feature: add suport for target principal self rotation

.env.example

@@ -23,7 +23,7 @@ REDIS_URL=redis://redis:6379
 # Required
 SITE_URL=http://localhost:8080
 
-# Mail/SMTP
+# Mail/SMTP 
 SMTP_HOST=
 SMTP_PORT=
 SMTP_FROM_ADDRESS=
@@ -107,18 +107,6 @@ INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
 INF_APP_CONNECTION_GITHUB_APP_ID=
 
-#gitlab app connection
-INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID=
-INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET=
-
-#github radar app connection
-INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_ID=
-INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_SECRET=
-INF_APP_CONNECTION_GITHUB_RADAR_APP_PRIVATE_KEY=
-INF_APP_CONNECTION_GITHUB_RADAR_APP_SLUG=
-INF_APP_CONNECTION_GITHUB_RADAR_APP_ID=
-INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET=
-
 #gcp app connection
 INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
 
@@ -132,6 +120,3 @@ DATADOG_PROFILING_ENABLED=
 DATADOG_ENV=
 DATADOG_SERVICE=
 DATADOG_HOSTNAME=
-
-# kubernetes
-KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN=false

.github/workflows/check-non-re2-regex.yml

@@ -1,53 +0,0 @@
-name: Detect Non-RE2 Regex
-on:
-  pull_request:
-    types: [opened, synchronize]
-
-jobs:
-  check-non-re2-regex:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Get diff of backend/*
-        run: |
-          git diff --unified=0 "origin/${{ github.base_ref }}"...HEAD -- backend/ > diff.txt
-
-      - name: Scan backend diff for non-RE2 regex
-        run: |
-          # Extract only added lines (excluding file headers)
-          grep '^+' diff.txt | grep -v '^+++' | sed 's/^\+//' > added_lines.txt
-
-          if [ ! -s added_lines.txt ]; then
-            echo "✅ No added lines in backend/ to check for regex usage."
-            exit 0
-          fi
-
-          regex_usage_pattern='(^|[^A-Za-z0-9_"'"'"'`\.\/\\])(\/(?:\\.|[^\/\n\\])+\/[gimsuyv]*(?=\s*[\.\(;,)\]}:]|$)|new RegExp\()'
-
-          # Find all added lines that contain regex patterns
-          if grep -E "$regex_usage_pattern" added_lines.txt > potential_violations.txt 2>/dev/null; then
-            # Filter out lines that contain 'new RE2' (allowing for whitespace variations)
-            if grep -v -E 'new\s+RE2\s*\(' potential_violations.txt > actual_violations.txt 2>/dev/null && [ -s actual_violations.txt ]; then
-              echo "🚨 ERROR: Found forbidden regex pattern in added/modified backend code."
-              echo ""
-              echo "The following lines use raw regex literals (/.../) or new RegExp(...):"
-              echo "Please replace with 'new RE2(...)' for RE2 compatibility."
-              echo ""
-              echo "Offending lines:"
-              cat actual_violations.txt
-              exit 1
-            else
-              echo "✅ All identified regex usages are correctly using 'new RE2(...)'."
-            fi
-          else
-            echo "✅ No regex patterns found in added/modified backend lines."
-          fi
-
-      - name: Cleanup temporary files
-        if: always()
-        run: |
-          rm -f diff.txt added_lines.txt potential_violations.txt actual_violations.txt

.github/workflows/helm-release-infisical-core.yml

@@ -3,62 +3,7 @@ name: Release Infisical Core Helm chart
 on: [workflow_dispatch]
 
 jobs:
-  test-helm:
-    name: Test Helm Chart
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v4.2.0
-        with:
-          version: v3.17.0
-
-      - uses: actions/setup-python@v5.3.0
-        with:
-          python-version: "3.x"
-          check-latest: true
-
-      - name: Add Helm repositories
-        run: |
-          helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
-          helm repo add bitnami https://charts.bitnami.com/bitnami
-          helm repo update
-
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.7.0
-
-      - name: Run chart-testing (lint)
-        run: ct lint --config ct.yaml --charts helm-charts/infisical-standalone-postgres
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.12.0
-
-      - name: Create namespace
-        run: kubectl create namespace infisical-standalone-postgres
-
-      - name: Create Infisical secrets
-        run: |
-          kubectl create secret generic infisical-secrets \
-            --namespace infisical-standalone-postgres \
-            --from-literal=AUTH_SECRET=6c1fe4e407b8911c104518103505b218 \
-            --from-literal=ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218 \
-            --from-literal=SITE_URL=http://localhost:8080
-
-      - name: Run chart-testing (install)
-        run: |
-          ct install \
-            --config ct.yaml \
-            --charts helm-charts/infisical-standalone-postgres \
-            --helm-extra-args="--timeout=300s" \
-            --helm-extra-set-args="--set ingress.nginx.enabled=false --set infisical.autoDatabaseSchemaMigration=false --set infisical.replicaCount=1 --set infisical.image.tag=v0.132.2-postgres" \
-            --namespace infisical-standalone-postgres
-
   release:
-    needs: test-helm
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -74,4 +19,4 @@ jobs:
       - name: Build and push helm package to Cloudsmith
         run: cd helm-charts && sh upload-infisical-core-helm-cloudsmith.sh
         env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/release-k8-operator-helm.yml

@@ -1,59 +1,27 @@
 name: Release K8 Operator Helm Chart
 on:
-  workflow_dispatch:
+    workflow_dispatch:
 
 jobs:
-  test-helm:
-    name: Test Helm Chart
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
+    release-helm:
+        name: Release Helm Chart
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v2
 
-      - name: Set up Helm
-        uses: azure/setup-helm@v4.2.0
-        with:
-          version: v3.17.0
+            - name: Install Helm
+              uses: azure/setup-helm@v3
+              with:
+                  version: v3.10.0
 
-      - uses: actions/setup-python@v5.3.0
-        with:
-          python-version: "3.x"
-          check-latest: true
+            - name: Install python
+              uses: actions/setup-python@v4
 
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.7.0
+            - name: Install Cloudsmith CLI
+              run: pip install --upgrade cloudsmith-cli
 
-      - name: Run chart-testing (lint)
-        run: ct lint --config ct.yaml --charts helm-charts/secrets-operator
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.12.0
-
-      - name: Run chart-testing (install)
-        run: ct install --config ct.yaml --charts helm-charts/secrets-operator
-
-  release-helm:
-    name: Release Helm Chart
-    needs: test-helm
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-
-      - name: Install python
-        uses: actions/setup-python@v4
-
-      - name: Install Cloudsmith CLI
-        run: pip install --upgrade cloudsmith-cli
-
-      - name: Build and push helm package to CloudSmith
-        run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
-        env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+            - name: Build and push helm package to CloudSmith
+              run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
+              env:
+                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/release_build_infisical_cli.yml

@@ -83,7 +83,7 @@ jobs:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
   goreleaser:
-    runs-on: ubuntu-latest-8-cores
+    runs-on: ubuntu-latest
     needs: [cli-integration-tests]
     steps:
       - uses: actions/checkout@v3

.github/workflows/release_helm_gateway.yaml

@@ -1,70 +1,27 @@
 name: Release Gateway Helm Chart
 on:
-  workflow_dispatch:
+    workflow_dispatch:
 
 jobs:
-  test-helm:
-    name: Test Helm Chart
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
+    release-helm:
+        name: Release Helm Chart
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
 
-      - name: Set up Helm
-        uses: azure/setup-helm@v4.2.0
-        with:
-          version: v3.17.0
+            - name: Install Helm
+              uses: azure/setup-helm@v3
+              with:
+                  version: v3.10.0
 
-      - uses: actions/setup-python@v5.3.0
-        with:
-          python-version: "3.x"
-          check-latest: true
+            - name: Install python
+              uses: actions/setup-python@v4
 
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.7.0
+            - name: Install Cloudsmith CLI
+              run: pip install --upgrade cloudsmith-cli
 
-      - name: Run chart-testing (lint)
-        run: ct lint --config ct.yaml --charts helm-charts/infisical-gateway
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.12.0
-
-      - name: Create namespace
-        run: kubectl create namespace infisical-gateway
-
-      - name: Create gateway secret
-        run: kubectl create secret generic infisical-gateway-environment --from-literal=TOKEN=my-test-token -n infisical-gateway
-
-      - name: Run chart-testing (install)
-        run: |
-          ct install \
-            --config ct.yaml \
-            --charts helm-charts/infisical-gateway \
-            --helm-extra-args="--timeout=300s" \
-            --namespace infisical-gateway
-
-  release-helm:
-    name: Release Helm Chart
-    needs: test-helm
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-
-      - name: Install python
-        uses: actions/setup-python@v4
-
-      - name: Install Cloudsmith CLI
-        run: pip install --upgrade cloudsmith-cli
-
-      - name: Build and push helm package to CloudSmith
-        run: cd helm-charts && sh upload-gateway-cloudsmith.sh
-        env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+            - name: Build and push helm package to CloudSmith
+              run: cd helm-charts && sh upload-gateway-cloudsmith.sh
+              env:
+                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/run-helm-chart-tests-infisical-gateway.yml

@@ -1,49 +0,0 @@
-name: Run Helm Chart Tests for Gateway
-on:
-  pull_request:
-    paths:
-      - "helm-charts/infisical-gateway/**"
-      - ".github/workflows/run-helm-chart-tests-infisical-gateway.yml"
-
-jobs:
-  test-helm:
-    name: Test Helm Chart
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v4.2.0
-        with:
-          version: v3.17.0
-
-      - uses: actions/setup-python@v5.3.0
-        with:
-          python-version: "3.x"
-          check-latest: true
-
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.7.0
-
-      - name: Run chart-testing (lint)
-        run: ct lint --config ct.yaml --charts helm-charts/infisical-gateway
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.12.0
-
-      - name: Create namespace
-        run: kubectl create namespace infisical-gateway
-
-      - name: Create gateway secret
-        run: kubectl create secret generic infisical-gateway-environment --from-literal=TOKEN=my-test-token -n infisical-gateway
-
-      - name: Run chart-testing (install)
-        run: |
-          ct install \
-            --config ct.yaml \
-            --charts helm-charts/infisical-gateway \
-            --helm-extra-args="--timeout=300s" \
-            --namespace infisical-gateway

.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml

@@ -1,68 +0,0 @@
-name: Run Helm Chart Tests for Infisical Standalone Postgres
-on:
-  pull_request:
-    paths:
-      - "helm-charts/infisical-standalone-postgres/**"
-      - ".github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml"
-
-jobs:
-  test-helm:
-    name: Test Helm Chart
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v4.2.0
-        with:
-          version: v3.17.0
-
-      - uses: actions/setup-python@v5.3.0
-        with:
-          python-version: "3.x"
-          check-latest: true
-
-      - name: Add Helm repositories
-        run: |
-          helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
-          helm repo add bitnami https://charts.bitnami.com/bitnami
-          helm repo update
-
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.7.0
-
-      - name: Run chart-testing (lint)
-        run: ct lint --config ct.yaml --charts helm-charts/infisical-standalone-postgres
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.12.0
-
-      - name: Create namespace
-        run: kubectl create namespace infisical-standalone-postgres
-
-      - name: Create Infisical secrets
-        run: |
-          kubectl create secret generic infisical-secrets \
-            --namespace infisical-standalone-postgres \
-            --from-literal=AUTH_SECRET=6c1fe4e407b8911c104518103505b218 \
-            --from-literal=ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218 \
-            --from-literal=SITE_URL=http://localhost:8080
-
-      - name: Create bootstrap secret
-        run: |
-          kubectl create secret generic infisical-bootstrap-credentials \
-            --namespace infisical-standalone-postgres \
-            --from-literal=INFISICAL_ADMIN_EMAIL=admin@example.com \
-            --from-literal=INFISICAL_ADMIN_PASSWORD=admin-password
-
-      - name: Run chart-testing (install)
-        run: |
-          ct install \
-            --config ct.yaml \
-            --charts helm-charts/infisical-standalone-postgres \
-            --helm-extra-args="--timeout=300s" \
-            --helm-extra-set-args="--set ingress.nginx.enabled=false --set infisical.autoDatabaseSchemaMigration=false --set infisical.replicaCount=1 --set infisical.image.tag=v0.132.2-postgres --set infisical.autoBootstrap.enabled=true" \
-            --namespace infisical-standalone-postgres

.github/workflows/run-helm-chart-tests-secret-operator.yml

@@ -1,38 +0,0 @@
-name: Run Helm Chart Tests for Secret Operator
-on:
-  pull_request:
-    paths:
-      - "helm-charts/secrets-operator/**"
-      - ".github/workflows/run-helm-chart-tests-secret-operator.yml"
-
-jobs:
-  test-helm:
-    name: Test Helm Chart
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v4.2.0
-        with:
-          version: v3.17.0
-
-      - uses: actions/setup-python@v5.3.0
-        with:
-          python-version: "3.x"
-          check-latest: true
-
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.7.0
-
-      - name: Run chart-testing (lint)
-        run: ct lint --config ct.yaml --charts helm-charts/secrets-operator
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.12.0
-
-      - name: Run chart-testing (install)
-        run: ct install --config ct.yaml --charts helm-charts/secrets-operator

.infisicalignore

@@ -40,9 +40,3 @@ cli/detect/config/gitleaks.toml:gcp-api-key:578
 cli/detect/config/gitleaks.toml:gcp-api-key:579
 cli/detect/config/gitleaks.toml:gcp-api-key:581
 cli/detect/config/gitleaks.toml:gcp-api-key:582
-.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml:generic-api-key:51
-.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml:generic-api-key:50
-.github/workflows/helm-release-infisical-core.yml:generic-api-key:48
-.github/workflows/helm-release-infisical-core.yml:generic-api-key:47
-backend/src/services/smtp/smtp-service.ts:generic-api-key:79
-frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/CloudflarePagesSyncFields.tsx:cloudflare-api-key:7

Dockerfile.fips.standalone-infisical

@@ -19,7 +19,7 @@ WORKDIR /app
 
 # Copy dependencies
 COPY --from=frontend-dependencies /app/node_modules ./node_modules
-# Copy all files
+# Copy all files 
 COPY /frontend .
 
 ENV NODE_ENV production
@@ -32,7 +32,7 @@ ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
 ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -134,7 +134,7 @@ RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-li
 
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.41.89 \
+    && apt-get update && apt-get install -y infisical=0.41.2 \
     && rm -rf /var/lib/apt/lists/*
 
 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
@@ -155,7 +155,7 @@ ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
 ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
-WORKDIR /
+WORKDIR / 
 
 COPY --from=backend-runner /app /backend
 
@@ -166,9 +166,9 @@ ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 
 ENV PORT 8080
 ENV HOST=0.0.0.0
-ENV HTTPS_ENABLED false
+ENV HTTPS_ENABLED false 
 ENV NODE_ENV production
-ENV STANDALONE_BUILD true
+ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 ENV NODE_OPTIONS="--max-old-space-size=1024"

Dockerfile.standalone-infisical

@@ -20,7 +20,7 @@ WORKDIR /app
 
 # Copy dependencies
 COPY --from=frontend-dependencies /app/node_modules ./node_modules
-# Copy all files
+# Copy all files 
 COPY /frontend .
 
 ENV NODE_ENV production
@@ -33,8 +33,7 @@ ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
 ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
-ENV NODE_OPTIONS="--max-old-space-size=8192"
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -78,7 +77,6 @@ RUN npm ci --only-production
 COPY /backend .
 COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
 RUN npm i -D tsconfig-paths
-ENV NODE_OPTIONS="--max-old-space-size=8192"
 RUN npm run build
 
 # Production stage
@@ -130,7 +128,7 @@ RUN apt-get update && apt-get install -y \
 
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.41.89 \
+    && apt-get update && apt-get install -y infisical=0.41.2 \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /
@@ -166,9 +164,9 @@ ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 
 ENV PORT 8080
 ENV HOST=0.0.0.0
-ENV HTTPS_ENABLED false
+ENV HTTPS_ENABLED false 
 ENV NODE_ENV production
-ENV STANDALONE_BUILD true
+ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
 ENV NODE_OPTIONS="--max-old-space-size=1024"
 

backend/Dockerfile

@@ -9,7 +9,7 @@ RUN apt-get update && apt-get install -y \
     make \
     g++ \
     openssh-client \
-    openssl
+    openssl 
 
 # Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apt-get install -y \
@@ -55,10 +55,10 @@ COPY --from=build /app .
 # Install Infisical CLI
 RUN apt-get install -y curl bash && \
     curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
-    apt-get update && apt-get install -y infisical=0.41.89 git
+    apt-get update && apt-get install -y infisical=0.41.2 git
 
-HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \
-    CMD node healthcheck.js
+HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
+  CMD node healthcheck.js
 
 ENV HOST=0.0.0.0
 

backend/Dockerfile.dev

@@ -57,7 +57,7 @@ RUN mkdir -p /etc/softhsm2/tokens && \
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
     apt-get update && \
-    apt-get install -y infisical=0.41.89
+    apt-get install -y infisical=0.41.2
 
 WORKDIR /app
 

backend/Dockerfile.dev.fips

@@ -52,7 +52,7 @@ RUN apt-get install -y opensc
 
 RUN mkdir -p /etc/softhsm2/tokens && \
     softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
-
+    
 WORKDIR /openssl-build
 RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
     && tar -xf openssl-3.1.2.tar.gz \
@@ -66,7 +66,7 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
     apt-get update && \
-    apt-get install -y infisical=0.41.89
+    apt-get install -y infisical=0.41.2
 
 WORKDIR /app
 

backend/e2e-test/mocks/keystore.ts

@@ -8,9 +8,6 @@ import { Lock } from "@app/lib/red-lock";
 export const mockKeyStore = (): TKeyStoreFactory => {
   const store: Record<string, string | number | Buffer> = {};
 
-  const getRegex = (pattern: string) =>
-    new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
-
   return {
     setItem: async (key, value) => {
       store[key] = value;
@@ -26,7 +23,7 @@ export const mockKeyStore = (): TKeyStoreFactory => {
       return 1;
     },
     deleteItems: async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }) => {
-      const regex = getRegex(pattern);
+      const regex = new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
       let totalDeleted = 0;
       const keys = Object.keys(store);
 
@@ -56,27 +53,6 @@ export const mockKeyStore = (): TKeyStoreFactory => {
     incrementBy: async () => {
       return 1;
     },
-    getItems: async (keys) => {
-      const values = keys.map((key) => {
-        const value = store[key];
-        if (typeof value === "string") {
-          return value;
-        }
-        return null;
-      });
-      return values;
-    },
-    getKeysByPattern: async (pattern) => {
-      const regex = getRegex(pattern);
-      const keys = Object.keys(store);
-      return keys.filter((key) => regex.test(key));
-    },
-    deleteItemsByKeyIn: async (keys) => {
-      for (const key of keys) {
-        delete store[key];
-      }
-      return keys.length;
-    },
     acquireLock: () => {
       return Promise.resolve({
         release: () => {}

backend/e2e-test/mocks/queue.ts

@@ -26,7 +26,6 @@ export const mockQueue = (): TQueueServiceFactory => {
     getRepeatableJobs: async () => [],
     clearQueue: async () => {},
     stopJobById: async () => {},
-    stopJobByIdPg: async () => {},
     stopRepeatableJobByJobId: async () => true,
     stopRepeatableJobByKey: async () => true
   };

backend/e2e-test/vitest-environment-knex.ts

@@ -15,8 +15,8 @@ import { mockSmtpServer } from "./mocks/smtp";
 import { initDbConnection } from "@app/db";
 import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
+import { Redis } from "ioredis";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
-import { buildRedisFromConfig } from "@app/lib/config/redis";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -30,7 +30,7 @@ export default {
       dbRootCert: envConfig.DB_ROOT_CERT
     });
 
-    const redis = buildRedisFromConfig(envConfig);
+    const redis = new Redis(envConfig.REDIS_URL);
     await redis.flushdb("SYNC");
 
     try {
@@ -55,8 +55,8 @@ export default {
       });
 
       const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(envConfig, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(envConfig);
+      const queue = queueServiceFactory(envConfig.REDIS_URL, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
+      const keyStore = keyStoreFactory(envConfig.REDIS_URL);
 
       const hsmModule = initializeHsmModule(envConfig);
       hsmModule.initialize();

backend/package.json

@@ -131,7 +131,6 @@
     "@aws-sdk/client-elasticache": "^3.637.0",
     "@aws-sdk/client-iam": "^3.525.0",
     "@aws-sdk/client-kms": "^3.609.0",
-    "@aws-sdk/client-route-53": "^3.810.0",
     "@aws-sdk/client-secrets-manager": "^3.504.0",
     "@aws-sdk/client-sts": "^3.600.0",
     "@casl/ability": "^6.5.0",
@@ -149,7 +148,6 @@
     "@fastify/static": "^7.0.4",
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
-    "@gitbeaker/rest": "^42.5.0",
     "@google-cloud/kms": "^4.5.0",
     "@infisical/quic": "^1.0.8",
     "@node-saml/passport-saml": "^5.0.1",
@@ -176,7 +174,6 @@
     "@slack/oauth": "^3.0.2",
     "@slack/web-api": "^7.8.0",
     "@ucast/mongo2js": "^1.3.4",
-    "acme-client": "^5.4.0",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
     "aws-sdk": "^2.1553.0",

backend/scripts/generate-schema-types.ts

@@ -84,11 +84,6 @@ const getZodDefaultValue = (type: unknown, value: string | number | boolean | Ob
   }
 };
 
-const bigIntegerColumns: Record<string, string[]> = {
-  "folder_commits": ["commitId"]
-};
-
-
 const main = async () => {
   const tables = (
     await db("information_schema.tables")
@@ -113,9 +108,6 @@ const main = async () => {
       const columnName = columnNames[colNum];
       const colInfo = columns[columnName];
       let ztype = getZodPrimitiveType(colInfo.type);
-      if (bigIntegerColumns[tableName]?.includes(columnName)) {
-        ztype = "z.coerce.bigint()";
-      }
       if (["zodBuffer"].includes(ztype)) {
         zodImportSet.add(ztype);
       }

backend/src/@types/fastify.d.ts

@@ -3,15 +3,16 @@ import "fastify";
 import { Redis } from "ioredis";
 
 import { TUsers } from "@app/db/schemas";
-import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
-import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-types";
-import { TAssumePrivilegeServiceFactory } from "@app/ee/services/assume-privilege/assume-privilege-types";
-import { TAuditLogServiceFactory, TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
-import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-types";
-import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-types";
+import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
+import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
+import { TAssumePrivilegeServiceFactory } from "@app/ee/services/assume-privilege/assume-privilege-service";
+import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
+import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
+import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-service";
+import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-service";
 import { TCertificateEstServiceFactory } from "@app/ee/services/certificate-est/certificate-est-service";
-import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-types";
-import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-types";
+import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
+import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TGithubOrgSyncServiceFactory } from "@app/ee/services/github-org-sync/github-org-sync-service";
@@ -24,25 +25,24 @@ import { TKmipServiceFactory } from "@app/ee/services/kmip/kmip-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
-import { TPitServiceFactory } from "@app/ee/services/pit/pit-service";
-import { TProjectTemplateServiceFactory } from "@app/ee/services/project-template/project-template-types";
-import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-types";
-import { RateLimitConfiguration, TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-types";
-import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-types";
-import { TScimServiceFactory } from "@app/ee/services/scim/scim-types";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { TProjectTemplateServiceFactory } from "@app/ee/services/project-template/project-template-service";
+import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
+import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
+import { RateLimitConfiguration } from "@app/ee/services/rate-limit/rate-limit-types";
+import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
+import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
 import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-service";
 import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
 import { TSecretRotationV2ServiceFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-service";
 import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/secret-scanning-service";
-import { TSecretScanningV2ServiceFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-service";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { TSshCertificateAuthorityServiceFactory } from "@app/ee/services/ssh/ssh-certificate-authority-service";
 import { TSshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-service";
 import { TSshHostServiceFactory } from "@app/ee/services/ssh-host/ssh-host-service";
 import { TSshHostGroupServiceFactory } from "@app/ee/services/ssh-host-group/ssh-host-group-service";
-import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-types";
+import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
 import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
@@ -53,17 +53,14 @@ import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
-import { TInternalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
-import { TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { THsmServiceFactory } from "@app/services/hsm/hsm-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { TIdentityAliCloudAuthServiceFactory } from "@app/services/identity-alicloud-auth/identity-alicloud-auth-service";
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
@@ -74,7 +71,6 @@ import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-a
 import { TIdentityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
-import { TIdentityTlsCertAuthServiceFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-types";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@@ -86,7 +82,6 @@ import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-servi
 import { TPkiAlertServiceFactory } from "@app/services/pki-alert/pki-alert-service";
 import { TPkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
 import { TPkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
-import { TPkiTemplatesServiceFactory } from "@app/services/pki-templates/pki-templates-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@@ -115,16 +110,11 @@ import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integ
 declare module "@fastify/request-context" {
   interface RequestContextData {
     reqId: string;
-    orgId?: string;
     identityAuthInfo?: {
       identityId: string;
       oidc?: {
         claims: Record<string, string>;
       };
-      kubernetes?: {
-        namespace: string;
-        name: string;
-      };
     };
     identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
     assumedPrivilegeDetails?: { requesterId: string; actorId: string; actorType: ActorType; projectId: string };
@@ -218,8 +208,6 @@ declare module "fastify" {
       identityUa: TIdentityUaServiceFactory;
       identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
       identityGcpAuth: TIdentityGcpAuthServiceFactory;
-      identityAliCloudAuth: TIdentityAliCloudAuthServiceFactory;
-      identityTlsCertAuth: TIdentityTlsCertAuthServiceFactory;
       identityAwsAuth: TIdentityAwsAuthServiceFactory;
       identityAzureAuth: TIdentityAzureAuthServiceFactory;
       identityOciAuth: TIdentityOciAuthServiceFactory;
@@ -280,11 +268,6 @@ declare module "fastify" {
       microsoftTeams: TMicrosoftTeamsServiceFactory;
       assumePrivileges: TAssumePrivilegeServiceFactory;
       githubOrgSync: TGithubOrgSyncServiceFactory;
-      folderCommit: TFolderCommitServiceFactory;
-      pit: TPitServiceFactory;
-      secretScanningV2: TSecretScanningV2ServiceFactory;
-      internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
-      pkiTemplate: TPkiTemplatesServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -6,9 +6,6 @@ import {
   TAccessApprovalPoliciesApprovers,
   TAccessApprovalPoliciesApproversInsert,
   TAccessApprovalPoliciesApproversUpdate,
-  TAccessApprovalPoliciesBypassers,
-  TAccessApprovalPoliciesBypassersInsert,
-  TAccessApprovalPoliciesBypassersUpdate,
   TAccessApprovalPoliciesInsert,
   TAccessApprovalPoliciesUpdate,
   TAccessApprovalRequests,
@@ -71,33 +68,12 @@ import {
   TDynamicSecrets,
   TDynamicSecretsInsert,
   TDynamicSecretsUpdate,
-  TExternalCertificateAuthorities,
-  TExternalCertificateAuthoritiesInsert,
-  TExternalCertificateAuthoritiesUpdate,
   TExternalGroupOrgRoleMappings,
   TExternalGroupOrgRoleMappingsInsert,
   TExternalGroupOrgRoleMappingsUpdate,
   TExternalKms,
   TExternalKmsInsert,
   TExternalKmsUpdate,
-  TFolderCheckpointResources,
-  TFolderCheckpointResourcesInsert,
-  TFolderCheckpointResourcesUpdate,
-  TFolderCheckpoints,
-  TFolderCheckpointsInsert,
-  TFolderCheckpointsUpdate,
-  TFolderCommitChanges,
-  TFolderCommitChangesInsert,
-  TFolderCommitChangesUpdate,
-  TFolderCommits,
-  TFolderCommitsInsert,
-  TFolderCommitsUpdate,
-  TFolderTreeCheckpointResources,
-  TFolderTreeCheckpointResourcesInsert,
-  TFolderTreeCheckpointResourcesUpdate,
-  TFolderTreeCheckpoints,
-  TFolderTreeCheckpointsInsert,
-  TFolderTreeCheckpointsUpdate,
   TGateways,
   TGatewaysInsert,
   TGatewaysUpdate,
@@ -125,9 +101,6 @@ import {
   TIdentityAccessTokens,
   TIdentityAccessTokensInsert,
   TIdentityAccessTokensUpdate,
-  TIdentityAlicloudAuths,
-  TIdentityAlicloudAuthsInsert,
-  TIdentityAlicloudAuthsUpdate,
   TIdentityAwsAuths,
   TIdentityAwsAuthsInsert,
   TIdentityAwsAuthsUpdate,
@@ -164,9 +137,6 @@ import {
   TIdentityProjectMemberships,
   TIdentityProjectMembershipsInsert,
   TIdentityProjectMembershipsUpdate,
-  TIdentityTlsCertAuths,
-  TIdentityTlsCertAuthsInsert,
-  TIdentityTlsCertAuthsUpdate,
   TIdentityTokenAuths,
   TIdentityTokenAuthsInsert,
   TIdentityTokenAuthsUpdate,
@@ -185,9 +155,6 @@ import {
   TIntegrations,
   TIntegrationsInsert,
   TIntegrationsUpdate,
-  TInternalCertificateAuthorities,
-  TInternalCertificateAuthoritiesInsert,
-  TInternalCertificateAuthoritiesUpdate,
   TInternalKms,
   TInternalKmsInsert,
   TInternalKmsUpdate,
@@ -303,9 +270,6 @@ import {
   TSecretApprovalPoliciesApprovers,
   TSecretApprovalPoliciesApproversInsert,
   TSecretApprovalPoliciesApproversUpdate,
-  TSecretApprovalPoliciesBypassers,
-  TSecretApprovalPoliciesBypassersInsert,
-  TSecretApprovalPoliciesBypassersUpdate,
   TSecretApprovalPoliciesInsert,
   TSecretApprovalPoliciesUpdate,
   TSecretApprovalRequests,
@@ -360,24 +324,9 @@ import {
   TSecretRotationV2SecretMappingsInsert,
   TSecretRotationV2SecretMappingsUpdate,
   TSecrets,
-  TSecretScanningConfigs,
-  TSecretScanningConfigsInsert,
-  TSecretScanningConfigsUpdate,
-  TSecretScanningDataSources,
-  TSecretScanningDataSourcesInsert,
-  TSecretScanningDataSourcesUpdate,
-  TSecretScanningFindings,
-  TSecretScanningFindingsInsert,
-  TSecretScanningFindingsUpdate,
   TSecretScanningGitRisks,
   TSecretScanningGitRisksInsert,
   TSecretScanningGitRisksUpdate,
-  TSecretScanningResources,
-  TSecretScanningResourcesInsert,
-  TSecretScanningResourcesUpdate,
-  TSecretScanningScans,
-  TSecretScanningScansInsert,
-  TSecretScanningScansUpdate,
   TSecretSharing,
   TSecretSharingInsert,
   TSecretSharingUpdate,
@@ -589,16 +538,6 @@ declare module "knex/types/tables" {
       TCertificateAuthorityCrlInsert,
       TCertificateAuthorityCrlUpdate
     >;
-    [TableName.InternalCertificateAuthority]: KnexOriginal.CompositeTableType<
-      TInternalCertificateAuthorities,
-      TInternalCertificateAuthoritiesInsert,
-      TInternalCertificateAuthoritiesUpdate
-    >;
-    [TableName.ExternalCertificateAuthority]: KnexOriginal.CompositeTableType<
-      TExternalCertificateAuthorities,
-      TExternalCertificateAuthoritiesInsert,
-      TExternalCertificateAuthoritiesUpdate
-    >;
     [TableName.Certificate]: KnexOriginal.CompositeTableType<TCertificates, TCertificatesInsert, TCertificatesUpdate>;
     [TableName.CertificateTemplate]: KnexOriginal.CompositeTableType<
       TCertificateTemplates,
@@ -792,16 +731,6 @@ declare module "knex/types/tables" {
       TIdentityGcpAuthsInsert,
       TIdentityGcpAuthsUpdate
     >;
-    [TableName.IdentityAliCloudAuth]: KnexOriginal.CompositeTableType<
-      TIdentityAlicloudAuths,
-      TIdentityAlicloudAuthsInsert,
-      TIdentityAlicloudAuthsUpdate
-    >;
-    [TableName.IdentityTlsCertAuth]: KnexOriginal.CompositeTableType<
-      TIdentityTlsCertAuths,
-      TIdentityTlsCertAuthsInsert,
-      TIdentityTlsCertAuthsUpdate
-    >;
     [TableName.IdentityAwsAuth]: KnexOriginal.CompositeTableType<
       TIdentityAwsAuths,
       TIdentityAwsAuthsInsert,
@@ -875,12 +804,6 @@ declare module "knex/types/tables" {
       TAccessApprovalPoliciesApproversUpdate
     >;
 
-    [TableName.AccessApprovalPolicyBypasser]: KnexOriginal.CompositeTableType<
-      TAccessApprovalPoliciesBypassers,
-      TAccessApprovalPoliciesBypassersInsert,
-      TAccessApprovalPoliciesBypassersUpdate
-    >;
-
     [TableName.AccessApprovalRequest]: KnexOriginal.CompositeTableType<
       TAccessApprovalRequests,
       TAccessApprovalRequestsInsert,
@@ -904,11 +827,6 @@ declare module "knex/types/tables" {
       TSecretApprovalPoliciesApproversInsert,
       TSecretApprovalPoliciesApproversUpdate
     >;
-    [TableName.SecretApprovalPolicyBypasser]: KnexOriginal.CompositeTableType<
-      TSecretApprovalPoliciesBypassers,
-      TSecretApprovalPoliciesBypassersInsert,
-      TSecretApprovalPoliciesBypassersUpdate
-    >;
     [TableName.SecretApprovalRequest]: KnexOriginal.CompositeTableType<
       TSecretApprovalRequests,
       TSecretApprovalRequestsInsert,
@@ -1156,60 +1074,5 @@ declare module "knex/types/tables" {
       TGithubOrgSyncConfigsInsert,
       TGithubOrgSyncConfigsUpdate
     >;
-    [TableName.FolderCommit]: KnexOriginal.CompositeTableType<
-      TFolderCommits,
-      TFolderCommitsInsert,
-      TFolderCommitsUpdate
-    >;
-    [TableName.FolderCommitChanges]: KnexOriginal.CompositeTableType<
-      TFolderCommitChanges,
-      TFolderCommitChangesInsert,
-      TFolderCommitChangesUpdate
-    >;
-    [TableName.FolderCheckpoint]: KnexOriginal.CompositeTableType<
-      TFolderCheckpoints,
-      TFolderCheckpointsInsert,
-      TFolderCheckpointsUpdate
-    >;
-    [TableName.FolderCheckpointResources]: KnexOriginal.CompositeTableType<
-      TFolderCheckpointResources,
-      TFolderCheckpointResourcesInsert,
-      TFolderCheckpointResourcesUpdate
-    >;
-    [TableName.FolderTreeCheckpoint]: KnexOriginal.CompositeTableType<
-      TFolderTreeCheckpoints,
-      TFolderTreeCheckpointsInsert,
-      TFolderTreeCheckpointsUpdate
-    >;
-    [TableName.FolderTreeCheckpointResources]: KnexOriginal.CompositeTableType<
-      TFolderTreeCheckpointResources,
-      TFolderTreeCheckpointResourcesInsert,
-      TFolderTreeCheckpointResourcesUpdate
-    >;
-    [TableName.SecretScanningDataSource]: KnexOriginal.CompositeTableType<
-      TSecretScanningDataSources,
-      TSecretScanningDataSourcesInsert,
-      TSecretScanningDataSourcesUpdate
-    >;
-    [TableName.SecretScanningResource]: KnexOriginal.CompositeTableType<
-      TSecretScanningResources,
-      TSecretScanningResourcesInsert,
-      TSecretScanningResourcesUpdate
-    >;
-    [TableName.SecretScanningScan]: KnexOriginal.CompositeTableType<
-      TSecretScanningScans,
-      TSecretScanningScansInsert,
-      TSecretScanningScansUpdate
-    >;
-    [TableName.SecretScanningFinding]: KnexOriginal.CompositeTableType<
-      TSecretScanningFindings,
-      TSecretScanningFindingsInsert,
-      TSecretScanningFindingsUpdate
-    >;
-    [TableName.SecretScanningConfig]: KnexOriginal.CompositeTableType<
-      TSecretScanningConfigs,
-      TSecretScanningConfigsInsert,
-      TSecretScanningConfigsUpdate
-    >;
   }
 }

backend/src/db/instance.ts

@@ -1,6 +1,6 @@
 import knex, { Knex } from "knex";
 
-export type TDbClient = Knex;
+export type TDbClient = ReturnType<typeof initDbConnection>;
 export const initDbConnection = ({
   dbConnectionUri,
   dbRootCert,
@@ -50,8 +50,6 @@ export const initDbConnection = ({
           }
         : false
     },
-    // https://knexjs.org/guide/#pool
-    pool: { min: 0, max: 10 },
     migrations: {
       tableName: "infisical_migrations"
     }
@@ -72,8 +70,7 @@ export const initDbConnection = ({
       },
       migrations: {
         tableName: "infisical_migrations"
-      },
-      pool: { min: 0, max: 10 }
+      }
     });
   });
 
@@ -110,8 +107,7 @@ export const initAuditLogDbConnection = ({
     },
     migrations: {
       tableName: "infisical_migrations"
-    },
-    pool: { min: 0, max: 10 }
+    }
   });
 
   // we add these overrides so that auditLogDb and the primary DB are interchangeable

backend/src/db/knexfile.ts

@@ -4,7 +4,6 @@ import "ts-node/register";
 import dotenv from "dotenv";
 import type { Knex } from "knex";
 import path from "path";
-import { initLogger } from "@app/lib/logger";
 
 // Update with your config settings. .
 dotenv.config({
@@ -14,8 +13,6 @@ dotenv.config({
   path: path.join(__dirname, "../../../.env")
 });
 
-initLogger();
-
 export default {
   development: {
     client: "postgres",

backend/src/db/migrations/20250429203304_certificates-ca-relation-removal.ts

@@ -1,44 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Certificate)) {
-    const hasProjectIdColumn = await knex.schema.hasColumn(TableName.Certificate, "projectId");
-    if (!hasProjectIdColumn) {
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.string("projectId", 36).nullable();
-        t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      });
-
-      await knex.raw(`
-          UPDATE "${TableName.Certificate}" cert
-          SET "projectId" = ca."projectId"
-          FROM "${TableName.CertificateAuthority}" ca
-          WHERE cert."caId" = ca.id
-        `);
-
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.string("projectId").notNullable().alter();
-      });
-    }
-
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caId").nullable().alter();
-      t.uuid("caCertId").nullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Certificate)) {
-    if (await knex.schema.hasColumn(TableName.Certificate, "projectId")) {
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.dropForeign("projectId");
-        t.dropColumn("projectId");
-      });
-    }
-  }
-
-  // Altering back to notNullable for caId and caCertId will fail
-}

backend/src/db/migrations/20250430174352_email-case-change.ts

@@ -1,47 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasEmail = await knex.schema.hasColumn(TableName.Users, "email");
-  const hasUsername = await knex.schema.hasColumn(TableName.Users, "username");
-  if (hasEmail) {
-    await knex(TableName.Users)
-      .where({ isGhost: false })
-      .update({
-        // @ts-expect-error email assume string this is expected
-        email: knex.raw("lower(email)")
-      });
-  }
-  if (hasUsername) {
-    await knex.schema.raw(`
-      CREATE INDEX IF NOT EXISTS ${TableName.Users}_lower_username_idx 
-      ON ${TableName.Users} (LOWER(username))
-    `);
-
-    const duplicatesSubquery = knex(TableName.Users)
-      .select(knex.raw("lower(username) as lowercase_username"))
-      .groupBy("lowercase_username")
-      .having(knex.raw("count(*)"), ">", 1);
-
-    // Update usernames to lowercase where they won't create duplicates
-    await knex(TableName.Users)
-      .where({ isGhost: false })
-      .whereRaw("username <> lower(username)") // Only update if not already lowercase
-      // @ts-expect-error username assume string this is expected
-      .whereNotIn(knex.raw("lower(username)"), duplicatesSubquery)
-      .update({
-        // @ts-expect-error username assume string this is expected
-        username: knex.raw("lower(username)")
-      });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasUsername = await knex.schema.hasColumn(TableName.Users, "username");
-  if (hasUsername) {
-    await knex.schema.raw(`
-  DROP INDEX IF EXISTS ${TableName.Users}_lower_username_idx
-`);
-  }
-}

backend/src/db/migrations/20250505194916_add-pit-revamp-tables.ts

@@ -1,166 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
-  if (!hasFolderCommitTable) {
-    await knex.schema.createTable(TableName.FolderCommit, (t) => {
-      t.uuid("id").primary().defaultTo(knex.fn.uuid());
-      t.bigIncrements("commitId");
-      t.jsonb("actorMetadata").notNullable();
-      t.string("actorType").notNullable();
-      t.string("message");
-      t.uuid("folderId").notNullable();
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-
-      t.index("folderId");
-      t.index("envId");
-    });
-  }
-
-  const hasFolderCommitChangesTable = await knex.schema.hasTable(TableName.FolderCommitChanges);
-  if (!hasFolderCommitChangesTable) {
-    await knex.schema.createTable(TableName.FolderCommitChanges, (t) => {
-      t.uuid("id").primary().defaultTo(knex.fn.uuid());
-      t.uuid("folderCommitId").notNullable();
-      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
-      t.string("changeType").notNullable();
-      t.boolean("isUpdate").notNullable().defaultTo(false);
-      t.uuid("secretVersionId");
-      t.foreign("secretVersionId").references("id").inTable(TableName.SecretVersionV2).onDelete("CASCADE");
-      t.uuid("folderVersionId");
-      t.foreign("folderVersionId").references("id").inTable(TableName.SecretFolderVersion).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-
-      t.index("folderCommitId");
-      t.index("secretVersionId");
-      t.index("folderVersionId");
-    });
-  }
-
-  const hasFolderCheckpointTable = await knex.schema.hasTable(TableName.FolderCheckpoint);
-  if (!hasFolderCheckpointTable) {
-    await knex.schema.createTable(TableName.FolderCheckpoint, (t) => {
-      t.uuid("id").primary().defaultTo(knex.fn.uuid());
-      t.uuid("folderCommitId").notNullable();
-      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-
-      t.index("folderCommitId");
-    });
-  }
-
-  const hasFolderCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderCheckpointResources);
-  if (!hasFolderCheckpointResourcesTable) {
-    await knex.schema.createTable(TableName.FolderCheckpointResources, (t) => {
-      t.uuid("id").primary().defaultTo(knex.fn.uuid());
-      t.uuid("folderCheckpointId").notNullable();
-      t.foreign("folderCheckpointId").references("id").inTable(TableName.FolderCheckpoint).onDelete("CASCADE");
-      t.uuid("secretVersionId");
-      t.foreign("secretVersionId").references("id").inTable(TableName.SecretVersionV2).onDelete("CASCADE");
-      t.uuid("folderVersionId");
-      t.foreign("folderVersionId").references("id").inTable(TableName.SecretFolderVersion).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-
-      t.index("folderCheckpointId");
-      t.index("secretVersionId");
-      t.index("folderVersionId");
-    });
-  }
-
-  const hasFolderTreeCheckpointTable = await knex.schema.hasTable(TableName.FolderTreeCheckpoint);
-  if (!hasFolderTreeCheckpointTable) {
-    await knex.schema.createTable(TableName.FolderTreeCheckpoint, (t) => {
-      t.uuid("id").primary().defaultTo(knex.fn.uuid());
-      t.uuid("folderCommitId").notNullable();
-      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-
-      t.index("folderCommitId");
-    });
-  }
-
-  const hasFolderTreeCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderTreeCheckpointResources);
-  if (!hasFolderTreeCheckpointResourcesTable) {
-    await knex.schema.createTable(TableName.FolderTreeCheckpointResources, (t) => {
-      t.uuid("id").primary().defaultTo(knex.fn.uuid());
-      t.uuid("folderTreeCheckpointId").notNullable();
-      t.foreign("folderTreeCheckpointId").references("id").inTable(TableName.FolderTreeCheckpoint).onDelete("CASCADE");
-      t.uuid("folderId").notNullable();
-      t.uuid("folderCommitId").notNullable();
-      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-
-      t.index("folderTreeCheckpointId");
-      t.index("folderId");
-      t.index("folderCommitId");
-    });
-  }
-
-  if (!hasFolderCommitTable) {
-    await createOnUpdateTrigger(knex, TableName.FolderCommit);
-  }
-
-  if (!hasFolderCommitChangesTable) {
-    await createOnUpdateTrigger(knex, TableName.FolderCommitChanges);
-  }
-
-  if (!hasFolderCheckpointTable) {
-    await createOnUpdateTrigger(knex, TableName.FolderCheckpoint);
-  }
-
-  if (!hasFolderCheckpointResourcesTable) {
-    await createOnUpdateTrigger(knex, TableName.FolderCheckpointResources);
-  }
-
-  if (!hasFolderTreeCheckpointTable) {
-    await createOnUpdateTrigger(knex, TableName.FolderTreeCheckpoint);
-  }
-
-  if (!hasFolderTreeCheckpointResourcesTable) {
-    await createOnUpdateTrigger(knex, TableName.FolderTreeCheckpointResources);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasFolderCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderCheckpointResources);
-  const hasFolderTreeCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderTreeCheckpointResources);
-  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
-  const hasFolderCommitChangesTable = await knex.schema.hasTable(TableName.FolderCommitChanges);
-  const hasFolderTreeCheckpointTable = await knex.schema.hasTable(TableName.FolderTreeCheckpoint);
-  const hasFolderCheckpointTable = await knex.schema.hasTable(TableName.FolderCheckpoint);
-
-  if (hasFolderTreeCheckpointResourcesTable) {
-    await dropOnUpdateTrigger(knex, TableName.FolderTreeCheckpointResources);
-    await knex.schema.dropTableIfExists(TableName.FolderTreeCheckpointResources);
-  }
-
-  if (hasFolderCheckpointResourcesTable) {
-    await dropOnUpdateTrigger(knex, TableName.FolderCheckpointResources);
-    await knex.schema.dropTableIfExists(TableName.FolderCheckpointResources);
-  }
-
-  if (hasFolderTreeCheckpointTable) {
-    await dropOnUpdateTrigger(knex, TableName.FolderTreeCheckpoint);
-    await knex.schema.dropTableIfExists(TableName.FolderTreeCheckpoint);
-  }
-
-  if (hasFolderCheckpointTable) {
-    await dropOnUpdateTrigger(knex, TableName.FolderCheckpoint);
-    await knex.schema.dropTableIfExists(TableName.FolderCheckpoint);
-  }
-
-  if (hasFolderCommitChangesTable) {
-    await dropOnUpdateTrigger(knex, TableName.FolderCommitChanges);
-    await knex.schema.dropTableIfExists(TableName.FolderCommitChanges);
-  }
-
-  if (hasFolderCommitTable) {
-    await dropOnUpdateTrigger(knex, TableName.FolderCommit);
-    await knex.schema.dropTableIfExists(TableName.FolderCommit);
-  }
-}

backend/src/db/migrations/20250512103022_identity-kubernetes-auth-gateway.ts

@@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasGatewayIdColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "gatewayId");
-
-  if (!hasGatewayIdColumn) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
-      table.uuid("gatewayId").nullable();
-      table.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("SET NULL");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasGatewayIdColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "gatewayId");
-
-  if (hasGatewayIdColumn) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
-      table.dropForeign("gatewayId");
-      table.dropColumn("gatewayId");
-    });
-  }
-}

backend/src/db/migrations/20250513081738_remove-gateway-project-link.ts

@@ -1,110 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { selectAllTableCols } from "@app/lib/knex";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-// Note(daniel): We aren't dropping tables or columns in this migrations so we can easily rollback if needed.
-// In the future we need to drop the projectGatewayId on the dynamic secrets table, and drop the project_gateways table entirely.
-
-const BATCH_SIZE = 500;
-
-export async function up(knex: Knex): Promise<void> {
-  // eslint-disable-next-line no-param-reassign
-  knex.replicaNode = () => {
-    return knex;
-  };
-
-  if (!(await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId"))) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (table) => {
-      table.uuid("gatewayId").nullable();
-      table.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("SET NULL");
-
-      table.index("gatewayId");
-    });
-
-    const existingDynamicSecretsWithProjectGatewayId = await knex(TableName.DynamicSecret)
-      .select(selectAllTableCols(TableName.DynamicSecret))
-      .whereNotNull(`${TableName.DynamicSecret}.projectGatewayId`)
-      .join(TableName.ProjectGateway, `${TableName.ProjectGateway}.id`, `${TableName.DynamicSecret}.projectGatewayId`)
-      .whereNotNull(`${TableName.ProjectGateway}.gatewayId`)
-      .select(
-        knex.ref("projectId").withSchema(TableName.ProjectGateway).as("projectId"),
-        knex.ref("gatewayId").withSchema(TableName.ProjectGateway).as("projectGatewayGatewayId")
-      );
-
-    initLogger();
-    const envConfig = getMigrationEnvConfig();
-    const keyStore = inMemoryKeyStore();
-    const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-
-    const updatedDynamicSecrets = await Promise.all(
-      existingDynamicSecretsWithProjectGatewayId.map(async (existingDynamicSecret) => {
-        if (!existingDynamicSecret.projectGatewayGatewayId) {
-          const result = {
-            ...existingDynamicSecret,
-            gatewayId: null
-          };
-
-          const { projectId, projectGatewayGatewayId, ...rest } = result;
-          return rest;
-        }
-
-        const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-          type: KmsDataKey.SecretManager,
-          projectId: existingDynamicSecret.projectId
-        });
-        const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
-          type: KmsDataKey.SecretManager,
-          projectId: existingDynamicSecret.projectId
-        });
-
-        let decryptedStoredInput = JSON.parse(
-          secretManagerDecryptor({ cipherTextBlob: Buffer.from(existingDynamicSecret.encryptedInput) }).toString()
-        ) as object;
-
-        // We're not removing the existing projectGatewayId from the input so we can easily rollback without having to re-encrypt the input
-        decryptedStoredInput = {
-          ...decryptedStoredInput,
-          gatewayId: existingDynamicSecret.projectGatewayGatewayId
-        };
-
-        const encryptedInput = secretManagerEncryptor({
-          plainText: Buffer.from(JSON.stringify(decryptedStoredInput))
-        }).cipherTextBlob;
-
-        const result = {
-          ...existingDynamicSecret,
-          encryptedInput,
-          gatewayId: existingDynamicSecret.projectGatewayGatewayId
-        };
-
-        const { projectId, projectGatewayGatewayId, ...rest } = result;
-        return rest;
-      })
-    );
-
-    for (let i = 0; i < updatedDynamicSecrets.length; i += BATCH_SIZE) {
-      // eslint-disable-next-line no-await-in-loop
-      await knex(TableName.DynamicSecret)
-        .insert(updatedDynamicSecrets.slice(i, i + BATCH_SIZE))
-        .onConflict("id")
-        .merge();
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // no re-encryption needed as we keep the old projectGatewayId in the input
-  if (await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId")) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (table) => {
-      table.dropForeign("gatewayId");
-      table.dropColumn("gatewayId");
-    });
-  }
-}

backend/src/db/migrations/20250515164622_select-org-products.ts

@@ -1,53 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const columns = await knex.table(TableName.Organization).columnInfo();
-
-  await knex.schema.alterTable(TableName.Organization, (t) => {
-    if (!columns.secretsProductEnabled) {
-      t.boolean("secretsProductEnabled").defaultTo(true);
-    }
-    if (!columns.pkiProductEnabled) {
-      t.boolean("pkiProductEnabled").defaultTo(true);
-    }
-    if (!columns.kmsProductEnabled) {
-      t.boolean("kmsProductEnabled").defaultTo(true);
-    }
-    if (!columns.sshProductEnabled) {
-      t.boolean("sshProductEnabled").defaultTo(true);
-    }
-    if (!columns.scannerProductEnabled) {
-      t.boolean("scannerProductEnabled").defaultTo(true);
-    }
-    if (!columns.shareSecretsProductEnabled) {
-      t.boolean("shareSecretsProductEnabled").defaultTo(true);
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const columns = await knex.table(TableName.Organization).columnInfo();
-
-  await knex.schema.alterTable(TableName.Organization, (t) => {
-    if (columns.secretsProductEnabled) {
-      t.dropColumn("secretsProductEnabled");
-    }
-    if (columns.pkiProductEnabled) {
-      t.dropColumn("pkiProductEnabled");
-    }
-    if (columns.kmsProductEnabled) {
-      t.dropColumn("kmsProductEnabled");
-    }
-    if (columns.sshProductEnabled) {
-      t.dropColumn("sshProductEnabled");
-    }
-    if (columns.scannerProductEnabled) {
-      t.dropColumn("scannerProductEnabled");
-    }
-    if (columns.shareSecretsProductEnabled) {
-      t.dropColumn("shareSecretsProductEnabled");
-    }
-  });
-}

backend/src/db/migrations/20250516021501_toggle-secret-sharing-on-project.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasSecretSharingColumn = await knex.schema.hasColumn(TableName.Project, "secretSharing");
-  if (!hasSecretSharingColumn) {
-    await knex.schema.table(TableName.Project, (table) => {
-      table.boolean("secretSharing").notNullable().defaultTo(true);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasSecretSharingColumn = await knex.schema.hasColumn(TableName.Project, "secretSharing");
-  if (hasSecretSharingColumn) {
-    await knex.schema.table(TableName.Project, (table) => {
-      table.dropColumn("secretSharing");
-    });
-  }
-}

backend/src/db/migrations/20250516192508_secret-sharing-limits-for-org.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasLifetimeColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretLifetime");
-  const hasViewLimitColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretViewLimit");
-
-  if (!hasLifetimeColumn || !hasViewLimitColumn) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      if (!hasLifetimeColumn) {
-        t.integer("maxSharedSecretLifetime").nullable().defaultTo(2592000); // 30 days in seconds
-      }
-      if (!hasViewLimitColumn) {
-        t.integer("maxSharedSecretViewLimit").nullable();
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasLifetimeColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretLifetime");
-  const hasViewLimitColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretViewLimit");
-
-  if (hasLifetimeColumn || hasViewLimitColumn) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      if (hasLifetimeColumn) {
-        t.dropColumn("maxSharedSecretLifetime");
-      }
-      if (hasViewLimitColumn) {
-        t.dropColumn("maxSharedSecretViewLimit");
-      }
-    });
-  }
-}

backend/src/db/migrations/20250517002223_secret-share-to-specific-emails.ts

@@ -1,43 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
-    const hasAuthorizedEmails = await knex.schema.hasColumn(TableName.SecretSharing, "authorizedEmails");
-
-    if (!hasEncryptedSalt || !hasAuthorizedEmails) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        // These two columns are only needed when secrets are shared with a specific list of emails
-
-        if (!hasEncryptedSalt) {
-          t.binary("encryptedSalt").nullable();
-        }
-
-        if (!hasAuthorizedEmails) {
-          t.json("authorizedEmails").nullable();
-        }
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
-    const hasAuthorizedEmails = await knex.schema.hasColumn(TableName.SecretSharing, "authorizedEmails");
-
-    if (hasEncryptedSalt || hasAuthorizedEmails) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        if (hasEncryptedSalt) {
-          t.dropColumn("encryptedSalt");
-        }
-
-        if (hasAuthorizedEmails) {
-          t.dropColumn("authorizedEmails");
-        }
-      });
-    }
-  }
-}

backend/src/db/migrations/20250517002225_secret-scanning-v2.ts

@@ -1,107 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
-import {
-  SecretScanningFindingStatus,
-  SecretScanningScanStatus
-} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretScanningDataSource))) {
-    await knex.schema.createTable(TableName.SecretScanningDataSource, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("externalId").index(); // if we need a unique way of identifying this data source from an external resource
-      t.string("name", 48).notNullable();
-      t.string("description");
-      t.string("type").notNullable();
-      t.jsonb("config").notNullable();
-      t.binary("encryptedCredentials"); // webhook credentials, etc.
-      t.uuid("connectionId");
-      t.boolean("isAutoScanEnabled").defaultTo(true);
-      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-      t.boolean("isDisconnected").notNullable().defaultTo(false);
-      t.unique(["projectId", "name"]);
-    });
-    await createOnUpdateTrigger(knex, TableName.SecretScanningDataSource);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SecretScanningResource))) {
-    await knex.schema.createTable(TableName.SecretScanningResource, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("externalId").notNullable();
-      t.string("name").notNullable();
-      t.string("type").notNullable();
-      t.uuid("dataSourceId").notNullable();
-      t.foreign("dataSourceId").references("id").inTable(TableName.SecretScanningDataSource).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-      t.unique(["dataSourceId", "externalId"]);
-    });
-    await createOnUpdateTrigger(knex, TableName.SecretScanningResource);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SecretScanningScan))) {
-    await knex.schema.createTable(TableName.SecretScanningScan, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("status").notNullable().defaultTo(SecretScanningScanStatus.Queued);
-      t.string("statusMessage", 1024);
-      t.string("type").notNullable();
-      t.uuid("resourceId").notNullable();
-      t.foreign("resourceId").references("id").inTable(TableName.SecretScanningResource).onDelete("CASCADE");
-      t.timestamp("createdAt").defaultTo(knex.fn.now());
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SecretScanningFinding))) {
-    await knex.schema.createTable(TableName.SecretScanningFinding, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("dataSourceName").notNullable();
-      t.string("dataSourceType").notNullable();
-      t.string("resourceName").notNullable();
-      t.string("resourceType").notNullable();
-      t.string("rule").notNullable();
-      t.string("severity").notNullable();
-      t.string("status").notNullable().defaultTo(SecretScanningFindingStatus.Unresolved);
-      t.string("remarks");
-      t.string("fingerprint").notNullable();
-      t.jsonb("details").notNullable();
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("scanId");
-      t.foreign("scanId").references("id").inTable(TableName.SecretScanningScan).onDelete("SET NULL");
-      t.timestamps(true, true, true);
-      t.unique(["projectId", "fingerprint"]);
-    });
-    await createOnUpdateTrigger(knex, TableName.SecretScanningFinding);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SecretScanningConfig))) {
-    await knex.schema.createTable(TableName.SecretScanningConfig, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("projectId").notNullable().unique();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.string("content", 5000);
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.SecretScanningConfig);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretScanningFinding);
-
-  await dropOnUpdateTrigger(knex, TableName.SecretScanningFinding);
-  await knex.schema.dropTableIfExists(TableName.SecretScanningScan);
-
-  await knex.schema.dropTableIfExists(TableName.SecretScanningResource);
-  await dropOnUpdateTrigger(knex, TableName.SecretScanningResource);
-
-  await knex.schema.dropTableIfExists(TableName.SecretScanningDataSource);
-  await dropOnUpdateTrigger(knex, TableName.SecretScanningDataSource);
-
-  await knex.schema.dropTableIfExists(TableName.SecretScanningConfig);
-  await dropOnUpdateTrigger(knex, TableName.SecretScanningConfig);
-}

backend/src/db/migrations/20250521061831_increase-name-sizes.ts

@@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.SecretSync, (t) => {
-    t.string("name", 64).notNullable().alter();
-  });
-  await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
-    t.string("name", 64).notNullable().alter();
-  });
-  await knex.schema.alterTable(TableName.AppConnection, (t) => {
-    t.string("name", 64).notNullable().alter();
-  });
-  await knex.schema.alterTable(TableName.SecretRotationV2, (t) => {
-    t.string("name", 64).notNullable().alter();
-  });
-}
-
-export async function down(): Promise<void> {
-  // No down migration or it will error
-}

backend/src/db/migrations/20250521110635_add-external-ca-pki.ts

@@ -1,205 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCATable = await knex.schema.hasTable(TableName.CertificateAuthority);
-  const hasExternalCATable = await knex.schema.hasTable(TableName.ExternalCertificateAuthority);
-  const hasInternalCATable = await knex.schema.hasTable(TableName.InternalCertificateAuthority);
-
-  if (hasCATable && !hasInternalCATable) {
-    await knex.schema.createTableLike(TableName.InternalCertificateAuthority, TableName.CertificateAuthority, (t) => {
-      t.uuid("caId").nullable();
-    });
-
-    // @ts-expect-error intentional: migration
-    await knex(TableName.InternalCertificateAuthority).insert(knex(TableName.CertificateAuthority).select("*"));
-    await knex(TableName.InternalCertificateAuthority).update("caId", knex.ref("id"));
-
-    await knex.schema.alterTable(TableName.InternalCertificateAuthority, (t) => {
-      t.dropColumn("projectId");
-      t.dropColumn("requireTemplateForIssuance");
-      t.dropColumn("createdAt");
-      t.dropColumn("updatedAt");
-      t.dropColumn("status");
-      t.uuid("parentCaId")
-        .nullable()
-        .references("id")
-        .inTable(TableName.CertificateAuthority)
-        .onDelete("CASCADE")
-        .alter();
-      t.uuid("activeCaCertId").nullable().references("id").inTable(TableName.CertificateAuthorityCert).alter();
-      t.uuid("caId").notNullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE").alter();
-    });
-
-    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-      t.renameColumn("requireTemplateForIssuance", "enableDirectIssuance");
-      t.string("name").nullable();
-    });
-
-    // prefill name for existing internal CAs and flip enableDirectIssuance
-    const cas = await knex(TableName.CertificateAuthority).select("id", "friendlyName", "enableDirectIssuance");
-    await Promise.all(
-      cas.map((ca) => {
-        const slugifiedName = ca.friendlyName
-          ? slugify(`${ca.friendlyName.slice(0, 16)}-${alphaNumericNanoId(8)}`)
-          : slugify(alphaNumericNanoId(12));
-
-        return knex(TableName.CertificateAuthority)
-          .where({ id: ca.id })
-          .update({ name: slugifiedName, enableDirectIssuance: !ca.enableDirectIssuance });
-      })
-    );
-
-    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-      t.dropColumn("parentCaId");
-      t.dropColumn("type");
-      t.dropColumn("friendlyName");
-      t.dropColumn("organization");
-      t.dropColumn("ou");
-      t.dropColumn("country");
-      t.dropColumn("province");
-      t.dropColumn("locality");
-      t.dropColumn("commonName");
-      t.dropColumn("dn");
-      t.dropColumn("serialNumber");
-      t.dropColumn("maxPathLength");
-      t.dropColumn("keyAlgorithm");
-      t.dropColumn("notBefore");
-      t.dropColumn("notAfter");
-      t.dropColumn("activeCaCertId");
-      t.boolean("enableDirectIssuance").notNullable().defaultTo(true).alter();
-      t.string("name").notNullable().alter();
-      t.unique(["name", "projectId"]);
-    });
-  }
-
-  if (!hasExternalCATable) {
-    await knex.schema.createTable(TableName.ExternalCertificateAuthority, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("type").notNullable();
-      t.uuid("appConnectionId").nullable();
-      t.foreign("appConnectionId").references("id").inTable(TableName.AppConnection);
-      t.uuid("dnsAppConnectionId").nullable();
-      t.foreign("dnsAppConnectionId").references("id").inTable(TableName.AppConnection);
-      t.uuid("caId").notNullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
-      t.binary("credentials");
-      t.json("configuration");
-    });
-  }
-
-  if (await knex.schema.hasTable(TableName.PkiSubscriber)) {
-    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
-      t.string("ttl").nullable().alter();
-
-      t.boolean("enableAutoRenewal").notNullable().defaultTo(false);
-      t.integer("autoRenewalPeriodInDays");
-      t.datetime("lastAutoRenewAt");
-
-      t.string("lastOperationStatus");
-      t.text("lastOperationMessage");
-      t.dateTime("lastOperationAt");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCATable = await knex.schema.hasTable(TableName.CertificateAuthority);
-  const hasExternalCATable = await knex.schema.hasTable(TableName.ExternalCertificateAuthority);
-  const hasInternalCATable = await knex.schema.hasTable(TableName.InternalCertificateAuthority);
-
-  if (hasCATable && hasInternalCATable) {
-    // First add all columns as nullable
-    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-      t.uuid("parentCaId").nullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
-      t.string("type").nullable();
-      t.string("friendlyName").nullable();
-      t.string("organization").nullable();
-      t.string("ou").nullable();
-      t.string("country").nullable();
-      t.string("province").nullable();
-      t.string("locality").nullable();
-      t.string("commonName").nullable();
-      t.string("dn").nullable();
-      t.string("serialNumber").nullable().unique();
-      t.integer("maxPathLength").nullable();
-      t.string("keyAlgorithm").nullable();
-      t.timestamp("notBefore").nullable();
-      t.timestamp("notAfter").nullable();
-      t.uuid("activeCaCertId").nullable().references("id").inTable(TableName.CertificateAuthorityCert);
-      t.renameColumn("enableDirectIssuance", "requireTemplateForIssuance");
-      t.dropColumn("name");
-    });
-
-    // flip requireTemplateForIssuance for existing internal CAs
-    const cas = await knex(TableName.CertificateAuthority).select("id", "requireTemplateForIssuance");
-    await Promise.all(
-      cas.map((ca) => {
-        return (
-          knex(TableName.CertificateAuthority)
-            .where({ id: ca.id })
-            // @ts-expect-error intentional: migration
-            .update({ requireTemplateForIssuance: !ca.requireTemplateForIssuance })
-        );
-      })
-    );
-
-    await knex.raw(`
-      UPDATE ${TableName.CertificateAuthority} ca
-      SET
-        type = ica.type,
-        "friendlyName" = ica."friendlyName",
-        organization = ica.organization,
-        ou = ica.ou,
-        country = ica.country,
-        province = ica.province,
-        locality = ica.locality,
-        "commonName" = ica."commonName",
-        dn = ica.dn,
-        "parentCaId" = ica."parentCaId",
-        "serialNumber" = ica."serialNumber",
-        "maxPathLength" = ica."maxPathLength",
-        "keyAlgorithm" = ica."keyAlgorithm",
-        "notBefore" = ica."notBefore",
-        "notAfter" = ica."notAfter",
-        "activeCaCertId" = ica."activeCaCertId"
-      FROM ${TableName.InternalCertificateAuthority} ica
-      WHERE ca.id = ica."caId"
-    `);
-
-    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-      t.string("type").notNullable().alter();
-      t.string("friendlyName").notNullable().alter();
-      t.string("organization").notNullable().alter();
-      t.string("ou").notNullable().alter();
-      t.string("country").notNullable().alter();
-      t.string("province").notNullable().alter();
-      t.string("locality").notNullable().alter();
-      t.string("commonName").notNullable().alter();
-      t.string("dn").notNullable().alter();
-      t.string("keyAlgorithm").notNullable().alter();
-      t.boolean("requireTemplateForIssuance").notNullable().defaultTo(false).alter();
-    });
-
-    await knex.schema.dropTable(TableName.InternalCertificateAuthority);
-  }
-
-  if (hasExternalCATable) {
-    await knex.schema.dropTable(TableName.ExternalCertificateAuthority);
-  }
-
-  if (await knex.schema.hasTable(TableName.PkiSubscriber)) {
-    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
-      t.dropColumn("enableAutoRenewal");
-      t.dropColumn("autoRenewalPeriodInDays");
-      t.dropColumn("lastAutoRenewAt");
-
-      t.dropColumn("lastOperationStatus");
-      t.dropColumn("lastOperationMessage");
-      t.dropColumn("lastOperationAt");
-    });
-  }
-}

backend/src/db/migrations/20250527030702_policy-bypassers.ts

@@ -1,48 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyBypasser))) {
-    await knex.schema.createTable(TableName.AccessApprovalPolicyBypasser, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("bypasserGroupId").nullable();
-      t.foreign("bypasserGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
-
-      t.uuid("bypasserUserId").nullable();
-      t.foreign("bypasserUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyBypasser);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalPolicyBypasser))) {
-    await knex.schema.createTable(TableName.SecretApprovalPolicyBypasser, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("bypasserGroupId").nullable();
-      t.foreign("bypasserGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
-
-      t.uuid("bypasserUserId").nullable();
-      t.foreign("bypasserUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.SecretApprovalPolicy).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.SecretApprovalPolicyBypasser);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretApprovalPolicyBypasser);
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyBypasser);
-
-  await dropOnUpdateTrigger(knex, TableName.SecretApprovalPolicyBypasser);
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyBypasser);
-}

backend/src/db/migrations/20250527140639_dynamic-secret-username-template.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "usernameTemplate");
-  if (!hasColumn) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      t.string("usernameTemplate").nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "usernameTemplate");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      t.dropColumn("usernameTemplate");
-    });
-  }
-}

backend/src/db/migrations/20250527164523_add-mi-access-token-period.ts

@@ -1,139 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.IdentityAccessToken, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityAwsAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityOidcAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityAzureAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityAzureAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityGcpAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityJwtAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityJwtAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityLdapAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityOciAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityOciAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityTokenAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityTokenAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.IdentityAccessToken, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityAwsAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityOidcAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityAzureAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityAzureAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityGcpAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityJwtAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityJwtAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityLdapAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityOciAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityOciAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityTokenAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityTokenAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-}

backend/src/db/migrations/20250528110936_add-folder-description-to-versioning.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.SecretFolderVersion, "description"))) {
-    await knex.schema.alterTable(TableName.SecretFolderVersion, (t) => {
-      t.string("description").nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SecretFolderVersion, "description")) {
-    await knex.schema.alterTable(TableName.SecretFolderVersion, (t) => {
-      t.dropColumn("description");
-    });
-  }
-}

backend/src/db/migrations/20250528145356_add-template-slug.ts

@@ -1,24 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasNameCol = await knex.schema.hasColumn(TableName.CertificateTemplate, "name");
-  if (hasNameCol) {
-    const templates = await knex(TableName.CertificateTemplate).select("id", "name");
-    await Promise.all(
-      templates.map((el) => {
-        const slugifiedName = el.name
-          ? slugify(`${el.name.slice(0, 16)}-${alphaNumericNanoId(8)}`)
-          : slugify(alphaNumericNanoId(12));
-
-        return knex(TableName.CertificateTemplate).where({ id: el.id }).update({ name: slugifiedName });
-      })
-    );
-  }
-}
-
-export async function down(): Promise<void> {}

backend/src/db/migrations/20250528183744_remove-encrypted-salt-from-shared-secret.ts

@@ -1,27 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
-
-    if (hasEncryptedSalt) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.dropColumn("encryptedSalt");
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
-
-    if (!hasEncryptedSalt) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.binary("encryptedSalt").nullable();
-      });
-    }
-  }
-}

backend/src/db/migrations/20250530152721_add-access-approval-request-deleted-at.ts

@@ -1,63 +0,0 @@
-import { Knex } from "knex";
-
-import { ApprovalStatus } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasPrivilegeDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.AccessApprovalRequest,
-    "privilegeDeletedAt"
-  );
-  const hasStatusColumn = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "status");
-
-  if (!hasPrivilegeDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.timestamp("privilegeDeletedAt").nullable();
-    });
-  }
-
-  if (!hasStatusColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.string("status").defaultTo(ApprovalStatus.PENDING).notNullable();
-    });
-
-    // Update existing rows based on business logic
-    // If privilegeId is not null, set status to "approved"
-    await knex(TableName.AccessApprovalRequest).whereNotNull("privilegeId").update({ status: ApprovalStatus.APPROVED });
-
-    // If privilegeId is null and there's a rejected reviewer, set to "rejected"
-    const rejectedRequestIds = await knex(TableName.AccessApprovalRequestReviewer)
-      .select("requestId")
-      .where("status", "rejected")
-      .distinct()
-      .pluck("requestId");
-
-    if (rejectedRequestIds.length > 0) {
-      await knex(TableName.AccessApprovalRequest)
-        .whereNull("privilegeId")
-        .whereIn("id", rejectedRequestIds)
-        .update({ status: ApprovalStatus.REJECTED });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasPrivilegeDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.AccessApprovalRequest,
-    "privilegeDeletedAt"
-  );
-  const hasStatusColumn = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "status");
-
-  if (hasPrivilegeDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.dropColumn("privilegeDeletedAt");
-    });
-  }
-
-  if (hasStatusColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.dropColumn("status");
-    });
-  }
-}

backend/src/db/migrations/20250602155451_fix-secret-versions.ts

@@ -1,139 +0,0 @@
-/* eslint-disable no-await-in-loop */
-import { Knex } from "knex";
-
-import { chunkArray } from "@app/lib/fn";
-import { selectAllTableCols } from "@app/lib/knex";
-import { logger } from "@app/lib/logger";
-
-import { SecretType, TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  logger.info("Starting secret version fix migration");
-
-  // Get all shared secret IDs first to optimize versions query
-  const secretIds = await knex(TableName.SecretV2)
-    .where("type", SecretType.Shared)
-    .select("id")
-    .then((rows) => rows.map((row) => row.id));
-
-  logger.info(`Found ${secretIds.length} shared secrets to process`);
-
-  if (secretIds.length === 0) {
-    logger.info("No shared secrets found");
-    return;
-  }
-
-  const secretIdChunks = chunkArray(secretIds, 5000);
-
-  for (let chunkIndex = 0; chunkIndex < secretIdChunks.length; chunkIndex += 1) {
-    const currentSecretIds = secretIdChunks[chunkIndex];
-    logger.info(`Processing chunk ${chunkIndex + 1} of ${secretIdChunks.length}`);
-
-    // Get secrets and versions for current chunk
-    const [sharedSecrets, allVersions] = await Promise.all([
-      knex(TableName.SecretV2).whereIn("id", currentSecretIds).select(selectAllTableCols(TableName.SecretV2)),
-      knex(TableName.SecretVersionV2).whereIn("secretId", currentSecretIds).select("secretId", "version")
-    ]);
-
-    const versionsBySecretId = new Map<string, number[]>();
-
-    allVersions.forEach((v) => {
-      const versions = versionsBySecretId.get(v.secretId);
-      if (versions) {
-        versions.push(v.version);
-      } else {
-        versionsBySecretId.set(v.secretId, [v.version]);
-      }
-    });
-
-    const versionsToAdd = [];
-    const secretsToUpdate = [];
-
-    // Process each shared secret
-    for (const secret of sharedSecrets) {
-      const existingVersions = versionsBySecretId.get(secret.id) || [];
-
-      if (existingVersions.length === 0) {
-        // No versions exist - add current version
-        versionsToAdd.push({
-          secretId: secret.id,
-          version: secret.version,
-          key: secret.key,
-          encryptedValue: secret.encryptedValue,
-          encryptedComment: secret.encryptedComment,
-          reminderNote: secret.reminderNote,
-          reminderRepeatDays: secret.reminderRepeatDays,
-          skipMultilineEncoding: secret.skipMultilineEncoding,
-          metadata: secret.metadata,
-          folderId: secret.folderId,
-          actorType: "platform"
-        });
-      } else {
-        const latestVersion = Math.max(...existingVersions);
-
-        if (latestVersion !== secret.version) {
-          // Latest version doesn't match - create new version and update secret
-          const nextVersion = latestVersion + 1;
-
-          versionsToAdd.push({
-            secretId: secret.id,
-            version: nextVersion,
-            key: secret.key,
-            encryptedValue: secret.encryptedValue,
-            encryptedComment: secret.encryptedComment,
-            reminderNote: secret.reminderNote,
-            reminderRepeatDays: secret.reminderRepeatDays,
-            skipMultilineEncoding: secret.skipMultilineEncoding,
-            metadata: secret.metadata,
-            folderId: secret.folderId,
-            actorType: "platform"
-          });
-
-          secretsToUpdate.push({
-            id: secret.id,
-            newVersion: nextVersion
-          });
-        }
-      }
-    }
-
-    logger.info(
-      `Chunk ${chunkIndex + 1}: Adding ${versionsToAdd.length} versions, updating ${secretsToUpdate.length} secrets`
-    );
-
-    // Batch insert new versions
-    if (versionsToAdd.length > 0) {
-      const insertBatches = chunkArray(versionsToAdd, 9000);
-      for (let i = 0; i < insertBatches.length; i += 1) {
-        await knex.batchInsert(TableName.SecretVersionV2, insertBatches[i]);
-      }
-    }
-
-    if (secretsToUpdate.length > 0) {
-      const updateBatches = chunkArray(secretsToUpdate, 1000);
-
-      for (const updateBatch of updateBatches) {
-        const ids = updateBatch.map((u) => u.id);
-        const versionCases = updateBatch.map((u) => `WHEN '${u.id}' THEN ${u.newVersion}`).join(" ");
-
-        await knex.raw(
-          `
-            UPDATE ${TableName.SecretV2} 
-            SET version = CASE id ${versionCases} END,
-                "updatedAt" = NOW()
-            WHERE id IN (${ids.map(() => "?").join(",")})
-          `,
-          ids
-        );
-      }
-    }
-  }
-
-  logger.info("Secret version fix migration completed");
-}
-
-export async function down(): Promise<void> {
-  logger.info("Rollback not implemented for secret version fix migration");
-  // Note: Rolling back this migration would be complex and potentially destructive
-  // as it would require tracking which version entries were added
-}

backend/src/db/migrations/20250602155452_pit-projects-commits-initialization.ts

@@ -1,345 +0,0 @@
-import { Knex } from "knex";
-
-import { chunkArray } from "@app/lib/fn";
-import { selectAllTableCols } from "@app/lib/knex";
-import { logger } from "@app/lib/logger";
-import { ActorType } from "@app/services/auth/auth-type";
-import { ChangeType } from "@app/services/folder-commit/folder-commit-service";
-
-import {
-  ProjectType,
-  SecretType,
-  TableName,
-  TFolderCheckpoints,
-  TFolderCommits,
-  TFolderTreeCheckpoints,
-  TSecretFolders
-} from "../schemas";
-
-const sortFoldersByHierarchy = (folders: TSecretFolders[]) => {
-  // Create a map for quick lookup of children by parent ID
-  const childrenMap = new Map<string, TSecretFolders[]>();
-
-  // Set of all folder IDs
-  const allFolderIds = new Set<string>();
-
-  // Build the set of all folder IDs
-  folders.forEach((folder) => {
-    if (folder.id) {
-      allFolderIds.add(folder.id);
-    }
-  });
-
-  // Group folders by their parentId
-  folders.forEach((folder) => {
-    if (folder.parentId) {
-      const children = childrenMap.get(folder.parentId) || [];
-      children.push(folder);
-      childrenMap.set(folder.parentId, children);
-    }
-  });
-
-  // Find root folders - those with no parentId or with a parentId that doesn't exist
-  const rootFolders = folders.filter((folder) => !folder.parentId || !allFolderIds.has(folder.parentId));
-
-  // Process each level of the hierarchy
-  const result = [];
-  let currentLevel = rootFolders;
-
-  while (currentLevel.length > 0) {
-    result.push(...currentLevel);
-
-    const nextLevel = [];
-    for (const folder of currentLevel) {
-      if (folder.id) {
-        const children = childrenMap.get(folder.id) || [];
-        nextLevel.push(...children);
-      }
-    }
-
-    currentLevel = nextLevel;
-  }
-
-  return result.reverse();
-};
-
-const getSecretsByFolderIds = async (knex: Knex, folderIds: string[]): Promise<Record<string, string[]>> => {
-  const secrets = await knex(TableName.SecretV2)
-    .whereIn(`${TableName.SecretV2}.folderId`, folderIds)
-    .where(`${TableName.SecretV2}.type`, SecretType.Shared)
-    .join<TableName.SecretVersionV2>(TableName.SecretVersionV2, (queryBuilder) => {
-      void queryBuilder
-        .on(`${TableName.SecretVersionV2}.secretId`, `${TableName.SecretV2}.id`)
-        .andOn(`${TableName.SecretVersionV2}.version`, `${TableName.SecretV2}.version`);
-    })
-    .select(selectAllTableCols(TableName.SecretV2))
-    .select(knex.ref("id").withSchema(TableName.SecretVersionV2).as("secretVersionId"));
-
-  const secretsMap: Record<string, string[]> = {};
-
-  secrets.forEach((secret) => {
-    if (!secretsMap[secret.folderId]) {
-      secretsMap[secret.folderId] = [];
-    }
-    secretsMap[secret.folderId].push(secret.secretVersionId);
-  });
-
-  return secretsMap;
-};
-
-const getFoldersByParentIds = async (knex: Knex, parentIds: string[]): Promise<Record<string, string[]>> => {
-  const folders = await knex(TableName.SecretFolder)
-    .whereIn(`${TableName.SecretFolder}.parentId`, parentIds)
-    .where(`${TableName.SecretFolder}.isReserved`, false)
-    .join<TableName.SecretFolderVersion>(TableName.SecretFolderVersion, (queryBuilder) => {
-      void queryBuilder
-        .on(`${TableName.SecretFolderVersion}.folderId`, `${TableName.SecretFolder}.id`)
-        .andOn(`${TableName.SecretFolderVersion}.version`, `${TableName.SecretFolder}.version`);
-    })
-    .select(selectAllTableCols(TableName.SecretFolder))
-    .select(knex.ref("id").withSchema(TableName.SecretFolderVersion).as("folderVersionId"));
-
-  const foldersMap: Record<string, string[]> = {};
-
-  folders.forEach((folder) => {
-    if (!folder.parentId) {
-      return;
-    }
-    if (!foldersMap[folder.parentId]) {
-      foldersMap[folder.parentId] = [];
-    }
-    foldersMap[folder.parentId].push(folder.folderVersionId);
-  });
-
-  return foldersMap;
-};
-
-export async function up(knex: Knex): Promise<void> {
-  logger.info("Initializing folder commits");
-  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
-  if (hasFolderCommitTable) {
-    // Get Projects to Initialize
-    const projects = await knex(TableName.Project)
-      .where(`${TableName.Project}.version`, 3)
-      .where(`${TableName.Project}.type`, ProjectType.SecretManager)
-      .select(selectAllTableCols(TableName.Project));
-    logger.info(`Found ${projects.length} projects to initialize`);
-
-    // Process Projects in batches of 100
-    const batches = chunkArray(projects, 100);
-    let i = 0;
-    for (const batch of batches) {
-      i += 1;
-      logger.info(`Processing project batch ${i} of ${batches.length}`);
-      let foldersCommitsList = [];
-
-      const rootFoldersMap: Record<string, string> = {};
-      const envRootFoldersMap: Record<string, string> = {};
-
-      // Get All Folders for the Project
-      // eslint-disable-next-line no-await-in-loop
-      const folders = await knex(TableName.SecretFolder)
-        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
-        .whereIn(
-          `${TableName.Environment}.projectId`,
-          batch.map((project) => project.id)
-        )
-        .where(`${TableName.SecretFolder}.isReserved`, false)
-        .select(selectAllTableCols(TableName.SecretFolder));
-      logger.info(`Found ${folders.length} folders to initialize in project batch ${i} of ${batches.length}`);
-
-      // Sort Folders by Hierarchy (parents before nested folders)
-      const sortedFolders = sortFoldersByHierarchy(folders);
-
-      // eslint-disable-next-line no-await-in-loop
-      const folderSecretsMap = await getSecretsByFolderIds(
-        knex,
-        sortedFolders.map((folder) => folder.id)
-      );
-      // eslint-disable-next-line no-await-in-loop
-      const folderFoldersMap = await getFoldersByParentIds(
-        knex,
-        sortedFolders.map((folder) => folder.id)
-      );
-
-      // Get folder commit changes
-      for (const folder of sortedFolders) {
-        const subFolderVersionIds = folderFoldersMap[folder.id];
-        const secretVersionIds = folderSecretsMap[folder.id];
-        const changes = [];
-        if (subFolderVersionIds) {
-          changes.push(
-            ...subFolderVersionIds.map((folderVersionId) => ({
-              folderId: folder.id,
-              changeType: ChangeType.ADD,
-              secretVersionId: undefined,
-              folderVersionId,
-              isUpdate: false
-            }))
-          );
-        }
-        if (secretVersionIds) {
-          changes.push(
-            ...secretVersionIds.map((secretVersionId) => ({
-              folderId: folder.id,
-              changeType: ChangeType.ADD,
-              secretVersionId,
-              folderVersionId: undefined,
-              isUpdate: false
-            }))
-          );
-        }
-        if (changes.length > 0) {
-          const folderCommit = {
-            commit: {
-              actorMetadata: {},
-              actorType: ActorType.PLATFORM,
-              message: "Initialized folder",
-              folderId: folder.id,
-              envId: folder.envId
-            },
-            changes
-          };
-          foldersCommitsList.push(folderCommit);
-          if (!folder.parentId) {
-            rootFoldersMap[folder.id] = folder.envId;
-            envRootFoldersMap[folder.envId] = folder.id;
-          }
-        }
-      }
-      logger.info(`Retrieved folder changes for project batch ${i} of ${batches.length}`);
-
-      const filteredBrokenProjectFolders: string[] = [];
-
-      foldersCommitsList = foldersCommitsList.filter((folderCommit) => {
-        if (!envRootFoldersMap[folderCommit.commit.envId]) {
-          filteredBrokenProjectFolders.push(folderCommit.commit.folderId);
-          return false;
-        }
-        return true;
-      });
-
-      logger.info(
-        `Filtered ${filteredBrokenProjectFolders.length} broken project folders: ${JSON.stringify(filteredBrokenProjectFolders)}`
-      );
-
-      // Insert New Commits in batches of 9000
-      const newCommits = foldersCommitsList.map((folderCommit) => folderCommit.commit);
-      const commitBatches = chunkArray(newCommits, 9000);
-
-      let j = 0;
-      for (const commitBatch of commitBatches) {
-        j += 1;
-        logger.info(`Inserting folder commits - batch ${j} of ${commitBatches.length}`);
-        // Create folder commit
-        // eslint-disable-next-line no-await-in-loop
-        const newCommitsInserted = (await knex
-          .batchInsert(TableName.FolderCommit, commitBatch)
-          .returning("*")) as TFolderCommits[];
-
-        logger.info(`Finished inserting folder commits - batch ${j} of ${commitBatches.length}`);
-
-        const newCommitsMap: Record<string, string> = {};
-        const newCommitsMapInverted: Record<string, string> = {};
-        const newCheckpointsMap: Record<string, string> = {};
-        newCommitsInserted.forEach((commit) => {
-          newCommitsMap[commit.folderId] = commit.id;
-          newCommitsMapInverted[commit.id] = commit.folderId;
-        });
-
-        // Create folder checkpoints
-        // eslint-disable-next-line no-await-in-loop
-        const newCheckpoints = (await knex
-          .batchInsert(
-            TableName.FolderCheckpoint,
-            Object.values(newCommitsMap).map((commitId) => ({
-              folderCommitId: commitId
-            }))
-          )
-          .returning("*")) as TFolderCheckpoints[];
-
-        logger.info(`Finished inserting folder checkpoints - batch ${j} of ${commitBatches.length}`);
-
-        newCheckpoints.forEach((checkpoint) => {
-          newCheckpointsMap[newCommitsMapInverted[checkpoint.folderCommitId]] = checkpoint.id;
-        });
-
-        // Create folder commit changes
-        // eslint-disable-next-line no-await-in-loop
-        await knex.batchInsert(
-          TableName.FolderCommitChanges,
-          foldersCommitsList
-            .map((folderCommit) => folderCommit.changes)
-            .flat()
-            .map((change) => ({
-              folderCommitId: newCommitsMap[change.folderId],
-              changeType: change.changeType,
-              secretVersionId: change.secretVersionId,
-              folderVersionId: change.folderVersionId,
-              isUpdate: false
-            }))
-        );
-
-        logger.info(`Finished inserting folder commit changes - batch ${j} of ${commitBatches.length}`);
-
-        // Create folder checkpoint resources
-        // eslint-disable-next-line no-await-in-loop
-        await knex.batchInsert(
-          TableName.FolderCheckpointResources,
-          foldersCommitsList
-            .map((folderCommit) => folderCommit.changes)
-            .flat()
-            .map((change) => ({
-              folderCheckpointId: newCheckpointsMap[change.folderId],
-              folderVersionId: change.folderVersionId,
-              secretVersionId: change.secretVersionId
-            }))
-        );
-
-        logger.info(`Finished inserting folder checkpoint resources - batch ${j} of ${commitBatches.length}`);
-
-        // Create Folder Tree Checkpoint
-        // eslint-disable-next-line no-await-in-loop
-        const newTreeCheckpoints = (await knex
-          .batchInsert(
-            TableName.FolderTreeCheckpoint,
-            Object.keys(rootFoldersMap).map((folderId) => ({
-              folderCommitId: newCommitsMap[folderId]
-            }))
-          )
-          .returning("*")) as TFolderTreeCheckpoints[];
-
-        logger.info(`Finished inserting folder tree checkpoints - batch ${j} of ${commitBatches.length}`);
-
-        const newTreeCheckpointsMap: Record<string, string> = {};
-        newTreeCheckpoints.forEach((checkpoint) => {
-          newTreeCheckpointsMap[rootFoldersMap[newCommitsMapInverted[checkpoint.folderCommitId]]] = checkpoint.id;
-        });
-
-        // Create Folder Tree Checkpoint Resources
-        // eslint-disable-next-line no-await-in-loop
-        await knex
-          .batchInsert(
-            TableName.FolderTreeCheckpointResources,
-            newCommitsInserted.map((folderCommit) => ({
-              folderTreeCheckpointId: newTreeCheckpointsMap[folderCommit.envId],
-              folderId: folderCommit.folderId,
-              folderCommitId: folderCommit.id
-            }))
-          )
-          .returning("*");
-
-        logger.info(`Finished inserting folder tree checkpoint resources - batch ${j} of ${commitBatches.length}`);
-      }
-    }
-  }
-  logger.info("Folder commits initialized");
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
-  if (hasFolderCommitTable) {
-    // delete all existing entries
-    await knex(TableName.FolderCommit).del();
-  }
-}

backend/src/db/migrations/20250603094506_access-request-sequential.ts

@@ -1,44 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasStepColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "sequence");
-  const hasApprovalRequiredColumn = await knex.schema.hasColumn(
-    TableName.AccessApprovalPolicyApprover,
-    "approvalsRequired"
-  );
-  if (!hasStepColumn || !hasApprovalRequiredColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (t) => {
-      if (!hasStepColumn) t.integer("sequence").defaultTo(1);
-      if (!hasApprovalRequiredColumn) t.integer("approvalsRequired").nullable();
-    });
-  }
-
-  // set rejected status for all access request that was rejected and still has status pending
-  const subquery = knex(TableName.AccessApprovalRequest)
-    .leftJoin(
-      TableName.AccessApprovalRequestReviewer,
-      `${TableName.AccessApprovalRequestReviewer}.requestId`,
-      `${TableName.AccessApprovalRequest}.id`
-    )
-    .where(`${TableName.AccessApprovalRequest}.status` as "status", "pending")
-    .where(`${TableName.AccessApprovalRequestReviewer}.status` as "status", "rejected")
-    .select(`${TableName.AccessApprovalRequest}.id`);
-
-  await knex(TableName.AccessApprovalRequest).where("id", "in", subquery).update("status", "rejected");
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasStepColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "sequence");
-  const hasApprovalRequiredColumn = await knex.schema.hasColumn(
-    TableName.AccessApprovalPolicyApprover,
-    "approvalsRequired"
-  );
-  if (hasStepColumn || hasApprovalRequiredColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (t) => {
-      if (hasStepColumn) t.dropColumn("sequence");
-      if (hasApprovalRequiredColumn) t.dropColumn("approvalsRequired");
-    });
-  }
-}

backend/src/db/migrations/20250604174128_identity-kubernetes-auth-gateway-reviewer.ts

@@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasTokenReviewModeColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "tokenReviewMode");
-
-  if (!hasTokenReviewModeColumn) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
-      table.string("tokenReviewMode").notNullable().defaultTo("api");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasTokenReviewModeColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "tokenReviewMode");
-
-  if (hasTokenReviewModeColumn) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
-      table.dropColumn("tokenReviewMode");
-    });
-  }
-}

backend/src/db/migrations/20250606134139_add-project-snapshots-legacy-option.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasShowSnapshotsLegacyColumn = await knex.schema.hasColumn(TableName.Project, "showSnapshotsLegacy");
-  if (!hasShowSnapshotsLegacyColumn) {
-    await knex.schema.table(TableName.Project, (table) => {
-      table.boolean("showSnapshotsLegacy").notNullable().defaultTo(false);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasShowSnapshotsLegacyColumn = await knex.schema.hasColumn(TableName.Project, "showSnapshotsLegacy");
-  if (hasShowSnapshotsLegacyColumn) {
-    await knex.schema.table(TableName.Project, (table) => {
-      table.dropColumn("showSnapshotsLegacy");
-    });
-  }
-}

backend/src/db/migrations/20250610143920_add-dynamic-secret-lease-config.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasConfigColumn = await knex.schema.hasColumn(TableName.DynamicSecretLease, "config");
-  if (!hasConfigColumn) {
-    await knex.schema.alterTable(TableName.DynamicSecretLease, (table) => {
-      table.jsonb("config");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasConfigColumn = await knex.schema.hasColumn(TableName.DynamicSecretLease, "config");
-  if (hasConfigColumn) {
-    await knex.schema.alterTable(TableName.DynamicSecretLease, (table) => {
-      table.dropColumn("config");
-    });
-  }
-}

backend/src/db/migrations/20250610173646_identity-kubernetes-auth-optional-host-url.ts

@@ -1,45 +0,0 @@
-import { Knex } from "knex";
-
-import { selectAllTableCols } from "@app/lib/knex";
-
-import { TableName } from "../schemas";
-
-const BATCH_SIZE = 1000;
-
-export async function up(knex: Knex): Promise<void> {
-  const hasKubernetesHostColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "kubernetesHost");
-
-  if (hasKubernetesHostColumn) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
-      table.string("kubernetesHost").nullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasKubernetesHostColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "kubernetesHost");
-
-  // find all rows where kubernetesHost is null
-  const rows = await knex(TableName.IdentityKubernetesAuth)
-    .whereNull("kubernetesHost")
-    .select(selectAllTableCols(TableName.IdentityKubernetesAuth));
-
-  if (rows.length > 0) {
-    for (let i = 0; i < rows.length; i += BATCH_SIZE) {
-      const batch = rows.slice(i, i + BATCH_SIZE);
-      // eslint-disable-next-line no-await-in-loop
-      await knex(TableName.IdentityKubernetesAuth)
-        .whereIn(
-          "id",
-          batch.map((row) => row.id)
-        )
-        .update({ kubernetesHost: "" });
-    }
-  }
-
-  if (hasKubernetesHostColumn) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
-      table.string("kubernetesHost").notNullable().alter();
-    });
-  }
-}

backend/src/db/migrations/20250610205158_alicloud-machine-identity.ts

@@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAliCloudAuth))) {
-    await knex.schema.createTable(TableName.IdentityAliCloudAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("type").notNullable();
-
-      t.string("allowedArns").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityAliCloudAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityAliCloudAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAliCloudAuth);
-}

backend/src/db/migrations/20250613153957_add-machine-identity-delete-protection.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.Identity, "hasDeleteProtection");
-  if (!hasCol) {
-    await knex.schema.alterTable(TableName.Identity, (t) => {
-      t.boolean("hasDeleteProtection").notNullable().defaultTo(false);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.Identity, "hasDeleteProtection");
-  if (hasCol) {
-    await knex.schema.alterTable(TableName.Identity, (t) => {
-      t.dropColumn("hasDeleteProtection");
-    });
-  }
-}

backend/src/db/migrations/20250618172150_increase-aws-arn-field-size.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
-      t.string("allowedPrincipalArns", 2048).notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
-      t.string("allowedPrincipalArns", 255).notNullable().alter();
-    });
-  }
-}

backend/src/db/migrations/20250620144939_add-instance-github-app-connection-credentials.ts

@@ -1,91 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasEncryptedGithubAppConnectionClientIdColumn = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedGitHubAppConnectionClientId"
-  );
-  const hasEncryptedGithubAppConnectionClientSecretColumn = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedGitHubAppConnectionClientSecret"
-  );
-
-  const hasEncryptedGithubAppConnectionSlugColumn = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedGitHubAppConnectionSlug"
-  );
-
-  const hasEncryptedGithubAppConnectionAppIdColumn = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedGitHubAppConnectionId"
-  );
-
-  const hasEncryptedGithubAppConnectionAppPrivateKeyColumn = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedGitHubAppConnectionPrivateKey"
-  );
-
-  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-    if (!hasEncryptedGithubAppConnectionClientIdColumn) {
-      t.binary("encryptedGitHubAppConnectionClientId").nullable();
-    }
-    if (!hasEncryptedGithubAppConnectionClientSecretColumn) {
-      t.binary("encryptedGitHubAppConnectionClientSecret").nullable();
-    }
-    if (!hasEncryptedGithubAppConnectionSlugColumn) {
-      t.binary("encryptedGitHubAppConnectionSlug").nullable();
-    }
-    if (!hasEncryptedGithubAppConnectionAppIdColumn) {
-      t.binary("encryptedGitHubAppConnectionId").nullable();
-    }
-    if (!hasEncryptedGithubAppConnectionAppPrivateKeyColumn) {
-      t.binary("encryptedGitHubAppConnectionPrivateKey").nullable();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEncryptedGithubAppConnectionClientIdColumn = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedGitHubAppConnectionClientId"
-  );
-  const hasEncryptedGithubAppConnectionClientSecretColumn = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedGitHubAppConnectionClientSecret"
-  );
-
-  const hasEncryptedGithubAppConnectionSlugColumn = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedGitHubAppConnectionSlug"
-  );
-
-  const hasEncryptedGithubAppConnectionAppIdColumn = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedGitHubAppConnectionId"
-  );
-
-  const hasEncryptedGithubAppConnectionAppPrivateKeyColumn = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedGitHubAppConnectionPrivateKey"
-  );
-
-  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-    if (hasEncryptedGithubAppConnectionClientIdColumn) {
-      t.dropColumn("encryptedGitHubAppConnectionClientId");
-    }
-    if (hasEncryptedGithubAppConnectionClientSecretColumn) {
-      t.dropColumn("encryptedGitHubAppConnectionClientSecret");
-    }
-    if (hasEncryptedGithubAppConnectionSlugColumn) {
-      t.dropColumn("encryptedGitHubAppConnectionSlug");
-    }
-    if (hasEncryptedGithubAppConnectionAppIdColumn) {
-      t.dropColumn("encryptedGitHubAppConnectionId");
-    }
-    if (hasEncryptedGithubAppConnectionAppPrivateKeyColumn) {
-      t.dropColumn("encryptedGitHubAppConnectionPrivateKey");
-    }
-  });
-}

backend/src/db/migrations/20250624061429_identity-tls-auth.ts

@@ -1,28 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityTlsCertAuth))) {
-    await knex.schema.createTable(TableName.IdentityTlsCertAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("allowedCommonNames").nullable();
-      t.binary("encryptedCaCertificate").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityTlsCertAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityTlsCertAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityTlsCertAuth);
-}

backend/src/db/migrations/20250626101747_default-project-type.ts

@@ -1,41 +0,0 @@
-import { Knex } from "knex";
-
-import { ProjectType, TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
-  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
-  if (hasTypeColumn && !hasDefaultTypeColumn) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.string("type").nullable().alter();
-      t.string("defaultProduct").notNullable().defaultTo(ProjectType.SecretManager);
-    });
-
-    await knex(TableName.Project).update({
-      // eslint-disable-next-line
-      // @ts-ignore this is because this field is created later
-      defaultProduct: knex.raw(`
-    CASE 
-      WHEN "type" IS NULL OR "type" = '' THEN 'secret-manager' 
-      ELSE "type" 
-    END
-  `)
-    });
-  }
-
-  const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
-  if (hasTemplateTypeColumn) {
-    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
-      t.string("type").nullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
-  if (hasDefaultTypeColumn) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.dropColumn("defaultProduct");
-    });
-  }
-}

backend/src/db/migrations/20250627010508_env-overrides.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "encryptedEnvOverrides");
-  if (!hasColumn) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.binary("encryptedEnvOverrides").nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "encryptedEnvOverrides");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.dropColumn("encryptedEnvOverrides");
-    });
-  }
-}

backend/src/db/migrations/20250630212553_user-latest-invite.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
-  await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-    if (!hasColumn) {
-      t.datetime("lastInvitedAt").nullable();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
-  await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-    if (hasColumn) {
-      t.dropColumn("lastInvitedAt");
-    }
-  });
-}

backend/src/db/migrations/20250707162850_last-invited-at-default.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-      t.datetime("lastInvitedAt").nullable().defaultTo(knex.fn.now()).alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-      t.datetime("lastInvitedAt").nullable().alter();
-    });
-  }
-}

backend/src/db/migrations/20250710022434_add-index-for-access-token.ts

@@ -1,46 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-const MIGRATION_TIMEOUT = 30 * 60 * 1000; // 30 minutes
-
-export async function up(knex: Knex): Promise<void> {
-  const result = await knex.raw("SHOW statement_timeout");
-  const originalTimeout = result.rows[0].statement_timeout;
-
-  try {
-    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
-
-    // iat means IdentityAccessToken
-    await knex.raw(`
-          CREATE INDEX IF NOT EXISTS idx_iat_identity_id 
-          ON ${TableName.IdentityAccessToken} ("identityId")
-        `);
-
-    await knex.raw(`
-          CREATE INDEX IF NOT EXISTS idx_iat_ua_client_secret_id 
-          ON ${TableName.IdentityAccessToken} ("identityUAClientSecretId")
-        `);
-  } finally {
-    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const result = await knex.raw("SHOW statement_timeout");
-  const originalTimeout = result.rows[0].statement_timeout;
-
-  try {
-    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
-
-    await knex.raw(`
-          DROP INDEX IF EXISTS idx_iat_identity_id
-        `);
-
-    await knex.raw(`
-          DROP INDEX IF EXISTS idx_iat_ua_client_secret_id
-        `);
-  } finally {
-    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
-  }
-}

backend/src/db/migrations/20250710115149_required-path-on-approval-policies.ts

@@ -1,55 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const existingSecretApprovalPolicies = await knex(TableName.SecretApprovalPolicy)
-    .whereNull("secretPath")
-    .orWhere("secretPath", "");
-
-  const existingAccessApprovalPolicies = await knex(TableName.AccessApprovalPolicy)
-    .whereNull("secretPath")
-    .orWhere("secretPath", "");
-
-  // update all the secret approval policies secretPath to be "/**"
-  if (existingSecretApprovalPolicies.length) {
-    await knex(TableName.SecretApprovalPolicy)
-      .whereIn(
-        "id",
-        existingSecretApprovalPolicies.map((el) => el.id)
-      )
-      .update({
-        secretPath: "/**"
-      });
-  }
-
-  // update all the access approval policies secretPath to be "/**"
-  if (existingAccessApprovalPolicies.length) {
-    await knex(TableName.AccessApprovalPolicy)
-      .whereIn(
-        "id",
-        existingAccessApprovalPolicies.map((el) => el.id)
-      )
-      .update({
-        secretPath: "/**"
-      });
-  }
-
-  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
-    table.string("secretPath").notNullable().alter();
-  });
-
-  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
-    table.string("secretPath").notNullable().alter();
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
-    table.string("secretPath").nullable().alter();
-  });
-
-  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
-    table.string("secretPath").nullable().alter();
-  });
-}

backend/src/db/migrations/20250710153448_adjust-approval-request-user-cols.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCommitterCol = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId");
-
-  if (hasCommitterCol) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
-      tb.uuid("committerUserId").nullable().alter();
-    });
-  }
-
-  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
-
-  if (hasRequesterCol) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
-      tb.dropForeign("requestedByUserId");
-      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // can't undo committer nullable
-
-  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
-
-  if (hasRequesterCol) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
-      tb.dropForeign("requestedByUserId");
-      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-    });
-  }
-}

backend/src/db/migrations/20250711005900_github-app-connection-to-environments.ts

@@ -1,66 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { selectAllTableCols } from "@app/lib/knex";
-
-import { TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-export async function up(knex: Knex) {
-  const existingSuperAdminsWithGithubConnection = await knex(TableName.SuperAdmin)
-    .select(selectAllTableCols(TableName.SuperAdmin))
-    .whereNotNull(`${TableName.SuperAdmin}.encryptedGitHubAppConnectionClientId`);
-
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-
-  const decryptor = kmsService.decryptWithRootKey();
-  const encryptor = kmsService.encryptWithRootKey();
-
-  const tasks = existingSuperAdminsWithGithubConnection.map(async (admin) => {
-    const overrides = (
-      admin.encryptedEnvOverrides ? JSON.parse(decryptor(Buffer.from(admin.encryptedEnvOverrides)).toString()) : {}
-    ) as Record<string, string>;
-
-    if (admin.encryptedGitHubAppConnectionClientId) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID = decryptor(
-        admin.encryptedGitHubAppConnectionClientId
-      ).toString();
-    }
-
-    if (admin.encryptedGitHubAppConnectionClientSecret) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET = decryptor(
-        admin.encryptedGitHubAppConnectionClientSecret
-      ).toString();
-    }
-
-    if (admin.encryptedGitHubAppConnectionPrivateKey) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY = decryptor(
-        admin.encryptedGitHubAppConnectionPrivateKey
-      ).toString();
-    }
-
-    if (admin.encryptedGitHubAppConnectionSlug) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_SLUG = decryptor(admin.encryptedGitHubAppConnectionSlug).toString();
-    }
-
-    if (admin.encryptedGitHubAppConnectionId) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_ID = decryptor(admin.encryptedGitHubAppConnectionId).toString();
-    }
-
-    const encryptedEnvOverrides = encryptor(Buffer.from(JSON.stringify(overrides)));
-
-    await knex(TableName.SuperAdmin).where({ id: admin.id }).update({
-      encryptedEnvOverrides
-    });
-  });
-
-  await Promise.all(tasks);
-}
-
-export async function down() {
-  // No down migration needed as this migration is only for data transformation
-  // and does not change the schema.
-}

backend/src/db/migrations/utils/services.ts

@@ -3,27 +3,12 @@ import { Knex } from "knex";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { hsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
-import { folderCheckpointDALFactory } from "@app/services/folder-checkpoint/folder-checkpoint-dal";
-import { folderCheckpointResourcesDALFactory } from "@app/services/folder-checkpoint-resources/folder-checkpoint-resources-dal";
-import { folderCommitDALFactory } from "@app/services/folder-commit/folder-commit-dal";
-import { folderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
-import { folderCommitChangesDALFactory } from "@app/services/folder-commit-changes/folder-commit-changes-dal";
-import { folderTreeCheckpointDALFactory } from "@app/services/folder-tree-checkpoint/folder-tree-checkpoint-dal";
-import { folderTreeCheckpointResourcesDALFactory } from "@app/services/folder-tree-checkpoint-resources/folder-tree-checkpoint-resources-dal";
-import { identityDALFactory } from "@app/services/identity/identity-dal";
 import { internalKmsDALFactory } from "@app/services/kms/internal-kms-dal";
 import { kmskeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { kmsRootConfigDALFactory } from "@app/services/kms/kms-root-config-dal";
 import { kmsServiceFactory } from "@app/services/kms/kms-service";
 import { orgDALFactory } from "@app/services/org/org-dal";
 import { projectDALFactory } from "@app/services/project/project-dal";
-import { resourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
-import { secretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
-import { secretFolderVersionDALFactory } from "@app/services/secret-folder/secret-folder-version-dal";
-import { secretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
-import { secretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
-import { secretVersionV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
-import { userDALFactory } from "@app/services/user/user-dal";
 
 import { TMigrationEnvConfig } from "./env-config";
 
@@ -65,77 +50,3 @@ export const getMigrationEncryptionServices = async ({ envConfig, db, keyStore }
 
   return { kmsService };
 };
-
-export const getMigrationPITServices = async ({
-  db,
-  keyStore,
-  envConfig
-}: {
-  db: Knex;
-  keyStore: TKeyStoreFactory;
-  envConfig: TMigrationEnvConfig;
-}) => {
-  const projectDAL = projectDALFactory(db);
-  const folderCommitDAL = folderCommitDALFactory(db);
-  const folderCommitChangesDAL = folderCommitChangesDALFactory(db);
-  const folderCheckpointDAL = folderCheckpointDALFactory(db);
-  const folderTreeCheckpointDAL = folderTreeCheckpointDALFactory(db);
-  const userDAL = userDALFactory(db);
-  const identityDAL = identityDALFactory(db);
-  const folderDAL = secretFolderDALFactory(db);
-  const folderVersionDAL = secretFolderVersionDALFactory(db);
-  const secretVersionV2BridgeDAL = secretVersionV2BridgeDALFactory(db);
-  const folderCheckpointResourcesDAL = folderCheckpointResourcesDALFactory(db);
-  const secretV2BridgeDAL = secretV2BridgeDALFactory({ db, keyStore });
-  const folderTreeCheckpointResourcesDAL = folderTreeCheckpointResourcesDALFactory(db);
-  const secretTagDAL = secretTagDALFactory(db);
-
-  const orgDAL = orgDALFactory(db);
-  const kmsRootConfigDAL = kmsRootConfigDALFactory(db);
-  const kmsDAL = kmskeyDALFactory(db);
-  const internalKmsDAL = internalKmsDALFactory(db);
-  const resourceMetadataDAL = resourceMetadataDALFactory(db);
-
-  const hsmModule = initializeHsmModule(envConfig);
-  hsmModule.initialize();
-
-  const hsmService = hsmServiceFactory({
-    hsmModule: hsmModule.getModule(),
-    envConfig
-  });
-
-  const kmsService = kmsServiceFactory({
-    kmsRootConfigDAL,
-    keyStore,
-    kmsDAL,
-    internalKmsDAL,
-    orgDAL,
-    projectDAL,
-    hsmService,
-    envConfig
-  });
-
-  await hsmService.startService();
-  await kmsService.startService();
-
-  const folderCommitService = folderCommitServiceFactory({
-    folderCommitDAL,
-    folderCommitChangesDAL,
-    folderCheckpointDAL,
-    folderTreeCheckpointDAL,
-    userDAL,
-    identityDAL,
-    folderDAL,
-    folderVersionDAL,
-    secretVersionV2BridgeDAL,
-    projectDAL,
-    folderCheckpointResourcesDAL,
-    secretV2BridgeDAL,
-    folderTreeCheckpointResourcesDAL,
-    kmsService,
-    secretTagDAL,
-    resourceMetadataDAL
-  });
-
-  return { folderCommitService };
-};

backend/src/db/schemas/access-approval-policies-approvers.ts

@@ -13,9 +13,7 @@ export const AccessApprovalPoliciesApproversSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   approverUserId: z.string().uuid().nullable().optional(),
-  approverGroupId: z.string().uuid().nullable().optional(),
-  sequence: z.number().default(1).nullable().optional(),
-  approvalsRequired: z.number().nullable().optional()
+  approverGroupId: z.string().uuid().nullable().optional()
 });
 
 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;

backend/src/db/schemas/access-approval-policies-bypassers.ts

@@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalPoliciesBypassersSchema = z.object({
-  id: z.string().uuid(),
-  bypasserGroupId: z.string().uuid().nullable().optional(),
-  bypasserUserId: z.string().uuid().nullable().optional(),
-  policyId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalPoliciesBypassers = z.infer<typeof AccessApprovalPoliciesBypassersSchema>;
-export type TAccessApprovalPoliciesBypassersInsert = Omit<
-  z.input<typeof AccessApprovalPoliciesBypassersSchema>,
-  TImmutableDBKeys
->;
-export type TAccessApprovalPoliciesBypassersUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalPoliciesBypassersSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/access-approval-policies.ts

@@ -11,7 +11,7 @@ export const AccessApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
   approvals: z.number().default(1),
-  secretPath: z.string(),
+  secretPath: z.string().nullable().optional(),
   envId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),

backend/src/db/schemas/access-approval-requests.ts

@@ -18,9 +18,7 @@ export const AccessApprovalRequestsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   requestedByUserId: z.string().uuid(),
-  note: z.string().nullable().optional(),
-  privilegeDeletedAt: z.date().nullable().optional(),
-  status: z.string().default("pending")
+  note: z.string().nullable().optional()
 });
 
 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;

backend/src/db/schemas/certificate-authorities.ts

@@ -11,10 +11,25 @@ export const CertificateAuthoritiesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
+  parentCaId: z.string().uuid().nullable().optional(),
   projectId: z.string(),
+  type: z.string(),
   status: z.string(),
-  enableDirectIssuance: z.boolean().default(true),
-  name: z.string()
+  friendlyName: z.string(),
+  organization: z.string(),
+  ou: z.string(),
+  country: z.string(),
+  province: z.string(),
+  locality: z.string(),
+  commonName: z.string(),
+  dn: z.string(),
+  serialNumber: z.string().nullable().optional(),
+  maxPathLength: z.number().nullable().optional(),
+  keyAlgorithm: z.string(),
+  notBefore: z.date().nullable().optional(),
+  notAfter: z.date().nullable().optional(),
+  activeCaCertId: z.string().uuid().nullable().optional(),
+  requireTemplateForIssuance: z.boolean().default(false)
 });
 
 export type TCertificateAuthorities = z.infer<typeof CertificateAuthoritiesSchema>;

backend/src/db/schemas/certificates.ts

@@ -11,7 +11,7 @@ export const CertificatesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  caId: z.string().uuid().nullable().optional(),
+  caId: z.string().uuid(),
   status: z.string(),
   serialNumber: z.string(),
   friendlyName: z.string(),
@@ -21,11 +21,10 @@ export const CertificatesSchema = z.object({
   revokedAt: z.date().nullable().optional(),
   revocationReason: z.number().nullable().optional(),
   altNames: z.string().nullable().optional(),
-  caCertId: z.string().uuid().nullable().optional(),
+  caCertId: z.string().uuid(),
   certificateTemplateId: z.string().uuid().nullable().optional(),
   keyUsages: z.string().array().nullable().optional(),
   extendedKeyUsages: z.string().array().nullable().optional(),
-  projectId: z.string(),
   pkiSubscriberId: z.string().uuid().nullable().optional()
 });
 

backend/src/db/schemas/dynamic-secret-leases.ts

@@ -16,8 +16,7 @@ export const DynamicSecretLeasesSchema = z.object({
   statusDetails: z.string().nullable().optional(),
   dynamicSecretId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  config: z.unknown().nullable().optional()
+  updatedAt: z.date()
 });
 
 export type TDynamicSecretLeases = z.infer<typeof DynamicSecretLeasesSchema>;

backend/src/db/schemas/dynamic-secrets.ts

@@ -27,9 +27,7 @@ export const DynamicSecretsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   encryptedInput: zodBuffer,
-  projectGatewayId: z.string().uuid().nullable().optional(),
-  gatewayId: z.string().uuid().nullable().optional(),
-  usernameTemplate: z.string().nullable().optional()
+  projectGatewayId: z.string().uuid().nullable().optional()
 });
 
 export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;

backend/src/db/schemas/external-certificate-authorities.ts

@@ -1,29 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ExternalCertificateAuthoritiesSchema = z.object({
-  id: z.string().uuid(),
-  type: z.string(),
-  appConnectionId: z.string().uuid().nullable().optional(),
-  dnsAppConnectionId: z.string().uuid().nullable().optional(),
-  caId: z.string().uuid(),
-  credentials: zodBuffer.nullable().optional(),
-  configuration: z.unknown().nullable().optional()
-});
-
-export type TExternalCertificateAuthorities = z.infer<typeof ExternalCertificateAuthoritiesSchema>;
-export type TExternalCertificateAuthoritiesInsert = Omit<
-  z.input<typeof ExternalCertificateAuthoritiesSchema>,
-  TImmutableDBKeys
->;
-export type TExternalCertificateAuthoritiesUpdate = Partial<
-  Omit<z.input<typeof ExternalCertificateAuthoritiesSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/folder-checkpoint-resources.ts

@@ -1,23 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const FolderCheckpointResourcesSchema = z.object({
-  id: z.string().uuid(),
-  folderCheckpointId: z.string().uuid(),
-  secretVersionId: z.string().uuid().nullable().optional(),
-  folderVersionId: z.string().uuid().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TFolderCheckpointResources = z.infer<typeof FolderCheckpointResourcesSchema>;
-export type TFolderCheckpointResourcesInsert = Omit<z.input<typeof FolderCheckpointResourcesSchema>, TImmutableDBKeys>;
-export type TFolderCheckpointResourcesUpdate = Partial<
-  Omit<z.input<typeof FolderCheckpointResourcesSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/folder-checkpoints.ts

@@ -1,19 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const FolderCheckpointsSchema = z.object({
-  id: z.string().uuid(),
-  folderCommitId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TFolderCheckpoints = z.infer<typeof FolderCheckpointsSchema>;
-export type TFolderCheckpointsInsert = Omit<z.input<typeof FolderCheckpointsSchema>, TImmutableDBKeys>;
-export type TFolderCheckpointsUpdate = Partial<Omit<z.input<typeof FolderCheckpointsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/folder-commit-changes.ts

@@ -1,23 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const FolderCommitChangesSchema = z.object({
-  id: z.string().uuid(),
-  folderCommitId: z.string().uuid(),
-  changeType: z.string(),
-  isUpdate: z.boolean().default(false),
-  secretVersionId: z.string().uuid().nullable().optional(),
-  folderVersionId: z.string().uuid().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TFolderCommitChanges = z.infer<typeof FolderCommitChangesSchema>;
-export type TFolderCommitChangesInsert = Omit<z.input<typeof FolderCommitChangesSchema>, TImmutableDBKeys>;
-export type TFolderCommitChangesUpdate = Partial<Omit<z.input<typeof FolderCommitChangesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/folder-commits.ts

@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const FolderCommitsSchema = z.object({
-  id: z.string().uuid(),
-  commitId: z.coerce.bigint(),
-  actorMetadata: z.unknown(),
-  actorType: z.string(),
-  message: z.string().nullable().optional(),
-  folderId: z.string().uuid(),
-  envId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TFolderCommits = z.infer<typeof FolderCommitsSchema>;
-export type TFolderCommitsInsert = Omit<z.input<typeof FolderCommitsSchema>, TImmutableDBKeys>;
-export type TFolderCommitsUpdate = Partial<Omit<z.input<typeof FolderCommitsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/folder-tree-checkpoint-resources.ts

@@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const FolderTreeCheckpointResourcesSchema = z.object({
-  id: z.string().uuid(),
-  folderTreeCheckpointId: z.string().uuid(),
-  folderId: z.string().uuid(),
-  folderCommitId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TFolderTreeCheckpointResources = z.infer<typeof FolderTreeCheckpointResourcesSchema>;
-export type TFolderTreeCheckpointResourcesInsert = Omit<
-  z.input<typeof FolderTreeCheckpointResourcesSchema>,
-  TImmutableDBKeys
->;
-export type TFolderTreeCheckpointResourcesUpdate = Partial<
-  Omit<z.input<typeof FolderTreeCheckpointResourcesSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/folder-tree-checkpoints.ts

@@ -1,19 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const FolderTreeCheckpointsSchema = z.object({
-  id: z.string().uuid(),
-  folderCommitId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TFolderTreeCheckpoints = z.infer<typeof FolderTreeCheckpointsSchema>;
-export type TFolderTreeCheckpointsInsert = Omit<z.input<typeof FolderTreeCheckpointsSchema>, TImmutableDBKeys>;
-export type TFolderTreeCheckpointsUpdate = Partial<Omit<z.input<typeof FolderTreeCheckpointsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identities.ts

@@ -12,8 +12,7 @@ export const IdentitiesSchema = z.object({
   name: z.string(),
   authMethod: z.string().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  hasDeleteProtection: z.boolean().default(false)
+  updatedAt: z.date()
 });
 
 export type TIdentities = z.infer<typeof IdentitiesSchema>;

backend/src/db/schemas/identity-access-tokens.ts

@@ -21,8 +21,7 @@ export const IdentityAccessTokensSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   name: z.string().nullable().optional(),
-  authMethod: z.string(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  authMethod: z.string()
 });
 
 export type TIdentityAccessTokens = z.infer<typeof IdentityAccessTokensSchema>;

backend/src/db/schemas/identity-alicloud-auths.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityAlicloudAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  type: z.string(),
-  allowedArns: z.string()
-});
-
-export type TIdentityAlicloudAuths = z.infer<typeof IdentityAlicloudAuthsSchema>;
-export type TIdentityAlicloudAuthsInsert = Omit<z.input<typeof IdentityAlicloudAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityAlicloudAuthsUpdate = Partial<Omit<z.input<typeof IdentityAlicloudAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-aws-auths.ts

@@ -19,8 +19,7 @@ export const IdentityAwsAuthsSchema = z.object({
   type: z.string(),
   stsEndpoint: z.string(),
   allowedPrincipalArns: z.string(),
-  allowedAccountIds: z.string(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  allowedAccountIds: z.string()
 });
 
 export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;

backend/src/db/schemas/identity-azure-auths.ts

@@ -18,8 +18,7 @@ export const IdentityAzureAuthsSchema = z.object({
   identityId: z.string().uuid(),
   tenantId: z.string(),
   resource: z.string(),
-  allowedServicePrincipalIds: z.string(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  allowedServicePrincipalIds: z.string()
 });
 
 export type TIdentityAzureAuths = z.infer<typeof IdentityAzureAuthsSchema>;

backend/src/db/schemas/identity-gcp-auths.ts

@@ -19,8 +19,7 @@ export const IdentityGcpAuthsSchema = z.object({
   type: z.string(),
   allowedServiceAccounts: z.string().nullable().optional(),
   allowedProjects: z.string().nullable().optional(),
-  allowedZones: z.string().nullable().optional(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  allowedZones: z.string().nullable().optional()
 });
 
 export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;

backend/src/db/schemas/identity-jwt-auths.ts

@@ -25,8 +25,7 @@ export const IdentityJwtAuthsSchema = z.object({
   boundClaims: z.unknown(),
   boundSubject: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  updatedAt: z.date()
 });
 
 export type TIdentityJwtAuths = z.infer<typeof IdentityJwtAuthsSchema>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -18,7 +18,7 @@ export const IdentityKubernetesAuthsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   identityId: z.string().uuid(),
-  kubernetesHost: z.string().nullable().optional(),
+  kubernetesHost: z.string(),
   encryptedCaCert: z.string().nullable().optional(),
   caCertIV: z.string().nullable().optional(),
   caCertTag: z.string().nullable().optional(),
@@ -29,10 +29,7 @@ export const IdentityKubernetesAuthsSchema = z.object({
   allowedNames: z.string(),
   allowedAudience: z.string(),
   encryptedKubernetesTokenReviewerJwt: zodBuffer.nullable().optional(),
-  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional(),
-  gatewayId: z.string().uuid().nullable().optional(),
-  accessTokenPeriod: z.coerce.number().default(0),
-  tokenReviewMode: z.string().default("api")
+  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional()
 });
 
 export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;

backend/src/db/schemas/identity-ldap-auths.ts

@@ -24,8 +24,7 @@ export const IdentityLdapAuthsSchema = z.object({
   searchFilter: z.string(),
   allowedFields: z.unknown().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  updatedAt: z.date()
 });
 
 export type TIdentityLdapAuths = z.infer<typeof IdentityLdapAuthsSchema>;

backend/src/db/schemas/identity-oci-auths.ts

@@ -18,8 +18,7 @@ export const IdentityOciAuthsSchema = z.object({
   identityId: z.string().uuid(),
   type: z.string(),
   tenancyOcid: z.string(),
-  allowedUsernames: z.string().nullable().optional(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  allowedUsernames: z.string().nullable().optional()
 });
 
 export type TIdentityOciAuths = z.infer<typeof IdentityOciAuthsSchema>;

backend/src/db/schemas/identity-oidc-auths.ts

@@ -27,8 +27,7 @@ export const IdentityOidcAuthsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   encryptedCaCertificate: zodBuffer.nullable().optional(),
-  claimMetadataMapping: z.unknown().nullable().optional(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  claimMetadataMapping: z.unknown().nullable().optional()
 });
 
 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;

backend/src/db/schemas/identity-tls-cert-auths.ts

@@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityTlsCertAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  allowedCommonNames: z.string().nullable().optional(),
-  encryptedCaCertificate: zodBuffer
-});
-
-export type TIdentityTlsCertAuths = z.infer<typeof IdentityTlsCertAuthsSchema>;
-export type TIdentityTlsCertAuthsInsert = Omit<z.input<typeof IdentityTlsCertAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityTlsCertAuthsUpdate = Partial<Omit<z.input<typeof IdentityTlsCertAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-token-auths.ts

@@ -15,8 +15,7 @@ export const IdentityTokenAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  identityId: z.string().uuid()
 });
 
 export type TIdentityTokenAuths = z.infer<typeof IdentityTokenAuthsSchema>;

backend/src/db/schemas/identity-universal-auths.ts

@@ -17,8 +17,7 @@ export const IdentityUniversalAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  identityId: z.string().uuid()
 });
 
 export type TIdentityUniversalAuths = z.infer<typeof IdentityUniversalAuthsSchema>;

backend/src/db/schemas/index.ts

@@ -1,6 +1,5 @@
 export * from "./access-approval-policies";
 export * from "./access-approval-policies-approvers";
-export * from "./access-approval-policies-bypassers";
 export * from "./access-approval-requests";
 export * from "./access-approval-requests-reviewers";
 export * from "./api-keys";
@@ -21,15 +20,8 @@ export * from "./certificate-templates";
 export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
-export * from "./external-certificate-authorities";
 export * from "./external-group-org-role-mappings";
 export * from "./external-kms";
-export * from "./folder-checkpoint-resources";
-export * from "./folder-checkpoints";
-export * from "./folder-commit-changes";
-export * from "./folder-commits";
-export * from "./folder-tree-checkpoint-resources";
-export * from "./folder-tree-checkpoints";
 export * from "./gateways";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
@@ -39,7 +31,6 @@ export * from "./group-project-memberships";
 export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
-export * from "./identity-alicloud-auths";
 export * from "./identity-aws-auths";
 export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
@@ -52,14 +43,12 @@ export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";
-export * from "./identity-tls-cert-auths";
 export * from "./identity-token-auths";
 export * from "./identity-ua-client-secrets";
 export * from "./identity-universal-auths";
 export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
-export * from "./internal-certificate-authorities";
 export * from "./internal-kms";
 export * from "./kmip-client-certificates";
 export * from "./kmip-clients";
@@ -101,7 +90,6 @@ export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";
 export * from "./secret-approval-policies-approvers";
-export * from "./secret-approval-policies-bypassers";
 export * from "./secret-approval-request-secret-tags";
 export * from "./secret-approval-request-secret-tags-v2";
 export * from "./secret-approval-requests";
@@ -119,12 +107,7 @@ export * from "./secret-rotation-outputs";
 export * from "./secret-rotation-v2-secret-mappings";
 export * from "./secret-rotations";
 export * from "./secret-rotations-v2";
-export * from "./secret-scanning-configs";
-export * from "./secret-scanning-data-sources";
-export * from "./secret-scanning-findings";
 export * from "./secret-scanning-git-risks";
-export * from "./secret-scanning-resources";
-export * from "./secret-scanning-scans";
 export * from "./secret-sharing";
 export * from "./secret-snapshot-folders";
 export * from "./secret-snapshot-secrets";

backend/src/db/schemas/internal-certificate-authorities.ts

@@ -1,38 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const InternalCertificateAuthoritiesSchema = z.object({
-  id: z.string().uuid(),
-  parentCaId: z.string().uuid().nullable().optional(),
-  type: z.string(),
-  friendlyName: z.string(),
-  organization: z.string(),
-  ou: z.string(),
-  country: z.string(),
-  province: z.string(),
-  locality: z.string(),
-  commonName: z.string(),
-  dn: z.string(),
-  serialNumber: z.string().nullable().optional(),
-  maxPathLength: z.number().nullable().optional(),
-  keyAlgorithm: z.string(),
-  notBefore: z.date().nullable().optional(),
-  notAfter: z.date().nullable().optional(),
-  activeCaCertId: z.string().uuid().nullable().optional(),
-  caId: z.string().uuid()
-});
-
-export type TInternalCertificateAuthorities = z.infer<typeof InternalCertificateAuthoritiesSchema>;
-export type TInternalCertificateAuthoritiesInsert = Omit<
-  z.input<typeof InternalCertificateAuthoritiesSchema>,
-  TImmutableDBKeys
->;
-export type TInternalCertificateAuthoritiesUpdate = Partial<
-  Omit<z.input<typeof InternalCertificateAuthoritiesSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/models.ts

@@ -13,8 +13,6 @@ export enum TableName {
   SshCertificate = "ssh_certificates",
   SshCertificateBody = "ssh_certificate_bodies",
   CertificateAuthority = "certificate_authorities",
-  ExternalCertificateAuthority = "external_certificate_authorities",
-  InternalCertificateAuthority = "internal_certificate_authorities",
   CertificateTemplateEstConfig = "certificate_template_est_configs",
   CertificateAuthorityCert = "certificate_authority_certs",
   CertificateAuthoritySecret = "certificate_authority_secret",
@@ -80,13 +78,11 @@ export enum TableName {
   IdentityGcpAuth = "identity_gcp_auths",
   IdentityAzureAuth = "identity_azure_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
-  IdentityAliCloudAuth = "identity_alicloud_auths",
   IdentityAwsAuth = "identity_aws_auths",
   IdentityOciAuth = "identity_oci_auths",
   IdentityOidcAuth = "identity_oidc_auths",
   IdentityJwtAuth = "identity_jwt_auths",
   IdentityLdapAuth = "identity_ldap_auths",
-  IdentityTlsCertAuth = "identity_tls_cert_auths",
   IdentityOrgMembership = "identity_org_memberships",
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
@@ -97,12 +93,10 @@ export enum TableName {
   ScimToken = "scim_tokens",
   AccessApprovalPolicy = "access_approval_policies",
   AccessApprovalPolicyApprover = "access_approval_policies_approvers",
-  AccessApprovalPolicyBypasser = "access_approval_policies_bypassers",
   AccessApprovalRequest = "access_approval_requests",
   AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
-  SecretApprovalPolicyBypasser = "secret_approval_policies_bypassers",
   SecretApprovalRequest = "secret_approval_requests",
   SecretApprovalRequestReviewer = "secret_approval_requests_reviewers",
   SecretApprovalRequestSecret = "secret_approval_requests_secrets",
@@ -161,21 +155,10 @@ export enum TableName {
   MicrosoftTeamsIntegrations = "microsoft_teams_integrations",
   ProjectMicrosoftTeamsConfigs = "project_microsoft_teams_configs",
   SecretReminderRecipients = "secret_reminder_recipients",
-  GithubOrgSyncConfig = "github_org_sync_configs",
-  FolderCommit = "folder_commits",
-  FolderCommitChanges = "folder_commit_changes",
-  FolderCheckpoint = "folder_checkpoints",
-  FolderCheckpointResources = "folder_checkpoint_resources",
-  FolderTreeCheckpoint = "folder_tree_checkpoints",
-  FolderTreeCheckpointResources = "folder_tree_checkpoint_resources",
-  SecretScanningDataSource = "secret_scanning_data_sources",
-  SecretScanningResource = "secret_scanning_resources",
-  SecretScanningScan = "secret_scanning_scans",
-  SecretScanningFinding = "secret_scanning_findings",
-  SecretScanningConfig = "secret_scanning_configs"
+  GithubOrgSyncConfig = "github_org_sync_configs"
 }
 
-export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt" | "commitId";
+export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
 
 export const UserDeviceSchema = z
   .object({
@@ -249,10 +232,8 @@ export enum IdentityAuthMethod {
   UNIVERSAL_AUTH = "universal-auth",
   KUBERNETES_AUTH = "kubernetes-auth",
   GCP_AUTH = "gcp-auth",
-  ALICLOUD_AUTH = "alicloud-auth",
   AWS_AUTH = "aws-auth",
   AZURE_AUTH = "azure-auth",
-  TLS_CERT_AUTH = "tls-cert-auth",
   OCI_AUTH = "oci-auth",
   OIDC_AUTH = "oidc-auth",
   JWT_AUTH = "jwt-auth",
@@ -263,8 +244,16 @@ export enum ProjectType {
   SecretManager = "secret-manager",
   CertificateManager = "cert-manager",
   KMS = "kms",
-  SSH = "ssh",
-  SecretScanning = "secret-scanning"
+  SSH = "ssh"
+}
+
+export enum ActionProjectType {
+  SecretManager = ProjectType.SecretManager,
+  CertificateManager = ProjectType.CertificateManager,
+  KMS = ProjectType.KMS,
+  SSH = ProjectType.SSH,
+  // project operations that happen on all types
+  Any = "any"
 }
 
 export enum SortDirection {

backend/src/db/schemas/org-memberships.ts

@@ -18,8 +18,7 @@ export const OrgMembershipsSchema = z.object({
   orgId: z.string().uuid(),
   roleId: z.string().uuid().nullable().optional(),
   projectFavorites: z.string().array().nullable().optional(),
-  isActive: z.boolean().default(true),
-  lastInvitedAt: z.date().nullable().optional()
+  isActive: z.boolean().default(true)
 });
 
 export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;

backend/src/db/schemas/organizations.ts

@@ -28,15 +28,7 @@ export const OrganizationsSchema = z.object({
   privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
   privilegeUpgradeInitiatedAt: z.date().nullable().optional(),
   bypassOrgAuthEnabled: z.boolean().default(false),
-  userTokenExpiration: z.string().nullable().optional(),
-  secretsProductEnabled: z.boolean().default(true).nullable().optional(),
-  pkiProductEnabled: z.boolean().default(true).nullable().optional(),
-  kmsProductEnabled: z.boolean().default(true).nullable().optional(),
-  sshProductEnabled: z.boolean().default(true).nullable().optional(),
-  scannerProductEnabled: z.boolean().default(true).nullable().optional(),
-  shareSecretsProductEnabled: z.boolean().default(true).nullable().optional(),
-  maxSharedSecretLifetime: z.number().default(2592000).nullable().optional(),
-  maxSharedSecretViewLimit: z.number().nullable().optional()
+  userTokenExpiration: z.string().nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/pki-subscribers.ts

@@ -16,16 +16,10 @@ export const PkiSubscribersSchema = z.object({
   name: z.string(),
   commonName: z.string(),
   subjectAlternativeNames: z.string().array(),
-  ttl: z.string().nullable().optional(),
+  ttl: z.string(),
   keyUsages: z.string().array(),
   extendedKeyUsages: z.string().array(),
-  status: z.string(),
-  enableAutoRenewal: z.boolean().default(false),
-  autoRenewalPeriodInDays: z.number().nullable().optional(),
-  lastAutoRenewAt: z.date().nullable().optional(),
-  lastOperationStatus: z.string().nullable().optional(),
-  lastOperationMessage: z.string().nullable().optional(),
-  lastOperationAt: z.date().nullable().optional()
+  status: z.string()
 });
 
 export type TPkiSubscribers = z.infer<typeof PkiSubscribersSchema>;