add slack notification message on success

2025-03-22 13:07:43 +00:00 · 2024-12-20 17:33:36 -08:00
1570 changed files with 43649 additions and 41033 deletions
--- a/.github/actions/notify-slack/action.yaml
+++ b/.github/actions/notify-slack/action.yaml
@ -0,0 +1,42 @@
+name: notify-slack
+description: notify slack
+inputs:
+  channel:
+    description: channel to send message
+    required: true
+  token:
+    description: token with chat:write and chat:write.public permissions
+    required: true
+  message:
+    description: message formatted in Markdown
+    required: true
+runs:
+  using: composite
+  steps:
+    # see https://api.slack.com/tutorials/tracks/posting-messages-with-curl#let-us-hello-then__making-your-messages-more-fantastic
+    - name: notify-slack
+      shell: bash
+      run: |
+        curl https://slack.com/api/chat.postMessage \
+        -X POST --fail --silent --show-error \
+        -H "Authorization: Bearer ${SLACK_TOKEN}" \
+        -H "Content-type: application/json; charset=utf-8" \
+        --data @<(yq -pjson -ojson '.channel = env(SLACK_CHANNEL) | .blocks[0].text.text = env(MESSAGE)' <<'EOF'
+        {
+          "channel": "<replace me>",
+          "blocks": [
+            {
+              "type": "section",
+              "text": {
+                "type": "mrkdwn",
+                "text": "<replace me>"
+              }
+            }
+          ]
+        }
+        EOF
+        ) >/dev/null
+      env:
+        SLACK_CHANNEL: ${{ inputs.channel }}
+        SLACK_TOKEN: ${{ inputs.token }}
+        MESSAGE: ${{ inputs.message }}
--- a/.github/workflows/check-fe-ts-and-lint.yml
+++ b/.github/workflows/check-fe-ts-and-lint.yml
@ -18,18 +18,18 @@ jobs:
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 🔧 Setup Node 20
+      - name: 🔧 Setup Node 16
        uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "16"
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
      - name: 📦 Install dependencies
        run: npm install
        working-directory: frontend
      - name: 🏗️ Run Type check
-        run: npm run type:check
+        run: npm run type:check 
        working-directory: frontend
      - name: 🏗️ Run Link check
-        run: npm run lint:fix
+        run: npm run lint:fix 
        working-directory: frontend
--- a/.github/workflows/deployment-pipeline.yml
+++ b/.github/workflows/deployment-pipeline.yml
@ -97,12 +97,18 @@ jobs:
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
          service: infisical-core-gamma-stage
          cluster: infisical-gamma-stage
          wait-for-service-stability: true
+      # only notify of success because continue-on-error is so tricky, see https://www.kenmuse.com/blog/how-to-handle-step-and-job-errors-in-github-actions/
+      - uses: ./.github/actions/notify-slack
+        with:
+          token: ${{ secrets.SLACK_TOKEN }}
+          channel: ${{ secrets.SLACK_CHANNEL }}
+          message: deployed infisical/staging_infisical:${{ steps.commit.outputs.short }} to ${{ vars.ENVIRONMENT }}

  production-us:
    name: US production deploy 
@ -153,12 +159,18 @@ jobs:
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
          service: infisical-core-platform
          cluster: infisical-core-platform
          wait-for-service-stability: true
+      # only notify of success because continue-on-error is so tricky, see https://www.kenmuse.com/blog/how-to-handle-step-and-job-errors-in-github-actions/
+      - uses: ./.github/actions/notify-slack
+        with:
+          token: ${{ secrets.SLACK_TOKEN }}
+          channel: ${{ secrets.SLACK_CHANNEL }}
+          message: deployed infisical/staging_infisical:${{ steps.commit.outputs.short }} to ${{ vars.ENVIRONMENT }}

  production-eu:
      name: EU production deploy
@ -204,9 +216,15 @@ jobs:
            image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
            environment-variables: "LOG_LEVEL=info"
        - name: Deploy to Amazon ECS service
-          uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+          uses: aws-actions/amazon-ecs-deploy-task-definition@v1
          with:
            task-definition: ${{ steps.render-web-container.outputs.task-definition }}
            service: infisical-core-platform
            cluster: infisical-core-platform
            wait-for-service-stability: true
+      # only notify of success because continue-on-error is so tricky, see https://www.kenmuse.com/blog/how-to-handle-step-and-job-errors-in-github-actions/
+      - uses: ./.github/actions/notify-slack
+        with:
+          token: ${{ secrets.SLACK_TOKEN }}
+          channel: ${{ secrets.SLACK_CHANNEL }}
+          message: deployed infisical/staging_infisical:${{ steps.commit.outputs.short }} to ${{ vars.ENVIRONMENT }}
--- a/Dockerfile.fips.standalone-infisical
+++ b/Dockerfile.fips.standalone-infisical
@ -8,7 +8,7 @@ FROM node:20-slim AS base
 FROM base AS frontend-dependencies
 WORKDIR /app

-COPY frontend/package.json frontend/package-lock.json  ./
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./

 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@ -23,16 +23,17 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .

 ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV VITE_POSTHOG_HOST $POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV VITE_INTERCOM_ID $INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 

 # Build
 RUN npm run build
@ -43,10 +44,20 @@ WORKDIR /app

 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user

-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static

 USER non-root-user

+ENV NEXT_TELEMETRY_DISABLED 1
+
 ##
 ## BACKEND
 ##
@ -126,7 +137,7 @@ RUN apt-get update && apt-get install -y \
    freetds-dev \
    freetds-bin \
    tdsodbc \
-    openssh-client \
+    openssh \
    && rm -rf /var/lib/apt/lists/*

 # Configure ODBC in production
@ -149,11 +160,14 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates

 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV INTERCOM_ID=$INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY

 WORKDIR / 

@ -178,4 +192,4 @@ EXPOSE 443

 USER non-root-user

-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -12,7 +12,7 @@ RUN apk add --no-cache libc6-compat

 WORKDIR /app

-COPY frontend/package.json frontend/package-lock.json  ./
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./

 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@ -27,16 +27,17 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .

 ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV VITE_POSTHOG_HOST $POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV VITE_INTERCOM_ID $INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 

 # Build
 RUN npm run build
@ -48,10 +49,20 @@ WORKDIR /app
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 non-root-user

-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static

 USER non-root-user

+ENV NEXT_TELEMETRY_DISABLED 1
+
 ##
 ## BACKEND
 ##
@ -148,11 +159,14 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates

 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV INTERCOM_ID=$INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+  BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY


 COPY --from=backend-runner /app /backend
@ -175,4 +189,4 @@ EXPOSE 443

 USER non-root-user

-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@ -26,7 +26,6 @@
        "@fastify/rate-limit": "^9.0.0",
        "@fastify/request-context": "^5.1.0",
        "@fastify/session": "^10.7.0",
-        "@fastify/static": "^7.0.4",
        "@fastify/swagger": "^8.14.0",
        "@fastify/swagger-ui": "^2.1.0",
        "@google-cloud/kms": "^4.5.0",
@ -5407,7 +5406,6 @@
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/@fastify/accept-negotiator/-/accept-negotiator-1.1.0.tgz",
      "integrity": "sha512-OIHZrb2ImZ7XG85HXOONLcJWGosv7sIvM2ifAPQVhg9Lv7qdmMBNVaai4QTdyuaqbKM5eO6sLSQOYI7wEQeCJQ==",
-      "license": "MIT",
      "engines": {
        "node": ">=14"
      }
@ -5547,7 +5545,6 @@
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/@fastify/send/-/send-2.1.0.tgz",
      "integrity": "sha512-yNYiY6sDkexoJR0D8IDy3aRP3+L4wdqCpvx5WP+VtEU58sn7USmKynBzDQex5X42Zzvw2gNzzYgP90UfWShLFA==",
-      "license": "MIT",
      "dependencies": {
        "@lukeed/ms": "^2.0.1",
        "escape-html": "~1.0.3",
@ -5566,85 +5563,16 @@
      }
    },
    "node_modules/@fastify/static": {
-      "version": "7.0.4",
-      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-7.0.4.tgz",
-      "integrity": "sha512-p2uKtaf8BMOZWLs6wu+Ihg7bWNBdjNgCwDza4MJtTqg+5ovKmcbgbR9Xs5/smZ1YISfzKOCNYmZV8LaCj+eJ1Q==",
-      "license": "MIT",
+      "version": "6.12.0",
+      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-6.12.0.tgz",
+      "integrity": "sha512-KK1B84E6QD/FcQWxDI2aiUCwHxMJBI1KeCUzm1BwYpPY1b742+jeKruGHP2uOluuM6OkBPI8CIANrXcCRtC2oQ==",
      "dependencies": {
        "@fastify/accept-negotiator": "^1.0.0",
        "@fastify/send": "^2.0.0",
        "content-disposition": "^0.5.3",
        "fastify-plugin": "^4.0.0",
-        "fastq": "^1.17.0",
-        "glob": "^10.3.4"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^1.0.0"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/glob": {
-      "version": "10.4.5",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
-      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
-      "license": "ISC",
-      "dependencies": {
-        "foreground-child": "^3.1.0",
-        "jackspeak": "^3.1.2",
-        "minimatch": "^9.0.4",
-        "minipass": "^7.1.2",
-        "package-json-from-dist": "^1.0.0",
-        "path-scurry": "^1.11.1"
-      },
-      "bin": {
-        "glob": "dist/esm/bin.mjs"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/jackspeak": {
-      "version": "3.4.3",
-      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
-      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
-      "license": "BlueOak-1.0.0",
-      "dependencies": {
-        "@isaacs/cliui": "^8.0.2"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      },
-      "optionalDependencies": {
-        "@pkgjs/parseargs": "^0.11.0"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
-      "license": "ISC",
-      "dependencies": {
-        "brace-expansion": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
+        "glob": "^8.0.1",
+        "p-limit": "^3.1.0"
      }
    },
    "node_modules/@fastify/swagger": {
@ -5671,20 +5599,6 @@
        "yaml": "^2.2.2"
      }
    },
-    "node_modules/@fastify/swagger-ui/node_modules/@fastify/static": {
-      "version": "6.12.0",
-      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-6.12.0.tgz",
-      "integrity": "sha512-KK1B84E6QD/FcQWxDI2aiUCwHxMJBI1KeCUzm1BwYpPY1b742+jeKruGHP2uOluuM6OkBPI8CIANrXcCRtC2oQ==",
-      "license": "MIT",
-      "dependencies": {
-        "@fastify/accept-negotiator": "^1.0.0",
-        "@fastify/send": "^2.0.0",
-        "content-disposition": "^0.5.3",
-        "fastify-plugin": "^4.0.0",
-        "glob": "^8.0.1",
-        "p-limit": "^3.1.0"
-      }
-    },
    "node_modules/@google-cloud/kms": {
      "version": "4.5.0",
      "resolved": "https://registry.npmjs.org/@google-cloud/kms/-/kms-4.5.0.tgz",
@ -6148,10 +6062,9 @@
      "integrity": "sha512-O89xFDLW2gBoZWNXuXpBSM32/KealKCTb3JGtJdtUQc7RjAk8XzrRgyz02cPAwGKwKPxy0ivuC7UP9bmN87egQ=="
    },
    "node_modules/@lukeed/ms": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.2.tgz",
-      "integrity": "sha512-9I2Zn6+NJLfaGoz9jN3lpwDgAYvfGeNYdbAIjJOqzs4Tpc+VU3Jqq4IofSUBKajiDS8k9fZIg18/z13mpk1bsA==",
-      "license": "MIT",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.1.tgz",
+      "integrity": "sha512-Xs/4RZltsAL7pkvaNStUQt7netTkyxrS0K+RILcVr3TRMS/ToOg4I6uNfhB9SlGsnWBym4U+EaXq0f0cEMNkHA==",
      "engines": {
        "node": ">=8"
      }
@ -13966,9 +13879,9 @@
      }
    },
    "node_modules/express": {
-      "version": "4.21.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz",
-      "integrity": "sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==",
+      "version": "4.21.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz",
+      "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==",
      "license": "MIT",
      "dependencies": {
        "accepts": "~1.3.8",
@ -13990,7 +13903,7 @@
        "methods": "~1.1.2",
        "on-finished": "2.4.1",
        "parseurl": "~1.3.3",
-        "path-to-regexp": "0.1.12",
+        "path-to-regexp": "0.1.10",
        "proxy-addr": "~2.0.7",
        "qs": "6.13.0",
        "range-parser": "~1.2.1",
@ -14005,10 +13918,6 @@
      },
      "engines": {
        "node": ">= 0.10.0"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
      }
    },
    "node_modules/express-session": {
@ -17479,16 +17388,15 @@
      }
    },
    "node_modules/nanoid": {
-      "version": "3.3.8",
-      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.8.tgz",
-      "integrity": "sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==",
+      "version": "3.3.7",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz",
+      "integrity": "sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==",
      "funding": [
        {
          "type": "github",
          "url": "https://github.com/sponsors/ai"
        }
      ],
-      "license": "MIT",
      "bin": {
        "nanoid": "bin/nanoid.cjs"
      },
@ -18475,9 +18383,9 @@
      "license": "ISC"
    },
    "node_modules/path-to-regexp": {
-      "version": "0.1.12",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz",
-      "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==",
+      "version": "0.1.10",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz",
+      "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==",
      "license": "MIT"
    },
    "node_modules/path-type": {
--- a/backend/package.json
+++ b/backend/package.json
@ -134,7 +134,6 @@
    "@fastify/rate-limit": "^9.0.0",
    "@fastify/request-context": "^5.1.0",
    "@fastify/session": "^10.7.0",
-    "@fastify/static": "^7.0.4",
    "@fastify/swagger": "^8.14.0",
    "@fastify/swagger-ui": "^2.1.0",
    "@google-cloud/kms": "^4.5.0",
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -218,9 +218,6 @@ import {
  TRateLimit,
  TRateLimitInsert,
  TRateLimitUpdate,
-  TResourceMetadata,
-  TResourceMetadataInsert,
-  TResourceMetadataUpdate,
  TSamlConfigs,
  TSamlConfigsInsert,
  TSamlConfigsUpdate,
@ -890,11 +887,6 @@ declare module "knex/types/tables" {
      TProjectSplitBackfillIdsInsert,
      TProjectSplitBackfillIdsUpdate
    >;
-    [TableName.ResourceMetadata]: KnexOriginal.CompositeTableType<
-      TResourceMetadata,
-      TResourceMetadataInsert,
-      TResourceMetadataUpdate
-    >;
    [TableName.AppConnection]: KnexOriginal.CompositeTableType<
      TAppConnections,
      TAppConnectionsInsert,
--- a/backend/src/db/migrations/20241218165837_resource-metadata.ts
+++ b/backend/src/db/migrations/20241218165837_resource-metadata.ts
@ -1,40 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.ResourceMetadata))) {
-    await knex.schema.createTable(TableName.ResourceMetadata, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("key").notNullable();
-      tb.string("value", 1020).notNullable();
-      tb.uuid("orgId").notNullable();
-      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      tb.uuid("userId");
-      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      tb.uuid("identityId");
-      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      tb.uuid("secretId");
-      tb.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
-      tb.timestamps(true, true, true);
-    });
-  }
-
-  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
-  if (!hasSecretMetadataField) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      t.jsonb("secretMetadata");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ResourceMetadata);
-
-  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
-  if (hasSecretMetadataField) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      t.dropColumn("secretMetadata");
-    });
-  }
-}
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -71,7 +71,6 @@ export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./rate-limit";
-export * from "./resource-metadata";
 export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -80,7 +80,6 @@ export enum TableName {
  IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
  // used by both identity and users
  IdentityMetadata = "identity_metadata",
-  ResourceMetadata = "resource_metadata",
  ScimToken = "scim_tokens",
  AccessApprovalPolicy = "access_approval_policies",
  AccessApprovalPolicyApprover = "access_approval_policies_approvers",
--- a/backend/src/db/schemas/resource-metadata.ts
+++ b/backend/src/db/schemas/resource-metadata.ts
@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ResourceMetadataSchema = z.object({
-  id: z.string().uuid(),
-  key: z.string(),
-  value: z.string(),
-  orgId: z.string().uuid(),
-  userId: z.string().uuid().nullable().optional(),
-  identityId: z.string().uuid().nullable().optional(),
-  secretId: z.string().uuid().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;
-export type TResourceMetadataInsert = Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>;
-export type TResourceMetadataUpdate = Partial<Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/secret-approval-requests-secrets-v2.ts
+++ b/backend/src/db/schemas/secret-approval-requests-secrets-v2.ts
@ -24,8 +24,7 @@ export const SecretApprovalRequestsSecretsV2Schema = z.object({
  requestId: z.string().uuid(),
  op: z.string(),
  secretId: z.string().uuid().nullable().optional(),
-  secretVersion: z.string().uuid().nullable().optional(),
-  secretMetadata: z.unknown().nullable().optional()
+  secretVersion: z.string().uuid().nullable().optional()
 });

 export type TSecretApprovalRequestsSecretsV2 = z.infer<typeof SecretApprovalRequestsSecretsV2Schema>;
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -22,7 +22,6 @@ import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-rou
 import { registerSecretApprovalRequestRouter } from "./secret-approval-request-router";
 import { registerSecretRotationProviderRouter } from "./secret-rotation-provider-router";
 import { registerSecretRotationRouter } from "./secret-rotation-router";
-import { registerSecretRouter } from "./secret-router";
 import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 import { registerSnapshotRouter } from "./snapshot-router";
@ -93,7 +92,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  await server.register(registerLdapRouter, { prefix: "/ldap" });
  await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
  await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
-  await server.register(registerSecretRouter, { prefix: "/secrets" });
  await server.register(registerSecretVersionRouter, { prefix: "/secret" });
  await server.register(registerGroupRouter, { prefix: "/groups" });
  await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@ -84,10 +84,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                samlConfig.audience = `spn:${ssoConfig.issuer}`;
              }
            }
-            if (
-              ssoConfig.authProvider === SamlProviders.GOOGLE_SAML ||
-              ssoConfig.authProvider === SamlProviders.AUTH0_SAML
-            ) {
+            if (ssoConfig.authProvider === SamlProviders.GOOGLE_SAML) {
              samlConfig.wantAssertionsSigned = false;
            }

@ -126,10 +123,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
              `email: ${email} firstName: ${profile.firstName as string}`
            );

-            throw new BadRequestError({
-              message:
-                "Missing email or first name. Please double check your SAML attribute mapping for the selected provider."
-            });
+            throw new Error("Invalid saml request. Missing email or first name");
          }

          const userMetadata = Object.keys(profile.attributes || {})
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -12,7 +12,6 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";

 const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
  UsersSchema.pick({
@ -275,7 +274,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                .extend({
                  op: z.string(),
                  tags: tagSchema,
-                  secretMetadata: ResourceMetadataSchema.nullish(),
                  secret: z
                    .object({
                      id: z.string(),
@ -293,8 +291,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                      secretKey: z.string(),
                      secretValue: z.string().optional(),
                      secretComment: z.string().optional(),
-                      tags: tagSchema,
-                      secretMetadata: ResourceMetadataSchema.nullish()
+                      tags: tagSchema
                    })
                    .optional()
                })
--- a/backend/src/ee/routes/v1/secret-router.ts
+++ b/backend/src/ee/routes/v1/secret-router.ts
@ -1,71 +0,0 @@
-import z from "zod";
-
-import { ProjectPermissionActions } from "@app/ee/services/permission/project-permission";
-import { RAW_SECRETS } from "@app/lib/api-docs";
-import { removeTrailingSlash } from "@app/lib/fn";
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-const AccessListEntrySchema = z
-  .object({
-    allowedActions: z.nativeEnum(ProjectPermissionActions).array(),
-    id: z.string(),
-    membershipId: z.string(),
-    name: z.string()
-  })
-  .array();
-
-export const registerSecretRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "GET",
-    url: "/:secretName/access-list",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Get list of users, machine identities, and groups with access to a secret",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.secretName)
-      }),
-      querystring: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.GET_ACCESS_LIST.secretPath)
-      }),
-      response: {
-        200: z.object({
-          groups: AccessListEntrySchema,
-          identities: AccessListEntrySchema,
-          users: AccessListEntrySchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { secretName } = req.params;
-      const { secretPath, environment, workspaceId: projectId } = req.query;
-
-      return server.services.secret.getSecretAccessList({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        secretPath,
-        environment,
-        projectId,
-        secretName
-      });
-    }
-  });
-};
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@ -1,13 +1,9 @@
 import { z } from "zod";

 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
-import {
-  SecretScanningResolvedStatus,
-  SecretScanningRiskStatus
-} from "@app/ee/services/secret-scanning/secret-scanning-types";
+import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
-import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -101,45 +97,6 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
    }
  });

-  server.route({
-    url: "/organization/:organizationId/risks/export",
-    method: "GET",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({ organizationId: z.string().trim() }),
-      querystring: z.object({
-        repositoryNames: z
-          .string()
-          .optional()
-          .nullable()
-          .transform((val) => (val ? val.split(",") : undefined)),
-        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
-      }),
-      response: {
-        200: z.object({
-          risks: SecretScanningGitRisksSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const risks = await server.services.secretScanning.getAllRisksByOrg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId,
-        filter: {
-          repositoryNames: req.query.repositoryNames,
-          resolvedStatus: req.query.resolvedStatus
-        }
-      });
-      return { risks };
-    }
-  });
-
  server.route({
    url: "/organization/:organizationId/risks",
    method: "GET",
@ -148,46 +105,20 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
-
-      querystring: z.object({
-        offset: z.coerce.number().min(0).default(0),
-        limit: z.coerce.number().min(1).max(20000).default(100),
-        orderBy: z.enum(["createdAt", "name"]).default("createdAt"),
-        orderDirection: z.nativeEnum(OrderByDirection).default(OrderByDirection.DESC),
-        repositoryNames: z
-          .string()
-          .optional()
-          .nullable()
-          .transform((val) => (val ? val.split(",") : undefined)),
-        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
-      }),
-
      response: {
-        200: z.object({
-          risks: SecretScanningGitRisksSchema.array(),
-          totalCount: z.number(),
-          repos: z.array(z.string())
-        })
+        200: z.object({ risks: SecretScanningGitRisksSchema.array() })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
-      const { risks, totalCount, repos } = await server.services.secretScanning.getRisksByOrg({
+      const { risks } = await server.services.secretScanning.getRisksByOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId,
-        filter: {
-          limit: req.query.limit,
-          offset: req.query.offset,
-          orderBy: req.query.orderBy,
-          orderDirection: req.query.orderDirection,
-          repositoryNames: req.query.repositoryNames,
-          resolvedStatus: req.query.resolvedStatus
-        }
+        orgId: req.params.organizationId
      });
-      return { risks, totalCount, repos };
+      return { risks };
    }
  });

--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@ -213,7 +213,7 @@ export const accessApprovalRequestServiceFactory = ({
      );

      const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/secret-manager/${project.id}/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/project/${project.id}/approval`;

      await triggerSlackNotification({
        projectId: project.id,
--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@ -100,10 +100,10 @@ export const auditLogDALFactory = (db: TDbClient) => {

      // Filter by date range
      if (startDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
+        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
      }
      if (endDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
+        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, "<=", endDate);
      }

      // we timeout long running queries to prevent DB resource issues (2 minutes)
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@ -31,7 +31,7 @@ export type TListProjectAuditLogDTO = {

 export type TCreateAuditLogDTO = {
  event: Event;
-  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor | UnknownUserActor;
+  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor;
  orgId?: string;
  projectId?: string;
 } & BaseAuthData;
@ -229,10 +229,7 @@ export enum EventType {
  GET_APP_CONNECTION = "get-app-connection",
  CREATE_APP_CONNECTION = "create-app-connection",
  UPDATE_APP_CONNECTION = "update-app-connection",
-  DELETE_APP_CONNECTION = "delete-app-connection",
-  CREATE_SHARED_SECRET = "create-shared-secret",
-  DELETE_SHARED_SECRET = "delete-shared-secret",
-  READ_SHARED_SECRET = "read-shared-secret"
+  DELETE_APP_CONNECTION = "delete-app-connection"
 }

 interface UserActorMetadata {
@ -255,8 +252,6 @@ interface ScimClientActorMetadata {}

 interface PlatformActorMetadata {}

-interface UnknownUserActorMetadata {}
-
 export interface UserActor {
  type: ActorType.USER;
  metadata: UserActorMetadata;
@ -272,11 +267,6 @@ export interface PlatformActor {
  metadata: PlatformActorMetadata;
 }

-export interface UnknownUserActor {
-  type: ActorType.UNKNOWN_USER;
-  metadata: UnknownUserActorMetadata;
-}
-
 export interface IdentityActor {
  type: ActorType.IDENTITY;
  metadata: IdentityActorMetadata;
@ -1917,35 +1907,6 @@ interface DeleteAppConnectionEvent {
  };
 }

-interface CreateSharedSecretEvent {
-  type: EventType.CREATE_SHARED_SECRET;
-  metadata: {
-    id: string;
-    accessType: string;
-    name?: string;
-    expiresAfterViews?: number;
-    usingPassword: boolean;
-    expiresAt: string;
-  };
-}
-
-interface DeleteSharedSecretEvent {
-  type: EventType.DELETE_SHARED_SECRET;
-  metadata: {
-    id: string;
-    name?: string;
-  };
-}
-
-interface ReadSharedSecretEvent {
-  type: EventType.READ_SHARED_SECRET;
-  metadata: {
-    id: string;
-    name?: string;
-    accessType: string;
-  };
-}
-
 export type Event =
  | GetSecretsEvent
  | GetSecretEvent
@ -2122,7 +2083,4 @@ export type Event =
  | GetAppConnectionEvent
  | CreateAppConnectionEvent
  | UpdateAppConnectionEvent
-  | DeleteAppConnectionEvent
-  | CreateSharedSecretEvent
-  | DeleteSharedSecretEvent
-  | ReadSharedSecretEvent;
+  | DeleteAppConnectionEvent;
--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@ -34,8 +34,6 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {

  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
    const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
-    const isMsSQLClient = providerInputs.client === SqlProviders.MsSQL;
-
    const db = knex({
      client: providerInputs.client,
      connection: {
@ -45,16 +43,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
        user: providerInputs.username,
        password: providerInputs.password,
        ssl,
-        pool: { min: 0, max: 1 },
-        // @ts-expect-error this is because of knexjs type signature issue. This is directly passed to driver
-        // https://github.com/knex/knex/blob/b6507a7129d2b9fafebf5f831494431e64c6a8a0/lib/dialects/mssql/index.js#L66
-        // https://github.com/tediousjs/tedious/blob/ebb023ed90969a7ec0e4b036533ad52739d921f7/test/config.ci.ts#L19
-        options: isMsSQLClient
-          ? {
-              trustServerCertificate: !providerInputs.ca,
-              cryptoCredentialsDetails: providerInputs.ca ? { ca: providerInputs.ca } : {}
-            }
-          : undefined
+        pool: { min: 0, max: 1 }
      },
      acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
    });
--- a/backend/src/ee/services/license/license-fns.ts
+++ b/backend/src/ee/services/license/license-fns.ts
@ -24,7 +24,6 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  rbac: false,
  customRateLimits: false,
  customAlerts: false,
-  secretAccessInsights: false,
  auditLogs: false,
  auditLogsRetentionDays: 0,
  auditLogStreams: false,
--- a/backend/src/ee/services/license/license-service.ts
+++ b/backend/src/ee/services/license/license-service.ts
@ -246,7 +246,8 @@ export const licenseServiceFactory = ({
  };

  const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, actorAuthMethod, projectId }: TOrgPlanDTO) => {
-    await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const plan = await getPlan(orgId, projectId);
    return plan;
  };
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@ -48,7 +48,6 @@ export type TFeatureSet = {
  samlSSO: false;
  hsm: false;
  oidcSSO: false;
-  secretAccessInsights: false;
  scim: false;
  ldap: false;
  groups: false;
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@ -125,404 +125,6 @@ export const permissionDALFactory = (db: TDbClient) => {
    }
  };

-  const getProjectGroupPermissions = async (projectId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.GroupProjectMembership)
-        .join(TableName.Groups, `${TableName.Groups}.id`, `${TableName.GroupProjectMembership}.groupId`)
-        .join(
-          TableName.GroupProjectMembershipRole,
-          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
-          `${TableName.GroupProjectMembership}.id`
-        )
-        .leftJoin<TProjectRoles>(
-          { groupCustomRoles: TableName.ProjectRoles },
-          `${TableName.GroupProjectMembershipRole}.customRoleId`,
-          `groupCustomRoles.id`
-        )
-        .where(`${TableName.GroupProjectMembership}.projectId`, "=", projectId)
-        .select(
-          db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
-          db.ref("id").withSchema(TableName.Groups).as("groupId"),
-          db.ref("name").withSchema(TableName.Groups).as("groupName"),
-          db.ref("slug").withSchema("groupCustomRoles").as("groupProjectMembershipRoleCustomRoleSlug"),
-          db.ref("permissions").withSchema("groupCustomRoles").as("groupProjectMembershipRolePermission"),
-          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRoleId"),
-          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRole"),
-          db
-            .ref("customRoleId")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleCustomRoleId"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleIsTemporary"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryMode"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryAccessEndTime")
-        );
-
-      const groupPermissions = sqlNestRelationships({
-        data: docs,
-        key: "groupId",
-        parentMapper: ({ groupId, groupName, membershipId }) => ({
-          groupId,
-          username: groupName,
-          id: membershipId
-        }),
-        childrenMapper: [
-          {
-            key: "groupProjectMembershipRoleId",
-            label: "groupRoles" as const,
-            mapper: ({
-              groupProjectMembershipRoleId,
-              groupProjectMembershipRole,
-              groupProjectMembershipRolePermission,
-              groupProjectMembershipRoleCustomRoleSlug,
-              groupProjectMembershipRoleIsTemporary,
-              groupProjectMembershipRoleTemporaryMode,
-              groupProjectMembershipRoleTemporaryAccessEndTime,
-              groupProjectMembershipRoleTemporaryAccessStartTime,
-              groupProjectMembershipRoleTemporaryRange
-            }) => ({
-              id: groupProjectMembershipRoleId,
-              role: groupProjectMembershipRole,
-              customRoleSlug: groupProjectMembershipRoleCustomRoleSlug,
-              permissions: groupProjectMembershipRolePermission,
-              temporaryRange: groupProjectMembershipRoleTemporaryRange,
-              temporaryMode: groupProjectMembershipRoleTemporaryMode,
-              temporaryAccessStartTime: groupProjectMembershipRoleTemporaryAccessStartTime,
-              temporaryAccessEndTime: groupProjectMembershipRoleTemporaryAccessEndTime,
-              isTemporary: groupProjectMembershipRoleIsTemporary
-            })
-          }
-        ]
-      });
-
-      return groupPermissions
-        .map((groupPermission) => {
-          if (!groupPermission) return undefined;
-
-          const activeGroupRoles =
-            groupPermission?.groupRoles?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          return {
-            ...groupPermission,
-            roles: activeGroupRoles
-          };
-        })
-        .filter((item): item is NonNullable<typeof item> => Boolean(item));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetProjectGroupPermissions" });
-    }
-  };
-
-  const getProjectUserPermissions = async (projectId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.Users)
-        .where("isGhost", "=", false)
-        .leftJoin(TableName.GroupProjectMembership, (queryBuilder) => {
-          void queryBuilder.on(`${TableName.GroupProjectMembership}.projectId`, db.raw("?", [projectId]));
-        })
-        .leftJoin(
-          TableName.GroupProjectMembershipRole,
-          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
-          `${TableName.GroupProjectMembership}.id`
-        )
-        .leftJoin<TProjectRoles>(
-          { groupCustomRoles: TableName.ProjectRoles },
-          `${TableName.GroupProjectMembershipRole}.customRoleId`,
-          `groupCustomRoles.id`
-        )
-        .join(TableName.ProjectMembership, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.ProjectMembership}.projectId`, db.raw("?", [projectId]))
-            .andOn(`${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`);
-        })
-        .leftJoin(
-          TableName.ProjectUserMembershipRole,
-          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
-          `${TableName.ProjectMembership}.id`
-        )
-        .leftJoin(
-          TableName.ProjectRoles,
-          `${TableName.ProjectUserMembershipRole}.customRoleId`,
-          `${TableName.ProjectRoles}.id`
-        )
-        .leftJoin(TableName.ProjectUserAdditionalPrivilege, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.ProjectUserAdditionalPrivilege}.projectId`, db.raw("?", [projectId]))
-            .andOn(`${TableName.ProjectUserAdditionalPrivilege}.userId`, `${TableName.Users}.id`);
-        })
-        .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
-        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
-        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
-            .andOn(`${TableName.Organization}.id`, `${TableName.IdentityMetadata}.orgId`);
-        })
-        .select(
-          db.ref("id").withSchema(TableName.Users).as("userId"),
-          db.ref("username").withSchema(TableName.Users).as("username"),
-          // groups specific
-          db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupMembershipId"),
-          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipUpdatedAt"),
-          db.ref("slug").withSchema("groupCustomRoles").as("userGroupProjectMembershipRoleCustomRoleSlug"),
-          db.ref("permissions").withSchema("groupCustomRoles").as("userGroupProjectMembershipRolePermission"),
-          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRoleId"),
-          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRole"),
-          db
-            .ref("customRoleId")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleCustomRoleId"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleIsTemporary"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryMode"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryAccessEndTime"),
-          // user specific
-          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
-          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("userProjectMembershipRoleCustomRoleSlug"),
-          db.ref("permissions").withSchema(TableName.ProjectRoles).as("userProjectCustomRolePermission"),
-          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRoleId"),
-          db.ref("role").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRole"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryMode"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleIsTemporary"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryAccessEndTime"),
-          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesId"),
-          db
-            .ref("permissions")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesPermissions"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryMode"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesIsTemporary"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryRange"),
-          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesUserId"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryAccessEndTime"),
-          // general
-          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
-          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("orgId").withSchema(TableName.Project),
-          db.ref("type").withSchema(TableName.Project).as("projectType"),
-          db.ref("id").withSchema(TableName.Project).as("projectId")
-        );
-
-      const userPermissions = sqlNestRelationships({
-        data: docs,
-        key: "userId",
-        parentMapper: ({
-          orgId,
-          username,
-          orgAuthEnforced,
-          membershipId,
-          groupMembershipId,
-          membershipCreatedAt,
-          groupMembershipCreatedAt,
-          groupMembershipUpdatedAt,
-          membershipUpdatedAt,
-          projectType,
-          userId
-        }) => ({
-          orgId,
-          orgAuthEnforced,
-          userId,
-          projectId,
-          username,
-          projectType,
-          id: membershipId || groupMembershipId,
-          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
-          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
-        }),
-        childrenMapper: [
-          {
-            key: "userGroupProjectMembershipRoleId",
-            label: "userGroupRoles" as const,
-            mapper: ({
-              userGroupProjectMembershipRoleId,
-              userGroupProjectMembershipRole,
-              userGroupProjectMembershipRolePermission,
-              userGroupProjectMembershipRoleCustomRoleSlug,
-              userGroupProjectMembershipRoleIsTemporary,
-              userGroupProjectMembershipRoleTemporaryMode,
-              userGroupProjectMembershipRoleTemporaryAccessEndTime,
-              userGroupProjectMembershipRoleTemporaryAccessStartTime,
-              userGroupProjectMembershipRoleTemporaryRange
-            }) => ({
-              id: userGroupProjectMembershipRoleId,
-              role: userGroupProjectMembershipRole,
-              customRoleSlug: userGroupProjectMembershipRoleCustomRoleSlug,
-              permissions: userGroupProjectMembershipRolePermission,
-              temporaryRange: userGroupProjectMembershipRoleTemporaryRange,
-              temporaryMode: userGroupProjectMembershipRoleTemporaryMode,
-              temporaryAccessStartTime: userGroupProjectMembershipRoleTemporaryAccessStartTime,
-              temporaryAccessEndTime: userGroupProjectMembershipRoleTemporaryAccessEndTime,
-              isTemporary: userGroupProjectMembershipRoleIsTemporary
-            })
-          },
-          {
-            key: "userProjectMembershipRoleId",
-            label: "projectMembershipRoles" as const,
-            mapper: ({
-              userProjectMembershipRoleId,
-              userProjectMembershipRole,
-              userProjectCustomRolePermission,
-              userProjectMembershipRoleIsTemporary,
-              userProjectMembershipRoleTemporaryMode,
-              userProjectMembershipRoleTemporaryRange,
-              userProjectMembershipRoleTemporaryAccessEndTime,
-              userProjectMembershipRoleTemporaryAccessStartTime,
-              userProjectMembershipRoleCustomRoleSlug
-            }) => ({
-              id: userProjectMembershipRoleId,
-              role: userProjectMembershipRole,
-              customRoleSlug: userProjectMembershipRoleCustomRoleSlug,
-              permissions: userProjectCustomRolePermission,
-              temporaryRange: userProjectMembershipRoleTemporaryRange,
-              temporaryMode: userProjectMembershipRoleTemporaryMode,
-              temporaryAccessStartTime: userProjectMembershipRoleTemporaryAccessStartTime,
-              temporaryAccessEndTime: userProjectMembershipRoleTemporaryAccessEndTime,
-              isTemporary: userProjectMembershipRoleIsTemporary
-            })
-          },
-          {
-            key: "userAdditionalPrivilegesId",
-            label: "additionalPrivileges" as const,
-            mapper: ({
-              userAdditionalPrivilegesId,
-              userAdditionalPrivilegesPermissions,
-              userAdditionalPrivilegesIsTemporary,
-              userAdditionalPrivilegesTemporaryMode,
-              userAdditionalPrivilegesTemporaryRange,
-              userAdditionalPrivilegesTemporaryAccessEndTime,
-              userAdditionalPrivilegesTemporaryAccessStartTime
-            }) => ({
-              id: userAdditionalPrivilegesId,
-              permissions: userAdditionalPrivilegesPermissions,
-              temporaryRange: userAdditionalPrivilegesTemporaryRange,
-              temporaryMode: userAdditionalPrivilegesTemporaryMode,
-              temporaryAccessStartTime: userAdditionalPrivilegesTemporaryAccessStartTime,
-              temporaryAccessEndTime: userAdditionalPrivilegesTemporaryAccessEndTime,
-              isTemporary: userAdditionalPrivilegesIsTemporary
-            })
-          },
-          {
-            key: "metadataId",
-            label: "metadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
-          }
-        ]
-      });
-
-      return userPermissions
-        .map((userPermission) => {
-          if (!userPermission) return undefined;
-          if (!userPermission?.userGroupRoles?.[0] && !userPermission?.projectMembershipRoles?.[0]) return undefined;
-
-          // when introducting cron mode change it here
-          const activeRoles =
-            userPermission?.projectMembershipRoles?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          const activeGroupRoles =
-            userPermission?.userGroupRoles?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          const activeAdditionalPrivileges =
-            userPermission?.additionalPrivileges?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          return {
-            ...userPermission,
-            roles: [...activeRoles, ...activeGroupRoles],
-            additionalPrivileges: activeAdditionalPrivileges
-          };
-        })
-        .filter((item): item is NonNullable<typeof item> => Boolean(item));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetProjectUserPermissions" });
-    }
-  };
-
  const getProjectPermission = async (userId: string, projectId: string) => {
    try {
      const subQueryUserGroups = db(TableName.UserGroupMembership).where("userId", userId).select("groupId");
@ -812,163 +414,6 @@ export const permissionDALFactory = (db: TDbClient) => {
    }
  };

-  const getProjectIdentityPermissions = async (projectId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.IdentityProjectMembership)
-        .join(
-          TableName.IdentityProjectMembershipRole,
-          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
-          `${TableName.IdentityProjectMembership}.id`
-        )
-        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityProjectMembership}.identityId`)
-        .leftJoin(
-          TableName.ProjectRoles,
-          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
-          `${TableName.ProjectRoles}.id`
-        )
-        .leftJoin(
-          TableName.IdentityProjectAdditionalPrivilege,
-          `${TableName.IdentityProjectAdditionalPrivilege}.projectMembershipId`,
-          `${TableName.IdentityProjectMembership}.id`
-        )
-        .join(
-          // Join the Project table to later select orgId
-          TableName.Project,
-          `${TableName.IdentityProjectMembership}.projectId`,
-          `${TableName.Project}.id`
-        )
-        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.Identity}.id`, `${TableName.IdentityMetadata}.identityId`)
-            .andOn(`${TableName.Project}.orgId`, `${TableName.IdentityMetadata}.orgId`);
-        })
-        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
-        .select(
-          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
-          db.ref("id").withSchema(TableName.Identity).as("identityId"),
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
-          db.ref("type").withSchema(TableName.Project).as("projectType"),
-          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
-          db.ref("permissions").withSchema(TableName.ProjectRoles),
-          db.ref("id").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApId"),
-          db.ref("permissions").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApPermissions"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryMode"),
-          db.ref("isTemporary").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApIsTemporary"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryAccessEndTime"),
-          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
-        );
-
-      const permissions = sqlNestRelationships({
-        data: docs,
-        key: "identityId",
-        parentMapper: ({
-          membershipId,
-          membershipCreatedAt,
-          membershipUpdatedAt,
-          orgId,
-          identityName,
-          projectType,
-          identityId
-        }) => ({
-          id: membershipId,
-          identityId,
-          username: identityName,
-          projectId,
-          createdAt: membershipCreatedAt,
-          updatedAt: membershipUpdatedAt,
-          orgId,
-          projectType,
-          // just a prefilled value
-          orgAuthEnforced: false
-        }),
-        childrenMapper: [
-          {
-            key: "id",
-            label: "roles" as const,
-            mapper: (data) =>
-              IdentityProjectMembershipRoleSchema.extend({
-                permissions: z.unknown(),
-                customRoleSlug: z.string().optional().nullable()
-              }).parse(data)
-          },
-          {
-            key: "identityApId",
-            label: "additionalPrivileges" as const,
-            mapper: ({
-              identityApId,
-              identityApPermissions,
-              identityApIsTemporary,
-              identityApTemporaryMode,
-              identityApTemporaryRange,
-              identityApTemporaryAccessEndTime,
-              identityApTemporaryAccessStartTime
-            }) => ({
-              id: identityApId,
-              permissions: identityApPermissions,
-              temporaryRange: identityApTemporaryRange,
-              temporaryMode: identityApTemporaryMode,
-              temporaryAccessEndTime: identityApTemporaryAccessEndTime,
-              temporaryAccessStartTime: identityApTemporaryAccessStartTime,
-              isTemporary: identityApIsTemporary
-            })
-          },
-          {
-            key: "metadataId",
-            label: "metadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
-          }
-        ]
-      });
-
-      return permissions
-        .map((permission) => {
-          if (!permission) {
-            return undefined;
-          }
-
-          // when introducting cron mode change it here
-          const activeRoles = permission?.roles.filter(
-            ({ isTemporary, temporaryAccessEndTime }) =>
-              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-          );
-          const activeAdditionalPrivileges = permission?.additionalPrivileges?.filter(
-            ({ isTemporary, temporaryAccessEndTime }) =>
-              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-          );
-
-          return { ...permission, roles: activeRoles, additionalPrivileges: activeAdditionalPrivileges };
-        })
-        .filter((item): item is NonNullable<typeof item> => Boolean(item));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetProjectIdentityPermissions" });
-    }
-  };
-
  const getProjectIdentityPermission = async (identityId: string, projectId: string) => {
    try {
      const docs = await db
@ -1123,9 +568,6 @@ export const permissionDALFactory = (db: TDbClient) => {
    getOrgPermission,
    getOrgIdentityPermission,
    getProjectPermission,
-    getProjectIdentityPermission,
-    getProjectUserPermissions,
-    getProjectIdentityPermissions,
-    getProjectGroupPermissions
+    getProjectIdentityPermission
  };
 };
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@ -405,123 +405,6 @@ export const permissionServiceFactory = ({
        ForbidOnInvalidProjectType: (type: ProjectType) => void;
      };

-  const getProjectPermissions = async (projectId: string) => {
-    // fetch user permissions
-    const rawUserProjectPermissions = await permissionDAL.getProjectUserPermissions(projectId);
-    const userPermissions = rawUserProjectPermissions.map((userProjectPermission) => {
-      const rolePermissions =
-        userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-      const additionalPrivileges =
-        userProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
-          role: ProjectMembershipRole.Custom,
-          permissions
-        })) || [];
-
-      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
-      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-        objectify(
-          userProjectPermission.metadata,
-          (i) => i.key,
-          (i) => i.value
-        )
-      );
-      const interpolateRules = templatedRules(
-        {
-          identity: {
-            id: userProjectPermission.userId,
-            username: userProjectPermission.username,
-            metadata: metadataKeyValuePair
-          }
-        },
-        { data: false }
-      );
-      const permission = createMongoAbility<ProjectPermissionSet>(
-        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
-        {
-          conditionsMatcher
-        }
-      );
-
-      return {
-        permission,
-        id: userProjectPermission.userId,
-        name: userProjectPermission.username,
-        membershipId: userProjectPermission.id
-      };
-    });
-
-    // fetch identity permissions
-    const rawIdentityProjectPermissions = await permissionDAL.getProjectIdentityPermissions(projectId);
-    const identityPermissions = rawIdentityProjectPermissions.map((identityProjectPermission) => {
-      const rolePermissions =
-        identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-      const additionalPrivileges =
-        identityProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
-          role: ProjectMembershipRole.Custom,
-          permissions
-        })) || [];
-
-      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
-      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-        objectify(
-          identityProjectPermission.metadata,
-          (i) => i.key,
-          (i) => i.value
-        )
-      );
-
-      const interpolateRules = templatedRules(
-        {
-          identity: {
-            id: identityProjectPermission.identityId,
-            username: identityProjectPermission.username,
-            metadata: metadataKeyValuePair
-          }
-        },
-        { data: false }
-      );
-      const permission = createMongoAbility<ProjectPermissionSet>(
-        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
-        {
-          conditionsMatcher
-        }
-      );
-
-      return {
-        permission,
-        id: identityProjectPermission.identityId,
-        name: identityProjectPermission.username,
-        membershipId: identityProjectPermission.id
-      };
-    });
-
-    // fetch group permissions
-    const rawGroupProjectPermissions = await permissionDAL.getProjectGroupPermissions(projectId);
-    const groupPermissions = rawGroupProjectPermissions.map((groupProjectPermission) => {
-      const rolePermissions =
-        groupProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-      const rules = buildProjectPermissionRules(rolePermissions);
-      const permission = createMongoAbility<ProjectPermissionSet>(rules, {
-        conditionsMatcher
-      });
-
-      return {
-        permission,
-        id: groupProjectPermission.groupId,
-        name: groupProjectPermission.username,
-        membershipId: groupProjectPermission.id
-      };
-    });
-
-    return {
-      userPermissions,
-      identityPermissions,
-      groupPermissions
-    };
-  };
-
  const getProjectPermission = async <T extends ActorType>(
    type: T,
    id: string,
@ -572,7 +455,6 @@ export const permissionServiceFactory = ({
    getOrgPermission,
    getUserProjectPermission,
    getProjectPermission,
-    getProjectPermissions,
    getOrgPermissionByRole,
    getProjectPermissionByRole,
    buildOrgPermission,
--- a/backend/src/ee/services/saml-config/saml-config-types.ts
+++ b/backend/src/ee/services/saml-config/saml-config-types.ts
@ -6,8 +6,7 @@ export enum SamlProviders {
  AZURE_SAML = "azure-saml",
  JUMPCLOUD_SAML = "jumpcloud-saml",
  GOOGLE_SAML = "google-saml",
-  KEYCLOAK_SAML = "keycloak-saml",
-  AUTH0_SAML = "auth0-saml"
+  KEYCLOAK_SAML = "keycloak-saml"
 }

 export type TCreateSamlCfgDTO = {
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts
@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
        firstName: reviewerUser.firstName,
        projectName: project.name,
        organizationName: project.organization.name,
-        approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval?requestId=${secretApprovalRequest.id}`
+        approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval?requestId=${secretApprovalRequest.id}`
      },
      template: SmtpTemplates.SecretApprovalRequestNeedsReview
    });
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts
@ -256,7 +256,6 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
          `${TableName.SecretVersionV2Tag}.${TableName.SecretTag}Id`,
          db.ref("id").withSchema("secVerTag")
        )
-        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
        .select(selectAllTableCols(TableName.SecretApprovalRequestSecretV2))
        .select({
          secVerTagId: "secVerTag.id",
@ -280,11 +279,6 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
          db.ref("key").withSchema(TableName.SecretVersionV2).as("secVerKey"),
          db.ref("encryptedValue").withSchema(TableName.SecretVersionV2).as("secVerValue"),
          db.ref("encryptedComment").withSchema(TableName.SecretVersionV2).as("secVerComment")
-        )
-        .select(
-          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
        );
      const formatedDoc = sqlNestRelationships({
        data: doc,
@ -344,19 +338,9 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
                })
              }
            ]
-          },
-          {
-            key: "metadataId",
-            label: "oldSecretMetadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
          }
        ]
      });
-
      return formatedDoc?.map(({ secret, secretVersion, ...el }) => ({
        ...el,
        secret: secret?.[0],
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@ -22,8 +22,6 @@ import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
-import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
-import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import {
  decryptSecretWithBot,
@ -93,7 +91,6 @@ type TSecretApprovalRequestServiceFactoryDep = {
  secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
  snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
  secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
  secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
  smtpService: Pick<TSmtpService, "sendMail">;
  userDAL: Pick<TUserDALFactory, "find" | "findOne" | "findById">;
@ -141,8 +138,7 @@ export const secretApprovalRequestServiceFactory = ({
  secretVersionV2BridgeDAL,
  secretVersionTagV2BridgeDAL,
  licenseService,
-  projectSlackConfigDAL,
-  resourceMetadataDAL
+  projectSlackConfigDAL
 }: TSecretApprovalRequestServiceFactoryDep) => {
  const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
@ -245,7 +241,6 @@ export const secretApprovalRequestServiceFactory = ({
        secretKey: el.key,
        id: el.id,
        version: el.version,
-        secretMetadata: el.secretMetadata as ResourceMetadataDTO,
        secretValue: el.encryptedValue ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString() : "",
        secretComment: el.encryptedComment
          ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
@ -274,8 +269,7 @@ export const secretApprovalRequestServiceFactory = ({
              secretComment: el.secretVersion.encryptedComment
                ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedComment }).toString()
                : "",
-              tags: el.secretVersion.tags,
-              secretMetadata: el.oldSecretMetadata as ResourceMetadataDTO
+              tags: el.secretVersion.tags
            }
          : undefined
      }));
@ -549,7 +543,6 @@ export const secretApprovalRequestServiceFactory = ({
          ? await fnSecretV2BridgeBulkInsert({
              tx,
              folderId,
-              orgId: actorOrgId,
              inputSecrets: secretCreationCommits.map((el) => ({
                tagIds: el?.tags.map(({ id }) => id),
                version: 1,
@ -557,7 +550,6 @@ export const secretApprovalRequestServiceFactory = ({
                encryptedValue: el.encryptedValue,
                skipMultilineEncoding: el.skipMultilineEncoding,
                key: el.key,
-                secretMetadata: el.secretMetadata as ResourceMetadataDTO,
                references: el.encryptedValue
                  ? getAllSecretReferencesV2Bridge(
                      secretManagerDecryptor({
@ -567,7 +559,6 @@ export const secretApprovalRequestServiceFactory = ({
                  : [],
                type: SecretType.Shared
              })),
-              resourceMetadataDAL,
              secretDAL: secretV2BridgeDAL,
              secretVersionDAL: secretVersionV2BridgeDAL,
              secretTagDAL,
@ -577,7 +568,6 @@ export const secretApprovalRequestServiceFactory = ({
        const updatedSecrets = secretUpdationCommits.length
          ? await fnSecretV2BridgeBulkUpdate({
              folderId,
-              orgId: actorOrgId,
              tx,
              inputSecrets: secretUpdationCommits.map((el) => {
                const encryptedValue =
@ -602,7 +592,6 @@ export const secretApprovalRequestServiceFactory = ({
                    skipMultilineEncoding: el.skipMultilineEncoding,
                    key: el.key,
                    tags: el?.tags.map(({ id }) => id),
-                    secretMetadata: el.secretMetadata as ResourceMetadataDTO,
                    ...encryptedValue
                  }
                };
@ -610,8 +599,7 @@ export const secretApprovalRequestServiceFactory = ({
              secretDAL: secretV2BridgeDAL,
              secretVersionDAL: secretVersionV2BridgeDAL,
              secretTagDAL,
-              secretVersionTagDAL: secretVersionTagV2BridgeDAL,
-              resourceMetadataDAL
+              secretVersionTagDAL: secretVersionTagV2BridgeDAL
            })
          : [];
        const deletedSecret = secretDeletionCommits.length
@ -836,7 +824,6 @@ export const secretApprovalRequestServiceFactory = ({
    }
    await secretQueueService.syncSecrets({
      projectId,
-      orgId: actorOrgId,
      secretPath: folder.path,
      environmentSlug: folder.environmentSlug,
      actorId,
@ -865,7 +852,7 @@ export const secretApprovalRequestServiceFactory = ({
          bypassReason,
          secretPath: policy.secretPath,
          environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`
+          approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval`
        },
        template: SmtpTemplates.AccessSecretRequestBypassed
      });
@ -1221,7 +1208,6 @@ export const secretApprovalRequestServiceFactory = ({
          ),
          skipMultilineEncoding: createdSecret.skipMultilineEncoding,
          key: createdSecret.secretKey,
-          secretMetadata: createdSecret.secretMetadata,
          type: SecretType.Shared
        }))
      );
@ -1277,14 +1263,12 @@ export const secretApprovalRequestServiceFactory = ({
            reminderNote,
            secretComment,
            metadata,
-            skipMultilineEncoding,
-            secretMetadata
+            skipMultilineEncoding
          }) => {
            const secretId = updatingSecretsGroupByKey[secretKey][0].id;
            if (tagIds?.length) commitTagIds[secretKey] = tagIds;
            return {
              ...latestSecretVersions[secretId],
-              secretMetadata,
              key: newSecretName || secretKey,
              encryptedComment: setKnexStringValue(
                secretComment,
@ -1386,8 +1370,7 @@ export const secretApprovalRequestServiceFactory = ({
            reminderRepeatDays,
            encryptedValue,
            secretId,
-            secretVersion,
-            secretMetadata
+            secretVersion
          }) => ({
            version,
            requestId: doc.id,
@ -1400,8 +1383,7 @@ export const secretApprovalRequestServiceFactory = ({
            reminderRepeatDays,
            reminderNote,
            encryptedComment,
-            key,
-            secretMetadata: JSON.stringify(secretMetadata)
+            key
          })
        ),
        tx
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts
@ -1,6 +1,5 @@
 import { TImmutableDBKeys, TSecretApprovalPolicies, TSecretApprovalRequestsSecrets } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
-import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretOperations } from "@app/services/secret/secret-types";

 export enum RequestState {
@ -35,7 +34,6 @@ export type TApprovalCreateSecretV2Bridge = {
  reminderRepeatDays?: number | null;
  skipMultilineEncoding?: boolean;
  metadata?: Record<string, string>;
-  secretMetadata?: ResourceMetadataDTO;
  tagIds?: string[];
 };

--- a/backend/src/ee/services/secret-replication/secret-replication-service.ts
+++ b/backend/src/ee/services/secret-replication/secret-replication-service.ts
@ -13,8 +13,6 @@ import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
-import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
-import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import { fnSecretBulkInsert, fnSecretBulkUpdate } from "@app/services/secret/secret-fns";
 import { TSecretQueueFactory, uniqueSecretQueueKey } from "@app/services/secret/secret-queue";
@ -58,7 +56,6 @@ type TSecretReplicationServiceFactoryDep = {
  >;
  secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "find" | "insertMany">;
  secretVersionV2TagBridgeDAL: Pick<TSecretVersionV2TagDALFactory, "find" | "insertMany">;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
  secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "replicateSecrets">;
  queueService: Pick<TQueueServiceFactory, "start" | "listen" | "queue" | "stopJobById">;
  secretApprovalPolicyService: Pick<TSecretApprovalPolicyServiceFactory, "getSecretApprovalPolicy">;
@ -124,8 +121,7 @@ export const secretReplicationServiceFactory = ({
  secretVersionV2TagBridgeDAL,
  secretVersionV2BridgeDAL,
  secretV2BridgeDAL,
-  kmsService,
-  resourceMetadataDAL
+  kmsService
 }: TSecretReplicationServiceFactoryDep) => {
  const $getReplicatedSecrets = (
    botKey: string,
@ -155,10 +151,8 @@ export const secretReplicationServiceFactory = ({
  };

  const $getReplicatedSecretsV2 = (
-    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string; secretMetadata?: ResourceMetadataDTO })[],
-    importedSecrets: {
-      secrets: (TSecretsV2 & { secretKey: string; secretValue?: string; secretMetadata?: ResourceMetadataDTO })[];
-    }[]
+    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[],
+    importedSecrets: { secrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[] }[]
  ) => {
    const deDupe = new Set<string>();
    const secrets = [...localSecrets];
@ -184,7 +178,6 @@ export const secretReplicationServiceFactory = ({
      secretPath,
      environmentSlug,
      projectId,
-      orgId,
      actorId,
      actor,
      pickOnlyImportIds,
@ -229,7 +222,6 @@ export const secretReplicationServiceFactory = ({
          .map(({ folderId }) =>
            secretQueueService.replicateSecrets({
              projectId,
-              orgId,
              secretPath: foldersGroupedById[folderId][0]?.path as string,
              environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
              actorId,
@ -275,7 +267,6 @@ export const secretReplicationServiceFactory = ({
          ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
          : undefined
      }));
-
      const sourceSecrets = $getReplicatedSecretsV2(sourceDecryptedLocalSecrets, sourceImportedSecrets);
      const sourceSecretsGroupByKey = groupBy(sourceSecrets, (i) => i.key);

@ -342,29 +333,13 @@ export const secretReplicationServiceFactory = ({
              .map((el) => ({ ...el, operation: SecretOperations.Create })); // rewrite update ops to create

            const locallyUpdatedSecrets = sourceSecrets
-              .filter(({ key, secretKey, secretValue, secretMetadata }) => {
-                const sourceSecretMetadataJson = JSON.stringify(
-                  (secretMetadata ?? []).map((entry) => ({
-                    key: entry.key,
-                    value: entry.value
-                  }))
-                );
-
-                const destinationSecretMetadataJson = JSON.stringify(
-                  (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretMetadata ?? []).map((entry) => ({
-                    key: entry.key,
-                    value: entry.value
-                  }))
-                );
-
-                return (
+              .filter(
+                ({ key, secretKey, secretValue }) =>
                  destinationLocalSecretsGroupedByKey[key]?.[0] &&
                  // if key or value changed
                  (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretKey !== secretKey ||
-                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue ||
-                    sourceSecretMetadataJson !== destinationSecretMetadataJson)
-                );
-              })
+                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue)
+              )
              .map((el) => ({ ...el, operation: SecretOperations.Update })); // rewrite update ops to create

            const locallyDeletedSecrets = destinationLocalSecrets
@ -412,7 +387,6 @@ export const secretReplicationServiceFactory = ({
                      op: operation,
                      requestId: approvalRequestDoc.id,
                      metadata: doc.metadata,
-                      secretMetadata: JSON.stringify(doc.secretMetadata),
                      key: doc.key,
                      encryptedValue: doc.encryptedValue,
                      encryptedComment: doc.encryptedComment,
@ -432,12 +406,10 @@ export const secretReplicationServiceFactory = ({
                if (locallyCreatedSecrets.length) {
                  await fnSecretV2BridgeBulkInsert({
                    folderId: destinationReplicationFolderId,
-                    orgId,
                    secretVersionDAL: secretVersionV2BridgeDAL,
                    secretDAL: secretV2BridgeDAL,
                    tx,
                    secretTagDAL,
-                    resourceMetadataDAL,
                    secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                    inputSecrets: locallyCreatedSecrets.map((doc) => {
                      return {
@ -447,7 +419,6 @@ export const secretReplicationServiceFactory = ({
                        encryptedValue: doc.encryptedValue,
                        encryptedComment: doc.encryptedComment,
                        skipMultilineEncoding: doc.skipMultilineEncoding,
-                        secretMetadata: doc.secretMetadata,
                        references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
                      };
                    })
@ -455,12 +426,10 @@ export const secretReplicationServiceFactory = ({
                }
                if (locallyUpdatedSecrets.length) {
                  await fnSecretV2BridgeBulkUpdate({
-                    orgId,
                    folderId: destinationReplicationFolderId,
                    secretVersionDAL: secretVersionV2BridgeDAL,
                    secretDAL: secretV2BridgeDAL,
                    tx,
-                    resourceMetadataDAL,
                    secretTagDAL,
                    secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                    inputSecrets: locallyUpdatedSecrets.map((doc) => {
@ -476,7 +445,6 @@ export const secretReplicationServiceFactory = ({
                          encryptedValue: doc.encryptedValue as Buffer,
                          encryptedComment: doc.encryptedComment,
                          skipMultilineEncoding: doc.skipMultilineEncoding,
-                          secretMetadata: doc.secretMetadata,
                          references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
                        }
                      };
@ -498,7 +466,6 @@ export const secretReplicationServiceFactory = ({

              await secretQueueService.syncSecrets({
                projectId,
-                orgId,
                secretPath: destinationFolder.path,
                environmentSlug: destinationFolder.environmentSlug,
                actorId,
@ -784,7 +751,6 @@ export const secretReplicationServiceFactory = ({

            await secretQueueService.syncSecrets({
              projectId,
-              orgId,
              secretPath: destinationFolder.path,
              environmentSlug: destinationFolder.environmentSlug,
              actorId,
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
@ -180,8 +180,6 @@ export const secretRotationQueueFactory = ({
          provider.template.client === TDbProviderClients.MsSqlServer
            ? ({
                encrypt: appCfg.ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT,
-                // when ca is provided use that
-                trustServerCertificate: !ca,
                cryptoCredentialsDetails: ca ? { ca } : {}
              } as Record<string, unknown>)
            : undefined;
--- a/backend/src/ee/services/secret-scanning/secret-scanning-dal.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-dal.ts
@ -1,12 +1,9 @@
-import knex, { Knex } from "knex";
+import { Knex } from "knex";

 import { TDbClient } from "@app/db";
 import { TableName, TSecretScanningGitRisksInsert } from "@app/db/schemas";
-import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
-import { OrderByDirection } from "@app/lib/types";
-
-import { SecretScanningResolvedStatus, TGetOrgRisksDTO } from "./secret-scanning-types";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify } from "@app/lib/knex";

 export type TSecretScanningDALFactory = ReturnType<typeof secretScanningDALFactory>;

@ -22,70 +19,5 @@ export const secretScanningDALFactory = (db: TDbClient) => {
    }
  };

-  const findByOrgId = async (orgId: string, filter: TGetOrgRisksDTO["filter"], tx?: Knex) => {
-    try {
-      // Find statements
-      const sqlQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
-        // eslint-disable-next-line func-names
-        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId);
-
-      if (filter.repositoryNames) {
-        void sqlQuery.whereIn(`${TableName.SecretScanningGitRisk}.repositoryFullName`, filter.repositoryNames);
-      }
-
-      if (filter.resolvedStatus) {
-        if (filter.resolvedStatus !== SecretScanningResolvedStatus.All) {
-          const isResolved = filter.resolvedStatus === SecretScanningResolvedStatus.Resolved;
-
-          void sqlQuery.where(`${TableName.SecretScanningGitRisk}.isResolved`, isResolved);
-        }
-      }
-
-      // Select statements
-      void sqlQuery
-        .select(selectAllTableCols(TableName.SecretScanningGitRisk))
-        .limit(filter.limit)
-        .offset(filter.offset);
-
-      if (filter.orderBy) {
-        const orderDirection = filter.orderDirection || OrderByDirection.ASC;
-
-        void sqlQuery.orderBy(filter.orderBy, orderDirection);
-      }
-
-      const countQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
-        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId)
-        .count();
-
-      const uniqueReposQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
-        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId)
-        .distinct("repositoryFullName")
-        .select("repositoryFullName");
-
-      // we timeout long running queries to prevent DB resource issues (2 minutes)
-      const docs = await sqlQuery.timeout(1000 * 120);
-      const uniqueRepos = await uniqueReposQuery.timeout(1000 * 120);
-      const totalCount = await countQuery;
-
-      return {
-        risks: docs,
-        totalCount: Number(totalCount?.[0].count),
-        repos: uniqueRepos
-          .filter(Boolean)
-          .map((r) => r.repositoryFullName!)
-          .sort((a, b) => a.localeCompare(b))
-      };
-    } catch (error) {
-      if (error instanceof knex.KnexTimeoutError) {
-        throw new GatewayTimeoutError({
-          error,
-          message: "Failed to fetch secret leaks due to timeout. Add more search filters."
-        });
-      }
-
-      throw new DatabaseError({ error });
-    }
-  };
-
-  return { ...gitRiskOrm, upsert, findByOrgId };
+  return { ...gitRiskOrm, upsert };
 };
--- a/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
@ -15,7 +15,6 @@ import { TSecretScanningDALFactory } from "./secret-scanning-dal";
 import { TSecretScanningQueueFactory } from "./secret-scanning-queue";
 import {
  SecretScanningRiskStatus,
-  TGetAllOrgRisksDTO,
  TGetOrgInstallStatusDTO,
  TGetOrgRisksDTO,
  TInstallAppSessionDTO,
@ -119,21 +118,11 @@ export const secretScanningServiceFactory = ({
    return Boolean(appInstallation);
  };

-  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId, filter }: TGetOrgRisksDTO) => {
+  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetOrgRisksDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
-
-    const results = await secretScanningDAL.findByOrgId(orgId, filter);
-
-    return results;
-  };
-
-  const getAllRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetAllOrgRisksDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
-
    const risks = await secretScanningDAL.find({ orgId }, { sort: [["createdAt", "desc"]] });
-    return risks;
+    return { risks };
  };

  const updateRiskStatus = async ({
@ -200,7 +189,6 @@ export const secretScanningServiceFactory = ({
    linkInstallationToOrg,
    getOrgInstallationStatus,
    getRisksByOrg,
-    getAllRisksByOrg,
    updateRiskStatus,
    handleRepoPushEvent,
    handleRepoDeleteEvent
--- a/backend/src/ee/services/secret-scanning/secret-scanning-types.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-types.ts
@ -1,4 +1,4 @@
-import { OrderByDirection, TOrgPermission } from "@app/lib/types";
+import { TOrgPermission } from "@app/lib/types";

 export enum SecretScanningRiskStatus {
  FalsePositive = "RESOLVED_FALSE_POSITIVE",
@ -7,12 +7,6 @@ export enum SecretScanningRiskStatus {
  Unresolved = "UNRESOLVED"
 }

-export enum SecretScanningResolvedStatus {
-  All = "all",
-  Resolved = "resolved",
-  Unresolved = "unresolved"
-}
-
 export type TInstallAppSessionDTO = TOrgPermission;

 export type TLinkInstallSessionDTO = {
@ -22,22 +16,7 @@ export type TLinkInstallSessionDTO = {

 export type TGetOrgInstallStatusDTO = TOrgPermission;

-type RiskFilter = {
-  offset: number;
-  limit: number;
-  orderBy?: "createdAt" | "name";
-  orderDirection?: OrderByDirection;
-  repositoryNames?: string[];
-  resolvedStatus?: SecretScanningResolvedStatus;
-};
-
-export type TGetOrgRisksDTO = {
-  filter: RiskFilter;
-} & TOrgPermission;
-
-export type TGetAllOrgRisksDTO = {
-  filter: Omit<RiskFilter, "offset" | "limit" | "orderBy" | "orderDirection">;
-} & TOrgPermission;
+export type TGetOrgRisksDTO = TOrgPermission;

 export type TUpdateRiskStatusDTO = {
  riskId: string;
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@ -741,12 +741,6 @@ export const RAW_SECRETS = {
    workspaceId: "The ID of the project where the secret is located.",
    environment: "The slug of the environment where the the secret is located.",
    secretPath: "The folder path where the secret is located."
-  },
-  GET_ACCESS_LIST: {
-    secretName: "The name of the secret to get the access list for.",
-    workspaceId: "The ID of the project where the secret is located.",
-    environment: "The slug of the environment where the the secret is located.",
-    secretPath: "The folder path where the secret is located."
  }
 } as const;

@ -1156,8 +1150,7 @@ export const INTEGRATION = {
      shouldMaskSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Masked'.",
      shouldProtectSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Protected'.",
      shouldEnableDelete: "The flag to enable deletion of secrets.",
-      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy.",
-      metadataSyncMode: "The mode for syncing metadata to external system"
+      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy."
    }
  },
  UPDATE: {
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@ -157,8 +157,6 @@ const envSchema = z
    INFISICAL_CLOUD: zodStrBool.default("false"),
    MAINTENANCE_MODE: zodStrBool.default("false"),
    CAPTCHA_SECRET: zpStr(z.string().optional()),
-    CAPTCHA_SITE_KEY: zpStr(z.string().optional()),
-    INTERCOM_ID: zpStr(z.string().optional()),

    // TELEMETRY
    OTEL_TELEMETRY_COLLECTION_ENABLED: zodStrBool.default("false"),
--- a/backend/src/server/app.ts
+++ b/backend/src/server/app.ts
@ -27,10 +27,10 @@ import { globalRateLimiterCfg } from "./config/rateLimiter";
 import { addErrorsToResponseSchemas } from "./plugins/add-errors-to-response-schemas";
 import { apiMetrics } from "./plugins/api-metrics";
 import { fastifyErrHandler } from "./plugins/error-handler";
+import { registerExternalNextjs } from "./plugins/external-nextjs";
 import { serializerCompiler, validatorCompiler, ZodTypeProvider } from "./plugins/fastify-zod";
 import { fastifyIp } from "./plugins/ip";
 import { maintenanceMode } from "./plugins/maintenanceMode";
-import { registerServeUI } from "./plugins/serve-ui";
 import { fastifySwagger } from "./plugins/swagger";
 import { registerRoutes } from "./routes";

@ -120,10 +120,13 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key

    await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore, hsmModule });

-    await server.register(registerServeUI, {
-      standaloneMode: appCfg.STANDALONE_MODE || IS_PACKAGED,
-      dir: path.join(__dirname, IS_PACKAGED ? "../../../" : "../../")
-    });
+    if (appCfg.isProductionMode) {
+      await server.register(registerExternalNextjs, {
+        standaloneMode: appCfg.STANDALONE_MODE || IS_PACKAGED,
+        dir: path.join(__dirname, IS_PACKAGED ? "../../../" : "../../"),
+        port: appCfg.PORT
+      });
+    }

    await server.ready();
    server.swagger();
--- a/backend/src/server/plugins/audit-log.ts
+++ b/backend/src/server/plugins/audit-log.ts
@ -32,21 +32,13 @@ export const getUserAgentType = (userAgent: string | undefined) => {
 export const injectAuditLogInfo = fp(async (server: FastifyZodProvider) => {
  server.decorateRequest("auditLogInfo", null);
  server.addHook("onRequest", async (req) => {
+    if (!req.auth) return;
    const userAgent = req.headers["user-agent"] ?? "";
    const payload = {
      ipAddress: req.realIp,
      userAgent,
      userAgentType: getUserAgentType(userAgent)
    } as typeof req.auditLogInfo;
-
-    if (!req.auth) {
-      payload.actor = {
-        type: ActorType.UNKNOWN_USER,
-        metadata: {}
-      };
-      req.auditLogInfo = payload;
-      return;
-    }
    if (req.auth.actor === ActorType.USER) {
      payload.actor = {
        type: ActorType.USER,
--- a/backend/src/server/plugins/external-nextjs.ts
+++ b/backend/src/server/plugins/external-nextjs.ts
@ -0,0 +1,76 @@
+// this plugins allows to run infisical in standalone mode
+// standalone mode = infisical backend and nextjs frontend in one server
+// this way users don't need to deploy two things
+import path from "node:path";
+
+import { IS_PACKAGED } from "@app/lib/config/env";
+
+// to enabled this u need to set standalone mode to true
+export const registerExternalNextjs = async (
+  server: FastifyZodProvider,
+  {
+    standaloneMode,
+    dir,
+    port
+  }: {
+    standaloneMode?: boolean;
+    dir: string;
+    port: number;
+  }
+) => {
+  if (standaloneMode) {
+    const frontendName = IS_PACKAGED ? "frontend" : "frontend-build";
+    const nextJsBuildPath = path.join(dir, frontendName);
+
+    const { default: conf } = (await import(
+      path.join(dir, `${frontendName}/.next/required-server-files.json`),
+      // @ts-expect-error type
+      {
+        assert: { type: "json" }
+      }
+    )) as { default: { config: string } };
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    let NextServer: any;
+
+    if (!IS_PACKAGED) {
+      /* eslint-disable */
+      const { default: nextServer } = (
+        await import(path.join(dir, `${frontendName}/node_modules/next/dist/server/next-server.js`))
+      ).default;
+
+      NextServer = nextServer;
+    } else {
+      /* eslint-disable */
+      const nextServer = await import(path.join(dir, `${frontendName}/node_modules/next/dist/server/next-server.js`));
+
+      NextServer = nextServer.default;
+    }
+
+    const nextApp = new NextServer({
+      dev: false,
+      dir: nextJsBuildPath,
+      port,
+      conf: conf.config,
+      hostname: "local",
+      customServer: false
+    });
+
+    server.route({
+      method: ["GET", "PUT", "PATCH", "POST", "DELETE"],
+      url: "/*",
+      schema: {
+        hide: true
+      },
+      handler: (req, res) =>
+        nextApp
+          .getRequestHandler()(req.raw, res.raw)
+          .then(() => {
+            res.hijack();
+          })
+    });
+    server.addHook("onClose", () => nextApp.close());
+    await nextApp.prepare();
+    /* eslint-enable */
+  }
+};
--- a/backend/src/server/plugins/secret-scanner.ts
+++ b/backend/src/server/plugins/secret-scanner.ts
@ -1,4 +1,3 @@
-import type { EmitterWebhookEventName } from "@octokit/webhooks/dist-types/types";
 import { PushEvent } from "@octokit/webhooks-types";
 import { Probot } from "probot";
 import SmeeClient from "smee-client";
@ -55,14 +54,14 @@ export const registerSecretScannerGhApp = async (server: FastifyZodProvider) =>
        rateLimit: writeLimit
      },
      handler: async (req, res) => {
-        const eventName = req.headers["x-github-event"] as EmitterWebhookEventName;
+        const eventName = req.headers["x-github-event"];
        const signatureSHA256 = req.headers["x-hub-signature-256"] as string;
        const id = req.headers["x-github-delivery"] as string;
-
        await probot.webhooks.verifyAndReceive({
          id,
+          // @ts-expect-error type
          name: eventName,
-          payload: JSON.stringify(req.body),
+          payload: req.body as string,
          signature: signatureSHA256
        });
        void res.send("ok");
--- a/backend/src/server/plugins/serve-ui.ts
+++ b/backend/src/server/plugins/serve-ui.ts
@ -1,64 +0,0 @@
-import path from "node:path";
-
-import staticServe from "@fastify/static";
-
-import { getConfig, IS_PACKAGED } from "@app/lib/config/env";
-
-// to enabled this u need to set standalone mode to true
-export const registerServeUI = async (
-  server: FastifyZodProvider,
-  {
-    standaloneMode,
-    dir
-  }: {
-    standaloneMode?: boolean;
-    dir: string;
-  }
-) => {
-  // use this only for frontend runtime static non-sensitive configuration in standalone mode
-  // that app needs before loading like posthog dsn key
-  // for most of the other usecase use server config
-  server.route({
-    method: "GET",
-    url: "/runtime-ui-env.js",
-    schema: {
-      hide: true
-    },
-    handler: (_req, res) => {
-      const appCfg = getConfig();
-      void res.type("application/javascript");
-      const config = {
-        CAPTCHA_SITE_KEY: appCfg.CAPTCHA_SITE_KEY,
-        POSTHOG_API_KEY: appCfg.POSTHOG_PROJECT_API_KEY,
-        INTERCOM_ID: appCfg.INTERCOM_ID,
-        TELEMETRY_CAPTURING_ENABLED: appCfg.TELEMETRY_ENABLED
-      };
-      const js = `window.__INFISICAL_RUNTIME_ENV__ = Object.freeze(${JSON.stringify(config)});`;
-      void res.send(js);
-    }
-  });
-
-  if (standaloneMode) {
-    const frontendName = IS_PACKAGED ? "frontend" : "frontend-build";
-    const frontendPath = path.join(dir, frontendName);
-    await server.register(staticServe, {
-      root: frontendPath,
-      wildcard: false
-    });
-
-    server.route({
-      method: "GET",
-      url: "/*",
-      schema: {
-        hide: true
-      },
-      handler: (request, reply) => {
-        if (request.url.startsWith("/api")) {
-          reply.callNotFound();
-          return;
-        }
-        void reply.sendFile("index.html");
-      }
-    });
-  }
-};
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@ -181,7 +181,6 @@ import { projectUserMembershipRoleDALFactory } from "@app/services/project-membe
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
 import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
-import { resourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
 import { secretQueueFactory } from "@app/services/secret/secret-queue";
 import { secretServiceFactory } from "@app/services/secret/secret-service";
@ -375,7 +374,6 @@ export const registerRoutes = async (
  const externalGroupOrgRoleMappingDAL = externalGroupOrgRoleMappingDALFactory(db);

  const projectTemplateDAL = projectTemplateDALFactory(db);
-  const resourceMetadataDAL = resourceMetadataDALFactory(db);

  const permissionService = permissionServiceFactory({
    permissionDAL,
@ -856,8 +854,7 @@ export const registerRoutes = async (
    secretApprovalRequestDAL,
    projectKeyDAL,
    projectUserMembershipRoleDAL,
-    orgService,
-    resourceMetadataDAL
+    orgService
  });

  const projectService = projectServiceFactory({
@ -983,8 +980,7 @@ export const registerRoutes = async (
    secretApprovalPolicyService,
    secretApprovalRequestSecretDAL,
    kmsService,
-    snapshotService,
-    resourceMetadataDAL
+    snapshotService
  });

  const secretApprovalRequestService = secretApprovalRequestServiceFactory({
@ -1011,8 +1007,7 @@ export const registerRoutes = async (
    projectEnvDAL,
    userDAL,
    licenseService,
-    projectSlackConfigDAL,
-    resourceMetadataDAL
+    projectSlackConfigDAL
  });

  const secretService = secretServiceFactory({
@ -1033,8 +1028,7 @@ export const registerRoutes = async (
    secretApprovalRequestDAL,
    secretApprovalRequestSecretDAL,
    secretV2BridgeService,
-    secretApprovalRequestService,
-    licenseService
+    secretApprovalRequestService
  });

  const secretSharingService = secretSharingServiceFactory({
@ -1092,10 +1086,8 @@ export const registerRoutes = async (
    kmsService,
    secretV2BridgeDAL,
    secretVersionV2TagBridgeDAL: secretVersionTagV2BridgeDAL,
-    secretVersionV2BridgeDAL,
-    resourceMetadataDAL
+    secretVersionV2BridgeDAL
  });
-
  const secretRotationQueue = secretRotationQueueFactory({
    telemetryService,
    secretRotationDAL,
@ -1347,8 +1339,7 @@ export const registerRoutes = async (
    folderDAL,
    secretDAL: secretV2BridgeDAL,
    queueService,
-    secretV2BridgeService,
-    resourceMetadataDAL
+    secretV2BridgeService
  });

  const migrationService = externalMigrationServiceFactory({
--- a/backend/src/server/routes/v1/auth-router.ts
+++ b/backend/src/server/routes/v1/auth-router.ts
@ -63,8 +63,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
    schema: {
      response: {
        200: z.object({
-          token: z.string(),
-          organizationId: z.string().optional()
+          token: z.string()
        })
      }
    },
@ -116,7 +115,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
        { expiresIn: appCfg.JWT_AUTH_LIFETIME }
      );

-      return { token, organizationId: decodedToken.organizationId };
+      return { token };
    }
  });
 };
--- a/backend/src/server/routes/v1/dashboard-router.ts
+++ b/backend/src/server/routes/v1/dashboard-router.ts
@ -17,7 +17,6 @@ import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

@ -117,7 +116,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          secrets: secretRawSchema
            .extend({
              secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
              tags: SecretTagsSchema.pick({
                id: true,
                slug: true,
@ -410,7 +408,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          secrets: secretRawSchema
            .extend({
              secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
              tags: SecretTagsSchema.pick({
                id: true,
                slug: true,
@ -696,7 +693,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          secrets: secretRawSchema
            .extend({
              secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
              tags: SecretTagsSchema.pick({
                id: true,
                slug: true,
@ -868,7 +864,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          secrets: secretRawSchema
            .extend({
              secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
              tags: SecretTagsSchema.pick({
                id: true,
                slug: true,
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@ -131,7 +131,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
      body: z.object({
        app: z.string().trim().optional().describe(INTEGRATION.UPDATE.app),
        appId: z.string().trim().optional().describe(INTEGRATION.UPDATE.appId),
-        isActive: z.boolean().optional().describe(INTEGRATION.UPDATE.isActive),
+        isActive: z.boolean().describe(INTEGRATION.UPDATE.isActive),
        secretPath: z
          .string()
          .trim()
--- a/backend/src/server/routes/v1/secret-sharing-router.ts
+++ b/backend/src/server/routes/v1/secret-sharing-router.ts
@ -1,7 +1,6 @@
 import { z } from "zod";

 import { SecretSharingSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SecretSharingAccessType } from "@app/lib/types";
 import {
  publicEndpointLimit,
@ -89,21 +88,6 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
        orgId: req.permission?.orgId
      });

-      if (sharedSecret.secret?.orgId) {
-        await server.services.auditLog.createAuditLog({
-          orgId: sharedSecret.secret.orgId,
-          ...req.auditLogInfo,
-          event: {
-            type: EventType.READ_SHARED_SECRET,
-            metadata: {
-              id: req.params.id,
-              name: sharedSecret.secret.name || undefined,
-              accessType: sharedSecret.secret.accessType
-            }
-          }
-        });
-      }
-
      return sharedSecret;
    }
  });
@ -167,23 +151,6 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
        actorOrgId: req.permission.orgId,
        ...req.body
      });
-
-      await server.services.auditLog.createAuditLog({
-        orgId: req.permission.orgId,
-        ...req.auditLogInfo,
-        event: {
-          type: EventType.CREATE_SHARED_SECRET,
-          metadata: {
-            accessType: req.body.accessType,
-            expiresAt: req.body.expiresAt,
-            expiresAfterViews: req.body.expiresAfterViews,
-            name: req.body.name,
-            id: sharedSecret.id,
-            usingPassword: !!req.body.password
-          }
-        }
-      });
-
      return { id: sharedSecret.id };
    }
  });
@ -214,18 +181,6 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
        sharedSecretId
      });

-      await server.services.auditLog.createAuditLog({
-        orgId: req.permission.orgId,
-        ...req.auditLogInfo,
-        event: {
-          type: EventType.DELETE_SHARED_SECRET,
-          metadata: {
-            id: sharedSecretId,
-            name: deletedSharedSecret.name || undefined
-          }
-        }
-      });
-
      return { ...deletedSharedSecret };
    }
  });
--- a/backend/src/server/routes/v1/slack-router.ts
+++ b/backend/src/server/routes/v1/slack-router.ts
@ -331,8 +331,12 @@ export const registerSlackRouter = async (server: FastifyZodProvider) => {
        failureAsync: async () => {
          return res.redirect(appCfg.SITE_URL as string);
        },
-        successAsync: async () => {
-          return res.redirect(`${appCfg.SITE_URL}/organization/settings?selectedTab=workflow-integrations`);
+        successAsync: async (installation) => {
+          const metadata = JSON.parse(installation.metadata || "") as {
+            orgId: string;
+          };
+
+          return res.redirect(`${appCfg.SITE_URL}/org/${metadata.orgId}/settings?selectedTab=workflow-integrations`);
        }
      });
    }
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@ -18,7 +18,6 @@ import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretOperations, SecretProtectionType } from "@app/services/secret/secret-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

@ -36,12 +35,6 @@ const SecretReferenceNodeTree: z.ZodType<TSecretReferenceNode> = SecretReference
  children: z.lazy(() => SecretReferenceNodeTree.array())
 });

-const SecretNameSchema = z
-  .string()
-  .trim()
-  .min(1)
-  .refine((el) => !el.includes(" "), "Secret name cannot contain spaces.");
-
 export const registerSecretRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
@ -57,7 +50,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: SecretNameSchema.describe(SECRETS.ATTACH_TAGS.secretName)
+        secretName: z.string().trim().describe(SECRETS.ATTACH_TAGS.secretName)
      }),
      body: z.object({
        projectSlug: z.string().trim().describe(SECRETS.ATTACH_TAGS.projectSlug),
@ -120,7 +113,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: z.string().describe(SECRETS.DETACH_TAGS.secretName)
+        secretName: z.string().trim().describe(SECRETS.DETACH_TAGS.secretName)
      }),
      body: z.object({
        projectSlug: z.string().trim().describe(SECRETS.DETACH_TAGS.projectSlug),
@ -212,7 +205,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          secrets: secretRawSchema
            .extend({
              secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
              tags: SecretTagsSchema.pick({
                id: true,
                slug: true,
@ -228,12 +220,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
              secretPath: z.string(),
              environment: z.string(),
              folderId: z.string().optional(),
-              secrets: secretRawSchema
-                .omit({ createdAt: true, updatedAt: true })
-                .extend({
-                  secretMetadata: ResourceMetadataSchema.optional()
-                })
-                .array()
+              secrets: secretRawSchema.omit({ createdAt: true, updatedAt: true }).array()
            })
            .array()
            .optional()
@ -361,8 +348,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
            })
              .extend({ name: z.string() })
              .array()
-              .optional(),
-            secretMetadata: ResourceMetadataSchema.optional()
+              .optional()
          })
        })
      }
@ -448,7 +434,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: SecretNameSchema.describe(RAW_SECRETS.CREATE.secretName)
+        secretName: z.string().trim().describe(RAW_SECRETS.CREATE.secretName)
      }),
      body: z.object({
        workspaceId: z.string().trim().describe(RAW_SECRETS.CREATE.workspaceId),
@ -464,7 +450,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
          .describe(RAW_SECRETS.CREATE.secretValue),
        secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
-        secretMetadata: ResourceMetadataSchema.optional(),
        tagIds: z.string().array().optional().describe(RAW_SECRETS.CREATE.tagIds),
        skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.CREATE.type),
@ -499,7 +484,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        secretValue: req.body.secretValue,
        skipMultilineEncoding: req.body.skipMultilineEncoding,
        secretComment: req.body.secretComment,
-        secretMetadata: req.body.secretMetadata,
        tagIds: req.body.tagIds,
        secretReminderNote: req.body.secretReminderNote,
        secretReminderRepeatDays: req.body.secretReminderRepeatDays
@ -555,7 +539,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: SecretNameSchema.describe(RAW_SECRETS.UPDATE.secretName)
+        secretName: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName)
      }),
      body: z.object({
        workspaceId: z.string().trim().describe(RAW_SECRETS.UPDATE.workspaceId),
@ -574,14 +558,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.UPDATE.type),
        tagIds: z.string().array().optional().describe(RAW_SECRETS.UPDATE.tagIds),
        metadata: z.record(z.string()).optional(),
-        secretMetadata: ResourceMetadataSchema.optional(),
        secretReminderNote: z.string().optional().nullable().describe(RAW_SECRETS.UPDATE.secretReminderNote),
        secretReminderRepeatDays: z
          .number()
          .optional()
          .nullable()
          .describe(RAW_SECRETS.UPDATE.secretReminderRepeatDays),
-        newSecretName: SecretNameSchema.optional().describe(RAW_SECRETS.UPDATE.newSecretName),
+        newSecretName: z.string().min(1).optional().describe(RAW_SECRETS.UPDATE.newSecretName),
        secretComment: z.string().optional().describe(RAW_SECRETS.UPDATE.secretComment)
      }),
      response: {
@ -612,10 +595,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        secretReminderNote: req.body.secretReminderNote,
        metadata: req.body.metadata,
        newSecretName: req.body.newSecretName,
-        secretComment: req.body.secretComment,
-        secretMetadata: req.body.secretMetadata
+        secretComment: req.body.secretComment
      });
-
      if (secretOperation.type === SecretProtectionType.Approval) {
        return { approval: secretOperation.approval };
      }
@ -666,7 +647,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: z.string().min(1).describe(RAW_SECRETS.DELETE.secretName)
+        secretName: z.string().trim().describe(RAW_SECRETS.DELETE.secretName)
      }),
      body: z.object({
        workspaceId: z.string().trim().describe(RAW_SECRETS.DELETE.workspaceId),
@ -1861,7 +1842,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          .describe(RAW_SECRETS.CREATE.secretPath),
        secrets: z
          .object({
-            secretKey: SecretNameSchema.describe(RAW_SECRETS.CREATE.secretName),
+            secretKey: z.string().trim().describe(RAW_SECRETS.CREATE.secretName),
            secretValue: z
              .string()
              .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
@ -1869,7 +1850,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
            secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
            skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
            metadata: z.record(z.string()).optional(),
-            secretMetadata: ResourceMetadataSchema.optional(),
            tagIds: z.string().array().optional().describe(RAW_SECRETS.CREATE.tagIds)
          })
          .array()
@ -1962,17 +1942,16 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          .describe(RAW_SECRETS.UPDATE.secretPath),
        secrets: z
          .object({
-            secretKey: SecretNameSchema.describe(RAW_SECRETS.UPDATE.secretName),
+            secretKey: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName),
            secretValue: z
              .string()
              .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
              .describe(RAW_SECRETS.UPDATE.secretValue),
            secretComment: z.string().trim().optional().describe(RAW_SECRETS.UPDATE.secretComment),
            skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.UPDATE.skipMultilineEncoding),
-            newSecretName: SecretNameSchema.optional().describe(RAW_SECRETS.UPDATE.newSecretName),
+            newSecretName: z.string().min(1).optional().describe(RAW_SECRETS.UPDATE.newSecretName),
            tagIds: z.string().array().optional().describe(RAW_SECRETS.UPDATE.tagIds),
            secretReminderNote: z.string().optional().nullable().describe(RAW_SECRETS.UPDATE.secretReminderNote),
-            secretMetadata: ResourceMetadataSchema.optional(),
            secretReminderRepeatDays: z
              .number()
              .optional()
@ -2068,7 +2047,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          .describe(RAW_SECRETS.DELETE.secretPath),
        secrets: z
          .object({
-            secretKey: z.string().describe(RAW_SECRETS.DELETE.secretName),
+            secretKey: z.string().trim().describe(RAW_SECRETS.DELETE.secretName),
            type: z.nativeEnum(SecretType).default(SecretType.Shared)
          })
          .array()
--- a/backend/src/services/auth/auth-type.ts
+++ b/backend/src/services/auth/auth-type.ts
@ -39,8 +39,7 @@ export enum ActorType { // would extend to AWS, Azure, ...
  SERVICE = "service",
  IDENTITY = "identity",
  Machine = "machine",
-  SCIM_CLIENT = "scimClient",
-  UNKNOWN_USER = "unknownUser"
+  SCIM_CLIENT = "scimClient"
 }

 // This will be null unless the token-type is JWT
--- a/backend/src/services/external-migration/external-migration-fns.ts
+++ b/backend/src/services/external-migration/external-migration-fns.ts
@ -16,7 +16,6 @@ import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectServiceFactory } from "../project/project-service";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
-import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
@ -36,8 +35,6 @@ export type TImportDataIntoInfisicalDTO = {
  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "create">;
  secretVersionTagDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany" | "create">;

-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany">;
-
  folderDAL: Pick<TSecretFolderDALFactory, "create" | "findBySecretPath" | "findById">;
  projectService: Pick<TProjectServiceFactory, "createProject">;
  projectEnvService: Pick<TProjectEnvServiceFactory, "createEnvironment">;
@ -506,7 +503,6 @@ export const importDataIntoInfisicalFn = async ({
  secretTagDAL,
  secretVersionTagDAL,
  folderDAL,
-  resourceMetadataDAL,
  input: { data, actor, actorId, actorOrgId, actorAuthMethod }
 }: TImportDataIntoInfisicalDTO) => {
  // Import data to infisical
@ -766,8 +762,6 @@ export const importDataIntoInfisicalFn = async ({
              };
            }),
            folderId: selectedFolder.id,
-            orgId: actorOrgId,
-            resourceMetadataDAL,
            secretDAL,
            secretVersionDAL,
            secretTagDAL,
--- a/backend/src/services/external-migration/external-migration-queue.ts
+++ b/backend/src/services/external-migration/external-migration-queue.ts
@ -8,7 +8,6 @@ import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectServiceFactory } from "../project/project-service";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
-import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
@ -36,8 +35,6 @@ export type TExternalMigrationQueueFactoryDep = {
  projectService: Pick<TProjectServiceFactory, "createProject">;
  projectEnvService: Pick<TProjectEnvServiceFactory, "createEnvironment">;
  secretV2BridgeService: Pick<TSecretV2BridgeServiceFactory, "createManySecret">;
-
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };

 export type TExternalMigrationQueueFactory = ReturnType<typeof externalMigrationQueueFactory>;
@ -55,8 +52,7 @@ export const externalMigrationQueueFactory = ({
  secretVersionDAL,
  secretTagDAL,
  secretVersionTagDAL,
-  folderDAL,
-  resourceMetadataDAL
+  folderDAL
 }: TExternalMigrationQueueFactoryDep) => {
  const startImport = async (dto: {
    actorEmail: string;
@ -113,8 +109,7 @@ export const externalMigrationQueueFactory = ({
        kmsService,
        projectService,
        projectEnvService,
-        secretV2BridgeService,
-        resourceMetadataDAL
+        secretV2BridgeService
      });

      if (projectsNotImported.length) {
--- a/backend/src/services/identity-oidc-auth/identity-oidc-auth-fns.ts
+++ b/backend/src/services/identity-oidc-auth/identity-oidc-auth-fns.ts
@ -2,11 +2,3 @@ import picomatch from "picomatch";

 export const doesFieldValueMatchOidcPolicy = (fieldValue: string, policyValue: string) =>
  policyValue === fieldValue || picomatch.isMatch(fieldValue, policyValue);
-
-export const doesAudValueMatchOidcPolicy = (fieldValue: string | string[], policyValue: string) => {
-  if (Array.isArray(fieldValue)) {
-    return fieldValue.some((entry) => entry === policyValue || picomatch.isMatch(entry, policyValue));
-  }
-
-  return policyValue === fieldValue || picomatch.isMatch(fieldValue, policyValue);
-};
--- a/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
+++ b/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
@ -27,7 +27,7 @@ import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identit
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
 import { TOrgBotDALFactory } from "../org/org-bot-dal";
 import { TIdentityOidcAuthDALFactory } from "./identity-oidc-auth-dal";
-import { doesAudValueMatchOidcPolicy, doesFieldValueMatchOidcPolicy } from "./identity-oidc-auth-fns";
+import { doesFieldValueMatchOidcPolicy } from "./identity-oidc-auth-fns";
 import {
  TAttachOidcAuthDTO,
  TGetOidcAuthDTO,
@ -148,7 +148,7 @@ export const identityOidcAuthServiceFactory = ({
      if (
        !identityOidcAuth.boundAudiences
          .split(", ")
-          .some((policyValue) => doesAudValueMatchOidcPolicy(tokenData.aud, policyValue))
+          .some((policyValue) => doesFieldValueMatchOidcPolicy(tokenData.aud, policyValue))
      ) {
        throw new UnauthorizedError({
          message: "Access denied: OIDC audience not allowed."
--- a/backend/src/services/integration-auth/integration-list.ts
+++ b/backend/src/services/integration-auth/integration-list.ts
@ -427,8 +427,3 @@ export const getIntegrationOptions = async () => {

  return INTEGRATION_OPTIONS;
 };
-
-export enum IntegrationMetadataSyncMode {
-  CUSTOM = "custom",
-  SECRET_METADATA = "secret-metadata"
-}
--- a/backend/src/services/integration-auth/integration-sync-secret.ts
+++ b/backend/src/services/integration-auth/integration-sync-secret.ts
@ -38,7 +38,6 @@ import { TCreateManySecretsRawFn, TUpdateManySecretsRawFn } from "@app/services/

 import { TIntegrationDALFactory } from "../integration/integration-dal";
 import { IntegrationMetadataSchema } from "../integration/integration-schema";
-import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { IntegrationAuthMetadataSchema } from "./integration-auth-schema";
 import {
  CircleCiScope,
@ -49,7 +48,6 @@ import {
 import {
  IntegrationInitialSyncBehavior,
  IntegrationMappingBehavior,
-  IntegrationMetadataSyncMode,
  Integrations,
  IntegrationUrls
 } from "./integration-list";
@ -307,16 +305,10 @@ const syncSecretsAzureAppConfig = async ({
    value: string;
  }

-  if (!integration.app || !integration.app.endsWith(".azconfig.io"))
-    throw new BadRequestError({
-      message: "Invalid Azure App Configuration URL provided."
-    });
-
-  const getCompleteAzureAppConfigValues = async (baseURL: string, url: string) => {
+  const getCompleteAzureAppConfigValues = async (url: string) => {
    let result: AzureAppConfigKeyValue[] = [];
    while (url) {
      const res = await request.get(url, {
-        baseURL,
        headers: {
          Authorization: `Bearer ${accessToken}`
        },
@ -327,7 +319,7 @@ const syncSecretsAzureAppConfig = async ({
      });

      result = result.concat(res.data.items);
-      url = res.data?.["@nextLink"];
+      url = res.data.nextLink;
    }

    return result;
@ -335,13 +327,11 @@ const syncSecretsAzureAppConfig = async ({

  const metadata = IntegrationMetadataSchema.parse(integration.metadata);

-  const azureAppConfigValuesUrl = `/kv?api-version=2023-11-01&key=${metadata.secretPrefix}*${
-    metadata.azureLabel ? `&label=${metadata.azureLabel}` : "&label=%00"
+  const azureAppConfigValuesUrl = `${integration.app}/kv?api-version=2023-11-01&key=${metadata.secretPrefix}*${
+    metadata.azureLabel ? `&label=${metadata.azureLabel}` : ""
  }`;

-  const azureAppConfigSecrets = (
-    await getCompleteAzureAppConfigValues(integration.app, azureAppConfigValuesUrl)
-  ).reduce(
+  const azureAppConfigSecrets = (await getCompleteAzureAppConfigValues(azureAppConfigValuesUrl)).reduce(
    (accum, entry) => {
      accum[entry.key] = entry.value;

@ -1084,14 +1074,14 @@ const syncSecretsAWSSecretManager = async ({
  projectId
 }: {
  integration: TIntegrations;
-  secrets: Record<string, { value: string; comment?: string; secretMetadata?: ResourceMetadataDTO }>;
+  secrets: Record<string, { value: string; comment?: string }>;
  accessId: string | null;
  accessToken: string;
  awsAssumeRoleArn: string | null;
  projectId?: string;
 }) => {
  const appCfg = getConfig();
-  const metadata = IntegrationMetadataSchema.parse(integration.metadata || {});
+  const metadata = z.record(z.any()).parse(integration.metadata || {});

  if (!accessId && !awsAssumeRoleArn) {
    throw new Error("AWS access ID/AWS Assume Role is required");
@ -1139,25 +1129,8 @@ const syncSecretsAWSSecretManager = async ({

  const processAwsSecret = async (
    secretId: string,
-    secretValue: Record<string, string | null | undefined> | string,
-    secretMetadata?: ResourceMetadataDTO
+    secretValue: Record<string, string | null | undefined> | string
  ) => {
-    const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
-    const shouldTag =
-      (secretAWSTag && secretAWSTag.length) ||
-      (metadata.metadataSyncMode === IntegrationMetadataSyncMode.SECRET_METADATA &&
-        metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE);
-    const tagArray =
-      (metadata.metadataSyncMode === IntegrationMetadataSyncMode.SECRET_METADATA ? secretMetadata : secretAWSTag) ?? [];
-
-    const integrationTagObj = tagArray.reduce(
-      (acc, item) => {
-        acc[item.key] = item.value;
-        return acc;
-      },
-      {} as Record<string, string>
-    );
-
    try {
      const awsSecretManagerSecret = await secretsManager.send(
        new GetSecretValueCommand({
@ -1186,14 +1159,15 @@ const syncSecretsAWSSecretManager = async ({
        } else {
          await secretsManager.send(
            new DeleteSecretCommand({
-              SecretId: secretId,
-              ForceDeleteWithoutRecovery: true
+              SecretId: secretId
            })
          );
        }
      }

-      if (shouldTag) {
+      const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
+
+      if (secretAWSTag && secretAWSTag.length) {
        const describedSecret = await secretsManager.send(
          // requires secretsmanager:DescribeSecret policy
          new DescribeSecretCommand({
@ -1203,6 +1177,14 @@ const syncSecretsAWSSecretManager = async ({

        if (!describedSecret.Tags) return;

+        const integrationTagObj = secretAWSTag.reduce(
+          (acc, item) => {
+            acc[item.key] = item.value;
+            return acc;
+          },
+          {} as Record<string, string>
+        );
+
        const awsTagObj = (describedSecret.Tags || []).reduce(
          (acc, item) => {
            if (item.Key && item.Value) {
@ -1234,7 +1216,7 @@ const syncSecretsAWSSecretManager = async ({
          }
        });

-        tagArray.forEach((tag) => {
+        secretAWSTag?.forEach((tag) => {
          if (!(tag.key in awsTagObj)) {
            // create tag in AWS secret manager
            tagsToUpdate.push({
@ -1271,8 +1253,8 @@ const syncSecretsAWSSecretManager = async ({
              Name: secretId,
              SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue),
              ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
-              Tags: shouldTag
-                ? tagArray.map((tag: { key: string; value: string }) => ({
+              Tags: metadata.secretAWSTag
+                ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({
                    Key: tag.key,
                    Value: tag.value
                  }))
@ -1289,10 +1271,7 @@ const syncSecretsAWSSecretManager = async ({

  if (metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE) {
    for await (const [key, value] of Object.entries(secrets)) {
-      await processAwsSecret(key, value.value, value.secretMetadata).catch((error) => {
-        error.secretKey = key;
-        throw error;
-      });
+      await processAwsSecret(key, value.value);
    }
  } else {
    await processAwsSecret(integration.app as string, getSecretKeyValuePair(secrets));
@ -2775,23 +2754,13 @@ const syncSecretsAzureDevops = async ({
 * Sync/push [secrets] to GitLab repo with name [integration.app]
 */
 const syncSecretsGitLab = async ({
-  createManySecretsRawFn,
  integrationAuth,
  integration,
  secrets,
  accessToken
 }: {
-  createManySecretsRawFn: (params: TCreateManySecretsRawFn) => Promise<Array<{ id: string }>>;
  integrationAuth: TIntegrationAuths;
-  integration: TIntegrations & {
-    projectId: string;
-    environment: {
-      id: string;
-      name: string;
-      slug: string;
-    };
-    secretPath: string;
-  };
+  integration: TIntegrations;
  secrets: Record<string, { value: string; comment?: string }>;
  accessToken: string;
 }) => {
@ -2848,81 +2817,6 @@ const syncSecretsGitLab = async ({
      return isValid;
    });

-  if (!integration.lastUsed) {
-    const secretsToAddToInfisical: { [key: string]: GitLabSecret } = {};
-    const secretsToRemoveInGitlab: GitLabSecret[] = [];
-
-    if (!metadata.initialSyncBehavior) {
-      metadata.initialSyncBehavior = IntegrationInitialSyncBehavior.OVERWRITE_TARGET;
-    }
-
-    getSecretsRes.forEach((gitlabSecret) => {
-      // first time using integration
-      // -> apply initial sync behavior
-      switch (metadata.initialSyncBehavior) {
-        // Override all the secrets in GitLab
-        case IntegrationInitialSyncBehavior.OVERWRITE_TARGET: {
-          if (!(gitlabSecret.key in secrets)) {
-            secretsToRemoveInGitlab.push(gitlabSecret);
-          }
-          break;
-        }
-        case IntegrationInitialSyncBehavior.PREFER_SOURCE: {
-          // if the secret is not in infisical, we need to add it to infisical
-          if (!(gitlabSecret.key in secrets)) {
-            secrets[gitlabSecret.key] = {
-              value: gitlabSecret.value
-            };
-            // need to remove prefix and suffix from what we're saving to Infisical
-            const prefix = metadata?.secretPrefix || "";
-            const suffix = metadata?.secretSuffix || "";
-            let processedKey = gitlabSecret.key;
-
-            // Remove prefix if it exists at the start
-            if (prefix && processedKey.startsWith(prefix)) {
-              processedKey = processedKey.slice(prefix.length);
-            }
-
-            // Remove suffix if it exists at the end
-            if (suffix && processedKey.endsWith(suffix)) {
-              processedKey = processedKey.slice(0, -suffix.length);
-            }
-
-            secretsToAddToInfisical[processedKey] = gitlabSecret;
-          }
-          break;
-        }
-        default: {
-          throw new Error(`Invalid initial sync behavior: ${metadata.initialSyncBehavior}`);
-        }
-      }
-    });
-
-    if (Object.keys(secretsToAddToInfisical).length) {
-      await createManySecretsRawFn({
-        projectId: integration.projectId,
-        environment: integration.environment.slug,
-        path: integration.secretPath,
-        secrets: Object.keys(secretsToAddToInfisical).map((key) => ({
-          secretName: key,
-          secretValue: secretsToAddToInfisical[key].value,
-          type: SecretType.Shared
-        }))
-      });
-    }
-
-    for await (const gitlabSecret of secretsToRemoveInGitlab) {
-      await request.delete(
-        `${gitLabApiUrl}/v4/projects/${integration?.appId}/variables/${gitlabSecret.key}?filter[environment_scope]=${integration.targetEnvironment}`,
-        {
-          headers: {
-            Authorization: `Bearer ${accessToken}`
-          }
-        }
-      );
-    }
-  }
-
  for await (const key of Object.keys(secrets)) {
    const existingSecret = getSecretsRes.find((s) => s.key === key);
    if (!existingSecret) {
@ -4537,7 +4431,7 @@ export const syncIntegrationSecrets = async ({
    secretPath: string;
  };
  integrationAuth: TIntegrationAuths;
-  secrets: Record<string, { value: string; comment?: string; secretMetadata?: ResourceMetadataDTO }>;
+  secrets: Record<string, { value: string; comment?: string }>;
  accessId: string | null;
  awsAssumeRoleArn: string | null;
  accessToken: string;
@ -4642,8 +4536,7 @@ export const syncIntegrationSecrets = async ({
        integrationAuth,
        integration,
        secrets,
-        accessToken,
-        createManySecretsRawFn
+        accessToken
      });
      break;
    case Integrations.RENDER:
--- a/backend/src/services/integration-auth/integration-team.ts
+++ b/backend/src/services/integration-auth/integration-team.ts
@ -1,5 +1,3 @@
-import { AxiosResponse } from "axios";
-
 import { request } from "@app/lib/config/request";
 import { BadRequestError } from "@app/lib/errors";

@ -13,27 +11,19 @@ const getTeamsGitLab = async ({ url, accessToken }: { url: string; accessToken:
  const gitLabApiUrl = url ? `${url}/api` : IntegrationUrls.GITLAB_API_URL;

  let teams: Team[] = [];
-  let page: number = 1;
-  while (page > 0) {
-    // eslint-disable-next-line no-await-in-loop
-    const { data, headers }: AxiosResponse<{ name: string; id: string }[]> = await request.get(
-      `${gitLabApiUrl}/v4/groups?page=${page}`,
-      {
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          "Accept-Encoding": "application/json"
-        }
+  const res = (
+    await request.get<{ name: string; id: string }[]>(`${gitLabApiUrl}/v4/groups`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json"
      }
-    );
+    })
+  ).data;

-    page = Number(headers["x-next-page"] ?? "");
-    teams = teams.concat(
-      data.map((t) => ({
-        name: t.name,
-        id: t.id.toString()
-      }))
-    );
-  }
+  teams = res.map((t) => ({
+    name: t.name,
+    id: t.id.toString()
+  }));

  return teams;
 };
--- a/backend/src/services/integration/integration-schema.ts
+++ b/backend/src/services/integration/integration-schema.ts
@ -2,7 +2,7 @@ import { z } from "zod";

 import { INTEGRATION } from "@app/lib/api-docs";

-import { IntegrationMappingBehavior, IntegrationMetadataSyncMode } from "../integration-auth/integration-list";
+import { IntegrationMappingBehavior } from "../integration-auth/integration-list";

 export const IntegrationMetadataSchema = z.object({
  initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
@ -50,11 +50,6 @@ export const IntegrationMetadataSchema = z.object({
  shouldMaskSecrets: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldMaskSecrets),
  shouldProtectSecrets: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldProtectSecrets),

-  metadataSyncMode: z
-    .nativeEnum(IntegrationMetadataSyncMode)
-    .optional()
-    .describe(INTEGRATION.CREATE.metadata.metadataSyncMode),
-
  octopusDeployScopeValues: z
    .object({
      // in Octopus Deploy Scope Value Format
--- a/backend/src/services/resource-metadata/resource-metadata-dal.ts
+++ b/backend/src/services/resource-metadata/resource-metadata-dal.ts
@ -1,11 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TResourceMetadataDALFactory = ReturnType<typeof resourceMetadataDALFactory>;
-
-export const resourceMetadataDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.ResourceMetadata);
-
-  return orm;
-};
--- a/backend/src/services/resource-metadata/resource-metadata-schema.ts
+++ b/backend/src/services/resource-metadata/resource-metadata-schema.ts
@ -1,10 +0,0 @@
-import z from "zod";
-
-export const ResourceMetadataSchema = z
-  .object({
-    key: z.string().trim().min(1),
-    value: z.string().trim().default("")
-  })
-  .array();
-
-export type ResourceMetadataDTO = z.infer<typeof ResourceMetadataSchema>;
--- a/backend/src/services/secret-import/secret-import-fns.ts
+++ b/backend/src/services/secret-import/secret-import-fns.ts
@ -1,7 +1,6 @@
 import { SecretType, TSecretImports, TSecrets, TSecretsV2 } from "@app/db/schemas";
 import { groupBy, unique } from "@app/lib/fn";

-import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
@ -40,7 +39,6 @@ type TSecretImportSecretsV2 = {
    // But for somereason ts consider ? and undefined explicit as different just ts things
    secretValue: string;
    secretComment: string;
-    secretMetadata?: ResourceMetadataDTO;
  })[];
 };

--- a/backend/src/services/secret-import/secret-import-service.ts
+++ b/backend/src/services/secret-import/secret-import-service.ts
@ -160,7 +160,6 @@ export const secretImportServiceFactory = ({
    if (secImport.isReplication && sourceFolder) {
      await secretQueueService.replicateSecrets({
        secretPath: secImport.importPath,
-        orgId: actorOrgId,
        projectId,
        environmentSlug: importEnv.slug,
        pickOnlyImportIds: [secImport.id],
@ -170,7 +169,6 @@ export const secretImportServiceFactory = ({
    } else {
      await secretQueueService.syncSecrets({
        secretPath,
-        orgId: actorOrgId,
        projectId,
        environmentSlug: environment,
        actorId,
@ -342,7 +340,6 @@ export const secretImportServiceFactory = ({

    await secretQueueService.syncSecrets({
      secretPath,
-      orgId: actorOrgId,
      projectId,
      environmentSlug: environment,
      actor,
@ -418,7 +415,6 @@ export const secretImportServiceFactory = ({

    if (membership && sourceFolder) {
      await secretQueueService.replicateSecrets({
-        orgId: actorOrgId,
        secretPath: secretImportDoc.importPath,
        projectId,
        environmentSlug: secretImportDoc.importEnv.slug,
--- a/backend/src/services/secret-sharing/secret-sharing-service.ts
+++ b/backend/src/services/secret-sharing/secret-sharing-service.ts
@ -206,13 +206,8 @@ export const secretSharingServiceFactory = ({

    const orgName = sharedSecret.orgId ? (await orgDAL.findOrgById(sharedSecret.orgId))?.name : "";

-    if (accessType === SecretSharingAccessType.Organization && orgId === undefined) {
-      throw new UnauthorizedError();
-    }
-
-    if (accessType === SecretSharingAccessType.Organization && orgId !== sharedSecret.orgId) {
+    if (accessType === SecretSharingAccessType.Organization && orgId !== sharedSecret.orgId)
      throw new ForbiddenRequestError();
-    }

    // all secrets pass through here, meaning we check if its expired first and then check if it needs verification
    // or can be safely sent to the client.
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
@ -78,12 +78,6 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
          `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
          `${TableName.SecretTag}.id`
        )
-        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
-        .select(
-          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
-        )
        .select(selectAllTableCols(TableName.SecretV2))
        .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
        .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
@ -109,15 +103,6 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
              slug,
              name: slug
            })
-          },
-          {
-            key: "metadataId",
-            label: "secretMetadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
          }
        ]
      });
@ -236,9 +221,7 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
      const secs = await (tx || db.replicaNode())(TableName.SecretV2)
        .where({ folderId })
        .where((bd) => {
-          void bd
-            .whereNull(`${TableName.SecretV2}.userId`)
-            .orWhere({ [`${TableName.SecretV2}.userId` as "userId"]: userId || null });
+          void bd.whereNull("userId").orWhere({ userId: userId || null });
        })
        .leftJoin(
          TableName.SecretV2JnTag,
@ -250,16 +233,10 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
          `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
          `${TableName.SecretTag}.id`
        )
-        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
        .select(selectAllTableCols(TableName.SecretV2))
        .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
        .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
-        .select(
-          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
-        )
        .orderBy("id", "asc");

      const data = sqlNestRelationships({
@ -276,15 +253,6 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
              slug,
              name: slug
            })
-          },
-          {
-            key: "metadataId",
-            label: "secretMetadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
          }
        ]
      });
@ -399,9 +367,7 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
          }
        })
        .where((bd) => {
-          void bd
-            .whereNull(`${TableName.SecretV2}.userId`)
-            .orWhere({ [`${TableName.SecretV2}.userId` as "userId"]: userId || null });
+          void bd.whereNull(`${TableName.SecretV2}.userId`).orWhere({ userId: userId || null });
        })
        .leftJoin(
          TableName.SecretV2JnTag,
@ -413,23 +379,13 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
          `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
          `${TableName.SecretTag}.id`
        )
-        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
        .select(
          selectAllTableCols(TableName.SecretV2),
-          db.raw(
-            `DENSE_RANK() OVER (ORDER BY "${TableName.SecretV2}".key ${
-              filters?.orderDirection ?? OrderByDirection.ASC
-            }) as rank`
-          )
+          db.raw(`DENSE_RANK() OVER (ORDER BY "key" ${filters?.orderDirection ?? OrderByDirection.ASC}) as rank`)
        )
        .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
        .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
-        .select(
-          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
-        )
        .where((bd) => {
          const slugs = filters?.tagSlugs?.filter(Boolean);
          if (slugs && slugs.length > 0) {
@ -469,15 +425,6 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
              slug,
              name: slug
            })
-          },
-          {
-            key: "metadataId",
-            label: "secretMetadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
          }
        ]
      });
@ -598,17 +545,10 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
          `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
          `${TableName.SecretTag}.id`
        )
-        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
        .select(selectAllTableCols(TableName.SecretV2))
        .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
        .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
-        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
-        .select(
-          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
-        );
-
+        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"));
      const docs = sqlNestRelationships({
        data: rawDocs,
        key: "id",
@ -623,15 +563,6 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
              slug,
              name: slug
            })
-          },
-          {
-            key: "metadataId",
-            label: "secretMetadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
          }
        ]
      });
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts
@ -6,7 +6,6 @@ import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";

 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
-import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretV2BridgeDALFactory } from "./secret-v2-bridge-dal";
 import { TFnSecretBulkDelete, TFnSecretBulkInsert, TFnSecretBulkUpdate } from "./secret-v2-bridge-types";
@ -55,11 +54,9 @@ export const getAllSecretReferences = (maybeSecretReference: string) => {
 export const fnSecretBulkInsert = async ({
  // TODO: Pick types here
  folderId,
-  orgId,
  inputSecrets,
  secretDAL,
  secretVersionDAL,
-  resourceMetadataDAL,
  secretTagDAL,
  secretVersionTagDAL,
  tx
@ -94,7 +91,6 @@ export const fnSecretBulkInsert = async ({
    sanitizedInputSecrets.map((el) => ({ ...el, folderId })),
    tx
  );
-
  const newSecretGroupedByKeyName = groupBy(newSecrets, (item) => item.key);
  const newSecretTags = inputSecrets.flatMap(({ tagIds: secretTags = [], key }) =>
    secretTags.map((tag) => ({
@ -110,7 +106,6 @@ export const fnSecretBulkInsert = async ({
    })),
    tx
  );
-
  await secretDAL.upsertSecretReferences(
    inputSecrets.map(({ references = [], key }) => ({
      secretId: newSecretGroupedByKeyName[key][0].id,
@ -118,22 +113,6 @@ export const fnSecretBulkInsert = async ({
    })),
    tx
  );
-
-  await resourceMetadataDAL.insertMany(
-    inputSecrets.flatMap(({ key: secretKey, secretMetadata }) => {
-      if (secretMetadata) {
-        return secretMetadata.map(({ key, value }) => ({
-          key,
-          value,
-          secretId: newSecretGroupedByKeyName[secretKey][0].id,
-          orgId
-        }));
-      }
-      return [];
-    }),
-    tx
-  );
-
  if (newSecretTags.length) {
    const secTags = await secretTagDAL.saveTagsToSecretV2(newSecretTags, tx);
    const secVersionsGroupBySecId = groupBy(secretVersions, (i) => i.secretId);
@ -141,7 +120,6 @@ export const fnSecretBulkInsert = async ({
      [`${TableName.SecretVersionV2}Id` as const]: secVersionsGroupBySecId[secrets_v2Id][0].id,
      [`${TableName.SecretTag}Id` as const]: secret_tagsId
    }));
-
    await secretVersionTagDAL.insertMany(newSecretVersionTags, tx);
  }

@ -152,12 +130,10 @@ export const fnSecretBulkUpdate = async ({
  tx,
  inputSecrets,
  folderId,
-  orgId,
  secretDAL,
  secretVersionDAL,
  secretTagDAL,
-  secretVersionTagDAL,
-  resourceMetadataDAL
+  secretVersionTagDAL
 }: TFnSecretBulkUpdate) => {
  const sanitizedInputSecrets = inputSecrets.map(
    ({
@ -255,34 +231,6 @@ export const fnSecretBulkUpdate = async ({
    }
  }

-  const inputSecretIdsWithMetadata = inputSecrets
-    .filter((sec) => Boolean(sec.data.secretMetadata))
-    .map((sec) => sec.filter.id);
-
-  await resourceMetadataDAL.delete(
-    {
-      $in: {
-        secretId: inputSecretIdsWithMetadata
-      }
-    },
-    tx
-  );
-
-  await resourceMetadataDAL.insertMany(
-    inputSecrets.flatMap(({ filter: { id }, data: { secretMetadata } }) => {
-      if (secretMetadata) {
-        return secretMetadata.map(({ key, value }) => ({
-          key,
-          value,
-          secretId: id,
-          orgId
-        }));
-      }
-      return [];
-    }),
-    tx
-  );
-
  return newSecrets.map((secret) => ({ ...secret, _id: secret.id }));
 };

@ -622,7 +570,6 @@ export const reshapeBridgeSecret = (
      color?: string | null;
      name: string;
    }[];
-    secretMetadata?: ResourceMetadataDTO;
  }
 ) => ({
  secretKey: secret.key,
@ -641,7 +588,6 @@ export const reshapeBridgeSecret = (
  secretReminderRepeatDays: secret.reminderRepeatDays,
  secretReminderNote: secret.reminderNote,
  metadata: secret.metadata,
-  secretMetadata: secret.secretMetadata,
  createdAt: secret.createdAt,
  updatedAt: secret.updatedAt
 });
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
@ -18,7 +18,6 @@ import { ActorType } from "../auth/auth-type";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
-import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretQueueFactory } from "../secret/secret-queue";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
@ -75,7 +74,6 @@ type TSecretV2BridgeServiceFactoryDep = {
    "insertV2Bridge" | "insertApprovalSecretV2Tags"
  >;
  snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };

 export type TSecretV2BridgeServiceFactory = ReturnType<typeof secretV2BridgeServiceFactory>;
@ -97,8 +95,7 @@ export const secretV2BridgeServiceFactory = ({
  secretApprovalPolicyService,
  secretApprovalRequestDAL,
  secretApprovalRequestSecretDAL,
-  kmsService,
-  resourceMetadataDAL
+  kmsService
 }: TSecretV2BridgeServiceFactoryDep) => {
  const $validateSecretReferences = async (
    projectId: string,
@ -144,7 +141,7 @@ export const secretV2BridgeServiceFactory = ({
              },
              {
                operator: "eq",
-                field: `${TableName.SecretV2}.key` as "key",
+                field: "key",
                value: el.secretKey
              }
            ]
@ -189,7 +186,6 @@ export const secretV2BridgeServiceFactory = ({
    actorAuthMethod,
    projectId,
    secretPath,
-    secretMetadata,
    ...inputSecret
  }: TCreateSecretDTO) => {
    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
@ -259,7 +255,6 @@ export const secretV2BridgeServiceFactory = ({
    const secret = await secretDAL.transaction((tx) =>
      fnSecretBulkInsert({
        folderId,
-        orgId: actorOrgId,
        inputSecrets: [
          {
            version: 1,
@ -277,11 +272,9 @@ export const secretV2BridgeServiceFactory = ({
            key: secretName,
            userId: inputSecret.type === SecretType.Personal ? actorId : null,
            tagIds: inputSecret.tagIds,
-            references: nestedReferences,
-            secretMetadata
+            references: nestedReferences
          }
        ],
-        resourceMetadataDAL,
        secretDAL,
        secretVersionDAL,
        secretTagDAL,
@ -294,7 +287,6 @@ export const secretV2BridgeServiceFactory = ({
      await snapshotService.performSnapshot(folderId);
      await secretQueueService.syncSecrets({
        secretPath,
-        orgId: actorOrgId,
        actorId,
        actor,
        projectId,
@ -317,7 +309,6 @@ export const secretV2BridgeServiceFactory = ({
    actorAuthMethod,
    projectId,
    secretPath,
-    secretMetadata,
    ...inputSecret
  }: TUpdateSecretDTO) => {
    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
@ -444,8 +435,6 @@ export const secretV2BridgeServiceFactory = ({
    const updatedSecret = await secretDAL.transaction(async (tx) =>
      fnSecretBulkUpdate({
        folderId,
-        orgId: actorOrgId,
-        resourceMetadataDAL,
        inputSecrets: [
          {
            filter: { id: secretId },
@ -459,7 +448,6 @@ export const secretV2BridgeServiceFactory = ({
              skipMultilineEncoding: inputSecret.skipMultilineEncoding,
              key: inputSecret.newSecretName || secretName,
              tags: inputSecret.tagIds,
-              secretMetadata,
              ...encryptedValue
            }
          }
@ -487,7 +475,6 @@ export const secretV2BridgeServiceFactory = ({
        actorId,
        actor,
        projectId,
-        orgId: actorOrgId,
        environmentSlug: folder.environment.slug
      });
    }
@ -575,7 +562,6 @@ export const secretV2BridgeServiceFactory = ({
        actorId,
        actor,
        projectId,
-        orgId: actorOrgId,
        environmentSlug: folder.environment.slug
      });
    }
@ -975,8 +961,8 @@ export const secretV2BridgeServiceFactory = ({
      ? secretDAL.findOneWithTags({
          folderId,
          type: secretType,
-          [`${TableName.SecretV2}.key` as "key"]: secretName,
-          [`${TableName.SecretV2}.userId` as "userId"]: secretType === SecretType.Personal ? actorId : null
+          key: secretName,
+          userId: secretType === SecretType.Personal ? actorId : null
        })
      : secretVersionDAL
          .findOne({
@ -1127,7 +1113,7 @@ export const secretV2BridgeServiceFactory = ({
              value: [
                {
                  operator: "eq",
-                  field: `${TableName.SecretV2}.key` as "key",
+                  field: "key",
                  value: el.secretKey
                },
                {
@ -1199,14 +1185,11 @@ export const secretV2BridgeServiceFactory = ({
            key: el.secretKey,
            tagIds: el.tagIds,
            references,
-            secretMetadata: el.secretMetadata,
            type: SecretType.Shared
          };
        }),
        folderId,
-        orgId: actorOrgId,
        secretDAL,
-        resourceMetadataDAL,
        secretVersionDAL,
        secretTagDAL,
        secretVersionTagDAL,
@ -1220,7 +1203,6 @@ export const secretV2BridgeServiceFactory = ({
      actorId,
      secretPath,
      projectId,
-      orgId: actorOrgId,
      environmentSlug: folder.environment.slug
    });

@ -1272,7 +1254,7 @@ export const secretV2BridgeServiceFactory = ({
              value: [
                {
                  operator: "eq",
-                  field: `${TableName.SecretV2}.key` as "key",
+                  field: "key",
                  value: el.secretKey
                },
                {
@ -1337,7 +1319,7 @@ export const secretV2BridgeServiceFactory = ({
                value: [
                  {
                    operator: "eq",
-                    field: `${TableName.SecretV2}.key` as "key",
+                    field: "key",
                    value: el.secretKey
                  },
                  {
@ -1389,7 +1371,6 @@ export const secretV2BridgeServiceFactory = ({
    const secrets = await secretDAL.transaction(async (tx) =>
      fnSecretBulkUpdate({
        folderId,
-        orgId: actorOrgId,
        tx,
        inputSecrets: inputSecrets.map((el) => {
          const originalSecret = secretsToUpdateInDBGroupedByKey[el.secretKey][0];
@ -1413,7 +1394,6 @@ export const secretV2BridgeServiceFactory = ({
              skipMultilineEncoding: el.skipMultilineEncoding,
              key: el.newSecretName || el.secretKey,
              tags: el.tagIds,
-              secretMetadata: el.secretMetadata,
              ...encryptedValue
            }
          };
@ -1421,8 +1401,7 @@ export const secretV2BridgeServiceFactory = ({
        secretDAL,
        secretVersionDAL,
        secretTagDAL,
-        secretVersionTagDAL,
-        resourceMetadataDAL
+        secretVersionTagDAL
      })
    );
    await snapshotService.performSnapshot(folderId);
@ -1431,7 +1410,6 @@ export const secretV2BridgeServiceFactory = ({
      actorId,
      secretPath,
      projectId,
-      orgId: actorOrgId,
      environmentSlug: folder.environment.slug
    });

@ -1483,7 +1461,7 @@ export const secretV2BridgeServiceFactory = ({
              value: [
                {
                  operator: "eq",
-                  field: `${TableName.SecretV2}.key` as "key",
+                  field: "key",
                  value: el.secretKey
                },
                {
@ -1534,7 +1512,6 @@ export const secretV2BridgeServiceFactory = ({
      actorId,
      secretPath,
      projectId,
-      orgId: actorOrgId,
      environmentSlug: folder.environment.slug
    });

@ -1838,12 +1815,10 @@ export const secretV2BridgeServiceFactory = ({
        if (locallyCreatedSecrets.length) {
          await fnSecretBulkInsert({
            folderId: destinationFolder.id,
-            orgId: actorOrgId,
            secretVersionDAL,
            secretDAL,
            tx,
            secretTagDAL,
-            resourceMetadataDAL,
            secretVersionTagDAL,
            inputSecrets: locallyCreatedSecrets.map((doc) => {
              return {
@ -1855,7 +1830,6 @@ export const secretV2BridgeServiceFactory = ({
                skipMultilineEncoding: doc.skipMultilineEncoding,
                reminderNote: doc.reminderNote,
                reminderRepeatDays: doc.reminderRepeatDays,
-                secretMetadata: doc.secretMetadata,
                references: doc.value ? getAllSecretReferences(doc.value).nestedReferences : []
              };
            })
@ -1864,8 +1838,6 @@ export const secretV2BridgeServiceFactory = ({
        if (locallyUpdatedSecrets.length) {
          await fnSecretBulkUpdate({
            folderId: destinationFolder.id,
-            orgId: actorOrgId,
-            resourceMetadataDAL,
            secretVersionDAL,
            secretDAL,
            tx,
@ -1883,7 +1855,6 @@ export const secretV2BridgeServiceFactory = ({
                  encryptedComment: doc.encryptedComment,
                  skipMultilineEncoding: doc.skipMultilineEncoding,
                  reminderNote: doc.reminderNote,
-                  secretMetadata: doc.secretMetadata,
                  reminderRepeatDays: doc.reminderRepeatDays,
                  ...(doc.encryptedValue
                    ? {
@ -1967,7 +1938,6 @@ export const secretV2BridgeServiceFactory = ({
      await snapshotService.performSnapshot(destinationFolder.id);
      await secretQueueService.syncSecrets({
        projectId,
-        orgId: actorOrgId,
        secretPath: destinationFolder.path,
        environmentSlug: destinationFolder.environment.slug,
        actorId,
@ -1979,7 +1949,6 @@ export const secretV2BridgeServiceFactory = ({
      await snapshotService.performSnapshot(sourceFolder.id);
      await secretQueueService.syncSecrets({
        projectId,
-        orgId: actorOrgId,
        secretPath: sourceFolder.path,
        environmentSlug: sourceFolder.environment.slug,
        actorId,
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts
@ -7,8 +7,6 @@ import { SecretsOrderBy } from "@app/services/secret/secret-types";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";

-import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
-import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretV2BridgeDALFactory } from "./secret-v2-bridge-dal";
 import { TSecretVersionV2DALFactory } from "./secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "./secret-version-tag-dal";
@ -60,7 +58,6 @@ export type TCreateSecretDTO = TProjectPermission & {
  skipMultilineEncoding?: boolean;
  secretReminderRepeatDays?: number | null;
  secretReminderNote?: string | null;
-  secretMetadata?: ResourceMetadataDTO;
 };

 export type TUpdateSecretDTO = TProjectPermission & {
@ -78,7 +75,6 @@ export type TUpdateSecretDTO = TProjectPermission & {
  metadata?: {
    source?: string;
  };
-  secretMetadata?: ResourceMetadataDTO;
 };

 export type TDeleteSecretDTO = TProjectPermission & {
@ -98,7 +94,6 @@ export type TCreateManySecretDTO = Omit<TProjectPermission, "projectId"> & {
    secretComment?: string;
    skipMultilineEncoding?: boolean;
    tagIds?: string[];
-    secretMetadata?: ResourceMetadataDTO;
    metadata?: {
      source?: string;
    };
@ -118,7 +113,6 @@ export type TUpdateManySecretDTO = Omit<TProjectPermission, "projectId"> & {
    tagIds?: string[];
    secretReminderRepeatDays?: number | null;
    secretReminderNote?: string | null;
-    secretMetadata?: ResourceMetadataDTO;
  }[];
 };

@ -142,16 +136,8 @@ export type TSecretReference = { environment: string; secretPath: string; secret

 export type TFnSecretBulkInsert = {
  folderId: string;
-  orgId: string;
  tx?: Knex;
-  inputSecrets: Array<
-    Omit<TSecretsV2Insert, "folderId"> & {
-      tagIds?: string[];
-      references: TSecretReference[];
-      secretMetadata?: ResourceMetadataDTO;
-    }
-  >;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany">;
+  inputSecrets: Array<Omit<TSecretsV2Insert, "folderId"> & { tagIds?: string[]; references: TSecretReference[] }>;
  secretDAL: Pick<TSecretV2BridgeDALFactory, "insertMany" | "upsertSecretReferences">;
  secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2">;
@ -170,12 +156,10 @@ type TRequireReferenceIfValue =

 export type TFnSecretBulkUpdate = {
  folderId: string;
-  orgId: string;
  inputSecrets: {
    filter: Partial<TSecretsV2>;
-    data: TRequireReferenceIfValue & { tags?: string[]; secretMetadata?: ResourceMetadataDTO };
+    data: TRequireReferenceIfValue & { tags?: string[] };
  }[];
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
  secretDAL: Pick<TSecretV2BridgeDALFactory, "bulkUpdate" | "upsertSecretReferences">;
  secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "deleteTagsToSecretV2">;
--- a/backend/src/services/secret/secret-fns.ts
+++ b/backend/src/services/secret/secret-fns.ts
@ -749,8 +749,7 @@ export const createManySecretsRawFnFactory = ({
  secretVersionV2BridgeDAL,
  secretV2BridgeDAL,
  secretVersionTagV2BridgeDAL,
-  kmsService,
-  resourceMetadataDAL
+  kmsService
 }: TCreateManySecretsRawFnFactory) => {
  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
  const createManySecretsRawFn = async ({
@ -761,7 +760,7 @@ export const createManySecretsRawFnFactory = ({
    userId
  }: TCreateManySecretsRawFn) => {
    const { botKey, shouldUseSecretV2Bridge } = await getBotKeyFn(projectId);
-    const project = await projectDAL.findById(projectId);
+
    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder)
      throw new NotFoundError({
@ -815,9 +814,7 @@ export const createManySecretsRawFnFactory = ({
            tagIds: el.tags
          })),
          folderId,
-          orgId: project.orgId,
          secretDAL: secretV2BridgeDAL,
-          resourceMetadataDAL,
          secretVersionDAL: secretVersionV2BridgeDAL,
          secretTagDAL,
          secretVersionTagDAL: secretVersionTagV2BridgeDAL,
@ -912,7 +909,6 @@ export const updateManySecretsRawFnFactory = ({
  secretVersionTagV2BridgeDAL,
  secretVersionV2BridgeDAL,
  secretV2BridgeDAL,
-  resourceMetadataDAL,
  kmsService
 }: TUpdateManySecretsRawFnFactory) => {
  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
@ -924,7 +920,6 @@ export const updateManySecretsRawFnFactory = ({
    userId
  }: TUpdateManySecretsRawFn): Promise<Array<{ id: string }>> => {
    const { botKey, shouldUseSecretV2Bridge } = await getBotKeyFn(projectId);
-    const project = await projectDAL.findById(projectId);

    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder)
@ -993,13 +988,11 @@ export const updateManySecretsRawFnFactory = ({
      const updatedSecrets = await secretDAL.transaction(async (tx) =>
        fnSecretV2BridgeBulkUpdate({
          folderId,
-          orgId: project.orgId,
          tx,
          inputSecrets: inputSecrets.map((el) => ({
            filter: { id: secretsToUpdateInDBGroupedByKey[el.key][0].id, type: SecretType.Shared },
            data: el
          })),
-          resourceMetadataDAL,
          secretDAL: secretV2BridgeDAL,
          secretVersionDAL: secretVersionV2BridgeDAL,
          secretTagDAL,
--- a/backend/src/services/secret/secret-queue.ts
+++ b/backend/src/services/secret/secret-queue.ts
@ -47,8 +47,6 @@ import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
-import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
-import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
 import { fnSecretsV2FromImports } from "../secret-import/secret-import-fns";
@ -106,7 +104,6 @@ type TSecretQueueFactoryDep = {
  auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
  orgService: Pick<TOrgServiceFactory, "addGhostUser">;
  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create">;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };

 export type TGetSecrets = {
@ -123,12 +120,7 @@ export const uniqueSecretQueueKey = (environment: string, secretPath: string) =>

 type TIntegrationSecret = Record<
  string,
-  {
-    value: string;
-    comment?: string;
-    skipMultilineEncoding?: boolean | null | undefined;
-    secretMetadata?: ResourceMetadataDTO;
-  }
+  { value: string; comment?: string; skipMultilineEncoding?: boolean | null | undefined }
 >;

 // TODO(akhilmhdh): split this into multiple queue
@ -165,8 +157,7 @@ export const secretQueueFactory = ({
  auditLogService,
  orgService,
  projectUserMembershipRoleDAL,
-  projectKeyDAL,
-  resourceMetadataDAL
+  projectKeyDAL
 }: TSecretQueueFactoryDep) => {
  const integrationMeter = opentelemetry.metrics.getMeter("Integrations");
  const errorHistogram = integrationMeter.createHistogram("integration_secret_sync_errors", {
@ -315,8 +306,7 @@ export const secretQueueFactory = ({
    kmsService,
    secretVersionV2BridgeDAL,
    secretV2BridgeDAL,
-    secretVersionTagV2BridgeDAL,
-    resourceMetadataDAL
+    secretVersionTagV2BridgeDAL
  });

  const updateManySecretsRawFn = updateManySecretsRawFnFactory({
@ -331,8 +321,7 @@ export const secretQueueFactory = ({
    kmsService,
    secretVersionV2BridgeDAL,
    secretV2BridgeDAL,
-    secretVersionTagV2BridgeDAL,
-    resourceMetadataDAL
+    secretVersionTagV2BridgeDAL
  });

  /**
@ -383,7 +372,6 @@ export const secretQueueFactory = ({
        }

        content[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
-        content[secretKey].secretMetadata = secret.secretMetadata;
      })
    );

@ -409,8 +397,7 @@ export const secretQueueFactory = ({
          content[importedSecret.key] = {
            skipMultilineEncoding: importedSecret.skipMultilineEncoding,
            comment: importedSecret.secretComment,
-            value: importedSecret.secretValue || "",
-            secretMetadata: importedSecret.secretMetadata
+            value: importedSecret.secretValue || ""
          };
        }
      }
@ -610,7 +597,6 @@ export const secretQueueFactory = ({
      _depth: depth,
      secretPath,
      projectId,
-      orgId,
      environmentSlug: environment,
      excludeReplication,
      actorId,
@ -639,7 +625,6 @@ export const secretQueueFactory = ({
        _deDupeReplicationQueue: deDupeReplicationQueue,
        _depth: depth,
        projectId,
-        orgId,
        secretPath,
        actorId,
        actor,
@ -696,7 +681,6 @@ export const secretQueueFactory = ({
      if (!folder) {
        throw new Error("Secret path not found");
      }
-      const project = await projectDAL.findById(projectId);

      // find all imports made with the given environment and secret path
      const linkSourceDto = {
@ -731,7 +715,6 @@ export const secretQueueFactory = ({
            .map(({ folderId }) =>
              syncSecrets({
                projectId,
-                orgId: project.orgId,
                secretPath: foldersGroupedById[folderId][0]?.path as string,
                environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
                _deDupeQueue: deDupeQueue,
@ -784,7 +767,6 @@ export const secretQueueFactory = ({
            .map((folderId) =>
              syncSecrets({
                projectId,
-                orgId: project.orgId,
                secretPath: referencedFoldersGroupedById[folderId][0]?.path as string,
                environmentSlug: referencedFoldersGroupedById[folderId][0]?.environmentSlug as string,
                _deDupeQueue: deDupeQueue,
@ -971,8 +953,6 @@ export const secretQueueFactory = ({
              });
            }

-            const { secretKey } = (err as { secretKey: string }) || {};
-
            const message =
              // eslint-disable-next-line no-nested-ternary
              (err instanceof AxiosError
@ -981,8 +961,6 @@ export const secretQueueFactory = ({
                  : err?.message
                : (err as Error)?.message) || "Unknown error occurred.";

-            const errorLog = `${secretKey ? `[Secret Key: ${secretKey}] ` : ""}${message}`;
-
            await auditLogService.createAuditLog({
              projectId,
              actor: await $generateActor(actorId, isManual),
@ -993,7 +971,7 @@ export const secretQueueFactory = ({
                  isSynced: false,
                  lastSyncJobId: job?.id ?? "",
                  lastUsed: new Date(),
-                  syncMessage: errorLog
+                  syncMessage: message
                }
              }
            });
@ -1005,13 +983,13 @@ export const secretQueueFactory = ({

            await integrationDAL.updateById(integration.id, {
              lastSyncJobId: job.id,
-              syncMessage: errorLog,
+              syncMessage: message,
              isSynced: false
            });

            integrationsFailedToSync.push({
              integrationId: integration.id,
-              syncMessage: errorLog
+              syncMessage: message
            });
          }
        }
--- a/backend/src/services/secret/secret-service.ts
+++ b/backend/src/services/secret/secret-service.ts
@ -11,7 +11,6 @@ import {
  SecretsSchema,
  SecretType
 } from "@app/db/schemas";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@ -70,7 +69,6 @@ import {
  TDeleteSecretRawDTO,
  TGetASecretDTO,
  TGetASecretRawDTO,
-  TGetSecretAccessListDTO,
  TGetSecretsDTO,
  TGetSecretsRawDTO,
  TGetSecretVersionsDTO,
@ -96,7 +94,7 @@ type TSecretServiceFactoryDep = {
  >;
  secretV2BridgeService: TSecretV2BridgeServiceFactory;
  secretBlindIndexDAL: TSecretBlindIndexDALFactory;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getProjectPermissions">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
  secretQueueService: Pick<
    TSecretQueueFactory,
@ -115,7 +113,6 @@ type TSecretServiceFactoryDep = {
    TSecretApprovalRequestSecretDALFactory,
    "insertMany" | "insertApprovalSecretTags"
  >;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };

 export type TSecretServiceFactory = ReturnType<typeof secretServiceFactory>;
@ -137,8 +134,7 @@ export const secretServiceFactory = ({
  secretApprovalRequestDAL,
  secretApprovalRequestSecretDAL,
  secretV2BridgeService,
-  secretApprovalRequestService,
-  licenseService
+  secretApprovalRequestService
 }: TSecretServiceFactoryDep) => {
  const getSecretReference = async (projectId: string) => {
    // if bot key missing means e2e still exist
@ -292,7 +288,6 @@ export const secretServiceFactory = ({
        actorId,
        actor,
        projectId,
-        orgId: actorOrgId,
        environmentSlug: folder.environment.slug
      });
    }
@ -434,7 +429,6 @@ export const secretServiceFactory = ({
      await snapshotService.performSnapshot(folderId);
      await secretQueueService.syncSecrets({
        secretPath: path,
-        orgId: actorOrgId,
        actorId,
        actor,
        projectId,
@ -532,7 +526,6 @@ export const secretServiceFactory = ({
        actorId,
        actor,
        projectId,
-        orgId: actorOrgId,
        environmentSlug: folder.environment.slug
      });
    }
@ -827,7 +820,6 @@ export const secretServiceFactory = ({
      actorId,
      secretPath: path,
      projectId,
-      orgId: actorOrgId,
      environmentSlug: folder.environment.slug
    });

@ -936,7 +928,6 @@ export const secretServiceFactory = ({
      actorId,
      secretPath: path,
      projectId,
-      orgId: actorOrgId,
      environmentSlug: folder.environment.slug
    });

@ -1023,7 +1014,6 @@ export const secretServiceFactory = ({
      actorId,
      secretPath: path,
      projectId,
-      orgId: actorOrgId,
      environmentSlug: folder.environment.slug
    });

@ -1157,71 +1147,6 @@ export const secretServiceFactory = ({
    return secretV2BridgeService.getSecretReferenceTree(dto);
  };

-  const getSecretAccessList = async (dto: TGetSecretAccessListDTO) => {
-    const { environment, secretPath, secretName, projectId } = dto;
-    const plan = await licenseService.getPlan(dto.actorOrgId);
-    if (!plan.secretAccessInsights) {
-      throw new BadRequestError({
-        message: "Failed to fetch secret access list due to plan restriction. Upgrade your plan."
-      });
-    }
-
-    const secret = await secretV2BridgeService.getSecretByName({
-      actor: dto.actor,
-      actorId: dto.actorId,
-      actorOrgId: dto.actorOrgId,
-      actorAuthMethod: dto.actorAuthMethod,
-      projectId,
-      secretName,
-      path: secretPath,
-      environment,
-      type: "shared"
-    });
-
-    const { userPermissions, identityPermissions, groupPermissions } = await permissionService.getProjectPermissions(
-      dto.projectId
-    );
-
-    const attachAllowedActions = (
-      entityPermission:
-        | (typeof userPermissions)[number]
-        | (typeof identityPermissions)[number]
-        | (typeof groupPermissions)[number]
-    ) => {
-      const allowedActions = [
-        ProjectPermissionActions.Read,
-        ProjectPermissionActions.Delete,
-        ProjectPermissionActions.Create,
-        ProjectPermissionActions.Edit
-      ].filter((action) =>
-        entityPermission.permission.can(
-          action,
-          subject(ProjectPermissionSub.Secrets, {
-            environment,
-            secretPath,
-            secretName,
-            secretTags: secret?.tags?.map((el) => el.slug)
-          })
-        )
-      );
-
-      return {
-        ...entityPermission,
-        allowedActions
-      };
-    };
-
-    const usersWithAccess = userPermissions.map(attachAllowedActions).filter((user) => user.allowedActions.length > 0);
-    const identitiesWithAccess = identityPermissions
-      .map(attachAllowedActions)
-      .filter((identity) => identity.allowedActions.length > 0);
-    const groupsWithAccess = groupPermissions
-      .map(attachAllowedActions)
-      .filter((group) => group.allowedActions.length > 0);
-
-    return { users: usersWithAccess, identities: identitiesWithAccess, groups: groupsWithAccess };
-  };
-
  const getSecretsRaw = async ({
    projectId,
    path,
@ -1460,8 +1385,7 @@ export const secretServiceFactory = ({
    skipMultilineEncoding,
    tagIds,
    secretReminderNote,
-    secretReminderRepeatDays,
-    secretMetadata
+    secretReminderRepeatDays
  }: TCreateSecretRawDTO) => {
    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    const policy =
@ -1488,8 +1412,7 @@ export const secretServiceFactory = ({
                secretValue,
                tagIds,
                reminderNote: secretReminderNote,
-                reminderRepeatDays: secretReminderRepeatDays,
-                secretMetadata
+                reminderRepeatDays: secretReminderRepeatDays
              }
            ]
          }
@ -1512,8 +1435,7 @@ export const secretServiceFactory = ({
        tagIds,
        secretReminderNote,
        skipMultilineEncoding,
-        secretReminderRepeatDays,
-        secretMetadata
+        secretReminderRepeatDays
      });
      return { secret, type: SecretProtectionType.Direct as const };
    }
@ -1603,8 +1525,7 @@ export const secretServiceFactory = ({
    secretReminderRepeatDays,
    metadata,
    secretComment,
-    newSecretName,
-    secretMetadata
+    newSecretName
  }: TUpdateSecretRawDTO) => {
    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    const policy =
@ -1632,8 +1553,7 @@ export const secretServiceFactory = ({
                secretValue,
                tagIds,
                reminderNote: secretReminderNote,
-                reminderRepeatDays: secretReminderRepeatDays,
-                secretMetadata
+                reminderRepeatDays: secretReminderRepeatDays
              }
            ]
          }
@ -1657,8 +1577,7 @@ export const secretServiceFactory = ({
        secretName,
        newSecretName,
        metadata,
-        secretValue,
-        secretMetadata
+        secretValue
      });
      return { type: SecretProtectionType.Direct as const, secret };
    }
@ -1874,8 +1793,7 @@ export const secretServiceFactory = ({
              secretComment: el.secretComment,
              metadata: el.metadata,
              skipMultilineEncoding: el.skipMultilineEncoding,
-              secretKey: el.secretKey,
-              secretMetadata: el.secretMetadata
+              secretKey: el.secretKey
            }))
          }
        });
@ -2001,8 +1919,7 @@ export const secretServiceFactory = ({
              secretValue: el.secretValue,
              secretComment: el.secretComment,
              skipMultilineEncoding: el.skipMultilineEncoding,
-              secretKey: el.secretKey,
-              secretMetadata: el.secretMetadata
+              secretKey: el.secretKey
            }))
          }
        });
@ -2345,7 +2262,6 @@ export const secretServiceFactory = ({
    await secretQueueService.syncSecrets({
      secretPath,
      projectId: project.id,
-      orgId: project.orgId,
      environmentSlug: environment,
      excludeReplication: true
    });
@ -2454,7 +2370,6 @@ export const secretServiceFactory = ({
    await secretQueueService.syncSecrets({
      secretPath,
      projectId: project.id,
-      orgId: project.orgId,
      environmentSlug: environment,
      excludeReplication: true
    });
@ -2913,7 +2828,6 @@ export const secretServiceFactory = ({
      await snapshotService.performSnapshot(destinationFolder.id);
      await secretQueueService.syncSecrets({
        projectId: project.id,
-        orgId: project.orgId,
        secretPath: destinationFolder.path,
        environmentSlug: destinationFolder.environment.slug,
        actorId,
@ -2925,7 +2839,6 @@ export const secretServiceFactory = ({
      await snapshotService.performSnapshot(sourceFolder.id);
      await secretQueueService.syncSecrets({
        projectId: project.id,
-        orgId: project.orgId,
        secretPath: sourceFolder.path,
        environmentSlug: sourceFolder.environment.slug,
        actorId,
@ -3015,7 +2928,6 @@ export const secretServiceFactory = ({
    getSecretsCountMultiEnv,
    getSecretsRawMultiEnv,
    getSecretReferenceTree,
-    getSecretsRawByFolderMappings,
-    getSecretAccessList
+    getSecretsRawByFolderMappings
  };
 };
--- a/backend/src/services/secret/secret-types.ts
+++ b/backend/src/services/secret/secret-types.ts
@ -14,8 +14,6 @@ import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";

 import { ActorType } from "../auth/auth-type";
 import { TKmsServiceFactory } from "../kms/kms-service";
-import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
-import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
 import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "../secret-v2-bridge/secret-version-tag-dal";
@ -190,12 +188,6 @@ export type TGetSecretsRawDTO = {
  keys?: string[];
 } & TProjectPermission;

-export type TGetSecretAccessListDTO = {
-  environment: string;
-  secretPath: string;
-  secretName: string;
-} & TProjectPermission;
-
 export type TGetASecretRawDTO = {
  secretName: string;
  path: string;
@ -219,7 +211,6 @@ export type TCreateSecretRawDTO = TProjectPermission & {
  skipMultilineEncoding?: boolean;
  secretReminderRepeatDays?: number | null;
  secretReminderNote?: string | null;
-  secretMetadata?: ResourceMetadataDTO;
 };

 export type TUpdateSecretRawDTO = TProjectPermission & {
@ -237,7 +228,6 @@ export type TUpdateSecretRawDTO = TProjectPermission & {
  metadata?: {
    source?: string;
  };
-  secretMetadata?: ResourceMetadataDTO;
 };

 export type TDeleteSecretRawDTO = TProjectPermission & {
@ -258,7 +248,6 @@ export type TCreateManySecretRawDTO = Omit<TProjectPermission, "projectId"> & {
    secretComment?: string;
    skipMultilineEncoding?: boolean;
    tagIds?: string[];
-    secretMetadata?: ResourceMetadataDTO;
    metadata?: {
      source?: string;
    };
@ -277,7 +266,6 @@ export type TUpdateManySecretRawDTO = Omit<TProjectPermission, "projectId"> & {
    secretComment?: string;
    skipMultilineEncoding?: boolean;
    tagIds?: string[];
-    secretMetadata?: ResourceMetadataDTO;
    secretReminderRepeatDays?: number | null;
    secretReminderNote?: string | null;
  }[];
@ -305,13 +293,7 @@ export type TSecretReference = { environment: string; secretPath: string };
 export type TFnSecretBulkInsert = {
  folderId: string;
  tx?: Knex;
-  inputSecrets: Array<
-    Omit<TSecretsInsert, "folderId"> & {
-      tags?: string[];
-      references?: TSecretReference[];
-      secretMetadata?: ResourceMetadataDTO;
-    }
-  >;
+  inputSecrets: Array<Omit<TSecretsInsert, "folderId"> & { tags?: string[]; references?: TSecretReference[] }>;
  secretDAL: Pick<TSecretDALFactory, "insertMany" | "upsertSecretReferences">;
  secretVersionDAL: Pick<TSecretVersionDALFactory, "insertMany">;
  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecret">;
@ -407,7 +389,6 @@ export type TCreateManySecretsRawFnFactory = {
  >;
  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
  secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany">;
 };

 export type TCreateManySecretsRawFn = {
@ -444,7 +425,6 @@ export type TUpdateManySecretsRawFnFactory = {
  >;
  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
  secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };

 export type TUpdateManySecretsRawFn = {
@ -480,7 +460,6 @@ export type TSyncSecretsDTO<T extends boolean = false> = {
  _depth?: number;
  secretPath: string;
  projectId: string;
-  orgId: string;
  environmentSlug: string;
  // cases for just doing sync integration and webhook
  excludeReplication?: T;
--- a/backend/src/services/slack/slack-fns.ts
+++ b/backend/src/services/slack/slack-fns.ts
@ -51,7 +51,7 @@ const buildSlackPayload = (notification: TSlackNotification) => {
 *Environment*: ${payload.environment}
 *Secret path*: ${payload.secretPath || "/"}

-View the complete details <${appCfg.SITE_URL}/secret-manager/${payload.projectId}/approval?requestId=${
+View the complete details <${appCfg.SITE_URL}/project/${payload.projectId}/approval?requestId=${
        payload.requestId
      }|here>.`;

--- a/cli/packages/cmd/run.go
+++ b/cli/packages/cmd/run.go
@ -419,23 +419,22 @@ func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInt

 	for {
 		<-recheckSecretsChannel
-		func() {
-			watchMutex.Lock()
-			defer watchMutex.Unlock()
+		watchMutex.Lock()

-			newEnvironmentVariables, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, token)
-			if err != nil {
-				log.Error().Err(err).Msg("[HOT RELOAD] Failed to fetch secrets")
-				return
-			}
+		newEnvironmentVariables, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, token)
+		if err != nil {
+			log.Error().Err(err).Msg("[HOT RELOAD] Failed to fetch secrets")
+			continue
+		}

-			if newEnvironmentVariables.ETag != currentETag {
-				runCommandWithWatcher(newEnvironmentVariables)
-			} else {
-				log.Debug().Msg("[HOT RELOAD] No changes detected in secrets, not reloading process")
-			}
+		if newEnvironmentVariables.ETag != currentETag {
+			runCommandWithWatcher(newEnvironmentVariables)
+		} else {
+			log.Debug().Msg("[HOT RELOAD] No changes detected in secrets, not reloading process")
+		}
+
+		watchMutex.Unlock()

-		}()
 	}
 }

--- a/company/documentation/engineering/oncall-summery-template.mdx
+++ b/company/documentation/engineering/oncall-summery-template.mdx
@ -1,22 +0,0 @@
---
-title: "On call summary template"
-sidebarTitle: "Summary template"
---
-
-```plain
-Date: MM/DD/YY-MM/DD/YY
-
-Notable incidents:
-  [<open/resolved>] <details of the incident including who was impacted. what you did to mitigate/patch the issue>
-    - Action items:
-        - <what can we do to prevent this from happening in the future?> 
-
-Notable support:
- [Customer company name] <details of the support inquiry>
-    - Action items:
-        - <what actions should be taken/has been taken to resolve this>
-        - <what can we do to prevent this from happening in the future?> 
-
-Comments:
-<Any comments you have from your on call shift. Were there any pain points you experienced, etc?>
-```
--- a/company/documentation/engineering/oncall.mdx
+++ b/company/documentation/engineering/oncall.mdx
@ -1,77 +0,0 @@
---
-title: "On call rotation"
-sidebarTitle: "On call rotation"
-description: "Learn about call rotation at Infisical"
---
-
-Infisical is mission-critical software, which means minimizing service disruptions is a top priority. 
-To make sure we can react to any issues that come up, we have an on-call rotation that helps us to provide responsive, 24x7x365 support to our customers. 
-Being part of the on-call rotation is an opportunity to deepen the understanding of our infrastructure, deployment pipelines, and customer-facing systems. 
-Having this broader understanding of our system not only helps us design better software but also enhances the overall stability of our platform. 
-
-### On-Call Overview
-
-**Rotation Details**
-
-Each engineer will be on call once a week, from **Thursday to Thursday**, including weekends. 
-During this time, the on-call engineer is expected to be available at all times to respond to service disruption alerts.
-
-While being on call, you are responsible for acting as the first line of defense for critical incidents and answering customer support inquiries. 
-During your working hours, you must respond to all support tickets or involve relevant team members with sufficient context. 
-Outside of working hours, you are expected to be available for any high-severity pager alerts and critical support inquiries by customers.
-
-### Responsibilities While On Call
-
-During your working hours, prioritize the following in this order:
-
-1. **Responding to Alerts:**
-    - Monitor and respond promptly to all PagerDuty alerts.
-    - Investigate incidents, determine root causes, and mitigate issues.
-    - Refer to runbooks or any relevant documentation to resolve alarms quickly.
-2. **Customer Support:**
-    - Actively monitor all support inquiries in [**Pylon**](https://app.usepylon.com/issues) and respond to incoming tickets.
-    - Debug and resolve customer issues. If you encounter a problem outside your expertise, collaborate with the relevant teammates to resolve it. This is an opportunity to learn and build context for future incidents.
-3. **Sprint work:**
-    - Since the current on-call workload does not require all of your working hours, you are expected to work on the sprint items assigned to you. 
-      If the on-call workload increases significantly, inform Maidul to make adjustments.
-4. **Continuous Improvement:**
-    - Take note of recurring patterns, inefficiencies, and opportunities where we can automate to reduce on-call burdens in the future.
-
-<Warning>
-    Outside of working hours, you are expected to be available and respond to any high-severity pager alerts and critical support inquiries by customers.
-</Warning>
-
-### Before You Get On Call
-
- **Set Up PagerDuty:** Ensure you have the PagerDuty mobile app installed, configured, and notifications enabled for Infisical services.
- **Access Required Tools:** Verify access to internal network, runbooks on Notion, [https://grafana.infisical.com](https://grafana.infisical.com/), access to aws accounts and any other access you may require.
- **AWS Permissions:** You will be granted sufficient AWS permissions before the start of your on-call shift in case you need to access production accounts.
-
-### At the End of Your Shift
-
- Post an on-call summary in the Slack channel `#on-call-summaries` at the end of your shift using the following [template](/documentation/engineering/oncall-summery-template). Include notable findings, support inquires and incidents you encountered. 
-  This will helps the rest of the team stay in the loop and open discussions on how to prevent similar issues in the future.
- Do a **handoff meeting/slack huddle** with the next engineer on call to summarize any outstanding work, unresolved issues, or any incidents that require follow-up. Ensure the next on-call engineer is fully briefed so they can pick up where you left off. **Include Maidul in this hand off call.**
-
-### When to escalate an incident
-
-If you are paged for incident that you cannot resolve after attempting to debug and mitigate the issue, you should not hesitate to escalate and page others in. 
-It’s better to get help sooner rather than later to minimize the impact on customers. 
-
- **Paging relevant teammate:** If you’ve tried resolving an issue on your own and need additional help, page another engineer who might be relevant through PagerDuty.
- **Escalating to Maidul:** You can page Maidul at any time if you think it would be helpful.
-
-### How to be successful on you rotations
-
- Be on top of all changes that get merged into main. This will help you be aware of any changes that might cause issues.
- When responding to support inquiries, double check your replies and make sure they are well written and typo-free. Always acknowledge inquiries quickly to make customers feel valued, and suggest a meeting or huddle if you need more clarity on their issues.
- When customers raise support inquiries, always consider what could have been done to make the inquiry self-serve. Could adding a tooltip next to the relevant feature provide clarity? Maybe the documentation could be more detailed or better organized?
- Document all of your notable support/findings/incidents/feature requests during on call so that it is easy to create your on call summary at the end of your on call shift.
-
-### Resources
-
- [Pylon for support tickets](https://app.usepylon.com/issues)
- [AWS Portal](https://infisical.awsapps.com/start/)
- [View metrics on Grafana](https://grafana.infisical.com/)
- [Run books](https://www.notion.so/Runbooks-19e534883d6b4621b8c712194edbb687?pvs=21)
- [On call summary template](/documentation/engineering/oncall-summery-template)
--- a/company/handbook/onboarding.mdx
+++ b/company/handbook/onboarding.mdx
@ -19,7 +19,7 @@ Every new joiner has an onboarding buddy who should ideally be in the the same t
 1. Join the weekly all-hands meeting. It typically happens on Monday's at 8:30am PT.
 2. Ship something together on day one – even if tiny! It feels great to hit the ground running, with a development environment all ready to go.
 3. Check out the [Areas of Responsibility (AoR) Table](https://docs.google.com/spreadsheets/d/1RnXlGFg83Sgu0dh7ycuydsSobmFfI3A0XkGw7vrVxEI/edit?usp=sharing). This is helpful to know who you can ask about particular areas of Infisical. Feel free to add yourself to the areas you'd be most interesting to dive into.
-4. Read the [Infisical Strategy Doc](https://docs.google.com/document/d/1uV9IaahYwbZ5OuzDTFdQMSa1P0mpMOnetGB-xqf4G40).
+4. Read the [Infisical Strategy Doc](https://docs.google.com/document/d/1RaJd3RoS2QpWLFHlgfHaXnHqCCwRt6mCGZkbJ75J_D0/edit?usp=sharing).
 5. Update your LinkedIn profile with one of [Infisical's official banners](https://drive.google.com/drive/u/0/folders/1oSNWjbpRl9oNYwxM_98IqzKs9fAskrb2) (if you want to). You can also coordinate your social posts in the #marketing Slack channel, so that we can boost it from Infisical's official social media accounts.
 6. Over the first few weeks, feel free to schedule 1:1s with folks on the team to get to know them a bit better.
 7. Change your Slack username in the users channel to `[NAME] (Infisical)`.
--- a/company/mint.json
+++ b/company/mint.json
@ -62,13 +62,7 @@
        "handbook/time-off",
        "handbook/hiring",
        "handbook/meetings",
-        "handbook/talking-to-customers",
-        {
-          "group": "Engineering",
-          "pages": [
-            "documentation/engineering/oncall"
-          ]
-        }
+        "handbook/talking-to-customers"
      ]
    }
  ],
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@ -144,6 +144,9 @@ services:
      - ./frontend/src:/app/src/ # mounted whole src to avoid missing reload on new files
      - ./frontend/public:/app/public
    env_file: .env
+    environment:
+      - NEXT_PUBLIC_ENV=development
+      - INFISICAL_TELEMETRY_ENABLED=false

  pgadmin:
    image: dpage/pgadmin4
--- a/docs/changelog/overview.mdx
+++ b/docs/changelog/overview.mdx
@ -4,27 +4,6 @@ title: "Changelog"

 The changelog below reflects new product developments and updates on a monthly basis.

-## December 2024
- Added [GCP KMS](https://infisical.com/docs/documentation/platform/kms/overview) integration support.
- Added support for [K8s CSI integration](https://infisical.com/docs/integrations/platforms/kubernetes-csi) and ability to point K8s operator to specific secret versions.
- Fixed [Java SDK](https://github.com/Infisical/java-sdk) compatibility issues with Alpine Linux.
- Fixed SCIM group role assignment issues.
- Added Group View Page for improved team management.
- Added instance URL to email verification for Infisical accounts.
- Added ability to copy full path of nested folders.
- Added custom templating support for K8s operator, allowing flexible secret key mapping and additional fields
- Optimized secrets versions table performance.
-
-## November 2024
- Improved EnvKey migration functionality with support for Blocks, Inheritance, and Branches.
- Added [Hardware Security Module (HSM) Encryption](https://infisical.com/docs/documentation/platform/kms/hsm-integration) support.
- Updated permissions handling in [Infisical Terraform Provider](https://registry.terraform.io/providers/Infisical/infisical/latest/docs) to use lists instead of sets.
- Enhanced [SCIM](https://infisical.com/docs/documentation/platform/scim/overview) implementation to remove SAML dependency.
- Enhanced [OIDC Authentication](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general) implementation and added Default Org Slug support.
- Added support for multiple authentication methods per identity.
- Added AWS Parameter Store integration sync improvements.
- Added new screen and API for managing additional privileges.
- Added Dynamic Secrets support for SQL Server.

 ## October 2024
 - Significantly improved performance of audit log operations in UI. 
--- a/docs/documentation/platform/dynamic-secrets/overview.mdx
+++ b/docs/documentation/platform/dynamic-secrets/overview.mdx
@ -4,13 +4,6 @@ sidebarTitle: "Overview"
 description: "Learn how to generate secrets dynamically on-demand."
 ---

-<Info>
-    Note that Dynamic Secrets is a paid feature.
-
-    If you're using Infisical Cloud, then it is available under the **Enterprise Tier** 
-    If you're self-hosting Infisical, then you should contact sales@infisical.com to purchase an enterprise license to use it.
-</Info>
-
 ## Introduction

 Contrary to static key-value secrets, which require manual input of data into the secure Infisical storage, **dynamic secrets are generated on-demand upon access**. 
--- a/docs/documentation/platform/pr-workflows.mdx
+++ b/docs/documentation/platform/pr-workflows.mdx
@ -3,13 +3,6 @@ title: "Approval Workflows"
 description: "Learn how to enable a set of policies to manage changes to sensitive secrets and environments."
 ---

-<Info>
-    Approval Workflows is a paid feature.
-   
-    If you're using Infisical Cloud, then it is available under the **Pro Tier** and **Enterprise Tire**. 
-    If you're self-hosting Infisical, then you should contact sales@infisical.com to purchase an enterprise license to use it.
-</Info>
-
 ## Problem at hand

 Updating secrets in high-stakes environments (e.g., production) can have a number of problematic issues: 
@ -47,4 +40,4 @@ When a user submits a change to an enviropnment that is under a particular polic

 Approvers are notified by email and/or Slack as soon as the request is initiated. In the Infisical Dashboard, they will be able to `approve` and `merge` (or `deny`) a request for a change in a particular environment. After that, depending on the workflows setup, the change will be automatically propagated to the right applications (e.g., using [Infisical Kubernetes Operator](https://infisical.com/docs/integrations/platforms/kubernetes)).

-![secrets update pull request](../../images/platform/pr-workflows/secret-update-pr.png)
+![secrets update pull request](../../images/platform/pr-workflows/secret-update-pr.png)
--- a/docs/documentation/platform/scim/azure.mdx
+++ b/docs/documentation/platform/scim/azure.mdx
@ -15,7 +15,7 @@ Prerequisites:

 <Steps>
    <Step title="Create a SCIM token in Infisical">
-        In Infisical, head to your Organization Settings > Security > SCIM Configuration and
+        In Infisical, head to your Organization Settings > Authentication > SCIM Configuration and
        press the **Enable SCIM provisioning** toggle to allow Azure to provision/deprovision users for your organization.
        
        ![SCIM enable provisioning](/images/platform/scim/scim-enable-provisioning.png)
--- a/docs/documentation/platform/scim/jumpcloud.mdx
+++ b/docs/documentation/platform/scim/jumpcloud.mdx
@ -15,7 +15,7 @@ Prerequisites:

 <Steps>
    <Step title="Create a SCIM token in Infisical">
-        In Infisical, head to your Organization Settings > Security > SCIM Configuration and
+        In Infisical, head to your Organization Settings > Authentication > SCIM Configuration and
        press the **Enable SCIM provisioning** toggle to allow JumpCloud to provision/deprovision users and user groups for your organization.
        
        ![SCIM enable provisioning](/images/platform/scim/scim-enable-provisioning.png)
--- a/docs/documentation/platform/scim/okta.mdx
+++ b/docs/documentation/platform/scim/okta.mdx
@ -15,7 +15,7 @@ Prerequisites:

 <Steps>
    <Step title="Create a SCIM token in Infisical">
-        In Infisical, head to your Organization Settings > Security > SCIM Configuration and
+        In Infisical, head to your Organization Settings > Authentication > SCIM Configuration and
        press the **Enable SCIM provisioning** toggle to allow Okta to provision/deprovision users and user groups for your organization.
        
        ![SCIM enable provisioning](/images/platform/scim/scim-enable-provisioning.png)
--- a/docs/documentation/platform/sso/auth0-saml.mdx
+++ b/docs/documentation/platform/sso/auth0-saml.mdx
@ -1,93 +0,0 @@
---
-title: "Auth0 SAML"
-description: "Learn how to configure Auth0 SAML for Infisical SSO."
---
-
-<Info>
-  Auth0 SAML SSO feature is a paid feature. If you're using Infisical Cloud,
-  then it is available under the **Pro Tier**. If you're self-hosting Infisical,
-  then you should contact sales@infisical.com to purchase an enterprise license
-  to use it.
-</Info>
-
-<Steps>
-   <Step title="Prepare the SAML SSO configuration in Infisical">
-        In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Auth0, then click **Connect** again.
-
-        Next, note the **Application Callback URL** and **Audience** to use when configuring the Auth0 SAML application.
-
-        ![Auth0 SAML initial configuration](../../../images/sso/auth0-saml/init-config.png)
-
-   </Step>
-   <Step title="Create a SAML application in Auth0">
-        2.1. In your Auth0 account, head to Applications and create an application.
-        
-        ![Auth0 SAML app creation](../../../images/sso/auth0-saml/create-application.png)
-        
-        Select **Regular Web Application** and press **Create**.
-        
-        ![Auth0 SAML app creation](../../../images/sso/auth0-saml/create-application-2.png)
-        
-        2.2. In the Application head to Settings > Application URIs and add the **Application Callback URL** from step 1 into the **Allowed Callback URLs** field.
-        
-        ![Auth0 SAML allowed callback URLs](../../../images/sso/auth0-saml/auth0-config.png)
-        
-        2.3. In the Application head to Addons > SAML2 Web App and copy the **Issuer**, **Identity Provider Login URL**, and **Identity Provider Certificate** from the **Usage** tab.
-        
-        ![Auth0 SAML config](../../../images/sso/auth0-saml/auth0-config-2.png)
-        
-        2.4. Back in Infisical, set **Issuer**, **Identity Provider Login URL**, and **Certificate** to the corresponding items from step 2.3.
-        
-        ![Auth0 SAML Infisical config](../../../images/sso/auth0-saml/infisical-config.png)
-        
-        2.5. Back in Auth0, in the **Settings** tab, set the **Application Callback URL** to the **Application Callback URL** from step 1
-        and update the **Settings** field with the JSON under the picture below (replacing `<audience-from-infisical>` with the **Audience** from step 1).
-        
-        ![Auth0 SAML config](../../../images/sso/auth0-saml/auth0-config-3.png)
-        
-        ```json
-        {
-        "audience": "<audience-from-infisical>",
-        "mappings": {
-            "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email",
-            "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName",
-            "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastName"
-        },
-        "signatureAlgorithm": "rsa-sha256",
-        "digestAlgorithm": "sha256",
-        "signResponse": true
-        }
-        ```
-
-        Click **Save**.
-    </Step>
-    <Step title="Enable SAML SSO in Infisical">
-        Enabling SAML SSO allows members in your organization to log into Infisical via Auth0.
-
-        ![Auth0 SAML enable](../../../images/sso/auth0-saml/enable-saml.png)
-    </Step>
-    <Step title="Enforce SAML SSO in Infisical">
-        Enforcing SAML SSO ensures that members in your organization can only access Infisical
-        by logging into the organization via Auth0.
-
-        To enforce SAML SSO, you're required to test out the SAML connection by successfully authenticating at least one Auth0 user with Infisical;
-        Once you've completed this requirement, you can toggle the **Enforce SAML SSO** button to enforce SAML SSO.
-    </Step>
-
-</Steps>
-
-<Tip>
-    If you are only using one organization on your Infisical instance, you can configure a default organization in the [Server Admin Console](../admin-panel/server-admin#default-organization) to expedite SAML login.
-</Tip>
-
-<Note>
-    If you're configuring SAML SSO on a self-hosted instance of Infisical, make
-    sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
-    work:
-    <div class="height:1px;"/>
-    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
-    can be a random 32-byte base64 string generated with `openssl rand -base64
-    32`.
-    <div class="height:1px;"/>
-    - `SITE_URL`: The absolute URL of your self-hosted instance of Infisical including the protocol (e.g. https://app.infisical.com)
-</Note>
--- a/docs/documentation/platform/sso/azure.mdx
+++ b/docs/documentation/platform/sso/azure.mdx
@ -12,7 +12,7 @@ description: "Learn how to configure Microsoft Entra ID for Infisical SSO."

 <Steps>
   <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Azure / Entra, then click **Connect** again.
+      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.

      Next, copy the **Reply URL (Assertion Consumer Service URL)** and **Identifier (Entity ID)** to use when configuring the Azure SAML application.

--- a/docs/documentation/platform/sso/google-saml.mdx
+++ b/docs/documentation/platform/sso/google-saml.mdx
@ -12,7 +12,7 @@ description: "Learn how to configure Google SAML for Infisical SSO."

 <Steps>
   <Step title="Prepare the SAML SSO configuration in Infisical">
-        In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Google, then click **Connect** again.
+        In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.

        Next, note the **ACS URL** and **SP Entity ID** to use when configuring the Google SAML application.

--- a/docs/documentation/platform/sso/jumpcloud.mdx
+++ b/docs/documentation/platform/sso/jumpcloud.mdx
@ -12,7 +12,7 @@ description: "Learn how to configure JumpCloud SAML for Infisical SSO."

 <Steps>
   <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select JumpCloud, then click **Connect** again.
+      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.

      Next, copy the **ACS URL** and **SP Entity ID** to use when configuring the JumpCloud SAML application.

--- a/docs/documentation/platform/sso/keycloak-saml.mdx
+++ b/docs/documentation/platform/sso/keycloak-saml.mdx
@ -12,7 +12,7 @@ description: "Learn how to configure Keycloak SAML for Infisical SSO."

 <Steps>
   <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Keycloak, then click **Connect** again.
+      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Manage**.
      
      ![Keycloak SAML organization security section](../../../images/sso/keycloak/org-security-section.png)
      
--- a/docs/documentation/platform/sso/okta.mdx
+++ b/docs/documentation/platform/sso/okta.mdx
@ -12,7 +12,7 @@ description: "Learn how to configure Okta SAML 2.0 for Infisical SSO."

 <Steps>
   <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Okta, then click **Connect** again.
+      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
      
      Next, copy the **Single sign-on URL** and **Audience URI (SP Entity ID)** to use when configuring the Okta SAML 2.0 application.
      ![Okta SAML initial configuration](../../../images/sso/okta/init-config.png)
--- a/docs/documentation/platform/sso/overview.mdx
+++ b/docs/documentation/platform/sso/overview.mdx
@ -28,7 +28,6 @@ Infisical supports these and many other identity providers:
 - [JumpCloud SAML](/documentation/platform/sso/jumpcloud)
 - [Keycloak SAML](/documentation/platform/sso/keycloak-saml)
 - [Google SAML](/documentation/platform/sso/google-saml)
- [Auth0 SAML](/documentation/platform/sso/auth0-saml)
 - [Keycloak OIDC](/documentation/platform/sso/keycloak-oidc)
 - [Auth0 OIDC](/documentation/platform/sso/auth0-oidc)
 - [General OIDC](/documentation/platform/sso/general-oidc)
--- a/docs/images/integrations/aws/integrations-aws-secret-manager-options.png
+++ b/docs/images/integrations/aws/integrations-aws-secret-manager-options.png
--- a/docs/images/integrations/azure-app-configuration/create-integration-form.png
+++ b/docs/images/integrations/azure-app-configuration/create-integration-form.png
--- a/docs/images/integrations/azure-key-vault/integrations-azure-key-vault-tenant-select.png
+++ b/docs/images/integrations/azure-key-vault/integrations-azure-key-vault-tenant-select.png
--- a/docs/images/sso/auth0-saml/auth0-config-2.png
+++ b/docs/images/sso/auth0-saml/auth0-config-2.png
--- a/docs/images/sso/auth0-saml/auth0-config-3.png
+++ b/docs/images/sso/auth0-saml/auth0-config-3.png
--- a/docs/images/sso/auth0-saml/auth0-config.png
+++ b/docs/images/sso/auth0-saml/auth0-config.png
--- a/docs/images/sso/auth0-saml/create-application-2.png
+++ b/docs/images/sso/auth0-saml/create-application-2.png
--- a/Show More
+++ b/Show More