFactory = ({
        secretVersionDAL,
        secretTagDAL,
        secretVersionTagDAL,
+        actor: {
+          type: actor,
+          actorId
+        },
        tx
      })
    );
@@ -483,6 +494,10 @@ export const secretV2BridgeServiceFactory = ({
        secretVersionDAL,
        secretTagDAL,
        secretVersionTagDAL,
+        actor: {
+          type: actor,
+          actorId
+        },
        tx
      })
    );
@@ -947,6 +962,73 @@ export const secretV2BridgeServiceFactory = ({
    };
  };

+  const getSecretById = async ({ actorId, actor, actorOrgId, actorAuthMethod, secretId }: TGetASecretByIdDTO) => {
+    const secret = await secretDAL.findOneWithTags({
+      [`${TableName.SecretV2}.id` as "id"]: secretId
+    });
+
+    if (!secret) {
+      throw new NotFoundError({
+        message: `Secret with ID '${secretId}' not found`,
+        name: "GetSecretById"
+      });
+    }
+
+    const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(secret.projectId, [secret.folderId]);
+
+    if (!folderWithPath) {
+      throw new NotFoundError({
+        message: `Folder with id '${secret.folderId}' not found`,
+        name: "GetSecretById"
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: secret.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, {
+        environment: folderWithPath.environmentSlug,
+        secretPath: folderWithPath.path,
+        secretName: secret.key,
+        secretTags: secret.tags.map((i) => i.slug)
+      })
+    );
+
+    if (secret.type === SecretType.Personal && secret.userId !== actorId) {
+      throw new ForbiddenRequestError({
+        message: "You are not allowed to access this secret",
+        name: "GetSecretById"
+      });
+    }
+
+    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId: secret.projectId
+    });
+
+    const secretValue = secret.encryptedValue
+      ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedValue }).toString()
+      : "";
+
+    const secretComment = secret.encryptedComment
+      ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedComment }).toString()
+      : "";
+
+    return reshapeBridgeSecret(secret.projectId, folderWithPath.environmentSlug, folderWithPath.path, {
+      ...secret,
+      value: secretValue,
+      comment: secretComment
+    });
+  };
+
  const getSecretByName = async ({
    actorId,
    actor,
@@ -1230,6 +1312,10 @@ export const secretV2BridgeServiceFactory = ({
        secretVersionDAL,
        secretTagDAL,
        secretVersionTagDAL,
+        actor: {
+          type: actor,
+          actorId
+        },
        tx
      })
    );
@@ -1490,6 +1576,10 @@ export const secretV2BridgeServiceFactory = ({
          secretVersionDAL,
          secretTagDAL,
          secretVersionTagDAL,
+          actor: {
+            type: actor,
+            actorId
+          },
          resourceMetadataDAL
        });
        updatedSecrets.push(...bulkUpdatedSecrets.map((el) => ({ ...el, secretPath: folder.path })));
@@ -1522,6 +1612,10 @@ export const secretV2BridgeServiceFactory = ({
            secretVersionDAL,
            secretTagDAL,
            secretVersionTagDAL,
+            actor: {
+              type: actor,
+              actorId
+            },
            tx
          });
          updatedSecrets.push(...bulkInsertedSecrets.map((el) => ({ ...el, secretPath: folder.path })));
@@ -1689,14 +1783,19 @@ export const secretV2BridgeServiceFactory = ({
      type: KmsDataKey.SecretManager,
      projectId: folder.projectId
    });
-    const secretVersions = await secretVersionDAL.find({ secretId }, { offset, limit, sort: [["createdAt", "desc"]] });
-    return secretVersions.map((el) =>
-      reshapeBridgeSecret(folder.projectId, folder.environment.envSlug, "/", {
+    const secretVersions = await secretVersionDAL.findVersionsBySecretIdWithActors(secretId, folder.projectId, {
+      offset,
+      limit,
+      sort: [["createdAt", "desc"]]
+    });
+
+    return secretVersions.map((el) => {
+      return reshapeBridgeSecret(folder.projectId, folder.environment.envSlug, "/", {
        ...el,
        value: el.encryptedValue ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString() : "",
        comment: el.encryptedComment ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString() : ""
-      })
-    );
+      });
+    });
  };

  // this is a backfilling API for secret references
@@ -1956,6 +2055,10 @@ export const secretV2BridgeServiceFactory = ({
            secretTagDAL,
            resourceMetadataDAL,
            secretVersionTagDAL,
+            actor: {
+              type: actor,
+              actorId
+            },
            inputSecrets: locallyCreatedSecrets.map((doc) => {
              return {
                type: doc.type,
@@ -1982,6 +2085,10 @@ export const secretV2BridgeServiceFactory = ({
            tx,
            secretTagDAL,
            secretVersionTagDAL,
+            actor: {
+              type: actor,
+              actorId
+            },
            inputSecrets: locallyUpdatedSecrets.map((doc) => {
              return {
                filter: {
@@ -2204,6 +2311,7 @@ export const secretV2BridgeServiceFactory = ({
    getSecretsCountMultiEnv,
    getSecretsMultiEnv,
    getSecretReferenceTree,
-    getSecretsByFolderMappings
+    getSecretsByFolderMappings,
+    getSecretById
  };
 };
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts
@@ -168,6 +168,10 @@ export type TFnSecretBulkInsert = {
  secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2">;
  secretVersionTagDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
+  actor?: {
+    type: string;
+    actorId: string;
+  };
 };

 type TRequireReferenceIfValue =
@@ -192,6 +196,10 @@ export type TFnSecretBulkUpdate = {
  secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "deleteTagsToSecretV2">;
  secretVersionTagDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
+  actor?: {
+    type: string;
+    actorId: string;
+  };
  tx?: Knex;
 };

--- a/backend/src/services/secret-v2-bridge/secret-version-dal.ts
+++ b/backend/src/services/secret-v2-bridge/secret-version-dal.ts
@@ -1,9 +1,10 @@
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
 import { Knex } from "knex";

 import { TDbClient } from "@app/db";
 import { TableName, TSecretVersionsV2, TSecretVersionsV2Update } from "@app/db/schemas";
 import { BadRequestError, DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { ormify, selectAllTableCols, TFindOpt } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
 import { QueueName } from "@app/queue";

@@ -119,11 +120,67 @@ export const secretVersionV2BridgeDALFactory = (db: TDbClient) => {
    logger.info(`${QueueName.DailyResourceCleanUp}: pruning secret version v2 completed`);
  };

+  const findVersionsBySecretIdWithActors = async (
+    secretId: string,
+    projectId: string,
+    { offset, limit, sort = [["createdAt", "desc"]] }: TFindOpt<TSecretVersionsV2> = {},
+    tx?: Knex
+  ) => {
+    try {
+      const query = (tx || db)(TableName.SecretVersionV2)
+        .leftJoin(TableName.Users, `${TableName.Users}.id`, `${TableName.SecretVersionV2}.userActorId`)
+        .leftJoin(
+          TableName.ProjectMembership,
+          `${TableName.ProjectMembership}.userId`,
+          `${TableName.SecretVersionV2}.userActorId`
+        )
+        .leftJoin(TableName.Identity, `${TableName.Identity}.id`, `${TableName.SecretVersionV2}.identityActorId`)
+        .where((qb) => {
+          void qb.where(`${TableName.SecretVersionV2}.secretId`, secretId);
+          void qb.where(`${TableName.ProjectMembership}.projectId`, projectId);
+        })
+        .orWhere((qb) => {
+          void qb.where(`${TableName.SecretVersionV2}.secretId`, secretId);
+          void qb.whereNull(`${TableName.ProjectMembership}.projectId`);
+        })
+        .select(
+          selectAllTableCols(TableName.SecretVersionV2),
+          `${TableName.Users}.username as userActorName`,
+          `${TableName.Identity}.name as identityActorName`,
+          `${TableName.ProjectMembership}.id as membershipId`
+        );
+
+      if (limit) void query.limit(limit);
+      if (offset) void query.offset(offset);
+      if (sort) {
+        void query.orderBy(
+          sort.map(([column, order, nulls]) => ({
+            column: `${TableName.SecretVersionV2}.${column as string}`,
+            order,
+            nulls
+          }))
+        );
+      }
+
+      const docs: Array<
+        TSecretVersionsV2 & {
+          userActorName: string | undefined | null;
+          identityActorName: string | undefined | null;
+          membershipId: string | undefined | null;
+        }
+      > = await query;
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindVersionsBySecretIdWithActors" });
+    }
+  };
+
  return {
    ...secretVersionV2Orm,
    pruneExcessVersions,
    findLatestVersionMany,
    bulkUpdate,
-    findLatestVersionByFolderId
+    findLatestVersionByFolderId,
+    findVersionsBySecretIdWithActors
  };
 };
--- a/backend/src/services/secret/secret-fns.ts
+++ b/backend/src/services/secret/secret-fns.ts
@@ -579,6 +579,7 @@ export const fnSecretBulkInsert = async ({
      [`${TableName.Secret}Id` as const]: newSecretGroupByBlindIndex[secretBlindIndex as string][0].id
    }))
  );
+
  const secretVersions = await secretVersionDAL.insertMany(
    sanitizedInputSecrets.map((el) => ({
      ...el,
--- a/backend/src/services/secret/secret-queue.ts
+++ b/backend/src/services/secret/secret-queue.ts
@@ -61,6 +61,7 @@ import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { TWebhookDALFactory } from "../webhook/webhook-dal";
 import { fnTriggerWebhook } from "../webhook/webhook-fns";
+import { WebhookEvents } from "../webhook/webhook-types";
 import { TSecretDALFactory } from "./secret-dal";
 import { interpolateSecrets } from "./secret-fns";
 import {
@@ -623,7 +624,14 @@ export const secretQueueFactory = ({
    await queueService.queue(
      QueueName.SecretWebhook,
      QueueJobs.SecWebhook,
-      { environment, projectId, secretPath },
+      {
+        type: WebhookEvents.SecretModified,
+        payload: {
+          environment,
+          projectId,
+          secretPath
+        }
+      },
      {
        jobId: `secret-webhook-${environment}-${projectId}-${secretPath}`,
        removeOnFail: { count: 5 },
@@ -1055,6 +1063,8 @@ export const secretQueueFactory = ({

    const organization = await orgDAL.findOrgByProjectId(projectId);
    const project = await projectDAL.findById(projectId);
+    const secret = await secretV2BridgeDAL.findById(data.secretId);
+    const [folder] = await folderDAL.findSecretPathByFolderIds(project.id, [secret.folderId]);

    if (!organization) {
      logger.info(`secretReminderQueue.process: [secretDocument=${data.secretId}] no organization found`);
@@ -1083,6 +1093,19 @@ export const secretQueueFactory = ({
        organizationName: organization.name
      }
    });
+
+    await queueService.queue(QueueName.SecretWebhook, QueueJobs.SecWebhook, {
+      type: WebhookEvents.SecretReminderExpired,
+      payload: {
+        projectName: project.name,
+        projectId: project.id,
+        secretPath: folder?.path,
+        environment: folder?.environmentSlug || "",
+        reminderNote: data.note,
+        secretName: secret?.key,
+        secretId: data.secretId
+      }
+    });
  });

  const startSecretV2Migration = async (projectId: string) => {
@@ -1490,14 +1513,17 @@ export const secretQueueFactory = ({
  queueService.start(QueueName.SecretWebhook, async (job) => {
    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
-      projectId: job.data.projectId
+      projectId: job.data.payload.projectId
    });

    await fnTriggerWebhook({
-      ...job.data,
+      projectId: job.data.payload.projectId,
+      environment: job.data.payload.environment,
+      secretPath: job.data.payload.secretPath || "/",
      projectEnvDAL,
-      webhookDAL,
      projectDAL,
+      webhookDAL,
+      event: job.data,
      secretManagerDecryptor: (value) => secretManagerDecryptor({ cipherTextBlob: value }).toString()
    });
  });
--- a/backend/src/services/secret/secret-service.ts
+++ b/backend/src/services/secret/secret-service.ts
@@ -71,6 +71,7 @@ import {
  TDeleteManySecretRawDTO,
  TDeleteSecretDTO,
  TDeleteSecretRawDTO,
+  TGetASecretByIdRawDTO,
  TGetASecretDTO,
  TGetASecretRawDTO,
  TGetSecretAccessListDTO,
@@ -95,7 +96,7 @@ type TSecretServiceFactoryDep = {
  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
  folderDAL: Pick<
    TSecretFolderDALFactory,
-    "findBySecretPath" | "updateById" | "findById" | "findByManySecretPath" | "find"
+    "findBySecretPath" | "updateById" | "findById" | "findByManySecretPath" | "find" | "findSecretPathByFolderIds"
  >;
  secretV2BridgeService: TSecretV2BridgeServiceFactory;
  secretBlindIndexDAL: TSecretBlindIndexDALFactory;
@@ -1382,6 +1383,18 @@ export const secretServiceFactory = ({
    };
  };

+  const getSecretByIdRaw = async ({ secretId, actorId, actor, actorOrgId, actorAuthMethod }: TGetASecretByIdRawDTO) => {
+    const secret = await secretV2BridgeService.getSecretById({
+      secretId,
+      actorId,
+      actor,
+      actorOrgId,
+      actorAuthMethod
+    });
+
+    return secret;
+  };
+
  const getSecretByNameRaw = async ({
    type,
    path,
@@ -3088,6 +3101,7 @@ export const secretServiceFactory = ({
    getSecretsRawMultiEnv,
    getSecretReferenceTree,
    getSecretsRawByFolderMappings,
-    getSecretAccessList
+    getSecretAccessList,
+    getSecretByIdRaw
  };
 };
--- a/backend/src/services/secret/secret-types.ts
+++ b/backend/src/services/secret/secret-types.ts
@@ -121,6 +121,10 @@ export type TGetASecretDTO = {
  version?: number;
 } & TProjectPermission;

+export type TGetASecretByIdDTO = {
+  secretId: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TCreateBulkSecretDTO = {
  path: string;
  environment: string;
@@ -213,6 +217,10 @@ export type TGetASecretRawDTO = {
  projectId?: string;
 } & Omit<TProjectPermission, "projectId">;

+export type TGetASecretByIdRawDTO = {
+  secretId: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TCreateSecretRawDTO = TProjectPermission & {
  secretName: string;
  secretPath: string;
--- a/backend/src/services/slack/slack-fns.ts
+++ b/backend/src/services/slack/slack-fns.ts
@@ -50,6 +50,7 @@ const buildSlackPayload = (notification: TSlackNotification) => {
      const messageBody = `A secret approval request has been opened by ${payload.userEmail}.
 *Environment*: ${payload.environment}
 *Secret path*: ${payload.secretPath || "/"}
+*Secret Key${payload.secretKeys.length > 1 ? "s" : ""}*: ${payload.secretKeys.join(", ")}

 View the complete details <${appCfg.SITE_URL}/secret-manager/${payload.projectId}/approval?requestId=${
        payload.requestId
--- a/backend/src/services/slack/slack-types.ts
+++ b/backend/src/services/slack/slack-types.ts
@@ -62,6 +62,7 @@ export type TSlackNotification =
        secretPath: string;
        requestId: string;
        projectId: string;
+        secretKeys: string[];
      };
    }
  | {
--- a/backend/src/services/webhook/webhook-fns.ts
+++ b/backend/src/services/webhook/webhook-fns.ts
@@ -11,7 +11,7 @@ import { logger } from "@app/lib/logger";
 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TWebhookDALFactory } from "./webhook-dal";
-import { WebhookType } from "./webhook-types";
+import { TWebhookPayloads, WebhookEvents, WebhookType } from "./webhook-types";

 const WEBHOOK_TRIGGER_TIMEOUT = 15 * 1000;

@@ -54,29 +54,64 @@ export const triggerWebhookRequest = async (
  return req;
 };

-export const getWebhookPayload = (
-  eventName: string,
-  details: {
-    workspaceName: string;
-    workspaceId: string;
-    environment: string;
-    secretPath?: string;
-    type?: string | null;
+export const getWebhookPayload = (event: TWebhookPayloads) => {
+  if (event.type === WebhookEvents.SecretModified) {
+    const { projectName, projectId, environment, secretPath, type } = event.payload;
+
+    switch (type) {
+      case WebhookType.SLACK:
+        return {
+          text: "A secret value has been added or modified.",
+          attachments: [
+            {
+              color: "#E7F256",
+              fields: [
+                {
+                  title: "Project",
+                  value: projectName,
+                  short: false
+                },
+                {
+                  title: "Environment",
+                  value: environment,
+                  short: false
+                },
+                {
+                  title: "Secret Path",
+                  value: secretPath,
+                  short: false
+                }
+              ]
+            }
+          ]
+        };
+      case WebhookType.GENERAL:
+      default:
+        return {
+          event: event.type,
+          project: {
+            workspaceId: projectId,
+            projectName,
+            environment,
+            secretPath
+          }
+        };
+    }
  }
-) => {
-  const { workspaceName, workspaceId, environment, secretPath, type } = details;
+
+  const { projectName, projectId, environment, secretPath, type, reminderNote, secretName } = event.payload;

  switch (type) {
    case WebhookType.SLACK:
      return {
-        text: "A secret value has been added or modified.",
+        text: "You have a secret reminder",
        attachments: [
          {
            color: "#E7F256",
            fields: [
              {
                title: "Project",
-                value: workspaceName,
+                value: projectName,
                short: false
              },
              {
@@ -88,6 +123,16 @@ export const getWebhookPayload = (
                title: "Secret Path",
                value: secretPath,
                short: false
+              },
+              {
+                title: "Secret Name",
+                value: secretName,
+                short: false
+              },
+              {
+                title: "Reminder Note",
+                value: reminderNote,
+                short: false
              }
            ]
          }
@@ -96,11 +141,14 @@ export const getWebhookPayload = (
    case WebhookType.GENERAL:
    default:
      return {
-        event: eventName,
+        event: event.type,
        project: {
-          workspaceId,
+          workspaceId: projectId,
+          projectName,
          environment,
-          secretPath
+          secretPath,
+          secretName,
+          reminderNote
        }
      };
  }
@@ -110,6 +158,7 @@ export type TFnTriggerWebhookDTO = {
  projectId: string;
  secretPath: string;
  environment: string;
+  event: TWebhookPayloads;
  webhookDAL: Pick<TWebhookDALFactory, "findAllWebhooks" | "transaction" | "update" | "bulkUpdate">;
  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
  projectDAL: Pick<TProjectDALFactory, "findById">;
@@ -124,8 +173,9 @@ export const fnTriggerWebhook = async ({
  projectId,
  webhookDAL,
  projectEnvDAL,
-  projectDAL,
-  secretManagerDecryptor
+  event,
+  secretManagerDecryptor,
+  projectDAL
 }: TFnTriggerWebhookDTO) => {
  const webhooks = await webhookDAL.findAllWebhooks(projectId, environment);
  const toBeTriggeredHooks = webhooks.filter(
@@ -134,21 +184,20 @@ export const fnTriggerWebhook = async ({
  );
  if (!toBeTriggeredHooks.length) return;
  logger.info({ environment, secretPath, projectId }, "Secret webhook job started");
-  const project = await projectDAL.findById(projectId);
+  let { projectName } = event.payload;
+  if (!projectName) {
+    const project = await projectDAL.findById(event.payload.projectId);
+    projectName = project.name;
+  }
+
  const webhooksTriggered = await Promise.allSettled(
-    toBeTriggeredHooks.map((hook) =>
-      triggerWebhookRequest(
-        hook,
-        secretManagerDecryptor,
-        getWebhookPayload("secrets.modified", {
-          workspaceName: project.name,
-          workspaceId: projectId,
-          environment,
-          secretPath,
-          type: hook.type
-        })
-      )
-    )
+    toBeTriggeredHooks.map((hook) => {
+      const formattedEvent = {
+        type: event.type,
+        payload: { ...event.payload, type: hook.type, projectName }
+      } as TWebhookPayloads;
+      return triggerWebhookRequest(hook, secretManagerDecryptor, getWebhookPayload(formattedEvent));
+    })
  );

  // filter hooks by status
--- a/backend/src/services/webhook/webhook-service.ts
+++ b/backend/src/services/webhook/webhook-service.ts
@@ -16,7 +16,8 @@ import {
  TDeleteWebhookDTO,
  TListWebhookDTO,
  TTestWebhookDTO,
-  TUpdateWebhookDTO
+  TUpdateWebhookDTO,
+  WebhookEvents
 } from "./webhook-types";

 type TWebhookServiceFactoryDep = {
@@ -144,12 +145,15 @@ export const webhookServiceFactory = ({
      await triggerWebhookRequest(
        webhook,
        (value) => secretManagerDecryptor({ cipherTextBlob: value }).toString(),
-        getWebhookPayload("test", {
-          workspaceName: project.name,
-          workspaceId: webhook.projectId,
-          environment: webhook.environment.slug,
-          secretPath: webhook.secretPath,
-          type: webhook.type
+        getWebhookPayload({
+          type: "test" as WebhookEvents.SecretModified,
+          payload: {
+            projectName: project.name,
+            projectId: webhook.projectId,
+            environment: webhook.environment.slug,
+            secretPath: webhook.secretPath,
+            type: webhook.type
+          }
        })
      );
    } catch (err) {
--- a/backend/src/services/webhook/webhook-types.ts
+++ b/backend/src/services/webhook/webhook-types.ts
@@ -30,3 +30,36 @@ export enum WebhookType {
  GENERAL = "general",
  SLACK = "slack"
 }
+
+export enum WebhookEvents {
+  SecretModified = "secrets.modified",
+  SecretReminderExpired = "secrets.reminder-expired",
+  TestEvent = "test"
+}
+
+type TWebhookSecretModifiedEventPayload = {
+  type: WebhookEvents.SecretModified;
+  payload: {
+    projectName?: string;
+    projectId: string;
+    environment: string;
+    secretPath?: string;
+    type?: string | null;
+  };
+};
+
+type TWebhookSecretReminderEventPayload = {
+  type: WebhookEvents.SecretReminderExpired;
+  payload: {
+    projectName?: string;
+    projectId: string;
+    environment: string;
+    secretPath?: string;
+    type?: string | null;
+    secretName: string;
+    secretId: string;
+    reminderNote?: string | null;
+  };
+};
+
+export type TWebhookPayloads = TWebhookSecretModifiedEventPayload | TWebhookSecretReminderEventPayload;
--- a/cli/config/example-infisical-relay.yaml
+++ b/cli/config/example-infisical-relay.yaml
@@ -0,0 +1,8 @@
+public_ip: 127.0.0.1
+auth_secret: example-auth-secret
+realm: infisical.org
+# set port 5349 for tls
+# port: 5349
+# tls_private_key_path: /full-path
+# tls_ca_path:  /full-path
+# tls_cert_path: /full-path
--- a/cli/go.mod
+++ b/cli/go.mod
@@ -28,9 +28,10 @@ require (
 	github.com/rs/zerolog v1.26.1
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/viper v1.8.1
-	github.com/stretchr/testify v1.9.0
-	golang.org/x/crypto v0.35.0
-	golang.org/x/term v0.29.0
+	github.com/stretchr/testify v1.10.0
+	golang.org/x/crypto v0.36.0
+	golang.org/x/sys v0.31.0
+	golang.org/x/term v0.30.0
 	gopkg.in/yaml.v2 v2.4.0
 )

@@ -114,9 +115,8 @@ require (
 	golang.org/x/mod v0.23.0 // indirect
 	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
-	golang.org/x/sync v0.11.0 // indirect
-	golang.org/x/sys v0.30.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
 	golang.org/x/tools v0.30.0 // indirect
 	google.golang.org/api v0.188.0 // indirect
@@ -139,3 +139,5 @@ require (
 )

 replace github.com/zalando/go-keyring => github.com/Infisical/go-keyring v1.0.2
+
+replace github.com/pion/turn/v4 => github.com/Infisical/turn/v4 v4.0.1
--- a/cli/go.sum
+++ b/cli/go.sum
@@ -49,6 +49,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Infisical/go-keyring v1.0.2 h1:dWOkI/pB/7RocfSJgGXbXxLDcVYsdslgjEPmVhb+nl8=
 github.com/Infisical/go-keyring v1.0.2/go.mod h1:LWOnn/sw9FxDW/0VY+jHFAfOFEe03xmwBVSfJnBowto=
+github.com/Infisical/turn/v4 v4.0.1 h1:omdelNsnFfzS5cu86W5OBR68by68a8sva4ogR0lQQnw=
+github.com/Infisical/turn/v4 v4.0.1/go.mod h1:pMMKP/ieNAG/fN5cZiN4SDuyKsXtNTr0ccN7IToA1zs=
 github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
 github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -365,8 +367,6 @@ github.com/pion/stun/v3 v3.0.0 h1:4h1gwhWLWuZWOJIJR9s2ferRO+W3zA/b6ijOI6mKzUw=
 github.com/pion/stun/v3 v3.0.0/go.mod h1:HvCN8txt8mwi4FBvS3EmDghW6aQJ24T+y+1TKjB5jyU=
 github.com/pion/transport/v3 v3.0.7 h1:iRbMH05BzSNwhILHoBoAPxoB9xQgOaJk+591KC9P1o0=
 github.com/pion/transport/v3 v3.0.7/go.mod h1:YleKiTZ4vqNxVwh77Z0zytYi7rXHl7j6uPLGhhz9rwo=
-github.com/pion/turn/v4 v4.0.0 h1:qxplo3Rxa9Yg1xXDxxH8xaqcyGUtbHYw4QSCvmFWvhM=
-github.com/pion/turn/v4 v4.0.0/go.mod h1:MuPDkm15nYSklKpN8vWJ9W2M0PlyQZqYt1McGuxG7mA=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -425,8 +425,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
@@ -486,6 +486,8 @@ golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e/go.mod h1:P+XmwS30IXTQdn5
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
 golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -592,6 +594,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
 golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -642,9 +646,13 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
 golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -656,6 +664,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
 golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/cli/packages/cmd/gateway.go
+++ b/cli/packages/cmd/gateway.go
@@ -1,10 +1,6 @@
 package cmd

 import (
-	// "fmt"
-
-	// "github.com/Infisical/infisical-merge/packages/api"
-	// "github.com/Infisical/infisical-merge/packages/models"
 	"context"
 	"fmt"
 	"os"
@@ -14,13 +10,8 @@ import (

 	"github.com/Infisical/infisical-merge/packages/gateway"
 	"github.com/Infisical/infisical-merge/packages/util"
-	"github.com/rs/zerolog/log"
-
-	// "github.com/Infisical/infisical-merge/packages/visualize"
-	// "github.com/rs/zerolog/log"
-
-	// "github.com/go-resty/resty/v2"
 	"github.com/posthog/posthog-go"
+	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )

@@ -40,6 +31,16 @@ var gatewayCmd = &cobra.Command{
 			util.HandleError(fmt.Errorf("Token not found"))
 		}

+		domain, err := cmd.Flags().GetString("domain")
+		if err != nil {
+			util.HandleError(err, "Unable to parse domain flag")
+		}
+
+		// Try to install systemd service if possible
+		if err := gateway.InstallGatewaySystemdService(token.Token, domain); err != nil {
+			log.Warn().Msgf("Failed to install systemd service: %v", err)
+		}
+
 		Telemetry.CaptureEvent("cli-command:gateway", posthog.NewProperties().Set("version", util.CLI_VERSION))

 		sigCh := make(chan os.Signal, 1)
@@ -137,15 +138,10 @@ var gatewayRelayCmd = &cobra.Command{
 }

 func init() {
-	gatewayCmd.SetHelpFunc(func(command *cobra.Command, strings []string) {
-		command.Flags().MarkHidden("domain")
-		command.Parent().HelpFunc()(command, strings)
-	})
 	gatewayCmd.Flags().String("token", "", "Connect with Infisical using machine identity access token")

 	gatewayRelayCmd.Flags().String("config", "", "Relay config yaml file path")

 	gatewayCmd.AddCommand(gatewayRelayCmd)
-
 	rootCmd.AddCommand(gatewayCmd)
 }
--- a/cli/packages/gateway/gateway.go
+++ b/cli/packages/gateway/gateway.go
@@ -14,6 +14,7 @@ import (
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/systemd"
 	"github.com/go-resty/resty/v2"
+	"github.com/pion/dtls/v3"
 	"github.com/pion/logging"
 	"github.com/pion/turn/v4"
 	"github.com/rs/zerolog/log"
@@ -54,26 +55,6 @@ func (g *Gateway) ConnectWithRelay() error {
 		return err
 	}
 	relayAddress, relayPort := strings.Split(relayDetails.TurnServerAddress, ":")[0], strings.Split(relayDetails.TurnServerAddress, ":")[1]
-	var conn net.Conn
-
-	// Dial TURN Server
-	if relayPort == "5349" {
-		log.Info().Msgf("Provided relay port %s. Using TLS", relayPort)
-		conn, err = tls.Dial("tcp", relayDetails.TurnServerAddress, &tls.Config{
-			ServerName: relayAddress,
-		})
-	} else {
-		log.Info().Msgf("Provided relay port %s. Using non TLS connection.", relayPort)
-		peerAddr, errPeer := net.ResolveTCPAddr("tcp", relayDetails.TurnServerAddress)
-		if errPeer != nil {
-			return fmt.Errorf("Failed to parse turn server address: %w", err)
-		}
-		conn, err = net.DialTCP("tcp", nil, peerAddr)
-	}
-
-	if err != nil {
-		return fmt.Errorf("Failed to connect with relay server: %w", err)
-	}

 	// Start a new TURN Client and wrap our net.Conn in a STUNConn
 	// This allows us to simulate datagram based communication over a net.Conn
@@ -81,17 +62,46 @@ func (g *Gateway) ConnectWithRelay() error {
 	if os.Getenv("LOG_LEVEL") == "debug" {
 		logger.DefaultLogLevel = logging.LogLevelDebug
 	}
-	cfg := &turn.ClientConfig{
+
+	turnClientCfg := &turn.ClientConfig{
 		STUNServerAddr: relayDetails.TurnServerAddress,
 		TURNServerAddr: relayDetails.TurnServerAddress,
-		Conn:           turn.NewSTUNConn(conn),
 		Username:       relayDetails.TurnServerUsername,
 		Password:       relayDetails.TurnServerPassword,
 		Realm:          relayDetails.TurnServerRealm,
 		LoggerFactory:  logger,
 	}

-	client, err := turn.NewClient(cfg)
+	turnAddr, err := net.ResolveUDPAddr("udp4", relayDetails.TurnServerAddress)
+	if err != nil {
+		return fmt.Errorf("Failed to parse turn server address: %w", err)
+	}
+
+	// Dial TURN Server
+	if relayPort == "5349" {
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM([]byte(g.config.CertificateChain))
+
+		log.Info().Msgf("Provided relay port %s. Using TLS", relayPort)
+		conn, err := dtls.Dial("udp", turnAddr, &dtls.Config{
+			ServerName: relayAddress,
+			RootCAs:    caCertPool,
+		})
+		if err != nil {
+			return fmt.Errorf("Failed to connect with relay server: %w", err)
+		}
+		turnClientCfg.Conn = turn.NewSTUNConn(conn)
+	} else {
+		log.Info().Msgf("Provided relay port %s. Using non TLS connection.", relayPort)
+		conn, err := net.ListenPacket("udp4", turnAddr.String())
+		if err != nil {
+			return fmt.Errorf("Failed to connect with relay server: %w", err)
+		}
+
+		turnClientCfg.Conn = conn
+	}
+
+	client, err := turn.NewClient(turnClientCfg)
 	if err != nil {
 		return fmt.Errorf("Failed to create relay client: %w", err)
 	}
@@ -168,7 +178,6 @@ func (g *Gateway) Listen(ctx context.Context) error {
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 		NextProtos:   []string{"infisical-gateway"},
 	}
-
 	// Setup QUIC listener on the relayConn
 	quicConfig := &quic.Config{
 		EnableDatagrams: true,
@@ -176,7 +185,6 @@ func (g *Gateway) Listen(ctx context.Context) error {
 		KeepAlivePeriod: 2 * time.Second,
 	}

-	g.registerRelayIsActive(ctx, relayUdpConnection.LocalAddr().String(), errCh)
 	quicListener, err := quic.Listen(relayUdpConnection, tlsConfig, quicConfig)
 	if err != nil {
 		return fmt.Errorf("Failed to listen for QUIC: %w", err)
@@ -185,6 +193,8 @@ func (g *Gateway) Listen(ctx context.Context) error {

 	log.Printf("Listener started on %s", quicListener.Addr())

+	g.registerRelayIsActive(ctx, quicListener.Addr().String(), errCh)
+
 	log.Info().Msg("Gateway started successfully")

 	var wg sync.WaitGroup
@@ -320,41 +330,40 @@ func (g *Gateway) createPermissionForStaticIps(staticIps string) error {
 	return nil
 }

-func (g *Gateway) registerRelayIsActive(ctx context.Context, relayAddress string, errCh chan error) error {
-	ticker := time.NewTicker(10 * time.Second)
+func (g *Gateway) registerRelayIsActive(ctx context.Context, addr string, errCh chan error) error {
+	ticker := time.NewTicker(15 * time.Second)
 	maxFailures := 3
 	failures := 0

+	log.Info().Msg("Starting relay connection health check")
 	go func() {
-		time.Sleep(2 * time.Second)
+		time.Sleep(5 * time.Second)
 		for {
 			select {
 			case <-ctx.Done():
+				log.Info().Msg("Stopping relay connection health check")
 				return
 			case <-ticker.C:
-				// Configure TLS to skip verification
-				tlsConfig := &tls.Config{
-					InsecureSkipVerify: true,
+				log.Debug().Msg("Performing relay connection health check")
+				ctxTimeout, cancel := context.WithTimeout(ctx, 5*time.Second)
+				defer cancel()
+				// Try to establish a QUIC connection
+				conn, err := quic.DialAddr(ctxTimeout, addr, &tls.Config{
+					InsecureSkipVerify: false, // Skip certificate verification
 					NextProtos:         []string{"infisical-gateway"},
-				}
-				quicConfig := &quic.Config{
-					EnableDatagrams: true,
-				}
-				func() {
-					checkCtx, cancel := context.WithTimeout(ctx, 3*time.Second)
-					defer cancel()
-					conn, err := quic.DialAddr(checkCtx, relayAddress, tlsConfig, quicConfig)
-					if err != nil {
-						failures++
-						log.Warn().Err(err).Int("failures", failures).Msg("Relay connection check failed")
-						if failures >= maxFailures {
-							errCh <- fmt.Errorf("relay connection check failed: %w", err)
-						}
+				}, nil)
+				if err != nil && !strings.Contains(err.Error(), "tls:") {
+					failures++
+					log.Warn().Err(err).Int("failures", failures).Msg("Failed to refresh TURN permissions")
+					if failures >= maxFailures {
+						errCh <- fmt.Errorf("relay connection check failed: %w", err)
+						return
 					}
-					if conn != nil {
-						conn.CloseWithError(0, "closed")
-					}
-				}()
+					continue
+				}
+				if conn != nil {
+					defer conn.CloseWithError(0, "All good")
+				}
 			}
 		}
 	}()
--- a/cli/packages/gateway/relay.go
+++ b/cli/packages/gateway/relay.go
@@ -1,7 +1,9 @@
+//go:build !windows
+// +build !windows
+
 package gateway

 import (
-	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
@@ -9,12 +11,13 @@ import (
 	"net"
 	"os"
 	"os/signal"
-	"runtime"
+
+	// "runtime"
 	"strconv"
 	"syscall"

-	udplistener "github.com/Infisical/infisical-merge/packages/gateway/udp_listener"
 	"github.com/Infisical/infisical-merge/packages/systemd"
+	"github.com/pion/dtls/v3"
 	"github.com/pion/logging"
 	"github.com/pion/turn/v4"
 	"github.com/rs/zerolog/log"
@@ -105,7 +108,7 @@ func NewGatewayRelay(configFilePath string) (*GatewayRelay, error) {
 }

 func (g *GatewayRelay) Run() error {
-	addr, err := net.ResolveTCPAddr("tcp", "0.0.0.0:"+strconv.Itoa(g.Config.Port))
+	addr, err := net.ResolveUDPAddr("udp", "0.0.0.0:"+strconv.Itoa(g.Config.Port))
 	if err != nil {
 		return fmt.Errorf("Failed to parse server address: %s", err)
 	}
@@ -114,13 +117,6 @@ func (g *GatewayRelay) Run() error {
 	// and process them yourself.
 	logger := logging.NewDefaultLeveledLoggerForScope("lt-creds", logging.LogLevelTrace, os.Stdout)

-	// Create `numThreads` UDP listeners to pass into pion/turn
-	// pion/turn itself doesn't allocate any UDP sockets, but lets the user pass them in
-	// this allows us to add logging, storage or modify inbound/outbound traffic
-	// UDP listeners share the same local address:port with setting SO_REUSEPORT and the kernel
-	// will load-balance received packets per the IP 5-tuple
-	listenerConfig := udplistener.SetupListenerConfig()
-
 	publicIP := g.Config.PublicIP
 	relayAddressGenerator := &turn.RelayAddressGeneratorPortRange{
 		RelayAddress: net.ParseIP(publicIP), // Claim that we are listening on IP passed by user
@@ -129,49 +125,54 @@ func (g *GatewayRelay) Run() error {
 		MaxPort:      g.Config.RelayMaxPort,
 	}

-	threadNum := runtime.NumCPU()
-	listenerConfigs := make([]turn.ListenerConfig, threadNum)
-	var connAddress string
-	for i := 0; i < threadNum; i++ {
-		conn, listErr := listenerConfig.Listen(context.Background(), addr.Network(), addr.String())
-		if listErr != nil {
-			return fmt.Errorf("Failed to allocate TCP listener at %s:%s %s", addr.Network(), addr.String(), listErr)
-		}
-
-		listenerConfigs[i] = turn.ListenerConfig{
-			RelayAddressGenerator: relayAddressGenerator,
-		}
-
-		if g.Config.isTlsEnabled {
-			caCertPool := x509.NewCertPool()
-			caCertPool.AppendCertsFromPEM([]byte(g.Config.tlsCa))
-
-			listenerConfigs[i].Listener = tls.NewListener(conn, &tls.Config{
-				Certificates: []tls.Certificate{g.Config.tls},
-				ClientCAs:    caCertPool,
-			})
-		} else {
-			listenerConfigs[i].Listener = conn
-		}
-		connAddress = conn.Addr().String()
-	}
-
 	loggerF := logging.NewDefaultLoggerFactory()
 	loggerF.DefaultLogLevel = logging.LogLevelDebug

+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM([]byte(g.Config.tlsCa))
+
+	listenerConfigs := make([]turn.ListenerConfig, 0)
+	packetConfigs := make([]turn.PacketConnConfig, 0)
+
+	if g.Config.isTlsEnabled {
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM([]byte(g.Config.tlsCa))
+		dtlsServer, err := dtls.Listen("udp", addr, &dtls.Config{
+			Certificates: []tls.Certificate{g.Config.tls},
+			ClientCAs:    caCertPool,
+		})
+		if err != nil {
+			return fmt.Errorf("Failed to start dtls server: %w", err)
+		}
+		listenerConfigs = append(listenerConfigs, turn.ListenerConfig{
+			RelayAddressGenerator: relayAddressGenerator,
+			Listener:              dtlsServer,
+		})
+	} else {
+		udpListener, err := net.ListenPacket("udp4", "0.0.0.0:"+strconv.Itoa(g.Config.Port))
+		if err != nil {
+			return fmt.Errorf("Failed to relay udp listener: %w", err)
+		}
+		packetConfigs = append(packetConfigs, turn.PacketConnConfig{
+			RelayAddressGenerator: relayAddressGenerator,
+			PacketConn:            udpListener,
+		})
+	}
+
 	server, err := turn.NewServer(turn.ServerConfig{
 		Realm:       g.Config.Realm,
 		AuthHandler: turn.LongTermTURNRESTAuthHandler(g.Config.AuthSecret, logger),
 		// PacketConnConfigs is a list of UDP Listeners and the configuration around them
-		ListenerConfigs: listenerConfigs,
-		LoggerFactory:   loggerF,
+		ListenerConfigs:   listenerConfigs,
+		PacketConnConfigs: packetConfigs,
+		LoggerFactory:     loggerF,
 	})

 	if err != nil {
 		return fmt.Errorf("Failed to start server: %w", err)
 	}

-	log.Info().Msgf("Relay listening on %s\n", connAddress)
+	log.Info().Msgf("Relay listening on %d\n", g.Config.Port)

 	// make this compatiable with systemd notify mode
 	systemd.SdNotify(false, systemd.SdNotifyReady)
--- a/cli/packages/gateway/relay_windows.go
+++ b/cli/packages/gateway/relay_windows.go
@@ -0,0 +1,37 @@
+//go:build windows
+// +build windows
+
+package gateway
+
+import (
+	"errors"
+)
+
+var (
+	errMissingTlsCert      = errors.New("Missing TLS files")
+	errWindowsNotSupported = errors.New("Relay is not supported on Windows")
+)
+
+type GatewayRelay struct {
+	Config *GatewayRelayConfig
+}
+
+type GatewayRelayConfig struct {
+	PublicIP          string
+	Port              int
+	Realm             string
+	AuthSecret        string
+	RelayMinPort      uint16
+	RelayMaxPort      uint16
+	TlsCertPath       string
+	TlsPrivateKeyPath string
+	TlsCaPath         string
+}
+
+func NewGatewayRelay(configFilePath string) (*GatewayRelay, error) {
+	return nil, errWindowsNotSupported
+}
+
+func (g *GatewayRelay) Run() error {
+	return errWindowsNotSupported
+}
--- a/cli/packages/gateway/systemd.go
+++ b/cli/packages/gateway/systemd.go
@@ -0,0 +1,82 @@
+package gateway
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+
+	"github.com/rs/zerolog/log"
+)
+
+const systemdServiceTemplate = `[Unit]
+Description=Infisical Gateway Service
+After=network.target
+
+[Service]
+Type=simple
+EnvironmentFile=/etc/infisical/gateway.conf
+ExecStart=/usr/local/bin/infisical gateway
+Restart=on-failure
+InaccessibleDirectories=/home
+PrivateTmp=yes
+LimitCORE=infinity
+LimitNOFILE=1000000
+LimitNPROC=60000
+LimitRTPRIO=infinity
+LimitRTTIME=7000000
+
+[Install]
+WantedBy=multi-user.target
+`
+
+func InstallGatewaySystemdService(token string, domain string) error {
+	if runtime.GOOS != "linux" {
+		log.Info().Msg("Skipping systemd service installation - not on Linux")
+		return nil
+	}
+
+	if os.Geteuid() != 0 {
+		log.Info().Msg("Skipping systemd service installation - not running as root/sudo")
+		return nil
+	}
+
+	configDir := "/etc/infisical"
+	if err := os.MkdirAll(configDir, 0755); err != nil {
+		return fmt.Errorf("failed to create config directory: %v", err)
+	}
+
+	configContent := fmt.Sprintf("INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN=%s\n", token)
+	if domain != "" {
+		configContent += fmt.Sprintf("INFISICAL_API_URL=%s\n", domain)
+	} else {
+		configContent += "INFISICAL_API_URL=\n"
+	}
+
+	configPath := filepath.Join(configDir, "gateway.conf")
+	if err := os.WriteFile(configPath, []byte(configContent), 0600); err != nil {
+		return fmt.Errorf("failed to write config file: %v", err)
+	}
+
+	servicePath := "/etc/systemd/system/infisical-gateway.service"
+	if _, err := os.Stat(servicePath); err == nil {
+		log.Info().Msg("Systemd service file already exists")
+		return nil
+	}
+
+	if err := os.WriteFile(servicePath, []byte(systemdServiceTemplate), 0644); err != nil {
+		return fmt.Errorf("failed to write systemd service file: %v", err)
+	}
+
+	reloadCmd := exec.Command("systemctl", "daemon-reload")
+	if err := reloadCmd.Run(); err != nil {
+		return fmt.Errorf("failed to reload systemd: %v", err)
+	}
+
+	log.Info().Msg("Successfully installed systemd service")
+	log.Info().Msg("To start the service, run: sudo systemctl start infisical-gateway")
+	log.Info().Msg("To enable the service on boot, run: sudo systemctl enable infisical-gateway")
+
+	return nil
+}
--- a/company/handbook/meetings.mdx
+++ b/company/handbook/meetings.mdx
@@ -10,6 +10,10 @@ Being a remote-first company, we try to be as async as possible. When an issue a

 In other words, we have almost no (recurring) meetings and prefer written communication or quick Slack huddles.

+## Daily Standup
+
+Towards the end of each day, everyone on the Engineering and GTM teams should document their progress in the respective Slack standup channels, ensuring the team stays informed of important updates. On the engineering side, if you are working on something that takes longer than 1-2 days, please add an estimated completion date (ECD) for that item in standup specifying when it will be pushed to production. 
+
 ## Weekly All-hands

-All-hands is the single recurring meeting that we run every Monday at 8:30am PT. Typically, we would discuss everything important that happened during the previous week and plan out the week ahead. This is also an opportunity to bring up any important topics in front of the whole company (but feel free to post those in Slack too).
+All-hands is the single recurring meeting that we run every Monday at 8:00am PT. Typically, we would discuss everything important that happened during the previous week and plan out the week ahead. This is also an opportunity to bring up any important topics in front of the whole company (but feel free to post those in Slack too).
--- a/docs/documentation/platform/gateways/gateway-security.mdx
+++ b/docs/documentation/platform/gateways/gateway-security.mdx
@@ -0,0 +1,110 @@
+---
+title: "Gateway Security Architecture"
+sidebarTitle: "Architecture"
+description: "Understand the security model and tenant isolation of Infisical's Gateway"
+---
+
+# Gateway Security Architecture
+
+The Infisical Gateway enables Infisical Cloud to securely interact with private resources using mutual TLS authentication and private PKI (Public Key Infrastructure) system to ensure secure, isolated communication between multiple tenants. 
+This document explains the internal security architecture and how tenant isolation is maintained.
+
+## Security Model Overview
+
+### Private PKI System
+Each organization (tenant) in Infisical has its own private PKI system consisting of:
+
+1. **Root CA**: The ultimate trust anchor for the organization
+2. **Intermediate CAs**:
+   - Client CA: Issues certificates for cloud components
+   - Gateway CA: Issues certificates for gateway instances
+
+This hierarchical structure ensures complete isolation between organizations as each has its own independent certificate chain.
+
+### Certificate Hierarchy
+```
+Root CA (Organization Specific)
+├── Client CA
+│   └── Client Certificates (Cloud Components)
+└── Gateway CA
+    └── Gateway Certificates (Gateway Instances)
+```
+
+## Communication Security
+
+### 1. Gateway Registration
+When a gateway is first deployed:
+
+1. Establishes initial connection using machine identity token
+2. Allocates a relay address for communication
+3. Exchanges certificates through a secure handshake:
+   - Gateway receives a unique certificate signed by organization's Gateway CA along with certificate chain for verification
+
+### 2. Mutual TLS Authentication
+All communication between gateway and cloud uses mutual TLS (mTLS):
+
+- **Gateway Authentication**:
+  - Presents certificate signed by organization's Gateway CA
+  - Certificate contains unique identifiers (Organization ID, Gateway ID)
+  - Cloud validates complete certificate chain
+
+- **Cloud Authentication**:
+  - Presents certificate signed by organization's Client CA
+  - Certificate includes required organizational unit ("gateway-client")
+  - Gateway validates certificate chain back to organization's root CA
+
+### 3. Relay Communication
+The relay system provides secure tunneling:
+
+1. **Connection Establishment**:
+   - Uses QUIC protocol over UDP for efficient, secure communication
+   - Provides built-in encryption, congestion control, and multiplexing
+   - Enables faster connection establishment and reduced latency
+   - Each organization's traffic is isolated using separate relay sessions
+
+2. **Traffic Isolation**:
+   - Each gateway gets unique relay credentials
+   - Traffic is end-to-end encrypted using QUIC's TLS 1.3
+   - Organization's private keys never leave their environment
+
+## Tenant Isolation
+
+### Certificate-Based Isolation
+- Each organization has unique root CA and intermediate CAs
+- Certificates contain organization-specific identifiers
+- Cross-tenant communication is cryptographically impossible
+
+### Gateway-Project Mapping
+- Gateways are explicitly mapped to specific projects
+- Access controls enforce organization boundaries
+- Project-level permissions determine resource accessibility
+
+### Resource Access Control
+1. **Project Verification**:
+   - Gateway verifies project membership
+   - Validates organization ownership
+   - Enforces project-level permissions
+
+2. **Resource Restrictions**:
+   - Gateways only accept connections to approved resources
+   - Each connection requires explicit project authorization
+   - Resources remain private to their assigned organization
+
+## Security Measures
+
+### Certificate Lifecycle
+- Certificates have limited validity periods
+- Automatic certificate rotation
+- Immediate certificate revocation capabilities
+
+### Monitoring and Verification
+1. **Continuous Verification**:
+   - Regular heartbeat checks
+   - Certificate chain validation
+   - Connection state monitoring
+
+2. **Security Controls**:
+   - Automatic connection termination on verification failure
+   - Audit logging of all access attempts
+   - Machine identity based authentication
+
--- a/docs/documentation/platform/webhooks.mdx
+++ b/docs/documentation/platform/webhooks.mdx
@@ -36,3 +36,18 @@ If the signature in the header matches the signature that you generated, then yo
  "timestamp": ""
 }
 ```
+
+```json
+{
+  "event": "secrets.reminder-expired",
+  "project": {
+    "workspaceId": "the workspace id",
+    "environment": "project environment",
+    "secretPath": "project folder path",
+    "secretName": "name of the secret",
+    "secretId": "id of the secret",
+    "reminderNote": "reminder note of the secret"
+  },
+  "timestamp": ""
+}
+```
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -203,7 +203,7 @@
        },
        {
          "group": "Gateway",
-          "pages": ["documentation/platform/gateways/overview"]
+          "pages": ["documentation/platform/gateways/overview", "documentation/platform/gateways/gateway-security"]
        },
        "documentation/platform/project-templates",
        {
--- a/frontend/src/components/projects/NewProjectModal.tsx
+++ b/frontend/src/components/projects/NewProjectModal.tsx
@@ -14,7 +14,6 @@ import {
  AccordionItem,
  AccordionTrigger,
  Button,
-  Checkbox,
  FormControl,
  Input,
  Modal,
@@ -33,13 +32,7 @@ import {
  useUser
 } from "@app/context";
 import { getProjectHomePage } from "@app/helpers/project";
-import {
-  fetchOrgUsers,
-  useAddUserToWsNonE2EE,
-  useCreateWorkspace,
-  useGetExternalKmsList,
-  useGetUserWorkspaces
-} from "@app/hooks/api";
+import { useCreateWorkspace, useGetExternalKmsList, useGetUserWorkspaces } from "@app/hooks/api";
 import { INTERNAL_KMS_KEY_ID } from "@app/hooks/api/kms/types";
 import { InfisicalProjectTemplate, useListProjectTemplates } from "@app/hooks/api/projectTemplates";
 import { ProjectType } from "@app/hooks/api/workspace/types";
@@ -51,7 +44,6 @@ const formSchema = z.object({
    .trim()
    .max(256, "Description too long, max length is 256 characters")
    .optional(),
-  addMembers: z.boolean(),
  kmsKeyId: z.string(),
  template: z.string()
 });
@@ -73,7 +65,6 @@ const NewProjectForm = ({ onOpenChange, projectType }: NewProjectFormProps) => {
  const { user } = useUser();
  const createWs = useCreateWorkspace();
  const { refetch: refetchWorkspaces } = useGetUserWorkspaces();
-  const addUsersToProject = useAddUserToWsNonE2EE();
  const { subscription } = useSubscription();

  const canReadProjectTemplates = permission.can(
@@ -111,7 +102,6 @@ const NewProjectForm = ({ onOpenChange, projectType }: NewProjectFormProps) => {
  const onCreateProject = async ({
    name,
    description,
-    addMembers,
    kmsKeyId,
    template
  }: TAddProjectFormData) => {
@@ -128,21 +118,6 @@ const NewProjectForm = ({ onOpenChange, projectType }: NewProjectFormProps) => {
        template,
        type: projectType
      });
-      const { id: newProjectId } = project;
-
-      if (addMembers) {
-        const orgUsers = await fetchOrgUsers(currentOrg.id);
-        await addUsersToProject.mutateAsync({
-          usernames: orgUsers
-            .filter(
-              (member) => member.user.username !== user.username && member.status === "accepted"
-            )
-            .map((member) => member.user.username),
-          projectId: newProjectId,
-          orgId: currentOrg.id
-        });
-      }
-
      await refetchWorkspaces();

      createNotification({ text: "Project created", type: "success" });
@@ -246,31 +221,7 @@ const NewProjectForm = ({ onOpenChange, projectType }: NewProjectFormProps) => {
          )}
        />
      </div>
-      <div className="mt-4 pl-1">
-        <Controller
-          control={control}
-          name="addMembers"
-          defaultValue={false}
-          render={({ field: { onBlur, value, onChange } }) => (
-            <OrgPermissionCan I={OrgPermissionActions.Read} a={OrgPermissionSubjects.Member}>
-              {(isAllowed) => (
-                <div>
-                  <Checkbox
-                    id="add-project-layout"
-                    isChecked={value}
-                    onCheckedChange={onChange}
-                    isDisabled={!isAllowed}
-                    onBlur={onBlur}
-                  >
-                    Add all members of my organization to this project
-                  </Checkbox>
-                </div>
-              )}
-            </OrgPermissionCan>
-          )}
-        />
-      </div>
-      <div className="mt-14 flex">
+      <div className="mt-4 flex">
        <Accordion type="single" collapsible className="w-full">
          <AccordionItem value="advance-settings" className="data-[state=open]:border-none">
            <AccordionTrigger className="h-fit flex-none pl-1 text-sm">
--- a/frontend/src/hooks/api/secrets/types.ts
+++ b/frontend/src/hooks/api/secrets/types.ts
@@ -101,6 +101,12 @@ export type SecretVersions = {
  skipMultilineEncoding?: boolean;
  createdAt: string;
  updatedAt: string;
+  actor?: {
+    actorId?: string | null;
+    actorType?: string | null;
+    name?: string | null;
+    membershipId?: string | null;
+  } | null;
 };

 // dto
--- a/frontend/src/pages/organization/AuditLogsPage/components/LogsTable.tsx
+++ b/frontend/src/pages/organization/AuditLogsPage/components/LogsTable.tsx
@@ -106,7 +106,7 @@ export const LogsTable = ({
          className="mb-20 mt-4 px-4 py-3 text-sm"
          isFullWidth
          variant="star"
-          isLoading={isFetchingNextPage || isPending}
+          isLoading={isFetchingNextPage}
          isDisabled={isFetchingNextPage || !hasNextPage}
          onClick={() => fetchNextPage()}
        >
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/DynamicSecretListView/EditDynamicSecretForm/EditDynamicSecretSqlProviderForm.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/DynamicSecretListView/EditDynamicSecretForm/EditDynamicSecretSqlProviderForm.tsx
@@ -36,7 +36,7 @@ const formSchema = z.object({
      revocationStatement: z.string().min(1),
      renewStatement: z.string().optional(),
      ca: z.string().optional(),
-      projectGatewayId: z.string().optional()
+      projectGatewayId: z.string().optional().nullable()
    })
    .partial(),
  defaultTTL: z.string().superRefine((val, ctx) => {
@@ -207,7 +207,7 @@ export const EditDynamicSecretSqlProviderForm = ({
                helperText=""
              >
                <Select
-                  value={value}
+                  value={value || undefined}
                  onValueChange={onChange}
                  className="w-full border border-mineshaft-500"
                  dropdownContainerClassName="max-w-none"
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx
@@ -5,15 +5,19 @@ import {
  faArrowRotateRight,
  faCheckCircle,
  faClock,
+  faCopy,
+  faDesktop,
  faEyeSlash,
  faPlus,
+  faServer,
  faShare,
  faTag,
-  faTrash
+  faTrash,
+  faUser
 } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { zodResolver } from "@hookform/resolvers/zod";
-import { Link } from "@tanstack/react-router";
+import { Link, useNavigate } from "@tanstack/react-router";
 import { format } from "date-fns";

 import { UpgradePlanModal } from "@app/components/license/UpgradePlanModal";
@@ -46,6 +50,7 @@ import {
 } from "@app/context";
 import { usePopUp, useToggle } from "@app/hooks";
 import { useGetSecretVersion } from "@app/hooks/api";
+import { ActorType } from "@app/hooks/api/auditLogs/enums";
 import { useGetSecretAccessList } from "@app/hooks/api/secrets/queries";
 import { SecretV3RawSanitized, WsTag } from "@app/hooks/api/types";
 import { ProjectType } from "@app/hooks/api/workspace/types";
@@ -120,6 +125,7 @@ export const SecretDetailSidebar = ({
    {}
  );
  const selectTagSlugs = selectedTags.map((i) => i.slug);
+  const navigate = useNavigate();

  const cannotEditSecret = permission.cannot(
    ProjectPermissionActions.Edit,
@@ -192,15 +198,73 @@ export const SecretDetailSidebar = ({
    await onSaveSecret(secret, { ...secret, ...data }, () => reset());
  };

-  const handleReminderSubmit = async (reminderRepeatDays: number | null | undefined, reminderNote: string | null | undefined) => {
-    await onSaveSecret(secret, { ...secret, reminderRepeatDays, reminderNote, isReminderEvent: true }, () => { });
-  }
+  const handleReminderSubmit = async (
+    reminderRepeatDays: number | null | undefined,
+    reminderNote: string | null | undefined
+  ) => {
+    await onSaveSecret(
+      secret,
+      { ...secret, reminderRepeatDays, reminderNote, isReminderEvent: true },
+      () => {}
+    );
+  };

  const [createReminderFormOpen, setCreateReminderFormOpen] = useToggle(false);

  const secretReminderRepeatDays = watch("reminderRepeatDays");
  const secretReminderNote = watch("reminderNote");

+  const getModifiedByIcon = (userType: string | undefined | null) => {
+    switch (userType) {
+      case ActorType.USER:
+        return faUser;
+      case ActorType.IDENTITY:
+        return faDesktop;
+      default:
+        return faServer;
+    }
+  };
+
+  const getModifiedByName = (
+    userType: string | undefined | null,
+    userName: string | null | undefined
+  ) => {
+    switch (userType) {
+      case ActorType.PLATFORM:
+        return "System-generated";
+      default:
+        return userName;
+    }
+  };
+
+  const getLinkToModifyHistoryEntity = (
+    actorId: string,
+    actorType: string,
+    membershipId: string | null = ""
+  ) => {
+    switch (actorType) {
+      case ActorType.USER:
+        return `/${ProjectType.SecretManager}/${currentWorkspace.id}/members/${membershipId}`;
+      case ActorType.IDENTITY:
+        return `/${ProjectType.SecretManager}/${currentWorkspace.id}/identities/${actorId}`;
+      default:
+        return null;
+    }
+  };
+
+  const onModifyHistoryClick = (
+    actorId: string | undefined | null,
+    actorType: string | undefined | null,
+    membershipId: string | undefined | null
+  ) => {
+    if (actorType && actorId && actorType !== ActorType.PLATFORM) {
+      const redirectLink = getLinkToModifyHistoryEntity(actorId, actorType, membershipId);
+      if (redirectLink) {
+        navigate({ to: redirectLink });
+      }
+    }
+  };
+
  return (
    <>
      <CreateReminderForm
@@ -213,7 +277,7 @@ export const SecretDetailSidebar = ({
          if (data) {
            setValue("reminderRepeatDays", data.days, { shouldDirty: false });
            setValue("reminderNote", data.note, { shouldDirty: false });
-            handleReminderSubmit(data.days, data.note)
+            handleReminderSubmit(data.days, data.note);
          }
        }}
      />
@@ -618,7 +682,7 @@ export const SecretDetailSidebar = ({
              <div className="mb-4flex-grow dark cursor-default text-sm text-bunker-300">
                <div className="mb-2 pl-1">Version History</div>
                <div className="thin-scrollbar flex h-48 flex-col space-y-2 overflow-y-auto overflow-x-hidden rounded-md border border-mineshaft-600 bg-mineshaft-900 p-4 dark:[color-scheme:dark]">
-                  {secretVersion?.map(({ createdAt, secretValue, version, id }) => (
+                  {secretVersion?.map(({ createdAt, secretValue, version, id, actor }) => (
                    <div className="flex flex-row">
                      <div key={id} className="flex w-full flex-col space-y-1">
                        <div className="flex items-center">
@@ -633,36 +697,42 @@ export const SecretDetailSidebar = ({
                          <div className="relative w-10">
                            <div className="absolute bottom-0 left-3 top-0 mt-0.5 border-l border-mineshaft-400/60" />
                          </div>
-                          <div className="flex flex-row">
-                            <div className="h-min w-fit rounded-sm bg-primary-500/10 px-1 text-primary-300/70">
-                              Value:
-                            </div>
-                            <div className="group break-all pl-1 font-mono">
-                              <div className="relative hidden cursor-pointer transition-all duration-200 group-[.show-value]:inline">
-                                <button
-                                  type="button"
-                                  className="select-none"
-                                  onClick={(e) => {
-                                    navigator.clipboard.writeText(secretValue || "");
-                                    const target = e.currentTarget;
-                                    target.style.borderBottom = "1px dashed";
-                                    target.style.paddingBottom = "-1px";
-
-                                    // Create and insert popup
-                                    const popup = document.createElement("div");
-                                    popup.className =
-                                      "w-16 flex justify-center absolute top-6 left-0 text-xs text-primary-100 bg-mineshaft-800 px-1 py-0.5 rounded-md border border-primary-500/50";
-                                    popup.textContent = "Copied!";
-                                    target.parentElement?.appendChild(popup);
-
-                                    // Remove popup and border after delay
-                                    setTimeout(() => {
-                                      popup.remove();
-                                      target.style.borderBottom = "none";
-                                    }, 3000);
-                                  }}
-                                  onKeyDown={(e) => {
-                                    if (e.key === "Enter" || e.key === " ") {
+                          <div className="flex w-full cursor-default flex-col">
+                            {actor && (
+                              <div className="flex flex-row">
+                                <div className="flex w-fit flex-row text-sm">
+                                  Modified by:
+                                  <Tooltip content={getModifiedByName(actor.actorType, actor.name)}>
+                                    {/* eslint-disable-next-line jsx-a11y/click-events-have-key-events, jsx-a11y/no-static-element-interactions */}
+                                    <div
+                                      onClick={() =>
+                                        onModifyHistoryClick(
+                                          actor.actorId,
+                                          actor.actorType,
+                                          actor.membershipId
+                                        )
+                                      }
+                                      className="cursor-pointer"
+                                    >
+                                      <FontAwesomeIcon
+                                        icon={getModifiedByIcon(actor.actorType)}
+                                        className="ml-2"
+                                      />
+                                    </div>
+                                  </Tooltip>
+                                </div>
+                              </div>
+                            )}
+                            <div className="flex flex-row">
+                              <div className="h-min w-fit rounded-sm bg-primary-500/10 px-1 text-primary-300/70">
+                                Value:
+                              </div>
+                              <div className="group break-all pl-1 font-mono">
+                                <div className="relative hidden cursor-pointer transition-all duration-200 group-[.show-value]:inline">
+                                  <button
+                                    type="button"
+                                    className="select-none text-left"
+                                    onClick={(e) => {
                                      navigator.clipboard.writeText(secretValue || "");
                                      const target = e.currentTarget;
                                      target.style.borderBottom = "1px dashed";
@@ -680,51 +750,74 @@ export const SecretDetailSidebar = ({
                                        popup.remove();
                                        target.style.borderBottom = "none";
                                      }, 3000);
-                                    }
-                                  }}
-                                >
-                                  {secretValue}
-                                </button>
-                                <button
-                                  type="button"
-                                  className="ml-1 cursor-pointer"
-                                  onClick={(e) => {
-                                    e.stopPropagation();
-                                    e.currentTarget
-                                      .closest(".group")
-                                      ?.classList.remove("show-value");
-                                  }}
-                                  onKeyDown={(e) => {
-                                    if (e.key === "Enter" || e.key === " ") {
+                                    }}
+                                    onKeyDown={(e) => {
+                                      if (e.key === "Enter" || e.key === " ") {
+                                        navigator.clipboard.writeText(secretValue || "");
+                                        const target = e.currentTarget;
+                                        target.style.borderBottom = "1px dashed";
+                                        target.style.paddingBottom = "-1px";
+
+                                        // Create and insert popup
+                                        const popup = document.createElement("div");
+                                        popup.className =
+                                          "w-16 flex justify-center absolute top-6 left-0 text-xs text-primary-100 bg-mineshaft-800 px-1 py-0.5 rounded-md border border-primary-500/50";
+                                        popup.textContent = "Copied!";
+                                        target.parentElement?.appendChild(popup);
+
+                                        // Remove popup and border after delay
+                                        setTimeout(() => {
+                                          popup.remove();
+                                          target.style.borderBottom = "none";
+                                        }, 3000);
+                                      }
+                                    }}
+                                  >
+                                    {secretValue}
+                                  </button>
+                                  <button
+                                    type="button"
+                                    className="ml-1 cursor-pointer"
+                                    onClick={(e) => {
                                      e.stopPropagation();
                                      e.currentTarget
                                        .closest(".group")
                                        ?.classList.remove("show-value");
-                                    }
-                                  }}
-                                >
-                                  <FontAwesomeIcon icon={faEyeSlash} />
-                                </button>
-                              </div>
-                              <span className="group-[.show-value]:hidden">
-                                {secretValue?.replace(/./g, "*")}
-                                <button
-                                  type="button"
-                                  className="ml-1 cursor-pointer"
-                                  onClick={(e) => {
-                                    e.currentTarget.closest(".group")?.classList.add("show-value");
-                                  }}
-                                  onKeyDown={(e) => {
-                                    if (e.key === "Enter" || e.key === " ") {
+                                    }}
+                                    onKeyDown={(e) => {
+                                      if (e.key === "Enter" || e.key === " ") {
+                                        e.stopPropagation();
+                                        e.currentTarget
+                                          .closest(".group")
+                                          ?.classList.remove("show-value");
+                                      }
+                                    }}
+                                  >
+                                    <FontAwesomeIcon icon={faEyeSlash} />
+                                  </button>
+                                </div>
+                                <span className="group-[.show-value]:hidden">
+                                  {secretValue?.replace(/./g, "*")}
+                                  <button
+                                    type="button"
+                                    className="ml-1 cursor-pointer"
+                                    onClick={(e) => {
                                      e.currentTarget
                                        .closest(".group")
                                        ?.classList.add("show-value");
-                                    }
-                                  }}
-                                >
-                                  <FontAwesomeIcon icon={faEye} />
-                                </button>
-                              </span>
+                                    }}
+                                    onKeyDown={(e) => {
+                                      if (e.key === "Enter" || e.key === " ") {
+                                        e.currentTarget
+                                          .closest(".group")
+                                          ?.classList.add("show-value");
+                                      }
+                                    }}
+                                  >
+                                    <FontAwesomeIcon icon={faEye} />
+                                  </button>
+                                </span>
+                              </div>
                            </div>
                          </div>
                        </div>
@@ -898,29 +991,49 @@ export const SecretDetailSidebar = ({
                      </Button>
                    )}
                  </ProjectPermissionCan>
-                  <ProjectPermissionCan
-                    I={ProjectPermissionActions.Delete}
-                    a={subject(ProjectPermissionSub.Secrets, {
-                      environment,
-                      secretPath,
-                      secretName: secretKey,
-                      secretTags: selectTagSlugs
-                    })}
-                  >
-                    {(isAllowed) => (
+                  <div className="flex items-center gap-2">
+                    <Tooltip content="Copy Secret ID">
                      <IconButton
-                        colorSchema="danger"
-                        ariaLabel="Delete Secret"
-                        className="border border-mineshaft-600 bg-mineshaft-700 hover:border-red-500/70 hover:bg-red-600/20"
-                        isDisabled={!isAllowed}
-                        onClick={onDeleteSecret}
+                        variant="outline_bg"
+                        ariaLabel="Copy Secret ID"
+                        onClick={async () => {
+                          await navigator.clipboard.writeText(secret.id);
+
+                          createNotification({
+                            title: "Secret ID Copied",
+                            text: "The secret ID has been copied to your clipboard.",
+                            type: "success"
+                          });
+                        }}
                      >
-                        <Tooltip content="Delete Secret">
-                          <FontAwesomeIcon icon={faTrash} />
-                        </Tooltip>
+                        <FontAwesomeIcon icon={faCopy} />
                      </IconButton>
-                    )}
-                  </ProjectPermissionCan>
+                    </Tooltip>
+                    <ProjectPermissionCan
+                      I={ProjectPermissionActions.Delete}
+                      a={subject(ProjectPermissionSub.Secrets, {
+                        environment,
+                        secretPath,
+                        secretName: secretKey,
+                        secretTags: selectTagSlugs
+                      })}
+                    >
+                      {(isAllowed) => (
+                        <Tooltip content="Delete Secret">
+                          <IconButton
+                            colorSchema="danger"
+                            variant="outline_bg"
+                            ariaLabel="Delete Secret"
+                            className="border border-mineshaft-600 bg-mineshaft-700 hover:border-red-500/70 hover:bg-red-600/20"
+                            isDisabled={!isAllowed}
+                            onClick={onDeleteSecret}
+                          >
+                            <FontAwesomeIcon icon={faTrash} />
+                          </IconButton>
+                        </Tooltip>
+                      )}
+                    </ProjectPermissionCan>
+                  </div>
                </div>
              </div>
            </div>
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretListView.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretListView.tsx
@@ -238,10 +238,12 @@ export const SecretListView = ({
        if (!isReminderEvent) {
          handlePopUpClose("secretDetail");
        }
-        
+
        let successMessage;
        if (isReminderEvent) {
-          successMessage = reminderRepeatDays ? "Successfully saved secret reminder" : "Successfully deleted secret reminder";
+          successMessage = reminderRepeatDays 
+            ? "Successfully saved secret reminder" 
+            : "Successfully deleted secret reminder";
        } else {
          successMessage = "Successfully saved secrets";
        }
--- a/nginx/default.conf
+++ b/nginx/default.conf
@@ -15,21 +15,6 @@ server {
        proxy_cookie_path / "/; HttpOnly; SameSite=strict";
    }

-     location /api/v1/organization/audit-logs {
-        proxy_set_header X-Real-RIP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-        proxy_set_header Host $http_host;
-        proxy_set_header X-NginX-Proxy true;
-
-        proxy_pass http://backend:4000;
-        proxy_redirect off;
-
-        proxy_cookie_path / "/; HttpOnly; SameSite=strict";
-
-        proxy_read_timeout 121s; # query timeout with padding
-     }
-
    location /api/v3/migrate {
        client_max_body_size 25M;

--- a/nginx/default.dev.conf
+++ b/nginx/default.dev.conf
@@ -17,21 +17,6 @@ server {
        proxy_cookie_path / "/; HttpOnly; SameSite=strict";
    }

-     location /api/v1/organization/audit-logs {
-        proxy_set_header X-Real-RIP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-        proxy_set_header Host $http_host;
-        proxy_set_header X-NginX-Proxy true;
-
-        proxy_pass http://backend:4000;
-        proxy_redirect off;
-
-        proxy_cookie_path / "/; HttpOnly; SameSite=strict";
-
-        proxy_read_timeout 121s; # query timeout with padding
-    }
-
 		location /runtime-ui-env.js {
        proxy_set_header X-Real-RIP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Author	SHA1	Message	Date
=	004a8b71a2	feat: refactored the systemd service to seperate package file	2025-03-10 16:03:51 +05:30
Maidul Islam	2bd681d58f	add system md service for gateway	2025-03-09 16:07:33 -04:00
Maidul Islam	51fef3ce60	Merge pull request #3210 from akhilmhdh/fix/gateway-patch-up Gateway patch up	2025-03-09 14:03:21 -04:00
=	df9e7bf6ee	feat: renamed timeout	2025-03-09 22:06:27 +05:30
=	04479bb70a	fix: removed cert read to load	2025-03-09 21:37:28 +05:30
=	cdc90411e5	feat: updated gateway to use dtls	2025-03-09 21:15:10 +05:30
=	dcb05a3093	feat: resolved not able to edit sql form due to gateway change	2025-03-09 21:15:10 +05:30
=	b055cda64d	feat: increased turn cred duration, and fixed gateway crashing	2025-03-09 21:15:10 +05:30
Maidul Islam	f68602280e	Merge pull request #3197 from Infisical/gateway-arch add gateway security docs	2025-03-07 20:15:49 -05:00
Maidul Islam	f9483afe95	Merge pull request #3204 from akoullick1/patch-13 Update meetings.mdx	2025-03-07 18:31:16 -05:00
akoullick1	d742534f6a	Update meetings.mdx ECD detail	2025-03-07 14:54:38 -08:00
carlosmonastyrski	f6372249b4	Merge pull request #3206 from Infisical/fix/removeInviteAllOnProjectCreation Remove addAllMembers option from project creation modal	2025-03-07 17:16:12 -03:00
carlosmonastyrski	0f42fcd688	Remove addAllMembers option from project creation modal	2025-03-07 16:59:12 -03:00
Maidul Islam	2e02f8bea8	Merge pull request #3199 from akhilmhdh/feat/webhook-reminder Added webhook trigger for secret reminder	2025-03-07 14:17:11 -05:00
carlosmonastyrski	8203158c63	Merge pull request #3195 from Infisical/feat/addSecretNameToSlackNotification Feat/add secret name to slack notification	2025-03-07 15:39:06 -03:00
akoullick1	ada04ed4fc	Update meetings.mdx Added daily standup	2025-03-07 10:19:54 -08:00
Sheen	cc9cc70125	Merge pull request #3203 from Infisical/misc/add-uncaught-exception-handler misc: add uncaught exception handler	2025-03-08 00:36:08 +08:00
Sheen Capadngan	045debeaf3	misc: added unhandled rejection handler	2025-03-08 00:29:23 +08:00
Sheen Capadngan	3fb8ad2fac	misc: add uncaught exception handler	2025-03-08 00:22:27 +08:00
Sheen	cbe3acde74	Merge pull request #3202 from Infisical/fix/address-unhandled-promise-rejects-causing-502 fix: address unhandled promise rejects causing 502s	2025-03-07 23:48:43 +08:00
Daniel Hougaard	de480b5771	Merge pull request #3181 from Infisical/daniel/id-get-secret feat: get secret by ID	2025-03-07 19:35:52 +04:00
Daniel Hougaard	07b93c5cec	Update secret-v2-bridge-service.ts	2025-03-07 19:26:18 +04:00
Daniel Hougaard	77431b4719	requested changes	2025-03-07 19:26:18 +04:00
Daniel Hougaard	50610945be	feat: get secret by ID	2025-03-07 19:25:53 +04:00
Sheen Capadngan	57f54440d6	misc: added support for type	2025-03-07 23:15:05 +08:00
Sheen Capadngan	9711e73a06	fix: address unhandled promise rejects causing 502s	2025-03-07 23:05:47 +08:00
carlosmonastyrski	58ebebb162	Merge pull request #3191 from Infisical/feat/addActorToVersionHistory Add actor to secret version history	2025-03-07 08:06:24 -03:00
carlosmonastyrski	65ddddb6de	Change slack notification label from key to secret key	2025-03-07 08:03:02 -03:00
=	a55b26164a	feat: updated doc	2025-03-07 15:14:09 +05:30
=	6cd448b8a5	feat: webhook on secret reminder trigger	2025-03-07 15:01:14 +05:30
Maidul Islam	75345d91c0	add gateway security docs	2025-03-06 18:49:57 -05:00
carlosmonastyrski	b7640f2d03	Lint fixes	2025-03-06 17:36:09 -03:00
carlosmonastyrski	2ee4d68fd0	Fix case for multiple projects messing with the joins	2025-03-06 17:04:01 -03:00
carlosmonastyrski	3ca931acf1	Add condition to query to only retrieve the actual project id	2025-03-06 16:38:49 -03:00
carlosmonastyrski	7f6715643d	Change label from Secret to Key for consistency with the UI	2025-03-06 15:31:37 -03:00
carlosmonastyrski	8e311658d4	Improve query to only use one to retrieve all information	2025-03-06 15:15:52 -03:00
carlosmonastyrski	9116acd37b	Fix linter issues	2025-03-06 13:07:03 -03:00
carlosmonastyrski	0513307d98	Improve code quality	2025-03-06 12:55:10 -03:00
carlosmonastyrski	28c2f1874e	Add secret name to slack notification	2025-03-06 12:46:43 -03:00
carlosmonastyrski	efc3b6d474	Remove secret_version_v1 changes	2025-03-06 11:31:26 -03:00
carlosmonastyrski	07e1d1b130	Merge branch 'main' into feat/addActorToVersionHistory	2025-03-06 10:56:54 -03:00
carlosmonastyrski	7f76779124	Fix frontend type errors	2025-03-06 09:17:55 -03:00
carlosmonastyrski	30bcf1f204	Fix linter and type issues, made a small fix for secret rotation platform events	2025-03-06 09:10:13 -03:00
Maidul Islam	706feafbf2	revert featureset changes	2025-03-06 00:20:08 -05:00
Maidul Islam	fc4e3f1f72	update relay health check	2025-03-05 23:50:11 -05:00
Maidul Islam	dcd5f20325	add example	2025-03-05 22:20:13 -05:00
Maidul Islam	58f3e116a3	add example	2025-03-05 22:19:56 -05:00
Maidul Islam	7bc5aad8ec	fix infinite loop	2025-03-05 22:14:09 -05:00
Maidul Islam	a16dc3aef6	add windows stub to fix build issue	2025-03-05 18:29:29 -05:00
Maidul Islam	da7746c639	use forked pion	2025-03-05 17:54:23 -05:00
carlosmonastyrski	cd5b6da541	Merge branch 'main' into feat/addActorToVersionHistory	2025-03-05 17:53:57 -03:00
carlosmonastyrski	2dda7180a9	Fix linter issue	2025-03-05 17:36:00 -03:00
carlosmonastyrski	30ccfbfc8e	Add actor to secret version history	2025-03-05 17:20:57 -03:00
Maidul Islam	aa76924ee6	fix import	2025-03-05 14:48:36 -05:00
Maidul Islam	d8f679e72d	Merge pull request #3189 from Infisical/revert-3128-daniel/view-secret-value-permission Revert "feat(api/secrets): view secret value permission"	2025-03-05 14:15:16 -05:00
Maidul Islam	bf6cfbac7a	Revert "feat(api/secrets): view secret value permission"	2025-03-05 14:15:02 -05:00
Daniel Hougaard	8e82813894	Merge pull request #3128 from Infisical/daniel/view-secret-value-permission feat(api/secrets): view secret value permission	2025-03-05 22:57:25 +04:00
Daniel Hougaard	df21a1fb81	fix: types	2025-03-05 22:47:40 +04:00
Daniel Hougaard	bdbb6346cb	fix: permission error instead of not found error on single secret import	2025-03-05 22:47:40 +04:00
Daniel Hougaard	ea9da6d2a8	fix: view secret value (requested changes)	2025-03-05 22:47:40 +04:00
Daniel Hougaard	3c2c70912f	Update secret-service.ts	2025-03-05 22:47:40 +04:00
Daniel Hougaard	b607429b99	chore: minor ui improvements	2025-03-05 22:47:40 +04:00
Daniel Hougaard	16c1516979	fix: move permissions	2025-03-05 22:47:40 +04:00
Daniel Hougaard	f5dbbaf1fd	Update SecretEditRow.tsx	2025-03-05 22:47:40 +04:00
Daniel Hougaard	2a292455ef	chore: minor ui improvements	2025-03-05 22:47:40 +04:00
Daniel Hougaard	4d040706a9	Update SecretDetailSidebar.tsx	2025-03-05 22:47:40 +04:00
Daniel Hougaard	5183f76397	fix: pathing	2025-03-05 22:47:40 +04:00
Daniel Hougaard	4b3efb43b0	fix: view secret value permission (requested changes)	2025-03-05 22:47:40 +04:00
Daniel Hougaard	96046726b2	Update 20250218020306_backfill-secret-permissions-with-readvalue.ts	2025-03-05 22:47:40 +04:00
Daniel Hougaard	a86a951acc	Update secret-snapshot-service.ts	2025-03-05 22:47:40 +04:00
Daniel Hougaard	5e70860160	fix: ui bug	2025-03-05 22:47:40 +04:00
Daniel Hougaard	abbd427ee2	minor lint fixes	2025-03-05 22:47:40 +04:00
Daniel Hougaard	8fd5fdbc6a	chore: minor changes	2025-03-05 22:47:40 +04:00
Daniel Hougaard	77e1ccc8d7	fix: view secret value permission (requested changes)	2025-03-05 22:47:40 +04:00
Daniel Hougaard	711cc438f6	chore: better error	2025-03-05 22:47:40 +04:00
Daniel Hougaard	8447190bf8	fix: coderabbit requested changes	2025-03-05 22:47:40 +04:00
Daniel Hougaard	12b447425b	chore: further cleanup	2025-03-05 22:47:40 +04:00
Daniel Hougaard	9cb1a31287	fix: allow Viewer role to read value	2025-03-05 22:47:40 +04:00
Daniel Hougaard	b00413817d	fix: add service token read value permissions	2025-03-05 22:47:40 +04:00
Daniel Hougaard	2a8bd74e88	Update 20250218020306_backfill-secret-permissions-with-readvalue.ts	2025-03-05 22:47:40 +04:00
Daniel Hougaard	f28f4f7561	fix: requested changes	2025-03-05 22:47:40 +04:00
Daniel Hougaard	f0b05c683b	fix: service token creation	2025-03-05 22:47:40 +04:00
Daniel Hougaard	3e8f02a4f9	Update service-token.spec.ts	2025-03-05 22:47:40 +04:00
Daniel Hougaard	50ee60a3ea	Update service-token.spec.ts	2025-03-05 22:47:40 +04:00
Daniel Hougaard	21bdecdf2a	Update secret-v2-bridge-service.ts	2025-03-05 22:47:40 +04:00
Daniel Hougaard	bf09461416	Update secret-v2-bridge-service.ts	2025-03-05 22:47:40 +04:00
Daniel Hougaard	1ff615913c	fix: bulk secret create	2025-03-05 22:47:40 +04:00
Daniel Hougaard	281cedf1a2	fix: updated migration to support additional privileges	2025-03-05 22:47:39 +04:00
Daniel Hougaard	a8d847f139	chore: remove logs	2025-03-05 22:47:39 +04:00
Daniel Hougaard	2a0c0590f1	fix: cleanup and bug fixes	2025-03-05 22:47:39 +04:00
Daniel Hougaard	2e6d525d27	chore: cleanup	2025-03-05 22:47:39 +04:00
Daniel Hougaard	7fd4249d00	fix: frontend requested changes	2025-03-05 22:47:39 +04:00
Daniel Hougaard	90cfc44592	fix: personal secret support without read value permission	2025-03-05 22:47:39 +04:00
Daniel Hougaard	8c403780c2	chore: lint & ts	2025-03-05 22:47:39 +04:00
Daniel Hougaard	b69c091f2f	Update 20250218020306_backfill-secret-permissions-with-readvalue.ts	2025-03-05 22:47:39 +04:00
Daniel Hougaard	4a66395ce6	feat(api): view secret value, WIP	2025-03-05 22:47:39 +04:00
Daniel Hougaard	8c18753e3f	Merge pull request #3188 from Infisical/daniel/fix-breaking-check fix: breaking changes check	2025-03-05 22:45:56 +04:00
Daniel Hougaard	85c5d69c36	chore: remove breaking change test	2025-03-05 22:42:29 +04:00
Daniel Hougaard	94fe577046	chore: test breaking change	2025-03-05 22:38:35 +04:00
Daniel Hougaard	a0a579834c	fix: check docs endpoint instead of status	2025-03-05 22:36:43 +04:00
Daniel Hougaard	b5575f4c20	fix api endpoint	2025-03-05 22:31:01 +04:00
Daniel Hougaard	f98f212ecf	Update check-api-for-breaking-changes.yml	2025-03-05 22:23:49 +04:00
Daniel Hougaard	b331a4a708	fix: breaking changes check	2025-03-05 22:17:16 +04:00