misc: updated admin integration picture

misc: added tabs for admin integrations
misc: add auto-sync after config update
2025-06-29 04:31:59 +00:00 · 2025-06-23 14:12:54 +00:00 · 2025-06-23 22:05:08 +08:00 · 2025-06-21 02:57:34 +08:00 · 2025-06-21 02:41:39 +08:00 · 2025-06-21 02:41:15 +08:00
903 changed files with 37294 additions and 4259 deletions
--- a/.github/workflows/check-non-re2-regex.yml
+++ b/.github/workflows/check-non-re2-regex.yml
@ -0,0 +1,53 @@
+name: Detect Non-RE2 Regex
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  check-non-re2-regex:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get diff of backend/*
+        run: |
+          git diff --unified=0 "origin/${{ github.base_ref }}"...HEAD -- backend/ > diff.txt
+
+      - name: Scan backend diff for non-RE2 regex
+        run: |
+          # Extract only added lines (excluding file headers)
+          grep '^+' diff.txt | grep -v '^+++' | sed 's/^\+//' > added_lines.txt
+
+          if [ ! -s added_lines.txt ]; then
+            echo "✅ No added lines in backend/ to check for regex usage."
+            exit 0
+          fi
+
+          regex_usage_pattern='(^|[^A-Za-z0-9_"'"'"'`\.\/\\])(\/(?:\\.|[^\/\n\\])+\/[gimsuyv]*(?=\s*[\.\(;,)\]}:]|$)|new RegExp\()'
+
+          # Find all added lines that contain regex patterns
+          if grep -E "$regex_usage_pattern" added_lines.txt > potential_violations.txt 2>/dev/null; then
+            # Filter out lines that contain 'new RE2' (allowing for whitespace variations)
+            if grep -v -E 'new\s+RE2\s*\(' potential_violations.txt > actual_violations.txt 2>/dev/null && [ -s actual_violations.txt ]; then
+              echo "🚨 ERROR: Found forbidden regex pattern in added/modified backend code."
+              echo ""
+              echo "The following lines use raw regex literals (/.../) or new RegExp(...):"
+              echo "Please replace with 'new RE2(...)' for RE2 compatibility."
+              echo ""
+              echo "Offending lines:"
+              cat actual_violations.txt
+              exit 1
+            else
+              echo "✅ All identified regex usages are correctly using 'new RE2(...)'."
+            fi
+          else
+            echo "✅ No regex patterns found in added/modified backend lines."
+          fi
+
+      - name: Cleanup temporary files
+        if: always()
+        run: |
+          rm -f diff.txt added_lines.txt potential_violations.txt actual_violations.txt
--- a/.github/workflows/helm-release-infisical-core.yml
+++ b/.github/workflows/helm-release-infisical-core.yml
@ -3,7 +3,62 @@ name: Release Infisical Core Helm chart
 on: [workflow_dispatch]

 jobs:
+  test-helm:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: v3.17.0
+
+      - uses: actions/setup-python@v5.3.0
+        with:
+          python-version: "3.x"
+          check-latest: true
+
+      - name: Add Helm repositories
+        run: |
+          helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo update
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml --charts helm-charts/infisical-standalone-postgres
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Create namespace
+        run: kubectl create namespace infisical-standalone-postgres
+
+      - name: Create Infisical secrets
+        run: |
+          kubectl create secret generic infisical-secrets \
+            --namespace infisical-standalone-postgres \
+            --from-literal=AUTH_SECRET=6c1fe4e407b8911c104518103505b218 \
+            --from-literal=ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218 \
+            --from-literal=SITE_URL=http://localhost:8080
+
+      - name: Run chart-testing (install)
+        run: |
+          ct install \
+            --config ct.yaml \
+            --charts helm-charts/infisical-standalone-postgres \
+            --helm-extra-args="--timeout=300s" \
+            --helm-extra-set-args="--set ingress.nginx.enabled=false --set infisical.autoDatabaseSchemaMigration=false --set infisical.replicaCount=1 --set infisical.image.tag=v0.132.2-postgres" \
+            --namespace infisical-standalone-postgres
+
  release:
+    needs: test-helm
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@ -19,4 +74,4 @@ jobs:
      - name: Build and push helm package to Cloudsmith
        run: cd helm-charts && sh upload-infisical-core-helm-cloudsmith.sh
        env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/release-k8-operator-helm.yml
+++ b/.github/workflows/release-k8-operator-helm.yml
@ -1,27 +1,59 @@
 name: Release K8 Operator Helm Chart
 on:
-    workflow_dispatch:
+  workflow_dispatch:

 jobs:
-    release-helm:
-        name: Release Helm Chart
-        runs-on: ubuntu-latest
-        steps:
-            - name: Checkout
-              uses: actions/checkout@v2
+  test-helm:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0

-            - name: Install Helm
-              uses: azure/setup-helm@v3
-              with:
-                  version: v3.10.0
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: v3.17.0

-            - name: Install python
-              uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5.3.0
+        with:
+          python-version: "3.x"
+          check-latest: true

-            - name: Install Cloudsmith CLI
-              run: pip install --upgrade cloudsmith-cli
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0

-            - name: Build and push helm package to CloudSmith
-              run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
-              env:
-                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml --charts helm-charts/secrets-operator
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Run chart-testing (install)
+        run: ct install --config ct.yaml --charts helm-charts/secrets-operator
+
+  release-helm:
+    name: Release Helm Chart
+    needs: test-helm
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+
+      - name: Install python
+        uses: actions/setup-python@v4
+
+      - name: Install Cloudsmith CLI
+        run: pip install --upgrade cloudsmith-cli
+
+      - name: Build and push helm package to CloudSmith
+        run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/release_helm_gateway.yaml
+++ b/.github/workflows/release_helm_gateway.yaml
@ -1,27 +1,70 @@
 name: Release Gateway Helm Chart
 on:
-    workflow_dispatch:
+  workflow_dispatch:

 jobs:
-    release-helm:
-        name: Release Helm Chart
-        runs-on: ubuntu-latest
-        steps:
-            - name: Checkout
-              uses: actions/checkout@v4
+  test-helm:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0

-            - name: Install Helm
-              uses: azure/setup-helm@v3
-              with:
-                  version: v3.10.0
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: v3.17.0

-            - name: Install python
-              uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5.3.0
+        with:
+          python-version: "3.x"
+          check-latest: true

-            - name: Install Cloudsmith CLI
-              run: pip install --upgrade cloudsmith-cli
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0

-            - name: Build and push helm package to CloudSmith
-              run: cd helm-charts && sh upload-gateway-cloudsmith.sh
-              env:
-                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml --charts helm-charts/infisical-gateway
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Create namespace
+        run: kubectl create namespace infisical-gateway
+
+      - name: Create gateway secret
+        run: kubectl create secret generic infisical-gateway-environment --from-literal=TOKEN=my-test-token -n infisical-gateway
+
+      - name: Run chart-testing (install)
+        run: |
+          ct install \
+            --config ct.yaml \
+            --charts helm-charts/infisical-gateway \
+            --helm-extra-args="--timeout=300s" \
+            --namespace infisical-gateway
+
+  release-helm:
+    name: Release Helm Chart
+    needs: test-helm
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+
+      - name: Install python
+        uses: actions/setup-python@v4
+
+      - name: Install Cloudsmith CLI
+        run: pip install --upgrade cloudsmith-cli
+
+      - name: Build and push helm package to CloudSmith
+        run: cd helm-charts && sh upload-gateway-cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/run-helm-chart-tests-infisical-gateway.yml
+++ b/.github/workflows/run-helm-chart-tests-infisical-gateway.yml
@ -0,0 +1,49 @@
+name: Run Helm Chart Tests for Gateway
+on:
+  pull_request:
+    paths:
+      - "helm-charts/infisical-gateway/**"
+      - ".github/workflows/run-helm-chart-tests-infisical-gateway.yml"
+
+jobs:
+  test-helm:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: v3.17.0
+
+      - uses: actions/setup-python@v5.3.0
+        with:
+          python-version: "3.x"
+          check-latest: true
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml --charts helm-charts/infisical-gateway
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Create namespace
+        run: kubectl create namespace infisical-gateway
+
+      - name: Create gateway secret
+        run: kubectl create secret generic infisical-gateway-environment --from-literal=TOKEN=my-test-token -n infisical-gateway
+
+      - name: Run chart-testing (install)
+        run: |
+          ct install \
+            --config ct.yaml \
+            --charts helm-charts/infisical-gateway \
+            --helm-extra-args="--timeout=300s" \
+            --namespace infisical-gateway
--- a/.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml
+++ b/.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml
@ -0,0 +1,61 @@
+name: Run Helm Chart Tests for Infisical Standalone Postgres
+on:
+  pull_request:
+    paths:
+      - "helm-charts/infisical-standalone-postgres/**"
+      - ".github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml"
+
+jobs:
+  test-helm:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: v3.17.0
+
+      - uses: actions/setup-python@v5.3.0
+        with:
+          python-version: "3.x"
+          check-latest: true
+
+      - name: Add Helm repositories
+        run: |
+          helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo update
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml --charts helm-charts/infisical-standalone-postgres
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Create namespace
+        run: kubectl create namespace infisical-standalone-postgres
+
+      - name: Create Infisical secrets
+        run: |
+          kubectl create secret generic infisical-secrets \
+            --namespace infisical-standalone-postgres \
+            --from-literal=AUTH_SECRET=6c1fe4e407b8911c104518103505b218 \
+            --from-literal=ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218 \
+            --from-literal=SITE_URL=http://localhost:8080
+
+      - name: Run chart-testing (install)
+        run: |
+          ct install \
+            --config ct.yaml \
+            --charts helm-charts/infisical-standalone-postgres \
+            --helm-extra-args="--timeout=300s" \
+            --helm-extra-set-args="--set ingress.nginx.enabled=false --set infisical.autoDatabaseSchemaMigration=false --set infisical.replicaCount=1 --set infisical.image.tag=v0.132.2-postgres" \
+            --namespace infisical-standalone-postgres
--- a/.github/workflows/run-helm-chart-tests-secret-operator.yml
+++ b/.github/workflows/run-helm-chart-tests-secret-operator.yml
@ -0,0 +1,38 @@
+name: Run Helm Chart Tests for Secret Operator
+on:
+  pull_request:
+    paths:
+      - "helm-charts/secrets-operator/**"
+      - ".github/workflows/run-helm-chart-tests-secret-operator.yml"
+
+jobs:
+  test-helm:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: v3.17.0
+
+      - uses: actions/setup-python@v5.3.0
+        with:
+          python-version: "3.x"
+          check-latest: true
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml --charts helm-charts/secrets-operator
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Run chart-testing (install)
+        run: ct install --config ct.yaml --charts helm-charts/secrets-operator
--- a/.infisicalignore
+++ b/.infisicalignore
@ -40,4 +40,8 @@ cli/detect/config/gitleaks.toml:gcp-api-key:578
 cli/detect/config/gitleaks.toml:gcp-api-key:579
 cli/detect/config/gitleaks.toml:gcp-api-key:581
 cli/detect/config/gitleaks.toml:gcp-api-key:582
+.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml:generic-api-key:51
+.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml:generic-api-key:50
+.github/workflows/helm-release-infisical-core.yml:generic-api-key:48
+.github/workflows/helm-release-infisical-core.yml:generic-api-key:47
 backend/src/services/smtp/smtp-service.ts:generic-api-key:79
--- a/backend/scripts/generate-schema-types.ts
+++ b/backend/scripts/generate-schema-types.ts
@ -84,6 +84,11 @@ const getZodDefaultValue = (type: unknown, value: string | number | boolean | Ob
  }
 };

+const bigIntegerColumns: Record<string, string[]> = {
+  "folder_commits": ["commitId"]
+};
+
+
 const main = async () => {
  const tables = (
    await db("information_schema.tables")
@ -108,6 +113,9 @@ const main = async () => {
      const columnName = columnNames[colNum];
      const colInfo = columns[columnName];
      let ztype = getZodPrimitiveType(colInfo.type);
+      if (bigIntegerColumns[tableName]?.includes(columnName)) {
+        ztype = "z.coerce.bigint()";
+      }
      if (["zodBuffer"].includes(ztype)) {
        zodImportSet.add(ztype);
      }
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -3,13 +3,12 @@ import "fastify";
 import { Redis } from "ioredis";

 import { TUsers } from "@app/db/schemas";
-import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
-import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
-import { TAssumePrivilegeServiceFactory } from "@app/ee/services/assume-privilege/assume-privilege-service";
-import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
-import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
-import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-service";
-import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-service";
+import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-types";
+import { TAssumePrivilegeServiceFactory } from "@app/ee/services/assume-privilege/assume-privilege-types";
+import { TAuditLogServiceFactory, TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
+import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-types";
+import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-types";
 import { TCertificateEstServiceFactory } from "@app/ee/services/certificate-est/certificate-est-service";
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
@ -25,13 +24,13 @@ import { TKmipServiceFactory } from "@app/ee/services/kmip/kmip-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { TProjectTemplateServiceFactory } from "@app/ee/services/project-template/project-template-service";
-import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
-import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
-import { RateLimitConfiguration } from "@app/ee/services/rate-limit/rate-limit-types";
-import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
-import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
+import { TPitServiceFactory } from "@app/ee/services/pit/pit-service";
+import { TProjectTemplateServiceFactory } from "@app/ee/services/project-template/project-template-types";
+import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-types";
+import { RateLimitConfiguration, TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-types";
+import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-types";
+import { TScimServiceFactory } from "@app/ee/services/scim/scim-types";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
 import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-service";
 import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
@ -43,7 +42,7 @@ import { TSshCertificateAuthorityServiceFactory } from "@app/ee/services/ssh/ssh
 import { TSshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-service";
 import { TSshHostServiceFactory } from "@app/ee/services/ssh-host/ssh-host-service";
 import { TSshHostGroupServiceFactory } from "@app/ee/services/ssh-host-group/ssh-host-group-service";
-import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
+import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-types";
 import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
 import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
@ -59,10 +58,12 @@ import { TCertificateTemplateServiceFactory } from "@app/services/certificate-te
 import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
+import { TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { THsmServiceFactory } from "@app/services/hsm/hsm-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
+import { TIdentityAliCloudAuthServiceFactory } from "@app/services/identity-alicloud-auth/identity-alicloud-auth-service";
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
@ -119,6 +120,10 @@ declare module "@fastify/request-context" {
      oidc?: {
        claims: Record<string, string>;
      };
+      kubernetes?: {
+        namespace: string;
+        name: string;
+      };
    };
    identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
    assumedPrivilegeDetails?: { requesterId: string; actorId: string; actorType: ActorType; projectId: string };
@ -212,6 +217,7 @@ declare module "fastify" {
      identityUa: TIdentityUaServiceFactory;
      identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
      identityGcpAuth: TIdentityGcpAuthServiceFactory;
+      identityAliCloudAuth: TIdentityAliCloudAuthServiceFactory;
      identityAwsAuth: TIdentityAwsAuthServiceFactory;
      identityAzureAuth: TIdentityAzureAuthServiceFactory;
      identityOciAuth: TIdentityOciAuthServiceFactory;
@ -272,6 +278,8 @@ declare module "fastify" {
      microsoftTeams: TMicrosoftTeamsServiceFactory;
      assumePrivileges: TAssumePrivilegeServiceFactory;
      githubOrgSync: TGithubOrgSyncServiceFactory;
+      folderCommit: TFolderCommitServiceFactory;
+      pit: TPitServiceFactory;
      secretScanningV2: TSecretScanningV2ServiceFactory;
      internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
      pkiTemplate: TPkiTemplatesServiceFactory;
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -80,6 +80,24 @@ import {
  TExternalKms,
  TExternalKmsInsert,
  TExternalKmsUpdate,
+  TFolderCheckpointResources,
+  TFolderCheckpointResourcesInsert,
+  TFolderCheckpointResourcesUpdate,
+  TFolderCheckpoints,
+  TFolderCheckpointsInsert,
+  TFolderCheckpointsUpdate,
+  TFolderCommitChanges,
+  TFolderCommitChangesInsert,
+  TFolderCommitChangesUpdate,
+  TFolderCommits,
+  TFolderCommitsInsert,
+  TFolderCommitsUpdate,
+  TFolderTreeCheckpointResources,
+  TFolderTreeCheckpointResourcesInsert,
+  TFolderTreeCheckpointResourcesUpdate,
+  TFolderTreeCheckpoints,
+  TFolderTreeCheckpointsInsert,
+  TFolderTreeCheckpointsUpdate,
  TGateways,
  TGatewaysInsert,
  TGatewaysUpdate,
@ -107,6 +125,9 @@ import {
  TIdentityAccessTokens,
  TIdentityAccessTokensInsert,
  TIdentityAccessTokensUpdate,
+  TIdentityAlicloudAuths,
+  TIdentityAlicloudAuthsInsert,
+  TIdentityAlicloudAuthsUpdate,
  TIdentityAwsAuths,
  TIdentityAwsAuthsInsert,
  TIdentityAwsAuthsUpdate,
@ -768,6 +789,11 @@ declare module "knex/types/tables" {
      TIdentityGcpAuthsInsert,
      TIdentityGcpAuthsUpdate
    >;
+    [TableName.IdentityAliCloudAuth]: KnexOriginal.CompositeTableType<
+      TIdentityAlicloudAuths,
+      TIdentityAlicloudAuthsInsert,
+      TIdentityAlicloudAuthsUpdate
+    >;
    [TableName.IdentityAwsAuth]: KnexOriginal.CompositeTableType<
      TIdentityAwsAuths,
      TIdentityAwsAuthsInsert,
@ -1122,6 +1148,36 @@ declare module "knex/types/tables" {
      TGithubOrgSyncConfigsInsert,
      TGithubOrgSyncConfigsUpdate
    >;
+    [TableName.FolderCommit]: KnexOriginal.CompositeTableType<
+      TFolderCommits,
+      TFolderCommitsInsert,
+      TFolderCommitsUpdate
+    >;
+    [TableName.FolderCommitChanges]: KnexOriginal.CompositeTableType<
+      TFolderCommitChanges,
+      TFolderCommitChangesInsert,
+      TFolderCommitChangesUpdate
+    >;
+    [TableName.FolderCheckpoint]: KnexOriginal.CompositeTableType<
+      TFolderCheckpoints,
+      TFolderCheckpointsInsert,
+      TFolderCheckpointsUpdate
+    >;
+    [TableName.FolderCheckpointResources]: KnexOriginal.CompositeTableType<
+      TFolderCheckpointResources,
+      TFolderCheckpointResourcesInsert,
+      TFolderCheckpointResourcesUpdate
+    >;
+    [TableName.FolderTreeCheckpoint]: KnexOriginal.CompositeTableType<
+      TFolderTreeCheckpoints,
+      TFolderTreeCheckpointsInsert,
+      TFolderTreeCheckpointsUpdate
+    >;
+    [TableName.FolderTreeCheckpointResources]: KnexOriginal.CompositeTableType<
+      TFolderTreeCheckpointResources,
+      TFolderTreeCheckpointResourcesInsert,
+      TFolderTreeCheckpointResourcesUpdate
+    >;
    [TableName.SecretScanningDataSource]: KnexOriginal.CompositeTableType<
      TSecretScanningDataSources,
      TSecretScanningDataSourcesInsert,
--- a/backend/src/db/instance.ts
+++ b/backend/src/db/instance.ts
@ -1,6 +1,6 @@
 import knex, { Knex } from "knex";

-export type TDbClient = ReturnType<typeof initDbConnection>;
+export type TDbClient = Knex;
 export const initDbConnection = ({
  dbConnectionUri,
  dbRootCert,
@ -50,6 +50,8 @@ export const initDbConnection = ({
          }
        : false
    },
+    // https://knexjs.org/guide/#pool
+    pool: { min: 0, max: 10 },
    migrations: {
      tableName: "infisical_migrations"
    }
@ -70,7 +72,8 @@ export const initDbConnection = ({
      },
      migrations: {
        tableName: "infisical_migrations"
-      }
+      },
+      pool: { min: 0, max: 10 }
    });
  });

--- a/backend/src/db/migrations/20250505194916_add-pit-revamp-tables.ts
+++ b/backend/src/db/migrations/20250505194916_add-pit-revamp-tables.ts
@ -0,0 +1,166 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
+  if (!hasFolderCommitTable) {
+    await knex.schema.createTable(TableName.FolderCommit, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.bigIncrements("commitId");
+      t.jsonb("actorMetadata").notNullable();
+      t.string("actorType").notNullable();
+      t.string("message");
+      t.uuid("folderId").notNullable();
+      t.uuid("envId").notNullable();
+      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderId");
+      t.index("envId");
+    });
+  }
+
+  const hasFolderCommitChangesTable = await knex.schema.hasTable(TableName.FolderCommitChanges);
+  if (!hasFolderCommitChangesTable) {
+    await knex.schema.createTable(TableName.FolderCommitChanges, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderCommitId").notNullable();
+      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
+      t.string("changeType").notNullable();
+      t.boolean("isUpdate").notNullable().defaultTo(false);
+      t.uuid("secretVersionId");
+      t.foreign("secretVersionId").references("id").inTable(TableName.SecretVersionV2).onDelete("CASCADE");
+      t.uuid("folderVersionId");
+      t.foreign("folderVersionId").references("id").inTable(TableName.SecretFolderVersion).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderCommitId");
+      t.index("secretVersionId");
+      t.index("folderVersionId");
+    });
+  }
+
+  const hasFolderCheckpointTable = await knex.schema.hasTable(TableName.FolderCheckpoint);
+  if (!hasFolderCheckpointTable) {
+    await knex.schema.createTable(TableName.FolderCheckpoint, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderCommitId").notNullable();
+      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderCommitId");
+    });
+  }
+
+  const hasFolderCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderCheckpointResources);
+  if (!hasFolderCheckpointResourcesTable) {
+    await knex.schema.createTable(TableName.FolderCheckpointResources, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderCheckpointId").notNullable();
+      t.foreign("folderCheckpointId").references("id").inTable(TableName.FolderCheckpoint).onDelete("CASCADE");
+      t.uuid("secretVersionId");
+      t.foreign("secretVersionId").references("id").inTable(TableName.SecretVersionV2).onDelete("CASCADE");
+      t.uuid("folderVersionId");
+      t.foreign("folderVersionId").references("id").inTable(TableName.SecretFolderVersion).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderCheckpointId");
+      t.index("secretVersionId");
+      t.index("folderVersionId");
+    });
+  }
+
+  const hasFolderTreeCheckpointTable = await knex.schema.hasTable(TableName.FolderTreeCheckpoint);
+  if (!hasFolderTreeCheckpointTable) {
+    await knex.schema.createTable(TableName.FolderTreeCheckpoint, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderCommitId").notNullable();
+      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderCommitId");
+    });
+  }
+
+  const hasFolderTreeCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderTreeCheckpointResources);
+  if (!hasFolderTreeCheckpointResourcesTable) {
+    await knex.schema.createTable(TableName.FolderTreeCheckpointResources, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderTreeCheckpointId").notNullable();
+      t.foreign("folderTreeCheckpointId").references("id").inTable(TableName.FolderTreeCheckpoint).onDelete("CASCADE");
+      t.uuid("folderId").notNullable();
+      t.uuid("folderCommitId").notNullable();
+      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderTreeCheckpointId");
+      t.index("folderId");
+      t.index("folderCommitId");
+    });
+  }
+
+  if (!hasFolderCommitTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderCommit);
+  }
+
+  if (!hasFolderCommitChangesTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderCommitChanges);
+  }
+
+  if (!hasFolderCheckpointTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderCheckpoint);
+  }
+
+  if (!hasFolderCheckpointResourcesTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderCheckpointResources);
+  }
+
+  if (!hasFolderTreeCheckpointTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderTreeCheckpoint);
+  }
+
+  if (!hasFolderTreeCheckpointResourcesTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderTreeCheckpointResources);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasFolderCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderCheckpointResources);
+  const hasFolderTreeCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderTreeCheckpointResources);
+  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
+  const hasFolderCommitChangesTable = await knex.schema.hasTable(TableName.FolderCommitChanges);
+  const hasFolderTreeCheckpointTable = await knex.schema.hasTable(TableName.FolderTreeCheckpoint);
+  const hasFolderCheckpointTable = await knex.schema.hasTable(TableName.FolderCheckpoint);
+
+  if (hasFolderTreeCheckpointResourcesTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderTreeCheckpointResources);
+    await knex.schema.dropTableIfExists(TableName.FolderTreeCheckpointResources);
+  }
+
+  if (hasFolderCheckpointResourcesTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderCheckpointResources);
+    await knex.schema.dropTableIfExists(TableName.FolderCheckpointResources);
+  }
+
+  if (hasFolderTreeCheckpointTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderTreeCheckpoint);
+    await knex.schema.dropTableIfExists(TableName.FolderTreeCheckpoint);
+  }
+
+  if (hasFolderCheckpointTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderCheckpoint);
+    await knex.schema.dropTableIfExists(TableName.FolderCheckpoint);
+  }
+
+  if (hasFolderCommitChangesTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderCommitChanges);
+    await knex.schema.dropTableIfExists(TableName.FolderCommitChanges);
+  }
+
+  if (hasFolderCommitTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderCommit);
+    await knex.schema.dropTableIfExists(TableName.FolderCommit);
+  }
+}
--- a/backend/src/db/migrations/20250528110936_add-folder-description-to-versioning.ts
+++ b/backend/src/db/migrations/20250528110936_add-folder-description-to-versioning.ts
@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SecretFolderVersion, "description"))) {
+    await knex.schema.alterTable(TableName.SecretFolderVersion, (t) => {
+      t.string("description").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretFolderVersion, "description")) {
+    await knex.schema.alterTable(TableName.SecretFolderVersion, (t) => {
+      t.dropColumn("description");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250602155451_fix-secret-versions.ts
+++ b/backend/src/db/migrations/20250602155451_fix-secret-versions.ts
@ -0,0 +1,139 @@
+/* eslint-disable no-await-in-loop */
+import { Knex } from "knex";
+
+import { chunkArray } from "@app/lib/fn";
+import { selectAllTableCols } from "@app/lib/knex";
+import { logger } from "@app/lib/logger";
+
+import { SecretType, TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  logger.info("Starting secret version fix migration");
+
+  // Get all shared secret IDs first to optimize versions query
+  const secretIds = await knex(TableName.SecretV2)
+    .where("type", SecretType.Shared)
+    .select("id")
+    .then((rows) => rows.map((row) => row.id));
+
+  logger.info(`Found ${secretIds.length} shared secrets to process`);
+
+  if (secretIds.length === 0) {
+    logger.info("No shared secrets found");
+    return;
+  }
+
+  const secretIdChunks = chunkArray(secretIds, 5000);
+
+  for (let chunkIndex = 0; chunkIndex < secretIdChunks.length; chunkIndex += 1) {
+    const currentSecretIds = secretIdChunks[chunkIndex];
+    logger.info(`Processing chunk ${chunkIndex + 1} of ${secretIdChunks.length}`);
+
+    // Get secrets and versions for current chunk
+    const [sharedSecrets, allVersions] = await Promise.all([
+      knex(TableName.SecretV2).whereIn("id", currentSecretIds).select(selectAllTableCols(TableName.SecretV2)),
+      knex(TableName.SecretVersionV2).whereIn("secretId", currentSecretIds).select("secretId", "version")
+    ]);
+
+    const versionsBySecretId = new Map<string, number[]>();
+
+    allVersions.forEach((v) => {
+      const versions = versionsBySecretId.get(v.secretId);
+      if (versions) {
+        versions.push(v.version);
+      } else {
+        versionsBySecretId.set(v.secretId, [v.version]);
+      }
+    });
+
+    const versionsToAdd = [];
+    const secretsToUpdate = [];
+
+    // Process each shared secret
+    for (const secret of sharedSecrets) {
+      const existingVersions = versionsBySecretId.get(secret.id) || [];
+
+      if (existingVersions.length === 0) {
+        // No versions exist - add current version
+        versionsToAdd.push({
+          secretId: secret.id,
+          version: secret.version,
+          key: secret.key,
+          encryptedValue: secret.encryptedValue,
+          encryptedComment: secret.encryptedComment,
+          reminderNote: secret.reminderNote,
+          reminderRepeatDays: secret.reminderRepeatDays,
+          skipMultilineEncoding: secret.skipMultilineEncoding,
+          metadata: secret.metadata,
+          folderId: secret.folderId,
+          actorType: "platform"
+        });
+      } else {
+        const latestVersion = Math.max(...existingVersions);
+
+        if (latestVersion !== secret.version) {
+          // Latest version doesn't match - create new version and update secret
+          const nextVersion = latestVersion + 1;
+
+          versionsToAdd.push({
+            secretId: secret.id,
+            version: nextVersion,
+            key: secret.key,
+            encryptedValue: secret.encryptedValue,
+            encryptedComment: secret.encryptedComment,
+            reminderNote: secret.reminderNote,
+            reminderRepeatDays: secret.reminderRepeatDays,
+            skipMultilineEncoding: secret.skipMultilineEncoding,
+            metadata: secret.metadata,
+            folderId: secret.folderId,
+            actorType: "platform"
+          });
+
+          secretsToUpdate.push({
+            id: secret.id,
+            newVersion: nextVersion
+          });
+        }
+      }
+    }
+
+    logger.info(
+      `Chunk ${chunkIndex + 1}: Adding ${versionsToAdd.length} versions, updating ${secretsToUpdate.length} secrets`
+    );
+
+    // Batch insert new versions
+    if (versionsToAdd.length > 0) {
+      const insertBatches = chunkArray(versionsToAdd, 9000);
+      for (let i = 0; i < insertBatches.length; i += 1) {
+        await knex.batchInsert(TableName.SecretVersionV2, insertBatches[i]);
+      }
+    }
+
+    if (secretsToUpdate.length > 0) {
+      const updateBatches = chunkArray(secretsToUpdate, 1000);
+
+      for (const updateBatch of updateBatches) {
+        const ids = updateBatch.map((u) => u.id);
+        const versionCases = updateBatch.map((u) => `WHEN '${u.id}' THEN ${u.newVersion}`).join(" ");
+
+        await knex.raw(
+          `
+            UPDATE ${TableName.SecretV2} 
+            SET version = CASE id ${versionCases} END,
+                "updatedAt" = NOW()
+            WHERE id IN (${ids.map(() => "?").join(",")})
+          `,
+          ids
+        );
+      }
+    }
+  }
+
+  logger.info("Secret version fix migration completed");
+}
+
+export async function down(): Promise<void> {
+  logger.info("Rollback not implemented for secret version fix migration");
+  // Note: Rolling back this migration would be complex and potentially destructive
+  // as it would require tracking which version entries were added
+}
--- a/backend/src/db/migrations/20250602155452_pit-projects-commits-initialization.ts
+++ b/backend/src/db/migrations/20250602155452_pit-projects-commits-initialization.ts
@ -0,0 +1,345 @@
+import { Knex } from "knex";
+
+import { chunkArray } from "@app/lib/fn";
+import { selectAllTableCols } from "@app/lib/knex";
+import { logger } from "@app/lib/logger";
+import { ActorType } from "@app/services/auth/auth-type";
+import { ChangeType } from "@app/services/folder-commit/folder-commit-service";
+
+import {
+  ProjectType,
+  SecretType,
+  TableName,
+  TFolderCheckpoints,
+  TFolderCommits,
+  TFolderTreeCheckpoints,
+  TSecretFolders
+} from "../schemas";
+
+const sortFoldersByHierarchy = (folders: TSecretFolders[]) => {
+  // Create a map for quick lookup of children by parent ID
+  const childrenMap = new Map<string, TSecretFolders[]>();
+
+  // Set of all folder IDs
+  const allFolderIds = new Set<string>();
+
+  // Build the set of all folder IDs
+  folders.forEach((folder) => {
+    if (folder.id) {
+      allFolderIds.add(folder.id);
+    }
+  });
+
+  // Group folders by their parentId
+  folders.forEach((folder) => {
+    if (folder.parentId) {
+      const children = childrenMap.get(folder.parentId) || [];
+      children.push(folder);
+      childrenMap.set(folder.parentId, children);
+    }
+  });
+
+  // Find root folders - those with no parentId or with a parentId that doesn't exist
+  const rootFolders = folders.filter((folder) => !folder.parentId || !allFolderIds.has(folder.parentId));
+
+  // Process each level of the hierarchy
+  const result = [];
+  let currentLevel = rootFolders;
+
+  while (currentLevel.length > 0) {
+    result.push(...currentLevel);
+
+    const nextLevel = [];
+    for (const folder of currentLevel) {
+      if (folder.id) {
+        const children = childrenMap.get(folder.id) || [];
+        nextLevel.push(...children);
+      }
+    }
+
+    currentLevel = nextLevel;
+  }
+
+  return result.reverse();
+};
+
+const getSecretsByFolderIds = async (knex: Knex, folderIds: string[]): Promise<Record<string, string[]>> => {
+  const secrets = await knex(TableName.SecretV2)
+    .whereIn(`${TableName.SecretV2}.folderId`, folderIds)
+    .where(`${TableName.SecretV2}.type`, SecretType.Shared)
+    .join<TableName.SecretVersionV2>(TableName.SecretVersionV2, (queryBuilder) => {
+      void queryBuilder
+        .on(`${TableName.SecretVersionV2}.secretId`, `${TableName.SecretV2}.id`)
+        .andOn(`${TableName.SecretVersionV2}.version`, `${TableName.SecretV2}.version`);
+    })
+    .select(selectAllTableCols(TableName.SecretV2))
+    .select(knex.ref("id").withSchema(TableName.SecretVersionV2).as("secretVersionId"));
+
+  const secretsMap: Record<string, string[]> = {};
+
+  secrets.forEach((secret) => {
+    if (!secretsMap[secret.folderId]) {
+      secretsMap[secret.folderId] = [];
+    }
+    secretsMap[secret.folderId].push(secret.secretVersionId);
+  });
+
+  return secretsMap;
+};
+
+const getFoldersByParentIds = async (knex: Knex, parentIds: string[]): Promise<Record<string, string[]>> => {
+  const folders = await knex(TableName.SecretFolder)
+    .whereIn(`${TableName.SecretFolder}.parentId`, parentIds)
+    .where(`${TableName.SecretFolder}.isReserved`, false)
+    .join<TableName.SecretFolderVersion>(TableName.SecretFolderVersion, (queryBuilder) => {
+      void queryBuilder
+        .on(`${TableName.SecretFolderVersion}.folderId`, `${TableName.SecretFolder}.id`)
+        .andOn(`${TableName.SecretFolderVersion}.version`, `${TableName.SecretFolder}.version`);
+    })
+    .select(selectAllTableCols(TableName.SecretFolder))
+    .select(knex.ref("id").withSchema(TableName.SecretFolderVersion).as("folderVersionId"));
+
+  const foldersMap: Record<string, string[]> = {};
+
+  folders.forEach((folder) => {
+    if (!folder.parentId) {
+      return;
+    }
+    if (!foldersMap[folder.parentId]) {
+      foldersMap[folder.parentId] = [];
+    }
+    foldersMap[folder.parentId].push(folder.folderVersionId);
+  });
+
+  return foldersMap;
+};
+
+export async function up(knex: Knex): Promise<void> {
+  logger.info("Initializing folder commits");
+  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
+  if (hasFolderCommitTable) {
+    // Get Projects to Initialize
+    const projects = await knex(TableName.Project)
+      .where(`${TableName.Project}.version`, 3)
+      .where(`${TableName.Project}.type`, ProjectType.SecretManager)
+      .select(selectAllTableCols(TableName.Project));
+    logger.info(`Found ${projects.length} projects to initialize`);
+
+    // Process Projects in batches of 100
+    const batches = chunkArray(projects, 100);
+    let i = 0;
+    for (const batch of batches) {
+      i += 1;
+      logger.info(`Processing project batch ${i} of ${batches.length}`);
+      let foldersCommitsList = [];
+
+      const rootFoldersMap: Record<string, string> = {};
+      const envRootFoldersMap: Record<string, string> = {};
+
+      // Get All Folders for the Project
+      // eslint-disable-next-line no-await-in-loop
+      const folders = await knex(TableName.SecretFolder)
+        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .whereIn(
+          `${TableName.Environment}.projectId`,
+          batch.map((project) => project.id)
+        )
+        .where(`${TableName.SecretFolder}.isReserved`, false)
+        .select(selectAllTableCols(TableName.SecretFolder));
+      logger.info(`Found ${folders.length} folders to initialize in project batch ${i} of ${batches.length}`);
+
+      // Sort Folders by Hierarchy (parents before nested folders)
+      const sortedFolders = sortFoldersByHierarchy(folders);
+
+      // eslint-disable-next-line no-await-in-loop
+      const folderSecretsMap = await getSecretsByFolderIds(
+        knex,
+        sortedFolders.map((folder) => folder.id)
+      );
+      // eslint-disable-next-line no-await-in-loop
+      const folderFoldersMap = await getFoldersByParentIds(
+        knex,
+        sortedFolders.map((folder) => folder.id)
+      );
+
+      // Get folder commit changes
+      for (const folder of sortedFolders) {
+        const subFolderVersionIds = folderFoldersMap[folder.id];
+        const secretVersionIds = folderSecretsMap[folder.id];
+        const changes = [];
+        if (subFolderVersionIds) {
+          changes.push(
+            ...subFolderVersionIds.map((folderVersionId) => ({
+              folderId: folder.id,
+              changeType: ChangeType.ADD,
+              secretVersionId: undefined,
+              folderVersionId,
+              isUpdate: false
+            }))
+          );
+        }
+        if (secretVersionIds) {
+          changes.push(
+            ...secretVersionIds.map((secretVersionId) => ({
+              folderId: folder.id,
+              changeType: ChangeType.ADD,
+              secretVersionId,
+              folderVersionId: undefined,
+              isUpdate: false
+            }))
+          );
+        }
+        if (changes.length > 0) {
+          const folderCommit = {
+            commit: {
+              actorMetadata: {},
+              actorType: ActorType.PLATFORM,
+              message: "Initialized folder",
+              folderId: folder.id,
+              envId: folder.envId
+            },
+            changes
+          };
+          foldersCommitsList.push(folderCommit);
+          if (!folder.parentId) {
+            rootFoldersMap[folder.id] = folder.envId;
+            envRootFoldersMap[folder.envId] = folder.id;
+          }
+        }
+      }
+      logger.info(`Retrieved folder changes for project batch ${i} of ${batches.length}`);
+
+      const filteredBrokenProjectFolders: string[] = [];
+
+      foldersCommitsList = foldersCommitsList.filter((folderCommit) => {
+        if (!envRootFoldersMap[folderCommit.commit.envId]) {
+          filteredBrokenProjectFolders.push(folderCommit.commit.folderId);
+          return false;
+        }
+        return true;
+      });
+
+      logger.info(
+        `Filtered ${filteredBrokenProjectFolders.length} broken project folders: ${JSON.stringify(filteredBrokenProjectFolders)}`
+      );
+
+      // Insert New Commits in batches of 9000
+      const newCommits = foldersCommitsList.map((folderCommit) => folderCommit.commit);
+      const commitBatches = chunkArray(newCommits, 9000);
+
+      let j = 0;
+      for (const commitBatch of commitBatches) {
+        j += 1;
+        logger.info(`Inserting folder commits - batch ${j} of ${commitBatches.length}`);
+        // Create folder commit
+        // eslint-disable-next-line no-await-in-loop
+        const newCommitsInserted = (await knex
+          .batchInsert(TableName.FolderCommit, commitBatch)
+          .returning("*")) as TFolderCommits[];
+
+        logger.info(`Finished inserting folder commits - batch ${j} of ${commitBatches.length}`);
+
+        const newCommitsMap: Record<string, string> = {};
+        const newCommitsMapInverted: Record<string, string> = {};
+        const newCheckpointsMap: Record<string, string> = {};
+        newCommitsInserted.forEach((commit) => {
+          newCommitsMap[commit.folderId] = commit.id;
+          newCommitsMapInverted[commit.id] = commit.folderId;
+        });
+
+        // Create folder checkpoints
+        // eslint-disable-next-line no-await-in-loop
+        const newCheckpoints = (await knex
+          .batchInsert(
+            TableName.FolderCheckpoint,
+            Object.values(newCommitsMap).map((commitId) => ({
+              folderCommitId: commitId
+            }))
+          )
+          .returning("*")) as TFolderCheckpoints[];
+
+        logger.info(`Finished inserting folder checkpoints - batch ${j} of ${commitBatches.length}`);
+
+        newCheckpoints.forEach((checkpoint) => {
+          newCheckpointsMap[newCommitsMapInverted[checkpoint.folderCommitId]] = checkpoint.id;
+        });
+
+        // Create folder commit changes
+        // eslint-disable-next-line no-await-in-loop
+        await knex.batchInsert(
+          TableName.FolderCommitChanges,
+          foldersCommitsList
+            .map((folderCommit) => folderCommit.changes)
+            .flat()
+            .map((change) => ({
+              folderCommitId: newCommitsMap[change.folderId],
+              changeType: change.changeType,
+              secretVersionId: change.secretVersionId,
+              folderVersionId: change.folderVersionId,
+              isUpdate: false
+            }))
+        );
+
+        logger.info(`Finished inserting folder commit changes - batch ${j} of ${commitBatches.length}`);
+
+        // Create folder checkpoint resources
+        // eslint-disable-next-line no-await-in-loop
+        await knex.batchInsert(
+          TableName.FolderCheckpointResources,
+          foldersCommitsList
+            .map((folderCommit) => folderCommit.changes)
+            .flat()
+            .map((change) => ({
+              folderCheckpointId: newCheckpointsMap[change.folderId],
+              folderVersionId: change.folderVersionId,
+              secretVersionId: change.secretVersionId
+            }))
+        );
+
+        logger.info(`Finished inserting folder checkpoint resources - batch ${j} of ${commitBatches.length}`);
+
+        // Create Folder Tree Checkpoint
+        // eslint-disable-next-line no-await-in-loop
+        const newTreeCheckpoints = (await knex
+          .batchInsert(
+            TableName.FolderTreeCheckpoint,
+            Object.keys(rootFoldersMap).map((folderId) => ({
+              folderCommitId: newCommitsMap[folderId]
+            }))
+          )
+          .returning("*")) as TFolderTreeCheckpoints[];
+
+        logger.info(`Finished inserting folder tree checkpoints - batch ${j} of ${commitBatches.length}`);
+
+        const newTreeCheckpointsMap: Record<string, string> = {};
+        newTreeCheckpoints.forEach((checkpoint) => {
+          newTreeCheckpointsMap[rootFoldersMap[newCommitsMapInverted[checkpoint.folderCommitId]]] = checkpoint.id;
+        });
+
+        // Create Folder Tree Checkpoint Resources
+        // eslint-disable-next-line no-await-in-loop
+        await knex
+          .batchInsert(
+            TableName.FolderTreeCheckpointResources,
+            newCommitsInserted.map((folderCommit) => ({
+              folderTreeCheckpointId: newTreeCheckpointsMap[folderCommit.envId],
+              folderId: folderCommit.folderId,
+              folderCommitId: folderCommit.id
+            }))
+          )
+          .returning("*");
+
+        logger.info(`Finished inserting folder tree checkpoint resources - batch ${j} of ${commitBatches.length}`);
+      }
+    }
+  }
+  logger.info("Folder commits initialized");
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
+  if (hasFolderCommitTable) {
+    // delete all existing entries
+    await knex(TableName.FolderCommit).del();
+  }
+}
--- a/backend/src/db/migrations/20250603094506_access-request-sequential.ts
+++ b/backend/src/db/migrations/20250603094506_access-request-sequential.ts
@ -0,0 +1,44 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasStepColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "sequence");
+  const hasApprovalRequiredColumn = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicyApprover,
+    "approvalsRequired"
+  );
+  if (!hasStepColumn || !hasApprovalRequiredColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (t) => {
+      if (!hasStepColumn) t.integer("sequence").defaultTo(1);
+      if (!hasApprovalRequiredColumn) t.integer("approvalsRequired").nullable();
+    });
+  }
+
+  // set rejected status for all access request that was rejected and still has status pending
+  const subquery = knex(TableName.AccessApprovalRequest)
+    .leftJoin(
+      TableName.AccessApprovalRequestReviewer,
+      `${TableName.AccessApprovalRequestReviewer}.requestId`,
+      `${TableName.AccessApprovalRequest}.id`
+    )
+    .where(`${TableName.AccessApprovalRequest}.status` as "status", "pending")
+    .where(`${TableName.AccessApprovalRequestReviewer}.status` as "status", "rejected")
+    .select(`${TableName.AccessApprovalRequest}.id`);
+
+  await knex(TableName.AccessApprovalRequest).where("id", "in", subquery).update("status", "rejected");
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasStepColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "sequence");
+  const hasApprovalRequiredColumn = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicyApprover,
+    "approvalsRequired"
+  );
+  if (hasStepColumn || hasApprovalRequiredColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (t) => {
+      if (hasStepColumn) t.dropColumn("sequence");
+      if (hasApprovalRequiredColumn) t.dropColumn("approvalsRequired");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250606134139_add-project-snapshots-legacy-option.ts
+++ b/backend/src/db/migrations/20250606134139_add-project-snapshots-legacy-option.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasShowSnapshotsLegacyColumn = await knex.schema.hasColumn(TableName.Project, "showSnapshotsLegacy");
+  if (!hasShowSnapshotsLegacyColumn) {
+    await knex.schema.table(TableName.Project, (table) => {
+      table.boolean("showSnapshotsLegacy").notNullable().defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasShowSnapshotsLegacyColumn = await knex.schema.hasColumn(TableName.Project, "showSnapshotsLegacy");
+  if (hasShowSnapshotsLegacyColumn) {
+    await knex.schema.table(TableName.Project, (table) => {
+      table.dropColumn("showSnapshotsLegacy");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250610143920_add-dynamic-secret-lease-config.ts
+++ b/backend/src/db/migrations/20250610143920_add-dynamic-secret-lease-config.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasConfigColumn = await knex.schema.hasColumn(TableName.DynamicSecretLease, "config");
+  if (!hasConfigColumn) {
+    await knex.schema.alterTable(TableName.DynamicSecretLease, (table) => {
+      table.jsonb("config");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasConfigColumn = await knex.schema.hasColumn(TableName.DynamicSecretLease, "config");
+  if (hasConfigColumn) {
+    await knex.schema.alterTable(TableName.DynamicSecretLease, (table) => {
+      table.dropColumn("config");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250610173646_identity-kubernetes-auth-optional-host-url.ts
+++ b/backend/src/db/migrations/20250610173646_identity-kubernetes-auth-optional-host-url.ts
@ -0,0 +1,45 @@
+import { Knex } from "knex";
+
+import { selectAllTableCols } from "@app/lib/knex";
+
+import { TableName } from "../schemas";
+
+const BATCH_SIZE = 1000;
+
+export async function up(knex: Knex): Promise<void> {
+  const hasKubernetesHostColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "kubernetesHost");
+
+  if (hasKubernetesHostColumn) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
+      table.string("kubernetesHost").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasKubernetesHostColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "kubernetesHost");
+
+  // find all rows where kubernetesHost is null
+  const rows = await knex(TableName.IdentityKubernetesAuth)
+    .whereNull("kubernetesHost")
+    .select(selectAllTableCols(TableName.IdentityKubernetesAuth));
+
+  if (rows.length > 0) {
+    for (let i = 0; i < rows.length; i += BATCH_SIZE) {
+      const batch = rows.slice(i, i + BATCH_SIZE);
+      // eslint-disable-next-line no-await-in-loop
+      await knex(TableName.IdentityKubernetesAuth)
+        .whereIn(
+          "id",
+          batch.map((row) => row.id)
+        )
+        .update({ kubernetesHost: "" });
+    }
+  }
+
+  if (hasKubernetesHostColumn) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
+      table.string("kubernetesHost").notNullable().alter();
+    });
+  }
+}
--- a/backend/src/db/migrations/20250610205158_alicloud-machine-identity.ts
+++ b/backend/src/db/migrations/20250610205158_alicloud-machine-identity.ts
@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityAliCloudAuth))) {
+    await knex.schema.createTable(TableName.IdentityAliCloudAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+
+      t.string("allowedArns").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityAliCloudAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityAliCloudAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityAliCloudAuth);
+}
--- a/backend/src/db/migrations/20250613153957_add-machine-identity-delete-protection.ts
+++ b/backend/src/db/migrations/20250613153957_add-machine-identity-delete-protection.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.Identity, "hasDeleteProtection");
+  if (!hasCol) {
+    await knex.schema.alterTable(TableName.Identity, (t) => {
+      t.boolean("hasDeleteProtection").notNullable().defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.Identity, "hasDeleteProtection");
+  if (hasCol) {
+    await knex.schema.alterTable(TableName.Identity, (t) => {
+      t.dropColumn("hasDeleteProtection");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250618172150_increase-aws-arn-field-size.ts
+++ b/backend/src/db/migrations/20250618172150_increase-aws-arn-field-size.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.string("allowedPrincipalArns", 2048).notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.string("allowedPrincipalArns", 255).notNullable().alter();
+    });
+  }
+}
--- a/backend/src/db/migrations/20250620144939_add-instance-github-app-connection-credentials.ts
+++ b/backend/src/db/migrations/20250620144939_add-instance-github-app-connection-credentials.ts
@ -0,0 +1,91 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEncryptedGithubAppConnectionClientIdColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionClientId"
+  );
+  const hasEncryptedGithubAppConnectionClientSecretColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionClientSecret"
+  );
+
+  const hasEncryptedGithubAppConnectionSlugColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionSlug"
+  );
+
+  const hasEncryptedGithubAppConnectionAppIdColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionId"
+  );
+
+  const hasEncryptedGithubAppConnectionAppPrivateKeyColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionPrivateKey"
+  );
+
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (!hasEncryptedGithubAppConnectionClientIdColumn) {
+      t.binary("encryptedGitHubAppConnectionClientId").nullable();
+    }
+    if (!hasEncryptedGithubAppConnectionClientSecretColumn) {
+      t.binary("encryptedGitHubAppConnectionClientSecret").nullable();
+    }
+    if (!hasEncryptedGithubAppConnectionSlugColumn) {
+      t.binary("encryptedGitHubAppConnectionSlug").nullable();
+    }
+    if (!hasEncryptedGithubAppConnectionAppIdColumn) {
+      t.binary("encryptedGitHubAppConnectionId").nullable();
+    }
+    if (!hasEncryptedGithubAppConnectionAppPrivateKeyColumn) {
+      t.binary("encryptedGitHubAppConnectionPrivateKey").nullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptedGithubAppConnectionClientIdColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionClientId"
+  );
+  const hasEncryptedGithubAppConnectionClientSecretColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionClientSecret"
+  );
+
+  const hasEncryptedGithubAppConnectionSlugColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionSlug"
+  );
+
+  const hasEncryptedGithubAppConnectionAppIdColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionId"
+  );
+
+  const hasEncryptedGithubAppConnectionAppPrivateKeyColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionPrivateKey"
+  );
+
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (hasEncryptedGithubAppConnectionClientIdColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionClientId");
+    }
+    if (hasEncryptedGithubAppConnectionClientSecretColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionClientSecret");
+    }
+    if (hasEncryptedGithubAppConnectionSlugColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionSlug");
+    }
+    if (hasEncryptedGithubAppConnectionAppIdColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionId");
+    }
+    if (hasEncryptedGithubAppConnectionAppPrivateKeyColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionPrivateKey");
+    }
+  });
+}
--- a/backend/src/db/migrations/utils/services.ts
+++ b/backend/src/db/migrations/utils/services.ts
@ -3,12 +3,27 @@ import { Knex } from "knex";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { hsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
+import { folderCheckpointDALFactory } from "@app/services/folder-checkpoint/folder-checkpoint-dal";
+import { folderCheckpointResourcesDALFactory } from "@app/services/folder-checkpoint-resources/folder-checkpoint-resources-dal";
+import { folderCommitDALFactory } from "@app/services/folder-commit/folder-commit-dal";
+import { folderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
+import { folderCommitChangesDALFactory } from "@app/services/folder-commit-changes/folder-commit-changes-dal";
+import { folderTreeCheckpointDALFactory } from "@app/services/folder-tree-checkpoint/folder-tree-checkpoint-dal";
+import { folderTreeCheckpointResourcesDALFactory } from "@app/services/folder-tree-checkpoint-resources/folder-tree-checkpoint-resources-dal";
+import { identityDALFactory } from "@app/services/identity/identity-dal";
 import { internalKmsDALFactory } from "@app/services/kms/internal-kms-dal";
 import { kmskeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { kmsRootConfigDALFactory } from "@app/services/kms/kms-root-config-dal";
 import { kmsServiceFactory } from "@app/services/kms/kms-service";
 import { orgDALFactory } from "@app/services/org/org-dal";
 import { projectDALFactory } from "@app/services/project/project-dal";
+import { resourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
+import { secretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
+import { secretFolderVersionDALFactory } from "@app/services/secret-folder/secret-folder-version-dal";
+import { secretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
+import { secretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
+import { secretVersionV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
+import { userDALFactory } from "@app/services/user/user-dal";

 import { TMigrationEnvConfig } from "./env-config";

@ -50,3 +65,77 @@ export const getMigrationEncryptionServices = async ({ envConfig, db, keyStore }

  return { kmsService };
 };
+
+export const getMigrationPITServices = async ({
+  db,
+  keyStore,
+  envConfig
+}: {
+  db: Knex;
+  keyStore: TKeyStoreFactory;
+  envConfig: TMigrationEnvConfig;
+}) => {
+  const projectDAL = projectDALFactory(db);
+  const folderCommitDAL = folderCommitDALFactory(db);
+  const folderCommitChangesDAL = folderCommitChangesDALFactory(db);
+  const folderCheckpointDAL = folderCheckpointDALFactory(db);
+  const folderTreeCheckpointDAL = folderTreeCheckpointDALFactory(db);
+  const userDAL = userDALFactory(db);
+  const identityDAL = identityDALFactory(db);
+  const folderDAL = secretFolderDALFactory(db);
+  const folderVersionDAL = secretFolderVersionDALFactory(db);
+  const secretVersionV2BridgeDAL = secretVersionV2BridgeDALFactory(db);
+  const folderCheckpointResourcesDAL = folderCheckpointResourcesDALFactory(db);
+  const secretV2BridgeDAL = secretV2BridgeDALFactory({ db, keyStore });
+  const folderTreeCheckpointResourcesDAL = folderTreeCheckpointResourcesDALFactory(db);
+  const secretTagDAL = secretTagDALFactory(db);
+
+  const orgDAL = orgDALFactory(db);
+  const kmsRootConfigDAL = kmsRootConfigDALFactory(db);
+  const kmsDAL = kmskeyDALFactory(db);
+  const internalKmsDAL = internalKmsDALFactory(db);
+  const resourceMetadataDAL = resourceMetadataDALFactory(db);
+
+  const hsmModule = initializeHsmModule(envConfig);
+  hsmModule.initialize();
+
+  const hsmService = hsmServiceFactory({
+    hsmModule: hsmModule.getModule(),
+    envConfig
+  });
+
+  const kmsService = kmsServiceFactory({
+    kmsRootConfigDAL,
+    keyStore,
+    kmsDAL,
+    internalKmsDAL,
+    orgDAL,
+    projectDAL,
+    hsmService,
+    envConfig
+  });
+
+  await hsmService.startService();
+  await kmsService.startService();
+
+  const folderCommitService = folderCommitServiceFactory({
+    folderCommitDAL,
+    folderCommitChangesDAL,
+    folderCheckpointDAL,
+    folderTreeCheckpointDAL,
+    userDAL,
+    identityDAL,
+    folderDAL,
+    folderVersionDAL,
+    secretVersionV2BridgeDAL,
+    projectDAL,
+    folderCheckpointResourcesDAL,
+    secretV2BridgeDAL,
+    folderTreeCheckpointResourcesDAL,
+    kmsService,
+    secretTagDAL,
+    resourceMetadataDAL
+  });
+
+  return { folderCommitService };
+};
--- a/backend/src/db/schemas/access-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/access-approval-policies-approvers.ts
@ -13,7 +13,9 @@ export const AccessApprovalPoliciesApproversSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  approverUserId: z.string().uuid().nullable().optional(),
-  approverGroupId: z.string().uuid().nullable().optional()
+  approverGroupId: z.string().uuid().nullable().optional(),
+  sequence: z.number().default(0).nullable().optional(),
+  approvalsRequired: z.number().default(1).nullable().optional()
 });

 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;
--- a/backend/src/db/schemas/dynamic-secret-leases.ts
+++ b/backend/src/db/schemas/dynamic-secret-leases.ts
@ -16,7 +16,8 @@ export const DynamicSecretLeasesSchema = z.object({
  statusDetails: z.string().nullable().optional(),
  dynamicSecretId: z.string().uuid(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  config: z.unknown().nullable().optional()
 });

 export type TDynamicSecretLeases = z.infer<typeof DynamicSecretLeasesSchema>;
--- a/backend/src/db/schemas/folder-checkpoint-resources.ts
+++ b/backend/src/db/schemas/folder-checkpoint-resources.ts
@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderCheckpointResourcesSchema = z.object({
+  id: z.string().uuid(),
+  folderCheckpointId: z.string().uuid(),
+  secretVersionId: z.string().uuid().nullable().optional(),
+  folderVersionId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderCheckpointResources = z.infer<typeof FolderCheckpointResourcesSchema>;
+export type TFolderCheckpointResourcesInsert = Omit<z.input<typeof FolderCheckpointResourcesSchema>, TImmutableDBKeys>;
+export type TFolderCheckpointResourcesUpdate = Partial<
+  Omit<z.input<typeof FolderCheckpointResourcesSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/folder-checkpoints.ts
+++ b/backend/src/db/schemas/folder-checkpoints.ts
@ -0,0 +1,19 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderCheckpointsSchema = z.object({
+  id: z.string().uuid(),
+  folderCommitId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderCheckpoints = z.infer<typeof FolderCheckpointsSchema>;
+export type TFolderCheckpointsInsert = Omit<z.input<typeof FolderCheckpointsSchema>, TImmutableDBKeys>;
+export type TFolderCheckpointsUpdate = Partial<Omit<z.input<typeof FolderCheckpointsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/folder-commit-changes.ts
+++ b/backend/src/db/schemas/folder-commit-changes.ts
@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderCommitChangesSchema = z.object({
+  id: z.string().uuid(),
+  folderCommitId: z.string().uuid(),
+  changeType: z.string(),
+  isUpdate: z.boolean().default(false),
+  secretVersionId: z.string().uuid().nullable().optional(),
+  folderVersionId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderCommitChanges = z.infer<typeof FolderCommitChangesSchema>;
+export type TFolderCommitChangesInsert = Omit<z.input<typeof FolderCommitChangesSchema>, TImmutableDBKeys>;
+export type TFolderCommitChangesUpdate = Partial<Omit<z.input<typeof FolderCommitChangesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/folder-commits.ts
+++ b/backend/src/db/schemas/folder-commits.ts
@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderCommitsSchema = z.object({
+  id: z.string().uuid(),
+  commitId: z.coerce.bigint(),
+  actorMetadata: z.unknown(),
+  actorType: z.string(),
+  message: z.string().nullable().optional(),
+  folderId: z.string().uuid(),
+  envId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderCommits = z.infer<typeof FolderCommitsSchema>;
+export type TFolderCommitsInsert = Omit<z.input<typeof FolderCommitsSchema>, TImmutableDBKeys>;
+export type TFolderCommitsUpdate = Partial<Omit<z.input<typeof FolderCommitsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/folder-tree-checkpoint-resources.ts
+++ b/backend/src/db/schemas/folder-tree-checkpoint-resources.ts
@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderTreeCheckpointResourcesSchema = z.object({
+  id: z.string().uuid(),
+  folderTreeCheckpointId: z.string().uuid(),
+  folderId: z.string().uuid(),
+  folderCommitId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderTreeCheckpointResources = z.infer<typeof FolderTreeCheckpointResourcesSchema>;
+export type TFolderTreeCheckpointResourcesInsert = Omit<
+  z.input<typeof FolderTreeCheckpointResourcesSchema>,
+  TImmutableDBKeys
+>;
+export type TFolderTreeCheckpointResourcesUpdate = Partial<
+  Omit<z.input<typeof FolderTreeCheckpointResourcesSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/folder-tree-checkpoints.ts
+++ b/backend/src/db/schemas/folder-tree-checkpoints.ts
@ -0,0 +1,19 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderTreeCheckpointsSchema = z.object({
+  id: z.string().uuid(),
+  folderCommitId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderTreeCheckpoints = z.infer<typeof FolderTreeCheckpointsSchema>;
+export type TFolderTreeCheckpointsInsert = Omit<z.input<typeof FolderTreeCheckpointsSchema>, TImmutableDBKeys>;
+export type TFolderTreeCheckpointsUpdate = Partial<Omit<z.input<typeof FolderTreeCheckpointsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identities.ts
+++ b/backend/src/db/schemas/identities.ts
@ -12,7 +12,8 @@ export const IdentitiesSchema = z.object({
  name: z.string(),
  authMethod: z.string().nullable().optional(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  hasDeleteProtection: z.boolean().default(false)
 });

 export type TIdentities = z.infer<typeof IdentitiesSchema>;
--- a/backend/src/db/schemas/identity-alicloud-auths.ts
+++ b/backend/src/db/schemas/identity-alicloud-auths.ts
@ -0,0 +1,25 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityAlicloudAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  type: z.string(),
+  allowedArns: z.string()
+});
+
+export type TIdentityAlicloudAuths = z.infer<typeof IdentityAlicloudAuthsSchema>;
+export type TIdentityAlicloudAuthsInsert = Omit<z.input<typeof IdentityAlicloudAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityAlicloudAuthsUpdate = Partial<Omit<z.input<typeof IdentityAlicloudAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-kubernetes-auths.ts
+++ b/backend/src/db/schemas/identity-kubernetes-auths.ts
@ -18,7 +18,7 @@ export const IdentityKubernetesAuthsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  identityId: z.string().uuid(),
-  kubernetesHost: z.string(),
+  kubernetesHost: z.string().nullable().optional(),
  encryptedCaCert: z.string().nullable().optional(),
  caCertIV: z.string().nullable().optional(),
  caCertTag: z.string().nullable().optional(),
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -24,6 +24,12 @@ export * from "./dynamic-secrets";
 export * from "./external-certificate-authorities";
 export * from "./external-group-org-role-mappings";
 export * from "./external-kms";
+export * from "./folder-checkpoint-resources";
+export * from "./folder-checkpoints";
+export * from "./folder-commit-changes";
+export * from "./folder-commits";
+export * from "./folder-tree-checkpoint-resources";
+export * from "./folder-tree-checkpoints";
 export * from "./gateways";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
@ -33,6 +39,7 @@ export * from "./group-project-memberships";
 export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
+export * from "./identity-alicloud-auths";
 export * from "./identity-aws-auths";
 export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -80,6 +80,7 @@ export enum TableName {
  IdentityGcpAuth = "identity_gcp_auths",
  IdentityAzureAuth = "identity_azure_auths",
  IdentityUaClientSecret = "identity_ua_client_secrets",
+  IdentityAliCloudAuth = "identity_alicloud_auths",
  IdentityAwsAuth = "identity_aws_auths",
  IdentityOciAuth = "identity_oci_auths",
  IdentityOidcAuth = "identity_oidc_auths",
@ -160,6 +161,12 @@ export enum TableName {
  ProjectMicrosoftTeamsConfigs = "project_microsoft_teams_configs",
  SecretReminderRecipients = "secret_reminder_recipients",
  GithubOrgSyncConfig = "github_org_sync_configs",
+  FolderCommit = "folder_commits",
+  FolderCommitChanges = "folder_commit_changes",
+  FolderCheckpoint = "folder_checkpoints",
+  FolderCheckpointResources = "folder_checkpoint_resources",
+  FolderTreeCheckpoint = "folder_tree_checkpoints",
+  FolderTreeCheckpointResources = "folder_tree_checkpoint_resources",
  SecretScanningDataSource = "secret_scanning_data_sources",
  SecretScanningResource = "secret_scanning_resources",
  SecretScanningScan = "secret_scanning_scans",
@ -167,7 +174,7 @@ export enum TableName {
  SecretScanningConfig = "secret_scanning_configs"
 }

-export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
+export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt" | "commitId";

 export const UserDeviceSchema = z
  .object({
@ -241,6 +248,7 @@ export enum IdentityAuthMethod {
  UNIVERSAL_AUTH = "universal-auth",
  KUBERNETES_AUTH = "kubernetes-auth",
  GCP_AUTH = "gcp-auth",
+  ALICLOUD_AUTH = "alicloud-auth",
  AWS_AUTH = "aws-auth",
  AZURE_AUTH = "azure-auth",
  OCI_AUTH = "oci-auth",
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@ -28,7 +28,8 @@ export const ProjectsSchema = z.object({
  type: z.string(),
  enforceCapitalization: z.boolean().default(false),
  hasDeleteProtection: z.boolean().default(false).nullable().optional(),
-  secretSharing: z.boolean().default(true)
+  secretSharing: z.boolean().default(true),
+  showSnapshotsLegacy: z.boolean().default(false)
 });

 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/secret-folder-versions.ts
+++ b/backend/src/db/schemas/secret-folder-versions.ts
@ -14,7 +14,8 @@ export const SecretFolderVersionsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  envId: z.string().uuid(),
-  folderId: z.string().uuid()
+  folderId: z.string().uuid(),
+  description: z.string().nullable().optional()
 });

 export type TSecretFolderVersions = z.infer<typeof SecretFolderVersionsSchema>;
--- a/backend/src/db/schemas/super-admin.ts
+++ b/backend/src/db/schemas/super-admin.ts
@ -29,7 +29,12 @@ export const SuperAdminSchema = z.object({
  adminIdentityIds: z.string().array().nullable().optional(),
  encryptedMicrosoftTeamsAppId: zodBuffer.nullable().optional(),
  encryptedMicrosoftTeamsClientSecret: zodBuffer.nullable().optional(),
-  encryptedMicrosoftTeamsBotId: zodBuffer.nullable().optional()
+  encryptedMicrosoftTeamsBotId: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionClientId: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionClientSecret: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionSlug: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionId: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional()
 });

 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;
--- a/backend/src/ee/routes/v1/access-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-policy-router.ts
@ -23,12 +23,26 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
        environment: z.string(),
        approvers: z
          .discriminatedUnion("type", [
-            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+            z.object({
+              type: z.literal(ApproverType.Group),
+              id: z.string(),
+              sequence: z.number().int().default(1)
+            }),
+            z.object({
+              type: z.literal(ApproverType.User),
+              id: z.string().optional(),
+              username: z.string().optional(),
+              sequence: z.number().int().default(1)
+            })
          ])
          .array()
          .max(100, "Cannot have more than 100 approvers")
-          .min(1, { message: "At least one approver should be provided" }),
+          .min(1, { message: "At least one approver should be provided" })
+          .refine(
+            // @ts-expect-error this is ok
+            (el) => el.every((i) => Boolean(i?.id) || Boolean(i?.username)),
+            "Must provide either username or id"
+          ),
        bypassers: z
          .discriminatedUnion("type", [
            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
@ -37,6 +51,13 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
          .array()
          .max(100, "Cannot have more than 100 bypassers")
          .optional(),
+        approvalsRequired: z
+          .object({
+            numberOfApprovals: z.number().int(),
+            stepNumber: z.number().int()
+          })
+          .array()
+          .optional(),
        approvals: z.number().min(1).default(1),
        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
        allowedSelfApprovals: z.boolean().default(true)
@ -78,7 +99,12 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
          approvals: sapPubSchema
            .extend({
              approvers: z
-                .object({ type: z.nativeEnum(ApproverType), id: z.string().nullable().optional() })
+                .object({
+                  type: z.nativeEnum(ApproverType),
+                  id: z.string().nullable().optional(),
+                  sequence: z.number().nullable().optional(),
+                  approvalsRequired: z.number().nullable().optional()
+                })
                .array()
                .nullable()
                .optional(),
@ -152,12 +178,26 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
          .transform((val) => (val === "" ? "/" : val)),
        approvers: z
          .discriminatedUnion("type", [
-            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+            z.object({
+              type: z.literal(ApproverType.Group),
+              id: z.string(),
+              sequence: z.number().int().default(1)
+            }),
+            z.object({
+              type: z.literal(ApproverType.User),
+              id: z.string().optional(),
+              username: z.string().optional(),
+              sequence: z.number().int().default(1)
+            })
          ])
          .array()
          .min(1, { message: "At least one approver should be provided" })
-          .max(100, "Cannot have more than 100 approvers"),
+          .max(100, "Cannot have more than 100 approvers")
+          .refine(
+            // @ts-expect-error this is ok
+            (el) => el.every((i) => Boolean(i?.id) || Boolean(i?.username)),
+            "Must provide either username or id"
+          ),
        bypassers: z
          .discriminatedUnion("type", [
            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
@ -168,7 +208,14 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
          .optional(),
        approvals: z.number().min(1).optional(),
        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
-        allowedSelfApprovals: z.boolean().default(true)
+        allowedSelfApprovals: z.boolean().default(true),
+        approvalsRequired: z
+          .object({
+            numberOfApprovals: z.number().int(),
+            stepNumber: z.number().int()
+          })
+          .array()
+          .optional()
      }),
      response: {
        200: z.object({
@ -235,7 +282,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
              .object({
                type: z.nativeEnum(ApproverType),
                id: z.string().nullable().optional(),
-                name: z.string().nullable().optional()
+                name: z.string().nullable().optional(),
+                approvalsRequired: z.number().nullable().optional()
              })
              .array()
              .nullable()
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@ -112,7 +112,15 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
              id: z.string(),
              name: z.string(),
              approvals: z.number(),
-              approvers: z.string().array(),
+              approvers: z
+                .object({
+                  userId: z.string().nullable().optional(),
+                  sequence: z.number().nullable().optional(),
+                  approvalsRequired: z.number().nullable().optional(),
+                  email: z.string().nullable().optional(),
+                  username: z.string().nullable().optional()
+                })
+                .array(),
              bypassers: z.string().array(),
              secretPath: z.string().nullish(),
              envId: z.string(),
--- a/backend/src/ee/routes/v1/app-connection-routers/oracledb-connection-router.ts
+++ b/backend/src/ee/routes/v1/app-connection-routers/oracledb-connection-router.ts
@ -0,0 +1,17 @@
+import {
+  CreateOracleDBConnectionSchema,
+  SanitizedOracleDBConnectionSchema,
+  UpdateOracleDBConnectionSchema
+} from "@app/ee/services/app-connections/oracledb";
+import { registerAppConnectionEndpoints } from "@app/server/routes/v1/app-connection-routers/app-connection-endpoints";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const registerOracleDBConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.OracleDB,
+    server,
+    sanitizedResponseSchema: SanitizedOracleDBConnectionSchema,
+    createSchema: CreateOracleDBConnectionSchema,
+    updateSchema: UpdateOracleDBConnectionSchema
+  });
+};
--- a/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
@ -36,7 +36,8 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
          }),
        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRET_LEASES.CREATE.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.path)
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.environmentSlug),
+        config: z.any().optional()
      }),
      response: {
        200: z.object({
--- a/backend/src/ee/routes/v1/dynamic-secret-lease-routers/kubernetes-lease-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-lease-routers/kubernetes-lease-router.ts
@ -0,0 +1,67 @@
+import { z } from "zod";
+
+import { DynamicSecretLeasesSchema } from "@app/db/schemas";
+import { ApiDocsTags, DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
+import { daysToMillisecond } from "@app/lib/dates";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { ms } from "@app/lib/ms";
+import { writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerKubernetesDynamicSecretLeaseRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
+      body: z.object({
+        dynamicSecretName: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.dynamicSecretName).toLowerCase(),
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.projectSlug),
+        ttl: z
+          .string()
+          .optional()
+          .describe(DYNAMIC_SECRET_LEASES.CREATE.ttl)
+          .superRefine((val, ctx) => {
+            if (!val) return;
+            const valMs = ms(val);
+            if (valMs < 60 * 1000)
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be greater than 1min" });
+            if (valMs > daysToMillisecond(1))
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+          }),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRET_LEASES.CREATE.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.environmentSlug),
+        config: z
+          .object({
+            namespace: z.string().min(1).optional().describe(DYNAMIC_SECRET_LEASES.KUBERNETES.CREATE.config.namespace)
+          })
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          lease: DynamicSecretLeasesSchema,
+          dynamicSecret: SanitizedDynamicSecretSchema,
+          data: z.unknown()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { data, lease, dynamicSecret } = await server.services.dynamicSecretLease.create({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.body.dynamicSecretName,
+        ...req.body
+      });
+      return { lease, data, dynamicSecret };
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-router.ts
@ -23,7 +23,10 @@ const validateUsernameTemplateCharacters = characterValidator([
  CharacterType.CloseBrace,
  CharacterType.CloseBracket,
  CharacterType.OpenBracket,
-  CharacterType.Fullstop
+  CharacterType.Fullstop,
+  CharacterType.SingleQuote,
+  CharacterType.Spaces,
+  CharacterType.Pipe
 ]);

 const userTemplateSchema = z
@ -33,7 +36,7 @@ const userTemplateSchema = z
  .refine((el) => validateUsernameTemplateCharacters(el))
  .refine((el) =>
    isValidHandleBarTemplate(el, {
-      allowedExpressions: (val) => ["randomUsername", "unixTimestamp"].includes(val)
+      allowedExpressions: (val) => ["randomUsername", "unixTimestamp", "identity.name"].includes(val)
    })
  );

--- a/backend/src/ee/routes/v1/group-router.ts
+++ b/backend/src/ee/routes/v1/group-router.ts
@ -48,7 +48,9 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
        id: z.string().trim().describe(GROUPS.GET_BY_ID.id)
      }),
      response: {
-        200: GroupsSchema
+        200: GroupsSchema.extend({
+          customRoleSlug: z.string().nullable()
+        })
      }
    },
    handler: async (req) => {
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -6,6 +6,7 @@ import { registerAssumePrivilegeRouter } from "./assume-privilege-router";
 import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
 import { registerCaCrlRouter } from "./certificate-authority-crl-router";
 import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
+import { registerKubernetesDynamicSecretLeaseRouter } from "./dynamic-secret-lease-routers/kubernetes-lease-router";
 import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerExternalKmsRouter } from "./external-kms-router";
 import { registerGatewayRouter } from "./gateway-router";
@ -18,6 +19,7 @@ import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
 import { registerOidcRouter } from "./oidc-router";
 import { registerOrgRoleRouter } from "./org-role-router";
+import { registerPITRouter } from "./pit-router";
 import { registerProjectRoleRouter } from "./project-role-router";
 import { registerProjectRouter } from "./project-router";
 import { registerRateLimitRouter } from "./rate-limit-router";
@ -53,6 +55,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
    { prefix: "/workspace" }
  );
  await server.register(registerSnapshotRouter, { prefix: "/secret-snapshot" });
+  await server.register(registerPITRouter, { prefix: "/pit" });
  await server.register(registerSecretApprovalPolicyRouter, { prefix: "/secret-approvals" });
  await server.register(registerSecretApprovalRequestRouter, {
    prefix: "/secret-approval-requests"
@ -69,6 +72,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
    async (dynamicSecretRouter) => {
      await dynamicSecretRouter.register(registerDynamicSecretRouter);
      await dynamicSecretRouter.register(registerDynamicSecretLeaseRouter, { prefix: "/leases" });
+      await dynamicSecretRouter.register(registerKubernetesDynamicSecretLeaseRouter, { prefix: "/leases/kubernetes" });
    },
    { prefix: "/dynamic-secrets" }
  );
--- a/backend/src/ee/routes/v1/pit-router.ts
+++ b/backend/src/ee/routes/v1/pit-router.ts
@ -0,0 +1,416 @@
+/* eslint-disable @typescript-eslint/no-base-to-string */
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { booleanSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { commitChangesResponseSchema, resourceChangeSchema } from "@app/services/folder-commit/folder-commit-schemas";
+
+const commitHistoryItemSchema = z.object({
+  id: z.string(),
+  folderId: z.string(),
+  actorType: z.string(),
+  actorMetadata: z.unknown().optional(),
+  message: z.string().optional().nullable(),
+  commitId: z.string(),
+  createdAt: z.string().or(z.date()),
+  envId: z.string()
+});
+
+const folderStateSchema = z.array(
+  z.object({
+    type: z.string(),
+    id: z.string(),
+    versionId: z.string(),
+    secretKey: z.string().optional(),
+    secretVersion: z.number().optional(),
+    folderName: z.string().optional(),
+    folderVersion: z.number().optional()
+  })
+);
+
+export const registerPITRouter = async (server: FastifyZodProvider) => {
+  // Get commits count for a folder
+  server.route({
+    method: "GET",
+    url: "/commits/count",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          count: z.number(),
+          folderId: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.getCommitsCount({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        environment: req.query.environment,
+        path: req.query.path
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_PROJECT_PIT_COMMIT_COUNT,
+          metadata: {
+            environment: req.query.environment,
+            path: req.query.path,
+            commitCount: result.count.toString()
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Get all commits for a folder
+  server.route({
+    method: "GET",
+    url: "/commits",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        projectId: z.string().trim(),
+        offset: z.coerce.number().min(0).default(0),
+        limit: z.coerce.number().min(1).max(100).default(20),
+        search: z.string().trim().optional(),
+        sort: z.enum(["asc", "desc"]).default("desc")
+      }),
+      response: {
+        200: z.object({
+          commits: commitHistoryItemSchema.array(),
+          total: z.number(),
+          hasMore: z.boolean()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.getCommitsForFolder({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        environment: req.query.environment,
+        path: req.query.path,
+        offset: req.query.offset,
+        limit: req.query.limit,
+        search: req.query.search,
+        sort: req.query.sort
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_PROJECT_PIT_COMMITS,
+          metadata: {
+            environment: req.query.environment,
+            path: req.query.path,
+            commitCount: result.commits.length.toString(),
+            offset: req.query.offset.toString(),
+            limit: req.query.limit.toString(),
+            search: req.query.search,
+            sort: req.query.sort
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Get commit changes for a specific commit
+  server.route({
+    method: "GET",
+    url: "/commits/:commitId/changes",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      querystring: z.object({
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: commitChangesResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.getCommitChanges({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        commitId: req.params.commitId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_PROJECT_PIT_COMMIT_CHANGES,
+          metadata: {
+            commitId: req.params.commitId,
+            changesCount: (result.changes.changes?.length || 0).toString()
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Retrieve rollback changes for a commit
+  server.route({
+    method: "GET",
+    url: "/commits/:commitId/compare",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      querystring: z.object({
+        folderId: z.string().trim(),
+        environment: z.string().trim(),
+        deepRollback: booleanSchema.default(false),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.array(
+          z.object({
+            folderId: z.string(),
+            folderName: z.string(),
+            folderPath: z.string().optional(),
+            changes: z.array(resourceChangeSchema)
+          })
+        )
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.compareCommitChanges({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        commitId: req.params.commitId,
+        folderId: req.query.folderId,
+        environment: req.query.environment,
+        deepRollback: req.query.deepRollback,
+        secretPath: req.query.secretPath
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.PIT_COMPARE_FOLDER_STATES,
+          metadata: {
+            targetCommitId: req.params.commitId,
+            folderId: req.query.folderId,
+            deepRollback: req.query.deepRollback,
+            diffsCount: result.length.toString(),
+            environment: req.query.environment,
+            folderPath: req.query.secretPath
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Rollback to a previous commit
+  server.route({
+    method: "POST",
+    url: "/commits/:commitId/rollback",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      body: z.object({
+        folderId: z.string().trim(),
+        deepRollback: z.boolean().default(false),
+        message: z.string().max(256).trim().optional(),
+        environment: z.string().trim(),
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          success: z.boolean(),
+          secretChangesCount: z.number().optional(),
+          folderChangesCount: z.number().optional(),
+          totalChanges: z.number().optional()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.rollbackToCommit({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.body.projectId,
+        commitId: req.params.commitId,
+        folderId: req.body.folderId,
+        deepRollback: req.body.deepRollback,
+        message: req.body.message,
+        environment: req.body.environment
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.body.projectId,
+        event: {
+          type: EventType.PIT_ROLLBACK_COMMIT,
+          metadata: {
+            targetCommitId: req.params.commitId,
+            environment: req.body.environment,
+            folderId: req.body.folderId,
+            deepRollback: req.body.deepRollback,
+            message: req.body.message || "Rollback to previous commit",
+            totalChanges: result.totalChanges?.toString() || "0"
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Revert commit
+  server.route({
+    method: "POST",
+    url: "/commits/:commitId/revert",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      body: z.object({
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          success: z.boolean(),
+          message: z.string(),
+          originalCommitId: z.string(),
+          revertCommitId: z.string().optional(),
+          changesReverted: z.number().optional()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.revertCommit({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.body.projectId,
+        commitId: req.params.commitId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.body.projectId,
+        event: {
+          type: EventType.PIT_REVERT_COMMIT,
+          metadata: {
+            commitId: req.params.commitId,
+            revertCommitId: result.revertCommitId,
+            changesReverted: result.changesReverted?.toString()
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Folder state at commit
+  server.route({
+    method: "GET",
+    url: "/commits/:commitId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      querystring: z.object({
+        folderId: z.string().trim(),
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: folderStateSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.getFolderStateAtCommit({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        commitId: req.params.commitId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.PIT_GET_FOLDER_STATE,
+          metadata: {
+            commitId: req.params.commitId,
+            folderId: req.query.folderId,
+            resourceCount: result.length.toString()
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@ -270,7 +270,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
      }),
      body: z.object({
        schemas: z.array(z.string()),
-        id: z.string().trim(),
        userName: z.string().trim(),
        name: z
          .object({
@ -278,7 +277,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
            givenName: z.string().trim().optional()
          })
          .optional(),
-        displayName: z.string().trim(),
        emails: z
          .array(
            z.object({
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -285,6 +285,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
              commits: secretRawSchema
                .omit({ _id: true, environment: true, workspace: true, type: true, version: true, secretValue: true })
                .extend({
+                  secretValueHidden: z.boolean(),
                  secretValue: z.string().optional(),
                  isRotatedSecret: z.boolean().optional(),
                  op: z.string(),
@ -296,6 +297,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                      version: z.number(),
                      secretKey: z.string(),
                      secretValue: z.string().optional(),
+                      secretValueHidden: z.boolean(),
                      secretComment: z.string().optional()
                    })
                    .optional()
@ -306,6 +308,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                      version: z.number(),
                      secretKey: z.string(),
                      secretValue: z.string().optional(),
+                      secretValueHidden: z.boolean(),
                      secretComment: z.string().optional(),
                      tags: SanitizedTagSchema.array().optional(),
                      secretMetadata: ResourceMetadataSchema.nullish()
--- a/backend/src/ee/routes/v1/snapshot-router.ts
+++ b/backend/src/ee/routes/v1/snapshot-router.ts
@ -65,9 +65,10 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
-      hide: false,
+      hide: true,
+      deprecated: true,
      tags: [ApiDocsTags.Projects],
-      description: "Roll back project secrets to those captured in a secret snapshot version.",
+      description: "(Deprecated) Roll back project secrets to those captured in a secret snapshot version.",
      security: [
        {
          bearerAuth: []
@ -84,6 +85,10 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
+      throw new Error(
+        "This endpoint is deprecated. Please use the new PIT recovery system. More information is available at: https://infisical.com/docs/documentation/platform/pit-recovery."
+      );
+
      const secretSnapshot = await server.services.snapshot.rollbackSnapshot({
        actor: req.permission.type,
        actorId: req.permission.id,
--- a/backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts
+++ b/backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts
@ -6,6 +6,7 @@ import { registerAzureClientSecretRotationRouter } from "./azure-client-secret-r
 import { registerLdapPasswordRotationRouter } from "./ldap-password-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
 import { registerMySqlCredentialsRotationRouter } from "./mysql-credentials-rotation-router";
+import { registerOracleDBCredentialsRotationRouter } from "./oracledb-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";

 export * from "./secret-rotation-v2-router";
@ -17,6 +18,7 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
  [SecretRotation.PostgresCredentials]: registerPostgresCredentialsRotationRouter,
  [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter,
  [SecretRotation.MySqlCredentials]: registerMySqlCredentialsRotationRouter,
+  [SecretRotation.OracleDBCredentials]: registerOracleDBCredentialsRotationRouter,
  [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
  [SecretRotation.AzureClientSecret]: registerAzureClientSecretRotationRouter,
  [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter,
--- a/backend/src/ee/routes/v2/secret-rotation-v2-routers/oracledb-credentials-rotation-router.ts
+++ b/backend/src/ee/routes/v2/secret-rotation-v2-routers/oracledb-credentials-rotation-router.ts
@ -0,0 +1,19 @@
+import {
+  CreateOracleDBCredentialsRotationSchema,
+  OracleDBCredentialsRotationSchema,
+  UpdateOracleDBCredentialsRotationSchema
+} from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { SqlCredentialsRotationGeneratedCredentialsSchema } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerOracleDBCredentialsRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.OracleDBCredentials,
+    server,
+    responseSchema: OracleDBCredentialsRotationSchema,
+    createSchema: CreateOracleDBCredentialsRotationSchema,
+    updateSchema: UpdateOracleDBCredentialsRotationSchema,
+    generatedCredentialsSchema: SqlCredentialsRotationGeneratedCredentialsSchema
+  });
--- a/backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts
+++ b/backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts
@ -7,6 +7,7 @@ import { AzureClientSecretRotationListItemSchema } from "@app/ee/services/secret
 import { LdapPasswordRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { MySqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
+import { OracleDBCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
 import { ApiDocsTags, SecretRotations } from "@app/lib/api-docs";
@ -18,6 +19,7 @@ const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
  PostgresCredentialsRotationListItemSchema,
  MsSqlCredentialsRotationListItemSchema,
  MySqlCredentialsRotationListItemSchema,
+  OracleDBCredentialsRotationListItemSchema,
  Auth0ClientSecretRotationListItemSchema,
  AzureClientSecretRotationListItemSchema,
  AwsIamUserSecretRotationListItemSchema,
--- a/backend/src/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-router.ts
+++ b/backend/src/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-router.ts
@ -187,6 +187,56 @@ export const registerSecretScanningV2Router = async (server: FastifyZodProvider)
    }
  });

+  server.route({
+    method: "PATCH",
+    url: "/findings",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: "Update one or more Secret Scanning Findings in a batch.",
+      body: z
+        .object({
+          findingId: z.string().trim().min(1, "Finding ID required").describe(SecretScanningFindings.UPDATE.findingId),
+          status: z.nativeEnum(SecretScanningFindingStatus).optional().describe(SecretScanningFindings.UPDATE.status),
+          remarks: z.string().nullish().describe(SecretScanningFindings.UPDATE.remarks)
+        })
+        .array()
+        .max(500),
+      response: {
+        200: z.object({ findings: SecretScanningFindingSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { body, permission } = req;
+
+      const updatedFindingPromises = body.map(async (findingUpdatePayload) => {
+        const { finding, projectId } = await server.services.secretScanningV2.updateSecretScanningFindingById(
+          findingUpdatePayload,
+          permission
+        );
+
+        await server.services.auditLog.createAuditLog({
+          ...req.auditLogInfo,
+          projectId,
+          event: {
+            type: EventType.SECRET_SCANNING_FINDING_UPDATE,
+            metadata: findingUpdatePayload
+          }
+        });
+
+        return finding;
+      });
+
+      const findings = await Promise.all(updatedFindingPromises);
+
+      return { findings };
+    }
+  });
+
  server.route({
    method: "GET",
    url: "/configs",
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-approver-dal.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-approver-dal.ts
@ -1,15 +1,15 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
+import { ormify, TOrmify } from "@app/lib/knex";

-export type TAccessApprovalPolicyApproverDALFactory = ReturnType<typeof accessApprovalPolicyApproverDALFactory>;
+export type TAccessApprovalPolicyApproverDALFactory = TOrmify<TableName.AccessApprovalPolicyApprover>;

 export const accessApprovalPolicyApproverDALFactory = (db: TDbClient) => {
  const accessApprovalPolicyApproverOrm = ormify(db, TableName.AccessApprovalPolicyApprover);
  return { ...accessApprovalPolicyApproverOrm };
 };

-export type TAccessApprovalPolicyBypasserDALFactory = ReturnType<typeof accessApprovalPolicyBypasserDALFactory>;
+export type TAccessApprovalPolicyBypasserDALFactory = TOrmify<TableName.AccessApprovalPolicyBypasser>;

 export const accessApprovalPolicyBypasserDALFactory = (db: TDbClient) => {
  const accessApprovalPolicyBypasserOrm = ormify(db, TableName.AccessApprovalPolicyBypasser);
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
@ -3,13 +3,363 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies, TUsers } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
+import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter, TOrmify } from "@app/lib/knex";

-import { ApproverType, BypasserType } from "./access-approval-policy-types";
+import {
+  ApproverType,
+  BypasserType,
+  TCreateAccessApprovalPolicy,
+  TDeleteAccessApprovalPolicy,
+  TGetAccessApprovalPolicyByIdDTO,
+  TGetAccessPolicyCountByEnvironmentDTO,
+  TListAccessApprovalPoliciesDTO,
+  TUpdateAccessApprovalPolicy
+} from "./access-approval-policy-types";

-export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;
+export interface TAccessApprovalPolicyDALFactory
+  extends Omit<TOrmify<TableName.AccessApprovalPolicy>, "findById" | "find"> {
+  find: (
+    filter: TFindFilter<
+      TAccessApprovalPolicies & {
+        projectId: string;
+      }
+    >,
+    customFilter?: {
+      policyId?: string;
+    },
+    tx?: Knex
+  ) => Promise<
+    {
+      approvers: (
+        | {
+            id: string | null | undefined;
+            type: ApproverType.User;
+            name: string;
+            sequence: number | null | undefined;
+            approvalsRequired: number | null | undefined;
+          }
+        | {
+            id: string | null | undefined;
+            type: ApproverType.Group;
+            sequence: number | null | undefined;
+            approvalsRequired: number | null | undefined;
+          }
+      )[];
+      name: string;
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      approvals: number;
+      envId: string;
+      enforcementLevel: string;
+      allowedSelfApprovals: boolean;
+      secretPath?: string | null | undefined;
+      deletedAt?: Date | null | undefined;
+      environment: {
+        id: string;
+        name: string;
+        slug: string;
+      };
+      projectId: string;
+      bypassers: (
+        | {
+            id: string | null | undefined;
+            type: BypasserType.User;
+            name: string;
+          }
+        | {
+            id: string | null | undefined;
+            type: BypasserType.Group;
+          }
+      )[];
+    }[]
+  >;
+  findById: (
+    policyId: string,
+    tx?: Knex
+  ) => Promise<
+    | {
+        approvers: {
+          id: string | null | undefined;
+          type: string;
+          sequence: number | null | undefined;
+          approvalsRequired: number | null | undefined;
+        }[];
+        name: string;
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        approvals: number;
+        envId: string;
+        enforcementLevel: string;
+        allowedSelfApprovals: boolean;
+        secretPath?: string | null | undefined;
+        deletedAt?: Date | null | undefined;
+        environment: {
+          id: string;
+          name: string;
+          slug: string;
+        };
+        projectId: string;
+      }
+    | undefined
+  >;
+  softDeleteById: (
+    policyId: string,
+    tx?: Knex
+  ) => Promise<{
+    name: string;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    approvals: number;
+    envId: string;
+    enforcementLevel: string;
+    allowedSelfApprovals: boolean;
+    secretPath?: string | null | undefined;
+    deletedAt?: Date | null | undefined;
+  }>;
+  findLastValidPolicy: (
+    {
+      envId,
+      secretPath
+    }: {
+      envId: string;
+      secretPath: string;
+    },
+    tx?: Knex
+  ) => Promise<
+    | {
+        name: string;
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        approvals: number;
+        envId: string;
+        enforcementLevel: string;
+        allowedSelfApprovals: boolean;
+        secretPath?: string | null | undefined;
+        deletedAt?: Date | null | undefined;
+      }
+    | undefined
+  >;
+}

-export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
+export interface TAccessApprovalPolicyServiceFactory {
+  getAccessPolicyCountByEnvSlug: ({
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectSlug,
+    actorId,
+    envSlug
+  }: TGetAccessPolicyCountByEnvironmentDTO) => Promise<{
+    count: number;
+  }>;
+  createAccessApprovalPolicy: ({
+    name,
+    actor,
+    actorId,
+    actorOrgId,
+    secretPath,
+    actorAuthMethod,
+    approvals,
+    approvers,
+    bypassers,
+    projectSlug,
+    environment,
+    enforcementLevel,
+    allowedSelfApprovals,
+    approvalsRequired
+  }: TCreateAccessApprovalPolicy) => Promise<{
+    environment: {
+      name: string;
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      projectId: string;
+      slug: string;
+      position: number;
+    };
+    projectId: string;
+    name: string;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    approvals: number;
+    envId: string;
+    enforcementLevel: string;
+    allowedSelfApprovals: boolean;
+    secretPath?: string | null | undefined;
+    deletedAt?: Date | null | undefined;
+  }>;
+  deleteAccessApprovalPolicy: ({
+    policyId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TDeleteAccessApprovalPolicy) => Promise<{
+    approvers: {
+      id: string | null | undefined;
+      type: string;
+      sequence: number | null | undefined;
+      approvalsRequired: number | null | undefined;
+    }[];
+    name: string;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    approvals: number;
+    envId: string;
+    enforcementLevel: string;
+    allowedSelfApprovals: boolean;
+    secretPath?: string | null | undefined;
+    deletedAt?: Date | null | undefined;
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    projectId: string;
+  }>;
+  updateAccessApprovalPolicy: ({
+    policyId,
+    approvers,
+    bypassers,
+    secretPath,
+    name,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    approvals,
+    enforcementLevel,
+    allowedSelfApprovals,
+    approvalsRequired
+  }: TUpdateAccessApprovalPolicy) => Promise<{
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    projectId: string;
+    name: string;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    approvals: number;
+    envId: string;
+    enforcementLevel: string;
+    allowedSelfApprovals: boolean;
+    secretPath?: string | null | undefined;
+    deletedAt?: Date | null | undefined;
+  }>;
+  getAccessApprovalPolicyByProjectSlug: ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectSlug
+  }: TListAccessApprovalPoliciesDTO) => Promise<
+    {
+      approvers: (
+        | {
+            id: string | null | undefined;
+            type: ApproverType;
+            name: string;
+            sequence: number | null | undefined;
+            approvalsRequired: number | null | undefined;
+          }
+        | {
+            id: string | null | undefined;
+            type: ApproverType;
+            sequence: number | null | undefined;
+            approvalsRequired: number | null | undefined;
+          }
+      )[];
+      name: string;
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      approvals: number;
+      envId: string;
+      enforcementLevel: string;
+      allowedSelfApprovals: boolean;
+      secretPath?: string | null | undefined;
+      deletedAt?: Date | null | undefined;
+      environment: {
+        id: string;
+        name: string;
+        slug: string;
+      };
+      projectId: string;
+      bypassers: (
+        | {
+            id: string | null | undefined;
+            type: BypasserType;
+            name: string;
+          }
+        | {
+            id: string | null | undefined;
+            type: BypasserType;
+          }
+      )[];
+    }[]
+  >;
+  getAccessApprovalPolicyById: ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    policyId
+  }: TGetAccessApprovalPolicyByIdDTO) => Promise<{
+    approvers: (
+      | {
+          id: string | null | undefined;
+          type: ApproverType.User;
+          name: string;
+          sequence: number | null | undefined;
+          approvalsRequired: number | null | undefined;
+        }
+      | {
+          id: string | null | undefined;
+          type: ApproverType.Group;
+          sequence: number | null | undefined;
+          approvalsRequired: number | null | undefined;
+        }
+    )[];
+    name: string;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    approvals: number;
+    envId: string;
+    enforcementLevel: string;
+    allowedSelfApprovals: boolean;
+    secretPath?: string | null | undefined;
+    deletedAt?: Date | null | undefined;
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    projectId: string;
+    bypassers: (
+      | {
+          id: string | null | undefined;
+          type: BypasserType.User;
+          name: string;
+        }
+      | {
+          id: string | null | undefined;
+          type: BypasserType.Group;
+        }
+    )[];
+  }>;
+}
+
+export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPolicyDALFactory => {
  const accessApprovalPolicyOrm = ormify(db, TableName.AccessApprovalPolicy);

  const accessApprovalPolicyFindQuery = async (
@ -48,6 +398,8 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
      .select(tx.ref("username").withSchema("bypasserUsers").as("bypasserUsername"))
      .select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
      .select(tx.ref("approverGroupId").withSchema(TableName.AccessApprovalPolicyApprover))
+      .select(tx.ref("sequence").withSchema(TableName.AccessApprovalPolicyApprover).as("approverSequence"))
+      .select(tx.ref("approvalsRequired").withSchema(TableName.AccessApprovalPolicyApprover))
      .select(tx.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser))
      .select(tx.ref("bypasserGroupId").withSchema(TableName.AccessApprovalPolicyBypasser))
      .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
@ -59,7 +411,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
    return result;
  };

-  const findById = async (policyId: string, tx?: Knex) => {
+  const findById: TAccessApprovalPolicyDALFactory["findById"] = async (policyId, tx) => {
    try {
      const doc = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), {
        [`${TableName.AccessApprovalPolicy}.id` as "id"]: policyId
@ -80,35 +432,37 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
          {
            key: "approverUserId",
            label: "approvers" as const,
-            mapper: ({ approverUserId: id }) => ({
+            mapper: ({ approverUserId: id, approverSequence, approvalsRequired }) => ({
              id,
-              type: "user"
+              type: "user",
+              sequence: approverSequence,
+              approvalsRequired
            })
          },
          {
            key: "approverGroupId",
            label: "approvers" as const,
-            mapper: ({ approverGroupId: id }) => ({
+            mapper: ({ approverGroupId: id, approverSequence, approvalsRequired }) => ({
              id,
-              type: "group"
+              type: "group",
+              sequence: approverSequence,
+              approvalsRequired
            })
          }
        ]
      });
+      if (!formattedDoc?.[0]) return;

-      return formattedDoc?.[0];
+      return {
+        ...formattedDoc?.[0],
+        approvers: formattedDoc?.[0]?.approvers.sort((a, b) => (a.sequence || 1) - (b.sequence || 1))
+      };
    } catch (error) {
      throw new DatabaseError({ error, name: "FindById" });
    }
  };

-  const find = async (
-    filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>,
-    customFilter?: {
-      policyId?: string;
-    },
-    tx?: Knex
-  ) => {
+  const find: TAccessApprovalPolicyDALFactory["find"] = async (filter, customFilter, tx) => {
    try {
      const docs = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), filter, customFilter);

@ -129,18 +483,22 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
          {
            key: "approverUserId",
            label: "approvers" as const,
-            mapper: ({ approverUserId: id, approverUsername }) => ({
+            mapper: ({ approverUserId: id, approverUsername, approverSequence, approvalsRequired }) => ({
              id,
-              type: ApproverType.User,
-              name: approverUsername
+              type: ApproverType.User as const,
+              name: approverUsername,
+              sequence: approverSequence,
+              approvalsRequired
            })
          },
          {
            key: "approverGroupId",
            label: "approvers" as const,
-            mapper: ({ approverGroupId: id }) => ({
+            mapper: ({ approverGroupId: id, approverSequence, approvalsRequired }) => ({
              id,
-              type: ApproverType.Group
+              type: ApproverType.Group as const,
+              sequence: approverSequence,
+              approvalsRequired
            })
          },
          {
@ -148,7 +506,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
            label: "bypassers" as const,
            mapper: ({ bypasserUserId: id, bypasserUsername }) => ({
              id,
-              type: BypasserType.User,
+              type: BypasserType.User as const,
              name: bypasserUsername
            })
          },
@ -157,24 +515,30 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
            label: "bypassers" as const,
            mapper: ({ bypasserGroupId: id }) => ({
              id,
-              type: BypasserType.Group
+              type: BypasserType.Group as const
            })
          }
        ]
      });

-      return formattedDocs;
+      return formattedDocs.map((el) => ({
+        ...el,
+        approvers: el?.approvers.sort((a, b) => (a.sequence || 1) - (b.sequence || 1))
+      }));
    } catch (error) {
      throw new DatabaseError({ error, name: "Find" });
    }
  };

-  const softDeleteById = async (policyId: string, tx?: Knex) => {
+  const softDeleteById: TAccessApprovalPolicyDALFactory["softDeleteById"] = async (policyId, tx) => {
    const softDeletedPolicy = await accessApprovalPolicyOrm.updateById(policyId, { deletedAt: new Date() }, tx);
    return softDeletedPolicy;
  };

-  const findLastValidPolicy = async ({ envId, secretPath }: { envId: string; secretPath: string }, tx?: Knex) => {
+  const findLastValidPolicy: TAccessApprovalPolicyDALFactory["findLastValidPolicy"] = async (
+    { envId, secretPath },
+    tx
+  ) => {
    try {
      const result = await (tx || db.replicaNode())(TableName.AccessApprovalPolicy)
        .where(
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@ -1,9 +1,10 @@
 import { ForbiddenError } from "@casl/ability";

 import { ActionProjectType } from "@app/db/schemas";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { groupBy } from "@app/lib/fn";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
@ -23,9 +24,8 @@ import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
 import {
  ApproverType,
  BypasserType,
-  TCreateAccessApprovalPolicy,
+  TAccessApprovalPolicyServiceFactory,
  TDeleteAccessApprovalPolicy,
-  TGetAccessApprovalPolicyByIdDTO,
  TGetAccessPolicyCountByEnvironmentDTO,
  TListAccessApprovalPoliciesDTO,
  TUpdateAccessApprovalPolicy
@ -41,14 +41,12 @@ type TAccessApprovalPolicyServiceFactoryDep = {
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
  groupDAL: TGroupDALFactory;
  userDAL: Pick<TUserDALFactory, "find">;
-  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "update" | "find">;
+  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "update" | "find" | "resetReviewByPolicyId">;
  additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
-  accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update">;
+  accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update" | "delete">;
  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find">;
 };

-export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
-
 export const accessApprovalPolicyServiceFactory = ({
  accessApprovalPolicyDAL,
  accessApprovalPolicyApproverDAL,
@ -62,8 +60,8 @@ export const accessApprovalPolicyServiceFactory = ({
  additionalPrivilegeDAL,
  accessApprovalRequestReviewerDAL,
  orgMembershipDAL
-}: TAccessApprovalPolicyServiceFactoryDep) => {
-  const createAccessApprovalPolicy = async ({
+}: TAccessApprovalPolicyServiceFactoryDep): TAccessApprovalPolicyServiceFactory => {
+  const createAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["createAccessApprovalPolicy"] = async ({
    name,
    actor,
    actorId,
@ -76,27 +74,23 @@ export const accessApprovalPolicyServiceFactory = ({
    projectSlug,
    environment,
    enforcementLevel,
-    allowedSelfApprovals
-  }: TCreateAccessApprovalPolicy) => {
+    allowedSelfApprovals,
+    approvalsRequired
+  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    // If there is a group approver people might be added to the group later to meet the approvers quota
-    const groupApprovers = approvers
-      .filter((approver) => approver.type === ApproverType.Group)
-      .map((approver) => approver.id) as string[];
+    const groupApprovers = approvers.filter((approver) => approver.type === ApproverType.Group);

-    const userApprovers = approvers
-      .filter((approver) => approver.type === ApproverType.User)
-      .map((approver) => approver.id)
-      .filter(Boolean) as string[];
+    const userApprovers = approvers.filter((approver) => approver.type === ApproverType.User && approver.id) as {
+      id: string;
+      sequence?: number;
+    }[];

-    const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
-      .filter(Boolean) as string[];
-
-    if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
-      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
+    const userApproverNames = approvers.filter(
+      (approver) => approver.type === ApproverType.User && approver.username
+    ) as { username: string; sequence?: number }[];

    const { permission } = await permissionService.getProjectPermission({
      actor,
@ -116,14 +110,13 @@ export const accessApprovalPolicyServiceFactory = ({

    let approverUserIds = userApprovers;
    if (userApproverNames.length) {
-      const approverUsers = await userDAL.find({
+      const approverUsersInDB = await userDAL.find({
        $in: {
-          username: userApproverNames
+          username: userApproverNames.map((el) => el.username)
        }
      });
-
-      const approverNamesFromDb = approverUsers.map((user) => user.username);
-      const invalidUsernames = userApproverNames.filter((username) => !approverNamesFromDb.includes(username));
+      const approverUsersInDBGroupByUsername = groupBy(approverUsersInDB, (i) => i.username);
+      const invalidUsernames = userApproverNames.filter((el) => !approverUsersInDBGroupByUsername?.[el.username]?.[0]);

      if (invalidUsernames.length) {
        throw new BadRequestError({
@ -131,32 +124,13 @@ export const accessApprovalPolicyServiceFactory = ({
        });
      }

-      approverUserIds = approverUserIds.concat(approverUsers.map((user) => user.id));
-    }
-
-    const usersPromises: Promise<
-      {
-        id: string;
-        email: string | null | undefined;
-        username: string;
-        firstName: string | null | undefined;
-        lastName: string | null | undefined;
-        isPartOfGroup: boolean;
-      }[]
-    >[] = [];
-    const verifyAllApprovers = [...approverUserIds];
-
-    for (const groupId of groupApprovers) {
-      usersPromises.push(
-        groupDAL.findAllGroupPossibleMembers({ orgId: actorOrgId, groupId, offset: 0 }).then((group) => group.members)
+      approverUserIds = approverUserIds.concat(
+        userApproverNames.map((el) => ({
+          id: approverUsersInDBGroupByUsername[el.username]?.[0].id,
+          sequence: el.sequence
+        }))
      );
    }
-    const verifyGroupApprovers = (await Promise.all(usersPromises))
-      .flat()
-      .filter((user) => user.isPartOfGroup)
-      .map((user) => user.id);
-    verifyAllApprovers.push(...verifyGroupApprovers);
-
    let groupBypassers: string[] = [];
    let bypasserUserIds: string[] = [];

@ -195,6 +169,7 @@ export const accessApprovalPolicyServiceFactory = ({
      }
    }

+    const approvalsRequiredGroupByStepNumber = groupBy(approvalsRequired || [], (i) => i.stepNumber);
    const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
      const doc = await accessApprovalPolicyDAL.create(
        {
@ -210,9 +185,13 @@ export const accessApprovalPolicyServiceFactory = ({

      if (approverUserIds.length) {
        await accessApprovalPolicyApproverDAL.insertMany(
-          approverUserIds.map((userId) => ({
-            approverUserId: userId,
-            policyId: doc.id
+          approverUserIds.map((el) => ({
+            approverUserId: el.id,
+            policyId: doc.id,
+            sequence: el.sequence,
+            approvalsRequired: el.sequence
+              ? approvalsRequiredGroupByStepNumber?.[el.sequence]?.[0]?.numberOfApprovals
+              : approvals
          })),
          tx
        );
@ -220,9 +199,13 @@ export const accessApprovalPolicyServiceFactory = ({

      if (groupApprovers) {
        await accessApprovalPolicyApproverDAL.insertMany(
-          groupApprovers.map((groupId) => ({
-            approverGroupId: groupId,
-            policyId: doc.id
+          groupApprovers.map((el) => ({
+            approverGroupId: el.id,
+            policyId: doc.id,
+            sequence: el.sequence,
+            approvalsRequired: el.sequence
+              ? approvalsRequiredGroupByStepNumber?.[el.sequence]?.[0]?.numberOfApprovals
+              : approvals
          })),
          tx
        );
@ -254,31 +237,26 @@ export const accessApprovalPolicyServiceFactory = ({
    return { ...accessApproval, environment: env, projectId: project.id };
  };

-  const getAccessApprovalPolicyByProjectSlug = async ({
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    projectSlug
-  }: TListAccessApprovalPoliciesDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
+  const getAccessApprovalPolicyByProjectSlug: TAccessApprovalPolicyServiceFactory["getAccessApprovalPolicyByProjectSlug"] =
+    async ({ actorId, actor, actorOrgId, actorAuthMethod, projectSlug }: TListAccessApprovalPoliciesDTO) => {
+      const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+      if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

-    // Anyone in the project should be able to get the policies.
-    await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId: project.id,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      // Anyone in the project should be able to get the policies.
+      await permissionService.getProjectPermission({
+        actor,
+        actorId,
+        projectId: project.id,
+        actorAuthMethod,
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
+      });

-    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
-    return accessApprovalPolicies;
-  };
+      const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
+      return accessApprovalPolicies;
+    };

-  const updateAccessApprovalPolicy = async ({
+  const updateAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["updateAccessApprovalPolicy"] = async ({
    policyId,
    approvers,
    bypassers,
@ -290,22 +268,22 @@ export const accessApprovalPolicyServiceFactory = ({
    actorAuthMethod,
    approvals,
    enforcementLevel,
-    allowedSelfApprovals
+    allowedSelfApprovals,
+    approvalsRequired
  }: TUpdateAccessApprovalPolicy) => {
-    const groupApprovers = approvers
-      .filter((approver) => approver.type === ApproverType.Group)
-      .map((approver) => approver.id) as string[];
+    const groupApprovers = approvers.filter((approver) => approver.type === ApproverType.Group);

-    const userApprovers = approvers
-      .filter((approver) => approver.type === ApproverType.User)
-      .map((approver) => approver.id)
-      .filter(Boolean) as string[];
-
-    const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
-      .filter(Boolean) as string[];
+    const userApprovers = approvers.filter((approver) => approver.type === ApproverType.User && approver.id) as {
+      id: string;
+      sequence?: number;
+    }[];
+    const userApproverNames = approvers.filter(
+      (approver) => approver.type === ApproverType.User && approver.username
+    ) as { username: string; sequence?: number }[];

    const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
+    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Approval policy not found" });
+
    const currentApprovals = approvals || accessApprovalPolicy.approvals;
    if (
      groupApprovers?.length === 0 &&
@ -401,6 +379,7 @@ export const accessApprovalPolicyServiceFactory = ({
      }
    }

+    const approvalsRequiredGroupByStepNumber = groupBy(approvalsRequired || [], (i) => i.stepNumber);
    const updatedPolicy = await accessApprovalPolicyDAL.transaction(async (tx) => {
      const doc = await accessApprovalPolicyDAL.updateById(
        accessApprovalPolicy.id,
@ -417,16 +396,18 @@ export const accessApprovalPolicyServiceFactory = ({
      await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);

      if (userApprovers.length || userApproverNames.length) {
-        let userApproverIds = userApprovers;
+        let approverUserIds = userApprovers;
        if (userApproverNames.length) {
-          const approverUsers = await userDAL.find({
+          const approverUsersInDB = await userDAL.find({
            $in: {
-              username: userApproverNames
+              username: userApproverNames.map((el) => el.username)
            }
          });
+          const approverUsersInDBGroupByUsername = groupBy(approverUsersInDB, (i) => i.username);

-          const approverNamesFromDb = approverUsers.map((user) => user.username);
-          const invalidUsernames = userApproverNames.filter((username) => !approverNamesFromDb.includes(username));
+          const invalidUsernames = userApproverNames.filter(
+            (el) => !approverUsersInDBGroupByUsername?.[el.username]?.[0]
+          );

          if (invalidUsernames.length) {
            throw new BadRequestError({
@ -434,13 +415,21 @@ export const accessApprovalPolicyServiceFactory = ({
            });
          }

-          userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
+          approverUserIds = approverUserIds.concat(
+            userApproverNames.map((el) => ({
+              id: approverUsersInDBGroupByUsername[el.username]?.[0].id,
+              sequence: el.sequence
+            }))
+          );
        }
-
        await accessApprovalPolicyApproverDAL.insertMany(
-          userApproverIds.map((userId) => ({
-            approverUserId: userId,
-            policyId: doc.id
+          approverUserIds.map((el) => ({
+            approverUserId: el.id,
+            policyId: doc.id,
+            sequence: el.sequence,
+            approvalsRequired: el.sequence
+              ? approvalsRequiredGroupByStepNumber?.[el.sequence]?.[0]?.numberOfApprovals
+              : approvals
          })),
          tx
        );
@ -448,9 +437,13 @@ export const accessApprovalPolicyServiceFactory = ({

      if (groupApprovers) {
        await accessApprovalPolicyApproverDAL.insertMany(
-          groupApprovers.map((groupId) => ({
-            approverGroupId: groupId,
-            policyId: doc.id
+          groupApprovers.map((el) => ({
+            approverGroupId: el.id,
+            policyId: doc.id,
+            sequence: el.sequence,
+            approvalsRequired: el.sequence
+              ? approvalsRequiredGroupByStepNumber?.[el.sequence]?.[0]?.numberOfApprovals
+              : approvals
          })),
          tx
        );
@ -478,8 +471,11 @@ export const accessApprovalPolicyServiceFactory = ({
        );
      }

+      await accessApprovalRequestDAL.resetReviewByPolicyId(doc.id, tx);
+
      return doc;
    });
+
    return {
      ...updatedPolicy,
      environment: accessApprovalPolicy.environment,
@ -487,7 +483,7 @@ export const accessApprovalPolicyServiceFactory = ({
    };
  };

-  const deleteAccessApprovalPolicy = async ({
+  const deleteAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["deleteAccessApprovalPolicy"] = async ({
    policyId,
    actor,
    actorId,
@ -536,7 +532,7 @@ export const accessApprovalPolicyServiceFactory = ({
    return policy;
  };

-  const getAccessPolicyCountByEnvSlug = async ({
+  const getAccessPolicyCountByEnvSlug: TAccessApprovalPolicyServiceFactory["getAccessPolicyCountByEnvSlug"] = async ({
    actor,
    actorOrgId,
    actorAuthMethod,
@ -573,13 +569,13 @@ export const accessApprovalPolicyServiceFactory = ({
    return { count: policies.length };
  };

-  const getAccessApprovalPolicyById = async ({
+  const getAccessApprovalPolicyById: TAccessApprovalPolicyServiceFactory["getAccessApprovalPolicyById"] = async ({
    actorId,
    actor,
    actorOrgId,
    actorAuthMethod,
    policyId
-  }: TGetAccessApprovalPolicyByIdDTO) => {
+  }) => {
    const [policy] = await accessApprovalPolicyDAL.find({}, { policyId });

    if (!policy) {
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
@ -1,7 +1,7 @@
 import { EnforcementLevel, TProjectPermission } from "@app/lib/types";
 import { ActorAuthMethod } from "@app/services/auth/auth-type";

-import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TPermissionServiceFactory } from "../permission/permission-service-types";

 export type TIsApproversValid = {
  userIds: string[];
@ -27,7 +27,10 @@ export type TCreateAccessApprovalPolicy = {
  approvals: number;
  secretPath: string;
  environment: string;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
+  approvers: (
+    | { type: ApproverType.Group; id: string; sequence?: number }
+    | { type: ApproverType.User; id?: string; username?: string; sequence?: number }
+  )[];
  bypassers?: (
    | { type: BypasserType.Group; id: string }
    | { type: BypasserType.User; id?: string; username?: string }
@ -36,12 +39,16 @@ export type TCreateAccessApprovalPolicy = {
  name: string;
  enforcementLevel: EnforcementLevel;
  allowedSelfApprovals: boolean;
+  approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
 } & Omit<TProjectPermission, "projectId">;

 export type TUpdateAccessApprovalPolicy = {
  policyId: string;
  approvals?: number;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
+  approvers: (
+    | { type: ApproverType.Group; id: string; sequence?: number }
+    | { type: ApproverType.User; id?: string; username?: string; sequence?: number }
+  )[];
  bypassers?: (
    | { type: BypasserType.Group; id: string }
    | { type: BypasserType.User; id?: string; username?: string }
@ -50,6 +57,7 @@ export type TUpdateAccessApprovalPolicy = {
  name?: string;
  enforcementLevel?: EnforcementLevel;
  allowedSelfApprovals: boolean;
+  approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
 } & Omit<TProjectPermission, "projectId">;

 export type TDeleteAccessApprovalPolicy = {
@ -68,3 +76,217 @@ export type TGetAccessApprovalPolicyByIdDTO = {
 export type TListAccessApprovalPoliciesDTO = {
  projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export interface TAccessApprovalPolicyServiceFactory {
+  getAccessPolicyCountByEnvSlug: ({
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectSlug,
+    actorId,
+    envSlug
+  }: TGetAccessPolicyCountByEnvironmentDTO) => Promise<{
+    count: number;
+  }>;
+  createAccessApprovalPolicy: ({
+    name,
+    actor,
+    actorId,
+    actorOrgId,
+    secretPath,
+    actorAuthMethod,
+    approvals,
+    approvers,
+    bypassers,
+    projectSlug,
+    environment,
+    enforcementLevel,
+    allowedSelfApprovals,
+    approvalsRequired
+  }: TCreateAccessApprovalPolicy) => Promise<{
+    environment: {
+      name: string;
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      projectId: string;
+      slug: string;
+      position: number;
+    };
+    projectId: string;
+    name: string;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    approvals: number;
+    envId: string;
+    enforcementLevel: string;
+    allowedSelfApprovals: boolean;
+    secretPath?: string | null | undefined;
+    deletedAt?: Date | null | undefined;
+  }>;
+  deleteAccessApprovalPolicy: ({
+    policyId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TDeleteAccessApprovalPolicy) => Promise<{
+    approvers: {
+      id: string | null | undefined;
+      type: string;
+      sequence: number | null | undefined;
+      approvalsRequired: number | null | undefined;
+    }[];
+    name: string;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    approvals: number;
+    envId: string;
+    enforcementLevel: string;
+    allowedSelfApprovals: boolean;
+    secretPath?: string | null | undefined;
+    deletedAt?: Date | null | undefined;
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    projectId: string;
+  }>;
+  updateAccessApprovalPolicy: ({
+    policyId,
+    approvers,
+    bypassers,
+    secretPath,
+    name,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    approvals,
+    enforcementLevel,
+    allowedSelfApprovals,
+    approvalsRequired
+  }: TUpdateAccessApprovalPolicy) => Promise<{
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    projectId: string;
+    name: string;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    approvals: number;
+    envId: string;
+    enforcementLevel: string;
+    allowedSelfApprovals: boolean;
+    secretPath?: string | null | undefined;
+    deletedAt?: Date | null | undefined;
+  }>;
+  getAccessApprovalPolicyByProjectSlug: ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectSlug
+  }: TListAccessApprovalPoliciesDTO) => Promise<
+    {
+      approvers: (
+        | {
+            id: string | null | undefined;
+            type: ApproverType;
+            name: string;
+            sequence: number | null | undefined;
+            approvalsRequired: number | null | undefined;
+          }
+        | {
+            id: string | null | undefined;
+            type: ApproverType;
+            sequence: number | null | undefined;
+            approvalsRequired: number | null | undefined;
+          }
+      )[];
+      name: string;
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      approvals: number;
+      envId: string;
+      enforcementLevel: string;
+      allowedSelfApprovals: boolean;
+      secretPath?: string | null | undefined;
+      deletedAt?: Date | null | undefined;
+      environment: {
+        id: string;
+        name: string;
+        slug: string;
+      };
+      projectId: string;
+      bypassers: (
+        | {
+            id: string | null | undefined;
+            type: BypasserType;
+            name: string;
+          }
+        | {
+            id: string | null | undefined;
+            type: BypasserType;
+          }
+      )[];
+    }[]
+  >;
+  getAccessApprovalPolicyById: ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    policyId
+  }: TGetAccessApprovalPolicyByIdDTO) => Promise<{
+    approvers: (
+      | {
+          id: string | null | undefined;
+          type: ApproverType.User;
+          name: string;
+          sequence: number | null | undefined;
+          approvalsRequired: number | null | undefined;
+        }
+      | {
+          id: string | null | undefined;
+          type: ApproverType.Group;
+          sequence: number | null | undefined;
+          approvalsRequired: number | null | undefined;
+        }
+    )[];
+    name: string;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    approvals: number;
+    envId: string;
+    enforcementLevel: string;
+    allowedSelfApprovals: boolean;
+    secretPath?: string | null | undefined;
+    deletedAt?: Date | null | undefined;
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    projectId: string;
+    bypassers: (
+      | {
+          id: string | null | undefined;
+          type: BypasserType.User;
+          name: string;
+        }
+      | {
+          id: string | null | undefined;
+          type: BypasserType.Group;
+        }
+    )[];
+  }>;
+}
--- a/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
@ -9,195 +9,442 @@ import {
  TUsers
 } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
+import { ormify, selectAllTableCols, sqlNestRelationships, TFindFilter, TOrmify } from "@app/lib/knex";

 import { ApprovalStatus } from "./access-approval-request-types";

-export type TAccessApprovalRequestDALFactory = ReturnType<typeof accessApprovalRequestDALFactory>;
+export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName.AccessApprovalRequest>, "findById"> {
+  findById: (
+    id: string,
+    tx?: Knex
+  ) => Promise<
+    | {
+        policy: {
+          approvers: (
+            | {
+                userId: string | null | undefined;
+                email: string | null | undefined;
+                firstName: string | null | undefined;
+                lastName: string | null | undefined;
+                username: string;
+                sequence: number | null | undefined;
+                approvalsRequired: number | null | undefined;
+              }
+            | {
+                userId: string;
+                email: string | null | undefined;
+                firstName: string | null | undefined;
+                lastName: string | null | undefined;
+                username: string;
+                sequence: number | null | undefined;
+                approvalsRequired: number | null | undefined;
+              }
+          )[];
+          bypassers: (
+            | {
+                userId: string | null | undefined;
+                email: string | null | undefined;
+                firstName: string | null | undefined;
+                lastName: string | null | undefined;
+                username: string;
+              }
+            | {
+                userId: string;
+                email: string | null | undefined;
+                firstName: string | null | undefined;
+                lastName: string | null | undefined;
+                username: string;
+              }
+          )[];
+          id: string;
+          name: string;
+          approvals: number;
+          secretPath: string | null | undefined;
+          enforcementLevel: string;
+          allowedSelfApprovals: boolean;
+          deletedAt: Date | null | undefined;
+        };
+        projectId: string;
+        environment: string;
+        requestedByUser: {
+          userId: string;
+          email: string | null | undefined;
+          firstName: string | null | undefined;
+          lastName: string | null | undefined;
+          username: string;
+        };
+        status: string;
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        policyId: string;
+        isTemporary: boolean;
+        requestedByUserId: string;
+        privilegeId?: string | null | undefined;
+        requestedBy?: string | null | undefined;
+        temporaryRange?: string | null | undefined;
+        permissions?: unknown;
+        note?: string | null | undefined;
+        privilegeDeletedAt?: Date | null | undefined;
+        reviewers: {
+          userId: string;
+          status: string;
+          email: string | null | undefined;
+          firstName: string | null | undefined;
+          lastName: string | null | undefined;
+          username: string;
+        }[];
+        approvers: (
+          | {
+              userId: string | null | undefined;
+              email: string | null | undefined;
+              firstName: string | null | undefined;
+              lastName: string | null | undefined;
+              username: string;
+              sequence: number | null | undefined;
+              approvalsRequired: number | null | undefined;
+            }
+          | {
+              userId: string;
+              email: string | null | undefined;
+              firstName: string | null | undefined;
+              lastName: string | null | undefined;
+              username: string;
+              sequence: number | null | undefined;
+              approvalsRequired: number | null | undefined;
+            }
+        )[];
+        bypassers: (
+          | {
+              userId: string | null | undefined;
+              email: string | null | undefined;
+              firstName: string | null | undefined;
+              lastName: string | null | undefined;
+              username: string;
+            }
+          | {
+              userId: string;
+              email: string | null | undefined;
+              firstName: string | null | undefined;
+              lastName: string | null | undefined;
+              username: string;
+            }
+        )[];
+      }
+    | undefined
+  >;
+  findRequestsWithPrivilegeByPolicyIds: (policyIds: string[]) => Promise<
+    {
+      policy: {
+        approvers: (
+          | {
+              userId: string | null | undefined;
+              sequence: number | null | undefined;
+              approvalsRequired: number | null | undefined;
+              email: string | null | undefined;
+              username: string;
+            }
+          | {
+              userId: string;
+              sequence: number | null | undefined;
+              approvalsRequired: number | null | undefined;
+              email: string | null | undefined;
+              username: string;
+            }
+        )[];
+        bypassers: string[];
+        id: string;
+        name: string;
+        approvals: number;
+        secretPath: string | null | undefined;
+        enforcementLevel: string;
+        allowedSelfApprovals: boolean;
+        envId: string;
+        deletedAt: Date | null | undefined;
+      };
+      projectId: string;
+      environment: string;
+      environmentName: string;
+      requestedByUser: {
+        userId: string;
+        email: string | null | undefined;
+        firstName: string | null | undefined;
+        lastName: string | null | undefined;
+        username: string;
+      };
+      privilege: {
+        membershipId: string;
+        userId: string;
+        projectId: string;
+        isTemporary: boolean;
+        temporaryMode: string | null | undefined;
+        temporaryRange: string | null | undefined;
+        temporaryAccessStartTime: Date | null | undefined;
+        temporaryAccessEndTime: Date | null | undefined;
+        permissions: unknown;
+      } | null;
+      isApproved: boolean;
+      status: string;
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      policyId: string;
+      isTemporary: boolean;
+      requestedByUserId: string;
+      privilegeId?: string | null | undefined;
+      requestedBy?: string | null | undefined;
+      temporaryRange?: string | null | undefined;
+      permissions?: unknown;
+      note?: string | null | undefined;
+      privilegeDeletedAt?: Date | null | undefined;
+      reviewers: {
+        userId: string;
+        status: string;
+      }[];
+      approvers: (
+        | {
+            userId: string | null | undefined;
+            sequence: number | null | undefined;
+            approvalsRequired: number | null | undefined;
+            email: string | null | undefined;
+            username: string;
+          }
+        | {
+            userId: string;
+            sequence: number | null | undefined;
+            approvalsRequired: number | null | undefined;
+            email: string | null | undefined;
+            username: string;
+          }
+      )[];
+      bypassers: string[];
+    }[]
+  >;
+  getCount: ({ projectId }: { projectId: string }) => Promise<{
+    pendingCount: number;
+    finalizedCount: number;
+  }>;
+  resetReviewByPolicyId: (policyId: string, tx?: Knex) => Promise<void>;
+}

-export const accessApprovalRequestDALFactory = (db: TDbClient) => {
+export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalRequestDALFactory => {
  const accessApprovalRequestOrm = ormify(db, TableName.AccessApprovalRequest);

-  const findRequestsWithPrivilegeByPolicyIds = async (policyIds: string[]) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.AccessApprovalRequest)
-        .whereIn(`${TableName.AccessApprovalRequest}.policyId`, policyIds)
+  const findRequestsWithPrivilegeByPolicyIds: TAccessApprovalRequestDALFactory["findRequestsWithPrivilegeByPolicyIds"] =
+    async (policyIds) => {
+      try {
+        const docs = await db
+          .replicaNode()(TableName.AccessApprovalRequest)
+          .whereIn(`${TableName.AccessApprovalRequest}.policyId`, policyIds)

-        .leftJoin(
-          TableName.ProjectUserAdditionalPrivilege,
-          `${TableName.AccessApprovalRequest}.privilegeId`,
-          `${TableName.ProjectUserAdditionalPrivilege}.id`
-        )
-        .leftJoin(
-          TableName.AccessApprovalPolicy,
-          `${TableName.AccessApprovalRequest}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-        .leftJoin(
-          TableName.AccessApprovalRequestReviewer,
-          `${TableName.AccessApprovalRequest}.id`,
-          `${TableName.AccessApprovalRequestReviewer}.requestId`
-        )
+          .leftJoin(
+            TableName.ProjectUserAdditionalPrivilege,
+            `${TableName.AccessApprovalRequest}.privilegeId`,
+            `${TableName.ProjectUserAdditionalPrivilege}.id`
+          )
+          .leftJoin(
+            TableName.AccessApprovalPolicy,
+            `${TableName.AccessApprovalRequest}.policyId`,
+            `${TableName.AccessApprovalPolicy}.id`
+          )
+          .leftJoin(
+            TableName.AccessApprovalRequestReviewer,
+            `${TableName.AccessApprovalRequest}.id`,
+            `${TableName.AccessApprovalRequestReviewer}.requestId`
+          )
+          .leftJoin(
+            TableName.AccessApprovalPolicyApprover,
+            `${TableName.AccessApprovalPolicy}.id`,
+            `${TableName.AccessApprovalPolicyApprover}.policyId`
+          )
+          .leftJoin<TUsers>(
+            db(TableName.Users).as("accessApprovalPolicyApproverUser"),
+            `${TableName.AccessApprovalPolicyApprover}.approverUserId`,
+            "accessApprovalPolicyApproverUser.id"
+          )
+          .leftJoin(
+            TableName.UserGroupMembership,
+            `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
+            `${TableName.UserGroupMembership}.groupId`
+          )
+          .leftJoin(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)

-        .leftJoin(
-          TableName.AccessApprovalPolicyApprover,
-          `${TableName.AccessApprovalPolicy}.id`,
-          `${TableName.AccessApprovalPolicyApprover}.policyId`
-        )
-        .leftJoin(
-          TableName.UserGroupMembership,
-          `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
-          `${TableName.UserGroupMembership}.groupId`
-        )
-        .leftJoin(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
+          .leftJoin(
+            TableName.AccessApprovalPolicyBypasser,
+            `${TableName.AccessApprovalPolicy}.id`,
+            `${TableName.AccessApprovalPolicyBypasser}.policyId`
+          )
+          .leftJoin<TUserGroupMembership>(
+            db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
+            `${TableName.AccessApprovalPolicyBypasser}.bypasserGroupId`,
+            `bypasserUserGroupMembership.groupId`
+          )

-        .leftJoin(
-          TableName.AccessApprovalPolicyBypasser,
-          `${TableName.AccessApprovalPolicy}.id`,
-          `${TableName.AccessApprovalPolicyBypasser}.policyId`
-        )
-        .leftJoin<TUserGroupMembership>(
-          db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-          `${TableName.AccessApprovalPolicyBypasser}.bypasserGroupId`,
-          `bypasserUserGroupMembership.groupId`
-        )
+          .join<TUsers>(
+            db(TableName.Users).as("requestedByUser"),
+            `${TableName.AccessApprovalRequest}.requestedByUserId`,
+            `requestedByUser.id`
+          )

-        .join<TUsers>(
-          db(TableName.Users).as("requestedByUser"),
-          `${TableName.AccessApprovalRequest}.requestedByUserId`,
-          `requestedByUser.id`
-        )
+          .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)

-        .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
+          .select(selectAllTableCols(TableName.AccessApprovalRequest))
+          .select(
+            db.ref("id").withSchema(TableName.AccessApprovalPolicy).as("policyId"),
+            db.ref("name").withSchema(TableName.AccessApprovalPolicy).as("policyName"),
+            db.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
+            db.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
+            db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
+            db.ref("allowedSelfApprovals").withSchema(TableName.AccessApprovalPolicy).as("policyAllowedSelfApprovals"),
+            db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId"),
+            db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
+          )
+          .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
+          .select(db.ref("sequence").withSchema(TableName.AccessApprovalPolicyApprover).as("approverSequence"))
+          .select(db.ref("approvalsRequired").withSchema(TableName.AccessApprovalPolicyApprover))
+          .select(db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"))
+          .select(db.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser))
+          .select(db.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"))
+          .select(
+            db.ref("email").withSchema("accessApprovalPolicyApproverUser").as("approverEmail"),
+            db.ref("email").withSchema(TableName.Users).as("approverGroupEmail"),
+            db.ref("username").withSchema("accessApprovalPolicyApproverUser").as("approverUsername"),
+            db.ref("username").withSchema(TableName.Users).as("approverGroupUsername")
+          )
+          .select(
+            db.ref("projectId").withSchema(TableName.Environment),
+            db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
+            db.ref("name").withSchema(TableName.Environment).as("envName")
+          )

-        .select(selectAllTableCols(TableName.AccessApprovalRequest))
-        .select(
-          db.ref("id").withSchema(TableName.AccessApprovalPolicy).as("policyId"),
-          db.ref("name").withSchema(TableName.AccessApprovalPolicy).as("policyName"),
-          db.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
-          db.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
-          db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
-          db.ref("allowedSelfApprovals").withSchema(TableName.AccessApprovalPolicy).as("policyAllowedSelfApprovals"),
-          db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId"),
-          db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
-        )
+          .select(
+            db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"),
+            db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus")
+          )

-        .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
-        .select(db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"))
+          // TODO: ADD SUPPORT FOR GROUPS!!!!
+          .select(
+            db.ref("email").withSchema("requestedByUser").as("requestedByUserEmail"),
+            db.ref("username").withSchema("requestedByUser").as("requestedByUserUsername"),
+            db.ref("firstName").withSchema("requestedByUser").as("requestedByUserFirstName"),
+            db.ref("lastName").withSchema("requestedByUser").as("requestedByUserLastName"),

-        .select(db.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser))
-        .select(db.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"))
+            db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeUserId"),
+            db.ref("projectId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeMembershipId"),

-        .select(
-          db.ref("projectId").withSchema(TableName.Environment),
-          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
-          db.ref("name").withSchema(TableName.Environment).as("envName")
-        )
+            db.ref("isTemporary").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeIsTemporary"),
+            db.ref("temporaryMode").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeTemporaryMode"),
+            db.ref("temporaryRange").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeTemporaryRange"),
+            db
+              .ref("temporaryAccessStartTime")
+              .withSchema(TableName.ProjectUserAdditionalPrivilege)
+              .as("privilegeTemporaryAccessStartTime"),
+            db
+              .ref("temporaryAccessEndTime")
+              .withSchema(TableName.ProjectUserAdditionalPrivilege)
+              .as("privilegeTemporaryAccessEndTime"),

-        .select(
-          db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"),
-          db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus")
-        )
+            db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegePermissions")
+          )
+          .orderBy(`${TableName.AccessApprovalRequest}.createdAt`, "desc");

-        // TODO: ADD SUPPORT FOR GROUPS!!!!
-        .select(
-          db.ref("email").withSchema("requestedByUser").as("requestedByUserEmail"),
-          db.ref("username").withSchema("requestedByUser").as("requestedByUserUsername"),
-          db.ref("firstName").withSchema("requestedByUser").as("requestedByUserFirstName"),
-          db.ref("lastName").withSchema("requestedByUser").as("requestedByUserLastName"),
+        const formattedDocs = sqlNestRelationships({
+          data: docs,
+          key: "id",
+          parentMapper: (doc) => ({
+            ...AccessApprovalRequestsSchema.parse(doc),
+            projectId: doc.projectId,
+            environment: doc.envSlug,
+            environmentName: doc.envName,
+            policy: {
+              id: doc.policyId,
+              name: doc.policyName,
+              approvals: doc.policyApprovals,
+              secretPath: doc.policySecretPath,
+              enforcementLevel: doc.policyEnforcementLevel,
+              allowedSelfApprovals: doc.policyAllowedSelfApprovals,
+              envId: doc.policyEnvId,
+              deletedAt: doc.policyDeletedAt
+            },
+            requestedByUser: {
+              userId: doc.requestedByUserId,
+              email: doc.requestedByUserEmail,
+              firstName: doc.requestedByUserFirstName,
+              lastName: doc.requestedByUserLastName,
+              username: doc.requestedByUserUsername
+            },
+            privilege: doc.privilegeId
+              ? {
+                  membershipId: doc.privilegeMembershipId,
+                  userId: doc.privilegeUserId,
+                  projectId: doc.projectId,
+                  isTemporary: doc.privilegeIsTemporary,
+                  temporaryMode: doc.privilegeTemporaryMode,
+                  temporaryRange: doc.privilegeTemporaryRange,
+                  temporaryAccessStartTime: doc.privilegeTemporaryAccessStartTime,
+                  temporaryAccessEndTime: doc.privilegeTemporaryAccessEndTime,
+                  permissions: doc.privilegePermissions
+                }
+              : null,
+            isApproved: doc.status === ApprovalStatus.APPROVED
+          }),
+          childrenMapper: [
+            {
+              key: "reviewerUserId",
+              label: "reviewers" as const,
+              mapper: ({ reviewerUserId: userId, reviewerStatus: status }) => (userId ? { userId, status } : undefined)
+            },
+            {
+              key: "approverUserId",
+              label: "approvers" as const,
+              mapper: ({ approverUserId, approverSequence, approvalsRequired, approverUsername, approverEmail }) => ({
+                userId: approverUserId,
+                sequence: approverSequence,
+                approvalsRequired,
+                email: approverEmail,
+                username: approverUsername
+              })
+            },
+            {
+              key: "approverGroupUserId",
+              label: "approvers" as const,
+              mapper: ({
+                approverGroupUserId,
+                approverSequence,
+                approvalsRequired,
+                approverGroupEmail,
+                approverGroupUsername
+              }) => ({
+                userId: approverGroupUserId,
+                sequence: approverSequence,
+                approvalsRequired,
+                email: approverGroupEmail,
+                username: approverGroupUsername
+              })
+            },
+            { key: "bypasserUserId", label: "bypassers" as const, mapper: ({ bypasserUserId }) => bypasserUserId },
+            {
+              key: "bypasserGroupUserId",
+              label: "bypassers" as const,
+              mapper: ({ bypasserGroupUserId }) => bypasserGroupUserId
+            }
+          ]
+        });

-          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeUserId"),
-          db.ref("projectId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeMembershipId"),
+        if (!formattedDocs) return [];

-          db.ref("isTemporary").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeIsTemporary"),
-          db.ref("temporaryMode").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeTemporaryMode"),
-          db.ref("temporaryRange").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("privilegeTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("privilegeTemporaryAccessEndTime"),
-
-          db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegePermissions")
-        )
-        .orderBy(`${TableName.AccessApprovalRequest}.createdAt`, "desc");
-
-      const formattedDocs = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (doc) => ({
-          ...AccessApprovalRequestsSchema.parse(doc),
-          projectId: doc.projectId,
-          environment: doc.envSlug,
-          environmentName: doc.envName,
+        return formattedDocs.map((doc) => ({
+          ...doc,
          policy: {
-            id: doc.policyId,
-            name: doc.policyName,
-            approvals: doc.policyApprovals,
-            secretPath: doc.policySecretPath,
-            enforcementLevel: doc.policyEnforcementLevel,
-            allowedSelfApprovals: doc.policyAllowedSelfApprovals,
-            envId: doc.policyEnvId,
-            deletedAt: doc.policyDeletedAt
-          },
-          requestedByUser: {
-            userId: doc.requestedByUserId,
-            email: doc.requestedByUserEmail,
-            firstName: doc.requestedByUserFirstName,
-            lastName: doc.requestedByUserLastName,
-            username: doc.requestedByUserUsername
-          },
-          privilege: doc.privilegeId
-            ? {
-                membershipId: doc.privilegeMembershipId,
-                userId: doc.privilegeUserId,
-                projectId: doc.projectId,
-                isTemporary: doc.privilegeIsTemporary,
-                temporaryMode: doc.privilegeTemporaryMode,
-                temporaryRange: doc.privilegeTemporaryRange,
-                temporaryAccessStartTime: doc.privilegeTemporaryAccessStartTime,
-                temporaryAccessEndTime: doc.privilegeTemporaryAccessEndTime,
-                permissions: doc.privilegePermissions
-              }
-            : null,
-
-          isApproved: !!doc.policyDeletedAt || !!doc.privilegeId || doc.status !== ApprovalStatus.PENDING
-        }),
-        childrenMapper: [
-          {
-            key: "reviewerUserId",
-            label: "reviewers" as const,
-            mapper: ({ reviewerUserId: userId, reviewerStatus: status }) => (userId ? { userId, status } : undefined)
-          },
-          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId },
-          {
-            key: "approverGroupUserId",
-            label: "approvers" as const,
-            mapper: ({ approverGroupUserId }) => approverGroupUserId
-          },
-          { key: "bypasserUserId", label: "bypassers" as const, mapper: ({ bypasserUserId }) => bypasserUserId },
-          {
-            key: "bypasserGroupUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserGroupUserId }) => bypasserGroupUserId
+            ...doc.policy,
+            approvers: doc.approvers.filter((el) => el.userId).sort((a, b) => (a.sequence || 0) - (b.sequence || 0)),
+            bypassers: doc.bypassers
          }
-        ]
-      });
-
-      if (!formattedDocs) return [];
-
-      return formattedDocs.map((doc) => ({
-        ...doc,
-        policy: { ...doc.policy, approvers: doc.approvers, bypassers: doc.bypassers }
-      }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindRequestsWithPrivilege" });
-    }
-  };
+        }));
+      } catch (error) {
+        throw new DatabaseError({ error, name: "FindRequestsWithPrivilege" });
+      }
+    };

  const findQuery = (filter: TFindFilter<TAccessApprovalRequests>, tx: Knex) =>
    tx(TableName.AccessApprovalRequest)
@ -272,6 +519,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
      .select(selectAllTableCols(TableName.AccessApprovalRequest))
      .select(
        tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover),
+        tx.ref("sequence").withSchema(TableName.AccessApprovalPolicyApprover).as("approverSequence"),
+        tx.ref("approvalsRequired").withSchema(TableName.AccessApprovalPolicyApprover),
        tx.ref("userId").withSchema(TableName.UserGroupMembership),
        tx.ref("email").withSchema("accessApprovalPolicyApproverUser").as("approverEmail"),
        tx.ref("email").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
@ -318,7 +567,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
      );

-  const findById = async (id: string, tx?: Knex) => {
+  const findById: TAccessApprovalRequestDALFactory["findById"] = async (id, tx) => {
    try {
      const sql = findQuery({ [`${TableName.AccessApprovalRequest}.id` as "id"]: id }, tx || db.replicaNode());
      const docs = await sql;
@ -367,13 +616,17 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
              approverEmail: email,
              approverUsername: username,
              approverLastName: lastName,
-              approverFirstName: firstName
+              approverFirstName: firstName,
+              approverSequence,
+              approvalsRequired
            }) => ({
              userId: approverUserId,
              email,
              firstName,
              lastName,
-              username
+              username,
+              sequence: approverSequence,
+              approvalsRequired
            })
          },
          {
@ -384,13 +637,17 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
              approverGroupEmail: email,
              approverGroupUsername: username,
              approverGroupLastName: lastName,
-              approverFirstName: firstName
+              approverFirstName: firstName,
+              approverSequence,
+              approvalsRequired
            }) => ({
              userId,
              email,
              firstName,
              lastName,
-              username
+              username,
+              sequence: approverSequence,
+              approvalsRequired
            })
          },
          {
@ -434,7 +691,9 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        ...formattedDoc[0],
        policy: {
          ...formattedDoc[0].policy,
-          approvers: formattedDoc[0].approvers,
+          approvers: formattedDoc[0].approvers
+            .filter((el) => el.userId)
+            .sort((a, b) => (a.sequence || 0) - (b.sequence || 0)),
          bypassers: formattedDoc[0].bypassers
        }
      };
@ -443,7 +702,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
    }
  };

-  const getCount = async ({ projectId }: { projectId: string }) => {
+  const getCount: TAccessApprovalRequestDALFactory["getCount"] = async ({ projectId }) => {
    try {
      const accessRequests = await db
        .replicaNode()(TableName.AccessApprovalRequest)
@ -495,7 +754,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
          req.status === ApprovalStatus.PENDING
      );

-      // an approval is finalized if there are any rejections, a privilege ID is set or the number of approvals is equal to the number of approvals required
+      // an approval is finalized if there are any rejections, a privilege ID is set or the number of approvals is equal to the number of approvals required.
      const finalizedApprovals = formattedRequests.filter(
        (req) =>
          req.privilegeId ||
@ -509,5 +768,27 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
    }
  };

-  return { ...accessApprovalRequestOrm, findById, findRequestsWithPrivilegeByPolicyIds, getCount };
+  const resetReviewByPolicyId: TAccessApprovalRequestDALFactory["resetReviewByPolicyId"] = async (policyId, tx) => {
+    try {
+      await (tx || db)(TableName.AccessApprovalRequestReviewer)
+        .leftJoin(
+          TableName.AccessApprovalRequest,
+          `${TableName.AccessApprovalRequest}.id`,
+          `${TableName.AccessApprovalRequestReviewer}.requestId`
+        )
+        .where(`${TableName.AccessApprovalRequest}.status` as "status", ApprovalStatus.PENDING)
+        .where(`${TableName.AccessApprovalRequest}.policyId` as "policyId", policyId)
+        .del();
+    } catch (error) {
+      throw new DatabaseError({ error, name: "ResetReviewByPolicyId" });
+    }
+  };
+
+  return {
+    ...accessApprovalRequestOrm,
+    findById,
+    findRequestsWithPrivilegeByPolicyIds,
+    getCount,
+    resetReviewByPolicyId
+  };
 };
--- a/backend/src/ee/services/access-approval-request/access-approval-request-reviewer-dal.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-reviewer-dal.ts
@ -1,10 +1,10 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
+import { ormify, TOrmify } from "@app/lib/knex";

-export type TAccessApprovalRequestReviewerDALFactory = ReturnType<typeof accessApprovalRequestReviewerDALFactory>;
+export type TAccessApprovalRequestReviewerDALFactory = TOrmify<TableName.AccessApprovalRequestReviewer>;

-export const accessApprovalRequestReviewerDALFactory = (db: TDbClient) => {
+export const accessApprovalRequestReviewerDALFactory = (db: TDbClient): TAccessApprovalRequestReviewerDALFactory => {
  const secretApprovalRequestReviewerOrm = ormify(db, TableName.AccessApprovalRequestReviewer);
  return secretApprovalRequestReviewerOrm;
 };
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@ -4,6 +4,7 @@ import msFn from "ms";
 import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { groupBy } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { EnforcementLevel } from "@app/lib/types";
@ -22,19 +23,13 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-policy/access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
 import { TGroupDALFactory } from "../group/group-dal";
-import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TPermissionServiceFactory } from "../permission/permission-service-types";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
 import { TAccessApprovalRequestDALFactory } from "./access-approval-request-dal";
 import { verifyRequestedPermissions } from "./access-approval-request-fns";
 import { TAccessApprovalRequestReviewerDALFactory } from "./access-approval-request-reviewer-dal";
-import {
-  ApprovalStatus,
-  TCreateAccessApprovalRequestDTO,
-  TGetAccessRequestCountDTO,
-  TListApprovalRequestsDTO,
-  TReviewAccessRequestDTO
-} from "./access-approval-request-types";
+import { ApprovalStatus, TAccessApprovalRequestServiceFactory } from "./access-approval-request-types";

 type TSecretApprovalRequestServiceFactoryDep = {
  additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "create" | "findById">;
@ -74,8 +69,6 @@ type TSecretApprovalRequestServiceFactoryDep = {
  projectMicrosoftTeamsConfigDAL: Pick<TProjectMicrosoftTeamsConfigDALFactory, "getIntegrationDetailsByProject">;
 };

-export type TAccessApprovalRequestServiceFactory = ReturnType<typeof accessApprovalRequestServiceFactory>;
-
 export const accessApprovalRequestServiceFactory = ({
  groupDAL,
  projectDAL,
@ -92,8 +85,8 @@ export const accessApprovalRequestServiceFactory = ({
  microsoftTeamsService,
  projectMicrosoftTeamsConfigDAL,
  projectSlackConfigDAL
-}: TSecretApprovalRequestServiceFactoryDep) => {
-  const createAccessApprovalRequest = async ({
+}: TSecretApprovalRequestServiceFactoryDep): TAccessApprovalRequestServiceFactory => {
+  const createAccessApprovalRequest: TAccessApprovalRequestServiceFactory["createAccessApprovalRequest"] = async ({
    isTemporary,
    temporaryRange,
    actorId,
@ -103,7 +96,7 @@ export const accessApprovalRequestServiceFactory = ({
    actorAuthMethod,
    projectSlug,
    note
-  }: TCreateAccessApprovalRequestDTO) => {
+  }) => {
    const cfg = getConfig();
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@ -280,7 +273,7 @@ export const accessApprovalRequestServiceFactory = ({
    return { request: approval };
  };

-  const listApprovalRequests = async ({
+  const listApprovalRequests: TAccessApprovalRequestServiceFactory["listApprovalRequests"] = async ({
    projectSlug,
    authorProjectMembershipId,
    envSlug,
@ -288,7 +281,7 @@ export const accessApprovalRequestServiceFactory = ({
    actorOrgId,
    actorId,
    actorAuthMethod
-  }: TListApprovalRequestsDTO) => {
+  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

@ -318,7 +311,7 @@ export const accessApprovalRequestServiceFactory = ({
    return { requests };
  };

-  const reviewAccessRequest = async ({
+  const reviewAccessRequest: TAccessApprovalRequestServiceFactory["reviewAccessRequest"] = async ({
    requestId,
    actor,
    status,
@ -326,7 +319,7 @@ export const accessApprovalRequestServiceFactory = ({
    actorAuthMethod,
    actorOrgId,
    bypassReason
-  }: TReviewAccessRequestDTO) => {
+  }) => {
    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
    if (!accessApprovalRequest) {
      throw new NotFoundError({ message: `Secret approval request with ID '${requestId}' not found` });
@ -358,7 +351,6 @@ export const accessApprovalRequestServiceFactory = ({
    const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypass);

    const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
-
    // If user is (not an approver OR cant self approve) AND can't bypass policy
    if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
      throw new BadRequestError({
@ -380,8 +372,44 @@ export const accessApprovalRequestServiceFactory = ({
    }

    const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
-    if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
-      throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
+    if (accessApprovalRequest.status !== ApprovalStatus.PENDING) {
+      throw new BadRequestError({ message: "The request has been closed" });
+    }
+
+    const reviewsGroupById = groupBy(
+      existingReviews.filter((review) => review.status === ApprovalStatus.APPROVED),
+      (i) => i.reviewerUserId
+    );
+
+    const approvedSequences = policy.approvers.reduce(
+      (acc, curr) => {
+        const hasApproved = reviewsGroupById?.[curr.userId as string]?.[0];
+        if (acc?.[acc.length - 1]?.step === curr.sequence) {
+          if (hasApproved) {
+            acc[acc.length - 1].approvals += 1;
+          }
+          return acc;
+        }
+
+        acc.push({
+          step: curr.sequence || 1,
+          approvals: hasApproved ? 1 : 0,
+          requiredApprovals: curr.approvalsRequired || 1
+        });
+        return acc;
+      },
+      [] as { step: number; approvals: number; requiredApprovals: number }[]
+    );
+    const presentSequence = approvedSequences.find((el) => el.approvals < el.requiredApprovals) || {
+      step: 1,
+      approvals: 0,
+      requiredApprovals: 1
+    };
+    if (presentSequence) {
+      const isApproverOfTheSequence = policy.approvers.find(
+        (el) => el.sequence === presentSequence.step && el.userId === actorId
+      );
+      if (!isApproverOfTheSequence) throw new BadRequestError({ message: "You are not reviewer in this step" });
    }

    const reviewStatus = await accessApprovalRequestReviewerDAL.transaction(async (tx) => {
@ -426,11 +454,14 @@ export const accessApprovalRequestServiceFactory = ({
        );
      }

-      const otherReviews = existingReviews.filter((er) => er.reviewerUserId !== actorId);
-      const allUniqueReviews = [...otherReviews, reviewForThisActorProcessing];
+      if (status === ApprovalStatus.REJECTED) {
+        await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { status: ApprovalStatus.REJECTED }, tx);
+        return reviewForThisActorProcessing;
+      }

-      const approvedReviews = allUniqueReviews.filter((r) => r.status === ApprovalStatus.APPROVED);
-      const meetsStandardApprovalThreshold = approvedReviews.length >= policy.approvals;
+      const meetsStandardApprovalThreshold =
+        (presentSequence?.approvals || 0) + 1 >= presentSequence.requiredApprovals &&
+        approvedSequences.at(-1)?.step === presentSequence?.step;

      if (
        reviewForThisActorProcessing.status === ApprovalStatus.APPROVED &&
@ -527,7 +558,13 @@ export const accessApprovalRequestServiceFactory = ({
    return reviewStatus;
  };

-  const getCount = async ({ projectSlug, actor, actorAuthMethod, actorId, actorOrgId }: TGetAccessRequestCountDTO) => {
+  const getCount: TAccessApprovalRequestServiceFactory["getCount"] = async ({
+    projectSlug,
+    actor,
+    actorAuthMethod,
+    actorId,
+    actorOrgId
+  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

--- a/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
@ -34,3 +34,124 @@ export type TListApprovalRequestsDTO = {
  authorProjectMembershipId?: string;
  envSlug?: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export interface TAccessApprovalRequestServiceFactory {
+  createAccessApprovalRequest: (arg: TCreateAccessApprovalRequestDTO) => Promise<{
+    request: {
+      status: string;
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      policyId: string;
+      isTemporary: boolean;
+      requestedByUserId: string;
+      privilegeId?: string | null | undefined;
+      requestedBy?: string | null | undefined;
+      temporaryRange?: string | null | undefined;
+      permissions?: unknown;
+      note?: string | null | undefined;
+      privilegeDeletedAt?: Date | null | undefined;
+    };
+  }>;
+  listApprovalRequests: (arg: TListApprovalRequestsDTO) => Promise<{
+    requests: {
+      policy: {
+        approvers: (
+          | {
+              userId: string | null | undefined;
+              sequence: number | null | undefined;
+              approvalsRequired: number | null | undefined;
+              email: string | null | undefined;
+              username: string;
+            }
+          | {
+              userId: string;
+              sequence: number | null | undefined;
+              approvalsRequired: number | null | undefined;
+              email: string | null | undefined;
+              username: string;
+            }
+        )[];
+        bypassers: string[];
+        id: string;
+        name: string;
+        approvals: number;
+        secretPath: string | null | undefined;
+        enforcementLevel: string;
+        allowedSelfApprovals: boolean;
+        envId: string;
+        deletedAt: Date | null | undefined;
+      };
+      projectId: string;
+      environment: string;
+      environmentName: string;
+      requestedByUser: {
+        userId: string;
+        email: string | null | undefined;
+        firstName: string | null | undefined;
+        lastName: string | null | undefined;
+        username: string;
+      };
+      privilege: {
+        membershipId: string;
+        userId: string;
+        projectId: string;
+        isTemporary: boolean;
+        temporaryMode: string | null | undefined;
+        temporaryRange: string | null | undefined;
+        temporaryAccessStartTime: Date | null | undefined;
+        temporaryAccessEndTime: Date | null | undefined;
+        permissions: unknown;
+      } | null;
+      isApproved: boolean;
+      status: string;
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      policyId: string;
+      isTemporary: boolean;
+      requestedByUserId: string;
+      privilegeId?: string | null | undefined;
+      requestedBy?: string | null | undefined;
+      temporaryRange?: string | null | undefined;
+      permissions?: unknown;
+      note?: string | null | undefined;
+      privilegeDeletedAt?: Date | null | undefined;
+      reviewers: {
+        userId: string;
+        status: string;
+      }[];
+      approvers: (
+        | {
+            userId: string | null | undefined;
+            sequence: number | null | undefined;
+            approvalsRequired: number | null | undefined;
+            email: string | null | undefined;
+            username: string;
+          }
+        | {
+            userId: string;
+            sequence: number | null | undefined;
+            approvalsRequired: number | null | undefined;
+            email: string | null | undefined;
+            username: string;
+          }
+      )[];
+      bypassers: string[];
+    }[];
+  }>;
+  reviewAccessRequest: (arg: TReviewAccessRequestDTO) => Promise<{
+    id: string;
+    requestId: string;
+    reviewerUserId: string;
+    status: string;
+    createdAt: Date;
+    updatedAt: Date;
+  }>;
+  getCount: (arg: TGetAccessRequestCountDTO) => Promise<{
+    count: {
+      pendingCount: number;
+      finalizedCount: number;
+    };
+  }>;
+}
--- a/backend/src/ee/services/app-connections/oracledb/index.ts
+++ b/backend/src/ee/services/app-connections/oracledb/index.ts
@ -0,0 +1,4 @@
+export * from "./oracledb-connection-enums";
+export * from "./oracledb-connection-fns";
+export * from "./oracledb-connection-schemas";
+export * from "./oracledb-connection-types";
--- a/backend/src/ee/services/app-connections/oracledb/oracledb-connection-enums.ts
+++ b/backend/src/ee/services/app-connections/oracledb/oracledb-connection-enums.ts
@ -0,0 +1,3 @@
+export enum OracleDBConnectionMethod {
+  UsernameAndPassword = "username-and-password"
+}
--- a/backend/src/ee/services/app-connections/oracledb/oracledb-connection-fns.ts
+++ b/backend/src/ee/services/app-connections/oracledb/oracledb-connection-fns.ts
@ -0,0 +1,12 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { OracleDBConnectionMethod } from "./oracledb-connection-enums";
+
+export const getOracleDBConnectionListItem = () => {
+  return {
+    name: "OracleDB" as const,
+    app: AppConnection.OracleDB as const,
+    methods: Object.values(OracleDBConnectionMethod) as [OracleDBConnectionMethod.UsernameAndPassword],
+    supportsPlatformManagement: true as const
+  };
+};
--- a/backend/src/ee/services/app-connections/oracledb/oracledb-connection-schemas.ts
+++ b/backend/src/ee/services/app-connections/oracledb/oracledb-connection-schemas.ts
@ -0,0 +1,64 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+import { BaseSqlUsernameAndPasswordConnectionSchema } from "@app/services/app-connection/shared/sql";
+
+import { OracleDBConnectionMethod } from "./oracledb-connection-enums";
+
+export const OracleDBConnectionCredentialsSchema = BaseSqlUsernameAndPasswordConnectionSchema;
+
+const BaseOracleDBConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.OracleDB) });
+
+export const OracleDBConnectionSchema = BaseOracleDBConnectionSchema.extend({
+  method: z.literal(OracleDBConnectionMethod.UsernameAndPassword),
+  credentials: OracleDBConnectionCredentialsSchema
+});
+
+export const SanitizedOracleDBConnectionSchema = z.discriminatedUnion("method", [
+  BaseOracleDBConnectionSchema.extend({
+    method: z.literal(OracleDBConnectionMethod.UsernameAndPassword),
+    credentials: OracleDBConnectionCredentialsSchema.pick({
+      host: true,
+      database: true,
+      port: true,
+      username: true,
+      sslEnabled: true,
+      sslRejectUnauthorized: true,
+      sslCertificate: true
+    })
+  })
+]);
+
+export const ValidateOracleDBConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(OracleDBConnectionMethod.UsernameAndPassword)
+      .describe(AppConnections.CREATE(AppConnection.OracleDB).method),
+    credentials: OracleDBConnectionCredentialsSchema.describe(AppConnections.CREATE(AppConnection.OracleDB).credentials)
+  })
+]);
+
+export const CreateOracleDBConnectionSchema = ValidateOracleDBConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true })
+);
+
+export const UpdateOracleDBConnectionSchema = z
+  .object({
+    credentials: OracleDBConnectionCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.OracleDB).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true }));
+
+export const OracleDBConnectionListItemSchema = z.object({
+  name: z.literal("OracleDB"),
+  app: z.literal(AppConnection.OracleDB),
+  methods: z.nativeEnum(OracleDBConnectionMethod).array(),
+  supportsPlatformManagement: z.literal(true)
+});
--- a/backend/src/ee/services/app-connections/oracledb/oracledb-connection-types.ts
+++ b/backend/src/ee/services/app-connections/oracledb/oracledb-connection-types.ts
@ -0,0 +1,17 @@
+import z from "zod";
+
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import {
+  CreateOracleDBConnectionSchema,
+  OracleDBConnectionSchema,
+  ValidateOracleDBConnectionCredentialsSchema
+} from "./oracledb-connection-schemas";
+
+export type TOracleDBConnection = z.infer<typeof OracleDBConnectionSchema>;
+
+export type TOracleDBConnectionInput = z.infer<typeof CreateOracleDBConnectionSchema> & {
+  app: AppConnection.OracleDB;
+};
+
+export type TValidateOracleDBConnectionCredentialsSchema = typeof ValidateOracleDBConnectionCredentialsSchema;
--- a/backend/src/ee/services/assume-privilege/assume-privilege-service.ts
+++ b/backend/src/ee/services/assume-privilege/assume-privilege-service.ts
@ -7,29 +7,30 @@ import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectDALFactory } from "@app/services/project/project-dal";

-import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TPermissionServiceFactory } from "../permission/permission-service-types";
 import {
  ProjectPermissionIdentityActions,
  ProjectPermissionMemberActions,
  ProjectPermissionSub
 } from "../permission/project-permission";
-import { TAssumeProjectPrivilegeDTO } from "./assume-privilege-types";
+import { TAssumePrivilegeServiceFactory } from "./assume-privilege-types";

 type TAssumePrivilegeServiceFactoryDep = {
  projectDAL: Pick<TProjectDALFactory, "findById">;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };

-export type TAssumePrivilegeServiceFactory = ReturnType<typeof assumePrivilegeServiceFactory>;
-
-export const assumePrivilegeServiceFactory = ({ projectDAL, permissionService }: TAssumePrivilegeServiceFactoryDep) => {
-  const assumeProjectPrivileges = async ({
+export const assumePrivilegeServiceFactory = ({
+  projectDAL,
+  permissionService
+}: TAssumePrivilegeServiceFactoryDep): TAssumePrivilegeServiceFactory => {
+  const assumeProjectPrivileges: TAssumePrivilegeServiceFactory["assumeProjectPrivileges"] = async ({
    targetActorType,
    targetActorId,
    projectId,
    actorPermissionDetails,
    tokenVersionId
-  }: TAssumeProjectPrivilegeDTO) => {
+  }) => {
    const project = await projectDAL.findById(projectId);
    if (!project) throw new NotFoundError({ message: `Project with ID '${projectId}' not found` });
    const { permission } = await permissionService.getProjectPermission({
@ -79,7 +80,10 @@ export const assumePrivilegeServiceFactory = ({ projectDAL, permissionService }:
    return { actorType: targetActorType, actorId: targetActorId, projectId, assumePrivilegesToken };
  };

-  const verifyAssumePrivilegeToken = (token: string, tokenVersionId: string) => {
+  const verifyAssumePrivilegeToken: TAssumePrivilegeServiceFactory["verifyAssumePrivilegeToken"] = (
+    token,
+    tokenVersionId
+  ) => {
    const appCfg = getConfig();
    const decodedToken = jwt.verify(token, appCfg.AUTH_SECRET) as {
      tokenVersionId: string;
--- a/backend/src/ee/services/assume-privilege/assume-privilege-types.ts
+++ b/backend/src/ee/services/assume-privilege/assume-privilege-types.ts
@ -8,3 +8,28 @@ export type TAssumeProjectPrivilegeDTO = {
  tokenVersionId: string;
  actorPermissionDetails: OrgServiceActor;
 };
+
+export interface TAssumePrivilegeServiceFactory {
+  assumeProjectPrivileges: ({
+    targetActorType,
+    targetActorId,
+    projectId,
+    actorPermissionDetails,
+    tokenVersionId
+  }: TAssumeProjectPrivilegeDTO) => Promise<{
+    actorType: ActorType.USER | ActorType.IDENTITY;
+    actorId: string;
+    projectId: string;
+    assumePrivilegesToken: string;
+  }>;
+  verifyAssumePrivilegeToken: (
+    token: string,
+    tokenVersionId: string
+  ) => {
+    tokenVersionId: string;
+    projectId: string;
+    requesterId: string;
+    actorType: ActorType;
+    actorId: string;
+  };
+}
--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-dal.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-dal.ts
@ -1,10 +1,10 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
+import { ormify, TOrmify } from "@app/lib/knex";

-export type TAuditLogStreamDALFactory = ReturnType<typeof auditLogStreamDALFactory>;
+export type TAuditLogStreamDALFactory = TOrmify<TableName.AuditLogStream>;

-export const auditLogStreamDALFactory = (db: TDbClient) => {
+export const auditLogStreamDALFactory = (db: TDbClient): TAuditLogStreamDALFactory => {
  const orm = ormify(db, TableName.AuditLogStream);

  return orm;
--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
@ -11,16 +11,9 @@ import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 import { AUDIT_LOG_STREAM_TIMEOUT } from "../audit-log/audit-log-queue";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
-import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TPermissionServiceFactory } from "../permission/permission-service-types";
 import { TAuditLogStreamDALFactory } from "./audit-log-stream-dal";
-import {
-  LogStreamHeaders,
-  TCreateAuditLogStreamDTO,
-  TDeleteAuditLogStreamDTO,
-  TGetDetailsAuditLogStreamDTO,
-  TListAuditLogStreamDTO,
-  TUpdateAuditLogStreamDTO
-} from "./audit-log-stream-types";
+import { LogStreamHeaders, TAuditLogStreamServiceFactory } from "./audit-log-stream-types";

 type TAuditLogStreamServiceFactoryDep = {
  auditLogStreamDAL: TAuditLogStreamDALFactory;
@ -28,21 +21,19 @@ type TAuditLogStreamServiceFactoryDep = {
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };

-export type TAuditLogStreamServiceFactory = ReturnType<typeof auditLogStreamServiceFactory>;
-
 export const auditLogStreamServiceFactory = ({
  auditLogStreamDAL,
  permissionService,
  licenseService
-}: TAuditLogStreamServiceFactoryDep) => {
-  const create = async ({
+}: TAuditLogStreamServiceFactoryDep): TAuditLogStreamServiceFactory => {
+  const create: TAuditLogStreamServiceFactory["create"] = async ({
    url,
    actor,
    headers = [],
    actorId,
    actorOrgId,
    actorAuthMethod
-  }: TCreateAuditLogStreamDTO) => {
+  }) => {
    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });

    const plan = await licenseService.getPlan(actorOrgId);
@ -110,7 +101,7 @@ export const auditLogStreamServiceFactory = ({
    return logStream;
  };

-  const updateById = async ({
+  const updateById: TAuditLogStreamServiceFactory["updateById"] = async ({
    id,
    url,
    actor,
@ -118,7 +109,7 @@ export const auditLogStreamServiceFactory = ({
    actorId,
    actorOrgId,
    actorAuthMethod
-  }: TUpdateAuditLogStreamDTO) => {
+  }) => {
    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });

    const plan = await licenseService.getPlan(actorOrgId);
@ -175,7 +166,13 @@ export const auditLogStreamServiceFactory = ({
    return updatedLogStream;
  };

-  const deleteById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TDeleteAuditLogStreamDTO) => {
+  const deleteById: TAuditLogStreamServiceFactory["deleteById"] = async ({
+    id,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod
+  }) => {
    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });

    const logStream = await auditLogStreamDAL.findById(id);
@ -189,7 +186,13 @@ export const auditLogStreamServiceFactory = ({
    return deletedLogStream;
  };

-  const getById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TGetDetailsAuditLogStreamDTO) => {
+  const getById: TAuditLogStreamServiceFactory["getById"] = async ({
+    id,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod
+  }) => {
    const logStream = await auditLogStreamDAL.findById(id);
    if (!logStream) throw new NotFoundError({ message: `Audit log stream with ID '${id}' not found` });

@ -212,7 +215,7 @@ export const auditLogStreamServiceFactory = ({
    return { ...logStream, headers };
  };

-  const list = async ({ actor, actorId, actorOrgId, actorAuthMethod }: TListAuditLogStreamDTO) => {
+  const list: TAuditLogStreamServiceFactory["list"] = async ({ actor, actorId, actorOrgId, actorAuthMethod }) => {
    const { permission } = await permissionService.getOrgPermission(
      actor,
      actorId,
--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-types.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-types.ts
@ -1,3 +1,4 @@
+import { TAuditLogStreams } from "@app/db/schemas";
 import { TOrgPermission } from "@app/lib/types";

 export type LogStreamHeaders = {
@ -25,3 +26,23 @@ export type TListAuditLogStreamDTO = Omit<TOrgPermission, "orgId">;
 export type TGetDetailsAuditLogStreamDTO = Omit<TOrgPermission, "orgId"> & {
  id: string;
 };
+
+export type TAuditLogStreamServiceFactory = {
+  create: (arg: TCreateAuditLogStreamDTO) => Promise<TAuditLogStreams>;
+  updateById: (arg: TUpdateAuditLogStreamDTO) => Promise<TAuditLogStreams>;
+  deleteById: (arg: TDeleteAuditLogStreamDTO) => Promise<TAuditLogStreams>;
+  getById: (arg: TGetDetailsAuditLogStreamDTO) => Promise<{
+    headers: LogStreamHeaders[] | undefined;
+    orgId: string;
+    url: string;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    encryptedHeadersCiphertext?: string | null | undefined;
+    encryptedHeadersIV?: string | null | undefined;
+    encryptedHeadersTag?: string | null | undefined;
+    encryptedHeadersAlgorithm?: string | null | undefined;
+    encryptedHeadersKeyEncoding?: string | null | undefined;
+  }>;
+  list: (arg: TListAuditLogStreamDTO) => Promise<TAuditLogStreams[]>;
+};
--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@ -2,16 +2,29 @@
 import knex from "knex";

 import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
+import { TableName, TAuditLogs } from "@app/db/schemas";
 import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { ormify, selectAllTableCols, TOrmify } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
 import { QueueName } from "@app/queue";
 import { ActorType } from "@app/services/auth/auth-type";

 import { EventType, filterableSecretEvents } from "./audit-log-types";

-export type TAuditLogDALFactory = ReturnType<typeof auditLogDALFactory>;
+export interface TAuditLogDALFactory extends Omit<TOrmify<TableName.AuditLog>, "find"> {
+  pruneAuditLog: (tx?: knex.Knex) => Promise<void>;
+  find: (
+    arg: Omit<TFindQuery, "actor" | "eventType"> & {
+      actorId?: string | undefined;
+      actorType?: ActorType | undefined;
+      secretPath?: string | undefined;
+      secretKey?: string | undefined;
+      eventType?: EventType[] | undefined;
+      eventMetadata?: Record<string, string> | undefined;
+    },
+    tx?: knex.Knex
+  ) => Promise<TAuditLogs[]>;
+}

 type TFindQuery = {
  actor?: string;
@ -29,7 +42,7 @@ type TFindQuery = {
 export const auditLogDALFactory = (db: TDbClient) => {
  const auditLogOrm = ormify(db, TableName.AuditLog);

-  const find = async (
+  const find: TAuditLogDALFactory["find"] = async (
    {
      orgId,
      projectId,
@ -45,15 +58,8 @@ export const auditLogDALFactory = (db: TDbClient) => {
      secretKey,
      eventType,
      eventMetadata
-    }: Omit<TFindQuery, "actor" | "eventType"> & {
-      actorId?: string;
-      actorType?: ActorType;
-      secretPath?: string;
-      secretKey?: string;
-      eventType?: EventType[];
-      eventMetadata?: Record<string, string>;
    },
-    tx?: knex.Knex
+    tx
  ) => {
    if (!orgId && !projectId) {
      throw new Error("Either orgId or projectId must be provided");
@ -154,7 +160,7 @@ export const auditLogDALFactory = (db: TDbClient) => {
  };

  // delete all audit log that have expired
-  const pruneAuditLog = async (tx?: knex.Knex) => {
+  const pruneAuditLog: TAuditLogDALFactory["pruneAuditLog"] = async (tx) => {
    const AUDIT_LOG_PRUNE_BATCH_SIZE = 10000;
    const MAX_RETRY_ON_FAILURE = 3;

--- a/backend/src/ee/services/audit-log/audit-log-queue.ts
+++ b/backend/src/ee/services/audit-log/audit-log-queue.ts
@ -21,7 +21,9 @@ type TAuditLogQueueServiceFactoryDep = {
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };

-export type TAuditLogQueueServiceFactory = Awaited<ReturnType<typeof auditLogQueueServiceFactory>>;
+export type TAuditLogQueueServiceFactory = {
+  pushToLog: (data: TCreateAuditLogDTO) => Promise<void>;
+};

 // keep this timeout 5s it must be fast because else the queue will take time to finish
 // audit log is a crowded queue thus needs to be fast
@ -33,7 +35,7 @@ export const auditLogQueueServiceFactory = async ({
  projectDAL,
  licenseService,
  auditLogStreamDAL
-}: TAuditLogQueueServiceFactoryDep) => {
+}: TAuditLogQueueServiceFactoryDep): Promise<TAuditLogQueueServiceFactory> => {
  const appCfg = getConfig();

  const pushToLog = async (data: TCreateAuditLogDTO) => {
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@ -7,11 +7,11 @@ import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";

 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
-import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TPermissionServiceFactory } from "../permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TAuditLogDALFactory } from "./audit-log-dal";
 import { TAuditLogQueueServiceFactory } from "./audit-log-queue";
-import { EventType, TCreateAuditLogDTO, TListProjectAuditLogDTO } from "./audit-log-types";
+import { EventType, TAuditLogServiceFactory } from "./audit-log-types";

 type TAuditLogServiceFactoryDep = {
  auditLogDAL: TAuditLogDALFactory;
@ -19,14 +19,18 @@ type TAuditLogServiceFactoryDep = {
  auditLogQueue: TAuditLogQueueServiceFactory;
 };

-export type TAuditLogServiceFactory = ReturnType<typeof auditLogServiceFactory>;
-
 export const auditLogServiceFactory = ({
  auditLogDAL,
  auditLogQueue,
  permissionService
-}: TAuditLogServiceFactoryDep) => {
-  const listAuditLogs = async ({ actorAuthMethod, actorId, actorOrgId, actor, filter }: TListProjectAuditLogDTO) => {
+}: TAuditLogServiceFactoryDep): TAuditLogServiceFactory => {
+  const listAuditLogs: TAuditLogServiceFactory["listAuditLogs"] = async ({
+    actorAuthMethod,
+    actorId,
+    actorOrgId,
+    actor,
+    filter
+  }) => {
    // Filter logs for specific project
    if (filter.projectId) {
      const { permission } = await permissionService.getProjectPermission({
@ -75,7 +79,7 @@ export const auditLogServiceFactory = ({
    }));
  };

-  const createAuditLog = async (data: TCreateAuditLogDTO) => {
+  const createAuditLog: TAuditLogServiceFactory["createAuditLog"] = async (data) => {
    const appCfg = getConfig();
    if (appCfg.DISABLE_AUDIT_LOG_GENERATION) {
      return;
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@ -44,6 +44,7 @@ import {
  TSecretSyncRaw,
  TUpdateSecretSyncDTO
 } from "@app/services/secret-sync/secret-sync-types";
+import { TWebhookPayloads } from "@app/services/webhook/webhook-types";
 import { WorkflowIntegration } from "@app/services/workflow-integration/workflow-integration-types";

 import { KmipPermission } from "../kmip/kmip-enum";
@ -81,6 +82,32 @@ export type TCreateAuditLogDTO = {
  projectId?: string;
 } & BaseAuthData;

+export type TAuditLogServiceFactory = {
+  createAuditLog: (data: TCreateAuditLogDTO) => Promise<void>;
+  listAuditLogs: (arg: TListProjectAuditLogDTO) => Promise<
+    {
+      event: {
+        type: string;
+        metadata: unknown;
+      };
+      actor: {
+        type: string;
+        metadata: unknown;
+      };
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      orgId?: string | null | undefined;
+      userAgent?: string | null | undefined;
+      expiresAt?: Date | null | undefined;
+      ipAddress?: string | null | undefined;
+      userAgentType?: string | null | undefined;
+      projectId?: string | null | undefined;
+      projectName?: string | null | undefined;
+    }[]
+  >;
+};
+
 export type AuditLogInfo = Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;

 interface BaseAuthData {
@ -169,6 +196,12 @@ export enum EventType {
  REVOKE_IDENTITY_GCP_AUTH = "revoke-identity-gcp-auth",
  GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",

+  LOGIN_IDENTITY_ALICLOUD_AUTH = "login-identity-alicloud-auth",
+  ADD_IDENTITY_ALICLOUD_AUTH = "add-identity-alicloud-auth",
+  UPDATE_IDENTITY_ALICLOUD_AUTH = "update-identity-alicloud-auth",
+  REVOKE_IDENTITY_ALICLOUD_AUTH = "revoke-identity-alicloud-auth",
+  GET_IDENTITY_ALICLOUD_AUTH = "get-identity-alicloud-auth",
+
  LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
@ -206,6 +239,7 @@ export enum EventType {
  CREATE_WEBHOOK = "create-webhook",
  UPDATE_WEBHOOK_STATUS = "update-webhook-status",
  DELETE_WEBHOOK = "delete-webhook",
+  WEBHOOK_TRIGGERED = "webhook-triggered",
  GET_SECRET_IMPORTS = "get-secret-imports",
  GET_SECRET_IMPORT = "get-secret-import",
  CREATE_SECRET_IMPORT = "create-secret-import",
@ -393,6 +427,13 @@ export enum EventType {
  PROJECT_ASSUME_PRIVILEGE_SESSION_START = "project-assume-privileges-session-start",
  PROJECT_ASSUME_PRIVILEGE_SESSION_END = "project-assume-privileges-session-end",

+  GET_PROJECT_PIT_COMMITS = "get-project-pit-commits",
+  GET_PROJECT_PIT_COMMIT_CHANGES = "get-project-pit-commit-changes",
+  GET_PROJECT_PIT_COMMIT_COUNT = "get-project-pit-commit-count",
+  PIT_ROLLBACK_COMMIT = "pit-rollback-commit",
+  PIT_REVERT_COMMIT = "pit-revert-commit",
+  PIT_GET_FOLDER_STATE = "pit-get-folder-state",
+  PIT_COMPARE_FOLDER_STATES = "pit-compare-folder-states",
  SECRET_SCANNING_DATA_SOURCE_LIST = "secret-scanning-data-source-list",
  SECRET_SCANNING_DATA_SOURCE_CREATE = "secret-scanning-data-source-create",
  SECRET_SCANNING_DATA_SOURCE_UPDATE = "secret-scanning-data-source-update",
@ -739,6 +780,7 @@ interface CreateIdentityEvent {
  metadata: {
    identityId: string;
    name: string;
+    hasDeleteProtection: boolean;
  };
 }

@ -747,6 +789,7 @@ interface UpdateIdentityEvent {
  metadata: {
    identityId: string;
    name?: string;
+    hasDeleteProtection?: boolean;
  };
 }

@ -1051,6 +1094,53 @@ interface GetIdentityAwsAuthEvent {
  };
 }

+interface LoginIdentityAliCloudAuthEvent {
+  type: EventType.LOGIN_IDENTITY_ALICLOUD_AUTH;
+  metadata: {
+    identityId: string;
+    identityAliCloudAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityAliCloudAuthEvent {
+  type: EventType.ADD_IDENTITY_ALICLOUD_AUTH;
+  metadata: {
+    identityId: string;
+    allowedArns: string;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface DeleteIdentityAliCloudAuthEvent {
+  type: EventType.REVOKE_IDENTITY_ALICLOUD_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface UpdateIdentityAliCloudAuthEvent {
+  type: EventType.UPDATE_IDENTITY_ALICLOUD_AUTH;
+  metadata: {
+    identityId: string;
+    allowedArns: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityAliCloudAuthEvent {
+  type: EventType.GET_IDENTITY_ALICLOUD_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityOciAuthEvent {
  type: EventType.LOGIN_IDENTITY_OCI_AUTH;
  metadata: {
@ -1440,6 +1530,14 @@ interface DeleteWebhookEvent {
  };
 }

+export interface WebhookTriggeredEvent {
+  type: EventType.WEBHOOK_TRIGGERED;
+  metadata: {
+    webhookId: string;
+    status: string;
+  } & TWebhookPayloads;
+}
+
 interface GetSecretImportsEvent {
  type: EventType.GET_SECRET_IMPORTS;
  metadata: {
@ -2979,6 +3077,78 @@ interface MicrosoftTeamsWorkflowIntegrationUpdateEvent {
  };
 }

+interface GetProjectPitCommitsEvent {
+  type: EventType.GET_PROJECT_PIT_COMMITS;
+  metadata: {
+    commitCount: string;
+    environment: string;
+    path: string;
+    offset: string;
+    limit: string;
+    search?: string;
+    sort: string;
+  };
+}
+
+interface GetProjectPitCommitChangesEvent {
+  type: EventType.GET_PROJECT_PIT_COMMIT_CHANGES;
+  metadata: {
+    changesCount: string;
+    commitId: string;
+  };
+}
+
+interface GetProjectPitCommitCountEvent {
+  type: EventType.GET_PROJECT_PIT_COMMIT_COUNT;
+  metadata: {
+    environment: string;
+    path: string;
+    commitCount: string;
+  };
+}
+
+interface PitRollbackCommitEvent {
+  type: EventType.PIT_ROLLBACK_COMMIT;
+  metadata: {
+    targetCommitId: string;
+    folderId: string;
+    deepRollback: boolean;
+    message: string;
+    totalChanges: string;
+    environment: string;
+  };
+}
+
+interface PitRevertCommitEvent {
+  type: EventType.PIT_REVERT_COMMIT;
+  metadata: {
+    commitId: string;
+    revertCommitId?: string;
+    changesReverted?: string;
+  };
+}
+
+interface PitGetFolderStateEvent {
+  type: EventType.PIT_GET_FOLDER_STATE;
+  metadata: {
+    commitId: string;
+    folderId: string;
+    resourceCount: string;
+  };
+}
+
+interface PitCompareFolderStatesEvent {
+  type: EventType.PIT_COMPARE_FOLDER_STATES;
+  metadata: {
+    targetCommitId: string;
+    folderId: string;
+    deepRollback: boolean;
+    diffsCount: string;
+    environment: string;
+    folderPath: string;
+  };
+}
+
 interface SecretScanningDataSourceListEvent {
  type: EventType.SECRET_SCANNING_DATA_SOURCE_LIST;
  metadata: {
@ -3183,6 +3353,11 @@ export type Event =
  | UpdateIdentityAwsAuthEvent
  | GetIdentityAwsAuthEvent
  | DeleteIdentityAwsAuthEvent
+  | LoginIdentityAliCloudAuthEvent
+  | AddIdentityAliCloudAuthEvent
+  | UpdateIdentityAliCloudAuthEvent
+  | GetIdentityAliCloudAuthEvent
+  | DeleteIdentityAliCloudAuthEvent
  | LoginIdentityOciAuthEvent
  | AddIdentityOciAuthEvent
  | UpdateIdentityOciAuthEvent
@ -3221,6 +3396,7 @@ export type Event =
  | CreateWebhookEvent
  | UpdateWebhookStatusEvent
  | DeleteWebhookEvent
+  | WebhookTriggeredEvent
  | GetSecretImportsEvent
  | GetSecretImportEvent
  | CreateSecretImportEvent
@ -3397,6 +3573,13 @@ export type Event =
  | MicrosoftTeamsWorkflowIntegrationGetEvent
  | MicrosoftTeamsWorkflowIntegrationListEvent
  | MicrosoftTeamsWorkflowIntegrationUpdateEvent
+  | GetProjectPitCommitsEvent
+  | GetProjectPitCommitChangesEvent
+  | PitRollbackCommitEvent
+  | GetProjectPitCommitCountEvent
+  | PitRevertCommitEvent
+  | PitCompareFolderStatesEvent
+  | PitGetFolderStateEvent
  | SecretScanningDataSourceListEvent
  | SecretScanningDataSourceGetEvent
  | SecretScanningDataSourceCreateEvent
--- a/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-dal.ts
+++ b/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-dal.ts
@ -1,10 +1,10 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
+import { ormify, TOrmify } from "@app/lib/knex";

-export type TCertificateAuthorityCrlDALFactory = ReturnType<typeof certificateAuthorityCrlDALFactory>;
+export type TCertificateAuthorityCrlDALFactory = TOrmify<TableName.CertificateAuthorityCrl>;

-export const certificateAuthorityCrlDALFactory = (db: TDbClient) => {
+export const certificateAuthorityCrlDALFactory = (db: TDbClient): TCertificateAuthorityCrlDALFactory => {
  const caCrlOrm = ormify(db, TableName.CertificateAuthorityCrl);
  return caCrlOrm;
 };
--- a/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
+++ b/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
@ -3,7 +3,7 @@ import * as x509 from "@peculiar/x509";

 import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { NotFoundError } from "@app/lib/errors";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
@ -12,7 +12,7 @@ import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns";

-import { TGetCaCrlsDTO, TGetCrlById } from "./certificate-authority-crl-types";
+import { TCertificateAuthorityCrlServiceFactory } from "./certificate-authority-crl-types";

 type TCertificateAuthorityCrlServiceFactoryDep = {
  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findByIdWithAssociatedCa">;
@ -22,19 +22,17 @@ type TCertificateAuthorityCrlServiceFactoryDep = {
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };

-export type TCertificateAuthorityCrlServiceFactory = ReturnType<typeof certificateAuthorityCrlServiceFactory>;
-
 export const certificateAuthorityCrlServiceFactory = ({
  certificateAuthorityDAL,
  certificateAuthorityCrlDAL,
  projectDAL,
  kmsService,
  permissionService // licenseService
-}: TCertificateAuthorityCrlServiceFactoryDep) => {
+}: TCertificateAuthorityCrlServiceFactoryDep): TCertificateAuthorityCrlServiceFactory => {
  /**
   * Return CRL with id [crlId]
   */
-  const getCrlById = async (crlId: TGetCrlById) => {
+  const getCrlById: TCertificateAuthorityCrlServiceFactory["getCrlById"] = async (crlId) => {
    const caCrl = await certificateAuthorityCrlDAL.findById(crlId);
    if (!caCrl) throw new NotFoundError({ message: `CRL with ID '${crlId}' not found` });

@ -65,7 +63,13 @@ export const certificateAuthorityCrlServiceFactory = ({
  /**
   * Returns a list of CRL ids for CA with id [caId]
   */
-  const getCaCrls = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCrlsDTO) => {
+  const getCaCrls: TCertificateAuthorityCrlServiceFactory["getCaCrls"] = async ({
+    caId,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }) => {
    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(caId);
    if (!ca?.internalCa?.id) throw new NotFoundError({ message: `Internal CA with ID '${caId}' not found` });

--- a/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-types.ts
+++ b/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-types.ts
@ -5,3 +5,137 @@ export type TGetCrlById = string;
 export type TGetCaCrlsDTO = {
  caId: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TCertificateAuthorityCrlServiceFactory = {
+  getCrlById: (crlId: TGetCrlById) => Promise<{
+    ca: {
+      readonly requireTemplateForIssuance: boolean;
+      readonly internalCa:
+        | {
+            id: string;
+            parentCaId: string | null | undefined;
+            type: string;
+            friendlyName: string;
+            organization: string;
+            ou: string;
+            country: string;
+            province: string;
+            locality: string;
+            commonName: string;
+            dn: string;
+            serialNumber: string | null | undefined;
+            maxPathLength: number | null | undefined;
+            keyAlgorithm: string;
+            notBefore: string | undefined;
+            notAfter: string | undefined;
+            activeCaCertId: string | null | undefined;
+          }
+        | undefined;
+      readonly externalCa:
+        | {
+            id: string;
+            type: string;
+            configuration: unknown;
+            dnsAppConnectionId: string | null | undefined;
+            appConnectionId: string | null | undefined;
+            credentials: Buffer | null | undefined;
+          }
+        | undefined;
+      readonly name: string;
+      readonly status: string;
+      readonly id: string;
+      readonly createdAt: Date;
+      readonly updatedAt: Date;
+      readonly projectId: string;
+      readonly enableDirectIssuance: boolean;
+      readonly parentCaId: string | null | undefined;
+      readonly type: string;
+      readonly friendlyName: string;
+      readonly organization: string;
+      readonly ou: string;
+      readonly country: string;
+      readonly province: string;
+      readonly locality: string;
+      readonly commonName: string;
+      readonly dn: string;
+      readonly serialNumber: string | null | undefined;
+      readonly maxPathLength: number | null | undefined;
+      readonly keyAlgorithm: string;
+      readonly notBefore: string | undefined;
+      readonly notAfter: string | undefined;
+      readonly activeCaCertId: string | null | undefined;
+    };
+    caCrl: {
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      caId: string;
+      caSecretId: string;
+      encryptedCrl: Buffer;
+    };
+    crl: ArrayBuffer;
+  }>;
+  getCaCrls: ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCrlsDTO) => Promise<{
+    ca: {
+      readonly requireTemplateForIssuance: boolean;
+      readonly internalCa:
+        | {
+            id: string;
+            parentCaId: string | null | undefined;
+            type: string;
+            friendlyName: string;
+            organization: string;
+            ou: string;
+            country: string;
+            province: string;
+            locality: string;
+            commonName: string;
+            dn: string;
+            serialNumber: string | null | undefined;
+            maxPathLength: number | null | undefined;
+            keyAlgorithm: string;
+            notBefore: string | undefined;
+            notAfter: string | undefined;
+            activeCaCertId: string | null | undefined;
+          }
+        | undefined;
+      readonly externalCa:
+        | {
+            id: string;
+            type: string;
+            configuration: unknown;
+            dnsAppConnectionId: string | null | undefined;
+            appConnectionId: string | null | undefined;
+            credentials: Buffer | null | undefined;
+          }
+        | undefined;
+      readonly name: string;
+      readonly status: string;
+      readonly id: string;
+      readonly createdAt: Date;
+      readonly updatedAt: Date;
+      readonly projectId: string;
+      readonly enableDirectIssuance: boolean;
+      readonly parentCaId: string | null | undefined;
+      readonly type: string;
+      readonly friendlyName: string;
+      readonly organization: string;
+      readonly ou: string;
+      readonly country: string;
+      readonly province: string;
+      readonly locality: string;
+      readonly commonName: string;
+      readonly dn: string;
+      readonly serialNumber: string | null | undefined;
+      readonly maxPathLength: number | null | undefined;
+      readonly keyAlgorithm: string;
+      readonly notBefore: string | undefined;
+      readonly notAfter: string | undefined;
+      readonly activeCaCertId: string | null | undefined;
+    };
+    crls: {
+      id: string;
+      crl: string;
+    }[];
+  }>;
+};
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue.ts
@ -10,6 +10,7 @@ import { TDynamicSecretDALFactory } from "../dynamic-secret/dynamic-secret-dal";
 import { DynamicSecretStatus } from "../dynamic-secret/dynamic-secret-types";
 import { DynamicSecretProviders, TDynamicProviderFns } from "../dynamic-secret/providers/models";
 import { TDynamicSecretLeaseDALFactory } from "./dynamic-secret-lease-dal";
+import { TDynamicSecretLeaseConfig } from "./dynamic-secret-lease-types";

 type TDynamicSecretLeaseQueueServiceFactoryDep = {
  queueService: TQueueServiceFactory;
@ -99,7 +100,9 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
          secretManagerDecryptor({ cipherTextBlob: dynamicSecretCfg.encryptedInput }).toString()
        ) as object;

-        await selectedProvider.revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId);
+        await selectedProvider.revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId, {
+          projectId: folder.projectId
+        });
        await dynamicSecretLeaseDAL.deleteById(dynamicSecretLease.id);
        return;
      }
@ -132,8 +135,15 @@ export const dynamicSecretLeaseQueueServiceFactory = ({

          await Promise.all(dynamicSecretLeases.map(({ id }) => unsetLeaseRevocation(id)));
          await Promise.all(
-            dynamicSecretLeases.map(({ externalEntityId }) =>
-              selectedProvider.revoke(decryptedStoredInput, externalEntityId)
+            dynamicSecretLeases.map(({ externalEntityId, config }) =>
+              selectedProvider.revoke(
+                decryptedStoredInput,
+                externalEntityId,
+                {
+                  projectId: folder.projectId
+                },
+                config as TDynamicSecretLeaseConfig
+              )
            )
          );
        }
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@ -1,8 +1,9 @@
 import { ForbiddenError, subject } from "@casl/ability";
+import RE2 from "re2";

 import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
  ProjectPermissionDynamicSecretActions,
  ProjectPermissionSub
@ -11,10 +12,13 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { ms } from "@app/lib/ms";
+import { ActorType } from "@app/services/auth/auth-type";
+import { TIdentityDALFactory } from "@app/services/identity/identity-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
+import { TUserDALFactory } from "@app/services/user/user-dal";

 import { TDynamicSecretDALFactory } from "../dynamic-secret/dynamic-secret-dal";
 import { DynamicSecretProviders, TDynamicProviderFns } from "../dynamic-secret/providers/models";
@ -25,6 +29,7 @@ import {
  TCreateDynamicSecretLeaseDTO,
  TDeleteDynamicSecretLeaseDTO,
  TDetailsDynamicSecretLeaseDTO,
+  TDynamicSecretLeaseConfig,
  TListDynamicSecretLeasesDTO,
  TRenewDynamicSecretLeaseDTO
 } from "./dynamic-secret-lease-types";
@ -39,6 +44,8 @@ type TDynamicSecretLeaseServiceFactoryDep = {
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  userDAL: Pick<TUserDALFactory, "findById">;
+  identityDAL: TIdentityDALFactory;
 };

 export type TDynamicSecretLeaseServiceFactory = ReturnType<typeof dynamicSecretLeaseServiceFactory>;
@ -52,8 +59,16 @@ export const dynamicSecretLeaseServiceFactory = ({
  dynamicSecretQueueService,
  projectDAL,
  licenseService,
-  kmsService
+  kmsService,
+  userDAL,
+  identityDAL
 }: TDynamicSecretLeaseServiceFactoryDep) => {
+  const extractEmailUsername = (email: string) => {
+    const regex = new RE2(/^([^@]+)/);
+    const match = email.match(regex);
+    return match ? match[1] : email;
+  };
+
  const create = async ({
    environmentSlug,
    path,
@ -63,7 +78,8 @@ export const dynamicSecretLeaseServiceFactory = ({
    actorId,
    actorOrgId,
    actorAuthMethod,
-    ttl
+    ttl,
+    config
  }: TCreateDynamicSecretLeaseDTO) => {
    const appCfg = getConfig();
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
@ -132,10 +148,25 @@ export const dynamicSecretLeaseServiceFactory = ({

    let result;
    try {
+      const identity: { name: string } = { name: "" };
+      if (actor === ActorType.USER) {
+        const user = await userDAL.findById(actorId);
+        if (user) {
+          identity.name = extractEmailUsername(user.username);
+        }
+      } else if (actor === ActorType.Machine) {
+        const machineIdentity = await identityDAL.findById(actorId);
+        if (machineIdentity) {
+          identity.name = machineIdentity.name;
+        }
+      }
      result = await selectedProvider.create({
        inputs: decryptedStoredInput,
        expireAt: expireAt.getTime(),
-        usernameTemplate: dynamicSecretCfg.usernameTemplate
+        usernameTemplate: dynamicSecretCfg.usernameTemplate,
+        identity,
+        metadata: { projectId },
+        config
      });
    } catch (error: unknown) {
      if (error && typeof error === "object" && error !== null && "sqlMessage" in error) {
@ -149,8 +180,10 @@ export const dynamicSecretLeaseServiceFactory = ({
      expireAt,
      version: 1,
      dynamicSecretId: dynamicSecretCfg.id,
-      externalEntityId: entityId
+      externalEntityId: entityId,
+      config
    });
+
    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, Number(expireAt) - Number(new Date()));
    return { lease: dynamicSecretLease, dynamicSecret: dynamicSecretCfg, data };
  };
@ -231,13 +264,17 @@ export const dynamicSecretLeaseServiceFactory = ({
    const expireAt = new Date(dynamicSecretLease.expireAt.getTime() + ms(selectedTTL));
    if (maxTTL) {
      const maxExpiryDate = new Date(dynamicSecretLease.createdAt.getTime() + ms(maxTTL));
-      if (expireAt > maxExpiryDate) throw new BadRequestError({ message: "TTL cannot be larger than max ttl" });
+      if (expireAt > maxExpiryDate)
+        throw new BadRequestError({
+          message: "The requested renewal would exceed the maximum allowed lease duration. Please choose a shorter TTL"
+        });
    }

    const { entityId } = await selectedProvider.renew(
      decryptedStoredInput,
      dynamicSecretLease.externalEntityId,
-      expireAt.getTime()
+      expireAt.getTime(),
+      { projectId }
    );

    await dynamicSecretQueueService.unsetLeaseRevocation(dynamicSecretLease.id);
@ -313,7 +350,12 @@ export const dynamicSecretLeaseServiceFactory = ({
    ) as object;

    const revokeResponse = await selectedProvider
-      .revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId)
+      .revoke(
+        decryptedStoredInput,
+        dynamicSecretLease.externalEntityId,
+        { projectId },
+        dynamicSecretLease.config as TDynamicSecretLeaseConfig
+      )
      .catch(async (err) => {
        // only propogate this error if forced is false
        if (!isForced) return { error: err as Error };
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-types.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-types.ts
@ -10,6 +10,7 @@ export type TCreateDynamicSecretLeaseDTO = {
  environmentSlug: string;
  ttl?: string;
  projectSlug: string;
+  config?: TDynamicSecretLeaseConfig;
 } & Omit<TProjectPermission, "projectId">;

 export type TDetailsDynamicSecretLeaseDTO = {
@ -41,3 +42,9 @@ export type TRenewDynamicSecretLeaseDTO = {
  ttl?: string;
  projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TDynamicSecretKubernetesLeaseConfig = {
+  namespace?: string;
+};
+
+export type TDynamicSecretLeaseConfig = TDynamicSecretKubernetesLeaseConfig;
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";

 import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
  ProjectPermissionDynamicSecretActions,
  ProjectPermissionSub
@ -116,7 +116,7 @@ export const dynamicSecretServiceFactory = ({
      throw new BadRequestError({ message: "Provided dynamic secret already exist under the folder" });

    const selectedProvider = dynamicSecretProviders[provider.type];
-    const inputs = await selectedProvider.validateProviderInputs(provider.inputs);
+    const inputs = await selectedProvider.validateProviderInputs(provider.inputs, { projectId });

    let selectedGatewayId: string | null = null;
    if (inputs && typeof inputs === "object" && "gatewayId" in inputs && inputs.gatewayId) {
@ -146,7 +146,7 @@ export const dynamicSecretServiceFactory = ({
      selectedGatewayId = gateway.id;
    }

-    const isConnected = await selectedProvider.validateConnection(provider.inputs);
+    const isConnected = await selectedProvider.validateConnection(provider.inputs, { projectId });
    if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });

    const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
@ -272,7 +272,7 @@ export const dynamicSecretServiceFactory = ({
      secretManagerDecryptor({ cipherTextBlob: dynamicSecretCfg.encryptedInput }).toString()
    ) as object;
    const newInput = { ...decryptedStoredInput, ...(inputs || {}) };
-    const updatedInput = await selectedProvider.validateProviderInputs(newInput);
+    const updatedInput = await selectedProvider.validateProviderInputs(newInput, { projectId });

    let selectedGatewayId: string | null = null;
    if (updatedInput && typeof updatedInput === "object" && "gatewayId" in updatedInput && updatedInput?.gatewayId) {
@ -301,7 +301,7 @@ export const dynamicSecretServiceFactory = ({
      selectedGatewayId = gateway.id;
    }

-    const isConnected = await selectedProvider.validateConnection(newInput);
+    const isConnected = await selectedProvider.validateConnection(newInput, { projectId });
    if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });

    const updatedDynamicCfg = await dynamicSecretDAL.transaction(async (tx) => {
@ -472,7 +472,9 @@ export const dynamicSecretServiceFactory = ({
      secretManagerDecryptor({ cipherTextBlob: dynamicSecretCfg.encryptedInput }).toString()
    ) as object;
    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-    const providerInputs = (await selectedProvider.validateProviderInputs(decryptedStoredInput)) as object;
+    const providerInputs = (await selectedProvider.validateProviderInputs(decryptedStoredInput, {
+      projectId
+    })) as object;

    return { ...dynamicSecretCfg, inputs: providerInputs };
  };
--- a/backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts
@ -16,6 +16,7 @@ import { BadRequestError } from "@app/lib/errors";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

 import { DynamicSecretAwsElastiCacheSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";

 const CreateElastiCacheUserSchema = z.object({
  UserId: z.string().trim().min(1),
@ -132,14 +133,14 @@ const generatePassword = () => {
  return customAlphabet(charset, 64)();
 };

-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
  const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-";
  const randomUsername = `inf-${customAlphabet(charset, 32)()}`;
  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
  });
 };

@ -174,14 +175,21 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
    return true;
  };

-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: {
+      name: string;
+    };
+  }) => {
+    const { inputs, expireAt, usernameTemplate, identity } = data;
    const providerInputs = await validateProviderInputs(inputs);
    if (!(await validateConnection(providerInputs))) {
      throw new BadRequestError({ message: "Failed to establish connection" });
    }

-    const leaseUsername = generateUsername(usernameTemplate);
+    const leaseUsername = generateUsername(usernameTemplate, identity);
    const leasePassword = generatePassword();
    const leaseExpiration = new Date(expireAt).toISOString();

--- a/backend/src/ee/services/dynamic-secret/providers/aws-iam.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/aws-iam.ts
@ -16,21 +16,25 @@ import {
  PutUserPolicyCommand,
  RemoveUserFromGroupCommand
 } from "@aws-sdk/client-iam";
-import handlebars from "handlebars";
+import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
+import { randomUUID } from "crypto";
 import { z } from "zod";

+import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

-import { DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
+import { AwsIamAuthType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";

-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
  const randomUsername = alphaNumericNanoId(32);
  if (!usernameTemplate) return randomUsername;

-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
  });
 };

@ -40,7 +44,43 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
    return providerInputs;
  };

-  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretAwsIamSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretAwsIamSchema>, projectId: string) => {
+    const appCfg = getConfig();
+    if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+      const stsClient = new STSClient({
+        region: providerInputs.region,
+        credentials:
+          appCfg.DYNAMIC_SECRET_AWS_ACCESS_KEY_ID && appCfg.DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY
+            ? {
+                accessKeyId: appCfg.DYNAMIC_SECRET_AWS_ACCESS_KEY_ID,
+                secretAccessKey: appCfg.DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY
+              }
+            : undefined // if hosting on AWS
+      });
+
+      const command = new AssumeRoleCommand({
+        RoleArn: providerInputs.roleArn,
+        RoleSessionName: `infisical-dynamic-secret-${randomUUID()}`,
+        DurationSeconds: 900, // 15 mins
+        ExternalId: projectId
+      });
+
+      const assumeRes = await stsClient.send(command);
+
+      if (!assumeRes.Credentials?.AccessKeyId || !assumeRes.Credentials?.SecretAccessKey) {
+        throw new BadRequestError({ message: "Failed to assume role - verify credentials and role configuration" });
+      }
+      const client = new IAMClient({
+        region: providerInputs.region,
+        credentials: {
+          accessKeyId: assumeRes.Credentials?.AccessKeyId,
+          secretAccessKey: assumeRes.Credentials?.SecretAccessKey,
+          sessionToken: assumeRes.Credentials?.SessionToken
+        }
+      });
+      return client;
+    }
+
    const client = new IAMClient({
      region: providerInputs.region,
      credentials: {
@ -52,30 +92,61 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
    return client;
  };

-  const validateConnection = async (inputs: unknown) => {
+  const validateConnection = async (inputs: unknown, { projectId }: { projectId: string }) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
-
-    const isConnected = await client.send(new GetUserCommand({})).then(() => true);
+    const client = await $getClient(providerInputs, projectId);
+    const isConnected = await client
+      .send(new GetUserCommand({}))
+      .then(() => true)
+      .catch((err) => {
+        const message = (err as Error)?.message;
+        if (
+          providerInputs.method === AwsIamAuthType.AssumeRole &&
+          // assume role will throw an error asking to provider username, but if so this has access in aws correctly
+          message.includes("Must specify userName when calling with non-User credentials")
+        ) {
+          return true;
+        }
+        throw err;
+      });
    return isConnected;
  };

-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: {
+      name: string;
+    };
+    metadata: { projectId: string };
+  }) => {
+    const { inputs, usernameTemplate, metadata, identity } = data;

    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
+    const client = await $getClient(providerInputs, metadata.projectId);

-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
    const { policyArns, userGroups, policyDocument, awsPath, permissionBoundaryPolicyArn } = providerInputs;
+    const awsTags = [{ Key: "createdBy", Value: "infisical-dynamic-secret" }];
+
+    if (providerInputs.tags && Array.isArray(providerInputs.tags)) {
+      const additionalTags = providerInputs.tags.map((tag) => ({
+        Key: tag.key,
+        Value: tag.value
+      }));
+      awsTags.push(...additionalTags);
+    }
+
    const createUserRes = await client.send(
      new CreateUserCommand({
        Path: awsPath,
        PermissionsBoundary: permissionBoundaryPolicyArn || undefined,
-        Tags: [{ Key: "createdBy", Value: "infisical-dynamic-secret" }],
+        Tags: awsTags,
        UserName: username
      })
    );
+
    if (!createUserRes.User) throw new BadRequestError({ message: "Failed to create AWS IAM User" });
    if (userGroups) {
      await Promise.all(
@ -125,9 +196,9 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
    };
  };

-  const revoke = async (inputs: unknown, entityId: string) => {
+  const revoke = async (inputs: unknown, entityId: string, metadata: { projectId: string }) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
+    const client = await $getClient(providerInputs, metadata.projectId);

    const username = entityId;

--- a/backend/src/ee/services/dynamic-secret/providers/cassandra.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/cassandra.ts
@ -8,19 +8,20 @@ import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars

 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretCassandraSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";

 const generatePassword = (size = 48) => {
  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
  return customAlphabet(charset, 48)(size);
 };

-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
  const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
  });
 };

@ -75,12 +76,17 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    return isConnected;
  };

-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: { name: string };
+  }) => {
+    const { inputs, expireAt, usernameTemplate, identity } = data;
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();
    const { keyspace } = providerInputs;
    const expiration = new Date(expireAt).toISOString();
--- a/backend/src/ee/services/dynamic-secret/providers/elastic-search.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/elastic-search.ts
@ -1,5 +1,4 @@
 import { Client as ElasticSearchClient } from "@elastic/elasticsearch";
-import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

@ -7,19 +6,20 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretElasticSearchSchema, ElasticSearchAuthTypes, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";

 const generatePassword = () => {
  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
  return customAlphabet(charset, 64)();
 };

-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
  const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
  });
 };

@ -71,12 +71,12 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
    return infoResponse;
  };

-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
+    const { inputs, usernameTemplate, identity } = data;
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await $getClient(providerInputs);

-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();

    await connection.security.putUser({
--- a/backend/src/ee/services/dynamic-secret/providers/gcp-iam.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/gcp-iam.ts
@ -0,0 +1,105 @@
+import { gaxios, Impersonated, JWT } from "google-auth-library";
+import { GetAccessTokenResponse } from "google-auth-library/build/src/auth/oauth2client";
+
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { DynamicSecretGcpIamSchema, TDynamicProviderFns } from "./models";
+
+export const GcpIamProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretGcpIamSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const $getToken = async (serviceAccountEmail: string, ttl: number): Promise<string> => {
+    const appCfg = getConfig();
+    if (!appCfg.INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL) {
+      throw new InternalServerError({
+        message: "Environment variable has not been configured: INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL"
+      });
+    }
+
+    const credJson = JSON.parse(appCfg.INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL) as {
+      client_email: string;
+      private_key: string;
+    };
+
+    const sourceClient = new JWT({
+      email: credJson.client_email,
+      key: credJson.private_key,
+      scopes: ["https://www.googleapis.com/auth/cloud-platform"]
+    });
+
+    const impersonatedCredentials = new Impersonated({
+      sourceClient,
+      targetPrincipal: serviceAccountEmail,
+      lifetime: ttl,
+      delegates: [],
+      targetScopes: ["https://www.googleapis.com/auth/iam", "https://www.googleapis.com/auth/cloud-platform"]
+    });
+
+    let tokenResponse: GetAccessTokenResponse | undefined;
+    try {
+      tokenResponse = await impersonatedCredentials.getAccessToken();
+    } catch (error) {
+      let message = "Unable to validate connection";
+      if (error instanceof gaxios.GaxiosError) {
+        message = error.message;
+      }
+
+      throw new BadRequestError({
+        message
+      });
+    }
+
+    if (!tokenResponse || !tokenResponse.token) {
+      throw new BadRequestError({
+        message: "Unable to validate connection"
+      });
+    }
+
+    return tokenResponse.token;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    await $getToken(providerInputs.serviceAccountEmail, 10);
+    return true;
+  };
+
+  const create = async (data: { inputs: unknown; expireAt: number }) => {
+    const { inputs, expireAt } = data;
+
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const now = Math.floor(Date.now() / 1000);
+    const ttl = Math.max(Math.floor(expireAt / 1000) - now, 0);
+
+    const token = await $getToken(providerInputs.serviceAccountEmail, ttl);
+    const entityId = alphaNumericNanoId(32);
+
+    return { entityId, data: { SERVICE_ACCOUNT_EMAIL: providerInputs.serviceAccountEmail, TOKEN: token } };
+  };
+
+  const revoke = async (_inputs: unknown, entityId: string) => {
+    // There's no way to revoke GCP IAM access tokens
+    return { entityId };
+  };
+
+  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
+    // To renew a token it must be re-created
+    const data = await create({ inputs, expireAt });
+
+    return { ...data, entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};
--- a/backend/src/ee/services/dynamic-secret/providers/github.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/github.ts
@ -0,0 +1,133 @@
+import axios from "axios";
+import * as jwt from "jsonwebtoken";
+
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { DynamicSecretGithubSchema, TDynamicProviderFns } from "./models";
+
+interface GitHubInstallationTokenResponse {
+  token: string;
+  expires_at: string; // ISO 8601 timestamp e.g., "2024-01-15T12:00:00Z"
+  permissions?: Record<string, string>;
+  repository_selection?: string;
+}
+
+interface TGithubProviderInputs {
+  appId: number;
+  installationId: number;
+  privateKey: string;
+}
+
+export const GithubProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretGithubSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const $generateGitHubInstallationAccessToken = async (
+    credentials: TGithubProviderInputs
+  ): Promise<GitHubInstallationTokenResponse> => {
+    const { appId, installationId, privateKey } = credentials;
+
+    const nowInSeconds = Math.floor(Date.now() / 1000);
+    const jwtPayload = {
+      iat: nowInSeconds - 5,
+      exp: nowInSeconds + 60,
+      iss: String(appId)
+    };
+
+    let appJwt: string;
+    try {
+      appJwt = jwt.sign(jwtPayload, privateKey, { algorithm: "RS256" });
+    } catch (error) {
+      let message = "Failed to sign JWT.";
+      if (error instanceof jwt.JsonWebTokenError) {
+        message += ` JsonWebTokenError: ${error.message}`;
+      }
+      throw new InternalServerError({
+        message
+      });
+    }
+
+    const tokenUrl = `${IntegrationUrls.GITHUB_API_URL}/app/installations/${String(installationId)}/access_tokens`;
+
+    try {
+      const response = await axios.post<GitHubInstallationTokenResponse>(tokenUrl, undefined, {
+        headers: {
+          Authorization: `Bearer ${appJwt}`,
+          Accept: "application/vnd.github.v3+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      });
+
+      if (response.status === 201 && response.data.token) {
+        return response.data; // Includes token, expires_at, permissions, repository_selection
+      }
+
+      throw new InternalServerError({
+        message: `GitHub API responded with unexpected status ${response.status}: ${JSON.stringify(response.data)}`
+      });
+    } catch (error) {
+      let message = "Failed to fetch GitHub installation access token.";
+      if (axios.isAxiosError(error) && error.response) {
+        const githubErrorMsg =
+          (error.response.data as { message?: string })?.message || JSON.stringify(error.response.data);
+        message += ` GitHub API Error: ${error.response.status} - ${githubErrorMsg}`;
+
+        // Classify as BadRequestError for auth-related issues (401, 403, 404) which might be due to user input
+        if ([401, 403, 404].includes(error.response.status)) {
+          throw new BadRequestError({ message });
+        }
+      }
+
+      throw new InternalServerError({ message });
+    }
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    await $generateGitHubInstallationAccessToken(providerInputs);
+    return true;
+  };
+
+  const create = async (data: { inputs: unknown }) => {
+    const { inputs } = data;
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const ghTokenData = await $generateGitHubInstallationAccessToken(providerInputs);
+    const entityId = alphaNumericNanoId(32);
+
+    return {
+      entityId,
+      data: {
+        TOKEN: ghTokenData.token,
+        EXPIRES_AT: ghTokenData.expires_at,
+        PERMISSIONS: ghTokenData.permissions,
+        REPOSITORY_SELECTION: ghTokenData.repository_selection
+      }
+    };
+  };
+
+  const revoke = async () => {
+    // GitHub installation tokens cannot be revoked.
+    throw new BadRequestError({
+      message:
+        "Github dynamic secret does not support revocation because GitHub itself cannot revoke installation tokens"
+    });
+  };
+
+  const renew = async () => {
+    // No renewal
+    throw new BadRequestError({ message: "Github dynamic secret does not support renewal" });
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};
--- a/backend/src/ee/services/dynamic-secret/providers/index.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/index.ts
@ -6,6 +6,8 @@ import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
+import { GcpIamProvider } from "./gcp-iam";
+import { GithubProvider } from "./github";
 import { KubernetesProvider } from "./kubernetes";
 import { LdapProvider } from "./ldap";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./models";
@ -42,5 +44,7 @@ export const buildDynamicSecretProviders = ({
  [DynamicSecretProviders.Totp]: TotpProvider(),
  [DynamicSecretProviders.SapAse]: SapAseProvider(),
  [DynamicSecretProviders.Kubernetes]: KubernetesProvider({ gatewayService }),
-  [DynamicSecretProviders.Vertica]: VerticaProvider({ gatewayService })
+  [DynamicSecretProviders.Vertica]: VerticaProvider({ gatewayService }),
+  [DynamicSecretProviders.GcpIam]: GcpIamProvider(),
+  [DynamicSecretProviders.Github]: GithubProvider()
 });
--- a/backend/src/ee/services/dynamic-secret/providers/kubernetes.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/kubernetes.ts
@ -1,24 +1,46 @@
-import axios from "axios";
+import axios, { AxiosError } from "axios";
+import handlebars from "handlebars";
 import https from "https";

-import { InternalServerError } from "@app/lib/errors";
-import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { GatewayHttpProxyActions, GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 import { TKubernetesTokenRequest } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-types";

+import { TDynamicSecretKubernetesLeaseConfig } from "../../dynamic-secret-lease/dynamic-secret-lease-types";
 import { TGatewayServiceFactory } from "../../gateway/gateway-service";
-import { DynamicSecretKubernetesSchema, TDynamicProviderFns } from "./models";
+import {
+  DynamicSecretKubernetesSchema,
+  KubernetesAuthMethod,
+  KubernetesCredentialType,
+  KubernetesRoleType,
+  TDynamicProviderFns
+} from "./models";

 const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;

+// This value is just a placeholder. When using gateway auth method, the url is irrelevant.
+const GATEWAY_AUTH_DEFAULT_URL = "https://kubernetes.default.svc.cluster.local";
+
 type TKubernetesProviderDTO = {
  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
 };

+const generateUsername = (usernameTemplate?: string | null) => {
+  const randomUsername = `dynamic-secret-sa-${alphaNumericNanoId(10).toLowerCase()}`;
+  if (!usernameTemplate) return randomUsername;
+
+  return handlebars.compile(usernameTemplate)({
+    randomUsername,
+    unixTimestamp: Math.floor(Date.now() / 100)
+  });
+};
+
 export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO): TDynamicProviderFns => {
  const validateProviderInputs = async (inputs: unknown) => {
    const providerInputs = await DynamicSecretKubernetesSchema.parseAsync(inputs);
-    if (!providerInputs.gatewayId) {
+    if (!providerInputs.gatewayId && providerInputs.url) {
      await blockLocalAndPrivateIpAddresses(providerInputs.url);
    }

@ -30,20 +52,27 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
      gatewayId: string;
      targetHost: string;
      targetPort: number;
+      caCert?: string;
+      reviewTokenThroughGateway: boolean;
+      enableSsl: boolean;
    },
-    gatewayCallback: (host: string, port: number) => Promise<T>
+    gatewayCallback: (host: string, port: number, httpsAgent?: https.Agent) => Promise<T>
  ): Promise<T> => {
    const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(inputs.gatewayId);
    const [relayHost, relayPort] = relayDetails.relayAddress.split(":");

    const callbackResult = await withGatewayProxy(
-      async (port) => {
+      async (port, httpsAgent) => {
        // Needs to be https protocol or the kubernetes API server will fail with "Client sent an HTTP request to an HTTPS server"
-        const res = await gatewayCallback("https://localhost", port);
+        const res = await gatewayCallback(
+          inputs.reviewTokenThroughGateway ? "http://localhost" : "https://localhost",
+          port,
+          httpsAgent
+        );
        return res;
      },
      {
-        protocol: GatewayProxyProtocol.Tcp,
+        protocol: inputs.reviewTokenThroughGateway ? GatewayProxyProtocol.Http : GatewayProxyProtocol.Tcp,
        targetHost: inputs.targetHost,
        targetPort: inputs.targetPort,
        relayHost,
@ -54,7 +83,12 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
          ca: relayDetails.certChain,
          cert: relayDetails.certificate,
          key: relayDetails.privateKey.toString()
-        }
+        },
+        // we always pass this, because its needed for both tcp and http protocol
+        httpsAgent: new https.Agent({
+          ca: inputs.caCert,
+          rejectUnauthorized: inputs.enableSsl
+        })
      }
    );

@ -64,7 +98,189 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);

-    const serviceAccountGetCallback = async (host: string, port: number) => {
+    const serviceAccountDynamicCallback = async (host: string, port: number, httpsAgent?: https.Agent) => {
+      if (providerInputs.credentialType !== KubernetesCredentialType.Dynamic) {
+        throw new Error("invalid callback");
+      }
+
+      const baseUrl = port ? `${host}:${port}` : host;
+      const serviceAccountName = generateUsername();
+      const roleBindingName = `${serviceAccountName}-role-binding`;
+
+      const namespaces = providerInputs.namespace.split(",").map((namespace) => namespace.trim());
+
+      // Test each namespace sequentially instead of in parallel to simplify cleanup
+      for await (const namespace of namespaces) {
+        try {
+          // 1. Create a test service account
+          await axios.post(
+            `${baseUrl}/api/v1/namespaces/${namespace}/serviceaccounts`,
+            {
+              metadata: {
+                name: serviceAccountName,
+                namespace
+              }
+            },
+            {
+              headers: {
+                "Content-Type": "application/json",
+                ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+                  ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+                  : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+              },
+              ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+                ? {
+                    httpsAgent
+                  }
+                : {}),
+              signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+              timeout: EXTERNAL_REQUEST_TIMEOUT
+            }
+          );
+
+          // 2. Create a test role binding
+          const roleBindingUrl =
+            providerInputs.roleType === KubernetesRoleType.ClusterRole
+              ? `${baseUrl}/apis/rbac.authorization.k8s.io/v1/clusterrolebindings`
+              : `${baseUrl}/apis/rbac.authorization.k8s.io/v1/namespaces/${namespace}/rolebindings`;
+
+          const roleBindingMetadata = {
+            name: roleBindingName,
+            ...(providerInputs.roleType !== KubernetesRoleType.ClusterRole && { namespace })
+          };
+
+          await axios.post(
+            roleBindingUrl,
+            {
+              metadata: roleBindingMetadata,
+              roleRef: {
+                kind: providerInputs.roleType === KubernetesRoleType.ClusterRole ? "ClusterRole" : "Role",
+                name: providerInputs.role,
+                apiGroup: "rbac.authorization.k8s.io"
+              },
+              subjects: [
+                {
+                  kind: "ServiceAccount",
+                  name: serviceAccountName,
+                  namespace
+                }
+              ]
+            },
+            {
+              headers: {
+                "Content-Type": "application/json",
+                ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+                  ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+                  : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+              },
+              ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+                ? {
+                    httpsAgent
+                  }
+                : {}),
+              signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+              timeout: EXTERNAL_REQUEST_TIMEOUT
+            }
+          );
+
+          // 3. Request a token for the test service account
+          await axios.post(
+            `${baseUrl}/api/v1/namespaces/${namespace}/serviceaccounts/${serviceAccountName}/token`,
+            {
+              spec: {
+                expirationSeconds: 600, // 10 minutes
+                ...(providerInputs.audiences?.length ? { audiences: providerInputs.audiences } : {})
+              }
+            },
+            {
+              headers: {
+                "Content-Type": "application/json",
+                ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+                  ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+                  : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+              },
+              ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+                ? {
+                    httpsAgent
+                  }
+                : {}),
+              signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+              timeout: EXTERNAL_REQUEST_TIMEOUT
+            }
+          );
+
+          // 4. Cleanup: delete role binding and service account
+          if (providerInputs.roleType === KubernetesRoleType.Role) {
+            await axios.delete(
+              `${baseUrl}/apis/rbac.authorization.k8s.io/v1/namespaces/${namespace}/rolebindings/${roleBindingName}`,
+              {
+                headers: {
+                  "Content-Type": "application/json",
+                  ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+                    ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+                    : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+                },
+                ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+                  ? {
+                      httpsAgent
+                    }
+                  : {}),
+                signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+                timeout: EXTERNAL_REQUEST_TIMEOUT
+              }
+            );
+          } else {
+            await axios.delete(`${baseUrl}/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/${roleBindingName}`, {
+              headers: {
+                "Content-Type": "application/json",
+                ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+                  ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+                  : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+              },
+              ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+                ? {
+                    httpsAgent
+                  }
+                : {}),
+              signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+              timeout: EXTERNAL_REQUEST_TIMEOUT
+            });
+          }
+
+          await axios.delete(`${baseUrl}/api/v1/namespaces/${namespace}/serviceaccounts/${serviceAccountName}`, {
+            headers: {
+              "Content-Type": "application/json",
+              ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+                ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+                : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+            },
+            ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+              ? {
+                  httpsAgent
+                }
+              : {}),
+            signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+            timeout: EXTERNAL_REQUEST_TIMEOUT
+          });
+        } catch (error) {
+          const cleanupInfo = `You may need to manually clean up the following resources in namespace "${namespace}": Service Account - ${serviceAccountName}, ${providerInputs.roleType === KubernetesRoleType.Role ? "Role" : "Cluster Role"} Binding - ${roleBindingName}.`;
+          let mainErrorMessage = "Unknown error";
+          if (error instanceof AxiosError) {
+            mainErrorMessage = (error.response?.data as { message: string })?.message;
+          } else if (error instanceof Error) {
+            mainErrorMessage = error.message;
+          }
+
+          throw new Error(`${mainErrorMessage}. ${cleanupInfo}`);
+        }
+      }
+    };
+
+    const serviceAccountStaticCallback = async (host: string, port: number, httpsAgent?: https.Agent) => {
+      if (providerInputs.credentialType !== KubernetesCredentialType.Static) {
+        throw new Error("invalid callback");
+      }
+
      const baseUrl = port ? `${host}:${port}` : host;

      await axios.get(
@ -72,36 +288,63 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
        {
          headers: {
            "Content-Type": "application/json",
-            Authorization: `Bearer ${providerInputs.clusterToken}`
+            ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+              ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+              : { Authorization: `Bearer ${providerInputs.clusterToken}` })
          },
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+            ? {
+                httpsAgent
+              }
+            : {}),
          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent: new https.Agent({
-            ca: providerInputs.ca,
-            rejectUnauthorized: providerInputs.sslEnabled
-          })
+          timeout: EXTERNAL_REQUEST_TIMEOUT
        }
      );
    };

-    const url = new URL(providerInputs.url);
+    const rawUrl =
+      providerInputs.authMethod === KubernetesAuthMethod.Gateway ? GATEWAY_AUTH_DEFAULT_URL : providerInputs.url || "";
+    const url = new URL(rawUrl);
+    const k8sGatewayHost = url.hostname;
    const k8sPort = url.port ? Number(url.port) : 443;
+    const k8sHost = `${url.protocol}//${url.hostname}`;

    try {
      if (providerInputs.gatewayId) {
-        const k8sHost = url.hostname;
-
-        await $gatewayProxyWrapper(
-          {
-            gatewayId: providerInputs.gatewayId,
-            targetHost: k8sHost,
-            targetPort: k8sPort
-          },
-          serviceAccountGetCallback
-        );
+        if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
+          await $gatewayProxyWrapper(
+            {
+              gatewayId: providerInputs.gatewayId,
+              targetHost: k8sHost,
+              targetPort: k8sPort,
+              enableSsl: providerInputs.sslEnabled,
+              caCert: providerInputs.ca,
+              reviewTokenThroughGateway: true
+            },
+            providerInputs.credentialType === KubernetesCredentialType.Static
+              ? serviceAccountStaticCallback
+              : serviceAccountDynamicCallback
+          );
+        } else {
+          await $gatewayProxyWrapper(
+            {
+              gatewayId: providerInputs.gatewayId,
+              targetHost: k8sGatewayHost,
+              targetPort: k8sPort,
+              enableSsl: providerInputs.sslEnabled,
+              caCert: providerInputs.ca,
+              reviewTokenThroughGateway: false
+            },
+            providerInputs.credentialType === KubernetesCredentialType.Static
+              ? serviceAccountStaticCallback
+              : serviceAccountDynamicCallback
+          );
+        }
+      } else if (providerInputs.credentialType === KubernetesCredentialType.Static) {
+        await serviceAccountStaticCallback(k8sHost, k8sPort);
      } else {
-        const k8sHost = `${url.protocol}//${url.hostname}`;
-        await serviceAccountGetCallback(k8sHost, k8sPort);
+        await serviceAccountDynamicCallback(k8sHost, k8sPort);
      }

      return true;
@ -117,10 +360,153 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
    }
  };

-  const create = async ({ inputs, expireAt }: { inputs: unknown; expireAt: number }) => {
+  const create = async ({
+    inputs,
+    expireAt,
+    usernameTemplate,
+    config
+  }: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    config?: TDynamicSecretKubernetesLeaseConfig;
+  }) => {
    const providerInputs = await validateProviderInputs(inputs);

-    const tokenRequestCallback = async (host: string, port: number) => {
+    const serviceAccountDynamicCallback = async (host: string, port: number, httpsAgent?: https.Agent) => {
+      if (providerInputs.credentialType !== KubernetesCredentialType.Dynamic) {
+        throw new Error("invalid callback");
+      }
+
+      const baseUrl = port ? `${host}:${port}` : host;
+      const serviceAccountName = generateUsername(usernameTemplate);
+      const roleBindingName = `${serviceAccountName}-role-binding`;
+      const allowedNamespaces = providerInputs.namespace.split(",").map((namespace) => namespace.trim());
+
+      if (config?.namespace && !allowedNamespaces?.includes(config?.namespace)) {
+        throw new BadRequestError({
+          message: `Namespace ${config?.namespace} is not allowed. Allowed namespaces: ${allowedNamespaces?.join(", ")}`
+        });
+      }
+
+      const namespace = config?.namespace || allowedNamespaces[0];
+      if (!namespace) {
+        throw new BadRequestError({
+          message: "No namespace provided"
+        });
+      }
+
+      // 1. Create the service account
+      await axios.post(
+        `${baseUrl}/api/v1/namespaces/${namespace}/serviceaccounts`,
+        {
+          metadata: {
+            name: serviceAccountName,
+            namespace
+          }
+        },
+        {
+          headers: {
+            "Content-Type": "application/json",
+            ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+              ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+              : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+          },
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+            ? {
+                httpsAgent
+              }
+            : {}),
+          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+          timeout: EXTERNAL_REQUEST_TIMEOUT
+        }
+      );
+
+      // 2. Create the role binding
+      const roleBindingUrl =
+        providerInputs.roleType === KubernetesRoleType.ClusterRole
+          ? `${baseUrl}/apis/rbac.authorization.k8s.io/v1/clusterrolebindings`
+          : `${baseUrl}/apis/rbac.authorization.k8s.io/v1/namespaces/${namespace}/rolebindings`;
+
+      const roleBindingMetadata = {
+        name: roleBindingName,
+        ...(providerInputs.roleType !== KubernetesRoleType.ClusterRole && { namespace })
+      };
+
+      await axios.post(
+        roleBindingUrl,
+        {
+          metadata: roleBindingMetadata,
+          roleRef: {
+            kind: providerInputs.roleType === KubernetesRoleType.ClusterRole ? "ClusterRole" : "Role",
+            name: providerInputs.role,
+            apiGroup: "rbac.authorization.k8s.io"
+          },
+          subjects: [
+            {
+              kind: "ServiceAccount",
+              name: serviceAccountName,
+              namespace
+            }
+          ]
+        },
+        {
+          headers: {
+            "Content-Type": "application/json",
+            ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+              ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+              : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+          },
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+            ? {
+                httpsAgent
+              }
+            : {}),
+          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+          timeout: EXTERNAL_REQUEST_TIMEOUT
+        }
+      );
+
+      // 3. Request a token for the service account
+      const res = await axios.post<TKubernetesTokenRequest>(
+        `${baseUrl}/api/v1/namespaces/${namespace}/serviceaccounts/${serviceAccountName}/token`,
+        {
+          spec: {
+            expirationSeconds: Math.floor((expireAt - Date.now()) / 1000),
+            ...(providerInputs.audiences?.length ? { audiences: providerInputs.audiences } : {})
+          }
+        },
+        {
+          headers: {
+            "Content-Type": "application/json",
+            ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+              ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+              : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+          },
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+            ? {
+                httpsAgent
+              }
+            : {}),
+          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+          timeout: EXTERNAL_REQUEST_TIMEOUT
+        }
+      );
+
+      return { ...res.data, serviceAccountName };
+    };
+
+    const tokenRequestStaticCallback = async (host: string, port: number, httpsAgent?: https.Agent) => {
+      if (providerInputs.credentialType !== KubernetesCredentialType.Static) {
+        throw new Error("invalid callback");
+      }
+
+      if (config?.namespace && config.namespace !== providerInputs.namespace) {
+        throw new BadRequestError({
+          message: `Namespace ${config?.namespace} is not allowed. Allowed namespace: ${providerInputs.namespace}.`
+        });
+      }
+
      const baseUrl = port ? `${host}:${port}` : host;

      const res = await axios.post<TKubernetesTokenRequest>(
@ -134,39 +520,71 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
        {
          headers: {
            "Content-Type": "application/json",
-            Authorization: `Bearer ${providerInputs.clusterToken}`
+            ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+              ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+              : { Authorization: `Bearer ${providerInputs.clusterToken}` })
          },
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+            ? {
+                httpsAgent
+              }
+            : {}),
          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent: new https.Agent({
-            ca: providerInputs.ca,
-            rejectUnauthorized: providerInputs.sslEnabled
-          })
+          timeout: EXTERNAL_REQUEST_TIMEOUT
        }
      );

-      return res.data;
+      return { ...res.data, serviceAccountName: providerInputs.serviceAccountName };
    };

-    const url = new URL(providerInputs.url);
+    const rawUrl =
+      providerInputs.authMethod === KubernetesAuthMethod.Gateway ? GATEWAY_AUTH_DEFAULT_URL : providerInputs.url || "";
+    const url = new URL(rawUrl);
    const k8sHost = `${url.protocol}//${url.hostname}`;
    const k8sGatewayHost = url.hostname;
    const k8sPort = url.port ? Number(url.port) : 443;

    try {
-      const tokenData = providerInputs.gatewayId
-        ? await $gatewayProxyWrapper(
+      let tokenData;
+      if (providerInputs.gatewayId) {
+        if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
+          tokenData = await $gatewayProxyWrapper(
+            {
+              gatewayId: providerInputs.gatewayId,
+              targetHost: k8sHost,
+              targetPort: k8sPort,
+              enableSsl: providerInputs.sslEnabled,
+              caCert: providerInputs.ca,
+              reviewTokenThroughGateway: true
+            },
+            providerInputs.credentialType === KubernetesCredentialType.Static
+              ? tokenRequestStaticCallback
+              : serviceAccountDynamicCallback
+          );
+        } else {
+          tokenData = await $gatewayProxyWrapper(
            {
              gatewayId: providerInputs.gatewayId,
              targetHost: k8sGatewayHost,
-              targetPort: k8sPort
+              targetPort: k8sPort,
+              enableSsl: providerInputs.sslEnabled,
+              caCert: providerInputs.ca,
+              reviewTokenThroughGateway: false
            },
-            tokenRequestCallback
-          )
-        : await tokenRequestCallback(k8sHost, k8sPort);
+            providerInputs.credentialType === KubernetesCredentialType.Static
+              ? tokenRequestStaticCallback
+              : serviceAccountDynamicCallback
+          );
+        }
+      } else {
+        tokenData =
+          providerInputs.credentialType === KubernetesCredentialType.Static
+            ? await tokenRequestStaticCallback(k8sHost, k8sPort)
+            : await serviceAccountDynamicCallback(k8sHost, k8sPort);
+      }

      return {
-        entityId: providerInputs.serviceAccountName,
+        entityId: tokenData.serviceAccountName,
        data: { TOKEN: tokenData.status.token }
      };
    } catch (error) {
@ -181,7 +599,122 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
    }
  };

-  const revoke = async (_inputs: unknown, entityId: string) => {
+  const revoke = async (
+    inputs: unknown,
+    entityId: string,
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    _metadata: { projectId: string },
+    config?: TDynamicSecretKubernetesLeaseConfig
+  ) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const serviceAccountDynamicCallback = async (host: string, port: number, httpsAgent?: https.Agent) => {
+      if (providerInputs.credentialType !== KubernetesCredentialType.Dynamic) {
+        throw new Error("invalid callback");
+      }
+
+      const baseUrl = port ? `${host}:${port}` : host;
+      const roleBindingName = `${entityId}-role-binding`;
+
+      const namespace = config?.namespace ?? providerInputs.namespace.split(",")[0].trim();
+
+      if (providerInputs.roleType === KubernetesRoleType.Role) {
+        await axios.delete(
+          `${baseUrl}/apis/rbac.authorization.k8s.io/v1/namespaces/${namespace}/rolebindings/${roleBindingName}`,
+          {
+            headers: {
+              "Content-Type": "application/json",
+              ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+                ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+                : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+            },
+            ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+              ? {
+                  httpsAgent
+                }
+              : {}),
+            signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+            timeout: EXTERNAL_REQUEST_TIMEOUT
+          }
+        );
+      } else {
+        await axios.delete(`${baseUrl}/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/${roleBindingName}`, {
+          headers: {
+            "Content-Type": "application/json",
+            ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+              ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+              : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+          },
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+            ? {
+                httpsAgent
+              }
+            : {}),
+          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+          timeout: EXTERNAL_REQUEST_TIMEOUT
+        });
+      }
+
+      // Delete the service account
+      await axios.delete(`${baseUrl}/api/v1/namespaces/${namespace}/serviceaccounts/${entityId}`, {
+        headers: {
+          "Content-Type": "application/json",
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+            ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+            : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+        },
+        ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+          ? {
+              httpsAgent
+            }
+          : {}),
+        signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+        timeout: EXTERNAL_REQUEST_TIMEOUT
+      });
+    };
+
+    if (providerInputs.credentialType === KubernetesCredentialType.Dynamic) {
+      const rawUrl =
+        providerInputs.authMethod === KubernetesAuthMethod.Gateway
+          ? GATEWAY_AUTH_DEFAULT_URL
+          : providerInputs.url || "";
+
+      const url = new URL(rawUrl);
+      const k8sGatewayHost = url.hostname;
+      const k8sPort = url.port ? Number(url.port) : 443;
+      const k8sHost = `${url.protocol}//${url.hostname}`;
+
+      if (providerInputs.gatewayId) {
+        if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
+          await $gatewayProxyWrapper(
+            {
+              gatewayId: providerInputs.gatewayId,
+              targetHost: k8sHost,
+              targetPort: k8sPort,
+              enableSsl: providerInputs.sslEnabled,
+              caCert: providerInputs.ca,
+              reviewTokenThroughGateway: true
+            },
+            serviceAccountDynamicCallback
+          );
+        } else {
+          await $gatewayProxyWrapper(
+            {
+              gatewayId: providerInputs.gatewayId,
+              targetHost: k8sGatewayHost,
+              targetPort: k8sPort,
+              enableSsl: providerInputs.sslEnabled,
+              caCert: providerInputs.ca,
+              reviewTokenThroughGateway: false
+            },
+            serviceAccountDynamicCallback
+          );
+        }
+      } else {
+        await serviceAccountDynamicCallback(k8sHost, k8sPort);
+      }
+    }
+
    return { entityId };
  };

--- a/backend/src/ee/services/dynamic-secret/providers/ldap.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/ldap.ts
@ -9,6 +9,7 @@ import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { LdapCredentialType, LdapSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";

 const generatePassword = () => {
  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
@ -22,13 +23,13 @@ const encodePassword = (password?: string) => {
  return base64Password;
 };

-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
  const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
  });
 };

@ -196,8 +197,8 @@ export const LdapProvider = (): TDynamicProviderFns => {
    return dnArray;
  };

-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
+    const { inputs, usernameTemplate, identity } = data;
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

@ -224,7 +225,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
        });
      }
    } else {
-      const username = generateUsername(usernameTemplate);
+      const username = generateUsername(usernameTemplate, identity);
      const password = generatePassword();
      const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.creationLdif });

--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@ -1,5 +1,11 @@
+import RE2 from "re2";
 import { z } from "zod";

+import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
+
+import { TDynamicSecretLeaseConfig } from "../../dynamic-secret-lease/dynamic-secret-lease-types";
+
 export type PasswordRequirements = {
  length: number;
  required: {
@ -20,6 +26,11 @@ export enum SqlProviders {
  Vertica = "vertica"
 }

+export enum AwsIamAuthType {
+  AssumeRole = "assume-role",
+  AccessKey = "access-key"
+}
+
 export enum ElasticSearchAuthTypes {
  User = "user",
  ApiKey = "api-key"
@ -31,7 +42,18 @@ export enum LdapCredentialType {
 }

 export enum KubernetesCredentialType {
-  Static = "static"
+  Static = "static",
+  Dynamic = "dynamic"
+}
+
+export enum KubernetesRoleType {
+  ClusterRole = "cluster-role",
+  Role = "role"
+}
+
+export enum KubernetesAuthMethod {
+  Gateway = "gateway",
+  Api = "api"
 }

 export enum TotpConfigType {
@ -168,16 +190,40 @@ export const DynamicSecretSapAseSchema = z.object({
  revocationStatement: z.string().trim()
 });

-export const DynamicSecretAwsIamSchema = z.object({
-  accessKey: z.string().trim().min(1),
-  secretAccessKey: z.string().trim().min(1),
-  region: z.string().trim().min(1),
-  awsPath: z.string().trim().optional(),
-  permissionBoundaryPolicyArn: z.string().trim().optional(),
-  policyDocument: z.string().trim().optional(),
-  userGroups: z.string().trim().optional(),
-  policyArns: z.string().trim().optional()
-});
+export const DynamicSecretAwsIamSchema = z.preprocess(
+  (val) => {
+    if (typeof val === "object" && val !== null && !Object.hasOwn(val, "method")) {
+      // eslint-disable-next-line no-param-reassign
+      (val as { method: string }).method = AwsIamAuthType.AccessKey;
+    }
+    return val;
+  },
+  z.discriminatedUnion("method", [
+    z.object({
+      method: z.literal(AwsIamAuthType.AccessKey),
+      accessKey: z.string().trim().min(1),
+      secretAccessKey: z.string().trim().min(1),
+      region: z.string().trim().min(1),
+      awsPath: z.string().trim().optional(),
+      permissionBoundaryPolicyArn: z.string().trim().optional(),
+      policyDocument: z.string().trim().optional(),
+      userGroups: z.string().trim().optional(),
+      policyArns: z.string().trim().optional(),
+      tags: ResourceMetadataSchema.optional()
+    }),
+    z.object({
+      method: z.literal(AwsIamAuthType.AssumeRole),
+      roleArn: z.string().trim().min(1, "Role ARN required"),
+      region: z.string().trim().min(1),
+      awsPath: z.string().trim().optional(),
+      permissionBoundaryPolicyArn: z.string().trim().optional(),
+      policyDocument: z.string().trim().optional(),
+      userGroups: z.string().trim().optional(),
+      policyArns: z.string().trim().optional(),
+      tags: ResourceMetadataSchema.optional()
+    })
+  ])
+);

 export const DynamicSecretMongoAtlasSchema = z.object({
  adminPublicKey: z.string().trim().min(1).describe("Admin user public api key"),
@ -282,17 +328,89 @@ export const LdapSchema = z.union([
  })
 ]);

-export const DynamicSecretKubernetesSchema = z.object({
-  url: z.string().url().trim().min(1),
-  gatewayId: z.string().nullable().optional(),
-  sslEnabled: z.boolean().default(true),
-  clusterToken: z.string().trim().min(1),
-  ca: z.string().optional(),
-  serviceAccountName: z.string().trim().min(1),
-  credentialType: z.literal(KubernetesCredentialType.Static),
-  namespace: z.string().trim().min(1),
-  audiences: z.array(z.string().trim().min(1))
-});
+export const DynamicSecretKubernetesSchema = z
+  .discriminatedUnion("credentialType", [
+    z.object({
+      url: z
+        .string()
+        .optional()
+        .refine((val: string | undefined) => !val || new RE2(/^https?:\/\/.+/).test(val), {
+          message: "Invalid URL. Must start with http:// or https:// (e.g. https://example.com)"
+        }),
+      clusterToken: z.string().trim().optional(),
+      ca: z.string().optional(),
+      sslEnabled: z.boolean().default(false),
+      credentialType: z.literal(KubernetesCredentialType.Static),
+      serviceAccountName: z.string().trim().min(1),
+      namespace: z
+        .string()
+        .trim()
+        .min(1)
+        .refine((val) => !val.includes(","), "Namespace must be a single value, not a comma-separated list")
+        .refine(
+          (val) => characterValidator([CharacterType.AlphaNumeric, CharacterType.Hyphen])(val),
+          "Invalid namespace format"
+        ),
+      gatewayId: z.string().optional(),
+      audiences: z.array(z.string().trim().min(1)),
+      authMethod: z.nativeEnum(KubernetesAuthMethod).default(KubernetesAuthMethod.Api)
+    }),
+    z.object({
+      url: z
+        .string()
+        .url()
+        .optional()
+        .refine((val: string | undefined) => !val || new RE2(/^https?:\/\/.+/).test(val), {
+          message: "Invalid URL. Must start with http:// or https:// (e.g. https://example.com)"
+        }),
+      clusterToken: z.string().trim().optional(),
+      ca: z.string().optional(),
+      sslEnabled: z.boolean().default(false),
+      credentialType: z.literal(KubernetesCredentialType.Dynamic),
+      namespace: z
+        .string()
+        .trim()
+        .min(1)
+        .refine((val) => {
+          const namespaces = val.split(",").map((ns) => ns.trim());
+          return (
+            namespaces.length > 0 &&
+            namespaces.every((ns) => ns.length > 0) &&
+            namespaces.every((ns) => characterValidator([CharacterType.AlphaNumeric, CharacterType.Hyphen])(ns))
+          );
+        }, "Must be a valid comma-separated list of namespace values"),
+      gatewayId: z.string().optional(),
+      audiences: z.array(z.string().trim().min(1)),
+      roleType: z.nativeEnum(KubernetesRoleType),
+      role: z.string().trim().min(1),
+      authMethod: z.nativeEnum(KubernetesAuthMethod).default(KubernetesAuthMethod.Api)
+    })
+  ])
+  .superRefine((data, ctx) => {
+    if (data.authMethod === KubernetesAuthMethod.Gateway && !data.gatewayId) {
+      ctx.addIssue({
+        path: ["gatewayId"],
+        code: z.ZodIssueCode.custom,
+        message: "When auth method is set to Gateway, a gateway must be selected"
+      });
+    }
+    if (data.authMethod === KubernetesAuthMethod.Api || !data.authMethod) {
+      if (!data.clusterToken) {
+        ctx.addIssue({
+          path: ["clusterToken"],
+          code: z.ZodIssueCode.custom,
+          message: "When auth method is set to Token, a cluster token must be provided"
+        });
+      }
+      if (!data.url) {
+        ctx.addIssue({
+          path: ["url"],
+          code: z.ZodIssueCode.custom,
+          message: "When auth method is set to Token, a cluster URL must be provided"
+        });
+      }
+    }
+  });

 export const DynamicSecretVerticaSchema = z.object({
  host: z.string().trim().toLowerCase(),
@ -355,6 +473,27 @@ export const DynamicSecretTotpSchema = z.discriminatedUnion("configType", [
  })
 ]);

+export const DynamicSecretGcpIamSchema = z.object({
+  serviceAccountEmail: z.string().email().trim().min(1, "Service account email required").max(128)
+});
+
+export const DynamicSecretGithubSchema = z.object({
+  appId: z.number().min(1).describe("The ID of your GitHub App."),
+  installationId: z.number().min(1).describe("The ID of the GitHub App installation."),
+  privateKey: z
+    .string()
+    .trim()
+    .min(1)
+    .refine(
+      (val) =>
+        new RE2(
+          /^-----BEGIN(?:(?: RSA| PGP| ENCRYPTED)? PRIVATE KEY)-----\s*[\s\S]*?-----END(?:(?: RSA| PGP| ENCRYPTED)? PRIVATE KEY)-----$/
+        ).test(val),
+      "Invalid PEM format for private key"
+    )
+    .describe("The private key generated for your GitHub App.")
+});
+
 export enum DynamicSecretProviders {
  SqlDatabase = "sql-database",
  Cassandra = "cassandra",
@ -372,7 +511,9 @@ export enum DynamicSecretProviders {
  Totp = "totp",
  SapAse = "sap-ase",
  Kubernetes = "kubernetes",
-  Vertica = "vertica"
+  Vertica = "vertica",
+  GcpIam = "gcp-iam",
+  Github = "github"
 }

 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@ -392,7 +533,9 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
  z.object({ type: z.literal(DynamicSecretProviders.Snowflake), inputs: DynamicSecretSnowflakeSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.Kubernetes), inputs: DynamicSecretKubernetesSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Vertica), inputs: DynamicSecretVerticaSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Vertica), inputs: DynamicSecretVerticaSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.GcpIam), inputs: DynamicSecretGcpIamSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Github), inputs: DynamicSecretGithubSchema })
 ]);

 export type TDynamicProviderFns = {
@ -400,9 +543,24 @@ export type TDynamicProviderFns = {
    inputs: unknown;
    expireAt: number;
    usernameTemplate?: string | null;
+    identity?: {
+      name: string;
+    };
+    metadata: { projectId: string };
+    config?: TDynamicSecretLeaseConfig;
  }) => Promise<{ entityId: string; data: unknown }>;
-  validateConnection: (inputs: unknown) => Promise<boolean>;
-  validateProviderInputs: (inputs: object) => Promise<unknown>;
-  revoke: (inputs: unknown, entityId: string) => Promise<{ entityId: string }>;
-  renew: (inputs: unknown, entityId: string, expireAt: number) => Promise<{ entityId: string }>;
+  validateConnection: (inputs: unknown, metadata: { projectId: string }) => Promise<boolean>;
+  validateProviderInputs: (inputs: object, metadata: { projectId: string }) => Promise<unknown>;
+  revoke: (
+    inputs: unknown,
+    entityId: string,
+    metadata: { projectId: string },
+    config?: TDynamicSecretLeaseConfig
+  ) => Promise<{ entityId: string }>;
+  renew: (
+    inputs: unknown,
+    entityId: string,
+    expireAt: number,
+    metadata: { projectId: string }
+  ) => Promise<{ entityId: string }>;
 };
--- a/backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts
@ -1,5 +1,4 @@
 import axios, { AxiosError } from "axios";
-import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

@ -7,19 +6,20 @@ import { createDigestAuthRequestInterceptor } from "@app/lib/axios/digest-auth";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { DynamicSecretMongoAtlasSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";

 const generatePassword = (size = 48) => {
  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
  return customAlphabet(charset, 48)(size);
 };

-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
  const randomUsername = alphaNumericNanoId(32);
  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
  });
 };

@ -64,12 +64,17 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
    return isConnected;
  };

-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: { name: string };
+  }) => {
+    const { inputs, expireAt, usernameTemplate, identity } = data;
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();
    const expiration = new Date(expireAt).toISOString();
    await client({
--- a/backend/src/ee/services/dynamic-secret/providers/mongo-db.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/mongo-db.ts
@ -1,4 +1,3 @@
-import handlebars from "handlebars";
 import { MongoClient } from "mongodb";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
@ -7,19 +6,20 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretMongoDBSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";

 const generatePassword = (size = 48) => {
  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
  return customAlphabet(charset, 48)(size);
 };

-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
  const randomUsername = alphaNumericNanoId(32);
  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
  });
 };

@ -60,12 +60,12 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
    return isConnected;
  };

-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
+    const { inputs, usernameTemplate, identity } = data;
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();

    const db = client.db(providerInputs.database);
--- a/backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts
@ -1,5 +1,4 @@
 import axios, { Axios } from "axios";
-import handlebars from "handlebars";
 import https from "https";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
@ -9,19 +8,20 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretRabbitMqSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";

 const generatePassword = () => {
  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
  return customAlphabet(charset, 64)();
 };

-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
  const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
  });
 };

@ -117,12 +117,12 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
    return infoResponse;
  };

-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
+    const { inputs, usernameTemplate, identity } = data;
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await $getClient(providerInputs);

-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();

    await createRabbitMqUser({
--- a/backend/src/ee/services/dynamic-secret/providers/redis.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/redis.ts
@ -9,19 +9,20 @@ import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars

 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretRedisDBSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";

 const generatePassword = () => {
  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
  return customAlphabet(charset, 64)();
 };

-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
  const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
  });
 };

@ -121,12 +122,17 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
    return pingResponse;
  };

-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: { name: string };
+  }) => {
+    const { inputs, expireAt, usernameTemplate, identity } = data;
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await $getClient(providerInputs);

-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();
    const expiration = new Date(expireAt).toISOString();

--- a/Show More
+++ b/Show More