Merge pull request #4245 from Infisical/daniel/fips-improvements

fix(fips): increased image size and migrations
Update Dockerfile.fips.standalone-infisical
2025-07-29 22:37:44 +00:00 · 2025-07-25 23:40:27 +04:00 · 2025-07-25 23:13:26 +04:00 · 2025-07-25 23:09:23 +04:00 · 2025-07-25 15:01:04 -04:00 · 2025-07-25 15:20:23 -03:00
655 changed files with 15173 additions and 7264 deletions
--- a/Dockerfile.fips.standalone-infisical
+++ b/Dockerfile.fips.standalone-infisical
@@ -145,7 +145,11 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
    && cd openssl-3.1.2 \
    && ./Configure enable-fips \
    && make \
-    && make install_fips
+    && make install_fips \
+    && cd / \
+    && rm -rf /openssl-build \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
@@ -186,12 +190,11 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-ENV NODE_OPTIONS="--max-old-space-size=1024"
+ENV NODE_OPTIONS="--max-old-space-size=8192 --force-fips"

 # FIPS mode of operation:
 ENV OPENSSL_CONF=/backend/nodejs.fips.cnf
 ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
-ENV NODE_OPTIONS=--force-fips
 ENV FIPS_ENABLED=true
  

--- a/backend/Dockerfile.dev.fips
+++ b/backend/Dockerfile.dev.fips
@@ -59,7 +59,11 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
    && cd openssl-3.1.2 \
    && ./Configure enable-fips \
    && make \
-    && make install_fips
+    && make install_fips \
+    && cd / \
+    && rm -rf /openssl-build \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

 # ? App setup

--- a/backend/e2e-test/mocks/queue.ts
+++ b/backend/e2e-test/mocks/queue.ts
@@ -24,6 +24,7 @@ export const mockQueue = (): TQueueServiceFactory => {
      events[name] = event;
    },
    getRepeatableJobs: async () => [],
+    getDelayedJobs: async () => [],
    clearQueue: async () => {},
    stopJobById: async () => {},
    stopJobByIdPg: async () => {},
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -93,6 +93,7 @@ import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env
 import { TProjectKeyServiceFactory } from "@app/services/project-key/project-key-service";
 import { TProjectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
 import { TProjectRoleServiceFactory } from "@app/services/project-role/project-role-service";
+import { TReminderServiceFactory } from "@app/services/reminder/reminder-types";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretBlindIndexServiceFactory } from "@app/services/secret-blind-index/secret-blind-index-service";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
@@ -125,6 +126,15 @@ declare module "@fastify/request-context" {
        namespace: string;
        name: string;
      };
+      aws?: {
+        accountId: string;
+        arn: string;
+        userId: string;
+        partition: string;
+        service: string;
+        resourceType: string;
+        resourceName: string;
+      };
    };
    identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
    assumedPrivilegeDetails?: { requesterId: string; actorId: string; actorType: ActorType; projectId: string };
@@ -285,6 +295,7 @@ declare module "fastify" {
      secretScanningV2: TSecretScanningV2ServiceFactory;
      internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
      pkiTemplate: TPkiTemplatesServiceFactory;
+      reminder: TReminderServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@@ -504,6 +504,12 @@ import {
  TProjectMicrosoftTeamsConfigsInsert,
  TProjectMicrosoftTeamsConfigsUpdate
 } from "@app/db/schemas/project-microsoft-teams-configs";
+import { TReminders, TRemindersInsert, TRemindersUpdate } from "@app/db/schemas/reminders";
+import {
+  TRemindersRecipients,
+  TRemindersRecipientsInsert,
+  TRemindersRecipientsUpdate
+} from "@app/db/schemas/reminders-recipients";
 import {
  TSecretReminderRecipients,
  TSecretReminderRecipientsInsert,
@@ -1211,5 +1217,11 @@ declare module "knex/types/tables" {
      TSecretScanningConfigsInsert,
      TSecretScanningConfigsUpdate
    >;
+    [TableName.Reminder]: KnexOriginal.CompositeTableType<TReminders, TRemindersInsert, TRemindersUpdate>;
+    [TableName.ReminderRecipient]: KnexOriginal.CompositeTableType<
+      TRemindersRecipients,
+      TRemindersRecipientsInsert,
+      TRemindersRecipientsUpdate
+    >;
  }
 }
--- a/backend/src/db/migrations/20250701202824_add-reminder-table.ts
+++ b/backend/src/db/migrations/20250701202824_add-reminder-table.ts
@@ -0,0 +1,43 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.Reminder))) {
+    await knex.schema.createTable(TableName.Reminder, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("secretId").nullable();
+      t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
+      t.string("message", 1024).nullable();
+      t.integer("repeatDays").checkPositive().nullable();
+      t.timestamp("nextReminderDate").notNullable();
+      t.timestamps(true, true, true);
+      t.unique("secretId");
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.ReminderRecipient))) {
+    await knex.schema.createTable(TableName.ReminderRecipient, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("reminderId").notNullable();
+      t.foreign("reminderId").references("id").inTable(TableName.Reminder).onDelete("CASCADE");
+      t.uuid("userId").notNullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+      t.index("reminderId");
+      t.index("userId");
+      t.unique(["reminderId", "userId"]);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.Reminder);
+  await createOnUpdateTrigger(knex, TableName.ReminderRecipient);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.Reminder);
+  await dropOnUpdateTrigger(knex, TableName.ReminderRecipient);
+  await knex.schema.dropTableIfExists(TableName.ReminderRecipient);
+  await knex.schema.dropTableIfExists(TableName.Reminder);
+}
--- a/backend/src/db/migrations/20250718133527_project-unify-revert.ts
+++ b/backend/src/db/migrations/20250718133527_project-unify-revert.ts
@@ -0,0 +1,432 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+import { v4 as uuidV4 } from "uuid";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { ProjectType, TableName } from "../schemas";
+
+/* eslint-disable no-await-in-loop,@typescript-eslint/ban-ts-comment */
+
+// Single query to get all projects that need any kind of kickout
+const getProjectsNeedingKickouts = async (
+  knex: Knex
+): Promise<
+  Array<{
+    id: string;
+    defaultProduct: string;
+    needsSecretManager: boolean;
+    needsCertManager: boolean;
+    needsSecretScanning: boolean;
+    needsKms: boolean;
+    needsSsh: boolean;
+  }>
+> => {
+  const result = await knex.raw(
+    `
+SELECT DISTINCT
+  p.id,
+  p."defaultProduct",
+  
+  -- Use CASE with direct joins instead of EXISTS subqueries
+  CASE WHEN p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL THEN true ELSE false END AS "needsSecretManager",
+  CASE WHEN p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL THEN true ELSE false END AS "needsCertManager", 
+  CASE WHEN p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL THEN true ELSE false END AS "needsSecretScanning",
+  CASE WHEN p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL THEN true ELSE false END AS "needsKms",
+  CASE WHEN p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL THEN true ELSE false END AS "needsSsh"
+
+FROM projects p
+LEFT JOIN (
+  SELECT DISTINCT e."projectId", 1 as secret_exists
+  FROM secrets_v2 s
+  JOIN secret_folders sf ON sf.id = s."folderId"
+  JOIN project_environments e ON e.id = sf."envId"
+) s ON s."projectId" = p.id AND p."defaultProduct" != 'secret-manager'
+
+LEFT JOIN (
+  SELECT DISTINCT "projectId", 1 as ca_exists
+  FROM certificate_authorities
+) ca ON ca."projectId" = p.id AND p."defaultProduct" != 'cert-manager'
+
+LEFT JOIN (
+  SELECT DISTINCT "projectId", 1 as ssds_exists
+  FROM secret_scanning_data_sources
+) ssds ON ssds."projectId" = p.id AND p."defaultProduct" != 'secret-scanning'
+
+LEFT JOIN (
+  SELECT DISTINCT "projectId", 1 as kms_exists
+  FROM kms_keys
+  WHERE "isReserved" = false
+) kk ON kk."projectId" = p.id AND p."defaultProduct" != 'kms'
+
+LEFT JOIN (
+  SELECT DISTINCT sca."projectId", 1 as ssh_exists
+  FROM ssh_certificates sc
+  JOIN ssh_certificate_authorities sca ON sca.id = sc."sshCaId"
+) sc ON sc."projectId" = p.id AND p."defaultProduct" != 'ssh'
+
+WHERE p."defaultProduct" IS NOT NULL
+  AND (
+    (p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL)
+  )
+    `
+  );
+
+  return result.rows;
+};
+
+const newProject = async (knex: Knex, projectId: string, projectType: ProjectType) => {
+  const newProjectId = uuidV4();
+  const project = await knex(TableName.Project).where("id", projectId).first();
+  await knex(TableName.Project).insert({
+    ...project,
+    type: projectType,
+    defaultProduct: null,
+    // @ts-ignore id is required
+    id: newProjectId,
+    slug: slugify(`${project?.name}-${alphaNumericNanoId(8)}`)
+  });
+
+  const customRoleMapping: Record<string, string> = {};
+  const projectCustomRoles = await knex(TableName.ProjectRoles).where("projectId", projectId);
+  if (projectCustomRoles.length) {
+    await knex.batchInsert(
+      TableName.ProjectRoles,
+      projectCustomRoles.map((el) => {
+        const id = uuidV4();
+        customRoleMapping[el.id] = id;
+        return {
+          ...el,
+          id,
+          projectId: newProjectId,
+          permissions: el.permissions ? JSON.stringify(el.permissions) : el.permissions
+        };
+      })
+    );
+  }
+  const groupMembershipMapping: Record<string, string> = {};
+  const groupMemberships = await knex(TableName.GroupProjectMembership).where("projectId", projectId);
+  if (groupMemberships.length) {
+    await knex.batchInsert(
+      TableName.GroupProjectMembership,
+      groupMemberships.map((el) => {
+        const id = uuidV4();
+        groupMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const groupMembershipRoles = await knex(TableName.GroupProjectMembershipRole).whereIn(
+    "projectMembershipId",
+    groupMemberships.map((el) => el.id)
+  );
+  if (groupMembershipRoles.length) {
+    await knex.batchInsert(
+      TableName.GroupProjectMembershipRole,
+      groupMembershipRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = groupMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const identityProjectMembershipMapping: Record<string, string> = {};
+  const identities = await knex(TableName.IdentityProjectMembership).where("projectId", projectId);
+  if (identities.length) {
+    await knex.batchInsert(
+      TableName.IdentityProjectMembership,
+      identities.map((el) => {
+        const id = uuidV4();
+        identityProjectMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const identitiesRoles = await knex(TableName.IdentityProjectMembershipRole).whereIn(
+    "projectMembershipId",
+    identities.map((el) => el.id)
+  );
+  if (identitiesRoles.length) {
+    await knex.batchInsert(
+      TableName.IdentityProjectMembershipRole,
+      identitiesRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = identityProjectMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const projectMembershipMapping: Record<string, string> = {};
+  const projectUserMembers = await knex(TableName.ProjectMembership).where("projectId", projectId);
+  if (projectUserMembers.length) {
+    await knex.batchInsert(
+      TableName.ProjectMembership,
+      projectUserMembers.map((el) => {
+        const id = uuidV4();
+        projectMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+  const membershipRoles = await knex(TableName.ProjectUserMembershipRole).whereIn(
+    "projectMembershipId",
+    projectUserMembers.map((el) => el.id)
+  );
+  if (membershipRoles.length) {
+    await knex.batchInsert(
+      TableName.ProjectUserMembershipRole,
+      membershipRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = projectMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const kmsKeys = await knex(TableName.KmsKey).where("projectId", projectId).andWhere("isReserved", true);
+  if (kmsKeys.length) {
+    await knex.batchInsert(
+      TableName.KmsKey,
+      kmsKeys.map((el) => {
+        const id = uuidV4();
+        const slug = slugify(alphaNumericNanoId(8).toLowerCase());
+        return { ...el, id, slug, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectBot = await knex(TableName.ProjectBot).where("projectId", projectId).first();
+  if (projectBot) {
+    const newProjectBot = { ...projectBot, id: uuidV4(), projectId: newProjectId };
+    await knex(TableName.ProjectBot).insert(newProjectBot);
+  }
+
+  const projectKeys = await knex(TableName.ProjectKeys).where("projectId", projectId);
+  if (projectKeys.length) {
+    await knex.batchInsert(
+      TableName.ProjectKeys,
+      projectKeys.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectGateways = await knex(TableName.ProjectGateway).where("projectId", projectId);
+  if (projectGateways.length) {
+    await knex.batchInsert(
+      TableName.ProjectGateway,
+      projectGateways.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectSlackConfigs = await knex(TableName.ProjectSlackConfigs).where("projectId", projectId);
+  if (projectSlackConfigs.length) {
+    await knex.batchInsert(
+      TableName.ProjectSlackConfigs,
+      projectSlackConfigs.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectMicrosoftTeamsConfigs = await knex(TableName.ProjectMicrosoftTeamsConfigs).where("projectId", projectId);
+  if (projectMicrosoftTeamsConfigs.length) {
+    await knex.batchInsert(
+      TableName.ProjectMicrosoftTeamsConfigs,
+      projectMicrosoftTeamsConfigs.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const trustedIps = await knex(TableName.TrustedIps).where("projectId", projectId);
+  if (trustedIps.length) {
+    await knex.batchInsert(
+      TableName.TrustedIps,
+      trustedIps.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  return newProjectId;
+};
+
+const kickOutSecretManagerProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretManager);
+  await knex(TableName.IntegrationAuth).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.Environment).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretBlindIndex).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretSync).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretTag).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretReminderRecipients).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.ServiceToken).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutCertManagerProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.CertificateManager);
+  await knex(TableName.CertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.Certificate).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.PkiSubscriber).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.PkiCollection).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.PkiAlert).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutSecretScanningProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretScanning);
+  await knex(TableName.SecretScanningConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretScanningDataSource).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretScanningFinding).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutKmsProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.KMS);
+  await knex(TableName.KmsKey)
+    .where("projectId", oldProjectId)
+    .andWhere("isReserved", false)
+    .update("projectId", newProjectId);
+  await knex(TableName.KmipClient).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutSshProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SSH);
+  await knex(TableName.SshHost).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.ProjectSshConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SshCertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SshHostGroup).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const BATCH_SIZE = 1000;
+const MIGRATION_TIMEOUT = 30 * 60 * 1000; // 30 minutes
+
+export async function up(knex: Knex): Promise<void> {
+  const result = await knex.raw("SHOW statement_timeout");
+  const originalTimeout = result.rows[0].statement_timeout;
+
+  try {
+    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
+
+    const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
+    if (hasTemplateTypeColumn) {
+      await knex(TableName.ProjectTemplates).whereNull("type").update({
+        type: ProjectType.SecretManager
+      });
+      await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+        t.string("type").notNullable().defaultTo(ProjectType.SecretManager).alter();
+      });
+    }
+
+    const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
+    const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
+    if (hasTypeColumn && hasDefaultTypeColumn) {
+      await knex(TableName.Project).update({
+        // eslint-disable-next-line
+        // @ts-ignore this is because this field is created later
+        type: knex.raw(`"defaultProduct"`)
+      });
+
+      await knex.schema.alterTable(TableName.Project, (t) => {
+        t.string("type").notNullable().alter();
+        t.string("defaultProduct").nullable().alter();
+      });
+
+      // Get all projects that need kickouts in a single query
+      const projectsNeedingKickouts = await getProjectsNeedingKickouts(knex);
+
+      // Process projects in batches to avoid overwhelming the database
+      for (let i = 0; i < projectsNeedingKickouts.length; i += projectsNeedingKickouts.length) {
+        const batch = projectsNeedingKickouts.slice(i, i + BATCH_SIZE);
+        const processedIds: string[] = [];
+
+        for (const project of batch) {
+          const kickoutPromises: Promise<void>[] = [];
+
+          // Only add kickouts that are actually needed (flags are pre-computed)
+          if (project.needsSecretManager) {
+            kickoutPromises.push(kickOutSecretManagerProject(knex, project.id));
+          }
+          if (project.needsCertManager) {
+            kickoutPromises.push(kickOutCertManagerProject(knex, project.id));
+          }
+          if (project.needsKms) {
+            kickoutPromises.push(kickOutKmsProject(knex, project.id));
+          }
+          if (project.needsSsh) {
+            kickoutPromises.push(kickOutSshProject(knex, project.id));
+          }
+          if (project.needsSecretScanning) {
+            kickoutPromises.push(kickOutSecretScanningProject(knex, project.id));
+          }
+
+          // Execute all kickouts in parallel and handle any failures gracefully
+          if (kickoutPromises.length > 0) {
+            const results = await Promise.allSettled(kickoutPromises);
+
+            // Log any failures for debugging
+            results.forEach((res) => {
+              if (res.status === "rejected") {
+                throw new Error(`Migration failed for project ${project.id}: ${res.reason}`);
+              }
+            });
+          }
+
+          processedIds.push(project.id);
+        }
+
+        // Clear defaultProduct for the processed batch
+        if (processedIds.length > 0) {
+          await knex(TableName.Project).whereIn("id", processedIds).update("defaultProduct", null);
+        }
+      }
+    }
+  } finally {
+    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
+  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
+  if (hasTypeColumn && hasDefaultTypeColumn) {
+    await knex(TableName.Project).update({
+      // eslint-disable-next-line
+      // @ts-ignore this is because this field is created later
+      defaultProduct: knex.raw(`
+    CASE 
+      WHEN "type" IS NULL OR "type" = '' THEN 'secret-manager' 
+      ELSE "type" 
+    END
+  `)
+    });
+
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.string("type").nullable().alter();
+      t.string("defaultProduct").notNullable().alter();
+    });
+  }
+
+  const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
+  if (hasTemplateTypeColumn) {
+    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+      t.string("type").nullable().alter();
+    });
+  }
+}
--- a/backend/src/db/migrations/20250725144940_fix-secret-reminders-migration.ts
+++ b/backend/src/db/migrations/20250725144940_fix-secret-reminders-migration.ts
@@ -0,0 +1,111 @@
+/* eslint-disable no-await-in-loop */
+import { Knex } from "knex";
+
+import { chunkArray } from "@app/lib/fn";
+import { logger } from "@app/lib/logger";
+
+import { TableName } from "../schemas";
+import { TReminders, TRemindersInsert } from "../schemas/reminders";
+
+export async function up(knex: Knex): Promise<void> {
+  logger.info("Initializing secret reminders migration");
+  const hasReminderTable = await knex.schema.hasTable(TableName.Reminder);
+
+  if (hasReminderTable) {
+    const secretsWithLatestVersions = await knex(TableName.SecretV2)
+      .whereNotNull(`${TableName.SecretV2}.reminderRepeatDays`)
+      .whereRaw(`"${TableName.SecretV2}"."reminderRepeatDays" > 0`)
+      .innerJoin(TableName.SecretVersionV2, (qb) => {
+        void qb
+          .on(`${TableName.SecretVersionV2}.secretId`, "=", `${TableName.SecretV2}.id`)
+          .andOn(`${TableName.SecretVersionV2}.reminderRepeatDays`, "=", `${TableName.SecretV2}.reminderRepeatDays`);
+      })
+      .whereIn([`${TableName.SecretVersionV2}.secretId`, `${TableName.SecretVersionV2}.version`], (qb) => {
+        void qb
+          .select(["v2.secretId", knex.raw("MIN(v2.version) as version")])
+          .from(`${TableName.SecretVersionV2} as v2`)
+          .innerJoin(`${TableName.SecretV2} as s2`, "v2.secretId", "s2.id")
+          .whereRaw(`v2."reminderRepeatDays" = s2."reminderRepeatDays"`)
+          .whereNotNull("v2.reminderRepeatDays")
+          .whereRaw(`v2."reminderRepeatDays" > 0`)
+          .groupBy("v2.secretId");
+      })
+      // Add LEFT JOIN with Reminder table to check for existing reminders
+      .leftJoin(TableName.Reminder, `${TableName.Reminder}.secretId`, `${TableName.SecretV2}.id`)
+      // Only include secrets that don't already have reminders
+      .whereNull(`${TableName.Reminder}.secretId`)
+      .select(
+        knex.ref("id").withSchema(TableName.SecretV2).as("secretId"),
+        knex.ref("reminderRepeatDays").withSchema(TableName.SecretV2).as("reminderRepeatDays"),
+        knex.ref("reminderNote").withSchema(TableName.SecretV2).as("reminderNote"),
+        knex.ref("createdAt").withSchema(TableName.SecretVersionV2).as("createdAt")
+      );
+
+    logger.info(`Found ${secretsWithLatestVersions.length} reminders to migrate`);
+
+    const reminderInserts: TRemindersInsert[] = [];
+    if (secretsWithLatestVersions.length > 0) {
+      secretsWithLatestVersions.forEach((secret) => {
+        if (!secret.reminderRepeatDays) return;
+
+        const now = new Date();
+        const createdAt = new Date(secret.createdAt);
+        let nextReminderDate = new Date(createdAt);
+        nextReminderDate.setDate(nextReminderDate.getDate() + secret.reminderRepeatDays);
+
+        // If the next reminder date is in the past, calculate the proper next occurrence
+        if (nextReminderDate < now) {
+          const daysSinceCreation = Math.floor((now.getTime() - createdAt.getTime()) / (1000 * 60 * 60 * 24));
+          const daysIntoCurrentCycle = daysSinceCreation % secret.reminderRepeatDays;
+          const daysUntilNextReminder = secret.reminderRepeatDays - daysIntoCurrentCycle;
+
+          nextReminderDate = new Date(now);
+          nextReminderDate.setDate(now.getDate() + daysUntilNextReminder);
+        }
+
+        reminderInserts.push({
+          secretId: secret.secretId,
+          message: secret.reminderNote,
+          repeatDays: secret.reminderRepeatDays,
+          nextReminderDate
+        });
+      });
+
+      const commitBatches = chunkArray(reminderInserts, 2000);
+      for (const commitBatch of commitBatches) {
+        const insertedReminders = (await knex
+          .batchInsert(TableName.Reminder, commitBatch)
+          .returning("*")) as TReminders[];
+
+        const insertedReminderSecretIds = insertedReminders.map((reminder) => reminder.secretId).filter(Boolean);
+
+        const recipients = await knex(TableName.SecretReminderRecipients)
+          .whereRaw(`??.?? IN (${insertedReminderSecretIds.map(() => "?").join(",")})`, [
+            TableName.SecretReminderRecipients,
+            "secretId",
+            ...insertedReminderSecretIds
+          ])
+          .select(
+            knex.ref("userId").withSchema(TableName.SecretReminderRecipients).as("userId"),
+            knex.ref("secretId").withSchema(TableName.SecretReminderRecipients).as("secretId")
+          );
+        const reminderRecipients = recipients.map((recipient) => ({
+          reminderId: insertedReminders.find((reminder) => reminder.secretId === recipient.secretId)?.id,
+          userId: recipient.userId
+        }));
+
+        const filteredRecipients = reminderRecipients.filter((recipient) => Boolean(recipient.reminderId));
+        await knex.batchInsert(TableName.ReminderRecipient, filteredRecipients);
+      }
+      logger.info(`Successfully migrated ${reminderInserts.length} secret reminders`);
+    }
+
+    logger.info("Secret reminders migration completed");
+  } else {
+    logger.warn("Reminder table does not exist, skipping migration");
+  }
+}
+
+export async function down(): Promise<void> {
+  logger.info("Rollback not implemented for secret reminders fix migration");
+}
--- a/backend/src/db/migrations/utils/env-config.ts
+++ b/backend/src/db/migrations/utils/env-config.ts
@@ -53,7 +53,7 @@ export const getMigrationEnvConfig = async (superAdminDAL: TSuperAdminDALFactory

  let envCfg = Object.freeze(parsedEnv.data);

-  const fipsEnabled = await crypto.initialize(superAdminDAL);
+  const fipsEnabled = await crypto.initialize(superAdminDAL, envCfg);

  // Fix for 128-bit entropy encryption key expansion issue:
  // In FIPS it is not ideal to expand a 128-bit key into 256-bit. We solved this issue in the past by creating the ROOT_ENCRYPTION_KEY.
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@@ -160,7 +160,7 @@ export enum TableName {
  SecretRotationV2SecretMapping = "secret_rotation_v2_secret_mappings",
  MicrosoftTeamsIntegrations = "microsoft_teams_integrations",
  ProjectMicrosoftTeamsConfigs = "project_microsoft_teams_configs",
-  SecretReminderRecipients = "secret_reminder_recipients",
+  SecretReminderRecipients = "secret_reminder_recipients", // TODO(Carlos): Remove this in the future after migrating to the new reminder recipients table
  GithubOrgSyncConfig = "github_org_sync_configs",
  FolderCommit = "folder_commits",
  FolderCommitChanges = "folder_commit_changes",
@@ -172,7 +172,10 @@ export enum TableName {
  SecretScanningResource = "secret_scanning_resources",
  SecretScanningScan = "secret_scanning_scans",
  SecretScanningFinding = "secret_scanning_findings",
-  SecretScanningConfig = "secret_scanning_configs"
+  SecretScanningConfig = "secret_scanning_configs",
+  // reminders
+  Reminder = "reminders",
+  ReminderRecipient = "reminders_recipients"
 }

 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt" | "commitId";
@@ -267,6 +270,16 @@ export enum ProjectType {
  SecretScanning = "secret-scanning"
 }

+export enum ActionProjectType {
+  SecretManager = ProjectType.SecretManager,
+  CertificateManager = ProjectType.CertificateManager,
+  KMS = ProjectType.KMS,
+  SSH = ProjectType.SSH,
+  SecretScanning = ProjectType.SecretScanning,
+  // project operations that happen on all types
+  Any = "any"
+}
+
 export enum SortDirection {
  ASC = "asc",
  DESC = "desc"
--- a/backend/src/db/schemas/project-templates.ts
+++ b/backend/src/db/schemas/project-templates.ts
@@ -16,7 +16,7 @@ export const ProjectTemplatesSchema = z.object({
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  type: z.string().nullable().optional()
+  type: z.string().default("secret-manager")
 });

 export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@@ -25,12 +25,12 @@ export const ProjectsSchema = z.object({
  kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
  description: z.string().nullable().optional(),
-  type: z.string().nullable().optional(),
+  type: z.string(),
  enforceCapitalization: z.boolean().default(false),
  hasDeleteProtection: z.boolean().default(false).nullable().optional(),
  secretSharing: z.boolean().default(true),
  showSnapshotsLegacy: z.boolean().default(false),
-  defaultProduct: z.string().default("secret-manager")
+  defaultProduct: z.string().nullable().optional()
 });

 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/reminders-recipients.ts
+++ b/backend/src/db/schemas/reminders-recipients.ts
@@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const RemindersRecipientsSchema = z.object({
+  id: z.string().uuid(),
+  reminderId: z.string().uuid(),
+  userId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TRemindersRecipients = z.infer<typeof RemindersRecipientsSchema>;
+export type TRemindersRecipientsInsert = Omit<z.input<typeof RemindersRecipientsSchema>, TImmutableDBKeys>;
+export type TRemindersRecipientsUpdate = Partial<Omit<z.input<typeof RemindersRecipientsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/reminders.ts
+++ b/backend/src/db/schemas/reminders.ts
@@ -0,0 +1,22 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const RemindersSchema = z.object({
+  id: z.string().uuid(),
+  secretId: z.string().uuid().nullable().optional(),
+  message: z.string().nullable().optional(),
+  repeatDays: z.number().nullable().optional(),
+  nextReminderDate: z.date(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TReminders = z.infer<typeof RemindersSchema>;
+export type TRemindersInsert = Omit<z.input<typeof RemindersSchema>, TImmutableDBKeys>;
+export type TRemindersUpdate = Partial<Omit<z.input<typeof RemindersSchema>, TImmutableDBKeys>>;
--- a/backend/src/ee/routes/v1/project-template-router.ts
+++ b/backend/src/ee/routes/v1/project-template-router.ts
@@ -1,6 +1,6 @@
 import { z } from "zod";

-import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectTemplatesSchema, ProjectType } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
@@ -104,6 +104,9 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      hide: false,
      tags: [ApiDocsTags.ProjectTemplates],
      description: "List project templates for the current organization.",
+      querystring: z.object({
+        type: z.nativeEnum(ProjectType).optional().describe(ProjectTemplates.LIST.type)
+      }),
      response: {
        200: z.object({
          projectTemplates: SanitizedProjectTemplateSchema.array()
@@ -112,7 +115,10 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
+      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(
+        req.permission,
+        req.query.type
+      );

      const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));

@@ -191,6 +197,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
          .describe(ProjectTemplates.CREATE.name),
        description: z.string().max(256).trim().optional().describe(ProjectTemplates.CREATE.description),
        roles: ProjectTemplateRolesSchema.default([]).describe(ProjectTemplates.CREATE.roles),
+        type: z.nativeEnum(ProjectType).describe(ProjectTemplates.CREATE.type),
        environments: ProjectTemplateEnvironmentsSchema.describe(ProjectTemplates.CREATE.environments).optional()
      }),
      response: {
--- a/backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts
+++ b/backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts
@@ -315,10 +315,12 @@ export const registerSecretRotationEndpoints = <
      querystring: z.object({
        deleteSecrets: z
          .enum(["true", "false"])
+          .optional()
          .transform((value) => value === "true")
          .describe(SecretRotations.DELETE(type).deleteSecrets),
        revokeGeneratedCredentials: z
          .enum(["true", "false"])
+          .optional()
          .transform((value) => value === "true")
          .describe(SecretRotations.DELETE(type).revokeGeneratedCredentials)
      }),
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -116,7 +117,8 @@ export const accessApprovalPolicyServiceFactory = ({
      actorId,
      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -272,7 +274,8 @@ export const accessApprovalPolicyServiceFactory = ({
        actorId,
        projectId: project.id,
        actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
      });

      const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
@@ -337,7 +340,8 @@ export const accessApprovalPolicyServiceFactory = ({
      actorId,
      projectId: accessApprovalPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@@ -533,7 +537,8 @@ export const accessApprovalPolicyServiceFactory = ({
      actorId,
      projectId: policy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
@@ -583,7 +588,8 @@ export const accessApprovalPolicyServiceFactory = ({
      actorId,
      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -622,7 +628,8 @@ export const accessApprovalPolicyServiceFactory = ({
      actorId,
      projectId: policy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import msFn from "ms";

-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -107,7 +107,8 @@ export const accessApprovalRequestServiceFactory = ({
      actorId,
      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -216,7 +217,7 @@ export const accessApprovalRequestServiceFactory = ({
      );

      const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`;

      await triggerWorkflowIntegrationNotification({
        input: {
@@ -289,7 +290,8 @@ export const accessApprovalRequestServiceFactory = ({
      actorId,
      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -335,7 +337,8 @@ export const accessApprovalRequestServiceFactory = ({
      actorId,
      projectId: accessApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    if (!membership) {
@@ -551,7 +554,7 @@ export const accessApprovalRequestServiceFactory = ({
                  bypassReason: bypassReason || "No reason provided",
                  secretPath: policy.secretPath || "/",
                  environment,
-                  approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`,
+                  approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`,
                  requestType: "access"
                },
                template: SmtpTemplates.AccessSecretRequestBypassed
@@ -582,7 +585,8 @@ export const accessApprovalRequestServiceFactory = ({
      actorId,
      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
--- a/backend/src/ee/services/assume-privilege/assume-privilege-service.ts
+++ b/backend/src/ee/services/assume-privilege/assume-privilege-service.ts
@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -37,7 +38,8 @@ export const assumePrivilegeServiceFactory = ({
      actorId: actorPermissionDetails.id,
      projectId,
      actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId
+      actorOrgId: actorPermissionDetails.orgId,
+      actionProjectType: ActionProjectType.Any
    });

    if (targetActorType === ActorType.USER) {
@@ -58,7 +60,8 @@ export const assumePrivilegeServiceFactory = ({
      actorId: targetActorId,
      projectId,
      actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId
+      actorOrgId: actorPermissionDetails.orgId,
+      actionProjectType: ActionProjectType.Any
    });

    const appCfg = getConfig();
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { requestContext } from "@fastify/request-context";

+import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -37,7 +38,8 @@ export const auditLogServiceFactory = ({
        actorId,
        projectId: filter.projectId,
        actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.Any
      });
      ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
    } else {
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -468,7 +468,11 @@ export enum EventType {

  CREATE_PROJECT = "create-project",
  UPDATE_PROJECT = "update-project",
-  DELETE_PROJECT = "delete-project"
+  DELETE_PROJECT = "delete-project",
+
+  CREATE_SECRET_REMINDER = "create-secret-reminder",
+  GET_SECRET_REMINDER = "get-secret-reminder",
+  DELETE_SECRET_REMINDER = "delete-secret-reminder"
 }

 export const filterableSecretEvents: EventType[] = [
@@ -3326,6 +3330,31 @@ interface SecretScanningConfigUpdateEvent {
  };
 }

+interface SecretReminderCreateEvent {
+  type: EventType.CREATE_SECRET_REMINDER;
+  metadata: {
+    secretId: string;
+    message?: string | null;
+    repeatDays?: number | null;
+    nextReminderDate?: string | null;
+    recipients?: string[] | null;
+  };
+}
+
+interface SecretReminderGetEvent {
+  type: EventType.GET_SECRET_REMINDER;
+  metadata: {
+    secretId: string;
+  };
+}
+
+interface SecretReminderDeleteEvent {
+  type: EventType.DELETE_SECRET_REMINDER;
+  metadata: {
+    secretId: string;
+  };
+}
+
 interface SecretScanningConfigReadEvent {
  type: EventType.SECRET_SCANNING_CONFIG_GET;
  metadata?: Record<string, never>; // not needed, based off projectId
@@ -3689,4 +3718,7 @@ export type Event =
  | OrgUpdateEvent
  | ProjectCreateEvent
  | ProjectUpdateEvent
-  | ProjectDeleteEvent;
+  | ProjectDeleteEvent
+  | SecretReminderCreateEvent
+  | SecretReminderGetEvent
+  | SecretReminderDeleteEvent;
--- a/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
+++ b/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";

+import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -77,7 +78,8 @@ export const certificateAuthorityCrlServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@@ -1,6 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import RE2 from "re2";

+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -84,7 +85,8 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const plan = await licenseService.getPlan(actorOrgId);
@@ -200,7 +202,8 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -297,7 +300,8 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -385,7 +389,8 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -432,7 +437,8 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@@ -1,5 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -78,7 +79,8 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -207,7 +209,8 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const plan = await licenseService.getPlan(actorOrgId);
@@ -358,7 +361,8 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -423,7 +427,8 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -487,7 +492,8 @@ export const dynamicSecretServiceFactory = ({
        actorId,
        projectId,
        actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
      });

      // verify user has access to each env in request
@@ -530,7 +536,8 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
@@ -578,7 +585,8 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -615,7 +623,8 @@ export const dynamicSecretServiceFactory = ({
      actorId: actor.id,
      projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
@@ -659,7 +668,8 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
--- a/backend/src/ee/services/gateway/gateway-service.ts
+++ b/backend/src/ee/services/gateway/gateway-service.ts
@@ -566,6 +566,14 @@ export const gatewayServiceFactory = ({
    if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${gatewayId} not found.` });

    const orgGatewayConfig = await orgGatewayConfigDAL.findById(gateway.orgGatewayRootCaId);
+
+    const orgLicensePlan = await licenseService.getPlan(orgGatewayConfig.orgId);
+    if (!orgLicensePlan.gateway) {
+      throw new BadRequestError({
+        message: "Please upgrade your instance to Infisical's Enterprise plan to use gateways."
+      });
+    }
+
    const { decryptor: orgKmsDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.Organization,
      orgId: orgGatewayConfig.orgId
--- a/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";

-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,7 +61,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Edit,
@@ -72,7 +73,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId: identityId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });

    // we need to validate that the privilege given is not higher than the assigning users permission
@@ -158,7 +160,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Edit,
@@ -169,7 +172,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId: identityProjectMembership.identityId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });

    // we need to validate that the privilege given is not higher than the assigning users permission
@@ -256,7 +260,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Edit,
@@ -267,7 +272,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId: identityProjectMembership.identityId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    const permissionBoundary = validatePrivilegeChangeOperation(
      membership.shouldUseNewPrivilegeSystem,
@@ -315,7 +321,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Read,
@@ -349,7 +356,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Read,
@@ -384,7 +392,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Read,
--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
@@ -1,6 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";

+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -72,7 +73,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -85,7 +87,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId: identityId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });

    // we need to validate that the privilege given is not higher than the assigning users permission
@@ -172,7 +175,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -185,7 +189,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId: identityProjectMembership.identityId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });

    // we need to validate that the privilege given is not higher than the assigning users permission
@@ -288,7 +293,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Edit,
@@ -300,7 +306,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId: identityProjectMembership.identityId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    const permissionBoundary = validatePrivilegeChangeOperation(
      membership.shouldUseNewPrivilegeSystem,
@@ -359,7 +366,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Read,
@@ -401,7 +409,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/kmip/kmip-service.ts
+++ b/backend/src/ee/services/kmip/kmip-service.ts
@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";

+import { ActionProjectType } from "@app/db/schemas";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidIp } from "@app/lib/ip";
@@ -78,7 +79,8 @@ export const kmipServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -131,7 +133,8 @@ export const kmipServiceFactory = ({
      actorId,
      projectId: kmipClient.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -162,7 +165,8 @@ export const kmipServiceFactory = ({
      actorId,
      projectId: kmipClient.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -195,7 +199,8 @@ export const kmipServiceFactory = ({
      actorId,
      projectId: kmipClient.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -216,7 +221,8 @@ export const kmipServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -252,7 +258,8 @@ export const kmipServiceFactory = ({
      actorId,
      projectId: kmipClient.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/permission/permission-service-types.ts
+++ b/backend/src/ee/services/permission/permission-service-types.ts
@@ -1,6 +1,7 @@
 import { MongoAbility, RawRuleOf } from "@casl/ability";
 import { MongoQuery } from "@ucast/mongo2js";

+import { ActionProjectType } from "@app/db/schemas";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";

 import { OrgPermissionSet } from "./org-permission";
@@ -20,6 +21,7 @@ export type TGetUserProjectPermissionArg = {
  userId: string;
  projectId: string;
  authMethod: ActorAuthMethod;
+  actionProjectType: ActionProjectType;
  userOrgId?: string;
 };

@@ -27,12 +29,14 @@ export type TGetIdentityProjectPermissionArg = {
  identityId: string;
  projectId: string;
  identityOrgId?: string;
+  actionProjectType: ActionProjectType;
 };

 export type TGetServiceTokenProjectPermissionArg = {
  serviceTokenId: string;
  projectId: string;
  actorOrgId?: string;
+  actionProjectType: ActionProjectType;
 };

 export type TGetProjectPermissionArg = {
@@ -41,6 +45,7 @@ export type TGetProjectPermissionArg = {
  projectId: string;
  actorAuthMethod: ActorAuthMethod;
  actorOrgId?: string;
+  actionProjectType: ActionProjectType;
 };

 export type TPermissionServiceFactory = {
@@ -138,7 +143,13 @@ export type TPermissionServiceFactory = {
        };
      }
  >;
-  getUserProjectPermission: ({ userId, projectId, authMethod, userOrgId }: TGetUserProjectPermissionArg) => Promise<{
+  getUserProjectPermission: ({
+    userId,
+    projectId,
+    authMethod,
+    userOrgId,
+    actionProjectType
+  }: TGetUserProjectPermissionArg) => Promise<{
    permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
    membership: {
      id: string;
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@@ -5,6 +5,7 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";

 import {
+  ActionProjectType,
  OrgMembershipRole,
  ProjectMembershipRole,
  ServiceTokenScopes,
@@ -213,7 +214,8 @@ export const permissionServiceFactory = ({
    userId,
    projectId,
    authMethod,
-    userOrgId
+    userOrgId,
+    actionProjectType
  }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
    if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
@@ -240,6 +242,12 @@ export const permissionServiceFactory = ({
      userProjectPermission.orgRole
    );

+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
+      throw new BadRequestError({
+        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
    // join two permissions and pass to build the final permission set
    const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
    const additionalPrivileges =
@@ -287,7 +295,8 @@ export const permissionServiceFactory = ({
  const getIdentityProjectPermission = async ({
    identityId,
    projectId,
-    identityOrgId
+    identityOrgId,
+    actionProjectType
  }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
    if (!identityProjectPermission)
@@ -307,6 +316,12 @@ export const permissionServiceFactory = ({
      throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
    }

+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
+      throw new BadRequestError({
+        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
    const rolePermissions =
      identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
    const additionalPrivileges =
@@ -361,7 +376,8 @@ export const permissionServiceFactory = ({
  const getServiceTokenProjectPermission = async ({
    serviceTokenId,
    projectId,
-    actorOrgId
+    actorOrgId,
+    actionProjectType
  }: TGetServiceTokenProjectPermissionArg) => {
    const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
    if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
@@ -386,6 +402,12 @@ export const permissionServiceFactory = ({
      });
    }

+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
+      throw new BadRequestError({
+        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
    const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
    return {
      permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
@@ -537,7 +559,8 @@ export const permissionServiceFactory = ({
    actorId: inputActorId,
    projectId,
    actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    actionProjectType
  }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
    let actor = inputActor;
    let actorId = inputActorId;
@@ -558,19 +581,22 @@ export const permissionServiceFactory = ({
          userId: actorId,
          projectId,
          authMethod: actorAuthMethod,
-          userOrgId: actorOrgId
+          userOrgId: actorOrgId,
+          actionProjectType
        }) as Promise<TProjectPermissionRT<T>>;
      case ActorType.SERVICE:
        return getServiceTokenProjectPermission({
          serviceTokenId: actorId,
          projectId,
-          actorOrgId
+          actorOrgId,
+          actionProjectType
        }) as Promise<TProjectPermissionRT<T>>;
      case ActorType.IDENTITY:
        return getIdentityProjectPermission({
          identityId: actorId,
          projectId,
-          identityOrgId: actorOrgId
+          identityOrgId: actorOrgId,
+          actionProjectType
        }) as Promise<TProjectPermissionRT<T>>;
      default:
        throw new BadRequestError({
--- a/backend/src/ee/services/pit/pit-service.ts
+++ b/backend/src/ee/services/pit/pit-service.ts
@@ -1,6 +1,7 @@
 /* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -348,7 +349,8 @@ export const pitServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    ForbiddenError.from(userPermission).throwUnlessCan(
--- a/backend/src/ee/services/project-template/project-template-fns.ts
+++ b/backend/src/ee/services/project-template/project-template-fns.ts
@@ -1,3 +1,4 @@
+import { ProjectType } from "@app/db/schemas";
 import {
  InfisicalProjectTemplate,
  TUnpackedPermission
@@ -6,18 +7,21 @@ import { getPredefinedRoles } from "@app/services/project-role/project-role-fns"

 import { ProjectTemplateDefaultEnvironments } from "./project-template-constants";

-export const getDefaultProjectTemplate = (orgId: string) => ({
+export const getDefaultProjectTemplate = (orgId: string, type: ProjectType) => ({
  id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // random ID to appease zod
+  type,
  name: InfisicalProjectTemplate.Default,
  createdAt: new Date(),
  updatedAt: new Date(),
-  description: `Infisical's default project template`,
-  environments: ProjectTemplateDefaultEnvironments,
-  roles: getPredefinedRoles({ projectId: "project-template" }) as Array<{
-    name: string;
-    slug: string;
-    permissions: TUnpackedPermission[];
-  }>,
+  description: `Infisical's ${type} default project template`,
+  environments: type === ProjectType.SecretManager ? ProjectTemplateDefaultEnvironments : null,
+  roles: [...getPredefinedRoles({ projectId: "project-template", projectType: type })].map(
+    ({ name, slug, permissions }) => ({
+      name,
+      slug,
+      permissions: permissions as TUnpackedPermission[]
+    })
+  ),
  orgId
 });

--- a/backend/src/ee/services/project-template/project-template-service.ts
+++ b/backend/src/ee/services/project-template/project-template-service.ts
@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";

-import { TProjectTemplates } from "@app/db/schemas";
+import { ProjectType, TProjectTemplates } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@@ -29,11 +29,13 @@ const $unpackProjectTemplate = ({ roles, environments, ...rest }: TProjectTempla
  ...rest,
  environments: environments as TProjectTemplateEnvironment[],
  roles: [
-    ...getPredefinedRoles({ projectId: "project-template" }).map(({ name, slug, permissions }) => ({
-      name,
-      slug,
-      permissions: permissions as TUnpackedPermission[]
-    })),
+    ...getPredefinedRoles({ projectId: "project-template", projectType: rest.type as ProjectType }).map(
+      ({ name, slug, permissions }) => ({
+        name,
+        slug,
+        permissions: permissions as TUnpackedPermission[]
+      })
+    ),
    ...(roles as TProjectTemplateRole[]).map((role) => ({
      ...role,
      permissions: unpackPermissions(role.permissions)
@@ -46,7 +48,10 @@ export const projectTemplateServiceFactory = ({
  permissionService,
  projectTemplateDAL
 }: TProjectTemplatesServiceFactoryDep): TProjectTemplateServiceFactory => {
-  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (actor) => {
+  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (
+    actor,
+    type
+  ) => {
    const plan = await licenseService.getPlan(actor.orgId);

    if (!plan.projectTemplates)
@@ -65,11 +70,14 @@ export const projectTemplateServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);

    const projectTemplates = await projectTemplateDAL.find({
-      orgId: actor.orgId
+      orgId: actor.orgId,
+      ...(type ? { type } : {})
    });

    return [
-      getDefaultProjectTemplate(actor.orgId),
+      ...(type
+        ? [getDefaultProjectTemplate(actor.orgId, type)]
+        : Object.values(ProjectType).map((projectType) => getDefaultProjectTemplate(actor.orgId, projectType))),
      ...projectTemplates.map((template) => $unpackProjectTemplate(template))
    ];
  };
@@ -134,7 +142,7 @@ export const projectTemplateServiceFactory = ({
  };

  const createProjectTemplate: TProjectTemplateServiceFactory["createProjectTemplate"] = async (
-    { roles, environments, ...params },
+    { roles, environments, type, ...params },
    actor
  ) => {
    const plan = await licenseService.getPlan(actor.orgId);
@@ -154,6 +162,10 @@ export const projectTemplateServiceFactory = ({

    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);

+    if (environments && type !== ProjectType.SecretManager) {
+      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
+    }
+
    if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
      throw new BadRequestError({
        // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
@@ -176,8 +188,10 @@ export const projectTemplateServiceFactory = ({
    const projectTemplate = await projectTemplateDAL.create({
      ...params,
      roles: JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) }))),
-      environments: environments ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
-      orgId: actor.orgId
+      environments:
+        type === ProjectType.SecretManager ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
+      orgId: actor.orgId,
+      type
    });

    return $unpackProjectTemplate(projectTemplate);
@@ -208,6 +222,11 @@ export const projectTemplateServiceFactory = ({
    );

    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
+    if (projectTemplate.type !== ProjectType.SecretManager && environments)
+      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
+
+    if (projectTemplate.type === ProjectType.SecretManager && environments === null)
+      throw new BadRequestError({ message: "Environments cannot be removed for SecretManager project templates" });

    if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
      throw new BadRequestError({
--- a/backend/src/ee/services/project-template/project-template-types.ts
+++ b/backend/src/ee/services/project-template/project-template-types.ts
@@ -1,6 +1,6 @@
 import { z } from "zod";

-import { ProjectMembershipRole, TProjectEnvironments } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectType, TProjectEnvironments } from "@app/db/schemas";
 import { TProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { OrgServiceActor } from "@app/lib/types";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
@@ -15,6 +15,7 @@ export type TProjectTemplateRole = {

 export type TCreateProjectTemplateDTO = {
  name: string;
+  type: ProjectType;
  description?: string;
  roles: TProjectTemplateRole[];
  environments?: TProjectTemplateEnvironment[] | null;
@@ -29,11 +30,15 @@ export enum InfisicalProjectTemplate {
 }

 export type TProjectTemplateServiceFactory = {
-  listProjectTemplatesByOrg: (actor: OrgServiceActor) => Promise<
+  listProjectTemplatesByOrg: (
+    actor: OrgServiceActor,
+    type?: ProjectType
+  ) => Promise<
    (
      | {
          id: string;
          name: InfisicalProjectTemplate;
+          type: string;
          createdAt: Date;
          updatedAt: Date;
          description: string;
@@ -58,6 +63,7 @@ export type TProjectTemplateServiceFactory = {
        }
      | {
          environments: TProjectTemplateEnvironment[];
+          type: string;
          roles: {
            permissions: {
              action: string[];
@@ -94,6 +100,7 @@ export type TProjectTemplateServiceFactory = {
    }[];
    name: string;
    orgId: string;
+    type: string;
    id: string;
    createdAt: Date;
    updatedAt: Date;
@@ -118,6 +125,7 @@ export type TProjectTemplateServiceFactory = {
    name: string;
    orgId: string;
    id: string;
+    type: string;
    createdAt: Date;
    updatedAt: Date;
    description?: string | null | undefined;
@@ -140,6 +148,7 @@ export type TProjectTemplateServiceFactory = {
    name: string;
    orgId: string;
    id: string;
+    type: string;
    createdAt: Date;
    updatedAt: Date;
    description?: string | null | undefined;
@@ -162,6 +171,7 @@ export type TProjectTemplateServiceFactory = {
    }[];
    name: string;
    orgId: string;
+    type: string;
    id: string;
    createdAt: Date;
    updatedAt: Date;
@@ -184,6 +194,7 @@ export type TProjectTemplateServiceFactory = {
      name: string;
    }[];
    name: string;
+    type: string;
    orgId: string;
    id: string;
    createdAt: Date;
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
@@ -1,7 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";

-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,7 +61,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
    const { permission: targetUserPermission, membership } = await permissionService.getProjectPermission({
@@ -69,7 +70,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId: projectMembership.userId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });

    // we need to validate that the privilege given is not higher than the assigning users permission
@@ -164,7 +166,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
@@ -172,7 +175,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId: projectMembership.userId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });

    // we need to validate that the privilege given is not higher than the assigning users permission
@@ -272,7 +276,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);

@@ -317,7 +322,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);

@@ -343,7 +349,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);

--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import picomatch from "picomatch";

+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -110,7 +111,8 @@ export const secretApprovalPolicyServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@@ -304,7 +306,8 @@ export const secretApprovalPolicyServiceFactory = ({
      actorId,
      projectId: secretApprovalPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);

@@ -459,7 +462,8 @@ export const secretApprovalPolicyServiceFactory = ({
      actorId,
      projectId: sapPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
@@ -498,7 +502,8 @@ export const secretApprovalPolicyServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

@@ -542,7 +547,8 @@ export const secretApprovalPolicyServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    return getSecretApprovalPolicy(projectId, environment, secretPath);
@@ -568,7 +574,8 @@ export const secretApprovalPolicyServiceFactory = ({
      actorId,
      projectId: sapPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts
@@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
        firstName: reviewerUser.firstName,
        projectName: project.name,
        organizationName: project.organization.name,
-        approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval?requestId=${secretApprovalRequest.id}`
+        approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval?requestId=${secretApprovalRequest.id}`
      },
      template: SmtpTemplates.SecretApprovalRequestNeedsReview
    });
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -3,6 +3,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { Knex } from "knex";

 import {
+  ActionProjectType,
  ProjectMembershipRole,
  SecretEncryptionAlgo,
  SecretKeyEncoding,
@@ -184,7 +185,8 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId, policyId);
@@ -211,7 +213,8 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
@@ -263,7 +266,8 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
@@ -412,7 +416,8 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId: secretApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
@@ -481,7 +486,8 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId: secretApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
@@ -537,7 +543,8 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    if (
@@ -955,7 +962,7 @@ export const secretApprovalRequestServiceFactory = ({
          bypassReason,
          secretPath: policy.secretPath,
          environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`
+          approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`
        },
        template: SmtpTemplates.AccessSecretRequestBypassed
      });
@@ -1089,7 +1096,8 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
@@ -1380,7 +1388,8 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder)
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts
@@ -167,7 +167,7 @@ export const secretRotationV2QueueServiceFactory = async ({
            environment: environment.name,
            projectName: project.name,
            rotationUrl: encodeURI(
-              `${appCfg.SITE_URL}/projects/${projectId}/secret-manager/secrets/${environment.slug}`
+              `${appCfg.SITE_URL}/projects/secret-management/${projectId}/secrets/${environment.slug}`
            )
          }
        });
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts
@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { Knex } from "knex";
 import isEqual from "lodash.isequal";

-import { SecretType, TableName } from "@app/db/schemas";
+import { ActionProjectType, SecretType, TableName } from "@app/db/schemas";
 import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
@@ -223,7 +223,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
      projectId
    });

@@ -274,7 +274,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
      projectId
    });

@@ -320,7 +320,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
      projectId
    });

@@ -385,7 +385,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
      projectId
    });

@@ -429,7 +429,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
      projectId
    });

@@ -631,7 +631,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
      projectId
    });

@@ -781,7 +781,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
      projectId
    });

@@ -1113,7 +1113,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
      projectId
    });

@@ -1160,7 +1160,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
      projectId
    });

@@ -1212,7 +1212,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
      projectId
    });

@@ -1328,7 +1328,8 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    const permissiveFolderMappings = folderMappings.filter(({ path, environment }) =>
--- a/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";

-import { ProjectVersion, TableName } from "@app/db/schemas";
+import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
 import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@@ -66,7 +66,8 @@ export const secretRotationServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionSecretRotationActions.Read,
@@ -97,7 +98,8 @@ export const secretRotationServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionSecretRotationActions.Read,
@@ -213,7 +215,8 @@ export const secretRotationServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionSecretRotationActions.Read,
@@ -263,7 +266,8 @@ export const secretRotationServiceFactory = ({
      actorId,
      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionSecretRotationActions.Edit,
@@ -283,7 +287,8 @@ export const secretRotationServiceFactory = ({
      actorId,
      projectId: doc.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionSecretRotationActions.Delete,
--- a/backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-queue.ts
+++ b/backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-queue.ts
@@ -596,7 +596,7 @@ export const secretScanningV2QueueServiceFactory = async ({
                  numberOfSecrets: payload.numberOfSecrets,
                  isDiffScan: payload.isDiffScan,
                  url: encodeURI(
-                    `${appCfg.SITE_URL}/projects/${projectId}/secret-scanning/findings?search=scanId:${payload.scanId}`
+                    `${appCfg.SITE_URL}/projects/secret-scanning/${projectId}/findings?search=scanId:${payload.scanId}`
                  ),
                  timestamp
                }
@@ -607,7 +607,7 @@ export const secretScanningV2QueueServiceFactory = async ({
                  timestamp,
                  errorMessage: payload.errorMessage,
                  url: encodeURI(
-                    `${appCfg.SITE_URL}/projects/${projectId}/secret-scanning/data-sources/${dataSource.type}/${dataSource.id}`
+                    `${appCfg.SITE_URL}/projects/secret-scanning/${projectId}/data-sources/${dataSource.type}/${dataSource.id}`
                  )
                }
        });
--- a/backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-service.ts
+++ b/backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-service.ts
@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { join } from "path";

+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -94,7 +95,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId
    });

@@ -156,7 +157,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId: dataSource.projectId
    });

@@ -201,7 +202,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId
    });

@@ -235,7 +236,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId: payload.projectId
    });

@@ -348,7 +349,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId: dataSource.projectId
    });

@@ -401,6 +402,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId: dataSource.projectId
    });

@@ -474,7 +476,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId: dataSource.projectId
    });

@@ -538,7 +540,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId: dataSource.projectId
    });

@@ -583,7 +585,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId: dataSource.projectId
    });

@@ -626,7 +628,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId: dataSource.projectId
    });

@@ -669,7 +671,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId: dataSource.projectId
    });

@@ -702,7 +704,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId
    });

@@ -736,7 +738,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId
    });

@@ -776,7 +778,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId: finding.projectId
    });

@@ -807,7 +809,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId
    });

@@ -842,7 +844,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
      projectId
    });

--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@@ -2,7 +2,7 @@
 // akhilmhdh: I did this, quite strange bug with eslint. Everything do have a type stil has this error
 import { ForbiddenError } from "@casl/ability";

-import { TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
+import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -103,7 +103,8 @@ export const secretSnapshotServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);

@@ -139,7 +140,8 @@ export const secretSnapshotServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);

@@ -167,7 +169,8 @@ export const secretSnapshotServiceFactory = ({
      actorId,
      projectId: snapshot.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
@@ -391,7 +394,8 @@ export const secretSnapshotServiceFactory = ({
      actorId,
      projectId: snapshot.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
--- a/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts
+++ b/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts
@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -58,7 +59,8 @@ export const sshCertificateTemplateServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -130,7 +132,8 @@ export const sshCertificateTemplateServiceFactory = ({
      actorId,
      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -198,7 +201,8 @@ export const sshCertificateTemplateServiceFactory = ({
      actorId,
      projectId: certificateTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -224,7 +228,8 @@ export const sshCertificateTemplateServiceFactory = ({
      actorId,
      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/ssh-host-group/ssh-host-group-service.ts
+++ b/backend/src/ee/services/ssh-host-group/ssh-host-group-service.ts
@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
@@ -79,7 +80,8 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.SshHostGroups);
@@ -171,7 +173,8 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId: sshHostGroup.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
@@ -267,7 +270,8 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId: sshHostGroup.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
@@ -290,7 +294,8 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId: sshHostGroup.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.SshHostGroups);
@@ -316,7 +321,8 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId: sshHostGroup.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
@@ -354,7 +360,8 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId: sshHostGroup.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
@@ -393,7 +400,8 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId: sshHostGroup.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
--- a/backend/src/ee/services/ssh-host/ssh-host-fns.ts
+++ b/backend/src/ee/services/ssh-host/ssh-host-fns.ts
@@ -1,5 +1,6 @@
 import { Knex } from "knex";

+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";

 import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "../permission/project-permission";
@@ -62,7 +63,8 @@ export const createSshLoginMappings = async ({
            userId: user.id,
            projectId,
            authMethod: actorAuthMethod,
-            userOrgId: actorOrgId
+            userOrgId: actorOrgId,
+            actionProjectType: ActionProjectType.SSH
          });
        }

--- a/backend/src/ee/services/ssh-host/ssh-host-service.ts
+++ b/backend/src/ee/services/ssh-host/ssh-host-service.ts
@@ -1,5 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -111,7 +112,8 @@ export const sshHostServiceFactory = ({
          actorId,
          projectId: project.id,
          actorAuthMethod,
-          actorOrgId
+          actorOrgId,
+          actionProjectType: ActionProjectType.SSH
        });

        const projectHosts = await sshHostDAL.findUserAccessibleSshHosts([project.id], actorId);
@@ -144,7 +146,8 @@ export const sshHostServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -273,7 +276,8 @@ export const sshHostServiceFactory = ({
      actorId,
      projectId: host.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -334,7 +338,8 @@ export const sshHostServiceFactory = ({
      actorId,
      projectId: host.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -362,7 +367,8 @@ export const sshHostServiceFactory = ({
      actorId,
      projectId: host.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -401,7 +407,8 @@ export const sshHostServiceFactory = ({
      actorId,
      projectId: host.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    const internalPrincipals = await convertActorToPrincipals({
@@ -520,7 +527,8 @@ export const sshHostServiceFactory = ({
      actorId,
      projectId: host.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/ssh/ssh-certificate-authority-service.ts
+++ b/backend/src/ee/services/ssh/ssh-certificate-authority-service.ts
@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
@@ -72,7 +73,8 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -107,7 +109,8 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -175,7 +178,8 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -213,7 +217,8 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -254,7 +259,8 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: sshCertificateTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -375,7 +381,8 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: sshCertificateTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -472,7 +479,8 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
+++ b/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -35,7 +36,8 @@ export const trustedIpServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
    const trustedIps = await trustedIpDAL.find({
@@ -59,7 +61,8 @@ export const trustedIpServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

@@ -104,7 +107,8 @@ export const trustedIpServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

@@ -149,7 +153,8 @@ export const trustedIpServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -2245,7 +2245,9 @@ export const AppConnections = {
    },
    AZURE_CLIENT_SECRETS: {
      code: "The OAuth code to use to connect with Azure Client Secrets.",
-      tenantId: "The Tenant ID to use to connect with Azure Client Secrets."
+      tenantId: "The Tenant ID to use to connect with Azure Client Secrets.",
+      clientId: "The Client ID to use to connect with Azure Client Secrets.",
+      clientSecret: "The Client Secret to use to connect with Azure Client Secrets."
    },
    AZURE_DEVOPS: {
      code: "The OAuth code to use to connect with Azure DevOps.",
@@ -2290,6 +2292,9 @@ export const AppConnections = {
      accessKey: "The Key used to access Supabase.",
      instanceUrl: "The URL used to access Supabase."
    },
+    DIGITAL_OCEAN_APP_PLATFORM: {
+      apiToken: "The API token used to authenticate with Digital Ocean App Platform."
+    },
    OKTA: {
      instanceUrl: "The URL used to access your Okta organization.",
      apiToken: "The API token used to authenticate with Okta."
@@ -2370,6 +2375,10 @@ export const SecretSyncs = {
      keyId: "The AWS KMS key ID or alias to use when encrypting parameters synced by Infisical.",
      tags: "Optional tags to add to secrets synced by Infisical.",
      syncSecretMetadataAsTags: `Whether Infisical secret metadata should be added as tags to secrets synced by Infisical.`
+    },
+    RENDER: {
+      autoRedeployServices:
+        "Whether Infisical should automatically redeploy the configured Render service upon secret changes."
    }
  },
  DESTINATION_CONFIG: {
@@ -2506,6 +2515,11 @@ export const SecretSyncs = {
    SUPABASE: {
      projectId: "The ID of the Supabase project to sync secrets to.",
      projectName: "The name of the Supabase project to sync secrets to."
+    },
+    BITBUCKET: {
+      workspaceSlug: "The Bitbucket Workspace slug to sync secrets to.",
+      repositorySlug: "The Bitbucket Repository slug to sync secrets to.",
+      environmentId: "The Bitbucket Deployment Environment uuid to sync secrets to."
    }
  }
 };
--- a/backend/src/lib/crypto/cryptography/crypto.ts
+++ b/backend/src/lib/crypto/cryptography/crypto.ts
@@ -14,7 +14,7 @@ import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal
 import { ADMIN_CONFIG_DB_UUID } from "@app/services/super-admin/super-admin-service";

 import { isBase64 } from "../../base64";
-import { getConfig } from "../../config/env";
+import { getConfig, TEnvConfig } from "../../config/env";
 import { CryptographyError } from "../../errors";
 import { logger } from "../../logger";
 import { asymmetricFipsValidated } from "./asymmetric-fips";
@@ -106,12 +106,12 @@ const cryptographyFactory = () => {
    }
  };

-  const $setFipsModeEnabled = (enabled: boolean) => {
+  const $setFipsModeEnabled = (enabled: boolean, envCfg?: Pick<TEnvConfig, "ENCRYPTION_KEY">) => {
    // If FIPS is enabled, we need to validate that the ENCRYPTION_KEY is in a base64 format, and is a 256-bit key.
    if (enabled) {
      crypto.setFips(true);

-      const appCfg = getConfig();
+      const appCfg = envCfg || getConfig();

      if (appCfg.ENCRYPTION_KEY) {
        // we need to validate that the ENCRYPTION_KEY is a base64 encoded 256-bit key
@@ -141,14 +141,14 @@ const cryptographyFactory = () => {
    $isInitialized = true;
  };

-  const initialize = async (superAdminDAL: TSuperAdminDALFactory) => {
+  const initialize = async (superAdminDAL: TSuperAdminDALFactory, envCfg?: Pick<TEnvConfig, "ENCRYPTION_KEY">) => {
    if ($isInitialized) {
      return isFipsModeEnabled();
    }

    if (process.env.FIPS_ENABLED !== "true") {
      logger.info("Cryptography module initialized in normal operation mode.");
-      $setFipsModeEnabled(false);
+      $setFipsModeEnabled(false, envCfg);
      return false;
    }

@@ -158,11 +158,11 @@ const cryptographyFactory = () => {
    if (serverCfg) {
      if (serverCfg.fipsEnabled) {
        logger.info("[FIPS]: Instance is configured for FIPS mode of operation. Continuing startup with FIPS enabled.");
-        $setFipsModeEnabled(true);
+        $setFipsModeEnabled(true, envCfg);
        return true;
      }
      logger.info("[FIPS]: Instance age predates FIPS mode inception date. Continuing without FIPS.");
-      $setFipsModeEnabled(false);
+      $setFipsModeEnabled(false, envCfg);
      return false;
    }

@@ -171,7 +171,7 @@ const cryptographyFactory = () => {
    // TODO(daniel): check if it's an enterprise deployment

    // if there is no server cfg, and FIPS_MODE is `true`, its a fresh FIPS deployment. We need to set the fipsEnabled to true.
-    $setFipsModeEnabled(true);
+    $setFipsModeEnabled(true, envCfg);
    return true;
  };

--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@@ -64,7 +64,9 @@ export enum QueueName {
  FolderTreeCheckpoint = "folder-tree-checkpoint",
  InvalidateCache = "invalidate-cache",
  SecretScanningV2 = "secret-scanning-v2",
-  TelemetryAggregatedEvents = "telemetry-aggregated-events"
+  TelemetryAggregatedEvents = "telemetry-aggregated-events",
+  DailyReminders = "daily-reminders",
+  SecretReminderMigration = "secret-reminder-migration"
 }

 export enum QueueJobs {
@@ -104,7 +106,9 @@ export enum QueueJobs {
  SecretScanningV2SendNotification = "secret-scanning-v2-notification",
  CaOrderCertificateForSubscriber = "ca-order-certificate-for-subscriber",
  PkiSubscriberDailyAutoRenewal = "pki-subscriber-daily-auto-renewal",
-  TelemetryAggregatedEvents = "telemetry-aggregated-events"
+  TelemetryAggregatedEvents = "telemetry-aggregated-events",
+  DailyReminders = "daily-reminders",
+  SecretReminderMigration = "secret-reminder-migration"
 }

 export type TQueueJobTypes = {
@@ -291,6 +295,14 @@ export type TQueueJobTypes = {
      caType: CaType;
    };
  };
+  [QueueName.DailyReminders]: {
+    name: QueueJobs.DailyReminders;
+    payload: undefined;
+  };
+  [QueueName.SecretReminderMigration]: {
+    name: QueueJobs.SecretReminderMigration;
+    payload: undefined;
+  };
  [QueueName.PkiSubscriber]: {
    name: QueueJobs.PkiSubscriberDailyAutoRenewal;
    payload: undefined;
@@ -390,6 +402,11 @@ export type TQueueServiceFactory = {
    startOffset?: number,
    endOffset?: number
  ) => Promise<{ key: string; name: string; id: string | null }[]>;
+  getDelayedJobs: (
+    name: QueueName,
+    startOffset?: number,
+    endOffset?: number
+  ) => Promise<{ delay: number; timestamp: number; repeatJobKey?: string; data?: unknown }[]>;
 };

 export const queueServiceFactory = (
@@ -552,6 +569,13 @@ export const queueServiceFactory = (
    return q.getRepeatableJobs(startOffset, endOffset);
  };

+  const getDelayedJobs: TQueueServiceFactory["getDelayedJobs"] = (name, startOffset, endOffset) => {
+    const q = queueContainer[name];
+    if (!q) throw new Error(`Queue '${name}' not initialized`);
+
+    return q.getDelayed(startOffset, endOffset);
+  };
+
  const stopRepeatableJobByJobId: TQueueServiceFactory["stopRepeatableJobByJobId"] = async (name, jobId) => {
    const q = queueContainer[name];
    const job = await q.getJob(jobId);
@@ -598,6 +622,7 @@ export const queueServiceFactory = (
    stopJobById,
    stopJobByIdPg,
    getRepeatableJobs,
+    getDelayedJobs,
    startPg,
    queuePg,
    schedulePg
--- a/backend/src/server/plugins/auth/inject-identity.ts
+++ b/backend/src/server/plugins/auth/inject-identity.ts
@@ -162,6 +162,12 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
            kubernetes: token?.identityAuth?.kubernetes
          });
        }
+        if (token?.identityAuth?.aws) {
+          requestContext.set("identityAuthInfo", {
+            identityId: identity.identityId,
+            aws: token?.identityAuth?.aws
+          });
+        }
        break;
      }
      case AuthMode.SERVICE_TOKEN: {
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -246,6 +246,10 @@ import { projectMembershipServiceFactory } from "@app/services/project-membershi
 import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
+import { reminderDALFactory } from "@app/services/reminder/reminder-dal";
+import { dailyReminderQueueServiceFactory } from "@app/services/reminder/reminder-queue";
+import { reminderServiceFactory } from "@app/services/reminder/reminder-service";
+import { reminderRecipientDALFactory } from "@app/services/reminder-recipients/reminder-recipient-dal";
 import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
 import { resourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
@@ -371,6 +375,9 @@ export const registerRoutes = async (
  const secretVersionV2BridgeDAL = secretVersionV2BridgeDALFactory(db);
  const secretVersionTagV2BridgeDAL = secretVersionV2TagBridgeDALFactory(db);

+  const reminderDAL = reminderDALFactory(db);
+  const reminderRecipientDAL = reminderRecipientDALFactory(db);
+
  const integrationDAL = integrationDALFactory(db);
  const integrationAuthDAL = integrationAuthDALFactory(db);
  const webhookDAL = webhookDALFactory(db);
@@ -734,9 +741,17 @@ export const registerRoutes = async (

  const projectBotService = projectBotServiceFactory({ permissionService, projectBotDAL, projectDAL });

+  const reminderService = reminderServiceFactory({
+    reminderDAL,
+    reminderRecipientDAL,
+    smtpService,
+    projectMembershipDAL,
+    permissionService,
+    secretV2BridgeDAL
+  });
+
  const orgService = orgServiceFactory({
    userAliasDAL,
-    queueService,
    identityMetadataDAL,
    secretDAL,
    secretV2BridgeDAL,
@@ -762,7 +777,8 @@ export const registerRoutes = async (
    orgBotDAL,
    oidcConfigDAL,
    loginService,
-    projectBotService
+    projectBotService,
+    reminderService
  });
  const signupService = authSignupServiceFactory({
    tokenService,
@@ -1060,7 +1076,6 @@ export const registerRoutes = async (
    secretImportDAL,
    projectEnvDAL,
    webhookDAL,
-    orgDAL,
    auditLogService,
    userDAL,
    projectMembershipDAL,
@@ -1082,11 +1097,11 @@ export const registerRoutes = async (
    secretApprovalRequestDAL,
    projectKeyDAL,
    projectUserMembershipRoleDAL,
-    secretReminderRecipientsDAL,
    orgService,
    resourceMetadataDAL,
    folderCommitService,
-    secretSyncQueue
+    secretSyncQueue,
+    reminderService
  });

  const projectService = projectServiceFactory({
@@ -1095,7 +1110,6 @@ export const registerRoutes = async (
    projectSshConfigDAL,
    secretDAL,
    secretV2BridgeDAL,
-    queueService,
    projectQueue: projectQueueService,
    projectBotService,
    identityProjectDAL,
@@ -1132,7 +1146,8 @@ export const registerRoutes = async (
    microsoftTeamsIntegrationDAL,
    projectTemplateService,
    groupProjectDAL,
-    smtpService
+    smtpService,
+    reminderService
  });

  const projectEnvService = projectEnvServiceFactory({
@@ -1231,6 +1246,7 @@ export const registerRoutes = async (
    kmsService,
    snapshotService,
    resourceMetadataDAL,
+    reminderService,
    keyStore
  });

@@ -1284,7 +1300,8 @@ export const registerRoutes = async (
    secretApprovalRequestSecretDAL,
    secretV2BridgeService,
    secretApprovalRequestService,
-    licenseService
+    licenseService,
+    reminderService
  });

  const secretSharingService = secretSharingServiceFactory({
@@ -1616,7 +1633,6 @@ export const registerRoutes = async (
    auditLogDAL,
    queueService,
    secretVersionDAL,
-    secretDAL,
    secretFolderVersionDAL: folderVersionDAL,
    snapshotDAL,
    identityAccessTokenDAL,
@@ -1627,6 +1643,13 @@ export const registerRoutes = async (
    orgService
  });

+  const dailyReminderQueueService = dailyReminderQueueServiceFactory({
+    reminderService,
+    queueService,
+    secretDAL: secretV2BridgeDAL,
+    secretReminderRecipientsDAL
+  });
+
  const dailyExpiringPkiItemAlert = dailyExpiringPkiItemAlertQueueServiceFactory({
    queueService,
    pkiAlertService
@@ -1926,6 +1949,8 @@ export const registerRoutes = async (
  await telemetryQueue.startTelemetryCheck();
  await telemetryQueue.startAggregatedEventsJob();
  await dailyResourceCleanUp.startCleanUp();
+  await dailyReminderQueueService.startDailyRemindersJob();
+  await dailyReminderQueueService.startSecretReminderMigrationJob();
  await dailyExpiringPkiItemAlert.startSendingAlerts();
  await pkiSubscriberQueue.startDailyAutoRenewalJob();
  await kmsService.startService();
@@ -2036,7 +2061,8 @@ export const registerRoutes = async (
    assumePrivileges: assumePrivilegeService,
    githubOrgSync: githubOrgSyncConfigService,
    folderCommit: folderCommitService,
-    secretScanningV2: secretScanningV2Service
+    secretScanningV2: secretScanningV2Service,
+    reminder: reminderService
  });

  const cronJobs: CronJob[] = [];
--- a/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
@@ -51,6 +51,10 @@ import {
  DatabricksConnectionListItemSchema,
  SanitizedDatabricksConnectionSchema
 } from "@app/services/app-connection/databricks";
+import {
+  DigitalOceanConnectionListItemSchema,
+  SanitizedDigitalOceanConnectionSchema
+} from "@app/services/app-connection/digital-ocean";
 import { FlyioConnectionListItemSchema, SanitizedFlyioConnectionSchema } from "@app/services/app-connection/flyio";
 import { GcpConnectionListItemSchema, SanitizedGcpConnectionSchema } from "@app/services/app-connection/gcp";
 import { GitHubConnectionListItemSchema, SanitizedGitHubConnectionSchema } from "@app/services/app-connection/github";
@@ -140,6 +144,7 @@ const SanitizedAppConnectionSchema = z.union([
  ...SanitizedRailwayConnectionSchema.options,
  ...SanitizedChecklyConnectionSchema.options,
  ...SanitizedSupabaseConnectionSchema.options,
+  ...SanitizedDigitalOceanConnectionSchema.options,
  ...SanitizedOktaConnectionSchema.options
 ]);

@@ -178,6 +183,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
  RailwayConnectionListItemSchema,
  ChecklyConnectionListItemSchema,
  SupabaseConnectionListItemSchema,
+  DigitalOceanConnectionListItemSchema,
  OktaConnectionListItemSchema
 ]);

--- a/backend/src/server/routes/v1/app-connection-routers/bitbucket-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/bitbucket-connection-router.ts
@@ -85,4 +85,40 @@ export const registerBitbucketConnectionRouter = async (server: FastifyZodProvid
      return { repositories };
    }
  });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/environments`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      querystring: z.object({
+        workspaceSlug: z.string().min(1).max(255),
+        repositorySlug: z.string().min(1).max(255)
+      }),
+      response: {
+        200: z.object({
+          environments: z.object({ slug: z.string(), name: z.string(), uuid: z.string() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        params: { connectionId },
+        query: { workspaceSlug, repositorySlug }
+      } = req;
+
+      const environments = await server.services.appConnection.bitbucket.listEnvironments(
+        { connectionId, workspaceSlug, repositorySlug },
+        req.permission
+      );
+
+      return { environments };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/app-connection-routers/digital-ocean-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/digital-ocean-connection-router.ts
@@ -0,0 +1,57 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateDigitalOceanConnectionSchema,
+  SanitizedDigitalOceanConnectionSchema,
+  UpdateDigitalOceanConnectionSchema
+} from "@app/services/app-connection/digital-ocean";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerDigitalOceanConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.DigitalOcean,
+    server,
+    createSchema: CreateDigitalOceanConnectionSchema,
+    updateSchema: UpdateDigitalOceanConnectionSchema,
+    sanitizedResponseSchema: SanitizedDigitalOceanConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/apps`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          apps: z
+            .object({
+              id: z.string(),
+              spec: z.object({
+                name: z.string()
+              })
+            })
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const apps = await server.services.appConnection.digitalOcean.listApps(connectionId, req.permission);
+
+      return { apps };
+    }
+  });
+};
--- a/backend/src/server/routes/v1/app-connection-routers/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/index.ts
@@ -14,6 +14,7 @@ import { registerCamundaConnectionRouter } from "./camunda-connection-router";
 import { registerChecklyConnectionRouter } from "./checkly-connection-router";
 import { registerCloudflareConnectionRouter } from "./cloudflare-connection-router";
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
+import { registerDigitalOceanConnectionRouter } from "./digital-ocean-connection-router";
 import { registerFlyioConnectionRouter } from "./flyio-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
@@ -74,5 +75,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
    [AppConnection.Railway]: registerRailwayConnectionRouter,
    [AppConnection.Checkly]: registerChecklyConnectionRouter,
    [AppConnection.Supabase]: registerSupabaseConnectionRouter,
+    [AppConnection.DigitalOcean]: registerDigitalOceanConnectionRouter,
    [AppConnection.Okta]: registerOktaConnectionRouter
  };
--- a/backend/src/server/routes/v1/dashboard-router.ts
+++ b/backend/src/server/routes/v1/dashboard-router.ts
@@ -270,11 +270,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
              }
            }
          });
-
-          remainingLimit -= imports.length;
-          adjustedOffset = 0;
-        } else {
-          adjustedOffset = Math.max(0, adjustedOffset - totalImportCount);
        }
      }

@@ -317,7 +312,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
        }
      }

-      if (!includeDynamicSecrets && !includeSecrets)
+      if (!includeDynamicSecrets && !includeSecrets && !includeSecretRotations)
        return {
          folders,
          totalFolderCount,
@@ -547,7 +542,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          (totalFolderCount ?? 0) +
          (totalDynamicSecretCount ?? 0) +
          (totalSecretCount ?? 0) +
-          (totalImportCount ?? 0) +
          (totalSecretRotationCount ?? 0)
      };
    }
@@ -904,7 +898,9 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
            projectId,
            path: secretPath,
            search,
-            tagSlugs: tags
+            tagSlugs: tags,
+            includeTagsInSearch: true,
+            includeMetadataInSearch: true
          });

          if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
@@ -924,7 +920,9 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
                search,
                limit: remainingLimit,
                offset: adjustedOffset,
-                tagSlugs: tags
+                tagSlugs: tags,
+                includeTagsInSearch: true,
+                includeMetadataInSearch: true
              })
            ).secrets;
          }
@@ -1097,7 +1095,8 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          filters: {
            ...sharedFilters,
            tagSlugs: tags,
-            includeTagsInSearch: true
+            includeTagsInSearch: true,
+            includeMetadataInSearch: true
          }
        },
        req.permission
--- a/backend/src/server/routes/v1/index.ts
+++ b/backend/src/server/routes/v1/index.ts
@@ -42,6 +42,7 @@ import { registerProjectEnvRouter } from "./project-env-router";
 import { registerProjectKeyRouter } from "./project-key-router";
 import { registerProjectMembershipRouter } from "./project-membership-router";
 import { registerProjectRouter } from "./project-router";
+import { SECRET_REMINDER_REGISTER_ROUTER_MAP } from "./reminder-routers";
 import { registerSecretFolderRouter } from "./secret-folder-router";
 import { registerSecretImportRouter } from "./secret-import-router";
 import { registerSecretRequestsRouter } from "./secret-requests-router";
@@ -172,4 +173,14 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
    },
    { prefix: "/secret-syncs" }
  );
+
+  await server.register(
+    async (reminderRouter) => {
+      // register service specific reminder endpoints (reminders/secret)
+      for await (const [reminderType, router] of Object.entries(SECRET_REMINDER_REGISTER_ROUTER_MAP)) {
+        await reminderRouter.register(router, { prefix: `/${reminderType}` });
+      }
+    },
+    { prefix: "/reminders" }
+  );
 };
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@@ -158,7 +158,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        includeRoles: z
          .enum(["true", "false"])
          .default("false")
-          .transform((value) => value === "true")
+          .transform((value) => value === "true"),
+        type: z.nativeEnum(ProjectType).optional()
      }),
      response: {
        200: z.object({
@@ -177,7 +178,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
-        actorOrgId: req.permission.orgId
+        actorOrgId: req.permission.orgId,
+        type: req.query.type
      });
      return { workspaces };
    }
@@ -1050,6 +1052,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      body: z.object({
        limit: z.number().default(100),
        offset: z.number().default(0),
+        type: z.nativeEnum(ProjectType).optional(),
        orderBy: z.nativeEnum(SearchProjectSortBy).optional().default(SearchProjectSortBy.NAME),
        orderDirection: z.nativeEnum(SortDirection).optional().default(SortDirection.ASC),
        name: z
--- a/backend/src/server/routes/v1/reminder-routers/index.ts
+++ b/backend/src/server/routes/v1/reminder-routers/index.ts
@@ -0,0 +1,8 @@
+import { ReminderType } from "@app/services/reminder/reminder-enums";
+
+import { registerSecretReminderRouter } from "./secret-reminder-router";
+
+export const SECRET_REMINDER_REGISTER_ROUTER_MAP: Record<ReminderType, (server: FastifyZodProvider) => Promise<void>> =
+  {
+    [ReminderType.SECRETS]: registerSecretReminderRouter
+  };
--- a/backend/src/server/routes/v1/reminder-routers/secret-reminder-router.ts
+++ b/backend/src/server/routes/v1/reminder-routers/secret-reminder-router.ts
@@ -0,0 +1,154 @@
+import { z } from "zod";
+
+import { RemindersSchema } from "@app/db/schemas/reminders";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerSecretReminderRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    url: "/:secretId",
+    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        secretId: z.string().uuid()
+      }),
+      body: z
+        .object({
+          message: z.string().trim().max(1024).optional(),
+          repeatDays: z.number().min(1).nullable().optional(),
+          nextReminderDate: z.string().datetime().nullable().optional(),
+          recipients: z.string().array().optional()
+        })
+        .refine((data) => {
+          return data.repeatDays || data.nextReminderDate;
+        }, "At least one of repeatDays or nextReminderDate is required"),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      await server.services.reminder.createReminder({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        reminder: {
+          secretId: req.params.secretId,
+          message: req.body.message,
+          repeatDays: req.body.repeatDays,
+          nextReminderDate: req.body.nextReminderDate,
+          recipients: req.body.recipients
+        }
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.CREATE_SECRET_REMINDER,
+          metadata: {
+            secretId: req.params.secretId,
+            message: req.body.message,
+            repeatDays: req.body.repeatDays,
+            nextReminderDate: req.body.nextReminderDate,
+            recipients: req.body.recipients
+          }
+        }
+      });
+
+      return { message: "Successfully created reminder" };
+    }
+  });
+
+  server.route({
+    url: "/:secretId",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        secretId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          reminder: RemindersSchema.extend({
+            recipients: z.string().array().optional()
+          })
+            .optional()
+            .nullable()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const reminder = await server.services.reminder.getReminder({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        secretId: req.params.secretId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_SECRET_REMINDER,
+          metadata: {
+            secretId: req.params.secretId
+          }
+        }
+      });
+      return { reminder };
+    }
+  });
+
+  server.route({
+    url: "/:secretId",
+    method: "DELETE",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        secretId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      await server.services.reminder.deleteReminder({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        secretId: req.params.secretId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.DELETE_SECRET_REMINDER,
+          metadata: {
+            secretId: req.params.secretId
+          }
+        }
+      });
+      return { message: "Successfully deleted reminder" };
+    }
+  });
+};
--- a/backend/src/server/routes/v1/secret-sync-routers/bitbucket-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/bitbucket-sync-router.ts
@@ -0,0 +1,17 @@
+import {
+  BitbucketSyncSchema,
+  CreateBitbucketSyncSchema,
+  UpdateBitbucketSyncSchema
+} from "@app/services/secret-sync/bitbucket";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerBitbucketSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Bitbucket,
+    server,
+    responseSchema: BitbucketSyncSchema,
+    createSchema: CreateBitbucketSyncSchema,
+    updateSchema: UpdateBitbucketSyncSchema
+  });
--- a/backend/src/server/routes/v1/secret-sync-routers/digital-ocean-app-platform-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/digital-ocean-app-platform-sync-router.ts
@@ -0,0 +1,17 @@
+import {
+  CreateDigitalOceanAppPlatformSyncSchema,
+  DigitalOceanAppPlatformSyncSchema,
+  UpdateDigitalOceanAppPlatformSyncSchema
+} from "@app/services/secret-sync/digital-ocean-app-platform";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerDigitalOceanAppPlatformSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.DigitalOceanAppPlatform,
+    server,
+    responseSchema: DigitalOceanAppPlatformSyncSchema,
+    createSchema: CreateDigitalOceanAppPlatformSyncSchema,
+    updateSchema: UpdateDigitalOceanAppPlatformSyncSchema
+  });
--- a/backend/src/server/routes/v1/secret-sync-routers/index.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/index.ts
@@ -7,11 +7,13 @@ import { registerAwsSecretsManagerSyncRouter } from "./aws-secrets-manager-sync-
 import { registerAzureAppConfigurationSyncRouter } from "./azure-app-configuration-sync-router";
 import { registerAzureDevOpsSyncRouter } from "./azure-devops-sync-router";
 import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
+import { registerBitbucketSyncRouter } from "./bitbucket-sync-router";
 import { registerCamundaSyncRouter } from "./camunda-sync-router";
 import { registerChecklySyncRouter } from "./checkly-sync-router";
 import { registerCloudflarePagesSyncRouter } from "./cloudflare-pages-sync-router";
 import { registerCloudflareWorkersSyncRouter } from "./cloudflare-workers-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
+import { registerDigitalOceanAppPlatformSyncRouter } from "./digital-ocean-app-platform-sync-router";
 import { registerFlyioSyncRouter } from "./flyio-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
@@ -57,5 +59,7 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
  [SecretSync.Supabase]: registerSupabaseSyncRouter,
  [SecretSync.Zabbix]: registerZabbixSyncRouter,
  [SecretSync.Railway]: registerRailwaySyncRouter,
-  [SecretSync.Checkly]: registerChecklySyncRouter
+  [SecretSync.Checkly]: registerChecklySyncRouter,
+  [SecretSync.DigitalOceanAppPlatform]: registerDigitalOceanAppPlatformSyncRouter,
+  [SecretSync.Bitbucket]: registerBitbucketSyncRouter
 };
--- a/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
@@ -21,6 +21,7 @@ import {
 } from "@app/services/secret-sync/azure-app-configuration";
 import { AzureDevOpsSyncListItemSchema, AzureDevOpsSyncSchema } from "@app/services/secret-sync/azure-devops";
 import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/services/secret-sync/azure-key-vault";
+import { BitbucketSyncListItemSchema, BitbucketSyncSchema } from "@app/services/secret-sync/bitbucket";
 import { CamundaSyncListItemSchema, CamundaSyncSchema } from "@app/services/secret-sync/camunda";
 import { ChecklySyncListItemSchema, ChecklySyncSchema } from "@app/services/secret-sync/checkly/checkly-sync-schemas";
 import {
@@ -32,6 +33,10 @@ import {
  CloudflareWorkersSyncSchema
 } from "@app/services/secret-sync/cloudflare-workers/cloudflare-workers-schemas";
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
+import {
+  DigitalOceanAppPlatformSyncListItemSchema,
+  DigitalOceanAppPlatformSyncSchema
+} from "@app/services/secret-sync/digital-ocean-app-platform";
 import { FlyioSyncListItemSchema, FlyioSyncSchema } from "@app/services/secret-sync/flyio";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
@@ -75,7 +80,9 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
  SupabaseSyncSchema,
  ZabbixSyncSchema,
  RailwaySyncSchema,
-  ChecklySyncSchema
+  ChecklySyncSchema,
+  DigitalOceanAppPlatformSyncSchema,
+  BitbucketSyncSchema
 ]);

 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -102,11 +109,12 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
  GitLabSyncListItemSchema,
  CloudflarePagesSyncListItemSchema,
  CloudflareWorkersSyncListItemSchema,
-
+  DigitalOceanAppPlatformSyncListItemSchema,
  ZabbixSyncListItemSchema,
  RailwaySyncListItemSchema,
  ChecklySyncListItemSchema,
-  SupabaseSyncListItemSchema
+  SupabaseSyncListItemSchema,
+  BitbucketSyncListItemSchema
 ]);

 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {
--- a/backend/src/server/routes/v3/external-migration-router.ts
+++ b/backend/src/server/routes/v3/external-migration-router.ts
@@ -1,9 +1,11 @@
 import fastifyMultipart from "@fastify/multipart";
+import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
-import { readLimit } from "@app/server/config/rateLimiter";
+import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { VaultMappingType } from "@app/services/external-migration/external-migration-types";

 const MB25_IN_BYTES = 26214400;

@@ -15,7 +17,7 @@ export const registerExternalMigrationRouter = async (server: FastifyZodProvider
    bodyLimit: MB25_IN_BYTES,
    url: "/env-key",
    config: {
-      rateLimit: readLimit
+      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
@@ -52,4 +54,30 @@ export const registerExternalMigrationRouter = async (server: FastifyZodProvider
      });
    }
  });
+
+  server.route({
+    method: "POST",
+    url: "/vault",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        vaultAccessToken: z.string(),
+        vaultNamespace: z.string().trim().optional(),
+        vaultUrl: z.string(),
+        mappingType: z.nativeEnum(VaultMappingType)
+      })
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      await server.services.migration.importVaultData({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body
+      });
+    }
+  });
 };
--- a/backend/src/server/routes/v3/index.ts
+++ b/backend/src/server/routes/v3/index.ts
@@ -11,5 +11,5 @@ export const registerV3Routes = async (server: FastifyZodProvider) => {
  await server.register(registerUserRouter, { prefix: "/users" });
  await server.register(registerSecretRouter, { prefix: "/secrets" });
  await server.register(registerSecretBlindIndexRouter, { prefix: "/workspaces" });
-  await server.register(registerExternalMigrationRouter, { prefix: "/migrate" });
+  await server.register(registerExternalMigrationRouter, { prefix: "/external-migration" });
 };
--- a/backend/src/services/app-connection/app-connection-enums.ts
+++ b/backend/src/services/app-connection/app-connection-enums.ts
@@ -33,6 +33,7 @@ export enum AppConnection {
  Bitbucket = "bitbucket",
  Checkly = "checkly",
  Supabase = "supabase",
+  DigitalOcean = "digital-ocean",
  Okta = "okta"
 }

--- a/backend/src/services/app-connection/app-connection-fns.ts
+++ b/backend/src/services/app-connection/app-connection-fns.ts
@@ -68,6 +68,11 @@ import {
  getDatabricksConnectionListItem,
  validateDatabricksConnectionCredentials
 } from "./databricks";
+import {
+  DigitalOceanConnectionMethod,
+  getDigitalOceanConnectionListItem,
+  validateDigitalOceanConnectionCredentials
+} from "./digital-ocean";
 import { FlyioConnectionMethod, getFlyioConnectionListItem, validateFlyioConnectionCredentials } from "./flyio";
 import { GcpConnectionMethod, getGcpConnectionListItem, validateGcpConnectionCredentials } from "./gcp";
 import { getGitHubConnectionListItem, GitHubConnectionMethod, validateGitHubConnectionCredentials } from "./github";
@@ -157,6 +162,7 @@ export const listAppConnectionOptions = () => {
    getBitbucketConnectionListItem(),
    getChecklyConnectionListItem(),
    getSupabaseConnectionListItem(),
+    getDigitalOceanConnectionListItem(),
    getOktaConnectionListItem()
  ].sort((a, b) => a.name.localeCompare(b.name));
 };
@@ -244,6 +250,7 @@ export const validateAppConnectionCredentials = async (
    [AppConnection.Bitbucket]: validateBitbucketConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.Checkly]: validateChecklyConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.Supabase]: validateSupabaseConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.DigitalOcean]: validateDigitalOceanConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.Okta]: validateOktaConnectionCredentials as TAppConnectionCredentialsValidator
  };

@@ -283,6 +290,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
    case CloudflareConnectionMethod.APIToken:
    case BitbucketConnectionMethod.ApiToken:
    case ZabbixConnectionMethod.ApiToken:
+    case DigitalOceanConnectionMethod.ApiToken:
    case OktaConnectionMethod.ApiToken:
      return "API Token";
    case PostgresConnectionMethod.UsernameAndPassword:
@@ -372,6 +380,7 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
  [AppConnection.Bitbucket]: platformManagedCredentialsNotSupported,
  [AppConnection.Checkly]: platformManagedCredentialsNotSupported,
  [AppConnection.Supabase]: platformManagedCredentialsNotSupported,
+  [AppConnection.DigitalOcean]: platformManagedCredentialsNotSupported,
  [AppConnection.Okta]: platformManagedCredentialsNotSupported
 };

--- a/backend/src/services/app-connection/app-connection-maps.ts
+++ b/backend/src/services/app-connection/app-connection-maps.ts
@@ -35,6 +35,7 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
  [AppConnection.Bitbucket]: "Bitbucket",
  [AppConnection.Checkly]: "Checkly",
  [AppConnection.Supabase]: "Supabase",
+  [AppConnection.DigitalOcean]: "DigitalOcean App Platform",
  [AppConnection.Okta]: "Okta"
 };

@@ -73,5 +74,6 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
  [AppConnection.Bitbucket]: AppConnectionPlanType.Regular,
  [AppConnection.Checkly]: AppConnectionPlanType.Regular,
  [AppConnection.Supabase]: AppConnectionPlanType.Regular,
+  [AppConnection.DigitalOcean]: AppConnectionPlanType.Regular,
  [AppConnection.Okta]: AppConnectionPlanType.Regular
 };
--- a/backend/src/services/app-connection/app-connection-service.ts
+++ b/backend/src/services/app-connection/app-connection-service.ts
@@ -61,6 +61,8 @@ import { ValidateCloudflareConnectionCredentialsSchema } from "./cloudflare/clou
 import { cloudflareConnectionService } from "./cloudflare/cloudflare-connection-service";
 import { ValidateDatabricksConnectionCredentialsSchema } from "./databricks";
 import { databricksConnectionService } from "./databricks/databricks-connection-service";
+import { ValidateDigitalOceanConnectionCredentialsSchema } from "./digital-ocean";
+import { digitalOceanAppPlatformConnectionService } from "./digital-ocean/digital-ocean-connection-service";
 import { ValidateFlyioConnectionCredentialsSchema } from "./flyio";
 import { flyioConnectionService } from "./flyio/flyio-connection-service";
 import { ValidateGcpConnectionCredentialsSchema } from "./gcp";
@@ -145,6 +147,7 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
  [AppConnection.Bitbucket]: ValidateBitbucketConnectionCredentialsSchema,
  [AppConnection.Checkly]: ValidateChecklyConnectionCredentialsSchema,
  [AppConnection.Supabase]: ValidateSupabaseConnectionCredentialsSchema,
+  [AppConnection.DigitalOcean]: ValidateDigitalOceanConnectionCredentialsSchema,
  [AppConnection.Okta]: ValidateOktaConnectionCredentialsSchema
 };

@@ -607,6 +610,7 @@ export const appConnectionServiceFactory = ({
    bitbucket: bitbucketConnectionService(connectAppConnectionById),
    checkly: checklyConnectionService(connectAppConnectionById),
    supabase: supabaseConnectionService(connectAppConnectionById),
+    digitalOcean: digitalOceanAppPlatformConnectionService(connectAppConnectionById),
    okta: oktaConnectionService(connectAppConnectionById)
  };
 };
--- a/backend/src/services/app-connection/app-connection-types.ts
+++ b/backend/src/services/app-connection/app-connection-types.ts
@@ -87,6 +87,12 @@ import {
  TDatabricksConnectionInput,
  TValidateDatabricksConnectionCredentialsSchema
 } from "./databricks";
+import {
+  TDigitalOceanConnection,
+  TDigitalOceanConnectionConfig,
+  TDigitalOceanConnectionInput,
+  TValidateDigitalOceanCredentialsSchema
+} from "./digital-ocean";
 import {
  TFlyioConnection,
  TFlyioConnectionConfig,
@@ -238,6 +244,7 @@ export type TAppConnection = { id: string } & (
  | TRailwayConnection
  | TChecklyConnection
  | TSupabaseConnection
+  | TDigitalOceanConnection
  | TOktaConnection
 );

@@ -280,6 +287,7 @@ export type TAppConnectionInput = { id: string } & (
  | TRailwayConnectionInput
  | TChecklyConnectionInput
  | TSupabaseConnectionInput
+  | TDigitalOceanConnectionInput
  | TOktaConnectionInput
 );

@@ -330,6 +338,7 @@ export type TAppConnectionConfig =
  | TRailwayConnectionConfig
  | TChecklyConnectionConfig
  | TSupabaseConnectionConfig
+  | TDigitalOceanConnectionConfig
  | TOktaConnectionConfig;

 export type TValidateAppConnectionCredentialsSchema =
@@ -367,6 +376,7 @@ export type TValidateAppConnectionCredentialsSchema =
  | TValidateRailwayConnectionCredentialsSchema
  | TValidateChecklyConnectionCredentialsSchema
  | TValidateSupabaseConnectionCredentialsSchema
+  | TValidateDigitalOceanCredentialsSchema
  | TValidateOktaConnectionCredentialsSchema;

 export type TListAwsConnectionKmsKeys = {
--- a/backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-connection-enums.ts
+++ b/backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-connection-enums.ts
@@ -1,3 +1,4 @@
 export enum AzureClientSecretsConnectionMethod {
-  OAuth = "oauth"
+  OAuth = "oauth",
+  ClientSecret = "client-secret"
 }
--- a/backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-connection-fns.ts
+++ b/backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-connection-fns.ts
@@ -1,3 +1,4 @@
+/* eslint-disable no-case-declarations */
 import { AxiosError, AxiosResponse } from "axios";

 import { getConfig } from "@app/lib/config/env";
@@ -16,6 +17,7 @@ import { AppConnection } from "../app-connection-enums";
 import { AzureClientSecretsConnectionMethod } from "./azure-client-secrets-connection-enums";
 import {
  ExchangeCodeAzureResponse,
+  TAzureClientSecretsConnectionClientSecretCredentials,
  TAzureClientSecretsConnectionConfig,
  TAzureClientSecretsConnectionCredentials
 } from "./azure-client-secrets-connection-types";
@@ -26,7 +28,10 @@ export const getAzureClientSecretsConnectionListItem = () => {
  return {
    name: "Azure Client Secrets" as const,
    app: AppConnection.AzureClientSecrets as const,
-    methods: Object.values(AzureClientSecretsConnectionMethod) as [AzureClientSecretsConnectionMethod.OAuth],
+    methods: Object.values(AzureClientSecretsConnectionMethod) as [
+      AzureClientSecretsConnectionMethod.OAuth,
+      AzureClientSecretsConnectionMethod.ClientSecret
+    ],
    oauthClientId: INF_APP_CONNECTION_AZURE_CLIENT_ID
  };
 };
@@ -37,12 +42,6 @@ export const getAzureConnectionAccessToken = async (
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
 ) => {
  const appCfg = getConfig();
-  if (!appCfg.INF_APP_CONNECTION_AZURE_CLIENT_ID || !appCfg.INF_APP_CONNECTION_AZURE_CLIENT_SECRET) {
-    throw new BadRequestError({
-      message: `Azure environment variables have not been configured`
-    });
-  }
-
  const appConnection = await appConnectionDAL.findById(connectionId);

  if (!appConnection) {
@@ -63,34 +62,81 @@ export const getAzureConnectionAccessToken = async (

  const { refreshToken } = credentials;
  const currentTime = Date.now();
+  switch (appConnection.method) {
+    case AzureClientSecretsConnectionMethod.OAuth:
+      if (!appCfg.INF_APP_CONNECTION_AZURE_CLIENT_ID || !appCfg.INF_APP_CONNECTION_AZURE_CLIENT_SECRET) {
+        throw new BadRequestError({
+          message: `Azure OAuth environment variables have not been configured`
+        });
+      }
+      const { data } = await request.post<ExchangeCodeAzureResponse>(
+        IntegrationUrls.AZURE_TOKEN_URL.replace("common", credentials.tenantId || "common"),
+        new URLSearchParams({
+          grant_type: "refresh_token",
+          scope: `openid offline_access https://graph.microsoft.com/.default`,
+          client_id: appCfg.INF_APP_CONNECTION_AZURE_CLIENT_ID,
+          client_secret: appCfg.INF_APP_CONNECTION_AZURE_CLIENT_SECRET,
+          refresh_token: refreshToken
+        })
+      );

-  const { data } = await request.post<ExchangeCodeAzureResponse>(
-    IntegrationUrls.AZURE_TOKEN_URL.replace("common", credentials.tenantId || "common"),
-    new URLSearchParams({
-      grant_type: "refresh_token",
-      scope: `openid offline_access https://graph.microsoft.com/.default`,
-      client_id: appCfg.INF_APP_CONNECTION_AZURE_CLIENT_ID,
-      client_secret: appCfg.INF_APP_CONNECTION_AZURE_CLIENT_SECRET,
-      refresh_token: refreshToken
-    })
-  );
+      const updatedCredentials = {
+        ...credentials,
+        accessToken: data.access_token,
+        expiresAt: currentTime + data.expires_in * 1000,
+        refreshToken: data.refresh_token
+      };

-  const updatedCredentials = {
-    ...credentials,
-    accessToken: data.access_token,
-    expiresAt: currentTime + data.expires_in * 1000,
-    refreshToken: data.refresh_token
-  };
+      const encryptedCredentials = await encryptAppConnectionCredentials({
+        credentials: updatedCredentials,
+        orgId: appConnection.orgId,
+        kmsService
+      });

-  const encryptedCredentials = await encryptAppConnectionCredentials({
-    credentials: updatedCredentials,
-    orgId: appConnection.orgId,
-    kmsService
-  });
+      await appConnectionDAL.updateById(appConnection.id, { encryptedCredentials });

-  await appConnectionDAL.updateById(appConnection.id, { encryptedCredentials });
+      return data.access_token;
+    case AzureClientSecretsConnectionMethod.ClientSecret:
+      const accessTokenCredentials = (await decryptAppConnectionCredentials({
+        orgId: appConnection.orgId,
+        kmsService,
+        encryptedCredentials: appConnection.encryptedCredentials
+      })) as TAzureClientSecretsConnectionClientSecretCredentials;
+      const { accessToken, expiresAt, clientId, clientSecret, tenantId } = accessTokenCredentials;
+      if (accessToken && expiresAt && expiresAt > currentTime + 300000) {
+        return accessToken;
+      }

-  return data.access_token;
+      const { data: clientData } = await request.post<ExchangeCodeAzureResponse>(
+        IntegrationUrls.AZURE_TOKEN_URL.replace("common", tenantId || "common"),
+        new URLSearchParams({
+          grant_type: "client_credentials",
+          scope: `https://graph.microsoft.com/.default`,
+          client_id: clientId,
+          client_secret: clientSecret
+        })
+      );
+
+      const updatedClientCredentials = {
+        ...accessTokenCredentials,
+        accessToken: clientData.access_token,
+        expiresAt: currentTime + clientData.expires_in * 1000
+      };
+
+      const encryptedClientCredentials = await encryptAppConnectionCredentials({
+        credentials: updatedClientCredentials,
+        orgId: appConnection.orgId,
+        kmsService
+      });
+
+      await appConnectionDAL.updateById(appConnection.id, { encryptedCredentials: encryptedClientCredentials });
+
+      return clientData.access_token;
+    default:
+      throw new InternalServerError({
+        message: `Unhandled Azure connection method: ${appConnection.method as AzureClientSecretsConnectionMethod}`
+      });
+  }
 };

 export const validateAzureClientSecretsConnectionCredentials = async (config: TAzureClientSecretsConnectionConfig) => {
@@ -98,69 +144,103 @@ export const validateAzureClientSecretsConnectionCredentials = async (config: TA

  const { INF_APP_CONNECTION_AZURE_CLIENT_ID, INF_APP_CONNECTION_AZURE_CLIENT_SECRET, SITE_URL } = getConfig();

-  if (!SITE_URL) {
-    throw new InternalServerError({ message: "SITE_URL env var is required to complete Azure OAuth flow" });
-  }
-
-  if (!INF_APP_CONNECTION_AZURE_CLIENT_ID || !INF_APP_CONNECTION_AZURE_CLIENT_SECRET) {
-    throw new InternalServerError({
-      message: `Azure ${getAppConnectionMethodName(method)} environment variables have not been configured`
-    });
-  }
-
-  let tokenResp: AxiosResponse<ExchangeCodeAzureResponse> | null = null;
-  let tokenError: AxiosError | null = null;
-
-  try {
-    tokenResp = await request.post<ExchangeCodeAzureResponse>(
-      IntegrationUrls.AZURE_TOKEN_URL.replace("common", inputCredentials.tenantId || "common"),
-      new URLSearchParams({
-        grant_type: "authorization_code",
-        code: inputCredentials.code,
-        scope: `openid offline_access https://graph.microsoft.com/.default`,
-        client_id: INF_APP_CONNECTION_AZURE_CLIENT_ID,
-        client_secret: INF_APP_CONNECTION_AZURE_CLIENT_SECRET,
-        redirect_uri: `${SITE_URL}/organization/app-connections/azure/oauth/callback`
-      })
-    );
-  } catch (e: unknown) {
-    if (e instanceof AxiosError) {
-      tokenError = e;
-    } else {
-      throw new BadRequestError({
-        message: `Unable to validate connection: verify credentials`
-      });
-    }
-  }
-
-  if (tokenError) {
-    if (tokenError instanceof AxiosError) {
-      throw new BadRequestError({
-        message: `Failed to get access token: ${
-          (tokenError?.response?.data as { error_description?: string })?.error_description || "Unknown error"
-        }`
-      });
-    } else {
-      throw new InternalServerError({
-        message: "Failed to get access token"
-      });
-    }
-  }
-
-  if (!tokenResp) {
-    throw new InternalServerError({
-      message: `Failed to get access token: Token was empty with no error`
-    });
-  }
-
  switch (method) {
    case AzureClientSecretsConnectionMethod.OAuth:
+      if (!SITE_URL) {
+        throw new InternalServerError({ message: "SITE_URL env var is required to complete Azure OAuth flow" });
+      }
+
+      if (!INF_APP_CONNECTION_AZURE_CLIENT_ID || !INF_APP_CONNECTION_AZURE_CLIENT_SECRET) {
+        throw new InternalServerError({
+          message: `Azure ${getAppConnectionMethodName(method)} environment variables have not been configured`
+        });
+      }
+
+      let tokenResp: AxiosResponse<ExchangeCodeAzureResponse> | null = null;
+      let tokenError: AxiosError | null = null;
+
+      try {
+        tokenResp = await request.post<ExchangeCodeAzureResponse>(
+          IntegrationUrls.AZURE_TOKEN_URL.replace("common", inputCredentials.tenantId || "common"),
+          new URLSearchParams({
+            grant_type: "authorization_code",
+            code: inputCredentials.code,
+            scope: `openid offline_access https://graph.microsoft.com/.default`,
+            client_id: INF_APP_CONNECTION_AZURE_CLIENT_ID,
+            client_secret: INF_APP_CONNECTION_AZURE_CLIENT_SECRET,
+            redirect_uri: `${SITE_URL}/organization/app-connections/azure/oauth/callback`
+          })
+        );
+      } catch (e: unknown) {
+        if (e instanceof AxiosError) {
+          tokenError = e;
+        } else {
+          throw new BadRequestError({
+            message: `Unable to validate connection: verify credentials`
+          });
+        }
+      }
+
+      if (tokenError) {
+        if (tokenError instanceof AxiosError) {
+          throw new BadRequestError({
+            message: `Failed to get access token: ${
+              (tokenError?.response?.data as { error_description?: string })?.error_description || "Unknown error"
+            }`
+          });
+        } else {
+          throw new InternalServerError({
+            message: "Failed to get access token"
+          });
+        }
+      }
+
+      if (!tokenResp) {
+        throw new InternalServerError({
+          message: `Failed to get access token: Token was empty with no error`
+        });
+      }
+
      return {
        tenantId: inputCredentials.tenantId,
        accessToken: tokenResp.data.access_token,
        refreshToken: tokenResp.data.refresh_token,
        expiresAt: Date.now() + tokenResp.data.expires_in * 1000
      };
+
+    case AzureClientSecretsConnectionMethod.ClientSecret:
+      const { tenantId, clientId, clientSecret } = inputCredentials;
+      try {
+        const { data: clientData } = await request.post<ExchangeCodeAzureResponse>(
+          IntegrationUrls.AZURE_TOKEN_URL.replace("common", tenantId || "common"),
+          new URLSearchParams({
+            grant_type: "client_credentials",
+            scope: `https://graph.microsoft.com/.default`,
+            client_id: clientId,
+            client_secret: clientSecret
+          })
+        );
+
+        return {
+          tenantId,
+          accessToken: clientData.access_token,
+          expiresAt: Date.now() + clientData.expires_in * 1000,
+          clientId,
+          clientSecret
+        };
+      } catch (e: unknown) {
+        if (e instanceof AxiosError) {
+          throw new BadRequestError({
+            message: `Failed to get access token: ${
+              (e?.response?.data as { error_description?: string })?.error_description || "Unknown error"
+            }`
+          });
+        } else {
+          throw new InternalServerError({
+            message: "Failed to get access token"
+          });
+        }
+      }
    default:
      throw new InternalServerError({
        message: `Unhandled Azure connection method: ${method as AzureClientSecretsConnectionMethod}`
--- a/backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-connection-schemas.ts
+++ b/backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-connection-schemas.ts
@@ -26,6 +26,36 @@ export const AzureClientSecretsConnectionOAuthOutputCredentialsSchema = z.object
  expiresAt: z.number()
 });

+export const AzureClientSecretsConnectionClientSecretInputCredentialsSchema = z.object({
+  clientId: z
+    .string()
+    .uuid()
+    .trim()
+    .min(1, "Client ID required")
+    .max(50, "Client ID must be at most 50 characters long")
+    .describe(AppConnections.CREDENTIALS.AZURE_CLIENT_SECRETS.clientId),
+  clientSecret: z
+    .string()
+    .trim()
+    .min(1, "Client Secret required")
+    .max(50, "Client Secret must be at most 50 characters long")
+    .describe(AppConnections.CREDENTIALS.AZURE_CLIENT_SECRETS.clientSecret),
+  tenantId: z
+    .string()
+    .uuid()
+    .trim()
+    .min(1, "Tenant ID required")
+    .describe(AppConnections.CREDENTIALS.AZURE_CLIENT_SECRETS.tenantId)
+});
+
+export const AzureClientSecretsConnectionClientSecretOutputCredentialsSchema = z.object({
+  clientId: z.string(),
+  clientSecret: z.string(),
+  tenantId: z.string(),
+  accessToken: z.string(),
+  expiresAt: z.number()
+});
+
 export const ValidateAzureClientSecretsConnectionCredentialsSchema = z.discriminatedUnion("method", [
  z.object({
    method: z
@@ -34,6 +64,14 @@ export const ValidateAzureClientSecretsConnectionCredentialsSchema = z.discrimin
    credentials: AzureClientSecretsConnectionOAuthInputCredentialsSchema.describe(
      AppConnections.CREATE(AppConnection.AzureClientSecrets).credentials
    )
+  }),
+  z.object({
+    method: z
+      .literal(AzureClientSecretsConnectionMethod.ClientSecret)
+      .describe(AppConnections.CREATE(AppConnection.AzureClientSecrets).method),
+    credentials: AzureClientSecretsConnectionClientSecretInputCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.AzureClientSecrets).credentials
+    )
  })
 ]);

@@ -43,9 +81,13 @@ export const CreateAzureClientSecretsConnectionSchema = ValidateAzureClientSecre

 export const UpdateAzureClientSecretsConnectionSchema = z
  .object({
-    credentials: AzureClientSecretsConnectionOAuthInputCredentialsSchema.optional().describe(
-      AppConnections.UPDATE(AppConnection.AzureClientSecrets).credentials
-    )
+    credentials: z
+      .union([
+        AzureClientSecretsConnectionOAuthInputCredentialsSchema,
+        AzureClientSecretsConnectionClientSecretInputCredentialsSchema
+      ])
+      .optional()
+      .describe(AppConnections.UPDATE(AppConnection.AzureClientSecrets).credentials)
  })
  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.AzureClientSecrets));

@@ -59,6 +101,10 @@ export const AzureClientSecretsConnectionSchema = z.intersection(
    z.object({
      method: z.literal(AzureClientSecretsConnectionMethod.OAuth),
      credentials: AzureClientSecretsConnectionOAuthOutputCredentialsSchema
+    }),
+    z.object({
+      method: z.literal(AzureClientSecretsConnectionMethod.ClientSecret),
+      credentials: AzureClientSecretsConnectionClientSecretOutputCredentialsSchema
    })
  ])
 );
@@ -69,6 +115,13 @@ export const SanitizedAzureClientSecretsConnectionSchema = z.discriminatedUnion(
    credentials: AzureClientSecretsConnectionOAuthOutputCredentialsSchema.pick({
      tenantId: true
    })
+  }),
+  BaseAzureClientSecretsConnectionSchema.extend({
+    method: z.literal(AzureClientSecretsConnectionMethod.ClientSecret),
+    credentials: AzureClientSecretsConnectionClientSecretOutputCredentialsSchema.pick({
+      clientId: true,
+      tenantId: true
+    })
  })
 ]);

--- a/backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-connection-types.ts
+++ b/backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-connection-types.ts
@@ -4,6 +4,7 @@ import { DiscriminativePick } from "@app/lib/types";

 import { AppConnection } from "../app-connection-enums";
 import {
+  AzureClientSecretsConnectionClientSecretOutputCredentialsSchema,
  AzureClientSecretsConnectionOAuthOutputCredentialsSchema,
  AzureClientSecretsConnectionSchema,
  CreateAzureClientSecretsConnectionSchema,
@@ -30,6 +31,10 @@ export type TAzureClientSecretsConnectionCredentials = z.infer<
  typeof AzureClientSecretsConnectionOAuthOutputCredentialsSchema
 >;

+export type TAzureClientSecretsConnectionClientSecretCredentials = z.infer<
+  typeof AzureClientSecretsConnectionClientSecretOutputCredentialsSchema
+>;
+
 export interface ExchangeCodeAzureResponse {
  token_type: string;
  scope: string;
--- a/backend/src/services/app-connection/bitbucket/bitbucket-connection-fns.ts
+++ b/backend/src/services/app-connection/bitbucket/bitbucket-connection-fns.ts
@@ -9,6 +9,7 @@ import { BitbucketConnectionMethod } from "./bitbucket-connection-enums";
 import {
  TBitbucketConnection,
  TBitbucketConnectionConfig,
+  TBitbucketEnvironment,
  TBitbucketRepo,
  TBitbucketWorkspace
 } from "./bitbucket-connection-types";
@@ -21,11 +22,15 @@ export const getBitbucketConnectionListItem = () => {
  };
 };

+export const createAuthHeader = (email: string, apiToken: string): string => {
+  return `Basic ${Buffer.from(`${email}:${apiToken}`).toString("base64")}`;
+};
+
 export const getBitbucketUser = async ({ email, apiToken }: { email: string; apiToken: string }) => {
  try {
    const { data } = await request.get<{ username: string }>(`${IntegrationUrls.BITBUCKET_API_URL}/2.0/user`, {
      headers: {
-        Authorization: `Basic ${Buffer.from(`${email}:${apiToken}`).toString("base64")}`,
+        Authorization: createAuthHeader(email, apiToken),
        Accept: "application/json"
      }
    });
@@ -57,7 +62,7 @@ export const listBitbucketWorkspaces = async (appConnection: TBitbucketConnectio
  const { email, apiToken } = appConnection.credentials;

  const headers = {
-    Authorization: `Basic ${Buffer.from(`${email}:${apiToken}`).toString("base64")}`,
+    Authorization: createAuthHeader(email, apiToken),
    Accept: "application/json"
  };

@@ -89,7 +94,7 @@ export const listBitbucketRepositories = async (appConnection: TBitbucketConnect
  const { email, apiToken } = appConnection.credentials;

  const headers = {
-    Authorization: `Basic ${Buffer.from(`${email}:${apiToken}`).toString("base64")}`,
+    Authorization: createAuthHeader(email, apiToken),
    Accept: "application/json"
  };

@@ -115,3 +120,43 @@ export const listBitbucketRepositories = async (appConnection: TBitbucketConnect

  return allRepos;
 };
+
+export const listBitbucketEnvironments = async (
+  appConnection: TBitbucketConnection,
+  workspaceSlug: string,
+  repositorySlug: string
+) => {
+  const { email, apiToken } = appConnection.credentials;
+
+  const headers = {
+    Authorization: createAuthHeader(email, apiToken),
+    Accept: "application/json"
+  };
+
+  const environments: TBitbucketEnvironment[] = [];
+  let hasNextPage = true;
+
+  let environmentsUrl = `${IntegrationUrls.BITBUCKET_API_URL}/2.0/repositories/${encodeURIComponent(workspaceSlug)}/${encodeURIComponent(repositorySlug)}/environments?pagelen=100`;
+
+  let iterationCount = 0;
+  // Limit to 10 iterations, fetching at most 10 * 100 = 1000 environments
+  while (hasNextPage && iterationCount < 10) {
+    // eslint-disable-next-line no-await-in-loop
+    const { data }: { data: { values: TBitbucketEnvironment[]; next: string } } = await request.get(environmentsUrl, {
+      headers
+    });
+
+    if (data?.values.length > 0) {
+      environments.push(...data.values);
+    }
+
+    if (data.next) {
+      environmentsUrl = data.next;
+    } else {
+      hasNextPage = false;
+    }
+    iterationCount += 1;
+  }
+
+  return environments;
+};
--- a/backend/src/services/app-connection/bitbucket/bitbucket-connection-service.ts
+++ b/backend/src/services/app-connection/bitbucket/bitbucket-connection-service.ts
@@ -1,8 +1,16 @@
 import { OrgServiceActor } from "@app/lib/types";

 import { AppConnection } from "../app-connection-enums";
-import { listBitbucketRepositories, listBitbucketWorkspaces } from "./bitbucket-connection-fns";
-import { TBitbucketConnection, TGetBitbucketRepositoriesDTO } from "./bitbucket-connection-types";
+import {
+  listBitbucketEnvironments,
+  listBitbucketRepositories,
+  listBitbucketWorkspaces
+} from "./bitbucket-connection-fns";
+import {
+  TBitbucketConnection,
+  TGetBitbucketEnvironmentsDTO,
+  TGetBitbucketRepositoriesDTO
+} from "./bitbucket-connection-types";

 type TGetAppConnectionFunc = (
  app: AppConnection,
@@ -26,8 +34,18 @@ export const bitbucketConnectionService = (getAppConnection: TGetAppConnectionFu
    return repositories;
  };

+  const listEnvironments = async (
+    { connectionId, workspaceSlug, repositorySlug }: TGetBitbucketEnvironmentsDTO,
+    actor: OrgServiceActor
+  ) => {
+    const appConnection = await getAppConnection(AppConnection.Bitbucket, connectionId, actor);
+    const environments = await listBitbucketEnvironments(appConnection, workspaceSlug, repositorySlug);
+    return environments;
+  };
+
  return {
    listWorkspaces,
-    listRepositories
+    listRepositories,
+    listEnvironments
  };
 };
--- a/backend/src/services/app-connection/bitbucket/bitbucket-connection-types.ts
+++ b/backend/src/services/app-connection/bitbucket/bitbucket-connection-types.ts
@@ -38,3 +38,20 @@ export type TBitbucketRepo = {
  full_name: string; // workspace-slug/repo-slug
  slug: string;
 };
+
+export type TGetBitbucketEnvironmentsDTO = {
+  connectionId: string;
+  workspaceSlug: string;
+  repositorySlug: string;
+};
+
+export type TBitbucketEnvironment = {
+  uuid: string;
+  slug: string;
+  name: string;
+};
+
+export type TBitbucketEnvironmentsResponse = {
+  values: TBitbucketEnvironment[];
+  next?: string;
+};
--- a/backend/src/services/app-connection/digital-ocean/digital-ocean-connection-constants.ts
+++ b/backend/src/services/app-connection/digital-ocean/digital-ocean-connection-constants.ts
@@ -0,0 +1,3 @@
+export enum DigitalOceanConnectionMethod {
+  ApiToken = "api-token"
+}
--- a/backend/src/services/app-connection/digital-ocean/digital-ocean-connection-fns.ts
+++ b/backend/src/services/app-connection/digital-ocean/digital-ocean-connection-fns.ts
@@ -0,0 +1,37 @@
+/* eslint-disable no-await-in-loop */
+import { AxiosError } from "axios";
+import { z } from "zod";
+
+import { BadRequestError } from "@app/lib/errors";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { DigitalOceanConnectionMethod } from "./digital-ocean-connection-constants";
+import { DigitalOceanAppPlatformPublicAPI } from "./digital-ocean-connection-public-client";
+import { DigitalOceanConnectionListItemSchema } from "./digital-ocean-connection-schemas";
+import { TDigitalOceanConnectionConfig } from "./digital-ocean-connection-types";
+
+export const getDigitalOceanConnectionListItem = () => {
+  return {
+    name: "Digital Ocean" as z.infer<typeof DigitalOceanConnectionListItemSchema>["name"],
+    app: AppConnection.DigitalOcean as const,
+    methods: Object.values(DigitalOceanConnectionMethod)
+  };
+};
+
+export const validateDigitalOceanConnectionCredentials = async (config: TDigitalOceanConnectionConfig) => {
+  try {
+    await DigitalOceanAppPlatformPublicAPI.healthcheck(config);
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+
+    throw new BadRequestError({
+      message: "Unable to validate connection - verify credentials"
+    });
+  }
+
+  return config.credentials;
+};
--- a/backend/src/services/app-connection/digital-ocean/digital-ocean-connection-public-client.ts
+++ b/backend/src/services/app-connection/digital-ocean/digital-ocean-connection-public-client.ts
@@ -0,0 +1,105 @@
+/* eslint-disable no-await-in-loop */
+/* eslint-disable class-methods-use-this */
+import { AxiosInstance } from "axios";
+
+import { createRequestClient } from "@app/lib/config/request";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { DigitalOceanConnectionMethod } from "./digital-ocean-connection-constants";
+import {
+  TDigitalOceanApp,
+  TDigitalOceanConnectionConfig,
+  TDigitalOceanVariable
+} from "./digital-ocean-connection-types";
+
+class DigitalOceanAppPlatformPublicClient {
+  private readonly client: AxiosInstance;
+
+  constructor() {
+    this.client = createRequestClient({
+      baseURL: `${IntegrationUrls.DIGITAL_OCEAN_API_URL}/v2`,
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json"
+      }
+    });
+  }
+
+  async healthcheck(connection: TDigitalOceanConnectionConfig) {
+    switch (connection.method) {
+      case DigitalOceanConnectionMethod.ApiToken:
+        await this.getApps(connection);
+        break;
+      default:
+        throw new Error(`Unsupported connection method`);
+    }
+  }
+
+  async getApps(connection: TDigitalOceanConnectionConfig) {
+    const response = await this.client.get<{ apps: TDigitalOceanApp[] }>(`/apps`, {
+      headers: {
+        Authorization: `Bearer ${connection.credentials.apiToken}`
+      }
+    });
+
+    return response.data.apps;
+  }
+
+  async getApp(connection: TDigitalOceanConnectionConfig, appId: string) {
+    const response = await this.client.get<{ app: TDigitalOceanApp }>(`/apps/${appId}`, {
+      headers: {
+        Authorization: `Bearer ${connection.credentials.apiToken}`
+      }
+    });
+
+    return response.data.app;
+  }
+
+  async getVariables(connection: TDigitalOceanConnectionConfig, appId: string): Promise<TDigitalOceanVariable[]> {
+    const app = await this.getApp(connection, appId);
+    return app.spec.envs || [];
+  }
+
+  async putVariables(connection: TDigitalOceanConnectionConfig, appId: string, ...input: TDigitalOceanVariable[]) {
+    const response = await this.getApp(connection, appId);
+
+    return this.client.put(
+      `/apps/${appId}`,
+      {
+        spec: {
+          ...response.spec,
+          envs: input
+        }
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${connection.credentials.apiToken}`
+        }
+      }
+    );
+  }
+
+  async deleteVariables(connection: TDigitalOceanConnectionConfig, appId: string, ...input: TDigitalOceanVariable[]) {
+    const response = await this.getApp(connection, appId);
+    const existing = response.spec.envs || [];
+
+    const variables = existing.filter((v) => input.find((i) => i.key === v.key));
+
+    return this.client.put(
+      `/apps/${appId}`,
+      {
+        spec: {
+          ...response.spec,
+          envs: variables
+        }
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${connection.credentials.apiToken}`
+        }
+      }
+    );
+  }
+}
+
+export const DigitalOceanAppPlatformPublicAPI = new DigitalOceanAppPlatformPublicClient();
--- a/backend/src/services/app-connection/digital-ocean/digital-ocean-connection-schemas.ts
+++ b/backend/src/services/app-connection/digital-ocean/digital-ocean-connection-schemas.ts
@@ -0,0 +1,67 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { DigitalOceanConnectionMethod } from "./digital-ocean-connection-constants";
+
+export const DigitalOceanConnectionMethodSchema = z
+  .nativeEnum(DigitalOceanConnectionMethod)
+  .describe(AppConnections.CREATE(AppConnection.DigitalOcean).method);
+
+export const DigitalOceanConnectionAccessTokenCredentialsSchema = z.object({
+  apiToken: z
+    .string()
+    .trim()
+    .min(1, "API Token required")
+    .max(255)
+    .describe(AppConnections.CREDENTIALS.DIGITAL_OCEAN_APP_PLATFORM.apiToken)
+});
+
+const BaseDigitalOceanConnectionSchema = BaseAppConnectionSchema.extend({
+  app: z.literal(AppConnection.DigitalOcean)
+});
+
+export const DigitalOceanConnectionSchema = BaseDigitalOceanConnectionSchema.extend({
+  method: DigitalOceanConnectionMethodSchema,
+  credentials: DigitalOceanConnectionAccessTokenCredentialsSchema
+});
+
+export const SanitizedDigitalOceanConnectionSchema = z.discriminatedUnion("method", [
+  BaseDigitalOceanConnectionSchema.extend({
+    method: DigitalOceanConnectionMethodSchema,
+    credentials: DigitalOceanConnectionAccessTokenCredentialsSchema.pick({})
+  })
+]);
+
+export const ValidateDigitalOceanConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: DigitalOceanConnectionMethodSchema,
+    credentials: DigitalOceanConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.DigitalOcean).credentials
+    )
+  })
+]);
+
+export const CreateDigitalOceanConnectionSchema = ValidateDigitalOceanConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.DigitalOcean)
+);
+
+export const UpdateDigitalOceanConnectionSchema = z
+  .object({
+    credentials: DigitalOceanConnectionAccessTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.DigitalOcean).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.DigitalOcean));
+
+export const DigitalOceanConnectionListItemSchema = z.object({
+  name: z.literal("Digital Ocean"),
+  app: z.literal(AppConnection.DigitalOcean),
+  methods: z.nativeEnum(DigitalOceanConnectionMethod).array()
+});
--- a/backend/src/services/app-connection/digital-ocean/digital-ocean-connection-service.ts
+++ b/backend/src/services/app-connection/digital-ocean/digital-ocean-connection-service.ts
@@ -0,0 +1,29 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { DigitalOceanAppPlatformPublicAPI } from "./digital-ocean-connection-public-client";
+import { TDigitalOceanConnection } from "./digital-ocean-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TDigitalOceanConnection>;
+
+export const digitalOceanAppPlatformConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listApps = async (connectionId: string, actor: OrgServiceActor) => {
+    const connection = await getAppConnection(AppConnection.DigitalOcean, connectionId, actor);
+    try {
+      const apps = await DigitalOceanAppPlatformPublicAPI.getApps(connection);
+      return apps;
+    } catch (error) {
+      logger.error(error, "Failed to list apps on Digital Ocean");
+      return [];
+    }
+  };
+
+  return {
+    listApps
+  };
+};
--- a/backend/src/services/app-connection/digital-ocean/digital-ocean-connection-types.ts
+++ b/backend/src/services/app-connection/digital-ocean/digital-ocean-connection-types.ts
@@ -0,0 +1,42 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateDigitalOceanConnectionSchema,
+  DigitalOceanConnectionSchema,
+  ValidateDigitalOceanConnectionCredentialsSchema
+} from "./digital-ocean-connection-schemas";
+
+export type TDigitalOceanConnection = z.infer<typeof DigitalOceanConnectionSchema>;
+
+export type TDigitalOceanConnectionInput = z.infer<typeof CreateDigitalOceanConnectionSchema> & {
+  app: AppConnection.DigitalOcean;
+};
+
+export type TValidateDigitalOceanCredentialsSchema = typeof ValidateDigitalOceanConnectionCredentialsSchema;
+
+export type TDigitalOceanConnectionConfig = DiscriminativePick<
+  TDigitalOceanConnection,
+  "method" | "app" | "credentials"
+> & {
+  orgId: string;
+};
+
+export type TDigitalOceanVariable = {
+  key: string;
+  value: string;
+  type: "SECRET" | "GENERAL";
+};
+
+export type TDigitalOceanApp = {
+  id: string;
+  spec: {
+    name: string;
+    services: Array<{
+      name: string;
+    }>;
+    envs?: TDigitalOceanVariable[];
+  };
+};
--- a/backend/src/services/app-connection/digital-ocean/index.ts
+++ b/backend/src/services/app-connection/digital-ocean/index.ts
@@ -0,0 +1,4 @@
+export * from "./digital-ocean-connection-constants";
+export * from "./digital-ocean-connection-fns";
+export * from "./digital-ocean-connection-schemas";
+export * from "./digital-ocean-connection-types";
--- a/backend/src/services/app-connection/shared/sql/sql-connection-fns.ts
+++ b/backend/src/services/app-connection/shared/sql/sql-connection-fns.ts
@@ -164,7 +164,7 @@ export const validateSqlConnectionCredentials = async (
 ) => {
  try {
    await executeWithPotentialGateway(config, gatewayService, async (client) => {
-      await client.raw(`Select 1`);
+      await client.raw(config.app === AppConnection.OracleDB ? `SELECT 1 FROM DUAL` : `Select 1`);
    });
    return config.credentials;
  } catch (error) {
--- a/backend/src/services/certificate-authority/certificate-authority-service.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-service.ts
@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -100,7 +100,8 @@ export const certificateAuthorityServiceFactory = ({
      actorId: actor.id,
      projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -167,7 +168,8 @@ export const certificateAuthorityServiceFactory = ({
      actorId: actor.id,
      projectId: certificateAuthority.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -215,7 +217,8 @@ export const certificateAuthorityServiceFactory = ({
      actorId: actor.id,
      projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -268,7 +271,8 @@ export const certificateAuthorityServiceFactory = ({
      actorId: actor.id,
      projectId: certificateAuthority.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -341,7 +345,8 @@ export const certificateAuthorityServiceFactory = ({
      actorId: actor.id,
      projectId: certificateAuthority.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts
+++ b/backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts
@@ -4,7 +4,7 @@ import * as x509 from "@peculiar/x509";
 import slugify from "@sindresorhus/slugify";
 import { z } from "zod";

-import { TableName, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
+import { ActionProjectType, TableName, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
  ProjectPermissionActions,
@@ -150,7 +150,8 @@ export const internalCertificateAuthorityServiceFactory = ({
        actorId: dto.actorId,
        projectId,
        actorAuthMethod: dto.actorAuthMethod,
-        actorOrgId: dto.actorOrgId
+        actorOrgId: dto.actorOrgId,
+        actionProjectType: ActionProjectType.CertificateManager
      });

      ForbiddenError.from(permission).throwUnlessCan(
@@ -333,7 +334,8 @@ export const internalCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
@@ -357,7 +359,8 @@ export const internalCertificateAuthorityServiceFactory = ({
        actorId: dto.actorId,
        projectId: ca.projectId,
        actorAuthMethod: dto.actorAuthMethod,
-        actorOrgId: dto.actorOrgId
+        actorOrgId: dto.actorOrgId,
+        actionProjectType: ActionProjectType.CertificateManager
      });

      ForbiddenError.from(permission).throwUnlessCan(
@@ -389,7 +392,8 @@ export const internalCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -414,7 +418,8 @@ export const internalCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -477,7 +482,8 @@ export const internalCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -763,7 +769,8 @@ export const internalCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -799,7 +806,8 @@ export const internalCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -879,7 +887,8 @@ export const internalCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -1026,7 +1035,8 @@ export const internalCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -1197,7 +1207,8 @@ export const internalCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -1553,7 +1564,8 @@ export const internalCertificateAuthorityServiceFactory = ({
        actorId: dto.actorId,
        projectId: ca.projectId,
        actorAuthMethod: dto.actorAuthMethod,
-        actorOrgId: dto.actorOrgId
+        actorOrgId: dto.actorOrgId,
+        actionProjectType: ActionProjectType.CertificateManager
      });

      ForbiddenError.from(permission).throwUnlessCan(
@@ -1920,7 +1932,8 @@ export const internalCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    const certificateTemplates = await certificateTemplateDAL.find({ caId });
--- a/backend/src/services/certificate-template/certificate-template-service.ts
+++ b/backend/src/services/certificate-template/certificate-template-service.ts
@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import * as x509 from "@peculiar/x509";

-import { TCertificateTemplateEstConfigsUpdate } from "@app/db/schemas";
+import { ActionProjectType, TCertificateTemplateEstConfigsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -76,7 +76,8 @@ export const certificateTemplateServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -137,7 +138,8 @@ export const certificateTemplateServiceFactory = ({
      actorId,
      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -201,7 +203,8 @@ export const certificateTemplateServiceFactory = ({
      actorId,
      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -227,7 +230,8 @@ export const certificateTemplateServiceFactory = ({
      actorId,
      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -268,7 +272,8 @@ export const certificateTemplateServiceFactory = ({
      actorId,
      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -350,7 +355,8 @@ export const certificateTemplateServiceFactory = ({
      actorId,
      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -429,7 +435,8 @@ export const certificateTemplateServiceFactory = ({
        actorId: dto.actorId,
        projectId: certTemplate.projectId,
        actorAuthMethod: dto.actorAuthMethod,
-        actorOrgId: dto.actorOrgId
+        actorOrgId: dto.actorOrgId,
+        actionProjectType: ActionProjectType.CertificateManager
      });

      ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/services/certificate/certificate-service.ts
+++ b/backend/src/services/certificate/certificate-service.ts
@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";

+import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -79,7 +80,8 @@ export const certificateServiceFactory = ({
      actorId,
      projectId: cert.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -109,7 +111,8 @@ export const certificateServiceFactory = ({
      actorId,
      projectId: cert.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -142,7 +145,8 @@ export const certificateServiceFactory = ({
      actorId,
      projectId: cert.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -191,7 +195,8 @@ export const certificateServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -239,7 +244,8 @@ export const certificateServiceFactory = ({
      actorId,
      projectId: cert.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -319,7 +325,8 @@ export const certificateServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
@@ -523,7 +530,8 @@ export const certificateServiceFactory = ({
      actorId,
      projectId: cert.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/services/cmek/cmek-service.ts
+++ b/backend/src/services/cmek/cmek-service.ts
@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionCmekActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { SigningAlgorithm } from "@app/lib/crypto/sign";
@@ -38,7 +39,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
      actorId: actor.id,
      projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Create, ProjectPermissionSub.Cmek);

@@ -77,7 +79,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
      actorId: actor.id,
      projectId: key.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Edit, ProjectPermissionSub.Cmek);
@@ -113,7 +116,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
      actorId: actor.id,
      projectId: key.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Delete, ProjectPermissionSub.Cmek);
@@ -129,7 +133,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
      actorId: actor.id,
      projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
@@ -151,7 +156,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
      actorId: actor.id,
      projectId: key.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
@@ -172,7 +178,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
      actorId: actor.id,
      projectId: key.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
@@ -194,7 +201,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
      actorId: actor.id,
      projectId: key.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Encrypt, ProjectPermissionSub.Cmek);
@@ -221,7 +229,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
      actorId: actor.id,
      projectId: key.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
@@ -268,7 +277,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
      actorId: actor.id,
      projectId: key.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
@@ -291,7 +301,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
      actorId: actor.id,
      projectId: key.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Sign, ProjectPermissionSub.Cmek);
@@ -325,7 +336,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
      actorId: actor.id,
      projectId: key.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Verify, ProjectPermissionSub.Cmek);
@@ -360,7 +372,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
      actorId: actor.id,
      projectId: key.projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Decrypt, ProjectPermissionSub.Cmek);
--- a/backend/src/services/external-migration/external-migration-fns/envkey.ts
+++ b/backend/src/services/external-migration/external-migration-fns/envkey.ts
@@ -1,32 +1,26 @@
-import slugify from "@sindresorhus/slugify";
 import sjcl from "sjcl";
 import tweetnacl from "tweetnacl";
 import tweetnaclUtil from "tweetnacl-util";

-import { SecretType, TSecretFolders } from "@app/db/schemas";
 import { crypto } from "@app/lib/crypto/cryptography";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { chunkArray } from "@app/lib/fn";
+import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
-import { alphaNumericNanoId } from "@app/lib/nanoid";

-import { CommitType, TFolderCommitServiceFactory } from "../folder-commit/folder-commit-service";
-import { TKmsServiceFactory } from "../kms/kms-service";
-import { KmsDataKey } from "../kms/kms-types";
-import { TProjectDALFactory } from "../project/project-dal";
-import { TProjectServiceFactory } from "../project/project-service";
-import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
-import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
-import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
-import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
-import { TSecretFolderVersionDALFactory } from "../secret-folder/secret-folder-version-dal";
-import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
-import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
-import { fnSecretBulkInsert, getAllSecretReferences } from "../secret-v2-bridge/secret-v2-bridge-fns";
-import type { TSecretV2BridgeServiceFactory } from "../secret-v2-bridge/secret-v2-bridge-service";
-import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-dal";
-import { TSecretVersionV2TagDALFactory } from "../secret-v2-bridge/secret-version-tag-dal";
-import { InfisicalImportData, TEnvKeyExportJSON, TImportInfisicalDataCreate } from "./external-migration-types";
+import { TFolderCommitServiceFactory } from "../../folder-commit/folder-commit-service";
+import { TKmsServiceFactory } from "../../kms/kms-service";
+import { TProjectDALFactory } from "../../project/project-dal";
+import { TProjectServiceFactory } from "../../project/project-service";
+import { TProjectEnvDALFactory } from "../../project-env/project-env-dal";
+import { TProjectEnvServiceFactory } from "../../project-env/project-env-service";
+import { TResourceMetadataDALFactory } from "../../resource-metadata/resource-metadata-dal";
+import { TSecretFolderDALFactory } from "../../secret-folder/secret-folder-dal";
+import { TSecretFolderVersionDALFactory } from "../../secret-folder/secret-folder-version-dal";
+import { TSecretTagDALFactory } from "../../secret-tag/secret-tag-dal";
+import { TSecretV2BridgeDALFactory } from "../../secret-v2-bridge/secret-v2-bridge-dal";
+import type { TSecretV2BridgeServiceFactory } from "../../secret-v2-bridge/secret-v2-bridge-service";
+import { TSecretVersionV2DALFactory } from "../../secret-v2-bridge/secret-version-dal";
+import { TSecretVersionV2TagDALFactory } from "../../secret-v2-bridge/secret-version-tag-dal";
+import { InfisicalImportData, TEnvKeyExportJSON, TImportInfisicalDataCreate } from "../external-migration-types";

 export type TImportDataIntoInfisicalDTO = {
  projectDAL: Pick<TProjectDALFactory, "transaction">;
@@ -499,326 +493,3 @@ export const parseEnvKeyDataFn = async (decryptedJson: string): Promise<Infisica

  return infisicalImportData;
 };
-
-export const importDataIntoInfisicalFn = async ({
-  projectService,
-  projectEnvDAL,
-  projectDAL,
-  secretDAL,
-  kmsService,
-  secretVersionDAL,
-  secretTagDAL,
-  secretVersionTagDAL,
-  folderDAL,
-  resourceMetadataDAL,
-  folderVersionDAL,
-  folderCommitService,
-  input: { data, actor, actorId, actorOrgId, actorAuthMethod }
-}: TImportDataIntoInfisicalDTO) => {
-  // Import data to infisical
-  if (!data || !data.projects) {
-    throw new BadRequestError({ message: "No projects found in data" });
-  }
-
-  const originalToNewProjectId = new Map<string, string>();
-  const originalToNewEnvironmentId = new Map<
-    string,
-    { envId: string; envSlug: string; rootFolderId: string; projectId: string }
-  >();
-  const originalToNewFolderId = new Map<
-    string,
-    {
-      folderId: string;
-      projectId: string;
-    }
-  >();
-  const projectsNotImported: string[] = [];
-
-  await projectDAL.transaction(async (tx) => {
-    for await (const project of data.projects) {
-      const newProject = await projectService
-        .createProject({
-          actor,
-          actorId,
-          actorOrgId,
-          actorAuthMethod,
-          workspaceName: project.name,
-          createDefaultEnvs: false,
-          tx
-        })
-        .catch((e) => {
-          logger.error(e, `Failed to import to project [name:${project.name}]`);
-          throw new BadRequestError({ message: `Failed to import to project [name:${project.name}]` });
-        });
-      originalToNewProjectId.set(project.id, newProject.id);
-    }
-
-    // Import environments
-    if (data.environments) {
-      for await (const environment of data.environments) {
-        const projectId = originalToNewProjectId.get(environment.projectId);
-        const slug = slugify(`${environment.name}-${alphaNumericNanoId(4)}`);
-
-        if (!projectId) {
-          projectsNotImported.push(environment.projectId);
-          // eslint-disable-next-line no-continue
-          continue;
-        }
-
-        const existingEnv = await projectEnvDAL.findOne({ projectId, slug }, tx);
-
-        if (existingEnv) {
-          throw new BadRequestError({
-            message: `Environment with slug '${slug}' already exist`,
-            name: "CreateEnvironment"
-          });
-        }
-
-        const lastPos = await projectEnvDAL.findLastEnvPosition(projectId, tx);
-        const doc = await projectEnvDAL.create({ slug, name: environment.name, projectId, position: lastPos + 1 }, tx);
-        const folder = await folderDAL.create({ name: "root", parentId: null, envId: doc.id, version: 1 }, tx);
-
-        originalToNewEnvironmentId.set(environment.id, {
-          envSlug: doc.slug,
-          envId: doc.id,
-          rootFolderId: folder.id,
-          projectId
-        });
-      }
-    }
-
-    if (data.folders) {
-      for await (const folder of data.folders) {
-        const parentEnv = originalToNewEnvironmentId.get(folder.parentFolderId as string);
-
-        if (!parentEnv) {
-          // eslint-disable-next-line no-continue
-          continue;
-        }
-
-        const newFolder = await folderDAL.create(
-          {
-            name: folder.name,
-            envId: parentEnv.envId,
-            parentId: parentEnv.rootFolderId
-          },
-          tx
-        );
-
-        const newFolderVersion = await folderVersionDAL.create(
-          {
-            name: newFolder.name,
-            envId: newFolder.envId,
-            version: newFolder.version,
-            folderId: newFolder.id
-          },
-          tx
-        );
-
-        await folderCommitService.createCommit(
-          {
-            actor: {
-              type: actor,
-              metadata: {
-                id: actorId
-              }
-            },
-            message: "Changed by external migration",
-            folderId: parentEnv.rootFolderId,
-            changes: [
-              {
-                type: CommitType.ADD,
-                folderVersionId: newFolderVersion.id
-              }
-            ]
-          },
-          tx
-        );
-
-        originalToNewFolderId.set(folder.id, {
-          folderId: newFolder.id,
-          projectId: parentEnv.projectId
-        });
-      }
-    }
-
-    // Useful for debugging:
-    // console.log("data.secrets", data.secrets);
-    // console.log("data.folders", data.folders);
-    // console.log("data.environment", data.environments);
-
-    if (data.secrets && data.secrets.length > 0) {
-      const mappedToEnvironmentId = new Map<
-        string,
-        {
-          secretKey: string;
-          secretValue: string;
-          folderId?: string;
-          isFromBlock?: boolean;
-        }[]
-      >();
-
-      for (const secret of data.secrets) {
-        const targetId = secret.folderId || secret.environmentId;
-
-        // Skip if we can't find either an environment or folder mapping for this secret
-        if (!originalToNewEnvironmentId.get(secret.environmentId) && !originalToNewFolderId.get(targetId)) {
-          logger.info({ secret }, "[importDataIntoInfisicalFn]: Could not find environment or folder for secret");
-
-          // eslint-disable-next-line no-continue
-          continue;
-        }
-
-        if (!mappedToEnvironmentId.has(targetId)) {
-          mappedToEnvironmentId.set(targetId, []);
-        }
-
-        const alreadyHasSecret = mappedToEnvironmentId
-          .get(targetId)!
-          .find((el) => el.secretKey === secret.name && el.folderId === secret.folderId);
-
-        if (alreadyHasSecret && alreadyHasSecret.isFromBlock) {
-          // remove the existing secret if any
-          mappedToEnvironmentId
-            .get(targetId)!
-            .splice(mappedToEnvironmentId.get(targetId)!.indexOf(alreadyHasSecret), 1);
-        }
-        mappedToEnvironmentId.get(targetId)!.push({
-          secretKey: secret.name,
-          secretValue: secret.value || "",
-          folderId: secret.folderId,
-          isFromBlock: secret.appBlockOrderIndex !== undefined
-        });
-      }
-
-      // for each of the mappedEnvironmentId
-      for await (const [targetId, secrets] of mappedToEnvironmentId) {
-        logger.info("[importDataIntoInfisicalFn]: Processing secrets for targetId", targetId);
-
-        let selectedFolder: TSecretFolders | undefined;
-        let selectedProjectId: string | undefined;
-
-        // Case 1: Secret belongs to a folder / branch / branch of a block
-        const foundFolder = originalToNewFolderId.get(targetId);
-        if (foundFolder) {
-          logger.info("[importDataIntoInfisicalFn]: Processing secrets for folder");
-          selectedFolder = await folderDAL.findById(foundFolder.folderId, tx);
-          selectedProjectId = foundFolder.projectId;
-        } else {
-          logger.info("[importDataIntoInfisicalFn]: Processing secrets for normal environment");
-          const environment = data.environments.find((env) => env.id === targetId);
-          if (!environment) {
-            logger.info(
-              {
-                targetId
-              },
-              "[importDataIntoInfisicalFn]: Could not find environment for secret"
-            );
-            // eslint-disable-next-line no-continue
-            continue;
-          }
-
-          const projectId = originalToNewProjectId.get(environment.projectId)!;
-
-          if (!projectId) {
-            throw new BadRequestError({ message: `Failed to import secret, project not found` });
-          }
-
-          const env = originalToNewEnvironmentId.get(targetId);
-          if (!env) {
-            logger.info(
-              {
-                targetId
-              },
-              "[importDataIntoInfisicalFn]: Could not find environment for secret"
-            );
-
-            // eslint-disable-next-line no-continue
-            continue;
-          }
-
-          const folder = await folderDAL.findBySecretPath(projectId, env.envSlug, "/", tx);
-
-          if (!folder) {
-            throw new NotFoundError({
-              message: `Folder not found for the given environment slug (${env.envSlug}) & secret path (/)`,
-              name: "Create secret"
-            });
-          }
-
-          selectedFolder = folder;
-          selectedProjectId = projectId;
-        }
-
-        if (!selectedFolder) {
-          throw new NotFoundError({
-            message: `Folder not found for the given environment slug & secret path`,
-            name: "CreateSecret"
-          });
-        }
-
-        if (!selectedProjectId) {
-          throw new NotFoundError({
-            message: `Project not found for the given environment slug & secret path`,
-            name: "CreateSecret"
-          });
-        }
-
-        const { encryptor: secretManagerEncrypt } = await kmsService.createCipherPairWithDataKey(
-          {
-            type: KmsDataKey.SecretManager,
-            projectId: selectedProjectId
-          },
-          tx
-        );
-
-        const secretBatches = chunkArray(secrets, 2500);
-        for await (const secretBatch of secretBatches) {
-          const secretsByKeys = await secretDAL.findBySecretKeys(
-            selectedFolder.id,
-            secretBatch.map((el) => ({
-              key: el.secretKey,
-              type: SecretType.Shared
-            })),
-            tx
-          );
-          if (secretsByKeys.length) {
-            throw new BadRequestError({
-              message: `Secret already exist: ${secretsByKeys.map((el) => el.key).join(",")}`
-            });
-          }
-          await fnSecretBulkInsert({
-            inputSecrets: secretBatch.map((el) => {
-              const references = getAllSecretReferences(el.secretValue).nestedReferences;
-
-              return {
-                version: 1,
-                encryptedValue: el.secretValue
-                  ? secretManagerEncrypt({ plainText: Buffer.from(el.secretValue) }).cipherTextBlob
-                  : undefined,
-                key: el.secretKey,
-                references,
-                type: SecretType.Shared
-              };
-            }),
-            folderId: selectedFolder.id,
-            orgId: actorOrgId,
-            resourceMetadataDAL,
-            secretDAL,
-            secretVersionDAL,
-            secretTagDAL,
-            secretVersionTagDAL,
-            folderCommitService,
-            actor: {
-              type: actor,
-              actorId
-            },
-            tx
-          });
-        }
-      }
-    }
-  });
-
-  return { projectsNotImported };
-};
--- a/backend/src/services/external-migration/external-migration-fns/import.ts
+++ b/backend/src/services/external-migration/external-migration-fns/import.ts
@@ -0,0 +1,352 @@
+import slugify from "@sindresorhus/slugify";
+
+import { SecretType, TSecretFolders } from "@app/db/schemas";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { chunkArray } from "@app/lib/fn";
+import { logger } from "@app/lib/logger";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { CommitType } from "@app/services/folder-commit/folder-commit-service";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+import { fnSecretBulkInsert, getAllSecretReferences } from "@app/services/secret-v2-bridge/secret-v2-bridge-fns";
+
+import { TImportDataIntoInfisicalDTO } from "./envkey";
+
+export const importDataIntoInfisicalFn = async ({
+  projectService,
+  projectEnvDAL,
+  projectDAL,
+  secretDAL,
+  kmsService,
+  secretVersionDAL,
+  secretTagDAL,
+  secretVersionTagDAL,
+  folderDAL,
+  resourceMetadataDAL,
+  folderVersionDAL,
+  folderCommitService,
+  input: { data, actor, actorId, actorOrgId, actorAuthMethod }
+}: TImportDataIntoInfisicalDTO) => {
+  // Import data to infisical
+  if (!data || !data.projects) {
+    throw new BadRequestError({ message: "No projects found in data" });
+  }
+
+  const originalToNewProjectId = new Map<string, string>();
+  const originalToNewEnvironmentId = new Map<
+    string,
+    { envId: string; envSlug: string; rootFolderId?: string; projectId: string }
+  >();
+  const originalToNewFolderId = new Map<
+    string,
+    {
+      envId: string;
+      envSlug: string;
+      folderId: string;
+      projectId: string;
+    }
+  >();
+  const projectsNotImported: string[] = [];
+
+  await projectDAL.transaction(async (tx) => {
+    for await (const project of data.projects) {
+      const newProject = await projectService
+        .createProject({
+          actor,
+          actorId,
+          actorOrgId,
+          actorAuthMethod,
+          workspaceName: project.name,
+          createDefaultEnvs: false,
+          tx
+        })
+        .catch((e) => {
+          logger.error(e, `Failed to import to project [name:${project.name}]`);
+          throw new BadRequestError({ message: `Failed to import to project [name:${project.name}]` });
+        });
+      originalToNewProjectId.set(project.id, newProject.id);
+    }
+
+    // Import environments
+    if (data.environments) {
+      for await (const environment of data.environments) {
+        const projectId = originalToNewProjectId.get(environment.projectId);
+        const slug = slugify(`${environment.name}-${alphaNumericNanoId(4)}`);
+
+        if (!projectId) {
+          projectsNotImported.push(environment.projectId);
+          // eslint-disable-next-line no-continue
+          continue;
+        }
+
+        const existingEnv = await projectEnvDAL.findOne({ projectId, slug }, tx);
+
+        if (existingEnv) {
+          throw new BadRequestError({
+            message: `Environment with slug '${slug}' already exist`,
+            name: "CreateEnvironment"
+          });
+        }
+
+        const lastPos = await projectEnvDAL.findLastEnvPosition(projectId, tx);
+        const doc = await projectEnvDAL.create({ slug, name: environment.name, projectId, position: lastPos + 1 }, tx);
+        const folder = await folderDAL.create({ name: "root", parentId: null, envId: doc.id, version: 1 }, tx);
+
+        originalToNewEnvironmentId.set(environment.id, {
+          envSlug: doc.slug,
+          envId: doc.id,
+          rootFolderId: folder.id,
+          projectId
+        });
+      }
+    }
+
+    if (data.folders) {
+      for await (const folder of data.folders) {
+        const parentEnv = originalToNewEnvironmentId.get(folder.parentFolderId as string);
+        const parentFolder = originalToNewFolderId.get(folder.parentFolderId as string);
+
+        let newFolder: TSecretFolders;
+
+        if (parentEnv?.rootFolderId) {
+          newFolder = await folderDAL.create(
+            {
+              name: folder.name,
+              envId: parentEnv.envId,
+              parentId: parentEnv.rootFolderId
+            },
+            tx
+          );
+        } else if (parentFolder) {
+          newFolder = await folderDAL.create(
+            {
+              name: folder.name,
+              envId: parentFolder.envId,
+              parentId: parentFolder.folderId
+            },
+            tx
+          );
+        } else {
+          logger.info({ folder }, "No parent environment found for folder");
+          // eslint-disable-next-line no-continue
+          continue;
+        }
+
+        const newFolderVersion = await folderVersionDAL.create(
+          {
+            name: newFolder.name,
+            envId: newFolder.envId,
+            version: newFolder.version,
+            folderId: newFolder.id
+          },
+          tx
+        );
+
+        await folderCommitService.createCommit(
+          {
+            actor: {
+              type: actor,
+              metadata: {
+                id: actorId
+              }
+            },
+            message: "Changed by external migration",
+            folderId: parentEnv?.rootFolderId || parentFolder?.folderId || "",
+            changes: [
+              {
+                type: CommitType.ADD,
+                folderVersionId: newFolderVersion.id
+              }
+            ]
+          },
+          tx
+        );
+
+        originalToNewFolderId.set(folder.id, {
+          folderId: newFolder.id,
+          envId: parentEnv?.envId || parentFolder?.envId || "",
+          envSlug: parentEnv?.envSlug || parentFolder?.envSlug || "",
+          projectId: parentEnv?.projectId || parentFolder?.projectId || ""
+        });
+      }
+    }
+
+    // Useful for debugging:
+    // console.log("data.secrets", data.secrets);
+    // console.log("data.folders", data.folders);
+    // console.log("data.environment", data.environments);
+
+    if (data.secrets && data.secrets.length > 0) {
+      const mappedToEnvironmentId = new Map<
+        string,
+        {
+          secretKey: string;
+          secretValue: string;
+          folderId?: string;
+          isFromBlock?: boolean;
+        }[]
+      >();
+
+      for (const secret of data.secrets) {
+        const targetId = secret.folderId || secret.environmentId;
+
+        // Skip if we can't find either an environment or folder mapping for this secret
+        if (!originalToNewEnvironmentId.get(secret.environmentId) && !originalToNewFolderId.get(targetId)) {
+          logger.info({ secret }, "[importDataIntoInfisicalFn]: Could not find environment or folder for secret");
+
+          // eslint-disable-next-line no-continue
+          continue;
+        }
+
+        if (!mappedToEnvironmentId.has(targetId)) {
+          mappedToEnvironmentId.set(targetId, []);
+        }
+
+        const alreadyHasSecret = mappedToEnvironmentId
+          .get(targetId)!
+          .find((el) => el.secretKey === secret.name && el.folderId === secret.folderId);
+
+        if (alreadyHasSecret && alreadyHasSecret.isFromBlock) {
+          // remove the existing secret if any
+          mappedToEnvironmentId
+            .get(targetId)!
+            .splice(mappedToEnvironmentId.get(targetId)!.indexOf(alreadyHasSecret), 1);
+        }
+        mappedToEnvironmentId.get(targetId)!.push({
+          secretKey: secret.name,
+          secretValue: secret.value || "",
+          folderId: secret.folderId,
+          isFromBlock: secret.appBlockOrderIndex !== undefined
+        });
+      }
+
+      // for each of the mappedEnvironmentId
+      for await (const [targetId, secrets] of mappedToEnvironmentId) {
+        logger.info("[importDataIntoInfisicalFn]: Processing secrets for targetId", targetId);
+
+        let selectedFolder: TSecretFolders | undefined;
+        let selectedProjectId: string | undefined;
+
+        // Case 1: Secret belongs to a folder / branch / branch of a block
+        const foundFolder = originalToNewFolderId.get(targetId);
+        if (foundFolder) {
+          logger.info("[importDataIntoInfisicalFn]: Processing secrets for folder");
+          selectedFolder = await folderDAL.findById(foundFolder.folderId, tx);
+          selectedProjectId = foundFolder.projectId;
+        } else {
+          logger.info("[importDataIntoInfisicalFn]: Processing secrets for normal environment");
+          const environment = data.environments.find((env) => env.id === targetId);
+          if (!environment) {
+            logger.info(
+              {
+                targetId
+              },
+              "[importDataIntoInfisicalFn]: Could not find environment for secret"
+            );
+            // eslint-disable-next-line no-continue
+            continue;
+          }
+
+          const projectId = originalToNewProjectId.get(environment.projectId)!;
+
+          if (!projectId) {
+            throw new BadRequestError({ message: `Failed to import secret, project not found` });
+          }
+
+          const env = originalToNewEnvironmentId.get(targetId);
+          if (!env) {
+            logger.info(
+              {
+                targetId
+              },
+              "[importDataIntoInfisicalFn]: Could not find environment for secret"
+            );
+
+            // eslint-disable-next-line no-continue
+            continue;
+          }
+
+          const folder = await folderDAL.findBySecretPath(projectId, env.envSlug, "/", tx);
+
+          if (!folder) {
+            throw new NotFoundError({
+              message: `Folder not found for the given environment slug (${env.envSlug}) & secret path (/)`,
+              name: "Create secret"
+            });
+          }
+
+          selectedFolder = folder;
+          selectedProjectId = projectId;
+        }
+
+        if (!selectedFolder) {
+          throw new NotFoundError({
+            message: `Folder not found for the given environment slug & secret path`,
+            name: "CreateSecret"
+          });
+        }
+
+        if (!selectedProjectId) {
+          throw new NotFoundError({
+            message: `Project not found for the given environment slug & secret path`,
+            name: "CreateSecret"
+          });
+        }
+
+        const { encryptor: secretManagerEncrypt } = await kmsService.createCipherPairWithDataKey(
+          {
+            type: KmsDataKey.SecretManager,
+            projectId: selectedProjectId
+          },
+          tx
+        );
+
+        const secretBatches = chunkArray(secrets, 2500);
+        for await (const secretBatch of secretBatches) {
+          const secretsByKeys = await secretDAL.findBySecretKeys(
+            selectedFolder.id,
+            secretBatch.map((el) => ({
+              key: el.secretKey,
+              type: SecretType.Shared
+            })),
+            tx
+          );
+          if (secretsByKeys.length) {
+            throw new BadRequestError({
+              message: `Secret already exist: ${secretsByKeys.map((el) => el.key).join(",")}`
+            });
+          }
+          await fnSecretBulkInsert({
+            inputSecrets: secretBatch.map((el) => {
+              const references = getAllSecretReferences(el.secretValue).nestedReferences;
+
+              return {
+                version: 1,
+                encryptedValue: el.secretValue
+                  ? secretManagerEncrypt({ plainText: Buffer.from(el.secretValue) }).cipherTextBlob
+                  : undefined,
+                key: el.secretKey,
+                references,
+                type: SecretType.Shared
+              };
+            }),
+            folderId: selectedFolder.id,
+            orgId: actorOrgId,
+            resourceMetadataDAL,
+            secretDAL,
+            secretVersionDAL,
+            secretTagDAL,
+            secretVersionTagDAL,
+            folderCommitService,
+            actor: {
+              type: actor,
+              actorId
+            },
+            tx
+          });
+        }
+      }
+    }
+  });
+
+  return { projectsNotImported };
+};
--- a/backend/src/services/external-migration/external-migration-fns/index.ts
+++ b/backend/src/services/external-migration/external-migration-fns/index.ts
@@ -0,0 +1,3 @@
+export * from "./envkey";
+export * from "./import";
+export * from "./vault";
--- a/backend/src/services/external-migration/external-migration-fns/vault.ts
+++ b/backend/src/services/external-migration/external-migration-fns/vault.ts
@@ -0,0 +1,341 @@
+import axios, { AxiosInstance } from "axios";
+import { v4 as uuidv4 } from "uuid";
+
+import { BadRequestError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+
+import { InfisicalImportData, VaultMappingType } from "../external-migration-types";
+
+type VaultData = {
+  namespace: string;
+  mount: string;
+  path: string;
+  secretData: Record<string, string>;
+};
+
+const vaultFactory = () => {
+  const getMounts = async (request: AxiosInstance) => {
+    const response = await request
+      .get<
+        Record<
+          string,
+          {
+            accessor: string;
+            options: {
+              version?: string;
+            } | null;
+            type: string;
+          }
+        >
+      >("/v1/sys/mounts")
+      .catch((err) => {
+        if (axios.isAxiosError(err)) {
+          logger.error(err.response?.data, "External migration: Failed to get Vault mounts");
+        }
+        throw err;
+      });
+    return response.data;
+  };
+
+  const getPaths = async (
+    request: AxiosInstance,
+    { mountPath, secretPath = "" }: { mountPath: string; secretPath?: string }
+  ) => {
+    try {
+      // For KV v2: /v1/{mount}/metadata/{path}?list=true
+      const path = secretPath ? `${mountPath}/metadata/${secretPath}` : `${mountPath}/metadata`;
+      const response = await request.get<{
+        data: {
+          keys: string[];
+        };
+      }>(`/v1/${path}?list=true`);
+
+      return response.data.data.keys;
+    } catch (err) {
+      if (axios.isAxiosError(err)) {
+        logger.error(err.response?.data, "External migration: Failed to get Vault paths");
+        if (err.response?.status === 404) {
+          return null;
+        }
+      }
+      throw err;
+    }
+  };
+
+  const getSecrets = async (
+    request: AxiosInstance,
+    { mountPath, secretPath }: { mountPath: string; secretPath: string }
+  ) => {
+    // For KV v2: /v1/{mount}/data/{path}
+    const response = await request
+      .get<{
+        data: {
+          data: Record<string, string>; // KV v2 has nested data structure
+          metadata: {
+            created_time: string;
+            deletion_time: string;
+            destroyed: boolean;
+            version: number;
+          };
+        };
+      }>(`/v1/${mountPath}/data/${secretPath}`)
+      .catch((err) => {
+        if (axios.isAxiosError(err)) {
+          logger.error(err.response?.data, "External migration: Failed to get Vault secret");
+        }
+        throw err;
+      });
+
+    return response.data.data.data;
+  };
+
+  // helper function to check if a mount is KV v2 (will be useful if we add support for Vault KV v1)
+  // const isKvV2Mount = (mountInfo: { type: string; options?: { version?: string } | null }) => {
+  //   return mountInfo.type === "kv" && mountInfo.options?.version === "2";
+  // };
+
+  const recursivelyGetAllPaths = async (
+    request: AxiosInstance,
+    mountPath: string,
+    currentPath: string = ""
+  ): Promise<string[]> => {
+    const paths = await getPaths(request, { mountPath, secretPath: currentPath });
+
+    if (paths === null || paths.length === 0) {
+      return [];
+    }
+
+    const allSecrets: string[] = [];
+
+    for await (const path of paths) {
+      const cleanPath = path.endsWith("/") ? path.slice(0, -1) : path;
+      const fullItemPath = currentPath ? `${currentPath}/${cleanPath}` : cleanPath;
+
+      if (path.endsWith("/")) {
+        // it's a folder so we recurse into it
+        const subSecrets = await recursivelyGetAllPaths(request, mountPath, fullItemPath);
+        allSecrets.push(...subSecrets);
+      } else {
+        // it's a secret so we add it to our results
+        allSecrets.push(`${mountPath}/${fullItemPath}`);
+      }
+    }
+
+    return allSecrets;
+  };
+
+  async function collectVaultData({
+    baseUrl,
+    namespace,
+    accessToken
+  }: {
+    baseUrl: string;
+    namespace?: string;
+    accessToken: string;
+  }): Promise<VaultData[]> {
+    const request = axios.create({
+      baseURL: baseUrl,
+      headers: {
+        "X-Vault-Token": accessToken,
+        ...(namespace ? { "X-Vault-Namespace": namespace } : {})
+      }
+    });
+
+    const allData: VaultData[] = [];
+
+    // Get all mounts in this namespace
+    const mounts = await getMounts(request);
+
+    for (const mount of Object.keys(mounts)) {
+      if (!mount.endsWith("/")) {
+        delete mounts[mount];
+      }
+    }
+
+    for await (const [mountPath, mountInfo] of Object.entries(mounts)) {
+      // skip non-KV mounts
+      if (!mountInfo.type.startsWith("kv")) {
+        // eslint-disable-next-line no-continue
+        continue;
+      }
+
+      // get all paths in this mount
+      const paths = await recursivelyGetAllPaths(request, `${mountPath.replace(/\/$/, "")}`);
+
+      const cleanMountPath = mountPath.replace(/\/$/, "");
+
+      for await (const secretPath of paths) {
+        // get the actual secret data
+        const secretData = await getSecrets(request, {
+          mountPath: cleanMountPath,
+          secretPath: secretPath.replace(`${cleanMountPath}/`, "")
+        });
+
+        allData.push({
+          namespace: namespace || "",
+          mount: mountPath.replace(/\/$/, ""),
+          path: secretPath.replace(`${cleanMountPath}/`, ""),
+          secretData
+        });
+      }
+    }
+
+    return allData;
+  }
+
+  return {
+    collectVaultData,
+    getMounts,
+    getPaths,
+    getSecrets,
+    recursivelyGetAllPaths
+  };
+};
+
+export const transformToInfisicalFormatNamespaceToProjects = (
+  vaultData: VaultData[],
+  mappingType: VaultMappingType
+): InfisicalImportData => {
+  const projects: Array<{ name: string; id: string }> = [];
+  const environments: Array<{ name: string; id: string; projectId: string; envParentId?: string }> = [];
+  const folders: Array<{ id: string; name: string; environmentId: string; parentFolderId?: string }> = [];
+  const secrets: Array<{ id: string; name: string; environmentId: string; value: string; folderId?: string }> = [];
+
+  // track created entities to avoid duplicates
+  const projectMap = new Map<string, string>(); // namespace -> projectId
+  const environmentMap = new Map<string, string>(); // namespace:mount -> environmentId
+  const folderMap = new Map<string, string>(); // namespace:mount:folderPath -> folderId
+
+  let environmentId: string = "";
+  for (const data of vaultData) {
+    const { namespace, mount, path, secretData } = data;
+
+    if (mappingType === VaultMappingType.Namespace) {
+      // create project (namespace)
+      if (!projectMap.has(namespace)) {
+        const projectId = uuidv4();
+        projectMap.set(namespace, projectId);
+        projects.push({
+          name: namespace,
+          id: projectId
+        });
+      }
+      const projectId = projectMap.get(namespace)!;
+
+      // create environment (mount)
+      const envKey = `${namespace}:${mount}`;
+      if (!environmentMap.has(envKey)) {
+        environmentId = uuidv4();
+        environmentMap.set(envKey, environmentId);
+        environments.push({
+          name: mount,
+          id: environmentId,
+          projectId
+        });
+      }
+      environmentId = environmentMap.get(envKey)!;
+    } else if (mappingType === VaultMappingType.KeyVault) {
+      if (!projectMap.has(mount)) {
+        const projectId = uuidv4();
+        projectMap.set(mount, projectId);
+        projects.push({
+          name: mount,
+          id: projectId
+        });
+      }
+      const projectId = projectMap.get(mount)!;
+
+      // create single "Production" environment per project, because we have no good way of determining environments from vault
+      if (!environmentMap.has(mount)) {
+        environmentId = uuidv4();
+        environmentMap.set(mount, environmentId);
+        environments.push({
+          name: "Production",
+          id: environmentId,
+          projectId
+        });
+      }
+      environmentId = environmentMap.get(mount)!;
+    }
+
+    // create folder structure
+    let currentFolderId: string | undefined;
+    let currentPath = "";
+
+    if (path.includes("/")) {
+      const pathParts = path.split("/").filter(Boolean);
+
+      const folderParts = pathParts;
+
+      // create nested folder structure for the entire path
+      for (const folderName of folderParts) {
+        currentPath = currentPath ? `${currentPath}/${folderName}` : folderName;
+        const folderKey = `${namespace}:${mount}:${currentPath}`;
+
+        if (!folderMap.has(folderKey)) {
+          const folderId = uuidv4();
+          folderMap.set(folderKey, folderId);
+          folders.push({
+            id: folderId,
+            name: folderName,
+            environmentId,
+            parentFolderId: currentFolderId || environmentId
+          });
+          currentFolderId = folderId;
+        } else {
+          currentFolderId = folderMap.get(folderKey)!;
+        }
+      }
+    }
+
+    for (const [key, value] of Object.entries(secretData)) {
+      secrets.push({
+        id: uuidv4(),
+        name: key,
+        environmentId,
+        value: String(value),
+        folderId: currentFolderId
+      });
+    }
+  }
+
+  return {
+    projects,
+    environments,
+    folders,
+    secrets
+  };
+};
+
+export const importVaultDataFn = async ({
+  vaultAccessToken,
+  vaultNamespace,
+  vaultUrl,
+  mappingType
+}: {
+  vaultAccessToken: string;
+  vaultNamespace?: string;
+  vaultUrl: string;
+  mappingType: VaultMappingType;
+}) => {
+  await blockLocalAndPrivateIpAddresses(vaultUrl);
+
+  if (mappingType === VaultMappingType.Namespace && !vaultNamespace) {
+    throw new BadRequestError({
+      message: "Vault namespace is required when project mapping type is set to namespace."
+    });
+  }
+
+  const vaultApi = vaultFactory();
+
+  const vaultData = await vaultApi.collectVaultData({
+    accessToken: vaultAccessToken,
+    baseUrl: vaultUrl,
+    namespace: vaultNamespace
+  });
+
+  const infisicalData = transformToInfisicalFormatNamespaceToProjects(vaultData, mappingType);
+
+  return infisicalData;
+};
--- a/backend/src/services/external-migration/external-migration-queue.ts
+++ b/backend/src/services/external-migration/external-migration-queue.ts
@@ -19,7 +19,7 @@ import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-d
 import { TSecretVersionV2TagDALFactory } from "../secret-v2-bridge/secret-version-tag-dal";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { importDataIntoInfisicalFn } from "./external-migration-fns";
-import { ExternalPlatforms, TImportInfisicalDataCreate } from "./external-migration-types";
+import { ExternalPlatforms, ImportType, TImportInfisicalDataCreate } from "./external-migration-types";

 export type TExternalMigrationQueueFactoryDep = {
  smtpService: TSmtpService;
@@ -67,6 +67,7 @@ export const externalMigrationQueueFactory = ({
  const startImport = async (dto: {
    actorEmail: string;
    data: {
+      importType: ImportType;
      iv: string;
      tag: string;
      ciphertext: string;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Daniel Hougaard	c68138ac21	Merge pull request #4245 from Infisical/daniel/fips-improvements fix(fips): increased image size and migrations	2025-07-25 23:40:27 +04:00
Daniel Hougaard	d4f0301104	Update Dockerfile.fips.standalone-infisical	2025-07-25 23:13:26 +04:00
Daniel Hougaard	253c46f21d	fips improvements	2025-07-25 23:09:23 +04:00
Maidul Islam	d8e39aed16	Merge pull request #4243 from Infisical/fix/secretReminderMigration Add manual migration to secret imports rework	2025-07-25 15:01:04 -04:00
Carlos Monastyrski	72ee468208	Remove previous queue running the migration	2025-07-25 15:20:23 -03:00
carlosmonastyrski	18238b46a7	Merge pull request #4229 from Infisical/feat/azureClientSecretsNewAuth Add client secrets authentication on Azure CS app connection	2025-07-25 15:00:49 -03:00
Carlos Monastyrski	d0ffae2c10	Add uuid validation to Azure client secrets	2025-07-25 14:53:46 -03:00
Carlos Monastyrski	7ce11cde95	Add cycle logic to next reminder migration	2025-07-25 14:47:57 -03:00
Carlos Monastyrski	af32948a05	Minor improvements on reminders migration	2025-07-25 13:35:06 -03:00
Daniel Hougaard	25753fc995	Merge pull request #4242 from Infisical/daniel/render-sync-auto-redeploy feat(secret-sync/render): auto redeploy on sync	2025-07-25 20:31:47 +04:00
Carlos Monastyrski	cd71848800	Avoid migrating existing reminders	2025-07-25 13:10:54 -03:00
Carlos Monastyrski	4afc7a1981	Add manual migration to secret imports rework	2025-07-25 13:06:29 -03:00
Daniel Hougaard	11ca76ccca	fix: restructure and requested changes	2025-07-25 20:05:20 +04:00
Daniel Hougaard	418aca8af0	feat(secret-sync/render): auto redeploy on sync	2025-07-25 19:50:28 +04:00
Carlos Monastyrski	7365f60835	Small code improvements	2025-07-25 01:23:01 -03:00
Scott Wilson	929822514e	Merge pull request #4230 from Infisical/secret-dashboard-sing-env-col-resize improvement(frontend): add col resize to secret dashboard env view	2025-07-24 20:08:18 -07:00
Daniel Hougaard	616ccb97f2	Merge pull request #4238 from Infisical/daniel/docs-fix Update docs.json	2025-07-25 04:59:32 +04:00
Daniel Hougaard	7917a767e6	Update docs.json	2025-07-25 04:57:15 +04:00
carlosmonastyrski	ccff675e0d	Merge pull request #4237 from Infisical/fix/remindersMigrationFix Fix secret reminders migration job	2025-07-24 21:25:47 -03:00
Carlos Monastyrski	ad905b2ff7	Fix secret reminders migration job	2025-07-24 20:42:39 -03:00
carlosmonastyrski	2ada753527	Merge pull request #4235 from Infisical/fix/renderRateLimit Improve render retries and rate limits	2025-07-24 19:07:17 -03:00
Carlos Monastyrski	c031736701	Improve render api usage	2025-07-24 18:51:44 -03:00
Daniel Hougaard	91a1c34637	Merge pull request #4211 from Infisical/daniel/vault-import feat(external-migrations): vault migrations	2025-07-25 01:16:50 +04:00
Carlos Monastyrski	eadb1a63fa	Improve render retries and rate limits	2025-07-24 17:49:28 -03:00
Scott Wilson	f70a1e3db6	Merge pull request #4233 from Infisical/fix-identity-role-invalidation fix(frontend): correct org identity mutation table invalidation	2025-07-24 12:17:03 -07:00
Scott Wilson	fc6ab94a06	fix: correct org identity mutation table invalidation	2025-07-24 12:08:41 -07:00
Scott Wilson	4feb3314e7	Merge pull request #4232 from Infisical/create-project-modal-dropdown improvement(frontend): Adjust select dropdown styling in add project modal	2025-07-24 11:57:23 -07:00
Scott Wilson	d9a57d1391	fix: make side prop optional	2025-07-24 11:50:05 -07:00
Scott Wilson	2c99d41592	improvement: adjust select dropdown styling in add project modal	2025-07-24 11:42:04 -07:00
Scott Wilson	2535d1bc4b	Merge pull request #4228 from Infisical/project-audit-logs-page feature(project-audit-logs): add project audit logs pages	2025-07-24 10:49:02 -07:00
Scott Wilson	83e59ae160	feature: add col resize to secret dashboard env view	2025-07-24 10:18:57 -07:00
x032205	a8a1bc5f4a	Merge pull request #4227 from Infisical/ENG-3345 feat(machine-identity): Add AWS attributes for ABAC	2025-07-24 11:59:17 -04:00
Daniel Hougaard	d2a4f265de	Update ExternalMigrationsTab.tsx	2025-07-24 19:58:29 +04:00
x032205	3483f185a8	Doc tweaks	2025-07-24 11:44:10 -04:00
Scott Wilson	9bc24487b3	Merge pull request #4216 from Infisical/dashboard-filter-improvements improvement(frontend): improve dashboard filter behavior and design	2025-07-24 08:33:24 -07:00
Daniel Hougaard	4af872e504	fix: ui state	2025-07-24 19:14:50 +04:00
Daniel Hougaard	716b88fa49	requested changes and docs	2025-07-24 19:09:24 +04:00
Maidul Islam	cb700c5124	Merge pull request #4183 from Infisical/fix/oracle-app-connection fix: resolved oracle failing in app connection	2025-07-24 09:57:10 -04:00
=	8e829bdf85	fix: resolved oracle failing in app connection	2025-07-24 19:23:52 +05:30
Daniel Hougaard	716f061c01	Merge branch 'heads/main' into daniel/vault-import	2025-07-24 17:29:55 +04:00
Carlos Monastyrski	5af939992c	Update docs	2025-07-24 10:04:25 -03:00
Carlos Monastyrski	aec4ee905e	Add client secrets authentication on Azure CS app connection	2025-07-24 09:40:54 -03:00
Scott Wilson	dd008724fb	fix type error	2025-07-23 18:26:01 -07:00
Scott Wilson	dd0c07fb95	improvements: remove fixed css	2025-07-23 18:18:59 -07:00
Scott Wilson	d935b28925	feature: add project audit logs	2025-07-23 16:48:54 -07:00
x032205	60620840f2	Tweaks	2025-07-23 16:48:06 -04:00
x032205	e798eb2a4e	feat(machine-identity): Add AWS attributes for ABAC	2025-07-23 16:30:55 -04:00
Scott Wilson	e96e7b835d	improvements: address feedback	2025-07-23 12:43:48 -07:00
carlosmonastyrski	75622ed03e	Merge pull request #3926 from Infisical/feat/remindersImprovement feat(secret-reminders): rework secret reminders logic	2025-07-23 16:07:04 -03:00
Scott Wilson	a7041fcade	Merge pull request #4199 from Infisical/search-by-tags-metadata improvement(dashboard): add secret tag/metadata search functionality to single env view dashboard	2025-07-23 11:27:11 -07:00
Scott Wilson	0b38fc7843	Merge pull request #4181 from Infisical/org-policy-edit-page-revisions improvements(frontend): org and project policy page ui improvements	2025-07-23 11:26:38 -07:00
Maidul Islam	e678c19874	Merge pull request #4225 from Infisical/fix/secret-scanning-delete feat: updated invalid url	2025-07-23 13:38:45 -04:00
=	878e12ea5c	feat: updated invalid url	2025-07-23 23:06:38 +05:30
x032205	485a90bde1	Merge pull request #4224 from Infisical/fix-secret-rotation-defaults Fix secret rotation defaults	2025-07-23 12:45:39 -04:00
x032205	98b6bdad76	Fix secret rotation defaults	2025-07-23 12:44:23 -04:00
Carlos Monastyrski	f490ca22ac	Small fix on new permission field actionProjectType missin on reminders service	2025-07-23 13:07:58 -03:00
Maidul Islam	2d8de9e782	update product names for project templates	2025-07-23 10:50:46 -04:00
Maidul Islam	14d4cfdbe4	Merge pull request #4222 from Infisical/fix/secret-scanning-delete fix: resolved project deletion not working for secret scanning on missing plan	2025-07-23 10:47:18 -04:00
x032205	e8bd73c0d0	Merge pull request #4201 from Infisical/check-gateway-license-in-service License check on fnGetGatewayClientTlsByGatewayId	2025-07-23 10:41:58 -04:00
Akhil Mohan	3406457c08	Merge pull request #4218 from dcs-soni/bug/banner-flicker fix: redis banner appears only when it is not configured	2025-07-23 20:10:18 +05:30
=	c16764b62b	fix: resolved project deletion not working for secret scanning on missing plan	2025-07-23 20:07:45 +05:30
Sid	ab56a69d59	feat: Digital Ocean App connection and App Platform secret sync (#4203 ) * fix: save wip * feat: final impl * feat: docs * Update backend/src/services/app-connection/digital-ocean/digital-ocean-connection-service.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> * chore: remove empty conflict files * Update backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> * Update frontend/src/components/secret-syncs/forms/schemas/digital-ocean-app-platform-sync-destination-schema.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> * Update frontend/src/components/secret-syncs/forms/schemas/digital-ocean-app-platform-sync-destination-schema.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> * Update frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/DigitalOceanAppPlatformSyncFields.tsx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> * Update backend/src/services/secret-sync/digital-ocean-app-platform/digital-ocean-app-platform-sync-schemas.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> * fix: lint * fix: api client * fix: lint and types * fix: typecheck lint * fix: docs * fix: docs * fix: linting --------- Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-07-23 19:59:29 +05:30
Carlos Monastyrski	8520ca98c7	Merge branch 'main' into feat/remindersImprovement	2025-07-23 11:27:31 -03:00
carlosmonastyrski	95b997c100	Merge pull request #4214 from Infisical/fix/confirmCommitButtonFix Redo confirm changes box	2025-07-23 11:08:38 -03:00
carlosmonastyrski	b433582ca6	Merge pull request #4210 from Infisical/feat/bitbucketSecretSync Add Bitbucket Secret Sync	2025-07-23 11:07:07 -03:00
Maidul Islam	242cfe82c5	update product names	2025-07-23 09:38:08 -04:00
Maidul Islam	af4f7ec4f3	Merge pull request #4207 from Infisical/feat/split-back feat: Move products out of projects	2025-07-23 09:27:53 -04:00
Maidul Islam	454e75cfd0	remove consoles	2025-07-23 09:26:32 -04:00
=	95f8ae1cf8	fix: resolved migration issue	2025-07-23 14:31:55 +05:30
Maidul Islam	feb773152e	update migration	2025-07-23 14:31:55 +05:30
=	7f35ff119e	feat: resolved dual filter in all view	2025-07-23 14:31:54 +05:30
Scott Wilson	cb4cb922b9	improvement: design revisions and various overflow handling	2025-07-23 14:31:54 +05:30
=	dfecaae560	feat: added timeout function to migration	2025-07-23 14:31:54 +05:30
=	53bec6bc3e	feat: resolved merge issue and fixed callback url	2025-07-23 14:31:54 +05:30
=	af48e7ce99	feat: more review changes	2025-07-23 14:31:54 +05:30
=	9f35b573d1	feat: resolved template bug	2025-07-23 14:31:54 +05:30
=	bcb1f35606	feat: hide environment in other products	2025-07-23 14:31:54 +05:30
=	67ab16aff3	feat: resolved lint fail	2025-07-23 14:31:53 +05:30
=	354aed5e8a	feat: resolved broken ui for templates	2025-07-23 14:31:53 +05:30
=	e2e9dbc8aa	feat: reverted license-fn	2025-07-23 14:31:53 +05:30
=	f38b8eac2b	feat: made review changes	2025-07-23 14:31:53 +05:30
=	7c87feb546	feat: added defaultProduct as null	2025-07-23 14:31:53 +05:30
=	e0cbfe8865	feat: added card truncation	2025-07-23 14:31:53 +05:30
=	abda494374	feat: brought back assume privilege banner	2025-07-23 14:31:53 +05:30
=	272207c580	feat: resolved migration failing	2025-07-23 14:31:52 +05:30
=	4cf66a8bfd	feat: completed migration script for project split revert	2025-07-23 14:31:52 +05:30
=	30ef7f395a	feat: removed type default value in get projects	2025-07-23 14:31:52 +05:30
=	ec8ea76e2c	feat: completed all layout changes needed for frontend	2025-07-23 14:31:52 +05:30
=	cc9f4fb5b3	feat: reverted template changes to project type based	2025-07-23 14:31:52 +05:30
=	33256c3462	feat: resolved frontend url changes and resolved ts error	2025-07-23 14:31:52 +05:30
=	864be1deb7	feat: revert back action project type	2025-07-23 14:31:51 +05:30
=	f10ab58d74	Revert "feat: removed all action project type check" This reverts commit `e028b4e26d`.	2025-07-23 14:31:51 +05:30
dcs-soni	9ec4419d83	fix testing vars	2025-07-23 13:04:10 +05:30
dcs-soni	7ff7e5882a	fix: redis banner appears only when it is not configured	2025-07-23 12:44:05 +05:30
Scott Wilson	e76e0f7bcc	improvement: improve dashboard filter behavior and design	2025-07-22 17:14:45 -07:00
Daniel Hougaard	cb4999c1b4	Merge pull request #4215 from Infisical/daniel/rust-sdk-docs Daniel/rust sdk docs	2025-07-23 04:01:58 +04:00
Scott Wilson	d4bdf04061	improvement: responsive and border color	2025-07-22 09:34:43 -07:00
Scott Wilson	4dcb3938e0	improvements: minor adjustments	2025-07-22 08:58:12 -07:00
Carlos Monastyrski	f992535812	Redo confirm changes box	2025-07-22 11:03:25 -03:00
Daniel Hougaard	464e32b0e9	Update VaultPlatformModal.tsx	2025-07-22 13:04:00 +04:00
Scott Wilson	4547b61d8f	improvement: add metadata support to deep search	2025-07-21 18:18:04 -07:00
Carlos Monastyrski	047fd9371f	Fix bitbucket iterationCount limit	2025-07-21 21:39:57 -03:00
Daniel Hougaard	bfd8b64871	requested changes	2025-07-22 02:15:21 +04:00
Daniel Hougaard	185cc4efba	Update VaultPlatformModal copy.tsx	2025-07-22 01:50:28 +04:00
Daniel Hougaard	7150b9314d	feat(external-migrations): vault migrations	2025-07-22 01:35:02 +04:00
Carlos Monastyrski	328f929a29	Addressed PR comments	2025-07-21 18:24:48 -03:00
Carlos Monastyrski	5019918516	Add secret sync app connection permission set	2025-07-21 11:44:21 -03:00
Carlos Monastyrski	ce877cd352	Addressed PR suggestions	2025-07-21 11:01:22 -03:00
Carlos Monastyrski	d44b3293b6	Add Bitbucket Secret Sync	2025-07-21 10:28:31 -03:00
x032205	4d8000e331	License check on fnGetGatewayClientTlsByGatewayId	2025-07-19 02:41:41 -04:00
Scott Wilson	90c341cf53	improvement: add secret tag/metadata search functionality to single env view dashboard	2025-07-18 18:22:11 -07:00
Scott Wilson	8df53dde3b	improvements: address feedback	2025-07-17 15:27:28 -07:00
Carlos Monastyrski	394ecd24a0	Merge branch 'main' into feat/remindersImprovement	2025-07-17 17:35:41 -03:00
Daniel Hougaard	6d3acb5514	Update models.ts	2025-07-18 00:28:15 +04:00
Scott Wilson	1e08b3cdc2	chore: remove unused export	2025-07-16 15:05:10 -07:00
Scott Wilson	844f2bb72c	improvements: org and project policy page ui improvements	2025-07-16 14:48:57 -07:00
Carlos Monastyrski	bd4968b60d	Minor improvements on new reminders api	2025-07-14 16:48:05 -03:00
Carlos Monastyrski	6449699f03	Merge branch 'main' into feat/remindersImprovement	2025-07-14 10:19:33 -03:00
Carlos Monastyrski	0e680e366b	Improve reminders router	2025-07-11 15:26:09 -03:00
Carlos Monastyrski	0af00ce82d	Minor fix on add reminder table migration	2025-07-11 09:21:57 -03:00
Carlos Monastyrski	3153450dc5	Merge branch 'main' into feat/remindersImprovement	2025-07-11 08:59:21 -03:00
Carlos Monastyrski	50ba2e543c	Minor improvements on new reminders logic	2025-07-11 08:02:18 -03:00
Carlos Monastyrski	e2559f10bc	feat(secret-reminders): addressed PR suggestions and improvements	2025-07-04 11:58:09 -03:00
Carlos Monastyrski	0efc314f33	feat(secret-reminders): rework secret reminders logic	2025-07-04 09:47:36 -03:00