refine docs

add linux upgrade docs
Merge pull request #3593 from Infisical/ENG-2742
2025-08-24 20:43:19 +00:00 · 2025-05-13 22:02:49 -07:00 · 2025-05-13 20:40:29 -07:00 · 2025-05-13 17:10:23 -04:00 · 2025-05-13 16:51:05 -04:00 · 2025-05-13 16:38:26 -04:00
644 changed files with 28031 additions and 9697 deletions
--- a/.infisicalignore
+++ b/.infisicalignore
@@ -28,3 +28,15 @@ frontend/src/pages/secret-manager/OverviewPage/components/SecretOverviewTableRow
 docs/cli/commands/user.mdx:generic-api-key:51
 frontend/src/pages/secret-manager/OverviewPage/components/SecretOverviewTableRow/SecretOverviewTableRow.tsx:generic-api-key:76
 docs/integrations/app-connections/hashicorp-vault.mdx:generic-api-key:188
 cli/detect/config/gitleaks.toml:gcp-api-key:567
 cli/detect/config/gitleaks.toml:gcp-api-key:569
 cli/detect/config/gitleaks.toml:gcp-api-key:570
 cli/detect/config/gitleaks.toml:gcp-api-key:572
 cli/detect/config/gitleaks.toml:gcp-api-key:574
 cli/detect/config/gitleaks.toml:gcp-api-key:575
 cli/detect/config/gitleaks.toml:gcp-api-key:576
 cli/detect/config/gitleaks.toml:gcp-api-key:577
 cli/detect/config/gitleaks.toml:gcp-api-key:578
 cli/detect/config/gitleaks.toml:gcp-api-key:579
 cli/detect/config/gitleaks.toml:gcp-api-key:581
 cli/detect/config/gitleaks.toml:gcp-api-key:582
--- a/Dockerfile.fips.standalone-infisical
+++ b/Dockerfile.fips.standalone-infisical
@@ -133,8 +133,8 @@ RUN apt-get update && apt-get install -y \
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 # Install Infisical CLI
-RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.31.1 \
+    && apt-get update && apt-get install -y infisical=0.41.2 \
    && rm -rf /var/lib/apt/lists/*
 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
@@ -171,6 +171,7 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 ENV NODE_OPTIONS="--max-old-space-size=1024"
 WORKDIR /backend
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@@ -127,8 +127,8 @@ RUN apt-get update && apt-get install -y \
    && rm -rf /var/lib/apt/lists/*
 # Install Infisical CLI
-RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.31.1 \
+    && apt-get update && apt-get install -y infisical=0.41.2 \
    && rm -rf /var/lib/apt/lists/*
 WORKDIR /
@@ -168,6 +168,7 @@ ENV HTTPS_ENABLED false
 ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
 ENV NODE_OPTIONS="--max-old-space-size=1024"
 WORKDIR /backend
--- a/backend/.eslintrc.js
+++ b/backend/.eslintrc.js
@@ -69,6 +69,15 @@ module.exports = {
          ["^\\."]
        ]
      }
    ],
    "import/extensions": [
      "error",
      "ignorePackages",
      {
        "": "never", // this is required to get the .tsx to work...
        ts: "never",
        tsx: "never"
      }
    ]
  }
 };
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -54,8 +54,8 @@ COPY --from=build /app .
 # Install Infisical CLI
 RUN apt-get install -y curl bash && \
-    curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+    curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
-    apt-get update && apt-get install -y infisical=0.8.1 git
+    apt-get update && apt-get install -y infisical=0.41.2 git
 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
  CMD node healthcheck.js
--- a/backend/Dockerfile.dev
+++ b/backend/Dockerfile.dev
@@ -55,9 +55,9 @@ RUN mkdir -p /etc/softhsm2/tokens && \
 # ? App setup
 # Install Infisical CLI
-RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
    apt-get update && \
-    apt-get install -y infisical=0.8.1
+    apt-get install -y infisical=0.41.2
 WORKDIR /app
--- a/backend/Dockerfile.dev.fips
+++ b/backend/Dockerfile.dev.fips
@@ -64,9 +64,9 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
 # ? App setup
 # Install Infisical CLI
-RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
    apt-get update && \
-    apt-get install -y infisical=0.8.1
+    apt-get install -y infisical=0.41.2
 WORKDIR /app
--- a/backend/e2e-test/mocks/keystore.ts
+++ b/backend/e2e-test/mocks/keystore.ts
@@ -1,4 +1,8 @@
 import RE2 from "re2";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { applyJitter } from "@app/lib/dates";
 import { delay as delayMs } from "@app/lib/delay";
 import { Lock } from "@app/lib/red-lock";
 export const mockKeyStore = (): TKeyStoreFactory => {
@@ -18,6 +22,27 @@ export const mockKeyStore = (): TKeyStoreFactory => {
      delete store[key];
      return 1;
    },
    deleteItems: async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }) => {
      const regex = new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
      let totalDeleted = 0;
      const keys = Object.keys(store);
      for (let i = 0; i < keys.length; i += batchSize) {
        const batch = keys.slice(i, i + batchSize);
        for (const key of batch) {
          if (regex.test(key)) {
            delete store[key];
            totalDeleted += 1;
          }
        }
        // eslint-disable-next-line no-await-in-loop
        await delayMs(Math.max(0, applyJitter(delay, jitter)));
      }
      return totalDeleted;
    },
    getItem: async (key) => {
      const value = store[key];
      if (typeof value === "string") {
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@@ -38,8 +38,8 @@
    "build:frontend": "npm run build --prefix ../frontend",
    "start": "node --enable-source-maps dist/main.mjs",
    "type:check": "tsc --noEmit",
-    "lint:fix": "eslint --fix --ext js,ts ./src",
+    "lint:fix": "node --max-old-space-size=8192 ./node_modules/.bin/eslint --fix --ext js,ts ./src",
-    "lint": "eslint 'src/**/*.ts'",
+    "lint": "node --max-old-space-size=8192 ./node_modules/.bin/eslint 'src/**/*.ts'",
    "test:unit": "vitest run -c vitest.unit.config.ts",
    "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
    "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
@@ -72,7 +72,8 @@
    "seed:new": "tsx ./scripts/create-seed-file.ts",
    "seed": "knex --knexfile ./dist/db/knexfile.ts --client pg seed:run",
    "seed-dev": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
-    "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
+    "db:reset": "npm run migration:rollback -- --all && npm run migration:latest",
    "email:dev": "email dev --dir src/services/smtp/emails"
  },
  "keywords": [],
  "author": "",
@@ -96,6 +97,7 @@
    "@types/picomatch": "^2.3.3",
    "@types/pkcs11js": "^1.0.4",
    "@types/prompt-sync": "^4.2.3",
    "@types/react": "^19.1.2",
    "@types/resolve": "^1.20.6",
    "@types/safe-regex": "^1.1.6",
    "@types/sjcl": "^1.0.34",
@@ -115,6 +117,7 @@
    "nodemon": "^3.0.2",
    "pino-pretty": "^10.2.3",
    "prompt-sync": "^4.2.0",
    "react-email": "4.0.7",
    "rimraf": "^5.0.5",
    "ts-node": "^10.9.2",
    "tsc-alias": "^1.8.8",
@@ -149,7 +152,8 @@
    "@infisical/quic": "^1.0.8",
    "@node-saml/passport-saml": "^5.0.1",
    "@octokit/auth-app": "^7.1.1",
-    "@octokit/plugin-paginate-graphql": "^5.2.4",
+    "@octokit/core": "^5.2.1",
    "@octokit/plugin-paginate-graphql": "^4.0.1",
    "@octokit/plugin-retry": "^5.0.5",
    "@octokit/rest": "^20.0.2",
    "@octokit/webhooks-types": "^7.3.1",
@@ -164,6 +168,7 @@
    "@opentelemetry/semantic-conventions": "^1.27.0",
    "@peculiar/asn1-schema": "^2.3.8",
    "@peculiar/x509": "^1.12.1",
    "@react-email/components": "0.0.36",
    "@serdnam/pino-cloudwatch-transport": "^1.0.4",
    "@sindresorhus/slugify": "1.1.0",
    "@slack/oauth": "^3.0.2",
@@ -204,6 +209,7 @@
    "mysql2": "^3.9.8",
    "nanoid": "^3.3.8",
    "nodemailer": "^6.9.9",
    "oci-sdk": "^2.108.0",
    "odbc": "^2.4.9",
    "openid-client": "^5.6.5",
    "ora": "^7.0.1",
@@ -223,6 +229,8 @@
    "posthog-node": "^3.6.2",
    "probot": "^13.3.8",
    "re2": "^1.21.4",
    "react": "19.1.0",
    "react-dom": "19.1.0",
    "safe-regex": "^2.1.1",
    "scim-patch": "^0.8.3",
    "scim2-parse-filter": "^0.2.10",
@@ -234,6 +242,6 @@
    "tweetnacl-util": "^0.15.1",
    "uuid": "^9.0.1",
    "zod": "^3.22.4",
-    "zod-to-json-schema": "^3.22.4"
+    "zod-to-json-schema": "^3.24.5"
  }
 }
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -66,17 +66,21 @@ import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-a
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
 import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
 import { TIntegrationAuthServiceFactory } from "@app/services/integration-auth/integration-auth-service";
 import { TMicrosoftTeamsServiceFactory } from "@app/services/microsoft-teams/microsoft-teams-service";
 import { TOrgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { TOrgServiceFactory } from "@app/services/org/org-service";
 import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
 import { TPkiAlertServiceFactory } from "@app/services/pki-alert/pki-alert-service";
 import { TPkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
 import { TPkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@@ -101,7 +105,6 @@ import { TUserServiceFactory } from "@app/services/user/user-service";
 import { TUserEngagementServiceFactory } from "@app/services/user-engagement/user-engagement-service";
 import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";
 import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integration/workflow-integration-service";
 import { TMicrosoftTeamsServiceFactory } from "@app/services/microsoft-teams/microsoft-teams-service";
 declare module "@fastify/request-context" {
  interface RequestContextData {
@@ -146,6 +149,13 @@ declare module "fastify" {
      providerAuthToken: string;
      externalProviderAccessToken?: string;
    };
    passportMachineIdentity: {
      identityId: string;
      user: {
        uid: string;
        mail?: string;
      };
    };
    kmipUser: {
      projectId: string;
      clientId: string;
@@ -153,7 +163,9 @@ declare module "fastify" {
    };
    auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
    ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
-    ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>>;
+    ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>> & {
      allowedFields?: TAllowedFields[];
    };
  }
  interface FastifyInstance {
@@ -199,6 +211,7 @@ declare module "fastify" {
      identityAzureAuth: TIdentityAzureAuthServiceFactory;
      identityOidcAuth: TIdentityOidcAuthServiceFactory;
      identityJwtAuth: TIdentityJwtAuthServiceFactory;
      identityLdapAuth: TIdentityLdapAuthServiceFactory;
      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
      secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
@@ -220,6 +233,7 @@ declare module "fastify" {
      certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
      certificateEst: TCertificateEstServiceFactory;
      pkiCollection: TPkiCollectionServiceFactory;
      pkiSubscriber: TPkiSubscriberServiceFactory;
      secretScanning: TSecretScanningServiceFactory;
      license: TLicenseServiceFactory;
      trustedIp: TTrustedIpServiceFactory;
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@@ -209,6 +209,9 @@ import {
  TPkiCollections,
  TPkiCollectionsInsert,
  TPkiCollectionsUpdate,
  TPkiSubscribers,
  TPkiSubscribersInsert,
  TPkiSubscribersUpdate,
  TProjectBots,
  TProjectBotsInsert,
  TProjectBotsUpdate,
@@ -432,6 +435,11 @@ import {
  TWorkflowIntegrationsInsert,
  TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
 import {
  TIdentityLdapAuths,
  TIdentityLdapAuthsInsert,
  TIdentityLdapAuthsUpdate
 } from "@app/db/schemas/identity-ldap-auths";
 import {
  TMicrosoftTeamsIntegrations,
  TMicrosoftTeamsIntegrationsInsert,
@@ -559,6 +567,11 @@ declare module "knex/types/tables" {
      TPkiCollectionItemsInsert,
      TPkiCollectionItemsUpdate
    >;
    [TableName.PkiSubscriber]: KnexOriginal.CompositeTableType<
      TPkiSubscribers,
      TPkiSubscribersInsert,
      TPkiSubscribersUpdate
    >;
    [TableName.UserGroupMembership]: KnexOriginal.CompositeTableType<
      TUserGroupMembership,
      TUserGroupMembershipInsert,
@@ -735,6 +748,11 @@ declare module "knex/types/tables" {
      TIdentityJwtAuthsInsert,
      TIdentityJwtAuthsUpdate
    >;
    [TableName.IdentityLdapAuth]: KnexOriginal.CompositeTableType<
      TIdentityLdapAuths,
      TIdentityLdapAuthsInsert,
      TIdentityLdapAuthsUpdate
    >;
    [TableName.IdentityUaClientSecret]: KnexOriginal.CompositeTableType<
      TIdentityUaClientSecrets,
      TIdentityUaClientSecretsInsert,
--- a/backend/src/db/migrations/20250429232917_store-cert-secret-key-and-chain.ts
+++ b/backend/src/db/migrations/20250429232917_store-cert-secret-key-and-chain.ts
@@ -0,0 +1,33 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasColumn(TableName.CertificateBody, "encryptedCertificateChain"))) {
    await knex.schema.alterTable(TableName.CertificateBody, (t) => {
      t.binary("encryptedCertificateChain").nullable();
    });
  }
  if (!(await knex.schema.hasTable(TableName.CertificateSecret))) {
    await knex.schema.createTable(TableName.CertificateSecret, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.timestamps(true, true, true);
      t.uuid("certId").notNullable().unique();
      t.foreign("certId").references("id").inTable(TableName.Certificate).onDelete("CASCADE");
      t.binary("encryptedPrivateKey").notNullable();
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.CertificateSecret)) {
    await knex.schema.dropTable(TableName.CertificateSecret);
  }
  if (await knex.schema.hasColumn(TableName.CertificateBody, "encryptedCertificateChain")) {
    await knex.schema.alterTable(TableName.CertificateBody, (t) => {
      t.dropColumn("encryptedCertificateChain");
    });
  }
 }
--- a/backend/src/db/migrations/20250501164905_add-groups-to-ssh-host-login-user-mappings.ts
+++ b/backend/src/db/migrations/20250501164905_add-groups-to-ssh-host-login-user-mappings.ts
@@ -0,0 +1,22 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasColumn(TableName.SshHostLoginUserMapping, "groupId"))) {
    await knex.schema.alterTable(TableName.SshHostLoginUserMapping, (t) => {
      t.uuid("groupId").nullable();
      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
      t.unique(["sshHostLoginUserId", "groupId"]);
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.SshHostLoginUserMapping, "groupId")) {
    await knex.schema.alterTable(TableName.SshHostLoginUserMapping, (t) => {
      t.dropUnique(["sshHostLoginUserId", "groupId"]);
      t.dropColumn("groupId");
    });
  }
 }
--- a/backend/src/db/migrations/20250505203703_project-templates-type-col.ts
+++ b/backend/src/db/migrations/20250505203703_project-templates-type-col.ts
@@ -0,0 +1,22 @@
 import { Knex } from "knex";
 import { ProjectType, TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasColumn(TableName.ProjectTemplates, "type"))) {
    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
      // defaulting to sm for migration to set existing, new ones will always be specified on creation
      t.string("type").defaultTo(ProjectType.SecretManager).notNullable();
      t.jsonb("environments").nullable().alter();
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.ProjectTemplates, "type")) {
    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
      t.dropColumn("type");
      // not reverting nullable environments
    });
  }
 }
--- a/backend/src/db/migrations/20250507003056_identity-ldap-auth.ts
+++ b/backend/src/db/migrations/20250507003056_identity-ldap-auth.ts
@@ -0,0 +1,39 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.IdentityLdapAuth))) {
    await knex.schema.createTable(TableName.IdentityLdapAuth, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
      t.jsonb("accessTokenTrustedIps").notNullable();
      t.uuid("identityId").notNullable().unique();
      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
      t.binary("encryptedBindDN").notNullable();
      t.binary("encryptedBindPass").notNullable();
      t.binary("encryptedLdapCaCertificate").nullable();
      t.string("url").notNullable();
      t.string("searchBase").notNullable();
      t.string("searchFilter").notNullable();
      t.jsonb("allowedFields").nullable();
      t.timestamps(true, true, true);
    });
  }
  await createOnUpdateTrigger(knex, TableName.IdentityLdapAuth);
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.dropTableIfExists(TableName.IdentityLdapAuth);
  await dropOnUpdateTrigger(knex, TableName.IdentityLdapAuth);
 }
--- a/backend/src/db/migrations/20250508160957_pki-subscriber.ts
+++ b/backend/src/db/migrations/20250508160957_pki-subscriber.ts
@@ -0,0 +1,46 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.PkiSubscriber))) {
    await knex.schema.createTable(TableName.PkiSubscriber, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.timestamps(true, true, true);
      t.string("projectId").notNullable();
      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
      t.uuid("caId").nullable();
      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("SET NULL");
      t.string("name").notNullable();
      t.string("commonName").notNullable();
      t.specificType("subjectAlternativeNames", "text[]").notNullable();
      t.string("ttl").notNullable();
      t.specificType("keyUsages", "text[]").notNullable();
      t.specificType("extendedKeyUsages", "text[]").notNullable();
      t.string("status").notNullable(); // active / disabled
      t.unique(["projectId", "name"]);
    });
    await createOnUpdateTrigger(knex, TableName.PkiSubscriber);
  }
  const hasSubscriberCol = await knex.schema.hasColumn(TableName.Certificate, "pkiSubscriberId");
  if (!hasSubscriberCol) {
    await knex.schema.alterTable(TableName.Certificate, (t) => {
      t.uuid("pkiSubscriberId").nullable();
      t.foreign("pkiSubscriberId").references("id").inTable(TableName.PkiSubscriber).onDelete("SET NULL");
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  const hasSubscriberCol = await knex.schema.hasColumn(TableName.Certificate, "pkiSubscriberId");
  if (hasSubscriberCol) {
    await knex.schema.alterTable(TableName.Certificate, (t) => {
      t.dropColumn("pkiSubscriberId");
    });
  }
  await knex.schema.dropTableIfExists(TableName.PkiSubscriber);
  await dropOnUpdateTrigger(knex, TableName.PkiSubscriber);
 }
--- a/backend/src/db/schemas/certificate-bodies.ts
+++ b/backend/src/db/schemas/certificate-bodies.ts
@@ -14,7 +14,8 @@ export const CertificateBodiesSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  certId: z.string().uuid(),
-  encryptedCertificate: zodBuffer
+  encryptedCertificate: zodBuffer,
  encryptedCertificateChain: zodBuffer.nullable().optional()
 });
 export type TCertificateBodies = z.infer<typeof CertificateBodiesSchema>;
--- a/backend/src/db/schemas/certificate-secrets.ts
+++ b/backend/src/db/schemas/certificate-secrets.ts
@@ -5,6 +5,8 @@
 import { z } from "zod";
 import { zodBuffer } from "@app/lib/zod";
 import { TImmutableDBKeys } from "./models";
 export const CertificateSecretsSchema = z.object({
@@ -12,8 +14,7 @@ export const CertificateSecretsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  certId: z.string().uuid(),
-  pk: z.string(),
+  encryptedPrivateKey: zodBuffer
  sk: z.string()
 });
 export type TCertificateSecrets = z.infer<typeof CertificateSecretsSchema>;
--- a/backend/src/db/schemas/certificates.ts
+++ b/backend/src/db/schemas/certificates.ts
@@ -24,7 +24,8 @@ export const CertificatesSchema = z.object({
  caCertId: z.string().uuid(),
  certificateTemplateId: z.string().uuid().nullable().optional(),
  keyUsages: z.string().array().nullable().optional(),
-  extendedKeyUsages: z.string().array().nullable().optional()
+  extendedKeyUsages: z.string().array().nullable().optional(),
  pkiSubscriberId: z.string().uuid().nullable().optional()
 });
 export type TCertificates = z.infer<typeof CertificatesSchema>;
--- a/backend/src/db/schemas/identity-ldap-auths.ts
+++ b/backend/src/db/schemas/identity-ldap-auths.ts
@@ -0,0 +1,32 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { zodBuffer } from "@app/lib/zod";
 import { TImmutableDBKeys } from "./models";
 export const IdentityLdapAuthsSchema = z.object({
  id: z.string().uuid(),
  accessTokenTTL: z.coerce.number().default(7200),
  accessTokenMaxTTL: z.coerce.number().default(7200),
  accessTokenNumUsesLimit: z.coerce.number().default(0),
  accessTokenTrustedIps: z.unknown(),
  identityId: z.string().uuid(),
  encryptedBindDN: zodBuffer,
  encryptedBindPass: zodBuffer,
  encryptedLdapCaCertificate: zodBuffer.nullable().optional(),
  url: z.string(),
  searchBase: z.string(),
  searchFilter: z.string(),
  allowedFields: z.unknown().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TIdentityLdapAuths = z.infer<typeof IdentityLdapAuthsSchema>;
 export type TIdentityLdapAuthsInsert = Omit<z.input<typeof IdentityLdapAuthsSchema>, TImmutableDBKeys>;
 export type TIdentityLdapAuthsUpdate = Partial<Omit<z.input<typeof IdentityLdapAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@@ -69,6 +69,7 @@ export * from "./organizations";
 export * from "./pki-alerts";
 export * from "./pki-collection-items";
 export * from "./pki-collections";
 export * from "./pki-subscribers";
 export * from "./project-bots";
 export * from "./project-environments";
 export * from "./project-gateways";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@@ -21,6 +21,7 @@ export enum TableName {
  CertificateBody = "certificate_bodies",
  CertificateSecret = "certificate_secrets",
  CertificateTemplate = "certificate_templates",
  PkiSubscriber = "pki_subscribers",
  PkiAlert = "pki_alerts",
  PkiCollection = "pki_collections",
  PkiCollectionItem = "pki_collection_items",
@@ -80,6 +81,7 @@ export enum TableName {
  IdentityAwsAuth = "identity_aws_auths",
  IdentityOidcAuth = "identity_oidc_auths",
  IdentityJwtAuth = "identity_jwt_auths",
  IdentityLdapAuth = "identity_ldap_auths",
  IdentityOrgMembership = "identity_org_memberships",
  IdentityProjectMembership = "identity_project_memberships",
  IdentityProjectMembershipRole = "identity_project_membership_role",
@@ -185,11 +187,16 @@ export enum OrgMembershipStatus {
 }
 export enum ProjectMembershipRole {
  // general
  Admin = "admin",
  Member = "member",
  Custom = "custom",
  Viewer = "viewer",
-  NoAccess = "no-access"
+  NoAccess = "no-access",
  // ssh
  SshHostBootstrapper = "ssh-host-bootstrapper",
  // kms
  KmsCryptographicOperator = "cryptographic-operator"
 }
 export enum SecretEncryptionAlgo {
@@ -227,7 +234,8 @@ export enum IdentityAuthMethod {
  AWS_AUTH = "aws-auth",
  AZURE_AUTH = "azure-auth",
  OIDC_AUTH = "oidc-auth",
-  JWT_AUTH = "jwt-auth"
+  JWT_AUTH = "jwt-auth",
  LDAP_AUTH = "ldap-auth"
 }
 export enum ProjectType {
--- a/backend/src/db/schemas/pki-subscribers.ts
+++ b/backend/src/db/schemas/pki-subscribers.ts
@@ -0,0 +1,27 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const PkiSubscribersSchema = z.object({
  id: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  projectId: z.string(),
  caId: z.string().uuid().nullable().optional(),
  name: z.string(),
  commonName: z.string(),
  subjectAlternativeNames: z.string().array(),
  ttl: z.string(),
  keyUsages: z.string().array(),
  extendedKeyUsages: z.string().array(),
  status: z.string()
 });
 export type TPkiSubscribers = z.infer<typeof PkiSubscribersSchema>;
 export type TPkiSubscribersInsert = Omit<z.input<typeof PkiSubscribersSchema>, TImmutableDBKeys>;
 export type TPkiSubscribersUpdate = Partial<Omit<z.input<typeof PkiSubscribersSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/project-templates.ts
+++ b/backend/src/db/schemas/project-templates.ts
@@ -12,10 +12,11 @@ export const ProjectTemplatesSchema = z.object({
  name: z.string(),
  description: z.string().nullable().optional(),
  roles: z.unknown(),
-  environments: z.unknown(),
+  environments: z.unknown().nullable().optional(),
  orgId: z.string().uuid(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
  type: z.string().default("secret-manager")
 });
 export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@@ -27,7 +27,7 @@ export const ProjectsSchema = z.object({
  description: z.string().nullable().optional(),
  type: z.string(),
  enforceCapitalization: z.boolean().default(false),
-  hasDeleteProtection: z.boolean().default(true).nullable().optional()
+  hasDeleteProtection: z.boolean().default(false).nullable().optional()
 });
 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/ssh-host-login-user-mappings.ts
+++ b/backend/src/db/schemas/ssh-host-login-user-mappings.ts
@@ -12,7 +12,8 @@ export const SshHostLoginUserMappingsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  sshHostLoginUserId: z.string().uuid(),
-  userId: z.string().uuid().nullable().optional()
+  userId: z.string().uuid().nullable().optional(),
  groupId: z.string().uuid().nullable().optional()
 });
 export type TSshHostLoginUserMappings = z.infer<typeof SshHostLoginUserMappingsSchema>;
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";
 import { AccessApprovalRequestsReviewersSchema, AccessApprovalRequestsSchema, UsersSchema } from "@app/db/schemas";
 import { ApprovalStatus } from "@app/ee/services/access-approval-request/access-approval-request-types";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -18,6 +19,9 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
  server.route({
    url: "/",
    method: "POST",
    config: {
      rateLimit: writeLimit
    },
    schema: {
      body: z.object({
        permissions: z.any().array(),
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@@ -98,6 +98,9 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/login",
    method: "POST",
    config: {
      rateLimit: writeLimit
    },
    schema: {
      body: z.object({
        organizationSlug: z.string().trim()
--- a/backend/src/ee/routes/v1/project-template-router.ts
+++ b/backend/src/ee/routes/v1/project-template-router.ts
@@ -1,9 +1,8 @@
 import { z } from "zod";
-import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectTemplatesSchema, ProjectType } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
 import { ApiDocsTags, ProjectTemplates } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -35,6 +34,7 @@ const SanitizedProjectTemplateSchema = ProjectTemplatesSchema.extend({
      position: z.number().min(1)
    })
    .array()
    .nullable()
 });
 const ProjectTemplateRolesSchema = z
@@ -104,6 +104,9 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      hide: false,
      tags: [ApiDocsTags.ProjectTemplates],
      description: "List project templates for the current organization.",
      querystring: z.object({
        type: z.nativeEnum(ProjectType).optional().describe(ProjectTemplates.LIST.type)
      }),
      response: {
        200: z.object({
          projectTemplates: SanitizedProjectTemplateSchema.array()
@@ -112,7 +115,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
+      const { type } = req.query;
      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission, type);
      const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
@@ -184,6 +188,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      tags: [ApiDocsTags.ProjectTemplates],
      description: "Create a project template.",
      body: z.object({
        type: z.nativeEnum(ProjectType).describe(ProjectTemplates.CREATE.type),
        name: slugSchema({ field: "name" })
          .refine((val) => !isInfisicalProjectTemplate(val), {
            message: `The requested project template name is reserved.`
@@ -191,9 +196,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
          .describe(ProjectTemplates.CREATE.name),
        description: z.string().max(256).trim().optional().describe(ProjectTemplates.CREATE.description),
        roles: ProjectTemplateRolesSchema.default([]).describe(ProjectTemplates.CREATE.roles),
-        environments: ProjectTemplateEnvironmentsSchema.default(ProjectTemplateDefaultEnvironments).describe(
+        environments: ProjectTemplateEnvironmentsSchema.describe(ProjectTemplates.CREATE.environments).optional()
          ProjectTemplates.CREATE.environments
        )
      }),
      response: {
        200: z.object({
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@@ -166,6 +166,9 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/redirect/saml2/organizations/:orgSlug",
    method: "GET",
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        orgSlug: z.string().trim()
@@ -192,6 +195,9 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/redirect/saml2/:samlConfigId",
    method: "GET",
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        samlConfigId: z.string().trim()
@@ -218,6 +224,9 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/saml2/:samlConfigId",
    method: "POST",
    config: {
      rateLimit: writeLimit
    },
    schema: {
      params: z.object({
        samlConfigId: z.string().trim()
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@@ -196,6 +196,9 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/Users",
    method: "POST",
    config: {
      rateLimit: writeLimit
    },
    schema: {
      body: z.object({
        schemas: z.array(z.string()),
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@@ -1,11 +1,11 @@
 import { z } from "zod";
 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
 import { canUseSecretScanning } from "@app/ee/services/secret-scanning/secret-scanning-fns";
 import {
  SecretScanningResolvedStatus,
  SecretScanningRiskStatus
 } from "@app/ee/services/secret-scanning/secret-scanning-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -23,14 +23,14 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      body: z.object({ organizationId: z.string().trim() }),
      response: {
        200: z.object({
-          sessionId: z.string()
+          sessionId: z.string(),
          gitAppSlug: z.string()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
-      const appCfg = getConfig();
+      if (!canUseSecretScanning(req.auth.orgId)) {
      if (!appCfg.SECRET_SCANNING_ORG_WHITELIST?.includes(req.auth.orgId)) {
        throw new BadRequestError({
          message: "Secret scanning is temporarily unavailable."
        });
--- a/backend/src/ee/routes/v1/ssh-host-router.ts
+++ b/backend/src/ee/routes/v1/ssh-host-router.ts
@@ -73,7 +73,7 @@ export const registerSshHostRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const host = await server.services.sshHost.getSshHost({
+      const host = await server.services.sshHost.getSshHostById({
        sshHostId: req.params.sshHostId,
        actor: req.permission.type,
        actorId: req.permission.id,
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -19,9 +19,10 @@ import { TProjectPermission } from "@app/lib/types";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { TCreateAppConnectionDTO, TUpdateAppConnectionDTO } from "@app/services/app-connection/app-connection-types";
 import { ActorType } from "@app/services/auth/auth-type";
-import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
+import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
 import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
 import {
@@ -119,44 +120,60 @@ export enum EventType {
  CREATE_TOKEN_IDENTITY_TOKEN_AUTH = "create-token-identity-token-auth",
  UPDATE_TOKEN_IDENTITY_TOKEN_AUTH = "update-token-identity-token-auth",
  GET_TOKENS_IDENTITY_TOKEN_AUTH = "get-tokens-identity-token-auth",
  ADD_IDENTITY_TOKEN_AUTH = "add-identity-token-auth",
  UPDATE_IDENTITY_TOKEN_AUTH = "update-identity-token-auth",
  GET_IDENTITY_TOKEN_AUTH = "get-identity-token-auth",
  REVOKE_IDENTITY_TOKEN_AUTH = "revoke-identity-token-auth",
  LOGIN_IDENTITY_KUBERNETES_AUTH = "login-identity-kubernetes-auth",
  ADD_IDENTITY_KUBERNETES_AUTH = "add-identity-kubernetes-auth",
  UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
  GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
  REVOKE_IDENTITY_KUBERNETES_AUTH = "revoke-identity-kubernetes-auth",
  LOGIN_IDENTITY_OIDC_AUTH = "login-identity-oidc-auth",
  ADD_IDENTITY_OIDC_AUTH = "add-identity-oidc-auth",
  UPDATE_IDENTITY_OIDC_AUTH = "update-identity-oidc-auth",
  GET_IDENTITY_OIDC_AUTH = "get-identity-oidc-auth",
  REVOKE_IDENTITY_OIDC_AUTH = "revoke-identity-oidc-auth",
  LOGIN_IDENTITY_JWT_AUTH = "login-identity-jwt-auth",
  ADD_IDENTITY_JWT_AUTH = "add-identity-jwt-auth",
  UPDATE_IDENTITY_JWT_AUTH = "update-identity-jwt-auth",
  GET_IDENTITY_JWT_AUTH = "get-identity-jwt-auth",
  REVOKE_IDENTITY_JWT_AUTH = "revoke-identity-jwt-auth",
  CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
  REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID = "get-identity-universal-auth-client-secret-by-id",
  LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
  ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
  UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
  REVOKE_IDENTITY_GCP_AUTH = "revoke-identity-gcp-auth",
  GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
  LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
  REVOKE_IDENTITY_AWS_AUTH = "revoke-identity-aws-auth",
  GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
  LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
  ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
  UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
  GET_IDENTITY_AZURE_AUTH = "get-identity-azure-auth",
  REVOKE_IDENTITY_AZURE_AUTH = "revoke-identity-azure-auth",
  LOGIN_IDENTITY_LDAP_AUTH = "login-identity-ldap-auth",
  ADD_IDENTITY_LDAP_AUTH = "add-identity-ldap-auth",
  UPDATE_IDENTITY_LDAP_AUTH = "update-identity-ldap-auth",
  GET_IDENTITY_LDAP_AUTH = "get-identity-ldap-auth",
  REVOKE_IDENTITY_LDAP_AUTH = "revoke-identity-ldap-auth",
  CREATE_ENVIRONMENT = "create-environment",
  UPDATE_ENVIRONMENT = "update-environment",
  DELETE_ENVIRONMENT = "delete-environment",
@@ -224,6 +241,8 @@ export enum EventType {
  DELETE_CERT = "delete-cert",
  REVOKE_CERT = "revoke-cert",
  GET_CERT_BODY = "get-cert-body",
  GET_CERT_PRIVATE_KEY = "get-cert-private-key",
  GET_CERT_BUNDLE = "get-cert-bundle",
  CREATE_PKI_ALERT = "create-pki-alert",
  GET_PKI_ALERT = "get-pki-alert",
  UPDATE_PKI_ALERT = "update-pki-alert",
@@ -235,6 +254,13 @@ export enum EventType {
  GET_PKI_COLLECTION_ITEMS = "get-pki-collection-items",
  ADD_PKI_COLLECTION_ITEM = "add-pki-collection-item",
  DELETE_PKI_COLLECTION_ITEM = "delete-pki-collection-item",
  CREATE_PKI_SUBSCRIBER = "create-pki-subscriber",
  UPDATE_PKI_SUBSCRIBER = "update-pki-subscriber",
  DELETE_PKI_SUBSCRIBER = "delete-pki-subscriber",
  GET_PKI_SUBSCRIBER = "get-pki-subscriber",
  ISSUE_PKI_SUBSCRIBER_CERT = "issue-pki-subscriber-cert",
  SIGN_PKI_SUBSCRIBER_CERT = "sign-pki-subscriber-cert",
  LIST_PKI_SUBSCRIBER_CERTS = "list-pki-subscriber-certs",
  CREATE_KMS = "create-kms",
  UPDATE_KMS = "update-kms",
  DELETE_KMS = "delete-kms",
@@ -1032,6 +1058,55 @@ interface GetIdentityAzureAuthEvent {
  };
 }
 interface LoginIdentityLdapAuthEvent {
  type: EventType.LOGIN_IDENTITY_LDAP_AUTH;
  metadata: {
    identityId: string;
    ldapUsername: string;
    ldapEmail?: string;
  };
 }
 interface AddIdentityLdapAuthEvent {
  type: EventType.ADD_IDENTITY_LDAP_AUTH;
  metadata: {
    identityId: string;
    accessTokenTTL?: number;
    accessTokenMaxTTL?: number;
    accessTokenNumUsesLimit?: number;
    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
    allowedFields?: TAllowedFields[];
    url: string;
  };
 }
 interface UpdateIdentityLdapAuthEvent {
  type: EventType.UPDATE_IDENTITY_LDAP_AUTH;
  metadata: {
    identityId: string;
    accessTokenTTL?: number;
    accessTokenMaxTTL?: number;
    accessTokenNumUsesLimit?: number;
    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
    allowedFields?: TAllowedFields[];
    url?: string;
  };
 }
 interface GetIdentityLdapAuthEvent {
  type: EventType.GET_IDENTITY_LDAP_AUTH;
  metadata: {
    identityId: string;
  };
 }
 interface RevokeIdentityLdapAuthEvent {
  type: EventType.REVOKE_IDENTITY_LDAP_AUTH;
  metadata: {
    identityId: string;
  };
 }
 interface LoginIdentityOidcAuthEvent {
  type: EventType.LOGIN_IDENTITY_OIDC_AUTH;
  metadata: {
@@ -1790,6 +1865,24 @@ interface GetCertBody {
  };
 }
 interface GetCertPrivateKey {
  type: EventType.GET_CERT_PRIVATE_KEY;
  metadata: {
    certId: string;
    cn: string;
    serialNumber: string;
  };
 }
 interface GetCertBundle {
  type: EventType.GET_CERT_BUNDLE;
  metadata: {
    certId: string;
    cn: string;
    serialNumber: string;
  };
 }
 interface CreatePkiAlert {
  type: EventType.CREATE_PKI_ALERT;
  metadata: {
@@ -1879,6 +1972,77 @@ interface DeletePkiCollectionItem {
  };
 }
 interface CreatePkiSubscriber {
  type: EventType.CREATE_PKI_SUBSCRIBER;
  metadata: {
    pkiSubscriberId: string;
    caId?: string;
    name: string;
    commonName: string;
    ttl: string;
    subjectAlternativeNames: string[];
    keyUsages: CertKeyUsage[];
    extendedKeyUsages: CertExtendedKeyUsage[];
  };
 }
 interface UpdatePkiSubscriber {
  type: EventType.UPDATE_PKI_SUBSCRIBER;
  metadata: {
    pkiSubscriberId: string;
    caId?: string;
    name?: string;
    commonName?: string;
    ttl?: string;
    subjectAlternativeNames?: string[];
    keyUsages?: CertKeyUsage[];
    extendedKeyUsages?: CertExtendedKeyUsage[];
  };
 }
 interface DeletePkiSubscriber {
  type: EventType.DELETE_PKI_SUBSCRIBER;
  metadata: {
    pkiSubscriberId: string;
    name: string;
  };
 }
 interface GetPkiSubscriber {
  type: EventType.GET_PKI_SUBSCRIBER;
  metadata: {
    pkiSubscriberId: string;
    name: string;
  };
 }
 interface IssuePkiSubscriberCert {
  type: EventType.ISSUE_PKI_SUBSCRIBER_CERT;
  metadata: {
    subscriberId: string;
    name: string;
    serialNumber: string;
  };
 }
 interface SignPkiSubscriberCert {
  type: EventType.SIGN_PKI_SUBSCRIBER_CERT;
  metadata: {
    subscriberId: string;
    name: string;
    serialNumber: string;
  };
 }
 interface ListPkiSubscriberCerts {
  type: EventType.LIST_PKI_SUBSCRIBER_CERTS;
  metadata: {
    subscriberId: string;
    name: string;
    projectId: string;
  };
 }
 interface CreateKmsEvent {
  type: EventType.CREATE_KMS;
  metadata: {
@@ -2765,6 +2929,11 @@ export type Event =
  | UpdateIdentityJwtAuthEvent
  | GetIdentityJwtAuthEvent
  | DeleteIdentityJwtAuthEvent
  | LoginIdentityLdapAuthEvent
  | AddIdentityLdapAuthEvent
  | UpdateIdentityLdapAuthEvent
  | GetIdentityLdapAuthEvent
  | RevokeIdentityLdapAuthEvent
  | CreateEnvironmentEvent
  | GetEnvironmentEvent
  | UpdateEnvironmentEvent
@@ -2824,6 +2993,8 @@ export type Event =
  | DeleteCert
  | RevokeCert
  | GetCertBody
  | GetCertPrivateKey
  | GetCertBundle
  | CreatePkiAlert
  | GetPkiAlert
  | UpdatePkiAlert
@@ -2835,6 +3006,13 @@ export type Event =
  | GetPkiCollectionItems
  | AddPkiCollectionItem
  | DeletePkiCollectionItem
  | CreatePkiSubscriber
  | UpdatePkiSubscriber
  | DeletePkiSubscriber
  | GetPkiSubscriber
  | IssuePkiSubscriberCert
  | SignPkiSubscriberCert
  | ListPkiSubscriberCerts
  | CreateKmsEvent
  | UpdateKmsEvent
  | DeleteKmsEvent
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts
@@ -24,8 +24,16 @@ export const verifyHostInputValidity = async (host: string, isGateway = false) =
      if (net.isIPv4(el)) {
        exclusiveIps.push(el);
      } else {
        try {
          const resolvedIps = await dns.resolve4(el);
          exclusiveIps.push(...resolvedIps);
        } catch (error) {
          // only try lookup if not found
          if ((error as { code: string })?.code !== "ENOTFOUND") throw error;
          const resolvedIps = (await dns.lookup(el, { all: true, family: 4 })).map(({ address }) => address);
          exclusiveIps.push(...resolvedIps);
        }
      }
    }
  }
@@ -38,8 +46,16 @@ export const verifyHostInputValidity = async (host: string, isGateway = false) =
    if (normalizedHost === "localhost" || normalizedHost === "host.docker.internal") {
      throw new BadRequestError({ message: "Invalid db host" });
    }
    try {
      const resolvedIps = await dns.resolve4(host);
      inputHostIps.push(...resolvedIps);
    } catch (error) {
      // only try lookup if not found
      if ((error as { code: string })?.code !== "ENOTFOUND") throw error;
      const resolvedIps = (await dns.lookup(host, { all: true, family: 4 })).map(({ address }) => address);
      inputHostIps.push(...resolvedIps);
    }
  }
  if (!isGateway && !(appCfg.DYNAMIC_SECRET_ALLOW_INTERNAL_IP || appCfg.ALLOW_INTERNAL_IP_CONNECTIONS)) {
--- a/backend/src/ee/services/github-org-sync/github-org-sync-service.ts
+++ b/backend/src/ee/services/github-org-sync/github-org-sync-service.ts
@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { Octokit } from "@octokit/core";
-import { paginateGraphQL } from "@octokit/plugin-paginate-graphql";
+import { paginateGraphql } from "@octokit/plugin-paginate-graphql";
 import { Octokit as OctokitRest } from "@octokit/rest";
 import { OrgMembershipRole } from "@app/db/schemas";
@@ -18,7 +18,7 @@ import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TGithubOrgSyncDALFactory } from "./github-org-sync-dal";
 import { TCreateGithubOrgSyncDTO, TDeleteGithubOrgSyncDTO, TUpdateGithubOrgSyncDTO } from "./github-org-sync-types";
-const OctokitWithPlugin = Octokit.plugin(paginateGraphQL);
+const OctokitWithPlugin = Octokit.plugin(paginateGraphql);
 type TGithubOrgSyncServiceFactoryDep = {
  githubOrgSyncDAL: TGithubOrgSyncDALFactory;
--- a/backend/src/ee/services/group/group-dal.ts
+++ b/backend/src/ee/services/group/group-dal.ts
@@ -157,10 +157,23 @@ export const groupDALFactory = (db: TDbClient) => {
    }
  };
  const findGroupsByProjectId = async (projectId: string, tx?: Knex) => {
    try {
      const docs = await (tx || db.replicaNode())(TableName.Groups)
        .join(TableName.GroupProjectMembership, `${TableName.Groups}.id`, `${TableName.GroupProjectMembership}.groupId`)
        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
        .select(selectAllTableCols(TableName.Groups));
      return docs;
    } catch (error) {
      throw new DatabaseError({ error, name: "Find groups by project id" });
    }
  };
  return {
    findGroups,
    findByOrgId,
    findAllGroupPossibleMembers,
    findGroupsByProjectId,
    ...groupOrm
  };
 };
--- a/backend/src/ee/services/group/user-group-membership-dal.ts
+++ b/backend/src/ee/services/group/user-group-membership-dal.ts
@@ -176,7 +176,8 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
          db.ref("name").withSchema(TableName.Groups).as("groupName"),
          db.ref("id").withSchema(TableName.OrgMembership).as("orgMembershipId"),
          db.ref("firstName").withSchema(TableName.Users).as("firstName"),
-          db.ref("lastName").withSchema(TableName.Users).as("lastName")
+          db.ref("lastName").withSchema(TableName.Users).as("lastName"),
          db.ref("slug").withSchema(TableName.Groups).as("groupSlug")
        );
      return docs;
--- a/backend/src/ee/services/ldap-config/ldap-config-types.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-types.ts
@@ -14,6 +14,11 @@ export type TLDAPConfig = {
  caCert: string;
 };
 export type TTestLDAPConfigDTO = Omit<
  TLDAPConfig,
  "organization" | "id" | "groupSearchBase" | "groupSearchFilter" | "isActive" | "uniqueUserAttribute" | "searchBase"
 >;
 export type TCreateLdapCfgDTO = {
  orgId: string;
  isActive: boolean;
--- a/backend/src/ee/services/ldap-config/ldap-fns.ts
+++ b/backend/src/ee/services/ldap-config/ldap-fns.ts
@@ -2,15 +2,14 @@ import ldapjs from "ldapjs";
 import { logger } from "@app/lib/logger";
-import { TLDAPConfig } from "./ldap-config-types";
+import { TLDAPConfig, TTestLDAPConfigDTO } from "./ldap-config-types";
 export const isValidLdapFilter = (filter: string) => {
  try {
    ldapjs.parseFilter(filter);
    return true;
  } catch (error) {
-    logger.error("Invalid LDAP filter");
+    logger.error(error, "Invalid LDAP filter");
    logger.error(error);
    return false;
  }
 };
@@ -20,7 +19,7 @@ export const isValidLdapFilter = (filter: string) => {
 * @param ldapConfig - The LDAP configuration to test
 * @returns {Boolean} isConnected - Whether or not the connection was successful
 */
-export const testLDAPConfig = async (ldapConfig: TLDAPConfig): Promise<boolean> => {
+export const testLDAPConfig = async (ldapConfig: TTestLDAPConfigDTO): Promise<boolean> => {
  return new Promise((resolve) => {
    const ldapClient = ldapjs.createClient({
      url: ldapConfig.url,
--- a/backend/src/ee/services/permission/default-roles.ts
+++ b/backend/src/ee/services/permission/default-roles.ts
@@ -0,0 +1,462 @@
 import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability";
 import {
  ProjectPermissionActions,
  ProjectPermissionCertificateActions,
  ProjectPermissionCmekActions,
  ProjectPermissionDynamicSecretActions,
  ProjectPermissionGroupActions,
  ProjectPermissionIdentityActions,
  ProjectPermissionKmipActions,
  ProjectPermissionMemberActions,
  ProjectPermissionPkiSubscriberActions,
  ProjectPermissionSecretActions,
  ProjectPermissionSecretRotationActions,
  ProjectPermissionSecretSyncActions,
  ProjectPermissionSet,
  ProjectPermissionSshHostActions,
  ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
 const buildAdminPermissionRules = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
  // Admins get full access to everything
  [
    ProjectPermissionSub.SecretFolders,
    ProjectPermissionSub.SecretImports,
    ProjectPermissionSub.SecretApproval,
    ProjectPermissionSub.Role,
    ProjectPermissionSub.Integrations,
    ProjectPermissionSub.Webhooks,
    ProjectPermissionSub.ServiceTokens,
    ProjectPermissionSub.Settings,
    ProjectPermissionSub.Environments,
    ProjectPermissionSub.Tags,
    ProjectPermissionSub.AuditLogs,
    ProjectPermissionSub.IpAllowList,
    ProjectPermissionSub.CertificateAuthorities,
    ProjectPermissionSub.CertificateTemplates,
    ProjectPermissionSub.PkiAlerts,
    ProjectPermissionSub.PkiCollections,
    ProjectPermissionSub.SshCertificateAuthorities,
    ProjectPermissionSub.SshCertificates,
    ProjectPermissionSub.SshCertificateTemplates,
    ProjectPermissionSub.SshHostGroups
  ].forEach((el) => {
    can(
      [
        ProjectPermissionActions.Read,
        ProjectPermissionActions.Edit,
        ProjectPermissionActions.Create,
        ProjectPermissionActions.Delete
      ],
      el
    );
  });
  can(
    [
      ProjectPermissionCertificateActions.Read,
      ProjectPermissionCertificateActions.Edit,
      ProjectPermissionCertificateActions.Create,
      ProjectPermissionCertificateActions.Delete,
      ProjectPermissionCertificateActions.ReadPrivateKey
    ],
    ProjectPermissionSub.Certificates
  );
  can(
    [
      ProjectPermissionSshHostActions.Edit,
      ProjectPermissionSshHostActions.Read,
      ProjectPermissionSshHostActions.Create,
      ProjectPermissionSshHostActions.Delete,
      ProjectPermissionSshHostActions.IssueHostCert
    ],
    ProjectPermissionSub.SshHosts
  );
  can(
    [
      ProjectPermissionPkiSubscriberActions.Edit,
      ProjectPermissionPkiSubscriberActions.Read,
      ProjectPermissionPkiSubscriberActions.Create,
      ProjectPermissionPkiSubscriberActions.Delete,
      ProjectPermissionPkiSubscriberActions.IssueCert,
      ProjectPermissionPkiSubscriberActions.ListCerts
    ],
    ProjectPermissionSub.PkiSubscribers
  );
  can(
    [
      ProjectPermissionMemberActions.Create,
      ProjectPermissionMemberActions.Edit,
      ProjectPermissionMemberActions.Delete,
      ProjectPermissionMemberActions.Read,
      ProjectPermissionMemberActions.GrantPrivileges,
      ProjectPermissionMemberActions.AssumePrivileges
    ],
    ProjectPermissionSub.Member
  );
  can(
    [
      ProjectPermissionGroupActions.Create,
      ProjectPermissionGroupActions.Edit,
      ProjectPermissionGroupActions.Delete,
      ProjectPermissionGroupActions.Read,
      ProjectPermissionGroupActions.GrantPrivileges
    ],
    ProjectPermissionSub.Groups
  );
  can(
    [
      ProjectPermissionIdentityActions.Create,
      ProjectPermissionIdentityActions.Edit,
      ProjectPermissionIdentityActions.Delete,
      ProjectPermissionIdentityActions.Read,
      ProjectPermissionIdentityActions.GrantPrivileges,
      ProjectPermissionIdentityActions.AssumePrivileges
    ],
    ProjectPermissionSub.Identity
  );
  can(
    [
      ProjectPermissionSecretActions.DescribeAndReadValue,
      ProjectPermissionSecretActions.DescribeSecret,
      ProjectPermissionSecretActions.ReadValue,
      ProjectPermissionSecretActions.Create,
      ProjectPermissionSecretActions.Edit,
      ProjectPermissionSecretActions.Delete
    ],
    ProjectPermissionSub.Secrets
  );
  can(
    [
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      ProjectPermissionDynamicSecretActions.EditRootCredential,
      ProjectPermissionDynamicSecretActions.CreateRootCredential,
      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
      ProjectPermissionDynamicSecretActions.Lease
    ],
    ProjectPermissionSub.DynamicSecrets
  );
  can([ProjectPermissionActions.Edit, ProjectPermissionActions.Delete], ProjectPermissionSub.Project);
  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
  can([ProjectPermissionActions.Edit], ProjectPermissionSub.Kms);
  can(
    [
      ProjectPermissionCmekActions.Create,
      ProjectPermissionCmekActions.Edit,
      ProjectPermissionCmekActions.Delete,
      ProjectPermissionCmekActions.Read,
      ProjectPermissionCmekActions.Encrypt,
      ProjectPermissionCmekActions.Decrypt,
      ProjectPermissionCmekActions.Sign,
      ProjectPermissionCmekActions.Verify
    ],
    ProjectPermissionSub.Cmek
  );
  can(
    [
      ProjectPermissionSecretSyncActions.Create,
      ProjectPermissionSecretSyncActions.Edit,
      ProjectPermissionSecretSyncActions.Delete,
      ProjectPermissionSecretSyncActions.Read,
      ProjectPermissionSecretSyncActions.SyncSecrets,
      ProjectPermissionSecretSyncActions.ImportSecrets,
      ProjectPermissionSecretSyncActions.RemoveSecrets
    ],
    ProjectPermissionSub.SecretSyncs
  );
  can(
    [
      ProjectPermissionKmipActions.CreateClients,
      ProjectPermissionKmipActions.UpdateClients,
      ProjectPermissionKmipActions.DeleteClients,
      ProjectPermissionKmipActions.ReadClients,
      ProjectPermissionKmipActions.GenerateClientCertificates
    ],
    ProjectPermissionSub.Kmip
  );
  can(
    [
      ProjectPermissionSecretRotationActions.Create,
      ProjectPermissionSecretRotationActions.Edit,
      ProjectPermissionSecretRotationActions.Delete,
      ProjectPermissionSecretRotationActions.Read,
      ProjectPermissionSecretRotationActions.ReadGeneratedCredentials,
      ProjectPermissionSecretRotationActions.RotateSecrets
    ],
    ProjectPermissionSub.SecretRotation
  );
  return rules;
 };
 const buildMemberPermissionRules = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
  can(
    [
      ProjectPermissionSecretActions.DescribeAndReadValue,
      ProjectPermissionSecretActions.DescribeSecret,
      ProjectPermissionSecretActions.ReadValue,
      ProjectPermissionSecretActions.Edit,
      ProjectPermissionSecretActions.Create,
      ProjectPermissionSecretActions.Delete
    ],
    ProjectPermissionSub.Secrets
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.SecretFolders
  );
  can(
    [
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      ProjectPermissionDynamicSecretActions.EditRootCredential,
      ProjectPermissionDynamicSecretActions.CreateRootCredential,
      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
      ProjectPermissionDynamicSecretActions.Lease
    ],
    ProjectPermissionSub.DynamicSecrets
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.SecretImports
  );
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
  can([ProjectPermissionSecretRotationActions.Read], ProjectPermissionSub.SecretRotation);
  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
  can([ProjectPermissionMemberActions.Read, ProjectPermissionMemberActions.Create], ProjectPermissionSub.Member);
  can([ProjectPermissionGroupActions.Read], ProjectPermissionSub.Groups);
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Integrations
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Webhooks
  );
  can(
    [
      ProjectPermissionIdentityActions.Read,
      ProjectPermissionIdentityActions.Edit,
      ProjectPermissionIdentityActions.Create,
      ProjectPermissionIdentityActions.Delete
    ],
    ProjectPermissionSub.Identity
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.ServiceTokens
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Settings
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Environments
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Tags
  );
  can([ProjectPermissionActions.Read], ProjectPermissionSub.Role);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.AuditLogs);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.IpAllowList);
  // double check if all CRUD are needed for CA and Certificates
  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateAuthorities);
  can(
    [
      ProjectPermissionCertificateActions.Read,
      ProjectPermissionCertificateActions.Edit,
      ProjectPermissionCertificateActions.Create,
      ProjectPermissionCertificateActions.Delete
    ],
    ProjectPermissionSub.Certificates
  );
  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateTemplates);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificates);
  can([ProjectPermissionActions.Create], ProjectPermissionSub.SshCertificates);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateTemplates);
  can([ProjectPermissionSshHostActions.Read], ProjectPermissionSub.SshHosts);
  can([ProjectPermissionPkiSubscriberActions.Read], ProjectPermissionSub.PkiSubscribers);
  can(
    [
      ProjectPermissionCmekActions.Create,
      ProjectPermissionCmekActions.Edit,
      ProjectPermissionCmekActions.Delete,
      ProjectPermissionCmekActions.Read,
      ProjectPermissionCmekActions.Encrypt,
      ProjectPermissionCmekActions.Decrypt,
      ProjectPermissionCmekActions.Sign,
      ProjectPermissionCmekActions.Verify
    ],
    ProjectPermissionSub.Cmek
  );
  can(
    [
      ProjectPermissionSecretSyncActions.Create,
      ProjectPermissionSecretSyncActions.Edit,
      ProjectPermissionSecretSyncActions.Delete,
      ProjectPermissionSecretSyncActions.Read,
      ProjectPermissionSecretSyncActions.SyncSecrets,
      ProjectPermissionSecretSyncActions.ImportSecrets,
      ProjectPermissionSecretSyncActions.RemoveSecrets
    ],
    ProjectPermissionSub.SecretSyncs
  );
  return rules;
 };
 const buildViewerPermissionRules = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
  can(ProjectPermissionSecretActions.DescribeAndReadValue, ProjectPermissionSub.Secrets);
  can(ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSub.Secrets);
  can(ProjectPermissionSecretActions.ReadValue, ProjectPermissionSub.Secrets);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
  can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
  can(ProjectPermissionSecretRotationActions.Read, ProjectPermissionSub.SecretRotation);
  can(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
  can(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks);
  can(ProjectPermissionIdentityActions.Read, ProjectPermissionSub.Identity);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
  can(ProjectPermissionCertificateActions.Read, ProjectPermissionSub.Certificates);
  can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
  can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);
  return rules;
 };
 const buildNoAccessProjectPermission = () => {
  const { rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
  return rules;
 };
 const buildSshHostBootstrapPermissionRules = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
  can(
    [ProjectPermissionSshHostActions.Create, ProjectPermissionSshHostActions.IssueHostCert],
    ProjectPermissionSub.SshHosts
  );
  return rules;
 };
 const buildCryptographicOperatorPermissionRules = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
  can(
    [
      ProjectPermissionCmekActions.Encrypt,
      ProjectPermissionCmekActions.Decrypt,
      ProjectPermissionCmekActions.Sign,
      ProjectPermissionCmekActions.Verify
    ],
    ProjectPermissionSub.Cmek
  );
  return rules;
 };
 // General
 export const projectAdminPermissions = buildAdminPermissionRules();
 export const projectMemberPermissions = buildMemberPermissionRules();
 export const projectViewerPermission = buildViewerPermissionRules();
 export const projectNoAccessPermissions = buildNoAccessProjectPermission();
 // SSH
 export const sshHostBootstrapPermissions = buildSshHostBootstrapPermissionRules();
 // KMS
 export const cryptographicOperatorPermissions = buildCryptographicOperatorPermissionRules();
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@@ -132,7 +132,7 @@ export const permissionDALFactory = (db: TDbClient) => {
    }
  };
-  const getProjectGroupPermissions = async (projectId: string) => {
+  const getProjectGroupPermissions = async (projectId: string, filterGroupId?: string) => {
    try {
      const docs = await db
        .replicaNode()(TableName.GroupProjectMembership)
@@ -148,6 +148,11 @@ export const permissionDALFactory = (db: TDbClient) => {
          `groupCustomRoles.id`
        )
        .where(`${TableName.GroupProjectMembership}.projectId`, "=", projectId)
        .where((bd) => {
          if (filterGroupId) {
            void bd.where(`${TableName.GroupProjectMembership}.groupId`, "=", filterGroupId);
          }
        })
        .select(
          db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
          db.ref("id").withSchema(TableName.Groups).as("groupId"),
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@@ -12,6 +12,14 @@ import {
  TIdentityProjectMemberships,
  TProjectMemberships
 } from "@app/db/schemas";
 import {
  cryptographicOperatorPermissions,
  projectAdminPermissions,
  projectMemberPermissions,
  projectNoAccessPermissions,
  projectViewerPermission,
  sshHostBootstrapPermissions
 } from "@app/ee/services/permission/default-roles";
 import { conditionsMatcher } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { objectify } from "@app/lib/fn";
@@ -32,14 +40,7 @@ import {
  TGetServiceTokenProjectPermissionArg,
  TGetUserProjectPermissionArg
 } from "./permission-service-types";
-import {
+import { buildServiceTokenProjectPermission, ProjectPermissionSet } from "./project-permission";
  buildServiceTokenProjectPermission,
  projectAdminPermissions,
  projectMemberPermissions,
  projectNoAccessPermissions,
  ProjectPermissionSet,
  projectViewerPermission
 } from "./project-permission";
 type TPermissionServiceFactoryDep = {
  orgRoleDAL: Pick<TOrgRoleDALFactory, "findOne">;
@@ -95,6 +96,10 @@ export const permissionServiceFactory = ({
            return projectViewerPermission;
          case ProjectMembershipRole.NoAccess:
            return projectNoAccessPermissions;
          case ProjectMembershipRole.SshHostBootstrapper:
            return sshHostBootstrapPermissions;
          case ProjectMembershipRole.KmsCryptographicOperator:
            return cryptographicOperatorPermissions;
          case ProjectMembershipRole.Custom: {
            return unpackRules<RawRuleOf<MongoAbility<ProjectPermissionSet>>>(
              permissions as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[]
@@ -625,6 +630,34 @@ export const permissionServiceFactory = ({
    return { permission };
  };
  const checkGroupProjectPermission = async ({
    groupId,
    projectId,
    checkPermissions
  }: {
    groupId: string;
    projectId: string;
    checkPermissions: ProjectPermissionSet;
  }) => {
    const rawGroupProjectPermissions = await permissionDAL.getProjectGroupPermissions(projectId, groupId);
    const groupPermissions = rawGroupProjectPermissions.map((groupProjectPermission) => {
      const rolePermissions =
        groupProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
      const rules = buildProjectPermissionRules(rolePermissions);
      const permission = createMongoAbility<ProjectPermissionSet>(rules, {
        conditionsMatcher
      });
      return {
        permission,
        id: groupProjectPermission.groupId,
        name: groupProjectPermission.username,
        membershipId: groupProjectPermission.id
      };
    });
    return groupPermissions.some((groupPermission) => groupPermission.permission.can(...checkPermissions));
  };
  return {
    getUserOrgPermission,
    getOrgPermission,
@@ -634,6 +667,7 @@ export const permissionServiceFactory = ({
    getOrgPermissionByRole,
    getProjectPermissionByRole,
    buildOrgPermission,
-    buildProjectPermissionRules
+    buildProjectPermissionRules,
    checkGroupProjectPermission
  };
 };
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -17,6 +17,14 @@ export enum ProjectPermissionActions {
  Delete = "delete"
 }
 export enum ProjectPermissionCertificateActions {
  Read = "read",
  Create = "create",
  Edit = "edit",
  Delete = "delete",
  ReadPrivateKey = "read-private-key"
 }
 export enum ProjectPermissionSecretActions {
  DescribeAndReadValue = "read",
  DescribeSecret = "describeSecret",
@@ -79,6 +87,15 @@ export enum ProjectPermissionSshHostActions {
  IssueHostCert = "issue-host-cert"
 }
 export enum ProjectPermissionPkiSubscriberActions {
  Read = "read",
  Create = "create",
  Edit = "edit",
  Delete = "delete",
  IssueCert = "issue-cert",
  ListCerts = "list-certs"
 }
 export enum ProjectPermissionSecretSyncActions {
  Read = "read",
  Create = "create",
@@ -135,6 +152,7 @@ export enum ProjectPermissionSub {
  SshCertificateTemplates = "ssh-certificate-templates",
  SshHosts = "ssh-hosts",
  SshHostGroups = "ssh-host-groups",
  PkiSubscribers = "pki-subscribers",
  PkiAlerts = "pki-alerts",
  PkiCollections = "pki-collections",
  Kms = "kms",
@@ -182,6 +200,11 @@ export type SshHostSubjectFields = {
  hostname: string;
 };
 export type PkiSubscriberSubjectFields = {
  name: string;
  // (dangtony98): consider adding [commonName] as a subject field in the future
 };
 export type ProjectPermissionSet =
  | [
      ProjectPermissionSecretActions,
@@ -232,7 +255,7 @@ export type ProjectPermissionSet =
      ProjectPermissionSub.Identity | (ForcedSubject<ProjectPermissionSub.Identity> & IdentityManagementSubjectFields)
    ]
  | [ProjectPermissionActions, ProjectPermissionSub.CertificateAuthorities]
-  | [ProjectPermissionActions, ProjectPermissionSub.Certificates]
+  | [ProjectPermissionCertificateActions, ProjectPermissionSub.Certificates]
  | [ProjectPermissionActions, ProjectPermissionSub.CertificateTemplates]
  | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateAuthorities]
  | [ProjectPermissionActions, ProjectPermissionSub.SshCertificates]
@@ -241,6 +264,13 @@ export type ProjectPermissionSet =
      ProjectPermissionSshHostActions,
      ProjectPermissionSub.SshHosts | (ForcedSubject<ProjectPermissionSub.SshHosts> & SshHostSubjectFields)
    ]
  | [
      ProjectPermissionPkiSubscriberActions,
      (
        | ProjectPermissionSub.PkiSubscribers
        | (ForcedSubject<ProjectPermissionSub.PkiSubscribers> & PkiSubscriberSubjectFields)
      )
    ]
  | [ProjectPermissionActions, ProjectPermissionSub.SshHostGroups]
  | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
  | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
@@ -391,6 +421,21 @@ const SshHostConditionSchema = z
  })
  .partial();
 const PkiSubscriberConditionSchema = z
  .object({
    name: z.union([
      z.string(),
      z
        .object({
          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB],
          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
        })
        .partial()
    ])
  })
  .partial();
 const GeneralPermissionSchema = [
  z.object({
    subject: z.literal(ProjectPermissionSub.SecretApproval).describe("The entity this permission pertains to."),
@@ -478,7 +523,7 @@ const GeneralPermissionSchema = [
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.Certificates).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCertificateActions).describe(
      "Describe what action an entity can take."
    )
  }),
@@ -655,6 +700,16 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
      "When specified, only matching conditions will be allowed to access given resource."
    ).optional()
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.PkiSubscribers).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionPkiSubscriberActions).describe(
      "Describe what action an entity can take."
    ),
    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
    conditions: PkiSubscriberConditionSchema.describe(
      "When specified, only matching conditions will be allowed to access given resource."
    ).optional()
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.SecretRotation).describe("The entity this permission pertains to."),
    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
@@ -670,393 +725,6 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
 export type TProjectPermissionV2Schema = z.infer<typeof ProjectPermissionV2Schema>;
 const buildAdminPermissionRules = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
  // Admins get full access to everything
  [
    ProjectPermissionSub.SecretFolders,
    ProjectPermissionSub.SecretImports,
    ProjectPermissionSub.SecretApproval,
    ProjectPermissionSub.Role,
    ProjectPermissionSub.Integrations,
    ProjectPermissionSub.Webhooks,
    ProjectPermissionSub.ServiceTokens,
    ProjectPermissionSub.Settings,
    ProjectPermissionSub.Environments,
    ProjectPermissionSub.Tags,
    ProjectPermissionSub.AuditLogs,
    ProjectPermissionSub.IpAllowList,
    ProjectPermissionSub.CertificateAuthorities,
    ProjectPermissionSub.Certificates,
    ProjectPermissionSub.CertificateTemplates,
    ProjectPermissionSub.PkiAlerts,
    ProjectPermissionSub.PkiCollections,
    ProjectPermissionSub.SshCertificateAuthorities,
    ProjectPermissionSub.SshCertificates,
    ProjectPermissionSub.SshCertificateTemplates,
    ProjectPermissionSub.SshHostGroups
  ].forEach((el) => {
    can(
      [
        ProjectPermissionActions.Read,
        ProjectPermissionActions.Edit,
        ProjectPermissionActions.Create,
        ProjectPermissionActions.Delete
      ],
      el
    );
  });
  can(
    [
      ProjectPermissionSshHostActions.Edit,
      ProjectPermissionSshHostActions.Read,
      ProjectPermissionSshHostActions.Create,
      ProjectPermissionSshHostActions.Delete,
      ProjectPermissionSshHostActions.IssueHostCert
    ],
    ProjectPermissionSub.SshHosts
  );
  can(
    [
      ProjectPermissionMemberActions.Create,
      ProjectPermissionMemberActions.Edit,
      ProjectPermissionMemberActions.Delete,
      ProjectPermissionMemberActions.Read,
      ProjectPermissionMemberActions.GrantPrivileges,
      ProjectPermissionMemberActions.AssumePrivileges
    ],
    ProjectPermissionSub.Member
  );
  can(
    [
      ProjectPermissionGroupActions.Create,
      ProjectPermissionGroupActions.Edit,
      ProjectPermissionGroupActions.Delete,
      ProjectPermissionGroupActions.Read,
      ProjectPermissionGroupActions.GrantPrivileges
    ],
    ProjectPermissionSub.Groups
  );
  can(
    [
      ProjectPermissionIdentityActions.Create,
      ProjectPermissionIdentityActions.Edit,
      ProjectPermissionIdentityActions.Delete,
      ProjectPermissionIdentityActions.Read,
      ProjectPermissionIdentityActions.GrantPrivileges,
      ProjectPermissionIdentityActions.AssumePrivileges
    ],
    ProjectPermissionSub.Identity
  );
  can(
    [
      ProjectPermissionSecretActions.DescribeAndReadValue,
      ProjectPermissionSecretActions.DescribeSecret,
      ProjectPermissionSecretActions.ReadValue,
      ProjectPermissionSecretActions.Create,
      ProjectPermissionSecretActions.Edit,
      ProjectPermissionSecretActions.Delete
    ],
    ProjectPermissionSub.Secrets
  );
  can(
    [
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      ProjectPermissionDynamicSecretActions.EditRootCredential,
      ProjectPermissionDynamicSecretActions.CreateRootCredential,
      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
      ProjectPermissionDynamicSecretActions.Lease
    ],
    ProjectPermissionSub.DynamicSecrets
  );
  can([ProjectPermissionActions.Edit, ProjectPermissionActions.Delete], ProjectPermissionSub.Project);
  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
  can([ProjectPermissionActions.Edit], ProjectPermissionSub.Kms);
  can(
    [
      ProjectPermissionCmekActions.Create,
      ProjectPermissionCmekActions.Edit,
      ProjectPermissionCmekActions.Delete,
      ProjectPermissionCmekActions.Read,
      ProjectPermissionCmekActions.Encrypt,
      ProjectPermissionCmekActions.Decrypt,
      ProjectPermissionCmekActions.Sign,
      ProjectPermissionCmekActions.Verify
    ],
    ProjectPermissionSub.Cmek
  );
  can(
    [
      ProjectPermissionSecretSyncActions.Create,
      ProjectPermissionSecretSyncActions.Edit,
      ProjectPermissionSecretSyncActions.Delete,
      ProjectPermissionSecretSyncActions.Read,
      ProjectPermissionSecretSyncActions.SyncSecrets,
      ProjectPermissionSecretSyncActions.ImportSecrets,
      ProjectPermissionSecretSyncActions.RemoveSecrets
    ],
    ProjectPermissionSub.SecretSyncs
  );
  can(
    [
      ProjectPermissionKmipActions.CreateClients,
      ProjectPermissionKmipActions.UpdateClients,
      ProjectPermissionKmipActions.DeleteClients,
      ProjectPermissionKmipActions.ReadClients,
      ProjectPermissionKmipActions.GenerateClientCertificates
    ],
    ProjectPermissionSub.Kmip
  );
  can(
    [
      ProjectPermissionSecretRotationActions.Create,
      ProjectPermissionSecretRotationActions.Edit,
      ProjectPermissionSecretRotationActions.Delete,
      ProjectPermissionSecretRotationActions.Read,
      ProjectPermissionSecretRotationActions.ReadGeneratedCredentials,
      ProjectPermissionSecretRotationActions.RotateSecrets
    ],
    ProjectPermissionSub.SecretRotation
  );
  return rules;
 };
 export const projectAdminPermissions = buildAdminPermissionRules();
 const buildMemberPermissionRules = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
  can(
    [
      ProjectPermissionSecretActions.DescribeAndReadValue,
      ProjectPermissionSecretActions.DescribeSecret,
      ProjectPermissionSecretActions.ReadValue,
      ProjectPermissionSecretActions.Edit,
      ProjectPermissionSecretActions.Create,
      ProjectPermissionSecretActions.Delete
    ],
    ProjectPermissionSub.Secrets
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.SecretFolders
  );
  can(
    [
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      ProjectPermissionDynamicSecretActions.EditRootCredential,
      ProjectPermissionDynamicSecretActions.CreateRootCredential,
      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
      ProjectPermissionDynamicSecretActions.Lease
    ],
    ProjectPermissionSub.DynamicSecrets
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.SecretImports
  );
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
  can([ProjectPermissionSecretRotationActions.Read], ProjectPermissionSub.SecretRotation);
  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
  can([ProjectPermissionMemberActions.Read, ProjectPermissionMemberActions.Create], ProjectPermissionSub.Member);
  can([ProjectPermissionGroupActions.Read], ProjectPermissionSub.Groups);
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Integrations
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Webhooks
  );
  can(
    [
      ProjectPermissionIdentityActions.Read,
      ProjectPermissionIdentityActions.Edit,
      ProjectPermissionIdentityActions.Create,
      ProjectPermissionIdentityActions.Delete
    ],
    ProjectPermissionSub.Identity
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.ServiceTokens
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Settings
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Environments
  );
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Tags
  );
  can([ProjectPermissionActions.Read], ProjectPermissionSub.Role);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.AuditLogs);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.IpAllowList);
  // double check if all CRUD are needed for CA and Certificates
  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateAuthorities);
  can(
    [
      ProjectPermissionActions.Read,
      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Certificates
  );
  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateTemplates);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificates);
  can([ProjectPermissionActions.Create], ProjectPermissionSub.SshCertificates);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateTemplates);
  can([ProjectPermissionSshHostActions.Read], ProjectPermissionSub.SshHosts);
  can(
    [
      ProjectPermissionCmekActions.Create,
      ProjectPermissionCmekActions.Edit,
      ProjectPermissionCmekActions.Delete,
      ProjectPermissionCmekActions.Read,
      ProjectPermissionCmekActions.Encrypt,
      ProjectPermissionCmekActions.Decrypt,
      ProjectPermissionCmekActions.Sign,
      ProjectPermissionCmekActions.Verify
    ],
    ProjectPermissionSub.Cmek
  );
  can(
    [
      ProjectPermissionSecretSyncActions.Create,
      ProjectPermissionSecretSyncActions.Edit,
      ProjectPermissionSecretSyncActions.Delete,
      ProjectPermissionSecretSyncActions.Read,
      ProjectPermissionSecretSyncActions.SyncSecrets,
      ProjectPermissionSecretSyncActions.ImportSecrets,
      ProjectPermissionSecretSyncActions.RemoveSecrets
    ],
    ProjectPermissionSub.SecretSyncs
  );
  return rules;
 };
 export const projectMemberPermissions = buildMemberPermissionRules();
 const buildViewerPermissionRules = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
  can(ProjectPermissionSecretActions.DescribeAndReadValue, ProjectPermissionSub.Secrets);
  can(ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSub.Secrets);
  can(ProjectPermissionSecretActions.ReadValue, ProjectPermissionSub.Secrets);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
  can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
  can(ProjectPermissionSecretRotationActions.Read, ProjectPermissionSub.SecretRotation);
  can(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
  can(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks);
  can(ProjectPermissionIdentityActions.Read, ProjectPermissionSub.Identity);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);
  can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
  can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);
  return rules;
 };
 export const projectViewerPermission = buildViewerPermissionRules();
 const buildNoAccessProjectPermission = () => {
  const { rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
  return rules;
 };
 export const buildServiceTokenProjectPermission = (
  scopes: Array<{ secretPath: string; environment: string }>,
  permission: string[]
@@ -1098,8 +766,6 @@ export const buildServiceTokenProjectPermission = (
  return build({ conditionsMatcher });
 };
 export const projectNoAccessPermissions = buildNoAccessProjectPermission();
 /* eslint-disable */
 /**
--- a/backend/src/ee/services/project-template/project-template-fns.ts
+++ b/backend/src/ee/services/project-template/project-template-fns.ts
@@ -1,22 +1,27 @@
-import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
+import { ProjectType } from "@app/db/schemas";
 import {
  InfisicalProjectTemplate,
  TUnpackedPermission
 } from "@app/ee/services/project-template/project-template-types";
 import { getPredefinedRoles } from "@app/services/project-role/project-role-fns";
-export const getDefaultProjectTemplate = (orgId: string) => ({
+import { ProjectTemplateDefaultEnvironments } from "./project-template-constants";
 export const getDefaultProjectTemplate = (orgId: string, type: ProjectType) => ({
  id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // random ID to appease zod
  type,
  name: InfisicalProjectTemplate.Default,
  createdAt: new Date(),
  updatedAt: new Date(),
-  description: "Infisical's default project template",
+  description: `Infisical's ${type} default project template`,
-  environments: ProjectTemplateDefaultEnvironments,
+  environments: type === ProjectType.SecretManager ? ProjectTemplateDefaultEnvironments : null,
-  roles: [...getPredefinedRoles("project-template")].map(({ name, slug, permissions }) => ({
+  roles: [...getPredefinedRoles({ projectId: "project-template", projectType: type })].map(
    ({ name, slug, permissions }) => ({
      name,
      slug,
      permissions: permissions as TUnpackedPermission[]
-  })),
+    })
  ),
  orgId
 });
--- a/backend/src/ee/services/project-template/project-template-service.ts
+++ b/backend/src/ee/services/project-template/project-template-service.ts
@@ -1,10 +1,11 @@
 import { ForbiddenError } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
-import { TProjectTemplates } from "@app/db/schemas";
+import { ProjectType, TProjectTemplates } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
 import { getDefaultProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
 import {
  TCreateProjectTemplateDTO,
@@ -32,11 +33,13 @@ const $unpackProjectTemplate = ({ roles, environments, ...rest }: TProjectTempla
  ...rest,
  environments: environments as TProjectTemplateEnvironment[],
  roles: [
-    ...getPredefinedRoles("project-template").map(({ name, slug, permissions }) => ({
+    ...getPredefinedRoles({ projectId: "project-template", projectType: rest.type as ProjectType }).map(
      ({ name, slug, permissions }) => ({
        name,
        slug,
        permissions: permissions as TUnpackedPermission[]
-    })),
+      })
    ),
    ...(roles as TProjectTemplateRole[]).map((role) => ({
      ...role,
      permissions: unpackPermissions(role.permissions)
@@ -49,7 +52,7 @@ export const projectTemplateServiceFactory = ({
  permissionService,
  projectTemplateDAL
 }: TProjectTemplatesServiceFactoryDep) => {
-  const listProjectTemplatesByOrg = async (actor: OrgServiceActor) => {
+  const listProjectTemplatesByOrg = async (actor: OrgServiceActor, type?: ProjectType) => {
    const plan = await licenseService.getPlan(actor.orgId);
    if (!plan.projectTemplates)
@@ -68,11 +71,14 @@ export const projectTemplateServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
    const projectTemplates = await projectTemplateDAL.find({
-      orgId: actor.orgId
+      orgId: actor.orgId,
      ...(type ? { type } : {})
    });
    return [
-      getDefaultProjectTemplate(actor.orgId),
+      ...(type
        ? [getDefaultProjectTemplate(actor.orgId, type)]
        : Object.values(ProjectType).map((projectType) => getDefaultProjectTemplate(actor.orgId, projectType))),
      ...projectTemplates.map((template) => $unpackProjectTemplate(template))
    ];
  };
@@ -134,7 +140,7 @@ export const projectTemplateServiceFactory = ({
  };
  const createProjectTemplate = async (
-    { roles, environments, ...params }: TCreateProjectTemplateDTO,
+    { roles, environments, type, ...params }: TCreateProjectTemplateDTO,
    actor: OrgServiceActor
  ) => {
    const plan = await licenseService.getPlan(actor.orgId);
@@ -154,6 +160,17 @@ export const projectTemplateServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
    if (environments && type !== ProjectType.SecretManager) {
      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
    }
    if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
      throw new BadRequestError({
        // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
        message: `Failed to create project template due to environment count exceeding your current limit of ${plan.environmentLimit}. Contact Infisical to increase limit.`
      });
    }
    const isConflictingName = Boolean(
      await projectTemplateDAL.findOne({
        name: params.name,
@@ -169,8 +186,10 @@ export const projectTemplateServiceFactory = ({
    const projectTemplate = await projectTemplateDAL.create({
      ...params,
      roles: JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) }))),
-      environments: JSON.stringify(environments),
+      environments:
-      orgId: actor.orgId
+        type === ProjectType.SecretManager ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
      orgId: actor.orgId,
      type
    });
    return $unpackProjectTemplate(projectTemplate);
@@ -202,6 +221,19 @@ export const projectTemplateServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
    if (projectTemplate.type !== ProjectType.SecretManager && environments)
      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
    if (projectTemplate.type === ProjectType.SecretManager && environments === null)
      throw new BadRequestError({ message: "Environments cannot be removed for SecretManager project templates" });
    if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
      throw new BadRequestError({
        // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
        message: `Failed to update project template due to environment count exceeding your current limit of ${plan.environmentLimit}. Contact Infisical to increase limit.`
      });
    }
    if (params.name && projectTemplate.name !== params.name) {
      const isConflictingName = Boolean(
        await projectTemplateDAL.findOne({
--- a/backend/src/ee/services/project-template/project-template-types.ts
+++ b/backend/src/ee/services/project-template/project-template-types.ts
@@ -1,6 +1,6 @@
 import { z } from "zod";
-import { TProjectEnvironments } from "@app/db/schemas";
+import { ProjectType, TProjectEnvironments } from "@app/db/schemas";
 import { TProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
@@ -15,8 +15,9 @@ export type TProjectTemplateRole = {
 export type TCreateProjectTemplateDTO = {
  name: string;
  description?: string;
  type: ProjectType;
  roles: TProjectTemplateRole[];
-  environments: TProjectTemplateEnvironment[];
+  environments?: TProjectTemplateEnvironment[] | null;
 };
 export type TUpdateProjectTemplateDTO = Partial<TCreateProjectTemplateDTO>;
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
@@ -334,7 +334,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          db.ref("secretId").withSchema(TableName.SecretApprovalRequestSecret).as("commitSecretId"),
          db.ref("id").withSchema(TableName.SecretApprovalRequestSecret).as("commitId"),
          db.raw(
-            `DENSE_RANK() OVER (partition by ${TableName.Environment}."projectId" ORDER BY ${TableName.SecretApprovalRequest}."id" DESC) as rank`
+            `DENSE_RANK() OVER (PARTITION BY ${TableName.Environment}."projectId" ORDER BY ${TableName.SecretApprovalRequest}."createdAt" DESC) as rank`
          ),
          db.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
          db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
@@ -483,7 +483,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          db.ref("secretId").withSchema(TableName.SecretApprovalRequestSecretV2).as("commitSecretId"),
          db.ref("id").withSchema(TableName.SecretApprovalRequestSecretV2).as("commitId"),
          db.raw(
-            `DENSE_RANK() OVER (partition by ${TableName.Environment}."projectId" ORDER BY ${TableName.SecretApprovalRequest}."id" DESC) as rank`
+            `DENSE_RANK() OVER (PARTITION BY ${TableName.Environment}."projectId" ORDER BY ${TableName.SecretApprovalRequest}."createdAt" DESC) as rank`
          ),
          db.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
          db.ref("allowedSelfApprovals").withSchema(TableName.SecretApprovalPolicy).as("policyAllowedSelfApprovals"),
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts
@@ -219,7 +219,7 @@ export const parseRotationErrorMessage = (err: unknown): string => {
  if (err instanceof AxiosError) {
    errorMessage += err?.response?.data
      ? JSON.stringify(err?.response?.data)
-      : err?.message ?? "An unknown error occurred.";
+      : (err?.message ?? "An unknown error occurred.");
  } else {
    errorMessage += (err as Error)?.message || "An unknown error occurred.";
  }
--- a/backend/src/ee/services/secret-scanning/secret-scanning-fns.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-fns.ts
@@ -0,0 +1,11 @@
 import { getConfig } from "@app/lib/config/env";
 export const canUseSecretScanning = (orgId: string) => {
  const appCfg = getConfig();
  if (!appCfg.isCloud) {
    return true;
  }
  return appCfg.SECRET_SCANNING_ORG_WHITELIST?.includes(orgId);
 };
--- a/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
@@ -12,6 +12,7 @@ import { NotFoundError } from "@app/lib/errors";
 import { TGitAppDALFactory } from "./git-app-dal";
 import { TGitAppInstallSessionDALFactory } from "./git-app-install-session-dal";
 import { TSecretScanningDALFactory } from "./secret-scanning-dal";
 import { canUseSecretScanning } from "./secret-scanning-fns";
 import { TSecretScanningQueueFactory } from "./secret-scanning-queue";
 import {
  SecretScanningRiskStatus,
@@ -47,12 +48,14 @@ export const secretScanningServiceFactory = ({
    actorAuthMethod,
    actorOrgId
  }: TInstallAppSessionDTO) => {
    const appCfg = getConfig();
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.SecretScanning);
    const sessionId = crypto.randomBytes(16).toString("hex");
    await gitAppInstallSessionDAL.upsert({ orgId, sessionId, userId: actorId });
-    return { sessionId };
+    return { sessionId, gitAppSlug: appCfg.SECRET_SCANNING_GIT_APP_SLUG };
  };
  const linkInstallationToOrg = async ({
@@ -91,7 +94,8 @@ export const secretScanningServiceFactory = ({
    const {
      data: { repositories }
    } = await octokit.apps.listReposAccessibleToInstallation();
-    if (appCfg.SECRET_SCANNING_ORG_WHITELIST?.includes(actorOrgId)) {
+
    if (canUseSecretScanning(actorOrgId)) {
      await Promise.all(
        repositories.map(({ id, full_name }) =>
          secretScanningQueue.startFullRepoScan({
@@ -102,6 +106,7 @@ export const secretScanningServiceFactory = ({
        )
      );
    }
    return { installatedApp };
  };
@@ -164,7 +169,6 @@ export const secretScanningServiceFactory = ({
  };
  const handleRepoPushEvent = async (payload: WebhookEventMap["push"]) => {
    const appCfg = getConfig();
    const { commits, repository, installation, pusher } = payload;
    if (!commits || !repository || !installation || !pusher) {
      return;
@@ -175,7 +179,7 @@ export const secretScanningServiceFactory = ({
    });
    if (!installationLink) return;
-    if (appCfg.SECRET_SCANNING_ORG_WHITELIST?.includes(installationLink.orgId)) {
+    if (canUseSecretScanning(installationLink.orgId)) {
      await secretScanningQueue.startPushEventScan({
        commits,
        pusher: { name: pusher.name, email: pusher.email },
--- a/backend/src/ee/services/ssh-host-group/ssh-host-group-dal.ts
+++ b/backend/src/ee/services/ssh-host-group/ssh-host-group-dal.ts
@@ -28,6 +28,7 @@ export const sshHostGroupDALFactory = (db: TDbClient) => {
          `${TableName.SshHostLoginUserMapping}.sshHostLoginUserId`
        )
        .leftJoin(TableName.Users, `${TableName.SshHostLoginUserMapping}.userId`, `${TableName.Users}.id`)
        .leftJoin(TableName.Groups, `${TableName.SshHostLoginUserMapping}.groupId`, `${TableName.Groups}.id`)
        .where(`${TableName.SshHostGroup}.projectId`, projectId)
        .select(
          db.ref("id").withSchema(TableName.SshHostGroup).as("sshHostGroupId"),
@@ -35,7 +36,8 @@ export const sshHostGroupDALFactory = (db: TDbClient) => {
          db.ref("name").withSchema(TableName.SshHostGroup),
          db.ref("loginUser").withSchema(TableName.SshHostLoginUser),
          db.ref("username").withSchema(TableName.Users),
-          db.ref("userId").withSchema(TableName.SshHostLoginUserMapping)
+          db.ref("userId").withSchema(TableName.SshHostLoginUserMapping),
          db.ref("slug").withSchema(TableName.Groups).as("groupSlug")
        )
        .orderBy(`${TableName.SshHostGroup}.updatedAt`, "desc");
@@ -69,7 +71,8 @@ export const sshHostGroupDALFactory = (db: TDbClient) => {
        const loginMappings = Object.entries(loginMappingGrouped).map(([loginUser, entries]) => ({
          loginUser,
          allowedPrincipals: {
-            usernames: unique(entries.map((e) => e.username)).filter(Boolean)
+            usernames: unique(entries.map((e) => e.username)).filter(Boolean),
            groups: unique(entries.map((e) => e.groupSlug)).filter(Boolean)
          }
        }));
        return {
@@ -99,6 +102,7 @@ export const sshHostGroupDALFactory = (db: TDbClient) => {
          `${TableName.SshHostLoginUserMapping}.sshHostLoginUserId`
        )
        .leftJoin(TableName.Users, `${TableName.SshHostLoginUserMapping}.userId`, `${TableName.Users}.id`)
        .leftJoin(TableName.Groups, `${TableName.SshHostLoginUserMapping}.groupId`, `${TableName.Groups}.id`)
        .where(`${TableName.SshHostGroup}.id`, sshHostGroupId)
        .select(
          db.ref("id").withSchema(TableName.SshHostGroup).as("sshHostGroupId"),
@@ -106,7 +110,8 @@ export const sshHostGroupDALFactory = (db: TDbClient) => {
          db.ref("name").withSchema(TableName.SshHostGroup),
          db.ref("loginUser").withSchema(TableName.SshHostLoginUser),
          db.ref("username").withSchema(TableName.Users),
-          db.ref("userId").withSchema(TableName.SshHostLoginUserMapping)
+          db.ref("userId").withSchema(TableName.SshHostLoginUserMapping),
          db.ref("slug").withSchema(TableName.Groups).as("groupSlug")
        );
      if (rows.length === 0) return null;
@@ -121,7 +126,8 @@ export const sshHostGroupDALFactory = (db: TDbClient) => {
      const loginMappings = Object.entries(loginMappingGrouped).map(([loginUser, entries]) => ({
        loginUser,
        allowedPrincipals: {
-          usernames: unique(entries.map((e) => e.username)).filter(Boolean)
+          usernames: unique(entries.map((e) => e.username)).filter(Boolean),
          groups: unique(entries.map((e) => e.groupSlug)).filter(Boolean)
        }
      }));
--- a/backend/src/ee/services/ssh-host-group/ssh-host-group-service.ts
+++ b/backend/src/ee/services/ssh-host-group/ssh-host-group-service.ts
@@ -12,6 +12,7 @@ import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { createSshLoginMappings } from "../ssh-host/ssh-host-fns";
 import {
@@ -43,8 +44,12 @@ type TSshHostGroupServiceFactoryDep = {
  sshHostLoginUserDAL: Pick<TSshHostLoginUserDALFactory, "create" | "transaction" | "delete">;
  sshHostLoginUserMappingDAL: Pick<TSshHostLoginUserMappingDALFactory, "insertMany">;
  userDAL: Pick<TUserDALFactory, "find">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getUserProjectPermission">;
+  permissionService: Pick<
    TPermissionServiceFactory,
    "getProjectPermission" | "getUserProjectPermission" | "checkGroupProjectPermission"
  >;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  groupDAL: Pick<TGroupDALFactory, "findGroupsByProjectId">;
 };
 export type TSshHostGroupServiceFactory = ReturnType<typeof sshHostGroupServiceFactory>;
@@ -58,7 +63,8 @@ export const sshHostGroupServiceFactory = ({
  sshHostLoginUserMappingDAL,
  userDAL,
  permissionService,
-  licenseService
+  licenseService,
  groupDAL
 }: TSshHostGroupServiceFactoryDep) => {
  const createSshHostGroup = async ({
    projectId,
@@ -127,6 +133,7 @@ export const sshHostGroupServiceFactory = ({
        loginMappings,
        sshHostLoginUserDAL,
        sshHostLoginUserMappingDAL,
        groupDAL,
        userDAL,
        permissionService,
        projectId,
@@ -179,6 +186,33 @@ export const sshHostGroupServiceFactory = ({
      });
    const updatedSshHostGroup = await sshHostGroupDAL.transaction(async (tx) => {
      if (name && name !== sshHostGroup.name) {
        // (dangtony98): room to optimize check to ensure that
        // the SSH host group name is unique across the whole org
        const project = await projectDAL.findById(sshHostGroup.projectId, tx);
        if (!project) throw new NotFoundError({ message: `Project with ID '${sshHostGroup.projectId}' not found` });
        const projects = await projectDAL.find(
          {
            orgId: project.orgId
          },
          { tx }
        );
        const existingSshHostGroup = await sshHostGroupDAL.find(
          {
            name,
            $in: {
              projectId: projects.map((p) => p.id)
            }
          },
          { tx }
        );
        if (existingSshHostGroup.length) {
          throw new BadRequestError({
            message: `SSH host group with name '${name}' already exists in the organization`
          });
        }
        await sshHostGroupDAL.updateById(
          sshHostGroupId,
          {
@@ -186,6 +220,8 @@ export const sshHostGroupServiceFactory = ({
          },
          tx
        );
      }
      if (loginMappings) {
        await sshHostLoginUserDAL.delete({ sshHostGroupId: sshHostGroup.id }, tx);
        if (loginMappings.length) {
@@ -194,6 +230,7 @@ export const sshHostGroupServiceFactory = ({
            loginMappings,
            sshHostLoginUserDAL,
            sshHostLoginUserMappingDAL,
            groupDAL,
            userDAL,
            permissionService,
            projectId: sshHostGroup.projectId,
--- a/backend/src/ee/services/ssh-host-group/ssh-host-group-types.ts
+++ b/backend/src/ee/services/ssh-host-group/ssh-host-group-types.ts
@@ -9,12 +9,7 @@ export type TCreateSshHostGroupDTO = {
 export type TUpdateSshHostGroupDTO = {
  sshHostGroupId: string;
  name?: string;
-  loginMappings?: {
+  loginMappings?: TLoginMapping[];
    loginUser: string;
    allowedPrincipals: {
      usernames: string[];
    };
  }[];
 } & Omit<TProjectPermission, "projectId">;
 export type TGetSshHostGroupDTO = {
--- a/backend/src/ee/services/ssh-host/ssh-host-dal.ts
+++ b/backend/src/ee/services/ssh-host/ssh-host-dal.ts
@@ -31,8 +31,18 @@ export const sshHostDALFactory = (db: TDbClient) => {
          `${TableName.SshHostLoginUser}.id`,
          `${TableName.SshHostLoginUserMapping}.sshHostLoginUserId`
        )
        .leftJoin(TableName.Users, `${TableName.Users}.id`, `${TableName.SshHostLoginUserMapping}.userId`)
        .leftJoin(
          TableName.UserGroupMembership,
          `${TableName.UserGroupMembership}.groupId`,
          `${TableName.SshHostLoginUserMapping}.groupId`
        )
        .whereIn(`${TableName.SshHost}.projectId`, projectIds)
-        .andWhere(`${TableName.SshHostLoginUserMapping}.userId`, userId)
+        .andWhere((bd) => {
          void bd
            .where(`${TableName.SshHostLoginUserMapping}.userId`, userId)
            .orWhere(`${TableName.UserGroupMembership}.userId`, userId);
        })
        .select(
          db.ref("id").withSchema(TableName.SshHost).as("sshHostId"),
          db.ref("projectId").withSchema(TableName.SshHost),
@@ -58,8 +68,17 @@ export const sshHostDALFactory = (db: TDbClient) => {
          `${TableName.SshHostLoginUserMapping}.sshHostLoginUserId`
        )
        .join(TableName.SshHost, `${TableName.SshHostGroupMembership}.sshHostId`, `${TableName.SshHost}.id`)
        .leftJoin(
          TableName.UserGroupMembership,
          `${TableName.UserGroupMembership}.groupId`,
          `${TableName.SshHostLoginUserMapping}.groupId`
        )
        .whereIn(`${TableName.SshHost}.projectId`, projectIds)
-        .andWhere(`${TableName.SshHostLoginUserMapping}.userId`, userId)
+        .andWhere((bd) => {
          void bd
            .where(`${TableName.SshHostLoginUserMapping}.userId`, userId)
            .orWhere(`${TableName.UserGroupMembership}.userId`, userId);
        })
        .select(
          db.ref("id").withSchema(TableName.SshHost).as("sshHostId"),
          db.ref("projectId").withSchema(TableName.SshHost),
@@ -133,6 +152,7 @@ export const sshHostDALFactory = (db: TDbClient) => {
          `${TableName.SshHostLoginUserMapping}.sshHostLoginUserId`
        )
        .leftJoin(TableName.Users, `${TableName.SshHostLoginUserMapping}.userId`, `${TableName.Users}.id`)
        .leftJoin(TableName.Groups, `${TableName.SshHostLoginUserMapping}.groupId`, `${TableName.Groups}.id`)
        .where(`${TableName.SshHost}.projectId`, projectId)
        .select(
          db.ref("id").withSchema(TableName.SshHost).as("sshHostId"),
@@ -144,6 +164,7 @@ export const sshHostDALFactory = (db: TDbClient) => {
          db.ref("loginUser").withSchema(TableName.SshHostLoginUser),
          db.ref("username").withSchema(TableName.Users),
          db.ref("userId").withSchema(TableName.SshHostLoginUserMapping),
          db.ref("slug").withSchema(TableName.Groups).as("groupSlug"),
          db.ref("userSshCaId").withSchema(TableName.SshHost),
          db.ref("hostSshCaId").withSchema(TableName.SshHost)
        )
@@ -163,10 +184,12 @@ export const sshHostDALFactory = (db: TDbClient) => {
          `${TableName.SshHostLoginUserMapping}.sshHostLoginUserId`
        )
        .leftJoin(TableName.Users, `${TableName.SshHostLoginUserMapping}.userId`, `${TableName.Users}.id`)
        .leftJoin(TableName.Groups, `${TableName.SshHostLoginUserMapping}.groupId`, `${TableName.Groups}.id`)
        .select(
          db.ref("sshHostId").withSchema(TableName.SshHostGroupMembership),
          db.ref("loginUser").withSchema(TableName.SshHostLoginUser),
-          db.ref("username").withSchema(TableName.Users)
+          db.ref("username").withSchema(TableName.Users),
          db.ref("slug").withSchema(TableName.Groups).as("groupSlug")
        )
        .whereIn(`${TableName.SshHostGroupMembership}.sshHostId`, hostIds);
@@ -185,7 +208,8 @@ export const sshHostDALFactory = (db: TDbClient) => {
        const directMappings = Object.entries(loginMappingGrouped).map(([loginUser, entries]) => ({
          loginUser,
          allowedPrincipals: {
-            usernames: unique(entries.map((e) => e.username)).filter(Boolean)
+            usernames: unique(entries.map((e) => e.username)).filter(Boolean),
            groups: unique(entries.map((e) => e.groupSlug)).filter(Boolean)
          },
          source: LoginMappingSource.HOST
        }));
@@ -197,7 +221,8 @@ export const sshHostDALFactory = (db: TDbClient) => {
        const groupMappings = Object.entries(inheritedGrouped).map(([loginUser, entries]) => ({
          loginUser,
          allowedPrincipals: {
-            usernames: unique(entries.map((e) => e.username)).filter(Boolean)
+            usernames: unique(entries.map((e) => e.username)).filter(Boolean),
            groups: unique(entries.map((e) => e.groupSlug)).filter(Boolean)
          },
          source: LoginMappingSource.HOST_GROUP
        }));
@@ -229,6 +254,7 @@ export const sshHostDALFactory = (db: TDbClient) => {
          `${TableName.SshHostLoginUserMapping}.sshHostLoginUserId`
        )
        .leftJoin(TableName.Users, `${TableName.SshHostLoginUserMapping}.userId`, `${TableName.Users}.id`)
        .leftJoin(TableName.Groups, `${TableName.SshHostLoginUserMapping}.groupId`, `${TableName.Groups}.id`)
        .where(`${TableName.SshHost}.id`, sshHostId)
        .select(
          db.ref("id").withSchema(TableName.SshHost).as("sshHostId"),
@@ -241,7 +267,8 @@ export const sshHostDALFactory = (db: TDbClient) => {
          db.ref("username").withSchema(TableName.Users),
          db.ref("userId").withSchema(TableName.SshHostLoginUserMapping),
          db.ref("userSshCaId").withSchema(TableName.SshHost),
-          db.ref("hostSshCaId").withSchema(TableName.SshHost)
+          db.ref("hostSshCaId").withSchema(TableName.SshHost),
          db.ref("slug").withSchema(TableName.Groups).as("groupSlug")
        );
      if (rows.length === 0) return null;
@@ -257,7 +284,8 @@ export const sshHostDALFactory = (db: TDbClient) => {
      const directMappings = Object.entries(directGrouped).map(([loginUser, entries]) => ({
        loginUser,
        allowedPrincipals: {
-          usernames: unique(entries.map((e) => e.username)).filter(Boolean)
+          usernames: unique(entries.map((e) => e.username)).filter(Boolean),
          groups: unique(entries.map((e) => e.groupSlug)).filter(Boolean)
        },
        source: LoginMappingSource.HOST
      }));
@@ -275,10 +303,12 @@ export const sshHostDALFactory = (db: TDbClient) => {
          `${TableName.SshHostLoginUserMapping}.sshHostLoginUserId`
        )
        .leftJoin(TableName.Users, `${TableName.SshHostLoginUserMapping}.userId`, `${TableName.Users}.id`)
        .leftJoin(TableName.Groups, `${TableName.SshHostLoginUserMapping}.groupId`, `${TableName.Groups}.id`)
        .where(`${TableName.SshHostGroupMembership}.sshHostId`, sshHostId)
        .select(
          db.ref("loginUser").withSchema(TableName.SshHostLoginUser),
-          db.ref("username").withSchema(TableName.Users)
+          db.ref("username").withSchema(TableName.Users),
          db.ref("slug").withSchema(TableName.Groups).as("groupSlug")
        );
      const groupGrouped = groupBy(
@@ -289,7 +319,8 @@ export const sshHostDALFactory = (db: TDbClient) => {
      const groupMappings = Object.entries(groupGrouped).map(([loginUser, entries]) => ({
        loginUser,
        allowedPrincipals: {
-          usernames: unique(entries.map((e) => e.username)).filter(Boolean)
+          usernames: unique(entries.map((e) => e.username)).filter(Boolean),
          groups: unique(entries.map((e) => e.groupSlug)).filter(Boolean)
        },
        source: LoginMappingSource.HOST_GROUP
      }));
--- a/backend/src/ee/services/ssh-host/ssh-host-fns.ts
+++ b/backend/src/ee/services/ssh-host/ssh-host-fns.ts
@@ -3,6 +3,7 @@ import { Knex } from "knex";
 import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TCreateSshLoginMappingsDTO } from "./ssh-host-types";
 /**
@@ -15,6 +16,7 @@ export const createSshLoginMappings = async ({
  loginMappings,
  sshHostLoginUserDAL,
  sshHostLoginUserMappingDAL,
  groupDAL,
  userDAL,
  permissionService,
  projectId,
@@ -35,7 +37,7 @@ export const createSshLoginMappings = async ({
        tx
      );
-      if (allowedPrincipals.usernames.length > 0) {
+      if (allowedPrincipals.usernames && allowedPrincipals.usernames.length > 0) {
        const users = await userDAL.find(
          {
            $in: {
@@ -74,6 +76,41 @@ export const createSshLoginMappings = async ({
          tx
        );
      }
      if (allowedPrincipals.groups && allowedPrincipals.groups.length > 0) {
        const projectGroups = await groupDAL.findGroupsByProjectId(projectId);
        const groups = projectGroups.filter((g) => allowedPrincipals.groups?.includes(g.slug));
        if (groups.length !== allowedPrincipals.groups?.length) {
          throw new BadRequestError({
            message: `Invalid group slugs: ${allowedPrincipals.groups
              .filter((g) => !projectGroups.some((pg) => pg.slug === g))
              .join(", ")}`
          });
        }
        for await (const group of groups) {
          // check that each group has access to the SSH project and have read access to hosts
          const hasPermission = await permissionService.checkGroupProjectPermission({
            groupId: group.id,
            projectId,
            checkPermissions: [ProjectPermissionSshHostActions.Read, ProjectPermissionSub.SshHosts]
          });
          if (!hasPermission) {
            throw new BadRequestError({
              message: `Group ${group.slug} does not have access to the SSH project`
            });
          }
        }
        await sshHostLoginUserMappingDAL.insertMany(
          groups.map((group) => ({
            sshHostLoginUserId: sshHostLoginUser.id,
            groupId: group.id
          })),
          tx
        );
      }
    }
  };
--- a/backend/src/ee/services/ssh-host/ssh-host-schema.ts
+++ b/backend/src/ee/services/ssh-host/ssh-host-schema.ts
@@ -15,7 +15,24 @@ export const sanitizedSshHost = SshHostsSchema.pick({
 export const loginMappingSchema = z.object({
  loginUser: z.string().trim(),
-  allowedPrincipals: z.object({
+  allowedPrincipals: z
-    usernames: z.array(z.string().trim()).transform((usernames) => Array.from(new Set(usernames)))
+    .object({
      usernames: z
        .array(z.string().trim())
        .transform((usernames) => Array.from(new Set(usernames)))
        .optional(),
      groups: z
        .array(z.string().trim())
        .transform((groups) => Array.from(new Set(groups)))
        .optional()
    })
    .refine(
      (data) => {
        return (data.usernames && data.usernames.length > 0) || (data.groups && data.groups.length > 0);
      },
      {
        message: "At least one username or group must be provided",
        path: ["allowedPrincipals"]
      }
    )
 });
--- a/backend/src/ee/services/ssh-host/ssh-host-service.ts
+++ b/backend/src/ee/services/ssh-host/ssh-host-service.ts
@@ -1,6 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { ActionProjectType, ProjectType } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
@@ -19,6 +20,7 @@ import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectSshConfigDALFactory } from "@app/services/project/project-ssh-config-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TUserGroupMembershipDALFactory } from "../group/user-group-membership-dal";
 import {
  convertActorToPrincipals,
  createSshCert,
@@ -39,12 +41,14 @@ import {
 type TSshHostServiceFactoryDep = {
  userDAL: Pick<TUserDALFactory, "findById" | "find">;
  groupDAL: Pick<TGroupDALFactory, "findGroupsByProjectId">;
  projectDAL: Pick<TProjectDALFactory, "find">;
  projectSshConfigDAL: Pick<TProjectSshConfigDALFactory, "findOne">;
  sshCertificateAuthorityDAL: Pick<TSshCertificateAuthorityDALFactory, "findOne">;
  sshCertificateAuthoritySecretDAL: Pick<TSshCertificateAuthoritySecretDALFactory, "findOne">;
  sshCertificateDAL: Pick<TSshCertificateDALFactory, "create" | "transaction">;
  sshCertificateBodyDAL: Pick<TSshCertificateBodyDALFactory, "create">;
  userGroupMembershipDAL: Pick<TUserGroupMembershipDALFactory, "findGroupMembershipsByUserIdInOrg">;
  sshHostDAL: Pick<
    TSshHostDALFactory,
    | "transaction"
@@ -58,7 +62,10 @@ type TSshHostServiceFactoryDep = {
  >;
  sshHostLoginUserDAL: TSshHostLoginUserDALFactory;
  sshHostLoginUserMappingDAL: TSshHostLoginUserMappingDALFactory;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getUserProjectPermission">;
+  permissionService: Pick<
    TPermissionServiceFactory,
    "getProjectPermission" | "getUserProjectPermission" | "checkGroupProjectPermission"
  >;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
 };
@@ -66,6 +73,8 @@ export type TSshHostServiceFactory = ReturnType<typeof sshHostServiceFactory>;
 export const sshHostServiceFactory = ({
  userDAL,
  userGroupMembershipDAL,
  groupDAL,
  projectDAL,
  projectSshConfigDAL,
  sshCertificateAuthorityDAL,
@@ -208,6 +217,7 @@ export const sshHostServiceFactory = ({
        loginMappings,
        sshHostLoginUserDAL,
        sshHostLoginUserMappingDAL,
        groupDAL,
        userDAL,
        permissionService,
        projectId,
@@ -278,6 +288,7 @@ export const sshHostServiceFactory = ({
            loginMappings,
            sshHostLoginUserDAL,
            sshHostLoginUserMappingDAL,
            groupDAL,
            userDAL,
            permissionService,
            projectId: host.projectId,
@@ -324,7 +335,7 @@ export const sshHostServiceFactory = ({
    return host;
  };
-  const getSshHost = async ({ sshHostId, actorId, actorAuthMethod, actor, actorOrgId }: TGetSshHostDTO) => {
+  const getSshHostById = async ({ sshHostId, actorId, actorAuthMethod, actor, actorOrgId }: TGetSshHostDTO) => {
    const host = await sshHostDAL.findSshHostByIdWithLoginMappings(sshHostId);
    if (!host) {
      throw new NotFoundError({
@@ -387,10 +398,14 @@ export const sshHostServiceFactory = ({
      userDAL
    });
    const userGroups = await userGroupMembershipDAL.findGroupMembershipsByUserIdInOrg(actorId, actorOrgId);
    const userGroupSlugs = userGroups.map((g) => g.groupSlug);
    const mapping = host.loginMappings.find(
      (m) =>
        m.loginUser === loginUser &&
-        m.allowedPrincipals.usernames.some((allowed) => internalPrincipals.includes(allowed))
+        (m.allowedPrincipals.usernames?.some((allowed) => internalPrincipals.includes(allowed)) ||
          m.allowedPrincipals.groups?.some((allowed) => userGroupSlugs.includes(allowed)))
    );
    if (!mapping) {
@@ -616,7 +631,7 @@ export const sshHostServiceFactory = ({
    createSshHost,
    updateSshHost,
    deleteSshHost,
-    getSshHost,
+    getSshHostById,
    issueSshHostUserCert,
    issueSshHostHostCert,
    getSshHostUserCaPk,
--- a/backend/src/ee/services/ssh-host/ssh-host-types.ts
+++ b/backend/src/ee/services/ssh-host/ssh-host-types.ts
@@ -7,12 +7,15 @@ import { TProjectPermission } from "@app/lib/types";
 import { ActorAuthMethod } from "@app/services/auth/auth-type";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TGroupDALFactory } from "../group/group-dal";
 export type TListSshHostsDTO = Omit<TProjectPermission, "projectId">;
 export type TLoginMapping = {
  loginUser: string;
  allowedPrincipals: {
-    usernames: string[];
+    usernames?: string[];
    groups?: string[];
  };
 };
@@ -63,7 +66,8 @@ type BaseCreateSshLoginMappingsDTO = {
  sshHostLoginUserDAL: Pick<TSshHostLoginUserDALFactory, "create" | "transaction">;
  sshHostLoginUserMappingDAL: Pick<TSshHostLoginUserMappingDALFactory, "insertMany">;
  userDAL: Pick<TUserDALFactory, "find">;
-  permissionService: Pick<TPermissionServiceFactory, "getUserProjectPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getUserProjectPermission" | "checkGroupProjectPermission">;
  groupDAL: Pick<TGroupDALFactory, "findGroupsByProjectId">;
  projectId: string;
  actorAuthMethod: ActorAuthMethod;
  actorOrgId: string;
--- a/backend/src/ee/services/ssh/ssh-certificate-authority-service.ts
+++ b/backend/src/ee/services/ssh/ssh-certificate-authority-service.ts
@@ -282,7 +282,7 @@ export const sshCertificateAuthorityServiceFactory = ({
    // set [keyId] depending on if [allowCustomKeyIds] is true or false
    const keyId = sshCertificateTemplate.allowCustomKeyIds
-      ? requestedKeyId ?? `${actor}-${actorId}`
+      ? (requestedKeyId ?? `${actor}-${actorId}`)
      : `${actor}-${actorId}`;
    const sshCaSecret = await sshCertificateAuthoritySecretDAL.findOne({ sshCaId: sshCertificateTemplate.sshCaId });
@@ -404,7 +404,7 @@ export const sshCertificateAuthorityServiceFactory = ({
    // set [keyId] depending on if [allowCustomKeyIds] is true or false
    const keyId = sshCertificateTemplate.allowCustomKeyIds
-      ? requestedKeyId ?? `${actor}-${actorId}`
+      ? (requestedKeyId ?? `${actor}-${actorId}`)
      : `${actor}-${actorId}`;
    const sshCaSecret = await sshCertificateAuthoritySecretDAL.findOne({ sshCaId: sshCertificateTemplate.sshCaId });
--- a/backend/src/keystore/keystore.ts
+++ b/backend/src/keystore/keystore.ts
@@ -1,6 +1,8 @@
 import { Redis } from "ioredis";
 import { pgAdvisoryLockHashText } from "@app/lib/crypto/hashtext";
 import { applyJitter } from "@app/lib/dates";
 import { delay as delayMs } from "@app/lib/delay";
 import { Redlock, Settings } from "@app/lib/red-lock";
 export const PgSqlLock = {
@@ -48,6 +50,13 @@ export const KeyStoreTtls = {
  AccessTokenStatusUpdateInSeconds: 120
 };
 type TDeleteItems = {
  pattern: string;
  batchSize?: number;
  delay?: number;
  jitter?: number;
 };
 type TWaitTillReady = {
  key: string;
  waitingCb?: () => void;
@@ -75,6 +84,35 @@ export const keyStoreFactory = (redisUrl: string) => {
  const deleteItem = async (key: string) => redis.del(key);
  const deleteItems = async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }: TDeleteItems) => {
    let cursor = "0";
    let totalDeleted = 0;
    do {
      // Await in loop is needed so that Redis is not overwhelmed
      // eslint-disable-next-line no-await-in-loop
      const [nextCursor, keys] = await redis.scan(cursor, "MATCH", pattern, "COUNT", 1000); // Count should be 1000 - 5000 for prod loads
      cursor = nextCursor;
      for (let i = 0; i < keys.length; i += batchSize) {
        const batch = keys.slice(i, i + batchSize);
        const pipeline = redis.pipeline();
        for (const key of batch) {
          pipeline.unlink(key);
        }
        // eslint-disable-next-line no-await-in-loop
        await pipeline.exec();
        totalDeleted += batch.length;
        console.log("BATCH DONE");
        // eslint-disable-next-line no-await-in-loop
        await delayMs(Math.max(0, applyJitter(delay, jitter)));
      }
    } while (cursor !== "0");
    return totalDeleted;
  };
  const incrementBy = async (key: string, value: number) => redis.incrby(key, value);
  const setExpiry = async (key: string, expiryInSeconds: number) => redis.expire(key, expiryInSeconds);
@@ -94,7 +132,7 @@ export const keyStoreFactory = (redisUrl: string) => {
      // eslint-disable-next-line
      await new Promise((resolve) => {
        waitingCb?.();
-        setTimeout(resolve, Math.max(0, delay + Math.floor((Math.random() * 2 - 1) * jitter)));
+        setTimeout(resolve, Math.max(0, applyJitter(delay, jitter)));
      });
      attempts += 1;
      // eslint-disable-next-line
@@ -108,6 +146,7 @@ export const keyStoreFactory = (redisUrl: string) => {
    setExpiry,
    setItemWithExpiry,
    deleteItem,
    deleteItems,
    incrementBy,
    acquireLock(resources: string[], duration: number, settings?: Partial<Settings>) {
      return redisLock.acquire(resources, duration, settings);
--- a/backend/src/keystore/memory.ts
+++ b/backend/src/keystore/memory.ts
@@ -1,3 +1,7 @@
 import RE2 from "re2";
 import { applyJitter } from "@app/lib/dates";
 import { delay as delayMs } from "@app/lib/delay";
 import { Lock } from "@app/lib/red-lock";
 import { TKeyStoreFactory } from "./keystore";
@@ -19,6 +23,27 @@ export const inMemoryKeyStore = (): TKeyStoreFactory => {
      delete store[key];
      return 1;
    },
    deleteItems: async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }) => {
      const regex = new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
      let totalDeleted = 0;
      const keys = Object.keys(store);
      for (let i = 0; i < keys.length; i += batchSize) {
        const batch = keys.slice(i, i + batchSize);
        for (const key of batch) {
          if (regex.test(key)) {
            delete store[key];
            totalDeleted += 1;
          }
        }
        // eslint-disable-next-line no-await-in-loop
        await delayMs(Math.max(0, applyJitter(delay, jitter)));
      }
      return totalDeleted;
    },
    getItem: async (key) => {
      const value = store[key];
      if (typeof value === "string") {
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -18,6 +18,7 @@ export enum ApiDocsTags {
  KubernetesAuth = "Kubernetes Auth",
  JwtAuth = "JWT Auth",
  OidcAuth = "OIDC Auth",
  LdapAuth = "LDAP Auth",
  Groups = "Groups",
  Organizations = "Organizations",
  Projects = "Projects",
@@ -45,6 +46,7 @@ export enum ApiDocsTags {
  PkiCertificateTemplates = "PKI Certificate Templates",
  PkiCertificateCollections = "PKI Certificate Collections",
  PkiAlerting = "PKI Alerting",
  PkiSubscribers = "PKI Subscribers",
  SshCertificates = "SSH Certificates",
  SshCertificateAuthorities = "SSH Certificate Authorities",
  SshCertificateTemplates = "SSH Certificate Templates",
@@ -184,6 +186,49 @@ export const UNIVERSAL_AUTH = {
  }
 } as const;
 export const LDAP_AUTH = {
  LOGIN: {
    identityId: "The ID of the identity to login.",
    username: "The username of the LDAP user to login.",
    password: "The password of the LDAP user to login."
  },
  ATTACH: {
    identityId: "The ID of the identity to attach the configuration onto.",
    url: "The URL of the LDAP server.",
    allowedFields:
      "The comma-separated array of key/value pairs of required fields that the LDAP entry must have in order to authenticate.",
    searchBase: "The base DN to search for the LDAP user.",
    searchFilter: "The filter to use to search for the LDAP user.",
    bindDN: "The DN of the user to bind to the LDAP server.",
    bindPass: "The password of the user to bind to the LDAP server.",
    ldapCaCertificate: "The PEM-encoded CA certificate for the LDAP server.",
    accessTokenTTL: "The lifetime for an access token in seconds.",
    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used.",
    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from."
  },
  UPDATE: {
    identityId: "The ID of the identity to update the configuration for.",
    url: "The new URL of the LDAP server.",
    allowedFields: "The comma-separated list of allowed fields to return from the LDAP user.",
    searchBase: "The new base DN to search for the LDAP user.",
    searchFilter: "The new filter to use to search for the LDAP user.",
    bindDN: "The new DN of the user to bind to the LDAP server.",
    bindPass: "The new password of the user to bind to the LDAP server.",
    ldapCaCertificate: "The new PEM-encoded CA certificate for the LDAP server.",
    accessTokenTTL: "The new lifetime for an access token in seconds.",
    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from."
  },
  RETRIEVE: {
    identityId: "The ID of the identity to retrieve the configuration for."
  },
  REVOKE: {
    identityId: "The ID of the identity to revoke the configuration for."
  }
 } as const;
 export const AWS_AUTH = {
  LOGIN: {
    identityId: "The ID of the identity to login.",
@@ -595,6 +640,9 @@ export const PROJECTS = {
    commonName: "The common name of the certificate to filter by.",
    offset: "The offset to start from. If you enter 10, it will start from the 10th certificate.",
    limit: "The number of certificates to return."
  },
  LIST_PKI_SUBSCRIBERS: {
    projectId: "The ID of the project to list PKI subscribers for."
  }
 } as const;
@@ -1434,7 +1482,7 @@ export const SSH_HOSTS = {
    loginUser: "A login user on the remote machine (e.g. 'ec2-user', 'deploy', 'admin')",
    allowedPrincipals: "A list of allowed principals that can log in as the login user.",
    loginMappings:
-      "A list of login mappings for the SSH host. Each login mapping contains a login user and a list of corresponding allowed principals being usernames of users in the Infisical SSH project.",
+      "A list of login mappings for the SSH host. Each login mapping contains a login user and a list of corresponding allowed principals being usernames of users or groups slugs in the Infisical SSH project.",
    userSshCaId:
      "The ID of the SSH CA to use for user certificates. If not specified, the default user SSH CA will be used if it exists.",
    hostSshCaId:
@@ -1449,7 +1497,7 @@ export const SSH_HOSTS = {
    loginUser: "A login user on the remote machine (e.g. 'ec2-user', 'deploy', 'admin')",
    allowedPrincipals: "A list of allowed principals that can log in as the login user.",
    loginMappings:
-      "A list of login mappings for the SSH host. Each login mapping contains a login user and a list of corresponding allowed principals being usernames of users in the Infisical SSH project."
+      "A list of login mappings for the SSH host. Each login mapping contains a login user and a list of corresponding allowed principals being usernames of users or groups slugs in the Infisical SSH project."
  },
  DELETE: {
    sshHostId: "The ID of the SSH host to delete."
@@ -1619,7 +1667,8 @@ export const CERTIFICATES = {
    serialNumber: "The serial number of the certificate to get the certificate body and certificate chain for.",
    certificate: "The certificate body of the certificate.",
    certificateChain: "The certificate chain of the certificate.",
-    serialNumberRes: "The serial number of the certificate."
+    serialNumberRes: "The serial number of the certificate.",
    privateKey: "The private key of the certificate."
  }
 };
@@ -1686,6 +1735,67 @@ export const ALERTS = {
  }
 };
 export const PKI_SUBSCRIBERS = {
  GET: {
    subscriberName: "The name of the PKI subscriber to get.",
    projectId: "The ID of the project to get the PKI subscriber for."
  },
  CREATE: {
    projectId: "The ID of the project to create the PKI subscriber in.",
    caId: "The ID of the CA that will issue certificates for the PKI subscriber.",
    name: "The name of the PKI subscriber.",
    commonName: "The common name (CN) to be used on certificates issued for this subscriber.",
    status: "The status of the PKI subscriber. This can be one of active or disabled.",
    ttl: "The time to live for the certificates issued for this subscriber such as 1m, 1h, 1d, 1y, ...",
    subjectAlternativeNames:
      "A list of Subject Alternative Names (SANs) to be used on certificates issued for this subscriber; these can be host names or email addresses.",
    keyUsages: "The key usage extension to be used on certificates issued for this subscriber.",
    extendedKeyUsages: "The extended key usage extension to be used on certificates issued for this subscriber."
  },
  UPDATE: {
    projectId: "The ID of the project to update the PKI subscriber in.",
    subscriberName: "The name of the PKI subscriber to update.",
    caId: "The ID of the CA that will issue certificates for the PKI subscriber to update to.",
    name: "The name of the PKI subscriber to update to.",
    commonName: "The common name (CN) to be used on certificates issued for this subscriber to update to.",
    status: "The status of the PKI subscriber to update to. This can be one of active or disabled.",
    ttl: "The time to live for the certificates issued for this subscriber such as 1m, 1h, 1d, 1y, ...",
    subjectAlternativeNames:
      "A comma-delimited list of Subject Alternative Names (SANs) to be used on certificates issued for this subscriber; these can be host names or email addresses.",
    keyUsages: "The key usage extension to be used on certificates issued for this subscriber to update to.",
    extendedKeyUsages:
      "The extended key usage extension to be used on certificates issued for this subscriber to update to."
  },
  DELETE: {
    subscriberName: "The name of the PKI subscriber to delete.",
    projectId: "The ID of the project of the PKI subscriber to delete."
  },
  ISSUE_CERT: {
    subscriberName: "The name of the PKI subscriber to issue the certificate for.",
    projectId: "The ID of the project of the PKI subscriber to issue the certificate for.",
    certificate: "The issued certificate.",
    issuingCaCertificate: "The certificate of the issuing CA.",
    certificateChain: "The certificate chain of the issued certificate.",
    privateKey: "The private key of the issued certificate.",
    serialNumber: "The serial number of the issued certificate."
  },
  SIGN_CERT: {
    subscriberName: "The name of the PKI subscriber to sign the certificate for.",
    projectId: "The ID of the project of the PKI subscriber to sign the certificate for.",
    csr: "The CSR to be used to sign the certificate.",
    certificate: "The signed certificate.",
    issuingCaCertificate: "The certificate of the issuing CA.",
    certificateChain: "The certificate chain of the signed certificate.",
    serialNumber: "The serial number of the signed certificate."
  },
  LIST_CERTS: {
    subscriberName: "The name of the PKI subscriber to list the certificates for.",
    projectId: "The ID of the project of the PKI subscriber to list the certificates for.",
    offset: "The offset to start from.",
    limit: "The number of certificates to return."
  }
 };
 export const PKI_COLLECTIONS = {
  CREATE: {
    projectId: "The ID of the project to create the PKI collection in.",
@@ -1821,8 +1931,12 @@ export const KMS = {
 };
 export const ProjectTemplates = {
  LIST: {
    type: "The type of project template to list."
  },
  CREATE: {
    name: "The name of the project template to be created. Must be slug-friendly.",
    type: "The type of project template to be created.",
    description: "An optional description of the project template.",
    roles: "The roles to be created when the template is applied to a project.",
    environments: "The environments to be created when the template is applied to a project."
@@ -1925,6 +2039,13 @@ export const AppConnections = {
    AZURE_CLIENT_SECRETS: {
      code: "The OAuth code to use to connect with Azure Client Secrets.",
      tenantId: "The Tenant ID to use to connect with Azure Client Secrets."
    },
    OCI: {
      userOcid: "The OCID (Oracle Cloud Identifier) of the user making the request.",
      tenancyOcid: "The OCID (Oracle Cloud Identifier) of the tenancy in Oracle Cloud Infrastructure.",
      region: "The region identifier in Oracle Cloud Infrastructure where the vault is located.",
      fingerprint: "The fingerprint of the public key uploaded to the user's API keys.",
      privateKey: "The private key content in PEM format used to sign API requests."
    }
  }
 };
@@ -2072,6 +2193,11 @@ export const SecretSyncs = {
    TEAMCITY: {
      project: "The TeamCity project to sync secrets to.",
      buildConfig: "The TeamCity build configuration to sync secrets to."
    },
    OCI_VAULT: {
      compartmentOcid: "The OCID (Oracle Cloud Identifier) of the compartment where the vault is located.",
      vaultOcid: "The OCID (Oracle Cloud Identifier) of the vault to sync secrets to.",
      keyOcid: "The OCID (Oracle Cloud Identifier) of the encryption key to use when creating secrets in the vault."
    }
  }
 };
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -146,6 +146,7 @@ const envSchema = z
    SECRET_SCANNING_GIT_APP_ID: zpStr(z.string().optional()),
    SECRET_SCANNING_PRIVATE_KEY: zpStr(z.string().optional()),
    SECRET_SCANNING_ORG_WHITELIST: zpStr(z.string().optional()),
    SECRET_SCANNING_GIT_APP_SLUG: zpStr(z.string().default("infisical-radar")),
    // LICENSE
    LICENSE_SERVER_URL: zpStr(z.string().optional().default("https://portal.infisical.com")),
    LICENSE_SERVER_KEY: zpStr(z.string().optional()),
--- a/backend/src/lib/delay/index.ts
+++ b/backend/src/lib/delay/index.ts
@@ -0,0 +1,4 @@
 export const delay = (ms: number) =>
  new Promise<void>((resolve) => {
    setTimeout(resolve, ms);
  });
--- a/backend/src/lib/logger/logger.ts
+++ b/backend/src/lib/logger/logger.ts
@@ -84,7 +84,9 @@ const redactedKeys = [
  "secrets",
  "key",
  "password",
-  "config"
+  "config",
  "bindPass",
  "bindDN"
 ];
 const UNKNOWN_REQUEST_ID = "UNKNOWN_REQUEST_ID";
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@@ -25,6 +25,7 @@ import {
  TQueueSecretSyncSyncSecretsByIdDTO,
  TQueueSendSecretSyncActionFailedNotificationsDTO
 } from "@app/services/secret-sync/secret-sync-types";
 import { CacheType } from "@app/services/super-admin/super-admin-types";
 import { TWebhookPayloads } from "@app/services/webhook/webhook-types";
 export enum QueueName {
@@ -49,7 +50,8 @@ export enum QueueName {
  AccessTokenStatusUpdate = "access-token-status-update",
  ImportSecretsFromExternalSource = "import-secrets-from-external-source",
  AppConnectionSecretSync = "app-connection-secret-sync",
-  SecretRotationV2 = "secret-rotation-v2"
+  SecretRotationV2 = "secret-rotation-v2",
  InvalidateCache = "invalidate-cache"
 }
 export enum QueueJobs {
@@ -81,7 +83,8 @@ export enum QueueJobs {
  SecretSyncSendActionFailedNotifications = "secret-sync-send-action-failed-notifications",
  SecretRotationV2QueueRotations = "secret-rotation-v2-queue-rotations",
  SecretRotationV2RotateSecrets = "secret-rotation-v2-rotate-secrets",
-  SecretRotationV2SendNotification = "secret-rotation-v2-send-notification"
+  SecretRotationV2SendNotification = "secret-rotation-v2-send-notification",
  InvalidateCache = "invalidate-cache"
 }
 export type TQueueJobTypes = {
@@ -234,6 +237,14 @@ export type TQueueJobTypes = {
        name: QueueJobs.SecretRotationV2SendNotification;
        payload: TSecretRotationSendNotificationJobPayload;
      };
  [QueueName.InvalidateCache]: {
    name: QueueJobs.InvalidateCache;
    payload: {
      data: {
        type: CacheType;
      };
    };
  };
 };
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;
--- a/backend/src/server/config/rateLimiter.ts
+++ b/backend/src/server/config/rateLimiter.ts
@@ -100,3 +100,18 @@ export const publicSshCaLimit: RateLimitOptions = {
  max: 30, // conservative default
  keyGenerator: (req) => req.realIp
 };
 export const invalidateCacheLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
  hook: "preValidation",
  max: 2,
  keyGenerator: (req) => req.realIp
 };
 // Makes spamming "request access" harder, preventing email DDoS
 export const requestAccessLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
  hook: "preValidation",
  max: 10,
  keyGenerator: (req) => req.realIp
 };
--- a/backend/src/server/lib/caching.ts
+++ b/backend/src/server/lib/caching.ts
@@ -0,0 +1,8 @@
 import { FastifyReply } from "fastify";
 export const addNoCacheHeaders = (reply: FastifyReply) => {
  void reply.header("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate");
  void reply.header("Pragma", "no-cache");
  void reply.header("Expires", "0");
  void reply.header("Surrogate-Control", "no-store");
 };
--- a/backend/src/server/plugins/fastify-zod.ts
+++ b/backend/src/server/plugins/fastify-zod.ts
@@ -5,7 +5,7 @@
 import type { FastifySchema, FastifySchemaCompiler, FastifyTypeProvider } from "fastify";
 import type { FastifySerializerCompiler } from "fastify/types/schema";
 import type { z, ZodAny, ZodTypeAny } from "zod";
-import { zodToJsonSchema } from "zod-to-json-schema";
+import { PostProcessCallback, zodToJsonSchema } from "zod-to-json-schema";
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 type FreeformRecord = Record<string, any>;
@@ -28,9 +28,25 @@ interface Schema extends FastifySchema {
  hide?: boolean;
 }
 // Credit: https://github.com/StefanTerdell/zod-to-json-schema
 const jsonDescription: PostProcessCallback = (jsonSchema, def) => {
  if (def.description) {
    try {
      return {
        ...jsonSchema,
        description: undefined,
        ...JSON.parse(def.description)
      };
    } catch {}
  }
  return jsonSchema;
 };
 const zodToJsonSchemaOptions = {
  target: "openApi3",
-  $refStrategy: "none"
+  $refStrategy: "none",
  postProcess: jsonDescription
 } as const;
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
--- a/backend/src/server/plugins/serve-ui.ts
+++ b/backend/src/server/plugins/serve-ui.ts
@@ -57,7 +57,9 @@ export const registerServeUI = async (
          reply.callNotFound();
          return;
        }
-        return reply.sendFile("index.html");
+        // reference: https://github.com/fastify/fastify-static?tab=readme-ov-file#managing-cache-control-headers
        // to avoid ui bundle skew on new deployment
        return reply.sendFile("index.html", { maxAge: 0, immutable: false });
      }
    });
  }
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -126,6 +126,7 @@ import { tokenDALFactory } from "@app/services/auth-token/auth-token-dal";
 import { tokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { certificateBodyDALFactory } from "@app/services/certificate/certificate-body-dal";
 import { certificateDALFactory } from "@app/services/certificate/certificate-dal";
 import { certificateSecretDALFactory } from "@app/services/certificate/certificate-secret-dal";
 import { certificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { certificateAuthorityCertDALFactory } from "@app/services/certificate-authority/certificate-authority-cert-dal";
 import { certificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
@@ -159,6 +160,8 @@ import { identityJwtAuthDALFactory } from "@app/services/identity-jwt-auth/ident
 import { identityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
 import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
 import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { identityLdapAuthDALFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-dal";
 import { identityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
 import { identityOidcAuthDALFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-dal";
 import { identityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
@@ -194,6 +197,8 @@ import { pkiAlertServiceFactory } from "@app/services/pki-alert/pki-alert-servic
 import { pkiCollectionDALFactory } from "@app/services/pki-collection/pki-collection-dal";
 import { pkiCollectionItemDALFactory } from "@app/services/pki-collection/pki-collection-item-dal";
 import { pkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
 import { pkiSubscriberDALFactory } from "@app/services/pki-subscriber/pki-subscriber-dal";
 import { pkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
 import { projectDALFactory } from "@app/services/project/project-dal";
 import { projectQueueFactory } from "@app/services/project/project-queue";
 import { projectServiceFactory } from "@app/services/project/project-service";
@@ -241,6 +246,7 @@ import { projectSlackConfigDALFactory } from "@app/services/slack/project-slack-
 import { slackIntegrationDALFactory } from "@app/services/slack/slack-integration-dal";
 import { slackServiceFactory } from "@app/services/slack/slack-service";
 import { TSmtpService } from "@app/services/smtp/smtp-service";
 import { invalidateCacheQueueFactory } from "@app/services/super-admin/invalidate-cache-queue";
 import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 import { getServerCfg, superAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
 import { telemetryDALFactory } from "@app/services/telemetry/telemetry-dal";
@@ -352,6 +358,7 @@ export const registerRoutes = async (
  const identityOidcAuthDAL = identityOidcAuthDALFactory(db);
  const identityJwtAuthDAL = identityJwtAuthDALFactory(db);
  const identityAzureAuthDAL = identityAzureAuthDALFactory(db);
  const identityLdapAuthDAL = identityLdapAuthDALFactory(db);
  const auditLogDAL = auditLogDALFactory(auditLogDb ?? db);
  const auditLogStreamDAL = auditLogStreamDALFactory(db);
@@ -610,6 +617,11 @@ export const registerRoutes = async (
    queueService
  });
  const invalidateCacheQueue = invalidateCacheQueueFactory({
    keyStore,
    queueService
  });
  const userService = userServiceFactory({
    userDAL,
    userAliasDAL,
@@ -721,7 +733,8 @@ export const registerRoutes = async (
    keyStore,
    licenseService,
    kmsService,
-    microsoftTeamsService
+    microsoftTeamsService,
    invalidateCacheQueue
  });
  const orgAdminService = orgAdminServiceFactory({
@@ -812,14 +825,17 @@ export const registerRoutes = async (
  const certificateDAL = certificateDALFactory(db);
  const certificateBodyDAL = certificateBodyDALFactory(db);
  const certificateSecretDAL = certificateSecretDALFactory(db);
  const pkiAlertDAL = pkiAlertDALFactory(db);
  const pkiCollectionDAL = pkiCollectionDALFactory(db);
  const pkiCollectionItemDAL = pkiCollectionItemDALFactory(db);
  const pkiSubscriberDAL = pkiSubscriberDALFactory(db);
  const certificateService = certificateServiceFactory({
    certificateDAL,
    certificateBodyDAL,
    certificateSecretDAL,
    certificateAuthorityDAL,
    certificateAuthorityCertDAL,
    certificateAuthorityCrlDAL,
@@ -857,6 +873,8 @@ export const registerRoutes = async (
  const sshHostService = sshHostServiceFactory({
    userDAL,
    groupDAL,
    userGroupMembershipDAL,
    projectDAL,
    projectSshConfigDAL,
    sshCertificateAuthorityDAL,
@@ -879,7 +897,8 @@ export const registerRoutes = async (
    sshHostLoginUserMappingDAL,
    userDAL,
    permissionService,
-    licenseService
+    licenseService,
    groupDAL
  });
  const certificateAuthorityService = certificateAuthorityServiceFactory({
@@ -891,6 +910,7 @@ export const registerRoutes = async (
    certificateAuthorityQueue,
    certificateDAL,
    certificateBodyDAL,
    certificateSecretDAL,
    pkiCollectionDAL,
    pkiCollectionItemDAL,
    projectDAL,
@@ -945,6 +965,20 @@ export const registerRoutes = async (
    projectDAL
  });
  const pkiSubscriberService = pkiSubscriberServiceFactory({
    pkiSubscriberDAL,
    certificateAuthorityDAL,
    certificateAuthorityCertDAL,
    certificateAuthoritySecretDAL,
    certificateAuthorityCrlDAL,
    certificateDAL,
    certificateBodyDAL,
    certificateSecretDAL,
    projectDAL,
    kmsService,
    permissionService
  });
  const projectTemplateService = projectTemplateServiceFactory({
    licenseService,
    permissionService,
@@ -1042,6 +1076,7 @@ export const registerRoutes = async (
    projectRoleDAL,
    folderDAL,
    licenseService,
    pkiSubscriberDAL,
    certificateAuthorityDAL,
    certificateDAL,
    pkiAlertDAL,
@@ -1434,6 +1469,16 @@ export const registerRoutes = async (
    kmsService
  });
  const identityLdapAuthService = identityLdapAuthServiceFactory({
    identityLdapAuthDAL,
    permissionService,
    kmsService,
    identityAccessTokenDAL,
    identityOrgMembershipDAL,
    licenseService,
    identityDAL
  });
  const gatewayService = gatewayServiceFactory({
    permissionService,
    gatewayDAL,
@@ -1694,6 +1739,7 @@ export const registerRoutes = async (
    identityAzureAuth: identityAzureAuthService,
    identityOidcAuth: identityOidcAuthService,
    identityJwtAuth: identityJwtAuthService,
    identityLdapAuth: identityLdapAuthService,
    accessApprovalPolicy: accessApprovalPolicyService,
    accessApprovalRequest: accessApprovalRequestService,
    secretApprovalPolicy: secretApprovalPolicyService,
@@ -1717,6 +1763,7 @@ export const registerRoutes = async (
    certificateEst: certificateEstService,
    pkiAlert: pkiAlertService,
    pkiCollection: pkiCollectionService,
    pkiSubscriber: pkiSubscriberService,
    secretScanning: secretScanningService,
    license: licenseService,
    trustedIp: trustedIpService,
@@ -1759,6 +1806,10 @@ export const registerRoutes = async (
    if (licenseSyncJob) {
      cronJobs.push(licenseSyncJob);
    }
    const microsoftTeamsSyncJob = await microsoftTeamsService.initializeBackgroundSync();
    if (microsoftTeamsSyncJob) {
      cronJobs.push(microsoftTeamsSyncJob);
    }
  }
  server.decorate<FastifyZodProvider["store"]>("store", {
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@@ -4,13 +4,14 @@ import { z } from "zod";
 import { IdentitiesSchema, OrganizationsSchema, SuperAdminSchema, UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { invalidateCacheLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { RootKeyEncryptionStrategy } from "@app/services/kms/kms-types";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
-import { LoginMethod } from "@app/services/super-admin/super-admin-types";
+import { CacheType, LoginMethod } from "@app/services/super-admin/super-admin-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 export const registerAdminRouter = async (server: FastifyZodProvider) => {
@@ -548,4 +549,69 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
      };
    }
  });
  server.route({
    method: "POST",
    url: "/invalidate-cache",
    config: {
      rateLimit: invalidateCacheLimit
    },
    schema: {
      body: z.object({
        type: z.nativeEnum(CacheType)
      }),
      response: {
        200: z.object({
          message: z.string()
        })
      }
    },
    onRequest: (req, res, done) => {
      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
        verifySuperAdmin(req, res, done);
      });
    },
    handler: async (req) => {
      await server.services.superAdmin.invalidateCache(req.body.type);
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.InvalidateCache,
        distinctId: getTelemetryDistinctId(req),
        properties: {
          ...req.auditLogInfo
        }
      });
      return {
        message: "Cache invalidation job started"
      };
    }
  });
  server.route({
    method: "GET",
    url: "/invalidating-cache-status",
    config: {
      rateLimit: readLimit
    },
    schema: {
      response: {
        200: z.object({
          invalidating: z.boolean()
        })
      }
    },
    onRequest: (req, res, done) => {
      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
        verifySuperAdmin(req, res, done);
      });
    },
    handler: async () => {
      const invalidating = await server.services.superAdmin.checkIfInvalidatingCache();
      return {
        invalidating
      };
    }
  });
 };
--- a/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
@@ -38,6 +38,7 @@ import {
 } from "@app/services/app-connection/humanitec";
 import { LdapConnectionListItemSchema, SanitizedLdapConnectionSchema } from "@app/services/app-connection/ldap";
 import { MsSqlConnectionListItemSchema, SanitizedMsSqlConnectionSchema } from "@app/services/app-connection/mssql";
 import { OCIConnectionListItemSchema, SanitizedOCIConnectionSchema } from "@app/services/app-connection/oci";
 import {
  PostgresConnectionListItemSchema,
  SanitizedPostgresConnectionSchema
@@ -76,7 +77,8 @@ const SanitizedAppConnectionSchema = z.union([
  ...SanitizedAzureClientSecretsConnectionSchema.options,
  ...SanitizedWindmillConnectionSchema.options,
  ...SanitizedLdapConnectionSchema.options,
-  ...SanitizedTeamCityConnectionSchema.options
+  ...SanitizedTeamCityConnectionSchema.options,
  ...SanitizedOCIConnectionSchema.options
 ]);
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -97,7 +99,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
  AzureClientSecretsConnectionListItemSchema,
  WindmillConnectionListItemSchema,
  LdapConnectionListItemSchema,
-  TeamCityConnectionListItemSchema
+  TeamCityConnectionListItemSchema,
  OCIConnectionListItemSchema
 ]);
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {
--- a/backend/src/server/routes/v1/app-connection-routers/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/index.ts
@@ -13,6 +13,7 @@ import { registerHCVaultConnectionRouter } from "./hc-vault-connection-router";
 import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
 import { registerLdapConnectionRouter } from "./ldap-connection-router";
 import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
 import { registerOCIConnectionRouter } from "./oci-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
 import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
@@ -40,5 +41,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
    [AppConnection.Auth0]: registerAuth0ConnectionRouter,
    [AppConnection.HCVault]: registerHCVaultConnectionRouter,
    [AppConnection.LDAP]: registerLdapConnectionRouter,
-    [AppConnection.TeamCity]: registerTeamCityConnectionRouter
+    [AppConnection.TeamCity]: registerTeamCityConnectionRouter,
    [AppConnection.OCI]: registerOCIConnectionRouter
  };
--- a/backend/src/server/routes/v1/app-connection-routers/oci-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/oci-connection-router.ts
@@ -0,0 +1,123 @@
 import z from "zod";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
  CreateOCIConnectionSchema,
  SanitizedOCIConnectionSchema,
  UpdateOCIConnectionSchema
 } from "@app/services/app-connection/oci";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
 export const registerOCIConnectionRouter = async (server: FastifyZodProvider) => {
  registerAppConnectionEndpoints({
    app: AppConnection.OCI,
    server,
    sanitizedResponseSchema: SanitizedOCIConnectionSchema,
    createSchema: CreateOCIConnectionSchema,
    updateSchema: UpdateOCIConnectionSchema
  });
  // The following endpoints are for internal Infisical App use only and not part of the public API
  server.route({
    method: "GET",
    url: `/:connectionId/compartments`,
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        connectionId: z.string().uuid()
      }),
      response: {
        200: z
          .object({
            id: z.string(),
            name: z.string()
          })
          .array()
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const { connectionId } = req.params;
      const compartments = await server.services.appConnection.oci.listCompartments(connectionId, req.permission);
      return compartments;
    }
  });
  server.route({
    method: "GET",
    url: `/:connectionId/vaults`,
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        connectionId: z.string().uuid()
      }),
      querystring: z.object({
        compartmentOcid: z.string().min(1, "Compartment OCID required")
      }),
      response: {
        200: z
          .object({
            id: z.string(),
            displayName: z.string()
          })
          .array()
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const { connectionId } = req.params;
      const { compartmentOcid } = req.query;
      const vaults = await server.services.appConnection.oci.listVaults(
        { connectionId, compartmentOcid },
        req.permission
      );
      return vaults;
    }
  });
  server.route({
    method: "GET",
    url: `/:connectionId/vault-keys`,
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        connectionId: z.string().uuid()
      }),
      querystring: z.object({
        compartmentOcid: z.string().min(1, "Compartment OCID required"),
        vaultOcid: z.string().min(1, "Vault OCID required")
      }),
      response: {
        200: z
          .object({
            id: z.string(),
            displayName: z.string()
          })
          .array()
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const { connectionId } = req.params;
      const { compartmentOcid, vaultOcid } = req.query;
      const keys = await server.services.appConnection.oci.listVaultKeys(
        { connectionId, compartmentOcid, vaultOcid },
        req.permission
      );
      return keys;
    }
  });
 };
--- a/backend/src/server/routes/v1/certificate-router.ts
+++ b/backend/src/server/routes/v1/certificate-router.ts
@@ -1,3 +1,4 @@
 /* eslint-disable @typescript-eslint/no-floating-promises */
 import { z } from "zod";
 import { CertificatesSchema } from "@app/db/schemas";
@@ -5,6 +6,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, CERTIFICATE_AUTHORITIES, CERTIFICATES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { addNoCacheHeaders } from "@app/server/lib/caching";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -64,6 +66,111 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
    }
  });
  // TODO: In the future add support for other formats outside of PEM (such as DER). Adding a "format" query param may be best.
  server.route({
    method: "GET",
    url: "/:serialNumber/private-key",
    config: {
      rateLimit: readLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      hide: false,
      tags: [ApiDocsTags.PkiCertificates],
      description: "Get certificate private key",
      params: z.object({
        serialNumber: z.string().trim().describe(CERTIFICATES.GET.serialNumber)
      }),
      response: {
        200: z.string().trim()
      }
    },
    handler: async (req, reply) => {
      const { ca, cert, certPrivateKey } = await server.services.certificate.getCertPrivateKey({
        serialNumber: req.params.serialNumber,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: ca.projectId,
        event: {
          type: EventType.GET_CERT_PRIVATE_KEY,
          metadata: {
            certId: cert.id,
            cn: cert.commonName,
            serialNumber: cert.serialNumber
          }
        }
      });
      addNoCacheHeaders(reply);
      return certPrivateKey;
    }
  });
  // TODO: In the future add support for other formats outside of PEM (such as DER). Adding a "format" query param may be best.
  server.route({
    method: "GET",
    url: "/:serialNumber/bundle",
    config: {
      rateLimit: readLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      hide: false,
      tags: [ApiDocsTags.PkiCertificates],
      description: "Get certificate bundle including the certificate, chain, and private key.",
      params: z.object({
        serialNumber: z.string().trim().describe(CERTIFICATES.GET_CERT.serialNumber)
      }),
      response: {
        200: z.object({
          certificate: z.string().trim().describe(CERTIFICATES.GET_CERT.certificate),
          certificateChain: z.string().trim().nullish().describe(CERTIFICATES.GET_CERT.certificateChain),
          privateKey: z.string().trim().describe(CERTIFICATES.GET_CERT.privateKey),
          serialNumber: z.string().trim().describe(CERTIFICATES.GET_CERT.serialNumberRes)
        })
      }
    },
    handler: async (req, reply) => {
      const { certificate, certificateChain, serialNumber, cert, ca, privateKey } =
        await server.services.certificate.getCertBundle({
          serialNumber: req.params.serialNumber,
          actor: req.permission.type,
          actorId: req.permission.id,
          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId
        });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: ca.projectId,
        event: {
          type: EventType.GET_CERT_BUNDLE,
          metadata: {
            certId: cert.id,
            cn: cert.commonName,
            serialNumber: cert.serialNumber
          }
        }
      });
      addNoCacheHeaders(reply);
      return {
        certificate,
        certificateChain,
        serialNumber,
        privateKey
      };
    }
  });
  server.route({
    method: "POST",
    url: "/issue-certificate",
@@ -411,7 +518,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.object({
          certificate: z.string().trim().describe(CERTIFICATES.GET_CERT.certificate),
-          certificateChain: z.string().trim().describe(CERTIFICATES.GET_CERT.certificateChain),
+          certificateChain: z.string().trim().nullish().describe(CERTIFICATES.GET_CERT.certificateChain),
          serialNumber: z.string().trim().describe(CERTIFICATES.GET_CERT.serialNumberRes)
        })
      }
@@ -429,7 +536,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
        ...req.auditLogInfo,
        projectId: ca.projectId,
        event: {
-          type: EventType.DELETE_CERT,
+          type: EventType.GET_CERT_BODY,
          metadata: {
            certId: cert.id,
            cn: cert.commonName,
--- a/backend/src/server/routes/v1/identity-ldap-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-ldap-auth-router.ts
@@ -0,0 +1,497 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 /* eslint-disable @typescript-eslint/no-unsafe-return */
 /* eslint-disable @typescript-eslint/no-unsafe-member-access */
 /* eslint-disable @typescript-eslint/no-unsafe-assignment */
 /* eslint-disable @typescript-eslint/no-unsafe-call */
 /* eslint-disable @typescript-eslint/no-unsafe-argument */
 // All the any rules are disabled because passport typesense with fastify is really poor
 import { Authenticator } from "@fastify/passport";
 import fastifySession from "@fastify/session";
 import { FastifyRequest } from "fastify";
 import { IncomingMessage } from "http";
 import LdapStrategy from "passport-ldapauth";
 import { z } from "zod";
 import { IdentityLdapAuthsSchema } from "@app/db/schemas/identity-ldap-auths";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { isValidLdapFilter } from "@app/ee/services/ldap-config/ldap-fns";
 import { ApiDocsTags, LDAP_AUTH } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { UnauthorizedError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { AllowedFieldsSchema } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
 import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 export const registerIdentityLdapAuthRouter = async (server: FastifyZodProvider) => {
  const appCfg = getConfig();
  const passport = new Authenticator({ key: "ldap-identity-auth", userProperty: "passportMachineIdentity" });
  await server.register(fastifySession, { secret: appCfg.COOKIE_SECRET_SIGN_KEY });
  await server.register(passport.initialize());
  await server.register(passport.secureSession());
  const getLdapPassportOpts = (req: FastifyRequest, done: any) => {
    const { identityId } = req.body as {
      identityId: string;
    };
    process.nextTick(async () => {
      try {
        const { ldapConfig, opts } = await server.services.identityLdapAuth.getLdapConfig(identityId);
        req.ldapConfig = {
          ...ldapConfig,
          isActive: true,
          groupSearchBase: "",
          uniqueUserAttribute: "",
          groupSearchFilter: ""
        };
        done(null, opts);
      } catch (err) {
        logger.error(err, "Error in LDAP verification callback");
        done(err);
      }
    });
  };
  passport.use(
    new LdapStrategy(
      getLdapPassportOpts as any,
      // eslint-disable-next-line
      async (req: IncomingMessage, user, cb) => {
        try {
          const requestBody = (req as unknown as FastifyRequest).body as {
            username: string;
            password: string;
            identityId: string;
          };
          if (!requestBody.username || !requestBody.password) {
            return cb(new UnauthorizedError({ message: "Invalid request. Missing username or password." }), false);
          }
          if (!requestBody.identityId) {
            return cb(new UnauthorizedError({ message: "Invalid request. Missing identity ID." }), false);
          }
          const { ldapConfig } = req as unknown as FastifyRequest;
          if (ldapConfig.allowedFields) {
            for (const field of ldapConfig.allowedFields) {
              if (!user[field.key]) {
                return cb(
                  new UnauthorizedError({ message: `Invalid request. Missing field ${field.key} on user.` }),
                  false
                );
              }
              const value = field.value.split(",");
              if (!value.includes(user[field.key])) {
                return cb(
                  new UnauthorizedError({
                    message: `Invalid request. User field '${field.key}' does not match required fields.`
                  }),
                  false
                );
              }
            }
          }
          return cb(null, { identityId: requestBody.identityId, user });
        } catch (error) {
          logger.error(error, "Error in LDAP verification callback");
          return cb(error, false);
        }
      }
    )
  );
  server.route({
    method: "POST",
    url: "/ldap-auth/login",
    config: {
      rateLimit: writeLimit
    },
    schema: {
      hide: false,
      tags: [ApiDocsTags.LdapAuth],
      description: "Login with LDAP Auth",
      body: z.object({
        identityId: z.string().trim().describe(LDAP_AUTH.LOGIN.identityId),
        username: z.string().describe(LDAP_AUTH.LOGIN.username),
        password: z.string().describe(LDAP_AUTH.LOGIN.password)
      }),
      response: {
        200: z.object({
          accessToken: z.string(),
          expiresIn: z.coerce.number(),
          accessTokenMaxTTL: z.coerce.number(),
          tokenType: z.literal("Bearer")
        })
      }
    },
    preValidation: passport.authenticate("ldapauth", {
      failWithError: true,
      session: false
    }) as any,
    errorHandler: (error) => {
      if (error.name === "AuthenticationError") {
        throw new UnauthorizedError({ message: "Invalid credentials" });
      }
      throw error;
    },
    handler: async (req) => {
      if (!req.passportMachineIdentity?.identityId) {
        throw new UnauthorizedError({ message: "Invalid request. Missing identity ID or LDAP entry details." });
      }
      const { identityId, user } = req.passportMachineIdentity;
      const { accessToken, identityLdapAuth, identityMembershipOrg } = await server.services.identityLdapAuth.login({
        identityId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        orgId: identityMembershipOrg?.orgId,
        event: {
          type: EventType.LOGIN_IDENTITY_LDAP_AUTH,
          metadata: {
            identityId,
            ldapEmail: user.mail,
            ldapUsername: user.uid
          }
        }
      });
      return {
        accessToken,
        tokenType: "Bearer" as const,
        expiresIn: identityLdapAuth.accessTokenTTL,
        accessTokenMaxTTL: identityLdapAuth.accessTokenMaxTTL
      };
    }
  });
  server.route({
    method: "POST",
    url: "/ldap-auth/identities/:identityId",
    config: {
      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      hide: false,
      tags: [ApiDocsTags.LdapAuth],
      description: "Attach LDAP Auth configuration onto identity",
      security: [
        {
          bearerAuth: []
        }
      ],
      params: z.object({
        identityId: z.string().trim().describe(LDAP_AUTH.ATTACH.identityId)
      }),
      body: z
        .object({
          url: z.string().trim().min(1).describe(LDAP_AUTH.ATTACH.url),
          bindDN: z.string().trim().min(1).describe(LDAP_AUTH.ATTACH.bindDN),
          bindPass: z.string().trim().min(1).describe(LDAP_AUTH.ATTACH.bindPass),
          searchBase: z.string().trim().min(1).describe(LDAP_AUTH.ATTACH.searchBase),
          searchFilter: z
            .string()
            .trim()
            .min(1)
            .default("(uid={{username}})")
            .refine(isValidLdapFilter, "Invalid LDAP search filter")
            .describe(LDAP_AUTH.ATTACH.searchFilter),
          allowedFields: AllowedFieldsSchema.array().optional().describe(LDAP_AUTH.ATTACH.allowedFields),
          ldapCaCertificate: z.string().trim().optional().describe(LDAP_AUTH.ATTACH.ldapCaCertificate),
          accessTokenTrustedIps: z
            .object({
              ipAddress: z.string().trim()
            })
            .array()
            .min(1)
            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
            .describe(LDAP_AUTH.ATTACH.accessTokenTrustedIps),
          accessTokenTTL: z
            .number()
            .int()
            .min(0)
            .max(315360000)
            .default(2592000)
            .describe(LDAP_AUTH.ATTACH.accessTokenTTL),
          accessTokenMaxTTL: z
            .number()
            .int()
            .min(1)
            .max(315360000)
            .default(2592000)
            .describe(LDAP_AUTH.ATTACH.accessTokenMaxTTL),
          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(LDAP_AUTH.ATTACH.accessTokenNumUsesLimit)
        })
        .refine(
          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
          "Access Token TTL cannot be greater than Access Token Max TTL."
        ),
      response: {
        200: z.object({
          identityLdapAuth: IdentityLdapAuthsSchema.omit({
            encryptedBindDN: true,
            encryptedBindPass: true,
            encryptedLdapCaCertificate: true
          })
        })
      }
    },
    handler: async (req) => {
      const identityLdapAuth = await server.services.identityLdapAuth.attachLdapAuth({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        identityId: req.params.identityId,
        isActorSuperAdmin: isSuperAdmin(req.auth)
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        orgId: req.permission.orgId,
        event: {
          type: EventType.ADD_IDENTITY_LDAP_AUTH,
          metadata: {
            identityId: req.params.identityId,
            url: identityLdapAuth.url,
            accessTokenMaxTTL: identityLdapAuth.accessTokenMaxTTL,
            accessTokenTTL: identityLdapAuth.accessTokenTTL,
            accessTokenNumUsesLimit: identityLdapAuth.accessTokenNumUsesLimit,
            allowedFields: req.body.allowedFields
          }
        }
      });
      return { identityLdapAuth };
    }
  });
  server.route({
    method: "PATCH",
    url: "/ldap-auth/identities/:identityId",
    config: {
      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      hide: false,
      tags: [ApiDocsTags.LdapAuth],
      description: "Update LDAP Auth configuration on identity",
      security: [
        {
          bearerAuth: []
        }
      ],
      params: z.object({
        identityId: z.string().trim().describe(LDAP_AUTH.UPDATE.identityId)
      }),
      body: z
        .object({
          url: z.string().trim().min(1).optional().describe(LDAP_AUTH.UPDATE.url),
          bindDN: z.string().trim().min(1).optional().describe(LDAP_AUTH.UPDATE.bindDN),
          bindPass: z.string().trim().min(1).optional().describe(LDAP_AUTH.UPDATE.bindPass),
          searchBase: z.string().trim().min(1).optional().describe(LDAP_AUTH.UPDATE.searchBase),
          searchFilter: z
            .string()
            .trim()
            .min(1)
            .optional()
            .refine((v) => v === undefined || isValidLdapFilter(v), "Invalid LDAP search filter")
            .describe(LDAP_AUTH.UPDATE.searchFilter),
          allowedFields: AllowedFieldsSchema.array().optional().describe(LDAP_AUTH.UPDATE.allowedFields),
          accessTokenTrustedIps: z
            .object({
              ipAddress: z.string().trim()
            })
            .array()
            .min(1)
            .optional()
            .describe(LDAP_AUTH.UPDATE.accessTokenTrustedIps),
          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(LDAP_AUTH.UPDATE.accessTokenTTL),
          accessTokenNumUsesLimit: z
            .number()
            .int()
            .min(0)
            .optional()
            .describe(LDAP_AUTH.UPDATE.accessTokenNumUsesLimit),
          accessTokenMaxTTL: z
            .number()
            .int()
            .max(315360000)
            .min(0)
            .optional()
            .describe(LDAP_AUTH.UPDATE.accessTokenMaxTTL)
        })
        .refine(
          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
          "Access Token TTL cannot be greater than Access Token Max TTL."
        ),
      response: {
        200: z.object({
          identityLdapAuth: IdentityLdapAuthsSchema.omit({
            encryptedBindDN: true,
            encryptedBindPass: true,
            encryptedLdapCaCertificate: true
          })
        })
      }
    },
    handler: async (req) => {
      const identityLdapAuth = await server.services.identityLdapAuth.updateLdapAuth({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        identityId: req.params.identityId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        orgId: req.permission.orgId,
        event: {
          type: EventType.UPDATE_IDENTITY_LDAP_AUTH,
          metadata: {
            identityId: req.params.identityId,
            url: identityLdapAuth.url,
            accessTokenMaxTTL: identityLdapAuth.accessTokenMaxTTL,
            accessTokenTTL: identityLdapAuth.accessTokenTTL,
            accessTokenNumUsesLimit: identityLdapAuth.accessTokenNumUsesLimit,
            accessTokenTrustedIps: identityLdapAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
            allowedFields: req.body.allowedFields
          }
        }
      });
      return { identityLdapAuth };
    }
  });
  server.route({
    method: "GET",
    url: "/ldap-auth/identities/:identityId",
    config: {
      rateLimit: readLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      hide: false,
      tags: [ApiDocsTags.LdapAuth],
      description: "Retrieve LDAP Auth configuration on identity",
      security: [
        {
          bearerAuth: []
        }
      ],
      params: z.object({
        identityId: z.string().trim().describe(LDAP_AUTH.RETRIEVE.identityId)
      }),
      response: {
        200: z.object({
          identityLdapAuth: IdentityLdapAuthsSchema.omit({
            encryptedBindDN: true,
            encryptedBindPass: true,
            encryptedLdapCaCertificate: true
          }).extend({
            bindDN: z.string(),
            bindPass: z.string(),
            ldapCaCertificate: z.string().optional()
          })
        })
      }
    },
    handler: async (req) => {
      const identityLdapAuth = await server.services.identityLdapAuth.getLdapAuth({
        identityId: req.params.identityId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        orgId: req.permission.orgId,
        event: {
          type: EventType.GET_IDENTITY_LDAP_AUTH,
          metadata: {
            identityId: identityLdapAuth.identityId
          }
        }
      });
      return { identityLdapAuth };
    }
  });
  server.route({
    method: "DELETE",
    url: "/ldap-auth/identities/:identityId",
    config: {
      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      hide: false,
      tags: [ApiDocsTags.LdapAuth],
      description: "Delete LDAP Auth configuration on identity",
      security: [
        {
          bearerAuth: []
        }
      ],
      params: z.object({
        identityId: z.string().trim().describe(LDAP_AUTH.REVOKE.identityId)
      }),
      response: {
        200: z.object({
          identityLdapAuth: IdentityLdapAuthsSchema.omit({
            encryptedBindDN: true,
            encryptedBindPass: true,
            encryptedLdapCaCertificate: true
          })
        })
      }
    },
    handler: async (req) => {
      const identityLdapAuth = await server.services.identityLdapAuth.revokeIdentityLdapAuth({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        orgId: req.permission.orgId,
        event: {
          type: EventType.REVOKE_IDENTITY_LDAP_AUTH,
          metadata: {
            identityId: identityLdapAuth.identityId
          }
        }
      });
      return { identityLdapAuth };
    }
  });
 };
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@@ -52,7 +52,8 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.object({
          identity: IdentitiesSchema.extend({
-            authMethods: z.array(z.string())
+            authMethods: z.array(z.string()),
            metadata: z.object({ id: z.string(), key: z.string(), value: z.string() }).array()
          })
        })
      }
@@ -123,7 +124,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          identity: IdentitiesSchema
+          identity: IdentitiesSchema.extend({
            metadata: z.object({ id: z.string(), key: z.string(), value: z.string() }).array()
          })
        })
      }
    },
@@ -227,8 +230,8 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
          identity: IdentityOrgMembershipsSchema.extend({
            metadata: z
              .object({
                key: z.string().trim().min(1),
                id: z.string().trim().min(1),
                key: z.string().trim().min(1),
                value: z.string().trim().min(1)
              })
              .array()
--- a/backend/src/server/routes/v1/index.ts
+++ b/backend/src/server/routes/v1/index.ts
@@ -19,6 +19,7 @@ import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
 import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityJwtAuthRouter } from "./identity-jwt-auth-router";
 import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityLdapAuthRouter } from "./identity-ldap-auth-router";
 import { registerIdentityOidcAuthRouter } from "./identity-oidc-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityTokenAuthRouter } from "./identity-token-auth-router";
@@ -26,11 +27,13 @@ import { registerIdentityUaRouter } from "./identity-universal-auth-router";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
 import { registerIntegrationRouter } from "./integration-router";
 import { registerInviteOrgRouter } from "./invite-org-router";
 import { registerMicrosoftTeamsRouter } from "./microsoft-teams-router";
 import { registerOrgAdminRouter } from "./org-admin-router";
 import { registerOrgRouter } from "./organization-router";
 import { registerPasswordRouter } from "./password-router";
 import { registerPkiAlertRouter } from "./pki-alert-router";
 import { registerPkiCollectionRouter } from "./pki-collection-router";
 import { registerPkiSubscriberRouter } from "./pki-subscriber-router";
 import { registerProjectEnvRouter } from "./project-env-router";
 import { registerProjectKeyRouter } from "./project-key-router";
 import { registerProjectMembershipRouter } from "./project-membership-router";
@@ -47,7 +50,6 @@ import { registerUserEngagementRouter } from "./user-engagement-router";
 import { registerUserRouter } from "./user-router";
 import { registerWebhookRouter } from "./webhook-router";
 import { registerWorkflowIntegrationRouter } from "./workflow-integration-router";
 import { registerMicrosoftTeamsRouter } from "./microsoft-teams-router";
 export const registerV1Routes = async (server: FastifyZodProvider) => {
  await server.register(registerSsoRouter, { prefix: "/sso" });
@@ -63,6 +65,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
      await authRouter.register(registerIdentityAzureAuthRouter);
      await authRouter.register(registerIdentityOidcAuthRouter);
      await authRouter.register(registerIdentityJwtAuthRouter);
      await authRouter.register(registerIdentityLdapAuthRouter);
    },
    { prefix: "/auth" }
  );
@@ -103,6 +106,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
      await pkiRouter.register(registerCertificateTemplateRouter, { prefix: "/certificate-templates" });
      await pkiRouter.register(registerPkiAlertRouter, { prefix: "/alerts" });
      await pkiRouter.register(registerPkiCollectionRouter, { prefix: "/collections" });
      await pkiRouter.register(registerPkiSubscriberRouter, { prefix: "/subscribers" });
    },
    { prefix: "/pki" }
  );
--- a/backend/src/server/routes/v1/org-admin-router.ts
+++ b/backend/src/server/routes/v1/org-admin-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";
 import { ProjectMembershipsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { readLimit } from "@app/server/config/rateLimiter";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -47,7 +47,7 @@ export const registerOrgAdminRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/projects/:projectId/grant-admin-access",
    config: {
-      rateLimit: readLimit
+      rateLimit: writeLimit
    },
    schema: {
      params: z.object({
--- a/backend/src/server/routes/v1/pki-subscriber-router.ts
+++ b/backend/src/server/routes/v1/pki-subscriber-router.ts
@@ -0,0 +1,478 @@
 import { z } from "zod";
 import { CertificatesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, PKI_SUBSCRIBERS } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyUsage } from "@app/services/certificate/certificate-types";
 import { validateAltNameField } from "@app/services/certificate-authority/certificate-authority-validators";
 import { sanitizedPkiSubscriber } from "@app/services/pki-subscriber/pki-subscriber-schema";
 import { PkiSubscriberStatus } from "@app/services/pki-subscriber/pki-subscriber-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 export const registerPkiSubscriberRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:subscriberName",
    config: {
      rateLimit: readLimit
    },
    schema: {
      hide: false,
      tags: [ApiDocsTags.PkiSubscribers],
      description: "Get PKI Subscriber",
      params: z.object({
        subscriberName: z.string().describe(PKI_SUBSCRIBERS.GET.subscriberName)
      }),
      querystring: z.object({
        projectId: z.string().describe(PKI_SUBSCRIBERS.GET.projectId)
      }),
      response: {
        200: sanitizedPkiSubscriber
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const subscriber = await server.services.pkiSubscriber.getSubscriber({
        subscriberName: req.params.subscriberName,
        projectId: req.query.projectId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: subscriber.projectId,
        event: {
          type: EventType.GET_PKI_SUBSCRIBER,
          metadata: {
            pkiSubscriberId: subscriber.id,
            name: subscriber.name
          }
        }
      });
      return subscriber;
    }
  });
  server.route({
    method: "POST",
    url: "/",
    config: {
      rateLimit: writeLimit
    },
    schema: {
      hide: false,
      tags: [ApiDocsTags.PkiSubscribers],
      description: "Create PKI Subscriber",
      body: z.object({
        projectId: z.string().trim().describe(PKI_SUBSCRIBERS.CREATE.projectId),
        caId: z
          .string()
          .trim()
          .uuid("CA ID must be a valid UUID")
          .min(1, "CA ID is required")
          .describe(PKI_SUBSCRIBERS.CREATE.caId),
        name: slugSchema({ min: 1, max: 64, field: "name" }).describe(PKI_SUBSCRIBERS.CREATE.name),
        commonName: z.string().trim().min(1).describe(PKI_SUBSCRIBERS.CREATE.commonName),
        status: z
          .nativeEnum(PkiSubscriberStatus)
          .default(PkiSubscriberStatus.ACTIVE)
          .describe(PKI_SUBSCRIBERS.CREATE.status),
        ttl: z
          .string()
          .trim()
          .refine((val) => ms(val) > 0, "TTL must be a positive number")
          .describe(PKI_SUBSCRIBERS.CREATE.ttl),
        subjectAlternativeNames: validateAltNameField
          .array()
          .default([])
          .transform((arr) => Array.from(new Set(arr)))
          .describe(PKI_SUBSCRIBERS.CREATE.subjectAlternativeNames),
        keyUsages: z
          .nativeEnum(CertKeyUsage)
          .array()
          .default([CertKeyUsage.DIGITAL_SIGNATURE, CertKeyUsage.KEY_ENCIPHERMENT])
          .transform((arr) => Array.from(new Set(arr)))
          .describe(PKI_SUBSCRIBERS.CREATE.keyUsages),
        extendedKeyUsages: z
          .nativeEnum(CertExtendedKeyUsage)
          .array()
          .default([])
          .transform((arr) => Array.from(new Set(arr)))
          .describe(PKI_SUBSCRIBERS.CREATE.extendedKeyUsages)
      }),
      response: {
        200: sanitizedPkiSubscriber
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const subscriber = await server.services.pkiSubscriber.createSubscriber({
        ...req.body,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: subscriber.projectId,
        event: {
          type: EventType.CREATE_PKI_SUBSCRIBER,
          metadata: {
            pkiSubscriberId: subscriber.id,
            caId: subscriber.caId ?? undefined,
            name: subscriber.name,
            commonName: subscriber.commonName,
            ttl: subscriber.ttl,
            subjectAlternativeNames: subscriber.subjectAlternativeNames,
            keyUsages: subscriber.keyUsages as CertKeyUsage[],
            extendedKeyUsages: subscriber.extendedKeyUsages as CertExtendedKeyUsage[]
          }
        }
      });
      return subscriber;
    }
  });
  server.route({
    method: "PATCH",
    url: "/:subscriberName",
    config: {
      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      hide: false,
      tags: [ApiDocsTags.PkiSubscribers],
      description: "Update PKI Subscriber",
      params: z.object({
        subscriberName: z.string().trim().describe(PKI_SUBSCRIBERS.UPDATE.subscriberName)
      }),
      body: z.object({
        projectId: z.string().trim().describe(PKI_SUBSCRIBERS.UPDATE.projectId),
        caId: z
          .string()
          .trim()
          .uuid("CA ID must be a valid UUID")
          .min(1, "CA ID is required")
          .optional()
          .describe(PKI_SUBSCRIBERS.UPDATE.caId),
        name: slugSchema({ min: 1, max: 64, field: "name" }).describe(PKI_SUBSCRIBERS.UPDATE.name).optional(),
        commonName: z.string().trim().min(1).describe(PKI_SUBSCRIBERS.UPDATE.commonName).optional(),
        status: z.nativeEnum(PkiSubscriberStatus).optional().describe(PKI_SUBSCRIBERS.UPDATE.status),
        subjectAlternativeNames: validateAltNameField
          .array()
          .optional()
          .describe(PKI_SUBSCRIBERS.UPDATE.subjectAlternativeNames),
        ttl: z
          .string()
          .trim()
          .refine((val) => ms(val) > 0, "TTL must be a positive number")
          .optional()
          .describe(PKI_SUBSCRIBERS.UPDATE.ttl),
        keyUsages: z
          .nativeEnum(CertKeyUsage)
          .array()
          .transform((arr) => Array.from(new Set(arr)))
          .optional()
          .describe(PKI_SUBSCRIBERS.UPDATE.keyUsages),
        extendedKeyUsages: z
          .nativeEnum(CertExtendedKeyUsage)
          .array()
          .transform((arr) => Array.from(new Set(arr)))
          .optional()
          .describe(PKI_SUBSCRIBERS.UPDATE.extendedKeyUsages)
      }),
      response: {
        200: sanitizedPkiSubscriber
      }
    },
    handler: async (req) => {
      const subscriber = await server.services.pkiSubscriber.updateSubscriber({
        subscriberName: req.params.subscriberName,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: subscriber.projectId,
        event: {
          type: EventType.UPDATE_PKI_SUBSCRIBER,
          metadata: {
            pkiSubscriberId: subscriber.id,
            caId: subscriber.caId ?? undefined,
            name: subscriber.name,
            commonName: subscriber.commonName,
            ttl: subscriber.ttl,
            subjectAlternativeNames: subscriber.subjectAlternativeNames,
            keyUsages: subscriber.keyUsages as CertKeyUsage[],
            extendedKeyUsages: subscriber.extendedKeyUsages as CertExtendedKeyUsage[]
          }
        }
      });
      return subscriber;
    }
  });
  server.route({
    method: "DELETE",
    url: "/:subscriberName",
    config: {
      rateLimit: writeLimit
    },
    schema: {
      hide: false,
      tags: [ApiDocsTags.PkiSubscribers],
      description: "Delete PKI Subscriber",
      params: z.object({
        subscriberName: z.string().describe(PKI_SUBSCRIBERS.DELETE.subscriberName)
      }),
      body: z.object({
        projectId: z.string().trim().describe(PKI_SUBSCRIBERS.DELETE.projectId)
      }),
      response: {
        200: sanitizedPkiSubscriber
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const subscriber = await server.services.pkiSubscriber.deleteSubscriber({
        subscriberName: req.params.subscriberName,
        projectId: req.body.projectId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: subscriber.projectId,
        event: {
          type: EventType.DELETE_PKI_SUBSCRIBER,
          metadata: {
            pkiSubscriberId: subscriber.id,
            name: subscriber.name
          }
        }
      });
      return subscriber;
    }
  });
  server.route({
    method: "POST",
    url: "/:subscriberName/issue-certificate",
    config: {
      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      hide: false,
      tags: [ApiDocsTags.PkiSubscribers],
      description: "Issue certificate",
      params: z.object({
        subscriberName: z.string().describe(PKI_SUBSCRIBERS.ISSUE_CERT.subscriberName)
      }),
      body: z.object({
        projectId: z.string().trim().describe(PKI_SUBSCRIBERS.ISSUE_CERT.projectId)
      }),
      response: {
        200: z.object({
          certificate: z.string().trim().describe(PKI_SUBSCRIBERS.ISSUE_CERT.certificate),
          issuingCaCertificate: z.string().trim().describe(PKI_SUBSCRIBERS.ISSUE_CERT.issuingCaCertificate),
          certificateChain: z.string().trim().describe(PKI_SUBSCRIBERS.ISSUE_CERT.certificateChain),
          privateKey: z.string().trim().describe(PKI_SUBSCRIBERS.ISSUE_CERT.privateKey),
          serialNumber: z.string().trim().describe(PKI_SUBSCRIBERS.ISSUE_CERT.serialNumber)
        })
      }
    },
    handler: async (req) => {
      const { certificate, certificateChain, issuingCaCertificate, privateKey, serialNumber, subscriber } =
        await server.services.pkiSubscriber.issueSubscriberCert({
          subscriberName: req.params.subscriberName,
          projectId: req.body.projectId,
          actor: req.permission.type,
          actorId: req.permission.id,
          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId
        });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: subscriber.projectId,
        event: {
          type: EventType.ISSUE_PKI_SUBSCRIBER_CERT,
          metadata: {
            subscriberId: subscriber.id,
            name: subscriber.name,
            serialNumber
          }
        }
      });
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.IssueCert,
        distinctId: getTelemetryDistinctId(req),
        properties: {
          subscriberId: subscriber.id,
          commonName: subscriber.commonName,
          ...req.auditLogInfo
        }
      });
      return {
        certificate,
        certificateChain,
        issuingCaCertificate,
        privateKey,
        serialNumber
      };
    }
  });
  server.route({
    method: "POST",
    url: "/:subscriberName/sign-certificate",
    config: {
      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      hide: false,
      tags: [ApiDocsTags.PkiSubscribers],
      description: "Sign certificate",
      params: z.object({
        subscriberName: z.string().describe(PKI_SUBSCRIBERS.SIGN_CERT.subscriberName)
      }),
      body: z.object({
        projectId: z.string().trim().describe(PKI_SUBSCRIBERS.SIGN_CERT.projectId),
        csr: z.string().trim().min(1).max(3000).describe(PKI_SUBSCRIBERS.SIGN_CERT.csr)
      }),
      response: {
        200: z.object({
          certificate: z.string().trim().describe(PKI_SUBSCRIBERS.SIGN_CERT.certificate),
          issuingCaCertificate: z.string().trim().describe(PKI_SUBSCRIBERS.SIGN_CERT.issuingCaCertificate),
          certificateChain: z.string().trim().describe(PKI_SUBSCRIBERS.SIGN_CERT.certificateChain),
          serialNumber: z.string().trim().describe(PKI_SUBSCRIBERS.ISSUE_CERT.serialNumber)
        })
      }
    },
    handler: async (req) => {
      const { certificate, certificateChain, issuingCaCertificate, serialNumber, subscriber } =
        await server.services.pkiSubscriber.signSubscriberCert({
          subscriberName: req.params.subscriberName,
          projectId: req.body.projectId,
          csr: req.body.csr,
          actor: req.permission.type,
          actorId: req.permission.id,
          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId
        });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: subscriber.projectId,
        event: {
          type: EventType.SIGN_PKI_SUBSCRIBER_CERT,
          metadata: {
            subscriberId: subscriber.id,
            name: subscriber.name,
            serialNumber
          }
        }
      });
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SignCert,
        distinctId: getTelemetryDistinctId(req),
        properties: {
          subscriberId: subscriber.id,
          commonName: subscriber.commonName,
          ...req.auditLogInfo
        }
      });
      return {
        certificate,
        certificateChain,
        issuingCaCertificate,
        serialNumber
      };
    }
  });
  server.route({
    method: "GET",
    url: "/:subscriberName/certificates",
    config: {
      rateLimit: readLimit
    },
    schema: {
      hide: false,
      tags: [ApiDocsTags.PkiSubscribers],
      description: "List PKI Subscriber certificates",
      params: z.object({
        subscriberName: z.string().describe(PKI_SUBSCRIBERS.GET.subscriberName)
      }),
      querystring: z.object({
        projectId: z.string().trim().describe(PKI_SUBSCRIBERS.LIST_CERTS.projectId),
        offset: z.coerce.number().min(0).max(100).default(0).describe(PKI_SUBSCRIBERS.LIST_CERTS.offset),
        limit: z.coerce.number().min(1).max(100).default(25).describe(PKI_SUBSCRIBERS.LIST_CERTS.limit)
      }),
      response: {
        200: z.object({
          certificates: z.array(CertificatesSchema),
          totalCount: z.number()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const { totalCount, certificates } = await server.services.pkiSubscriber.listSubscriberCerts({
        subscriberName: req.params.subscriberName,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: req.query.projectId,
        event: {
          type: EventType.LIST_PKI_SUBSCRIBER_CERTS,
          metadata: {
            subscriberId: req.params.subscriberName,
            name: req.params.subscriberName,
            projectId: req.query.projectId
          }
        }
      });
      return {
        certificates,
        totalCount
      };
    }
  });
 };
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@@ -19,7 +19,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, PROJECTS } from "@app/lib/api-docs";
 import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
 import { re2Validator } from "@app/lib/zod";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, requestAccessLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 import { validateMicrosoftTeamsChannelsSchema } from "@app/services/microsoft-teams/microsoft-teams-fns";
@@ -1006,7 +1006,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/:workspaceId/project-access",
    config: {
-      rateLimit: writeLimit
+      rateLimit: requestAccessLimit
    },
    schema: {
      params: z.object({
--- a/backend/src/server/routes/v1/secret-sync-routers/index.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/index.ts
@@ -10,6 +10,7 @@ import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
 import { registerHCVaultSyncRouter } from "./hc-vault-sync-router";
 import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
 import { registerOCIVaultSyncRouter } from "./oci-vault-sync-router";
 import { registerTeamCitySyncRouter } from "./teamcity-sync-router";
 import { registerTerraformCloudSyncRouter } from "./terraform-cloud-sync-router";
 import { registerVercelSyncRouter } from "./vercel-sync-router";
@@ -31,5 +32,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
  [SecretSync.Vercel]: registerVercelSyncRouter,
  [SecretSync.Windmill]: registerWindmillSyncRouter,
  [SecretSync.HCVault]: registerHCVaultSyncRouter,
-  [SecretSync.TeamCity]: registerTeamCitySyncRouter
+  [SecretSync.TeamCity]: registerTeamCitySyncRouter,
  [SecretSync.OCIVault]: registerOCIVaultSyncRouter
 };
--- a/backend/src/server/routes/v1/secret-sync-routers/oci-vault-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/oci-vault-sync-router.ts
@@ -0,0 +1,17 @@
 import {
  CreateOCIVaultSyncSchema,
  OCIVaultSyncSchema,
  UpdateOCIVaultSyncSchema
 } from "@app/services/secret-sync/oci-vault";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
 export const registerOCIVaultSyncRouter = async (server: FastifyZodProvider) =>
  registerSyncSecretsEndpoints({
    destination: SecretSync.OCIVault,
    server,
    responseSchema: OCIVaultSyncSchema,
    createSchema: CreateOCIVaultSyncSchema,
    updateSchema: UpdateOCIVaultSyncSchema
  });
--- a/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
@@ -24,6 +24,7 @@ import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
 import { HCVaultSyncListItemSchema, HCVaultSyncSchema } from "@app/services/secret-sync/hc-vault";
 import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
 import { OCIVaultSyncListItemSchema, OCIVaultSyncSchema } from "@app/services/secret-sync/oci-vault";
 import { TeamCitySyncListItemSchema, TeamCitySyncSchema } from "@app/services/secret-sync/teamcity";
 import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
 import { VercelSyncListItemSchema, VercelSyncSchema } from "@app/services/secret-sync/vercel";
@@ -43,7 +44,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
  VercelSyncSchema,
  WindmillSyncSchema,
  HCVaultSyncSchema,
-  TeamCitySyncSchema
+  TeamCitySyncSchema,
  OCIVaultSyncSchema
 ]);
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -60,7 +62,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
  VercelSyncListItemSchema,
  WindmillSyncListItemSchema,
  HCVaultSyncListItemSchema,
-  TeamCitySyncListItemSchema
+  TeamCitySyncListItemSchema,
  OCIVaultSyncListItemSchema
 ]);
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {
--- a/backend/src/server/routes/v2/project-router.ts
+++ b/backend/src/server/routes/v2/project-router.ts
@@ -24,6 +24,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
 import { sanitizedCertificateTemplate } from "@app/services/certificate-template/certificate-template-schema";
 import { sanitizedPkiSubscriber } from "@app/services/pki-subscriber/pki-subscriber-schema";
 import { ProjectFilterType } from "@app/services/project/project-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
@@ -170,7 +171,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          .optional()
          .default(InfisicalProjectTemplate.Default)
          .describe(PROJECTS.CREATE.template),
-        type: z.nativeEnum(ProjectType).default(ProjectType.SecretManager)
+        type: z.nativeEnum(ProjectType).default(ProjectType.SecretManager),
        shouldCreateDefaultEnvs: z.boolean().optional().default(true)
      }),
      response: {
        200: z.object({
@@ -190,7 +192,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        slug: req.body.slug,
        kmsKeyId: req.body.kmsKeyId,
        template: req.body.template,
-        type: req.body.type
+        type: req.body.type,
        createDefaultEnvs: req.body.shouldCreateDefaultEnvs
      });
      await server.services.telemetry.sendPostHogEvents({
@@ -272,7 +275,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      params: z.object({
-        slug: slugSchema({ min: 5, max: 36 }).describe("The slug of the project to get.")
+        slug: slugSchema({ max: 36 }).describe("The slug of the project to get.")
      }),
      response: {
        200: projectWithEnv
@@ -488,6 +491,38 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    }
  });
  server.route({
    method: "GET",
    url: "/:projectId/pki-subscribers",
    config: {
      rateLimit: readLimit
    },
    schema: {
      hide: false,
      tags: [ApiDocsTags.PkiSubscribers],
      params: z.object({
        projectId: z.string().trim().describe(PROJECTS.LIST_PKI_SUBSCRIBERS.projectId)
      }),
      response: {
        200: z.object({
          subscribers: z.array(sanitizedPkiSubscriber)
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const subscribers = await server.services.project.listProjectPkiSubscribers({
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        projectId: req.params.projectId
      });
      return { subscribers };
    }
  });
  server.route({
    method: "GET",
    url: "/:projectId/certificate-templates",
@@ -626,6 +661,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
      hide: false,
      tags: [ApiDocsTags.SshHosts],
      params: z.object({
        projectId: z.string().trim().describe(PROJECTS.LIST_SSH_HOSTS.projectId)
      }),
@@ -664,6 +701,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
      hide: false,
      tags: [ApiDocsTags.SshHostGroups],
      params: z.object({
        projectId: z.string().trim().describe(PROJECTS.LIST_SSH_HOST_GROUPS.projectId)
      }),
--- a/backend/src/services/app-connection/app-connection-enums.ts
+++ b/backend/src/services/app-connection/app-connection-enums.ts
@@ -16,7 +16,8 @@ export enum AppConnection {
  Auth0 = "auth0",
  HCVault = "hashicorp-vault",
  LDAP = "ldap",
-  TeamCity = "teamcity"
+  TeamCity = "teamcity",
  OCI = "oci"
 }
 export enum AWSRegion {
--- a/backend/src/services/app-connection/app-connection-fns.ts
+++ b/backend/src/services/app-connection/app-connection-fns.ts
@@ -53,6 +53,7 @@ import {
 } from "./humanitec";
 import { getLdapConnectionListItem, LdapConnectionMethod, validateLdapConnectionCredentials } from "./ldap";
 import { getMsSqlConnectionListItem, MsSqlConnectionMethod } from "./mssql";
 import { getOCIConnectionListItem, OCIConnectionMethod, validateOCIConnectionCredentials } from "./oci";
 import { getPostgresConnectionListItem, PostgresConnectionMethod } from "./postgres";
 import {
  getTeamCityConnectionListItem,
@@ -91,7 +92,8 @@ export const listAppConnectionOptions = () => {
    getAuth0ConnectionListItem(),
    getHCVaultConnectionListItem(),
    getLdapConnectionListItem(),
-    getTeamCityConnectionListItem()
+    getTeamCityConnectionListItem(),
    getOCIConnectionListItem()
  ].sort((a, b) => a.name.localeCompare(b.name));
 };
@@ -160,7 +162,8 @@ export const validateAppConnectionCredentials = async (
    [AppConnection.Windmill]: validateWindmillConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.HCVault]: validateHCVaultConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.LDAP]: validateLdapConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.TeamCity]: validateTeamCityConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.TeamCity]: validateTeamCityConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.OCI]: validateOCIConnectionCredentials as TAppConnectionCredentialsValidator
  };
  return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
@@ -176,6 +179,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
    case GitHubConnectionMethod.OAuth:
      return "OAuth";
    case AwsConnectionMethod.AccessKey:
    case OCIConnectionMethod.AccessKey:
      return "Access Key";
    case AwsConnectionMethod.AssumeRole:
      return "Assume Role";
@@ -250,5 +254,6 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
  [AppConnection.Auth0]: platformManagedCredentialsNotSupported,
  [AppConnection.HCVault]: platformManagedCredentialsNotSupported,
  [AppConnection.LDAP]: platformManagedCredentialsNotSupported, // we could support this in the future
-  [AppConnection.TeamCity]: platformManagedCredentialsNotSupported
+  [AppConnection.TeamCity]: platformManagedCredentialsNotSupported,
  [AppConnection.OCI]: platformManagedCredentialsNotSupported
 };
--- a/backend/src/services/app-connection/app-connection-maps.ts
+++ b/backend/src/services/app-connection/app-connection-maps.ts
@@ -18,5 +18,6 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
  [AppConnection.Auth0]: "Auth0",
  [AppConnection.HCVault]: "Hashicorp Vault",
  [AppConnection.LDAP]: "LDAP",
-  [AppConnection.TeamCity]: "TeamCity"
+  [AppConnection.TeamCity]: "TeamCity",
  [AppConnection.OCI]: "OCI"
 };
--- a/backend/src/services/app-connection/app-connection-service.ts
+++ b/backend/src/services/app-connection/app-connection-service.ts
@@ -49,6 +49,8 @@ import { ValidateHumanitecConnectionCredentialsSchema } from "./humanitec";
 import { humanitecConnectionService } from "./humanitec/humanitec-connection-service";
 import { ValidateLdapConnectionCredentialsSchema } from "./ldap";
 import { ValidateMsSqlConnectionCredentialsSchema } from "./mssql";
 import { ValidateOCIConnectionCredentialsSchema } from "./oci";
 import { ociConnectionService } from "./oci/oci-connection-service";
 import { ValidatePostgresConnectionCredentialsSchema } from "./postgres";
 import { ValidateTeamCityConnectionCredentialsSchema } from "./teamcity";
 import { teamcityConnectionService } from "./teamcity/teamcity-connection-service";
@@ -85,7 +87,8 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
  [AppConnection.Auth0]: ValidateAuth0ConnectionCredentialsSchema,
  [AppConnection.HCVault]: ValidateHCVaultConnectionCredentialsSchema,
  [AppConnection.LDAP]: ValidateLdapConnectionCredentialsSchema,
-  [AppConnection.TeamCity]: ValidateTeamCityConnectionCredentialsSchema
+  [AppConnection.TeamCity]: ValidateTeamCityConnectionCredentialsSchema,
  [AppConnection.OCI]: ValidateOCIConnectionCredentialsSchema
 };
 export const appConnectionServiceFactory = ({
@@ -464,6 +467,7 @@ export const appConnectionServiceFactory = ({
    auth0: auth0ConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
    hcvault: hcVaultConnectionService(connectAppConnectionById),
    windmill: windmillConnectionService(connectAppConnectionById),
-    teamcity: teamcityConnectionService(connectAppConnectionById)
+    teamcity: teamcityConnectionService(connectAppConnectionById),
    oci: ociConnectionService(connectAppConnectionById)
  };
 };
--- a/backend/src/services/app-connection/app-connection-types.ts
+++ b/backend/src/services/app-connection/app-connection-types.ts
@@ -76,6 +76,12 @@ import {
  TValidateLdapConnectionCredentialsSchema
 } from "./ldap";
 import { TMsSqlConnection, TMsSqlConnectionInput, TValidateMsSqlConnectionCredentialsSchema } from "./mssql";
 import {
  TOCIConnection,
  TOCIConnectionConfig,
  TOCIConnectionInput,
  TValidateOCIConnectionCredentialsSchema
 } from "./oci";
 import {
  TPostgresConnection,
  TPostgresConnectionInput,
@@ -125,6 +131,7 @@ export type TAppConnection = { id: string } & (
  | THCVaultConnection
  | TLdapConnection
  | TTeamCityConnection
  | TOCIConnection
 );
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@@ -150,6 +157,7 @@ export type TAppConnectionInput = { id: string } & (
  | THCVaultConnectionInput
  | TLdapConnectionInput
  | TTeamCityConnectionInput
  | TOCIConnectionInput
 );
 export type TSqlConnectionInput = TPostgresConnectionInput | TMsSqlConnectionInput;
@@ -180,7 +188,8 @@ export type TAppConnectionConfig =
  | TAuth0ConnectionConfig
  | THCVaultConnectionConfig
  | TLdapConnectionConfig
-  | TTeamCityConnectionConfig;
+  | TTeamCityConnectionConfig
  | TOCIConnectionConfig;
 export type TValidateAppConnectionCredentialsSchema =
  | TValidateAwsConnectionCredentialsSchema
@@ -200,7 +209,8 @@ export type TValidateAppConnectionCredentialsSchema =
  | TValidateAuth0ConnectionCredentialsSchema
  | TValidateHCVaultConnectionCredentialsSchema
  | TValidateLdapConnectionCredentialsSchema
-  | TValidateTeamCityConnectionCredentialsSchema;
+  | TValidateTeamCityConnectionCredentialsSchema
  | TValidateOCIConnectionCredentialsSchema;
 export type TListAwsConnectionKmsKeys = {
  connectionId: string;
--- a/backend/src/services/app-connection/oci/index.ts
+++ b/backend/src/services/app-connection/oci/index.ts
@@ -0,0 +1,4 @@
 export * from "./oci-connection-enums";
 export * from "./oci-connection-fns";
 export * from "./oci-connection-schemas";
 export * from "./oci-connection-types";
--- a/backend/src/services/app-connection/oci/oci-connection-enums.ts
+++ b/backend/src/services/app-connection/oci/oci-connection-enums.ts
@@ -0,0 +1,3 @@
 export enum OCIConnectionMethod {
  AccessKey = "access-key"
 }
--- a/backend/src/services/app-connection/oci/oci-connection-fns.ts
+++ b/backend/src/services/app-connection/oci/oci-connection-fns.ts
@@ -0,0 +1,139 @@
 import { common, identity, keymanagement } from "oci-sdk";
 import { BadRequestError } from "@app/lib/errors";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { OCIConnectionMethod } from "./oci-connection-enums";
 import { TOCIConnection, TOCIConnectionConfig } from "./oci-connection-types";
 export const getOCIProvider = async (config: TOCIConnectionConfig) => {
  const {
    credentials: { fingerprint, privateKey, region, tenancyOcid, userOcid }
  } = config;
  const provider = new common.SimpleAuthenticationDetailsProvider(
    tenancyOcid,
    userOcid,
    fingerprint,
    privateKey,
    null,
    common.Region.fromRegionId(region)
  );
  return provider;
 };
 export const getOCIConnectionListItem = () => {
  return {
    name: "OCI" as const,
    app: AppConnection.OCI as const,
    methods: Object.values(OCIConnectionMethod) as [OCIConnectionMethod.AccessKey]
  };
 };
 export const validateOCIConnectionCredentials = async (config: TOCIConnectionConfig) => {
  const provider = await getOCIProvider(config);
  try {
    const identityClient = new identity.IdentityClient({
      authenticationDetailsProvider: provider
    });
    // Get user details - a lightweight call that validates all credentials
    await identityClient.getUser({ userId: config.credentials.userOcid });
  } catch (error: unknown) {
    if (error instanceof Error) {
      throw new BadRequestError({
        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
      });
    }
    throw new BadRequestError({
      message: "Unable to validate connection: verify credentials"
    });
  }
  return config.credentials;
 };
 export const listOCICompartments = async (appConnection: TOCIConnection) => {
  const provider = await getOCIProvider(appConnection);
  const identityClient = new identity.IdentityClient({ authenticationDetailsProvider: provider });
  const keyManagementClient = new keymanagement.KmsVaultClient({
    authenticationDetailsProvider: provider
  });
  const rootCompartment = await identityClient
    .getTenancy({
      tenancyId: appConnection.credentials.tenancyOcid
    })
    .then((response) => ({
      ...response.tenancy,
      id: appConnection.credentials.tenancyOcid,
      name: response.tenancy.name ? `${response.tenancy.name} (root)` : "root"
    }));
  const compartments = await identityClient.listCompartments({
    compartmentId: appConnection.credentials.tenancyOcid,
    compartmentIdInSubtree: true,
    accessLevel: identity.requests.ListCompartmentsRequest.AccessLevel.Any,
    lifecycleState: identity.models.Compartment.LifecycleState.Active
  });
  const allCompartments = [rootCompartment, ...compartments.items];
  const filteredCompartments = [];
  for await (const compartment of allCompartments) {
    try {
      // Check if user can list vaults in this compartment
      await keyManagementClient.listVaults({
        compartmentId: compartment.id,
        limit: 1
      });
      filteredCompartments.push(compartment);
    } catch (error) {
      // Do nothing
    }
  }
  return filteredCompartments;
 };
 export const listOCIVaults = async (appConnection: TOCIConnection, compartmentOcid: string) => {
  const provider = await getOCIProvider(appConnection);
  const keyManagementClient = new keymanagement.KmsVaultClient({
    authenticationDetailsProvider: provider
  });
  const vaults = await keyManagementClient.listVaults({
    compartmentId: compartmentOcid
  });
  return vaults.items.filter((v) => v.lifecycleState === keymanagement.models.Vault.LifecycleState.Active);
 };
 export const listOCIVaultKeys = async (appConnection: TOCIConnection, compartmentOcid: string, vaultOcid: string) => {
  const provider = await getOCIProvider(appConnection);
  const kmsVaultClient = new keymanagement.KmsVaultClient({
    authenticationDetailsProvider: provider
  });
  const vault = await kmsVaultClient.getVault({
    vaultId: vaultOcid
  });
  const keyManagementClient = new keymanagement.KmsManagementClient({
    authenticationDetailsProvider: provider
  });
  keyManagementClient.endpoint = vault.vault.managementEndpoint;
  const keys = await keyManagementClient.listKeys({
    compartmentId: compartmentOcid
  });
  return keys.items.filter((v) => v.lifecycleState === keymanagement.models.KeySummary.LifecycleState.Enabled);
 };
--- a/backend/src/services/app-connection/oci/oci-connection-schemas.ts
+++ b/backend/src/services/app-connection/oci/oci-connection-schemas.ts
@@ -0,0 +1,65 @@
 import z from "zod";
 import { AppConnections } from "@app/lib/api-docs";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
  BaseAppConnectionSchema,
  GenericCreateAppConnectionFieldsSchema,
  GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 import { OCIConnectionMethod } from "./oci-connection-enums";
 export const OCIConnectionAccessTokenCredentialsSchema = z.object({
  userOcid: z.string().trim().min(1, "User OCID required").describe(AppConnections.CREDENTIALS.OCI.userOcid),
  tenancyOcid: z.string().trim().min(1, "Tenancy OCID required").describe(AppConnections.CREDENTIALS.OCI.tenancyOcid),
  region: z.string().trim().min(1, "Region required").describe(AppConnections.CREDENTIALS.OCI.region),
  fingerprint: z.string().trim().min(1, "Fingerprint required").describe(AppConnections.CREDENTIALS.OCI.fingerprint),
  privateKey: z.string().trim().min(1, "Private Key required").describe(AppConnections.CREDENTIALS.OCI.privateKey)
 });
 const BaseOCIConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.OCI) });
 export const OCIConnectionSchema = BaseOCIConnectionSchema.extend({
  method: z.literal(OCIConnectionMethod.AccessKey),
  credentials: OCIConnectionAccessTokenCredentialsSchema
 });
 export const SanitizedOCIConnectionSchema = z.discriminatedUnion("method", [
  BaseOCIConnectionSchema.extend({
    method: z.literal(OCIConnectionMethod.AccessKey),
    credentials: OCIConnectionAccessTokenCredentialsSchema.pick({
      userOcid: true,
      tenancyOcid: true,
      region: true,
      fingerprint: true
    })
  })
 ]);
 export const ValidateOCIConnectionCredentialsSchema = z.discriminatedUnion("method", [
  z.object({
    method: z.literal(OCIConnectionMethod.AccessKey).describe(AppConnections.CREATE(AppConnection.OCI).method),
    credentials: OCIConnectionAccessTokenCredentialsSchema.describe(
      AppConnections.CREATE(AppConnection.OCI).credentials
    )
  })
 ]);
 export const CreateOCIConnectionSchema = ValidateOCIConnectionCredentialsSchema.and(
  GenericCreateAppConnectionFieldsSchema(AppConnection.OCI)
 );
 export const UpdateOCIConnectionSchema = z
  .object({
    credentials: OCIConnectionAccessTokenCredentialsSchema.optional().describe(
      AppConnections.UPDATE(AppConnection.OCI).credentials
    )
  })
  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.OCI));
 export const OCIConnectionListItemSchema = z.object({
  name: z.literal("OCI"),
  app: z.literal(AppConnection.OCI),
  methods: z.nativeEnum(OCIConnectionMethod).array()
 });
--- a/backend/src/services/app-connection/oci/oci-connection-service.ts
+++ b/backend/src/services/app-connection/oci/oci-connection-service.ts
@@ -0,0 +1,70 @@
 import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";
 import { AppConnection } from "../app-connection-enums";
 import { listOCICompartments, listOCIVaultKeys, listOCIVaults } from "./oci-connection-fns";
 import { TOCIConnection } from "./oci-connection-types";
 type TGetAppConnectionFunc = (
  app: AppConnection,
  connectionId: string,
  actor: OrgServiceActor
 ) => Promise<TOCIConnection>;
 type TListOCIVaultsDTO = {
  connectionId: string;
  compartmentOcid: string;
 };
 type TListOCIVaultKeysDTO = {
  connectionId: string;
  compartmentOcid: string;
  vaultOcid: string;
 };
 export const ociConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
  const listCompartments = async (connectionId: string, actor: OrgServiceActor) => {
    const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
    try {
      const compartments = await listOCICompartments(appConnection);
      return compartments;
    } catch (error) {
      logger.error(error, "Failed to establish connection with OCI");
      return [];
    }
  };
  const listVaults = async ({ connectionId, compartmentOcid }: TListOCIVaultsDTO, actor: OrgServiceActor) => {
    const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
    try {
      const vaults = await listOCIVaults(appConnection, compartmentOcid);
      return vaults;
    } catch (error) {
      logger.error(error, "Failed to establish connection with OCI");
      return [];
    }
  };
  const listVaultKeys = async (
    { connectionId, compartmentOcid, vaultOcid }: TListOCIVaultKeysDTO,
    actor: OrgServiceActor
  ) => {
    const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
    try {
      const keys = await listOCIVaultKeys(appConnection, compartmentOcid, vaultOcid);
      return keys;
    } catch (error) {
      logger.error(error, "Failed to establish connection with OCI");
      return [];
    }
  };
  return {
    listCompartments,
    listVaults,
    listVaultKeys
  };
 };
--- a/backend/src/services/app-connection/oci/oci-connection-types.ts
+++ b/backend/src/services/app-connection/oci/oci-connection-types.ts
@@ -0,0 +1,22 @@
 import z from "zod";
 import { DiscriminativePick } from "@app/lib/types";
 import { AppConnection } from "../app-connection-enums";
 import {
  CreateOCIConnectionSchema,
  OCIConnectionSchema,
  ValidateOCIConnectionCredentialsSchema
 } from "./oci-connection-schemas";
 export type TOCIConnection = z.infer<typeof OCIConnectionSchema>;
 export type TOCIConnectionInput = z.infer<typeof CreateOCIConnectionSchema> & {
  app: AppConnection.OCI;
 };
 export type TValidateOCIConnectionCredentialsSchema = typeof ValidateOCIConnectionCredentialsSchema;
 export type TOCIConnectionConfig = DiscriminativePick<TOCIConnectionInput, "method" | "app" | "credentials"> & {
  orgId: string;
 };
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@@ -401,8 +401,8 @@ export const authLoginServiceFactory = ({
    }
    const shouldCheckMfa = selectedOrg.enforceMfa || user.isMfaEnabled;
-    const orgMfaMethod = selectedOrg.enforceMfa ? selectedOrg.selectedMfaMethod ?? MfaMethod.EMAIL : undefined;
+    const orgMfaMethod = selectedOrg.enforceMfa ? (selectedOrg.selectedMfaMethod ?? MfaMethod.EMAIL) : undefined;
-    const userMfaMethod = user.isMfaEnabled ? user.selectedMfaMethod ?? MfaMethod.EMAIL : undefined;
+    const userMfaMethod = user.isMfaEnabled ? (user.selectedMfaMethod ?? MfaMethod.EMAIL) : undefined;
    const mfaMethod = orgMfaMethod ?? userMfaMethod;
    if (shouldCheckMfa && (!decodedToken.isMfaVerified || decodedToken.mfaMethod !== mfaMethod)) {
@@ -573,9 +573,9 @@ export const authLoginServiceFactory = ({
  }: TVerifyMfaTokenDTO) => {
    const appCfg = getConfig();
    const user = await userDAL.findById(userId);
    enforceUserLockStatus(Boolean(user.isLocked), user.temporaryLockDateEnd);
    try {
      enforceUserLockStatus(Boolean(user.isLocked), user.temporaryLockDateEnd);
      if (mfaMethod === MfaMethod.EMAIL) {
        await tokenService.validateTokenForUser({
          type: TokenType.TOKEN_EMAIL_MFA,
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Maidul Islam	c8a3837432	refine docs	2025-05-13 22:02:49 -07:00
Maidul Islam	4e1a5565d8	add linux upgrade docs	2025-05-13 20:40:29 -07:00
x032205	9b6a315825	Merge pull request #3593 from Infisical/ENG-2742 Fixed project roles not being editable in some cases	2025-05-13 17:10:23 -04:00
x032205	13b2f65b7e	lint fix	2025-05-13 16:51:05 -04:00
x032205	6cf1e046b0	Fixed project roles not being editable in some cases	2025-05-13 16:38:26 -04:00
Scott Wilson	f6e1441dc0	Merge pull request #3570 from Infisical/policy-templates feature(project-roles): Project Role Templates	2025-05-13 12:47:40 -07:00
Scott Wilson	9eeb72ac80	fix: correct import	2025-05-13 12:18:35 -07:00
Scott Wilson	f6e566a028	merge main	2025-05-13 12:10:49 -07:00
x032205	a34c74e958	Merge pull request #3580 from Infisical/feat/return-metadata-with-identity-create Return metadata with identity post endpoints	2025-05-13 14:22:34 -04:00
x032205	eef7a875a1	Merge pull request #3585 from Infisical/ENG-2748 feat(docs): Self approval	2025-05-13 14:05:59 -04:00
x032205	09938a911b	nit fix	2025-05-13 13:58:52 -04:00
x032205	af08c41008	Merge pull request #3567 from Infisical/ENG-2636 feat(secret-sync): OCI Vault	2025-05-13 13:25:11 -04:00
x032205	443c8854ea	Merge branch 'main' into ENG-2636	2025-05-13 13:16:59 -04:00
x032205	f7a25e7601	Merge pull request #3592 from Infisical/lint-fix lint fix	2025-05-13 13:16:06 -04:00
x032205	4c6e5c9c4c	lint fix	2025-05-13 13:11:20 -04:00
Maidul Islam	98a4e6c96d	Merge pull request #3591 from akhilmhdh/fix/ui-skew feat: added new cache control for index html	2025-05-13 12:30:50 -04:00
Maidul Islam	c93ce06409	Merge pull request #3589 from Infisical/misc/updated-org-delete-flow misc: updated org delete flow to clear session	2025-05-13 11:41:09 -04:00
=	672e4baec4	feat: added new cache control for index html	2025-05-13 21:03:15 +05:30
Sheen	b5ef2a6837	Merge pull request #3569 from Infisical/pki-subscriber Infisical PKI: Subscriber Functionality	2025-05-13 16:34:05 +08:00
Sheen Capadngan	9c611daada	misc: updated org delete flow to clear session	2025-05-13 16:09:26 +08:00
x032205	71edb08942	Merge pull request #3587 from Infisical/ENG-2763 Fix approval request ordering	2025-05-12 23:54:27 -04:00
x032205	89d8261a43	Fix approval request ordering	2025-05-12 23:13:57 -04:00
Scott Wilson	a2b2b07185	Merge pull request #3584 from Infisical/sso-page Improvements(org-settings): Refactor Organization Security Settings to SSO Page	2025-05-12 18:43:35 -07:00
Scott Wilson	76864ababa	fix: correct doc casing	2025-05-12 18:37:05 -07:00
x032205	52858dad79	Update docs/documentation/platform/pr-workflows.mdx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-05-12 21:07:57 -04:00
x032205	1d7a6ea50e	Update docs/documentation/platform/pr-workflows.mdx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-05-12 21:07:34 -04:00
x032205	c031233247	feat(docs): Self approval	2025-05-12 21:04:05 -04:00
Scott Wilson	d17d40ebd9	improvements: refactor org security settings tab to sso page and update doc images	2025-05-12 17:18:40 -07:00
x032205	70fff1f2da	review fixes	2025-05-12 19:38:00 -04:00
x032205	3f8eaa0679	remove schema change	2025-05-12 18:13:14 -04:00
Scott Wilson	50d0035d7b	fix: correct remove oci secret if secret value is empty logic	2025-05-12 14:56:13 -07:00
Tuan Dang	9743ad02d5	Fix lint issues	2025-05-12 14:56:00 -07:00
x032205	50f5248e3e	Merge branch 'main' into feat/return-metadata-with-identity-create	2025-05-12 17:50:13 -04:00
x032205	8d7b573988	final reviews	2025-05-12 17:39:29 -04:00
Tuan Dang	26d0ab1dc2	Fix lint issues	2025-05-12 14:34:14 -07:00
x032205	4acdbd24e9	remove useless schema	2025-05-12 16:50:47 -04:00
x032205	c3c907788a	review fixes	2025-05-12 16:42:48 -04:00
Tuan Dang	bf833a57cd	Fix merge conflicts	2025-05-12 12:59:54 -07:00
Tuan Dang	e8519f6612	Revise PR based on review	2025-05-12 12:56:56 -07:00
x032205	0b4675e7b5	Merge branch 'main' into ENG-2636	2025-05-12 14:56:01 -04:00
Daniel Hougaard	07df6803a5	Merge pull request #3581 from Infisical/daniel/unblock-dev fix: move cli install to aws	2025-05-12 18:54:55 +04:00
Daniel Hougaard	a09d0e8948	fix: move cli install to aws	2025-05-12 18:47:02 +04:00
Daniel Hougaard	ee598560ec	Merge pull request #3572 from Infisical/daniel/fix-secret-scaninng-public-keys fix: update secret scanner to latest version	2025-05-12 11:13:51 +04:00
x032205	2793ac22aa	remove duplicate field	2025-05-11 22:27:09 -04:00
x032205	31fad03af8	Return metadata with identity post endpoints	2025-05-09 23:41:11 -04:00
carlosmonastyrski	c629705c9c	Merge pull request #3535 from Infisical/feat/addGroupsToSshHosts feat(ssh-hosts): Add groups to ssh hosts allowed principals	2025-05-09 22:52:35 -03:00
Daniel Hougaard	be10f6e52a	Merge pull request #3579 from Infisical/daniel/horizontal-scaling-ms-teams fix(workflow-integrations): microsoft teams scaling issues	2025-05-10 01:11:37 +04:00
Scott Wilson	40c5ff0ad6	Merge pull request #3578 from Infisical/project-template-improvements improvement(project-templates): Project templates UI improvements	2025-05-09 13:50:50 -07:00
Scott Wilson	8ecb5ca7bc	remove extra margin	2025-05-09 13:47:28 -07:00
Daniel Hougaard	ab6a2b7dbb	fix(workflow-integrations): microsoft teams scaling issues	2025-05-10 00:47:22 +04:00
carlosmonastyrski	81bfc04e7c	Trim hostname input on SSH Host permission form and fix getWorkspaceUsers key invalidation	2025-05-09 17:10:01 -03:00
x032205	a757fceaed	Merge pull request #3577 from Infisical/feat/docs-support-openapi-titles feat(docs): Support OpenAPI titles for Zod descriptions	2025-05-09 15:49:49 -04:00
Scott Wilson	ce8e18f620	improvement: address feedback	2025-05-09 12:40:07 -07:00
Scott Wilson	d09c964647	fix: use tanstack router link	2025-05-09 12:32:37 -07:00
Scott Wilson	eeddbde600	improvement: update org project templates relocation banner	2025-05-09 12:23:05 -07:00
Daniel Hougaard	859b643e43	Delete ssh	2025-05-09 22:49:39 +04:00
Daniel Hougaard	91f71e0ef6	feat(cli): upgrade secret scanner	2025-05-09 22:48:56 +04:00
x032205	4e9e31eeb7	added credit	2025-05-09 13:45:36 -04:00
x032205	f6bc99b964	support openapi titles for zod description	2025-05-09 13:40:15 -04:00
Scott Wilson	679eb9dffc	fix: correct project templates empty table display if feature is disabled	2025-05-09 10:14:03 -07:00
x032205	0754ae3aaf	Merge pull request #3576 from Infisical/ENG-2692 feat(api): Rate limit for all email-sending endpoints	2025-05-09 11:37:08 -04:00
x032205	519a0c1bdf	Merge branch 'main' into ENG-2692	2025-05-09 11:31:05 -04:00
x032205	e9d8979cf4	add rate limit to all email-sending endpoints	2025-05-09 11:29:53 -04:00
Maidul Islam	486d975fa0	Merge pull request #3575 from akhilmhdh/fix/octokit feat: resolved esm error in octokit	2025-05-09 10:50:25 -04:00
=	42c49949b4	feat: resolved esm error in octokit	2025-05-09 20:13:08 +05:30
carlosmonastyrski	aea44088db	Merge branch 'main' into feat/addGroupsToSshHosts	2025-05-09 09:21:29 -03:00
x032205	cd71db416d	cancel deletion + update on creation for scheduled for deletion secrets	2025-05-09 02:34:50 -04:00
x032205	9d682ca874	added RE2 to regex	2025-05-09 02:10:53 -04:00
x032205	9054db80ad	truncation and UI tweaks	2025-05-09 02:05:30 -04:00
x032205	5bb8756c67	only list compartments which the user is authorized to 'use vaults' in	2025-05-09 01:49:34 -04:00
x032205	8b7cb4c4eb	Merge branch 'main' into ENG-2636	2025-05-09 01:34:19 -04:00
Daniel Hougaard	e584c9ea95	test	2025-05-09 09:04:30 +04:00
Maidul Islam	428c60880a	Update jumpcloud.mdx	2025-05-09 00:28:20 -04:00
Maidul Islam	2179b9a4d7	Update general.mdx	2025-05-09 00:27:43 -04:00
Daniel Hougaard	1921763fa8	fix: update to upcoming version	2025-05-09 04:43:13 +04:00
Daniel Hougaard	5408859a18	fix: update gitleaks/go-diff to latest version	2025-05-09 04:40:09 +04:00
Daniel Hougaard	8dfc0cfbe0	Merge pull request #3571 from Infisical/daniel/identities-ldap-docs docs(identities): ldap auth	2025-05-09 04:15:11 +04:00
Daniel Hougaard	060199e58c	fix: machine identities -> identities	2025-05-09 04:13:11 +04:00
Daniel Hougaard	3b9b17f8d5	requested changes	2025-05-09 04:12:21 +04:00
Daniel Hougaard	6addde2650	docs(identities): ldap auth	2025-05-09 03:44:15 +04:00
Scott Wilson	5b7627585f	improvements: address feedback	2025-05-08 16:17:25 -07:00
Scott Wilson	800ea5ce78	feature: project role templates	2025-05-08 16:02:41 -07:00
Tuan Dang	a6b3be72a9	Make minor PR adjustments	2025-05-08 14:02:25 -07:00
Daniel Hougaard	394bd6755f	Merge pull request #3566 from Infisical/daniel/identity-ldap-auth feat(identities): ldap auth	2025-05-08 23:53:47 +04:00
Daniel Hougaard	c21873ac4b	Update identity-ldap-auth-router.ts	2025-05-08 23:48:08 +04:00
Daniel Hougaard	64b8c1a2de	added filter check	2025-05-08 23:44:30 +04:00
Daniel Hougaard	de443c5ea1	fix: requested changes	2025-05-08 23:20:18 +04:00
Daniel Hougaard	a3b7df4e6b	fix: addressed requested changes	2025-05-08 23:13:46 +04:00
Tuan Dang	531607dcb7	Revise pr based on greptile review	2025-05-08 10:37:33 -07:00
Tuan Dang	182de009b2	Fix lint issues	2025-05-08 10:01:44 -07:00
Tuan Dang	f1651ce171	Rename migration file	2025-05-08 09:10:49 -07:00
Tuan Dang	e1f563dbd4	Fix merge conflicts	2025-05-08 09:07:28 -07:00
Tuan Dang	107cca0b62	Complete preliminary docs for pki subscribers	2025-05-08 08:52:10 -07:00
x032205	72abc08f04	Merge branch 'main' into ENG-2636	2025-05-08 10:29:52 -04:00
Sheen Capadngan	a4b648ad95	misc: addressed tooltip display issue	2025-05-08 21:24:26 +08:00
x032205	04a8931cf6	Merge pull request #3568 from Infisical/pki-merge-fix small migration fix	2025-05-08 01:23:36 -04:00
x032205	ab0b8c0f10	migration tweak	2025-05-08 01:22:34 -04:00
x032205	258836a605	migration tweak	2025-05-08 01:17:47 -04:00
x032205	d6b31cde44	greptile review fixes	2025-05-08 01:16:42 -04:00
x032205	2c94f9ec3c	revert eslint memory increase	2025-05-08 00:50:31 -04:00
x032205	42ad63b58d	increase max old space size for lint:fix	2025-05-08 00:44:03 -04:00
x032205	f2d5112585	Merge branch 'main' into ENG-2636	2025-05-08 00:27:28 -04:00
x032205	9c7b25de49	docs + tweaks	2025-05-08 00:25:19 -04:00
Daniel Hougaard	0b31d7f860	feat(identities): ldap auth, requested changes	2025-05-08 08:14:29 +04:00
Daniel Hougaard	5c91d380b8	feat(identities): ldap auth	2025-05-08 07:55:22 +04:00
Daniel Hougaard	b908893a68	feat(identities): ldap auth	2025-05-08 07:49:23 +04:00
Maidul Islam	4d0275e589	Merge pull request #3565 from Infisical/remove-migration-folder Remove unused migration folder	2025-05-07 20:53:51 -04:00
Maidul Islam	6ca7a990f3	unused folder remove	2025-05-07 20:34:01 -04:00
Scott Wilson	befd77eec2	Merge pull request #3563 from Infisical/policy-selection-modal improvement(project-roles): Add Policy Selection Modal	2025-05-07 16:49:05 -07:00
Daniel Hougaard	1d44774913	Merge pull request #3564 from Infisical/daniel/generator-doc-imp docs(k8s/generators): improve documentation	2025-05-08 03:20:30 +04:00
Maidul Islam	984552eea9	rephrase generator overview	2025-05-07 19:18:45 -04:00
Scott Wilson	b6a957a30d	fix: select all apply to filtered policies only, skip replacing existing policies	2025-05-07 15:34:34 -07:00
x032205	36954a9df9	secret sync + tweaks	2025-05-07 17:57:00 -04:00
Daniel Hougaard	2f4efad8ae	Update infisical-push-secret-crd.mdx	2025-05-08 01:47:00 +04:00
Scott Wilson	16c476d78c	fix: correct policies typos	2025-05-07 14:09:32 -07:00
Scott Wilson	68c549f1c6	improvement: add select polices modal	2025-05-07 13:50:27 -07:00
Scott Wilson	0610416677	Merge pull request #3550 from Infisical/project-specific-default-roles Improvements: Refactor Project Templates and Project Type Policy Filtering/Specific Roles	2025-05-07 12:50:01 -07:00
Daniel Hougaard	4a37dc9cb7	Merge pull request #3561 from Infisical/helm-update-v0.9.2 Update Helm chart to version v0.9.2	2025-05-07 22:37:58 +04:00
DanielHougaard	7e432a4297	Update Helm chart to version v0.9.2	2025-05-07 18:27:13 +00:00
Scott Wilson	794fc9c2a2	improvements: address feedback	2025-05-07 11:23:51 -07:00
Daniel Hougaard	d4e5d2c7ed	Merge pull request #3540 from Infisical/daniel/generators feat(k8s): generator support	2025-05-07 22:10:22 +04:00
x032205	581840a701	fixed app connection endpoints	2025-05-07 13:53:05 -04:00
Sheen	0c2e0bb0f9	Merge pull request #3560 from Infisical/misc/add-default-old-space-config misc: add default old space config	2025-05-08 01:46:46 +08:00
Sheen Capadngan	e2a414ffff	misc: add default old space config	2025-05-08 01:39:56 +08:00
=	0ca3c2bb68	feat: added password generator crd to samples	2025-05-07 22:50:49 +05:30
Daniel Hougaard	083581b51a	Merge pull request #3554 from Infisical/feat/new-project-properties-for-tf-management feat: adjustments to properties and validation	2025-05-07 20:22:23 +04:00
x032205	40e976133c	Merge pull request #3528 from Infisical/ENG-2647 feat(admin): Invalidate Cache	2025-05-07 11:50:57 -04:00
x032205	ad2f002822	Merge pull request #3558 from Infisical/pki-docs-patch docs fix	2025-05-07 11:06:24 -04:00
x032205	8842dfe5d1	docs fix	2025-05-07 11:01:19 -04:00
x032205	326742c2d5	feat(app-connections): OCI	2025-05-07 10:59:27 -04:00
Sheen	b1eea4ae9c	Merge pull request #3556 from Infisical/misc/remove-unnecessary-key-encryption-for-service-token misc: removed unnecessary key encryption for service token	2025-05-07 16:41:51 +08:00
Sheen Capadngan	a8e0a8aca3	misc: removed unnecessary key encryption for service token	2025-05-07 16:36:10 +08:00
=	b37058d0e2	feat: switched to is fetching	2025-05-07 11:30:31 +05:30
Daniel Hougaard	c891b8f5d3	fix routing	2025-05-07 03:00:20 +04:00
Tuan Dang	a32bb95703	Start work on PkiSubscriberDetailsByIDPage	2025-05-06 15:46:54 -07:00
x032205	334a05d5f1	fix lint	2025-05-06 18:08:08 -04:00
x032205	12c813928c	fix polling	2025-05-06 18:00:24 -04:00
x032205	521fef6fca	Merge branch 'main' into ENG-2647	2025-05-06 17:00:40 -04:00
=	8f8236c445	feat: simplied the caching panel logic and fixed permission issue	2025-05-07 01:37:26 +05:30
x032205	3cf5c534ff	Merge pull request #3553 from Infisical/pki-docs-patch patch(docs): mint.json update	2025-05-06 15:54:31 -04:00
Sheen Capadngan	2b03c295f9	feat: adjustments to properties and validation	2025-05-07 03:51:22 +08:00
x032205	4fc7a52941	patch(docs): mint.json update	2025-05-06 15:38:10 -04:00
Scott Wilson	0ded2e51ba	fix: filter project templates polices by type	2025-05-06 11:59:59 -07:00
Maidul Islam	0d2b3adec7	Merge pull request #3551 from Infisical/maidul98-patch-11 Add Conduct and Enforcement to bug bounty	2025-05-06 14:50:17 -04:00
Maidul Islam	e695203c05	Update docs/internals/bug-bounty.mdx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-05-06 14:49:38 -04:00
Maidul Islam	f9d76aae5d	Update bug-bounty.mdx	2025-05-06 14:46:42 -04:00
Daniel Hougaard	1c280759d1	Merge pull request #3548 from Infisical/daniel/self-hosted-secret-scanning docs: secret scanning self hosted documentation	2025-05-06 22:27:00 +04:00
Scott Wilson	4562f57b54	improvements: refactor project templates, filter policies by project type, project type specific roles	2025-05-06 11:26:09 -07:00
Daniel Hougaard	6005dce44d	fix: allow secret scanning from all self-hosted orgs	2025-05-06 22:16:29 +04:00
Tuan Dang	0410c83cef	Fix merge conflicts	2025-05-06 09:46:31 -07:00
Tuan Dang	cf4f2ea6b1	Begin developing pki subscriber	2025-05-06 09:44:57 -07:00
carlosmonastyrski	bf85df7e36	Fix SSH table UI user groups issues	2025-05-06 08:37:19 -03:00
Daniel Hougaard	f7f7d2d528	fix: typo	2025-05-06 08:24:59 +04:00
Daniel Hougaard	57342cf2a0	docs: secret scanning self hosted documentation	2025-05-06 08:14:05 +04:00
Maidul Islam	d530604b51	Merge pull request #3547 from Infisical/add-host-to-envar Add missing HOST environment var	2025-05-05 20:46:20 -04:00
Maidul Islam	229c7c0dcf	Add missing HOST environment var Added missing HOST environment var	2025-05-05 20:43:45 -04:00
Maidul Islam	6a79830e01	Update bug-bounty.mdx	2025-05-05 17:32:18 -04:00
x032205	722067f86c	Merge pull request #3514 from Infisical/ENG-2685 feat(pki): Store Secret Key Alongside Certificate + Endpoints to Fetch PK / Cert Bundle	2025-05-05 16:12:48 -04:00
x032205	86bb2659b5	small ui tweaks	2025-05-05 16:07:04 -04:00
x032205	dc59f226b6	swapped polling to react query	2025-05-05 15:58:45 -04:00
Scott Wilson	cd9792822b	Merge pull request #3545 from Infisical/fix-dns-resolve-fallback fix(external-connections): Use DNS Lookup as Fallback for DNS Resolve	2025-05-05 12:37:26 -07:00
x032205	9175c1dffa	Merge branch 'main' into ENG-2647	2025-05-05 15:27:25 -04:00
Scott Wilson	210f1dc2a2	fix: revert dev comment out	2025-05-05 12:24:12 -07:00
Scott Wilson	7851bb8710	improvement: address feedback	2025-05-05 12:23:18 -07:00
x032205	f6e802c017	review fixes: docs + frontend	2025-05-05 15:07:57 -04:00
Scott Wilson	d28c87ee67	fix: use dns lookup as fallback for dns resolve	2025-05-05 11:56:49 -07:00
x032205	b6e6a3c6be	docs changes	2025-05-05 14:50:54 -04:00
Andrey Lyubavin	54927454bf	ui fetch private key if permission allows it	2025-05-05 14:37:20 -04:00
carlosmonastyrski	b9070a8fa3	Merge branch 'main' into feat/addGroupsToSshHosts	2025-05-05 14:51:01 -03:00
Andrey Lyubavin	1ce06891a5	ui tweak for role policies	2025-05-05 13:43:38 -04:00
Andrey Lyubavin	3a8154eddc	Merge branch 'main' into ENG-2685	2025-05-05 13:37:43 -04:00
Daniel Hougaard	95b6676976	Merge pull request #3539 from Infisical/daniel/gateway-helm-docs docs(gateway-helm): helm deployment	2025-05-05 17:45:36 +04:00
Maidul Islam	15c0834d56	Merge pull request #3530 from Infisical/email-revamp improvemet(email-templates): migrate email templates to react email	2025-05-04 23:04:38 -04:00
Daniel Hougaard	1e4dfd0c7c	fix(k8s/generators): update base crds	2025-05-05 02:35:57 +04:00
Daniel Hougaard	34b7d28e2f	requested changes	2025-05-05 02:30:59 +04:00
Daniel Hougaard	245a348517	Update generators.go	2025-05-05 02:13:12 +04:00
Daniel Hougaard	e0fc582e2e	docs(k8s/generators): docs and minor fix	2025-05-05 02:09:21 +04:00
Daniel Hougaard	68ef897b6a	fix: logs and rbac	2025-05-05 01:39:30 +04:00
Daniel Hougaard	1b060e76de	Update kustomization.yaml	2025-05-05 01:08:22 +04:00
Daniel Hougaard	9f7599b2a1	feat(k8s): generators	2025-05-05 00:59:11 +04:00
x	9cbe70a6f3	lint fixes	2025-05-02 20:10:30 -04:00
x	f49fb534ab	review fixes	2025-05-02 19:50:55 -04:00
x	6eea4c8364	frontend tweaks	2025-05-02 19:20:02 -04:00
x	1e206ee441	Merge branch 'main' into ENG-2647	2025-05-02 19:03:08 -04:00
Scott Wilson	bec3cec040	fix: correct secret-scanning link	2025-05-02 15:52:13 -07:00
x	85c1a1081e	checkpoint	2025-05-02 18:43:07 -04:00
x	877485b45a	queue job	2025-05-02 15:23:35 -04:00
Scott Wilson	f9f098af86	fix: try updating tsup.config to account for .tsx	2025-05-02 12:20:17 -07:00
Scott Wilson	3ef053f255	fix: test adding explicity .tsx path	2025-05-02 12:13:23 -07:00
Scott Wilson	8f7a652741	fix: correct imports	2025-05-02 11:57:18 -07:00
Scott Wilson	717c947e53	fix: try removing jsx usage	2025-05-02 11:42:20 -07:00
Scott Wilson	8ad334b3ab	fix: try reverting ts jsx type	2025-05-02 11:34:18 -07:00
Scott Wilson	c7e707f20a	improvement: address feedback	2025-05-02 11:08:41 -07:00
x	d13e685a81	emphasize that secrets cache is encrypted in frontend	2025-05-02 13:04:22 -04:00
x	9849a5f136	switched to applyJitter functions	2025-05-02 13:00:37 -04:00
x	26773a1444	merge	2025-05-02 12:57:28 -04:00
carlosmonastyrski	3ea450e94a	Add groups to ssh hosts allowed principals fix delete principal row issue	2025-05-02 13:41:53 -03:00
carlosmonastyrski	7d0574087c	Add groups to ssh hosts allowed principals bot improvements	2025-05-02 13:36:05 -03:00
carlosmonastyrski	36916704be	Add groups to ssh hosts allowed principals	2025-05-02 11:14:43 -03:00
Scott Wilson	66fbcc6806	improvemet(email-templates): migrate email templates to react email	2025-05-01 14:57:24 -07:00
x	a6f280197b	spelling fix	2025-05-01 17:37:54 -04:00
x	346d2f213e	improvements + review fixes	2025-05-01 17:33:24 -04:00
x	9f1ac77afa	invalidate cache	2025-05-01 16:34:29 -04:00
x	1268bc1238	coderabbit review fixes	2025-04-30 17:50:23 -04:00
x	07e4bc8eed	review fixes	2025-04-30 17:46:05 -04:00
x	235be96ded	tweaks	2025-04-30 14:53:57 -04:00
x	30471bfcad	Merge branch 'main' into ENG-2685	2025-04-30 13:41:14 -04:00
x	eedffffc38	review fixes	2025-04-30 02:07:07 -04:00
x	9f487ad026	frontend type fixes	2025-04-30 00:53:31 -04:00
x	c70b9e665e	more tweaks and type fix	2025-04-30 00:39:10 -04:00
x	d460e96052	Merge branch 'main' into ENG-2685	2025-04-30 00:34:37 -04:00
x	e475774910	made certificates store PK and chain in relation to the main table, added /bundle endpoints, new audit log and permission entries	2025-04-30 00:33:46 -04:00
x	e81c49500b	get certificate private key endpoint + migrations	2025-04-29 20:34:39 -04:00