misc: removed minimum requirements for kms description

misc: addressed minor kms issues
feat: resolved bug reported on search and integration failing due to typo in integration field
2025-03-27 09:40:45 +00:00 · 2024-07-25 00:15:47 +08:00 · 2024-07-24 23:45:38 +08:00 · 2024-07-24 19:42:29 +05:30 · 2024-07-24 15:38:45 +05:30 · 2024-07-24 13:31:38 +05:30
1134 changed files with 20711 additions and 64534 deletions
--- a/.env.example
+++ b/.env.example
@ -70,5 +70,3 @@ NEXT_PUBLIC_CAPTCHA_SITE_KEY=

 PLAIN_API_KEY=
 PLAIN_WISH_LABEL_IDS=
-
-SSL_CLIENT_CERTIFICATE_HEADER_KEY=
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@ -14,6 +14,7 @@ defaults:

 jobs:
    build-and-deploy:
+        runs-on: ubuntu-20.04
        strategy:
            matrix:
                arch: [x64, arm64]
@ -23,7 +24,6 @@ jobs:
                      target: node20-linux
                    - os: win
                      target: node20-win
-        runs-on: ${{ (matrix.arch == 'arm64' && matrix.os == 'linux') && 'ubuntu24-arm64' || 'ubuntu-latest' }}

        steps:
            - name: Checkout code
@ -49,9 +49,9 @@ jobs:
            - name: Package into node binary
              run: |
                  if [ "${{ matrix.os }}" != "linux" ]; then
-                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
+                    pkg --no-bytecode --public-packages "*" --public --compress Brotli --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
                  else
-                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
+                    pkg --no-bytecode --public-packages "*" --public --compress Brotli --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
                  fi

            # Set up .deb package structure (Debian/Ubuntu only)
@ -84,12 +84,7 @@ jobs:
                  mv infisical-core.deb ./binary/infisical-core-${{matrix.arch}}.deb

            - uses: actions/setup-python@v4
-              with:
-                  python-version: "3.x" # Specify the Python version you need
-            - name: Install Python dependencies
-              run: |
-                  python -m pip install --upgrade pip
-                  pip install --upgrade cloudsmith-cli
+            - run: pip install --upgrade cloudsmith-cli

            # Publish .deb file to Cloudsmith (Debian/Ubuntu only)
            - name: Publish to Cloudsmith (Debian/Ubuntu)
--- a/.github/workflows/build-staging-and-deploy-aws.yml
+++ b/.github/workflows/build-staging-and-deploy-aws.yml
@ -6,15 +6,9 @@ permissions:
  contents: read

 jobs:
-  infisical-tests:
-    name: Run tests before deployment
-    # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
-    uses: ./.github/workflows/run-backend-tests.yml
-    
  infisical-image:
    name: Build backend image
    runs-on: ubuntu-latest
-    needs: [infisical-tests]
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
--- a/.github/workflows/check-api-for-breaking-changes.yml
+++ b/.github/workflows/check-api-for-breaking-changes.yml
@ -22,14 +22,14 @@ jobs:
      # uncomment this when testing locally using nektos/act
      - uses: KengoTODA/actions-setup-docker-compose@v1
        if: ${{ env.ACT }}
-        name: Install `docker compose` for local simulations
+        name: Install `docker-compose` for local simulations
        with:
          version: "2.14.2"
      - name: 📦Build the latest image
        run: docker build --tag infisical-api .
        working-directory: backend
      - name: Start postgres and redis
-        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
+        run: touch .env && docker-compose -f docker-compose.dev.yml up -d db redis
      - name: Start the server
        run: |
            echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
@ -72,6 +72,6 @@ jobs:
        run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
      - name: cleanup
        run: |
-          docker compose -f "docker-compose.dev.yml" down
+          docker-compose -f "docker-compose.dev.yml" down
          docker stop infisical-api
          docker remove infisical-api
--- a/.github/workflows/run-backend-tests.yml
+++ b/.github/workflows/run-backend-tests.yml
@ -20,7 +20,7 @@ jobs:
        uses: actions/checkout@v3
      - uses: KengoTODA/actions-setup-docker-compose@v1
        if: ${{ env.ACT }}
-        name: Install `docker compose` for local simulations
+        name: Install `docker-compose` for local simulations
        with:
          version: "2.14.2"
      - name: 🔧 Setup Node 20
@ -33,7 +33,7 @@ jobs:
        run: npm install
        working-directory: backend
      - name: Start postgres and redis
-        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
+        run: touch .env && docker-compose -f docker-compose.dev.yml up -d db redis
      - name: Start integration test
        run: npm run test:e2e
        working-directory: backend
@ -44,4 +44,4 @@ jobs:
          ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
      - name: cleanup
        run: |
-          docker compose -f "docker-compose.dev.yml" down
+          docker-compose -f "docker-compose.dev.yml" down
--- a/.github/workflows/run-cli-tests.yml
+++ b/.github/workflows/run-cli-tests.yml
@ -50,6 +50,6 @@ jobs:
                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
                  CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
                  CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
-                #   INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+                  INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}

              run: go test -v -count=1 ./test
--- a/.gitignore
+++ b/.gitignore
@ -63,7 +63,6 @@ yarn-error.log*

 # Editor specific
 .vscode/*
-.idea/*

 frontend-build

--- a/13
+++ b/13
@ -15,16 +15,3 @@ up-prod:

 down:
 	docker compose -f docker-compose.dev.yml down
-
-reviewable-ui:
-	cd frontend && \
-	npm run lint:fix && \
-	npm run type:check
-
-reviewable-api:
-	cd backend && \
-	npm run lint:fix && \
-	npm run type:check
-
-reviewable: reviewable-ui reviewable-api
-
--- a/README.md
+++ b/README.md
--- a/backend/e2e-test/routes/v1/secret-approval-policy.spec.ts
+++ b/backend/e2e-test/routes/v1/secret-approval-policy.spec.ts
@ -1,36 +0,0 @@
-import { seedData1 } from "@app/db/seed-data";
-import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
-
-const createPolicy = async (dto: { name: string; secretPath: string; approvers: {type: ApproverType.User, id: string}[]; approvals: number }) => {
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v1/secret-approvals`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: {
-      workspaceId: seedData1.project.id,
-      environment: seedData1.environment.slug,
-      name: dto.name,
-      secretPath: dto.secretPath,
-      approvers: dto.approvers,
-      approvals: dto.approvals
-    }
-  });
-
-  expect(res.statusCode).toBe(200);
-  return res.json().approval;
-};
-
-describe("Secret approval policy router", async () => {
-  test("Create policy", async () => {
-    const policy = await createPolicy({
-      secretPath: "/",
-      approvals: 1,
-      approvers: [{id:seedData1.id, type: ApproverType.User}],
-      name: "test-policy"
-    });
-
-    expect(policy.name).toBe("test-policy");
-  });
-});
--- a/backend/e2e-test/routes/v1/secret-import.spec.ts
+++ b/backend/e2e-test/routes/v1/secret-import.spec.ts
@ -1,61 +1,73 @@
-import { createFolder, deleteFolder } from "e2e-test/testUtils/folders";
-import { createSecretImport, deleteSecretImport } from "e2e-test/testUtils/secret-imports";
-import { createSecretV2, deleteSecretV2, getSecretByNameV2, getSecretsV2 } from "e2e-test/testUtils/secrets";
-
 import { seedData1 } from "@app/db/seed-data";

+const createSecretImport = async (importPath: string, importEnv: string) => {
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v1/secret-imports`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: {
+      workspaceId: seedData1.project.id,
+      environment: seedData1.environment.slug,
+      path: "/",
+      import: {
+        environment: importEnv,
+        path: importPath
+      }
+    }
+  });
+
+  expect(res.statusCode).toBe(200);
+  const payload = JSON.parse(res.payload);
+  expect(payload).toHaveProperty("secretImport");
+  return payload.secretImport;
+};
+
+const deleteSecretImport = async (id: string) => {
+  const res = await testServer.inject({
+    method: "DELETE",
+    url: `/api/v1/secret-imports/${id}`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: {
+      workspaceId: seedData1.project.id,
+      environment: seedData1.environment.slug,
+      path: "/"
+    }
+  });
+
+  expect(res.statusCode).toBe(200);
+  const payload = JSON.parse(res.payload);
+  expect(payload).toHaveProperty("secretImport");
+  return payload.secretImport;
+};
+
 describe("Secret Import Router", async () => {
  test.each([
    { importEnv: "prod", importPath: "/" }, // one in root
    { importEnv: "staging", importPath: "/" } // then create a deep one creating intermediate ones
  ])("Create secret import $importEnv with path $importPath", async ({ importPath, importEnv }) => {
    // check for default environments
-    const payload = await createSecretImport({
-      authToken: jwtAuthToken,
-      secretPath: "/",
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: seedData1.project.id,
-      importPath,
-      importEnv
-    });
+    const payload = await createSecretImport(importPath, importEnv);
    expect(payload).toEqual(
      expect.objectContaining({
        id: expect.any(String),
-        importPath,
+        importPath: expect.any(String),
        importEnv: expect.objectContaining({
          name: expect.any(String),
-          slug: importEnv,
+          slug: expect.any(String),
          id: expect.any(String)
        })
      })
    );
-
-    await deleteSecretImport({
-      id: payload.id,
-      workspaceId: seedData1.project.id,
-      environmentSlug: seedData1.environment.slug,
-      secretPath: "/",
-      authToken: jwtAuthToken
-    });
+    await deleteSecretImport(payload.id);
  });

  test("Get secret imports", async () => {
-    const createdImport1 = await createSecretImport({
-      authToken: jwtAuthToken,
-      secretPath: "/",
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: seedData1.project.id,
-      importPath: "/",
-      importEnv: "prod"
-    });
-    const createdImport2 = await createSecretImport({
-      authToken: jwtAuthToken,
-      secretPath: "/",
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: seedData1.project.id,
-      importPath: "/",
-      importEnv: "staging"
-    });
+    const createdImport1 = await createSecretImport("/", "prod");
+    const createdImport2 = await createSecretImport("/", "staging");
    const res = await testServer.inject({
      method: "GET",
      url: `/api/v1/secret-imports`,
@ -77,60 +89,25 @@ describe("Secret Import Router", async () => {
      expect.arrayContaining([
        expect.objectContaining({
          id: expect.any(String),
-          importPath: "/",
+          importPath: expect.any(String),
          importEnv: expect.objectContaining({
            name: expect.any(String),
-            slug: "prod",
-            id: expect.any(String)
-          })
-        }),
-        expect.objectContaining({
-          id: expect.any(String),
-          importPath: "/",
-          importEnv: expect.objectContaining({
-            name: expect.any(String),
-            slug: "staging",
+            slug: expect.any(String),
            id: expect.any(String)
          })
        })
      ])
    );
-    await deleteSecretImport({
-      id: createdImport1.id,
-      workspaceId: seedData1.project.id,
-      environmentSlug: seedData1.environment.slug,
-      secretPath: "/",
-      authToken: jwtAuthToken
-    });
-    await deleteSecretImport({
-      id: createdImport2.id,
-      workspaceId: seedData1.project.id,
-      environmentSlug: seedData1.environment.slug,
-      secretPath: "/",
-      authToken: jwtAuthToken
-    });
+    await deleteSecretImport(createdImport1.id);
+    await deleteSecretImport(createdImport2.id);
  });

  test("Update secret import position", async () => {
    const prodImportDetails = { path: "/", envSlug: "prod" };
    const stagingImportDetails = { path: "/", envSlug: "staging" };

-    const createdImport1 = await createSecretImport({
-      authToken: jwtAuthToken,
-      secretPath: "/",
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: seedData1.project.id,
-      importPath: prodImportDetails.path,
-      importEnv: prodImportDetails.envSlug
-    });
-    const createdImport2 = await createSecretImport({
-      authToken: jwtAuthToken,
-      secretPath: "/",
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: seedData1.project.id,
-      importPath: stagingImportDetails.path,
-      importEnv: stagingImportDetails.envSlug
-    });
+    const createdImport1 = await createSecretImport(prodImportDetails.path, prodImportDetails.envSlug);
+    const createdImport2 = await createSecretImport(stagingImportDetails.path, stagingImportDetails.envSlug);

    const updateImportRes = await testServer.inject({
      method: "PATCH",
@ -184,55 +161,22 @@ describe("Secret Import Router", async () => {
    expect(secretImportList.secretImports[1].id).toEqual(createdImport1.id);
    expect(secretImportList.secretImports[0].id).toEqual(createdImport2.id);

-    await deleteSecretImport({
-      id: createdImport1.id,
-      workspaceId: seedData1.project.id,
-      environmentSlug: seedData1.environment.slug,
-      secretPath: "/",
-      authToken: jwtAuthToken
-    });
-    await deleteSecretImport({
-      id: createdImport2.id,
-      workspaceId: seedData1.project.id,
-      environmentSlug: seedData1.environment.slug,
-      secretPath: "/",
-      authToken: jwtAuthToken
-    });
+    await deleteSecretImport(createdImport1.id);
+    await deleteSecretImport(createdImport2.id);
  });

  test("Delete secret import position", async () => {
-    const createdImport1 = await createSecretImport({
-      authToken: jwtAuthToken,
-      secretPath: "/",
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: seedData1.project.id,
-      importPath: "/",
-      importEnv: "prod"
-    });
-    const createdImport2 = await createSecretImport({
-      authToken: jwtAuthToken,
-      secretPath: "/",
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: seedData1.project.id,
-      importPath: "/",
-      importEnv: "staging"
-    });
-    const deletedImport = await deleteSecretImport({
-      id: createdImport1.id,
-      workspaceId: seedData1.project.id,
-      environmentSlug: seedData1.environment.slug,
-      secretPath: "/",
-      authToken: jwtAuthToken
-    });
-
+    const createdImport1 = await createSecretImport("/", "prod");
+    const createdImport2 = await createSecretImport("/", "staging");
+    const deletedImport = await deleteSecretImport(createdImport1.id);
    // check for default environments
    expect(deletedImport).toEqual(
      expect.objectContaining({
        id: expect.any(String),
-        importPath: "/",
+        importPath: expect.any(String),
        importEnv: expect.objectContaining({
          name: expect.any(String),
-          slug: "prod",
+          slug: expect.any(String),
          id: expect.any(String)
        })
      })
@ -257,552 +201,6 @@ describe("Secret Import Router", async () => {
    expect(secretImportList.secretImports.length).toEqual(1);
    expect(secretImportList.secretImports[0].position).toEqual(1);

-    await deleteSecretImport({
-      id: createdImport2.id,
-      workspaceId: seedData1.project.id,
-      environmentSlug: seedData1.environment.slug,
-      secretPath: "/",
-      authToken: jwtAuthToken
-    });
+    await deleteSecretImport(createdImport2.id);
  });
 });
-
-// dev <- stage <- prod
-describe.each([{ path: "/" }, { path: "/deep" }])(
-  "Secret import waterfall pattern testing - %path",
-  ({ path: testSuitePath }) => {
-    beforeAll(async () => {
-      let prodFolder: { id: string };
-      let stagingFolder: { id: string };
-      let devFolder: { id: string };
-
-      if (testSuitePath !== "/") {
-        prodFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: "prod",
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-
-        stagingFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: "staging",
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-
-        devFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: seedData1.environment.slug,
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-      }
-
-      const devImportFromStage = await createSecretImport({
-        authToken: jwtAuthToken,
-        secretPath: testSuitePath,
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        importPath: testSuitePath,
-        importEnv: "staging"
-      });
-
-      const stageImportFromProd = await createSecretImport({
-        authToken: jwtAuthToken,
-        secretPath: testSuitePath,
-        environmentSlug: "staging",
-        workspaceId: seedData1.projectV3.id,
-        importPath: testSuitePath,
-        importEnv: "prod"
-      });
-
-      return async () => {
-        await deleteSecretImport({
-          id: stageImportFromProd.id,
-          workspaceId: seedData1.projectV3.id,
-          environmentSlug: "staging",
-          secretPath: testSuitePath,
-          authToken: jwtAuthToken
-        });
-
-        await deleteSecretImport({
-          id: devImportFromStage.id,
-          workspaceId: seedData1.projectV3.id,
-          environmentSlug: seedData1.environment.slug,
-          secretPath: testSuitePath,
-          authToken: jwtAuthToken
-        });
-
-        if (prodFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: prodFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: "prod"
-          });
-        }
-
-        if (stagingFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: stagingFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: "staging"
-          });
-        }
-
-        if (devFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: devFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: seedData1.environment.slug
-          });
-        }
-      };
-    });
-
-    test("Check one level imported secret exist", async () => {
-      await createSecretV2({
-        environmentSlug: "staging",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY",
-        value: "stage-value"
-      });
-
-      const secret = await getSecretByNameV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY"
-      });
-
-      expect(secret.secretKey).toBe("STAGING_KEY");
-      expect(secret.secretValue).toBe("stage-value");
-
-      const listSecrets = await getSecretsV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken
-      });
-      expect(listSecrets.imports).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            secrets: expect.arrayContaining([
-              expect.objectContaining({
-                secretKey: "STAGING_KEY",
-                secretValue: "stage-value"
-              })
-            ])
-          })
-        ])
-      );
-
-      await deleteSecretV2({
-        environmentSlug: "staging",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY"
-      });
-    });
-
-    test("Check two level imported secret exist", async () => {
-      await createSecretV2({
-        environmentSlug: "prod",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY",
-        value: "prod-value"
-      });
-
-      const secret = await getSecretByNameV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY"
-      });
-
-      expect(secret.secretKey).toBe("PROD_KEY");
-      expect(secret.secretValue).toBe("prod-value");
-
-      const listSecrets = await getSecretsV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken
-      });
-      expect(listSecrets.imports).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            secrets: expect.arrayContaining([
-              expect.objectContaining({
-                secretKey: "PROD_KEY",
-                secretValue: "prod-value"
-              })
-            ])
-          })
-        ])
-      );
-
-      await deleteSecretV2({
-        environmentSlug: "prod",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY"
-      });
-    });
-  }
-);
-
-// dev <- stage, dev <- prod
-describe.each([{ path: "/" }, { path: "/deep" }])(
-  "Secret import multiple destination to one source pattern testing - %path",
-  ({ path: testSuitePath }) => {
-    beforeAll(async () => {
-      let prodFolder: { id: string };
-      let stagingFolder: { id: string };
-      let devFolder: { id: string };
-
-      if (testSuitePath !== "/") {
-        prodFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: "prod",
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-
-        stagingFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: "staging",
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-
-        devFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: seedData1.environment.slug,
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-      }
-
-      const devImportFromStage = await createSecretImport({
-        authToken: jwtAuthToken,
-        secretPath: testSuitePath,
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        importPath: testSuitePath,
-        importEnv: "staging"
-      });
-
-      const devImportFromProd = await createSecretImport({
-        authToken: jwtAuthToken,
-        secretPath: testSuitePath,
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        importPath: testSuitePath,
-        importEnv: "prod"
-      });
-
-      return async () => {
-        await deleteSecretImport({
-          id: devImportFromProd.id,
-          workspaceId: seedData1.projectV3.id,
-          environmentSlug: seedData1.environment.slug,
-          secretPath: testSuitePath,
-          authToken: jwtAuthToken
-        });
-
-        await deleteSecretImport({
-          id: devImportFromStage.id,
-          workspaceId: seedData1.projectV3.id,
-          environmentSlug: seedData1.environment.slug,
-          secretPath: testSuitePath,
-          authToken: jwtAuthToken
-        });
-
-        if (prodFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: prodFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: "prod"
-          });
-        }
-
-        if (stagingFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: stagingFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: "staging"
-          });
-        }
-
-        if (devFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: devFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: seedData1.environment.slug
-          });
-        }
-      };
-    });
-
-    test("Check imported secret exist", async () => {
-      await createSecretV2({
-        environmentSlug: "staging",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY",
-        value: "stage-value"
-      });
-
-      await createSecretV2({
-        environmentSlug: "prod",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY",
-        value: "prod-value"
-      });
-
-      const secret = await getSecretByNameV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY"
-      });
-
-      expect(secret.secretKey).toBe("STAGING_KEY");
-      expect(secret.secretValue).toBe("stage-value");
-
-      const listSecrets = await getSecretsV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken
-      });
-      expect(listSecrets.imports).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            secrets: expect.arrayContaining([
-              expect.objectContaining({
-                secretKey: "STAGING_KEY",
-                secretValue: "stage-value"
-              })
-            ])
-          }),
-          expect.objectContaining({
-            secrets: expect.arrayContaining([
-              expect.objectContaining({
-                secretKey: "PROD_KEY",
-                secretValue: "prod-value"
-              })
-            ])
-          })
-        ])
-      );
-
-      await deleteSecretV2({
-        environmentSlug: "staging",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY"
-      });
-      await deleteSecretV2({
-        environmentSlug: "prod",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY"
-      });
-    });
-  }
-);
-
-// dev -> stage, prod
-describe.each([{ path: "/" }, { path: "/deep" }])(
-  "Secret import one source to multiple destination pattern testing - %path",
-  ({ path: testSuitePath }) => {
-    beforeAll(async () => {
-      let prodFolder: { id: string };
-      let stagingFolder: { id: string };
-      let devFolder: { id: string };
-
-      if (testSuitePath !== "/") {
-        prodFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: "prod",
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-
-        stagingFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: "staging",
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-
-        devFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: seedData1.environment.slug,
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-      }
-
-      const stageImportFromDev = await createSecretImport({
-        authToken: jwtAuthToken,
-        secretPath: testSuitePath,
-        environmentSlug: "staging",
-        workspaceId: seedData1.projectV3.id,
-        importPath: testSuitePath,
-        importEnv: seedData1.environment.slug
-      });
-
-      const prodImportFromDev = await createSecretImport({
-        authToken: jwtAuthToken,
-        secretPath: testSuitePath,
-        environmentSlug: "prod",
-        workspaceId: seedData1.projectV3.id,
-        importPath: testSuitePath,
-        importEnv: seedData1.environment.slug
-      });
-
-      return async () => {
-        await deleteSecretImport({
-          id: prodImportFromDev.id,
-          workspaceId: seedData1.projectV3.id,
-          environmentSlug: "prod",
-          secretPath: testSuitePath,
-          authToken: jwtAuthToken
-        });
-
-        await deleteSecretImport({
-          id: stageImportFromDev.id,
-          workspaceId: seedData1.projectV3.id,
-          environmentSlug: "staging",
-          secretPath: testSuitePath,
-          authToken: jwtAuthToken
-        });
-
-        if (prodFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: prodFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: "prod"
-          });
-        }
-
-        if (stagingFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: stagingFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: "staging"
-          });
-        }
-
-        if (devFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: devFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: seedData1.environment.slug
-          });
-        }
-      };
-    });
-
-    test("Check imported secret exist", async () => {
-      await createSecretV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY",
-        value: "stage-value"
-      });
-
-      await createSecretV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY",
-        value: "prod-value"
-      });
-
-      const stagingSecret = await getSecretByNameV2({
-        environmentSlug: "staging",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY"
-      });
-
-      expect(stagingSecret.secretKey).toBe("STAGING_KEY");
-      expect(stagingSecret.secretValue).toBe("stage-value");
-
-      const prodSecret = await getSecretByNameV2({
-        environmentSlug: "prod",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY"
-      });
-
-      expect(prodSecret.secretKey).toBe("PROD_KEY");
-      expect(prodSecret.secretValue).toBe("prod-value");
-
-      await deleteSecretV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY"
-      });
-      await deleteSecretV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY"
-      });
-    });
-  }
-);
--- a/backend/e2e-test/routes/v1/secret-replication.spec.ts
+++ b/backend/e2e-test/routes/v1/secret-replication.spec.ts
@ -1,406 +0,0 @@
-import { createFolder, deleteFolder } from "e2e-test/testUtils/folders";
-import { createSecretImport, deleteSecretImport } from "e2e-test/testUtils/secret-imports";
-import { createSecretV2, deleteSecretV2, getSecretByNameV2, getSecretsV2 } from "e2e-test/testUtils/secrets";
-
-import { seedData1 } from "@app/db/seed-data";
-
-// dev <- stage <- prod
-describe.each([{ secretPath: "/" }, { secretPath: "/deep" }])(
-  "Secret replication waterfall pattern testing - %secretPath",
-  ({ secretPath: testSuitePath }) => {
-    beforeAll(async () => {
-      let prodFolder: { id: string };
-      let stagingFolder: { id: string };
-      let devFolder: { id: string };
-
-      if (testSuitePath !== "/") {
-        prodFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: "prod",
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-
-        stagingFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: "staging",
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-
-        devFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: seedData1.environment.slug,
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-      }
-
-      const devImportFromStage = await createSecretImport({
-        authToken: jwtAuthToken,
-        secretPath: testSuitePath,
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        importPath: testSuitePath,
-        importEnv: "staging",
-        isReplication: true
-      });
-
-      const stageImportFromProd = await createSecretImport({
-        authToken: jwtAuthToken,
-        secretPath: testSuitePath,
-        environmentSlug: "staging",
-        workspaceId: seedData1.projectV3.id,
-        importPath: testSuitePath,
-        importEnv: "prod",
-        isReplication: true
-      });
-
-      return async () => {
-        await deleteSecretImport({
-          id: stageImportFromProd.id,
-          workspaceId: seedData1.projectV3.id,
-          environmentSlug: "staging",
-          secretPath: testSuitePath,
-          authToken: jwtAuthToken
-        });
-
-        await deleteSecretImport({
-          id: devImportFromStage.id,
-          workspaceId: seedData1.projectV3.id,
-          environmentSlug: seedData1.environment.slug,
-          secretPath: testSuitePath,
-          authToken: jwtAuthToken
-        });
-
-        if (prodFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: prodFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: "prod"
-          });
-        }
-
-        if (stagingFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: stagingFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: "staging"
-          });
-        }
-
-        if (devFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: devFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: seedData1.environment.slug
-          });
-        }
-      };
-    });
-
-    test("Check one level imported secret exist", async () => {
-      await createSecretV2({
-        environmentSlug: "staging",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY",
-        value: "stage-value"
-      });
-
-      // wait for 5 second for  replication to finish
-      await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
-      });
-
-      const secret = await getSecretByNameV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY"
-      });
-
-      expect(secret.secretKey).toBe("STAGING_KEY");
-      expect(secret.secretValue).toBe("stage-value");
-
-      const listSecrets = await getSecretsV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken
-      });
-
-      expect(listSecrets.imports).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            secrets: expect.arrayContaining([
-              expect.objectContaining({
-                secretKey: "STAGING_KEY",
-                secretValue: "stage-value"
-              })
-            ])
-          })
-        ])
-      );
-
-      await deleteSecretV2({
-        environmentSlug: "staging",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY"
-      });
-    });
-
-    test("Check two level imported secret exist", async () => {
-      await createSecretV2({
-        environmentSlug: "prod",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY",
-        value: "prod-value"
-      });
-
-      // wait for 5 second for  replication to finish
-      await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
-      });
-
-      const secret = await getSecretByNameV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY"
-      });
-
-      expect(secret.secretKey).toBe("PROD_KEY");
-      expect(secret.secretValue).toBe("prod-value");
-
-      const listSecrets = await getSecretsV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken
-      });
-      expect(listSecrets.imports).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            secrets: expect.arrayContaining([
-              expect.objectContaining({
-                secretKey: "PROD_KEY",
-                secretValue: "prod-value"
-              })
-            ])
-          })
-        ])
-      );
-
-      await deleteSecretV2({
-        environmentSlug: "prod",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY"
-      });
-    });
-  },
-  { timeout: 30000 }
-);
-
-// dev <- stage, dev <- prod
-describe.each([{ path: "/" }, { path: "/deep" }])(
-  "Secret replication 1-N pattern testing - %path",
-  ({ path: testSuitePath }) => {
-    beforeAll(async () => {
-      let prodFolder: { id: string };
-      let stagingFolder: { id: string };
-      let devFolder: { id: string };
-
-      if (testSuitePath !== "/") {
-        prodFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: "prod",
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-
-        stagingFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: "staging",
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-
-        devFolder = await createFolder({
-          authToken: jwtAuthToken,
-          environmentSlug: seedData1.environment.slug,
-          workspaceId: seedData1.projectV3.id,
-          secretPath: "/",
-          name: "deep"
-        });
-      }
-
-      const devImportFromStage = await createSecretImport({
-        authToken: jwtAuthToken,
-        secretPath: testSuitePath,
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        importPath: testSuitePath,
-        importEnv: "staging",
-        isReplication: true
-      });
-
-      const devImportFromProd = await createSecretImport({
-        authToken: jwtAuthToken,
-        secretPath: testSuitePath,
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        importPath: testSuitePath,
-        importEnv: "prod",
-        isReplication: true
-      });
-
-      return async () => {
-        await deleteSecretImport({
-          id: devImportFromProd.id,
-          workspaceId: seedData1.projectV3.id,
-          environmentSlug: seedData1.environment.slug,
-          secretPath: testSuitePath,
-          authToken: jwtAuthToken
-        });
-
-        await deleteSecretImport({
-          id: devImportFromStage.id,
-          workspaceId: seedData1.projectV3.id,
-          environmentSlug: seedData1.environment.slug,
-          secretPath: testSuitePath,
-          authToken: jwtAuthToken
-        });
-
-        if (prodFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: prodFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: "prod"
-          });
-        }
-
-        if (stagingFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: stagingFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: "staging"
-          });
-        }
-
-        if (devFolder) {
-          await deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id: devFolder.id,
-            workspaceId: seedData1.projectV3.id,
-            environmentSlug: seedData1.environment.slug
-          });
-        }
-      };
-    });
-
-    test("Check imported secret exist", async () => {
-      await createSecretV2({
-        environmentSlug: "staging",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY",
-        value: "stage-value"
-      });
-
-      await createSecretV2({
-        environmentSlug: "prod",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY",
-        value: "prod-value"
-      });
-
-      // wait for 5 second for  replication to finish
-      await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
-      });
-
-      const secret = await getSecretByNameV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY"
-      });
-
-      expect(secret.secretKey).toBe("STAGING_KEY");
-      expect(secret.secretValue).toBe("stage-value");
-
-      const listSecrets = await getSecretsV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken
-      });
-      expect(listSecrets.imports).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            secrets: expect.arrayContaining([
-              expect.objectContaining({
-                secretKey: "STAGING_KEY",
-                secretValue: "stage-value"
-              })
-            ])
-          }),
-          expect.objectContaining({
-            secrets: expect.arrayContaining([
-              expect.objectContaining({
-                secretKey: "PROD_KEY",
-                secretValue: "prod-value"
-              })
-            ])
-          })
-        ])
-      );
-
-      await deleteSecretV2({
-        environmentSlug: "staging",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "STAGING_KEY"
-      });
-      await deleteSecretV2({
-        environmentSlug: "prod",
-        workspaceId: seedData1.projectV3.id,
-        secretPath: testSuitePath,
-        authToken: jwtAuthToken,
-        key: "PROD_KEY"
-      });
-    });
-  },
-  { timeout: 30000 }
-);
--- a/backend/e2e-test/routes/v2/service-token.spec.ts
+++ b/backend/e2e-test/routes/v2/service-token.spec.ts
@ -510,7 +510,7 @@ describe("Service token fail cases", async () => {
        authorization: `Bearer ${serviceToken}`
      }
    });
-    expect(fetchSecrets.statusCode).toBe(403);
+    expect(fetchSecrets.statusCode).toBe(401);
    expect(fetchSecrets.json().error).toBe("PermissionDenied");
    await deleteServiceToken();
  });
@ -532,7 +532,7 @@ describe("Service token fail cases", async () => {
        authorization: `Bearer ${serviceToken}`
      }
    });
-    expect(fetchSecrets.statusCode).toBe(403);
+    expect(fetchSecrets.statusCode).toBe(401);
    expect(fetchSecrets.json().error).toBe("PermissionDenied");
    await deleteServiceToken();
  });
@ -557,7 +557,7 @@ describe("Service token fail cases", async () => {
        authorization: `Bearer ${serviceToken}`
      }
    });
-    expect(writeSecrets.statusCode).toBe(403);
+    expect(writeSecrets.statusCode).toBe(401);
    expect(writeSecrets.json().error).toBe("PermissionDenied");

    // but read access should still work fine
--- a/backend/e2e-test/routes/v3/secret-reference.spec.ts
+++ b/backend/e2e-test/routes/v3/secret-reference.spec.ts
@ -1,330 +0,0 @@
-import { createFolder, deleteFolder } from "e2e-test/testUtils/folders";
-import { createSecretImport, deleteSecretImport } from "e2e-test/testUtils/secret-imports";
-import { createSecretV2, deleteSecretV2, getSecretByNameV2, getSecretsV2 } from "e2e-test/testUtils/secrets";
-
-import { seedData1 } from "@app/db/seed-data";
-
-describe("Secret expansion", () => {
-  const projectId = seedData1.projectV3.id;
-
-  beforeAll(async () => {
-    const prodRootFolder = await createFolder({
-      authToken: jwtAuthToken,
-      environmentSlug: "prod",
-      workspaceId: projectId,
-      secretPath: "/",
-      name: "deep"
-    });
-
-    await createFolder({
-      authToken: jwtAuthToken,
-      environmentSlug: "prod",
-      workspaceId: projectId,
-      secretPath: "/deep",
-      name: "nested"
-    });
-
-    return async () => {
-      await deleteFolder({
-        authToken: jwtAuthToken,
-        secretPath: "/",
-        id: prodRootFolder.id,
-        workspaceId: projectId,
-        environmentSlug: "prod"
-      });
-    };
-  });
-
-  test("Local secret reference", async () => {
-    const secrets = [
-      {
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: projectId,
-        secretPath: "/",
-        authToken: jwtAuthToken,
-        key: "HELLO",
-        value: "world"
-      },
-      {
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: projectId,
-        secretPath: "/",
-        authToken: jwtAuthToken,
-        key: "TEST",
-        // eslint-disable-next-line
-        value: "hello ${HELLO}"
-      }
-    ];
-
-    await Promise.all(secrets.map((el) => createSecretV2(el)));
-
-    const expandedSecret = await getSecretByNameV2({
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: projectId,
-      secretPath: "/",
-      authToken: jwtAuthToken,
-      key: "TEST"
-    });
-    expect(expandedSecret.secretValue).toBe("hello world");
-
-    const listSecrets = await getSecretsV2({
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: projectId,
-      secretPath: "/",
-      authToken: jwtAuthToken
-    });
-    expect(listSecrets.secrets).toEqual(
-      expect.arrayContaining([
-        expect.objectContaining({
-          secretKey: "TEST",
-          secretValue: "hello world"
-        })
-      ])
-    );
-
-    await Promise.all(secrets.map((el) => deleteSecretV2(el)));
-  });
-
-  test("Cross environment secret reference", async () => {
-    const secrets = [
-      {
-        environmentSlug: "prod",
-        workspaceId: projectId,
-        secretPath: "/deep",
-        authToken: jwtAuthToken,
-        key: "DEEP_KEY_1",
-        value: "testing"
-      },
-      {
-        environmentSlug: "prod",
-        workspaceId: projectId,
-        secretPath: "/deep/nested",
-        authToken: jwtAuthToken,
-        key: "NESTED_KEY_1",
-        value: "reference"
-      },
-      {
-        environmentSlug: "prod",
-        workspaceId: projectId,
-        secretPath: "/deep/nested",
-        authToken: jwtAuthToken,
-        key: "NESTED_KEY_2",
-        // eslint-disable-next-line
-        value: "secret ${NESTED_KEY_1}"
-      },
-      {
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: projectId,
-        secretPath: "/",
-        authToken: jwtAuthToken,
-        key: "KEY",
-        // eslint-disable-next-line
-        value: "hello ${prod.deep.DEEP_KEY_1} ${prod.deep.nested.NESTED_KEY_2}"
-      }
-    ];
-
-    await Promise.all(secrets.map((el) => createSecretV2(el)));
-
-    const expandedSecret = await getSecretByNameV2({
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: projectId,
-      secretPath: "/",
-      authToken: jwtAuthToken,
-      key: "KEY"
-    });
-    expect(expandedSecret.secretValue).toBe("hello testing secret reference");
-
-    const listSecrets = await getSecretsV2({
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: projectId,
-      secretPath: "/",
-      authToken: jwtAuthToken
-    });
-    expect(listSecrets.secrets).toEqual(
-      expect.arrayContaining([
-        expect.objectContaining({
-          secretKey: "KEY",
-          secretValue: "hello testing secret reference"
-        })
-      ])
-    );
-
-    await Promise.all(secrets.map((el) => deleteSecretV2(el)));
-  });
-
-  test("Non replicated secret import secret expansion on local reference and nested reference", async () => {
-    const secrets = [
-      {
-        environmentSlug: "prod",
-        workspaceId: projectId,
-        secretPath: "/deep",
-        authToken: jwtAuthToken,
-        key: "DEEP_KEY_1",
-        value: "testing"
-      },
-      {
-        environmentSlug: "prod",
-        workspaceId: projectId,
-        secretPath: "/deep/nested",
-        authToken: jwtAuthToken,
-        key: "NESTED_KEY_1",
-        value: "reference"
-      },
-      {
-        environmentSlug: "prod",
-        workspaceId: projectId,
-        secretPath: "/deep/nested",
-        authToken: jwtAuthToken,
-        key: "NESTED_KEY_2",
-        // eslint-disable-next-line
-        value: "secret ${NESTED_KEY_1} ${prod.deep.DEEP_KEY_1}"
-      },
-      {
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: projectId,
-        secretPath: "/",
-        authToken: jwtAuthToken,
-        key: "KEY",
-        // eslint-disable-next-line
-        value: "hello world"
-      }
-    ];
-
-    await Promise.all(secrets.map((el) => createSecretV2(el)));
-    const secretImportFromProdToDev = await createSecretImport({
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: projectId,
-      secretPath: "/",
-      authToken: jwtAuthToken,
-      importEnv: "prod",
-      importPath: "/deep/nested"
-    });
-
-    const listSecrets = await getSecretsV2({
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: projectId,
-      secretPath: "/",
-      authToken: jwtAuthToken
-    });
-    expect(listSecrets.imports).toEqual(
-      expect.arrayContaining([
-        expect.objectContaining({
-          secretPath: "/deep/nested",
-          environment: "prod",
-          secrets: expect.arrayContaining([
-            expect.objectContaining({
-              secretKey: "NESTED_KEY_1",
-              secretValue: "reference"
-            }),
-            expect.objectContaining({
-              secretKey: "NESTED_KEY_2",
-              secretValue: "secret reference testing"
-            })
-          ])
-        })
-      ])
-    );
-
-    await Promise.all(secrets.map((el) => deleteSecretV2(el)));
-    await deleteSecretImport({
-      environmentSlug: seedData1.environment.slug,
-      workspaceId: projectId,
-      authToken: jwtAuthToken,
-      id: secretImportFromProdToDev.id,
-      secretPath: "/"
-    });
-  });
-
-  test(
-    "Replicated secret import secret expansion on local reference and nested reference",
-    async () => {
-      const secrets = [
-        {
-          environmentSlug: "prod",
-          workspaceId: projectId,
-          secretPath: "/deep",
-          authToken: jwtAuthToken,
-          key: "DEEP_KEY_1",
-          value: "testing"
-        },
-        {
-          environmentSlug: "prod",
-          workspaceId: projectId,
-          secretPath: "/deep/nested",
-          authToken: jwtAuthToken,
-          key: "NESTED_KEY_1",
-          value: "reference"
-        },
-        {
-          environmentSlug: "prod",
-          workspaceId: projectId,
-          secretPath: "/deep/nested",
-          authToken: jwtAuthToken,
-          key: "NESTED_KEY_2",
-          // eslint-disable-next-line
-          value: "secret ${NESTED_KEY_1} ${prod.deep.DEEP_KEY_1}"
-        },
-        {
-          environmentSlug: seedData1.environment.slug,
-          workspaceId: projectId,
-          secretPath: "/",
-          authToken: jwtAuthToken,
-          key: "KEY",
-          // eslint-disable-next-line
-          value: "hello world"
-        }
-      ];
-
-      await Promise.all(secrets.map((el) => createSecretV2(el)));
-      const secretImportFromProdToDev = await createSecretImport({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: projectId,
-        secretPath: "/",
-        authToken: jwtAuthToken,
-        importEnv: "prod",
-        importPath: "/deep/nested",
-        isReplication: true
-      });
-
-      // wait for 5 second for  replication to finish
-      await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
-      });
-
-      const listSecrets = await getSecretsV2({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: projectId,
-        secretPath: "/",
-        authToken: jwtAuthToken
-      });
-      expect(listSecrets.imports).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            secretPath: `/__reserve_replication_${secretImportFromProdToDev.id}`,
-            environment: seedData1.environment.slug,
-            secrets: expect.arrayContaining([
-              expect.objectContaining({
-                secretKey: "NESTED_KEY_1",
-                secretValue: "reference"
-              }),
-              expect.objectContaining({
-                secretKey: "NESTED_KEY_2",
-                secretValue: "secret reference testing"
-              })
-            ])
-          })
-        ])
-      );
-
-      await Promise.all(secrets.map((el) => deleteSecretV2(el)));
-      await deleteSecretImport({
-        environmentSlug: seedData1.environment.slug,
-        workspaceId: projectId,
-        authToken: jwtAuthToken,
-        id: secretImportFromProdToDev.id,
-        secretPath: "/"
-      });
-    },
-    { timeout: 10000 }
-  );
-});
--- a/backend/e2e-test/routes/v3/secrets-v2.spec.ts
+++ b/backend/e2e-test/routes/v3/secrets-v2.spec.ts
@ -8,7 +8,6 @@ type TRawSecret = {
  secretComment?: string;
  version: number;
 };
-
 const createSecret = async (dto: { path: string; key: string; value: string; comment: string; type?: SecretType }) => {
  const createSecretReqBody = {
    workspaceId: seedData1.projectV3.id,
--- a/backend/e2e-test/routes/v3/secrets.spec.ts
+++ b/backend/e2e-test/routes/v3/secrets.spec.ts
@ -1075,7 +1075,7 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
      },
      body: createSecretReqBody
    });
-    expect(createSecRes.statusCode).toBe(404);
+    expect(createSecRes.statusCode).toBe(400);
  });

  test("Update secret raw", async () => {
@ -1093,7 +1093,7 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
      },
      body: updateSecretReqBody
    });
-    expect(updateSecRes.statusCode).toBe(404);
+    expect(updateSecRes.statusCode).toBe(400);
  });

  test("Delete secret raw", async () => {
@ -1110,6 +1110,6 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
      },
      body: deletedSecretReqBody
    });
-    expect(deletedSecRes.statusCode).toBe(404);
+    expect(deletedSecRes.statusCode).toBe(400);
  });
 });
--- a/backend/e2e-test/testUtils/folders.ts
+++ b/backend/e2e-test/testUtils/folders.ts
@ -1,73 +0,0 @@
-type TFolder = {
-  id: string;
-  name: string;
-};
-
-export const createFolder = async (dto: {
-  workspaceId: string;
-  environmentSlug: string;
-  secretPath: string;
-  name: string;
-  authToken: string;
-}) => {
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v1/folders`,
-    headers: {
-      authorization: `Bearer ${dto.authToken}`
-    },
-    body: {
-      workspaceId: dto.workspaceId,
-      environment: dto.environmentSlug,
-      name: dto.name,
-      path: dto.secretPath
-    }
-  });
-  expect(res.statusCode).toBe(200);
-  return res.json().folder as TFolder;
-};
-
-export const deleteFolder = async (dto: {
-  workspaceId: string;
-  environmentSlug: string;
-  secretPath: string;
-  id: string;
-  authToken: string;
-}) => {
-  const res = await testServer.inject({
-    method: "DELETE",
-    url: `/api/v1/folders/${dto.id}`,
-    headers: {
-      authorization: `Bearer ${dto.authToken}`
-    },
-    body: {
-      workspaceId: dto.workspaceId,
-      environment: dto.environmentSlug,
-      path: dto.secretPath
-    }
-  });
-  expect(res.statusCode).toBe(200);
-  return res.json().folder as TFolder;
-};
-
-export const listFolders = async (dto: {
-  workspaceId: string;
-  environmentSlug: string;
-  secretPath: string;
-  authToken: string;
-}) => {
-  const res = await testServer.inject({
-    method: "GET",
-    url: `/api/v1/folders`,
-    headers: {
-      authorization: `Bearer ${dto.authToken}`
-    },
-    body: {
-      workspaceId: dto.workspaceId,
-      environment: dto.environmentSlug,
-      path: dto.secretPath
-    }
-  });
-  expect(res.statusCode).toBe(200);
-  return res.json().folders as TFolder[];
-};
--- a/backend/e2e-test/testUtils/secret-imports.ts
+++ b/backend/e2e-test/testUtils/secret-imports.ts
@ -1,93 +0,0 @@
-type TSecretImport = {
-  id: string;
-  importEnv: {
-    name: string;
-    slug: string;
-    id: string;
-  };
-  importPath: string;
-};
-
-export const createSecretImport = async (dto: {
-  workspaceId: string;
-  environmentSlug: string;
-  isReplication?: boolean;
-  secretPath: string;
-  importPath: string;
-  importEnv: string;
-  authToken: string;
-}) => {
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v1/secret-imports`,
-    headers: {
-      authorization: `Bearer ${dto.authToken}`
-    },
-    body: {
-      workspaceId: dto.workspaceId,
-      environment: dto.environmentSlug,
-      isReplication: dto.isReplication,
-      path: dto.secretPath,
-      import: {
-        environment: dto.importEnv,
-        path: dto.importPath
-      }
-    }
-  });
-
-  expect(res.statusCode).toBe(200);
-  const payload = JSON.parse(res.payload);
-  expect(payload).toHaveProperty("secretImport");
-  return payload.secretImport as TSecretImport;
-};
-
-export const deleteSecretImport = async (dto: {
-  workspaceId: string;
-  environmentSlug: string;
-  secretPath: string;
-  authToken: string;
-  id: string;
-}) => {
-  const res = await testServer.inject({
-    method: "DELETE",
-    url: `/api/v1/secret-imports/${dto.id}`,
-    headers: {
-      authorization: `Bearer ${dto.authToken}`
-    },
-    body: {
-      workspaceId: dto.workspaceId,
-      environment: dto.environmentSlug,
-      path: dto.secretPath
-    }
-  });
-
-  expect(res.statusCode).toBe(200);
-  const payload = JSON.parse(res.payload);
-  expect(payload).toHaveProperty("secretImport");
-  return payload.secretImport as TSecretImport;
-};
-
-export const listSecretImport = async (dto: {
-  workspaceId: string;
-  environmentSlug: string;
-  secretPath: string;
-  authToken: string;
-}) => {
-  const res = await testServer.inject({
-    method: "GET",
-    url: `/api/v1/secret-imports`,
-    headers: {
-      authorization: `Bearer ${dto.authToken}`
-    },
-    query: {
-      workspaceId: dto.workspaceId,
-      environment: dto.environmentSlug,
-      path: dto.secretPath
-    }
-  });
-
-  expect(res.statusCode).toBe(200);
-  const payload = JSON.parse(res.payload);
-  expect(payload).toHaveProperty("secretImports");
-  return payload.secretImports as TSecretImport[];
-};
--- a/backend/e2e-test/testUtils/secrets.ts
+++ b/backend/e2e-test/testUtils/secrets.ts
@ -1,128 +0,0 @@
-import { SecretType } from "@app/db/schemas";
-
-type TRawSecret = {
-  secretKey: string;
-  secretValue: string;
-  secretComment?: string;
-  version: number;
-};
-
-export const createSecretV2 = async (dto: {
-  workspaceId: string;
-  environmentSlug: string;
-  secretPath: string;
-  key: string;
-  value: string;
-  comment?: string;
-  authToken: string;
-  type?: SecretType;
-}) => {
-  const createSecretReqBody = {
-    workspaceId: dto.workspaceId,
-    environment: dto.environmentSlug,
-    type: dto.type || SecretType.Shared,
-    secretPath: dto.secretPath,
-    secretKey: dto.key,
-    secretValue: dto.value,
-    secretComment: dto.comment
-  };
-  const createSecRes = await testServer.inject({
-    method: "POST",
-    url: `/api/v3/secrets/raw/${dto.key}`,
-    headers: {
-      authorization: `Bearer ${dto.authToken}`
-    },
-    body: createSecretReqBody
-  });
-  expect(createSecRes.statusCode).toBe(200);
-  const createdSecretPayload = JSON.parse(createSecRes.payload);
-  expect(createdSecretPayload).toHaveProperty("secret");
-  return createdSecretPayload.secret as TRawSecret;
-};
-
-export const deleteSecretV2 = async (dto: {
-  workspaceId: string;
-  environmentSlug: string;
-  secretPath: string;
-  key: string;
-  authToken: string;
-}) => {
-  const deleteSecRes = await testServer.inject({
-    method: "DELETE",
-    url: `/api/v3/secrets/raw/${dto.key}`,
-    headers: {
-      authorization: `Bearer ${dto.authToken}`
-    },
-    body: {
-      workspaceId: dto.workspaceId,
-      environment: dto.environmentSlug,
-      secretPath: dto.secretPath
-    }
-  });
-  expect(deleteSecRes.statusCode).toBe(200);
-  const updatedSecretPayload = JSON.parse(deleteSecRes.payload);
-  expect(updatedSecretPayload).toHaveProperty("secret");
-  return updatedSecretPayload.secret as TRawSecret;
-};
-
-export const getSecretByNameV2 = async (dto: {
-  workspaceId: string;
-  environmentSlug: string;
-  secretPath: string;
-  key: string;
-  authToken: string;
-}) => {
-  const response = await testServer.inject({
-    method: "GET",
-    url: `/api/v3/secrets/raw/${dto.key}`,
-    headers: {
-      authorization: `Bearer ${dto.authToken}`
-    },
-    query: {
-      workspaceId: dto.workspaceId,
-      environment: dto.environmentSlug,
-      secretPath: dto.secretPath,
-      expandSecretReferences: "true",
-      include_imports: "true"
-    }
-  });
-  expect(response.statusCode).toBe(200);
-  const payload = JSON.parse(response.payload);
-  expect(payload).toHaveProperty("secret");
-  return payload.secret as TRawSecret;
-};
-
-export const getSecretsV2 = async (dto: {
-  workspaceId: string;
-  environmentSlug: string;
-  secretPath: string;
-  authToken: string;
-}) => {
-  const getSecretsResponse = await testServer.inject({
-    method: "GET",
-    url: `/api/v3/secrets/raw`,
-    headers: {
-      authorization: `Bearer ${dto.authToken}`
-    },
-    query: {
-      workspaceId: dto.workspaceId,
-      environment: dto.environmentSlug,
-      secretPath: dto.secretPath,
-      expandSecretReferences: "true",
-      include_imports: "true"
-    }
-  });
-  expect(getSecretsResponse.statusCode).toBe(200);
-  const getSecretsPayload = JSON.parse(getSecretsResponse.payload);
-  expect(getSecretsPayload).toHaveProperty("secrets");
-  expect(getSecretsPayload).toHaveProperty("imports");
-  return getSecretsPayload as {
-    secrets: TRawSecret[];
-    imports: {
-      secretPath: string;
-      environment: string;
-      folderId: string;
-      secrets: TRawSecret[];
-    }[];
-  };
-};
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@ -11,11 +11,10 @@ import { initLogger } from "@app/lib/logger";
 import { main } from "@app/server/app";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";

+import { mockQueue } from "./mocks/queue";
 import { mockSmtpServer } from "./mocks/smtp";
+import { mockKeyStore } from "./mocks/keystore";
 import { initDbConnection } from "@app/db";
-import { queueServiceFactory } from "@app/queue";
-import { keyStoreFactory } from "@app/keystore/keystore";
-import { Redis } from "ioredis";

 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@ -29,31 +28,19 @@ export default {
      dbRootCert: cfg.DB_ROOT_CERT
    });

-    const redis = new Redis(cfg.REDIS_URL);
-    await redis.flushdb("SYNC");
-
    try {
-      await db.migrate.rollback(
-        {
-          directory: path.join(__dirname, "../src/db/migrations"),
-          extension: "ts",
-          tableName: "infisical_migrations"
-        },
-        true
-      );
      await db.migrate.latest({
        directory: path.join(__dirname, "../src/db/migrations"),
        extension: "ts",
        tableName: "infisical_migrations"
      });
-
      await db.seed.run({
        directory: path.join(__dirname, "../src/db/seeds"),
        extension: "ts"
      });
      const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(cfg.REDIS_URL);
-      const keyStore = keyStoreFactory(cfg.REDIS_URL);
+      const queue = mockQueue();
+      const keyStore = mockKeyStore();
      const server = await main({ db, smtp, logger, queue, keyStore });
      // @ts-expect-error type
      globalThis.testServer = server;
@ -71,12 +58,10 @@ export default {
        { expiresIn: cfg.JWT_AUTH_LIFETIME }
      );
    } catch (error) {
-      // eslint-disable-next-line
      console.log("[TEST] Error setting up environment", error);
      await db.destroy();
      throw error;
    }
-
    // custom setup
    return {
      async teardown() {
@ -95,9 +80,6 @@ export default {
          },
          true
        );
-
-        await redis.flushdb("ASYNC");
-        redis.disconnect();
        await db.destroy();
      }
    };
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -34,14 +34,14 @@
    "test": "echo \"Error: no test specified\" && exit 1",
    "dev": "tsx watch --clear-screen=false ./src/main.ts  | pino-pretty --colorize --colorizeObjects --singleLine",
    "dev:docker": "nodemon",
-    "build": "tsup --sourcemap",
+    "build": "tsup",
    "build:frontend": "npm run build --prefix ../frontend",
-    "start": "node --enable-source-maps dist/main.mjs",
+    "start": "node dist/main.mjs",
    "type:check": "tsc --noEmit",
    "lint:fix": "eslint --fix --ext js,ts ./src",
    "lint": "eslint 'src/**/*.ts'",
    "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
-    "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
+    "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=<value>",
    "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
    "generate:component": "tsx ./scripts/create-backend-file.ts",
    "generate:schema": "tsx ./scripts/generate-schema-types.ts",
@ -50,7 +50,6 @@
    "migration:down": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
    "migration:list": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
    "migration:latest": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
-    "migration:status": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
    "migration:rollback": "knex --knexfile ./src/db/knexfile.ts migrate:rollback",
    "seed:new": "tsx ./scripts/create-seed-file.ts",
    "seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
@ -79,8 +78,6 @@
    "@types/picomatch": "^2.3.3",
    "@types/prompt-sync": "^4.2.3",
    "@types/resolve": "^1.20.6",
-    "@types/safe-regex": "^1.1.6",
-    "@types/sjcl": "^1.0.34",
    "@types/uuid": "^9.0.7",
    "@typescript-eslint/eslint-plugin": "^6.20.0",
    "@typescript-eslint/parser": "^6.20.0",
@ -104,16 +101,15 @@
    "tsup": "^8.0.1",
    "tsx": "^4.4.0",
    "typescript": "^5.3.2",
+    "vite-tsconfig-paths": "^4.2.2",
    "vitest": "^1.2.2"
  },
  "dependencies": {
-    "@aws-sdk/client-elasticache": "^3.637.0",
    "@aws-sdk/client-iam": "^3.525.0",
    "@aws-sdk/client-kms": "^3.609.0",
    "@aws-sdk/client-secrets-manager": "^3.504.0",
    "@aws-sdk/client-sts": "^3.600.0",
    "@casl/ability": "^6.5.0",
-    "@elastic/elasticsearch": "^8.15.0",
    "@fastify/cookie": "^9.3.1",
    "@fastify/cors": "^8.5.0",
    "@fastify/etag": "^5.1.0",
@ -125,15 +121,12 @@
    "@fastify/swagger": "^8.14.0",
    "@fastify/swagger-ui": "^2.1.0",
    "@node-saml/passport-saml": "^4.0.4",
-    "@octokit/plugin-retry": "^5.0.5",
    "@octokit/rest": "^20.0.2",
    "@octokit/webhooks-types": "^7.3.1",
    "@peculiar/asn1-schema": "^2.3.8",
-    "@peculiar/x509": "^1.12.1",
+    "@peculiar/x509": "^1.10.0",
    "@serdnam/pino-cloudwatch-transport": "^1.0.4",
    "@sindresorhus/slugify": "1.1.0",
-    "@slack/oauth": "^3.0.1",
-    "@slack/web-api": "^7.3.4",
    "@team-plain/typescript-sdk": "^4.6.1",
    "@ucast/mongo2js": "^1.3.4",
    "ajv": "^8.12.0",
@ -161,7 +154,6 @@
    "ldapjs": "^3.0.7",
    "libsodium-wrappers": "^0.7.13",
    "lodash.isequal": "^4.5.0",
-    "mongodb": "^6.8.1",
    "ms": "^2.1.3",
    "mysql2": "^3.9.8",
    "nanoid": "^3.3.4",
@ -177,13 +169,8 @@
    "pg-query-stream": "^4.5.3",
    "picomatch": "^3.0.1",
    "pino": "^8.16.2",
-    "pkijs": "^3.2.4",
    "posthog-node": "^3.6.2",
-    "probot": "^13.3.8",
-    "safe-regex": "^2.1.1",
-    "scim-patch": "^0.8.3",
-    "scim2-parse-filter": "^0.2.10",
-    "sjcl": "^1.0.8",
+    "probot": "^13.0.0",
    "smee-client": "^2.0.0",
    "tedious": "^18.2.1",
    "tweetnacl": "^1.0.3",
--- a/backend/scripts/create-backend-file.ts
+++ b/backend/scripts/create-backend-file.ts
@ -7,33 +7,14 @@ const prompt = promptSync({
  sigint: true
 });

-type ComponentType = 1 | 2 | 3;
-
 console.log(`
 Component List
 --------------
-0. Exit
 1. Service component
 2. DAL component
 3. Router component
 `);
-
-function getComponentType(): ComponentType {
-  while (true) {
-    const input = prompt("Select a component (0-3): ");
-    const componentType = parseInt(input, 10);
-
-    if (componentType === 0) {
-      console.log("Exiting the program. Goodbye!");
-      process.exit(0);
-    } else if (componentType === 1 || componentType === 2 || componentType === 3) {
-      return componentType;
-    } else {
-      console.log("Invalid input. Please enter 0, 1, 2, or 3.");
-    }
-  }
-}
-const componentType = getComponentType();
+const componentType = parseInt(prompt("Select a component: "), 10);

 if (componentType === 1) {
  const componentName = prompt("Enter service name: ");
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -7,7 +7,6 @@ import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-se
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
 import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-service";
 import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-service";
-import { TCertificateEstServiceFactory } from "@app/ee/services/certificate-est/certificate-est-service";
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
@ -19,7 +18,6 @@ import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-ser
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
-import { RateLimitConfiguration } from "@app/ee/services/rate-limit/rate-limit-types";
 import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
 import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@ -37,8 +35,6 @@ import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
-import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
-import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
@ -54,9 +50,6 @@ import { TIntegrationServiceFactory } from "@app/services/integration/integratio
 import { TIntegrationAuthServiceFactory } from "@app/services/integration-auth/integration-auth-service";
 import { TOrgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { TOrgServiceFactory } from "@app/services/org/org-service";
-import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
-import { TPkiAlertServiceFactory } from "@app/services/pki-alert/pki-alert-service";
-import { TPkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@ -71,14 +64,12 @@ import { TSecretReplicationServiceFactory } from "@app/services/secret-replicati
 import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
-import { TSlackServiceFactory } from "@app/services/slack/slack-service";
 import { TSuperAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
 import { TTelemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TUserServiceFactory } from "@app/services/user/user-service";
 import { TUserEngagementServiceFactory } from "@app/services/user-engagement/user-engagement-service";
 import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";
-import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integration/workflow-integration-service";

 declare module "fastify" {
  interface FastifyRequest {
@ -97,7 +88,6 @@ declare module "fastify" {
      id: string;
      orgId: string;
    };
-    rateLimits: RateLimitConfiguration;
    // passport data
    passportUser: {
      isUserCompleted: string;
@ -123,7 +113,6 @@ declare module "fastify" {
      group: TGroupServiceFactory;
      groupProject: TGroupProjectServiceFactory;
      apiKey: TApiKeyServiceFactory;
-      pkiAlert: TPkiAlertServiceFactory;
      project: TProjectServiceFactory;
      projectMembership: TProjectMembershipServiceFactory;
      projectEnv: TProjectEnvServiceFactory;
@ -161,11 +150,8 @@ declare module "fastify" {
      auditLog: TAuditLogServiceFactory;
      auditLogStream: TAuditLogStreamServiceFactory;
      certificate: TCertificateServiceFactory;
-      certificateTemplate: TCertificateTemplateServiceFactory;
      certificateAuthority: TCertificateAuthorityServiceFactory;
      certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
-      certificateEst: TCertificateEstServiceFactory;
-      pkiCollection: TPkiCollectionServiceFactory;
      secretScanning: TSecretScanningServiceFactory;
      license: TLicenseServiceFactory;
      trustedIp: TTrustedIpServiceFactory;
@ -179,10 +165,6 @@ declare module "fastify" {
      rateLimit: TRateLimitServiceFactory;
      userEngagement: TUserEngagementServiceFactory;
      externalKms: TExternalKmsServiceFactory;
-      orgAdmin: TOrgAdminServiceFactory;
-      slack: TSlackServiceFactory;
-      workflowIntegration: TWorkflowIntegrationServiceFactory;
-      migration: TExternalMigrationServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -53,12 +53,6 @@ import {
  TCertificateSecretsUpdate,
  TCertificatesInsert,
  TCertificatesUpdate,
-  TCertificateTemplateEstConfigs,
-  TCertificateTemplateEstConfigsInsert,
-  TCertificateTemplateEstConfigsUpdate,
-  TCertificateTemplates,
-  TCertificateTemplatesInsert,
-  TCertificateTemplatesUpdate,
  TDynamicSecretLeases,
  TDynamicSecretLeasesInsert,
  TDynamicSecretLeasesUpdate,
@ -101,9 +95,6 @@ import {
  TIdentityKubernetesAuths,
  TIdentityKubernetesAuthsInsert,
  TIdentityKubernetesAuthsUpdate,
-  TIdentityMetadata,
-  TIdentityMetadataInsert,
-  TIdentityMetadataUpdate,
  TIdentityOidcAuths,
  TIdentityOidcAuthsInsert,
  TIdentityOidcAuthsUpdate,
@ -170,15 +161,6 @@ import {
  TOrgRoles,
  TOrgRolesInsert,
  TOrgRolesUpdate,
-  TPkiAlerts,
-  TPkiAlertsInsert,
-  TPkiAlertsUpdate,
-  TPkiCollectionItems,
-  TPkiCollectionItemsInsert,
-  TPkiCollectionItemsUpdate,
-  TPkiCollections,
-  TPkiCollectionsInsert,
-  TPkiCollectionsUpdate,
  TProjectBots,
  TProjectBotsInsert,
  TProjectBotsUpdate,
@ -196,9 +178,6 @@ import {
  TProjectRolesUpdate,
  TProjects,
  TProjectsInsert,
-  TProjectSlackConfigs,
-  TProjectSlackConfigsInsert,
-  TProjectSlackConfigsUpdate,
  TProjectsUpdate,
  TProjectUserAdditionalPrivilege,
  TProjectUserAdditionalPrivilegeInsert,
@ -305,9 +284,6 @@ import {
  TServiceTokens,
  TServiceTokensInsert,
  TServiceTokensUpdate,
-  TSlackIntegrations,
-  TSlackIntegrationsInsert,
-  TSlackIntegrationsUpdate,
  TSuperAdmin,
  TSuperAdminInsert,
  TSuperAdminUpdate,
@ -331,10 +307,7 @@ import {
  TUsersUpdate,
  TWebhooks,
  TWebhooksInsert,
-  TWebhooksUpdate,
-  TWorkflowIntegrations,
-  TWorkflowIntegrationsInsert,
-  TWorkflowIntegrationsUpdate
+  TWebhooksUpdate
 } from "@app/db/schemas";
 import {
  TSecretV2TagJunction,
@ -382,16 +355,6 @@ declare module "knex/types/tables" {
      TCertificateAuthorityCrlUpdate
    >;
    [TableName.Certificate]: KnexOriginal.CompositeTableType<TCertificates, TCertificatesInsert, TCertificatesUpdate>;
-    [TableName.CertificateTemplate]: KnexOriginal.CompositeTableType<
-      TCertificateTemplates,
-      TCertificateTemplatesInsert,
-      TCertificateTemplatesUpdate
-    >;
-    [TableName.CertificateTemplateEstConfig]: KnexOriginal.CompositeTableType<
-      TCertificateTemplateEstConfigs,
-      TCertificateTemplateEstConfigsInsert,
-      TCertificateTemplateEstConfigsUpdate
-    >;
    [TableName.CertificateBody]: KnexOriginal.CompositeTableType<
      TCertificateBodies,
      TCertificateBodiesInsert,
@ -402,17 +365,6 @@ declare module "knex/types/tables" {
      TCertificateSecretsInsert,
      TCertificateSecretsUpdate
    >;
-    [TableName.PkiAlert]: KnexOriginal.CompositeTableType<TPkiAlerts, TPkiAlertsInsert, TPkiAlertsUpdate>;
-    [TableName.PkiCollection]: KnexOriginal.CompositeTableType<
-      TPkiCollections,
-      TPkiCollectionsInsert,
-      TPkiCollectionsUpdate
-    >;
-    [TableName.PkiCollectionItem]: KnexOriginal.CompositeTableType<
-      TPkiCollectionItems,
-      TPkiCollectionItemsInsert,
-      TPkiCollectionItemsUpdate
-    >;
    [TableName.UserGroupMembership]: KnexOriginal.CompositeTableType<
      TUserGroupMembership,
      TUserGroupMembershipInsert,
@ -549,11 +501,6 @@ declare module "knex/types/tables" {
      TIdentityUniversalAuthsInsert,
      TIdentityUniversalAuthsUpdate
    >;
-    [TableName.IdentityMetadata]: KnexOriginal.CompositeTableType<
-      TIdentityMetadata,
-      TIdentityMetadataInsert,
-      TIdentityMetadataUpdate
-    >;
    [TableName.IdentityKubernetesAuth]: KnexOriginal.CompositeTableType<
      TIdentityKubernetesAuths,
      TIdentityKubernetesAuthsInsert,
@ -793,20 +740,5 @@ declare module "knex/types/tables" {
      TKmsKeyVersionsInsert,
      TKmsKeyVersionsUpdate
    >;
-    [TableName.SlackIntegrations]: KnexOriginal.CompositeTableType<
-      TSlackIntegrations,
-      TSlackIntegrationsInsert,
-      TSlackIntegrationsUpdate
-    >;
-    [TableName.ProjectSlackConfigs]: KnexOriginal.CompositeTableType<
-      TProjectSlackConfigs,
-      TProjectSlackConfigsInsert,
-      TProjectSlackConfigsUpdate
-    >;
-    [TableName.WorkflowIntegrations]: KnexOriginal.CompositeTableType<
-      TWorkflowIntegrations,
-      TWorkflowIntegrationsInsert,
-      TWorkflowIntegrationsUpdate
-    >;
  }
 }
--- a/backend/src/db/migrations/20240702131735_secret-approval-groups.ts
+++ b/backend/src/db/migrations/20240702131735_secret-approval-groups.ts
@ -115,14 +115,7 @@ export async function down(knex: Knex): Promise<void> {
        // eslint-disable-next-line
        // @ts-ignore because generate schema happens after this
        approverId: knex(TableName.ProjectMembership)
-          .join(
-            TableName.SecretApprovalPolicy,
-            `${TableName.SecretApprovalPolicy}.id`,
-            `${TableName.SecretApprovalPolicyApprover}.policyId`
-          )
-          .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretApprovalPolicy}.envId`)
-          .select(knex.ref("id").withSchema(TableName.ProjectMembership))
-          .where(`${TableName.ProjectMembership}.projectId`, knex.raw("??", [`${TableName.Environment}.projectId`]))
+          .select("id")
          .where("userId", knex.raw("??", [`${TableName.SecretApprovalPolicyApprover}.approverUserId`]))
      });
      await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (tb) => {
@ -154,27 +147,13 @@ export async function down(knex: Knex): Promise<void> {
      // eslint-disable-next-line
      // @ts-ignore because generate schema happens after this
      committerId: knex(TableName.ProjectMembership)
-        .join(
-          TableName.SecretApprovalPolicy,
-          `${TableName.SecretApprovalPolicy}.id`,
-          `${TableName.SecretApprovalRequest}.policyId`
-        )
-        .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretApprovalPolicy}.envId`)
-        .where(`${TableName.ProjectMembership}.projectId`, knex.raw("??", [`${TableName.Environment}.projectId`]))
-        .where("userId", knex.raw("??", [`${TableName.SecretApprovalRequest}.committerUserId`]))
-        .select(knex.ref("id").withSchema(TableName.ProjectMembership)),
+        .select("id")
+        .where("userId", knex.raw("??", [`${TableName.SecretApprovalRequest}.committerUserId`])),
      // eslint-disable-next-line
      // @ts-ignore because generate schema happens after this
      statusChangeBy: knex(TableName.ProjectMembership)
-        .join(
-          TableName.SecretApprovalPolicy,
-          `${TableName.SecretApprovalPolicy}.id`,
-          `${TableName.SecretApprovalRequest}.policyId`
-        )
-        .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretApprovalPolicy}.envId`)
-        .where(`${TableName.ProjectMembership}.projectId`, knex.raw("??", [`${TableName.Environment}.projectId`]))
+        .select("id")
        .where("userId", knex.raw("??", [`${TableName.SecretApprovalRequest}.statusChangedByUserId`]))
-        .select(knex.ref("id").withSchema(TableName.ProjectMembership))
    });

    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
@ -198,20 +177,8 @@ export async function down(knex: Knex): Promise<void> {
      // eslint-disable-next-line
      // @ts-ignore because generate schema happens after this
      member: knex(TableName.ProjectMembership)
-        .join(
-          TableName.SecretApprovalRequest,
-          `${TableName.SecretApprovalRequest}.id`,
-          `${TableName.SecretApprovalRequestReviewer}.requestId`
-        )
-        .join(
-          TableName.SecretApprovalPolicy,
-          `${TableName.SecretApprovalPolicy}.id`,
-          `${TableName.SecretApprovalRequest}.policyId`
-        )
-        .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretApprovalPolicy}.envId`)
-        .where(`${TableName.ProjectMembership}.projectId`, knex.raw("??", [`${TableName.Environment}.projectId`]))
+        .select("id")
        .where("userId", knex.raw("??", [`${TableName.SecretApprovalRequestReviewer}.reviewerUserId`]))
-        .select(knex.ref("id").withSchema(TableName.ProjectMembership))
    });
    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (tb) => {
      tb.uuid("member").notNullable().alter();
--- a/backend/src/db/migrations/20240716063111_add-org-kms-data-key.ts
+++ b/backend/src/db/migrations/20240716063111_add-org-kms-data-key.ts
--- a/backend/src/db/migrations/20240716105646_secret-v2.ts
+++ b/backend/src/db/migrations/20240716105646_secret-v2.ts
@ -1,4 +1,3 @@
-/* eslint-disable @typescript-eslint/ban-ts-comment */
 import { Knex } from "knex";

 import { SecretType, TableName } from "../schemas";
@ -23,7 +22,6 @@ export async function up(knex: Knex): Promise<void> {
      t.uuid("folderId").notNullable();
      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
      t.timestamps(true, true, true);
-      t.index(["folderId", "userId"]);
    });
  }
  await createOnUpdateTrigger(knex, TableName.SecretV2);
@ -107,12 +105,12 @@ export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.SnapshotSecretV2))) {
    await knex.schema.createTable(TableName.SnapshotSecretV2, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("envId").index().notNullable();
+      t.uuid("envId").notNullable();
      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
      // not a relation kept like that to keep it when rolled back
-      t.uuid("secretVersionId").index().notNullable();
+      t.uuid("secretVersionId").notNullable();
      t.foreign("secretVersionId").references("id").inTable(TableName.SecretVersionV2).onDelete("CASCADE");
-      t.uuid("snapshotId").index().notNullable();
+      t.uuid("snapshotId").notNullable();
      t.foreign("snapshotId").references("id").inTable(TableName.Snapshot).onDelete("CASCADE");
      t.timestamps(true, true, true);
    });
--- a/backend/src/db/migrations/20240717114407_add-project-data-key.ts
+++ b/backend/src/db/migrations/20240717114407_add-project-data-key.ts
--- a/backend/src/db/migrations/20240717184929_add-enforcement-level-secrets-policies.ts
+++ b/backend/src/db/migrations/20240717184929_add-enforcement-level-secrets-policies.ts
@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { EnforcementLevel } from "@app/lib/types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "enforcementLevel");
-  if (!hasColumn) {
-    await knex.schema.table(TableName.SecretApprovalPolicy, (table) => {
-      table.string("enforcementLevel", 10).notNullable().defaultTo(EnforcementLevel.Hard);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "enforcementLevel");
-  if (hasColumn) {
-    await knex.schema.table(TableName.SecretApprovalPolicy, (table) => {
-      table.dropColumn("enforcementLevel");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240717194958_add-enforcement-level-access-policies.ts
+++ b/backend/src/db/migrations/20240717194958_add-enforcement-level-access-policies.ts
@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { EnforcementLevel } from "@app/lib/types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "enforcementLevel");
-  if (!hasColumn) {
-    await knex.schema.table(TableName.AccessApprovalPolicy, (table) => {
-      table.string("enforcementLevel", 10).notNullable().defaultTo(EnforcementLevel.Hard);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "enforcementLevel");
-  if (hasColumn) {
-    await knex.schema.table(TableName.AccessApprovalPolicy, (table) => {
-      table.dropColumn("enforcementLevel");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240718170955_add-access-secret-sharing.ts
+++ b/backend/src/db/migrations/20240718170955_add-access-secret-sharing.ts
@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { SecretSharingAccessType } from "@app/lib/types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SecretSharing, "accessType");
-  if (!hasColumn) {
-    await knex.schema.table(TableName.SecretSharing, (table) => {
-      table.string("accessType").notNullable().defaultTo(SecretSharingAccessType.Anyone);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SecretSharing, "accessType");
-  if (hasColumn) {
-    await knex.schema.table(TableName.SecretSharing, (table) => {
-      table.dropColumn("accessType");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240719182539_add-bypass-reason-secret-approval-requets.ts
+++ b/backend/src/db/migrations/20240719182539_add-bypass-reason-secret-approval-requets.ts
@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "bypassReason");
-  if (!hasColumn) {
-    await knex.schema.table(TableName.SecretApprovalRequest, (table) => {
-      table.string("bypassReason").nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "bypassReason");
-  if (hasColumn) {
-    await knex.schema.table(TableName.SecretApprovalRequest, (table) => {
-      table.dropColumn("bypassReason");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240724101056_access-request-groups.ts
+++ b/backend/src/db/migrations/20240724101056_access-request-groups.ts
@ -1,294 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  // ---------- ACCESS APPROVAL POLICY APPROVER ------------
-  const hasApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
-  const hasApproverId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverId");
-
-  if (!hasApproverUserId) {
-    // add the new fields
-    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (tb) => {
-      // if (hasApproverId) tb.setNullable("approverId");
-      tb.uuid("approverUserId");
-      tb.foreign("approverUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-
-    // convert project membership id => user id
-    await knex(TableName.AccessApprovalPolicyApprover).update({
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      approverUserId: knex(TableName.ProjectMembership)
-        .select("userId")
-        .where("id", knex.raw("??", [`${TableName.AccessApprovalPolicyApprover}.approverId`]))
-    });
-    // drop the old field
-    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (tb) => {
-      if (hasApproverId) tb.dropColumn("approverId");
-      tb.uuid("approverUserId").notNullable().alter();
-    });
-  }
-
-  // ---------- ACCESS APPROVAL REQUEST ------------
-  const hasAccessApprovalRequestTable = await knex.schema.hasTable(TableName.AccessApprovalRequest);
-  const hasRequestedByUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
-  const hasRequestedBy = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedBy");
-
-  if (hasAccessApprovalRequestTable) {
-    // new fields
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
-      if (!hasRequestedByUserId) {
-        tb.uuid("requestedByUserId");
-        tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-      }
-    });
-
-    // copy the assigned project membership => user id to new fields
-    await knex(TableName.AccessApprovalRequest).update({
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      requestedByUserId: knex(TableName.ProjectMembership)
-        .select("userId")
-        .where("id", knex.raw("??", [`${TableName.AccessApprovalRequest}.requestedBy`]))
-    });
-    // drop old fields
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
-      if (hasRequestedBy) {
-        // DROP AT A LATER TIME
-        // tb.dropColumn("requestedBy");
-
-        // ADD ALLOW NULLABLE FOR NOW
-        tb.uuid("requestedBy").nullable().alter();
-      }
-      tb.uuid("requestedByUserId").notNullable().alter();
-    });
-  }
-
-  // ---------- ACCESS APPROVAL REQUEST REVIEWER ------------
-  const hasMemberId = await knex.schema.hasColumn(TableName.AccessApprovalRequestReviewer, "member");
-  const hasReviewerUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequestReviewer, "reviewerUserId");
-  if (!hasReviewerUserId) {
-    // new fields
-    await knex.schema.alterTable(TableName.AccessApprovalRequestReviewer, (tb) => {
-      // if (hasMemberId) tb.setNullable("member");
-      tb.uuid("reviewerUserId");
-      tb.foreign("reviewerUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-    });
-    // copy project membership => user id to new fields
-    await knex(TableName.AccessApprovalRequestReviewer).update({
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      reviewerUserId: knex(TableName.ProjectMembership)
-        .select("userId")
-        .where("id", knex.raw("??", [`${TableName.AccessApprovalRequestReviewer}.member`]))
-    });
-    // drop table
-    await knex.schema.alterTable(TableName.AccessApprovalRequestReviewer, (tb) => {
-      if (hasMemberId) {
-        // DROP AT A LATER TIME
-        // tb.dropColumn("member");
-
-        // ADD ALLOW NULLABLE FOR NOW
-        tb.uuid("member").nullable().alter();
-      }
-      tb.uuid("reviewerUserId").notNullable().alter();
-    });
-  }
-
-  // ---------- PROJECT USER ADDITIONAL PRIVILEGE ------------
-  const projectUserAdditionalPrivilegeHasProjectMembershipId = await knex.schema.hasColumn(
-    TableName.ProjectUserAdditionalPrivilege,
-    "projectMembershipId"
-  );
-
-  const projectUserAdditionalPrivilegeHasUserId = await knex.schema.hasColumn(
-    TableName.ProjectUserAdditionalPrivilege,
-    "userId"
-  );
-
-  if (!projectUserAdditionalPrivilegeHasUserId) {
-    await knex.schema.alterTable(TableName.ProjectUserAdditionalPrivilege, (tb) => {
-      tb.uuid("userId");
-      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-
-      tb.string("projectId");
-      tb.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-    });
-
-    await knex(TableName.ProjectUserAdditionalPrivilege)
-      .update({
-        // eslint-disable-next-line
-        // @ts-ignore because generate schema happens after this
-        userId: knex(TableName.ProjectMembership)
-          .select("userId")
-          .where("id", knex.raw("??", [`${TableName.ProjectUserAdditionalPrivilege}.projectMembershipId`])),
-
-        // eslint-disable-next-line
-        // @ts-ignore because generate schema happens after this
-        projectId: knex(TableName.ProjectMembership)
-          .select("projectId")
-          .where("id", knex.raw("??", [`${TableName.ProjectUserAdditionalPrivilege}.projectMembershipId`]))
-      })
-      .whereNotNull("projectMembershipId");
-
-    await knex.schema.alterTable(TableName.ProjectUserAdditionalPrivilege, (tb) => {
-      tb.uuid("userId").notNullable().alter();
-      tb.string("projectId").notNullable().alter();
-    });
-  }
-
-  if (projectUserAdditionalPrivilegeHasProjectMembershipId) {
-    await knex.schema.alterTable(TableName.ProjectUserAdditionalPrivilege, (tb) => {
-      // DROP AT A LATER TIME
-      // tb.dropColumn("projectMembershipId");
-
-      // ADD ALLOW NULLABLE FOR NOW
-      tb.uuid("projectMembershipId").nullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // We remove project user additional privileges first, because it may delete records in the database where the project membership is not found.
-  // The project membership won't be found on records created by group members. In those cades we just delete the record and continue.
-  // When the additionl privilege record is deleted, it will cascade delete the access request created by the group member.
-
-  // ---------- PROJECT USER ADDITIONAL PRIVILEGE ------------
-  const hasUserId = await knex.schema.hasColumn(TableName.ProjectUserAdditionalPrivilege, "userId");
-  const hasProjectMembershipId = await knex.schema.hasColumn(
-    TableName.ProjectUserAdditionalPrivilege,
-    "projectMembershipId"
-  );
-
-  // If it doesn't have the userId field, then the up migration has not run
-  if (!hasUserId) {
-    return;
-  }
-
-  await knex.schema.alterTable(TableName.ProjectUserAdditionalPrivilege, (tb) => {
-    if (!hasProjectMembershipId) {
-      tb.uuid("projectMembershipId");
-      tb.foreign("projectMembershipId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-    }
-  });
-
-  if (!hasProjectMembershipId) {
-    // First, update records where a matching project membership exists
-    await knex(TableName.ProjectUserAdditionalPrivilege).update({
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      projectMembershipId: knex(TableName.ProjectMembership)
-        .select("id")
-        .where("userId", knex.raw("??", [`${TableName.ProjectUserAdditionalPrivilege}.userId`]))
-    });
-
-    await knex(TableName.AccessApprovalRequest).update({
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      projectMembershipId: knex(TableName.ProjectMembership)
-        .select("id")
-        .where("userId", knex.raw("??", [`${TableName.SecretApprovalRequest}.userId`]))
-    });
-
-    await knex.schema.alterTable(TableName.ProjectUserAdditionalPrivilege, (tb) => {
-      tb.dropColumn("userId");
-      tb.dropColumn("projectId");
-
-      tb.uuid("projectMembershipId").notNullable().alter();
-    });
-  }
-
-  // Then, delete records where no matching project membership was found
-  await knex(TableName.ProjectUserAdditionalPrivilege).whereNull("projectMembershipId").delete();
-  await knex(TableName.AccessApprovalRequest).whereNull("requestedBy").delete();
-
-  // ---------- ACCESS APPROVAL POLICY APPROVER ------------
-  const hasApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
-  const hasApproverId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverId");
-
-  if (hasApproverUserId) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (tb) => {
-      if (!hasApproverId) {
-        tb.uuid("approverId");
-        tb.foreign("approverId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-      }
-    });
-
-    if (!hasApproverId) {
-      await knex(TableName.AccessApprovalPolicyApprover).update({
-        // eslint-disable-next-line
-        // @ts-ignore because generate schema happens after this
-        approverId: knex(TableName.ProjectMembership)
-          .select("id")
-          .where("userId", knex.raw("??", [`${TableName.AccessApprovalPolicyApprover}.approverUserId`]))
-      });
-      await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (tb) => {
-        tb.dropColumn("approverUserId");
-
-        tb.uuid("approverId").notNullable().alter();
-      });
-    }
-
-    // ---------- ACCESS APPROVAL REQUEST ------------
-    const hasAccessApprovalRequestTable = await knex.schema.hasTable(TableName.AccessApprovalRequest);
-    const hasRequestedByUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
-    const hasRequestedBy = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedBy");
-
-    if (hasAccessApprovalRequestTable) {
-      await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
-        if (!hasRequestedBy) {
-          tb.uuid("requestedBy");
-          tb.foreign("requestedBy").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-        }
-      });
-
-      // Try to find a project membership based on the AccessApprovalRequest.requestedByUserId and AccessApprovalRequest.policyId(reference to AccessApprovalRequestPolicy).envId(reference to Environment).projectId(reference to Project)
-      // If a project membership is found, set the AccessApprovalRequest.requestedBy to the project membership id
-      // If a project membership is not found, remove the AccessApprovalRequest record
-
-      await knex(TableName.AccessApprovalRequest).update({
-        // eslint-disable-next-line
-        // @ts-ignore because generate schema happens after this
-        requestedBy: knex(TableName.ProjectMembership)
-          .select("id")
-          .where("userId", knex.raw("??", [`${TableName.AccessApprovalRequest}.requestedByUserId`]))
-      });
-
-      // Then, delete records where no matching project membership was found
-      await knex(TableName.AccessApprovalRequest).whereNull("requestedBy").delete();
-
-      await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
-        if (hasRequestedByUserId) {
-          tb.dropColumn("requestedByUserId");
-        }
-        if (hasRequestedBy) tb.uuid("requestedBy").notNullable().alter();
-      });
-    }
-
-    // ---------- ACCESS APPROVAL REQUEST REVIEWER ------------
-    const hasMemberId = await knex.schema.hasColumn(TableName.AccessApprovalRequestReviewer, "member");
-    const hasReviewerUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequestReviewer, "reviewerUserId");
-
-    if (hasReviewerUserId) {
-      if (!hasMemberId) {
-        await knex.schema.alterTable(TableName.AccessApprovalRequestReviewer, (tb) => {
-          tb.uuid("member");
-          tb.foreign("member").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-        });
-      }
-      await knex(TableName.AccessApprovalRequestReviewer).update({
-        // eslint-disable-next-line
-        // @ts-ignore because generate schema happens after this
-        member: knex(TableName.ProjectMembership)
-          .select("id")
-          .where("userId", knex.raw("??", [`${TableName.AccessApprovalRequestReviewer}.reviewerUserId`]))
-      });
-      await knex.schema.alterTable(TableName.AccessApprovalRequestReviewer, (tb) => {
-        tb.dropColumn("reviewerUserId");
-
-        tb.uuid("member").notNullable().alter();
-      });
-    }
-  }
-}
--- a/backend/src/db/migrations/20240728010334_secret-sharing-name.ts
+++ b/backend/src/db/migrations/20240728010334_secret-sharing-name.ts
@ -1,39 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const doesNameExist = await knex.schema.hasColumn(TableName.SecretSharing, "name");
-    if (!doesNameExist) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.string("name").nullable();
-      });
-    }
-
-    const doesLastViewedAtExist = await knex.schema.hasColumn(TableName.SecretSharing, "lastViewedAt");
-    if (!doesLastViewedAtExist) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.timestamp("lastViewedAt").nullable();
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const doesNameExist = await knex.schema.hasColumn(TableName.SecretSharing, "name");
-    if (doesNameExist) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.dropColumn("name");
-      });
-    }
-
-    const doesLastViewedAtExist = await knex.schema.hasColumn(TableName.SecretSharing, "lastViewedAt");
-    if (doesLastViewedAtExist) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.dropColumn("lastViewedAt");
-      });
-    }
-  }
-}
--- a/backend/src/db/migrations/20240802181855_ca-cert-version.ts
+++ b/backend/src/db/migrations/20240802181855_ca-cert-version.ts
@ -1,117 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.CertificateAuthority)) {
-    const hasActiveCaCertIdColumn = await knex.schema.hasColumn(TableName.CertificateAuthority, "activeCaCertId");
-    if (!hasActiveCaCertIdColumn) {
-      await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-        t.uuid("activeCaCertId").nullable();
-        t.foreign("activeCaCertId").references("id").inTable(TableName.CertificateAuthorityCert);
-      });
-
-      await knex.raw(`
-        UPDATE "${TableName.CertificateAuthority}" ca
-        SET "activeCaCertId" = cac.id
-        FROM "${TableName.CertificateAuthorityCert}" cac
-        WHERE ca.id = cac."caId"
-      `);
-    }
-  }
-
-  if (await knex.schema.hasTable(TableName.CertificateAuthorityCert)) {
-    const hasVersionColumn = await knex.schema.hasColumn(TableName.CertificateAuthorityCert, "version");
-    if (!hasVersionColumn) {
-      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
-        t.integer("version").nullable();
-        t.dropUnique(["caId"]);
-      });
-
-      await knex(TableName.CertificateAuthorityCert).update({ version: 1 }).whereNull("version");
-
-      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
-        t.integer("version").notNullable().alter();
-      });
-    }
-
-    const hasCaSecretIdColumn = await knex.schema.hasColumn(TableName.CertificateAuthorityCert, "caSecretId");
-    if (!hasCaSecretIdColumn) {
-      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
-        t.uuid("caSecretId").nullable();
-        t.foreign("caSecretId").references("id").inTable(TableName.CertificateAuthoritySecret).onDelete("CASCADE");
-      });
-
-      await knex.raw(`
-        UPDATE "${TableName.CertificateAuthorityCert}" cert
-        SET "caSecretId" = (
-          SELECT sec.id
-          FROM "${TableName.CertificateAuthoritySecret}" sec
-          WHERE sec."caId" = cert."caId"
-        )
-      `);
-
-      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
-        t.uuid("caSecretId").notNullable().alter();
-      });
-    }
-  }
-
-  if (await knex.schema.hasTable(TableName.CertificateAuthoritySecret)) {
-    await knex.schema.alterTable(TableName.CertificateAuthoritySecret, (t) => {
-      t.dropUnique(["caId"]);
-    });
-  }
-
-  if (await knex.schema.hasTable(TableName.Certificate)) {
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caCertId").nullable();
-      t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
-    });
-
-    await knex.raw(`
-        UPDATE "${TableName.Certificate}" cert
-        SET "caCertId" = (
-          SELECT caCert.id
-          FROM "${TableName.CertificateAuthorityCert}" caCert
-          WHERE caCert."caId" = cert."caId"
-        )
-      `);
-
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caCertId").notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.CertificateAuthority)) {
-    if (await knex.schema.hasColumn(TableName.CertificateAuthority, "activeCaCertId")) {
-      await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-        t.dropColumn("activeCaCertId");
-      });
-    }
-  }
-
-  if (await knex.schema.hasTable(TableName.CertificateAuthorityCert)) {
-    if (await knex.schema.hasColumn(TableName.CertificateAuthorityCert, "version")) {
-      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
-        t.dropColumn("version");
-      });
-    }
-
-    if (await knex.schema.hasColumn(TableName.CertificateAuthorityCert, "caSecretId")) {
-      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
-        t.dropColumn("caSecretId");
-      });
-    }
-  }
-
-  if (await knex.schema.hasTable(TableName.Certificate)) {
-    if (await knex.schema.hasColumn(TableName.Certificate, "caCertId")) {
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.dropColumn("caCertId");
-      });
-    }
-  }
-}
--- a/backend/src/db/migrations/20240806083221_secret-sharing-password.ts
+++ b/backend/src/db/migrations/20240806083221_secret-sharing-password.ts
@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const doesPasswordExist = await knex.schema.hasColumn(TableName.SecretSharing, "password");
-    if (!doesPasswordExist) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.string("password").nullable();
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const doesPasswordExist = await knex.schema.hasColumn(TableName.SecretSharing, "password");
-    if (doesPasswordExist) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.dropColumn("password");
-      });
-    }
-  }
-}
--- a/backend/src/db/migrations/20240806113425_remove-creation-limit-rate-limit.ts
+++ b/backend/src/db/migrations/20240806113425_remove-creation-limit-rate-limit.ts
@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCreationLimitCol = await knex.schema.hasColumn(TableName.RateLimit, "creationLimit");
-  await knex.schema.alterTable(TableName.RateLimit, (t) => {
-    if (hasCreationLimitCol) {
-      t.dropColumn("creationLimit");
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCreationLimitCol = await knex.schema.hasColumn(TableName.RateLimit, "creationLimit");
-  await knex.schema.alterTable(TableName.RateLimit, (t) => {
-    if (!hasCreationLimitCol) {
-      t.integer("creationLimit").defaultTo(30).notNullable();
-    }
-  });
-}
--- a/backend/src/db/migrations/20240806185442_drop-tag-name.ts
+++ b/backend/src/db/migrations/20240806185442_drop-tag-name.ts
@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasNameField = await knex.schema.hasColumn(TableName.SecretTag, "name");
-  if (hasNameField) {
-    await knex.schema.alterTable(TableName.SecretTag, (t) => {
-      t.dropColumn("name");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasNameField = await knex.schema.hasColumn(TableName.SecretTag, "name");
-  if (!hasNameField) {
-    await knex.schema.alterTable(TableName.SecretTag, (t) => {
-      t.string("name");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240818024923_cert-alerting.ts
+++ b/backend/src/db/migrations/20240818024923_cert-alerting.ts
@ -1,62 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.PkiCollection))) {
-    await knex.schema.createTable(TableName.PkiCollection, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.string("name").notNullable();
-      t.string("description").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.PkiCollection);
-
-  if (!(await knex.schema.hasTable(TableName.PkiCollectionItem))) {
-    await knex.schema.createTable(TableName.PkiCollectionItem, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("pkiCollectionId").notNullable();
-      t.foreign("pkiCollectionId").references("id").inTable(TableName.PkiCollection).onDelete("CASCADE");
-      t.uuid("caId").nullable();
-      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
-      t.uuid("certId").nullable();
-      t.foreign("certId").references("id").inTable(TableName.Certificate).onDelete("CASCADE");
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.PkiCollectionItem);
-
-  if (!(await knex.schema.hasTable(TableName.PkiAlert))) {
-    await knex.schema.createTable(TableName.PkiAlert, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("pkiCollectionId").notNullable();
-      t.foreign("pkiCollectionId").references("id").inTable(TableName.PkiCollection).onDelete("CASCADE");
-      t.string("name").notNullable();
-      t.integer("alertBeforeDays").notNullable();
-      t.string("recipientEmails").notNullable();
-      t.unique(["name", "projectId"]);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.PkiAlert);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.PkiAlert);
-  await dropOnUpdateTrigger(knex, TableName.PkiAlert);
-
-  await knex.schema.dropTableIfExists(TableName.PkiCollectionItem);
-  await dropOnUpdateTrigger(knex, TableName.PkiCollectionItem);
-
-  await knex.schema.dropTableIfExists(TableName.PkiCollection);
-  await dropOnUpdateTrigger(knex, TableName.PkiCollection);
-}
--- a/backend/src/db/migrations/20240818184238_add-certificate-template.ts
+++ b/backend/src/db/migrations/20240818184238_add-certificate-template.ts
@ -1,55 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCertificateTemplateTable = await knex.schema.hasTable(TableName.CertificateTemplate);
-  if (!hasCertificateTemplateTable) {
-    await knex.schema.createTable(TableName.CertificateTemplate, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.uuid("caId").notNullable();
-      tb.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
-      tb.uuid("pkiCollectionId");
-      tb.foreign("pkiCollectionId").references("id").inTable(TableName.PkiCollection).onDelete("SET NULL");
-      tb.string("name").notNullable();
-      tb.string("commonName").notNullable();
-      tb.string("subjectAlternativeName").notNullable();
-      tb.string("ttl").notNullable();
-      tb.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.CertificateTemplate);
-  }
-
-  const doesCertificateTableHaveTemplateId = await knex.schema.hasColumn(
-    TableName.Certificate,
-    "certificateTemplateId"
-  );
-
-  if (!doesCertificateTableHaveTemplateId) {
-    await knex.schema.alterTable(TableName.Certificate, (tb) => {
-      tb.uuid("certificateTemplateId");
-      tb.foreign("certificateTemplateId").references("id").inTable(TableName.CertificateTemplate).onDelete("SET NULL");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesCertificateTableHaveTemplateId = await knex.schema.hasColumn(
-    TableName.Certificate,
-    "certificateTemplateId"
-  );
-
-  if (doesCertificateTableHaveTemplateId) {
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.dropColumn("certificateTemplateId");
-    });
-  }
-
-  const hasCertificateTemplateTable = await knex.schema.hasTable(TableName.CertificateTemplate);
-  if (hasCertificateTemplateTable) {
-    await knex.schema.dropTable(TableName.CertificateTemplate);
-    await dropOnUpdateTrigger(knex, TableName.CertificateTemplate);
-  }
-}
--- a/backend/src/db/migrations/20240819092916_certificate-template-est-configuration.ts
+++ b/backend/src/db/migrations/20240819092916_certificate-template-est-configuration.ts
@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasEstConfigTable = await knex.schema.hasTable(TableName.CertificateTemplateEstConfig);
-  if (!hasEstConfigTable) {
-    await knex.schema.createTable(TableName.CertificateTemplateEstConfig, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.uuid("certificateTemplateId").notNullable().unique();
-      tb.foreign("certificateTemplateId").references("id").inTable(TableName.CertificateTemplate).onDelete("CASCADE");
-      tb.binary("encryptedCaChain").notNullable();
-      tb.string("hashedPassphrase").notNullable();
-      tb.boolean("isEnabled").notNullable();
-      tb.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.CertificateTemplateEstConfig);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.CertificateTemplateEstConfig);
-  await dropOnUpdateTrigger(knex, TableName.CertificateTemplateEstConfig);
-}
--- a/backend/src/db/migrations/20240821212643_crl-ca-secret-binding.ts
+++ b/backend/src/db/migrations/20240821212643_crl-ca-secret-binding.ts
@ -1,36 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.CertificateAuthorityCrl)) {
-    const hasCaSecretIdColumn = await knex.schema.hasColumn(TableName.CertificateAuthorityCrl, "caSecretId");
-    if (!hasCaSecretIdColumn) {
-      await knex.schema.alterTable(TableName.CertificateAuthorityCrl, (t) => {
-        t.uuid("caSecretId").nullable();
-        t.foreign("caSecretId").references("id").inTable(TableName.CertificateAuthoritySecret).onDelete("CASCADE");
-      });
-
-      await knex.raw(`
-        UPDATE "${TableName.CertificateAuthorityCrl}" crl
-        SET "caSecretId" = (
-          SELECT sec.id
-          FROM "${TableName.CertificateAuthoritySecret}" sec
-          WHERE sec."caId" = crl."caId"
-        )
-      `);
-
-      await knex.schema.alterTable(TableName.CertificateAuthorityCrl, (t) => {
-        t.uuid("caSecretId").notNullable().alter();
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.CertificateAuthorityCrl)) {
-    await knex.schema.alterTable(TableName.CertificateAuthorityCrl, (t) => {
-      t.dropColumn("caSecretId");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240830142938_native-slack-integration.ts
+++ b/backend/src/db/migrations/20240830142938_native-slack-integration.ts
@ -1,96 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.WorkflowIntegrations))) {
-    await knex.schema.createTable(TableName.WorkflowIntegrations, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("integration").notNullable();
-      tb.string("slug").notNullable();
-      tb.uuid("orgId").notNullable();
-      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      tb.string("description");
-      tb.unique(["orgId", "slug"]);
-      tb.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.WorkflowIntegrations);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SlackIntegrations))) {
-    await knex.schema.createTable(TableName.SlackIntegrations, (tb) => {
-      tb.uuid("id", { primaryKey: true }).notNullable();
-      tb.foreign("id").references("id").inTable(TableName.WorkflowIntegrations).onDelete("CASCADE");
-      tb.string("teamId").notNullable();
-      tb.string("teamName").notNullable();
-      tb.string("slackUserId").notNullable();
-      tb.string("slackAppId").notNullable();
-      tb.binary("encryptedBotAccessToken").notNullable();
-      tb.string("slackBotId").notNullable();
-      tb.string("slackBotUserId").notNullable();
-      tb.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SlackIntegrations);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.ProjectSlackConfigs))) {
-    await knex.schema.createTable(TableName.ProjectSlackConfigs, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("projectId").notNullable().unique();
-      tb.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      tb.uuid("slackIntegrationId").notNullable();
-      tb.foreign("slackIntegrationId").references("id").inTable(TableName.SlackIntegrations).onDelete("CASCADE");
-      tb.boolean("isAccessRequestNotificationEnabled").notNullable().defaultTo(false);
-      tb.string("accessRequestChannels").notNullable().defaultTo("");
-      tb.boolean("isSecretRequestNotificationEnabled").notNullable().defaultTo(false);
-      tb.string("secretRequestChannels").notNullable().defaultTo("");
-      tb.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.ProjectSlackConfigs);
-  }
-
-  const doesSuperAdminHaveSlackClientId = await knex.schema.hasColumn(TableName.SuperAdmin, "encryptedSlackClientId");
-  const doesSuperAdminHaveSlackClientSecret = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedSlackClientSecret"
-  );
-
-  await knex.schema.alterTable(TableName.SuperAdmin, (tb) => {
-    if (!doesSuperAdminHaveSlackClientId) {
-      tb.binary("encryptedSlackClientId");
-    }
-    if (!doesSuperAdminHaveSlackClientSecret) {
-      tb.binary("encryptedSlackClientSecret");
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ProjectSlackConfigs);
-  await dropOnUpdateTrigger(knex, TableName.ProjectSlackConfigs);
-
-  await knex.schema.dropTableIfExists(TableName.SlackIntegrations);
-  await dropOnUpdateTrigger(knex, TableName.SlackIntegrations);
-
-  await knex.schema.dropTableIfExists(TableName.WorkflowIntegrations);
-  await dropOnUpdateTrigger(knex, TableName.WorkflowIntegrations);
-
-  const doesSuperAdminHaveSlackClientId = await knex.schema.hasColumn(TableName.SuperAdmin, "encryptedSlackClientId");
-  const doesSuperAdminHaveSlackClientSecret = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedSlackClientSecret"
-  );
-
-  await knex.schema.alterTable(TableName.SuperAdmin, (tb) => {
-    if (doesSuperAdminHaveSlackClientId) {
-      tb.dropColumn("encryptedSlackClientId");
-    }
-    if (doesSuperAdminHaveSlackClientSecret) {
-      tb.dropColumn("encryptedSlackClientSecret");
-    }
-  });
-}
--- a/backend/src/db/migrations/20240909145938_cert-template-enforcement.ts
+++ b/backend/src/db/migrations/20240909145938_cert-template-enforcement.ts
@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.CertificateAuthority)) {
-    const hasRequireTemplateForIssuanceColumn = await knex.schema.hasColumn(
-      TableName.CertificateAuthority,
-      "requireTemplateForIssuance"
-    );
-    if (!hasRequireTemplateForIssuanceColumn) {
-      await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-        t.boolean("requireTemplateForIssuance").notNullable().defaultTo(false);
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.CertificateAuthority)) {
-    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-      t.dropColumn("requireTemplateForIssuance");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240910070128_add-pki-key-usages.ts
+++ b/backend/src/db/migrations/20240910070128_add-pki-key-usages.ts
@ -1,85 +0,0 @@
-import { Knex } from "knex";
-
-import { CertKeyUsage } from "@app/services/certificate/certificate-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  // Certificate template
-  const hasKeyUsagesCol = await knex.schema.hasColumn(TableName.CertificateTemplate, "keyUsages");
-  const hasExtendedKeyUsagesCol = await knex.schema.hasColumn(TableName.CertificateTemplate, "extendedKeyUsages");
-
-  await knex.schema.alterTable(TableName.CertificateTemplate, (tb) => {
-    if (!hasKeyUsagesCol) {
-      tb.specificType("keyUsages", "text[]");
-    }
-
-    if (!hasExtendedKeyUsagesCol) {
-      tb.specificType("extendedKeyUsages", "text[]");
-    }
-  });
-
-  if (!hasKeyUsagesCol) {
-    await knex(TableName.CertificateTemplate).update({
-      keyUsages: [CertKeyUsage.DIGITAL_SIGNATURE, CertKeyUsage.KEY_ENCIPHERMENT]
-    });
-  }
-
-  if (!hasExtendedKeyUsagesCol) {
-    await knex(TableName.CertificateTemplate).update({
-      extendedKeyUsages: []
-    });
-  }
-
-  // Certificate
-  const doesCertTableHaveKeyUsages = await knex.schema.hasColumn(TableName.Certificate, "keyUsages");
-  const doesCertTableHaveExtendedKeyUsages = await knex.schema.hasColumn(TableName.Certificate, "extendedKeyUsages");
-  await knex.schema.alterTable(TableName.Certificate, (tb) => {
-    if (!doesCertTableHaveKeyUsages) {
-      tb.specificType("keyUsages", "text[]");
-    }
-
-    if (!doesCertTableHaveExtendedKeyUsages) {
-      tb.specificType("extendedKeyUsages", "text[]");
-    }
-  });
-
-  if (!doesCertTableHaveKeyUsages) {
-    await knex(TableName.Certificate).update({
-      keyUsages: [CertKeyUsage.DIGITAL_SIGNATURE, CertKeyUsage.KEY_ENCIPHERMENT]
-    });
-  }
-
-  if (!doesCertTableHaveExtendedKeyUsages) {
-    await knex(TableName.Certificate).update({
-      extendedKeyUsages: []
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // Certificate Template
-  const hasKeyUsagesCol = await knex.schema.hasColumn(TableName.CertificateTemplate, "keyUsages");
-  const hasExtendedKeyUsagesCol = await knex.schema.hasColumn(TableName.CertificateTemplate, "extendedKeyUsages");
-
-  await knex.schema.alterTable(TableName.CertificateTemplate, (t) => {
-    if (hasKeyUsagesCol) {
-      t.dropColumn("keyUsages");
-    }
-    if (hasExtendedKeyUsagesCol) {
-      t.dropColumn("extendedKeyUsages");
-    }
-  });
-
-  // Certificate
-  const doesCertTableHaveKeyUsages = await knex.schema.hasColumn(TableName.Certificate, "keyUsages");
-  const doesCertTableHaveExtendedKeyUsages = await knex.schema.hasColumn(TableName.Certificate, "extendedKeyUsages");
-  await knex.schema.alterTable(TableName.Certificate, (t) => {
-    if (doesCertTableHaveKeyUsages) {
-      t.dropColumn("keyUsages");
-    }
-    if (doesCertTableHaveExtendedKeyUsages) {
-      t.dropColumn("extendedKeyUsages");
-    }
-  });
-}
--- a/backend/src/db/migrations/20240918005344_add-group-approvals.ts
+++ b/backend/src/db/migrations/20240918005344_add-group-approvals.ts
@ -1,76 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasAccessApproverGroupId = await knex.schema.hasColumn(
-    TableName.AccessApprovalPolicyApprover,
-    "approverGroupId"
-  );
-  const hasAccessApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
-  const hasSecretApproverGroupId = await knex.schema.hasColumn(
-    TableName.SecretApprovalPolicyApprover,
-    "approverGroupId"
-  );
-  const hasSecretApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
-  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
-      // add column approverGroupId to AccessApprovalPolicyApprover
-      if (!hasAccessApproverGroupId) {
-        table.uuid("approverGroupId").nullable().references("id").inTable(TableName.Groups).onDelete("CASCADE");
-      }
-
-      // make approverUserId nullable
-      if (hasAccessApproverUserId) {
-        table.uuid("approverUserId").nullable().alter();
-      }
-    });
-    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
-      // add column approverGroupId to SecretApprovalPolicyApprover
-      if (!hasSecretApproverGroupId) {
-        table.uuid("approverGroupId").nullable().references("id").inTable(TableName.Groups).onDelete("CASCADE");
-      }
-
-      // make approverUserId nullable
-      if (hasSecretApproverUserId) {
-        table.uuid("approverUserId").nullable().alter();
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasAccessApproverGroupId = await knex.schema.hasColumn(
-    TableName.AccessApprovalPolicyApprover,
-    "approverGroupId"
-  );
-  const hasAccessApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
-  const hasSecretApproverGroupId = await knex.schema.hasColumn(
-    TableName.SecretApprovalPolicyApprover,
-    "approverGroupId"
-  );
-  const hasSecretApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
-
-  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
-      if (hasAccessApproverGroupId) {
-        table.dropColumn("approverGroupId");
-      }
-      // make approverUserId not nullable
-      if (hasAccessApproverUserId) {
-        table.uuid("approverUserId").notNullable().alter();
-      }
-    });
-
-    // remove
-    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
-      if (hasSecretApproverGroupId) {
-        table.dropColumn("approverGroupId");
-      }
-      // make approverUserId not nullable
-      if (hasSecretApproverUserId) {
-        table.uuid("approverUserId").notNullable().alter();
-      }
-    });
-  }
-}
--- a/backend/src/db/migrations/20240924100329_identity-metadata.ts
+++ b/backend/src/db/migrations/20240924100329_identity-metadata.ts
@ -1,24 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityMetadata))) {
-    await knex.schema.createTable(TableName.IdentityMetadata, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("key").notNullable();
-      tb.string("value").notNullable();
-      tb.uuid("orgId").notNullable();
-      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      tb.uuid("userId");
-      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      tb.uuid("identityId");
-      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      tb.timestamps(true, true, true);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityMetadata);
-}
--- a/backend/src/db/migrations/20240930072738_add-oidc-auth-enforced-to-org.ts
+++ b/backend/src/db/migrations/20240930072738_add-oidc-auth-enforced-to-org.ts
@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.OidcConfig, "lastUsed"))) {
-    await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
-      tb.datetime("lastUsed");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.OidcConfig, "lastUsed")) {
-    await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
-      tb.dropColumn("lastUsed");
-    });
-  }
-}
--- a/backend/src/db/migrations/utils/kms.ts
+++ b/backend/src/db/migrations/utils/kms.ts
@ -1,105 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { randomSecureBytes } from "@app/lib/crypto";
-import { symmetricCipherService, SymmetricEncryption } from "@app/lib/crypto/cipher";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-const getInstanceRootKey = async (knex: Knex) => {
-  const encryptionKey = process.env.ENCRYPTION_KEY || process.env.ROOT_ENCRYPTION_KEY;
-  // if root key its base64 encoded
-  const isBase64 = !process.env.ENCRYPTION_KEY;
-  if (!encryptionKey) throw new Error("ENCRYPTION_KEY variable needed for migration");
-  const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
-
-  const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
-  const kmsRootConfig = await knex(TableName.KmsServerRootConfig).where({ id: KMS_ROOT_CONFIG_UUID }).first();
-  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-  if (kmsRootConfig) {
-    const decryptedRootKey = cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
-    // set the flag so that other instancen nodes can start
-    return decryptedRootKey;
-  }
-
-  const newRootKey = randomSecureBytes(32);
-  const encryptedRootKey = cipher.encrypt(newRootKey, encryptionKeyBuffer);
-  await knex(TableName.KmsServerRootConfig).insert({
-    encryptedRootKey,
-    // eslint-disable-next-line
-    // @ts-ignore id is kept as fixed for idempotence and to avoid race condition
-    id: KMS_ROOT_CONFIG_UUID
-  });
-  return encryptedRootKey;
-};
-
-export const getSecretManagerDataKey = async (knex: Knex, projectId: string) => {
-  const KMS_VERSION = "v01";
-  const KMS_VERSION_BLOB_LENGTH = 3;
-  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-  const project = await knex(TableName.Project).where({ id: projectId }).first();
-  if (!project) throw new Error("Missing project id");
-
-  const ROOT_ENCRYPTION_KEY = await getInstanceRootKey(knex);
-
-  let secretManagerKmsKey;
-  const projectSecretManagerKmsId = project?.kmsSecretManagerKeyId;
-  if (projectSecretManagerKmsId) {
-    const kmsDoc = await knex(TableName.KmsKey)
-      .leftJoin(TableName.InternalKms, `${TableName.KmsKey}.id`, `${TableName.InternalKms}.kmsKeyId`)
-      .where({ [`${TableName.KmsKey}.id` as "id"]: projectSecretManagerKmsId })
-      .first();
-    if (!kmsDoc) throw new Error("missing kms");
-    secretManagerKmsKey = cipher.decrypt(kmsDoc.encryptedKey, ROOT_ENCRYPTION_KEY);
-  } else {
-    const [kmsDoc] = await knex(TableName.KmsKey)
-      .insert({
-        slug: slugify(alphaNumericNanoId(8).toLowerCase()),
-        orgId: project.orgId,
-        isReserved: false
-      })
-      .returning("*");
-
-    secretManagerKmsKey = randomSecureBytes(32);
-    const encryptedKeyMaterial = cipher.encrypt(secretManagerKmsKey, ROOT_ENCRYPTION_KEY);
-    await knex(TableName.InternalKms).insert({
-      version: 1,
-      encryptedKey: encryptedKeyMaterial,
-      encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
-      kmsKeyId: kmsDoc.id
-    });
-  }
-
-  const encryptedSecretManagerDataKey = project?.kmsSecretManagerEncryptedDataKey;
-  let dataKey: Buffer;
-  if (!encryptedSecretManagerDataKey) {
-    dataKey = randomSecureBytes();
-    // the below versioning we do it automatically in kms service
-    const unversionedDataKey = cipher.encrypt(dataKey, secretManagerKmsKey);
-    const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
-    await knex(TableName.Project)
-      .where({ id: projectId })
-      .update({
-        kmsSecretManagerEncryptedDataKey: Buffer.concat([unversionedDataKey, versionBlob])
-      });
-  } else {
-    const cipherTextBlob = encryptedSecretManagerDataKey.subarray(0, -KMS_VERSION_BLOB_LENGTH);
-    dataKey = cipher.decrypt(cipherTextBlob, secretManagerKmsKey);
-  }
-
-  return {
-    encryptor: ({ plainText }: { plainText: Buffer }) => {
-      const encryptedPlainTextBlob = cipher.encrypt(plainText, dataKey);
-
-      // Buffer#1 encrypted text + Buffer#2 version number
-      const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
-      const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
-      return { cipherTextBlob };
-    },
-    decryptor: ({ cipherTextBlob: versionedCipherTextBlob }: { cipherTextBlob: Buffer }) => {
-      const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
-      const decryptedBlob = cipher.decrypt(cipherTextBlob, dataKey);
-      return decryptedBlob;
-    }
-  };
-};
--- a/backend/src/db/schemas/access-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/access-approval-policies-approvers.ts
@ -9,11 +9,10 @@ import { TImmutableDBKeys } from "./models";

 export const AccessApprovalPoliciesApproversSchema = z.object({
  id: z.string().uuid(),
+  approverId: z.string().uuid(),
  policyId: z.string().uuid(),
  createdAt: z.date(),
-  updatedAt: z.date(),
-  approverUserId: z.string().uuid().nullable().optional(),
-  approverGroupId: z.string().uuid().nullable().optional()
+  updatedAt: z.date()
 });

 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;
--- a/backend/src/db/schemas/access-approval-policies.ts
+++ b/backend/src/db/schemas/access-approval-policies.ts
@ -14,8 +14,7 @@ export const AccessApprovalPoliciesSchema = z.object({
  secretPath: z.string().nullable().optional(),
  envId: z.string().uuid(),
  createdAt: z.date(),
-  updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard")
+  updatedAt: z.date()
 });

 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/access-approval-requests-reviewers.ts
+++ b/backend/src/db/schemas/access-approval-requests-reviewers.ts
@ -9,12 +9,11 @@ import { TImmutableDBKeys } from "./models";

 export const AccessApprovalRequestsReviewersSchema = z.object({
  id: z.string().uuid(),
-  member: z.string().uuid().nullable().optional(),
+  member: z.string().uuid(),
  status: z.string(),
  requestId: z.string().uuid(),
  createdAt: z.date(),
-  updatedAt: z.date(),
-  reviewerUserId: z.string().uuid()
+  updatedAt: z.date()
 });

 export type TAccessApprovalRequestsReviewers = z.infer<typeof AccessApprovalRequestsReviewersSchema>;
--- a/backend/src/db/schemas/access-approval-requests.ts
+++ b/backend/src/db/schemas/access-approval-requests.ts
@ -11,13 +11,12 @@ export const AccessApprovalRequestsSchema = z.object({
  id: z.string().uuid(),
  policyId: z.string().uuid(),
  privilegeId: z.string().uuid().nullable().optional(),
-  requestedBy: z.string().uuid().nullable().optional(),
+  requestedBy: z.string().uuid(),
  isTemporary: z.boolean(),
  temporaryRange: z.string().nullable().optional(),
  permissions: z.unknown(),
  createdAt: z.date(),
-  updatedAt: z.date(),
-  requestedByUserId: z.string().uuid()
+  updatedAt: z.date()
 });

 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;
--- a/backend/src/db/schemas/certificate-authorities.ts
+++ b/backend/src/db/schemas/certificate-authorities.ts
@ -27,9 +27,7 @@ export const CertificateAuthoritiesSchema = z.object({
  maxPathLength: z.number().nullable().optional(),
  keyAlgorithm: z.string(),
  notBefore: z.date().nullable().optional(),
-  notAfter: z.date().nullable().optional(),
-  activeCaCertId: z.string().uuid().nullable().optional(),
-  requireTemplateForIssuance: z.boolean().default(false)
+  notAfter: z.date().nullable().optional()
 });

 export type TCertificateAuthorities = z.infer<typeof CertificateAuthoritiesSchema>;
--- a/backend/src/db/schemas/certificate-authority-certs.ts
+++ b/backend/src/db/schemas/certificate-authority-certs.ts
@ -15,9 +15,7 @@ export const CertificateAuthorityCertsSchema = z.object({
  updatedAt: z.date(),
  caId: z.string().uuid(),
  encryptedCertificate: zodBuffer,
-  encryptedCertificateChain: zodBuffer,
-  version: z.number(),
-  caSecretId: z.string().uuid()
+  encryptedCertificateChain: zodBuffer
 });

 export type TCertificateAuthorityCerts = z.infer<typeof CertificateAuthorityCertsSchema>;
--- a/backend/src/db/schemas/certificate-authority-crl.ts
+++ b/backend/src/db/schemas/certificate-authority-crl.ts
@ -14,8 +14,7 @@ export const CertificateAuthorityCrlSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  caId: z.string().uuid(),
-  encryptedCrl: zodBuffer,
-  caSecretId: z.string().uuid()
+  encryptedCrl: zodBuffer
 });

 export type TCertificateAuthorityCrl = z.infer<typeof CertificateAuthorityCrlSchema>;
--- a/backend/src/db/schemas/certificate-template-est-configs.ts
+++ b/backend/src/db/schemas/certificate-template-est-configs.ts
@ -1,29 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const CertificateTemplateEstConfigsSchema = z.object({
-  id: z.string().uuid(),
-  certificateTemplateId: z.string().uuid(),
-  encryptedCaChain: zodBuffer,
-  hashedPassphrase: z.string(),
-  isEnabled: z.boolean(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TCertificateTemplateEstConfigs = z.infer<typeof CertificateTemplateEstConfigsSchema>;
-export type TCertificateTemplateEstConfigsInsert = Omit<
-  z.input<typeof CertificateTemplateEstConfigsSchema>,
-  TImmutableDBKeys
->;
-export type TCertificateTemplateEstConfigsUpdate = Partial<
-  Omit<z.input<typeof CertificateTemplateEstConfigsSchema>, TImmutableDBKeys>
->;
--- a/backend/src/db/schemas/certificate-templates.ts
+++ b/backend/src/db/schemas/certificate-templates.ts
@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const CertificateTemplatesSchema = z.object({
-  id: z.string().uuid(),
-  caId: z.string().uuid(),
-  pkiCollectionId: z.string().uuid().nullable().optional(),
-  name: z.string(),
-  commonName: z.string(),
-  subjectAlternativeName: z.string(),
-  ttl: z.string(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  keyUsages: z.string().array().nullable().optional(),
-  extendedKeyUsages: z.string().array().nullable().optional()
-});
-
-export type TCertificateTemplates = z.infer<typeof CertificateTemplatesSchema>;
-export type TCertificateTemplatesInsert = Omit<z.input<typeof CertificateTemplatesSchema>, TImmutableDBKeys>;
-export type TCertificateTemplatesUpdate = Partial<Omit<z.input<typeof CertificateTemplatesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/certificates.ts
+++ b/backend/src/db/schemas/certificates.ts
@ -20,11 +20,7 @@ export const CertificatesSchema = z.object({
  notAfter: z.date(),
  revokedAt: z.date().nullable().optional(),
  revocationReason: z.number().nullable().optional(),
-  altNames: z.string().default("").nullable().optional(),
-  caCertId: z.string().uuid(),
-  certificateTemplateId: z.string().uuid().nullable().optional(),
-  keyUsages: z.string().array().nullable().optional(),
-  extendedKeyUsages: z.string().array().nullable().optional()
+  altNames: z.string().default("").nullable().optional()
 });

 export type TCertificates = z.infer<typeof CertificatesSchema>;
--- a/backend/src/db/schemas/identity-metadata.ts
+++ b/backend/src/db/schemas/identity-metadata.ts
@ -1,23 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityMetadataSchema = z.object({
-  id: z.string().uuid(),
-  key: z.string(),
-  value: z.string(),
-  orgId: z.string().uuid(),
-  userId: z.string().uuid().nullable().optional(),
-  identityId: z.string().uuid().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TIdentityMetadata = z.infer<typeof IdentityMetadataSchema>;
-export type TIdentityMetadataInsert = Omit<z.input<typeof IdentityMetadataSchema>, TImmutableDBKeys>;
-export type TIdentityMetadataUpdate = Partial<Omit<z.input<typeof IdentityMetadataSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -14,8 +14,6 @@ export * from "./certificate-authority-crl";
 export * from "./certificate-authority-secret";
 export * from "./certificate-bodies";
 export * from "./certificate-secrets";
-export * from "./certificate-template-est-configs";
-export * from "./certificate-templates";
 export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
@ -31,7 +29,6 @@ export * from "./identity-aws-auths";
 export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
 export * from "./identity-kubernetes-auths";
-export * from "./identity-metadata";
 export * from "./identity-oidc-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
@ -55,15 +52,11 @@ export * from "./org-bots";
 export * from "./org-memberships";
 export * from "./org-roles";
 export * from "./organizations";
-export * from "./pki-alerts";
-export * from "./pki-collection-items";
-export * from "./pki-collections";
 export * from "./project-bots";
 export * from "./project-environments";
 export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";
-export * from "./project-slack-configs";
 export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
@ -103,7 +96,6 @@ export * from "./secret-versions-v2";
 export * from "./secrets";
 export * from "./secrets-v2";
 export * from "./service-tokens";
-export * from "./slack-integrations";
 export * from "./super-admin";
 export * from "./trusted-ips";
 export * from "./user-actions";
@ -112,4 +104,3 @@ export * from "./user-encryption-keys";
 export * from "./user-group-membership";
 export * from "./users";
 export * from "./webhooks";
-export * from "./workflow-integrations";
--- a/backend/src/db/schemas/integration-auths.ts
+++ b/backend/src/db/schemas/integration-auths.ts
@ -35,6 +35,7 @@ export const IntegrationAuthsSchema = z.object({
  awsAssumeIamRoleArnCipherText: z.string().nullable().optional(),
  awsAssumeIamRoleArnIV: z.string().nullable().optional(),
  awsAssumeIamRoleArnTag: z.string().nullable().optional(),
+  encryptedAwsIamAssumRole: zodBuffer.nullable().optional(),
  encryptedAccess: zodBuffer.nullable().optional(),
  encryptedAccessId: zodBuffer.nullable().optional(),
  encryptedRefresh: zodBuffer.nullable().optional(),
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -3,17 +3,12 @@ import { z } from "zod";
 export enum TableName {
  Users = "users",
  CertificateAuthority = "certificate_authorities",
-  CertificateTemplateEstConfig = "certificate_template_est_configs",
  CertificateAuthorityCert = "certificate_authority_certs",
  CertificateAuthoritySecret = "certificate_authority_secret",
  CertificateAuthorityCrl = "certificate_authority_crl",
  Certificate = "certificates",
  CertificateBody = "certificate_bodies",
  CertificateSecret = "certificate_secrets",
-  CertificateTemplate = "certificate_templates",
-  PkiAlert = "pki_alerts",
-  PkiCollection = "pki_collections",
-  PkiCollectionItem = "pki_collection_items",
  Groups = "groups",
  GroupProjectMembership = "group_project_memberships",
  GroupProjectMembershipRole = "group_project_membership_roles",
@ -70,8 +65,6 @@ export enum TableName {
  IdentityProjectMembership = "identity_project_memberships",
  IdentityProjectMembershipRole = "identity_project_membership_role",
  IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
-  // used by both identity and users
-  IdentityMetadata = "identity_metadata",
  ScimToken = "scim_tokens",
  AccessApprovalPolicy = "access_approval_policies",
  AccessApprovalPolicyApprover = "access_approval_policies_approvers",
@ -116,10 +109,7 @@ export enum TableName {
  InternalKms = "internal_kms",
  InternalKmsKeyVersion = "internal_kms_key_version",
  // @depreciated
-  KmsKeyVersion = "kms_key_versions",
-  WorkflowIntegrations = "workflow_integrations",
-  SlackIntegrations = "slack_integrations",
-  ProjectSlackConfigs = "project_slack_configs"
+  KmsKeyVersion = "kms_key_versions"
 }

 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
--- a/backend/src/db/schemas/oidc-configs.ts
+++ b/backend/src/db/schemas/oidc-configs.ts
@ -26,8 +26,7 @@ export const OidcConfigsSchema = z.object({
  isActive: z.boolean(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  orgId: z.string().uuid(),
-  lastUsed: z.date().nullable().optional()
+  orgId: z.string().uuid()
 });

 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;
--- a/backend/src/db/schemas/pki-alerts.ts
+++ b/backend/src/db/schemas/pki-alerts.ts
@ -1,23 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const PkiAlertsSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  projectId: z.string(),
-  pkiCollectionId: z.string().uuid(),
-  name: z.string(),
-  alertBeforeDays: z.number(),
-  recipientEmails: z.string()
-});
-
-export type TPkiAlerts = z.infer<typeof PkiAlertsSchema>;
-export type TPkiAlertsInsert = Omit<z.input<typeof PkiAlertsSchema>, TImmutableDBKeys>;
-export type TPkiAlertsUpdate = Partial<Omit<z.input<typeof PkiAlertsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/pki-collection-items.ts
+++ b/backend/src/db/schemas/pki-collection-items.ts
@ -1,21 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const PkiCollectionItemsSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  pkiCollectionId: z.string().uuid(),
-  caId: z.string().uuid().nullable().optional(),
-  certId: z.string().uuid().nullable().optional()
-});
-
-export type TPkiCollectionItems = z.infer<typeof PkiCollectionItemsSchema>;
-export type TPkiCollectionItemsInsert = Omit<z.input<typeof PkiCollectionItemsSchema>, TImmutableDBKeys>;
-export type TPkiCollectionItemsUpdate = Partial<Omit<z.input<typeof PkiCollectionItemsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/pki-collections.ts
+++ b/backend/src/db/schemas/pki-collections.ts
@ -1,21 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const PkiCollectionsSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  projectId: z.string(),
-  name: z.string(),
-  description: z.string()
-});
-
-export type TPkiCollections = z.infer<typeof PkiCollectionsSchema>;
-export type TPkiCollectionsInsert = Omit<z.input<typeof PkiCollectionsSchema>, TImmutableDBKeys>;
-export type TPkiCollectionsUpdate = Partial<Omit<z.input<typeof PkiCollectionsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/project-slack-configs.ts
+++ b/backend/src/db/schemas/project-slack-configs.ts
@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ProjectSlackConfigsSchema = z.object({
-  id: z.string().uuid(),
-  projectId: z.string(),
-  slackIntegrationId: z.string().uuid(),
-  isAccessRequestNotificationEnabled: z.boolean().default(false),
-  accessRequestChannels: z.string().default(""),
-  isSecretRequestNotificationEnabled: z.boolean().default(false),
-  secretRequestChannels: z.string().default(""),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TProjectSlackConfigs = z.infer<typeof ProjectSlackConfigsSchema>;
-export type TProjectSlackConfigsInsert = Omit<z.input<typeof ProjectSlackConfigsSchema>, TImmutableDBKeys>;
-export type TProjectSlackConfigsUpdate = Partial<Omit<z.input<typeof ProjectSlackConfigsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/project-user-additional-privilege.ts
+++ b/backend/src/db/schemas/project-user-additional-privilege.ts
@ -10,7 +10,7 @@ import { TImmutableDBKeys } from "./models";
 export const ProjectUserAdditionalPrivilegeSchema = z.object({
  id: z.string().uuid(),
  slug: z.string(),
-  projectMembershipId: z.string().uuid().nullable().optional(),
+  projectMembershipId: z.string().uuid(),
  isTemporary: z.boolean().default(false),
  temporaryMode: z.string().nullable().optional(),
  temporaryRange: z.string().nullable().optional(),
@ -18,9 +18,7 @@ export const ProjectUserAdditionalPrivilegeSchema = z.object({
  temporaryAccessEndTime: z.date().nullable().optional(),
  permissions: z.unknown(),
  createdAt: z.date(),
-  updatedAt: z.date(),
-  userId: z.string().uuid(),
-  projectId: z.string()
+  updatedAt: z.date()
 });

 export type TProjectUserAdditionalPrivilege = z.infer<typeof ProjectUserAdditionalPrivilegeSchema>;
--- a/backend/src/db/schemas/rate-limit.ts
+++ b/backend/src/db/schemas/rate-limit.ts
@ -15,6 +15,7 @@ export const RateLimitSchema = z.object({
  authRateLimit: z.number().default(60),
  inviteUserRateLimit: z.number().default(30),
  mfaRateLimit: z.number().default(20),
+  creationLimit: z.number().default(30),
  publicEndpointLimit: z.number().default(30),
  createdAt: z.date(),
  updatedAt: z.date()
--- a/backend/src/db/schemas/secret-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/secret-approval-policies-approvers.ts
@ -12,8 +12,7 @@ export const SecretApprovalPoliciesApproversSchema = z.object({
  policyId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  approverUserId: z.string().uuid().nullable().optional(),
-  approverGroupId: z.string().uuid().nullable().optional()
+  approverUserId: z.string().uuid()
 });

 export type TSecretApprovalPoliciesApprovers = z.infer<typeof SecretApprovalPoliciesApproversSchema>;
--- a/backend/src/db/schemas/secret-approval-policies.ts
+++ b/backend/src/db/schemas/secret-approval-policies.ts
@ -14,8 +14,7 @@ export const SecretApprovalPoliciesSchema = z.object({
  approvals: z.number().default(1),
  envId: z.string().uuid(),
  createdAt: z.date(),
-  updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard")
+  updatedAt: z.date()
 });

 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/secret-approval-requests.ts
+++ b/backend/src/db/schemas/secret-approval-requests.ts
@ -19,8 +19,7 @@ export const SecretApprovalRequestsSchema = z.object({
  updatedAt: z.date(),
  isReplicated: z.boolean().nullable().optional(),
  committerUserId: z.string().uuid(),
-  statusChangedByUserId: z.string().uuid().nullable().optional(),
-  bypassReason: z.string().nullable().optional()
+  statusChangedByUserId: z.string().uuid().nullable().optional()
 });

 export type TSecretApprovalRequests = z.infer<typeof SecretApprovalRequestsSchema>;
--- a/backend/src/db/schemas/secret-sharing.ts
+++ b/backend/src/db/schemas/secret-sharing.ts
@ -18,11 +18,7 @@ export const SecretSharingSchema = z.object({
  orgId: z.string().uuid().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  expiresAfterViews: z.number().nullable().optional(),
-  accessType: z.string().default("anyone"),
-  name: z.string().nullable().optional(),
-  lastViewedAt: z.date().nullable().optional(),
-  password: z.string().nullable().optional()
+  expiresAfterViews: z.number().nullable().optional()
 });

 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;
--- a/backend/src/db/schemas/secret-tags.ts
+++ b/backend/src/db/schemas/secret-tags.ts
@ -9,6 +9,7 @@ import { TImmutableDBKeys } from "./models";

 export const SecretTagsSchema = z.object({
  id: z.string().uuid(),
+  name: z.string(),
  slug: z.string(),
  color: z.string().nullable().optional(),
  createdAt: z.date(),
--- a/backend/src/db/schemas/slack-integrations.ts
+++ b/backend/src/db/schemas/slack-integrations.ts
@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SlackIntegrationsSchema = z.object({
-  id: z.string().uuid(),
-  teamId: z.string(),
-  teamName: z.string(),
-  slackUserId: z.string(),
-  slackAppId: z.string(),
-  encryptedBotAccessToken: zodBuffer,
-  slackBotId: z.string(),
-  slackBotUserId: z.string(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSlackIntegrations = z.infer<typeof SlackIntegrationsSchema>;
-export type TSlackIntegrationsInsert = Omit<z.input<typeof SlackIntegrationsSchema>, TImmutableDBKeys>;
-export type TSlackIntegrationsUpdate = Partial<Omit<z.input<typeof SlackIntegrationsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/super-admin.ts
+++ b/backend/src/db/schemas/super-admin.ts
@ -5,8 +5,6 @@

 import { z } from "zod";

-import { zodBuffer } from "@app/lib/zod";
-
 import { TImmutableDBKeys } from "./models";

 export const SuperAdminSchema = z.object({
@ -21,9 +19,7 @@ export const SuperAdminSchema = z.object({
  trustLdapEmails: z.boolean().default(false).nullable().optional(),
  trustOidcEmails: z.boolean().default(false).nullable().optional(),
  defaultAuthOrgId: z.string().uuid().nullable().optional(),
-  enabledLoginMethods: z.string().array().nullable().optional(),
-  encryptedSlackClientId: zodBuffer.nullable().optional(),
-  encryptedSlackClientSecret: zodBuffer.nullable().optional()
+  enabledLoginMethods: z.string().array().nullable().optional()
 });

 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;
--- a/backend/src/db/schemas/workflow-integrations.ts
+++ b/backend/src/db/schemas/workflow-integrations.ts
@ -1,22 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const WorkflowIntegrationsSchema = z.object({
-  id: z.string().uuid(),
-  integration: z.string(),
-  slug: z.string(),
-  orgId: z.string().uuid(),
-  description: z.string().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TWorkflowIntegrations = z.infer<typeof WorkflowIntegrationsSchema>;
-export type TWorkflowIntegrationsInsert = Omit<z.input<typeof WorkflowIntegrationsSchema>, TImmutableDBKeys>;
-export type TWorkflowIntegrationsUpdate = Partial<Omit<z.input<typeof WorkflowIntegrationsSchema>, TImmutableDBKeys>>;
--- a/backend/src/ee/routes/est/certificate-est-router.ts
+++ b/backend/src/ee/routes/est/certificate-est-router.ts
@ -1,173 +0,0 @@
-import bcrypt from "bcrypt";
-import { z } from "zod";
-
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-
-export const registerCertificateEstRouter = async (server: FastifyZodProvider) => {
-  const appCfg = getConfig();
-
-  // add support for CSR bodies
-  server.addContentTypeParser("application/pkcs10", { parseAs: "string" }, (_, body, done) => {
-    try {
-      let csrBody = body as string;
-      // some EST clients send CSRs in PEM format and some in base64 format
-      // for CSRs sent in PEM, we leave them as is
-      // for CSRs sent in base64, we preprocess them to remove new lines and spaces
-      if (!csrBody.includes("BEGIN CERTIFICATE REQUEST")) {
-        csrBody = csrBody.replace(/\n/g, "").replace(/ /g, "");
-      }
-
-      done(null, csrBody);
-    } catch (err) {
-      const error = err as Error;
-      done(error, undefined);
-    }
-  });
-
-  // Authenticate EST client using Passphrase
-  server.addHook("onRequest", async (req, res) => {
-    const { authorization } = req.headers;
-    const urlFragments = req.url.split("/");
-
-    // cacerts endpoint should not have any authentication
-    if (urlFragments[urlFragments.length - 1] === "cacerts") {
-      return;
-    }
-
-    if (!authorization) {
-      const wwwAuthenticateHeader = "WWW-Authenticate";
-      const errAuthRequired = "Authentication required";
-
-      await res.hijack();
-
-      // definitive connection timeout to clean-up open connections and prevent memory leak
-      res.raw.setTimeout(10 * 1000, () => {
-        res.raw.end();
-      });
-
-      res.raw.setHeader(wwwAuthenticateHeader, `Basic realm="infisical"`);
-      res.raw.setHeader("Content-Length", 0);
-      res.raw.statusCode = 401;
-
-      // Write the error message to the response without ending the connection
-      res.raw.write(errAuthRequired);
-
-      // flush headers
-      res.raw.flushHeaders();
-      return;
-    }
-
-    const certificateTemplateId = urlFragments.slice(-2)[0];
-    const estConfig = await server.services.certificateTemplate.getEstConfiguration({
-      isInternal: true,
-      certificateTemplateId
-    });
-
-    if (!estConfig.isEnabled) {
-      throw new BadRequestError({
-        message: "EST is disabled"
-      });
-    }
-
-    const rawCredential = authorization?.split(" ").pop();
-    if (!rawCredential) {
-      throw new UnauthorizedError({ message: "Missing HTTP credentials" });
-    }
-
-    // expected format is user:password
-    const basicCredential = atob(rawCredential);
-    const password = basicCredential.split(":").pop();
-    if (!password) {
-      throw new BadRequestError({
-        message: "No password provided"
-      });
-    }
-
-    const isPasswordValid = await bcrypt.compare(password, estConfig.hashedPassphrase);
-    if (!isPasswordValid) {
-      throw new UnauthorizedError({
-        message: "Invalid credentials"
-      });
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/:certificateTemplateId/simpleenroll",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.string().min(1),
-      params: z.object({
-        certificateTemplateId: z.string().min(1)
-      }),
-      response: {
-        200: z.string()
-      }
-    },
-    handler: async (req, res) => {
-      void res.header("Content-Type", "application/pkcs7-mime; smime-type=certs-only");
-      void res.header("Content-Transfer-Encoding", "base64");
-
-      return server.services.certificateEst.simpleEnroll({
-        csr: req.body,
-        certificateTemplateId: req.params.certificateTemplateId,
-        sslClientCert: req.headers[appCfg.SSL_CLIENT_CERTIFICATE_HEADER_KEY] as string
-      });
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/:certificateTemplateId/simplereenroll",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.string().min(1),
-      params: z.object({
-        certificateTemplateId: z.string().min(1)
-      }),
-      response: {
-        200: z.string()
-      }
-    },
-    handler: async (req, res) => {
-      void res.header("Content-Type", "application/pkcs7-mime; smime-type=certs-only");
-      void res.header("Content-Transfer-Encoding", "base64");
-
-      return server.services.certificateEst.simpleReenroll({
-        csr: req.body,
-        certificateTemplateId: req.params.certificateTemplateId,
-        sslClientCert: req.headers[appCfg.SSL_CLIENT_CERTIFICATE_HEADER_KEY] as string
-      });
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:certificateTemplateId/cacerts",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        certificateTemplateId: z.string().min(1)
-      }),
-      response: {
-        200: z.string()
-      }
-    },
-    handler: async (req, res) => {
-      void res.header("Content-Type", "application/pkcs7-mime; smime-type=certs-only");
-      void res.header("Content-Transfer-Encoding", "base64");
-
-      return server.services.certificateEst.getCaCerts({
-        certificateTemplateId: req.params.certificateTemplateId
-      });
-    }
-  });
-};
--- a/backend/src/ee/routes/v1/access-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-policy-router.ts
@ -1,9 +1,6 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";

-import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
-import { EnforcementLevel } from "@app/lib/types";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -12,32 +9,27 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/",
    method: "POST",
-    config: {
-      rateLimit: writeLimit
-    },
    schema: {
-      body: z.object({
-        projectSlug: z.string().trim(),
-        name: z.string().optional(),
-        secretPath: z.string().trim().default("/"),
-        environment: z.string(),
-        approvers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
-          ])
-          .array()
-          .min(1, { message: "At least one approver should be provided" }),
-        approvals: z.number().min(1).default(1),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-      }),
+      body: z
+        .object({
+          projectSlug: z.string().trim(),
+          name: z.string().optional(),
+          secretPath: z.string().trim().default("/"),
+          environment: z.string(),
+          approvers: z.string().array().min(1),
+          approvals: z.number().min(1).default(1)
+        })
+        .refine((data) => data.approvals <= data.approvers.length, {
+          path: ["approvals"],
+          message: "The number of approvals should be lower than the number of approvers."
+        }),
      response: {
        200: z.object({
          approval: sapPubSchema
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const approval = await server.services.accessApprovalPolicy.createAccessApprovalPolicy({
        actor: req.permission.type,
@ -46,8 +38,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectSlug: req.body.projectSlug,
-        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
-        enforcementLevel: req.body.enforcementLevel
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`
      });
      return { approval };
    }
@ -56,26 +47,13 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/",
    method: "GET",
-    config: {
-      rateLimit: readLimit
-    },
    schema: {
      querystring: z.object({
        projectSlug: z.string().trim()
      }),
      response: {
        200: z.object({
-          approvals: sapPubSchema
-            .extend({
-              approvers: z
-                .object({ type: z.nativeEnum(ApproverType), id: z.string().nullable().optional() })
-                .array()
-                .nullable()
-                .optional()
-            })
-            .array()
-            .nullable()
-            .optional()
+          approvals: sapPubSchema.extend({ approvers: z.string().array(), secretPath: z.string().optional() }).array()
        })
      }
    },
@ -88,7 +66,6 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
        actorOrgId: req.permission.orgId,
        projectSlug: req.query.projectSlug
      });
-
      return { approvals };
    }
  });
@ -125,37 +102,32 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/:policyId",
    method: "PATCH",
-    config: {
-      rateLimit: writeLimit
-    },
    schema: {
      params: z.object({
        policyId: z.string()
      }),
-      body: z.object({
-        name: z.string().optional(),
-        secretPath: z
-          .string()
-          .trim()
-          .optional()
-          .transform((val) => (val === "" ? "/" : val)),
-        approvers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
-          ])
-          .array()
-          .min(1, { message: "At least one approver should be provided" }),
-        approvals: z.number().min(1).optional(),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-      }),
+      body: z
+        .object({
+          name: z.string().optional(),
+          secretPath: z
+            .string()
+            .trim()
+            .optional()
+            .transform((val) => (val === "" ? "/" : val)),
+          approvers: z.string().array().min(1),
+          approvals: z.number().min(1).default(1)
+        })
+        .refine((data) => data.approvals <= data.approvers.length, {
+          path: ["approvals"],
+          message: "The number of approvals should be lower than the number of approvers."
+        }),
      response: {
        200: z.object({
          approval: sapPubSchema
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      await server.services.accessApprovalPolicy.updateAccessApprovalPolicy({
        policyId: req.params.policyId,
@ -171,9 +143,6 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/:policyId",
    method: "DELETE",
-    config: {
-      rateLimit: writeLimit
-    },
    schema: {
      params: z.object({
        policyId: z.string()
@ -184,7 +153,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const approval = await server.services.accessApprovalPolicy.deleteAccessApprovalPolicy({
        actor: req.permission.type,
@ -196,44 +165,4 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
      return { approval };
    }
  });
-
-  server.route({
-    url: "/:policyId",
-    method: "GET",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        policyId: z.string()
-      }),
-      response: {
-        200: z.object({
-          approval: sapPubSchema.extend({
-            approvers: z
-              .object({
-                type: z.nativeEnum(ApproverType),
-                id: z.string().nullable().optional(),
-                name: z.string().nullable().optional()
-              })
-              .array()
-              .nullable()
-              .optional()
-          })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const approval = await server.services.accessApprovalPolicy.getAccessApprovalPolicyById({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.params
-      });
-
-      return { approval };
-    }
-  });
 };
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@ -1,19 +1,10 @@
 import { z } from "zod";

-import { AccessApprovalRequestsReviewersSchema, AccessApprovalRequestsSchema, UsersSchema } from "@app/db/schemas";
+import { AccessApprovalRequestsReviewersSchema, AccessApprovalRequestsSchema } from "@app/db/schemas";
 import { ApprovalStatus } from "@app/ee/services/access-approval-request/access-approval-request-types";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

-const approvalRequestUser = z.object({ userId: z.string() }).merge(
-  UsersSchema.pick({
-    email: true,
-    firstName: true,
-    lastName: true,
-    username: true
-  })
-);
-
 export const registerAccessApprovalRequestRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
@ -108,16 +99,14 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
              approvals: z.number(),
              approvers: z.string().array(),
              secretPath: z.string().nullish(),
-              envId: z.string(),
-              enforcementLevel: z.string()
+              envId: z.string()
            }),
            reviewers: z
              .object({
-                userId: z.string(),
+                member: z.string(),
                status: z.string()
              })
-              .array(),
-            requestedByUser: approvalRequestUser
+              .array()
          }).array()
        })
      }
--- a/backend/src/ee/routes/v1/certificate-authority-crl-router.ts
+++ b/backend/src/ee/routes/v1/certificate-authority-crl-router.ts
@ -1,55 +1,86 @@
-/* eslint-disable @typescript-eslint/no-floating-promises */
 import { z } from "zod";

-import { CA_CRLS } from "@app/lib/api-docs";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";

 export const registerCaCrlRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
-    url: "/:crlId",
+    url: "/:caId/crl",
    config: {
      rateLimit: readLimit
    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
-      description: "Get CRL in DER format (deprecated)",
+      description: "Get CRL of the CA",
      params: z.object({
-        crlId: z.string().trim().describe(CA_CRLS.GET.crlId)
+        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.GET_CRL.caId)
      }),
      response: {
-        200: z.instanceof(Buffer)
+        200: z.object({
+          crl: z.string().describe(CERTIFICATE_AUTHORITIES.GET_CRL.crl)
+        })
      }
    },
-    handler: async (req, res) => {
-      const { crl } = await server.services.certificateAuthorityCrl.getCrlById(req.params.crlId);
+    handler: async (req) => {
+      const { crl, ca } = await server.services.certificateAuthorityCrl.getCaCrl({
+        caId: req.params.caId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });

-      res.header("Content-Type", "application/pkix-crl");
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: ca.projectId,
+        event: {
+          type: EventType.GET_CA_CRL,
+          metadata: {
+            caId: ca.id,
+            dn: ca.dn
+          }
+        }
+      });

-      return Buffer.from(crl);
+      return {
+        crl
+      };
    }
  });

-  server.route({
-    method: "GET",
-    url: "/:crlId/der",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Get CRL in DER format",
-      params: z.object({
-        crlId: z.string().trim().describe(CA_CRLS.GET.crlId)
-      }),
-      response: {
-        200: z.instanceof(Buffer)
-      }
-    },
-    handler: async (req, res) => {
-      const { crl } = await server.services.certificateAuthorityCrl.getCrlById(req.params.crlId);
-
-      res.header("Content-Type", "application/pkix-crl");
-
-      return Buffer.from(crl);
-    }
-  });
+  // server.route({
+  //   method: "GET",
+  //   url: "/:caId/crl/rotate",
+  //   config: {
+  //     rateLimit: writeLimit
+  //   },
+  //   onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+  //   schema: {
+  //     description: "Rotate CRL of the CA",
+  //     params: z.object({
+  //       caId: z.string().trim()
+  //     }),
+  //     response: {
+  //       200: z.object({
+  //         message: z.string()
+  //       })
+  //     }
+  //   },
+  //   handler: async (req) => {
+  //     await server.services.certificateAuthority.rotateCaCrl({
+  //       caId: req.params.caId,
+  //       actor: req.permission.type,
+  //       actorId: req.permission.id,
+  //       actorAuthMethod: req.permission.authMethod,
+  //       actorOrgId: req.permission.orgId
+  //     });
+  //     return {
+  //       message: "Successfully rotated CA CRL"
+  //     };
+  //   }
+  // });
 };
--- a/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
@ -131,7 +131,7 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
          .default("/")
          .transform(removeTrailingSlash)
          .describe(DYNAMIC_SECRET_LEASES.RENEW.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.environmentSlug)
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.ttl)
      }),
      response: {
        200: z.object({
--- a/backend/src/ee/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-router.ts
@ -77,39 +77,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
    }
  });

-  server.route({
-    method: "POST",
-    url: "/entra-id/users",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      body: z.object({
-        tenantId: z.string().min(1).describe("The tenant ID of the Azure Entra ID"),
-        applicationId: z.string().min(1).describe("The application ID of the Azure Entra ID App Registration"),
-        clientSecret: z.string().min(1).describe("The client secret of the Azure Entra ID App Registration")
-      }),
-      response: {
-        200: z
-          .object({
-            name: z.string().min(1).describe("The name of the user"),
-            id: z.string().min(1).describe("The ID of the user"),
-            email: z.string().min(1).describe("The email of the user")
-          })
-          .array()
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const data = await server.services.dynamicSecret.fetchAzureEntraIdUsers({
-        tenantId: req.body.tenantId,
-        applicationId: req.body.applicationId,
-        clientSecret: req.body.clientSecret
-      });
-      return data;
-    }
-  });
-
  server.route({
    method: "PATCH",
    url: "/:name",
@ -270,7 +237,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const dynamicSecretCfgs = await server.services.dynamicSecret.listDynamicSecretsByEnv({
+      const dynamicSecretCfgs = await server.services.dynamicSecret.list({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
--- a/backend/src/ee/routes/v1/group-router.ts
+++ b/backend/src/ee/routes/v1/group-router.ts
@ -10,7 +10,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
    method: "POST",
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z.object({
        name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
@ -43,59 +43,12 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:id",
-    method: "GET",
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      params: z.object({
-        id: z.string().trim().describe(GROUPS.GET_BY_ID.id)
-      }),
-      response: {
-        200: GroupsSchema
-      }
-    },
-    handler: async (req) => {
-      const group = await server.services.group.getGroupById({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        id: req.params.id
-      });
-
-      return group;
-    }
-  });
-
-  server.route({
-    url: "/",
-    method: "GET",
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      response: {
-        200: GroupsSchema.array()
-      }
-    },
-    handler: async (req) => {
-      const groups = await server.services.org.getOrgGroups({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        orgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      return groups;
-    }
-  });
-
-  server.route({
-    url: "/:id",
+    url: "/:currentSlug",
    method: "PATCH",
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
-        id: z.string().trim().describe(GROUPS.UPDATE.id)
+        currentSlug: z.string().trim().describe(GROUPS.UPDATE.currentSlug)
      }),
      body: z
        .object({
@ -117,7 +70,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const group = await server.services.group.updateGroup({
-        id: req.params.id,
+        currentSlug: req.params.currentSlug,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
@ -130,12 +83,12 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:id",
+    url: "/:slug",
    method: "DELETE",
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
-        id: z.string().trim().describe(GROUPS.DELETE.id)
+        slug: z.string().trim().describe(GROUPS.DELETE.slug)
      }),
      response: {
        200: GroupsSchema
@ -143,7 +96,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const group = await server.services.group.deleteGroup({
-        id: req.params.id,
+        groupSlug: req.params.slug,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
@ -156,11 +109,11 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {

  server.route({
    method: "GET",
-    url: "/:id/users",
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    url: "/:slug/users",
+    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
-        id: z.string().trim().describe(GROUPS.LIST_USERS.id)
+        slug: z.string().trim().describe(GROUPS.LIST_USERS.slug)
      }),
      querystring: z.object({
        offset: z.coerce.number().min(0).max(100).default(0).describe(GROUPS.LIST_USERS.offset),
@ -188,25 +141,24 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const { users, totalCount } = await server.services.group.listGroupUsers({
-        id: req.params.id,
+        groupSlug: req.params.slug,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query
      });
-
      return { users, totalCount };
    }
  });

  server.route({
    method: "POST",
-    url: "/:id/users/:username",
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    url: "/:slug/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
-        id: z.string().trim().describe(GROUPS.ADD_USER.id),
+        slug: z.string().trim().describe(GROUPS.ADD_USER.slug),
        username: z.string().trim().describe(GROUPS.ADD_USER.username)
      }),
      response: {
@ -221,7 +173,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const user = await server.services.group.addUserToGroup({
-        id: req.params.id,
+        groupSlug: req.params.slug,
        username: req.params.username,
        actor: req.permission.type,
        actorId: req.permission.id,
@ -235,11 +187,11 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {

  server.route({
    method: "DELETE",
-    url: "/:id/users/:username",
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    url: "/:slug/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
-        id: z.string().trim().describe(GROUPS.DELETE_USER.id),
+        slug: z.string().trim().describe(GROUPS.DELETE_USER.slug),
        username: z.string().trim().describe(GROUPS.DELETE_USER.username)
      }),
      response: {
@ -254,7 +206,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const user = await server.services.group.removeUserFromGroup({
-        id: req.params.id,
+        groupSlug: req.params.slug,
        username: req.params.username,
        actor: req.permission.type,
        actorId: req.permission.id,
--- a/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
@ -5,7 +5,7 @@ import { z } from "zod";

 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
-import { UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -61,7 +61,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
    handler: async (req) => {
      const { permissions, privilegePermission } = req.body;
      if (!permissions && !privilegePermission) {
-        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
+        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
      }

      const permission = privilegePermission
@ -140,7 +140,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
    handler: async (req) => {
      const { permissions, privilegePermission } = req.body;
      if (!permissions && !privilegePermission) {
-        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
+        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
      }

      const permission = privilegePermission
@ -224,7 +224,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
    handler: async (req) => {
      const { permissions, privilegePermission, ...updatedInfo } = req.body.privilegeDetails;
      if (!permissions && !privilegePermission) {
-        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
+        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
      }

      const permission = privilegePermission
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -61,7 +61,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {

  await server.register(
    async (pkiRouter) => {
-      await pkiRouter.register(registerCaCrlRouter, { prefix: "/crl" });
+      await pkiRouter.register(registerCaCrlRouter, { prefix: "/ca" });
    },
    { prefix: "/pki" }
  );
--- a/backend/src/ee/routes/v1/license-router.ts
+++ b/backend/src/ee/routes/v1/license-router.ts
@ -1,6 +1,6 @@
 /* eslint-disable @typescript-eslint/no-unsafe-return */
 /* eslint-disable @typescript-eslint/no-unsafe-assignment */
-// TODO(akhilmhdh): Fix this when license service gets it type
+// TODO(akhilmhdh): Fix this when licence service gets it type
 import { z } from "zod";

 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@ -52,36 +52,6 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
    }
  });

-  server.route({
-    method: "GET",
-    url: "/:organizationId/roles/:roleId",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        organizationId: z.string().trim(),
-        roleId: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          role: OrgRolesSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const role = await server.services.orgRole.getRole(
-        req.permission.id,
-        req.params.organizationId,
-        req.params.roleId,
-        req.permission.authMethod,
-        req.permission.orgId
-      );
-      return { role };
-    }
-  });
-
  server.route({
    method: "PATCH",
    url: "/:organizationId/roles/:roleId",
@ -99,7 +69,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
          .trim()
          .optional()
          .refine(
-            (val) => typeof val !== "undefined" && !Object.keys(OrgMembershipRole).includes(val),
+            (val) => typeof val === "undefined" || Object.keys(OrgMembershipRole).includes(val),
            "Please choose a different slug, the slug you have entered is reserved."
          )
          .refine((val) => typeof val === "undefined" || slugify(val) === val, {
@ -107,7 +77,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
          }),
        name: z.string().trim().optional(),
        description: z.string().trim().optional(),
-        permissions: z.any().array().optional()
+        permissions: z.any().array()
      }),
      response: {
        200: z.object({
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@ -3,11 +3,10 @@ import slugify from "@sindresorhus/slugify";
 import { z } from "zod";

 import { ProjectMembershipRole, ProjectMembershipsSchema, ProjectRolesSchema } from "@app/db/schemas";
-import { ProjectPermissionSchema } from "@app/ee/services/permission/project-permission";
 import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
+import { ProjectPermissionSchema, SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
@ -102,8 +101,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
            message: "Slug must be a valid"
          }),
        name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
-        permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
+        permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.UPDATE.permissions)
      }),
      response: {
        200: z.object({
@ -122,7 +120,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        roleId: req.params.roleId,
        data: {
          ...req.body,
-          permissions: req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined
+          permissions: JSON.stringify(packRules(req.body.permissions))
        }
      });
      return { role };
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@ -87,12 +87,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    }
  });

-  /*
-   * Daniel: This endpoint is no longer is use.
-   * We are keeping it for now because it has been exposed in our public api docs for a while, so by removing it we are likely to break users workflows.
-   *
-   * Please refer to the new endpoint, GET /api/v1/organization/audit-logs, for the same (and more) functionality.
-   */
  server.route({
    method: "GET",
    url: "/:workspaceId/audit-logs",
@ -107,7 +101,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.projectId)
+        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.workspaceId)
      }),
      querystring: z.object({
        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
@ -128,12 +122,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          })
            .merge(
              z.object({
-                project: z
-                  .object({
-                    name: z.string(),
-                    slug: z.string()
-                  })
-                  .optional(),
                event: z.object({
                  type: z.string(),
                  metadata: z.any()
@ -150,20 +138,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const auditLogs = await server.services.auditLog.listAuditLogs({
+      const auditLogs = await server.services.auditLog.listProjectAuditLogs({
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
-        actor: req.permission.type,
-
-        filter: {
-          ...req.query,
-          projectId: req.params.workspaceId,
-          endDate: req.query.endDate,
-          startDate: req.query.startDate || getLastMidnightDateISO(),
-          auditLogActorId: req.query.actor,
-          eventType: req.query.eventType ? [req.query.eventType] : undefined
-        }
+        projectId: req.params.workspaceId,
+        ...req.query,
+        endDate: req.query.endDate,
+        startDate: req.query.startDate || getLastMidnightDateISO(),
+        auditLogActor: req.query.actor,
+        actor: req.permission.type
      });
      return { auditLogs };
    }
@ -365,35 +349,4 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      return backup;
    }
  });
-
-  server.route({
-    method: "POST",
-    url: "/:workspaceId/migrate-v3",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        workspaceId: z.string().trim()
-      }),
-
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const migration = await server.services.secret.startSecretV2Migration({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.workspaceId
-      });
-
-      return migration;
-    }
-  });
 };
--- a/backend/src/ee/routes/v1/rate-limit-router.ts
+++ b/backend/src/ee/routes/v1/rate-limit-router.ts
@ -1,7 +1,7 @@
 import { z } from "zod";

 import { RateLimitSchema } from "@app/db/schemas";
-import { NotFoundError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -29,7 +29,7 @@ export const registerRateLimitRouter = async (server: FastifyZodProvider) => {
    handler: async () => {
      const rateLimit = await server.services.rateLimit.getRateLimits();
      if (!rateLimit) {
-        throw new NotFoundError({
+        throw new BadRequestError({
          name: "Get Rate Limit Error",
          message: "Rate limit configuration does not exist."
        });
@ -58,6 +58,7 @@ export const registerRateLimitRouter = async (server: FastifyZodProvider) => {
        authRateLimit: z.number(),
        inviteUserRateLimit: z.number(),
        mfaRateLimit: z.number(),
+        creationLimit: z.number(),
        publicEndpointLimit: z.number()
      }),
      response: {
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@ -61,7 +61,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                id: samlConfigId
              };
            } else {
-              throw new BadRequestError({ message: "Missing sso identifier or org slug" });
+              throw new BadRequestError({ message: "Missing sso identitier or org slug" });
            }

            const ssoConfig = await server.services.saml.getSaml(ssoLookupDetails);
@ -100,52 +100,25 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
      async (req, profile, cb) => {
        try {
          if (!profile) throw new BadRequestError({ message: "Missing profile" });
+          const email = profile?.email ?? (profile?.emailAddress as string); // emailRippling is added because in Rippling the field `email` reserved

-          const email =
-            profile?.email ??
-            // entra sends data in this format
-            (profile["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"] as string) ??
-            (profile?.emailAddress as string); // emailRippling is added because in Rippling the field `email` reserved\
-
-          const firstName = (profile.firstName ??
-            // entra sends data in this format
-            profile["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName"]) as string;
-
-          const lastName =
-            profile.lastName ?? profile["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastName"];
-
-          if (!email || !firstName) {
-            logger.info(
-              {
-                err: new Error("Invalid saml request. Missing email or first name"),
-                profile
-              },
-              `email: ${email} firstName: ${profile.firstName as string}`
-            );
+          if (!email || !profile.firstName) {
+            throw new BadRequestError({ message: "Invalid request. Missing email or first name" });
          }

-          const userMetadata = Object.keys(profile.attributes || {})
-            .map((key) => {
-              // for the ones like in format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
-              const formatedKey = key.startsWith("http") ? key.split("/").at(-1) || "" : key;
-              return { key: formatedKey, value: String((profile.attributes as Record<string, string>)[key]) };
-            })
-            .filter((el) => el.key && !["email", "firstName", "lastName"].includes(el.key));
-
          const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
            externalId: profile.nameID,
            email,
-            firstName,
-            lastName: lastName as string,
+            firstName: profile.firstName as string,
+            lastName: profile.lastName as string,
            relayState: (req.body as { RelayState?: string }).RelayState,
            authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider as string,
-            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string,
-            metadata: userMetadata
+            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string
          });
          cb(null, { isUserCompleted, providerAuthToken });
        } catch (error) {
          logger.error(error);
-          cb(error as Error);
+          cb(null, {});
        }
      },
      () => {}
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@ -5,47 +5,19 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

-const ScimUserSchema = z.object({
-  schemas: z.array(z.string()),
-  id: z.string().trim(),
-  userName: z.string().trim(),
-  name: z
-    .object({
-      familyName: z.string().trim().optional(),
-      givenName: z.string().trim().optional()
-    })
-    .optional(),
-  emails: z
-    .array(
-      z.object({
-        primary: z.boolean(),
-        value: z.string().email(),
-        type: z.string().trim()
-      })
-    )
-    .optional(),
-  displayName: z.string().trim(),
-  active: z.boolean()
-});
-
-const ScimGroupSchema = z.object({
-  schemas: z.array(z.string()),
-  id: z.string().trim(),
-  displayName: z.string().trim(),
-  members: z
-    .array(
-      z.object({
-        value: z.string(),
-        display: z.string().optional()
-      })
-    )
-    .optional(),
-  meta: z.object({
-    resourceType: z.string().trim()
-  })
-});
-
 export const registerScimRouter = async (server: FastifyZodProvider) => {
+  server.addContentTypeParser("application/scim+json", { parseAs: "string" }, (_, body, done) => {
+    try {
+      const strBody = body instanceof Buffer ? body.toString() : body;
+
+      const json: unknown = JSON.parse(strBody);
+      done(null, json);
+    } catch (err) {
+      const error = err as Error;
+      done(error, undefined);
+    }
+  });
+
  server.route({
    url: "/scim-tokens",
    method: "POST",
@ -152,7 +124,25 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          Resources: z.array(ScimUserSchema),
+          Resources: z.array(
+            z.object({
+              id: z.string().trim(),
+              userName: z.string().trim(),
+              name: z.object({
+                familyName: z.string().trim(),
+                givenName: z.string().trim()
+              }),
+              emails: z.array(
+                z.object({
+                  primary: z.boolean(),
+                  value: z.string(),
+                  type: z.string().trim()
+                })
+              ),
+              displayName: z.string().trim(),
+              active: z.boolean()
+            })
+          ),
          itemsPerPage: z.number(),
          schemas: z.array(z.string()),
          startIndex: z.number(),
@ -180,7 +170,30 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        orgMembershipId: z.string().trim()
      }),
      response: {
-        200: ScimUserSchema
+        201: z.object({
+          schemas: z.array(z.string()),
+          id: z.string().trim(),
+          userName: z.string().trim(),
+          name: z.object({
+            familyName: z.string().trim(),
+            givenName: z.string().trim()
+          }),
+          emails: z.array(
+            z.object({
+              primary: z.boolean(),
+              value: z.string(),
+              type: z.string().trim()
+            })
+          ),
+          displayName: z.string().trim(),
+          active: z.boolean(),
+          groups: z.array(
+            z.object({
+              value: z.string().trim(),
+              display: z.string().trim()
+            })
+          )
+        })
      }
    },
    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
@ -200,12 +213,10 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
      body: z.object({
        schemas: z.array(z.string()),
        userName: z.string().trim(),
-        name: z
-          .object({
-            familyName: z.string().trim().optional(),
-            givenName: z.string().trim().optional()
-          })
-          .optional(),
+        name: z.object({
+          familyName: z.string().trim(),
+          givenName: z.string().trim()
+        }),
        emails: z
          .array(
            z.object({
@ -215,10 +226,28 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
            })
          )
          .optional(),
-        active: z.boolean().default(true)
+        // displayName: z.string().trim(),
+        active: z.boolean()
      }),
      response: {
-        200: ScimUserSchema
+        200: z.object({
+          schemas: z.array(z.string()),
+          id: z.string().trim(),
+          userName: z.string().trim(),
+          name: z.object({
+            familyName: z.string().trim(),
+            givenName: z.string().trim()
+          }),
+          emails: z.array(
+            z.object({
+              primary: z.boolean(),
+              value: z.string().email(),
+              type: z.string().trim()
+            })
+          ),
+          displayName: z.string().trim(),
+          active: z.boolean()
+        })
      }
    },
    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
@ -228,8 +257,8 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
      const user = await req.server.services.scim.createScimUser({
        externalId: req.body.userName,
        email: primaryEmail,
-        firstName: req.body?.name?.givenName,
-        lastName: req.body?.name?.familyName,
+        firstName: req.body.name.givenName,
+        lastName: req.body.name.familyName,
        orgId: req.permission.orgId
      });

@ -259,116 +288,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    }
  });

-  server.route({
-    url: "/Users/:orgMembershipId",
-    method: "PUT",
-    schema: {
-      params: z.object({
-        orgMembershipId: z.string().trim()
-      }),
-      body: z.object({
-        schemas: z.array(z.string()),
-        id: z.string().trim(),
-        userName: z.string().trim(),
-        name: z
-          .object({
-            familyName: z.string().trim().optional(),
-            givenName: z.string().trim().optional()
-          })
-          .optional(),
-        displayName: z.string().trim(),
-        emails: z
-          .array(
-            z.object({
-              primary: z.boolean(),
-              value: z.string().email(),
-              type: z.string().trim()
-            })
-          )
-          .optional(),
-        active: z.boolean()
-      }),
-      response: {
-        200: z.object({
-          schemas: z.array(z.string()),
-          id: z.string().trim(),
-          userName: z.string().trim(),
-          name: z.object({
-            familyName: z.string().trim(),
-            givenName: z.string().trim()
-          }),
-          emails: z.array(
-            z.object({
-              primary: z.boolean(),
-              value: z.string().email(),
-              type: z.string().trim()
-            })
-          ),
-          displayName: z.string().trim(),
-          active: z.boolean()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
-    handler: async (req) => {
-      const primaryEmail = req.body.emails?.find((email) => email.primary)?.value;
-      const user = await req.server.services.scim.replaceScimUser({
-        orgMembershipId: req.params.orgMembershipId,
-        orgId: req.permission.orgId,
-        firstName: req.body?.name?.givenName,
-        lastName: req.body?.name?.familyName,
-        active: req.body?.active,
-        email: primaryEmail,
-        externalId: req.body.userName
-      });
-      return user;
-    }
-  });
-
-  server.route({
-    url: "/Users/:orgMembershipId",
-    method: "PATCH",
-    schema: {
-      params: z.object({
-        orgMembershipId: z.string().trim()
-      }),
-      body: z.object({
-        schemas: z.array(z.string()),
-        Operations: z.array(
-          z.union([
-            z.object({
-              op: z.union([z.literal("remove"), z.literal("Remove")]),
-              path: z.string().trim(),
-              value: z
-                .object({
-                  value: z.string()
-                })
-                .array()
-                .optional()
-            }),
-            z.object({
-              op: z.union([z.literal("add"), z.literal("Add"), z.literal("replace"), z.literal("Replace")]),
-              path: z.string().trim().optional(),
-              value: z.any().optional()
-            })
-          ])
-        )
-      }),
-      response: {
-        200: ScimUserSchema
-      }
-    },
-    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
-    handler: async (req) => {
-      const user = await req.server.services.scim.updateScimUser({
-        orgMembershipId: req.params.orgMembershipId,
-        orgId: req.permission.orgId,
-        operations: req.body.Operations
-      });
-
-      return user;
-    }
-  });
  server.route({
    url: "/Groups",
    method: "POST",
@ -383,10 +302,25 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
              display: z.string()
            })
          )
-          .optional()
+          .optional() // okta-specific
      }),
      response: {
-        200: ScimGroupSchema
+        200: z.object({
+          schemas: z.array(z.string()),
+          id: z.string().trim(),
+          displayName: z.string().trim(),
+          members: z
+            .array(
+              z.object({
+                value: z.string(),
+                display: z.string()
+              })
+            )
+            .optional(),
+          meta: z.object({
+            resourceType: z.string().trim()
+          })
+        })
      }
    },
    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
@ -407,12 +341,21 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
      querystring: z.object({
        startIndex: z.coerce.number().default(1),
        count: z.coerce.number().default(20),
-        filter: z.string().trim().optional(),
-        excludedAttributes: z.string().trim().optional()
+        filter: z.string().trim().optional()
      }),
      response: {
        200: z.object({
-          Resources: z.array(ScimGroupSchema),
+          Resources: z.array(
+            z.object({
+              schemas: z.array(z.string()),
+              id: z.string().trim(),
+              displayName: z.string().trim(),
+              members: z.array(z.any()).length(0),
+              meta: z.object({
+                resourceType: z.string().trim()
+              })
+            })
+          ),
          itemsPerPage: z.number(),
          schemas: z.array(z.string()),
          startIndex: z.number(),
@ -426,8 +369,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        orgId: req.permission.orgId,
        startIndex: req.query.startIndex,
        filter: req.query.filter,
-        limit: req.query.count,
-        isMembersExcluded: req.query.excludedAttributes === "members"
+        limit: req.query.count
      });

      return groups;
@ -442,7 +384,20 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        groupId: z.string().trim()
      }),
      response: {
-        200: ScimGroupSchema
+        200: z.object({
+          schemas: z.array(z.string()),
+          id: z.string().trim(),
+          displayName: z.string().trim(),
+          members: z.array(
+            z.object({
+              value: z.string(),
+              display: z.string()
+            })
+          ),
+          meta: z.object({
+            resourceType: z.string().trim()
+          })
+        })
      }
    },
    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
@ -451,7 +406,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        groupId: req.params.groupId,
        orgId: req.permission.orgId
      });
-
      return group;
    }
  });
@ -469,18 +423,31 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        displayName: z.string().trim(),
        members: z.array(
          z.object({
-            value: z.string(),
+            value: z.string(), // infisical orgMembershipId
            display: z.string()
          })
        )
      }),
      response: {
-        200: ScimGroupSchema
+        200: z.object({
+          schemas: z.array(z.string()),
+          id: z.string().trim(),
+          displayName: z.string().trim(),
+          members: z.array(
+            z.object({
+              value: z.string(),
+              display: z.string()
+            })
+          ),
+          meta: z.object({
+            resourceType: z.string().trim()
+          })
+        })
      }
    },
    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
    handler: async (req) => {
-      const group = await req.server.services.scim.replaceScimGroup({
+      const group = await req.server.services.scim.updateScimGroupNamePut({
        groupId: req.params.groupId,
        orgId: req.permission.orgId,
        ...req.body
@ -502,34 +469,54 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        Operations: z.array(
          z.union([
            z.object({
-              op: z.union([z.literal("remove"), z.literal("Remove")]),
-              path: z.string().trim(),
-              value: z
-                .object({
-                  value: z.string()
-                })
-                .array()
-                .optional()
+              op: z.literal("replace"),
+              value: z.object({
+                id: z.string().trim(),
+                displayName: z.string().trim()
+              })
            }),
            z.object({
-              op: z.union([z.literal("add"), z.literal("Add"), z.literal("replace"), z.literal("Replace")]),
-              path: z.string().trim().optional(),
-              value: z.any()
+              op: z.literal("remove"),
+              path: z.string().trim()
+            }),
+            z.object({
+              op: z.literal("add"),
+              path: z.string().trim(),
+              value: z.array(
+                z.object({
+                  value: z.string().trim(),
+                  display: z.string().trim().optional()
+                })
+              )
            })
          ])
        )
      }),
      response: {
-        200: ScimGroupSchema
+        200: z.object({
+          schemas: z.array(z.string()),
+          id: z.string().trim(),
+          displayName: z.string().trim(),
+          members: z.array(
+            z.object({
+              value: z.string(),
+              display: z.string()
+            })
+          ),
+          meta: z.object({
+            resourceType: z.string().trim()
+          })
+        })
      }
    },
    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
    handler: async (req) => {
-      const group = await req.server.services.scim.updateScimGroup({
+      const group = await req.server.services.scim.updateScimGroupNamePatch({
        groupId: req.params.groupId,
        orgId: req.permission.orgId,
        operations: req.body.Operations
      });
+
      return group;
    }
  });
@ -555,4 +542,60 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
      return group;
    }
  });
+
+  server.route({
+    url: "/Users/:orgMembershipId",
+    method: "PUT",
+    schema: {
+      params: z.object({
+        orgMembershipId: z.string().trim()
+      }),
+      body: z.object({
+        schemas: z.array(z.string()),
+        id: z.string().trim(),
+        userName: z.string().trim(),
+        name: z.object({
+          familyName: z.string().trim(),
+          givenName: z.string().trim()
+        }),
+        displayName: z.string().trim(),
+        active: z.boolean()
+      }),
+      response: {
+        200: z.object({
+          schemas: z.array(z.string()),
+          id: z.string().trim(),
+          userName: z.string().trim(),
+          name: z.object({
+            familyName: z.string().trim(),
+            givenName: z.string().trim()
+          }),
+          emails: z.array(
+            z.object({
+              primary: z.boolean(),
+              value: z.string().email(),
+              type: z.string().trim()
+            })
+          ),
+          displayName: z.string().trim(),
+          active: z.boolean(),
+          groups: z.array(
+            z.object({
+              value: z.string().trim(),
+              display: z.string().trim()
+            })
+          )
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
+    handler: async (req) => {
+      const user = await req.server.services.scim.replaceScimUser({
+        orgMembershipId: req.params.orgMembershipId,
+        orgId: req.permission.orgId,
+        active: req.body.active
+      });
+      return user;
+    }
+  });
 };
--- a/backend/src/ee/routes/v1/secret-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-policy-router.ts
@ -1,9 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";

-import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
-import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
@ -17,33 +15,30 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      rateLimit: writeLimit
    },
    schema: {
-      body: z.object({
-        workspaceId: z.string(),
-        name: z.string().optional(),
-        environment: z.string(),
-        secretPath: z
-          .string()
-          .optional()
-          .nullable()
-          .default("/")
-          .transform((val) => (val ? removeTrailingSlash(val) : val)),
-        approvers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
-          ])
-          .array()
-          .min(1, { message: "At least one approver should be provided" }),
-        approvals: z.number().min(1).default(1),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-      }),
+      body: z
+        .object({
+          workspaceId: z.string(),
+          name: z.string().optional(),
+          environment: z.string(),
+          secretPath: z
+            .string()
+            .optional()
+            .nullable()
+            .transform((val) => (val ? removeTrailingSlash(val) : val)),
+          approverUserIds: z.string().array().min(1),
+          approvals: z.number().min(1).default(1)
+        })
+        .refine((data) => data.approvals <= data.approverUserIds.length, {
+          path: ["approvals"],
+          message: "The number of approvals should be lower than the number of approvers."
+        }),
      response: {
        200: z.object({
          approval: sapPubSchema
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const approval = await server.services.secretApprovalPolicy.createSecretApprovalPolicy({
        actor: req.permission.type,
@ -52,8 +47,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        actorOrgId: req.permission.orgId,
        projectId: req.body.workspaceId,
        ...req.body,
-        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
-        enforcementLevel: req.body.enforcementLevel
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`
      });
      return { approval };
    }
@ -69,31 +63,28 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      params: z.object({
        sapId: z.string()
      }),
-      body: z.object({
-        name: z.string().optional(),
-        approvers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
-          ])
-          .array()
-          .min(1, { message: "At least one approver should be provided" }),
-        approvals: z.number().min(1).default(1),
-        secretPath: z
-          .string()
-          .optional()
-          .nullable()
-          .transform((val) => (val ? removeTrailingSlash(val) : val))
-          .transform((val) => (val === "" ? "/" : val)),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
-      }),
+      body: z
+        .object({
+          name: z.string().optional(),
+          approverUserIds: z.string().array().min(1),
+          approvals: z.number().min(1).default(1),
+          secretPath: z
+            .string()
+            .optional()
+            .nullable()
+            .transform((val) => (val ? removeTrailingSlash(val) : val))
+        })
+        .refine((data) => data.approvals <= data.approverUserIds.length, {
+          path: ["approvals"],
+          message: "The number of approvals should be lower than the number of approvers."
+        }),
      response: {
        200: z.object({
          approval: sapPubSchema
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const approval = await server.services.secretApprovalPolicy.updateSecretApprovalPolicy({
        actor: req.permission.type,
@ -123,7 +114,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const approval = await server.services.secretApprovalPolicy.deleteSecretApprovalPolicy({
        actor: req.permission.type,
@ -150,10 +141,9 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        200: z.object({
          approvals: sapPubSchema
            .extend({
-              approvers: z
+              userApprovers: z
                .object({
-                  id: z.string().nullable().optional(),
-                  type: z.nativeEnum(ApproverType)
+                  userId: z.string()
                })
                .array()
            })
@ -174,44 +164,6 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
    }
  });

-  server.route({
-    url: "/:sapId",
-    method: "GET",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        sapId: z.string()
-      }),
-      response: {
-        200: z.object({
-          approval: sapPubSchema.extend({
-            approvers: z
-              .object({
-                id: z.string().nullable().optional(),
-                type: z.nativeEnum(ApproverType),
-                name: z.string().nullable().optional()
-              })
-              .array()
-          })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const approval = await server.services.secretApprovalPolicy.getSecretApprovalPolicyById({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.params
-      });
-
-      return { approval };
-    }
-  });
-
  server.route({
    url: "/board",
    method: "GET",
@ -228,7 +180,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        200: z.object({
          policy: sapPubSchema
            .extend({
-              userApprovers: z.object({ userId: z.string().nullable().optional() }).array()
+              userApprovers: z.object({ userId: z.string() }).array()
            })
            .optional()
        })
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -13,7 +13,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";

-const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
+const approvalRequestUser = z.object({ userId: z.string() }).merge(
  UsersSchema.pick({
    email: true,
    firstName: true,
@ -46,23 +46,14 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
              id: z.string(),
              name: z.string(),
              approvals: z.number(),
-              approvers: z
-                .object({
-                  userId: z.string().nullable().optional()
-                })
-                .array(),
-              secretPath: z.string().optional().nullable(),
-              enforcementLevel: z.string()
+              approvers: z.string().array(),
+              secretPath: z.string().optional().nullable()
            }),
            committerUser: approvalRequestUser,
            commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
            environment: z.string(),
            reviewers: z.object({ userId: z.string(), status: z.string() }).array(),
-            approvers: z
-              .object({
-                userId: z.string().nullable().optional()
-              })
-              .array()
+            approvers: z.string().array()
          }).array()
        })
      }
@ -123,9 +114,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      params: z.object({
        id: z.string()
      }),
-      body: z.object({
-        bypassReason: z.string().optional()
-      }),
      response: {
        200: z.object({
          approval: SecretApprovalRequestsSchema
@ -139,8 +127,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        approvalId: req.params.id,
-        bypassReason: req.body.bypassReason
+        approvalId: req.params.id
      });
      return { approval };
    }
@ -259,8 +246,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                name: z.string(),
                approvals: z.number(),
                approvers: approvalRequestUser.array(),
-                secretPath: z.string().optional().nullable(),
-                enforcementLevel: z.string()
+                secretPath: z.string().optional().nullable()
              }),
              environment: z.string(),
              statusChangedByUser: approvalRequestUser.optional(),
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
@ -1,42 +1,26 @@
 import { Knex } from "knex";

 import { TDbClient } from "@app/db";
-import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies } from "@app/db/schemas";
+import { TableName, TAccessApprovalPolicies } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
-
-import { ApproverType } from "./access-approval-policy-types";
+import { buildFindFilter, mergeOneToManyRelation, ormify, selectAllTableCols, TFindFilter } from "@app/lib/knex";

 export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;

 export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
  const accessApprovalPolicyOrm = ormify(db, TableName.AccessApprovalPolicy);

-  const accessApprovalPolicyFindQuery = async (
-    tx: Knex,
-    filter: TFindFilter<TAccessApprovalPolicies>,
-    customFilter?: {
-      policyId?: string;
-    }
-  ) => {
+  const accessApprovalPolicyFindQuery = async (tx: Knex, filter: TFindFilter<TAccessApprovalPolicies>) => {
    const result = await tx(TableName.AccessApprovalPolicy)
      // eslint-disable-next-line
      .where(buildFindFilter(filter))
-      .where((qb) => {
-        if (customFilter?.policyId) {
-          void qb.where(`${TableName.AccessApprovalPolicy}.id`, "=", customFilter.policyId);
-        }
-      })
      .join(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
-      .leftJoin(
+      .join(
        TableName.AccessApprovalPolicyApprover,
        `${TableName.AccessApprovalPolicy}.id`,
        `${TableName.AccessApprovalPolicyApprover}.policyId`
      )
-      .leftJoin(TableName.Users, `${TableName.AccessApprovalPolicyApprover}.approverUserId`, `${TableName.Users}.id`)
-      .select(tx.ref("username").withSchema(TableName.Users).as("approverUsername"))
-      .select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
-      .select(tx.ref("approverGroupId").withSchema(TableName.AccessApprovalPolicyApprover))
+      .select(tx.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover))
      .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
      .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
@ -46,94 +30,43 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
    return result;
  };

-  const findById = async (policyId: string, tx?: Knex) => {
+  const findById = async (id: string, tx?: Knex) => {
    try {
      const doc = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), {
-        [`${TableName.AccessApprovalPolicy}.id` as "id"]: policyId
+        [`${TableName.AccessApprovalPolicy}.id` as "id"]: id
      });
-      const formattedDoc = sqlNestRelationships({
-        data: doc,
-        key: "id",
-        parentMapper: (data) => ({
-          environment: {
-            id: data.envId,
-            name: data.envName,
-            slug: data.envSlug
-          },
-          projectId: data.projectId,
-          ...AccessApprovalPoliciesSchema.parse(data)
+      const formatedDoc = mergeOneToManyRelation(
+        doc,
+        "id",
+        ({ approverId, envId, envName: name, envSlug: slug, ...el }) => ({
+          ...el,
+          envId,
+          environment: { id: envId, name, slug }
        }),
-        childrenMapper: [
-          {
-            key: "approverUserId",
-            label: "approvers" as const,
-            mapper: ({ approverUserId: id }) => ({
-              id,
-              type: "user"
-            })
-          },
-          {
-            key: "approverGroupId",
-            label: "approvers" as const,
-            mapper: ({ approverGroupId: id }) => ({
-              id,
-              type: "group"
-            })
-          }
-        ]
-      });
-
-      return formattedDoc?.[0];
+        ({ approverId }) => approverId,
+        "approvers"
+      );
+      return formatedDoc?.[0];
    } catch (error) {
      throw new DatabaseError({ error, name: "FindById" });
    }
  };

-  const find = async (
-    filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>,
-    customFilter?: {
-      policyId?: string;
-    },
-    tx?: Knex
-  ) => {
+  const find = async (filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>, tx?: Knex) => {
    try {
-      const docs = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), filter, customFilter);
-
-      const formattedDocs = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (data) => ({
-          environment: {
-            id: data.envId,
-            name: data.envName,
-            slug: data.envSlug
-          },
-          projectId: data.projectId,
-          ...AccessApprovalPoliciesSchema.parse(data)
-          // secretPath: data.secretPath || undefined,
+      const docs = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), filter);
+      const formatedDoc = mergeOneToManyRelation(
+        docs,
+        "id",
+        ({ approverId, envId, envName: name, envSlug: slug, ...el }) => ({
+          ...el,
+          envId,
+          environment: { id: envId, name, slug }
        }),
-        childrenMapper: [
-          {
-            key: "approverUserId",
-            label: "approvers" as const,
-            mapper: ({ approverUserId: id, approverUsername }) => ({
-              id,
-              type: ApproverType.User,
-              name: approverUsername
-            })
-          },
-          {
-            key: "approverGroupId",
-            label: "approvers" as const,
-            mapper: ({ approverGroupId: id }) => ({
-              id,
-              type: ApproverType.Group
-            })
-          }
-        ]
-      });
-
-      return formattedDocs;
+        ({ approverId }) => approverId,
+        "approvers"
+      );
+      return formatedDoc.map((policy) => ({ ...policy, secretPath: policy.secretPath || undefined }));
    } catch (error) {
      throw new DatabaseError({ error, name: "Find" });
    }
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts
@ -1,11 +1,12 @@
 import { ForbiddenError, subject } from "@casl/ability";

+import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";

 import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
-import { TIsApproversValid } from "./access-approval-policy-types";
+import { TVerifyApprovers } from "./access-approval-policy-types";

-export const isApproversValid = async ({
+export const verifyApprovers = async ({
  userIds,
  projectId,
  orgId,
@ -13,9 +14,9 @@ export const isApproversValid = async ({
  actorAuthMethod,
  secretPath,
  permissionService
-}: TIsApproversValid) => {
-  try {
-    for await (const userId of userIds) {
+}: TVerifyApprovers) => {
+  for await (const userId of userIds) {
+    try {
      const { permission: approverPermission } = await permissionService.getProjectPermission(
        ActorType.USER,
        userId,
@ -28,9 +29,8 @@ export const isApproversValid = async ({
        ProjectPermissionActions.Create,
        subject(ProjectPermissionSub.Secrets, { environment: envSlug, secretPath })
      );
+    } catch (err) {
+      throw new BadRequestError({ message: "One or more approvers doesn't have access to be specified secret path" });
    }
-  } catch {
-    return false;
  }
-  return true;
 };
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@ -2,21 +2,17 @@ import { ForbiddenError } from "@casl/ability";

 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
-import { TUserDALFactory } from "@app/services/user/user-dal";

-import { TGroupDALFactory } from "../group/group-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
-import { isApproversValid } from "./access-approval-policy-fns";
+import { verifyApprovers } from "./access-approval-policy-fns";
 import {
-  ApproverType,
  TCreateAccessApprovalPolicy,
  TDeleteAccessApprovalPolicy,
-  TGetAccessApprovalPolicyByIdDTO,
  TGetAccessPolicyCountByEnvironmentDTO,
  TListAccessApprovalPoliciesDTO,
  TUpdateAccessApprovalPolicy
@ -29,8 +25,6 @@ type TSecretApprovalPolicyServiceFactoryDep = {
  projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
  accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
-  groupDAL: TGroupDALFactory;
-  userDAL: Pick<TUserDALFactory, "find">;
 };

 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@ -38,11 +32,10 @@ export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprov
 export const accessApprovalPolicyServiceFactory = ({
  accessApprovalPolicyDAL,
  accessApprovalPolicyApproverDAL,
-  groupDAL,
  permissionService,
  projectEnvDAL,
  projectDAL,
-  userDAL
+  projectMembershipDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
  const createAccessApprovalPolicy = async ({
    name,
@ -54,27 +47,12 @@ export const accessApprovalPolicyServiceFactory = ({
    approvals,
    approvers,
    projectSlug,
-    environment,
-    enforcementLevel
+    environment
  }: TCreateAccessApprovalPolicy) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new NotFoundError({ message: "Project not found" });
+    if (!project) throw new BadRequestError({ message: "Project not found" });

-    // If there is a group approver people might be added to the group later to meet the approvers quota
-    const groupApprovers = approvers
-      .filter((approver) => approver.type === ApproverType.Group)
-      .map((approver) => approver.id) as string[];
-
-    const userApprovers = approvers
-      .filter((approver) => approver.type === ApproverType.User)
-      .map((approver) => approver.id)
-      .filter(Boolean) as string[];
-
-    const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
-      .filter(Boolean) as string[];
-
-    if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
+    if (approvals > approvers.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });

    const { permission } = await permissionService.getProjectPermission(
@ -89,96 +67,44 @@ export const accessApprovalPolicyServiceFactory = ({
      ProjectPermissionSub.SecretApproval
    );
    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
-    if (!env) throw new NotFoundError({ message: "Environment not found" });
+    if (!env) throw new BadRequestError({ message: "Environment not found" });

-    let approverUserIds = userApprovers;
-    if (userApproverNames.length) {
-      const approverUsers = await userDAL.find({
-        $in: {
-          username: userApproverNames
-        }
-      });
+    const secretApprovers = await projectMembershipDAL.find({
+      projectId: project.id,
+      $in: { id: approvers }
+    });

-      const approverNamesFromDb = approverUsers.map((user) => user.username);
-      const invalidUsernames = userApproverNames.filter((username) => !approverNamesFromDb.includes(username));
-
-      if (invalidUsernames.length) {
-        throw new BadRequestError({
-          message: `Invalid approver user: ${invalidUsernames.join(", ")}`
-        });
-      }
-
-      approverUserIds = approverUserIds.concat(approverUsers.map((user) => user.id));
+    if (secretApprovers.length !== approvers.length) {
+      throw new BadRequestError({ message: "Approver not found in project" });
    }

-    const usersPromises: Promise<
-      {
-        id: string;
-        email: string | null | undefined;
-        username: string;
-        firstName: string | null | undefined;
-        lastName: string | null | undefined;
-        isPartOfGroup: boolean;
-      }[]
-    >[] = [];
-    const verifyAllApprovers = [...approverUserIds];
-
-    for (const groupId of groupApprovers) {
-      usersPromises.push(groupDAL.findAllGroupPossibleMembers({ orgId: actorOrgId, groupId, offset: 0 }));
-    }
-    const verifyGroupApprovers = (await Promise.all(usersPromises))
-      .flat()
-      .filter((user) => user.isPartOfGroup)
-      .map((user) => user.id);
-    verifyAllApprovers.push(...verifyGroupApprovers);
-
-    const approversValid = await isApproversValid({
+    await verifyApprovers({
      projectId: project.id,
      orgId: actorOrgId,
      envSlug: environment,
      secretPath,
      actorAuthMethod,
      permissionService,
-      userIds: verifyAllApprovers
+      userIds: secretApprovers.map((approver) => approver.userId)
    });

-    if (!approversValid) {
-      throw new BadRequestError({
-        message: "One or more approvers doesn't have access to be specified secret path"
-      });
-    }
-
    const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
      const doc = await accessApprovalPolicyDAL.create(
        {
          envId: env.id,
          approvals,
          secretPath,
-          name,
-          enforcementLevel
+          name
        },
        tx
      );
-      if (approverUserIds.length) {
-        await accessApprovalPolicyApproverDAL.insertMany(
-          approverUserIds.map((userId) => ({
-            approverUserId: userId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
-      if (groupApprovers) {
-        await accessApprovalPolicyApproverDAL.insertMany(
-          groupApprovers.map((groupId) => ({
-            approverGroupId: groupId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
+      await accessApprovalPolicyApproverDAL.insertMany(
+        secretApprovers.map(({ id }) => ({
+          approverId: id,
+          policyId: doc.id
+        })),
+        tx
+      );
      return doc;
    });
    return { ...accessApproval, environment: env, projectId: project.id };
@ -192,7 +118,7 @@ export const accessApprovalPolicyServiceFactory = ({
    projectSlug
  }: TListAccessApprovalPoliciesDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new NotFoundError({ message: "Project not found" });
+    if (!project) throw new BadRequestError({ message: "Project not found" });

    // Anyone in the project should be able to get the policies.
    /* const { permission } = */ await permissionService.getProjectPermission(
@ -217,33 +143,10 @@ export const accessApprovalPolicyServiceFactory = ({
    actor,
    actorOrgId,
    actorAuthMethod,
-    approvals,
-    enforcementLevel
+    approvals
  }: TUpdateAccessApprovalPolicy) => {
-    const groupApprovers = approvers
-      .filter((approver) => approver.type === ApproverType.Group)
-      .map((approver) => approver.id) as string[];
-
-    const userApprovers = approvers
-      .filter((approver) => approver.type === ApproverType.User)
-      .map((approver) => approver.id)
-      .filter(Boolean) as string[];
-
-    const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
-      .filter(Boolean) as string[];
-
    const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    const currentAppovals = approvals || accessApprovalPolicy.approvals;
-    if (
-      groupApprovers?.length === 0 &&
-      userApprovers &&
-      currentAppovals > userApprovers.length + userApproverNames.length
-    ) {
-      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
-    }
-
-    if (!accessApprovalPolicy) throw new NotFoundError({ message: "Secret approval policy not found" });
+    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
@ -260,105 +163,41 @@ export const accessApprovalPolicyServiceFactory = ({
        {
          approvals,
          secretPath,
-          name,
-          enforcementLevel
+          name
        },
        tx
      );
-
-      await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
-
-      if (userApprovers.length || userApproverNames.length) {
-        let userApproverIds = userApprovers;
-        if (userApproverNames.length) {
-          const approverUsers = await userDAL.find({
-            $in: {
-              username: userApproverNames
-            }
-          });
-
-          const approverNamesFromDb = approverUsers.map((user) => user.username);
-          const invalidUsernames = userApproverNames.filter((username) => !approverNamesFromDb.includes(username));
-
-          if (invalidUsernames.length) {
-            throw new BadRequestError({
-              message: `Invalid approver user: ${invalidUsernames.join(", ")}`
-            });
-          }
-
-          userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
-        }
-
-        const approversValid = await isApproversValid({
-          projectId: accessApprovalPolicy.projectId,
-          orgId: actorOrgId,
-          envSlug: accessApprovalPolicy.environment.slug,
-          secretPath: doc.secretPath!,
-          actorAuthMethod,
-          permissionService,
-          userIds: userApproverIds
-        });
-
-        if (!approversValid) {
-          throw new BadRequestError({
-            message: "One or more approvers doesn't have access to be specified secret path"
-          });
-        }
-
-        await accessApprovalPolicyApproverDAL.insertMany(
-          userApproverIds.map((userId) => ({
-            approverUserId: userId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
-      if (groupApprovers) {
-        const usersPromises: Promise<
+      if (approvers) {
+        // Find the workspace project memberships of the users passed in the approvers array
+        const secretApprovers = await projectMembershipDAL.find(
          {
-            id: string;
-            email: string | null | undefined;
-            username: string;
-            firstName: string | null | undefined;
-            lastName: string | null | undefined;
-            isPartOfGroup: boolean;
-          }[]
-        >[] = [];
+            projectId: accessApprovalPolicy.projectId,
+            $in: { id: approvers }
+          },
+          { tx }
+        );

-        for (const groupId of groupApprovers) {
-          usersPromises.push(groupDAL.findAllGroupPossibleMembers({ orgId: actorOrgId, groupId, offset: 0 }));
-        }
-        const verifyGroupApprovers = (await Promise.all(usersPromises))
-          .flat()
-          .filter((user) => user.isPartOfGroup)
-          .map((user) => user.id);
-
-        const approversValid = await isApproversValid({
+        await verifyApprovers({
          projectId: accessApprovalPolicy.projectId,
          orgId: actorOrgId,
          envSlug: accessApprovalPolicy.environment.slug,
          secretPath: doc.secretPath!,
          actorAuthMethod,
          permissionService,
-          userIds: verifyGroupApprovers
+          userIds: secretApprovers.map((approver) => approver.userId)
        });

-        if (!approversValid) {
-          throw new BadRequestError({
-            message: "One or more approvers doesn't have access to be specified secret path"
-          });
-        }
-
+        if (secretApprovers.length !== approvers.length)
+          throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
+        await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
        await accessApprovalPolicyApproverDAL.insertMany(
-          groupApprovers.map((groupId) => ({
-            approverGroupId: groupId,
+          secretApprovers.map(({ id }) => ({
+            approverId: id,
            policyId: doc.id
          })),
          tx
        );
      }
-
      return doc;
    });
    return {
@ -376,7 +215,7 @@ export const accessApprovalPolicyServiceFactory = ({
    actorOrgId
  }: TDeleteAccessApprovalPolicy) => {
    const policy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!policy) throw new NotFoundError({ message: "Secret approval policy not found" });
+    if (!policy) throw new BadRequestError({ message: "Secret approval policy not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -404,7 +243,7 @@ export const accessApprovalPolicyServiceFactory = ({
  }: TGetAccessPolicyCountByEnvironmentDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);

-    if (!project) throw new NotFoundError({ message: "Project not found" });
+    if (!project) throw new BadRequestError({ message: "Project not found" });

    const { membership } = await permissionService.getProjectPermission(
      actor,
@ -413,53 +252,22 @@ export const accessApprovalPolicyServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) {
-      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
-    }
+    if (!membership) throw new BadRequestError({ message: "User not found in project" });

    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
-    if (!environment) throw new NotFoundError({ message: "Environment not found" });
+    if (!environment) throw new BadRequestError({ message: "Environment not found" });

    const policies = await accessApprovalPolicyDAL.find({ envId: environment.id, projectId: project.id });
-    if (!policies) throw new NotFoundError({ message: "No policies found" });
+    if (!policies) throw new BadRequestError({ message: "No policies found" });

    return { count: policies.length };
  };

-  const getAccessApprovalPolicyById = async ({
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    policyId
-  }: TGetAccessApprovalPolicyByIdDTO) => {
-    const [policy] = await accessApprovalPolicyDAL.find({}, { policyId });
-
-    if (!policy) {
-      throw new NotFoundError({
-        message: "Cannot find access approval policy"
-      });
-    }
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      policy.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
-
-    return policy;
-  };
-
  return {
    getAccessPolicyCountByEnvSlug,
    createAccessApprovalPolicy,
    deleteAccessApprovalPolicy,
    updateAccessApprovalPolicy,
-    getAccessApprovalPolicyByProjectSlug,
-    getAccessApprovalPolicyById
+    getAccessApprovalPolicyByProjectSlug
  };
 };
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Sheen Capadngan	4f5e9f7be1	misc: removed minimum requirements for kms description	2024-07-25 00:15:47 +08:00
Sheen Capadngan	2d1a553f14	misc: addressed minor kms issues	2024-07-24 23:45:38 +08:00
=	b4ae9b7299	feat: resolved bug reported on search and integration failing due to typo in integration field	2024-07-24 19:42:29 +05:30
=	e83a56735a	feat: added test case for secret v2 with raw endpoints	2024-07-24 15:38:45 +05:30
=	5564461294	feat: resolved failing testcases	2024-07-24 13:31:38 +05:30
=	857de5c4b5	feat: lint fix	2024-07-24 01:07:41 +05:30
=	e170062969	feat: updated kms service to return only kms details and some more minor changes	2024-07-24 00:56:23 +05:30
=	20cfee087b	feat: fixed secret approval for architecture v2	2024-07-23 22:35:06 +05:30
=	6b37a353e6	feat: secret v2 architecture for secret rotation	2024-07-23 22:35:06 +05:30
=	e9389d9b05	feat: testing v2 architecture changes and corrections as needed	2024-07-23 22:35:06 +05:30
=	2c1ee52dea	feat: ui removed all private key except secret rotation to raw endpoints version	2024-07-23 22:35:05 +05:30
=	8255d71711	feat: resolved concurrent bug with kms management	2024-07-23 22:35:05 +05:30
=	77e7ab9013	feat: resolved all ts issues on router schema and other functions	2024-07-23 22:34:07 +05:30
=	86daf2be00	feat: all the services are now working with secrets v2 architecture	2024-07-23 22:34:07 +05:30
=	a616f16bad	checkpoint	2024-07-23 22:34:07 +05:30
=	1b933f4e70	feat: added bridge logic in secret replication, snapshot and approval for raw endpoint	2024-07-23 22:34:07 +05:30
=	66156129e7	feat: migration updated for secret v2 snapshot and secret approval	2024-07-23 22:33:17 +05:30
=	fca21a0b97	feat: added kms encryption and decryption secret bridge	2024-07-23 22:33:17 +05:30
=	98e155498b	feat: created base for secret v2 bridge and plugged it to secret-router	2024-07-23 22:33:17 +05:30
=	cd089649d7	feat: added new secret v2 data structures	2024-07-23 22:33:17 +05:30
Akhil Mohan	8b4a100709	Merge pull request #2140 from Infisical/feat/integrate-external-kms feat: external kms integration	2024-07-23 22:31:12 +05:30
Sheen Capadngan	da8483cff6	misc: made kms description optional	2024-07-22 18:39:27 +08:00
Sheen Capadngan	d047be499b	doc: added aws permission setup doc for kms	2024-07-22 18:34:09 +08:00
Sheen Capadngan	3d30271ab3	Merge pull request #2158 from Infisical/doc/external-kms doc: initial docs for kms	2024-07-22 17:27:14 +08:00
Sheen Capadngan	9f73c77624	doc: initial docs for kms	2024-07-22 17:25:50 +08:00
Sheen Capadngan	5b7afea3f5	misc: made kms hook generic	2024-07-22 14:17:07 +08:00
Sheen Capadngan	fe9318cf8d	misc: renamed project method	2024-07-20 02:56:04 +08:00
Sheen Capadngan	c5a9f36a0c	misc: removed kms from service	2024-07-20 02:52:34 +08:00
Sheen Capadngan	5bd6a193f4	misc: created abstraction for get kms by id	2024-07-20 02:33:16 +08:00
Sheen Capadngan	9ac17718b3	misc: modified design of advanced settings	2024-07-20 02:07:35 +08:00
Sheen Capadngan	b9f35d16a5	misc: finalized project backup prompts	2024-07-20 01:25:00 +08:00
Sheen Capadngan	5e9929a9d5	misc: added empty metadata	2024-07-20 01:23:54 +08:00
Sheen Capadngan	c2870dffcd	misc: added ability for users to select KMS during project creation	2024-07-20 00:47:48 +08:00
Sheen Capadngan	e9ee38fb54	misc: modified modal text	2024-07-19 19:45:17 +08:00
Sheen Capadngan	9d88caf66b	misc: addressed type issue with audit log	2024-07-19 19:43:07 +08:00
Sheen Capadngan	7ef4b68503	feat: load project kms backup	2024-07-19 19:37:25 +08:00
Sheen Capadngan	d2456b5bd8	misc: added UI for load backup	2024-07-19 17:09:14 +08:00
Sheen Capadngan	1b64cdf09c	misc: added audit logs for kms backup and other minor edits	2024-07-19 02:05:53 +08:00
Sheen Capadngan	73a00df439	misc: developed create kms backup feature	2024-07-19 01:31:13 +08:00
Sheen Capadngan	9f87689a8f	misc: made project key and data key creation concurrency safe	2024-07-18 22:44:32 +08:00
Sheen Capadngan	5d6bbdfd24	misc: made org key and data key concurrency safe	2024-07-18 22:06:07 +08:00
Sheen Capadngan	f1b5e6104c	misc: finalized switching of project KMS	2024-07-18 20:50:31 +08:00
Sheen Capadngan	73a552d60c	Merge pull request #2125 from akhilmhdh/feat/ui-secret-raw Migrated secret endpoints to raw endpoints in ui	2024-07-18 03:24:36 +08:00
Sheen Capadngan	0f7e055981	misc: partial project kms switch	2024-07-18 03:00:43 +08:00
Sheen Capadngan	2045305127	Merge branch 'secret-engine-v2-bridge' into feat/integrate-external-kms	2024-07-18 00:22:18 +08:00
Sheen Capadngan	6b6f8f5523	Merge pull request #2144 from Infisical/feat/add-project-data-key feat: added project data key	2024-07-18 00:20:36 +08:00
Sheen Capadngan	9860d15d33	Merge branch 'feat/add-project-data-key' into feat/integrate-external-kms	2024-07-17 23:42:06 +08:00
Sheen Capadngan	166de417f1	feat: added project data key	2024-07-17 23:19:32 +08:00
Sheen Capadngan	65f416378a	misc: changed order of aws validate connection and creation	2024-07-17 15:11:13 +08:00
Sheen Capadngan	de0b179b0c	misc: added audit logs for external kms	2024-07-17 13:39:47 +08:00
Sheen Capadngan	8b0c62fbdb	misc: added license checks for external kms management	2024-07-17 13:04:26 +08:00
Sheen Capadngan	0d512f041f	misc: migrated to dedicated org permissions for kms management	2024-07-17 12:43:55 +08:00
Sheen Capadngan	eb03fa4d4e	misc: minor UI updates	2024-07-17 00:40:54 +08:00
Sheen Capadngan	0a7a9b6c37	feat: finalized kms settings in org-level	2024-07-16 21:29:20 +08:00
Sheen Capadngan	a1bfbdf32e	misc: modified encryption/decryption of external kms config	2024-07-16 15:52:29 +08:00
=	df0c11471b	fix: resolving undefined secret key	2024-07-16 12:53:08 +05:30
Sheen Capadngan	a07983ddc8	Merge remote-tracking branch 'akhilmhdh/feat/aws-kms-sm' into feat/integrate-external-kms	2024-07-16 14:19:51 +08:00
Sheen Capadngan	b9d5330db6	Merge remote-tracking branch 'akhilmhdh/feat/aws-kms-sm' into feat/integrate-external-kms	2024-07-16 14:19:18 +08:00
Sheen Capadngan	538ca972e6	misc: connected aws add kms	2024-07-16 14:17:54 +08:00
Sheen Capadngan	9cce604ca8	feat: added initial aws form	2024-07-16 02:21:14 +08:00
=	2bfecdb095	refactor(ui): migrated secret endpoints of e2ee to raw	2024-07-15 23:15:37 +05:30
=	09dfdd93d1	feat: made raw secret endpoints and normal e2ee ones to be same functionality	2024-07-15 23:13:03 +05:30