Merge pull request #3060 from Infisical/daniel/query-secrets-by-metadata

feat(api): list secrets filter by metadata
requested changes
2025-07-13 09:35:39 +00:00 · 2025-02-07 04:53:30 +01:00 · 2025-02-07 07:49:42 +04:00 · 2025-02-06 15:10:49 -08:00 · 2025-02-06 11:26:26 -08:00 · 2025-02-06 10:12:51 -08:00
2618 changed files with 134446 additions and 65323 deletions
--- a/.env.example
+++ b/.env.example
@ -26,7 +26,8 @@ SITE_URL=http://localhost:8080
 # Mail/SMTP 
 SMTP_HOST=
 SMTP_PORT=
-SMTP_NAME=
+SMTP_FROM_ADDRESS=
 SMTP_FROM_NAME=
 SMTP_USERNAME=
 SMTP_PASSWORD=
@ -74,7 +75,37 @@ CAPTCHA_SECRET=
 NEXT_PUBLIC_CAPTCHA_SITE_KEY=
 OTEL_TELEMETRY_COLLECTION_ENABLED=false
 OTEL_EXPORT_TYPE=prometheus
 OTEL_EXPORT_OTLP_ENDPOINT=
 OTEL_OTLP_PUSH_INTERVAL=
 OTEL_COLLECTOR_BASIC_AUTH_USERNAME=
 OTEL_COLLECTOR_BASIC_AUTH_PASSWORD=
 PLAIN_API_KEY=
 PLAIN_WISH_LABEL_IDS=
 SSL_CLIENT_CERTIFICATE_HEADER_KEY=
 ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true
 # App Connections
 # aws assume-role
 INF_APP_CONNECTION_AWS_ACCESS_KEY_ID=
 INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY=
 # github oauth
 INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET=
 #github app
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
 INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
 INF_APP_CONNECTION_GITHUB_APP_ID=
 #gcp app
 INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
--- a/.github/workflows/check-fe-ts-and-lint.yml
+++ b/.github/workflows/check-fe-ts-and-lint.yml
@ -18,18 +18,18 @@ jobs:
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 🔧 Setup Node 16
+      - name: 🔧 Setup Node 20
        uses: actions/setup-node@v3
        with:
-          node-version: "16"
+          node-version: "20"
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
      - name: 📦 Install dependencies
        run: npm install
        working-directory: frontend
      - name: 🏗️ Run Type check
-        run: npm run type:check 
+        run: npm run type:check
        working-directory: frontend
      - name: 🏗️ Run Link check
-        run: npm run lint:fix 
+        run: npm run lint:fix
        working-directory: frontend
--- a/.github/workflows/build-staging-and-deploy-aws.yml
+++ b/.github/workflows/build-staging-and-deploy-aws.yml
@ -5,14 +5,18 @@ permissions:
  id-token: write
  contents: read
 concurrency: 
  group: "infisical-core-deployment"
  cancel-in-progress: true  
 jobs:
  infisical-tests:
-    name: Run tests before deployment
+    name: Integration tests
    # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
    uses: ./.github/workflows/run-backend-tests.yml
  infisical-image:
-    name: Build backend image
+    name: Build
    runs-on: ubuntu-latest
    needs: [infisical-tests]
    steps:
@ -97,15 +101,15 @@ jobs:
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
          service: infisical-core-gamma-stage
          cluster: infisical-gamma-stage
          wait-for-service-stability: true
-  production-postgres-deployment:
+  production-us:
-    name: Deploy to production
+    name: US production deploy 
    runs-on: ubuntu-latest
    needs: [gamma-deployment]
    environment:
@ -113,10 +117,6 @@ jobs:
    steps:
      - uses: twingate/github-action@v1
        with:
        # The Twingate Service Key used to connect Twingate to the proper service
        # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
        #
        # Required
          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
      - name: Checkout code
        uses: actions/checkout@v2
@ -153,9 +153,110 @@ jobs:
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
          service: infisical-core-platform
          cluster: infisical-core-platform
          wait-for-service-stability: true
      - name: Post slack message 
        uses: slackapi/slack-github-action@v2.0.0
        with:
          webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          payload: |
            text: "*Deployment Status Update*: ${{ job.status }}"
            blocks:
              - type: "section"
                text:
                  type: "mrkdwn"
                  text: "*Deployment Status Update*: ${{ job.status }}"
              - type: "section"
                fields:
                  - type: "mrkdwn"
                    text: "*Application:*\nInfisical Core"
                  - type: "mrkdwn"
                    text: "*Instance Type:*\nShared Infisical Cloud"
              - type: "section"
                fields:
                  - type: "mrkdwn"
                    text: "*Region:*\nUS"
                  - type: "mrkdwn"
                    text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
  production-eu:
      name: EU production deploy
      runs-on: ubuntu-latest
      needs: [production-us]
      environment:
        name: production-eu
      steps:
        - uses: twingate/github-action@v1
          with:
            service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
        - name: Configure AWS Credentials 
          uses: aws-actions/configure-aws-credentials@v4
          with:
            audience: sts.amazonaws.com
            aws-region: eu-central-1
            role-to-assume: arn:aws:iam::345594589636:role/gha-make-prod-deployment
        - name: Checkout code
          uses: actions/checkout@v2
        - name: Setup Node.js environment
          uses: actions/setup-node@v2
          with:
            node-version: "20"
        - name: Change directory to backend and install dependencies
          env:
            DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
          run: |
            cd backend
            npm install
            npm run migration:latest
        - name: Save commit hashes for tag
          id: commit
          uses: pr-mpt/actions-commit-hash@v2
        - name: Download task definition
          run: |
            aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
        - name: Render Amazon ECS task definition
          id: render-web-container
          uses: aws-actions/amazon-ecs-render-task-definition@v1
          with:
            task-definition: task-definition.json
            container-name: infisical-core-platform
            image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
            environment-variables: "LOG_LEVEL=info"
        - name: Deploy to Amazon ECS service
          uses: aws-actions/amazon-ecs-deploy-task-definition@v2
          with:
            task-definition: ${{ steps.render-web-container.outputs.task-definition }}
            service: infisical-core-platform
            cluster: infisical-core-platform
            wait-for-service-stability: true
        - name: Post slack message 
          uses: slackapi/slack-github-action@v2.0.0
          with:
            webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
            webhook-type: incoming-webhook
            payload: |
              text: "*Deployment Status Update*: ${{ job.status }}"
              blocks:
                - type: "section"
                  text:
                    type: "mrkdwn"
                    text: "*Deployment Status Update*: ${{ job.status }}"
                - type: "section"
                  fields:
                    - type: "mrkdwn"
                      text: "*Application:*\nInfisical Core"
                    - type: "mrkdwn"
                      text: "*Instance Type:*\nShared Infisical Cloud"
                - type: "section"
                  fields:
                    - type: "mrkdwn"
                      text: "*Region:*\nEU"
                    - type: "mrkdwn"
                      text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
--- a/.github/workflows/helm-release-infisical-core.yml
+++ b/.github/workflows/helm-release-infisical-core.yml
@ -1,4 +1,4 @@
-name: Release Helm Charts
+name: Release Infisical Core Helm chart
 on: [workflow_dispatch]
@ -17,6 +17,6 @@ jobs:
      - name: Install Cloudsmith CLI
        run: pip install --upgrade cloudsmith-cli
      - name: Build and push helm package to Cloudsmith
-        run: cd helm-charts && sh upload-to-cloudsmith.sh
+        run: cd helm-charts && sh upload-infisical-core-helm-cloudsmith.sh
        env:
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/release-standalone-docker-img-postgres-offical.yml
+++ b/.github/workflows/release-standalone-docker-img-postgres-offical.yml
@ -1,62 +1,115 @@
 name: Release standalone docker image
 on:
-  push:
+    push:
-    tags:
+        tags:
-      - "infisical/v*.*.*-postgres"
+            - "infisical/v*.*.*-postgres"
 jobs:
-  infisical-tests:
+    infisical-tests:
-    name: Run tests before deployment
+        name: Run tests before deployment
-    # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
+        # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
-    uses: ./.github/workflows/run-backend-tests.yml
+        uses: ./.github/workflows/run-backend-tests.yml
-  infisical-standalone:
+
-    name: Build infisical standalone image postgres
+    infisical-standalone:
-    runs-on: ubuntu-latest
+        name: Build infisical standalone image postgres
-    needs: [infisical-tests]
+        runs-on: ubuntu-latest
-    steps:
+        needs: [infisical-tests]
-      - name: Extract version from tag
+        steps:
-        id: extract_version
+            - name: Extract version from tag
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+              id: extract_version
-      - name: ☁️ Checkout source
+              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-        uses: actions/checkout@v3
+            - name: ☁️ Checkout source
-        with:
+              uses: actions/checkout@v3
-          fetch-depth: 0
+              with:
-      - name: 📦 Install dependencies to test all dependencies
+                  fetch-depth: 0
-        run: npm ci --only-production
+            - name: 📦 Install dependencies to test all dependencies
-        working-directory: backend
+              run: npm ci --only-production
-      - name: version output
+              working-directory: backend
-        run: |
+            - name: version output
-          echo "Output Value: ${{ steps.version.outputs.major }}"
+              run: |
-          echo "Output Value: ${{ steps.version.outputs.minor }}"
+                  echo "Output Value: ${{ steps.version.outputs.major }}"
-          echo "Output Value: ${{ steps.version.outputs.patch }}"
+                  echo "Output Value: ${{ steps.version.outputs.minor }}"
-          echo "Output Value: ${{ steps.version.outputs.version }}"
+                  echo "Output Value: ${{ steps.version.outputs.patch }}"
-          echo "Output Value: ${{ steps.version.outputs.version_type }}"
+                  echo "Output Value: ${{ steps.version.outputs.version }}"
-          echo "Output Value: ${{ steps.version.outputs.increment }}"
+                  echo "Output Value: ${{ steps.version.outputs.version_type }}"
-      - name: Save commit hashes for tag
+                  echo "Output Value: ${{ steps.version.outputs.increment }}"
-        id: commit
+            - name: Save commit hashes for tag
-        uses: pr-mpt/actions-commit-hash@v2
+              id: commit
-      - name: 🔧 Set up Docker Buildx
+              uses: pr-mpt/actions-commit-hash@v2
-        uses: docker/setup-buildx-action@v2
+            - name: 🔧 Set up Docker Buildx
-      - name: 🐋 Login to Docker Hub
+              uses: docker/setup-buildx-action@v2
-        uses: docker/login-action@v2
+            - name: 🐋 Login to Docker Hub
-        with:
+              uses: docker/login-action@v2
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+              with:
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
-      - name: Set up Depot CLI
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
-        uses: depot/setup-action@v1
+            - name: Set up Depot CLI
-      - name: 📦 Build backend and export to Docker
+              uses: depot/setup-action@v1
-        uses: depot/build-push-action@v1
+            - name: 📦 Build backend and export to Docker
-        with:
+              uses: depot/build-push-action@v1
-          project: 64mmf0n610
+              with:
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+                  project: 64mmf0n610
-          push: true
+                  token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          context: .
+                  push: true
-          tags: |
+                  context: .
-            infisical/infisical:latest-postgres
+                  tags: |
-            infisical/infisical:${{ steps.commit.outputs.short }}
+                      infisical/infisical:latest-postgres
-            infisical/infisical:${{ steps.extract_version.outputs.version }}
+                      infisical/infisical:${{ steps.commit.outputs.short }}
-          platforms: linux/amd64,linux/arm64
+                      infisical/infisical:${{ steps.extract_version.outputs.version }}
-          file: Dockerfile.standalone-infisical
+                  platforms: linux/amd64,linux/arm64
-          build-args: |
+                  file: Dockerfile.standalone-infisical
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+                  build-args: |
-            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+                      POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
                      INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
    infisical-fips-standalone:
        name: Build infisical standalone image postgres
        runs-on: ubuntu-latest
        needs: [infisical-tests]
        steps:
            - name: Extract version from tag
              id: extract_version
              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
            - name: ☁️ Checkout source
              uses: actions/checkout@v3
              with:
                  fetch-depth: 0
            - name: 📦 Install dependencies to test all dependencies
              run: npm ci --only-production
              working-directory: backend
            - name: version output
              run: |
                  echo "Output Value: ${{ steps.version.outputs.major }}"
                  echo "Output Value: ${{ steps.version.outputs.minor }}"
                  echo "Output Value: ${{ steps.version.outputs.patch }}"
                  echo "Output Value: ${{ steps.version.outputs.version }}"
                  echo "Output Value: ${{ steps.version.outputs.version_type }}"
                  echo "Output Value: ${{ steps.version.outputs.increment }}"
            - name: Save commit hashes for tag
              id: commit
              uses: pr-mpt/actions-commit-hash@v2
            - name: 🔧 Set up Docker Buildx
              uses: docker/setup-buildx-action@v2
            - name: 🐋 Login to Docker Hub
              uses: docker/login-action@v2
              with:
                  username: ${{ secrets.DOCKERHUB_USERNAME }}
                  password: ${{ secrets.DOCKERHUB_TOKEN }}
            - name: Set up Depot CLI
              uses: depot/setup-action@v1
            - name: 📦 Build backend and export to Docker
              uses: depot/build-push-action@v1
              with:
                  project: 64mmf0n610
                  token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
                  push: true
                  context: .
                  tags: |
                      infisical/infisical-fips:latest-postgres
                      infisical/infisical-fips:${{ steps.commit.outputs.short }}
                      infisical/infisical-fips:${{ steps.extract_version.outputs.version }}
                  platforms: linux/amd64,linux/arm64
                  file: Dockerfile.fips.standalone-infisical
                  build-args: |
                      POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
                      INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
--- a/.github/workflows/release_build_infisical_cli.yml
+++ b/.github/workflows/release_build_infisical_cli.yml
@ -10,8 +10,7 @@ on:
 permissions:
    contents: write
-    # packages: write
+
    # issues: write
 jobs:
    cli-integration-tests:
        name: Run tests before deployment
@ -26,6 +25,63 @@ jobs:
            CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
    npm-release:
        runs-on: ubuntu-20.04
        env:
            working-directory: ./npm
        needs:
            - cli-integration-tests
            - goreleaser
        steps:
            - uses: actions/checkout@v3
              with:
                  fetch-depth: 0
            - name: Extract version
              run: |
                  VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
                  echo "Version extracted: $VERSION"
                  echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
            - name: Print version
              run: echo ${{ env.CLI_VERSION }}
            - name: Setup Node
              uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
              with:
                  node-version: 20
                  cache: "npm"
                  cache-dependency-path: ./npm/package-lock.json
            - name: Install dependencies
              working-directory: ${{ env.working-directory }}
              run: npm install --ignore-scripts
            - name: Set NPM version
              working-directory: ${{ env.working-directory }}
              run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
            - name: Setup NPM
              working-directory: ${{ env.working-directory }}
              run: |
                  echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
                  echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
              env:
                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
            - name: Pack NPM
              working-directory: ${{ env.working-directory }}
              run: npm pack
            - name: Publish NPM
              working-directory: ${{ env.working-directory }}
              run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
              env:
                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
    goreleaser:
        runs-on: ubuntu-20.04
        needs: [cli-integration-tests]
--- a/.github/workflows/release_docker_k8_operator.yaml
+++ b/.github/workflows/release_docker_k8_operator.yaml
@ -1,4 +1,4 @@
-name: Release Docker image for K8 operator
+name: Release image + Helm chart K8s Operator
 on:
  push:
    tags:
@ -35,3 +35,18 @@ jobs:
          tags: |
            infisical/kubernetes-operator:latest
            infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
      - name: Checkout
        uses: actions/checkout@v2
      - name: Install Helm
        uses: azure/setup-helm@v3
        with:
          version: v3.10.0
      - name: Install python
        uses: actions/setup-python@v4
      - name: Install Cloudsmith CLI
        run: pip install --upgrade cloudsmith-cli
      - name: Build and push helm package to Cloudsmith
        run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
        env:
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.gitignore
+++ b/.gitignore
@ -71,3 +71,5 @@ frontend-build
 cli/infisical-merge
 cli/test/infisical-merge
 /backend/binary
 /npm/bin
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@ -1,6 +1,12 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 # Check if infisical is installed
 if ! command -v infisical >/dev/null 2>&1; then
    echo "\nError: Infisical CLI is not installed. Please install the Infisical CLI before comitting.\n You can refer to the documentation at https://infisical.com/docs/cli/overview\n\n"
    exit 1
 fi
 npx lint-staged
 infisical scan git-changes --staged -v
--- a/.infisicalignore
+++ b/.infisicalignore
@ -6,3 +6,5 @@ frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/S
 docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
 docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104
--- a/Dockerfile.fips.standalone-infisical
+++ b/Dockerfile.fips.standalone-infisical
@ -0,0 +1,181 @@
 ARG POSTHOG_HOST=https://app.posthog.com
 ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
 ARG CAPTCHA_SITE_KEY=captcha-site-key
 FROM node:20-slim AS base
 FROM base AS frontend-dependencies
 WORKDIR /app
 COPY frontend/package.json frontend/package-lock.json  ./
 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
 # Rebuild the source code only when needed
 FROM base AS frontend-builder
 WORKDIR /app
 # Copy dependencies
 COPY --from=frontend-dependencies /app/node_modules ./node_modules
 # Copy all files 
 COPY /frontend .
 ENV NODE_ENV production
 ARG POSTHOG_HOST
 ENV VITE_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
 ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
 ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
 ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
 ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 # Build
 RUN npm run build
 # Production image
 FROM base AS frontend-runner
 WORKDIR /app
 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
 USER non-root-user
 ##
 ## BACKEND
 ##
 FROM base AS backend-build
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
 WORKDIR /app
 # Required for pkcs11js and ODBC
 RUN apt-get update && apt-get install -y \
    python3 \
    make \
    g++ \
    unixodbc \
    unixodbc-dev \
    freetds-dev \
    freetds-bin \
    tdsodbc \
    && rm -rf /var/lib/apt/lists/*
 # Configure ODBC
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 COPY backend/package*.json ./
 RUN npm ci --only-production
 COPY /backend .
 COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
 RUN npm i -D tsconfig-paths
 RUN npm run build
 # Production stage
 FROM base AS backend-runner
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 WORKDIR /app
 # Required for pkcs11js and ODBC
 RUN apt-get update && apt-get install -y \
    python3 \
    make \
    g++ \
    unixodbc \
    unixodbc-dev \
    freetds-dev \
    freetds-bin \
    tdsodbc \
    && rm -rf /var/lib/apt/lists/*
 # Configure ODBC
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 COPY backend/package*.json ./
 RUN npm ci --only-production
 COPY --from=backend-build /app .
 RUN mkdir frontend-build
 # Production stage
 FROM base AS production
 # Install necessary packages including ODBC
 RUN apt-get update && apt-get install -y \
    ca-certificates \
    curl \
    git \
    python3 \
    make \
    g++ \
    unixodbc \
    unixodbc-dev \
    freetds-dev \
    freetds-bin \
    tdsodbc \
    openssh-client \
    && rm -rf /var/lib/apt/lists/*
 # Configure ODBC in production
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 # Install Infisical CLI
 RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
    && apt-get update && apt-get install -y infisical=0.31.1 \
    && rm -rf /var/lib/apt/lists/*
 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
 # Give non-root-user permission to update SSL certs
 RUN chown -R non-root-user /etc/ssl/certs
 RUN chown non-root-user /etc/ssl/certs/ca-certificates.crt
 RUN chmod -R u+rwx /etc/ssl/certs
 RUN chmod u+rw /etc/ssl/certs/ca-certificates.crt
 RUN chown non-root-user /usr/sbin/update-ca-certificates
 RUN chmod u+rx /usr/sbin/update-ca-certificates
 ## set pre baked keys
 ARG POSTHOG_API_KEY
 ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
 ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
 ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 WORKDIR / 
 COPY --from=backend-runner /app /backend
 COPY --from=frontend-runner /app ./backend/frontend-build
 ENV PORT 8080
 ENV HOST=0.0.0.0
 ENV HTTPS_ENABLED false 
 ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 WORKDIR /backend
 ENV TELEMETRY_ENABLED true
 EXPOSE 8080
 EXPOSE 443
 USER non-root-user
 CMD ["./standalone-entrypoint.sh"]
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -12,7 +12,7 @@ RUN apk add --no-cache libc6-compat
 WORKDIR /app
-COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+COPY frontend/package.json frontend/package-lock.json  ./
 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@ -27,17 +27,16 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .
 ENV NODE_ENV production
 ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ENV VITE_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 # Build
 RUN npm run build
@ -49,20 +48,10 @@ WORKDIR /app
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 non-root-user
-RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
 VOLUME /app/.next/cache/images
 COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
 COPY --from=frontend-builder /app/public ./public
 RUN chown non-root-user:nodejs ./public/data
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
 USER non-root-user
 ENV NEXT_TELEMETRY_DISABLED 1
 ##
 ## BACKEND
 ##
@ -72,6 +61,17 @@ RUN addgroup --system --gid 1001 nodejs \
 WORKDIR /app
 # Install all required dependencies for build
 RUN apk --update add \
    python3 \
    make \
    g++ \
    unixodbc \
    freetds \
    unixodbc-dev \
    libc-dev \
    freetds-dev
 COPY backend/package*.json ./
 RUN npm ci --only-production
@ -85,6 +85,20 @@ FROM base AS backend-runner
 WORKDIR /app
 # Install all required dependencies for runtime
 RUN apk --update add \
    python3 \
    make \
    g++ \
    unixodbc \
    freetds \
    unixodbc-dev \
    libc-dev \
    freetds-dev
 # Configure ODBC
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 COPY backend/package*.json ./
 RUN npm ci --only-production
@ -94,7 +108,33 @@ RUN mkdir frontend-build
 # Production stage
 FROM base AS production
 RUN apk add --upgrade --no-cache ca-certificates
 RUN apk add --no-cache bash curl && curl -1sLf \
  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
  && apk add infisical=0.31.1 && apk add --no-cache git
 WORKDIR /
 # Install all required runtime dependencies
 RUN apk --update add \
    python3 \
    make \
    g++ \
    unixodbc \
    freetds \
    unixodbc-dev \
    libc-dev \
    freetds-dev \
    bash \
    curl \
    git \
    openssh
 # Configure ODBC in production
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 # Setup user permissions
 RUN addgroup --system --gid 1001 nodejs \
  && adduser --system --uid 1001 non-root-user
@ -108,16 +148,12 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates
 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+ENV INTERCOM_ID=$INTERCOM_ID
  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
  BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 WORKDIR / 
 COPY --from=backend-runner /app /backend
--- a/5
+++ b/5
@ -10,6 +10,9 @@ up-dev:
 up-dev-ldap:
 	docker compose -f docker-compose.dev.yml --profile ldap up --build
 up-dev-metrics:
 	docker compose -f docker-compose.dev.yml --profile metrics up --build
 up-prod:
 	docker-compose -f docker-compose.prod.yml up --build
@ -28,3 +31,5 @@ reviewable-api:
 reviewable: reviewable-ui reviewable-api
 up-dev-sso:
 	docker compose -f docker-compose.dev.yml --profile sso up --build
--- a/README.md
+++ b/README.md
@ -14,15 +14,6 @@
  <a href="https://infisical.com/careers">Hiring (Remote/SF)</a>
 </h4>
 <p align="center">
  <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2">
    <img src=".github/images/deploy-to-aws.png" width="137" />
  </a>
  <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean">
     <img width="200" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/>
  </a>
 </p>
 <h4 align="center">
  <a href="https://github.com/Infisical/infisical/blob/main/LICENSE">
    <img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="Infisical is released under the MIT license." />
@ -65,7 +56,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.
 - **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)**: Inject secrets into applications without modifying any code logic.
-### Internal PKI:
+### Infisical (Internal) PKI:
 - **[Private Certificate Authority](https://infisical.com/docs/documentation/platform/pki/private-ca)**: Create CA hierarchies, configure [certificate templates](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) for policy enforcement, and start issuing X.509 certificates.
 - **[Certificate Management](https://infisical.com/docs/documentation/platform/pki/certificates)**: Manage the certificate lifecycle from [issuance](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) to [revocation](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-revoking-certificates) with support for CRL.
@ -73,12 +64,17 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.
-### Key Management (KMS):
+### Infisical Key Management System (KMS):
- **[Cryptograhic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
+- **[Cryptographic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
 - **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.
 ### Infisical SSH
 - **[Signed SSH Certificates](https://infisical.com/docs/documentation/platform/ssh)**: Issue ephemeral SSH credentials for secure, short-lived, and centralized access to infrastructure.
 ### General Platform:
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
 - **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)**: Track every action taken on the platform.
@ -129,7 +125,7 @@ Install pre commit hook to scan each commit before you push to your repository
 infisical scan install --pre-commit-hook
 ```
-Lean about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview)
+Learn about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview)
 ## Open-source vs. paid
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -3,6 +3,22 @@ FROM node:20-alpine AS build
 WORKDIR /app
 # Required for pkcs11js
 RUN apk --update add \
        python3 \
        make \
        g++ \
        openssh
 # install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apk add --no-cache \
    unixodbc \
    freetds \
    unixodbc-dev \
    libc-dev \
    freetds-dev
 COPY package*.json ./
 RUN npm ci --only-production
@ -11,12 +27,28 @@ RUN npm run build
 # Production stage
 FROM node:20-alpine
 WORKDIR /app
 ENV npm_config_cache /home/node/.npm
 COPY package*.json ./
 RUN apk --update add \
        python3 \
        make \
        g++
 # install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apk add --no-cache \
    unixodbc \
    freetds \
    unixodbc-dev \
    libc-dev \
    freetds-dev
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 RUN npm ci --only-production && npm cache clean --force
 COPY --from=build /app .
--- a/backend/Dockerfile.dev
+++ b/backend/Dockerfile.dev
@ -1,5 +1,57 @@
 FROM node:20-alpine
 # ? Setup a test SoftHSM module. In production a real HSM is used.
 ARG SOFTHSM2_VERSION=2.5.0
 ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
    SOFTHSM2_SOURCES=/tmp/softhsm2
 # install build dependencies including python3 (required for pkcs11js and partially TDS driver)
 RUN apk --update add \
        alpine-sdk \
        autoconf \
        automake \
        git \
        libtool \
        openssl-dev \
        python3 \
        make \
        g++ \
        openssh
 # install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apk add --no-cache \
    unixodbc \
    freetds \
    unixodbc-dev \
    libc-dev \
    freetds-dev
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 # build and install SoftHSM2
 RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
 WORKDIR ${SOFTHSM2_SOURCES}
 RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
    && sh autogen.sh \
    && ./configure --prefix=/usr/local --disable-gost \
    && make \
    && make install
 WORKDIR /root
 RUN rm -fr ${SOFTHSM2_SOURCES}
 # install pkcs11-tool
 RUN apk --update add opensc
 RUN softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
 # ? App setup
 RUN apk add --no-cache bash curl && curl -1sLf \
  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
  && apk add infisical=0.8.1 && apk add --no-cache git
--- a/backend/e2e-test/mocks/queue.ts
+++ b/backend/e2e-test/mocks/queue.ts
@ -10,17 +10,22 @@ export const mockQueue = (): TQueueServiceFactory => {
    queue: async (name, jobData) => {
      job[name] = jobData;
    },
    queuePg: async () => {},
    initialize: async () => {},
    shutdown: async () => undefined,
    stopRepeatableJob: async () => true,
    start: (name, jobFn) => {
      queues[name] = jobFn;
      workers[name] = jobFn;
    },
    startPg: async () => {},
    listen: (name, event) => {
      events[name] = event;
    },
    getRepeatableJobs: async () => [],
    clearQueue: async () => {},
    stopJobById: async () => {},
-    stopRepeatableJobByJobId: async () => true
+    stopRepeatableJobByJobId: async () => true,
    stopRepeatableJobByKey: async () => true
  };
 };
--- a/backend/e2e-test/mocks/smtp.ts
+++ b/backend/e2e-test/mocks/smtp.ts
@ -5,6 +5,9 @@ export const mockSmtpServer = (): TSmtpService => {
  return {
    sendMail: async (data) => {
      storage.push(data);
    },
    verify: async () => {
      return true;
    }
  };
 };
--- a/backend/e2e-test/routes/v1/identity.spec.ts
+++ b/backend/e2e-test/routes/v1/identity.spec.ts
@ -34,7 +34,7 @@ describe("Identity v1", async () => {
  test("Create identity", async () => {
    const newIdentity = await createIdentity("mac1", OrgMembershipRole.Admin);
    expect(newIdentity.name).toBe("mac1");
-    expect(newIdentity.authMethod).toBeNull();
+    expect(newIdentity.authMethods).toEqual([]);
    await deleteIdentity(newIdentity.id);
  });
@ -42,7 +42,7 @@ describe("Identity v1", async () => {
  test("Update identity", async () => {
    const newIdentity = await createIdentity("mac1", OrgMembershipRole.Admin);
    expect(newIdentity.name).toBe("mac1");
-    expect(newIdentity.authMethod).toBeNull();
+    expect(newIdentity.authMethods).toEqual([]);
    const updatedIdentity = await testServer.inject({
      method: "PATCH",
--- a/backend/e2e-test/routes/v1/login.spec.ts
+++ b/backend/e2e-test/routes/v1/login.spec.ts
@ -39,8 +39,6 @@ describe("Login V1 Router", async () => {
    });
    expect(res.statusCode).toBe(200);
    const payload = JSON.parse(res.payload);
    expect(payload).toHaveProperty("mfaEnabled");
    expect(payload).toHaveProperty("token");
    expect(payload.mfaEnabled).toBeFalsy();
  });
 });
--- a/backend/e2e-test/routes/v1/secret-replication.spec.ts
+++ b/backend/e2e-test/routes/v1/secret-replication.spec.ts
@ -118,9 +118,9 @@ describe.each([{ secretPath: "/" }, { secretPath: "/deep" }])(
        value: "stage-value"
      });
-      // wait for 5 second for  replication to finish
+      // wait for 10 second for  replication to finish
      await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
+        setTimeout(resolve, 10000); // time to breathe for db
      });
      const secret = await getSecretByNameV2({
@ -173,9 +173,9 @@ describe.each([{ secretPath: "/" }, { secretPath: "/deep" }])(
        value: "prod-value"
      });
-      // wait for 5 second for  replication to finish
+      // wait for 10 second for  replication to finish
      await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
+        setTimeout(resolve, 10000); // time to breathe for db
      });
      const secret = await getSecretByNameV2({
@ -343,9 +343,9 @@ describe.each([{ path: "/" }, { path: "/deep" }])(
        value: "prod-value"
      });
-      // wait for 5 second for  replication to finish
+      // wait for 10 second for  replication to finish
      await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
+        setTimeout(resolve, 10000); // time to breathe for db
      });
      const secret = await getSecretByNameV2({
--- a/backend/e2e-test/routes/v3/secret-recursive.spec.ts
+++ b/backend/e2e-test/routes/v3/secret-recursive.spec.ts
@ -0,0 +1,86 @@
 import { createFolder, deleteFolder } from "e2e-test/testUtils/folders";
 import { createSecretV2, deleteSecretV2, getSecretsV2 } from "e2e-test/testUtils/secrets";
 import { seedData1 } from "@app/db/seed-data";
 describe("Secret Recursive Testing", async () => {
  const projectId = seedData1.projectV3.id;
  const folderAndSecretNames = [
    { name: "deep1", path: "/", expectedSecretCount: 4 },
    { name: "deep21", path: "/deep1", expectedSecretCount: 2 },
    { name: "deep3", path: "/deep1/deep2", expectedSecretCount: 1 },
    { name: "deep22", path: "/deep2", expectedSecretCount: 1 }
  ];
  beforeAll(async () => {
    const rootFolderIds: string[] = [];
    for (const folder of folderAndSecretNames) {
      // eslint-disable-next-line no-await-in-loop
      const createdFolder = await createFolder({
        authToken: jwtAuthToken,
        environmentSlug: "prod",
        workspaceId: projectId,
        secretPath: folder.path,
        name: folder.name
      });
      if (folder.path === "/") {
        rootFolderIds.push(createdFolder.id);
      }
      // eslint-disable-next-line no-await-in-loop
      await createSecretV2({
        secretPath: folder.path,
        authToken: jwtAuthToken,
        environmentSlug: "prod",
        workspaceId: projectId,
        key: folder.name,
        value: folder.name
      });
    }
    return async () => {
      await Promise.all(
        rootFolderIds.map((id) =>
          deleteFolder({
            authToken: jwtAuthToken,
            secretPath: "/",
            id,
            workspaceId: projectId,
            environmentSlug: "prod"
          })
        )
      );
      await deleteSecretV2({
        authToken: jwtAuthToken,
        secretPath: "/",
        workspaceId: projectId,
        environmentSlug: "prod",
        key: folderAndSecretNames[0].name
      });
    };
  });
  test.each(folderAndSecretNames)("$path recursive secret fetching", async ({ path, expectedSecretCount }) => {
    const secrets = await getSecretsV2({
      authToken: jwtAuthToken,
      secretPath: path,
      workspaceId: projectId,
      environmentSlug: "prod",
      recursive: true
    });
    expect(secrets.secrets.length).toEqual(expectedSecretCount);
    expect(secrets.secrets.sort((a, b) => a.secretKey.localeCompare(b.secretKey))).toEqual(
      folderAndSecretNames
        .filter((el) => el.path.startsWith(path))
        .sort((a, b) => a.name.localeCompare(b.name))
        .map((el) =>
          expect.objectContaining({
            secretKey: el.name,
            secretValue: el.name
          })
        )
    );
  });
 });
--- a/backend/e2e-test/routes/v3/secret-reference.spec.ts
+++ b/backend/e2e-test/routes/v3/secret-reference.spec.ts
@ -56,7 +56,10 @@ describe("Secret expansion", () => {
      }
    ];
-    await Promise.all(secrets.map((el) => createSecretV2(el)));
+    for (const secret of secrets) {
      // eslint-disable-next-line no-await-in-loop
      await createSecretV2(secret);
    }
    const expandedSecret = await getSecretByNameV2({
      environmentSlug: seedData1.environment.slug,
@ -123,7 +126,10 @@ describe("Secret expansion", () => {
      }
    ];
-    await Promise.all(secrets.map((el) => createSecretV2(el)));
+    for (const secret of secrets) {
      // eslint-disable-next-line no-await-in-loop
      await createSecretV2(secret);
    }
    const expandedSecret = await getSecretByNameV2({
      environmentSlug: seedData1.environment.slug,
@ -190,7 +196,11 @@ describe("Secret expansion", () => {
      }
    ];
-    await Promise.all(secrets.map((el) => createSecretV2(el)));
+    for (const secret of secrets) {
      // eslint-disable-next-line no-await-in-loop
      await createSecretV2(secret);
    }
    const secretImportFromProdToDev = await createSecretImport({
      environmentSlug: seedData1.environment.slug,
      workspaceId: projectId,
@ -275,7 +285,11 @@ describe("Secret expansion", () => {
        }
      ];
-      await Promise.all(secrets.map((el) => createSecretV2(el)));
+      for (const secret of secrets) {
        // eslint-disable-next-line no-await-in-loop
        await createSecretV2(secret);
      }
      const secretImportFromProdToDev = await createSecretImport({
        environmentSlug: seedData1.environment.slug,
        workspaceId: projectId,
--- a/backend/e2e-test/testUtils/secrets.ts
+++ b/backend/e2e-test/testUtils/secrets.ts
@ -97,6 +97,7 @@ export const getSecretsV2 = async (dto: {
  environmentSlug: string;
  secretPath: string;
  authToken: string;
  recursive?: boolean;
 }) => {
  const getSecretsResponse = await testServer.inject({
    method: "GET",
@ -109,7 +110,8 @@ export const getSecretsV2 = async (dto: {
      environment: dto.environmentSlug,
      secretPath: dto.secretPath,
      expandSecretReferences: "true",
-      include_imports: "true"
+      include_imports: "true",
      recursive: String(dto.recursive || false)
    }
  });
  expect(getSecretsResponse.statusCode).toBe(200);
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@ -16,6 +16,7 @@ import { initDbConnection } from "@app/db";
 import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
 import { Redis } from "ioredis";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@ -52,9 +53,14 @@ export default {
        extension: "ts"
      });
      const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(cfg.REDIS_URL);
+      const queue = queueServiceFactory(cfg.REDIS_URL, { dbConnectionUrl: cfg.DB_CONNECTION_URI });
      const keyStore = keyStoreFactory(cfg.REDIS_URL);
-      const server = await main({ db, smtp, logger, queue, keyStore });
+
      const hsmModule = initializeHsmModule();
      hsmModule.initialize();
      const server = await main({ db, smtp, logger, queue, keyStore, hsmModule: hsmModule.getModule(), redis });
      // @ts-expect-error type
      globalThis.testServer = server;
      // @ts-expect-error type
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -44,12 +44,13 @@
    "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
    "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
    "generate:component": "tsx ./scripts/create-backend-file.ts",
-    "generate:schema": "tsx ./scripts/generate-schema-types.ts",
+    "generate:schema": "tsx ./scripts/generate-schema-types.ts && eslint --fix --ext ts ./src/db/schemas",
    "auditlog-migration:latest": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:latest",
    "auditlog-migration:up": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:up",
    "auditlog-migration:down": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:down",
    "auditlog-migration:list": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:list",
    "auditlog-migration:status": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:status",
    "auditlog-migration:unlock": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:unlock",
    "auditlog-migration:rollback": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:rollback",
    "migration:new": "tsx ./scripts/create-migration.ts",
    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
@ -58,6 +59,8 @@
    "migration:latest": "npm run auditlog-migration:latest && knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./src/db/knexfile.ts migrate:rollback",
    "migration:unlock": "npm run auditlog-migration:unlock && knex --knexfile ./src/db/knexfile.ts migrate:unlock",
    "migrate:org": "tsx ./scripts/migrate-organization.ts",
    "seed:new": "tsx ./scripts/create-seed-file.ts",
    "seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
    "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
@ -83,6 +86,7 @@
    "@types/passport-google-oauth20": "^2.0.14",
    "@types/pg": "^8.10.9",
    "@types/picomatch": "^2.3.3",
    "@types/pkcs11js": "^1.0.4",
    "@types/prompt-sync": "^4.2.3",
    "@types/resolve": "^1.20.6",
    "@types/safe-regex": "^1.1.6",
@ -128,21 +132,32 @@
    "@fastify/multipart": "8.3.0",
    "@fastify/passport": "^2.4.0",
    "@fastify/rate-limit": "^9.0.0",
    "@fastify/request-context": "^5.1.0",
    "@fastify/session": "^10.7.0",
    "@fastify/static": "^7.0.4",
    "@fastify/swagger": "^8.14.0",
    "@fastify/swagger-ui": "^2.1.0",
    "@google-cloud/kms": "^4.5.0",
    "@node-saml/passport-saml": "^4.0.4",
    "@octokit/auth-app": "^7.1.1",
    "@octokit/plugin-retry": "^5.0.5",
    "@octokit/rest": "^20.0.2",
    "@octokit/webhooks-types": "^7.3.1",
    "@octopusdeploy/api-client": "^3.4.1",
    "@opentelemetry/api": "^1.9.0",
    "@opentelemetry/auto-instrumentations-node": "^0.53.0",
    "@opentelemetry/exporter-metrics-otlp-proto": "^0.55.0",
    "@opentelemetry/exporter-prometheus": "^0.55.0",
    "@opentelemetry/instrumentation": "^0.55.0",
    "@opentelemetry/resources": "^1.28.0",
    "@opentelemetry/sdk-metrics": "^1.28.0",
    "@opentelemetry/semantic-conventions": "^1.27.0",
    "@peculiar/asn1-schema": "^2.3.8",
    "@peculiar/x509": "^1.12.1",
    "@serdnam/pino-cloudwatch-transport": "^1.0.4",
    "@sindresorhus/slugify": "1.1.0",
    "@slack/oauth": "^3.0.1",
    "@slack/web-api": "^7.3.4",
    "@team-plain/typescript-sdk": "^4.6.1",
    "@ucast/mongo2js": "^1.3.4",
    "ajv": "^8.12.0",
    "argon2": "^0.31.2",
@ -155,11 +170,12 @@
    "connect-redis": "^7.1.1",
    "cron": "^3.1.7",
    "dotenv": "^16.4.1",
-    "fastify": "^4.26.0",
+    "fastify": "^4.28.1",
    "fastify-plugin": "^4.5.1",
    "google-auth-library": "^9.9.0",
    "googleapis": "^137.1.0",
    "handlebars": "^4.7.8",
    "hdb": "^0.19.10",
    "ioredis": "^5.3.2",
    "jmespath": "^0.16.0",
    "jsonwebtoken": "^9.0.2",
@ -175,17 +191,21 @@
    "mysql2": "^3.9.8",
    "nanoid": "^3.3.4",
    "nodemailer": "^6.9.9",
    "odbc": "^2.4.9",
    "openid-client": "^5.6.5",
    "ora": "^7.0.1",
    "oracledb": "^6.4.0",
    "otplib": "^12.0.1",
    "passport-github": "^1.1.0",
    "passport-gitlab2": "^5.0.0",
    "passport-google-oauth20": "^2.0.0",
    "passport-ldapauth": "^3.0.1",
    "pg": "^8.11.3",
    "pg-boss": "^10.1.5",
    "pg-query-stream": "^4.5.3",
    "picomatch": "^3.0.1",
    "pino": "^8.16.2",
    "pkcs11js": "^2.1.6",
    "pkijs": "^3.2.4",
    "posthog-node": "^3.6.2",
    "probot": "^13.3.8",
@ -194,6 +214,7 @@
    "scim2-parse-filter": "^0.2.10",
    "sjcl": "^1.0.8",
    "smee-client": "^2.0.0",
    "snowflake-sdk": "^1.14.0",
    "tedious": "^18.2.1",
    "tweetnacl": "^1.0.3",
    "tweetnacl-util": "^0.15.1",
--- a/backend/scripts/migrate-organization.ts
+++ b/backend/scripts/migrate-organization.ts
@ -0,0 +1,103 @@
 /* eslint-disable */
 import promptSync from "prompt-sync";
 import { execSync } from "child_process";
 import path from "path";
 import { existsSync } from "fs";
 const prompt = promptSync({
  sigint: true
 });
 const sanitizeInputParam = (value: string) => {
  // Escape double quotes and wrap the entire value in double quotes
  if (value) {
    return `"${value.replace(/"/g, '\\"')}"`;
  }
  return '""';
 };
 const exportDb = () => {
  const exportHost = sanitizeInputParam(prompt("Enter your Postgres Host to migrate from: "));
  const exportPort = sanitizeInputParam(
    prompt("Enter your Postgres Port to migrate from [Default = 5432]: ") ?? "5432"
  );
  const exportUser = sanitizeInputParam(
    prompt("Enter your Postgres User to migrate from: [Default = infisical]: ") ?? "infisical"
  );
  const exportPassword = sanitizeInputParam(prompt("Enter your Postgres Password to migrate from: "));
  const exportDatabase = sanitizeInputParam(
    prompt("Enter your Postgres Database to migrate from [Default = infisical]: ") ?? "infisical"
  );
  // we do not include the audit_log and secret_sharing entries
  execSync(
    `PGDATABASE=${exportDatabase} PGPASSWORD=${exportPassword} PGHOST=${exportHost} PGPORT=${exportPort} PGUSER=${exportUser} pg_dump -Fc infisical --exclude-table-data="secret_sharing" --exclude-table-data="audit_log*" > ${path.join(
      __dirname,
      "../src/db/backup.dump"
    )}`,
    { stdio: "inherit" }
  );
 };
 const importDbForOrg = () => {
  const importHost = sanitizeInputParam(prompt("Enter your Postgres Host to migrate to: "));
  const importPort = sanitizeInputParam(prompt("Enter your Postgres Port to migrate to [Default = 5432]: ") ?? "5432");
  const importUser = sanitizeInputParam(
    prompt("Enter your Postgres User to migrate to: [Default = infisical]: ") ?? "infisical"
  );
  const importPassword = sanitizeInputParam(prompt("Enter your Postgres Password to migrate to: "));
  const importDatabase = sanitizeInputParam(
    prompt("Enter your Postgres Database to migrate to [Default = infisical]: ") ?? "infisical"
  );
  const orgId = sanitizeInputParam(prompt("Enter the organization ID to migrate: "));
  if (!existsSync(path.join(__dirname, "../src/db/backup.dump"))) {
    console.log("File not found, please export the database first.");
    return;
  }
  execSync(
    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} pg_restore -d ${importDatabase} --verbose ${path.join(
      __dirname,
      "../src/db/backup.dump"
    )}`,
    { maxBuffer: 1024 * 1024 * 4096 }
  );
  execSync(
    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c "DELETE FROM public.organizations WHERE id != '${orgId}'"`
  );
  // delete global/instance-level resources not relevant to the organization to migrate
  // users
  execSync(
    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM users WHERE users.id NOT IN (SELECT org_memberships."userId" FROM org_memberships)'`
  );
  // identities
  execSync(
    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM identities WHERE id NOT IN (SELECT "identityId" FROM identity_org_memberships)'`
  );
  // reset slack configuration in superAdmin
  execSync(
    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'UPDATE super_admin SET "encryptedSlackClientId" = null, "encryptedSlackClientSecret" = null'`
  );
  console.log("Organization migrated successfully.");
 };
 const main = () => {
  const action = prompt(
    "Enter the action to perform\n 1. Export from existing instance.\n 2. Import org to instance.\n \n Action: "
  );
  if (action === "1") {
    exportDb();
  } else if (action === "2") {
    importDbForOrg();
  } else {
    console.log("Invalid action");
  }
 };
 main();
--- a/backend/src/@types/fastify-request-context.d.ts
+++ b/backend/src/@types/fastify-request-context.d.ts
@ -0,0 +1,7 @@
 import "@fastify/request-context";
 declare module "@fastify/request-context" {
  interface RequestContextData {
    reqId: string;
  }
 }
--- a/backend/src/@types/fastify-zod.d.ts
+++ b/backend/src/@types/fastify-zod.d.ts
@ -1,6 +1,6 @@
 import { FastifyInstance, RawReplyDefaultExpression, RawRequestDefaultExpression, RawServerDefault } from "fastify";
 import { Logger } from "pino";
 import { CustomLogger } from "@app/lib/logger/logger";
 import { ZodTypeProvider } from "@app/server/plugins/fastify-zod";
 declare global {
@ -8,7 +8,7 @@ declare global {
    RawServerDefault,
    RawRequestDefaultExpression<RawServerDefault>,
    RawReplyDefaultExpression<RawServerDefault>,
-    Readonly<Logger>,
+    Readonly<CustomLogger>,
    ZodTypeProvider
  >;
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -1,5 +1,7 @@
 import "fastify";
 import { Redis } from "ioredis";
 import { TUsers } from "@app/db/schemas";
 import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
 import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
@ -13,10 +15,12 @@ import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secr
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { TProjectTemplateServiceFactory } from "@app/ee/services/project-template/project-template-service";
 import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
 import { RateLimitConfiguration } from "@app/ee/services/rate-limit/rate-limit-types";
@ -27,9 +31,12 @@ import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-ap
 import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
 import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/secret-scanning-service";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { TSshCertificateAuthorityServiceFactory } from "@app/ee/services/ssh/ssh-certificate-authority-service";
 import { TSshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-service";
 import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
 import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { TAuthLoginFactory } from "@app/services/auth/auth-login-service";
 import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
@ -42,11 +49,13 @@ import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { THsmServiceFactory } from "@app/services/hsm/hsm-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@ -71,11 +80,13 @@ import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
 import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
 import { TSecretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
 import { TSuperAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
 import { TTelemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
 import { TTotpServiceFactory } from "@app/services/totp/totp-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TUserServiceFactory } from "@app/services/user/user-service";
 import { TUserEngagementServiceFactory } from "@app/services/user-engagement/user-engagement-service";
@ -83,6 +94,10 @@ import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";
 import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integration/workflow-integration-service";
 declare module "fastify" {
  interface Session {
    callbackPort: string;
  }
  interface FastifyRequest {
    realIp: string;
    // used for mfa session authentication
@ -111,6 +126,7 @@ declare module "fastify" {
  }
  interface FastifyInstance {
    redis: Redis;
    services: {
      login: TAuthLoginFactory;
      password: TAuthPasswordFactory;
@ -151,6 +167,7 @@ declare module "fastify" {
      identityAwsAuth: TIdentityAwsAuthServiceFactory;
      identityAzureAuth: TIdentityAzureAuthServiceFactory;
      identityOidcAuth: TIdentityOidcAuthServiceFactory;
      identityJwtAuth: TIdentityJwtAuthServiceFactory;
      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
      secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
@ -164,6 +181,8 @@ declare module "fastify" {
      auditLogStream: TAuditLogStreamServiceFactory;
      certificate: TCertificateServiceFactory;
      certificateTemplate: TCertificateTemplateServiceFactory;
      sshCertificateAuthority: TSshCertificateAuthorityServiceFactory;
      sshCertificateTemplate: TSshCertificateTemplateServiceFactory;
      certificateAuthority: TCertificateAuthorityServiceFactory;
      certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
      certificateEst: TCertificateEstServiceFactory;
@ -177,16 +196,22 @@ declare module "fastify" {
      dynamicSecretLease: TDynamicSecretLeaseServiceFactory;
      projectUserAdditionalPrivilege: TProjectUserAdditionalPrivilegeServiceFactory;
      identityProjectAdditionalPrivilege: TIdentityProjectAdditionalPrivilegeServiceFactory;
      identityProjectAdditionalPrivilegeV2: TIdentityProjectAdditionalPrivilegeV2ServiceFactory;
      secretSharing: TSecretSharingServiceFactory;
      rateLimit: TRateLimitServiceFactory;
      userEngagement: TUserEngagementServiceFactory;
      externalKms: TExternalKmsServiceFactory;
      hsm: THsmServiceFactory;
      orgAdmin: TOrgAdminServiceFactory;
      slack: TSlackServiceFactory;
      workflowIntegration: TWorkflowIntegrationServiceFactory;
      cmek: TCmekServiceFactory;
      migration: TExternalMigrationServiceFactory;
      externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
      projectTemplate: TProjectTemplateServiceFactory;
      totp: TTotpServiceFactory;
      appConnection: TAppConnectionServiceFactory;
      secretSync: TSecretSyncServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/hdb.d.ts
+++ b/backend/src/@types/hdb.d.ts
@ -0,0 +1,4 @@
 declare module "hdb" {
  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Untyped, the function returns `any`.
  function createClient(options): any;
 }
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -98,6 +98,9 @@ import {
  TIdentityGcpAuths,
  TIdentityGcpAuthsInsert,
  TIdentityGcpAuthsUpdate,
  TIdentityJwtAuths,
  TIdentityJwtAuthsInsert,
  TIdentityJwtAuthsUpdate,
  TIdentityKubernetesAuths,
  TIdentityKubernetesAuthsInsert,
  TIdentityKubernetesAuthsUpdate,
@ -199,7 +202,13 @@ import {
  TProjectSlackConfigs,
  TProjectSlackConfigsInsert,
  TProjectSlackConfigsUpdate,
  TProjectSplitBackfillIds,
  TProjectSplitBackfillIdsInsert,
  TProjectSplitBackfillIdsUpdate,
  TProjectsUpdate,
  TProjectTemplates,
  TProjectTemplatesInsert,
  TProjectTemplatesUpdate,
  TProjectUserAdditionalPrivilege,
  TProjectUserAdditionalPrivilegeInsert,
  TProjectUserAdditionalPrivilegeUpdate,
@ -209,6 +218,9 @@ import {
  TRateLimit,
  TRateLimitInsert,
  TRateLimitUpdate,
  TResourceMetadata,
  TResourceMetadataInsert,
  TResourceMetadataUpdate,
  TSamlConfigs,
  TSamlConfigsInsert,
  TSamlConfigsUpdate,
@ -308,9 +320,27 @@ import {
  TSlackIntegrations,
  TSlackIntegrationsInsert,
  TSlackIntegrationsUpdate,
  TSshCertificateAuthorities,
  TSshCertificateAuthoritiesInsert,
  TSshCertificateAuthoritiesUpdate,
  TSshCertificateAuthoritySecrets,
  TSshCertificateAuthoritySecretsInsert,
  TSshCertificateAuthoritySecretsUpdate,
  TSshCertificateBodies,
  TSshCertificateBodiesInsert,
  TSshCertificateBodiesUpdate,
  TSshCertificates,
  TSshCertificatesInsert,
  TSshCertificatesUpdate,
  TSshCertificateTemplates,
  TSshCertificateTemplatesInsert,
  TSshCertificateTemplatesUpdate,
  TSuperAdmin,
  TSuperAdminInsert,
  TSuperAdminUpdate,
  TTotpConfigs,
  TTotpConfigsInsert,
  TTotpConfigsUpdate,
  TTrustedIps,
  TTrustedIpsInsert,
  TTrustedIpsUpdate,
@ -336,11 +366,13 @@ import {
  TWorkflowIntegrationsInsert,
  TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
 import { TAppConnections, TAppConnectionsInsert, TAppConnectionsUpdate } from "@app/db/schemas/app-connections";
 import {
  TExternalGroupOrgRoleMappings,
  TExternalGroupOrgRoleMappingsInsert,
  TExternalGroupOrgRoleMappingsUpdate
 } from "@app/db/schemas/external-group-org-role-mappings";
 import { TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate } from "@app/db/schemas/secret-syncs";
 import {
  TSecretV2TagJunction,
  TSecretV2TagJunctionInsert,
@ -366,6 +398,31 @@ declare module "knex/types/tables" {
  interface Tables {
    [TableName.Users]: KnexOriginal.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
    [TableName.Groups]: KnexOriginal.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
    [TableName.SshCertificateAuthority]: KnexOriginal.CompositeTableType<
      TSshCertificateAuthorities,
      TSshCertificateAuthoritiesInsert,
      TSshCertificateAuthoritiesUpdate
    >;
    [TableName.SshCertificateAuthoritySecret]: KnexOriginal.CompositeTableType<
      TSshCertificateAuthoritySecrets,
      TSshCertificateAuthoritySecretsInsert,
      TSshCertificateAuthoritySecretsUpdate
    >;
    [TableName.SshCertificateTemplate]: KnexOriginal.CompositeTableType<
      TSshCertificateTemplates,
      TSshCertificateTemplatesInsert,
      TSshCertificateTemplatesUpdate
    >;
    [TableName.SshCertificate]: KnexOriginal.CompositeTableType<
      TSshCertificates,
      TSshCertificatesInsert,
      TSshCertificatesUpdate
    >;
    [TableName.SshCertificateBody]: KnexOriginal.CompositeTableType<
      TSshCertificateBodies,
      TSshCertificateBodiesInsert,
      TSshCertificateBodiesUpdate
    >;
    [TableName.CertificateAuthority]: KnexOriginal.CompositeTableType<
      TCertificateAuthorities,
      TCertificateAuthoritiesInsert,
@ -584,6 +641,11 @@ declare module "knex/types/tables" {
      TIdentityOidcAuthsInsert,
      TIdentityOidcAuthsUpdate
    >;
    [TableName.IdentityJwtAuth]: KnexOriginal.CompositeTableType<
      TIdentityJwtAuths,
      TIdentityJwtAuthsInsert,
      TIdentityJwtAuthsUpdate
    >;
    [TableName.IdentityUaClientSecret]: KnexOriginal.CompositeTableType<
      TIdentityUaClientSecrets,
      TIdentityUaClientSecretsInsert,
@ -818,5 +880,27 @@ declare module "knex/types/tables" {
      TExternalGroupOrgRoleMappingsInsert,
      TExternalGroupOrgRoleMappingsUpdate
    >;
    [TableName.ProjectTemplates]: KnexOriginal.CompositeTableType<
      TProjectTemplates,
      TProjectTemplatesInsert,
      TProjectTemplatesUpdate
    >;
    [TableName.TotpConfig]: KnexOriginal.CompositeTableType<TTotpConfigs, TTotpConfigsInsert, TTotpConfigsUpdate>;
    [TableName.ProjectSplitBackfillIds]: KnexOriginal.CompositeTableType<
      TProjectSplitBackfillIds,
      TProjectSplitBackfillIdsInsert,
      TProjectSplitBackfillIdsUpdate
    >;
    [TableName.ResourceMetadata]: KnexOriginal.CompositeTableType<
      TResourceMetadata,
      TResourceMetadataInsert,
      TResourceMetadataUpdate
    >;
    [TableName.AppConnection]: KnexOriginal.CompositeTableType<
      TAppConnections,
      TAppConnectionsInsert,
      TAppConnectionsUpdate
    >;
    [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
  }
 }
--- a/backend/src/db/migrations/20231222172455_integration.ts
+++ b/backend/src/db/migrations/20231222172455_integration.ts
@ -9,7 +9,7 @@ export async function up(knex: Knex): Promise<void> {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.string("integration").notNullable();
      t.string("teamId"); // vercel-specific
-      t.string("url"); // for self hosted
+      t.string("url"); // for self-hosted
      t.string("namespace"); // hashicorp specific
      t.string("accountId"); // netlify
      t.text("refreshCiphertext");
@ -36,7 +36,7 @@ export async function up(knex: Knex): Promise<void> {
    await knex.schema.createTable(TableName.Integration, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.boolean("isActive").notNullable();
-      t.string("url"); // self hosted
+      t.string("url"); // self-hosted
      t.string("app"); // name of app in provider
      t.string("appId");
      t.string("targetEnvironment");
--- a/backend/src/db/migrations/20240802181855_ca-cert-version.ts
+++ b/backend/src/db/migrations/20240802181855_ca-cert-version.ts
@ -64,23 +64,25 @@ export async function up(knex: Knex): Promise<void> {
  }
  if (await knex.schema.hasTable(TableName.Certificate)) {
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
+    const hasCaCertIdColumn = await knex.schema.hasColumn(TableName.Certificate, "caCertId");
-      t.uuid("caCertId").nullable();
+    if (!hasCaCertIdColumn) {
-      t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
-    });
+        t.uuid("caCertId").nullable();
        t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
      });
-    await knex.raw(`
+      await knex.raw(`
        UPDATE "${TableName.Certificate}" cert
        SET "caCertId" = (
          SELECT caCert.id
          FROM "${TableName.CertificateAuthorityCert}" caCert
          WHERE caCert."caId" = cert."caId"
-        )
+        )`);
      `);
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caCertId").notNullable().alter();
+        t.uuid("caCertId").notNullable().alter();
-    });
+      });
    }
  }
 }
--- a/backend/src/db/migrations/20240925100349_managed-secret-sharing.ts
+++ b/backend/src/db/migrations/20240925100349_managed-secret-sharing.ts
@ -4,27 +4,40 @@ import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.SecretSharing)) {
    const hasEncryptedSecret = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSecret");
    const hasIdentifier = await knex.schema.hasColumn(TableName.SecretSharing, "identifier");
    await knex.schema.alterTable(TableName.SecretSharing, (t) => {
      t.string("iv").nullable().alter();
      t.string("tag").nullable().alter();
      t.string("encryptedValue").nullable().alter();
-      t.binary("encryptedSecret").nullable();
+      if (!hasEncryptedSecret) {
        t.binary("encryptedSecret").nullable();
      }
      t.string("hashedHex").nullable().alter();
-      t.string("identifier", 64).nullable();
+      if (!hasIdentifier) {
-      t.unique("identifier");
+        t.string("identifier", 64).nullable();
-      t.index("identifier");
+        t.unique("identifier");
        t.index("identifier");
      }
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  const hasEncryptedSecret = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSecret");
  const hasIdentifier = await knex.schema.hasColumn(TableName.SecretSharing, "identifier");
  if (await knex.schema.hasTable(TableName.SecretSharing)) {
    await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-      t.dropColumn("encryptedSecret");
+      if (hasEncryptedSecret) {
        t.dropColumn("encryptedSecret");
      }
-      t.dropColumn("identifier");
+      if (hasIdentifier) {
        t.dropColumn("identifier");
      }
    });
  }
 }
--- a/backend/src/db/migrations/20241003220151_kms-key-cmek-alterations.ts
+++ b/backend/src/db/migrations/20241003220151_kms-key-cmek-alterations.ts
@ -7,15 +7,18 @@ export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.KmsKey)) {
    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
    const hasProjectId = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
    // drop constraint if exists (won't exist if rolled back, see below)
    await dropConstraintIfExists(TableName.KmsKey, "kms_keys_orgid_slug_unique", knex);
    // projectId for CMEK functionality
    await knex.schema.alterTable(TableName.KmsKey, (table) => {
-      table.string("projectId").nullable().references("id").inTable(TableName.Project).onDelete("CASCADE");
+      if (!hasProjectId) {
        table.string("projectId").nullable().references("id").inTable(TableName.Project).onDelete("CASCADE");
      }
-      if (hasOrgId) {
+      if (hasOrgId && hasSlug) {
        table.unique(["orgId", "projectId", "slug"]);
      }
@ -30,6 +33,7 @@ export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.KmsKey)) {
    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
    const hasName = await knex.schema.hasColumn(TableName.KmsKey, "name");
    const hasProjectId = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
    // remove projectId for CMEK functionality
    await knex.schema.alterTable(TableName.KmsKey, (table) => {
@ -40,7 +44,9 @@ export async function down(knex: Knex): Promise<void> {
      if (hasOrgId) {
        table.dropUnique(["orgId", "projectId", "slug"]);
      }
-      table.dropColumn("projectId");
+      if (hasProjectId) {
        table.dropColumn("projectId");
      }
    });
  }
 }
--- a/backend/src/db/migrations/20241008172622_project-permission-split.ts
+++ b/backend/src/db/migrations/20241008172622_project-permission-split.ts
@ -0,0 +1,101 @@
 /* eslint-disable no-await-in-loop */
 import { packRules, unpackRules } from "@casl/ability/extra";
 import { Knex } from "knex";
 import {
  backfillPermissionV1SchemaToV2Schema,
  ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
 import { TableName } from "../schemas";
 const CHUNK_SIZE = 1000;
 export async function up(knex: Knex): Promise<void> {
  const hasVersion = await knex.schema.hasColumn(TableName.ProjectRoles, "version");
  if (!hasVersion) {
    await knex.schema.alterTable(TableName.ProjectRoles, (t) => {
      t.integer("version").defaultTo(1).notNullable();
    });
    const docs = await knex(TableName.ProjectRoles).select("*");
    const updatedDocs = docs
      .filter((i) => {
        const permissionString = JSON.stringify(i.permissions || []);
        return (
          !permissionString.includes(ProjectPermissionSub.SecretImports) &&
          !permissionString.includes(ProjectPermissionSub.DynamicSecrets)
        );
      })
      .map((el) => ({
        ...el,
        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
        // @ts-ignore-error this is valid ts
        permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(unpackRules(el.permissions), true)))
      }));
    if (updatedDocs.length) {
      for (let i = 0; i < updatedDocs.length; i += CHUNK_SIZE) {
        const chunk = updatedDocs.slice(i, i + CHUNK_SIZE);
        await knex(TableName.ProjectRoles).insert(chunk).onConflict("id").merge();
      }
    }
    // secret permission is split into multiple ones like secrets, folders, imports and dynamic-secrets
    // so we just find all the privileges with respective mapping and map it as needed
    const identityPrivileges = await knex(TableName.IdentityProjectAdditionalPrivilege).select("*");
    const updatedIdentityPrivilegesDocs = identityPrivileges
      .filter((i) => {
        const permissionString = JSON.stringify(i.permissions || []);
        return (
          !permissionString.includes(ProjectPermissionSub.SecretImports) &&
          !permissionString.includes(ProjectPermissionSub.DynamicSecrets) &&
          !permissionString.includes(ProjectPermissionSub.SecretFolders)
        );
      })
      .map((el) => ({
        ...el,
        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
        // @ts-ignore-error this is valid ts
        permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(unpackRules(el.permissions))))
      }));
    if (updatedIdentityPrivilegesDocs.length) {
      for (let i = 0; i < updatedIdentityPrivilegesDocs.length; i += CHUNK_SIZE) {
        const chunk = updatedIdentityPrivilegesDocs.slice(i, i + CHUNK_SIZE);
        await knex(TableName.IdentityProjectAdditionalPrivilege).insert(chunk).onConflict("id").merge();
      }
    }
    const userPrivileges = await knex(TableName.ProjectUserAdditionalPrivilege).select("*");
    const updatedUserPrivilegeDocs = userPrivileges
      .filter((i) => {
        const permissionString = JSON.stringify(i.permissions || []);
        return (
          !permissionString.includes(ProjectPermissionSub.SecretImports) &&
          !permissionString.includes(ProjectPermissionSub.DynamicSecrets) &&
          !permissionString.includes(ProjectPermissionSub.SecretFolders)
        );
      })
      .map((el) => ({
        ...el,
        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
        // @ts-ignore-error this is valid ts
        permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(unpackRules(el.permissions))))
      }));
    if (docs.length) {
      for (let i = 0; i < updatedUserPrivilegeDocs.length; i += CHUNK_SIZE) {
        const chunk = updatedUserPrivilegeDocs.slice(i, i + CHUNK_SIZE);
        await knex(TableName.ProjectUserAdditionalPrivilege).insert(chunk).onConflict("id").merge();
      }
    }
  }
 }
 export async function down(knex: Knex): Promise<void> {
  const hasVersion = await knex.schema.hasColumn(TableName.ProjectRoles, "version");
  if (hasVersion) {
    await knex.schema.alterTable(TableName.ProjectRoles, (t) => {
      t.dropColumn("version");
    });
    // permission change can be ignored
  }
 }
--- a/backend/src/db/migrations/20241014084900_identity-multiple-auth-methods.ts
+++ b/backend/src/db/migrations/20241014084900_identity-multiple-auth-methods.ts
@ -0,0 +1,78 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 const BATCH_SIZE = 10_000;
 export async function up(knex: Knex): Promise<void> {
  const hasAuthMethodColumnAccessToken = await knex.schema.hasColumn(TableName.IdentityAccessToken, "authMethod");
  if (!hasAuthMethodColumnAccessToken) {
    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
      t.string("authMethod").nullable();
    });
    // first we remove identities without auth method that is unused
    // ! We delete all access tokens where the identity has no auth method set!
    // ! Which means un-configured identities that for some reason have access tokens, will have their access tokens deleted.
    await knex(TableName.IdentityAccessToken)
      .leftJoin(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityAccessToken}.identityId`)
      .whereNull(`${TableName.Identity}.authMethod`)
      .delete();
    let nullableAccessTokens = await knex(TableName.IdentityAccessToken)
      .whereNull("authMethod")
      .limit(BATCH_SIZE)
      .select("id");
    let totalUpdated = 0;
    do {
      const batchIds = nullableAccessTokens.map((token) => token.id);
      // ! Update the auth method column in batches for the current batch
      // eslint-disable-next-line no-await-in-loop
      await knex(TableName.IdentityAccessToken)
        .whereIn("id", batchIds)
        .update({
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore because generate schema happens after this
          authMethod: knex(TableName.Identity)
            .select("authMethod")
            .whereRaw(`${TableName.IdentityAccessToken}."identityId" = ${TableName.Identity}.id`)
            .whereNotNull("authMethod")
            .first()
        });
      // eslint-disable-next-line no-await-in-loop
      nullableAccessTokens = await knex(TableName.IdentityAccessToken)
        .whereNull("authMethod")
        .limit(BATCH_SIZE)
        .select("id");
      totalUpdated += batchIds.length;
      console.log(`Updated ${batchIds.length} access tokens in batch <> Total updated: ${totalUpdated}`);
    } while (nullableAccessTokens.length > 0);
    // Finally we set the authMethod to notNullable after populating the column.
    // This will fail if the data is not populated correctly, so it's safe.
    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
      t.string("authMethod").notNullable().alter();
    });
  }
  // ! We aren't dropping the authMethod column from the Identity itself, because we wan't to be able to easily rollback for the time being.
 }
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
 export async function down(knex: Knex): Promise<void> {
  const hasAuthMethodColumnAccessToken = await knex.schema.hasColumn(TableName.IdentityAccessToken, "authMethod");
  if (hasAuthMethodColumnAccessToken) {
    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
      t.dropColumn("authMethod");
    });
  }
 }
 const config = { transaction: false };
 export { config };
--- a/backend/src/db/migrations/20241016183616_add-org-enforce-mfa.ts
+++ b/backend/src/db/migrations/20241016183616_add-org-enforce-mfa.ts
@ -0,0 +1,19 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasColumn(TableName.Organization, "enforceMfa"))) {
    await knex.schema.alterTable(TableName.Organization, (tb) => {
      tb.boolean("enforceMfa").defaultTo(false).notNullable();
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.Organization, "enforceMfa")) {
    await knex.schema.alterTable(TableName.Organization, (t) => {
      t.dropColumn("enforceMfa");
    });
  }
 }
--- a/backend/src/db/migrations/20241021114650_add-missing-org-cascade-references.ts
+++ b/backend/src/db/migrations/20241021114650_add-missing-org-cascade-references.ts
@ -0,0 +1,21 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.SamlConfig, "orgId")) {
    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
      t.dropForeign("orgId");
      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.SamlConfig, "orgId")) {
    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
      t.dropForeign("orgId");
      t.foreign("orgId").references("id").inTable(TableName.Organization);
    });
  }
 }
--- a/backend/src/db/migrations/20241101174939_project-templates.ts
+++ b/backend/src/db/migrations/20241101174939_project-templates.ts
@ -0,0 +1,28 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.ProjectTemplates))) {
    await knex.schema.createTable(TableName.ProjectTemplates, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.string("name", 32).notNullable();
      t.string("description").nullable();
      t.jsonb("roles").notNullable();
      t.jsonb("environments").notNullable();
      t.uuid("orgId").notNullable().references("id").inTable(TableName.Organization).onDelete("CASCADE");
      t.timestamps(true, true, true);
    });
    await createOnUpdateTrigger(knex, TableName.ProjectTemplates);
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.ProjectTemplates)) {
    await dropOnUpdateTrigger(knex, TableName.ProjectTemplates);
    await knex.schema.dropTable(TableName.ProjectTemplates);
  }
 }
--- a/backend/src/db/migrations/20241107112632_skip-bootstrap-cert-validation-est.ts
+++ b/backend/src/db/migrations/20241107112632_skip-bootstrap-cert-validation-est.ts
@ -0,0 +1,35 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  const hasDisableBootstrapCertValidationCol = await knex.schema.hasColumn(
    TableName.CertificateTemplateEstConfig,
    "disableBootstrapCertValidation"
  );
  const hasCaChainCol = await knex.schema.hasColumn(TableName.CertificateTemplateEstConfig, "encryptedCaChain");
  await knex.schema.alterTable(TableName.CertificateTemplateEstConfig, (t) => {
    if (!hasDisableBootstrapCertValidationCol) {
      t.boolean("disableBootstrapCertValidation").defaultTo(false).notNullable();
    }
    if (hasCaChainCol) {
      t.binary("encryptedCaChain").nullable().alter();
    }
  });
 }
 export async function down(knex: Knex): Promise<void> {
  const hasDisableBootstrapCertValidationCol = await knex.schema.hasColumn(
    TableName.CertificateTemplateEstConfig,
    "disableBootstrapCertValidation"
  );
  await knex.schema.alterTable(TableName.CertificateTemplateEstConfig, (t) => {
    if (hasDisableBootstrapCertValidationCol) {
      t.dropColumn("disableBootstrapCertValidation");
    }
  });
 }
--- a/backend/src/db/migrations/20241110032223_add-missing-oidc-org-cascade-reference.ts
+++ b/backend/src/db/migrations/20241110032223_add-missing-oidc-org-cascade-reference.ts
@ -0,0 +1,21 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.OidcConfig, "orgId")) {
    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
      t.dropForeign("orgId");
      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.OidcConfig, "orgId")) {
    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
      t.dropForeign("orgId");
      t.foreign("orgId").references("id").inTable(TableName.Organization);
    });
  }
 }
--- a/backend/src/db/migrations/20241111175154_kms-root-cfg-hsm.ts
+++ b/backend/src/db/migrations/20241111175154_kms-root-cfg-hsm.ts
@ -0,0 +1,23 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  const hasEncryptionStrategy = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "encryptionStrategy");
  const hasTimestampsCol = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "createdAt");
  await knex.schema.alterTable(TableName.KmsServerRootConfig, (t) => {
    if (!hasEncryptionStrategy) t.string("encryptionStrategy").defaultTo("SOFTWARE");
    if (!hasTimestampsCol) t.timestamps(true, true, true);
  });
 }
 export async function down(knex: Knex): Promise<void> {
  const hasEncryptionStrategy = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "encryptionStrategy");
  const hasTimestampsCol = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "createdAt");
  await knex.schema.alterTable(TableName.KmsServerRootConfig, (t) => {
    if (hasEncryptionStrategy) t.dropColumn("encryptionStrategy");
    if (hasTimestampsCol) t.dropTimestamps(true);
  });
 }
--- a/backend/src/db/migrations/20241112082701_add-totp-support.ts
+++ b/backend/src/db/migrations/20241112082701_add-totp-support.ts
@ -0,0 +1,54 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.TotpConfig))) {
    await knex.schema.createTable(TableName.TotpConfig, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.uuid("userId").notNullable();
      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
      t.boolean("isVerified").defaultTo(false).notNullable();
      t.binary("encryptedRecoveryCodes").notNullable();
      t.binary("encryptedSecret").notNullable();
      t.timestamps(true, true, true);
      t.unique("userId");
    });
    await createOnUpdateTrigger(knex, TableName.TotpConfig);
  }
  const doesOrgMfaMethodColExist = await knex.schema.hasColumn(TableName.Organization, "selectedMfaMethod");
  await knex.schema.alterTable(TableName.Organization, (t) => {
    if (!doesOrgMfaMethodColExist) {
      t.string("selectedMfaMethod");
    }
  });
  const doesUserSelectedMfaMethodColExist = await knex.schema.hasColumn(TableName.Users, "selectedMfaMethod");
  await knex.schema.alterTable(TableName.Users, (t) => {
    if (!doesUserSelectedMfaMethodColExist) {
      t.string("selectedMfaMethod");
    }
  });
 }
 export async function down(knex: Knex): Promise<void> {
  await dropOnUpdateTrigger(knex, TableName.TotpConfig);
  await knex.schema.dropTableIfExists(TableName.TotpConfig);
  const doesOrgMfaMethodColExist = await knex.schema.hasColumn(TableName.Organization, "selectedMfaMethod");
  await knex.schema.alterTable(TableName.Organization, (t) => {
    if (doesOrgMfaMethodColExist) {
      t.dropColumn("selectedMfaMethod");
    }
  });
  const doesUserSelectedMfaMethodColExist = await knex.schema.hasColumn(TableName.Users, "selectedMfaMethod");
  await knex.schema.alterTable(TableName.Users, (t) => {
    if (doesUserSelectedMfaMethodColExist) {
      t.dropColumn("selectedMfaMethod");
    }
  });
 }
--- a/backend/src/db/migrations/20241119143026_add-project-descripton.ts
+++ b/backend/src/db/migrations/20241119143026_add-project-descripton.ts
@ -0,0 +1,23 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  const hasProjectDescription = await knex.schema.hasColumn(TableName.Project, "description");
  if (!hasProjectDescription) {
    await knex.schema.alterTable(TableName.Project, (t) => {
      t.string("description");
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  const hasProjectDescription = await knex.schema.hasColumn(TableName.Project, "description");
  if (hasProjectDescription) {
    await knex.schema.alterTable(TableName.Project, (t) => {
      t.dropColumn("description");
    });
  }
 }
--- a/backend/src/db/migrations/20241121131344_make-identity-metadata-not-nullable-again.ts
+++ b/backend/src/db/migrations/20241121131344_make-identity-metadata-not-nullable-again.ts
@ -0,0 +1,20 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
    await knex(TableName.IdentityMetadata).whereNull("value").delete();
    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
      t.string("value", 1020).notNullable().alter();
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
      t.string("value", 1020).alter();
    });
  }
 }
--- a/backend/src/db/migrations/20241203165840_allow-disabling-approval-workflows.ts
+++ b/backend/src/db/migrations/20241203165840_allow-disabling-approval-workflows.ts
@ -0,0 +1,59 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  const hasAccessApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
    TableName.AccessApprovalPolicy,
    "deletedAt"
  );
  const hasSecretApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
    TableName.SecretApprovalPolicy,
    "deletedAt"
  );
  if (!hasAccessApprovalPolicyDeletedAtColumn) {
    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
      t.timestamp("deletedAt");
    });
  }
  if (!hasSecretApprovalPolicyDeletedAtColumn) {
    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
      t.timestamp("deletedAt");
    });
  }
  await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
    t.dropForeign(["privilegeId"]);
    // Add the new foreign key constraint with ON DELETE SET NULL
    t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("SET NULL");
  });
 }
 export async function down(knex: Knex): Promise<void> {
  const hasAccessApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
    TableName.AccessApprovalPolicy,
    "deletedAt"
  );
  const hasSecretApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
    TableName.SecretApprovalPolicy,
    "deletedAt"
  );
  if (hasAccessApprovalPolicyDeletedAtColumn) {
    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
      t.dropColumn("deletedAt");
    });
  }
  if (hasSecretApprovalPolicyDeletedAtColumn) {
    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
      t.dropColumn("deletedAt");
    });
  }
  await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
    t.dropForeign(["privilegeId"]);
    t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("CASCADE");
  });
 }
--- a/backend/src/db/migrations/20241209144123_add-identity-jwt-auth.ts
+++ b/backend/src/db/migrations/20241209144123_add-identity-jwt-auth.ts
@ -0,0 +1,34 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.IdentityJwtAuth))) {
    await knex.schema.createTable(TableName.IdentityJwtAuth, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
      t.jsonb("accessTokenTrustedIps").notNullable();
      t.uuid("identityId").notNullable().unique();
      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
      t.string("configurationType").notNullable();
      t.string("jwksUrl").notNullable();
      t.binary("encryptedJwksCaCert").notNullable();
      t.binary("encryptedPublicKeys").notNullable();
      t.string("boundIssuer").notNullable();
      t.string("boundAudiences").notNullable();
      t.jsonb("boundClaims").notNullable();
      t.string("boundSubject").notNullable();
      t.timestamps(true, true, true);
    });
    await createOnUpdateTrigger(knex, TableName.IdentityJwtAuth);
  }
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.dropTableIfExists(TableName.IdentityJwtAuth);
  await dropOnUpdateTrigger(knex, TableName.IdentityJwtAuth);
 }
--- a/backend/src/db/migrations/20241213122320_add-index-for-secret-version-v2-folder.ts
+++ b/backend/src/db/migrations/20241213122320_add-index-for-secret-version-v2-folder.ts
@ -0,0 +1,19 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.SecretVersionV2, "folderId")) {
    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
      t.index("folderId");
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.SecretVersionV2, "folderId")) {
    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
      t.dropIndex("folderId");
    });
  }
 }
--- a/backend/src/db/migrations/20241213122350_project-split-to-products.ts
+++ b/backend/src/db/migrations/20241213122350_project-split-to-products.ts
@ -0,0 +1,297 @@
 import slugify from "@sindresorhus/slugify";
 import { Knex } from "knex";
 import { v4 as uuidV4 } from "uuid";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { ProjectType, TableName } from "../schemas";
 /* eslint-disable no-await-in-loop,@typescript-eslint/ban-ts-comment */
 const newProject = async (knex: Knex, projectId: string, projectType: ProjectType) => {
  const newProjectId = uuidV4();
  const project = await knex(TableName.Project).where("id", projectId).first();
  await knex(TableName.Project).insert({
    ...project,
    type: projectType,
    // @ts-ignore id is required
    id: newProjectId,
    slug: slugify(`${project?.name}-${alphaNumericNanoId(4)}`)
  });
  const customRoleMapping: Record<string, string> = {};
  const projectCustomRoles = await knex(TableName.ProjectRoles).where("projectId", projectId);
  if (projectCustomRoles.length) {
    await knex.batchInsert(
      TableName.ProjectRoles,
      projectCustomRoles.map((el) => {
        const id = uuidV4();
        customRoleMapping[el.id] = id;
        return {
          ...el,
          id,
          projectId: newProjectId,
          permissions: el.permissions ? JSON.stringify(el.permissions) : el.permissions
        };
      })
    );
  }
  const groupMembershipMapping: Record<string, string> = {};
  const groupMemberships = await knex(TableName.GroupProjectMembership).where("projectId", projectId);
  if (groupMemberships.length) {
    await knex.batchInsert(
      TableName.GroupProjectMembership,
      groupMemberships.map((el) => {
        const id = uuidV4();
        groupMembershipMapping[el.id] = id;
        return { ...el, id, projectId: newProjectId };
      })
    );
  }
  const groupMembershipRoles = await knex(TableName.GroupProjectMembershipRole).whereIn(
    "projectMembershipId",
    groupMemberships.map((el) => el.id)
  );
  if (groupMembershipRoles.length) {
    await knex.batchInsert(
      TableName.GroupProjectMembershipRole,
      groupMembershipRoles.map((el) => {
        const id = uuidV4();
        const projectMembershipId = groupMembershipMapping[el.projectMembershipId];
        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
        return { ...el, id, projectMembershipId, customRoleId };
      })
    );
  }
  const identityProjectMembershipMapping: Record<string, string> = {};
  const identities = await knex(TableName.IdentityProjectMembership).where("projectId", projectId);
  if (identities.length) {
    await knex.batchInsert(
      TableName.IdentityProjectMembership,
      identities.map((el) => {
        const id = uuidV4();
        identityProjectMembershipMapping[el.id] = id;
        return { ...el, id, projectId: newProjectId };
      })
    );
  }
  const identitiesRoles = await knex(TableName.IdentityProjectMembershipRole).whereIn(
    "projectMembershipId",
    identities.map((el) => el.id)
  );
  if (identitiesRoles.length) {
    await knex.batchInsert(
      TableName.IdentityProjectMembershipRole,
      identitiesRoles.map((el) => {
        const id = uuidV4();
        const projectMembershipId = identityProjectMembershipMapping[el.projectMembershipId];
        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
        return { ...el, id, projectMembershipId, customRoleId };
      })
    );
  }
  const projectMembershipMapping: Record<string, string> = {};
  const projectUserMembers = await knex(TableName.ProjectMembership).where("projectId", projectId);
  if (projectUserMembers.length) {
    await knex.batchInsert(
      TableName.ProjectMembership,
      projectUserMembers.map((el) => {
        const id = uuidV4();
        projectMembershipMapping[el.id] = id;
        return { ...el, id, projectId: newProjectId };
      })
    );
  }
  const membershipRoles = await knex(TableName.ProjectUserMembershipRole).whereIn(
    "projectMembershipId",
    projectUserMembers.map((el) => el.id)
  );
  if (membershipRoles.length) {
    await knex.batchInsert(
      TableName.ProjectUserMembershipRole,
      membershipRoles.map((el) => {
        const id = uuidV4();
        const projectMembershipId = projectMembershipMapping[el.projectMembershipId];
        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
        return { ...el, id, projectMembershipId, customRoleId };
      })
    );
  }
  const kmsKeys = await knex(TableName.KmsKey).where("projectId", projectId).andWhere("isReserved", true);
  if (kmsKeys.length) {
    await knex.batchInsert(
      TableName.KmsKey,
      kmsKeys.map((el) => {
        const id = uuidV4();
        const slug = slugify(alphaNumericNanoId(8).toLowerCase());
        return { ...el, id, slug, projectId: newProjectId };
      })
    );
  }
  const projectBot = await knex(TableName.ProjectBot).where("projectId", projectId).first();
  if (projectBot) {
    const newProjectBot = { ...projectBot, id: uuidV4(), projectId: newProjectId };
    await knex(TableName.ProjectBot).insert(newProjectBot);
  }
  const projectKeys = await knex(TableName.ProjectKeys).where("projectId", projectId);
  if (projectKeys.length) {
    await knex.batchInsert(
      TableName.ProjectKeys,
      projectKeys.map((el) => {
        const id = uuidV4();
        return { ...el, id, projectId: newProjectId };
      })
    );
  }
  return newProjectId;
 };
 const BATCH_SIZE = 500;
 export async function up(knex: Knex): Promise<void> {
  const hasSplitMappingTable = await knex.schema.hasTable(TableName.ProjectSplitBackfillIds);
  if (!hasSplitMappingTable) {
    await knex.schema.createTable(TableName.ProjectSplitBackfillIds, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.string("sourceProjectId", 36).notNullable();
      t.foreign("sourceProjectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
      t.string("destinationProjectType").notNullable();
      t.string("destinationProjectId", 36).notNullable();
      t.foreign("destinationProjectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
    });
  }
  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
  if (!hasTypeColumn) {
    await knex.schema.alterTable(TableName.Project, (t) => {
      t.string("type");
    });
    let projectsToBeTyped;
    do {
      // eslint-disable-next-line no-await-in-loop
      projectsToBeTyped = await knex(TableName.Project).whereNull("type").limit(BATCH_SIZE).select("id");
      if (projectsToBeTyped.length) {
        // eslint-disable-next-line no-await-in-loop
        await knex(TableName.Project)
          .whereIn(
            "id",
            projectsToBeTyped.map((el) => el.id)
          )
          .update({ type: ProjectType.SecretManager });
      }
    } while (projectsToBeTyped.length > 0);
    const projectsWithCertificates = await knex(TableName.CertificateAuthority)
      .distinct("projectId")
      .select("projectId");
    /* eslint-disable no-await-in-loop,no-param-reassign */
    for (const { projectId } of projectsWithCertificates) {
      const newProjectId = await newProject(knex, projectId, ProjectType.CertificateManager);
      await knex(TableName.CertificateAuthority).where("projectId", projectId).update({ projectId: newProjectId });
      await knex(TableName.PkiAlert).where("projectId", projectId).update({ projectId: newProjectId });
      await knex(TableName.PkiCollection).where("projectId", projectId).update({ projectId: newProjectId });
      await knex(TableName.ProjectSplitBackfillIds).insert({
        sourceProjectId: projectId,
        destinationProjectType: ProjectType.CertificateManager,
        destinationProjectId: newProjectId
      });
    }
    const projectsWithCmek = await knex(TableName.KmsKey)
      .where("isReserved", false)
      .whereNotNull("projectId")
      .distinct("projectId")
      .select("projectId");
    for (const { projectId } of projectsWithCmek) {
      if (projectId) {
        const newProjectId = await newProject(knex, projectId, ProjectType.KMS);
        await knex(TableName.KmsKey)
          .where({
            isReserved: false,
            projectId
          })
          .update({ projectId: newProjectId });
        await knex(TableName.ProjectSplitBackfillIds).insert({
          sourceProjectId: projectId,
          destinationProjectType: ProjectType.KMS,
          destinationProjectId: newProjectId
        });
      }
    }
    /* eslint-enable */
    await knex.schema.alterTable(TableName.Project, (t) => {
      t.string("type").notNullable().alter();
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
  const hasSplitMappingTable = await knex.schema.hasTable(TableName.ProjectSplitBackfillIds);
  if (hasTypeColumn && hasSplitMappingTable) {
    const splitProjectMappings = await knex(TableName.ProjectSplitBackfillIds).where({});
    const certMapping = splitProjectMappings.filter(
      (el) => el.destinationProjectType === ProjectType.CertificateManager
    );
    /* eslint-disable no-await-in-loop */
    for (const project of certMapping) {
      await knex(TableName.CertificateAuthority)
        .where("projectId", project.destinationProjectId)
        .update({ projectId: project.sourceProjectId });
      await knex(TableName.PkiAlert)
        .where("projectId", project.destinationProjectId)
        .update({ projectId: project.sourceProjectId });
      await knex(TableName.PkiCollection)
        .where("projectId", project.destinationProjectId)
        .update({ projectId: project.sourceProjectId });
    }
    /* eslint-enable */
    const kmsMapping = splitProjectMappings.filter((el) => el.destinationProjectType === ProjectType.KMS);
    /* eslint-disable no-await-in-loop */
    for (const project of kmsMapping) {
      await knex(TableName.KmsKey)
        .where({
          isReserved: false,
          projectId: project.destinationProjectId
        })
        .update({ projectId: project.sourceProjectId });
    }
    /* eslint-enable */
    await knex(TableName.ProjectMembership)
      .whereIn(
        "projectId",
        splitProjectMappings.map((el) => el.destinationProjectId)
      )
      .delete();
    await knex(TableName.ProjectRoles)
      .whereIn(
        "projectId",
        splitProjectMappings.map((el) => el.destinationProjectId)
      )
      .delete();
    await knex(TableName.Project)
      .whereIn(
        "id",
        splitProjectMappings.map((el) => el.destinationProjectId)
      )
      .delete();
    await knex.schema.alterTable(TableName.Project, (t) => {
      t.dropColumn("type");
    });
  }
  if (hasSplitMappingTable) {
    await knex.schema.dropTableIfExists(TableName.ProjectSplitBackfillIds);
  }
 }
--- a/backend/src/db/migrations/20241216013357_ssh-mgmt.ts
+++ b/backend/src/db/migrations/20241216013357_ssh-mgmt.ts
@ -0,0 +1,99 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.SshCertificateAuthority))) {
    await knex.schema.createTable(TableName.SshCertificateAuthority, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.timestamps(true, true, true);
      t.string("projectId").notNullable();
      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
      t.string("status").notNullable(); // active / disabled
      t.string("friendlyName").notNullable();
      t.string("keyAlgorithm").notNullable();
    });
    await createOnUpdateTrigger(knex, TableName.SshCertificateAuthority);
  }
  if (!(await knex.schema.hasTable(TableName.SshCertificateAuthoritySecret))) {
    await knex.schema.createTable(TableName.SshCertificateAuthoritySecret, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.timestamps(true, true, true);
      t.uuid("sshCaId").notNullable().unique();
      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
      t.binary("encryptedPrivateKey").notNullable();
    });
    await createOnUpdateTrigger(knex, TableName.SshCertificateAuthoritySecret);
  }
  if (!(await knex.schema.hasTable(TableName.SshCertificateTemplate))) {
    await knex.schema.createTable(TableName.SshCertificateTemplate, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.timestamps(true, true, true);
      t.uuid("sshCaId").notNullable();
      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
      t.string("status").notNullable(); // active / disabled
      t.string("name").notNullable();
      t.string("ttl").notNullable();
      t.string("maxTTL").notNullable();
      t.specificType("allowedUsers", "text[]").notNullable();
      t.specificType("allowedHosts", "text[]").notNullable();
      t.boolean("allowUserCertificates").notNullable();
      t.boolean("allowHostCertificates").notNullable();
      t.boolean("allowCustomKeyIds").notNullable();
    });
    await createOnUpdateTrigger(knex, TableName.SshCertificateTemplate);
  }
  if (!(await knex.schema.hasTable(TableName.SshCertificate))) {
    await knex.schema.createTable(TableName.SshCertificate, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.timestamps(true, true, true);
      t.uuid("sshCaId").notNullable();
      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
      t.uuid("sshCertificateTemplateId");
      t.foreign("sshCertificateTemplateId")
        .references("id")
        .inTable(TableName.SshCertificateTemplate)
        .onDelete("SET NULL");
      t.string("serialNumber").notNullable().unique();
      t.string("certType").notNullable(); // user or host
      t.specificType("principals", "text[]").notNullable();
      t.string("keyId").notNullable();
      t.datetime("notBefore").notNullable();
      t.datetime("notAfter").notNullable();
    });
    await createOnUpdateTrigger(knex, TableName.SshCertificate);
  }
  if (!(await knex.schema.hasTable(TableName.SshCertificateBody))) {
    await knex.schema.createTable(TableName.SshCertificateBody, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.timestamps(true, true, true);
      t.uuid("sshCertId").notNullable().unique();
      t.foreign("sshCertId").references("id").inTable(TableName.SshCertificate).onDelete("CASCADE");
      t.binary("encryptedCertificate").notNullable();
    });
    await createOnUpdateTrigger(knex, TableName.SshCertificateBody);
  }
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.dropTableIfExists(TableName.SshCertificateBody);
  await dropOnUpdateTrigger(knex, TableName.SshCertificateBody);
  await knex.schema.dropTableIfExists(TableName.SshCertificate);
  await dropOnUpdateTrigger(knex, TableName.SshCertificate);
  await knex.schema.dropTableIfExists(TableName.SshCertificateTemplate);
  await dropOnUpdateTrigger(knex, TableName.SshCertificateTemplate);
  await knex.schema.dropTableIfExists(TableName.SshCertificateAuthoritySecret);
  await dropOnUpdateTrigger(knex, TableName.SshCertificateAuthoritySecret);
  await knex.schema.dropTableIfExists(TableName.SshCertificateAuthority);
  await dropOnUpdateTrigger(knex, TableName.SshCertificateAuthority);
 }
--- a/backend/src/db/migrations/20241218165837_resource-metadata.ts
+++ b/backend/src/db/migrations/20241218165837_resource-metadata.ts
@ -0,0 +1,40 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.ResourceMetadata))) {
    await knex.schema.createTable(TableName.ResourceMetadata, (tb) => {
      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      tb.string("key").notNullable();
      tb.string("value", 1020).notNullable();
      tb.uuid("orgId").notNullable();
      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
      tb.uuid("userId");
      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
      tb.uuid("identityId");
      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
      tb.uuid("secretId");
      tb.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
      tb.timestamps(true, true, true);
    });
  }
  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
  if (!hasSecretMetadataField) {
    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
      t.jsonb("secretMetadata");
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.dropTableIfExists(TableName.ResourceMetadata);
  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
  if (hasSecretMetadataField) {
    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
      t.dropColumn("secretMetadata");
    });
  }
 }
--- a/backend/src/db/migrations/20241218181018_app-connection.ts
+++ b/backend/src/db/migrations/20241218181018_app-connection.ts
@ -0,0 +1,28 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.AppConnection))) {
    await knex.schema.createTable(TableName.AppConnection, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.string("name", 32).notNullable();
      t.string("description");
      t.string("app").notNullable();
      t.string("method").notNullable();
      t.binary("encryptedCredentials").notNullable();
      t.integer("version").defaultTo(1).notNullable();
      t.uuid("orgId").notNullable();
      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
      t.timestamps(true, true, true);
    });
    await createOnUpdateTrigger(knex, TableName.AppConnection);
  }
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.dropTableIfExists(TableName.AppConnection);
  await dropOnUpdateTrigger(knex, TableName.AppConnection);
 }
--- a/backend/src/db/migrations/20250115222458_groups-unique-name.ts
+++ b/backend/src/db/migrations/20250115222458_groups-unique-name.ts
@ -0,0 +1,49 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  // find any duplicate group names within organizations
  const duplicates = await knex(TableName.Groups)
    .select("orgId", "name")
    .count("* as count")
    .groupBy("orgId", "name")
    .having(knex.raw("count(*) > 1"));
  // for each set of duplicates, update all but one with a numbered suffix
  for await (const duplicate of duplicates) {
    const groups = await knex(TableName.Groups)
      .select("id", "name")
      .where({
        orgId: duplicate.orgId,
        name: duplicate.name
      })
      .orderBy("createdAt", "asc"); // keep original name for oldest group
    // skip the first (oldest) group, rename others with numbered suffix
    for (let i = 1; i < groups.length; i += 1) {
      // eslint-disable-next-line no-await-in-loop
      await knex(TableName.Groups)
        .where("id", groups[i].id)
        .update({
          name: `${groups[i].name} (${i})`,
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore TS doesn't know about Knex's timestamp types
          updatedAt: new Date()
        });
    }
  }
  // add the unique constraint
  await knex.schema.alterTable(TableName.Groups, (t) => {
    t.unique(["orgId", "name"]);
  });
 }
 export async function down(knex: Knex): Promise<void> {
  // Remove the unique constraint
  await knex.schema.alterTable(TableName.Groups, (t) => {
    t.dropUnique(["orgId", "name"]);
  });
 }
--- a/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
+++ b/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
@ -0,0 +1,33 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
  await knex.schema.alterTable(TableName.Project, (t) => {
    if (!hasEnforceCapitalizationCol) {
      t.boolean("enforceCapitalization").defaultTo(false).notNullable();
    }
    if (hasAutoCapitalizationCol) {
      t.boolean("autoCapitalization").defaultTo(false).alter();
    }
  });
 }
 export async function down(knex: Knex): Promise<void> {
  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
  await knex.schema.alterTable(TableName.Project, (t) => {
    if (hasEnforceCapitalizationCol) {
      t.dropColumn("enforceCapitalization");
    }
    if (hasAutoCapitalizationCol) {
      t.boolean("autoCapitalization").defaultTo(true).alter();
    }
  });
 }
--- a/backend/src/db/migrations/20250122055102_secret-sync.ts
+++ b/backend/src/db/migrations/20250122055102_secret-sync.ts
@ -0,0 +1,50 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.SecretSync))) {
    await knex.schema.createTable(TableName.SecretSync, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.string("name", 32).notNullable();
      t.string("description");
      t.string("destination").notNullable();
      t.boolean("isAutoSyncEnabled").notNullable().defaultTo(true);
      t.integer("version").defaultTo(1).notNullable();
      t.jsonb("destinationConfig").notNullable();
      t.jsonb("syncOptions").notNullable();
      // we're including projectId in addition to folder ID because we allow folderId to be null (if the folder
      // is deleted), to preserve sync configuration
      t.string("projectId").notNullable();
      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
      t.uuid("folderId");
      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("SET NULL");
      t.uuid("connectionId").notNullable();
      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
      t.timestamps(true, true, true);
      // sync secrets to destination
      t.string("syncStatus");
      t.string("lastSyncJobId");
      t.string("lastSyncMessage");
      t.datetime("lastSyncedAt");
      // import secrets from destination
      t.string("importStatus");
      t.string("lastImportJobId");
      t.string("lastImportMessage");
      t.datetime("lastImportedAt");
      // remove secrets from destination
      t.string("removeStatus");
      t.string("lastRemoveJobId");
      t.string("lastRemoveMessage");
      t.datetime("lastRemovedAt");
    });
    await createOnUpdateTrigger(knex, TableName.SecretSync);
  }
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.dropTableIfExists(TableName.SecretSync);
  await dropOnUpdateTrigger(knex, TableName.SecretSync);
 }
--- a/backend/src/db/migrations/20250129214629_oidc-configs-manage-group-memberships-col.ts
+++ b/backend/src/db/migrations/20250129214629_oidc-configs-manage-group-memberships-col.ts
@ -0,0 +1,23 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  const hasManageGroupMembershipsCol = await knex.schema.hasColumn(TableName.OidcConfig, "manageGroupMemberships");
  await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
    if (!hasManageGroupMembershipsCol) {
      tb.boolean("manageGroupMemberships").notNullable().defaultTo(false);
    }
  });
 }
 export async function down(knex: Knex): Promise<void> {
  const hasManageGroupMembershipsCol = await knex.schema.hasColumn(TableName.OidcConfig, "manageGroupMemberships");
  await knex.schema.alterTable(TableName.OidcConfig, (t) => {
    if (hasManageGroupMembershipsCol) {
      t.dropColumn("manageGroupMemberships");
    }
  });
 }
--- a/backend/src/db/migrations/20250204025010_app-connections-and-secret-syncs-unique-constraint.ts
+++ b/backend/src/db/migrations/20250204025010_app-connections-and-secret-syncs-unique-constraint.ts
@ -0,0 +1,23 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 export async function up(knex: Knex): Promise<void> {
  await knex.schema.alterTable(TableName.AppConnection, (t) => {
    t.unique(["orgId", "name"]);
  });
  await knex.schema.alterTable(TableName.SecretSync, (t) => {
    t.unique(["projectId", "name"]);
  });
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.alterTable(TableName.AppConnection, (t) => {
    t.dropUnique(["orgId", "name"]);
  });
  await knex.schema.alterTable(TableName.SecretSync, (t) => {
    t.dropUnique(["projectId", "name"]);
  });
 }
--- a/backend/src/db/migrations/20250205045509_increase-gcp-auth-limit.ts
+++ b/backend/src/db/migrations/20250205045509_increase-gcp-auth-limit.ts
@ -0,0 +1,36 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  const hasTable = await knex.schema.hasTable(TableName.IdentityGcpAuth);
  const hasAllowedProjectsColumn = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedProjects");
  const hasAllowedServiceAccountsColumn = await knex.schema.hasColumn(
    TableName.IdentityGcpAuth,
    "allowedServiceAccounts"
  );
  const hasAllowedZones = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedZones");
  if (hasTable) {
    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
      if (hasAllowedProjectsColumn) t.string("allowedProjects", 2500).alter();
      if (hasAllowedServiceAccountsColumn) t.string("allowedServiceAccounts", 5000).alter();
      if (hasAllowedZones) t.string("allowedZones", 2500).alter();
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  const hasTable = await knex.schema.hasTable(TableName.IdentityGcpAuth);
  const hasAllowedProjectsColumn = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedProjects");
  const hasAllowedServiceAccountsColumn = await knex.schema.hasColumn(
    TableName.IdentityGcpAuth,
    "allowedServiceAccounts"
  );
  const hasAllowedZones = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedZones");
  if (hasTable) {
    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
      if (hasAllowedProjectsColumn) t.string("allowedProjects").alter();
      if (hasAllowedServiceAccountsColumn) t.string("allowedServiceAccounts").alter();
      if (hasAllowedZones) t.string("allowedZones").alter();
    });
  }
 }
--- a/backend/src/db/schemas/access-approval-policies.ts
+++ b/backend/src/db/schemas/access-approval-policies.ts
@ -15,7 +15,8 @@ export const AccessApprovalPoliciesSchema = z.object({
  envId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard")
+  enforcementLevel: z.string().default("hard"),
  deletedAt: z.date().nullable().optional()
 });
 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/app-connections.ts
+++ b/backend/src/db/schemas/app-connections.ts
@ -0,0 +1,27 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { zodBuffer } from "@app/lib/zod";
 import { TImmutableDBKeys } from "./models";
 export const AppConnectionsSchema = z.object({
  id: z.string().uuid(),
  name: z.string(),
  description: z.string().nullable().optional(),
  app: z.string(),
  method: z.string(),
  encryptedCredentials: zodBuffer,
  version: z.number().default(1),
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TAppConnections = z.infer<typeof AppConnectionsSchema>;
 export type TAppConnectionsInsert = Omit<z.input<typeof AppConnectionsSchema>, TImmutableDBKeys>;
 export type TAppConnectionsUpdate = Partial<Omit<z.input<typeof AppConnectionsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/certificate-template-est-configs.ts
+++ b/backend/src/db/schemas/certificate-template-est-configs.ts
@ -12,11 +12,12 @@ import { TImmutableDBKeys } from "./models";
 export const CertificateTemplateEstConfigsSchema = z.object({
  id: z.string().uuid(),
  certificateTemplateId: z.string().uuid(),
-  encryptedCaChain: zodBuffer,
+  encryptedCaChain: zodBuffer.nullable().optional(),
  hashedPassphrase: z.string(),
  isEnabled: z.boolean(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
  disableBootstrapCertValidation: z.boolean().default(false)
 });
 export type TCertificateTemplateEstConfigs = z.infer<typeof CertificateTemplateEstConfigsSchema>;
--- a/backend/src/db/schemas/identity-access-tokens.ts
+++ b/backend/src/db/schemas/identity-access-tokens.ts
@ -20,7 +20,8 @@ export const IdentityAccessTokensSchema = z.object({
  identityId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  name: z.string().nullable().optional()
+  name: z.string().nullable().optional(),
  authMethod: z.string()
 });
 export type TIdentityAccessTokens = z.infer<typeof IdentityAccessTokensSchema>;
--- a/backend/src/db/schemas/identity-gcp-auths.ts
+++ b/backend/src/db/schemas/identity-gcp-auths.ts
@ -17,9 +17,9 @@ export const IdentityGcpAuthsSchema = z.object({
  updatedAt: z.date(),
  identityId: z.string().uuid(),
  type: z.string(),
-  allowedServiceAccounts: z.string(),
+  allowedServiceAccounts: z.string().nullable().optional(),
-  allowedProjects: z.string(),
+  allowedProjects: z.string().nullable().optional(),
-  allowedZones: z.string()
+  allowedZones: z.string().nullable().optional()
 });
 export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;
--- a/backend/src/db/schemas/identity-jwt-auths.ts
+++ b/backend/src/db/schemas/identity-jwt-auths.ts
@ -0,0 +1,33 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { zodBuffer } from "@app/lib/zod";
 import { TImmutableDBKeys } from "./models";
 export const IdentityJwtAuthsSchema = z.object({
  id: z.string().uuid(),
  accessTokenTTL: z.coerce.number().default(7200),
  accessTokenMaxTTL: z.coerce.number().default(7200),
  accessTokenNumUsesLimit: z.coerce.number().default(0),
  accessTokenTrustedIps: z.unknown(),
  identityId: z.string().uuid(),
  configurationType: z.string(),
  jwksUrl: z.string(),
  encryptedJwksCaCert: zodBuffer,
  encryptedPublicKeys: zodBuffer,
  boundIssuer: z.string(),
  boundAudiences: z.string(),
  boundClaims: z.unknown(),
  boundSubject: z.string(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TIdentityJwtAuths = z.infer<typeof IdentityJwtAuthsSchema>;
 export type TIdentityJwtAuthsInsert = Omit<z.input<typeof IdentityJwtAuthsSchema>, TImmutableDBKeys>;
 export type TIdentityJwtAuthsUpdate = Partial<Omit<z.input<typeof IdentityJwtAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -30,6 +30,7 @@ export * from "./identity-access-tokens";
 export * from "./identity-aws-auths";
 export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
 export * from "./identity-jwt-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
 export * from "./identity-oidc-auths";
@ -64,10 +65,13 @@ export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";
 export * from "./project-slack-configs";
 export * from "./project-split-backfill-ids";
 export * from "./project-templates";
 export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./rate-limit";
 export * from "./resource-metadata";
 export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";
@ -104,7 +108,13 @@ export * from "./secrets";
 export * from "./secrets-v2";
 export * from "./service-tokens";
 export * from "./slack-integrations";
 export * from "./ssh-certificate-authorities";
 export * from "./ssh-certificate-authority-secrets";
 export * from "./ssh-certificate-bodies";
 export * from "./ssh-certificate-templates";
 export * from "./ssh-certificates";
 export * from "./super-admin";
 export * from "./totp-configs";
 export * from "./trusted-ips";
 export * from "./user-actions";
 export * from "./user-aliases";
--- a/backend/src/db/schemas/kms-root-config.ts
+++ b/backend/src/db/schemas/kms-root-config.ts
@ -11,7 +11,10 @@ import { TImmutableDBKeys } from "./models";
 export const KmsRootConfigSchema = z.object({
  id: z.string().uuid(),
-  encryptedRootKey: zodBuffer
+  encryptedRootKey: zodBuffer,
  encryptionStrategy: z.string().default("SOFTWARE").nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TKmsRootConfig = z.infer<typeof KmsRootConfigSchema>;
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -2,6 +2,11 @@ import { z } from "zod";
 export enum TableName {
  Users = "users",
  SshCertificateAuthority = "ssh_certificate_authorities",
  SshCertificateAuthoritySecret = "ssh_certificate_authority_secrets",
  SshCertificateTemplate = "ssh_certificate_templates",
  SshCertificate = "ssh_certificates",
  SshCertificateBody = "ssh_certificate_bodies",
  CertificateAuthority = "certificate_authorities",
  CertificateTemplateEstConfig = "certificate_template_est_configs",
  CertificateAuthorityCert = "certificate_authority_certs",
@ -41,6 +46,7 @@ export enum TableName {
  ProjectUserAdditionalPrivilege = "project_user_additional_privilege",
  ProjectUserMembershipRole = "project_user_membership_roles",
  ProjectKeys = "project_keys",
  ProjectTemplates = "project_templates",
  Secret = "secrets",
  SecretReference = "secret_references",
  SecretSharing = "secret_sharing",
@ -67,12 +73,14 @@ export enum TableName {
  IdentityUaClientSecret = "identity_ua_client_secrets",
  IdentityAwsAuth = "identity_aws_auths",
  IdentityOidcAuth = "identity_oidc_auths",
  IdentityJwtAuth = "identity_jwt_auths",
  IdentityOrgMembership = "identity_org_memberships",
  IdentityProjectMembership = "identity_project_memberships",
  IdentityProjectMembershipRole = "identity_project_membership_role",
  IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
  // used by both identity and users
  IdentityMetadata = "identity_metadata",
  ResourceMetadata = "resource_metadata",
  ScimToken = "scim_tokens",
  AccessApprovalPolicy = "access_approval_policies",
  AccessApprovalPolicyApprover = "access_approval_policies_approvers",
@ -104,6 +112,7 @@ export enum TableName {
  SecretApprovalRequestSecretV2 = "secret_approval_requests_secrets_v2",
  SecretApprovalRequestSecretTagV2 = "secret_approval_request_secret_tags_v2",
  SnapshotSecretV2 = "secret_snapshot_secrets_v2",
  ProjectSplitBackfillIds = "project_split_backfill_ids",
  // junction tables with tags
  SecretV2JnTag = "secret_v2_tag_junction",
  JnSecretTag = "secret_tag_junction",
@ -116,11 +125,14 @@ export enum TableName {
  ExternalKms = "external_kms",
  InternalKms = "internal_kms",
  InternalKmsKeyVersion = "internal_kms_key_version",
  TotpConfig = "totp_configs",
  // @depreciated
  KmsKeyVersion = "kms_key_versions",
  WorkflowIntegrations = "workflow_integrations",
  SlackIntegrations = "slack_integrations",
-  ProjectSlackConfigs = "project_slack_configs"
+  ProjectSlackConfigs = "project_slack_configs",
  AppConnection = "app_connections",
  SecretSync = "secret_syncs"
 }
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
@ -189,10 +201,27 @@ export enum ProjectUpgradeStatus {
 export enum IdentityAuthMethod {
  TOKEN_AUTH = "token-auth",
-  Univeral = "universal-auth",
+  UNIVERSAL_AUTH = "universal-auth",
  KUBERNETES_AUTH = "kubernetes-auth",
  GCP_AUTH = "gcp-auth",
  AWS_AUTH = "aws-auth",
  AZURE_AUTH = "azure-auth",
-  OIDC_AUTH = "oidc-auth"
+  OIDC_AUTH = "oidc-auth",
  JWT_AUTH = "jwt-auth"
 }
 export enum ProjectType {
  SecretManager = "secret-manager",
  CertificateManager = "cert-manager",
  KMS = "kms",
  SSH = "ssh"
 }
 export enum ActionProjectType {
  SecretManager = ProjectType.SecretManager,
  CertificateManager = ProjectType.CertificateManager,
  KMS = ProjectType.KMS,
  SSH = ProjectType.SSH,
  // project operations that happen on all types
  Any = "any"
 }
--- a/backend/src/db/schemas/oidc-configs.ts
+++ b/backend/src/db/schemas/oidc-configs.ts
@ -27,7 +27,8 @@ export const OidcConfigsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  orgId: z.string().uuid(),
-  lastUsed: z.date().nullable().optional()
+  lastUsed: z.date().nullable().optional(),
  manageGroupMemberships: z.boolean().default(false)
 });
 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;
--- a/backend/src/db/schemas/organizations.ts
+++ b/backend/src/db/schemas/organizations.ts
@ -20,7 +20,9 @@ export const OrganizationsSchema = z.object({
  scimEnabled: z.boolean().default(false).nullable().optional(),
  kmsDefaultKeyId: z.string().uuid().nullable().optional(),
  kmsEncryptedDataKey: zodBuffer.nullable().optional(),
-  defaultMembershipRole: z.string().default("member")
+  defaultMembershipRole: z.string().default("member"),
  enforceMfa: z.boolean().default(false),
  selectedMfaMethod: z.string().nullable().optional()
 });
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;
--- a/backend/src/db/schemas/project-roles.ts
+++ b/backend/src/db/schemas/project-roles.ts
@ -15,7 +15,8 @@ export const ProjectRolesSchema = z.object({
  permissions: z.unknown(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  projectId: z.string()
+  projectId: z.string(),
  version: z.number().default(1)
 });
 export type TProjectRoles = z.infer<typeof ProjectRolesSchema>;
--- a/backend/src/db/schemas/project-split-backfill-ids.ts
+++ b/backend/src/db/schemas/project-split-backfill-ids.ts
@ -0,0 +1,21 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const ProjectSplitBackfillIdsSchema = z.object({
  id: z.string().uuid(),
  sourceProjectId: z.string(),
  destinationProjectType: z.string(),
  destinationProjectId: z.string()
 });
 export type TProjectSplitBackfillIds = z.infer<typeof ProjectSplitBackfillIdsSchema>;
 export type TProjectSplitBackfillIdsInsert = Omit<z.input<typeof ProjectSplitBackfillIdsSchema>, TImmutableDBKeys>;
 export type TProjectSplitBackfillIdsUpdate = Partial<
  Omit<z.input<typeof ProjectSplitBackfillIdsSchema>, TImmutableDBKeys>
 >;
--- a/backend/src/db/schemas/project-templates.ts
+++ b/backend/src/db/schemas/project-templates.ts
@ -0,0 +1,23 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const ProjectTemplatesSchema = z.object({
  id: z.string().uuid(),
  name: z.string(),
  description: z.string().nullable().optional(),
  roles: z.unknown(),
  environments: z.unknown(),
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;
 export type TProjectTemplatesInsert = Omit<z.input<typeof ProjectTemplatesSchema>, TImmutableDBKeys>;
 export type TProjectTemplatesUpdate = Partial<Omit<z.input<typeof ProjectTemplatesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@ -13,7 +13,7 @@ export const ProjectsSchema = z.object({
  id: z.string(),
  name: z.string(),
  slug: z.string(),
-  autoCapitalization: z.boolean().default(true).nullable().optional(),
+  autoCapitalization: z.boolean().default(false).nullable().optional(),
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
@ -23,7 +23,10 @@ export const ProjectsSchema = z.object({
  kmsCertificateKeyId: z.string().uuid().nullable().optional(),
  auditLogsRetentionDays: z.number().nullable().optional(),
  kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
-  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional()
+  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
  description: z.string().nullable().optional(),
  type: z.string(),
  enforceCapitalization: z.boolean().default(false)
 });
 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/resource-metadata.ts
+++ b/backend/src/db/schemas/resource-metadata.ts
@ -0,0 +1,24 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const ResourceMetadataSchema = z.object({
  id: z.string().uuid(),
  key: z.string(),
  value: z.string(),
  orgId: z.string().uuid(),
  userId: z.string().uuid().nullable().optional(),
  identityId: z.string().uuid().nullable().optional(),
  secretId: z.string().uuid().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;
 export type TResourceMetadataInsert = Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>;
 export type TResourceMetadataUpdate = Partial<Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/secret-approval-policies.ts
+++ b/backend/src/db/schemas/secret-approval-policies.ts
@ -15,7 +15,8 @@ export const SecretApprovalPoliciesSchema = z.object({
  envId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard")
+  enforcementLevel: z.string().default("hard"),
  deletedAt: z.date().nullable().optional()
 });
 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/secret-approval-requests-secrets-v2.ts
+++ b/backend/src/db/schemas/secret-approval-requests-secrets-v2.ts
@ -24,7 +24,8 @@ export const SecretApprovalRequestsSecretsV2Schema = z.object({
  requestId: z.string().uuid(),
  op: z.string(),
  secretId: z.string().uuid().nullable().optional(),
-  secretVersion: z.string().uuid().nullable().optional()
+  secretVersion: z.string().uuid().nullable().optional(),
  secretMetadata: z.unknown().nullable().optional()
 });
 export type TSecretApprovalRequestsSecretsV2 = z.infer<typeof SecretApprovalRequestsSecretsV2Schema>;
--- a/backend/src/db/schemas/secret-syncs.ts
+++ b/backend/src/db/schemas/secret-syncs.ts
@ -0,0 +1,40 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const SecretSyncsSchema = z.object({
  id: z.string().uuid(),
  name: z.string(),
  description: z.string().nullable().optional(),
  destination: z.string(),
  isAutoSyncEnabled: z.boolean().default(true),
  version: z.number().default(1),
  destinationConfig: z.unknown(),
  syncOptions: z.unknown(),
  projectId: z.string(),
  folderId: z.string().uuid().nullable().optional(),
  connectionId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  syncStatus: z.string().nullable().optional(),
  lastSyncJobId: z.string().nullable().optional(),
  lastSyncMessage: z.string().nullable().optional(),
  lastSyncedAt: z.date().nullable().optional(),
  importStatus: z.string().nullable().optional(),
  lastImportJobId: z.string().nullable().optional(),
  lastImportMessage: z.string().nullable().optional(),
  lastImportedAt: z.date().nullable().optional(),
  removeStatus: z.string().nullable().optional(),
  lastRemoveJobId: z.string().nullable().optional(),
  lastRemoveMessage: z.string().nullable().optional(),
  lastRemovedAt: z.date().nullable().optional()
 });
 export type TSecretSyncs = z.infer<typeof SecretSyncsSchema>;
 export type TSecretSyncsInsert = Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>;
 export type TSecretSyncsUpdate = Partial<Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/ssh-certificate-authorities.ts
+++ b/backend/src/db/schemas/ssh-certificate-authorities.ts
@ -0,0 +1,24 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const SshCertificateAuthoritiesSchema = z.object({
  id: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  projectId: z.string(),
  status: z.string(),
  friendlyName: z.string(),
  keyAlgorithm: z.string()
 });
 export type TSshCertificateAuthorities = z.infer<typeof SshCertificateAuthoritiesSchema>;
 export type TSshCertificateAuthoritiesInsert = Omit<z.input<typeof SshCertificateAuthoritiesSchema>, TImmutableDBKeys>;
 export type TSshCertificateAuthoritiesUpdate = Partial<
  Omit<z.input<typeof SshCertificateAuthoritiesSchema>, TImmutableDBKeys>
 >;
--- a/backend/src/db/schemas/ssh-certificate-authority-secrets.ts
+++ b/backend/src/db/schemas/ssh-certificate-authority-secrets.ts
@ -0,0 +1,27 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { zodBuffer } from "@app/lib/zod";
 import { TImmutableDBKeys } from "./models";
 export const SshCertificateAuthoritySecretsSchema = z.object({
  id: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  sshCaId: z.string().uuid(),
  encryptedPrivateKey: zodBuffer
 });
 export type TSshCertificateAuthoritySecrets = z.infer<typeof SshCertificateAuthoritySecretsSchema>;
 export type TSshCertificateAuthoritySecretsInsert = Omit<
  z.input<typeof SshCertificateAuthoritySecretsSchema>,
  TImmutableDBKeys
 >;
 export type TSshCertificateAuthoritySecretsUpdate = Partial<
  Omit<z.input<typeof SshCertificateAuthoritySecretsSchema>, TImmutableDBKeys>
 >;
--- a/backend/src/db/schemas/ssh-certificate-bodies.ts
+++ b/backend/src/db/schemas/ssh-certificate-bodies.ts
@ -0,0 +1,22 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { zodBuffer } from "@app/lib/zod";
 import { TImmutableDBKeys } from "./models";
 export const SshCertificateBodiesSchema = z.object({
  id: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  sshCertId: z.string().uuid(),
  encryptedCertificate: zodBuffer
 });
 export type TSshCertificateBodies = z.infer<typeof SshCertificateBodiesSchema>;
 export type TSshCertificateBodiesInsert = Omit<z.input<typeof SshCertificateBodiesSchema>, TImmutableDBKeys>;
 export type TSshCertificateBodiesUpdate = Partial<Omit<z.input<typeof SshCertificateBodiesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/ssh-certificate-templates.ts
+++ b/backend/src/db/schemas/ssh-certificate-templates.ts
@ -0,0 +1,30 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const SshCertificateTemplatesSchema = z.object({
  id: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  sshCaId: z.string().uuid(),
  status: z.string(),
  name: z.string(),
  ttl: z.string(),
  maxTTL: z.string(),
  allowedUsers: z.string().array(),
  allowedHosts: z.string().array(),
  allowUserCertificates: z.boolean(),
  allowHostCertificates: z.boolean(),
  allowCustomKeyIds: z.boolean()
 });
 export type TSshCertificateTemplates = z.infer<typeof SshCertificateTemplatesSchema>;
 export type TSshCertificateTemplatesInsert = Omit<z.input<typeof SshCertificateTemplatesSchema>, TImmutableDBKeys>;
 export type TSshCertificateTemplatesUpdate = Partial<
  Omit<z.input<typeof SshCertificateTemplatesSchema>, TImmutableDBKeys>
 >;
--- a/backend/src/db/schemas/ssh-certificates.ts
+++ b/backend/src/db/schemas/ssh-certificates.ts
@ -0,0 +1,26 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const SshCertificatesSchema = z.object({
  id: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  sshCaId: z.string().uuid(),
  sshCertificateTemplateId: z.string().uuid().nullable().optional(),
  serialNumber: z.string(),
  certType: z.string(),
  principals: z.string().array(),
  keyId: z.string(),
  notBefore: z.date(),
  notAfter: z.date()
 });
 export type TSshCertificates = z.infer<typeof SshCertificatesSchema>;
 export type TSshCertificatesInsert = Omit<z.input<typeof SshCertificatesSchema>, TImmutableDBKeys>;
 export type TSshCertificatesUpdate = Partial<Omit<z.input<typeof SshCertificatesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/totp-configs.ts
+++ b/backend/src/db/schemas/totp-configs.ts
@ -0,0 +1,24 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { zodBuffer } from "@app/lib/zod";
 import { TImmutableDBKeys } from "./models";
 export const TotpConfigsSchema = z.object({
  id: z.string().uuid(),
  userId: z.string().uuid(),
  isVerified: z.boolean().default(false),
  encryptedRecoveryCodes: zodBuffer,
  encryptedSecret: zodBuffer,
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TTotpConfigs = z.infer<typeof TotpConfigsSchema>;
 export type TTotpConfigsInsert = Omit<z.input<typeof TotpConfigsSchema>, TImmutableDBKeys>;
 export type TTotpConfigsUpdate = Partial<Omit<z.input<typeof TotpConfigsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/users.ts
+++ b/backend/src/db/schemas/users.ts
@ -26,7 +26,8 @@ export const UsersSchema = z.object({
  consecutiveFailedMfaAttempts: z.number().default(0).nullable().optional(),
  isLocked: z.boolean().default(false).nullable().optional(),
  temporaryLockDateEnd: z.date().nullable().optional(),
-  consecutiveFailedPasswordAttempts: z.number().default(0).nullable().optional()
+  consecutiveFailedPasswordAttempts: z.number().default(0).nullable().optional(),
  selectedMfaMethod: z.string().nullable().optional()
 });
 export type TUsers = z.infer<typeof UsersSchema>;
--- a/backend/src/db/seeds/3-project.ts
+++ b/backend/src/db/seeds/3-project.ts
@ -4,7 +4,7 @@ import { Knex } from "knex";
 import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
-import { ProjectMembershipRole, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
+import { ProjectMembershipRole, ProjectType, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
 import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";
 export const DEFAULT_PROJECT_ENVS = [
@ -24,6 +24,7 @@ export async function seed(knex: Knex): Promise<void> {
      name: seedData1.project.name,
      orgId: seedData1.organization.id,
      slug: "first-project",
      type: ProjectType.SecretManager,
      // eslint-disable-next-line
      // @ts-ignore
      id: seedData1.project.id
--- a/backend/src/db/seeds/4-project-v3.ts
+++ b/backend/src/db/seeds/4-project-v3.ts
@ -1,6 +1,6 @@
 import { Knex } from "knex";
-import { ProjectMembershipRole, ProjectVersion, TableName } from "../schemas";
+import { ProjectMembershipRole, ProjectType, ProjectVersion, TableName } from "../schemas";
 import { seedData1 } from "../seed-data";
 export const DEFAULT_PROJECT_ENVS = [
@ -16,6 +16,7 @@ export async function seed(knex: Knex): Promise<void> {
      orgId: seedData1.organization.id,
      slug: seedData1.projectV3.slug,
      version: ProjectVersion.V3,
      type: ProjectType.SecretManager,
      // eslint-disable-next-line
      // @ts-ignore
      id: seedData1.projectV3.id
--- a/backend/src/db/seeds/5-machine-identity.ts
+++ b/backend/src/db/seeds/5-machine-identity.ts
@ -16,7 +16,7 @@ export async function seed(knex: Knex): Promise<void> {
      // @ts-ignore
      id: seedData1.machineIdentity.id,
      name: seedData1.machineIdentity.name,
-      authMethod: IdentityAuthMethod.Univeral
+      authMethod: IdentityAuthMethod.UNIVERSAL_AUTH
    }
  ]);
  const identityUa = await knex(TableName.IdentityUniversalAuth)
--- a/backend/src/db/utils.ts
+++ b/backend/src/db/utils.ts
@ -2,6 +2,9 @@ import { Knex } from "knex";
 import { TableName } from "./schemas";
 interface PgTriggerResult {
  rows: Array<{ exists: boolean }>;
 }
 export const createJunctionTable = (knex: Knex, tableName: TableName, table1Name: TableName, table2Name: TableName) =>
  knex.schema.createTable(tableName, (table) => {
    table.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
@ -28,13 +31,26 @@ DROP FUNCTION IF EXISTS on_update_timestamp() CASCADE;
 // we would be using this to apply updatedAt where ever we wanta
 // remember to set `timestamps(true,true,true)` before this on schema
-export const createOnUpdateTrigger = (knex: Knex, tableName: string) =>
+export const createOnUpdateTrigger = async (knex: Knex, tableName: string) => {
-  knex.raw(`
+  const triggerExists = await knex.raw<PgTriggerResult>(`
-CREATE TRIGGER "${tableName}_updatedAt"
+    SELECT EXISTS (
-BEFORE UPDATE ON ${tableName}
+      SELECT 1 
-FOR EACH ROW
+      FROM pg_trigger 
-EXECUTE PROCEDURE on_update_timestamp();
+      WHERE tgname = '${tableName}_updatedAt'
-`);
+    );
  `);
  if (!triggerExists?.rows?.[0]?.exists) {
    return knex.raw(`
      CREATE TRIGGER "${tableName}_updatedAt"
      BEFORE UPDATE ON ${tableName}
      FOR EACH ROW
      EXECUTE PROCEDURE on_update_timestamp();
    `);
  }
  return null;
 };
 export const dropOnUpdateTrigger = (knex: Knex, tableName: string) =>
  knex.raw(`DROP TRIGGER IF EXISTS "${tableName}_updatedAt" ON ${tableName}`);
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@ -109,7 +109,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
              approvers: z.string().array(),
              secretPath: z.string().nullish(),
              envId: z.string(),
-              enforcementLevel: z.string()
+              enforcementLevel: z.string(),
              deletedAt: z.date().nullish()
            }),
            reviewers: z
              .object({
--- a/backend/src/ee/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-router.ts
@ -1,4 +1,3 @@
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";
@ -8,6 +7,7 @@ import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -48,15 +48,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
          .nullable(),
        path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
        environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
-        name: z
+        name: slugSchema({ min: 1, max: 64, field: "Name" }).describe(DYNAMIC_SECRETS.CREATE.name)
          .string()
          .describe(DYNAMIC_SECRETS.CREATE.name)
          .min(1)
          .toLowerCase()
          .max(64)
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid"
          })
      }),
      response: {
        200: z.object({
--- a/backend/src/ee/routes/v1/external-kms-router.ts
+++ b/backend/src/ee/routes/v1/external-kms-router.ts
@ -4,9 +4,15 @@ import { ExternalKmsSchema, KmsKeysSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import {
  ExternalKmsAwsSchema,
  ExternalKmsGcpCredentialSchema,
  ExternalKmsGcpSchema,
  ExternalKmsInputSchema,
-  ExternalKmsInputUpdateSchema
+  ExternalKmsInputUpdateSchema,
  KmsGcpKeyFetchAuthType,
  KmsProviders,
  TExternalKmsGcpCredentialSchema
 } from "@app/ee/services/external-kms/providers/model";
 import { NotFoundError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -44,7 +50,8 @@ const sanitizedExternalSchemaForGetById = KmsKeysSchema.extend({
    statusDetails: true,
    provider: true
  }).extend({
-    providerInput: ExternalKmsAwsSchema
+    // for GCP, we don't return the credential object as it is sensitive data that should not be exposed
    providerInput: z.union([ExternalKmsAwsSchema, ExternalKmsGcpSchema.pick({ gcpRegion: true, keyName: true })])
  })
 });
@ -286,4 +293,67 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
      return { externalKms };
    }
  });
  server.route({
    method: "POST",
    url: "/gcp/keys",
    config: {
      rateLimit: writeLimit
    },
    schema: {
      body: z.discriminatedUnion("authMethod", [
        z.object({
          authMethod: z.literal(KmsGcpKeyFetchAuthType.Credential),
          region: z.string().trim().min(1),
          credential: ExternalKmsGcpCredentialSchema
        }),
        z.object({
          authMethod: z.literal(KmsGcpKeyFetchAuthType.Kms),
          region: z.string().trim().min(1),
          kmsId: z.string().trim().min(1)
        })
      ]),
      response: {
        200: z.object({
          keys: z.string().array()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const { region, authMethod } = req.body;
      let credentialJson: TExternalKmsGcpCredentialSchema | undefined;
      if (authMethod === KmsGcpKeyFetchAuthType.Credential) {
        credentialJson = req.body.credential;
      } else if (authMethod === KmsGcpKeyFetchAuthType.Kms) {
        const externalKms = await server.services.externalKms.findById({
          actor: req.permission.type,
          actorId: req.permission.id,
          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          id: req.body.kmsId
        });
        if (!externalKms || externalKms.external.provider !== KmsProviders.Gcp) {
          throw new NotFoundError({ message: "KMS not found or not of type GCP" });
        }
        credentialJson = externalKms.external.providerInput.credential as TExternalKmsGcpCredentialSchema;
      }
      if (!credentialJson) {
        throw new NotFoundError({
          message: "Something went wrong while fetching the GCP credential, please check inputs and try again"
        });
      }
      const results = await server.services.externalKms.fetchGcpKeys({
        credential: credentialJson,
        gcpRegion: region
      });
      return results;
    }
  });
 };
--- a/backend/src/ee/routes/v1/group-router.ts
+++ b/backend/src/ee/routes/v1/group-router.ts
@ -1,8 +1,9 @@
 import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 import { GroupsSchema, OrgMembershipRole, UsersSchema } from "@app/db/schemas";
 import { EFilterReturnedUsers } from "@app/ee/services/group/group-types";
 import { GROUPS } from "@app/lib/api-docs";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -14,15 +15,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    schema: {
      body: z.object({
        name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
-        slug: z
+        slug: slugSchema({ min: 5, max: 36 }).optional().describe(GROUPS.CREATE.slug),
          .string()
          .min(5)
          .max(36)
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid slug"
          })
          .optional()
          .describe(GROUPS.CREATE.slug),
        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess).describe(GROUPS.CREATE.role)
      }),
      response: {
@ -100,14 +93,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
      body: z
        .object({
          name: z.string().trim().min(1).describe(GROUPS.UPDATE.name),
-          slug: z
+          slug: slugSchema({ min: 5, max: 36 }).describe(GROUPS.UPDATE.slug),
            .string()
            .min(5)
            .max(36)
            .refine((v) => slugify(v) === v, {
              message: "Slug must be a valid slug"
            })
            .describe(GROUPS.UPDATE.slug),
          role: z.string().trim().min(1).describe(GROUPS.UPDATE.role)
        })
        .partial(),
@ -165,7 +151,9 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
      querystring: z.object({
        offset: z.coerce.number().min(0).max(100).default(0).describe(GROUPS.LIST_USERS.offset),
        limit: z.coerce.number().min(1).max(100).default(10).describe(GROUPS.LIST_USERS.limit),
-        username: z.string().optional().describe(GROUPS.LIST_USERS.username)
+        username: z.string().trim().optional().describe(GROUPS.LIST_USERS.username),
        search: z.string().trim().optional().describe(GROUPS.LIST_USERS.search),
        filter: z.nativeEnum(EFilterReturnedUsers).optional().describe(GROUPS.LIST_USERS.filterUsers)
      }),
      response: {
        200: z.object({
@ -178,7 +166,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
          })
            .merge(
              z.object({
-                isPartOfGroup: z.boolean()
+                isPartOfGroup: z.boolean(),
                joinedGroupAt: z.date().nullable()
              })
            )
            .array(),
--- a/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
@ -1,13 +1,14 @@
 import { packRules } from "@casl/ability/extra";
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { backfillPermissionV1SchemaToV2Schema } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import {
  ProjectPermissionSchema,
@ -33,17 +34,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      body: z.object({
        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.identityId),
        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.projectSlug),
-        slug: z
+        slug: slugSchema({ min: 1, max: 60 }).optional().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
          .string()
          .min(1)
          .max(60)
          .trim()
          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid slug"
          })
          .optional()
          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
        permissions: ProjectPermissionSchema.array()
          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
          .optional(),
@ -77,9 +68,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        ...req.body,
-        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
+        slug: req.body.slug ?? slugify(alphaNumericNanoId(12)),
        isTemporary: false,
-        permissions: JSON.stringify(packRules(permission))
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
        // @ts-ignore-error this is valid ts
        permissions: backfillPermissionV1SchemaToV2Schema(permission)
      });
      return { privilege };
    }
@ -101,17 +94,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      body: z.object({
        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.identityId),
        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.projectSlug),
-        slug: z
+        slug: slugSchema({ min: 1, max: 60 }).optional().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
          .string()
          .min(1)
          .max(60)
          .trim()
          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid slug"
          })
          .optional()
          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
        permissions: ProjectPermissionSchema.array()
          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
          .optional(),
@ -157,9 +140,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        ...req.body,
-        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
+        slug: req.body.slug ?? slugify(alphaNumericNanoId(12)),
        isTemporary: true,
-        permissions: JSON.stringify(packRules(permission))
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
        // @ts-ignore-error this is valid ts
        permissions: backfillPermissionV1SchemaToV2Schema(permission)
      });
      return { privilege };
    }
@ -185,16 +170,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.projectSlug),
        privilegeDetails: z
          .object({
-            slug: z
+            slug: slugSchema({ min: 1, max: 60 }).describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
              .string()
              .min(1)
              .max(60)
              .trim()
              .refine((val) => val.toLowerCase() === val, "Must be lowercase")
              .refine((v) => slugify(v) === v, {
                message: "Slug must be a valid slug"
              })
              .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
            permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
            privilegePermission: ProjectSpecificPrivilegePermissionSchema.describe(
              IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.privilegePermission
@ -244,7 +220,13 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
        projectSlug: req.body.projectSlug,
        data: {
          ...updatedInfo,
-          permissions: permission ? JSON.stringify(packRules(permission)) : undefined
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore-error this is valid ts
          permissions: permission
            ? // eslint-disable-next-line @typescript-eslint/ban-ts-comment
              // @ts-ignore-error this is valid ts
              backfillPermissionV1SchemaToV2Schema(permission)
            : undefined
        }
      });
      return { privilege };
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -1,3 +1,5 @@
 import { registerProjectTemplateRouter } from "@app/ee/routes/v1/project-template-router";
 import { registerAccessApprovalPolicyRouter } from "./access-approval-policy-router";
 import { registerAccessApprovalRequestRouter } from "./access-approval-request-router";
 import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
@ -20,9 +22,13 @@ import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-rou
 import { registerSecretApprovalRequestRouter } from "./secret-approval-request-router";
 import { registerSecretRotationProviderRouter } from "./secret-rotation-provider-router";
 import { registerSecretRotationRouter } from "./secret-rotation-router";
 import { registerSecretRouter } from "./secret-router";
 import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 import { registerSnapshotRouter } from "./snapshot-router";
 import { registerSshCaRouter } from "./ssh-certificate-authority-router";
 import { registerSshCertRouter } from "./ssh-certificate-router";
 import { registerSshCertificateTemplateRouter } from "./ssh-certificate-template-router";
 import { registerTrustedIpRouter } from "./trusted-ip-router";
 import { registerUserAdditionalPrivilegeRouter } from "./user-additional-privilege-router";
@ -66,6 +72,15 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
    { prefix: "/pki" }
  );
  await server.register(
    async (sshRouter) => {
      await sshRouter.register(registerSshCaRouter, { prefix: "/ca" });
      await sshRouter.register(registerSshCertRouter, { prefix: "/certificates" });
      await sshRouter.register(registerSshCertificateTemplateRouter, { prefix: "/certificate-templates" });
    },
    { prefix: "/ssh" }
  );
  await server.register(
    async (ssoRouter) => {
      await ssoRouter.register(registerSamlRouter);
@ -78,12 +93,13 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  await server.register(registerLdapRouter, { prefix: "/ldap" });
  await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
  await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
  await server.register(registerSecretRouter, { prefix: "/secrets" });
  await server.register(registerSecretVersionRouter, { prefix: "/secret" });
  await server.register(registerGroupRouter, { prefix: "/groups" });
  await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });
  await server.register(registerUserAdditionalPrivilegeRouter, { prefix: "/user-project-additional-privilege" });
  await server.register(
    async (privilegeRouter) => {
      await privilegeRouter.register(registerUserAdditionalPrivilegeRouter, { prefix: "/users" });
      await privilegeRouter.register(registerIdentityProjectAdditionalPrivilegeRouter, { prefix: "/identity" });
    },
    { prefix: "/additional-privilege" }
@ -92,4 +108,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  await server.register(registerExternalKmsRouter, {
    prefix: "/external-kms"
  });
  await server.register(registerProjectTemplateRouter, { prefix: "/project-templates" });
 };
--- a/backend/src/ee/routes/v1/oidc-router.ts
+++ b/backend/src/ee/routes/v1/oidc-router.ts
@ -9,7 +9,6 @@
 import { Authenticator, Strategy } from "@fastify/passport";
 import fastifySession from "@fastify/session";
 import RedisStore from "connect-redis";
 import { Redis } from "ioredis";
 import { z } from "zod";
 import { OidcConfigsSchema } from "@app/db/schemas/oidc-configs";
@ -21,7 +20,6 @@ import { AuthMode } from "@app/services/auth/auth-type";
 export const registerOidcRouter = async (server: FastifyZodProvider) => {
  const appCfg = getConfig();
  const redis = new Redis(appCfg.REDIS_URL);
  const passport = new Authenticator({ key: "oidc", userProperty: "passportUser" });
  /*
@ -30,7 +28,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
  - Fastify session <> Redis structure is based on the ff: https://github.com/fastify/session/blob/master/examples/redis.js
  */
  const redisStore = new RedisStore({
-    client: redis,
+    client: server.redis,
    prefix: "oidc-session:",
    ttl: 600 // 10 minutes
  });
@ -155,7 +153,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          discoveryURL: true,
          isActive: true,
          orgId: true,
-          allowedEmailDomains: true
+          allowedEmailDomains: true,
          manageGroupMemberships: true
        }).extend({
          clientId: z.string(),
          clientSecret: z.string()
@ -209,7 +208,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          userinfoEndpoint: z.string().trim(),
          clientId: z.string().trim(),
          clientSecret: z.string().trim(),
-          isActive: z.boolean()
+          isActive: z.boolean(),
          manageGroupMemberships: z.boolean().optional()
        })
        .partial()
        .merge(z.object({ orgSlug: z.string() })),
@ -225,7 +225,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          userinfoEndpoint: true,
          orgId: true,
          allowedEmailDomains: true,
-          isActive: true
+          isActive: true,
          manageGroupMemberships: true
        })
      }
    },
@ -274,7 +275,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          clientId: z.string().trim(),
          clientSecret: z.string().trim(),
          isActive: z.boolean(),
-          orgSlug: z.string().trim()
+          orgSlug: z.string().trim(),
          manageGroupMemberships: z.boolean().optional().default(false)
        })
        .superRefine((data, ctx) => {
          if (data.configurationType === OIDCConfigurationType.CUSTOM) {
@ -336,7 +338,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          userinfoEndpoint: true,
          orgId: true,
          isActive: true,
-          allowedEmailDomains: true
+          allowedEmailDomains: true,
          manageGroupMemberships: true
        })
      }
    },
@ -352,4 +355,25 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
      return oidc;
    }
  });
  server.route({
    method: "GET",
    url: "/manage-group-memberships",
    schema: {
      querystring: z.object({
        orgId: z.string().trim().min(1, "Org ID is required")
      }),
      response: {
        200: z.object({
          isEnabled: z.boolean()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const isEnabled = await server.services.oidc.isOidcManageGroupMembershipsEnabled(req.query.orgId, req.permission);
      return { isEnabled };
    }
  });
 };
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@ -1,8 +1,8 @@
 import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 import { OrgMembershipRole, OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -18,19 +18,13 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        organizationId: z.string().trim()
      }),
      body: z.object({
-        slug: z
+        slug: slugSchema({ min: 1, max: 64 }).refine(
-          .string()
+          (val) => !Object.values(OrgMembershipRole).includes(val as OrgMembershipRole),
-          .min(1)
+          "Please choose a different slug, the slug you have entered is reserved"
-          .trim()
+        ),
          .refine(
            (val) => !Object.values(OrgMembershipRole).includes(val as OrgMembershipRole),
            "Please choose a different slug, the slug you have entered is reserved"
          )
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid"
          }),
        name: z.string().trim(),
-        description: z.string().trim().optional(),
+        description: z.string().trim().nullish(),
        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array()
        permissions: z.any().array()
      }),
      response: {
@ -94,19 +88,16 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        roleId: z.string().trim()
      }),
      body: z.object({
-        slug: z
+        // TODO: Switch to slugSchema after verifying correct methods with Akhil - Omar 11/24
-          .string()
+        slug: slugSchema({ min: 1, max: 64 })
          .trim()
          .optional()
          .refine(
-            (val) => typeof val !== "undefined" && !Object.keys(OrgMembershipRole).includes(val),
+            (val) => !Object.keys(OrgMembershipRole).includes(val),
            "Please choose a different slug, the slug you have entered is reserved."
          )
-          .refine((val) => typeof val === "undefined" || slugify(val) === val, {
+          .optional(),
            message: "Slug must be a valid"
          }),
        name: z.string().trim().optional(),
-        description: z.string().trim().optional(),
+        description: z.string().trim().nullish(),
        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array().optional()
        permissions: z.any().array().optional()
      }),
      response: {
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@ -1,14 +1,18 @@
 import { packRules } from "@casl/ability/extra";
 import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 import { ProjectMembershipRole, ProjectMembershipsSchema, ProjectRolesSchema } from "@app/db/schemas";
-import { ProjectPermissionSchema } from "@app/ee/services/permission/project-permission";
+import {
  backfillPermissionV1SchemaToV2Schema,
  ProjectPermissionV1Schema
 } from "@app/ee/services/permission/project-permission";
 import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
+import { SanitizedRoleSchemaV1 } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectRoleServiceIdentifierType } from "@app/services/project-role/project-role-types";
 export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
@ -28,26 +32,19 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        projectSlug: z.string().trim().describe(PROJECT_ROLE.CREATE.projectSlug)
      }),
      body: z.object({
-        slug: z
+        slug: slugSchema({ max: 64 })
          .string()
          .toLowerCase()
          .trim()
          .min(1)
          .refine(
            (val) => !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
            "Please choose a different slug, the slug you have entered is reserved"
          )
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid"
          })
          .describe(PROJECT_ROLE.CREATE.slug),
        name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
+        description: z.string().trim().nullish().describe(PROJECT_ROLE.CREATE.description),
-        permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.CREATE.permissions)
+        permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
      }),
      response: {
        200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchemaV1
        })
      }
    },
@ -58,12 +55,16 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
-        projectSlug: req.params.projectSlug,
+        filter: {
          type: ProjectRoleServiceIdentifierType.SLUG,
          projectSlug: req.params.projectSlug
        },
        data: {
          ...req.body,
-          permissions: JSON.stringify(packRules(req.body.permissions))
+          permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(req.body.permissions, true)))
        }
      });
      return { role };
    }
  });
@ -86,28 +87,20 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        roleId: z.string().trim().describe(PROJECT_ROLE.UPDATE.roleId)
      }),
      body: z.object({
-        slug: z
+        slug: slugSchema({ max: 64 })
          .string()
          .toLowerCase()
          .trim()
          .optional()
          .describe(PROJECT_ROLE.UPDATE.slug)
          .refine(
-            (val) =>
+            (val) => !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
              typeof val === "undefined" ||
              !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
            "Please choose a different slug, the slug you have entered is reserved"
          )
-          .refine((val) => typeof val === "undefined" || slugify(val) === val, {
+          .describe(PROJECT_ROLE.UPDATE.slug)
-            message: "Slug must be a valid"
+          .optional(),
          }),
        name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
+        description: z.string().trim().nullish().describe(PROJECT_ROLE.UPDATE.description),
-        permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
+        permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
      }),
      response: {
        200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchemaV1
        })
      }
    },
@ -118,11 +111,12 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
        projectSlug: req.params.projectSlug,
        roleId: req.params.roleId,
        data: {
          ...req.body,
-          permissions: req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined
+          permissions: req.body.permissions
            ? JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(req.body.permissions, true)))
            : undefined
        }
      });
      return { role };
@ -148,7 +142,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchemaV1
        })
      }
    },
@ -159,7 +153,6 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
        projectSlug: req.params.projectSlug,
        roleId: req.params.roleId
      });
      return { role };
@ -184,7 +177,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          roles: ProjectRolesSchema.omit({ permissions: true }).array()
+          roles: ProjectRolesSchema.omit({ permissions: true, version: true }).array()
        })
      }
    },
@ -195,7 +188,10 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
-        projectSlug: req.params.projectSlug
+        filter: {
          type: ProjectRoleServiceIdentifierType.SLUG,
          projectSlug: req.params.projectSlug
        }
      });
      return { roles };
    }
@ -214,7 +210,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchemaV1.omit({ version: true })
        })
      }
    },
@ -225,9 +221,13 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
-        projectSlug: req.params.projectSlug,
+        filter: {
          type: ProjectRoleServiceIdentifierType.SLUG,
          projectSlug: req.params.projectSlug
        },
        roleSlug: req.params.slug
      });
      return { role };
    }
  });
--- a/Show More
+++ b/Show More