remove debug console log

.env.example

@@ -23,7 +23,7 @@ REDIS_URL=redis://redis:6379
 # Required
 SITE_URL=http://localhost:8080
 
-# Mail/SMTP
+# Mail/SMTP 
 SMTP_HOST=
 SMTP_PORT=
 SMTP_FROM_ADDRESS=
@@ -107,10 +107,6 @@ INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
 INF_APP_CONNECTION_GITHUB_APP_ID=
 
-#gitlab app connection
-INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID=
-INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET=
-
 #github radar app connection
 INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_SECRET=
@@ -132,6 +128,3 @@ DATADOG_PROFILING_ENABLED=
 DATADOG_ENV=
 DATADOG_SERVICE=
 DATADOG_HOSTNAME=
-
-# kubernetes
-KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN=false

.github/workflows/release_build_infisical_cli.yml

@@ -83,7 +83,7 @@ jobs:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
   goreleaser:
-    runs-on: ubuntu-latest-8-cores
+    runs-on: ubuntu-latest
     needs: [cli-integration-tests]
     steps:
       - uses: actions/checkout@v3

.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml

@@ -51,18 +51,11 @@ jobs:
             --from-literal=ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218 \
             --from-literal=SITE_URL=http://localhost:8080
 
-      - name: Create bootstrap secret
-        run: |
-          kubectl create secret generic infisical-bootstrap-credentials \
-            --namespace infisical-standalone-postgres \
-            --from-literal=INFISICAL_ADMIN_EMAIL=admin@example.com \
-            --from-literal=INFISICAL_ADMIN_PASSWORD=admin-password
-
       - name: Run chart-testing (install)
         run: |
           ct install \
             --config ct.yaml \
             --charts helm-charts/infisical-standalone-postgres \
             --helm-extra-args="--timeout=300s" \
-            --helm-extra-set-args="--set ingress.nginx.enabled=false --set infisical.autoDatabaseSchemaMigration=false --set infisical.replicaCount=1 --set infisical.image.tag=v0.132.2-postgres --set infisical.autoBootstrap.enabled=true" \
+            --helm-extra-set-args="--set ingress.nginx.enabled=false --set infisical.autoDatabaseSchemaMigration=false --set infisical.replicaCount=1 --set infisical.image.tag=v0.132.2-postgres" \
             --namespace infisical-standalone-postgres

.infisicalignore

@@ -45,4 +45,3 @@ cli/detect/config/gitleaks.toml:gcp-api-key:582
 .github/workflows/helm-release-infisical-core.yml:generic-api-key:48
 .github/workflows/helm-release-infisical-core.yml:generic-api-key:47
 backend/src/services/smtp/smtp-service.ts:generic-api-key:79
-frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/CloudflarePagesSyncFields.tsx:cloudflare-api-key:7

Dockerfile.fips.standalone-infisical

@@ -19,7 +19,7 @@ WORKDIR /app
 
 # Copy dependencies
 COPY --from=frontend-dependencies /app/node_modules ./node_modules
-# Copy all files
+# Copy all files 
 COPY /frontend .
 
 ENV NODE_ENV production
@@ -32,7 +32,7 @@ ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
 ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -134,7 +134,7 @@ RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-li
 
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.41.89 \
+    && apt-get update && apt-get install -y infisical=0.41.2 \
     && rm -rf /var/lib/apt/lists/*
 
 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
@@ -155,7 +155,7 @@ ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
 ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
-WORKDIR /
+WORKDIR / 
 
 COPY --from=backend-runner /app /backend
 
@@ -166,9 +166,9 @@ ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 
 ENV PORT 8080
 ENV HOST=0.0.0.0
-ENV HTTPS_ENABLED false
+ENV HTTPS_ENABLED false 
 ENV NODE_ENV production
-ENV STANDALONE_BUILD true
+ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 ENV NODE_OPTIONS="--max-old-space-size=1024"

Dockerfile.standalone-infisical

@@ -20,7 +20,7 @@ WORKDIR /app
 
 # Copy dependencies
 COPY --from=frontend-dependencies /app/node_modules ./node_modules
-# Copy all files
+# Copy all files 
 COPY /frontend .
 
 ENV NODE_ENV production
@@ -33,8 +33,7 @@ ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
 ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
-ENV NODE_OPTIONS="--max-old-space-size=8192"
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -78,7 +77,6 @@ RUN npm ci --only-production
 COPY /backend .
 COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
 RUN npm i -D tsconfig-paths
-ENV NODE_OPTIONS="--max-old-space-size=8192"
 RUN npm run build
 
 # Production stage
@@ -130,7 +128,7 @@ RUN apt-get update && apt-get install -y \
 
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.41.89 \
+    && apt-get update && apt-get install -y infisical=0.41.2 \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /
@@ -166,9 +164,9 @@ ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 
 ENV PORT 8080
 ENV HOST=0.0.0.0
-ENV HTTPS_ENABLED false
+ENV HTTPS_ENABLED false 
 ENV NODE_ENV production
-ENV STANDALONE_BUILD true
+ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
 ENV NODE_OPTIONS="--max-old-space-size=1024"
 

backend/Dockerfile

@@ -9,7 +9,7 @@ RUN apt-get update && apt-get install -y \
     make \
     g++ \
     openssh-client \
-    openssl
+    openssl 
 
 # Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apt-get install -y \
@@ -55,10 +55,10 @@ COPY --from=build /app .
 # Install Infisical CLI
 RUN apt-get install -y curl bash && \
     curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
-    apt-get update && apt-get install -y infisical=0.41.89 git
+    apt-get update && apt-get install -y infisical=0.41.2 git
 
-HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \
-    CMD node healthcheck.js
+HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
+  CMD node healthcheck.js
 
 ENV HOST=0.0.0.0
 

backend/Dockerfile.dev

@@ -57,7 +57,7 @@ RUN mkdir -p /etc/softhsm2/tokens && \
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
     apt-get update && \
-    apt-get install -y infisical=0.41.89
+    apt-get install -y infisical=0.41.2
 
 WORKDIR /app
 

backend/Dockerfile.dev.fips

@@ -52,7 +52,7 @@ RUN apt-get install -y opensc
 
 RUN mkdir -p /etc/softhsm2/tokens && \
     softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
-
+    
 WORKDIR /openssl-build
 RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
     && tar -xf openssl-3.1.2.tar.gz \
@@ -66,7 +66,7 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
     apt-get update && \
-    apt-get install -y infisical=0.41.89
+    apt-get install -y infisical=0.41.2
 
 WORKDIR /app
 

backend/e2e-test/mocks/keystore.ts

@@ -8,9 +8,6 @@ import { Lock } from "@app/lib/red-lock";
 export const mockKeyStore = (): TKeyStoreFactory => {
   const store: Record<string, string | number | Buffer> = {};
 
-  const getRegex = (pattern: string) =>
-    new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
-
   return {
     setItem: async (key, value) => {
       store[key] = value;
@@ -26,7 +23,7 @@ export const mockKeyStore = (): TKeyStoreFactory => {
       return 1;
     },
     deleteItems: async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }) => {
-      const regex = getRegex(pattern);
+      const regex = new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
       let totalDeleted = 0;
       const keys = Object.keys(store);
 
@@ -56,27 +53,6 @@ export const mockKeyStore = (): TKeyStoreFactory => {
     incrementBy: async () => {
       return 1;
     },
-    getItems: async (keys) => {
-      const values = keys.map((key) => {
-        const value = store[key];
-        if (typeof value === "string") {
-          return value;
-        }
-        return null;
-      });
-      return values;
-    },
-    getKeysByPattern: async (pattern) => {
-      const regex = getRegex(pattern);
-      const keys = Object.keys(store);
-      return keys.filter((key) => regex.test(key));
-    },
-    deleteItemsByKeyIn: async (keys) => {
-      for (const key of keys) {
-        delete store[key];
-      }
-      return keys.length;
-    },
     acquireLock: () => {
       return Promise.resolve({
         release: () => {}

backend/package-lock.json

@@ -30,7 +30,6 @@
         "@fastify/static": "^7.0.4",
         "@fastify/swagger": "^8.14.0",
         "@fastify/swagger-ui": "^2.1.0",
-        "@gitbeaker/rest": "^42.5.0",
         "@google-cloud/kms": "^4.5.0",
         "@infisical/quic": "^1.0.8",
         "@node-saml/passport-saml": "^5.0.1",
@@ -7808,48 +7807,6 @@
         "p-limit": "^3.1.0"
       }
     },
-    "node_modules/@gitbeaker/core": {
-      "version": "42.5.0",
-      "resolved": "https://registry.npmjs.org/@gitbeaker/core/-/core-42.5.0.tgz",
-      "integrity": "sha512-rMWpOPaZi1iLiifnOIoVO57p2EmQQdfIwP4txqNyMvG4WjYP5Ez0U7jRD9Nra41x6K5kTPBZkuQcAdxVWRJcEQ==",
-      "license": "MIT",
-      "dependencies": {
-        "@gitbeaker/requester-utils": "^42.5.0",
-        "qs": "^6.12.2",
-        "xcase": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=18.20.0"
-      }
-    },
-    "node_modules/@gitbeaker/requester-utils": {
-      "version": "42.5.0",
-      "resolved": "https://registry.npmjs.org/@gitbeaker/requester-utils/-/requester-utils-42.5.0.tgz",
-      "integrity": "sha512-HLdLS9LPBMVQumvroQg/4qkphLDtwDB+ygEsrD2u4oYCMUtXV4V1xaVqU4yTXjbTJ5sItOtdB43vYRkBcgueBw==",
-      "license": "MIT",
-      "dependencies": {
-        "picomatch-browser": "^2.2.6",
-        "qs": "^6.12.2",
-        "rate-limiter-flexible": "^4.0.1",
-        "xcase": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=18.20.0"
-      }
-    },
-    "node_modules/@gitbeaker/rest": {
-      "version": "42.5.0",
-      "resolved": "https://registry.npmjs.org/@gitbeaker/rest/-/rest-42.5.0.tgz",
-      "integrity": "sha512-oC5cM6jS7aFOp0luTw5mWSRuMgdxwHRLZQ/aWkI+ETMfsprR/HyxsXfljlMY/XJ/fRxTbRJiodR5Axf66WjO3w==",
-      "license": "MIT",
-      "dependencies": {
-        "@gitbeaker/core": "^42.5.0",
-        "@gitbeaker/requester-utils": "^42.5.0"
-      },
-      "engines": {
-        "node": ">=18.20.0"
-      }
-    },
     "node_modules/@google-cloud/kms": {
       "version": "4.5.0",
       "resolved": "https://registry.npmjs.org/@google-cloud/kms/-/kms-4.5.0.tgz",
@@ -24671,18 +24628,6 @@
         "url": "https://github.com/sponsors/jonschlinkert"
       }
     },
-    "node_modules/picomatch-browser": {
-      "version": "2.2.6",
-      "resolved": "https://registry.npmjs.org/picomatch-browser/-/picomatch-browser-2.2.6.tgz",
-      "integrity": "sha512-0ypsOQt9D4e3hziV8O4elD9uN0z/jtUEfxVRtNaAAtXIyUx9m/SzlO020i8YNL2aL/E6blOvvHQcin6HZlFy/w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
     "node_modules/pify": {
       "version": "4.0.1",
       "resolved": "https://registry.npmjs.org/pify/-/pify-4.0.1.tgz",
@@ -25617,12 +25562,6 @@
         "node": ">= 0.6"
       }
     },
-    "node_modules/rate-limiter-flexible": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/rate-limiter-flexible/-/rate-limiter-flexible-4.0.1.tgz",
-      "integrity": "sha512-2/dGHpDFpeA0+755oUkW+EKyklqLS9lu0go9pDsbhqQjZcxfRyJ6LA4JI0+HAdZ2bemD/oOjUeZQB2lCZqXQfQ==",
-      "license": "ISC"
-    },
     "node_modules/raw-body": {
       "version": "2.5.2",
       "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz",
@@ -31100,12 +31039,6 @@
         }
       }
     },
-    "node_modules/xcase": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/xcase/-/xcase-2.0.1.tgz",
-      "integrity": "sha512-UmFXIPU+9Eg3E9m/728Bii0lAIuoc+6nbrNUKaRPJOFp91ih44qqGlWtxMB6kXFrRD6po+86ksHM5XHCfk6iPw==",
-      "license": "MIT"
-    },
     "node_modules/xml-crypto": {
       "version": "6.0.1",
       "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.0.1.tgz",

backend/package.json

@@ -149,7 +149,6 @@
     "@fastify/static": "^7.0.4",
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
-    "@gitbeaker/rest": "^42.5.0",
     "@google-cloud/kms": "^4.5.0",
     "@infisical/quic": "^1.0.8",
     "@node-saml/passport-saml": "^5.0.1",

backend/src/@types/fastify.d.ts

@@ -74,7 +74,6 @@ import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-a
 import { TIdentityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
-import { TIdentityTlsCertAuthServiceFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-types";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@@ -219,7 +218,6 @@ declare module "fastify" {
       identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
       identityGcpAuth: TIdentityGcpAuthServiceFactory;
       identityAliCloudAuth: TIdentityAliCloudAuthServiceFactory;
-      identityTlsCertAuth: TIdentityTlsCertAuthServiceFactory;
       identityAwsAuth: TIdentityAwsAuthServiceFactory;
       identityAzureAuth: TIdentityAzureAuthServiceFactory;
       identityOciAuth: TIdentityOciAuthServiceFactory;

backend/src/@types/knex.d.ts

@@ -164,9 +164,6 @@ import {
   TIdentityProjectMemberships,
   TIdentityProjectMembershipsInsert,
   TIdentityProjectMembershipsUpdate,
-  TIdentityTlsCertAuths,
-  TIdentityTlsCertAuthsInsert,
-  TIdentityTlsCertAuthsUpdate,
   TIdentityTokenAuths,
   TIdentityTokenAuthsInsert,
   TIdentityTokenAuthsUpdate,
@@ -499,6 +496,11 @@ import {
   TMicrosoftTeamsIntegrationsInsert,
   TMicrosoftTeamsIntegrationsUpdate
 } from "@app/db/schemas/microsoft-teams-integrations";
+import {
+  TPosthogAggregatedEvents,
+  TPosthogAggregatedEventsInsert,
+  TPosthogAggregatedEventsUpdate
+} from "@app/db/schemas/posthog-aggregated-events";
 import {
   TProjectMicrosoftTeamsConfigs,
   TProjectMicrosoftTeamsConfigsInsert,
@@ -797,11 +799,6 @@ declare module "knex/types/tables" {
       TIdentityAlicloudAuthsInsert,
       TIdentityAlicloudAuthsUpdate
     >;
-    [TableName.IdentityTlsCertAuth]: KnexOriginal.CompositeTableType<
-      TIdentityTlsCertAuths,
-      TIdentityTlsCertAuthsInsert,
-      TIdentityTlsCertAuthsUpdate
-    >;
     [TableName.IdentityAwsAuth]: KnexOriginal.CompositeTableType<
       TIdentityAwsAuths,
       TIdentityAwsAuthsInsert,
@@ -1211,5 +1208,10 @@ declare module "knex/types/tables" {
       TSecretScanningConfigsInsert,
       TSecretScanningConfigsUpdate
     >;
+    [TableName.PosthogAggregatedEvents]: KnexOriginal.CompositeTableType<
+      TPosthogAggregatedEvents,
+      TPosthogAggregatedEventsInsert,
+      TPosthogAggregatedEventsUpdate
+    >;
   }
 }

backend/src/db/instance.ts

@@ -110,8 +110,7 @@ export const initAuditLogDbConnection = ({
     },
     migrations: {
       tableName: "infisical_migrations"
-    },
-    pool: { min: 0, max: 10 }
+    }
   });
 
   // we add these overrides so that auditLogDb and the primary DB are interchangeable

backend/src/db/knexfile.ts

@@ -4,7 +4,6 @@ import "ts-node/register";
 import dotenv from "dotenv";
 import type { Knex } from "knex";
 import path from "path";
-import { initLogger } from "@app/lib/logger";
 
 // Update with your config settings. .
 dotenv.config({
@@ -14,8 +13,6 @@ dotenv.config({
   path: path.join(__dirname, "../../../.env")
 });
 
-initLogger();
-
 export default {
   development: {
     client: "postgres",

backend/src/db/migrations/20250624061429_identity-tls-auth.ts

@@ -1,28 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityTlsCertAuth))) {
-    await knex.schema.createTable(TableName.IdentityTlsCertAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("allowedCommonNames").nullable();
-      t.binary("encryptedCaCertificate").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityTlsCertAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityTlsCertAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityTlsCertAuth);
-}

backend/src/db/migrations/20250625115132_add-posthog-aggregated-events-table.ts

@@ -0,0 +1,26 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.PosthogAggregatedEvents))) {
+    await knex.schema.createTable(TableName.PosthogAggregatedEvents, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("distinctId").notNullable();
+      t.string("event").notNullable();
+      t.bigInteger("eventCount").defaultTo(0).notNullable();
+      t.jsonb("properties").notNullable();
+      t.string("batchId").notNullable();
+      t.string("organizationId").nullable();
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.PosthogAggregatedEvents);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.PosthogAggregatedEvents);
+  await dropOnUpdateTrigger(knex, TableName.PosthogAggregatedEvents);
+}

backend/src/db/migrations/20250626101747_default-project-type.ts

@@ -1,41 +0,0 @@
-import { Knex } from "knex";
-
-import { ProjectType, TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
-  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
-  if (hasTypeColumn && !hasDefaultTypeColumn) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.string("type").nullable().alter();
-      t.string("defaultProduct").notNullable().defaultTo(ProjectType.SecretManager);
-    });
-
-    await knex(TableName.Project).update({
-      // eslint-disable-next-line
-      // @ts-ignore this is because this field is created later
-      defaultProduct: knex.raw(`
-    CASE 
-      WHEN "type" IS NULL OR "type" = '' THEN 'secret-manager' 
-      ELSE "type" 
-    END
-  `)
-    });
-  }
-
-  const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
-  if (hasTemplateTypeColumn) {
-    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
-      t.string("type").nullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
-  if (hasDefaultTypeColumn) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.dropColumn("defaultProduct");
-    });
-  }
-}

backend/src/db/migrations/20250627010508_env-overrides.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "encryptedEnvOverrides");
-  if (!hasColumn) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.binary("encryptedEnvOverrides").nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "encryptedEnvOverrides");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.dropColumn("encryptedEnvOverrides");
-    });
-  }
-}

backend/src/db/migrations/20250630212553_user-latest-invite.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
-  await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-    if (!hasColumn) {
-      t.datetime("lastInvitedAt").nullable();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
-  await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-    if (hasColumn) {
-      t.dropColumn("lastInvitedAt");
-    }
-  });
-}

backend/src/db/migrations/20250707162850_last-invited-at-default.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-      t.datetime("lastInvitedAt").nullable().defaultTo(knex.fn.now()).alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-      t.datetime("lastInvitedAt").nullable().alter();
-    });
-  }
-}

backend/src/db/migrations/20250710022434_add-index-for-access-token.ts

@@ -1,46 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-const MIGRATION_TIMEOUT = 30 * 60 * 1000; // 30 minutes
-
-export async function up(knex: Knex): Promise<void> {
-  const result = await knex.raw("SHOW statement_timeout");
-  const originalTimeout = result.rows[0].statement_timeout;
-
-  try {
-    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
-
-    // iat means IdentityAccessToken
-    await knex.raw(`
-          CREATE INDEX IF NOT EXISTS idx_iat_identity_id 
-          ON ${TableName.IdentityAccessToken} ("identityId")
-        `);
-
-    await knex.raw(`
-          CREATE INDEX IF NOT EXISTS idx_iat_ua_client_secret_id 
-          ON ${TableName.IdentityAccessToken} ("identityUAClientSecretId")
-        `);
-  } finally {
-    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const result = await knex.raw("SHOW statement_timeout");
-  const originalTimeout = result.rows[0].statement_timeout;
-
-  try {
-    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
-
-    await knex.raw(`
-          DROP INDEX IF EXISTS idx_iat_identity_id
-        `);
-
-    await knex.raw(`
-          DROP INDEX IF EXISTS idx_iat_ua_client_secret_id
-        `);
-  } finally {
-    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
-  }
-}

backend/src/db/migrations/20250710115149_required-path-on-approval-policies.ts

@@ -1,55 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const existingSecretApprovalPolicies = await knex(TableName.SecretApprovalPolicy)
-    .whereNull("secretPath")
-    .orWhere("secretPath", "");
-
-  const existingAccessApprovalPolicies = await knex(TableName.AccessApprovalPolicy)
-    .whereNull("secretPath")
-    .orWhere("secretPath", "");
-
-  // update all the secret approval policies secretPath to be "/**"
-  if (existingSecretApprovalPolicies.length) {
-    await knex(TableName.SecretApprovalPolicy)
-      .whereIn(
-        "id",
-        existingSecretApprovalPolicies.map((el) => el.id)
-      )
-      .update({
-        secretPath: "/**"
-      });
-  }
-
-  // update all the access approval policies secretPath to be "/**"
-  if (existingAccessApprovalPolicies.length) {
-    await knex(TableName.AccessApprovalPolicy)
-      .whereIn(
-        "id",
-        existingAccessApprovalPolicies.map((el) => el.id)
-      )
-      .update({
-        secretPath: "/**"
-      });
-  }
-
-  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
-    table.string("secretPath").notNullable().alter();
-  });
-
-  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
-    table.string("secretPath").notNullable().alter();
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
-    table.string("secretPath").nullable().alter();
-  });
-
-  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
-    table.string("secretPath").nullable().alter();
-  });
-}

backend/src/db/migrations/20250710153448_adjust-approval-request-user-cols.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCommitterCol = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId");
-
-  if (hasCommitterCol) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
-      tb.uuid("committerUserId").nullable().alter();
-    });
-  }
-
-  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
-
-  if (hasRequesterCol) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
-      tb.dropForeign("requestedByUserId");
-      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // can't undo committer nullable
-
-  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
-
-  if (hasRequesterCol) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
-      tb.dropForeign("requestedByUserId");
-      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-    });
-  }
-}

backend/src/db/migrations/20250711005900_github-app-connection-to-environments.ts

@@ -1,66 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { selectAllTableCols } from "@app/lib/knex";
-
-import { TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-export async function up(knex: Knex) {
-  const existingSuperAdminsWithGithubConnection = await knex(TableName.SuperAdmin)
-    .select(selectAllTableCols(TableName.SuperAdmin))
-    .whereNotNull(`${TableName.SuperAdmin}.encryptedGitHubAppConnectionClientId`);
-
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-
-  const decryptor = kmsService.decryptWithRootKey();
-  const encryptor = kmsService.encryptWithRootKey();
-
-  const tasks = existingSuperAdminsWithGithubConnection.map(async (admin) => {
-    const overrides = (
-      admin.encryptedEnvOverrides ? JSON.parse(decryptor(Buffer.from(admin.encryptedEnvOverrides)).toString()) : {}
-    ) as Record<string, string>;
-
-    if (admin.encryptedGitHubAppConnectionClientId) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID = decryptor(
-        admin.encryptedGitHubAppConnectionClientId
-      ).toString();
-    }
-
-    if (admin.encryptedGitHubAppConnectionClientSecret) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET = decryptor(
-        admin.encryptedGitHubAppConnectionClientSecret
-      ).toString();
-    }
-
-    if (admin.encryptedGitHubAppConnectionPrivateKey) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY = decryptor(
-        admin.encryptedGitHubAppConnectionPrivateKey
-      ).toString();
-    }
-
-    if (admin.encryptedGitHubAppConnectionSlug) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_SLUG = decryptor(admin.encryptedGitHubAppConnectionSlug).toString();
-    }
-
-    if (admin.encryptedGitHubAppConnectionId) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_ID = decryptor(admin.encryptedGitHubAppConnectionId).toString();
-    }
-
-    const encryptedEnvOverrides = encryptor(Buffer.from(JSON.stringify(overrides)));
-
-    await knex(TableName.SuperAdmin).where({ id: admin.id }).update({
-      encryptedEnvOverrides
-    });
-  });
-
-  await Promise.all(tasks);
-}
-
-export async function down() {
-  // No down migration needed as this migration is only for data transformation
-  // and does not change the schema.
-}

backend/src/db/schemas/access-approval-policies-approvers.ts

@@ -14,8 +14,8 @@ export const AccessApprovalPoliciesApproversSchema = z.object({
   updatedAt: z.date(),
   approverUserId: z.string().uuid().nullable().optional(),
   approverGroupId: z.string().uuid().nullable().optional(),
-  sequence: z.number().default(1).nullable().optional(),
-  approvalsRequired: z.number().nullable().optional()
+  sequence: z.number().default(0).nullable().optional(),
+  approvalsRequired: z.number().default(1).nullable().optional()
 });
 
 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;

backend/src/db/schemas/access-approval-policies.ts

@@ -11,7 +11,7 @@ export const AccessApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
   approvals: z.number().default(1),
-  secretPath: z.string(),
+  secretPath: z.string().nullable().optional(),
   envId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),

backend/src/db/schemas/certificate-authorities.ts

@@ -12,8 +12,8 @@ export const CertificateAuthoritiesSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   projectId: z.string(),
-  status: z.string(),
   enableDirectIssuance: z.boolean().default(true),
+  status: z.string(),
   name: z.string()
 });
 

backend/src/db/schemas/certificates.ts

@@ -25,8 +25,8 @@ export const CertificatesSchema = z.object({
   certificateTemplateId: z.string().uuid().nullable().optional(),
   keyUsages: z.string().array().nullable().optional(),
   extendedKeyUsages: z.string().array().nullable().optional(),
-  projectId: z.string(),
-  pkiSubscriberId: z.string().uuid().nullable().optional()
+  pkiSubscriberId: z.string().uuid().nullable().optional(),
+  projectId: z.string()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/identity-tls-cert-auths.ts

@@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityTlsCertAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  allowedCommonNames: z.string().nullable().optional(),
-  encryptedCaCertificate: zodBuffer
-});
-
-export type TIdentityTlsCertAuths = z.infer<typeof IdentityTlsCertAuthsSchema>;
-export type TIdentityTlsCertAuthsInsert = Omit<z.input<typeof IdentityTlsCertAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityTlsCertAuthsUpdate = Partial<Omit<z.input<typeof IdentityTlsCertAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -52,7 +52,6 @@ export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";
-export * from "./identity-tls-cert-auths";
 export * from "./identity-token-auths";
 export * from "./identity-ua-client-secrets";
 export * from "./identity-universal-auths";

backend/src/db/schemas/models.ts

@@ -86,7 +86,6 @@ export enum TableName {
   IdentityOidcAuth = "identity_oidc_auths",
   IdentityJwtAuth = "identity_jwt_auths",
   IdentityLdapAuth = "identity_ldap_auths",
-  IdentityTlsCertAuth = "identity_tls_cert_auths",
   IdentityOrgMembership = "identity_org_memberships",
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
@@ -172,7 +171,9 @@ export enum TableName {
   SecretScanningResource = "secret_scanning_resources",
   SecretScanningScan = "secret_scanning_scans",
   SecretScanningFinding = "secret_scanning_findings",
-  SecretScanningConfig = "secret_scanning_configs"
+  SecretScanningConfig = "secret_scanning_configs",
+  // Telemetry
+  PosthogAggregatedEvents = "posthog_aggregated_events"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt" | "commitId";
@@ -252,7 +253,6 @@ export enum IdentityAuthMethod {
   ALICLOUD_AUTH = "alicloud-auth",
   AWS_AUTH = "aws-auth",
   AZURE_AUTH = "azure-auth",
-  TLS_CERT_AUTH = "tls-cert-auth",
   OCI_AUTH = "oci-auth",
   OIDC_AUTH = "oidc-auth",
   JWT_AUTH = "jwt-auth",
@@ -267,6 +267,16 @@ export enum ProjectType {
   SecretScanning = "secret-scanning"
 }
 
+export enum ActionProjectType {
+  SecretManager = ProjectType.SecretManager,
+  CertificateManager = ProjectType.CertificateManager,
+  KMS = ProjectType.KMS,
+  SSH = ProjectType.SSH,
+  SecretScanning = ProjectType.SecretScanning,
+  // project operations that happen on all types
+  Any = "any"
+}
+
 export enum SortDirection {
   ASC = "asc",
   DESC = "desc"

backend/src/db/schemas/org-memberships.ts

@@ -18,8 +18,7 @@ export const OrgMembershipsSchema = z.object({
   orgId: z.string().uuid(),
   roleId: z.string().uuid().nullable().optional(),
   projectFavorites: z.string().array().nullable().optional(),
-  isActive: z.boolean().default(true),
-  lastInvitedAt: z.date().nullable().optional()
+  isActive: z.boolean().default(true)
 });
 
 export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;

backend/src/db/schemas/posthog-aggregated-events.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const PosthogAggregatedEventsSchema = z.object({
+  id: z.string().uuid(),
+  distinctId: z.string(),
+  event: z.string(),
+  eventCount: z.coerce.number().default(0),
+  properties: z.unknown(),
+  batchId: z.string(),
+  organizationId: z.string().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TPosthogAggregatedEvents = z.infer<typeof PosthogAggregatedEventsSchema>;
+export type TPosthogAggregatedEventsInsert = Omit<z.input<typeof PosthogAggregatedEventsSchema>, TImmutableDBKeys>;
+export type TPosthogAggregatedEventsUpdate = Partial<
+  Omit<z.input<typeof PosthogAggregatedEventsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/project-templates.ts

@@ -16,7 +16,7 @@ export const ProjectTemplatesSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  type: z.string().nullable().optional()
+  type: z.string().default("secret-manager")
 });
 
 export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;

backend/src/db/schemas/projects.ts

@@ -25,12 +25,11 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
-  type: z.string().nullable().optional(),
+  type: z.string(),
   enforceCapitalization: z.boolean().default(false),
   hasDeleteProtection: z.boolean().default(false).nullable().optional(),
   secretSharing: z.boolean().default(true),
-  showSnapshotsLegacy: z.boolean().default(false),
-  defaultProduct: z.string().default("secret-manager")
+  showSnapshotsLegacy: z.boolean().default(false)
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/secret-approval-policies.ts

@@ -10,7 +10,7 @@ import { TImmutableDBKeys } from "./models";
 export const SecretApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
-  secretPath: z.string(),
+  secretPath: z.string().nullable().optional(),
   approvals: z.number().default(1),
   envId: z.string().uuid(),
   createdAt: z.date(),

backend/src/db/schemas/secret-approval-requests.ts

@@ -18,7 +18,7 @@ export const SecretApprovalRequestsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   isReplicated: z.boolean().nullable().optional(),
-  committerUserId: z.string().uuid().nullable().optional(),
+  committerUserId: z.string().uuid(),
   statusChangedByUserId: z.string().uuid().nullable().optional(),
   bypassReason: z.string().nullable().optional()
 });

backend/src/db/schemas/super-admin.ts

@@ -34,8 +34,7 @@ export const SuperAdminSchema = z.object({
   encryptedGitHubAppConnectionClientSecret: zodBuffer.nullable().optional(),
   encryptedGitHubAppConnectionSlug: zodBuffer.nullable().optional(),
   encryptedGitHubAppConnectionId: zodBuffer.nullable().optional(),
-  encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional(),
-  encryptedEnvOverrides: zodBuffer.nullable().optional()
+  encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional()
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -2,7 +2,6 @@ import { nanoid } from "nanoid";
 import { z } from "zod";
 
 import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
-import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -20,7 +19,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
       body: z.object({
         projectSlug: z.string().trim(),
         name: z.string().optional(),
-        secretPath: z.string().trim().min(1, { message: "Secret path cannot be empty" }).transform(removeTrailingSlash),
+        secretPath: z.string().trim().default("/"),
         environment: z.string(),
         approvers: z
           .discriminatedUnion("type", [
@@ -175,9 +174,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         secretPath: z
           .string()
           .trim()
-          .min(1, { message: "Secret path cannot be empty" })
           .optional()
-          .transform((val) => (val ? removeTrailingSlash(val) : val)),
+          .transform((val) => (val === "" ? "/" : val)),
         approvers: z
           .discriminatedUnion("type", [
             z.object({

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -60,8 +60,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
     method: "GET",
     schema: {
       querystring: z.object({
-        projectSlug: z.string().trim(),
-        policyId: z.string().trim().optional()
+        projectSlug: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -74,7 +73,6 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
     handler: async (req) => {
       const { count } = await server.services.accessApprovalRequest.getCount({
         projectSlug: req.query.projectSlug,
-        policyId: req.query.policyId,
         actor: req.permission.type,
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,

backend/src/ee/routes/v1/ldap-router.ts

@@ -17,7 +17,6 @@ import { z } from "zod";
 import { LdapGroupMapsSchema } from "@app/db/schemas";
 import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types";
 import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns";
-import { ApiDocsTags, LdapSso } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@@ -133,18 +132,10 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: readLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.LdapSso],
-      description: "Get LDAP config",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       querystring: z.object({
-        organizationId: z.string().trim().describe(LdapSso.GET_CONFIG.organizationId)
+        organizationId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -181,32 +172,23 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: writeLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.LdapSso],
-      description: "Create LDAP config",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       body: z.object({
-        organizationId: z.string().trim().describe(LdapSso.CREATE_CONFIG.organizationId),
-        isActive: z.boolean().describe(LdapSso.CREATE_CONFIG.isActive),
-        url: z.string().trim().describe(LdapSso.CREATE_CONFIG.url),
-        bindDN: z.string().trim().describe(LdapSso.CREATE_CONFIG.bindDN),
-        bindPass: z.string().trim().describe(LdapSso.CREATE_CONFIG.bindPass),
-        uniqueUserAttribute: z.string().trim().default("uidNumber").describe(LdapSso.CREATE_CONFIG.uniqueUserAttribute),
-        searchBase: z.string().trim().describe(LdapSso.CREATE_CONFIG.searchBase),
-        searchFilter: z.string().trim().default("(uid={{username}})").describe(LdapSso.CREATE_CONFIG.searchFilter),
-        groupSearchBase: z.string().trim().describe(LdapSso.CREATE_CONFIG.groupSearchBase),
+        organizationId: z.string().trim(),
+        isActive: z.boolean(),
+        url: z.string().trim(),
+        bindDN: z.string().trim(),
+        bindPass: z.string().trim(),
+        uniqueUserAttribute: z.string().trim().default("uidNumber"),
+        searchBase: z.string().trim(),
+        searchFilter: z.string().trim().default("(uid={{username}})"),
+        groupSearchBase: z.string().trim(),
         groupSearchFilter: z
           .string()
           .trim()
-          .default("(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))")
-          .describe(LdapSso.CREATE_CONFIG.groupSearchFilter),
-        caCert: z.string().trim().default("").describe(LdapSso.CREATE_CONFIG.caCert)
+          .default("(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"),
+        caCert: z.string().trim().default("")
       }),
       response: {
         200: SanitizedLdapConfigSchema
@@ -232,31 +214,23 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: writeLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.LdapSso],
-      description: "Update LDAP config",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       body: z
         .object({
-          isActive: z.boolean().describe(LdapSso.UPDATE_CONFIG.isActive),
-          url: z.string().trim().describe(LdapSso.UPDATE_CONFIG.url),
-          bindDN: z.string().trim().describe(LdapSso.UPDATE_CONFIG.bindDN),
-          bindPass: z.string().trim().describe(LdapSso.UPDATE_CONFIG.bindPass),
-          uniqueUserAttribute: z.string().trim().describe(LdapSso.UPDATE_CONFIG.uniqueUserAttribute),
-          searchBase: z.string().trim().describe(LdapSso.UPDATE_CONFIG.searchBase),
-          searchFilter: z.string().trim().describe(LdapSso.UPDATE_CONFIG.searchFilter),
-          groupSearchBase: z.string().trim().describe(LdapSso.UPDATE_CONFIG.groupSearchBase),
-          groupSearchFilter: z.string().trim().describe(LdapSso.UPDATE_CONFIG.groupSearchFilter),
-          caCert: z.string().trim().describe(LdapSso.UPDATE_CONFIG.caCert)
+          isActive: z.boolean(),
+          url: z.string().trim(),
+          bindDN: z.string().trim(),
+          bindPass: z.string().trim(),
+          uniqueUserAttribute: z.string().trim(),
+          searchBase: z.string().trim(),
+          searchFilter: z.string().trim(),
+          groupSearchBase: z.string().trim(),
+          groupSearchFilter: z.string().trim(),
+          caCert: z.string().trim()
         })
         .partial()
-        .merge(z.object({ organizationId: z.string().trim().describe(LdapSso.UPDATE_CONFIG.organizationId) })),
+        .merge(z.object({ organizationId: z.string() })),
       response: {
         200: SanitizedLdapConfigSchema
       }

backend/src/ee/routes/v1/oidc-router.ts

@@ -13,7 +13,6 @@ import { z } from "zod";
 
 import { OidcConfigsSchema } from "@app/db/schemas";
 import { OIDCConfigurationType, OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
-import { ApiDocsTags, OidcSSo } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -154,18 +153,10 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: readLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.OidcSso],
-      description: "Get OIDC config",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       querystring: z.object({
-        organizationId: z.string().trim().describe(OidcSSo.GET_CONFIG.organizationId)
+        orgSlug: z.string().trim()
       }),
       response: {
         200: SanitizedOidcConfigSchema.pick({
@@ -189,8 +180,9 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
+      const { orgSlug } = req.query;
       const oidc = await server.services.oidc.getOidc({
-        organizationId: req.query.organizationId,
+        orgSlug,
         type: "external",
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -208,16 +200,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: writeLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.OidcSso],
-      description: "Update OIDC config",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       body: z
         .object({
           allowedEmailDomains: z
@@ -232,26 +216,22 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
                 .split(",")
                 .map((id) => id.trim())
                 .join(", ");
-            })
-            .describe(OidcSSo.UPDATE_CONFIG.allowedEmailDomains),
-          discoveryURL: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.discoveryURL),
-          configurationType: z.nativeEnum(OIDCConfigurationType).describe(OidcSSo.UPDATE_CONFIG.configurationType),
-          issuer: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.issuer),
-          authorizationEndpoint: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.authorizationEndpoint),
-          jwksUri: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.jwksUri),
-          tokenEndpoint: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.tokenEndpoint),
-          userinfoEndpoint: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.userinfoEndpoint),
-          clientId: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.clientId),
-          clientSecret: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.clientSecret),
-          isActive: z.boolean().describe(OidcSSo.UPDATE_CONFIG.isActive),
-          manageGroupMemberships: z.boolean().optional().describe(OidcSSo.UPDATE_CONFIG.manageGroupMemberships),
-          jwtSignatureAlgorithm: z
-            .nativeEnum(OIDCJWTSignatureAlgorithm)
-            .optional()
-            .describe(OidcSSo.UPDATE_CONFIG.jwtSignatureAlgorithm)
+            }),
+          discoveryURL: z.string().trim(),
+          configurationType: z.nativeEnum(OIDCConfigurationType),
+          issuer: z.string().trim(),
+          authorizationEndpoint: z.string().trim(),
+          jwksUri: z.string().trim(),
+          tokenEndpoint: z.string().trim(),
+          userinfoEndpoint: z.string().trim(),
+          clientId: z.string().trim(),
+          clientSecret: z.string().trim(),
+          isActive: z.boolean(),
+          manageGroupMemberships: z.boolean().optional(),
+          jwtSignatureAlgorithm: z.nativeEnum(OIDCJWTSignatureAlgorithm).optional()
         })
         .partial()
-        .merge(z.object({ organizationId: z.string().describe(OidcSSo.UPDATE_CONFIG.organizationId) })),
+        .merge(z.object({ orgSlug: z.string() })),
       response: {
         200: SanitizedOidcConfigSchema.pick({
           id: true,
@@ -287,16 +267,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: writeLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.OidcSso],
-      description: "Create OIDC config",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       body: z
         .object({
           allowedEmailDomains: z
@@ -311,34 +283,23 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
                 .split(",")
                 .map((id) => id.trim())
                 .join(", ");
-            })
-            .describe(OidcSSo.CREATE_CONFIG.allowedEmailDomains),
-          configurationType: z.nativeEnum(OIDCConfigurationType).describe(OidcSSo.CREATE_CONFIG.configurationType),
-          issuer: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.issuer),
-          discoveryURL: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.discoveryURL),
-          authorizationEndpoint: z
-            .string()
-            .trim()
-            .optional()
-            .default("")
-            .describe(OidcSSo.CREATE_CONFIG.authorizationEndpoint),
-          jwksUri: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.jwksUri),
-          tokenEndpoint: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.tokenEndpoint),
-          userinfoEndpoint: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.userinfoEndpoint),
-          clientId: z.string().trim().describe(OidcSSo.CREATE_CONFIG.clientId),
-          clientSecret: z.string().trim().describe(OidcSSo.CREATE_CONFIG.clientSecret),
-          isActive: z.boolean().describe(OidcSSo.CREATE_CONFIG.isActive),
-          organizationId: z.string().trim().describe(OidcSSo.CREATE_CONFIG.organizationId),
-          manageGroupMemberships: z
-            .boolean()
-            .optional()
-            .default(false)
-            .describe(OidcSSo.CREATE_CONFIG.manageGroupMemberships),
+            }),
+          configurationType: z.nativeEnum(OIDCConfigurationType),
+          issuer: z.string().trim().optional().default(""),
+          discoveryURL: z.string().trim().optional().default(""),
+          authorizationEndpoint: z.string().trim().optional().default(""),
+          jwksUri: z.string().trim().optional().default(""),
+          tokenEndpoint: z.string().trim().optional().default(""),
+          userinfoEndpoint: z.string().trim().optional().default(""),
+          clientId: z.string().trim(),
+          clientSecret: z.string().trim(),
+          isActive: z.boolean(),
+          orgSlug: z.string().trim(),
+          manageGroupMemberships: z.boolean().optional().default(false),
           jwtSignatureAlgorithm: z
             .nativeEnum(OIDCJWTSignatureAlgorithm)
             .optional()
             .default(OIDCJWTSignatureAlgorithm.RS256)
-            .describe(OidcSSo.CREATE_CONFIG.jwtSignatureAlgorithm)
         })
         .superRefine((data, ctx) => {
           if (data.configurationType === OIDCConfigurationType.CUSTOM) {

backend/src/ee/routes/v1/project-router.ts

@@ -111,38 +111,15 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       params: z.object({
         workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.projectId)
       }),
-      querystring: z
-        .object({
-          eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
-          userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
-          startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
-          endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
-          offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
-          limit: z.coerce.number().max(1000).default(20).describe(AUDIT_LOGS.EXPORT.limit),
-          actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
-        })
-        .superRefine((el, ctx) => {
-          if (el.endDate && el.startDate) {
-            const startDate = new Date(el.startDate);
-            const endDate = new Date(el.endDate);
-            const maxAllowedDate = new Date(startDate);
-            maxAllowedDate.setMonth(maxAllowedDate.getMonth() + 3);
-            if (endDate < startDate) {
-              ctx.addIssue({
-                code: z.ZodIssueCode.custom,
-                path: ["endDate"],
-                message: "End date cannot be before start date"
-              });
-            }
-            if (endDate > maxAllowedDate) {
-              ctx.addIssue({
-                code: z.ZodIssueCode.custom,
-                path: ["endDate"],
-                message: "Dates must be within 3 months"
-              });
-            }
-          }
-        }),
+      querystring: z.object({
+        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
+        userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
+        startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
+        endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
+        offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
+        limit: z.coerce.number().default(20).describe(AUDIT_LOGS.EXPORT.limit),
+        actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
+      }),
       response: {
         200: z.object({
           auditLogs: AuditLogsSchema.omit({
@@ -184,7 +161,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         filter: {
           ...req.query,
           projectId: req.params.workspaceId,
-          endDate: req.query.endDate || new Date().toISOString(),
+          endDate: req.query.endDate,
           startDate: req.query.startDate || getLastMidnightDateISO(),
           auditLogActorId: req.query.actor,
           eventType: req.query.eventType ? [req.query.eventType] : undefined

backend/src/ee/routes/v1/project-template-router.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectTemplatesSchema, ProjectType } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
@@ -104,6 +104,9 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       hide: false,
       tags: [ApiDocsTags.ProjectTemplates],
       description: "List project templates for the current organization.",
+      querystring: z.object({
+        type: z.nativeEnum(ProjectType).optional().describe(ProjectTemplates.LIST.type)
+      }),
       response: {
         200: z.object({
           projectTemplates: SanitizedProjectTemplateSchema.array()
@@ -112,7 +115,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
+      const { type } = req.query;
+      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission, type);
 
       const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
 
@@ -184,6 +188,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       tags: [ApiDocsTags.ProjectTemplates],
       description: "Create a project template.",
       body: z.object({
+        type: z.nativeEnum(ProjectType).describe(ProjectTemplates.CREATE.type),
         name: slugSchema({ field: "name" })
           .refine((val) => !isInfisicalProjectTemplate(val), {
             message: `The requested project template name is reserved.`
@@ -279,6 +284,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       tags: [ApiDocsTags.ProjectTemplates],
       description: "Delete a project template.",
       params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.DELETE.templateId) }),
+
       response: {
         200: z.object({
           projectTemplate: SanitizedProjectTemplateSchema

backend/src/ee/routes/v1/saml-router.ts

@@ -13,7 +13,6 @@ import { FastifyRequest } from "fastify";
 import { z } from "zod";
 
 import { SamlProviders, TGetSamlCfgDTO } from "@app/ee/services/saml-config/saml-config-types";
-import { ApiDocsTags, SamlSso } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@@ -150,8 +149,8 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
             firstName,
             lastName: lastName as string,
             relayState: (req.body as { RelayState?: string }).RelayState,
-            authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider,
-            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId,
+            authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider as string,
+            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string,
             metadata: userMetadata
           });
           cb(null, { isUserCompleted, providerAuthToken });
@@ -263,31 +262,25 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: readLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SamlSso],
-      description: "Get SAML config",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       querystring: z.object({
-        organizationId: z.string().trim().describe(SamlSso.GET_CONFIG.organizationId)
+        organizationId: z.string().trim()
       }),
       response: {
-        200: z.object({
-          id: z.string(),
-          organization: z.string(),
-          orgId: z.string(),
-          authProvider: z.string(),
-          isActive: z.boolean(),
-          entryPoint: z.string(),
-          issuer: z.string(),
-          cert: z.string(),
-          lastUsed: z.date().nullable().optional()
-        })
+        200: z
+          .object({
+            id: z.string(),
+            organization: z.string(),
+            orgId: z.string(),
+            authProvider: z.string(),
+            isActive: z.boolean(),
+            entryPoint: z.string(),
+            issuer: z.string(),
+            cert: z.string(),
+            lastUsed: z.date().nullable().optional()
+          })
+          .optional()
       }
     },
     handler: async (req) => {
@@ -309,23 +302,15 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: writeLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SamlSso],
-      description: "Create SAML config",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       body: z.object({
-        organizationId: z.string().trim().describe(SamlSso.CREATE_CONFIG.organizationId),
-        authProvider: z.nativeEnum(SamlProviders).describe(SamlSso.CREATE_CONFIG.authProvider),
-        isActive: z.boolean().describe(SamlSso.CREATE_CONFIG.isActive),
-        entryPoint: z.string().trim().describe(SamlSso.CREATE_CONFIG.entryPoint),
-        issuer: z.string().trim().describe(SamlSso.CREATE_CONFIG.issuer),
-        cert: z.string().trim().describe(SamlSso.CREATE_CONFIG.cert)
+        organizationId: z.string(),
+        authProvider: z.nativeEnum(SamlProviders),
+        isActive: z.boolean(),
+        entryPoint: z.string(),
+        issuer: z.string(),
+        cert: z.string()
       }),
       response: {
         200: SanitizedSamlConfigSchema
@@ -356,26 +341,18 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: writeLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SamlSso],
-      description: "Update SAML config",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       body: z
         .object({
-          authProvider: z.nativeEnum(SamlProviders).describe(SamlSso.UPDATE_CONFIG.authProvider),
-          isActive: z.boolean().describe(SamlSso.UPDATE_CONFIG.isActive),
-          entryPoint: z.string().trim().describe(SamlSso.UPDATE_CONFIG.entryPoint),
-          issuer: z.string().trim().describe(SamlSso.UPDATE_CONFIG.issuer),
-          cert: z.string().trim().describe(SamlSso.UPDATE_CONFIG.cert)
+          authProvider: z.nativeEnum(SamlProviders),
+          isActive: z.boolean(),
+          entryPoint: z.string(),
+          issuer: z.string(),
+          cert: z.string()
         })
         .partial()
-        .merge(z.object({ organizationId: z.string().trim().describe(SamlSso.UPDATE_CONFIG.organizationId) })),
+        .merge(z.object({ organizationId: z.string() })),
       response: {
         200: SanitizedSamlConfigSchema
       }

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -23,8 +23,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         environment: z.string(),
         secretPath: z
           .string()
-          .min(1, { message: "Secret path cannot be empty" })
-          .transform((val) => removeTrailingSlash(val)),
+          .optional()
+          .nullable()
+          .default("/")
+          .transform((val) => (val ? removeTrailingSlash(val) : val)),
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
@@ -98,10 +100,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvals: z.number().min(1).default(1),
         secretPath: z
           .string()
-          .trim()
-          .min(1, { message: "Secret path cannot be empty" })
           .optional()
-          .transform((val) => (val ? removeTrailingSlash(val) : undefined)),
+          .nullable()
+          .transform((val) => (val ? removeTrailingSlash(val) : val))
+          .transform((val) => (val === "" ? "/" : val)),
         enforcementLevel: z.nativeEnum(EnforcementLevel).optional(),
         allowedSelfApprovals: z.boolean().default(true)
       }),

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -58,7 +58,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               deletedAt: z.date().nullish(),
               allowedSelfApprovals: z.boolean()
             }),
-            committerUser: approvalRequestUser.nullish(),
+            committerUser: approvalRequestUser,
             commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
             environment: z.string(),
             reviewers: z.object({ userId: z.string(), status: z.string() }).array(),
@@ -94,8 +94,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
     },
     schema: {
       querystring: z.object({
-        workspaceId: z.string().trim(),
-        policyId: z.string().trim().optional()
+        workspaceId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -113,8 +112,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        projectId: req.query.workspaceId,
-        policyId: req.query.policyId
+        projectId: req.query.workspaceId
       });
       return { approvals };
     }
@@ -141,39 +139,14 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const { approval, projectId, secretMutationEvents } =
-        await server.services.secretApprovalRequest.mergeSecretApprovalRequest({
-          actorId: req.permission.id,
-          actor: req.permission.type,
-          actorAuthMethod: req.permission.authMethod,
-          actorOrgId: req.permission.orgId,
-          approvalId: req.params.id,
-          bypassReason: req.body.bypassReason
-        });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        projectId,
-        event: {
-          type: EventType.SECRET_APPROVAL_MERGED,
-          metadata: {
-            mergedBy: req.permission.id,
-            secretApprovalRequestSlug: approval.slug,
-            secretApprovalRequestId: approval.id
-          }
-        }
+      const { approval } = await server.services.secretApprovalRequest.mergeSecretApprovalRequest({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        approvalId: req.params.id,
+        bypassReason: req.body.bypassReason
       });
-
-      for await (const event of secretMutationEvents) {
-        await server.services.auditLog.createAuditLog({
-          ...req.auditLogInfo,
-          orgId: req.permission.orgId,
-          projectId,
-          event
-        });
-      }
-
       return { approval };
     }
   });
@@ -308,7 +281,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               }),
               environment: z.string(),
               statusChangedByUser: approvalRequestUser.optional(),
-              committerUser: approvalRequestUser.nullish(),
+              committerUser: approvalRequestUser,
               reviewers: approvalRequestUser.extend({ status: z.string(), comment: z.string().optional() }).array(),
               secretPath: z.string(),
               commits: secretRawSchema

backend/src/ee/routes/v2/secret-scanning-v2-routers/bitbucket-secret-scanning-router.ts

@@ -1,16 +0,0 @@
-import { registerSecretScanningEndpoints } from "@app/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-endpoints";
-import {
-  BitbucketDataSourceSchema,
-  CreateBitbucketDataSourceSchema,
-  UpdateBitbucketDataSourceSchema
-} from "@app/ee/services/secret-scanning-v2/bitbucket";
-import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
-
-export const registerBitbucketSecretScanningRouter = async (server: FastifyZodProvider) =>
-  registerSecretScanningEndpoints({
-    type: SecretScanningDataSource.Bitbucket,
-    server,
-    responseSchema: BitbucketDataSourceSchema,
-    createSchema: CreateBitbucketDataSourceSchema,
-    updateSchema: UpdateBitbucketDataSourceSchema
-  });

backend/src/ee/routes/v2/secret-scanning-v2-routers/index.ts

@@ -1,6 +1,5 @@
 import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
 
-import { registerBitbucketSecretScanningRouter } from "./bitbucket-secret-scanning-router";
 import { registerGitHubSecretScanningRouter } from "./github-secret-scanning-router";
 
 export * from "./secret-scanning-v2-router";
@@ -9,6 +8,5 @@ export const SECRET_SCANNING_REGISTER_ROUTER_MAP: Record<
   SecretScanningDataSource,
   (server: FastifyZodProvider) => Promise<void>
 > = {
-  [SecretScanningDataSource.GitHub]: registerGitHubSecretScanningRouter,
-  [SecretScanningDataSource.Bitbucket]: registerBitbucketSecretScanningRouter
+  [SecretScanningDataSource.GitHub]: registerGitHubSecretScanningRouter
 };

backend/src/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { SecretScanningConfigsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { BitbucketDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/bitbucket";
 import { GitHubDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/github";
 import {
   SecretScanningFindingStatus,
@@ -22,10 +21,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
-const SecretScanningDataSourceOptionsSchema = z.discriminatedUnion("type", [
-  GitHubDataSourceListItemSchema,
-  BitbucketDataSourceListItemSchema
-]);
+const SecretScanningDataSourceOptionsSchema = z.discriminatedUnion("type", [GitHubDataSourceListItemSchema]);
 
 export const registerSecretScanningV2Router = async (server: FastifyZodProvider) => {
   server.route({

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -53,7 +53,7 @@ export interface TAccessApprovalPolicyDALFactory
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath: string;
+      secretPath?: string | null | undefined;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -93,7 +93,7 @@ export interface TAccessApprovalPolicyDALFactory
         envId: string;
         enforcementLevel: string;
         allowedSelfApprovals: boolean;
-        secretPath: string;
+        secretPath?: string | null | undefined;
         deletedAt?: Date | null | undefined;
         environment: {
           id: string;
@@ -116,7 +116,7 @@ export interface TAccessApprovalPolicyDALFactory
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
   }>;
   findLastValidPolicy: (
@@ -138,7 +138,7 @@ export interface TAccessApprovalPolicyDALFactory
         envId: string;
         enforcementLevel: string;
         allowedSelfApprovals: boolean;
-        secretPath: string;
+        secretPath?: string | null | undefined;
         deletedAt?: Date | null | undefined;
       }
     | undefined
@@ -190,7 +190,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
   }>;
   deleteAccessApprovalPolicy: ({
@@ -214,7 +214,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;
@@ -252,7 +252,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
   }>;
   getAccessApprovalPolicyByProjectSlug: ({
@@ -286,7 +286,7 @@ export interface TAccessApprovalPolicyServiceFactory {
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath: string;
+      secretPath?: string | null | undefined;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -337,7 +337,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -60,26 +61,6 @@ export const accessApprovalPolicyServiceFactory = ({
   accessApprovalRequestReviewerDAL,
   orgMembershipDAL
 }: TAccessApprovalPolicyServiceFactoryDep): TAccessApprovalPolicyServiceFactory => {
-  const $policyExists = async ({
-    envId,
-    secretPath,
-    policyId
-  }: {
-    envId: string;
-    secretPath: string;
-    policyId?: string;
-  }) => {
-    const policy = await accessApprovalPolicyDAL
-      .findOne({
-        envId,
-        secretPath,
-        deletedAt: null
-      })
-      .catch(() => null);
-
-    return policyId ? policy && policy.id !== policyId : Boolean(policy);
-  };
-
   const createAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["createAccessApprovalPolicy"] = async ({
     name,
     actor,
@@ -116,7 +97,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -126,12 +108,6 @@ export const accessApprovalPolicyServiceFactory = ({
     const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
     if (!env) throw new NotFoundError({ message: `Environment with slug '${environment}' not found` });
 
-    if (await $policyExists({ envId: env.id, secretPath })) {
-      throw new BadRequestError({
-        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
-      });
-    }
-
     let approverUserIds = userApprovers;
     if (userApproverNames.length) {
       const approverUsersInDB = await userDAL.find({
@@ -272,7 +248,8 @@ export const accessApprovalPolicyServiceFactory = ({
         actorId,
         projectId: project.id,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
       });
 
       const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
@@ -305,11 +282,7 @@ export const accessApprovalPolicyServiceFactory = ({
     ) as { username: string; sequence?: number }[];
 
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!accessApprovalPolicy) {
-      throw new NotFoundError({
-        message: `Access approval policy with ID '${policyId}' not found`
-      });
-    }
+    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Approval policy not found" });
 
     const currentApprovals = approvals || accessApprovalPolicy.approvals;
     if (
@@ -320,24 +293,16 @@ export const accessApprovalPolicyServiceFactory = ({
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
     }
 
-    if (
-      await $policyExists({
-        envId: accessApprovalPolicy.envId,
-        secretPath: secretPath || accessApprovalPolicy.secretPath,
-        policyId: accessApprovalPolicy.id
-      })
-    ) {
-      throw new BadRequestError({
-        message: `A policy for secret path '${secretPath}' already exists in environment '${accessApprovalPolicy.environment.slug}'`
-      });
+    if (!accessApprovalPolicy) {
+      throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
     }
-
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@@ -533,7 +498,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -583,7 +549,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -622,7 +589,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -122,7 +122,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
   }>;
   deleteAccessApprovalPolicy: ({
@@ -146,7 +146,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;
@@ -218,7 +218,7 @@ export interface TAccessApprovalPolicyServiceFactory {
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath: string;
+      secretPath?: string | null | undefined;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -269,7 +269,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -220,7 +220,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
       bypassers: string[];
     }[]
   >;
-  getCount: ({ projectId }: { projectId: string; policyId?: string }) => Promise<{
+  getCount: ({ projectId }: { projectId: string }) => Promise<{
     pendingCount: number;
     finalizedCount: number;
   }>;
@@ -702,7 +702,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
     }
   };
 
-  const getCount: TAccessApprovalRequestDALFactory["getCount"] = async ({ projectId, policyId }) => {
+  const getCount: TAccessApprovalRequestDALFactory["getCount"] = async ({ projectId }) => {
     try {
       const accessRequests = await db
         .replicaNode()(TableName.AccessApprovalRequest)
@@ -723,10 +723,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
           `${TableName.AccessApprovalRequest}.id`,
           `${TableName.AccessApprovalRequestReviewer}.requestId`
         )
+
         .where(`${TableName.Environment}.projectId`, projectId)
-        .where((qb) => {
-          if (policyId) void qb.where(`${TableName.AccessApprovalPolicy}.id`, policyId);
-        })
         .select(selectAllTableCols(TableName.AccessApprovalRequest))
         .select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
         .select(db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"))

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import msFn from "ms";
 
-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -107,7 +107,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -216,7 +217,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/secret-manager/${project.id}/approval`;
 
       await triggerWorkflowIntegrationNotification({
         input: {
@@ -289,7 +290,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -335,7 +337,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: accessApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     if (!membership) {
@@ -347,12 +350,6 @@ export const accessApprovalRequestServiceFactory = ({
     const canBypass = !policy.bypassers.length || policy.bypassers.some((bypasser) => bypasser.userId === actorId);
     const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypass);
 
-    // Calculate break glass attempt before sequence checks
-    const isBreakGlassApprovalAttempt =
-      policy.enforcementLevel === EnforcementLevel.Soft &&
-      actorId === accessApprovalRequest.requestedByUserId &&
-      status === ApprovalStatus.APPROVED;
-
     const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
     // If user is (not an approver OR cant self approve) AND can't bypass policy
     if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
@@ -412,14 +409,15 @@ export const accessApprovalRequestServiceFactory = ({
       const isApproverOfTheSequence = policy.approvers.find(
         (el) => el.sequence === presentSequence.step && el.userId === actorId
       );
-
-      // Only throw if actor is not the approver and not bypassing
-      if (!isApproverOfTheSequence && !isBreakGlassApprovalAttempt) {
-        throw new BadRequestError({ message: "You are not a reviewer in this step" });
-      }
+      if (!isApproverOfTheSequence) throw new BadRequestError({ message: "You are not reviewer in this step" });
     }
 
     const reviewStatus = await accessApprovalRequestReviewerDAL.transaction(async (tx) => {
+      const isBreakGlassApprovalAttempt =
+        policy.enforcementLevel === EnforcementLevel.Soft &&
+        actorId === accessApprovalRequest.requestedByUserId &&
+        status === ApprovalStatus.APPROVED;
+
       let reviewForThisActorProcessing: {
         id: string;
         requestId: string;
@@ -545,7 +543,7 @@ export const accessApprovalRequestServiceFactory = ({
                   bypassReason: bypassReason || "No reason provided",
                   secretPath: policy.secretPath || "/",
                   environment,
-                  approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`,
+                  approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`,
                   requestType: "access"
                 },
                 template: SmtpTemplates.AccessSecretRequestBypassed
@@ -562,7 +560,6 @@ export const accessApprovalRequestServiceFactory = ({
 
   const getCount: TAccessApprovalRequestServiceFactory["getCount"] = async ({
     projectSlug,
-    policyId,
     actor,
     actorAuthMethod,
     actorId,
@@ -576,13 +573,14 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
 
-    const count = await accessApprovalRequestDAL.getCount({ projectId: project.id, policyId });
+    const count = await accessApprovalRequestDAL.getCount({ projectId: project.id });
 
     return { count };
   };

backend/src/ee/services/access-approval-request/access-approval-request-types.ts

@@ -12,7 +12,6 @@ export type TVerifyPermission = {
 
 export type TGetAccessRequestCountDTO = {
   projectSlug: string;
-  policyId?: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TReviewAccessRequestDTO = {

backend/src/ee/services/assume-privilege/assume-privilege-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -37,7 +38,8 @@ export const assumePrivilegeServiceFactory = ({
       actorId: actorPermissionDetails.id,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId
+      actorOrgId: actorPermissionDetails.orgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     if (targetActorType === ActorType.USER) {
@@ -58,7 +60,8 @@ export const assumePrivilegeServiceFactory = ({
       actorId: targetActorId,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId
+      actorOrgId: actorPermissionDetails.orgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     const appCfg = getConfig();

backend/src/ee/services/audit-log-stream/audit-log-stream-fns.ts

@@ -1,21 +0,0 @@
-export function providerSpecificPayload(url: string) {
-  const { hostname } = new URL(url);
-
-  const payload: Record<string, string> = {};
-
-  switch (hostname) {
-    case "http-intake.logs.datadoghq.com":
-    case "http-intake.logs.us3.datadoghq.com":
-    case "http-intake.logs.us5.datadoghq.com":
-    case "http-intake.logs.datadoghq.eu":
-    case "http-intake.logs.ap1.datadoghq.com":
-    case "http-intake.logs.ddog-gov.com":
-      payload.ddsource = "infisical";
-      payload.service = "audit-logs";
-      break;
-    default:
-      break;
-  }
-
-  return payload;
-}

backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts

@@ -13,7 +13,6 @@ import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
 import { TAuditLogStreamDALFactory } from "./audit-log-stream-dal";
-import { providerSpecificPayload } from "./audit-log-stream-fns";
 import { LogStreamHeaders, TAuditLogStreamServiceFactory } from "./audit-log-stream-types";
 
 type TAuditLogStreamServiceFactoryDep = {
@@ -70,11 +69,10 @@ export const auditLogStreamServiceFactory = ({
       headers.forEach(({ key, value }) => {
         streamHeaders[key] = value;
       });
-
     await request
       .post(
         url,
-        { ...providerSpecificPayload(url), ping: "ok" },
+        { ping: "ok" },
         {
           headers: streamHeaders,
           // request timeout
@@ -139,7 +137,7 @@ export const auditLogStreamServiceFactory = ({
     await request
       .post(
         url || logStream.url,
-        { ...providerSpecificPayload(url || logStream.url), ping: "ok" },
+        { ping: "ok" },
         {
           headers: streamHeaders,
           // request timeout

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -30,10 +30,10 @@ type TFindQuery = {
   actor?: string;
   projectId?: string;
   environment?: string;
-  orgId: string;
+  orgId?: string;
   eventType?: string;
-  startDate: string;
-  endDate: string;
+  startDate?: string;
+  endDate?: string;
   userAgentType?: string;
   limit?: number;
   offset?: number;
@@ -61,15 +61,18 @@ export const auditLogDALFactory = (db: TDbClient) => {
     },
     tx
   ) => {
+    if (!orgId && !projectId) {
+      throw new Error("Either orgId or projectId must be provided");
+    }
+
     try {
       // Find statements
       const sqlQuery = (tx || db.replicaNode())(TableName.AuditLog)
-        .where(`${TableName.AuditLog}.orgId`, orgId)
-        .whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate])
-        .andWhereRaw(`"${TableName.AuditLog}"."createdAt" < ?::timestamptz`, [endDate])
         // eslint-disable-next-line func-names
         .where(function () {
-          if (projectId) {
+          if (orgId) {
+            void this.where(`${TableName.AuditLog}.orgId`, orgId);
+          } else if (projectId) {
             void this.where(`${TableName.AuditLog}.projectId`, projectId);
           }
         });
@@ -132,6 +135,14 @@ export const auditLogDALFactory = (db: TDbClient) => {
         void sqlQuery.whereIn("eventType", eventType);
       }
 
+      // Filter by date range
+      if (startDate) {
+        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
+      }
+      if (endDate) {
+        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
+      }
+
       // we timeout long running queries to prevent DB resource issues (2 minutes)
       const docs = await sqlQuery.timeout(1000 * 120);
 
@@ -163,8 +174,6 @@ export const auditLogDALFactory = (db: TDbClient) => {
       try {
         const findExpiredLogSubQuery = (tx || db)(TableName.AuditLog)
           .where("expiresAt", "<", today)
-          .where("createdAt", "<", today) // to use audit log partition
-          .orderBy(`${TableName.AuditLog}.createdAt`, "desc")
           .select("id")
           .limit(AUDIT_LOG_PRUNE_BATCH_SIZE);
 

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -1,15 +1,13 @@
-import { AxiosError, RawAxiosRequestHeaders } from "axios";
+import { RawAxiosRequestHeaders } from "axios";
 
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
 import { TAuditLogStreamDALFactory } from "../audit-log-stream/audit-log-stream-dal";
-import { providerSpecificPayload } from "../audit-log-stream/audit-log-stream-fns";
 import { LogStreamHeaders } from "../audit-log-stream/audit-log-stream-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TAuditLogDALFactory } from "./audit-log-dal";
@@ -130,25 +128,13 @@ export const auditLogQueueServiceFactory = async ({
                   headers[key] = value;
                 });
 
-              try {
-                const response = await request.post(
-                  url,
-                  { ...providerSpecificPayload(url), ...auditLog },
-                  {
-                    headers,
-                    // request timeout
-                    timeout: AUDIT_LOG_STREAM_TIMEOUT,
-                    // connection timeout
-                    signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
-                  }
-                );
-                return response;
-              } catch (error) {
-                logger.error(
-                  `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
-                );
-                return error;
-              }
+              return request.post(url, auditLog, {
+                headers,
+                // request timeout
+                timeout: AUDIT_LOG_STREAM_TIMEOUT,
+                // connection timeout
+                signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+              });
             }
           )
         );
@@ -232,25 +218,13 @@ export const auditLogQueueServiceFactory = async ({
               headers[key] = value;
             });
 
-          try {
-            const response = await request.post(
-              url,
-              { ...providerSpecificPayload(url), ...auditLog },
-              {
-                headers,
-                // request timeout
-                timeout: AUDIT_LOG_STREAM_TIMEOUT,
-                // connection timeout
-                signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
-              }
-            );
-            return response;
-          } catch (error) {
-            logger.error(
-              `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
-            );
-            return error;
-          }
+          return request.post(url, auditLog, {
+            headers,
+            // request timeout
+            timeout: AUDIT_LOG_STREAM_TIMEOUT,
+            // connection timeout
+            signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+          });
         }
       )
     );

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { requestContext } from "@fastify/request-context";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -37,7 +38,8 @@ export const auditLogServiceFactory = ({
         actorId,
         projectId: filter.projectId,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.Any
       });
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
     } else {
@@ -67,8 +69,7 @@ export const auditLogServiceFactory = ({
       secretPath: filter.secretPath,
       secretKey: filter.secretKey,
       environment: filter.environment,
-      orgId: actorOrgId,
-      ...(filter.projectId ? { projectId: filter.projectId } : {})
+      ...(filter.projectId ? { projectId: filter.projectId } : { orgId: actorOrgId })
     });
 
     return auditLogs.map(({ eventType: logEventType, actor: eActor, actorMetadata, eventMetadata, ...el }) => ({

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -56,8 +56,8 @@ export type TListProjectAuditLogDTO = {
     eventType?: EventType[];
     offset?: number;
     limit: number;
-    endDate: string;
-    startDate: string;
+    endDate?: string;
+    startDate?: string;
     projectId?: string;
     environment?: string;
     auditLogActorId?: string;
@@ -116,15 +116,6 @@ interface BaseAuthData {
   userAgentType?: UserAgentType;
 }
 
-export enum SecretApprovalEvent {
-  Create = "create",
-  Update = "update",
-  Delete = "delete",
-  CreateMany = "create-many",
-  UpdateMany = "update-many",
-  DeleteMany = "delete-many"
-}
-
 export enum UserAgentType {
   WEB = "web",
   CLI = "cli",
@@ -211,12 +202,6 @@ export enum EventType {
   REVOKE_IDENTITY_ALICLOUD_AUTH = "revoke-identity-alicloud-auth",
   GET_IDENTITY_ALICLOUD_AUTH = "get-identity-alicloud-auth",
 
-  LOGIN_IDENTITY_TLS_CERT_AUTH = "login-identity-tls-cert-auth",
-  ADD_IDENTITY_TLS_CERT_AUTH = "add-identity-tls-cert-auth",
-  UPDATE_IDENTITY_TLS_CERT_AUTH = "update-identity-tls-cert-auth",
-  REVOKE_IDENTITY_TLS_CERT_AUTH = "revoke-identity-tls-cert-auth",
-  GET_IDENTITY_TLS_CERT_AUTH = "get-identity-tls-cert-auth",
-
   LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
   ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
   UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
@@ -1156,53 +1141,6 @@ interface GetIdentityAliCloudAuthEvent {
   };
 }
 
-interface LoginIdentityTlsCertAuthEvent {
-  type: EventType.LOGIN_IDENTITY_TLS_CERT_AUTH;
-  metadata: {
-    identityId: string;
-    identityTlsCertAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityTlsCertAuthEvent {
-  type: EventType.ADD_IDENTITY_TLS_CERT_AUTH;
-  metadata: {
-    identityId: string;
-    allowedCommonNames: string | null | undefined;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface DeleteIdentityTlsCertAuthEvent {
-  type: EventType.REVOKE_IDENTITY_TLS_CERT_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
-interface UpdateIdentityTlsCertAuthEvent {
-  type: EventType.UPDATE_IDENTITY_TLS_CERT_AUTH;
-  metadata: {
-    identityId: string;
-    allowedCommonNames: string | null | undefined;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityTlsCertAuthEvent {
-  type: EventType.GET_IDENTITY_TLS_CERT_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
 interface LoginIdentityOciAuthEvent {
   type: EventType.LOGIN_IDENTITY_OCI_AUTH;
   metadata: {
@@ -1711,20 +1649,9 @@ interface SecretApprovalReopened {
 interface SecretApprovalRequest {
   type: EventType.SECRET_APPROVAL_REQUEST;
   metadata: {
-    committedBy?: string | null;
+    committedBy: string;
     secretApprovalRequestSlug: string;
     secretApprovalRequestId: string;
-    eventType: SecretApprovalEvent;
-    secretKey?: string;
-    secretId?: string;
-    secrets?: {
-      secretKey?: string;
-      secretId?: string;
-      environment?: string;
-      secretPath?: string;
-    }[];
-    environment: string;
-    secretPath: string;
   };
 }
 
@@ -3431,11 +3358,6 @@ export type Event =
   | UpdateIdentityAliCloudAuthEvent
   | GetIdentityAliCloudAuthEvent
   | DeleteIdentityAliCloudAuthEvent
-  | LoginIdentityTlsCertAuthEvent
-  | AddIdentityTlsCertAuthEvent
-  | UpdateIdentityTlsCertAuthEvent
-  | GetIdentityTlsCertAuthEvent
-  | DeleteIdentityTlsCertAuthEvent
   | LoginIdentityOciAuthEvent
   | AddIdentityOciAuthEvent
   | UpdateIdentityOciAuthEvent

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -77,7 +78,8 @@ export const certificateAuthorityCrlServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import RE2 from "re2";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -84,7 +85,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -200,7 +202,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -297,7 +300,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -385,7 +389,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -432,7 +437,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -77,7 +78,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -200,7 +202,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -351,7 +354,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -416,7 +420,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -480,7 +485,8 @@ export const dynamicSecretServiceFactory = ({
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
       });
 
       // verify user has access to each env in request
@@ -523,7 +529,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
@@ -571,7 +578,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -608,7 +616,8 @@ export const dynamicSecretServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
@@ -652,7 +661,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -21,7 +21,7 @@ import { randomUUID } from "crypto";
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { AwsIamAuthType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
@@ -81,21 +81,6 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       return client;
     }
 
-    if (providerInputs.method === AwsIamAuthType.IRSA) {
-      // Allow instances to disable automatic service account token fetching (e.g. for shared cloud)
-      if (!appCfg.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN) {
-        throw new UnauthorizedError({
-          message: "Failed to get AWS credentials via IRSA: KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN is not enabled."
-        });
-      }
-
-      // The SDK will automatically pick up credentials from the environment
-      const client = new IAMClient({
-        region: providerInputs.region
-      });
-      return client;
-    }
-
     const client = new IAMClient({
       region: providerInputs.region,
       credentials: {
@@ -116,7 +101,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       .catch((err) => {
         const message = (err as Error)?.message;
         if (
-          (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
+          providerInputs.method === AwsIamAuthType.AssumeRole &&
           // assume role will throw an error asking to provider username, but if so this has access in aws correctly
           message.includes("Must specify userName when calling with non-User credentials")
         ) {

backend/src/ee/services/dynamic-secret/providers/github.ts

@@ -1,5 +1,5 @@
 import axios from "axios";
-import jwt from "jsonwebtoken";
+import * as jwt from "jsonwebtoken";
 
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -28,8 +28,7 @@ export enum SqlProviders {
 
 export enum AwsIamAuthType {
   AssumeRole = "assume-role",
-  AccessKey = "access-key",
-  IRSA = "irsa"
+  AccessKey = "access-key"
 }
 
 export enum ElasticSearchAuthTypes {
@@ -222,16 +221,6 @@ export const DynamicSecretAwsIamSchema = z.preprocess(
       userGroups: z.string().trim().optional(),
       policyArns: z.string().trim().optional(),
       tags: ResourceMetadataSchema.optional()
-    }),
-    z.object({
-      method: z.literal(AwsIamAuthType.IRSA),
-      region: z.string().trim().min(1),
-      awsPath: z.string().trim().optional(),
-      permissionBoundaryPolicyArn: z.string().trim().optional(),
-      policyDocument: z.string().trim().optional(),
-      userGroups: z.string().trim().optional(),
-      policyArns: z.string().trim().optional(),
-      tags: ResourceMetadataSchema.optional()
     })
   ])
 );

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,7 +61,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -72,7 +73,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -158,7 +160,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -169,7 +172,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -256,7 +260,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -267,7 +272,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     const permissionBoundary = validatePrivilegeChangeOperation(
       membership.shouldUseNewPrivilegeSystem,
@@ -315,7 +321,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -349,7 +356,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -384,7 +392,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -72,7 +73,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -85,7 +87,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -172,7 +175,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -185,7 +189,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -288,7 +293,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -300,7 +306,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     const permissionBoundary = validatePrivilegeChangeOperation(
       membership.shouldUseNewPrivilegeSystem,
@@ -359,7 +366,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -401,7 +409,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/kmip/kmip-operation-service.ts

@@ -24,7 +24,7 @@ type TKmipOperationServiceFactoryDep = {
   kmsService: TKmsServiceFactory;
   kmsDAL: TKmsKeyDALFactory;
   kmipClientDAL: TKmipClientDALFactory;
-  projectDAL: Pick<TProjectDALFactory, "findById">;
+  projectDAL: Pick<TProjectDALFactory, "getProjectFromSplitId" | "findById">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
 };
 

backend/src/ee/services/kmip/kmip-service.ts

@@ -2,6 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import crypto, { KeyObject } from "crypto";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidIp } from "@app/lib/ip";
 import { ms } from "@app/lib/ms";
@@ -72,7 +73,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -125,7 +127,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -156,7 +159,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -189,7 +193,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -210,7 +215,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -246,7 +252,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -361,6 +361,13 @@ export const ldapConfigServiceFactory = ({
       });
     } else {
       const plan = await licenseService.getPlan(orgId);
+      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
+        throw new BadRequestError({
+          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
+        });
+      }
+
       if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
         // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
         throw new BadRequestError({

backend/src/ee/services/license/licence-enums.ts

@@ -1,4 +1,5 @@
 export const BillingPlanRows = {
+  MemberLimit: { name: "Organization member limit", field: "memberLimit" },
   IdentityLimit: { name: "Organization identity limit", field: "identityLimit" },
   WorkspaceLimit: { name: "Project limit", field: "workspaceLimit" },
   EnvironmentLimit: { name: "Environment limit", field: "environmentLimit" },

backend/src/ee/services/license/license-service.ts

@@ -442,7 +442,9 @@ export const licenseServiceFactory = ({
         rows: data.rows.map((el) => {
           let used = "-";
 
-          if (el.name === BillingPlanRows.WorkspaceLimit.name) {
+          if (el.name === BillingPlanRows.MemberLimit.name) {
+            used = orgMembersUsed.toString();
+          } else if (el.name === BillingPlanRows.WorkspaceLimit.name) {
             used = projectCount.toString();
           } else if (el.name === BillingPlanRows.IdentityLimit.name) {
             used = (identityUsed + orgMembersUsed).toString();
@@ -462,10 +464,12 @@ export const licenseServiceFactory = ({
         const allowed = onPremFeatures[field as keyof TFeatureSet];
         let used = "-";
 
-        if (field === BillingPlanRows.WorkspaceLimit.field) {
+        if (field === BillingPlanRows.MemberLimit.field) {
+          used = orgMembersUsed.toString();
+        } else if (field === BillingPlanRows.WorkspaceLimit.field) {
           used = projectCount.toString();
         } else if (field === BillingPlanRows.IdentityLimit.field) {
-          used = (identityUsed + orgMembersUsed).toString();
+          used = identityUsed.toString();
         }
 
         return {

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -107,26 +107,34 @@ export const oidcConfigServiceFactory = ({
   kmsService
 }: TOidcConfigServiceFactoryDep) => {
   const getOidc = async (dto: TGetOidcCfgDTO) => {
-    const oidcCfg = await oidcConfigDAL.findOne({
-      orgId: dto.organizationId
-    });
-    if (!oidcCfg) {
+    const org = await orgDAL.findOne({ slug: dto.orgSlug });
+    if (!org) {
       throw new NotFoundError({
-        message: `OIDC configuration for organization with ID '${dto.organizationId}' not found`
+        message: `Organization with slug '${dto.orgSlug}' not found`,
+        name: "OrgNotFound"
       });
     }
-
     if (dto.type === "external") {
       const { permission } = await permissionService.getOrgPermission(
         dto.actor,
         dto.actorId,
-        dto.organizationId,
+        org.id,
         dto.actorAuthMethod,
         dto.actorOrgId
       );
       ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Sso);
     }
 
+    const oidcCfg = await oidcConfigDAL.findOne({
+      orgId: org.id
+    });
+
+    if (!oidcCfg) {
+      throw new NotFoundError({
+        message: `OIDC configuration for organization with slug '${dto.orgSlug}' not found`
+      });
+    }
+
     const { decryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.Organization,
       orgId: oidcCfg.orgId
@@ -457,7 +465,7 @@ export const oidcConfigServiceFactory = ({
   };
 
   const updateOidcCfg = async ({
-    organizationId,
+    orgSlug,
     allowedEmailDomains,
     configurationType,
     discoveryURL,
@@ -476,11 +484,13 @@ export const oidcConfigServiceFactory = ({
     manageGroupMemberships,
     jwtSignatureAlgorithm
   }: TUpdateOidcCfgDTO) => {
-    const org = await orgDAL.findOne({ id: organizationId });
+    const org = await orgDAL.findOne({
+      slug: orgSlug
+    });
 
     if (!org) {
       throw new NotFoundError({
-        message: `Organization with ID '${organizationId}' not found`
+        message: `Organization with slug '${orgSlug}' not found`
       });
     }
 
@@ -545,7 +555,7 @@ export const oidcConfigServiceFactory = ({
   };
 
   const createOidcCfg = async ({
-    organizationId,
+    orgSlug,
     allowedEmailDomains,
     configurationType,
     discoveryURL,
@@ -564,10 +574,12 @@ export const oidcConfigServiceFactory = ({
     manageGroupMemberships,
     jwtSignatureAlgorithm
   }: TCreateOidcCfgDTO) => {
-    const org = await orgDAL.findOne({ id: organizationId });
+    const org = await orgDAL.findOne({
+      slug: orgSlug
+    });
     if (!org) {
       throw new NotFoundError({
-        message: `Organization with ID '${organizationId}' not found`
+        message: `Organization with slug '${orgSlug}' not found`
       });
     }
 
@@ -627,7 +639,7 @@ export const oidcConfigServiceFactory = ({
 
     const oidcCfg = await getOidc({
       type: "internal",
-      organizationId: org.id
+      orgSlug
     });
 
     if (!oidcCfg || !oidcCfg.isActive) {

backend/src/ee/services/oidc/oidc-config-types.ts

@@ -26,11 +26,11 @@ export type TOidcLoginDTO = {
 export type TGetOidcCfgDTO =
   | ({
       type: "external";
-      organizationId: string;
+      orgSlug: string;
     } & TGenericPermission)
   | {
       type: "internal";
-      organizationId: string;
+      orgSlug: string;
     };
 
 export type TCreateOidcCfgDTO = {
@@ -45,7 +45,7 @@ export type TCreateOidcCfgDTO = {
   clientId: string;
   clientSecret: string;
   isActive: boolean;
-  organizationId: string;
+  orgSlug: string;
   manageGroupMemberships: boolean;
   jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
 } & TGenericPermission;
@@ -62,7 +62,7 @@ export type TUpdateOidcCfgDTO = Partial<{
   clientId: string;
   clientSecret: string;
   isActive: boolean;
-  organizationId: string;
+  orgSlug: string;
   manageGroupMemberships: boolean;
   jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
 }> &

backend/src/ee/services/permission/permission-dal.ts

@@ -91,7 +91,7 @@ export interface TPermissionDALFactory {
         userId: string;
         projectId: string;
         username: string;
-        projectType?: string | null;
+        projectType: string;
         id: string;
         createdAt: Date;
         updatedAt: Date;
@@ -163,7 +163,7 @@ export interface TPermissionDALFactory {
         createdAt: Date;
         updatedAt: Date;
         orgId: string;
-        projectType?: string | null;
+        projectType: string;
         shouldUseNewPrivilegeSystem: boolean;
         orgAuthEnforced: boolean;
         metadata: {
@@ -201,7 +201,7 @@ export interface TPermissionDALFactory {
       userId: string;
       projectId: string;
       username: string;
-      projectType?: string | null;
+      projectType: string;
       id: string;
       createdAt: Date;
       updatedAt: Date;
@@ -267,7 +267,7 @@ export interface TPermissionDALFactory {
       createdAt: Date;
       updatedAt: Date;
       orgId: string;
-      projectType?: string | null;
+      projectType: string;
       orgAuthEnforced: boolean;
       metadata: {
         id: string;

backend/src/ee/services/permission/permission-service-types.ts

@@ -1,6 +1,7 @@
 import { MongoAbility, RawRuleOf } from "@casl/ability";
 import { MongoQuery } from "@ucast/mongo2js";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 
 import { OrgPermissionSet } from "./org-permission";
@@ -20,6 +21,7 @@ export type TGetUserProjectPermissionArg = {
   userId: string;
   projectId: string;
   authMethod: ActorAuthMethod;
+  actionProjectType: ActionProjectType;
   userOrgId?: string;
 };
 
@@ -27,12 +29,14 @@ export type TGetIdentityProjectPermissionArg = {
   identityId: string;
   projectId: string;
   identityOrgId?: string;
+  actionProjectType: ActionProjectType;
 };
 
 export type TGetServiceTokenProjectPermissionArg = {
   serviceTokenId: string;
   projectId: string;
   actorOrgId?: string;
+  actionProjectType: ActionProjectType;
 };
 
 export type TGetProjectPermissionArg = {
@@ -41,6 +45,7 @@ export type TGetProjectPermissionArg = {
   projectId: string;
   actorAuthMethod: ActorAuthMethod;
   actorOrgId?: string;
+  actionProjectType: ActionProjectType;
 };
 
 export type TPermissionServiceFactory = {
@@ -138,7 +143,13 @@ export type TPermissionServiceFactory = {
         };
       }
   >;
-  getUserProjectPermission: ({ userId, projectId, authMethod, userOrgId }: TGetUserProjectPermissionArg) => Promise<{
+  getUserProjectPermission: ({
+    userId,
+    projectId,
+    authMethod,
+    userOrgId,
+    actionProjectType
+  }: TGetUserProjectPermissionArg) => Promise<{
     permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
     membership: {
       id: string;

backend/src/ee/services/permission/permission-service.ts

@@ -5,6 +5,7 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 
 import {
+  ActionProjectType,
   OrgMembershipRole,
   ProjectMembershipRole,
   ServiceTokenScopes,
@@ -213,7 +214,8 @@ export const permissionServiceFactory = ({
     userId,
     projectId,
     authMethod,
-    userOrgId
+    userOrgId,
+    actionProjectType
   }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
     const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
     if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
@@ -240,6 +242,12 @@ export const permissionServiceFactory = ({
       userProjectPermission.orgRole
     );
 
+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
+      throw new BadRequestError({
+        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
     // join two permissions and pass to build the final permission set
     const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -287,7 +295,8 @@ export const permissionServiceFactory = ({
   const getIdentityProjectPermission = async ({
     identityId,
     projectId,
-    identityOrgId
+    identityOrgId,
+    actionProjectType
   }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
     const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
     if (!identityProjectPermission)
@@ -307,6 +316,12 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
     }
 
+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
+      throw new BadRequestError({
+        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
     const rolePermissions =
       identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -361,7 +376,8 @@ export const permissionServiceFactory = ({
   const getServiceTokenProjectPermission = async ({
     serviceTokenId,
     projectId,
-    actorOrgId
+    actorOrgId,
+    actionProjectType
   }: TGetServiceTokenProjectPermissionArg) => {
     const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
     if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
@@ -386,6 +402,12 @@ export const permissionServiceFactory = ({
       });
     }
 
+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
+      throw new BadRequestError({
+        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
     const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
     return {
       permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
@@ -537,7 +559,8 @@ export const permissionServiceFactory = ({
     actorId: inputActorId,
     projectId,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    actionProjectType
   }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
     let actor = inputActor;
     let actorId = inputActorId;
@@ -558,19 +581,22 @@ export const permissionServiceFactory = ({
           userId: actorId,
           projectId,
           authMethod: actorAuthMethod,
-          userOrgId: actorOrgId
+          userOrgId: actorOrgId,
+          actionProjectType
         }) as Promise<TProjectPermissionRT<T>>;
       case ActorType.SERVICE:
         return getServiceTokenProjectPermission({
           serviceTokenId: actorId,
           projectId,
-          actorOrgId
+          actorOrgId,
+          actionProjectType
         }) as Promise<TProjectPermissionRT<T>>;
       case ActorType.IDENTITY:
         return getIdentityProjectPermission({
           identityId: actorId,
           projectId,
-          identityOrgId: actorOrgId
+          identityOrgId: actorOrgId,
+          actionProjectType
         }) as Promise<TProjectPermissionRT<T>>;
       default:
         throw new BadRequestError({

backend/src/ee/services/pit/pit-service.ts

@@ -1,6 +1,7 @@
 /* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@@ -320,7 +321,8 @@ export const pitServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(userPermission).throwUnlessCan(

backend/src/ee/services/project-template/project-template-fns.ts

@@ -1,3 +1,4 @@
+import { ProjectType } from "@app/db/schemas";
 import {
   InfisicalProjectTemplate,
   TUnpackedPermission
@@ -6,18 +7,21 @@ import { getPredefinedRoles } from "@app/services/project-role/project-role-fns"
 
 import { ProjectTemplateDefaultEnvironments } from "./project-template-constants";
 
-export const getDefaultProjectTemplate = (orgId: string) => ({
+export const getDefaultProjectTemplate = (orgId: string, type: ProjectType) => ({
   id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // random ID to appease zod
+  type,
   name: InfisicalProjectTemplate.Default,
   createdAt: new Date(),
   updatedAt: new Date(),
-  description: `Infisical's default project template`,
-  environments: ProjectTemplateDefaultEnvironments,
-  roles: getPredefinedRoles({ projectId: "project-template" }) as Array<{
-    name: string;
-    slug: string;
-    permissions: TUnpackedPermission[];
-  }>,
+  description: `Infisical's ${type} default project template`,
+  environments: type === ProjectType.SecretManager ? ProjectTemplateDefaultEnvironments : null,
+  roles: [...getPredefinedRoles({ projectId: "project-template", projectType: type })].map(
+    ({ name, slug, permissions }) => ({
+      name,
+      slug,
+      permissions: permissions as TUnpackedPermission[]
+    })
+  ),
   orgId
 });
 

backend/src/ee/services/project-template/project-template-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
-import { TProjectTemplates } from "@app/db/schemas";
+import { ProjectType, TProjectTemplates } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@@ -29,11 +29,13 @@ const $unpackProjectTemplate = ({ roles, environments, ...rest }: TProjectTempla
   ...rest,
   environments: environments as TProjectTemplateEnvironment[],
   roles: [
-    ...getPredefinedRoles({ projectId: "project-template" }).map(({ name, slug, permissions }) => ({
-      name,
-      slug,
-      permissions: permissions as TUnpackedPermission[]
-    })),
+    ...getPredefinedRoles({ projectId: "project-template", projectType: rest.type as ProjectType }).map(
+      ({ name, slug, permissions }) => ({
+        name,
+        slug,
+        permissions: permissions as TUnpackedPermission[]
+      })
+    ),
     ...(roles as TProjectTemplateRole[]).map((role) => ({
       ...role,
       permissions: unpackPermissions(role.permissions)
@@ -46,7 +48,10 @@ export const projectTemplateServiceFactory = ({
   permissionService,
   projectTemplateDAL
 }: TProjectTemplatesServiceFactoryDep): TProjectTemplateServiceFactory => {
-  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (actor) => {
+  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (
+    actor,
+    type
+  ) => {
     const plan = await licenseService.getPlan(actor.orgId);
 
     if (!plan.projectTemplates)
@@ -65,11 +70,14 @@ export const projectTemplateServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
 
     const projectTemplates = await projectTemplateDAL.find({
-      orgId: actor.orgId
+      orgId: actor.orgId,
+      ...(type ? { type } : {})
     });
 
     return [
-      getDefaultProjectTemplate(actor.orgId),
+      ...(type
+        ? [getDefaultProjectTemplate(actor.orgId, type)]
+        : Object.values(ProjectType).map((projectType) => getDefaultProjectTemplate(actor.orgId, projectType))),
       ...projectTemplates.map((template) => $unpackProjectTemplate(template))
     ];
   };
@@ -134,7 +142,7 @@ export const projectTemplateServiceFactory = ({
   };
 
   const createProjectTemplate: TProjectTemplateServiceFactory["createProjectTemplate"] = async (
-    { roles, environments, ...params },
+    { roles, environments, type, ...params },
     actor
   ) => {
     const plan = await licenseService.getPlan(actor.orgId);
@@ -154,6 +162,10 @@ export const projectTemplateServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
 
+    if (environments && type !== ProjectType.SecretManager) {
+      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
+    }
+
     if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
       throw new BadRequestError({
         // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
@@ -176,8 +188,10 @@ export const projectTemplateServiceFactory = ({
     const projectTemplate = await projectTemplateDAL.create({
       ...params,
       roles: JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) }))),
-      environments: environments ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
-      orgId: actor.orgId
+      environments:
+        type === ProjectType.SecretManager ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
+      orgId: actor.orgId,
+      type
     });
 
     return $unpackProjectTemplate(projectTemplate);
@@ -209,6 +223,12 @@ export const projectTemplateServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
 
+    if (projectTemplate.type !== ProjectType.SecretManager && environments)
+      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
+
+    if (projectTemplate.type === ProjectType.SecretManager && environments === null)
+      throw new BadRequestError({ message: "Environments cannot be removed for SecretManager project templates" });
+
     if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
       throw new BadRequestError({
         // eslint-disable-next-line @typescript-eslint/restrict-template-expressions

backend/src/ee/services/project-template/project-template-types.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, TProjectEnvironments } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectType, TProjectEnvironments } from "@app/db/schemas";
 import { TProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { OrgServiceActor } from "@app/lib/types";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
@@ -16,6 +16,7 @@ export type TProjectTemplateRole = {
 export type TCreateProjectTemplateDTO = {
   name: string;
   description?: string;
+  type: ProjectType;
   roles: TProjectTemplateRole[];
   environments?: TProjectTemplateEnvironment[] | null;
 };
@@ -29,10 +30,14 @@ export enum InfisicalProjectTemplate {
 }
 
 export type TProjectTemplateServiceFactory = {
-  listProjectTemplatesByOrg: (actor: OrgServiceActor) => Promise<
+  listProjectTemplatesByOrg: (
+    actor: OrgServiceActor,
+    type?: ProjectType
+  ) => Promise<
     (
       | {
           id: string;
+          type: ProjectType;
           name: InfisicalProjectTemplate;
           createdAt: Date;
           updatedAt: Date;
@@ -69,6 +74,7 @@ export type TProjectTemplateServiceFactory = {
             name: string;
           }[];
           name: string;
+          type: string;
           orgId: string;
           id: string;
           createdAt: Date;
@@ -93,6 +99,7 @@ export type TProjectTemplateServiceFactory = {
       name: string;
     }[];
     name: string;
+    type: string;
     orgId: string;
     id: string;
     createdAt: Date;
@@ -116,6 +123,7 @@ export type TProjectTemplateServiceFactory = {
       name: string;
     }[];
     name: string;
+    type: string;
     orgId: string;
     id: string;
     createdAt: Date;
@@ -138,6 +146,7 @@ export type TProjectTemplateServiceFactory = {
       name: string;
     }[];
     name: string;
+    type: string;
     orgId: string;
     id: string;
     createdAt: Date;
@@ -161,6 +170,7 @@ export type TProjectTemplateServiceFactory = {
       name: string;
     }[];
     name: string;
+    type: string;
     orgId: string;
     id: string;
     createdAt: Date;
@@ -184,6 +194,7 @@ export type TProjectTemplateServiceFactory = {
       name: string;
     }[];
     name: string;
+    type: string;
     orgId: string;
     id: string;
     createdAt: Date;

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,7 +61,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
     const { permission: targetUserPermission, membership } = await permissionService.getProjectPermission({
@@ -69,7 +70,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId: projectMembership.userId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -164,7 +166,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
     const { permission: targetUserPermission } = await permissionService.getProjectPermission({
@@ -172,7 +175,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId: projectMembership.userId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -272,7 +276,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
 
@@ -317,7 +322,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 
@@ -343,7 +349,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -148,18 +148,10 @@ export const samlConfigServiceFactory = ({
     let samlConfig: TSamlConfigs | undefined;
     if (dto.type === "org") {
       samlConfig = await samlConfigDAL.findOne({ orgId: dto.orgId });
-      if (!samlConfig) {
-        throw new NotFoundError({
-          message: `SAML configuration for organization with ID '${dto.orgId}' not found`
-        });
-      }
+      if (!samlConfig) return;
     } else if (dto.type === "orgSlug") {
       const org = await orgDAL.findOne({ slug: dto.orgSlug });
-      if (!org) {
-        throw new NotFoundError({
-          message: `Organization with slug '${dto.orgSlug}' not found`
-        });
-      }
+      if (!org) return;
       samlConfig = await samlConfigDAL.findOne({ orgId: org.id });
     } else if (dto.type === "ssoId") {
       // TODO:
@@ -311,6 +303,13 @@ export const samlConfigServiceFactory = ({
       });
     } else {
       const plan = await licenseService.getPlan(orgId);
+      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
+        throw new BadRequestError({
+          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
+        });
+      }
+
       if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
         // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
         throw new BadRequestError({

backend/src/ee/services/saml-config/saml-config-types.ts

@@ -61,17 +61,20 @@ export type TSamlLoginDTO = {
 export type TSamlConfigServiceFactory = {
   createSamlCfg: (arg: TCreateSamlCfgDTO) => Promise<TSamlConfigs>;
   updateSamlCfg: (arg: TUpdateSamlCfgDTO) => Promise<TSamlConfigs>;
-  getSaml: (arg: TGetSamlCfgDTO) => Promise<{
-    id: string;
-    organization: string;
-    orgId: string;
-    authProvider: string;
-    isActive: boolean;
-    entryPoint: string;
-    issuer: string;
-    cert: string;
-    lastUsed: Date | null | undefined;
-  }>;
+  getSaml: (arg: TGetSamlCfgDTO) => Promise<
+    | {
+        id: string;
+        organization: string;
+        orgId: string;
+        authProvider: string;
+        isActive: boolean;
+        entryPoint: string;
+        issuer: string;
+        cert: string;
+        lastUsed: Date | null | undefined;
+      }
+    | undefined
+  >;
   samlLogin: (arg: TSamlLoginDTO) => Promise<{
     isUserCompleted: boolean;
     providerAuthToken: string;

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import picomatch from "picomatch";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -55,26 +56,6 @@ export const secretApprovalPolicyServiceFactory = ({
   licenseService,
   secretApprovalRequestDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
-  const $policyExists = async ({
-    envId,
-    secretPath,
-    policyId
-  }: {
-    envId: string;
-    secretPath: string;
-    policyId?: string;
-  }) => {
-    const policy = await secretApprovalPolicyDAL
-      .findOne({
-        envId,
-        secretPath,
-        deletedAt: null
-      })
-      .catch(() => null);
-
-    return policyId ? policy && policy.id !== policyId : Boolean(policy);
-  };
-
   const createSecretApprovalPolicy = async ({
     name,
     actor,
@@ -110,7 +91,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -126,17 +108,10 @@ export const secretApprovalPolicyServiceFactory = ({
     }
 
     const env = await projectEnvDAL.findOne({ slug: environment, projectId });
-    if (!env) {
+    if (!env)
       throw new NotFoundError({
         message: `Environment with slug '${environment}' not found in project with ID ${projectId}`
       });
-    }
-
-    if (await $policyExists({ envId: env.id, secretPath })) {
-      throw new BadRequestError({
-        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
-      });
-    }
 
     let groupBypassers: string[] = [];
     let bypasserUserIds: string[] = [];
@@ -287,24 +262,13 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
-    if (
-      await $policyExists({
-        envId: secretApprovalPolicy.envId,
-        secretPath: secretPath || secretApprovalPolicy.secretPath,
-        policyId: secretApprovalPolicy.id
-      })
-    ) {
-      throw new BadRequestError({
-        message: `A policy for secret path '${secretPath}' already exists in environment '${secretApprovalPolicy.environment.slug}'`
-      });
-    }
-
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: secretApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
@@ -459,7 +423,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -498,7 +463,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
@@ -542,7 +508,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     return getSecretApprovalPolicy(projectId, environment, secretPath);
@@ -568,7 +535,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -4,7 +4,7 @@ import { ApproverType, BypasserType } from "../access-approval-policy/access-app
 
 export type TCreateSapDTO = {
   approvals: number;
-  secretPath: string;
+  secretPath?: string | null;
   environment: string;
   approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
   bypassers?: (
@@ -20,7 +20,7 @@ export type TCreateSapDTO = {
 export type TUpdateSapDTO = {
   secretPolicyId: string;
   approvals?: number;
-  secretPath?: string;
+  secretPath?: string | null;
   approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
   bypassers?: (
     | { type: BypasserType.Group; id: string }

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -45,7 +45,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalRequest}.statusChangedByUserId`,
         `statusChangedByUser.id`
       )
-      .leftJoin<TUsers>(
+      .join<TUsers>(
         db(TableName.Users).as("committerUser"),
         `${TableName.SecretApprovalRequest}.committerUserId`,
         `committerUser.id`
@@ -173,15 +173,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
                 username: el.statusChangedByUserUsername
               }
             : undefined,
-          committerUser: el.committerUserId
-            ? {
-                userId: el.committerUserId,
-                email: el.committerUserEmail,
-                firstName: el.committerUserFirstName,
-                lastName: el.committerUserLastName,
-                username: el.committerUserUsername
-              }
-            : null,
+          committerUser: {
+            userId: el.committerUserId,
+            email: el.committerUserEmail,
+            firstName: el.committerUserFirstName,
+            lastName: el.committerUserLastName,
+            username: el.committerUserUsername
+          },
           policy: {
             id: el.policyId,
             name: el.policyName,
@@ -292,7 +290,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findProjectRequestCount = async (projectId: string, userId: string, policyId?: string, tx?: Knex) => {
+  const findProjectRequestCount = async (projectId: string, userId: string, tx?: Knex) => {
     try {
       const docs = await (tx || db)
         .with(
@@ -311,9 +309,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
               `${TableName.SecretApprovalPolicy}.id`
             )
             .where({ projectId })
-            .where((qb) => {
-              if (policyId) void qb.where(`${TableName.SecretApprovalPolicy}.id`, policyId);
-            })
             .andWhere(
               (bd) =>
                 void bd
@@ -379,7 +374,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
           `bypasserUserGroupMembership.groupId`
         )
-        .leftJoin<TUsers>(
+        .join<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
           `committerUser.id`
@@ -490,15 +485,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             enforcementLevel: el.policyEnforcementLevel,
             allowedSelfApprovals: el.policyAllowedSelfApprovals
           },
-          committerUser: el.committerUserId
-            ? {
-                userId: el.committerUserId,
-                email: el.committerUserEmail,
-                firstName: el.committerUserFirstName,
-                lastName: el.committerUserLastName,
-                username: el.committerUserUsername
-              }
-            : null
+          committerUser: {
+            userId: el.committerUserId,
+            email: el.committerUserEmail,
+            firstName: el.committerUserFirstName,
+            lastName: el.committerUserLastName,
+            username: el.committerUserUsername
+          }
         }),
         childrenMapper: [
           {
@@ -585,7 +578,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
           `bypasserUserGroupMembership.groupId`
         )
-        .leftJoin<TUsers>(
+        .join<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
           `committerUser.id`
@@ -697,15 +690,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             enforcementLevel: el.policyEnforcementLevel,
             allowedSelfApprovals: el.policyAllowedSelfApprovals
           },
-          committerUser: el.committerUserId
-            ? {
-                userId: el.committerUserId,
-                email: el.committerUserEmail,
-                firstName: el.committerUserFirstName,
-                lastName: el.committerUserLastName,
-                username: el.committerUserUsername
-              }
-            : null
+          committerUser: {
+            userId: el.committerUserId,
+            email: el.committerUserEmail,
+            firstName: el.committerUserFirstName,
+            lastName: el.committerUserLastName,
+            username: el.committerUserUsername
+          }
         }),
         childrenMapper: [
           {

backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts

@@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
         firstName: reviewerUser.firstName,
         projectName: project.name,
         organizationName: project.organization.name,
-        approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval?requestId=${secretApprovalRequest.id}`
+        approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval?requestId=${secretApprovalRequest.id}`
       },
       template: SmtpTemplates.SecretApprovalRequestNeedsReview
     });

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -2,6 +2,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
 import {
+  ActionProjectType,
   ProjectMembershipRole,
   SecretEncryptionAlgo,
   SecretKeyEncoding,
@@ -10,7 +11,6 @@ import {
   TSecretApprovalRequestsSecretsInsert,
   TSecretApprovalRequestsSecretsV2Insert
 } from "@app/db/schemas";
-import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -168,14 +168,7 @@ export const secretApprovalRequestServiceFactory = ({
   microsoftTeamsService,
   folderCommitService
 }: TSecretApprovalRequestServiceFactoryDep) => {
-  const requestCount = async ({
-    projectId,
-    policyId,
-    actor,
-    actorId,
-    actorOrgId,
-    actorAuthMethod
-  }: TApprovalRequestCountDTO) => {
+  const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
     await permissionService.getProjectPermission({
@@ -183,10 +176,11 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
-    const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId, policyId);
+    const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId);
     return count;
   };
 
@@ -210,7 +204,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
@@ -262,7 +257,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -411,7 +407,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId: secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -480,7 +477,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId: secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -524,7 +522,7 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
-    const { policy, folderId, projectId, bypassers, environment } = secretApprovalRequest;
+    const { policy, folderId, projectId, bypassers } = secretApprovalRequest;
     if (policy.deletedAt) {
       throw new BadRequestError({
         message: "The policy associated with this secret approval request has been deleted."
@@ -536,7 +534,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     if (
@@ -952,118 +951,13 @@ export const secretApprovalRequestServiceFactory = ({
           bypassReason,
           secretPath: policy.secretPath,
           environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`
+          approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`
         },
         template: SmtpTemplates.AccessSecretRequestBypassed
       });
     }
 
-    const { created, updated, deleted } = mergeStatus.secrets;
-
-    const secretMutationEvents: Event[] = [];
-
-    if (created.length) {
-      if (created.length > 1) {
-        secretMutationEvents.push({
-          type: EventType.CREATE_SECRETS,
-          metadata: {
-            environment,
-            secretPath: folder.path,
-            secrets: created.map((secret) => ({
-              secretId: secret.id,
-              secretVersion: 1,
-              // @ts-expect-error not present on v1 secrets
-              secretKey: secret.key as string,
-              // @ts-expect-error not present on v1 secrets
-              secretMetadata: secret.secretMetadata as ResourceMetadataDTO
-            }))
-          }
-        });
-      } else {
-        const [secret] = created;
-        secretMutationEvents.push({
-          type: EventType.CREATE_SECRET,
-          metadata: {
-            environment,
-            secretPath: folder.path,
-            secretId: secret.id,
-            secretVersion: 1,
-            // @ts-expect-error not present on v1 secrets
-            secretKey: secret.key as string,
-            // @ts-expect-error not present on v1 secrets
-            secretMetadata: secret.secretMetadata as ResourceMetadataDTO
-          }
-        });
-      }
-    }
-
-    if (updated.length) {
-      if (updated.length > 1) {
-        secretMutationEvents.push({
-          type: EventType.UPDATE_SECRETS,
-          metadata: {
-            environment,
-            secretPath: folder.path,
-            secrets: updated.map((secret) => ({
-              secretId: secret.id,
-              secretVersion: secret.version,
-              // @ts-expect-error not present on v1 secrets
-              secretKey: secret.key as string,
-              // @ts-expect-error not present on v1 secrets
-              secretMetadata: secret.secretMetadata as ResourceMetadataDTO
-            }))
-          }
-        });
-      } else {
-        const [secret] = updated;
-        secretMutationEvents.push({
-          type: EventType.UPDATE_SECRET,
-          metadata: {
-            environment,
-            secretPath: folder.path,
-            secretId: secret.id,
-            secretVersion: secret.version,
-            // @ts-expect-error not present on v1 secrets
-            secretKey: secret.key as string,
-            // @ts-expect-error not present on v1 secrets
-            secretMetadata: secret.secretMetadata as ResourceMetadataDTO
-          }
-        });
-      }
-    }
-
-    if (deleted.length) {
-      if (deleted.length > 1) {
-        secretMutationEvents.push({
-          type: EventType.DELETE_SECRETS,
-          metadata: {
-            environment,
-            secretPath: folder.path,
-            secrets: deleted.map((secret) => ({
-              secretId: secret.id,
-              secretVersion: secret.version,
-              // @ts-expect-error not present on v1 secrets
-              secretKey: secret.key as string
-            }))
-          }
-        });
-      } else {
-        const [secret] = deleted;
-        secretMutationEvents.push({
-          type: EventType.DELETE_SECRET,
-          metadata: {
-            environment,
-            secretPath: folder.path,
-            secretId: secret.id,
-            secretVersion: secret.version,
-            // @ts-expect-error not present on v1 secrets
-            secretKey: secret.key as string
-          }
-        });
-      }
-    }
-
-    return { ...mergeStatus, projectId, secretMutationEvents };
+    return mergeStatus;
   };
 
   // function to save secret change to secret approval
@@ -1086,7 +980,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
@@ -1320,7 +1215,7 @@ export const secretApprovalRequestServiceFactory = ({
     });
 
     const env = await projectEnvDAL.findOne({ id: policy.envId });
-    const user = await userDAL.findById(actorId);
+    const user = await userDAL.findById(secretApprovalRequest.committerUserId);
 
     await triggerWorkflowIntegrationNotification({
       input: {
@@ -1376,7 +1271,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
@@ -1657,7 +1553,7 @@ export const secretApprovalRequestServiceFactory = ({
       return { ...doc, commits: approvalCommits };
     });
 
-    const user = await userDAL.findById(actorId);
+    const user = await userDAL.findById(secretApprovalRequest.committerUserId);
     const env = await projectEnvDAL.findOne({ id: policy.envId });
 
     await triggerWorkflowIntegrationNotification({

backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts

@@ -84,7 +84,7 @@ export type TReviewRequestDTO = {
   comment?: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TApprovalRequestCountDTO = TProjectPermission & { policyId?: string };
+export type TApprovalRequestCountDTO = TProjectPermission;
 
 export type TListApprovalsDTO = {
   projectId: string;

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts

@@ -166,9 +166,7 @@ export const secretRotationV2QueueServiceFactory = async ({
             secretPath: folder.path,
             environment: environment.name,
             projectName: project.name,
-            rotationUrl: encodeURI(
-              `${appCfg.SITE_URL}/projects/${projectId}/secret-manager/secrets/${environment.slug}`
-            )
+            rotationUrl: encodeURI(`${appCfg.SITE_URL}/secret-manager/${projectId}/secrets/${environment.slug}`)
           }
         });
       } catch (error) {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { Knex } from "knex";
 import isEqual from "lodash.isequal";
 
-import { SecretType, TableName } from "@app/db/schemas";
+import { ActionProjectType, SecretType, TableName } from "@app/db/schemas";
 import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { hasSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
@@ -218,7 +218,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -269,7 +269,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -315,7 +315,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -380,7 +380,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -424,7 +424,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -625,7 +625,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -775,7 +775,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1105,7 +1105,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1152,7 +1152,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1204,7 +1204,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1320,7 +1320,8 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const permissiveFolderMappings = folderMappings.filter(({ path, environment }) =>

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
 
-import { ProjectVersion, TableName } from "@app/db/schemas";
+import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@@ -66,7 +66,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -97,7 +98,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -213,7 +215,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -261,7 +264,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Edit,
@@ -281,7 +285,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId: doc.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Delete,

backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-constants.ts

@@ -1,9 +0,0 @@
-import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
-import { TSecretScanningDataSourceListItem } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-export const BITBUCKET_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION: TSecretScanningDataSourceListItem = {
-  name: "Bitbucket",
-  type: SecretScanningDataSource.Bitbucket,
-  connection: AppConnection.Bitbucket
-};